ProCurve Secure Router 7000dl


Basic Management and Configuration Guide

www.procurve.com

ProCurve Secure Router 7000dl


ProCurve Secure Router 7000dl Series

Basic Management and Configuration Guide

December 2005
J04_01


Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747
http://www.procurve.com/

© Copyright 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.

Publication Number

5991-3785
December 2005

Applicable Products

ProCurve Secure Router 7102 dl (J8752A)
ProCurve Secure Router 7203 dl (J8753A)

Trademark Credits

Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.

Disclaimer

The information contained in this document is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard.

Warranty

See the Customer Support/Warranty booklet included with the product.

A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer.


Contents

1 Overview

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

Using This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Understanding Command Syntax Statements . . . . . . . . . . . . . . . . . . . . 1-5

CLI Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

IP Address Notation Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Quick Starts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Obtaining Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Downloading Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Interface Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . 1-11

Using the ProCurve Web Browser Interface . . . . . . . . . . . . . . . . 1-12

Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

ProCurve Secure Router Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

E1 and T1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

ISDN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Backup Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Wide-Slot Option Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

Interface Numbering Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Power LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Fault LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23


LEDs for Slots 1 and 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24

Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24

Backup LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Tx and Rx LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Slot 3 LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Status LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Activity LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Test LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Ethernet and Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Link LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Optional IPSec VPN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28

Redundant Power Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29

Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29

Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30

Bootup Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30

Advantages of Booting From Compact Flash . . . . . . . . . . . . . . . . 1-32

Setting Up a Compact Flash Card From Which to Boot the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33

Saving Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33

AutoSynch™ Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34

Secure Router OS Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34

Basic Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36

Enable Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36

Global Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37

Commands Available in the Basic, Enable, or Global Configuration Mode Contexts . . . . . . . . . . . . . . . . . . . . 1-39

Basic Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39

Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39

Enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39

Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40

Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41


Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42

Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42

Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Wall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Enable Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44

Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45

Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46

Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46

Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49

Dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49

Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50

Erase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50

Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51

Reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51

Undebug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56

Write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56

show tech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57

Updating the Boot Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-59

Global Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . 1-60

hostname Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60

autosynch Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60

Support for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61

SafeMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61

Help Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64

CLI Help Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64

Editing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64

no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

Bootstrap Mode Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66


Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70

Compact Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70

AutoSynch™ Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70

Using the reload in Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-72

Managing Configuration Files Using a Text Editor . . . . . . . . . . . . . . . . . . 1-73

Creating and Transferring Configuration Files . . . . . . . . . . . . . . . . . . 1-75

Configuration File Transfer Using the Console Port . . . . . . . . . . 1-76

Configuration File Transfer Using a TFTP Server . . . . . . . . . . . . 1-78

Configuration File Transfer Using a Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83

Accessing the Secure Router OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83

2 Controlling Management Access to the ProCurve Secure Router

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Securing Management Access to the ProCurve Secure Router . . . . . . . . . 2-4

Restricting Access to the Enable Mode Context . . . . . . . . . . . . . . . . . . 2-4

Configuring a Password for Console Access . . . . . . . . . . . . . . . . . . . . . 2-5

Enabling Remote Access to the ProCurve Secure Router . . . . . . . . . . 2-6

Configuring an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Configuring Telnet Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Configuring Local User Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10

Encrypting All the Passwords Configured on the Router . . . . . . 2-11

Enabling Access to the Web Browser Interface . . . . . . . . . . . . . . 2-11

Managing SSH Communications . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Using FTP to Access the Router . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

Using the Local User List for Console or Telnet Access . . . . . . . 2-13

Enabling Secure Copy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-13

Viewing Information about Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14

Using the AAA Subsystem to Control Management Access . . . . . . . . . . . 2-14

Advantages of Using the AAA Subsystem . . . . . . . . . . . . . . . . . . . . . . 2-15

Enabling the AAA Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15


Configuring AAA for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

Creating a Named List for the Enable Mode Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16

Creating a Named List for User Authentication . . . . . . . . . . . . . . 2-18

Criteria for Failure of Authentication Methods . . . . . . . . . . . . . . 2-19

Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20

Options for AAA Authentication: Configuring Banners, Messages, and Prompts . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21

Configuring Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-23

Define a Named List for Authorization . . . . . . . . . . . . . . . . . . . . . 2-23

Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-24

Enable Authorization Commands for Console Line . . . . . . . . . . 2-24

Configuring the TACACS+ Server for Accounting . . . . . . . . . . . . . . . 2-25

Configuring a Named List for Accounting . . . . . . . . . . . . . . . . . . 2-25

Assign the Named List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

Configure Update Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-26

Do Not Send Records for Null Users . . . . . . . . . . . . . . . . . . . . . . . 2-27

Configuring a RADIUS Server for Authentication . . . . . . . . . . . . . . . 2-27

Define the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-27

Define a Group of RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . 2-29

Configure Global Settings for RADIUS Servers . . . . . . . . . . . . . . 2-30

Configuring the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31

Define the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31

Creating a TACACS+ Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33

Configure Global Settings for TACACS+ Servers . . . . . . . . . . . . 2-34

Troubleshooting AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35

debug aaa Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-35

Troubleshooting the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . 2-36

debug radius Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37

Troubleshooting the TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . 2-37

Port Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40

Enabling Supplicant Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40

Troubleshooting Supplicant Functionality . . . . . . . . . . . . . . . . . . . . . 2-41


Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-42

Configure the Enable Mode Password . . . . . . . . . . . . . . . . . . . . . . . . . 2-42

Configure a Password for the Console Access . . . . . . . . . . . . . . . . . . 2-42

Configuring Remote Access to the ProCurve Secure Router . . . . . . 2-43

Configuring an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . 2-43

Configuring a Password for Telnet Access . . . . . . . . . . . . . . . . . . 2-44

Configuring Local User Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45

Configuring AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-45

Configuring Authentication with AAA . . . . . . . . . . . . . . . . . . . . . . 2-46

Configuring Authorization with AAA . . . . . . . . . . . . . . . . . . . . . . . 2-46

Configuring the TACACS+ Server for Accounting . . . . . . . . . . . . 2-47

Defining a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48

Defining a TACACS+ Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48

Enabling 802.1X Supplicant Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-48

3 Configuring Ethernet Interfaces

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

Configuring the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3

Enabling the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

Configuring an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Assigning a Static IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

Configuring the Ethernet Interface as a DHCP Client . . . . . . . . . . 3-5

Configuring the Ethernet Interface as an Unnumbered Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Setting the Speed and the Duplex Settings . . . . . . . . . . . . . . . . . . . . . 3-10

Configuring the Line for Half-Duplex or Full-Duplex . . . . . . . . . . . . . 3-11

Setting the MTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

Adding a Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Summary of Ethernet Configuration Settings . . . . . . . . . . . . . . . . . . . 3-13

Configure VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15

Configuring VLAN Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17

Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19


Viewing the Status of Ethernet Interfaces or Subinterfaces . . . . . . . . . . . 3-19

show interfaces Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19

show running-config Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21

Viewing the Configurations That Have Been Entered . . . . . . . . . 3-22

Viewing All the Configuration Settings Including Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22

Troubleshooting an Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24

show event-history Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25

debug interface ethernet Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Configuring the Ethernet Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

4 Configuring E1 and T1 Interfaces

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Overview of E1 and T1 WAN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

Elements of an E1- or T1-Carrier Line . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

Connecting Your Premises to the Public Carrier: the Local Loop . . . 4-4

External or Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

ProCurve Secure Router Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

E1 Modules with a Built-in DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Supported Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

T1 Modules with a Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

Supported Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9

E1 or T1 Interfaces: Configuring the Physical Layer . . . . . . . . . . . . . 4-10

E1 or T1 Interface Configuration Mode Context . . . . . . . . . . . . . 4-11

Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-12

Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-15

Clock Source, or Timing, for the E1- or T1-Carrier Line . . . . . . . 4-17

Transmit Signal Level (T1 Interfaces Only) . . . . . . . . . . . . . . . . . 4-18

Set the FDL (T1 Interfaces Only) . . . . . . . . . . . . . . . . . . . . . . . . . . 4-19

Activate the E1 or T1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

Threshold Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21

Types of Line Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-22


Viewing Information about E1 and T1 Interfaces . . . . . . . . . . . . . . . . . . . 4-26

show interfaces Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27

show running-config Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

show running-config verbose Command . . . . . . . . . . . . . . . . . . . . . . . 4-29

Troubleshooting E1 and T1 WAN Connections . . . . . . . . . . . . . . . . . . . . . 4-30

No Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

Red Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-32

Yellow Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-34

Green Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35

Viewing Performance Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-35

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-37

Configuring an E1 or T1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-38

5 Configuring Serial Interfaces for E1- and T1-Carrier Lines

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

Using the Serial Module for E1- or T1-Carrier Lines . . . . . . . . . . . . . . . . . . 5-3

Elements of an E1- or T1-Carrier Line . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

External or Built-in CSU/DSU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

Serial Module for the ProCurve Secure Router . . . . . . . . . . . . . . . . . . . 5-7

Standards Supported by the Serial Module . . . . . . . . . . . . . . . . . . 5-7

Serial Interface: Configuring the Physical Layer . . . . . . . . . . . . . . . . . . . . . 5-8

Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

Serial Interface Configuration Mode Context . . . . . . . . . . . . . . . . . . . 5-12

Configuring the Interface for the Appropriate Cable . . . . . . . . . . . . . 5-12

Configuring the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

Inverting et-clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

Inverting txclock or rxclock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13

Activating the Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14

Configuring the Data Link Layer Protocol . . . . . . . . . . . . . . . . . . . . . . 5-14


Viewing Information about the Serial Interface . . . . . . . . . . . . . . . . . . . . . 5-15

show interfaces serial Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15

show running-config interface Command . . . . . . . . . . . . . . . . . . . . . . 5-16

View All the WAN Connections Configured on the Router . . . . . . . . 5-17

Troubleshooting a Serial Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-17

Checking the LED for the Serial Module . . . . . . . . . . . . . . . . . . . . . . . 5-18

No Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

Red Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19

Yellow Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-20

Green Light . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down . . . . . . . . . . . . . . . . . . . . . . . . . 5-21

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

Configure a Serial Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22

6 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

Configuring the Logical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

PPP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Establishing a PPP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Creating a PPP Interface on the ProCurve Secure Router . . . . . . 6-6

Configuring an IP Address for the WAN Connection . . . . . . . . . . 6-8

Activating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10

Binding the Physical Interface to the Logical Interface . . . . . . . 6-10

PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11

Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16

Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-18

Frame Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-19

Packet-Switching Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-20

Components of a Frame Relay Network . . . . . . . . . . . . . . . . . . . . 6-21

DLCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-22

Create the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . . . . . . 6-23

Activate the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . . . . . 6-25

Define the Signaling Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-25

Define the Frame Relay Signaling Type . . . . . . . . . . . . . . . . . . . . 6-26

Configure Frame-Relay Counters . . . . . . . . . . . . . . . . . . . . . . . . . 6-26

Create the Frame Relay Subinterface . . . . . . . . . . . . . . . . . . . . . . 6-28

Assign a DLCI to the Frame Relay Subinterface . . . . . . . . . . . . . 6-28

Configure the IP Address for the WAN Connection . . . . . . . . . . 6-29

Set the CIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-33

Set the EIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-34

Bind the Physical Interface to the Logical Interface . . . . . . . . . . 6-35

Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-36

Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-38

Configuring HDLC as the Data Link Layer Protocol . . . . . . . . . . . . . . 6-39

Create the HDLC Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-39

Activate the HDLC Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-41

Configure an IP Address for the WAN Connection . . . . . . . . . . . 6-41

Bind the Physical Interface to the Logical Interface . . . . . . . . . . 6-43

Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-44

Settings Explained in Other Chapters . . . . . . . . . . . . . . . . . . . . . . 6-46

Example Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-46

Checking the Status of Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53

View the Status of Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-53

Viewing the Status of PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . 6-53

Viewing the Status of Frame Relay Interfaces and Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-55

Viewing the Status of HDLC Interfaces . . . . . . . . . . . . . . . . . . . . . 6-57

Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . 6-57

Troubleshooting Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58

Troubleshooting the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-58

Troubleshooting PPP Authentication . . . . . . . . . . . . . . . . . . . . . . 6-62

Troubleshooting the Frame Relay Interface . . . . . . . . . . . . . . . . . . . . 6-65

Troubleshooting HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-69

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70

PPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-70

PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-71

Requiring the Peer to Authenticate Itself . . . . . . . . . . . . . . . . . . . 6-72

Authenticating to a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-72

Frame Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-73

HDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-75

7 ADSL WAN Connections

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

ADSL Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4

ADSL Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

ADSL2 and ADSL2+: Enhancing Transmission Speeds . . . . . . . . 7-5

READSL: Supporting Greater Distances . . . . . . . . . . . . . . . . . . . . . 7-6

Elements of an ADSL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6

ADSL Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

ADSL Annex A and Annex B: Sharing the Line with Analog or ISDN Voice Traffic . . . . . . . . . . . . . . . . . . . . . . . . . 7-8

ADSL Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9

ADSL Without Splitters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10

ADSL Modules for the ProCurve Secure Router . . . . . . . . . . . . . . . . . . . . 7-11

Configuring the ADSL Interface: the Physical Layer . . . . . . . . . . . . . 7-12

Accessing the ADSL Interface Configuration Mode Context . . . 7-12

Activating the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Defining the Training Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-13

Setting the SNR-Margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-15

Monitoring the SNR-Margin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16

Manually Forcing Retraining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-16

Configuring the Data Link Layer for the ADSL Connection . . . . . . . 7-17

Creating the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Activating the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17

Configuring a Subinterface for each PVC . . . . . . . . . . . . . . . . . . . . . . 7-18

Creating the Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-18

Activating the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19

Configuring the VPI/VCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19

Defining the ATM Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . 7-20

Assigning the ATM Subinterface an IP Address . . . . . . . . . . . . . . 7-20

OAM Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-26

Bind the ADSL Interface to the ATM Interface . . . . . . . . . . . . . . . . . . 7-27

Additional Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-27

PPPoE Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-28

Two Phases for Establishing a PPPoE Session . . . . . . . . . . . . . . . . . . 7-29

Discovery Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-29

PPP Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-31

Creating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-32

Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-33

Binding the ATM Subinterface to the PPP Interface . . . . . . . . . . . . . 7-33

Identifying the Access Concentrator . . . . . . . . . . . . . . . . . . . . . . . . . . 7-34

Identifying PPPoE Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35

PPPoA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-35

Creating the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37

Assigning an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-37

Binding the ATM Subinterface to the PPP Interface . . . . . . . . . . . . . 7-38

Routed Bridged Encapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-39

Viewing the Status and Configuration of Interfaces . . . . . . . . . . . . . . . . . 7-41

Viewing the Status of the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . 7-41

Viewing the Status of the ATM Interface and Subinterface . . . . . . . . 7-44

Troubleshooting the ADSL Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46

Troubleshooting the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46

Identifying the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-46

debug interface adsl events Command . . . . . . . . . . . . . . . . . . . . . 7-47

Troubleshooting the ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-48

Troubleshooting the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . 7-49

debug atm oam Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-49

Troubleshooting PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-50

Troubleshooting the PPPoE Discovery Process . . . . . . . . . . . . . 7-50

show pppoe Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-51

Clear a PPPoE Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52

debug pppoe client Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-52

Troubleshooting the PPP Link Establishment Process . . . . . . . . . . . 7-52

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-54

Configure the Physical Layer: the ADSL Interface . . . . . . . . . . . . . . . 7-54

Configure the Data Link Layer: the ATM Interface and Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-56

Configure ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-56

Configure RBE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-58

Configure PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-59

Configure PPPoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-61

8 Configuring Demand Routing for Primary ISDN Modules

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

Overview of ISDN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-4

Elements of an ISDN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

The Local Loop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-5

ISDN Interfaces: Connecting Equipment to the ISDN Network . . . . . 8-8

Line Coding for ISDN BRI Connections . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

ISDN Data Link Layer Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

LAPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

Q.931 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11

Call Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-11

ProCurve Secure Router ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13

Primary ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-15

Using Demand Routing for ISDN Connections . . . . . . . . . . . . . . . . . . . . . . 8-16

Define the Traffic That Triggers the Connection . . . . . . . . . . . . . . . . 8-18

Specifying a Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-19

Defining the Source and Destination Addresses . . . . . . . . . . . . . 8-20

Configuring the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-22

Creating the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-23

Configuring an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-24

Matching the Interesting Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-26

Specifying the connect-mode Option . . . . . . . . . . . . . . . . . . . . . . 8-29

Associating a Resource Pool with the Demand Interface . . . . . . 8-30

Defining the Connect Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-30

Specify the Order in Which Connect Sequences Are Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-32

Configure the Number of Connect Sequence Attempts . . . . . . . 8-33

Configure Settings for the Recovery State . . . . . . . . . . . . . . . . . . 8-33

Understanding How the connect-sequence Commands Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-35

Configuring the idle-timeout Option . . . . . . . . . . . . . . . . . . . . . . . 8-37

Configuring the fast-idle Option . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-38

Defining the caller-number Option . . . . . . . . . . . . . . . . . . . . . . . . 8-38

Defining the called-number Option . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Configuring the Hold Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-39

Configuring the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40

Accessing the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-40

Configuring the ISDN Signaling (Switch) Type . . . . . . . . . . . . . . 8-41

Configuring a SPID and LDN for ISDN BRI U Modules . . . . . . . 8-42

Configuring an LDN for BRI S/T Modules . . . . . . . . . . . . . . . . . . . 8-43

Activating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43

Caller ID Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-43

Configuring the ISDN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44

Creating an ISDN Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-44

Assigning BRI Interfaces to the ISDN Group . . . . . . . . . . . . . . . . 8-44

Assigning the ISDN Group to a Resource Pool . . . . . . . . . . . . . . 8-45

Configuring the incoming-accept-number . . . . . . . . . . . . . . . . . . 8-45

Configuring a Static Route for the Demand Interface . . . . . . . . . . . . 8-46

Example of a Successful Demand Interface Call . . . . . . . . . . . . . . . . 8-48

MLPPP: Increasing Bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-50

Configuring MLPPP for Incoming Calls . . . . . . . . . . . . . . . . . . . . 8-50

Configuring MLPPP for Demand Interfaces . . . . . . . . . . . . . . . . . 8-51

Example of MLPPP with Demand Routing . . . . . . . . . . . . . . . . . . 8-52

Configuring PPP Authentication for an ISDN Connection . . . . . . . . 8-53

Enabling PPP Authentication for All Demand Interfaces . . . . . . 8-54

Configuring PAP Authentication for a Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54

Configuring CHAP Authentication for a Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-54

Configuring the Username and Password That the Router Expects to Receive . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55

Configuring Peer IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-55

Example of Demand Routing with PAP Authentication . . . . . . . . . . 8-55

Setting the MTU for Demand Interfaces . . . . . . . . . . . . . . . . . . . . . . . 8-56

Configuring an ISDN Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-57

Using Call Types and Patterns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-59

Default ISDN Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-60

Viewing Information about Demand Routing . . . . . . . . . . . . . . . . . . . . . . . 8-61

Viewing the Status of the Demand Interface . . . . . . . . . . . . . . . . . . . . 8-61

Viewing a Summary of Information about the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-63

Viewing the Status of the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . 8-64

Viewing Demand Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-66

Viewing the Resource Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-67

Show the Running-Config for the Demand Interface . . . . . . . . . . . . . 8-67

Troubleshooting Demand Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68

Checking the Demand Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-68

Checking the BRI Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-69

Checking the ACL That Defines the Interesting Traffic . . . . . . . . . . . 8-71

Troubleshooting the ISDN Connection . . . . . . . . . . . . . . . . . . . . . . . . 8-72

Test Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-73

Line Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-75

Troubleshooting with Loopbacks . . . . . . . . . . . . . . . . . . . . . . . . . 8-75

Troubleshooting PPP for the ISDN Connection . . . . . . . . . . . . . . . . . 8-75

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-76

9 Configuring the E1 + G.703 and T1 + DSX-1 Modules

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1

Using an E1- or T1-Carrier Line for Data and Voice . . . . . . . . . . . . . . . . . . . 9-3

Drop-and-Insert Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3

Standards Supported by the Drop-and-Insert Modules . . . . . . . . . 9-3

Configuring the E1 + G.703 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4

Configuring the E1 Interface for Data Communications . . . . . . . . . . . 9-5

Assigning Channels to the E1 Interface . . . . . . . . . . . . . . . . . . . . . 9-5

Setting the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7

Accessing the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7

Configuring Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7

Configuring Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8

Enabling TS16 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9

Activating the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-10

Checking the Status of the G.703 Interface . . . . . . . . . . . . . . . . . . . . . 9-10

Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-11

Troubleshooting the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-12

Alarms or Errors That Will Not Clear . . . . . . . . . . . . . . . . . . . . . . 9-12

Yellow Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13

Interface Is Accruing Errored Seconds and Clock Slips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13

Configuring the T1 + DSX-1 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13

Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-13

Configuring the T1 Interface for Data Communications . . . . . . . . . . 9-14

Assigning Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-14

Setting the Clock Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-15

Accessing the T1 Interface for the DSX-1 Port . . . . . . . . . . . . . . . . . . 9-16

Configuring Line Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-16

Configuring Frame Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-17

Setting the Line Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18

Configuring Signaling Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-18

Activating the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-19

Checking the Status of the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . 9-19

Viewing Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

Troubleshooting the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-20

Alarms or Errors That Will Not Clear . . . . . . . . . . . . . . . . . . . . . . 9-20

Yellow Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21

Interface Is Accruing Errored Seconds and Clock Slips . . . . . . . 9-21

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-21

Configuring the E1 + G.703 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22

Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22

Configuring the E1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-22

Configuring the G.703 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-23

Configuring the T1 + DSX-1 Module . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24

Making the Physical Connection . . . . . . . . . . . . . . . . . . . . . . . . . . 9-24

Assigning the Channels to the T1 Interface . . . . . . . . . . . . . . . . . 9-24

Configuring the DSX-1 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 9-25

10 Bridging—Transmitting Non-IP Traffic or Merging Two Networks

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-3

Transmitting Non-IP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Merging Two Remote Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4

Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5

Configuring a Bridge Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6

Assigning an Interface to the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6

Disabling IP Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7

Viewing the Bridge Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8

Troubleshooting Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-10

Configuring Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-11

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12

STP BPDUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-12

STP States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-13

RSTP Improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-14

RSTP and STP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17

Configuring RSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-17

Determining Which Device Becomes Root: Setting the Router’s Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-18

Determining Which Links Are Chosen: Setting Link Cost . . . . 10-18

Setting Interface Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-19

Altering Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-22

Configuring STP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-23

Using the BPDU Filter to Disable STP or RSTP . . . . . . . . . . . . . . . . 10-23

Troubleshooting Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24

Testing Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-24

Addressing Common Spanning Tree Problems . . . . . . . . . . . . . . . . . 10-25

Slow Convergence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-27

Incorrect Path Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-28

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-29

11 IP Routing—Configuring Static Routes

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-3

Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4

Network Addresses and Subnet Masks . . . . . . . . . . . . . . . . . . . . . 11-4

Classful Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5

CIDR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-6

Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7

Destination Network Address and Subnet Mask . . . . . . . . . . . . . 11-7

Next-Hop Address and Forwarding Interface . . . . . . . . . . . . . . . 11-8

Administrative Distance and Metric . . . . . . . . . . . . . . . . . . . . . . . 11-8

Other Information Stored in a Route . . . . . . . . . . . . . . . . . . . . . . . 11-9

Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9

Dynamic Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-10

Static Routing Versus Dynamic Routing . . . . . . . . . . . . . . . . . . . . . . 11-10

Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11

Fast Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-12

Configuring Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13

Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14

Configuring a Floating Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16

Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-17

Configuring a Route through the Null Interface . . . . . . . . . . . . . . . . 11-18

Configuring Load Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-20

Enabling Fast Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-22

Troubleshooting Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23

Monitoring the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-23

Using the Routing Table to Troubleshoot Static Routing . . . . . 11-25

Monitoring Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-26

Clearing Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-27

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30

Static Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-30

Connecting Simple Remote Sites . . . . . . . . . . . . . . . . . . . . . . . . . 11-30

Routing Traffic to an ISP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-31

12 Domain Name System (DNS) Services

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Host and Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Host Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-3

Authoritative and Caching Name Servers . . . . . . . . . . . . . . . . . . . . . . 12-4

DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4

ProCurve Secure Router DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . 12-5

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6

Static DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7

Custom DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7

Configuring DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8

Enabling DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8

Adding an Entry to the Router’s Host Table . . . . . . . . . . . . . . . . . . . . 12-9

Specifying DNS Server Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10

Enabling the Router to Act as a Name Server . . . . . . . . . . . . . . . . . . 12-10

Troubleshooting DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11

Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11

Debugging DNS Server Activity . . . . . . . . . . . . . . . . . . . . . . . . . . 12-11

Debugging DNS Client Activity . . . . . . . . . . . . . . . . . . . . . . . . . . 12-14

Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-15

Opening an Account with DynDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16

Configuring the Interface’s IP Address . . . . . . . . . . . . . . . . . . . . . . . . 12-16

Setting a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-16

Specifying a Static Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17

Activating the Dynamic DNS Client . . . . . . . . . . . . . . . . . . . . . . . . . . 12-17

Special Considerations for Configuring Custom DNS . . . . . . . . . . . 12-18

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-19

Configuring the ProCurve Secure Router as a DNS Client . . . . . . . 12-19

Configuring the ProCurve Secure Router as a Name Server . . . . . . 12-20

Configuring a Dynamic DNS Client on a ProCurve Secure Router Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-20

13 Dynamic Host Configuration Protocol (DHCP)

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-1

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3

DHCP Request Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-3

The ProCurve Secure Router as a DHCP Server . . . . . . . . . . . . . . . . . 13-4

The ProCurve Secure Router as a DHCP Client . . . . . . . . . . . . . . . . . 13-5

DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6

Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-6

Excluding Static Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7

Creating a DHCP Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-7

Specifying the Network Address and Subnet Mask . . . . . . . . . . . 13-8

Specifying the Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-9

Changing a Pool’s Lease Time . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-10

Specifying DNS, WINS, and Other Servers . . . . . . . . . . . . . . . . . 13-11

Specifying a Domain Name for the Subnet . . . . . . . . . . . . . . . . . 13-12

Specifying a Bootfile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-12

Configuring Parent and Child Pools . . . . . . . . . . . . . . . . . . . . . . . . . . 13-13

Example DHCP Pool Configuration . . . . . . . . . . . . . . . . . . . . . . 13-14

Assigning a Fixed Address to a Host through a DHCP Server . . . . 13-14

Configuring DHCP Scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-15

Configuring the DHCP Server’s Ping Settings . . . . . . . . . . . . . . . . . . 13-17

Managing and Troubleshooting the DHCP Server . . . . . . . . . . . . . . . . . . 13-18

Viewing DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19

Monitoring the DHCP Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-19

Clients Unable to Receive a DHCP Address . . . . . . . . . . . . . . . . 13-20

Client Receiving the Wrong Fixed DHCP Address . . . . . . . . . . 13-21

Configuring a Router Interface as a DHCP Client . . . . . . . . . . . . . . . . . . 13-21

Configuring a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-22

Setting an Interface’s Client ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-23

Setting the Interface’s Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-24

Preventing the Interface from Taking Other Configurations . . . . . . 13-24

Configuring a Static Hostname for an Interface with a Dynamic Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-25

Managing and Troubleshooting the DHCP Client . . . . . . . . . . . . . . . . . . 13-26

Viewing the Interface’s Lease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-26

Releasing and Renewing Dynamic Addresses . . . . . . . . . . . . . . . . . . 13-27

Monitoring DHCP Client Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-27

Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-30

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13-32

Configuring a DHCP Server for a Network . . . . . . . . . . . . . . . . . . . . 13-33

Assigning a Fixed DHCP Address to a Single Host . . . . . . . . . . . . . . 13-34

Configuring a Router Interface as a DHCP Client . . . . . . . . . . . . . . . 13-36

14 Using the Web Browser Interface for Basic Configuration Tasks

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-1

Configuring Access to the Web Browser Interface . . . . . . . . . . . . . . . . . . 14-4

Enabling Access to the Web Browser Interface . . . . . . . . . . . . . . . . . 14-4

Managing Files, Firmware, Boot Software, and the AutoSynch™ Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5

The AutoSynch™ Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-5

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-7

Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-10

Reboot Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-13

Telnet to Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-14

Enabling IP Services on the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-15

Web Access Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-17

Configuring Passwords to Control Management Access to the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18

Encrypting All the Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-18

Configuring a Local User List: Passwords for Web, SSH, and FTP Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-19

Configuring an Enable Mode Password . . . . . . . . . . . . . . . . . . . . . . . 14-21

Configuring a Password for Telnet Access . . . . . . . . . . . . . . . . . . . . 14-22

Configuring a Password for Console Access . . . . . . . . . . . . . . . . . . . 14-23

Configuring a Password for SSH Access . . . . . . . . . . . . . . . . . . . . . . 14-24

Configuring a Password for HTTP Access . . . . . . . . . . . . . . . . . . . . . 14-25

Configuring a Password for FTP Access . . . . . . . . . . . . . . . . . . . . . . 14-26

Using the AAA Subsystem to Control Management Access . . . . . . 14-27

Configuring Authentication Using a RADIUS Server . . . . . . . . 14-28

Configuring Authentication Using a TACACS+ Server . . . . . . . 14-29

Configuring Ethernet Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-31

IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-32

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-33

Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34

Ethernet Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-34

Releasing/Renewing a DHCP IP Address . . . . . . . . . . . . . . . . . . . . . . 14-34

Configuring PPPoE for the Ethernet Interface . . . . . . . . . . . . . . . . . 14-35

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-37

Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-37

View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . . . . 14-38

Configuring E1 and T1 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-39

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-42

Configuring a Serial Interface for an E1- or T1-Carrier Line . . . . . . . . . 14-44

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46

Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-46

Configure PPP as the Data Link Layer Protocol . . . . . . . . . . . . . . . . 14-47

IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-48

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49

Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-49

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50

PPP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50

Requiring a Peer to Authenticate Itself to the Local Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-50

Configuring the Local Router to Authenticate Itself to a Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-51

Configure Frame Relay as the Data Link Layer Protocol . . . . . . . . . 14-52

Configure a Permanent Virtual Circuit (PVC) . . . . . . . . . . . . . . 14-54

Configure IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56

Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-56

Configure HDLC as the Data Link Layer Protocol . . . . . . . . . . . . . . 14-58

IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-60

Configuring ADSL Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-61

Configure an ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63

Configure the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63

Configuring ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-66

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-68

Configuring PPPoE or PPPoA for the ADSL Connection . . . . . . . . 14-68

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70

Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70

View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . 14-70

ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-71

E1 + G.703 and T1 + DSX-1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-74

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-76

Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77

Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77

Configuring the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . 14-80

Viewing a Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-81

Setting Global Spanning Tree Parameters . . . . . . . . . . . . . . . . . 14-82

Configuring Spanning Tree Settings for Individual Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-84

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86

Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86

Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-88

DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89

Configuring DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89

Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-91

Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94

Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94

Configuring a DHCP Pool for a Subnet . . . . . . . . . . . . . . . . . . . . 14-95

Assigning a Single Host a Fixed Address . . . . . . . . . . . . . . . . . . 14-97

Configuring an Interface as a DHCP Client . . . . . . . . . . . . . . . . . . . . 14-98

Configuring UDP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-100

A Appendix A: Configuring the Router to Boot from Compact Flash

Updating the Boot Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1

B Appendix B: Glossary

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B-1

1 Overview

Contents

Using This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5

Understanding Command Syntax Statements . . . . . . . . . . . . . . . . . . . . 1-5

CLI Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

IP Address Notation Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Quick Starts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Obtaining Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Downloading Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8

Interface Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Web Browser Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Accessing the Web Browser Interface . . . . . . . . . . . . . . . . . . . . . 1-11

Using the ProCurve Web Browser Interface . . . . . . . . . . . . . . . . 1-12

Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

ProCurve Secure Router Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13

Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

E1 and T1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16

ISDN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18

Backup Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19

Wide-Slot Option Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20

Interface Numbering Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22

Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Power LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

Fault LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23

LEDs for Slots 1 and 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24

Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24

Backup LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Tx and Rx LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Slot 3 LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25

Status LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Activity LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Test LED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Ethernet and Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-26

Activity LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Link LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Optional IPSec VPN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27

Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28

Redundant Power Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29

Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29

Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30

Bootup Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30

Advantages of Booting From Compact Flash . . . . . . . . . . . . . . . . 1-32

Setting Up a Compact Flash Card From Which to Boot the Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33

Saving Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33

AutoSynch™ Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34

Secure Router OS Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34

Basic Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36

Enable Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36

Global Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37

Commands Available in the Basic, Enable, or Global Configuration Mode Contexts . . . . . . . . . . . . . . . . . . . . . . 1-39

Basic Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39

Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39

Enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-39

Logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40

Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-40

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41

Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42

Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42

Terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Wall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Enable Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-43

Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44

Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45

Configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46

Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46

Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49

Dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-49

Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50

Erase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50

Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51

Reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51

Show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51

Undebug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56

Write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-56

show tech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57

Updating the Boot Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-59

Global Configuration Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . 1-60

hostname Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60

autosynch Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-60

Support for SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61

SafeMode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-61

Help Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64

CLI Help Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64

Editing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-64

no . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

Bootstrap Mode Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-66

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70

Compact Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70

AutoSynch™ Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-70

Using the reload in Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-72

Managing Configuration Files Using a Text Editor . . . . . . . . . . . . . . . . . . 1-73

Creating and Transferring Configuration Files . . . . . . . . . . . . . . . . . . 1-75

Configuration File Transfer Using the Console Port . . . . . . . . . . 1-76

Configuration File Transfer Using a TFTP Server . . . . . . . . . . . . 1-78

Configuration File Transfer Using a Compact Flash Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-81

Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83

Accessing the Secure Router OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-83

Using This Guide

The ProCurve Secure Router Management and Configuration Guide describes how to use the ProCurve Secure Router 7000 series in a network environment. Specifically, it focuses on two models:

■ ProCurve Secure Router 7102dl

■ ProCurve Secure Router 7203dl

This guide describes how to use the command line interface (CLI) and the Web browser interface to configure, manage, monitor, and troubleshoot basic router operation. In particular, this guide focuses on configuring the router’s physical interfaces and basic Data Link Layer protocols to establish LAN and WAN connections.

This guide assumes that your router uses the J04_01 SROS image or later. If the router runs J_03 or earlier, see the ProCurve Secure Router 7000dl Series Management and Configuration Guide for instructions.

If you need information on how to configure advanced router functions such as virtual private networks (VPNs), multilink connections, backup connections, network address translation (NAT), quality of service (QoS), multicasting, or routing protocols, see the ProCurve Secure Router Advanced Management and Configuration Guide.

Understanding Command Syntax Statements

This guide uses the following conventions for command syntax and information.

Syntax: show access-lists [<listname>]

Syntax: [permit | deny] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]

■ Carats ( < > ) enclose a description of a command element, a part of the command in which you enter information specific to your particular router or WAN. For example, in the first command shown above, you replace <listname> with the name of a particular access control list (ACL) configured on your router.

■ Square brackets ( [ ] ) are used in two ways:

• They enclose a set of options. When entering the command, you select one option from the set. For example, in the second command shown above, you would enter any or host <A.B.C.D> or <A.B.C.D> <wildcard bits>.

• They indicate an optional element. You can include the optional element in the command, but it is not required.

■ Vertical bars ( | ) separate alternative, mutually exclusive elements.

■ Carats within square brackets ( [ < > ] ) indicate that you may optionally add the information specific to your router or WAN to the command. For example, in the first command above, you can either replace <listname> with the name of a specific ACL or not enter a name at all to view all ACLs.

■ Braces ( { } ) indicate an embedded option.

■ Bold typeface is used for simulations of actual keys. For example, the “Y” key appears as y.

■ Italics indicate an element that you must replace with information that is specific to your router or WAN.

When examples of commands are included in this guide, the guide notes the context required for the command and displays the context as it appears in the CLI.

CLI Prompt

When you first boot up your ProCurve Secure Router, the CLI prompt indicates the router model:

ProCurveSR7102dl>

ProCurveSR7203dl>

For simplicity, throughout this manual the CLI prompt will be shown as:

ProCurve>

You can change the name displayed at the prompt of your router by changing the router’s hostname. See “hostname Command” on page 1-60 for instructions.

IP Address Notation Convention

You must sometimes enter an IP address or addresses as part of a command. For example, you might need to assign an IP address to a logical interface on the ProCurve Secure Router, or you might need to enter an IP address to be filtered by an ACL.

When you enter IP addresses, you must use one of the following formats:

■ IP address with subnet mask:

Syntax: ip address 192.168.1.1 255.255.255.0

■ IP with Classless Inter-Domain Routing (CIDR) notation (prefix length):

Syntax: ip address 192.168.1.1 /24

Quick Starts

Each chapter includes a Quick Start section that provides the instructions you need to quickly configure the functions described in that chapter on your ProCurve Secure Router. Designed for experienced network administrators, the Quick Start sections provide minimal explanation.

The first time you perform a task, ProCurve Networking strongly recommends that you read the entire chapter so you thoroughly understand how to manage the ProCurve Secure Router. If you begin to use the Quick Start instructions and find that you need additional information about a specific aspect of the configuration, check the “Contents” for that chapter to locate the section that contains the explanation you need.

The Quick Start section is located at the end of each chapter. For the specific page number, consult the “Contents” pages located at the beginning of each chapter.

Obtaining Additional Information

You will need the Adobe® Acrobat® Reader to view, print, or copy product documentation. To obtain the additional documentation, follow these steps:

1. Access the ProCurve Networking Web site at http://www.procurve.com.

2. Click Technical support in the bar on the left side of the screen, and then click Product manuals. (See Figure 1-1.)

3. Click the name of the product for which you want documentation.

4. On the resulting Web page, double-click the document you want.

5. When the document file opens, click the disk icon in the Acrobat® toolbar and save a copy of the file.

Figure 1-1. The ProCurve Technical Support Web Page

Downloading Software Updates

ProCurve Networking periodically updates the router software to include new features. You can download software updates and the corresponding release notes from ProCurve Networking’s Web site as described below.

To download software, complete the following steps:

1. Access the ProCurve Networking Web site at http://www.procurve.com.

2. Click Software updates (in the sidebar). (See Figure 1-2.)

3. Under Latest software, click Secure Router 7000dl Series.

Figure 1-2. Downloading Software Updates

Release notes are included with the software updates and provide information about:

■ new features and how to configure and use them

■ software management, including downloading the new software to the router

■ software fixes addressed in current and previous releases

Interface Management Options

The ProCurve Secure Router includes two management interfaces: the command line interface (CLI) and the Web browser interface.

CLI

To initially access the CLI, connect the COM port on your workstation to the console port on the front panel of the router. Use the serial cable (5184-1894) that was shipped with the ProCurve Secure Router. Then run terminal session software such as Tera Term or Hyper Terminal on your workstation, setting the following parameters for the session:

■ Baud Rate = 9600

■ Parity = None

■ Data Bits = 8

■ Stop Bits = 1

■ Flow Control = None

Using the CLI provides you an organized, linear path to help you configure your router. This guide will focus primarily on configuring the router through the CLI.

Web Browser Interface

You can also manage the ProCurve Secure Router through the Web browser interface, which allows you to navigate the router’s operating system (OS) in a GUI environment. Even if you are a dedicated CLI user, you should try out this easy-to-use Web browser interface. You will find it especially helpful for more complicated tasks such as configuring access control policies (ACPs) and virtual private networks (VPNs). (See Figure 1-3.) In fact, the Web browser interface provides wizards to help you configure VPNs, the router’s built-in firewall, or QoS for VoIP.

Figure 1-3. Configuring ACPs Using the Web Browser Interface

Accessing the Web Browser Interface

To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router. You must also enable the HTTP server on the router and configure a password for HTTP access. (For information about enabling access to the Web browser interface, see “Enabling Access to the Web Browser Interface” on page 14-4.)

Using the ProCurve Web Browser Interface

The ProCurve Web browser interface is organized into the following sections:

■ System

■ Router/Bridge

■ Firewall

■ VPN

■ Utilities

The System section of the interface contains general router functions. In this section, you can:

■ configure WAN and LAN connections

■ configure IP services

■ enable the Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers

■ set the router’s hostname and add entries to the DNS host table

■ configure Link Layer Discovery Protocol (LLDP) settings

You can also click Getting Started to display a help menu, or select System Summary to display information about the router. Click Physical Interfaces for a list of interfaces (including status and type) on your router.

The Router/Bridge section allows you to configure the router’s bridging and routing functions. You can set a default gateway, configure the IP interfaces, set up quality of service (QoS) maps and routing protocols, and add entries to the route table. You can also configure the router to act as a bridge and participate in a spanning tree.

The firewall wizard can be found in the Firewall section. Click Firewall Wizard to open the wizard in a new window. The wizard guides you through establishing policies for controlling access to your network. From the Firewall section, you can also enable specific application-level gateways (ALGs) and set protocol timeouts.

The VPN section includes a wizard that simplifies the process of configuring an IPSec-compliant VPN. The VPN section eliminates the difficulty of remembering the many commands necessary for configuring a VPN in the CLI. The VPN section only appears in the Web browser interface if you have installed an optional IPSec encryption module in the rear panel of your router.

You can perform most of your file maintenance in the Utilities section. Click Configure to complete tasks such as saving, downloading, uploading, and deleting files. You can also click Firmware to view information about your router’s current OS and upload any necessary upgrades. You can click Reboot and restart the router, and you can also set up a Telnet session by clicking Telnet to Unit.

Note: In the CLI, boot and configuration files are referred to as software. In the Web browser interface, the boot and configuration files are called firmware.

For more information on how to configure your ProCurve Secure Router using the Web browser interface, see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.

Hardware Overview

This section provides a brief overview of external features, slots, and modules on the ProCurve Secure Router 7000dl Series. The ProCurve Secure Router 7000dl Series includes two models: the ProCurve Secure Router 7102dl and the ProCurve Secure Router 7203dl. Both models include two narrow module slots. The ProCurve Secure Router 7203dl also includes one wide module slot.

ProCurve Secure Router Front Panel

To make accessing the router and connecting it to other devices more convenient, the console interface and all physical link ports are located on the front panel of the router. The front panel of each router includes two Ethernet interfaces and two narrow dl option module slots that can house your two choices from among ten narrow modules. The ProCurve Secure Router 7203dl also provides a wide module slot to support up to eight additional T1 or E1 lines.

The following sections briefly introduce the features on the front of your ProCurve Secure Router.

Console Port

The console port, which is a DB-9 DTE male connector, allows you to manage the ProCurve Secure Router locally. To access the CLI, use the serial cable (5184-1894) supplied with the router to connect the console port to the COM port on your laptop or PC. (See Figure 1-4.)

Figure 1-4. Connecting to the Console Port

Ethernet Ports

Because the two Ethernet ports are not modular, they are assigned a fixed slot and port number. For interface notation purposes, these ports are labeled Eth 0/1 and Eth 0/2. (See Figure 1-5.)

Figure 1-5. Connecting to the Two Ethernet Ports

The Ethernet ports support a 10 Mbps or a 100 Mbps connection. Connect these ports to your LAN using 10Base-T or 100Base-T cabling with an RJ-45 connector that meets the EIA/TIA-568-A and 568-B standards. For a 10 Mbps connection, use a Category 3 cable or better. For a 100 Mbps connection, use a Category 5 cable or better.

Slots

The ProCurve Secure Router models 7102dl and 7203dl are both equipped with two narrow slots. (See Figure 1-6.)

Figure 1-6. Two Narrow Slots

Each slot can house one of the ten narrow modules available for WAN connections. (See Table 1-1.)

Table 1-1. Narrow Slot Modules

| Module | Type of Module | Explanation |
|---|---|---|
| E1 modules: one-port module, two-port module | E1 module with integrated DSU | supports E1-carrier lines when the service provider does not provide an external DSU |
| T1 modules: one-port module, two-port module | T1 module with integrated CSU/DSU | supports T1-carrier lines when the service provider does not provide an external CSU/DSU |
| E1 + G.703 module | E1 for data and analog voice | allocates some channels of the E1-carrier line for data transmission and some channels for voice (through a PBX) |
| T1 + DSX-1 module | T1 for data and analog voice | allocates some channels of the T1-carrier line for data transmission and some channels for voice (through a PBX) |
| serial module | T1- or E1-carrier line that connects to an external CSU/DSU using a serial connector | supports E1- or T1-carrier lines when the service provider provides an external CSU/DSU |
| ADSL2+ Annex A module | ADSL2+ for most regions of North America | provides up to 25 Mbps downstream and 1.544 Mbps upstream; enables analog voice traffic to be transmitted at lower frequencies on the local loop |
| ADSL2+ Annex B module | ADSL2+ for Germany and other areas of the world | provides up to 25 Mbps downstream and 1.544 Mbps upstream; enables Integrated Services Digital Network (ISDN) voice and fax traffic to be transmitted at lower frequencies on the local loop |
| ISDN module (two ports) | ISDN BRI for voice and data | provides cost-efficient, dial-up WAN access |

Note: For information on these or additional modules, please check the ProCurve Web site at www.procurve.com. Click on Products & Solutions in the left bar, then click on Secure Router 7000dl series under WAN.

E1 and T1 Modules

E-carrier lines are used in Europe, Asia, Australia, and South America. T-carrier lines are used in the United States, Canada, and, to some degree, in Japan.

Note: Japan uses J-carrier lines for voice and both T-carrier and E-carrier lines for data. J-carrier lines are not supported by the ProCurve Secure Router.

The type of module you purchase to support your E1 or T1 WAN connection depends on how your public carrier implements the Channel Service Unit/Digital Service Unit (CSU/DSU) that is required for E1- and T1-carrier lines. The CSU/DSU has two main functions. The DSU accepts traffic from the router and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. The CSU then generates the signal to be sent across the WAN.

The public carrier can provide:

■ the CSU/DSU as one complete unit

■ only the CSU

■ neither the CSU nor the DSU

Common practice varies depending on the region in which the public carrier operates. In Europe, Asia, Australia, or South America, the public carrier will either provide the CSU/DSU or just the CSU. In North America, the public carrier will provide the CSU/DSU, or the public carrier will not provide either the CSU or DSU. (For more information about E1- and T1-carrier lines, see Chapter 4: Configuring E1 and T1 Interfaces.)

E1 Modules. If you are leasing an E1-carrier line and the public carrier provides only the CSU, you will need to purchase one of the E1 modules, which include a built-in DSU. (See Figure 1-7.) You can select:

■ a one-port E1 module, which supports a full E1-carrier line (32 channels or 2.048 Mbps)

■ a two-port E1 module, which provides 2.048 Mbps on each interface (4.096 Mbps total)

■ an E1 + G.703 module, which enables you to use some channels for data and some channels for voice

Figure 1-7. E1 Modules

T1 Modules. If you are leasing a T1-carrier line and the public carrier does not provide a CSU/DSU, you will need to purchase one of the three narrow slot T1 modules, which include a built-in CSU/DSU. (See Figure 1-8.) Select:

■ a one-port T1 module, which supports a full T1-carrier line (24 channels or 1.544 Mbps)

■ a two-port T1 module, which provides 1.544 Mbps on each interface (3.088 Mbps total)

■ a T1 + DSX-1 module, which enables you to use some channels for data and some channels for voice

Figure 1-8. T1 Modules

Serial Module. If you lease an E1- or T1-carrier line and the public carrier provides an external CSU/DSU, you will need to purchase the serial module. (See Figure 1-9.)

Figure 1-9. Serial Module

ADSL2+ Annex A or Annex B Module. The ADSL2+ modules provide bandwidth up to 25 Mbps downstream and 1.544 Mbps upstream. Because ADSL also supports analog voice on the local loop, existing telephone equipment and fax machines can continue to carry traffic on the same line. The ADSL2+ Annex A module supports analog voice over the Plain Old Telephone Service (POTS). The ADSL2+ Annex B module supports ISDN voice and fax traffic. (See Figure 1-10.)

Figure 1-10. ADSL Modules

ISDN Module

The two-port ISDN module provides two Basic Rate Interface (BRI) lines for dial-up connections. Each ISDN BRI line can deliver a maximum bandwidth of 128 Kbps. (See Figure 1-11.) The S/T interface module is most often used outside North America. The U interface module is used in WAN connections in the United States and Canada.

Figure 1-11. ISDN BRI Modules

Backup Modules

A backup connection protects a company’s WAN operations against system failure. Three types of backup modules are available for the ProCurve Secure Router:

■ ISDN BRI S/T backup module for use outside of North America—supports a 64 Kbps backup call or a bonded 128 Kbps call

■ ISDN BRI U backup module for use in the US and Canada—supports a 64 Kbps backup call or a bonded 128 Kbps call

■ VTU V.90 compliant analog modem—provides a connection speed of up to 56 Kbps

Note: Backup ISDN call bonding is currently a ProCurve proprietary technology. If you bond your BRI backup call, your router can only place the call to another ProCurve Secure Router.

With the ProCurve Secure Router, it is not necessary to devote an entire module slot for a backup connection. Each module includes a backup interface port. To activate the backup interface, you must purchase a separate backup module and install it on top of the module, as shown in Figure 1-12.

Figure 1-12. Installing a Backup Module on Top of a Narrow Slot Module

Each backup module can be used to back up any WAN connection on the router, no matter where the backup module is housed.

Wide-Slot Option Modules

The ProCurve Secure Router 7203dl includes a third, wide-module slot. ProCurve offers an eight-port E1/T1 module and an eight-port serial module. (See Figure 1-14 and Figure 1-15). This module supports both E1 and T1 formats and can be toggled between the two. The toggle switch is located on the top of the module. Set the switch to ON for E1 format; set the switch to 1 for T1 format. Figure 1-13 shows the location of the toggle switch on the module.

Figure 1-13. E1/T1 Toggle Switch

Note: Although the ProCurve Secure Router 7203dl can support up to 12 E1 or T1 lines, the router only supports enough throughput for up to 8 E1 or T1 lines.

You can configure each of the eight ports independently with separate clock sources, frame formats, and other specifications.

Figure 1-14. The Eight-port T1/E1 Module

Figure 1-15. The Eight-port T1/E1 Serial Module

Interface Numbering Conventions

When configuring a WAN connection, you will need to specify the slot and port of the physical interface that is providing the connection. The syntax for specifying a physical interface is <interface> <slot>/<port>.

Replace <interface> with the name of the interface. For example, for E1 interfaces, you would use e1, and for ADSL interfaces you would use adsl. For ISDN interfaces, use bri.

Replace <slot> with the slot number in which the module is inserted. The slots on the router are numbered from left to right. The left narrow slot is slot 1, and the slot to the right is slot 2. If you have a ProCurve Secure Router 7203dl, the wide module is installed in slot 3, the rightmost slot.

Finally, replace <port> with the number of the port on the module. Like the slots, the ports are numbered from left to right. The port number is printed below each port on the module. (See Figure 1-14.)

For example, if you have a two-port T1 module in slot one, you would configure the left T1 port by entering:

ProCurve(config)# interface t1 1/1

To configure the other T1 port, you would enter:

ProCurve(config)# interface t1 1/2

As mentioned earlier, the Ethernet interfaces are also labeled in <slot>/<port> notation as eth 0/1 and eth 0/2.

Status LEDs

ProCurve Secure Routers feature LEDs on the front panel to provide information about the condition of the router itself and of the modules you have installed. This section describes how to interpret these LEDs.

Power LED

The power LED indicates the router’s power status. (See Figure 1-16 for its location on the front panel.) It displays one of the following:

■ No light—The AC power input is off.

■ Solid green—The power is on.

Figure 1-16. Power and Fault LEDs

Fault LED

The fault LED is located directly below the power LED. (See Figure 1-16.) It flashes orange to indicate any fault condition, including:

■ a cooling fan failure

■ a failure in the option modules

If the power source in the ProCurve Secure Router 7102dl fails, the router turns off, as do its LEDs. However, the ProCurve Secure Router 7203dl features a redundant power source (RPS) outlet to provide greater network stability. When a problem occurs with the primary power source, the fault LED flashes orange, and the RPS begins to supply power to the ProCurve Secure Router. Problems with the primary power source include:

■ AC power not being received

■ primary AC/DC power converter failure

When the fault LED is flashing slowly on a ProCurve Secure Router 7203dl, the RPS is currently in use.

LEDs for Slots 1 and 2

Both the ProCurve Secure Router 7102dl and 7203dl have two columns of LEDs that report information about the modules installed in the narrow slots. As you would expect, column 1 reports information about the module in slot 1, and column 2 reports information about the module in slot 2. Each column contains four LEDs; each LED monitors a different aspect of the module’s Physical and Data Link Layer connections. (See Figure 1-17.)

Figure 1-17. Two Columns of LEDs Report Information about the Modules in Slots 1 and 2.

Status LEDs

The first LED in each column signals whether or not the module in the corresponding slot is functional and connected to the network. The status LED can display one of the following:

■ No light—No module has been installed, or the interface is administratively down. An interface is administratively down until you activate it.

■ Red—A module has been installed, and the corresponding interface has been activated, but no valid physical connection has been established. Red LEDs may also indicate other problems with the interface, such as:

• a self-test failure

• an active WAN alarm condition

■ Green—A module has been installed and activated, and the physical connection is up and operational.

■ Yellow—An interface on the module is being tested.

Backup LEDs

The second LED in each column reports the status of the backup module, if a backup module is installed. The LED in the first column corresponds to the backup module in slot one, and the LED in the second column corresponds to the module in slot two. The status LEDs for backup modules can display one of the following:

■ No light—A backup module has not been installed and activated.

■ Red—The backup module has been activated and configured, but a valid physical connection has not been made. A red LED may also indicate that the backup interface has received a WAN alarm or has failed a self-test.

■ Solid green—The module is ready to be used if a connection that it backs up should fail. For ISDN BRI backup modules, a solid green light further indicates that the module has completed negotiation with the switch.

■ Yellow—A self-test is in process.

■ Flashing green—The backup link is currently active.

Tx and Rx LEDs

The Tx and Rx LEDs signal WAN activity across the corresponding interface’s link. The third (Tx) LED in each column signals that the interface is transmitting data, and the fourth (Rx) LED indicates that the interface is receiving data. Tx and Rx LEDs signal the following:

■ Off—The link is inactive.

■ Green—Data is being transferred across the WAN or backup interface.

Slot 3 LEDs

The ProCurve Secure Router 7203dl includes a third column of LEDs that represent the wide module. Unlike the other columns of LEDs, this column includes only three LEDs. (See Figure 1-18.)

Figure 1-18. On the ProCurve Secure Router 7203dl, the Third Column LEDs Report on the Wide Module.

Status LED

The first LED reports on the status of the wide module, indicating whether the wide module is installed and functional.

■ No light—The module has not been installed or none of the interface ports have been activated.

■ Green—The module has been recognized and at least one interface is up.

■ Red—There is an active alarm condition on one of the interfaces.

Activity LED

The second LED reports activity across the WAN links established through the wide module. The LED flashes green to signal activity.

Test LED

The third LED glows solid yellow if one of the interfaces on the module is in test mode.

Ethernet and Activity LEDs

The Ethernet interfaces also have LEDs that report on their status and activity. (See Figure 1-19.)

Figure 1-19. LEDs for Ethernet Interfaces

Activity LEDs

Activity LEDs signal data transfer between the LAN and the router.

■ No light—The Ethernet connection is inactive.

■ Flashing yellow—The link is currently transmitting or receiving data.

Link LEDs

Link LEDs signal whether or not the router recognizes a valid connection to a LAN.

■ No light—The Ethernet interface is down.

■ Green—The Ethernet interface is up.

Rear Panel

The rear panel of the ProCurve Secure Router includes a slot for an optional IPSec VPN module and a slot for a compact flash card. The ProCurve Secure Router 7203dl also includes an additional feature: an outlet for a Redundant Power Source.

Optional IPSec VPN Module

If your company wants to establish virtual private networks (VPNs) over the Internet, you can install the IPSec VPN module in the slot provided on the ProCurve Secure Router’s rear panel. (See Figure 1-20.) The router can then establish a VPN with another router or with a VPN client that is installed on a user’s workstation. Remote sites and individual users can then connect to your company’s network through private Internet connections.

Figure 1-20. IPSec VPN Module

To protect your network from security breaches through the Internet, the ProCurve Secure Router establishes secure VPN tunnels using the industry-standard IP Security (IPSec) protocol. The IPSec VPN module enables the software that supports the IPSec protocols and relieves the CPU of the overhead associated with processing the encryption algorithms.

When the IPSec VPN module is installed, the ProCurve Secure Router 7102dl supports up to 500 VPN tunnels; the ProCurve Secure Router 7203dl supports up to 1000 tunnels.

Compact Flash Card

The compact flash slot on the ProCurve Secure Router’s back panel supports most standard compact flash cards. (See Figure 1-21.) To protect your ProCurve Secure Router against system failure, you can store the Secure Router OS software and your configuration file on a compact flash card. In fact, the ProCurve Secure Router provides additional features that automatically use compact flash to safeguard the Secure Router OS and your configurations. These features are described in “Bootup Process” on page 1-30 and “AutoSynch™ Technology” on page 1-34.

Figure 1-21. Compact Flash Slot on Rear Panel of the ProCurve Secure Router

Redundant Power Source

The RPS outlet on the back panel of the ProCurve Secure Router 7203dl provides increased router reliability for mission-critical applications. (See Figure 1-22.) The RPS slot can be used with the ProCurve 600 Redundant External Power Supply.

Figure 1-22. RPS Outlet on the ProCurve Secure Router 7203dl

Memory

Both the ProCurve Secure Router 7102dl and 7203dl have 32 MB of internal flash memory. The flash memory provides nonvolatile random access memory (NVRAM); in other words, the router retains what is stored in the internal flash even when the router is powered down.

Because internal flash memory is relatively limited, SROS software is stored in compressed form. The SROS software file is approximately 6 MB. The number of configuration files that can be saved in internal flash is limited only by the amount of available memory. Because configuration files tend to be small, you will be able to save multiple configuration files in internal flash.

In addition to internal flash, the ProCurve Secure Router 7102dl has 128 MB of random access memory (RAM), which holds the running configuration. All information in RAM is lost when the router is powered off. The ProCurve Secure Router 7203dl has 256 MB of RAM.

Software Overview

To manage your ProCurve Secure Router, you must understand basic router operations, including how the router uses:

■ Secure Router OS (SROS) boot code

■ SROS software

■ the startup-config

■ the running-config

Further, you must understand how the Secure Router OS is organized so that you can properly configure the router and enable safeguards to protect the router from unauthorized access.

This section describes software operations such as the boot process, the process of saving configurations, the OS hierarchy, and the bootstrap mode.

Bootup Process

Concurrent with the release of J02_02A.biz software in July 2005, ProCurve Networking changed the boot process for the ProCurve Secure Router. By default, the ProCurve Secure Router now boots from compact flash. If a compact flash card is not inserted into the compact flash slot or if the card does not contain the required Secure Router OS file, the router will boot from internal flash. Previously, the ProCurve Secure Router booted only from internal flash.

This change has been made in routers that shipped after July 2005; these routers have the following serial numbers:

■ ProCurve Secure Router 7102dl (J8752A) US525TRAP4 or later

■ ProCurve Secure Router 7203dl (J8753A) US522TS252 or later

Note: If you purchased a ProCurve Secure Router before this change was made, you can enable the new boot process by upgrading to J02_02A.biz or later and making a small configuration change. For information about this configuration change, see Appendix A: Configuring the Router to Boot from Compact Flash.

The boot process begins when you power up the ProCurve Secure Router or manually reload it. It proceeds as follows:

1. The router first loads the SROS boot software (which has been set through the copy <source> <filename> boot command).

2. The router then searches compact flash for the SROS.BIZ file, which contains the Secure Router OS software.

• If the router finds the SROS.BIZ file in compact flash, it will load this SROS software and begin step 3.

• If a compact flash card is not installed or the SROS.BIZ file on the card is missing or corrupted, the router searches for this file in internal flash. If the router finds the SROS.BIZ file in internal flash, it loads this SROS software and begins step 3.

• If the router does not find a valid SROS.BIZ file in either compact flash or internal flash, the router boots up in bootstrap mode (as described in “Bootstrap Mode Context” on page 1-66).

3. After the router finds a valid SROS.BIZ file (either in compact flash or internal flash), it checks compact flash for the startup-config file, which contains the saved configurations for the router.

• If the router finds the startup-config file in compact flash, it loads this file.

• If the router does not find the startup-config in compact flash, it searches for the startup-config file in internal flash. If it finds the startup-config in flash, it loads this configuration.

• If the router does not find the startup-config file in either compact flash or internal flash, the router boots in basic mode using the factory default configuration settings.

Figure 1-23 summarizes the boot process.

Figure 1-23. Booting the ProCurve Secure Router

Advantages of Booting From Compact Flash

Booting from compact flash simplifies router setup. You can use a compact flash card to preconfigure a router and simply send the card to a remote site. Any person at the remote site can insert the compact flash card into the router, connect the cables that will enable the LAN and WAN connections, and power up the router. The ProCurve Secure Router will boot with the SROS.BIZ file and startup-config on compact flash, and the router will be immediately operational.

To check the configuration remotely, you can simply establish a Telnet or Secure Shell (SSH) session with the router or use the Web browser interface.

[Figure 1-23 flowchart: the router loads the boot software (J0X_0X-boot.biz) from internal flash, then checks compact flash (cflash) and, if necessary, internal flash for SROS.BIZ and for startup-config. If no SROS.BIZ is found, the router boots in bootstrap mode; if no startup-config is found, the router boots using default settings.]

Setting Up a Compact Flash Card From Which to Boot the Router

Newly shipped ProCurve Secure Routers have an internal flash that contains two SROS software files:

■ J0X_0X.biz

■ SROS.BIZ

The SROS.BIZ and J0X_0X.biz files are identical. The J0X_0X.biz file reflects the version number of the software, such as J04_01.biz. This file has then been resaved as SROS.BIZ.

Internal flash also contains the startup-config file. At this point, the startup-config file contains the default configuration for the router. Once you have configured your router and saved the configurations, the new startup-config file will allow the router to boot up with the configurations you have made.

To set up a new compact flash card so that the router can boot from it, insert the card into the slot provided on the back panel of the router and copy the following files from flash memory to compact flash:

■ J0X_0X.biz

■ SROS.BIZ

■ startup-config

After you copy the files to a compact flash card, take the card to any ProCurve Secure Router. Unless its boot process has been altered, the router will automatically boot from the software and startup-config file stored on the card.

When ProCurve Networking releases new software, part of the update process will include renaming the new file as SROS.BIZ and copying the new file to compact flash and to internal flash. When you need to know the version of software the router is using, the show version command will display the exact version. (This and other show commands are described later in this chapter.)

Saving Configuration Changes

When the ProCurve Secure Router loads the startup-config, it executes it line by line as the running-config. As you make configuration changes, these changes are held in RAM. Because RAM is cleared every time the router is powered down, you must save any changes that you want to keep to the startup-config file.

When the command is entered, the ProCurve Secure Router first tries to save these changes to a startup-config file on compact flash. If no compact flash card is inserted into the slot on the back panel, the router saves the changes to the startup-config file that is stored in internal flash. If no startup-config file exists on either the compact flash or internal flash memories, the router creates the file and saves the configuration to it.

AutoSynch™ Technology

The AutoSynch feature was first released as an update in the J03_01.biz software. This feature ensures that the SROS software (SROS.BIZ) and the startup-config file stored on compact flash are identical to those stored on internal flash. AutoSynch technology affects only the SROS.BIZ and startup-config files; any other files that you intend to keep on the compact flash drive will need to be manually copied from your router’s internal flash to the compact flash card.

When you save your configurations, the ProCurve Secure Router saves the running-config to the startup-config stored on the compact flash. If the auto-synch command is enabled, when you save your current configuration to the startup-config, the file is saved to both compact flash and internal flash at the same time.

AutoSynch technology ensures that you always have a backup copy of your configuration file and the SROS software you are using. If a hardware failure should occur, you simply contact ProCurve Networking to get a new part or even a new unit (if that is required). Then you replace the part, insert the compact flash card, and power up the router. The router automatically loads the SROS software and the startup-config from the compact flash card.

Likewise, if the SROS software or the configuration file becomes corrupted, you have up-to-date backup copies, so downtime is confined to the time it takes to load these copies. This is especially helpful if the SROS software you are using is no longer available on the ProCurve Networking Web site (because subsequent versions have been released).
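The boot search order, the save behavior, and AutoSynch described in this section together decide which copy of SROS.BIZ and startup-config a router actually loads, and whether that copy matches the one on the other medium. The following Python model is an added example, not ProCurve code; the Media class, the function names, the SHA-256 comparison, and the sample file contents are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# The two files the guide says AutoSynch keeps identical on both media.
SYNCED_FILES = ("SROS.BIZ", "startup-config")


@dataclass
class Media:
    """One storage device: 'cflash' (compact flash card) or 'flash' (internal)."""
    name: str
    inserted: bool = True                          # only the card can be absent
    files: dict = field(default_factory=dict)      # filename -> bytes (constructed)
    corrupted: set = field(default_factory=set)    # filenames that fail to load

    def usable(self, filename):
        return (self.inserted and filename in self.files
                and filename not in self.corrupted)

    def digest(self, filename):
        """SHA-256 of a usable file, or None. The hash is this example's choice."""
        if not self.usable(filename):
            return None
        return hashlib.sha256(self.files[filename]).hexdigest()


def resolve_boot(cflash, flash):
    """Apply boot steps 2 and 3: compact flash is searched before internal flash."""
    def first_usable(filename):
        for media in (cflash, flash):
            if media.usable(filename):
                return media.name
        return None

    sros = first_usable("SROS.BIZ")
    if sros is None:                               # no valid image on either medium
        return {"sros": None, "config": None, "result": "bootstrap mode"}
    config = first_usable("startup-config")
    result = "saved configuration" if config else "factory defaults"
    return {"sros": sros, "config": config, "result": result}


def save_targets(cflash, autosynch):
    """Media written when the running-config is saved to the startup-config."""
    if not cflash.inserted:
        return ["flash"]
    return ["cflash", "flash"] if autosynch else ["cflash"]


def drift(cflash, flash):
    """Synchronized files whose copies differ between the card and internal flash."""
    if not cflash.inserted:
        return []
    return [f for f in SYNCED_FILES if cflash.digest(f) != flash.digest(f)]


def audit(cflash, flash):
    """Return the boot plan plus the findings a reviewer should look at."""
    plan = resolve_boot(cflash, flash)
    differing = drift(cflash, flash)
    findings = []
    for filename, key in (("SROS.BIZ", "sros"), ("startup-config", "config")):
        if plan[key] == "cflash" and filename in differing:
            findings.append(f"{filename} loads from cflash and differs "
                            "from the internal flash copy")
    if plan["result"] != "saved configuration":
        findings.append(f"boot ends in {plan['result']} instead of a saved configuration")
    return plan, findings


if __name__ == "__main__":
    # Constructed sample: the card carries a different startup-config.
    flash = Media("flash", files={"SROS.BIZ": b"image", "startup-config": b"config A"})
    card = Media("cflash", files={"SROS.BIZ": b"image", "startup-config": b"config B"})
    plan, findings = audit(card, flash)
    print(plan)
    for finding in findings:
        print("finding:", finding)
    print("save without AutoSynch writes:", save_targets(card, autosynch=False))
    print("save with AutoSynch writes:   ", save_targets(card, autosynch=True))
```

Because compact flash is searched first, the configuration that takes effect is the one on the card, so a review of the internal flash copy alone can miss what the router will actually run.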

Secure Router OS Hierarchy

The ProCurve Secure Router OS is organized into two security modes and then further organized into configuration modes. Each of these modes allows you to access and configure a separate aspect of your router’s operation. This OS hierarchy creates levels of security by limiting certain functions to authorized users.

This section introduces the different mode contexts and describes the types of commands you can enter in each one. (See Figure 1-24.)

Figure 1-24. Security and Configuration Modes in the Secure Router OS

To protect your WAN against unauthorized access, the ProCurve Secure Router has two security modes:

■ basic mode

■ enable mode

[Figure 1-24 diagram: after "Session now available. Press Return to get started", pressing Return opens the basic mode context (ProCurve>). Entering enable moves to the enable mode context (ProCurve#); basic and enable are the security modes. Entering configure terminal moves to the global configuration mode context (ProCurve(config)#), which leads to the interface configuration contexts (ADSL, ATM, BRI, Demand, E1, Ethernet, Frame Relay, HDLC, Loopback, Modem, PPP, Serial, SHDSL, T1, Tunnel), the line configuration contexts (Console, SSH, Telnet), the router configuration contexts (BGP, OSPF, RIP, PIM-Sparse), and other configuration contexts (Crypto IKE policy, Crypto map, IP access-list, IP policy-class, ISDN-group).]

Basic Mode

The basic mode allows restricted access to the router, providing only a limited number of commands. From this mode, you can view basic system information, verify some processes, and enter traceroute and ping commands. You do not have access to any of the options that allow you to configure the router.

When you first access the Secure Router OS through the CLI and press Enter, the router is in the basic mode context. To verify your location in the CLI, check the prompt. In the basic mode context, the prompt is the > symbol, as shown below:

ProCurve>

From the basic mode context, you can access the enable mode by entering:

ProCurve> enable

Enable Mode

The enable mode is sometimes called the privileged mode because it allows you to access all management and configuration commands. You can use this mode to view detailed information about how your router is functioning, perform system management tasks, and gain access to all configuration modes on the router. From the enable mode, you can save, move, and delete the startup-config and running-config files and use the show and debug commands.

Although you cannot actually configure the ProCurve Secure Router from the enable mode, you can access the global configuration mode from this mode, and from there, you can access any configuration mode and configure any aspect of the router. For additional security, you can—and should—password protect this more-secure OS level.

In the enable mode context, the prompt is followed by the # symbol, as shown below:

ProCurve#

From the enable mode context, you can access the global configuration mode context by entering:

ProCurve# configure terminal

Global Configuration Mode

From the global configuration mode, you can make configuration changes that apply to the entire router and all interfaces. You can configure the system’s global parameters, such as the hostname, passwords, and banners. You can also set parameters for IP services such as DHCP and DNS. You can enable the built-in firewall and configure global options for that firewall. You can also configure passwords to protect the enable mode and SSH, FTP, and HTTP access.

From the global configuration mode context, you can also access other configuration mode contexts to configure specific router interfaces and functions, such as routing protocols. There are four main types of contexts:

■ interface

■ router

■ line

■ other

Interface. The interface configuration mode contexts enable you to configure the LAN and the WAN connections to your router. To configure an interface, enter the following command from the global configuration mode context:

Syntax: interface <interface> [<slot>/<port> | <interface number>]

Replace <interface> with the type of physical interface such as e1, t1, serial, bri (for ISDN interfaces), adsl, or modem (for analog backup interfaces). You can also replace <interface> with a logical interface such as ppp, frame-relay, loopback, or tunnel. For physical interfaces, replace <slot>/<port> with the slot and port location of the connection, and for logical interfaces, replace <interface number> with the interface number.

For example, if your router has a T1 module in slot one, you would type interface t1 1/1 to configure this interface. The CLI prompt will change to show that you are in the T1 1/1 interface configuration mode context:

ProCurve(config)# interface t1 1/1
ProCurve(config-t1 1/1)#

For another example, if you want to configure a PPP connection to an ISP, you would enter interface ppp 1 to create and configure a PPP logical interface.

Router. You can configure dynamic routing protocols from the router configuration mode contexts. There are four router configuration modes: BGP, RIP, PIM-Sparse, and OSPF. To configure these protocols, move to the global configuration mode context and use this command:

Syntax: router [bgp | ospf | pim-sparse | rip]

For example, to configure RIP, enter:

ProCurve(config)# router rip
ProCurve(config-rip)#

When configuring BGP, you must also designate an AS number, which can be between 1 and 65535, in the command line. (Your ISP will provide this number.)

Syntax: router bgp <AS number>

For example, enter:

ProCurve(config)# router bgp 1
ProCurve(config-bgp)#

Line. Your router has three data lines that allow you to access the ProCurve Secure Router’s OS: console, SSH, and Telnet. You can configure options for line sessions by accessing the line configuration mode context.

Syntax: line [console 0 | ssh <0-4> | telnet <0-4>]

For example, you might enter:

ProCurve(config)# line ssh 2

For more information on configuring secure access to the router using these lines, see Chapter 2: Controlling Management Access to the ProCurve Secure Router.

Other. You can access other configuration mode contexts from the global configuration mode context, such as those from which you configure ACLs, access control policies (ACPs), QoS maps, and crypto maps. You can enter these configuration contexts from the global configuration mode context or from individual interface configuration mode contexts.

Commands Available in the Basic, Enable, or Global Configuration Mode Contexts

The ProCurve Secure Router OS permits you to use certain commands only in specific modes. When you are managing the ProCurve Secure Router and you try to use a command that is not supported from the current mode context, you will receive an error message.

To help you become familiar with the Secure Router OS, the following sections introduce the types of commands that are available in the three main modes: basic, enable, and global configuration.

Basic Mode Commands

The basic mode commands include those discussed in the following sections.

Clear

These commands reset router operations or statistical records. Table 1-2 shows the clear commands available in basic mode context.

Table 1-2. Basic Mode Context clear Commands

Option    Result
clear counters [<interface>]    clears interface counters, such as the number of packets transmitted and received or errors detected
clear event-history    clears the event history log
clear host [<hostname> | *]    deletes host table entries
clear sip [location | user-registration]    clears local SIP information
clear user [console | ssh | telnet]    detaches a user from a particular line

Enable

To begin managing the router in the enable mode context, enter:

Syntax: enable

Logout

Exit the current CLI session and return to the login screen.

Syntax: logout

Ping

Send an ICMP echo to a specified destination. To send a default ping of 5 echoes, enter:

Syntax: ping [<A.B.C.D> | <domain name>]

When you begin sending ICMP echoes, the router displays a legend to describe the types of responses the router receives. For example, Figure 1-25 shows a successful ping:

ProCurve> ping 1.1.1.1
Legend: ‘!’ = Success, ‘?’ = Unknown host, ‘$’ = Invalid host address
‘*’ = Request timed out, ‘–’ = Destination host unreachable
‘x’ = TTL expired in transit
!!!!!
Success rate is 100 percent (5/5), round trip min/avg/max = 3/3.0/3 ms

Figure 1-25. Sending a Ping

Typing ping and pressing Enter without a destination address will allow you to set extended options for the ICMP echo. Extended options include the number of pings to be sent, the size of the datagram to be sent, and the timeout value. The CLI displays default settings in brackets; press Enter to accept the defaults. For example:

ProCurve> ping
Target IP address?
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands? [n]

Pressing y for the Extended commands? option allows you to set the source address and data pattern. You can also specify that the ping sweep a range of datagram sizes.

If you enter y for the verbose option in the extended commands, the output reports the result of each ping with a description of the datagram size and the echo’s round-trip time. For example:

Reply from 1.1.1.1: bytes = 100 time = 4 ms

If you need to halt a ping operation, press Ctrl+C.

Note: Ping commands are available in all areas of the Secure Router OS.

Show

View information about, or the current status of, an interface or feature. Table 1-3 is a list of show commands available in the router’s basic mode context. For a more comprehensive list of show commands, see “Show” on page 1-51.

Table 1-3. Basic Mode Context show Commands

Option    Result
show arp [realtime]    shows the ARP table, which includes interfaces’ IP and MAC addresses
show autosynch-status    reports whether the SROS.BIZ and startup-config in internal flash and compact flash are synchronized
show clock    displays clock information such as the time, date, and time source
show demand    shows demand routing parameters and statistics
show dynamic-dns    shows the dynamic DNS hostname and registered IP address
show event-history    displays the events log
show frame-relay [fragment | lmi | multilink | pvc]    gives information on Frame Relay fragmentation, LMI status polls, permanent virtual connections (PVCs), and multilinks
show interfaces [<interface ID> {performance-statistics | realtime}]    shows status reports for router interfaces; you can also specify a particular interface
show ip access-list [<name>]    displays configured ACLs and the number of packets the router has matched to each entry
show ip interfaces [demand | ethernet | frame-relay | hdlc | loopback | ppp | tunnel]    lists interfaces with their assigned IP addresses and network masks, the MTU for each interface, and whether fast caching is enabled on the interface
show isdn-group [<interface number>]    lists the ISDN group configurations and member interfaces
show lldp [<cr> | device <name> | interface <interface ID> | <neighbors>]    displays LLDP settings and information, including information on specific neighbors
show memory heap [realtime]    displays statistics for the router memory, including how much has been used and how much is available
show modules    gives information on the router’s modules, including the type of module in each slot and the number of ports in each module
show processes cpu    shows the process statistics, including the load percent for each process
show snmp    displays the SNMP information and packets received
show sntp    shows SNTP information
show thresholds    displays the thresholds that have been exceeded on each E1 or T1 interface
show version    displays the router system software and hardware versions

Telnet

Open a Telnet session. (You enable and set the parameters for Telnet sessions from the Telnet line configuration mode context.)

Syntax: telnet <A.B.C.D>

For information on how to set up a Telnet session, see Chapter 2: Controlling Management Access to the ProCurve Secure Router.

Traceroute

Ping an IP address and display the hops that the packet takes en route to the destination.

Syntax: traceroute <A.B.C.D>

The router will display a route to a destination up to 30 hops away. You can end the traceroute process at any time by pressing Ctrl+C.

Similar to the ping command, you can set extended options for tracing a route by entering traceroute and pressing Enter without specifying the destination address. Options include the source address at which the trace begins and the maximum number of hops.

The traceroute command is also available from the enable mode context.

Terminal

Set the maximum number of lines to display on the screen during a terminal session.

Syntax: terminal length <0-480>

If a readout includes more lines than the configured terminal length amount, the display stops at the length limit and displays --MORE-- at the bottom.

To continue the display after the --MORE--, press Spacebar. To only display the next line of the readout, press Enter. To return to the router prompt and end the display, press a key.

Wall

Broadcast a message through the console port.

Syntax: wall <message>

Enable Mode Commands

To enter the enable mode context, enter enable from the basic mode context. The following sections briefly describe some of the enable mode commands and their functions.

Important! ProCurve strongly recommends that you set an enable password to prevent unauthorized access to the router. If the enable mode context is not password protected, anyone with console access to the router will be able to change the configurations and compromise network security. See “Restricting Access to the Enable Mode Context” on page 2-4 for more information on how to configure an enable mode password.

Clear

The enable mode context expands the options for the clear command. To view these options, enter:

Syntax: clear ?

Table 1-4 lists the clear command options available in the enable mode context.

Table 1-4. Enable Mode Context clear Commands

Option    Result
clear access-list    clears the statistics for packets matched to ACL entries
clear arp-cache    clears the ARP cache
clear arp-entry    clears a single ARP table entry
clear bridge [<group number>]    clears the bridge table
clear buffers    clears the buffer statistics
clear counters [<interface>]    clears interface counters
clear crypto [ike | ipsec] sa    clears any existing crypto IKE or IPSec SAs
clear dump-core    clears core-dump debug information
clear event-history    clears the event-history log
clear host    deletes DNS host table entries
clear ip [bgp | cache | dhcp-server | igmp | ospf | policy-sessions | policy-stats | prefix-list | route {* | <A.B.C.D>}]    clears IP routes or sessions established using an ACP
clear lldp [counters | neighbors]    clears lldp information
clear pppoe <ppp interface number>    clears a single PPPoE session
clear processes [cpu | queue]    clears router process statistics
clear qos map    clears the QoS map statistics
clear route-map counters    resets the statistics for packets selected by route maps
clear sip [location | proxy | user-registration]    clears local SIP-related information
clear spanning-tree    clears spanning tree statistics
clear tacacs+ statistics    clears TACACS+ server statistics
clear user [console | ssh | telnet]    detaches a user from a particular line

Some examples of clear commands include the following:

Syntax: clear ip policy-sessions

This command clears all sessions established using the ACPs applied to router interfaces.

Syntax: clear ip route [** | <A.B.C.D>]

The ** option clears all routes learned through a routing protocol. Static routes are not affected. You can clear a single route by entering the destination IP address.

Clock

The clock command in the enable mode context allows you to set the clock, adjust for the time zone, and manage the clock source. To view the options for the clock command, enter:

Syntax: clock ?

For example, to set the clock and the time zone, enter:

Syntax: clock set <HH:MM:SS>
Syntax: clock timezone <zone>

Enter clock timezone ? for a complete list of keywords for the time zones of various locations.

Daylight Savings Time Auto Correction. The router is set to automatically correct the time for daylight savings time. If the router is operating in an area that does not observe daylight savings time, you should disable this option using the clock no-auto-correct-dst command. Enter:

ProCurve# clock no-auto-correct-dst

To re-enable daylight savings time correction, enter:

ProCurve# clock auto-correct-dst

Configure

There are four options to this command: memory, network, overwrite-network, and terminal. The configure memory, configure network, and configure overwrite-network commands allow you to retrieve and apply a configuration file by saving the file as the router’s running-config. Using this command causes your router to immediately begin using the specified configuration without rebooting the router.

The configure memory command pulls and activates the startup-config file from compact flash memory. If no compact flash card is mounted, this command pulls and activates the startup-config file from flash. The file you intend to use must be named startup-config.

The configure network command pulls and applies a file from a TFTP server as the running-config.

Enter configure overwrite-network to retrieve a file from a TFTP server and save it as startup-config and startup-config.bak on compact flash. This command only works if you have a compact flash card installed on the router. Configure overwrite-network overwrites any existing startup-config file on compact flash with the startup-config it retrieves from the TFTP server.

The last configure command, configure terminal, moves you to the CLI’s global configuration mode context.

Copy

This command is used for managing configuration files and other files on your router. It has the following syntax:

Syntax: copy <source file location> <source filename> <destination location> <destination filename>

This command is used to copy and save files in the router’s internal flash and compact flash memories. Table 1-5 gives the available options for the copy command.

You can also use this command to save the changes you make in the running-config to the startup-config. If you do not save these changes, the next time the router reboots, all changes will be lost.

To save configuration changes while using the CLI, enter:

Syntax: copy running-config [<destination location> <destination filename> | <config-file>]

ProCurve# copy running-config startup-config

Verify that the Done. Success! message is displayed, indicating that the copy process is complete.

Table 1-5. Options for the copy Command

Source Location Options    Destination Location Options
cflash <filename> or flash <filename>    boot; cflash [<filename>]; flash [<filename>]; interface (only from flash <filename>)
cflash or flash    tftp; xmodem
console    flash <filename>
running-config    cflash <filename>; flash <filename>; startup-config; tftp; xmodem
startup-config    cflash <filename>; flash <filename>; running-config; tftp; xmodem
tftp or xmodem    flash; cflash; running-config; startup-config

To save a configuration as a file on compact flash, enter the following command from the enable mode context:

Syntax: copy flash <config-file> cflash <filename>

Replace <config-file> with either running-config or startup-config and replace <filename> with a name that you choose.

Verify that the Percent Complete 100% message is displayed, indicating that the download is complete. The current configuration is now saved in compact flash with the specified filename.

To save a configuration as a file on internal flash, enter the following from the enable mode context:

ProCurve# copy <source file location> <source config-file> flash [<filename>]

Replace <source file location> with the location of the configuration file you are saving, either compact flash (cflash) or internal flash (flash) memory. Replace <source config-file> with startup-config or running-config. (You can also enter a filename to copy a file to another location.) You must enter a destination filename unless the filename will be the same as that of the source. For example, if you need to save the startup-config file from the compact flash card to internal flash, enter:

ProCurve# copy cflash startup-config flash startup-config

Saving the Current or Start-up Configuration to a TFTP Server. To initiate an upload of a configuration file to an external TFTP server, enter one of the following commands from the enable mode context:

ProCurve# copy [flash | cflash] tftp
ProCurve# copy [startup-config | running-config] tftp

For example, if you wanted to upload the startup-config on compact flash to your TFTP server, you would enter:

ProCurve# copy cflash tftp

When prompted for the Address of remote host?, enter the IP address of the TFTP server.

When prompted for the Source filename?, enter the name of the configuration file (startup-config or running-config) you would like to upload.

When you are prompted for the Destination filename?, enter the filename under which the uploaded configuration should be saved.

The copy command can be used for other TFTP file management tasks such as:

■ loading a running-configuration file from the TFTP server—Enter copy tftp running-config.

■ loading a startup-configuration from the TFTP server—Enter copy tftp startup-config.


Debug

Entering debug will display debug messages as packets arrive on the router. Debugging is useful when troubleshooting or testing your router’s operation.

The Secure Router OS provides many debug commands, including options for most protocols and processes run on the router.

For a list of debug commands, go to the enable mode context and enter:

ProCurve# debug ?

For example, you could debug the establishment of a PPP connection:

ProCurve# debug ppp negotiation

You can find the exact command syntax for relevant debug commands in the troubleshooting section of each chapter.

Caution: This guide will describe how to use debug commands to troubleshoot your router. You should be aware that debug commands are processor-intensive and could seriously degrade network performance.

Dir

This command shows the current files in internal flash or compact flash.

Syntax: dir [flash | cflash] [*.<file extension>]

Use the flash option to list all files in the router’s flash memory. Use the cflash option to display all the files on the router’s compact flash card.

The * symbol is a wildcard that allows you to specify a file pattern to display. For example, if you want the router to list all the Secure Router OS files in internal flash memory, you would enter:

ProCurve# dir flash *.biz

Or if you wanted to display all the router configuration files stored on the compact flash card, you might enter:

ProCurve# dir cflash *.cfg

Note: If you do not specify an option for flash or cflash, the CLI displays only files in the internal flash.


Disable

To leave the enable mode context, type disable. The Secure Router OS will return you to basic mode context.

Erase

The erase command is a file management command. Table 1-6 shows the erase command options.

Syntax: erase [{cflash | flash} <filename> | startup-config | file-system cflash]

Table 1-6. File Locations for the erase Command

File location          Description
cflash <filename>      erases the specified file from compact flash
file-system cflash     formats compact flash
flash <filename>       erases the specified file from flash
startup-config         erases the startup-config file

For example, entering erase flash <filename> will delete the file you specify from internal flash:

ProCurve# erase flash oldconfig

Note: When erasing files, be sure to enter the filename exactly as it appears in the directory.

Erasing the startup-config files will return the router to the factory default settings at the next reboot. Entering erase startup after executing the autosynch command will delete the startup-config files from both flash and compact flash. If you have a compact flash card, and are not running the autosynch command, this command erases the startup-config only from compact flash. If you do not have a compact flash card, this command erases the startup-config file from flash.

Use the erase file-system cflash command to format your compact flash card memory. Using this command will erase any existing files on your compact flash card.


Events

The events command enables the Secure Router OS to display a notice to the CLI whenever an event occurs. This command is useful for troubleshooting, because it lets you immediately determine whether a connection is up and working properly. This command is active in the default router settings. To turn off the events reporting, enter no events.

Reload

This command exits the current session and reboots the router. Before exiting the session, the Secure Router OS will ask whether you want to save the running-config. It will also ask you to confirm that you want to reboot the router.

Show

The enable mode context includes the complete set of show commands for the Secure Router OS. Table 1-7 lists these show commands.

Table 1-7. Enable Mode Context show Commands

Option    Result
show access-lists [<name>]    displays ACLs, including all entries and the number of packets the router has matched to each entry
show arp [interfaces <interface ID>] [realtime]    shows the ARP table, which includes interfaces’ IP and MAC addresses
show atm pvc [interfaces atm <number.subinterface>]    shows information about ATM PVCs on an ADSL connection
show atm traffic interface atm <number.subinterface>    shows information about ATM traffic on a specific virtual channel
show autosynch-status    reports whether the SROS.BIZ and startup-config in internal flash and compact flash are synchronized
show backup interfaces    displays the backup configuration, including backup phone numbers
show bridge [<interface ID> | <bridge group>]    displays the bridge table and, optionally, the table for a particular logical interface or bridge group
show buffers [users] [realtime]    lists the buffer pool statistics
show cflash    lists files in compact flash
show clock [detail]    displays clock information such as the time, date, and time source
show configuration    shows the startup configuration
show connections    lists all logical interface binds
show crypto [ca | ike | ipsec | map]    shows certificates and VPN configurations, such as IKE policies, transform sets, and crypto maps
show debugging    displays the active debugging switches
show demand    shows the current statistics and settings for the demand interfaces
show dialin interfaces    displays interfaces that are configured to provide dial-in console sessions
show dynamic-dns    shows dynamic DNS status including hostname and registered IP address
show event-history    displays the events log
show file [{cflash | flash} <filename>]    shows the contents of a file in internal flash or compact flash
show flash    lists the files in internal flash
show frame-relay [fragment | lmi | multilink | pvc]    gives information on Frame Relay fragmentation, LMI status polls, permanent virtual connections (PVCs), and multilinks
show hosts [verbose]    displays IP domain name, style, name servers, and the IP host table
show interfaces [<interface ID>]    shows the interface table; input an interface ID to see information on a particular interface
show interfaces <physical interface ID> performance-statistics    shows the performance statistics for a physical interface over the past 15 minutes
show interfaces [<interface ID>] realtime    displays interface statistics in realtime
show ip <options>    lists information on IP traffic, routes, ACLs, ACPs, and routing protocols
show ip interfaces [demand | ethernet | frame-relay | hdlc | loopback | ppp | tunnel]    lists interfaces with their assigned IP addresses and network masks, the MTU for each interface, and whether fast caching is enabled
show isdn-group    lists the ISDN group configurations and member interfaces
show lldp [<cr> | device <name> | interface <interface ID> | neighbors]    shows LLDP settings and information, including information on specific neighbors
show memory heap [realtime]    displays statistics for the router memory, including how much has been used and how much is available
show modules    gives information on the router’s modules, including the type of module in each slot and the number of ports in each module
show output-startup    lists the startup-config error log
show port-auth supplicant [interface <interface ID> | summary]    displays port authentication information
show pppoe    displays the status of the PPPoE client
show processes cpu [realtime]    shows the process statistics, including the load percent for each process
show qos map    displays the QoS maps, including how many packets have been matched to the map
show queue [<interface ID>]    lists the statistics for queues on an interface or interfaces
show queueing [fair]    shows each interface queue’s discard threshold and maximum number of subqueues
show radius statistics    displays RADIUS system statistics
show route-map [<name>]    displays the route-map
show running-config    shows the current operating configuration
show sip [location | resources | statistics | user-registration]    displays information such as a local SIP location database, resources allocated to SIP sessions, and registered SIP users
show snmp    displays the SNMP information and packets received
show sntp    shows SNTP information
show spanning-tree [<bridge group number>] [realtime]    displays the spanning-tree topology
show startup-config [checksum]    displays the startup configuration
show tacacs+ statistics    lists TACACS+ packet and socket statistics
show tcp info [<tcp index>] [realtime]    lists information for TCP ports
show tech [terminal]    generates the output of most show commands and either displays it on the screen or saves it to showtech.txt
show thresholds    displays the thresholds that have been exceeded on each E1 or T1 interface
show udp info [<session ID>] [realtime]    lists information for UDP ports
show users [realtime]    displays the users currently connected to a session on the router
show version    displays the router system software and hardware versions


The verbose option is available for many show commands. This option displays all aspects of the item you are displaying. For example, the show running-config verbose command displays all the configurations currently running on your router, including default settings that have not been altered.

The show interfaces command will display information on any of the router’s physical or logical interfaces. When you enter this command without an option for a specific interface, the CLI will display information on all the router’s interfaces. If you only need to see information on a particular interface, you can specify the physical interface by its slot and port numbers and the logical interfaces by the interface number.

You have the option to specify the types of information to be displayed by the show interfaces <interface> command. To see snapshots of the errors detected on a physical interface over a certain interval, enter:

Syntax: show interface <interface> <slot>/<port> performance-statistics [Total-24-hour | <range of intervals>]

To view the performance statistics over the past 24 hours in 15-minute intervals, enter:

ProCurve# show interface t1 1/1 performance-statistics

You can also limit the display to a specific range of 15-minute intervals by replacing <range of intervals> with a range of values between 1 and 96. (Interval 1 is the interval which began 24 hours ago.) For example:

ProCurve# show interfaces e1 1/1 performance-statistics 74-76

A screen displays, showing statistics during the numbered intervals. Figure 1-26 shows the performance statistics for a T1 line.
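The interval readout lends itself to automated review when you capture it from a session log. The following is an added example, not part of the guide: a Python parser for the per-interval layout shown in Figure 1-26 that reports the intervals with non-zero error counters and how long ago each began, using the guide's statement that interval 1 began 24 hours ago. The sample text, its prompt line, and the non-zero values are constructed.

```python
import re

# Constructed sample laid out like the guide's performance-statistics readout.
# The prompt line and the non-zero counters in interval 75 are made up.
SAMPLE = """\
ProCurve# show interfaces t1 1/1 performance-statistics 74-76
Interval 74 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 75 Performance Statistics:
  12 Errored Seconds, 3 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  40 Line Code Violations, 0 Controlled Slip Seconds
  12 Line Errored Seconds, 0 Degraded Minutes
Interval 76 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
"""

INTERVAL_MINUTES = 15
INTERVALS_PER_DAY = 96  # the guide numbers the 15-minute intervals 1 to 96

HEADER = re.compile(r"Interval\s+(\d+)\s+Performance Statistics:")
# "<number> <counter name>"; a name is letters and spaces and ends on a letter.
COUNTER = re.compile(r"(\d+)\s+([A-Za-z][A-Za-z ]*[A-Za-z])")


def parse_performance_statistics(text):
    """Return {interval number: {counter name: value}}.

    Splitting on the interval header instead of on line breaks means the
    parser also copes with captures in which the terminal wrapped or joined
    the counter lines.
    """
    parts = HEADER.split(text)  # [preamble, n, body, n, body, ...]
    intervals = {}
    for number, body in zip(parts[1::2], parts[2::2]):
        n = int(number)
        if not 1 <= n <= INTERVALS_PER_DAY:
            raise ValueError(f"interval {n} is outside 1-{INTERVALS_PER_DAY}")
        intervals[n] = {name: int(value) for value, name in COUNTER.findall(body)}
    return intervals


def minutes_since_start(interval):
    """Interval 1 began 24 hours ago, so interval 96 began 15 minutes ago."""
    return (INTERVALS_PER_DAY - interval + 1) * INTERVAL_MINUTES


def errored_intervals(intervals):
    """Return [(interval, minutes since it began, non-zero counters)]."""
    report = []
    for n in sorted(intervals):
        nonzero = {name: value for name, value in intervals[n].items() if value}
        if nonzero:
            report.append((n, minutes_since_start(n), nonzero))
    return report


if __name__ == "__main__":
    for n, minutes, counters in errored_intervals(parse_performance_statistics(SAMPLE)):
        print(f"interval {n} (began {minutes} min ago): {counters}")
```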


Interval 74 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 75 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 76 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes

Figure 1-26. show interfaces t1 performance-statistics Command

Alternatively, you can have the readout show only a summary of the total statistics over the last 24 hours by entering the Total-24-hour option.

The performance-statistics command is available only for physical interfaces. To end the display, press Ctrl+C.

To see realtime information on a physical or logical interface, enter:

Syntax: show interfaces <interface> <slot>/<port> realtime

or

Syntax: show interfaces <interface> <number> realtime

For example, to display realtime information about the T1 interface that is installed in slot one, port one, enter:

ProCurve# show interface t1 1/1 realtime

This command displays a readout of the current statistics, which is updated once every second. Figure 1-27 shows the realtime command screen for a T1 interface.

To pause the update, press f. To resume the update, press r. To leave the realtime screen, press Ctrl+C.


--------------------------------------------------------------------
t1 1/1 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 1/2, FDL type is ANSI
  Line build-out is 0dB
  No remote loopbacks, No network loopbacks
  Acceptance of remote loopback requests enabled
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 1, last occurred 00:10:27
    loss of signal : 1, last occurred 00:10:41
    AIS alarm : 0 40
    Remote alarm : 0

  DS0 Status: 123456789012345678901234
              NNNNNNNNNNNNNNNNNNNNNNNN
  Status Legend: '-' = DS0 is unallocated
                 'N' = DS0 is dedicated (nailed)

  Line Status: -- No Alarms --
(OUTPUT TRUNCATED)
--------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'

Figure 1-27. show t1 1/1 realtime Command (the last line of the screen gives the instructions for pausing or ending the output)

The show event command displays the event-history log. The event-history is a log of the dates, times, and descriptions of events such as connections going up or down or attacks blocked by the Secure Router OS firewall.

Many show commands also have options that allow you to focus or specify the display. For a list of available options for a specific show command, enter the command at the CLI and press ?.

Undebug

This command disables a debug command. To turn off all currently active debug commands, enter undebug all.

Write

This command is a file management command that manages the running-config file.

■ write memory. This command is similar to the copy command. Entering write memory will save the running-configuration to the startup-configuration. In J03_01.biz and later, the running-config will automatically save to the compact flash card, if present, as startup-config. Otherwise the running-config will be saved as startup-config on the router’s internal flash.

■ write erase. This command erases the startup-config. If you have a compact flash card, the startup-config is erased from cflash. If you are running the AutoSynch feature, this command erases startup-config from both flash and compact flash. If you do not have a compact flash card, the file is erased from flash.

■ write network. This command saves the running-config to a TFTP server. Enter a filename meaningful to you when you are prompted with Destination filename?.

■ write terminal. This command is similar to the show running-config command; it displays the current running-configuration in the CLI.

show tech

Unlike the other show commands, the show tech command does not necessarily display the information in the CLI. This command creates a file named showtech.txt in flash that contains a summary of the router’s show command information.

To create this file, enter show tech from the enable mode context. This will prepare the showtech.txt file and save it in the router’s internal flash.

After the showtech.txt file is created, you can save it to compact flash or upload it to a TFTP server. You can also save the contents of the showtech.txt file to your terminal’s text editor. See “Managing Configuration Files Using a Text Editor” on page 1-73 for more information on performing these tasks. (When following the steps for copying a file, replace <filename> with showtech.txt.)

Note: The showtech.txt file is saved to internal flash. If you intend to use a compact flash card to transport the file, you must save the showtech.txt file to compact flash.

The showtech.txt file contains a readout of many of the show commands:

■ show version

■ show modules

■ show cflash

■ show run verbose

■ show interfaces

■ show atm pvc


■ show dial-backup interfaces

■ show dialin

■ show frame-relay lmi

■ show frame-relay pvc

■ show ip bgp neighbors

■ show ip bgp neighbor summary

■ show ip ospf neighbor

■ show ip ospf neighbor summary-add

■ show ip route

■ show bridge

■ show spanning-tree

■ show ip interfaces

■ show connections

■ show arp

■ show ip traffic

■ show tcp info

■ show ip protocols

■ show ip mroute

■ show ip access-lists

■ show event-history

■ show output-startup

■ show processes cpu

■ show buffers

■ show buffers users

■ show memory heap

■ show debugging

To display the contents of a showtech.txt file, enter show file [flash | cflash] showtech.txt from the enable mode context.

This readout allows a network administrator to pinpoint a router configuration problem without a connection to the router.

You can also have the show tech command readout displayed in the CLI instead of generating the showtech.txt file and saving it to flash memory. To display the readout on the screen, use the terminal option.

Syntax: show tech [terminal]


Updating the Boot Code

When applying a new boot configuration file, enter boot as the destination of a copy command. This command copies a file to the boot sector. For example, if you are upgrading from J03_01.biz to J04_01.biz, you might enter:

ProCurve# copy flash J04_01-boot.biz boot

The resulting text explains that other router tasks will be halted while the boot code is upgraded. See Figure 1-28.

Upgrading boot code is a critical process that cannot be interrupted. If something were to happen and the process was not able to be completed, it would render your unit inoperable. It is for this reason that during a bootcode upgrade, all other system tasks will be halted. This means packets will not be routed, and all console sessions will not respond during the upgrade process. Once this process finishes, the system will function as it did before. This process will take approximately 20 seconds.
Do you want to proceed? [yes/no]

Figure 1-28. Upgrading Boot Code

Enter y. The router then begins to update the boot sector code with the file you specified. The output shown in Figure 1-29 is displayed.

WARNING!! A bootcode upgrade has been initiated. Your session will become nonresponsive for the duration of the upgrade (approx. 20 seconds). A message will be sent when the upgrade is completed.
Reading 324883 bytes of code, stand by . . .
Image is compressed, inflating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Verifying image
Erasing boot sector
Programming boot sector
Success!!!
Bootcode upgrade process done. Your session should function normally.
Success!!!!
ProCurve#

Figure 1-29. Successfully Upgraded Boot Code


Global Configuration Mode Commands

From enable mode, access the global configuration mode context by entering configure terminal. It is from this mode context that you enter the commands to configure the router; most of the commands in the global configuration mode context are discussed in the various chapters included in this guide. This section explains how to create an enable mode password, activate the AutoSynch™ technology, configure access to the Web browser interface, and enable support for Simple Network Management Protocol (SNMP). For information on how to configure a particular router interface or function, see the “Table of Contents” in either this Guide or the Advanced Management and Configuration Guide.

hostname Command

It is often useful to give the router a name that helps to distinguish it from other routers in your network. To change the router’s hostname, enter the following command from the global configuration mode context:

ProCurve(config)# hostname <hostname>

autosynch Command

The AutoSynch™ feature is used with a compact flash card. Enabling AutoSynch technology allows the router to automatically keep the startup-config and SROS files in internal flash synchronized with the startup-config and SROS file on the compact flash card.

The autosynch command is disabled in its default setting. To enable the AutoSynch technology, move to the global configuration mode context and enter:

ProCurve(config)# autosynch-mode

The CLI should display:

AutoSynch: SROS.BIZ synched
AutoSynch: startup-config synched

To disable the autosynch command, use the no command:

ProCurve(config)# no autosynch-mode

AutoSynch: SROS.BIZ not synched
AutoSynch: startup-config not synched


Support for SNMP

If you are using a Simple Network Management Protocol (SNMP) console, you can configure the ProCurve Secure Router as an SNMP agent and enable SNMP traps.

Entering ip snmp agent from the global configuration mode context enables the SNMP agent functions on the router. You can set up the SNMP agent from the global configuration mode by entering snmp-server. You will move to the SNMP server configuration mode context, from which you can set the chassis ID, contact information, management URL and URL label, source interface, community name, and the host that is to receive the SNMP information. You can also enable SNMP traps on individual interfaces.

MIBs for the ProCurve SR 7000dl series routers are available at the ProCurve Web site. To download the MIBs, go to http://www.hp.com/rnd/software/securerouters.htm and click the latest version of the SR 7000dl Router MIB File.

SafeMode

SafeMode is a CLI feature that allows you to perform configuration changes without the fear of being disconnected from a Telnet or SSH session. Some configuration changes can interrupt network connectivity. If you are managing a router remotely via SSH or Telnet, you can inadvertently lose your connection to the router.

For example, you may need to apply an ACL, but this ACL doesn’t allow Telnet or SSH traffic. Once you applied the ACL, you would be locked out of the router. In order to fix the configuration that has locked you out, you would need physical access to the router so that you could establish a console session with it. SafeMode allows you to make configuration changes using Telnet or SSH without worrying about losing your connection and being unable to reestablish it.

SafeMode requires you to periodically reset a reload timer. If the reload timer runs out before you reset it, the Secure Router OS will assume that the current running configuration has disrupted your connection to the router. It will save the running-config to internal flash as “problem-config” and reboot the router. Once the router has reloaded, it will display a reboot cause message and load the currently saved startup-configuration file. The startup-config should allow you to regain access to the router. You will then be able to review the saved problem-config file and correct the setting that caused the disruption.


After you enable SafeMode and set the time limit, a reload timer is activated for the Telnet and SSH access lines and begins to count down. You also set a threshold timer, which is shorter than the reload timer. When the threshold timer expires, a warning message is displayed in the CLI that allows you to reset the timer. Unless you enter the reset keystroke before the reload timer finishes counting down, the router reboots. This prevents you from being locked out of the router if you lose the connection and are unable to reset the timer.

While SafeMode is enabled, it temporarily suspends AutoSynch functioning. This prevents a disruptive configuration from being saved to both flash and compact flash. After the SafeMode configuration is complete and you have disabled the SafeMode counter, the AutoSynch function, if previously enabled, will automatically re-enable and begin synchronization.

Enabling SafeMode. To enable SafeMode, access the global configuration mode context and enter:

Syntax: safe-mode [<reload time> <threshold time>]

For example:

ProCurve(config)# safe-mode 600 500
ProCurve(safe-config)#

Set the <reload time> to the number of seconds to count down until the router reboots. Set the <threshold time> to the number of seconds to count down until you receive a reminder to reset the timer. Both the reload time and threshold time must be between 30 and 3600 seconds. The default value for the reload time is 300 seconds, and the default value for the threshold time is 60 seconds. To enable SafeMode with the default settings, enter safe-mode at the global configuration prompt.

The reload time should be greater than the threshold time. If you enter a threshold value greater than the reload value, the CLI displays an error message.

When you are configuring in SafeMode from a Telnet or SSH session, the configuration mode context prompt is displayed as safe-config. For example:

ProCurve(safe-config)# interface ethernet 0/1
ProCurve(safe-config-eth 0/1)#

All configurations that you make during SafeMode are saved in RAM as part of the running-config.


After the countdown for the reload timer has begun, it continues until you reset it by pressing Ctrl+R, disable it by entering no safe-mode, or exit the global configuration mode context.

Use the no form of the command to disable SafeMode and the countdown timer:

ProCurve(safe-config)# no safe-mode
ProCurve(config)#

SafeMode Functioning. SafeMode events are displayed in the CLI. When the threshold timer reaches zero, a notice is displayed in the CLI reminding you to reset the timer:

SAFEMODE: SafeMode will reboot in <threshold> seconds.

When you activate SafeMode, or when you leave and re-enter the configuration mode context while SafeMode is enabled, the reload timer is activated and a message is displayed in the CLI:

SAFEMODE: SafeMode enabled. Reboot in <n> seconds!

Once SafeMode is enabled, any CLI user can reset the timer by entering Ctrl+R. You can reset the timer at any time, as often as you need to complete the configuration.

Caution: If you save your configuration to the startup-config while in SafeMode, you may essentially negate SafeMode’s effect: the router may reboot with the saved disruptive configuration and you will still be locked out of the router. Be very careful about saving your in-process configurations when in SafeMode.

The problem-config file that is generated when the router reboots can be examined and edited in a text editor to repair the commands that caused the problems. For more information on using a text editor to edit router configurations, see “Configuration File Transfer Using the Console Port” on page 1-76, “Configuration File Transfer Using a TFTP Server” on page 1-78, or “Configuration File Transfer Using a Compact Flash Card” on page 1-81.

Note: The problem-config file is saved in the router’s internal flash memory. If you want to transport the file or save a backup of the file using compact flash, you need to copy the file to compact flash by entering copy flash problem-config cflash problem-config from the enable mode context.
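When reviewing a problem-config after a SafeMode reboot, the lines that matter are the ones that differ from the startup-config the router fell back to. The following is an added example, not part of the guide: a Python comparison that reports those lines together with the section they were entered under. It assumes a config layout the guide does not show here (a command in column 0 opens a section, indented lines belong to it, "!" lines are separators); the sample files are constructed and the lines in angle brackets are placeholders, not Secure Router OS syntax.

```python
# Constructed samples. hostname, ip snmp agent and interface ethernet 0/1 are
# commands named in the guide; the <...> lines are placeholders.
STARTUP_CONFIG = """\
hostname ProCurve
!
ip snmp agent
!
interface ethernet 0/1
  <existing interface settings>
!
"""

PROBLEM_CONFIG = """\
hostname ProCurve
!
ip snmp agent
!
<ACL definition that does not allow Telnet or SSH>
!
interface ethernet 0/1
  <existing interface settings>
  <command applying the ACL to this interface>
!
"""


def parse_config(text):
    """Return the commands in a config as (section, command) pairs, in order.

    Assumed layout: an unindented command opens a section, indented commands
    belong to the open section, and a "!" line closes it.
    """
    entries = []
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        if stripped == "!":
            section = ""
            continue
        if line[0].isspace():
            entries.append((section, stripped))
        else:
            section = stripped
            entries.append(("", stripped))
    return entries


def session_changes(startup_text, problem_text):
    """Return (added, removed): commands found in only one file, by section.

    "added" holds what the SafeMode session put into the running-config that
    the fallback startup-config lacks; "removed" holds the reverse.
    """
    startup = parse_config(startup_text)
    problem = parse_config(problem_text)
    startup_set, problem_set = set(startup), set(problem)
    added, removed = {}, {}
    for section, command in problem:
        if (section, command) not in startup_set:
            added.setdefault(section or "(global)", []).append(command)
    for section, command in startup:
        if (section, command) not in problem_set:
            removed.setdefault(section or "(global)", []).append(command)
    return added, removed


if __name__ == "__main__":
    added, removed = session_changes(STARTUP_CONFIG, PROBLEM_CONFIG)
    for label, changes in (("added", added), ("removed", removed)):
        for section, commands in changes.items():
            for command in commands:
                print(f"{label} under {section}: {command}")
```

Because the section is part of the comparison, the same command entered under a different interface is reported as a change instead of being treated as already present.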


Help Tools

The Secure Router OS features help tools, editing functions, and global commands to help you navigate through the Secure Router OS and configure and maintain your WAN.

CLI Help Commands

You can enter the ? character to display the available command syntax for any command in the CLI.

The ? character displays information about the available commands and options available to those commands in your current CLI context. You will not need to press Enter to activate the ? help tool. The character immediately triggers the display.

■ ?. Entering the ? character displays a list of all the available commands in your current mode context with a brief description of their functions.

■ <letter>?. If you know the beginning of a command but need to be reminded of the entire word or if you want a more limited list of commands, enter a letter or set of letters followed immediately by the ? command. Do not put a space between the letters and the ?. The router will then display only the specific commands that begin with those letters. For example,

ProCurve> e?
enable exception exit

■ <command> ?. If you know the command but need to be reminded of the available options, type the command followed by a space and ?. This will bring up a display of the available options for that command in the current mode and a brief description of each. The following is an example:

ProCurve(config t1 1/1)#clock source ?
internal -Use internal clock source
line -Recover clock from line
through -Recover clock from alt i/f

Editing Commands

The router’s CLI supports basic editing functions that move the cursor through the command line and allow you to cycle through previous commands. Table 1-8 describes the Secure Router OS CLI editing commands.


Table 1-8. Keystrokes for Moving Around the CLI

Editing Command          Action
Ctrl+P or up arrow       recall the most recent command
Ctrl+A                   move to the beginning of the line (Home)
Ctrl+E                   move to the end of the line (End)
Ctrl+F or right arrow    move forward one character
Ctrl+B or left arrow     move backward one character
Tab                      finish partially typed command

Command Recall. Recall the most recent command by entering Ctrl+P or by pressing the up arrow. Pressing the up arrow again will cycle through the previous commands.

Moving within the Command Line. When typing a lengthy command, you may make an error and need to move the cursor within the command line. See Table 1-8 for a list of keystrokes that move the cursor within the command line.

Tab. The Tab key is a shortcut key. Press Tab after typing the first few characters of a command. If you have typed enough characters to distinguish the command from all other available commands, the Secure Router OS will finish the word for you.

Truncation. The ProCurve Secure Router OS also recognizes truncated commands. You only need to enter enough characters in the CLI to distinguish the command you wish to execute from other available commands. A good way to learn how many characters you must enter for a particular command is to press the Tab key. If, when you press Tab, the Secure Router OS is able to finish the command without having to list possible options, you have typed enough characters.

For example, when entering the enable mode context, it is not necessary to type the whole word enable. The basic mode context includes three commands that begin with the letter “e” and only one command that begins with the letters “en.” To enter the enable mode context from basic mode you only need to enter en and press Enter. This can be checked by pressing Tab after typing en at the basic mode context prompt. Because the Secure Router OS is able to finish the word enable, it also recognizes the truncated command.


no

In the enable and configuration mode contexts, typing the word no before a command negates that command. For example, if you want to stop event notices from displaying to the CLI screen, enter no events.

do

If you need to execute an enable mode command from a configuration mode context, type do before you enter the command. The do command allows you to stay in your current mode context while executing other mode context commands. For example, to display the status of a physical interface while configuring its logical interface, enter:

Syntax: do show interfaces <interface type> <slot>/<port>

ProCurve(config-ppp 1)# do show interface e1 1/1

exit

To leave a specific interface or configuration mode, type exit. The exit command moves you back one mode level. For example, if you were in the ATM interface configuration mode context and entered exit, you would return to the global configuration mode context.

When you enter the exit command in the global configuration mode context, you return to the enable mode context and the CLI displays this message:

Appropriate commands must be issued to preserve configuration.

This message is a reminder to save the configuration you have completed. All configuration changes are initially saved in the router’s running-configuration file. If the router were powered down, the running config, and any changes that you have not saved, would be lost.

Save your current configuration by entering either write memory or copy run startup from the enable mode context.

Bootstrap Mode Context

The bootstrap mode context allows you to access your router when a problem with the software, or a forgotten password, prevents you from accessing it through a console session. Bootstrap mode is a temporary measure to allow you enough access to the router to restore it to proper operation.


The ProCurve Secure Router automatically enters the bootstrap mode context if it cannot locate valid SROS software or if the SROS software has been corrupted. You can also access the bootstrap mode by pressing Esc during the first five seconds of the startup process. During the startup process, the screen will display a countdown, alerting you to how much time you have left to access the bootstrap mode context.

You may want to access the bootstrap mode context if you need to replace corrupted software, cannot remember the system password, or have made configurations that have locked you out of the router. For security, the bootstrap mode context is available only through the console port and cannot be accessed through the Web browser interface.

When you enter the bootstrap mode context, this CLI prompt will display:

bootstrap#

The commands available in bootstrap mode are limited to those related to helping you to successfully boot the router. The following is a list of some of the bootstrap mode commands.

Boot. This command allows you to configure the software and configurations booted by the router.

Syntax: boot [cflash <filename> | flash <filename> | config {flash | cflash} <filename> | system {flash | cflash} <filename> | <filename>] [<backup boot file location> <backup filename>]

To set the Secure Router OS software that you want the router to use to boot, enter:

Syntax: boot system [flash | cflash] <filename> [<backup location> <backup filename>]

For example:

bootstrap# boot system cflash SROS.BIZ flash SROS.BIZ

To set the configuration file that you want the router to load, enter:

Syntax: boot config [flash | cflash] <filename>

For example:

bootstrap# boot config cflash startup-config flash startup-config.bak


After you configure the boot software settings, enter reload or boot to reboot the server.

Use the boot [cflash | flash] <filename> option to immediately boot the router using the specified file. To set the backup boot code, replace <backup filename> with the name of the file you want the router to boot with in case the primary boot file you specified is unavailable or corrupted. Replace <backup boot file location> with flash or cflash.

Bypass. This command allows you to bypass passwords and configurations. If you are locked out because you have forgotten a console or enable password, you can reboot the system with the following commands:

bootstrap# bypass passwords
bootstrap# boot

This command will reboot the ProCurve Secure Router using the startup-config but with all passwords disabled.

If you inadvertently make configuration changes that lock you out of the router, you may need to bypass the startup-config to keep yourself from being locked out permanently. You can reboot the router using the default settings by entering the following commands:

bootstrap# bypass startup-config
bootstrap# boot

Replacing Corrupted Software. If the Secure Router OS software is invalid or corrupted, you need to load new software. However, the Secure Router OS may be corrupted to the point that you can no longer access the CLI or Web browser interface to upgrade it. You can upgrade the Secure Router OS software from the bootstrap mode by completing the following steps:

1. Configure an IP address for the Ethernet 0/1 interface by entering:

bootstrap# ip address <A.B.C.D> <subnet mask>

In this mode, the subnet mask must be in <A.B.C.D> format. The router will not accept a prefix length notation.

2. Copy the Secure Router OS software from a TFTP server by entering:

bootstrap# copy tftp flash
Address of remote host? <A.B.C.D>
Source of filename? J04_01.biz
Destination filename? J04_01.biz


You can also copy the Secure Router OS software from a compact flash card.

bootstrap# copy cflash <filename> flash [<filename>]

3. If your router uses the standard boot process, you should copy the new software as SROS.BIZ to both the compact flash memory (if your router uses a compact flash card) and the internal flash.

bootstrap# copy flash J04_01.biz cflash SROS.BIZ
bootstrap# copy flash J04_01.biz flash SROS.BIZ

4. Alternatively, you can enter the boot system command and specify the new Secure Router OS software by entering:

Syntax: boot system [flash | cflash] <filename>

bootstrap# boot system flash J04_01.biz

This option, however, is not recommended because you must then enter a new boot system command whenever you upgrade the router’s software.

5. Enter reload or boot to reboot the system.

Note: A quicker and easier way to replace corrupted software is to make sure that you have an uncorrupted backup copy of the Secure Router OS on compact flash. If you have a compact flash card with the good copy of the Secure Router OS, you only need to insert it into the router and boot it. Then copy the uncorrupted version to flash and erase the corrupt version.


Troubleshooting

Compact Flash

Compact flash performance can vary greatly between vendors. If there seems to be a delay when the ProCurve Secure Router saves changes to the compact flash card, the Secure Router OS is still functioning, though at times it may seem to be in a suspended state.

If your router does not have a dedicated compact flash card, you will need to copy needed files to the router’s internal flash memory if you want to continue to use these files and configurations. To save a compact flash file to the router’s internal flash, access the enable mode context and enter:

Syntax: copy <source> <filename> <destination> <filename>

For example:

ProCurve# copy cflash SROS.BIZ flash SROS.BIZ

If you use the show tech command and intend to transport the file on your compact flash card, you will need to save the file to the compact flash card. From the enable mode context, enter:

ProCurve# copy flash showtech.txt cflash showtech.txt

AutoSynch™ Error Messages

If the router is displaying AutoSynch error messages or messages that your files are not synchronized, you may need to do some file management tasks to get it up and running.

The autosynch command synchronizes files from compact flash to flash. It is very important to ensure that you have the current and proper SROS.BIZ and startup-config files on compact flash. Otherwise, once synchronization begins, the version of SROS.BIZ or startup-config on compact flash will be copied over the file on flash.

Table 1-9 is a short list of AutoSynch error messages.


Table 1-9. AutoSynch™ Error Messages

Error Message                           Action
compact flash removed                   Make sure the compact flash card is firmly mounted in the compact flash slot.
CFLASH startup-config does not exist    From the enable mode context, enter write memory. Then begin synchronization by entering autosynch.
CFLASH SROS.BIZ does not exist          From the enable mode context, enter copy fl SROS.BIZ cfl SROS.BIZ.
CFLASH startup-config not synched       Enter autosynch from the enable mode context.

If the router is reporting that the compact flash card is removed, check the back panel to be sure that the compact flash card is firmly mounted in the slot.

Even if you have identical copies of SROS.BIZ on both flash and compact flash, the router will not be able to report that SROS.BIZ is synched until there are synchronized copies of startup-config on compact flash and flash. Both locations must have files with exactly the same filename.

Because the router always synchronizes files from compact flash to internal flash memory, it will report error messages if you do not have a copy of the SROS.BIZ or startup-config files on compact flash.

Copy the missing file from flash to cflash by entering the following commands from the enable mode context:

ProCurve# copy flash SROS.BIZ cflash SROS.BIZ
ProCurve# write memory

Then enter autosynch from the enable mode context to synchronize the files.

Note: During the AutoSynch synchronization process, do not remove the compact flash card. Wait for state completion.

If the router is reporting that the files are not synchronized after you have ensured that there are copies of SROS.BIZ and startup-config on the compact flash card, check the filenames.

Note: Filenames are case sensitive. SROS.biz is not the same file as SROS.BIZ. It is important that the filenames on the compact flash card are exactly correct.


Caution: Be very careful doing any kind of file management with the startup-config and SROS.BIZ files while the autosynch command is enabled. If you erase either the startup-config file or SROS.BIZ file from compact flash, the file will also be erased from the internal flash.

If you have managed to erase the SROS.BIZ file from both flash and compact flash, you can create the file by entering this command from the enable mode context:

ProCurve# copy flash J0X_0X.biz flash SROS.BIZ

Pay special attention to the filenames.

If you have erased the startup-config, entering write memory from the enable mode context will create a startup-config file and save it to compact flash.

Using the reload in Command

When you are configuring the ProCurve Secure Router, you may want to enter a safeguard to ensure that you do not inadvertently block your access to the router. You can configure the ProCurve Secure Router to reload the startup-config after a set time period has elapsed, returning the router to its previous configurations.

To schedule a system reboot, enter the following command from the enable mode context:

ProCurve# reload in <mmm>

or

ProCurve# reload in <hhh:mm>

Replace <mmm> with the number of minutes to count down until the router reboots. You can specify a three-digit number. Replace <hhh:mm> with a countdown time such as 1:15 (1 hour and 15 minutes).

For example, if you wanted to set the router to reboot in 3 hours, you would enter:

ProCurve# reload in 3:00

or

ProCurve# reload in 180


The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no. If you are getting ready to make the configurations to be tested and want to save previous configurations, reply yes. The CLI then displays:

You are about to reboot the system. Continue? [y/n]

Enter y. The system will not reboot immediately. It will wait the amount of time you have specified. Remember that while you are doing a delicate configuration and using the reload in command, you must not save the running-config to the startup-config (by entering either write memory or copy run start). Otherwise, the ProCurve Secure Router will load these configurations when it reboots.

To cancel the reload, enter:

ProCurve# reload cancel

Note: SafeMode automates this process if you are configuring the router using a Telnet or SSH session. (See “SafeMode” on page 1-61.)

Managing Configuration Files Using a Text Editor

Configuration files can be adjusted to each router’s needs using your computer’s text editor. This allows you to set up a configuration on one router, save it to a file, and edit it for installation on another router.

ProCurve Secure Router configuration files are robust. If you miskey a command or make a mistake in the text editor, the router will simply ignore the mistake and use the default settings. If any necessary command is missing, the router will substitute the default. Problem commands will trigger an error message during bootup.

It is not necessary to re-edit the configuration in a text editor to repair a problem; simply enter the pertinent command in the CLI. View the error messages displayed during bootup to determine which command is faulty.


Figure 1-30. Boot Error Messages

The error messages in Figure 1-30 were displayed during bootup. In this particular case, the startup-config file has VPNs configured, and the router that is booting does not have the IPSec VPN module that enables these commands. The VPN commands are reported as errors.

You can use error messages like these to locate and troubleshoot a problem in the router’s configuration.


Figure 1-31. Using Boot Error Messages to Target a Configuration Problem

The line number given in the error message is the line number in the running-config. You can use this information to locate and repair any configuration problems.

You will need to scroll up in your terminal session software window to read the error message. Make a note of the line, the command, and the resulting error message, as shown in Figure 1-31. Then return to the command line and enter the enable mode context.

Enter show running-config to display the current configuration. When the running-config is displayed, begin with the first exclamation point and count down, line by line, until you reach the line that generated the error message. Check the resulting message from the error report. Repair the problem by entering the appropriate configuration context and re-entering the command using the error report as a guide.

For example, in Figure 1-31 there is an error in line 58. The faulty command was

ProCurve(config-ike)# peer 10.2.2.1

The peer at 10.2.2.1 was already assigned to IKE policy 100 and cannot be assigned to more than one policy. In this example, you should configure the IKE policy for a different peer.
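The counting procedure described above can be done by script on a saved terminal capture. The following is an added example, not ProCurve code: it numbers lines from the first exclamation point and returns the faulty command with the context command it was entered under. The capture is constructed, and the indentation of commands inside a context is an assumption.

```python
"""Find the running-config line that a boot error message points to.

Added example, not ProCurve code. Numbering starts at the first line that
begins with "!", as the guide describes. Assumption: commands inside a
configuration context are indented under the command that opens it.
"""
from typing import NamedTuple, Optional

# Constructed terminal capture; the stanzas are illustrative, not a real config.
SAMPLE_CAPTURE = """\
ProCurve# show running-config

!
hostname "ProCurve"
!
interface eth 0/1
  ip address 10.1.1.1 255.255.255.0
  no shutdown
!
crypto ike policy 100
  peer 10.2.2.1
!
crypto ike policy 101
  peer 10.2.2.1
!
end
"""


class Located(NamedTuple):
    line_no: int
    command: str
    context_line_no: Optional[int]   # None for a global command
    context: Optional[str]


def number_config_lines(capture):
    """Return [(line_no, text)], counting from the first '!' line as line 1."""
    lines = capture.splitlines()
    for start, text in enumerate(lines):
        if text.startswith("!"):
            break
    else:
        raise ValueError("no '!' line found; is this show running-config output?")
    return [(n, t.rstrip()) for n, t in enumerate(lines[start:], start=1)]


def locate(capture, error_line):
    """Return the command on error_line and the context command above it."""
    numbered = number_config_lines(capture)
    if not 1 <= error_line <= len(numbered):
        raise IndexError(f"line {error_line} is outside 1..{len(numbered)}")
    text = numbered[error_line - 1][1]
    if text[:1].isspace():
        # Indented: walk back to the nearest unindented command, which is the
        # one that opened this configuration context.
        for n, candidate in reversed(numbered[: error_line - 1]):
            if candidate and not candidate[0].isspace() and not candidate.startswith("!"):
                return Located(error_line, text.strip(), n, candidate)
    return Located(error_line, text.strip(), None, None)


if __name__ == "__main__":
    hit = locate(SAMPLE_CAPTURE, 12)
    print(f"line {hit.line_no}: {hit.command}")
    print(f"entered under line {hit.context_line_no}: {hit.context}")
```

The context line tells you which configuration mode to enter before re-entering the corrected command.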

Creating and Transferring Configuration Files

To create a configuration file, begin by creating a base configuration on an originating router. Save the base configuration by entering copy running-config <destination location> <destination filename> or write memory from the enable mode context.


If you do not want the base router to use the base configuration, you should save the base configuration as a .cfg or .txt file. From the enable mode context, enter:

ProCurve# copy flash running-config <destination location> <destination filename>

If you entered write memory and are running the AutoSynch function, the configuration is saved as the startup-config file on the flash and compact flash memories. If you have a compact flash card but are not running the AutoSynch function, this command will save the configuration as startup-config on the compact flash card. If you do not have a compact flash card in your router, the file is saved in internal flash as the startup-config file.

Configuration File Transfer Using the Console Port

In order to complete these steps, you must establish a console session with the ProCurve Secure Router.

1. Create a base configuration.

Use either the router’s factory defaults or another router’s configuration as a base. This can be the contents of the startup-config file or the current running-configuration. Display this configuration from the enable mode context.

Syntax: show file <location> <filename>

ProCurve# show file cflash startup-config
or
ProCurve# show running-config verbose

2. Copy the text.

Use your mouse to highlight the resulting display in the terminal session window. Copy this text either by pressing Ctrl+C, right-clicking the mouse and clicking Copy, or by clicking Edit > Copy in the window.

Paste the copied text into a text editor program such as Notepad.

3. Edit the configuration.

Change the configuration as needed. Adjust IP addresses, hostnames, and other settings.


4. Copy the edited text.

Highlight the edited configuration in the text editor. Copy the highlighted text either by pressing Ctrl+C, right-clicking the mouse and clicking Copy, or clicking Edit > Copy in the window.

5. Save the edited configuration on the router.

On the router you are configuring, enter the enable mode context. Then enter the following from the enable mode context:

Syntax: copy console flash <destination filename>

ProCurve# copy console flash configuration.txt
Enter text to be saved to “configuration.txt”
Type CTRL+D to finish

Replace <destination filename> with the name you want to give this file.

When the message Enter text to be saved to “configuration.txt”, Type CTRL+D to finish appears, paste the text into the terminal session window. You may need to right-click the mouse and click Paste to host. Press Ctrl+D after the text has been entered.

The text is saved as a file in the location you specified and with the filename you specified.

6. Erase files that may conflict with the new configuration.

Enter show flash from the enable mode context. If there are files named startup-config or startup-config.bak, erase them:

ProCurve# erase flash startup-config
Deleted NONVOL:/startup-config
ProCurve# erase flash startup-config.bak
Deleted NONVOL:/startup-config.bak

Do the same for compact flash by entering show cflash and erasing any startup-config files.

ProCurve# erase cflash startup-config
Deleted CFLASH:/startup-config
ProCurve# erase cflash startup-config.bak
Deleted CFLASH:/startup-config.bak

Erasing the startup-config files will return the router configurations to the factory defaults.


7. Install the configuration.

Copy the edited configuration file to startup-config.

Syntax: copy <source location> <source filename> <destination location> <destination filename>

ProCurve# copy flash configuration.txt flash startup-config

The router will create the startup-config file and save the edited configuration to the file.

8. Reboot the router.

Enter reload from the enable mode context. When it prompts you to save the system configuration, press n.

Note: Be careful. If you press y when asked to save the system configuration, the new startup configuration you just entered will be erased and replaced by the current running configuration.

Press y when asked whether you want to proceed.

The router will boot up using the new configuration.

Configuration File Transfer Using a TFTP Server

1. Create a base configuration. Then copy the base configuration to a file.

Syntax: copy <source> <base config filename> <destination> <destination filename.txt>

For example:

ProCurve# copy flash startup-config flash routerB.txt

Replace <source> with the location of the base configuration file. If you have a compact flash card and the file is saved on compact flash, enter cflash. Otherwise, enter flash. Because you will be editing this file in a text editor, give the file a .txt extension.


2. Upload the file to the TFTP server.

Syntax: copy <source location> tftp

ProCurve# copy flash tftp
Address of remote host? 192.168.100.2
Source filename? routerB.txt
Destination filename? [routerB.txt]

After you enter copy <source location> tftp from the enable mode context, the router will prompt you for the information it needs to successfully complete the TFTP file transfer. When prompted, enter the IP address of the TFTP server that is to receive the file. Then enter the filename of the configuration file. When asked for the destination filename, you can either rename the file by entering the desired filename or keep the same name by pressing Enter.

Note: Filenames are case sensitive. When copying a file, be sure to enter the filename exactly.

3. Open the file in a text editor.

Once the file has been successfully uploaded into a TFTP server, you can open the file using a text editor such as Notepad.

4. Enter the changes.

Using the text editor, change the configurations that need to be customized. For example, you may need to change the IP addresses, hostname, and other configurations to suit the destination router. Save the edited configuration file back into the TFTP server.

5. Initiate a session with the router on which you want to install the customized configuration.

6. Erase files on the target router that may conflict with the new configuration.

Make sure that the internal flash on the target router does not include a backup startup-config.

ProCurve# show flash
ProCurve# show cflash

If there is a startup-config.bak, erase it.


ProCurve# erase flash startup-config.bak
Deleted NONVOL:/startup-config.bak
ProCurve# erase cflash startup-config.bak
Deleted CFLASH:/startup-config.bak

To be sure that old configurations do not interfere with the new configuration, erase any startup-config files. This will reset the router to its factory defaults.

ProCurve# erase flash startup-config
Deleted NONVOL:/startup-config
ProCurve# erase cflash startup-config
Deleted CFLASH:/startup-config

7. Upload and apply the edited configuration file to the destination router.

Configure the destination router to upload TFTP files. In most cases, this will involve configuring a connection between the router and the TFTP server.

After you have configured access to the TFTP server from the destination router, enter the enable mode context and enter:

Syntax: configure network

ProCurve# configure network
Address of remote host? 192.168.100.2
Source filename? routerB.txt
Initiating TFTP transfer . . .
Received 1044 bytes.
Transfer complete.
Opening and applying file . . .
ProCurve2#

8. Save the new configuration.

The configure network command saves the configuration to running-config. To preserve this configuration, you need to save the running-config as the startup-config.

Syntax: write memory

The router will now load and use the current configuration when it is booted.


Configuration File Transfer Using a Compact Flash Card

1. Copy and rename the base configuration.

Syntax: copy <source> <base configuration name> <destination> <destination filename.txt>

For example, if your base configuration were the router’s startup-config, you would enter:

ProCurve# copy cflash startup-config cflash routerB.txt

Replace <source> with the location of the base configuration file. Because you will be editing this file in a text editor, give the destination filename a .txt extension.

Note: Filenames are case sensitive. When copying a file, be sure to enter the filename exactly.

2. Move the file to a text editor.

Remove the compact flash card from the router and put it into the compact flash card slot on your terminal. Open the configuration file in a text editor such as Notepad.

3. Enter the configuration changes.

Using the text editor, change the configurations that need to be customized. For example, you may need to change the IP addresses, hostname, and other configurations to suit the destination router.

Save the edited configuration to the compact flash card. Eject the card.

Note: If you are using a dedicated compact flash card on this router, you can simply name the edited configuration startup-config. As long as the destination router uses the standard boot process, the new configuration will load when you install it in the destination router and reboot it. Otherwise, you can follow the steps below.

4. Insert the compact flash card into the destination router’s compact flash slot in the rear of the router.


5. Open a session with the destination router and erase files that may conflict with the new configuration.

Make sure there are no startup-configuration files on the router’s internal flash or compact flash. Backup files for the startup-config can also interfere with the installation of the new configuration.

ProCurve# show cflash

If you see files called startup-config.bak or startup-config, erase them.

ProCurve# erase cflash startup-config.bak
Deleted CFLASH:/startup-config.bak
ProCurve# erase flash startup-config.bak
Deleted NONVOL:/startup-config.bak

Unless you saved the edited configuration as startup-config on the compact flash card, you will need to erase the existing startup-config files. These files can interfere with the installation of the edited configuration.

ProCurve# erase cflash startup-config
Deleted CFLASH:/startup-config
ProCurve# erase flash startup-config
Deleted NONVOL:/startup-config

Erasing the startup files will reset the router to its factory defaults.

6. Install the edited configuration.

From the enable mode context, load the edited configuration file and rename it “startup-config”:

Syntax: copy cflash <filename> cflash startup-config

ProCurve# copy cflash routerB.txt cflash startup-config

7. Reboot the router.

Enter reload from the enable mode context. When the Secure Router OS prompts you to save the system configuration, press n.

Note: Be careful. If you press y when asked to save the system configuration, the new startup configuration you just entered will be erased and replaced by the current running configuration.

Press y when asked whether you want to proceed. The router will boot up using the new configuration.


Quick Start

This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and establish a console session.

Only minimal explanation is provided. It is strongly recommended that you read the entire chapter so that you understand how the Secure Router operating system (OS) is organized and how to manage the OS. If you need information about a specific aspect of managing the OS, see “Contents” on page 1-1 to locate the section that contains the explanation you need.

Accessing the Secure Router OS

1. Use the serial cable (5184-1894) that shipped with the ProCurve Secure Router to connect the COM port on your computer to the console port on the front panel of the router.

2. Open a terminal session with the ProCurve Secure Router using the following settings:

• Baud Rate = 9600

• Parity = None

• Data Bits = 8

• Stop Bits = 1

• Flow Control = None

3. Press Enter to access the basic mode context.

4. Access the enable mode context:

ProCurve> enable

5. Access the global configuration mode:

ProCurve# configure terminal

For information about configuring Telnet, SSH, or HTTP access, see Chapter 2: Controlling Management Access to the ProCurve Secure Router. For information about configuring Web access to the router, see “Enabling Access to the Web Browser Interface” on page 14-4.


Chapter 2: Controlling Management Access to the ProCurve Secure Router

Contents

Securing Management Access to the ProCurve Secure Router

Restricting Access to the Enable Mode Context

Configuring a Password for Console Access

Enabling Remote Access to the ProCurve Secure Router

Configuring an Ethernet Interface

Configuring Telnet Access

Configuring Local User Lists

Encrypting All the Passwords Configured on the Router

Enabling Access to the Web Browser Interface

Managing SSH Communications

Using FTP to Access the Router

Using the Local User List for Console or Telnet Access

Enabling Secure Copy Server

Viewing Information about Users

Using the AAA Subsystem to Control Management Access

Advantages of Using the AAA Subsystem

Enabling the AAA Subsystem

Configuring AAA for Authentication

Creating a Named List for the Enable Mode Authentication

Creating a Named List for User Authentication

Criteria for Failure of Authentication Methods

Assign the Named List

Options for AAA Authentication: Configuring Banners, Messages, and Prompts


Configuring Authorization

Define a Named List for Authorization

Assign the Named List

Enable Authorization Commands for Console Line

Configuring the TACACS+ Server for Accounting

Configuring a Named List for Accounting

Assign the Named List

Configure Update Settings

Do Not Send Records for Null Users

Configuring a RADIUS Server for Authentication

Define the RADIUS Server

Define a Group of RADIUS Servers

Configure Global Settings for RADIUS Servers

Configuring the TACACS+ Server

Define the TACACS+ Server

Creating a TACACS+ Group

Configure Global Settings for TACACS+ Servers

Troubleshooting AAA

debug aaa Command

Troubleshooting the RADIUS Server

debug radius Command

Troubleshooting the TACACS+ Server

Port Authentication

Enabling Supplicant Functionality

Troubleshooting Supplicant Functionality

Quick Start

Configure the Enable Mode Password

Configure a Password for the Console Access

Configuring Remote Access to the ProCurve Secure Router

Configuring an Ethernet Interface

Configuring a Password for Telnet Access

Configuring Local User Lists


Configuring AAA

Configuring Authentication with AAA

Configuring Authorization with AAA

Configuring the TACACS+ Server for Accounting

Defining a RADIUS Server

Defining a TACACS+ Server

Enabling 802.1X Supplicant Status


Securing Management Access to the ProCurve Secure Router

The ProCurve Secure Router supports both local and remote management. For local management, you can use a serial cable to attach your PC to the ProCurve Secure Router and establish a console terminal session. For remote management, you have the following options:

■ Telnet

■ Secure Shell (SSH)

■ Web browser interface

You can also establish an FTP session with the router or use secure copy server to copy configuration files to internal or compact flash.

The ProCurve Secure Router allows you to restrict who can use these access methods to manage the router.

Restricting Access to the Enable Mode Context

The first step you should take to protect your WAN is to configure a password for the enable mode context. If you do not configure this password, anyone who has physical access to your router can establish a console terminal session and view or change configurations on the router.

In addition, an enable mode password is required for remote management through a Telnet or SSH session. If you do not create an enable mode password, you may be able to establish a Telnet or SSH session (if the router is configured to permit this access), but you will not be able to move beyond the basic mode context.

To configure an enable mode password, move to the global configuration mode context and enter:

Syntax: enable password [md5] <password>

Replace <password> with any combination of up to 30 characters. Include the Message Digest 5 (md5) option to encrypt the password.

For example, if you want to set the password as procurve, enter:

ProCurve(config)# enable password procurve


Because you did not include the md5 option, the password you entered is stored as clear text and is displayed when you enter the show running-config command, as shown below.

hostname "ProCurve"
enable password procurve

To encrypt the password so that it is not stored as clear text, use the md5 option. From the global configuration mode context, enter:

ProCurve(config)# enable password md5 procurve

The ProCurve Secure Router then uses the MD5 hashing algorithm to encrypt the password so that it is not readable when it is transmitted across the wire or when you display the running-config file. An encrypted password is displayed in the running-config as shown below:

hostname "ProCurveSR7203dl"
enable password md5 encrypted b46f9961af093fdfb9e177eda79

Configuring a Password for Console Access

If possible, you should place the ProCurve Secure Router in a locked room so that unauthorized users do not have physical access to it. Restricting physical access to the router helps prevent malicious or curious users from damaging your WAN or LAN.

You can further protect the ProCurve Secure Router by configuring a password for console access. Then, if someone breaches the physical security you have set up to protect the router, the console password prevents that person from viewing information that is available at the basic mode context. Although the basic mode offers only a limited number of commands, you can still enter show commands and view some configuration information. For example, you can view information about:

■ interfaces

■ event-history

Configuring a password for the console access is a three-step process:

1. Access the console line configuration mode context.

2. Enter the login command, which requires users to provide a password before they can access the ProCurve Secure Router OS through a console session.

3. Enter the password that authorized users must supply when they start a console session.


From the global configuration mode context, enter:

ProCurve(config)# line console 0

The ProCurve Secure Router prompt will show that you are in the console line configuration mode context:

ProCurve(config-con0)#

Enter:

ProCurve(config-con0)# login
ProCurve(config-con0)# password <password>

Replace <password> with any combination of up to 30 characters.

The password you enter is stored as clear text and is displayed when you enter the show running-config command, as shown below.

line con 0
login
password procurve

To encrypt the password, use the md5 option. From the global configuration mode context, enter:

ProCurve(config-con0)# password md5 <password>

The ProCurve Secure Router then uses the MD5 hashing algorithm to encrypt the password so that it is not readable when it is transmitted across the wire or when you display the running-config file.

Enabling Remote Access to the ProCurve Secure Router

As mentioned earlier, you can access the ProCurve Secure Router through the Web browser interface, Telnet session, SSH session, or FTP session. To establish this access, you must configure at least one interface, such as an Ethernet interface.


Configuring an Ethernet Interface

This section provides the minimum steps required to configure an Ethernet interface. (For more detailed information about configuring an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.)

1. Use a 10Base-T or 100Base-T cable to connect the Ethernet port to a device (such as a switch) on your LAN.

2. Open your terminal session software and initiate a console session with the ProCurve Secure Router, using the following parameters:

• Baud Rate = 9600

• Parity = None

• Data Bits = 8

• Stop Bits = 1

• Flow Control = None

3. Press Enter when you are prompted to start a session with the router. The router basic mode context prompt appears, as shown below:

ProCurve>

4. Access the enable mode context:

ProCurve> enable

5. Access the global configuration mode context:

ProCurve# configure terminal

6. From the global configuration mode context, enter the Ethernet interface configuration mode context:

ProCurve(config)# interface ethernet 0/<port>

7. Assign the Ethernet interface an IP address.

Syntax: ip address <A.B.C.D> [<subnet mask> | /<prefix-length>]

For example, if you want to assign the Ethernet interface an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0, enter:

ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24

8. Activate the Ethernet interface.

ProCurve(config-eth 0/1)# no shutdown

9. Save your configuration.

ProCurve(config-eth 0/1)# do write memory


Configuring Telnet Access

By default, the ProCurve Secure Router requires a login password for Telnet sessions. Unless you configure a password for a Telnet line or disable the login option, no one can establish a Telnet session with the ProCurve Secure Router. This security helps protect your organization against unauthorized users who might try to access your ProCurve Secure Router and damage or get information about your WAN.

In addition to configuring a password for Telnet access, you must configure a password for the enable mode. If you do not configure a password for the enable mode, you can establish a Telnet session and enter the basic mode context. However, you cannot move beyond the basic mode context.

You can configure five Telnet lines, which are numbered 0 to 4. If you configure all five lines, a maximum of five people can establish a Telnet session with the ProCurve Secure Router at one time.

Configuring the Telnet Lines. Configuring Telnet access is a three-step process:

1. Access the Telnet line configuration mode context.

2. Enter the password that authorized users must supply when they start a Telnet session.

3. Configure a password for the enable mode context, if you have not done so already.

From the global configuration mode context, enter the following command:

Syntax: line telnet <0–4>

For example, if you want to configure line 0, enter:

ProCurve(config)# line telnet 0

The ProCurve Secure Router prompt will show that you are in the Telnet line 0 configuration mode context:

ProCurve(config-telnet0)#

You can then enter the password command:

Syntax: password [md5] <password>

The md5 option encrypts the password as it is sent over the wire and when it is stored in the running-config.


For example, if you want to create the password as procurve, enter:

ProCurve(config-telnet0)# password md5 procurve

Note: You can also configure an access control list (ACL) to block or limit Telnet access. For instructions on configuring this ACL, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.

Configuring Multiple Telnet Lines at Once. You can also create a password for all Telnet lines at once. Enter:

ProCurve(config)# line telnet 0 4

Entering 0 4 indicates that you are configuring all four lines. The router context displays the lines you are configuring, as shown below:

ProCurve(config-telnet0–4)#

You can then enter the password command.

Note: If you do not enter a space between 0 and 4, you will configure only line 4. The prompt will be displayed as:

ProCurve(config-telnet04)#

Configuring Multiple Passwords for Telnet Lines. If you have a large IT staff, you may want to configure multiple Telnet lines. You may also want to configure a different password for one Telnet line and reserve that line for your access only.

You should always place the more restrictive password on the configured Telnet line with the highest number due to the way that the ProCurve Secure Router handles Telnet sessions. The router always assigns a remote user to the first available Telnet line, starting with line 0. That is, the first user to initiate a Telnet session connects over Telnet line 0, the second over Telnet line 1, and so forth.

If a user cannot enter the correct password, the router terminates the Telnet session. It does not allow the user to access the next Telnet line. If you place a password that only you know on Telnet line 0, no other user will be able to access the other Telnet lines for which they do know the password—except in the unlikely event that you have already established a Telnet session with the router.
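The line-assignment behavior described above can be modeled in a few lines. The following Python sketch is an added example, not code from the guide or from the Secure Router OS; the class name and the passwords "staff" and "owner-only" are constructed for illustration.

```python
class TelnetLines:
    """Model of the Telnet line assignment described above (not router code)."""

    def __init__(self, passwords):
        self.passwords = list(passwords)          # index = Telnet line number
        self.busy = [False] * len(self.passwords)

    def connect(self, password):
        """Return the line number granted, or None if the session is terminated."""
        for line, in_use in enumerate(self.busy):
            if not in_use:
                break                             # first available line, starting at 0
        else:
            return None                           # every configured line is occupied
        if password != self.passwords[line]:
            return None                           # wrong password: no retry on the next line
        self.busy[line] = True
        return line

    def disconnect(self, line):
        self.busy[line] = False


def private_password_on_line_0():
    """Restrictive password on line 0: staff are always offered line 0 and rejected."""
    router = TelnetLines(["owner-only"] + ["staff"] * 4)
    return [router.connect("staff") for _ in range(3)]


def private_password_on_line_4():
    """Restrictive password on the highest line: staff fill lines 0-3, line 4 stays reserved."""
    router = TelnetLines(["staff"] * 4 + ["owner-only"])
    staff = [router.connect("staff") for _ in range(5)]
    owner = router.connect("owner-only")
    return staff, owner


if __name__ == "__main__":
    print("private password on line 0:", private_password_on_line_0())
    print("private password on line 4:", private_password_on_line_4())
```

With the restrictive password on line 4, the fifth staff session is refused and the reserved line remains available to the person who knows its password, even when lines 0 to 3 are in use.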


Configuring an Enable Mode Password. To provide access to the enable mode context through a Telnet session, you must configure an enable mode password. If you do not configure an enable mode password, users will receive a message, telling them that no enable mode password is configured, and they will be denied access to the enable mode context.

To configure an enable mode password, move to the global configuration mode context and enter:

Syntax: enable password [md5] <password>

Configuring Timeout Setting for Telnet Access. By default, the ProCurve Secure Router maintains your Telnet session until it has been inactive for 15 minutes. You can configure the number of minutes a line session can remain inactive before the Secure Router OS terminates the session. From the Telnet line configuration mode context, enter:

Syntax: line-timeout <minutes>

Replace <minutes> with a number between 0 and 35791.

To return this setting to the default value, use the no command:

Syntax: no line-timeout <minutes>

Entering 0 will disable the timeout.

Disabling the Login Requirement. If you do not want to require a password for users to establish a Telnet session, you can disable the login option. From the Telnet line configuration mode context, enter:

ProCurve(config-telnet0–4)# no login

Disabling this option is not recommended because it weakens your security and could compromise your entire network. However, if you do disable the login option, you are still required to create an enable mode password to allow users to configure the router through a Telnet session.

Configuring Local User Lists

By default, access to HTTP, SSH, and FTP is controlled through the local user list. To add a username and password to the local user list, enter the following command from the global configuration mode:

Syntax: username <username> password <password>


Both the username and password can be an alphanumerical string up to 30 characters in length.

You can add multiple usernames and passwords to the local user list, and these usernames and passwords can be used for HTTP, SSH, and FTP access.

Encrypting All the Passwords Configured on the Router

By default, the passwords that you enter in the local user list are not encrypted. You can enter one command to encrypt all the passwords configured on the ProCurve Secure Router, including the passwords configured for Telnet and console access. From the global configuration mode context, enter:

ProCurve(config)# service password-encryption

Enabling Access to the Web Browser Interface

In addition to configuring a username and password, you must enable the HTTP server in order to access the Web browser interface. From the global configuration mode context, enter:

ProCurve(config)# ip http server [<TCP port>]

Include the <TCP port> option only if you want to change the port on which the server receives HTTP communications.

If you want to use Secure Sockets Layer (SSL) to protect the communications between your PC and the router, enter:

ProCurve(config)# ip http secure-server [<TCP port>]

Again, include the <TCP port> option only if you want to customize the port on which the HTTP server receives and sends communications.

After you configure a username and password for the local user list and enable the HTTP server, you can access the Web browser interface. Make sure that your workstation is on a network segment that is connected to the ProCurve Secure Router. Then, open an Internet browser and enter the IP address assigned to the Ethernet interface. For example, if the IP address of the Ethernet interface is 192.168.1.1, enter:

http://192.168.1.1

If you have enabled the HTTP secure server, enter:

https://192.168.1.1


When prompted, enter a username and password that you configured in the local user list.
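The weak settings described so far (clear-text passwords, Telnet lines with no login, a disabled line timeout, the HTTP server without SSL) can be checked offline in a saved copy of the configuration. The following Python script is an added example, not part of the guide or the Secure Router OS; both sample configurations are constructed, and the script assumes that a saved configuration lists commands in the form in which they are entered and that a hashed password carries the md5 or encrypted keyword shown in the running-config excerpt earlier.

```python
import re

# Keywords the guide shows in front of a hashed password value.
PROTECTED_KEYWORDS = {"md5", "encrypted"}

# Constructed sample: weak settings described in this chapter.
WEAK_CONFIG = """\
hostname "ProCurve"
enable password procurve
username admin password procurve
ip http server
line con 0
line telnet 0 4
 no login
 line-timeout 0
line ssh 0 4
 login local-userlist
"""

# Constructed sample: the same router with the recommended settings.
HARDENED_CONFIG = """\
hostname "ProCurve"
service password-encryption
enable password md5 encrypted CONSTRUCTEDHASH
ip http secure-server
line con 0
 login
 password md5 encrypted CONSTRUCTEDHASH
line telnet 0 4
 password md5 encrypted CONSTRUCTEDHASH
 line-timeout 15
line ssh 0 4
 login local-userlist
 line-timeout 15
"""


def is_clear_text(words_after_password):
    """True when no md5/encrypted keyword precedes the password value."""
    return not any(w in PROTECTED_KEYWORDS for w in words_after_password[:-1])


def audit_config(text):
    """Return a list of (check_id, detail) findings for one configuration."""
    findings = []
    block = None                      # line block being read, e.g. "telnet 0 4"
    enable_seen = console_login = encryption_service = False

    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt:
            continue
        words = stmt.split()

        header = re.match(r"line\s+(con|console|telnet|ssh)\b(.*)", stmt)
        if header:
            kind = "console" if header.group(1).startswith("con") else header.group(1)
            block = f"{kind} {header.group(2).strip()}"
            continue

        in_block = block and (words[0] in ("login", "password", "line-timeout")
                              or stmt == "no login")
        if in_block:
            if words[0] == "password" and is_clear_text(words[1:]):
                findings.append(("clear-text-password", f"line {block}"))
            elif stmt == "no login" and block.startswith("telnet"):
                findings.append(("telnet-no-login", f"line {block}"))
            elif words[0] == "login" and block.startswith("console"):
                console_login = True
            elif (words[0] == "line-timeout" and words[1:] == ["0"]
                  and not block.startswith("console")):
                findings.append(("timeout-disabled", f"line {block}"))
            continue
        block = None                  # any other statement closes the line block

        if words[:2] == ["enable", "password"]:
            enable_seen = True
            if is_clear_text(words[2:]):
                findings.append(("clear-text-password", "enable mode"))
        elif words[0] == "username" and "password" in words[2:]:
            value = words[words.index("password", 2) + 1:]
            if is_clear_text(value):
                findings.append(("clear-text-password", f"user {words[1]}"))
        elif words[:3] == ["ip", "http", "server"]:
            findings.append(("http-without-ssl", stmt))
        elif stmt == "service password-encryption":
            encryption_service = True

    if not enable_seen:
        findings.append(("no-enable-password", "enable mode"))
    if not console_login:
        findings.append(("console-no-login", "line console"))
    if not encryption_service:
        findings.append(("password-encryption-off", "global"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for check, detail in audit_config(cfg):
            print(f"  {check}: {detail}")
```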

Managing SSH Communications

With Telnet, communications between the server and your PC are sent over the wire in clear text. If you want to encrypt these communications, you can use SSH instead.

The SSH server on the ProCurve Secure Router is enabled by default. After you configure a username and password in the local user list, you can enter that username and password to access the router through SSH.

The ProCurve Secure Router supports up to five SSH lines, which are numbered 0 to 4. If you configure a username and password in the local user list, a maximum of five people can establish an SSH session with the ProCurve Secure Router at one time.

You can configure timeout settings for SSH lines just as you configure timeout settings for Telnet lines. First, move to the SSH line configuration mode context by entering the following command from the global configuration mode context:

Syntax: line ssh <0–4>

To access all the SSH lines at once, enter:

ProCurve(config)# line ssh 0 4

By default, ProCurve Secure Router maintains your SSH session until it has been inactive for 15 minutes. To configure the number of minutes an SSH session can remain inactive before the Secure Router OS terminates the session, enter the following command from the SSH line configuration mode context:

Syntax: line-timeout <minutes>

Replace <minutes> with a number between 0 and 35791.

To return this setting to the default value, use the no command:

Syntax: no line-timeout <minutes>

Entering 0 will disable the timeout.


Note: If you want to use an ACL to restrict SSH access, you apply this ACL at the SSH line configuration mode context. For more information, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.

Using FTP to Access the Router

After you add one username and password to the local user list, you can use FTP to access the router. You can then copy configuration files to and from the router’s compact flash or internal flash. If you want to encrypt these files as they are copied to and from the router, see “Enabling Secure Copy Server” on page 2-13.

Using the Local User List for Console or Telnet Access

You can configure the ProCurve Secure Router to use the usernames and passwords you configure from the global configuration mode context to control access to console terminal, SSH, or Telnet sessions. To use these passwords for console terminal sessions, move to the console configuration mode context and enter:

ProCurve(config-con0)# login local-userlist

By default, no login password is required for console terminal sessions.

To use these passwords for SSH or Telnet access, move to the appropriate line configuration mode context and enter the same command:

ProCurve(config-ssh0–4)# login local-userlist

ProCurve(config-telnet0–4)# login local-userlist

Enabling Secure Copy Server

You can enable the secure copy (SCP) server, so that files are encrypted as they are copied to and from the ProCurve Secure Router. You use the SCP server in conjunction with SSH so that the user trying to access the server is authenticated and the data transmitted is encrypted.

To enable the SCP server, enter the following command from the global configuration mode context:

Syntax: ip scp server


To disable the SCP server, enter:

Syntax: no ip scp server

Viewing Information about Users

At any time, you can view information about the users who are accessing the ProCurve Secure Router through the console, Telnet, SSH, FTP, and Web browser interface. From the enable mode context, enter:

ProCurve# show users

Figure 2-1 shows the type of information that is displayed when you enter this command. You can view the username that the user entered to obtain access, the type of access (such as console or Telnet), and the time the connection has been idle. For Telnet, SSH, FTP, and Web access, you can also view the IP address of the device from which the user obtained access.

- CONSOLE 0 'password-only' logged in and enabled Idle for 00:00:00
- TELNET 0 (192.168.20.25:1029) 'geoff' logged in and enabled Idle for 00:00:09

Figure 2-1. Viewing the Users Who Are Accessing the Router Through the Console, Telnet, SSH, FTP, and Web Browser Interface

Using the AAA Subsystem to Control Management Access

Authentication, authorization, and accounting (AAA) is an industry standard for controlling:

■ which users can access a system (authentication)

■ what they can do once they are granted access (authorization)

■ what is recorded about their activities (accounting)

The AAA subsystem on the ProCurve Secure Router currently supports:

■ authentication methods configured on the router itself

■ authentication through Remote Authentication Dial-In User Service (RADIUS) servers

■ authentication, authorization, and accounting through TACACS+ servers


Advantages of Using the AAA Subsystem

The AAA subsystem provides more flexibility than simple password-based authentication. If you enable the AAA subsystem, you can configure a list of authentication methods for the enable mode and for each access method. For example, you could configure a list of authentication methods for Telnet access or for SSH access. The authentication methods include:

■ the Telnet password

■ the enable mode password

■ the local userlist

■ a RADIUS server

■ a TACACS+ server

You configure the list of authentication methods in the order in which you want them used. Then, if one method fails, the next method is used. (For information about what constitutes a failure, see “Criteria for Failure of Authentication Methods” on page 2-19.)

The AAA subsystem allows you to use a standard authentication method across your entire network. If you are using a RADIUS server or a TACACS+ server to authenticate network services and applications, you can use this same server to authenticate management access to the ProCurve Secure Router.

In addition to controlling management access, the AAA subsystem can be used to authenticate VPN users when Xauth is configured. (For more information about Xauth, see the ProCurve Secure Router Advanced Management and Configuration Guide, Chapter 8: Virtual Private Networks.)

The AAA subsystem also strengthens your WAN security by supporting authorization and accounting for management access to the ProCurve Secure Router. Enforced through a TACACS+ server, authorization and accounting go beyond password authentication to ensure that only authorized users perform management functions and to provide a record of the configuration commands entered.

Enabling the AAA Subsystem

By default, the AAA subsystem is disabled. To enable it, move to the global configuration mode context and enter:

ProCurve(config)# aaa on

After you enable the AAA subsystem, the complete set of AAA commands becomes available in the ProCurve Secure Router OS. For example, you can then configure AAA-based authentication, authorization, and accounting for SSH lines. The AAA authentication settings that you configure override any other authentication settings you have configured.

Configuring AAA for Authentication

Configuring AAA for authentication involves the following steps:

1. Create a list of authentication methods, called a named list. You can create a named list for the enable mode and a named list for each access method.

2. Assign the named list to the console line, Telnet lines, SSH lines, FTP server, or HTTP server. You do not have to complete this step to configure AAA authentication methods for the enable mode.

3. Configure the RADIUS or TACACS+ server if you want to use one of these servers to authenticate VPN users or users who try to manage the ProCurve Secure Router. (To learn how to configure these servers, see “Define the RADIUS Server” on page 2-27 and “Define the TACACS+ Server” on page 2-31.)

Creating a Named List for the Enable Mode Authentication

To create a named list for the enable mode, you must determine the authentication methods you want to use and the order in which you want the authentication methods applied. From the global configuration mode context, enter:

Syntax: aaa authentication enable default {none | line | enable | [group <groupname> | radius | tacacs+]}

The options you can select for the enable mode context are listed in Table 2-1:

Table 2-1. Authentication Options for the Enable Named List

Option                                  Meaning
none                                    No password is required.
line                                    Use the password configured for the Telnet line or the console.
enable                                  Use the password configured for the enable mode context.
group [<groupname> | radius | tacacs+]  Use one of the following:
                                        • group of RADIUS or TACACS+ servers that you have configured
                                        • all the RADIUS servers that you have defined (if you have not defined a group of RADIUS servers)
                                        • all the TACACS+ servers that you have defined (if you have not defined a group of TACACS+ servers)

For example, you may decide that when a user attempts to access the enable mode context, you want the ProCurve Secure Router to use the following authentication methods, in the order they are listed:

■ TACACS+

■ enable

You would enter:

ProCurve(config)# aaa authentication enable default group tacacs+ enable

If you enter this command, the ProCurve Secure Router will first try to authenticate the user through the TACACS+ server. If the TACACS+ server does not respond, the ProCurve Secure Router will prompt the user to enter the enable mode password and will check the password that the user enters against the enable mode password you configured.

For the enable mode password, you do not have to enter another command to apply the named list. If you are using a RADIUS or TACACS+ server as an authentication method, you must configure the ProCurve Secure Router to locate and communicate with that server. For information about the configuration required for a RADIUS server, see “Configuring a RADIUS Server for Authentication” on page 2-27. For information about the configuration required for a TACACS+ server, see “Define the TACACS+ Server” on page 2-31.

Note: If you enable the AAA subsystem but do not configure a named list for the enable mode, the Secure Router OS uses the enable mode password by default.

Creating a Named List for User Authentication

To create a named list for user authentication, you must determine the authentication methods you want to use and the order in which you want the authentication methods applied. From the global configuration mode context, enter:

Syntax: aaa authentication login <listname> {none | line | enable | [group <groupname> | radius | tacacs+]}

Replace <listname> with the name you want to give the named list you create.

The options you can select to authenticate users are listed in Table 2-2:

Table 2-2. Authentication Options for Named Lists

Option                                  Meaning
none                                    No password is required.
line                                    Use the password configured for the line or the console.
enable                                  Use the password configured for the enable mode context.
local                                   Use the local user database (which is defined on the router).
group [<groupname> | radius | tacacs+]  Use one of the following:
                                        • group of RADIUS or TACACS+ servers that you have configured
                                        • all the RADIUS servers that you have defined (if you have not defined a group of RADIUS servers)
                                        • all the TACACS+ servers that you have defined (if you have not defined a group of TACACS+ servers)

There is one difference between the list of options for the enable mode and the list of options for authenticating users: the local user database is not an option for the enable mode.

For example, when you configure a named list for user authentication, you may want to call this list UserLogin. You may also decide to use the following authentication methods:

■ enable password

■ line password

■ local user database

In this case, you would enter:

ProCurve(config)# aaa authentication login UserLogin enable line local

Note: If you select the enable password as an authentication method for an access method that requires a username, the username is, by default, $enab15$. You can change this username for RADIUS servers when you enter the radius-server command, as explained in “Define the RADIUS Server” on page 2-27.

If no enable password has been defined, the AAA subsystem moves to the line username and password. If no username and password have been defined for the line, the AAA subsystem moves to the local user database and tries to match the username and password that the user enters to a username and password in that database.

Criteria for Failure of Authentication Methods

The AAA subsystem skips an authentication method if the method itself fails. However, if a user fails to enter the correct password, that user is denied access to the router. The user failed in his or her attempt to authenticate; the authentication method did not fail.

The ProCurve Secure Router uses the following criteria to determine if an authentication method failed:

■ Line and enable passwords fail if no line or enable passwords are configured.

■ RADIUS or TACACS+ servers fail if the ProCurve Secure Router tries to communicate with them but they do not respond.

■ The local user list fails if the given user is not listed in the database.

For example, if you configure the authentication methods with RADIUS as the first option and the RADIUS server goes down, the AAA subsystem tries the next authentication method you configured. If you listed the local user list after the RADIUS server, the AAA subsystem will use that authentication method next.
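The failure criteria above can be checked against a small model before a method list is deployed. The following Python sketch is an added example, not ProCurve code: the RouterState fields, function names and credentials are constructed for illustration, and the deny result for an exhausted list is an assumption because the guide does not define that case.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RouterState:
    """Constructed router and server state for the example."""
    enable_password: Optional[str] = None
    line_password: Optional[str] = None
    local_users: Dict[str, str] = field(default_factory=dict)
    # Method name ("group tacacs+", "group radius", "group <name>") mapped to
    # the server's user table, or to None when the servers do not respond.
    servers: Dict[str, Optional[Dict[str, str]]] = field(default_factory=dict)


def parse_methods(command: str) -> List[str]:
    """Extract the ordered methods from an 'aaa authentication ...' command."""
    tokens = command.split()
    if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 5:
        raise ValueError("not an aaa authentication list command")
    rest, methods, i = tokens[4:], [], 0   # skip 'enable default' / 'login <listname>'
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return methods


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate(methods, state, username, password) -> Tuple[str, str]:
    """Walk the list in order and return (result, method that decided)."""
    for method in methods:
        if method == "none":
            return "permit", method
        if method in ("line", "enable"):
            configured = state.line_password if method == "line" else state.enable_password
            if configured is None:
                continue            # method failure: password not configured
            return ("permit" if _same(password, configured) else "deny"), method
        if method == "local":
            if username not in state.local_users:
                continue            # method failure: user not in the local list
            ok = _same(password, state.local_users[username])
            return ("permit" if ok else "deny"), method
        users = state.servers.get(method)
        if users is None:
            continue                # method failure: server did not respond
        ok = username in users and _same(password, users[username])
        return ("permit" if ok else "deny"), method
    return "deny", "end-of-list"    # assumption: the page does not define this case


def demo():
    """Run the page's 'group tacacs+ enable' list against constructed state."""
    methods = parse_methods("aaa authentication enable default group tacacs+ enable")
    state = RouterState(enable_password="en-secret",
                        servers={"group tacacs+": {"geoff": "tac-secret"}})
    up_wrong = authenticate(methods, state, "geoff", "en-secret")
    state.servers["group tacacs+"] = None            # TACACS+ server goes down
    down_enable = authenticate(methods, state, "geoff", "en-secret")
    down_none = authenticate(["group tacacs+", "none"], state, "anyone", "")
    return up_wrong, down_enable, down_none


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the demo, a wrong password is denied while the TACACS+ server responds, the enable password decides once the server stops responding, and a list that ends in none permits any user during an outage.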

Assign the Named List

After you configure a named list, you must assign the list to the specific access method. To assign a list to the console, Telnet, or SSH lines, move to the appropriate line configuration mode context and enter:

Syntax: login authentication <named list>

For example, to assign ListA to the console line, enter:

ProCurve(config)# line console 0
ProCurve(config-con0)# login authentication ListA

To assign ListA to the Telnet 0 line, enter:

ProCurve(config)# line telnet 0
ProCurve(config-telnet0)# login authentication ListA

To assign ListA to all of the SSH lines, enter:

ProCurve(config)# line ssh 0 4
ProCurve(config-ssh0-4)# login authentication ListA

For FTP and HTTP access, you assign the list from the global configuration mode context. If you want to assign a named list to control FTP access, enter:

Syntax: ftp authentication <named list>

If you want to assign a named list to control Web access, enter the following command from the global configuration mode context:

Syntax: ip http authentication <named list>

No Named List Assigned. If you enable the AAA subsystem but do not configure a named list and assign it to an access method (console, Telnet, FTP, SSH, or HTTP), the ProCurve Secure Router handles authentication as outlined in Table 2-3.

Table 2-3. Default Action if No Named List Is Configured

Access          Authentication Method
console access  no password required
Telnet access   Telnet password
FTP access      local user list
HTTP access     local user list
SSH access      local user list

Options for AAA Authentication: Configuring Banners, Messages, and Prompts

To help users log in to the ProCurve Secure Router successfully, you can customize the following:

■ banner

■ message that is displayed when a login attempt fails

■ password prompt

■ username prompt

To configure these displays, you use the following command syntax:

Syntax: aaa authentication [banner | fail-message | password-prompt | username-prompt]

Configuring a Banner. A banner is displayed before a user attempts to log in to the router. By default, the following banner is displayed:

User Access Verification

To configure a banner, move to the global configuration mode context and enter the aaa authentication banner command followed by any character that signals the beginning of the banner text. For example, you might enter the @ character, as shown below:

ProCurve(config)# aaa authentication banner @

You can then type the banner that you want to display. For example, you might enter:

Only authorized users allowed @

To end the banner, you must enter the same character that you used to signal the beginning of the banner.

Configuring a Fail Message. A fail message is displayed if the user attempts to log in to the router and fails. By default, the fail message is:

Authentication Failed

To customize a fail message, move to the global configuration mode context and enter the aaa authentication fail-message command followed by a character that signals the beginning of the message that you want to display. For example, you might enter the @ character or even the !, as shown below:

ProCurve(config)# aaa authentication fail-message !

Then type the message you want to be displayed if a login attempt fails. After entering the message, enter the same character you used to signal the beginning of the fail message. In the example above, you would enter the ! character.

Configuring a Username or Password Prompt. By default, the ProCurve Secure Router displays the following prompts to help users log in to the router:

Username:
Password:

To customize the username prompt, move to the global configuration mode context and enter:

Syntax: aaa authentication username-prompt <prompt>

Replace <prompt> with the word you want displayed when users attempt to log in. For example, if you want the prompt to be User, enter:

ProCurve(config)# aaa authentication username-prompt User

To customize the password prompt, move to the global configuration mode context and enter:

Syntax: aaa authentication password-prompt <prompt>

Replace <prompt> with the word you want displayed when users attempt to log in. For example, if you want the prompt to be Secret, enter:

ProCurve(config)# aaa authentication password-prompt Secret

Configuring Authorization

After you enable the AAA subsystem, you can use a TACACS+ server to control not only who can access the Secure Router OS but also who can actually enter unprivileged or privileged commands. That is, you can determine which users are authorized to configure the router from the basic or enable mode context.

Configuring authorization through the TACACS+ server involves the following steps:

1. Define a named list for authorization.

2. Assign the named list to a line configuration mode context.

If you want to enforce authorization for console sessions, you must also enable authorization for the console line.

Of course, the AAA subsystem must be enabled, and the TACACS+ server must be defined. (See “Define the TACACS+ Server” on page 2-31.)

Define a Named List for Authorization

You must define a named list for authorization, just as you define a named list for authentication. In this named list, you specify if users are authorized to enter commands from the basic or enable mode context. You also define the TACACS+ servers that will handle the authorization request.

To define a named list for authorization, enter the following command from the global configuration mode context:

Syntax: aaa authorization commands [1 | 15] [default | <named list>] group [tacacs+ | <group name>] [if-authenticated | none]

Include 1 or 15 to specify the level of commands for which you want to configure authorization: 1 is unprivileged access, which is the basic mode, and 15 is privileged access, which is the enable mode.

Specify the default authorization list or replace <named list> to create a named list.

Use the group tacacs+ option to specify the default group of TACACS+ servers. Use the group <group name> if you have created a group of TACACS+ servers.

Include the if-authenticated option to authorize authenticated users. Use the none option to grant access immediately. You may want to enter none as a second option. That way, if the ProCurve Secure Router cannot contact the TACACS+ server, you will still be able to configure the router.

For example, to allow authenticated users to configure the router from the enable mode context, enter:

ProCurve (config)# aaa authorization commands 15 default group tacacs+ if-authenticated

After you create a named list for authorization, you must assign it to an access method, such as a Telnet or SSH line.

Assign the Named List

To assign the named list to a console, Telnet, or SSH line, you must move to the line configuration mode context. To completely enforce this security measure, you must ensure that you assign the named list to all of the Telnet or SSH lines that you have enabled. For example, if you have enabled all five Telnet lines, you must assign the named list to all five lines.

From the appropriate line configuration mode context, enter:

Syntax: authorization commands [1 | 15] [default | <named list>]

Enter 1 to grant access to the basic mode, or enter 15 to grant access to the enable mode.

Enter default to assign the default list, or replace <named list> with the list that you have created.

For example, you might create a named list called Authorize and then assign it to all of the Telnet lines. You might also include the 15 option because you want this named list to control who can enter commands from the enable mode context. From the global configuration mode context, enter:

ProCurve (config)# line telnet 0 4
ProCurve (config-telnet04)# authorization commands 15 Authorize

Enable Authorization Commands for Console Line

If you want to configure authorization commands for the console line, you must enable this capability. From the global configuration mode context, enter:

Syntax: aaa authorization console

Note: Take care when you configure authorization for the console line. If you are not careful, you may prohibit yourself from entering commands from the console.

To disable authorization through the console line, enter:

Syntax: no aaa authorization console

By default, authorization commands can be configured for the enable mode context. To disable authorization for the enable mode context, enter the following command from the global configuration mode context:

Syntax: no aaa authorization config-command

To re-instate this capability, enter:

Syntax: aaa authorization config-command

Configuring the TACACS+ Server for Accounting

You can track which users access the ProCurve Secure Router and the configuration changes those users make. When you configure AAA accounting on the ProCurve Secure Router, it will send configuration information to the TACACS+ server you specify.

Configuring accounting involves the following steps:

1. Configure a named list.

2. Apply the named list.

Of course, the AAA subsystem must be enabled, and the TACACS+ server must be defined. (See “Define the TACACS+ Server” on page 2-31.)

Configuring a Named List for Accounting

Once again, you create a named list to configure accounting on the ProCurve Secure Router. This named list determines:

■ what information is sent to the TACACS+ server

■ which TACACS+ server the information is sent to

■ when the information is sent

Syntax: aaa accounting commands [1 | 15] [default | <named list>] [none | stop-only] group [tacacs+ | <group name>]

Specify the level of commands for which you want to generate accounting: 1 is unprivileged access, which is the basic mode, and 15 is privileged access, which is the enable mode.

Specify the default accounting list or replace <named list> to create an accounting list.

Include the stop-only option if you want an accounting record to be generated when the user ends his or her session. Include the none option if you do not want an accounting record generated. For example, you may not want any records generated if a user enters a command at the basic mode context.

Include the group tacacs+ option if you want the ProCurve Secure Router to send the accounting information to the default group of TACACS+ servers. Replace group <groupname> with a group that you created. You can specify more than one group.

Assign the Named List

To assign the named list to a console, Telnet, or SSH line, you must move to the appropriate line configuration mode context. If you want to record configuration activities for all Telnet and SSH lines, you must ensure that you assign the named list to all of the Telnet or SSH lines that you have enabled. For example, if you have enabled all five Telnet lines, you must assign the named list to all five lines.

From the appropriate line configuration mode context, enter:

Syntax: accounting commands [1 | 15] [default | <named list>]

For example, you might create a named list called Account and then assign it to all of the Telnet lines. You might also include the 15 option because you want this named list to record information about the commands entered from the privileged mode. From the global configuration mode context, enter:

ProCurve (config)# line telnet 0 4
ProCurve (config-telnet04)# accounting commands 15 Account

Configure Update Settings

You can configure when the ProCurve Secure Router sends updates to the TACACS+ server. To configure updates, enter the following command from the global configuration mode context:

Syntax: aaa accounting update [newinfo | periodic <minutes>]

Include newinfo if you want all new records sent immediately, or include periodic if you want the records sent at specific intervals. If you specify periodic, replace <minutes> with a number between 1 and 2147483647.

Do Not Send Records for Null Users

By default, the ProCurve Secure Router does not send accounting information for the null usernames. Null usernames are any users that the TACACS+ system cannot identify. For example, if you do not control access to the console line through the TACACS+ servers, users who access and make changes through the console line will not be known to the TACACS+ server. The ProCurve Secure Router will not send information about such users to the TACACS+ server unless you change this default setting. To do so, enter:

Syntax: no aaa accounting suppress null-username
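The authentication, authorization, and accounting sections above each require the named list to be assigned to every line in use, and Table 2-3 gives what applies when no login list is assigned. The following Python check is an added example, not part of the Secure Router OS: it assumes the configuration text contains only commands in the form shown in this guide, that one console line and five Telnet and SSH lines (0-4) are enabled, and the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Table 2-3 of this guide: what applies when no named list is assigned.
TABLE_2_3 = {"console": "no password required",
             "telnet": "Telnet password",
             "ssh": "local user list"}
# Assumption: one console line and five Telnet and SSH lines (0-4), all
# enabled, as in the guide's "line telnet 0 4" and "line ssh 0 4" examples.
LINES = {"console": 1, "telnet": 5, "ssh": 5}
LINE_CMDS = ("login authentication", "authorization commands", "accounting commands")

# Constructed sample: SSH line 4 is left out and SSH has no accounting list.
SAMPLE_CONFIG = """\
aaa on
tacacs-server host 192.168.7.1
aaa authentication login UserLogin group tacacs+ local
aaa authorization commands 15 Authorize group tacacs+ if-authenticated
aaa accounting commands 15 Account stop-only group tacacs+
line console 0
login authentication UserLogin
line telnet 0 4
login authentication UserLogin
authorization commands 15 Authorize
accounting commands 15 Account
line ssh 0 3
login authentication UserLogin
authorization commands 15 Authorize
"""


def parse(config):
    """Return (global commands, {(kind, n): {service: list name}})."""
    global_cmds, per_line, current = [], defaultdict(dict), []
    for raw in config.splitlines():
        cmd = " ".join(raw.split())
        if not cmd:
            continue
        m = re.fullmatch(r"line (console|telnet|ssh) (\d+)(?: (\d+))?", cmd)
        if m:
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            current = [(m.group(1), n) for n in range(first, last + 1)]
        elif current and cmd.startswith(LINE_CMDS):
            service, name = cmd.rsplit(" ", 1)   # e.g. "authorization commands 15"
            for key in current:
                per_line[key][service] = name
        else:
            current = []          # any other command leaves the line context
            global_cmds.append(cmd)
    return global_cmds, per_line


def defined_lists(global_cmds):
    """Collect (line service, list name) pairs defined by global aaa commands."""
    defined = set()
    for cmd in global_cmds:
        t = cmd.split()
        if t[:3] == ["aaa", "authentication", "login"] and len(t) > 3:
            defined.add(("login authentication", t[3]))
        elif t[:1] == ["aaa"] and len(t) > 4 and t[1:3] in (
                ["authorization", "commands"], ["accounting", "commands"]):
            defined.add((f"{t[1]} commands {t[3]}", t[4]))
    return defined


def audit(config):
    """Return a list of findings about named-list coverage."""
    global_cmds, per_line = parse(config)
    defined = defined_lists(global_cmds)
    findings = []
    if "aaa on" not in global_cmds:
        findings.append("global: 'aaa on' is missing, so the AAA commands are not in effect")
    # A service assigned on any line is expected on every Telnet and SSH line.
    in_use = sorted({s for svcs in per_line.values() for s in svcs}
                    - {"login authentication"})
    for kind, count in LINES.items():
        for n in range(count):
            assigned = per_line.get((kind, n), {})
            if "login authentication" not in assigned:
                findings.append(f"{kind} {n}: no login authentication list; "
                                f"Table 2-3 default applies ({TABLE_2_3[kind]})")
            for service in in_use:
                if kind != "console" and service not in assigned:
                    findings.append(f"{kind} {n}: {service} not assigned")
            for service, name in assigned.items():
                if (service, name) not in defined:
                    findings.append(f"{kind} {n}: list {name!r} for {service} is not defined")
            if (kind == "console" and "aaa authorization console" not in global_cmds
                    and any(s.startswith("authorization") for s in assigned)):
                findings.append(f"{kind} {n}: authorization assigned but "
                                "'aaa authorization console' is missing")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```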

Configuring a RADIUS Server for Authentication

In order to use a RADIUS server in a named list, you must configure the Secure Router OS to locate and contact that RADIUS server. If your network includes multiple RADIUS servers, you can add these servers to the default group of RADIUS servers or define a group of RADIUS servers. In addition, you can configure specific settings for each RADIUS server, or you can configure global settings for all of the RADIUS servers you define.

Define the RADIUS Server

The ProCurve Secure Router must be able to locate and communicate with the RADIUS server. (See Figure 2-2.)

Figure 2-2. Using a RADIUS Server for Authenticating Users Who Want to Manage the ProCurve Secure Router

To set up this communication, you must specify the IP address of the RADIUS server. Enter the following command from the global configuration mode context:

Syntax: radius-server host <A.B.C.D | hostname> [acct-port <port number> | auth-port <port number> | retransmit <number> | timeout <seconds> | key <key>]

To define the RADIUS server, you simply enter the first part of the command:

Syntax: radius-server host <A.B.C.D | hostname>

Either replace <A.B.C.D> with an IP address or replace <hostname> with the RADIUS server’s host name. For example, if your RADIUS server has the IP address of 192.168.115.5, enter:

ProCurve(config)# radius-server host 192.168.115.5

You can also configure other settings—such as the authentication port and the shared key—for the RADIUS server. Table 2-4 lists the available options.

[Figure 2-2 diagram labels: core switch, RADIUS server, two edge switches, ProCurve Secure Router]

Table 2-4. Customizing Settings for Individual RADIUS Servers

Option                   Meaning                                             Default Value
acct-port <port number>  configures the router to send accounting requests   acct-port 1813
                         to the port you specify
auth-port <port number>  configures the router to send authentication        auth-port 1812
                         requests to the port you specify
retransmit <attempts>    specifies the number of times the router tries to   global RADIUS setting
                         contact the RADIUS server after the timeout
                         expires
timeout <seconds>        specifies the number of seconds the router waits    global RADIUS setting
                         if it does not receive a response from the RADIUS
                         server
key <key>                defines the shared key the router uses to           none
                         authenticate to the RADIUS server

For example, you might enter:

ProCurve(config)# radius-server host 192.168.115.5 acct-port 1646 key secret

After you define a RADIUS server, that server is added to the router’s default RADIUS group. If you define a second RADIUS server, it is added to the default group, and the Secure Router OS contacts the servers in the order in which you entered them. Once you define the RADIUS servers in the default group, this order cannot be changed.

If you want to change the order in which the Secure Router OS contacts the RADIUS servers, you should create a RADIUS server group, as described in the next section.

Define a Group of RADIUS Servers

To define a group of RADIUS servers, enter the following command from the global configuration mode context:

Syntax: aaa group server radius <groupname>

Replace <groupname> with a name that is meaningful to you.

For example, the following command creates a group called myServers and enters the RADIUS group configuration mode context:

ProCurve(config)# aaa group server radius myServers
ProCurve(config-sg-radius)#

From this context, use the following command to add RADIUS servers to the group:

Syntax: server <hostname | A.B.C.D>

Either replace <hostname> with the RADIUS server’s hostname or replace <A.B.C.D> with the RADIUS server’s IP address.

The following examples add servers to the myServers group:

ProCurve(config)# aaa group server radius myServers
ProCurve(config-sg-radius)# server 1.2.3.4 auth-port 1812
ProCurve(config-sg-radius)# server 4.3.2.1
ProCurve(config-sg-radius)# exit

or

ProCurve(config)# aaa group server radius myServers
ProCurve(config-sg-radius)# server 2.2.2.2
ProCurve(config-sg-radius)# exit

You must use the radius-server command to define RADIUS servers before you can add them to a group. If a server is added to a named group but is not defined by a radius-server command, the router simply bypasses that server in the list.

Empty RADIUS groups are not saved. When the last server is removed from a group, the Secure Router OS automatically deletes the group.
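Because an undefined group member is bypassed silently, and because per-server settings fall back to the global RADIUS settings (Tables 2-4 and 2-5), it helps to resolve what each group will actually use. The following Python sketch is an added example, not ProCurve code: it assumes configuration text in the command form shown in this guide, that per-server retransmit falls back to the global retry value, and the sample addresses other than 192.168.115.5 are constructed.

```python
# Defaults from Table 2-4 (per server) and Table 2-5 (global) of this guide.
GLOBAL_DEFAULTS = {"timeout": 5, "retry": 3, "key": None}
DEFAULT_GROUP = "radius (default group)"

# Constructed sample: two defined servers, two groups naming undefined servers.
SAMPLE_CONFIG = """\
radius-server key my secret key
radius-server timeout 2
radius-server retry 4
radius-server host 192.168.115.5 acct-port 1646 key secret
radius-server host 192.168.115.6 timeout 10
aaa group server radius myServers
server 192.168.115.6
server 192.168.115.9
exit
aaa group server radius spare
server 192.168.115.10
exit
"""


def _options(tokens):
    """Parse the options that follow 'radius-server host <address>'."""
    opts, i = {}, 0
    while i + 1 < len(tokens):
        if tokens[i] == "key":                 # the key is the rest of the line
            opts["key"] = " ".join(tokens[i + 1:])
            break
        opts[tokens[i]] = int(tokens[i + 1])
        i += 2
    return opts


def parse(config):
    """Return (defined servers, global settings, named groups)."""
    servers, settings, groups, group = {}, dict(GLOBAL_DEFAULTS), {}, None
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["radius-server", "host"] and len(t) > 2:
            servers[t[2]], group = _options(t[3:]), None
        elif t[:1] == ["radius-server"] and len(t) > 2 and t[1] in settings:
            settings[t[1]] = " ".join(t[2:]) if t[1] == "key" else int(t[2])
            group = None
        elif t[:4] == ["aaa", "group", "server", "radius"] and len(t) > 4:
            group = t[4]
            groups.setdefault(group, [])
        elif t[:1] == ["server"] and group and len(t) > 1:
            groups[group].append(t[1])
        elif t:
            group = None                       # 'exit' or any other command
    return servers, settings, groups


def resolve(config):
    """Return {group: {"order": [effective server settings], "bypassed": [hosts]}}."""
    servers, settings, groups = parse(config)
    report = {}
    # The default group holds every defined server, in the order entered.
    for name, members in {DEFAULT_GROUP: list(servers), **groups}.items():
        order, bypassed = [], []
        for host in members:
            if host not in servers:
                bypassed.append(host)          # not defined by radius-server host
                continue
            own = servers[host]
            order.append({
                "host": host,
                "auth-port": own.get("auth-port", 1812),
                "acct-port": own.get("acct-port", 1813),
                "timeout": own.get("timeout", settings["timeout"]),
                # Assumption: per-server 'retransmit' falls back to global 'retry'.
                "retransmit": own.get("retransmit", settings["retry"]),
                "key": own.get("key", settings["key"]),
            })
        report[name] = {"order": order, "bypassed": bypassed}
    return report


def findings(report):
    """List bypassed members, groups with no usable server, and key-less servers."""
    out = []
    for name, group in report.items():
        out += [f"{name}: {h} is not defined and is bypassed" for h in group["bypassed"]]
        if not group["order"]:
            out.append(f"{name}: no usable server")
        out += [f"{name}: {s['host']} has no shared key"
                for s in group["order"] if s["key"] is None]
    return out


if __name__ == "__main__":
    print("\n".join(findings(resolve(SAMPLE_CONFIG))))
```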

Configure Global Settings for RADIUS Servers

You can configure global settings that will be applied to all RADIUS servers defined on the router. However, if you configure specific settings for a RADIUS server, these settings will override the global settings.

To configure global settings, you use the radius-server command, but you do not specify a particular server. Instead, you use the following command syntax:

Syntax: radius-server [challenge-noecho | deadtime <minutes> | enable-username <name> | key <key> | retry <attempts> | timeout <seconds>]

You must enter this command from the global configuration mode context. Table 2-5 lists all the options and what they do.

Table 2-5. Global Settings for RADIUS Servers

Option                   Meaning                                             Default Value
challenge-noecho         disables echoing of user challenge-entry; users     on
                         will see the text of the challenge as they type
                         responses (enabling this option hides the text as
                         it is being entered)
deadtime <minutes>       specifies how long a RADIUS server is considered    1 minute
                         “dead” if a timeout occurs; the router will not
                         contact the server again until after the deadtime
                         expires
enable-username <name>   specifies a username to be used for enable          enable-username $enab15$
                         authentication
key <key>                specifies the shared key to use with RADIUS         none
                         servers
retry <attempts>         specifies how many times the ProCurve Secure        3
                         Router should try to contact a RADIUS server
                         before marking it as “dead”
timeout <seconds>        specifies how long to wait for a RADIUS server to   5 seconds
                         respond to a request

The following is an example configuration for global RADIUS settings:

ProCurve(config)# radius-server challenge-noecho
ProCurve(config)# radius-server deadtime 10
ProCurve(config)# radius-server timeout 2
ProCurve(config)# radius-server retry 4
ProCurve(config)# radius-server key my secret key

Configuring the TACACS+ Server

In addition to supporting authentication, the ProCurve Secure Router supports authorization and accounting with TACACS+ servers. If you want to use a TACACS+ server to authenticate, authorize, or keep track of users who want to manage the ProCurve Secure Router, you must first define the TACACS+ server.

Define the TACACS+ Server

In order to authenticate, authorize, and track users who try to access the ProCurve Secure Router, the TACACS+ server must be able to communicate with the router. (See Figure 2-3.)

Figure 2-3. Using a TACACS+ Server for Authenticating Users Who Want to Manage the ProCurve Secure Router

To enable this communication, you must configure the IP address or host name of the TACACS+ server. From the global configuration mode context, enter:

Syntax: tacacs-server host <A.B.C.D | hostname>

Either replace <A.B.C.D> with an IP address or replace <hostname> with the TACACS+ server’s host name. For example, if the TACACS+ server has the IP address 192.168.7.1, enter:

ProCurve(config)# tacacs-server host 192.168.7.1

After you define a TACACS+ server, that server is added to the router’s default TACACS+ group. If you define a second TACACS+ server, it is added to the default group, and the Secure Router OS contacts the servers in the order in which you entered them. After you define TACACS+ servers, you cannot change the order in which TACACS+ servers are listed in the default group. (Instead, you would have to delete servers by entering the no tacacs-server host command and then redefine them in the order you want them used.)

If you want to change the order in which the Secure Router OS contacts the TACACS+ servers, you can create a TACACS+ server group, as described in “Creating a TACACS+ Group” on page 2-33.

[Figure 2-3 diagram labels: Core switch, TACACS+ server, Edge switch, ProCurve Secure Router, Edge switch]


You can use the complete tacacs-server command to configure other settings for a TACACS+ server, as shown below:

Syntax: tacacs-server host <A.B.C.D | hostname> [port <number> | timeout <seconds> | key <key>]

You can enter all of the options with one command if you include them in the order shown above. Table 2-6 lists these options and provides a brief explanation for each one.

Table 2-6. Customizing Settings for TACACS+ Servers

Option | Meaning | Default Value
port <number> | Specifies the TCP port number to be used when connecting to the TACACS+ server. You can enter a number between 1 and 65535. | 49
timeout <seconds> | Specifies the period of time (in seconds) that the router will wait for a response before it declares an error. You can specify a number between 1 and 1000. This command overrides any time you set with the tacacs-server timeout command. For more information about this command, see “Configure Global Settings for TACACS+ Servers” on page 2-34. | 5
key <key> | Specifies the shared secret for the TACACS+ server. This command overrides any key specified with the tacacs-server key command. For more information about this command, see “Configure Global Settings for TACACS+ Servers” on page 2-34. | none

For example, you might enter:

ProCurve(config)# tacacs-server host 192.168.7.1 timeout 10 key cool

After you entered this command, the ProCurve Secure Router would time out the connection if the TACACS+ server did not respond after 10 seconds, and the router would use cool as the shared secret with the TACACS+ server.

Creating a TACACS+ Group

To define a group of TACACS+ servers, enter the following command from the global configuration mode context:

Syntax: aaa group server tacacs+ <groupname>

Replace <groupname> with a name that is meaningful to you.


For example, the following command creates a group called tacacs and enters the TACACS+ group configuration mode context:

ProCurve(config)# aaa group server tacacs+ tacacs
ProCurve(config-sg-tacacs+)#

Use the following command to add TACACS+ servers to the group:

Syntax: server <hostname | A.B.C.D>

Either replace <hostname> with the TACACS+ server’s hostname or replace <A.B.C.D> with the server’s IP address.

The following example adds two servers to the tacacs group:

ProCurve(config-sg-tacacs+)# server 192.168.1.1
ProCurve(config-sg-tacacs+)# server 192.168.7.101
ProCurve(config-sg-tacacs+)# exit

You must use the tacacs-server command to define TACACS+ servers before you can add them to a group. If you add a server to a group but the server is not defined by a tacacs-server command, the router simply bypasses that server in the group.

The Secure Router OS does not save empty TACACS+ groups. When the last server is removed from a group, the Secure Router OS automatically deletes the group.

Configure Global Settings for TACACS+ Servers

You can configure global settings that will be applied to all TACACS+ servers defined on the router. However, if you configure specific settings for a TACACS+ server, those settings override the global settings.

To configure global settings, you use the tacacs-server command, but you do not specify a particular server. Instead, you use the following commands:

Syntax: tacacs-server key <key>

Syntax: tacacs-server packet maxsize <size>

Syntax: tacacs-server timeout <seconds>
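The rules in this section (default-group order follows entry order, per-server options override the global settings, and a group member with no tacacs-server host entry is bypassed) can be checked on a command script before it is applied. The following is an added example, not code from this guide or from the Secure Router OS; resolve_tacacs, parse_host_options and SAMPLE_CONFIG are hypothetical names, and the script is assumed to list commands exactly as typed.

```python
DEFAULT_PORT, DEFAULT_TIMEOUT = 49, 5      # defaults from Tables 2-6 and 2-7

# Constructed sample built from this section's example commands.
SAMPLE_CONFIG = """\
tacacs-server timeout 8
tacacs-server host 192.168.7.1 timeout 10 key cool
tacacs-server host 192.168.7.101
aaa group server tacacs+ tacacs
 server 192.168.1.1
 server 192.168.7.101
 exit
"""


def parse_host_options(words):
    """Parse [port <number>] [timeout <seconds>] [key <key>] in that order."""
    opts, i = {}, 0
    while i + 1 < len(words):
        if words[i] in ("port", "timeout"):
            opts[words[i]] = int(words[i + 1])
            i += 2
        elif words[i] == "key":
            opts["key"] = " ".join(words[i + 1:])   # assumption: key runs to end of line
            break
        else:
            i += 1
    return opts


def resolve_tacacs(config_text):
    """Return the effective TACACS+ servers, groups and findings for a script."""
    global_key, global_timeout = None, DEFAULT_TIMEOUT
    hosts, groups, group = {}, {}, None     # dicts keep entry order
    for raw in config_text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["no", "tacacs-server", "host"] and len(w) > 3:
            hosts.pop(w[3], None)           # deleting is the only way to reorder
        elif w[:2] == ["tacacs-server", "host"] and len(w) > 2:
            hosts.setdefault(w[2], {}).update(parse_host_options(w[3:]))
        elif w[:2] == ["tacacs-server", "key"] and len(w) > 2:
            global_key = " ".join(w[2:])
        elif w[:2] == ["tacacs-server", "timeout"] and len(w) > 2:
            global_timeout = int(w[2])
        elif w[:4] == ["aaa", "group", "server", "tacacs+"] and len(w) > 4:
            group = groups.setdefault(w[4], [])
        elif w[0] == "server" and group is not None and len(w) > 1:
            group.append(w[1])
        elif w[0] == "exit":
            group = None

    servers, findings = {}, []
    for host, opts in hosts.items():
        eff = {"port": opts.get("port", DEFAULT_PORT),
               "timeout": opts.get("timeout", global_timeout),  # per-server wins
               "key": opts.get("key", global_key)}
        servers[host] = eff
        if eff["key"] is None:
            findings.append(f"{host}: no shared key, per-server or global")
        if not 1 <= eff["port"] <= 65535 or not 1 <= eff["timeout"] <= 1000:
            findings.append(f"{host}: port or timeout outside the documented range")

    resolved = {}
    for name, members in groups.items():
        if not members:
            continue                         # the OS does not save empty groups
        bypassed = [m for m in members if m not in hosts]
        resolved[name] = {"contacted": [m for m in members if m in hosts],
                          "bypassed": bypassed}
        findings += [f"group {name}: {m} has no tacacs-server host entry and is bypassed"
                     for m in bypassed]
    return {"default_group": list(hosts), "servers": servers,
            "groups": resolved, "findings": findings}


if __name__ == "__main__":
    for finding in resolve_tacacs(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

In the sample, the group named tacacs ends up with a single usable server, because 192.168.1.1 was never defined with tacacs-server host.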


Table 2-7. Global Settings for TACACS+ Servers

Option | Meaning | Default Value
tacacs-server key <key> | Specifies the shared key to use with TACACS+ servers. Any keys you configure for a particular TACACS+ server supersede the global key. | none
packet maxsize <size> | Defines the packet size to send to the TACACS+ server. You can specify a number between 10240 and 65535. | 10240
tacacs-server timeout <seconds> | Specifies how long to wait for the TACACS+ server to respond to a request. You can specify a number between 1 and 1000. | 5 seconds

Troubleshooting AAA

The ProCurve Secure Router provides several commands to help you troubleshoot the AAA subsystem.

debug aaa Command

You can view detailed messages about the AAA subsystem in real time. From the enable mode context, enter:

Syntax: debug aaa

The Secure Router OS will then display AAA events such as connection notices, login attempts, and session tracking. Figure 2-4 shows the debug aaa messages when a user attempts to establish a Telnet session but does not enter a valid username and password. The AAA subsystem has been enabled on the router, but no named list has been defined for Telnet access, so the ProCurve Secure Router uses the default named list.


Figure 2-4. debug aaa

To end the debug messages, enter:

Syntax: no debug aaa

Troubleshooting the RADIUS Server

To view information about RADIUS servers, enter the following command from the enable mode context:

ProCurve# show radius statistics

This command displays information such as:

■ number of packets sent

■ number of invalid responses

■ number of timeouts

■ average packet delay

■ maximum packet delay

Statistics are shown for both authentication and accounting packets. (See Figure 2-5.)

Figure 2-4 output (debug aaa):

AAA: New Session on portal 'TELNET 0 (172.22.12.60:4867)'.
AAA: No list mapped to 'TELNET 0'. Using 'default'.
AAA: Attempting authentication (username/password).
AAA: RADIUS authentication failed.
AAA: Authentication failed.
AAA: Closing Session on portal 'TELNET 0 (192.168.1.60:4867)'.

Callouts in Figure 2-4:

■ No named list for Telnet line 0; default aaa configuration used

■ Default for Telnet is local userlist

■ Not a valid username and password
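The debug aaa messages in Figure 2-4 are regular enough to summarize automatically when a capture is saved to a file. The following is an added example, not part of the guide: it counts "Authentication failed" messages per source address and lists the portals that fell back to the default named list. The sample capture is constructed, summarize_debug_aaa is a hypothetical name, and because the messages carry no session identifier the attribution assumes sessions are not interleaved.

```python
import re
from collections import Counter

# Message formats copied from Figure 2-4; no other AAA message text is assumed.
NEW_SESSION = re.compile(r"AAA: New Session on portal '([^'(]+?) \(([0-9.]+):(\d+)\)'\.")
NO_LIST = re.compile(r"AAA: No list mapped to '([^']+)'\. Using 'default'\.")

# Constructed capture in the Figure 2-4 format. It starts mid-session, so the
# first failure cannot be tied to a source address.
SAMPLE_LOG = """\
AAA: Authentication failed.
AAA: Closing Session on portal 'TELNET 2 (192.168.7.40:1501)'.
AAA: New Session on portal 'TELNET 0 (192.168.7.23:1072)'.
AAA: No list mapped to 'TELNET 0'. Using 'default'.
AAA: Attempting authentication (username/password).
AAA: RADIUS authentication failed.
AAA: Authentication failed.
AAA: Closing Session on portal 'TELNET 0 (192.168.7.23:1072)'.
AAA: New Session on portal 'TELNET 1 (172.22.12.60:4867)'.
AAA: No list mapped to 'TELNET 1'. Using 'default'.
AAA: Attempting authentication (username/password).
AAA: RADIUS authentication failed.
AAA: Authentication failed.
AAA: Closing Session on portal 'TELNET 1 (172.22.12.60:4867)'.
AAA: New Session on portal 'TELNET 0 (192.168.7.23:1088)'.
AAA: No list mapped to 'TELNET 0'. Using 'default'.
AAA: Attempting authentication (username/password).
AAA: RADIUS authentication failed.
AAA: Authentication failed.
AAA: Closing Session on portal 'TELNET 0 (192.168.7.23:1088)'.
"""


def summarize_debug_aaa(log_text, threshold=2):
    """Count failed authentications per source IP and note default-list use."""
    failures, default_list = Counter(), set()
    current_ip = None                      # source of the session now open
    for line in log_text.splitlines():
        opened = NEW_SESSION.search(line)
        fallback = NO_LIST.search(line)
        if opened:
            current_ip = opened.group(2)
        elif fallback:
            default_list.add(fallback.group(1))
        elif line.rstrip().endswith("AAA: Authentication failed."):
            failures[current_ip or "unknown"] += 1
        elif "AAA: Closing Session on portal" in line:
            current_ip = None
    return {
        "failures": dict(failures),
        "sources_over_threshold": sorted(
            ip for ip, n in failures.items() if ip != "unknown" and n >= threshold),
        "portals_on_default_list": sorted(default_list),
    }


if __name__ == "__main__":
    print(summarize_debug_aaa(SAMPLE_LOG))
```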


Figure 2-5. show radius statistics

debug radius Command

You can view debug messages about RADIUS servers in real time. From the enable mode context, enter:

Syntax: debug radius

The RADIUS debug messages show the communication process with the remote RADIUS servers, as shown below.

RADIUS AUTHENTICATION: Sending packet to 172.22.48.1 (1645).
RADIUS AUTHENTICATION: Received response from 172.22.48.1.

To end the debug messages, enter one of the following commands:

Syntax: no debug radius

Troubleshooting the TACACS+ Server

You can display information about the authentication, authorization, and accounting packets that the ProCurve Secure Router exchanges with the TACACS+ server. From the enable mode context, enter:

Syntax: show tacacs+ statistics

Figure 2-6 shows the type of information displayed with this command.

Figure 2-5 output (show radius statistics):

                               Auth.    Acct.
Number of packets sent:        10       0
Number of invalid responses:   2        0
Number of timeouts:            0        0
Average delay:                 2 ms     0 ms
Maximum delay:                 3 ms     0 ms


Figure 2-6. Viewing Information about Authentication, Authorization, and Accounting Through the TACACS+ Server

To clear the statistics associated with TACACS+ protocol, enter the following command from the enable mode context:

Syntax: clear tacacs+ statistics

To debug the authentication, authorization, or accounting with the TACACS+ server, enter the following command at the enable mode context:

Syntax: debug tacacs+ [packets | events]

Figure 2-7 shows the output if you enter this command to monitor authentication through the TACACS+ server.

Figure 2-6 output (show tacacs+ statistics):

                     Authentication   Authorization   Accounting
Packets sent:        25               0               0
Invalid responses:   0                0               0
Timeouts:            0                0               0
Average delay:       0ms              0ms             0ms
Maximum delay:       0ms              0ms             0ms

Socket Opens: 10
Socket Closes: 10
Socket Aborts: 0
Socket Errors: 0
Socket Timeouts: 0
Socket Failed Connections: 0
Socket Packets Sent: 25
Socket Packets Received: 25


Figure 2-7. Using Debug to Monitor Authentication Through the TACACS+ Server

TAC+ TX: Sending Authentication START pkt
TAC+ TX: version=0xc0, type=Authentication, seq_no=1, flags=00
TAC+ TX: action=Login
TAC+ TX: level=1
TAC+ TX: authen type=ASCII
TAC+ TX: requested service=Login
TAC+ TX: username=
TAC+ TX: port=TELNET 0 (192.168.7.23:1072)
TAC+ TX: remote address=192.168.7.23
TAC+ RX: Received Authen REPLY pkt
TAC+ RX: version=0xc0, type=Authentication, seq_no=2, flags=00
TAC+ RX: status=GETUSER
TAC+ RX: flags=00
TAC+ RX: server msg=Login:
TAC+ TX: Sending Authentication CONTINUE pkt
TAC+ TX: version=0xc0, type=Authentication, seq_no=3, flags=00
TAC+ TX: user message=********
TAC+ TX: flags=0x00
TAC+ RX: Received Authen REPLY pkt
TAC+ RX: version=0xc0, type=Authentication, seq_no=4, flags=00
TAC+ RX: status=GETPASS
TAC+ RX: flags=0x01
TAC+ RX: server msg=Password:
TAC+ TX: Sending Authentication CONTINUE pkt
TAC+ TX: version=0xc0, type=Authentication, seq_no=5, flags=00
TAC+ TX: user message=********
TAC+ TX: flags=0x00
TAC+ RX: Received Authen REPLY pkt
TAC+ RX: version=0xc0, type=Authentication, seq_no=6, flags=00
TAC+ RX: status=PASS
TAC+ RX: flags=00
TAC+ RX: server msg=

Callouts in Figure 2-7:

■ User is authenticated

■ IP address of the device trying to establish a Telnet session
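The header line "version=0xc0, type=Authentication, seq_no=1, flags=00" in Figure 2-7 shows the unencrypted flag clear, which means the packet body is XORed with a pad derived from the shared key set with tacacs-server key or the per-server key option. The following is an added example, not code from the guide or the router: it builds the START packet from the figure and shows that only the matching key recovers the body. The packet layout and pad construction follow the TACACS+ specification (RFC 8907); the session ID is constructed, the key cool is the one from this section's tacacs-server host example, and the function names are hypothetical.

```python
import hashlib
import struct

VERSION = 0xC0                # "version=0xc0" in Figure 2-7
TYPE_AUTHEN = 0x01            # "type=Authentication"
FLAG_UNENCRYPTED = 0x01       # header flag that would mean "body sent in the clear"


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5(session_id, key, version, seq_no[, previous block])..."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr):
    """Authentication START with the field values shown in Figure 2-7."""
    body = bytes([
        0x01,                                    # action=Login
        1,                                       # level=1
        0x01,                                    # authen type=ASCII
        0x01,                                    # requested service=Login
        len(user), len(port), len(rem_addr), 0,  # field lengths; no data field
    ]) + user + port + rem_addr
    seq_no, flags = 1, 0x00                      # seq_no=1, flags=00
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet, key):
    """Decode a START packet; raises ValueError when the body does not parse."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, session_id, key, version, seq_no)
    action, level, _atype, _service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("field lengths do not add up: key mismatch or corrupt packet")
    u_end, p_end = 8 + ulen, 8 + ulen + plen
    return {"seq_no": seq_no, "action": action, "level": level,
            "user": body[8:u_end].decode("ascii"),
            "port": body[u_end:p_end].decode("ascii"),
            "rem_addr": body[p_end:p_end + rlen].decode("ascii")}


SESSION_ID = 0x1A2B3C4D       # constructed value
PACKET = build_authen_start(SESSION_ID, b"cool", b"",
                            b"TELNET 0 (192.168.7.23:1072)", b"192.168.7.23")

if __name__ == "__main__":
    print(PACKET.hex())
    print(parse_authen_start(PACKET, b"cool"))
```

When the router and the server hold different keys, the receiving side sees a body whose length fields do not add up, which is the ValueError case here.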


Port Authentication

Allowing mobile devices unlimited access to a network poses a severe security risk. While it is beneficial to allow employees to plug in and gain access to a company’s LAN, there is the potential that unauthorized users may similarly gain access to your network.

Devices can be required to authenticate themselves before they are assigned an IP address on a network and before the access port is opened. The IEEE 802.1X protocol provides a standard for this authentication.

Enabling Supplicant Functionality

The ProCurve Secure Router can act as an IEEE 802.1X supplicant. You can set the supplicant username and password for access to the protected network using the port-auth command.

To enable the router to function as a supplicant:

1. Move to the configuration mode context for the Ethernet interface that you want to use to access the 802.1X-secured network.

ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)#

2. Configure the supplicant username and password:

Syntax: port-auth supplicant username <username> password <password>

ProCurve(config-eth 0/1)# port-auth supplicant username ProCurve password ProCurve

The default username is “username,” and the default password is “password.”

3. Enable the interface’s supplicant functionality by entering the following:

ProCurve(config-eth 0/1)# port-auth supplicant

As soon as you enable the supplicant functionality, the interface begins to attempt to authenticate itself and establish a connection to the 802.1X-secured network.


Troubleshooting Supplicant Functionality

If the ProCurve Secure Router is unable to access the 802.1X-secured network, begin troubleshooting by checking the physical connection. Ensure that the 10Base-T or 100Base-T cable is connected and in the proper ports.

Check the supplicant status and make sure that it is enabled and that you have entered the correct username and password. You can do this by entering the following from the enable mode context:

Syntax: show port-auth supplicant [summary | interface <slot>/<port>]

ProCurve# show port-auth supplicant interface eth 0/1

This command displays the Local Supplicant mode (enabled or disabled), the username and password that are configured, the router’s authorization status, and the connection status. The summary option displays only the interface, its status and current state, and whether it is authorized.

Debug the supplicant interface by entering:

Syntax: debug port-auth {general | packet [both | rx | tx] | supp-sm}

The general option displays the port authentication configuration. To view information on the packet exchange in transmit-only, receive-only, or both directions, use the packet option. The supp-sm option displays information on the supplicant state machine.

If you have entered the correct username and password, and you have checked the physical connection and access is still denied, you may need to contact the 802.1X-secured network’s administrator. Then determine what other authentication requirements may be needed and ensure that the administrator did not miskey your supplicant username and password.


Quick Start

This section provides the commands you must enter to quickly configure passwords to protect management access to the ProCurve Secure Router. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 2-1 to locate the section and page number that contains the explanation you need.

Configure the Enable Mode Password

From the global configuration mode context, enter:

Syntax: enable password [md5] <password>

Replace <password> with any combination of up to 30 characters. The Message Digest 5 (md5) option encrypts the password. If you do not enter this option, the password is stored in clear text in the running-config.

Configure a Password for the Console Access

By default, you do not have to enter a password to access the ProCurve Secure Router through a console session. To configure a password to protect console access, complete these steps:

1. From the global configuration mode context, enter:

ProCurve(config)# line console 0

2. Enter the login command to require a password for console access.

ProCurve(config-con0)# login

3. Create a password:

Syntax: password [md5] <password>

Replace <password> with any combination of up to 30 characters. Use the md5 option if you want the password encrypted. For example:

ProCurve(config-con0)# password md5 procurve

If you do not enter the md5 option, the password is stored in clear text in the running-config.


Configuring Remote Access to the ProCurve Secure Router

You can access the ProCurve Secure Router through:

■ Telnet

■ SSH

■ HTTP

■ FTP

■ Secure Copy (SCP) server

Configuring an Ethernet Interface

Before you can access the router through a remote location, you must enable at least one interface and provide a physical connection to either a LAN or WAN. This section provides the minimum steps required to configure an Ethernet interface and to connect that interface to your company’s LAN. You can then access the router from a workstation on the LAN. (For more detailed information about configuring an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.)

1. Use a 10Base-T or 100Base-T cable to connect the Ethernet port to a device (such as a switch) on your LAN.

2. Open your terminal session software and initiate a console session with the ProCurve Secure Router, using the following parameters:

• Baud Rate = 9600

• Parity = None

• Data Bits = 8

• Stop Bits = 1

• Flow Control = None

3. Press Enter when you are prompted to start a session with the router. The router basic mode context prompt appears, as shown below:

ProCurve>

4. Access the enable mode context:

ProCurve> enable

5. Access the global configuration mode context:

ProCurve# configure terminal


6. From the global configuration mode context, enter the Ethernet interface configuration mode context:

ProCurve(config)# interface ethernet 0/<port>

7. Assign the Ethernet interface an IP address.

Syntax: ip address <A.B.C.D> [<subnet mask> | /<prefix-length>]

For example, if you want to assign the Ethernet interface an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0, enter:

ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24

8. Activate the Ethernet interface.

ProCurve(config-eth 0/1)# no shutdown

9. Save your configuration.

ProCurve(config-eth 0/1)# do write memory

Configuring a Password for Telnet Access

By default, you are required to configure a password for Telnet access. In addition, you must configure an enable mode password.

1. From the global configuration mode context, enter the following command:

Syntax: line telnet <0–4>

For example, if you want to configure port 0, enter:

ProCurve(config)# line telnet 0

If you want to configure all the Telnet ports, enter:

ProCurve(config)# line telnet 0 4

2. Configure a password for Telnet access:

Syntax: password [md5] <password>

For additional security, use the md5 option to encrypt the password.

For example, if you want to create the password as procurve, enter:

ProCurve(config-telnet0)# password md5 procurve

3. Exit to the global configuration mode context and create a password for the enable mode context.

Syntax: enable password [md5] <password>


Note: You can configure an access control list (ACL) to block Telnet access. For instructions on configuring this ACL, see Chapter 5: Applying Access Control to Router Interfaces in the Advanced Management and Configuration Guide.

Configuring Local User Lists

You can configure multiple usernames and passwords to be used for FTP, HTTP, and SSH access to the router. From the global configuration mode context, enter:

Syntax: username <username> password <password>

These passwords are stored in the local user lists.

To encrypt all the passwords configured on the ProCurve Secure Router, enter the following command from the global configuration mode context:

ProCurve(config)# service password-encryption

The ProCurve Secure Router automatically supports SSH and FTP access. After you configure a password in the local user list, you can access the router through these methods.

Enabling HTTP Access. From the global configuration mode context, enter:

ProCurve(config)# ip http server

If you want to use Secure Sockets Layer (SSL) to protect the communications between your PC and the router, enter:

ProCurve(config)# ip http secure-server

Enabling the SCP Server. To encrypt files as they are copied to and from the ProCurve Secure Router, enter the following command from the global configuration mode context:

Syntax: ip scp server
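The Quick Start settings above leave several weak defaults in place unless you act on them: passwords entered without md5, a console line without login, HTTP without ip http secure-server, and the default 802.1X supplicant credentials. The following is an added example, not code from this guide: it audits a command script for those conditions and shows a weak script beside a corrected one. Both scripts and all passwords are constructed, audit_management_access is a hypothetical name, and the input is assumed to list commands as typed rather than the router's stored running-config format.

```python
DEFAULT_SUPPLICANT = ("username", "password")      # defaults stated in this chapter

# Constructed command scripts; every password is a made-up placeholder.
WEAK = """\
enable password Example-Pw-1
line console 0
 password md5 Example-Pw-2
 exit
line telnet 0 4
 password Example-Pw-3
 exit
username admin password Example-Pw-4
ip http server
interface eth 0/1
 port-auth supplicant
 exit
"""

HARDENED = """\
service password-encryption
enable password md5 Example-Pw-1
line console 0
 login
 password md5 Example-Pw-2
 exit
line telnet 0 4
 password md5 Example-Pw-3
 exit
username admin password Example-Pw-4
ip http secure-server
interface eth 0/1
 port-auth supplicant username rtr-uplink password Example-Pw-5
 port-auth supplicant
 exit
"""


def audit_management_access(script):
    """Return a list of findings for a script that uses this chapter's syntax."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    encrypt_all = "service password-encryption" in lines
    aaa_on = "aaa on" in lines             # with AAA on, named lists govern logins
    findings, context, console_login = [], "global", False
    supplicants = {}                       # interface context -> [enabled, credentials]

    for ln in lines:
        w = ln.split()
        if w[0] in ("line", "interface"):
            context = ln
        elif w[0] == "exit":
            context = "global"
        elif ln == "login" and context.startswith("line console"):
            console_login = True
        elif w[:2] == ["enable", "password"] or w[0] == "password":
            args = w[2:] if w[0] == "enable" else w[1:]
            where = "enable mode" if w[0] == "enable" else context
            if args[:1] != ["md5"] and not encrypt_all:
                findings.append(f"{where}: password stored in clear text (no md5 option)")
        elif w[0] == "username" and "password" in w[2:3]:
            if not encrypt_all:
                findings.append(f"user {w[1]}: password entered without service password-encryption")
        elif w[:2] == ["port-auth", "supplicant"]:
            state = supplicants.setdefault(context, [False, DEFAULT_SUPPLICANT])
            if len(w) == 2:
                state[0] = True
            elif len(w) >= 6 and w[2] == "username" and w[4] == "password":
                state[1] = (w[3], w[5])

    if not console_login and not aaa_on:
        findings.append("console: no login command, so console access needs no password")
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append("HTTP access enabled without ip http secure-server")
    for ifname, (enabled, creds) in supplicants.items():
        if enabled and creds == DEFAULT_SUPPLICANT:
            findings.append(f"{ifname}: 802.1X supplicant enabled with the default username and password")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(WEAK):
        print(finding)
```

The weak script sets a console password but omits login, so the console finding still fires: the password exists but is never required.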

Configuring AAA

To configure AAA, complete these steps:

1. Enable the AAA subsystem.

ProCurve(config)# aaa on


Configuring Authentication with AAA

2. Create a list of authentication methods, called a named list, for the enable mode.

Syntax: aaa authentication enable default {none | line | enable | [group <group-name> | radius | tacacs+]}

For example, you might enter:

ProCurve(config)# aaa authentication enable default enable line

Note: If you specify a RADIUS or TACACS+ server, you must define that server. See “Defining a RADIUS Server” on page 2-48 and “Defining a TACACS+ Server” on page 2-48.

3. Create a named list for the router’s access lines (such as the console line and the Telnet lines).

Syntax: aaa authentication login <listname> {none | line | enable | [group <groupname> | radius | tacacs+]}

Replace <listname> with the name you want to use to refer to the named list you create. For example, you might enter:

ProCurve(config)# aaa authentication login LoginList enable line local

4. Assign the named list to the console line, Telnet lines, FTP, or Web access. Move to the appropriate line configuration mode context and enter:

Syntax: login authentication <aaa login list>

You do not have to complete this step to configure AAA authentication methods for the enable mode.

Configuring Authorization with AAA

5. To define a named list for authorization, enter the following command from the global configuration mode context:

Syntax: aaa authorization commands [1 | 15] [default | <named list>] group [tacacs+ | <group name>] [if-authenticated | none]

Include 1 or 15 to specify the level of commands for which you want to configure authorization: 1 is for unprivileged access, or basic mode, and 15 is for privileged access, or the enable mode.

Specify the default authorization list or replace <named list> to create a named list.


Use the group tacacs+ option to specify the default group of TACACS+ servers. Use the group <group name> if you have created a group of TACACS+ servers.

Include the if-authenticated option to authorize authenticated users. Use the none option if authorization is not required. You may want to enter none as a second option. That way, if the ProCurve Secure Router cannot contact the TACACS+ server, you will still be able to configure the router.

6. Assign the named list to a console, Telnet, or SSH line. From the appropriate line configuration mode context, enter:

Syntax: authorization commands [1 | 15] [default | <named list>]

7. To enable authorization commands for the console line, enter the following command from the global configuration mode context:

Syntax: aaa authorization console

Note: Take care when you configure authorization for the console line. If you are not careful, you may prohibit yourself from entering commands from the console.

Configuring the TACACS+ Server for Accounting

8. To configure a named list for accounting, enter:

Syntax: aaa accounting commands [1 | 15] [default | <named list>] [none | stop-only] group [tacacs+ | <group name>]

Specify the level of commands for which you want to generate accounting: 1 is for unprivileged access, which is the basic mode, and 15 is for privileged access, which is the enable mode.

Specify the default accounting list or replace <named list> to create an accounting list.

Include the stop-only option if you want an accounting record to be generated when the user ends his or her session. Include the none option if you do not want an accounting record generated. For example, you may not want any records generated if a user enters a command at the basic mode context.

Include the group tacacs+ option if you want the ProCurve Secure Router to send the accounting information to the default group of TACACS+ servers. Replace group <groupname> with a group that you created. You can specify more than one group.


9. Assign the named list to a console, Telnet, or SSH line. From the appropriate line configuration mode context, enter:

Syntax: accounting commands [1 | 15] [default | <named list>]

Defining a RADIUS Server

Define the IP address of the RADIUS server and the key that the ProCurve Secure Router must use to authenticate to the server (if a key is required). From the global configuration mode context, enter:

Syntax: radius-server host <A.B.C.D> key <key>

Replace <A.B.C.D> with the RADIUS server’s IP address and replace <key> with the shared key for the RADIUS server.

Defining a TACACS+ Server

Define the IP address of the TACACS+ server and the key that the ProCurve Secure Router must use to authenticate to the server (if a key is required). From the global configuration mode context, enter:

Syntax: tacacs-server host <A.B.C.D | hostname> key <key>

Replace <A.B.C.D> with the server’s IP address or replace <hostname> with the hostname of the TACACS+ server. Replace <key> with the shared key.

Enabling 802.1X Supplicant Status

To enable the router to function as a supplicant:

1. Move to the configuration mode context for the Ethernet interface that you want to use to access the 802.1X-secured network.

ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)#

2. Configure the supplicant username and password:

Syntax: port-auth supplicant username <username> password <password>

ProCurve(config-eth 0/1)# port-auth supplicant username ProCurve password ProCurve

The default username is “username,” and the default password is “password.”

3. Enable the interface’s supplicant functionality by entering the following:

ProCurve(config-eth 0/1)# port-auth supplicant


Chapter 3: Configuring Ethernet Interfaces

Contents

Ethernet Interfaces
Configuring the Ethernet Interface
Enabling the Ethernet Interface
Configuring an IP Address
Assigning a Static IP Address
Configuring the Ethernet Interface as a DHCP Client
Configuring the Ethernet Interface as an Unnumbered Interface
Setting the Speed and the Duplex Settings
Configuring the Line for Half-Duplex or Full-Duplex
Setting the MTU
Adding a Description
Summary of Ethernet Configuration Settings
Configure VLAN Support
Configuring VLAN Support
Assigning an IP Address
Viewing the Status of Ethernet Interfaces or Subinterfaces
show interfaces Command
show running-config Commands
Viewing the Configurations That Have Been Entered
Viewing All the Configuration Settings Including Defaults
Troubleshooting an Ethernet Interface
show event-history Command
debug interface ethernet Command
Quick Start
Configuring the Ethernet Interface


Ethernet Interfaces

The ProCurve Secure Router includes two Ethernet ports on the front panel, allowing you to connect two LAN segments to your WAN. You can also use the Ethernet ports to connect to a cable or Digital Subscriber Line (DSL) modem. Most companies will connect the router to a switch on the LAN segment. (See Figure 3-1.)

To connect a LAN segment to an Ethernet port, you use unshielded 10Base-T or 100Base-T cabling with an RJ-45 connector that meets the EIA/TIA-568-A or 568-B standards. For a 10-Mbps connection, use a Category 3 cable or better. For a 100-Mbps connection, use a Category 5 cable or better.

Figure 3-1. Connecting LAN Segments to the ProCurve Secure Router

Like the uplink ports on ProCurve switches, the Ethernet ports on the ProCurve Secure Router support auto MDIX, which automatically reverses transmit and receive signals as needed. Even in situations in which you would normally need a crossover cable, you can use a straight-through cable. For example, you can connect a PC to an Ethernet interface on the ProCurve Secure Router with a straight-through cable.

After you connect your LAN segments to the ProCurve Secure Router, you can enable the built-in firewall and configure access control policies to protect your internal network from unauthorized access or network attacks. (For more information about enabling the firewall, see the Advanced Management and Configuration Guide, Chapter 4: ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network; for more information about access controls, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.)

Configuring the Ethernet Interface

The Ethernet interface is the only interface on the ProCurve Secure Router that you configure to control both the Physical and the Data Link Layers of a connection. To configure an Ethernet interface, you must access the appropriate interface. Like the physical WAN interfaces on the ProCurve Secure Router, the Ethernet interfaces are referred to by their slot and port number.

For Ethernet interfaces, the slot number is always 0. The port number for the bottom Ethernet port is 1, so the interface for that port is referred to as Ethernet 0/1. The port number for the top port is 2, so the interface for that port is referred to as Ethernet 0/2. (See Figure 3-2.)

Figure 3-2. Ethernet Ports on the ProCurve Secure Router

To access the Ethernet configuration mode context in the command line interface (CLI), enter the following command from the global configuration mode context:

Syntax: interface ethernet 0/<port>

For example, if you want to configure the bottom Ethernet port, enter:

ProCurve(config)# interface ethernet 0/1


You can also use a truncated reference for both interface and Ethernet, as shown below:

ProCurve(config)# int eth 0/1

When you truncate a command, you only need to enter enough of the command to distinguish it from other commands.

After you enter the int eth 0/1 command, the prompt will show that you are in the Ethernet 0/1 interface configuration mode context:

ProCurve(config-eth 0/1)#

Enabling the Ethernet Interface

By default, all the interfaces on the ProCurve Secure Router are administratively down. You must activate the Ethernet interface before you can establish a connection to it. From the Ethernet interface configuration mode context, enter:

ProCurve(config-eth 0/1)# no shutdown

After you activate the interface, a message is displayed on the CLI, reporting that the interface is administratively up. Then when the Ethernet interface establishes a valid connection to the endpoint device, another message is displayed, reporting that the interface is up.

If the Ethernet interface cannot establish a valid connection, the status of the interface changes to down. You need to continue configuring the interface, or you need to attach a cable to the interface and establish a connection with another device such as a switch.

These interface status messages are displayed on the CLI by default. To stop these messages from being displayed, enter the following enable mode command:

ProCurve# no events

To enable the display of these messages again, enter:

ProCurve# events


Configuring an IP Address

To assign the Ethernet interface an IP address, you must be at the Ethernet interface configuration mode context:

ProCurve(config-eth 0/1)#

You then have several options for assigning an IP address to an Ethernet interface:

■ You can assign the Ethernet interface a static IP address.

■ You can configure the Ethernet interface as a Dynamic Host Configuration Protocol (DHCP) client.

■ You can configure the Ethernet interface as an unnumbered interface.

Assigning a Static IP Address

To assign the Ethernet interface a static IP address, use the following command syntax:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, you might enter:

ProCurve(config-eth 0/1)# ip address 192.168.1.1 255.255.255.0

Because the ProCurve Secure Router supports Classless Inter-Domain Routing (CIDR) notations, you could also enter:

ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24

Note: You must include a space between the IP address and the / symbol in front of the prefix length.

Configuring the Ethernet Interface as a DHCP Client

If you are using DHCP to assign IP addresses to the clients on your network, you may also want to have the DHCP server assign an IP address to the Ethernet interface. To enable the DHCP client for the Ethernet interface, you use one of the following commands:

Syntax: ip address dhcp {client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH] | hostname <hostname>}

Syntax: ip address dhcp [hostname <hostname> | no-default-route | no-domain-name | no-nameservers]


In addition to enabling the DHCP client, this command allows you to configure the settings shown in Table 3-1.

Table 3-1. DHCP Client Settings

| Option | Meaning | Default Setting |
|---|---|---|
| client-id | configures the client id displayed in the DHCP server’s table | media type and interface’s MAC address |
| hostname | configures the hostname displayed in the DHCP server’s table | router hostname |
| no-default-route | specifies that the DHCP client should not accept the default route obtained through DHCP | accept default route from the DHCP server |
| no-domain-name | specifies that the DHCP client should not accept the domain name included with the other lease settings that the DHCP server sends | accept the domain name setting from the DHCP server |
| no-nameservers | specifies that the DHCP client should not accept the DNS setting included with the other lease settings that the DHCP server sends | accept DNS settings from the DHCP server |

Before you enable the DHCP client, you must decide whether or not you want to configure the settings listed in Table 3-1, and you must then include the settings in the same command you enter to enable the DHCP client. After you enable the DHCP client, it immediately begins to search for a DHCP server and negotiate a lease. You cannot impose settings on that lease after it is established.

Accepting the Default Settings. If you want to use the default DHCP settings for the Ethernet interface, you can simply enter:

ProCurve(config-eth 0/1)# ip address dhcp

The DHCP client on the Ethernet interface will immediately begin to send DHCP discovery messages to find a DHCP server. When a DHCP server responds, the client will negotiate an IP address.

The DHCP client will send DHCP discovery messages whether or not the Ethernet interface is activated or a valid Ethernet connection has been established. It will continue to send DHCP discovery messages until a DHCP server responds.

You should ensure that the DHCP client receives an IP address so that these requests do not consume router resources or bandwidth on your Ethernet link. To determine if the Ethernet interface has been assigned an IP address, enter:

ProCurve(config-eth 0/1)# do show int eth 0/1

Note: The do command allows you to enter enable mode commands from any context (except the basic mode context).

Configuring a Client Identifier. By default, the Secure Router OS populates the DHCP client identifier with the Ethernet interface’s media type and media access control (MAC) address. You can specify that the DHCP client uses the MAC address of the other Ethernet port, or you can change the client identifier to a customized MAC address.

To configure a client identifier when you enable the DHCP client, enter:

Syntax: ip address dhcp client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH]

When you configure the client-identifier, you can also configure a hostname, as explained in the next section.

Configuring a Hostname. The Secure Router OS uses the hostname configured for the router as the Ethernet interface’s default DHCP client hostname. If you want to override this name when you enable the DHCP client, enter the following command:

Syntax: ip address dhcp hostname <hostname>

For example, you might want to specify that the hostname is RouterB. In this case, you would enter:

ProCurve(config-eth 0/1)# ip address dhcp hostname RouterB

When you specify the hostname, you can also configure a client-identifier at the same time, as shown below.

ProCurve(config-eth 0/1)# ip address dhcp client-id ethernet 0/2 hostname RouterB

If you enter this command, the DHCP client will use the MAC address of the Ethernet 0/2 interface as its client identifier. The DHCP client will also use the hostname RouterB.

Alternatively, you can specify the hostname and configure the client to ignore the settings received from the DHCP server. These commands are described in the following sections.


Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default-route, a domain name, or a domain name server (DNS), the DHCP client for the Ethernet interface will accept and use these settings. If you do not want to use any of these settings, enter:

Syntax: ip address dhcp [hostname <hostname> | no-default-route | no-domain-name | no-nameservers]

For example, if you do not want the DHCP client to use the route settings and name (DNS) server settings that it receives from the DHCP server, enter:

ProCurve(config-eth 0/1)# ip address dhcp no-default-route no-nameservers

If you do not want the DHCP client to use any of the default settings, enter:

ProCurve(config-eth 0/1)# ip address dhcp no-default-route no-domain-name no-nameservers

Releasing or Renewing an IP address. If you want to manually force the Ethernet interface to release or renew an IP address, enter these commands from the Ethernet interface configuration mode context:

ProCurve(config-eth 0/1)# ip dhcp release

ProCurve(config-eth 0/1)# ip dhcp renew

Remove the DHCP Client Setting. If you decide that you no longer want the Ethernet interface to be a DHCP client, enter:

ProCurve(config-eth 0/1)# no ip address dhcp

Changing a Setting for the DHCP Client. If you want to change a setting for the DHCP client, you must first disable the client. Then you can enter the command to enable the client with the setting that you want to change.

Before you disable the client, you should release the IP address obtained through DHCP. This will prevent the DHCP server from holding the IP address and allow it to assign the IP address to another client.

For example, if you enabled the DHCP client with all the default settings and later determined that you wanted the router to function as the DNS server for the Ethernet interface, you would enter:

ProCurve(config-eth 0/1)# ip dhcp release
ProCurve(config-eth 0/1)# no ip address dhcp
ProCurve(config-eth 0/1)# ip address dhcp no-nameservers

Configuring the Ethernet Interface as an Unnumbered Interface

To conserve IP addresses on your network, you may want to create the Ethernet interface as an unnumbered interface. When you assign the Ethernet interface an IP address, that IP address cannot overlap with the IP addresses assigned to other interfaces on the router. As a result, each interface on the router that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.

You can configure the Ethernet interface (and other interfaces on the ProCurve Secure Router) as an unnumbered interface. The Ethernet interface will then use the IP address of the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.

Before configuring the Ethernet interface as an unnumbered interface, you should be aware of a potential disadvantage: if the interface to which the IP address is actually assigned goes down, the Ethernet interface will be unavailable. For example, suppose you configure the Ethernet 0/1 interface as an unnumbered interface that takes its IP address from the Frame Relay 1.16 subinterface. If the Frame Relay 1.16 subinterface goes down, the Ethernet 0/1 interface will be unavailable as well.

To minimize the chances of the interface with the IP address going down, you can assign the IP address to a loopback interface, which typically does not go down.

To configure an Ethernet interface as an unnumbered interface, enter the following command from the Ethernet interface configuration mode context:

Syntax: ip unnumbered <interface>

Valid interfaces include:

■ Asynchronous Transfer Mode (ATM) subinterfaces

■ the other Ethernet interface or Ethernet subinterfaces

■ demand interfaces

■ Frame Relay subinterfaces

■ High-level Data Link Control (HDLC) interfaces

■ loopback interfaces

■ PPP interfaces


If you configure the Ethernet interface to support virtual LANs (VLANs), you can specify an Ethernet subinterface.

For example, you would enter the following commands to configure a loopback interface and then configure the Ethernet 0/1 interface to use the IP address assigned to that loopback interface:

ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.1.1 /24
ProCurve(config-loop 1)# interface ethernet 0/1
ProCurve(config-eth 0/1)# ip unnumbered loopback 1
ProCurve(config-eth 0/1)# no shutdown

Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface automatically changes to up after you enter the interface loopback <interface number> command.

Setting the Speed and the Duplex Settings

By default, the Ethernet interfaces automatically negotiate both the line speed and duplex setting, as outlined below:

■ When an Ethernet interface is enabled and the cable is connected to an endpoint, the interface first tries to negotiate the speed at 100 Mbps with full-duplex. If the endpoint device can operate at 100 Mbps with full-duplex, the Ethernet link is established.

■ If the endpoint device cannot operate at 100 Mbps with full-duplex, the Ethernet interface attempts to establish the speed at 10 Mbps with full-duplex. If the endpoint device can operate at this speed with full-duplex, the link is established with these settings.

■ If the endpoint device cannot operate at 10 Mbps with full duplex, the Ethernet interface attempts to establish the speed at 10 Mbps with half-duplex. If the endpoint device accepts these settings, the link is established.

If you have manually configured a setting for duplex on the interface, the negotiated setting for duplex is ignored.

Unless the router experiences problems negotiating the speed with the device at the other end of the Ethernet link, you should keep the default setting of auto. However, if you need to set the speed of the link for the Ethernet interface, use the following command syntax:

Syntax: speed [10 | 100 | auto]


For example, you might enter:

ProCurve(config-eth 0/1)# speed 100

Note: If you configure a default setting for speed, the Ethernet interfaces still negotiate the duplex setting—either full-duplex or half-duplex. Some Ethernet devices cannot negotiate duplex if the speed is manually set. To avoid possible problems, you may want to manually configure the duplex setting if the speed is manually set. (Manually configuring the duplex setting is described in the next section.)

You can enter one of the following commands to return to the default setting for speed:

ProCurve(config-eth 0/1)# speed auto

or

ProCurve(config-eth 0/1)# no speed

Configuring the Line for Half-Duplex or Full-Duplex

The Ethernet modules support both full-duplex and half-duplex. By default, the Ethernet modules operate at full-duplex. If you need to change this setting, enter:

ProCurve(config-eth 0/1)# half-duplex

To return to the default setting, you can enter one of the following commands:

ProCurve(config-eth 0/1)# full-duplex

or

ProCurve(config-eth 0/1)# no half-duplex

Setting the MTU

The maximum transmission unit (MTU) defines the largest size that an Ethernet frame can be. If a frame exceeds the MTU, it must be fragmented. By default, the MTU for Ethernet interfaces is 1500 bytes.

For most environments you should keep the default MTU size. However, you may need to adjust the MTU if the interface is connected to another device that uses a different MTU size and you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router. OSPF routers cannot become adjacent if their MTU sizes do not match. You should ensure that the device at the far end of the Ethernet connection is using the same MTU as the interface you are configuring.

If routers and switches have different MTU sizes in a TCP/IP network, transmissions and routing may be affected. For example, if a switch has a smaller MTU and your router sends a frame that exceeds that size, the switch will fragment the frame. If the forwarded frame is tagged with the “do not fragment” field, then the switch cannot send the frame on to its destination. In this case, the switch must return an Internet Control Message Protocol (ICMP) message to notify the router that the frame cannot be fragmented. The router, in turn, must send the packet back to the originator, and the originator must remove the “do not fragment” field and resend the frame. If possible, you should ensure that the switches and routers on your network are using the same MTU.

Note: The MTU size refers to the Ethernet payload.

To change this setting, enter:

Syntax: mtu <size>

Replace <size> with a number between 64 and 1500.

Adding a Description

You can add a description to the interface if you want to document information about it. For example, you might want to use a description to differentiate between the two Ethernet interfaces: you could document which LAN segment connects to each interface. You might also want to use a description if you have had to troubleshoot a problem and want to document why you changed a particular setting.

Syntax: description <line>

Replace <line> with up to 80 characters. For example, you might enter:

ProCurve(config-eth 0/1)# description Attached to building 1

The description you enter is displayed only when you enter the following command from the enable mode context:

ProCurve# show running-config

interface eth 0/1
  description Attached to building 1
  ip address 192.168.1.1 255.255.255.0
  no shutdown

You can also view the description by entering:

ProCurve# show running-config interface eth 0/1

This command displays the running-config settings for only the Ethernet 0/1 interface.

Summary of Ethernet Configuration Settings

Table 3-2 shows the main settings for configuring an Ethernet interface.

Table 3-2. Ethernet Interface Configuration Options

| Setting | Description | Default | Page |
|---|---|---|---|
| description | include information about the interface that can be viewed when you enter show running-config | no default | 3-12 |
| encapsulation 802.1q | configures the interface to support VLANs | no default | 3-15 |
| full-duplex or half-duplex | defines whether the connection uses full-duplex or half-duplex | full-duplex | 3-10 |
| ip address <A.B.C.D> <subnet mask \| /prefix length> | assigns a static IP address to the interface | no default | 3-5 |
| ip address dhcp | configures the interface as a DHCP client that receives its address from a DHCP server | no default | 3-5 |
| ip unnumbered <interface> | uses the IP address assigned to another interface on the router | no default | 3-5 |
| mtu <size> | sets the maximum size that an Ethernet frame can be before it is fragmented | 1500 | 3-11 |
| no shutdown | activates interface | shutdown | 3-4 |
| speed [10 \| 100 \| auto] | defines the speed at which data is transmitted over the connection | auto | 3-10 |

In addition to configuring these settings, you can:

■ assign access control policies (ACPs) or access control lists (ACLs) to the interface

■ enable bridging

■ assign crypto maps to enable virtual private networks (VPNs)

■ configure settings for routing protocols

■ configure quality of service (QoS) settings

These settings are discussed in other chapters, as shown in Table 3-3.

Table 3-3. Additional Configurations for the Ethernet Interface

| Settings | Configuration Guide | Page |
|---|---|---|
| access controls to filter incoming and outgoing traffic | Advanced | 5-18 |
| bridging | Basic | 10-6 |
| VPNs | Advanced | 8-46 |
| routing commands for OSPF, RIP, or BGP | Advanced | 13-1 |
| quality of service settings | Advanced | 7-28 |

After you configure one Ethernet interface using the CLI, you can enable the HTTP server and use the Web browser interface to configure the other Ethernet interfaces. See Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.

Ethernet subinterfaces are used to enable VLAN support. To configure VLAN support and the Ethernet subinterfaces, you will configure these settings from the Ethernet subinterface configuration mode context. (VLAN support is discussed in the next section.)

Configure VLAN Support

VLANs enable you to group users by logical function rather than physical location. Creating VLANs on your network provides several advantages:

■ VLANs allow you to segment your network into smaller broadcast domains. In networks that have large broadcast domains, broadcast storms can disrupt network traffic.

■ VLANs enhance your network security. Because each VLAN is a separate broadcast domain, members of a particular VLAN cannot “see” traffic from other VLANs.

■ VLANs simplify network management. For example, you can use VLANs to grant users access to network resources.

ProCurve Networking devices support the IEEE 802.1Q standard for VLAN tagging. When you define a VLAN on an 802.1Q-compliant device, it inserts a four-byte tag into the Ethernet frame. This tag identifies the packet’s VLAN membership. The 802.1Q tag contains:

■ the tag value, which identifies the data as a tag

■ the VLAN ID

As per the 802.1Q specification, the default tag value is 8100 (hexadecimal). The VLAN ID is determined by the VLAN on which the packet is being forwarded.

Figure 3-3 shows the format of Ethernet frames that contain the 802.1Q tag.
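The tag layout described above can be made concrete with a short parser that inserts and reads the four-byte tag. The following Python script is an added example, not code from this guide or from the Secure Router OS; the function names and the sample frame are constructed, and the single bit between the priority and VLAN ID fields, which the guide does not describe, is left at zero.

```python
import struct

TPID_8021Q = 0x8100      # tag value the guide gives for an 802.1Q tag
MAX_8023_LENGTH = 1500   # type/length field up to 1500: IEEE 802.3 length
MIN_ETHERTYPE = 0x0600   # type/length field from 0x0600: Ethernet II type

# Constructed sample frame: broadcast destination, type 0x0800, made-up payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "0015550535d4" "0800") + b"sample payload"


def mac(raw: bytes) -> str:
    return ":".join(f"{octet:02X}" for octet in raw)


def insert_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the four-byte 802.1Q tag directly after the source address."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 0 <= vlan_id <= 0x0FFF or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must fit in 12 bits and priority in 3 bits")
    # Second half of the tag: 3 priority bits, 1 bit left at 0, 12 VLAN ID bits.
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_header(frame: bytes) -> dict:
    """Read addresses, the optional 802.1Q tag and the type/length field.

    The frame starts at the destination address; a captured CRC, if any,
    stays at the end of the returned payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (field,) = struct.unpack("!H", frame[12:14])
    info = {"dst": mac(frame[:6]), "src": mac(frame[6:12]),
            "tagged": False, "priority": None, "vlan_id": None}
    offset = 14
    if field == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("frame truncated inside the 802.1Q tag")
        # The original type/length field follows the tag.
        tci, field = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, priority=tci >> 13, vlan_id=tci & 0x0FFF)
        offset = 18
    if field <= MAX_8023_LENGTH:
        framing = "IEEE 802.3"
    elif field >= MIN_ETHERTYPE:
        framing = "Ethernet II"
    else:
        framing = "undefined"
    info.update(framing=framing, type_or_length=field, payload=frame[offset:])
    return info


if __name__ == "__main__":
    tagged = insert_tag(UNTAGGED, vlan_id=12, priority=5)
    print(tagged[12:16].hex(), parse_header(tagged))
```
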

Note: Because a VLAN tag is inserted into the Ethernet frame, it is called VLAN tagging in a ProCurve environment. (In a Cisco environment, VLAN tagging is referred to as VLAN trunking.)

Figure 3-3. The 802.1Q Tag

A VLAN is comprised of multiple ports operating as members of the same subnet (or broadcast domain). Ports on multiple devices can belong to the same VLAN, and traffic moving between ports in the same VLAN is bridged (or “switched”).

Traffic moving between different VLANs, on the other hand, must be routed. If a switch supports IP routing, it can internally route IP (IPv4) traffic between VLANs. If a switch is not configured to route traffic internally between LANs, an external router must forward traffic between VLANs. The router, of course, must support 802.1Q. (See Figure 3-4.)

Frame layouts shown in Figure 3-3:

Ethernet II with 802.1Q tag: Destination address (6 bytes), Source address (6 bytes), 802.1Q Tag (4 bytes), Type field (2 bytes), Data field (up to 1500 bytes), CRC (4 bytes)

IEEE 802.3 with 802.1Q tag: Destination address (6 bytes), Source address (6 bytes), 802.1Q Tag (4 bytes), Length field (2 bytes), Data field (up to 1496 bytes), CRC (4 bytes)

802.1Q tag: Tag protocol ID (TPID), 802.1P (3 bits), VLAN ID (12 bits)

Figure 3-4. Routing VLAN Traffic Between Layer 2 Switches

If your company is using Layer 2 switches, you may want to enable VLAN support on the ProCurve Secure Router and configure it to route the VLAN traffic on your internal network.

You may also want to enable VLAN support on the ProCurve Secure Router so that you can use VLANs to apply network access controls. By using VLANs, you can tailor access controls for the users who are members of different VLANs. For example, you can apply different access controls to the marketing department, which is part of VLAN 12, than you apply to the executives of your company, who are part of VLAN 20. (For more information about access controls on router interfaces, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.)

You can also use VLANs to grant groups of users access to VPNs. (For more information about VPNs, see the Advanced Management and Configuration Guide, Chapter 8: Virtual Private Networks.)

Configuring VLAN Support

Configuring VLAN support on the ProCurve Secure Router involves four steps:

1. Enable the ProCurve Secure Router to read IEEE 802.1Q tags.

2. Create Ethernet subinterfaces.

3. Associate each Ethernet subinterface with a VLAN ID.

4. Assign the Ethernet subinterfaces an IP address.


Enabling VLAN Support. To configure the ProCurve Secure Router to recognize the IEEE 802.1Q tag and route traffic accordingly, enter the following command from the Ethernet interface configuration mode context:

ProCurve(config-eth 0/1)# encapsulation 802.1Q

After you enter this command, the ProCurve Secure Router immediately recognizes that it must route traffic through this Ethernet interface to multiple VLANs with separate IP addresses. You will no longer be able to assign an IP address to the Ethernet interface. Instead, you must assign an IP address to the Ethernet subinterfaces.

Creating Subinterfaces. Because each VLAN represents a subnet with a unique network IP address, you must create one Ethernet subinterface for each VLAN. To create an Ethernet subinterface, move to the Ethernet interface mode configuration context and enter the following command:

Syntax: interface eth 0/<port number>.<subinterface number>

Replace <port number> with 1 for the bottom Ethernet port and with 2 for the top port. Replace <subinterface number> with a number that uniquely identifies this subinterface.

For example, to create the Ethernet subinterface 0/1.1, enter:

ProCurve(config-eth 0/1)# interface ethernet 0/1.1

The router prompt shows that you are at the configuration mode context for the Ethernet subinterface that you just created:

ProCurve(config-eth 0/1.1)#

Setting the VLAN ID. Next, you must associate the subinterface with a particular VLAN on your network. To create this association, enter the following command from the Ethernet subinterface configuration mode context:

Syntax: vlan-id <vlan id> [native]

Replace <vlan id> with the number of the VLAN. Use the native option if you want the traffic to leave the subinterface untagged. If you do not include this option, the traffic will remain tagged.


Assigning an IP Address

You must assign the Ethernet subinterfaces a static IP address. From the Ethernet subinterface configuration mode context, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, if you are configuring a subinterface for VLAN 2 and VLAN 2 encompasses the subnet 192.168.115.0 255.255.255.0, you might enter:

ProCurve(config-eth 0/1.1)# ip address 192.168.115.5 /24
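The four VLAN steps above, together with the rules that an 802.1Q parent interface carries no IP address and that interface subnets must not overlap, can be checked before a session is typed into the router. The following Python script is an added example, not part of this guide or the Secure Router OS; it recognizes only the command forms shown in this chapter, the finding names and the sample session are constructed, and the 1 to 4094 VLAN ID range comes from the 12-bit field in 802.1Q (0 and 4095 are reserved) rather than from this guide.

```python
import ipaddress
import re

# Only the command forms shown in this chapter are recognised.
IFACE_RE = re.compile(r"^(?:interface|int)\s+(?:ethernet|eth)\s+0/(\d+)(?:\.(\d+))?$", re.I)
VLAN_RE = re.compile(r"^vlan-id\s+(\d+)(?:\s+native)?$", re.I)
IP_RE = re.compile(r"^ip address\s+(\d+(?:\.\d+){3})(\s*)(/\d+|\d+(?:\.\d+){3})$", re.I)

# Constructed sample session; the first six lines follow the guide's four steps.
SAMPLE = [
    "ProCurve(config)# interface ethernet 0/1",
    "ProCurve(config-eth 0/1)# encapsulation 802.1Q",
    "ProCurve(config-eth 0/1)# no shutdown",
    "ProCurve(config-eth 0/1)# interface ethernet 0/1.1",
    "ProCurve(config-eth 0/1.1)# vlan-id 2",
    "ProCurve(config-eth 0/1.1)# ip address 192.168.115.5 /24",
    "ProCurve(config-eth 0/1.1)# interface ethernet 0/1.2",
    "ProCurve(config-eth 0/1.2)# vlan-id 2",
    "ProCurve(config-eth 0/1.2)# ip address 192.168.115.129 255.255.255.128",
    "ProCurve(config-eth 0/1.2)# interface ethernet 0/2.1",
    "ProCurve(config-eth 0/2.1)# ip address 10.1.1.1/24",
]


def name(key):
    port, sub = key
    return f"eth 0/{port}" if sub is None else f"eth 0/{port}.{sub}"


def parse_commands(lines):
    """Group commands by the Ethernet interface or subinterface context."""
    ifaces, current = {}, None
    for raw in lines:
        cmd = raw.split("#", 1)[-1].strip()   # drop a "ProCurve(...)#" prompt
        m = IFACE_RE.match(cmd)
        if m:
            current = (int(m.group(1)), int(m.group(2)) if m.group(2) else None)
            ifaces.setdefault(current, {"dot1q": False, "vlan": None, "net": None, "flags": []})
        elif re.match(r"(?:interface|int)\s", cmd, re.I):
            current = None                    # another interface type, not checked
        elif current is not None:
            cfg = ifaces[current]
            if cmd.lower() == "encapsulation 802.1q":
                cfg["dot1q"] = True
            elif (m := VLAN_RE.match(cmd)):
                cfg["vlan"] = int(m.group(1))
            elif (m := IP_RE.match(cmd)):
                addr, gap, mask = m.groups()
                if mask.startswith("/") and not gap:
                    cfg["flags"].append("prefix-needs-space")   # see the Note on /prefix
                try:
                    cfg["net"] = ipaddress.ip_interface(f"{addr}/{mask.lstrip('/')}").network
                except ValueError:
                    cfg["flags"].append("bad-ip-address")
    return ifaces


def check_vlan_config(lines):
    """Return sorted (interface, finding) pairs; an empty list means no findings."""
    ifaces = parse_commands(lines)
    findings = []
    for key, cfg in ifaces.items():
        port, sub = key
        findings += [(name(key), flag) for flag in cfg["flags"]]
        if sub is None:
            if cfg["dot1q"] and cfg["net"] is not None:
                findings.append((name(key), "ip-on-802.1q-parent"))
            continue
        parent = ifaces.get((port, None))
        if parent is None or not parent["dot1q"]:
            findings.append((name(key), "parent-lacks-encapsulation"))   # step 1
        if cfg["vlan"] is None:
            findings.append((name(key), "no-vlan-id"))                   # step 3
        elif not 1 <= cfg["vlan"] <= 4094:
            findings.append((name(key), "vlan-id-out-of-range"))
        if cfg["net"] is None:
            findings.append((name(key), "no-ip-address"))                # step 4
    # One subinterface per VLAN on a port; no overlapping subnets between interfaces.
    keys = list(ifaces)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            ca, cb = ifaces[a], ifaces[b]
            same_port_subs = a[0] == b[0] and a[1] is not None and b[1] is not None
            if same_port_subs and ca["vlan"] is not None and ca["vlan"] == cb["vlan"]:
                findings.append((name(b), f"duplicate-vlan-id-with {name(a)}"))
            if ca["net"] is not None and cb["net"] is not None and ca["net"].overlaps(cb["net"]):
                findings.append((name(b), f"subnet-overlaps {name(a)}"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in check_vlan_config(SAMPLE):
        print(f"{iface}: {finding}")
```
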

Viewing the Status of Ethernet Interfaces or Subinterfaces

After you configure an Ethernet interface or subinterface, you may want to view the configuration settings you have entered, or you may want to determine the status of the interface—is the interface up, down, or administratively down? You can use the following commands to view the configuration and status of Ethernet interfaces and subinterfaces:

■ show interfaces command

■ show running-config commands

show interfaces Command

To view the status of an Ethernet interface, move to the enable mode context and enter:

Syntax: show interfaces ethernet 0/<port>

For example, to view the status of the Ethernet 0/1 interface, enter:

ProCurve# show interfaces ethernet 0/1

If you are not at the enable mode context, you can use the do command. Enter:

ProCurve(config-eth 0/1)# do show interfaces ethernet 0/1


Figure 3-5. Interpreting the Output from a show interfaces ethernet Command

The Ethernet 0/1 interface shown in Figure 3-5 is up, and the line protocol is up. You can also see that the IP address and subnet mask have been configured and the speed of the connection is 100 Mbps with full-duplex.

If you have created Ethernet subinterfaces to support the VLANs on your network, enter:

Syntax: show interfaces eth 0/<port number.subinterface number>

For example, to view the status of the Ethernet 0/2.5 subinterface, enter:

ProCurve# show interfaces ethernet 0/2.5

You can view the status information for the Ethernet interfaces in real-time by adding the realtime option to the show interfaces command. (See Figure 3-6.)

Syntax: show interfaces eth 0/<port number.subinterface number> [realtime]

Figure 3-5 output:

eth 0/1 is UP, line protocol is UP
  Hardware address is 00:15:55:05:35:D4
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  MTU is 1500 bytes, BW is 100000 Kbit
  100Mb/s, negotiated full-duplex, configured full-duplex
  ARP type: ARPA; ARP timeout is 20 minutes
  5 minute input rate 32 bits/sec, 0 packets/sec
  5 minute output rate 16 bits/sec, 0 packets/sec
    16 packets input, 1460 bytes
    0 unicasts, 16 broadcasts, 0 multicasts input
    0 unknown protocol, 0 symbol errors, 0 discards
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    3 packets output, 522 bytes
    2 unicasts, 1 broadcasts, 0 multicasts output
    0 output errors, 0 deferred, 0 discards
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
    0 resets, 0 throttles

Figure 3-5 callouts: the first line shows that the Physical Layer and Data Link Layer are up; the "100Mb/s, negotiated full-duplex" line shows the negotiated speed and type of duplex.


Figure 3-6. Results of the show interface ethernet realtime Command

To end the realtime display of the show interface ethernet command, enter Ctrl+C. To suspend the updates and maintain the current display, enter f. To view the updates again, enter r.

show running-config Commands

Located in RAM, the running-config file includes the configurations that are currently running on the router—this includes the configurations that were read from the startup-config when the ProCurve Secure Router was booted, and any configurations that you have subsequently entered. The running-config is cleared every time the ProCurve Secure Router is powered down, and any changes that have not been saved to the startup-config file are lost.

Note: To save the running-config to the startup-config file, you must enter one of the following commands from the enable mode context:

write memory

copy running-config startup-config

Figure 3-6 output:

-------------------------------------------------------------------
eth 0/1 is UP, line protocol is UP
  Hardware address is 00:12:79:05:25:B0
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  MTU is 1500 bytes, BW is 100000 Kbit
  100Mb/s, negotiated full-duplex, configured full-duplex
  ARP type: ARPA; ARP timeout is 20 minutes
  5 minute input rate 208 bits/sec, 0 packets/sec
  5 minute output rate 608 bits/sec, 1 packets/sec
    47 packets input, 7448 bits/sec, 1 packets/sec
    244 packets input, 22907 bytes multicasts input
    192 unicasts, 52 broadcasts, 0 multicasts input
    0 input errors, 0 runts, 0 giants
    0 no buffer, 0 overruns, 0 internal receive errors
    0 alignment errors, 0 crc errors
    3 packets output, 512 bytes
    204 packets output, 16642 bytes multicasts output
    193 unicasts, 1 broadcasts, 10 multicasts output
    0 single, 0 multiple, 0 late collisions
    0 excessive collisions, 0 underruns
    0 internal transmit errors, 0 carrier sense errors
(OUTPUT TRUNCATED)
--------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'

Figure 3-6 callout: the last line gives the instructions for pausing or ending the output.


Viewing the Configurations That Have Been Entered

To view the settings that have been entered manually and are currently being used by the ProCurve Secure Router, move to the enable mode context and enter:

ProCurve# show running-config

This command displays the current configurations for the router. You must browse the output to find the configurations for the Ethernet interfaces, which are listed under the headings interface eth 0/1 or interface eth 0/2. If you have configured Ethernet subinterfaces, the configurations for each are listed under their respective ports.

If you do not want to browse through the entire running-config, you can enter:

ProCurve# show running-config interface eth 0/<port>

This command displays the manually entered configurations for only the Ethernet interface that you specify.

Likewise, you can view the configuration settings you have entered for the Ethernet subinterfaces by entering:

Syntax: show running-config interface eth 0/<port number.subinterface number>

Figure 3-7 shows the portion of the show running-config output that is related to the Ethernet 0/1.1 subinterface.

Figure 3-7. Viewing the show running-config Command for an Ethernet Subinterface

Viewing All the Configuration Settings Including Defaults

The show running-config command displays only the settings that you have configured for the ProCurve Secure Router. It does not display the default settings, which are automatically applied to the router. To view all the settings that are currently applied to the router, enter the following command from the enable mode context:

ProCurve# show running-config verbose

Figure 3-7 output:

interface eth 0/1.1
  ip address 192.168.1.1 255.255.255.0
  no shutdown


The display shows the current running-config file, including any default settings. Again, you will need to browse for the information relating to the Ethernet interface or subinterface you are checking.

Alternately, you can enter the following command to display only information about a particular Ethernet interface or subinterface:

Syntax: show running-config interface eth 0/<port number.subinterface number> verbose

Figure 3-8 shows the output for the Ethernet 0/2.1 interface.

Figure 3-8. Using the show running-config verbose Command

Figure 3-8 output:

interface eth 0/2.1
  description
  alias
  native
  no shutdown
  ip address 192.10.10.1 255.255.255.0
  ip proxy-arp
  ip ospf authentication-key
  ip ospf authentication null
  ip ospf message-digest-key 1 md5
  ip ospf message-digest-key 2 md5
  ip ospf cost 0
  ip ospf retransmit-interval 5
  ip ospf transmit-delay 1
  ip ospf priority 1
  ip ospf hello-interval 10
  ip ospf dead-interval 40
  no ip mcast-stub helper-enable
  ip igmp version 2
  ip igmp last-member-query-interval 1000
  ip igmp query-interval 60
  ip igmp query-max-response-time 10
  ip igmp querier-timeout 120
  no ip igmp immediate-leave
  mtu 1500
  bandwidth 0
  ip route-cache
  ip split-horizon
  no crypto map
  no dynamic-dns
  no qos-policy out
  max-reserved-bandwidth 75


To understand the difference between the show running-config command and the show running-config verbose command, compare Figure 3-7 to Figure 3-8. For example, if you entered the IP address, a description, and the no shut command to configure the Ethernet interface, only those settings are listed when you enter the show running-config command.

When you enter show running-config verbose, other default settings that you have not altered are also displayed. For example, the running-config verbose command displays settings such as the Ethernet interface’s MTU, speed and duplex settings, MAC address, as well as settings for OSPF routing and Link Layer Discovery Protocol (LLDP).

Troubleshooting an Ethernet Interface

The first step in troubleshooting problems with any interface is to enter the show interfaces command. This command allows you to determine, at a glance, if the connection is up.

If the interface has not been activated, the following status is displayed:

eth 0/1 is administratively down

You should then move to the Ethernet interface configuration mode context and enter the no shutdown command.

Two error messages indicate problems with the interface:

■ “eth 0/1 is DOWN” indicates that the Physical Layer is not active. This problem may be caused by:

• loose or bad connection

• bad cabling

• no cabling

■ “line protocol is DOWN” indicates that the software processes that handle the line protocol consider the interface down. Whether due to faulty hardware, incompatible configurations, or problems at the other end of the line, the ProCurve Secure Router cannot negotiate a link on the interface.


Depending on the error messages displayed, you should check the cabling or the configuration settings for the Ethernet interface. If the “eth 0/1 is DOWN” message is displayed, substitute a different 10Base-T or 100Base-T cable and make sure the connectors are securely seated in the Ethernet port on both the router and the far-end device.

If the “line protocol is DOWN” message is displayed, check your configuration. Ensure that the Ethernet interface can successfully negotiate the speed and duplex settings for the line.
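The status checks described in this section can be scripted when show interfaces output is collected from several routers. The following Python code is an added example, not part of the ProCurve guide: it parses output in the format of Figure 3-5 and maps the status line to the troubleshooting advice given above. Reporting nonzero error counters goes beyond what the guide describes, and the two DOWN samples are constructed for illustration.

```python
import re

# Status line formats quoted in the guide:
#   "eth 0/1 is UP, line protocol is UP"
#   "eth 0/1 is administratively down"
STATUS_RE = re.compile(
    r"^[ \t]*(?P<name>eth \d+/\d+(?:\.\d+)?) is "
    r"(?P<phys>UP|DOWN|administratively down)"
    r"(?:, line protocol is (?P<proto>UP|DOWN))?[ \t]*$",
    re.MULTILINE,
)
DUPLEX_RE = re.compile(
    r"(?P<speed>\d+)Mb/s, negotiated (?P<neg>\w+)-duplex, "
    r"configured (?P<cfg>\w+)-duplex"
)
# Counters appear as "<number> <label>" pairs separated by commas.
COUNTER_RE = re.compile(r"(\d+) ([a-z][a-z ]*[a-z])")
ERROR_SUFFIXES = ("errors", "collisions", "runts", "giants")

# Abridged from the Figure 3-5 output on this page.
SAMPLE_UP = """\
eth 0/1 is UP, line protocol is UP
  Hardware address is 00:15:55:05:35:D4
  Ip address is 192.168.1.1, netmask is 255.255.255.0
  100Mb/s, negotiated full-duplex, configured full-duplex
    16 packets input, 1460 bytes
    0 input errors, 0 runts, 0 giants
    0 alignment errors, 0 crc errors
    0 single, 0 multiple, 0 late collisions
"""

# Constructed samples (not from the guide) for the failure states it names.
SAMPLE_DOWN = """\
eth 0/2 is DOWN, line protocol is DOWN
    0 input errors, 0 runts, 0 giants
    0 alignment errors, 12 crc errors
"""
SAMPLE_ADMIN_DOWN = "eth 0/2 is administratively down\n"


def parse_show_interface(text):
    """Extract status, speed/duplex and error counters from the output."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no interface status line found")
    status = {
        "name": m["name"],
        "physical": m["phys"],
        "line_protocol": m["proto"],  # None when administratively down
        "duplex": None,
        "error_counters": {},
    }
    d = DUPLEX_RE.search(text)
    if d:
        status["duplex"] = {
            "speed_mbps": int(d["speed"]),
            "negotiated": d["neg"],
            "configured": d["cfg"],
        }
    for line in text.splitlines():
        for value, label in COUNTER_RE.findall(line):
            if label.endswith(ERROR_SUFFIXES):
                counters = status["error_counters"]
                counters[label] = counters.get(label, 0) + int(value)
    return status


def diagnose(status):
    """Return (code, advice) pairs following the guide's troubleshooting steps."""
    if status["physical"] == "administratively down":
        return [("ADMIN_DOWN", "interface not activated: enter 'no shutdown' "
                 "from the Ethernet interface configuration mode context")]
    findings = []
    if status["physical"] == "DOWN":
        findings.append(("PHYSICAL_DOWN", "Physical Layer not active: check for "
                         "a loose or bad connection, bad cabling, or no cabling"))
    if status["line_protocol"] == "DOWN":
        findings.append(("LINE_PROTOCOL_DOWN", "check the configuration and that "
                         "speed and duplex can be negotiated"))
    # Added check, not from the guide: surface any nonzero error counter.
    nonzero = {k: v for k, v in status["error_counters"].items() if v}
    if nonzero:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(nonzero.items()))
        findings.append(("ERROR_COUNTERS", "nonzero counters: " + detail))
    return findings or [("OK", "Physical Layer and line protocol are up")]


def check(text):
    """Convenience wrapper: finding codes for one block of CLI output."""
    return [code for code, _ in diagnose(parse_show_interface(text))]


if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_DOWN, SAMPLE_ADMIN_DOWN):
        parsed = parse_show_interface(sample)
        for code, advice in diagnose(parsed):
            print(f"{parsed['name']}: {code}: {advice}")
```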

show event-history Command

Another useful tool for troubleshooting problems on the Ethernet interface is the show event-history command. By default, the ProCurve Secure Router logs events such as changes in the status of interfaces and ports. To display this information, enter the following command from the enable mode context:

ProCurve# show event-history

To isolate problems, you can clear the event history, reproduce the problem, and then display the event history again. To clear the event history, enter the following command from the enable mode context:

ProCurve# clear event-history

The event history is automatically cleared when the router is rebooted.

debug interface ethernet Command

If you check the configurations and basic hardware used for the Ethernet connection and still cannot resolve the issue, you can use the debug interface command to display information about the interface in real-time.

Syntax: debug interface <interface>

Replace <interface> with Ethernet.

For example, if you cannot establish an Ethernet connection, you may want to enter this command to determine if the Ethernet interface is successfully negotiating the speed and the duplex setting. Figure 3-9 shows the debug messages for an Ethernet interface that was successfully established.


Figure 3-9. debug interface ethernet Messages

To end the display of debug messages, enter:

Syntax: no debug interface <interface>

ProCurve# no debug interface ethernet

Quick Start

This section provides the commands you must enter to quickly configure Ethernet interfaces. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 3-1 to locate the section and page number that contains the explanation you need.

Configuring the Ethernet Interface

To configure the Ethernet interface, complete these steps:

1. Use a 10Base-T or 100Base-T cable to connect the Ethernet port on the ProCurve Secure Router to the appropriate device on your LAN. In most cases, you will connect the router to a switch.

2. Establish a terminal session with the ProCurve Secure Router. You are automatically at the basic mode context.

ProCurve>

3. Move to the enable mode context. If you have configured a password for the enable mode context, enter that password when you are prompted to do so.

ProCurve> enable
Password:

Figure 3-9 output:

2005.08.27 15:31:53 ETHERNET_INTERFACE.eth 0/1 auto-negotiation in progress
2005.08.27 15:31:55 ETHERNET_INTERFACE.eth 0/1 auto-negotiation complete
2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 link up
2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 speed is 100Mbps, full duplex
2005.08.27 15:31:56 INTERFACE_STATUS.eth 0/1 changed state to up


4. Move to the global configuration mode context.

ProCurve# configure terminal

5. Access the Ethernet configuration mode context:

Syntax: interface ethernet 0/<port>

For example, if you want to configure the bottom Ethernet port, enter:

ProCurve(config)# interface ethernet 0/1

6. Assign the Ethernet interface an IP address.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, if you want to assign the Ethernet interface the IP address 192.168.1.1 /24, enter:

ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24

7. Activate the interface.

ProCurve(config-eth 0/1)# no shut

8. View the status of the Ethernet interface you just configured.

ProCurve(config-eth 0/1)# do show interface ethernet 0/<port>

Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).


4

Configuring E1 and T1 Interfaces

Contents

Overview of E1 and T1 WAN Connections
  Elements of an E1- or T1-Carrier Line
  Connecting Your Premises to the Public Carrier: the Local Loop
    External or Built-in CSU/DSU
ProCurve Secure Router Modules
  E1 Modules with a Built-in DSU
    Supported Standards
  T1 Modules with a Built-in CSU/DSU
    Supported Standards
  E1 or T1 Interfaces: Configuring the Physical Layer
    E1 or T1 Interface Configuration Mode Context
    Channels
    Line Coding
    Frame Format
    Clock Source, or Timing, for the E1- or T1-Carrier Line
    Transmit Signal Level (T1 Interfaces Only)
    Set the FDL (T1 Interfaces Only)
    Activate the E1 or T1 Interface
  Threshold Commands
    Types of Line Errors
Viewing Information about E1 and T1 Interfaces
  show interfaces Command
  show running-config Command
  show running-config verbose Command
Troubleshooting E1 and T1 WAN Connections
    No Light
    Red Light
    Yellow Light
    Green Light
  Viewing Performance Statistics
Quick Start
  Configuring an E1 or T1 Interface


Overview of E1 and T1 WAN Connections

Public carriers offer E1- and T1-carrier lines for customers who need dedicated, secure, point-to-point wide area network (WAN) connections. The connection is always active, so data can be immediately transmitted at any time, with no wait for a dial-up process.

In Europe, Australia, South America, and Asia, Public Telephone and Telegraph (PTT) authorities offer E1-carrier lines, which provide 2.048 Mbps bandwidth. In the United States, Canada, and sometimes Japan, telcos offer T1-carrier lines, which provide 1.544 Mbps bandwidth.

Note: In Japan, PTTs offer T1-carrier lines and sometimes E1-carrier lines for data. For traditional analog voice, these PTTs offer J1-carrier lines. (J1 lines are outside the scope of the ProCurve Secure Router Management and Configuration Guide.)

An E1- or T1-carrier line can be used for both traditional analog voice and data—a characteristic that can make it an appealing option for some companies. By combining analog voice and data on an E1- or T1-carrier line, companies may be able to save money on their telephone and data communications costs.

Elements of an E1- or T1-Carrier Line

All WAN connections, including E1- and T1-carrier lines, consist of three basic elements:

■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection

■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media

■ Data Link Layer protocols, which provide logical flow control for moving data between the peers in the WAN (peers are the devices at either end of a WAN connection)


Physical transmission media and electrical specifications are part of the Physical Layer (Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (Layer 2). (See Figure 4-1.)

Figure 4-1. Physical and Data Link Layers of the OSI model

When you configure an E1 or T1 WAN connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the logical layer).

Connecting Your Premises to the Public Carrier: the Local Loop

In the United States and Canada, the network that provides the infrastructure for T1-carrier lines is called the public switched telephone network (PSTN). In all other countries, PTT authorities provide the infrastructure for WAN connections.

When you lease an E1- or T1-carrier line, your LAN must be connected to the public carrier’s nearest central office (CO). All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. Because the CO may be located miles away from your premises, this telecommunications infrastructure may include repeaters, as well as switches, cable, and connectors. (See Figure 4-2.)

Layers shown in Figure 4-1:

1  Physical layer      (E1 and T1)
2  Data Link layer     (PPP, Frame Relay, HDLC)
3  Network layer
4  Transport layer
5  Session layer
6  Presentation layer
7  Application layer


Figure 4-2. Local Loop

All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design. (See Figure 4-2.) These components are listed below:

■ CSU/DSU—The Channel Service Unit/Digital Service Unit (CSU/DSU) has two purposes: The DSU accepts traffic from the router and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. The CSU then generates the signal to be sent across the WAN. For incoming traffic, the CSU regenerates the signal for transmission across the LAN.

■ Demarc—A line of demarcation, or demarc, separates your wiring and equipment from the public carrier’s wiring and equipment. As a general rule, you own, operate, and maintain the wiring and equipment on your side of the demarc, and the public carrier owns, operates, and maintains the wiring and equipment on its side of the demarc.

■ Network interface unit (NIU)—The NIU automatically maintains the WAN connection and enables public carrier employees to perform simple management tasks from a remote location. The NIU is usually located outside the subscriber’s premises so that public carrier employees can always access it. In the United States and Canada, the NIU is commonly referred to as the smart jack.

■ Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is still the most common physical transmission medium used on the local loop. Because copper wire has a limited capacity to carry signals, local loops that use copper wire are the slowest, least capable component of the WAN connection.

[Figure 4-2 labels: LAN; Router (DTE); CSU/DSU; Demarc; Network Interface Unit (Smart Jack); Wire span; Repeater; OCU, the Office Channel Unit (PTT’s CSU); Public Carrier’s CO]


■ Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used. On an E1 or T1 connection over unshielded twisted pair (UTP) wiring, the distance between repeaters is one mile or less.

■ Office channel unit—Located at the CO, the office channel unit (OCU) performs the same function at the public carrier’s site that the CSU performs at each subscriber’s site: It generates the signal to be sent across the WAN—either to be sent to a subscriber’s premises or to be transmitted on to the public carrier network.

Although you will never see most of these components, having a basic understanding of the local loop can help you work with your public carrier to troubleshoot problems if your E1- or T1-carrier line ever goes down.

In addition, two of these components directly affect your E1 or T1 WAN connection: the demarc and the CSU/DSU. The demarc determines which part of the E1 or T1 WAN connection you are responsible for. Again, this becomes important if your E1- or T1-carrier line ever goes down and you have to work with the public carrier to identify and fix the problem.

The CSU/DSU is important because its form and design determine not only which ProCurve Secure Router module you purchase but also which settings you must configure for the E1- or T1-carrier line.

External or Built-in CSU/DSU

Your public carrier determines the type of CSU/DSU that will be used in your WAN connection. There are three options:

■ The public carrier provides the CSU/DSU and installs it on your premises.

■ The public carrier provides the CSU but not the DSU.

■ The public carrier does not provide the CSU/DSU.

In Europe, Australia, South America, and Asia (except Japan), the PTT authority will provide either the complete CSU/DSU or just the CSU. In the United States and Canada, public carriers will either provide the entire CSU/DSU, or they will not provide either one at all.

If the public carrier provides an external CSU/DSU, you should purchase a serial module. (See Figure 4-3.) For information about the serial module, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.


Figure 4-3. Router Connects Directly to an External CSU/DSU.

If your public carrier does not provide the DSU, the router must include a built-in DSU. You will then use UTP cable with RJ-48C connectors to connect the router to the external CSU. (See Figure 4-4.)

Figure 4-4. Router with a Built-in DSU Connects Directly to the External CSU.

If your public carrier does not provide the CSU/DSU, the router must include a built-in CSU/DSU. In this case, the public carrier provides a wall jack on your premises to connect your router to the local loop, and you use UTP cable with RJ-48C connectors to connect the router to the wall jack. (See Figure 4-5.)

[Figure 4-3 labels: LAN; Router (DTE); CSU/DSU; Demarc; Network Interface Unit (Smart Jack); Wire span; Repeater; OCU, the Office Channel Unit (public carrier’s CSU); Public Carrier’s CO]

[Figure 4-4 labels: LAN; Router w/internal DSU; UTP cable with RJ-48C connectors; CSU; Demarc; Network Interface Unit (Smart Jack); Wire span; Repeater; OCU, the Office Channel Unit (public carrier’s CSU); Public Carrier’s CO]


Figure 4-5. Router with a Built-in CSU/DSU

ProCurve Secure Router Modules

ProCurve Networking provides several E1 and T1 modules, which are described in the next sections.

E1 Modules with a Built-in DSU

If your public carrier does not provide an external DSU, you should use one of the E1 modules, which include a built-in DSU:

■ one-port E1 module

■ two-port E1 module

■ eight-port wide-option module (ProCurve Secure Router 7203dl only)

Supported Standards

The ProCurve Secure Router E1 modules are standards based. Specifically, they support the standards listed in Table 4-1.

[Figure 4-5 labels: LAN; Router w/ internal CSU/DSU; UTP cable with RJ-48C connectors; Demarc; Network Interface Unit (Smart Jack); Wire span; Repeater; OCU, the Office Channel Unit (public carrier’s CSU); Public Carrier’s CO]


Table 4-1. Standards Supported by E1 Modules

For instructions on configuring E1 modules, see “E1 or T1 Interfaces: Configuring the Physical Layer” on page 4-10.

T1 Modules with a Built-in CSU/DSU

If your public carrier does not provide a CSU/DSU, you should use one of the ProCurve Secure Router T1 modules, which include a built-in CSU/DSU:

■ one-port T1 module

■ two-port T1 module

■ eight-port wide-option module (ProCurve Secure Router 7203dl only)

Supported Standards

The ProCurve Secure Router T1 modules support the standards listed in Table 4-2.

Table 4-1 contents:

Type of Standard    Port
E-carrier line      • International Telecommunications Union (ITU) G.703
                    • ITU-T G.704 (CRC-4)
                    • ITU-T G.823
                    • ITU-T G.797
Electrical/power    • Norme Europeenne (EN) 60950 (EN is also referred to as European Standards.)
                    • International Electrotechnical Commission (IEC) 60950
                    • Australian Standard/New Zealand Standard (AS/NZS) 60950


Table 4-2. Standards Supported by T1 Modules

Instructions for configuring the T1 modules begin below.

E1 or T1 Interfaces: Configuring the Physical Layer

When you configure an E1 or T1 interface, the settings you enter must match the settings that your public carrier is using. Your public carrier will provide you with the settings you should enter for the following:

■ number of channels

■ line coding

■ frame format

■ clock source

For T1-carrier lines, your public carrier may also provide you with settings for the following:

■ line build out (LBO), or signal level

■ facility data link (FDL), if you are using the Extended SuperFrame (ESF) frame format

In addition to configuring these options, you must activate the E1 or T1 interface.

These are the minimal configuration options that you must enter to establish the Physical Layer of the WAN connection. In fact, you may not have to enter all of these options: if the public carrier’s setting for an option matches the default setting for the E1 or T1 interface, you do not have to configure that option.

Table 4-2 contents:

Type of Standard    Port
T-carrier line      • AT&T TR194
                    • AT&T TR54016
                    • American National Standards Institute (ANSI) T1.403
Electrical/power    • AT&T Pub 62411 (jitter tolerance)
                    • U.S. Federal Communications Commission (FCC) Part 15 Class A
                    • EN 55022 Class A
                    • American Council for Terminal Attachments (ACTA)/FCC Part 68
                    • Industry Canada (IC) CS-03
                    • UL/cUL 60950
                    • IEC 60950

4-10

Page 199: ProCurve Secure Router 7000dl - Apache Welcome Pageh20628. · ProCurve Secure Router 7000dl. ProCurve Secure Router ... Events ... Troubleshooting E1 and T1 WAN Connections ...

Configuring E1 and T1 InterfacesProCurve Secure Router Modules

The rest of this section describes these options in more detail and explains how to configure them from the command line interface (CLI). If you want to configure the E1 or T1 connection from the Web browser interface, see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.

E1 or T1 Interface Configuration Mode Context

To begin configuring the E1 or T1 interface that will provide the WAN connection, you must access the appropriate configuration mode context. In the ProCurve Secure Router CLI, move to the global configuration mode context and enter:

Syntax: interface <interface> <slot>/<port>

Replace <interface> with e1 or t1, depending on the type of connection you are configuring. On the ProCurve Secure Router, the interface for each physical port is identified by its slot number and port number.

The possible slot numbers for an E1 or T1 interface are:

■ 1 = dl option module slot 1

■ 2 = dl option module slot 2

■ 3 = dl wide option module slot (ProCurve Secure Router 7203dl only)

The port number you enter depends on the number of ports included in the E1 or T1 module. For example, two-port E1 modules have two E1 ports plus one backup port. (For more information about backup ports, see the ProCurve Secure Router Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.) If the E1 module is located in slot 1 and you are configuring the interface for port 1, enter:

ProCurve(config)# interface e1 1/1

Likewise, if the T1 module is located in slot 2 and you are configuring the interface for port 2, enter:

ProCurve(config)# interface t1 2/2

The router prompt should indicate that you have entered the appropriate interface configuration mode context:

ProCurve(config-t1 2/2)#

From the configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.

ProCurve(config-t1 2/2)# ?


The settings that you must configure in order to establish an E1 or T1 WAN connection are explained in the following sections.

Channels

As mentioned earlier, E1- and T1-carrier lines provide different transmission speeds. An E1-carrier line provides 2.048 Mbps in total bandwidth, which is divided into 32 channels. A T1-carrier line, on the other hand, provides 1.544 Mbps in total bandwidth, which is divided into 24 channels.

Called digital signal zero (DS0), each channel operates at 64 Kbps, the amount of bandwidth required to transmit a single analog voice call through a digital telecommunications network. The channels in these dedicated circuits are created using time division multiplexing (TDM). By combining, or multiplexing, multiple channels into a larger, more complex signal, TDM creates a high-bandwidth channel. (See Figure 4-6.)

Figure 4-6. Multiplexing Multiple Channels into One E1- or T1-Carrier Line

[Figure 4-6: 32 or 24 DS0s enter a MUX (DS0 channels multiplexed into E1 or T1), cross the E1- or T1-carrier line, and leave a second MUX (E1 or T1 demultiplexed into DS0 channels) as 32 or 24 DS0s.]

Each channel receives an equal time slice within the complex signal in a rotating, repeating sequence and thus receives an equal amount of bandwidth. On the receiving end, TDM is used to recover the original signals through a reverse process called demultiplexing.

E1 Channels. When you configure an E1 module with a built-in DSU, you must configure the number of channels that the E1 WAN connection uses. You can configure channels 1-31. One channel—channel 0—is used to maintain the connection and cannot be used for data or voice.

If you purchase an entire E1-carrier line, you configure channels 1-31. If you purchase a fractional E1-carrier line, your public carrier will tell you which channels to configure for that connection. (If you want to use some of the channels for voice, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.)

T1 Channels. When you configure a T1 module with a built-in CSU/DSU, you must configure the number of channels that the T1 WAN connection uses. If you lease an entire T1 line, you configure channels 1-24. If you lease a fractional T1 line, your public carrier will tell you which channels to configure for that connection. (If you want to use some of the channels for voice, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.)

Configuring the Number of Channels. To configure the number of channels used for an E1 or T1 WAN connection, you use the tdm-group command:

Syntax: tdm-group <number> timeslots <range of numbers> speed [56 | 64]

This command creates a TDM group and assigns it a number of channels. Replace <number> with a number between 1 and 255, and replace <range of numbers> with the channels that will be used for this connection.

The TDM-group number relates directly to the interface that you are configuring. This means that you can create a TDM group 1 for each E1 or T1 interface on the ProCurve Secure Router.

You enter the tdm-group command from the E1 or T1 interface configuration mode context. For example, to configure the E1 1/1 interface to use all 31 channels, enter:

ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31

To configure the T1 2/2 interface to use all 24 channels, enter:

ProCurve(config-t1 2/2)# tdm-group 1 timeslots 1-24

Speed Option. If you view the syntax for the tdm-group command from the CLI, you will notice that it includes a speed option, as shown below:

Syntax: tdm-group <number> timeslots <range of numbers> speed [56 | 64]

By default, the speed for channels is 64 Kbps, and this setting will be used for all E1-carrier lines and most T1-carrier lines. The speed 56 setting is used only if your public carrier is using a 56 Kbps setting for the connection. In this case, your public carrier will tell you to set the speed for each channel to 56 Kbps. For all other environments, you should simply accept the default setting of 64 Kbps.


Line Coding

In addition to configuring the number of channels for the E1 or T1 connection, you must configure the interface to use the same line coding that your public carrier is using. Line coding defines how digital signals are configured for transport through a physical transmission medium. Line coding schemes use electrical signals to represent the logical 0 and 1 bits in a data stream.

E1- and T1-carrier lines have slightly different options for line coding.

E1 Line Coding. E1-carrier lines use the following line coding schemes:

■ Alternate mark inversion (AMI)

■ High-density bipolar of order 3 (HDB3)

AMI uses alternating positive and negative voltage (referred to as alternating polarity or bipolarity) to represent logical ones, and zero voltage to represent logical zeros. Because AMI uses zero voltage for logical zeros, it can cause synchronization loss between peers at each end of a WAN connection if a data stream contains a long string of logical zeros.

Although HDB3 is based on AMI, HDB3 prevents synchronization loss by limiting the number of consecutive zero signals in a data stream to three. HDB3 replaces four logical zeros with three signals at zero voltage and a violation bit with the same polarity as the last AMI logical one detected.

Because HDB3 is the most common line coding scheme used in E1 lines, it is the default setting for all E1 interfaces on the ProCurve Secure Router.

To configure line coding on an E1 interface, enter the following command from the E1 interface configuration mode context:

Syntax: coding [ami | hdb3]

For example, to configure the line coding as AMI, enter:

ProCurve(config-e1 1/1)# coding ami

T1 Line Coding. T1-carrier lines use the following line coding schemes:

■ AMI

■ Bipolar 8-Zero Substitution (B8ZS)


Like HDB3, B8ZS was designed to overcome the deficiencies of AMI. To prevent synchronization loss, B8ZS replaces a string of eight zeros with a string that includes two logical ones of the same polarity as a timing mark. Because B8ZS has become the standard line coding used on T1-carrier lines, it is the default setting on the ProCurve Secure Router.

To configure line coding on a T1 interface, enter the following command from the T1 interface configuration mode context:

Syntax: coding [ami | b8zs]

For example, to configure the T1 interface to use the ami option, enter:

ProCurve(config-t1 1/1)# coding ami

Note: If you want to accept a default setting, it is not necessary to enter the command. For an E1-carrier line, you can simply accept the default setting of HDB3. For a T1-carrier line, you can simply accept the default setting of B8ZS.
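The substitution rules described above, worked through in Python as an added example (not code from this guide or from ProCurve). The sample bit string is constructed, the starting polarity is an assumption, and the HDB3 encoder also implements the B00V form of the substitution, which the text does not describe. The violation count is what a receiver set to plain AMI would register for each stream.

```python
# Added illustration: AMI, B8ZS and HDB3 encoders over a constructed bit string.
# A pulse is +1 or -1; 0 means no pulse. The starting polarity is an assumption.

def ami(bits):
    """Ones alternate in polarity, zeros send no pulse."""
    out, last = [], -1              # assume the previous pulse on the line was negative
    for bit in bits:
        if bit:
            last = -last
        out.append(last if bit else 0)
    return out


def b8zs(bits):
    """AMI, but every run of eight zeros is sent as 000VB0VB."""
    out, last, i = [], -1, 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            # V repeats the previous polarity (the deliberate violation); B is a normal pulse.
            out += [0, 0, 0, last, -last, 0, -last, last]
            i += 8                  # the pattern ends on the polarity it started from
        else:
            if bits[i]:
                last = -last
            out.append(last if bits[i] else 0)
            i += 1
    return out


def hdb3(bits):
    """AMI, but every run of four zeros is sent as 000V or B00V."""
    out, last, ones, i = [], -1, 0, 0   # ones = marks sent since the last substitution
    while i < len(bits):
        if bits[i:i + 4] == [0] * 4:
            if ones % 2:            # odd: 000V, V copies the last pulse (the case in the text)
                out += [0, 0, 0, last]
            else:                   # even: B00V, so successive violations alternate polarity
                last = -last
                out += [last, 0, 0, last]
            ones, i = 0, i + 4
        else:
            if bits[i]:
                last, ones = -last, ones + 1
            out.append(last if bits[i] else 0)
            i += 1
    return out


def max_zero_run(pulses):
    """Longest stretch with no pulse, which is what threatens receiver synchronization."""
    longest = run = 0
    for p in pulses:
        run = 0 if p else run + 1
        longest = max(longest, run)
    return longest


def bipolar_violations(pulses):
    """Pulses that repeat the polarity of the previous pulse, as a plain AMI receiver counts them."""
    count, last = 0, 0
    for p in pulses:
        if p:
            if p == last:
                count += 1
            last = p
    return count


# Constructed sample: a one, eight zeros, two ones, four zeros, a one.
SAMPLE = [1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1]


def report(bits=SAMPLE):
    """Map each scheme to (longest zero run, violations seen by an AMI-only receiver)."""
    encoders = {"ami": ami, "b8zs": b8zs, "hdb3": hdb3}
    return {name: (max_zero_run(enc(bits)), bipolar_violations(enc(bits)))
            for name, enc in encoders.items()}


if __name__ == "__main__":
    for name, (zeros, bpvs) in report().items():
        print(f"{name:5s} longest zero run={zeros} bipolar violations={bpvs}")
```

The nonzero violation counts for B8ZS and HDB3 are intentional marks that a matching receiver removes; an interface left on the wrong coding setting reports them as errors instead.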

Frame Format

You must configure the E1 or T1 interface to use the same frame format as that used by the public carrier. Otherwise, the WAN connection cannot be established.

E1-carrier lines and T1-carrier lines use different frame formats.

E1 Frame Formats. E1 interfaces on the ProCurve Secure Router support two frame formats:

■ E1

■ Cyclic Redundancy Check 4 (CRC4)

In the E1 frame format, a channel (or timeslot) is called a TS, and the 32 channels are numbered TS0 to TS31. Two channels are used to establish and maintain synchronization and signaling: specifically, TS0 is used for synchronization, error detection, and alarms, and TS16 is used for signaling. The other channels are used to transmit data.

CRC4 is based on the E1 frame format but includes additional error detection. A checksum bit is included in all even frames of the 16-frame multiframe: frames 0, 2, 4, 6, 8, 10, 12, and 14. A total of 8 checksum bits are used.


Although E1 interfaces, including those for the G.703 port, support two frame formats, only one option is listed if you enter the following command from the E1 interface configuration mode context:

ProCurve(config-e1 1/1)# framing ?

Only the crc4 option is listed.

By default, the frame format is E1. If your public carrier is using the E1 frame format, you simply accept the default setting by not entering a framing command.

However, if your public carrier is using the CRC4 frame format, enter:

Syntax: framing crc4

ProCurve(config-e1 1/1)# framing crc4

To return to the E1 frame format, enter:

ProCurve(config-e1 1/1)# no framing crc4

T1 Frame Formats. For T1-carrier lines, public carriers use one of two frame formats:

■ D4

■ ESF

D4 framing aggregates 12 DS0 frames into a single superframe. The ESF standard multiplexes 24 DS0 frames into an extended superframe.

The ESF format has essentially replaced the D4 framing standard because it frees up bits that can be used to maintain the connection. Due to its popularity, ESF is the default setting for T1 modules on the ProCurve Secure Router.

To configure the frame format, enter the following command from the T1 interface configuration mode context:

Syntax: framing [d4 | esf]

If you want to use the default frame format, ESF, you do not have to enter a command. However, if you want to configure the T1 interface to use D4, enter:

ProCurve(config-t1 1/1)# framing d4


Clock Source, or Timing, for the E1- or T1-Carrier Line

Because data transmission requires hosts to be synchronized, you must configure the clock source, or timing, for the E1 or T1 interface. You can configure the E1 or T1 interface with one of the following clock sources:

■ Line—Use the line setting if the E1 or T1 interface will take the clock source from the public carrier.

■ Internal—Use the internal setting if the E1 or T1 interface will provide the clock for the connection. For example, if you connect the ProCurve Secure Router to another router, one of the routers must provide the clock source. If the local ProCurve Secure Router is providing the clock source, use the internal setting.

■ Through—Use the through setting if you want the E1 or T1 interface to take the clock from the other interface on that module.

Each narrow E1 or T1 module can have only one clock source. If the module has two ports, one port must be set to line or internal; the other port must be set to through.

Each port on the eight-port E1 or T1 module can have its own clock source. You can set the clock source for each port to line.

Table 4-3 shows the default clock source settings for the different ports on the E1 or T1 modules.

Table 4-3. Default Clock Source Settings for E1 and T1 Modules

Module                                  Port    Default Clock Source

One-port E1 or T1 module                1       line

Two-port E1 or T1 module                1       line
                                        2       through

E1 + G.703 module, T1 + DSX-1 module    1       line
                                        2       through

Eight-port module                       1–8     line

Note: On the one-port E1 and T1 modules, the only clock source options are internal and line. This is because when an E1 or T1 line accepts a clock source through setting, the timing must come from another port on the same module.

To configure the clock source, enter the following command from the E1 or T1 interface configuration mode context:

Syntax: clock source [internal | line | through]

For example, to configure the clock source as line, enter:

ProCurve(config-e1 2/1)# clock source line

Note: You cannot connect two interfaces on one module to different service providers because each module can have only one clock source. If you want to use two different service providers, you must purchase two separate modules, or you must purchase the eight-port module.

Transmit Signal Level (T1 Interfaces Only)

With T1 interfaces, you can configure the level of the transmit signal. As the distance between the ends of a T1-carrier line increases, so does attenuation, or loss in signal strength. Long cables (which are defined as cables longer than 655 feet) must send stronger signals and boost these signals with repeaters to overcome attenuation.

When two devices are connected at close proximity, the opposite problem can occur: a strong signal can cause the line to become too “hot.”

The Line Build Out (lbo) command allows the T1 interface to take cable length into account when setting the signal strength. The longer the cable, the stronger the signal needs to be. For short cables, you can set the LBO lower, so that the interface artificially attenuates a T1 output signal, thereby simulating a degraded signal.

There are two commands for configuring LBO:

Syntax: lbo long <value>

Syntax: lbo short <value>

The command you use depends on the distance between the T1 equipment. This distance is measured in cable length. If the cable is longer than 655 feet, you use the lbo long command. If the cable is shorter than 655 feet, you use the lbo short command.

lbo long Command. If you are configuring LBO for a T1 interface connected by a cable that is longer than 655 feet, use the following command:

Syntax: lbo long <value>


Replace <value> with one of the following numbers, which are in decibels (dB):

■ -22.5

■ -15

■ -7.5

■ 0

You should set the LBO to avoid overloading a receiver’s circuits. For sensitive interfaces or for interfaces that are connected with a long cable but separated by a short distance, use the more negative values to prevent the line from becoming too hot. For example, two units in close proximity should be configured for the maximum attenuation of -22.5 dB:

ProCurve(config-t1 1/1)# lbo long -22.5

To configure LBO for a long cable to -7.5, enter:

ProCurve(config-t1 1/1)# lbo long -7.5

The default setting for LBO is 0 dB.

lbo short Command. If the cable that connects the T1 interface is less than 655 feet long, use the following command:

Syntax: lbo short <value>

Replace <value> with the actual length of the cable, in feet, that separates the two devices. You can enter a number between 0 and 655. For example, if the ProCurve Secure Router is 500 feet of cable away from the other device, you would enter:

ProCurve(config-t1 1/1)# lbo short 500

Based on the number of feet between the two units, the ProCurve Secure Router will set an appropriate signal level.

Set the FDL (T1 Interfaces Only)

T1-carrier lines that use the ESF frame format support an out-of-band channel that is used to transmit performance-monitoring and maintenance information about the line. The facility data link (FDL) channel allows the transmission of monitoring and maintenance flags such as the yellow alarm signal.


If used on a T1-carrier line, the FDL channel must conform to one of the following standards:

■ ANSI T1.403 standard

■ ATT TR 54016 standard

By default, the T1 interfaces on the ProCurve Secure Router use the ANSI standard.

If your public carrier tells you to change this setting, use the following command:

Syntax: fdl [ansi | att | none]

For example, to configure FDL to use the ATT standard, enter:

ProCurve(config-t1 1/1)# fdl att

Use the no form of this command to return to the default value.

If your service provider does not use FDL, you should deactivate the FDL channel by entering:

ProCurve(config-t1 1/1)# fdl none

Activate the E1 or T1 Interface

By default, all physical interfaces on the ProCurve Secure Router are shut down. You must activate the E1 or T1 interface. From the E1 or T1 interface configuration mode context, enter:

Syntax: no shutdown

After you enter this command, the status of the interface will change from down to administratively up.

By default, the ProCurve Secure Router displays a message on the CLI when the status of an interface changes. For example, when you enter no shutdown to activate the E1 interface, you receive this message:

INTERFACE_STATUS.e1 1/1 changed state to administratively up


If you have connected the interface to either the wall jack or the external CSU, the interface will try to establish the Physical Layer of the WAN connection. If the E1 or T1 interface successfully establishes that Physical Layer, another message should be displayed:

INTERFACE_STATUS.e1 1/1 changed state to up

or

INTERFACE_STATUS.t1 1/1 changed state to up

These messages are part of the event-history log and can help you quickly determine if an interface is functional. However, you can suppress these messages if, for example, you feel they disrupt your efforts to configure the router. Move to the enable mode context and enter:

ProCurve# no events

To return to the default setting, enter:

ProCurve# events

Note: The events display should not be confused with event-history, which is a collection of all logs of interface events, as well as other logs. To display this information, enter the show event-history command from the global configuration mode context.

If the status of the interface does not change to up, you may need to troubleshoot the connection, as explained in “Troubleshooting E1 and T1 WAN Connections” on page 4-30.

If the interface is up, you must configure the appropriate Data Link Layer protocol for the connection, as described in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
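Because every Physical Layer setting has to match what the public carrier uses, a planned set of commands can be checked before it is typed. The following Python sketch is an added example, not ProCurve software: it folds the commands over the defaults and value ranges given in this section and compares the result with a carrier order sheet. The order-sheet keys, the function names and the sample command lists are hypothetical and constructed for illustration, and only the `<start>-<end>` timeslot form shown in this section is parsed.

```python
import re

# Documented defaults and options for each interface type (from this section).
PROFILE = {
    "e1": {"coding": "hdb3", "codings": {"ami", "hdb3"}, "framing": "e1",
           "framings": {"crc4"}, "max_slot": 31},
    "t1": {"coding": "b8zs", "codings": {"ami", "b8zs"}, "framing": "esf",
           "framings": {"d4", "esf"}, "max_slot": 24},
}
LBO_LONG = {"-22.5", "-15", "-7.5", "0"}


def effective_config(commands, module_ports=1):
    """Fold typed commands over the documented defaults; return (settings, errors)."""
    m = re.fullmatch(r"interface (e1|t1) (\d)/(\d)", commands[0].strip())
    if not m:
        raise ValueError("first command must be: interface <e1|t1> <slot>/<port>")
    kind, port = m.group(1), int(m.group(3))
    prof = PROFILE[kind]
    cfg = {"kind": kind, "coding": prof["coding"], "framing": prof["framing"],
           # Table 4-3: port 2 of a two-port module defaults to through, others to line.
           "clock": "through" if module_ports == 2 and port == 2 else "line",
           "timeslots": None, "speed": 64, "shutdown": True}
    if kind == "t1":
        cfg.update(fdl="ansi", lbo=("long", "0"))
    errors = []
    for raw in commands[1:]:
        line = " ".join(raw.split())
        if t := re.fullmatch(r"tdm-group (\d+) timeslots (\d+)(?:-(\d+))?(?: speed (56|64))?", line):
            group, lo = int(t.group(1)), int(t.group(2))
            hi = int(t.group(3) or lo)
            if not 1 <= group <= 255:
                errors.append(f"tdm-group number {group} is outside 1-255")
            if not 1 <= lo <= hi <= prof["max_slot"]:
                errors.append(f"timeslots {lo}-{hi} are outside 1-{prof['max_slot']} for {kind}")
            cfg["timeslots"], cfg["speed"] = (lo, hi), int(t.group(4) or 64)
        elif c := re.fullmatch(r"(coding|framing) (\w+)", line):
            key, value = c.groups()
            if value in prof[key + "s"]:
                cfg[key] = value
            else:
                errors.append(f"{key} {value} is not an option on {kind}")
        elif line == "no framing crc4" and kind == "e1":
            cfg["framing"] = "e1"
        elif s := re.fullmatch(r"clock source (internal|line|through)", line):
            if s.group(1) == "through" and module_ports == 1:
                errors.append("clock source through needs another port on the same module")
            cfg["clock"] = s.group(1)
        elif kind == "t1" and (lbo := re.fullmatch(r"lbo (long|short) (\S+)", line)):
            mode, value = lbo.groups()
            valid = value in LBO_LONG if mode == "long" else value.isdigit() and int(value) <= 655
            if not valid:
                errors.append(f"lbo {mode} {value} is not a documented value")
            cfg["lbo"] = (mode, value)
        elif kind == "t1" and re.fullmatch(r"fdl (ansi|att|none)", line):
            cfg["fdl"] = line.split()[1]
        elif line in ("shutdown", "no shutdown"):
            cfg["shutdown"] = line == "shutdown"
        else:
            errors.append(f"unrecognised or unsupported command: {line}")
    return cfg, errors


def audit(commands, carrier, module_ports=1):
    """Return findings: invalid values, mismatches with the carrier sheet, inactive port."""
    cfg, findings = effective_config(commands, module_ports)
    for key, wanted in carrier.items():
        if cfg.get(key) != wanted:
            findings.append(f"{key}: router would use {cfg.get(key)!r}, carrier specifies {wanted!r}")
    if cfg["timeslots"] is None:
        findings.append("no tdm-group configured, so no channels are assigned")
    if cfg["shutdown"]:
        findings.append("interface is still shut down (enter no shutdown)")
    return findings


# Constructed carrier order sheet and constructed command lists (not router output).
CARRIER_T1 = {"timeslots": (1, 24), "speed": 64, "coding": "b8zs",
              "framing": "esf", "clock": "line"}
GOOD_T1 = ["interface t1 2/1", "tdm-group 1 timeslots 1-24", "no shutdown"]
BAD_T1 = ["interface t1 2/1", "tdm-group 1 timeslots 1-25", "coding ami",
          "framing d4", "clock source through"]

if __name__ == "__main__":
    for name, cmds in (("GOOD_T1", GOOD_T1), ("BAD_T1", BAD_T1)):
        print(name, audit(cmds, CARRIER_T1) or "matches the carrier sheet")
```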

Threshold Commands

When you configure and activate an E1- or T1-carrier line, line error thresholds are enabled by default. When a threshold is reached, an events notification is displayed on the router’s CLI.


Table 4-4 lists the default settings for line error thresholds.

Table 4-4. Threshold Commands

Setting   Description                         15-Minute Default   24-Hour Default

BES       Bursty Errored Seconds              10                  100
CSS       Controlled Slip Seconds             1                   4
DM        Degraded Minutes                    1                   4
ES        Errored Seconds                     65                  648
LCV       Line Code Violations                13340               133400
LES       Line Errored Seconds                65                  648
PCV       Path Coding Violations              72                  691
SEFS      Severely Errored Framing Seconds    2                   17
SES       Severely Errored Seconds            10                  100
UAS       Unavailable Seconds                 10                  10

To set a line error threshold, enter the following command from the E1 or T1 interface configuration mode context:

Syntax: threshold [BES | CSS | DM | ES | LCV | LES | PCV | SEFS | SES | UAS] [15Min | 24Hr] <number of errors>

Use the 15Min option to set the thresholds for 15-minute intervals. Use the 24Hr option to set the threshold for 24-hour intervals. The time period for these intervals is based on the past 15 minutes or 24 hours at any given moment, not on set 15 minute or 24 hour blocks of time. By default, both 15 minute and 24 hour thresholds are set.

Types of Line Errors

The ProCurve Secure Router reports 10 types of line errors. Each line error type has its own error triggers. Table 4-5 lists the line errors that the ProCurve Secure Router reports and the triggers for each of these line errors.

Table 4-5. Events That Trigger Line Errors

Error Type   Triggers

BES          1-320 Path Coding Violations (PCV)

CSS          Controlled Slip Seconds (CSS)

DM           Bit Error Rate (BER) between .000001 and .001

ES           ESF and CRC4:
               – PCV
               – Out Of Frame (OOF)
               – CSS
               – Alarm Indication Signal (AIS)
             D4 or E1:
               – PCV
               – Out of Frame
               – CSS
               – AIS
               – BPV

LCV          Bipolar Violations (BPVs) and Excessive Zeros (EXZs)

LES          • Seconds with BPVs or EXZs or Loss Of Signal (LOS)
             • Seconds with Line Code Violations (LCVs)

PCV          E1/D4 frame synchronization errors
             CRC4 or ESF checksum error

SEFS         • OOF
             • LOS

SES          • ESF errors:
               – 320+ PCVs
               – OOF
               – AIS
             • CRC errors:
               – Severely Errored Seconds (SES)
               – 832+ PCVs
             • E1 framing 2048+ LCVs
             • D4 errors:
               – Framing error
               – OOF
               – 1544+ LCVs

UAS          • 10+ SESs
             • Line failure + SES

The following is a list of the line errors and a brief description of each.

BES. A Bursty Errored Second (BES) is a one-second time period with between one and 320 Path Coding Violation (PCV) events, no Severely Errored Framing Seconds (SEFS) defects, and no detected incoming Alarm Indication Signal (AIS) defects.

CSS. A Controlled Slip Second (CSS) is a one-second interval containing one or more controlled slips. A controlled slip is the replication or deletion of the payload bits in a DS1 or E1 frame. This problem may be caused by a difference between the timing of the interface sending and the interface receiving the signal.

DM. A Degraded Minute (DM) is a one-minute interval with a bit error rate (BER) that is higher than .000001. The one-minute intervals are derived by removing severely errored seconds (SESs) from the total time and then consecutively grouping the remaining seconds into blocks of 60.

ES. An Errored Second (ES) is a one-second period with one or more errored blocks or bit errors. For T1-carrier lines that use ESF and E1-carrier lines that use CRC4, one of the following occurs during the one-second period:

■ one or more PCVs

■ one or more Out of Frame (OOF) defects (seven or more consecutive errored framing patterns)

■ one or more CSSs

■ an AIS defect

For carrier lines that use D4 and E1 framing, Bipolar Violations (BPVs) also trigger an ES.

LCV. A Line Code Violation (LCV) occurs when a carrier line experiences either BPVs (when using AMI) or excessive zeros (EXZ) (when using HDB3 or B8ZS). A BPV is an error in which an interface receives two pulses of the same polarity without an intervening pulse of the opposite polarity. An EXZ is the occurrence of any zero string length equal to or greater than three for B3ZS or greater than four for HDB3. LCVs usually signal a mismatch in line coding type. For example, the local interface uses AMI, but the remote endpoint uses HDB3.

LES. A Line Errored Second (LES) occurs if one or more of the following are detected in a one-second time interval:

■ LCVs (that is, one or more BPVs or EXZs)

■ LOS

The LES count lists the number that have occurred.

PCV. A PCV is caused by a frame synchronization bit error in a D4 or E1 frame. If a T1-carrier line uses ESF or if an E1-carrier line uses CRC4, a PCV is an error detected by the CRC.

SEFS. The number of seconds during which an OOF or LOS occurred.

SES. For a T1-carrier line using ESF, a Severely Errored Second (SES) is a one-second time interval during which one of the following occurs:

■ 320 or more PCVs

■ one or more OOF defects

■ an AIS

For an E1-carrier line using CRC4, an SES occurs if one of the following is detected during a one-second interval:

■ 832 or more PCVs

■ one or more OOF defects

For a T1-carrier line using D4 frame formatting, an SES is a second with at least one framing error, OOF defect, or 1544 or more LCVs.

For an E1-carrier line, an SES is caused by 2048 or more LCVs in a second.

UAS. Unavailable Seconds (UAS) are calculated by counting the number of seconds that the interface is unavailable. An E1 or T1 interface becomes unavailable after ten contiguous SESs or the onset of the condition that led to the failure. If the condition leading to the failure was immediately preceded by one or more contiguous SESs, then the UAS are counted from the onset of these SESs.


To return a threshold to its default setting, enter this command from the global configuration mode context:

Syntax: no thresholds [BES | CSS | DM | ES | LCV | LES | PCV | SEFS | SES | UAS] [15Min | 24Hr]

For example, to return the 15-minute SES threshold to its default setting of 10, enter:

ProCurve(config)# no threshold SES 15Min

To return all thresholds to their default setting, enter:

ProCurve(config)# no thresholds
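The T1 ESF definitions above and the rolling 15-minute interval can be combined into a small monitor. This Python sketch is an added example, not the router's implementation: the counter field names and the trace are constructed, the alarm is assumed to fire once when a count first reaches its threshold, and a second with 320 or more PCVs is treated as an SES rather than a BES because the two stated ranges overlap at 320. It also contrasts the rolling interval with fixed 15-minute blocks.

```python
from collections import deque

# 15-minute defaults from Table 4-4 for the types classified here.
DEFAULT_15MIN = {"ES": 65, "BES": 10, "SES": 10, "CSS": 1, "SEFS": 2}
WINDOW = 15 * 60  # seconds


def classify_esf_second(pcv=0, oof=0, css=0, ais=False, los=False):
    """Return the error-second types that one second on a T1 ESF line falls into."""
    kinds = set()
    if pcv or oof or css or ais:
        kinds.add("ES")
    if css:
        kinds.add("CSS")
    if oof or los:
        kinds.add("SEFS")
    if pcv >= 320 or oof or ais:
        kinds.add("SES")
    elif pcv >= 1 and "SEFS" not in kinds:
        kinds.add("BES")            # 1 to 319 PCVs, no SEFS defect, no AIS
    return kinds


class SlidingThresholds:
    """Counts each error type over the past `window` seconds, not over fixed blocks."""

    def __init__(self, limits=DEFAULT_15MIN, window=WINDOW):
        self.limits, self.window = dict(limits), window
        self.hits = {kind: deque() for kind in self.limits}
        self.alarmed = set()

    def observe(self, t, kinds):
        """Record second t; return the types whose count has just reached its threshold."""
        raised = []
        for kind, seen in self.hits.items():
            if kind in kinds:
                seen.append(t)
            while seen and seen[0] <= t - self.window:
                seen.popleft()      # older than the rolling interval
            if len(seen) >= self.limits[kind]:
                if kind not in self.alarmed:
                    self.alarmed.add(kind)
                    raised.append(kind)
            else:
                self.alarmed.discard(kind)
        return raised


def run(trace, monitor=None):
    """trace: (second, counters) pairs in time order. Returns [(second, type), ...]."""
    monitor = monitor or SlidingThresholds()
    alarms = []
    for t, counters in trace:
        for kind in monitor.observe(t, classify_esf_second(**counters)):
            alarms.append((t, kind))
    return alarms


def fixed_block_peak(trace, kind, block=WINDOW):
    """Largest count per block if time were cut into fixed blocks (for contrast only)."""
    counts = {}
    for t, counters in trace:
        if kind in classify_esf_second(**counters):
            counts[t // block] = counts.get(t // block, 0) + 1
    return max(counts.values(), default=0)


# Constructed trace: six bad seconds late in one quarter hour, four early in the next.
TRACE = [(t, {"pcv": 400}) for t in list(range(600, 606)) + list(range(1000, 1004))]

if __name__ == "__main__":
    print("rolling interval alarms:", run(TRACE))
    print("worst fixed block SES count:", fixed_block_peak(TRACE, "SES"))
```

On the constructed trace the rolling count reaches the SES default of 10, while neither fixed 15-minute block would.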

Viewing Information about E1 and T1 Interfaces

To view status or configuration information about an E1 or T1 interface, you can use the show commands listed in Table 4-6.

Table 4-6. show Commands

Command
    Explanation

show interfaces
    displays information about all the interfaces—active or inactive—on the ProCurve Secure Router

show interface <interface> <slot>/<port> [realtime | performance-statistics]
    displays information about a specific physical interface

show running-config
    displays all of the settings that you have configured for the ProCurve Secure Router

show running-config verbose
    displays the entire running-config, including the settings that you have configured and the default settings that you have not altered

show running-config interface <interface> <slot>/<port>
    displays the settings that you have configured for a particular physical interface

show running-config interface <interface> <slot>/<port> verbose
    displays the entire running-config for a particular interface, including the settings you configured and the default settings that you have not altered

show interfaces Command

You can use the show interfaces <interface> <slot>/<port> command to view detailed information about the status of the E1 or T1 interface. For example, if you want to view the status of the E1 1/1 interface, enter the following command from the enable mode context:

ProCurve# show interfaces e1 1/1

Figure 4-7 shows the results of this command for an E1 interface. In this example, the E1 interface has been configured, but the Data Link Layer protocol has not.

Figure 4-7. show interface E1

e1 1/1 is UP
  Receiver has no alarms
  E1 coding is HDB3, framing is E1
  Clock source is internal
  No network loopbacks
  Last clearing of counters never
    loss of frame : 1, last occurred 00:01:55
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 0

  Timeslot Status:  01234567890123456789012345678901
                    F-------------------------------
  Status Legend: '-' = Timeslot is unallocated
                 'N' = Timeslot is dedicated (nailed)
                 'F' = Timeslot is dedicated for framing

  Line Status: -- No Alarms --

  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  Current Performance Statistics:
    8 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 2 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    0 Line Code Violations, 8 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

TDM group 1, line protocol is not set
  Encapsulation is not set

Callouts in Figure 4-7:

• Physical Layer is up

• No Data Link Layer protocol is configured.

• Channel assignments are not displayed correctly until the Data Link Layer protocol is configured.

• Settings for line coding, frame format, and clock source


The first line indicates whether the interface is up or down. The second line lists alarms, if there are any. The next two lines show current configurations for line coding, framing, and clock source. For T1 interfaces, the FDL type and the line build out settings are also listed. If the line is in loopback, this information is listed as well.

The channels are listed as a series of digits: for an E1 interface, the channels are listed as 0-9, 0-9, 0-9, and 1. As shown in Figure 4-7, the first channel 0 is reserved for framing. For a T1 interface, the channels are listed as 1-9, 0-9, and 0-4.

Underneath the digits, a series of Ns or dashes indicates how the channels are being used. Channels marked with N are dedicated to the E1- or T1-carrier line. Channels that are marked by a dash (-) are not being used.

Although the E1 interface shown in Figure 4-7 has been configured to use channels 1-31, these channels do not appear to be allocated to the line. The channel assignment is not displayed correctly until you properly configure the Data Link Layer protocol. After the protocol is configured for the E1 or T1 interface, the show interfaces command will indicate that the channels are allocated. (For more information, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.)

If you are configuring an E1 interface for an E1 + G.703 module, the channels that you do not allocate to the E1 interface are marked with a D and are allocated to the G.703 interface. Likewise, if you are configuring a T1 interface for a T1 + DSX-1 module, the channels that you do not assign to the T1 interface are marked with a D and allocated to the DSX-1 module.

Note: By default, all channels are allocated to the G.703 or DSX-1 interface until you change this configuration. For more information about allocating channels to the G.703 or DSX-1 interface, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.

As Figure 4-7 shows, the section under the channel assignment displays the line status and informs you of any alarms.

show running-config Command

To check all of the settings that have been entered for the E1 or T1 interface, enter the following command:

Syntax: show running-config


This command displays the configuration that you have entered for the entire router. You must then scroll through the running-config until you locate the appropriate E1 or T1 interface.

To save time, you can enter the following command from the enable mode context:

Syntax: show running-config interface <interface> <slot>/<port>

For example, if you want to display the commands that you have entered for the E1 1/1 interface, enter:

ProCurve# show running-config interface e1 1/1

Figure 4-8 shows the output for a sample network.

Figure 4-8. show running-config <interface> <slot>/<port>

According to this display, the network administrator has entered only three commands for this E1 interface:

ProCurve(config-e1 1/1)# clock source internal
ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31
ProCurve(config-e1 1/1)# no shutdown

show running-config verbose Command

To view all of the settings—the commands you have entered and the default settings—for an interface, enter the following command from the enable mode context:

Syntax: show running-config interface <interface> <slot>/<port> verbose

For example, to view all of the settings for the E1 1/1 interface, enter:

ProCurve# show running-config interface e1 1/1 verbose

Figure 4-9 shows the verbose output for a sample network. Compare this output with the output shown in Figure 4-8.

Figure 4-8 output:

interface e1 1/1
  clock source internal
  tdm-group 1 timeslots 1-31 speed 64
  no shutdown

This output shows only the commands that you have manually entered.


Figure 4-9. show running-config <interface> <slot>/<port> verbose

Troubleshooting E1 and T1 WAN Connections

Troubleshooting problems with WAN connections is a two-step process:

1. Check the Physical Layer:

a. Check whether the E1 or T1 interface is up or down.

b. Check for alarms.

c. Check the configurations to ensure that you are using the correct settings.

d. Check the cabling and the connections.

2. Check the logical layer:

a. Check to ensure that a Data Link Layer protocol has been defined and is bound to the E1 or T1 interface.

b. Check the configurations to ensure that you are using the correct settings.

This chapter provides information about troubleshooting the Physical Layer. For information about troubleshooting the Data Link Layer, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Figure 4-9 output:

interface e1 1/1
  description
  no framing crc4
  clock source internal
  coding hdb3
  lbo long 0
  remote-loopback
  sa4tx-bit 0
  loop-alarm-detect
  remote-alarm rai
  alias
  snmp trap link-status
  no ts16
  no shutdown

Callout for no framing crc4: This is the default setting; the E1-carrier line is using the E1 frame format.


You should start by troubleshooting the physical interface because it must be up before the logical connection can be established. You can quickly check the LEDs on the front of the ProCurve Secure Router to determine the status of a physical interface. Locate the LED that corresponds to the slot in which the E1 or T1 module is installed. (See Figure 4-10.)

Figure 4-10. Use the Stat LED to Check the Status of a Physical Interface

Table 4-7 shows the possible color of the stat LED, lists the meaning, and outlines the action you might take next.

Table 4-7. Check the LEDs


Color: No light
Meaning: No module is installed, or the interface is not activated.
Action:
• Ensure you are checking the LED for the slot in which the E1 or T1 module is installed.
• Enter the show interface <interface> <slot>/<port> command to determine if you need to activate the interface.
• If the line is administratively down, enter no shutdown.

Color: Red
Meaning: Interface is activated, but there are alarms.
Action:
• Use the show interface <interface> <slot>/<port> command to determine what alarms are being reported.
• Check the configuration.
• Check the connections and the cable itself.

Color: Yellow
Meaning: The interface is in loopback mode.
Action:
• Cancel the loopback, or call your public carrier and ask for the loopback to be canceled.

Color: Green
Meaning: The Physical Layer is up.
Action:
• Enter the show interface <interface> <slot>/<port> command to ensure that you have configured the correct Data Link Layer protocol for the line.
• Ensure that you have configured the correct channels for the connection.
• Check the status of the logical interface and follow the troubleshooting steps for the protocol you are using.


The color of the lights and a more detailed explanation are provided below.

No Light

If no light appears, ensure that you are checking the LED that corresponds to the slot in which the E1 or T1 module is installed, as shown in Figure 4-10.

Next, view the status of the E1 or T1 interface by entering:

ProCurve# show interfaces <interface> <slot>/<port>

If the E1 or T1 interface is administratively down, move to the appropriate interface configuration mode context and enter no shutdown. For example, you might enter:

ProCurve(config-e1 1/1)# no shutdown

The status of the interface should change.

Red Light

If the LED is red, the interface is administratively up, but it is receiving alarms. View the status of the interface by entering:

ProCurve# show interface <interface> <slot>/<port>

Note any alarms that are being reported. (See Figure 4-11.)


Figure 4-11. Using the show interfaces Command to Troubleshoot Problems

The most common alarms and some possible solutions are listed in Table 4-8.

Figure 4-11 output:

e1 1/1 is DOWN
  Encapsulation is not set
  Transmitter is sending remote alarm
  Receiver has loss of signal, loss of frame
  E1 coding is HDB3, framing is E1
  Clock source is internal
  No network loopbacks
  Last clearing of counters never
    loss of frame : 1, current duration 00:00:54
    loss of signal : 1, current duration 00:00:53
    AIS alarm : 0
    Remote alarm : 0

  Timeslot Status:  01234567890123456789012345678901
                    FNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  Status Legend: '-' = Timeslot is unallocated
                 'N' = Timeslot is dedicated (nailed)
                 'F' = Timeslot is dedicated for framing

  Line Status: -- LOS -- LOF -- Tx LOF --

  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  Current Performance Statistics:
    10 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 56 Severely Errored Frame Seconds
    56 Unavailable Seconds, 0 Path Code Violations
    1 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

TDM group 1, line protocol is DOWN
  Encapsulation PPP (ppp 1)
  0 packets input, 0 bytes, 0 no buffer
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame
  0 abort, 0 discards, 0 overruns

Callouts in Figure 4-11:

• If the interface is down, look for reported alarms

• Check configuration settings: line coding and framing


Table 4-8. Alarms and Their Possible Causes

Alarm: LOS (loss of signal)
Possible Cause:
• You may be using a different type of line coding than that used by the public carrier.
• The cable connection may be loose.
• The cable may be bad.
Possible Solutions:
• Check all the settings, including the setting for line coding.
• Check the connections to ensure that the cable is plugged securely into the E1 or T1 port on one end and the CSU or wall-jack at the other end.
• Substitute a different cable.

Alarm: LOF (loss of frame)
Possible Cause:
• You may be using a different type of frame format than that used by the public carrier.
• The cable connection may be loose.
• The cable may be bad.
Possible Solutions:
• Check the setting for frame format.
• Check the connections to ensure that the cable is plugged securely into the E1 or T1 port on one end and the CSU or wall-jack at the other end.
• Substitute a different cable.

Check the Configuration. Review your configuration and ensure that you have entered the settings that match those used by your public carrier. In addition to checking the line coding and frame format, check:

■ channels dedicated, or “nailed,” to the interface

■ clock source

■ line protocol, or the Data Link Layer protocol

Resolve any problems, such as incompatible line coding or loss of synchronization due to conflicting clock sources. If a line protocol is not listed, you must configure a logical interface (the Data Link Layer), and then you must bind the E1 or T1 interface to that logical interface.

Check the Hardware. If the configuration of the E1 or T1 interface appears to be correct, but the E1 or T1 interface is still down, examine the hardware. Is the cable attached correctly? Is the cable bad? Use a different cable to see if this makes a difference. Try looping the signal back through the interface to determine whether the source of the problem is the interface on the ProCurve Secure Router or the other end of the link.

Yellow Light

If one of the IT staff initiated a loopback test, enter the appropriate command to cancel it. From the E1 or T1 interface configuration mode context, enter:

E1 Syntax: no loopback remote

T1 Syntax: no loopback remote [line {fdl | inband} | payload]

E1 and T1 Syntax: no loopback network [line | payload]

If the loopback was not initiated on the ProCurve Secure Router, your public carrier is testing the line. Call your public carrier to have the loopback canceled or to determine the reason for the loopback test.

Green Light

If the stat LED for the physical interface is green but the WAN connection is down, you should still check the configuration for the E1 or T1 interface. In some cases, the physical connection may be established even though there is a problem with the configuration.

For example, the router and the public carrier’s equipment may be able to establish the Physical Layer connection even though the channels configured on the E1 or T1 interface do not match the channels that the public carrier has configured for the connection. When the Data Link Layer protocol tries to establish its connection, however, the connection fails. Although the problem appears to be with the Data Link Layer, it is actually a configuration problem with the E1 or T1 interface.

If the E1 or T1 interface is up and the configuration appears to be correct, you should begin troubleshooting the logical interface. For tips on troubleshooting PPP, Frame Relay, or High-Level Data Link Control (HDLC), see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.
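The Physical Layer checks described in this troubleshooting section can be run against a saved show interfaces capture. The following is an added example, not part of the original guide or of ProCurve software: the function names, the CARRIER dictionary, and both sample captures (with their assumed line breaks) are constructed for illustration.

```python
import re

# Constructed captures laid out like Figures 4-7 and 4-11 (line breaks assumed).
SAMPLE_UNBOUND = """\
e1 1/1 is UP
  Receiver has no alarms
  E1 coding is HDB3, framing is E1
  Clock source is internal
  Timeslot Status:  01234567890123456789012345678901
                    F-------------------------------
  Line Status: -- No Alarms --
TDM group 1, line protocol is not set
"""

SAMPLE_DOWN = """\
e1 1/1 is DOWN
  Receiver has loss of signal, loss of frame
  E1 coding is HDB3, framing is E1
  Clock source is internal
  Timeslot Status:  01234567890123456789012345678901
                    FNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
  Line Status: -- LOS -- LOF -- Tx LOF --
TDM group 1, line protocol is DOWN
  Encapsulation PPP (ppp 1)
"""

# Assumed values; in practice these come from the public carrier.
CARRIER = {"coding": "hdb3", "framing": "e1", "clock": "internal",
           "channels": list(range(1, 32))}


def _find(pattern, text, default=None):
    """Return the captured groups of the first match, or a default."""
    m = re.search(pattern, text, re.M)
    return m.groups() if m else default


def parse_show_interface(text):
    """Extract the Physical Layer fields the troubleshooting steps rely on."""
    head = _find(r"^\s*(e1|t1) (\d+/\d+) is (.+)$", text)
    if head is None:
        raise ValueError("not an E1/T1 'show interfaces' capture")
    info = {"type": head[0], "port": head[1], "state": head[2].strip()}
    info["coding"], info["framing"] = _find(
        r"coding is (\w+), framing is (\w+)", text, (None, None))
    clock = _find(r"Clock source is ([^,\n]+)", text, (None,))[0]
    info["clock"] = clock.strip() if clock else None
    status = _find(r"Line Status:(.*)$", text, ("",))[0]
    info["alarms"] = [a.strip() for a in status.split("--")
                      if a.strip() and a.strip() != "No Alarms"]
    # Channel map: a row of digits, then one flag per channel underneath.
    info["channels"] = []
    tmap = _find(r"(?:Timeslot|DS0) Status:\s*(\d+)\s+([-NFD]+)", text)
    if tmap and len(tmap[0]) == len(tmap[1]):
        first = int(tmap[0][0])  # E1 rows start at channel 0, T1 rows at 1
        info["channels"] = [first + i for i, flag in enumerate(tmap[1])
                            if flag == "N"]
    proto = _find(r"line protocol is (.+)$", text, (None,))[0]
    info["line_protocol"] = proto.strip() if proto else None
    return info


def physical_layer_findings(info, expected):
    """Apply the checks in the guide's order: state, alarms, settings, channels."""
    findings = []
    if info["state"] != "UP":
        findings.append(f"interface is {info['state']}")
    findings += [f"alarm reported: {alarm}" for alarm in info["alarms"]]
    for key in ("coding", "framing", "clock"):
        seen = (info[key] or "").lower()
        if seen != expected[key].lower():
            findings.append(
                f"{key} is {seen or 'unknown'}, carrier expects {expected[key]}")
    if info["line_protocol"] in (None, "not set"):
        # The channel map is not displayed correctly until a Data Link Layer
        # protocol is configured, so channels are not compared in this state.
        findings.append("no Data Link Layer protocol is bound to the interface")
    elif info["channels"] != expected["channels"]:
        findings.append("nailed channels differ from the carrier's channel list")
    return findings


if __name__ == "__main__":
    for capture in (SAMPLE_UNBOUND, SAMPLE_DOWN):
        parsed = parse_show_interface(capture)
        print(parsed["type"], parsed["port"],
              physical_layer_findings(parsed, CARRIER))
```

The channel comparison is skipped while no line protocol is set, because the timeslot map cannot be trusted in that state.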

Viewing Performance Statistics

The show interface command provides two options for physical interfaces:

■ performance-statistics

■ realtime

The performance-statistics option displays interval snapshots of errors occurring on the connection. You can view snapshots of all 15-minute intervals in the past 24 hours, or you can specify that the Secure Router OS display:

■ a summary of the total statistics over the last 24 hours

■ a specific 15-minute interval or a range of specific intervals

To view performance statistics, enter:

Syntax: show interfaces <interface> <slot>/<port> performance-statistics [Total-24-hour | <range of intervals>]


For example, to view performance statistics accumulated on the T1 1/1 interface over all 15-minute intervals in the past 24 hours, enter:

ProCurve# show interfaces t1 1/1 performance-statistics

To view only certain 15-minute intervals, replace <range of intervals> with numbers between 1 and 96. The intervals are numbered from the interval that occurred 24 hours earlier (1) to the present interval (96). For example, enter:

ProCurve# show interface t1 1/1 performance-statistics 32-34

Figure 4-12 shows the output for a T1 interface that is experiencing no errors.

Figure 4-12. Viewing Performance Statistics for a Physical Interface

To end the output, enter Ctrl+C.

To view the output for the show interfaces command in real-time, enter:

Syntax: show interface <interface> <slot>/<port> realtime

For example, to view real-time information for the T1 1/1 interface, enter:

ProCurve# show interface t1 1/1 realtime

Figure 4-13 shows the type of information that is displayed.

Figure 4-12 output:

Interval 32 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 33 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 34 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes


Figure 4-13. Viewing the show interfaces Output in Real-Time

To end the output and return to troubleshooting the router, enter Ctrl+C.
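The interval numbering used by performance-statistics (1 is the interval from 24 hours earlier, 96 is the present interval) can be applied to a saved capture to find when errors occurred. The following is an added example, not part of the original guide: the function names are hypothetical and the sample capture is constructed, with interval 33 given nonzero counters.

```python
import math
import re

# Constructed capture in the layout of Figure 4-12; interval 33 carries errors.
SAMPLE = """\
Interval 32 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 33 Performance Statistics:
  3 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  2 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
Interval 34 Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  0 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes
"""

INTERVALS = 96   # 24 hours of 15-minute intervals; 96 is the present interval
MINUTES = 15

HEADER = re.compile(
    r"^[ \t]*Interval (\d+) Performance Statistics:[ \t]*$", re.M)
COUNTER = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)[ \t]*(?:,|$)", re.M)


def parse_intervals(text):
    """Map each interval number to its {counter name: value} dictionary."""
    parts = HEADER.split(text)   # ['', '32', body, '33', body, ...]
    stats = {}
    for number, body in zip(parts[1::2], parts[2::2]):
        n = int(number)
        if not 1 <= n <= INTERVALS:
            raise ValueError(f"interval {n} is outside 1-{INTERVALS}")
        stats[n] = {name: int(value) for value, name in COUNTER.findall(body)}
    return stats


def intervals_with_errors(stats):
    """Return (interval, nonzero counters) pairs in interval order."""
    hits = []
    for n in sorted(stats):
        nonzero = {name: value for name, value in stats[n].items() if value}
        if nonzero:
            hits.append((n, nonzero))
    return hits


def start_offset_minutes(n):
    """Minutes from the start of interval n to the start of the present one."""
    if not 1 <= n <= INTERVALS:
        raise ValueError(f"interval {n} is outside 1-{INTERVALS}")
    return (INTERVALS - n) * MINUTES


def range_covering_last(minutes):
    """Build a <range of intervals> value covering at least the last `minutes`."""
    # The present interval (96) is only partly elapsed, so one more whole
    # interval than minutes/15 is included to be sure the window is covered.
    first = max(1, INTERVALS - math.ceil(minutes / MINUTES))
    return f"{first}-{INTERVALS}"


if __name__ == "__main__":
    for interval, counters in intervals_with_errors(parse_intervals(SAMPLE)):
        print(f"interval {interval} began {start_offset_minutes(interval)} "
              f"minutes before the present interval: {counters}")
    print("range for the last two hours:", range_covering_last(120))
```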

Quick Start

This section provides the commands you must enter to quickly configure an E1 or T1 interface on the ProCurve Secure Router. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 4-1 to locate the section and page number that contains the explanation you need.

Figure 4-13 output:

--------------------------------------------------------------------
t1 1/1 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 1/2, FDL type is ANSI
  Line build-out is 0dB
  No remote loopbacks, No network loopbacks
  Acceptance of remote loopback requests enabled
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 1, last occurred 00:10:27
    loss of signal : 1, last occurred 00:10:41
    AIS alarm : 0 40
    Remote alarm : 0

  DS0 Status:  123456789012345678901234
               NNNNNNNNNNNNNNNNNNNNNNNN
  Status Legend: '-' = DS0 is unallocated
                 'N' = DS0 is dedicated (nailed)

  Line Status: -- No Alarms --
(OUTPUT TRUNCATED)
--------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'

Callout in Figure 4-13: Instructions for pausing or ending the output


Configuring an E1 or T1 Interface

Before you begin to configure an E1 or T1 interface, you should know the settings that you must enter for the following:

■ number of channels used

■ line coding

■ frame format

■ clock source

Your public carrier should provide you with this information.

To configure the E1 or T1 interface, complete these steps:

1. If you are configuring an E1 interface, use unshielded twisted pair (UTP) cabling with RJ-48C connectors to connect the E1 port on the ProCurve Secure Router to the external CSU provided by your public carrier. If you are configuring a T1 interface, use UTP cabling with RJ-48C connectors to connect the T1 port to the wall jack provided by your public carrier.

2. Establish a terminal session with the ProCurve Secure Router. You are automatically at the basic mode context.

ProCurve>

3. Move to the enable mode context. If you have configured a password for the enable mode context, enter the password.

ProCurve> enable
Password:

4. Move to the global configuration mode context.

ProCurve# configure terminal

5. Move to the E1 or T1 interface configuration mode context.

Syntax: interface <interface> <slot>/<port>

For example, if you are configuring a one-port E1 or T1 module that is installed in slot one, enter:

ProCurve(config)# interface e1 1/1

or

ProCurve(config)# interface t1 1/1

6. Create a TDM group and assign it the number of channels used for this connection.

Syntax: tdm-group <number> timeslots <range of numbers>


For example, to assign the E1 or T1 interface all the channels, enter:

ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31

or

ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-24

7. Configure the line coding. For E1 interfaces, use the following syntax:

Syntax: coding [ami | hdb3]

ProCurve(config-e1 1/1)# coding ami

HDB3 is the default setting for E1 interfaces.

For T1 interfaces, use the following syntax:

Syntax: coding [ami | b8zs]

ProCurve(config-t1 1/1)# coding ami

B8ZS is the default setting for T1 interfaces.

8. Configure the frame format for the E1- or T1-carrier line. For E1-carrier lines, use the following syntax:

Syntax: framing crc4

If your public carrier is using E1 framing format, do not enter a framing command. E1 framing is the default setting for E1 interfaces. If your PTT is using CRC4, change the frame format.

ProCurve(config-e1 1/1)# framing crc4

If you need to change the frame format back to E1, enter:

ProCurve(config-e1 1/1)# no framing crc4

For T1 interfaces, use the following syntax to configure the framing:

Syntax: framing [d4 | esf]

ProCurve(config-t1 1/1)# framing d4

The default setting for T1 framing is ESF.

9. Configure the clock source setting.

Syntax: clock source [internal | line | through]

ProCurve(config-e1 1/1)# clock source line

or

ProCurve(config-t1 1/1)# clock source line


Table 4-9 shows the default settings for the clock source on each type of E1 or T1 module.

Table 4-9. Default clock source settings for E1 and T1 modules

Module | Port | Default Clock Source
One-port E1 or T1 module | 1 | line
Two-port E1 or T1 module | 1 | line
Two-port E1 or T1 module | 2 | through
E1 + G.703 module, T1 + DSX-1 module | 1 | line
E1 + G.703 module, T1 + DSX-1 module | 2 | through
Eight-port module | 1–8 | line

10. For T1 interfaces only, configure the line build out (lbo). If the cable connecting the T1 interface to the wall jack is longer than 655 feet, use the following lbo command:

Syntax: lbo long <value>

Replace <value> with one of the following numbers, which are in decibels (db):

• -22.5

• -15

• -7.5

• 0

If the cable connecting the T1 interface to the wall jack is shorter than 655 feet, use the following lbo command:

Syntax: lbo short <value>

Replace <value> with the actual number of feet. For example, if the cable is 100 feet, enter:

ProCurve(config-t1 1/1)# lbo short 100

11. Activate the interface.

ProCurve(config-e1 1/1)# no shutdown

or

ProCurve(config-t1 1/1)# no shutdown


12. View the status of the E1 or T1 interface.

ProCurve(config-e1 1/1)# do show interface e1 1/1

or

ProCurve(config-t1 1/1)# do show interface t1 1/1

Note: The do command enables you to enter enable mode commands (such as show commands) from any context.

By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the E1 or T1 connection, however. When the connection goes up, the ProCurve Secure Router displays another message at the command line interface (CLI), reporting that the line is up. If you want to disable this reporting function, enter no events from the enable mode context.

You must now configure the Data Link Layer protocol for the E1 or T1 interface. For information about configuring this protocol, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.


5

Configuring Serial Interfaces for E1- and T1-Carrier Lines

Contents

Using the Serial Module for E1- or T1-Carrier Lines
Elements of an E1- or T1-Carrier Line
Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop
External or Built-in CSU/DSU
Serial Module for the ProCurve Secure Router
Standards Supported by the Serial Module
Serial Interface: Configuring the Physical Layer
Making the Physical Connection
Serial Interface Configuration Mode Context
Configuring the Interface for the Appropriate Cable
Configuring the Clock Source
Inverting et-clock
Inverting txclock or rxclock
Activating the Serial Interface
Configuring the Data Link Layer Protocol
Viewing Information about the Serial Interface
show interfaces serial Command
show running-config interface Command
View All the WAN Connections Configured on the Router
Troubleshooting a Serial Connection
Checking the LED for the Serial Module
No Light
Red Light
Yellow Light
Green Light
Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down
Quick Start
Configure a Serial Interface


Using the Serial Module for E1- or T1-Carrier Lines

When companies require dedicated, secure point-to-point wide area network (WAN) connections, one of the available solutions is a leased E1- or T1-carrier line. With an E1- or T1-carrier line, the connection is always active. Because there is no dial-up process, data can be immediately transmitted at any time.

In Europe, Australia, South America, and Asia, Public Telephone and Telegraph (PTT) authorities offer E1-carrier lines, which provide 2.048 Mbps bandwidth. In the United States, Canada, and in some areas of Japan, telcos offer T1-carrier lines, which provide 1.544 Mbps bandwidth.

Note: In Japan, PTTs offer T1-carrier lines and sometimes E1-carrier lines for data. For traditional analog voice, these PTTs offer J1-carrier lines. (J1 lines are outside the scope of this Basic Configuration and Management Guide.)

Elements of an E1- or T1-Carrier Line

All WAN connections, including E1- and T1 carrier lines, consist of three basic elements:

■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection

■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media

■ Data Link Layer protocols, which provide logical flow control for moving data between the peers (the devices at either end of a WAN connection)

Physical transmission media and electrical specifications are part of the Physical Layer (or Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (or Layer 2). (See Figure 5-1.)


Figure 5-1. Physical and Data Link Layers of the OSI Model

When you configure the ProCurve Secure Router to support an E1 or T1 WAN connection, you must configure:

■ the Physical Layer

■ the Data Link Layer, which is also called the logical layer

Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop

In the United States and Canada, the network that provides the infrastructure for T1-carrier lines is called the public switched telephone network (PSTN). In all other countries, PTT authorities provide the infrastructure for WAN connections.

When you lease an E1- or T1-carrier line, your LAN must be connected to the public carrier’s nearest central office (CO). All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. Because the CO may be located miles away from your premises, this telecommunications infrastructure may include repeaters, as well as switches, cable, and connectors. (See Figure 5-2.)

Figure 5-1 contents (OSI model layers):

7 Application Layer
6 Presentation Layer
5 Session Layer
4 Transport Layer
3 Network Layer
2 Data Link Layer: PPP, Frame Relay, HDLC
1 Physical Layer: E1- and T1-carrier lines


Figure 5-2. Local Loop

All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design. (See Figure 5-2.) These components are listed below:

■ CSU/DSU—The Channel Service Unit/Digital Service Unit (CSU/DSU) has two purposes: The DSU accepts traffic from the router and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. The CSU then generates the signal to be sent across the WAN (or regenerates the signal for transmission across the LAN).

■ Demarc—A line of demarcation, or demarc, separates your wiring and equipment from the public carrier’s wiring and equipment. As a general rule, you own, operate, and maintain the wiring and equipment on your side of the demarc, and the public carrier owns, operates, and maintains the wiring and equipment on its side of the demarc.

■ Network interface unit (NIU)—The NIU automatically maintains the WAN connection and enables public carrier employees to perform simple management tasks from a remote location. The NIU is usually located outside the subscriber’s premises so that public carrier employees can always access it. In the United States and Canada, the NIU is commonly referred to as the smart jack.

■ Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is still the most common physical transmission medium used on the local loop. Because copper wire has a limited capacity to carry signals, local loops that use copper wire are the slowest, least capable component of the WAN connection.


■ Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used. For example, for a T1 connection over unshielded twisted pair (UTP) wiring, the distance between repeaters is one mile or less.

■ Office channel unit (OCU)—Located at the CO, the OCU performs the same function at the public carrier’s site that the CSU performs at each subscriber’s site: it generates the signal to be sent—either to a subscriber’s premises or to the public carrier network.

Although you will never see most of these components, having a basic understanding of the local loop can help you work with your public carrier to troubleshoot problems if your E1- or T1-carrier line ever goes down.

In addition, two of these components directly affect your E1 or T1 WAN connection: the demarc and the CSU/DSU. The demarc determines for which part of the E1 or T1 WAN connection you are responsible. Again, this becomes important if your E1- or T1-carrier line ever goes down and you have to work with the public carrier to identify and fix the problem.

The CSU/DSU is important because its form and design determine not only which ProCurve Secure Router module you purchase but also which settings you must configure for the E1- or T1-carrier line.

External or Built-in CSU/DSU

Your public carrier determines the type of CSU/DSU that will be used for your WAN connection. There are three options:

■ The public carrier provides the CSU/DSU and installs it on your premises.

■ The public carrier provides the CSU but not the DSU.

■ The public carrier does not provide the CSU/DSU.

In Europe, Australia, South America, and Asia (except Japan), the PTT authority will provide either the entire CSU/DSU or just the CSU. In the United States and Canada, public carriers will either provide the entire CSU/DSU, or they will not provide either the CSU or the DSU.


Serial Module for the ProCurve Secure Router

The ProCurve Secure WAN serial modules are used when the public carrier provides an external CSU/DSU for an E1- or T1-carrier line. (See Figure 5-2 on page 5-5.) ProCurve Networking offers two serial modules:

■ one-port narrow module

■ eight-port, or octal, wide module

If your company is in the United States or Canada and your public carrier does not provide an external CSU/DSU, you must purchase and use a T1 module. If your company is in another country and the public carrier provides only a CSU, you must purchase and use an E1 module. (For instructions on configuring these modules, see Chapter 4: Configuring E1 and T1 Interfaces.)

Standards Supported by the Serial Module

The ProCurve Secure Router serial modules are standards based. Specifically, they support the following standards:

■ U.S. Federal Communications Commission (FCC) Part 15 Class A

■ Norme Européenne EN55022 Class A—EN is also referred to as European Standards.

■ EN55024, EN61000-3-2, EN61000-3-3

■ European Telecommunications Standards Institute (ETSI) TBR 1 and ETSI TBR 2

■ EN60950

■ UL/CUL 60950

■ Australian Standard/New Zealand Standard (AS/NZS) 60950

■ International Electrotechnical Commission (IEC) 60950

■ International Organization for Standardization (ISO) 4903 (X.21)

■ Comité Consultatif International Téléphonique et Télégraphique (CCITT) V.35 Synchronous (V.35)


Serial Interface: Configuring the Physical Layer

Because the external CSU/DSU manages timing, framing, and signaling for the E1- or T1-carrier line, the serial interface does not have to perform these functions. Consequently, you do not need to configure options to control these functions. As a result, the serial interface requires only minimal configuration.

Making the Physical Connection

To connect the serial module to the CSU/DSU, you will need one of the following cables. (See Figure 5-3.)

■ V.35 cable

■ X.21 cable

■ EIA 530 cable

Figure 5-3. The Serial Module Connects Directly to an External CSU/DSU.

The serial module ships with either a V.35 cable or an X.21 cable.

Note: ProCurve Networking does not currently provide an EIA 530 cable.


If you are not sure which type of cable you have, this chapter provides illustrations of the three cable connectors. For example, Figure 5-4 shows the pinouts for ProCurve Networking’s implementation of the V.35 cable connector and lists how each pin is used.

Figure 5-4. ProCurve Networking’s V.35 Cable Connector

V.35: M/34 (“34-pin M-block”) connector pinout

Pin   Signal/Circuit Name
A     Unused
B     Signal Ground
C     RTS_A, Request to Send A
D     CTS_A, Clear to Send A
E     DSR_A, Data Set Ready A
F     DCD_A, Data Carrier Detect A
H     DTR_A, Data Terminal Ready A
J     Unused
K     TM_A, Test Mode A
L     Unused
N     Unused
N     Unused
P     TD_A, Send Data A
R     RD_A, Receive Data A
S     TD_B, Send Data B
T     RD_B, Receive Data B
U     ETC_A, Terminal Timing A
V     RCLK_A, Receive Timing A
W     ETC_B, Terminal Timing B
X     RCLK_B, Receive Timing B
Y     TCLK_A, Send Timing A
AA    TCLK_B, Send Timing B

M, Z, BB through FF, and MM are reserved for future international standardization; HH through LL are reserved for country-specific standards.


Figure 5-5 shows the pinouts for ProCurve Networking’s implementation of the X.21 cable connector and lists how each pin is used.

Figure 5-5. ProCurve Networking’s X.21 Cable Connector

X.21: DB-15 (DA-15) X.27-compatible connector pinout

Pin   Signal/Circuit Name
1     Unused
2     TD_A, Transmit A
3     RTS_A, Request to Send A
4     RD_A, Receive Data A
5     CTS_A, Clear to Send A
6     RCLK_A, Receive Timing A
7     Unused
8     Signal Ground
9     TD_B, Transmit Data B
10    RTS_B, Request to Send B
11    RD_B, Receive Data B
12    CTS_B, Clear to Send B
13    RCLK_B, Receive Timing B
14    Unused
15    Reserved for future international use


If you have an EIA 530 cable that you purchased from another vendor, the ProCurve Secure Router supports it. You can also use Figure 5-6, which shows the pinouts for EIA 530, to create this type of connector.

Figure 5-6. Connector for an EIA 530 Cable

Whichever cable you use, the serial module supports up to 10 Mbps.

EIA 530: DB-25 connector pinout

Pin   Signal/Circuit Name
1     Shield
2     TD_A, Transmitted Data A
3     RD_A, Received Data A
4     RTS_A, Request to Send A
5     CTS_A, Clear to Send A
6     DCR_A, DCE Ready A
7     Signal Ground
8     RLSD_A, Received Line Signal Detector A
9     RSECTC_B, Receiver Signal Element Timing (DCE Source) B
10    RLSD_B, Received Line Signal Detector B
11    TSETT_B, Transmitter Signal Element Timing (DTE Source) B
12    TSETC_B, Transmitter Signal Element Timing (DCE Source) B
13    CTS_B, Clear to Send B
14    TD_B, Transmitted Data B
15    TSETC_A, Transmitter Signal Element Timing (DCE Source) A
16    RD_B, Received Data B
17    RSETC, Receiver Signal Element Timing (DCE Source) A
18    LL, Local Loopback
19    RTS_B, Request to Send B
20    DTR_A, DTE Ready A
21    RL, Remote Loopback
22    DCR_B, DCE Ready B
23    DTR_B, DTE Ready B
24    TSETT_A, Transmitter Signal Element Timing (DTE Source) A
25    TM, Test Mode


Serial Interface Configuration Mode Context

To begin configuring the serial interface for the E1 or T1 connection, you must access the appropriate configuration mode context. In the ProCurve Secure Router command line interface (CLI), move to the global configuration mode context and enter:

Syntax: interface serial <slot>/<port>

On the ProCurve Secure Router, the interface for each physical port is identified by its slot number and port number. The possible slot numbers for the serial module are:

■ 1 = dl narrow option module slot 1

■ 2 = dl narrow option module slot 2

■ 3 = dl wide option, or octal, module slot 3 (ProCurve Secure Router SR7203dl only)

For narrow option module slots, there is only one possible port number: 1.

For example, if the serial module is in slot 1, enter:

ProCurve(config)# interface serial 1/1

For the octal serial module, eight port numbers are possible. For example, if you are configuring port 6, enter:

ProCurve(config)# interface serial 3/6

After you enter the command, the ProCurve Secure Router prompt should indicate that you are at the serial interface configuration mode context:

ProCurve(config-ser 3/6)#

Configuring the Interface for the Appropriate Cable

Because the V.35, X.21, and EIA 530 connectors transmit and receive signals across different pins, you must configure the serial interface to use the appropriate signaling so that it can communicate with the CSU/DSU. From the serial interface configuration mode context, enter the following command to configure the interface for the appropriate cable:

Syntax: serial-mode [EIA530 | V35 | X21]

For example, if you are using an X.21 cable, enter:

ProCurve(config-ser 1/1)# serial-mode X21

The default setting is V35.


Configuring the Clock Source

The serial interface must have a clock source to synchronize the transmission of data. The clock source for the serial interface is called the external transmit reference clock (et-clock). By default, the source for et-clock is set to txclock, which means that the serial interface takes the clock from the transmit signal.

If you need to configure the clock source for the serial line, enter the following command from the serial interface configuration mode context:

Syntax: et-clock-source <source>

There are two possible sources:

■ txclock, the default setting

■ rxclock, which specifies that the serial interface should take the clock from the receive signal

Your public carrier should tell you which setting to use.

Inverting et-clock

If the cable that connects the serial module to the CSU/DSU is long, it may cause a phase shift in the data transmitted. If this happens, you must invert et-clock by entering:

ProCurve(config-ser 1/1)# invert etclock

After you enter this command, the serial module inverts et-clock in the data stream before transmitting it.

To return et-clock to its default setting, enter:

ProCurve(config-ser 1/1)# no invert etclock

Inverting txclock or rxclock

If the cable that connects the serial module to the CSU/DSU is long, the CSU/DSU may be configured to invert the transmit clock. You must then configure the serial interface so that it can receive the inverted clock. Enter one of the following commands:

Syntax: invert txclock

Syntax: invert rxclock


If you enter the invert txclock command, the serial interface will invert the transmit clock that is taken from the data stream. The serial interface inverts the transmit clock before it transmits a signal.

If you enter the invert rxclock command, the serial interface will look for an inverted receive clock in the data it receives from the CSU/DSU.

Activating the Serial Interface

To activate the serial interface, enter the following command from the serial interface configuration mode context:

ProCurve(config-ser 1/1)# no shutdown

The serial interface should now be activated, and the physical interface should be ready for data transfer.

By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the serial connection, however. When the connection goes up, the ProCurve Secure Router displays another message at the CLI, reporting that the serial interface is up. If you want to disable this reporting function, enter no events from the enable mode context.

Configuring the Data Link Layer Protocol

You must configure the serial interface to use the same Data Link Layer protocol that your public carrier is using. For information about configuring the protocol, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.


Viewing Information about the Serial Interface

You can view information about the E1- and T1-carrier line associated with the serial interface, and you can view the configuration settings that have been entered for the serial interface.

show interfaces serial Command

To view information about the serial interface and the carrier line associated with it, enter the following command from the enable mode context:

Syntax: show interfaces serial <slot>/<port>

You can also use the do command to enter this command from any context (except the basic mode context). For example, from the global configuration mode context, enter:

ProCurve(config)# do show interfaces serial 2/1

This command displays information about the serial interface in slot two. (See Figure 5-7.)

Figure 5-7. show interfaces serial Command

The first line reports the status of the interface. The status will be one of the following:

■ up

■ administratively down

■ down

ser 2/1 is UP, line protocol is UP
  Encapsulation FRAME-RELAY IETF (fr 1)
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=up RTS=up CTS=up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
    4624 packets input, 0 bytes, 0 no buffer
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 701 frame
    8 abort, 0 discards, 0 overruns
    4803 packets output, 0 bytes, 0 underruns

Figure callouts: the first line shows the status of the interface; the Encapsulation line shows the Data Link Layer protocol (logical interface).


If the interface is administratively down, you must enter no shutdown from the serial interface configuration mode context to activate it. If the interface is down, you should begin troubleshooting the problem, as explained in “Troubleshooting a Serial Connection” on page 5-17.
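The status check described in this section can be scripted when several routers have to be reviewed. The following is an added example, not part of the ProCurve documentation: it parses show interfaces serial output (the samples are taken from Figures 5-7 and 5-10 of this chapter, the second abridged) and maps the result onto the chapter's Physical Layer first troubleshooting order. The function names and finding codes are assumptions made for this example.

```python
import re

# Output reproduced from Figure 5-7 of this chapter, one field per line.
SAMPLE_UP = """\
ser 2/1 is UP, line protocol is UP
  Encapsulation FRAME-RELAY IETF (fr 1)
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=up RTS=up CTS=up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
    4624 packets input, 0 bytes, 0 no buffer
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 701 frame
    8 abort, 0 discards, 0 overruns
    4803 packets output, 0 bytes, 0 underruns
"""
# Output reproduced from Figure 5-10 of this chapter (abridged).
SAMPLE_DOWN = """\
ser 2/1 is down, line protocol is DOWN
  Encapsulation is not set
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=down RTS=down CTS=up
    0 input errors, 0 CRC, 0 frame
    0 abort, 0 discards, 0 overruns
"""

ROUTER_LEADS = ("DTR", "RTS")          # transmitted by the router, per this chapter
CSU_DSU_LEADS = ("CTS", "DCD", "DSR")  # received from the CSU/DSU, per this chapter

STATUS_RE = re.compile(
    r"(ser \d+/\d+) is (administratively down|up|down),\s+line protocol is (up|down)",
    re.IGNORECASE)
ENCAP_RE = re.compile(r"Encapsulation\s+(.+?)\s+Transmit clock", re.IGNORECASE | re.DOTALL)
LEAD_RE = re.compile(r"\b(DCD|DSR|DTR|RTS|CTS)=(up|down)\b", re.IGNORECASE)
COUNTER_RE = re.compile(r"(\d+) (input errors|CRC|frame|abort|discards|overruns|underruns)")


def parse_show_interfaces(text):
    """Parse the output whether it is line-broken or flattened onto one line."""
    status = STATUS_RE.search(text)
    if status is None:
        raise ValueError("no 'ser <slot>/<port> is ...' status line found")
    encap = ENCAP_RE.search(text)
    encap_value = encap.group(1).strip() if encap else None
    if encap_value is not None and encap_value.lower() == "is not set":
        encap_value = None
    return {
        "interface": status.group(1).lower(),
        "status": status.group(2).lower(),
        "line_protocol": status.group(3).lower(),
        "encapsulation": encap_value,
        "leads": {name.upper(): state.lower() == "up"
                  for name, state in LEAD_RE.findall(text)},
        "errors": {name: int(value) for value, name in COUNTER_RE.findall(text)},
    }


def triage(parsed):
    """Return (code, advice) pairs: Physical Layer findings first, then logical."""
    if parsed["status"] == "administratively down":
        return [("ADMIN_DOWN", "enter 'no shutdown' from the serial interface context")]
    findings = []
    if parsed["status"] == "down":
        # Only leads explicitly reported as down count; a missing lead is unknown.
        csu_down = [n for n in CSU_DSU_LEADS if parsed["leads"].get(n) is False]
        rtr_down = [n for n in ROUTER_LEADS if parsed["leads"].get(n) is False]
        if csu_down:
            findings.append(("NO_SIGNAL_FROM_CSU_DSU",
                             "check serial-mode, cabling and the CSU/DSU: "
                             + ", ".join(csu_down) + " down"))
        if rtr_down:
            findings.append(("ROUTER_LEADS_DOWN",
                             "review 'show running-config interface serial "
                             "<slot>/<port> verbose': " + ", ".join(rtr_down) + " down"))
        if not csu_down and not rtr_down:
            findings.append(("PHYSICAL_DOWN",
                             "check configuration, cabling and CSU/DSU settings"))
    if parsed["encapsulation"] is None:
        findings.append(("NO_DATA_LINK_PROTOCOL",
                         "define a Data Link Layer protocol and bind it to the interface"))
    elif parsed["status"] == "up" and parsed["line_protocol"] == "down":
        findings.append(("LOGICAL_INTERFACE_DOWN",
                         "troubleshoot the configured Data Link Layer protocol"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_UP, SAMPLE_DOWN):
        state = parse_show_interfaces(sample)
        print(state["interface"], state["status"], triage(state))
```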

show running-config interface Command

To view the configuration for the serial interface, enter the following command from the enable mode context:

Syntax: show running-config interface serial <slot>/<port>

This command displays only the options that you have configured for the serial interface. If you want to view the entire configuration, including the default settings that are being applied to the interface, include the verbose option:

Syntax: show running-config interface serial <slot>/<port> verbose

Figure 5-7 shows the difference between the output of the show running-config interface serial 2/1 command and the show running-config interface serial 2/1 verbose command.

Figure 5-8. show running-config interface serial Commands

ProCurve# show running-config interface serial 2/1
Building configuration...

interface ser 2/1
  no shutdown

(Only one command was entered.)

ProCurve# show running-config interface serial 2/1 verbose
Building configuration...

interface ser 2/1
  description
  et-clock-source txclock
  no ignore dcd
  no invert txclock
  no invert rxclock
  no invert etclock
  serial-mode V35
  alias
  snmp trap link-status
  no shutdown
end

(Displays all the commands that affect the interface—including both default settings and the settings that were entered.)


View All the WAN Connections Configured on the Router

If your ProCurve Secure Router is providing several WAN connections for your company, you may want to view a list of these connections. The show connections command provides a quick view of all the connections on the router. As Figure 5-9 shows, this command lists the logical interface and the physical interface for each connection.

You enter the show connections command from the enable mode context.

Figure 5-9. show connections Command

Troubleshooting a Serial Connection

When you troubleshoot a serial interface, you should isolate the problem to determine if it is a problem with the Physical Layer or the Data Link Layer. Follow this standard process for troubleshooting WAN connections:

1. Check the Physical Layer.

a. Check whether the serial interface is up or down.

b. Check the configurations to ensure that you are using the correct settings.

c. Check the cabling, the connections, and other hardware.

d. Check the CSU/DSU settings and compare these settings against those used for the serial interface.

Figure 5-9 output:

ProCurveSR7203dl#show connections
Displaying all connections...
Conn Id   From     To
-----------------------------------------------------------
1         ppp 1    t1 1/1, tdm-group 1
2         fr 1     t1 3/1, tdm-group 1
3         fr 2     ser 2/1

(Connection 3 is a serial interface with Frame Relay as the Data Link Layer protocol.)


2. Check the logical layer.

a. Check to ensure that a Data Link Layer protocol has been defined and is bound to the serial interface.

b. Check the configurations to ensure that you are using the correct settings.

This chapter explains how to troubleshoot the Physical Layer. For information about the Data Link Layer, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Checking the LED for the Serial Module

To determine the status of the serial interface, you can quickly check the LED for the slot where the serial module is installed. Table 5-1 shows the possible status of the LED, lists the meaning for this status, and outlines the action you might take next.

Table 5-1. Check the LEDs

Color: no light
Meaning: No module is installed, or the interface is not activated.
Action:
• Use the show interfaces serial <slot>/<port> command to determine if you need to activate the interface.
• If the line is administratively down, enter no shutdown.

Color: red
Meaning: Interface is activated, but there are alarms.
Action:
• Use the show interfaces serial <slot>/<port> command to determine what alarms are being reported.

Color: yellow
Meaning: The interface is in loopback mode.
Action:
• Contact the public carrier to cancel the loopback test. Loopback commands are not available from the serial interface configuration mode context.

Color: green
Meaning: The Physical Layer is up.
Action:
• Enter the show interfaces serial <slot>/<port> command to ensure that you have configured the correct protocol for the line. (The protocol is the logical interface.)
• Check the status of the logical interface and follow the troubleshooting steps for the protocol you are using.


No Light

Ensure that you are checking the LED that corresponds to the slot where the serial module is installed. Next, view the status of the serial interface by entering:

ProCurve# show interfaces serial <slot>/<port>

If the serial interface is administratively down, move to the serial interface configuration mode context and enter:

ProCurve(config-ser 1/1)# no shutdown

The status of the interface should change.

Red Light

If the LED is red, the interface is administratively up, but it is receiving alarms. View the status of the serial interface by entering:

ProCurve# show interfaces serial <slot>/<port>

Figure 5-10 shows a serial interface that is down.

Figure 5-10. Using the show interfaces serial Command to Troubleshoot the Serial Interface

Some possible problems and solutions are listed below:

■ The router is not receiving a signal from the CSU/DSU.

• Verify that you have configured the correct serial-mode setting for the cable that you are using. For example, if you are using an X.21 cable, verify that you have configured serial-mode X21 for the interface.

• Check the connections to make sure that the cable is not loose.

Figure 5-10 output:

ser 2/1 is down, line protocol is DOWN
  Encapsulation is not set
  Transmit clock source is TCLK
  DCD=up DSR=up DTR=down RTS=down CTS=up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame
    0 abort, 0 discards, 0 overruns
    0 packets output, 0 bytes, 0 underruns


• If you have an extra X.21, V.35, or EIA 530 cable, try using that cable to connect the serial module to the CSU/DSU.

• Check the LEDs on the CSU/DSU and ensure that it is up. The CSU/DSU may be turned off, or it may have experienced a hardware failure.

■ The serial module is misconfigured.

• Compare the list of settings that you received from your public carrier with the settings configured on the serial module. To view both the settings you have entered and the default settings for the interface, enter the following command. (See Figure 5-11.)

ProCurve# show running-config interface serial <slot>/<port> verbose

• Correct any settings so that the configuration for the serial module matches that used on the CSU/DSU.

Figure 5-11. Viewing the Output for the show running-config interface serial verbose Command

■ The public carrier is experiencing a problem. For example, the carrier line may be down between the CSU/DSU and the CO, or the line may not be properly connected to the CSU/DSU.

• Contact your public carrier. You should be prepared to explain the settings that are configured on the serial interface and to answer questions about the troubleshooting steps you have taken.
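Comparing the carrier's settings with the verbose running configuration, as the list above recommends, is easy to automate. The following is an added example, not part of the ProCurve documentation: it parses the verbose output shown in Figure 5-8, falls back to the defaults this chapter documents when a setting is not displayed, and returns the CLI commands needed to match the carrier's values. The carrier worksheet and the function names are constructed for illustration.

```python
import re

# Verbose output reproduced from Figure 5-8 of this chapter.
SAMPLE_VERBOSE = """\
interface ser 2/1
  description
  et-clock-source txclock
  no ignore dcd
  no invert txclock
  no invert rxclock
  no invert etclock
  serial-mode V35
  alias
  snmp trap link-status
  no shutdown
end
"""

# Constructed carrier worksheet: hypothetical values, for illustration only.
CARRIER_SHEET = {
    "serial-mode": "X21",
    "et-clock-source": "rxclock",
    "invert rxclock": True,
    "invert etclock": False,
    "ignore dcd": False,
}

# Settings that take a value, with the values this chapter documents.
VALUE_OPTIONS = {
    "serial-mode": {"EIA530", "V35", "X21"},
    "et-clock-source": {"txclock", "rxclock"},
}
# Settings that are switched on with the command and off with its "no" form.
TOGGLES = ("invert txclock", "invert rxclock", "invert etclock", "ignore dcd")
# Defaults as given in this chapter; used when the non-verbose output omits a setting.
DEFAULTS = {"serial-mode": "V35", "et-clock-source": "txclock",
            **{toggle: False for toggle in TOGGLES}}


def parse_serial_config(text):
    """Extract the serial settings that are present in running-config output."""
    found = {}
    for key in VALUE_OPTIONS:
        match = re.search(r"\b" + re.escape(key) + r"\s+(\S+)", text)
        if match:
            found[key] = match.group(1)
    for key in TOGGLES:
        match = re.search(r"\b(no\s+)?" + re.escape(key) + r"\b", text)
        if match:
            found[key] = match.group(1) is None  # True unless prefixed by "no"
    return found


def audit(text, expected):
    """Return the commands that bring the interface in line with `expected`."""
    actual = {**DEFAULTS, **parse_serial_config(text)}
    fixes = []
    for key, want in expected.items():
        if key in VALUE_OPTIONS:
            if want not in VALUE_OPTIONS[key]:
                raise ValueError(f"{want!r} is not a documented value for {key}")
            if actual[key] != want:
                fixes.append(f"{key} {want}")
        elif key in TOGGLES:
            if actual[key] != bool(want):
                fixes.append(key if want else f"no {key}")
        else:
            raise ValueError(f"unknown setting: {key}")
    return fixes


if __name__ == "__main__":
    for command in audit(SAMPLE_VERBOSE, CARRIER_SHEET):
        print("ProCurve(config-ser 2/1)# " + command)
```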

Yellow Light

A yellow light indicates a loopback test. Because you cannot initiate a loopback test from the serial interface configuration mode context, you must contact your public carrier to cancel the loopback test or to determine why it was issued.

Figure 5-11 output:

interface ser 2/1
  description
  et-clock-source txclock
  no ignore dcd
  no invert txclock
  no invert rxclock
  no invert etclock
  serial-mode V35
  alias
  snmp trap link-status
  no shutdown


Green Light

If the serial interface is up, you should begin troubleshooting the logical interface. See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down

If the line between the serial module and the CSU/DSU keeps going down, you may want to configure the router to ignore data carrier detected (DCD) signals. Serial cables supported by the ProCurve Secure Router consist of 26 leads. Each lead either:

■ transmits a specific signal from the router to the CSU/DSU

■ receives a specific signal from the CSU/DSU

The router transmits the following signals to the CSU/DSU:

■ data terminal ready (DTR)

■ request to send (RTS)

The router receives these signals from the CSU/DSU:

■ clear to send (CTS)

■ data carrier detected (DCD)

■ data set ready (DSR)

■ test-mode (TM)

Using these signals, the ProCurve Secure Router and the CSU/DSU negotiate data transfer and signal each other to control data flow. If the CSU/DSU drops the CTS signal, the ProCurve Secure Router stops sending data. In turn, if the ProCurve Secure Router must pause incoming data, it drops RTS, and the CSU/DSU holds the data stream until it once again receives RTS.

The ProCurve Secure Router follows set protocols for dealing with inserted and dropped signals. You can, however, reconfigure the router to respond to dropped signals in different ways. For example, by default, when the serial interface loses the DCD signal, it does not attempt to reestablish a connection.

You can configure the serial interface to ignore the DCD status and continue trying to make a connection without the DCD signal. To do so, enter the following command from the serial interface configuration mode context:

ProCurve(config-ser 1/1)# ignore dcd


To return the interface to the default setting, enter:

ProCurve(config-ser 1/1)# no ignore dcd

Quick Start

This section provides the commands you must enter to quickly configure a serial module on the ProCurve Secure Router. Only a minimal explanation is provided.

If you need additional information about any of these options, check “Contents” on page 5-1 to locate the section that contains the explanation you need.

Configure a Serial Interface

To configure a serial interface, complete the following steps:

1. Use a V.35 or X.21 cable to connect the serial module to the external Channel Service Unit/Digital Service Unit (CSU/DSU). (The serial module also supports the EIA 530 cable if you have one available from another vendor.)

2. Establish a terminal session with the ProCurve Secure Router. You are automatically at the basic mode context.

ProCurve>

3. Move to the enable mode context. If you have configured a password for the enable mode context, enter the password.

ProCurve> enable
Password:

4. Move to the global configuration mode context.

ProCurve# configure terminal

5. Move to the serial interface configuration mode context.

Syntax: interface serial <slot>/<port>

ProCurve(config)# interface serial 1/1


6. Configure the interface for the cable that you used to connect the serial module to the CSU/DSU. The default setting is V35.

Syntax: serial-mode [EIA530 | V35 | X21]

For example, to configure the serial interface to use an X.21 cable, enter:

ProCurve(config-ser 1/1)# serial-mode X21

7. Activate the serial interface.

ProCurve(config-ser 1/1)# no shutdown

By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the serial connection, however. When the connection goes up, the ProCurve Secure Router displays another message at the command line interface (CLI), reporting that the line is up. If you want to disable this reporting function, enter no events from the enable mode context.

8. View the status of the serial interface.

ProCurve(config-ser 1/1)# do show interface ser 1/1

Note: The do command enables you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

You must now configure the Data Link Layer protocol for the serial interface as explained in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.


6

Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces

Contents

Configuring the Logical Interface (6-3)
  PPP Overview (6-4)
    Establishing a PPP Connection (6-4)
    Creating a PPP Interface on the ProCurve Secure Router (6-6)
    Configuring an IP Address for the WAN Connection (6-8)
    Activating the PPP Interface (6-10)
    Binding the Physical Interface to the Logical Interface (6-10)
    PPP Authentication (6-11)
    Additional Settings (6-16)
    Settings Explained in Other Chapters (6-18)
  Frame Relay Overview (6-19)
    Packet-Switching Network (6-20)
    Components of a Frame Relay Network (6-21)
    DLCI (6-22)
    Create the Frame Relay Interface (6-23)
    Activate the Frame Relay Interface (6-25)
    Define the Signaling Role (6-25)
    Define the Frame Relay Signaling Type (6-26)
    Configure Frame-Relay Counters (6-26)
    Create the Frame Relay Subinterface (6-28)
    Assign a DLCI to the Frame Relay Subinterface (6-28)
    Configure the IP Address for the WAN Connection (6-29)
    Set the CIR (6-33)
    Set the EIR (6-34)
    Bind the Physical Interface to the Logical Interface (6-35)
    Additional Settings (6-36)
    Settings Explained in Other Chapters (6-38)


  Configuring HDLC as the Data Link Layer Protocol (6-39)
    Create the HDLC Interface (6-39)
    Activate the HDLC Interface (6-41)
    Configure an IP Address for the WAN Connection (6-41)
    Bind the Physical Interface to the Logical Interface (6-43)
    Additional Settings (6-44)
    Settings Explained in Other Chapters (6-46)
Example Networks (6-46)
Checking the Status of Logical Interfaces (6-53)
  View the Status of Interfaces (6-53)
    Viewing the Status of PPP Interfaces (6-53)
    Viewing the Status of Frame Relay Interfaces and Subinterfaces (6-55)
    Viewing the Status of HDLC Interfaces (6-57)
    Viewing Configuration Information (6-57)
Troubleshooting Logical Interfaces (6-58)
  Troubleshooting the PPP Interface (6-58)
    Troubleshooting PPP Authentication (6-62)
  Troubleshooting the Frame Relay Interface (6-65)
  Troubleshooting HDLC (6-69)
Quick Start (6-70)
  PPP (6-70)
  PPP Authentication (6-71)
    Requiring the Peer to Authenticate Itself (6-72)
    Authenticating to a Peer (6-72)
  Frame Relay (6-73)
  HDLC (6-75)


Configuring the Logical Interface

As outlined in Chapter 4: Configuring E1 and T1 Interfaces, all WAN connections—including E1- and T1-carrier lines—require both a Physical Layer and a Data Link Layer. (See Figure 6-1.) The Physical Layer encompasses:

■ the transmission media and other infrastructure required to create and maintain the WAN connection

■ the electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media

The Data Link Layer provides logical flow control for transmitting data between the peers of a WAN connection.

Figure 6-1. Data Link Layer Is Layer 2 in the OSI Model

The ProCurve Secure Router supports the following Data Link Layer protocols for E1, T1, and serial interfaces:

■ Point-to-Point Protocol (PPP), including Multilink PPP (MLPPP)

■ Frame Relay, including Multilink Frame Relay (MLFR)

■ High-Level Data Link Control (HDLC)

For more information about MLPPP and MLFR, see the Advanced Management and Configuration Guide, Chapter 2: Increasing Bandwidth.

[Figure 6-1: OSI layers 1 through 7 (Physical, Data Link, Network, Transport, Session, Presentation, Application). E1, T1, or serial is shown at the Physical Layer; PPP, Frame Relay, and HDLC are shown at the Data Link Layer.]


PPP Overview

PPP is a suite of protocols, rather than just a single protocol. (See Figure 6-2.) The PPP suite includes several types of protocols:

■ link control protocol (LCP)

■ authentication protocols

■ network control protocols (NCPs)

■ PPP

Each type of protocol has a specific role in establishing and maintaining a PPP connection.

Figure 6-2. Protocols in the PPP Suite

Establishing a PPP Connection

When two peers try to establish a PPP connection, they must exchange protocols in the following order:

1. LCP

2. Authentication protocol

3. NCP

4. PPP

[Figure 6-2 groups the protocols in the PPP suite as follows. Link Control Protocols: LCP, LQR, DTP, LEX, BAP. Authentication Protocols: PAP, CHAP, EAP. Network Control Protocols: IPCP, BCP, ECP, CSCP, LLDPCP, LEXCP, ATCP, CCP, BACP, SNACP, SDCP, IPXCP. PPP. In the original figure, the protocols that the ProCurve Secure Router supports are underlined.]


Exchanging an authentication protocol is optional.

Understanding how a PPP session is established can help you troubleshoot problems if they occur. (See Figure 6-3.)

Figure 6-3. Establishing a PPP Link

Link Establishment. Two PPP peers exchange LCP frames to establish, configure, and test the WAN link. These frames allow the peers to determine if the link can accommodate the data they want to transfer. The LCP frames also contain a field called the configuration option. Configuration options inform the peer of the desired settings for the link, such as the size of the PPP datagrams that will be sent and their degree of compression.

The two peers negotiate these settings. If the LCP frames do not contain a particular configuration option field, the peers use the default configuration for that option.

Authentication Protocol. If authentication is configured, the two peers authenticate the link. Although authentication is optional, the peers pass through this phase whether or not authentication is chosen.

PPP supports several authentication protocols:

■ Password Authentication Protocol (PAP)

■ Challenge Handshake Authentication Protocol (CHAP)

■ Extensible Authentication Protocol (EAP)

The ProCurve Secure Router supports PAP and CHAP.

[Figure 6-3 shows the exchange between two ProCurve Secure Routers: 1. Link establishment (LCP); 2. Authentication, optional (PAP, CHAP, or EAP); 3. Negotiation of Network Layer protocols (NCP: IPCP, BCP, and so on); 4. Session established (PPP).]


NCP. PPP uses an NCP to enable the exchange of Network Layer protocols—such as IP—across a WAN link. As Figure 6-2 shows, there is a specific NCP for each supported Network Layer protocol. For example, the NCP for IP is IP Control Protocol (IPCP), and the NCP for IPX (which is a legacy Novell NetWare protocol) is IPX Control Protocol (IPXCP).

The ProCurve Secure Router supports the following NCPs:

■ IP Control Protocol (IPCP)

■ Bridging Control Protocol (BCP)

■ Link-Layer Discovery Protocol (LLDP) Control Protocol (LLDPCP)

In order to exchange Network Layer protocols, the NCP must be in an “opened” state.

PPP. PPP frames carry the actual information being transferred over the WAN link. In PPP terminology, this information is called a datagram.

After the two peers successfully exchange LCP frames, authenticate the link (if authentication is configured), and negotiate the Network Layer protocol, a PPP session is established. The peers can then exchange PPP datagrams.

Creating a PPP Interface on the ProCurve Secure Router

To begin configuring PPP for an E1, T1, or serial interface, you must create a logical interface. From the global configuration mode context, enter:

Syntax: interface <interface> <number>

Replace <interface> with ppp and replace <number> with any number between 1 and 1024. Each PPP interface you configure on the router must have a unique number.

For example, if you are configuring the first PPP interface on the router, enter:

ProCurve(config)# interface ppp 1

The router prompt indicates that you have entered the PPP 1 interface configuration mode context:

ProCurve(config-ppp 1)#

You can enter the ? help command to display the commands available from this configuration mode context.

ProCurve(config-ppp 1)# ?


Table 6-1 shows the main settings that you must configure for an E1, T1, or serial interface connection that uses PPP.

Table 6-1. Options for Configuring an E1, T1, or Serial Interface with PPP

Interface configuration mode context: e1 (page 4-10)
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the E1 connection
• coding [ami | hdb3]: defines the line coding
• frame format [e1 | crc4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• no shutdown: activates the interface

Interface configuration mode context: t1 (page 4-10)
• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the T1 connection
• coding [ami | b8zs]: defines the line coding
• frame format [esf | d4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• lbo long <value> | lbo short <value>: sets the level of the transmit signal
• no shutdown: activates the interface

Interface configuration mode context: serial (page 5-12)
• serial-mode [EIA530 | V35 | X21]: configures the serial interface to support the appropriate cable
• et-clock-source [txclock | rxclock]: configures the serial interface to take the clock from the transmit signal (txclock) or from the receive signal (rxclock)
• no shutdown: activates the interface

Interface configuration mode context: ppp (page 6-8)
• ip address <A.B.C.D> [<subnet mask> | </prefix length>]: assigns a static IP address to the PPP interface
• or ip address negotiated: configures the PPP interface to negotiate an IP address from its peer
• or ip unnumbered <interface>: configures the PPP interface to use the IP address assigned to another interface
• no shutdown: activates the interface

Interface configuration mode context: global configuration or interface configuration (page 6-10)
• bind <number> <physical interface> <slot>/<port> [<tdm-group number>] ppp <interface number>: binds the physical interface to the PPP interface; requires a tdm-group number for T1 and E1 interfaces (but not for serial interfaces)


The PPP settings are described in the sections that follow. (For information about E1 and T1 interface settings, see Chapter 4: Configuring E1 and T1 Interfaces. For information about serial interface settings, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.)

Configuring an IP Address for the WAN Connection

You configure the IP address for the E1 or T1 WAN connection on the PPP interface rather than on the physical interface. There are several ways to assign an IP address to the PPP interface:

■ assign a static IP address

■ configure the PPP interface to negotiate an IP address with its PPP peer

■ configure the PPP interface as an unnumbered interface

Note: If the PPP interface is part of a bridge and IP routing is disabled, you can configure the PPP interface as a Dynamic Host Configuration Protocol (DHCP) client.

Configure a Static IP Address. To assign the PPP interface a static IP address, enter the following command from the PPP interface configuration mode context:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, you might enter:

ProCurve(config-ppp 1)# ip address 10.1.1.1 255.255.255.252

For subnet mask, you can enter the complete subnet mask or the classless inter-domain routing (CIDR) notation. For example, you might enter:

ProCurve(config-ppp 1)# ip address 10.1.1.1 /30

Configure a Negotiated IP Address. If you are using your WAN connection for Internet access, your Internet Service Provider (ISP) may want you to configure the PPP interface so that it negotiates the IP address with the ISP’s router. From the PPP interface configuration mode context, enter:

Syntax: ip address negotiated [no-default]

Include the no-default option if you do not want the router to accept a default route from the PPP peer that is providing the IP address.


Configure the PPP Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the PPP interface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses that are assigned to other logical interfaces. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.

You can configure the PPP interface (and other interfaces on the ProCurve Secure Router) as an unnumbered interface. The PPP interface will then use the IP address of another interface—the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.

Before configuring the PPP interface as an unnumbered interface, you should be aware of a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the PPP interface will be unavailable as well. For example, suppose you configure the PPP 1 interface as an unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the PPP 1 interface will also be unavailable.

To minimize the chances that the interface with the IP address will go down, you can assign the IP address to a loopback interface, which typically does not go down.

To configure the PPP interface as an unnumbered interface, enter the following command from the PPP interface configuration mode context:

Syntax: ip unnumbered <interface>

Valid interfaces include:

■ Ethernet interfaces and subinterfaces

■ Frame Relay subinterfaces

■ other PPP interfaces

■ HDLC interfaces

■ loopback interfaces

■ Asynchronous Transfer Mode (ATM) subinterfaces

■ demand interfaces


For example, you would enter the following commands to configure a loopback interface and then configure the PPP 1 interface to use the IP address assigned to that loopback interface:

ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.2.2 /30
ProCurve(config-loop 1)# interface ppp 1
ProCurve(config-ppp 1)# ip unnumbered loopback 1

Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface changes to up after you enter the interface loopback <interface number> command.

Activating the PPP Interface

To activate the PPP interface, enter the following command from the PPP interface configuration mode context:

ProCurve(config-ppp 1)# no shutdown

Although the PPP interface is activated, its status will not change to up until it is bound to a physical interface. It can then begin to negotiate a PPP session with its peer, and if that negotiation is successful, the status of the PPP interface will change to up.

Binding the Physical Interface to the Logical Interface

On the ProCurve Secure Router, you must bind the physical interface to the logical interface so that the router knows which Data Link Layer protocol to use for that WAN connection. When you bind a physical interface to a logical interface, the two are considered a single interface bind group.

From the global configuration mode context, enter:

Syntax: bind <bind number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>

You can also enter this command from the PPP interface configuration mode context.

Replace <bind number> with a number that is globally significant. That is, each bind command you enter on the router must have a unique bind number.


Replace <physical interface> with the type of WAN connection, such as E1, T1, or serial. Replace <slot> and <port> with the correct numbers to identify this interface’s location on the ProCurve Secure Router.

If you are binding an E1 or T1 interface to the PPP interface, replace <tdm-group number> with the TDM group number you created on the E1 or T1 interface. If you are binding a serial interface to the PPP interface, omit this option.

Note: You do not include a TDM group number when binding a serial interface to a logical interface because the serial interface does not use TDM groups.

Replace <logical interface> with ppp and replace <logical interface number> with the number you assigned to this interface. For example, if you want to bind the E1 1/1 interface or the T1 1/1 interface to the PPP 1 interface, enter:

ProCurve(config)# bind 1 e1 1/1 1 ppp 1

or

ProCurve(config)# bind 1 t1 1/1 1 ppp 1

If you want to bind the serial 1/1 interface to the PPP 1 interface, enter:

ProCurve(config)# bind 1 ser 1/1 ppp 1

To see an example configuration that uses PPP, see “Example Networks” on page 6-46.

PPP Authentication

You can increase the security of your WAN by requiring the PPP peer at the other end of the link to vouch that it is, indeed, the authorized router at the remote site. You can also configure the router to provide its own authentication information. Many Internet service providers (ISPs) require authentication so that they grant service only to subscribers who have paid for it.

The ProCurve Secure Router supports two authentication protocols for PPP:

■ PAP

■ CHAP

PAP. PAP is the simplest possible authentication scheme. It requires a two-way message exchange. One peer sends the password previously agreed upon to the other peer, which is called the authenticator. The authenticator looks up the password in its database. If the password matches, the authenticator returns an authentication acknowledge. The two peers can then send NCPs to negotiate the Network Layer protocols. If this negotiation is successful, the PPP session is established.

With PAP, the two peers authenticate only once, and the username and password are sent in clear text across the connecting private circuit. Because PAP sends the password directly over the wire, anyone capable of tapping into the wire can intercept it.

CHAP. CHAP solves the security problem of PAP by hashing the password and sending the hash value instead of the password over the wire. CHAP follows the process shown in Figure 6-4:

1. The authenticator challenges the peer.

2. The peer combines its password with a string of text and calculates a hash value using the Message Digest 5 (MD5) algorithm. (The hash is one-way: the password cannot be recovered by reversing the calculation.) The peer sends the hash value to the authenticator.

3. The authenticator knows both the agreed-upon string of text and the peer’s password. The authenticator performs the same hashing calculation and compares its hash value to the hash value sent by the peer.

4. If the hash values match, the authenticator acknowledges the peer, and the peers proceed to exchange NCPs. If the hash values do not match, the authenticator continues to issue challenges until the peer returns a matching hash value or runs out of retry attempts.

Because the password is hashed rather than sent in clear text, anyone tapping the wire cannot read it directly, so CHAP provides increased security. In addition, CHAP requires peers to reauthenticate themselves from time to time.


Figure 6-4. CHAP Process

When you configure CHAP on the ProCurve Secure Router, you only need to set the password. The router automatically sends the hostname for the username and computes the hash value.
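The PAP and CHAP exchanges described above, as an added Python example that is not part of the guide or the router's own code. It follows the packet layouts of RFC 1334 (PAP) and RFC 1994 (CHAP with MD5), where the "string of text" is the Identifier octet plus a random challenge chosen by the authenticator; the Authenticator class and function names are hypothetical, and SiteB/procurve are the guide's sample credentials.

```python
import hashlib
import hmac
import os
import struct


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 with MD5: hash over Identifier octet, then secret, then challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier: int, value: bytes, name: bytes) -> bytes:
    """CHAP Response (code 2): Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def pap_request_packet(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (code 1): username and password are carried as-is."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


class Authenticator:
    """Hypothetical authenticator holding the per-link username/password database."""

    def __init__(self, database: dict):
        self.database = database      # {username: password}, both bytes
        self.next_id = 0
        self.pending = None           # (identifier, challenge) awaiting a response

    def issue_challenge(self) -> tuple:
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending = (identifier, os.urandom(16))   # fresh random challenge
        return self.pending

    def verify(self, identifier: int, name: bytes, value: bytes) -> bool:
        pending, self.pending = self.pending, None    # each challenge is single use
        if pending is None or pending[0] != identifier:
            return False
        secret = self.database.get(name)
        if secret is None:
            return False
        expected = chap_response_value(identifier, secret, pending[1])
        return hmac.compare_digest(expected, value)   # constant-time comparison


def demo() -> dict:
    secret, name = b"procurve", b"SiteB"
    auth = Authenticator({name: secret})

    # Normal exchange: challenge, hashed response, acknowledge.
    ident, challenge = auth.issue_challenge()
    value = chap_response_value(ident, secret, challenge)
    accepted = auth.verify(ident, name, value)

    # Reauthentication uses a new challenge, so a recorded response no longer matches.
    ident2, _ = auth.issue_challenge()
    replay_rejected = not auth.verify(ident2, name, value)

    # A peer that does not know the password cannot produce the expected hash.
    ident3, challenge3 = auth.issue_challenge()
    wrong = chap_response_value(ident3, b"not-the-secret", challenge3)
    wrong_rejected = not auth.verify(ident3, name, wrong)

    # What someone tapping the circuit would see for each protocol.
    chap_wire = challenge + chap_response_packet(ident, value, name)
    pap_wire = pap_request_packet(1, name, secret)
    return {
        "accepted": accepted,
        "replay_rejected": replay_rejected,
        "wrong_password_rejected": wrong_rejected,
        "password_visible_in_chap": secret in chap_wire,
        "password_visible_in_pap": secret in pap_wire,
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```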

Requiring a Peer to Authenticate Itself. When you configure PPP authentication on the ProCurve Secure Router, you must first choose whether you want to use PAP or CHAP. To require authentication, you must:

■ enable PAP or CHAP on the connection

■ set the peer’s username and password

You configure authentication for an individual PPP connection. Move to the logical interface for the connection and specify the type of authentication:

Syntax: ppp authentication [chap | pap]

For example, if you want to use CHAP for the PPP 1 interface, enter:

ProCurve(config-ppp 1)# ppp authentication chap

Note: Both sides of the connection do not have to require authentication. However, if both sides require authentication, they must use the same protocol. If your peer requires authentication, you must set the username and password the router will send. (These are distinct from the username and password that the router accepts.) See “Setting a PAP Username and Password” on page 6-14 and “Setting a CHAP Username and Password” on page 6-15.

[Figure 6-4 shows the Authenticator and the Peer: 1. Challenge; 2. the peer calculates the hash; 3. Hash, after which the authenticator calculates the hash and compares hash values; 4. Acknowledge.]


You must add the password you have agreed upon for the peer to the PPP database. The PPP database for each connection is separate and distinct from the global username and password database and the databases of other PPP connections. Because the database is for a point-to-point connection, it stores only one username and password. You manage the database for a PPP connection from its logical interface configuration mode context.

To set the username and password that the ProCurve Secure Router accepts from a peer, enter the following command from the global configuration mode context:

Syntax: username <username> password <password>

For example, you might enter:

ProCurve(config-ppp 1)# username SiteB password procurve

For CHAP, the username should be the hostname of the peer.

Authenticating to a Peer. The device at the other end of a PPP connection may require the ProCurve Secure Router to authenticate itself. To configure the local router, you must:

■ configure which authentication protocol to use

■ set the username and password

The authentication protocol must match that requested by the peer. If you do not know which protocol the peer is using, you can view the debug messages and look for PAP or CHAP. From the enable mode context, enter:

ProCurve# debug ppp authentication

You specify the authentication protocol with the same command that you enter to configure the username and password that the ProCurve Secure Router sends the PPP peer. The company or ISP that is requiring PPP authentication should provide you with the username and password, which are case sensitive.

Setting a PAP Username and Password. To configure PAP authentication information for a WAN connection, you must move to the configuration mode context for the logical interface that provides the Data Link Layer for the connection. To set the username and password that the router will send in clear text over the wire, enter:

Syntax: ppp pap sent-username <username> password <password>


For example, you might enter:

ProCurve(config-ppp 1)# ppp pap sent-username SiteA password procurve

Note: PAP will be used only to authenticate this WAN connection. You do not have to actually enable the PAP protocol. It is perfectly acceptable for the local router to authenticate itself to a peer without requiring that peer to authenticate itself in turn.

Setting a CHAP Username and Password. You configure the router to authenticate itself from the PPP interface configuration mode context for the connection. For CHAP, you only have to set the password that the router will hash and send encrypted to the peer. Enter:

Syntax: ppp chap password <password>

The peer or ISP should provide this password. For example:

ProCurve(config-ppp 1)# ppp chap password procurve

The router automatically sends its hostname for its username. Make sure that this hostname actually matches that by which the peer identifies your router. (This can be particularly important when authenticating to an ISP.) If necessary, you can override the hostname with a different username by entering:

Syntax: ppp chap hostname <username>

For example, you might enter:

ProCurve(config-ppp 1)# ppp chap hostname ProcurveA
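One way to review saved configurations for the authentication choices described in this section, as an added Python example that is not part of the guide. The sample text is constructed; its layout (an interface line followed by that interface's commands, with ! separators) is an assumption, and only commands shown in this chapter are recognized.

```python
import re

# Constructed sample, not captured router output. The layout is assumed.
SAMPLE_CONFIG = """\
interface loopback 1
  ip address 10.1.2.2 /30
!
interface ppp 1
  ip address 10.1.1.1 255.255.255.252
  ppp authentication chap
  username SiteB password procurve
  ppp chap password procurve
  no shutdown
!
interface ppp 2
  ip address negotiated
  ppp pap sent-username SiteA password procurve
  no shutdown
!
interface ppp 3
  ip unnumbered loopback 1
  ppp authentication pap
  username SiteC password procurve
  no shutdown
!
interface ppp 4
  ip address 10.1.1.5 /30
  no shutdown
"""

NO_PEER_AUTH = "peer is not required to authenticate itself"
REQUIRES_PAP = "requires PAP: the peer's password crosses the link in clear text"
SENDS_PAP = "sends PAP credentials: the local password crosses the link in clear text"


def parse_ppp_interfaces(text: str) -> dict:
    """Return {"ppp <n>": [commands]} for every PPP interface block in the text."""
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"interface\s+(\S+)\s+(\S+)", line)
        if header:
            kind, number = header.group(1).lower(), header.group(2)
            # Only PPP logical interfaces carry the settings this check looks at.
            current = interfaces.setdefault(f"ppp {number}", []) if kind == "ppp" else None
        elif line == "!":
            current = None                  # end of the interface block
        elif line and current is not None:
            current.append(line)
    return interfaces


def audit_interface(commands: list) -> list:
    """Return review findings for one PPP interface's command list."""
    required = None
    sends_pap = False
    for command in commands:
        words = command.split()
        if words[:2] == ["ppp", "authentication"] and len(words) >= 3:
            required = words[2].lower()     # chap or pap
        if words[:3] == ["ppp", "pap", "sent-username"]:
            sends_pap = True
    findings = []
    if required is None:
        findings.append(NO_PEER_AUTH)
    elif required == "pap":
        findings.append(REQUIRES_PAP)
    if sends_pap:
        findings.append(SENDS_PAP)
    return findings


def audit_config(text: str) -> dict:
    """Map each PPP interface to its list of findings (empty list means none)."""
    return {name: audit_interface(cmds)
            for name, cmds in parse_ppp_interfaces(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", "; ".join(findings) or "CHAP required, no PAP in use")
```

An interface that authenticates to its peer without requiring authentication in return is a valid setup per the note above, so the first finding is a prompt for review rather than an error.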

Recording PPP Authentication Information. If you are configuring PPP authentication, you may want to print Table 6-2 and enter the information for your router.

Table 6-2. PPP Authentication Worksheet

Option                                               Your Setting
PPP interface number
authentication protocol
Are you requiring the peer to authenticate itself?   Yes/No
peer username
peer password
Are you authenticating to the peer?                  Yes/No
local router’s username
local router’s password

This worksheet will help you enter the PPP authentication command for your router.

Additional Settings

Depending on your company’s WAN environment, you may want to configure other settings on the PPP interface.

Configure a Secondary IP Address for the Interface. You can configure a secondary IP address on an interface if the interface supports more than one subnet. For example, the LAN you connect to an Ethernet interface may require more IP addresses than the primary subnet can provide.

Note: When using secondary IP addresses, avoid routing loops by verifying that all devices on the network segment are configured with secondary IP addresses on the secondary subnet.

From the PPP interface configuration mode context, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> secondary

Replace <A.B.C.D> with the secondary IP address and replace <subnet mask> with the corresponding subnet mask. Instead of specifying a subnet mask, you can replace </prefix length> with the CIDR notation. Finally, include the secondary option.

For example, you might enter:

ProCurve(config-ppp 1)# ip address 192.168.115.1 255.255.255.0 secondary

You can include an unlimited number of secondary IP addresses.

To remove a secondary IP address, enter:

Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary

6-16

Page 271: ProCurve Secure Router 7000dl - Apache Welcome Pageh20628. · ProCurve Secure Router 7000dl. ProCurve Secure Router ... Events ... Troubleshooting E1 and T1 WAN Connections ...

Configuring the Data Link Layer Protocol for E1, T1, and Serial InterfacesConfiguring the Logical Interface

Set the MTU. The maximum transmission unit (MTU) defines the largest size that a PPP frame can be. If a frame exceeds this size, it must be fragmented. By default, the MTU for PPP interfaces is 1500 bytes. To change this setting, enter:

Syntax: mtu <size>

Replace <size> with a number between 64 and 1520.

For most environments, you should leave the MTU at 1500. In some cases, however, you may need to adjust the MTU size. For example, you need to evaluate MTU size if:

■ The interface is connected to another router that uses a different MTU size.

■ The interface is used in a PPP over Ethernet (PPPoE) environment. (For more information about PPPoE, see Chapter 7: ADSL WAN Connections.)

If two PPP peers use different MTU sizes, this mismatch can affect transmissions and routing. For example, if the PPP peer has a smaller MTU and your router sends a frame that exceeds that size, the PPP peer will have to fragment the frame. If the frame is tagged with the “do not fragment” field, then the router cannot forward the frame.

If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should be especially careful when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match. You should ensure that the router at the far end of the PPP connection is using the same MTU as the router you are configuring.

You may also need to configure the MTU for PPPoE. When two devices initiate a PPPoE session, they negotiate an MTU of 1492 bytes because the payload of an Ethernet frame cannot exceed 1500 bytes. With the overhead created by PPP, the PPPoE frame is 1500 bytes.

Typically, the two PPPoE devices will negotiate the MTU size of 1492. If there are problems, however, you may need to manually configure the MTU.

Adding a Description. You can add a description to the PPP interface if you want to document information about it. For example, if you have configured multiple PPP interfaces, you may want to document how each PPP interface is being used. To create a description, enter:

Syntax: description <line>


Replace <line> with a phrase up to 80 characters. For example, you might enter:

ProCurve(config-ppp 1)# description WAN link to Denver office

This description is displayed only when you enter the show running-config command. From the enable mode context, enter:

ProCurve# show running-config

You must then scroll through the running-config to find the interface ppp 1 heading. To view only the running-config for the PPP 1 interface, enter:

ProCurve# show running-config interface ppp 1

Configuration information such as the following is displayed:

interface ppp 1
description WAN link to Denver office
ip address 192.168.1.1 255.255.255.0
bind 1 ser 1/1 ppp 1
no shutdown

Settings Explained in Other Chapters

In addition to configuring these settings for the PPP interface, you can:

■ assign access control policies (ACPs) or access control lists (ACLs) to the PPP interface

■ assign crypto maps to enable virtual private networks (VPNs)

■ configure settings for routing protocols

■ enable bridging

Table 6-3 lists additional configurations that you can enter from the PPP interface and the page number where you find information about those configurations.

Table 6-3. Additional Configuration Settings for the PPP Interface

| Settings | Configuration Guide | Page Number |
|---|---|---|
| access controls to filter incoming and outgoing traffic | Advanced | 5-18, 5-37 |
| bridging | Basic | 10-6 |
| VPNs | Advanced | 8-46 |
| routing commands for OSPF, RIP, or BGP | Advanced | 13-1 |
| quality of service settings | Advanced | 7-28 |

Frame Relay Overview

For companies that can accept lower transmission speeds during peak usage times, Frame Relay provides a more affordable WAN solution than a dedicated E1- or T1-carrier line. Frame Relay can run over a variety of physical WAN connections, including E1- and T1-carrier lines. Whatever the physical WAN connection is, Frame Relay allocates bandwidth on that connection dynamically. As a result, public carriers provide a subscriber with bandwidth only when that subscriber requires it.

Frame Relay cuts costs both for public carriers and subscribers because it minimizes idle bandwidth: Public carriers can allocate the same bandwidth to multiple subscribers, and subscribers do not pay for bandwidth that they do not use.

When companies purchase Frame Relay service, they negotiate a Service Level Agreement (SLA) that specifies a Committed Information Rate (CIR), the amount of bandwidth they can use. The CIR is contractually guaranteed bandwidth, rather than physically guaranteed as with dedicated E1- or T1-carrier lines. If Frame Relay carriers do not provide the CIR, however, they can be fined. Consequently, carriers usually ensure that the bandwidth stipulated in the CIR is available to the customer. (See Figure 6-5.)

Figure 6-5. A Frame Relay Network Dynamically Allocates Bandwidth. (Diagram: the routers of Subscriber 1 and Subscriber 2 each connect by Frame Relay over T1 to Frame Relay switches in the public carrier’s CO. One subscriber transmits an average of 768 Kbps with bursts to 900 Kbps; the other transmits an average of 640 Kbps with bursts to 832 Kbps.)

Packet-Switching Network

Frame Relay transfers data through multiple nodes in a shared network using packet switching. Frame Relay divides data into frames, and each frame travels through the network individually, passing from one Frame Relay switch to another in a non-fixed path, until the frames are reassembled at their destination.

Although frames can take multiple and variable paths through a shared network, two routers, which are identified by administratively assigned circuit IDs, define the fixed endpoints to a permanent virtual circuit (PVC). In a Frame Relay network, a PVC is a logical connection between two sites. (See Figure 6-6.)

Figure 6-6. A PVC Connects Two Endpoints in the Frame Relay Network. (Diagram: the routers of Subscriber 1 and Subscriber 2 each connect by Frame Relay over T1 to Frame Relay switches in the public carrier’s CO; a PVC runs between Subscriber 1 and Subscriber 2.)

Components of a Frame Relay Network

The Frame Relay network consists of several components, each of which has a specific role.

■ user, or data terminal equipment (DTE)

■ network, or data communications equipment (DCE)

■ network-to-network interfaces (NNI)

■ user-to-network interfaces (UNI)

When you configure Frame Relay on the ProCurve Secure Router, you must define the role that the router will perform in the Frame Relay network. (See Figure 6-7.)

Figure 6-7. Components in a Frame Relay Network (Diagram: routers (DTEs) connect to Frame Relay switches (DCEs) over UNIs, DTE to DCE; the switches connect to one another over NNIs, DCE to DCE.)

DTE. The DTE receives data from the LAN in the form of multiple protocol packets and encapsulates each packet into a Frame Relay frame. The header of such a frame contains the Data Link Connection Identifier (DLCI), which identifies the frame’s ultimate destination.

You can configure the DTE to manage congestion and maintain quality of service. For example, the DTE can manipulate the actual size of each frame sent through the network. It also can buffer and fragment packets to reserve bandwidth for particular circuits and ensure quality of service for time-sensitive packets such as voice applications.

DCE. In a Frame Relay network, the DCE is the Frame Relay switch, which establishes and maintains the Frame Relay connection. After receiving frames from the DTE, the DCE converts these frames into signals supported by the physical media of the network. The DCE also reads the DLCI on incoming packets, checks its switch lookup table, and then forwards data to the appropriate outgoing port, which leads to the correct virtual endpoint.

UNI. UNIs connect the DTE to the DCE and provide access to the Frame Relay network.

NNI. NNIs connect a DCE to a DCE, using bidirectional signaling. That is, NNIs connect one Frame Relay switch to another.

DLCI

As mentioned earlier, the DTE marks each outgoing frame with a DLCI, a 10-bit field in the Address Field of the Frame Relay header. The switch reads the DLCI to determine the appropriate PVC endpoint to which to send the frame. DLCIs are locally, not globally, significant. (See Figure 6-8.)

The 10-bit field enables 1024 possible DLCI numbers, but some are reserved for special purposes:

■ 0 signals Annex A and D

■ 1-15 and 1008-1022 are reserved

■ 1023 signals the Link Management Interface (LMI)

The remaining 976 DLCI numbers between 16 and 1007 are available to users. Your Frame Relay service provider will assign you a DLCI.
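How the 10-bit DLCI sits in the Address Field and how the ranges above apply to a set of subinterfaces, as an added example that is not part of the guide: the bit layout is the standard two-octet Q.922 address field, which the guide does not spell out, and the reserved ranges are the ones listed above. The function names and the sample subinterface map are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FrAddress:
    dlci: int
    cr: bool     # command/response bit
    fecn: bool   # forward explicit congestion notification
    becn: bool   # backward explicit congestion notification
    de: bool     # discard eligibility


def build_address(dlci, cr=False, fecn=False, becn=False, de=False):
    """Encode the two-octet address field: 6 high DLCI bits, then 4 low bits."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI is a 10-bit value")
    b0 = ((dlci >> 4) << 2) | (int(cr) << 1)                  # EA bit = 0
    b1 = ((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2) \
        | (int(de) << 1) | 0x01                               # EA bit = 1
    return bytes([b0, b1])


def parse_address(hdr):
    """Decode the first two octets of a frame into DLCI and flag bits."""
    if len(hdr) < 2:
        raise ValueError("address field needs two octets")
    b0, b1 = hdr[0], hdr[1]
    if b0 & 0x01 or not b1 & 0x01:
        raise ValueError("EA bits do not describe a two-octet address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrAddress(dlci, bool(b0 & 0x02), bool(b1 & 0x08),
                     bool(b1 & 0x04), bool(b1 & 0x02))


def classify_dlci(dlci):
    """Apply the ranges listed in this section."""
    if dlci == 0:
        return "signaling (Annex A and D)"
    if dlci == 1023:
        return "signaling (LMI)"
    if 1 <= dlci <= 15 or 1008 <= dlci <= 1022:
        return "reserved"
    if 16 <= dlci <= 1007:
        return "user"
    raise ValueError("DLCI is a 10-bit value")


def audit_subinterfaces(subifs):
    """Check a {'<interface>.<subinterface>': dlci} map against the guide's rules.

    Flags DLCIs outside the user range, DLCIs used by more than one PVC on the
    router, and (advisory) subinterface numbers that differ from their DLCI.
    """
    findings, seen = [], set()
    for name, dlci in subifs.items():
        if classify_dlci(dlci) != "user":
            findings.append((name, "not-user-dlci"))
        if dlci in seen:
            findings.append((name, "duplicate-dlci"))
        seen.add(dlci)
        if int(name.split(".")[1]) != dlci:
            findings.append((name, "number-differs-from-dlci"))
    return findings


# Constructed sample: subinterface name -> DLCI entered on it.
SAMPLE = {"1.16": 16, "1.17": 17, "1.20": 17, "1.1": 1023}

if __name__ == "__main__":
    print(build_address(16).hex(), parse_address(bytes.fromhex("fcf1")))
    for finding in audit_subinterfaces(SAMPLE):
        print(finding)
```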

Figure 6-8. The DLCI Identifies the PVC Endpoint. (Diagram: three routers (DTEs) connect over UNIs to a Frame Relay switch (DCE) on DLCI 16, DLCI 17, and DLCI 18. Each Frame Relay switch keeps a table of PVC endpoints and their DLCI.)

Create the Frame Relay Interface

To begin configuring Frame Relay as the Data Link Layer protocol for an E1, T1, or serial interface, you must create a logical interface. From the global configuration mode context, enter:

Syntax: interface <interface> <number>

Replace <interface> with frame-relay; you can also use the shortcut fr. Replace <number> with any number between 1 and 1024. Each Frame Relay interface that you create on the router must have a unique number.

For example, if you are configuring the first Frame Relay interface on the router, you might enter:

ProCurve(config)# interface frame-relay 1

The router prompt indicates that you have entered the proper interface configuration mode context:

ProCurve(config-fr 1)#

From this configuration mode context, you can enter the ? help command to display the available commands.

ProCurve(config-fr 1)# ?

Table 6-4 shows the main settings that you must configure for an E1, T1, or serial interface that uses Frame Relay.

Table 6-4. Frame Relay Configuration Options

Each group below gives the interface configuration mode context and the page that describes it, followed by each command and its description.

e1 (page 4-10)

■ tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the E1 connection

■ coding [ami | hdb3]: defines the line coding

■ frame format [e1 | crc4]: defines the frame format

■ clock source [internal | line | through]: defines the clock source, or timing, for the connection

■ no shutdown: activates the interface

t1 (page 4-10)

■ tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the T1 connection

■ coding [ami | b8zs]: defines the line coding

■ frame format [esf | d4]: specifies frame format

■ clock source [internal | line | through]: defines the clock source

■ no shutdown: activates the interface

serial (page 5-12)

■ serial-mode [EIA530 | V35 | X21]: configures the serial interface to support the appropriate cable

■ et-clock-source [txclock | rxclock]: configures the serial interface to take the clock from the transmit signal, txclock, or from the receive signal, rxclock

■ no shutdown: activates the interface

frame-relay interface (page 6-25)

■ no shutdown: activates the interface

■ frame-relay intf-type [dte | dce | nni]: defines the signaling role as user, network, or both

■ frame-relay lmi-type [ansi | auto | cisco | none | q933a]: defines Frame Relay signaling type

frame-relay subinterface (page 6-28)

■ frame-relay interface-dlci <dlci>: defines the DLCI for the PVC

■ ip address <A.B.C.D> <subnet mask | /prefix length>: defines a static IP address for the interface

or

■ ip address dhcp {client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH] | hostname <word>}

■ ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]: configures the Frame Relay subinterface as a DHCP client

or

■ ip unnumbered <interface>: configures the Frame Relay as an unnumbered interface, which takes its IP address from another interface

global configuration or interface configuration (page 6-35)

■ bind <number> <physical interface> <slot>/<port> [<tdm-group number>] Frame Relay <interface number>: binds the physical interface to the logical interface; requires tdm-group number for E1 and T1 interfaces (but not for serial interfaces)

The Frame Relay settings are described in the sections that follow.

Activate the Frame Relay Interface

You must activate the Frame Relay interface. From the Frame Relay interface configuration mode context, enter:

ProCurve(config-fr 1)# no shutdown

Define the Signaling Role

You must configure the signaling role that the ProCurve Secure Router will fulfill in the Frame Relay network. With few exceptions, the ProCurve Secure Router will function as the user, or DTE, and consequently, this is the default setting.

However, the other options are available if you should ever need to change the signaling role. For example, if you are setting up a test WAN to determine if your applications will run over a Frame Relay connection, you may need to configure the router as a DCE.

To configure the signaling role, enter the following command from the Frame Relay interface configuration mode context:

Syntax: frame-relay intf-type [dte | dce | nni]

Define the Frame Relay Signaling Type

You must configure the Frame Relay interface to use the same signaling type that your Frame Relay service provider uses. From the Frame Relay interface configuration mode context, enter:

Syntax: frame-relay lmi-type [ansi | auto | cisco | none | q933a]

Table 6-5 maps the Frame Relay signaling type to the setting that you must enter for the frame-relay lmi-type command.

Table 6-5. Frame Relay Signaling

| Signaling type | Option | Complete Command |
|---|---|---|
| Annex D | ansi | frame-relay lmi-type ansi |
| detect signaling type from incoming message | auto | frame-relay lmi-type auto |
| Cisco LMI | cisco | frame-relay lmi-type cisco |
| no signaling (disables signaling role as well) | none | frame-relay lmi-type none |
| Annex A | q933a | frame-relay lmi-type q933a |

For example, to set the signaling type to auto, enter the following command from the Frame Relay interface configuration mode context:

ProCurve(config-fr 1)# frame-relay lmi-type auto

The default setting is ansi.

Configure Frame-Relay Counters

The Frame Relay counters monitor status polls sent and received, track errors, and change the endpoint’s signaling status from up to down, depending on the number of errors counted within a set frame of events. Although you can tailor the counter settings to your system, most applications do not require special settings, so you should keep the default settings.

Table 6-6 lists the Frame Relay counters, the possible settings, and the polls that each one controls.

Table 6-6. Frame Relay Counters

| Frame Relay Counter | Possible Settings | Default Setting | Description |
|---|---|---|---|
| frame-relay lmi-n391dce <polls> | 1-255 | 6 | Configure how many link integrity polls occur in between the full-status polls. Configure this setting for the DCE endpoint. |
| frame-relay lmi-n391dte <polls> | 1-255 | 6 | Configure how many link integrity polls occur between the full-status polls. Configure this setting for the DTE endpoint. |
| frame-relay lmi-n392dce <threshold> | 1-10 | 3 | Configure an error threshold number for the DCE. If the error threshold is met, the signaling status is changed to down, which indicates a service-affecting condition. This condition is cleared after this number of consecutive error-free N393 events are received. |
| frame-relay lmi-n392dte <threshold> | 1-10 | 3 | Configure an error threshold number for the DTE. If the error threshold is met, the signaling status is changed to down, which indicates a service-affecting condition. This condition is cleared after this number of consecutive error-free N393 events are received. |
| frame-relay lmi-n393dce <counter> | 1-10 | 4 | Configure the LMI-monitored event counter for the DCE endpoint. |
| frame-relay lmi-n393dte <counter> | 1-10 | 4 | Configure the LMI-monitored event counter for the DTE endpoint. |
| frame-relay lmi-t391dte <seconds> | 5-30 seconds | 10 seconds | Set the T391 signal-polling timer for the DTE endpoint. |
| frame-relay lmi-t392dce <seconds> | 5-30 seconds | 10 seconds | Set the T392 polling-verification timer for the DCE endpoint. |

You can use the no command to return counters to their default settings.

Create the Frame Relay Subinterface

You must create a Frame Relay subinterface for each PVC that you want to establish through this Frame Relay interface. To create a Frame Relay subinterface, enter the following command from the global configuration context or from the Frame Relay interface configuration mode context:

Syntax: interface frame-relay <number.subinterface number>

Replace the first number in <number.subinterface number> with the number of the Frame Relay interface that you have already configured. Then replace subinterface number with any number between 16 and 1007. Using the same number as the subinterface’s DLCI can help you keep track of the subinterface and troubleshoot any errors.

For example, if your public carrier has assigned your company a DLCI of 16, enter:

ProCurve(config-fr 1)# interface frame-relay 1.16

You are then moved to the Frame Relay subinterface configuration mode context, which is reflected in the router prompt:

ProCurve(config-fr 1.16)#

From the Frame Relay subinterface configuration mode context, you can configure a variety of settings for the connection, including the MTU size and excess burst rate. However, to initially establish the sublink, you only need to assign it a DLCI.

Assign a DLCI to the Frame Relay Subinterface

The Frame Relay service provider assigns each PVC endpoint a DLCI on the Frame Relay switch, and the switch maintains a table of each DLCI so that it can pass traffic through an outbound port uniquely associated with a specific peer. Your Frame Relay service provider should tell you the DLCI for the PVC.

To assign the DLCI to the Frame Relay interface, enter the following command from the Frame Relay subinterface configuration mode context:

Syntax: frame-relay interface-dlci <DLCI>

Replace <DLCI> with a valid DLCI number, ranging from 16 to 1007. You must assign a different DLCI to each PVC established on the same router.


For example, if the Frame Relay service provider assigned your company a DLCI of 16, enter:

ProCurve(config-fr 1.16)# frame-relay interface-dlci 16

Configure the IP Address for the WAN Connection

You configure the IP address for the WAN connection on the Frame Relay subinterface, rather than on the physical interface or the Frame Relay interface. There are several ways to assign an IP address to the Frame Relay subinterface:

■ assign a static IP address

■ configure the Frame Relay subinterface as a DHCP client

■ configure the Frame Relay subinterface as an unnumbered interface

Configuring a Static IP Address. From the Frame Relay subinterface configuration mode context, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For <subnet mask>, you can enter the complete subnet mask or replace </prefix length> with the CIDR notation. For example, you might enter:

ProCurve(config-fr 1.16)# ip address 10.10.2.1 /30

Configure the Frame Relay Subinterface as a DHCP Client. Your Frame Relay service provider may want to dynamically assign your router an IP address for each Frame Relay PVC. To enable a Frame Relay subinterface to use DHCP to obtain an IP address, use one of the following commands:

Syntax: ip address dhcp {client-id [ethernet 0/<port number> | HH:HH:HH:HH:HH:HH:HH] | hostname <word>}

Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]

In addition to enabling the DHCP client for the Frame Relay subinterface, this command allows you to configure the settings shown in Table 6-7.

Table 6-7. Default Settings for the DHCP Client

| Option | Use | Default Setting |
|---|---|---|
| client-id | configures the client identifier displayed in the DHCP server’s table | media type and interface’s MAC address |
| hostname | configures the hostname displayed in the DHCP server’s table | router hostname |
| no-default-route | specifies that the DHCP client should not accept the default route obtained through DHCP | accept default route from the DHCP server |
| no-domain-name | specifies that the DHCP client should not accept the domain name included with the other lease settings that the DHCP server sends | accept the domain name setting from the DHCP server |
| no-nameservers | specifies that the DHCP client should not accept the DNS setting included with the other lease settings that the DHCP server sends | accept DNS settings from the DHCP server |

Before you enable the DHCP client, you must decide whether or not you want to configure the settings listed in Table 6-7, and you must then include the settings in the same command that you enter to enable the DHCP client. After you enable the DHCP client, it immediately begins to search for a DHCP server and negotiate a lease. You cannot impose settings on that lease after it is established.

Accepting the Default Settings. If you want to use default DHCP settings for the Frame Relay subinterface, you can simply enter:

ProCurve(config-fr 1.16)# ip address dhcp

The DHCP client on the Frame Relay subinterface will immediately begin to send DHCP discovery messages to find a DHCP server. When a DHCP server responds, the client will negotiate an IP address.

The DHCP client will send DHCP discovery messages whether or not the Frame Relay subinterface is activated or a valid connection has been established. It will continue to send DHCP discovery messages until a DHCP server responds.

You should ensure that the DHCP client receives an IP address so that these discovery messages do not consume router resources or bandwidth on your Frame Relay link. To determine whether the Frame Relay subinterface has been assigned an IP address, enter the following command from the enable mode context:

ProCurve# show interface frame-relay <number.subinterface number>

Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address. You can specify that the DHCP client uses the MAC address of an Ethernet port, or you can change the client identifier to a customized MAC address.

To configure a client identifier when you enable the DHCP client, enter:

Syntax: ip address dhcp client-id [ethernet 0/<port number> | HH:HH:HH:HH:HH:HH:HH]

When you configure the client identifier, you can also configure a hostname, as explained in the next section.

Configuring a Hostname. The Secure Router OS uses the hostname configured for the router as the Frame Relay subinterface’s default DHCP client hostname. If you want to override this hostname when you enable the DHCP client, enter the following command:

Syntax: ip address dhcp hostname <word>

For example, you might want to specify that the hostname is RouterB. In this case, you would enter:

ProCurve(config-fr 1.1)# ip address dhcp hostname RouterB

When you specify the hostname, you can also configure a client identifier at the same time, as shown below.

ProCurve(config-fr 1.1)# ip address dhcp client-id ethernet 0/1 hostname RouterB

If you enter this command, the DHCP client will use the MAC address of the Ethernet 0/1 interface as its client identifier, and it will use the hostname RouterB.

Alternatively, you can specify the hostname and configure the client to ignore the settings received from the DHCP server. These commands are described in the following sections.

Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default route, a domain name, or a domain name system (DNS) server, the DHCP client for the Frame Relay subinterface will accept and use these settings. If you do not want to use one or more of these settings, enter the appropriate option when you enable the DHCP client:

Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]


For example, if you do not want the DHCP client to use the default route and name server settings that it receives from the DHCP server, enter:

ProCurve(config-fr 1.1)# ip address dhcp no-default-route no-nameservers

Changing a Setting for the DHCP Client. If you want to change a setting for the DHCP client, you must first disable the client. Then you can enter the command to enable the client with the setting that you want to change.

Before you disable the client, you should release the IP address obtained through DHCP. This will prevent the DHCP server from holding the IP address and allow it to assign the IP address to another client.

Releasing or Renewing an IP address. If you want to manually force the Frame Relay subinterface to release or renew an IP address, enter these commands from the Frame Relay subinterface configuration mode context:

ProCurve(config-fr 1.1)# ip dhcp release

ProCurve(config-fr 1.1)# ip dhcp renew

Remove the DHCP Client Setting. If you decide that you no longer want the Frame-Relay subinterface to be a DHCP client, enter:

ProCurve(config-fr 1.1)# no ip address dhcp

Configure the Frame Relay Subinterface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the Frame Relay subinterface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces. As a result, each interface that has an IP address represents a subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.

You can configure the Frame Relay subinterface as an unnumbered interface that uses the IP address assigned to another interface. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.

Before configuring the Frame Relay subinterface as an unnumbered interface, you should be aware of a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the Frame Relay subinterface will be unavailable. For example, suppose you configure Frame Relay 1.16 as an unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the Frame Relay 1.16 subinterface will be unavailable as well.

To minimize the chances of the interface with the IP address going down, you can assign the IP address to a loopback interface, which typically does not go down.

To configure a Frame Relay subinterface as an unnumbered interface, enter the following command from the Frame Relay subinterface configuration mode context:

Syntax: ip unnumbered <interface>

Valid interfaces include:

■ Ethernet interfaces and subinterfaces

■ other Frame Relay subinterfaces

■ PPP interfaces

■ HDLC interfaces

■ loopback interfaces

■ Asynchronous Transfer Mode (ATM) subinterfaces

■ demand interfaces

For example, you would enter the following commands to configure a loopback interface and then configure the Frame Relay 1.16 subinterface to use the IP address assigned to that loopback interface:

ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.1.1 /30
ProCurve(config-loop 1)# interface fr 1.16
ProCurve(config-fr 1.16)# ip unnumbered loopback 1

Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface changes to up after you enter the interface loopback <interface number> command.

Set the CIR

You can configure the CIR for the Frame Relay link using the frame-relay bc command. As explained earlier, the CIR is the bandwidth that your Frame Relay service provider guarantees your company.


The CIR is calculated from the Bc, which is the maximum number of bits that the Frame Relay carrier guarantees to forward during a certain interval of time (T). The CIR is equal to Bc/T.

You should set a Bc for each Frame Relay subinterface to ensure that the PVC does not exceed its CIR. Some Frame Relay service providers may charge your company extra if your company consistently transmits over its CIR.

The industry standard is to calculate the time interval as 1 second. As a result, the Bc is essentially the CIR. To set the CIR, enter the following command from the Frame Relay subinterface configuration mode context:

Syntax: frame-relay bc <committed burst value>

Replace <committed burst value> with your CIR expressed in bits. You can set a Bc between 0 and 4,294,967,294 bps.

For example, you might enter:

ProCurve(config-fr 1.1)# frame-relay bc 256000

Set the EIR

When your company negotiated an SLA, the terms of that agreement probably allowed for a burst rate on the Frame Relay connection. This burst rate is called the Excess Information Rate (EIR), which defines the maximum amount of traffic your company is allowed to send over its CIR.

The Be sets the maximum number of bits that the router can transmit during T. Just as Bc is equal to the CIR, Be is equal to the EIR. Be determines the rate at which the ProCurve Secure Router can burst data above the CIR when there is no congestion on the Frame Relay network.

Note: If you enter a value for the frame-relay bc command, you should also configure a burst rate for the Frame Relay link. Otherwise, the link will be limited to the bandwidth you specified in the frame-relay bc command.

Together, the frame-relay bc and the frame-relay be commands define the amount of bandwidth you can use on the Frame Relay link. The sum of the values you specify for these two commands should be greater than 8000.

To configure the EIR for the Frame-Relay link, enter:

Syntax: frame-relay be <excessive burst value>


Replace <excessive burst value> with a burst rate, expressed in bits. You can set a Be between 0 and 4,294,967,294 bps.

For example, you might enter:

ProCurve(config-fr 1.1)# frame-relay be 64000

Discard Eligible (DE) Bit. After a PVC reaches its CIR, the Frame Relay switch marks each packet with a Discard Eligible (DE) bit. For example, if a PVC’s Bc is 1.0 Mb, its Be is 1.5 Mb, and it is transmitting traffic at full capacity, then the Frame Relay switch will set the DE bit on the last 500 kilobytes of packets. If the Frame Relay network becomes congested, the Frame Relay switch first drops the packets that are marked with the DE bit.

Bind the Physical Interface to the Logical Interface

On the ProCurve Secure Router, you must bind the physical interface to the logical interface so that the router knows which Data Link Layer protocol to use for that WAN connection. When you bind a physical interface to a logical interface, the two are considered a single interface bind group.

You bind the physical interface to the Frame Relay interface, not to individual subinterfaces. In this way, various PVCs can use any available bandwidth on the physical connection to burst data past their CIR. You can enter the bind command from the global configuration mode context or from the Frame Relay interface configuration mode context:

Syntax: bind <bind number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>

The <bind number> is globally significant. That is, each bind command you enter on the router must have a unique bind number.

Replace <physical interface> with E1, T1, or serial. The <slot> and <port> pinpoint this interface’s location on the ProCurve Secure Router and distinguish multiple lines of the same type from each other.

If you are binding the Frame Relay interface to an E1 or T1 interface, replace <tdm-group number> with the TDM group you created when you configured that interface. If you are binding the serial interface to the Frame Relay interface, you do not include this option.

In this instance, the <logical interface> is Frame Relay, and the <logical interface number> refers to the number you assigned to this interface.


For example, if you want to bind the E1 1/1 interface to the Frame Relay 1 interface, enter:

ProCurve(config)# bind 1 e1 1/1 1 fr 1

Note: You bind the physical interface to the Frame Relay interface (not to the subinterface).

If you want to bind the serial 1/1 interface to the Frame Relay 1 interface, enter:

ProCurve(config)# bind 1 ser 1/1 fr 1

Note: When you bind a serial interface to the Frame Relay interface, you do not include a TDM group number because the serial interface does not use TDM groups.

To see an example configuration that uses Frame Relay, see “Example Networks” on page 6-46.

Additional Settings

Depending on your company’s WAN environment, you may want to configure other options on the Frame Relay interface or subinterface.

Configure a Secondary IP Address for the Subinterface. You can configure a secondary IP address on the Frame Relay subinterface. Enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> secondary

Replace <A.B.C.D> with the secondary IP address and specify a subnet mask using the <subnet mask> option or the </prefix length> option. Finally, include the secondary option.

For example, you might enter:

ProCurve(config-fr 1.1)# ip address 192.168.115.1 255.255.255.252 secondary

To remove the secondary IP address, enter:

Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary

You can include an unlimited number of secondary IP addresses.


Set the MTU. The MTU defines the largest size that a frame can be before it must be fragmented. The MTU size on the Frame Relay subinterface should match the MTU used by the remote router and the intervening network devices. Although you can match the MTU on your Frame Relay interface with that used by your public carrier’s equipment, you cannot ensure that all the intervening network devices will use the same MTU. To avoid any problems that may occur if an intervening network device is using a small MTU size, you may want to enable Frame Relay fragmentation. For more information about Frame Relay fragmentation, see the Advanced Management and Configuration Guide, Chapter 7: Setting Up Quality of Service.

Note: If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should take special care when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match.

By default, the MTU for Frame Relay subinterfaces is 1500 bytes. To change this setting, enter the following command from the Frame Relay subinterface configuration mode context:

Syntax: mtu <size>

Replace <size> with a number between 64 and 1520.

Adding a Description. You can add a description to a Frame Relay interface or subinterface if you want to document information about it. For example, if you have multiple PVCs configured on a Frame Relay interface, you may want to document the other end point of each PVC. In this case, you would enter the following command at the Frame Relay subinterface configuration mode context:

Syntax: description <line>

Replace <line> with a phrase up to 80 characters. For example, you might enter:

ProCurve(config-fr 1.16)# description WAN link to London office

This description is displayed when you enter the show running-config command. From the enable mode context, enter:

ProCurve# show running-config

You can also view the description by entering:

ProCurve# show running-config interface fr 1.16


This command displays the running-config settings for only the Frame Relay 1.16 subinterface, as shown below:

interface fr 1.16
 frame-relay interface-dlci 16
 description WAN link to London office
 ip address 192.168.1.1 255.255.255.0
 no shutdown

Settings Explained in Other Chapters

In addition to configuring these settings for Frame Relay, you can:

■ assign ACPs or ACLs to control access to the Frame Relay subinterface

■ enable bridging

■ assign crypto maps to enable VPNs

■ configure settings for routing protocols

■ configure Quality of Service (QoS) settings

Table 6-8 lists additional configurations that you can enter from the Frame Relay interface and subinterface and the page number where you can find information about those configurations.

Table 6-8. Additional Configurations for the Frame Relay

| Settings | Apply to Frame Relay Interface or Subinterface | Configuration Guide | Page |
|---|---|---|---|
| access controls to filter incoming and outgoing traffic | Frame Relay subinterface | Advanced | 5-18, 5-37 |
| bridging | Frame Relay subinterface | Basic | 10-6 |
| VPNs | Frame Relay subinterface | Advanced | 8-46 |
| routing commands for OSPF, RIP, or BGP | Frame Relay subinterface | Advanced | 13-1 |
| QoS settings | Frame Relay interface | Advanced | 7-28 |


Configuring HDLC as the Data Link Layer Protocol

One of the oldest Data Link Layer protocols for a WAN, HDLC actually predates the PC. Although it was developed for a mainframe environment, which includes primary and secondary devices, HDLC has been updated for use in the PC environment. However, some functionality and terminology have survived from its early use, as evidenced by its modes of operation.

HDLC has three modes of operation:

Normal Response Mode (NRM). A secondary device can transmit only when the primary device specifically instructs it to do so.

Asynchronous Response Mode (ARM). A secondary device can initiate a transmission; however, the primary device controls the establishment and termination of the link.

Asynchronous Balanced Mode (ABM). Devices at both ends of a connection are configured to be both primary and secondary devices and can establish a link, transmit data without permission, and terminate a link.

When you configure the ProCurve Secure Router to use HDLC for an E1 or T1 connection, it operates in ABM.

HDLC uses three different types of frames:

■ Unnumbered frames establish a link.

■ Supervisory frames carry error and flow control information.

■ Information frames carry the Network Layer packets across the WAN link.

Create the HDLC Interface

To begin configuring HDLC as the Data Link Layer protocol for an E1, T1, or serial interface, you must create a logical interface. From the global configuration mode context, enter:

Syntax: interface <interface> <number>

Replace <interface> with HDLC and replace <number> with any number between 1 and 1024. Each HDLC interface you configure on the router must have a unique number.

For example, if you are configuring the first HDLC interface on the router, you could enter:

ProCurve(config)# interface hdlc 1


The router prompt indicates that you have entered the appropriate interface configuration mode context:

ProCurve(config-hdlc 1)#

From this configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.

ProCurve(config-hdlc 1)# ?

Table 6-9 shows the main settings that you must configure for an E1, T1, or serial interface that uses HDLC.

Table 6-9. Options for Configuring an E1, T1, or Serial Interface with HDLC

Interface Configuration Mode Context: e1 (Page 4-10)

• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the E1 connection
• coding [ami | hdb3]: defines the line coding
• frame format [e1 | crc4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• no shutdown: activates the interface

Interface Configuration Mode Context: t1 (Page 4-10)

• tdm-group <number> timeslots <range of numbers>: defines the number of channels used for the T1 connection
• coding [ami | b8zs]: defines the line coding
• frame format [esf | d4]: defines the frame format
• clock source [internal | line | through]: defines the clock source, or timing, for the connection
• lbo long <value> | lbo short <value>: sets the level of the transmit signal
• no shutdown: activates the interface

Interface Configuration Mode Context: serial (Page 5-12)

• serial-mode [EIA530 | V35 | X21]: configures the serial interface to support the appropriate cable
• et-clock-source [txclock | rxclock]: configures the serial interface to take the clock from the transmit signal, txclock, or from the receive signal, rxclock
• no shutdown: activates the interface

Interface Configuration Mode Context: hdlc (Page 6-41)

• no shutdown: activates the interface
• ip address <A.B.C.D> <subnet mask | /prefix length>: assigns a static IP address to the HDLC interface
or
• ip unnumbered <interface>: configures the HDLC interface to use the IP address assigned to another interface

Interface Configuration Mode Context: global configuration or interface configuration (Page 6-43)

• bind <number> <physical interface> <slot>/<port> [<tdm-group number>] hdlc <interface number>: binds the physical interface to the logical interface; requires the tdm-group number for E1 and T1 interfaces, but not for serial interfaces

The HDLC settings are described in the sections that follow.

Activate the HDLC Interface

You must activate the HDLC interface. From the HDLC interface configuration mode context, enter:

ProCurve(config-hdlc 1)# no shutdown

Although the HDLC interface is activated, its status will not change to up until it is bound to a physical interface. It can then begin to negotiate an HDLC session, and if that negotiation is successful, the status of the HDLC interface will change to up.

Configure an IP Address for the WAN Connection

You configure the IP address for the WAN connection on the HDLC interface, rather than on the physical interface. There are two ways to assign an IP address to the HDLC interface:

■ assign a static IP address

■ configure the HDLC interface as an unnumbered interface

Assign a Static IP Address. To assign the HDLC interface an IP address, enter the following command from the HDLC interface configuration mode context:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

You can replace <subnet mask> with the complete subnet mask, or you can replace </prefix length> with the CIDR notation. For example, you might enter:

ProCurve(config-hdlc 1)# ip address 10.1.1.1 /24

Configure the HDLC Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the HDLC interface as an unnumbered interface. When you assign a logical interface an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces on your network. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.

You can configure the HDLC interface (and other interfaces on the ProCurve Secure Router) as an unnumbered interface. The HDLC interface will then use the IP address of another interface—the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending route updates over the unnumbered interface.

Configuring the HDLC interface as an unnumbered interface has a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the HDLC interface will be unavailable as well. For example, suppose you configure the HDLC 1 interface as an unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the HDLC 1 interface will also be unavailable.

To minimize the chances of the interface with the IP address going down, you can assign the IP address to a loopback interface, which typically does not go down.

To configure the HDLC interface as an unnumbered interface, enter the following command from the HDLC interface configuration mode context:

Syntax: ip unnumbered <interface>

Valid interfaces include:

■ ATM subinterfaces

■ Ethernet interfaces and subinterfaces

■ Frame Relay subinterfaces

■ loopback interfaces

■ PPP interfaces

■ demand interfaces


For example, you would enter the following commands to configure a loopback interface and then configure the HDLC 1 interface to use the IP address assigned to that loopback interface:

ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 192.168.5.1 /24
ProCurve(config-loop 1)# interface hdlc 1
ProCurve(config-hdlc 1)# ip unnumbered loopback 1

Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface changes to up after you enter the interface loopback command.

Bind the Physical Interface to the Logical Interface

On the ProCurve Secure Router, you must bind the physical interface to the logical interface so that the router knows which Data Link Layer protocol to use for that WAN connection. When you bind a physical interface to a logical interface, the two are considered a single interface bind group.

You can enter the bind command from the global configuration mode context or the HDLC interface configuration mode context:

Syntax: bind <bind number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>

You can also enter the bind command from the HDLC interface configuration mode context.

Replace <bind number> with a number that is globally significant. That is, each bind command you enter on the router must have a unique bind number.

Replace <physical interface> with E1, T1, or serial. Replace <slot> and <port> with the numbers that identify the physical interface’s location on the ProCurve Secure Router.

If you are binding the HDLC interface to an E1 or T1 interface, include the <tdm-group number> that you created when you configured the E1 or T1 interface. If you are binding the HDLC interface to a serial interface, you do not include this option.

Replace <logical interface> with hdlc and the <logical interface number> with the number you assigned to this interface.


For example, if you want to bind the T1 2/1 interface to the HDLC 1 interface, enter:

ProCurve(config)# bind 1 t1 2/1 1 hdlc 1

If you want to bind the serial interface to the HDLC interface, enter:

ProCurve(config)# bind 1 serial 1/1 hdlc 1

Note: If you are binding a serial interface to the HDLC interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.

Additional Settings

Depending on your company’s WAN environment, you may want to configure other options on the HDLC interface.

Configure a Secondary IP Address for the Interface. You can configure a secondary IP address on the HDLC interface. From the HDLC interface configuration mode context, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> secondary

Replace <A.B.C.D> with the secondary IP address and specify a subnet mask using the <subnet mask> option or the </prefix length> option. Finally, include the secondary option.

For example, you might enter:

ProCurve(config-hdlc 1)# ip address 192.168.5.1 255.255.255.252 secondary

You can include an unlimited number of secondary IP addresses.

To remove the secondary IP address, enter:

Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary

Set the MTU. The MTU defines the largest size that a frame can be. If a frame exceeds the size limit, it must be fragmented. For best results, the MTU size on the HDLC interface should match the MTU used by the remote router.


Note: If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should take special care when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match.

By default, the MTU for HDLC interfaces is 1500 bytes. To change this setting, enter the following command from the HDLC interface configuration mode context:

Syntax: mtu <size>

Replace <size> with a number between 64 and 1520.

Add a Description. You can add a description to the HDLC interface if you want to document information that will be displayed in the running-config. From the HDLC interface configuration mode context, enter:

Syntax: description <line>

Replace <line> with a phrase up to 80 characters. For example, you might enter:

ProCurve(config-hdlc 1)# description WAN link to Saratoga Street office

This description is displayed only when you enter the show running-config command. From the enable mode context, enter:

ProCurve# show running-config

You must then scroll through the entire running-config to find the interface hdlc heading. To view only the running-config for the HDLC interface, enter:

ProCurve# show running-config interface hdlc 1

This command displays the running-config settings for only the HDLC interface, as shown below:

interface hdlc 1
 description WAN link to Saratoga Street office
 ip address 192.168.1.1 255.255.255.0
 bind 1 e1 1/1 1 hdlc 1
 no shutdown
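Several rules stated in this chapter for Frame Relay and HDLC interfaces can be checked against saved show running-config output: unique bind numbers, a TDM group on E1 and T1 binds but not on serial binds, the MTU range, the description length, a burst rate configured alongside frame-relay bc, and a loopback as the donor for ip unnumbered. The Python below is an added example, not part of the ProCurve guide; the sample configuration is constructed, and the function and rule names are hypothetical labels.

```python
import re

# Constructed sample (not from the guide): saved "show running-config" output
# that breaks several of the rules stated in this chapter.
SAMPLE_CONFIG = """\
interface loopback 1
 ip address 10.1.1.1 255.255.255.252
!
interface eth 0/1
 ip address 192.168.5.1 255.255.255.0
!
interface fr 1 point-to-point
 bind 1 e1 1/1 1 frame-relay 1
!
interface fr 1.16 point-to-point
 frame-relay interface-dlci 16
 frame-relay bc 256000
 ip unnumbered loopback 1
!
interface hdlc 1
 ip unnumbered eth 0/1
 mtu 1600
 no shutdown
 bind 1 t1 2/1 hdlc 1
"""

# bind <bind number> <physical> <slot>/<port> [<tdm-group>] <logical> <number>
BIND_RE = re.compile(
    r"^bind (\d+) (e1|t1|serial|ser) (\d+/\d+)(?: (\d+))? "
    r"(frame-relay|fr|ppp|hdlc) (\d+)$"
)


def parse_stanzas(config_text):
    """Map each 'interface <type> <id>' to its commands; '' holds global commands."""
    stanzas = {"": []}
    current = ""
    for line in filter(None, map(str.strip, config_text.splitlines())):
        if line == "!":  # stanza separator
            current = ""
            continue
        m = re.match(r"interface (\S+) (\S+)", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            stanzas.setdefault(current, [])
        else:
            stanzas[current].append(line)
    return stanzas


def audit(config_text):
    """Return (interface, rule, detail) findings; rule names are hypothetical labels."""
    stanzas = parse_stanzas(config_text)
    findings, bind_owner = [], {}
    for name, commands in stanzas.items():
        where = name or "global"
        bc = be = None
        for cmd in commands:
            words = cmd.split()
            if words[0] == "bind":
                m = BIND_RE.match(cmd)
                if not m:
                    findings.append((where, "bind-syntax", cmd))
                    continue
                number, physical, _, tdm, _, _ = m.groups()
                if number in bind_owner:  # bind numbers are globally significant
                    findings.append((where, "bind-number-reused", cmd))
                bind_owner[number] = where
                if physical in ("e1", "t1") and tdm is None:
                    findings.append((where, "bind-missing-tdm-group", cmd))
                if physical in ("ser", "serial") and tdm is not None:
                    findings.append((where, "bind-unexpected-tdm-group", cmd))
            elif cmd.startswith("ip unnumbered "):
                donor = cmd[len("ip unnumbered "):]
                donor_cmds = stanzas.get(donor, [])
                if not any(c.startswith("ip address ") for c in donor_cmds):
                    findings.append((where, "unnumbered-donor-has-no-address", cmd))
                elif not donor.startswith("loopback "):
                    # The link becomes unavailable if the donor interface goes down.
                    findings.append((where, "unnumbered-donor-not-loopback", cmd))
            elif words[0] == "mtu" and not 64 <= int(words[1]) <= 1520:
                findings.append((where, "mtu-out-of-range", cmd))
            elif words[0] == "description" and len(cmd) - len("description ") > 80:
                findings.append((where, "description-too-long", cmd))
            elif cmd.startswith("frame-relay bc "):
                bc = int(words[2])
            elif cmd.startswith("frame-relay be "):
                be = int(words[2])
        if bc is not None and be is None:  # link is held to the bc bandwidth
            findings.append((where, "bc-without-be", f"bc {bc}"))
        elif bc is not None and bc + be <= 8000:
            findings.append((where, "bc-plus-be-too-small", f"bc {bc} be {be}"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the constructed sample, the audit reports the missing burst rate on fr 1.16 and four problems on hdlc 1: an Ethernet donor for ip unnumbered, an MTU above 1520, a reused bind number, and a T1 bind with no TDM group.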


Settings Explained in Other Chapters

In addition to configuring these settings for an HDLC interface, you can:

■ assign ACPs or ACLs to control access to the HDLC interface

■ enable bridging

■ assign crypto maps to enable VPNs

■ configure settings for routing protocols

■ configure QoS settings

Table 6-10 lists additional configurations that you can enter from the HDLC interface and the page number where you find information about those configurations.

Table 6-10. Additional Configurations for the HDLC Interface

| Settings | Configuration Guide | Page |
|---|---|---|
| access controls to filter incoming and outgoing traffic | Advanced | 5-18, 5-37 |
| bridging | Basic | 10-6 |
| VPNs | Advanced | 8-46 |
| routing commands for OSPF, RIP, or BGP | Advanced | 13-1 |
| QoS settings | Advanced | 7-28 |

Example Networks

This section outlines examples of E1- and T1-carrier lines that use PPP, Frame Relay, and HDLC as the Data Link Layer protocol. It also provides examples of WANs that are using PPP authentication.

Example 1. Figure 6-9 shows a company’s WAN that includes a connection between two offices in London. Because this company needed a constant, reliable connection between these two offices, they leased an E1-carrier line for both the Seething Lane and Chelsea Harbor offices. The Data Link Layer protocol is PPP.

The company also required a connection to its Paris office. For this connection, the company negotiated an SLA with a Frame Relay service provider.

Finally, the company set up an Asymmetric Digital Subscriber (ADSL) line to a local Internet Service Provider (ISP). Through this connection, the company’s employees can access the Internet. (For information about ADSL, see Chapter 7: ADSL WAN Connections.)

Figure 6-9. Example WAN Using E1-Carrier Lines with PPP and Frame Relay

[Figure 6-9 diagram labels: Router A, London Seething Lane Office; Router B, London Chelsea Harbor; Router C, Paris; Internet Router, ISP; E1 with PPP, 192.168.1.1; E1 with Frame Relay, 10.1.1.1 /30; Frame Relay Network; E1 with Frame Relay; ADSL2+ Annex B with PPPoE]

Figure 6-10 shows the configuration for the E1, PPP, and Frame Relay interfaces, as they appear in the running-config for Router B, the router for the London Chelsea Harbor office.

Figure 6-10. Running-Config for Router B in Example 1

interface e1 1/1
 tdm-group 1 timeslots 1-31 speed 64
 no shutdown
!
interface e1 1/2
 clock source through
 tdm-group 1 timeslots 1-31 speed 64
 no shutdown
!
interface fr 1 point-to-point
 frame-relay intf-type dte
 frame-relay lmi-type q933a
 no shutdown
 bind 2 e1 1/2 1 frame-relay 1
!
interface fr 1.16 point-to-point
 frame-relay interface-dlci 16
 frame-relay bc 1600000
 frame-relay be 128000
 ip address 10.1.1.1 255.255.255.252
!
interface ppp 1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 bind 1 e1 1/1 1 ppp 1

Because the company is using default settings for line coding (HDB3) and frame format (E1) on the E1-carrier lines, the network administrator did not enter these settings. Consequently, they are not listed when you enter the following command from the enable mode context:

ProCurve# show running-config

To view all of the configuration settings—including the default settings—you must enter:

ProCurve# show running-config verbose

Example 2. The WAN shown in Figure 6-11 is for a U.S.-based company that has three offices: The main office is in Atlanta, and the two branch offices are in San Francisco and London. To connect the San Francisco office to the Atlanta office, the company leased a T1-carrier line for each office and is using HDLC as the Data Link Layer protocol. The two offices are exchanging confidential information and wanted a dedicated connection with the full bandwidth of a T1-carrier line.

To connect the Atlanta office to the London office, the company chose Frame Relay, which allows them to cross country borders at a more affordable cost than dedicated T1- and E1-carrier lines.

The company uses ADSL for its Internet connection at the Atlanta office. (For information about ADSL, see Chapter 7: ADSL WAN Connections.)

Figure 6-11. Example WAN Using Carrier Lines with HDLC and Frame Relay

[Figure 6-11 diagram labels: Router, Atlanta; Router, San Francisco; Router, London; Internet Router, ISP; T1 with HDLC, 10.1.1.1 /30; T1 with Frame Relay, 10.5.5.1 /30; Frame Relay Network; E1 with Frame Relay; ADSL Annex A]

Figure 6-12 shows the configurations for the T1, HDLC, and Frame Relay interfaces, as they appear in the running-config for the Atlanta router.

Figure 6-12. Running-Config for the Atlanta Router in Example 2

interface t1 1/1
  lbo short 550
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface t1 1/2
  clock source through
  lbo short 550
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
!
interface fr 1 point-to-point
  frame-relay intf-type dte
  frame-relay lmi-type ansi
  no shutdown
  bind 2 t1 1/2 1 frame-relay 1
!
interface fr 1.104 point-to-point
  frame-relay interface-dlci 104
  ip address 10.5.5.1 255.255.255.252
!
interface hdlc 1
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 1 t1 1/1 1 hdlc 1

Because the company is using default settings for line coding (B8ZS) and frame format (ESF) on the T1-carrier lines, the network administrator did not enter these settings. Consequently, they are not listed when you enter the following command from the enable mode context:

ProCurve# show running-config

To view all of the configuration settings, including the default settings, you must enter:

ProCurve# show running-config verbose

Example 3: Two Routers Authenticating Each Other with PAP. In this example, the router at Site A (hostname Local) and the router at Site B (hostname Remote) authenticate each other with PAP. Local’s password is XXX, and Remote’s password is YYY. (See Figure 6-13.)


You would configure Local as follows:

1. Access the PPP interface configuration mode context:

Local(config)# interface ppp 1

2. Configure the router to authenticate Remote with PAP:

Local(config-ppp 1)# ppp authentication pap

3. Set Remote’s username and password:

Local(config-ppp 1)# username Remote password YYY

4. Set the router’s own PAP username and password:

Local(config-ppp 1)# ppp pap sent-username Local password XXX

Figure 6-13. Routers Authenticating Each Other

Remote would then be configured in the same way:

1. Access the PPP interface configuration mode and configure the router to authenticate Local with PAP:

Remote(config)# interface ppp 1
Remote(config-ppp 1)# ppp authentication pap

2. Set Local’s username and password:

Remote(config-ppp 1)# username Local password XXX

3. Set the router’s own PAP username and password:

Remote(config-ppp 1)# ppp pap sent-username Remote password YYY

Example 4: One Peer Requesting CHAP. The routers do not both have to require authentication. For example, Local alone could require Remote to authenticate itself using CHAP. The commands would be as follows for Local:

Local(config)# interface ppp 1
Local(config-ppp 1)# ppp authentication chap
Local(config-ppp 1)# username Remote password YYY

[Figure 6-13 labels: router Local (password XXX), PPP database: username Remote password YYY; router Remote (password YYY), PPP database: username Local password XXX]


Remote would be configured as follows:

Remote(config)# interface ppp 1
Remote(config-ppp 1)# ppp chap password YYY

Example 5: CHAP Authentication to an ISP. In this example, the ISP has provided an ID (ID-GIVEN-BY-ISP) and password (PWD-GIVEN-BY-ISP) to be used when authenticating through CHAP. (See Figure 6-14.)

Figure 6-14. Authentication to an ISP

You would configure the router being authenticated as follows:

1. Access the PPP interface:

ProCurve(config)# interface ppp 1

2. Configure the ID given by the ISP to override the local hostname:

ProCurve(config-ppp 1)# ppp chap hostname ID-GIVEN-BY-ISP

3. Set the password given by the ISP:

ProCurve(config-ppp 1)# ppp chap password PWD-GIVEN-BY-ISP

[Figure 6-14 labels: Local; ISP assigned hostname; ISP assigned password; Internet]
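The following Python code is an added example, not part of the ProCurve guide: it audits the authentication posture of every PPP interface in a saved running-config, using the commands from Examples 3 through 5. It assumes the running-config lists those commands as they were entered; the sample config, the function names, and the finding labels are constructed for illustration.

```python
import re


def ppp_stanzas(config_text):
    """Yield (interface name, command lines) for each 'interface ppp N' stanza."""
    name, body = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if name is not None:
                yield name, body
            is_ppp = line.startswith("interface ppp ")
            name, body = (line[len("interface "):] if is_ppp else None), []
        elif name is not None and line:
            body.append(line)
    if name is not None:
        yield name, body


def audit_ppp(config_text):
    """Map each PPP interface to the authentication findings for its stanza."""
    report = {}
    for name, body in ppp_stanzas(config_text):
        required = None        # protocol the peer must use to authenticate itself
        has_db_entry = False   # a 'username ... password ...' PPP database entry
        sends = set()          # protocols this router authenticates itself with
        for cmd in body:
            m = re.match(r"ppp authentication (pap|chap)$", cmd)
            if m:
                required = m.group(1)
            elif re.match(r"username \S+ password \S+$", cmd):
                has_db_entry = True
            elif cmd.startswith("ppp pap sent-username "):
                sends.add("pap")
            elif cmd.startswith("ppp chap password "):
                sends.add("chap")
        findings = []
        if required is None:
            findings.append("peer-not-authenticated")
        elif not has_db_entry:
            findings.append("no-ppp-database-entry")
        if required == "pap":
            findings.append("peer-password-cleartext")   # PAP does not encrypt
        if "pap" in sends:
            findings.append("own-password-cleartext")
        report[name] = findings
    return report


# Constructed sample: ppp 1 = Example 3 (Local), ppp 2 = Example 4 (Local),
# ppp 3 = Example 5, ppp 4 = CHAP required but no PPP database entry.
SAMPLE_CONFIG = """
interface ppp 1
  ip address 10.1.1.1 255.255.255.252
  ppp authentication pap
  username Remote password YYY
  ppp pap sent-username Local password XXX
  no shutdown
!
interface ppp 2
  ppp authentication chap
  username Remote password YYY
  no shutdown
!
interface ppp 3
  ppp chap hostname ID-GIVEN-BY-ISP
  ppp chap password PWD-GIVEN-BY-ISP
  no shutdown
!
interface ppp 4
  ppp authentication chap
  no shutdown
!
interface hdlc 1
  ip address 10.5.5.1 255.255.255.252
"""

if __name__ == "__main__":
    for interface, findings in audit_ppp(SAMPLE_CONFIG).items():
        print(interface, findings or ["ok"])
```

An interface reported as peer-not-authenticated corresponds to the "No authentication" line in the show interface ppp output.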


Checking the Status of Logical Interfaces

After you configure the physical and logical interfaces and bind them together, the ProCurve Secure Router should be able to exchange data with the device at the other end of the WAN connection.

View the Status of Interfaces

To view the status of the logical interface you have bound to the E1, T1, or serial interface, you can use show commands. Table 6-11 lists the show commands that you can use to view information about interfaces.

Table 6-11. show Commands for Logical Interfaces

Command                                                       Explanation
show interfaces                                               displays information about all the interfaces (active or inactive) on the ProCurve Secure Router
show interface <interface> <number> [realtime]                displays information about a specific logical interface
show running-config                                           displays all of the settings that you have configured for the ProCurve Secure Router
show running-config verbose                                   displays the entire running-config, including the default settings
show running-config interface <interface> <number>            displays the settings that you have configured for a particular interface
show running-config interface <interface> <number> verbose    displays the entire running-config for a particular interface, including the default settings

Viewing the Status of PPP Interfaces

For example, if you want to view the status of the PPP 1 interface, enter the following command from the enable mode context:

Syntax: show interface ppp 1

Figure 6-15 shows the results of this command for a sample network.


Figure 6-15. show interface ppp <number>

This command displays a report about the logical interface’s status, including information such as:

■ whether the interface is up or down

■ whether the physical link bound to the logical interface is up or down

■ whether the LCP is opened

■ endpoint settings

■ errors

■ queuing method

■ available bandwidth

■ the negotiated NCP and whether it is opened

■ IP address

■ peer IP address

Figure 6-15 output:

ppp 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
      MTU = 1492
    No authentication
    IP is configured
      192.168.1.20 255.255.255.0
  Link thru atm 1.1 is UP; LCP state is OPENED, negotiated MTU is 1492
    Receive: bytes=20296, pkts=2727, errors=0
    Transmit: bytes=27728, pkts=2214, errors=0
    5 minute input rate 208 bits/sec, 0 packets/sec
    5 minute output rate 112 bits/sec, 0 packets/sec
  Bundle information
    Queueing method: fifo
    HDLC tx ring limit: 0
    Output queue: 0/1/200/0 (size/highest/max total/drops)
    IP is UP, IPCP state is OPENED
      Address=192.168.1.20 Mask=255.255.255.0
      Peer address=192.168.1.1
      IP MTU=1492, Bandwidth=896 Kbps
    LLDPCP State is STOPPED

Figure 6-15 callouts: status of interface; no authentication is configured; status of NCP; negotiated MTU; IP address of PPP peer; IP address.


Viewing the Status of Frame Relay Interfaces and Subinterfaces

For Frame Relay, you can view the status of both the interface and the subinterface. To view information about the Frame Relay interface, enter the following command from the enable mode context:

Syntax: show interface frame-relay <number>

Figure 6-16 shows the results of this command for a sample network.

Figure 6-16. show interface frame-relay <number>

With this command, you can view the Frame Relay signaling role and signaling type, and you can view the information about packet discards or errors.

You can view this information in real time by adding the realtime option when you enter the show command:

Syntax: show interface frame-relay <number> realtime

Figure 6-17 shows the results of this command for a sample network.

Figure 6-16 output:

fr 1 is UP
  Configuration:
    Signaling type is AUTO, signaling role is USER
    Multilink disabled
    Polling interval is 10 seconds, full inquiry interval is 6 polling intervals
  Link information:
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 8 bits/sec, 0 packets/sec
    BW 1984 Kbit
    Queueing method: weighted fair
    HDLC tx ring limit: 2
    Output queue:0/1/100/64/0 (size/highest/max total/threshold/drops)
      Conversations 0/1/256 (active/max active/max total)
      Available Bandwidth 1488 kilobits/sec
    0 packets input, 0 bytes
    1 pkts discarded, 0 error pkts, 0 unknown protocol pkts
    25 packets output, 334 bytes
    1 tx pkts discarded, 0 tx error pkts

Figure 6-16 callouts: status of interface; signaling type and role.


Figure 6-17. show interface frame-relay <number> realtime

The Secure Router OS will continue to refresh this display with current information until you enter Ctrl+C to end the display.

To view information about the Frame Relay subinterface, enter the following command from the enable mode context:

Syntax: show interface frame-relay <number.subinterface number>

Figure 6-18 shows the results of this command for a sample network.

Figure 6-18. show interface frame-relay <number.subinterface number>

As Figure 6-18 shows, you can view the status of the Frame Relay subinterface, the IP address, the DLCI, the MTU size, and the average utilization.

Figure 6-17 output:

-------------------------------------------------------------------
fr 1 is UP
  Configuration:
    Signaling type is ANSI, signaling role is USER
    Multilink disabled
    Polling interval is 10 seconds, full inquiry interval is 6 polling intervals
  Link information:
    5 minute input rate 24 bits/sec, 0 packets/sec
    5 minute output rate 8 bits/sec, 0 packets/sec
    BW 1984 Kbit
    Queueing method: weighted fair
    HDLC tx ring limit: 2
    Output queue:0/1/428/64/0 (size/highest/max total/threshold/drops)
      Conversations 0/1/256 (active/max active/max total)
      Available Bandwidth 1488 kilobits/sec
    44 packets input, 915 bytes
    1 pkts discarded, 0 error pkts, 0 unknown protocol pkts
    23 packets output, 322 bytes
    1 tx pkts discarded, 0 tx error pkts
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'

Figure 6-18 output:

fr 1.1 is Active
  Ip address is 10.10.10.1, mask is 255.255.255.252
  Interface-dlci is 104
  MTU is 1500 bytes, BW is 128000 Kbit (limited)
  Average utilization is 92%

Figure 6-18 callouts: status of interface; DLCI; utilization.


Viewing the Status of HDLC Interfaces

To view information about the HDLC interface, enter the following command from the enable mode context:

Syntax: show interface hdlc <number>

Figure 6-19 shows the results of this command for a sample network.

Figure 6-19. show interface hdlc <number>

Viewing Configuration Information

You can view the running-config for a logical interface by entering the following command from the enable mode context:

Syntax: show running-config interface <interface> <number>

Replace <interface> with the logical interface and replace <number> with the number you used to create that interface. For example, to view the running-config for an HDLC interface, enter:

ProCurve# show running-config interface hdlc 1

Figure 6-20 shows the results of this command for a sample network.

Figure 6-20. show running-config interface hdlc <number>

Figure 6-19 output:

hdlc 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    IP is configured
      10.1.1.1 255.255.255.252
  Link information:
    Receive: bytes=6896, pkts=65, errors=0, broadcast=22
    Transmit: bytes=8158, pkts=79, errors=0, broadcast=29
    5 minute input rate 184 bits/sec, 0 packets/sec
    5 minute output rate 216 bits/sec, 0 packets/sec
    IP is UP
      Address=10.1.1.1 Mask=255.255.255.252
      IP MTU=1500, Bandwidth=1984 Kbps

Figure 6-19 callouts: status of interface; IP address; MTU and bandwidth.

Figure 6-20 output:

interface hdlc 1
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 1 e1 1/1 1 hdlc 1


Troubleshooting Logical Interfaces

If the physical interface is up but the logical interface is not, the steps you take to troubleshoot the problem vary, depending on the Data Link Layer protocol you are using. This section is organized into three parts:

■ troubleshooting the PPP interface

■ troubleshooting the Frame Relay interface and subinterface

■ troubleshooting the HDLC interface

Note: Enter the show and debug commands described in this troubleshooting section from the enable mode context. You can also access these commands from any configuration mode context by adding do to the beginning of the command.

Troubleshooting the PPP Interface

The first tool in troubleshooting a logical interface is the show interfaces command. From the enable mode context, enter the following command to check the status of a PPP interface that is bound to the E1, T1, or serial interface:

Syntax: show interfaces ppp <number>


Figure 6-21. show interface ppp <number>

If the PPP interface is down, you should recheck the configuration to see if there are any errors. (See Figure 6-21.) You should also ensure that you have bound the physical interface to the PPP interface. If you have entered a bind command, it should be displayed when you enter show running-config interface ppp <number> from the enable mode context.

You should then determine if all steps for establishing a PPP session were completed successfully. The output for the show interface ppp command provides basic information about different PPP protocols, and you can use this information to determine if these PPP protocols were exchanged. If you want more detailed information to troubleshoot the PPP session, you can use debug commands, which are explained later in this section.

LCP State. When you enter the show interfaces ppp command, the status report indicates whether the LCP state is opened, initial, or starting.

■ If the LCP is opened, the ProCurve Secure Router was able to exchange LCP packets with its peer.

■ If the LCP is in the initial state, the ProCurve Secure Router has not yet succeeded in establishing a link with the peer.

■ If the LCP state is starting, the PPP interface is attempting to reopen a link that has been lost.

Figure 6-21 output:

ppp 2 is DOWN
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
      MTU = 1500
    No authentication
    IP is configured
      15.1.1.1 255.0.0.0
  Link thru ser 2/1 is DOWN; LCP state is INITIAL
    Receive: bytes=0, pkts=0, errors=0
    Transmit: bytes=0, pkts=0, errors=0
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
  Bundle information
    Queueing method: weighted fair
    HDLC driver does not support quality-of-service, or is not cross-connected
    Output queue: 0/0/-1512133286/64/0 (size/highest/max total/threshold/drops)
      Conversations 0/0/0 (active/max active/max total)
      Available Bandwidth 0 kilobits/sec


If the LCP status is not opened, you may need to double-check your configuration settings with your public carrier. For example, the carrier may have allocated a different number of DS0 channels to the physical line. You will need to reconfigure the physical interface to the correct number of DS0 channels. The public carrier may also be using a different Data Link Layer protocol.

NCP State. If the router has been able to exchange LCPs and has successfully passed through the authentication phase, the show interfaces ppp command displays:

■ the type of NCP the router is using

■ the status of the NCP

Figure 6-22. Using the show interface ppp Command to Check the NCP

In Figure 6-22, PPP is using IPCP as the NCP. If the NCP is not open, it cannot encapsulate one or both of the two peers’ network protocols. Verify that both ends of the connection are using viable upper-layer protocols.

Debug Commands. You can also isolate problems by examining frames coming through the PPP interface in real time. You can use this information to track the establishment of the PPP session and determine when and why the connection is not established.

Figure 6-22 output:

ppp 1 is UP
  Configuration:
    Keep-alive is set (10 sec.)
    No multilink
      MTU = 1500
    No authentication
    IP is configured
      10.1.1.1 255.255.255.252
  Link thru t1 1/1 is UP; LCP state is OPENED, negotiated MTU is 1500
    Receive: bytes=870, pkts=68, errors=0
    Transmit: bytes=1070, pkts=48, errors=0
    5 minute input rate 24 bits/sec, 0 packets/sec
    5 minute output rate 24 bits/sec, 0 packets/sec
  Bundle information
    Queueing method: weighted fair
    HDLC tx ring limit: 2
    Output queue: 0/1/400/64/0 (size/highest/max total/threshold/drops)
      Conversations 0/1/256 (active/max active/max total)
      Available Bandwidth 1536 kilobits/sec
    IP is DOWN, IPCP state is CLOSED
    LLDPCP State is OPENED

Figure 6-22 callout: check the status of NCP.


Note: Debug commands are processor intensive.

Table 6-12 lists the debug commands you can use to monitor PPP interfaces.

Table 6-12. Debug commands for PPP Interfaces

Command                     Explanation
debug ppp verbose           displays detailed information about all PPP frames as they arrive on or are sent from the PPP interface
debug ppp errors            displays error messages relating to PPP
debug ppp negotiation       displays events relating to link negotiation; shows if link protocols are able to open; reveals when negotiations between two PPP peers fail
debug ppp authentication    displays real-time messages relating to PAP and CHAP
undebug all                 turns off debug messages

For example, if the status of the NCP is stopped, you may want to enter the debug ppp negotiation command. You should be able to see each stage in the process of establishing a PPP connection. Figure 6-23 shows the debug messages when a PPP connection is established successfully.


Figure 6-23. debug ppp negotiation

Troubleshooting PPP Authentication

If you are troubleshooting a PPP connection and you notice that the LCP state is continually going up and down, it is possible that one or both of the peers cannot authenticate themselves. You can view debug authentication messages to determine whether the local or the remote router has failed to authenticate itself. When troubleshooting PAP, you can also view the usernames and passwords the routers are sending.

To monitor the PPP authentication process, enter the following command from the enable mode context:

ProCurve# debug ppp authentication

Troubleshooting PAP. If you are using PAP authentication, look for messages such as those shown in Figure 6-24.

Figure 6-23 output:

2005.08.12 17:51:01 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Ack ID=33 Len=16 ACCM(00000000) MAGIC(d418e92e)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Req ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] LCP: Conf-Ack ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPFSM: layer up, Protocol=c021
2005.08.12 17:51:02 PPP.NEGOTIATION e1 1/1: LCP up
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] LLDPCP: Conf-Req ID=1 Len=4
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] IPCP: Conf-Req ID=1 Len=10 IP (10.1.1.1)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Identification MAGIC(2656e0ba) Msg(A04)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] IPCP: Conf-Req ID=1 Len=22 IP(10.3.3.2) PriDNS(0.0.0.0) SecDNS(0.0.0.0)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] IPCP: Conf-Rej ID=1 Len=16 PriDNS(0.0.0.0) SecDNS(0.0.0.0)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: ProtoRej (82cc)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] IPCP: Conf-Ack ID=1 Len=10 IP(10.1.1.1)
2005.08.12 17:51:02 INTERFACE_STATUS.ppp 1 changed state to up
2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] IPCP: Conf-Req ID=2 Len=10 IP(10.3.3.2)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] IPCP: Conf-Ack ID=2 Len=10 IP(10.3.3.2)
2005.08.12 17:51:02 PPP.NEGOTIATION PPPFSM: layer up, Protocol=8021
2005.08.12 17:51:02 PPP.NEGOTIATION ppp 1: IPCP up

Figure 6-23 callouts: LCP successful; NCP successful.


Figure 6-24. PAP Authentication Messages

The Authen-Req message is the message the authenticating peer sends with its username and password. If you see such a message marked with PPPtx, you know that your router is attempting to authenticate itself to the remote endpoint. The PeerID and Password fields are the values that this router sends as its username and password. When the interface receives an Authen-Nak, as shown above, the peer has rejected these values.

In this example, the interface has not been configured to send a password. You would need to obtain the correct username and password from your peer and configure them in the PPP interface configuration mode context.

When the local router is the authenticator, you can check the debug messages for the username and password the remote router is sending. Because PAP does not use encryption, the password will be readable in plain text. (See Figure 6-25.)

Figure 6-25. Finding the Peer’s PAP Password

If you recognize the PeerID as that of a legitimate endpoint and the password seems correct, make sure that the username and password in the PPP database have been entered correctly. Enter show run interface ppp <interface number> and look for username and password. Otherwise, contact the remote site and inform it that it is sending the wrong password.

Figure 6-24 output:

ProCurve# debug ppp authentication
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password()
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Nak ID=1 Len=5 Message()

Figure 6-24 callouts: The local router is attempting to authenticate itself. The remote router rejects the password.

Figure 6-25 output:

ProCurve# debug ppp authentication
2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Remote) Password(procurve)

Figure 6-25 callouts: peer’s username; peer’s password.


When a peer successfully authenticates itself, the authenticator returns an Authen-Ack:

2005.07.08 09:05:08 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Ack ID=1 Len=10 Message(Hello)

Note: Usernames and passwords are case-sensitive.

Troubleshooting CHAP. If you are using CHAP authentication, look for messages such as those shown in Figure 6-26.

Figure 6-26. CHAP Authentication Messages

The Challenge message indicates which router requires the other to authenticate itself. In this example, the router with the hostname Local authenticates Remote. (The PPPtx also indicates that the local router transmits the challenge.) The Failure message indicates that Remote could not correctly identify itself.

View the running config for the interface (show run int ppp <interface number>) and look for miskeyed passwords.

If the local router cannot authenticate itself, check the ppp chap hostname and ppp chap password. If they seem correct, contact the remote site or ISP and explain your problem.

If the remote router cannot authenticate itself, check the ppp username and password in the running config, which may have been miskeyed. If they are correct, contact the remote site and inform the network administrator that the router is sending the wrong authentication information.

Note: Usernames and passwords are case sensitive.

Figure 6-26 output:

ProCurve# debug ppp authentication
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/1] CHAP: Challenge ID=1 Len=28 ValLen=16 Name(Local)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPrx[t1 1/1] CHAP: Response ID=1 Len=25 ValLen=16 Name(Remote)
2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/1] CHAP: Failure ID=1 Len=4 Message()

Figure 6-26 callout: peer’s hostname.


Incompatible Authentication Protocols. If you do not receive any PPP authentication debug messages at all, the local and remote routers may be requesting different authentication protocols. In this case, the LCP state will not come up because the peers cannot negotiate the authentication option.

You could test this theory by debugging PPP negotiation events and looking for a Conf-Nak message. This message indicates that one of the peers must refuse an option proposed by the other.

Caution: PPP debug messages are processor intensive because peers exchange LCP frames again and again in an attempt to negotiate the session. If the router is currently supporting network traffic, debugs can compromise its functions. When you suspect that authentication is keeping a connection from going up, you can simply try changing the type of authentication you require or send. If the PPP connection then goes up (or if PPP authentication debug messages appear), you know that incompatible authentication protocols were at least partially at fault.

In Figure 6-27, the local router requires PAP, but the remote router is configured for CHAP.

Figure 6-27. Debugs for Incompatible Authentication Protocols
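The following Python code is an added example, not part of the ProCurve guide: it parses debug lines in the format of Figures 6-24 through 6-27, masks PAP passwords before a capture is stored or shared, and reports rejected credentials and an authentication-protocol mismatch. The function names and finding labels are assumptions made for illustration; the sample lines are adapted from the figures on this page.

```python
import re

# Line shape used by the debug figures on this page:
#   <date> <time> PPP.<CATEGORY> PPP<tx|rx>[<port>] <PROTO>: <Message> ID=<n> ... Field(value)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) PPP\.(?P<category>[A-Z]+) "
    r"PPP(?P<dir>tx|rx)\[(?P<port>[^\]]+)\] (?P<proto>[A-Z]+): "
    r"(?P<msg>[A-Za-z-]+)(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)\(([^)]*)\)")   # PeerID(Remote), AP(PAP), ...
ID_RE = re.compile(r"\bID=(\d+)")
# Password(...) is the last field of a PAP Authen-Req, so match greedily up to
# the final ")" in case the password itself contains a parenthesis.
PASSWORD_RE = re.compile(r"Password\((.*)\)")


def parse_line(line):
    """Return a dict for a PPPtx/PPPrx debug line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["fields"] = dict(FIELD_RE.findall(ev["rest"]))
    id_match = ID_RE.search(ev["rest"])
    ev["id"] = int(id_match.group(1)) if id_match else None
    return ev


def redact(line):
    """Mask a PAP password, keeping only whether one was sent at all."""
    return PASSWORD_RE.sub(
        lambda m: "Password(<redacted>)" if m.group(1) else "Password(<empty>)", line)


def analyze(lines):
    """Return (kind, detail) findings in log order; details never hold a password."""
    findings = []
    pap_reqs = {}   # (sender, ID) -> True when the Authen-Req carried no password
    lcp_reqs = {}   # (sender, ID) -> authentication protocol asked for in Conf-Req
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sender = "local" if ev["dir"] == "tx" else "peer"   # PPPtx = this router
        other = "peer" if sender == "local" else "local"
        proto, msg, fields = ev["proto"], ev["msg"], ev["fields"]
        if proto == "PAP" and msg == "Authen-Req":
            pw = PASSWORD_RE.search(ev["rest"])
            pap_reqs[(sender, ev["id"])] = pw is None or pw.group(1) == ""
            findings.append(("pap-credential-in-log",
                             f"{sender} sent PeerID {fields.get('PeerID')}"))
        elif proto == "PAP" and msg == "Authen-Nak":
            detail = f"{other} router's PAP credentials were rejected"
            if pap_reqs.get((other, ev["id"])):
                detail += "; no password was sent"
            findings.append(("pap-rejected", detail))
        elif proto == "CHAP" and msg == "Failure":
            findings.append(("chap-failure", f"{other} router failed CHAP"))
        elif proto == "LCP" and msg == "Conf-Req" and "AP" in fields:
            lcp_reqs[(sender, ev["id"])] = fields["AP"]
        elif proto == "LCP" and msg == "Conf-Nak" and "AP" in fields:
            asked = lcp_reqs.get((other, ev["id"]))
            if asked and asked != fields["AP"]:
                findings.append(("auth-protocol-mismatch",
                                 f"{other} asked for {asked}, {sender} answered {fields['AP']}"))
    return findings


# Sample lines adapted from Figures 6-24 to 6-27 (Conf-Nak identifier written as ID=74).
SAMPLE = [
    "2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password()",
    "2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Nak ID=1 Len=5 Message()",
    "2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Remote) Password(procurve)",
    "2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/1] CHAP: Challenge ID=1 Len=28 ValLen=16 Name(Local)",
    "2005.07.08 08:59:02 PPP.AUTHENTICATION PPPrx[t1 1/1] CHAP: Response ID=1 Len=25 ValLen=16 Name(Remote)",
    "2005.07.08 08:59:02 PPP.AUTHENTICATION PPPtx[t1 1/1] CHAP: Failure ID=1 Len=4 Message()",
    "2005.07.08 09:11:12 PPP.NEGOTIATION PPPrx[t1 1/1] LCP: Conf-Req ID=74 Len=20 ACCM(00000000) AP(PAP) MAGIC(da5bf7de)",
    "2005.07.08 09:11:12 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Nak ID=74 Len=9 AP(CHAP)",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(redact(sample_line))
    for kind, detail in analyze(SAMPLE):
        print(f"{kind}: {detail}")
```

Running redact over a capture before it is attached to a support ticket keeps the PeerID, which is needed for diagnosis, while removing the PAP password.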

Troubleshooting the Frame Relay Interface

When you troubleshoot the Frame Relay connection, you should first check the Frame Relay interface and then check the Frame Relay subinterface. From the enable mode context, enter the following command to check the status of a Frame Relay interface that is bound to the E1, T1, or serial interface:

Syntax: show interface frame-relay <number>

Figure 6-27 output:

ProCurve# debug ppp negotiation
2005.07.08 09:11:12 PPP.NEGOTIATION PPPrx[t1 1/1] LCP: Conf-Req ID=74 Len=20 ACCM(00000000) AP(PAP) MAGIC(da5bf7de)
2005.07.08 09:11:12 PPP.NEGOTIATION PPPtx[t1 1/1] LCP: Conf-Nak ID=74 Len=9 AP(CHAP)

Figure 6-27 callouts: Message from the peer. Peer requires PAP. Peer requests PAP, but the local router requires CHAP.


If the interface is administratively down, you need to activate it. From the Frame Relay interface configuration mode context, enter no shutdown.

If the interface is down, check your configuration and ensure that you are using the same Frame Relay signaling type as your Frame Relay carrier. Ensure that you have entered the correct bind command to bind this interface to the physical interface that is providing the connection.

If the Frame Relay interface is up, check the status of the Frame Relay subinterface. From the enable mode context, enter:

Syntax: show interface frame-relay <number.subinterface number>

If the status of the Frame Relay subinterface is “deleted,” the DLCI that you entered does not match the DLCI that the provider is using. Recheck the DLCI with your Frame Relay service provider. If the status of the Frame Relay subinterface is “inactive,” check the IP address and other configuration settings.

Table 6-13 shows the commands that you can use to troubleshoot a Frame Relay interface.

Table 6-13. show and debug Commands for Troubleshooting Frame Relay

Command                  Explanation
show frame-relay lmi     displays LMI (signaling) type and information about LMI messages and updates
show frame-relay pvc     displays TX and RX status messages and the DLCI state
debug frame-relay lmi    displays LMI messages in real time
undebug all              turns off debug messages

View LMI Statistics. From the enable mode context, enter:

ProCurve# show frame-relay lmi

Examine the polling information.

■ “Num Status Enq. Sent” indicates the number of polls that the interface has sent. By default, the interface sends out one poll every 10 seconds.

■ “Num Status Msgs Rcvd” indicates the number of polls that the interface has received from the other end of the connection. If the other endpoint is using typical Frame Relay settings, the interface should receive one poll every 10 seconds.


■ “Num Update Status Rcvd” indicates the number of full status reports the interface has received. By default, the interface receives one full status report every six polls, or one every 60 seconds.

■ “Num Status Timeouts” indicates the number of times the signal has been lost. When the router misses three out of four polls, it takes down the connection. When the interface continually sends out polls for which it does not receive a reply, the link has a problem, such as:

• Signaling-type mismatch—Steadily incrementing status timeouts signal mismatched signaling types. Check the signaling type listed in the LMI statistics as “LMI Type” and verify that it matches that of the service provider.

• DS0 channel mismatch—If you double-check your Data Link Layer configurations but cannot discover what is causing the problem, you may want to recheck the physical interface, even if its status is up. Mismatched channels might not cause a problem until you attempt to transmit data across a link. Use the show interface command for the physical interface and check that you have dedicated the same number of channels to the carrier line as your service provider. Use the tdm-group command to establish the correct number of channels for the interface.

• DLCI error—If you have configured the wrong DLCI number for the Frame Relay interface, the Frame Relay connection cannot be established. Double-check the DLCI to ensure that you are using the correct setting.
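The keepalive arithmetic described above (one poll every 10 seconds, a full status report every sixth poll, connection down when three of the last four polls go unanswered) can be replayed offline to see how the three counters move. The following Python model is an added example, not part of the guide or of the router's software. Its function names, the choice to count a full status report as a received status message too, and the rule that the link returns to up as soon as fewer than three of the last four polls are missed are assumptions.

```python
from collections import deque
from dataclasses import dataclass

POLL_INTERVAL_S = 10     # guide: one poll every 10 seconds
FULL_STATUS_EVERY = 6    # guide: one full status report every six polls
MISSED_LIMIT = 3         # guide: three missed polls ...
WINDOW = 4               # ... out of four take the connection down


@dataclass
class LmiCounters:
    status_msgs_rcvd: int = 0     # "Num Status Msgs Rcvd"
    update_status_rcvd: int = 0   # "Num Update Status Rcvd"
    status_timeouts: int = 0      # "Num Status Timeouts"


def replay(poll_results):
    """Replay poll outcomes (True = reply received, False = timeout).

    Returns (counters, timeline); timeline holds (seconds, link_up) per poll.
    """
    counters = LmiCounters()
    recent = deque(maxlen=WINDOW)          # sliding window of the last four polls
    timeline = []
    for n, answered in enumerate(poll_results, start=1):
        if answered:
            counters.status_msgs_rcvd += 1
            if n % FULL_STATUS_EVERY == 0:  # every sixth poll asks for a full report
                counters.update_status_rcvd += 1
        else:
            counters.status_timeouts += 1
        recent.append(answered)
        # Assumption: the link is up again once the window drops below the limit.
        link_up = recent.count(False) < MISSED_LIMIT
        timeline.append((n * POLL_INTERVAL_S, link_up))
    return counters, timeline


def first_down(timeline):
    """Seconds after the counters were cleared at which the link first went down."""
    for seconds, link_up in timeline:
        if not link_up:
            return seconds
    return None


def assess(counters, elapsed_s):
    """Classify counters read elapsed_s seconds after `clear counters`."""
    expected_polls = elapsed_s // POLL_INTERVAL_S
    if expected_polls < WINDOW:
        return "observe longer"
    if counters.status_timeouts == 0:
        return "healthy"
    if counters.status_msgs_rcvd == 0:
        # Timeouts on every poll: work through the guide's three causes.
        return "no replies: check LMI type, DS0 channels, DLCI"
    return "intermittent: polls are being lost"


if __name__ == "__main__":
    # Constructed input: six good polls, three timeouts, three good polls.
    counters, timeline = replay([True] * 6 + [False] * 3 + [True] * 3)
    print(counters, "first down at", first_down(timeline), "s")
    print(assess(counters, 120))
```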

Displaying the PVC Status. You can view PVC statistics to monitor the connection end-to-end and check for problems with traffic congestion and dropped packets. From the enable mode context, enter:

ProCurve# show frame-relay pvc

The CLI displays information about each Frame Relay port, including how many active, inactive, and deleted connections it has established. Table 6-14 shows possible PVC status terms and explains what each one means.

Table 6-14. Status of the PVC

| Status of the PVC | Explanation |
|---|---|
| active | The PVC is functional, end-to-end, from the local router to the switch and then to the far-end router. |
| inactive | The PVC is functional from the router to the Frame Relay switch. The other side of the connection is not configured or is down. |
| deleted | The PVC was announced to the Frame Relay switch but was then deleted. This status appears if the DLCI on the router does not match the DLCI configured for this PVC at the Frame Relay switch. |

Information about each PVC is listed under the sublink’s DLCI and subinterface numbers. Check the settings listed in Table 6-15.

Table 6-15. Checking the Frame Relay Settings

| Setting | Explanation |
|---|---|
| DLCI | Misconfiguring the DLCI can prevent traffic from reaching its destination. Verify that the sublink’s DLCI is valid. You should configure a unique DLCI in a separate subinterface for each site to which you want to make a Frame Relay connection. |
| dropped packets | The interface may drop more packets when the Frame Relay network is congested or when the two endpoints of a PVC use different amounts of bandwidth. |
| FECN/BECN packets | The endpoint that is transmitting data sends forward explicit congestion notification (FECN) packets when the receiver is sending too many requests for data. When its queues fill, the endpoint that is receiving data sends backward explicit congestion notification (BECN) packets to request the source to stop sending so many packets. Endpoints use these messages to minimize the number of dropped packets. A large number of incoming FECN and BECN packets indicate that the other end of the circuit cannot transmit and receive data as quickly as this interface. This discrepancy can lead to dropped packets. |
| DE packets | When the interface bursts data across the PVC at rates beyond its CIR, the excess packets are marked with the DE bit. If the network becomes congested, these packets will be the first to be dropped. |

View LMI Messages. To receive real-time messages, enter the following command from the enable mode context:

ProCurve# debug frame-relay lmi

The CLI displays events dealing with the establishment and negotiation of the connection as they occur. You can then determine when and why problems occur.

LMI statistics report on the LMI messages that are exchanged between the Frame Relay DTE and the DCE. The DCE uses LMI messages to advertise its DLCI. In addition, the LMI messages serve as a local keepalive, indicating that the interface is receiving polls from the other end of the connection.

Clear Counters. If you view the LMI statistics, you will see a running count of polls sent and received, including those incremented before the interface began having a problem. Because you are not interested in how many polls the interface was receiving when it was functioning properly, you should reset the counters to isolate the problem. To reset all counters associated with a Frame Relay interface, enter the following command from the enable mode context:

Syntax: clear counters frame-relay <number>

After you clear the counters, you can reproduce the problem and then view the LMI statistics to check whether the interface is receiving polls.

Troubleshooting HDLC

You should begin troubleshooting the HDLC interface by entering the show interface hdlc command. From the enable mode context, enter:

Syntax: show interface hdlc <number>

Replace <number> with the number you assigned the HDLC interface.

If the HDLC interface is administratively down, enter no shutdown from the HDLC interface configuration mode context. If the HDLC interface is down, check the running-config to ensure that the HDLC interface is bound to the correct physical interface. From the enable mode context, enter:

Syntax: show running-config interface hdlc <number>

Debug HDLC. You can view real-time events about the HDLC interface by entering:

Syntax: debug hdlc [errors | verbose]

Use the errors option to view statistics and messages about protocol errors. Use the verbose option to increase the level of detail provided in the debug messages.

To disable the HDLC debug messages, enter one of the following commands from the enable mode context:

ProCurve# no debug hdlc [errors | verbose]

or

ProCurve# undebug all

Quick Start

After you configure the physical connection—the E1, T1, or serial interface—you must configure the Data Link Layer protocol that controls the data being transmitted across the WAN link. The ProCurve Secure Router supports the following Data Link Layer protocols for E1, T1, and serial interfaces:

■ Point-to-Point Protocol (PPP)

■ Frame Relay

■ High-Level Data Link Control (HDLC)

This section provides the commands you must enter to quickly configure the Data Link Layer protocol for an E1, T1, or serial interface. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 6-1 to locate the section and page number that contains the explanation you need. (For information about E1 or T1 interfaces, see Chapter 4: Configuring E1 and T1 Interfaces. For information about serial interfaces, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.)

PPP

To configure PPP for an E1, T1, or serial interface, complete these steps:

1. From the global configuration mode context, create a PPP interface.

Syntax: interface <interface> <number>

For example, you might enter:

ProCurve(config)# interface ppp 1

2. Set a static IP address.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, you might enter:

ProCurve(config-ppp 1)# ip address 10.1.1.1 /24

3. Activate the PPP interface.

ProCurve(config-ppp 1)# no shutdown

4. Bind the physical interface to the logical interface.

Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>

For example, to bind the T1 interface to the PPP interface, enter:

ProCurve(config-ppp 1)# bind 1 t1 1/1 1 ppp 1

To bind the serial interface to the PPP interface, enter:

ProCurve(config-ppp 1)# bind 1 ser 1/1 ppp 1

Note: If you are binding a serial interface to the PPP interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.

5. View the status of the PPP interface.

ProCurve(config-ppp 1)# do show interface ppp 1

PPP Authentication

If you are configuring PPP authentication, you may want to print Table 6-16 and enter the information for your router.

Table 6-16. Quick Start Worksheet

| Parameter | Your Setting |
|---|---|
| PPP interface number | |
| authentication protocol | |
| Are you requiring the peer to authenticate itself? | Yes/No |
| peer username | |
| peer password | |
| Are you authenticating to the peer? | Yes/No |
| local router’s username | |
| local router’s password | |

Requiring the Peer to Authenticate Itself

1. Move to the PPP interface for the connection whose endpoint you want to authenticate. From the global configuration mode context, enter:

Syntax: interface ppp <interface number>

2. Choose the authentication type:

Syntax: ppp authentication [chap | pap]

3. Enter the peer’s username and password. If you are using CHAP, the username should be the peer’s hostname:

Syntax: username <username> password <password>

For example, if the peer’s hostname is Remote and the password is procurve, enter:

ProCurve(config-ppp 1)# username Remote password procurve

Authenticating to a Peer

1. Move to the PPP interface for the connection whose endpoint requires the router to authenticate itself. From the global configuration mode context, enter:

Syntax: interface ppp <interface number>

2. Determine whether the peer uses PAP or CHAP authentication.

3. For PAP, enter the username and password you have agreed upon for the local router:

Syntax: ppp pap sent-username <username> password <password>

For example, you might enter:

ProCurve(config-ppp 1)# ppp pap sent-username Local password procurve

4. For CHAP, enter the password you have agreed upon for the local router:

Syntax: ppp chap password <password>

5. For CHAP, enter a username only if it is different from the router’s hostname:

Syntax: ppp chap hostname <username>

For example, you might enter:

ProCurve(config-ppp 1)# ppp chap hostname ProCurveA
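The settings in the two procedures above decide what each router puts into the authentication packets. The following Python model is an added example, not code from the guide or from the router: it builds the CHAP packets defined in RFC 1994 and the PAP Authenticate-Request defined in RFC 1334 to show why the CHAP username must match the name the peer sends, and what each protocol exposes on the link. Class and function names are hypothetical; the hostnames Remote and ProCurveA and the password procurve are the guide's example values, and RemoteB is a constructed hostname.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4
PAP_AUTH_REQUEST = 1


def chap_packet(code, ident, value, name):
    """Layout: Code | Identifier | Length | Value-Size | Value | Name."""
    body = bytes([len(value)]) + value + name.encode()
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet):
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length != len(packet) or 5 + size > length:
        raise ValueError("bad CHAP length fields")
    return code, ident, packet[5:5 + size], packet[5 + size:].decode()


def chap_value(ident, secret, challenge):
    """Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Authenticator:
    """Side configured with `ppp authentication chap` and `username ... password ...`."""

    def __init__(self, hostname, users):
        self.hostname, self.users = hostname, dict(users)
        self.ident, self.challenge = 0, b""

    def challenge_packet(self):
        self.ident = (self.ident + 1) % 256
        self.challenge = os.urandom(16)      # fresh random value for every attempt
        return chap_packet(CHAP_CHALLENGE, self.ident, self.challenge, self.hostname)

    def verify(self, packet):
        code, ident, value, name = parse_chap(packet)
        secret = self.users.get(name)        # Name field must match a `username` entry
        ok = (code == CHAP_RESPONSE and ident == self.ident and secret is not None
              and hmac.compare_digest(value, chap_value(ident, secret, self.challenge)))
        return CHAP_SUCCESS if ok else CHAP_FAILURE


class Peer:
    """Side configured with `ppp chap password` and, optionally, `ppp chap hostname`."""

    def __init__(self, hostname, password, chap_hostname=None):
        self.name = chap_hostname or hostname   # override only if names differ
        self.password = password

    def respond(self, packet):
        code, ident, challenge, _ = parse_chap(packet)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        return chap_packet(CHAP_RESPONSE, ident,
                           chap_value(ident, self.password, challenge), self.name)


def pap_request(ident, username, password):
    """PAP Authenticate-Request: Peer-ID and Password travel as plain bytes."""
    user, pwd = username.encode(), password.encode()
    body = bytes([len(user)]) + user + bytes([len(pwd)]) + pwd
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_login(auth, peer):
    """Run one challenge/response round; return (result code, packets on the wire)."""
    challenge = auth.challenge_packet()
    response = peer.respond(challenge)
    return auth.verify(response), [challenge, response]


if __name__ == "__main__":
    auth = Authenticator("ProCurveA", {"Remote": "procurve"})
    print("matching hostname:", chap_login(auth, Peer("Remote", "procurve"))[0])
    print("hostname RemoteB, no override:", chap_login(auth, Peer("RemoteB", "procurve"))[0])
    print("with ppp chap hostname Remote:",
          chap_login(auth, Peer("RemoteB", "procurve", chap_hostname="Remote"))[0])
    print("PAP request bytes:", pap_request(1, "Local", "procurve"))
```

A result of 3 is CHAP Success and 4 is CHAP Failure. The PAP request contains the password bytes as typed, while the CHAP packets carry only the random challenge and the MD5 value.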

Frame Relay

Before you begin to configure the Frame Relay interface, you should know the settings that you must enter for the following:

■ Frame Relay signaling role:

• user, or data terminal equipment (DTE)

• network, or data communications equipment (DCE)

• both, or network-to-network interfaces (NNI)

■ Frame Relay signaling type, which is referred to as the link management interface (LMI)

■ data link connection identifier (DLCI)

■ your negotiated committed information rate (CIR), which is configured as your Bc

■ your negotiated excess information rate (EIR), which is configured as your Be.

Your public carrier should provide you with this information.

Note: With few exceptions, you will configure the signaling role as DTE. However, the other options are available if you need to change the setting for any reason. For example, you may want the router to act as a DCE in a test WAN environment.

To configure Frame Relay for an E1, T1, or serial interface, complete these steps:

1. From the global configuration mode context, create a Frame Relay interface.

Syntax: interface <interface> <number>

ProCurve(config)# interface frame-relay 1

2. Define the signaling role for the Frame Relay interface. The default setting is dte, or user.

Syntax: frame-relay intf-type [dce | dte | nni]

ProCurve(config-fr 1)# frame-relay intf-type dte

3. Define the signaling type (the LMI). The default setting is ansi, or Annex D.

Syntax: frame-relay lmi-type [ansi | auto | cisco | none | q933a]

For example, to set the signaling type to auto, enter:

ProCurve(config-fr 1)# frame-relay lmi-type auto

4. Activate the Frame Relay interface.

ProCurve(config-fr 1)# no shutdown

5. Create a Frame Relay subinterface for each permanent virtual circuit (PVC). Enter any number from 16 to 1007 for the sublink number. Using the same number as the subinterface’s DLCI will help you keep track of and troubleshoot the sublink.

Syntax: interface frame-relay <number.subinterface number>

ProCurve(config-fr 1)# interface frame-relay 1.103

6. Assign the subinterface a DLCI.

Syntax: frame-relay interface-dlci <DLCI>

ProCurve(config-fr 1.103)# frame-relay interface-dlci 103

7. Assign the interface a static IP address.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

ProCurve(config-fr 1.103)# ip address 10.1.1.1 /24

8. Configure a CIR.

Syntax: frame-relay bc <committed burst value>

Replace <committed burst value> with your CIR expressed in bytes. For example, you might enter:

ProCurve(config-fr 1.1)# frame-relay bc 128000

9. Set the excessive burst rate.

Syntax: frame-relay be <excessive burst value>

Replace <excessive burst value> with a burst rate, expressed in bytes. For example, you might enter:

ProCurve(config-fr 1.1)# frame-relay be 64000

Note: Together, the frame-relay bc command and the frame-relay be command define the amount of bandwidth you can use on the Frame Relay link. The sum of the values you specify for these two settings should be greater than 8000.

10. Bind the physical interface—the E1, T1, or serial interface—to the Frame Relay interface. From the global configuration mode context, enter:

Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>

For example, to bind the E1 1/1 interface to the Frame Relay 1 interface, enter:

ProCurve(config)# bind 1 e1 1/1 1 fr 1

To bind the serial 1/1 interface to the Frame Relay 1 interface, enter:

ProCurve(config)# bind 1 ser 1/1 fr 1

Note: If you are binding a serial interface to the Frame Relay interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.

11. View the status of the Frame Relay interface and subinterface. From the enable mode context, enter:

ProCurve# show interface fr 1

ProCurve# show interface fr 1.103

HDLC

To configure HDLC for an E1, T1, or serial interface, complete these steps:

1. From the global configuration mode context, create an HDLC interface.

Syntax: interface <interface> <number>

ProCurve(config)# interface hdlc 1

2. Enter the IP address.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

ProCurve(config-hdlc 1)# ip address 10.1.1.1 /24

3. Activate the HDLC 1 interface.

ProCurve(config-hdlc 1)# no shutdown

4. Bind the physical interface—the E1, T1, or serial interface—to the logical interface.

Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number>

For example, to bind the E1 1/1 interface to the HDLC 1 interface, enter:

ProCurve(config-hdlc 1)# bind 1 e1 1/1 1 hdlc 1

To bind the serial 1/1 interface to the HDLC 1 interface, enter:

ProCurve(config-hdlc 1)# bind 1 ser 1/1 hdlc 1

Note: If you are binding a serial interface to the HDLC interface, you do not include the TDM group number because you do not use TDM groups on a serial interface.

5. View the status of the HDLC interface. From the enable mode context, enter:

ProCurve# show interface hdlc 1

Chapter 7: ADSL WAN Connections

Contents

ADSL Overview
ADSL Technologies
ADSL2 and ADSL2+: Enhancing Transmission Speeds
READSL: Supporting Greater Distances
Elements of an ADSL Connection
ADSL Infrastructure
ADSL Annex A and Annex B: Sharing the Line with Analog or ISDN Voice Traffic
ADSL Splitters
ADSL Without Splitters
ADSL Modules for the ProCurve Secure Router
Configuring the ADSL Interface: the Physical Layer
Accessing the ADSL Interface Configuration Mode Context
Activating the ADSL Interface
Defining the Training Mode
Setting the SNR-Margin
Monitoring the SNR-Margin
Manually Forcing Retraining
Configuring the Data Link Layer for the ADSL Connection
Creating the ATM Interface
Activating the ATM Interface
Configuring a Subinterface for each PVC
Creating the Subinterface
Activating the ATM Subinterface
Configuring the VPI/VCI
Defining the ATM Encapsulation
Assigning the ATM Subinterface an IP Address
OAM Settings
Bind the ADSL Interface to the ATM Interface
Additional Settings
PPPoE Overview
Two Phases for Establishing a PPPoE Session
Discovery Phase
PPP Session
Creating the PPP Interface
Assigning an IP Address
Binding the ATM Subinterface to the PPP Interface
Identifying the Access Concentrator
Identifying PPPoE Services
PPPoA Overview
Creating the PPP Interface
Assigning an IP Address
Binding the ATM Subinterface to the PPP Interface
Routed Bridged Encapsulation
Viewing the Status and Configuration of Interfaces
Viewing the Status of the ADSL Interface
Viewing the Status of the ATM Interface and Subinterface
Troubleshooting the ADSL Connection
Troubleshooting the ADSL Interface
Identifying the Problem
debug interface adsl events Command
Troubleshooting the ATM Interface
Troubleshooting the ATM Subinterface
debug atm oam Command
Troubleshooting PPPoE
Troubleshooting the PPPoE Discovery Process
show pppoe Command
Clear a PPPoE Connection
debug pppoe client Command
Troubleshooting the PPP Link Establishment Process
Quick Start
Configure the Physical Layer: the ADSL Interface
Configure the Data Link Layer: the ATM Interface and Subinterface
Configure ATM Only
Configure RBE
Configure PPPoE
Configure PPPoA

ADSL Overview

Digital Subscriber Line (DSL) technologies provide high-speed wide area network (WAN) connections—typically for a lower cost than older WAN technologies such as E1- or T1-carrier lines. A variety of DSL technologies have been developed, and these technologies are sometimes collectively referred to as x-type DSL, or xDSL. The “x” is replaced with one to three letters that represent a particular type of DSL, such as:

■ ADSL, or asymmetric DSL

■ HDSL, or high bit-rate DSL

■ SHDSL, or single wire HDSL

■ READSL, or reach extended ADSL

■ VDSL, or very high bit-rate DSL

The various types of xDSL operate at different speeds. They also differ in how much bandwidth is dedicated to upstream and downstream transmissions. Downstream refers to the traffic being sent from the public carrier’s central office (CO) to the customer’s premises, as shown in Figure 7-1. Upstream refers to the traffic being sent from the customer’s premises to the public carrier’s CO.

[Figure 7-1. Upstream and Downstream Transmissions. Labels: customer’s premises (LAN, WAN router), public carrier’s central office (CO), downstream, upstream.]

If a DSL technology transmits data at the same speed both upstream and downstream, it is symmetric. If a DSL technology provides different transmission speeds for upstream and downstream, it is asymmetric.

With asymmetric DSL technologies, the transmission speed for downstream is higher than the transmission speed for upstream. This makes asymmetric DSL technologies ideal for Internet use because users typically download more data from the Internet than they upload. Asymmetric DSL technologies are also well-suited for video-on-demand or high-definition television (HDTV).

ADSL Technologies

Asymmetric DSL (ADSL) has emerged as one of the most widely used DSL technologies. ADSL provides an end-to-end digital connection between the source device and the destination device. Like an E1- or T1-carrier line, ADSL is a leased private line and is always available.

ADSL service is usually provided through a partnership between an Internet service provider (ISP) and a public carrier. (The public carrier is frequently called the ADSL service provider.) The ISP provides the connection to the Internet, and the public carrier provides the ADSL connection to the customer.

ADSL2 and ADSL2+: Enhancing Transmission Speeds

Originally providing transmission speeds of up to 8 Mbps downstream and 1.544 Mbps upstream, ADSL has been enhanced twice:

■ ADSL2 offers up to 12 Mbps downstream and 1.544 Mbps upstream.

■ ADSL2+ provides up to 25 Mbps downstream and 1.544 Mbps upstream.

The maximum available bandwidth for either downstream or upstream depends on factors such as:

■ Distance between the customer’s premises and the public carrier’s CO—The greater the distance, the slower the transmission rate.

■ Line quality—The more noise on the line, the slower the transmission rate.

As Table 7-1 shows, to qualify for ADSL or ADSL2, customers can be a maximum of 5.49 to 5.67 km from the public carrier’s CO. For ADSL2+, customers can be only 1.52 km away from the CO. If a company or home is too far away from the public carrier’s CO, ADSL is not even an option.

Table 7-1. Distance Supported by ADSL, ADSL2, and ADSL2+

| Type of ADSL | Distance from CO |
|---|---|
| ADSL | 3.66 km to 5.49 km (12,000 to 18,000 feet) |
| ADSL2 | 3.84 to 5.67 km (12,600 to 18,600 feet) |
| ADSL2+ | 1.52 km (5,000 feet) |

READSL: Supporting Greater Distances

To make ADSL available to more customers, reach extended ADSL2 (READSL) was developed to support greater distances between a customer’s premises and the public carrier’s CO. (READSL is an ADSL2 or ADSL2+ technology, which is sometimes called READSL and sometimes called READSL2.) According to CommsDesign.com, READSL extends the reach of ADSL “up to 2500 ft., allowing ADSL systems to reach as far as 20,000 ft.” (Marcus Tzannes, “RE-ADSL2: Helping Extend ADSL’s Reach,” May 13, 2003.)

Currently, READSL2+ is designed to share the local loop with POTS traffic, just as ADSL Annex A does.

Elements of an ADSL Connection

All WAN connections, including ADSL connections, consist of three basic elements:

■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection

■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media

■ Data Link Layer protocols, which provide logical flow control for moving data between WAN peers (the devices at either end of a WAN connection)

Physical transmission media and electrical specifications are part of the Physical Layer (or Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (or Layer 2). (See Figure 7-2.)

[Figure 7-2. Physical and Data Link Layers of the OSI Model. The seven OSI layers, numbered 1 (Physical Layer) through 7 (Application Layer), with ADSL at the Physical Layer and ATM at the Data Link Layer.]

When you configure an ADSL connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the Logical Layer). The Physical Layer is, of course, ADSL. The Data Link Layer protocol is Asynchronous Transfer Mode (ATM).

ADSL Infrastructure

When you purchase an ADSL connection, your company’s premises must be connected to the public carrier’s nearest CO. All of the telecommunications infrastructure that is used to connect your company’s premises to the CO is collectively called the local loop.

ADSL uses modulation to increase the speed at which data can be transmitted over the plain copper wire that is used for most local loops. Once the ADSL traffic reaches the public carrier’s CO, it is sent to a DSL Access Multiplexer (DSLAM) and then routed over the regional broadband, or packet, network. (See Figure 7-3.) Traffic transmitted over E1- and T1-carrier lines, on the other hand, is sent to a voice switch before being transmitted through the public carrier network.

Figure 7-3. The ADSL Network

The regional broadband network is connected to the Internet. (See Figure 7-4.)

Public Carrier’s Central OfficeCustomer’s Premises

WAN router

DSLAMLocal loop

Regional broadband

network

Public carrier

networkLAN Voice or

ISDN switch

ATM

ATM

ATM

7-7

Page 338: ProCurve Secure Router 7000dl - Apache Welcome Pageh20628. · ProCurve Secure Router 7000dl. ProCurve Secure Router ... Events ... Troubleshooting E1 and T1 WAN Connections ...

ADSL WAN ConnectionsADSL Overview

Figure 7-4. ADSL Connection to the Internet

Moving high-speed WAN connections onto a separate network infrastructure alleviates a serious problem for most public carriers: congestion in the tradi-tional public carrier network. With the increasing popularity of the Internet, more and more businesses and residential users are connecting to the Internet through the public carrier network, which is not built to handle the high-volume caused by many Internet connections.

ADSL Annex A and Annex B: Sharing the Line with Analog or ISDN Voice Traffic

ADSL is designed to share the local loop with analog voice or Integrated Services Digital Network (ISDN) traffic used for either voice or fax transmissions. (ADSL cannot share the local loop with an ISDN WAN connection, which is used to transmit data.) To share the local loop, ADSL devices reserve the bottom frequencies for analog voice and ISDN traffic. (See Figure 7-5.)

In the ADSL standards, support for analog voice is called ADSL over Plain Old Telephone Service (POTS), or ADSL Annex A. The customer’s existing telephone equipment can continue to send voice traffic over the same pair of wires that carry ADSL traffic.

[Figure 7-4 diagram labels: customer’s premises, LAN, WAN router, local loop, central office, DSLAM, other DSLAMs, regional broadband network, broadband switch (ATM), broadband access server, Internet core router, Internet]

Customers who have ISDN equipment such as telephones and fax machines can continue using this equipment while moving their Internet or WAN connection to ADSL. Support for ISDN is called ADSL over ISDN, or ADSL Annex B, and is common in countries such as Germany where ISDN is popular.

Figure 7-5. ADSL with POTS or ADSL with ISDN

ADSL Splitters

Because ADSL supports analog voice or ISDN traffic, the local loop is a shared medium. In an ADSL Annex A environment, telephones send analog voice over the local loop, and the WAN router sends digital data. At the CO, the analog voice must be transmitted to the voice switch and then routed over the public carrier network. The digital data, on the other hand, must be transmitted to the DSLAM and then routed over the regional broadband network. At the customer’s premises, the analog voice must be sent to the telephones, and the digital data must be sent to the WAN router.

To separate the analog voice from the ADSL data, a POTS splitter is installed at both the customer’s premises and the public carrier’s CO. The POTS splitter filters the traffic at both ends of the local loop and ensures that the analog voice and the ADSL traffic are sent to the appropriate device at each location.

In an ADSL Annex B environment, ISDN equipment and the WAN router transmit data over the local loop. At the CO, the ISDN traffic must be transmitted to the ISDN switch and then routed over the public carrier network. The ADSL data must be transmitted to the DSLAM and then routed over the regional broadband network. At the customer’s premises, the ISDN data must be sent to the ISDN equipment, and the ADSL data must be sent to the WAN router.

[Figure 7-5 diagram labels: frequency axis marked 0, .14 MHz, and 2.2 MHz; ADSL with ISDN: ISDN, upstream, downstream; ADSL with POTS: POTS, upstream, downstream]

To separate the ISDN data from the ADSL data, an ISDN splitter is installed at both the customer’s premises and the CO. This splitter ensures that each type of traffic is transmitted to the appropriate device at each location. (See Figure 7-6.)

Figure 7-6. ADSL Network

ADSL Without Splitters

ADSL Lite, or G.lite, was developed to provide a low-cost, no-hassle WAN connection. Where ADSL offers a downstream transmission rate of up to 8 Mbps, ADSL Lite provides just 1 Mbps downstream. The upstream rate is only 512 Kbps, rather than the 1.544 Mbps offered by ADSL.

In addition to the low cost, subscribers receive the following advantages:

■ No splitter—No splitter is required at the customer’s premises. Instead, ADSL Lite uses a microfilter, which is easy to install. Typically, the microfilter is a small device that is attached on the wire that connects the DSL modem to the wall jack at the customer’s premises.

■ Easy installation—With ADSL Lite, no modifications need to be made to the local loop, so the customer does not have to wait for a service call from the local carrier. After the DSL modem and the microfilter are plugged in, the installation is complete.

[Figure 7-6 diagram labels: customer’s premises, LAN, WAN router, splitter, local loop, central office, splitter, DSLAM, other DSLAMs, voice or ISDN switch, regional broadband network, broadband switch (ATM), broadband access server, Internet core router, Internet. Annotations: voice or ISDN traffic is sent to the voice or ISDN switch; ADSL traffic is sent to the DSLAM.]

ADSL Modules for the ProCurve Secure Router

ProCurve Networking offers two ADSL modules:

■ ADSL2+ Annex A module for ADSL over POTS

■ ADSL2+ Annex B module for ADSL over ISDN

ADSL2+ Annex A modules are used primarily in the United States and Canada. ADSL2+ Annex B modules are used in Europe, South America, Asia (except Japan), and Australia.

Note: Japan uses ADSL Annex C. Currently, the ProCurve Secure Router does not support ADSL Annex C.

The ProCurve ADSL2+ Annex A and Annex B modules support standards for ADSL, ATM, Point-to-Point Protocol over Ethernet (PPPoE), and PPP over ATM (PPPoA). (See Table 7-2.)

Table 7-2. Standards Supported by the ADSL Modules

| ADSL Module | ADSL Standards | ATM Standards | PPPoA and PPPoE |
| --- | --- | --- | --- |
| ADSL2+ Annex A (ADSL over POTS) | International Telecommunications Union (ITU) G.992.1 Annex A (G.dmt); ITU G.992.2 Annex A (G.lite); ITU G.992.3 Annex A ADSL2 (G.dmt.bis); ITU G.992.3 Annex L READSL2; ITU G.992.5 Annex A ADSL2+; ANSI T1.413 Issue 2 | Multiple Protocol over AAL5 (Request for Comments [RFC] 2684); ATM Forum UNI 3.1/4.0 PVC; ATM Class of Service (UBR); ATM F5 OAM | PPP over ATM AAL5 (RFC 2364); PPP over Ethernet (RFC 2516) |
| ADSL2+ Annex B (ADSL over ISDN) | ITU G.992.1 Annex B (G.dmt); ITU G.992.3 Annex B ADSL2 (G.dmt.bis); ITU G.992.5 Annex B ADSL2+ | Multiple Protocol over AAL5 (RFC 2684); ATM Forum UNI 3.1/4.0 PVC; ATM Class of Service (UBR); ATM F5 OAM | PPP over ATM AAL5 (RFC 2364); PPP over Ethernet (RFC 2516) |

Configuring the ADSL Interface: the Physical Layer

To connect the ADSL interface on the front panel of the ProCurve Secure Router to the wall jack provided by your service provider, you use unshielded twisted pair (UTP) ribbon cable with RJ-11 connectors.

Note: In some countries, the ADSL service provider supplies the customer premises equipment (CPE), which requires an RJ-45 connector.

You must then configure the physical interface for the ADSL connection.

Accessing the ADSL Interface Configuration Mode Context

To begin configuring the ADSL module that will provide the WAN connection, you must access the appropriate configuration mode context. Move to the global configuration mode context and enter:

Syntax: interface <interface> <slot>/<port>

When you are configuring an ADSL interface, you replace <interface> with adsl.

On the ProCurve Secure Router, each physical interface is identified by its slot number and port number.

The possible slot numbers for ADSL modules are:

■ 1 = dl option module slot 1

■ 2 = dl option module slot 2

For ADSL modules, the port number is always one. For example, if the ADSL module is located in slot one, enter:

ProCurve(config)# interface adsl 1/1

The router prompt indicates that you have entered the proper interface configuration mode context:

ProCurve(config-adsl 1/1)#

From the configuration mode context, you can enter the ? help command to display the commands available from this configuration mode context.

ProCurve(config-adsl 1/1)# ?

The settings that you must configure in order to establish an ADSL WAN connection are explained in the following sections.

Activating the ADSL Interface

By default, all interfaces on the ProCurve Secure Router are shut down. You must activate the ADSL interface. From the ADSL interface configuration mode context, enter:

ProCurve(config-adsl 1/1)# no shutdown

A message is displayed at the CLI, indicating that the interface is now administratively up. Messages such as this are displayed by default. To disable these messages, enter the following command from the enable mode context:

ProCurve# no events

To enable these messages again, enter:

ProCurve# events

Defining the Training Mode

Like other ADSL routers and modems, the ProCurve Secure Router must go through a training phase. During the training phase, the ADSL interface and the DSLAM evaluate the quality of the line and identify the best way to use the available bandwidth to achieve the highest transmission rate possible.

After the training phase, the ProCurve Secure Router and the DSLAM establish an ADSL connection and exchange Physical Layer signaling. This phase of the connection is called showtime. Although the two devices have established a physical connection, they have not yet begun to exchange ATM cells or to communicate at the Data Link Layer.

You must select the standard that the ADSL interface uses during the training mode. Table 7-3 lists the training mode options, the standards on which each one is based, and a brief description.

Table 7-3. Training Modes Supported by the ProCurve Secure Router

| Command Option | Standard | Description |
| --- | --- | --- |
| training-mode ADSL2 | ITU G.992.3 ADSL2 (G.dmt.bis) | Trains the interface for the ADSL2 transmission rate. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and data lines. |
| training-mode ADSL2+ | ITU G.992.5 ADSL2+ | Trains the interface for the ADSL2+ transmission rate. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and data lines. |
| training-mode G.DMT | ITU G.992.1 (G.dmt) | Trains the interface in the full-rate ANSI standard. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and data lines. |
| training-mode G.LITE | ITU G.992.2 (G.lite) | Supports the splitterless ANSI standard with a smaller bandwidth than the full-rate ANSI standard. |
| training-mode Multi-Mode | | Automatically detects the appropriate configuration and conforms to the standard used by the DSLAM. This is the default setting. |
| training-mode READSL2 | ITU G.992.3 Annex L READSL2 | Trains the interface to use READSL2. |
| training-mode T1.413 | ANSI T1.413 Issue 2 | Supports lower-speed connections than the full-rate ANSI standard. |

Table 7-4 shows which options are supported by the ADSL2+ Annex A module and which options are supported by the Annex B module. As you can see, the ADSL2+ Annex A module supports all the options listed. The ADSL2+ Annex B module, on the other hand, supports ADSL2, ADSL2+, and G.DMT. The ADSL2+ Annex B module also supports the Multi-Mode option, but when this option is used with this module, only three training modes are possible: ADSL2, ADSL2+, and G.DMT. (In future versions of the Secure Router OS, additional training modes will be supported by the ADSL2+ Annex B module.)

Table 7-4. Training Modes Supported by the ProCurve Secure Router

| Command Option | ADSL2+ Annex A | ADSL2+ Annex B |
| --- | --- | --- |
| training-mode ADSL2 | Yes | Yes |
| training-mode ADSL2+ | Yes | Yes |
| training-mode G.DMT | Yes | Yes |
| training-mode G.LITE | Yes | No |
| training-mode Multi-Mode | Yes | Yes |
| training-mode READSL2 | Yes | No |
| training-mode T1.413 | Yes | No |

To define the training mode, enter the following command from the ADSL interface configuration mode context.

Syntax: training-mode [ADSL2 | ADSL2+ | G.DMT | G.LITE | Multi-Mode | READSL2 | T1.413]

For example, to set the training mode for ADSL2, enter:

ProCurve(config-adsl 2/1)# training-mode ADSL2

The default setting for both the ADSL2+ Annex A module and the ADSL2+ Annex B module is Multi-Mode.

Setting the SNR-Margin

Because ADSL connections are affected by line interference, you must specify the level at which the quality of the signal on the ADSL line is acceptable. This quality of the signal is determined by the signal-to-noise ratio (SNR) margin.

The SNR margin is calculated logarithmically. An SNR margin of 15 means the signal is approximately 5.6 times stronger than background noise, while a signal with an SNR margin of 1 is only marginally stronger than the background noise.

Because transmission speeds on ADSL lines are affected by line interference, you want to maximize the signal and minimize the background noise. When you narrow the signaling band to maximize the signal, however, you also decrease the transmission rate.

Determining the minimum SNR margin is a compromise: the higher the SNR margin, the slower the transmission rate. However, if you set the SNR margin too low, the line may go down, or your data may be garbled.

To set the SNR margin, enter the following command from the ADSL configuration mode context:

Syntax: snr-margin <margin>

Replace <margin> with a number between 1 and 15 decibels (dB).

For example, if you want to set the SNR margin to 4, enter:

ProCurve(config-adsl 2/1)# snr-margin 4

Monitoring the SNR-Margin

You can enable monitors to ensure that the minimum SNR is maintained on the line during both the ADSL training and the ADSL showtime phases. These monitors periodically check the line to ensure that the SNR margin does not fall below your setting.

To enable the monitors, enter the following command from the ADSL configuration mode context:

Syntax: snr-margin [showtime-monitor | training-monitor]

For example, to enable the showtime monitor, enter:

ProCurve(config-adsl 2/1)# snr-margin showtime-monitor

Manually Forcing Retraining

After you configure the ADSL interface options, you can force the ADSL interface to retrain itself. From the ADSL interface configuration mode context, enter:

ProCurve(config-adsl 2/1)# retrain

When the line reaches an acceptable SNR margin, its status will change to up.

Configuring the Data Link Layer for the ADSL Connection

You can configure the ADSL line with ATM as the Data Link Layer, or you can configure ADSL with either PPPoE or PPPoA. No matter which option you use, however, your configuration will include ATM, and you will need to configure both an ATM interface and an ATM subinterface.

Creating the ATM Interface

To begin configuring ATM for an ADSL connection, you must create a logical interface. From the global configuration mode context, enter:

Syntax: interface <interface> <number>

Replace <interface> with atm and replace <number> with any number between 1 and 1024. Each ATM interface you configure on the router must have a unique number.

For example, if you are configuring the first ATM interface on the router, you might enter:

ProCurve(config)# interface atm 1

The router prompt indicates that you have entered the appropriate interface configuration mode context:

ProCurve(config-atm 1)#

You can then enter the ? help command to display the commands available from this configuration mode context.

ProCurve(config-atm 1)# ?

Activating the ATM Interface

By default, all logical interfaces on the ProCurve Secure Router are shut down, so you must activate the ATM interface. From the ATM interface configuration mode context, enter:

ProCurve(config-atm 1)# no shutdown

Configuring a Subinterface for each PVC

You must configure an ATM subinterface to define the endpoint of the ADSL connection. By default, each ATM interface supports up to 16 permanent virtual circuits (PVCs), so you can create a maximum of 16 subinterfaces on each ATM interface.

Configuring a subinterface involves the following basic steps:

1. Create the ATM subinterface.

2. Activate the ATM subinterface.

3. Assign the subinterface a virtual path identifier (VPI) and virtual channel identifier (VCI).

4. Set the encapsulation type.

5. Assign an IP address to the ATM subinterface.

If you are configuring PPPoE or PPPoA for the ADSL connection, you will need to complete some additional steps. You will also need to assign the IP address to the PPP interface, rather than to the ATM subinterface.

These are the basic steps for configuring the ATM subinterface, but you can configure other settings (such as quality of service, access controls, and backup settings) for the subinterface as well.

Creating the Subinterface

From the global configuration mode context or the ATM interface configuration mode context, enter:

Syntax: interface <interface> <number.subinterface number>

Replace <interface> with atm, and replace <number> with the number of the ATM interface you created previously. Then replace <subinterface number> with a number between 1 and 65535.

For example, if you want to configure the ATM 1.1 subinterface, enter:

ProCurve(config-atm 1)# interface atm 1.1

Activating the ATM Subinterface

By default, all subinterfaces on the ProCurve Secure Router are shut down. You must activate the ATM subinterface. From the ATM interface configuration mode context, enter:

ProCurve(config-atm 1.1)# no shutdown

Configuring the VPI/VCI

ATM networks are fundamentally connection-oriented, which means that a logical connection must be set up across the ATM network before any data can be transmitted. After this connection is set up, there is only one possible path for cells to take, so they cannot be received in the wrong order.

ATM setup standards define two types of ATM connections. (See Figure 7-7.)

■ Virtual path (VP)—Identified by a virtual path identifier (VPI)

■ Virtual channel (VC)—Identified by the VPI and a virtual channel identifier (VCI)

VPIs and VCIs are established during the ATM connection setup phase. These values are carried in the headers of ATM cells to facilitate ATM cell switching.

Figure 7-7. The VPI/VCI

Your public carrier will provide the VPI and VCI values for your ADSL connection. From the ATM subinterface configuration mode context, set the VPI/VCI by entering:

Syntax: pvc <vpi>/<vci>

Replace <vpi> with the number that your ADSL service provider gave you for the VPI. The VPI can be a number between 0 and 255. Replace <vci> with the unique number that your service provider has assigned to this connection. If you establish more than one subinterface on an ATM interface, each subinterface will have a unique VCI. The VCI can be a number between 32 and 65535.

[Figure 7-7 diagram labels: transmission path, virtual paths (VP), virtual channels (VC)]

For example, to assign the ATM subinterface a VPI/VCI of 0/33, enter:

ProCurve(config-atm 1.1)# pvc 0/33

Defining the ATM Encapsulation

The ATM Data Link Layer for the ADSL connection includes these sublayers:

■ the ATM adaptation layer (AAL), which is called Layer 2-1

■ the point-to-point layer, which is referred to as Layer 2-2

You must configure the adaptation layer by specifying an encapsulation type. Enter one of the following commands to enable the encapsulation type specified by your service provider:

Syntax: encapsulation aal5snap

or

Syntax: encapsulation aal5mux [ip | ppp]

The default setting is aal5snap, which establishes an encapsulation type that supports the Link Layer Control/Sub-Network Access Protocol (LLC/SNAP). AAL5 LLC/SNAP encapsulation works with any type of protocol for the ADSL connection: bridging, PPPoA, PPPoE, and IP with and without bridging.

Use the aal5mux encapsulation setting for multiplexed virtual circuits. You must then specify a protocol for each subinterface to use: IP or PPP.

If your service provider is using PPPoE, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below:

ProCurve(config-atm 1.1)# encapsulation aal5snap

or

ProCurve(config-atm 1.1)# encapsulation aal5mux ppp
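The limits given above for the ADSL interface and the ATM subinterface (module-specific training modes from Table 7-4, the SNR margin range, interface and subinterface numbers, VPI/VCI ranges, unique VCIs, and encapsulation types) can be checked before a change is applied. The following is an added example, not part of the original guide or of the Secure Router OS; the `audit` function, the module names `annex-a` and `annex-b`, and the sample command list are assumptions made for illustration.

```python
import re

# Table 7-4 of the guide: training modes supported by each module.
TRAINING_MODES = {
    "annex-a": {"ADSL2", "ADSL2+", "G.DMT", "G.LITE", "Multi-Mode", "READSL2", "T1.413"},
    "annex-b": {"ADSL2", "ADSL2+", "G.DMT", "Multi-Mode"},
}
ENCAPSULATIONS = {"aal5snap", "aal5mux ip", "aal5mux ppp"}
MAX_PVCS = 16  # default number of PVCs (subinterfaces) per ATM interface

# Constructed sample: the guide's commands in the order they are typed,
# with deliberate mistakes. It is not a dump of a real running configuration.
SAMPLE = """\
interface adsl 1/1
 training-mode G.LITE
 snr-margin 20
 no shutdown
interface atm 1
 no shutdown
interface atm 1.1
 pvc 0/33
 encapsulation aal5snap
interface atm 1.2
 pvc 0/33
 encapsulation aal5mux
"""


def audit(config_text, module):
    """Return (line_number, message) findings; module is 'annex-a' or 'annex-b'."""
    findings, context = [], None   # context: (kind, ADSL slot/port or ATM interface number)
    subifs, vcis = {}, {}          # per ATM interface: subinterface numbers, VCIs in use
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"interface (\w+) (\S+)", line)
        if m:
            kind, ident = m.groups()
            context = (kind, ident)
            if kind == "adsl" and ident not in ("1/1", "2/1"):
                findings.append((n, "ADSL interface must be slot 1 or 2, port 1"))
            elif kind == "atm":
                context = _enter_atm(ident, n, subifs, findings)
            continue
        kind = context[0] if context else None
        arg = line.split(None, 1)[1] if " " in line else ""
        if kind == "adsl" and line.startswith("training-mode "):
            if arg not in TRAINING_MODES[module]:
                findings.append((n, f"training-mode {arg} is not supported by the {module} module"))
        elif kind == "adsl" and line.startswith("snr-margin "):
            is_margin = re.fullmatch(r"\d+", arg) and 1 <= int(arg) <= 15
            if not is_margin and arg not in ("showtime-monitor", "training-monitor"):
                findings.append((n, "snr-margin must be 1-15 dB or a monitor keyword"))
        elif kind == "atm-sub" and line.startswith("pvc "):
            m = re.fullmatch(r"(\d+)/(\d+)", arg)
            if not m:
                findings.append((n, "pvc must be written <vpi>/<vci>"))
                continue
            vpi, vci = int(m.group(1)), int(m.group(2))
            if not 0 <= vpi <= 255:
                findings.append((n, "VPI must be 0-255"))
            if not 32 <= vci <= 65535:
                findings.append((n, "VCI must be 32-65535"))
            seen = vcis.setdefault(context[1], set())
            if vci in seen:
                findings.append((n, f"VCI {vci} is already used on ATM interface {context[1]}"))
            seen.add(vci)
        elif kind == "atm-sub" and line.startswith("encapsulation "):
            if arg not in ENCAPSULATIONS:
                findings.append((n, "encapsulation must be aal5snap, aal5mux ip or aal5mux ppp"))
    return findings


def _enter_atm(ident, n, subifs, findings):
    """Range-check 'interface atm <number>[.<subinterface>]' and return the new context."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", ident)
    if not m:
        findings.append((n, "malformed ATM interface number"))
        return None
    base, sub = m.groups()
    if not 1 <= int(base) <= 1024:
        findings.append((n, "ATM interface number must be 1-1024"))
    if sub is None:
        return ("atm", base)
    if not 1 <= int(sub) <= 65535:
        findings.append((n, "subinterface number must be 1-65535"))
    subifs.setdefault(base, set()).add(sub)
    if len(subifs[base]) > MAX_PVCS:
        findings.append((n, f"more than {MAX_PVCS} subinterfaces on ATM interface {base}"))
    return ("atm-sub", base)


if __name__ == "__main__":
    for n, message in audit(SAMPLE, "annex-b"):
        print(f"line {n}: {message}")
```

The check compares keywords exactly as they are printed in the guide, so it treats a differently capitalized training mode as unsupported.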

Assigning the ATM Subinterface an IP Address

If you are configuring just ATM as the Data Link Layer protocol, you assign the IP address to the ATM subinterface. If you are configuring PPPoE or PPPoA, you assign the IP address to the PPP interface.

If you are configuring the IP address on the ATM subinterface, you can configure:

■ a static IP address

■ the ATM subinterface as a DHCP client

■ the ATM subinterface as an unnumbered interface

Configuring a Static Address. To assign the ATM subinterface a static IP address, use the following command syntax:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, you might enter:

ProCurve(config-atm 1.1)# ip address 10.1.1.1 255.255.255.0

Because the ProCurve Secure Router supports Classless Inter-Domain Routing (CIDR) notations, you could also enter:

ProCurve(config-atm 1.1)# ip address 10.1.1.1 /24

Note: You must include a space between the IP address and the / symbol in front of the prefix length.

Configuring the ATM Subinterface as a DHCP Client. Your service provider may want you to configure the ATM subinterface as a DHCP client. To enable the DHCP client for the ATM subinterface, use one of the following commands:

Syntax: ip address dhcp [client-id {ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH} | hostname <word>]

Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]

In addition to enabling the DHCP client, these commands allow you to configure the settings shown in Table 7-5.

Table 7-5. Default Settings for the DHCP Client

| Option | Meaning | Default Setting |
| --- | --- | --- |
| client-id | configures the client identifier displayed for this interface in the DHCP server’s table | media type and interface’s MAC address |
| hostname | configures the hostname displayed for this interface in the DHCP server’s table | router hostname |
| no-default-route | specifies that the DHCP client should not accept the default route obtained through DHCP | accept default route from the DHCP server |
| no-domain-name | specifies that the DHCP client should not accept the domain name included with the other lease settings sent by the DHCP server | accept the domain name setting from the DHCP server |
| no-nameservers | specifies that the DHCP client should not accept the Domain Name System (DNS) setting included with the other lease settings sent by the DHCP server | accept DNS settings from the DHCP server |

Before you enable the DHCP client, you must decide whether or not you want to configure the settings listed in Table 7-5, and you must then include the settings in the same command you enter to enable the DHCP client. After you enable the DHCP client, it immediately begins to search for a DHCP server and negotiate a lease. You cannot impose settings on that lease after it is established.

Accepting the Default Settings. If you want to use all of the default DHCP settings for the ATM subinterface, you can simply enter:

ProCurve(config-atm 1.1)# ip address dhcp

The DHCP client on the ATM subinterface will immediately begin to send DHCP discovery messages to find a DHCP server. When a DHCP server responds, the client will negotiate an IP address.

The DHCP client will send DHCP discovery messages whether or not the ATM subinterface is activated or a valid connection has been established. It will continue to send DHCP discovery messages until a DHCP server responds.

You should ensure that the DHCP client receives an IP address so that these requests do not consume router resources or bandwidth on your ADSL link. To determine if the ATM subinterface has been assigned an IP address, enter:

ProCurve(config-atm 1.1)# do show int atm 1.1

Note: The do command allows you to enter enable mode commands from any context (except the basic mode context).

Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address. You can specify that the DHCP client uses the MAC address of an Ethernet port, or you can configure a customized client identifier.

To configure a client identifier when you enable the DHCP client, enter:

Syntax: ip address dhcp client-id [ethernet 0/<port> | HH:HH:HH:HH:HH:HH:HH]

In the same command in which you configure the client identifier, you can also configure a hostname, as explained in the next section.

Configuring a Hostname. The Secure Router OS uses the router’s hostname as the ATM subinterface’s default DHCP client hostname. If you want to override this name when you enable the DHCP client, enter the following command:

Syntax: ip address dhcp hostname <word>

For example, you might want to specify that the hostname is RouterB. In this case, you would enter:

ProCurve(config-atm 1.1)# ip address dhcp hostname RouterB

You can also configure a client identifier at the same time as the hostname, as shown below.

ProCurve(config-atm 1.1)# ip address dhcp client-id ethernet 0/1 hostname RouterB

If you enter this command, the DHCP client will use the MAC address of the Ethernet 0/1 interface as its client identifier. The DHCP client will also use the hostname RouterB.

Alternatively, you can specify the hostname and configure the client to ignore the settings received from the DHCP server. These commands are described in the following sections.

Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default route, a domain name, or the IP address of a domain name system (DNS) server, the DHCP client for the ATM subinterface will accept and use these settings. If you do not want to use one or more of these settings, enter the appropriate options when you enable the DHCP client:

Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]

For example, if you do not want the DHCP client to use the default gateway and DNS name server addresses that it receives from the DHCP server, enter:

ProCurve(config-atm 1.1)# ip address dhcp no-default-route no-nameservers

Changing a Setting for the DHCP Client. If you want to change a setting for the DHCP client, you must first disable the client. Then you can enter the command to enable the client with the setting that you want to change.

Before you disable the client, you should release the IP address obtained through DHCP. This will prevent the DHCP server from holding the IP address and allow it to assign the IP address to another client.

Releasing or Renewing an IP address. If you want to manually force the ATM subinterface to release or renew an IP address, enter these commands from the ATM subinterface configuration mode context:

ProCurve(config-atm 1.1)# ip dhcp release
ProCurve(config-atm 1.1)# ip dhcp renew

Removing the DHCP Client Setting. If you decide that you no longer want the ATM subinterface to be a DHCP client, enter:

ProCurve(config-atm 1.1)# no ip address dhcp

Configuring the ATM Subinterface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the ATM subinterface as an unnumbered interface. When you assign the ATM subinterface an IP address, that IP address cannot overlap with the IP addresses assigned to other interfaces on your network. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, this could use more IP addresses than you can spare.

You can configure the ATM subinterface as an unnumbered interface. The ATM subinterface will then use the IP address of the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending routing updates over the unnumbered interface.

Before configuring the ATM subinterface as an unnumbered interface, you should be aware of a potential disadvantage: if the interface to which the IP address is actually assigned goes down, the ATM subinterface will be unavailable. For example, suppose you configure the ATM 1.1 subinterface as an unnumbered interface that takes its IP address from an Ethernet interface. If the Ethernet interface goes down, the ATM 1.1 subinterface will be unavailable as well.

To minimize the chances of the ATM subinterface becoming unavailable, you can assign the IP address to a loopback interface, which typically does not go down.

To configure the ATM subinterface as an unnumbered interface, enter the following command from the ATM subinterface configuration mode context:

Syntax: ip unnumbered <interface>

Valid interfaces from which the ATM subinterface can take its address include:

■ other ATM subinterfaces

■ demand interfaces

■ Ethernet interfaces or subinterfaces

■ Frame Relay subinterfaces

■ HDLC interfaces

■ loopback interfaces

■ PPP interfaces

If you configure an Ethernet interface to support virtual LANs (VLANs), you can specify an Ethernet subinterface.

For example, you would enter the following commands to configure a loopback interface and then to configure the ATM 1.1 subinterface to use the IP address assigned to that loopback interface:

ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 10.1.1.1 /24
ProCurve(config-loop 1)# interface atm 1.1
ProCurve(config-atm 1.1)# ip unnumbered loopback 1
ProCurve(config-atm 1.1)# no shut

Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface automatically changes to up after you enter the interface loopback <number> command.

OAM Settings

By default, an activated ATM interface sends F5 Operation, Administration, and Maintenance (OAM) cells over a reserved VCI to monitor the ATM link and ensure that it is open from end to end. The oam retry command enables you to configure the OAM settings that the ProCurve Secure Router OS uses to determine if a PVC is up or down.

Syntax: oam retry <up-count> <down-count> <retry-frequency>

The <up-count> option determines the number of consecutive, end-to-end F5 OAM loopback cell responses that the ADSL interface must receive before the Secure Router OS changes a PVC connection state to up.

Replace <up-count> with a number between 1 and 255. The default setting is 3.

The <down-count> option determines the number of consecutive, end-to-end F5 OAM loopback cell responses that the ATM subinterface must miss before the Secure Router OS changes the PVC state to down.

Replace <down-count> with a number between 1 and 255. The default setting is 5.

The <retry-frequency> option determines the frequency (in seconds) at which the ADSL interface transmits F5 OAM loopback cells when verifying a PVC state change. Replace <retry-frequency> with a number of seconds between 1 and 600. The default setting is 1 second.

The value you specify for the <retry-frequency> option is used only when the Secure Router OS is verifying a change in the state of a PVC. To configure the time delay between OAM loopback cells for all other circumstances, you enter this command from the ATM subinterface configuration mode context:

Syntax: oam-pvc managed <frequency>

This command determines the number of seconds the Secure Router OS waits between transmitting OAM loopback cells. The range is 0 to 600 seconds, and the default setting is 1 second.

For example, to configure the Secure Router OS to wait 4 seconds between transmitting OAM loopback cells, enter:

ProCurve(config-atm 1.1)# oam-pvc managed 4

Bind the ADSL Interface to the ATM Interface

When you configure WAN connections on the ProCurve Secure Router, you must bind the physical interface to the logical interface. For ADSL WAN connections, you must bind the ADSL interface to the ATM interface. Enter the following command from the global configuration mode context:

Syntax: bind <number> <physical interface> <slot number>/<port number> <logical interface> <logical interface number>

You can also enter this command from the ATM interface configuration mode context.

For example, if you want to bind the ADSL 1/1 interface to the ATM 1 interface, enter:

ProCurve(config)# bind 1 adsl 1/1 atm 1

The ATM interface may take a few minutes to establish a connection. To view the status of the ATM interface and subinterface, enter:

ProCurve(config)# do show interface atm 1
ProCurve(config)# do show interface atm 1.1

Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

If you need to configure PPPoE for your ADSL connection, see “PPPoE Overview” on page 7-28. If you need to configure PPPoA for your ADSL connection, see “PPPoA Overview” on page 7-35.

Additional Settings

In addition to configuring the settings to enable and establish the ADSL connection, you can configure settings such as access controls on the ATM subinterfaces. Table 7-6 lists additional configurations that you can enter from the ATM interface and subinterface and the page number where you can find information about those configurations.

Table 7-6. Additional Configurations for the ATM Interface or Subinterface

Settings                                                 Apply to ATM Interface or Subinterface  Configuration Guide  Page
access controls to filter incoming and outgoing traffic  ATM subinterface                        Advanced             5-18, 5-37
bridging                                                 ATM subinterface                        Basic                10-6
VPNs                                                     ATM subinterface                        Advanced             8-46
routing commands for OSPF, RIP, or BGP                   ATM subinterface                        Advanced             13-1
quality of service settings                              ATM interface                           Advanced             7-28

PPPoE Overview

Your service provider may use PPPoE for several reasons:

■ Each host can use its own protocol stack, enabling each user to continue using a familiar interface.

■ The service provider can control access, track usage, provide services, and bill for usage on a per-user basis, rather than on a per-site basis.

■ The service provider can use PPP authentication to ensure that the hosts requesting access to network services are authorized to use those services.

If an individual user is using ADSL with PPPoE to connect from his or her home to the service provider, that user must load a PPPoE client on his workstation. For a company environment, the PPPoE client is frequently configured on the router establishing the ADSL connection. In this case, the users on the company’s LAN do not have to run a PPPoE client on their workstation.

To implement PPPoE, the service provider must set up an access concentrator, or access server. This access concentrator negotiates the PPPoE session with the client—which is, in this case, the ProCurve Secure Router. (See Figure 7-8.)

Figure 7-8. Access Concentrator for PPPoE Access

[Figure 7-8 labels: Customer’s Premises; LAN; Router; Splitter; Local loop; Central Office; Splitter; DSLAM; Other DSLAMs; Regional broadband network; Broadband switch (ATM); Access concentrator. Callouts: the router negotiates the PPPoE session with the access concentrator; the access concentrator negotiates the PPPoE session with the router.]

Two Phases for Establishing a PPPoE Session

To establish a PPPoE session, the client and the access concentrator must successfully complete two phases:

■ discovery phase

■ PPP session

Discovery Phase

During the discovery phase, the PPPoE client must find an access concentrator, obtain the access concentrator’s Ethernet MAC address, and learn the session ID that the access concentrator assigns this PPPoE session. If the PPPoE client fails to obtain any of this information, the discovery phase fails, and the PPPoE session is not established.

The PPPoE discovery phase includes four steps, as shown in Figure 7-9.

Figure 7-9. Discovery Stage for Negotiating a PPPoE Session

[Figure 7-9 shows the discovery stage between the router and the access concentrator: 1. PPPoE client broadcasts a PADI (initiation) frame; 2. Access concentrator sends a PADO (offer) frame; 3. PPPoE client sends a PADR (request) frame; 4. Access concentrator sends a PADS (confirmation) frame. Goal: Learn session ID and peer’s Ethernet MAC address. If negotiation is successful, PPP session begins.]

Step 1. The PPPoE client broadcasts a PPPoE Active Discovery Initiation (PADI) frame to locate the available access concentrators. This frame contains at least one service name tag, which specifies the service that the PPPoE client is requesting. As outlined in RFC 2516, the PADI frame (including the PPPoE header) cannot be larger than 1484 bytes.

Step 2. The available access concentrators that can provide the service (or services) specified in the PADI frame send a PPPoE Active Discovery Offer (PADO) frame to the Ethernet MAC address of the PPPoE client. This frame contains the name of the access concentrator and the service name tag that was included in the PADI frame from the PPPoE client. In addition, the PADO frame may include information about other services available from the access concentrator.

Step 3. If the PPPoE client receives a PADO frame from more than one access concentrator, it reviews the offers and selects one, based on either name or services offered. For example, the PPPoE client may be configured to accept the offer from a particular access concentrator. In this case, the client makes the selection based on access concentrator name. Alternatively, the PPPoE client may be configured to accept the offer based on the services offered.

After making the selection, the PPPoE client sends a unicast frame called a PPPoE Active Discovery Request (PADR) to the MAC address of the access concentrator it selected. This frame contains the service name tag of the service the PPPoE client is requesting.

Step 4. When the access concentrator receives the PADR frame, it checks the service name tag. If it accepts the service name tag, the access concentrator generates a unique session ID. It includes this ID and the service name tag in a PPPoE Active Discovery Session-confirmation (PADS) frame and sends this frame to the PPPoE client.

If the access concentrator rejects the service name tag included in the PADR, it sends a PADS frame that includes a service-name error tag and a session ID of 0x0000. This signals to the PPPoE client that the access concentrator cannot provide that service.

PPP Session

After the PPPoE client receives the PADS frame, the PPP session begins, and the two devices begin exchanging frames in the customary sequence for PPP. The devices exchange the PPP frames in the order shown in Figure 7-10.

Figure 7-10. Establishing a PPP Session

[Figure 7-10 shows the frames exchanged between the router and the access concentrator: 1. Link establishment (LCP); 2. Authentication, optional (PAP, CHAP, or EAP); 3. Negotiation of network layer protocols (NCP: IPCP, BCP, IPXCP, and so on); 4. Session established (PPP).]

Step 1. The devices exchange link control protocol (LCP) frames to establish, configure, and control the link.

Step 2. If the devices are configured for authentication, they use one of the following protocols to verify that they are establishing a session with the correct PPP peer: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP). Exchanging authentication frames is optional.

The ProCurve Secure Router supports PAP and CHAP. For more information about configuring PPP authentication on the ProCurve Secure Router, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Step 3. The devices use network control protocol (NCP) frames to enable the exchange of Network Layer protocols, such as IP, across the link.

Step 4. The devices use PPP frames to transmit the actual data.

(For more information about establishing a PPP session, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.)

During the process of establishing a PPP session, the devices will also negotiate the maximum receive unit (MRU) size. For PPPoE, the negotiated MRU cannot be larger than 1492 bytes because Ethernet has a maximum payload size of 1500 bytes. The PPPoE header is 6 bytes, and the PPP protocol ID is 2 bytes. With this overhead of 8 bytes, the PPP MTU cannot be larger than 1492 bytes.

Creating the PPP Interface

To configure PPPoE, you first configure the ADSL interface, the ATM interface, and the ATM subinterface. (These instructions begin with “Configuring the ADSL Interface: the Physical Layer” on page 7-12.) When configuring the ATM subinterface, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below:

Syntax: encapsulation aal5snap

or

Syntax: encapsulation aal5mux [ip | ppp]

Your service provider should tell you which encapsulation to use.

Setting the encapsulation type configures the ATM adaptation layer (which is called Layer 2-1). When you use PPPoE, you must also configure the ATM point-to-point layer (which is called Layer 2-2). To configure this layer, you create a PPP interface and then bind this interface to the ATM subinterface.

To create a PPP interface, move to the global configuration mode context and enter:

Syntax: interface <interface> <number>

Replace <interface> with ppp and replace <number> with a number to distinguish this PPP interface from other PPP interfaces created on the router.

Assigning an IP Address

Because you are configuring a PPP interface on top of the ATM subinterface, the PPP interface handles the IP address. Rather than configuring an IP address on the ATM subinterface, you configure the IP address on the PPP interface.

You can configure a static IP address, or you can configure the PPP interface to negotiate an IP address from the service provider’s access concentrator. To assign the PPP interface a static IP address, enter the following command from the PPP interface configuration mode context:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

Replace <A.B.C.D> with the IP address. To specify a subnet mask, replace <subnet mask> with the subnet mask or replace </prefix length> with the CIDR notation.

To configure the PPP interface to negotiate an IP address, enter:

Syntax: ip address negotiated

If you need to configure authentication protocols for the connection, see “PPP Authentication” on page 6-71 of Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Binding the ATM Subinterface to the PPP Interface

To finish defining the point-to-point layer for the ADSL connection, you must bind the ATM subinterface to the PPP interface. Enter the following command from either the global configuration mode context or the PPP interface configuration mode context:

Syntax: bind <bind number> atm <interface number.subinterface number> ppp <interface number> pppoe-client

Replace <bind number> with a bind number that you have not yet used on the ProCurve Secure Router. Enter the interface numbers for the ATM subinterface and PPP interface that you want to bind together. Include the pppoe-client option to enable the PPPoE client to establish a PPPoE session with the service provider’s access concentrator.

You can enter the show running-config command from the enable mode context to ensure that you have entered the two bind commands that are required for an ADSL connection that uses PPPoE. Figure 7-11 shows a sample running-config for an ADSL interface, ATM interface, ATM subinterface, and PPP interface.

Figure 7-11. Using the show running-config Command to Check the Two bind Commands Required for PPPoE

interface adsl 2/1
 snr-margin 6
 no shutdown
!
interface atm 1 point-to-point
 no shutdown
 bind 3 adsl 2/1 atm 1
!
interface atm 1.1 point-to-point
 no shutdown
 pvc 0/35
!
interface ppp 3
 ip address 10.1.1.1 255.255.255.252
 no shutdown
 bind 4 atm 1.1 ppp 3 pppoe-client

[Figure 7-11 callouts: "bind 3 adsl 2/1 atm 1" binds the ADSL interface to the ATM interface; "bind 4 atm 1.1 ppp 3 pppoe-client" binds the ATM subinterface to the PPP interface.]

Identifying the Access Concentrator

You can configure the name of the access concentrator with which the Secure Router OS should establish a PPPoE session. Your service provider may ask you to configure this setting if there are multiple access concentrators and the service provider wants you to establish a connection with a particular one. You may also want to configure this option to ensure that the ProCurve Secure Router establishes a PPPoE session only with your service provider’s access concentrator.

From the PPP interface configuration mode context, enter:

Syntax: pppoe ac-name <name>

Replace <name> with a text string of up to 255 characters that corresponds to the AC-Name Tag as defined in RFC 2516. The AC value may be a combination of trademark, model, and serial ID information (or simply the MAC address of the access concentrator).

If you do not include this field, any access concentrator is acceptable. By default, no access concentrator is specified.

Identifying PPPoE Services

You can also control which PPPoE session offer the Secure Router OS accepts by specifying the PPPoE services that are required. From the PPP interface configuration mode context, enter:

Syntax: pppoe service-name <name>

Replace <name> with a text string of up to 255 characters that identifies the service-name tags outlined in RFC 2516. If you need to configure the Secure Router OS to select an access concentrator by service name, your service provider will give you the service name to enter.

By default, no service names are specified.
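The four discovery steps described earlier, and the effect of pppoe ac-name and pppoe service-name on which offer is accepted, as an added Python example (not code from this guide or from the Secure Router OS). The frame layout and tag type values follow RFC 2516; the MAC addresses, access concentrator names, service name and session ID are constructed, and the function names are hypothetical.

```python
import struct

ETHERTYPE_DISCOVERY = 0x8863  # EtherType of the PPPoE discovery stage (RFC 2516)
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS"}
CODE_BY_NAME = {name: code for code, name in CODES.items()}
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_SERVICE_NAME_ERROR = 0x0201
MAX_PADI_LEN = 1484  # PADI size limit, PPPoE header included


def build_frame(dst, src, kind, session_id, tags):
    """Build an Ethernet frame that carries one PPPoE discovery packet."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", 0x11, CODE_BY_NAME[kind], session_id, len(payload)) + payload
    if kind == "PADI" and len(pppoe) > MAX_PADI_LEN:
        raise ValueError("PADI larger than 1484 bytes")
    macs = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    return macs + struct.pack("!H", ETHERTYPE_DISCOVERY) + pppoe


def parse_frame(frame):
    """Parse a discovery frame; raise ValueError on anything malformed."""
    if len(frame) < 20:
        raise ValueError("too short for Ethernet and PPPoE headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ethertype != ETHERTYPE_DISCOVERY or ver_type != 0x11 or code not in CODES:
        raise ValueError("not a supported PPPoE discovery packet")
    payload = frame[20:20 + length]  # bytes past `length` are Ethernet padding
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds the captured frame")
    tags, pos = [], 0
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated tag header")
        tag_type, tag_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tag_type == TAG_END_OF_LIST:
            break
        value = payload[pos + 4:pos + 4 + tag_len]
        if len(value) != tag_len:
            raise ValueError("tag value runs past the PPPoE payload")
        tags.append((tag_type, value))
        pos += 4 + tag_len
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "kind": CODES[code], "session_id": session_id, "tags": tags}


def tag_values(packet, tag_type):
    """Return the decoded values of every tag of one type."""
    return [v.decode("utf-8", "replace") for t, v in packet["tags"] if t == tag_type]


def select_offer(offers, ac_name=None, service_name=None):
    """Step 3: return the first PADO that passes the configured filters."""
    # ac_name / service_name stand in for `pppoe ac-name` / `pppoe service-name`;
    # None means no filter is configured, so any value is acceptable.
    for offer in offers:
        if offer["kind"] != "PADO":
            continue
        if ac_name not in (None, *tag_values(offer, TAG_AC_NAME)):
            continue
        if service_name not in (None, *tag_values(offer, TAG_SERVICE_NAME)):
            continue
        return offer
    return None


def accept_pads(pads, selected_ac_mac):
    """Step 4: return the session ID, or raise if the request was refused."""
    if pads["kind"] != "PADS" or pads["src"] != selected_ac_mac:
        raise ValueError("PADS did not come from the selected access concentrator")
    errors = tag_values(pads, TAG_SERVICE_NAME_ERROR)
    if pads["session_id"] == 0x0000 or errors:
        raise RuntimeError("refused: " + "; ".join(errors or ["session ID 0x0000"]))
    return pads["session_id"]


# Constructed sample exchange: MAC addresses, names and session ID are invented.
CLIENT, AC_ISP, AC_OTHER = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SERVICE = (TAG_SERVICE_NAME, b"internet")


def run_discovery(ac_name=None):
    """Walk steps 1-4 and return (MAC of the selected AC, session ID)."""
    build_frame("ff:ff:ff:ff:ff:ff", CLIENT, "PADI", 0, [SERVICE])  # 1: broadcast
    offers = [parse_frame(build_frame(CLIENT, mac, "PADO", 0,         # 2: offers
                                      [(TAG_AC_NAME, name), SERVICE]))
              for mac, name in ((AC_OTHER, b"other-ac"), (AC_ISP, b"isp-ac-1"))]
    chosen = select_offer(offers, ac_name=ac_name, service_name="internet")
    if chosen is None:
        raise RuntimeError("no acceptable PADO received")
    build_frame(chosen["src"], CLIENT, "PADR", 0, [SERVICE])        # 3: unicast
    pads = parse_frame(build_frame(CLIENT, chosen["src"], "PADS", 0x0042, [SERVICE]))
    return chosen["src"], accept_pads(pads, chosen["src"])          # 4: confirm


if __name__ == "__main__":
    print(run_discovery(), run_discovery(ac_name="isp-ac-1"))
```

The AC-Name tag is carried unauthenticated and in cleartext in the PADO frame, so matching on it narrows which offers the client accepts rather than proving the peer's identity.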

PPPoA Overview

Like PPPoE, PPPoA provides several advantages to service providers, including the following:

■ Service providers can control access, track usage, provide services, and bill for usage on a per-user basis, rather than on a per-site basis.

■ Service providers can use PPP authentication to ensure that the hosts requesting access to network services are authorized to use those services.

■ Service providers can build a scalable infrastructure because they can terminate a large number of PPP sessions through one access concentrator.

After the ADSL physical connection is established, the router will try to establish a PPP connection with an access concentrator on the other side of the DSLAM. The two devices will begin exchanging frames in the customary sequence for PPP.

PPP peers exchange PPP frames in the order shown in Figure 7-12.

Figure 7-12. Establishing a PPP Session

[Figure 7-12 shows the frames exchanged between the router and the access concentrator: 1. Link establishment (LCP); 2. Authentication, optional (PAP, CHAP, or EAP); 3. Negotiation of network layer protocols (NCP: IPCP, BCP, IPXCP, and so on); 4. Session established (PPP).]

Step One. The devices exchange link control protocol (LCP) frames to establish, configure, and control the link.

Step Two. If the devices are configured for authentication, they use one of the following protocols to verify that they establish the PPP session with the correct peer: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP). Exchanging authentication frames is optional.

The ProCurve Secure Router supports PAP and CHAP. For more information about configuring PPP authentication on the ProCurve Secure Router, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Step Three. The devices use network control protocol (NCP) frames to enable the exchange of Network Layer protocols, such as IP, across the link.

Step Four. The devices use PPP frames to transmit the actual data.

(For more information about establishing a PPP session, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.)

Creating the PPP Interface

To configure PPPoA, you configure the ADSL interface, the ATM interface, and the ATM subinterface. (These instructions begin with “Configuring the ADSL Interface: the Physical Layer” on page 7-12.) When configuring the ATM subinterface, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below:

Syntax: encapsulation aal5snap

or

Syntax: encapsulation aal5mux [ip | ppp]

Your service provider should tell you which encapsulation to use.

The encapsulation setting configures the ATM adaptation layer (which is called Layer 2-1). When you use PPPoA, you must also configure the ATM point-to-point layer (which is called Layer 2-2). To configure this layer, you create a PPP interface and then bind this interface to the ATM subinterface.

To create a PPP interface, move to the global configuration mode context and enter:

Syntax: interface <interface> <number>

Replace <interface> with ppp and replace <number> with a number to distinguish this PPP interface from other PPP interfaces on the router.

Assigning an IP Address

Because you are configuring a PPP interface on top of the ATM subinterface, the PPP interface handles the IP address. Rather than configuring an IP address on the ATM subinterface, you configure the IP address on the PPP interface.

You can configure a static IP address, or you can configure the PPP interface to negotiate an IP address from the service provider’s access concentrator.

To assign the PPP interface a static IP address, enter the following command from the PPP interface configuration mode context:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

To configure the PPP interface to negotiate an IP address, enter:

Syntax: ip address negotiated

If you need to configure authentication protocols for the connection, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.

Binding the ATM Subinterface to the PPP Interface

To finish defining the point-to-point layer for the ADSL connection, you must bind the ATM subinterface to the PPP interface. Enter the following command from either the global configuration mode context or the PPP interface configuration mode context:

Syntax: bind <bind number> atm <number.subinterface number> ppp <number>

Replace <bind number> with a bind number that you have not yet used on the ProCurve Secure Router. Enter the interface numbers for the ATM subinterface and PPP interface that you want to bind together.

You can enter the show running-config command from the enable mode context to ensure that you have entered the two bind commands that are required for an ADSL connection that uses PPPoA. Figure 7-13 shows a section of the running-config relating to an ADSL interface, ATM interface, ATM subinterface, and PPP interface.

Figure 7-13. Using the show running-config Command to Check the Two bind Commands Required for PPPoA

interface adsl 2/1
 snr-margin 5
 no shutdown
!
interface atm 1 point-to-point
 no shutdown
 bind 1 adsl 2/1 atm 1
!
interface atm 1.1 point-to-point
 no shutdown
 pvc 0/33
!
interface ppp 1
 ip address 10.1.1.1 255.255.255.252
 no shutdown
 bind 2 atm 1.1 ppp 1

[Figure 7-13 callouts: "bind 1 adsl 2/1 atm 1" binds the ADSL interface to the ATM interface; "bind 2 atm 1.1 ppp 1" binds the ATM subinterface to the PPP interface.]
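One way to automate the check of the two bind commands in saved running-config text, for both PPPoE and PPPoA, as an added Python example (not a ProCurve tool). It assumes the running-config prints one command per line under each interface line and that pppoe ac-name appears in it as entered; the sample text is constructed from the PPPoE figure, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the PPPoE running-config in Figure 7-11.
# Assumed layout: one command per line, "!" between interface blocks.
SAMPLE_PPPOE = """\
interface adsl 2/1
 snr-margin 6
 no shutdown
!
interface atm 1 point-to-point
 no shutdown
 bind 3 adsl 2/1 atm 1
!
interface atm 1.1 point-to-point
 no shutdown
 pvc 0/35
!
interface ppp 3
 ip address 10.1.1.1 255.255.255.252
 no shutdown
 bind 4 atm 1.1 ppp 3 pppoe-client
"""

BIND_RE = re.compile(
    r"bind\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(\s+pppoe-client)?$")


def parse_config(text):
    """Return ({interface name: [commands]}, [bind records])."""
    interfaces, binds, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = " ".join(line.split()[1:3])   # "atm 1.1", "ppp 3", ...
            interfaces[current] = []
            continue
        match = BIND_RE.match(line)
        if match:
            binds.append({"number": int(match[1]),
                          "lower": f"{match[2]} {match[3]}",
                          "upper": f"{match[4]} {match[5]}",
                          "pppoe_client": match[6] is not None})
        elif current is not None:
            interfaces[current].append(line)
    return interfaces, binds


def audit(text, mode):
    """Check the bind chain for mode "pppoe" or "pppoa"; return findings."""
    interfaces, binds = parse_config(text)
    findings = []
    numbers = [b["number"] for b in binds]
    for number in sorted(set(numbers)):
        if numbers.count(number) > 1:
            findings.append(f"bind number {number} is used more than once")
    for b in binds:
        for end in (b["lower"], b["upper"]):
            if end not in interfaces:
                findings.append(f"bind {b['number']} names undefined interface {end}")
    if not any(b["lower"].startswith("adsl ") and b["upper"].startswith("atm ")
               for b in binds):
        findings.append("no bind from the ADSL interface to the ATM interface")
    ppp_binds = [b for b in binds
                 if b["lower"].startswith("atm ") and b["upper"].startswith("ppp ")]
    if not ppp_binds:
        findings.append("no bind from the ATM subinterface to the PPP interface")
    for b in ppp_binds:
        commands = interfaces.get(b["upper"], [])
        if mode == "pppoe" and not b["pppoe_client"]:
            findings.append(f"bind {b['number']} lacks pppoe-client")
        if mode == "pppoa" and b["pppoe_client"]:
            findings.append(f"bind {b['number']} sets pppoe-client on a PPPoA link")
        if not any(c.startswith("ip address ") for c in commands):
            findings.append(f"{b['upper']} has no ip address command")
        if mode == "pppoe" and not any(c.startswith("pppoe ac-name ") for c in commands):
            findings.append(
                f"{b['upper']} has no pppoe ac-name: any access concentrator is accepted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PPPOE, "pppoe"):
        print(finding)
```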

Routed Bridged Encapsulation

Some DSLAMs use routed bridged encapsulation (RBE) to route IP over bridged Ethernet traffic. RBE is sometimes referred to as “half bridging,” because it provides some of the advantages of bridging combined with some of the advantages of routing.

With RBE, the ADSL service provider uses an aggregation device to establish a bridge with the customer’s ADSL modem—in this case, the ProCurve Secure Router. (See Figure 7-14.) With RBE, however, the router forwards packets based on the Layer 3, or IP, header. In a pure bridging environment, the router would use the Layer 2 header to forward packets.

When a device sends a packet that must be transmitted on the ATM subinterface, the router disregards the Layer 2 header and uses the Layer 3 header to forward the packet. Likewise, when packets are received on the ATM subinterface, the ProCurve Secure Router examines the IP header. It then consults its internal tables and identifies the MAC address associated with that IP address and places that MAC address in the Layer 2 frame. If the ProCurve Secure Router does not know the MAC address, it sends an Address Resolution Protocol (ARP) frame to request that information.

ADSL service providers use RBE because it minimizes the configuration required at the customer’s premises. It also provides better security than pure bridging environments because each customer’s ADSL device establishes a point-to-point connection with the service provider’s aggregation device. This point-to-point connection also eliminates broadcast storms that are typical in pure bridging environments.

Figure 7-14. RBE Environment

[Figure 7-14 labels: Customer’s Premises; LAN; Router; Splitter; Local loop; Central Office; Splitter; DSLAM; Other DSLAMs; Regional broadband network; Broadband switch (ATM); Aggregation device. Callout: the aggregation device establishes an Ethernet bridge with the ProCurve Secure Router.]

To configure RBE, complete the steps for configuring the ADSL interfaces as explained in “Configuring the ADSL Interface: the Physical Layer” on page 7-12. Then configure the ATM interface as explained in “Configuring the Data Link Layer for the ADSL Connection” on page 7-17 and configure the ATM subinterface as described in “Configuring a Subinterface for each PVC” on page 7-18.

When you configure the ATM subinterface, you must enter an additional command. From the ATM subinterface configuration mode context, enter:

ProCurve(config-atm 1.1)# atm routed-bridged ip

Figure 7-15 shows the running-config for an ADSL connection that is using RBE.

Figure 7-15. Running-config for an ADSL Connection That Is Using RBE

interface adsl 2/1
 snr-margin 6
 training-mode G.DMT
 no shutdown

interface atm 1 point-to-point
 no shutdown
 bind 2 adsl 2/1 atm 1

interface atm 1.1 point-to-point
 no shutdown
 pvc 0/33
 encapsulation aal5snap
 atm routed-bridged ip
 ip address 10.1.1.1 255.255.255.252
 bandwidth 896

[Figure 7-15 callout: RBE is configured on the ATM subinterface.]

Viewing the Status and Configuration of Interfaces

You can view information about all of the interfaces that are used to create the ADSL connection.

Viewing the Status of the ADSL Interface

To view the status of the ADSL interface, enter:

Syntax: show interfaces adsl <slot>/<port>

Replace <slot> with the slot where the ADSL interface is installed, and replace <port> with 1.

Figure 7-16 shows the output from this command for a sample network if the ADSL connection is up. The first line of the display reports the status of the ADSL interface and the line protocol—the logical interface to which you have bound the ADSL interface.

Figure 7-16. show interfaces adsl Command

!adsl 2/1 is UP, line protocol is UP
 Link Status              Up G.DMT
 Line Type                Fast
 Line Length              933 ft

                          Downstream  Upstream
 Line Rate                8128 kbps   896 kbps
 Current margin           10.0 dB     8.0 dB
 Attenuation              1.0 dB      0.0 dB
 Power                    0 dBm       12 dBm
 Prev Rate                0 kbps      0 kbps
 Actual Delay             0 msecs     0 msecs
 Loss of Framing Seconds  0           0
 Loss of Signal Seconds   0           0
 Loss of Power Seconds    0           0
 Errored Seconds          0           0
 Line Inits               1           N/A
 Rx Blocks                7443        7443
 Tx Blocks                7443        7443
 Corrected Blocks         0           0
 UncorrectedBlocks        0           0
 Last Failure             NONE
 Last Failure Time        N/A

 DMT Bits Per Bin
 000: 0 0 0 0 0 0 0 A B B C C B B B B
 010: A A A B B B B B A A A 9 9 8 7 0
 020: 0 2 4 5 7 7 8 9 9 A A A B B B B
 030: C B C C C C C C C C C C C B B B
 040: 0 B B B B B B B B B B B B B B B
 050: B B B B B B B B B B B B B B B B
 060: B B B B B B B B B A A A A A A A
 070: A A A A A A A A A A A A A A A A
 080: A A A A A A A A A A A A A A A A
 090: A A A A A A 9 9 9 9 9 9 9 9 9 9
 0A0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
 0B0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
 0C0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
 0D0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9
 0E0: 9 9 8 9 9 8 9 9 9 9 9 9 9 9 9 9
 0F0: 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9 9

[Figure 7-16 callouts: Status of physical and logical interface; Training mode used; Actual downstream and upstream rates; One indicator of line condition; Watch for steadily incrementing losses or errors.]

The “Link Status” indicates the training mode standard. If the ADSL interface has established the Physical Layer, the “Line Type” and “Line Length” fields will be populated with information about that particular ADSL connection. In Figure 7-16, for example, the “Line Type” is Fast, and the “Line Length” is 933 feet.

Next, the output from the show interfaces adsl command displays the downstream and upstream transmission rates for the connection. This section of the output also reports the attenuation on the line and any framing, signaling, and power losses, as well as error seconds.

To view the commands that have been entered to configure the ADSL interface, use the following enable mode command:

Syntax: show running-config interface adsl <slot>/<port>

For example, if the ADSL interface is in slot two, port one, enter:

ProCurve# show running-config interface adsl 2/1

This command displays the running-config for just the ADSL 2/1 interface. In the configuration shown in Figure 7-17, only two commands were entered: the snr-margin and the no shutdown commands. For this network, the default setting for training-mode was used.

Figure 7-17. show running-config interface adsl Command

The output from the show running-config interface adsl command will not include default settings that were not entered manually from the CLI or configured through the Web browser interface. To view all the settings for an ADSL interface—those entered manually and the default settings—include the verbose option, as shown below:

Syntax: show running-config interface adsl <slot>/<port> verbose

For example, to view all the settings for the ADSL 2/1 interface, enter:

ProCurve# show running-config interface adsl 2/1 verbose

Figure 7-18 shows the verbose output for the same interface shown in Figure 7-17.

interface adsl 2/1
  snr-margin 5
  no shutdown

Displays the commands entered for this interface


Figure 7-18. show running-config interface adsl verbose Command

Viewing the Status of the ATM Interface and Subinterface

To view the status of the ATM interface, enter the following command from the enable mode context:

Syntax: show interfaces atm <number>

Replace <number> with the unique number that you assigned the ATM interface. For the ATM 1 interface, enter:

ProCurve# show interfaces atm 1

Figure 7-19 shows the output from this command for a sample network. As you can see, this command displays the status of the interface and the number of virtual circuits active on the interface.

Figure 7-19. show interfaces atm Command

To view the status of the ATM subinterface, enter the following command from the enable mode context:

Syntax: show interfaces atm <number.subinterface number>

interface adsl 2/1
  description ""
  alias ""
  snr-margin 5
  training-mode Multi-Mode
  no shutdown

Displays all the settings for the interface, including defaults

atm 1 is UP, line protocol is UP
BW 896 Kbit/s
16 maximum active VCCs, 16 VCCs per VP, 1 current VCCs
Queueing strategy: Per VC Queueing
5 minute input rate 58120 bits/sec, 0 packets/sec
5 minute output rate 58200 bits/sec, 0 packets/sec
10007 packets input, 2520900 bytes
0 pkts discarded, 0 error pkts, 0 unknown protocol pkts
60024 cells received, 0 OAM cells received
10062 packets output, 2524900 bytes
0 tx pkts discarded, 0 tx error pkts
60123 cells sent, 0 OAM cells sent

Interface is up

Number of virtual circuits


Replace <number.subinterface number> with the unique number and subinterface number that you assigned the ATM interface. For the ATM 1.1 subinterface, enter:

ProCurve# show interfaces atm 1.1

Figure 7-20 shows the output from this command for a sample network. As you can see, this command displays the status of the interface and settings such as the ATM encapsulation, the IP address, and the MTU size. The interface shown in Figure 7-20 is configured to use RBE.

Figure 7-20. show interface atm Command for the Subinterface

To view the configuration settings entered for the ATM interface or subinterface, enter the appropriate command from the enable mode context:

Syntax: show running-config interface atm <number> [verbose]

or

Syntax: show running-config interface atm <number.subinterface number> [verbose]

To view all of the configuration settings for the ATM interface or subinterface, include the verbose option at the end of these commands.

atm 1.1 is Active
ATM Routed Bridge Encapsulation: IP
Ip address is 192.168.1.20, mask is 255.255.255.0
MTU is 1500 bytes
Encapsulation is AAL5
Encapsulation method is SNAP
VC tx ring limit: 2
Output Queue: 0/1/200/0 (size/highest/max total/drops)
10007 packets input, 2881152 bytes
10066 packets output, 2886240 bytes
60024 cells input, 60130 cells output
0 OAM cells input, 0 OAM cells output
AAL5 CRC errors : 0
AAL5 SAR Timeouts : 0
AAL5 Oversized SDUs : 0
AAL5 length violations : 0

Interface is up

ATM encapsulation

Interface is configured for RBE


Troubleshooting the ADSL Connection

When troubleshooting WAN connections, you should try to isolate the problem and determine if the problem is occurring on the physical interface or the logical interface. With an ADSL WAN connection, you should begin troubleshooting the ADSL interface.

Troubleshooting the ADSL Interface

Your first tool in troubleshooting is always the show command. To troubleshoot the ADSL interface, enter the following command from the enable mode context:

Syntax: show interfaces adsl <slot>/<port>

Replace <slot> with the slot where the ADSL interface is installed, and replace <port> with 1.

If the status of the physical interface is administratively down, you should activate it by entering no shutdown from the ADSL interface configuration mode context. If the physical interface is down, you must fix a problem on the Physical Layer level.

Identifying the Problem

You should first check the ADSL configurations. The interface readout indicates the training-mode standard next to “Link Status.” Verify that this standard matches that used by your service provider. If you have configured the interface to use a different training mode than that used by the service provider, the physical connection cannot be established.

In Figure 7-21, for example, the show interfaces adsl command shows that the Physical Layer and the Data Link Layer are down. In this case, the training mode set on the router did not match the training mode set on the DSLAM. The “Training” setting was reported as unknown.


Figure 7-21. show interfaces adsl Command

If the signal attenuation is high, you may want to adjust the SNR margin setting. The interface may have shut itself down because the line could not support the SNR margin at the limit you set. You may want to increase the SNR margin and see if the ADSL interface can establish and maintain the connection over time.

If the ADSL configuration settings appear to be correct, you should check the physical links for disconnected or bad cables. If you have another UTP ribbon cable, try using it to connect the ADSL interface to the wall jack.

debug interface adsl events Command

In addition to viewing information about the ADSL interface, you can view events related to the ADSL connection in real time. From the enable mode context, enter:

Syntax: debug interface adsl events

adsl 2/1 is DOWN, line protocol is DOWN
Link Status Training UNKNOWN
Line Type
Line Length 0 ft

                          Downstream   Upstream
Line Rate                 0 kbps       0 kbps
Current margin            0.0 dB       0.0 dB
Attenuation               0.0 dB       0.0 dB
Power                     0.0 dB       0.0 dB
Prev Rate                 0 kbps       0 kbps
Actual Delay              0 msecs      0 msecs
Loss of Framing Seconds   0            0
Loss of Signal Seconds    0            0
Loss of Power Seconds     0            0
Errored Seconds           0            0
Line Inits                0            N/A
Rx Blocks                 0            0
Tx Blocks                 0            0
Corrected Blocks          0            0
UncorrectedBlocks         0            0
Last Failure              NONE
Last Failure Time         N/A

DMT Bits Per Bin
000:

The training mode does not match the training mode used by the DSLAM


Figure 7-22 shows the debug commands for a connection that was established successfully.

Figure 7-22. Debug Output When a Connection Was Established Successfully

You can use the debug information to pinpoint when and why the line goes down.

Note: Debug commands are bandwidth intensive.

To turn off debugging, enter:

Syntax: no debug interface adsl events
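The following Python script is an added example, not part of the guide. It reads captured debug interface adsl events output in the format of Figure 7-22 and reports each down period: when it began, how long the interface took to come back up, and which DSL states were logged in between. The second log is constructed, a single ADSL interface per capture is assumed, and treating a repeated DSL state as a restarted training attempt is an assumption.

```python
import re
from datetime import datetime

# Debug output from Figure 7-22 of the guide, one event per line.
FIG_7_22 = """\
2005.08.09 19:02:40 ADSL.EVENTS Current DSL state: ATU_RIDLE
2005.08.09 19:02:40 INTERFACE_STATUS.adsl 2/1 changed state to down
2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_NEGO
2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_ACKX
2005.08.09 19:02:55 ADSL.EVENTS Current DSL state: ATU_RECT
2005.08.09 19:02:57 ADSL.EVENTS Current DSL state: ATU_RSEGUE1
2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RMSGS1
2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RRATES2
2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RREVERB5
2005.08.09 19:03:02 ADSL.EVENTS Current DSL state: ATU_RSHOWTIME
2005.08.09 19:03:02 INTERFACE_STATUS.adsl 2/1 changed state to up
"""

# Constructed continuation (not from the guide): the line drops again and
# training restarts without the interface coming back up.
CONSTRUCTED_TAIL = """\
2005.08.09 19:10:15 ADSL.EVENTS Current DSL state: ATU_RIDLE
2005.08.09 19:10:15 INTERFACE_STATUS.adsl 2/1 changed state to down
2005.08.09 19:10:29 ADSL.EVENTS Current DSL state: GDMT_NEGO
2005.08.09 19:10:44 ADSL.EVENTS Current DSL state: ATU_RIDLE
2005.08.09 19:10:58 ADSL.EVENTS Current DSL state: GDMT_NEGO
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:ADSL\.EVENTS Current DSL state: (?P<state>\S+)"
    r"|INTERFACE_STATUS\.(?P<iface>adsl \S+) changed state to (?P<status>up|down))$"
)


def outages(log):
    """Return one record per down period found in the debug output."""
    records, current, last_state = [], None, None
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an ADSL event or interface status line
        ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S")
        if m["state"]:
            last_state = m["state"]
            if current:
                current["states"].append(last_state)
        elif m["status"] == "down" and current is None:
            current = {"interface": m["iface"], "down_at": ts, "up_at": None,
                       "seconds": None, "state_at_drop": last_state, "states": []}
            records.append(current)
        elif m["status"] == "up" and current is not None:
            current["up_at"] = ts
            current["seconds"] = int((ts - current["down_at"]).total_seconds())
            current = None
    for rec in records:
        # Assumption: a DSL state logged more than once within one down
        # period means the training sequence started over.
        counts = [rec["states"].count(s) for s in set(rec["states"])]
        rec["restarts"] = max(counts, default=1) - 1
    return records


if __name__ == "__main__":
    for rec in outages(FIG_7_22 + CONSTRUCTED_TAIL):
        back = f"up after {rec['seconds']} s" if rec["up_at"] else "still down"
        print(rec["interface"], "down at", rec["down_at"], "-", back,
              "- restarts:", rec["restarts"], "- last state:",
              rec["states"][-1] if rec["states"] else rec["state_at_drop"])
```

A record whose up_at is empty at the end of the capture marks a line that never retrained, which is the case to take to the Physical Layer checks above.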

Troubleshooting the ATM Interface

If the physical interface is up but the line protocol is down, you will need to troubleshoot the logical interface. Use the show interfaces atm command to examine the status and configuration of the ATM interface. From the enable mode context, enter:

Syntax: show interfaces atm <number>

2005.08.09 19:02:40 ADSL.EVENTS Current DSL state: ATU_RIDLE
2005.08.09 19:02:40 INTERFACE_STATUS.adsl 2/1 changed state to down
2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_NEGO
2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_ACKX
2005.08.09 19:02:55 ADSL.EVENTS Current DSL state: ATU_RECT
2005.08.09 19:02:57 ADSL.EVENTS Current DSL state: ATU_RSEGUE1
2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RMSGS1
2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RRATES2
2005.08.09 19:03:01 ADSL.EVENTS Current DSL state: ATU_RREVERB5
2005.08.09 19:03:02 ADSL.EVENTS Current DSL state: ATU_RSHOWTIME
2005.08.09 19:03:02 INTERFACE_STATUS.adsl 2/1 changed state to up

Negotiating to use the G.DMT training mode

Connection is established


The output from this command shows the status of the logical interface as well as the information shown in Table 7-7.

Table 7-7. Information Displayed by the show interfaces atm Command

The readout also displays the number of frames received and discarded, and it lists errors. Check the number of OAM cells sent to look for problems in the end-to-end ATM connection.

Troubleshooting the ATM Subinterface

From the enable mode context, enter the appropriate show interfaces command to troubleshoot specific ATM sublinks:

Syntax: show interfaces atm <number.subinterface number>

Examine the subinterface for problems across a particular connection. For example, a subinterface can be Active or Inactive, depending on whether this virtual end-to-end link is currently active. An inactive ATM connection can be caused by a failed ADSL line (in which case, you would need to resolve Physical Layer problems), by a misconfigured VPI/VCI, or by a problem at the remote endpoint.

You can view information such as the encapsulation method (MUX for multiplexed circuits or SNAP for circuits that use LLC/SNAP protocol). You can also view output queues and bytes in and out. Check OAM cells to diagnose problems with the end-to-end connection.

debug atm oam Command

You can use the debug atm oam command to display OAM frames for a PVC, identified by an ATM virtual circuit descriptor (VCD).

Information                   Meaning
<number> maximum active VCC   displays the maximum number of virtual channels, or connection paths, this interface can carry over the bandwidth allocated to it
<number> VCC per VP           reports how many of these channels can be linked through a single virtual path
<number> current VCCs         reports how many virtual circuits are currently established on this interface


Syntax: debug atm oam <interface number.subinterface number> [loopback {end-to-end | segment} {<LLID>}]

Replace <interface number.subinterface number> with the subinterface ID for the PVC. This command displays the OAM frames for a specific PVC.

Include the loopback option to configure an OAM loopback. You have two choices when configuring a loopback: end-to-end or segment.

You can optionally replace <LLID> with a 16-byte hexadecimal OAM loopback location ID (LLID).

To disable the display of OAM frames, use the no form of the command you entered.

Troubleshooting PPPoE

If the PPPoE negotiation fails and a PPPoE session is not established, you must first verify that the ADSL interface, the ATM interface, and ATM subinterface are up. You should check the status of each interface, and if any one of the interfaces is down, follow the steps for troubleshooting that particular interface.

Troubleshooting the PPPoE Discovery Process

After you ensure that the ADSL interface, the ATM interface, and the ATM subinterface are up, you should check the status of the PPP interface that is bound to the ATM subinterface. From the enable mode context, enter:

Syntax: show interfaces ppp <interface number>

If the other interfaces are up and the PPP interface is down, either the PPPoE discovery process failed, or the PPP link establishment process failed. You should begin to focus on the PPPoE negotiation process and determine where the failure is occurring. To begin troubleshooting the process, move to the enable mode context and enter:

Syntax: debug pppoe client

If you included the pppoe-client option when you entered the command to bind the ATM subinterface to the PPP interface, the PPPoE client will continually try to establish a PPPoE session, and debug messages will be displayed at the CLI. You can compare these messages to the PPPoE discovery process to identify the cause of the problem.


For example, if the PPPoE client keeps sending PADI frames but does not receive any PADO frames, you know that for some reason the access concentrator is not responding. If the ADSL interface, the ATM interface, and the ATM subinterface are up, you should call your service provider and report the problem. The service provider will need to ensure that the access concentrator is up and the configuration is correct.

Figure 7-23 shows other possible debug messages that may occur. In this example, the PPPoE client on the ProCurve Secure Router went through the entire negotiation process but could not “open PPPoE session.” The cause of this problem was a configuration problem on the access concentrator.

Figure 7-23. Debug Messages for the PPPoE Client

Note: Debug commands are processor intensive.

Stopping the Debug Messages. Enter one of the following commands from the enable mode context to end the debug messages:

Syntax: no debug pppoe client

or

Syntax: undebug all

After successfully negotiating a PPPoE session, the ProCurve Secure Router begins the process of establishing a PPP session. For information about troubleshooting this process, see “Troubleshooting the PPP Link Establishment Process” on page 7-52.

show pppoe Command

To view all of the PPPoE settings, enter the following command from the enable mode context:

Syntax: show pppoe

2005.07.20 17:05:10 PPPOE.CLIENT Sending PADR: Xid = 0xe34b0254
2005.07.20 17:05:10 PPPOE.CLIENT Processing PADS Message
2005.07.20 17:05:10 PPPOE.CLIENT PADS: Session Id Rcvd = 0
2005.07.20 17:05:10 PPPOE.CLIENT PADS: Access Concentrator Error: AC: Cannot open PPPoE session.

Negotiation failed at final step


Figure 7-24 shows the output from this command.

Figure 7-24. Viewing PPPoE Settings

Clear a PPPoE Connection

If you are having problems with a PPPoE connection or if you need to change some configurations for the connection, you can clear the connection. From the enable mode context, enter:

Syntax: clear pppoe <interface id>

Replace <interface id> with the number of the PPP interface that you bound to the ATM subinterface. For example, if you bound the PPP 3 interface to the ATM subinterface, enter:

ProCurve# clear pppoe 3

debug pppoe client Command

You can display all events related to the PPPoE client in real-time. From the enable mode context, enter:

Syntax: debug pppoe client

Troubleshooting the PPP Link Establishment Process

If you are using PPPoE or PPPoA, you must ensure that the PPP session is established. From the enable mode context, enter:

Syntax: show interfaces ppp <interface number>

ppp 1
Outgoing Interface: eth 0/1
Outgoing Interface MAC Address: 00:A0:C8:00:85:20
Access-Concentrator Name Requested: FIRST VALID
Access-Concentrator Name Received: 13021109813703-LRVLGSROS20W_IFITL
Access-Concentrator MAC Address: 00:10:67:00:1D:B8
Session Id: 64508
Service Name Requested: ANY
Service Name Available:
PPPoE Client State: Bound (3)
Redial retries: unlimited
Redial delay: 10 seconds


When you view the status of the PPP interface, you must ensure that both the interface and the Network Layer protocol are up. For example, Figure 7-25 shows a PPP interface that is up. However, the user cannot send traffic over the link. If you look more closely at Figure 7-25, you can see the reason: the Network Layer protocol—IP—is down.

Figure 7-25. The PPP interface is up, but IP is down.

To determine why IP is down, use the debug ppp commands. Table 7-8 lists the debug commands you can use to monitor PPP interfaces.

Table 7-8. debug ppp Commands

ppp 1 is UP
Configuration:
Keep-alive is set (10 sec.)
No multilink
MTU = 1492
No authentication
IP is configured 192.168.1.20 255.255.255.0
Link thru atm 1.1 is UP; LCP state is OPENED, negotiated MTU is 1492
Receive: bytes=3596, pkts=442, errors=0
Transmit: bytes=3508, pkts=292, errors=0
5 minute input rate 624 bits/sec, 1 packets/sec
5 minute output rate 496 bits/sec, 1 packets/sec
Bundle information
Queueing method: fifo
HDLC tx ring limit: 0
Output queue: 0/1/200/0 (size/highest/max total/drops)
IP is DOWN, IPCP state is REQSENT
LLDPCP State is REQ SENT

First, make sure the interface is up

Next, ensure that IP is up

Command                    Explanation
debug ppp verbose          displays detailed information about all PPP frames as they arrive on the PPP interface
debug ppp errors           displays error messages relating to PPP
debug ppp negotiations     displays events relating to link negotiation; shows if link protocols are able to open; and reveals when negotiations between two PPP peers fail
debug ppp authentication   displays real-time messages relating to PAP and CHAP
undebug all                turns off debug messages


Quick Start

This section provides the commands you will need to quickly configure an Asymmetric Digital Subscriber Line (ADSL) WAN connection on the ProCurve Secure Router. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 7-1 to locate the section and page number that contains the explanation you need.

Configure the Physical Layer: the ADSL Interface

Before you begin to configure the ADSL interface, you should know the settings that you must enter for the following:

■ signal-to-noise ratio (SNR) margin

■ training mode

Your service provider should tell you the settings you need to enter.

To configure the ADSL interface, complete these steps:

1. Use ribbon cabling with RJ-11 connectors to connect the ADSL port on the ProCurve Secure Router to the wall jack provided by your service provider.

2. Establish a terminal console session or Telnet session with the ProCurve Secure Router.

ProCurve>

3. Move to the enable mode context. If you have configured a password for the enable mode context, enter that password when you are prompted to do so.

ProCurve> enable
Password:

4. Move to the global configuration mode context.

ProCurve# configure terminal


5. Access the ADSL interface configuration mode context.

Syntax: interface adsl <slot>/1

For example, if the ADSL module is in slot two, enter:

ProCurve(config)# interface adsl 2/1

6. Activate the interface.

ProCurve(config-adsl 2/1)# no shutdown

7. Set the SNR margin.

Syntax: snr-margin <margin>

Replace <margin> with 1-15, which refers to decibels. For example, your service provider may tell you to set the SNR margin to 6.

ProCurve(config-adsl 2/1)# snr-margin 6

8. Define the training mode. The default setting is Multi-Mode. For a list of settings supported by the ADSL2+ Annex A module and the ADSL2+ Annex B module, see Table 7-9 on page 7-56.

Syntax: training-mode [ADSL2 | ADSL2+ | G.DMT | G.LITE | Multi-Mode | READSL2 | T1.413]

ProCurve(config-adsl 2/1)# training-mode multi-mode

Note: If you want to use a default setting, it is not necessary to enter the command.

9. Manually retrain the interface.

ProCurve(config-adsl 2/1)# retrain

Retraining may take a minute. The ADSL interface will go down and then back up.

10. View the status of the ADSL interface.

ProCurve(config-adsl 2/1)# do show interface adsl 2/1

Note: The do command enables you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

Table 7-9. Training Modes Supported by the ProCurve Secure Router

Configure the Data Link Layer: the ATM Interface and Subinterface

Before you configure the Data Link Layer for the ADSL connection, you must know the settings that you should enter for the following:

■ Data Link Layer protocol

• Asynchronous Transfer Mode (ATM) only

• point-to-point protocol (PPP) over Ethernet (PPPoE)

• PPP over ATM (PPPoA)

• routed bridged encapsulation (RBE)

■ virtual path identifier/virtual channel identifier (VPI/VCI)

■ ATM encapsulation

■ IP address

• static IP address

• unnumbered interface

• IP address negotiated with the service provider’s router

Your service provider should tell you which settings to enter.

Configure ATM Only

1. From the global configuration mode context, create the ATM interface.

Syntax: interface <interface> <number>

Command Option             ADSL2+ Annex A   ADSL2+ Annex B
training-mode ADSL2        Yes              Yes
training-mode ADSL2+       Yes              Yes
training-mode G.DMT        Yes              Yes
training-mode G.LITE       Yes              No
training-mode Multi-Mode   Yes              Yes
training-mode READSL2      Yes              No
training-mode T1.413       Yes              No


Replace <interface> with atm, and replace <number> with a unique number for this ADSL connection. For example, to create ATM 1 interface, enter:

ProCurve(config)# interface atm 1

2. Activate the interface.

ProCurve(config-atm 1)# no shutdown

3. Create a subinterface for each permanent virtual circuit (PVC). ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.

Syntax: interface atm <number.sublink number>

ProCurve(config-atm 1)# interface atm 1.1

4. Configure a VPI/VCI for the subinterface.

Syntax: pvc <vpi>/<vci>

For example, if your service provider assigns you a VPI/VCI of 0/33, enter:

ProCurve(config-atm 1.1)# pvc 0/33

5. Define the ATM encapsulation. The default setting is aal5snap.

Syntax: encapsulation aal5snap

or

Syntax: encapsulation aal5mux [ip | ppp]

For example, to set the encapsulation to multiplexed AAL5 that encapsulates the packet at the IP header, enter:

ProCurve(config-atm 1.1)# encapsulation aal5mux ip

6. Configure an IP address.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, to set the IP address to 10.1.1.1 /24, enter:

ProCurve(config-atm 1.1)# ip address 10.1.1.1 /24

7. Bind the physical interface—the ADSL interface—to the logical interface.

Syntax: bind <number> <physical interface> <slot>/<port> <logical interface> <logical interface number>

ProCurve(config-atm 1)# bind 1 adsl 2/1 atm 1

8. View the status of the ATM interface and subinterface.

ProCurve(config-atm 1)# do show interface atm 1

ProCurve(config-atm 1)# do show interface atm 1.1

Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

Configure RBE

Your ADSL service provider may ask you to configure the ATM subinterface to use routed RBE, which routes IP over bridged Ethernet traffic. RBE is sometimes referred to as “half bridging,” because it provides some of the advantages of bridging and some of the advantages of routing.

To use RBE, complete the steps for configuring ATM as outlined in “Configure ATM Only” on page 7-56. When you configure the ATM subinterface, you need to enter one additional command:

ProCurve(config-atm 1.1)# atm routed-bridged ip

When you view the running-config, this command should be listed under the ATM subinterface, as shown in Figure 7-26.

Figure 7-26. Viewing the Running-config for an ADSL Connection Using RBE

interface adsl 2/1
  snr-margin 6
  training-mode G.DMT
  no shutdown

interface atm 1 point-to-point
  no shutdown
  bind 2 adsl 2/1 atm 1

interface atm 1.1 point-to-point
  no shutdown
  pvc 0/33
  encapsulation aal5snap
  atm routed-bridged ip
  ip address 10.1.1.1 255.255.255.252
  bandwidth 896

RBE is configured on the ATM subinterface.


Configure PPPoE

If your service provider wants you to configure PPPoE for your ADSL connection, complete these steps:

1. Create the ATM interface.

Syntax: interface atm <number>

ProCurve(config)# interface atm 1

2. Activate the interface.

ProCurve(config-atm 1)# no shutdown

3. Create a subinterface for each PVC. ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.

Syntax: interface atm <number.sublink number>

ProCurve(config-atm 1)# interface atm 1.1

4. Configure a VPI/VCI for the subinterface. For example, if your service provider assigns you a VPI/VCI of 0/33, you would enter:

Syntax: pvc <vpi>/<vci>

ProCurve(config-atm 1.1)# pvc 0/33

5. Define the ATM encapsulation. For PPPoE, you must set the encapsulation at aal5snap or aal5mux ppp. The default setting is aal5snap.

ProCurve(config-atm 1.1)# encapsulation aal5snap

Syntax: encapsulation aal5snap

or

Syntax: encapsulation aal5mux [ip | ppp]

6. Bind the physical interface—the ADSL interface—to the logical interface.

Syntax: bind <number> <physical interface> <slot>/<port> <logical interface> <logical interface number>

ProCurve(config-atm 1)# bind 1 adsl 2/1 atm 1

7. View the status of the ATM interface and subinterface.

ProCurve(config-atm 1)# do show interface atm 1

ProCurve(config-atm 1)# do show interface atm 1.1

Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

8. Create the PPP interface.

Syntax: interface ppp <number>

ProCurve(config)# interface ppp 1

9. Configure a static IP address or configure the interface to negotiate the IP address with the service provider’s router.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

or

Syntax: ip address negotiated

For example, to assign the PPP interface a static IP address of 10.1.1.1 /24, enter:

ProCurve(config-ppp 1)# ip address 10.1.1.1 /24

10. Bind the PPP interface to the ATM subinterface.

Syntax: bind <bind number> atm <number.subinterface number> ppp <number> pppoe-client

ProCurve(config-ppp 1)# bind 2 atm 1.1 ppp 1 pppoe-client

11. View the status of the PPP interface.

ProCurve(config-ppp 1)# do show interface ppp 1

12. View the running-config to ensure that you have entered two bind commands: one to bind the ADSL interface to the ATM interface and one to bind the ATM subinterface to the PPP interface. (See Figure 7-27.) Enter:

ProCurve(config-ppp 1)# do show running-config


Figure 7-27. Using the show running-config Command to Check the Two bind Commands Required for PPPoE

Configure PPPoA

If your service provider wants you to configure PPPoA for your ADSL connection, complete these steps:

1. Create the ATM interface.

Syntax: interface atm <number>

ProCurve(config)# interface atm 1

2. Activate the interface.

ProCurve(config-atm 1)# no shutdown

3. Create a subinterface for each PVC. ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.

Syntax: interface atm <number.sublink number>

ProCurve(config-atm 1)# interface atm 1.1

4. Configure a VPI/VCI for the subinterface. For example, if your service provider assigns you a VPI/VCI of 0/33, you would enter:

Syntax: pvc <vpi>/<vci>

ProCurve(config-atm 1.1)# pvc 0/33

interface adsl 2/1
  snr-margin 6
  no shutdown
!
interface atm 1 point-to-point
  no shutdown
  bind 3 adsl 2/1 atm 1
!
interface atm 1.1 point-to-point
  no shutdown
  pvc 0/35
!
interface ppp 3
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 4 atm 1.1 ppp 3 pppoe-client

Bind the ADSL interface to the ATM interface

Bind the ATM subinterface to the PPP interface

5. Define the ATM encapsulation. For PPPoA, you must set the encapsulation at aal5snap or aal5mux ppp. The default setting is aal5snap.

Syntax: encapsulation aal5snap

or

Syntax: encapsulation aal5mux [ip | ppp]

For example, to use aal5snap, enter:

ProCurve(config-atm 1.1)# encapsulation aal5snap

6. Bind the physical interface—the ADSL interface—to the logical interface.

Syntax: bind <number> <physical interface> <slot>/<port> <logical interface> <logical interface number>

ProCurve(config-atm 1)# bind 1 adsl 2/1 atm 1

7. View the status of the ATM interface and subinterface.

ProCurve(config-atm 1)# do show interface atm 1

ProCurve(config-atm 1)# do show interface atm 1.1

Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context).

8. Create the PPP interface.

Syntax: interface ppp <number>

ProCurve(config)# interface ppp 1

9. Configure an IP address or configure the interface to negotiate the IP address with the service provider’s router.

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

or

Syntax: ip address negotiated

ProCurve(config-ppp 1)# ip address 10.1.1.1 /24

10. Bind the PPP interface to the ATM subinterface.

Syntax: bind <bind number> atm <number.subinterface number> ppp <number>

ProCurve(config-ppp 1)# bind 2 atm 1.1 ppp 1

11. View the status of the PPP interface.

ProCurve(config-ppp 1)# do show interface ppp 1

View the running-config to ensure that you have entered two bind commands: one to bind the ADSL interface to the ATM interface and one to bind the ATM subinterface to the PPP interface. (See Figure 7-28.) Enter:

ProCurve(config-ppp 1)# do show running-config

Figure 7-28. Using the show running-config Command to Check the Two bind Commands Required for PPPoA

interface adsl 2/1
  snr-margin 5
  no shutdown
!
interface atm 1 point-to-point
  no shutdown
  bind 1 adsl 2/1 atm 1
!
interface atm 1.1 point-to-point
  no shutdown
  pvc 0/33
!
interface ppp 1
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 2 atm 1.1 ppp 1

Callouts: bind 1 adsl 2/1 atm 1 binds the ADSL interface to the ATM interface; bind 2 atm 1.1 ppp 1 binds the ATM subinterface to the PPP interface.
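The running-config check described above (two bind commands that chain ADSL to ATM to PPP) can be automated against saved show running-config output. This Python is an added example, not part of the guide; the function names are hypothetical and the embedded sample is constructed from Figure 7-28.

```python
import re

# Constructed sample modelled on Figure 7-28 (PPPoA running-config excerpt).
SAMPLE = """\
interface adsl 2/1
  snr-margin 5
  no shutdown
!
interface atm 1 point-to-point
  no shutdown
  bind 1 adsl 2/1 atm 1
!
interface atm 1.1 point-to-point
  no shutdown
  pvc 0/33
!
interface ppp 1
  ip address 10.1.1.1 255.255.255.252
  no shutdown
  bind 2 atm 1.1 ppp 1
"""

# bind <number> <source type> <source id> <target type> <target id>
BIND_RE = re.compile(r"^bind\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Return ({'atm 1.1': [subcommands], ...}, [(src type, src id, dst type, dst id)])."""
    sections, binds, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] == "interface" and len(parts) >= 3:
            current = f"{parts[1]} {parts[2]}"
            sections[current] = []
            continue
        match = BIND_RE.match(line)
        if match:
            binds.append(match.groups()[1:])
        elif current is not None:
            sections[current].append(line)
    return sections, binds


def check_pppoa(text):
    """Return a list of problems; an empty list means the bind chain is complete."""
    sections, binds = parse_config(text)
    problems = []
    adsl_to_atm = [(b[1], b[3]) for b in binds if b[0] == "adsl" and b[2] == "atm"]
    atm_to_ppp = [(b[1], b[3]) for b in binds if b[0] == "atm" and b[2] == "ppp"]
    if not adsl_to_atm:
        problems.append("no bind from an ADSL interface to an ATM interface")
    if not atm_to_ppp:
        problems.append("no bind from an ATM subinterface to a PPP interface")
    for port, atm in adsl_to_atm:
        for name in (f"adsl {port}", f"atm {atm}"):
            if name not in sections:
                problems.append(f"bind references undefined interface {name}")
    bound_atm = {atm for _, atm in adsl_to_atm}
    for sub, ppp in atm_to_ppp:
        parent = sub.split(".")[0]
        if parent not in bound_atm:
            problems.append(f"atm {sub}: parent atm {parent} is not bound to an ADSL interface")
        sub_cmds = sections.get(f"atm {sub}")
        if sub_cmds is None:
            problems.append(f"bind references undefined interface atm {sub}")
        elif not any(c.startswith("pvc ") for c in sub_cmds):
            problems.append(f"atm {sub}: no pvc <vpi>/<vci> configured")
        ppp_cmds = sections.get(f"ppp {ppp}")
        if ppp_cmds is None:
            problems.append(f"bind references undefined interface ppp {ppp}")
        elif not any(c.startswith("ip address ") for c in ppp_cmds):
            problems.append(f"ppp {ppp}: no ip address configured")
    return problems


if __name__ == "__main__":
    print(check_pppoa(SAMPLE) or "both bind commands present and consistent")
```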

8

Configuring Demand Routing for Primary ISDN Modules

Contents

Overview of ISDN Connections
Elements of an ISDN Connection
The Local Loop
ISDN Interfaces: Connecting Equipment to the ISDN Network
Line Coding for ISDN BRI Connections
ISDN Data Link Layer Protocols
LAPD
Q.931
Call Process
ProCurve Secure Router ISDN Modules
Primary ISDN Modules
Using Demand Routing for ISDN Connections
Define the Traffic That Triggers the Connection
Specifying a Protocol
Defining the Source and Destination Addresses
Configuring the Demand Interface
Creating the Demand Interface
Configuring an IP Address
Matching the Interesting Traffic
Specifying the connect-mode Option
Associating a Resource Pool with the Demand Interface
Defining the Connect Sequence
Specify the Order in Which Connect Sequences Are Used
Configure the Number of Connect Sequence Attempts
Configure Settings for the Recovery State
Understanding How the connect-sequence Commands Work
Configuring the idle-timeout Option
Configuring the fast-idle Option
Defining the caller-number Option
Defining the called-number Option
Configuring the Hold Queue
Configuring the BRI Interface
Accessing the BRI Interface
Configuring the ISDN Signaling (Switch) Type
Configuring a SPID and LDN for ISDN BRI U Modules
Configuring an LDN for BRI S/T Modules
Activating the Interface
Caller ID Options
Configuring the ISDN Group
Creating an ISDN Group
Assigning BRI Interfaces to the ISDN Group
Assigning the ISDN Group to a Resource Pool
Configuring the incoming-accept-number
Configuring a Static Route for the Demand Interface
Example of a Successful Demand Interface Call
MLPPP: Increasing Bandwidth
Configuring MLPPP for Incoming Calls
Configuring MLPPP for Demand Interfaces
Example of MLPPP with Demand Routing
Configuring PPP Authentication for an ISDN Connection
Enabling PPP Authentication for All Demand Interfaces
Configuring PAP Authentication for a Demand Interface
Configuring CHAP Authentication for a Demand Interface
Configuring the Username and Password That the Router Expects to Receive
Configuring Peer IP Address
Example of Demand Routing with PAP Authentication
Setting the MTU for Demand Interfaces
Configuring an ISDN Template
Using Call Types and Patterns
Default ISDN Template
Viewing Information about Demand Routing
Viewing the Status of the Demand Interface
Viewing a Summary of Information about the Demand Interface
Viewing the Status of the BRI Interface
Viewing Demand Sessions
Viewing the Resource Pool
Show the Running-Config for the Demand Interface
Troubleshooting Demand Routing
Checking the Demand Interface
Checking the BRI Interface
Checking the ACL That Defines the Interesting Traffic
Troubleshooting the ISDN Connection
Test Calls
Line Maintenance
Troubleshooting with Loopbacks
Troubleshooting PPP for the ISDN Connection
Quick Start

Overview of ISDN Connections

Integrated Services Digital Network (ISDN) connections are point-to-point dial-up connections that can handle both voice and data over a single line. ISDN provides WAN connections at a lower cost than dedicated WAN connections such as E1- or T1-carrier lines. Like telephone calls, ISDN connections incur costs only when the connection is established.

To establish and maintain the connection through the public carrier network, ISDN connections are divided into two types of channels:

■ bearer (B)

■ data (D)

B channels carry voice and data over the connection and transmit data at 56 or 64 Kbps. The D channel maintains the connection and transmits the signaling and call-control information at 16 or 64 Kbps.

Two types of ISDN connections are available:

■ ISDN Basic Rate Interface (BRI)

■ ISDN Primary Rate Interface (PRI)

ISDN BRI provides two 64-Kbps B channels and one 16-Kbps D channel. If you bond or multilink the two B channels in an ISDN BRI connection, the total transmission rate is 128 Kbps. (Multilinking the two channels is discussed in more detail later in this chapter.)

PRI ISDN, on the other hand, provides 23 B channels and 1 D channel in North America and Japan and 30 B channels and 1 D channel in Europe, Asia (except Japan), Australia, and South America. (When PRI includes 30 B channels, channel 0 is used to maintain synchronization and is not counted as either a B or D channel.) The transmission rates for PRI ISDN match the transmission rates for an E1- or T1-carrier line. In North America and Japan, PRI ISDN provides 1.544 Mbps. In other areas, PRI ISDN provides 2.048 Mbps.

In an ISDN connection, the B channels are treated independently. They can be used for simultaneous voice and data; in other words, you can talk on the phone and surf the Web at the same time. For example, if you have an ISDN BRI connection, you can use both channels for data only, or you can use each channel to connect to a different remote office.

The ProCurve Secure Router currently supports ISDN BRI connections. Consequently, this chapter focuses on ISDN BRI.

Elements of an ISDN Connection

All WAN connections, including ISDN lines, consist of three basic elements:

■ the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection

■ electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media

■ Data Link Layer protocols, which provide logical flow control for transmitting data between the two WAN peers (devices at either end of a connection)

Physical transmission media and electrical specifications are part of the Physical Layer (Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (Layer 2). (See Figure 8-1.)

Figure 8-1. Physical and Data Link Layers of the OSI Model

(Figure 8-1 labels: OSI layers 1 Physical, 2 Data Link, 3 Network, 4 Transport, 5 Session, 6 Presentation, 7 Application; protocols shown: PPP, HDLC, ATM, Frame Relay, ISDN.)

When you configure an ISDN WAN connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the Logical Layer).

The Local Loop

Like other WAN technologies, ISDN connections are provided through public carrier networks. When you lease an ISDN line, your company’s equipment must be connected to your public carrier’s nearest central office (CO). All of the telecommunications infrastructure—such as repeaters, switches, cable, and connectors—that connects a subscriber’s premises to the CO is referred to as the local loop.

Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Copper wire has a limited signal-carrying capacity, making local loops that use copper wire the slowest, least capable component of a WAN connection. ISDN, like DSL, was designed to maximize the limited capability of local loop copper wiring.

ISDN provides integrated voice and data services by means of a fully digital local loop. ISDN is a local-loop-only technology. When ISDN traffic reaches the public carrier’s nearest CO, it is converted for transport through the existing public carrier infrastructure.

On the local loop, ISDN requires at least Category 3 (CAT 3) unshielded twisted pair (UTP) cabling. The number of wires required depends on the ISDN service: ISDN BRI requires two wires, or one twisted pair. PRI ISDN requires four wires, or two twisted pairs.

The local loop is divided into two sections by a line of demarcation (demarc), which separates your company’s wiring and equipment from the public carrier’s wiring and equipment. (See Figure 8-2.) As a general rule, your company owns, operates, and maintains the wiring and equipment on its side of the demarc, and the public carrier owns, operates, and maintains the wiring and equipment on its side of the demarc. For ISDN connections, the position of the demarc varies, depending on which ISDN equipment the public carrier provides.

Figure 8-2. ISDN Network

(Figure 8-2 labels: Public Carrier’s CO, ISDN Switch, Repeater, Wire span, Network Interface Unit (Smart Jack), Demarc (North America), Demarc (outside North America), NT1, NT2, TE1 (Router), TE2, Terminal adapter, U interface, T interface, S interface, R interface.)

In addition to wire and the demarc, the local loop for an ISDN connection includes:

■ ISDN switch—At the public carrier’s CO, the ISDN switch multiplexes and de-multiplexes channels on the twisted pair wiring of the local loop. It provides the physical and electrical termination for the ISDN line and then forwards the data onto the public carrier’s network.

■ Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. Because ISDN lines use 2B1Q coding, which operates at a lower frequency range than T1 or E1 encoding, repeaters are only required every 5.49 km (18,000 feet). In contrast, T1 or E1 encoding requires a repeater approximately every 1.6 km (1 mile or 5,280 feet).

■ Network Interface Unit (NIU)—The NIU automatically maintains the WAN connection and enables public carrier employees to perform simple management tasks from a remote location. The NIU is usually located outside the subscriber’s premises so that public carrier employees can always access it. (The NIU is commonly referred to as the “smart jack” in North America.)

■ Network Termination (NT) 1—The NT1 provides the physical and electrical termination for the ISDN line. It monitors the line, maintains timing, and provides power to the ISDN line. In Europe and Asia, public carriers supply the NT1. In North America, however, the subscriber provides the NT1. In fact, many ISDN vendors are now building the NT1 directly into ISDN equipment such as routers.

■ NT2—PRI ISDN also requires an NT2, which provides switching functions and data concentration for managing traffic across multiple B channels. In many regions, the NT1 and NT2 are combined into a single device, which is called an NT12 (NT-one-two) or just NT.

■ Terminal equipment (TE) 1—TE1 devices are ISDN-ready devices and can be connected directly to the NT1 or the NT2. TE1 devices include routers, digital phones, and digital fax machines.

■ TE2—TE2 devices do not support ISDN and cannot connect directly to an ISDN network. TE2 devices require a terminal adapter (TA) to convert the analog signals produced by the TE2 device into digital signals that can be transmitted over an ISDN connection. TE2 devices include analog telephones and analog fax machines.

■ Terminal adapter (TA)—A TA allows you to connect a TE2 device to an ISDN network.

ISDN Interfaces: Connecting Equipment to the ISDN Network

ISDN supports both RJ-11 and RJ-45 connectors. Public carriers typically install an RJ-45 jack to connect the subscriber’s premises to the local loop.

You can add equipment at four interface points on the subscriber’s side of an ISDN network:

■ U interface

■ T interface

■ S interface

■ R interface

These interfaces define the mechanical connectors, the electrical signals, and the protocols used for connections between the ISDN equipment.

U Interface. The U interface provides the connection between the local loop and NT1. For ISDN BRI, the U interface is one twisted pair. For PRI ISDN, the U interface is two twisted pairs.

Because public carriers in Europe and Asia provide the NT1, these regions do not use the U interface. In regions that support the U interface, there can be only one U interface on the ISDN network.

T Interface. The T interface is used to connect the NT1 to the NT2. This interface is a four-wire connection, or two twisted pairs. Each pair handles the traffic sent in one direction.

In the United States and Canada, the T interface—along with the NT1 and NT2—is often built into an ISDN device such as a router. In other regions, the T interface is the first interface at the subscriber’s premises.

S Interface. The S interface is used to connect the NT2 or the NT1 to the TE1 or TA. This interface is a four-wire connection, or two twisted pairs.

On an ISDN BRI connection, all of the TEs or TAs connected to the S interface must take turns transmitting traffic. Because the S interface is a shared medium, the TEs and TAs must be able to detect collisions. PRI ISDN does not support multiple TEs at the S interface.

The S and T interfaces are often combined as the S/T interface.

R Interface. The R interface is used to connect a TE2 device to the TA. Because there are no standards for the R interface, the vendor providing the TA determines how the TA connects to and interacts with the TE2.

Line Coding for ISDN BRI Connections

To provide higher transmission rates on ordinary telephone wire, ISDN BRI uses a compressed encoding scheme called 2B1Q. Essentially, this transmission scheme uses four signal levels, each of which encodes one quaternary symbol. A single quaternary symbol, in turn, represents two bits.

The two encoded bits can have up to four different values, each expressed as a different voltage level on the transmission line, as shown in Table 8-1.

Table 8-1. 2B1Q Compressed Line Encoding Scheme

Binary    Quaternary Symbol    Line Voltage
00        -3                   -2.5
01        -1                   -0.833
10        +3                   +2.5
11        +1                   +0.833

Note that zero voltage is not a valid signal level.

In addition to compressing data, 2B1Q operates in full duplex mode, allowing data to be transmitted simultaneously in both directions on the local loop.

ISDN Data Link Layer Protocols

As mentioned earlier, the signaling information used to create and maintain ISDN connections is transmitted over the D channel. The ITU Telecommunications Standardization Sector (ITU-T) has defined two protocols for ISDN signaling. These protocols operate at Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model:

■ Q.921, which is also called Link Access Procedure for D channel (LAPD)

■ Q.931

ISDN also supports the following B-channel Data Link Layer protocols:

■ Point-to-Point (PPP)

■ High-Level Data Link Control (HDLC)

■ Frame Relay

LAPD

LAPD establishes the ISDN connection between two endpoints. Exchanged over the D channel, LAPD frames provide the addressing for the dial-up connection, including the service access point identifier (SAPI) and the terminal endpoint identifier (TEI). The SAPI identifies the ISDN service associated with the signaling frame, and the TEI identifies the TE on the subscriber’s ISDN line. In addition, LAPD provides error checking and call control.

LAPD frames consist of six main fields. (See Figure 8-3).

Figure 8-3. LAPD Frame Format

(Figure 8-3 labels: LAPD frame structure: Flag, Address field, Control field, Information, FCS, Flag. Address field, bits 8 to 1: SAPI, C/R, EA1; TEI, EA2.)

Flag. The flag field is one octet and always has a value of 0x7E.

Address Field. The address field is two octets: In the first octet, the first six bits define the SAPI. The seventh bit is the Command/Response bit (C/R), which designates a command frame or a response frame. The LAPD frame is a command frame:

■ when the LAPD frame is from the user and the C/R bit is set to one

■ when the frame is from the network and the C/R bit is set to zero

Other values designate a response frame. The eighth bit is the first address extension bit and is always set to zero.

In the second octet, the first seven bits designate the connection’s TEI. TEIs can be assigned statically or dynamically. A statically assigned TEI has a value from 0 to 63; dynamically assigned TEIs range from 64 to 126. A value of 127 designates a broadcast connection meant for all TEs. The eighth bit is the second address extension bit and is always set to one.

Control Field. The third field of an LAPD frame is the control field, which can be either one or two octets. This field identifies the type of frame and contains sequence numbers, control features, and error tracking. The control field identifies the frame as one of the following:

■ supervisory frame

■ unnumbered frame

■ information frame

Information Field. The fourth field of an LAPD frame varies in length and contains the frame’s data payload and information. The information field often contains encapsulated Q.931 packets.

FCS Field. The fifth field is the frame check sequence (FCS), which contains a CRC checksum of the address, control, and payload fields.

Flag. The sixth field is a one-octet flag, which signals the end of the frame.
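The address, control, and FCS fields described above can be decoded with a short parser; this Python is an added example, not code from the guide, and its function names and sample frame are constructed. It assumes bit 8 in Figure 8-3 is the most significant bit, a two-octet FCS computed with the HDLC/X.25 CRC-16 and sent low octet first, two-octet control fields for information and supervisory frames, and octets that have already had HDLC bit stuffing removed.

```python
FLAG = 0x7E  # flag octet value stated in the text


def fcs16(data: bytes) -> int:
    """CRC-16 with HDLC/X.25 parameters (assumed here for the LAPD FCS)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def classify_tei(tei: int) -> str:
    """TEI ranges from the text: 0-63 static, 64-126 dynamic, 127 broadcast."""
    if tei == 127:
        return "broadcast"
    return "static" if tei <= 63 else "dynamic"


def control_type(first_octet: int):
    """Return (control field length in octets, frame type) from the low-order bits."""
    if first_octet & 0x01 == 0:
        return 2, "information"
    if first_octet & 0x03 == 0x01:
        return 2, "supervisory"
    return 1, "unnumbered"


def build_frame(sapi: int, cr: int, tei: int, control: bytes, info: bytes = b"") -> bytes:
    """Assemble flag + address + control + information + FCS + flag."""
    if not (0 <= sapi <= 63 and cr in (0, 1) and 0 <= tei <= 127):
        raise ValueError("SAPI is 6 bits, C/R is 1 bit, TEI is 7 bits")
    # First address extension bit is 0, second address extension bit is 1.
    body = bytes([(sapi << 2) | (cr << 1), (tei << 1) | 1]) + control + info
    crc = fcs16(body)
    return bytes([FLAG]) + body + bytes([crc & 0xFF, crc >> 8, FLAG])


def parse_lapd(frame: bytes) -> dict:
    """Decode one bit-destuffed LAPD frame, including both flags."""
    if len(frame) < 7 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame must be at least 7 octets and delimited by 0x7E flags")
    body, fcs = frame[1:-3], frame[-3:-1]
    addr1, addr2 = body[0], body[1]
    if addr1 & 1 != 0 or addr2 & 1 != 1:
        raise ValueError("address extension bits must be 0 (first octet) and 1 (second)")
    ctl_len, frame_type = control_type(body[2])
    if len(body) < 2 + ctl_len:
        raise ValueError("control field is truncated")
    tei = addr2 >> 1
    return {
        "sapi": addr1 >> 2,
        "cr": (addr1 >> 1) & 1,  # raw bit; its meaning depends on the sending side
        "tei": tei,
        "tei_class": classify_tei(tei),
        "frame_type": frame_type,
        "control": body[2:2 + ctl_len],
        "info": body[2 + ctl_len:],
        "fcs_ok": fcs16(body) == fcs[0] | (fcs[1] << 8),
    }


# Constructed sample: information frame, SAPI 0, dynamically assigned TEI 64,
# carrying four constructed payload octets.
SAMPLE_FRAME = build_frame(sapi=0, cr=0, tei=64, control=b"\x00\x00",
                           info=bytes.fromhex("08010105"))

if __name__ == "__main__":
    print(parse_lapd(SAMPLE_FRAME))
```

A frame whose fcs_ok is False should be discarded before its address or payload is trusted.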

Q.931

The subscriber’s ISDN devices and the public carrier’s devices exchange Q.931 frames to establish, control, and terminate an ISDN call. Q.931 packets are encapsulated in the information field of the LAPD frame.

Call Process

When an ISDN call is placed, the devices go through a procedure to ensure that the connection is made. A basic knowledge of this procedure can help you troubleshoot your ISDN connection. (See Figure 8-4).

Figure 8-4. ISDN Call Setup Process

(Figure 8-4 labels: Caller, ISDN Switch, Receiver; pick up and dial; 1 Setup; 2 Call Process, Setup; 3 Alerting; Phone rings; 4 Alerting; 5 Connect; pick up the phone; 6 Connect; 7 Connect_ack; 8 Connect_ack; 9 Connected.)

Placing a Call. When you use your telephone to place a call, you pick up the phone and get a dialtone, which signals that the phone and voice switch are ready. After you dial a number, your telephone, the public carrier’s voice switches, and the receiving phone must exchange frames to establish the connection.

Similarly, when an ISDN modem initiates a connection to another modem, the calling modem, the public carrier’s switches, and the receiving modem must exchange D channel frames. The following is the procedure when placing an ISDN call:

1. The calling modem is activated and sends a SETUP to the switch.

2. If the ISDN switch is available and ready, it sends a CALL PROC to the caller and a SETUP to the receiver.

3. The receiver gets the SETUP. If the receiver is available and ready, it rings the phone and sends an ALERTING message to the switch.

4. The switch forwards the ALERTING to the caller.

5. The receiving ISDN modem sends a CONNECT message to the switch.

6. The switch forwards the CONNECT message to the caller.

7. The caller sends a CONNECT_ACK to the switch.

8. The switch forwards the CONNECT_ACK to the receiver.

9. The call is now connected.

ProCurve Secure Router ISDN Modules

ProCurve Networking offers two types of ISDN modules:

■ narrow modules for primary WAN connections

■ backup modules for backup WAN connections

Like other narrow modules, the primary ISDN modules fit into the narrow slots on the front of the ProCurve Secure Router. The backup ISDN modules, on the other hand, snap onto the top of narrow modules before those modules are installed into the ProCurve Secure Router. Each narrow module contains a backup port that is enabled for use when a backup module is snapped into place. In fact, the two-port ISDN primary modules contain a backup port, which means you can install a backup module on top of the ISDN primary module.

Both primary and backup ISDN modules provide ISDN BRI connections. However, there are some differences between the modules that may determine which type of modules you purchase for your company’s WAN. Some of these differences are listed in Table 8-2.

Table 8-2. Differences Between Primary and Backup ISDN Modules

Primary ISDN module
  Hardware Requirements: uses one narrow slot on the ProCurve Secure Router
  Applications: primary or backup WAN connection between two offices that exchange data periodically and need a low-cost WAN solution
  Activation Method: established only when traffic that you identify as “interesting” needs to be transmitted across the connection
  Increasing Bandwidth: supports Multilink PPP (MLPPP), which can aggregate multiple B channels across different ISDN lines

Backup ISDN module
  Hardware Requirements: does not use a narrow slot; installed on top of any narrow module, enabling the use of the backup port on the module
  Applications:
    • backup for two locations that must maintain a persistent WAN connection
    • backup for two locations that require high availability
  Activation Method: two activation methods:
    • persistent backup connection, which is established immediately when the primary connection fails and maintained until the primary connection is re-established
    • demand routing connection, which is established when two conditions are met:
      – primary WAN connection fails
      – traffic you identify as “interesting” needs to be transmitted across the connection
  Increasing Bandwidth:
    • supports channel bonding with another ProCurve Secure Router when you configure a persistent backup connection
    • does not support channel bonding with demand routing

Note: Demand routing is supported with the J.04.01 release of the Secure Router operating system (OS).

Both primary and backup ISDN modules use PPP as the Data Link Layer protocol for the WAN connection and support PPP authentication. This chapter describes how to configure and manage ISDN connections established through the primary ISDN modules. For more information about backup modules, see the Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.

Primary ISDN Modules

For primary WAN connections, ProCurve Networking currently offers two types of modules:

■ ISDN BRI U module—used in the United States and Canada

■ ISDN BRI S/T module—used in all other countries

Both of these ISDN modules support the following standards:

■ National ISDN-1—Defined in the mid 1990s by the National Institute of Standards and Technology (NIST) and Bellcore (now called Telcordia), National ISDN-1 outlines a common set of options that ISDN manufacturers and public carriers must provide.

■ Northern Telecom Digital Multiplex System (DMS)-100—DMS-100 is another standard for transmitting voice and data over an ISDN line.

■ AT&T 5ESS—AT&T switches use Lucent signaling.

In addition, the ISDN BRI S/T module supports:

■ Euro-ISDN—Also called Normes Européennes de Télécommunication 3 (NET3), Euro-ISDN was defined in the late 1980s by the European Commission so that equipment manufactured in one country could be used throughout Europe.

Note Because the two-port ISDN modules have a single TDM clock, you cannot use one module to connect to two separate service providers. If you lease ISDN lines from two different service providers, you will need to use two separate ISDN modules—either 2 two-port ISDN modules or 1 two-port ISDN module and one ISDN backup module.

Table 8-3 lists the supported ISDN switches, the classifications, and electrical standards for each ISDN module.


Table 8-3. Supported ISDN Standards

Type: ISDN BRI S/T module
Switch Types: National ISDN-1; Northern Telecom DMS-100; AT&T 5ESS; DSS1 ETSI Euro-ISDN
Classifications: ACIF S031; ETSI TBR 3; EN 60950; IEC 60950; AS/NZS 60950; V.54 loopback support
Electrical: FCC Part 15 Class A; EN 55022 Class A; EN 55024; EN 61000-3-2; EN 61000-3-3

Type: ISDN BRI U module
Switch Types: National ISDN-1; Northern Telecom DMS-100; AT&T 5ESS
Classifications: ACTA/FCC Part 68; IC CS-03; UL/CUL 60950; V.54 loopback support
Electrical: FCC Part 15 Class A; EN 55022 Class A; EN 55024; EN 61000-3-2; EN 61000-3-3

Using Demand Routing for ISDN Connections

When you lease an ISDN line, you pay only for the time when the connection is established. If no one is sending traffic that must be transmitted over the dial-up WAN connection, you do not want the connection to be up. However, as soon as a user sends data that must be transmitted over the dial-up WAN connection, you want that connection to be established immediately.

When you purchase primary ISDN modules for the ProCurve Secure Router, you configure demand routing to manage the ISDN connection so that when traffic is sent from one site to another the dial-up connection is established. For example, you might lease an ISDN line to connect a branch office to the main office. When a workstation at the branch office sends a packet that must be forwarded to the main office, demand routing triggers the ISDN connection and ensures that the traffic is forwarded across the established link. If no more traffic is transmitted from the branch office to the main office, demand routing ensures that the ISDN connection is terminated until it is required again. (See Figure 8-5.) If you configure demand routing correctly, you can minimize the amount your company pays for its ISDN connection.


Figure 8-5. Using Demand Routing to Establish Dial-Up Connections for Primary and Backup Interfaces

Figure labels:

• ISDN connection to Branch Office A triggered by traffic with destination address 192.168.4.0 /24

• Backup ISDN connection to Branch Office B triggered only when primary interface goes down and traffic with destination address 192.168.5.0 /24 or 192.168.6.0 /24 is forwarded to demand interface

• ISDN connection to Branch Office C triggered only when traffic with destination address 192.168.7.0 /24 or 192.168.8.0 /24 is forwarded to demand interface

Demand routing can also be used for backup dial-up connections, ensuring that they are established only when the primary interface is down and traffic must be transmitted to another site. (For more information about using demand routing for backup dial-up connections, see the Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.)


To configure demand routing for a primary ISDN module, you must complete the following steps:

1. Create an extended access control list (ACL) to define the traffic that will trigger the dial-up connection.

2. Configure a demand interface.

3. Configure the BRI interface.

4. Configure an ISDN group.

5. Create a static route to the far-end network.

Define the Traffic That Triggers the Connection

When configuring demand routing, you must define the interesting traffic—the traffic that triggers, or activates, the WAN connection. For example, if you are configuring demand routing for an ISDN connection between the main office and a branch office, the interesting traffic would be the packets destined for the branch office. (See Figure 8-6.)

Figure 8-6. Connection Triggered When Interesting Traffic Is Received on a Router Interface

Figure labels: a packet marked "To: 10.4.4.23 From: 10.2.2.5"; Main Router; Office Router; Switch; networks 10.1.1.0, 10.2.2.0, and 10.4.4.0; "Connection triggered".

ACL configured on Main Router:

ip access-list extended OfficeConnection

permit ip 10.1.1.0 0.0.0.255 10.4.4.0 0.0.0.255

permit ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255


To define the interesting traffic, you create an extended ACL. The ProCurve Secure Router will use this ACL to identify and select traffic that triggers a dial-up connection.

From the global configuration mode context, enter:

Syntax: ip access-list extended <listname>

Replace <listname> with an alphanumeric descriptor that is meaningful to you. The listname is case sensitive.

After you enter this command, you are moved to the extended ACL configuration mode context, as shown below:

ProCurve(config-ext-nacl)#

You can now enter permit statements to define the traffic that will trigger the dial-up connection. Use the following command syntax:

Syntax: [permit | deny] <protocol> <source address> <source port> <destination address> <destination port> [log | log-input]

You must specify a <protocol>, <source address>, and <destination address>. However, the following are optional:

■ <source port> for TCP or UDP traffic

■ <destination port> for TCP or UDP traffic

■ [log | log-input]

Specifying a Protocol

When you create a permit or deny statement for an extended ACL, you must always specify a protocol. Valid protocols include:

■ AHP

■ ESP

■ GRE

■ ICMP

■ IP

■ TCP

■ UDP

You can also specify the number of the protocol. Valid numbers include any number between 0 and 255.


For demand routing, you might want to create an ACL that selects all of the traffic to a particular subnet. In this case, you should specify ip as the protocol.

Defining the Source and Destination Addresses

When you create an extended ACL, you must configure both a source and a destination address for each entry. You specify the source address first and then you specify the destination address.

To specify the source address and the destination address, use the following syntax:

[any | host {<A.B.C.D> | <hostname>} | <A.B.C.D> <wildcard bits>]

Table 8-4 lists the options you have for specifying both the source address and the destination address.

Table 8-4. Options for Specifying Source and Destination Addresses in an ACL

Option                           Meaning
any                              match all hosts
host [<A.B.C.D> | <hostname>]    specify a single IP address or a single host
<A.B.C.D> <wildcard bits>        specify a range of IP addresses

For example, you may want any traffic to the far-end network to trigger the dial-up connection. If the far-end network has a network address of 192.168.115.0 /24, enter:

ProCurve(config-ext-nacl)# permit ip any 192.168.115.0 0.0.0.255

If you want any outbound traffic from a particular network segment to trigger a dial-up connection, enter:

ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any

You might want the IP traffic from a specific host to a specific destination to trigger an ISDN connection. In this case, enter:

ProCurve(config-ext-nacl)# permit ip host 192.168.1.1 host 192.168.115.100

Using Wildcard Bits. You use wildcard bits to permit or deny a range of IP addresses. Wildcard bits determine which bits in the specified address the Secure Router OS should match to a packet and which address bits it should ignore. When you enter wildcard bits, you use a 0 to indicate that the Secure Router OS should match the corresponding bit in the IP address. You use a 1 to indicate that the Secure Router OS should ignore the corresponding bit in the IP address. In other words, the Secure Router OS does not have to match that bit.

For example, you might enter:

ProCurve(config-ext-nacl)# deny ip any 192.115.1.0 0.0.0.255

Essentially, you use the wildcard bits to specify the subnet that you want the Secure Router OS to match for a particular packet field (such as the source address). For example, if you enter 192.115.1.90 with the wildcard bits 0.0.0.255, the Secure Router OS will not match any address bits in the fourth octet of the IP address. The Secure Router OS will match incoming packets to the IP subnet address 192.115.1.0 /24 (because it will not match the bits in the fourth octet). (See Figure 8-7.)

Figure 8-7. Understanding Wildcard Bits

Bit value in the fourth octet    128 64 32 16 8 4 2 1
192.168.1.0 0.0.0.3                0  0  0  0 0 0 1 1    Ignore the last two address bits in the fourth octet
192.168.1.0 0.0.0.31               0  0  0  1 1 1 1 1    Ignore last five address bits in the fourth octet
192.168.1.0 0.0.0.255              1  1  1  1 1 1 1 1    Do not match address bits in the fourth octet

Implicit “Deny Any” Entry. Each ACL includes an implicit “deny any” entry at the end of the list. If a packet does not match any entry in the ACL you create, it matches the implicit “deny any” entry.

When you configure an ACL to select interesting traffic, you should permit at least one host. Otherwise, you will, in effect, prevent the dial-up connection from becoming active.

Log. Include the log option if you want the Secure Router OS to log a message:

■ when debug access-list is enabled for this ACL

■ when a packet matches this ACL

For example, a log will be generated when a packet triggers the dial-up connection.


Exit the ACL. After you have finished creating the ACL, enter exit to return to the global configuration mode context, as shown below:

ProCurve(config-ext-nacl)# exit
ProCurve(config)#

After you create the ACL, you must apply it to the demand interface. In fact, the ACL will have no effect until you apply it to the demand interface. (For more information about configuring ACLs, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.)
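The wildcard-bit matching and the implicit "deny any" entry described in this section can be checked offline before an ACL is applied to a demand interface. The following Python sketch is an added example, not code from this guide or from the Secure Router OS; it handles only ip entries with the any, host, and wildcard address forms. It assumes that entries are evaluated top-down with the first match deciding, and the EXCLUDE_ONE_HOST list and all function names are constructed for illustration.

```python
import ipaddress


def to_int(dotted):
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_address(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D <wildcard bits>.

    Returns (base, wildcard) as integers. Hostnames are not resolved here.
    """
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF              # every bit ignored
    if head == "host":
        return to_int(tokens.pop(0)), 0   # every bit must match
    return to_int(head), to_int(tokens.pop(0))


def parse_entry(line):
    """Parse '<permit|deny> ip <source> <destination> [log]'."""
    tokens = line.split()
    action, protocol = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or protocol != "ip":
        raise ValueError("example handles only permit/deny ip entries: " + line)
    source = parse_address(tokens)
    destination = parse_address(tokens)
    return action, source, destination


def wildcard_match(spec, address):
    """Compare only the bits whose wildcard bit is 0."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(address) & care) == (base & care)


def evaluate(acl_lines, src, dst):
    """Return (action, matching entry); falls through to the implicit deny."""
    for line in acl_lines:
        action, source, destination = parse_entry(line)
        if wildcard_match(source, src) and wildcard_match(destination, dst):
            return action, line
    return "deny", "implicit deny any"


def triggers_dialup(acl_lines, src, dst):
    """A packet is interesting only if a permit entry selects it."""
    return evaluate(acl_lines, src, dst)[0] == "permit"


def covered_range(base, wildcard):
    """First and last address selected by a contiguous wildcard such as 0.0.0.31."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    first = to_int(base) & care
    last = first | to_int(wildcard)
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


# ACL shown with Figure 8-6 in this guide.
OFFICE_CONNECTION = [
    "permit ip 10.1.1.0 0.0.0.255 10.4.4.0 0.0.0.255",
    "permit ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255",
]

# Constructed ACL: one host is excluded ahead of a broad permit.
EXCLUDE_ONE_HOST = [
    "deny ip host 10.1.1.50 any",
    "permit ip any 192.168.115.0 0.0.0.255",
]

if __name__ == "__main__":
    for src, dst in [("10.2.2.5", "10.4.4.23"), ("10.3.3.5", "10.4.4.23"),
                     ("10.4.4.23", "10.2.2.5")]:
        print(src, "->", dst, evaluate(OFFICE_CONNECTION, src, dst))
    for wildcard in ("0.0.0.3", "0.0.0.31", "0.0.0.255"):
        print("192.168.1.0", wildcard, covered_range("192.168.1.0", wildcard))
    print(evaluate(EXCLUDE_ONE_HOST, "10.1.1.50", "192.168.115.7"))
```

The third packet in the sample run travels from the branch network back to the main office and falls through to the implicit deny, because the list is written for one direction only.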

Configuring the Demand Interface

You must create a demand interface for each router to which the ProCurve Secure Router will connect through a dial-up connection. The demand interface provides the Data Link Layer for the physical dial-up interface.

Like other logical interfaces such as Frame Relay or PPP, the demand interface controls the logical functions for the WAN connection. In many ways, you configure the demand interface as you do any other logical interface. For example, you assign the demand interface an IP address. From this interface, you apply the ACL that defines the interesting traffic that triggers the dial-up WAN connection. You can also apply other ACLs or an access control policy (ACP) to this interface if you want to block certain traffic from being transmitted over the connection.

The demand interface is different from other logical interfaces, however. For one thing, the demand interface is not bound to a specific physical interface or interfaces. Instead, the demand interface is associated with a pool of physical interfaces.

The demand interface must also handle its status differently: it must always be up, whether or not the physical dial-up interface associated with the demand interface is up. Because the demand interface cannot actually be up if the Physical Layer is down, it “spoofs” an up state. As a result, the demand interface can be listed as a directly connected interface in the router’s routing table, even when the dial-up interface is not in use.

Because the demand interface spoofs an up state, you can add routes to networks reached through the dial-up connection managed by the demand interface. The demand interface is the forwarding interface for these routes.


When the ProCurve Secure Router detects traffic that must be routed through a demand interface, it processes the extended ACL applied to the demand interface to define the interesting traffic. If the traffic matches that ACL, the router attempts to establish the ISDN connection.

After the physical ISDN connection is established, the ProCurve Secure Router uses PPP to set up the Data Link Layer. To ensure that only authorized routers establish ISDN connections to your router, you should configure PPP authentication for the dial-up connection.

To configure the demand interface, complete the following steps:

1. Create a demand interface.

2. Configure an IP address for the demand interface.

3. Apply the ACL that defines interesting traffic to the demand interface.

4. Specify whether the demand interface can originate a call, answer a call, or both.

5. Create a resource pool.

6. Configure instructions for placing a call by entering connect-sequence commands.

7. Configure timers, caller, and hold queue settings (optional).

8. Configure caller settings (optional).

9. Configure PPP authentication (optional but recommended).

You must complete steps 1-6. Steps 7-9 are optional.

Creating the Demand Interface

To create a demand interface and access the demand interface configuration mode context, enter the following command from the global configuration mode context:

Syntax: interface demand <number>

Replace <number> with a number between 1 and 1024 for this demand interface. You should configure a different demand interface for each connection to a remote site or device, and each demand interface must have a unique number.


Like loopback interfaces, demand interfaces do not have to be activated. That is, you do not have to enter no shutdown. After you create the demand interface, its status automatically changes to administratively up. The demand interface will begin spoofing an up status after you configure an IP address for it.

Shut Down the Demand Interface. You may need to shut down the demand interface. For example, you may need to shut down the interface to correct a configuration setting or to troubleshoot a problem with the ISDN line. Enter:

ProCurve(config-demand 1)# shutdown

To activate the interface again, enter:

ProCurve(config-demand 1)# no shutdown

Configuring an IP Address

Because the demand interface uses PPP as the Data Link Layer protocol, you have several options for setting up an IP address: you can assign the demand interface a static IP address, you can configure it to negotiate the IP address from its PPP peer, or you can configure it as an unnumbered interface.

Configure a Static IP Address. To assign the demand interface a static IP address, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, you might enter:

ProCurve(config-demand 1)# ip address 10.10.10.1 255.255.255.252

or

ProCurve(config-demand 1)# ip address 10.1.1.1 /30

Configure a Negotiated IP Address. If you want the demand interface to negotiate an IP address with its PPP peer, enter the following command from the demand interface configuration mode context:

Syntax: ip address negotiated


Configure the Demand Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the demand interface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces. As a result, each interface that has an IP address represents an entire subnet. Depending on the subnetting scheme you use, you may not have enough IP addresses to assign to each active interface on your router.

To conserve IP addresses, you may want the demand interface to use the IP address of another interface. However, if the interface to which the IP address is actually assigned goes down, the demand interface will be unavailable as well. Because there is little chance that a loopback interface will go down, you may want to assign the IP address to a loopback interface.

To configure the demand interface as an unnumbered interface, enter the following command from the demand interface configuration mode context:

Syntax: ip unnumbered <interface ID>

Valid interfaces from which the demand interface can take its address include:

■ Ethernet interfaces and subinterfaces

■ Frame Relay subinterfaces

■ PPP interfaces

■ loopback interfaces

■ Asynchronous Transfer Mode (ATM) subinterfaces

For example, you would enter the following commands to configure a loopback interface and then configure the demand 1 interface to use the IP address assigned to that loopback interface:

ProCurve(config)# interface loopback 1
ProCurve(config-loop 1)# ip address 192.168.115.1 /24
ProCurve(config-loop 1)# interface demand 1
ProCurve(config-demand 1)# ip unnumbered loopback 1

Spoofing. After you configure an IP address for the demand interface, its status should change to “up (spoofing),” and it should be listed as a directly connected interface in the routing table. To check the status of the demand interface, use the do command to enter a show command from the demand interface configuration mode context:

ProCurve(config-demand 1)# do show interface demand 1


To view the routing table, enter:

ProCurve(config-demand 1)# do show ip route

Figure 8-8 shows a routing table that includes demand interface 1, a directly connected interface.

Figure 8-8. Routing Table That Includes a Demand Interface

C 10.2.2.0/30 is directly connected, ppp 1
C 10.3.3.0/30 is directly connected, demand 1
C 192.168.20.0/24 is directly connected, eth 0/1

Matching the Interesting Traffic

To finish defining the interesting traffic that will trigger a dial-up connection, you must associate the ACL you created with the demand interface. From the demand interface configuration mode context, enter:

Syntax: match-interesting [list | reverse list] <listname> [in | out]

Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. That is, the router will try to match the packet’s source address to the source address that is defined in the extended ACL. Likewise, the router will try to match the packet’s destination address with the destination address that is defined in the extended ACL.

Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL. The ProCurve Secure Router will use the ACL to match traffic that is transmitted in the opposite direction, eliminating the need to create another ACL for the traffic inbound on the WAN connection. The router will try to match the packet’s source address with the destination address that is defined in the ACL. The router will then try to match the packet’s destination address with the source address that is defined in the ACL.

Replace <listname> with the ACL that you created to define the interesting traffic. You can specify only extended ACLs.

Including in or out is optional. By default, the ProCurve Secure Router uses the ACL you specify to check both incoming and outgoing traffic. If you do not specify a direction, outbound traffic is matched to the specified ACL, and inbound traffic is matched to the reverse of the ACL.


If you include the in option when you enter the match-interesting command, the ProCurve Secure Router will check only the traffic received on the demand interface. If you include the out option, the router will check only the traffic transmitted from the interface.

For example, suppose that you configured the Branch ACL to select traffic from the local network destined to a branch office network. If you want both traffic outbound to the branch office and inbound from the branch office to trigger the dial-up connection, apply the Branch ACL to demand 1 interface:

ProCurve(config-demand 1)# match-interesting list Branch

When you view the demand interface in the running-config, you will see two commands, even though you entered only one. (See Figure 8-9.)

Figure 8-9. The match-interesting Command as Displayed in the Running-Config

interface demand 1
 match-interesting list Branch out
 match-interesting reverse list Branch in

Entering the following two commands would accomplish the same thing:

ProCurve(config-demand 1)# match-interesting list Branch out
ProCurve(config-demand 1)# match-interesting reverse list Branch in

Note After you configure demand routing, you should monitor usage of the dial-up connection to determine if you have correctly configured the ACL to select interesting traffic. To avoid any problems when the bill for the dial-up connection arrives, ensure that the connection is being triggered only when you want it to be. To minimize costs, you may need to change the ACL by further limiting the traffic that triggers the connection.

Applying an ACP or Another ACL to the Demand Interface. In addition to using an ACL to determine which traffic triggers a dial-up connection, you can use ACLs to control incoming traffic and outgoing traffic on that connection. You have two options for controlling traffic:

■ You can apply ACLs directly to the demand interface. If you choose this option, you can apply one ACL directly to the interface to control incoming traffic, and you can apply another ACL directly to the interface to control outgoing traffic. (For best practices, you typically apply an extended ACL closest to the source of incoming traffic so that you do not waste the router’s processing time on traffic that will ultimately be discarded.)


■ You can apply an access control policy (ACP) to the demand interface. ACPs control incoming traffic and can contain multiple ACLs.

You use the ip access-group command to apply ACLs directly to the demand interface, or you use the access-policy command to apply an ACP to the demand interface. (For more information about using ACLs separately or in combination with ACPs, see Chapter 5: Applying Access Control to Router Interfaces.) The ProCurve Secure Router will match traffic to the ACLs or the ACP to control access to an already-active backup connection. However, the connection will only be triggered by traffic that matches the ACL that you specify in the match-interesting list command.

Because you can configure one ACL to trigger the dial-up connection and another ACL to control access to the dial-up connection, you can allow certain types of traffic to use a connection only when it is already established. For example, if you apply an ACL for outbound traffic to the demand interface, the router will match traffic destined out the demand interface against this list first. If the router determines that a packet is allowed, it will then check the ACL specified with the match-interesting list command to determine if the packet should trigger the backup connection. If the packet is not defined as interesting traffic, the ProCurve Secure Router will not attempt to establish the connection. However, if the connection is already established, the router will transmit packets that are permitted by the ACL, but not selected as interesting traffic, over the ISDN link. These packets will not reset the idle timer for the demand interface. (The idle timer determines how long the dial-up connection will remain connected in the absence of interesting traffic. When the router receives interesting traffic, it resets the idle timer. For more information about timers, see “Configuring the idle-timeout Option” on page 8-37 and “Configuring the fast-idle Option” on page 8-38.)

For example, suppose two nodes at a remote site need to communicate with a server at a local site. One node is specified in the ACL that triggers the connection, but the other node is not. The first node’s communication will keep the link active until it has completed its transfer of data and the idle timer has expired. If the idle timer expires when the second node is communicating with the server, the connection will be terminated because the second node’s traffic does not match the ACL specified in the match-interesting list command.

In addition to applying an ACL to control outbound traffic, you can apply an ACL for inbound traffic or an ACP to the demand interface. In this case, the ACL or the ACP will filter inbound traffic to your network over the backup connection. If the router determines that a packet is allowed, it will forward the packet. However, the router will reset the dial-up connection’s idle timer only if the packet also matches the ACL specified with the match-interesting reverse list command.

Specifying the connect-mode Option

You can control whether the demand interface can be used to originate a call, answer a call, or both. From the demand interface configuration mode context, enter:

Syntax: connect-mode [originate | answer | either]

Table 8-5 shows each option and when you would use it. The default setting is either.

Table 8-5. Options for the connect-mode Command

Option       Explanation
originate    The demand interface can make calls but cannot answer them.
answer       The demand interface can answer calls but cannot make them.
either       The demand interface can make calls and answer them.

No matter what you configure as interesting traffic, the connect-mode command controls whether or not the demand interface can originate or answer a call. When the demand interface receives outbound interesting traffic, it will originate a connection only if the connect mode you configured for the demand interface allows it to originate a call.

If a demand interface receives outbound interesting traffic and a dial-up connection is already established on this interface, the ProCurve Secure Router resets the idle timer on the connected link. (The idle timer determines how long the ISDN connection can remain up if no traffic is transmitted over it.) The router also resets the idle timer when it receives inbound interesting traffic through the demand interface.

If you want the demand interface to originate a call when it receives interesting traffic, you must set the connect-mode to originate or either. You could also configure the demand interface so that an ACL selects outbound traffic (match-interesting list <listname>) but the connect-mode command is set to answer. In this mode, the outbound traffic will not trigger a connection, but it will keep the connection up after the demand interface answers a call.


Note Currently, it is not possible to have outbound traffic that will originate a call but not keep the link up. Because the match-interesting command controls both the traffic that triggers a connection and the traffic that resets the idle timer, any outbound interesting traffic that initiates a connection also keeps the link up.

To return the connect-mode to its default setting of either, enter:

ProCurve(config-demand 1)# no connect-mode
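The trigger and idle-timer rules described above for the match-interesting, ip access-group, and connect-mode commands can be traced with a small simulation, including the two-node case in which permitted but uninteresting traffic loses the link. This Python model is an added example, not the router's implementation: the addresses, the 120-second idle timeout, and all class and function names are constructed, the timer is assumed to start when the link comes up, and inbound access filtering is left out.

```python
import ipaddress
from dataclasses import dataclass, field


def in_net(address, network):
    return ipaddress.ip_address(address) in ipaddress.ip_network(network)


def pair_match(pairs, src, dst):
    """True if (src, dst) falls inside any (source net, destination net) pair."""
    return any(in_net(src, s) and in_net(dst, d) for s, d in pairs)


@dataclass
class DemandInterface:
    interesting: list               # pairs from the match-interesting ACL
    permitted_out: list             # pairs from the outbound access ACL
    connect_mode: str = "either"    # originate | answer | either
    idle_timeout: int = 120         # seconds (constructed value)
    connected: bool = False
    idle_since: int = 0             # time the idle timer was last reset
    events: list = field(default_factory=list)

    def _expire(self, now):
        """Drop the link once no interesting traffic has been seen for idle_timeout."""
        if self.connected and now - self.idle_since >= self.idle_timeout:
            self.connected = False
            self.events.append((self.idle_since + self.idle_timeout,
                                "idle timeout, link dropped"))

    def answer_call(self, now):
        """Far end dials in; accepted only in answer or either mode."""
        self._expire(now)
        if self.connect_mode == "originate":
            return "call refused"
        self.connected, self.idle_since = True, now
        return "call answered"

    def send(self, now, src, dst):
        """Outbound packet routed to the demand interface."""
        self._expire(now)
        if not pair_match(self.permitted_out, src, dst):
            return "blocked by access ACL"          # checked first
        interesting = pair_match(self.interesting, src, dst)
        if not self.connected:
            if not interesting:
                return "not sent: link down, traffic not interesting"
            if self.connect_mode == "answer":
                return "not sent: link down, answer-only mode"
            self.connected = True
            self.events.append((now, "dialed"))
        if interesting:
            self.idle_since = now
            return "sent, idle timer reset"
        return "sent, idle timer unchanged"

    def receive(self, now, src, dst):
        """Inbound packet: matched against the reverse of the interesting ACL."""
        self._expire(now)
        if not self.connected:
            return "no link"
        if pair_match(self.interesting, dst, src):  # reverse list: swap fields
            self.idle_since = now
            return "received, idle timer reset"
        return "received, idle timer unchanged"


# Constructed addresses: two branch nodes and one main-office server.
NODE_A, NODE_B, SERVER = "10.4.4.10", "10.4.4.20", "10.1.1.5"
INTERESTING = [("10.4.4.10/32", "10.1.1.0/24")]    # only node A triggers the call
PERMITTED_OUT = [("10.4.4.0/24", "10.1.1.0/24")]   # both nodes may use the link


def run_two_node_scenario():
    """Node B rides on the link node A opened, then loses it at the idle timeout."""
    intf = DemandInterface(INTERESTING, PERMITTED_OUT)
    timeline = [(0, NODE_B), (10, NODE_A), (20, NODE_B), (100, NODE_B), (131, NODE_B)]
    results = [(t, src, intf.send(t, src, SERVER)) for t, src in timeline]
    return results, intf.events


if __name__ == "__main__":
    results, events = run_two_node_scenario()
    for row in results:
        print(row)
    print(events)
```

In the sample timeline node B is still sending at 100 seconds, yet the link drops 120 seconds after node A's last packet, which is the behavior to look for when reviewing call records against the interesting-traffic ACL.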

Associating a Resource Pool with the Demand Interface

Rather than using a bind command to create a persistent, one-to-one connection between the demand interface and a physical interface, you use the resource pool command to link the demand interface to one or multiple ISDN BRI interfaces. The resource pool command creates a resource pool and associates it with a particular demand interface. Each demand interface can be associated with only one resource pool.

To create a resource pool and associate it with the demand interface, enter:

ProCurve(config-demand 1)# resource pool <poolname>

Replace <poolname> with the name of the resource pool that contains the physical interfaces that this demand interface will use to originate or answer connections.

This resource pool is empty until you assign members to it. For primary ISDN connections, you will assign an ISDN group to the resource pool. You must be at the configuration mode context for the ISDN group. (For more information, see “Configuring the ISDN Group” on page 8-44.)

Defining the Connect Sequence

You must configure a connect sequence to specify:

■ the telephone number that the demand interface dials to connect to the other site

■ the type of dial-up connection to establish

When the ProCurve Secure Router detects interesting traffic and no connections are currently established to carry this traffic, it uses a connect sequence to try to establish a connection. This process is called an activation attempt.


You can configure more than one connect sequence for a demand interface. For example, you may want to configure more than one connect sequence if the main office has more than one ISDN line. Then, if one ISDN line is in use, the ProCurve Secure Router can dial another line to establish a connection. You may also want to configure more than one connect sequence to connect to a different router at the main office. Then, if one router at the main office is down, the router at a branch office can still connect to the main office.

To configure a connect sequence, enter the following command from the demand interface configuration mode context:

Syntax: connect-sequence <sequence-number> dial-string <string> [<resource-type>] [busyout-threshold <value>]

Replace <sequence-number> with a number between 1 and 65535 to identify this set of connection instructions.

Replace <string> with the telephone number that the demand interface should dial to make the connection.

Replace <resource-type> with one of the options listed in Table 8-6. The option you enter will limit this connection to a particular type of dial-up connection.

Table 8-6. Defining a Resource Type for a Connect Sequence

Option Description

isdn-64k Any dial resource can be used, but if ISDN is used, the call must be placed using a 64-Kbps channel.

isdn-56k Any dial resource can be used, but if ISDN is used, the call must be placed using a 56-Kbps channel.

forced-analog Only analog resources can be used. (This option is used when you configure demand routing with a backup analog line.)

forced-isdn-64k Only ISDN resources can be used, and the call must be placed using a 64-Kbps channel.

forced-isdn-56k Only ISDN resources can be used, and the call must be placed using a 56-Kbps channel.

Because you are setting up a connect sequence for an ISDN connection, you should enter the forced-isdn-64k or forced-isdn-56k options, depending on the speed of the B channel. Your service provider should tell you which option to use.


Specifying the busyout-threshold <value> is optional. Include a value to specify the maximum number of times the ProCurve Secure Router will try this connect sequence in a single call attempt. If you specify 0, the ProCurve Secure Router will make an unlimited number of attempts. If you specify any other number, the ProCurve Secure Router will skip this connect sequence after it reaches the maximum number. (Depending on your configuration, the ProCurve Secure Router may cycle through the list of connect sequences more than once in its attempt to establish a connection. For more information, see “Configure the Number of Connect Sequence Attempts” on page 8-33.)

There is no default connect sequence. If you do not enter at least one connect-sequence command, the demand interface will not be able to originate a dial-up connection.

Deleting a Connect Sequence. To delete a connect sequence entry, enter the following command from the demand interface configuration mode context:

Syntax: no connect-sequence <sequence-number>

Specify the Order in Which Connect Sequences Are Used

If you enter more than one connect-sequence command, you can configure the order in which each connect sequence is used. From the demand interface configuration mode context, enter:

Syntax: connect-order [sequential | last-successful | round-robin]

Table 8-7 lists each option with a brief description.

Table 8-7. Options for Processing the Connect Sequences

Option Description

sequential Process each connect sequence in numerical order, starting with the lowest number and ending with the highest number.

last-successful Process the last-successful connect sequence first. If that connect sequence is not successful, process those remaining in numerical order, starting with the lowest number and ending with the highest number.

round-robin First, process the connect sequence that follows the last-successful connect sequence. If that connect sequence fails, process the next highest sequence. (If no connection has been made, process the first connect sequence.)

The default setting is sequential.


Returning to the Default Connect Sequence Processing Order. To return the connect-order command to its default setting of sequential, enter:

ProCurve(config-demand 1)# no connect-order

Configure the Number of Connect Sequence Attempts

You can limit the number of times that the ProCurve Secure Router processes the connect sequences configured for a demand interface if it is unable to establish a connection. The router will process the connect sequences in the order you specify (with the connect-order command). If the router processes all of the connect sequences and is unable to establish a connection, the router has made one connect sequence attempt. (Note that in one attempt, the router can retry a particular connect sequence as many times as specified for that connect sequence’s busyout-threshold setting.) The router then repeats the process until it reaches the number that you have specified in the connect-sequence attempts command.

From the demand interface configuration mode context, enter:

Syntax: connect-sequence attempts <value>

Replace <value> with the number of times the ProCurve Secure Router will cycle through the connect sequences specified for a demand interface. You can specify a number between 0 and 65535. The default setting is 1. Specifying 0 places no limit on the number of attempts.

Configure Settings for the Recovery State

When the ProCurve Secure Router tries to establish a connection, one of the following conditions will result:

A BRI Interface Is Available, and the Call Is Connected. If the ProCurve Secure Router successfully establishes a physical connection (Layer 1), it will begin to negotiate a PPP session with the far-end router.

No BRI Interfaces Are Available. If no BRI interface in the associated resource pool is available for use, the ProCurve Secure Router places all interfaces in the resource pool in fast-idle mode, which decreases the amount of time an interface can remain idle before the router disconnects the ISDN connection. The router then monitors the BRI interfaces until one becomes available. If a BRI interface becomes available, the ProCurve Secure Router uses that interface to dial a connect-sequence. At the same time, the router cancels the fast-idle mode for the resource pool. (For more information about fast-idle mode, see “Configuring the fast-idle Option” on page 8-38.)

A BRI Interface Is Available, But the Call Fails. If a BRI interface is available and the ProCurve Secure Router attempts to establish a connection, the call may fail for a number of reasons: a busy signal, no answer, connection timeout, and so on. When a connection attempt fails, the router increments the failure count for that connect sequence and then tries to use the next connect sequence to establish a dial-up connection. The busyout-threshold option determines the number of times the ProCurve Secure Router processes a particular connect sequence during each connect sequence attempt.

For example, if connect sequence 10 has a busyout-threshold of 3 and connect sequence 11 has a busyout-threshold of 2, the router will process connect sequence 10 three times and connect sequence 11 twice (alternating between the two sequences). If, at the end of the five total attempts, the router cannot establish a connection, it has made one connect sequence attempt.

If the router reaches the maximum number of connect sequence attempts, the ProCurve Secure Router will, by default, change the status of the demand interface to “DOWN (recovery active).” The router will remove the IP address from the demand interface and any associated routes from the routing table. No interesting traffic will be forwarded to the demand interface. If you have configured an alternate route for traffic, the ProCurve Secure Router will activate and use that route.

While the demand interface is in this recovery active state, the ProCurve Secure Router will periodically process the connect sequences and try to establish a dial-up connection. If the router can successfully establish a connection, it will change the status of the demand interface to up, reinstate the routes through the interface, and begin forwarding interesting traffic to the demand interface.

However, if the ProCurve Secure Router cannot establish a connection, it will, by default, continue to try the connect sequences every 120 seconds. You can change the default settings for the recovery mode: you can configure how often the ProCurve Secure Router attempts to establish a connection and the number of attempts it makes in the recovery mode. From the demand interface configuration mode context, enter:

Syntax: connect-sequence interface-recovery retry-interval <seconds> max-retries <number>


Replace <seconds> with the number of seconds you want the demand interface to wait between connect sequence attempts. You can specify a number between 1 and 65535. The default setting is 120 seconds.

Replace <number> with a number between 0 and 65535. If you specify 0, the ProCurve Secure Router will continue to try to establish a connection until it is successful or you clear the interface. The number you specify overrides the connect-sequence attempts setting while the demand interface is in recovery mode. The default setting is 0, or unlimited. That is, the demand interface remains in recovery mode until it successfully establishes a call or until you shut down the interface.

To disable the recovery mode, enter the following command from the demand interface configuration mode context:

ProCurve(config-demand 1)# no connect-sequence interface-recovery

Understanding How the connect-sequence Commands Work

Before you configure all the settings for connect sequences, you should understand how these settings interrelate. For example, consider the configuration shown in Figure 8-10:

interface demand 1
 connect-order sequential
 connect-sequence attempts 3
 connect-sequence 10 dial-string 5551212 forced-isdn-64k busyout-threshold 3
 connect-sequence 20 dial-string 5552222 forced-isdn-64k busyout-threshold 1
 connect-sequence interface-recovery retry-interval 60 max-retries 5
 resource pool Pool

Figure 8-10. Connection Instructions for a Demand Interface

The resource pool for this demand interface contains two BRI interfaces. If interesting traffic is forwarded to this demand interface, the ProCurve Secure Router will first process connect sequence 10 (because the connect-order is sequential). If the BRI interface is available, the ProCurve Secure Router will try to call 5551212. (See Figure 8-11.)


Figure 8-11. Trying to Establish an ISDN Connection

Processing connect-sequences

connect-order sequential
connect-mode either
connect-sequence 10 dial-string 5551212 forced-ISDN-64k busyout-threshold 3
connect-sequence 20 dial-string 5552222 forced-ISDN-64k busyout-threshold 1
connect-sequence attempts 3
connect-sequence interface-recovery retry-interval 60 max-retries 5

1. Check connect-order.

2. Process connect-sequence 2, based on connect-order.

3. Check connect-mode. Can the interface answer or originate a call?

4. Was the call successful? Yes = PPP session begins. No = process connect-sequence 20.

5. Was the call for connect-sequence 20 successful? Yes = PPP session begins. No = process connect-sequence 10 up to three times or until a call is successful.

6. Based on connect-sequence attempts command, repeat steps 2 through 5 until a call is successful or a maximum of two more times.

7. If the demand interface cannot successfully establish a call, the router puts it into the recovery state.

8. In the recovery state, the demand interface attempts to establish a connection every 60 seconds. Based on the configuration, it tries a maximum of five times. If the interface is not successful, its status changes to down.

If the ISDN connection is not established, the ProCurve Secure Router will try to process connect sequence 20. Because the busyout-threshold setting is 1, the ProCurve Secure Router will try this connection only once. If the second connect sequence is unsuccessful, the ProCurve Secure Router will try connect sequence 10 up to two more times (for a total of three times).


If the ProCurve Secure Router processes all of the connect sequences and cannot establish a dial-up connection, the connect sequence attempt fails. For the configuration shown in Figure 8-10, the ProCurve Secure Router will cycle through the connect sequences three times. That is, it will attempt to call 5551212 (connect sequence 10) up to nine times in total and 5552222 (connect sequence 20) up to three times in total.

If all three attempts are unsuccessful, the ProCurve Secure Router will change the status of the demand interface to down (recovery active). Further, the router will remove the demand interface’s IP address and any routes referencing the interface (allowing any routes with higher administrative distances to take their place).

In 60 seconds, the ProCurve Secure Router will try to process the connect sequences again (although the demand interface will remain in recovery active mode). That is, the router will call 5551212 once, 5552222 once, and then 5551212 twice again. If that attempt is unsuccessful, the ProCurve Secure Router will try again in 60 seconds. Based on the configuration in Figure 8-10, the ProCurve Secure Router will try up to five times or until a connection is successful.

If all the connection attempts made during the recovery active mode are unsuccessful, the ProCurve Secure Router will change the status of the demand interface to down (recovery failed) until you take some action to intervene. (See “Troubleshooting Demand Routing” on page 8-68.) If a connection is successful, the ProCurve Secure Router will change the status of the demand interface to up (connected), activate the IP address for the interface, and reinstate any routes to the interface.
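The walk-through above, as an added Python model (not code from this guide or from the router's software): it reproduces the dial order within one connect sequence attempt and totals the worst-case calls for the Figure 8-10 settings. It assumes connect-order sequential and that every call fails; the names ConnectSequence, one_attempt and worst_case are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectSequence:
    number: int             # connect-sequence <sequence-number>
    dial_string: str        # dial-string <string>
    busyout_threshold: int  # busyout-threshold <value>


# The two connect sequences from Figure 8-10.
FIGURE_8_10 = [
    ConnectSequence(10, "5551212", 3),
    ConnectSequence(20, "5552222", 1),
]


def one_attempt(sequences):
    """Dial strings tried, in order, during ONE connect sequence attempt.

    Models the behaviour the text describes for connect-order sequential:
    the router walks the sequences in numerical order, alternating between
    them, and skips a sequence once it has been tried busyout-threshold
    times. Every call is assumed to fail (worst case).
    """
    ordered = sorted(sequences, key=lambda s: s.number)
    if any(s.busyout_threshold == 0 for s in ordered):
        # 0 means unlimited tries, so the attempt has no fixed length.
        raise ValueError("busyout-threshold 0 places no limit on tries")
    tried = Counter()
    calls = []
    while any(tried[s.number] < s.busyout_threshold for s in ordered):
        for s in ordered:
            if tried[s.number] < s.busyout_threshold:
                tried[s.number] += 1
                calls.append(s.dial_string)
    return calls


def worst_case(sequences, attempts, retry_interval, max_retries):
    """Total calls per dial string if no call ever connects.

    attempts       -> connect-sequence attempts <value>   (0 = no limit)
    retry_interval -> interface-recovery retry-interval   (seconds)
    max_retries    -> interface-recovery max-retries      (0 = unlimited)
    """
    per_attempt = Counter(one_attempt(sequences))
    result = {"per_attempt": dict(per_attempt), "bounded": False}
    if attempts == 0:
        return result  # the router never stops cycling, nothing to total
    result["before_recovery"] = {
        dial: count * attempts for dial, count in per_attempt.items()
    }
    if max_retries == 0:
        return result  # recovery retries continue until a call connects
    result.update(
        bounded=True,
        in_recovery={d: c * max_retries for d, c in per_attempt.items()},
        # Waiting time only; the time spent dialing is not modelled.
        recovery_seconds=retry_interval * max_retries,
        final_state="down (recovery failed)",
    )
    return result


if __name__ == "__main__":
    print(one_attempt(FIGURE_8_10))
    print(worst_case(FIGURE_8_10, attempts=3, retry_interval=60, max_retries=5))
```
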

Configuring the idle-timeout Option

You can configure the amount of time that the demand interface remains up in the absence of interesting traffic. From the demand interface configuration mode context, enter:

Syntax: idle-timeout <seconds>

Replace <seconds> with a number between 1 and 2147483. (The range is 1 second to more than 596 hours.)

The default setting is 120 seconds.


Configuring the fast-idle Option

You can assign BRI interfaces to more than one resource pool. For example, you might want to assign backup interfaces to more than one resource pool because it would be unlikely that two primary interfaces would go down at the same time. If at all possible, however, ProCurve Networking recommends that you design resource pools and the connect sequences to avoid contention for BRI interfaces—especially for primary BRI interfaces.

If all the BRI interfaces in a resource pool are in use and the ProCurve Secure Router needs to establish another connection, the fast-idle option determines the number of seconds that the existing ISDN connections will remain up in the absence of interesting traffic. Because BRI interfaces are in contention, the fast-idle option drastically reduces the time the demand interface remains up when it is not in use.

To configure this setting, enter the following command from the demand interface configuration mode context:

Syntax: fast-idle <seconds>

Replace <seconds> with a number between 1 and 2147483. (The range is 1 second to more than 596 hours.)

The default setting is 20 seconds.

To return the option to the default setting, enter:

ProCurve(config-demand 1)# no fast-idle

Defining the caller-number Option

When an ISDN call is established, the calling party supplies a Calling Line ID (CLID). If you configure a caller-number, the demand interface will check the CLID when it receives calls. If the CLID matches one of the numbers that you have specified, the demand interface will answer the call. If the CLID does not match any of the specified numbers, the interface will not answer the call.

You can enter multiple caller-number commands, allowing the BRI interface to accept calls from different remote offices or devices.

From the demand interface configuration mode context, enter:

Syntax: caller-number <CLID>


Replace <CLID> with the calling party’s telephone number.

By default, the caller-number list does not include any numbers, so all calls are accepted.

Defining the called-number Option

You can also configure the Dialed Number Identification Service (DNIS) that the demand interface provides when answering a call. From the demand configuration mode context, enter:

Syntax: called-number <DNIS>

Replace <DNIS> with the telephone number that you want the BRI interface to provide when answering or making a call. This command allows the router to provide the same caller ID to a remote peer no matter which physical interface it uses to make the connection.

You can enter multiple called-number commands. By default, no number is specified for the called-number command.

Configuring the Hold Queue

When the ProCurve Secure Router detects interesting traffic, it begins to hold these packets in a queue while it tries to set up a dial-up connection. When the connection is established, the ProCurve Secure Router transmits all the packets in the hold queue.

You can configure the maximum number of interesting packets that the router keeps in the hold queue and the length of time the packets are held while a connection is being made. From the demand interface configuration mode context, enter:

Syntax: demand-hold-queue <packets> timeout <seconds>

Replace <packets> with a number between 0 and 200. Replace <seconds> with a number between 0 and 255.

By default, the ProCurve Secure Router holds 200 packets for 3 seconds. If the number of packets received before the connection is established exceeds 200 packets or if the connection is not established within 3 seconds, the ProCurve Secure Router empties the hold queue. However, emptying the hold queue does not terminate an activation attempt.


Configuring the BRI Interface

To configure the BRI interface, you need the following information from your service provider:

■ ISDN signaling (switch) type

■ assigned telephone numbers (LDNs)

■ service profile IDs (SPIDs), if you are located in the United States or Canada

You should have this information available before you begin configuring the BRI interface. You must then complete the following steps:

1. Access the BRI interface configuration mode context.

2. Specify the ISDN switch type.

3. Assign the BRI interface a SPID and LDN if you are using a BRI U interface module.

4. Assign the interface an LDN if you are using a BRI S/T interface.

5. Activate the BRI interface.

Accessing the BRI Interface

To access the BRI interface configuration mode context, enter:

Syntax: interface <interface> <slot>/<port>

Replace <interface> with bri.

On the ProCurve Secure Router, each physical interface is identified by its slot number and port number.

The possible slot numbers for a primary ISDN interface are:

■ 1 = dl option module slot 1

■ 2 = dl option module slot 2

The port number you enter depends on the location of the module you are configuring. Each of the ProCurve ISDN modules has three ports: two ISDN BRI ports (ports 1 and 2) and a backup ISDN BRI port (port 3). For more information about backup ports, see the Advanced Management and Configuration Guide, Chapter 3: Configuring Backup WAN Connections.


For example, if the ISDN module is located in slot 1 and you are configuring the interface for port 2, enter:

ProCurve(config)# interface bri 1/2

The prompt should indicate that you have entered the appropriate interface configuration mode context:

ProCurve(config-bri 1/2)#

Configuring the ISDN Signaling (Switch) Type

The ProCurve Secure Router ISDN module supports the AT&T 5ESS, Northern DMS-100, Euro NET3, and National ISDN-1 standards. You must configure the BRI interface to use the ISDN signaling that your public carrier uses. The signaling type does not necessarily have to be that of the ISDN switch’s manufacturer. For example, a Lucent switch can implement National ISDN-1 signaling. Your public carrier should inform you which signaling method it uses.

To set the signaling type, enter the following command from the BRI interface configuration mode context:

Syntax: isdn switch-type [basic-5ess | basic-dms | basic-net3 | basic-ni]

ProCurve(config-bri 1/2)# isdn switch-type basic-5ess

Table 8-8 lists the command syntax for specifying each signaling type.

Table 8-8. ISDN Signaling Types

Signaling Type    Command Syntax

National ISDN-1    isdn switch-type basic-ni

Euro ISDN    isdn switch-type basic-net3

Northern Telecom DMS-100    isdn switch-type basic-dms

Lucent/ATT 5ESS    isdn switch-type basic-5ess

The default settings are:

■ ISDN BRI U modules, isdn switch-type basic-5ess

■ ISDN BRI S/T modules, isdn switch-type basic-net3


If your public carrier is using the default signaling type, you do not have to enter the isdn switch-type command. You can simply accept the default setting.

Configuring a SPID and LDN for ISDN BRI U Modules

In North America, some ISDN switches require a SPID to identify each TE on the subscriber’s premises and to determine the types of services that the TE can access. A SPID is typically a 14-digit number that includes the interface’s 10-digit telephone or local directory number (LDN) and a two- to four-digit identifier. This identifier specifies the type of service on the line (data or voice). If the public carrier’s switch requires a SPID, you must specify it when you set up your ISDN equipment.

If you are configuring a router for an ISDN connection in North America, enter the following command to set the SPID:

Syntax: isdn spid1 <SPID1>

Some public carriers assign two SPIDs to ISDN connections that use both channels. You must set the second SPID in order for the second B channel to properly receive data. You set the second SPID using the isdn spid2 command:

Syntax: isdn spid2 <SPID2>

You can set a SPID and an LDN in one command. Enter:

Syntax: isdn spid1 <SPID1> <LDN1>

For example, you might enter:

ProCurve(config-bri 1/3)# isdn spid1 70455511110101 5555551111

Similarly, you can set a second LDN at the same time that you set the second SPID.

ProCurve(config-bri 1/3)# isdn spid2 70455511120101 5555551112

Alternatively, you can set an LDN using a separate command.

Syntax: isdn ldn1 <LDN1>

Syntax: isdn ldn2 <LDN2>


Note: You can set LDNs using the isdn ldn1, isdn ldn2, isdn spid1, or isdn spid2 commands. The router uses whichever LDN1 or LDN2 value was most recently entered using one of these commands.

Configuring an LDN for BRI S/T Modules

The LDN is the PTT or PSTN number that the remote peer calls to reach the BRI interface and establish the WAN link. You must set the LDN in order for the interface to answer calls.

Setting the LDN. Enter the LDN with the isdn ldn1 command:

Syntax: isdn ldn1 <LDN>

For example, you might enter:

ProCurve(config-bri 1/2)# isdn ldn1 5555551111

You can also set a secondary LDN using the isdn ldn2 command:

ProCurve(config-bri 1/1)# isdn ldn2 5555552222

If you are configuring an ISDN line that uses SPIDs (typically a North American ISDN line), you can set the SPID at the same time that you set the LDN.

Activating the Interface

The BRI interface must be manually activated. From the BRI interface configuration mode context, enter:

Syntax: no shutdown

Caller ID Options

If you configure the ProCurve Secure Router to accept ISDN calls from certain numbers, the router checks each incoming call’s caller ID to ensure it matches your list of acceptable numbers. You can override an incoming call’s caller ID using the caller-id override option. Enter:

Syntax: caller-id override [always <number> | if-no-cid <number>]

Replace <number> with the phone number that you want to use to override the incoming caller ID number. The always option replaces the caller ID for all incoming calls with the number you specify. The if-no-cid option uses the specified number only when an incoming call does not have a caller ID.
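A review check for the call-acceptance settings described in this chapter (connect-mode, caller-number, caller-id override), as an added Python example that is not part of the original guide or the router's software. The sample configuration is constructed, the function names are hypothetical, and the example assumes that caller-id override is entered in the BRI interface context and is applied before the caller-number check.

```python
import re

# Constructed sample configuration. It uses only commands described in this
# chapter; the indentation is an assumption about how the file is laid out.
SAMPLE_CONFIG = """\
interface demand 1
 connect-mode either
 resource pool Pool
interface demand 2
 connect-mode answer
 caller-number 5551212
 resource pool Branch
interface demand 3
 connect-mode originate
 resource pool Backup
interface bri 1/1
 isdn ldn1 5555551111
 caller-id override always 5551212
interface bri 1/2
 isdn ldn1 5555551112
 caller-id override if-no-cid 5559999
"""


def parse_contexts(text):
    """Group each command under the 'interface ...' line that precedes it."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            contexts.setdefault(current, [])
        elif current is not None:
            contexts[current].append(line)
    return contexts


def audit(text):
    """Return (context, severity, message) findings for call acceptance."""
    contexts = parse_contexts(text)
    allowed = set()   # every CLID named by any caller-number command
    findings = []

    # Pass 1: demand interfaces that answer calls without a CLID list.
    for name, cmds in contexts.items():
        if not name.startswith("demand "):
            continue
        mode = "either"   # default connect-mode according to the guide
        numbers = []
        for cmd in cmds:
            if cmd == "no connect-mode":
                mode = "either"
            elif cmd.startswith("connect-mode "):
                mode = cmd.split()[1]
            elif cmd.startswith("caller-number "):
                numbers.append(cmd.split()[1])
        allowed.update(numbers)
        if mode in ("answer", "either") and not numbers:
            findings.append((name, "warn",
                             "answers calls but has no caller-number list, "
                             "so calls from any CLID are accepted"))

    # Pass 2: BRI interfaces that rewrite the caller ID of incoming calls.
    # The BRI-to-demand mapping (ISDN group, resource pool) is not followed;
    # the override number is compared against every caller-number list.
    for name, cmds in contexts.items():
        if not name.startswith("bri "):
            continue
        for cmd in cmds:
            m = re.fullmatch(r"caller-id override (always|if-no-cid) (\d+)", cmd)
            if not m:
                continue
            option, number = m.groups()
            scope = ("every incoming call" if option == "always"
                     else "calls that arrive without a caller ID")
            listed = number in allowed
            findings.append((name, "high" if listed else "warn",
                             f"{scope} presents CLID {number}"
                             + (", which is on a caller-number list"
                                if listed else "")))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```
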


Configuring the ISDN Group

When you configure demand routing for a primary ISDN connection, you must configure an ISDN group by completing the following steps:

1. Create an ISDN group.

2. Assign BRI interfaces to the group.

3. Make the ISDN group a member of a resource pool.

4. Configure an incoming-accept-number.

Creating an ISDN Group

From the global configuration mode context, enter:

Syntax: isdn-group <number>

Replace <number> with a number between 1 and 255 to uniquely identify this ISDN group.

You are moved to the ISDN group configuration mode context, as shown below:

ProCurve(config-isdn-group 1)#

From here, you can assign primary BRI interfaces to the group, and you can make this group a member of a resource pool. You can also configure the maximum and minimum number of links for an MLPPP connection. (This is explained in “MLPPP: Increasing Bandwidth” on page 8-50.)

Assigning BRI Interfaces to the ISDN Group

To assign a BRI interface to the ISDN group, enter the following command:

Syntax: connect bri <slot>/<port>

Replace <slot> and <port> with the numbers that identify where the BRI interface is installed. You can assign multiple BRI interfaces to the ISDN group. For example, you might enter:

ProCurve(config-isdn-group 1)# connect bri 2/1

ProCurve(config-isdn-group 1)# connect bri 2/2


Assigning the ISDN Group to a Resource Pool

To use the ISDN group for demand routing, you must make the group a member of a resource pool. The resource pool must be associated with at least one demand interface.

From the ISDN group configuration mode context, enter:

Syntax: resource pool-member <poolname>

For example, if the resource pool is called Branch, enter:

ProCurve(config-isdn-group 1)# resource pool-member Branch

Note: The ISDN group can be a member of only one resource pool.

Configuring the incoming-accept-number

You can control which calls the BRI interfaces in the ISDN group accept. From the ISDN group configuration mode context, enter:

Syntax: incoming-accept-number <number>

Replace <number> with the number that should be accepted for this ISDN group. The number you enter should match the digits that populate the called party information element (IE) received on the BRI interface answering the call.

You can use the wildcard characters listed in Table 8-9 to specify a range of numbers.

Table 8-10 provides some examples of using wildcard characters.

Table 8-9. Wildcard Characters for incoming-accept-number

Wildcard Characters Explanation

X Matches any single digit between 0 and 9

N Matches any single digit between 2 and 9

$ Matches any number (multiple numbers)

[ ] Matches any digit in the list. For example, if you enter [2,4,6] the ProCurve Secure Router matches only 2, 4, and 6. If you enter [4-6,8] the ProCurve Secure Router matches 4, 5, 6, and 8.
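A matcher for the wildcard characters in Table 8-9, as an added Python example that is not the router's own implementation; it checks called-party numbers against the patterns shown in Table 8-10 and enumerates what a pattern accepts. It assumes that hyphens in a pattern are formatting only, that $ matches zero or more digits, and that a pattern must match the whole number; the function names are hypothetical.

```python
import re

DIGITS = "0123456789"


def _digit_set(body):
    """Turn the inside of [ ] (for example '4-6,8') into a regex class."""
    members = []
    for item in body.split(","):
        item = item.strip()
        if re.fullmatch(r"[0-9]", item):
            members.append(item)                  # single digit
        elif re.fullmatch(r"[0-9]-[0-9]", item) and item[0] <= item[2]:
            members.append(item)                  # ascending range such as 4-6
        else:
            raise ValueError(f"bad list entry {item!r} in [{body}]")
    return "[" + "".join(members) + "]"


def compile_accept_number(pattern):
    """Translate an incoming-accept-number pattern into a compiled regex."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch in DIGITS:
            parts.append(ch)
        elif ch == "X":
            parts.append("[0-9]")                 # any single digit 0-9
        elif ch == "N":
            parts.append("[2-9]")                 # any single digit 2-9
        elif ch == "$":
            parts.append("[0-9]*")                # assumption: zero or more digits
        elif ch == "-":
            pass                                  # assumption: formatting only
        elif ch == "[":
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError("unterminated [ in pattern")
            parts.append(_digit_set(pattern[i + 1:end]))
            i = end
        else:
            raise ValueError(f"unsupported character {ch!r} in pattern")
        i += 1
    return re.compile("".join(parts))


def accepts(pattern, called_number):
    """True if the called-party number matches the pattern as a whole."""
    digits = called_number.replace("-", "").replace(" ", "")
    return compile_accept_number(pattern).fullmatch(digits) is not None


def matching_numbers(pattern, low, high):
    """Every number in [low, high] that the pattern would accept."""
    regex = compile_accept_number(pattern)
    return [n for n in range(low, high + 1) if regex.fullmatch(str(n))]


if __name__ == "__main__":
    # Patterns from Table 8-10 checked against constructed numbers.
    print(accepts("916$", "9165551212"))          # area-code pattern
    print(accepts("555-111[1,2]", "555-1113"))    # not one of the two numbers
    hits = matching_numbers("555-[1,2]XXX", 5550000, 5559999)
    print(len(hits), hits[0], hits[-1])
```

Under the rules in Table 8-9, 555-[1,2]XXX accepts 555-1000 through 555-2999, so enumerate what a pattern admits before relying on it to restrict incoming calls.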


Table 8-10. Examples of Using Wildcard Characters to Specify incoming-accept-number

Using wildcard characters is especially useful if your company uses ISDN hunt groups and all the ISDN interfaces are assigned to the same ISDN group. ISDN hunt groups bundle multiple ISDN interfaces with unique LDNs together into a single group at the public carrier’s CO. When the public carrier’s CO receives a call to any of the LDNs assigned to the ISDN interfaces in the hunt group, the public carrier’s switch sends the call to the first available ISDN interface. The ISDN group, therefore, must be able to accept calls to multiple LDNs. You can use wildcard characters to create a single entry that matches several numbers.

If the number for the BRI interface that is trying to establish a call does not match the incoming-accept-number, the call will be rejected.

Configuring a Static Route for the Demand Interface

As explained earlier, the demand interface spoofs an up status, allowing you to create static routes to the far-end network connected through the dial-up interface. To configure a static route to a far-end network, you must enter the following information:

■ destination address and subnet mask

■ next-hop address or forwarding interface

By default, the administrative distance for a static route is 1 and the metric is 0.

Types of incoming-accept-numbers Pattern

calls for a particular U.S. or Canadian area code 916$

calls for two numbers—such as 555-1111 and 555-1112 555-111[1,2]

calls for a group of numbers—such as the numbers between 555-1000 and 555-2000

555-[1,2]XXX


Note: ProCurve Networking recommends that you use static routes for ISDN connections, rather than a dynamic routing protocol. Because routing protocols regularly exchange updates, these updates frequently initiate the ISDN connection, resulting in higher cost for your company’s ISDN line. (If you want to send routing updates over the ISDN link, you can configure the ACL that defines interesting traffic so that it does not include routing updates. You can then apply an ACL or ACP to the demand interface to allow the routing updates if the ISDN connection is already established. For more information, see “Applying an ACP or Another ACL to the Demand Interface” on page 8-27.)

You can view the type of information the ProCurve Secure Router stores in its routing table by entering the following command from the enable mode context:

ProCurve# show ip route

Figure 8-12 shows the type of information that is displayed.

ProCurve# show ip route
C 10.2.2.0/30 is directly connected, ppp 1
C 10.3.3.0/30 is directly connected, demand 1
C 192.168.20.0/24 is directly connected, eth 0/1
S 192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1
S 192.168.7.0/24 [1/0] via 0.0.0.0, demand 1

Figure 8-12. Routing Table with Static Routes

To configure a static route, enter the following command from the global configuration mode context:

Syntax: ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>

Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0. Next, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length (such as /24). Then, specify the forwarding interface as demand <number>. To configure a route to network 192.168.7.0 /24 through demand interface 1, enter:

ProCurve(config)# ip route 192.168.7.0 /24 demand 1


For more information about configuring static routes, see “Static Routing” on page 11-9 of Chapter 11: IP Routing—Configuring Static Routes.

After you have configured the static route, you should test your configuration to ensure that the ISDN connection is triggered by the appropriate traffic. (For example, you can use the extended ping command to simulate a packet that matches the criteria for interesting traffic.) If the ISDN connection is not established successfully, you should check your configuration. Enter show running-config from the enable mode context and look for any obvious configuration errors. If you do not immediately find a problem, see “Troubleshooting Demand Routing” on page 8-68.

Example of a Successful Demand Interface Call

Figure 8-13 shows the successful establishment of an ISDN connection using the demand interface.


Figure 8-13. Successful Demand Interface Call Setup

When a packet is received on the router, it goes through several processes before it is finally forwarded across a WAN connection. If fast caching is enabled, the router takes a moment to check the fast-cache table. In this example, all traffic to the 192.168.1.0 network has a fast-cache route through the demand 1 interface. The router matches the incoming packet with this route and forwards it to the demand interface. (If the packet did not match an entry in the fast-cache table, the router would match it to a route in its standard routing table.)

[Figure 8-13 is a flowchart. Its recoverable labels, in the order the surrounding text describes them: Router receives a packet to 192.168.1.29; Fast-cache Table: 192.168.1.0/24 demand 1; Demand Interface; ACL Match? (permit ip any 192.168.2.0 0.0.0.255, permit ip any 192.168.1.0 0.0.0.255; No: Drop packet); Resource Available? (Resource Pool Pool 1: ISDN group 1, bri 2/1, bri 2/2); connect-order? sequential; connect-sequence 2 dial-string 10997161683 forced-ISDN-64k; connect-sequence 4 dial-string 10995555683 forced-ISDN-64k; Allowed? connect-sequence 2 (Yes: int bri 2/1); connect-mode either; Successfully Place Call and Establish Connection.]


After the packet has been sent to the demand interface, the router checks the fields in the packet’s IP header (such as source and destination address) against the match-interesting list ACL. If the packet does not match the list, the router drops it. If the packet does match, the demand interface checks its resource pools.

The demand interface searches for the first available interface in its resource pool. In this example, the first resource in resource pool Pool1 is ISDN group 1. Within the ISDN group, the first interface is BRI 2/1. If the BRI 2/1 interface is available, the demand interface begins checking its connect sequences for one that matches with the BRI interface resource.

If a connect sequence is found that permits the demand interface to use the BRI resource interface, the demand interface next checks the connect mode configuration.

If the connect mode is set to the originate or either options, the demand interface places a call through the BRI resource interface. If the call connects, the demand interface can then forward the packet through the BRI interface toward its destination.

MLPPP: Increasing Bandwidth

If you are configuring demand routing for a primary BRI interface, you can aggregate multiple B channels to increase bandwidth. Specifically, you use multilink PPP (MLPPP) to aggregate the multiple channels. To configure MLPPP for BRI interfaces, you must:

1. Enable MLPPP for incoming calls.

2. Enable MLPPP for the demand interface that is managing the BRI interfaces that you want to aggregate.

3. Configure the minimum and maximum channels for the ISDN group.

Configuring MLPPP for Incoming Calls

To enable the negotiation of MLPPP for incoming calls, enter the following command from the global configuration mode context:

ProCurve(config)# data-call multilink

To disable MLPPP for incoming calls, enter:

ProCurve(config)# no data-call multilink

By default, MLPPP is disabled for incoming calls.


Configuring MLPPP for Demand Interfaces

To enable MLPPP, enter the following command from the demand interface configuration mode context:

ProCurve(config-demand 1)# ppp multilink

By default, MLPPP is not enabled.

Configuring the Maximum Number of Interfaces. You can configure the maximum number of interfaces that the demand interface can aggregate for an MLPPP connection. From the demand interface configuration mode context, enter:

Syntax: ppp multilink maximum <interfaces>

Replace <interfaces> with a number between 1 and 8. If MLPPP is enabled for the demand interface, the default value for the maximum number of interfaces is 8.

Note: The ppp multilink maximum command does not affect the number of links used when an interface answers a call, only when it originates a call.

Configuring the MLPPP Interleave. If you configure quality of service (QoS) for the dial-up connections established through the demand interface, you may also want to enable MLPPP interleave. Certain types of high-priority packets may be adversely affected if they are transmitted over an MLPPP connection. If interleave is enabled, the demand interface handles high-priority packets differently. When the demand interface receives a high-priority packet, it encapsulates the packet as PPP (rather than MLPPP) and sends it on the next available link.

To enable MLPPP interleave, enter:

ProCurve(config-demand 1)# ppp multilink interleave

Note: If the MTU for the demand interface is lower than the size of the high-priority packet, the demand interface will drop the packet.


Configuring MLPPP Fragmentation. When a packet is to be transmitted across an MLPPP connection, the demand interface divides the packet into fragments of equal length. If possible, the number of fragments equals the number of active links in the MLPPP connection, and the fragments are transmitted simultaneously, one over each link. Fragmentation may also be controlled by the MTU setting of the demand routing interface.

To enable fragmentation for MLPPP, enter the following command from the demand interface configuration mode context:

ProCurve(config-demand 1)# ppp multilink fragmentation

Configuring the Minimum and Maximum Channels. When you configure MLPPP for primary BRI interfaces, you must configure the minimum and maximum number of B channels that can be aggregated into a single MLPPP connection. Aggregated channels belong to BRI interfaces that are in the same ISDN group, so you specify the minimum and maximum numbers from an ISDN group configuration mode context. Enter:

Syntax: min-channels <number>
Syntax: max-channels <number>

Although the range for <number> is between 1 and 255, the actual number of channels you can enter is limited by the number of BRI interfaces assigned to the ISDN group. For example, if the ISDN group includes two BRI interfaces, the highest number of channels that can be used is 4 (two channels from each interface).

Example of MLPPP with Demand Routing

Figure 8-14 shows an example configuration of MLPPP configured for a demand interface.

interface bri 2/1
 isdn ldn1 968483940096
 no shutdown
!
interface bri 2/2
 isdn ldn1 978484540055
 no shutdown
!
interface demand 1
 idle-timeout 240
 resource pool Pool
 match-interesting list Call out
 match-interesting reverse list Call in
 connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
 connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
 connect-sequence interface-recovery retry-interval 120 max-retries 0
 ip address 10.1.1.1 255.255.255.0
 ppp multilink
 ppp multilink maximum 2
 no shutdown
!
isdn-group 1
 min-channels 4
 max-channels 4
 resource pool-member Pool
 connect bri 2/1
 connect bri 2/2
!
ip access-list extended Call
 permit ip any 192.168.2.0 0.0.0.255
!
ip route 192.168.2.0 255.255.255.0 demand 1

Callouts in the figure: MLPPP enabled; channels.

Figure 8-14. MLPPP Configuration for Demand Routing

Configuring PPP Authentication for an ISDN Connection

If you want to ensure that only authorized peers establish a PPP connection with the demand interfaces on the ProCurve Secure Router, you can configure PPP authentication. The ProCurve Secure Router supports Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) for PPP authentication.

Note: To protect your WAN, ProCurve Networking strongly recommends that you enable PPP authentication for the ISDN connection.


Enabling PPP Authentication for All Demand Interfaces

You must configure the PPP authentication protocol that the router uses for inbound calls. To configure the authentication protocol that the demand interfaces expect to receive for inbound calls, enter the following command from the global configuration mode context:

Syntax: data-call authentication protocol [chap | pap]

Include either the chap option or the pap option, depending on which PPP authentication protocol you want to use to authenticate peers.

You should also specify which authentication protocol the demand interfaces send to authenticate themselves to a peer when answering a call. From the global configuration mode context, enter:

ProCurve(config)# data-call sent authentication protocol [chap | pap]

By default, no authentication protocol is specified for demand interfaces.

Disabling the Authentication Protocol. To disable the global setting for the PPP authentication protocol that is used for demand routing interfaces, enter:

ProCurve(config)# no data-call authentication protocol
ProCurve(config)# no data-call sent authentication protocol

Configuring PAP Authentication for a Demand Interface

If you want to use PAP as the authentication protocol, you must configure the username and password that the ProCurve Secure Router sends when the far-end router requests authentication information from a demand interface. From the demand interface configuration mode context, enter:

Syntax: ppp pap sent-username <username> password <password>

Configuring CHAP Authentication for a Demand Interface

If you want to use CHAP, you must configure the password that the ProCurve Secure Router sends when the far-end router requests authentication information from a demand interface. From the demand interface configuration mode context, enter:

Syntax: ppp chap password <password>


When you replace <password>, ensure that you are using the same settings that are configured on the far-end router.

The username that is sent is the hostname of the router. If necessary, you can override this username with this demand interface configuration command:

Syntax: ppp chap hostname <hostname>

Configuring the Username and Password That the Router Expects to Receive

You must also configure the username and password that the ProCurve Secure Router expects to receive from the far-end router. From the demand interface configuration mode context, enter:

Syntax: username <username> password <password>

For example, you might enter:

ProCurve(config-demand 1)# username SiteB password procurve

For CHAP, the username should be the hostname of the peer.
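The authentication settings described in this section can be checked against a saved running-config. The script below is an added example, not ProCurve code: it flags demand interfaces with no ppp authentication line, use of PAP (which sends the password across the link in cleartext, where CHAP does not), authentication enabled without the credentials expected from the peer, and a password equal to its username. Both configurations are constructed (the first reuses the PAP lines of the page's Figure 8-15), and the ppp authentication chap form is an assumption made by analogy with the page's ppp authentication pap.

```python
import re

# Constructed sample. "demand 1" reuses the PAP lines of the page's Figure 8-15;
# "demand 2" is a hypothetical interface left without authentication.
WEAK_CONFIG = """\
data-call authentication protocol pap
data-call sent authentication protocol pap
!
interface demand 1
 ip address 10.1.1.1 255.255.255.0
 ppp authentication pap
 username procurve password procurve
 ppp pap sent-username procurve password procurve
 no shutdown
!
interface demand 2
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
"""

# Constructed corrected version: CHAP in both directions and distinct secrets.
# ASSUMPTION: "ppp authentication chap" exists by analogy with "ppp authentication pap".
HARDENED_CONFIG = """\
data-call authentication protocol chap
data-call sent authentication protocol chap
!
interface demand 1
 ip address 10.1.1.1 255.255.255.0
 ppp authentication chap
 username SiteB password constructed-peer-secret
 ppp chap password constructed-local-secret
 no shutdown
!
"""


def parse_config(config):
    """Return (global lines, {demand interface number: [its indented lines]})."""
    global_lines, demand, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # "!" closes the current section
        elif raw[0].isspace():
            if current is not None:             # indented line inside a demand interface
                current.append(line)
        else:
            match = re.fullmatch(r"interface demand (\d+)", line)
            current = demand.setdefault(int(match.group(1)), []) if match else None
            if match is None:
                global_lines.append(line)
    return global_lines, demand


def first_match(pattern, lines):
    """Return group 1 of the first line that fully matches pattern, else None."""
    for line in lines:
        match = re.fullmatch(pattern, line)
        if match:
            return match.group(1)
    return None


def audit(config):
    """Return a sorted list of (scope, finding) tuples; an empty list means no findings."""
    global_lines, demand = parse_config(config)
    findings = set()
    inbound = first_match(r"data-call authentication protocol (chap|pap)", global_lines)
    sent = first_match(r"data-call sent authentication protocol (chap|pap)", global_lines)
    if inbound is None:
        findings.add(("global", "no-inbound-protocol"))
    if sent is None:
        findings.add(("global", "no-sent-protocol"))
    if "pap" in (inbound, sent):
        findings.add(("global", "pap-cleartext"))   # PAP sends the password in cleartext
    for number, lines in demand.items():
        scope = "demand %d" % number
        protocol = first_match(r"ppp authentication (chap|pap)", lines)
        if protocol is None:
            findings.add((scope, "no-ppp-authentication"))
        elif protocol == "pap":
            findings.add((scope, "pap-cleartext"))
        creds = [re.fullmatch(r"(ppp pap sent-)?username (\S+) password (\S+)", l)
                 for l in lines]
        creds = [m for m in creds if m]
        # The credentials expected from the peer are the plain "username" lines.
        if protocol and not any(m.group(1) is None for m in creds):
            findings.add((scope, "no-peer-credentials"))
        if any(m.group(2) == m.group(3) for m in creds):
            findings.add((scope, "password-equals-username"))
    return sorted(findings)


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(config) or "no findings")
```
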

Configuring Peer IP Address

You can also configure the IP address of the PPP peer for the dial-up WAN connection. From the demand interface configuration mode context, enter:

Syntax: peer default ip address <A.B.C.D>

Replace <A.B.C.D> with the IP address of the far-end router.

Example of Demand Routing with PAP Authentication

Figure 8-15 shows a demand routing configuration that uses PAP authentication. The data-call commands enable PAP authentication for all demand interfaces configured on the router. The ppp authentication pap command enables PAP for the demand interface. The username command establishes the username and password that the PPP peer will submit to the ProCurve Secure Router. The ppp pap sent command configures the username and password that the ProCurve Secure Router will send its peer.

data-call authentication protocol pap
data-call sent authentication protocol pap
!
interface bri 2/1
 isdn ldn1 968483940096
 no shutdown
!
interface bri 2/2
 isdn ldn1 978484540055
 no shutdown
!
interface demand 1
 idle-timeout 240
 resource pool Pool
 match-interesting list Call out
 match-interesting reverse list Call in
 connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
 connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
 connect-sequence interface-recovery retry-interval 120 max-retries 0
 ip address 10.1.1.1 255.255.255.0
 ppp authentication pap
 ppp multilink
 ppp multilink maximum 2
 username procurve password procurve
 ppp pap sent-username procurve password procurve
 no shutdown
!
!
isdn-group 1
 min-channels 4
 max-channels 4
 resource pool-member Pool
 connect bri 2/1
 connect bri 2/2
!
ip access-list extended Call
 permit ip any 192.168.2.0 0.0.0.255
!
ip route 192.168.2.0 255.255.255.0 demand 1

Callouts in the figure:

■ data-call commands to enable PAP authentication

■ PAP configured for this demand interface

■ username and password that the demand interface expects to receive from its PPP peer

■ username and password that the demand interface sends to its PPP peer

Figure 8-15. Using PAP Authentication with Demand Routing

Setting the MTU for Demand Interfaces

When establishing a link, PPP peers must agree on how much data can be contained in the information field of PPP frames. The value that communicates this frame size is called the maximum receive unit (MRU). To increase or decrease the value of the MRU, a PPP peer sets the MRU configuration option in the Link Control Protocol (LCP). (LCP is one of the protocols in the PPP suite. LCP is used to establish and control the PPP connection.)

To control the MRU that is negotiated between the two PPP peers, you configure the maximum transmission unit (MTU), which defines the largest size for a frame that the router can send over the connection. By default, demand interfaces (which use PPP) have an MTU of 1500 bytes. If a frame exceeds the MTU, it must be fragmented.

To successfully negotiate a PPP session, the two peers should be using the same MTU.

To configure the MTU for all PPP connections used with demand routing, enter:

ProCurve(config)# data-call mtu <number>

Replace <number> with a value between 64 and 1520.

To disable this setting for interfaces used with demand routing, enter:

ProCurve(config)# no data-call mtu

Configuring an ISDN Template

Some companies may want to use an ISDN template to encode the caller-number and called-number for inbound and outbound calls. This template allows you to configure the prefix and call type globally.

Note: Entering this command is optional; an ISDN template is not required for demand routing.

To create an ISDN template, enter the following command from the global configuration mode context:

Syntax: isdn-number-template <template id> prefix <prefix> [abbreviated | international | national | network-specific | subscriber | unknown] <pattern>

Replace <template id> with a number between 1 and 255.

Replace <prefix> with the expected prefix for the call type. If you do not want to specify a prefix, leave this option blank by entering double quotation marks (“”). Do not enter a space between the quotation marks. If you want to specify a prefix, you can enter unlimited-length strings of 0s and 1s. For example, for international calls made from within the United States, you might enter a prefix of 011.

Specify a call type by entering one of the options listed in Table 8-11.

Table 8-11. Options for Call Type

| Call Type | Explanation |
| --- | --- |
| abbreviated | Specifies abbreviated (bits 110) in the Type of Number octet. This option is used primarily for private ISDN network applications, and the implementation is network-dependent. |
| international | Specifies international (bits 001) in the Type of Number octet. This option is used for calls destined outside the national calling area. |
| national | Specifies national (bits 010) in the Type of Number octet. This option is used for calls inside the national calling area. That is, the calls do not cross an international local access and transport area (LATA). |
| network-specific | Specifies network-specific (bits 011) in the Type of Number octet. This option is used for calls that require special access to a private network. Because the prefix must be stripped off once access to the network has been gained, the dialing prefix is removed. |
| subscriber | Specifies Subscriber (bits 100) in the Type of Number octet. This option is used for intra-LATA calls (local calls). By default, the area code is removed for these calls. |
| unknown | Specifies Unknown (bits 000) in the Type of Number octet. This option is used if the actual types of the number are not known. Unknown numbers are assumed to have no prefix, and the entire dialed number is used. |

Use the options in Table 8-12 to specify a <pattern> for the call type.

Table 8-12. Characters for Call Patterns

| Valid Characters | Explanation |
| --- | --- |
| 0-9 | Match exact digit only |
| X | Match any single digit between 0 and 9 |
| N | Match any single digit between 2 and 9 |
| M | Match any single digit between 1 and 8 |
| $ | Match any number |
| [ ] | Match any digit in the list. For example, if you enter [1,4,6] the ProCurve Secure Router matches only 1, 4, and 6. If you enter [1-3,5] the ProCurve Secure Router matches 1, 2, 3, and 5. |

For example, if you want to create a pattern for U.S. local calls, you would enter NXX-XXXX. The N wildcard specifies that the first number can be between 2 and 9. Each X can be any number between 0 and 9.

Other examples of using wildcard characters are listed in Table 8-13.

Table 8-13. Using Characters for Call Pattern

| Incoming Numbers That Should Be Accepted | Pattern |
| --- | --- |
| calls from one U.S. or Canadian area to another | NXX-NXX-XXXX |
| calls from one country to another | N$ |
| calls for a particular U.S. or Canadian area code | 916$ |
| calls for two numbers—such as 555-1111 and 555-1112 | 555-111[1,2] |
| calls for a group of numbers—such as the numbers between 555-1000 and 555-2000 | 555-[1,2]XXX |

Using Call Types and Patterns

Call types and patterns are interdependent, as explained below:

International. If you specify the international call type, the prefix is removed. For example, an international call from within the United States consists of 011-N$. The international prefix is 011, and N$ represents the digits necessary for routing the call at the destination. You would enter:

ProCurve(config)# isdn-number-template 1 prefix 011 international N$


When the called party information element (IE) is created for this call, the router removes the prefix and places the N$ digits in the Number Digits field.

National. For national calls, the dialing prefix is removed. For example, a call from one U.S. LATA to another uses the format 1-NXX-NXX-XXXX. The U.S. prefix is 1, and NXX-NXX-XXXX represents the 10-digit number necessary for routing the call. When the router creates the called party IE for this call, it removes the prefix and places the NXX-NXX-XXXX digits in the Number Digits field.

Network-Specific. If you specify the network-specific call type, the ProCurve Secure Router removes the prefix for the call when it prepares the called party IE. For example, if the router is making a call to 700-N$, the dialing prefix is 700 and N$ represents the digits necessary for routing the call at the destination. The ProCurve Secure Router removes the prefix and places the N$ in the Number Digits field.

Subscriber. The ProCurve Secure Router also removes the prefix if you specify the subscriber call. For example, if the router is making a call to 916-555-1212, it would remove the 916 prefix and place 555-1212 in the Number Digits field. For areas with mandatory 10-digit dialing, you should enter a blank prefix to ensure that all ten digits are passed to the Number Digits field.

Default ISDN Template

By default, there is one isdn-number-template entry:

isdn-number-template 0 prefix “” subscriber 911

This entry allows you to make emergency calls within the United States.
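Because incoming-accept-number decides which calls the ISDN group answers, it is worth checking exactly which numbers a wildcard pattern admits. The following Python is an added example, not ProCurve code: it translates the wildcards of Tables 8-9 and 8-12 into regular expressions, tests called numbers against an accept pattern, and applies isdn-number-template entries to show the Type of Number bits and Number Digits that result. Assumptions: hyphens are visual separators, $ means zero or more digits, and the first template whose prefix and pattern both match is used; templates 2 and 3 are constructed from the page's descriptions.

```python
import re

# Type of Number bits for each call type, copied from the page's Table 8-11.
TYPE_OF_NUMBER = {
    "abbreviated": "110", "international": "001", "national": "010",
    "network-specific": "011", "subscriber": "100", "unknown": "000",
}
# Wildcards from Tables 8-9 and 8-12. ASSUMPTION: "$" means zero or more digits.
WILDCARDS = {"X": "[0-9]", "N": "[2-9]", "M": "[1-8]", "$": "[0-9]*"}


def digits_only(number):
    """Drop the hyphens that the page uses as visual separators (assumption)."""
    return number.replace("-", "")


def pattern_to_regex(pattern, allow_m=True):
    """Translate a number pattern into a compiled regex over bare digits."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "[":                       # list such as [2,4,6] or [4-6,8]
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError("unterminated [ ] list in %r" % pattern)
            members = []
            for item in pattern[i + 1:end].split(","):
                item = item.strip()
                if not re.fullmatch(r"[0-9](-[0-9])?", item) or item[0] > item[-1]:
                    raise ValueError("bad list item %r in %r" % (item, pattern))
                members.append(item)
            out.append("[" + "".join(members) + "]")
            i = end + 1
            continue
        if ch in "0123456789":
            out.append(ch)
        elif ch in WILDCARDS and (ch != "M" or allow_m):
            out.append(WILDCARDS[ch])
        elif ch != "-":                     # a hyphen outside a list is a separator
            raise ValueError("unsupported character %r in %r" % (ch, pattern))
        i += 1
    return re.compile("".join(out))


def accepts(accept_pattern, called_number):
    """incoming-accept-number check: does the called party number match?"""
    regex = pattern_to_regex(accept_pattern, allow_m=False)  # Table 8-9 lists no M
    return regex.fullmatch(digits_only(called_number)) is not None


def parse_template(line):
    """Parse 'isdn-number-template <id> prefix <prefix> <call type> <pattern>'."""
    m = re.fullmatch(r"isdn-number-template (\d+) prefix (\S+) (\S+) (\S+)", line.strip())
    if not m or m.group(3) not in TYPE_OF_NUMBER:
        raise ValueError("not a valid template: %r" % line)
    prefix = m.group(2).strip('"\u201c\u201d')  # "" (straight or curly) = blank prefix
    return prefix, m.group(3), m.group(4)


def encode_called_party(templates, dialed):
    """Return (Type of Number bits, Number Digits), or None if no template matches.

    ASSUMPTION: the first template whose prefix and pattern both match is used;
    the page does not describe the router's selection order.
    """
    digits = digits_only(dialed)
    for prefix, call_type, pattern in templates:
        rest = digits[len(prefix):]
        if digits.startswith(prefix) and pattern_to_regex(pattern).fullmatch(rest):
            return TYPE_OF_NUMBER[call_type], rest
    return None


# Templates 0 and 1 appear on the page; 2 and 3 are constructed from the page's
# national and subscriber descriptions.
TEMPLATES = [parse_template(t) for t in (
    'isdn-number-template 0 prefix "" subscriber 911',
    "isdn-number-template 1 prefix 011 international N$",
    "isdn-number-template 2 prefix 1 national NXX-NXX-XXXX",
    "isdn-number-template 3 prefix 916 subscriber NXX-XXXX",
)]

if __name__ == "__main__":
    for number in ("555-1000", "555-2000", "555-2999", "555-3000"):
        print(number, accepts("555-[1,2]XXX", number))
    for dialed in ("911", "011-44-20-7946-0000", "1-916-555-1212", "916-555-1212"):
        print(dialed, encode_called_party(TEMPLATES, dialed))
```

Run against the page's 555-[1,2]XXX pattern, it shows that the pattern admits 555-2001 through 555-2999 as well as 555-1000 through 555-2000, so a wildcard entry can accept more numbers than the range it was written for.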


Viewing Information about Demand Routing

You can use show commands to view different aspects of your demand routing configuration. For example, you can view the status of a demand interface and any dial-up connections that are established through a demand interface. Table 8-14 lists the show commands for demand routing.

Table 8-14. show Commands for Demand Routing

| Command | Description |
| --- | --- |
| show interface demand <number> | displays the status of the demand interface |
| show demand interface demand <number> | displays a summary of information about the demand interface, including the timers, state, physical interface in use (if connection is up), last outgoing call, and last incoming call |
| show interface <dial-up interface> <slot>/<port> | displays status of physical interface |
| show demand sessions | displays information about existing dial-up connections established through demand routing |
| show demand resource pool <pool name> | lists the resources assigned to the resource pool and the demand interface associated with the resource pool |
| show running-config | displays the current configuration |
| show running-config interface demand <number> | displays the current configuration for a demand interface |

Viewing the Status of the Demand Interface

To view the status of the demand interface, enter the following command from the enable mode context:

Syntax: show interfaces demand <number>

For example, to view the status of demand interface 1, enter:

ProCurve# show interfaces demand 1

Figure 8-16 shows the results of this command if demand interface 1 is spoofing its up status and a dial-up connection has not been established. In addition to showing the status of the interface, this command displays settings for the following commands:

■ connect-mode

■ resource pool

■ connect-sequence

■ idle-timeout

■ fast-idle

■ ip address

Demand 1 is UP (Spoofing)
 Configuration:
 Keep-alive is set (10 sec.)
 Admin MTU = 1500
 Mode: Either, 1 dial entries, idleTime = 120, fastIdle = 20
 Resource pool Pool
 No authentication configured
 IP address 10.10.10.1 255.255.255.252
 Recovery enabled, interval = 60, max-retries = 5
 Connect Sequence: Successes = 1, Failures = 0
 Seq DialString Technology Successes Busys NoAnswers NoAuths InUse
 1 9634444 IsdnForced 1 0 0 0
 Current values:
 Local IP address 10.10.10.1, Peer IP address 0.0.0.0
 Queueing method: weighted fair
 Output queue: 0/1/428/64/0 (size/highest/max total/threshold/drops)
 Conversations 0/1/256 (active/max active/max total)
 Available Bandwidth 48 kilobits/sec
 Bandwidth=64 Kbps

Callouts in the figure:

■ Demand interface is spoofing its up status; a dial-up connection is not actually established

■ Information configured in the connect sequence: dial-string (the number the interface will call) and technology

■ Resource pool

■ connect-mode, idle time, and fast idle

Figure 8-16. Viewing the Status of the Demand Interface When a Dial-Up Connection Has Not Been Established

If a connection has been established through the demand interface, the show interfaces demand 1 command shows:

■ the number of seconds until the ISDN connection is terminated

■ the number of frames in and out

■ the traffic that triggered the connection (the interesting traffic)

■ the amount of time the connection has been up

■ the BRI interface and channel through which the connection was established

Figure 8-17 provides the results of the show interfaces demand 1 command when an ISDN connection has been established.

Figure 8-17. Viewing the Status of the Demand Interface When an ISDN Connection Is Established

Viewing a Summary of Information about the Demand InterfaceTo view a summary of information about the demand interface, enter:

Syntax: show demand interfaces demand <number>

This command displays:

■ settings for the idle-timeout and fast-idle

■ state of the dial-up connection

■ traffic that triggered the dial-up connection

■ time until disconnect

■ last incoming and outgoing call

Demand 1 is UP (connected)
Configuration:
Keep-alive is set (10 sec.)
Admin MTU = 1500
Mode: Either, 1 dial entries, idleTime = 120, fastIdle = 20
Resource pool Pool1
No authentication configured
IP address 10.1.1.1 255.255.255.252
Recovery enabled, interval = 120
Connect Sequence: Successes = 1, Failures = 0
Seq  DialString  Technology  Successes  Busys  NoAnswers  NoAuths  InUse
1    9631111     ISDNForced  1          0      0          0        YES
Current values:
Local IP address 10.1.1.1, Peer IP address 10.2.2.2
Seconds until disconnect: 36
Interesting pkt: ICMP: src=192.168.1.1 dest=192.168.6.1
Queueing method: weighted fair
Output queue: 0/1/428/64/0 (size/highest/max total/threshold/drops)
Conversations 0/1/256 (active/max active/max total)
Available Bandwidth 48 kilobits/sec
Bandwidth=0 Kbps
Link through ISDN Group 1:Ch 0(bri 2/1), Uptime 0:01:40
IN: Octets 1064, Frames 44, Errors 0
OUT: Octets 1063, Frames 44, Errors 0
Last called num 9631111

A dial-up connection has been established

connect sequence in use

Resource pool

connect-mode, idle time, and fast idle

Time until disconnect

Physical dial-up interface used to make the connection; length of time connection has been established

Traffic that triggered connection


As Figure 8-18 shows, this command also lists multiple channels if MLPPP is configured for the ISDN connection.

Figure 8-18. Summary Information for Demand 1 Interface

Viewing the Status of the BRI Interface

To view the status of a BRI interface that is associated with the demand interface, enter:

Syntax: show interface bri <slot>/<port>

Replace <slot> with the slot number in which the backup module is installed, and replace <port> with the appropriate port number.

For example, to view the status of the BRI 2/1 interface, enter:

ProCurve# show interface bri 2/1

This command reports the status of the BRI interface and the status of the line. The status of the BRI interface should always be up, indicating that it is either available to make a connection or it is already maintaining a connection. If the BRI interface is down, you must bring it up, or it will not be able to place or receive any calls.

The line status indicates whether or not the BRI interface has established a connection. If the interface has not established a connection, the line status should be “ready,” as shown in Figure 8-19.

demand 1
Idle timer (120 secs), Fast idle timer (20)
Dialer state is data link layer up
Dial reason: ip (s=192.168.1.23, d=192.168.2.23)
Link thru 1_0(bri 2/1.1) is up
Time until disconnect 106
Last outgoing call
Last incoming call
Link thru 1_1(bri 2/1.2) is up
Time until disconnect 106
Last outgoing call
Last incoming call

Number of active calls = 2

MLPPP is enabled


Figure 8-19. Viewing the Status of a BRI Interface

In addition to displaying status information, the show interfaces bri command lists settings such as the ISDN switch signaling type, LDN, and SPID (if a SPID is configured) so you can use this command to verify that these settings are configured correctly.

If your public carrier requires a SPID, double-check to see if you were assigned one or two SPIDs. When you use both B channels, public carriers using National ISDN and Northern Telecom DMS-100 switching sometimes require you to configure a SPID for each channel.

Figure 8-20 shows the results of entering the show interfaces bri command for a BRI interface that is in use. If the BRI interface is in use, you can view packet statistics and errors for the ISDN connection. (For information about other line status settings, see “Checking the Demand Interface” on page 8-68.)

bri 1/1 is UP
Line status: ready
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: Net3 Euro ISDN
SPID 1 n/a, LDN 1 9631111
SPID 2 n/a, LDN 2 n/a
B1 - Idle B2 - Idle D - Allocated
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame
0 abort, 0 discards, 0 overruns
0 packets output, 0 bytes, 0 underruns

Interface activated but not providing connection

Number at which the local router can be reached


Figure 8-20. Viewing the Status of a BRI Interface That Is in Use

Viewing Demand Sessions

You can view all of the dial-up connections currently established through demand routing. From the enable mode context, enter:

ProCurve# show demand sessions

The sessions are listed in the order in which they were established. (See Figure 8-21.) For each session, this command lists:

■ demand interface through which the connection was established

■ IP address of the demand interface and the far-end router

■ interesting traffic that triggered the connection

■ number of links for each session if MLPPP is enabled

■ BRI interfaces through which the links were established

■ connection time

■ idle-timeout setting

bri 1/2 is UP
Line status: connected
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: Net3 Euro ISDN
SPID 1 n/a, LDN 1 9631111
SPID 2 n/a, LDN 2 n/a
5 minute input rate 112 bits/sec, 0 packets/sec
5 minute output rate 112 bits/sec, 0 packets/sec
155 packets input, 8467 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame
0 abort, 0 discards, 0 overruns
157 packets output, 8408 bytes, 0 underruns


Figure 8-21. Viewing Demand Sessions

Viewing the Resource Pool

You can view which interfaces or ISDN groups have been assigned to a particular resource pool. You can also view which demand interfaces use the pool. (See Figure 8-22.) From the enable mode context, enter:

ProCurve# show demand resource pool <poolname>

Figure 8-22. Viewing a Resource Pool

Show the Running-Config for the Demand Interface

To check your demand routing configuration, you must view the entire running-config file. From the enable mode context, enter:

ProCurve# show running-config

You must then scroll through the file to find the various commands you entered for demand routing.

To view the configuration of just the demand interface, enter:

ProCurve# show running-config interface demand <number>

Session 1
Interface demand 1
Local IP address = 10.1.1.1
Remote IP address = 10.2.2.1
Remote Username =
Dial reason: ip (s=192.168.1.23, d=192.168.2.23)
Link 1
Dialed number =
Resource interface = 1_0(bri 2/1.1), Multilink
Connect time: 0:1:28
Idle Timer: 120
Link 1
Dialed number =
Resource interface = 1_1(bri 2/1.2), Multilink
Connect time: 0:1:28
Idle Timer: 120

Connection is through channel 1 and channel 2 on the BRI 2/1 interface (bri 2/1.1 and bri 2/1.2)

Pool backup
Resources: 1_0, 1_1, bri 1/3
Demand Interfaces: demand 1


Figure 8-23 shows the running-config for a demand interface that is configured to use MLPPP and PPP authentication.

Figure 8-23. Viewing the Running-Config for a Demand Interface

Troubleshooting Demand Routing

After you configure demand routing, you should test your configuration to ensure that it is working correctly. Is the right traffic triggering the connection, and can the BRI interface successfully establish a connection to the far-end router? Are your settings for the idle-timeout and the fast-idle sufficient for your WAN environment?

Checking the Demand Interface

The first step you should take to check your configuration is also the first step you should take to troubleshoot demand routing. You should ensure that the demand interface and its associated BRI interfaces are ready to make a connection.

Use the show interfaces demand command to view the status of the demand interface, which should be up (spoofing). If the demand interface is down, ensure that you have assigned it a valid IP address. If you configured the demand interface as an unnumbered interface, make sure that the interface with the actual IP address is up.

interface demand 1
 idle-timeout 240
 resource pool Pool
 match-interesting list Call out
 match-interesting reverse list Call in
 connect-sequence 1 dial-string 9633333 forced-isdn-64k busyout-threshold 3
 connect-sequence 2 dial-string 9634444 forced-isdn-64k busyout-threshold 3
 connect-sequence interface-recovery retry-interval 120 max-retries 0
 ip address 10.1.1.1 255.255.255.0
 ppp authentication pap
 ppp multilink
 ppp multilink maximum 2
 username procurve password procurve
 ppp pap sent-username procurve password procurve
 no shutdown


If the demand interface went down because it could not establish a connection during the recovery mode, its status will be down (recovery failed). In this case, you must identify the problem causing the failure and then you must clear the connection so that the status of the demand interface returns to up (spoofing). Until then, the demand interface cannot establish an ISDN connection.

To clear the ISDN connection, shut down the demand interface. From the demand interface configuration mode context, enter:

ProCurve(config-demand 1)# shutdown

To re-activate the interface, enter:

ProCurve(config-demand 1)# no shutdown

Checking the BRI Interface

To ensure that the status of the BRI interface is up and the line status is ready, enter the following command from the enable mode context:

ProCurve# show interface bri <slot>/<number>

If the BRI interface is administratively down, enter no shutdown to activate it.

When you activate the BRI interface, it exchanges a series of messages with the ISDN switch at the CO. First, the BRI interface and the switch complete a handshaking process to bring up the Physical Layer. Then the ISDN switch polls the line for terminal equipment identifiers (TEIs), which identify the ISDN line.

The TEI #1 identifies the first B channel, and the TEI #2 identifies the second. The BRI interface sends the LDNs and/or SPIDs configured for the channels (SPID1 for the TEI #1 and SPID2 for the TEI #2). After the switch receives the correct SPIDs or LDNs, the ISDN line goes up.

When you enter the show interfaces bri command, the line status indicates the point at which the handshaking process breaks down. For example, in Figure 8-24 the ISDN switch is attempting to get the BRI interface’s SPID1.


Figure 8-24. Troubleshooting a BRI Interface

Table 8-15 lists the possible designations for the line status and the steps you might take to change the status.

Table 8-15. BRI Line Status

bri 1/2 is DOWN
Line status: getting TEI #1
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: AT&T 5ESS
SPID 1 25655522220101, LDN 1 5552222
SPID 2 n/a, LDN 2 n/a
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1115 packets input, 0 bytes, 0 no buffer
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame
0 abort, 0 discards, 0 overruns
1117 packets output, 0 bytes, 0 underruns

The switch at the CO cannot identify the interface.

Check the SPID and LDN

Status: disconnected
Meaning: The interface is up but has disconnected from the peer. Settings on the demand interface may be preventing the call from connecting. For example, the peer’s caller ID does not match the number specified with the calling-number command.
Next Best Step: This status may indicate that an unauthorized peer tried to connect to your router. If the peer is authorized, however, check the settings on the BRI interface or demand interface and change them as needed to allow the connection. Also, check the configuration on the peer to ensure that its settings allow a connection to this BRI interface.

Status: deactivated
Meaning: The interface may be up or down. The CO has deactivated the interface. The BRI interface may be in the process of communicating with the switch at the CO.
Next Best Step: Check with your service provider.

Status: layer 1 down
Meaning: There is no activity on the ISDN line.
Next Best Step: Check the physical hardware, including the cabling and wall jack.

Status: getting TEI #1
Meaning: The switch cannot identify the BRI interface.
Next Best Step:
• Check for a miskeyed SPID1 and/or LDN.
• Verify that the isdn switch-type setting matches the public carrier’s signaling type.


Miskeyed SPIDs and LDNs are the most common problems. Try reentering the SPID and, if necessary, reloading the router so that the BRI interface will be forced to re-initiate the handshaking process. Or enter maintenance reset to reset the port hardware.

Remember, however, that the wrong configuration for the switch-type can also cause the status to remain at “getting TEI #1” or “getting TEI #2.” The switch-type depends on the type of ISDN signaling the public carrier institutes on the line, which depends on its software, not necessarily on the switch’s manufacturer.

Checking the ACL That Defines the Interesting Traffic

If the demand interface is up, you should ensure that the interesting traffic actually triggers the ISDN connection. Check the routing table to ensure that the demand interface is listed as a directly connected interface and that the route you entered for the far-end network lists the demand interface as the forwarding interface. From the enable mode context, enter:

ProCurve# show ip route

If the route is correct, you can send some traffic to the far-end network to determine if the ACL is triggering ISDN traffic. Even a simple ping command should start the demand routing process (as long as the ping matches the ACL—for example, you may need to use the extended ping commands to set the source address for the ping to a local network address). Before you send the sample traffic, enable debugging for demand routing. From the enable mode context, enter:

ProCurve# debug demand-routing

If you have configured your ACL correctly, debug messages for demand routing should appear immediately. If no messages appear, you may have configured the ACL incorrectly. Double-check the permit statement you configured, and ensure that you applied the ACL to the demand interface. To check this information, enter the show running-config command from the enable mode context.

Table 8-15. BRI Line Status (continued)

Status: getting TEI #2
Meaning: The switch cannot identify the BRI interface (second B channel).
Next Best Step:
• Check for a miskeyed SPID2 and/or LDN.
• If you should not have to enter a second SPID, the interface may be configured for the wrong signaling type.

Status: TEI #2 OK Getting SPID #2
Meaning: The switch is having trouble bringing the interface up.
Next Best Step:
• Try resetting the connection. You may need to reload the router, if possible.


If you can troubleshoot the problem after business hours (when you will not inadvertently interrupt the flow of traffic to other interfaces), you may want to change the ACL to select all traffic from any source to any destination. The ACL should then trigger the ISDN connection. You can then begin to narrow the scope of the ACL to limit the traffic selected.
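Before widening or narrowing the ACL on a live router, you can check offline which packets it would select. The following added example (not from this guide or from the Secure Router OS) evaluates match-interesting list and reverse list logic with wildcard bits in Python; the function names, the first-match and implicit-deny behavior, and the sample packets are assumptions of the sketch, and ports and log options are not handled.

```python
import ipaddress

# Added sketch of interesting-traffic matching; not Secure Router OS code.
ANY = (0, 0xFFFFFFFF)  # wildcard bits all set: every address bit is "don't care"


def take_spec(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D <wildcard bits>' from tokens."""
    if not tokens:
        raise ValueError("address specification missing")
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address specification: %r" % tokens)
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (base, wild), tokens[2:]


def parse_entry(line):
    """Parse '<permit|deny> <protocol> <source> <destination>' (no ports)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0].lower() not in ("permit", "deny"):
        raise ValueError("not an ACL entry: %r" % line)
    src, rest = take_spec(tokens[2:])
    dst, rest = take_spec(rest)
    if rest:
        raise ValueError("ports and log options are outside this sketch: %r" % rest)
    return tokens[0].lower(), tokens[1].lower(), src, dst


def addr_matches(spec, addr):
    """A wildcard bit of 1 ignores that address bit; 0 means it must match."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) ^ base) & care == 0


def acl_permits(entries, proto, src, dst, reverse=False):
    """First matching entry decides (assumed); no match is a deny (assumed)."""
    for action, e_proto, e_src, e_dst in entries:
        if e_proto != "ip" and e_proto != proto.lower():
            continue
        if reverse:
            # Reverse logic: packet source is compared with the entry's
            # destination, packet destination with the entry's source.
            e_src, e_dst = e_dst, e_src
        if addr_matches(e_src, src) and addr_matches(e_dst, dst):
            return action == "permit"
    return False


def is_interesting(entries, statements, direction, proto, src, dst):
    """statements: (mode, direction) pairs taken from match-interesting lines.

    mode is 'list' or 'reverse list'; direction is 'in', 'out' or None.
    With no direction, 'list' uses the ACL as written for outbound traffic
    and its reverse for inbound traffic, as this guide describes.
    """
    for mode, stmt_dir in statements:
        if stmt_dir is None:
            if mode != "list":
                raise ValueError("'reverse list' without a direction is not described")
            reverse = direction == "in"
        elif stmt_dir == direction:
            reverse = mode == "reverse list"
        else:
            continue
        if acl_permits(entries, proto, src, dst, reverse):
            return True
    return False


# ACL entry from the Quick Start example; statements as in Figure 8-23.
CALL_ACL = [parse_entry("permit ip any 192.168.115.0 0.0.0.255")]
FIG_8_23 = [("list", "out"), ("reverse list", "in")]

if __name__ == "__main__":
    # Constructed sample packets: (direction, protocol, source, destination).
    packets = [
        ("out", "icmp", "192.168.1.23", "192.168.115.9"),
        ("in", "icmp", "192.168.115.9", "192.168.1.23"),
        ("out", "icmp", "192.168.1.23", "192.168.116.9"),
    ]
    for direction, proto, src, dst in packets:
        hit = is_interesting(CALL_ACL, FIG_8_23, direction, proto, src, dst)
        print(direction, proto, src, "->", dst, "interesting" if hit else "ignored")
```

Applying the same ACL with list logic to inbound traffic does not match replies from the far-end network, which is why the inbound statement uses reverse list.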

Troubleshooting the ISDN Connection

If the interesting traffic triggers the ISDN connection, the ProCurve Secure Router will find the appropriate connect-sequence command to process (based on your configuration) and try to establish a connection. If the router is unable to establish this connection, you will need to monitor the call setup.

The Secure Router OS provides a number of ISDN debug commands, which are listed in Table 8-16.

Table 8-16. debug Commands for ISDN

Note: Debug functions are processor intensive. The debug isdn commands in particular display a high volume of messages to the CLI.

Some of the debug isdn commands display numerous messages, which are displayed too quickly to read. You will probably need to stop the messages and review them to determine the problem. For example, Figure 8-25 shows a small portion of the debug messages displayed as a call connects.

Command                       Description
debug isdn cc-ie              displays information about the ISDN call control
debug isdn cc-messages        displays call control messages
debug isdn endpoint           displays events related to ISDN endpoints
debug isdn events             displays information about ISDN events
debug isdn group              displays errors and messages related to ISDN groups
debug isdn interface          displays ISDN interface events
debug isdn l2-formatted       displays Layer 2 formatted messages
debug isdn l2-messages        displays Layer 2 messages
debug isdn resource-manager   displays resource manager errors and messages
debug isdn verbose            displays all errors and messages


Figure 8-25. Viewing ISDN debug Messages

Test Calls

You can also set up a test call to test the ISDN circuit. When you initiate a test call, you connect the two endpoints through an ISDN call without setting up a Data Link Layer connection; test calls only connect at the Physical Layer. When you initiate a test call, the ProCurve Secure Router assigns the BRI interface to ISDN group 0 for the duration of the call.

2005.10.08 11:23:09 L2_MSG BRI 2/1 Recd = 02 FF 03 08 01 01 05 A1 04 02 88 90 18 01 89 6C
2005.10.08 11:23:09 L2_MSG BRI 2/1 0C 21 80 30 30 30 39 36 33 31 31 31 31 70 08 C1
2005.10.08 11:23:09 L2_MSG BRI 2/1 39 36 33 33 33 33 33
2005.10.08 11:23:09 L2_FMT BRI 2/1 =============================================
2005.10.08 11:23:09 L2_FMT BRI 2/1 Recd = Sapi:00 C/R:C Tei:7F
2005.10.08 11:23:09 L2_FMT BRI 2/1 Ctl:UI
2005.10.08 11:23:09 L2_FMT BRI 2/1 Prot:08 CRL:1 CRV:0001
2005.10.08 11:23:09 L2_FMT BRI 2/1 M - 05 SETUP
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - A1 SENDING COMPLETE Len=0
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 04 BEARER CAPABILITY Len=2
2005.10.08 11:23:09 L2_FMT BRI 2/1 88 Xfer Cap.:UNRESTRICTED DIG.
2005.10.08 11:23:09 L2_FMT BRI 2/1 90 Xfer Rate:64k
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 18 CHANNEL ID Len=1
2005.10.08 11:23:09 L2_FMT BRI 2/1 89 Basic Rate
2005.10.08 11:23:09 L2_FMT BRI 2/1 Intfc ID:IMPLICIT
2005.10.08 11:23:09 L2_FMT BRI 2/1 Pref/Excl:EXCLUSIVE
2005.10.08 11:23:09 L2_FMT BRI 2/1 D-Chan Indicated:NO
2005.10.08 11:23:09 L2_FMT BRI 2/1 Chan. Sel:B1
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 6C CALLING PARTY # Len=12
2005.10.08 11:23:09 L2_FMT BRI 2/1 21 Numb. Type:NATIONAL
2005.10.08 11:23:09 L2_FMT BRI 2/1 Numb. Plan:ISDN/Telephony
2005.10.08 11:23:09 L2_FMT BRI 2/1 80 Presentation:ALLOWED
2005.10.08 11:23:09 L2_FMT BRI 2/1 Ph.# 0009631111
2005.10.08 11:23:09 L2_FMT BRI 2/1 IE - 70 CALLED PARTY # Len=8
2005.10.08 11:23:09 L2_FMT BRI 2/1 C1 Numb. Type:SUBSCRIBER
2005.10.08 11:23:09 L2_FMT BRI 2/1 Numb. Plan:ISDN/Telephony
2005.10.08 11:23:09 L2_FMT BRI 2/1 Ph.# 9633333
2005.10.08 11:23:09 CC_MSG BRI 2/1 CC>>Host: 01 000b SETUP_IND
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 04 04 80 88 80 90
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 18 04 80 81 80 81
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 6C 0E 82 81 80 80 30 30 30 39 36 33 31 31 31 31
2005.10.08 11:23:09 CC_IE BRI 2/1 ie: 00 70 09 84 81 39 36 33 33 33 33 33
2005.10.08 11:23:09 EP BRI 2/1 Incoming call :'9633333' from '0009631111'.
2005.10.08 11:23:09 CC_MSG BRI 2/1 Host>>CC: 01 000b CALL_PROCEEDING_REQ
2005.10.08 11:23:09 EP BRI 2/1 Incoming call to '9633333' accepted
2005.10.08 11:23:09 L2_MSG BRI 2/1 Sent = FC FF 03 0F 11 25 01 FF
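The raw L2_MSG bytes in Figure 8-25 are an LAPD UI frame carrying a Q.931 SETUP message. This added example (not part of the guide or of the router's software) decodes those bytes in Python and recovers the same fields that the L2_FMT lines print, including the calling and called party numbers; the function and table names are made up for the sketch, and only the header fields and number elements seen in the figure are interpreted.

```python
# Added example: decode the raw L2_MSG bytes of Figure 8-25 (LAPD + Q.931).
# All names below are illustrative; they are not Secure Router OS identifiers.

# "Recd =" bytes exactly as printed on the three L2_MSG lines of the figure.
FIG_8_25_RECD = (
    "02 FF 03 08 01 01 05 A1 04 02 88 90 18 01 89 6C "
    "0C 21 80 30 30 30 39 36 33 31 31 31 31 70 08 C1 "
    "39 36 33 33 33 33 33"
)
# "Sent =" bytes from the last line of the figure (SAPI 63, not call control).
FIG_8_25_SENT = "FC FF 03 0F 11 25 01 FF"

Q931_MESSAGES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
                 0x07: "CONNECT", 0x0F: "CONNECT ACKNOWLEDGE",
                 0x45: "DISCONNECT", 0x4D: "RELEASE", 0x5A: "RELEASE COMPLETE"}
IE_NAMES = {0x04: "BEARER CAPABILITY", 0x18: "CHANNEL ID",
            0x6C: "CALLING PARTY #", 0x70: "CALLED PARTY #",
            0xA1: "SENDING COMPLETE"}
NUMBER_TYPES = {0: "UNKNOWN", 1: "INTERNATIONAL", 2: "NATIONAL", 4: "SUBSCRIBER"}


def split_ies(data):
    """Split Q.931 information elements into (id, body) pairs."""
    ies, pos = [], 0
    while pos < len(data):
        ie_id = data[pos]
        if ie_id & 0x80:                      # single-octet IE: no length field
            ies.append((ie_id, b""))
            pos += 1
            continue
        if pos + 1 >= len(data):
            raise ValueError("IE 0x%02X has no length octet" % ie_id)
        length = data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("IE 0x%02X is truncated" % ie_id)
        ies.append((ie_id, body))
        pos += 2 + length
    return ies


def decode_number(body):
    """Calling/called party number: octet 3, optional octet 3a, IA5 digits."""
    if not body:
        raise ValueError("empty number IE")
    info = {"type": NUMBER_TYPES.get((body[0] >> 4) & 0x07, "OTHER"),
            "plan": body[0] & 0x0F,           # 1 = ISDN/telephony
            "presentation": None}
    start = 1
    if not body[0] & 0x80:                    # extension bit clear: octet 3a follows
        if len(body) < 2:
            raise ValueError("number IE is missing octet 3a")
        info["presentation"] = (body[1] >> 5) & 0x03   # 0 = allowed
        start = 2
    info["digits"] = body[start:].decode("ascii")
    return info


def decode_l2_msg(hex_text):
    """Decode one received or sent frame given as space-separated hex."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 3:
        raise ValueError("too short for an LAPD header")
    frame = {"sapi": raw[0] >> 2, "cr": (raw[0] >> 1) & 1, "tei": raw[1] >> 1}
    ctl_len = 1 if raw[2] & 0x03 == 0x03 else 2   # U frames use one control octet
    q931 = raw[2 + ctl_len:]
    if frame["sapi"] != 0 or len(q931) < 2 or q931[0] != 0x08:
        raise ValueError("frame does not carry a Q.931 call-control message")
    crl = q931[1] & 0x0F
    if len(q931) < 3 + crl:
        raise ValueError("Q.931 header is truncated")
    mask = (1 << (8 * crl - 1)) - 1 if crl else 0  # drop the call reference flag
    frame["crv"] = int.from_bytes(q931[2:2 + crl], "big") & mask
    msg_type = q931[2 + crl]
    frame["message"] = Q931_MESSAGES.get(msg_type, "0x%02X" % msg_type)
    frame["ies"] = []
    for ie_id, body in split_ies(q931[3 + crl:]):
        frame["ies"].append(IE_NAMES.get(ie_id, "0x%02X" % ie_id))
        if ie_id == 0x6C:
            frame["calling"] = decode_number(body)
        elif ie_id == 0x70:
            frame["called"] = decode_number(body)
    return frame


if __name__ == "__main__":
    setup = decode_l2_msg(FIG_8_25_RECD)
    print(setup["message"], "from", setup["calling"]["digits"],
          "to", setup["called"]["digits"])
```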


To set up a test call, enter the following from the BRI interface configuration mode context:

Syntax: test-call [dial <number> | answer | hangup]

To enter test call mode, enter:

ProCurve(config-bri 2/1)# test-call answer

This command configures the router to receive test calls.

To dial a test call, enter:

Syntax: test-call dial <number>

Replace <number> with the LDN of the ISDN interface you want to connect to. Enter the LDN without using any special characters. For example, you may enter:

ProCurve(config-bri 2/1)# test-call dial 15555551212

The router will then make a call. Once the test call is connected, the routers will exchange keepalives every 10 seconds.

To disconnect the test call and free the allocated BRI channels, enter:

Syntax: test-call hangup [channels <channel range>]

Entering the hangup option disconnects the entire ISDN test call. You can also hang up a single B channel by using the hangup channels option and specifying on which channel or channels you want to terminate the connection. For example, if you want to hang up both B channels but leave the D channel connected, enter:

ProCurve(config-bri 2/1)# test-call hangup channels 1,2

or

ProCurve(config-bri 2/1)# test-call hangup channels 1-2

To hang up a specific channel, enter the number of the B channel you want to disconnect. For example, if you wanted to hang up channel B2, you would enter:

ProCurve(config-bri 2/1)# test-call hangup channel 2

Test calls allow you to check the physical ISDN connection, end to end, between the calling router and the receiving router.


Line Maintenance

You can also perform some basic maintenance on your ISDN line. Enter:

Syntax: maintenance [restart-d | reset]

Use the restart-d option to reset and restart the D channel. This may help in cases where there is a problem in the call process and one of the channels becomes hung.

Use the reset option to reset the port hardware. Occasionally the port interface may get into a loop if the disconnect process isn’t completed before the connection is lost. To reset all the channels and the port hardware, enter:

ProCurve(config-bri 1/1)# maintenance reset

Troubleshooting with Loopbacks

A loopback call tests the ability of the router to initiate and terminate an ISDN call, verifying that the ISDN circuit is up and running. To test and diagnose your ISDN lines, you can set loopbacks using the following commands:

Syntax: loopback network [b1 | b2 | both]

Syntax: loopback local [b1 | b2 | all]

Use the network option to set a loopback toward the switch. This tests that the line between your router and the switch is operational. Use the local option to set a loopback within your local network. This tests whether there is a problem within your LAN that is preventing the connection.

You can specify which B channel you want to test using the b1, b2, and both options. Using the b1 or b2 options sets up a loopback call using the channel you specified and the D channel. To test both B channels and the D channel, enter the all option.

Troubleshooting PPP for the ISDN Connection

Because PPP is the Data Link Layer for dial-up connections, you may need to troubleshoot the negotiation of a PPP session or PPP authentication (if you have configured authentication for the connections). Table 8-17 lists the debug commands you can use to monitor PPP interfaces.


Table 8-17. debug Commands for PPP Interfaces

Quick Start

This section provides the commands you must enter to quickly configure demand routing for:

■ an ISDN BRI U module

■ an ISDN BRI S/T module

Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 8-1 to locate the section that contains the explanation you need.

When you configure demand routing, you will need to enter information about your ISDN connection as well as information about the far-end network. You can use Table 8-18 to record this information before you begin to configure demand routing for the ISDN connection.

Table 8-18. Configuration Settings

Table 8-17. debug Commands for PPP Interfaces (contents)

Command                    Explanation
debug ppp verbose          displays detailed information about all PPP frames as they arrive on the PPP interface
debug ppp errors           displays error messages relating to PPP
debug ppp negotiations     displays events relating to link negotiation; shows if link protocols are able to open; reveals when negotiations between two PPP peers fail
debug ppp authentication   displays real-time messages relating to PAP and CHAP
undebug all                turns off debug messages

Table 8-18. Configuration Settings (contents)

Setting: interface bri <slot>/<port>
Description: specifies the location of the ISDN module and the port you are configuring
Your Setting:

Setting: isdn switch-type [basic-5ess | basic-ni | basic-dms | basic-net3]
Description: specifies the ISDN signaling that the service provider implements on the line
Your Setting:

Setting: isdn ldn1 <number>
         isdn ldn2 <number>
Description: specifies the telephone number (or numbers) for ISDN BRI modules
Your Setting:


1. Enter the global configuration mode context:

ProCurve> en
Password:
ProCurve# configure terminal

2. Create an access control list (ACL) to define the interesting traffic.

a. From the global configuration mode context, enter:

Syntax: ip access-list [standard | extended] <listname>

For example, you might enter:

ProCurve(config)# ip access-list extended Call

b. From the ACL configuration mode context, configure permit or deny entries. Enter:

Syntax: [permit | deny] <protocol> <source address> <source port> <destination address> <destination port> [log | log-input]

Replace <protocol> with one of the following:
– AHP
– ESP
– GRE
– ICMP
– IP
– TCP
– UDP

Table 8-18. Configuration Settings (continued)

Setting: isdn spid1 <number> <ldn1>
         isdn spid2 <number> <ldn2>
Description: specifies the telephone number and identifiers for each TE on the line; used for ISDN BRI U modules
Your Setting:

Setting: connect-sequence <sequence-number> dial-string <string> [<resource-type>] [busyout-threshold <value>]
Description: specifies:
• number to call to establish a connection (dial-string <string>)
• type of connection to establish (<resource-type>—ISDN 64 Kbps or ISDN 56 Kbps)
• number of times to call the number if a connection cannot be made (busyout-threshold <value>)
Your Setting:

Setting: ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>
Description: specifies the route to the far-end network
Your Setting:


To specify the source and destination address, use the following:

Syntax: [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]

For example, you might want to specify that the interesting traffic is the IP traffic from any source to network 192.168.115.0 /24. You use wildcard bits to specify a range of addresses. Enter:

ProCurve(config-ext-nacl)# permit ip any 192.168.115.0 0.0.0.255

c. After configuring the entries for the ACL, enter:

ProCurve(config-ext-nacl)# exit

3. Configure the demand interface.

a. Create the demand interface by entering:

ProCurve(config)# interface demand <number>

Replace <number> with a number between 1 and 1024 for this demand interface. Each demand interface must have a unique number.

b. Assign the demand interface an IP address:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

For example, you might enter:

ProCurve(config-demand 1)# ip address 10.10.10.1 255.255.255.252

or

ProCurve(config-demand 1)# ip address 10.1.1.1 /30

c. Associate the ACL you created with the demand interface. From the demand interface configuration mode context, enter:

Syntax: match-interesting [list | reverse list] <listname> [in | out]

Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL. In this case, the router will try to match the packet’s source address with the destination address that is defined in the ACL. The router will then try to match the packet’s destination address with the source address that is defined in the ACL.

Replace <listname> with the ACL that you created to define the interesting traffic. You can specify only extended ACLs.


Including in or out is optional. By default, the ProCurve Secure Router uses the ACL you specify to check both incoming and outgoing traffic. If you do not specify a direction, outbound traffic is matched to the specified ACL, and inbound traffic is matched to the reverse of the ACL.

For example, if you want to apply the Branch1 ACL to the demand 1 interface, enter:

ProCurve(config-demand 1)# match-interesting list Branch1

The router will allow both traffic outbound to and inbound from the networks specified in the Branch1 ACL to trigger the dial-up connection.

d. Create a resource pool and associate it with the demand resource. Enter:

ProCurve(config-demand 1)# resource pool <poolname>

Replace <poolname> with the name of the resource pool that this demand routing interface will use to originate or answer connections.

e. Configure a connect sequence to specify:

– the telephone number that the demand interface dials to connect to the other remote peer

– the type of dial-up interface used to establish the connection

Enter the following command from the demand interface configuration mode context:

Syntax: connect-sequence <sequence-number> dial-string <string> [<resource-type>] [busyout-threshold <value>]

Replace <sequence-number> with a number between 1 and 65535 to identify this set of connection instructions.

Replace <string> with the telephone number that the demand interface should dial to make the connection.

Replace <resource-type> with one of the options listed in Table 8-19. The option you enter will limit this connection to a particular type of dial-up connection.


Table 8-19. Defining a Resource Type for a Connect Sequence

Option            Description
isdn-64k          Any dial resource can be used, but if ISDN is used, the call must be placed using a 64-Kbps channel.
isdn-56k          Any dial resource can be used, but if ISDN is used, the call must be placed using a 56-Kbps channel.
forced-analog     Only analog resources can be used. (This option is used when you configure demand routing for a backup analog line.)
forced-isdn-64k   Only ISDN resources can be used, and the call must be placed using a 64-Kbps channel.
forced-isdn-56k   Only ISDN resources can be used, and the call must be placed using a 56-Kbps channel.

4. Configure the BRI interface.

a. To access the BRI interface configuration mode context, enter:

Syntax: interface bri <slot>/<port>

For example, you might enter:

ProCurve(config)# interface bri 1/1

b. Set the ISDN signaling (switch) type if your service provider is not using the default setting for your ISDN. For the ISDN BRI U module, the default setting is isdn switch-type basic-5ess. For the ISDN BRI S/T modules, the default setting is isdn switch-type basic-net3. If your service provider is using a different ISDN signaling type, enter:

Syntax: isdn switch-type [basic-5ess | basic-ni | basic-dms | basic-net3]

Table 8-20 lists the command syntax for each signaling type.

Table 8-20. ISDN Signaling Types

Signaling Type             Command Syntax
National ISDN-1            isdn switch-type basic-ni
Euro ISDN                  isdn switch-type basic-net3
Northern Telecom DMS-100   isdn switch-type basic-dms
Lucent/ATT 5ESS            isdn switch-type basic-5ess


c. Set the LDN. (If your public carrier has assigned you a SPID, skip this step and go to the next step.) Otherwise, enter:

Syntax: isdn ldn1 <number>

Replace <number> with the LDN phone number assigned to the ISDN line you are configuring. For example, you might enter:

ProCurve(config-bri 1/1)# isdn ldn1 5555551212

d. Set the SPID and LDN. If your public carrier has assigned you a SPID, you should set the SPID and the LDN at the same time. Enter:

Syntax: isdn spid1 <number> <ldn1>

For example, you might enter:

ProCurve(config-bri 1/1)# isdn spid1 12355512120101 5551212

e. Activate the interface. Enter:

ProCurve(config-bri 1/1)# no shutdown

5. Configure an ISDN group.

a. Create an ISDN group by entering the following command from the global configuration mode context:

Syntax: isdn-group <number>

Replace <number> with a number between 1 and 255 to uniquely identify this ISDN group.

b. Assign a BRI interface to the ISDN group. Enter:

Syntax: connect bri <slot>/<port>

Replace <slot> and <port> with the numbers that identify where the BRI interface is installed. You can assign multiple BRI interfaces to the ISDN group. For example, you might enter:

ProCurve(config-isdn-group 1)# connect bri 2/1
ProCurve(config-isdn-group 1)# connect bri 2/2

c. Assign the ISDN group to a resource pool. From the ISDN group configuration mode context, enter:

Syntax: resource pool-member <poolname>

For example, if the resource pool is called Branch, enter:

ProCurve(config-isdn-group 1)# resource pool-member Branch

Note: The ISDN group can be a member of only one resource pool.


d. To control which calls the BRI interfaces in the ISDN group accept, enter the following command from the ISDN group configuration mode context:

Syntax: incoming-accept-number <number>

For example, you might enter:

ProCurve(config-isdn-group 1)# incoming-accept-number 5551212

You can use the wildcard characters listed in Table 8-9 to specify a range of numbers.

6. Create a static route to the far-end network. From the global configuration mode context, enter:

Syntax: ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>

Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0 /24. Then, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length (such as /24). Finally, specify the forwarding interface as demand <number>.

For example, to configure a route to network 192.168.7.0 /24 through demand interface 1, enter:

ProCurve(config)# ip route 192.168.7.0 /24 demand 1

For more information about configuring static routes, see “Static Routing” on page 11-9 in Chapter 11: IP Routing—Configuring Static Routes.

Table 8-21. Wildcard Characters for incoming-accept-number

Wildcard Characters   Explanation
X                     Matches any single digit between 0 and 9
N                     Matches any single digit between 2 and 9
$                     Matches any number (multiple numbers)
[ ]                   Matches any digit in the list. For example, if you enter [2,4,6] the ProCurve Secure Router matches only 2, 4, and 6. If you enter [4-6,8] the ProCurve Secure Router matches 4, 5, 6, and 8.
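Because incoming-accept-number decides which callers the ISDN group will answer, it helps to check how many numbers a wildcard pattern admits before applying it. The following is an added example, not ProCurve code: the function names are hypothetical, the patterns and caller numbers are constructed, and it assumes that $ matches zero or more digits and that a pattern contains only digits and the wildcard characters in the table above.

```python
"""Added example: evaluate incoming-accept-number wildcard patterns offline."""
from collections import defaultdict

DIGITS = frozenset("0123456789")


def _digit_list(body):
    """Parse the inside of [ ], e.g. '2,4,6' or '4-6,8', into a set of digits."""
    allowed = set()
    for part in body.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not sep:
            hi = lo
        if len(lo) != 1 or len(hi) != 1 or lo not in DIGITS or hi not in DIGITS or lo > hi:
            raise ValueError("bad digit list [%s]" % body)
        allowed.update(str(d) for d in range(int(lo), int(hi) + 1))
    return frozenset(allowed)


def parse_pattern(pattern):
    """Return a list of (allowed_digits, repeats) tokens for one pattern."""
    tokens, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch in DIGITS:
            tokens.append((frozenset(ch), False))
        elif ch == "X":                       # any single digit 0-9
            tokens.append((DIGITS, False))
        elif ch == "N":                       # any single digit 2-9
            tokens.append((frozenset("23456789"), False))
        elif ch == "$":                       # ASSUMPTION: zero or more digits
            tokens.append((DIGITS, True))
        elif ch == "[":                       # digit list such as [4-6,8]
            end = pattern.find("]", i)
            if end == -1:
                raise ValueError("unterminated '[' in %r" % pattern)
            tokens.append((_digit_list(pattern[i + 1:end]), False))
            i = end
        else:
            raise ValueError("unsupported character %r in %r" % (ch, pattern))
        i += 1
    if not tokens:
        raise ValueError("empty pattern")
    return tokens


def _closure(states, tokens):
    """Add the positions reached by letting a '$' token match no digits."""
    out = set(states)
    for s in sorted(states):
        while s < len(tokens) and tokens[s][1]:
            s += 1
            out.add(s)
    return frozenset(out)


def _step(states, digit, tokens):
    """Advance every live position in the pattern by one dialed digit."""
    nxt = set()
    for s in states:
        if s < len(tokens) and digit in tokens[s][0]:
            nxt.add(s if tokens[s][1] else s + 1)
    return _closure(nxt, tokens)


def accepts(pattern, number):
    """True if the whole caller number matches the pattern."""
    tokens = parse_pattern(pattern)
    states = _closure({0}, tokens)
    for ch in number:
        if ch not in DIGITS:
            return False
        states = _step(states, ch, tokens)
    return len(tokens) in states


def count_accepted(pattern, length):
    """Count the distinct numbers of exactly `length` digits that match."""
    tokens = parse_pattern(pattern)
    dp = {_closure({0}, tokens): 1}           # set of live positions -> count
    for _ in range(length):
        nxt = defaultdict(int)
        for states, ways in dp.items():
            for digit in DIGITS:
                reached = _step(states, digit, tokens)
                if reached:
                    nxt[reached] += ways
        dp = nxt
    return sum(ways for states, ways in dp.items() if len(tokens) in states)


def too_broad(patterns, length, limit):
    """Return the patterns that admit more than `limit` numbers of `length` digits."""
    return [p for p in patterns if count_accepted(p, length) > limit]


if __name__ == "__main__":
    patterns = ["5551212", "555XXXX", "555[4-6,8]XXX", "$"]   # constructed
    for p in patterns:
        print("%-16s admits %8d seven-digit numbers" % (p, count_accepted(p, 7)))
    print("review:", too_broad(patterns, 7, 10000))
    print("5551212 accepted by 555XXXX:", accepts("555XXXX", "5551212"))
```

A pattern that `too_broad` reports, such as a bare $, accepts calls from every number of that length and is worth reviewing before it is entered on the router.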


Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules

Contents

Using an E1- or T1-Carrier Line for Data and Voice
    Drop-and-Insert Modules
    Standards Supported by the Drop-and-Insert Modules
Configuring the E1 + G.703 Module
    Making the Physical Connection
    Configuring the E1 Interface for Data Communications
        Assigning Channels to the E1 Interface
        Setting the Clock Source
    Accessing the G.703 Interface
    Configuring Line Coding
    Configuring Frame Format
    Enabling TS16
    Activating the Interface
    Checking the Status of the G.703 Interface
    Viewing Configuration Information
    Troubleshooting the G.703 Interface
        Alarms or Errors That Will Not Clear
        Yellow Alarm
        Interface Is Accruing Errored Seconds and Clock Slips
Configuring the T1 + DSX-1 Module
    Making the Physical Connection
    Configuring the T1 Interface for Data Communications
        Assigning Channels
        Setting the Clock Source
    Accessing the T1 Interface for the DSX-1 Port
    Configuring Line Coding
    Configuring Frame Format
    Setting the Line Length
    Configuring Signaling Mode
    Activating the DSX-1 Interface
    Checking the Status of the DSX-1 Interface
    Viewing Configuration Information
    Troubleshooting the DSX-1 Interface
        Alarms or Errors That Will Not Clear
        Yellow Alarm
        Interface Is Accruing Errored Seconds and Clock Slips
Quick Start
    Configuring the E1 + G.703 Module
        Making the Physical Connection
        Configuring the E1 Interface
        Configuring the G.703 Interface
    Configuring the T1 + DSX-1 Module
        Making the Physical Connection
        Assigning the Channels to the T1 Interface
        Configuring the DSX-1 Interface


Using an E1- or T1-Carrier Line for Data and Voice

You may be able to lower your data communications and telephone costs by leasing an E1- or T1-carrier line and using some of the bandwidth for data and some of the bandwidth for TDM (or traditional) voice. You will then have an affordable WAN solution or Internet connection, and depending on your existing telephone setup, you may have additional phone lines as well. This solution is particularly attractive for small-to-medium businesses (SMBs).

Drop-and-Insert Modules

If you want to use your E1- or T1-carrier line for both data and voice, you must purchase and install a drop-and-insert module for the ProCurve Secure Router. These modules are called drop-and-insert modules because they pass, or drop, some of the bandwidth from the E1- or T1-carrier line into a private branch exchange (PBX).

Two drop-and-insert modules are available for the ProCurve Secure Router:

■ E1 + G.703 module

■ T1 + DSX-1 module

If you live in Europe, South America, Australia, or Asia (except Japan), and can lease an E1-carrier line for your WAN connection, you should purchase and install the E1 + G.703 module. If you live in the United States or Canada, and can lease a T1-carrier line for your WAN connection, you should purchase and install the T1 + DSX-1 module. If you live in Japan, you will need to check with your Public Telephone and Telegraph (PTT) authority because many PTTs in Japan offer T1-carrier lines for data. For voice, however, these PTTs offer J1-carrier lines.

Standards Supported by the Drop-and-Insert Modules

The E1 + G.703 and T1 + DSX-1 modules are standards-based. Specifically, they support the standards listed in Table 9-1.


Table 9-1. Standards Supported by ProCurve Drop-and-Insert Modules

Module       Standard
E1 + G.703   • International Telecommunications Union (ITU) G.703, ITU-T G.704 (CRC-4), ITU-T G.823, and ITU-T G.797
             • FCC Part 15 Class A, Norme Europeenne (EN) 55022 Class, EN 55024, EN 61000-3-2, EN 61000-3-3 (EN is also referred to as European Standards.)
             • ACIF S016, ETSI TBR 12/TBR 13
             • EN 60950 and Australian Standard/New Zealand Standard (AS/NZS) 60950
T1 + DSX-1   • T1 Interface: AT&T Pub 62411
             • ESF Format Interface: TR 194
             • ESF Performance Monitoring: TR 54016, ANSI T1.403
             • FCC Part 15 Class A, EN 55022 Class A
             • ACTA/FCC Part 68, IC CS-03, UL/cUL 60950, IEC 60950

Configuring the E1 + G.703 Module

The E1 + G.703 module has:

■ an E1 port

■ a G.703 port

The E1 port handles the data communications. The G.703 port receives all the channels from the E1-carrier line that are not mapped for data and drops these channels into a PBX. When you configure an E1 + G.703 module, you must configure it to synchronize the data transfer between the public carrier, the two ports (or interfaces), and the PBX. You must also configure which channels are dropped into the PBX.

Making the Physical Connection

Like other ProCurve Networking E1 modules, the E1 port on E1 + G.703 modules includes a built-in Digital Service Unit (DSU). You use unshielded twisted pair (UTP) cabling with RJ-48C connectors to connect the E1 interface to the Channel Service Unit (CSU) provided by your public carrier. (For more information about the DSU or CSU and other public carrier equipment used in an E1 connection, see Chapter 4: Configuring E1 and T1 Interfaces.)


You connect the G.703 port to the PBX using crossover UTP cabling with RJ-48C connectors.

Configuring the E1 Interface for Data Communications

The first step in configuring the E1 + G.703 module is to configure the E1 interface that will handle data. Two settings for the E1 interface directly affect the G.703 interface:

■ channel assignment

■ clock source

Assigning Channels to the E1 Interface

When you configure the E1 interface, you assign the E1 interface a certain number of channels that will be “nailed” to that interface. By default, any channels that you do not assign to the E1 interface are passed to the G.703 interface.

An E1-carrier line includes a total of 32 channels: one channel is used to maintain the connection, the other 31 channels can be used for data or voice. When you divide these channels between the E1 interface and the DSX-1 interface, you must create two groups of contiguous channels. Typically, you will reserve channel 16 and all subsequent channels for the G.703 interface.

You assign the channels to the E1 interface using the tdm-group command. The remaining channels are automatically assigned to the G.703 interface.

To assign channels 1–15 to the E1 interface, move to the E1 interface configuration mode context and enter the tdm-group command:

Syntax: tdm-group <number> timeslots <range of numbers>

ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-15

If you view the status of the E1 interface (after you bind the physical interface to the logical interface using the bind command), you will see that channels 1–15 are “nailed” to that interface, while channels 16–31 are assigned to the G.703 interface. (See Figure 9-1.)

Enter show interface e1 <slot>/<port> at the enable mode context prompt:

ProCurve# show interface e1 1/1


Note: If you have not yet entered a bind command to join the physical interface to the logical interface, the channel assignment will not be displayed correctly.

e1 1/1 is UP
  Receiver has no alarms
  E1 coding is HDB3, framing is E1
  Clock source is line
  No network loopbacks
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 0

  Timeslot Status:  01234567890123456789012345678901
                    FNNNNNNNNNNNNNNNDDDDDDDDDDDDDDDD
  Status Legend:  '-' = Timeslot is unallocated
                  'N' = Timeslot is dedicated (nailed)
                  'D' = Timeslot is allocated to G703 drop port
                  'F' = Timeslot is dedicated for framing

  Line Status: -- No Alarms --

  5 minute input rate 120 bits/sec, 0 packets/sec
  5 minute output rate 120 bits/sec, 0 packets/sec
  Current Performance Statistics:
    0 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    0 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

  TDM group 1, line protocol is UP
    Encapsulation PPP (ppp 1)
    74 packets input, 4622 bytes, 0 no buffer
    0 runts, 0 giants, 0 throttles
    66 input errors, 24 CRC, 42 frame
    0 abort, 0 discards, 0 overruns
    127 packets output, 5554 bytes, 0 underruns

Channels 1-15 are “nailed” to the E1 interface.

Channels 16-31 are allocated to the G.703 interface.

Figure 9-1. Viewing the Channel Assignments for the E1 and G.703 Interfaces

After you ensure that the channel assignments are correct, you will need to configure the settings for the G.703 interface.
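The Timeslot Status map in the show interface e1 output above can be checked mechanically against the intended tdm-group range, including the requirement that the data and drop channels each form one contiguous group. This is an added example, not ProCurve code: the function names are hypothetical and the sample output is constructed from the values shown in Figure 9-1.

```python
"""Added example: check the Timeslot Status map in 'show interface e1' output."""
import re

# The index row and the status row may be separated by a newline or by spaces.
STATUS_RE = re.compile(r"Timeslot Status:\s*(\d+)\s+([-NDF]+)")
ROLE_NAMES = {"N": "nailed", "D": "G.703 drop", "F": "framing", "-": "unallocated"}

# Constructed sample, using the values shown in Figure 9-1.
SAMPLE_OUTPUT = "\n".join([
    "e1 1/1 is UP",
    "  E1 coding is HDB3, framing is E1",
    "  Clock source is line",
    "  Timeslot Status:  " + "0123456789" * 3 + "01",
    "                    " + "F" + "N" * 15 + "D" * 16,
    "  Line Status: -- No Alarms --",
])


def timeslot_map(show_output):
    """Return the per-timeslot status string, one character per timeslot."""
    m = STATUS_RE.search(show_output)
    if m is None:
        raise ValueError("no Timeslot Status block found")
    index, status = m.groups()
    if len(index) != len(status):
        raise ValueError("status row does not line up with the index row")
    return status


def runs(status):
    """Collapse the map into (role, first_timeslot, last_timeslot) runs."""
    found = []
    for ts, role in enumerate(status):
        if found and found[-1][0] == role:
            found[-1] = (role, found[-1][1], ts)
        else:
            found.append((role, ts, ts))
    return found


def check_allocation(show_output, nailed_first, nailed_last):
    """List deviations from the intended split between data and drop channels."""
    status = timeslot_map(show_output)
    found = runs(status)
    problems = []
    if status[0] != "F":
        problems.append("timeslot 0 is not marked as framing")
    # The data channels and the drop channels must each be one contiguous group.
    for role in "ND":
        spans = [(first, last) for r, first, last in found if r == role]
        if len(spans) > 1:
            problems.append("%s timeslots are split into %d groups: %s"
                            % (ROLE_NAMES[role], len(spans), spans))
    nailed = [ts for ts, role in enumerate(status) if role == "N"]
    if nailed != list(range(nailed_first, nailed_last + 1)):
        problems.append("nailed timeslots %s differ from the intended %d-%d"
                        % (nailed, nailed_first, nailed_last))
    # Channels not assigned to the E1 interface should appear as 'D', so an
    # unallocated timeslot is reported for review.
    idle = [ts for ts, role in enumerate(status) if role == "-"]
    if idle:
        problems.append("unallocated timeslots: %s" % idle)
    return problems


if __name__ == "__main__":
    issues = check_allocation(SAMPLE_OUTPUT, 1, 15)
    for line in issues or ["allocation matches tdm-group 1 timeslots 1-15"]:
        print(line)
```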


Setting the Clock Source

The other setting that directly affects the G.703 interface is the clock source. Each narrow ProCurve Secure Router module can have only one clock source. For E1 + G.703 modules, you set the clock source on the E1 interface that is used for data. By default, the clock source for this E1 interface is line. With this setting, the E1 interface takes its timing from the public carrier’s equipment. The G.703 interface, in turn, takes its clock from the E1 interface.

You may want the E1 + G.703 module to take timing from the PBX rather than from the public carrier’s equipment. To change the clock source setting for the E1 interface to through, enter:

ProCurve(config-e1 1/1)# clock source through

For detailed information about configuring other settings for the E1 interface, see Chapter 4: Configuring E1 and T1 Interfaces.

Accessing the G.703 Interface

The ProCurve Secure Router treats the G.703 port as an E1 interface. Because it is the second port of the E1 + G.703 module, you access the G.703 interface by entering the following command from the global configuration mode context:

Syntax: interface e1 <slot>/2

For example, if the E1 + G.703 module is installed in slot 1, enter:

ProCurve(config)# interface e1 1/2

From this configuration mode context, you can begin to configure the G.703 interface.

Configuring Line Coding

You configure the line coding for the G.703 interface just as you would for an E1 interface. The settings you select must match those used by the PBX.

■ Alternate mark inversion (AMI)

■ High-Density Bipolar order of 3 (HDB3)


AMI uses alternating positive and negative voltage (referred to as alternating polarity, or bipolarity) to represent logical ones, and zero voltage to represent logical zeros. Because AMI uses zero voltage for logical zeros, it can cause synchronization loss between peers at each end of a WAN connection when a data stream contains a long string of logical zeros.

Although HDB3 is based on AMI, HDB3 prevents synchronization loss by limiting the number of consecutive zeros in a data stream to four. HDB3 replaces the zeros with three logical zeros and a violation bit with the same polarity as the last AMI logical one detected.

HDB3 is the most common line-coding scheme used in E1-carrier lines and is the default setting for all E1 interfaces on the ProCurve Secure Router.
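The difference between the two line codes is easiest to see on a bit stream with long runs of zeros. This is an added example, not ProCurve code: it implements the standard HDB3 substitution rule, which covers the violation-bit case described above and also the case where a balancing pulse is inserted first (B00V); the function names, the assumed encoder start state, and the sample bits are constructed for illustration.

```python
"""Added example: AMI and HDB3 line coding for a bit stream."""


def ami_encode(bits):
    """Alternate mark inversion: ones alternate +1/-1, zeros send no pulse."""
    pulses, last = [], -1
    for bit in bits:
        if bit:
            last = -last
            pulses.append(last)
        else:
            pulses.append(0)
    return pulses


def hdb3_encode(bits):
    """HDB3: AMI, with every run of four zeros replaced by 000V or B00V."""
    pulses = []
    last = -1      # polarity of the most recent pulse (assumed start state)
    marks = 0      # ones sent since the previous violation (assumed start: 0)
    zeros = 0      # length of the current run of zeros
    for bit in bits:
        if bit:
            last = -last
            pulses.append(last)
            marks += 1
            zeros = 0
            continue
        pulses.append(0)
        zeros += 1
        if zeros == 4:
            if marks % 2 == 0:
                # B00V: first insert a normal AMI pulse B, so that successive
                # violations alternate in polarity and the line stays balanced.
                last = -last
                pulses[-4] = last
            # V repeats the polarity of the pulse before it. That breaks the
            # AMI alternation, which is how the receiver recognises the block.
            pulses[-1] = last
            marks = 0
            zeros = 0
    return pulses


def hdb3_decode(pulses):
    """Recover the bits: a bipolar violation marks the end of four zeros."""
    bits = [1 if p else 0 for p in pulses]
    last = 0
    for i, p in enumerate(pulses):
        if p == 0:
            continue
        if p == last:
            for j in range(max(0, i - 3), i + 1):
                bits[j] = 0
        last = p
    return bits


def longest_zero_run(pulses):
    """Length of the longest stretch with no pulse on the line."""
    longest = run = 0
    for p in pulses:
        run = run + 1 if p == 0 else 0
        longest = max(longest, run)
    return longest


if __name__ == "__main__":
    data = [1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1]   # constructed
    for name, line in (("AMI ", ami_encode(data)), ("HDB3", hdb3_encode(data))):
        print(name, line, "longest silence:", longest_zero_run(line))
    print("decoded matches input:", hdb3_decode(hdb3_encode(data)) == data)
```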

To configure the line coding, use the following command:

Syntax: coding [ami | hdb3]

For example, to configure the coding option to ami, you would enter:

ProCurve(config-e1 1/2)# coding ami

Because HDB3 is the default setting, you do not have to enter the coding command if your PBX uses HDB3.

Configuring Frame Format

E1 interfaces on the ProCurve Secure Router support two frame formats:

■ E1

■ Cyclic Redundancy Check 4 (CRC4)

In the E1 frame format, a channel (or timeslot) is called a TS, and the 32 channels are numbered TS0 to TS31. Two channels are used to establish and maintain synchronization and signaling; specifically, TS0 is used for synchronization, error detection, and alarms, and TS16 is used for signaling. The other channels are used to transmit data or voice.

CRC4 is based on the E1 frame format but includes additional error detection. A checksum bit is included in all even E1 frames with CRC4 format: frame numbers 0, 2, 4, 6, 8, 10, 12, and 14. A total of 8 checksum bits are used.


Although E1 interfaces, including those for the G.703 port, support two frame formats, only one option is listed if you enter the following command from the E1 interface configuration mode context:

ProCurve(config-e1 1/2)# framing ?

Only CRC4 is listed.

By default, the frame format is E1. If your public carrier is using the E1 frame format, you simply accept the default setting; you do not have to enter a framing command.

However, if your public carrier is using the CRC4 frame format, enter:

Syntax: framing crc4

ProCurve(config-e1 1/2)# framing crc4

To return to the E1 frame format, enter:

ProCurve(config-e1 1/2)# no framing

Enabling TS16

TS16 is used when there is a requirement to pass through “signaling” information in a non-proprietary manner. Two types of signaling are used for E1-carrier lines that carry voice—Channel Associated Signaling (CAS) and Common Channel Signaling (CCS). ProCurve Secure Routers support only CAS. For example, they will “split” an E1-carrier line into channels 1-15 and channels 17-31. Typically, this is not an issue because a vast majority of E1 circuits use CAS rather than CCS. (See Bradley Dunsmore and Toby Skandier, Telecommunications Technologies Reference [ISBN 1587050366], p. 155.)

Enter the following command to enable the ProCurve Secure Router to check timeslot 16 for the multiframes it receives on the G.703 interface:

ProCurve(config-e1 1/2)# ts16

The only time there is a signaling requirement and you do not need to configure TS16 is when the signaling is “out-of-band,” or out of the E1 circuit. In this situation, the signaling must be handled by a separate circuit or some proprietary method that your PBX devices use. In other words, if a router allows the mapping of channels 18-31 to the PBX and allows for 18 to accomplish signaling, then the PBXs on both sides of the E1-carrier line must know they are to communicate on this channel for signaling.


Activating the Interface

All interfaces on the ProCurve Secure Router are administratively down by default and must be activated. From the E1 interface configuration mode context, enter:

ProCurve(config-e1 1/2)# no shut

Checking the Status of the G.703 Interface

After you assign the correct number of channels to each interface and then configure the G.703 interface, the connection between the G.703 port and your PBX should come up. You can use the show commands listed in Table 9-2 to view both the status and the configuration information for the G.703 interface.

Table 9-2. show Commands

Command                                                Explanation
show interfaces                                        displays information about all the interfaces—active or inactive—on the ProCurve Secure Router
show interface <interface> <slot>/<port>               displays information about a specific physical
show running-config                                    displays all of the settings that you have configured for the ProCurve Secure Router
show running-config verbose                            displays the entire running-config, including the default settings
show running-config interface <interface ID>           displays the settings that you have configured for a particular interface
show running-config interface <interface ID> verbose   displays the running-config for a particular interface, including the default settings

For example, to check the status of the G.703 interface, enter:

ProCurve# show interfaces e1 <slot>/2

If you are not in the enable mode context, you can use the do command and enter:

Syntax: do show interfaces e1 <slot>/2


Figure 9-2 shows the output when you enter this command. The first line reports whether the interface is up or down. The first block of text indicates the current configurations for the interface, such as line coding and framing. It also reports any alarms.

The second block of text under “Current Performance Statistics” displays errors. If the number of errors is steadily incrementing, you should check your configuration.

e1 1/2 is UP
  Receiver has no alarms
  E1 coding is HDB3, framing is E1MF
  No network loopbacks
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 0
  Line Status: -- No Alarms --

  Current Performance Statistics:
    0 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 0 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    0 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

No channel assignments are displayed here for the G.703 interface. To view channel assignments for this interface, enter:

show interface e1 <slot>/1

MF (in E1MF) indicates that the TS16 option has been enabled on the G.703 interface.

Figure 9-2. show interface e1 Command for the G.703 Port

Viewing Configuration Information

To view the settings that have been entered on the ProCurve Secure Router, enter:

ProCurve# show running-config

Note: Use the do command to enter root commands (such as show commands) from outside the enable mode context.

You must then browse through the output to find the G.703 interface. To view only the running-config for the G.703 interface, enter:

Syntax: show running-config interface e1 <slot>/2

Figure 9-3 shows the running-config for both the E1 and G.703 interfaces.


ProCurveSR7102dl# show running-config interface e1 1/1
interface e1 1/1
  tdm-group 1 timeslots 1-15 speed 64
  no shutdown

ProCurveSR7102dl#show running-config interface e1 1/2
interface e1 1/2
  no framing crc4
  no shutdown

Channel assignments are listed under the E1 <slot>/1 interface.

Figure 9-3. show running-config Command for the E1 and G.703 Interfaces

To view all the settings for the E1 or G.703 interfaces, add the verbose option to the show command:

Syntax: show running-config interface e1 <slot>/2 verbose

Troubleshooting the G.703 Interface

If the G.703 interface is down, you should first check your configuration settings and ensure that they match the settings used on your PBX. In particular, check:

■ Line coding—Is the PBX using AMI or HDB3?

■ Frame format—Is the PBX using E1 or CRC4?

■ Channels—Are the channels allocated correctly for the E1 interface and the G.703 interface?

You can use the show commands described in the previous section to check the configuration settings for the G.703 interface.

If the settings you have configured match those configured on the PBX, you must isolate the problem. Is the problem with the PBX or the G.703 interface?

Alarms or Errors That Will Not Clear

If you are unable to clear alarms or errors in the ProCurve Secure Router OS, the device at the other end of the connection may be causing the problem. To isolate the problem, disconnect the cable from the PBX and loop the G.703 interface back on itself using an external cable. If the unit goes out of alarm, the PBX is at fault. If the unit stays in alarm, use another cable. If the router now goes out of alarm, the cable is obviously the problem.


Yellow Alarm

A yellow alarm indicates that the G.703 interface is receiving signals from a PBX that is in red alarm. The PBX may not be capable of handling the signal that the interface is sending to it. If this problem occurs, recheck the configuration on the PBX and verify that the cable is good.

Interface Is Accruing Errored Seconds and Clock Slips

If the PBX is not at fault, the problem may be with the synchronization. To detect synchronization problems, view the G.703 interface status using the show interfaces command. When you view the status report, you should not see steadily increasing errors. Clock slips indicate that the hosts on either end of the line are unable to properly synchronize their signals.

Check the clock source setting on both the E1 interface and the G.703 interface. Each module can have only one clock source. If the E1 interface is configured to take the clock source from the line, the G.703 interface must have the clock source setting of through. If, on the other hand, the G.703 interface is configured to take the clock source from the line—the PBX—the E1 interface should have a clock source setting of through.

Configuring the T1 + DSX-1 Module

The T1 + DSX-1 module has:

■ a T1 port

■ a DSX-1 port

The T1 port handles the data communications. The DSX-1 port receives all the channels from the T1-carrier line that are not mapped for data and drops these channels into a PBX. When you configure a T1 + DSX-1 module, you must configure it to synchronize the data transfer between the public carrier, the two ports (or interfaces), and the PBX. You must also configure which channels are dropped into the PBX.

Making the Physical Connection

The T1 port on the T1 + DSX-1 module includes a built-in CSU/DSU. You use UTP cabling with RJ-48C connectors to connect the T1 interface to the wall jack provided by your public carrier. (For more information about the CSU/DSU and other public carrier equipment used in a T1 connection, see Chapter 4: Configuring E1 and T1 Interfaces.) You connect the DSX-1 interface to the PBX, using a crossover cable with an RJ-48C connector.

Configuring the T1 Interface for Data Communications

The first step in configuring the DSX-1 drop-and-insert module is to configure the T1 interface that will handle data. Two settings for the T1 interface directly affect the DSX-1 interface:

■ channel assignment

■ clock source

Assigning Channels

When you configure the T1 interface, you assign it a certain number of channels that will be “nailed” to that interface. By default, any channels that you do not assign to the T1 interface are passed to the DSX-1 interface.

A T1-carrier line includes a total of 24 channels. When you divide these channels between the T1 interface and the DSX-1 interface, you must create two groups of contiguous channels.

For example, you could assign channels 1-12 to the T1 interface. Channels 13-24 are then automatically assigned to the DSX-1 module. To assign channels to the T1 interface, move to the T1 interface configuration mode context and enter the tdm-group command:

Syntax: tdm-group <number> timeslots <range of numbers>

ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-12

If you view the status of the T1 interface (after you configure a logical interface and bind it to the T1 interface), you will see that channels 1-12 are marked with an N. This means that they are “nailed,” or assigned, to the T1 interface. The channels assigned to the DSX-1 interface are marked with a D. (See Figure 9-4.)

Note: If you have not yet entered a bind command to bind the T1 interface to a logical interface, the channel assignments will not be displayed correctly.


Figure 9-4. Viewing the Channel Assignments for the T1 and DSX-1 Interfaces

Setting the Clock Source

Each narrow ProCurve Secure Router module can have only one clock source. For T1 + DSX-1 modules, you configure the clock source on the line that is used for data. By default, the clock source for this T1 interface is line. With this setting, the T1 interface takes its timing from the public carrier’s equipment. The DSX-1 interface, in turn, takes its clock from the T1 interface.

t1 2/1 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 2/2, FDL type is ANSI
  Line build-out is 0dB
  No remote loopbacks, No network loopbacks
  Acceptance of remote loopback requests enabled
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 1, last occurred 00:01:57

  DS0 Status: 123456789012345678901234
              NNNNNNNNNNNNDDDDDDDDDDDD
  Status Legend: '-' = DS0 is unallocated
                 'N' = DS0 is dedicated (nailed)
                 'D' = DS0 is allocated to DSX port

  Line Status: -- No Alarms --

  5 minute input rate 16 bits/sec, 0 packets/sec
  5 minute output rate 16 bits/sec, 0 packets/sec
  Current Performance Statistics:
    0 Errored Seconds, 0 Bursty Errored Seconds
    0 Severely Errored Seconds, 3 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    1 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

TDM group 1, line protocol is UP
  Encapsulation PPP (ppp 2)
  22 packets input, 714 bytes, 0 no buffer
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame

Channels 1-12 are “nailed” to the T1 interface.

Channels 13-24 are allocated to the DSX-1 interface.

Clock source is set to through


You may want the T1 + DSX-1 module to take its timing from the PBX rather than from the public carrier’s equipment. To change the clock source for the T1 interface to through, enter:

ProCurve(config-t1 1/1)# clock source through

For detailed information about configuring T1 interfaces, see Chapter 4: Configuring E1 and T1 Interfaces.

Accessing the T1 Interface for the DSX-1 Port

The ProCurve Secure Router treats the DSX-1 port as a T1 interface. Because it is the second port of the T1 + DSX-1 module, you access the DSX-1 interface by entering the following command from the global configuration mode context:

Syntax: interface t1 <slot>/2

For example, if the T1 + DSX-1 module is in slot 1, enter:

ProCurve(config)# interface t1 1/2

You will need to configure the DSX-1 interface to match the settings used by the PBX to which it connects. Both ends of the connection must use the same methods of coding data and dividing it into frames.

As with any T1 interface, you will also need to set the transmit signal level. This setting depends on the distance between the interface and the equipment to which it connects. Properly configuring the signal level compensates for attenuation across distant connections and keeps the signal from becoming “too hot” across short cables.

Finally, you will need to set the signaling mode to determine how the ProCurve Secure Router carries signaling information for the DS0 channels.

Configuring Line Coding

You must configure the DSX-1 interface to use the same line coding that your PBX uses:

■ Alternate Mark Inversion (AMI)

■ Bipolar 8-Zero Substitution (B8ZS)


In AMI, zero voltage represents logical zeros, and alternating positive and negative voltages represent logical ones, thus maintaining a net zero voltage across the line. AMI has at least one drawback: a long string of logical zeros can result in hosts losing synchronization.

When eight or more consecutive logical zeros are received, B8ZS addresses the synchronization problem by inserting two bipolar violations in the fourth and seventh positions of the 8-bit string, which creates a timing mark. Because B8ZS eliminates the synchronization problems, it has become the standard line coding used on T1-carrier lines. Consequently, B8ZS is the default setting on the ProCurve Secure Router, although the router supports both AMI and B8ZS.
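The two line codings described above, worked through in Python as an added example (not code from the guide or the router). It assumes the pulse sent before the stream was negative and uses the standard B8ZS substitution 000VB0VB, where V repeats the previous pulse's polarity and B alternates normally; the sample bit stream is constructed.

```python
"""AMI and B8ZS line coding on a T1/DSX-1 span (added example, constructed data)."""

# Constructed sample: one mark, eight zeros, then a short mixed tail.
BITS = [1] + [0] * 8 + [1, 1, 0, 0, 0, 1]


def ami_encode(bits, last=-1):
    """Return AMI pulses (+1, -1, 0): marks alternate polarity, zeros send no pulse.

    `last` is the polarity of the pulse sent before this stream (assumed -1).
    """
    out = []
    for bit in bits:
        if bit:
            last = -last
            out.append(last)
        else:
            out.append(0)
    return out


def b8zs_encode(bits, last=-1):
    """Encode like AMI, but replace each run of eight zeros with 000VB0VB."""
    bits, out, i = list(bits), [], 0
    while i < len(bits):
        if bits[i:i + 8] == [0] * 8:
            # V repeats the previous polarity (a violation); B alternates normally.
            out += [0, 0, 0, last, -last, 0, -last, last]
            i += 8  # the pattern ends on +last, so the running polarity is unchanged
        elif bits[i]:
            last = -last
            out.append(last)
            i += 1
        else:
            out.append(0)
            i += 1
    return out


def bipolar_violations(pulses, last=-1):
    """Indexes of pulses whose polarity repeats the previous pulse's polarity."""
    hits = []
    for i, pulse in enumerate(pulses):
        if pulse:
            if pulse == last:
                hits.append(i)
            last = pulse
    return hits


def longest_zero_run(pulses):
    """Longest stretch with no pulse, which is what costs the receiver its timing."""
    run = best = 0
    for pulse in pulses:
        run = run + 1 if pulse == 0 else 0
        best = max(best, run)
    return best


def b8zs_decode(pulses, last=-1):
    """Recover the bits: a 000VB0VB pattern is eight zeros, any other pulse is a one."""
    pulses, bits, i = list(pulses), [], 0
    while i < len(pulses):
        if pulses[i:i + 8] == [0, 0, 0, last, -last, 0, -last, last]:
            bits += [0] * 8
            i += 8
        else:
            bits.append(1 if pulses[i] else 0)
            last = pulses[i] or last
            i += 1
    return bits


if __name__ == "__main__":
    ami, b8zs = ami_encode(BITS), b8zs_encode(BITS)
    print("AMI  pulses:", ami, "longest zero run:", longest_zero_run(ami))
    print("B8ZS pulses:", b8zs, "longest zero run:", longest_zero_run(b8zs))
    # The zero run starts at index 1, so indexes 4 and 7 are its 4th and 7th positions.
    print("B8ZS violations at indexes:", bipolar_violations(b8zs))
    print("Round trip matches input:", b8zs_decode(b8zs) == BITS)
```

A receiver set to AMI would count the two deliberate violations as line code violations, which is why both ends of the DSX-1 connection must use the same coding.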

To configure the line coding, enter the following command from the T1 configuration mode context:

Syntax: coding [ami | b8zs]

For example, to configure the T1 interface to use AMI, enter:

ProCurve(config-t1 1/2)# coding ami

Configuring Frame Format

You must also configure the T1 interface to use the same frame format as that used by the PBX:

■ D4

■ ESF

D4 framing combines 12 DS0 frames into a single superframe. The ESF standard multiplexes 24 DS0 frames into an extended superframe.

The ESF format has essentially replaced the D4 framing standard because it frees up bits that can be used to maintain the connection. Due to its popularity, ESF is the default setting for T1 modules on the ProCurve Secure Router.

To configure the frame format, enter the following command from the T1 configuration mode context:

Syntax: framing [d4 | esf]

For example, to configure the T1 interface to use D4, enter:

ProCurve(config-t1 1/2)# framing d4


Setting the Line Length

The ProCurve Secure Router uses transmission line length to determine which voltage to use for data transfer. The greater the distance between equipment, the stronger the signal must be to counteract attenuation. You configure how long the cable is, and the Secure Router OS establishes the proper signal level. Enter:

Syntax: line-length [<0-655> | -7.5]

You can specify the length of the cable up to 655 feet, or you can fix the signal output at -7.5 dB. Use the -7.5 setting to prevent the line from becoming too hot.

Use the no command to return the line-length setting to its default setting of 0 db.

Configuring Signaling Mode

Use the signaling-mode commands to control how the ProCurve Secure Router transmits signaling information for traffic carried on the DSX-1 interface. You use the following command to set the signaling mode:

Syntax: signaling-mode [message-oriented | none | robbed-bit]

Message-oriented signaling sets only channel 24 to clear channel signaling. In other words, one channel is reserved for signaling data, and the other 23 carry voice applications. Use this mode for QSIG installations. Enter:

ProCurve(config-t1 1/2)# signaling-mode message-oriented

Set the signaling-mode to none to configure all channels as clear channels. Use this signaling-mode for data-only transmissions or for PBXs that use Integrated Services Digital Network (ISDN) telephone equipment. To configure the DSX-1 interface to use all channels as clear channels, enter:

ProCurve(config-t1 1/2)# signaling-mode none

The signaling-mode none command is different from the no signaling-mode command, which returns the interface to the default setting of robbed-bit signaling.

Robbed-bit signaling takes a bit from the extended frame to use for transmitting signaling information. You should use this signaling mode when you want to use your DSX-1 line for voice-over applications. Enter:

ProCurve(config-t1 1/2)# signaling-mode robbed-bit


Activating the DSX-1 Interface

By default, all interfaces on the ProCurve Secure Router are administratively down. To activate the interface, enter:

ProCurve(config-t1 1/2)# no shutdown

Checking the Status of the DSX-1 Interface

To check the status of the DSX-1 interface, enter the following command from the enable mode context:

Syntax: show interfaces t1 <slot>/2

Figure 9-5 shows the output for a sample DSX-1 interface.

Figure 9-5. show interface t1 Command for the DSX-1 Port

The first line in the output tells you whether the interface is up or down. The first block of text indicates the current configurations for the interface, including line length and signaling mode, as well as line coding and framing.

The second block of text, headed “Current Performance Statistics,” displays errors. Steadily incrementing errors indicate that you need to resolve problems with the configuration.

t1 2/2 is UP
  Receiver has no alarms
  T1 coding is B8ZS, framing is ESF
  Line length is 55 feet
  Signaling mode: robbed bit
  No remote loopbacks, No network loopbacks
  Tx Alarm Enable: rai
  Last clearing of counters never
    loss of frame : 0
    loss of signal : 0
    AIS alarm : 0
    Remote alarm : 0
  Line Status: -- No Alarms --

  Current Performance Statistics:
    5 Errored Seconds, 0 Bursty Errored Seconds
    5 Severely Errored Seconds, 5 Severely Errored Frame Seconds
    0 Unavailable Seconds, 0 Path Code Violations
    1 Line Code Violations, 0 Controlled Slip Seconds
    0 Line Errored Seconds, 0 Degraded Minutes

No channel assignments are displayed here for the DSX-1 interface

To view channel assignments for this interface, enter:

show interface t1 <slot>/1


Viewing Configuration Information

To view the settings that have been entered on the ProCurve Secure Router, enter:

ProCurve# show running-config

You must then browse through the output to find the DSX-1 interface. To view only the running-config for the DSX-1 interface, enter:

ProCurve# show running-config interface t1 <slot>/2

Figure 9-6 shows the running-config for both the T1 and DSX-1 interfaces.

Figure 9-6. show running-config Command for the T1 and DSX-1 Interfaces

To view all the settings (including default settings) for the T1 interface or DSX-1 interface, add the verbose option to the show command:

ProCurve# show running-config interface t1 <slot>/2 verbose

Troubleshooting the DSX-1 Interface

To troubleshoot a DSX-1 interface, you must first isolate the problem. Is the problem with the PBX? With the DSX-1 interface? With the T1 interface? Or is the problem with the public carrier’s equipment?

Alarms or Errors That Will Not Clear

When you are unable to clear alarms or errors in the Secure Router OS, the device at the other end of the cable is often at fault. To isolate the problem, disconnect the cable from the PBX and loop the DSX-1 interface back on itself using an external cable. If the unit goes out of alarm, you know that the PBX is at fault.

ProCurveSR7102dl# show running-config interface t1 2/1
interface t1 2/1
  clock source through
  tdm-group 1 timeslots 1-12 speed 64
  no shutdown

ProCurveSR7102dl# show running-config interface t1 2/2
interface t1 2/2
  signaling-mode none
  no shutdown

Channel assignment is listed under the E1 <slot>/1 interface


If the unit stays in alarm, change the cable. If the router now goes out of alarm, again, you know that the cable, and not the interface, is the problem.

Troubleshoot connections between the T1 interface and the wall jack in the same way.

Yellow Alarm

A yellow alarm indicates that although the DSX-1 is receiving signals, the PBX is in red alarm. The PBX may not be capable of handling the signal that the interface is sending to it. Try lowering the signal output, either by setting a shorter line length or by configuring the signal at -7.5 decibels.

Interface Is Accruing Errored Seconds and Clock Slips

If, on the other hand, the PBX or CSU is not at fault, you might have a problem with synchronization. You can detect this problem by using the show interfaces command to view the DSX-1 interface status. When you view the output, you should not see steadily increasing errors. Clock slips indicate that the ends of the line are unable to properly synchronize their signals.

Check the clock source setting for both interfaces on the T1 + DSX-1 module. If the DSX-1 interface is taking the clock from the PBX, change the clock source to the through option for the T1 interface that controls port 1 on the T1 + DSX-1 module.
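The status checks described in this chapter (two contiguous channel groups in the DS0 map, no steadily increasing error counters, clock source review when slips appear) can be scripted against saved show interfaces output. The following Python is an added example, not part of the guide or the Secure Router OS; the first snapshot reuses values from Figure 9-4 and the second snapshot is constructed, and the line layout of the output is assumed.

```python
import re
from itertools import groupby

# Constructed sample input: BEFORE reuses values from the guide's Figure 9-4;
# AFTER is invented for this example, with two counters raised.
BEFORE = """\
t1 2/1 is UP
  T1 coding is B8ZS, framing is ESF
  Clock source is through t1 2/2, FDL type is ANSI
DS0 Status: 123456789012345678901234
            NNNNNNNNNNNNDDDDDDDDDDDD
Current Performance Statistics:
  0 Errored Seconds, 0 Bursty Errored Seconds
  0 Severely Errored Seconds, 3 Severely Errored Frame Seconds
  0 Unavailable Seconds, 0 Path Code Violations
  1 Line Code Violations, 0 Controlled Slip Seconds
  0 Line Errored Seconds, 0 Degraded Minutes

TDM group 1, line protocol is UP
"""
AFTER = (BEFORE.replace("0 Errored Seconds", "7 Errored Seconds", 1)
               .replace("0 Controlled Slip Seconds", "4 Controlled Slip Seconds"))


def clock_source(text):
    """Return the clock source keyword (for example 'line' or 'through')."""
    m = re.search(r"Clock source is (\w+)", text)
    return m.group(1) if m else None


def ds0_map(text):
    """Return the per-channel flags ('N', 'D' or '-') printed under 'DS0 Status:'."""
    m = re.search(r"DS0 Status:\s*\d+\s*\n\s*([-ND]+)", text)
    return m.group(1) if m else ""


def channel_runs(flags):
    """Collapse the flag string into (flag, first_channel, last_channel) runs."""
    runs, channel = [], 1
    for flag, group in groupby(flags):
        count = len(list(group))
        runs.append((flag, channel, channel + count - 1))
        channel += count
    return runs


def split_is_contiguous(flags):
    """True when nailed (N) and DSX (D) channels each form at most one group."""
    kinds = [flag for flag, _, _ in channel_runs(flags)]
    return kinds.count("N") <= 1 and kinds.count("D") <= 1


def counters(text):
    """Parse the 'Current Performance Statistics' block into {name: value}."""
    parts = text.split("Current Performance Statistics:", 1)
    if len(parts) < 2:
        return {}
    block = parts[1].split("\n\n", 1)[0]   # the block ends at the first blank line
    return {name.strip(): int(value)
            for value, name in re.findall(r"(\d+)\s+([A-Za-z ]+)", block)}


def rising_counters(before, after):
    """Counters whose value grew between two snapshots: {name: (old, new)}."""
    old, new = counters(before), counters(after)
    return {k: (old.get(k, 0), v) for k, v in new.items() if v > old.get(k, 0)}


def review(before, after):
    """Return findings that follow the guide's troubleshooting checks."""
    findings = []
    flags = ds0_map(after)
    if not split_is_contiguous(flags):
        findings.append(f"channels are not two contiguous groups: {channel_runs(flags)}")
    rising = rising_counters(before, after)
    for name, (old, new) in rising.items():
        findings.append(f"{name} rose from {old} to {new}")
    if "Controlled Slip Seconds" in rising:
        findings.append(f"clock slips with clock source '{clock_source(after)}': "
                        "compare the clock source on both ports of the module")
    return findings


if __name__ == "__main__":
    print(channel_runs(ds0_map(AFTER)))
    for line in review(BEFORE, AFTER):
        print(line)
```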

Quick Start

This section provides the commands you must enter to quickly configure a G.703 interface or a DSX-1 interface on the ProCurve Secure Router. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 9-1 to locate the section and page number that contains the explanation you need.


Configuring the E1 + G.703 Module

Making the Physical Connection

1. Use unshielded twisted pair (UTP) cabling with RJ-48C connectors to connect the E1 interface to the CSU provided by your Public Telephone and Telegraph (PTT) authority.

2. Use crossover UTP cabling with RJ-48C connectors to connect the G.703 interface to the PBX.

Configuring the E1 Interface

When you configure a G.703 module, you first configure the E1 interface to handle data communications. As part of this configuration, you assign the number of channels that you will use for data to the E1 interface, and the remaining channels are automatically assigned to the G.703 interface.

In addition, you can configure the clock source (rather than simply accepting the default setting of line). For an E1 + G.703 module, the clock source is set only on the E1 interface.

To assign the channels to the E1 interface, complete these steps:

1. From the global configuration mode context, enter the following command:

Syntax: interface e1 <slot>/1

Replace <slot> with the slot number in which the module is installed. For example, if the module is in slot one, enter:

ProCurve(config)# interface e1 1/1

2. Use the following command to create a TDM group and assign it the number of channels used for data.

Syntax: tdm-group <number> timeslots <range of numbers>

When you divide channels between the E1 interface and the G.703 interface, you must create two groups of contiguous channels. Typically, you will reserve channel 16 and all subsequent channels for the G.703 interface. Enter:

ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-15

The remaining channels—in this case, channels 16-31—are automatically assigned to the G.703 interface.


3. If you want the E1 + G.703 module to take its clock source from the PBX, enter:

ProCurve(config-e1 1/1)# clock source through

This chapter includes only the steps for configuring the E1 interface that directly affect the G.703 interface. After you enter the tdm-group command, you must configure the other settings for the E1-carrier line. You must then configure the Data Link Layer protocol and bind the physical interface to the logical interface. For detailed information about configuring the E1 interface for data communications, see Chapter 4: Configuring E1 and T1 Interfaces.

Configuring the G.703 Interface

1. Access the E1 interface for the G.703 port:

Syntax: interface e1 <slot>/2

For example, if the E1 + G.703 module is in slot 1, enter:

ProCurve(config)# interface e1 1/2

2. Configure the line coding. You should match the line coding used on your PBX:

Syntax: coding [ami | hdb3]

The default setting is HDB3.

For example, to configure the line coding as AMI, enter:

ProCurve(config-e1 1/2)# coding ami

3. Configure frame format. If your PBX uses the E1 frame format, you do not need to enter any commands because this is the default setting. If your PBX uses the CRC4 frame format, enter:

Syntax: framing crc4

ProCurve(config-e1 1/2)# framing crc4

4. Configure TS16 signaling.

ProCurve(config-e1 1/2)# ts16

5. Activate the G.703 interface.

ProCurve(config-e1 1/2)# no shutdown


Configuring the T1 + DSX-1 Module

Making the Physical Connection

1. Use UTP cabling with RJ-48C connectors to connect the T1 interface to the wall jack provided by your public carrier.

2. Use crossover UTP cabling with RJ-48C connectors to connect the DSX-1 interface to the PBX.

Assigning the Channels to the T1 Interface

When you configure a DSX-1 interface, you first configure the T1 interface to handle the data communications. As part of this configuration, you assign the number of channels that you will use for data to the T1 interface, and the remainder of the channels are automatically passed to the DSX-1 module.

In addition, you can configure the clock source (rather than simply accepting the default setting of line). For a T1 + DSX-1 module, the clock source is set only on the T1 interface.

To assign the channels to the T1 interface, complete these steps:

1. From T1 interface configuration mode context, enter the following command:

Syntax: interface t1 <slot>/1

Replace <slot> with the slot number where the T1 module is housed. For example, if the T1 module is in slot 1, enter:

ProCurve(config)# interface t1 1/1

2. When you divide channels between the T1 interface and the DSX-1 interface, you must create two groups of contiguous channels. Use the following command to create a TDM group and assign it the number of channels used for data.

Syntax: tdm-group <number> timeslots <range of numbers>

For example, if you want to use channels 1-12 for data, enter:

ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-12

3. Configure the clock source for the interface. By default the clock source for the interface is through. To configure the T1 + DSX-1 interface to take the timing from the PBX, enter:

ProCurve(config-t1 1/2)# clock source line


This chapter includes only the T1 configuration steps that directly affect the DSX-1 interface. You must configure the other settings for the T1-carrier line, configure the Data Link Layer protocol, and bind the physical interface to the logical interface. For detailed information about configuring the T1 interface for data communications, see Chapter 4: Configuring E1 and T1 Interfaces.

Configuring the DSX-1 Interface

1. Access the T1 interface for the DSX-1 module:

Syntax: interface t1 <slot>/2

For example, if the T1 + DSX-1 module is in slot 1, enter:

ProCurve(config)# interface t1 1/2

2. Configure the line coding to match the coding used by the PBX. The default setting is B8ZS.

Syntax: coding [ami | b8zs]

For example, to configure the T1 interface to use the coding ami option, enter:

ProCurve(config-t1 1/2)# coding ami

3. Configure the frame format. The default setting is ESF.

Syntax: framing [d4 | esf]

For example, to configure the T1 interface to use D4, enter:

ProCurve(config-t1 1/2)# framing d4

4. Enter the cable length setting so that the Secure Router OS can establish the proper signal level. Enter:

Syntax: line-length <cable length>

Replace <cable length> with -7.5 or the length of the cable in feet, up to 655 feet.

5. Configure the signaling mode:

Syntax: signaling-mode [message-oriented | none | robbed-bit]

6. Activate the interface:

ProCurve(config-t1 1/2)# no shutdown


10

Bridging—Transmitting Non-IP Traffic or Merging Two Networks

Contents

Overview
  Transmitting Non-IP Traffic
  Merging Two Remote Networks
  Spanning Tree Protocol
Configuring Bridging
  Configuring a Bridge Group
  Assigning an Interface to the Bridge
  Disabling IP Routing
  Viewing the Bridge Table
Troubleshooting Bridging
Configuring Spanning Tree
  Overview
    STP BPDUs
    STP States
    RSTP Improvements
    RSTP and STP Compatibility
  Configuring RSTP
    Determining Which Device Becomes Root: Setting the Router’s Priority
    Determining Which Links Are Chosen: Setting Link Cost
    Setting Interface Roles
    Altering Timers
  Configuring STP
  Using the BPDU Filter to Disable STP or RSTP
Troubleshooting Spanning Tree
  Testing Spanning Tree
  Addressing Common Spanning Tree Problems
    Slow Convergence
    Incorrect Path Selection
Quick Start


Overview

The ProCurve Secure Router can function as a bridge as well as a router. A bridge, like a switch, is a Layer 2 device that operates at the Data Link Layer of the Open Systems Interconnection (OSI) model. A bridge connects two or more LAN segments together. Bridges and switches also minimize traffic on network segments by breaking up traffic areas, reducing data transmission delays, and increasing the efficiency of the network. A bridged network can provide traffic management by reducing collisions and limiting the amount of bandwidth wasted with unnecessary transmissions when routing is not necessary.

Each device connected by a bridge must be on the same logical network because Layer 2 devices translate and filter only hardware (MAC) addresses. Bridges and switches make forwarding and filtering decisions based on these MAC addresses; upper-Layer protocols—such as IP—are transparent to them.

Bridges can be categorized as either local or remote (see Figure 10-1). Local bridges provide connectivity for multiple LAN segments in one area. A remote bridge, on the other hand, connects LAN segments in different areas. Because remote bridges must connect geographically distant LAN segments, they have special design considerations, including the buffering of the LAN-to-WAN connection speed variation.

Figure 10-1. Local and Remote Bridges

[Diagram: LAN Segments 1 through 4 on network 172.16.0.0/16, connected by local bridges and remote bridges.]


The ProCurve Secure Router supports bridging using the IEEE 802.2 standards. You would configure a ProCurve Secure Router to act as a remote bridge to allow it to:

■ transmit non-IP traffic

■ merge two remote networks

Transmitting Non-IP Traffic

The ProCurve Secure Router only routes IP traffic. If one or more of the networks in a WAN use a different Layer 3 protocol, you must configure the router to bridge this traffic. The router will simply pass the traffic through interfaces in the bridge group without examining or modifying the Layer 3 header.

Layer 3 protocols that must be bridged include:

■ NetBIOS

■ IPX

■ AppleTalk

■ DecNet

Merging Two Remote Networks

When you configure the ProCurve Secure Router to act as a bridge, you extend a LAN through WAN connections. In essence, the WAN becomes a single LAN. The distance between the bridges does not matter; they connect segments of a single network.

However, practically, LAN connections transmit at much higher speeds than WAN connections. As you design your network, you should take this difference into account. While flooding messages between remote segments is logically equivalent to flooding them between local segments, sending messages to a remote segment costs more in terms of time and relative bandwidth as well as money.

Spanning Tree Protocol

When you configure the ProCurve Secure Router as a bridge, it loses its routing capabilities. Like a switch, it must run a spanning tree protocol to eliminate loops and respond to network topology changes. Bridged interfaces on the ProCurve Secure Router automatically run rapid spanning tree protocol (RSTP), IEEE 802.1W. If necessary, you can alter the default spanning tree settings. See “Configuring Spanning Tree” on page 10-11.


Configuring Bridging

You configure the ProCurve Secure Router to function as a bridge by assigning logical interfaces to be part of a bridge group. For example, you could assign the Ethernet interface and the Point-to-Point Protocol (PPP) interface to a bridge group, or you could assign the Ethernet interface and the Frame Relay subinterface to a bridge group.

When the router receives a packet on a bridged interface, it floods the packet out all interfaces in the bridge group. The router also stores the source MAC address of the packet in a bridge table, together with the interface from which it received the packet. When a packet arrives destined for that address, the router then knows through which interface to forward it. In this way, the router gradually learns how to forward traffic and contain packets.

Figure 10-2. Bridging Example

In Figure 10-2, networks at sites A, B, and C use IPX. The sites connect through a Frame Relay network. When configuring bridging for the traffic between these sites, you would assign the Ethernet interface and Frame Relay subinterfaces to the same bridge group. When Router A receives a packet from a local host on its Ethernet interface, it searches its bridge table for the entry corresponding to the packet's destination MAC address. It then transmits the packet out the correct Frame Relay subinterface, leaving the IPX header unexamined and intact. Router B receives the packet on its Frame Relay subinterface and transmits it out its Ethernet interface. The network at site B can now process the IPX packet.

[Figure 10-2 diagram: Router A, Router B, and Router C, each attached to an IPX LAN, connected through Frame Relay. Bridge table entry shown: MAC address 00:10:4B:A0:DF:8F, interface FR 1.16.]


To configure bridging, you must:

■ configure a bridge group

■ assign interfaces to the bridge group

■ disable IP routing, if you are bridging IP traffic

Note: The ProCurve Secure Router does not both route and bridge IP traffic. If you want to bridge IP traffic, you must disable IP routing.

However, the router can route IP traffic and bridge non-IP traffic at the same time. It can even route IP traffic and bridge non-IP traffic on the same Frame Relay or ATM interface. For example, you could configure Frame Relay subinterface 1.101 as part of a bridge group for non-IP traffic, but route IP traffic through Frame Relay subinterface 1.102.

Configuring a Bridge Group

You create bridge groups from the global configuration mode context. When you create the bridge, you must specify that it uses IEEE:

Syntax: bridge <group number> protocol ieee

The group number can be between 1 and 255. For example:

ProCurve(config)# bridge 1 protocol ieee

Assigning an Interface to the Bridge

You configure bridging on Data Link Layer interfaces. Typically, you will assign both LAN and WAN interfaces to the bridge group.

LAN interfaces include:

■ Ethernet interfaces

When you enable 802.1Q encapsulation on an Ethernet interface, you can no longer assign it to a bridge group; the interface can now carry traffic for multiple VLANs and you cannot bridge traffic between different VLANs.

WAN interfaces on which you can configure bridging include:

■ PPP interfaces

■ High-level Data Link Control (HDLC) interfaces

■ Frame Relay subinterfaces

■ Asynchronous Transfer Mode (ATM) subinterfaces


If you want to configure bridging between more than one switch, remember to assign both Ethernet interfaces to the bridge group. If the router is acting as a remote bridge to more than one remote site (for example, the headquarters router in the Frame Relay network shown in Figure 10-2), you should assign all WAN interfaces to the bridge.

You can also assign only WAN interfaces to a bridge, although you probably would not use this application. In this case, the router would simply act as a corridor between remote sites.

To assign an interface to a bridge group:

1. Move to the logical interface configuration mode context:

ProCurve(config)# int ppp 1

2. Assign the interface to the bridge group:

Syntax: bridge-group <group number>

For example:

ProCurve(config-ppp 1)# bridge-group 1

Note: Only one interface in the bridge group should have an IP address. You should remove all IP addresses from other interfaces before configuring the bridge.

Note: Remember that every host in a bridged network must be on the same subnet.

If you want to bridge traffic between hosts on multiple subnets, you can change the subnet mask so that all hosts are on the same subnet. You could also enable a different bridge group on interfaces connecting to different subnets. However, in the second case these subnets will not communicate with each other unless a different device supports routing between the subnets.

Disabling IP Routing

The router cannot both route and bridge IP traffic. You must disable IP routing when the router acts as a remote bridge to join two sites using addresses on the same IP network.

Enter the following command to disable IP routing:

ProCurve(config)# no ip routing


Rather than use the router as a bridge in this situation, you could use variable-length subnetting to divide the network into two subnets. This solution works when the sites include contiguous, evenly divided addresses. For example, in Figure 10-3 an organization uses network 192.168.1.0 /24. Site A uses addresses 192.168.1.1 through 192.168.1.127 and Site B uses addresses 192.168.1.128 through 192.168.1.254. You could divide the subnet into subnets 192.168.1.0 /25 and 192.168.1.128 /25.

Figure 10-3. Variable-Length Subnetting

Viewing the Bridge Table

The ProCurve Secure Router stores information about how to forward bridged packets in a bridge table. To view the bridge table, move to the enable mode context and enter:

Syntax: show bridge <group number>

For example:

ProCurve# show bridge 1

Note: You must either enter show commands from the enable mode context or add do to the command. For example, to view the bridge table from the global configuration mode context, you would enter do show bridge.

The bridge table contains MAC addresses for hosts in the bridged network and the interface through which the router connects to these hosts. It also displays the age of the entry and the number of frames transmitted to and received from the host. (See Figure 10-4.)

[Figure 10-3 diagram: Router A at Site A (subnet 192.168.1.0 /25, addresses 192.168.1.1 - 192.168.1.127) and Router B at Site B (subnet 192.168.1.128 /25, addresses 192.168.1.128 - 192.168.1.254).]


Figure 10-4. Viewing a Bridge Table

ProCurveSR7102dl# show bridge 1
Bridge Group 1:
Total of 1024 station blocks, 1024 free
Code: P - permanent

Address            Action   Interface  Age  RX count  TX count
00:10:4B:A0:DF:8F  forward  fr 1.16    2    41        10
00:D0:59:24:43:B5  forward  eth 0/1    0    8         0

Callouts in the figure:

■ Address: Host identified by MAC address

■ Interface: Host can be reached through this interface

■ RX count and TX count: Packets received from and sent to the host

You can also view specific portions of the bridge table. Use the commands shown in Table 10-1.

Table 10-1. Viewing Portions of the Bridge Table

| Display Hosts Connected Through | Command Syntax |
|---|---|
| a specific bridge group | show bridge <group number> |
| a specific Ethernet interface | show bridge ethernet <slot>/<port> |
| a specific PPP interface | show bridge ppp <interface number> |
| a specific Frame Relay subinterface | show bridge frame-relay <subinterface number> |
| a specific HDLC interface | show bridge hdlc <interface number> |

If necessary, you can manually add a host to the bridge table with this global configuration mode context command:

Syntax: mac address-table static <mac address> bridge <group number> <interface ID>

Identify the host by its MAC address and enter the number of the bridge group and the forwarding interface.


Troubleshooting Bridging

When traffic is not able to reach its destination, follow this standard troubleshooting process:

1. Check the Physical Layer:

a. If the Stat LED for the carrier line’s module slot is green, the physical line is up. Move to the second step.

b. If the Stat LED for the line is red, the physical line is down. Check for bad cables, then for configuration mismatches. (For more detailed instructions, see “Troubleshooting an Ethernet Interface” on page 3-24, “Troubleshooting E1 and T1 WAN Connections” on page 4-30, “Troubleshooting a Serial Connection” on page 5-17, or “Troubleshooting the ADSL Connection” on page 7-46.)

2. Check the Data Link Layer:

a. View the status of logical interfaces, including Ethernet interfaces. For example:

ProCurve# show interface frame-relay 1

b. If the interface is up, move to step 3.

c. If the interface is down, follow the troubleshooting tips in “Troubleshooting an Ethernet Interface” on page 3-24, “Troubleshooting Logical Interfaces” on page 6-58, or “Troubleshooting the ATM Interface” on page 7-48.

3. Check that all interfaces that should be members of a bridge group are members. View the running-config for the interface and look for the bridge group number:

ProCurve# show run int eth 0/1

4. If an interface refuses to join a bridge group, try removing other interfaces from the group (enter no bridge-group <group number> from the interface configuration mode context). Then configure the Ethernet interface to join the bridge group first.

5. If you are using the bridge to connect remote sites using addresses on the same subnet, you should disable IP routing. Verify that IP routing has been disabled:

ProCurve# show running-config


6. Verify that all hosts participating in a bridge group are on the same subnet. You can also try viewing the bridge table. If the table does not show entries for an interface, this is a good hint that the devices on the other end of that connection are on a different subnet.

7. The bridge runs more smoothly if you remove IP addresses from every interface in the bridge except one. For example, you can assign only the Ethernet interface an IP address. Enter show ip interfaces and verify that WAN interfaces in the bridge group do not have IP addresses.
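Steps 3, 5, and 7 above can be checked in one pass over saved show running-config output. The script below is an added example, not part of the guide or the Secure Router OS; the sample configurations are constructed, and the stanza layout (an interface line followed by indented commands) and the ip address line are assumptions about the output format.

```python
"""Audit a saved running-config for the bridging rules in this chapter."""
import re


def parse_config(text):
    """Collect bridge groups, the IP routing state, and per-interface settings."""
    cfg = {"groups": set(), "ip_routing": True, "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                 # global configuration line
            current = None
            created = re.match(r"bridge (\d+) protocol ieee$", line)
            if created:
                cfg["groups"].add(int(created.group(1)))
            elif line == "no ip routing":
                cfg["ip_routing"] = False
            elif line.startswith("interface "):
                name = line[len("interface "):]
                current = cfg["interfaces"].setdefault(
                    name, {"group": None, "has_ip": False})
        elif current is not None:                # indented line inside an interface
            joined = re.match(r"bridge-group (\d+)$", line)
            if joined:
                current["group"] = int(joined.group(1))
            elif line.startswith("ip address "):
                current["has_ip"] = True
    return cfg


def audit(text, bridging_ip=True):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_config(text)
    findings = []
    members = {}
    for name, intf in cfg["interfaces"].items():
        if intf["group"] is None:
            continue
        members.setdefault(intf["group"], []).append(name)
        if intf["group"] not in cfg["groups"]:   # step 3: group must exist
            findings.append(
                f"{name}: bridge-group {intf['group']} has no matching "
                f"'bridge {intf['group']} protocol ieee'")
    for group, names in sorted(members.items()):
        addressed = [n for n in names if cfg["interfaces"][n]["has_ip"]]
        if len(addressed) > 1:                   # step 7: one IP address per group
            findings.append(
                f"bridge {group}: more than one interface has an IP address: "
                + ", ".join(addressed))
    if bridging_ip and members and cfg["ip_routing"]:   # step 5
        findings.append("IP routing is enabled; enter 'no ip routing' to bridge IP traffic")
    return findings


# Constructed sample: two addressed interfaces, a missing group, routing left on.
SAMPLE_BAD = """\
bridge 1 protocol ieee
!
interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  bridge-group 1
!
interface fr 1.16
  ip address 192.168.1.2 255.255.255.0
  bridge-group 1
!
interface ppp 1
  bridge-group 2
"""

# Constructed sample with the three problems corrected.
SAMPLE_GOOD = """\
no ip routing
bridge 1 protocol ieee
!
interface eth 0/1
  ip address 192.168.1.1 255.255.255.0
  bridge-group 1
!
interface fr 1.16
  bridge-group 1
!
interface ppp 1
  bridge-group 1
"""

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, audit(sample) or "no findings")
```

Pass bridging_ip=False when the bridge group carries only non-IP traffic, since the router can then keep routing IP.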

Configuring Spanning Tree

When the router acts as a bridge, it automatically enables Rapid Spanning Tree Protocol (RSTP), or IEEE 802.1W. RSTP eliminates network loops and is fully backwards compatible with Spanning Tree Protocol (STP), or IEEE 802.1D.

The router only supports RSTP and STP when it acts as a bridge. The following interfaces join the spanning tree when they join a bridge group:

■ Ethernet interfaces

■ Frame Relay subinterfaces

■ ATM subinterfaces

Often, the router will be able to run RSTP adequately without additional configuration: the default settings match most WAN topologies.

You can configure spanning tree functions on the router in order to:

■ raise the router’s priority for being elected root device

■ change the cost of a connection

■ connect the router to an edge device

■ connect the router to a hub

■ have the router run STP

Configuring spanning tree on a WAN router is usually simpler than configuring it on a switch. A switch might provide many connections—some redundant, some necessary, some faster, some slower, some to end users, some to another switch, some to a hub. The ProCurve Secure Router typically has fewer connections—and these only to other routers and switches—and is part of few or no loops. Therefore, you need not understand STP and RSTP in great technical depth.


The overview provides a brief background in STP and RSTP for those who want to learn more about how the protocols function.

Overview

Network devices in a Data Link Layer network, such as bridges and switches, run STP or RSTP. Bridged interfaces on the ProCurve Secure Router also participate in the spanning tree protocol. The protocol helps devices to generate a loopless topology.

Unlike routers, switches do not time out messages. Loops in a network topology can lead to duplicated messages and broadcast storms, which can bring a network down. However, the redundant links that cause loops can also be desirable: they protect against loss of connectivity when a connection fails.

STP allows network devices to generate a shared loopless topology, blocking all redundant links. However, if active connections fail, redundant links can become active for as long as the original path is down.

RSTP is now the spanning tree standard. It improves convergence time to less than one second and is the recommended implementation.

STP BPDUs

Devices running STP send and listen for configuration bridge protocol data units (BPDUs) to determine the spanning tree topology. Each BPDU includes:

■ the identifier (priority plus MAC address) of the source port

■ the identifier of the root device

■ the cost between the source port and root device

Using these BPDUs, each device can determine:

■ Which device is root—The root is the device from which the tree topology originates. All ports on the root must remain active. When STP is originally implemented, each device believes that it is the root. In the initial exchange of BPDUs, the device with the lowest identifier is elected root. You can ensure that a router interface is elected by lowering its priority number.

■ Which switch provides the local device the best connection to the root—This switch becomes the device’s designated switch.

■ Which port provides the best connection to the designated switch—This becomes the root port.


A device then marks the following ports for activation (forwarding frames):

■ the root port

■ designated ports—which connect to devices that consider the local device as their designated switch (and ports that connect to end users)

All other ports become inactive.

The root device periodically sends BPDUs. If the router is root, these BPDUs will consume some bandwidth. Other devices only send topology change notification BPDUs (TCN BPDUs).

When a device receives a TCN BPDU, it re-evaluates which ports are marked for activation. If necessary, it transmits its own TCN BPDU, informing other devices of the change. The port (or ports) through which the device transmits a BPDU is not necessarily the one that received the BPDU that prompted the change.

Devices determine which ports process BPDUs, learn information about the network topology, forward BPDUs, and forward network traffic according to the ports’ STP state.

STP States

STP includes the following port states:

■ disabled

■ blocking

■ listening

■ learning

■ forwarding

In a stable network, all ports are in either the forwarding or blocking state. Only ports in the forwarding state forward frames. Ports in the blocking state are not considered part of the network topology.

Note: When using STP, it is important to understand the difference between disabled and blocking ports. Neither type forwards frames or learns addresses. Neither processes or transmits BPDUs. However, blocking ports receive BPDUs, while disabled ports do not. If you disable a port, it will not participate in STP at all.


When a change in network topology makes STP determine that a new port must become active, the port first passes through the listening and learning states. (When STP is initially enabled and devices exchange configuration BPDUs, all ports move through the listening and learning states until STP determines whether they should become blocked or forwarding ports.)

In the listening state, the port processes BPDUs to determine whether it is indeed the best connection to the root. If within 15 seconds it does not receive a BPDU advertising a better connection, the port enters the learning state.

In the learning state, the port begins to transmit BPDUs as well as receive them. This notifies other active ports of its presence, and the learning port becomes part of the network topology. The port also listens for frames to build up its address database. After 15 seconds, it enters the forwarding state and begins to forward traffic. (If the port receives a better BPDU than it can transmit during this interval, it returns to blocking.)

As you can see, the process of a port moving from blocked to forwarding can be quite lengthy. A network running STP usually takes a minute to converge after a link failure, and the network outage during this delay is not acceptable for many environments.

RSTP Improvements

RSTP can reduce convergence time to less than 1 second.

RSTP does not always force ports to go through the listening and learning states and removes the distinction between blocked and disabled ports.

RSTP speeds convergence by:

■ defining new roles for certain ports:

• edge ports

• backup ports

• alternate ports

• ports on a point-to-point connection

■ using sync to activate point-to-point ports

■ immediately purging old information

New Roles. In RSTP, edge ports immediately become forwarding ports; they must forward frames because they are the only connection to the end client. You can configure ports on the ProCurve Secure Router to be edge ports (although this is not a typical application for the router). Important configurations for edge ports are BPDU guards and filters, which keep the router from receiving BPDUs from user software or rogue devices.

Blocking ports are divided into backup and alternate ports. Backup ports provide a redundant connection to the root through a different device. Alternate ports provide a redundant connection to the root through the same device. If the root port goes down, alternate ports are allowed to move rapidly into the forwarding state.

Ports on a point-to-point connection can use the rapid sync method to move into the forwarding state. On the ProCurve Secure Router, ports will almost always be on point-to-point connections. You can configure this setting, or you can leave the interface at its default auto setting, which defines full-duplex interfaces as point-to-point ports.

Sync. STP assumes that devices best decide which ports to activate by collecting a great deal of information about the network. Therefore, it sets conservative timers for listening for TCN BPDUs. Ports were forced to spend 30 seconds passing through the listening and learning phases before they could begin to forward user traffic.

Many devices now connect through point-to-point connections rather than through shared media. RSTP relies on the fact that the single neighbor at the other end can refuse to activate a link if it has a better connection. Rather than wait 30 seconds collecting information, a port can start forwarding user traffic after a single rapid exchange with its neighbor.


Figure 10-5. Asserting Sync

When network topology changes, devices assert sync to propagate new paths in an ordered flow from devices closer to the root to devices further from the root. A device sends a BPDU to a neighbor on a potential designated port. The BPDU has a proposal flag set, which requests that the two ports immediately transition to the forwarding state. If the neighbor determines that this BPDU is best (the transmitting port is closest to the root), it replies with an agreement BPDU. The neighbor also asserts sync: it makes the port on which it received the BPDU its root port and shuts down all other ports except edge ports.

The neighbor then sends its own proposal BPDUs through the blocked ports. If a neighboring device determines that the connection is best, it brings up its port as root port and continues the process. Otherwise, it sends a non-acknowledgement, and ports on both sides of the link enter the blocking state.

In this way, topology changes propagate rapidly from the root through to edge nodes.

[Figure 10-5 diagram, two panels: “1. The network is stable.” and “2. A new link is added.” Devices shown: Root bridge, Bridge A, Bridge B. Port labels: Root, Designated, Blocking. Event labels: Sync, Reject.]


For example, in Figure 10-5, a connection is added between Bridge B and the root. The root bridge first asserts sync with Bridge B. Bridge B blocks its connection to Bridge A. Bridge B attempts to assert sync with Bridge A, but Bridge A rejects the offer because it has a better connection to the root. The link between Bridge A and Bridge B remains blocked.

Immediate Purging. In STP, when devices receive a TCN BPDU withdrawing an entry, they set the timer for the entry in the database to short. Only when this timer expires do they flush the entry. In RSTP, devices purge old information as soon as they receive a BPDU indicating a topology change.

RSTP and STP Compatibility

RSTP is designed to be compatible with STP. Even if the LAN is using STP, you should enable RSTP on your router. RSTP automatically detects ports connected to non-RSTP devices and communicates with those devices using 802.1D STP BPDU packets.

Because RSTP is so much more efficient at establishing the network path, it is highly recommended that all your network devices be updated to support RSTP.

Configuring RSTP

RSTP is automatically activated on these interfaces when they act as bridge ports:

■ Ethernet interfaces

■ Frame Relay subinterfaces

■ ATM subinterfaces

You should typically run a spanning tree protocol on these interfaces to prevent the router from handling more traffic than it must. PPP and HDLC interfaces do not participate in the spanning tree.

For most networks, RSTP runs smoothly without any further configuration. However, you can also:

■ set the router’s priority to influence the election of the root device

■ set link cost to influence the selection of a link

■ set roles for interfaces

■ alter timers


Determining Which Device Becomes Root: Setting the Router’s Priority

Spanning tree bridges elect the device with the lowest ID as the root. A bridge’s ID consists of its priority value plus its MAC address. By default, all interfaces on the router have a priority of 32,768 (the standard default setting). Unless you alter the priority setting, the switch with the lowest MAC address becomes root.

Default settings, then, leave much to chance. A relatively unimportant device may become root for an entire WAN. Your organization’s IT staff should agree on a hub router to become root for the bridged WAN. Lower this router’s priority with this global configuration mode command:

Syntax: spanning-tree priority <value>

Valid values are from 0 to 63535. Remember that lower values grant higher priority.

Determining Which Links Are Chosen: Setting Link Cost

A BPDU includes the cost of the connection from the source of the BPDU to the root device. Devices calculate this cost from the cost of all intervening links. A device chooses which interface to make its root port according to which interface receives the BPDU with the lowest cost.

A WAN router may have several connections with widely varying link speeds—for example, a 100-Mbps connection to a switch and 3.0-Mbps connection carried on two T1-carrier lines to a Frame Relay network. Assigning a higher cost to the low-speed connection allows the router to take this discrepancy into account when calculating best paths.

The Secure Router OS automatically calculates path cost from bandwidth, and this setting is usually adequate. However, you may also want to consider the monetary cost of a link. If you are using a connection as a redundant link, you should raise its cost to keep the router from choosing it as its primary link.

To change the cost of a connection, move to the logical interface configuration mode context for that link. Enter this command:

Syntax: spanning-tree path-cost <value>

Valid values are from 1 to 63,535. Remember to raise the cost for lower-speed or redundant connections.


Another way to force the router to choose one connection over another is to set the port priority. The router only uses this value to choose between two interfaces that have equal cost connections to the root. To set a logical interface’s port priority, enter:

Syntax: spanning-tree port-priority <value>

Valid values are between 1 and 255. Remember that lower values grant higher priority to the connection. You can only enter values in increments of 16.
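The election and link-selection rules from the two sections above, worked through on a three-bridge loop like the one in Figure 10-5. This is an added example, not code from the guide or the Secure Router OS: bridge names, MAC addresses, and costs are constructed, the default port priority of 128 is an assumption, and the tie-break is simplified to path cost, then the neighbor's bridge ID, then port priority.

```python
"""Simplified spanning tree calculation on a constructed topology."""
import heapq

DEFAULT_PRIORITY = 32768       # default bridge priority given in the guide
DEFAULT_PORT_PRIORITY = 128    # assumption: not stated in the guide


def bridge_id(bridge):
    """Bridge ID = priority followed by MAC address; the lowest ID wins."""
    return (bridge["priority"], bytes.fromhex(bridge["mac"].replace(":", "")))


def peer(link, name):
    a, b = link["ends"]
    return b if a == name else a


def root_path_costs(root, bridges, links):
    """Dijkstra over link costs: the cost a BPDU accumulates on its way from the root."""
    cost = {name: float("inf") for name in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, name = heapq.heappop(heap)
        if c > cost[name]:
            continue
        for link in links:
            if name in link["ends"]:
                other = peer(link, name)
                if c + link["cost"] < cost[other]:
                    cost[other] = c + link["cost"]
                    heapq.heappush(heap, (cost[other], other))
    return cost


def spanning_tree(bridges, links):
    """Return (root, root_link, blocked).

    root_link maps each non-root bridge to the index of the link holding its root port.
    blocked maps each redundant link index to the bridge whose port stays blocked.
    """
    root = min(bridges, key=lambda name: bridge_id(bridges[name]))
    cost = root_path_costs(root, bridges, links)
    root_link = {}
    for name in bridges:
        candidates = [
            (cost[peer(link, name)] + link["cost"],             # lowest cost to root
             bridge_id(bridges[peer(link, name)]),              # then better neighbor
             link.get("port_priority", DEFAULT_PORT_PRIORITY),  # then port priority
             index)
            for index, link in enumerate(links) if name in link["ends"]
        ]
        if name != root and candidates:
            root_link[name] = min(candidates)[3]
    blocked = {}
    for index, link in enumerate(links):
        if index not in root_link.values():
            # The end farther from the root (or with the higher ID) blocks its port.
            blocked[index] = max(
                link["ends"], key=lambda n: (cost[n], bridge_id(bridges[n])))
    return root, root_link, blocked


def sample_wan(hq_priority=DEFAULT_PRIORITY, hq_site_b_cost=100):
    """Constructed three-site loop: a hub router (hq) and two remote sites."""
    bridges = {
        "hq":     {"priority": hq_priority,      "mac": "02:00:00:00:00:30"},
        "site_a": {"priority": DEFAULT_PRIORITY, "mac": "02:00:00:00:00:10"},
        "site_b": {"priority": DEFAULT_PRIORITY, "mac": "02:00:00:00:00:20"},
    }
    links = [
        {"ends": ("hq", "site_a"), "cost": 100},             # link 0
        {"ends": ("hq", "site_b"), "cost": hq_site_b_cost},  # link 1
        {"ends": ("site_a", "site_b"), "cost": 100},         # link 2
    ]
    return bridges, links


if __name__ == "__main__":
    scenarios = [
        ("all defaults", {}),
        ("hq priority lowered to 4096", {"hq_priority": 4096}),
        ("hq priority 4096, hq-site_b cost raised to 300",
         {"hq_priority": 4096, "hq_site_b_cost": 300}),
    ]
    for label, kwargs in scenarios:
        root, root_link, blocked = spanning_tree(*sample_wan(**kwargs))
        print(f"{label}: root={root} root_link={root_link} blocked={blocked}")
```

With all defaults the remote site with the lowest MAC address becomes root and the hub's own link to the other site is blocked; lowering the hub's priority and raising the cost of the redundant link puts both choices under your control.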

Setting Interface Roles

RSTP allows you to define special characteristics for certain ports. These categories speed convergence. Edge ports immediately begin to forward frames. Point-to-point interfaces use sync for rapid activation. (See “RSTP Improvements” on page 10-14 for more information.)

It is important that interfaces be set to the proper role so that the router can capitalize on RSTP improvements. The ProCurve Secure Router automatically assigns interfaces the roles that they will almost always play.

Interfaces automatically determine whether they are on point-to-point or shared media connections according to the duplex setting. However, if the router connects to a hub, you can manually force the connecting interface to the shared media role.

If the router connects to an end device, you should configure edge port settings.

Configuring an Edge Port. The edge port designation allows interfaces that connect to end devices to immediately enter the forwarding state. This prevents applications on the end device from timing out while they wait for their default gateway to come up. Currently, you will almost always connect your ProCurve Secure Router to a core switch or comparable device, so the edge port option is disabled by default.

However, the ProCurve Secure Router does support edge port capabilities. You can enable these capabilities either globally or on an individual interface. Use the commands shown in Table 10-2.


Table 10-2. Defining Edge Ports

| Function | Command Syntax | CLI Context |
|---|---|---|
| define all spanning tree interfaces on the router as edge ports | spanning-tree edgeport default | global configuration mode |
| define all spanning tree interfaces on the router as non-edge ports (default setting) | no spanning-tree edgeport default | global configuration mode |
| enable an Ethernet interface to act as an edge port (overrides global setting) | spanning-tree edgeport enable | Ethernet interface configuration mode |
| prevent an Ethernet interface from acting as an edge port (overrides global setting) | spanning-tree edgeport disable | Ethernet interface configuration mode |
| enable a Frame Relay or ATM subinterface to act as an edge port (overrides global setting) | spanning-tree edgeport | Frame Relay or ATM subinterface configuration mode |
| prevent a Frame Relay or ATM subinterface from acting as an edge port (overrides global setting) | no spanning-tree edgeport | Frame Relay or ATM subinterface configuration mode |

This global configuration mode command defines all interfaces assigned to a bridge group as edge ports:

Syntax: spanning-tree edgeport default

The default setting is no spanning-tree edgeport default. In the default setting, interfaces do not act as edge ports. Generally, you should leave this global setting and simply override it for the interface that connects to the end device.

Note: The command to enable an Ethernet interface to act as an edge port is slightly different from the command to enable Frame Relay or ATM subinterfaces to act as edge ports.

To override the global setting for Ethernet interfaces, move to the Ethernet configuration mode context and enter:

Syntax: spanning-tree edgeport [enable | disable]

Enter the command with the enable option to allow the interface to act as an edge port. If you have configured a global setting that defines all interfaces as edge ports, the disable option overrides this setting.


To enable Frame Relay and ATM subinterfaces to act as edge ports, move to the logical interface configuration mode context and enter:

Syntax: spanning-tree edgeport

When the global setting defines all interfaces as edge ports by default, use the no form of the command to disable the edgeport setting on the individual subinterface.

You should consider implementing the BPDU guard on edge ports. End devices should not participate in the spanning tree. However, a user running software that implements STP or RSTP can join spanning tree and disrupt the network. If the default priority setting on the user software is low, the end device can even become the root. The BPDU guard prevents the router interface from receiving BPDU messages from the end device. It also prevents the interface from being connected to an unauthorized switch.

You configure the BPDU guard on an individual logical interface with this command:

Syntax: spanning-tree bpduguard [enable | disable]

Use the enable option to activate the guard.

You can also configure the BPDU guard on all interfaces from the global configuration mode context:

Syntax: spanning-tree edgeport bpduguard default

You can then override this setting for an individual interface by entering this form of the command from the interface configuration mode context:

ProCurve(config-fr 1.1)# spanning-tree bpduguard disable

Configuring an Interface for a Point-to-Point Versus a Shared Connection. RSTP must know whether an interface uses a point-to-point or shared connection to implement sync.

Point-to-point interfaces use sync to rapidly transition from discarding to forwarding frames. One interface sends a BPDU proposing that it become the neighbor’s designated switch. If the neighbor agrees, both interfaces become immediately active.

Interfaces on shared media, which reach more than one neighbor on the same connection, cannot exchange sync BPDUs to activate a connection.


By default, the ProCurve Secure Router uses the auto option to determine the connection type. RSTP assumes that full-duplex interfaces are point-to-point and half-duplex interfaces are shared.

If, for whatever reason, you must override this setting, move to the logical interface’s configuration mode context and enter this command:

Syntax: spanning-tree link-type [auto | point-to-point | shared]

For example, the Ethernet interface 0/1 connects to a hub. Enter:

ProCurve(config-eth 0/1)# spanning-tree link-type shared

Altering Timers

Caution: You should not alter spanning tree timers unless you have a great deal of experience working with spanning tree.

You configure the timers from the global configuration mode context. Use the commands shown in Table 10-3.

Table 10-3. Spanning Tree Timers

| Timer | Function | Default | Range | Command Syntax |
|---|---|---|---|---|
| forward timer | minimum time between forwarding BPDUs | 15 seconds | 4 to 30 | spanning-tree forward-time <seconds> |
| hello timer | time between hellos | 2 seconds | 0 to 10 | spanning-tree hello-time <seconds> |
| maximum age timer | how long a BPDU remains valid | 20 seconds | 6 to 40 | spanning-tree max-age <seconds> |

Forward Timer. The forwarding interval determines how long a device waits to forward BPDUs. With STP, this setting determines how long the device stays first in the listening and then in the learning stage.

Hello Timer. Interfaces periodically transmit hellos. If an interface misses three hellos, neighbors assume the connection is down and send out TCN BPDUs to this effect. Take care when altering this timer because incompatible settings can cause devices to believe a connection is down when it is not.


Maximum Age Timer. BPDUs include a maximum age timer. Devices discard information received from a BPDU when this timer expires. With STP, the timer determines how long a device will wait to receive information about a connection from the root before assuming the connection is down.

Configuring STP

It is highly recommended that you implement RSTP, which can reduce network convergence time from more than a minute to less than a second. RSTP is fully compatible with STP, so the router can use it even when some devices on the local network only run STP. When an interface detects STP BPDUs, the router implements STP on that interface. (RSTP improvements will not be enabled for that segment of the network.)

However, the ProCurve Secure Router does support STP, if, for whatever reason, you decide to implement it.

To configure STP, you must:

■ change the spanning tree version to STP

Move to the global configuration mode context and enter this command:

ProCurve(config)# spanning-tree mode stp

Syntax: spanning-tree mode [stp | rstp]

You can also:

■ set the router’s priority to influence the election of the root device

■ set link cost to influence the selection of a link

■ alter STP timers

You configure these options exactly as you would for RSTP. See “Determining Which Device Becomes Root: Setting the Router’s Priority” on page 10-18, “Determining Which Links Are Chosen: Setting Link Cost” on page 10-18, and “Altering Timers” on page 10-22. When deciding on the root device, remember that it will be the only device to periodically flood BPDUs.

Using the BPDU Filter to Disable STP or RSTP

The BPDU filter prevents interfaces from receiving and transmitting BPDUs. With it, you can remove the entire router from the spanning tree or you can remove a single interface.


In a test environment, the filter keeps all connections up so that you can test them.

Caution: You should not use the global BPDU filter on a live network.

When you enable the filter from the global configuration mode context, the filter applies to all interfaces on the router. Enter this command:

Syntax: [no] spanning-tree edgeport bpdufilter default

To configure an interface to override the global BPDU filter, move to its interface configuration mode context and enter this command:

Syntax: spanning-tree bpdufilter [enable | disable]

The enable option removes the interface from the spanning tree. The disable option enables an interface to run a spanning tree protocol on a router that blocks it globally. Because the router should always run RSTP or STP, you will very rarely use this option.

Troubleshooting Spanning Tree

This section describes how to test and troubleshoot the router’s spanning tree functions.

Note: You must enter show and debug commands from the enable mode context or preface the command with do.

Testing Spanning Tree

You can run spanning tree debug commands to test a router’s spanning tree functions. (Generally, you will not use these debug commands in a live network.) You can view debug messages to verify that:

■ the router chooses the correct primary connection

■ appropriate interfaces move quickly into the forwarding state

■ when a connection goes down, the network converges within one or two seconds

The syntax for the debug commands is shown in Table 10-4.

Table 10-4. Spanning Tree debug Commands

| View | Command Syntax |
|---|---|
| general messages | debug spanning-tree general |
| messages when configuration changes occur | debug spanning-tree config |
| periodic hellos and messages when a change in topology occurs | debug spanning-tree events |
| all BPDUs received | debug spanning-tree bpdu receive |
| all BPDUs transmitted | debug spanning-tree bpdu transmit |
| all BPDUs transmitted and received | debug spanning-tree bpdu all |

The debug spanning-tree events command displays messages dealing with reconvergence when the network topology changes. When you enter the debug spanning-tree command with one of the bpdu options, the terminal displays a message every time an interface sends or receives a BPDU, or both.

Caution: The debug spanning-tree events and debug spanning-tree bpdu commands are particularly draining on the processor.

You can also use the BPDU debug commands to determine whether interfaces are actually participating in the spanning tree. If interfaces are not receiving BPDUs at all, you should check the running-config for an inadvertently applied BPDU guard or filter.

Addressing Common Spanning Tree Problems

Problems with spanning tree include slow convergence and routers selecting the wrong primary connection.

Some problems may be caused by other switches on the local network.

You can view information that will help you troubleshoot with this enable mode command:

Syntax: show spanning-tree [<bridge group number>] [realtime]


You enter the command without any options to view the following spanning tree information for all bridge groups:

■ root ID

■ timers

■ bridge ID

■ interfaces:

• role

• status

For example, Figure 10-6 displays the spanning tree instance for bridge group 1.

ProCurve# show spanning-tree
STP 0
 Bridge Group 1
 Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
 Root ID    Priority 32768
            Address 00:12:79:05:25:b0
            Cost 19
            Port 1 (eth 0/1)
            Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

 Bridge ID  Priority 32768
            Address 00:12:79:05:25:d4
            Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
eth 0/1          Root FWD 19        128.1    P2p
fr 1.1           Altn BLK 651       128.2    P2p

Currently the Frame Relay subinterface 1.1 provides a redundant connection to the root and cannot forward frames.

Figure 10-6. Viewing Spanning Tree Information

When the router supports more than one bridge, you may want to view only the information for the bridge group in question. Enter the command with the bridge group number.


You can enter the command with the realtime option to view periodic updates of the spanning tree information without re-entering the command. The CLI displays the information in a new screen. You can exit the screen by pressing Ctrl+C. You can also pause and restart the display of the updates. (See Figure 10-7).

--------------------------------------------------------------------
STP 0
 Bridge Group 1
 Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
 Root ID    Priority 32768
            Address 00:12:79:05:25:b0
            Cost 651
            Port 2 (fr 1.1)
            Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

 Bridge ID  Priority 32768
            Address 00:12:79:05:25:d4
            Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
fr 1.1           Desg LIS 651       128.2    P2p
--------------------------------------------------------------------
Exit - 'Ctrl-C', Freeze - 'f', Resume - 'r'

Callouts: Exit returns to the command line; Freeze and Resume stop and start the refresh.

Figure 10-7. Viewing Real-Time Spanning Tree

Slow Convergence

The best way to solve slow convergence is to update all network devices from STP to RSTP.

When a router running RSTP connects to an STP device, it automatically runs STP on that interface. If you have recently updated network devices to RSTP, you may need to force connecting router interfaces to stop running STP. Use this enable mode command:

Syntax: clear spanning-tree detected-protocol [interface ethernet <slot>/<port>]


You can force the entire router to return to RSTP by simply entering clear spanning-tree detected-protocol. Or you can force the single interface that connects to the updated device. For example:

ProCurve# clear spanning-tree detected-protocol interface eth 0/1

Relatively slow convergence with RSTP may be caused by incorrectly configured point-to-point interfaces. View the status for each bridged interface and make sure that it is using full duplex. The router should automatically assign it the point-to-point role. If necessary, force this role by entering this command in the logical interface configuration mode context:

ProCurve(config-fr 1.1)# spanning-tree link-type point-to-point

Incorrect Path Selection

Devices may choose paths that seem illogical for several reasons:

■ an end device or rogue device has been elected root

■ connections are configured with an inappropriate cost

■ a guard or filter has been applied to an interface

When an interface connects to an end device, enable the BPDU guard so that the router refuses BPDUs from it. Otherwise, software running on the device may cause it to be elected root. (You can view what device has actually been elected root with the show spanning-tree command.)

The router selects the primary connection according to which connection provides the lowest-cost link to the root. The show spanning-tree command displays which interfaces are active (status = FWD). You can force the router to select a specific connection by lowering its cost.

You can also assign two equivalent connections the same cost, but still have the router choose one as primary and one as redundant. Simply lower the port priority for the primary connection. (See “Determining Which Links Are Chosen: Setting Link Cost” on page 10-18.) Again, the show spanning-tree command displays the cost and priority for each interface in the bridge.
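The root and interface checks described above can be run against captured show spanning-tree output. The following Python script is an added example, not part of the original guide; the sample text is constructed from the Figure 10-6 output, and the expected root address and the list of edge ports are values you supply.

```python
import re

# Constructed sample, modelled on the Figure 10-6 output in this guide.
SAMPLE_OUTPUT = """\
STP 0
 Bridge Group 1
 Spanning Tree enabled protocol ieee 802.1w (Rapid Spanning-Tree)
 Root ID    Priority 32768
            Address 00:12:79:05:25:b0
            Cost 19
            Port 1 (eth 0/1)
            Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

 Bridge ID  Priority 32768
            Address 00:12:79:05:25:d4
            Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
eth 0/1          Root FWD 19        128.1    P2p
fr 1.1           Altn BLK 651       128.2    P2p
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
# One interface row: name, role, status, cost, priority.number, type.
ROW_RE = re.compile(
    r"^(\w+ [\d/.]+)[ \t]+(\w+)[ \t]+(\w+)[ \t]+(\d+)[ \t]+(\d+)\.(\d+)[ \t]+(\S+)[ \t]*$",
    re.M,
)


def _bridge_id(label, text):
    """Return (priority, address) for the 'Root ID' or 'Bridge ID' block."""
    m = re.search(label + r"\s+Priority\s+(\d+)\s+Address\s+" + MAC, text, re.I)
    if not m:
        raise ValueError(f"no {label} block found")
    return int(m.group(1)), m.group(2).lower()


def parse_show_spanning_tree(text):
    """Parse the root ID, bridge ID and interface table of one bridge group."""
    ports = [
        {"name": name, "role": role, "state": sts, "cost": int(cost),
         "priority": int(prio), "number": int(nbr), "type": typ}
        for name, role, sts, cost, prio, nbr, typ in ROW_RE.findall(text)
    ]
    return {"root": _bridge_id("Root ID", text),
            "bridge": _bridge_id("Bridge ID", text),
            "ports": ports}


def check_topology(text, expected_root, edge_ports=()):
    """Return findings that point to a rogue root or a stalled bridge."""
    st = parse_show_spanning_tree(text)
    findings = []
    root_mac = st["root"][1]
    if root_mac != expected_root.lower():
        findings.append(f"unexpected root {root_mac} (expected {expected_root.lower()})")
    for port in st["ports"]:
        # An edge port should face an end device, never the path to the root.
        if port["role"] == "Root" and port["name"] in edge_ports:
            findings.append(f"{port['name']}: root is reached through an edge port")
    if not any(port["state"] == "FWD" for port in st["ports"]):
        findings.append("no interface is in the forwarding state")
    return findings


if __name__ == "__main__":
    for finding in check_topology(SAMPLE_OUTPUT, "00:12:79:05:25:b0"):
        print(finding)
```
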

If an interface is not participating in the spanning tree, check the running-config for guards or filters that may have been inadvertently assigned to it. Also view the global spanning tree configuration and make sure that the global BPDU guard and/or filter has not been applied.
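One way to perform this running-config check is sketched below as an added Python example, not part of the original guide. It resolves each bridged interface's edge port, BPDU guard, and BPDU filter settings against the global defaults, using only the spanning-tree commands documented in this chapter; the config excerpt is constructed, and its stanza layout (an unindented interface line followed by indented commands) is an assumption.

```python
# Constructed running-config excerpt. The stanza layout is an assumption; the
# spanning-tree commands are the ones documented in this chapter.
SAMPLE_CONFIG = """\
!
interface eth 0/1
 bridge-group 1
 spanning-tree edgeport enable
!
interface eth 0/2
 bridge-group 1
 spanning-tree edgeport enable
 spanning-tree bpduguard enable
!
interface frame-relay 1.1
 bridge-group 1
 spanning-tree bpduguard enable
!
interface frame-relay 1.2
 bridge-group 1
 spanning-tree edgeport
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
!
interface ppp 1
 ip address 10.1.1.1 /30
!
"""


def parse_config(text):
    """Split a config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        elif line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def resolve(cmds, keyword, default, bare_form=False):
    """Apply an interface's override (if any) on top of the global default.

    bare_form also accepts 'spanning-tree <keyword>' and its 'no' form, which
    is how Frame Relay and ATM subinterfaces set the edge port option.
    """
    on = {f"spanning-tree {keyword} enable"}
    off = {f"spanning-tree {keyword} disable"}
    if bare_form:
        on.add(f"spanning-tree {keyword}")
        off.add(f"no spanning-tree {keyword}")
    state = default
    for cmd in cmds:
        if cmd in on:
            state = True
        elif cmd in off:
            state = False
    return state


def audit(text):
    """Return (interface, finding) pairs for bridged interfaces."""
    global_cmds, interfaces = parse_config(text)
    g_edge = "spanning-tree edgeport default" in global_cmds
    g_guard = "spanning-tree edgeport bpduguard default" in global_cmds
    g_filter = "spanning-tree edgeport bpdufilter default" in global_cmds
    findings = []
    if g_filter:
        findings.append(("global", "GLOBAL_FILTER"))       # not for live networks
    for name, cmds in interfaces.items():
        if not any(cmd.startswith("bridge-group ") for cmd in cmds):
            continue                                        # not bridged, no spanning tree
        edge = resolve(cmds, "edgeport", g_edge, bare_form=True)
        guard = resolve(cmds, "bpduguard", g_guard)
        filtered = resolve(cmds, "bpdufilter", g_filter)
        if filtered:
            findings.append((name, "FILTER_ACTIVE"))        # outside the spanning tree
        if edge and not guard:
            findings.append((name, "EDGE_NO_GUARD"))        # end device could join the tree
        if guard and not edge:
            findings.append((name, "GUARD_ON_NON_EDGE"))    # review: may be inadvertent
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```
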


Quick Start

This section provides the commands you must enter to quickly configure the router to bridge traffic. Only a minimal explanation is provided.

If you need additional information about any of these options, see “Contents” on page 10-1 to locate the section that contains the explanation you need.

1. If you are using the bridge to extend a subnet to a remote site, move to the global configuration mode context and disable routing.

ProCurve(config)# no ip routing

2. Create a bridge group.

Syntax: bridge <group number> protocol ieee

3. Assign the Ethernet interface(s) to the bridge group from its interface configuration mode context.

Syntax: bridge-group <group number>

4. Assign the WAN interface(s) to the bridge group. You can assign PPP and HDLC interfaces and Frame Relay and ATM subinterfaces to a bridge. Enter the following command from the logical interface configuration mode context:

Syntax: bridge-group <group number>

For example:

ProCurve(config)# interface frame-relay 1.1

ProCurve(config-fr 1.1)# bridge-group 1

5. If necessary, remove IP addresses from the WAN interfaces. For example:

ProCurve(config-ppp 1)# no ip address 10.1.1.1 /30

The ProCurve Secure Router automatically implements RSTP on bridged Ethernet interfaces and Frame Relay and ATM subinterfaces. Usually, you will not need to make any further configurations. However, you can complete any of the following steps:

1. If so desired, change the spanning tree version from RSTP to STP. (RSTP is fully compatible with STP.) Move to the global configuration mode context and enter:

Syntax: spanning-tree mode [rstp | stp]


2. If so desired, change the router’s priority for becoming the root of the spanning tree.

Syntax: spanning-tree priority <value>

The value can be from 0 to 63535.

3. If so desired, configure the cost of the connections on the router from the logical interface for the connection.

Syntax: spanning-tree path-cost <value>

The cost can be from 1 to 63535. A higher cost lowers the chance that the connection will be chosen. For example:

ProCurve(config-fr 1.1)# spanning-tree path-cost 60000

4. If a router interface connects to an edge device, configure the interface as an edge port and enable the BPDU guard. Move to the logical interface and enter:

ProCurve(config-eth 0/1)# spanning-tree edgeport enable
ProCurve(config-eth 0/1)# spanning-tree bpduguard enable

For Frame Relay and ATM subinterfaces enter:

ProCurve(config-fr 1.1)# spanning-tree edgeport
ProCurve(config-fr 1.1)# spanning-tree bpduguard enable


11

IP Routing—Configuring Static Routes

Contents

Overview
  IP Addressing
  Networks
    Network Addresses and Subnet Masks
    Classful Networks
  CIDR
  Routing Table
    Destination Network Address and Subnet Mask
    Next-Hop Address and Forwarding Interface
    Administrative Distance and Metric
    Other Information Stored in a Route
  Static Routing
  Dynamic Routing Protocols
  Static Routing Versus Dynamic Routing
  Load Sharing
  Fast Caching
Configuring Static Routes
  Overview
  Configuring a Static Route
  Configuring a Floating Static Route
  Configuring a Default Route
  Configuring a Route through the Null Interface
Configuring Load Sharing
Enabling Fast Caching
Troubleshooting Static Routing
  Monitoring the Routing Table
    Using the Routing Table to Troubleshoot Static Routing
  Monitoring Routes
  Clearing Routes
Quick Start
  Static Routing
    Connecting Simple Remote Sites
    Routing Traffic to an ISP

Overview

Unlike a simple switch, a router can route a packet from one network to another. When the ProCurve Secure Router receives a packet, it matches the packet’s destination address to a route in its routing table. This route specifies the interface through which the router must forward the packet in order for the packet to reach its destination.

This chapter describes the ProCurve Secure Router’s routing table and explains how to add static routes to this table. In this chapter you will also learn how to configure a default route. In a small network with a single WAN connection, static and default routes provide the simplest and most reliable configuration for IP routing.

The ProCurve Secure Router also supports several routing protocols that allow the router to discover routing information from other routers. You should implement at least one of these protocols when your network has a large or complicated topology. Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide describes how to configure these protocols.

Before configuring routing, you should understand the basics of IP addressing and networks. You should also understand how a router uses its routing table to forward traffic.

IP Addressing

Devices route packets by looking at their Layer 3 headers, typically their IP headers. (Currently, the ProCurve Secure Router only routes IP traffic.)

A packet’s IP header contains a field for its source address and a field for its destination address. The router reads the destination IP address to determine where it should forward the packet.

An IP address is a field that uniquely identifies a host or device in the Internet or other network. In IP version 4 (IPv4) this field is 32 bits. A 32-bit IP address divides into four 8-bit octets. Typically, you will see IP addresses written in decimal form. Therefore, IP address 11000000.10101000.00101101.01100011 is usually written as 192.168.45.99.


Unlike MAC addresses, IP addresses are not permanent or hardware specific. A host can change its address, and it can receive a temporary address from a server. However, public IP addresses must be unique and globally significant. (Otherwise, hosts could never be certain that data would arrive at the destination they intended.) Certain IP addresses are reserved for private networks; these addresses are locally significant and can be used by any number of different private organizations.

Networks

A network is a group of hosts that share a network address. Traffic between these hosts can be forwarded by bridges or switches. However, when a packet must be sent into a new network—that is, when its source and destination have different network addresses—the packet must be routed.

Network Addresses and Subnet Masks

A network address is the first part of a host’s IP address. The second part of the IP address uniquely identifies the host within that network.

A subnet mask defines which bits identify the network and which identify the individual host. The subnet mask consists of 32 bits—first, a string of continuous ones; then, a string of continuous zeros.

All bits in the IP address that correspond with a one in the subnet mask are network bits; all bits that correspond with a zero are the host bits. (See Figure 11-1.)

Networks can be of varying sizes, depending on how many bits are allocated for the network address and how many for the host address. The greater the number of network bits, the fewer the addresses the network contains. (Because most of the bits define the network, there are fewer bits in which to store different addresses on that network.)

The first address (all zero host bits) in every network is reserved for identifying the network, and the last address (all one host bits) for broadcasting.

Host Address      172.16.132.99  10101100 00010000 10000100 01100011
AND
Subnet Mask       255.255.0.0    11111111 11111111 00000000 00000000
=
Network Address   172.16.0.0     10101100 00010000 00000000 00000000

Figure 11-1. Subnet Masks

Classful Networks

In the early days of IP addressing, routing protocols did not always use subnet masks. The address itself needed to identify which bits were network bits and which host bits. Classful networks met this need. The first four bits of a classful IP address identified how many octets belonged to the network address.

Classful network addresses always end evenly at the end of an octet:

■ Class A networks have 8-bit network addresses. They are identified by a 0 in the first bit. Therefore, the 126 class A networks range from 1.0.0.0 to 126.0.0.0. (127.0.0.0 is reserved for loopback and 0.0.0.0 for default routes.) Each class A network can accommodate up to 16,777,214 hosts.

■ Class B network addresses always start with 10 in the first two bits, which indicates that the network has a 16-bit network address. The 16,384 class B networks range from 128.0.0.0 to 191.255.0.0. Each network can accommodate up to 65,534 hosts.

■ Class C networks have 24-bit network addresses and always start with 110 in the first three bits. The 2,097,252 class C networks range from 192.0.0.0 to 223.255.255.0. Each class C network can accommodate up to 254 hosts.

■ Class D networks have 32-bit network addresses and always include 1110 in the first four bits. These networks are used for multicasting and range from 224.0.0.0 to 239.255.255.255.

You might notice that this schema leaves networks beginning with 1111 undefined. Such networks are called Class E networks and have not been assigned a specific function.

CIDR

Classful networks condense more information into fewer bits: a router can resolve an address into its network and host bits without a 32-bit subnet mask. However, classful networks do not use IP addresses efficiently. Class C networks only provide addresses for 254 hosts, while Class B networks provide addresses for 65,534.

Many organizations need more addresses than a Class C network provides, but fewer than a Class B network does. Using Class C networks, an organization must request another network every time it needs more addresses. However, if the organization requests a Class B network so that it will have sufficient addresses, it usually wastes the vast majority of these addresses.

Most IP routers today support Classless Inter-Domain Routing (CIDR), which allows network administrators to define networks of any size. CIDR typically uses a prefix length instead of a subnet mask; the number in the prefix is the number of network bits in the address. For example, a network address with the subnet mask 255.255.0.0 has a /16 prefix length.

Network administrators can subdivide classful networks into smaller, variable-length networks by changing the prefix length.

For example, your organization is using the Class B network 172.16.0.0. Your organization needs at least six subnets, each with at least 500 hosts. With future expansion, your organization will need ten subnets. You round this number up to the nearest power of two and decide to divide the network into sixteen subnets. You calculate that each of the sixteen subnets can hold 4,094 hosts, which more than meets your organization’s requirements.

To subdivide the network, you add one bit to the prefix length for every time you divide the network in half. For example, half of a /16 network is a /17 network, a fourth of a /16 network is a /18 network, and so forth. Sixteen is 2^4, so in the scenario outlined above, you would divide the 16-bit network four times, into sixteen 20-bit subnets:

■ 172.16.0.0 /20 (255.255.240.0)

■ 172.16.16.0 /20

■ 172.16.32.0 /20

■ 172.16.48.0 /20

■ ...

■ 172.16.240.0 /20


When you use prefix lengths in this way, the bit length becomes, in a sense, part of the address. 172.16.0.0 /20 is a different network than 172.16.0.0 /16. The second is the network address for the entire class B network, while the first is a network that includes only hosts from 172.16.0.1 to 172.16.15.254.

Therefore, when you define routes to variable-length subnets, you must always be careful to specify the correct bit length. If a router thinks that it knows a route to network 172.16.0.0 /16 when the route should actually be to 172.16.0.0 /20, it may misroute traffic to the other fifteen 20-bit networks in the 172.16.0.0/16 range.

Routing Table

A routing table stores the following information for each network that the router knows how to reach:

■ destination network address

■ subnet mask

■ next-hop address

■ forwarding interface

■ metric

■ administrative distance

Destination Network Address and Subnet Mask

The destination network address and subnet mask identify the route. When a router receives a packet, it matches the packet’s destination IP address to a network address in the routing table. The subnet mask defines how many bits the router examines when matching the two addresses. For example, a routing table entry for 172.16.0.0 with a subnet mask 255.255.0.0 refers to all packets destined to IP addresses of which the first 16 bits are 172.16.

If a packet matches more than one entry, the router uses the more-specific route (the route with a longer subnet mask), which it assumes is more accurate for that packet.

The subnet mask condenses the routing table: an individual router’s table need not include a separate entry for each host or subnet in the 172.16.0.0/16 network when the next hop to all these destinations is the same. Routers nearer a particular destination may include more specific entries that allow them to forward traffic to individual networks that have been subdivided from a larger network.


Next-Hop Address and Forwarding Interface

A route’s next-hop address and forwarding interface instruct the router how to forward packets that match the destination address for the route.

The next-hop address is the address of the next directly-connected device en route to the destination address. The router determines the forwarding interface for the route by looking up, in its routing table, the interface that connects to the next-hop address. (Because the next-hop address should be a directly connected device, the routing table will automatically include this information.)

Only a forwarding interface is absolutely necessary for a route. When you add a static route to the routing table, you can specify a forwarding interface instead of a next-hop address. The next-hop address is then listed as 0.0.0.0.

Administrative Distance and Metric

A router may learn more than one route to the same destination. The router compares the administrative distances and metrics of identical routes to select the single best route that it will add to its routing table. (You can also enable the router to select more than one best route. See “Load Sharing” on page 11-11.)

The ProCurve Secure Router uses administrative distance to compare routes learned by different routing protocols or methods. The ProCurve Secure Router uses metrics to compare routes learned by the same routing protocol. That is, each routing protocol used on a router has its own database of routes. When a routing protocol knows more than one route to a destination, it selects the route with the lowest metric as its best route. The router then compares the best routes of each method and selects the route with the lowest administrative distance.

A route’s administrative distance indicates how reliable the router considers the method through which it discovered the route. The lower the administrative distance the more trustworthy the route.

If you are only using static routes, you generally do not need to worry about administrative distance. However, if you are using static routing in conjunction with a routing protocol, you should understand how the ProCurve Secure Router uses administrative distance to choose between identical routes learned using different methods. The ProCurve Secure Router always selects the route with the lower administrative distance. For example, statically configured routes have a default administrative distance of 1, while Routing Information Protocol (RIP) routes have a default administrative distance of 120. When the router knows an identical RIP and static route, it only adds the static route to the routing table.


A route’s metric is the cost of sending traffic on that route and can be based on various criteria:

■ number of hops to the destination

■ link conditions:

• bandwidth

• delay

• reliability

■ organization policies

• monetary cost

• autonomous systems through which the packet must travel

Number of hops and bandwidth are among the most common criteria for computing a route’s metric.

Each routing protocol has its own method for computing a route’s metric. The protocol compares the metric of identical routes to determine the best route. The protocol chooses the route with the smallest metric.

Other Information Stored in a Route

Routing tables can also include information such as:

■ route type—whether the destination subnet is directly attached or remote

■ source of the route—directly connected, statically configured, or discovered with a routing protocol

■ route age

■ maximum transmission unit (MTU) over the link used in the route

The ProCurve Secure Router tracks all of these parameters. When you view your router’s routing table, you can see the route type and source of the route.

A routing table should, most importantly, provide reliable routes that get traffic to its destination. Ideally, routes should also minimize congestion and delay. One of your most important tasks when configuring your ProCurve Secure Router is to construct a routing table with reliable best routes.

Static Routing

The most straightforward method for constructing a routing table is static routing. Static routes are routes that you manually add to the routing table. When you enter a static route, you specify the destination network address and subnet mask and either the next-hop address or forwarding interface for that destination.


Dynamic Routing Protocols

Routers can also construct their routing tables using dynamic routing protocols. The ProCurve Secure Router supports three routing protocols, each of which it can use alone or in conjunction with the others:

■ RIP versions 1 and 2

■ Open Shortest Path First (OSPF) version 2

■ Border Gateway Protocol (BGP) version 4

See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the ProCurve Secure Router Advanced Management and Configuration Guide to learn how to configure these protocols.

Static Routing Versus Dynamic Routing

Static routing is secure because it provides you the tightest control over traffic flow: you determine exactly which connection the router uses to forward traffic to each destination. Static routing is also relatively reliable (although it does open room for human error).

On a router in a small network with a single exit to a remote site or the Internet, static routing is effective and simple to configure.

However, as a network expands, configuring all the necessary static routes can become more and more complicated and time-consuming. Ensuring that all routes remain accurate can also unduly burden an IT staff. Every time you want to add a connection or change a route, you must configure the change on every router in the network. Routers do not automatically respond to a failed connection, so traffic can be misrouted.

Dynamic routing can provide reliable routes. OSPF selects routes according to fairly sophisticated criteria, such as link state and bandwidth, and BGP, though complicated to configure, can take an organization’s policies into account when selecting routes. What is the best route at one moment may not always be the best route, and dynamic routing protocols can track these changes. Dynamic routing also adapts well to changes in network topology, such as node failures and network expansion.

On the other hand, routing protocols consume bandwidth and CPU processes; routers must exchange updates and calculate the best routes. A router that has been carelessly configured may send updates to unauthorized devices, opening a security vulnerability. However, a well-designed network eliminates many of these problems.


You should not implement a dynamic routing protocol on a demand interface that is used with a dial-up connection because the routing updates may keep the line up longer than is necessary, costing your organization money. Instead, configure a static route that uses the demand interface as the forwarding interface. If you are using the dial-up connection for backup, you can configure a floating static route. (See “Configuring a Floating Static Route” on page 11-16.)

You can use static routing in conjunction with one or more dynamic routing protocols. A static route will always supersede a discovered route because static routes have low administrative distance. Table 11-1 shows the default administrative distance for the various types of routes that the ProCurve Secure Router can learn. As you can see, besides routes to directly connected networks, static routes are considered to be the most reliable.

Table 11-1. Hierarchy of Routes (Most Trusted to Least Trusted)

Route Type            Default Administrative Distance
directly connected    0
static                1
BGP                   20 for external routes; 200 for internal and local routes
OSPF                  110
RIP v1 and v2         120

Load Sharing

Typically, a routing table can only include one best route for each destination. If you enter more than one route to the same destination, the router will add the additional route to its routing table only if the first route that you entered is removed or if the forwarding interface for that first route goes down. However, the ProCurve Secure Router can also implement load sharing, which enables it to activate up to six routes to the same destination. This option enables the router to use redundant connections to the same remote site.

When you enable load sharing, the router can place up to six routes to the same destination in its active routing table. The routes must all have the same metric and administrative distance; otherwise, only the route with the lowest values will be selected.


The router can share traffic over the routes based on destination, assigning traffic destined to some hosts to one route and traffic destined to other hosts to another route. In this case, the traffic may not be exactly balanced over the multiple connections, but the more sessions the router supports, the more evenly balanced the traffic will be.

The router can also share the traffic in a round-robin manner, alternating between the routes every time it routes a new packet to the destination network. Configuring the router to load share in this way, however, can cause packets to arrive at the destination out of order and is not generally recommended.

Fast Caching

One of a router’s tasks is to forward the packets it receives with a minimum of delay. However, the router must also accurately route packets, and looking up routes takes time and processing power. When a router uses process switching, it considers route lookup to be no more important than any other process and forces packets to wait in a queue until it finishes other tasks. When CPU usage spikes, packets can be delayed longer than acceptable.

Fast caching, or fast-switching cache, is designed to speed processing of packets that follow often-used routes. In addition to the routing table, the router keeps a fast-cache table, which contains entries for recently received packets. A fast-cache entry includes the destination address and the forwarding interface. When the router receives a packet, the CPU postpones other tasks to immediately check the fast-cache table for a matching entry. If the router finds a matching entry, it rewrites the packet’s header and forwards it to the appropriate interface. (See Figure 11-2.) If the router does not find a match in the fast-cache table, it sends the packet to the appropriate queue to await processing. When the router processes these packets, it checks the routing table to determine where the packets should be forwarded.

On the ProCurve Secure Router, you can enable fast caching for individual interfaces. However, if you enable the firewall, the ProCurve Secure Router uses process switching because firewall features can require extensive computations. For example, the firewall must check packets for known cyber attacks, ensure packet integrity, track connections, and determine if packets match access control lists (ACLs).


Figure 11-2. Fast Caching Versus Process Switching

Configuring Static Routes

Overview

A static route is a route that you add manually to a routing table. You can construct a router’s entire table manually. (The table will also automatically include directly connected networks with a metric and an administrative distance of zero.)

When you use static routing in exclusion of other routing protocols, the router will not share its routing table with other routers. This means that the hosts serviced by this router will only be able to reach a destination if you add an entry for that destination. In large and complicated networks, configuring static routing can be prohibitively time-consuming and cumbersome. However, in a relatively uncomplicated environment with few subnets, you can quickly configure the necessary routes while maintaining tight control over your network.

Static routing is best suited for networks that have:

■ a simple topology and a single router at each site

■ a single destination for traffic—for example, to an Internet service provider (ISP)

■ only one path for IP traffic


You can use static routing with dynamic routing. In this case, you supplement routes discovered through various protocols with manually added routes. You can configure the router to advertise these routes using a routing protocol, or you can keep the routes private. (See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide to learn how to configure a routing protocol.)

For example, you can run a routing protocol, but configure a static default route. (See “Configuring a Default Route” on page 11-17.)

Configuring a Static Route

When you configure a static route, you must enter the following information:

■ destination address and subnet mask

■ next-hop address or forwarding interface

By default, the administrative distance for a static route is 1 and the metric 0. You can view the kind of information the ProCurve Secure Router stores in its routing table in Figure 11-3.

Figure 11-3. Routing Table with Static Routes

The destination address is the network address for the destination subnet. The subnet mask indicates how long this network address is. (The ProCurve Secure Router also allows you to enter a prefix length instead of a subnet mask.) When the router looks for a route that matches a packet’s destination, it only compares the bits specified by the subnet mask.

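ProCurve# show ip route
C 10.2.2.0/30 is directly connected, ppp 1
C 10.3.3.0/30 is directly connected, ppp 2
C 192.168.20.0/24 is directly connected, eth 0/1
S 192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1
S 0.0.0.0/0 [1/0] via 10.3.3.2, ppp 2

(Figure 11-3 callouts: in a static route entry such as S 192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1, the bracketed values are the administrative distance and the metric, the address after "via" is the next-hop address, and the final field is the forwarding interface.)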


Figure 11-4. Prefix Lengths with Static Routing

You add routes to the routing table from the global configuration mode context. Enter this command:

Syntax: ip route <destination network A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID> [<administrative distance>]

Specifying administrative distance is optional. By default, static routes have an administrative distance of 1 and are considered to be more reliable than any other routes (except those to directly connected networks).

You should make the network address and subnet as short as possible for the next-hop address to still be valid for all matching packets. For example, to configure a route to network 10.1.3.0 /24 on Router A shown in Figure 11-4, you could enter a route to the entire 10.1.0.0 /16 network:

ProCurve(config)# ip route 10.1.0.0 255.255.0.0 10.1.1.2

You would have to configure a more specific route to network 10.1.3.0 /24 on Router B:

ProCurve(config)# ip route 10.1.3.0 255.255.255.0 10.1.30.2

For point-to-point connections, instead of the next-hop IP address, you can specify the forwarding interface (for example, PPP 1 or Frame Relay 1.103). It is often a good idea to specify the forwarding interface rather than the next-hop address, particularly when connecting to an external network, because IP addresses can change without notice.

The route in the routing table includes the forwarding interfaces, but allows any next-hop neighbor that connects to the interface. See Figure 11-5.

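(Figure 11-4 diagram labels: Router A’s routing table holds one entry, 10.1.0.0/16 through Router B. Router B’s routing table holds two entries, 10.1.2.0/24 through Router C and 10.1.3.0/24 through Router D. Router C serves 10.1.2.0/24 and Router D serves 10.1.3.0/24. Labeled addresses: 10.1.1.2, 10.1.20.2, 10.1.30.2. Labeled network: 10.2.8.0/24.)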


Figure 11-5. Static Route with a Forwarding Interface

Configuring a Floating Static Route

When the router has a redundant connection to a network, it needs two routes to that network, one of which uses the primary interface as the forwarding interface and one of which uses the redundant interface. However, the routing table can only include a single active route to a particular network. (See “Configuring Load Sharing” on page 11-20 for an exception to this rule.)

You can configure a floating static route that uses the redundant, or backup, interface and that will only appear if the forwarding interface for the primary route goes down. You configure the floating static route by assigning it a higher administrative distance than that for the primary route.

For example, your router can reach remote site 192.168.115.0 /24 through the PPP 1 interface. If this connection goes down, it can reach the remote site through the backup PPP 2 interface. Configure the routes as follows:

ProCurve(config)# ip route 192.168.115.0 /24 ppp 1
ProCurve(config)# ip route 192.168.115.0 /24 ppp 2 2

You can also configure a floating static route that only appears when a route discovered using a routing protocol becomes invalid and is removed from the routing table. Simply specify an administrative distance in the floating static route that is higher than that for the protocol.

For example, your router has learned a route to network 192.168.115.0 /24 by running OSPF on the PPP 1 interface. The router uses an ISDN module for backup. Configure a floating static route through the demand interface that will only appear if the PPP 1 interface fails:

ProCurve(config)# ip route 192.168.115.0 /24 demand 1 120

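Figure 11-5 (output):

ProCurve# show ip route
C 10.2.2.0/30 is directly connected, ppp 1
C 10.3.3.0/30 is directly connected, ppp 2
C 192.168.20.0/24 is directly connected, eth 0/1
S 192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1
S 0.0.0.0/0 [1/0] via 0.0.0.0, ppp 2

(Figure 11-5 callouts: the bracketed values are the administrative distance and the metric, and the final field is the forwarding interface. In the last entry the next-hop address is not specified, so it is listed as 0.0.0.0.)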


Because OSPF routes have an administrative distance of 110, specify 120 for the floating static route’s administrative distance. (Refer to Table 11-1 on page 11-11 for the administrative distance of various routing protocols.)

Configuring a Default Route

A default route is a special static route that applies to all traffic. Typically, when the router receives a packet that it does not know how to forward, it drops it. A default route allows the router to forward all such packets toward the destination most likely to be able to route them.

To configure a default route, enter a route to a destination address of all zeros with an all-zero subnet mask. The all-zero subnet mask indicates to the router that a packet’s IP address does not have to match any of the destination address bits in order for the route to be valid. Because the router always matches traffic to the most specific route, it will only use the default route for traffic that would otherwise be dropped.

To configure the default route, move to the global configuration mode context and enter this command:

Syntax: ip route 0.0.0.0 [0.0.0.0 | /0] <next hop A.B.C.D | forwarding interface ID> [<administrative distance>]

The ProCurve Secure Router allows you to enter the default route in CIDR notation.

Instead of configuring a route to a default next-hop address, you can configure a default forwarding interface. A default route is often used to forward external traffic. In this case, specifying the WAN interface as the default forwarding interface can be a good idea so that the default remains valid no matter what IP address the remote router has.

For example, your router connects to the Internet with a PPP connection. You could configure the following default route for all external traffic:

ProCurve(config)# ip route 0.0.0.0 0.0.0.0 ppp 1

Default routes can be especially useful for routers with a single point-to-point WAN connection. If necessary, add static routes for any local subnets that are not directly connected to the Ethernet ports. (Directly connected networks are automatically added.) Then add a default route for all other traffic through the WAN interface.


For example, to configure Router A shown in Figure 11-6, you would enter:

ProCurve(config)# ip route 192.168.10.0 /24 192.168.12.2
ProCurve(config)# ip route 0.0.0.0 /0 ppp 1

Figure 11-6. Default Routing

Default routes are used with dynamic routing as well as static routing. For example, OSPF stub routers in an OSPF network do not receive many of the OSPF link state advertisements (LSAs). This keeps the protocol’s overhead down and stub router memory uncluttered with routes that are not needed. Instead, stub routers can receive a default route for all external traffic.

Configuring a Route through the Null Interface

When the router matches a packet to a route through the null interface, it drops the packet. You can use the null interface to force the router to drop certain traffic.

To configure a null route, enter this command from the global configuration mode context:

Syntax: ip route <A.B.C.D> <subnet mask | /prefix length> null 0 [<administrative distance>]

You might configure a route through the null interface in order to drop traffic to network addresses that do not yet exist in your network.

(Figure 11-6 diagram labels: Router A, with interface PPP 1 toward the Internet; Router B at 192.168.12.2; networks 192.168.10.0 /24 and 192.168.1.0 /24.)


For example, an organization has allocated the address space 192.168.20.0 /24 to a remote site. However, currently the site is only using half of the addresses. Network management has divided the network into two /25 subnets and left the second subnet (192.168.20.128 /25) unused. You can prevent the local router from forwarding traffic across the WAN link that will only be dropped by the remote router. Enter this command:

ProCurve(config)# ip route 192.168.20.128 /25 null 0

You could also use a null route in order to force the router to:

■ drop traffic to destinations that you have determined to be unauthorized

However, a better way to control traffic is to use an ACL or an ACP. (See Chapter 5: Applying Access Control to Router Interfaces of the Advanced Management and Configuration Guide.)

■ advertise a route not included in its routing table

When a router uses a routing protocol, its routing table must include a route in order to advertise that route. You could configure a null route if you wanted the router to advertise a route, but not to forward traffic using that route. (For more information on this topic, see “Advertising Local Networks” on page 13-71 in Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR of the Advanced Management and Configuration Guide.)
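The route-selection rules from this chapter (the longest subnet mask wins, the lowest administrative distance wins among identical routes, a floating static route appears only when the primary is unusable, and null 0 drops traffic) modelled in Python as an added example; it is not ProCurve code. The configuration and connected networks are constructed from the command forms shown above, and treating every interface ID as two tokens is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[str]    # None when a forwarding interface was configured
    interface: Optional[str]   # None when a next-hop address was configured
    distance: int = 1          # default for static routes, per the guide
    metric: int = 0


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_ip_route(line):
    """Parse: ip route <dest> <mask | /prefix> <next hop | interface ID> [<distance>].
    Assumption: an interface ID is always two tokens (type and number)."""
    if "ip route" not in line:
        raise ValueError("not an ip route command: %r" % line)
    tok = line.split("ip route", 1)[1].split()
    if len(tok) < 3:
        raise ValueError("incomplete ip route command: %r" % line)
    mask = tok[1] if tok[1].startswith("/") else "/" + tok[1]
    # strict=True rejects a destination whose host bits are set for that length
    network = ipaddress.IPv4Network(tok[0] + mask, strict=True)
    rest = tok[2:]
    if is_ipv4(rest[0]):
        next_hop, interface, rest = rest[0], None, rest[1:]
    elif len(rest) >= 2:
        next_hop, interface, rest = None, " ".join(rest[:2]), rest[2:]
    else:
        raise ValueError("missing interface number: %r" % line)
    return Route(network, next_hop, interface, int(rest[0]) if rest else 1)


def egress(route, connected):
    """Forwarding interface: configured directly, or looked up from the
    connected network that contains the next-hop address."""
    if route.interface:
        return route.interface
    hop = ipaddress.IPv4Address(route.next_hop)
    return next((name for net, name in connected.items() if hop in net), None)


def active_table(candidates, connected, down=()):
    """One best route per prefix: usable routes only, lowest (distance, metric)."""
    pool = [Route(net, None, name, 0, 0) for net, name in connected.items()]
    pool += list(candidates)
    best = {}
    for route in pool:
        out = egress(route, connected)
        if out is None or out in down:
            continue   # a route is not installed while its interface is down
        current = best.get(route.network)
        if current is None or (route.distance, route.metric) < (current.distance, current.metric):
            best[route.network] = route
    return best


def forward(table, connected, destination):
    """Longest-prefix match. Returns the egress interface, 'null 0' when the
    packet is dropped by a null route, or None when no route matches."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for net, r in table.items() if addr in net]
    if not matches:
        return None
    return egress(max(matches, key=lambda r: r.network.prefixlen), connected)


# Constructed sample configuration, assembled from command forms in this chapter.
CONFIG = """\
ProCurve(config)# ip route 192.168.30.0 255.255.255.0 10.2.2.2
ProCurve(config)# ip route 192.168.115.0 /24 ppp 1
ProCurve(config)# ip route 192.168.115.0 /24 ppp 2 2
ProCurve(config)# ip route 192.168.20.128 /25 null 0
ProCurve(config)# ip route 0.0.0.0 0.0.0.0 ppp 2
"""
CONNECTED = {   # constructed: directly connected networks and their interfaces
    ipaddress.IPv4Network("10.2.2.0/30"): "ppp 1",
    ipaddress.IPv4Network("10.3.3.0/30"): "ppp 2",
}
STATIC = [parse_ip_route(line) for line in CONFIG.splitlines() if line.strip()]


def decide(destination, down=()):
    """Forwarding decision for one destination with the given interfaces down."""
    return forward(active_table(STATIC, CONNECTED, down), CONNECTED, destination)


if __name__ == "__main__":
    for dst, down in [("192.168.115.9", ()), ("192.168.115.9", ("ppp 1",)),
                      ("192.168.20.200", ()), ("192.168.20.5", ())]:
        print(dst, "down=%s" % list(down), "->", decide(dst, down))
```

Without the null route, traffic to the unused 192.168.20.128 /25 block would match only the default route and leave through the WAN interface.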


Configuring Load Sharing

Your ProCurve Secure Router may have more than one connection to the same remote site or to the Internet. However, a router can typically select only a single best route for a destination; without further configuration, traffic destined to the site will travel over only one of the connections.

For example, your router provides a connection to one ISP through its PPP 1 interface. For redundancy, you connect the router to a second ISP through the PPP 2 interface. You configure a default route through PPP 1. All Internet traffic is carried over this WAN connection, and the redundant connection is unused unless the first connection fails—not a cost-effective solution.

Load sharing allows the router to place up to six routes to the same destination in its routing table. (See Figure 11-7.) The routes must have the same metric and administrative distance. When load sharing is implemented, the router sends some traffic over one route and some traffic over the other route.

To enable load sharing, enter this command from the global configuration mode context:

Syntax: ip load-sharing [per-destination | per-packet]

You can configure the router to balance traffic:

■ per destination

■ per packet

When the router balances traffic per destination, it assigns packets to routes based on the packets’ source and destination addresses. That is, when the router must forward a packet to a destination for which multiple routes exist, it hashes the packet’s source and destination and, according to this value, assigns the packet to a route. (The router performs the hash function such that a source and destination can only resolve to as many different values as routes are available in the routing table.) Therefore, per-destination load sharing does not balance traffic exactly equally; two successive packets may be sent over the same route, even if they have different source and destination addresses. Packets in the same session always take the same route because they have the same source and destination address. The more traffic that the router supports, the more evenly it will balance the traffic.


When the router balances traffic per packet, it sends each new packet over each route in turn. Although this option balances traffic more exactly, it is not generally recommended. Because each successive packet takes a different route, packets may arrive at the destination out of order.
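An added simulation (not the router's implementation) of the two load-sharing modes, showing why per-packet sharing can reorder one session while per-destination sharing cannot. CRC32 stands in for the router's unspecified hash function, and the per-link delays and addresses are constructed values.

```python
import ipaddress
import itertools
import zlib
from collections import Counter

ROUTES = ["ppp 1", "ppp 2", "ppp 3"]                    # three equal-cost routes
DELAY_MS = {"ppp 1": 30, "ppp 2": 10, "ppp 3": 20}      # constructed link delays


def per_destination(src, dst, routes):
    """Pick a route from a hash of source and destination, reduced to as many
    values as there are routes. CRC32 is a stand-in for the router's hash."""
    key = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return routes[zlib.crc32(key) % len(routes)]


class PerPacket:
    """Round-robin: every new packet takes the next route in turn."""

    def __init__(self, routes):
        self._cycle = itertools.cycle(routes)

    def pick(self, src, dst):
        return next(self._cycle)


def arrival_order(picker, src, dst, packets, delay_ms, gap_ms=1):
    """Send numbered packets of one session, one every gap_ms, and return
    the sequence numbers in the order they reach the destination."""
    arrivals = []
    for seq in range(packets):
        route = picker(src, dst)
        arrivals.append((seq * gap_ms + delay_ms[route], seq))
    return [seq for _, seq in sorted(arrivals)]


def spread(flows, routes):
    """How many (source, destination) flows per-destination sharing puts on each route."""
    return Counter(per_destination(src, dst, routes) for src, dst in flows)


if __name__ == "__main__":
    src, dst = "192.168.50.10", "203.0.113.5"
    hashed = lambda s, d: per_destination(s, d, ROUTES)
    print("per-destination:", arrival_order(hashed, src, dst, 6, DELAY_MS))
    print("per-packet:     ", arrival_order(PerPacket(ROUTES).pick, src, dst, 6, DELAY_MS))
    flows = [("192.168.50.%d" % host, dst) for host in range(1, 61)]
    print("60 flows spread as:", dict(spread(flows, ROUTES)))
```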

Figure 11-7. Routing Table with Load Sharing

After enabling load sharing, add the multiple static routes. For example, enter:

ProCurve(config)# ip route 0.0.0.0 /0 ppp 1
ProCurve(config)# ip route 0.0.0.0 /0 ppp 2
ProCurve(config)# ip route 0.0.0.0 /0 ppp 3

The routing table can hold up to six routes for the same destination. If you enter more than six routes, then the router will learn the extra routes, but not add them to the routing table. If you delete one of the routes in the routing table, or if the forwarding interface for one of these routes fails, then one of the extra routes will take its place.

Figure 11-7 (output):

Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S 0.0.0.0/0 [1/0] via 0.0.0.0, ppp 1
            [1/0] via 0.0.0.0, ppp 2
            [1/0] via 0.0.0.0, ppp 3
C 10.1.1.0/30 is directly connected, ppp 1
C 10.1.1.1/32 is directly connected, ppp 1
C 10.1.1.4/30 is directly connected, ppp 2
C 10.1.1.5/32 is directly connected, ppp 2
C 10.1.1.8/30 is directly connected, ppp 3
C 10.1.1.9/32 is directly connected, ppp 3
C 192.168.50.0/24 is directly connected, eth 0/1
C 192.168.51.0/24 is directly connected, eth 0/2

(Figure 11-7 callout: the three entries under S 0.0.0.0/0 are the multiple static routes.)


Enabling Fast Caching

The ProCurve Secure Router can route incoming packets using either:

■ process switching

■ fast caching

A router using process switching:

■ places packets in a queue to await processing

■ looks up routes in the routing table, which contains all routes

A router using fast caching:

■ interrupts other processes to serve packets immediately

■ looks up routes in the fast-cache table, which contains only recently-used routes

Fast caching is a valuable tool for speeding packets through the router and maintaining quality of service (QoS).

By default, fast caching is enabled on:

■ Ethernet interfaces

■ Point-to-Point Protocol (PPP) interfaces

■ Frame Relay subinterfaces

Although fast caching is not enabled on Asynchronous Transfer Mode (ATM) subinterfaces by default, ATM subinterfaces also support it.

You can disable fast caching on specific interfaces. If you disable fast caching, the ProCurve Secure Router will use process switching. With process switching, the router places all packets in the appropriate queue, where they wait until the router can process them.

You enable and disable fast caching for individual interfaces. One interface can use fast caching and another interface can use process switching.

To enable or disable fast caching on an interface, you must first move to the configuration mode context for that interface. Then enter this command:

Syntax: [no] ip route-cache


For example:

ProCurve(config)# int eth 0/1
ProCurve(config-eth 0/1)# no ip route-cache

Note: Fast caching is forcibly disabled when you use the following processes:

■ the ProCurve Secure Router OS firewall

■ any firewall processes, such as ACLs and ACPs

■ policy based routing (PBR)

If you enable the firewall, the ProCurve Secure Router must use process switching because firewall features require the router to make more-extensive computations than simple route determination, including checks for attacks and packet filtering according to an access policy. Similarly, PBR requires the router to screen packets to determine whether to route them according to a route map or according to the routing table.

To optimize packet switching for firewall processes, the ProCurve Secure Router uses a separate table so that it does not have to check long ACLs each time it receives a packet. This table speeds up firewall computations.

Troubleshooting Static Routing

When you receive reports that traffic is not reaching its destination, first attempt to ping the destination from the router to verify that a host or other network node is not the root of the problem. If the ping confirms that the router cannot reach the destination, next view the routing table.

Note: The show and debug commands described in the following sections are enable mode commands. You can also enter the commands from configuration mode contexts by adding the do option.

Monitoring the Routing Table

To view the routing table, enter this enable mode command:

Syntax: show ip route


The screen displays the destinations to which the router can route traffic. (See Figure 11-8.) For each destination, the routing table also records:

■ the method the router used to discover the route

• B—BGP

• C—directly connected

• O—OSPF

• R—RIP

• S—entered manually (static)

■ the administrative distance—the trustworthiness of the route, used to choose between two identical routes discovered through different methods

■ the metric—the cost for the route

■ the next-hop address

■ the forwarding interface

Figure 11-8. Routing Table

ProCurve#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2

Gateway of last resort 192.168.128.1

C 10.1.1.0/30 is directly connected, ppp 1
C 10.1.1.1/32 is directly connected, ppp 1
C 10.2.2.0/30 is directly connected, ppp 2
C 10.2.2.1/32 is directly connected, ppp 2
R 172.16.1.0/24 [120/1] via 10.1.1.1, ppp 1
R 172.16.3.0/24 [120/1] via 10.1.1.1, ppp 1
R 172.16.4.0/24 [120/1] via 10.1.1.1, ppp 1
O 192.168.65.0/24 [110/51] via 10.2.2.1, ppp 2
O 192.168.72.0/24 [110/51] via 10.2.2.1, ppp 2
O 192.168.100.0/24 [110/51] via 10.2.2.1, ppp 2
C 192.168.128.0/24 is directly connected, eth 0/1
C 192.168.129.0/24 is directly connected, eth 0/2

Figure callouts: OSPF route; Administrative distance; Next-hop and forwarding interface; Cost

You can also view specific portions of the routing table. Use the commands in Table 11-2.


Table 11-2. Viewing the Routing Table

| Table Section | Command Syntax |
|---|---|
| directly connected routes | show ip route connected |
| statically entered routes | show ip route static |
| BGP | show ip route bgp |
| RIP | show ip route rip |
| OSPF | show ip route ospf |
| routes displayed in table format | show ip route table |
| the number of routes stored in the routing table | show ip route summary |

Using the Routing Table to Troubleshoot Static Routing

Several problems can prevent the router from using static routes to forward traffic to its destination correctly:

■ You have not added a route to the destination.

■ The router cannot use the route.

■ The route to the destination is faulty.

Enter the show ip route command to determine what route, if any, the router is using to forward traffic to the destination in question.

When the routing table does not include a route for the destination, you should try adding the route. If adding new static routes on each new device becomes too cumbersome, you can configure a dynamic routing protocol. See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide.

Even if you have configured a static route for a destination, you may not see that route when you enter the show ip route command. The routing table only displays the routes that the router can use to forward packets. The router may know routes that it is not using because:

■ the forwarding interface is down

■ the router knows an identical route with a smaller metric or administrative distance

■ the router knows an identical route with the same metric and administrative distance and load sharing is not enabled


If a static route does not appear in the routing table, verify that the associated forwarding interface is up. If necessary, troubleshoot that interface. If you have configured a next-hop address for the static route, you should check the routing table to ensure that it includes a route to that next hop.

If you want the router to use more than one route to the same destination, you must enable load sharing with the ip load-sharing command.

If you see a route to the destination that hosts cannot reach, several problems could be causing traffic to be misrouted:

■ Another router en route to the destination cannot route the traffic—In this case, you should use the traceroute command to pinpoint the router that is not forwarding the traffic. (See “Monitoring Routes” on page 11-26.) Remember that in order for a ping to be successful, routers must also know a route back to the source of the ping. You should always make sure that routes are two-way: the local router knows routes to remote destinations, and remote routers know routes to the local networks.

■ The route in the local routing table is invalid—Check for miskeyed information such as the wrong interface number for the forwarding interface. You must remove the route before re-entering the route with the correct information. (When you configure more than one static route to the same destination, the router automatically assigns the second route a higher administrative distance. Therefore, if you fail to remove the faulty route, your correction will not take effect.)

■ Your router’s routing table includes the correct route, but it also includes a more-specific, incorrect route. For example, the router may have discovered a more-specific route using a routing protocol. See “Clearing Routes” on page 11-27 to learn how to remove dynamic routes from the table. See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide to learn how to troubleshoot routing protocols.
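The following Python example is added here and is not part of the guide or of ProCurve software. It compares configured static routes with show ip route output to report statics that are missing from the table and to show which route wins a lookup by longest prefix. The sample configuration and table are constructed, the function names are hypothetical, and it assumes the running configuration lists static routes in the ip route form given in this chapter.

```python
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "code net ad metric next_hop iface")

# Constructed sample data, not taken from a real router.
RUNNING_CONFIG = """\
ip route 172.16.0.0 /16 10.1.1.1
ip route 192.168.3.0 255.255.255.0 10.9.9.9
ip route 192.168.50.0 /24 ppp 3
"""
SHOW_IP_ROUTE = """\
C 10.1.1.0/30 is directly connected, ppp 1
C 10.2.2.0/30 is directly connected, ppp 2
S 172.16.0.0/16 [1/0] via 10.1.1.1, ppp 1
R 172.16.3.0/24 [120/1] via 10.2.2.1, ppp 2
C 192.168.128.0/24 is directly connected, eth 0/1
"""

_CONNECTED = re.compile(r"^C\s+(\S+) is directly connected, (.+)$")
_VIA = re.compile(r"^([SROB])\s+(\S+) \[(\d+)/(\d+)\] via (\S+), (.+)$")
_STATIC = re.compile(r"^ip route (\S+) (\S+) (.+)$")


def parse_table(text):
    """Parse 'show ip route' body lines into Route tuples."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        m = _CONNECTED.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1))
            routes.append(Route("C", net, None, None, None, m.group(2)))
            continue
        m = _VIA.match(line)
        if m:
            code, net, ad, metric, hop, iface = m.groups()
            routes.append(Route(code, ipaddress.ip_network(net), int(ad),
                                int(metric), ipaddress.ip_address(hop), iface))
    return routes


def parse_static_config(text):
    """Parse 'ip route <dest> <mask | /prefix> <next hop | interface>' lines."""
    statics = []
    for line in text.splitlines():
        m = _STATIC.match(line.strip())
        if m:
            dest, mask, target = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask.lstrip('/')}", strict=False)
            statics.append((net, target.strip()))
    return statics


def matching_routes(routes, dest):
    """All routes covering dest, most specific first. The first entry is the
    one used for forwarding; a more-specific learned route wins over a
    less-specific static route regardless of administrative distance."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r.net]
    return sorted(hits, key=lambda r: r.net.prefixlen, reverse=True)


def missing_static(statics, routes):
    """Configured static routes absent from the table, with what to check."""
    installed = {r.net for r in routes if r.code == "S"}
    findings = []
    for net, target in statics:
        if net in installed:
            continue
        try:
            hop = ipaddress.ip_address(target)
        except ValueError:
            # Target is an interface ID such as "ppp 3".
            findings.append((str(net), f"check that forwarding interface {target} is up"))
            continue
        if not matching_routes(routes, target):
            findings.append((str(net), f"no route to next hop {hop}"))
        else:
            findings.append((str(net), "an identical route with a smaller metric "
                                       "or administrative distance may be in use"))
    return findings


if __name__ == "__main__":
    table = parse_table(SHOW_IP_ROUTE)
    for dest in ("172.16.3.20", "172.16.9.1", "192.168.3.7"):
        hits = matching_routes(table, dest)
        used = f"{hits[0].code} {hits[0].net} via {hits[0].iface}" if hits else "no route"
        print(f"{dest}: {used}; less specific: {[str(r.net) for r in hits[1:]]}")
    for net, reason in missing_static(parse_static_config(RUNNING_CONFIG), table):
        print(f"static {net} not in table: {reason}")
```
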

Monitoring Routes

You can monitor the route that packets actually take through the network by using the traceroute command. Enter the command followed by the destination address for the route you want to trace:

Syntax: traceroute <A.B.C.D>

The router sends out a series of pings with steadily incrementing TTLs, so that each successive ping reaches one hop closer to the destination. The router records the addresses of the routers that return the pings, thus building up a list of every hop between itself and the destination. (See Figure 11-9.)


Figure 11-9. Traceroute Command

ProCurveSR7102dl#traceroute 192.168.100.2
Type CTRL+C to abort.
Tracing route to 192.168.100.2 over a maximum of 30 hops

1 2ms 2ms 2ms 10.1.1.2
2 4ms 4ms 4ms 10.2.2.1
3 4ms 5ms 4ms 192.168.100.2

Figure callouts: Next hop—directly connected neighbor; Destination

Tracing routes allows you to monitor actual traffic flow (although in a necessarily limited fashion). When traffic does not reach its destination, you can determine which network node cannot forward it. You can then troubleshoot the device with the problem.

When traffic can take more than one route through a network, you can use the traceroute command to discover which path routers have selected. If you determine that routers are using high-cost paths unnecessarily, you can make adjustments accordingly. For example, you can configure a routing protocol, such as OSPF, that takes link cost into account. Or you can configure PBR to allow the router to forward traffic over different paths depending on certain characteristics of the traffic. (See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide.)

Clearing Routes

In addition to the routes that you add to your router’s routing table, your router may learn routes using a dynamic routing protocol. If your router has learned unreliable routes, you can clear them using this command:

Syntax: clear ip route [* | <A.B.C.D> <subnet mask | /prefix length>]

You can enter *, which clears all routes, or the destination for the specific route you want to remove.


Note: Clearing a route is not necessarily enough to solve a problem. Unless you address the reason that the router learned the inaccurate route, the router may simply learn the inaccurate route again.

If your router should not be receiving dynamic routes at all, then you should enter these commands:

ProCurve(config)# no router rip
ProCurve(config)# no router ospf
ProCurve(config)# no router bgp <AS>

If you do want your router to use a routing protocol in addition to static routes, you should troubleshoot the routing protocol as described in Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR in the Advanced Management and Configuration Guide.

The clear command only removes learned routes. To clear a static route, you must enter the no form of the command you used to enter it:

Syntax: no ip route <destination A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>

Remember that, unlike the clear ip route command, the no ip route command is entered from the global configuration mode context.


Figure 11-10. Clearing Routes

ProCurve#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2

Gateway of last resort 192.168.128.1

C 10.1.1.0/30 is directly connected, ppp 1
C 10.1.1.1/32 is directly connected, ppp 1
C 10.2.2.0/30 is directly connected, ppp 2
C 10.2.2.1/32 is directly connected, ppp 2
S 172.16.0.0/16 [1/0] via 10.1.1.1, ppp 1
R 172.16.3.0/24 [120/1] via 10.1.1.1, ppp 1
R 172.16.4.0/24 [120/1] via 10.1.1.1, ppp 1
O 192.168.65.0/24 [110/51] via 10.2.2.1, ppp 2
C 192.168.128.0/24 is directly connected, eth 0/1
C 192.168.129.0/24 is directly connected, eth 0/2

Figure callouts: Faulty route; Misconfigured route

For example, your router has the routes in the routing table shown in Figure 11-10. The routes to 192.168.65.0 /24 and 172.168.0.0 /16 are faulty and you want to clear them. The first is a learned route, so you enter:

ProCurve# clear ip route 192.168.65.0 /24

The second is a static route, so you move to the global configuration mode context and enter:

ProCurve(config)# no ip route 172.168.0.0 /16 ppp 1


Quick Start

This section provides the commands you must enter to quickly configure static routes.

Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 11-1 to locate the section that contains the explanation you need.

Static Routing

Static routing may be a good solution for your WAN if:

■ you are connecting remote sites that each only have one router

■ the router only needs to route traffic to an ISP

■ only one path is available to forward IP traffic

Connecting Simple Remote Sites

1. Configure a route to the remote network using the remote router’s WAN IP address as the next-hop address:

Syntax: ip route <destination network A.B.C.D> <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>

For example:

ProCurve(config)# ip route 192.168.3.0 /24 10.2.2.1

You can alternatively specify the connecting WAN interface on the local router as the forwarding interface:

ProCurve(config)# ip route 192.168.3.0 /24 ppp 1

For Frame Relay connections, use the Frame Relay subinterface for the PVC you want to use as the forwarding interface.

It can be a good idea to use the logical interface as the reference for the route because IP addresses could change.

2. If necessary, add a route to another remote network.


Routing Traffic to an ISP

Configure a default route to the ISP router:

ProCurve(config)# ip route 0.0.0.0 /0 ppp 1

Syntax: ip route 0.0.0.0 /0 <subnet mask | /prefix length> <next hop A.B.C.D | forwarding interface ID>

Again, you should specify the WAN interface as the forwarding interface so that the route is still valid even if the IP address changes.


12

Domain Name System (DNS) Services

Contents

Overview
  Host and Domain Names
  Host Tables
  Authoritative and Caching Name Servers
  DNS Queries
  ProCurve Secure Router DNS Support
  Dynamic DNS
    Dynamic DNS
    Static DNS
    Custom DNS

Configuring DNS
  Enabling DNS
  Adding an Entry to the Router’s Host Table
  Specifying DNS Server Addresses
  Enabling the Router to Act as a Name Server

Troubleshooting DNS
  Process
    Debugging DNS Server Activity
    Debugging DNS Client Activity

Configuring Dynamic DNS
  Opening an Account with DynDNS
  Configuring the Interface’s IP Address
    Setting a Dynamic Address
    Specifying a Static Address
  Activating the Dynamic DNS Client
  Special Considerations for Configuring Custom DNS

Quick Start
  Configuring the ProCurve Secure Router as a DNS Client
  Configuring the ProCurve Secure Router as a Name Server
  Configuring a Dynamic DNS Client on a ProCurve Secure Router Interface


Overview

Domain Name System (DNS) is the Internet protocol for translating domain names or hostnames into IP addresses. The hostname is the familiar, alphanumeric name for a host on the Internet (for example, www.hp.com), and the IP address is the 32-bit address that machines use to reach each other. DNS allows users to enter more readily memorable and intuitive hostnames rather than IP addresses. It also allows a host to keep the same hostname even if it changes its IP address.

Host and Domain Names

The domain name of a single host is also called a hostname. A hostname is typically made up of at least three domain levels. For example, the top-level domain of www.hp.com is “com.” The Internet is divided into hundreds of top-level domains. The most common include com, gov, org, and two-letter codes for every country.

There are millions of first-level domains (hp, in our example), each designating an organization. When you want to reserve a domain name, you work through the proper channel for your top-level domain. The top-level organization ensures that every first-level domain in the top-level domain is unique.

The second (or third or fourth) domain level refers to the specific machine. For example, www often identifies a domain’s Web server. An organization can subdivide its domain, so a hostname might include four or more levels.

Host Tables

In the very early days of the Internet, Stanford Research Institute’s Network Information Center (SRI-NIC) maintained a single host table mapping all hostnames in the Internet to their IP addresses. Individual network administrators would download new entries to their name servers. However, as the Internet exploded with new domains, SRI-NIC simply could not manage all the new entries, nor could name servers hold them all.

DNS distributes host tables throughout many DNS servers or name servers. The host table is divided into many zones, and each name server only holds the information for a few zones. Every organization maintains the host table for its own domain on its name server or servers. It is up to the organization to keep its own information accurate and up to date.


This system diffuses domain records throughout the Internet. Hosts anywhere on the Internet can still reach each other because name servers can query each other for the hostnames they cannot translate.

Authoritative and Caching Name Servers

Most name servers function as an authoritative server for one or several zones and as a caching server for all other zones. A name server’s host table includes entries for all hosts in the zones on which it is authoritative. When a client requests the IP address for one of these hosts, the authoritative server can immediately provide it. The server caches the most recently requested entries for hosts in other zones. It has received these entries from other servers through a query process.

DNS Queries

When a server receives a request to translate a hostname that is not in its host table or cache, it runs its resolver and queries its root server. Root servers know the addresses for the top-level name servers, which in turn know the addresses for the name servers of their first-level domains. These servers provide IP addresses for hosts in their domain. (See Figure 12-1 for an example of a DNS query.)

Caching addresses speeds up the query process. Clients are constantly requesting .com addresses. A name server will hold the top-level name server’s address in its cache, instead of having to query its root server for it each time a client requests an address ending in .com.


Similarly, when a client accesses several hosts in the same first-level domain, the DNS server caches the IP address for the first-level domain server.

Figure 12-1. DNS Queries

[Figure labels: Root server; Top-level server; DNS servers for Organization A, Organization B, and Organization C; Request for www.C.com; Request for .com; Request for C.com]

ProCurve Secure Router DNS Support

The ProCurve Secure Router can function as an authoritative name server for hosts in your domain. The router stores a host table with the entries for local hosts. It can also act as a caching server. When the ProCurve Secure Router runs DNS proxy, it can ask another server to resolve clients’ queries for hostnames not in its own table.

In addition, the ProCurve Secure Router can run a DNS client for itself. The DNS client lets you enter hostnames instead of IP addresses for ping, traceroute, and other troubleshooting commands. When the router acts as a client, it can look up names for itself in its host table. It can also send DNS requests to its external DNS servers.


Dynamic DNS

Your device’s IP address may change, and such changes are not always under your control. For example, your router may receive a dynamic address from your Internet service provider (ISP). When a device’s address changes, DNS servers will no longer be able to resolve its hostname, and customers will not be able to access the device.

In order to map a dynamic IP address with a static hostname, you should register with an organization that provides dynamic DNS services.

The ProCurve Secure Router supports a client that is compatible with Dynamic Networking Services, Inc. (www.dyndns.org), or DynDNS. The client runs on a router interface. It automatically notifies DynDNS whenever the interface’s IP address changes, and DynDNS propagates the change throughout its system of DNS servers.

DynDNS provides several types of services:

■ Dynamic DNS℠

■ Static DNS℠

■ Custom DNS℠

Depending on the service you select, you can register a hostname in one of the domains provided by DynDNS or in your own domain.

Dynamic DNS

Dynamic DNS is a free service that allows you to map dynamic addresses to up to five hostnames. You must register hostnames in one of 68 set domains. (See http://www.dyndns.org/services/dns/dyndns/domains.html for a list of available domains.)

The client running on the ProCurve Secure Router interface automatically updates DynDNS when the interface’s IP address changes. (If DynDNS does not receive at least one update every 35 days, it deletes the hostname.) DynDNS provides five globally redundant DNS servers to ensure that your hostname will always resolve.

Dynamic DNS is primarily designed for private users. For commercial applications, you should probably purchase an account upgrade or Custom DNS.


Static DNS

You can use Static DNS to register a device with a free hostname in one of the domains used with Dynamic DNS. Static DNS provides many of the same services as Dynamic DNS, but it is tailored for devices whose IP addresses rarely change. When you use Static DNS, new information takes longer to propagate; however, DynDNS maintains a device’s hostname even when the device does not send an update within 35 days.

Static DNS may be a good solution for you when:

■ your device’s IP address rarely changes

■ you want to assign the device a static, easy-to-remember hostname, but you do not want to purchase a domain name

Custom DNS

You can use Custom DNS with both static and dynamic IP addresses. Custom DNS provides all the features of Dynamic DNS, with several additions.

With Custom DNS, you can map a dynamic IP address to a hostname in nearly any domain. (Exceptions include domains in alternate roots; see http://www.dyndns.org/services/dns/custom/supported-domains.html for more information.) You can also use your own domain, over which you have complete control. You can purchase the domain name from another organization or from DynDNS.

You can configure various hostnames in the domain. You can also specify various subdomains, which can point to the same IP address or different IP addresses.

You can configure Custom DNS using DynDNS’s standard or expert interface. The standard interface automatically provides services such as having www.yourdomain.com point to the same address as yourdomain.com.


Configuring DNS

The extent to which you enable DNS functions on the ProCurve Secure Router depends on whether you want the router to simply be able to run the DNS client or to act as a name server for your organization.

If you only want the router to act as a DNS client, you must:

■ enable DNS (which is enabled by default)

■ specify at least one external DNS server

You can also:

■ add entries for local hosts to the router’s host table

If you want the router to act as a name server for hosts in your network, you must:

■ enable DNS (which is enabled by default)

■ specify at least one external DNS server

■ add entries for local hosts to the router’s host table

■ enable DNS proxy

Enabling DNS

The ProCurve Secure Router automatically supports DNS. You can turn DNS on and off with the following global configuration mode command:

Syntax: [no] ip domain-lookup

This command enables the DNS client on the router. You can input Web addresses instead of IP addresses for applications such as ping, Telnet, and traceroute, and the router will either translate the names itself using its host table or query its primary DNS server.

In order for the router to translate hostnames for itself, you must add entries for hosts in its domain to its host table.

In order for the router to resolve the names of hosts outside its domain, you must specify the IP address of the DNS server it should query.

The router will only act as a name server for connected hosts if you enable DNS proxy. (See “Enabling the Router to Act as a Name Server” on page 12-10.)


Adding an Entry to the Router’s Host Table

DNS distributes the now overwhelmingly vast host table throughout many name servers. Network administrators maintain entries for their own domains, which keeps the table accurate and under control. You manage only the small section of the table on which you are an expert. You should configure the host table on your ProCurve Secure Router only with entries for hosts on its own network.

If the router is acting as a Dynamic Host Configuration Protocol (DHCP) server, the Secure Router OS automatically adds the router’s clients to the host table. If the router is acting as an authoritative server for its own network, you should also manually add entries for any devices with a static address that users may need to access such as your organization’s Web and email servers. Do not add entries for external hosts or any other host for which the router can get information from other servers.

To add a hostname to the table, enter:

Syntax: ip host <hostname> <A.B.C.D>

For example:

ProCurve(config)# ip host www 192.168.1.25

A hostname can be any combination of numbers and letters under 256 characters. However, the hostname cannot constitute a valid IP address. Use the no form of this command to remove names from the hostname table.

Do not include the domain name for hostnames. Instead, you should specify your organization’s domain name as the default name the router uses to resolve hostnames. Enter:

Syntax: ip domain-name <domain name>

Do not include the initial period that separates an unresolved name from the domain name. For example:

ProCurve(config)# ip domain-name procurve.com

If you enable DNS proxy, the router can also use the default domain name when forwarding requests. If the external name server cannot resolve a query, the router appends the default domain name to the original query and resends the request.


Specifying DNS Server Addresses

No single DNS server contains the entire host table for every host on the Internet. In order for the Internet to do its job—to allow a host in one location to access a host in any other location—name servers must be able to query each other about the many hosts not in their own tables.

You must specify at least one external name server for the router. This can be a root server, or it can be a DNS server in your organization’s WAN that knows how to reach the root server. The router will contact this server:

■ to resolve hostnames for the router (when the router is acting as a DNS client)

■ to resolve hostnames for connected hosts (when the router is running DNS proxy)

To configure the address for the router’s DNS server, enter:

Syntax: ip name-server <A.B.C.D> <secondary server A.B.C.D>

You may enter addresses for up to six servers (separate each with a space). The ProCurve Secure Router will first send DNS requests to the first address listed. For example, enter three:

ProCurve(config)# ip name-server 10.1.1.1 10.2.2.2 10.3.3.3

Use the no form of the command to remove a server from the list.

Enabling the Router to Act as a Name Server

The router will automatically act as a server for itself (for example, when you ping a device by its hostname) as long as DNS lookup is enabled. To enable the ProCurve Secure Router to act as a name server for connected hosts, enter:

ProCurve(config)# ip domain-proxy

When the ProCurve Secure Router receives a request from a client to translate a hostname, it follows this process:

1. It checks its local host table for a matching entry. (See “Adding an Entry to the Router’s Host Table” on page 12-9 to learn how to create this table.) If it finds a match, it sends the IP address stored for the host to the client.

2. If it does not find a match, it forwards the request to an external DNS server. (See “Specifying DNS Server Addresses” on page 12-10.) When the router receives a reply, it forwards it to the client.

3. If the external server cannot resolve the name, the router appends the default domain name (if configured) and resends the request.
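Because the router answers from its host table before it consults any external server, a wrong ip host entry misdirects every client that uses the router as its name server, so the rules given above for ip host, ip domain-name, ip name-server, and ip domain-proxy are worth checking against a saved configuration. The following Python sketch is an added example, not part of the ProCurve guide or the Secure Router OS; the sample configuration is constructed, and audit_dns_config and its local_networks parameter are hypothetical names.

```python
import ipaddress
import re

MAX_NAME_SERVERS = 6                              # the guide allows up to six
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]{1,255}")   # letters and digits, under 256 characters

# Constructed sample, not taken from a real router.
SAMPLE_CONFIG = """\
ip domain-name .procurve.com
ip name-server 10.1.1.1 10.2.2.2
ip domain-proxy
ip host www 192.168.1.25
ip host mail.procurve.com 192.168.1.26
ip host 192.168.1.30 192.168.1.30
ip host partner 203.0.113.10
"""


def _ipv4(text):
    """Return an IPv4Address, or None when text is not a dotted-quad address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def audit_dns_config(config_text, local_networks):
    """Return (line_number, message) findings for the DNS commands in config_text."""
    nets = [ipaddress.ip_network(n) for n in local_networks]
    findings, servers, proxy_line = [], [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if words[:2] == ["ip", "host"]:
            if len(words) != 4:
                findings.append((lineno, "ip host takes <hostname> <A.B.C.D>"))
                continue
            name, addr = words[2], _ipv4(words[3])
            if _ipv4(name) is not None:
                findings.append((lineno, "hostname is a valid IP address"))
            elif not HOSTNAME_RE.fullmatch(name):
                findings.append((lineno, "hostname must be letters and digits, without the domain name"))
            if addr is None:
                findings.append((lineno, "address is not a valid A.B.C.D"))
            elif not any(addr in net for net in nets):
                findings.append((lineno, "host is outside the router's own networks"))
        elif words[:2] == ["ip", "domain-name"]:
            if len(words) != 3 or words[2].startswith("."):
                findings.append((lineno, "domain name must be one word with no leading period"))
        elif words[:2] == ["ip", "name-server"]:
            for word in words[2:]:
                if _ipv4(word) is None:
                    findings.append((lineno, f"name server {word} is not a valid A.B.C.D"))
                else:
                    servers.append(word)
        elif words == ["ip", "domain-proxy"]:
            proxy_line = lineno
    # Assumption: servers listed on several ip name-server lines count toward one limit.
    if len(servers) > MAX_NAME_SERVERS:
        findings.append((0, f"{len(servers)} name servers listed, limit is {MAX_NAME_SERVERS}"))
    if proxy_line is not None and not servers:
        findings.append((proxy_line, "DNS proxy is enabled but no external name server is specified"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_dns_config(SAMPLE_CONFIG, ["192.168.1.0/24"]):
        print(f"line {lineno}: {message}")
```

A finding with line number 0 applies to the configuration as a whole rather than to one line.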


Troubleshooting DNS

When the ProCurve Secure Router cannot correctly resolve domain names, you can monitor DNS error messages to pinpoint the source of the problem.

You should be able to interpret DNS messages well enough to track the DNS process and determine where problems arise.

Caution: Enabling DNS debug messages can seriously compromise the network as the router is forced to debug the many DNS requests arriving from clients.

Before enabling debug messages, you can check for some of the most common problems described in the next section.

You should also determine that all connections are up and that hosts can ping each other. In other words, you should be certain that basic connectivity is not the root of the problem.

Process

First, determine whether the router is acting as a DNS client or a DNS server. Then activate the corresponding debug messages.

The ProCurve Secure Router acts as a DNS server when it:

■ receives DNS requests from hosts on its network

■ checks its host table for a matching entry

■ forwards queries to an external DNS server

■ forwards the IP address for a hostname to a DNS client

The ProCurve Secure Router acts as a DNS client when it:

■ sends a query to an external name server on its own behalf

Debugging DNS Server Activity

To monitor the router’s activity as it receives, forwards, and responds to DNS requests, enter the following enable mode context command:

ProCurve# debug ip dns-proxy


Note: You can also start displaying the debug messages from any mode context with the do command.

Then, have the DNS client again attempt to access the host. Track the router’s activity. It should pass through the steps shown in Table 12-1. Determine where the process breaks down and troubleshoot the problem accordingly.

Table 12-1. DNS Proxy Process

| Step | IP.DNS PROXY Messages | Likely Problem If The Message Does Not Appear | Likely Problem If The Message Repeats |
|---|---|---|---|
| 1. The router receives a request to translate a hostname. | Received request from <DNS client> | DNS proxy is not enabled. | The router cannot resolve the hostname. (See Steps 2, 3, and 5 for possible causes.) |
| 2. If the hostname is in the local host table, the router sends its IP address to the client. | Serving reply for “<hostname>” from host database: <host A.B.C.D> | The host table does not include the hostname. | —— |
| 3. If the hostname is not in the table, the router queries its own DNS server. | Forwarding query for “<hostname>” to <DNS A.B.C.D> | You have not specified at least one external DNS server. | • The external server cannot translate the hostname. • The router cannot reach the external server. |
| 4. If the server can translate the name, the router forwards the response to the client. | • Received response from server • Transmitting response to <DNS client> | • The external server cannot translate the hostname. • The router cannot reach the external server. | —— |
| 5. If the server cannot translate the name, the router appends the default domain name to the request and resends it. | Forwarding query for “<hostname>.<default domain name>” to <DNS server A.B.C.D> | You have not configured a default domain name. | • The external server cannot translate the hostname. • The router cannot reach the external server. |
| 6. If the server can translate the name, the router forwards the response to the client. | • Received response from server • Transmitting response to <DNS client> | • The external server cannot translate the hostname. • The router cannot reach the external server. | —— |


Host Table Does Not Include a Hostname. If necessary, add an entry to the host table. You can view the current entries in the running-config. Look for a miskeyed entry. Delete the faulty entry from the host table before adding the correct entry. (It is very easy to edit an entry in the Web browser interface; see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.)

Often, however, the local host table does not contain the entry for a host because it should not. The router should have only local hostnames in its host table. The router should be able to communicate with external name servers to receive IP addresses for hosts outside its own domain.

No External DNS Server. If the debug messages indicate that the router is not forwarding queries, you should specify an IP address for at least one DNS server. (See “Specifying DNS Server Addresses” on page 12-10.)

Forwarding Debug Message Repeats. If, on the other hand, you continually receive the Forwarding query... message, the router either cannot reach the DNS server or the server cannot translate the hostname.

If the server cannot translate the name, there is little you can do beyond adding another DNS server in hopes that it will provide better service. It is also quite possible that the hostname is invalid.

If the server consistently fails to translate hostnames, you should remove it from the system by entering no ip name-server <server A.B.C.D>. (Find the address in the running-config.)

However, before writing hostnames and servers off, you should determine that the router is actually reaching the server. Verify that the connection is up and attempt to ping the server. (Tips for bringing up an interface can be found in Chapter 3: Configuring Ethernet Interfaces, Chapter 4: Configuring E1 and T1 Interfaces, Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, and Chapter 7: ADSL WAN Connections.) If the router cannot reach the server, verify that it knows a route to the server’s subnet (enter show ip route). You can learn how to add a static route and troubleshoot routing protocols in Chapter 11: IP Routing—Configuring Static Routes.

No Default Domain Name. Also, check that the router is appending a default domain name to resent queries and that this domain name is correct. See “Adding an Entry to the Router’s Host Table” on page 12-9 to learn how to configure the default domain name.
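The checks in Table 12-1 can be applied mechanically to captured debug ip dns-proxy output for one lookup attempt. This Python sketch is an added example, not code from the ProCurve guide; the trace lines and their IP.DNS PROXY prefix are constructed, and classify and diagnose are hypothetical names.

```python
import re

QUOTE = "[\"\u201c\u201d]"   # straight or typographic double quote
# Message texts from Table 12-1. search() tolerates any prefix the router prints
# before the message (the prefix used in the samples below is an assumption).
PATTERNS = {
    "request": re.compile(r"Received request from (\S+)"),
    "local": re.compile("Serving reply for " + QUOTE + "(.+?)" + QUOTE + r" from host database: (\S+)"),
    "forward": re.compile("Forwarding query for " + QUOTE + "(.+?)" + QUOTE + r" to (\S+)"),
    "response": re.compile(r"Received response from server"),
    "transmit": re.compile(r"Transmitting response to (\S+)"),
}

# Constructed traces, one lookup attempt each.
TRACE_LOCAL = [
    'IP.DNS PROXY Received request from 192.168.1.50',
    'IP.DNS PROXY Serving reply for "www" from host database: 192.168.1.25',
]
TRACE_NO_SERVER = ['IP.DNS PROXY Received request from 192.168.1.50']
TRACE_FORWARDED = [
    'IP.DNS PROXY Received request from 192.168.1.50',
    'IP.DNS PROXY Forwarding query for "www.example.org" to 10.1.1.1',
    'IP.DNS PROXY Received response from server',
    'IP.DNS PROXY Transmitting response to 192.168.1.50',
]
TRACE_UNRESOLVED = [
    'IP.DNS PROXY Received request from 192.168.1.50',
    'IP.DNS PROXY Forwarding query for "intranet" to 10.1.1.1',
    'IP.DNS PROXY Forwarding query for "intranet.procurve.com" to 10.1.1.1',
]


def classify(line):
    """Return (event, groups) for a DNS proxy debug line, or None for anything else."""
    for event, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            return event, match.groups()
    return None


def diagnose(lines):
    """Follow one lookup attempt through Table 12-1 and report where it stops."""
    events = [hit for hit in map(classify, lines) if hit]
    seen = {event for event, _ in events}
    forwards = [groups[0] for event, groups in events if event == "forward"]
    if "request" not in seen:
        return {"step": 0, "resolved": False, "problems": ["DNS proxy is not enabled"]}
    if "local" in seen:
        return {"step": 2, "resolved": True, "problems": []}
    if not forwards:
        return {"step": 1, "resolved": False, "problems": [
            "host table does not include the hostname",
            "no external DNS server is specified"]}
    # Step 5 resends the first query with the default domain name appended.
    appended = any(name.startswith(forwards[0] + ".") for name in forwards[1:])
    if "transmit" in seen:
        return {"step": 6 if appended else 4, "resolved": True, "problems": []}
    problems = ["external server cannot translate the hostname",
                "router cannot reach the external server"]
    if not appended:
        problems.append("no default domain name is configured")
    return {"step": 5 if appended else 3, "resolved": False, "problems": problems}


if __name__ == "__main__":
    for trace in (TRACE_LOCAL, TRACE_NO_SERVER, TRACE_FORWARDED, TRACE_UNRESOLVED):
        print(diagnose(trace))
```

The step value is the last step of Table 12-1 whose message was seen; the problems list repeats the table's likely causes for the first message that is missing.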


Debugging DNS Client Activity

DNS client activity deals only with the DNS requests the router makes on its own behalf. (The router always checks its own host table first. If it finds a match, no debug messages appear.)

To monitor DNS client messages, move to the enable mode context and enter:

ProCurve# debug ip dns-client

Real-time debug messages tracking the ProCurve Secure Router’s DNS client activity will display. For example, if you try to ping a hostname that the ProCurve Secure Router cannot find in its hostname table, the following message appears:

DNS: CLIENT Transmitting query packet for <hostname>

If this message does not appear, then you have not specified an IP address for the external server and should do so. (See “Specifying DNS Server Addresses” on page 12-10.)

The command line interface (CLI) should next display this message:

DNS: CLIENT Received query response

If you do not receive this message, the external DNS server cannot resolve the hostname. It is possible that the hostname is not valid. It is also possible that the DNS server address has been miskeyed and is not that of a valid name server. Find the address the router is contacting in the running-config (enter show running-config and look for ip name-server <A.B.C.D>).

Before deleting the address and entering a new one, ping the server and verify that the router can reach it. If the server does not reply, the server may be down or the router’s connection to the server may be down. The Stat LED for the interface through which the router reaches the DNS server should be green. See Chapter 3: Configuring Ethernet Interfaces, Chapter 4: Configuring E1 and T1 Interfaces, Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, and Chapter 7: ADSL WAN Connections for tips on troubleshooting a connection.

Also verify that the route table includes a route to the server’s subnet. See Chapter 11: IP Routing—Configuring Static Routes for more information about the route table.


If the interface can reach the server, but the server consistently fails to translate hostnames, you should remove the server. If necessary, specify a new one. You can specify up to six DNS servers.

Configuring Dynamic DNS

When an interface has a dynamic IP address—for example, when your ISP provides its address—you should register its hostname with a dynamic DNS service provider. Dynamic DNS keeps track of the static hostname and ensures that, even when the associated device’s IP address changes, the hostname resolves to the correct address.

The ProCurve Secure Router supports a client that is compatible with Dynamic Networking Services, Inc., or DynDNS.

The dynamic DNS client on the ProCurve Secure Router can request one of these three levels of service:

■ Dynamic DNS℠

■ Static DNS℠

■ Custom DNS℠

Dynamic DNS and Static DNS are currently free services. Dynamic DNS allows you to map a dynamic address to a static hostname in one of 68 domains. Static DNS provides much the same services, but for devices whose IP addresses rarely change. DynDNS provides both these services for up to five hostnames.

You can purchase Custom DNS for a complete DNS solution. Custom DNS grants you control over an entire domain name: either one that you purchase from DynDNS or one that you have already purchased from another organization. You can also configure subdomains and map them to the same IP address or different IP addresses.

You should visit www.dyndns.org for more information about these services.

The following router interfaces can register for dynamic DNS services:

■ Ethernet interfaces

■ Ethernet subinterfaces (VLAN interfaces)

■ Point-to-Point Protocol (PPP) interfaces

■ High-level Data Link Control (HDLC) interfaces

■ Frame Relay subinterfaces

■ Asynchronous Transfer Mode (ATM) subinterfaces


You must complete three steps to configure a DynDNS service for a router interface:

1. Open an account with DynDNS.

2. Configure the logical interface’s IP address.

3. Activate the dynamic DNS client.

Opening an Account with DynDNS

You should first register with DynDNS for a hostname. Visit the Web site at www.dyndns.org and create an account. Select either the static or dynamic option. DynDNS will guide you through the process of selecting a domain from the 68 that it supports.

If you select the custom service, you can lease your own domain name.

Note: DynDNS allows you to map a wildcard hostname to the address. You should use this option, for example, to allow users to access the same device by entering yourdomain.com or www.yourdomain.com.

Configuring the Interface’s IP Address

On the ProCurve Secure Router, move to the configuration mode context for the interface whose IP address you want to map to the static hostname.

The interface must have an IP address to run the dynamic DNS client. If you have not already done so, configure the IP address.

Setting a Dynamic Address

When using Dynamic DNS, this address is generally a dynamic address—for example, one obtained using DHCP. Interfaces using Custom DNS can also have a dynamic address.

Enter:

Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]

When you activate the DHCP client on an interface, you can optionally enter a hostname for the interface, which your ISP may advertise to its DNS servers. You can request that your ISP accept the hostname that you will register with DynDNS. You would then enter that hostname for the hostname option. See Chapter 13: Dynamic Host Configuration Protocol (DHCP) for more information on configuring a DHCP client.

You can configure a PPP interface to take a dynamic address from a service provider with this interface configuration mode command:

Syntax: ip address negotiated [no-default]

See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces for more information on configuring IP addresses for logical interfaces.

Specifying a Static Address

If you selected the Static DNS service, you should assign the interface a static address. An interface that uses Custom DNS can also have a static address, if you so choose.

From the Ethernet or logical interface configuration mode context, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces for more information on configuring IP addresses for logical interfaces.

Activating the Dynamic DNS Client

You should now activate the client that automatically updates DynDNS when the interface’s dynamic IP address changes. Use this command, entered from the interface configuration mode context:

Syntax: dynamic-dns [dyndns | dyndns-custom | dyndns-static] <hostname> <username> <password>

Select the dyndns option for the Dynamic DNS service, the dyndns-static option for the Static DNS service, and the dyndns-custom option for Custom DNS. Enter the hostname you have selected for the router interface. Then enter the username and password that you established when creating your DynDNS account.

For example:

ProCurve(config-atm 1.1)# dynamic-dns dyndns procurve admin secret


Special Considerations for Configuring Custom DNS

Custom DNS expands the services provided by Dynamic and Static DNS. For example:

■ You control your own domain name, which you may already possess or which you may purchase from DynDNS.

■ You can turn your hostname into a subdomain, which is handled by your own DNS servers.

■ You can customize the TTL for hostnames, depending on whether the device has a static, pseudo-static, or dynamic IP address.

When you open your account, the DynDNS standard interface will guide you through setting up these services. (Experienced users can use the expert interface.)

Note: If you purchased your domain name from a different organization, you must tell that organization to use DynDNS’s DNS servers to resolve hostnames in your domain. DynDNS will instruct you how to do so.


Quick Start

This section provides the commands you must enter to quickly configure the ProCurve Secure Router to act as:

■ a DNS client

■ a proxy name server

It also shows you how to configure a router interface to run a client that updates a dynamic DNS service when the interface’s IP address changes.

Only minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 12-1 to locate the section that contains the explanation you need.

Configuring the ProCurve Secure Router as a DNS Client

1. The router automatically acts as a DNS client. If this function has been turned off, you can re-enable it from the global configuration mode context.

Syntax: ip domain-lookup

2. Specify IP address(es) for the router’s name server(s) from the global configuration mode context.

Syntax: ip name-server <A.B.C.D> <secondary A.B.C.D>

You can enter up to six name servers.

3. If so desired, add entries for devices on the network to the local host table. Enter this command from the global configuration mode context:

Syntax: ip host <hostname> <A.B.C.D>

For example:

ProCurve(config)# ip host www 192.168.3.25

4. Configure a default domain name for the router.

Syntax: ip domain-name <domain name>

For example:

ProCurve(config)# ip domain-name procurve.com


Configuring the ProCurve Secure Router as a Name Server

1. Enable DNS proxy from the global configuration mode context:

Syntax: ip domain-proxy

2. Add entries for static devices on the network to the local host table.

Syntax: ip host <hostname> <A.B.C.D>

For example:

ProCurve(config)# ip host www 192.168.3.25

3. Configure a default domain name for the router.

Syntax: ip domain-name <domain name>

For example:

ProCurve(config)# ip domain-name procurve.com

4. Specify IP address(es) for the DNS server(s) to which the router should forward requests it cannot translate.

Syntax: ip name-server <A.B.C.D> <secondary A.B.C.D>

You can specify up to six DNS servers.

Configuring a Dynamic DNS Client on a ProCurve Secure Router Interface

These interfaces can run the Dynamic DNS client:

■ Ethernet interfaces

■ Ethernet subinterfaces (VLAN interfaces)

■ PPP interfaces

■ HDLC interfaces

■ Frame Relay subinterfaces

■ ATM subinterfaces

1. From the global configuration mode context, move to the correct interface configuration mode context.

Syntax: interface <interface ID>

For example:

ProCurve(config)# interface atm 1.1


2. If you have not already done so, configure the interface’s IP address:

a. To configure a dynamic IP address for an Ethernet interface, Frame Relay subinterface, or ATM subinterface, enter:

Syntax: ip address dhcp [hostname <word> | no-default-route | no-domain-name | no-nameservers]

b. To configure a dynamic IP address for a PPP interface, enter:

Syntax: ip address negotiated [no-default]

c. To configure a static address, enter:

Syntax: ip address <A.B.C.D> <subnet mask | /prefix length>

3. Activate the dynamic DNS client.

Syntax: dynamic-dns [dyndns | dyndns-custom | dyndns-static] <hostname> <username> <password>

Select dyndns if you have registered for Dynamic DNS, dyndns-custom if you have registered for Custom DNS, and dyndns-static if you have registered for Static DNS.

Enter the interface’s hostname. Enter the username and password for your account with DynDNS.

For example:

ProCurve(config-atm 1.1)# dynamic-dns dyndns-custom procurve admin secret


13

Dynamic Host Configuration Protocol (DHCP)

Contents

Overview (13-3)
DHCP Request Process (13-3)
The ProCurve Secure Router as a DHCP Server (13-4)
The ProCurve Secure Router as a DHCP Client (13-5)
DHCP Relay (13-6)
Configuring a DHCP Server (13-6)
Excluding Static Addresses (13-7)
Creating a DHCP Pool (13-7)
Specifying the Network Address and Subnet Mask (13-8)
Specifying the Default Gateway (13-9)
Changing a Pool’s Lease Time (13-10)
Specifying DNS, WINS, and Other Servers (13-11)
Specifying a Domain Name for the Subnet (13-12)
Specifying a Bootfile (13-12)
Configuring Parent and Child Pools (13-13)
Example DHCP Pool Configuration (13-14)
Assigning a Fixed Address to a Host through a DHCP Server (13-14)
Configuring DHCP Scopes (13-15)
Configuring the DHCP Server’s Ping Settings (13-17)
Managing and Troubleshooting the DHCP Server (13-18)
Viewing DHCP Client Bindings (13-19)
Monitoring the DHCP Process (13-19)
Clients Unable to Receive a DHCP Address (13-20)
Client Receiving the Wrong Fixed DHCP Address (13-21)
Configuring a Router Interface as a DHCP Client (13-21)
Configuring a Dynamic Address (13-22)
Setting an Interface’s Client ID (13-23)
Setting the Interface’s Hostname (13-24)
Preventing the Interface from Taking Other Configurations (13-24)
Configuring a Static Hostname for an Interface with a Dynamic Address (13-25)
Managing and Troubleshooting the DHCP Client (13-26)
Viewing the Interface’s Lease (13-26)
Releasing and Renewing Dynamic Addresses (13-27)
Monitoring DHCP Client Activity (13-27)
Configuring DHCP Relay (13-30)
Quick Start (13-32)
Configuring a DHCP Server for a Network (13-33)
Assigning a Fixed DHCP Address to a Single Host (13-34)
Configuring a Router Interface as a DHCP Client (13-36)


Overview

Every computer or device that connects to the Internet or to an IP network needs an IP address. Most users do not have the expertise to configure an IP address, subnet mask, and gateway. In addition, whenever a computer changes its location in the network, it must receive a new address. Somehow, the address assigned to each device and the addresses that are still available must both be tracked. Most companies do not have the time, resources, or staff to devote to managing such configurations. In addition, networks operate with a finite number of IP addresses. It is most efficient for a host to reserve an address only when it is using it.

Dynamic Host Configuration Protocol (DHCP) enables hosts on an IP network, called DHCP clients, to lease a temporary IP address from a DHCP server. The server can also issue other configurations to the client that help it function on the network (such as the addresses of Domain Name System [DNS] and Windows Internet Naming Service [WINS] servers). This protocol helps reduce administrative overhead on an IP-based network.

The ProCurve Secure Router can act as a DHCP server for hosts on directly connected subnets. Router interfaces can also act as DHCP clients and receive a dynamic address from a directly connected DHCP server.

DHCP Request Process

Understanding the basics of DHCP will help you understand and remember how to configure a DHCP pool. If you can track the DHCP process, you will also find it much easier to troubleshoot the router’s DHCP activity.

The DHCP request process breaks down into four steps (see Figure 13-1):

1. The client broadcasts a DHCPDISCOVER packet, requesting an IP address and other configurations.

2. The server responds with a DHCPOFFER, which includes an available network address.

3. The client sends a DHCPREQUEST, accepting the offer and requesting the complete configuration from the server.


4. The server responds with a DHCPACK, which includes:

• the agreed-upon network address

• a default gateway

• a lease time

• the address of one or more DNS servers (optional)

• the address of one or more WINS servers (optional)

Figure 13-1. DHCP Request Process

Depending on how you configure the ProCurve Secure Router, the router can act as the DHCP server and/or one of its interfaces can act as a DHCP client. (However, an interface that acts as a DHCP client cannot also act as a server.)
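To follow the four steps in a packet capture, the message type and the DHCPACK contents listed above can be read from the DHCP options of each packet. This Python sketch is an added example, not part of the ProCurve guide; the packets are constructed with a helper rather than captured, the option codes (53 message type, 3 router, 6 DNS, 44 WINS/NetBIOS name server, 51 lease time) come from the DHCP standard rather than this page, and all function names are hypothetical.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # separates the fixed header from the options
TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
EXPECTED = ["DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"]


def build_message(msg_type, xid, yiaddr="0.0.0.0", options=()):
    """Build a minimal message for the demonstration (constructed, not captured)."""
    op = 2 if msg_type in (2, 5) else 1            # 2 = server reply, 1 = client request
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                        bytes(4), bytes.fromhex("020000000001"), b"", b"")
    body = bytes([53, 1, msg_type])                # option 53 = message type
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + body + b"\xff"   # 255 = end of options


def _addrs(value):
    """Split an option value into dotted-quad strings, four bytes per address."""
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value) - 3, 4)]


def parse_message(data):
    """Decode the fields the four-step exchange relies on; reject malformed input."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                           # 0 = one-byte padding
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        options[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    if len(options.get(53, b"")) != 1:
        raise ValueError("missing message type")
    lease = options.get(51, b"")
    return {
        "type": TYPES.get(options[53][0], "other"),
        "xid": struct.unpack_from("!I", data, 4)[0],
        "address": str(ipaddress.IPv4Address(data[16:20])),   # "your address" field
        "gateway": _addrs(options.get(3, b"")),
        "dns": _addrs(options.get(6, b"")),
        "wins": _addrs(options.get(44, b"")),
        "lease_seconds": struct.unpack("!I", lease)[0] if len(lease) == 4 else None,
    }


def check_exchange(packets):
    """Return (steps_completed, problem); problem is None when all four steps check out."""
    xid = offered = None
    for step, (data, want) in enumerate(zip(packets, EXPECTED), 1):
        msg = parse_message(data)
        if msg["type"] != want:
            return step - 1, f"step {step}: expected {want}, saw {msg['type']}"
        if xid is not None and msg["xid"] != xid:
            return step - 1, f"step {step}: transaction ID differs from the DHCPDISCOVER"
        xid = msg["xid"]
        if want == "DHCPOFFER":
            offered = msg["address"]
        elif want == "DHCPACK" and msg["address"] != offered:
            return step - 1, "step 4: committed address differs from the offered address"
    if len(packets) < len(EXPECTED):
        return len(packets), f"exchange stopped before {EXPECTED[len(packets)]}"
    return len(EXPECTED), None


# Constructed exchange for one client; all addresses and the lease time are sample values.
XID = 0x3903F326
ACK_OPTIONS = [
    (3, ipaddress.IPv4Address("192.168.1.1").packed),
    (51, struct.pack("!I", 86400)),
    (6, ipaddress.IPv4Address("10.1.1.1").packed + ipaddress.IPv4Address("10.2.2.2").packed),
    (44, ipaddress.IPv4Address("192.168.1.5").packed),
]
SAMPLE_EXCHANGE = [
    build_message(1, XID),
    build_message(2, XID, "192.168.1.100"),
    build_message(3, XID),
    build_message(5, XID, "192.168.1.100", ACK_OPTIONS),
]

if __name__ == "__main__":
    print(check_exchange(SAMPLE_EXCHANGE))
    print(parse_message(SAMPLE_EXCHANGE[3]))
```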

The ProCurve Secure Router as a DHCP Server

A router that also functions as a DHCP server is particularly useful for a small-to-medium site at which all subnets connect to the WAN router. The ProCurve Secure Router can connect to up to two switches on its Ethernet ports.


Figure 13-2. ProCurve Secure Router DHCP Server

You should configure one DHCP pool for each subnet. For the default gateway, you would specify the IP address of the Ethernet interface through which the router connects to the subnet. (See Figure 13-2.)

The switches may also connect to several VLANs. In this case, you would configure VLAN support on the Ethernet interfaces. (See Chapter 3: Configuring Ethernet Interfaces.) You would then create a DHCP pool for each VLAN.

A WAN interface can also act as a server for DHCP clients. However, usually the router at the remote site or a DHCP server would act as the remote network’s server. On the other hand, when you bridge two remote sites, one router should act as a DHCP server for all clients in the network.

The ProCurve Secure Router as a DHCP Client

Some service providers require their subscribers to lease a dynamic address from them. In particular, Frame Relay service providers often require their customers to use DHCP when connecting to their network. Each permanent virtual circuit (PVC) endpoint receives an IP address only when it needs it. This allows the service provider to conserve the limited number of IP addresses it owns. Internet service providers (ISPs) also often require subscribers to receive an IP address and other configurations from them.

You must configure the interface that connects to such a provider to act as a DHCP client.

Router

LAN 1 192.168.1.0 /24

LAN 2 192.168.2.0 /24

Switch

Switch Eth 0/1

Eth 0/2

13-5

Page 592: ProCurve Secure Router 7000dl - Apache Welcome Pageh20628. · ProCurve Secure Router 7000dl. ProCurve Secure Router ... Events ... Troubleshooting E1 and T1 WAN Connections ...

Dynamic Host Configuration Protocol (DHCP)Configuring a DHCP Server

Ethernet interfaces can also be DHCP clients on the connected subnet. Usually, however, it is a good idea to assign network nodes a static address.

Interfaces on the ProCurve Secure Router that can take a dynamic address are:

■ Ethernet interfaces

■ Frame Relay subinterfaces

■ Asynchronous Transfer Mode (ATM) subinterfaces

■ Point-to-Point Protocol (PPP) interfaces (only when bridging traffic)

DHCP Relay

Rather than acting as the server for connected DHCP clients, the router can run DHCP relay, which allows hosts on one subnet to receive configurations from a server on a different subnet. The router receives DHCP packets from clients and forwards them to a remote server on behalf of the clients. Similarly, it receives the committed IP addresses from the server and forwards them to the clients.

Configuring a DHCP Server

You configure the ProCurve Secure Router to act as a DHCP server by configuring a DHCP pool for each connecting subnet. The pool specifies the subnet’s address and default gateway. It can also include other configurations such as a DNS server address.

To configure the router as a DHCP server, you must:

1. Exclude static addresses from DHCP.

2. Create a DHCP pool:

a. Specify the network address and subnet mask.

b. Define the default gateway.

c. Specify DNS and WINS (NetBIOS) server addresses—You should specify at least one DNS server.

Optionally:

■ For a DHCP pool, you can:

• change the lease time

• specify a domain name for clients on a subnet


■ You can also:

• configure a parent pool from which child pools import global settings

• assign a fixed DHCP address to a single client

• configure ping settings for the DHCP server

Excluding Static Addresses

Certain IP addresses in your network may be statically assigned to specific hosts: for example, the router itself, the Ethernet interface, DNS and Web servers, and switches. Often administrators reserve an entire block of addresses for such devices. You must exclude all statically defined addresses from the pool of addresses the router assigns clients.

To specify that a range of addresses cannot be assigned to DHCP clients, move to the global configuration mode context and enter the following command:

Syntax: ip dhcp-server excluded-address <first A.B.C.D> [<last A.B.C.D>]

For example, your organization uses the first ten addresses on a subnet for routers and switches and the second ten for servers. You enter:

ProCurve(config)# ip dhcp-server excluded-address 192.168.1.1 192.168.1.20

You can also exclude a single address:

ProCurve(config)# ip dhcp-server excluded-address 192.168.1.254

Use the no form of this command to remove an IP address from the restricted list.

Creating a DHCP Pool

You should create a DHCP pool for each subnet that connects directly to the ProCurve Secure Router and for which you want the router to act as a DHCP server.

Use the following command to create the pool:

Syntax: ip dhcp-server pool <poolname>

Assign the pool an alphanumeric name meaningful within your network. For example:

ProCurve(config)# ip dhcp-server pool LAN1


The command line interface (CLI) displays Configuring New Pool “<poolname>” and moves you into the DHCP server pool configuration mode context.

You can also edit a pool with the same command. The CLI displays Configuring Existing Pool “<poolname>”.

You can create multiple DHCP server address pools to provide configurations to different segments of the network. If the subnets are contiguous, you can create a parent pool with global settings for all subnets and separate child pools, each with settings particular to an individual subnet. (See “Configuring Parent and Child Pools” on page 13-13.)

From the DHCP server address pool configuration mode context, you configure:

■ subnet address

■ default gateway address

■ lease time

■ DNS server addresses

■ WINS server addresses

■ domain name

Every pool must include a subnet address, default gateway, and lease time. You can accept the default lease time (1 day), but you must configure the subnet address and default gateway. You should also configure at least one DNS server.

Specifying the Network Address and Subnet Mask

You assign a subnet to the DHCP server address pool by specifying the network address and subnet mask:

Syntax: network <network A.B.C.D> <subnet mask | /prefix length>

For example, to specify a private Class C subnet:

ProCurve(config-dhcp)# network 192.168.1.0 255.255.255.0

The DHCP server on the ProCurve Secure Router supports Classless Inter-Domain Routing (CIDR) addresses, so you can enter a bit length for the network address rather than a subnet mask. For example, your organization may have divided the Class B network 172.16.0.0 into sixteen subnets, including 172.16.32.0 /20 and 172.16.48.0 /20. For the first DHCP pool, you would enter:

ProCurve(config-dhcp)# network 172.16.32.0 /20


See the overview in Chapter 11: IP Routing—Configuring Static Routes for more information on network addresses, subnet masks, and prefix lengths.

Note: If you do not specify a subnet mask or prefix length, the server will use the class A, B, or C natural mask associated with the network address. If your LAN does use CIDR network addresses, take care to indicate the correct prefix length; otherwise hosts may end up with an address on the wrong subnet.

Specifying the Default Gateway

A client’s default gateway is the address on its network to which it sends all traffic. The gateway knows how to route and service the traffic. The ProCurve Secure Router acts as the gateway device for the subnets connected through its interfaces.

A DHCP pool’s default gateway, or default router, is the interface through which the clients for the pool connect. This interface is almost always an Ethernet interface. (Although nothing technically prohibits a WAN interface from being a default gateway, it usually has an address on a different network from hosts on a LAN. Even when it does not, it almost always makes more sense to have the Ethernet interface be the gateway for local hosts and a remote device the gateway for clients on the remote network.)

You specify a pool’s default gateway by entering the connected interface’s IP address in the DHCP pool configuration mode context:

Syntax: default-router <A.B.C.D> [<secondary A.B.C.D>]

Another device on the network, such as a second router interface, router, or a routing switch, may also be able to route traffic for the client. You may add an optional address for this secondary device. For example:

ProCurve(config-dhcp)# default-router 192.168.1.1 192.168.1.10

Note: Addresses for both the primary and secondary gateway must be on the subnet defined for the pool using the network command.


Changing a Pool’s Lease Time

Whenever a DHCP server sends a DHCPACK message to a client with its committed IP address and other network configurations, the server includes a lease time. This time puts a limit on how long the client can reserve the address. Temporary leases allow networks to satisfy multiple users with a limited pool of IP addresses. They also allow users to change addresses painlessly as the users change location in the network. Typically, active clients periodically request to keep their addresses before the lease expires so that data transmission is not interrupted.

The default lease time for DHCP pools on the ProCurve Secure Router is one day. This setting suits many environments, allowing clients to keep configurations throughout the workday, but also making it easy for a client to receive a new address when it changes location in the network.

However, subnets for various kinds of users require different lease times. For example, a subnet that provides public access computers, which are randomly used by many different people, may need a shorter lease time. Try not to set the lease shorter than necessary because DHCP exchanges consume bandwidth and router processing resources.

You can configure an individual lease time for each DHCP pool established on the router, according to your organization’s policies. For example, you can set a lease time of 1 hour. From the configuration mode context of the pool, enter:

Syntax: lease <days> <hours> <minutes>

The Secure Router OS always sets the first number entered as the number of days for the lease, the second as hours, and the third as minutes. You must enter a zero to indicate that you are skipping a number. For example, to set a lease time of 15 minutes, enter:

ProCurve(config-dhcp)# lease 0 0 15

You do not have to input zeroes after the last significant number. For example, a lease time of 30 days is specified as:

ProCurve(config-dhcp)# lease 30

See your ProCurve SROS Command Line Interface Reference Guide for valid ranges for lease time.


Specifying DNS, WINS, and Other Servers

DHCP clients often need other configurations besides an IP address. The DHCP server can also issue addresses to clients for the devices that provide various services for the subnet.

DNS Server. A DNS server tracks the IP addresses associated with specific hostnames. It translates a hostname into its IP address in response to requests from DNS clients. Clients need a DNS server so that users can enter hostnames to reach other hosts and browse the Internet. You should designate at least one DNS server for the DHCP client by entering the following command:

Syntax: dns-server <A.B.C.D> [<second A.B.C.D>]

You may specify an optional secondary DNS server by adding a second IP address. For example:

ProCurve(config-dhcp)# dns-server 192.168.1.25 15.3.1.20

WINS (NetBIOS) Server. A WINS server maps computers’ NetBIOS names to IP addresses. It ensures that hosts on the same network do not have the same hostname, and it performs DNS-type services for hosts with dynamic addresses. When a computer changes location in the network, the WINS server automatically updates the entry for its hostname with its new DHCP address.

If your private network uses NetBIOS, you should give the DHCP client the address of the WINS server. Enter:

Syntax: netbios-name-server <A.B.C.D> [<second A.B.C.D>]

You may specify IP addresses for up to two WINS servers.

Other Servers. You can also assign clients a Trivial File Transfer Protocol (TFTP) server and a Network Time Protocol (NTP) server.

Clients download config and software files from TFTP servers.

NTP servers ensure that all clients’ clocks are synchronized, which can be very important for some organizations. If the NTP server is in a different timezone than the DHCP clients, you must set a timezone offset. The range for the offset is -12 to 12. For example, to set an offset for a server 2 hours ahead of the local router, enter timezone-offset -2.


Enter these commands:

Syntax: tftp-server <A.B.C.D>
Syntax: ntp-server <A.B.C.D>
Syntax: timezone-offset <-12 to 12>

Specifying a Domain Name for the Subnet

If your organization wants users to have the organization’s domain name, you should configure the DHCP server to issue this name with the IP address. Specify the domain name for the subnet from the configuration mode context of the corresponding DHCP server pool:

Syntax: domain-name <domain name>

Do not include the period before the name. For example:

ProCurve(config-dhcp)# domain-name procurve.com

Specifying a Bootfile

DHCP clients that do not store the correct boot software on an internal flash drive can receive a bootfile from a TFTP server. If your ProCurve Secure Router serves as the DHCP server for such clients, it should notify these clients:

■ which bootfile to use

■ the address for the TFTP server

Enter this command from the DHCP pool configuration mode context to specify the boot file:

Syntax: bootfile <filename>

Enter the name of a file exactly as it is stored on the TFTP server.

You must also specify the address of the TFTP server. From the DHCP pool configuration mode context, enter this command:

Syntax: tftp-server <A.B.C.D>

For example, enter:

ProCurve(config-dhcp)# bootfile ClientBoot.biz
ProCurve(config-dhcp)# tftp-server 192.168.1.15


Configuring Parent and Child Pools

If your ProCurve Secure Router supports contiguous subnets, you can configure a single parent pool for the range of subnets. In this pool, you would specify settings that apply to all of the subnets, such as domain name, DNS servers, WINS servers, and lease time.

You would then configure child pools, each of which would have its own subnet address and default gateway. The other settings would be automatically imported from the parent pool, saving you time and minimizing opportunities for miskeying a server address.

When you configure a parent pool, you specify the range of subnets by entering the network address bits the subnets have in common followed by the (now shorter) prefix length.

Figuring out the exact number of bits that two subnets have in common involves converting from decimal to binary and can be complicated. The simplest method is to use the address and bit length for the last common octet.

For example, you want to configure a parent pool for subnets 192.168.1.0 /24 and 192.168.2.0 /24. The parent pool network address could be 192.168.0.0 /16.

However, you should be careful using this method, especially when your network uses variable-length subnets.
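The parent prefix can be computed instead of worked out by hand. The following Python sketch is an added example, not part of the original guide: it derives the tightest prefix covering a set of child subnets, compares it with the last-common-octet shortcut described above, and counts how many addresses each candidate parent takes in beyond the child subnets. The function names are illustrative.

```python
import ipaddress


def parse_subnet(text):
    """Accept the guide's 'A.B.C.D /len' notation as well as 'A.B.C.D/len'."""
    return ipaddress.ip_network(text.replace(" ", ""))


def tightest_parent(children):
    """Smallest single network that contains every child subnet."""
    nets = [parse_subnet(c) for c in children]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    # Every bit at or below the highest differing bit must be a host bit,
    # so the common network bits are whatever remains above it.
    prefix = 32 - (low ^ high).bit_length()
    base = (low >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))


def octet_shortcut(children):
    """The shortcut from the text: widen the parent to the last common octet."""
    tight = tightest_parent(children)
    return tight.supernet(new_prefix=tight.prefixlen // 8 * 8)


def unplanned_addresses(parent, children):
    """Addresses inside the parent that belong to none of the child subnets."""
    nets = ipaddress.collapse_addresses(parse_subnet(c) for c in children)
    return parent.num_addresses - sum(n.num_addresses for n in nets)


if __name__ == "__main__":
    examples = (
        ["192.168.1.0 /24", "192.168.2.0 /24"],   # subnets from Figure 13-3
        ["172.16.32.0 /20", "172.16.48.0 /20"],   # variable-length subnets
    )
    for children in examples:
        tight = tightest_parent(children)
        loose = octet_shortcut(children)
        print(children)
        print("  tightest parent:", tight,
              "extra addresses:", unplanned_addresses(tight, children))
        print("  octet shortcut: ", loose,
              "extra addresses:", unplanned_addresses(loose, children))
```

For the two /20 subnets the shortcut yields 172.16.0.0 /16, which spans all sixteen subnets of the Class B network rather than the two intended, which is the variable-length case the caution above refers to.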

Figure 13-3. Example DHCP Pool Configuration

[Diagram: Router A connects to two LANs, 192.168.1.0 /24 and 192.168.2.0 /24. The parent pool is 192.168.0.0 /16 and carries the DNS servers, WINS servers, and lease. One child pool is 192.168.1.0 /24 with gateway 192.168.1.1; the other is 192.168.2.0 /24 with gateway 192.168.2.1. The diagram also shows a WINS server and two DNS servers.]


You do not specify a default router for a parent pool.

You configure the child pools just as you do any DHCP pool, but you only have to configure the subnet address and default router. If you alter a setting, such as the lease time, the configuration in the child pool overrides that in the parent pool.

Example DHCP Pool Configuration

In Figure 13-3, a router connects to two subnets. The figure also shows the network’s DNS and WINS servers. This LAN reserves addresses 1 to 29 on each subnet for various network devices, such as routers, switches, and servers. To configure this router to act as a DHCP server for its local subnets, you would complete these steps:

1. Exclude static addresses:

ProCurve(config)# ip dhcp-server excluded-address 192.168.1.1 192.168.1.29
ProCurve(config)# ip dhcp-server excluded-address 192.168.2.1 192.168.2.29

2. Create the parent pool with global settings:

ProCurve(config)# ip dhcp-server pool Parent
ProCurve(config-dhcp)# network 192.168.0.0 /16
ProCurve(config-dhcp)# dns-server 192.168.1.25 192.168.2.23
ProCurve(config-dhcp)# netbios-name-server 192.168.2.26
ProCurve(config-dhcp)# lease 0 12

3. Create the child pools, each with its own subnet and default gateway:

ProCurve(config-dhcp)# ip dhcp-server pool LAN1
ProCurve(config-dhcp)# network 192.168.1.0 /24
ProCurve(config-dhcp)# default-router 192.168.1.1
ProCurve(config-dhcp)# ip dhcp-server pool LAN2
ProCurve(config-dhcp)# network 192.168.2.0 /24
ProCurve(config-dhcp)# default-router 192.168.2.1

Assigning a Fixed Address to a Host through a DHCP Server

Certain devices should almost always be given static addresses so that routes remain accurate, the network design logical and consistent, and the traffic flow uninterrupted. However, sometimes such a device is also required to take a dynamic address from a DHCP server. You can configure the router to assign a fixed DHCP address to this device.


Also, when you want to assign a particular host a permanent address, sometimes it is better to configure this address through a server, rather than through whatever application is on the host. DHCP automatically tracks addresses so that two devices are not inadvertently given the same address.

To assign a fixed address to a single host:

1. Create a new DHCP server pool with a name indicative of the host.

2. Identify the fixed-address host by its MAC address:

Syntax: hardware-address <MAC address>

For example:

ProCurve(config-dhcp)# hardware-address d2:17:04:91:11:50

3. Specify the IP address for the host. The router automatically assigns the address with its natural mask. If your organization uses variable-length subnetting, make sure to include the subnet mask or prefix length for the host’s subnet:

Syntax: host <A.B.C.D> <subnet mask | /prefix length>

4. Specify the default gateway:

Syntax: default-router <A.B.C.D>

5. Configure other settings such as DNS and WINS servers and a domain name. (See “Specifying DNS, WINS, and Other Servers” on page 13-11). You can also assign the client a name:

Syntax: client-name <name>

For example:

ProCurve(config-dhcp)# client-name LAN2Switch

Configuring DHCP Scopes

The ProCurve Secure Router supports VLAN tagging so that it can receive traffic from more than one VLAN on the same Ethernet interface. Therefore, the ProCurve Secure Router might receive DHCP requests from clients on different subnets on the same physical interface.

You can configure a separate DHCP scope to accommodate each VLAN. Simply configure the DHCP pool with the VLAN’s network address just as you would configure a typical DHCP pool.


After you enable 802.1Q encapsulation (for VLAN tagging) on the Ethernet interface, you can configure Ethernet subinterfaces. You assign the subinterfaces a VLAN ID and an IP address. To configure the DHCP scope, you simply specify that IP address as the default router of the DHCP pool configured for the VLAN.

These are the only configurations that you must make on the ProCurve Secure Router. You can add options for the server addresses and lease time in the same way that you would for any pool. (You would also configure the connecting switch to pass DHCP packets from hosts on a specific VLAN to the address of the corresponding Ethernet subinterface on the router. This configuration ensures that clients receive an address on the correct subnet.)

Figure 13-4. DHCP Scopes with VLANs

[Diagram: Router A connects to Switch B. Subinterface Eth 0/1.1 (10.2.1.1) is the gateway for Scope 1, VLAN 101, 10.2.1.0 /24. Subinterface Eth 0/1.2 (10.3.1.1) is the gateway for Scope 2, VLAN 102, 10.3.1.0 /24.]

In Figure 13-4, Router A connects to Switch B on its Ethernet 0/1 interface. Switch B connects to hosts in VLANs 101 and 102. You enable VLAN tagging on the router so that traffic to both VLANs can be carried over the same cable. You configure IP address 192.168.1.1 /24 on Ethernet subinterface 0/1.1 and IP address 192.168.2.1 /24 on Ethernet subinterface 0/1.2.

You would configure the DHCP scopes as follows:

1. Enable VLAN tagging:

ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# encapsulation 802.1q
ProCurve(config-eth 0/1)# no shutdown

2. Configure the VLAN interfaces:

ProCurve(config-eth 0/1)# interface eth 0/1.1
ProCurve(config-eth 0/1.1)# description Scope 1 interface
ProCurve(config-eth 0/1.1)# vlan-id 101
ProCurve(config-eth 0/1.1)# ip address 10.2.1.1 255.255.255.0
ProCurve(config-eth 0/1.1)# no shutdown
ProCurve(config-eth 0/1.1)# interface eth 0/1.2
ProCurve(config-eth 0/1.2)# description Scope 2 interface
ProCurve(config-eth 0/1.2)# vlan-id 102
ProCurve(config-eth 0/1.2)# ip address 10.3.1.1 255.255.255.0
ProCurve(config-eth 0/1.2)# no shutdown

3. Reserve addresses for the VLAN interfaces and other servers by excluding them from DHCP:

ProCurve(config)# ip dhcp-server excluded-address 10.2.1.1 10.2.1.20
ProCurve(config)# ip dhcp-server excluded-address 10.3.1.1 10.3.1.20

4. Configure a DHCP pool for each VLAN, and set the IP address of the default router to that of the corresponding VLAN interface:

ProCurve(config)# ip dhcp-server pool Scope1
ProCurve(config-dhcp-pool)# network 10.2.1.0 255.255.255.0
ProCurve(config-dhcp-pool)# default-router 10.2.1.1
ProCurve(config-dhcp-pool)# ip dhcp-server pool Scope2
ProCurve(config-dhcp-pool)# network 10.3.1.0 255.255.255.0
ProCurve(config-dhcp-pool)# default-router 10.3.1.1

Configuring the DHCP Server’s Ping Settings

The DHCP server sends ping packets to verify that an address is available before assigning it to a DHCP client. You can configure two settings for DHCP server pings:

■ Timeout—This determines how long the DHCP server waits for a reply to a ping.

■ Ping packet count—The DHCP server pings an address without result this many times before assigning the address to a requesting client.

By default, the router times out a ping after 500 ms and pings an address twice before assuming it is available.

Ping settings apply to DHCP on the router as a whole, not to individual DHCP pools. You configure them from the global configuration mode context.


To change the timeout setting, enter:

Syntax: ip dhcp-server ping timeout <milliseconds>

The valid range is from 10 to 1000 ms.

To change the ping packet count, enter:

Syntax: ip dhcp-server ping packets <count>

The count can be from 0 to 100.

For example, enter:

ProCurve(config-dhcp)# ip dhcp-server ping timeout 700
ProCurve(config-dhcp)# ip dhcp-server ping packets 5

If you do not want the router to use ping packets to check that an address is available, enter 0 for the ping packet count.

Note: You should not rely on the DHCP server’s ping functions to exclude IP addresses that are permanently assigned to devices. If these devices go down, the DHCP server will assume the IP addresses assigned to these devices are available and assign them to clients, which can lead to many problems. A client that takes a server’s address, for example, can congest a network as devices send it requests it cannot fulfill. A client that takes a router address will not be able to route traffic. Always use the ip dhcp-server excluded-address command to exclude statically assigned addresses.

Managing and Troubleshooting the DHCP Server

As you troubleshoot DHCP functions, you will enter show and debug commands. You can enter these commands either from the enable mode context or from configuration mode contexts. If you enter one of these commands from a configuration mode context, you must add do to the command. For example:

ProCurve(config-dhcp)# do show ip dhcp-server binding


Viewing DHCP Client Bindings

The ProCurve Secure Router stores a table of DHCP bindings. In this table, you can view the IP addresses for all active DHCP clients served by the router. This can be helpful for troubleshooting. For example, you can ping a workstation to see if it can respond. Or you can zero in on a host that is flooding a network with messages.

To view the bindings for all DHCP clients supported by the router, enter:

ProCurve# show ip dhcp-server binding

The table displays:

■ IP Address—the committed IP address

■ Client ID—usually a MAC address

■ Lease Expiration—date and time the lease for the address expires

■ Client Name—the user-selected name on the computer or device

Figure 13-5 shows an example of the information that displays when you enter the show ip dhcp-server binding command.

ProCurveSR7102dl# show ip dhcp-server binding
IP Address     Client Id               Lease Expiration       Client Name
172.16.1.4     01:00:50:04:91:ee:19    Aug 27 2004 3:04 PM    HunterPC
172.16.2.28    01:00:01:02:51:c9:f6    Aug 27 2004 3:26 PM    ShanePC
172.16.1.7     01:00:10:4b:a0:df:0a    Aug 27 2004 3:28 PM    TreyPC

Figure 13-5. Viewing DHCP Clients Supported by the Router

(In the figure, the Client Id column is called out as the client’s MAC address and the Client Name column as the user-selected name on the computer or device.)

Monitoring the DHCP Process

When troubleshooting a router’s DHCP functions, it is often helpful to track the DHCP process. (To review this process, refer to “DHCP Request Process” on page 13-3.)

You can view DHCP messages as they arrive on the interface by entering:

ProCurve# debug ip dhcp-server


Caution: Debug messages can tie up the router’s processor. Therefore, you should be very cautious about using them in a live network. You should begin by troubleshooting the host experiencing the problem and rule out a connectivity problem.

In a large network, you should not use DHCP debug messages to fix a problem for a single host. The router may be flooded with DHCP messages from other hosts, and displaying them all could potentially compromise network performance.

DHCP messages generally break down into the steps of the DHCP request process. You can look for a message that repeats several times to determine where the process begins to break down.

View Table 13-1 for a quick guide to what steps you should take when you see a debug message repeat again and again.

Table 13-1. DHCP Debug Messages

Repeated Message | Possible Problem | Best Next Step
Processing Discover message | • There are no addresses available. • The default gateway is on the wrong subnet. | • Check the DHCP client bindings. • Check settings for the pool.
Server sent an Offer to the Client | The client will not accept the address and configurations. | Troubleshoot the host.

Clients Unable to Receive a DHCP Address

If the router continually receives the “Processing Discover Message” event, it is having difficulty preparing an offer for the client. One of the most common reasons for this difficulty is that the server cannot find an available IP address. It is possible that all available addresses are being used (view the DHCP client bindings by entering show ip dhcp-server binding). However, it could be that the default router for the pool is not on the same subnet as the network address, which prevents the router from finding a valid IP address.

View the running-config (show run) and look for the DHCP pool for the clients unable to get an address. This is the pool whose default router is the interface to which the client connects. The address for the network should match the network bits in the default router address.


A router interface must have its primary address on the subnet specified in the pool in order to respond to requests. You should also check that the DHCP network matches the address for the connecting router interface.

Client Receiving the Wrong Fixed DHCP Address

If a host is unable to get the fixed address you configured for it in a single host DHCP pool, or if it receives an address from a different pool, check the running-config. Make sure that you have not excluded the fixed address.
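The pool checks described in this troubleshooting section can be run against a saved configuration before clients start failing. The following Python sketch is an added example, not part of the original guide: it parses the pool and excluded-address commands shown in this chapter and reports a default router outside the pool's subnet, a network entered without a mask (so the natural mask applies), a static gateway address that is not excluded, and a fixed host address that has been excluded. The sample configuration is constructed, the finding names are illustrative, and the layout of real show run output is an assumption.

```python
import ipaddress

# Constructed sample that uses only commands shown in this chapter; the layout
# of real "show run" output may differ (assumption).
SAMPLE_CONFIG = """\
ip dhcp-server excluded-address 192.168.1.1 192.168.1.29
ip dhcp-server excluded-address 172.16.32.1
ip dhcp-server pool LAN1
 network 192.168.1.0 /24
 default-router 192.168.1.1
ip dhcp-server pool Scope2
 network 10.3.1.0 255.255.255.0
 default-router 10.2.1.1
ip dhcp-server pool Eng
 network 172.16.32.0
 default-router 172.16.32.1
ip dhcp-server pool LAN1Switch
 hardware-address d2:17:04:91:11:50
 host 192.168.1.10 /24
 default-router 192.168.1.1
"""


def natural_prefix(addr):
    """Class A, B, or C prefix length used when no mask is entered."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B, or C address")


def parse(config):
    """Return (excluded ranges, pools) from excluded-address and pool commands."""
    excluded, pools, pool = [], {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp-server", "excluded-address"]:
            first = ipaddress.ip_address(words[3])
            last = ipaddress.ip_address(words[4]) if len(words) > 4 else first
            excluded.append((first, last))
        elif words[:3] == ["ip", "dhcp-server", "pool"]:
            pool = pools.setdefault(words[3], {"natural": False, "gateways": []})
        elif pool is not None and words[:1] in (["network"], ["host"]):
            addr = ipaddress.ip_address(words[1])
            if len(words) > 2:
                mask = words[2].lstrip("/")          # "/24" or dotted mask
            else:
                mask, pool["natural"] = natural_prefix(addr), True
            pool["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if words[0] == "host":
                pool["host"] = addr
        elif pool is not None and words[:1] == ["default-router"]:
            pool["gateways"] = [ipaddress.ip_address(w) for w in words[1:]]
    return excluded, pools


def lint(config):
    """Return (pool, finding, detail) tuples for the checks in this section."""
    excluded, pools = parse(config)

    def is_excluded(addr):
        return any(first <= addr <= last for first, last in excluded)

    findings = []
    for name, pool in pools.items():
        net = pool.get("net")
        if net is None:
            findings.append((name, "no-network", "no network or host command"))
            continue
        if pool["natural"]:
            findings.append((name, "natural-mask",
                             f"no mask entered, /{net.prefixlen} applies"))
        # A parent pool has no default router, so an empty list is not flagged.
        for gw in pool["gateways"]:
            if gw not in net:
                findings.append((name, "gateway-off-subnet",
                                 f"{gw} is outside {net}"))
            elif not is_excluded(gw):
                findings.append((name, "gateway-not-excluded",
                                 f"{gw} is not in any excluded range"))
        host = pool.get("host")
        if host is not None and is_excluded(host):
            findings.append((name, "fixed-host-excluded",
                             f"{host} is in an excluded range"))
    return findings


if __name__ == "__main__":
    for pool_name, finding, detail in lint(SAMPLE_CONFIG):
        print(f"{pool_name}: {finding} ({detail})")
```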

Configuring a Router Interface as a DHCP Client

Your service provider may require the router to receive an address from one of its DHCP servers. For example, some Frame Relay providers conserve IP addresses by only assigning them to a PVC endpoint when the PVC is open and active. In this case, you must configure the WAN interface that connects to the provider as a DHCP client.

Ethernet interfaces can also be DHCP clients. For example, the interface could take an address from a server on the local network. When possible, it is a good idea to assign network devices static addresses. However, DHCP does automatically track IP addresses assigned to devices as well as which addresses are still available, relieving IT staff of this task. You can configure the DHCP server to assign the Ethernet interface a fixed DHCP address.

Interfaces that receive a DHCP address can receive other configurations, too. This is particularly useful for interfaces that connect to the Internet. For example, an ATM subinterface can receive the address for a DNS server.

To learn about assigning various types of IP addresses to interfaces, see Chapter 3: Configuring Ethernet Interfaces, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, Chapter 7: ADSL WAN Connections, and Chapter 8: Configuring Demand Routing for Primary ISDN Modules.

To configure an interface as a DHCP client, you must:

■ configure the interface with a dynamic address


You can also:

■ set the interface’s client ID

■ set the interface’s hostname

■ enable the interface to take configurations other than the IP address

Configuring a Dynamic Address

You enable the DHCP client on an individual interface. Interfaces that can act as DHCP clients are:

■ Frame Relay subinterfaces

■ ATM subinterfaces

■ Ethernet interfaces

■ PPP interfaces (only when bridging traffic)

Move to the appropriate interface configuration mode context and enter one of these commands:

Syntax: ip address dhcp [hostname <name> | no-default-route | no-domain-name | no-nameservers]

Syntax: ip address dhcp [client-id {<ethernet <slot>/<port> | HH:HH:HH:HH:HH:HH:HH} | hostname <name>]

You can enter this command without any options to initiate the client with the default client ID and host name:

ProCurve(config-fr 1.101)# ip address dhcp

You will learn more about adding options to the command in “Setting an Interface’s Client ID” on page 13-23, “Setting the Interface’s Hostname” on page 13-24, and “Preventing the Interface from Taking Other Configurations” on page 13-24.

Note: As soon as you enable the DHCP client with this command, the interface sends a Discover message to the server and attempts to take a dynamic address. If you want to configure any of the options discussed below, you must add these options to the command before entering it. Otherwise, the interface will have already received its configurations; you will have to release the address, disable the DHCP client (by entering no ip address dhcp), and re-enter the command with the optional settings.


Setting an Interface’s Client ID

DHCP servers use client identifiers to index their database of address bindings. This database maps clients to their temporary IP addresses and other configurations. A client sends its identifier in its Discover messages. Each client on a subnet must use a unique client identifier. Because MAC addresses are by definition unique, they are most commonly used.

The Secure Router OS automatically populates the client identifier for an interface with the interface’s media type and MAC address. Typically, you should assume that the server accepts this type of ID and not alter it.

You can, however, have a WAN interface use an Ethernet interface’s MAC address. For example, you might want to identify the router using a single MAC address. If your organization later purchases a different module to connect to the provider, you can receive the same IP address. When you configure the interface to take a dynamic address, enter this command:

Syntax: ip address dhcp client-id ethernet <slot>/<port>

You can alternatively manually enter a hexadecimal string for the client identifier.

The client identifier does not have to be based on a MAC address, although it almost always is. In the past, some administrators opted for customized identifiers so that a user could receive the same address even after changing network hardware. You can use a unique identifier instead of a MAC address for this same purpose: you can change how you connect to a service provider without having to negotiate a new address.

Your service provider should inform you what type of identifier it uses. You can then agree upon a unique identifier for your interface, if necessary.

You enter a customized ID as a hexadecimal number or a text string (which the router converts to a hexadecimal value):

Syntax: ip address dhcp client-id [<HH:HH:HH:HH:HH:HH:HH> | <text string>]

If you enter a hexadecimal number, you must enter seven numbers separated by colon delimiters. For example:

ProCurve(config-atm 1.102)# ip address dhcp client-id 0f:ff:ff:ff:ff:ff:ff


Setting the Interface’s Hostname

If necessary, you can change the hostname for the single interface only. For example, you could register for a hostname with a dynamic DNS service. (See Chapter 12: Domain Name System (DNS) Services.) You could then ask your ISP to advertise this hostname, which you specify with the following command:

Syntax: ip address dhcp hostname “<name>”

You should put quotation marks around the hostname. For example:

ProCurve(config-fr 1.101)# ip address dhcp hostname “procurve”

Note: Remember that you must override client identifiers and hostnames at the same time that you enable the DHCP client. For example:

ProCurve(config-fr 1.101)# ip address dhcp client-id eth 0/1 hostname “procurve”

Preventing the Interface from Taking Other Configurations

One of the advantages for an interface that receives a DHCP address is that it can receive other configurations as well. This can be particularly useful for connections to the Internet. The interface can receive an IP address and DNS server address at the same time.

Interfaces running the DHCP client can receive these configurations:

■ a default route

■ a domain name

■ a DNS server

However, the seeming advantage also poses risks. For example, when a router has more than one WAN connection, the default route should not always be to the server providing the temporary address. Some organizations prefer to control their own settings for routing, domain names, and DNS, rather than relying on a remote or foreign device.

If you want to prevent the interface from taking configurations other than an IP address, you must do so before you activate the DHCP client.


Move to the interface configuration mode context. Then enter the ip address dhcp command with the keyword for the configuration that you do not want the router to accept:

Syntax: ip address dhcp [no-default-route | no-domain-name | no-name-servers]

To disable more than one configuration, string the keywords together in the same command. For example, enter:

ProCurve(config-fr 1.1)# ip address dhcp no-default-route no-domain-name

Note: You must trust the DHCP server and be absolutely clear on what configurations it will send the interface. An incorrect domain name and default route could disrupt the entire network.

If the interface has already received configurations that it should not have, you must release the address. Enter no ip address dhcp, and re-enter the command with the keywords to reject the configurations.

Configuring a Static Hostname for an Interface with a Dynamic Address

Your organization may have a device behind the ProCurve Secure Router that remote users should be able to reach. For example, customers may need to access your Web server.

Often, a Web server’s address is linked to the public IP address on a router interface using Network Address Translation (NAT). If the router’s interface changes IP address, the entry for the Web server in the DNS servers’ host tables will no longer be correct. Users will no longer be able to reach the device.

When an interface receives a dynamic IP address from an ISP, its IP address may change relatively frequently or without warning. In this situation, you should run dynamic DNS on the router interface to ensure that customers can always reach a device when they enter its hostname.

The ProCurve Secure Router supports a client that works with Dynamic Networking Services, Inc. (DynDNS). After you register a hostname with DynDNS, the dynamic DNS client automatically informs DynDNS whenever the associated interface’s IP address changes. DynDNS propagates the change throughout its DNS servers so that you do not lose connectivity with your customers.

See Chapter 12: Domain Name System (DNS) Services to learn how to configure dynamic DNS.


Managing and Troubleshooting the DHCP Client

You should carefully monitor interfaces with dynamic addresses to ensure that they have an address and are using the proper configurations.

Viewing the Interface’s Lease

To view the active DHCP client leases on the router, enter:

ProCurve# show ip dhcp-client lease

The CLI displays all interfaces with dynamic addresses. For each interface, it lists:

■ Temp IP address—the dynamic address

■ DHCP lease server

■ Lease—total time for the lease

■ Temp default gateway address

■ Client ID—typically, based on the MAC address

■ Primary DNS server

Figure 13-6 shows an example of a DHCP lease for an Ethernet 0/1 interface.

ProCurve# show ip dhcp-client lease
Interface: Ethernet 0/1
 Temp IP address: 192.168.10.2, Mask: 255.255.255.0
 DHCP Lease server: 192.168.10.1, State: Bound (3)
 Lease: 86400 seconds
 Temp default gateway address: 192.168.10.1
 Temp Primary DNS: 10.1.1.1
 Temp Secondary DNS: 0.0.0.0
 Client-ID: 01:00:12:79:05:25:B0

Figure 13-6. Viewing Dynamic Configurations for Router Interfaces

If you see that the interface has received a configuration that it should not have, such as a default route, you will have to restart the DHCP client. Follow these steps:

1. Move to the configuration mode context for the DHCP client interface:

ProCurve(config)# interface frame-relay 1.101


2. Turn off the DHCP client:

ProCurve(config)# no ip address dhcp

This command disables the DHCP client on the interface, which then immediately sends a message to release its DHCP-assigned address.

3. Re-enter the ip address dhcp command with the keywords for preventing the interface from taking optional configurations. For example:

ProCurve(config)# ip add dhcp no-default-route no-domain-name no-name-servers
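The lease check described in this section can be scripted. The following Python sketch is an added example, not part of the ProCurve guide: it parses output in the format of Figure 13-6 and reports any interface that took a default route, name server, lease server, or client ID that your policy does not allow. The policy structure, the second sample interface, and the reading of 0.0.0.0 as "nothing supplied" are assumptions.

```python
import ipaddress
import re

# Constructed sample: the first interface copies Figure 13-6; the second is
# invented for illustration (documentation range 203.0.113.0/24).
SAMPLE_LEASE_OUTPUT = """\
ProCurve# show ip dhcp-client lease
Interface: Ethernet 0/1
 Temp IP address: 192.168.10.2, Mask: 255.255.255.0
 DHCP Lease server: 192.168.10.1, State: Bound (3)
 Lease: 86400 seconds
 Temp default gateway address: 192.168.10.1
 Temp Primary DNS: 10.1.1.1
 Temp Secondary DNS: 0.0.0.0
 Client-ID: 01:00:12:79:05:25:B0
Interface: Ethernet 0/2
 Temp IP address: 203.0.113.20, Mask: 255.255.255.0
 DHCP Lease server: 203.0.113.1, State: Bound (3)
 Lease: 3600 seconds
 Temp default gateway address: 203.0.113.1
 Temp Primary DNS: 203.0.113.53
 Temp Secondary DNS: 0.0.0.0
 Client-ID: 01:00:12:79:05:25:B1
"""

FIELD_RE = re.compile(r"\s*([^:,]+):\s*([^,]+)")
UNSET = ipaddress.ip_address("0.0.0.0")  # assumption: shown when nothing was supplied


def ips(*addrs):
    """Build a set of address objects for use in a policy entry."""
    return {ipaddress.ip_address(a) for a in addrs}


# Hypothetical policy: what each DHCP client interface is allowed to accept.
SAMPLE_POLICY = {
    "Ethernet 0/1": {"lease_servers": ips("192.168.10.1"), "accept_default_route": True,
                     "dns_servers": ips("10.1.1.1"), "client_id": "01:00:12:79:05:25:b0"},
    "Ethernet 0/2": {"lease_servers": ips("203.0.113.1"), "accept_default_route": False,
                     "dns_servers": set(), "client_id": "01:00:12:79:05:25:b1"},
}


def parse_leases(text):
    """Return {interface name: {field: value}} from the lease display."""
    leases, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            current = line.split(":", 1)[1].strip()
            leases[current] = {}
        elif current is not None:
            # A line may hold several "key: value" pairs separated by commas.
            for key, value in FIELD_RE.findall(line):
                leases[current][key.strip()] = value.strip()
    return leases


def lease_addr(lease, key):
    return ipaddress.ip_address(lease.get(key, "0.0.0.0"))


def audit_leases(leases, policy):
    """Return (interface, check, offending value) for every policy violation."""
    findings = []
    for ifname, lease in leases.items():
        rules = policy.get(ifname)
        if rules is None:
            findings.append((ifname, "unexpected-dhcp-client", ""))
            continue
        server = lease_addr(lease, "DHCP Lease server")
        if server not in rules["lease_servers"]:
            findings.append((ifname, "lease-server", str(server)))
        gateway = lease_addr(lease, "Temp default gateway address")
        if gateway != UNSET and not rules["accept_default_route"]:
            findings.append((ifname, "default-route", str(gateway)))
        for key in ("Temp Primary DNS", "Temp Secondary DNS"):
            dns = lease_addr(lease, key)
            if dns != UNSET and dns not in rules["dns_servers"]:
                findings.append((ifname, "name-server", str(dns)))
        if lease.get("Client-ID", "").lower() != rules["client_id"].lower():
            findings.append((ifname, "client-id", lease.get("Client-ID", "")))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(parse_leases(SAMPLE_LEASE_OUTPUT), SAMPLE_POLICY):
        print(finding)
```

A "default-route" or "name-server" finding corresponds to the condition that steps 1 through 3 above correct.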

Releasing and Renewing Dynamic Addresses

You can force an interface to give up the address it has received from a server. Move to the interface configuration mode context for the DHCP client interface and enter:

ProCurve(config-eth 0/1)# ip dhcp release

Note: Take care when releasing an address; you could inadvertently lock yourself out of the router. If you are managing the ProCurve Secure Router with a Telnet or Web connection through that interface, your session will be immediately terminated. You will not be able to reconnect until a DHCP server issues another IP address to the interface.

You should then force the interface to request a new address:

ProCurve(config-eth 0/1)# ip dhcp renew

Alternatively, you can configure a static address on the interface.

You should only have to manually force the interface to renew its lease after releasing an address. The DHCP client will periodically request to keep its address so that data flow is not disrupted.

Monitoring DHCP Client Activity

If the interface will not take a dynamic address, you should track the DHCP request process to determine what is going wrong. (For more information on this process, refer to “DHCP Request Process” on page 13-3.)

To view real-time DHCP client messages, enter:

ProCurve# debug ip dhcp-client


Caution: Debug messages can tie up the router’s processor and compromise the network’s functions. Therefore, you should take care when using them with active networks.

Before you run debug messages, you should verify that the interface is up and double-check your client ID.

Scan the debug messages. The interface should produce debug messages such as those shown in Figure 13-7:

ProCurve# debug ip dhcp-client
2005.07.08 19:15:23 DHCP.CLIENT Loading timer 1 with 1 seconds
2005.07.08 19:15:23 DHCP.CLIENT Loading timer 2 with 3
2005.07.08 19:15:24 DHCP.CLIENT Timer 1 Expired
2005.07.08 19:15:24 DHCP.CLIENT Sending Discover Message: Xid = 34681764
2005.07.08 19:15:24 DHCP.CLIENT Loading timer 1 with 3 seconds
2005.07.08 19:15:24 DHCP.CLIENT Current State = Selecting
2005.07.08 19:15:25 DHCP.CLIENT Processing Offer Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Sending Request Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 1 with 2 seconds
2005.07.08 19:15:25 DHCP.CLIENT Current State = Requesting
2005.07.08 19:15:25 DHCP.CLIENT Processing Ack Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 1 with 43200 seconds
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 2 with 64800 seconds
2005.07.08 19:15:25 DHCP.CLIENT Current State = Bound

Figure 13-7. An Interface Successfully Receiving a Dynamic Address

When the DHCP client’s state is “Bound,” the interface has received the address. The client sets two timers, which expire before the lease does. When these timers expire, the client requests to keep its address.

Usually, problems with the DHCP client occur after sending a Discover message. The server does not return an Offer message, and so the interface continues sending out Discover message after Discover message. The state toggles between “Selecting” and “Init.”

Causes for this condition include:

■ the interface is down

■ the interface’s client identifier does not match that expected by the DHCP server

■ the server has no available addresses


An individual interface does not have to be up with an active network link for the router to run the DHCP client. Before looking for problems with the DHCP client configuration, make sure that the interface is up with the show interfaces command.

If the status is “administratively down,” move to the configuration mode context for the interface and enter no shutdown. If the status is down, troubleshoot the interface. (See Chapter 3: Configuring Ethernet Interfaces, Chapter 4: Configuring E1 and T1 Interfaces, Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces, Chapter 7: ADSL WAN Connections, and Chapter 8: Configuring Demand Routing for Primary ISDN Modules.)

You can also try pinging the DHCP server to test connectivity.

Once you have determined that the interface can actually reach the DHCP server, you should troubleshoot the client configuration.

You can view the client ID in the configuration for the client interface (by entering, for example, show run int fr 1.100). If you are using a customized identifier, you can try returning to the default MAC address. For example, enter:

ProCurve(config-eth 0/1)# no ip add dhcp

ProCurve(config-eth 0/1)# ip add dhcp

If the default ID does not work, you should check with the service provider or other entity administering the DHCP server to find out what identifier it expects from the router.

If the problem is at the service provider’s end, then you will have to wait for your ISP to resolve the problem.
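The debug output discussed in this section can be classified automatically. The following Python sketch is an added example, not part of the ProCurve guide: it reads messages in the format of Figure 13-7, reports whether the client reached “Bound” or is repeating Discover messages without an Offer, and flags any reply whose Xid does not match the request the client sent. The failing log, the threshold of three unanswered Discovers, and the verdict names are assumptions.

```python
import re

# Transcribed from Figure 13-7 (successful exchange).
GOOD_LOG = """\
2005.07.08 19:15:23 DHCP.CLIENT Loading timer 1 with 1 seconds
2005.07.08 19:15:24 DHCP.CLIENT Timer 1 Expired
2005.07.08 19:15:24 DHCP.CLIENT Sending Discover Message: Xid = 34681764
2005.07.08 19:15:24 DHCP.CLIENT Current State = Selecting
2005.07.08 19:15:25 DHCP.CLIENT Processing Offer Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Sending Request Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Current State = Requesting
2005.07.08 19:15:25 DHCP.CLIENT Processing Ack Message: Xid = 34681764
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 1 with 43200 seconds
2005.07.08 19:15:25 DHCP.CLIENT Loading timer 2 with 64800 seconds
2005.07.08 19:15:25 DHCP.CLIENT Current State = Bound
"""

# Constructed for illustration: the server never answers, so the state
# toggles between Selecting and Init as the text describes.
NO_OFFER_LOG = """\
2005.07.08 19:20:01 DHCP.CLIENT Sending Discover Message: Xid = 40000001
2005.07.08 19:20:01 DHCP.CLIENT Current State = Selecting
2005.07.08 19:20:04 DHCP.CLIENT Current State = Init
2005.07.08 19:20:05 DHCP.CLIENT Sending Discover Message: Xid = 40000002
2005.07.08 19:20:05 DHCP.CLIENT Current State = Selecting
2005.07.08 19:20:09 DHCP.CLIENT Current State = Init
2005.07.08 19:20:10 DHCP.CLIENT Sending Discover Message: Xid = 40000003
2005.07.08 19:20:10 DHCP.CLIENT Current State = Selecting
"""

# Causes listed in the guide for a client that never receives an Offer.
NO_OFFER_CAUSES = (
    "the interface is down",
    "the client identifier does not match that expected by the DHCP server",
    "the server has no available addresses",
)

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) DHCP\.CLIENT (.+)$")
MSG_RE = re.compile(r"^(Sending|Processing) (\w+) Message: Xid = (\d+)$")
STATE_RE = re.compile(r"^Current State = (\w+)$")


def analyze_dhcp_client_debug(text, max_unanswered=3):
    """Summarize a debug capture: final state, unanswered Discovers, Xid mismatches."""
    state, pending_xid, unanswered, mismatched = None, None, 0, []
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                      # prompt echo or unrelated output
        timestamp, message = line.groups()
        new_state = STATE_RE.match(message)
        if new_state:
            state = new_state.group(1)
            continue
        event = MSG_RE.match(message)
        if not event:
            continue                      # timer messages
        direction, kind, xid = event.groups()
        if direction == "Sending":
            pending_xid = xid             # replies must echo this transaction ID
            if kind == "Discover":
                unanswered += 1
        elif xid != pending_xid:
            mismatched.append((timestamp, kind, xid))
        elif kind == "Offer":
            unanswered = 0
    if state == "Bound":
        verdict = "bound"
    elif unanswered >= max_unanswered:
        verdict = "no-offer"
    else:
        verdict = "in-progress"
    return {"verdict": verdict, "final_state": state,
            "unanswered_discovers": unanswered, "xid_mismatches": mismatched,
            "check": NO_OFFER_CAUSES if verdict == "no-offer" else ()}


if __name__ == "__main__":
    print(analyze_dhcp_client_debug(GOOD_LOG))
    print(analyze_dhcp_client_debug(NO_OFFER_LOG))
```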


Configuring DHCP Relay

DHCP relies on clients being able to reach a server by broadcasting a request. The DHCP request is limited by being broadcast to the application port for DHCP (the BOOTPS port, 67). Limited broadcasts propagate only throughout the local subnet. If the client is not on the same subnet as the server, the broadcast will not reach the server.

However, your network does not need a separate DHCP server on each subnet (or VLAN). You can configure network devices to forward DHCP requests from directly connected hosts to a server on a different network. This function is sometimes called DHCP relay.

Often a switch will perform DHCP relay for the local hosts. However, if your router may receive DHCP requests from hosts, you should configure it to forward these requests to the appropriate DHCP server. For example, the router may need to forward DHCP requests to a remote server so that hosts at a site that does not have a DHCP server can receive IP addresses and other necessary configurations.

To enable DHCP relay, you configure the router to forward packets received on the DHCP application port to a helper address.

Note: You cannot configure the router to forward DHCP requests if the router itself is acting as a DHCP server.

To configure the router to forward DHCP packets, move to the global configuration mode context and enter this command:

Syntax: ip forward-protocol udp bootps

Next, set the address of the helper address. The helper address is the address of the DHCP server or a device on the same subnet as the server. Set this address from the configuration mode context of the interface that connects to the clients:

Syntax: ip helper-address <A.B.C.D>


You can set different helper addresses for different interfaces. For example, if your LAN uses different servers for different subnets, you could configure the router to forward DHCP requests received on one Ethernet (or VLAN) interface to one address and requests received on another interface to a different address.

For example:

ProCurve(config)# interface eth 0/1

ProCurve(config-eth 0/1)# ip helper-address 10.1.1.1

ProCurve(config-eth 0/1)# interface eth 0/2

ProCurve(config-eth 0/2)# ip helper-address 10.2.1.1

The router does not simply forward the DHCP packets. It also examines them, checks their validity, and adds any appropriate changes, such as the IP address of the interface that received the packets. The remote server uses this address to determine from which pool it should select the IP address that it offers to the client.

For example, an Ethernet interface with the IP address 192.168.1.1 /24 receives a DHCP packet and forwards it to a remote server. The server searches its database for a DHCP pool for the 192.168.1.0 /24 network and returns an offer for IP address 192.168.1.36 to the local router at 192.168.1.1. The local router then forwards this offer to the client.
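The relay behavior described above can be shown at the packet level. The following Python sketch is an added example, not part of the ProCurve guide and not the router's own code: a relay validates a client broadcast and writes the receiving interface's address into the BOOTP giaddr field, and a server uses that field to choose a pool. The specific validity checks and the hop limit follow general BOOTP relay practice (RFC 1542) and are assumptions about this router; the pool names are hypothetical.

```python
import ipaddress
import struct

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (RFC 951 / RFC 2131).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)       # 236 bytes
MAGIC_COOKIE = bytes([99, 130, 83, 99])      # marks the start of DHCP options
ZERO_IP = bytes(4)
BOOTREQUEST = 1

# Hypothetical server pools; the /24 matches the example in the text.
SAMPLE_POOLS = {
    "parent": ipaddress.ip_network("192.168.0.0/16"),
    "lan1": ipaddress.ip_network("192.168.1.0/24"),
    "lan2": ipaddress.ip_network("192.168.2.0/24"),
}


def build_discover(xid, mac):
    """Constructed client broadcast: BOOTREQUEST with DHCP option 53 = Discover."""
    header = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, mac, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay_request(packet, rx_interface_ip, max_hops=4):
    """Validate a client request and return the copy forwarded to the helper address."""
    if len(packet) < BOOTP_LEN + len(MAGIC_COOKIE):
        raise ValueError("truncated BOOTP/DHCP packet")
    if packet[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    op, hops, giaddr = fields[0], fields[3], fields[10]
    if op != BOOTREQUEST:
        raise ValueError("not a client request")
    if hops >= max_hops:
        raise ValueError("hop limit reached")   # assumption: configurable limit
    fields[3] = hops + 1
    if giaddr == ZERO_IP:
        # First relay on the path: record the interface that heard the client.
        fields[10] = ipaddress.ip_address(rx_interface_ip).packed
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def select_pool(packet, pools):
    """Server side: pick the most specific pool that contains giaddr."""
    giaddr = ipaddress.ip_address(packet[24:28])
    matches = [(net.prefixlen, name) for name, net in pools.items() if giaddr in net]
    # giaddr 0.0.0.0 means the request was not relayed; no pool is chosen here.
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    discover = build_discover(0x34681764, bytes.fromhex("d21704911150"))
    relayed = relay_request(discover, "192.168.1.1")
    print(ipaddress.ip_address(relayed[24:28]), select_pool(relayed, SAMPLE_POOLS))
```

A second relay on the path leaves a non-zero giaddr unchanged, so the server still selects the pool for the client's own subnet.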


Quick Start

This section provides the commands you must enter to quickly configure:

■ the router to act as a DHCP server for a subnet

■ the router to assign a fixed DHCP address to a single host

■ a router interface to act as a DHCP client

Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 13-1 to locate the section that contains the explanation you need.

Table 13-2. DHCP Server Settings

| Configurations | Parameters | Your Setting |
|---|---|---|
| network’s static IP addresses | first address in range | |
| | last address in range | |
| | other static address | |
| parent pool for a range of subnets (optional) | pool name | |
| | range of subnets and prefix length for range | |
| DHCP pool for a subnet | pool name | |
| | subnet address and mask (or prefix length) | |
| | default gateway | |
| servers | primary DNS server | |
| | secondary DNS server | |
| | primary WINS (NetBIOS) server | |
| | secondary WINS (NetBIOS) server | |
| | TFTP server | |
| | NTP server | |
| other configurations | lease in days, hours, and minutes | |
| | domain name | |
| | timezone offset | |

Configuring a DHCP Server for a Network

If you so choose, you can print and fill out Table 13-2 and refer to it while configuring the DHCP server on your router.

Figure 13-8 illustrates a simplified example of a router acting as a DHCP server for two local networks.

[Figure: a router connected to LAN 1 (192.168.32.0 /19) and LAN 2 (192.168.64.0 /19), with a .1 label on each connection]

Figure 13-8. Example DHCP Network

1. Move to the global configuration mode context and exclude all static addresses on DHCP subnets.

Syntax: ip dhcp-server excluded <A.B.C.D>

You can also exclude a range of addresses.

Syntax: ip dhcp-server excluded <first A.B.C.D> <last A.B.C.D>

2. If you are configuring DHCP for a range of subnets, create a parent DHCP server pool from the global configuration mode context. Otherwise, move to step 5.

Syntax: ip dhcp-server pool <parent poolname>


3. Specify the range of subnets for the parent pool.

Syntax: network <network A.B.C.D> <subnet mask | /prefix length>

For example:

ProCurve(config-dhcp)# network 192.168.0.0 /16

4. Specify optional global settings such as DNS servers, WINS servers, and lease time.

Syntax: dns-server <A.B.C.D> <secondary server A.B.C.D>

Syntax: netbios-name-server <WINS server A.B.C.D> <secondary server A.B.C.D>

Syntax: lease <days> <hours> <minutes>

Syntax: tftp-server <A.B.C.D>

Syntax: ntp-server <A.B.C.D>

Syntax: timezone-offset <-12 to 12>

Syntax: domain-name <domain>

5. Create a DHCP server pool for an individual subnet.

ProCurve(config)# ip dhcp-server pool <poolname>

6. Specify the subnet address and subnet mask for the pool.

Syntax: network <network A.B.C.D> <subnet mask | /prefix length>

Use a prefix length for variable length networks. For example:

ProCurve(config-dhcp)# network 192.168.32.0 /19

7. Specify the default gateway.

Syntax: default-router <gateway A.B.C.D>

For example:

ProCurve(config-dhcp)# default-router 192.168.32.1

8. If you did not do so in a parent pool, specify a primary DNS server.

Syntax: dns-server <A.B.C.D>

9. You can also configure settings such as addresses for other servers and lease time. See step 4. (The settings in the pool with the most specific network address override settings in any parent pool.)

Assigning a Fixed DHCP Address to a Single Host

If you so choose, you can print and fill out Table 13-3 and refer to it while configuring the pool for the single host.


Table 13-3. Settings for Assigning a Host a Fixed Address

| Configuration | Parameter | Your Setting |
|---|---|---|
| host DHCP Pool | pool name | |
| | host MAC address | |
| | fixed IP address | |
| | default gateway IP address | |
| servers | primary DNS server | |
| | secondary DNS server | |
| | primary WINS (NetBIOS) server | |
| | TFTP server | |
| | NTP server | |
| other configurations | lease in days, hours, and minutes | |
| | client name | |
| | domain name | |
| | timezone offset | |

1. Move to the global configuration mode context and create a DHCP client pool for the host.

Syntax: ip dhcp-server pool <poolname>

2. Identify the host by its MAC address.

Syntax: hardware-address <MAC address>

For example:

ProCurve(config-dhcp)# hardware-address d2:17:04:91:11:50

3. Specify the IP address for the host, including its subnet mask. If your organization uses variable-length subnetting, be particularly careful to enter the correct subnet mask or prefix length.

Syntax: host <fixed A.B.C.D> <subnet mask | /prefix length>

4. Specify the default gateway.

Syntax: default-router <gateway A.B.C.D>


5. Configure other necessary settings such as servers and a domain name. You can also assign the client a name.

Syntax: dns-server <DNS server A.B.C.D> <secondary DNS server A.B.C.D>

Syntax: netbios-name-server <WINS server A.B.C.D> <secondary WINS server A.B.C.D>

Syntax: lease <days> <hours> <minutes>

Syntax: tftp-server <TFTP server A.B.C.D>

Syntax: ntp-server <NTP server A.B.C.D>

Syntax: timezone-offset <-12 to 12>

Syntax: client-name <name>

Syntax: domain-name <name>

Configuring a Router Interface as a DHCP Client

The following interfaces can take dynamic addresses:

■ Ethernet interfaces

■ Frame Relay subinterfaces

■ ATM subinterfaces

■ bridged PPP interfaces

You can fill in the settings for the interface on your router in Table 13-4.

Table 13-4. DHCP Client Settings

| Configuration | Parameter | Your Setting |
|---|---|---|
| interface | <slot>/<port> (for Ethernet) | |
| | subinterface number (for Frame Relay or ATM) | |
| | interface number (for bridged PPP) | |
| hostname | | |
| client ID | | |

1. Move to the interface configuration mode context. For example:

ProCurve(config)# int fr 1.101


2. Configure the router to take a dynamic address from a server.

Syntax: ip address dhcp

a. For a default configuration, simply enter the command without any options. For example:

ProCurve(config-fr 1.101)# ip address dhcp

b. You may not want the interface to take its default gateway, domain name, or DNS servers from the DHCP server. In this case, enter the ip address dhcp command with one or more of the following options:

Syntax: ip address dhcp [hostname <name> | no-default-route | no-domain-name | no-nameservers]

c. You should usually accept the default ID generated from the interface’s MAC address. However, you can configure a customized client ID. You can also configure a hostname for the interface that is different from the router’s hostname. Enter the ip address dhcp command with one of these options:

Syntax: ip address dhcp [client-id {<ethernet <slot>/<port> | HH:HH:HH:HH:HH:HH:HH} | hostname <name>]

For example, enter:

ProCurve(config-fr 1.101)# ip address dhcp client-id 0f:ff:ff:ff:ff:ff:ff


14

Using the Web Browser Interface for Basic Configuration Tasks

Contents

Configuring Access to the Web Browser Interface
Enabling Access to the Web Browser Interface
Managing Files, Firmware, Boot Software, and the AutoSynch™ Function
The AutoSynch™ Feature
Configuration
Firmware
Reboot Unit
Telnet to Unit
Enabling IP Services on the Router
Web Access Configuration
Configuring Passwords to Control Management Access to the Router
Encrypting All the Passwords
Configuring a Local User List: Passwords for Web, SSH, and FTP Access
Configuring an Enable Mode Password
Configuring a Password for Telnet Access
Configuring a Password for Console Access
Configuring a Password for SSH Access
Configuring a Password for HTTP Access
Configuring a Password for FTP Access
Using the AAA Subsystem to Control Management Access
Configuring Authentication Using a RADIUS Server
Configuring Authentication Using a TACACS+ Server
Configuring Ethernet Interfaces
IP Settings
Dynamic DNS
Secondary IP Settings
Ethernet Interface Statistics
Releasing/Renewing a DHCP IP Address
Configuring PPPoE for the Ethernet Interface
Dynamic DNS
Secondary IP Settings
View Statistics for the PPP Interface
Configuring E1 and T1 Interfaces
Status Information
Configuring a Serial Interface for an E1- or T1-Carrier Line
Status Information
Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces
Configure PPP as the Data Link Layer Protocol
IP Settings
Dynamic DNS
Secondary IP Settings
Status Information
PPP Authentication
Requiring a Peer to Authenticate Itself to the Local Router
Configuring the Local Router to Authenticate Itself to a Peer
Configure Frame Relay as the Data Link Layer Protocol
Configure a Permanent Virtual Circuit (PVC)
Configure IP Settings
Configure Dynamic DNS
Status Information
Configure HDLC as the Data Link Layer Protocol
IP Settings

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-59

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-60


Configuring ADSL Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-61

Configure an ATM Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63

Configure the ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-63

Configuring ATM Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-66

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-68

Configuring PPPoE or PPPoA for the ADSL Connection . . . . . . . . 14-68

Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70

Secondary IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-70

View Statistics for the PPP Interface . . . . . . . . . . . . . . . . . . . . . . 14-70

ISDN Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-71

E1 + G.703 and T1 + DSX-1 Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-74

Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-76

Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77

Configuring Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-77

Configuring the Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . 14-80

Viewing a Spanning Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-81

Setting Global Spanning Tree Parameters . . . . . . . . . . . . . . . . . 14-82

Configuring Spanning Tree Settings for Individual Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-84

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86

Configuring a Static Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-86

Configuring a Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-88

DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89

Configuring DNS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-89

Configuring Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-91

Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94

Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-94

Configuring a DHCP Pool for a Subnet . . . . . . . . . . . . . . . . . . . . 14-95

Assigning a Single Host a Fixed Address . . . . . . . . . . . . . . . . . . 14-97

Configuring an Interface as a DHCP Client . . . . . . . . . . . . . . . . . . . . 14-98

Configuring UDP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14-100


Configuring Access to the Web Browser Interface

You can use the Web browser interface to configure interfaces on your router. To access the Web browser interface, you must first use the command line interface (CLI) to enable the HTTP server on the ProCurve Secure Router and to configure a username and password for HTTP access.

You must also configure at least one interface on the ProCurve Secure Router and establish a connection through which you can send HTTP traffic. For example, if you want to access the router from a workstation on your WAN, you must configure the Ethernet interface and establish a connection between it and your LAN. (For information about setting up an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.)

Enabling Access to the Web Browser Interface

From the global configuration mode context, enter:

ProCurveSR7102dl(config)# ip http server

If you want to use Secure Sockets Layer (SSL) to protect the communication between your PC and the router, enter:

ProCurveSR7102dl(config)# ip http secure-server

You must then configure a username and password, which will also be used for HTTP, Secure Shell (SSH), and FTP access. From the global configuration mode context, enter:

Syntax: username <username> password <password>

Both the username and password can be an alphanumerical string up to 30 characters in length. In addition, both are case-sensitive.

After configuring the ProCurve Secure Router for HTTP access, open an Internet browser and enter the IP address assigned to the router interface through which you want to establish an HTTP session. For example, if you want to access the router from your LAN and the IP address of the Ethernet 0/1 interface is 192.168.1.1, you would enter: http://192.168.1.1. You will be prompted to enter the username and password that you configured for HTTP access.
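The following check is an added example, not part of this guide or of the Secure Router OS: it audits a saved configuration for the HTTP access settings described above and masks the passwords before the file is shared. The sample configuration is constructed, and the one-command-per-line layout and the leading "no" form for disabling a command are assumptions.

```python
import re

# Constructed sample, not taken from a real router. Assumption: a saved
# configuration holds one CLI command per line, exactly as typed at (config)#.
SAMPLE_CONFIG = """\
hostname HQRouter
ip http server
username admin password Secret123
username ops password hunter2!
username backup password backup
"""

# "username <username> password <password>" is the syntax given in the guide.
USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+(\S+)$")
MAX_LEN = 30  # documented limit for both username and password


def parse_management_settings(config_text):
    """Collect the web-server switches and local users from a configuration."""
    settings = {"http": False, "https": False, "users": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        # Assumption: a leading "no " disables a command, as in similar CLIs.
        negated = line.startswith("no ")
        command = line[3:].strip() if negated else line
        if command == "ip http server":
            settings["http"] = not negated
        elif command == "ip http secure-server":
            settings["https"] = not negated
        else:
            match = USER_RE.match(command)
            if match and not negated:
                settings["users"].append(match.groups())
    return settings


def audit(config_text):
    """Return (severity, message) findings about web management access."""
    s = parse_management_settings(config_text)
    findings = []
    if s["http"] and not s["https"]:
        findings.append(("high", "ip http server is enabled without ip http "
                         "secure-server: logins are not protected by SSL"))
    elif s["http"]:
        findings.append(("medium", "ip http server is still enabled next to "
                         "ip http secure-server: http:// logins stay possible"))
    if (s["http"] or s["https"]) and not s["users"]:
        findings.append(("info", "web server enabled but no username is "
                         "configured for HTTP access"))
    for name, password in s["users"]:
        for label, value in (("username", name), ("password", password)):
            ok = value.isascii() and value.isalnum() and len(value) <= MAX_LEN
            if not ok:
                findings.append(("low", f"{label} for {name!r} is outside the "
                                 "documented form (alphanumeric, up to 30 "
                                 "characters)"))
        # Both values are case-sensitive on the router, so compare exactly.
        if password == name:
            findings.append(("high", f"password for {name!r} equals the "
                             "username; it also grants SSH and FTP access"))
    return findings


def redact(config_text):
    """Mask passwords so a saved configuration can be shared or archived."""
    out = []
    for raw in config_text.splitlines():
        match = USER_RE.match(raw.strip())
        out.append(f"username {match.group(1)} password <redacted>"
                   if match else raw)
    return "\n".join(out)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
    print(redact(SAMPLE_CONFIG))
```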


Managing Files, Firmware, Boot Software, and the AutoSynch™ Function

In the Utilities section of the Web browser interface, you can perform basic file management tasks, manage the AutoSynch function, and set the router’s firmware and boot software.

The Utilities section of the Web browser interface includes five subsections:

■ AutoSynch

■ Configuration

■ Firmware

■ Reboot Unit

■ Telnet to Unit

The AutoSynch section allows you to enable the AutoSynch technology and force synchronization. For more information about AutoSynch functions, see Chapter 1: Overview.

The Configuration section allows you to create and manage configuration files.

In the Firmware section, you can configure the router’s primary and backup firmware files, view the drive space used and free on the router’s internal flash and compact flash memories, and upload and delete firmware files.

The Reboot Unit section provides two options for rebooting the router: save and reboot or reboot without saving.

The Telnet to Unit section opens terminal session software on your PC and begins to negotiate a Telnet session between your PC and the router.

The AutoSynch™ Feature

1. To manage the AutoSynch feature in the Web browser interface, click Utilities > AutoSynch in the left navigation bar. The AutoSynch Mode window is displayed. From this window, you can enable the AutoSynch function, force synchronization, and troubleshoot AutoSynch operation.

2. To enable the AutoSynch technology, click the AutoSynch Mode box.

3. Click Apply. This will signal the AutoSynch function to begin synchronization efforts.


Note: The AutoSynch function is a feature that allows the router to maintain exact, up-to-date copies of the boot code and startup-config files on the router’s internal flash and a mounted compact flash card. The AutoSynch feature is not available for routers without a mounted compact flash card.

AutoSynch technology will work only if you have a copy of the router’s boot code file (SROS.BIZ) and a startup-config file on your compact flash card.

Figure 14-1. AutoSynch Window

4. When the AutoSynch function is enabled, you can force synchronization by clicking the AutoSynch button in the AutoSynch Execute window. The following dialog box is displayed:

“You are about to activate AutoSynch. Continue?”

5. Click the OK button. The boot code file and the startup-config file will be copied from internal flash to compact flash, and synchronization will begin.


The AutoSynch Status window displays AutoSynch messages, such as the current synchronization status of the software (SROS.BIZ) file and startup-config file and any AutoSynch error messages. For a list of AutoSynch error messages and troubleshooting methods, see Chapter 1: Overview.

Configuration

The configuration section supports basic configuration file management.

Startup-Config. The Startup-Config section allows you to set the primary and secondary startup-config files. The startup-config file contains your router’s saved configurations. If you have more than one startup configuration on internal flash or compact flash, you can set the router to boot from the file you want and from the location you specify.

Figure 14-2. Startup Config Window

When the ProCurve Secure Router boots, it looks for the boot code software on the internal flash. After the ProCurve Secure Router locates the boot code and begins to boot, it looks on compact flash for a valid startup-config file. If the router cannot find a valid startup-config on compact flash, it looks on the internal flash memory for a valid file.

1. To set the primary startup config file, click the pull-down menu. A list of configuration files on the internal flash memory (and compact flash if installed) is displayed.

2. Click the file you want the router to use to boot.


3. To set the secondary startup config file, click the desired configuration file from the pull-down menu.

4. To save these changes to the running-config file, click Apply.

Note: If the AutoSynch function is enabled, the primary and backup startup-config files and locations are automatically set and cannot be changed.

Save-Config. The Save-Config window allows you to save the running-config file to the startup-config file. The current configurations will be saved, and the router can then boot with these configurations after it is powered down.

Click the Save button. If the AutoSynch feature is enabled, the running-config is saved as startup-config on both the internal flash memory and the compact flash card.

Figure 14-3. Save Config

Download Config. The Download Config section allows you to save the startup-config to a file on your PC. This feature is particularly useful when you must configure several routers with similar settings and you need to edit the configuration to tailor it to another router.

Figure 14-4. Download Config

1. Click the Download button. The File Download window with the Open, Save, Cancel, and More Info buttons is displayed. The file is automatically named <hostname>-<date>.cfg. For example, if you configured your router’s hostname as HQRouter and today’s date were May 5, 2007, the filename would be HQRouter-05-05-2007.cfg.


2. Click Save. The Save As dialog box is displayed.

3. Locate the folder where you want to save the file and click Save.

After you have downloaded the configuration file onto your PC, you can open and edit it in a text editor program such as Notepad.

Upload Config. The Upload Config section allows you to upload a configuration file from your PC.

Figure 14-5. Upload Config

1. Click the Browse . . . button next to the Select File box and choose the file you want to upload.

2. Select either Flash or CFlash to specify the destination location for the file.

3. To upload the file, click the Upload button at the bottom of the window. The file is uploaded to your router.

Delete Config File. If you have an old or outdated configuration file or if you need the room on your router’s flash or cflash memory, you can delete the file.


Figure 14-6. Delete Config File

1. In the Delete Config File section, use the pull-down menu to display all the files on flash and cflash and select the file you want to delete.

2. Click the Delete button to erase the file. A confirmation dialog box is displayed.

3. Click OK to delete the file.

For information about advanced file management functions such as renaming, uploading, or downloading files, see Chapter 1: Overview.

Firmware

The Firmware section allows you to manage Secure Router OS files. You can select the Secure Router OS file that is loaded when the ProCurve Secure Router boots. You can also upload new OS files and delete old files.

Be careful when setting and managing router firmware; setting the wrong file may prevent your router from booting with the proper configuration or even from booting at all.

Set Primary/Backup Firmware. The Secure Router OS, or firmware, files have the .biz extension. The primary firmware file is always named SROS.BIZ. From the Web browser interface, you can select the firmware file that the router loads when it is booted.

1. Click Utilities > Firmware in the left navigation bar. The Set Primary/Backup Firmware window is displayed.


Figure 14-7. Set Primary/Backup Firmware

2. Use the pull-down menu for the Primary Firmware box to select the file you want for your primary firmware. This file should be cflash SROS.BIZ.

3. To set the backup firmware, use the pull-down menu for the Backup Firmware box to select the file you want for your backup software. This file should be SROS.BIZ.

This window also shows the current memory statistics for the internal flash and cflash drives. The Flash memory statistics are displayed as the bytes used / the total memory and the drive space free. The CFlash memory statistics are displayed below the Flash statistics in the same format.

It is always a good idea to keep track of the amount of memory you have available when saving multiple configurations to your router. For information about deleting files, see “Delete Config File” on page 14-9.


Upload Firmware. This section allows you to upload boot code and OS updates to your router. To get these updates, go to www.procurve.com and download the new firmware files to your PC.

Figure 14-8. Upload Firmware

1. To upload the file from your PC or terminal to the router, click the Browse button next to the Select Firmware File: box.

Note: All firmware files have a .biz extension.

2. After you’ve selected the new firmware file, select either Flash or CFlash to specify the router memory location you are saving the file to.

3. Click the Upload button.

Delete Firmware. This window allows you to delete old firmware versions. Firmware files are usually the largest files in memory, and if you need to free up memory for configuration files, you may want to delete older firmware.


Figure 14-9. Delete Firmware

1. Use the pull-down menu for the Delete Firmware box to select the file that you want to delete.

2. Click the Delete button.

Caution: Deleting the current firmware version or deleting all firmware from the router’s memory may prevent the router from booting. Be very careful when deleting your router’s firmware. You may want to keep a backup copy of the current firmware version.

Reboot Unit

After you have uploaded new firmware or done some configuration work, you may need to reboot the router to make the changes active.

Figure 14-10. Reboot Unit


1. Click the Save and Reboot button to save a copy of the current configuration to a startup-config file. If you are running the AutoSynch feature, a copy is saved to both internal flash and compact flash. This option allows you to keep the current configuration and reboot the router.

Caution: If you have made changes to the Ethernet or WAN interface that you are using to access the Web browser interface, or if you have made changes to any security policies, saving and rebooting may lock you out of the router.

2. Click the Reboot (Do Not Save) button to immediately reboot the router without keeping any changes made to the configuration since the last save. If you have made experimental changes to the router or if you have made changes that are causing operation problems, you may want to reboot the router and have it revert to a previous working configuration.

Telnet to Unit

The Telnet section opens up a Telnet session between your router and your PC. To successfully establish a Telnet session to your router, you first need to configure the router to accept Telnet access.

1. Set an enable mode password.

a. On the left panel of the Web browser interface, click Passwords > Service Authentication.

b. Click the Enable Password tab.

c. Select Use Password and enter an enable password. Enter the password again in the Confirm Password box.

d. Click Apply.

2. Set a Telnet password.

a. Click the Telnet password tab.

b. Select Use Password and enter the password in the box. Re-enter the password in the Confirm Password box.

3. In the left navigation bar, click Telnet to Unit. The PC will open a terminal session and begin to establish a Telnet session.

4. When the terminal session software begins, it will prompt you for a password. Enter the Telnet/SSH/Console password.

5. The session software will display the CLI in the basic mode context. To enter the enable mode context, enter enable. When the router prompts you for the enable mode password, enter the password you configured. From this Telnet session, you can configure the router using the CLI.


Enabling IP Services on the Router

In the IP Services section, you can enable or disable the following servers on the router:

■ Simple Network Management Protocol (SNMP)

■ FTP

■ TFTP

■ HTTP

■ HTTPS

■ Secure Copy

You can also configure settings for the Web browser interface.

In addition to enabling these servers, you must configure passwords for them so that users can access the router. To configure passwords for management access, see “Configuring Passwords to Control Management Access to the Router” on page 14-18.

1. Click System > IP Services in the left navigation bar. The IP Services Enable/Disable window is displayed.


Figure 14-11. IP Services Enable/Disable

2. To enable the router as an SNMP Server, click the box.

3. To enable the router as an FTP Server, click the box.

4. To enable the router as a TFTP server, click the box.

5. To access the Web browser interface, you enabled the router’s HTTP Server from the CLI. To disable the HTTP Server, click the box.

Caution: Disabling the HTTP Server will cause the Web browser interface to stop functioning.

6. To change the HTTP Server Port, enter the desired port number in the box. The default port is 80.

7. To enable the HTTPS Server, click the box.


8. To change the HTTPS Server Port, enter the desired port number in the box. The default is 443.

9. To enable the router’s Secure Copy Server, click the box.

10. To make the changes effective, click Apply. If you want to return to the previously configured settings, click Cancel to reset to the defaults.

Web Access Configuration

By default, the timeout for the HTTP server is 10 minutes. If your HTTP connection to the router is inactive for 10 minutes, you must log in again to use the Web browser interface.

Figure 14-12. Web Access Configuration

1. To change the Inactivity Timeout, enter the number of hours, minutes, and seconds in the boxes.

2. You can set the maximum number of concurrent connections to the Web browser interface by entering the number in the Max Sessions: box.

3. To make the changes effective, click Apply. Click Cancel to reset to the previously configured settings.


Configuring Passwords to Control Management Access to the Router

The ProCurve Secure Router uses usernames and passwords to control management access to the router. In addition to configuring usernames and passwords for each access method, you can enable the Authentication, Authorization, and Accounting (AAA) subsystem, which allows you to configure multiple access methods in case an access method fails. The AAA subsystem also supports RADIUS servers for authentication and TACACS+ servers for authentication, authorization, and accounting.

Encrypting All the Passwords

You can encrypt all passwords that you establish on the ProCurve Secure Router. These include

■ enable mode password

■ telnet and console line passwords

■ passwords for SSH, HTTP, and FTP access

■ passwords in the router’s local username database

The Secure Router OS can perform an MD5 hashing function on these passwords so that they are encrypted in the running-config and when they are sent over the line.

To enable password encryption globally, complete these steps:

1. Select Passwords under System in the left-hand navigation bar.

2. Check the Encryption Enabled box in the Password Encryption window. See Figure 14-13.


Figure 14-13. Add/Modify/Delete Users Window

Configuring a Local User List: Passwords for Web, SSH, and FTP Access

When you configured the router for HTTP or HTTPS access, you entered a username and password. You can use this username and password to access the ProCurve Secure Router through Secure Shell (SSH) and FTP.

All of the usernames and passwords that you configure using the username command from the global configuration mode context in the CLI are stored in the local user list. The Web browser interface simplifies management of this local user list. You can view all of the usernames and passwords that have been configured in the local user list, and you can add or delete usernames and passwords.


1. To view the local user list from the Web browser interface, select Passwords in the left navigation bar. The Add/Modify/Delete Users window is displayed, and the usernames that have been configured are listed under the Modify/Delete User heading.

Figure 14-14. Add/Modify/Delete Users Window

2. To add a new user, enter the username in the space provided.

3. Enter the password for the username in the Password box.

4. Re-enter the password in the Confirm Password box.

5. Click Add. The username is now listed under the Modify/Delete User heading.

6. To remove a username, select it and click Delete.


Configuring an Enable Mode Password

To configure an enable mode password, complete these steps:

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. Select the Enable tab.

Figure 14-15. Configuring a Password for the Enable Mode

3. Select Use password and then enter and confirm the password you want to use.

4. If you want to use a RADIUS or TACACS+ server to control enable mode access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.

5. Click Apply.


Configuring a Password for Telnet Access

To configure a password for Telnet access, complete these steps:

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. Select the Telnet tab.

Figure 14-16. Configuring Passwords for Telnet Access

3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for Telnet access.

4. Select the Use password option if you want to configure a separate password for Telnet access.

5. If you want to use a RADIUS or TACACS+ server to control Telnet access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.

6. Click Apply.


Configuring a Password for Console Access

To configure a password for console access, complete these steps:

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. Select the Console tab.

Figure 14-17. Configuring Passwords for Console Access

3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for console access.

4. Select the Use password option if you want to configure a separate password for console access.

5. If you want to use a RADIUS or TACACS+ server to control console access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.

6. Click Apply.

Configuring a Password for SSH Access

To configure a password for SSH access, complete these steps:

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. Select the SSH tab.

Figure 14-18. Configuring Passwords for SSH Access

3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for SSH access. (This is the default option.)

4. If you want to use a RADIUS or TACACS+ server to authenticate users attempting to initiate an SSH session with the router, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.

5. Click Apply.

Configuring a Password for HTTP Access

To configure a password for Web access, complete these steps:

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. Select the HTTP tab.

Figure 14-19. Configuring Passwords for Web Access

3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for access to the router’s Web server. (This is the default setting.)

4. If you want to use a RADIUS or TACACS+ server to control access to the Web browser, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.

5. Click Apply.

Configuring a Password for FTP Access

To configure a password for FTP access, complete these steps:

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. Select the FTP tab.

Figure 14-20. Configuring Passwords for FTP Access

3. Select the Use local user list option if you want to use the usernames and passwords configured in this list for FTP access. (This is the default setting.)

4. If you want to use a RADIUS or TACACS+ server to control FTP access, then you must enable the AAA subsystem. See “Using the AAA Subsystem to Control Management Access” on page 14-27 for instructions on configuring these options.

5. Click Apply.

Using the AAA Subsystem to Control Management Access

Authentication, authorization, and accounting (AAA) is an industry standard for controlling:

■ which users can access a system (authentication)

■ what they can do once they are granted access (authorization)

■ what is recorded about their activities (accounting)

The AAA subsystem on the ProCurve Secure Router currently supports authentication using a remote Remote Authentication Dial-In User Service (RADIUS) server. The ProCurve Secure Router also supports authentication, authorization, and accounting using a remote TACACS+ server.

When you enable the AAA subsystem, you can specify a list of authentication methods for each type of access. If one authentication method fails, the ProCurve Secure Router will allow the user to try another access method.

The ProCurve Secure Router has specific criteria for failure:

■ Line and enable passwords fail if there are no line or enable passwords configured.

■ RADIUS and TACACS+ servers fail if the ProCurve Secure Router cannot reach the server on the network.

■ The local user list fails if the given user is not in the database.

For example, if you configure the authentication methods with RADIUS as the first option and the RADIUS server goes down, the AAA subsystem tries the next authentication method you configured. If you listed the local user list after the RADIUS server, the AAA subsystem will use that authentication method next.

However, if a user enters the wrong username or the wrong password for a particular username, the user failed to authenticate to the router; the access method did not fail. In this case, the user will be denied access to the router.
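The distinction between a method failing and a user failing to authenticate can be modeled directly. The following is an added example, not code from this guide or from the router's software; the method names, `ModelState`, `RemoteServer`, and the sample accounts are constructed for illustration. The guide does not say what the router does when every method in the list fails, so the model only reports that no method produced a decision.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT = "accept"                # credentials verified by the deciding method
DENY = "deny"                    # user failed to authenticate; no fallback
METHOD_FAILED = "method-failed"  # the method itself failed; try the next one


def same(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class RemoteServer:
    """Stand-in for a RADIUS or TACACS+ server (constructed model)."""
    reachable: bool = True
    users: Dict[str, str] = field(default_factory=dict)


@dataclass
class ModelState:
    """Constructed model of the router-side inputs to each method."""
    line_password: Optional[str] = None
    local_users: Dict[str, str] = field(default_factory=dict)
    radius: RemoteServer = field(default_factory=RemoteServer)
    tacacs: RemoteServer = field(default_factory=RemoteServer)


def check_line(state: ModelState, user: str, password: str) -> str:
    # Guide: line and enable passwords fail if none is configured.
    if state.line_password is None:
        return METHOD_FAILED
    return ACCEPT if same(password, state.line_password) else DENY


def check_local(state: ModelState, user: str, password: str) -> str:
    # Guide: the local user list fails if the user is not in the database.
    if user not in state.local_users:
        return METHOD_FAILED
    return ACCEPT if same(password, state.local_users[user]) else DENY


def check_remote(server: RemoteServer, user: str, password: str) -> str:
    # Guide: RADIUS and TACACS+ fail only if the server cannot be reached.
    if not server.reachable:
        return METHOD_FAILED
    stored = server.users.get(user)
    # A reachable server that rejects the credentials is a user failure.
    return ACCEPT if stored is not None and same(password, stored) else DENY


METHODS = {
    "line": check_line,
    "local": check_local,
    "radius": lambda s, u, p: check_remote(s.radius, u, p),
    "tacacs": lambda s, u, p: check_remote(s.tacacs, u, p),
}


def authenticate(method_list: List[str], state: ModelState,
                 user: str, password: str) -> Tuple[str, Optional[str]]:
    """Walk the ordered method list; return (result, deciding method)."""
    for name in method_list:
        result = METHODS[name](state, user, password)
        if result != METHOD_FAILED:
            return result, name  # ACCEPT or DENY ends the walk
    # Every method failed. The guide does not describe this case, so the
    # model only reports that no method produced a decision.
    return METHOD_FAILED, None


def sample_state(radius_up: bool) -> ModelState:
    """Constructed sample data: two RADIUS accounts, one local account."""
    return ModelState(
        local_users={"admin": "local-secret"},
        radius=RemoteServer(
            reachable=radius_up,
            users={"alice": "radius-secret", "admin": "radius-admin"},
        ),
    )


if __name__ == "__main__":
    order = ["radius", "local"]
    for up in (True, False):
        for user, pw in (("admin", "local-secret"), ("alice", "radius-secret")):
            print(f"radius_up={up} user={user}:",
                  authenticate(order, sample_state(up), user, pw))
```

With RADIUS listed first and the local user list second, the local accounts decide every login while the server is unreachable, so they need the same password policy as the accounts on the RADIUS server.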

You can use the Web browser interface to specify the RADIUS and TACACS+ servers that the ProCurve Secure Router can contact. You can also configure authentication using RADIUS or TACACS+ from the Web browser interface. However, you must configure authorization and accounting using TACACS+ from the CLI.

Configuring Authentication Using a RADIUS Server

If you want to use a RADIUS server to authenticate users who access the router, you must enable the AAA subsystem.

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. In the Service Authentication section, select AAA Mode Enabled.

3. Click Apply to enable the AAA subsystem.

4. Configure the settings for a RADIUS server.

a. Select the Radius tab.

Figure 14-21. Configure the Settings for a RADIUS Server

b. For Address, enter the IP address of the RADIUS server.

c. For Shared Key, enter the shared key. Re-enter the key to confirm it.

d. For Username, enter and confirm the username that the router should use to authenticate itself to the RADIUS server.

e. For TCP Port, accept the default port unless the RADIUS server is operating on a different port.

f. For Retries, configure the number of attempts that the ProCurve Secure Router will make to contact the RADIUS server.

g. For Timeout, configure the number of seconds that the ProCurve Secure Router will wait to receive a reply from the RADIUS server.

h. Click Apply to save the settings for the RADIUS server.

5. Select the tab for the type of access you want to configure:

• Enable Password

• Telnet

• Console

• SSH

• HTTP

• FTP

6. Select the Use remote RADIUS server option.

7. Click Apply to save your settings.

Configuring Authentication Using a TACACS+ Server

If you want to use a TACACS+ server to authenticate users who access the router, you must enable the AAA subsystem.

1. Select Passwords in the left navigation bar and scroll to the bottom of the Add/Modify/Delete Users window.

2. In the Service Authentication section, select AAA Mode Enabled.

3. Click Apply to enable the AAA subsystem.

4. Configure the settings for a TACACS+ server.

a. Select the TACACS+ tab.

Figure 14-22. Configure the Settings for a TACACS+ Server

b. For Address, enter the IP address of the TACACS+ server.

c. For Shared Key, enter the shared key. Re-enter the key to confirm it.

d. For TCP Port, accept the default port unless the TACACS+ server is operating on a different port.

e. For Retries, configure the number of attempts that the ProCurve Secure Router will make to contact the TACACS+ server.

f. Click Apply to save the settings for the TACACS+ server.

5. Select the tab for the type of access you want to configure:

• Enable Password

• Telnet

• Console

• SSH

• HTTP

• FTP

6. Select the Use remote TACACS+ server option.

7. Click Apply to save your settings.

Configuring Ethernet Interfaces

To configure an Ethernet interface from the Web browser interface, complete the following steps. If you need more information about any of the options, see Chapter 3: Configuring Ethernet Interfaces.

1. Click Physical Interfaces in the left navigation bar.

2. Select the Ethernet port you want to configure (eth 0/1 or eth 0/2). The Configuration for Ethernet window is displayed.

Figure 14-23. Configuration for Ethernet Window

3. If you want to document information about this Ethernet interface, enter an alphanumeric string up to 80 characters in the Description box.

4. Click the Enable box and then click Apply at the bottom of the window to activate the Ethernet interface immediately. You can also complete the Ethernet configuration before clicking Apply.

5. Use the pull-down menu to configure the Speed/Duplex setting:

a. To select an automatically negotiated connection, select Auto.

b. To specify a 10 Mbps connection with half- or full-duplex, select 10Mbps/half or 10Mbps/full.

c. To specify a connection at 100 Mbps using a half- or full-duplex setting, select 100Mbps/half or 100Mbps/full.

6. The factory-set MAC Address for the Ethernet interface is displayed beneath the Speed/Duplex box. If you want to keep the MAC address of the router’s interfaces uniform, you can enable MAC Address Masquerade by clicking the box. Then, enter the desired MAC address, in hexadecimal, in the boxes provided.

7. Configure supplicant information if the Ethernet interface connects to a network that requires 802.1X authentication.

a. Click the Supplicant box. Supplicant Username and Supplicant Password boxes are displayed.

b. In these boxes, enter the username and password required to allow the router to access the 802.1X network. (For more information about the router functioning as an 802.1X client, see “Port Authentication” on page 2-40.)

8. The Interface Mode pull-down allows you to choose IP routing or PPP over Ethernet (PPPoE). The default setting is IP Routing. If you select PPPoE and then click Apply, the PPPoE Configuration window is displayed. If you want to configure PPPoE for this interface, see “Configuring PPPoE for the Ethernet Interface” on page 14-35.

9. Click Apply to save the changes you have made to the startup-config.

IP Settings

The IP Settings section allows you to configure the IP address and dynamic Domain Name System (DNS) settings for the Ethernet interface.

Figure 14-24. IP Settings Section

10. Use the pull-down menu to configure the Address Type:

• None—Select this setting if you intend to set up a bridge group with the Ethernet interface.

• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the Ethernet interface.

• DHCP—Select this setting to configure the interface as a Dynamic Host Configuration Protocol (DHCP) client.

• Unnumbered—To set up the Ethernet interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.

Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.

Dynamic DNS

11. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Choose the service for which you registered with DynDNS.org. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname you are registering for the interface.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

Secondary IP Settings

12. To set secondary IP addresses for your Ethernet interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.

13. Click Apply to save your configurations.

Ethernet Interface Statistics

You can view status information about the Ethernet interface at the bottom of the Ethernet Configuration window. This display provides basic information; for a more comprehensive readout, access the CLI and enter show interface ethernet 0/<port> at the enable mode context.

Releasing/Renewing a DHCP IP Address

If the Ethernet interface receives its IP address from a DHCP server, the first line of the Status for Ethernet section reports the DHCP address state. If the interface has successfully received an address, this should display “Bound.” Next to “Bound” are the words Release and Renew highlighted in blue.

14. To release the current IP address, click Release.

15. To receive an IP address, click Renew. When the interface receives an address, the DHCP field should display “Bound.”

16. To clear the current statistics, click the Clear Statistics button.

17. This section does not display real-time information. To get updates, click the Continuous Refresh button. Click the Stop Updates button to end the continuous refresh.

Caution: Clicking the Continuous Refresh button requires the router to send continuous updates. This consumes bandwidth and router resources.

Figure 14-25. Status for Ethernet Interface

Configuring PPPoE for the Ethernet Interface

To configure PPPoE, complete the following steps:

1. Access the Configuration for Ethernet window, select PPPoE for the Interface Mode, and click Apply. The PPPoE Configuration for “ppp <interface number>” window displays.

2. Enter a description if you need to document information about PPPoE settings. This information will be displayed in the running-config under the appropriate PPP interface heading.

3. Click the Enabled box to activate the PPP interface.

4. For most environments, accept the default setting of 1500 for the MTU. The ProCurve Secure Router OS will negotiate an MTU of 1492 with the PPP peer. If the two peers fail to negotiate an MTU of 1492, you may need to set the MTU manually.

5. Select Default Peer Address if you want to configure the IP address of the PPP peer.

Figure 14-26. PPPoE for the Ethernet Interface

6. If you want to configure PPP authentication, see “PPP Authentication” on page 14-50.

7. Configure IP settings. For Address Type select one of the following.

• None—Select this setting if you intend to set up a bridge group with the PPP interface.

• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the PPP interface.

• Negotiated—Select this setting if you want the PPP interface to negotiate an IP address from your service provider. Select Default Route if you want to configure the interface to receive a default gateway from the peer.

• Unnumbered—To set up the PPP interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.

Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.

Figure 14-27. Configure IP Settings

Dynamic DNS

8. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

Secondary IP Settings

9. To configure secondary IP addresses for the PPP interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.

10. Click Apply to activate your configurations.

View Statistics for the PPP Interface

Status information is displayed at the bottom of the Configuration PPPoE window. After you apply your changes, the PPP Link State will be “starting,” indicating that the ProCurve Secure Router OS is trying to establish a PPP connection with its peer. Ensure that the PPP Link State is eventually “up.” For information about troubleshooting PPPoE, see “Troubleshooting PPPoE” on page 7-50.

This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To stop continuous refresh, click the Stop Updates button. To reset the statistics, click the Clear Statistics button.

Figure 14-28. View Statistics for PPPoE

Configuring E1 and T1 Interfaces

When you set up an E1- or T1-carrier line, you must configure the Physical Layer and the Data Link Layer. This section explains how to configure the Physical Layer—the E1 or T1 interface—if you have purchased:

■ an E1 module that includes a built-in Digital Service Unit (DSU)

■ a T1 module that includes a built-in Channel Service Unit (CSU)/DSU

If your public carrier provides an external CSU/DSU, see “Configuring a Serial Interface for an E1- or T1-Carrier Line” on page 14-44.

When you configure the E1 or T1 interface, you must configure the same settings that your public carrier’s equipment uses. If you need additional information about any of the options, see Chapter 4: Configuring E1 and T1 Interfaces.

1. In the left navigation bar of the Web browser interface, select Physical Interfaces. The interfaces for all of the modules installed in the router are listed on the Physical Interfaces window.

Figure 14-29. Physical Interfaces Window

2. Select the E1 or T1 interface that you want to configure. The Configuration for the <interface> <slot>/<port> window is displayed.

Figure 14-30. Configuration for E1 Interface Window

3. Enter a description in the Description box if you want to document information about the E1 or T1 interface. This information will be displayed in the running-config under the appropriate interface heading.

4. To activate the interface, select the Enable box and then click Apply at the bottom of the window.

5. Configure the clock source for the interface in the Clocking pull-down menu.

• Select line if you want the interface to take its timing from the public carrier’s equipment.

• Select internal if you want the interface to provide the timing for the connection.

• Select through if you have a module with more than one E1 or T1 port and you want this interface to take its timing from the other interface. (See Chapter 4: Configuring E1 and T1 Interfaces for more information about clock sources and when to use the through setting.)

6. Set the frame format to match your service provider’s settings:

• If you are configuring an E1 interface, use the pull-down menu to select E1 or CRC4. E1 is the default setting.

• If you are configuring a T1 interface, click ESF or D4. ESF is the default setting.

Note: Select the TS16 box to enable TS16 signaling only if you are configuring the G.703 interface for an E1 + G.703 module. For more information, see “E1 + G.703 and T1 + DSX-1 Modules” on page 14-74.

7. Use the Coding pull-down menu to configure the coding to match your service provider’s settings:

• If you are configuring an E1 interface, use the pull-down menu to select HDB3 or AMI. HDB3 is the default setting.

• If you are configuring a T1 interface, use the pull-down menu to select B8ZS or AMI. B8ZS is the default setting.

8. If you are configuring a T1 interface, use the pull-down menu to set the facility data link (FDL). The default setting is ANSI. You can also select ATT or None.

9. If you are configuring an E1 interface, you can set the Sa4Tx-Bit to 0 or 1. The default setting is 0.

10. In the Data DS0s field, configure the channels for the connection. This setting must match the channels configured on your service provider’s equipment, or the Data Link Layer protocol cannot establish a connection.

• If you are leasing the entire E1-carrier line, set the timeslots to 1 to 31.

• If you are leasing the entire T1-carrier line, set the timeslots to 1 to 24.

11. Accept the default setting of 64 Kbps for the DS0 speed unless your public carrier tells you to change this setting. Typically, you will change the setting only if you are leasing a T1-carrier line and are using the D4 frame format. In this case, use the pull-down menu to select 56 Kbps.

12. Select the Data Link Layer protocol for this interface—PPP, Frame Relay, or High-level Data Link Control (HDLC)—and click Apply. The <Protocol> Configuration Settings window is displayed.

• If your WAN connection is using PPP, see “Configure PPP as the Data Link Layer Protocol” on page 14-47.

• If your WAN connection is using Frame Relay, see “Configure Frame Relay as the Data Link Layer Protocol” on page 14-52.

• If your WAN connection is using HDLC, see “Configure HDLC as the Data Link Layer Protocol” on page 14-58.

Note: If you are using PPP or Frame Relay, you can configure a multilink connection. For instructions on configuring this multilink, see Chapter 2: Increasing Bandwidth in the Advanced Management and Configuration Guide.

Status Information

After you configure the Data Link Layer protocol, a new Data Link Layer section is displayed on the E1 or T1 configuration window. You can now access the configuration window for the Data Link Layer protocol from the E1 or T1 configuration window.

Status information is displayed at the bottom of the E1 or T1 configuration window. This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To end continuous refresh, click the Stop Updates button. To reset the statistics, click the Clear Statistics button.

Figure 14-31. Status for E1 Interface

Caution: Clicking the Continuous Refresh button requires the router to send continuous updates, consuming bandwidth and router resources.

Configuring a Serial Interface for an E1- or T1-Carrier Line

If your public carrier provided you with an external CSU/DSU, you purchased a serial module for the ProCurve Secure Router. When you set up an E1- or T1-carrier line, you must configure the Physical Layer and the Data Link Layer. This section explains how to configure the Physical Layer—the serial interface. If you need additional information about any of the options, see Chapter 4: Configuring E1 and T1 Interfaces.

1. In the left navigation bar of the Web browser interface, select Physical Interfaces. The interfaces for all of the modules installed in the router are listed on the Physical Interfaces window.

2. Select the serial interface that you want to configure. The Configuration for Serial <port number>/<slot number> window is displayed.

Figure 14-32. Configuration for Serial Window

3. Enter a string of up to 80 characters in the Description field if you want to document information about this interface.

4. Select the Enable box to activate the interface.

5. For Mode, select V.35 or X.21, depending on the type of cable you are using to connect the serial module to the external CSU/DSU. The default setting is V.35. If you want to use an EIA 530 cable from another vendor, the ProCurve Secure Router supports this setting from the CLI. For more information, see Chapter 5: Configuring Serial Interfaces for E1- and T1-Carrier Lines.

6. Configure the clock settings.

a. For TX Clock, accept the default setting of Normal or select Invert if the router is a long distance from the CSU/DSU.

b. For Rx Clock, accept the default setting of Normal or select Invert if the router is a long distance from the CSU/DSU.

c. For ET Clock, accept the default setting of Normal or select Invert if the router is a long distance from the CSU/DSU.

d. For ET Clock Source, accept the default setting of Tx Clock or select Rx Clock if your public carrier tells you to change this setting.

7. For Encapsulation, select the Data Link Layer protocol that your public carrier is using. The <Protocol> Configuration Settings window is displayed.

• If your WAN connection is using PPP, see “Configure PPP as the Data Link Layer Protocol” on page 14-47.

• If your WAN connection is using Frame Relay, see “Configure Frame Relay as the Data Link Layer Protocol” on page 14-52.

• If your WAN connection is using HDLC, see “Configure HDLC as the Data Link Layer Protocol” on page 14-58.

Note: If you are using PPP or Frame Relay, you can configure a multilink connection. For instructions on configuring this multilink, see the Advanced Management and Configuration Guide: “Configuring MLPPP” on page 14-18 or “Configuring MLFR” on page 14-20.

Status Information

Status information is displayed at the bottom of the Configuration for Serial window. This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To end continuous refresh, click the Stop Refreshing button. To reset the statistics, click the Clear Statistics button.

Figure 14-33. Status for Serial Interface

Caution: Clicking the Continuous Refresh button requires the router to send continuous updates, consuming bandwidth and router resources.

Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces

This section explains how to configure the Data Link Layer protocol for an E1, T1, or Serial interface. You should configure the physical interface to use the same Data Link Layer protocol that your public carrier is using:

■ For PPP, see “Configure PPP as the Data Link Layer Protocol” below.

■ For Frame Relay, see “Configure Frame Relay as the Data Link Layer Protocol” on page 14-52.

■ For HDLC, see “Configure HDLC as the Data Link Layer Protocol” on page 14-58.

If you need additional information about any of the options, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.


Configure PPP as the Data Link Layer Protocol

The following steps explain the initial configuration of PPP as the Data Link Layer protocol. It is assumed that you have configured the Physical Layer—the E1, T1, or serial interface—and you have selected PPP as the Data Link Layer protocol. As a result, the PPP Configuration window is displayed.

Figure 14-34. PPP Configuration Window

1. From the PPP Configuration window, enter a string of text up to 80 characters in the Description box if you want to record information about the PPP interface. This description will be displayed in the running-config.

2. Select the Enabled box to activate the interface.

3. If you do not want the interface to use Weighted Fair Queuing (WFQ), click the box to deselect it. For more information about WFQ, see “Configuring WFQ” on page 14-45 in the Advanced Management and Configuration Guide.

4. For most environments, you will accept the default MTU of 1500. If you need to adjust the MTU, however, enter the new value in the MTU box.

5. Verify that the PPP interface is bound to the correct physical interface.


6. If you have not set a QoS Policy, None is displayed for its QoS policy. To create a QoS policy, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.

7. To configure the IP address of the PPP peer, select the Default Peer IP Address box, and enter the IP address in the boxes provided.

8. To configure authentication, see “PPP Authentication” on page 14-50.

IP Settings

9. For Address Type select one of the following.

• None—Select this setting if you intend to set up a bridge group with the PPP interface.

• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the PPP interface.

• Negotiated—Select this setting if you want the PPP interface to negotiate an IP address from your service provider. Select Default Route if you want to configure the interface to receive a default gateway from the peer.

• Unnumbered—To set up the PPP interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.

Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.


Figure 14-35. IP Settings

Dynamic DNS

10. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

Secondary IP Settings

11. To configure secondary IP addresses for your PPP interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.

12. Click Apply to activate your configurations.


Status Information

Status information is displayed at the bottom of the Configuration PPP window. After you apply your changes, the PPP Link State will be “starting,” indicating that the ProCurve Secure Router OS is trying to establish a PPP connection with its peer. Ensure that the PPP Link State is eventually “up.” For information about troubleshooting PPP, see “Troubleshooting the PPP Interface” on page 6-58.

PPP Authentication

The ProCurve Secure Router supports two authentication protocols for PPP: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

When a ProCurve Secure Router asks a peer to authenticate itself using PAP, the peer sends its password in clear text over the wire. The first router matches the password to the password in its PPP database.

CHAP is more secure because the actual password does not cross the wire, where anyone could intercept it. The peer that is authenticating itself hashes its password and sends the hash value to the challenging peer instead. The challenger, which has the password stored in its PPP database, performs the same hash function. It compares the result with the value it received from the peer.

Both peers must use the same protocol.

You can configure the ProCurve Secure Router to require authentication from a peer, or to authenticate itself to a peer, or both.
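The difference between the two protocols on the wire, as an added example that is not part of the original guide: PAP as laid out in RFC 1334 and CHAP with MD5 as laid out in RFC 1994, where the hash covers the packet identifier and the challenger's random value as well as the password. RouterB and YYY come from Figure 14-36; the hostname RouterA and all function and class names are assumptions.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1                  # RFC 1334 code
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2  # RFC 1994 codes


def pap_request(ident, peer_id, password):
    """PAP Authenticate-Request: the password is an ordinary packet field."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data


def chap_packet(code, ident, value, name):
    """CHAP Challenge and Response share one layout: Value-Size, Value, Name."""
    data = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def parse_chap(packet):
    """Split a CHAP packet into (code, identifier, value, name)."""
    if len(packet) < 5:
        raise ValueError("truncated CHAP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    if length > len(packet) or 5 + size > length:
        raise ValueError("inconsistent CHAP length fields")
    return code, ident, packet[5:5 + size], packet[5 + size:length]


def chap_md5(ident, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Challenger:
    """The router that requires its peer to authenticate."""

    def __init__(self, hostname, ppp_db):
        self.hostname = hostname
        self.ppp_db = ppp_db      # peer username -> password (the PPP database)
        self.pending = {}         # identifier -> outstanding challenge value
        self.next_ident = 0

    def challenge(self, value=None):
        """Issue a Challenge; a fixed value may be passed for repeatable tests."""
        ident, self.next_ident = self.next_ident, (self.next_ident + 1) % 256
        self.pending[ident] = value if value is not None else os.urandom(16)
        return chap_packet(CHAP_CHALLENGE, ident, self.pending[ident], self.hostname)

    def verify(self, response):
        """Recompute the hash from the stored password and compare."""
        code, ident, value, name = parse_chap(response)
        challenge = self.pending.pop(ident, None)   # each challenge is single-use
        secret = self.ppp_db.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_md5(ident, secret, challenge))


def chap_respond(challenge_packet, hostname, secret):
    """The authenticating peer: answer a Challenge without sending the secret."""
    code, ident, value, _ = parse_chap(challenge_packet)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a CHAP Challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_md5(ident, secret, value), hostname)


if __name__ == "__main__":
    password = b"YYY"                                  # password from Figure 14-36
    print("PAP on the wire: ", pap_request(1, b"RouterB", password))
    router_a = Challenger(b"RouterA", {b"RouterB": password})  # RouterA: assumed name
    challenge = router_a.challenge()
    response = chap_respond(challenge, b"RouterB", password)
    print("CHAP on the wire:", challenge.hex(), response.hex())
    print("accepted:", router_a.verify(response))
    print("replayed response accepted:", router_a.verify(response))
```

Because the challenge value changes with every exchange, a captured CHAP response is useless against a later challenge, whereas a captured PAP request contains the password itself.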

Requiring a Peer to Authenticate Itself to the Local Router

1. Select Physical Interfaces under System in the left navigation bar.

2. Choose the logical interface for the connection whose remote endpoint you want to authenticate. (It must, of course, be a PPP interface.)

3. You will enter the PPP Config window. Move to Authentication Settings in the PPP configuration for “ppp <interface number>” window.


Figure 14-36. Configuring Two-Way PAP Authentication

4. In the pull-down menu for Peer Authentication Type, select PAP or CHAP.

5. Enter the remote endpoint’s username and password in the Peer Username and Peer Password fields. For example, in Figure 14-36, the peer’s username is RouterB and its password is YYY. For CHAP, the username should be the peer’s hostname.

6. Click Apply.

7. You can also configure the local router to authenticate itself to the peer, although this is not necessary. (See “Configuring the Local Router to Authenticate Itself to a Peer” on page 14-51.)

Configuring the Local Router to Authenticate Itself to a Peer

1. Select System > Physical Interfaces.

2. Choose the logical interface for the connection whose remote endpoint requires the router to authenticate itself (for example, your ISP).

3. You will enter the PPP Config window. Move to Authentication Settings in the PPP configuration for “ppp <interface number>” window.


Figure 14-37. Configuring the Local Router to Authenticate Itself

4. In the pull-down menu for Sent Authentication Type, select PAP or CHAP. The protocol must match that requested by the peer. If you do not know the protocol your peer is using, you will either have to contact the peer or view PPP debug messages in the CLI. (See “PPP Authentication” on page 6-11.)

5. Enter the local router’s username and password in the Sent Username and Sent Password fields. If you are using CHAP, you only have to enter a username if it is different from the router’s hostname.

6. Click Apply.

Configure Frame Relay as the Data Link Layer Protocol

The following steps explain the initial configuration of Frame Relay as the Data Link Layer protocol. It is assumed that you have configured the Physical Layer—the E1, T1, or serial interface—and you have selected Frame Relay as the Data Link Layer protocol. As a result, the Frame Relay Configuration window is displayed.


Figure 14-38. Frame Relay Configuration Window

1. From the Frame Relay Configuration window, enter a string of text up to 80 characters in the Description box if you want to record information about the WAN connection. This information will be displayed in the running-config.

2. Select the Enabled box to activate the interface.

3. Use the pull-down menu to select the Link Management Protocol that your Frame Relay service provider is using:

• ansi (Annex D)

• cisco (Group of Four)

• none

• q933a (Annex A)

• auto

The default setting is ansi.

4. Weighted Fair Queuing (WFQ) is enabled by default. If you do not want the interface to use WFQ, click the box to deselect it. For more information about WFQ, see “Configuring WFQ” on page 14-45 in the Management and Configuration Guide.


5. Use the pull-down menu to select the Frame Relay’s signaling role:

• If this interface is acting as Data Terminal Equipment, select Connect to a switch (DTE). For most environments, you will select this setting.

• If this device is acting as Data Communications Equipment, select Act like a switch (DCE).

• If this Frame Relay interface will act as both DTE and DCE, select Both.

6. Verify that the Frame Relay interface is bound to the correct physical interface. The Physical Interface field displays the interface <slot>/<port> that is connected to the logical Frame Relay interface that you are configuring.

7. If you have not set a QoS Policy, this Frame Relay interface will display None for its QoS policy. For instructions on setting a QoS policy, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.

8. Click Apply to activate the settings.

Configure a Permanent Virtual Circuit (PVC)

The Configured Permanent Virtual Circuits section allows you to create and display PVCs for this WAN connection.

Figure 14-39. Configured Permanent Virtual Circuits Section

9. To create and configure a PVC, click the Add button. The Configuration window is displayed.


Figure 14-40. Configuration for Frame Relay Subinterface Window

1. Enter a string of text up to 80 characters in the Description box if you want to record information about the Frame Relay subinterface. This description will be displayed in the running-config under the appropriate interface heading.

2. Set the FRF.12 fragment threshold by entering the size in the Fragment box.

3. Set the committed burst rate in the BC box.

4. Set the excess burst rate in the BE box.

5. In the DLCI Number box, enter the DLCI that your Frame Relay service provider assigned you. This number must be between 16 and 992.


Configure IP Settings

6. Configure the IP settings for the Frame Relay subinterface.

• None—Select this setting if you intend to set up a bridge group with the Frame Relay subinterface.

• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the Frame Relay subinterface.

• DHCP—Select this setting to configure the subinterface as a Dynamic Host Configuration Protocol (DHCP) client.

• Unnumbered—To set up the Frame Relay subinterface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.

Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.

Configure Dynamic DNS

7. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

8. Click Apply to activate your settings.

9. Repeat steps 9-17 for each PVC you need to configure for the Frame Relay interface.

Status Information

10. To view information about the Frame Relay subinterface, scroll to the bottom of the Configuration for Frame Relay subinterface window.


Figure 14-41. Statistics for Frame Relay Subinterface

11. Reset statistics by clicking the Clear Statistics button.

12. Get continuous updates by clicking the Continuous Refresh button. To stop the continuous updates, click the Stop Refreshing button.

13. To view status information about the Frame Relay interface and LMI status, return to the Frame Relay Configuration window and scroll to the bottom of the window.

Figure 14-42. Statistics for Frame Relay Interface


Configure HDLC as the Data Link Layer Protocol

The following steps explain the initial configuration of HDLC as the Data Link Layer protocol. It is assumed that you have configured the Physical Layer—the E1, T1, or serial interface—and you have selected HDLC as the Data Link Layer protocol. As a result, the HDLC Configuration window is displayed.

Figure 14-43. HDLC Configuration Window

1. Enter a description in the Description box if you want to record some information about the HDLC interface. This information will be displayed in the interface’s running-config.

2. Click the Enabled box to activate the interface.

3. If you do not want the interface to use Weighted Fair Queuing, click the box to deselect it. For more information about WFQ, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.

4. For most environments, you will accept the default MTU of 1500. If you need to adjust the MTU, however, enter the new value in the MTU box.


5. Verify that the HDLC is bound to the proper physical interface by checking the Physical Interface field.

6. If you have not set a QoS Policy, this HDLC interface will display None for its QoS policy. To set a QoS policy, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.

IP Settings

7. Configure IP Settings.

• None—Select this setting if you intend to set up a bridge group with the HDLC interface.

• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the HDLC interface.

• DHCP—Select this setting to configure the HDLC interface as a DHCP client.

• Unnumbered—To set up the HDLC interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.

Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.

Dynamic DNS

8. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

9. Click Apply to activate your settings.


Status Information

You can also check the HDLC interface statistics in the Status for “hdlc <interface>” section. To reset the statistics, click the Clear Statistics button. To get real-time updates, click Continuous Refresh. To stop continuous refresh, click the Stop Refreshing button.

Figure 14-44. Status for HDLC Interface


Configuring ADSL Interfaces

To configure the ProCurve Secure Router to support an Asymmetric Digital Subscriber Line (ADSL), complete the following steps. If you need more information about any of the ADSL or Asynchronous Transfer Mode (ATM) options, see Chapter 7: ADSL WAN Connections.

1. From the left navigation bar, click Physical Interfaces. The Physical Interfaces window is displayed.

Figure 14-45. Physical Interfaces Window

2. From the list of physical interfaces that are listed, click the ADSL interface that you want to configure. The Configuration for ADSL window is displayed.


Figure 14-46. Configuration for ADSL Window

3. Enter a description for the interface if you want to document information about the ADSL connection. The description is displayed when you view the running-config file.

4. Click the Enable box to activate the ADSL interface.

5. Use the pull-down menu to select the Training Mode that your ADSL service provider is using.

6. Select the Showtime-Monitor if you want to monitor the signal-to-noise ratio (SNR)-margin after the physical connection has been established.

7. Select the Training-Monitor if you want to monitor the SNR-margin during the training phase.

8. In the box provided for the SNR-Margin, enter the SNR margin in decibels.

9. The ADSL Version displays the type of ADSL module installed in the router and information about the module’s boot ROM and firmware.

10. Select ATM as the encapsulation.

11. Click Apply to save your changes to the startup-config. The Configuration for “atm <interface>” window is displayed. (See Figure 14-47.)


Configure an ATM Interface

Figure 14-47. Configuration for ATM Interface Window

12. Enter a description if you want to document information about the ATM interface.

13. Click the Enabled box to activate the ATM interface.

14. Click Apply to save your changes to the startup-config.

Configure the ATM Subinterface

15. In the Configured Permanent Virtual Circuits section, click the Add button to begin configuring the permanent virtual circuit (PVC). The Configuration for “atm <subinterface>” window is displayed.


Figure 14-48. Configuration for ATM Subinterface Window

16. Click the Enabled box to activate the subinterface.

17. For PVC, enter the virtual path identifier (VPI) in the first box, and enter the virtual channel identifier (VCI) in the second box. For example, if your ADSL service provider assigned you a VPI/VCI of 0/33, you would enter 0 in the first box and 33 in the second box.

18. For Interface Mode, use the pull-down menu to select one of the following:

• IP routing, if you are configuring just ATM as the Data Link Layer protocol

• PPPoE client, if you are configuring PPPoE for the ADSL interface

• PPP, if you are configuring PPPoA

19. If your ADSL service provider uses routed bridged encapsulation (RBE), select the Routed-Bridge IP box.

20. To configure the ATM encapsulation method, quality of service (QoS) settings, and Operation, Administration, and Maintenance (OAM) settings, click the Advanced Configuration box at the top of the Configuration for ATM Subinterface window. The Advanced Configuration section is displayed.


Figure 14-49. Advanced Configuration Section

21. Configure Fair-Queue, Fair-Queue Threshold, and Hold-Queue settings if you want to configure QoS on this interface. For more information about QoS, see “Configuring Quality of Service” on page 14-44 in the Advanced Management and Configuration Guide.

22. Select Managed OAM-PVC to manage the Operation, Administration, and Maintenance (OAM) cells. These cells are sent over a reserved VCI to monitor the ATM link, ensuring that it is open from end to end. After you select the Managed OAM-PVC option, you can then configure:

• OAM Retry Up-Counts—determines the number of consecutive, end-to-end F5 OAM loopback cell responses that the ADSL interface must receive before the Secure Router OS changes a PVC connection state to up. For this option, configure a number between 1 and 255. The default setting is 3.

• OAM Down-Counts—determines the number of consecutive, end-to-end F5 OAM loopback cell responses that are not received before the Secure Router OS changes the PVC state to down. Specify a number between 1 and 255. The default setting is 5.

• OAM Retry Frequency—determines the frequency (in seconds) at which the ADSL interface transmits F5 OAM loopback cells when verifying a PVC state change. Specify a number of seconds between 1 and 600. The default setting is 1 second.


• OAM PVC Frequency—determines the time delay between OAM loopback cells. This setting is used unless the router is verifying a PVC state change (in which case it uses the OAM retry frequency setting). Specify a number between 0 and 600 seconds. The default setting is 1 second.

23. Select the encapsulation setting that your ADSL service provider is using:

• aalsnap

• aalmux ip

• aalmux ppp

24. Click Apply to save your settings to the startup-config.

If you are configuring just ATM as the Data Link Layer protocol, continue with “Configuring ATM Only” on page 14-66. If you are configuring PPPoE or PPPoA, you must configure a PPP interface. See “Configuring PPPoE or PPPoA for the ADSL Connection” on page 14-68.
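A simplified timing model of the four Managed OAM-PVC settings from step 22, written from their descriptions in this guide (an added example, not Secure Router OS code). The class and function names are assumptions, as is the rule that a result contradicting the current PVC state switches cell spacing to the retry frequency until the streak completes or breaks.

```python
from dataclasses import dataclass


@dataclass
class OamSettings:
    up_count: int = 3          # OAM Retry Up-Counts (1-255, default 3)
    down_count: int = 5        # OAM Down-Counts (1-255, default 5)
    retry_frequency: int = 1   # OAM Retry Frequency in seconds (1-600, default 1)
    pvc_frequency: int = 1     # OAM PVC Frequency in seconds (0-600, default 1)

    def validate(self):
        """Reject values outside the ranges the guide gives for each box."""
        limits = {
            "up_count": (1, 255),
            "down_count": (1, 255),
            "retry_frequency": (1, 600),
            "pvc_frequency": (0, 600),
        }
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}-{high}")
        return self


def simulate(settings, replies, state="up"):
    """Return [(seconds, new_state), ...] for a sequence of loopback results.

    replies holds one bool per F5 OAM loopback cell sent: True if the
    end-to-end response came back, False if it did not.
    """
    settings.validate()
    clock, streak, changes = 0, 0, []
    for answered in replies:
        # A result that contradicts the current state starts or extends a
        # verification streak; a result that agrees with it resets the streak.
        contradicts = (state == "up") != answered
        if contradicts:
            streak += 1
            needed = settings.down_count if state == "up" else settings.up_count
            if streak >= needed:
                state = "down" if state == "up" else "up"
                changes.append((clock, state))
                streak = 0
        else:
            streak = 0
        # While a state change is being verified the retry frequency applies;
        # otherwise cells are spaced by the PVC frequency.
        clock += settings.retry_frequency if streak else settings.pvc_frequency
    return changes


if __name__ == "__main__":
    # Constructed input: one good cell, five lost responses, three good cells.
    results = [True] + [False] * 5 + [True] * 3
    print(simulate(OamSettings(pvc_frequency=10), results))
```

With a PVC frequency of 10 seconds and the other defaults, the model marks the PVC down 4 seconds after the first missed response and up again 2 seconds after the first response that returns.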

Configuring ATM Only

25. After you select IP routing, a new section called IP Settings is displayed.

Figure 14-50. IP Settings Section


26. For Address Type, use the pull-down menu to select:

• None—Select None if you want this interface to be part of a bridge.

• Static—Select Static if you want to configure a fixed IP address for the interface. When new fields are displayed, enter an IP address and subnet mask.

• DHCP—Select DHCP if your ADSL service provider wants you to receive an IP address from its DHCP server.

27. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

28. Click Apply to save your configuration.

Figure 14-51. Configuring Dynamic DNS in the IP Settings Section


Status Information

You can view information about both the ATM interface and subinterface. To view information about the ATM interface, move to the Configuration for “atm <interface>” window and scroll to the bottom of the window. Likewise, you can view the status of the ATM subinterface by scrolling to the bottom of the Configuration for “atm <subinterface>” window.

Configuring PPPoE or PPPoA for the ADSL Connection

After you select PPPoE Client or PPP as the Interface Mode for the ATM subinterface, a PPP configuration screen is displayed. (See Figure 14-52.) You must then configure the PPP interface:

1. Enter a description if you need to document information about the PPP interface. This information will be displayed in the running-config under the appropriate PPP interface heading.

2. Click the Enabled box to activate the PPP interface.

3. For most environments, you can accept the default setting of 1500 for the MTU. If you selected the PPPoE Client setting for the ATM Interface Mode, the ProCurve Secure Router OS will automatically negotiate an MTU of 1492 with the PPP peer. If the two peers fail to negotiate an MTU of 1492, you may need to set the MTU manually.

4. Select Default Peer Address if you want to configure the IP address of the PPP peer.

5. If you want to configure PPP authentication, see “PPP Authentication” on page 14-50.


Figure 14-52. PPPoE Configuration Window

6. Configure IP settings. For Address Type select one of the following.

• None—Select this setting if you intend to set up a bridge group with the PPP interface.

• Static—Select this setting if you want to configure a static IP address. The boxes to enter the IP address and subnet mask are displayed, so that you can enter the appropriate address for the PPP interface.

• Negotiated—Select this setting if you want the PPP interface to negotiate an IP address from your service provider.


• Unnumbered—To set up the PPP interface with the same IP address as another interface, click the Unnumbered option. The Interface box is displayed.

Use the pull-down menu for the Interface box to select the appropriate interface. The menu will display any ATM subinterfaces, Frame-Relay subinterfaces, HDLC interfaces, loopback interfaces, and PPP interfaces that are already configured.

7. Select Default Route if you want this interface to provide the default route for the router.

Dynamic DNS

8. Configure dynamic DNS, if needed. For more information about dynamic DNS, see “Configuring Dynamic DNS” on page 14-91.

a. For Dynamic DNS, use the pull-down menu to select DynDNS.org, DynDNS.org Static, or DynDNS.org Custom. Additional boxes are displayed, allowing you to configure information about your account with DynDNS.org.

b. For Dynamic DNS Hostname, enter the hostname required to register the interface’s IP address.

c. For Dynamic DNS Username, enter the username for your company’s account with DynDNS.org.

d. For Dynamic DNS Password, enter the password for your company’s account with DynDNS.org.

Secondary IP Settings

9. To configure secondary IP addresses for the PPP interface, click Add a new Secondary IP Address. Then enter the IP address and subnet mask in the boxes provided.

10. Click Apply to activate your configurations.

View Statistics for the PPP Interface

Status information is displayed at the bottom of the PPP configuration window. After you apply your changes, the PPP Link State will be “starting,” indicating that the ProCurve Secure Router OS is trying to establish a PPP connection with its peer. Ensure that the PPP Link State is eventually “up.” For information about troubleshooting PPPoE, see “Troubleshooting PPPoE” on page 7-50. For information about troubleshooting PPP, see “Troubleshooting the PPP Interface” on page 6-58.


ISDN Modules

The two-port ISDN modules provide basic rate interface (BRI) ISDN for a primary WAN connection. Each ISDN line can provide up to two 64 Kbps channels. You can aggregate multiple channels for a single ISDN connection. (However, you must configure the aggregation from the CLI.)

The ISDN BRI S/T module provides an interface to connect the router to Network Termination 2 (NT2) or NT1 equipment. This module is used in areas outside of North America.

The ISDN BRI U module provides an interface to connect the router to a Network Interface Unit (NIU), or smart jack. This module is used in North America.

Complete these steps to configure the physical interfaces on the ISDN module:

1. In the left navigation bar of the Web browser interface, select Physical Interfaces. The interfaces for all of the modules installed in the router are listed on the Physical Interfaces window.

2. The ports on the ISDN module are listed as BRI interfaces. Select the BRI interface that you want to configure. The Configuration for the BRI <slot>/<port> window is displayed.


Figure 14-53. Configuration for a BRI Interface

3. Enter a description in the Description box if you want to document information about the BRI interface. This information will be displayed in the running-config under the appropriate interface heading.

4. To activate the interface, select the Enable box.

5. If you want the BRI interface to replace the caller ID of incoming calls with a different number, select the Caller Id Override box. Enter the number that replaces incoming numbers in the Override Number field.

6. Select the ISDN signaling used by your service provider from the Switch-Type pull-down menu.

7. Enter the local directory number (LDN) for the ISDN line in the LDN1 field.

8. If your service provider has assigned this line a secondary LDN, enter it in the LDN2 field.

9. In North America, service providers assign ISDN lines Service Profile Identifiers (SPIDs). Enter your line’s primary SPID in the SPID1 field. If the line has been assigned a secondary SPID, enter it in the SPID2 field.

10. Click Apply.

ISDN connections on the ProCurve Secure Router use demand routing for the Data Link Layer. You must configure demand routing from the CLI.


After you activate the BRI interface, you can view its status. Scroll to the Status for BRI window. The Line Status indicates whether the interface is up or down and whether it is currently active. You can view the B1 State, B2 State, and D-Channel State to determine which channels are currently active. You can also view statistics for inbound and outbound packets and for errors.

Click the Continuous Refresh button to view the statistics in real-time. Click the Stop Refreshing button to freeze the display.

Caution: Clicking the Continuous Refresh button requires the router to send continuous updates. This consumes bandwidth and may create a security issue.

The line status for the BRI interface shown in Figure 14-54 is “Disabled;” the interface has not succeeded in negotiating with the ISDN switch to bring up the line.

Figure 14-54. Viewing the BRI Interface’s Status

You can use the options in the Maintenance window to troubleshoot a BRI interface:

■ Occasionally, a BRI interface may enter a loop if it does not complete the call disconnect process. Select the Reset option and click Apply to reset the port hardware.


■ You can restart the D-channel by selecting the Restart-d option and clicking Apply. For example, you might need to restart the D-channel if a problem occurs during the call process.

E1 + G.703 and T1 + DSX-1 Modules

The E1 + G.703 and the T1 + DSX-1 modules allow you to use some channels of a carrier line for data and some channels for analog voice. When you configure one of these modules, you should first configure the E1 or T1 interface that will be used for data. As part of this configuration, you must assign the channels that will be used for data to the E1 or T1 interface. The remaining channels are then automatically assigned to the G.703 or DSX-1 interface.

When you configure the E1 or T1 interface, you set the clock source for the entire module. If you set the clock source to line, the module will take its timing from the public carrier’s equipment that is attached to the E1 or T1 interface. If you set the clock source to through, the module will take its timing from the PBX that is attached to the G.703 or DSX-1 interface.

For more information about E1 or T1 settings, see “Configuring E1 and T1 Interfaces” on page 14-39.

In the Secure Router OS, the G.703 interface is referred to as an E1 interface. Specifically, it is the interface for port 2 in the slot where the E1 + G.703 module is installed. For example, if the E1 + G.703 module is installed in slot 2, the G.703 interface is E1 2/2.

The DSX-1 interface is referred to as a T1 interface. It is the interface for port 2 in the slot where the T1 + DSX-1 module is installed. For example, if the T1 + DSX-1 module is installed in port 1, the DSX-1 interface is T1 1/2.

However, to avoid confusion between the interfaces used for data and the interfaces used for analog voice, these instructions will use the terms G.703 interface and DSX-1 interface.


When you configure the G.703 or DSX-1 interface, the settings you enter should match those used by your private branch exchange (PBX). To configure the G.703 or DSX-1 interface from the Web browser interface, complete the following steps:

1. From the left navigation bar, click Physical Interfaces. The Physical Interfaces window is displayed.

2. Select the G.703 or DSX-1 interface. The configuration window for that interface is displayed.

Figure 14-55. Configuration Window for G.703 Interface

3. Enter a description in the Description box if you want to document information about the G.703 or DSX-1 interface. This information will be displayed in the running-config under the appropriate interface heading.


4. To activate the interface, select the Enable box.

5. Ignore the clock source because you set the clock source for this module on the E1 or T1 interface.

6. Set the frame format:

• If you are configuring a G.703 interface, use the pull-down menu to select E1 or CRC4. E1 is the default setting.

• If you are configuring a DSX-1 interface, click ESF or D4. ESF is the default setting.

7. Select the TS16 box to enable TS16 signaling if you are configuring a G.703 interface. For more information about this setting, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.

Note: By default, the signaling-mode setting for the DSX-1 interface is set to robbed-bit. If you need to change this setting, you must enter the command from the CLI. You must also adjust the line-length setting from the CLI. For information about these settings, see Chapter 9: Configuring the E1 + G.703 and T1 + DSX-1 Modules.

8. Use the pull-down menu to configure the coding:

• If you are configuring a G.703 interface, use the pull-down menu to select HDB3 or AMI. HDB3 is the default setting.

• If you are configuring a DSX-1 interface, use the pull-down menu to select B8ZS or AMI. B8ZS is the default setting.

9. Ignore the Data DS0s field because you configure channels for the E1 or T1 interface and the remaining channels are assigned to the G.703 or DSX-1 interface.

10. Click Apply to save your configurations.

Status Information

Status information is displayed at the bottom of the configuration for the G.703 or DSX-1 window. This readout is not in real-time. To update the readout to the current statistics, click the Continuous Refresh button. To end continuous refresh, click the Stop Updates button. To reset the statistics, click the Clear Statistics button.


Bridging

You can configure the router to act as a remote bridge so that it can:

■ bridge non-IP protocols

■ bridge two sites using addresses on the same subnet

The ProCurve Secure Router automatically implements Rapid Spanning Tree Protocol (RSTP), or IEEE 802.1w, on all bridged interfaces. Bridges and switches run RSTP to eliminate loops from the network topology.

Configuring Bridging

You configure a bridge by assigning interfaces to it. These interfaces then act like bridge ports. They learn the MAC addresses for frames so that they can properly forward frames received on other bridged interfaces.

To configure bridging, complete the following steps:

1. If you are configuring the router to bridge two remote segments of the same subnet, you must set the default gateway and disable IP routing before configuring the bridge:

a. In the left navigation bar under Router/Bridge, select Default Gateway. Enter the IP address for the router’s default gateway. This address should either be a router interface or a unit that knows how to reach the router; otherwise, you will lock yourself out of the Web browser interface. Click Apply.

b. Under Router/Bridge in the left navigation bar, select Routing. Uncheck the IP Routing box. Click Apply.


Figure 14-56. Disabling Routing

2. In the left navigation bar, select Bridging under Router/Bridge.

3. Enter a number between 1 and 255 in the Bridge Number box in the Add/Modify/Delete Bridge window.

4. Click Add.


Figure 14-57. Configuring a Bridge

5. The Assign Interfaces to a Bridge window displays all Ethernet and logical interfaces on the router. (For Frame Relay and ATM, it displays subinterfaces.) For each interface that should participate in the bridge, select the bridge group from the pull-down menu. (You should assign at least two interfaces to every bridge.)

6. Click Apply.


Figure 14-58. Viewing the Bridge Table

A bridge group on the ProCurve Secure Router listens for frames from connected hosts. It stores each frame’s source MAC address, together with the interface on which the frame arrived, in a bridge table. The bridge will then only send frames through the interface that connects to the host to which the frames are destined, rather than flood the frames through all interfaces.

You can view the bridge table at the bottom of the window. This table includes the MAC addresses of connected hosts with their forwarding interface. For example, in Figure 14-58 the router knows to forward frames destined to 00:01:03:20:C0:F9 through the Ethernet 0/2 interface.

You can manually add a host by entering its MAC address in the corresponding fields of the MAC Forwarding Entries window. Select the forwarding interface from the Interface pull-down menu.

Configuring the Spanning Tree Protocol

Typically, RSTP will run on your WAN without any further configurations. However, you can:

■ view information about the spanning tree

■ configure the router to run the legacy version, STP, rather than RSTP

■ change the router’s bridge priority

■ alter spanning tree timers

■ configure properties for individual interfaces


Viewing a Spanning Tree

RSTP and STP prune connections in a looped topology. All nodes participating in the same bridge group generate a shared, loopless topology. You can view information about this topology, called a spanning tree instance. Follow these steps:

1. In the left navigation bar, select Spanning Tree under Router/Bridge.

2. Scroll down to the Spanning Tree Properties window and select the Spanning Tree Instance that you want to view.

3. A window, such as that displayed in Figure 14-59, will display information which you can view to determine:

• Which network device is root

• Which interfaces are forwarding packets

• Which interfaces have been disabled—For example, in Figure 14-59 the Frame Relay 1.102 subinterface provides a redundant connection to the root, so its role is “Blocking” and it does not forward packets.

• Which interface role each interface is playing—Root ports are on the best path to the root device. Designated ports connect to root ports on neighbors further from the root. Edge ports connect to end devices. For example, in Figure 14-59 the Ethernet 0/2 interface connects the local device to the root and the Ethernet 0/1 interface provides a connection to the root for a connected network.

The Spanning Tree Properties “STP <instance number>” window displays information about the root bridge in the Root ID column and the local device in the Bridge ID column. For example, in Figure 14-59, the root is identified by its MAC address 00:12:79:05:25:D4, and it is connected to the local router through the Ethernet 0/2 interface.

The Spanning Tree Port Information “STP <instance number>” window displays information about the interfaces on the local router, including their role in the spanning tree, whether they are forwarding packets, and the cost for their connection.


Figure 14-59. Viewing a Spanning Tree

Setting Global Spanning Tree Parameters

You set the spanning tree protocol version, router’s bridge priority, and spanning tree timers in the Spanning Tree window.

1. Select Spanning Tree under Router/Bridge in the left navigation bar.

2. RSTP is fully backwards compatible with STP. When an RSTP interface detects an STP message, it automatically implements STP. You should generally run RSTP, which reduces convergence time from about a minute to less than a second.

However, if for whatever reason you decide to use STP, select Legacy STP (802.1d) from the Spanning Tree Mode pull-down menu.


Figure 14-60. Configuring Spanning Tree Properties

3. Bridges elect the device with the lowest bridge ID (priority plus MAC address) as root. You can manipulate which device becomes root by changing devices’ priorities. Enter a number between 0 and 65535 in the Bridge Priority field. For example, enter 0 to ensure that the local router becomes root. In Figure 14-60, the priority has been set to 0 to ensure that it becomes root. (The default priority is 32768.)

Caution: Only alter timers if you have a great deal of experience working with spanning tree protocols. Otherwise, you could slow convergence or cause interfaces to toggle between forwarding and blocked states.

4. Enter times for the forward delay, hello, and maximum age timers in the corresponding fields. Click Apply.

The Restore Factory Defaults button returns the timers and STP version to their defaults. The Reset button returns to the settings that were established the last time you clicked Apply.

Table 14-1. Spanning Tree Timers

| Timer | Function | Default | Range |
|---|---|---|---|
| hello time | Each forwarding interface periodically transmits BPDU hellos. If neighbors miss three hellos from an interface, they assume the connection is down and send out TC BPDU to this effect. Take care when altering this timer as incompatible settings can cause devices to believe a connection is down when it is not. | 2 seconds | 0 to 1,000,000 |
| max age | The device discards information from a BPDU when its maximum age timer expires. With STP, the timer determines how long a device will wait to receive information on a connection from the root before assuming the connection is down. | 20 seconds | 6 to 40 |
| forward delay | The device waits this interval before forwarding BPDU. With STP, this setting determines how long the device stays first in the listening and then in the learning stage. | 15 seconds | 4 to 30 |

Configuring Spanning Tree Settings for Individual Interfaces

You can manually configure settings such as cost for the connection for each bridged interface.

1. Select Spanning Tree from the left navigation bar.

2. Scroll to the Spanning Tree Properties window and select the Spanning Tree Instance.

3. Select the interface that you want to configure from the Spanning Tree Port Information window that displays.

4. The Spanning Tree Port Information window will display. (See Figure You can then alter certain settings:

a. You can alter the port priority for the connection. A lower priority increases the connection’s chance of being selected. (Priority only comes into account when two connections have the same cost.) Select the priority from the ID pull-down menu.

b. RSTP allows point-to-point interfaces to assert sync to rapidly transition to the forwarding state. Interfaces automatically determine whether they are on point-to-point or shared connections by their duplex setting.

If necessary, you can override this setting and manually set the connection type. Select Forced Point-to-Point or Forced Shared from the Link Type Configuration pull-down menu.

If you leave this setting at the default Automatically determined, then the Link Type displays the setting used on the interface.

Figure 14-61. Spanning Tree Options on an Interface

c. Edge ports connect directly to end devices. RSTP allows such interfaces to immediately begin forwarding packets so that applications on the user device do not time out.

To configure an interface to be an edge port, select Enabled from the Edge Port Configuration. You can then check the BPDU Guard box to prevent the end device from joining the spanning tree.

d. The Secure Router OS automatically calculates a cost for each connection based on its bandwidth. You can alter this cost by selecting Specify from the Cost pull-down menu. Then enter a cost between 1 and 200,000,000 in the field that appears.
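The root election and the BPDU Guard setting described above can be modeled to check a bridge design before you apply it. The following is an added example, not code from the guide or from the Secure Router OS; the class names, the device names, the port label, and the treatment of BPDU Guard as simply excluding the attached device from the election are assumptions made for illustration.

```python
"""Root election and edge-port audit: an illustrative model, not Secure Router OS code."""
from dataclasses import dataclass, replace
from typing import Optional

DEFAULT_PRIORITY = 32768   # default bridge priority stated in the guide


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                          # colon-separated hex
    priority: int = DEFAULT_PRIORITY

    @property
    def bridge_id(self):
        """Bridge ID as a sortable tuple: priority first, MAC address as tie-breaker."""
        if not 0 <= self.priority <= 65535:   # Bridge Priority range from the guide
            raise ValueError(f"{self.name}: priority {self.priority} out of range")
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class EdgePort:
    name: str
    bpdu_guard: bool
    attached: Optional[Bridge] = None   # device on this port that sends BPDUs, if any


def elect_root(bridges):
    """The device with the lowest bridge ID becomes root."""
    return min(bridges, key=lambda b: b.bridge_id)


def participants(bridges, edge_ports):
    """Configured bridges plus any BPDU-sending device on an edge port without
    BPDU Guard (assumption: BPDU Guard keeps that device out of the election)."""
    joined = [p.attached for p in edge_ports
              if p.attached is not None and not p.bpdu_guard]
    return list(bridges) + joined


def audit(intended_root, bridges, edge_ports):
    """Return findings that could let a device other than intended_root become root."""
    findings = []
    for b in bridges:
        if b != intended_root and b.priority <= intended_root.priority:
            findings.append(
                f"{b.name} priority {b.priority} is not higher than "
                f"{intended_root.name} priority {intended_root.priority}; MAC may decide")
    for p in edge_ports:
        if not p.bpdu_guard:
            findings.append(f"{p.name}: edge port without BPDU Guard")
    winner = elect_root(participants(bridges, edge_ports))
    if winner != intended_root:
        findings.append(f"elected root is {winner.name}, not {intended_root.name}")
    return findings


# Constructed sample topology. Every device is left at the default priority,
# so the lowest MAC address decides the election.
CORE = Bridge("core", "00:12:79:05:25:D4")
BRANCH = Bridge("branch", "00:01:03:20:C0:F9")
DESK_SWITCH = Bridge("desk-switch", "00:00:5E:00:53:01")   # unplanned device
OPEN_PORT = EdgePort("Ethernet 0/1", bpdu_guard=False, attached=DESK_SWITCH)
GUARDED_PORT = replace(OPEN_PORT, bpdu_guard=True)
CORE_ROOT = replace(CORE, priority=0)   # priority 0, as in Figure 14-60

if __name__ == "__main__":
    print("defaults only    :", elect_root([CORE, BRANCH]).name)
    print("open edge port   :", elect_root(participants([CORE, BRANCH], [OPEN_PORT])).name)
    for finding in audit(CORE, [CORE, BRANCH], [OPEN_PORT]):
        print("  finding:", finding)
    print("after hardening  :", audit(CORE_ROOT, [CORE_ROOT, BRANCH], [GUARDED_PORT]))
```

With every device at the default priority the election is decided by MAC address alone, which is why the audit reports both the priority tie and the unguarded edge port.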


Routing

The ProCurve Secure Router stores routes in a route table, which it uses to route traffic from one network to another. Each route includes:

■ destination IP address and subnet mask

■ administrative distance—the reliability of the route

■ metric—the cost of reaching the destination

■ next hop address or forwarding interface

■ type—how the router learned the route

The router automatically adds directly connected networks to its route table. It must learn routes to all other networks to which it will forward traffic. A router can learn:

■ static routes, which you add manually

■ dynamic routes, which it discovers using a routing protocol

This section explains how to configure static routing.

Configuring a Static Route

Static routing can be a good solution for your network when your network has:

■ a simple topology and a single router at each site

■ a single destination for traffic—for example, to an ISP

■ only one path for IP traffic

Follow these steps to add a static route:

1. In the left navigation bar, select Route Table under Router/Bridge.

2. The Add a Static Route to the Route Table window will display. Enter the destination network’s IP address and subnet mask in the Destination Address and Destination Mask fields.

3. Specify how the router will forward packets that arrive for this destination in the Gateway field:

a. You can configure a next hop address, which is the address of a router that is one hop closer to the destination than the local router. Select Address and enter this address.


b. You can alternatively specify the local interface through which the router will forward traffic destined to the destination network. Select Interface and choose the forwarding interface from the pull-down menu.

This option has several advantages, particularly when you are connecting to an ISP router:
– You do not need to know the IP address of the connecting router.
– The route will remain valid even if the connecting router changes its IP address.

Figure 14-62. Adding a Static Route

4. If so desired, you can configure an administrative distance for the route. Enter the distance in the Administrative Distance field.

A router can learn routes in many different ways. A route’s administrative distance informs the router how reliable the route is. When the router knows more than one route to a destination, it chooses the route with the lowest administrative distance. By default, static routes have an administrative distance of 1. When you configure more than one static route to the same destination (for example, one through a primary connection and one through a backup connection), you should assign the route with lower priority a higher administrative distance. The router will only add the second route if the first route becomes unavailable.

5. Click Add.

6. The Route Table window displays all routes that the router is currently using to forward traffic, including any static routes. You can delete a static route by clicking the Delete button to its right.

Configuring a Default Route

A default route is a special static route. It is a route to network 0.0.0.0 0.0.0.0. The all-zero subnet mask ensures that all traffic matches this route. When a packet arrives en route to a destination to which the router does not know a more specific route, it uses the default route rather than dropping the packet.

For example, your network connects to the Internet through PPP interface 1 only. Rather than learning routes to all external networks from the ISP router, the router can simply forward all external traffic (that is, traffic for which it does not know another route) through the PPP interface.

Configure a default route as you would any other static route:

1. In the left navigation bar, select Route Table under Router/Bridge.

2. Enter 0.0.0.0 in the Destination Address field and 0.0.0.0 in the Destination Mask field.

3. It is often a good idea to use a forwarding interface as the gateway rather than a next hop address. In this way, the route remains valid even if the peer router’s IP address changes. Select Interface and choose the forwarding interface from the pull-down menu.


Figure 14-63. Configuring a Default Route
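The administrative distance rule for static routes and the role of the default route, both described above, can be seen together in a small route-selection model. This is an added example, not code from the guide or the Secure Router OS; the function names, the interface labels "ppp 1" and "ppp 2", the backup distance of 10, and the addresses are constructed for illustration.

```python
"""Static route selection: an illustrative model, not Secure Router OS code."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str          # next hop address or forwarding interface
    distance: int = 1     # static routes default to administrative distance 1
    up: bool = True       # whether the gateway is currently usable


def static(dest, mask, gateway, distance=1):
    """Build a route from the Destination Address / Destination Mask pair."""
    return Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, distance)


def active_table(candidates):
    """Per destination, install only the usable route with the lowest
    administrative distance; a backup route appears only when the
    preferred route is unavailable."""
    best = {}
    for route in candidates:
        if not route.up:
            continue
        current = best.get(route.prefix)
        if current is None or route.distance < current.distance:
            best[route.prefix] = route
    return best


def lookup(candidates, destination):
    """Return the most specific installed route that matches, or None (drop)."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for net, r in active_table(candidates).items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def with_link_down(candidates, gateway):
    """Copy of the candidate list with every route through `gateway` unusable."""
    return [replace(r, up=False) if r.gateway == gateway else r
            for r in candidates]


# Constructed sample configuration.
ROUTES = [
    static("10.2.0.0", "255.255.0.0", "ppp 1"),               # primary, distance 1
    static("10.2.0.0", "255.255.0.0", "ppp 2", distance=10),  # backup
    static("0.0.0.0", "0.0.0.0", "ppp 1"),                    # default route
]

if __name__ == "__main__":
    print(lookup(ROUTES, "10.2.3.4"))        # primary route through ppp 1
    print(lookup(ROUTES, "198.51.100.7"))    # falls through to the default route
    failed = with_link_down(ROUTES, "ppp 1")
    print(lookup(failed, "10.2.3.4"))        # backup route through ppp 2
    print(lookup(failed, "198.51.100.7"))    # None: the default route went down too
```

The last lookup shows a design point worth checking: a backup route for one destination does not protect traffic that depends on a default route through the failed interface.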

DNS Services

The ProCurve Secure Router automatically acts as a DNS client. You must, however, specify the address for its DNS server or servers. You can also:

■ add entries to the router’s host table for any local hosts whose addresses the router should be able to resolve on its own

■ enable DNS proxy so that the router can act as a name server for clients

■ configure dynamic DNS so that an interface with a dynamic address will automatically update its dynamic DNS service provider when its address changes

Configuring DNS Support

To configure DNS support in the Web browser interface, you should follow this process:

1. In the left navigation bar, select Hostname/DNS under System.

2. If you have not already done so, you can change the router’s hostname. Enter a name that is significant for your network in the Host Name field.


3. Enter your network’s domain name in the Domain field.

4. The Enable DNS Lookup box should be checked. If it is not, select it. This allows the router to act as a DNS client, look up its own requests in the local host table, and send its own DNS requests to an external server.

Figure 14-64. Configuring DNS Settings

5. Enter the IP address for the DNS server to which the router should send queries in the Primary DNS IP Address field. You can enter the address for an optional additional server in the Secondary DNS IP Address field.

6. If you want to enable the router to act as a name server for clients and to forward their queries to an external DNS server, click the Enable DNS Proxy box.


Figure 14-65. Configuring the Local Host Table

7. Configure the router’s local host table:

a. In the Add/Modify/Delete DNS Host Entries window, enter a hostname and the corresponding IP address. The host should be in the router’s default domain, so you do not need to include the domain name. Click Add.

b. The host table automatically includes all of the router’s DHCP clients. (For example, in Figure 14-65, the entry labeled “Dynamic” is a DHCP client.) You can edit or remove the entries for these clients, as well as any entries that you have entered manually. Click the hostname. The interface automatically populates the correct fields with the host’s information. Edit the entry and click Modify.

c. To remove an entry entirely, click the Delete button to its right.

8. Click Apply.

Configuring Dynamic DNS

Networks change, and so may an interface’s IP address. When you connect your router to an ISP, the ISP may require it to receive a dynamic address. The ISP can change this address at any time.


Your customers may need to access devices on your network, such as Web servers, whose addresses are linked to the dynamic public address. However, if this address changes, the hostname stored in DNS servers throughout the Internet will no longer match the device’s actual IP address.

To allow your customers to always use the same hostname to access a device with a dynamic address, you should receive a static hostname from a dynamic DNS service provider. The ProCurve Secure Router supports dynamic DNS with Dynamic Networking Services, Inc., also called DynDNS.

1. Before activating dynamic DNS on an interface, you should go to www.dyndns.org and open an account.

a. When you open an account, you will select a username and password.

b. You will also select a service type. DynDNS currently provides Dynamic and Static DNS services free of charge. If you select Dynamic or Static DNS, you must place the router in one of the 68 domains provided by DynDNS.

Dynamic and Static DNS grant much the same services; however, Static DNS is designed for an interface with an address that does not change or rarely changes.

If you purchase Custom DNS services, you can use your own domain name (either pre-existing or purchased from DynDNS). For more information on the various services, see Chapter 12: Domain Name System (DNS) Services or the DynDNS Web site at www.dyndns.org.

c. When you open the account, you will also specify the domain name the router interface will use.

Figure 14-66. Configuring Dynamic DNS in the Configuration Window for an IP Interface

2. Return to the Web browser interface.

3. Click IP Interfaces under Router/Bridge in the left navigation bar. (If you have not yet configured the logical interface for the connection to the Internet, you must do so. See “Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces” on page 14-46 or “Configuring Ethernet Interfaces” on page 14-31. The interface must also have an IP address, whether a dynamic address assigned by a connecting device or a static address.)

4. The configuration window for the interface will display.

5. By default, Dynamic DNS is disabled. To enable the interface to report to DynDNS when its IP address changes, click the arrow in the Dynamic DNS box. From the pull-down menu that displays, choose the service for which you have registered:

a. Choose DynDNS.org if you have selected Dynamic DNS services.

b. Choose DynDNS.org Static if you have selected Static DNS services.

c. Choose DynDNS.org Custom if you have selected Custom DNS services.

6. Enter the hostname for the device in the Dynamic DNS Hostname box.

7. Enter the username and password you created for your DynDNS account in the Dynamic DNS Username and Dynamic DNS Password boxes.

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) allows hosts, acting as DHCP clients, to receive temporary configurations (such as an IP address, default gateway, and various server addresses) from a DHCP server. DHCP eases configuration and ensures that every device receives a unique address on the proper network. DHCP also conserves IP addresses by assigning them temporarily to active hosts only.

The ProCurve Secure Router can act as a DHCP server. Ethernet interfaces, bridged PPP interfaces, and Frame Relay and ATM subinterfaces can also act as DHCP clients.

Configuring a DHCP Server

You can configure the DHCP server to distribute configurations to an entire connected subnet. You can also configure it to assign a fixed address to a single host.

You create DHCP pools with the configurations that the router will issue to clients. Each pool must include:

■ a network address and subnet mask

■ a default gateway

■ a DNS server

■ a lease time

The pool can also include:

■ a secondary DNS server

■ primary and secondary NetBIOS Windows Internet Naming Service (WINS) servers

■ a TFTP server

■ an NTP server

Configuring a DHCP Pool for a Subnet

Complete these steps:

1. Under System in the left navigation bar, select DHCP Server.

2. You should exclude all IP addresses permanently assigned to devices (such as routers, switches, and servers). Scroll to the second window in the window, (Optional) Add/Delete DHCP Excluded Ranges.

Figure 14-67. Excluding Static Addresses from DHCP Pools

3. Enter the first IP address in the range of excluded addresses in the Start IP Address field. Enter the last address in the range in the End IP Address field. If you want to exclude only one address, enter it in the Start IP Address field and leave the End IP Address field blank. Click Add.

4. You can repeat step 3 to configure multiple ranges of excluded addresses.

5. Move to the Add/Modify/Delete DHCP Server Pool window at the top of the window and create the pool:

a. Under Add New DHCP server pool, enter a name in the Pool Name box that is significant for the subnet or group of users. Click Add.

b. You can also modify an existing pool. The interface displays existing pools under Modify/Delete DHCP server pool. For each pool it lists the name and network address. To edit the pool, click the name.

6. You will move to the DHCP Pool “<poolname>” window.

Figure 14-68. Required Configurations for a DHCP Pool

7. Click the Required Configuration tab:

a. Under IP Addresses, select Assign IP addresses to all DHCP clients on a subnet and complete the Subnet Address and Subnet Mask fields.

b. Under DHCP Options, enter the address for the Default Gateway. This address must be on the subnet specified for the Subnet Address and is typically the router interface that connects to the clients. If you are configuring a DHCP pool (or scope) for a VLAN, the default gateway address should be the IP address on the Ethernet subinterface associated with that VLAN.

c. Enter the IP address for the DNS server that the client should use in the Primary DNS field under DHCP Options.

d. The default lease is 1 day. You can alter this time according to your organization’s policies. Enter the lease time in days, hours, and minutes in the Lease Time field.

8. Click Apply.

Figure 14-69. Optional Configurations for a DHCP Pool

9. Click the Optional Configuration tab to specify optional configurations that the router should send to clients, including:

• domain name

• addresses for:
  – secondary DNS server
  – primary WINS server (WINS servers translate NetBIOS names to DHCP IP addresses)
  – secondary WINS server
  – TFTP server
  – NTP server

• timezone offset—used if the NTP server and client are in different timezones

10. Click Apply.

Assigning a Single Host a Fixed Address

Sometimes you may want to assign a host a fixed address through a DHCP server. For example, a device that is required to receive its address from a server may also need the stability of a static address to ensure that traffic is forwarded normally.

Figure 14-70. Assigning a Fixed Address to a Single Host

Follow the process outlined in “Configuring a DHCP Pool for a Subnet” on page 14-95. However, in step 7a, select Reserve a fixed address for a single host. Then enter the host’s MAC address and the IP address you wish to assign it. Also enter the subnet mask for the network for the IP address.
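
The constraints in the pool procedure and the fixed-address option above (gateway on the pool's subnet, permanently assigned devices excluded, a blank End IP Address meaning a single address) can be checked on a pool plan before it is typed into the web interface. The Python below is an added example, not part of the ProCurve guide or the router software; the PoolPlan fields, function names, colon-separated MAC format and sample addresses are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Assumption: MAC addresses are written as six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class PoolPlan:
    """One planned DHCP pool. Attribute names are this example's own."""
    subnet: str                    # Subnet Address field
    mask: str                      # Subnet Mask field
    gateway: str                   # Default Gateway field
    primary_dns: str               # Primary DNS field
    lease_minutes: int = 24 * 60   # the guide's default lease is 1 day
    excluded: list = field(default_factory=list)       # (start, end or None)
    static_hosts: dict = field(default_factory=dict)   # label -> permanent IP
    reservations: dict = field(default_factory=dict)   # MAC -> fixed IP


def merged_exclusions(plan):
    """Excluded ranges as sorted, merged (first, last) integer pairs.
    A blank end address means a single excluded address; inverted ranges
    are dropped here and reported by validate()."""
    spans = sorted((int(IPv4Address(s)), int(IPv4Address(e or s)))
                   for s, e in plan.excluded)
    merged = []
    for lo, hi in spans:
        if lo > hi:
            continue
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def validate(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    try:
        net = IPv4Network(f"{plan.subnet}/{plan.mask}")  # rejects host bits
    except ValueError as exc:
        return [f"subnet/mask invalid: {exc}"]
    if net.prefixlen > 30:
        return [f"{net} has no room for a DHCP pool"]
    lo, hi = int(net.network_address) + 1, int(net.broadcast_address) - 1

    def usable(ip):
        return lo <= int(IPv4Address(ip)) <= hi

    findings = []
    if not usable(plan.gateway):
        findings.append(
            f"default gateway {plan.gateway} is not a host address on {net}")
    if plan.lease_minutes <= 0:
        findings.append("lease time must be positive")
    for start, end in plan.excluded:
        if end and IPv4Address(end) < IPv4Address(start):
            findings.append(f"excluded range {start}-{end} ends before it starts")
    merged = merged_exclusions(plan)
    # Devices with permanent addresses that sit inside the pool's subnet.
    permanent = {"default gateway": plan.gateway,
                 "primary DNS": plan.primary_dns, **plan.static_hosts}
    for label, ip in permanent.items():
        covered = any(a <= int(IPv4Address(ip)) <= b for a, b in merged)
        if usable(ip) and not covered:
            findings.append(f"{label} {ip} is permanently assigned but not excluded")
    seen = {}
    for mac, ip in plan.reservations.items():
        if not MAC_RE.match(mac):
            findings.append(f"reservation MAC {mac!r} is malformed")
        if not usable(ip):
            findings.append(f"reserved address {ip} is not a host address on {net}")
        if ip in seen:
            findings.append(f"{ip} reserved for both {seen[ip]} and {mac}")
        seen.setdefault(ip, mac)
        if ip in permanent.values():
            findings.append(f"reserved address {ip} collides with a permanent device")
    return findings


def leasable_count(plan):
    """Addresses left for dynamic leases: usable hosts minus excluded ones."""
    net = IPv4Network(f"{plan.subnet}/{plan.mask}")
    lo, hi = int(net.network_address) + 1, int(net.broadcast_address) - 1
    taken = sum(max(0, min(b, hi) - max(a, lo) + 1)
                for a, b in merged_exclusions(plan))
    return (hi - lo + 1) - taken


# Constructed sample plan (private addresses chosen for illustration only).
SAMPLE = PoolPlan(
    subnet="192.168.10.0", mask="255.255.255.0",
    gateway="192.168.10.1", primary_dns="192.168.10.5",
    excluded=[("192.168.10.1", "192.168.10.9"), ("192.168.10.250", None)],
    static_hosts={"switch": "192.168.10.2", "file server": "192.168.10.20"},
    reservations={"00:11:22:33:44:55": "192.168.10.60"},
)

if __name__ == "__main__":
    for finding in validate(SAMPLE):
        print("FINDING:", finding)
    print("leasable addresses:", leasable_count(SAMPLE))
```

In the sample plan the file server sits outside every excluded range, so the server could lease its address to a client; widening the first range or adding a single-address exclusion clears the finding.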

Configuring an Interface as a DHCP Client

Some service providers, particularly ISPs, require you to take configurations from them. These configurations can include:

■ a temporary IP address

■ a default route

■ a DNS server address

■ a domain name

You can configure the following router interfaces to receive a dynamic address from a service provider or other DHCP server:

■ Ethernet interfaces

■ Frame Relay subinterfaces

■ ATM subinterfaces

■ bridged PPP interfaces

You can prevent the router from receiving a default route, DNS server address, or domain name from the external DHCP server, but you must do so from the CLI. See Chapter 13: Dynamic Host Configuration Protocol (DHCP).

These instructions assume that you have already created the logical interface by selecting the encapsulation method for the physical interface. If you have not done so, see “Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces” on page 14-46. Stop before you assign the logical interface an IP address and return to this section.

Figure 14-71. Enabling the DHCP Client on an Interface

To configure the interface to receive a dynamic address, follow these steps:

1. In the left navigation bar, select IP Interfaces under Router/Bridge.

2. In the IP Interfaces window that appears, select the interface that you want to take the dynamic address. The Configuration window for that interface displays.

3. Scroll to the IP Settings section. Select DHCP from the Address Type pull-down menu.

4. Click Apply.

Configuring UDP Relay

You can configure the ProCurve Secure Router to forward packets destined to certain UDP ports to a helper address. For example, your LAN may include a DHCP server in only one of its VLANs. If your router will be routing between the VLANs, it might receive DHCP discover requests from some clients. You could configure the router to forward these requests to your network’s DHCP server.

Follow these steps to configure UDP relay:

1. Select UDP Relay from the lefthand navigation bar.

2. Move to the IP Helper Address window.

3. Enter the IP address of the server to which the router should forward packets in the IP Helper Address fields.

4. From the Interface pull-down menu, select the interface on which the router will receive the packets that need to be forwarded.

5. Click Add.

6. If necessary, configure the helper address for a different interface. Repeat steps 3 through 5.

Figure 14-72. Configuring the Helper Address for UDP Relay

7. Move to the UDP Forward Protocol window.

8. Select the protocol for the packets that you want the router to forward from the UDP Protocol pull-down menu. For example, you could select bootps (67) to configure the router to forward DHCP requests.

9. Click Add.

10. You can specify multiple protocols by repeating steps 8 and 9.

Figure 14-73. Configuring the Helper Address for UDP Relay

Appendix A: Configuring the Router to Boot from Compact Flash

Updating the Boot Process

If your router was shipped before July 2005, your router can be updated to boot, by default, from compact flash. Follow these steps:

1. Update the router Boot ROM to version J02_02A.biz or later.

2. Load and boot from the updated Boot ROM file (J02_02A.biz or later).

3. Make any necessary changes to the router’s configuration and save the running-config file.

ProCurve>
ProCurve> enable
ProCurve# write memory

You now have a current startup-config in flash.

4. Rename the current software file to SROS.BIZ. The file name must be in all capital letters.

Syntax: copy flash J0X_0X.biz flash SROS.BIZ

ProCurve# copy flash J03_01.biz flash SROS.BIZ

5. Copy the SROS.BIZ file and the startup-config file to compact flash. If you are not currently using a compact flash card, go to step 6.

Syntax: copy flash startup-config cflash startup-config
Syntax: copy flash J0X_0X.biz cflash SROS.BIZ

6. Change the primary boot path to boot from compact flash first, and from flash as a backup.

ProCurve# configure terminal
ProCurve(config)# boot system cflash SROS.BIZ flash SROS.BIZ
ProCurve(config)# boot config cflash startup-config flash startup-config

Appendix B: Glossary

Numeric

2B+D 2 Bearer + 1 Data. A method for describing channel designations in ISDN lines. Bearer channels transmit data and voice. Data channels are reserved for signaling information and call control. See also ISDN.

2B1Q 2 Bits 1 Quaternary. A compressed encoding scheme used by BRI ISDN that provides for two bits to be encoded into one quaternary signal. 2B1Q can transmit up to 5.49 km with few signal losses. As a result, 2B1Q requires fewer repeaters on the local loop than E1- and T1-carrier lines require. 2B1Q operates in full-duplex mode.

3DES Triple DES. A well-known public encryption standard that encrypts information multiple times (encrypts, decrypts, and encrypts again). Each phase uses a 56-bit key, making the total key length 168 bits. This 168-bit key provides 2^168 or approximately 3.741e+50 possible combinations. IPSec, the industry standard for VPNs, supports 3DES. See also IPSec and VPN.

10Base-T A standard line-hardware type that uses a twisted-pair cable with maximum lengths of 100 meters. Cables in the 10Base-T system connect with RJ-45 connectors and operate up to 10 Mbps using baseband transmission methods.

100Base-T A standard line-hardware type that operates at 100 Mbps and uses baseband transmission methods based on the older Ethernet standard.

A

AAA Authentication, Authorization, and Accounting. AAA is used to control network access and enforce security policies. Authentication refers to the process of confirming each user’s identity and is accomplished through the use of passwords, keys, and often a Remote Authentication Dial-in User Service (RADIUS) or TACACS+ server. Authorization ensures that the authenticated user can access only the network resources to which that user has rights. Accounting refers to the process of collecting information about how resources are used. The collected information can then be used for trend analysis, billing, or auditing. For more information about AAA, see Request for Comments (RFC) 2989 (at http://www.ietf.org/rfc/rfc2989.txt).

AAL Asynchronous Transfer Mode (ATM) Adaptation Layer. The AAL is the interface between the higher layer protocols and the ATM layer. When relaying information it receives from the higher layer protocols, the AAL segments the data into ATM cells. When relaying information it receives from the ATM layer, the AAL reassembles the payload into a format the higher layers can understand. This process is called Segmentation and Reassembly (SAR). Different classes of AAL have been defined to support different types of traffic or services: AAL1, AAL2, AAL3/4, and AAL5. See also AAL5.

AAL5 ATM Adaptation Layer 5. AAL5 supports services with varying bit rate demands. It offers low bandwidth overhead and simpler processing requirements in exchange for reduced bandwidth capacity and error-recovery capability. AAL5 is used for IP and WAN applications. See also AAL.

ABM Asynchronous Balance Mode. ABM designates a type of HDLC connection, where devices at both ends of a connection are configured to be both primary and secondary devices. Both devices can establish a link, transmit data without permission, and terminate the link. See also NRM, ARM.

ABR Area Border Router. In a network running the open shortest path first (OSPF) routing protocol, an ABR is a router in the network backbone that has interfaces in more than one area. ABRs are responsible for generating a summary advertisement of the range of networks in a connected stub area, as well as for distributing summary advertisements for other areas to routers in the stub area so that these routers can forward inter-area traffic. ABRs receive traffic from routers in stub areas and route the traffic through the network backbone to the destination area.

ACK Acknowledge, one of the Transport Control Protocol (TCP) flags, used by one peer to acknowledge that it has received a TCP packet from another peer. ACKs help to maintain TCP’s reliability in initiating, managing, and terminating sessions. For example, setting TCP packets’ ACK flag is part of the three-way handshake used to establish a session between a server and a client. Because TCP requires a peer to receive an acknowledge before continuing the process, peers can be sure that they have successfully exchanged necessary information with a legitimate peer.

ACL Access Control List. An ACL selects packets according to values in their IP headers, including protocol, source and destination IP address, and source and destination port. Routers compare packets that arrive on an interface against ACLs to determine whether the packets need special handling. For example, an ACL applied to a quality of service (QoS) map can select traffic for a low-latency queue. An ACL can also be used to select traffic for policy-based routing (PBR), for network address translation (NAT), or for a virtual private network (VPN) connection.

ACP Access Control Policy. An ACP filters the traffic that arrives on an interface, either dropping the traffic selected by an ACL or allowing that traffic to pass.

Address and Control Field Compression An LCP option that allows peers to compress the address and control fields in PPP frames and thus minimize overhead. These fields have static values and are easily compressed.

ADPCM Adaptive Differential Pulse Code Modulation. A technique for converting sound or analog information to binary information by taking frequent samples of the sound and expressing the value in binary terms. Used to convert analog so that it can be sent over DS0, E0, and J0 channels.

ADSL Asymmetric Digital Subscriber Line. A form of DSL that runs on a single pair of wires. Like DSL, ADSL supports the two-way transmission of data over voice lines. However, ADSL is asymmetrical: more bandwidth is reserved for downstream traffic, so data transfer speeds are quicker than upstream data transfer speeds.

ADSL2 ADSL with improved modulation, signal processing and initialization. ADSL2 has faster downstream rates, supports longer distances over the local loop, and uses less power than ADSL. ADSL2 can run on existing ADSL equipment.

ADSL2+ ADSL2 with double the downstream speed and the ability to increase the upstream speed. ADSL2+ doesn’t suffer from the crosstalk problem of ADSL2. ProCurve supports ADSL2+, which provides up to 25 Mbps downstream and 1.5 Mbps upstream data rates. ADSL2+ also reserves channels for analog voice on the local loop (Annex A) or for digital voice over ISDN (Annex B).

AES Advanced Encryption Standard. One of the encryption algorithms used by IPSec to transform data sent over a VPN tunnel. AES is a symmetric algorithm, which means that the encryption key is the same as the decryption key, and it works on multiple OSI Layers simultaneously. A block cipher, AES supports 128-, 192-, and 256-bit keys.

AF Assured Forwarding. In a Frame Relay network, AF is a DiffServ PHB group that allows delivery of packets in up to four independently forwarded traffic classes. These classes are denoted as AF1, AF2, AF3, and AF4. For more information on Assured Forwarding, see RFC 2597 (at http://www.ietf.org/rfc/rfc2597.txt).

Aggressive Mode A mode of Internet Key Exchange (IKE) that compresses the six exchanges typically necessary for negotiating an IKE Security Association (SA) into only three exchanges. Because peers must send their authentication data before exchanges are encrypted, aggressive mode is less secure, though quicker and less processor-intensive, than main mode. See also IKE.

AH Authentication Header. One of the IPSec protocols that can encapsulate packets sent over a VPN tunnel. AH uses authentication algorithms to ensure the integrity of the packet contents. AH authenticates the entire IPSec packet, including the delivery IP header. See also IPSec.

ALG Application Level Gateway. A protocol that acts as a proxy server between a trusted client behind a firewall and an untrusted client. ALGs analyze and filter packets at the OSI Application Layer and provide applications the special services that they need to function through a firewall. Each application must have its own ALG.

AMI Alternate Mark Inversion. A line-coding scheme used with T1 and E1 connections. Logical zeros are transmitted as zero voltage, and logical ones are transmitted as pulses with alternating polarity.

Analog A continuously varying electrical sinusoidal signal. This signal type is used for voice or data transmission.

ANI Automatic Number Identification. A service that provides the receiver of a telephone call with the number of the calling phone. Also known as Caller ID.

ANSI American National Standards Institute. An organization that fosters the development of technology standards in the United States. For more information on ANSI, visit the ANSI Web site at http://www.ansi.org/.

AO/DI Always On/Dynamic ISDN. A form of ISDN connection that allows the BRI D channel to be used for a low-speed data connection. Because the D channel is always active, this connection is considered always on.

Application Layer Layer 7 of the OSI model. This layer supports application services for file transfers, e-mail, and other network software services. Telnet and FTP are applications that work at the Application Layer.

ARCFour A symmetric encryption algorithm supported by IP Security (IPSec), the industry standard for virtual private networks (VPNs). ARCFour is a stream cipher that supports keys ranging from 8 to 2048 bits in length.

ARM Asynchronous Response Mode. ARM designates a type of High-Level Data-Link Control (HDLC) connection between a primary and secondary device, during which the secondary device can initiate a transmission, but the primary device controls the establishment and termination of the link. See also HDLC.

ARP Address Resolution Protocol. A Network Layer Ethernet protocol used to convert a network IP address into a physical address. A host that wants to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has this IP address replies with its physical hardware address. Most often used in Ethernet networks using IPv4. For more information about ARP, see RFC 826 (at http://www.ietf.org/rfc/rfc0826.txt).

ARPANET Advanced Research Projects Agency NETwork. The world’s first operational packet-switching network composed of mostly educational entities. ARPANET was a precursor to the Internet.

AS Autonomous system. A network, or group of networks, controlled by a single organization.

ASP Application Service Provider. A company that offers software applications to individuals or enterprises from centralized data centers over the Internet.

Asynchronous A method of data transmission that allows devices to send data at non-predetermined intervals by preceding and ending each packet with a start bit and stop bit.

AT Command Set Hayes Attention Commands. AT commands are modem commands, prefaced by the characters “AT” in the command line code, which control the modem’s dialing, timers, error handling, and tests.

ATCP AppleTalk Control Protocol. A network control protocol (NCP) in the Point-to-Point Protocol (PPP) suite, ATCP is used to exchange AppleTalk packets over a WAN link. See also NCP.

ATM Asynchronous Transfer Mode. A cell relay network protocol that encodes data traffic into small, fixed-sized cells instead of variable sized packets. These cells are 53 bytes—48 bytes of data and 5 bytes of header information. ATM enables the high-speed transfer of voice, video, images, graphics, and data through public and private networks. For more information about ATM, see RFC 2225 (at http://www.mfaforum.org/tech/atm_specs.shtml).

Authentication The process of confirming a device’s or a user’s identity before granting a network connection. Authentication can be implemented through the use of passwords or keys. A RADIUS or TACACS+ server can handle authentication for the entire network.

Authentication Protocols Protocols that allow the peers in a connection to verify each other’s identity. In the PPP protocol suite, authentication protocols include PAP, CHAP, and EAP. See also CHAP, EAP, PAP, and PPP.

B

BACP Bandwidth Allocation Control Protocol. An NCP in the PPP protocol suite that manages the BAP config option. BACP frames determine which peer will be favored in the event of a simultaneous submission. Because it is an NCP used in establishing a PPP connection, BACP frames must be exchanged before any BAP (LCP) frames are exchanged. For more information about BACP, see RFC 2125 (at http://www.ietf.org/rfc/rfc2125.txt). See also BAP, LCP, and NCP.

Bandwidth The amount of data that can flow through a set of transmission lines at a given time. Bandwidth is usually measured in the number of bits per second.

BAP Bandwidth Allocation Protocol. A link-management protocol that can be used with MLPPP. BAP configures, maintains, and terminates individual links in a multilink environment. For more information about BAP, see RFC 2125 (at http://www.ietf.org/rfc/rfc2125.txt). See also MLPPP.

BECN Backward Explicit Congestion Notification. A device in a Frame Relay network sets the BECN to notify the sending device (DTE) that it cannot receive data at the rate that the sending device is transmitting it. The sending DTE (usually a router) can then attempt to slow the traffic by buffering frames. See also Frame Relay.

BER Bit Error Rate. In any kind of data transmission, the BER is the ratio of bits that have errors relative to the total number of bits received in a transmission. The BER is usually expressed as 10 to a negative power. For example, a transmission might have a BER of 10 to the minus six, meaning that out of 1,000,000 bits transmitted, one bit was in error.

BERT Bit Error Rate Test. A procedure or device that measures the BER for a given transmission.

BGP Border Gateway Protocol. A protocol for exchanging routing information between gateway host routers in an autonomous network system. Routers on the Internet use BGP to route data. BGP routers maintain RIBs and routing updates, and can also determine the best routes to other devices. For more information about BGP, see RFC 1771 (at http://www.ietf.org/rfc/rfc1771.txt). See also Routing Information Base.

B-ISDN Broadband Integrated Services Digital Network. An ISDN standard for transmitting simultaneous voice, video, and data over fiber optic lines.

Blowfish A symmetric encryption algorithm supported by IPSec, the industry standard for VPNs. Blowfish is many times faster than DES and supports key lengths up to 448 bits. See also DES, IPSec, and VPN.

BNC Connectors Bayonet Neill Concelman connectors. Also called British Naval Connector, or Bayonet Nut Connector. A type of connector used with coaxial cables such as the RG-58 A/U cable that is used in 10Base-2 Ethernet systems. The basic BNC connector is a male connector, which is placed at each end of a cable. This connector has a center pin connected to the center cable conductor and a metal tube connected to the outer cable shield. A rotating ring outside the tube locks the cable in place.

BONDING Bandwidth ON Demand INteroperability Group. An organization that created and raised awareness about the bonding protocol, which is used for aggregating ISDN channels and links. See also ISDN.

Boot The process of loading and executing the software and commands required to begin device operation.

bps Bits per second. In data communications, bps is a common measure of data speed for computer modem and transmission carriers. As the term implies, the speed in bps is equal to the number of bits transmitted or received each second.

BRI Basic Rate Interface. An ISDN network interface consisting of two 64 kbps bearer (B) channels and one 16 kbps signaling (D) channel. The B channels carry data, voice, or video traffic. The D channel is used to set up calls on the B channels and carry packet data. A single BRI connection provides a total of 128 Kbps of data across a twisted pair telephone cable. See also ISDN.

BU Backup. A failover power mechanism that allows a system to keep running in the event of a power failure. This term can also be used to describe a retrievable copy of data that allows the recovery of important work in the event of an equipment failure.

Burstiness Sporadic or sudden high usage of bandwidth.

B8ZS Bipolar 8-Zero Substitution. A line coding scheme used to maintain logical-one density on a T1-carrier line circuit. When a string of 8 zeros is detected, B8ZS inserts two deliberate bipolar violations that replace the 4th and 7th consecutive zero bits. These bipolar violations act as timing bits to prevent synchronization loss. See also T1-carrier line.

C

C-bit Parity A framing format for E3- and T3-carrier lines. C-bit parity creates a block of unmultiplexed data that uses the C-bit to signal framing.

CA Certificate Authority. A trusted third party that verifies the identity of two parties that want to communicate with one another. CAs are responsible for generating, distributing, and revoking digital authentication certificates. VeriSign is an example of a CA.

CAP Carrierless Amplitude/Phase. An ADSL modulation technique that divides the available bandwidth into three channels: analog voice over 0-4 kHz, upstream traffic over 25-160 kHz, and downstream traffic over 240 kHz-1.5 MHz. By creating three widely separated channels, CAP minimizes interference between the channels on one line and different lines. See also ADSL and DMT.

CAR Committed Access Rate. A QoS mechanism for policing traffic. You can set the classification for packets, limit the bandwidth according to the traffic classification, and then set parameters for how traffic is to be handled in the event that congestion matches or exceeds the set rate limit. See also QoS.

CAST-128 Carlisle Adams and Stafford Tavares-128. A symmetric encryption algorithm supported by IPSec, the industry standard for VPNs. CAST-128 is a block cipher with a varying key size up to 128 bits. See also IPSec and VPN.

CBQ Class-Based Queuing. A QoS mechanism that is used to avoid traffic congestion across a WAN line. CBQ is an open packet-scheduling algorithm that enables different queues to be set up for different traffic classes. Bandwidth can then be statically assigned to each queue. See also QoS.

CBR Constant Bit Rate. A quality of service mechanism that specifies a constant data output rate. CBR is useful for streaming multimedia content on limited capacity channels because the maximum bit rate matters, rather than the average bit rate. CBR could take advantage of all of the capacity. See also QoS.

CCP Compression Control Protocol. Part of the PPP suite, CCP configures, enables, and disables data compression algorithms on both ends of a point-to-point link. For more information about CCP, see RFC 1962 (at http://www.ietf.org/rfc/rfc1962.txt).

CCITT Consultative Committee for International Telegraph and Telephone. The CCITT, now known as the International Telecommunications Union–Telecommunications Services Sector (ITU-T), is an international body that fosters cooperative standards for telecommunications equipment and systems.

CDMA Code Division Multiple Access. A digital cellular technology that uses spread-spectrum techniques. CDMA does not assign a specific frequency to each user. Instead, every channel uses the full available spectrum, spreading the signal over the entire available bandwidth. Multiple calls are overlaid over each other on the channel, and each one is assigned a unique sequence code.

CEPT Conference of European Postal and Telecommunications. A standardizing body. For more information about CEPT, see the CEPT website at http://www.cept.org.

CEPT Hierarchy The signal hierarchy used with E-carrier lines. See also E1-carrier line and E-3 carrier line.

Table 2-1. CEPT signal hierarchy

| Physical carrier | DSD | E0 multiple | E1 multiple | Transmission rate |
|---|---|---|---|---|
| — | E0 | 1 | — | 64 Kbps |
| E1 | E1 | 32 | — | 2.048 Mbps |
| E2 | E2 | 128 | 4 | 8.448 Mbps |
| E3 | E3 | 512 | 16 | 34.368 Mbps |
| E4 | E4 | 2048 | 64 | 139.264 Mbps |
| E5 | E5 | 8192 | 256 | 565.148 Mbps |

Certificate See Digital Certificate.

Channelized A circuit that is created by multiplexing and demultiplexing voice and/or data using analog or digital techniques.

CHAP Challenge Handshake Authentication Protocol. An authentication protocol that is supported by PPP. With CHAP, the authenticator challenges the peer. The peer creates a hash value from its pre-shared password and a string of text. The authenticator also creates a hash value. The authenticator compares the hash values. If they match, authentication succeeds, and the link is established. For more information about CHAP, see RFC 2759 (at http://www.ietf.org/rfc/rfc2759.txt). See also PAP and PPP.

CIDR Classless Inter-Domain Routing. An IP addressing scheme that replaces the older system based on A, B, and C classful addresses. With CIDR, a single IP address can be used to designate many unique IP addresses. A CIDR IP address resembles a normal IP address except that it ends with a slash followed by a number called the IP network prefix, which specifies how many addresses are included in the CIDR address. Lower numbers include more addresses. An IP network prefix of /12, for example, can be used to specify 1,048,576 former Class C addresses. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations. For more information about CIDR, see RFC 1519 (at http://www.ietf.org/rfc/rfc1519.txt).

Cipher Text Encrypted data.

CIR Committed Information Rate. For Frame Relay networks, the CIR is the bandwidth that the carrier guarantees to be available for a particular PVC under normal circumstances. Typically, the CIR is specified in the Frame Relay SLA. See also EIR, Frame Relay, PVC, and SLA.

Circuit-Level Gateways This type of firewall operates at the OSI Session Layer. Circuit-level gateways monitor TCP handshakes between packets from trusted clients or servers to untrusted hosts (and vice versa) to determine whether a requested session is legitimate. The session is legitimate only if the SYN flags, ACK flags, and sequence numbers involved in the TCP handshakes are logical.

Clear Text Unencrypted text.

CLEC Competitive Local Exchange Carrier. In the United States and Canada, a CLEC is a company that competes with the already established local telephone business by providing its own network and switching. The term distinguishes new or potential competitors from established local exchange carriers. The existence of CLECs arises from the Telecommunications Act of 1996, which was intended to promote competition among both long-distance and local phone service providers.

CLI Command Line Interface. The interface that allows an administrator to enter line commands to interact with and configure the router.

CO Central Office. The service provider’s office to which a subscriber’s home and business lines are connected through the local loop. The CO has equipment that can switch calls locally or to long-distance carrier phone offices.

Coaxial Cable This cable consists of a center wire that is surrounded by insulation, which is encased in a grounded shield of braided wire. The shield minimizes electrical and radio frequency interference.

Compression The process of reducing information size or transmission bulk without affecting information content.

Configure To define the parameter values that allow network equipment to run in the manner required for a particular environment.

Console A terminal attached to a minicomputer, network device, or mainframe that is used to configure and monitor the status of the system.

CoS Class of Service. A method of managing traffic in a network by grouping similar types of traffic together and treating each group as a class with its own level of service priority. See also QoS.

CPE Customer Premises Equipment. The public carrier access equipment that a customer must purchase and maintain. This equipment is not maintained or owned by the Local Exchange Carrier. Some examples of this equipment are CSU/DSUs, modems and telephones.

CRC Cyclic Redundancy Checking. A method of checking for errors in data that is transmitted between two devices. The sending device applies a 16- or 32-bit polynomial to data, appends the resulting cyclic redundancy code to the data, and then sends the data. The receiving device applies the same polynomial to the data and checks the results against the appended results. If the two do not match, an error has occurred during the transmission.

CRC4 A framing format supported by a separate framing channel in E1 technology. CRC4 is based on the E1 frame format but includes additional error detection. A checksum bit is included in all even frames: frames 0, 2, 4, 6, 8, 10, 12, and 14. A total of 8 checksum bits is used. See also E1 frame format.

Crossover Cable Also called a null-modem cable. A specially designed cable that allows a user to connect two computers directly to each other via their communications (RS-232) ports.

Crypto Map In a ProCurve Secure Router environment, a crypto map defines parameters for the IKE and IPSec SA negotiation for a VPN. See also IKE, IPSec, SA and VPN.

CSS Controlled Slip Second. An error designation that describes a one-second interval containing one or more controlled slips. A controlled slip is the replication or deletion of the payload bits of a DS1 or E1 frame, and may be caused by a difference between the timing of a synchronous receiving terminal and the received signal.

CSU Channel Service Unit. Used in carrier-line connections, the CSU is a device that provides signal generation/regeneration. A CSU provides local loop equalization, transient protection, isolation, and Central Office (CO) loopback testing capability. In the United States and Canada, the CSU is sometimes provided in conjunction with the DSU and referred to as the CSU/DSU. See also DSU.

CVoDSL Channelized Voice over DSL. An ADSL feature that eliminates the need to use IP or ATM to encapsulate voice. CVoDSL is transmitted directly to the voice switch at the public carrier’s CO.

D

D4 A superframe format used on T1-carrier lines. The D4 format combines 12 193-bit frames into a single superframe.

DACS Digital Access and Cross-connect System (US). In the United States, a DACS is a telecommunications device used to route T1-carrier lines. A DACS uses D3/D4 framing to cross-connect any T1 DS0 channel (or a complete T1-carrier line) in the system with any other T1 DS0 channel or line also in the system. DACS can also be used with SONET.

DACS Digital Access Carrier System (UK). A digital system in the UK that provides two subscriber lines over one copper twisted pair wire. DACS works by digitizing the analog signal and sending the combined digital information for both lines over the same copper pair between the exchange and the pole. The cost of the DACS equipment is significantly less than the cost of installing additional copper pairs; however, the maximum speed of an analog modem is reduced on a line that uses DACS. This is because DACS involves an additional conversion between analog and digital signaling.

Data Link Layer Layer 2 of the OSI model. At this layer, data frames are encoded and decoded into bits. The Data Link Layer is divided into two sublayers: The Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The MAC sublayer controls how a computer on the network gains access to the data and permission to transmit it. The LLC layer controls frame synchronization, flow control, and error checking. See also OSI.

Data Link Layer Protocols A protocol that operates at the Data Link Layer of a network. Data Link Layer Protocols provide service for Network Layer operations.

DBU Dial Back-Up. DBUs provide connection recovery and dial-up redundant connectivity in case a primary WAN connection circuit fails.

DB/E-9 A nine-pin serial connector with a roughly trapezoidal (D) shape. This connector is often used for serial interfaces.

[Figure: D-sub 9 connector, male and female views, pins numbered 1-5 and 6-9]

DB-25 A 25-pin D-shaped serial connector. This connector is often used with printer serial cables and serial connections.

[Figure: DB-25 connector, male and female views, pins numbered 1-13 and 14-25]

DCE Data Communications Equipment. A device that communicates with a DTE device. In a Frame Relay network, the DCE is the Frame Relay switch, which establishes and maintains the Frame Relay connection. When the DCE receives frames from the DTE, it converts the frames into signals supported by the physical media of the Frame Relay network. The DCE also reads the DLCI on incoming packets, checks its switch lookup table, and then forwards data to the appropriate outgoing port—which leads to the correct virtual endpoint. See also DTE.

DE bit Discard Eligibility bit. A Frame Relay header mark indicating that a particular frame may be discarded in preference to other frames if congestion occurs. When a subscriber exceeds the CIR, the packets transmitted over the CIR are marked with the DE bit. See also CIR.

Decryption The process of decoding data that has been encrypted. Decryption requires a string of characters, called a key, and an algorithm.

Dedicated Circuits A WAN access circuit that is reserved for the use of a single subscriber. When the bandwidth is not in use, it remains idle.

Demarc Point of demarcation. The point at which the public carrier’s network ends and the subscriber’s local network begins.

DES Data Encryption Standard. DES is a published encryption algorithm that uses a 56-bit symmetric key to encrypt data in 64-bit blocks. IPSec, the industry standard for VPNs, supports 3DES. See also 3DES, IPSec, and VPN.

DHCP Dynamic Host Configuration Protocol. A protocol that allows network administrators to set up a server that manages IP addresses, automatically assigning IP addresses to devices on the network. For more information about DHCP, see RFC 2131 (at http://www.ietf.org/rfc/rfc2131.txt).

Diffie-Hellman A secure method for generating a unique, shared key without sending it over the connection and thus rendering it vulnerable to interception. Each host selects a private value, which is then modified (using prime number modulation) into a public value. Hosts exchange the public values. Each uses the other’s public value and their own private value to compute a new value. The computation function is such that these values will be the same.

DiffServ Differentiated Services. A QoS mechanism for classifying traffic and determining forwarding behavior. The DiffServ protocol redefines the Type of Service (ToS) field in the IPv4 header as the Differentiated Services (DS) field. With DiffServ, traffic can be assigned to one of 63 different traffic classes, and each traffic class is granted service based on the priority assigned to its DiffServ value. For more information about DiffServ uses and values, see RFC 3260 (at http://www.ietf.org/rfc/rfc3260.txt).

Digital Certificates An electronic document that contains a public key and is digitally signed by a third-party issuer such as a CA. Digital certificates are used for network authentication. They contain the certificate holder’s name, a serial number, the expiration dates, and a copy of the certificate holder’s public key (used for encrypting and decrypting messages). See also CA.

Digital Signal Hierarchies Hierarchies that determine the combinations of channels that compose the bandwidths for an E-, J-, or T-carrier line. In Europe, Asia (except Japan), South America, and Australia, the CEPT hierarchy is used. In Japan, the J-carrier signal hierarchy is used for voice transmissions. In the United States and Canada, the DSX hierarchy is used.

DLC Digital Loop Carrier. Equipment that bundles a number of individual phone line signals into a single multiplexed digital signal. This signal includes local traffic moving between a CO and a business complex or other outlying service area. See also CO.

DLCI Data Link Connection Identifier. In a Frame Relay network, the DLCI is a 10-bit field within the address field that specifies the PVC path that a particular frame takes. DLCIs have only local significance; the value is changed at each switch. DLCI values can be from 0 to 1023. Values 16-991 are reserved for subscribers to assign to virtual circuits. DLCI values of 0 and 1023 are reserved for use by Frame Relay management protocols.

DMT Discrete MultiTone. The standard ADSL modulation technique. Bandwidth is divided into 256 subchannels (bins) of approximately 4 kHz each. In Annex A, subchannels 1-6 are reserved for analog voice. In Annex B, subchannels 1-30 are reserved for ISDN traffic. The rest of the subchannels are used for ADSL data except for channel 0 and channel 256, which cannot be used for analog voice or data. See also ADSL and CAP.

DMZ De-Militarized Zone. A small subnetwork between a trusted internal network and an untrusted external network. The DMZ is placed to provide an additional layer of security and separation between the two networks.

DN Directory Number. The telephone number assigned to an ISDN receiver.

DNIS Dialed Number Identification Service. A telephone service that provides the caller’s number to the call receiver. DNIS is a common feature of 800 and 900 lines. If there are multiple 800 or 900 lines for the same company, DNIS tells which number was called.

DNS Domain Name System. A system that translates URLs to their associated IP addresses and communicates this information throughout the Internet. DNS allows users to enter a URL, which is much easier to remember than an IP address, into their Internet browsers while providing a way for network devices to find and reconcile the URL with its Internet IP address. For more information, see RFC 3696 (at http://www.ietf.org/rfc/rfc3696.txt).

Domain Name The URL name associated with a particular IP address (or group of IP addresses).

DoS Denial of Service. A type of attack designed to disable a server or network service by bombarding it with service requests. DoS attacks prevent legitimate users from accessing the resource.

DSA Digital Signature Algorithm. A U.S. government standard for creating and verifying secure digital signatures. Digital signatures authenticate electronic documents. One such document is a digital certificate, which peers in a VPN use to authenticate each other.

DSCP Differentiated Services Code Point. Six bits in the DiffServ header that can be set with values that define up to 63 traffic classes. For more information about DSCP values and usage, see RFC 2983 (at http://www.ietf.org/rfc/rfc2983.txt). See also DiffServ.

DSL Digital Subscriber Line. A broadband technology, DSL provides high-speed WAN connections over existing local loops. Two types of DSL technologies are available: symmetric DSL, which dedicates the same amount of data to upstream and downstream transmissions, and asymmetric DSL, which dedicates most of the available bandwidth to downstream transmissions.

DSLAM Digital Subscriber Line Access Multiplexer. A network device, usually at a service provider’s central office (CO), that receives signals from multiple customer DSL connections and puts the signals on the high-speed infrastructure backbone using multiplexing techniques.

DS0 Digital Signal Zero. DS0 is a digital channel operating at 64 Kbps, the amount of bandwidth required to transmit a single analog voice call through a digital telecommunications network. DS0 is the fundamental unit of bandwidth—the fundamental channel—in all copper-based T-, E-, and J-carrier systems. In E-carrier systems, DS0 is called E0, and in J-carrier systems, DS0 is called J0. However, the basic signal is virtually identical in all three carrier systems.

DS1 Digital Signal at the First Level. A bipolar signal combination of 24 DS0s that is transmitted at 1.544 Mbps. Also called T1.

DSU Digital Service Unit. The DSU accepts data from the router at the customer’s premises and translates it from the signaling format used on the LAN to the format necessary for transmission on the WAN. In the United States and Canada, the public carrier may provide the DSU in conjunction with the CSU. In this case, it is referred to as the CSU/DSU.

DSS Digital Signature Standard. A DSA used to create digital signatures, which authenticate electronic documents such as digital certificates. DSS creates and verifies a digital signature using a pair of asymmetric keys. The private key in the pair, which is known only by the signer, transforms and “signs” the certificate. The public key, which can be distributed to any host, verifies the signature.

DSX Hierarchy Digital Signal X. The signal hierarchy used with T-carrier systems.

Table 2-2. Digital Signal X (DSX) hierarchy

| Physical carrier | DSD | DSX interface | DS0 multiple | T1 multiple | Transmission rate |
|---|---|---|---|---|---|
| — | DS0 | — | 1 | — | 64 Kbps |
| T1 | DS1 | DSX-1 | 24 | — | 1.544 Mbps |
| T2 | DS2 | DSX-2 | 96 | 4 | 6.312 Mbps |
| T3 | DS3 | DSX-3 | 672 | 28 | 44.736 Mbps |
| T4 | DS4 | DSX-4 | 4032 | 168 | 274.176 Mbps |
| T5 | DS5 | DSX-5 | 8064 | 336 | 560.160 Mbps |

DSX-1 Digital Signal X-1. A 1.544 Mbps T1 connection.

DTE Data Terminal Equipment. A device that controls data flowing to or from a computer. On a Frame Relay network, the DTE receives data from the LAN in the form of multiple protocol packets and encapsulates each packet into a Frame Relay frame. The header of such a frame is called the Data Link Connection Identifier (DLCI) and contains the frame’s ultimate destination. See also DCE.

DTMF Dual Tone Multi-Frequency. The signal to the phone company that is generated when ordinary telephone touch keys are pressed. In the United States, this is known as “touch-tone” dialing.

DVB Digital Video Broadcasting. A suite of internationally accepted, open standards for digital television maintained by the DVB Project, an industry consortium with more than 300 members. The DVB standards use current, existing satellite, cable and terrestrial infrastructures.

DVMRP Distance Vector Multicast Routing Protocol. An OSI Layer 3 multicast routing protocol for use within a single AS. DVMRP generates a multicast routing table and forwards packets accordingly. It uses Internet Group Management Protocol (IGMP) messages to exchange information with other routers. For more information, see RFC 1075 (at http://www.ietf.org/rfc/rfc1075.txt).

DWDM Dense Wavelength Division Multiplexing. A technology that puts data from different sources together on an optical fiber. Each signal is carried on its own separate light wavelength, and up to 80 (and theoretically more) separate wavelengths or channels of data can be multiplexed into a lightstream transmitted on a single optical fiber. In a system with each channel carrying 2.5 Gbps, up to 200 billion bits can be delivered per second by the optical fiber. DWDM is also sometimes called Wave Division Multiplexing (WDM). For information about IP over optical networks, see RFC 3717 (at http://www.ietf.org/rfc/rfc3717.txt).

E

E0 The base bandwidth multiple of E-carrier systems. E0 channels can transmit at up to 64 Kbps.

E1-carrier line Provides a dedicated WAN connection. This multiplexed carrier-line includes 32 E0 channels for a total bandwidth of 2.048 Mbps. E-1 carrier lines are offered in Europe, Asia, Australia, and South America. (In Japan, PTTs offer J-carrier lines for voice and T1- or E1-carrier lines for data.) See also PTT.

E1 frame format A frame format used for E1-carrier lines. In the E1 frame format, a channel (or timeslot) is called a TS, and the 32 channels are numbered TS0 to TS31. Two channels are used to establish and maintain synchronization and signaling: specifically, TS0 is used for synchronization, error detection, and alarms, and TS16 is used for signaling. The other channels are used to transmit data.

E3-carrier line A carrier line that includes 512 E0 channels (or 16 E1 channels) for a total transmission rate of 34.368 Mbps.

EAP Extensible Authentication Protocol. A protocol that allows PPP to use authentication protocols that are not part of the PPP suite. For more information about EAP, see RFC 3748 (at http://www.ietf.org/rfc/rfc3748.txt). See also CHAP, PAP, and PPP.

eBGP External Border Gateway Protocol. A BGP routing protocol that allows external route broadcasting to routers in other Autonomous Systems. See also BGP.

Echo Cancellation In digital voice transmissions over packet-based networks, echo cancellation is a technique that filters unwanted signals called “echoes.” Echoes are usually generated by background noise or hybrid/acoustic noise.

ECP Encryption Control Protocol. An NCP in the PPP suite that allows you to configure options for encrypting PPP datagrams. ECP is responsible for negotiating and managing the use of encryption on a PPP link. For more information about ECP, see RFC 1968 (at http://www.ietf.org/rfc/rfc1968.txt). See also NCP and PPP.

EGP Exterior Gateway Protocol. The first exterior LAN routing protocol used on the Internet. EGP’s basic functions are to identify neighbors and share reachability information, poll neighbors to determine if they’re still available, and advertise system information. Because EGP cannot determine the best route to send WAN traffic, BGP replaced it as the routing protocol for the Internet. For more information about EGP, see RFC 827 (at http://www.ietf.org/rfc/rfc0827.txt). See also BGP.

EIR Excess Information Rate. In a Frame Relay network, the EIR is the bandwidth, in excess of the CIR, that the carrier attempts to deliver when the virtual circuit is not congested. This rate is not guaranteed and is delivered on a best-effort basis. See also CIR and Frame Relay.

Line Encoding A binary format for data transmission over a carrier-line. E-carrier systems use HDB3 and AMI line encoding schemes; T-carrier systems use the B8ZS and AMI line encoding schemes.

Encryption Scrambling data in such a way that it can be unscrambled only through the application of the appropriate key.

Encryption Control Protocol See ECP.

Endpoint Discriminator In an MLPPP connection, the endpoint discriminator allows the router to determine whether an incoming packet is part of an already established multilink bundle or part of a new bundle. Aggregated links in a multilink bundle share the same endpoint discriminator. See also MLPPP.

ESF Extended Superframe Format. Used on T-carrier lines, ESF combines 24 consecutive 193-bit frames into an extended superframe. ESF uses the 193rd bit to provide maintenance and diagnostic functions.

ESP Encapsulating Security Payload. An IPSec security protocol that encrypts the packet payload before transmission. ESP can also provide limited authentication services for the packet payload only. For more information about ESP, see RFC 2406 (at http://www.ietf.org/rfc/rfc2406.txt). See also IPSec and VPN.

ETSI European Telecommunications Standards Institute. A standardization organization composed of equipment makers and network operators. For more information about ETSI, visit the Web site at http://www.etsi.org/.

F

FDL Facility Data Link. In T-carrier lines that use the ESF frame format, this out-of-band channel is used to transmit line diagnostics information. See also ESF.

FDM Frequency Division Multiplexing. A telecommunications technique in which numerous voice channels are combined for transmission on a single physical line. Each channel is assigned a different frequency (subchannel) spaced four kHz apart, and the composite signal is transmitted over the line. Modern telecommunications systems use digital signaling and TDM instead of FDM.

FECN Forward Explicit Congestion Notification. The DTE sending data can set this bit to indicate that the network is experiencing congestion and the destination DTE should stop sending so many requests for data. See also Frame Relay and BECN.

Fiber Optics An optical transmission medium consisting of thin, plastic or glass strands that reflect light pulses within their interior core all along their length. Fiber optics can provide a great deal of bandwidth.

Fiber Optic Carrier Network A network that supports fiber optic voice and data transmission.

Field A space allocated in a protocol header or packet for a particular item of information.

FIFO First In First Out. A queuing method that sends packets over a line strictly according to the order in which they were received. FIFO does not require the receiver to reassemble out-of-order packets because packets always arrive in order.

Firewall A security device that establishes a barrier between a trusted and an untrusted network. The firewall contains designated network traffic within a specified area and protects the interior network from unauthorized traffic. Depending on its type, the firewall may screen packets at the Network, Session, or Application Layer, or some combination of these layers. For example, a firewall can be programmed to drop certain kinds of external traffic destined to the private network or to monitor TCP sessions and ensure that they are legitimate.

Flash A solid-state electronic memory device that does not lose information when no longer connected to a power source.

FQDN Fully-Qualified Domain Name. An FQDN is a domain name that includes both a hostname and domain name. For example, www.ProCurve.com is a fully-qualified domain name. The hostname is www, and ProCurve is the domain name within the top-level domain, com.

FRAD Frame Relay Assembler/Disassembler. A generic name for a device that encapsulates packets in Frame Relay headers to prepare them for transmission across a Frame Relay network. (The device also decapsulates incoming packets.) The router or other DTE that connects to the Frame Relay network usually includes the FRAD.

Frame A packet of information that has been encapsulated by a Data Link Layer protocol. Each Data Link Layer protocol defines a frame header, which includes the information that the receiver needs to process the frame and recover the data in the encapsulated packet. Devices must use the same data link layer protocol in order to exchange frames.

Frame Formatting The format that a Physical Layer protocol gives to frames sent across a carrier line. Frame formatting defines how a device transmits bits over multiplexed carrier lines so that the device at the other end of the link can Frames are run through several protocols, each of which formats the frame to fit protocol specifications. Protocols may encapsulate already encapsulated frames, creating protocol stacks that must be stripped one at a time to recover the data being transmitted.

Frame Relay An OSI Data Link Layer (Layer 2) protocol. Frame Relay supports data transfer over WAN connections such as T1- and E1-carrier lines. Frame Relay is a packet-switching technology, which means that a service provider switches packets from multiple customers over the same physical lines. A permanent virtual circuit (PVC) connects one network device to another, ensuring that packets are switched to the correct location. For more information on Frame Relay, see RFC 2427 (at http://www.ietf.org/rfc/rfc2427.txt). See also DCE, DTE, and PVC.

FRF Frame Relay Forum. A standards body that merged with the MPLS forum to become the MPLS and Frame Relay Alliance.

FRTS Frame Relay Traffic Shaping. FRTS uses priority queueing or custom framing and is a quality-of-service traffic-shaping mechanism. High-priority-queue data is transmitted before low-priority data. Custom framing allows the queues to take turns.

FSAN Full Service Access Network Group. A standards group.

FT1 Fractional T1. A portion of a T1 circuit. A full T1 circuit has a capacity of 1.544 Mbps and is composed of twenty-four (24) 64 kbps channels. A customer may save money by leasing only a portion of the full circuit. A fractional T1 can only be configured in increments of 64 Kbps (one channel).

FTP File Transfer Protocol. An OSI Layer 7 protocol that transfers files between computers, which can use widely differing operating systems. For more information on FTP, see RFC 959 (at http://www.ietf.org/rfc/rfc0959.txt).

FTTB Fiber-To-The-Building. Refers to the installation of fiber optic cable directly to a building.

FTTC Fiber-To-The-Curb. Refers to the installation of fiber optic cable directly to the curbs near homes or businesses. Fiber optic cable, which provides much greater transmission speeds than copper wiring, is already used for much of the POTS long-distance infrastructure. By decreasing the time it takes data to travel from a customer to the customer’s provider, FTTC would greatly increase individual users’ data-transmission speeds.

FTTH Fiber-To-The-Home. Refers to the installation of high-speed fiber optic cable, rather than copper cable, directly to the home.

FX Foreign eXchange. A telephone service, using VoIP technology, that allows a user to have a number with an exchange that is not the normal exchange for the user’s geographic area.

FXO Foreign Exchange Office. A VoIP telephone interface, usually a standard analog telephone, that receives calls over POTS. The FXO generates the on-hook and off-hook indicators used to signal a loop closure at the FXO’s end of the circuit. The FXO must be connected to the FXS interface.

FXS Foreign Exchange Station. A VoIP telephone device that provides battery power, sends the dial tone, and generates ringing voltage for the FXO. The FXO plugs directly into the FXS to provide telephone service for the VoIP device.

F5 OAM F5 Operation And Maintenance. ATM devices send OAM cells over an ATM link to monitor the link. F5 OAM cells verify that an ATM link is open from end-to-end.

G

GRE Generic Routing Encapsulation. A Layer 2 protocol that can encapsulate many types of OSI Layer 2 or Layer 3 protocols and place them in IP packets. Routers can use GRE to tunnel packets, such as multicast packets, that could otherwise be sent over the Internet. Routers can also use GRE to create virtual point-to-point links through an IP network. For more information on GRE, see RFC 2784 (at http://www.ietf.org/rfc/rfc2784.txt).

GS Ground Start. A method by which a device signals a switch to start a call. An on-hook condition begins as a completed circuit. An off-hook condition opens a circuit by grounding a 2600-Hz tone, informing the switch to provide dial tone. See also LS.

GTS Generic Traffic Shaping. A QoS traffic-shaping mechanism. GTS reduces congestion for outbound traffic by constraining specified traffic to a particular bit rate. Certain types of traffic can be shaped to meet downstream requirements, eliminating bottlenecks in topologies with data rate mismatches. GTS is supported by Data Link Layer protocols like Ethernet, SMDS, and Frame Relay. GTS uses WFQ as the method for shaping the traffic. See also WFQ and QoS.

GUI Graphical User Interface. A user interface that substitutes graphics for characters or text for ease of use.

H

Hash A number generated by running a string of text through an algorithm. The hash is substantially smaller than the text itself and—because algorithms transform data in such a way that it is extremely unlikely that some other text will produce the same hash value—unique.

H-channel An ISDN PRI channel technology developed to offer high transmission speeds of up to 135 Mbps. Because H channels allow bits to be sent and received in the same order, they eliminate the delay of reassembling bits.

HDB3 High Density Bipolar order of 3. A line encoding scheme. HDB3 limits the number of consecutive logical zeros in a data stream so that devices do not lose synchronization. HDB3 transforms a stream of four logical zeros into three zero signals and a violation bit of the same polarity as the last logical one detected. HDB3 is the predominant line encoding scheme used in E-carrier lines.

HDLC High-level Data Link Control. A Data Link Layer protocol suite used by network nodes to initiate, maintain, and terminate data transfer. HDLC, which was originally used for signaling between mainframes and dumb terminals, requires devices on either end of a link to be designated as either a primary or secondary device. The HDLC transmission mode determines which devices can transmit and receive data, and establish and terminate the link. See also ABM, ARM, and NRM.

HDSL High bit rate DSL. A type of symmetric xDSL. HDSL eliminates the need for repeaters and employs a 2B1Q modulation technique across the same type of cabling used with metallic T1 delivery systems. Typically, rather than offering HDSL to customers as a DSL option, service providers use HDSL to provide the local loop connection for dedicated T1/E1 carrier lines. HDSL has some distinct disadvantages: it requires two pairs of wires and does not support analog voice.

HDSL2 An improvement over HDSL that allows service providers to deliver full T1 or E1 over a single twisted pair of wires. Also known as G.SHDSL or SHDSL. HDSL2 is a symmetric xDSL and, like HDSL, does not support analog voice.

HFC Hybrid Fiber Coax. A telecommunication technology in which fiber optic cable and coaxial cable are used in different portions of a network to carry broadband content (such as video, data, and voice). The service provider installs fiber optic cable from their distribution center to serving nodes located close to business and residential users. From these nodes, copper coaxial cable brings the line to individual businesses and homes.

HMAC Hashed Message Authentication Code. The hash value for a packet, generated by running the packet through a cryptographic hash function in combination with a secret key. The IPSec AH protocol generates an HMAC for a packet so that a VPN peer can verify the packet’s authenticity and the integrity of its data. A protocol can use any iterative cryptographic hash function to calculate the HMAC. AH uses MD5 or SHA-1. For more information on HMAC, see RFC 2104 (at http://www.ietf.org/rfc/rfc2104.txt).

Host Any machine or computer that is connected to a network. Each host in a network should have a unique network address.

HSSI High Speed Serial Interface. A serial interface typically used to connect a LAN device to a device with a higher-speed WAN connection. HSSI operates at up to 52 Mbps and connects devices that are less than 50 feet apart.

HTTP HyperText Transfer Protocol. The protocol used by the World Wide Web. HTTP defines how messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands. For more information about HTTP, see RFC 2616 (at http://www.ietf.org/rfc/rfc2616.txt).

I

IANA Internet Assigned Numbers Authority. IANA controls numbers for protocols, assigns the Country Code Top Level Domains (such as, .uk for the United Kingdom or .de for Germany), and maintains the IP addresses allotted to various purposes or organizations.

ICMP Internet Control Message Protocol. ICMP is part of the IP suite. The operating systems of computers that use IP as their network protocol chiefly use ICMP to send error messages—indicating, for instance, that a requested service is not available or that a host or router could not be reached. For more information, see RFC 792 (at http://www.ietf.org/rfc/rfc0792.txt).

ICV Integrity Check Value. A checksum that authenticates every part of a packet except the authentication field. Both AH and ESP use the ICV as part of the IPSec standard authentication process.

IDEA International Data Encryption Algorithm. A symmetric encryption algorithm supported by IPSec. IDEA, which is a block cipher, is a fast 3DES equivalent.

IDSL ISDN DSL. An ISDN DSL service that uses 2B1Q but, unlike traditional ISDN, is always on. IDSL is backward compatible with ISDN equipment and can transmit and receive data up to 144 Kbps.

IEC InterExchange Carrier. A long-distance public carrier. See IXC.

IEEE Institute of Electrical and Electronics Engineers. An organization composed of engineers, scientists, and students. The IEEE is best known for developing standards, such as the LAN 802 standards, for the computer and electronics industry. For more information on IEEE, visit their Web site at http://www.ieee.org/.

IETF Internet Engineering Task Force. A large international community of network designers, operators, vendors, and researchers concerned with developing Internet architecture and maintaining the smooth operation of the Internet. The IETF is responsible for publishing RFCs. For more information on IETF, visit their Web site at http://www.ietf.org/.

IKE Internet Key Exchange. An IPSec protocol used to negotiate an IPSec SA (a VPN tunnel between two peers) in a protected manner. In its first phase, IKE establishes security parameters for a preliminary security association, the IKE SA. IKE also authenticates the peer before opening the IKE SA. In IKE phase 2, peers exchange secure, encrypted messages over the IKE SA. These messages negotiate the security parameters and encryption and authentication keys for the permanent IPSec SA. For more information on IKE, see RFC 2409 (at http://www.ietf.org/rfc/rfc2409.txt).

IKE mode config Before opening an IPSec SA between a remote peer and a network gateway device, IKE mode config can send configurations to the remote peer. These configurations include a local network IP address, as well as the addresses of DNS and WINS servers.

ILEC Incumbent Local Exchange Carrier. A telephone company in the United States that was providing local service in a specific geographic area when the Telecommunications Act of 1996 was enacted. ILECs include the former Bell operating companies, grouped into Regional Bell Operating Companies (RBOCs), that had been created when the Bell System was broken up by a 1983 consent decree.

Interface A boundary across which two independent entities or systems meet and communicate.

IP Internet Protocol. A Network Layer (Layer 3) protocol that controls how packets of data are addressed and routed from one device to another. IP is the network protocol used on the Internet, as well as in many private networks. Each host on the Internet has at least one IP address that uniquely identifies it. For more information, see RFC 791 (at http://www.ietf.org/rfc/rfc0791.txt).

IPCP IP Control Protocol. An NCP in the PPP suite. Peers that are establishing a PPP session exchange IPCP frames to signal that PPP frames will encapsulate IP packets. IPCP frames also negotiate configuration options for the IP packets. IPCP uses the same exchange mechanism as the PPP Link Control Protocol (LCP). For more information on IPCP, see RFC 1332 (at http://www.ietf.org/rfc/rfc1332.txt).

IP Precedence A value within the IP header used to grant certain packets priority over other packets. A higher IP precedence value in a packet’s header requests better QoS for that packet. The type of service actually granted to the packet depends on the QoS mechanisms configured in a network. IP precedence is often used with WFQ—packets in a traffic flow with a higher precedence receive relatively more bandwidth—or with LLQ—the packet receives priority handling instead of being sent to the end of the queue on each network node. For more information on the IP Precedence field in the IP header, see RFC 1812 (at http://www.ietf.org/rfc/rfc1812.txt).

IPSec IP Security. A set of protocols that supports the secure exchange of packets at the IP layer. For example, devices can use IPSec to establish a virtual private network (VPN) through an untrusted IP network such as the Internet. The VPN connection, secured by IPSec, can connect remote sites or provide individual remote users access to the private network through their Internet connections. For more information on IPSec, see RFC 2401 (at http://www.ietf.org/rfc/rfc2401.txt).

IPv4 Internet Protocol version 4. The Internet addressing scheme currently in use. IPv4 uses four octets (32 bits) of address space, which means that it provides 2^32 addresses. An IPv4 IP address is typically represented as four digital numbers, each representing one octet. Every host on the Internet must have a unique IP address, but because of the way IPv4 addresses were distributed as large blocks of addresses in a classful network, there are not enough free IP addresses to meet growing demand.

IPv6 Internet Protocol version 6. The emerging Internet addressing scheme. IPv6 addresses are 128 bits in length, typically denoted as eight two-digit hex numbers followed by a CIDR notation prefix length.

IPX Internetwork Packet eXchange. A Layer 3 networking protocol used in Novell NetWare operating system environments. Like UDP/IP, IPX is a datagram protocol used for routing packets in connectionless communications. For more information on IPX use in Ethernet networks, see RFC 1132 (at http://www.ietf.org/rfc/rfc1132.txt).

IPXCP Internetwork Packet eXchange Control Protocol. An NCP in the PPP protocol suite. Peers establishing a PPP session exchange IPXCP to negotiate options for the IPXCP packets that will be encapsulated in PPP frames. For more information on IPXCP, see RFC 1552 (at http://www.ietf.org/rfc/rfc1552.txt).

ISDN Integrated Services Digital Network. A type of circuit-switched telephone network system designed to allow devices to send voice and data digitally over ordinary telephone copper wires. More broadly, ISDN is a set of protocols for establishing and tearing down circuit-switched connections and for providing advanced call features to an end user. An ISDN connection is divided into two types of channels: bearer (B) channels, which transmit voice and data over the line, and data (D) channels, which transmit signals for controlling, setting up, and disconnecting the call. Each B channel supports data transfer rates of 64 Kbps. BRI ISDN provides two B channels; PRI ISDN supports up to T1 (24 B channels) or E1 (30 B channels) bandwidth. See also BRI and PRI.

ISO International Standards Office. The group responsible for setting CCITT/ITU standards for the transmission of digital voice and data over ordinary telephone copper wire, as well as over other media.

ISP Internet Service Provider. A company that provides individuals and businesses access to the Internet and other related services such as website building and virtual hosting. An ISP owns and maintains the equipment and the telecommunication lines that allow it to have a Point of Presence (POP) on the Internet for the geographic area served.

ITU-T International Telecommunications Union-Telecommunications Standardization Sector. An international body created to foster cooperative standards for telecommunications equipment and systems. For more information on ITU-T, see their website at http://www.itu.int/.

IXC Inter eXchange Carriers. A telephone company that provides connections between local exchanges in different geographic areas. IXCs provide interlocal access and transport service as described in the Telecommunications Act of 1996. In the United States, IXCs include long-distance telecom carriers like Sprint, AT&T and MCI.

J

Japanese Hierarchy A digital signal hierarchy used in Japan for voice transmission. A J0 line defines one channel. The Japanese hierarchy closely matches the T-carrier system.

Table 2-3. Japanese digital signal hierarchy

Physical carrier   DSD   J0 multiple   J1 multiple   Transmission rate
—                  J0    1             —             64 Kbps
J1                 J1    24            —             1.544 Mbps
J2                 J2    96            4             6.312 Mbps
J3                 J3    480           30            32.064 Mbps
J4                 J4    5760          240           397.200 Mbps

J1 The base bandwidth multiple of J-carrier systems. J1-carrier systems consist of 24 J0 channels with a maximum transmission rate of 1.544 Mbps. The J1 standard is used for voice transmissions only.

K

Kbps Kilobits per second. One thousand bits per second. A measure of bandwidth on a data transmission medium. Higher bandwidths are more conveniently expressed in Megabits per second (Mbps or millions of bits per second) or in Gigabits per second (Gbps, or billions of bits per second).

Key In cryptography, a key is a unique value or string of text that is combined with data when that data is run through an encryption or hash algorithm. In order to decrypt or dehash the data, a device must apply the correct key to the transformed data. With symmetric keys, the same key encrypts and decrypts (or hashes and dehashes) data. With asymmetric keys, a private key transforms data and a public key reverses the transformation. The length of a key generally determines how difficult it will be to decrypt the data.

KS Key System. A key system is essentially a scaled-down PBX. Key systems typically have one unit, either an attendant phone or a separate box, that acts as controller over a limited number of lines (usually about 4) for a limited number of extensions (as many as 20).

L

LAN Local Area Network. A group of computers and associated devices within a small geographic area that share a common communications line. The computers also often share the resources of a single server or set of servers.

LAPD Link Access Procedure for D-channel. An ISDN Data Link Layer protocol that operates over the D channel. LAPD provides ISDN call control and setup.

LATA Local Access and Transport Area. A term used in the United States to describe a geographic area covered by one or more local exchange carriers (LECs).

LBO Line Build Out. The level of attenuation, signal strength, and impedance on a line. When a signal is sent over a long distance, it can degrade. You can adjust the LBO on a T1 line to maximize the signal clarity and coherence. On ProCurve Secure Router, LBO is usually specified by cable length for shorter connections and by level of attenuation, in decibels, for longer connections.

LCP Link Control Protocol. Part of the PPP suite. LCP frames are used to establish, negotiate options for, and maintain the link between peers. LCP frames must successfully establish before peers can exchange PPP frames that encapsulate actual data. For more information on the PPP LCP, see RFC 1570 (at http://www.ietf.org/rfc/rfc1570.txt).

LDAP Lightweight Directory Access Protocol. A set of protocols that allow a host to access and look up information in information directories. LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain public directory information such as hosts’ email addresses and public keys. For more information on LDAP, see RFC 2251 (at http://www.ietf.org/rfc/rfc2251.txt).

LDN Local Directory Number. The number listed in the phone directory. The LDN is used to establish a dial-up connection, such as an ISDN connection.

LEC Local Exchange Carrier. The term for a public telephone company in the United States that provides local service. The LEC can be either one of the Bell operating companies or an independent company.

LED Light Emitting Diode. A light, often mounted on the front of a device and used to convey information about the status of the device to the user. Users can interpret different LED colors (red, yellow, green) and behaviors (flashing, steady, off) to troubleshoot the device.

Link Quality Reporting See LQR.

Line The hardware that connects two devices. Materials for lines include fiber optic, coaxial, and phone-grade twisted pair cables.

LLC/SNAP Logical Link Control/Subnetwork Access Protocol. An 8-byte packet encapsulation header added by the WAN router to outgoing Ethernet or ATM traffic. The LLC/SNAP header enables devices in a connectionless network to send frames to the devices that can switch them to their destination. The LLC header is three bytes; it sets SNAP as both the Source Service Access Point (SSAP) and the Destination Service Access Point (DSAP) protocol. The 5-byte SNAP header follows with a 3-byte organization code and a 2-byte code that indicates the data type (for example, IP).

LLDP Link Layer Discovery Protocol. LLDP provides a standard method for Ethernet network devices (such as switches, routers, and wireless LAN access points) to advertise information about themselves to other nodes on the network and to store the information they discover from other nodes.

LLQ Low-Latency Queuing. A QoS mechanism that places high-priority traffic in a special queue that is served first with a set amount of bandwidth.

LMI Local Management Interface. LMI is a set of enhancements to the basic Frame Relay specifications. It provides global addressing, virtual circuit status messages, and multicasting capabilities.

LMP Link Management Protocol. In a multilink WAN connection, LMP is a protocol that allows multiple carrier-lines to be treated as a single data link. Among other functions, LMP verifies the physical connectivity of lines in the link and localizes link failures for protection/restoration purposes. For more information on LMP, see the IETF Internet draft at http://www.ietf.org/internet-drafts/draft-ietf-ccamp-lmp-10.txt/.

Local Loop The connection between a subscriber’s premises and the public carrier’s nearest central office (CO). The local loop includes telecom infrastructure devices such as repeaters, switches, cable, and connectors.

Loopback A loopback channel is a communications channel with only one endpoint. A signal sent on the loopback channel simply returns to the interface that sent it. The loopback function serves to test the line.

LQR Link Quality Report. An LCP link-configuration protocol that monitors how many frames are being dropped over a link. LQR is part of the PPP suite.

LS Loop Start. A method of signaling a switch that it should start a call. An on-hook condition consists of an open circuit. An off-hook phone condition completes a closed circuit, which informs the switch to provide dial tone. See also GS.

LSA Link-State Advertisement. A packet sent by an OSPF router advertising its connections to a network or to another router. OSPF routers use LSAs to generate an OSPF database with the topology of the entire OSPF network. See also OSPF.

L2F Layer 2 Forwarding. A tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol developed by Microsoft; it enables organizations to set up VPNs that tunnel packets between private sites through the Internet.

L2TP Layer 2 Tunneling Protocol. An IETF standard based on PPTP and Cisco’s L2F protocol. L2TP is an extension of the PPTP used by ISPs to enable the operation of a VPN over the Internet. L2TP uses IPSec to authenticate and encrypt IP packets and PPP to encapsulate the packets; L2TP itself routes the PPP packet through the IP network. For more information on L2TP, see RFC 2661 (at http://www.ietf.org/rfc/rfc2661.txt).

M

MAC Media Access Control. The MAC layer is the lowest Data Link sublayer, and it interfaces directly with the network medium. A MAC address is a hardware address that uniquely identifies each node of a network.

Main Mode An IKE security mode in which peers exchange three pairs of messages (six total) to negotiate the IKE SA. Because peers generate encryption and authentication keys to secure packets before they exchange authentication information, IKE main mode provides endpoint anonymity. IKE main mode is therefore slower, but much more secure than aggressive mode. See also IKE and Aggressive Mode.

Magic Number A number added to an outgoing frame to enable a device to detect loopback links. A magic number is a random number that the sending peer assigns to the packet. If the sending peer receives a packet with an unchanged magic number, it detects a loopback condition.

MAN Metropolitan Area Network. A network that interconnects users with computer resources in a geographic area or region larger than that covered by a large local area network, but smaller than the area covered by a wide area network. A MAN typically extends as far as 50 kilometers and operates at speeds between 1 Mbps and 200 Mbps.

Mbps Megabits per second (a million bits per second). The measure of bandwidth on a data transmission medium such as twisted-pair copper cable, coaxial cable, or optical fiber line.

MD5 Message Digest 5. A hash algorithm used to create digital signatures. MD5 is a one-way hash function, which transforms and condenses data into a fixed string of digits called a message digest. A variety of protocols, including AH and ESP, use MD5 to check a message’s data integrity as well as authenticate the sender. The ProCurve Secure Router uses MD5 transformation to encrypt various system passwords.

Mediation An old style or legacy system still used in the telecom world. This term refers to the conversion of various telephone properties into a standard Call Detail Record (CDR) format.

MFR Multilink Frame Relay. See MLFR.

MIB Management Information Base. An SNMP object. The MIB is a database list of objects and is used to manage entities (such as routers and switches) in an SNMP-enabled network. Objects in the MIB are defined using Abstract Syntax Notation One (ASN.1). The database is hierarchical (tree structured) and entries are addressed through object identifiers. See also SNMP.

MIPS Millions of Instructions Per Second. A general measure of computing performance and, by implication, the amount of work a computer can do. Generally, this refers to the number of instructions that can be processed by the CPU in a given second.

MLFR MultiLink Frame Relay. A Frame Relay protocol that bundles multiple carrier-lines together, which allows faster transmission speeds. FRF.15 supports MLFR end-to-end on a PVC without CO support: both ends of the link must support MLFR and use the same number of carrier-lines. FRF.16.1 requires CO support but offers many advantages over FRF.15: the bundle of carrier-lines can support more than one PVC and endpoints do not have to use the same number of carrier-lines.

MLPPP Multilink PPP. A line-aggregation protocol that bundles multiple T1 or E1 lines into a single data link, which greatly increases throughput. MLPPP fragments and reassembles frames sent over separate channels in the multilink connection. For more information on Multilink PPP, see RFC 1990 (at http://www.ietf.org/rfc/rfc1990.txt).

MOSPF Multicast Open Shortest Path First. A multicast Layer 3 routing protocol based on OSPF. This protocol allows the router to build a multicast forwarding table for each local group using the additional information included in the MOSPF messages. For more information on MOSPF, see RFC 1585 (at http://www.ietf.org/rfc/rfc1585.txt).

MP Multilink PPP. See MLPPP.

MPLS Multiprotocol Label Switching. A process that allows packets to be routed according to their pre-defined labels instead of according to their IP addresses and routing protocol table entries. Incoming packets are assigned a label by a label edge router (LER). Packets are forwarded along a label switch path (LSP), on which each label switch router (LSR) makes forwarding decisions based solely on the contents of the label. At each hop, the LSR strips off the existing label and applies a new label which tells the next hop how to forward the packet. An LSP can cross multiple Layer 2 transports such as ATM, Frame Relay or Ethernet. Because MPLS forwards packets based on configured LSPs, rather than on IP addresses, it supports the routing of packets with private IP addresses through a public network. For more information on MPLS, see RFC 2702 (at http://www.ietf.org/rfc/rfc2702.txt).

MPPE Microsoft Point-to-Point Encryption. An encryption algorithm that uses RSA RC4 and 40- or 128-bit keys to secure data transmitted across a WAN tunnel. For more information on MPPE, see RFC 3078 (at http://www.ietf.org/rfc/rfc3078.txt).

MPPP Multilink Point-to-Point Protocol. See MLPPP.

MRRU Maximum Receive Reconstructed Unit. An LCP configuration option used with MLPPP connections. The MRRU specifies the maximum size of a reassembled frame that can be sent over a link. The default value is 1500 octets. A device sets a value in an LCP frame’s MRRU field to indicate to the peer that it wants to establish an MLPPP connection. See also LCP, MLPPP, and PPP.

MRU Maximum Receive Unit. An LCP option that communicates the maximum frame size to be sent over the PPP connection. The default value is 1500 octets. See also LCP and PPP.

MTBF Mean Time Between Failures. A measure of how reliable a hardware product or component is. For most components, the measure is typically in thousands or even tens of thousands of hours between failures.

MTU Maximum Transmission Unit. The largest unit of data that can be sent across a given medium.

Multilink Frame Relay See MLFR.

Multimode Fiber Optical fiber that is designed to carry multiple light rays or groups of light rays (modes) concurrently, each at a slightly different reflection angle within the optical fiber core. Multimode fiber transmission is used for relatively short distances because the modes tend to disperse over longer lengths.


Multiplexing Combining and transmitting multiple signals over a single channel. Also known as “muxing.” The most important type of multiplexing for data transfer is time-division multiplexing (TDM), which is used with digital signals. See also TDM.

Multiplexer Also known as a MUX. A communications device that multiplexes (combines) signals from multiple sources for transmission over a single medium.

M13 Multiplex 1-to-3. A device that converts 28 T1 inputs into a single T3 output.

N

NAT Network Address Translation. An application created to help conserve IP addresses. NAT acts as a gateway between two networks, translating IP addresses used in one network to different IP addresses known within another network. Typically, NAT translates many private network addresses to one or a few public IP addresses. For more information on NAT, see RFC 3022 (at http://www.ietf.org/rfc/rfc3022.txt).

NAT D NAT Discovery. Packets exchanged during IKE phase 1 that include hashes of devices’ source and destination IP addresses and ports. Devices attempting to create a VPN connection can exchange NAT D packets to determine whether and where NAT is used between them. If NAT is used, the peers must use NAT traversal (NAT T) over the VPN connection. See also NAT T.

NAT T NAT Traversal. Provides address and port translation for packets traveling through an IPSec VPN. Because NAT alters information in a packet’s IP header, it can cause the packet to fail IPSec security checks. NAT T encapsulates packets in a UDP/IP header with the translated IP address, leaving the IPSec packet untouched. For more information on NAT Traversal and NAT Discovery, see RFC 3947 (at http://www.ietf.org/rfc/rfc3947.txt).

NCP Network Control Protocol. A group of protocols within the PPP suite. NCPs carry information about how to manage higher-level protocols, primarily Network Layer (Layer 3) protocols. Each Network Layer protocol that can be encapsulated in a PPP frame has a separate NCP with its own configuration options. When establishing a PPP session, peers exchange the NCP for the Network Layer protocol used by the packets that they will send across the link. See also IPCP, IPXCP, PPP, and SNACP.

NEBS Network Equipment Building Standards. A set of technical requirements designed to make central office equipment and switches error proof. These requirements cover spatial, hardware, interface, thermal, fire resistance, handling and transportation, earthquake and vibration, airborne contaminants, grounding, acoustical noise, illumination, EMC, and ESD requirements. NEBS testing is required for vendors who wish to sell equipment to the Regional Bell Operating Companies (RBOCs) and the Competitive Local Exchange Carriers (CLECs). Level 3 testing is the most stringent level of testing.

Network A generic term describing computers that are interconnected and can communicate with each other. Used more specifically, a network divides hosts into groups that can communicate without a router. A packet sent from one host to another host in the same network can be switched to its destination according to information in the Layer 2 header. A packet sent to a host in a different network must be routed by a device (such as a router) that can read the packet’s Layer 3 header. In telecommunications, a network usually refers to infrastructure that provides voice and data transmission to users.

Network Layer Layer 3 of the OSI model. This layer provides switching and routing protocols that control how packets are moved from node to node to their destinations. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control, and packet sequencing.

NEXT Near End Crosstalk. An error condition that can occur when connectors are attached to twisted pair cabling. NEXT is usually caused by crossed or crushed wire pairs and occurs when the conductors inside the wires become exposed. Two conductors only need to be close enough that the radiating signal from one of the wires is able to interfere with the signal traveling on the other wire for the connection to have a crosstalk problem.

NIC Network Interface Card. Hardware that grants a computer the ability to access the network. A NIC is identified by a MAC address.

NIU Network Interface Unit. Also known as the smart jack in the United States. The NIU automatically maintains the WAN connection and allows public carrier employees to perform simple management tasks remotely. The NIU is past the subscriber’s line of demarc and is part of the public carrier’s equipment.

NNI Network-to-Network Interface. A standard that defines the interface between two ATM or Frame Relay switches. Sometimes, however, the interface between a switch in a private network and a switch in a public interface is defined as a user-to-network interface (UNI). See also UNI.

NOC Network Operations Center. A place from which a telecommunications network is supervised, monitored, and maintained. Enterprises with large networks and large network service providers typically have an NOC.

NRM Normal Response Mode. In an HDLC connection between two devices, a secondary device may only transmit when the primary device expressly instructs it to do so. See also HDLC, ABM, ARM.


NT1 Network Termination 1. A device at the physical and electrical termination of the ISDN line. The NT1 monitors the line, maintains timing, and provides power to the ISDN line. This device is purchased and maintained by the subscriber.

NT12 Network Termination 1 2. A device that functions as both an NT1 and an NT2 device.

NT2 Network Termination 2. A device required for PRI ISDN. The NT2 provides switching functions and manages traffic across the multiple B channels.

NVRAM Non-Volatile Random Access Memory. A data-storage medium that retains memory when powered down.

O

OAM Operations, Administration, and Maintenance. OAM ATM cells are sent over a VCI to maintain the link. OAM cells are divided into five levels, and the functions of each level are separate from those of each other level. See also F5 OAM.

OC-1 Optical Carrier-1. In the Synchronous Digital Hierarchy, OC-1 is the base multiple for SONET systems and transmits at 51.84 Mbps.

OC-N Optical Carrier Level N. The fundamental transmission rates for SONET, where N=1 (51.84 Mbps), 3 (155.52 Mbps), 12 (622 Mbps), 24 (1.244 Gbps), 48 (2.488 Gbps) or 192 (9.953 Gbps).

OCU Office Channel Unit. A Central Office (CO) device that is used for direct handling of 56K and 64K DDS services. The OCU is usually a special card incorporated into multiplexers at the CO.

OCUDP Office Channel Unit Data Port. A CO device that provides signal conversion from the transmission rates on the customer side of the local loop to a single DS0 time slot. It provides the interface between Switched 56/64K or DDS interfaces and the telecom infrastructure.

Option Parameters or variables supported by a protocol. For example, the PPP LCP protocol includes options for whether or not peers will use LQR, magic numbers, protocol-field compression, address and control field compression, or an authentication protocol. The MRU option specifies the maximum size for packets sent over the connection.

OS Operating System. A system of software that performs basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories, and controlling peripheral devices. For large systems, the operating system ensures that different programs and users running at the same time do not interfere with each other. The operating system is also responsible for security, ensuring that unauthorized users do not access the system.

OSI Open Systems Interconnection. Developed in 1982, the OSI was a joint effort between ITU-T and ISO to create industry standards for network connections. The OSI model was developed to allow for multi-vendor interoperability and describes seven layers of connectivity.

Figure 2-1. The OSI model: 1 Physical Layer, 2 Data Link Layer, 3 Network Layer, 4 Transport Layer, 5 Session Layer, 6 Presentation Layer, 7 Application Layer

OSPF Open Shortest Path First. A link-state routing protocol typically used within larger networks. OSPF is an interior gateway protocol (IGP), which means that it is used within a single AS. OSPF routers advertise the cost of their connections to networks and to other routers so that they can compile a topology of the network as a whole. Each router then generates a route to each network in the AS. Routers select best routes according to link cost, which is typically based on inverse bandwidth. OSPF is preferred over RIP, an older routing protocol. For more information on OSPF, see RFC 2328 (at http://www.ietf.org/rfc/rfc2328.txt). See also AS, LSA, and RIP.

OUI Organization Unique Identifier. A designation purchased from the IEEE for a network-connected device. The OUI is a 48-bit unique MAC address that specifies a single, specific piece of hardware on your network.


P

Packet A block of data encapsulated within one or more protocol headers. These headers provide information about the packet’s application and about how the packet is to be handled and routed as it travels through the network. A packet that has been encapsulated within a Data Link Layer protocol is called a frame or a cell (ATM).

Packet-filtering Firewall Firewall software that has been configured to screen incoming and outgoing packets at the Network Layer (Layer 3). Packet-filtering firewalls pass or drop packets based on the content of their TCP/IP headers. For example, a firewall may be configured to drop all packets from a certain source or using a certain application.

PAP Password Authentication Protocol. An authentication protocol that is part of the PPP suite. Because PAP authenticates hosts by transmitting unencrypted ASCII passwords over the network, PAP is considered insecure. See also CHAP and EAP.

Password A secret string of characters that allows a user to access a computer or other protected material. Passwords on the ProCurve Secure Router can be plain-text or encrypted using MD5.

PAT Port Address Translation. A NAT technology that allows hosts with multiple private IP addresses to share a single public IP address. PAT maps each host in the LAN to the same global IP address, but to a unique UDP or TCP port number. Return traffic is sent to that port, so it can be forwarded to the correct host.

Payload The data that is encapsulated into a packet and transmitted over a network.

PBR Policy-based Routing. A technique that allows a router to make routing decisions based on policies set by the network administrator instead of purely on destination address. For more information on types of PBR, see RFC 1104 (at http://www.ietf.org/rfc/rfc1104.txt).

PBX Private Branch eXchange. A telephone exchange system that operates on-site and is maintained and owned by the customer.

PCM Pulse Code Modulation. A technique for digitizing analog signals (such as audio or voice signals) by periodically sampling the analog signal and converting the signal’s amplitude to a digital value. PCM samples the signal 8000 times a second; each sample is represented by 8 bits for a total of 64 Kbps. PCM is used in T-, E-, and J-carrier systems.


PDP Policy Decision Point. In QoS-managed systems, a PDP is a server that makes policy decisions. This server has global knowledge of network policies and is consulted by the network devices (like routers) that enforce the policies.

PEM Format Privacy-Enhanced Mail Format. Base64-encoded data surrounded by header lines. Some digital certificates use this format.

PEP Policy Enforcement Point. In QoS-managed systems, a PEP is a device on which policy decisions are carried out—usually a network node like a router or a switch.

PFC Protocol Field Compression. A PPP configuration option that allows routers to agree that they will compress the PPP protocol field into a single octet. See also LCP and PPP.

PFS Perfect Forward Secrecy. A key-establishment protocol used for establishing secure VPN communications—for example, through an IPSec SA. PFS ensures that each new encryption key generated to secure the VPN tunnel does not rely on any previous key. If one encryption key is compromised, only data encrypted by that specific key is compromised.

PHB Per Hop Behavior. A quality of service designation. PHBs define what type of service traffic labeled with a particular DiffServ value should receive. PHB can define such parameters as how much absolute or relative bandwidth is allocated to a certain type of traffic and which traffic is dropped first if a network becomes congested. For information on PHB identification codes, see RFC 3140 (at http://www.ietf.org/rfc/rfc3140.txt). See also DiffServ.

Physical Layer Layer 1 of the OSI model. This layer conveys the bit stream through the network at the electrical and mechanical level. It includes a line’s physical media and defines standards such as those for signaling and frame formatting. Ethernet and ATM are protocols with physical layer components.

PKI Public Key Infrastructure. A system of digital certificates, CAs, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. PKI enables users to privately exchange data using a public infrastructure, like the Internet, by managing keys and certificates. A user obtains a public and private key pair from a trusted CA. The user authenticates itself with a certificate, which includes its identification information, public key, and a CA signature. The user can authenticate messages with its private key. See also CA, digital certificates, and DSS.


PON Passive Optical Network. A system that brings optical fiber cabling and signals all or most of the way to the end user using passive equipment, which saves power and cost. Depending on where the PON terminates, the system can be described as Fiber-To-The-Curb (FTTC), Fiber-To-The-Building (FTTB), or Fiber-To-The-Home (FTTH). See also FTTC, FTTB, or FTTH.

POP Point of Presence. An access point to the Internet. Your ISP or online service provider has at least one POP on the Internet. A POP usually includes routers, digital/analog call aggregators, servers, and, frequently, Frame Relay or ATM switches.

Port The point of physical connection between a device and a circuit. The port’s signaling capacity determines the greatest amount of data that can be transmitted over the connection at any given time.

POTS Plain Old Telephone Service. A term used to describe the analog, voice-only telephone service in the local loop.

PPP Point-to-Point Protocol. A suite of Data Link Layer protocols. PPP connects two peers in an end-to-end link. To establish a PPP session, the two peers must exchange frames, in order, from at least three protocols: LCP, an NCP, and PPP. As its name suggests, PPP is typically used for Internet connections originating from a dial-up line or a high-speed modem. For more information on PPP, see RFC 1661 (at http://www.ietf.org/rfc/rfc1661.txt).

PPPoA Point-to-Point Protocol over ATM. A Data Link Layer network protocol that encapsulates PPP frames in ATM AAL5 cells. PPPoA offers standard PPP features such as authentication, encryption, and compression for cable modem, DSL, or ADSL connections. If used as the connection encapsulation method on an ATM-based network, PPPoA can slightly reduce overhead (around 0.58%) in comparison to PPPoE. For more information on PPPoA, see RFC 2364 (at http://www.ietf.org/rfc/rfc2364.txt).

PPPoE Point-to-Point Protocol over Ethernet. A Data Link Layer network protocol that encapsulates PPP frames inside Ethernet frames. It is used mainly to allow multiple users on an Ethernet network to connect to an ISP using the same cable modem or DSL connection. PPPoE offers standard PPP features such as authentication, encryption, and field compression. For more information on PPPoE, see RFC 2516 (at http://www.ietf.org/rfc/rfc2516.txt).

PPTP Point-to-Point Tunneling Protocol. A protocol that allows organizations to extend their own corporate network through private “tunnels” over the Internet. PPTP encapsulates PPP frames and creates a tunnel for them to travel across the IP network. For more information on PPTP, see RFC 2637 (at http://www.ietf.org/rfc/rfc2637.txt).


Presentation Layer Layer 6 of the OSI model. This layer is responsible for the delivery and formatting of information to the Application Layer for further processing or display. This layer deals with issues such as how strings are represented. It also formats and encrypts data to be sent across a network, providing freedom from compatibility problems. Layer 6 is sometimes called the syntax layer.

PRI Primary Rate Interface. A type of ISDN service offered by public carriers that consists of one 64-Kbps D channel and 23 64-Kbps B channels in North America or 30 64-Kbps B channels in all other countries. The B channels carry data, voice, or video traffic. The D channel is used to carry packet data and to set up and maintain calls on the B channels.

Preshared Key A preshared key is an alphanumeric character string agreed upon by two parties in advance. In IKE negotiations, peers can exchange a preshared key that is between 8 and 255 characters in length to authenticate each other before opening the IKE SA.

Protocol A set of standard rules required to send mutually-coherent information over a communications channel. Each layer of the OSI model can include many different protocols. For example, Data Link Layer protocols include (among others) Ethernet, Frame Relay, PPP, and ATM, and these protocols dictate how links between hosts on a network are initiated, maintained, and terminated.

Protocol Field Compression See PFC.

PSTN Public Switched Telephone Network. The public network that provides switched digital/analog voice and data services to customers.

PTT Public Telephone and Telegraph. State-owned and regulated companies, primarily in Europe, that provide telecom services.

Public Carrier A generic term used to describe the public entity that provides telephone services, as well as data communications services like DSL and ISDN. The public carrier may be private or government-owned.

PVC Permanent Virtual Circuit. A logical connection between two nodes. A PVC is a virtual circuit established for repeated use between the same data terminal equipment (DTE). Like a dedicated physical connection, a PVC is an always-open connection between two endpoints. However, the actual physical path that frames take over the PVC may vary. PVCs are used in Frame Relay networks, where each PVC is identified by a DLCI and in ATM networks, where each PVC is identified by a VCI/VPI.


Q

QoS Quality of Service. The “quality” of the packet forwarding service provided to a packet. A value set in the packet’s ToS field can request a specific level of QoS. QoS mechanisms regulate and manage traffic across a WAN link to lower latency for high-priority packets and to increase the quality and speed of data transmissions. QoS mechanisms include queuing methods, buffering, dropping of excess traffic, and traffic shaping. For more information on current QoS architecture, see RFC 2990 (at http://www.ietf.org/rfc/rfc2990.txt). See also DiffServ, FRTS, GTS, IP precedence, LLQ, and WFQ.

QSIG Q SIGnaling. A channel-signaling protocol based on ISDN Q.931 standards and used by many digital PBXs. QSIG is used to establish and release calls and to control many call features.

R

R-interface In an ISDN network connection, the R interface connects the TE2 to the TA.

RADIUS Remote Authentication Dial-In User Service. An AAA protocol that allows a server to store all the security information for a network in a single, central database. The server stores and manages user information so that it can authenticate these users. The server also maps users to the services that they are allowed to access. For more information on RADIUS, see RFC 2865 (at http://www.ietf.org/rfc/rfc2865.txt).

RADSL Rate Adaptive DSL. By using DMT modulation, RADSL can adapt to varying line conditions to maximize the transmission speed on a particular line. Since standard ADSL also does this, there is little difference between RADSL and ADSL.

RAL Ringer Approximated Loading. See REN.

RAS Remote Access Server. A server that is dedicated to handling users that are not on a LAN but need remote access to it. The remote access server allows users to gain access to files and print services on the LAN from a remote location.

RBOC Regional Bell Operating Companies. The United States’ Regional telephone companies (or their successors) that were created as a result of the breakup of American Telephone and Telegraph Company (AT&T, known also as the Bell System) by a United States Federal Court consent decree on December 31, 1983. The seven original RBOCs were Ameritech, Bell Atlantic, BellSouth, NYNEX, Pacific Bell, Southwestern Bell, and US West. Each of these companies owned at least two Bell operating companies. The BOCs were given the right to provide local phone service while AT&T was allowed to retain its long distance service. The RBOCs and their constituent BOCs are LECs.

RBS Robbed-Bit Signaling. A signaling standard used by T-carrier lines. The least significant bit in the 6th and 12th frame (of a SuperFrame T1) and the 18th and 24th frame (of an Extended SuperFrame T1) are “robbed” and used as signaling bits.

RC5 Rivest Cipher 5. A symmetric encryption algorithm supported by IPSec. RC5 is a block cipher with variable key length up to 2040 bits.

READSL Reach Extended ADSL. A form of ADSL that is delivered over very long twisted pairs and provides DSL service to rural areas. Most commonly available in France.

REN Ringer Equivalency Number, also called Ringer Approximated Loading (RAL). An arbitrary number that denotes the telephone ringer loading on the line. A ringer equivalency number of 1 represents the loading effect of a single “traditional” telephone ringing circuit. Modern telephone equipment may have a REN significantly lower than 1. For example, you may have a cordless phone with a REN equivalency of .35, and attached to the same line you have another older phone with a REN of 1. The total REN is the sum of all RENs on the line. The total REN on one line must not exceed 5 in the United States, or 4 in the UK on BT lines.

Repeater An electronic device that receives weak or low-level signals and retransmits them with a higher signal level so that the signal can cover longer distances without degradation.

RFC Request For Comment. The core method of publishing Internet specifications. RFCs are a series of technical documents submitted to IETF and published on the Internet. An Internet Document can be submitted to the IETF by anyone, but the IETF decides whether the document becomes an RFC. Eventually, if it gains enough interest, the RFC may evolve into an Internet standard.

RIB Routing Information Base. In BGP, the RIB is a database table of entries that identifies a destination address, the next hop to which packets should be forwarded to reach that destination, and the routing metric. The metric is used to determine the best route for a particular packet or class of packets; it may be based on characteristics of a route, such as its delay properties or its expected error rate. The RIB may contain information about more than one next hop to the same destination if it is important to be able to send packets over different paths. See also BGP.


RIP Routing Information Protocol. A routing protocol that manages routing information within a self-contained network such as a LAN or an interconnected group of LANs. RIP is an older routing protocol, best suited for smaller networks, that selects best routes based on lowest hop count. For more information on RIP, see RFC 2453 (at http://www.ietf.org/rfc/rfc2453.txt).

RJ-11 Registered Jack 11. A four- or six-wire connector used primarily to connect telephone equipment in the United States. RJ-11 connectors are also used to connect some types of local-area networks (LANs), although RJ-45 connectors are more common.

RJ-11 Connector

Pin   Description
1–2   Unused
3     Ring
4     Tip
5–6   Unused

RJ-45 Registered Jack 45. A modular 8-wire jack/connector used with copper cable having four twisted pairs.

WAN/LAN connector

RJ-45 connector—uses two twisted pairs

Pin   T=tip, R=ring, P=pair
1     TX1, transmit positive
2     TX2, transmit negative
3     RX1, receive positive
4     —
5     —
6     RX2, receive negative
7     —
8     —

RJ-48C Registered Jack 48C. A miniature 8-position keyed jack/connector used with cable having four twisted-pairs. The connector itself is slightly smaller than the RJ-45 and is often used for T1 or E1 connections.

T1 Carrier-line connector

RJ-48C connector—uses pins 1, 2, 4, and 5

Pin   T=tip, R=ring, P=pair
1     R (transmit data toward DTE)
2     T (transmit data toward DTE)
3     —
4     R1 (receive data from DTE)
5     T1 (receive data from DTE)
6     —
7     —
8     —

RMON Remote MONitoring. A standard that allows administrators to monitor and manage network equipment remotely. RMON enables various network monitors and console systems to exchange network monitoring data using SNMP and MIBs.


Router A device that forwards data packets from one network to another. A router connects at least two different networks. A WAN router often connects LANs to WANs or to an ISP. A router uses a packet’s Layer 3 header to determine the route over which it should send it. The router uses its routing table, which can be configured manually or generated using routing protocols, to determine the best routes for forwarding packets.

RPS Redundant Power Source. A power source that becomes active should the primary power source fail. The RPS ensures the router’s continued operation during a power outage or other power service interruption.

RSA Rivest-Shamir-Adleman. A public-key, or digital signature, encryption technology developed by RSA Data Security, Inc. The RSA algorithm is based on the fact that there is no efficient way to factor very large numbers. Deducing an RSA key, therefore, requires an extraordinary amount of computer processing power and time. RSA supports keys between 1024 and 2048 bits in length. RSA keys can be used for signing digital certificates.

RSVP Resource reSerVation Protocol. An NCP in the PPP protocol suite that enables Internet applications to request differing QoS for various data flows. RSVP works with routing protocols to provide IP networks with the capability to support differing application types. For more information on RSVP, see RFC 2205 (at http://www.ietf.org/rfc/rfc2205.txt).

S

S-interface The connection from the TE1 or TA to the NT2 in an ISDN network. The S-interface uses a four-wire/two twisted pair connection. The S- and T-interfaces are often combined into the S/T-interface.

SA Security Association. In IPSec, the SA defines the tunnel, or secure VPN connection, between two peers. The SA includes information for managing the tunnel, such as encryption and authentication keys for securing data and an SPI for identifying the SA. If IKE is used to negotiate the SA, then a preliminary SA, called the IKE SA, is established so that the permanent SA, called the IPSec SA, can be negotiated securely. If both AH and ESP are used to secure IPSec packets, then each protocol must use a separate SA.

SAPI Service Access Point Identifier. A standardized value in LAPD frames that identifies the ISDN service associated with the signaling frame.

SC-connector A square-like fiber optic connector with a push-pull latching mechanism that provides quick insertion and removal while also ensuring a positive connection.

Figure 2-2. SC connector

SCEP Simple Certificate Enrollment Protocol. A Cisco protocol that, used with LDAP, streamlines the process of acquiring a certificate from a CA. SCEP allows network devices to be issued certificates automatically in a scalable manner.

SCSI Small Computer Systems Interface. A parallel interface standard for attaching peripheral devices to computers.

SDH Synchronous Digital Hierarchy. The signal hierarchy for fiber optic networks outside of North America and Japan. SDH is a standard technology for synchronous data transmission on optical media. Both SDH and SONET technologies provide faster and less-expensive network interconnection than traditional Plesiochronous Digital Hierarchy equipment. See also SONET.

SDLC Synchronous Data Link Control. The exclusive transport protocol for an SNA network. A version of HDLC.

SDSL Symmetric DSL. A single-pair version of HDSL. SDSL is based on ISDN with 2B1Q, but is a symmetric DSL. SDSL provides bandwidth for downstream and upstream traffic of up to 2.3 Mbps each. SDSL standards are not interoperable and vary with the carrier.

Serial A connection between two devices over which information is transferred FIFO, one bit at a time.

Session Layer Layer 5 of the OSI model. This layer establishes, manages and terminates connections between applications. The Session Layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the applications at each end. It allows information on different streams, perhaps originating from different sources, to be properly combined. In particular, the Session Layer deals with synchronization issues.

SHA-1 Secure Hash Algorithm 1. A hash algorithm that produces a 160-bit message digest. SHA-1 improves on MD5, an earlier, still widely used hash function. In an IPSec VPN, AH can use SHA-1 to authenticate a packet.

SHDSL Symmetric High Bit Rate DSL. SHDSL provides a guaranteed level of high symmetric bandwidth and low interference with other telecommunications services. SHDSL is a single-wire HDSL and is also called G.SHDSL. SHDSL provides a higher transmission speed than HDSL2 or SDSL over longer distances. SHDSL is adaptive and has the capability to determine the highest possible transmission speed when initialized.

Showtime For ADSL, the time after the training phase during which the router and the DSLAM establish an ADSL connection and exchange physical-layer packets. At this point, the two devices have not yet begun to exchange ATM cells or to communicate at the Data Link Layer.

Single Mode Fiber Optical fiber that carries data using a single ray (or mode) of light. Single mode fiber is used for long-distance signal transmission.

SIP Session Initial Protocol. An Application Layer control protocol that hosts use to establish sessions for exchanging packets with multimedia data. SIP enables such features as audio/videoconferencing, interactive gaming, and call forwarding to be deployed over IP networks. It also enables service providers to integrate basic IP telephony services with Web, e-mail, and chat services. Although, in theory, SIP is a user-to-user protocol, in practice, SIP relies on proxy and register servers, which help the user initiating a session to find the intended remote user. For more detailed information on SIP, see RFC 3261 (at http://www.ietf.org/rfc/rfc3261.txt).

SLA Service Level Agreement. A Frame Relay contract between the subscriber and service provider that specifies the amount of bandwidth that a PVC is guaranteed (the CIR) when the network is congested. The SLA can also specify such parameters as how far past the CIR traffic is allowed to burst when the network is not congested (the EIR).

SMART Jack Self-Monitoring, Analysis, and Reporting Technology jack. An access port to public carrier services. The smart jack is usually owned and maintained by the service provider. See NIU.

SMB Small-to-Medium Business. Typically, a company with fewer than 250 employees.

SMDS Switched Multimegabit Data Service. A type of high-speed packet-switched data communications service that operates at T1 or T3 speeds. SMDS uses the SIP protocol to encapsulate packets into cells for transport.

SNA Systems Network Architecture. IBM’s proprietary mainframe-to-terminal networking architecture. Developed and implemented in the 1970s, SNA maps to all seven layers of the OSI model.

SNACP SNA Control Protocol. An NCP in the PPP protocol suite that is used to establish a point-to-point connection between hosts sending SNA packets. For more information on SNACP, see RFC 2043 (at http://www.ietf.org/rfc/rfc2043.txt).

SNMP Simple Network Management Protocol. An Application Layer protocol that supports the exchange of management information between network devices. An SNMP network consists of agents, managed devices, and network-management systems. Hierarchically organized information about network devices is stored in and accessed from a management information base (MIB). For more information on SNMP, see RFC 1157 (at http://www.ietf.org/rfc/rfc1157.txt).

SNR Signal-to-Noise Ratio. The ratio of the amplitude of a desired analog or digital data signal to the amplitude of noise in a transmission channel. The SNR measures the quality of a transmission channel or of an audio signal over a network channel. ADSL devices periodically measure a line’s SNR to determine whether the line needs to be taken down and retrained.

SONET Synchronous Optical NETwork. The ANSI standard for synchronous data transmission on optical media. The equivalent international standard is SDH. Complementary standards set by SDH and ANSI allow digital networks to interconnect internationally. The standards also allow existing transmission systems to take advantage of optical media through tributary attachments. SONET is backward compatible with T-carrier lines. See also SDH.

Table 2-4. SONET and SDH digital hierarchies

| SONET STS designator | SONET OCX designator | SDH STM designator | Line rate (Mbps) | Overhead rate (Mbps) | Payload rate (Mbps) |
|---|---|---|---|---|---|
| STS-1 | OC-1 | — | 51.840 | 1.728 | 50.112 |
| STS-3 | OC-3 | STM-1 | 155.520 | 5.184 | 150.336 |
| STS-12 | OC-12 | STM-4 | 622.080 | 20.736 | 601.344 |
| STS-48 | OC-48 | STM-16 | 2488.320 | 82.944 | 2405.376 |
| STS-192 | OC-192 | STM-64 | 9953.280 | 331.776 | 9621.504 |

SPI Security Parameters Index. An arbitrary value that uniquely identifies an SA; the SPI is used by VPN peers to match packets to keys contained in that SA. Peers agree on the SPI when they negotiate the IPSec SA. When a peer secures a packet to be sent over an IPSec SA, it adds the corresponding SPI to the packet’s ESP or AH header. When a device receives a packet over a VPN tunnel, it reads the packet’s SPI to determine which keys to use to authenticate and decrypt the packet.

SPID Service Profile IDentifications. A unique identifier used to identify a particular ISDN line and the service and features that line provides. The SPID is generally a 10+ digit number that includes the LDN.

Splitter A splitter electronically isolates the lower frequencies of the telephone signal from the higher frequencies of the DSL signals. Typically, the CO contains the splitter. Splitters are also used to run dedicated wiring for a DSL signal because they physically isolate the DSL wiring from the POTS wiring.

SROS Secure Router Operating System. The operating system that allows a user to configure the ProCurve Secure Router.

SSH Secure SHell. A program/network protocol that allows a user to log into another computer over a network, execute commands in the remote machine’s OS, and move files from one machine to another. SSH provides strong authentication. It secures communications over insecure channels and can be used when tunneling. For more information on SSH, see the Internet Draft at http://www.free.lp.se/fish/rfc.txt/.

SSL Secure Sockets Layer. SSL is a protocol for securing the transmission of messages over the Internet. SSL works by using asymmetric keys to encrypt message data.

SS7 Signaling System 7. SS7 is a type of out-of-band signaling that supports the call-establishment, billing, routing, and information-exchange functions of the PSTN. It is used to set up and tear down the vast majority of telephone calls.

ST Connector A fiber-optic cable connector that uses a bayonet plug and socket. The ST connector was the first de-facto standard connector for most commercial fiber optic wiring.

Figure 2-3. ST connector

Stateful Inspection Firewall A firewall that screens incoming traffic on several OSI layers. The stateful-inspection firewall monitors each session to make sure that it is legitimate. Stateful-inspection firewalls also use an advanced packet-filtering technology to detect suspicious activity and to drop packets prohibited by an organization’s policies. Many network security experts recommend stateful-inspection as the most trusted firewall technology.

S/T Interface A common way of referring to either S or T Interfaces, which are often combined in ISDN connections. This interface connects TE1 or a TA directly to a PRI ISDN NT2 device or a BRI ISDN NT1 device. ISDN devices outside of North America usually provide an S/T interface to communicate with the service provider, which supplies the NT2 and/or NT1.

STM STatistical Multiplexing. A method that service providers use to multiplex packets and send the datagrams FIFO. Statistical multiplexing is similar to time-division multiplexing (TDM), except that rather than arbitrarily assigning a time slot to each signal, each signal is assigned a slot according to priority and need. Statistical multiplexing ensures that timeslots will not be wasted, but it consumes time and processes.

STP Shielded Twisted Pair. A kind of copper wiring where each twisted pair is covered in an insulating tube. The covering is designed to protect the wire from electromagnetic interference and functions as a ground. This extra protection, however, limits the wire’s flexibility.

Straight-through Cable A cable that has each internal twisted pair of wires connected to the same pin number at each end.

SVC Switched Virtual Circuit. A temporary physical circuit that is created when a connection is established and that is relinquished after the connection is terminated. The connection path is different each time the subscriber connects. This connection is most often used for dial-up WAN access like ISDN lines.

SYN Synchronize. One of the TCP flags, used when initiating a session to set the first sequence number for the packets that will be transmitted during the session. A circuit-level gateway monitors packets with SYN-flags to determine whether a requested session is legitimate.

Synchronous Transmission A method of data transmission that allows bits to be sent in a continuous stream; the beginning of one character is contiguous with the end of the preceding one. The separation of characters requires the receiver to maintain synchronization with a master timing source.

T

T-interface Connects the NT1 to the NT2 in an ISDN network. The T-interface is a four-wire/two twisted pair connection. Outside North America, the T-interface is the first interface at the subscriber’s premises.

T1-carrier line A carrier-line that carries speech or data at the DS-1 rate. T1 lines operate with 24 DS0 channels of 64 Kbps each for a total of 1.544 Mbps bandwidth.

T3 A digital carrier signal designed to transmit speech or data at the DS-3 rate. T3 lines transmit data with 28 multiples of T1 bandwidth (1.544 Mbps each) for a total of 44.736 Mbps.

TA Terminal Adapter. A device that converts TE2 analog signals into ISDN-ready digital signals.

TACACS+ A client/server protocol that transports data between a TACACS+ client and server. The TACACS+ server contains a database of information on network hosts and users. It provides a client authentication at the client’s request. TACACS+ can also provide a client authorization to access certain network applications, and TACACS+ can log, or account, for clients’ activity. TACACS+ allows independent handling of the aspects of AAA. For more information on the original TACACS protocol, see RFC 1492 (at http://www.ietf.org/rfc/rfc1492.txt). See also AAA.

TCP Transmission Control Protocol. An OSI Transport Layer protocol that is part of the IP protocol suite. TCP allows applications on networked hosts to create connections to one another over which they can exchange data. TCP guarantees reliable and in-order data delivery. TCP also distinguishes data for multiple, concurrent applications (e.g. a web server and an email server) running on the same host. TCP protocols include, among many others, HTTP, email, and SSH. For more information on TCP, see RFC 793 (at http://www.ietf.org/rfc/rfc0793.txt).

TDM Time Division Multiplexing. A type of digital multiplexing that allows multiple signals to share the same physical line. TDM interleaves pulses representing bits from different channels into a bit stream. Each DS0/E0 channel receives an equal slice of time in a rotating, repeated sequence. The receiving device can derive the two or more channels from the bit stream.

TEI Terminal Endpoint Identifier. A field in an LAPD signaling frame that identifies the terminal endpoint on the subscriber’s ISDN line. TEIs can be statically or automatically assigned.

Telco American slang for the telephone company.

Telnet TELephone NETwork. A TCP/IP protocol/program. The purpose of the Telnet Protocol is to provide a fairly general, bi-directional, 8-bit byte-oriented communications facility. It is typically used to provide user-oriented command line login sessions between hosts on the Internet. The name “Telnet” came about because the protocol was designed to emulate a single terminal attached to the other computer. For more information about the Telnet protocol, see RFC 854 (at http://www.ietf.org/rfc/rfc0854.txt).

TE1 Terminal Equipment 1. Equipment that can be directly connected to the ISDN line (often using an S/T Interface). Examples include ISDN phones, routers, ISDN computers, digital phones, and digital fax machines.

TE2 Terminal Equipment 2. ISDN equipment that requires a connection to a TA before being connected to the NT1 or NT2. Examples are PCs with EIA 232 interfaces and analog telephones and fax machines.

TFTP Trivial File Transfer Protocol. A protocol that uses UDP to transmit and receive files and provides no security features. TFTP is often used by servers to boot diskless workstations, X-terminals, and routers. It can also be used as a file server. For more information about TFTP, see RFC 1350 (at http://www.ietf.org/rfc/rfc1350.txt).

Timeslot A placeholder for network traffic; a window of time that can be reserved for a particular transmission. Because channels in T1/E1 connections use TDM, channels are considered timeslots since each channel gets an equal amount of time to transmit.

ToS Type of Service. An 8-bit header field in IPv4 packets, which allows you to mark traffic for special handling. Two standards define how the ToS field defines traffic: IP precedence, the original standard for using this field, and DiffServ. For more information about the ToS field in the IP header, see the RFC 791 on IP (at http://www.ietf.org/rfc/rfc0791.txt). See also IP precedence and DiffServ.

Transform Set A combination of security protocols, algorithms, and other settings that will be applied to IPSec-protected traffic. During the IPSec SA negotiation, the VPN peers agree to use a particular transform set when protecting a particular data flow. See also SA.

Transport Layer Layer 4 of the OSI model. The purpose of the Transport Layer is to provide transparent data transfer between end users. This layer is also responsible for end-to-end error recovery and flow control.

Tunnel A virtual point-to-point connection in which data is encrypted and encapsulated at one endpoint for secure transmission across a public or untrusted network, and de-encapsulated and decrypted at the receiving endpoint.

U

UBR Unspecified Bit Rate. An ATM bandwidth-allocation service that does not guarantee any throughput levels and uses only available bandwidth. UBR is often used when transmitting data that can tolerate delays.

U-interface In an ISDN connection, the U-interface is the connection between the local loop and NT1. For BRI ISDN, the U-interface is one twisted pair. For PRI ISDN, the U-interface is two twisted pairs. There is only one U-interface on an ISDN network.

UDP User Datagram Protocol. A stateless protocol that is part of the IP protocol suite. Using UDP, programs on network computers can send datagrams to one another. UDP does not provide the reliability and ordering guarantees that TCP does; datagrams may arrive out of order or go missing without notice. However, UDP is faster and more efficient for many lightweight or time-sensitive programs. For more information about UDP, see RFC 768 (at http://www.ietf.org/rfc/rfc0768.txt).

UNI User to Network Interface. A term used in ATM and Frame Relay networks, UNI is the interface between the ATM or Frame Relay end user and a private ATM/Frame Relay switch. It also can represent the interface between a private ATM/Frame Relay switch and the public carrier ATM/Frame Relay network.

UTP Unshielded Twisted Pair. A common form of wiring in which two conductors are wound around each other for the purposes of canceling out electromagnetic interference, which can cause crosstalk. The number of twists per meter makes up part of the specification for a given type of cable. The greater the number of twists, the more crosstalk is reduced. UTP is an unshielded form of twisted pair wiring and is the primary wire type for telephone usage. UTP is also common for computer networking, especially in patch cables or temporary network connections.

V

VBR Variable Bit Rate. A quality of service setting. VBR encoding varies the amount of output data in each time segment based on the complexity of the input data in that segment. The goal is to maintain constant quality instead of maintaining a constant data rate. VBR is preferred for storage (as opposed to streaming) because it makes better use of storage space. See also CBR.

VC Virtual Circuit. A circuit or path between points in a network that appears to be a discrete, physical path, but is not. The VC is actually a managed pool of circuit resources from which specific circuits are allocated, as needed, to meet traffic requirements.

VCI Virtual Channel Identifier. A 16-bit field in an ATM cell’s header that identifies the cell’s next destination. The VCI is similar to the DLCI in a Frame Relay network.

VDSL Very high bit rate DSL. VDSL runs on fiber optic, providing extremely high-speed WAN connections. VDSL is ideal for HDTV and supports data, video, and voice transmissions simultaneously. VDSL can transmit data symmetrically or asymmetrically.

VLAN Virtual Local Area Network. The IEEE 802.1Q standard enables you to group users by logical function rather than by physical location. By creating VLANs on switches, you can segment networks into smaller broadcast domains, enhance network security, and simplify network management.

VP Virtual Path. In an ATM connection, the VP is a bundle of virtual channels that have the same endpoint.

VPI Virtual Path Identifier. An eight-bit field in the ATM header that identifies the virtual path through an ATM network to which the packet belongs.

VPN Virtual Private Network. A virtual point-to-point connection that transfers data over the public telecommunication infrastructure while maintaining privacy through the use of a tunneling protocol and security procedures. A VPN has comparable security with a system of owned or leased lines that can only be used by one company. For more information about VPNs, see RFC 2764 (at http://www.ietf.org/rfc/rfc2764.txt). See also IPSec.

VRRP Virtual Router Redundancy Protocol. VRRP is a protocol that allows routers to work together to ensure hosts always have a default gateway. Instead of designating a single default gateway router, VRRP defines a group of routers as one “virtual router,” which acts as the default gateway to the hosts. The group of routers is set up in a hierarchy where a subordinate router may take over as master router in the event of a master router failure. For more information about VRRP, see RFC 3768 (at http://www.ietf.org/rfc/rfc3768.txt).

V.35 An ITU standard for high-speed synchronous data exchange. In the United States and Canada, V.35 is the interface standard most public carriers use to connect routers to a standalone CSU/DSU.

W

WAN A high-speed network within a wide geographical area (usually larger than a city or metropolitan area) that shares data, programs, or equipment.

WFQ Weighted Fair Queue. A queuing mechanism where the administrator is able to create multiple queues for different traffic classes and assign a “weight” value to each queue in proportion to its traffic priority level. See also QoS.

Wildcard Bits Wildcard bits use reverse logic to allow the user to specify bits within an IP address that must match (0) and that do not need to match (1).

WRED Weighted Random Early Discard. A quality of service congestion-avoidance mechanism. WRED begins to discard packets before the queue reaches full capacity in order to slow TCP traffic. Packets to be dropped are chosen according to assigned traffic classes and priorities, and the dropped packets signal the TCP server to slow the transmission rate. See also QoS.

X

X-Authentication Between phase one and phase two of IKE negotiations, X-authentication is the process of authenticating the host that is originating the transmission to the network. IKE normally authenticates only the WAN gateway.

xDSL X-type DSL. A term that collectively refers to the different types of DSL.

X.21 A type of physical and electrical interface that uses two types of circuits: balanced (X.27/V.11) and unbalanced (X.26/V.10). CCITT X.21 uses the DB-15 connector. The physical interface between the DTE and the local PTT-supplied DCE is defined in ITU-T recommendation X.21. The DCE provides a full-duplex, bit-serial, synchronous transmission path between the DTE and the local service provider. It can operate at data rates from 600 bps to 64 Kbps.

X509 An ITU-T standard for defining digital certificates. X509 is the signing system used for SSL. See also PKI.

Master Index

B = Basic Management and Configuration Guide
A = Advanced Management and Configuration Guide

Numerics
100Base-T cable … B:3-2
10Base-T cable … B:3-2
2B1Q line coding, for BRI ISDN … B:8-9, A:3-7, A:3-9
802 Slow Protocol frame … A:12-3
802.1Q
  encapsulation … B:3-18
  support for … B:3-15
  tag … B:3-15
802.1X protocol … B:2-40

A
AAA subsystem
  accounting … B:2-25
    assigning named list … B:2-26
    named list for … B:2-25
  advantages of … B:2-15
  authentication
    assigning named list … B:2-20
    banner … B:2-21
    configuring … B:2-16
    failure message … B:2-21
    named list for enable mode … B:2-16
    named list for management access … B:2-18
    prompts … B:2-21
  authorization … B:2-23
    assigning named list … B:2-24
    enabling for console line … B:2-24
    named list for … B:2-23
  configuring through CLI … B:2-14
  configuring through Web browser interface … B:14-27
  criteria for failure … B:2-19
  debug command for … B:2-35
  enabling … B:2-15
  RADIUS server … B:2-27
  TACACS server … B:2-31
  troubleshooting … B:2-35
  using with Xauth … A:8-50, A:8-51
AAL … B:7-20
AAL5SNAP … B:7-20
ABM … B:6-39
access control
  AAA subsystem … B:2-14
  ACLs and ACPs … A:5-4
  management access to router … B:2-4
access policy sessions
  clearing … A:5-54
  viewing … A:5-52
accounting
  with AAA subsystem … B:2-25
ACL
  action taken … A:5-34
  applying directly to interface … A:5-6
  applying to interface … A:5-18
  clear counters … A:5-56
  command syntax … A:5-8
  creating … A:5-8
  debug … A:5-56
  defined … A:5-4
  deleting … A:5-18
  descriptive tag … A:5-17
  different from ACP … A:5-5
  editing … A:5-17
  entry order … A:5-15
  examples … A:5-23
  extended
    command syntax for entry … A:5-11
    defined … A:5-7
    destination address … A:5-12
    destination port … A:5-13
    for demand routing … B:8-19, A:3-18
    implicit "deny any" … B:8-21
    log option … B:8-21, A:5-15
    packet bits … A:5-15
    permit entry … A:5-11
    source address … A:5-12
    source port … A:5-13
    specify protocol … A:5-12
  for FTP access … A:5-21
  for HTTP access … A:5-21
  for NAT … A:6-8
    many-to-one … A:6-9
    one-to-one … A:6-10, A:6-12

  for VPN traffic
    applying to crypto map … A:8-38, A:8-45
    configuring … A:8-35
    matching an outgoing packet … A:8-22
    restricting traffic … A:8-36
    troubleshooting … A:8-75
  implicit deny any … A:5-10
  processing entries in … A:5-15
  QoS … A:7-13
    CBWFQ … A:7-23
    LLQ … A:7-38
    packet marking … A:7-45
  standard
    command syntax for entry … A:5-9
    defined … A:5-7
    deny entry … A:5-9, A:5-11
    log … A:5-11
    specifying source address … A:5-9
  troubleshooting … A:5-54
  viewing … A:5-49
ACP
  ACL
    as traffic selector … A:5-35
    configure … A:5-26
    extended … A:5-31
    standard … A:5-28
  assign to interface … A:5-37, A:6-15
  command syntax for … A:5-35
  configuring with Web browser interface … A:14-30
  configuring, for NAT … A:6-13
  creating … A:5-35
  defined … A:5-4
  different from ACL … A:5-5
  editing … A:5-36
  entry
    command syntax for … A:5-36
    importance of order … A:5-38
  examples of … A:5-46
  flow chart … A:5-42
  for Telnet access … A:5-22
  implicit “discard all” … A:5-35
  logging matches … A:4-26
  monitoring connections … A:6-20
  processing … A:5-38
  summary of action taken … A:5-41
  traffic flow through interface … A:5-43
  viewing … A:5-49
    active sessions … A:5-52
    for NAT … A:6-16
    statistics … A:5-53, A:6-18
administrative distance
  default, for OSPF … B:13-36
  default, for static and dynamic routes … B:11-11, B:13-11
  in floating static route … B:11-16
  selecting routes based on … B:11-8
  setting, for BGP routes … B:13-105
  specifying … B:11-15
ADSL
  ADSL Lite … B:7-10
  ADSL2 … B:7-5
  ADSL2+ … B:7-5
  Annex A … B:7-8, B:7-9
  Annex B … B:7-8, B:7-9
  distance supported … B:7-5
  downstream traffic … B:7-4
  DSLAM … B:7-7
  elements of, connection … B:7-6
  infrastructure … B:7-7
  READSL2 … B:7-6
  See also ADSL interface
  showtime … B:7-13
  splitterless … B:7-10
  splitters … B:7-9
  upstream traffic … B:7-4
ADSL interface
  accessing … B:7-12
  activating … B:7-13
  binding to ATM interface … B:7-27
  configuring through CLI … B:7-12
  configuring through Web browser interface … B:14-61
  Data Link Layer for … B:7-7, B:7-17
  debug commands … B:7-47
  force retraining … B:7-16
  port number … B:7-12
  See also ADSL
  slot number … B:7-12
  SNR-Margin … B:7-15
  SNR-margin monitors … B:7-16
  training mode … B:7-13, B:7-15
  troubleshooting … B:7-46
  viewing status of … B:7-41

ADSL module
  ADSL2+ Annex A … B:7-11
  ADSL2+ Annex B … B:7-11
  supported standards … B:7-11
AF … A:7-22
  DiffServ values … A:7-22
  DSCP … A:7-22
AF traffic classes … A:7-8, A:7-9
  DiffServ values … A:7-9
  subclasses … A:7-9, A:7-21
AH
  authenticating a packet … A:8-6
  finding algorithm used by peer … A:8-84
  header … A:8-5
  incompatibility with NAT-T … A:8-32
  manually defining key for … A:8-67, A:8-68
  specifying algorithm for … A:8-41, A:8-65
ALG
  configuring … A:4-18
  definition of … A:4-7
  FTP … A:4-19
  H.323 … A:4-19
  PPTP … A:4-20
  SIP … A:4-19
  supported by ProCurve Secure Router … A:4-8
algorithm … A:8-6
  See also encryption algorithm and hash algorithm
analog backup … A:3-5
  See also modem interface and backup
application-level gateway
  See ALG
area border router
  See OSPF, ABR
ARM … B:6-39
AS
  definition of … B:13-7
  routing between … B:13-7, B:13-65
  with OSPF … B:13-35
ASBR
  See OSPF, ASBR
assured forwarding
  See AF
asymmetric DSL
  See ADSL
Asynchronous Balanced Mode … B:6-39
Asynchronous Response Mode … B:6-39
ATM adaptation layer … B:7-20
ATM interface
  activating … B:7-17
  binding to ADSL interface … B:7-27
  configuring through Web browser interface … B:14-63
  creating … B:7-17
  subinterface
    AAL configuration … B:7-20
    activating … B:7-19
    as a DHCP client … B:7-21
    as an unnumbered interface … B:7-24
    binding to PPP for PPPoA … B:7-38
    binding to PPP for PPPoE … B:7-33
    configuring … B:7-18
    creating … B:7-18
    debug commands … B:7-49
    IP address … B:7-20
    OAM … B:7-26
    PVC … B:7-18, B:7-19
    RBE … B:7-40
    troubleshooting … B:7-49
    viewing status of … B:7-44
    VPI/VCI … B:7-19
  troubleshooting … B:7-48
  troubleshooting OAM … B:7-49
  viewing status of … B:7-44
attack checking … A:4-6, A:4-9
  Denial of Service … A:4-10
  drop packets … A:4-9
  enabling firewall … A:4-14
  logging attacks … A:4-26
  optional checks … A:4-15
  reflexive traffic … A:4-12, A:4-16
  SYN-flood attack check … A:4-16
  types of attacks … A:4-9, A:4-14
  WinNuke attack check … A:4-15
authentication
  failure of AAA methods … B:2-19
  RADIUS server … B:2-27
  TACACS+ server … B:2-31
  with AAA subsystem … B:2-16
Authentication Header
  See AH
authorization
  with AAA subsystem … B:2-23
auto MDIX, Ethernet ports … B:3-2
autonomous system
  See AS


AutoSynch™ … B:1-34
  configuring with Web browser interface … B:14-5, A:14-5
  enabling … B:1-60, A:1-19
  troubleshooting … B:1-70

B

B channel for ISDN … B:8-4
backup
  choices for configuring … A:3-11, A:3-14
  demand routing for … A:3-12
    See also demand routing
  failover conditions … A:3-11
  LEDs … B:1-25
  module … B:1-19
  persistent backup connections … A:3-14
    backup call modes … A:3-62
    described … A:3-14
    dial list … A:3-63
    dial-up process … A:3-60
    example of … A:3-17
    floating static route for … A:3-67
    IP address for PPP interface … A:3-56
    monitoring dial-up … A:3-87
    multiple … A:3-69
    PPP authentication … A:3-56
    PPP interface … A:3-55
    primary connection settings … A:3-58
    troubleshooting … A:3-84
    viewing dial list … A:3-86
basic mode context … B:1-36
  clear commands … B:1-39
  commands … B:1-39
  show commands … B:1-41
BGP … B:13-65, B:13-104
  advantages … B:13-65
  advertising a network … B:13-71, B:13-170
  clear session … B:13-164
  compared to RIP and OSPF … B:13-9
  configuration examples … B:13-106
  configuration tasks … B:13-68, B:13-70
  default administrative distance … B:13-11
  enabling … B:13-70
  exterior gateway protocol … B:13-7
  intervals … B:13-106
  load balancing … B:13-74, B:13-76, B:13-84
  local AS … B:13-73
    advertising external traffic … B:13-170
    viewing … B:13-167
  messages … B:13-68
  multihoming … B:13-67, B:13-82
    troubleshooting … B:13-172
  neighbor … B:13-68
    configuration … B:13-72
    neighbor ID … B:13-72, B:13-167
    troubleshooting … B:13-166
    viewing … B:13-162, B:13-168
  policies, examples of … B:13-81
  prefix list … B:13-78
    applying to an interface … B:13-81
    discarding or allowing routes … B:13-80
    entry order with … B:13-80
    example configuration … B:13-85
    filtering routes … B:13-79
    load balancing with … B:13-84
    naming … B:13-80
    network address … B:13-80
    prefix length, specifying … B:13-80
    prohibiting advertisement of external traffic … B:13-82
    troubleshooting … B:13-165
  remote AS … B:13-73
  route maps … B:13-86
    applying policies to inbound routes … B:13-102
    applying to neighbor … B:13-104
    communities, deleting … B:13-103
    controlling routes neighbor advertises … B:13-94
    entry in … B:13-87
    filtering inbound routes … B:13-100
    load balancing … B:13-96
    routes advertised … B:13-89
  route summaries … B:13-105
  router ID … B:13-72
  soft reconfiguration … B:13-104
  troubleshooting … B:13-162
    common problems … B:13-172
binding
  ADSL interface to ATM … B:7-27
  ADSL interface to ATM interface … B:7-27
  ATM subinterface to PPP interface … B:7-33, B:7-38


  multiple carrier lines to Frame Relay interface … A:2-10
  multiple carrier lines to PPP interface … A:2-6
  physical interface to Frame Relay interface … B:6-35
  physical interface to HDLC interface … B:6-43
  physical interface to PPP interface … B:6-10
Boink attack … A:4-9
Bonk attack … A:4-9
boot
  code … B:1-30
    updating … B:1-59
  error messages … A:1-25
    using to troubleshoot configurations … A:1-26
bootstrap mode context … B:1-66
  commands … B:1-67
bootup process … B:1-30
Border Gateway Protocol
  See BGP
BRI backup interface
  demand routing
    activating … A:3-41
    caller ID … A:3-42
    configuring … A:3-37
    LDN for BRI S/T … A:3-39
    resource pool member … A:3-41
    SPID for BRI U … A:3-40
    switch type … A:3-38
  line status … A:3-72
  persistent backup connection
    activating interface … A:3-49
    bonding channels … A:3-50, A:3-64
    caller ID … A:3-53
    configuring … A:3-47
    LDN for BRI S/T … A:3-48
    SPID for BRI U … A:3-49
    switch type … A:3-48
  See also BRI primary interface
  test calls … A:3-83
  troubleshooting … A:3-70
BRI ISDN
  local loop … B:8-5, A:3-7
BRI primary interface
  accessing … B:8-40
  activating … B:8-43
  assigning to ISDN group … B:8-44
  caller ID options … B:8-43
  configuring … B:8-40
  LDN for BRI S/T module … B:8-43
  line maintenance … B:8-75
  See also BRI backup interface
  signaling (switch) type … B:8-41
  SPID and LDN for BRI U module … B:8-42
  test calls … B:8-73
  troubleshooting … B:8-69
  viewing status of … B:8-64
bridge table … B:10-5, B:10-11
  viewing … B:10-8, B:10-9
bridging
  bridge group configuration … B:10-6, B:10-7
  configuring … B:10-5
  interfaces … B:10-7
  IP addresses with … B:10-7
  overview … B:10-3
  protocol … B:10-4, B:10-6
  QoS … A:7-25, A:7-40, A:7-48
  remote … B:10-3
    disabling IP routing … B:10-7, B:10-10
    merging remote networks … B:10-4
  table
    See bridge table
  troubleshooting … B:10-10
  valid interfaces … B:10-6
broadband network, regional … B:7-7

C

CA
  certificate … A:8-56
    loading … A:8-58
  profile … A:8-57, A:8-58
  role in IKE authentication … A:8-10
  SCEP … A:8-56, A:8-57
  selecting … A:8-55
  submitting self certificate request to … A:8-59
cable
  100Base-T … B:3-2
  10Base-T … B:3-2
  Category 3 … B:1-14
  Category 5 … B:1-14
  crossover … B:9-14
  EIA 530 … B:5-11
  for DSX-1 … B:9-14
  for G.703 … B:9-5
  serial … B:1-10, B:1-13
  UTP for E1 or T1 connection … B:4-7


  UTP ribbon … B:7-12
  V.35 … B:5-9
  X.21 … B:5-10
call
  ISDN, setup process … B:8-12
caller ID
  caller-number … B:8-38, A:3-36
  overriding … B:8-43, A:3-42
CBWFQ … A:7-11, A:7-18, A:7-19
  bandwidth allocating … A:7-26, A:7-27
  class defining … A:7-20
    bridged traffic … A:7-25
    IP header … A:7-22
    RTP … A:7-25
    ToS value … A:7-21
    UDP port … A:7-25
  example configuration … A:7-29
  percent versus remaining percent … A:7-27, A:7-56, A:7-68
  with multilinks … A:7-28, A:7-29
central office
  See CO
certificate authority
  See CA
certificate revocation list
  See CRL
Challenge Handshake Authentication Protocol
  See CHAP
Channel Service Unit/Digital Service Unit
  See CSU/DSU
channels
  E1- and T1-carrier lines … B:4-12
  FDL, for T1 interface … B:4-19
  for E1 interface … B:4-12
  for ISDN … B:8-4
  for T1 interface … B:4-13
CHAP
  example configuration … B:6-51
  for backup interfaces … A:3-43
  for primary ISDN interfaces … B:8-53
  hashing … B:6-12
  password … B:6-14, B:6-15
  password, case-sensitive … B:6-64
  troubleshooting … B:6-64
  username (hostname) … B:6-13, B:6-15
  username, case-sensitive … B:6-64
Chargen attack … A:4-9
CIDR
  DHCP pool … B:13-8, B:13-9
  IP address for ATM subinterface … B:7-21
  IP address for Frame Relay subinterface … B:6-29
  IP address for HDLC interface … B:6-42
  IP address for PPP interface … B:6-8
  notation … B:11-6
  static route … B:11-14
CIR
  Frame Relay … B:6-19
  setting … B:6-33
class-based weighted fair queuing
  See CBWFQ
CLI … B:1-5
  accessing … B:1-10
  editing commands … B:1-64, A:1-13
  events displayed in … B:1-51
  file management using the copy command … A:1-15
  help tools … B:1-64, A:1-12
  initial access … A:1-9
  IP address convention … B:1-7, A:1-5
  prompt convention … B:1-6, A:1-4
  using to set up Web browser interface access … B:1-11, A:1-10
client ID
  interface as DHCP client … B:13-23
  viewing, for DHCP client … B:13-19
client-to-site VPN
  IKE mode config … A:8-47
  IKE mode for … A:8-28
  NAT-T with … A:8-31
  peer ID
    in crypto map … A:8-44
    in IKE policy … A:8-26
    in remote ID list … A:8-34
  specifying traffic for … A:8-38, A:8-48
  Xauth with … A:8-49
clock source
  for E1 interface … B:4-17
  for primary BRI interface … B:8-15
  for serial interface … B:5-13
  for T1 interface … B:4-17
CO
  ADSL distance and service … B:7-5
  ADSL infrastructure … B:7-4
  local loop … B:5-4
  of public carrier … B:4-4


commands
  basic mode … B:1-39
  clear commands … B:1-39, B:1-44
  clear event-history … A:4-25
  clock … B:1-45
  configure … B:1-46
  copy … B:1-46, A:1-15
  do … B:1-66, A:1-14
  editing … B:1-64, A:1-13
  enable mode … B:1-43
  erase … B:1-50
  events … B:1-51
  exit … B:1-66, A:1-15
  global configuration mode … B:1-60
  help … B:1-64, A:1-12
  no … B:1-66, A:1-14
  reload … B:1-51
  reload in … B:1-72
  show … A:1-20
  show event-history … A:4-25
  show tech … B:1-57
  show, list of … B:1-51
  syntax conventions for … B:1-5
  write … B:1-56
communities
  BGP … B:13-95
community list
  for route map … B:13-88
compact flash
  advantages of booting from … B:1-32
  configuring, card … B:1-33
  file transfer with … B:1-81
  slot location … B:1-28
  troubleshooting … B:1-70
configuration file
  editing using a text editor … B:1-73, A:1-24
  running-config … B:1-30
  startup-config … B:1-30
  transfer using
    compact flash … B:1-81
    console port … B:1-76
    TFTP … B:1-78
connect sequence
  for demand interface … B:8-30, A:3-28
connector
  RJ-11 … B:7-12, B:8-8
  RJ-45 … B:3-2, B:8-8
  RJ-48C … B:4-7, B:9-14
console
  configuring password through Web browser interface … B:14-23
  establishing a terminal session with … A:1-9
  file transfer with … B:1-76
  password for … B:2-5
  port … B:1-13
  terminal session with … B:1-10
context
  basic mode … B:1-35, B:1-36
  bootstrap mode … B:1-66
  enable mode … B:1-35, B:1-36
  global configuration mode … B:1-36, B:1-37, B:1-46, B:1-60
counters
  clear ACL … A:5-56
  clearing Frame Relay counters … B:6-69
  clearing interface counters … B:1-39
  Frame Relay … B:6-26, B:6-69
CRC4 frame format … B:4-15
CRL
  deleting … A:8-64
  importing manually … A:8-61
  managing … A:8-64
crypto map
  applying to an interface … A:8-46
  associating with IKE policy … A:8-44
  creating … A:8-43
  IKE, configuring with … A:8-42
  manual keying
    configuration tasks … A:8-65, A:8-67
    example configuration … A:8-69
    setting session key … A:8-67, A:8-68
    setting SPI … A:8-68
    transform set … A:8-65, A:8-66
  peer ID, setting … A:8-43
  processed by router … A:8-20
  transform set, specifying … A:8-44
  viewing … A:8-71, A:8-86
CSU
  external … B:4-7
  purpose of … B:4-5, B:5-5
CSU/DSU
  built into router … B:4-7
  external … B:4-7
  purpose of … B:1-16, B:4-5, B:5-5


D

D channel
  ISDN … B:8-4
  LAPD transmitted over … B:8-10
D4 frame format … B:4-16
data communications equipment … B:6-21
Data Link Layer
  ATM … B:7-17
  configuring through Web browser interface … B:14-46
  for backup … A:3-11
  Frame Relay … B:6-19
  HDLC … B:6-39
  LLDP … A:12-2
  PPP … B:6-6
  purpose of … B:4-3, B:5-3
  Q.921, or LAPD … B:8-9
  Q.931 … B:8-9
data terminal equipment … B:6-21
DCE … B:6-21
DE bit … B:6-35
debug commands … B:1-49
  ADSL … B:7-47
  ATM OAM … B:7-49
  BGP … B:13-163
  crypto ike … A:8-74
  crypto ipsec … A:8-74
  crypto pki … A:8-74
  DHCP client … B:13-27, B:13-28
  DHCP server … B:13-19, B:13-20
  DNS client … B:12-14
  DNS proxy … B:12-11, B:12-12
  Ethernet … B:3-25
  Frame Relay … B:6-66, B:6-68, A:2-16
  HDLC … B:6-69
  IKE messages … A:8-78, A:8-79, A:8-81
  interface tunnel … A:9-13
  ISDN … B:8-72, A:3-81
  LLDP … A:12-9, A:12-11
  OSPF … B:13-153
  PPP … B:6-60, A:2-13, A:2-15
  PPP authentication … B:6-14, B:6-62
  PPP for PPPoE … B:7-53
  PPPoE … B:7-50
  RIP … B:13-151
  spanning tree … B:10-24
  VPN … A:8-74
  VPN debug messages … A:8-76
default route
  configuring … B:11-17
  receiving from a DHCP server … B:13-24
  with dynamic routing … B:11-18
  with OSPF … B:13-35, B:13-51
demand interface
  ACL for interesting traffic … B:8-27, A:3-24
  ACL to control access to … B:8-27, A:3-25
  answer/originate call … B:8-29, A:3-26
  called-number … B:8-39, A:3-36
  caller-number … B:8-38, A:3-36
  configuration summary … B:8-63, A:3-77
  connect sequence … B:8-30, A:3-27
  connect sequence attempts … B:8-33, A:3-30
  connect-order … B:8-32, A:3-29
  creating … B:8-23, A:3-21
  establishing an ISDN call … B:8-48
  fast-idle option … B:8-38, A:3-35
  hold queue … B:8-39, A:3-36
  idle-timeout option … B:8-37, A:3-34
  inter-relationship of connect-sequence commands … B:8-35, A:3-32
  IP address … B:8-24, A:3-22
  MLPPP … B:8-50
  MLPPP fragmentation … B:8-52
  MLPPP interleave … B:8-51
  MTU … B:8-56, A:3-46
  PPP authentication … B:8-54, A:3-43
  recovery state … B:8-33, A:3-30
  resource pool … B:8-30, A:3-27
  spoofing up state … B:8-22, A:3-23
  static route … B:8-46
  static route, floating … A:3-42
  troubleshooting … B:8-68, A:3-79
  viewing information about … B:8-61, A:3-80
  viewing resource pool … B:8-67, A:3-78
  viewing running-config for … B:8-67, A:3-79
demand routing
  backup connections
    configuring … A:3-17
    connection instructions … A:3-32
    example … A:3-13, A:3-16
    initiating … A:3-12


  primary ISDN modules … B:8-16
    configuration steps … B:8-18
    connection instructions … B:8-30
    example … B:8-53
    initiating … B:8-26
    ISDN groups … B:8-44
  viewing sessions … B:8-66, A:3-78
demarc
  carrier line … B:4-5
  ISDN connections … B:8-7, A:3-7
  location for carrier lines … B:5-5
demultiplexing channels … B:4-12
Denial of Service attack … A:4-16
designated router
  See OSPF, DR
DHCP
  client
    See DHCP client
  configuring through Web browser interface … B:14-94
  excluded addresses … B:13-7, B:13-18
  overview … B:13-3
  pool
    See DHCP pool
  relay … B:13-6, B:13-30
  request process … B:13-3, B:13-4, B:13-19
  scope for VLAN … B:13-5, B:13-16
  server
    See DHCP server … B:13-4
DHCP client
  ATM subinterface as … B:7-21
  Ethernet interface as … B:3-5
  Frame Relay subinterface as … B:6-29
  interface as … B:13-5
    activating … B:13-21, B:13-22
    client ID … B:13-23
    hostname for … B:12-16
    receiving optional configurations … B:13-21, B:13-24
    releasing address … B:13-27
    renewing address … B:13-27
    troubleshooting … B:13-26, B:13-27, B:13-28
    valid interfaces … B:13-6
    viewing lease … B:13-26
  viewing connected clients … B:13-19
DHCP pool
  child … B:13-13
  creating … B:13-7
  default gateway … B:13-9
  example configuration … B:13-14
  lease time … B:13-10
  multiple … B:13-8
  network address … B:13-8
  parent … B:13-13
  single fixed address … B:13-14, B:13-21
  VLAN … B:13-15
DHCP server
  client names in host table … B:12-9
  configuring router as … B:13-5, B:13-6
  functions … B:13-3
  ping settings … B:13-17, B:13-18
  troubleshooting … B:13-18
  viewing client bindings … B:13-19
Diffie-Hellman key
  automatic generation with IKE … A:8-9, A:8-64
  key lengths … A:8-67
  PFS group for … A:8-46
  specifying group for IKE SA … A:8-24, A:8-29
DiffServ … A:7-5, A:7-7, A:7-10
  AF mapping … A:7-9
  CBWFQ classes … A:7-10, A:7-21
  DSCP marking … A:7-10, A:7-43, A:7-48
    See also packet marking
  IP precedence mapping … A:7-8, A:7-10, A:7-17
  LLQ values … A:7-10, A:7-37
  WFQ mapping … A:7-10, A:7-16, A:7-17
digital certificate
  advantages … A:8-55
  CA certificate … A:8-56
  configuring with Web browser interface … A:14-93
  CRL … A:8-64
  deleting … A:8-63
  keys used with … A:8-10
  loading CA certificate … A:8-59
  obtaining automatically … A:8-57, A:8-59
  obtaining manually
    configuring profile … A:8-58
    importing self certificate … A:8-61
    loading CA certificate … A:8-59
    requesting self certificate … A:8-60
  overview … A:8-54
  peer ID for peer that uses … A:8-34
  See also CA and CRL
  standards … A:8-29, A:8-55
  viewing … A:8-62
digital signal zero … B:4-12


Digital Subscriber Line
  See DSL
Discard Eligible Bit … B:6-35
DLCI … B:6-22
  assigning to Frame Relay subinterface … B:6-28
DNS … B:12-8
  client
    enabling … B:12-8
    functions … B:12-5
    troubleshooting … B:12-14
  configuration tasks … B:12-8
  host table … B:12-3
    See host table
  overview … B:12-3
  proxy
    See DNS proxy
  server
    See DNS server
  support on ProCurve Secure Router … B:12-5
DNS proxy … B:12-8
  default domain name for … B:12-9
  enabling … B:12-10
  external DNS server for … B:12-10
  troubleshooting … B:12-11, B:12-12
DNS server … B:12-3
  configuring through Web browser interface … B:14-89
  external, specifying … B:12-10, B:12-13
  in DHCP pool … B:13-11
  in IKE mode config pool … A:8-48
  receiving from a DHCP server … B:13-24, B:13-26
  router as … B:12-10
    See also DNS proxy
do command … B:1-66
domain name
  default … B:12-9
  definition … B:12-3
  DHCP pool, in … B:13-12
DR
  See OSPF, DR
  See PIM-SM, DR
drop-and-insert module
  description of … B:9-3
  DSX-1 interface
    assigning channels to T1 interface … B:9-14
    setting clock source on T1 interface … B:9-15
    viewing configuration of … B:9-20
  DSX-1 module
    physical connection … B:9-13
    supported standards … B:9-3
  G.703 interface
    assigning channels to E1 interface … B:9-5
    setting clock source on E1 interface … B:9-7
    viewing configuration of … B:9-11
  G.703 module
    physical connection … B:9-4
    supported standards … B:9-3
DS0 … B:4-12
DSCP
  See DiffServ
DSL
  description of … B:7-4
  types of … B:7-4
DSL access multiplexer
  See DSLAM
DSLAM … B:7-7, B:7-9
  RBE … B:7-39
  training phase with ADSL interface … B:7-13
DSU
  built into router … B:4-7
  purpose of … B:4-5, B:5-5
DSX-1 interface
  accessing … B:9-16
  activating … B:9-19
  checking the status of … B:9-19
  configuring … B:9-13
    frame format … B:9-17
    line coding … B:9-16
    line length … B:9-18
    signaling mode … B:9-18
  configuring through Web browser interface … B:14-74
  T1 interface
    assigning channels … B:9-14
    setting the clock source … B:9-15
  troubleshooting
    accruing errored seconds and clock slips … B:9-21
    alarms or errors that will not clear … B:9-20
    yellow alarm … B:9-21
DSX-1 module
  physical connection to … B:9-13
  standards supported … B:9-4
DTE … B:6-21


duplex setting
  for Ethernet interface … B:3-10
dynamic DNS … B:12-15, B:13-25
  activating the client … B:12-16, B:12-17
  configuration tasks … B:12-16
  overview … B:12-6, B:12-15
  services
    Custom DNS … B:12-7, B:12-16, B:12-17, B:12-18
    Dynamic DNS … B:12-6, B:12-16
    Static DNS … B:12-7, B:12-17

E

E1 + G.703
  See G.703 interface and drop-and-insert module
E1 frame format … B:4-15
E1 interface
  activating … B:4-20
  binding
    to Frame Relay interface … B:6-35
    to HDLC interface … B:6-43
    to PPP interface … B:6-11
  channels for … B:4-12
  clock source … B:4-17
  configuration mode context for … B:4-11
  configuring through CLI … B:4-10
  configuring through Web browser interface … B:14-39
  Data Link Layer
    Frame Relay … B:6-23
    HDLC … B:6-39
    PPP … B:6-6
  example Frame Relay configuration … B:6-47
  example PPP configuration … B:6-46, B:6-47
  frame format … B:4-15
  line coding … B:4-14
  line errors … B:4-22
  port number … B:4-11
  slot number … B:4-11
  speed for channel … B:4-13
  threshold commands … B:4-22
  troubleshooting … B:4-30
  viewing configuration of … B:4-28
  viewing status of … B:4-26
E1 module
  standards supported … B:4-8
  with built-in DSU … B:4-8
E1-carrier line
  2.048 Mbps bandwidth … B:4-3
  32 channels … B:4-12
  analog voice on … B:4-3
  elements of … B:4-3
  external CSU … B:4-7
  for analog voice … B:9-3
  local loop … B:4-4
  serial interface for … B:5-3
  with G.703 interface … B:9-3
eBGP multihop … B:13-75
EIA 530 cable … B:5-11
enable mode context … B:1-36
  AAA named list for … B:2-16
  clear commands … B:1-44
  commands … B:1-43
  configuring password through Web browser interface … B:14-21
  password … B:2-4
  show commands … B:1-51
encryption
  See also ESP
  specifying algorithms for … A:8-40
  with IPSec … A:8-6
encryption algorithm
  definition of … A:8-6
  for IKE SA … A:8-29
  for IPSec SA … A:8-41
  minimum key lengths for … A:8-67
error message
  AutoSynch™ … B:1-70
  bootup … B:1-74, B:1-75
  DSX-1 … B:9-20
  Ethernet … B:3-24, B:3-25
  for serial interface … B:5-15
  for unsupported commands … B:1-39
  G.703 … B:9-12
  logging priority … A:4-26, A:4-30
  SafeMode … B:1-62, A:1-22
  thresholds for E1 … B:4-22
  thresholds for T1 … B:4-22
ESF frame format … B:4-16
ESP
  authenticating a packet … A:8-6
  default algorithms (VPN Wizard) … A:8-87
  encrypting a packet … A:8-6
  finding algorithm used by peer … A:8-83
  header … A:8-5


  manually defining key for … A:8-67, A:8-68
  specifying algorithm for … A:8-41, A:8-65
  with NAT-T … A:8-32
  without encryption … A:8-42
et-clock setting … B:5-13
Ethernet frame
  setting maximum size of … B:3-11
Ethernet interface
  accessing … B:3-3
  activating … B:3-4
  as DHCP client … B:3-5
  configuring through CLI … B:3-3
  configuring through Web browser interface … B:14-31
  debug commands … B:3-25
  description for … B:3-12
  duplex settings … B:3-11
  IP address … B:3-5
  MTU … B:3-11
  speed settings … B:3-10
  subinterface
    for VLANs … B:3-18
    IP address … B:3-19
    viewing configurations for … B:3-21
    viewing status of … B:3-19
    VLAN ID … B:3-18
  summary of settings … B:3-13
  troubleshooting … B:3-24
  unnumbered interface … B:3-9
  viewing configuration of … B:3-21
  viewing status of … B:3-19
  VLAN support … B:3-15
Ethernet ports
  auto MDIX … B:3-2
  connection speeds … B:1-14
  LED … B:1-26
  number of … B:1-14, B:3-2
  slot number … B:3-3
event-history, displaying … B:3-25
events
  displaying … B:1-51
  logging … A:4-12
  messages, disabling … B:3-4
exit command … B:1-66
extended authentication
  See Xauth

F

fair queuing
  See WFQ
fast caching … B:11-12, B:11-22, A:7-10
  disabled … B:11-23
  disabled with PBR … B:13-125
FDL channel … B:4-19
FIFO … A:7-10, A:7-11, A:7-17, A:7-31
  packet threshold … A:7-18
file management
  copy command … B:1-46
  erase command … B:1-50
  with Web browser interface … B:14-7, A:14-7
  write command … B:1-56
firewall
  ALGs, configuring … A:4-18
  application-level gateway … A:4-7, A:4-9
  attack checking … A:4-6, A:4-9, A:4-14
  blocking attacks … A:4-9
  circuit-level gateway … A:4-8
    as proxy server … A:4-6
    explained … A:4-5
    illustration of … A:4-7
  configuring with Web browser interface … A:14-21
  enabling … A:4-14
  packet-filtering … A:4-8
    definition of … A:4-4
    illustration of … A:4-5
  purpose of … A:4-3
  reflexive traffic check … A:4-16
  stateful-inspection … A:4-4, A:4-6, A:4-8
    timeouts … A:4-21
  stealth mode … A:4-17
  SYN-flood attack check … A:4-16
  WinNuke attack check … A:4-15
firmware
  management of … B:1-46
floating static route … B:11-16
Fraggle attack … A:4-9
frame
  802 Slow Protocol … A:12-3
  Frame Relay … A:7-51
    fragmentation … A:7-51, A:7-54, A:7-64, A:7-68
    header size … A:7-34
  GRE … A:9-2
  headers … A:7-32, A:7-35
  IP … A:9-2


  IP header … A:7-6, A:7-19, A:7-22, A:7-34
    RTP compression … A:7-34
  LAPD … B:8-10
  LLDP … A:12-3
  MLFR
    flag … A:7-34
    header … A:7-34, A:7-64
  MLPPP
    flag … A:7-34
    header … A:7-34
  PPPoE … B:7-29
    PADI … B:7-30
    PADO … B:7-30
    PADR … B:7-30
    PADS … B:7-31
  QoS frames per second … A:7-33
  RTP header … A:7-34
  UDP header … A:7-34
  VoIP … A:7-51, A:7-58, A:7-61
frame format
  CRC4 … B:4-15
  D4 … B:4-16
  E1 … B:4-15
  E1 interface … B:4-15
  ESF … B:4-16
  T1 interface … B:4-16
Frame Relay … B:6-19
  Be … A:7-53, A:7-54
  CIR … B:6-19, A:7-52, A:7-54
  DCE … B:6-21
  DE … A:7-53
  DLCI … B:6-22
  DTE … B:6-21
  EIR … A:7-53
  FRF.12 … A:2-8, A:7-5, A:7-12, A:7-51, A:7-54
    See also Frame Relay fragmentation
  LMI … B:6-23
  network components … B:6-21
  NNI … B:6-21
  PVC … B:6-20, A:7-50
  PVC endpoint … B:6-22
  rate limiting … A:7-50, A:7-51, A:7-52
  SLA … B:6-19, B:6-34
  UNI … B:6-21
  VoIP QoS … A:7-51
Frame Relay fragmentation … A:7-12, A:7-34, A:7-51, A:7-54
  configuring … A:7-64
  fragment size … A:7-54
  packet header size … A:7-34
Frame Relay interface
  activating … B:6-25
  binding to physical interface … B:6-35
  configuring through CLI … B:6-23
  configuring through Web browser interface … B:14-52
  counters … B:6-26
  debug commands … B:6-66
  example configuration … B:6-46, B:6-49
  LMI statistics … B:6-66
  show commands … B:6-53, B:6-66
  signaling role … B:6-25
  signaling type … B:6-26
  subinterface
    as a DHCP client … B:6-29
    CIR … B:6-33
    creating … B:6-28
    DE bit … B:6-35
    description … B:6-37
    DLCI for … B:6-28
    EIR … B:6-34
    IP address … B:6-29
    MTU … B:6-37
    secondary IP address … B:6-36
    unnumbered interface … B:6-32
  summary of main settings … B:6-24
  troubleshooting … B:6-65, A:2-13
    clearing counters … B:6-69
    LMI messages … B:6-68
    LMI statistics … B:6-66
    PVC status … B:6-67
FRF.12
  See Frame Relay fragmentation
FTP
  ACL to control access … A:5-21
  ALG for … A:4-19
  configuring password through Web browser interface … B:14-19, B:14-26
  controlling, access … B:2-13
  local user list … B:2-10
  traffic through a firewall … A:4-5
FTP server
  enabling through the Web browser interface … B:14-15, A:14-15
full-duplex
  Ethernet interface settings … B:3-11


G

G.703 interface
  accessing … B:9-7
  activating … B:9-10
  checking the status of … B:9-10
  configuring … B:9-4
    frame format … B:9-8
    line coding … B:9-7
    TS16 … B:9-9
  configuring through Web browser interface … B:14-74
  E1 interface
    assigning channels … B:9-5
    setting clock source … B:9-7
  show commands … B:9-10
  troubleshooting … B:9-12
    accruing errored seconds and clock slips … B:9-13
    alarms or errors that will not clear … B:9-12
    yellow alarm … B:9-13
  TS16 … B:9-9
G.703 module
  physical connection … B:9-4
  standards supported … B:9-4
G.lite … B:7-10
gateway
  application-level … A:4-7
  circuit-level … A:4-5
Generic Routing Encapsulation
  See GRE
global configuration mode context … B:1-37
  commands … B:1-60
  interface configuration mode context … B:1-37
  line configuration mode context … B:1-38
  router configuration mode context … B:1-38
GRE … A:9-2
  advantages and disadvantages of … A:8-13
  checksum verification … A:9-12
  encapsulation … A:9-5
  tunnel configuration … A:9-4, A:9-5, A:9-7
    See also tunnel
  tunneling … A:9-5
    advantages and disadvantages of … A:9-3
    multicasts … A:9-9
    routing updates … A:9-8
  VPN overlay … A:8-13

H

H.323 … A:7-35, A:7-58, A:7-62
  ALG for … A:4-19
half-duplex
  Ethernet interface settings … B:3-11
hash algorithm
  definition … A:8-6
  for IKE SA … A:8-29
  for IPSec SA … A:8-41
  key length for … A:8-67
HDLC
  ABM … B:6-39
  ARM … B:6-39
  NRM … B:6-39
HDLC interface
  activating … B:6-41
  binding to physical interface … B:6-43
  configuring through CLI … B:6-39
  configuring through Web browser interface … B:14-58
  description … B:6-45
  example configuration … B:6-49
  IP address … B:6-41
  MTU … B:6-44
  secondary IP address … B:6-44
  show commands … B:6-53
  troubleshooting … B:6-69
  unnumbered interface … B:6-42
HDSL … B:7-4
help
  ? command … B:1-64
  tools for CLI … B:1-64, A:1-12
helper address
  for UDP forwarding … B:13-30
high-priority queuing
  See LLQ
host table
  adding an entry … B:12-9, B:12-13
  altering an entry … B:12-13
  dynamic hosts, adding … B:12-9
  queries to … B:12-10, B:12-12
hostname
  adding to local table … B:12-9
  definition … B:12-3
  interface … B:12-16, B:13-24
  LLDP message, in … A:12-4
  preventing LLDP advertisement of … A:12-13
  setting router hostname … B:1-60


  static hostname with dynamic address … B:13-25
    See also dynamic DNS
  viewing neighbors’ … A:12-5
  wildcard … B:12-16
HTTP server
  ACL to control access … A:5-21
  enabling … B:2-11
  enabling through Web browser interface … B:14-15
  local user list … B:2-10
HTTPS server
  enabling … B:2-11
  enabling through web browser interface … B:14-15, A:14-15
  local user list … B:2-10

I

ICMP
  flood … A:4-9
  session timeout … A:4-21
IEEE
  bridging support … B:10-4, B:10-6
  See also bridging
IEEE 802.1Q standard … B:3-15
IEEE 802.1w
  See RSTP
IEEE 802.D
  See STP
IGMP … A:10-6, A:10-7, A:10-8
  downstream interface … A:10-8, A:10-12, A:10-13, A:10-21, A:10-22
  enabling on interface … A:11-29
  interval … A:10-16
  multicasting agent
    configuring … A:10-13
    description … A:10-5
  proxy … A:10-8, A:10-9, A:10-14, A:10-22
    enabling on downstream interface … A:10-14
  query
    altering interval … A:10-16
    description … A:10-6
  report … A:10-6
  show commands … A:10-20
  troubleshooting … A:10-19
  upstream interface … A:10-12, A:10-15
  version … A:10-7, A:10-13, A:10-21
IKE
  advantages … A:8-64
  authentication information, needed for … A:8-19
  authentication methods … A:8-10
  Diffie-Hellman key generation … A:8-9
  monitoring … A:8-76, A:8-78
    phase 2 … A:8-84
  negotiating IPSec SA … A:8-8
  phase 1
    description of … A:8-8
    monitoring … A:8-77
    security proposals … A:8-29
    settings for … A:8-12, A:8-15
  phase 2
    description of … A:8-12
    monitoring … A:8-77
    settings for … A:8-13, A:8-16
  troubleshooting … A:8-78, A:8-79
    comparing IKE policies … A:8-80, A:8-82
    comparing IPSec policies … A:8-82
    viewing peer’s IPSec policies … A:8-83
    viewing security parameters … A:8-81
  Xauth
    See Xauth
IKE attribute policy
  configuring … A:8-28, A:8-29
IKE mode … A:8-26
  aggressive
    definition … A:8-11
    specifying … A:8-27
  default … A:8-26
  initiate, specifying … A:8-27
  main … A:8-34
    definition … A:8-11
    specifying … A:8-27
    with client-to-site VPN … A:8-28, A:8-34
  respond, specifying … A:8-27
IKE mode config
  applying pool to IKE policy … A:8-49
  pool configuration … A:8-48
  viewing a pool … A:8-71
IKE policy
  compatibility with peer … A:8-80
  configuring … A:8-23, A:8-24
  default … A:8-26
  example configuration … A:8-29, A:8-30
  for multiple peers … A:8-25
  peer ID … A:8-24
  processed by router … A:8-20
  viewing … A:8-71


IKE SA
  clearing … A:8-71
  compatibility with peer … A:8-80, A:8-82
  configuring security parameters for … A:8-23
  default settings … A:8-16, A:8-29
  definition … A:8-8
  lifetime … A:8-29
  security parameters for … A:8-15, A:8-29
  specifying peer ID … A:8-24
  viewing … A:8-70
interesting traffic
  defining, for backup with demand routing … A:3-18, A:3-23
  defining, for demand routing … B:8-18
interface
  ADSL … B:7-12
  applying ACL to … A:5-18
  assigning a QoS map to … A:7-28, A:7-42, A:7-49
  assigning ACP to … A:5-37
  ATM … B:7-17
  BRI … B:8-40, A:3-38, A:3-47
  demand … B:8-23, A:3-20
  E1 … B:4-10, B:9-5
    G.703 … B:9-7
  Ethernet … B:3-2
  Frame Relay … B:6-23
  HDLC … B:6-39
  helper address for UDP applications … B:13-30
  loopback
    tunnel source … A:9-6
  modem … A:3-38, A:3-51
  numbering convention … B:1-22
  passive, with RIP … B:13-26
  PPP … B:6-6, A:7-15
  PPP, for PPPoE … B:7-32
  R, for ISDN … B:8-9, A:3-9
  router numbering convention … A:1-5
  S, for ISDN … B:8-8, A:3-9
  serial … B:5-3
  T, for ISDN … B:8-8, A:3-9
  T1 … B:4-10, B:9-14
    DSX-1 … B:9-16
  tunnel … A:9-4, A:9-13
    filtering traffic … A:9-11
    IGMP … A:9-9
    PIM-SM … A:9-9
    sending routing updates … A:9-8
  U, for ISDN … B:8-8, A:3-9
internal flash memory
  See memory
IP address
  ACL … A:7-23, A:7-38, A:7-46
  ATM subinterface … B:7-20
  bridge group … B:10-7
  CBWFQ … A:7-19, A:7-69
  compared to hostname … B:12-3
  definition … B:11-3
  demand interface … A:3-22
  DHCP subnet … B:13-8
  dynamic
    IKE mode with … A:8-27
    interface … B:13-21
    releasing and renewing interface’s dynamic address … B:13-27
    See also DHCP client
    See also dynamic DNS
    static hostname with … B:12-6, B:12-15, B:13-25
  Ethernet interface … B:3-5
  Ethernet subinterface … B:3-19
  excluding from DHCP … B:13-7
  fixed DHCP address … B:13-14
  Frame Relay subinterface … B:6-29
  GRE … A:9-4
  HDLC interface … B:6-41
  helper address for UDP packets … B:13-30
  LLQ … A:7-36, A:7-38
  network address … B:11-4
  notation convention … B:1-7
  PPP backup interface … A:3-56
  PPP interface … B:6-8
  PPP interface, for PPPoE … B:7-33
  QoS map … A:7-20
  routing according to … B:11-7
  SIP … A:7-60
  ToS … A:7-43, A:7-45
  tunnel … A:9-4, A:9-7
  VPN peer’s, specifying … A:8-24
  WFQ … A:7-11, A:7-14
IP precedence … A:7-5, A:7-6, A:7-7, A:7-37
  CBWFQ value … A:7-7, A:7-21
  LLQ priority … A:7-7
  TOS setting … A:7-48
  WFQ value … A:7-7, A:7-15, A:7-16


IP Security (IPSec)configuring a VPN using … A:8-15definition of … A:8-4Diffie-Hellman key

key length … A:8-67specifying group for … A:8-46

encryption algorithmpurpose … A:8-6specifying … A:8-40

hash algorithmpurpose … A:8-6specifying … A:8-40

header … A:8-5IKE with … A:8-8mode

specifying … A:8-42transport … A:8-5tunnel … A:8-5

module for … A:8-14protocols … A:8-5

See also AH and ESPSee also VPN, crypto map, IKE, and transform setVPN tunnel … A:8-7

IP spoofing attack … A:4-9IPSec SA

clearing … A:8-71configuring with IKE

advantages … A:8-8tasks … A:8-15, A:8-23

definition of … A:8-7manual keying

crypto map configuration … A:8-65, A:8-67example configuration … A:8-69key length … A:8-67other crypto map configurations … A:8-68setting session key … A:8-67, A:8-68setting SPI … A:8-68transform set … A:8-65, A:8-66

security parameterscompatibility with peer … A:8-82configuring … A:8-40configuring in crypto map … A:8-44, A:8-45configuring in transform set … A:8-40default settings … A:8-87finding peer’s using debug

commands … A:8-83overview … A:8-16viewing … A:8-85

viewing … A:8-71

ISDNand ADSL … B:7-9backup methods using … A:3-11BRI transmission rates … B:8-4, A:3-9call setup … B:8-12channels … B:8-4, A:3-6characteristics of … B:8-4, A:3-5Data Link Layer … B:8-9, A:3-12, A:3-55elements of, connection … B:8-5, A:3-7establishing a connection … B:8-36line coding for BRI … B:8-9PRI … B:8-4R interface … B:8-9, A:3-9S interface … B:8-8, A:3-9switch … B:8-7, A:3-7switch type for … B:8-41, A:3-39T interface … B:8-8, A:3-9U interface … B:8-8, A:3-9

ISDN backup moduleBRI S/T … A:3-9BRI U … A:3-9

ISDN groupassigning BRI interface to … B:8-44assigning to resource pool … B:8-45configuring … B:8-44creating … B:8-44

ISDN primary moduleBRI S/T … B:8-15BRI U … B:8-15supported standards … B:8-15

JJ1-carrier line … B:4-3Jolt attack … A:4-9Jolt2 attack … A:4-9

Kkey

definition of … A:8-6manually specifying for VPN tunnel … A:8-68


LLAN

connecting router to … B:3-2Land attack … A:4-9LAPD … B:8-10

frames … B:8-10LBO

setting, for T1 interfaces … B:4-18LDN

backup ISDN connection (demand routing) … A:3-39

persistent backup connections … A:3-48primary ISDN modules … B:8-43viewing LDN for peer … A:3-87

LEDbackup … B:1-25, A:3-71Ethernet … B:1-26fault … B:1-23power … B:1-23Stat … B:1-24troubleshooting E1 or T1 interface using … B:4-31troubleshooting serial interface using … B:5-18Tx and Rx … B:1-25wide slot … B:1-25

Line Build Out … B:4-18line coding

for E1 interface … B:4-14for T1 interface … B:4-14

Link Management Interface … B:6-23link state advertisement

See OSPF, LSALLDP … A:12-2

detailed information, viewing … A:12-6enabling and disabling … A:12-12, A:12-13frame format … A:12-3message

information in … A:12-3monitoring … A:12-9viewing complete … A:12-10

neighbor, viewing … A:12-5, A:12-7timers

setting … A:12-14viewing … A:12-11

LLQ … A:7-6, A:7-11, A:7-31bandwidth guarantee … A:7-41, A:7-42bridged traffic … A:7-40CBWFQ … A:7-20, A:7-30IP header value … A:7-38

RTP … A:7-38ToS value … A:7-37

LMI … B:6-23statistics, viewing … B:6-66

local loopADSL … B:7-7

broadband network … B:7-7DSLAM … B:7-7splitters … B:7-9

carrier lineCSU/DSU … B:4-5demarc … B:4-5NIU … B:4-5office channel unit … B:4-6repeater … B:4-6structure of … B:4-4wire span … B:4-5

demarc … B:5-5ISDN … B:8-5, A:3-7

interfaces for connecting equipment … B:8-8ISDN switch … B:8-7, A:3-7NIU … B:8-7, A:3-8NT1 … B:8-7, A:3-8NT2 … B:8-7, A:3-8repeater … B:8-7, A:3-7TA … B:8-7, A:3-8TE1 … B:8-7, A:3-8TE2 … B:8-7, A:3-8

serial interfaceNIU … B:5-5repeater … B:5-6structure of … B:5-4

local user list … B:2-10encrypting passwords … B:2-11

loggingACP matches … A:4-26attacks … A:4-26events … A:4-12, A:4-23, A:4-24forwarding to email address … A:4-29forwarding to syslog server … A:4-27priority level … A:4-24

logical interfaceATM … B:7-17demand interface … B:8-23, A:3-20for persistent backup connection … A:3-54Frame Relay … B:6-19HDLC … B:6-39PPP … B:6-6


loopback interfaceeBGP multihop with … B:13-75, B:13-166load balancing with … B:13-74OSPF router ID … B:13-41

low-latency queuingSee LLQ

LSASee OSPF, LSA

MMAC address

LLDP message, in … A:12-4viewing neighbors’ … A:12-5

management accessconfiguring policies to control … A:14-39

match command … A:7-25dscp … A:7-45ip rtp … A:7-38, A:7-47list … A:7-40, A:7-46match list … A:7-25protocol bridge … A:7-41, A:7-48QoS map options … A:7-20, A:7-37, A:7-70

memoryinternal flash size … B:1-29types of … B:1-29

MLFRbinding multiple carrier lines to Frame Relay

interface … A:2-10bundle ID … A:2-11, A:2-18CBWFQ … A:7-28configuring with Web browser interface … A:14-20enabling … A:2-9QoS … A:7-28, A:7-34, A:7-64

per-call bandwidth … A:7-61troubleshooting … A:2-16understanding … A:2-8

MLPPPbinding multiple carrier lines to PPP

interface … A:2-6CBWFQ … A:7-28configuring … A:2-3configuring with Web browser interface … A:14-18enabling … A:2-6example of, with demand routing … B:8-52for demand interface … B:8-50fragmentation … B:8-52header … A:2-5

interleave … B:8-51LCP options for … A:2-5MRRU … A:2-5, A:2-15QoS … A:7-28, A:7-34session … A:2-5troubleshooting … A:2-15

modem interfacedemand routing

configuring … A:3-37countrycode … A:3-40resource pool-member … A:3-41

persistent backup connectionsactivating interface … A:3-52countrycode … A:3-51

troubleshooting … A:3-74using for a console session … A:3-53

moduleADSL2+ … B:1-18ADSL2+ Annex A … B:7-11ADSL2+ Annex B … B:7-11backup … B:1-19

installing … A:3-10standards supported … A:3-10

E1 … B:1-16, B:4-8E1+G.703 … B:9-4IPSec VPN … B:1-27, A:8-14, A:8-23ISDN primary … B:1-18, B:8-13list of modules … B:1-15T1 … B:1-17, B:4-9T1+DSX-1 … B:9-13wide slot … B:1-20

MPLSused by ISP … B:13-66

MRRU … A:2-5, A:2-16MTU

for demand interface … B:8-56, A:3-46for Ethernet interface … B:3-11for Frame Relay subinterface … B:6-37for HDLC interface … B:6-44for PPP interface … B:6-17OSPF concerns with … B:13-158routing table, in … B:11-9tunnel keys … A:9-14


multicast routing table(*, G) entry … A:11-7, A:11-8, A:11-49(S, G) entry … A:11-8, A:11-11, A:11-13, A:11-49flags … A:11-49, A:11-50, A:11-52

RP-bit … A:11-50SPT-bit … A:11-13, A:11-14

incoming interface … A:11-4, A:11-10, A:11-52monitoring … A:11-48, A:11-51null incoming interface … A:11-58outgoing interface list … A:11-4, A:11-53SG entry … A:11-7

multicasting … A:10-3, A:10-11adding router stack … A:10-16addresses … A:10-4applications of … A:10-2downstream interface

configuring … A:10-13description … A:10-12

enabling IP routing … A:10-11forwarding

downstream … A:10-14helper address … A:10-11, A:10-12, A:10-14,

A:10-15, A:10-21, A:10-22, A:10-24setting of … A:10-11

host group … A:10-4, A:10-6, A:10-16, A:10-20multicast stub routing … A:10-10route table … A:10-22routing protocols … A:10-7show commands … A:10-20troubleshooting … A:10-19, A:10-20tunneling traffic through Internet … A:10-15upstream interface

configuring … A:10-15description … A:10-12

multihomingtroubleshooting … B:13-172with BGP … B:13-67, B:13-82

multi-netted environment … A:4-16protecting … A:4-12See also reflexive traffic … A:4-16

multiplexing channels … B:4-12

Nnamed list

accounting … B:2-25authentication … B:2-18authorization … B:2-23

NATACL … A:6-8ACP … A:6-13

assign to interface … A:6-15many-to-one … A:6-13one-to-one … A:6-14port translation … A:6-14

compatibility with a VPN … A:8-31configuring … A:6-7configuring ACL for many-to-one … A:6-9many-to-one … A:6-2one-to-one … A:6-5one-to-one, with port translation … A:6-6troubleshooting … A:6-20with PAT … A:6-3

NAT Discovery (NAT-D) … A:8-31NAT-Traversal (NAT-T)

correct IPSec protocol for … A:8-32enabling … A:8-31, A:8-32NAT-D packet … A:8-31router performance … A:8-32version … A:8-32

neighborsviewing LLDP information … A:12-5viewing LLDP information, real time … A:12-7

Nestea attack … A:4-9network interface unit

See NIUNetwork Termination 1 … B:8-7, A:3-8Network Termination 2 … B:8-7, A:3-8network-to-network interface … B:6-21Newtear attack … A:4-9NIU … B:5-5

carrier line … B:4-5ISDN connection … B:8-7, A:3-8

NNI … B:6-21no command … B:1-66Normal Response Mode … B:6-39NRM … B:6-39NT1 … B:8-7, A:3-8NT2 … B:8-7, A:3-8null interface … B:11-18


OOAM

debug commands for … B:7-49settings … B:7-26

office channel unitcarrier line … B:4-6

Open Shortest Path FirstSee OSPF

Open Systems Interconnection modelSee OSI model … B:4-4

Opentear attack … A:4-9Operation, administration, and maintenance (OAM)

See OAMOSI model

circuit-level gateway and … A:4-5displayed … B:4-4, B:5-4, B:8-5layers used in WAN connection … B:4-4, B:8-5packet-filtering firewall and … A:4-4

OSPFABR … B:13-31

area configuration on … B:13-42, B:13-50LSAs with … B:13-34, B:13-35route summaries … B:13-44troubleshooting … B:13-160

advertising a network … B:13-42, B:13-51, B:13-56area … B:13-31

configuration … B:13-36, B:13-42example configuration … B:13-32, B:13-37,

B:13-38, B:13-49minimizing overhead … B:13-29

as an interior gateway protocol … B:13-7ASBR

default route … B:13-51route summaries … B:13-52

authentication … B:13-29, B:13-60problems with … B:13-159

compared to RIP and BGP … B:13-9configuration tasks … B:13-39, B:13-40configuring with Web browser

interface … A:14-116default administrative distance … B:13-11DR … B:13-31

LSAs with … B:13-34priority for … B:13-57

example configuration … B:13-61intervals … B:13-58, B:13-59, A:14-123

LSA … B:13-30, B:13-34intervals for … B:13-58types … B:13-33, B:13-34, B:13-35

multicast routing, with … A:11-28network backbone or area 0 … B:13-33, B:13-43overview … B:13-29route summaries

ABR configuration … B:13-44, B:13-47advantages of … B:13-45ASBR configuration … B:13-52problems with … B:13-160, B:13-161

router ID … B:13-34, B:13-41stub area … B:13-32, B:13-34, B:13-43, B:13-44total stub area … B:13-33, B:13-35, B:13-44

LSAs with … B:13-34troubleshooting … B:13-153, B:13-156, B:13-160

problems router ID … B:13-159

Ppacket marking

example configuration … A:7-49LLQ … A:7-42selecting traffic … A:7-44

bridged traffic … A:7-48IP header … A:7-45RTP … A:7-47

ToS value setting … A:7-45, A:7-48PAP

clear text … B:6-12example configuration … B:6-50finding peer’s password … B:6-63for backup interfaces … A:3-43for primary ISDN interfaces … B:8-53password … B:6-14password, case-sensitive … B:6-64troubleshooting … B:6-62username … B:6-14username, case-sensitive … B:6-64

passwordCHAP … B:6-15configuring through Web browser

interface … B:14-19console … B:2-5enable mode … B:2-4encrypting all … B:2-11local user list … B:2-10PAP … B:6-14Telnet … B:2-8


Password Authentication ProtocolSee PAP

PATwith NAT … A:6-3

PBR … B:13-123applying route map to router traffic … B:13-142assigning route map to interface … B:13-142configuration examples … B:13-142default routes … B:13-138don’t fragment bit … B:13-141implementation

application … B:13-130payload size … B:13-135source … B:13-127traffic priority … B:13-132

marking packets with QoS value … B:13-139route map … B:13-125selecting traffic … B:13-126setting the routing policy … B:13-136troubleshooting … B:13-173uses for … B:13-123

PEM … A:8-59, A:8-61perfect forward secrecy

See PFSpermanent virtual circuit

See PVCPFS

default setting … A:8-87specifying group … A:8-46

PHB … A:7-8, A:7-10assured forwarding … A:7-8, A:7-9, A:7-21, A:7-22class-selector … A:7-8, B:13-134default … A:7-8expedited forwarding … A:7-9, A:7-48IP Precedence … A:7-8marking traffic … A:7-45, A:7-48

Physical Layerof OSI model … B:4-4of WAN connection … B:5-3purpose of … B:8-5

PIM-SM … A:11-3asserts … A:11-26, A:11-27, A:11-58configuration examples … A:11-40, A:11-45configuration tasks … A:11-28DR … A:11-3, A:11-14DR, viewing … A:11-55enabling on interface … A:11-29IGMP, with … A:11-8, A:11-29

join/prunes … A:11-18, A:11-19, A:11-61periodic … A:11-24, A:11-38triggered … A:11-22, A:11-23

monitoring … A:11-48, A:11-54, A:11-55, A:11-56, A:11-61

multi-access networks, special considerations with … A:11-26, A:11-36, A:11-39

null incoming interface … A:11-59pruning a connection … A:11-14, A:11-21, A:11-58receiver joins after source … A:11-16register … A:11-10, A:11-25RP

See RPRP tree … A:11-4, A:11-8

(*, G) entry, with … A:11-7joining … A:11-8, A:11-15using permanently … A:11-36

SP tree … A:11-5, A:11-7SP tree, disabling … A:11-36switching to an SP tree … A:11-9, A:11-23

edge router … A:11-12, A:11-13receiver joins after … A:11-16threshold for … A:11-35threshold, viewing … A:11-55

timers … A:11-37, A:11-38, A:11-39, A:11-51troubleshooting … A:11-48, A:11-54, A:11-55,

A:11-56, A:11-61unicast routing, with … A:11-7, A:11-28, A:11-32,

A:11-60ping command … B:1-36

default … B:1-40extended options … B:1-40

ping of death attack … A:4-9PKI

debug command … A:8-74definition … A:8-55

policy-based routing See PBR

port authentication … B:2-40port number

backup modules … A:3-38, A:3-47E1+G.703 module … B:9-4Ethernet interface … B:3-3for ADSL interfaces … B:7-12for DSX-1 … B:9-16for G.703 … B:9-7for serial interface … B:5-12ISDN interface … B:8-44T1+DSX-1 module … B:9-13


port translation … A:6-14port-mapping table … A:6-3POTS

and ADSL … B:7-9power source, redundant … B:1-29PPP

authentication for demand interface … B:8-53LCP … A:2-4NCP … A:2-4phases … B:6-5, A:2-4See also PPP Authenticationsession … B:6-5suite of protocols … B:6-4

PPP authentication … B:6-11configuring through Web browser

interface … B:14-50demand routing … A:3-43determining protocol … B:6-14, B:6-65peer password … B:6-14peer username … B:6-14persistent backup connection … A:3-56See also PAP and CHAPtroubleshooting … B:6-62

PPP backup interfaceconfiguring … A:3-55

PPP interface See also PPPoA and PPPoEactivating … B:6-10binding physical interface to … B:6-10bridging … B:13-6configuring through Web browser

interface … B:14-47creating … B:6-6debug authentication … B:6-14debug commands … B:6-60, A:2-13description for … B:6-17DHCP client on … B:13-6example configuration … B:6-46for PPPoE … B:7-31IP address … B:6-8MTU … B:6-17negotiated IP address … B:6-8secondary IP address … B:6-16show commands … B:6-53summary of settings … B:6-7troubleshooting … B:6-58, A:2-13unnumbered interface … B:6-9

PPPoA … B:7-11binding ATM subinterface to PPP

interface … B:7-38configuring … B:7-37IP address … B:7-37PPP interface for … B:7-37troubleshooting PPP … B:7-52

debug commands … B:7-53understanding … B:7-35

PPPoE … B:7-11binding ATM subinterface to PPP

interface … B:7-33description of … B:7-28discovery phases … B:7-29IP address … B:7-33MTU size … B:6-17PPP interface for … B:7-32setting access concentrator name … B:7-34setting PPPoE service name … B:7-35show command … B:7-51troubleshooting … B:7-50troubleshooting PPP … B:7-52

debug commands … B:7-53PPTP

ALG for … A:4-20preshared key

adding to VPN remote ID list … A:8-32for VPN … A:8-10viewing VPN … A:8-71

Privacy Enhanced Mail … A:8-59, A:8-61ProCurve Secure Router

models … B:1-5product documentation … B:1-7Protocol Independent Multicast-Sparse Mode

See PIM-SMPSTN … B:4-4, B:5-4PTT authorities … B:4-3, B:5-3public carrier

central office of … B:4-4, B:5-4, A:3-7See also local loop

public key infrastructureSee PKI

public switched telephone network … B:4-4, B:5-4Public Telephone and Telegraph authorities … B:4-3,

B:5-3PVC

ATM … B:7-18Frame Relay subinterface for … B:6-28


QQ.931 … B:8-11QoS

CBWFQ … A:7-11, A:7-18configuration wizard … A:14-47configuring with Web browser interface … A:14-44data packets … A:7-4Ethernet … A:7-55

example configuration … A:7-57FIFO … A:7-10Frame Relay … A:7-50, A:7-51

example configuration … A:7-54rate limiting … A:7-52

FRF.12 … A:7-12, A:7-51high-priority traffic … A:7-4LLQ … A:7-11, A:7-31maps

See QoS mapmatch command

dscp … A:7-37ip rtp … A:7-25list … A:7-37precedence … A:7-37

mechanisms … A:7-5monitoring … A:7-64

managing queues … A:7-66QoS maps … A:7-65

OSPF … A:7-5SIP … A:7-59Telnet … A:7-4ToS field … A:7-6

DiffServ … A:7-7IP precedence … A:7-6PHBs … A:7-8

ToS marking … A:7-43VoIP … A:7-4WFQ … A:7-11, A:7-14

QoS map … A:7-12, A:7-13configuring … A:7-20, A:7-44deleting … A:7-66entry order … A:7-12forced inactive … A:7-67

match command … A:7-70dscp … A:7-45, A:7-61ip rtp … A:7-38, A:7-47, A:7-61list … A:7-40, A:7-46, A:7-63, A:7-70precedence … A:7-45protocol bridge … A:7-25, A:7-41, A:7-48,

A:7-70ToS marking … A:7-13viewing … A:7-65

queuemonitoring … A:7-66subqueue … A:7-14, A:7-16, A:7-66

queuinglow-latency

See LLQ … A:7-6weighted fair

See WFQ

RR interface … B:8-9, A:3-9RADIUS server

authentication … B:2-18configuring through Web browser

interface … B:14-28defining … B:2-27defining group … B:2-29global settings … B:2-30troubleshooting … B:2-36Xauth with … A:8-50, A:8-52

RAM … B:1-29rapid spanning tree protocol

See RSTPrate limiting

Ethernet … A:7-55, A:7-68Frame Relay … A:7-50, A:7-52, A:7-63

RBE … B:7-39configuring … B:7-40example environment … B:7-40

READSL … B:7-4, B:7-6real-time transport protocol

See RTPrebooting router

with Web browser interface … B:14-13, A:14-13redundant power source … B:1-29reflexive traffic … A:4-10, A:4-12

attack check … A:4-16illustration of … A:4-12, A:4-17


reload command … A:5-37reload in command … B:1-72rendezvous point

See RPrepeater … B:5-6

carrier line … B:4-6ISDN connection … B:8-7, A:3-7

resource pool … A:3-27assigning ISDN group … B:8-45for demand interface … B:8-30viewing … B:8-67, A:3-78

RIPadvertising a network … B:13-21advertising a non-RIP network … B:13-23as an interior gateway protocol … B:13-7compared to OSPF and BGP … B:13-9compatibility between versions … B:13-14,

B:13-151configuration options … B:13-18configuring with Web browser

interface … A:14-113default administrative distance … B:13-11default intervals … B:13-18overview … B:13-12passive interface … B:13-26poison reverse … B:13-15, B:13-17redistributing routes

connected … B:13-23OSPF … B:13-24static … B:13-24

route summarization … B:13-24split horizon … B:13-15, B:13-17timing intervals … B:13-17triggered updates … B:13-15, B:13-17troubleshooting … B:13-151updates … B:13-15version … B:13-13version for an interface … B:13-20version, configuring … B:13-20

RJ-11 connector … B:7-12, B:8-8RJ-45 connector … B:3-2, B:8-8RJ-48C connector … B:4-7, B:9-14route maps

applying policies to inbound routes … B:13-102applying to neighbor … B:13-104controlling routes advertised … B:13-89controlling routes neighbor advertises … B:13-94creating … B:13-86

deleting communities from … B:13-103entry in … B:13-87filtering inbound routes … B:13-100filtering routes

AS path … B:13-93community … B:13-91network address … B:13-90

load balancing … B:13-96, B:13-98routed bridged encapsulation

See RBErouter management

configuration files … B:1-30, B:1-33contexts … B:1-35controlling access … B:2-4rebooting using reload … B:1-51remote access … B:2-6saving changes … B:1-33software updates … B:1-8

routingadministrative distances … B:13-11advantages of routing protocols … B:13-10clearing routes … B:11-27, B:13-149comparing routing protocols … B:13-9configuring through Web browser

interface … B:14-88disadvantages of routing protocols … B:13-10dynamic … B:11-10dynamic routing

Layer 2 devices with … A:12-2floating static route … B:11-16monitoring routes … B:11-26non-IP traffic … B:10-4RIP updates … B:13-15See also PBRstatic

See static routetunneling updates … A:8-14, A:9-8, B:13-23,

B:13-152updates

BGP … B:13-70, B:13-163OSPF … B:13-39, B:13-57

Routing Information ProtocolSee RIP

routing tableinformation included in … B:11-7, B:11-9matching packet to route … B:11-7multicast

See multicast routing table


OSPF … B:13-157viewing … B:11-23, B:11-24, B:13-146, B:13-147with routing protocols … B:13-7

routing, dynamic routingSee RIP, OSPF, and BGP

RP … A:11-3, A:11-6RP set … A:11-17selecting … A:11-17, A:11-30, A:11-62set

See RP setSP tree, joining … A:11-10, A:11-26, A:11-35,

A:11-50static … A:11-17, A:11-18supporting all groups … A:11-31supporting specific groups only … A:11-31,

A:11-32RP set

configuring … A:11-32, A:11-67troubleshooting … A:11-62

RPS … B:1-29RSTP

BPDU … B:10-12BPDU guard … B:10-21compatibility with STP … B:10-17configuration tasks … B:10-11, B:10-17connection type … B:10-15, B:10-21disabling … B:10-23edge port … B:10-14, B:10-19improvements over STP … B:10-14link cost … B:10-18, B:10-28overview … B:10-4priority for becoming root … B:10-18sync … B:10-15timers … B:10-22troubleshooting … B:10-24, B:10-25valid interfaces … B:10-11viewing the spanning tree … B:10-25, B:10-26

RTP … A:7-25, A:7-34, A:7-38, A:7-47compression … A:7-34cRTP … A:7-34

running-config … B:1-30

SS interface … B:8-8, A:3-9SA … A:8-7

See also IKE SA and IPSec SASafeMode … B:1-61

SAPI … B:8-10saving changes … B:1-56SCEP … A:8-56, A:8-57secure copy server

enabling … B:2-13secure router operating system

See SROSsecurity

AAA subsystem … B:2-14accounting … B:2-25ACL … A:5-5ACP … A:5-25authorization … B:2-23console password … B:2-5enable mode password … B:2-4encrypting passwords … B:2-11local user lists … B:2-10management access … B:2-4RADIUS server … B:2-27remote access … B:2-6show users … B:2-14TACACS+ server … B:2-31Telnet password … B:2-8

security parameter indexSee SPI

self certificatedefinition … A:8-56importing manually … A:8-61requesting … A:8-59

serial interfaceaccessing … B:5-12activating … B:5-14binding

to Frame Relay interface … B:6-35to HDLC interface … B:6-43to PPP interface … B:6-11

clock source … B:5-13configuring … B:5-12configuring through Web browser

interface … B:14-44Data Link Layer

Frame Relay … B:6-23HDLC … B:6-39PPP … B:6-6

rxclock, inverting … B:5-14serial-mode setting … B:5-12


troubleshooting … B:5-17problem with line going down … B:5-21solutions to problems … B:5-19

txclock, inverting … B:5-13viewing configuration of … B:5-16

serial modulecable shipped with … B:5-8connecting to CSU/DSU … B:5-8for E1- carrier lines … B:5-3for T1-carrier line … B:5-3port number … B:5-12slot number … B:5-12standards supported … B:5-7used with external CSU/DSU … B:5-7

service access point identifier … B:8-10Service Level Agreement … B:6-19service level agreement

and EIR … B:6-34session initiation protocol

See SIPSHDSL … B:7-4show command … A:7-65

basic mode context … B:1-41bridge table … B:10-8crypto ike … A:8-72crypto ipsec … A:8-72crypto map … A:8-72DHCP client binding table … B:13-18DHCP lease on router interface … B:13-26enable mode commands … B:1-51event-history … A:4-25Frame Relay … A:2-14interfaces

ADSL … B:7-41ATM … B:7-44BRI … B:8-64, A:3-71demand … B:8-61, A:3-75DSX-1 … B:9-19E1 … B:4-27, B:9-5E1 for G.703 … B:9-13Ethernet … B:3-19G.703 … B:9-10modem … A:3-74T1 … B:4-27T1 for DSX-1 … B:9-19tunnel … A:9-13

ip access-lists … A:8-72LLDP activity … A:12-8

LLDP neighbors … A:12-6, A:12-7LLDP neighbors, real time … A:12-7LLDP timers … A:12-11logical interfaces … B:6-53persistent backup … A:3-85PPPoE … B:7-51qos map … A:7-65qos map interface … A:7-65queue … A:7-66routing table … B:11-23running-config

DSX-1 … B:9-20G.703 … B:9-11

show connections … B:5-17show tech … B:1-57, A:1-20spanning tree … B:10-25verbose option … B:1-54

showtimefor ADSL … B:7-13monitor for ADSL … B:7-16

signalingelectrical, for WAN connection … B:4-3

Simple Certificate Enrollment Protocol … A:8-56, A:8-57

SIP … A:7-50, A:7-58, A:7-60ALG for … A:4-19configuring … A:7-59definition … A:7-59destination port … A:7-62enabling, services … A:7-59

site-to-site VPNIKE mode for … A:8-27peer ID in crypto map … A:8-43peer ID in IKE policy … A:8-24peer ID in remote ID list … A:8-33specifying traffic for … A:8-37Xauth with … A:8-49

SLA … B:6-19and EIR … B:6-34

slotnarrow … B:1-14supported modules … B:1-15wide … B:1-20

slot numberfor ADSL interfaces … B:7-12for backup BRI interfaces … A:3-37, A:3-47for backup modem interfaces … A:3-37for BRI interfaces … B:8-40


for E1 interfaces … B:4-11for Ethernet interfaces … B:3-3for serial interface … B:5-12for T1 interfaces … B:4-11

smart jack … B:4-5for ISDN … A:3-8

Smurf attack … A:4-9SNMP … A:12-2

support … B:1-61enabling through Web browser

interface … B:14-15viewing neighbors’ management agent … A:12-5

SNR-margin … B:7-15monitoring … B:7-16

softwaredownloading updates … B:1-8, A:1-7transfer … B:1-76transfer using

compact flash … B:1-81TFTP … B:1-78

spanning tree protocolSee RSTPSee STP

speedEthernet connection settings … B:3-10

SPIdisplaying … A:8-71manually setting … A:8-67, A:8-68matching packets to VPN tunnel … A:8-22role in IPSec SA … A:8-7

SPIDdemand routing … A:3-40persistent backup connection … A:3-49troubleshooting problems with … A:3-73

spoofingdemand interface … A:3-23

SROSand AutoSynch™ technology … B:1-34basic mode … B:1-36boot code … B:1-30enable mode … B:1-36global configuration mode … B:1-37hierarchy … B:1-34managing with Web browser interface … A:14-10software … B:1-30version

viewing neighbors’ … A:12-5

SSHconfiguring password through Web browser

interface … B:14-19, B:14-24lines … B:2-12local user list … B:2-10

startup-config … B:1-30static route … B:11-9

advantages and disadvantages of … B:11-10applications … B:11-13configuring … B:11-13, B:11-14, B:11-15deleting … B:11-28, B:13-150floating … B:11-16

demand routing … A:3-42persistent backup connections … A:3-67

for demand interface … B:8-46null interface, through … B:11-18redistributing … B:13-56redistributing through RIP … B:13-24troubleshooting … B:11-23

stealth mode … A:4-17STP

BPDU … B:10-12configuration tasks … B:10-11, B:10-23configuring through Web browser

interface … B:14-80disabling … B:10-23link cost … B:10-18, B:10-28overview … B:10-4priority for becoming root … B:10-18states … B:10-13timers … B:10-22troubleshooting … B:10-24, B:10-25valid interfaces … B:10-11viewing the spanning tree … B:10-25, B:10-26

subinterfaceATM … B:7-18, A:7-17Ethernet … B:3-18Frame Relay … B:6-28, A:7-54

Syndrop attack … A:4-9SYN-flood

attack … A:4-9, A:4-10attack check … A:4-16

syslog serverforwarding logs to … A:4-27


TT interface … B:8-8, A:3-9T1 + DSX-1

See DSX-1 interface and drop-and-insert module … B:9-13

T1 interfaceactivating … B:4-20binding

to Frame Relay interface … B:6-35to HDLC interface … B:6-43to PPP interface … B:6-11

channels for … B:4-13clock source … B:4-17configuration mode context for … B:4-11configuring through CLI … B:4-10configuring through Web browser

interface … B:14-39Data Link Layer

Frame Relay … B:6-23HDLC … B:6-39PPP … B:6-6

FDL channel … B:4-19frame format … B:4-16LBO … B:4-18line coding … B:4-14line errors … B:4-22port number … B:4-11slot number … B:4-11speed for channel … B:4-13threshold commands … B:4-22troubleshooting … B:4-30viewing configuration of … B:4-28viewing status of … B:4-26

T1 modulestandards supported … B:4-9with built-in CSU/DSU … B:4-9

T1-carrier line1.544 Mbps bandwidth … B:4-324 channels … B:4-12analog voice on … B:4-3CSU/DSU in router … B:4-7elements of … B:4-3external CSU/DSU … B:4-6for analog voice … B:9-3local loop … B:4-4serial interface for … B:5-3with DSX-1 interface … B:9-3

TA … B:8-7, A:3-8

TACACS+ serveraccounting … B:2-25authentication … B:2-18authorization … B:2-23clear statistics … B:2-38defining … B:2-31global settings … B:2-34group of … B:2-33troubleshooting … B:2-37Xauth with … A:8-50, A:8-52

Targa attack … A:4-9TCP

attacks … A:4-10session timeout … A:4-21, A:4-22

TDMused in carrier lines … B:4-12

TE1 … B:8-7, A:3-8TE2 … B:8-7, A:3-8TearDrop attack … A:4-9TEI … B:8-10Telnet … A:5-21

ACL to control access … A:5-22configuring access to … B:2-8configuring password through Web browser

interface … B:14-22password for … B:2-8QoS … A:7-4, A:7-40using local user list for access … B:2-13

terminal adapter … B:8-7, A:3-8terminal endpoint identifier … B:8-10terminal equipment 1 … B:8-7, A:3-8terminal equipment 2 … B:8-7, A:3-8TFTP

enabling support through Web browser interface … A:14-15

file transfer with … B:1-78server, specifying in DHCP pool … B:13-11support, enabling through Web browser

interface … B:14-15threshold

E1 … B:4-21T1 … B:4-21

time division multiplexing … B:4-12timeout

application … A:4-22protocol … A:4-21session … A:4-21


timers
  LLDP
    setting … A:12-14
    viewing … A:12-11
ToS … A:7-5, A:7-6, A:7-7, A:7-37
  assured forwarding … A:7-9
  bits … A:7-7
  CBWFQ … A:7-19
  classifying traffic … A:7-21
  definition … A:7-6
  DiffServ … A:7-7, A:7-9
  IP precedence … A:7-6, A:7-8
  LLQ … A:7-36, A:7-42, A:7-71
  marking … A:7-43, A:7-45, A:7-48, A:7-61
  values … A:7-8, A:7-9, A:7-20, A:7-37
  viewing … A:7-65
  VoIP … A:7-47
  WFQ … A:7-11
traceroute command … B:1-36, B:11-26
traffic
  filtering with ACL … A:5-5
  filtering with ACP … A:5-25
  interesting, for backup with demand routing … A:3-23
traffic shaping
  Ethernet … A:7-56, A:7-68, A:7-73
  Frame Relay … A:7-52, A:7-55, A:7-63
  See also rate limiting
training phase
  ADSL … B:7-13
training-monitor
  for ADSL … B:7-16
transform set
  algorithms, specifying … A:8-40
  tunnel mode … A:8-42
  viewing … A:8-71, A:8-86
transmission media … B:4-3
troubleshooting
  AAA subsystem … B:2-35
  ACL … A:5-54
  ACL for demand routing … B:8-71, A:3-80
  ACP … A:5-54
  ADSL interface … B:7-46
  ATM interface … B:7-48
  ATM subinterface … B:7-49
  AutoSynch™ … B:1-70
  BGP … B:13-162
  BRI backup interfaces … A:3-70
  bridging … B:10-10
  CHAP … B:6-64
  compact flash performance … B:1-70
  debug commands … B:1-49
  debug isdn commands … B:8-72, A:3-81
  demand routing … B:8-68, A:3-79
  DHCP client … B:13-26
  DHCP server … B:13-18
  DNS … B:12-11
  DSX-1 interface … B:9-20
  E1 interface … B:4-30
  Ethernet interface … B:3-24
  events command … B:1-51
  firewall … A:4-13, A:4-25, A:4-29
  Frame Relay interface … B:6-65
  G.703 interface … B:9-12
  GRE … A:9-13
  HDLC interface … B:6-69
  IKE … A:8-76
  IPSec … A:8-73
  MLFR … A:2-16
  MLPPP … A:2-15
  multilinks … A:2-12
  OSPF … B:13-153
  persistent backup connection … A:3-90
  PIM-SM … A:11-48, A:11-56
  PPP authentication … B:6-62
  PPP interface … B:6-58
  PPPoE … B:7-50
  QoS … A:7-67
  RADIUS server … B:2-36
  RIP … B:13-151
  routing … B:13-146
  serial interface … B:5-17
  static routing … B:11-23
  T1 interface … B:4-30
  TACACS+ server … B:2-37
  tunnel … A:9-13
  VPN … A:8-73
  with reload in command … B:1-72
TS16
  configuring … B:9-9
  description … B:9-9
tunnel … A:8-4, A:9-4
  configuring with Web browser interface … A:14-104
  destination … A:9-4, A:9-5, A:9-6, A:9-8
  IP address … A:9-4, A:9-7


  key … A:9-7
  multicast … A:10-15
  See also VPN tunnel
  source … A:9-4, A:9-5
  troubleshooting … A:9-13
Twinge attack … A:4-9
type of service
  See ToS

U
U interface … B:8-8, A:3-9
UDP
  forwarding DHCP … B:13-30
  session timeout … A:4-21, A:4-22
UNI
  for Frame Relay … B:6-21
unnumbered interface
  ATM subinterface as … B:7-24
  Ethernet interface as … B:3-9
  Frame Relay subinterface as … B:6-32
  HDLC interface as … B:6-42
  PPP interface as … B:6-9
updating
  boot code … B:1-59
users
  viewing, accessing router … B:2-14
user-to-network interfaces
  Frame Relay … B:6-21

V
V.35 cable … B:5-9
VCI … B:7-19
VDSL … B:7-4
  See also ADSL
verbose option
  for show commands … B:1-54
videoconferencing
  ALG for … A:4-19
virtual channel identifier … B:7-18
virtual path identifier … B:7-18
virtual private network
  See VPN
virtual routing and forwarding
  used by ISP … B:13-66
VLAN
  DHCP scopes … B:13-5, B:13-15, B:13-16
  enabling support for … B:3-17
  ID for Ethernet subinterface … B:3-18
  IP address for Ethernet subinterface … B:3-19
  routing, traffic … B:3-16
  support for … B:3-15
  tagging … B:3-15
VLAN trunking
  See VLAN, tagging
VoIP
  ALG for … A:4-19
  bandwidth for … A:7-31, A:7-32
  packets … A:7-33
  QoS … A:7-4
    example configuration … A:7-57
    Frame Relay … A:7-51
    LLQ … A:7-38
    packet marking … A:7-47, A:7-62
    signaling traffic … A:7-45, A:7-62
VPI … B:7-19
VPN
  applying crypto map to interface … A:8-46
  client-to-site … A:8-4
  configuration
    overview … A:8-15
    tasks … A:8-23
    with Web browser interface … A:14-59
    wizard … A:14-60
  GRE tunnel … A:8-13
  IPSec module for … A:8-14
  module … B:1-27, A:8-23
  monitoring … A:8-70
  multiple sites … A:8-45
  peer
    See VPN peer
  See also client-to-site VPN, crypto map, IKE, IP Security (IPSec), site-to-site VPN
  site-to-site … A:8-4
  traffic
    defining in a crypto map … A:8-45
    defining in an ACL … A:8-35, A:8-37
    example configuration … A:8-39
    restricting hosts … A:8-36
  troubleshooting … A:8-73
    comparing policies … A:8-80, A:8-84
    debugging IKE … A:8-82
    permitting all traffic … A:8-75
    returning policies to defaults … A:8-86
  tunnel … A:8-4


VPN peer
  adding to remote ID list … A:8-32
  associating with IPSec policies … A:8-35
  dynamic peer
    IKE initiate mode with … A:8-27
    peer ID in crypto map … A:8-44
    peer ID in IKE policy … A:8-25
  ID
    specifying … A:8-17
    types … A:8-18, A:8-33
    with IKE main mode … A:8-34
  mobile users
    peer ID in crypto map … A:8-44
    peer ID in IKE policy … A:8-26
    problems with IKE main mode … A:8-28
    See also IKE mode config and Xauth
  static peer
    peer ID in crypto map … A:8-43
    peer ID in IKE policy … A:8-24
  viewing remote ID list … A:8-71
VPN tunnel … A:8-4, A:8-7
  See also IP Security (IPSec)

W
WAN connection
  dedicated … B:4-3
  elements of … B:4-3, B:5-3
  view active … B:5-17
Web browser interface … B:1-5, B:1-10
  AAA subsystem … B:14-27
  accessing … B:1-11, B:14-4, A:1-10
  ACPs … A:14-30
  ADSL interface … B:14-61
  ATM interface … B:14-63
  AutoSynch™ … B:14-5, A:14-5
  bridging … B:14-77
  certificates … A:14-93
  default route … B:14-88
  description … A:1-9
  DHCP … B:14-94
  DNS server … B:14-89
  DSX-1 interface … B:14-74
  E1 interface … B:14-39
  enable mode password … B:14-21
  enabling access to … A:14-4
  enabling IP services … B:14-15
  Ethernet interface … B:14-31
  file management … B:14-7, A:14-7
  firewall … A:14-21
  Frame Relay interface … B:14-52
  G.703 interface … B:14-74
  HDLC interface … B:14-58
  IP services … A:14-15
  LLDP … A:14-108
  managing Secure Router OS … B:14-10, A:14-10
  MLFR … A:14-20
  MLPPP … A:14-18
  organization of … B:1-12, A:1-11
  OSPF … A:14-116
  passwords … B:14-19
  PPP authentication … B:14-50
  PPP interface … B:14-47
  QoS … A:14-44
  QoS wizard … A:14-47
  RADIUS server … B:14-28
  RIP … A:14-113
  serial module … B:14-44
  spanning tree protocol … B:14-80
  static route … B:14-86
  T1 … B:14-39
  TACACS+ server … B:14-29
  tunnels … A:14-104
  VPN wizard … A:14-60
weighted fair queuing
  See WFQ
WFQ … A:7-11, A:7-14
  conversation subqueue … A:7-11, A:7-14, A:7-15
    packet threshold … A:7-18, A:7-66
  enabling … A:7-17
  queue size … A:7-18
  shortcomings … A:7-15, A:7-16, A:7-22, A:7-47, A:7-67
  weight … A:7-15
wildcard bits
  ACL for NAT … A:6-9
  in ACL … B:8-20, A:5-10
WinNuke
  attack … A:4-10, A:4-11
  optional firewall check … A:4-15
WINS server
  DHCP pool, in … B:13-11
  in IKE mode config pool … A:8-48
wizard
  QoS … A:14-47


X
X.21 cable … B:5-10
Xauth
  host
    configuration tasks … A:8-53
    generic authentication … A:8-53
    OTP authentication … A:8-54
    RADIUS authentication … A:8-53
  server
    configuration tasks … A:8-50
    enabling … A:8-52
    local username database for … A:8-50
    RADIUS database for … A:8-50, A:8-51
    TACACS+ database for … A:8-50, A:8-51


Technical information in this document is subject to change without notice.

© Copyright 2005. Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.

December 2005

Manual Part Number 5991-3785