HP MSR Router Series Web-Based Configuration Guide(V5) Part number: 5998-2054 Software version: CMW520-R2511 Document version: 6PW103-20140128
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Web overview The device provides Web-based configuration interfaces for visual device management and maintenance. Figure 1 Web-based network management operating environment Logging in to the Web interface Follow these guidelines when you log in to the Web interface: • The PC in Figure 1 is the one where you configure the device, but not necessarily the Web-based network management terminal.
Figure 2 Login page of the Web interface Logging out of the Web interface CAUTION: A logged-in user cannot automatically log out by directly closing the browser. Click Logout in the upper-right corner of the Web interface to quit Web-based network management. The system will not save the current configuration before you log out of the Web interface. Save the current configuration before logout.
Figure 3 Initial page of the Web interface
(1) Navigation area (2) Title area (3) Body area • Navigation area—Organizes the Web function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area.
Function menu WAN Interface Setup WAN Interface Setup VLAN Setup LAN Interface Setup VLAN Interface Setup Summary Interface Setup Access Service Wireless Configuration Radio Security Wireless QoS Description User level Displays the configuration information of a WAN interface, and allows you to view interface statistics. Monitor Allows you to modify WAN interface configuration, and clear the statistics of a WAN interface. Configure Displays the configuration information of a VLAN.
Function menu Country Code 3G Information 3G PIN Code Management Dynamic NAT DMZ Host NAT Configuration NAT Server Setup NAT Configuration ALG Nat Outbound Setup Security Setup Access Description User level Allows you to configure wireless QoS and rate limiting, and clear radio and client information. Configure Displays configuration information of the country code. Monitor Allows you to set the country code.
Function menu URL Filter MAC Address Filtering Blacklist Attack Defend Intrusion Detection Application Control Application Control Load Application Custom Application Redirection Advance Route Setup Summary Description User level Displays the information about URL filtering conditions. Monitor Allows you to add or delete URL filtering conditions. Configure Displays the information about MAC address filtering conditions.
Function menu Description User level Create Allows you to create IPv4 static routes. Configure Remove Allows you to delete IPv4 static routes. Configure Displays the IP address, mask and load sharing information of an interface. Monitor Allows you to modify the load sharing status and shared bandwidth of an interface. Configure Displays IP addresses, traffic ordering mode and traffic ordering interval for interfaces. Monitor Allows you to configure the traffic ordering mode and interval.
Function menu Set up Description User level Add Allows you to add an IPv4 ACL. Configure Basic Config Allows you to configure a basic rule for an IPv4 ACL. Configure Advanced Config Allows you to configure an advanced rule for an IPv4 ACL. Configure Link Config Allows you to configure a link layer rule for an IPv4 ACL. Configure Remove Allows you to remove an IPv4 ACL. Configure Displays the subnet limit configuration information.
Function menu Description User level Summary Displays QoS policy information. Monitor Create Allows you to create a QoS policy. Configure Setup Allows you to configure classifier-behavior associations. Configure Remove Allows you to remove a QoS policy. Configure Summary Displays QoS policy application information of a port. Monitor Setup Allows you to apply a QoS policy to a port. Configure Remove Allows you to remove a QoS policy from a port.
Function menu Description User level Displays the brief information of SNMP views. Monitor Allows you to create, modify, and remove an SNMP view. Configure Global Config Displays and allows you to set global bridging information. Configure Config Interface Displays and allows you to set interface bridging information. Configure Displays user group configuration. Monitor Allows you to configure user groups. Configure Displays user configuration. Monitor Displays users.
Function menu Port Global RADIUS Access ARP Table Gratuitous ARP ARP Management Dynamic Entry ARP Anti-Attack Scan Fix Description User level Allows you to modify the MST region-related parameters and VLAN-to-MSTI mappings. Configure Displays MSTP port parameters. Monitor Allows you to modify MSTP port parameters. Configure Displays MSTP parameters globally. Configure Displays and allows you to add, modify, and delete a RADIUS scheme.
Function menu IPsec Connection IPsec VPN Monitoring Information VPN L2TP Configuration L2TP Tunnel Info GRE Entity Certificate Management Domain Certificate Description User level Allows you to convert all dynamic ARP entries to static ones or delete all static ARP entries. Configure Displays IPsec connection configuration. Monitor Allows you to add, modify, delete, enable, or disable an IPsec connection.
Function menu Description User level Displays CRLs. Monitor Allows you to retrieve CRLs. Configure Allows you to save the current configuration to the configuration file to be used at the next startup. Configure Allows you to save the current configuration as the factory default configuration. Management Initialize Allows you to restore all configurations on the device to the factory default configuration.
Function menu Description User level Modify User Allows you to modify user account. Management Remove User Allows you to remove a user. Management Switch To Management Allows you to switch the user access level to the management level. Visitor Displays SNMP configuration information. Monitor Allows you to configure SNMP. Configure Displays the current system time and its configurations. Monitor Allows you to set the system time.
Function menu Trace Route WiNet Management WiNet Setup User Management Configuration Wizard Voice Management Local Number Call Route Dial Plan Number Match Description User level Allows you to execute the trace route command and view the result. Visitor Displays and refreshes the WiNet topology diagram and allows you to view the detailed device information.
Function menu Call Authority Control Number Substitution SIP Connection Call Connection SIP Server Group Management Digital Link Management Line Management Advanced Configuration Global Configuration Batch Configuration Description User level Displays call authority control configuration information, and the maximum number of call connections in a set. Monitor Allows you to configure call authority control, and the maximum number of call connections in a set.
Function menu Call Statistics Statistics Connection Status Description User level Allows you to create local numbers, call routes, and manage lines in batches. Configure Allows you to view and refresh active and history call statistics. Monitor Allows you to view and refresh active and history call statistics, and clear history call statistics. Configure Allows you to view and refresh registration and subscription status.
Figure 4 Content display by pages Searching function The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria. • Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search item from the drop-down list and click the Search button to display the entries that match the criteria. Figure 5 shows an example of searching for entries with VLAN ID being 2.
Figure 6 Advanced search Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these steps: 1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 7, and click Apply. The ARP entries with interface being Ethernet 0/4 are displayed. Figure 7 Advanced search function example (I) 2.
Figure 9 Advanced searching function example (III) Sorting function The Web interface provides you with the basic sorting function to display entries in a certain order. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected. After you click a heading item, it is displayed with an arrow beside it as shown in Figure 10. The upward arrow indicates the ascending order, and the downward arrow indicates the descending order.
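The advanced search and column sort described above can be reproduced offline against an exported ARP table, for example when reviewing which hosts sit behind one interface. The following is an added example, not code from this guide or from the device; the entry field names and the sample table are constructed assumptions, and sorting the IP column numerically is this example's choice rather than documented device behavior.

```python
"""Advanced search (interface, then IP range) and column sort on an ARP table.

All entries below are constructed sample data, not output from a real device.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    # Field names are assumptions of this example, not the device's column names.
    ip: str
    mac: str
    vlan: int
    interface: str
    kind: str  # "Dynamic" or "Static"


# Constructed sample table.
SAMPLE = [
    ArpEntry("192.168.1.50", "00e0-fc00-0050", 1, "Ethernet0/4", "Dynamic"),
    ArpEntry("192.168.1.59", "00e0-fc00-0059", 1, "Ethernet0/4", "Dynamic"),
    ArpEntry("192.168.1.55", "00e0-fc00-0055", 1, "Ethernet0/3", "Dynamic"),
    ArpEntry("192.168.1.60", "00e0-fc00-0060", 1, "Ethernet0/4", "Static"),
    ArpEntry("192.168.1.7", "00e0-fc00-0007", 1, "Ethernet0/4", "Dynamic"),
    ArpEntry("192.168.1.100", "00e0-fc00-0100", 1, "Ethernet0/4", "Dynamic"),
    ArpEntry("192.168.1.52", "00e0-fc00-0052", 1, "Ethernet0/4", "Static"),
]


def _norm_interface(name):
    """Ignore case and spaces so 'Ethernet 0/4' matches 'Ethernet0/4'."""
    return "".join(name.split()).lower()


def by_interface(entries, interface):
    """First search criterion: keep entries learned on one interface."""
    want = _norm_interface(interface)
    return [e for e in entries if _norm_interface(e.interface) == want]


def by_ip_range(entries, first, last):
    """Second criterion: keep entries whose IP is in [first, last], inclusive."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start %s is above range end %s" % (first, last))
    return [e for e in entries if lo <= ipaddress.IPv4Address(e.ip) <= hi]


def advanced_search(entries, interface, first, last):
    """Apply the second criterion to the result of the first one."""
    return by_ip_range(by_interface(entries, interface), first, last)


def sort_by(entries, column, descending=False):
    """Sort on one column. IPs are compared as numbers, because a plain
    string sort would place 192.168.1.100 before 192.168.1.50."""
    keys = {
        "ip": lambda e: int(ipaddress.IPv4Address(e.ip)),
        "mac": lambda e: e.mac.lower(),
        "vlan": lambda e: e.vlan,
        "interface": lambda e: _norm_interface(e.interface),
        "kind": lambda e: e.kind.lower(),
    }
    if column not in keys:
        raise ValueError("unknown column: %s" % column)
    return sorted(entries, key=keys[column], reverse=descending)


if __name__ == "__main__":
    hits = advanced_search(SAMPLE, "Ethernet 0/4", "192.168.1.50", "192.168.1.59")
    for e in sort_by(hits, "ip"):
        print(e.ip, e.mac, e.vlan, e.interface, e.kind)
```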
Task Command Disable the Web-based NM service. undo ip http enable Managing the current Web user Task Command Display the current login users. display web users Log out the specified user or all users.
2. Click the Security tab, and then select a Web content zone to specify its security settings, as shown in Figure 11. Figure 11 Internet Explorer setting (I) 3. Click Custom Level, and a dialog box Security Settings appears. 4. As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting.
Figure 12 Internet Explorer setting (II) 5. Click OK in the Security Settings dialog box. Configuring Firefox Web browser settings 1. Open the Firefox Web browser, and then select Tools > Options. 2. Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure 13.
Figure 13 Firefox Web browser setting
Displaying device information When you are logged in to the Web interface, you are placed on the Device Info page. The Device Info page contains five parts, which correspond to the five tabs below the figure on the page except the Services Information and Recent System Logs tabs. When you put your cursor on a part of the figure, the system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking this part.
• If you select a specific period, the system periodically refreshes the Device Info page. • If you select Manual, click Refresh to refresh the page. Displaying device information Table 3 Field description Field Description Device Model Device name. Software Version Software version of the device. Firmware Version Firmware version of the device. Hardware Version Hardware version of the device. Running Time Running time after the latest boot of the device. CPU Usage Real-time CPU usage.
Field Description RSSI Received signal strength indication (RSSI) of the 3G network. Displaying LAN information Table 6 Field description Field Description Interface Interface name. Link State Link state of the interface. Work Mode Rate and duplex mode of the interface. Displaying WLAN information Table 7 Field description Field Description SSID (WLAN Name) Name of the WLAN service. Service Status Whether the service is enabled or not.
Managing integrated services For devices with a card installed, if the card provides the Web interface access function, after specifying the URL address of the card on the integrated service management page, you can log in from the integrated service management page to the Web interface of the card to manage the card. When you are logged in to the Web interface, you are placed on the Device Info page. Click the Integrated Service Management tab to enter the page displaying card information of the device.
Basic services configuration This document guides you through quick configuration of basic services of routers, including configuring WAN interface parameters, LAN interface parameters, and WLAN interface parameters. For information about WAN interfaces, see "Configuring WAN interfaces." For information about LAN interfaces, see "Configuring VLANs." For information about WLAN interfaces, see "Wireless configuration overview.
Ethernet interface Figure 18 Setting Ethernet interface parameters Table 10 Configuration items (in auto mode) Item Description WAN Interface Select the Ethernet interface to be configured. Connect Mode: Auto Select the Auto connect mode to automatically obtain an IP address. Specify the MAC address of the Ethernet interface in either of the two ways: MAC Address • Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets.
Item Description DNS2 To configure the global DNS server on the page you enter, select Advanced > DNS Setup > DNS Configuration. The global DNS server has priority over the DNS servers of the interfaces. The DNS query is sent to the global DNS server first. If the query fails, the DNS query is sent to the DNS server of the interface until the query succeeds.
SA interface Figure 19 Setting SA parameters Table 13 Configuration items Item Description WAN Interface Select the SA interface to be configured. User Name Specify the user name for identity authentication. Password Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. New Password Specify or modify the password for identity authentication. TCP-MSS Set the maximum TCP segment length of an interface.
ADSL/G.SHDSL interface Figure 20 Setting ADSL/G.SHDSL parameters Table 14 Configuration items (in IPoA mode) Item Description WAN Interface Select the ADSL/G.SHDSL interface to be configured. Connect Mode: IPoA Select the IPoA connect mode. PVC Specify the VPI/VCI value for PVC. TCP-MSS Set the maximum TCP segment length of an interface. MTU Set the MTU of an interface. IP Address Specify the IP address of the ADSL/G.SHDSL interface. Subnet Mask Select a subnet mask for the ADSL/G.
Item Description Connect Mode: PPPoA Select the PPPoA connect mode. PVC Specify the VPI/VCI value for PVC. User Name Specify the user name for identity authentication. Password Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured. New Password Specify or modify the password for identity authentication. TCP-MSS Set the maximum TCP segment length of an interface. MTU Set the MTU of an interface.
Figure 21 Setting CE1/PRI interface parameters (in E1 mode) Table 18 Configuration items (in E1 mode) Item Description WAN Interface Select the CE1/PRI interface to be configured. Work Mode: E1 Select the E1 work mode. User Name Specify the user name for identity authentication. Password Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. New Password Specify or modify the password for identity authentication.
Table 19 Configuration items (in CE1 mode) Item Description WAN Interface Select the CE1/PRI interface to be configured. Work Mode: CE1 Select the CE1 work mode. Select one of the following operation actions: Operation • Create—Binds timeslots. • Remove—Unbinds timeslots. Serial Select a number for the created Serial interface. Timeslot-List Specify the timeslots to be bound or unbound. User Name Specify the user name for identity authentication.
Item Description Serial Select the number for the created serial interface. Timeslot-List Specify the timeslots to be bound or unbound. User Name Specify the user name for identity authentication. Password Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. New Password Specify or modify the password for identity authentication. TCP-MSS Set the maximum TCP segment length of an interface.
Item Idle Timeout Description server if no data exchange occurs between it and the server within the specified time. After that, it automatically establishes the connection upon receiving a request for accessing the Internet from the LAN. When Online according to the Idle Timeout value is enabled, specify an idle timeout value. Setting LAN interface parameters After finishing the previous configuration, click Next.
Item Description IMPORTANT: End IP Address If the extended address pool is configured on an interface, when a DHCP client's request arrives at the interface, the server assigns an IP address from this extended address pool only. The client cannot obtain an IP address if no IP address is available in the extended address pool. Specify a gateway IP address in the DHCP address pool for DHCP clients.
Item Description Network Name (SSID) Specify a wireless network name. Network Hide Select whether to hide the network name. Radio Unit Select a radio unit supported by the AP, which can be 1 or 2. Which value is supported varies with device models. Select whether to enable data encryption. Enable Encrypt With data encryption enabled, data transmission between wireless client and wireless device can be secured. Encrypt Act Select an encryption mode for the wireless network, WEP40 or WEP104.
Figure 27 Checking the basic service configuration
Configuring WAN interfaces This chapter describes how to configure the following interfaces on the Web interface: • Ethernet interfaces. • SA interfaces. • ADSL/G.SHDSL interfaces. • CE1/PRI interfaces. • CT1/PRI interfaces. Configuring an Ethernet interface An Ethernet interface or subinterface supports the following connection modes: • Auto—The interface acts as a DHCP client to get an IP address through DHCP. • Manual—The IP address and subnet mask are configured manually for the interface.
Figure 29 Configuring an Ethernet interface Table 24 Configuration items (auto mode) Item Description WAN Interface Displays the name of the Ethernet interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up, but not connected, click Disable to shut down the interface.
Table 25 Configuration items (manual mode) Item Description WAN Interface Displays the name of the Ethernet interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface.
Item Password Description Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication. New Password Set or modify the password for authentication. TCP-MSS Configure the TCP MSS on the interface. MTU Configure the MTU on the interface. Set the idle timeout time for a connection: • Online for all time—The connection is maintained until being disconnected manually or upon an anomaly.
Figure 30 Configuring an SA interface Table 27 Configuration items Item Description WAN Interface Displays the name of the interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface.
Configuring an ADSL/G.SHDSL interface Overview The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA. IPoA IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data link layer for the IP hosts on the same network to communicate with one another, and IP packets must be adapted in order to traverse the ATM network.
Figure 31 Configuring an ADSL/G.SHDSL interface Table 28 Configuration items (IPoA) Item Description WAN Interface Displays the name of the ADSL/G.SHDSL interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface.
Item Description Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. • Administratively Down—Indicating that the current interface is shut down by a network administrator, click Enable to bring up the interface. Connect Mode: IPoEoA Select IPoEoA as the connection mode.
Item Description Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. • Administratively Down—Indicating that the current interface is shut down by a network administrator, click Enable to bring up the interface.
Configuration procedure To configure a CE1/PRI interface: 1. Select Interface Setup > WAN Interface Setup from the navigation tree. 2. Click the icon for the CE1/PRI interface. 3. Configure the CE1/PRI interface, as described in "Configuring a CE1/PRI interface in E1 mode" and "Configuring a CE1/PRI interface in CE1 mode."
Item Description MTU Configure the MTU on the interface. Configuring a CE1/PRI interface in CE1 mode Figure 33 Configuring a CE1/PRI interface in CE1 mode Table 33 Configuration items (in CE1 mode) Item Description WAN Interface Displays the name of the CE1/PRI interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
Item Password Description Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication. New Password Set or modify the password for authentication. TCP-MSS Configure the TCP MSS on the interface. MTU Configure the MTU on the interface. Configuring a CT1/PRI interface The CT1/PRI interface supports PPP connection mode. For more information about PPP, see "Configuring an SA interface.
Table 34 Configuration items Item Description WAN Interface Displays the name of the CT1/PRI interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. Interface Status • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface.
Figure 35 Sample interface statistics
Configuring VLANs You can configure the following port-based VLAN and VLAN interface functions through the Web interface: • Create or delete VLANs. • Add/remove member ports to/from a VLAN. • Create or delete VLAN interfaces. • Configure VLAN interface parameters. Overview Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared, collisions and excessive broadcasts are common on Ethernet networks.
Step Remarks Optional. 2. Configuring parameters for a VLAN interface. Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP server function for a VLAN interface. If yes, configure the related parameters. You can also configure the DHCP server function in Advanced > DHCP Setup. For more information, see "Configuring DHCP." This chapter only describes the DHCP server configuration in the LAN Setup module.
Item Description Only Remove VLAN Interface Remove the VLAN interface of a VLAN without removing the VLAN. Configuring VLAN member ports The ports that you assign to a VLAN in the Web interface can only be set to untagged type. The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged member ports. You can configure a VLAN by assigning ports to it or removing ports from it. Select Interface Setup > LAN Interface Setup from the navigation tree.
Figure 37 VLAN interface setup page Table 37 Configuration items Item Description VLAN ID Select the ID of the VLAN interface you want to configure. IP Address Subnet Mask Set the VLAN interface's IP address and subnet mask.
Item Description MAC Address Set the MAC address of the VLAN interface: • Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in the following brackets. • Use the customized MAC address—Manually set the MAC address of the VLAN interface. When you select this option, you must enter a MAC address in the text box below. Select whether to configure a DHCP server.
Wireless configuration overview The device allows you to perform the following configuration in the Web interface: • Configuring wireless access service • Displaying wireless access service • Client mode • Configuring data transmit rates • Displaying radio • Configuring the blacklist and white list functions • To configure user isolation • Configuring wireless QoS • Setting a district code • Channel busy test After these configurations, you can build an integrated, stable, secure, effect
Task Remarks Optional. Configuring WLAN security Allows you to control client access to improve wireless security. Optional. Configuring WLAN QoS Allows you to configure WLAN QoS to make full use of wireless resources. Optional. Allows you to configure district codes as needed to meet the specific country regulations and configure channel busy test.
Figure 39 Creating a wireless service Table 39 Configuration items Item Description Radio Unit Radio ID, 1 or 2. Mode Radio mode, which depends on your device model. Set the service set identifier (SSID). An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. Meanwhile, it is not recommended to use a long random string as the SSID, because it only adds the Beacon frame length and usage complexity, without any improvement to wireless security.
Figure 40 Configuring clear type wireless service Table 40 Configuration items Item Description Wireless Service Display the selected Service Set Identifier (SSID). VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed. Set the default VLAN of a port. Default VLAN Delete VLAN By default, the default VLAN of all ports is VLAN 1.
Figure 41 Configuring advanced settings for a clear type wireless service Table 41 Configuration items Item Description Client Max Users Maximum number of clients of an SSID to be associated with the same radio of the AP. IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden. Web interface management right of online clients.
Item Description • mac-authentication—Performs MAC address authentication on users. • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
Figure 42 Configuring MAC authentication Table 43 Configuration items Item Description Port Mode mac-authentication: MAC-based authentication is performed on access users. Max User Control the maximum number of users allowed to access the network through the port. MAC Authentication Select the MAC Authentication option. Select an existing domain from the list. The default domain is system.
Table 44 Configuration items Item Description Port Mode • userlogin-secure—Perform port-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online. • userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users. Max User Control the maximum number of users allowed to access the network through the port.
Figure 44 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example) Table 45 Configuration items Item Description • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. Upon receiving an 802.
Item Description Authentication Method • EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication. • CHAP—Use CHAP. By default, CHAP is used. CHAP transmits only usernames but not passwords over the network. Therefore this method is safer. • PAP—Use PAP.
Figure 45 Configuring crypto type wireless service See Table 40 for the configuration items of basic configuration of crypto type wireless service. Configuring advanced settings for crypto type wireless service 1. Select Interface Setup > Wireless > Access Service from the navigation tree. 2. Click the icon for the target crypto wireless service.
Item Description TKIP CM Time Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled. If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is enabled. MIC is designed to avoid hacker tampering. It uses the Michael algorithm and is extremely secure. When MIC failures occur, the data may have been tampered with, and the system may be under attack.
Table 47 Configuration items Item Description Authentication Type Link authentication method, which can be: • Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication. • Shared-Key—The two parties must have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used. • Open-System and Shared-Key—You can select both open-system and shared-key authentication.
Item Description See Table 42. Parameters such as authentication type and encryption type determine the port mode. For details, see Table 50. After you select the Cipher Suite option, the following four port security modes are added: • mac and psk—MAC-based authentication must be performed on access users first. If Port Security MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device.
Item Description Domain Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field. • The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting. • Do not delete a domain name in use.
2. Click the icon for the target wireless service to enter the page as shown in Figure 50. Figure 50 Binding an AP radio to a wireless service 3. Select the AP radio to be bound. 4. Click Bind. Security parameter dependencies In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are described in Table 50.
Service type Authentication mode Encryption type Selected Security IE Required Open-System and Shared-Key Unselected Unavailable WEP encryption/key ID Port mode WEP encryption is required mac and psk The key ID can be 2, 3 or 4 userlogin-secure-ext WEP encryption is required The key ID can be 1, 2, 3 or 4 psk mac-authentication Displaying wireless access service Displaying wireless service Select Interface Setup > Wireless > Summary from the navigation tree and click the name of the spec
Field Description Service Template Type Service template type. Authentication Method Type of authentication used. WLAN service of the clear type only uses open system authentication. SSID-hide • Disable—The SSID is advertised in beacon frames. • Enable—Disables the advertisement of the SSID in beacon frames. Service Template Status Status of service template: • Enable—Enables WLAN service. • Disable—Disables WLAN service. Maximum clients per BSS Maximum number of associated clients per BSS.
Field Description GTK Rekey Method GTK rekey method configured: packet based or time based. GTK Rekey Time(s) Time for GTK rekey in seconds. • If Time is selected, the GTK is refreshed after a specified period of time. • If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted. Service Template Status Status of service template: • Enable—Enables WLAN service. • Disable—Disables WLAN service.
Displaying connection history information about wireless service Figure 54 Displaying the connection history information about wireless service Displaying client Displaying client detailed information 1. Select Interface Setup > Wireless > Summary from the navigation tree. 2. Click the Client tab to enter the Client page. 3. Click the Detail Information tab on the page. 4. Click the name of the specified client to view the detailed information of the client.
Table 53 Client RSSI Field Description —Indicates that 0 < RSSI <= 20. —Indicates that 20 < RSSI <= 30. Client RSSI —Indicates that 30 < RSSI <= 35. —Indicates that 35 < RSSI <= 40. —Indicates that 40 < RSSI. Table 54 Field description Field Description MAC address MAC address of the client. AID Association ID of the client. Username of the client: • The field is displayed as -NA- if the client adopts plain-text authentication or cipher-text authentication with no username.
Field Description 4-Way Handshake State Four-way handshake states: • IDLE—Displayed in initial state. • PTKSTART—Displayed when the 4-way handshake is initialized. • PTKNEGOTIATING—Displayed after valid message 3 was sent. • PTKINITDONE—Displayed when the 4-way handshake is successful. Group Key State Group key state: • IDLE—Displayed in initial state. • REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client. • REKEYESTABLISHED—Displayed when re-keying is successful.
Figure 56 Displaying client statistics Table 56 Field description Field Description AP Name Name of the associated access point. Radio Id Radio ID. SSID SSID of the device. BSSID MAC address of the device. MAC Address MAC Address of the client. RSSI Received signal strength indication. This value indicates the client signal strength detected by the device. Transmitted Frames Number of transmitted frames. Back Ground(Frames/Bytes) Statistics of background traffic, in frames or in bytes.
Figure 57 Viewing link test information Table 57 Field description Field Description No./MCS • Rate number for a non-802.11n client. • MCS value for an 802.11n client. Rate (Mbps) Rate at which the radio interface sends wireless ping frames. TxCnt Number of wireless ping frames that the radio interface sent. RxCnt Number of wireless ping frames that the radio interface received from the client. RSSI Received signal strength indication.
Figure 58 Network diagram IP network SSID:sevice1 Router Client Configuration procedure 1. Create a wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add. Figure 59 Creating a wireless service a. Select the radio unit 1, set the service name to service1, and select the wireless service type clear. b. Click Apply. 2. Enable the wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b.
Figure 61 Enabling 802.11g radio Verifying the configuration If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you can view the online clients. Configuration guidelines Follow these guidelines when you configure a wireless service: • Select a correct district code. • Make sure the radio unit is enabled. Access service-based VLAN configuration example Network requirements An AP can provide multiple wireless access services.
d. Click Apply. After the wireless service is created, the system is automatically navigated to the wireless service page, where you can perform the VLAN settings (before this operation, select Network > VLAN and create VLAN 2 first). Figure 63 Setting the VLANs e. Type 2 in the VLAN (Untagged) input box. f. Type 2 in the Default VLAN input box. g. Type 1 in the Delete VLAN input box. For PSK-related configuration, see "PSK authentication configuration example.
On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3, while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two clients are in different VLANs, they cannot access each other. PSK authentication configuration example Network requirements As shown in Figure 65, configure the client to access the wireless network by passing PSK authentication. Configure the same PSK key 12345678 on the client and AP.
Figure 67 Configuring security settings a. Select the Open-System from the Authentication Type list. b. Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list. c. Select the Port Set option, and select psk from the Port Mode list. d. Select pass-phrase from the Preshared Key list, and type key ID 12345678. e. Click Apply. 3. Enable the wireless service: a.
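The pass-phrase entered in step d is stretched into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1, salted only by the SSID, so its strength rests entirely on the pass-phrase chosen. The following added example (not part of the HP guide) derives that key and audits a candidate pass-phrase before it is configured; the SSID psk, the 80-bit threshold and the function names are assumptions made for illustration.

```python
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LENGTH = 32           # bytes, the 256-bit pairwise master key
MIN_ENTROPY_BITS = 80     # assumed audit threshold, not a value from the guide


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Map an 8 to 63 character pass-phrase to the PMK; the SSID is the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("pass-phrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               PBKDF2_ITERATIONS, PMK_LENGTH)


def _is_run(text: str) -> bool:
    """True for strictly ascending or descending runs such as 12345678."""
    steps = {ord(b) - ord(a) for a, b in zip(text, text[1:])}
    return steps in ({1}, {-1})


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper bound: length times log2 of the character pool actually used."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation + " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_passphrase(passphrase: str, ssid: str) -> list:
    """Return the reasons a pass-phrase should not be deployed (empty if none)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid-length")
    if passphrase.isdigit():
        findings.append("digits-only")
    if _is_run(passphrase):
        findings.append("sequential-run")
    if len(set(passphrase)) <= 2:
        findings.append("repeated-characters")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains-ssid")
    if estimate_entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        findings.append("low-entropy")
    return findings


if __name__ == "__main__":
    ssid = "psk"  # assumed service name for this illustration
    for candidate in ("12345678", "tR7#qLz9!mVx2@Kp4$wY"):  # second value is constructed
        print(candidate, audit_passphrase(candidate, ssid),
              derive_pmk(candidate, ssid).hex()[:16] + "...")
```

Because the SSID is the only salt, the same pass-phrase under a different SSID yields a different key, and the estimate is an upper bound that does not account for dictionary words.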
Local MAC authentication configuration example Network requirements As shown in Figure 69, perform MAC authentication on the client. Figure 69 Network diagram Configuration procedure 1. Configure a wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b. Click Add. Figure 70 Creating a wireless service c. Select the radio unit 1. d. Set the service name to mac-auth. e. Select the wireless service type clear. f. Click Apply. 2.
Figure 71 Configuring security settings a. Select the Open-System from the Authentication Type list. b. Select the Port Set option, and select mac-authentication from the Port Mode list. c. Select the MAC Authentication option, and select system from the Domain list. d. Click Apply. 3. Enable the wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. Figure 72 Enabling the wireless service a. Select the mac-auth option. b. Click Enable. 4.
Figure 73 Adding a MAC authentication list c. Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example. d. Click Add. 5. (Optional.) Enable 802.11g radio. By default, 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled. Verifying the configuration If the MAC address of the client is in the MAC authentication list, the client can pass authentication and access the WLAN network.
Figure 75 Creating a wireless service c. Select radio unit 1. d. Set the wireless service name as mac-auth. e. Select the wireless service type clear. f. Click Apply. 2. Configure MAC authentication: After you create a wireless service, the wireless service configuration page appears. Then you can configure MAC authentication on the Security Setup area. Figure 76 Configuring security settings a. Select Open-System from the Authentication Type list. b.
Figure 77 Enabling the wireless service b. Select the mac-auth option. c. Click Enable. 4. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled. Configuring the RADIUS server The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configurations of the RADIUS server. 1. Add an access device: a.
c. Click Add. d. On the page that appears, set the service name as mac, keep the default values for other parameters, and click OK. Figure 79 Adding a service 3. Add an account: a. Click the User tab. b. Select User > All Access Users from the navigation tree. c. Click Add. d. On the page that appears, enter username 00146c8a43ff, set the account name and password both as 00146c8a43ff, select the service mac, and click OK.
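The MAC authentication examples write the same client address three ways: 0014-6c8a-43ff on the client page, 00-14-6c-8a-43-ff in the local MAC authentication list, and 00146c8a43ff as the RADIUS username and password. The following added example (not part of the HP guide) normalizes a device inventory into those three notations and flags addresses that should not be provisioned as they stand; the inventory lines are constructed and the function and key names are hypothetical.

```python
import re

SEPARATORS = re.compile(r"[-:.\s]")
HEX12 = re.compile(r"[0-9a-f]{12}")

# Constructed sample inventory; only the first two addresses appear in the guide.
CONSTRUCTED_INVENTORY = [
    "0014-6c8a-43ff",
    "00:40:96:B3:8A:77",
    "00-14-6C-8A-43-FF",   # same client as the first line, different notation
    "da:a1:19:00:00:01",   # locally administered bit set
    "01-00-5e-00-00-fb",   # group (multicast) address
    "0014-6c8a-43f",       # one hex digit short
]


def parse_mac(text: str) -> str:
    """Return the address as 12 lowercase hex digits, whatever the separators."""
    digits = SEPARATORS.sub("", text.strip().lower())
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits


def notations(digits: str) -> dict:
    """The three spellings used in the guide's MAC authentication examples."""
    return {
        "radius_username": digits,
        "local_list": "-".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "client_page": "-".join(digits[i:i + 4] for i in range(0, 12, 4)),
    }


def address_flags(digits: str) -> list:
    """Inspect the two low-order bits of the first octet."""
    first_octet = int(digits[:2], 16)
    flags = []
    if first_octet & 0x01:
        flags.append("group-address")         # never a client source address
    if first_octet & 0x02:
        flags.append("locally-administered")  # not a burned-in vendor address
    return flags


def build_accounts(inventory):
    """Return (accounts keyed by normalized MAC, rejected lines with reasons)."""
    accounts, rejected = {}, []
    for raw in inventory:
        try:
            digits = parse_mac(raw)
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        flags = address_flags(digits)
        if "group-address" in flags:
            rejected.append((raw, "group-address"))
            continue
        if digits in accounts:
            rejected.append((raw, "duplicate"))
            continue
        entry = notations(digits)
        entry["radius_password"] = digits  # the guide sets password = username
        entry["warnings"] = flags
        accounts[digits] = entry
    return accounts, rejected


if __name__ == "__main__":
    accounts, rejected = build_accounts(CONSTRUCTED_INVENTORY)
    for entry in accounts.values():
        print(entry)
    for raw, reason in rejected:
        print("rejected", raw, reason)
```

A locally-administered warning usually means the client is presenting a software-assigned address, so an entry keyed on it will stop matching when the address changes.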
On the device, configure the shared key as expert, and configure the device to remove the domain name of a username before sending it to the RADIUS server. The IP address of the device is 10.18.1.1. Figure 81 Network diagram Configuring the router 1. Configure wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b. Click Add. c.
Figure 83 Configuring security settings 3. Enable the wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b. On the page that appears, select the dot1x option, and click Enable. 4. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
Figure 84 Adding access device 2. Add a service: a. Click the Service tab. b. Select User Access Manager > Service Configuration from the navigation tree. c. Click Add. d. On the page that appears, set the service name to dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN as the Certificate Sub-Type, and click OK. Figure 85 Adding a service 3. Add an account: a. Click the User tab. b. Select User > All Access Users from the navigation tree. c. Click Add.
d. On the page that appears, enter username user, set the account name user and password dot1x, select the service dot1x, and click OK. Figure 86 Adding an account Verifying the configuration • After you enter username user and password dot1x in the popup dialog box, the client can associate with the device and access the WLAN. • You can view the online clients by selecting Interface Setup > Wireless > Summary from the navigation tree, and then clicking the Client tab. 802.
Figure 88 Creating a wireless service 2. Enable the wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b. Select the 11nservice option, and click Enable. Figure 89 Enabling the wireless service 3. (Optional.) Enable 802.11n(2.4GHZ) radio. By default, 802.11n(2.4GHZ) radio is enabled. Verifying the configuration If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you can view the online clients.
Client mode The client mode enables a router to operate as a client to access the wireless network. Multiple hosts or printers in the wired network can access the wireless network through the router. Figure 90 Client mode Enabling the client mode 1. Select Interface Setup > Wireless Service > Client Mode from the navigation tree. 2. Click Connect Setup. 3. Select the radio unit to be enabled, and then click Enable.
NOTE: • Support for radio mode types depends on your device model. • You cannot enable an access service or WDS service on a radio interface with the client mode enabled. • To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target radio, and change the radio mode in the Radio Mode option. • If the 802.11(2.4GHz) client mode is used, the client can scan 802.11(2.4GHz) wireless services.
Table 58 Configuration items Item Description AuthMode Specify the network authentication mode, which can be: • Open System—Open system authentication, namely, no authentication • Shared Key—Shared key authentication, which requires the client and the device to be configured with the same shared key.
Client mode configuration example Network requirements As shown in Figure 96, the router accesses the wireless network as a client. The Ethernet interface of the router connects to multiple hosts or printers in the wired network, and thus the wired network is connected to the wireless network through the router. • The AP accesses the wired LAN, and the router accesses the AP as a client. • The router accesses the wireless service psk by passing the RSN(CCMP)+PSK authentication.
c. Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can check the existing wireless services in the wireless service list. Figure 98 Checking the wireless service list 2. Connect the wireless service a. Click the Connect icon of the wireless service psk in the wireless service list. A SET CODE dialog box shown in Figure 99 appears. Figure 99 Setting a code b. Specify the AuthMode as RSN+PSK. c. Specify the CipherSuite as CCMP/AES. d.
Figure 100 Making sure the workgroup bridge is online • You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address 000f-e2333-5510 have been successfully associated with the AP. • The wired devices on the right (such as printers and PCs) can access the wireless network through the router. Configuration guidelines As shown in Figure 101, if the router uses two radio interfaces at the same time, the client connecting to radio 2 can access the AP through the router.
Table 59 Configuration items Item Description Radio Unit Selected radios. Radio Mode Selected radio mode. Transmit Power Maximum radio transmission power, which varies with country codes, channels, radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode. Specify the working channel of the radio, which varies with radio types and country codes. Channel auto: The working channel is automatically selected.
Item Description A-MPDU Selecting the A-MPDU option enables A-MPDU. 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput. IMPORTANT: When 802.11n radios are used in a mesh WLAN, make sure that they have the same A-MSDU configuration.
Item Description Transmit Distance Maximum coverage of a radio. ANI Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference. • Enable—Enables ANI. • Disable—Disables ANI. Client Max Count Maximum number of clients that can be associated with one radio. Maximum length of frames that can be transmitted without fragmentation.
Configuring data transmit rates Configuring 802.11a/802.11b/802.11g rates Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab. Figure 104 Setting 802.11a/802.11b/802.11g rates Table 61 Configuration items Item Description 802.11a Configure rates (in Mbps) for 802.11a. By default: • Mandatory rates—6, 12, and 24. • Supported rates—9, 18, 36, 48, and 54. • Multicast rate—Automatically selected from the mandatory rates.
Configuring 802.11n MCS Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum Modulation and Coding Scheme (MCS) index. Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab. Figure 105 Setting 802.11n rate Table 62 Configuration items Item Description Mandatory Maximum MCS Set the maximum MCS index for 802.11n mandatory rates. IMPORTANT: If you select the client dot11n-only option, you must configure the mandatory maximum MCS.
Figure 106 Displaying WLAN services bound to the radio The Noise Floor item in the table indicates various random electromagnetic waves during the wireless communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor. Displaying detailed radio information Select Interface Setup > Wireless > Summary from the navigation tree, and click the Radio tab.
Field Description channel Channel used by the interface. The keyword auto means the channel is automatically selected. If the channel is manually configured, the field will be displayed in the format of channel configured-channel. power(dBm) Transmit power of the interface (in dBm). Received: 2 authentication frames, 2 association frames Number of authentication and association frames received.
Configuring WLAN security When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless devices use the air as the transmission media, which means that the data transmitted by one device can be received by any other device within the coverage of the WLAN. To improve WLAN security, you can use white and black lists and user isolation to control user access and behavior.
Figure 108 Configuring dynamic blacklist Table 64 Configuration items Item Description Dynamic Blacklist • Enable—Enables dynamic blacklist. • Disable—Disables dynamic blacklist. IMPORTANT: Before enabling the dynamic blacklist function, select the Flood Attack Detect option in the WIDS Setup page. Lifetime Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.
Table 65 Configuration items Item Description You can configure a static blacklist in the following two ways: MAC Address Select the MAC Address option, and then add a MAC address to the static black list. Select Current Connect Client If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist. Configuring white list 1. Select Interface Setup > Wireless > Security from the navigation tree. 2.
Figure 111 Network diagram To configure user isolation: Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab. Figure 112 Configuring user isolation Table 67 Configuration items Item Description User Isolate • Enable—Enables user isolation on the AP to isolate the clients associated with it at Layer 2. • Disable—Disables the user isolation. By default, wireless user isolation is disabled.
Configuring WLAN QoS An 802.11 network offers wireless access based on the carrier sense multiple access with collision avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel contention opportunities, and all applications carried on the WLAN use the same channel contention parameters. A live WLAN, however, is required to provide differentiated access services to address diversified requirements of applications for bandwidth, delay, and jitter.
Figure 114 Enabling Wireless QoS 3. Click the icon in the Operation column for the desired radio in the AP list. Figure 115 Setting the SVP mapping AC Table 68 Configuration items Item Description Radio Selected radio. SVP Mapping Select the SVP Mapping option, and then select the mapping AC to be used by the SVP service: • AC-VO. • AC-VI. • AC-BE. • AC-BK. SVP mapping is applicable to only non-WMM client access. Setting CAC admission policy 1.
Table 69 Configuration items Item Description Client Number Users-based admission policy, namely, maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. By default, the users-based admission policy applies, with the maximum number of users being 20. Channel utilization-based admission policy, namely, the rate of the medium time of the accepted AC-VO and AC-VI traffic to the valid time during the unit time.
AC     TXOP Limit  AIFSN  ECWmin  ECWmax
AC-BE  0           3      4       6
AC-VI  94          1      3       4
AC-VO  47          1      2       3
ECWmin cannot be greater than ECWmax. On a device operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO. Setting EDCA parameters for wireless clients 1. Select Interface Setup > Wireless > Wireless QoS from the navigation tree. 2. Click the QoS Service tab. 3.
Table 73 Default EDCA parameters for clients
AC     TXOP Limit  AIFSN  ECWmin  ECWmax
AC-BK  0           7      4       10
AC-BE  0           3      4       10
AC-VI  94          2      3       4
AC-VO  47          2      2       3
ECWmin cannot be greater than ECWmax. If all clients operate in 802.11b radio mode, you are recommended to set TXOPLimit to 188 and 102 for AC-VI and AC-VO. If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, the TXOPLimit parameters in Table 73 are recommended.
Field Description QoS mode WMM indicates that QoS mode is enabled; None indicates that QoS mode is not enabled. Radio chip QoS mode Radio chip’s support for the QoS mode. Radio chip max AIFSN Maximum AIFSN allowed by the radio chip. Radio chip max ECWmin Maximum ECWmin allowed by the radio chip. Radio chip max TXOPLimit Maximum TXOPLimit allowed by the radio chip. Radio chip max ECWmax Maximum ECWmax allowed by the radio chip.
Field Description Ack Policy ACK policy adopted by an AC. CAC Indicates whether an AC is controlled by CAC: Disabled indicates that the AC is not controlled by CAC, Enabled indicates that the AC is controlled by CAC. Displaying client statistics 1. Select Interface Setup > Wireless > Wireless QoS from the navigation tree. 2. Click the Client Statistics tab. 3. Click a client name to see its details.
Field Description Uplink CAC packets Number of uplink CAC packets. Uplink CAC bytes Number of uplink CAC bytes. Downlink CAC packets Number of downlink CAC packets. Downlink CAC bytes Number of downlink CAC bytes. Downgrade packets Number of downgraded packets. Downgrade bytes Number of downgraded bytes. Discard packets Number of dropped packets. Discard bytes Number of dropped bytes. Setting rate limiting The WLAN provides limited bandwidth for each device.
Table 76 Configuration items Item Description Wireless Service Existing wireless service. Direction Inbound or outbound. • Inbound—From clients to the device. • Outbound—From the device to clients. • Both—Includes inbound (from clients to the device) and outbound (from the device to clients). Mode Rate limiting mode, dynamic or static. • Dynamic mode. • Static mode. Set the rate of the clients.
Figure 123 Enabling wireless QoS c. Select the radio unit to be configured in the list. d. Click the corresponding icon in the Operation column. e. In the Client EDCA list, select the priority type (AC_VO is taken for example here) to be modified. f. Click the corresponding icon in the Operation column. g. Select Enable from the CAC list. h. Click Apply. Figure 124 Enabling CAC a.
Verifying the configuration If the number of existing clients in the high-priority ACs plus the number of clients requesting access is smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs, which is 10 in this example, the request is allowed. Otherwise, the request is rejected. Static rate limiting configuration example Network requirements As shown in Figure 126, two clients access the WLAN through a SSID named service1.
Verifying the configuration • Client 1 and Client 2 access the WLAN through an SSID named service1. • Check that traffic from Client 1 is rate limited to around 128 kbps, so is traffic from Client 2. Dynamic rate limiting configuration example Network requirements As shown in Figure 128, clients access the WLAN through a SSID named service2. Configure all clients to share 8000 kbps of bandwidth in any direction. Figure 128 Network diagram Configuration procedure 1.
Verifying the configuration Verify the following: • When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps. • When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can each pass through at a rate as high as 4000 kbps.
Configuring advanced settings Radio frequencies for countries and regions vary based on country regulations. A district code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country code or area code for a WLAN device to meet the specific country regulations. Setting a district code Select Interface Setup > Wireless > District Code from the navigation tree.
Figure 131 Configuring channel busy test 2. Click the icon for the target AP. Figure 132 Testing busy rate of channels 3. Click Start to start the testing. Table 78 Configuration items Item Description Radio Unit Display the radio unit, which takes the value of 1 or 2. Radio Mode Display the radio mode of the router. Test time per channel Set a time period in seconds within which a channel is tested. The default value is 3 seconds.
Managing a 3G modem For 3G communications, you can connect a USB 3G modem to a router through the USB interface on the MPU of the router. The 3G modem uses a user identity module (UIM) or subscriber identity module (SIM) to access the wireless networks provided by service providers. After a 3G modem is connected to a router, you can maintain and manage the 3G modem through the Web interface of the router.
Figure 135 3G modem information (CDMA)
Table 79 3G modem information
Item: Description
Model: Model of the 3G modem.
Manufacturer: Manufacturer of the 3G modem.
Description: Description for the 3G modem.
Serial Number: Serial number of the 3G modem.
CMII ID: CMII ID of the 3G modem.
Hardware Version: Hardware version of the 3G modem.
Firmware Version: Firmware version of the 3G modem.
PRL Version: Preferred roaming list version of the 3G modem.
Online Status: 3G modem status:
• Online.
• Offline.
Table 80 SIM card information (WCDMA)
Item: Description
SIM Status: Status of the SIM card:
• OK.
• Fault.
• Absent.
IMSI: International Mobile Subscriber Identification number of the SIM card.
Table 81 UIM card information (CDMA)
Item: Description
UIM Status: State of the UIM card:
• Absent.
• Being initialized.
• Fault.
• Destructed.
• PIN code protection is disabled.
• PIN code protection is enabled. Enter the PIN code for authentication.
Item: Description
Service Status (1xRtt): Service status of the 3G network:
• Available.
• Not available.
Roaming Status (1xRtt): Roaming status:
• Home.
• Roaming.
RSSI (1xRtt): Received signal strength indication of the 3G network.
Configuring the cellular interface
1. Click the icon for the cellular interface in Figure 133.
2. On the cellular interface configuration page, click the Interface tab.
3. Configure the cellular interface as described in Table 84.
Managing the PIN Click PIN in Figure 136. Then you can manage the PIN. • PIN protection is disabled. To enable PIN protection, enter a PIN, a string of four to eight digits, and click Apply in the Enable PIN Code Protection area. Figure 137 Managing the PIN (PIN protection disabled) • PIN protection is enabled and the PIN is authenticated. To disable PIN protection, enter the PIN and click Apply in the Disable PIN Code Protection area.
Figure 139 Rebooting the 3G modem
Configuring NAT
Overview
Network Address Translation (NAT) provides a way of translating an IP address to another IP address for a packet. In practice, NAT is primarily used to allow private hosts to access public networks. With NAT, a few public IP addresses are used to translate a large number of internal IP addresses. This effectively solves the IP address depletion problem. For more information about NAT, see the Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Figure 140 Configuring dynamic NAT
Table 85 Configuration items
Item: Description
Interface: Specify an interface on which the NAT policy is to be enabled.
Translation Mode: Select an address translation mode:
• Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address. You do not need to configure any address pool for this mode.
• PAT—In this mode, both IP addresses and port numbers of packets are translated.
Configuring a DMZ host Creating a DMZ host 1. From the navigation tree, select NAT Configuration > NAT Configuration. 2. Click the DMZ HOST tab. The DMZ host configuration page appears. Figure 141 Creating a DMZ host 3. Configure the parameters as described in Table 86. 4. Click Add. Table 86 Configuration items Item Description Host IP Address Specify the internal IP address of a DMZ host. Global IP Address Specify the external IP address of a DMZ host.
Figure 142 Enabling DMZ host on an interface Configuring an internal server 1. From the navigation tree, select NAT Configuration > NAT Configuration. 2. Click the Internal Server tab. The internal server configuration page appears.
Figure 143 Configuring an internal server 3. Configure the parameters as described in Table 87. 4. Click Add. Table 87 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Protocol Specify the type of the protocol carried by IP, which can be TCP or UDP. Global IP Address Specify the public IP address for the internal server. You can use the IP address of the current interface, or manually specify an IP address.
Item: Description
Host Port: Specify the internal port number for the internal server. From the list, you can:
• Select Other and then enter a port number. If you enter 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is created.
• Select a service and the corresponding port number is provided. You cannot modify the port number displayed.
Enabling application layer protocol check
1.
Figure 145 Configuring connection limit 3. Configure the parameters as described in Table 89. 4. Click Apply. Table 89 Configuration items Item Description Enable connection limit Enable or disable connection limit. Max Connections Set the maximum number of connections that can be initiated from a source IP address.
Configuring internal hosts accessing public network 1. Configure the IP address of each interface. (Details not shown.) 2. Configure dynamic NAT on Ethernet 0/2: a. Select NAT Configuration > NAT Configuration to enter the dynamic NAT configuration page, as shown in Figure 147. b. Select Ethernet0/2 from the Interface list. c. Select PAT from the Translation Mode list. d. Enter 202.38.1.2 in the Start IP Address field. e. Enter 202.38.1.3 in the End IP Address field. f. Click Apply.
Figure 148 Configuring connection limit Internal server configuration example Network requirements A company provides one FTP server and two Web servers for external users to access. The internal network address is 10.110.0.0/16. The company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24. Specifically, the company has the following requirements: • External hosts can access the company internal servers. • 202.38.1.
Figure 150 Configuring the FTP server 2. Configure Web server 1: a. As shown in Figure 151, select Ethernet0/2 from the Interface list. b. Select the TCP option in the Protocol field. c. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. d. Select http from the Global Port list. e. Enter 10.110.10.1 in the Host IP Address field. f. Select http from the Host Port list. g. Click Apply.
Figure 151 Configuring Web server 1 3. Configure Web server 2: a. Click Add in the internal server configuration page. b. As shown in Figure 152, select Ethernet0/2 from the Interface list. c. Select the TCP option in the Protocol field. d. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. e. Enter 8080 in the Global Port field. f. Enter 10.110.10.2 in the Host IP Address field. g. Enter 8080 in the Host Port field. h. Click Apply.
Figure 152 Configuring Web server 2
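The internal server table built in this example can be reviewed offline before it is applied. The following Python sketch is an added example, not code from the guide or the router: it models the two Web server entries above plus one constructed entry that uses host port 0, looks up where an inbound packet would be forwarded, and reports entries that expose every service on a host. The tuple layout, the finding names, and the rule that an exact port entry wins over a port-0 static binding are assumptions of this sketch.

```python
import ipaddress
from collections import Counter, namedtuple

# One row of the Internal Server tab (field layout is this sketch's own).
Mapping = namedtuple("Mapping", "iface proto global_ip global_port host_ip host_port")

INTERNAL_NET = ipaddress.ip_network("10.110.0.0/16")  # from the network requirements

TABLE = [
    # The two Web server entries from the configuration example.
    Mapping("Ethernet0/2", "TCP", "202.38.1.1", 80, "10.110.10.1", 80),
    Mapping("Ethernet0/2", "TCP", "202.38.1.1", 8080, "10.110.10.2", 8080),
    # Constructed entry: host port 0 creates a plain static binding.
    Mapping("Ethernet0/2", "TCP", "202.38.1.2", 0, "10.110.10.9", 0),
]


def translate(table, proto, dst_ip, dst_port):
    """Return (host_ip, host_port) for an inbound packet, or None if no entry
    applies. Assumption: a port-specific entry is preferred over a port-0
    static binding, and a static binding keeps the destination port."""
    exact = wildcard = None
    for m in table:
        if (m.proto, m.global_ip) != (proto, dst_ip):
            continue
        if m.host_port == 0:
            wildcard = wildcard or (m.host_ip, dst_port)
        elif m.global_port == dst_port:
            exact = exact or (m.host_ip, m.host_port)
    return exact or wildcard


def audit(table, internal_net):
    """Return (finding, row_index) pairs worth reviewing before applying."""
    findings = []
    seen = Counter((m.iface, m.proto, m.global_ip, m.global_port) for m in table)
    for i, m in enumerate(table):
        if m.host_port == 0:
            # Every service on the host becomes reachable from outside.
            findings.append(("all-services", i))
        if seen[(m.iface, m.proto, m.global_ip, m.global_port)] > 1:
            findings.append(("duplicate-global", i))
        if ipaddress.ip_address(m.host_ip) not in internal_net:
            findings.append(("host-outside-lan", i))
    return findings


if __name__ == "__main__":
    for finding, row in audit(TABLE, INTERNAL_NET):
        print(finding, TABLE[row])
    print(translate(TABLE, "TCP", "202.38.1.1", 8080))
```
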
Configuring access control Access control allows you to control access to the Internet from the LAN by setting the time range, IP addresses of computers in the LAN, port range, and protocol type. All data packets matching these criteria will be denied access to the Internet. You can configure up to ten access control policies. They are matched in ascending order of sequence number. The comparison stops immediately after the system finds one match.
Table 90 Configuration items Item Description Begin-End Time Set the time range of a day for the rule to take effect. The start time must be earlier than the end time. Week Select the days of a week for the rule to take effect. IMPORTANT: Set both types of time ranges or set neither of them. To set neither of them, make sure the Begin-End Time is 00:00 - 00:00 and no days of a week are selected. Setting neither of them means it takes effect all the time.
Figure 154 Network diagram
Configuration procedure
# Configure an access control policy to prohibit Host A through Host C from accessing the Internet during work time.
• Select Security Setup > Access from the navigation tree.
Figure 155 Configure an access control policy
• Set the Begin-End Time to 09:00 - 18:00.
• Select the boxes for Monday to Friday.
• Select IP as the Protocol.
• Enter source IP address range 10.1.1.1 - 10.1.1.3.
• Click Apply.
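The matching rules described in this chapter (deny on match, ascending sequence number, stop at the first match, time range set fully or not at all) can be checked against a planned policy set before it is entered. The Python model below is an added example, not the router's implementation. Policy 1 is the work-time policy configured above; its sequence number, the whole of policy 2, the treatment of the port range as destination ports, and the inclusive-begin/exclusive-end boundary are assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

MAX_POLICIES = 10      # the guide allows up to ten access control policies
MIDNIGHT = time(0, 0)


@dataclass(frozen=True)
class Policy:
    seq: int                       # lower sequence numbers are compared first
    src_first: str                 # first LAN address of the source range
    src_last: str                  # last LAN address of the source range
    protocol: str = "IP"           # "IP" covers every protocol, else "TCP"/"UDP"
    ports: tuple = None            # (low, high); assumed to be destination ports
    begin: time = MIDNIGHT
    end: time = MIDNIGHT
    days: frozenset = frozenset()  # weekday numbers, Monday = 0

    def __post_init__(self):
        if self.always_on:
            return
        # Table 90: set both kinds of time range or neither; begin before end.
        if not self.days or not self.begin < self.end:
            raise ValueError(f"policy {self.seq}: incomplete or inverted time range")

    @property
    def always_on(self):
        # 00:00 - 00:00 with no weekday selected means "all the time".
        return self.begin == self.end == MIDNIGHT and not self.days

    def active_at(self, when):
        if self.always_on:
            return True
        # Assumption: begin time inclusive, end time exclusive.
        return when.weekday() in self.days and self.begin <= when.time() < self.end

    def matches(self, src, protocol, dport, when):
        addr = ipaddress.ip_address(src)
        first = ipaddress.ip_address(self.src_first)
        last = ipaddress.ip_address(self.src_last)
        if not first <= addr <= last:
            return False
        if self.protocol != "IP" and self.protocol != protocol:
            return False
        if self.ports is not None and not self.ports[0] <= dport <= self.ports[1]:
            return False
        return self.active_at(when)


def evaluate(policies, src, protocol, dport, when):
    """Return the sequence number of the first policy that denies the packet,
    or None when nothing matches and the packet may reach the Internet."""
    if len(policies) > MAX_POLICIES:
        raise ValueError("more than ten access control policies")
    for policy in sorted(policies, key=lambda p: p.seq):
        if policy.matches(src, protocol, dport, when):
            return policy.seq  # the comparison stops at the first match
    return None


WORKDAYS = frozenset(range(5))  # Monday to Friday

POLICIES = [
    # Constructed: block Telnet from the whole LAN at all times.
    Policy(seq=2, src_first="10.1.1.1", src_last="10.1.1.254",
           protocol="TCP", ports=(23, 23)),
    # The guide's example: Host A through Host C, 09:00 - 18:00, Monday to Friday.
    Policy(seq=1, src_first="10.1.1.1", src_last="10.1.1.3",
           begin=time(9, 0), end=time(18, 0), days=WORKDAYS),
]

if __name__ == "__main__":
    wednesday = datetime(2014, 1, 29, 10, 30)
    saturday = datetime(2014, 2, 1, 10, 30)
    print(evaluate(POLICIES, "10.1.1.2", "TCP", 80, wednesday))
    print(evaluate(POLICIES, "10.1.1.2", "TCP", 80, saturday))
```

Because every policy denies what it matches, the order decides which policy is reported as the match, not whether the packet is denied.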
Configuring URL filtering The URL filtering function allows you to deny access to certain Internet Web pages from the LAN by setting the filter types and the filtering conditions. The URL filtering function applies to only the outbound direction of WAN interfaces. Configuration procedure Select Security Setup > URL Filtering from the navigation tree to enter the page as shown in Figure 156.
Table 92 Configuration items
Item: Description
Filtering by: Set the filter type:
• Blacklist—Denies URLs that match the filtering conditions. URLs that do not match the filtering conditions are permitted.
• Whitelist—Permits URLs that match the filtering conditions. URLs that do not match the filtering conditions are denied.
By default, the filter type is Blacklist.
URL: Add a URL filtering entry. You can enter a URL address or a regular expression.
Figure 158 Configure the URL filtering function
Configuring attack protection You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure intrusion detection in the Web interface. Overview Attack protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack.
Table 93 Types of single-packet attacks Single-packet attack Description Fraggle A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address. This will cause a large quantity of responses in the network, using up the network bandwidth of the subnet or crashing the target host.
Protection against scanning attacks
Scanning attackers use scanning tools to scan host addresses and ports in a network to find possible targets and the services enabled on them and to work out the network topology, in preparation for further attacks on the target hosts. The scanning attack protection function takes effect only on incoming packets. It monitors the rate at which an IP address initiates connections to destination systems.
Step Remarks 3. You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically. For configuration of scanning attack protection, see "Configuring intrusion detection." Adding a blacklist entry manually By default, no blacklist entry exists.
Figure 160 Add a blacklist entry Table 94 Configuration items Item Description IP Address Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8. Hold Time Configure the entry as a non-permanent entry and specify the hold time of the blacklist entry. Permanence Configure the entry as a permanent entry.
and then select the specific attack protection functions to be enabled. Then, click Apply to finish the configuration. Figure 161 Intrusion detection configuration page On MSR20/30/50/93X/1000 routers Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 162. Click Add to enter the page for adding a new intrusion detection policy, as shown in Figure 163. Select an interface and select the attack protection functions to be enabled, and then click Apply.
Figure 163 Add an intrusion detection policy Attack protection configuration examples Attack protection configuration example for MSR900/20-1X Network requirements As shown in Figure 164, internal users Host A, Host B, and Host C access the Internet through Router. The network security requirements are as follows: • Router always drops packets from Host D, an attacker. • Router denies packets from Host C for 50 minutes for temporary access control of Host C.
Figure 164 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Enable the blacklist function. • Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the following configurations, as shown in Figure 165. Figure 165 Enabling the blacklist function • Select the box before Enable Blacklist. • Click Apply. # Add blacklist entries manually.
• Enter IP address 5.5.5.5, the IP address of Host D. • Select Permanence for this blacklist entry. • Click Apply. • Click Add and then perform the following configurations, as shown in Figure 167: Figure 167 Adding a blacklist entry for Host C • Enter IP address 192.168.1.5, the IP address of Host C. • Select Hold Time and set the hold time of this blacklist entry to 50 minutes. • Click Apply.
• Select Enable Attack Defense Policy. • Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack Detection, and Add Source IP Address to the Blacklist. Clear all other options. • Click Apply. Verifying the configuration • Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist. • Router drops all packets from Host D unless you remove Host D from the blacklist. • Router drops packets from Host C within 50 minutes.
Figure 170 Enabling the blacklist function • Select the box before Enable Blacklist. • Click Apply. # Add blacklist entries manually. • Click Add and then perform the following configurations, as shown in Figure 171: Figure 171 Adding a blacklist entry for Host D • Enter IP address 5.5.5.5, the IP address of Host D. • Select Permanence for this blacklist entry. • Click Apply.
• Enter IP address 192.168.1.5, the IP address of Host C. • Select Hold Time and set the hold time of this blacklist entry to 50 minutes. • Click Apply. # Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist function for it; enable Land attack protection and Smurf attack protection. • Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree. Click Add and then perform the following configurations, as shown in Figure 173.
• Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops the attack packet.
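The behaviour verified in these two examples (a permanent entry for Host D, a 50-minute entry for Host C, and automatic blacklisting of a detected scanner) can be modelled to reason about expiry and thresholds. The Python sketch below is an added example, not the router's implementation. The connection-rate threshold, the one-second window, the 10-minute automatic hold time and the scanner address 198.51.100.7 are constructed values, since this section does not state the device's thresholds.

```python
import ipaddress
from collections import defaultdict, deque

# Ranges Table 94 rejects for a blacklist entry. A subnet broadcast address
# cannot be recognised without the subnet mask, so it is not checked here.
REJECTED = [
    ipaddress.ip_network("224.0.0.0/4"),  # class D
    ipaddress.ip_network("240.0.0.0/4"),  # class E, which contains 255.0.0.0/8
    ipaddress.ip_network("127.0.0.0/8"),
]


class Blacklist:
    def __init__(self):
        self._entries = {}  # address -> expiry in seconds, None = permanent

    def add(self, ip, now, hold_minutes=None):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in REJECTED):
            raise ValueError(f"{ip} cannot be added to the blacklist")
        if self._entries.get(addr, 0) is None:
            return  # choice made in this model: keep an existing permanent entry
        self._entries[addr] = None if hold_minutes is None else now + hold_minutes * 60

    def is_blocked(self, ip, now):
        addr = ipaddress.ip_address(ip)
        if addr not in self._entries:
            return False
        expiry = self._entries[addr]
        if expiry is None:
            return True
        if now >= expiry:
            del self._entries[addr]  # hold time elapsed, the entry ages out
            return False
        return True


class ScanDetector:
    """Counts connection initiations per source in a sliding window and
    blacklists a source that exceeds the threshold."""

    def __init__(self, blacklist, max_new_conns, window_s, hold_minutes):
        self.blacklist = blacklist
        self.max_new_conns = max_new_conns
        self.window_s = window_s
        self.hold_minutes = hold_minutes
        self._seen = defaultdict(deque)

    def observe(self, src_ip, now):
        """Handle one incoming connection attempt; return 'drop' or 'pass'."""
        if self.blacklist.is_blocked(src_ip, now):
            return "drop"
        recent = self._seen[src_ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()
        if len(recent) > self.max_new_conns:
            self.blacklist.add(src_ip, now, self.hold_minutes)
            del self._seen[src_ip]
            return "drop"
        return "pass"


def replay(events, detector):
    """events: (time_s, source_ip) pairs seen on the protected interface."""
    return [detector.observe(src, t) for t, src in events]


def build_example():
    bl = Blacklist()
    bl.add("5.5.5.5", now=0)                       # Host D, permanent
    bl.add("192.168.1.5", now=0, hold_minutes=50)  # Host C, 50 minutes
    # Constructed detection parameters.
    return bl, ScanDetector(bl, max_new_conns=10, window_s=1.0, hold_minutes=10)


if __name__ == "__main__":
    bl, detector = build_example()
    burst = [(100 + i * 0.01, "198.51.100.7") for i in range(15)]  # constructed
    print(replay(burst, detector))
    print(bl.is_blocked("192.168.1.5", 2999), bl.is_blocked("192.168.1.5", 3000))
```
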
Configuring application control You can load applications, configure a custom application, and enable application control in the Web interface. Application control allows you to control which applications and protocols users can access on the Internet by specifying the destination IP address, protocol, operation type, and port. Application control can be based on a group of users or all users in a LAN. This chapter describes the application control based on all users.
Figure 174 Loading applications Configuring a custom application Select Security Setup > Application Control from the navigation tree, and then select the Custom Application tab to enter the custom application list page, as shown in Figure 175. Click Add to enter the page for configuring a custom application, as shown in Figure 176.
Table 96 Configuration items Item Description Application Name Specify the name for the custom application. Protocol Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP carried protocols. IP Address Specify the IP address of the server of the applications to be controlled. Match Rule Start Port Port Specify the port numbers of the applications to be controlled.
Application control configuration example
Network requirements
As shown in Figure 178, internal users access the Internet through Router. Configure application control on Router, so that no user can use MSN.
Figure 178 Network diagram
Configuration procedure
# Load the application control file (assume that signature file p2p_default.mtd, which can prevent the use of MSN, is stored on the device).
• Select Security Setup > Application Control from the navigation tree.
Figure 180 Loaded applications # Enable application control. • Click the Application Control tab and then perform the following configurations, as shown in Figure 181. Figure 181 Configuring application control • Select MSN from the Loaded Applications area. • Click Apply.
Webpage redirection configuration Overview With webpage redirection configured on an interface, a user accessing a webpage through the interface for the first time is forcibly led to the specified webpage, which means the web access request of the user is redirected to the specified URL. After that, the user can access network resources correctly. If the user sends a web access request after a specified time interval, the specified webpage is displayed again.
Table 97 Configuration items Item Description Interface Select an interface on which webpage redirection is to be enabled. Redirection URL Type the address of the webpage to be displayed, which means the URL to which the web access request is redirected. For example, http://192.0.0.1. Interval Type the time interval at which webpage redirection is triggered.
Configuring routes The term "router" in this chapter refers to both routers and Layer 3 switches. This chapter mainly describes IPv4 route configuration. You can perform the following route configurations through the Web interface: • Create a static route. • Display the active route table. Overview Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path.
Figure 184 Static route configuration page 3. Configure static routes as described in Table 98. Table 98 Configuration items Item Description Destination IP Address Enter the destination IP address of the static route, in dotted decimal notation. Mask Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation. Enter a preference value for the static route. The smaller the number, the higher the preference.
Figure 185 Active route table Table 99 Field description Field Description Destination IP Address Destination IP address of the route. Mask Mask of the destination IP address. Protocol Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols. Preference Preference for the route. Next Hop Next hop address of the route. Interface Output interface of the route.
Figure 186 Network diagram Configuration considerations 1. Configure a default route with Router B as the next hop on Router A. 2. On Router B, configure one static route with Router A as the next hop and the other with Router C as the next hop. 3. Configure a default route with Router B as the next hop on Router C. Configuration procedure 1. Configure the IP addresses of the interfaces. (Details not shown.) 2. Configure a default route on Router A: a.
a. Select Advanced > Route Setup from the navigation tree of Router B. b. Click the Create tab. c. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop. d. Click Apply. e. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop. f. Click Apply. The newly created static route is listed at the lower part of the page. 4. Configure a default route on Router C: a. Select Advanced > Route Setup from the navigation tree of Router C. b. Click the Create tab. c.
Configuration guidelines When you configure a static route, follow these guidelines: • If you do not specify the preference, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. The Web interface does not support configuration of the default preference.
Configuring user-based load sharing You can configure user-based load sharing through the Web interface. Overview A routing protocol can have multiple equal-cost routes to the same destination. These routes have the same preference, and are all used to accomplish load sharing if no route with a higher preference is available. The device supports user-based load sharing based on the user information (source IP addresses) of packets. Configuration procedure 1.
Table 100 Configuration items
Item: Description
Interface: This field displays the name of the interface on which user-based load sharing is configured.
Status of user-based-sharing: Set whether or not to enable user-based load sharing on the interface.
Bandwidth: Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface.
Configuring traffic ordering You can do the following to configure traffic ordering on the Web interface: • Setting the traffic ordering interval • Specifying the traffic ordering mode • Displaying internal interface traffic ordering statistics • Displaying external interface traffic ordering statistics Overview When multiple packet flows (classified by their source addresses) are received or sent by a device, you can configure IP traffic ordering on the device to collect statistics of the flows in
Setting the traffic ordering interval Select Advanced > Traffic Ordering from the navigation tree to enter the default configuration page. You can set the interval for collecting traffic statistics in the lower part of the page. Figure 190 Traffic ordering configuration page Specifying the traffic ordering mode Select Advanced > Traffic Ordering from the navigation tree. You can view and configure the interface for collecting traffic statistics in the upper part of the page.
Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and then click Refresh to display the list as needed. Figure 191 Internal interface traffic ordering statistics page Displaying external interface traffic ordering statistics Select Advanced > Traffic Ordering from the navigation tree and click the Statistics of External Interfaces page.
Configuring DNS Overview Domain Name System (DNS) is a distributed database that provides TCP/IP applications with the mappings between host names and IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the DNS server translate them into correct IP addresses. For more information about DNS, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Configuring DNS proxy
Task: Remarks
Enabling DNS proxy: Required. Enable DNS proxy on the device. Disabled by default.
Specifying a DNS server: Required. Not specified by default. You can specify up to six DNS servers.
Enabling dynamic domain name resolution
1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 193.
2. Select Enable for Dynamic DNS.
3. Click Apply.
Clearing the dynamic domain name cache 1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 193. 2. Select the Clear Dynamic DNS cache box. 3. Click Apply. Specifying a DNS server 1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 193. 2. Click Add IP to enter the page as shown in Figure 194. Figure 194 Adding a DNS server address 3.
Table 102 Configuration items Item Description DNS Domain Name Suffix Configure a domain name suffix. 4. Click Apply. Domain name resolution configuration example Network requirements As shown in Figure 196, Router B serves as a DNS client and Router A is specified as a DNS server. Dynamic domain name resolution and the domain name suffix are configured on Router B, and therefore Router B can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/24.
Figure 197 Creating a zone 3. Create a mapping between the host name and the IP address: a. In Figure 198, right-click zone com. b. Select New Host to bring up a dialog box as shown in Figure 199. c. Enter host name host and IP address 3.1.1.1.
Figure 199 Adding a mapping between domain name and IP address Configuring the DNS proxy (Router A) 1. Enable DNS proxy on Router A: a. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 200. b. Select Enable for DNS Proxy. c. Click Apply. Figure 200 Enabling DNS proxy on Router A 2. Specify the DNS server address: a. Click Add IP to enter the page as shown in Figure 201. b. Enter 4.1.1.1 in DNS Server IP Address. c. Click Apply.
Figure 201 Specifying a DNS server address Configuring the DNS client (Router B) 1. Enable dynamic domain name resolution: a. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 202. b. Select Enable for Dynamic DNS. c. Click Apply. Figure 202 Enabling dynamic domain name resolution 2. Specify the DNS server address: a. Click Add IP to enter the page as shown in Figure 203. b. Enter 2.1.1.2 in DNS Server IP Address. c.
Figure 203 Specifying the DNS server address 3. Configure the domain name suffix: a. Click Add Suffix to enter the page as shown in Figure 204. b. Enter com in DNS Domain Name Suffix. c. Click Apply. Figure 204 Configuring DNS domain name suffix Verifying the configuration Select Other > Diagnostic Tools from the navigation tree and click the Ping tab. Use the ping host command to verify that the communication between Router B and the host is normal and that the corresponding destination IP address is 3.
Configuring DDNS Overview Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
Configuration prerequisites • Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. • Specify the primary IP address of the interface and make sure the DDNS server and the interface can reach each other. • Configure static or dynamic domain name resolution to translate the domain name of the DDNS server into its IP address. Configuration procedure 1.
Item: Description
Settings
Server Name: Specify the server name of the DDNS server for domain name resolution.
IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org. If the server provider is PeanutHull, the server name is phservice2.oray.net. Use the default server name for the server provider 3322.org. The server provider PeanutHull can use phservice2.oray.net, phddns60.oray.
Figure 208 Network diagram
Configuring DDNS on the router
Before configuring DDNS on Router, register at http://www.3322.org/ (username steven and password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and make sure the devices can reach each other.
1. Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1. (Details not shown.)
2. Configure DDNS:
a.
After the preceding configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.
Configuring DHCP Introduction to DHCP The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. DHCP uses the client/server model. Figure 210 shows a typical DHCP application. Figure 210 A typical DHCP application A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent, as shown in Figure 211.
Recommended configuration procedure Configuring the DHCP server Task Remarks Required. Configuration guidelines Enable DHCP globally. Disabled by default. Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default.
Task Remarks Required. Configuring a DHCP server group To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all the DHCP servers of the group. Required. For the detailed configuration, see "Configuring DHCP interface setup." By default, the interface works as DHCP server.
Figure 212 DHCP Enable Table 104 Configuration items Item Description DHCP Enable or disable DHCP globally. Configuring DHCP interface setup 1. Select Advanced > DHCP Setup from the navigation tree. 2. Click the DHCP Interface Setup tab. The DHCP interface setup configuration page appears, as shown in Figure 213. Figure 213 DHCP interface setup 3. Configure the DHCP interface setup as described in Table 105. 4. Click Apply.
Item: Description
DHCP server group: Correlate the relay agent interface with a DHCP server group. You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection.
Configuring a static address pool for the DHCP server
1. Select Advanced > DHCP Setup from the navigation tree.
2. Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown in Figure 213.
3.
Figure 214 Static address pool setup for the DHCP server 5. Configure the static address pool for the DHCP server as described in Table 106. 6. Click Apply. Table 106 Configuration items Item Description Pool Name Name of the static DHCP address pool. Address Allocation Mode: Static Binding Specify the static address allocation mode for the DHCP address pool.
Item: Description
IP Address / Subnet Mask: IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified.
IMPORTANT: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts might occur, and the client cannot obtain the IP address.
MAC Address: A client's MAC address of the static binding.
Specify a domain name suffix for the DHCP client.
Figure 215 Dynamic address pool setup for the DHCP server 5. Configure the dynamic address pool for the DHCP server as described in Table 107. 6. Click Apply. Table 107 Configuration items Item Description Pool Name Name of the dynamic DHCP address pool. Address Allocation Mode: Dynamic Allocation Specify the dynamic address allocation mode for the DHCP address pool. IP Address Specify an IP address for dynamic address allocation. A natural mask is adopted if no subnet mask is specified.
Item Description
Subnet Mask: IMPORTANT: Make sure the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation.
Lease Duration: Specify the lease for IP addresses to be assigned. NOTE:
• If the lease has an end time specified later than the year 2106, the system considers it an expired lease.
• The lease duration does not have the inherit attribute.
Specify a domain name suffix for the DHCP client.
Figure 216 IP address excluded from dynamic allocation setup
5. Configure IP addresses excluded from dynamic allocation as described in Table 108.
6. Click Apply.
Table 108 Configuration items
Item Description
Start IP Address: Specify the lowest IP address excluded from dynamic allocation.
End IP Address: Specify the highest IP address excluded from dynamic allocation. The end IP address must not be lower than the start IP address.
Figure 217 DHCP server group setup
5. Configure DHCP server group as described in Table 109.
6. Click Apply.
Table 109 Configuration items
Item Description
Group ID: DHCP server group ID. You can create at most 20 DHCP server groups.
Server IP Address: Specifies the DHCP server IP addresses for the DHCP server group. IMPORTANT: The IP address of a DHCP server cannot be on the same network segment as that of the DHCP relay agent interface. Otherwise, DHCP clients might fail to obtain IP addresses.
DHCP configuration example without DHCP relay agent Network requirements The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25 respectively. In subnet 10.1.1.0/25, the lease is ten days and twelve hours, the domain name suffix is aabbcc.com, the DNS server address is 10.1.1.2/25, and the gateway address is 10.1.1.126/25.
Figure 219 Enabling DHCP 3. Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on interface Ethernet 0/1. Details not shown.) 4. Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B: a. Click the DHCP Interface Setup tab. b. Select the Server option in the Type field and expand the Assignable IP Addresses node. c. Enter pool-static in the Pool Name field and select the Static Binding option in the Address Allocation Mode field. d.
Figure 220 DHCP static address pool configuration 5. Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS server address): a. Enter pool0 in the Pool Name field, as shown in Figure 221. b. Select the Dynamic Allocation option in the Address Allocation Mode field. c. Enter 10.1.1.0 in the IP Address field and select the Subnet Mask box, and then enter 255.255.255.0. d. Select the Domain Name box, and then enter aabbcc.com. e.
Figure 221 DHCP address pool 0 configuration
6. Configure DHCP address pool 1 (including the address range, lease duration, and gateway address):
a. Enter pool1 in the Pool Name field, as shown in Figure 222.
b. Select Dynamic Allocation in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field.
d. Select the Subnet Mask box, and then enter 255.255.255.128.
e. Set the Lease Duration to 10 days, 12 hours, and 0 minutes.
f. Select the Gateway IP Address box, and then enter 10.1.1.126.
Figure 222 DHCP address pool 1 configuration 7. Configure DHCP address pool 2 (including the address range, lease duration and gateway IP address): a. Enter pool2 in the Pool Name field, as shown in Figure 223. b. Select the Dynamic Allocation option in the Address Allocation Mode field. c. Enter 10.1.1.128 in the IP Address field. d. Select the Subnet Mask box, and then enter 255.255.255.128. e. Set the Lease Duration to 5 days, 0 hours, and 0 minutes. f.
Figure 223 DHCP address pool 2 configuration 8. Exclude IP addresses from dynamic allocation (DNS server and gateway addresses): a. Expand the Forbidden IP Addresses node. b. Enter 10.1.1.2 in the Start IP Address field, enter 10.1.1.2 in the End IP Address field, click Apply, enter 10.1.1.126 in the Start IP Address field, as shown in Figure 224, enter 10.1.1.126 in the End IP Address field, click Apply, enter 10.1.1.254 in the Start IP Address field, as shown in Figure 224, and enter 10.1.1.
Figure 224 Excluding IP addresses from dynamic allocation Configuring the DHCP client (Router B) To enable the DHCP client on interface Ethernet 0/1: 1. Select Advanced > DHCP Setup from the navigation tree, and then click the DHCP Interface Setup tab. 2. Select Ethernet0/1 from the Interface list. 3. Select the Client option in the Type field. 4. Click Apply.
Figure 225 Enabling the DHCP client on interface Ethernet 0/1 DHCP relay agent configuration example Network requirements Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients reside. The IP address of Ethernet 0/1 is 10.10.1.1/24 and IP address of Ethernet 0/2 is 10.1.1.2/24 that connects to the DHCP server 10.1.1.1/24 (Router B). Router A forwards DHCP messages so that the DHCP clients on the network segment 10.10.1.
b. Select the Enable option in the DHCP field. c. Click Apply. Figure 227 DHCP enable 3. Create a DHCP server group: a. Click the DHCP Interface Setup tab. b. Select Ethernet0/1 from the Interface list. c. Select the Relay option in the Type field. d. Expand the Add DHCP Server Group node. e. Enter 1 in the Group ID field. f. Enter 10.1.1.1 in the Server IP Address field. g. Click Apply. Figure 228 DHCP server group creating 4. Enable the DHCP relay agent on interface Ethernet 0/1.
a. Select 1 from the DHCP Server Group list.
b. Click Apply.
Figure 229 The page for enabling the DHCP relay agent on interface Ethernet 0/1
Configuring the DHCP server (Router B)
1. Specify addresses for interfaces. (Details not shown.)
2. Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree of Router B. The default DHCP Enable tab appears, as shown in Figure 230.
b. Select the Enable option in the DHCP field.
c. Click Apply.
Figure 230 Enable DHCP
3.
c. Enter pool1 in the Pool Name field and select the Dynamic Allocation option in the Address Allocation Mode field. d. Enter 10.10.1.0 in the IP Address field, select the Subnet Mask box, and then enter 255.255.255.0. e. Set the Lease Duration to 7 days, 0 hours, and 0 minutes. f. Select the Domain Name box, and then enter aabbcc.com. g. Select the Gateway IP Address box, and then enter 10.10.1.126. h. Select the Primary DNS Server box, and then enter 10.10.1.2. i. Click Apply.
Figure 232 IP address excluded from dynamic allocation configuration Configure the DHCP client (Router C) To enable the DHCP client on interface Ethernet 0/1: 1. Select Advanced > DHCP Setup from the navigation tree. 2. Click the DHCP Interface Setup tab. 3. Select Ethernet0/1 in the Interface field. 4. Select the Client option in the Type field. 5. Click Apply.
Figure 233 Enabling the DHCP client on interface Ethernet 0/1
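The address constraints stated in Tables 106 through 109 and in the first DHCP configuration example can be checked before the values are typed into the Web interface. The following Python script is an added example, not part of the HP guide or the router software; the plan dictionary layout and all function names are assumptions, and BROKEN_PLAN is constructed to violate each rule.

```python
import ipaddress as ipa

def natural_prefix(ip):
    """Classful ("natural") prefix length, applied when no subnet mask is entered."""
    first_octet = int(ipa.IPv4Address(ip)) >> 24
    for limit, prefix in ((128, 8), (192, 16), (224, 24)):
        if first_octet < limit:
            return prefix
    raise ValueError(f"{ip} has no natural mask (class D or E)")

def pool_network(ip, mask=None):
    """Network covered by a pool; falls back to the natural mask."""
    return ipa.IPv4Network(f"{ip}/{mask or natural_prefix(ip)}", strict=False)

def check_plan(plan):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    server_ifs = [ipa.IPv4Interface(a) for a in plan.get("server_interfaces", [])]
    relay_ifs = [ipa.IPv4Interface(a) for a in plan.get("relay_interfaces", [])]

    # Table 108: the end address must not be lower than the start address.
    excluded = []
    for start, end in plan.get("excluded", []):
        s, e = ipa.IPv4Address(start), ipa.IPv4Address(end)
        if e < s:
            findings.append(f"excluded range {start}-{end}: end is lower than start")
        else:
            excluded.append((s, e))

    # Table 106: a static binding cannot be the DHCP server interface address.
    for ip in plan.get("static_bindings", []):
        if any(ipa.IPv4Address(ip) == i.ip for i in server_ifs):
            findings.append(f"static binding {ip} is a DHCP server interface address")

    for name, pool in plan.get("dynamic_pools", {}).items():
        net = pool_network(pool["ip"], pool.get("mask"))
        # Table 107: the pool must share a segment with a server or relay interface.
        if not any(i.ip in net for i in server_ifs + relay_ifs):
            findings.append(f"{name}: {net} holds no server or relay interface address")
        # Example step 8: gateway and DNS addresses are excluded from allocation.
        for role in ("gateway", "dns"):
            if role in pool:
                addr = ipa.IPv4Address(pool[role])
                if addr in net and not any(s <= addr <= e for s, e in excluded):
                    findings.append(f"{name}: {role} {addr} is not excluded from allocation")

    # Table 109: a DHCP server cannot sit on the relay agent interface's segment.
    for server in plan.get("relay_servers", []):
        if any(ipa.IPv4Address(server) in i.network for i in relay_ifs):
            findings.append(f"relay server {server} is on a relay interface segment")
    return findings

# Values taken from the example without a relay agent (Router A).
PAGE_PLAN = {
    "server_interfaces": ["10.1.1.1/25", "10.1.1.129/25"],
    "static_bindings": ["10.1.1.5"],
    "dynamic_pools": {
        "pool0": {"ip": "10.1.1.0", "mask": "255.255.255.0", "dns": "10.1.1.2"},
        "pool1": {"ip": "10.1.1.0", "mask": "255.255.255.128", "gateway": "10.1.1.126"},
        "pool2": {"ip": "10.1.1.128", "mask": "255.255.255.128"},
    },
    "excluded": [("10.1.1.2", "10.1.1.2"), ("10.1.1.126", "10.1.1.126")],
}

# Values taken from the relay agent example (Router A as relay, Router B as server).
RELAY_PLAN = {"relay_interfaces": ["10.10.1.1/24"], "relay_servers": ["10.1.1.1"]}

# Constructed plan that breaks every rule once.
BROKEN_PLAN = {
    "server_interfaces": ["192.168.1.1/24"],
    "relay_interfaces": ["192.168.2.1/24"],
    "static_bindings": ["192.168.1.1"],
    "dynamic_pools": {"lan": {"ip": "192.168.3.0", "gateway": "192.168.3.1"}},
    "excluded": [("192.168.3.9", "192.168.3.5")],
    "relay_servers": ["192.168.2.10"],
}

if __name__ == "__main__":
    for label, plan in (("page", PAGE_PLAN), ("relay", RELAY_PLAN), ("broken", BROKEN_PLAN)):
        print(label, check_plan(plan) or "OK")
```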
Configuring ACLs The Web interface provides the following ACL configuration functions: • Configuring an IPv4 ACL • Configuring a rule for a basic IPv4 ACL • Configuring a rule for an advanced IPv4 ACL • Configuring a rule for an Ethernet frame header ACL Overview An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number. ACLs are essentially used for packet filtering.
Configuration guidelines When you configure an ACL, follow these guidelines: • You cannot create a rule with or modify a rule to have the same permit/deny statement as an existing rule in the ACL. • You can only modify the existing rules of an ACL that uses the match order of config. When you modify a rule of such an ACL, you can choose to change just some of the settings, in which case the other settings remain the same.
Configuring a rule for a basic IPv4 ACL
Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Basic Config tab to enter the rule configuration page for a basic IPv4 ACL.
Figure 235 The page for configuring a basic IPv4 ACL
Table 112 Configuration items
Item Description
ACL: Select the basic IPv4 ACL for which you want to configure rules. ACLs available for selection are basic IPv4 ACLs.
Select the Rule ID box, and enter a number for the rule.
Item Description Select this box to keep a log of matched IPv4 packets. Check Logging A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets. Source IP Address Select the Source IP Address box, and enter a source IPv4 address and source wildcard, in dotted decimal notation. Source Wildcard Select the time range during which the rule takes effect.
Figure 236 The page for configuring an advanced IPv4 ACL
Table 113 Configuration items Item Description Select the advanced IPv4 ACL for which you want to configure rules. You can use command line interface to create advanced IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Also, when you configure advanced bandwidth limit and advanced bandwidth guarantee, the system automatically creates advanced IPv4 ACLs. For more information, see "Configuring QoS.
Item Description Select this box to make the rule match packets used for establishing and maintaining TCP connections. TCP Connection Established These items are available only when you select 6 TCP from the Protocol list. A rule with this item configured matches TCP connection packets with the ACK or RST flag. Source Select the operators and, enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list.
Figure 237 The page for configuring a rule for an Ethernet frame header ACL Table 114 Configuration items Item Description Select the Ethernet frame header IPv4 ACL for which you want to configure rules. ACL You can use command line interface to create Ethernet frame header IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Select the Rule ID box, and enter a number for the rule.
Item Description
Action: Select the action to be performed for IPv4 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
MAC Address Filter
Source MAC Address / Source Mask: Select the Source MAC Address box, and enter a source MAC address and wildcard.
Destination MAC Address / Destination Mask: Select the Destination MAC Address box, and enter a destination MAC address and wildcard.
COS(802.1p priority): Specify the 802.1p priority for the rule.
Type Filter
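How an advanced IPv4 ACL rule decides a match (source wildcard, protocol, port operator, and the TCP Connection Established item) can be worked through offline. The following Python script is an added example, not part of the HP guide or the router software. It assumes that a 0 bit in the wildcard means "must match", that rules in the config match order are tried in ascending rule ID with the first match deciding, and that the operator names eq, gt, lt, neq and range are used; the rule set and packets are constructed.

```python
import ipaddress

TCP, UDP = 6, 17                      # protocol numbers as shown in the Protocol list
ACK, RST, SYN = 0x10, 0x04, 0x02      # TCP flag bits

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def port_match(spec, port):
    """spec is None (port not checked) or a tuple (operator, start[, end])."""
    if spec is None:
        return True
    op, start, *rest = spec
    if op == "eq":
        return port == start
    if op == "neq":
        return port != start
    if op == "gt":
        return port > start
    if op == "lt":
        return port < start
    if op == "range":
        return start <= port <= rest[0]
    raise ValueError(f"unknown operator {op!r}")

def rule_matches(rule, pkt):
    """Every criterion configured in the rule must hold for the packet."""
    proto = rule.get("protocol")          # None stands for "any IP protocol"
    if proto is not None and proto != pkt["protocol"]:
        return False
    if not wildcard_match(pkt["src"], rule.get("src", "0.0.0.0"),
                          rule.get("src_wc", "255.255.255.255")):
        return False
    if rule.get("dst_port") is not None:
        # Port items exist only for TCP and UDP.
        if pkt["protocol"] not in (TCP, UDP) or not port_match(rule["dst_port"], pkt["dst_port"]):
            return False
    if rule.get("established"):
        # Matches TCP packets that carry the ACK or RST flag; no state is tracked.
        if pkt["protocol"] != TCP or not pkt.get("flags", 0) & (ACK | RST):
            return False
    return True

def evaluate(rules, pkt):
    """Return (rule_id, action) of the first matching rule, or None if none match."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, pkt):
            return rule["id"], rule["action"]
    return None

# Constructed rule set: 10.1.1.0 with wildcard 0.0.0.127 covers 10.1.1.0 to 10.1.1.127.
RULES = [
    {"id": 10, "action": "deny"},
    {"id": 0, "action": "permit", "protocol": TCP, "src": "10.1.1.0",
     "src_wc": "0.0.0.127", "established": True},
    {"id": 5, "action": "permit", "protocol": TCP, "src": "10.1.1.0",
     "src_wc": "0.0.0.127", "dst_port": ("eq", 80)},
]

def pkt(src, protocol, dst_port, flags=0):
    return {"src": src, "protocol": protocol, "dst_port": dst_port, "flags": flags}

if __name__ == "__main__":
    for p in (pkt("10.1.1.5", TCP, 22, SYN), pkt("10.1.1.5", TCP, 22, ACK),
              pkt("10.1.1.5", TCP, 80, SYN), pkt("10.1.1.200", TCP, 80, SYN)):
        print(p, "->", evaluate(RULES, p))
```

Because the established item tests only the flag bits, rule 0 matches any TCP segment from the source range that has ACK or RST set, whether or not a connection exists.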
Configuring QoS The Web interface provides the following QoS configuration functions: • Configuring subnet limit • Configuring advanced limit • Configuring advanced queue Overview Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS focuses on improving services under certain conditions rather than grading services precisely.
interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This is because working at the IP layer the latter two functions do not take effect on packets not processed by the IP layer. • Bandwidth guarantee—When congestion occurs to a port, class-based queuing (CBQ) classifies packets into different classes according to user-defined match criteria and assigns these classes to their queues. Before assigning packets to a queue, CBQ performs bandwidth restriction check.
Table 115 Configuration items Item Start Address End Address Description Set the address range of the subnet where rate limit is to be performed. Interface Specify the interface to which the subnet limit is to be applied. CIR Set the average traffic rate allowed. Set the rate limit method: • Share—Limits the total rate of traffic for all IP addresses on the subnet, and dynamically allocates bandwidth to an IP address based on traffic size.
Figure 241 Advanced limit setting
Table 116 Configuration items Item Description Description Configure a description for the advanced limit policy for management sake. Interface Specify the interface to which the advanced limit is to apply. Set the direction where the rate limit applies: Direction • Download—Limits the rate of incoming packets of the interface. • Upload—Limits the rate of outgoing packets of the interface. CIR Set the average traffic rate allowed.
Configuring advanced queue
To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for these interfaces.
Configuring interface bandwidth
Select Advanced > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue page. Select an interface from the Interface Name list, and then configure and view the CIR of the interface.
Item Description Set the average traffic rate allowed for the interface. HP recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link. If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ enqueues packets is 1000000 kbps.
Figure 243 Creating a bandwidth guarantee policy Table 118 Configuration items Item Description Description Configure a description for the bandwidth guarantee policy for management sake.
Item Description Set the service class queue type: • EF (Expedited Forwarding)—Provides absolutely preferential queue scheduling for Queue Type the EF service so as to ensure low delay for real-time data traffic. At the same time, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
QoS configuration examples Subnet limit configuration example Network requirements As shown in Figure 244, limit the rate of packets leaving Ethernet 1/1 of Router. Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps. Figure 244 Network diagram Configuration procedure # Configure the bandwidth limit settings for the network segment. 1.
3. Enter 2.1.1.100 in the End Address field. 4. Select interface Ethernet 1/1. 5. Enter 5 in the CIR field. 6. Select Per IP in the Type list. 7. Select Upload from the Direction list. 8. Click Apply. Advanced queue configuration example Network requirements As shown in Figure 246, data traffic from Router C reaches Router D by the way of Router A and then Router B. The data traffic from Router C is classified into three classes based on DSCP fields of IP packets.
Figure 247 Configuring assured forwarding
a. Enter the description test-af.
b. Select AF (Assured Forwarding) in the Queue Type list.
c. Select interface Ethernet0/0.
d. Enter 40 in the Bandwidth field.
e. Enter 10, 18 in the DSCP field.
f. Click Apply.
# Perform EF for traffic with DSCP field EF.
g. Select Advanced > QoS Setup > Advanced Queue from the navigation tree, and click Add on the displayed page.
Figure 248 Configuring expedited forwarding a. Enter the description test-ef. b. Select EF (Expedited Forwarding) in the Queue Type list. c. Select interface Ethernet0/0. d. Enter 240 in the Bandwidth field. e. Enter 46 in the DSCP field. f. Click Apply. After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in the network.
Appendix Packet precedences IP precedence and DSCP values Figure 249 DS field and ToS field As shown in Figure 249, the ToS field of the IP header contains 8 bits: the first 3 bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is represented by the first 6 bits (0 to 5) and is in the range 0 to 63. The remaining 2 bits (6 and 7) are reserved.
DSCP value (decimal)   DSCP value (binary)   Keyword
30                     011110                af33
34                     100010                af41
36                     100100                af42
38                     100110                af43
8                      001000                cs1
16                     010000                cs2
24                     011000                cs3
32                     100000                cs4
40                     101000                cs5
48                     110000                cs6
56                     111000                cs7
0                      000000                be(default)

802.1p priority
802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
Figure 250 An Ethernet frame with an 802.
802.1p priority (decimal) 802.
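The precedence fields described in this appendix can be read directly from a captured frame. The following Python parser is an added example, not part of the HP guide; it assumes the standard 802.1Q tag layout (TPID 0x8100 followed by a 16-bit field whose top 3 bits are the 802.1p priority and whose low 12 bits are the VLAN ID), the function names are hypothetical, and the sample frame is constructed.

```python
import struct

TPID_DOT1Q = 0x8100       # marks an 802.1Q tag after the source MAC address
ETHERTYPE_IPV4 = 0x0800

def dscp_keyword(dscp):
    """Map a 6-bit DSCP value to its keyword, or None if it has no keyword."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is in the range 0 to 63")
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"cs{cls}"                     # class selector: low 3 bits are zero
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low >> 1}"           # AF class 1-4, drop precedence 1-3
    return None

def classify_frame(frame):
    """Extract 802.1p priority, IP precedence and DSCP from an Ethernet/IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, dot1p, vlan_id = 14, None, None
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        dot1p, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("bad IPv4 header")
    tos = frame[offset + 1]                   # ToS / DS field, second header byte
    dscp = tos >> 2                           # first 6 bits (0 to 5)
    return {
        "dot1p": dot1p,                       # None when the frame is untagged
        "vlan_id": vlan_id,
        "ip_precedence": tos >> 5,            # first 3 bits (0 to 2)
        "dscp": dscp,
        "dscp_bits": format(dscp, "06b"),
        "keyword": dscp_keyword(dscp),
    }

# Constructed frame: VLAN 100, 802.1p priority 5, IPv4 header with DS field 0xB8.
SAMPLE_FRAME = bytes.fromhex(
    "00e0fcbbbbbb" "00e0fcaaaaaa"             # destination and source MAC
    "8100" "a064"                             # 802.1Q tag: priority 5, VLAN 100
    "0800"                                    # IPv4
    "45b8" "0014" "0000" "0000" "4011" "0000" # IPv4 header (checksum left as zero)
    "02010101" "02010102"                     # 2.1.1.1 -> 2.1.1.2
)

if __name__ == "__main__":
    print(classify_frame(SAMPLE_FRAME))
    print(classify_frame(SAMPLE_FRAME[:12] + SAMPLE_FRAME[16:]))  # same frame, untagged
```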
Configuring SNMP This chapter is only applicable to the MSR20/30/50/93X/1000 routers. For information about configuring SNMP from the Web interface for the MSR900/20-1X routers, see "Configuring SNMP (lite version)." Overview The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.
Task Remarks Optional. Configuring an SNMP view After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group. Configuring an SNMP community Required. Optional. Configuring the SNMP trap function Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
On the upper part of the page, you can select to enable or disable the SNMP agent function and configure parameters such as SNMP version. On the lower part of the page, you can view the SNMP statistics, which helps you understand the running status of the SNMP after your configuration. Figure 252 Setup tab 2. Configure the SNMP agent, as shown in Table 122. Table 122 Configuration items Item Description SNMP Specify to enable or disable the SNMP agent function.
Item Description Configure the local engine ID. Local Engine ID The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid. Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive or send. Set a character string to describe the contact information for system maintenance.
Figure 255 Creating an SNMP view (2) Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules, click Apply to create an SNMP view. The view will not be created if you click Cancel. Table 123 Configuration items Item Description View Name Set the SNMP view name.
Figure 256 Adding rules to an SNMP view You can also click the icon corresponding to the specified view on the page as shown in Figure 253, and then you can enter the page to modify the view. Configuring an SNMP community 1. Select Advanced > SNMP from the navigation tree, then click the Community tab to enter the page as shown in Figure 257. Figure 257 Configuring an SNMP community 2. Click Add to enter the Add SNMP Community page. Figure 258 Creating an SNMP Community 3.
Table 124 Configuration items Item Description Community Name Set the SNMP community name. Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent. Access Right • Read and write—The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent.
Figure 260 Creating an SNMP group 2. Configure the SNMP group, as shown in Table 125. Table 125 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group. The available security levels are: Security Level • NoAuth/NoPriv—No authentication no privacy. • Auth/NoPriv—Authentication without privacy. • Auth/Priv—Authentication and privacy. IMPORTANT: The security level for an existing SNMP group cannot be modified.
Figure 261 SNMP user 1. Click Add to enter the Add SNMP User page, as shown in Figure 262. Figure 262 Creating an SNMP user 2. Configure the SNMP user, as shown in Table 126. Table 126 Configuration items Item Description User Name Set the SNMP user name. Select the security level for the SNMP group. The available security levels are: Security Level • NoAuth/NoPriv—No authentication no privacy. • Auth/NoPriv—Authentication without privacy. • Auth/Priv—Authentication and privacy.
Item Description Select an SNMP group to which the user belongs: • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. Group Name • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy. • When the security level is Auth/Priv, you can select an SNMP group of any security level.
2. Click Add to enter the Add Trap Target Host page, as shown in Figure 264. Figure 264 Adding a target host of SNMP traps 3. Configure the SNMP traps, as shown in Table 127. Table 127 Configuration items Item Description Set the destination IP address. Destination IP Address Security Name Select the IP address type: IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field according to the IP address type.
Item Description Security Level Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the security level can only be no authentication no privacy, and cannot be modified. Displaying SNMP packet statistics Select Advanced > SNMP from the navigation tree to enter the Setup tab page.
Figure 266 Network diagram Configuring the agent 1. Enable SNMP: a. Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the following configuration as shown in Figure 267. b. Select the Enable radio box. c. Set the SNMP version to both v1 and v2c. d. Click Apply. Figure 267 Enabling SNMP 2. Configure an SNMP community: a. Click the Community tab and then click Add. Perform the following configuration as shown in Figure 268. b.
Figure 268 Configuring SNMP community named public Figure 269 Configuring SNMP community named private f. Type private in the field of Community Name. g. Select Read and write from the Access Right list. h. Click Apply. 3. Enable Agent to send SNMP traps: a. Click the Trap tab and perform the following configuration as shown in Figure 270. b. Select the Enable SNMP Trap box. c. Click Apply.
Figure 270 Enabling Agent to send SNMP traps 4. Add target hosts of SNMP traps: a. On the Trap tab page, click Add and perform the following configuration as shown in Figure 271. b. Select the destination IP address type as IPv4/Domain. c. Type the destination address 1.1.1.2. d. Type the security username public. e. Select v1 from the Security Model list. (This configuration must be the same as that running on the NMS; otherwise, the NMS cannot receive any trap.) f. Click Apply.
3. Create a read and write community and name it private. For more information about configuring the NMS, see the NMS manual. Verifying the configuration • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes. • Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding trap.
Figure 273 Enabling SNMP 2. Configure an SNMP view: a. Click the View tab and then click Add. Perform the following configuration as shown in Figure 274. b. Type view1 in the field of View Name. c. Click Apply and enter the page of view1. Perform the following configuration as shown in Figure 275.
Figure 275 Adding a view named view1 d. Select the Included radio box. e. Type the MIB subtree OID interfaces. f. Click Add. g. Click Apply. A configuration progress dialog box appears, as shown in Figure 276. h. After the configuration process is complete, click Close. Figure 276 Configuration progress dialog box 3. Configure an SNMP group: a. Click the Group tab and then click Add. Perform the following configuration as shown in Figure 277. b. Type group1 in the Group Name field. c.
Figure 277 Configuring an SNMP group
4. Configure an SNMP user:
a. Click the User tab and then click Add. Perform the following configuration as shown in Figure 278.
b. Type user1 in the User Name field.
c. Select Auth/Priv from the Security Level list.
d. Select group1 (Auth/Priv) from the Group Name list.
e. Select MD5 from the Authentication Mode list.
f. Type authkey in the Authentication Password and Confirm Authentication Password fields.
g. Select DES56 from the Privacy Mode list.
h.
5. Enable Agent to send SNMP traps: a. Click the Trap tab and perform the following configuration as shown in Figure 279. b. Select the Enable SNMP Trap box. c. Click Apply. Figure 279 Adding target hosts of SNMP traps 6. Add target hosts of SNMP traps: a. On the Trap tab page, click Add and perform the following configuration as shown in Figure 280. b. Select the destination IP address type as IPv4/Domain. c. Type the destination address 1.1.1.2. d. Type the user name user1. e.
Configuring the NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. 1. Specify the SNMP version for the NMS as v3. 2. Create an SNMP user user1. 3. Enable both authentication and privacy functions. 4. Use MD5 for authentication and DES56 for encryption. 5. Set the authentication key to authkey and the privacy key to prikey. For more information about configuring the NMS, see the NMS manual.
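The Local Engine ID item states that a user becomes invalid when the engine ID changes after the user was created. In SNMPv3 this follows from key localization: the key stored for a user is derived from the password and the engine ID together. The following Python script is an added example, not part of the HP guide or the router software; it implements the RFC 3414 password-to-key and localization steps, assumes the agent follows that RFC, and uses constructed engine IDs with the authkey password from the example above.

```python
import hashlib
import hmac

def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1,048,576 bytes formed by repeating the password."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()

def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: bind the user key Ku to one engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()

def localized_auth_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)

def user_still_valid(password: bytes, engine_at_creation: bytes,
                     engine_now: bytes, algo: str = "md5") -> bool:
    """Compare the key stored when the user was created with the key an NMS
    derives from the same password and the agent's current engine ID."""
    stored = localized_auth_key(password, engine_at_creation, algo)
    derived = localized_auth_key(password, engine_now, algo)
    return hmac.compare_digest(stored, derived)

# Constructed engine IDs (placeholders, not values from any device).
ENGINE_OLD = bytes.fromhex("800000000100000001")
ENGINE_NEW = bytes.fromhex("800000000100000002")

if __name__ == "__main__":
    print("key with old engine ID:", localized_auth_key(b"authkey", ENGINE_OLD).hex())
    print("key with new engine ID:", localized_auth_key(b"authkey", ENGINE_NEW).hex())
    print("user valid after change:", user_still_valid(b"authkey", ENGINE_OLD, ENGINE_NEW))
```

After an engine ID change, users have to be created again so that their stored keys are localized to the new engine ID.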
Configuring bridging Through the Web interface, you can configure the following transparent bridging functions: • Enabling a bridge set • Adding an interface to a bridge set Overview A bridge is a store-and-forward device that connects and transfers traffic between LAN segments at the data-link layer.
Figure 281 Host A sends an Ethernet frame to Host B on LAN 1 (diagram: Host A, MAC address 00e0.fcaa.aaaa, and Host B, MAC address 00e0.fcbb.bbbb, on LAN segment 1 at bridge interface 1; Host C and Host D on LAN segment 2 at bridge interface 2; the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fcbb.bbbb)
Figure 283 The bridge determines that Host B is also attached to interface 1 (diagram: the frame has source address 00e0.fcbb.bbbb and destination address 00e0.fcaa.aaaa; the bridge table maps 00e0.fcbb.bbbb and 00e0.fcaa.aaaa to interface 1)
Figure 285 Forwarding (diagram: the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc; the bridge table maps 00e0.fcaa.aaaa and 00e0.fcbb.bbbb to interface 1, and 00e0.fccc.cccc and 00e0.fcdd.dddd to interface 2)
Figure 287 The proper MAC-to-interface mapping is not found in the bridge table When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than the receiving interface. VLAN transparency VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN tags. If your device does not support VLAN tags, enable VLAN transparency on any interfaces that might receive VLAN-tagged packets to avoid dropping of VLAN tags.
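The learning, filtering, forwarding and flooding decisions shown in Figures 281 through 287 can be followed in a small model. The following Python script is an added example, not part of the HP guide or the router software; the class and method names are hypothetical, entry aging is left out, and the frames replay the host addresses used in the figures.

```python
def parse_mac(text):
    """Parse the dotted notation used in the figures (00e0.fcaa.aaaa) into bytes."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

class Bridge:
    """Transparent bridge with a MAC-to-interface table (no aging)."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}                       # MAC address bytes -> interface

    def receive(self, in_if, src, dst):
        """Process one frame; return (decision, list of outgoing interfaces)."""
        if in_if not in self.interfaces:
            raise ValueError(f"unknown interface {in_if!r}")
        src_b, dst_b = parse_mac(src), parse_mac(dst)
        # Learning: remember which interface the source address was seen on.
        if not src_b[0] & 1:                  # group addresses are never learned
            self.table[src_b] = in_if
        others = [i for i in self.interfaces if i != in_if]
        # Broadcast or multicast: send to all interfaces except the receiving one.
        if dst_b[0] & 1:
            return "flood", others
        out_if = self.table.get(dst_b)
        if out_if is None:
            return "flood", others            # no mapping found in the bridge table
        if out_if == in_if:
            return "filter", []               # destination is on the same segment
        return "forward", [out_if]

HOST_A, HOST_B = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb"   # LAN segment 1, interface 1
HOST_C, HOST_D = "00e0.fccc.cccc", "00e0.fcdd.dddd"   # LAN segment 2, interface 2

def replay():
    """Replay a frame sequence modelled on the figures and collect the decisions."""
    bridge = Bridge([1, 2])
    steps = [
        (1, HOST_A, HOST_B),            # B not yet learned: flooded, A learned
        (1, HOST_B, HOST_A),            # A is on the receiving interface: filtered
        (2, HOST_C, HOST_A),            # A known on interface 1: forwarded
        (1, HOST_A, HOST_C),            # C known on interface 2: forwarded
        (1, HOST_A, HOST_D),            # D has no mapping: flooded
        (1, HOST_A, "ffff.ffff.ffff"),  # broadcast: flooded
    ]
    return [bridge.receive(*step) for step in steps], bridge.table

if __name__ == "__main__":
    decisions, table = replay()
    for decision in decisions:
        print(decision)
    print({mac.hex(): port for mac, port in table.items()})
```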
Figure 288 Global config Table 128 Configuration items Item Remarks Bridge Group id Set the ID of the bridge set you want to enable. Adding an interface to a bridge set Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the page shown in Figure 289.
Figure 289 Configuring interface
Table 129 Configuration items
Item Remarks
Interface: Select the interface you want to configure.
Bridge Group: Set the ID of the bridge set to which you want to add the interface.
VLAN Transmit: Enable or disable VLAN transparency on the interface. HP recommends not enabling this function on a subinterface. A VLAN interface does not support this function.
Figure 290 Network diagram (elements: Office area A, Office area B, Switch A, Switch B, Router A, Router B; Eth1/1 and Eth1/2 on each router; trunk links)
Configuration procedure
1. Configure Router A:
# Enable bridge set 2.
a. Select Advanced > Bridge from the navigation tree to enter the Global config page.
Figure 291 Enabling bridge set 2
a. Enter 2 as the bridge group ID.
b. Click Apply.
# Assign Ethernet 1/1 to bridge set 2, and enable VLAN transparency.
c. Click the Config interface tab.
Figure 292 Assigning Ethernet 1/1 to bridge set 2 and enable VLAN transparency b. Select Ethernet1/1 from the Interface list. c. Select 2 from the Bridge Group list. d. Select Enable from the VLAN Transmit list. e. Click Apply. # Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency. Figure 293 Assigning Ethernet 1/2 to bridge set 2 and enable VLAN transparency b. Select Ethernet1/2 from the Interface list. c. Select 2 from the Bridge Group list. d. Select Enable from the VLAN Transmit list.
e. Click Apply. 2. Configure Router B in the same way Router A is configured.
Configuring user groups You can add hosts in a LAN to a user group and perform access control, application control, bandwidth control, and packet filtering on a per user group basis. • Access control—Allows you to deny access from hosts during specific time ranges. All data packets matching these criteria will be denied access to the Internet.
Configuring a user group Select Advanced > Security > Usergroup from the navigation tree. The group configuration page appears, as shown in Figure 294. Figure 294 User group configuration Table 131 describes the user group configuration item. Table 131 Configuration item Item Description Set the name of the group to be added. User Group Name The group name is a character string beginning with letters. The string cannot contain any question mark (?) or space.
Figure 295 User configuration Table 132 describes the user configuration items. Table 132 Configuration items Item Description Please select a user group Select the group to which you want to add users. Set the mode in which the users are added. Add Mode • Static—In this mode, type the username and IP address manually in the following fields. • Dynamic—The system displays all devices connected to the device for you to select. Set the username.
Figure 296 Access control configuration Table 133 describes the access control configuration items. Table 133 Configuration items Item Description Select a user group for access control. Please select a user group Days Time When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups. Set the time range in which access to the Internet is denied.
Figure 297 Application control Table 134 describes the application control configuration items. Table 134 Configuration items Item Please select a user group Description Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups. Select the applications and protocols to be controlled.
Figure 298 Bandwidth control configuration
Table 135 describes the bandwidth control configuration items.
Table 135 Configuration items
Item | Description
Please select a user group | Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.
CIR | Set the committed information rate (CIR), that is, the permitted average rate of traffic.
Figure 299 Packet filtering configuration
Table 136 describes the packet filtering configuration items.
Table 136 Configuration items
Item | Description
Please select a user group | Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.
Protocol | Select a protocol.
Item | Description
configurable.
Port, ToPort |
• If you select NotCheck as the operator, port numbers will not be checked and no ports need to be specified.
• If you select Range as the operator, you must specify both start and end ports to define a port range.
• If you select another option as the operator, only a start port needs to be specified.
Synchronizing user group configuration for WAN interfaces
1.
Figure 301 Network diagram Creating user groups staff (for common users) and manager (for the manager) 1. Select Advanced > Security > Usergroup to enter the group configuration page. Perform the configurations as shown in Figure 302. Figure 302 Creating user groups staff and manager 2. Enter staff as a user group name. 3. Click Apply. 4. Enter manager as a user group name. 5. Click Apply. Adding users to user groups 1. Select Advanced > Security > Usergroup, and then select the User tab.
Figure 303 Adding users to user group staff 2. Select staff from the user group list. 3. Select Dynamic as the add mode. The following area then displays the IP addresses and MAC addresses of all the hosts in the private network that connects to the Router. 4. Select the entries of Host B, Host C, and Host D. 5. Click Apply. A configuration progress dialog box appears, as shown in Figure 304.
6. After the configuration process is complete, click Close. Figure 305 Adding users to user group manager 7. Select manager from the user group list. 8. Select Static for Add Mode. 9. Enter hosta as the username. 10. Enter 192.168.1.11 as the IP address. 11. Click Apply. A configuration progress dialog box appears. 12. After the configuration process is complete, click Close. Configuring access control for user group staff 1. Select Advanced > Security > Connect Control.
Figure 306 Configuring access control for user group staff 2. Select staff from the user group list. 3. Select the boxes for Monday through Friday. 4. Specify 09:00 as the start time. 5. Specify 18:00 as the end time. 6. Click Apply. A configuration progress dialog box appears. 7. After the configuration process is complete, click Close. Loading the application control file (assume the signature file is stored on the device) 1.
2. Select the From Device option, and select file p2p_default. 3. Click Apply. You can then see that MSN is listed among the loaded applications in the lower part of the page. Configuring application control for user group staff 1. Select Advanced > Security > Application Control from the navigation tree, and perform the configurations as shown in Figure 308. Figure 308 Configuring application control to user group staff 2. Select staff from the user group list. 3. Select MSN from the Loaded Applications area.
Figure 309 Configuring bandwidth control to user groups staff and manager 2. Select the staff user group. 3. Enter 8 for the CIR. 4. Click Apply. A configuration progress dialog box appears. 5. After the configuration process is complete, click Close. 6. Select the manager user group. 7. Enter 54 for the CIR. 8. Click Apply. A configuration progress dialog box appears. 9. After the configuration process is complete, click Close. Configuring packet filtering for user group staff 1.
Figure 310 Configuring packet filtering for user group staff 2. Select staff from the user group list. 3. Select IP as the protocol. 4. Select the Destination IP Address box. 5. Enter 2.2.2.1 as the destination IP address. 6. Enter 0.0.0.0 as the destination wildcard. 7. Click Apply. A configuration progress dialog box appears. 8. After the configuration process is complete, click Close.
Configuring MSTP Only MSR20/30/50/93X/1000 routers support this feature. As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). This chapter describes the characteristics of STP, RSTP, and MSTP.
Root port On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port. Designated bridge and designated port Classification Designated bridge Designated port For a device Device directly connected to the local device and responsible for forwarding BPDUs to the local device.
• Root path cost—Cost of the shortest path to the root bridge.
• Designated bridge ID—Consisting of the priority and MAC address of the designated bridge.
• Designated port ID—Designated port priority plus port name.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age for which the configuration BPDU can be maintained on a device.
• Hello time—Configuration BPDU interval.
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. 4. Root port and designated ports selection on a non-root device.
Figure 312 The STP algorithm
1. State initialization of each device.
Table 139 Initial state of each device
Device | Port name | BPDU of port
Device A | AP1 | {0, 0, 0, AP1}
Device A | AP2 | {0, 0, 0, AP2}
Device B | BP1 | {1, 0, 1, BP1}
Device B | BP2 | {1, 0, 1, BP2}
Device C | CP1 | {2, 0, 2, CP1}
Device C | CP2 | {2, 0, 2, CP2}
2. BPDU comparisons on each device.
Device BPDU of port after comparison Comparison process • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. • Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}.
Device BPDU of port after comparison Comparison process After comparison: • Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.
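The comparison steps above can be replayed end to end. The following Python code is an added example, not part of the guide or of the router software: it takes the bridge IDs from Table 139 and the link path costs 5, 10, and 4 quoted in the Device C comparison, treats a lower BPDU tuple as superior, and iterates until no device changes its view of the root.

```python
# Added example: STP election on the Device A / B / C topology of the worked example.
# Bridge IDs are the priorities used in Table 139; link costs are those quoted in
# the root path cost comparison for Device C (A-B 5, A-C 10, B-C 4).
BRIDGE_ID = {"A": 0, "B": 1, "C": 2}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def owner(port):
    """Port names start with the letter of the device that owns them."""
    return port[0]


def peer_table():
    """Map every port to (peer port, path cost of the link between them)."""
    peers = {}
    for a, b, cost in LINKS:
        peers[a] = (b, cost)
        peers[b] = (a, cost)
    return peers


def port_bpdu(state, port):
    """BPDU a device would send on a port, in the order used in the text:
    {root bridge ID, root path cost, designated bridge ID, designated port ID}."""
    root_id, root_cost, _root_port = state[owner(port)]
    return (root_id, root_cost, BRIDGE_ID[owner(port)], port)


def elect():
    """Return (per-device state, per-port role) once the election has converged."""
    peers = peer_table()
    # Initial state: every device assumes it is the root bridge.
    state = {dev: (bid, 0, None) for dev, bid in BRIDGE_ID.items()}
    while True:
        new_state = {}
        for dev, bid in BRIDGE_ID.items():
            best_bpdu, root_port = (bid, 0, bid, ""), None  # the device's own claim
            for port, (peer, cost) in peers.items():
                if owner(port) != dev:
                    continue
                root_id, root_cost, des_bridge, des_port = port_bpdu(state, peer)
                # Root path cost through this port = cost in the BPDU + port path cost.
                received = (root_id, root_cost + cost, des_bridge, des_port)
                if received < best_bpdu:  # lower tuple = superior BPDU
                    best_bpdu, root_port = received, port
            new_state[dev] = (best_bpdu[0], best_bpdu[1], root_port)
        if new_state == state:
            break
        state = new_state

    roles = {}
    for port, (peer, _cost) in peers.items():
        if state[owner(port)][2] == port:
            roles[port] = "root"
        elif port_bpdu(state, port) < port_bpdu(state, peer):
            roles[port] = "designated"
        else:
            roles[port] = "blocked"  # neither root nor designated: no forwarding
    return state, roles


if __name__ == "__main__":
    final_state, final_roles = elect()
    for dev, (root_id, cost, root_port) in final_state.items():
        print(f"Device {dev}: root bridge ID {root_id}, root path cost {cost}, root port {root_port}")
    for port, role in sorted(final_roles.items()):
        print(f"{port}: {role}")
```

Device C ends with root path cost 9 through CP2, and CP1 is the port that stays out of the forwarding topology, which is what removes the loop.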
However, the newly calculated configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur. STP timers STP calculation involves the following timers: • Forward delay—The delay time for device state transition.
MSTP includes the following features: • MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI. • MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another. • MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of packets in a loop network.
• They have the same region name. • They have the same VLAN-to-instance mapping configuration. • They have the same MSTP revision level configuration. • They are physically linked with one another. For example, all the devices in region A0 in Figure 314 have the same MST region configuration. • The same region name. • The same VLAN-to-instance mapping configuration (VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to the common and internal spanning tree (CIST or MSTI 0).
For example, in region D0 in Figure 314, the regional root of MSTI 1 is device B, and that of MSTI 2 is device C. Common root bridge The common root bridge is the root bridge of the CIST. In Figure 314, for example, the common root bridge is a device in region A0. Boundary port A boundary port is a port that connects an MST region to another MST region, or to a single spanning-tree region running STP, or to a single spanning-tree region running RSTP. It is at the boundary of an MST region.
Figure 315 Port roles
In Figure 315, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of Device D are connected downstream to the other MST regions.
How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI (Among these MSTIs, MSTI 0 is called the CIST). Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees. The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent.
• Two or more MSTP-enabled devices belong to the same MST region only if they are configured with the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance mapping entries in the MST region, and MST region revision level, and they are interconnected through physical links. • After specifying the current device as the root bridge or a secondary root bridge, you cannot change the priority of the device.
Figure 316 MST region 2. Click Modify. The MSTP region configuration page appears, as shown in Figure 317. Figure 317 Modifying an MST region Table 142 Configuration items Item Region Name Description MST region name. The MST region name is the bridge MAC address of the device by default. Revision Level Revision level of the MST region. Manual (Instance ID and VLAN ID) Manually add VLAN-to-instance mappings. Click Apply to add a VLAN-to-instance mapping entry to the list.
Configuring MSTP globally
1. From the navigation tree, select Advanced > MSTP > Global. The Global MSTP Configuration page appears, as shown in Figure 318.
Figure 318 Configuring MSTP globally
Table 143 Configuration items
Item | Description
Enable STP Globally | Enable or disable STP globally:
• Enable—Enable STP globally.
• Disable—Disable STP globally.
Other MSTP configurations can take effect only after you enable STP globally.
Item | Description
Mode | Set the STP operating mode:
• STP mode—All ports of the device send out STP BPDUs.
• RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
• MSTP—All ports of the device send out MSTP BPDUs.
Item Description Set the timers: • Forward Delay—Set the delay for the root and designated ports to transit to the forwarding state. The length of the forward delay time is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay setting is too small, temporary redundant paths might be introduced. If the forward delay setting is too big, it might take a long time for the network to converge.
Configuring MSTP on a port 1. From the navigation tree, select Advanced > MSTP > Port. The MSTP Port Configuration page appears, as shown in Figure 319. Figure 319 MSTP configuration of a port (1) 2. Click the Operation icon for a port. The MSTP Port Configuration page of the port appears, as shown in Figure 320. Figure 320 MSTP configuration of a port (2) Table 144 Configuration items Item Description Port Number Select the port you want to configure.
Item Protection Type Description Set the type of protection enabled on the port: • Not Set—No protection is enabled on the port. • Edged Port, Root Protection, Loop Protection—For more information, see Table 145. Specify whether the port is connected to a point-to-point link: Point to Point Transmit Limit mCheck • Auto—Automatically detects whether the link type of the port is point-to-point. • Force False—Specifies that the link type for the port is not point-to-point link.
MSTP configuration example Network requirements As shown in Figure 321, all routers on the network are in the same MST region. Router A and Router B work on the distribution layer. Router C and Router D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of VLAN 20 along MSTI 0.
c. Set the revision level to 0. d. Select the Manual radio button. e. Select 1 from the Instance list. f. Set the VLAN ID to 10. g. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list. h. Repeat the preceding steps to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4, and then add the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list. i. Click Activate to end the operation.
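Because devices join the same MST region only when the format selector, region name, revision level, and VLAN-to-instance mapping all match, a single missed mapping entry silently splits the region. The following Python code is an added example, not HP's code: it builds the MST configuration identifier that MSTP BPDUs carry (the digest follows the IEEE 802.1Q construction, HMAC-MD5 with the standard's fixed key) for the four routers of this example and groups them by region. The device dictionary layout and the drift on Router D are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Fixed HMAC-MD5 key that IEEE 802.1Q defines for the MST Configuration Digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Region settings used in this configuration example.
INTENDED = {"region": "example", "revision": 0, "vlan_to_msti": {10: 1, 30: 3, 40: 4}}


def config_digest(vlan_to_msti):
    """HMAC-MD5 over a 4096-entry table of 2-byte MSTI numbers indexed by VLAN ID.
    VLANs without an explicit mapping stay in MSTI 0 (the CIST)."""
    table = bytearray(4096 * 2)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"invalid VLAN ID {vlan}")
        struct.pack_into(">H", table, vlan * 2, msti)
    return hmac.new(DIGEST_KEY, bytes(table), hashlib.md5).digest()


def config_id(region_name, revision, vlan_to_msti, format_selector=0):
    """Format selector (1 byte), region name (32 bytes, zero padded),
    revision level (2 bytes), configuration digest (16 bytes)."""
    name = region_name.encode("ascii")
    if len(name) > 32:
        raise ValueError("region name longer than 32 bytes")
    header = struct.pack(">B32sH", format_selector, name, revision)
    return header + config_digest(vlan_to_msti)


def regions(devices):
    """Group device names by MST configuration identifier."""
    groups = {}
    for name, cfg in devices.items():
        key = config_id(cfg["region"], cfg["revision"], cfg["vlan_to_msti"])
        groups.setdefault(key, []).append(name)
    return sorted(groups.values())


def differences(a, b):
    """Name the settings that keep two devices out of the same region."""
    return [field for field in ("region", "revision", "vlan_to_msti") if a[field] != b[field]]


def sample_devices(drift=False):
    """Constructed inventory for Router A to Router D."""
    devices = {
        name: dict(INTENDED, vlan_to_msti=dict(INTENDED["vlan_to_msti"]))
        for name in ("Router A", "Router B", "Router C", "Router D")
    }
    if drift:
        # Constructed mistake: the VLAN 40 mapping was never added on Router D.
        del devices["Router D"]["vlan_to_msti"][40]
    return devices


if __name__ == "__main__":
    for label, drift in (("as configured in the example", False), ("with drift on Router D", True)):
        devices = sample_devices(drift)
        print(label, "->", regions(devices))
        for name, cfg in devices.items():
            diff = differences(devices["Router A"], cfg)
            if diff:
                print(f"  {name} differs from Router A in: {', '.join(diff)}")
```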
Figure 323 Configuring global MSTP parameters on Router A 3. Configure Router B: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A. # Enable MSTP globally and configure the current device as the root bridge of MSTI 3: a. From the navigation tree, select Advanced > MSTP > Global. b.
g. Click Apply to submit the settings. Configure Router D: 5. # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A. # Enable MSTP globally: a. From the navigation tree, select Advanced > MSTP > Global. b. On the page that appears, select Enable from the Enable STP Globally list. c.
0 Ethernet0/1 ROOT FORWARDING NONE
0 Ethernet0/2 ALTE DISCARDING NONE
0 Ethernet0/3 ALTE DISCARDING NONE
3 Ethernet0/1 ROOT FORWARDING NONE
3 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 ROOT FORWARDING NONE
Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 324.
Configuring RADIUS You can configure RADIUS through the Web interface. Overview Remote Authentication Dial-In User Service (RADIUS) protocol is a distributed information interaction protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized access and is often used in network environments that require both high security and remote user access. RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
Figure 326 RADIUS scheme configuration page 3. Configure the parameters, as described in Table 146. 4. Click Apply. Table 146 Configuration items Item Description Scheme Name Enter a name for the RADIUS scheme. Common Configuration Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets. For more information about common configuration, see "Configuring common parameters.
Figure 327 Common configuration
2. Configure the parameters, as described in Table 147.
Table 147 Configuration items
Item | Description
Server Type | Select the type of the RADIUS servers supported by the device:
• Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
• Extended—Extended RADIUS servers, usually running on IMC.
Item | Description
Username Format | Select the format of usernames to be sent to the RADIUS server: Original format, With domain name, or Without domain name. Typically, a username is in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user.
Item Description Realtime Accounting Attempts Set the maximum number of attempts for sending a real-time accounting request. Unit for Data Flows Specify the unit for data flows sent to the RADIUS server: byte, kilo-byte, mega-byte, or giga-byte. Unit for Packets Specify the unit for data packets sent to the RADIUS server: one-packet, kilo-packet, mega-packet, or giga-packet. Specify the VPN to which the RADIUS scheme belongs.
Figure 328 RADIUS server configuration 2. Configure the parameters, as described in Table 148. 3. Click Apply. You can repeat the above steps to configure multiple RADIUS servers for the RADIUS scheme. Table 148 Configuration items Item Description Server Type Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
• Add an account on the RADIUS server, with the username and password being hello@bbb and abc. If the user passes authentication, it is assigned a privilege level of 3. Figure 329 Network diagram Configuring the RADIUS server on IMC This example assumes that the RADIUS server runs on IMC PLAT 5.0. 1. Add the router to IMC as an access device: a. Log in to IMC: b. Click the Service tab. c. Select Access Service > Service Configuration from the navigation tree. d. Click Add. e.
Figure 330 Adding an access device 2. Add a user account: a. Log in to IMC: b. Click the User tab. c. Select Access User View > All Access Users from the navigation tree. d. Click Add. e. Enter hello@bbb as the username. f. Enter abc as the password and confirm the password. g. Select Telnet as the service type. h. Enter 3 as the EXEC privilege level. This value identifies the privilege level of the Telnet user after login, which is 0 by default. i.
Figure 331 Adding an account for device management Configuring the router 1. Configure the IP address of each interface. (Details not shown.) 2. Configure a RADIUS scheme: a. Select Advanced > RADIUS from the navigation tree. b. Click Add. c. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server type, and select Without domain name for the username format. d.
e. To add the primary accounting server, click Add again in the RADIUS Server Configuration area, select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter 1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply. The RADIUS scheme configuration page refreshes and the added servers appear in the server list. Figure 333 RADIUS accounting server configuration page f. Click Apply. Figure 334 RADIUS scheme configuration page 3.
5. Use either approach to configure the AAA methods for domain bbb: Configure the same scheme for authentication and authorization in domain bbb because RADIUS authorization information is included in the authentication response message.
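The shared key entered in the RADIUS scheme never crosses the wire; it hides the User-Password attribute and authenticates the server's reply, so a key that differs between router and server fails in both directions. The following Python code is an added example, not HP or IMC code: it implements the RFC 2865 password hiding and Response Authenticator check and runs one exchange for the account hello@bbb with password abc. The key expert is the value this example enters for the accounting server and is used here only as a sample shared secret; the request authenticator is a constructed fixed value so the run is repeatable.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types


def _xor_chain(data, secret, request_auth, decrypt):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), starting from the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, pad))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, request_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded_len = max(16, -(-len(password) // 16) * 16)
    return _xor_chain(password.ljust(padded_len, b"\x00"), secret, request_auth, False)


def reveal_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, True).rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(ident, username, password, secret, request_auth):
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        attr_len = packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def response_is_authentic(packet, request_auth, secret):
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(router_key, server_key):
    """Return (reply code, reply passes the router's authenticator check)."""
    request_auth = bytes(range(16))                 # constructed; real clients use random bytes
    username = "hello@bbb".split("@")[0].encode()   # "Without domain name" username format
    request = build_request(1, username, b"abc", router_key, request_auth)
    # Server side: recover the password with the server's copy of the key.
    _code, ident, auth, attrs = parse(request)
    accepted = reveal_password(attrs[USER_PASSWORD], server_key, auth) == b"abc"
    reply = build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, auth, server_key)
    # Router side: verify the reply with the router's copy of the key.
    return parse(reply)[0], response_is_authentic(reply, request_auth, router_key)


if __name__ == "__main__":
    print("matching keys:  ", exchange(b"expert", b"expert"))
    print("mismatched keys:", exchange(b"expert", b"Expert"))
```

With mismatched keys the server recovers garbage instead of the password and rejects the user, and the router cannot validate the reply either, so a key typo looks like a wrong password on one side and a silent timeout on the other.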
If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured. When the primary server and secondary servers are all in the blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active.
Configuring login control The login control feature allows you to control Web or Telnet logins by IP address and login type. Configuration procedure 1. Select Advanced > Access from the navigation tree. The login control configuration page appears. The upper part of the page allows you to configure login control rules, and the lower part displays existing login control rules. You can also delete existing rules. Figure 335 Login control configuration 2.
Login control configuration example Network requirements As shown in Figure 336, configure login control rules so Host A cannot Telnet to Router, and Host B cannot access Router through the Web. Figure 336 Network diagram Configuring a login control rule so Host A cannot Telnet to Router 1. Select Advanced > Access from the navigation tree. Figure 337 Configuring a login control rule so Host A cannot Telnet to Router 2. Select Telnet as the login type to be restricted. 3. Enter the user IP address 10.
6. Click OK. A configuration progress dialog box appears, as shown in Figure 338. Figure 338 Configuration progress dialog box 7. After the setting is complete, click Close. Configuring a login control rule so Host B cannot access Router through the Web 1. From the navigation tree, select Advanced > Access. The page for configuring login control rules appears. 2. Select Web as the login type to be restricted. 3. Enter the user IP address 10.1.1.2 and the wildcard 0.0.0.0. 4. Click Apply.
Figure 339 Configuring a login control rule so Host B cannot access Router through the Web
Configuring ARP Overview The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address, such as an Ethernet MAC address. In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. For more information about ARP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Creating a static ARP entry 1. From the navigation tree, select Advanced > ARP Management > ARP Table. The ARP table management page appears, as shown in Figure 340. 2. Click Add. The New Static ARP Entry page appears. Figure 341 Adding a static ARP entry 3. Configure the parameters as described in Table 151. 4. Click Apply. Table 151 Configuration items Item Description IP Address Enter an IP address for the static ARP entry. MAC Address Enter a MAC address for the static ARP entry.
Enabling learning of dynamic ARP entries From the navigation tree, select Advanced > ARP Management > Dynamic Entry. The dynamic entry management page appears, as shown in Figure 342. Figure 342 Managing dynamic entries • To disable all the listed interfaces from learning dynamic ARP entries, click Disable all. • To disable specific interfaces from learning dynamic ARP entries, select target interfaces and click Disable selected.
If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the number of dynamic ARP entries that the interface can learn restores the default. Configuring gratuitous ARP From the navigation tree, select Advanced > ARP Management > Gratuitous ARP. The gratuitous ARP configuration page appears, as shown in Figure 344.
Figure 345 Network diagram Configuring static ARP 1. Create VLAN 10 and VLAN-interface 10: a. From the navigation tree, select Interface Setup > LAN Interface Setup. The default VLAN Setup page appears. b. Select the Create option, as shown in Figure 346. c. Enter 10 for VLAN IDs. d. Select the Create VLAN Interface box. e. Click Apply. Figure 346 Creating VLAN 10 and VLAN-interface 10 2. Add Ethernet 0/1 to VLAN 10: a. As shown in Figure 347, on the VLAN Setup page, select 10 in the VLAN Config field.
b. Select Ethernet0/1 from the list. c. Click Add to bring up the configuration progress dialog box, as shown in Figure 348. d. After the configuration process is complete, click Close. Figure 347 Adding Ethernet 0/1 to VLAN 10 Figure 348 The configuration progress dialog box 3. Configure the IP address of VLAN-interface 10: a. Click the VLAN Interface Setup tab. b. Select 10 for Select a VLAN as shown in Figure 349. c. Enter 192.168.1.2 for IP Address. d. Enter 255.255.255.0 for Subnet Mask. e.
Figure 349 Configuring the IP address of VLAN-interface 10 4. Create a static ARP entry: a. From the navigation tree, select Advanced > ARP Management > ARP Table and click Add. b. Enter 192.168.1.1 for IP Address as shown in Figure 350. c. Enter 00e0-fc01-0000 for MAC Address. d. Select the Advanced Options box. e. Enter 10 for VLAN ID. f. Select Ethernet0/1 for Port. g. Click Apply.
5. View information about static ARP entries: a. After the previous configuration is complete, the page returns to display ARP entries. Select Type for Search. b. Enter Static. c. Click Search. You can view the static ARP entries of Router A, as shown in Figure 351.
Configuring ARP attack protection Overview ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. ARP attacks and viruses threaten LAN security. The device can provide the following features to detect and prevent such attacks. Periodic sending of gratuitous ARP packets Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time.
Figure 352 Configuring Gratuitous ARP sending Table 153 Configuration items Item Description Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent. To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list and click <<.
Figure 353 Configuring ARP Scanning Table 154 Configuration items Item Description Interface Specify the interface on which ARP automatic scanning is to be performed. Enter the address range for ARP automatic scanning. • To reduce the scanning time, you can specify the address range for scanning.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static. Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S.
Configuring IPsec VPN You can perform the following IPsec VPN configurations in the Web interface: • Configure an IPsec connection. • Display IPsec VPN monitoring information. Overview IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN technology that transmits data in a secure tunnel established between two endpoints.
Step Remarks Optional. 2. Displaying IPsec VPN monitoring information Displays configuration and status information of IPsec connections, and information of IPsec tunnels. Allows you to delete tunnels that are set up with configuration of an IPsec connection, and delete all ISAKMP SAs of all IPsec connections. Configuring an IPsec connection 1. Select VPN > IPsec VPN from the navigation tree to enter the IPsec connection management page. Figure 355 IPsec connection management page 2.
Figure 356 Adding an IPsec connection 3. Perform basic connection configurations as described in Table 155. Table 155 Configuration items Item Description IPsec Connection Name Enter a name for the IPsec connection. Interface Select an interface where IPsec is performed. Network Type Select a network type, site-to-site or PC-to-site.
Item | Description
Remote Gateway Address/Hostname | Enter the address of the remote gateway, which can be an IP address or a host name. The IP address can be a host IP address or an IP address range. If the local end is the initiator of IKE negotiation, it can have only one remote IP address and its remote IP address must match the local IP address configured on its peer.
Item Source Address/Wildcard Description • Characteristics of Traffic—Identifies traffic to be protected based on the source address/wildcard and destination address/wildcard specified. • Designated by Remote Gateway—The remote gateway determines the data to be protected.
Figure 357 Advanced configuration
5. Perform advanced connection configuration as described in Table 156.
6. Click Apply.
Table 156 Configuration items
Item | Description
Phase 1
Exchange Mode | Select the IKE negotiation mode in phase 1, which can be main or aggressive.
IMPORTANT:
• If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive. In this case, SAs can be established as long as the username and password are correct.
Item | Description
Encryption Algorithm | Select the encryption algorithm to be used in IKE negotiation. Options include:
• DES-CBC—Uses the DES algorithm in CBC mode and 56-bit key.
• 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit key.
• AES-128—Uses the AES algorithm in CBC mode and 128-bit key.
• AES-192—Uses the AES algorithm in CBC mode and 192-bit key.
• AES-256—Uses the AES algorithm in CBC mode and 256-bit key.
Select the DH group to be used in key negotiation phase 1.
Item | Description
ESP Encryption Algorithm | Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security Protocol. Options include:
• 3DES—Uses the 3DES algorithm and 168-bit key for encryption.
• DES—Uses the DES algorithm and 56-bit key for encryption.
• AES128—Uses the AES algorithm and 128-bit key for encryption.
• AES192—Uses the AES algorithm and 192-bit key for encryption.
• AES256—Uses the AES algorithm and 256-bit key for encryption.
• NULL—Performs no encryption.
Item Description DPD Packet Retransmission Interval Enter the interval after which DPD packet retransmission will occur if no DPD response is received. Displaying IPsec VPN monitoring information 1. Select VPN > IPsec VPN from the navigation tree. 2. Click the Monitoring Information tab to enter the page that displays the IPsec connection configuration and status information. 3. Select an IPsec connection.
Field | Description
Last Connection Error | The most recent error, if any. Possible values include:
• ERROR_NONE—No error occurred.
• ERROR_QM_FSM_ERROR—State machine error.
• ERROR_PHASEI_FAIL—Error occurred in phase 1.
• ERROR_PHASEI_PROPOSAL_UNMATCHED—No matching security proposal in phase 1.
• ERROR_PHASEII_PROPOSAL_UNMATCHED—No matching security proposal in phase 2.
• ERROR_NAT_TRAVERSAL_ERROR—NAT traversal error.
• ERROR_PHASEII_FAIL—Error occurred in phase 2.
• ERROR_INVALID_SPI—SPI error.
b. Click Add. The IPsec connection configuration page appears. c. Enter map1 as the IPsec connection name. d. Select interface Ethernet0/1. e. Enter 2.2.3.1 as the remote gateway IP address. f. Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields. g. In the Selector area, select Characteristics of Traffic as the selector type. h. Specify 10.1.1.0/0.0.0.255 as the source address/wildcard. Specify 10.1.2.0/0.0.0.255 as the destination address/wildcard. i.
The page as shown in Figure 361 appears. c. Enter 10.1.1.0 as the destination IP address. d. Enter 24 as the mask. e. Select Interface and then select Ethernet0/1 as the interface. f. Click Apply. Figure 361 Configuring a static route to Host A 3. Configure an IPsec connection. a. Select VPN > IPsec VPN from the navigation tree. b. Click Add to enter the IPsec connection configuration page (see Figure 360). c. Enter map1 as the IPsec connection name. d. Select interface Ethernet0/1. e. Enter 2.2.2.
• If you enable both IPsec and QoS on an interface, traffic of an IPsec SA might be put into different queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay operation, packets outside the anti-replay window in the inbound direction might be discarded, resulting in packet loss. When using IPsec together with QoS, make sure the characteristics of traffic in IPsec are the same as traffic classification in QoS.
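The packet loss described in the guideline above can be reproduced with a small model; this is an added example, not code from HP or from the router. It implements a sliding anti-replay window in the style of RFC 4303 and a constructed QoS model in which every `low_every`-th packet of one SA is held back by `delay` packet slots; the 64-packet window, the queue model, and all names are assumptions.

```python
"""Model: QoS reordering inside one IPsec SA versus the anti-replay window."""
from collections import Counter


class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303.

    Assumes every packet handed in has already passed the integrity check.
    """

    def __init__(self, size=64):
        self.size = size      # window width in packets (assumed value)
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit n set => sequence number (top - n) was seen

    def check_and_update(self, seq):
        if seq == 0:
            return "invalid"              # sequence numbers start at 1
        if seq > self.top:                # new right edge: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "outside_window"       # too old: dropped even if legitimate
        if (self.bitmap >> offset) & 1:
            return "replay"               # this sequence number was seen before
        self.bitmap |= 1 << offset
        return "accept"


def qos_arrival_order(total, low_every, delay):
    """Constructed QoS model: packets 1..total belong to one SA. Every
    low_every-th packet lands in a low-priority queue and reaches the peer
    `delay` packet slots late; the rest arrive in order."""
    def arrival_key(seq):
        low = seq % low_every == 0
        # On a tie the high-priority packet is delivered first.
        return (seq + delay if low else seq, low)
    return sorted(range(1, total + 1), key=arrival_key)


def simulate(total=1000, window=64, low_every=4, delay=100):
    """Return (verdict counts, list of dropped sequence numbers)."""
    receiver = AntiReplayWindow(window)
    verdicts = Counter()
    dropped = []
    for seq in qos_arrival_order(total, low_every, delay):
        verdict = receiver.check_and_update(seq)
        verdicts[verdict] += 1
        if verdict != "accept":
            dropped.append(seq)
    return verdicts, dropped


if __name__ == "__main__":
    for delay in (8, 100):                # inside vs. beyond the 64-packet window
        verdicts, dropped = simulate(delay=delay)
        print("delay=%3d  %s  first drops: %s" % (delay, dict(verdicts), dropped[:5]))
```

None of the drops is an actual replay: every discarded packet is a legitimate low-priority packet that arrived after the window had moved past it, which is why the guideline asks for the IPsec traffic characteristics to match the QoS classification.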
Configuring L2TP A VPDN is a VPN that utilizes the dial-up function of public networks such as ISDN or PSTN networks to provide access services for enterprises, small ISPs, and telecommuters. VPDN provides an economical and effective, point-to-point way for remote users to connect to their private LANs. Layer 2 Tunneling Protocol (L2TP) is the most widely-used VPDN tunneling protocol. Figure 362 shows a typical VPDN built by using L2TP.
Enabling L2TP
1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 363.
2. On the upper part of the page, select the box before Enable L2TP.
3. Click Apply.
Figure 363 L2TP configuration page

Adding an L2TP group
1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 363.
2. On the lower part of the page, click Add to add an L2TP group.
3. Configure the L2TP group information, as described in Table 159.
4. Click Apply.

Table 159 Configuration items
Item | Description
L2TP Group Name | Specify the name of the L2TP group.
Peer Tunnel Name | Specify the peer name of the tunnel.
Local Tunnel Name | Specify the local name of the tunnel.
Tunnel Authentication | Enable or disable L2TP tunnel authentication in the group. If you enable tunnel authentication, you need to set the authentication password.
Item | Description
User Address | Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly. If you have specified an ISP domain in PPP authentication configuration, the address pools in the ISP domain are listed in the User Address list. You can:
• Click Add to add an address pool, as shown in Figure 366. For information about the configuration items, see Table 161.
Item | Description
Mandatory CHAP | Configure user authentication on an LNS. You can configure an LNS to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications succeed. An LNS can authenticate users in the following ways:
• Mandatory CHAP authentication—A VPN user who depends on a NAS to initiate tunneling requests is authenticated twice, once when accessing the NAS and once on the LNS by using CHAP.
Figure 365 Adding an ISP domain

Table 160 Configuration items
Item | Description
ISP Domain | Specify the name of the ISP domain.
Authentication Methods: Primary | Select the primary authentication method for PPP users.
• HWTACACS—HWTACACS authentication, which uses the HWTACACS scheme system.
• Local—Local authentication.
• None—No authentication. All users are trusted and no authentication is performed.
• RADIUS—RADIUS authentication, which uses the RADIUS scheme system.
Item | Description
Accounting Optional | Specify whether to enable the accounting optional function. For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user will be disconnected. However, with the accounting optional function enabled, the user can still use the network resources in such a case, but the system will no longer send the accounting information of the user to the accounting server.
Item | Description
End IP | The number of addresses between the start IP address and end IP address must not exceed 1024. If you specify only the start IP address, the IP address pool will contain only one IP address, namely, the start IP address.

Displaying L2TP tunnel information
1. Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page.
Figure 367 L2TP tunnel information
2. View the L2TP tunnel information.
Figure 368 Network diagram Configure the VPN user Assign an IP address (2.1.1.1 in this example) to the user host, configure a route to ensure the reachability of the LNS (1.1.2.2), and create a virtual private network connection using the Windows operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode.
Figure 369 Adding a local user 2. Enable L2TP: a. Select VPN > L2TP > L2TP Config from the navigation tree. The L2TP configuration page appears, as shown in Figure 370. b. Select the box before Enable L2TP. c. Click Apply. Figure 370 Enabling L2TP 3. Modify the PPP authentication method of the ISP domain system: a. On the L2TP configuration page, click Add to enter the L2TP group configuration page. b. Select CHAP as the PPP authentication method. c. Select ISP domain system (the default ISP domain). d.
Figure 371 Selecting local authentication for VPN users 4. Configure the address pool used to assign IP addresses to users: a. On the L2TP group configuration page, click the Add button of the User Address parameter. The IP address pool configuration page appears, as shown in Figure 372. b. Select ISP domain system. c. Enter 1 as the IP address pool number. d. Enter the start IP address 192.168.0.2. e. Enter the end IP address 192.168.0.100. f.
f. Select pool1 from the User Address list. g. Select Enable from the Assign Address Forcibly list. h. Click Apply. Figure 373 L2TP group configurations Verifying the configuration 1. On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address (192.168.0.2) and will be able to ping the private address of the LNS (192.168.0.1). 2. On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree.
Configuring GRE You can configure GRE over IPv4 tunnels through the Web interface. Overview Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol. A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets.
Figure 376 GRE tunnel configuration page
2. Click Add to add a GRE tunnel, as shown in Figure 377.
Figure 377 Adding a GRE tunnel

Table 163 Configuration items
Item | Description
Tunnel Interface | Specify the number of the tunnel interface.
IP/Mask | Specify the IP address and subnet mask of the tunnel interface. IMPORTANT: When configuring a static route on the tunnel interface, note that the destination IP address of the static route must not be in the subnet of the tunnel interface.
Item | Description
GRE Key | Specify the key for the GRE tunnel interface. This configuration is to prevent the tunnel ends from servicing or receiving packets from other places. IMPORTANT: The two ends of a tunnel must have the same key or have no key at the same time.
GRE Packet Checksum | Enable or disable the GRE packet checksum function.
Enable or disable the GRE keepalive function.
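How the GRE Key and GRE Packet Checksum items appear on the wire, as an added example that is not HP's code: it builds and parses a GRE header per RFC 2784 and RFC 2890 and models a receiver that drops packets whose key differs from the local setting or whose checksum fails. The function names, the sample key 1234, and the receiver's drop behaviour are assumptions for illustration.

```python
"""GRE header with optional Key and Checksum fields (RFC 2784 / RFC 2890)."""
import struct

GRE_C = 0x8000          # Checksum Present bit
GRE_K = 0x2000          # Key Present bit
GRE_S = 0x1000          # Sequence Number Present bit
PROTO_IPV4 = 0x0800     # EtherType of the encapsulated protocol


def inet_checksum(data):
    """16-bit one's-complement checksum, as used by IP and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload, key=None, with_checksum=False, proto=PROTO_IPV4):
    """Encapsulate payload; key=None means 'no key configured'."""
    flags = (GRE_C if with_checksum else 0) | (GRE_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if with_checksum:
        header += b"\x00" * 4             # checksum (filled in below) + reserved
    if key is not None:
        header += struct.pack("!I", key)  # 32-bit key, carried unencrypted
    packet = header + payload
    if with_checksum:
        # The checksum covers the GRE header and the payload.
        packet = packet[:4] + struct.pack("!H", inet_checksum(packet)) + packet[6:]
    return packet


def parse_gre(packet):
    """Return proto, key (or None), checksum_ok (or None) and payload."""
    if len(packet) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    header_len = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    if len(packet) < header_len:
        raise ValueError("truncated GRE header")
    info = {"proto": proto, "key": None, "checksum_ok": None}
    offset = 4
    if flags & GRE_C:
        # Summing a packet that includes a valid checksum yields zero.
        info["checksum_ok"] = inet_checksum(packet) == 0
        offset += 4
    if flags & GRE_K:
        (info["key"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    info["payload"] = packet[header_len:]
    return info


def tunnel_accepts(packet, local_key):
    """Assumed receiver model: both ends need the same key, or no key at all."""
    try:
        info = parse_gre(packet)
    except ValueError:
        return "drop: malformed"
    if info["checksum_ok"] is False:
        return "drop: bad checksum"
    if info["key"] != local_key:
        return "drop: key mismatch"
    return "accept"


if __name__ == "__main__":
    # Constructed sample traffic; 1234 is an arbitrary key.
    pkt = build_gre(b"inner-ip-packet", key=1234, with_checksum=True)
    for local_key in (1234, 4321, None):
        print(local_key, "->", tunnel_accepts(pkt, local_key))
    # The key is readable from the header by anything on the path, so it
    # separates tunnels but does not authenticate the peer.
    print("key seen on the wire:", parse_gre(pkt)["key"])
```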
Figure 379 Configuring interface Ethernet 0/0 2. Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel: a. Click the icon for interface Ethernet 0/1. b. Select Manual for Connect Mode. c. Enter IP address 1.1.1.1. d. Select IP mask 24 (255.255.255.0). e. Click Apply.
3. Create a GRE tunnel: a. Select VPN > GRE from the navigation tree. b. Click Add. The Add Tunnel page appears, as shown in Figure 381. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 10.1.2.1/24. e. Enter the source end IP address 1.1.1.1, the IP address of Ethernet 0/1. f. Enter the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B. g. Click Apply. Figure 381 Setting up a GRE tunnel 4.
Figure 382 Adding a static route from Router A through interface Tunnel 0 to Group 2 Configuring Router B 1. Configure an IPv4 address for interface Ethernet 0/0: a. Select Interface Setup > WAN Interface Setup from the navigation tree. b. Click the icon for interface Ethernet 0/0 and then perform the configurations shown in Figure 383. c. Select Manual for Connect Mode. d. Enter IP address 10.1.3.1. e. Select IP mask 24 (255.255.255.0). f. Click Confirm. Figure 383 Configuring interface Ethernet 0/0 2.
a. Click the icon for interface Ethernet 0/1 and then perform the configurations shown in Figure 384. b. Select Manual for Connect Mode. c. Enter IP address 2.2.2.2. d. Select IP mask 24 (255.255.255.0). e. Click Confirm. Figure 384 Configuring interface Ethernet 0/1 3. Create a GRE tunnel: a. Select VPN > GRE from the navigation tree. b. Click Add and then perform the configurations shown in Figure 385. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 10.1.2.2/24. e.
Figure 385 Setting up a GRE tunnel 4. Configure a static route from Router B through interface Tunnel 0 to Group 1: a. Select Advanced > Route Setup from the navigation tree. b. Click the Create tab and then perform the configurations shown in Figure 386. c. Enter 10.1.1.0 as the destination IP address. d. Enter the mask length 24. e. Select the box before Interface, and then select egress interface Tunnel0. f. Click Apply.
Figure 387 Verifying the configuration
SSL VPN overview SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that SSL provides, SSL VPN can establish secure connections for communications at the application layer. SSL VPN has been widely used for secure, remote Web-based access. For example, it can allow remote users to access the corporate network securely.
5. The SSL VPN gateway resolves the request, interacts with the corresponding server, and then forwards the server's reply to the user. Advantages of SSL VPN Support for various application protocols Any application can be secured by SSL VPN without knowing the details.
Configuring SSL VPN gateway
To perform the configurations described in this chapter, log in to the Web interface of the router. The default login address is http://192.168.1.1, username is admin, and password is admin.

Recommended configuration procedure
Step | Remarks
1. Configuring the SSL VPN service | Required.
2. Configuring Web proxy server resources
3. Configuring TCP application resources
4.
Step | Remarks
10. Configuring authentication policies | Optional. Configure authentication methods and authentication parameters for an SSL VPN domain. IMPORTANT: Local authentication is always enabled. To use other authentication methods, you must manually enable them.
11. Configuring a security policy | Optional. Configure the check items and protected resources for a security policy. Only user hosts that pass the security policy's check can access the configured resources.
Configuring Web proxy server resources Typically, Web servers provide services in webpages. Users can get desired information by clicking the links on the pages. On the Internet, information exchanged between Web servers and users is transmitted in plain text. The HTTP data might be intercepted in transit. SSL VPN provides secure connections for users to access Web servers, and can prevent illegal users from accessing the protected Web servers. 1.
Item | Description
Website Address | Specify the Website address for providing Web services. It must start with http:// and end with /, for example, http://www.domain.com/web1/. The website address can be an IP address or a domain name. If you specify a domain name, make sure you configure domain name resolution on Advanced > DNS Setup > DNS Configuration.
Default Page | Specify the home page to be displayed after an SSL VPN user logs in. For example, index.htm.
Table 166 Configuration items
Item | Description
Use IP network | Select this box to allow IP access to the resource. If you select this item, you must configure an IP network resource for a website and associate the IP network resource with the relevant users. When such a user accesses the website from the SSL VPN Web interface, the system logs the user in automatically to the website through the IP network resource. If you do not select this item, users access the resource through the Web proxy server.
Configuring a remote access service resource The remote access service includes remote character terminal services (such as Telnet and SSH) and traditional terminal services (such as IBM3270). These services each simulate a server's terminal window on a local host through which you can control a remote host as if you were sitting before it. Between the local and remote hosts, data is transmitted in plain text over the Internet.
Item Description Remote Port Specify the port number that the remote host uses for the remote access service. Local Host Specify a loopback address or a character string that represents a loopback address. Local Port Specify the port number that the local host uses for the remote access service. HP recommends using a port number greater than 1024 that is rarely used. Configure the Windows command for the resource.
4. Configure the desktop sharing service as described in Table 168. 5. Click Apply. Table 168 Configuration items Item Description Enter a name for the desktop sharing service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Figure 398 Adding an email service resource 4. Configure the email service resource as described in Table 169. 5. Click Apply. Table 169 Configuration items Item Description Enter a name for the email service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Figure 399 Notes services 3. Click Add to enter the page for adding a Notes service. Figure 400 Adding a Notes service resource 4. Configure the Notes service resource as described in Table 170. 5. Click Apply. Table 170 Configuration items Item Description Enter a name for the Notes service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Configuring a common TCP service resource The common TCP service of SSL VPN is designed to support various client/server applications. It is widely used to access client/server TCP applications other than the previously mentioned ones. Generally, you can configure all network ports that are possibly used by applications in common TCP services.
Item Description Service Type Enter the type for the TCP service. Remote Host Enter the host name or IP address of the remote host that provides the common TCP service. Remote Port Enter the port number that the remote host uses for the common TCP service. Local Host Enter a loopback address or a character string that represents a loopback address. Local Port Enter the port number that the local host uses for the common TCP service. Command Configure the Windows command for the resource.
Figure 403 Global configuration page 2. Configure the global parameters as described in Table 172. 3. Click Apply. Table 172 Configuration items Item Description Start IP End IP Specify the IP address pool from which the gateway assigns IP addresses for clients' virtual network adapters. Subnet Mask Enter the subnet mask to be assigned to a client's virtual network adapter. Gateway IP Enter the default gateway IP address to be assigned to a client's virtual network adapter.
Figure 404 Host configuration 3. Click Add to enter the page for adding a host resource. Figure 405 Adding a host resource 4. Enter a name for the host resource. 5. Click the Add button under the network services list to enter the page for adding a network service.
6. Add a network service that the host resource provides for users, as described in Table 173. Table 173 Configuration items Item Description Destination IP Enter the destination address of the network service. Subnet Mask Enter the subnet mask of the network service. Protocol Specify the protocol type of the network service, which can be IP, TCP, or UDP. Enter a description for the network service.
3. Click Add to enter the page for adding a user-IP binding. Figure 409 Adding a user-IP binding 4. Configure the user-IP binding as described in Table 174. 5. Click Apply. Table 174 Configuration items Item Description Username Specify the username to be bound with an IP address. The username must contain the domain name. For example, aaa@local. Specify the IP address to be bound with the username.
4. Configure the predefined domain name as described in Table 175.
5. Click Apply.

Table 175 Configuration items
Item | Description
Domain Name | Enter a domain name to be issued to clients.
IP Setting Method | Select the IP setting method, including Dynamic and Static.
• Dynamic: To use this method, you also need to navigate to page Advanced > DNS Setup > DNS Configuration to configure domain name resolution.
Figure 413 Adding a resource group
3. Configure the resource group as described in Table 176.
4. Click Apply.

Table 176 Configuration items
Item | Description
Resource Group Name | Enter a name for the resource group.
Selected Resources, Available Resources | Specify resources for the resource group.
Configuring local users Configure SSL VPN users for local authentication in the following methods: • Configure local users one by one in the SSL VPN system. In this method, you can configure all parameters for a user at the same time, including the user name, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups. • Write the information of the users into a text file, and then import the users to the SSL VPN system.
Figure 415 Adding a local user 3. Configure the local user information as described in Table 177. 4. Click Apply. Table 177 Configuration items Item Description Username Enter a name for the local user. Description Enter a description for the local user. Password Specify a password for the local user and enter the password again to confirm the password. Confirm Password Certificate SN Specify a certificate sequence number for the local user.
Item | Description
Enable public account | Select this item to set the local user account as a public account. A public account can be concurrently used by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the local user account to log in to the SSL VPN system at a time.
Max Number of Users | Set the maximum number of concurrent users that can log in to the SSL VPN system by using the public account.
Figure 416 Batch import of local users Configuring a user group 1. Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears. Figure 417 User groups 2. Click Add to add a user group.
Figure 418 Adding a user group 3. Configure the user group as described in Table 178. 4. Click Apply. Table 178 Configuration items Item Description User Group Name Enter a name for the user group. Selected Resource Groups Select resource groups for the user group. Users in the user group will be able to access the resources in the selected resource groups. Available Resources Selected Local Users Available Local Users Select local users for the user group.
Viewing user information Viewing online user information 1. Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, displaying the information of the current online users. Figure 419 Online users 2. View information of the online users. Table 179 Field description Field Description Login Time Time when the user logged in to the SSL VPN system. Username Username of the user, with the domain name. IP Address IP address of the user host.
Figure 420 History information Performing basic configurations for the SSL VPN domain Configure a domain policy, caching policy, and a bulletin: • Domain policy—Defines the common parameters and functions for the SSL VPN domain. • Caching policy—Specifies which cached contents to clear from user hosts when users log out from the SSL VPN system. • Bulletin management—Allows you to provide different information to different users. Configuring the domain policy 1.
Table 180 Configuration items Item Description Select this item to enable security check. Enable security check With security check enabled, the SSL VPN system checks a user host based on the security policy and determines whether to allow the user to access resources according to the check result. IMPORTANT: To implement user host security check, you must also configure the security policy. See "Configuring a security policy." Select this item to use verification codes.
Configuring the caching policy 1. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. 2. Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 422. 3. Select the operations to be done on a user host when the user logs out, including: Clear cached webpages. Clear cookies. Clear downloaded programs.
Figure 424 Adding a bulletin 4. Configure the bulletin settings as described in Table 181. 5. Click Apply. Table 181 Configuration items Item Description Title Enter a name for the bulletin. Content Enter the contents of the bulletin. Selected User Groups Available User Groups Select the user groups that can view the bulletin.
• Password—Authenticates only a user's password. • Password+Certificate—Authenticates a user's password and client certificate. • Certificate—Authenticates only a user's client certificate. RADIUS authentication supports only two authentication policies: password and password+certificate. Configuring local authentication Local authentication authenticates users by using the user information saved on the SSL VPN gateway.
Figure 426 RADIUS authentication 3. Configure the RADIUS authentication settings as described in Table 182. 4. Click Apply. Table 182 Configuration items Item Description Enable RADIUS authentication Select this item to enable RADIUS authentication. Authentication Mode Select an authentication mode for RADIUS authentication. Options include Password and Password+Certificate. Enable RADIUS accounting Select this item to enable RADIUS accounting.
Figure 427 LDAP authentication 3. Configure the LDAP authentication settings as described in Table 183. 4. Click Apply. Table 183 Configuration items Item Description Enable LDAP authentication Select this item to enable LDAP authentication. LDAP Sever IP Specify the IP address of the LDAP server. Server Port Specify the TCP port number used by the LDAP server. Version Specify the supported LDAP protocol version. Authentication Mode Select an authentication mode for LDAP authentication.
Configuring AD authentication Active Directory (AD) is a directory service provided by Windows 2000 Server and later versions. It saves information of objects on a network and allows administrators and users to query the information. AD uses structured data storage, which is the basis of the directory information logical structure. The SSL VPN system can cooperate with the existing AD server of an enterprise seamlessly to provide AD authentication for users in the enterprise.
Item Description Password Set a password for the administrator account, and enter the password again to confirm the password. Confirm Password Username Format Set the username format used to log in to the AD server. Options include Without the AD domain name, With the AD domain name, and Login name.
Configuring a security policy Insecure user hosts might bring potential security threats to the internal network. You can configure security policies for the SSL VPN system so that when a user logs in, the SSL VPN system checks the user host's operating systems, browsers, antivirus software, firewall software, files and processes, and determines which resources to provide for the user according to the check result.
3. Configure the security policy as described in Table 186.
4. Click Apply.

Table 186 Configuration items
Item | Description
Name | Enter a name for the security policy.
Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
Item | Description
Operator | Set an operator for the browser version check.
• >=: A user host must use the specified version or a later version.
• >: A user host must use a version later than the specified version.
• =: A user host must use the specified version.
• <=: A user host must use the specified version or an earlier version.
• <: A user host must use a version earlier than the specified version.
Specify the browser version.
Item | Description
File: Rule Name | Enter a name for the file rule.
File: File Name | Specify the files. A user host must have the specified files to pass security check.
Process: Rule Name | Enter a name for the process rule.
Process: Process Name | Specify the processes. A user host must have the specified processes to pass security check.
Customizing the SSL VPN user interface The SSL VPN system allows you to customize the user interface partially or fully as desired: • Partial customization—You can use the webpage files provided by the system and edit some contents in the files as needed, including the login page title, login page welcome information, login page logo, service page banner information, service page logo, and service page background.
Figure 433 Specifying a login page logo picture Configuring the service page logo 1. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. 2. Click the Service Page Logo tab to enter the page shown in Figure 434. 3. Click Browse to select a local picture file. 4. Set whether to directly overwrite the file with the same name on the device. 5. Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the service page.
Figure 435 Specifying a service page background picture Customizing the SSL VPN interface fully Before full customization of the SSL VPN interface, upload the customized page file to the SSL VPN gateway through FTP or TFTP. 1. Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full customization page appears. Figure 436 Full customization 2. Configure the full customization settings as described in Table 188. 3. Click Apply.
User access to SSL VPN This chapter introduces user access to the SSL VPN service interface provided by the system. It is not suitable for user access to a fully customized SSL VPN service interface. After you finish configurations on the SSL VPN gateway, remote users can establish HTTPS connections to the SSL VPN gateway, and access resources through the user service interface provided by the SSL VPN gateway.
Figure 438 SSL VPN service interface Figure 439 SSL VPN client software Accessing SSL VPN resources After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations: • Clicking a resource name under Websites to access the website.
receiving and sending servers according to the email resource name, logs in by using the username and password, and then uses the email service. • For an IP network resource, the user can access any host in any accessible network segment and can click a shortcut name to execute the corresponding command of the shortcut. Getting help information To get help information, a user only needs to click the Help link in the right upper corner of the SSL VPN service interface.
1. Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 441. 2. Enter the new password, and confirm the new password. 3. Click Apply. When the user logs in again, the user must enter the new password.
SSL VPN configuration example

Network requirements
As shown in Figure 442, request a certificate and enable SSL VPN service on the SSL VPN gateway so that users can use HTTPS to log in to the SSL VPN gateway to access the internal resources of the corporate network. In this configuration example:
• The CA runs Windows Server, and the SCEP plugin is required on the CA.
• The IP address of the SSL VPN gateway is 10.1.1.1/24. The IP address of the CA is 10.2.1.
Configuration procedure Configuring the SSL VPN service 1. Configure a PKI entity named en: a. Select Certificate Management > Entity from the navigation tree. b. Click Add to enter the PKI configuration page, as shown in Figure 443. c. Enter the PKI entity name en. d. Enter common name http-server for the entity. e. Click Apply. Figure 443 Configuring a PKI entity named en 2. Configure a PKI domain named sslvpn: a. Select Certificate Management > Domain from the navigation tree. b. Click Add. c.
Figure 444 Configuring a PKI domain named sslvpn 3. Generate an RSA key pair: a. Select Certificate Management > Certificate from the navigation tree. b. Click Create Key to enter the key generation page, as shown in Figure 445. c. Set the key length to 1024. d. Click Apply. Figure 445 Generating an RSA key pair 4. Retrieve the CA certificate: a. After the key pair is generated, click the Retrieve Cert button on the certificate management page.
Figure 446 Retrieving the CA certificate to the local device 5. Request a local certificate: a. After the CA certificate retrieval operation is complete, click Request Cert on the certificate management page. b. Select sslvpn as the PKI domain. c. Click Apply. The system displays "Certificate request has been submitted." d. Click OK to confirm the operation. Figure 447 Requesting a local certificate You can view the retrieved CA certificate and the local certificate on the certificate management page.
Figure 448 Certificate management page 6. Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service: a. Select VPN > SSL VPN > Service Management from the navigation tree. b. Select the box before Enable SSL VPN. c. Set the port number to 443. d. Select sslvpn as the PKI domain. e. Click Apply. Figure 449 SSL VPN service management page Configuring SSL VPN resources 1. Configure a Web proxy resource named tech for the internal technology website 10.153.1.223: a.
d. Enter the website address http://10.153.1.223/. e. Click Apply. Figure 450 Configuring a Web proxy resource 2. Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120: a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. b. Click the Desktop Sharing Service tab. c. Click Add. The desktop sharing service configuration page appears, as shown in Figure 451. d. Enter the resource name desktop, enter the remote host address 10.
Figure 451 Configuring a desktop sharing service resource 3. Configure global parameters for IP network resources: a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global Configuration tab appears, as shown in Figure 452. b. Enter the start IP address 192.168.0.1. c. Enter the end IP address 192.168.0.100. d. Enter the subnet mask 24. e. Enter the gateway IP address 192.168.0.101. f. Click Apply. Figure 452 Configuring global parameters for IP network resources 4.
c. Click Add to enter the host resource configuration page. d. Enter the resource name sec_srv. e. Click the Add button under the Network Services list. f. On the page that appears, as shown in Figure 453, enter the destination IP address 10.153.2.0, enter the subnet mask 24, select IP as the protocol type, specify the description information as 10.153.2.0/24, and click Apply. The network service is added to the host resource. g. Click the Add button under the Shortcuts list. h.
Figure 455 Configuring a host resource 5. Configure resource group res_gr1, and add resource desktop to it: a. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to enter the resource group list page. b. Click Add to enter the resource group configuration page, as shown in Figure 456. c. Enter the resource group name res_gr1. d. Select desktop on the Available Resources list and click the << button to add it to the Selected Resources list. e. Click Apply.
b. Enter the resource group name res_gr2. c. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list. d. Click Apply. Figure 457 Configuring resource group res_gr2 Configuring SSL VPN users 1. Configure a local user account usera: a. Select VPN > SSL VPN > User Management > Local User from the navigation tree. b. Click Add. The local user configuration page appears, as shown in Figure 458. c.
Figure 458 Adding local user usera 2. Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group: a. Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the user group list page. b. Click Add. The user group configuration page appears, as shown in Figure 459. c. Enter the user group name user_gr1. d.
Figure 459 Configuring user group user_gr1 3. Configure user group user_gr2, and assign resource group res_gr2 to the user group: a. On the user group list page, click Add. b. Enter the user group name user_gr2. c. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list. d. Click Apply.
Figure 460 Configuring user group user_gr2 Configuring an SSL VPN domain 1. Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 461. b. Select the box before Use verification code. c. Select RADIUS as the default authentication method. d. Click Apply.
Figure 461 Configuring the domain policy 2. Configure a RADIUS scheme named system: a. Select Advanced > RADIUS from the navigation tree. b. Click Add to enter the RADIUS scheme configuration page. c. Enter the scheme name system. d. In the Common Configuration area, select Extended as the supported RADIUS server type, and select Without domain name as the username format. e. Click the Add button in the RADIUS Server Configuration area.
Figure 463 Configuring RADIUS scheme named system 3. Enable RADIUS authentication for the SSL VPN domain: a. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. b. Click the RADIUS Authentication tab. c. Select the box before Enable RADIUS authentication. d. Click Apply. Figure 464 Enable RADIUS authentication Verifying the configuration Launch a browser on a host, and enter https://10.1.1.1/svpn/ in the address bar to enter the SSL VPN login page.
Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 465. Clicking the resource name, you can access the shared desktop of the specified host, as shown in Figure 466.
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 467. Click tech to access the technology website. Click shortcut ftp_security-server to access the security server through FTP, as shown in Figure 468.
Managing certificates Overview Public Key Infrastructure (PKI) offers an infrastructure for securing network services. PKI, also called asymmetric key infrastructure, uses a pair of keys (one private and one public) for data encryption and decryption. Data encrypted with the public key can be decrypted only with the private key, and vice versa.
Recommended configuration procedure for manual request
Step: Remarks
1. Creating a PKI entity: Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must comply with the CA certificate issue policy.
Step: Remarks
5. Requesting a local certificate: Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
Task: Remarks
2. Creating a PKI domain: Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
Optional. 3.
Figure 470 Creating a PKI entity
3. Configure the parameters as described in Table 189.
4. Click Apply.
Table 189 Configuration items
Item: Description
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
FQDN: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.
Figure 471 PKI domains
2. Click Add.
Figure 472 Creating a PKI domain
3. Configure the parameters as described in Table 190.
4. Click Apply.
Table 190 Configuration items
Item: Description
Domain Name: Enter the name for the PKI domain.
Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA is responsible for certificate registration, distribution, revocation, and query.
Item: Description
Entity Name: Select the local PKI entity. When submitting a certificate request to a CA, an entity needs to show its identity information. Available PKI entities are those that have been configured.
Institution: Select the authority for certificate request.
• CA—Entity requests a certificate from a CA.
• RA—Entity requests a certificate from an RA.
Generally, an independent RA is in charge of certificate request management.
Item: Description
Polling Count, Polling Interval: Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL Checking
Figure 474 Generating an RSA key pair 3. Set the key length. 4. Click Apply. Destroying the RSA key pair 1. From the navigation tree, select Certificate Management > Certificate. 2. Click Destroy Key. 3. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 475 Destroying the RSA key pair Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
4. Click Apply.
Table 191 Configuration items
Item: Description
Domain Name: Select the PKI domain for the certificate.
Certificate Type: Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode: Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email).
Requesting a local certificate 1. From the navigation tree, select Certificate Management > Certificate. 2. Click Request Cert. Figure 478 Requesting a certificate 3. Configure the parameters as described in Table 192. Table 192 Configuration items Item Description Domain Name Select the PKI domain for the certificate. Password Enter the password for certificate revocation. Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Retrieving and displaying a CRL 1. From the navigation tree, select Certificate Management > CRL. Figure 480 CRLs 2. Click Retrieve CRL to retrieve the CRL of a domain. 3. Click View CRL for the domain to display the contents of the CRL.
Figure 482 Network diagram Configuring the CA server 1. Install the CA server component: a. From the start menu, select Control Panel > Add or Remove Programs. b. Select Add/Remove Windows Components. c. In the pop-up dialog box, select Certificate Services. d. Click Next to begin the installation. 2.
Figure 483 Creating a PKI entity 2. Create a PKI domain: a. From the navigation tree, select Certificate Management > Domain. b. Click Add. The page in Figure 484 appears. c. In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA identifier, select aaa as the local entity, select RA as the authority for certificate request, enter http://4.4.4.1:8080/certsrv/mscep/mscep.
c. Enter 1024 as the key length, and click Apply. Figure 485 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Retrieve Cert. c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply. Figure 486 Retrieving the CA certificate 5. Request a local certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Request Cert. c.
Figure 487 Requesting a certificate Verifying the configuration After the configuration, you can select Certificate Management > Certificate from the navigation tree, and then click View Cert corresponding to the certificate of PKI domain torsa to display the certificate information. You can also click View Cert corresponding to the CA certificate of PKI domain torsa to display the CA certificate information.
After completing the configuration, perform CRL-related configurations. In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the router is synchronized with that of the CA, so that the router can request certificates and retrieve CRLs properly. Configuring the router 1. Create a PKI entity: a. From the navigation tree, select Certificate Management > Entity. b. Click Add. c.
Figure 490 Creating a PKI domain 3. Generate an RSA key pair: a. From the navigation tree, select Certificate Management > Certificate. b. Click Create Key. c. Set the key length to 1024, and click Apply. Figure 491 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Retrieve Cert. c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
Figure 492 Retrieving the CA certificate 5. Request a local certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Request Cert. c. Select torsa as the PKI domain, select Password, enter "challenge-word" as the password, and click Apply. The system displays "Certificate request has been submitted." d. Click OK to confirm. Figure 493 Requesting a certificate 6. Retrieve the CRL: a.
Figure 494 Retrieving the CRL Verifying the configuration After the configuration, select Certificate Management > Certificate from the navigation tree to display detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to display detailed information about the retrieved CRL.
Figure 495 Network diagram Configuring Router A 1. Create a PKI entity: a. From the navigation tree, select Certificate Management > Entity. b. Click Add. c. Enter en as the PKI entity name, enter router-a as the common name, enter 2.2.2.1 as the IP address of the entity, and click Apply.
2. Create a PKI domain: a. From the navigation tree, select Certificate Management > Domain. b. Click Add. The page in Figure 497 appears. c. Enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example. Configure the RA URL as required), enter 1.1.1.
Figure 498 Generating an RSA key pair 4. Retrieve the CA certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Retrieve Cert. c. Select 1 as the PKI domain, select CA as the certificate type, and click Apply. Figure 499 Retrieving the CA certificate 5. Request a local certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Request Cert. c. Select 1 as the PKI domain, and click Apply.
Figure 500 Requesting a certificate 6. Configure an IPsec connection: a. From the navigation tree, select VPN > IPsec VPN. b. Click Add. c. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 3.3.3.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-a for the certificate, select Characteristics of Traffic as the selector type, enter 11.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 10.1.1.0/0.0.0.
1. Create a PKI entity: a. From the navigation tree, select Certificate Management > Entity. b. Click Add. c. Enter en as the PKI entity name, enter router-b as the common name, and enter 3.3.3.1 as the IP address of the entity. d. Click Apply. 2. Create a PKI domain: a. From the navigation tree, select Certificate Management > Domain. b. Click Add. The configuration page appears. c.
c. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 2.2.2.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-b for the certificate, select Characteristics of Traffic as the selector type, enter 10.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 11.1.1.0/0.0.0.255 as the destination IP address/wildcard. d. Click Apply.
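The two IPsec connections above describe the same protected traffic from opposite ends, so Router A's source/destination selector has to be the exact mirror of Router B's. The following Python check is an added example, not part of the HP guide: the function names are hypothetical, Router A's destination selector (cut off in the text above) is assumed to mirror Router B's source, and the mismatched entry is constructed sample data.

```python
import ipaddress
from typing import List, NamedTuple


class Selector(NamedTuple):
    """Traffic selector of one IPsec connection (hypothetical helper type)."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network


def wildcard_to_network(text: str) -> ipaddress.IPv4Network:
    """Convert 'address/wildcard' (for example 10.1.1.0/0.0.0.255) to a network.

    Assumption of this example: a wildcard with non-contiguous bits, or an
    address with bits set inside the wildcard, is reported as an error so
    that a human reviews it instead of it being silently normalised.
    """
    addr_text, sep, wild_text = text.partition("/")
    if not sep:
        raise ValueError(f"expected address/wildcard, got {text!r}")
    addr = int(ipaddress.IPv4Address(addr_text))
    wild = int(ipaddress.IPv4Address(wild_text))
    # A contiguous wildcard is 2**n - 1, so adding 1 leaves no common bits.
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard in {text!r}")
    if addr & wild:
        raise ValueError(f"address bits set inside the wildcard in {text!r}")
    return ipaddress.IPv4Network((addr, 32 - wild.bit_length()))


def selector(source: str, destination: str) -> Selector:
    """Build a Selector from the two 'address/wildcard' fields of the form."""
    return Selector(wildcard_to_network(source), wildcard_to_network(destination))


def _compare(label: str, mine: ipaddress.IPv4Network,
             theirs: ipaddress.IPv4Network) -> List[str]:
    """Return one finding if the two networks differ, otherwise nothing."""
    if mine == theirs:
        return []
    relation = "overlap but differ" if mine.overlaps(theirs) else "do not overlap"
    return [f"{label}: local {mine} vs peer {theirs} ({relation})"]


def compare_peers(local: Selector, peer: Selector) -> List[str]:
    """List every way in which the peer's selector fails to mirror ours."""
    findings = []
    findings += _compare("local source / peer destination",
                         local.source, peer.destination)
    findings += _compare("local destination / peer source",
                         local.destination, peer.source)
    return findings


# Router B: values as entered in the procedure above.
ROUTER_B = selector("10.1.1.0/0.0.0.255", "11.1.1.0/0.0.0.255")
# Router A: source from the page; destination assumed to mirror Router B.
ROUTER_A = selector("11.1.1.0/0.0.0.255", "10.1.1.0/0.0.0.255")
# Constructed mistake: a /16 wildcard typed where a /24 was intended.
ROUTER_A_TYPO = selector("11.1.1.0/0.0.0.255", "10.1.0.0/0.0.255.255")

if __name__ == "__main__":
    for name, local in (("Router A", ROUTER_A), ("Router A (typo)", ROUTER_A_TYPO)):
        findings = compare_peers(local, ROUTER_B)
        print(name, "->", findings or "selectors mirror Router B")
```
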
Managing the system Configuring Web management This module enables you to set the Web connection idle-timeout timer. If you do not perform any operations on the Web interface before this timer expires, you are logged out of the Web page. By default, the idle-timeout timer is 10 minutes. To set an idle-timeout timer: 1. From the navigation tree, select System Management > Device Basic. The page for setting the idle-timeout timer appears. 2. In the Idle timeout field, enter an idle-timeout timer value. 3.
To save the configuration: 1. From the navigation tree, select System Management > Configuration. The save configuration page appears. Figure 503 Saving the configuration 2. Perform one of the following operations: To save the current configuration to the next-startup configuration file, click Save Current Settings. To save the current configuration to both the next-startup configuration file and the factory default configuration file, click Save As Factory-Default Settings.
• View the next-startup configuration file, including the .cfg file and .xml file. • Back up the next-startup configuration file, including the .cfg file and .xml file, to your local host. To back up the configuration: 1. From the navigation tree, select System Management > Configuration. 2. Click the Backup tab. The page for backing up the configuration file appears. Figure 505 Backing up the configuration file 3.
3. Click one of the Browse… buttons: When you click the upper Browse… button in this figure, the file upload dialog box appears. You can select a .cfg file to upload. When you click the lower Browse… button in this figure, the file upload dialog box appears. You can select an .xml file to upload. 4. Click Apply. Backing up and restoring device files through the USB port The files that the device needs to run, such as startup files and configuration files, are stored in the storage medium of the device.
Figure 507 Backing up and restoring device files through the USB port 3. Perform one of the following operations: In the Device File(s) area, select the files to be backed up, and click the Backup button to back up the selected files to the destination device. In the USB File(s) area, select the files to be restored, and click the Restore button to transfer the selected files to the device through the USB port.
check is successful, the system reboots the device. Otherwise, a dialog box appears, telling you that the current configuration and the saved configuration are inconsistent, and the reboot fails. In this case, save the current configuration manually before you can reboot the device. If you do not select the option, the system reboots the device directly. 2. Click Apply. Figure 508 Rebooting the device Managing services This module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP, and HTTPS.
To manage services:
1. From the navigation tree, select System Management > Service Management. The service management configuration page appears.
2. Configure the service management as described in Table 193.
3. Click Apply.
Figure 509 Service management
Table 193 Configuration items
Item: Description
FTP, Enable FTP service: Specify whether to enable the FTP service. The FTP service is disabled by default.
FTP, ACL: Associate the FTP service with an ACL.
Item: Description
ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
Enable HTTPS service: Specify whether to enable the HTTPS service. The HTTPS service is disabled by default.
Certificate: Configure the local certificate for the HTTPS service. The list displays the certificate subjects.
Figure 510 Creating a user Table 194 Configuration items Item Description Username Set the username for a user. Set the access level for a user. Users of different levels can perform different operations. Listed from low to high, Web user levels are as follows: • Visitor—Users of this level can use the network diagnostic tools ping and trace route. They can neither access the device data nor configure the device.
1. From the navigation tree, select System Management > Users.
2. Click the Super Password tab. The super password configuration page appears.
3. Configure the super password as described in Table 195.
4. Click Apply.
Figure 511 Super password configuration page
Table 195 Configuration items
Item: Description
Create/Remove: Set the operation type:
• Create—Configure or modify the super password.
• Remove—Remove the current super password.
Figure 512 Access level switching page Configuring system time Configure a correct system time so the device can work with other devices correctly. The device supports setting and displaying the system time, and setting the time zone and daylight saving time through manual configuration and automatic synchronization of NTP server time.
Figure 513 System time configuration page Table 196 Configuration items Item Description Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by entering their IP addresses. NTP Server 1 is the primary and NTP Server 2 is the secondary. NTP Server 1. IMPORTANT: • With automatic synchronization configured, the device periodically synchronizes its time with the NTP server. If the synchronization fails, the system uses the manually configured time.
Figure 514 Calendar page Setting the time zone and daylight saving time 1. From the navigation tree, select System Management > System Time. 2. Click the Time Zone tab. The page for setting time zone appears. 3. Configure the time zone as described in Figure 515. 4. Click Apply. Figure 515 Setting the time zone Table 197 Configuration items Item Description Time Zone Set the time zone for the system.
Item Description Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 516. You can configure the daylight saving time changes in the following ways: Adjust clock for daylight saving time changes • Specify that the daylight saving time starts on a specific date and ends on a specific date.
TR-069 network framework Figure 517 Network diagram The basic network elements of TR-069 are: • ACS—Auto-Configuration Server, which is the management device in the network. • CPE—Customer Premise Equipment, which is the managed device in the network. • DNS server—Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to identify and access each other. DNS is used to resolve the URLs.
• ACS address (URL) • ACS username (Username) • ACS password (Password) • Inform message auto sending flag (PeriodicInformEnable) • Inform message auto sending interval (PeriodicInformInterval) • Inform message auto sending time (PeriodicInformTime) • CPE username (ConnectionRequestUsername) • CPE password (ConnectionRequestPassword) CPE system software image and configuration file management The administrator can store important files such as the system software image and configuration file
• CPE address • CPE username • CPE password For the TR-069 mechanism, see Network Management and Monitoring Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuration procedure The TR-069 parameters of CPE can be configured automatically through ACS remote management, and also can be configured manually through Web, which is described in detail in this section. To configure TR-069 manually: 1. From the navigation tree, select System Management > TR-069.
Item: Description
Password: Configure the password used by the CPE to authenticate the connection sent from the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same.
Sending Inform: Enable or disable CPE's periodical sending of Inform messages.
Interval: Configure the interval between sending the Inform messages.
CPE Interface: Set the CPE connection interface.
Figure 519 Software upgrade configuration page
Table 199 Configuration items
Item: Description
File: Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. IMPORTANT: The filename is main.bin when the file is saved on the device.
Reboot after the upgrading finished: Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.
Upgrading software (for the MSR20/30/50/93X/1000)
1.
Table 200 Configuration items Item Description File Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. Specify the type of the system software image for the next boot: File Type If a file with same name already exists, overwrite it without any prompt Reboot after the upgrading finished • Main. • Backup. Specify whether to overwrite the file with the same name.
Configuring SNMP (lite version) This chapter is only applicable to the MSR900/20-1X routers. For information about configuring SNMP from the Web interface for the MSR20/30/50/93X/1000 routers, see "Configuring SNMP." Overview The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies.
Figure 521 SNMP page
2. Configure the SNMP agent, as shown in Table 201.
Table 201 Configuration items
Item: Description
SNMP: Specify to enable or disable the SNMP agent. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed.
SNMP Version: Set the SNMP version run by the system. The option SNMPv1 & v2 represents SNMPv1 and SNMPv2c. The SNMP version on the agent must be the same as that running on the NMS.
Contact
Sysname
Device Location
Item: Description
Security Username: Set the SNMP security username when you select the SNMP version SNMPv3. The security name on the agent must be the same as that on the NMS.
Authentication Password: Set the authentication password when you select the SNMP version SNMPv3. The authentication password on the agent must be the same as that on the NMS. The authentication mode on the agent is MD5, and the authentication mode on the NMS must be MD5.
Figure 522 Network diagram Configuring the SNMP agent 1. Select System Management > SNMP from the navigation tree, and then perform configuration as shown in Figure 523. Figure 523 Configuring the SNMP agent 2. Select the Enable option. 3. Select the SNMPv1 & v2 option. 4. Type readonly in the field of Read Password. 5. Type read&write in the field of Read & Write Password. 6. Type read&write in the field of Trap Password. 7. Type 1.1.1.2 in the field of Trap Target Host Address/Domain. 8.
Verifying the configuration • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes. • Disable or enable an idle interface on the device, and the NMS receives the corresponding trap. SNMPv3 configuration example Network requirements As shown in Figure 524, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status of the agent (1.1.1.
6. Type prikey in the field of Privacy Password. 7. Type 1.1.1.2 in the field of Trusted Host. 8. Type 1.1.1.2 in the field of Trap Target Host Address/Domain. 9. Click Apply. Configuring the SNMP NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. 1. Specify the SNMP version for the NMS as v3. 2. Create an SNMP user user1. 3. Enable both authentication and privacy functions 4.
Configuring syslogs System logs record network and device information, including running status and configuration changes. With system log information, network administrators can find network or security problems, and take corresponding actions against them. The system sends system logs to the following destinations: • Console • Monitor terminal, a terminal that has logged in to the device through the AUX, VTY, or TTY user interface • Log buffer • Log host • Web interface Displaying syslogs 1.
2. View system logs. To clear all system logs in the log cache, click Reset. To refresh system logs, click Refresh. To make the syslog display page refresh automatically, set the refresh interval on the syslog configuration page. For more information, see "Setting buffer capacity and refresh interval."
Table 202 Syslog display items
Item: Description
Time/Date: Displays the time/date when the system log was generated.
Source: Displays the module that generated the system log.
Figure 527 Loghost configuration page
3. Configure the log host as described in Table 203.
4. Click Apply.
Table 203 Configuration items
Item: Description
IPv4/Domain, Loghost IP/Domain: Set the IPv4 address or domain name of the log host.
IPv6, Loghost IP: Set the IPv6 address of the log host.
Setting buffer capacity and refresh interval
1. Select Other > Syslog from the navigation tree.
2. Click the Log Setup tab. The syslog configuration page appears, as shown in Figure 528.
Figure 528 Log setup
3. Configure buffer capacity and refresh interval as described in Table 204.
4. Click Apply.
Table 204 Configuration items
Item: Description
Buffer Capacity: Set the number of logs that can be stored in the log buffer.
Refresh Interval: Set the refresh interval of log information. You can select manual refresh or automatic refresh:
• Manual—Click Refresh to refresh the Web interface.
• Automatic—Select to refresh the Web interface every 1 minute, 5 minutes, or 10 minutes.
Using diagnostic tools This chapter describes how to use the ping and traceroute facilities. Traceroute By using the traceroute facility, you can trace Layer 3 devices involved in delivering a packet from source to destination. You can traceroute the IP address or the host name of a device. If the target host name cannot be resolved, a prompt appears. A traceroute operation involves the following steps: 1. The source device sends a packet with a Time to Live (TTL) value of 1 to the destination device. 2.
To perform a traceroute operation: 1. Log in to the Web interface, and select Other > Diagnostic Tools from the navigation tree to enter the traceroute operation page, as shown in Figure 529. 2. Enter the destination IP address or host name. 3. Click Start. You can see the result in the Summary box. Figure 529 Traceroute configuration page Ping operation The Web interface does not support IPv6 ping. To perform a ping operation: 1. Select Other > Diagnostic Tools from the navigation tree. 2.
Figure 530 Ping configuration page
Configuring WiNet The Wisdom Network (WiNet) technology helps you centrally manage a large number of scattered network devices by using a small number of public IP addresses. WiNet has the following benefits: • Integration—WiNet is integrated in network devices as a function without needing any dedicated management device. • Easy to deploy—To build a WiNet, you only need to select a management device to complete network configurations. • Low cost—No additional software is needed.
1. Select WiNet from the navigation tree. When WiNet is disabled, a dialog box with the message "Only the WiNet administrator supports the function" appears.
2. Click OK to enter the Setup page, as shown in Figure 532.
3. Configure WiNet, as shown in Table 205.
Figure 532 WiNet setup page
Table 205 Configuration items
Item: Description
WiNet Name: Enter a WiNet name.
Enter a management VLAN ID in the WiNet. You can enter an existing static VLAN only. The management VLAN is used by WiNet packets for communication.
To customize the background image, click Browse, locate the image you want to use, and click Upload. To remove the customized background image, click Clear. Managing WiNet To manage WiNet members, make sure the port that connects your host to the administrator permits packets of the management VLAN. Select WiNet from the navigation tree to enter the default WiNet Management page. Figure 533 WiNet management page On the WiNet Management page, you can perform these operations: 1.
6. After the authentication center starts up, the Open AuthN Center button changes to Close AuthN Center. Click Close AuthN Center to remove the RADIUS server and the guest user. 7. Drag the icon of a specific device in the WiNet topology and place it in a position as needed. If the browser is configured to accept cookies, the latest position information of each device is stored after you click Network Snapshot. 8.
b. Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click Port Guard to enable Layer 2 portal authentication on the interfaces. CAUTION: You cannot enable Layer 2 portal authentication on an interface that connects to a member/candidate device, connects to an external network, or connects to the console terminal. c. If a member is selected, click Manage Device to log in to the Web interface for configuring the member.
Figure 537 Adding a user Table 206 Configuration items Item Description Username Enter the name of the user. Password Confirm Password Set a user password and confirm it. IMPORTANT: The leading spaces (if any) of a password will be omitted. Enter an authorized VLAN ID for the user. VLAN IMPORTANT: If the access device does not support authorized VLANs, users with the authorized VLAN ID specified cannot pass authentication. Enter an authorized ACL number for the user.
Batch importing and exporting RADIUS users Select WiNet from the navigation tree, and click the User Management tab to enter the page as shown in Figure 536. 1. Click Export and click Save in the dialog box that appears. 2. Set the local path and file name for saving the exported files. 3. Click Save to export all the RADIUS user information in the files to the local host. 4. Click Import. The page for importing files appears. 5. Click Browse to locate the local xml files to be imported. 6.
display the password, for example, . WiNet configuration example WiNet establishment configuration example Network requirements As shown in Figure 540, a WiNet comprises an administrator and two members. • The administrator is connected to the external network through Ethernet 0/1, and is connected to the members through Ethernet 0/2 and Ethernet 0/3. • The WiNet management VLAN is VLAN 10.
Figure 541 Creating VLAN 10 and VLAN-interface 10 a. Select the Create option. b. Enter 10 for VLAN IDs. c. Select the Create VLAN Interface box. d. Click Apply. # Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10. Figure 542 Assigning interfaces to VLAN 10 a. On the VLAN Setup page, select 10 in the VLAN Config field. b. Select Ethernet0/1, Ethernet0/2, and Ethernet0/3 from the list.
c. Click Add. The configuration progress dialog box appears. Figure 543 Configuration progress dialog box d. After the configuration is complete, click Close. # Configure the IP address of VLAN-interface 10. e. Click the VLAN Interface Setup tab.
b. Select 10 for VLAN ID. c. Enter 163.172.55.1 for IP Address. d. Enter 255.255.255.0 for Subnet Mask. e. Click Apply. # Enable WiNet. f. Select WiNet from the navigation tree. When WiNet is disabled, a dialog box Only the WiNet administrator supports the function appears. g. Click OK. Figure 545 Enabling WiNet c. Enter WiNet for WiNet Name. d. Click Advance Options. e. Enter 10 for Management VLAN. f. Enter 192.168.0.1 for IP Pool (Administrator IP). g. Select 255.255.255.0 for Mask of IP Pool. h.
Figure 546 WiNet topology diagram WiNet-based RADIUS authentication configuration example Network requirements As shown in Figure 547, a WiNet comprises an administrator (Device B ) and two members (Device A and Device C). The client connects to Device A through Ethernet 0/2. Deploy security authentication in the WiNet so that the client can access external networks after passing authentication on Device B.
Figure 547 Network diagram Configuration procedure 1. Establish a WiNet. See "WiNet establishment configuration example." 2. Configure WiNet-based RADIUS authentication. # Specify a RADIUS user. a. Log in to Device B through Ethernet 0/1. b. Select WiNet from the navigation tree on Device B. c. Click the User Management tab. d. Click Add. Figure 548 Configure WiNet-based RADIUS authentication e.
Figure 549 Setting up a RADIUS server a. Click the WiNet Management tab. b. Click Open AuthN Center. # Enable Layer 2 portal authentication on Ethernet 0/2 of Device A.
a. Click Device A on the topology diagram. b. Click Ethernet 0/2 on the panel diagram. c. Click Port Guard.
Configuration wizard Overview The configuration wizard helps you establish a basic call, and configure local numbers and connection properties. Basic service setup Entering the configuration wizard homepage From the navigation tree, select Voice Management > Configuration Wizard to access the configuration wizard homepage, as shown in Figure 551. Figure 551 Configuration wizard homepage Selecting a country In the wizard homepage, click Start to access the country selection page, as shown in Figure 552.
Figure 552 Country selection page Table 207 Configuration item Item Description Call Progress Tone Country Mode Configure the device to play the call progress tones of a specified country or region. Configuring local numbers In the country tone configuration page, click Next to access the local number configuration page, as shown in Figure 553. Figure 553 Local number configuration page Table 208 Configuration items Item Description Line Specify the FXS voice subscriber lines.
Configuring connection properties After you finish the local number configuration, click Next to access the connection property configuration page, as shown in Figure 554. Figure 554 Connection property configuration page Table 209 Configuration items Item Description Main Registrar Address Specify the address of the main registrar. It can be an IP address or a domain name. Main Registrar Port Number Specify the port number of the main registrar.
Local number and call route This chapter describes local numbers, call routes, fax and modem, call services, and advanced settings. Local numbers and call routes Local numbers and call routes are basic settings for making voice calls. • Local number configuration includes setting a local telephone number and authentication information used for registration. • Call route configuration includes setting a destination telephone number and call route type.
Basic settings This section provides information about configuring basic settings. Introduction to basic settings Local number Local number configuration includes setting a local telephone number and authentication information used for registration. Call route Call route configuration includes setting a destination telephone number and call route type. The call route type can be either SIP routing or trunk routing.
See Configuring trunking mode calling for the configuration example of using the trunking routing as the call route type. Basic settings Configuring a local number Select Voice Management > Local Number from the navigation tree, and click Add to access the page for creating a local number, as shown in Figure 557. Figure 557 Local number configuration page Table 210 Configuration items Item Description Number ID Enter a local number ID in the range of 1 to 2147483647. Number Enter a local number.
Item Description Bound Line This list displays all FXS voice subscriber lines. Select a voice subscriber line to be bound with the local number. Description Specify the description of the number. Jitter-buffer Adaptive Mode • Enable—Select this option to buffer the voice packets received from the IP side, so that the received voice packets can be played out evenly. • Disable—Select this option to not buffer the voice packets received from the IP side.
Figure 558 Call route configuration page Table 211 Configuration items Item Description Call Route ID Enter a call route ID in the range of 1 to 2147483647. Destination Number Enter the called telephone number.
Item Description Route Description Enter the description of the call route. Proxy Server Use a SIP proxy server to complete calling. IP Routing Use the SIP protocol to perform direct calling. If you select this option, you must provide the destination address and port number. Binding Server Group Select a server group from the Server Group list. You can add SIP server groups into the list in Voice Management > Call Connection > SIP Server Group Management.
Configuration examples of local number and call route Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address) Network requirements As shown in Figure 559, Router A and Router B can directly call each other as SIP UAs using the SIP protocol (configuring static IP addresses). Figure 559 Network diagram Configuring Router A # Create a local number.
1. Enter 1 for Number ID. 2. Enter 1111 for Number. 3. Select subscriber-line 8/0 from the Bound Line list. 4. Enter Telephone A for Description. 5. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 561 Creating call route 2222 6. Enter 2 for Call Route ID. 7. Enter 2222 for Destination Number. 8. Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address. 9. Click Apply.
Configuring Router B 1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 562 Creating local number 2222 2. Enter 1 for Number ID. 3. Enter 2222 for Number. 4. Select subscriber-line 8/0 from the Bound Line list. 5. Enter Telephone B for Description. 6. Click Apply. # Create a call route. 7.
Figure 563 Creating call route 1111 8. Enter 2 for Call Route ID. 9. Enter 1111 for Destination Number. 10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. 11. Click Apply. Verifying the configuration • After the previous configuration, you can use telephone 1111 to call telephone 2222, or use telephone 2222 to call telephone 1111.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls. Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name) Network requirements As shown in Figure 564, acting as SIP UAs, Router A and Router B can first query destination addresses through a DNS server and then make calls using the SIP protocol.
Figure 565 Creating local number 1111 1. Enter 1 for Number ID. 2. Enter 1111 for Number. 3. Select subscriber-line 8/0 from the Bound Line list. 4. Enter Telephone A for Description. 5. Click Apply. # Create a call route. 6. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 566 Creating call route 2222 7. Enter 2 for Call Route ID. 8. Enter 2222 for Destination Number. 9. Select IP Routing for SIP Routing, and type cc.news.com for Destination Address. 10. Click Apply.
Configuring Router B 1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 567 Creating local number 2222 2. Enter 1 for Number ID. 3. Enter 2222 for Number. 4. Select subscriber-line 8/0 from the Bound Line list. 5. Enter Telephone B for Description. 6. Click Apply. # Create a call route. 7.
Figure 568 Creating call route 1111 8. Enter 2 for Call Route ID. 9. Enter 1111 for Destination Number. 10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. 11. Click Apply.
Verifying the configuration • After the previous configuration, you can use telephone 1111 to call telephone 2222 by using the DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111 by querying the static IP address of the called party. • Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls.
2. Enter 1 for Number ID. 3. Enter 1111 for Number. 4. Select subscriber-line 8/0 from the Bound Line list. 5. Enter Telephone A for Description. 6. Click Apply. # Create a call route. 7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 571 Creating call route 2222 8. Enter 10000 for Call Route ID. 9. Enter 2222 for Destination Number. 10. Select SIP Routing for Call Route Type. 11. Select Proxy Server for SIP Routing. 12. Click Apply.
# Configure the registrar and the proxy server. 13. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page. Figure 572 Configuring registration information 14. Select Enable for Register State. 15. Enter 192.168.2.3 for Main Registrar Address. 16. Enter Router A for Username and abc for Password. 17. In the Proxy Server area, enter 192.168.2.3 for Server Address. 18. Click Apply. Configuring Router B 1.
Figure 573 Creating local number 2222 2. Enter 1 for Number ID. 3. Enter 2222 for Number. 4. Select subscriber-line 8/0 from the Bound Line list. 5. Enter Telephone B for Description. 6. Click Apply. # Create a call route 7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 574 Creating call route 1111 8. Enter 1 for Call Route ID. 9. Enter 1111 for Destination Number. 10. Select SIP for Call Route Type. 11. Select Proxy Server for SIP Routing. 12. Click Apply. # Configure the registrar and the proxy server. 13. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page.
Figure 575 Configuring registration information 14. Select Enable for Register State. 15. Enter 192.168.2.3 for Main Registrar Address. 16. In the Proxy Server area, enter 192.168.2.3 for Server Address. 17. Enter Router A for Username and abc for Password. 18. Click Apply. Verifying the configuration • After the local numbers of the two sides are registered on the registrar successfully, telephone 1111 and telephone 2222 can call each other through the proxy server.
Configuring trunking mode calling Network requirements As shown in Figure 576, Router A and Router B are connected through an FXO trunk line. It is required that Telephone 1111 can call telephone 2222. Figure 576 Network diagram Configuring Router A # Create a local number. 1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 577 Creating local number 1111 2. Enter 1 for Number ID. 3. Enter 1111 for Number. 4.
7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route. Figure 578 Creating call route 2222 8. Enter 2 for Call Route ID. 9. Enter 2222 for Destination Number. 10. Select Trunk for Call Route Type. 11. Select subscriber-line 1/0 from the Trunk Route Line list. 12. Click Apply. # Configure number sending mode. 13.
Figure 579 Configuring number sending mode 14. Select Send All Digits of a Called Number for Called Number Sending Mode. 15. Click Apply. Configuring Router B 1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 580 Creating local number 2222 2. Enter 1 for Number ID. 3. Enter 2222 for Number.
4. Select subscriber-line 8/0 from the Bound Line list. 5. Enter Telephone B for Description. 6. Click Apply. Verifying the configuration • Telephone 1111 can call telephone 2222 over the trunk line. • Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls.
Fax and modem Traditional fax machines transmit and receive faxes over the PSTN. Over time, fax has come into wide use because it can carry various kinds of information, transmits quickly, and is simple to operate. So far, G3 fax machines are dominant in fax communications. A G3 fax machine uses signal digitizing technology.
or D/A conversion for fax signals (that is, the router demodulates analog signals from PSTN into digital signals, or modulates digital signals from the IP network into analog signals), but does not need to compress fax signals. A real-time fax process consists of five phases: 1. Fax call setup phase. This phase is similar to the process of a telephone call setup. The difference is that the fax tones identifying the sending/receiving terminals are included. 2. Prior-messaging phase.
pass-through function, which can help remote PSTN users to log in to internal network devices through dialup. Configuring fax and modem Before you configure fax and modem, you must configure local numbers and call routes. See Basic settings for details.
Item Description Configure the protocol used for fax communication with other devices. • T.38—With this protocol, a fax connection can be set up quickly. • Standard T.38—It supports H.323 and SIP. Fax Protocol Configure the fax pass-through mode. • G.711 A-law. • G.711 μ-law. The pass-through mode is subject to such factors as loss of packet, jitter, and delay, so the clocks on both communication sides must be kept synchronized. Only G.711 A-law and G.
Item Description Specify the fax training mode: • Local—The gateways participate in the rate training between fax terminals. In this mode, rate training is performed between fax terminals and gateways, respectively, and then the receiving gateway sends the training result of the receiving fax terminal to the transmitting gateway. The transmitting gateway finalizes the packet transmission rate by comparing the received training result with its own training result.
Item Description As defined in ITU-T, the ECM is required for a half duplex and fax message transmission using the half-duplex and half-modulation system of ITU-T V.34 protocol. Besides, the G3 fax terminals working in full duplex mode are required to support half-duplex mode, that is, ECM. ECM Fax The fax machines using ECM can correct errors, provide the automatic repeat request (ARQ) function, and transmit fax packets in the format of HDLC frames.
Figure 583 Call route fax and modem configuration page For call route fax and modem configuration items, see Table 212 for details.
Call services More and more VoIP-based services are demanded as voice application environments expand. On the basis of basic calls, new features are implemented to meet different application requirements of VoIP subscribers. Call waiting When subscriber C calls subscriber A who is already engaged in a call with subscriber B, the call is not rejected if call waiting is enabled.
Call transfer Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is established. This is call transfer.
Silent monitor and barge in services Silent monitor service—Allows a supervisor to monitor active calls without being heard. Barge in service—Allows a supervisor to participate in a monitored call to implement three-party conference. For example, suppose subscribers A and B are in a conversation and subscriber C is the supervisor. If C wants to join the conversation, it sends a request to A. If A permits, the three-party conference can be held.
• O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end does not send it) A message in the MDMF contains the following information: • Date and time when the voice call occurs (MM DD hh:mm) • Calling number and calling name if CID is enabled on the device • Two Ps for the calling number and the calling name, respectively, if CID is disabled on the device • O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end doe
Figure 584 Call services configuration page Table 213 Configuration items Item Description The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number for call forwarding no reply. Call Forwarding The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number for call forwarding busy. Call Forwarding Unconditional—Enter the forwarded-to number for forwarding unconditional.
Configuring other voice functions Select Voice Management > Local Number from the navigation tree, and then click the icon of the local number to be configured to access the call services configuration page as shown in Figure 585. Figure 585 Call services configuration page Table 214 Configuration items Item Description Calling Name Set the calling name, a string of case-sensitive characters including numbers 0 through 9, letters A through Z or a through z, underlines (_), hyphens (-), dots (.
Item Incoming Call Barring Password for Outgoing Call Barring Description • Enable. • Disable. By default, incoming call barring is disabled. Set a password to lock your telephone when you do not want others to use your telephone. Door Opening Password. Enable the door opening control service and set a password for opening the door and the door open duration before the door control relay locks the door. By default, the door opening service is disabled. Door Open Service IMPORTANT: Door Open Duration.
Configuring call services of a call route Select Voice Management > Call Route from the navigation tree, and then click the icon of the call route to be configured to access the call route call services configuration page as shown in Figure 586. After completing the trunk configuration of a call route, you can configure the call services of the call route. The SIP call route does not support call services configuration.
Item Description • Enable. • Disable. Hunt Group By default, hunt group function is disabled. IMPORTANT: To use the hunt group feature, you must select the Enable option of all call routes involved in this service. Hotline Numbers Configure the private line auto ring-down (PLAR) function. The number is an E.164 telephone number of the terminating end.
Figure 588 Configuring call waiting b. Select Enable for Call Waiting. c. Click Apply. Verifying the configuration Verify the two call waiting operation modes: • Operation 1—When the subscriber at Telephone C dials 1000 to call Telephone A which is already engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones, while the subscriber at Telephone A hears call waiting tones that remind that a call is waiting on the line.
Figure 589 Network diagram (labels in the figure: Router A, Router B, Router C; Telephone A 1000, Telephone B 2000, Telephone C 3000; interface addresses Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24)
Configuration procedure Before performing the following configuration, make sure Router A, Router B and Router C are reachable to each other. 1. Complete basic voice call configurations: complete basic voice call configurations on Router A, Router B, and Router C. 2.
Verifying the configuration Place a call from Telephone A to Telephone B. Router B forwards the call to Telephone C when Telephone B is busy. Finally, Telephone A and Telephone C start a conversation. Configuring call transfer Network requirements As shown in Figure 591, call transfer enables Telephone A to transfer Telephone B to Telephone C. After the call transfer is completed, Telephone B and Telephone C are in a conversation. The whole process is as follows: 1.
Figure 592 Configuring call transfer Verifying the configuration The whole process is as follows: 1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation. 2. Perform a hookflash at Telephone A to put the call with Telephone B on hold. 3. Call Telephone C (3000) from Telephone A after hearing dial tones. 4. Hang up Telephone A. 5. Telephone B and Telephone C are in a conversation and call transfer is completed.
Figure 593 Network diagram Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other. 1. Complete basic voice call configurations: complete basic voice call configurations on Router A, Router B, and Router C. 2. Configure hunt group: # Configure a number selection priority for Telephone A2 on Router A. Keep the default priority 0 (the highest priority) for Telephone A1. a.
Figure 594 Configuring number selection priority of Telephone A2 b. Select 4 from the Number Selection Priority list. c. Click Apply. # Configure hunt group on Router A. d. Select Voice Management > Local Number from the navigation tree, click the icon of local number 1000 of Telephone A1 in the local number list to access the call services configuration page.
Figure 595 Configuring hunt group b. Select Enable for Hunt Group. c. Click Apply. Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure is not included here. Verifying the configuration Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B is connected to Telephone A1.
Figure 596 Network diagram (labels in the figure: Router A, Router B, Router C; Telephone A 1000, Telephone B 2000, Telephone C 3000; interface addresses Eth1/0 10.1.1.1/24, Eth1/0 10.1.1.2/24, Eth1/0 20.1.1.2/24, Eth1/1 20.1.1.1/24)
Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other. 1. Complete basic voice call configurations: complete basic voice call configurations on Router A, Router B, and Router C. 2. Configure three-party conference.
Figure 598 Configuring call hold b. Select Enable for Call Hold. c. Select Enable for Three-Party Conference. d. Click Apply. Verifying the configuration Now Telephone B, as the conference initiator, can establish a three-party conference with participants Telephone A and Telephone C.
Figure 599 Network diagram Configure the VCX Open the Web interface of the VCX and select Central Management Console. Configure the information of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example. Figure 600 Telephone configuration page # Configure the silent-monitor authority 1. Click Features of number 1000 to access the feature configuration page, and then click Edit Feature of the Silent Monitor and Barge In feature to access the page as shown in Figure 601.
Figure 601 Silent monitor and barge in feature configuration page (1) 2. Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000. After this configuration, the page as shown in Figure 602 appears. Figure 602 Silent monitor and barge in feature configuration page (2) After the previous configuration, Telephone C with the number 3000 can monitor and barge in the conversations of Telephone A with the number 1000.
Figure 603 Enabling the feature service and the silent monitor and barge in function 6. Select Enable for Monitor and Barge In. 7. Select Enable for Feature Service. 8. Click Apply. Configure Router B # Configure a local number and call routes.
1. Configure a local number: specify the local number ID as 2000 and the number as 2000, and bind the number to line 1/0 on the local number configuration page. 2. Configure the call route to Router A: specify the call route ID as 1000, the destination number as 1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page. 3.
6. Select RFC2833 for DTMF Transmission Mode. 7. Click Apply. # Enable the feature service. 8. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 3000 to access the call services page as shown in Figure 605. Figure 605 Enabling the feature service 9. Select Enable for Feature Service. 10. Click Apply.
Advanced settings This section provides information on configuring various advanced settings. Introduction to advanced settings Coding parameters The configuration of coding parameters includes specifying codec priorities and packet assembly intervals. The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32, g726r40, g729a, g729br8, and g729r8. The following are the characteristics of different codecs.
Table 217 G.711 algorithm (A-law and μ-law)

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 80 | 120 | 96 kbps | 126 | 100.8 kbps | 10 ms |
| 20 ms | 160 | 200 | 80 kbps | 206 | 82.4 kbps | 20 ms |
| 30 ms | 240 | 280 | 74.7 kbps | 286 | 76.3 kbps | 30 ms |

G.711 algorithm (A-law and μ-law): media stream bandwidth 64 kbps, minimum packet assembly interval 10 ms.

Table 218 G.
| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 30 ms | 60 | 100 | 26.7 kbps | 106 | 28.3 kbps | 30 ms |
| 40 ms | 80 | 120 | 24 kbps | 126 | 22.1 kbps | 40 ms |
| 50 ms | 100 | 140 | 22.4 kbps | 146 | 23.4 kbps | 50 ms |
| 60 ms | 120 | 160 | 21.3 kbps | 166 | 11.4 kbps | 60 ms |
| 70 ms | 140 | 180 | 20.6 kbps | 186 | 21.3 kbps | 70 ms |
| 80 ms | 160 | 200 | 20 kbps | 206 | 20.6 kbps | 80 ms |

90 ms 180 220 19.
Table 223 G.726 r40 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 50 | 90 | 72 kbps | 96 | 76.8 kbps | 10 ms |
| 20 ms | 100 | 140 | 56 kbps | 146 | 58.4 kbps | 20 ms |
| 30 ms | 150 | 190 | 50.7 kbps | 196 | 52.3 kbps | 30 ms |
| 40 ms | 200 | 240 | 48 kbps | 246 | 49.2 kbps | 40 ms |

G.726 r40 algorithm: media stream bandwidth 40 kbps, minimum packet assembly interval 10 ms.
NOTE:
• The packet assembly interval is the duration to encapsulate information into a voice packet.
• Bytes coded in a time unit = packet assembly interval × media stream bandwidth.
• Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data.
• Packet length (IP+PPP) = PPP header + IP header + RTP header + UDP header + voice information length = 6+20+12+8+data.
• Network bandwidth = Bandwidth of the media stream × packet length/bytes coded in a time unit.
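The formulas in the NOTE can be applied mechanically to recompute any row of the codec tables and to size a voice link. The following Python is an added example, not part of the HP guide: the function names and the `calls_per_link` helper are this example's own assumptions, and the embedded rows are copied from Table 217 and Table 223.

```python
"""Added example: recompute the codec bandwidth tables from the NOTE's formulas."""
from dataclasses import astuple, dataclass
from typing import List, Sequence, Tuple

# Header sizes in bytes, as stated in the NOTE.
IP_HDR, RTP_HDR, UDP_HDR, PPP_HDR = 20, 12, 8, 6

FIELDS = ("interval_ms", "payload", "ip_len", "ip_kbps", "ppp_len", "ppp_kbps")


@dataclass(frozen=True)
class Row:
    interval_ms: int   # packet assembly interval
    payload: int       # bytes coded in a time unit
    ip_len: int        # packet length (IP), bytes
    ip_kbps: float     # network bandwidth (IP)
    ppp_len: int       # packet length (IP+PPP), bytes
    ppp_kbps: float    # network bandwidth (IP+PPP)


def codec_row(media_kbps: int, interval_ms: int) -> Row:
    """Apply the NOTE's formulas for one media stream rate and assembly interval."""
    bits = media_kbps * interval_ms            # kbit/s x ms = bits per packet
    if bits <= 0 or bits % 8:
        raise ValueError("interval must yield a positive whole number of bytes")
    payload = bits // 8
    ip_len = IP_HDR + RTP_HDR + UDP_HDR + payload
    ppp_len = PPP_HDR + ip_len

    def net_kbps(length: int) -> float:
        # Network bandwidth = media bandwidth x packet length / bytes coded.
        return round(media_kbps * length / payload, 1)

    return Row(interval_ms, payload, ip_len, net_kbps(ip_len),
               ppp_len, net_kbps(ppp_len))


# Rows copied from the guide, in FIELDS order.
TABLE_217_G711 = [
    (10, 80, 120, 96.0, 126, 100.8),
    (20, 160, 200, 80.0, 206, 82.4),
    (30, 240, 280, 74.7, 286, 76.3),
]
TABLE_223_G726R40 = [
    (10, 50, 90, 72.0, 96, 76.8),
    (20, 100, 140, 56.0, 146, 58.4),
    (30, 150, 190, 50.7, 196, 52.3),
    (40, 200, 240, 48.0, 246, 49.2),
]


def audit_table(media_kbps: int,
                published: Sequence[Tuple]) -> List[Tuple[int, str, float, float]]:
    """Return (interval, field, published, computed) for every cell that differs."""
    mismatches = []
    for pub in published:
        calc = astuple(codec_row(media_kbps, pub[0]))
        for name, want, got in zip(FIELDS, pub, calc):
            if abs(want - got) > 1e-9:
                mismatches.append((pub[0], name, want, got))
    return mismatches


def calls_per_link(link_kbps: float, media_kbps: int,
                   interval_ms: int, ppp: bool = True) -> int:
    """Whole calls that fit in one direction of a link (assumption: no VAD,
    no header compression, no other traffic sharing the link)."""
    row = codec_row(media_kbps, interval_ms)
    per_call = row.ppp_kbps if ppp else row.ip_kbps
    return int(link_kbps // per_call)


if __name__ == "__main__":
    for name, rate, table in (("G.711", 64, TABLE_217_G711),
                              ("G.726 r40", 40, TABLE_223_G726R40)):
        print(name, "mismatches:", audit_table(rate, table))
    print("G.711 @ 20 ms calls on a 512 kbps PPP link:", calls_per_link(512, 64, 20))
```

Shorter packet assembly intervals lower the coding latency but raise the per-call bandwidth, so the interval chosen here feeds directly into any rate limit or QoS reservation set for voice traffic.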
Figure 606 Configuring coding parameters of the local number Table 226 Configuration items Item Description Codec with the First Priority Specify a codec with the first priority. Codec with the Second Priority Specify a codec with the second priority. Codec with the Third Priority Specify a codec with the third priority. Specify the codecs and their priority levels. The available codecs are: • g711alaw—G.
Item Description Packet Assembly Interval of G726r16 Specify the packet assembly interval for g726r16 codec. Packet Assembly Interval of G726r24 Specify the packet assembly interval for g726r24 codec. Packet Assembly Interval of G726r32 Specify the packet assembly interval for g726r32 codec. Packet Assembly Interval of G726r40 Specify the packet assembly interval for g726r40 codec. Packet Assembly Interval of G729 Specify the packet assembly interval for g729r8, g729br8, and g729a codecs.
Item Called Number Sending Mode DTMF Transmission Mode DSCP Field Value VAD Description Send a Truncated Called Number Send a truncated called number. Send All Digits of a Called Number Send all digits of a called number. Send Certain Number of Digits Send a certain number of digits (that are extracted from the end of a number) of a called number. The specified value should be not greater than the total number of digits of the called number.
Figure 608 Configuring coding parameters of the call route For coding parameters configuration items of the call route, see Table 227. Configuring other parameters for a call route Select Voice Management > Call Route from the navigation tree, and then click the route to be configured to access the advanced settings configuration page.
Advanced settings configuration example Configuring out-of-band DTMF transmission mode for SIP Network requirements Two routers work as SIP UAs. After establishing a call connection, the calling and called parties adopt DTMF SIP out-of-band transmission to make the transmission of DTMF digits more reliable. Figure 610 Network diagram Configuration procedure 1. Configure voice basic calling settings.
b. Select Out-of-band Transmission for DTMF Transmission Mode. c. Click Apply. Figure 612 Configure out-of-band DTMF transmission mode Verifying the configuration After a call connection is established, if one side presses the telephone keys, the DTMF digits are transmitted to the other side using out of band signaling, and the other side hears short DTMF tones from the handset.
SIP-to-SIP connections Configuring media parameters for SIP-to-SIP connections 1. Select Voice Management > Call Route from the navigation tree. 2. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 613 Configuring media parameters 3. Configure media parameters for SIP-to-SIP connections as described in Table 229.
Item Description In the scenario where the SIP trunk device controls the results of media capability negotiation, if the SIP trunk device cannot find a common codec for two parties during negotiation, the two parties fail to establish a call. In this case, you can select the Enable option to enable codec transcoding on the SIP trunk device. Codec Transcoding With this function enabled, the SIP trunk device uses its own codec capability set to negotiate with the calling and called parties respectively.
Figure 614 Configuring signal process 3. Configure signaling parameters for SIP-to-SIP connections as described in Table 230. Table 230 Configuration items Item Description • Remote process—The SIP trunk device transparently transfers the Call-forwarding Signal SIP messages carrying call forwarding information to the endpoints, and the endpoints perform the call forwarding. • Local process—The SIP trunk device processes the SIP messages carrying call forwarding information locally.
Configuring dial plans More requirements on dial plans arise with the wide application of VoIP. A desired dial plan should be flexible, reasonable, and operable. Also it should be able to help a voice gateway to manage numbers in a unified way, making number management more convenient and reasonable. The dial plan process on the calling side differs from that on the called side. The following discusses these two dial plan processes, respectively.
On the called side Figure 616 shows the dial plan operation process on the called side. Figure 616 Flow chart for dial plan operation process on the called side 1. After receiving a voice call (the called number), the voice gateway on the called side performs global calling/called number substitution. 2. The voice gateway on the called side selects proper local numbers or call routes based on the local number or call route selection priority rules.
Meta-character | Meaning
# and * | Each indicates a valid digit.
. | Wildcard, which can match any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional characters.
- | Hyphen (connecting element), used to connect two numbers (the smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive.
[] | Delimits a range for matching. It can be used together with signs such as !, %, and +.
Dial plan functions Number match Dial terminator In areas where variable-length numbers are used, you can specify a character as the dial terminator so that the voice gateway can dial out the number before the dialing interval expires. The dial terminator identifies the end of a dialing process, and a call connection is established based on the received digits when the dial terminator is received. The voice gateway does not wait for further digits even if the longest match mode has been globally configured.
Entity type selection priority rules You can configure the priorities for different types of entities. When multiple local numbers or call routes are qualified for a call connection, the system selects a suitable local number or call route whose entity type has the highest priority. Match order of number selection rules You can configure the match order of local number or call route selection rules.
• Global number substitution—The voice gateway substitutes calling and called numbers of all incoming and outgoing calls according to the number substitution rules configured in dial program view. Multiple number substitution rule lists can be bound for global calling and called number substitution of incoming and outgoing calls. If there is no match in the first number substitution rule list, the voice gateway matches against other number substitution rule lists.
Item Description Number Match Mode • Longest Number Match—Matches the longest number. • Shortest Number Match—Matches the shortest number. By default, the shortest-number match mode is adopted. Number Match Policy • Specify service first. • Specify number first. Select Based on Voice Entity Type Select the Enable option, the sequence of the voice entities in the Selection Sequence box determines the match order, and you can click the Up and Down buttons to move a voice entity.
Figure 618 Number group page a. Click Add. The number group configuration page appears. Figure 619 Number group configuration page a. Configure the number group as described in Table 232. b. Click Apply. Table 233 Configuration items Item Description Group ID Specify the ID of the number group. Description Specify the description of the number group. Numbers in the Group Specify the input subscriber numbers to be added into the group in the field. You can add a number by clicking Add. Add 2.
Figure 620 Local number binding page a. Configure local number binding as described in Table 234. b. Click the box in front of the ID column, and click Apply. Table 234 Configuration items Item Description Binding Mode • Permit the calls from the number group. • Deny the calls from the number group. A local number can be bound to multiple number groups in the same binding mode, that is, a local number can either permit or deny the calls from bound number groups. 3.
Figure 621 Max-call-connection set page c. Click Add to access the Max-Call-Connection Set Configuration page as shown in Figure 622. Figure 622 Max-call-connection set configuration page Table 235 Configuration items Item Description Connection Set ID Specify the ID of the max-call-connection set. Max Number of Call Connections in the Set Specify the maximum number of call connections in the max-call-connection set. 2. Bind local numbers to a max-call-connection set: a.
The configuration of IVR number binding is similar to that of local number binding. Therefore, it is not included here. Configuring number substitution When you configure number substitution, you need to first add a number substitution list, and then bind a number substitution list to global, local numbers, call routes, or lines. 1. Add a number substitution list: a.
Table 236 Configuration items Item Description Number Substitution Rule List ID Specify the ID of the number substitution rule list. • End-Only—Reserve the digits to which all ending dots (.) in the input number correspond. • Left-to-Right—Reserve from left to right the digits to which the dots in the input number correspond. • Right-to-Left—Reserve from right to left the digits to which the dots in the input number correspond. Dot Match Rule By default, the dot match rule is End-Only.
2. Bind a number substitution list to global, local numbers, call routes, or lines: Click Not Bound in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column to access the corresponding binding page. The configurations of these bindings are similar to that of local number binding in call control. Therefore, they are not included here.
2. Longest number match a. Configure Router A: select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page, as shown in Figure 627. Figure 627 Number match mode configuration page b. Select Longest Number Match for Number Match Mode. c. Click Apply. After you dial number 20001234 at Telephone A and wait for some time (during this period, you can continue dialing), the dialed number 20001234 matches call route 2000 and Telephone B is alerted.
After you dial 20001234# at Telephone A, the number immediately matches call route 2000 and Telephone B is alerted. Configuring the match order of number selection rules Network requirements As shown in Figure 629, configure different number selection rule match orders for calls from Telephone A to Telephone B. Figure 629 Network diagram Configuring Router A 1. Add a local number: Specify the number ID as 1000, the number as 10001234$, and the bound line as 1/0 on the local number configuration page. 2.
4. Add a call route: Specify the call route ID as 2001, the destination number as 2000123.$, and the destination address as 1.1.1.2 on the call route configuration page. 5. Configure the call route: a. Select Voice Management > Call Route from the navigation tree to access the call route list page. b. Find the call route with the ID of 2001 in the list, and click its corresponding icon to access the advanced setting page. c. Select 5 from the Call Route Selection Priority list. d. Click Apply.
Figure 632 Match order of number selection rules configuration page 2. Select Exact Match from the First Rule in the Match Order list. 3. Select Priority from the Second Rule in the Match Order list. 4. Select Random Selection from the Third Rule in the Match Order list. 5. Click Apply. After you dial number 20001234 at Telephone A, the number matches call route 2000.
4. Select Random Selection from the Third Rule in the Match Order list. 5. Click Apply. After you dial number 20001234 at Telephone A, the number matches call route 2002. Configuring the number selection rule as random selection Configure Router A: 1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the page for configuring the match order of number selection rules. Figure 634 Match order of number selection rules configuration page 2.
2. Find the digital link VE1 5/0 in the list, click its corresponding icon to access the E1 parameters configuration page. Figure 636 E1 parameters configuration page 3. Select PRI Trunk Signaling for Working Mode. 4. Select Internal for TDM Clock Source. (Internal is the default setting) 5. Select the Network Side Mode for ISDN Working Mode. 6. Click Apply.
Configuring Router B Select Voice Management > Digital Link Management from the navigation tree to access the digital link list page. Find the digital link VE1 5/0 in the list, click its corresponding icon to access the E1 parameters configuration page. Figure 637 E1 parameters configuration page • Select PRI Trunk Signaling for Working Mode. • Select User Side Mode for ISDN Working Mode. (User Side Mode is the default setting) • Select Line for TDM Clock Source. • Click Apply.
Figure 638 Entity type selection priority rule configuration page (1) • Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR. • Click Apply. After you dial 20001234 at Telephone A, the number will match call route 2000 (VoIP entity). Configuring the system to first select POTS entity Configure Router A.
Configuring call authority control Network requirements As shown in Figure 640, Router A, Router B, and Router C are located at place A, place B, and place C, respectively. They are all connected to the SIP server to allow subscribers to make SIP calls. When VoIP links fail for some reason, PSTN links that provide backup for VoIP links can be automatically brought up.
2. Type 1100.. for Numbers in the Group. 3. Click Add to add numbers into the group. 4. Click Apply. Enter the number group configuration page again to add another number group: 5. Type 2 for Group ID. 6. Type 1200.. for Numbers in the Group. 7. Click Add to add numbers into the group. 8. Click Apply. # Add a call route for place B: specify the call route ID as 2000, the destination number as 2..., and use a proxy server for SIP routing on the call route configuration page.
Figure 643 Call route binding page (1) 9. Select Permit the calls from the number group for Binding Mode. 10. Select the box of call route 2100. 11. Click Apply. # Bind a call route to the number group 2 to allow subscribers whose telephone numbers begin with 1200 to originate calls to both place B and place C. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to access the page as shown in Figure 644.
Figure 645 Call route binding page (II) 12. Select Permit the calls from the number group for Binding Mode. 13. Select the checkboxes of call routes 2100 and 3100. 14. Click Apply. Configuring Router B Add a call route: 1. Specify the call route ID as 2100, the destination number as 2…, and the trunk route line as 1/0:15 on the call route configuration page. 2.
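The permit bindings configured on Router A in this call authority control example, modeled as an added Python example (not HP's code and not the device's implementation). It assumes that a template must match the whole calling number, that a call route with no bound number group accepts any caller, that a caller outside every group on a permit-bound route is refused, and that call route 2000 stays unbound; the class names, function names and sample calling numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Per the meta-character table: digits, '#' and '*' are valid digits,
# and '.' is a wildcard for exactly one valid digit.
VALID_DIGIT = "[0-9#*]"


def compile_template(template):
    """Compile a number-group entry such as '1100..' into a regex."""
    parts = []
    for ch in template:
        if ch == ".":
            parts.append(VALID_DIGIT)
        elif ch in "0123456789#*":
            parts.append(re.escape(ch))
        else:
            # Ranges and the signs !, %, +, $ are outside this example.
            raise ValueError(f"unsupported character {ch!r} in {template!r}")
    return re.compile("".join(parts))


@dataclass
class NumberGroup:
    group_id: int
    templates: list

    def contains(self, calling_number):
        # Assumption: the template must cover the whole calling number.
        return any(compile_template(t).fullmatch(calling_number)
                   for t in self.templates)


@dataclass
class CallRoute:
    route_id: int
    binding_mode: str = None            # "permit", "deny" or None (not bound)
    groups: list = field(default_factory=list)

    def bind(self, mode, group):
        if mode not in ("permit", "deny"):
            raise ValueError("binding mode must be 'permit' or 'deny'")
        # The guide states that all groups bound to one entity share one mode.
        if self.binding_mode not in (None, mode):
            raise ValueError("mixed binding modes on one call route")
        self.binding_mode = mode
        self.groups.append(group)

    def allows(self, calling_number):
        if self.binding_mode is None:
            return True                 # assumption: unbound route is open
        in_group = any(g.contains(calling_number) for g in self.groups)
        return in_group if self.binding_mode == "permit" else not in_group


def build_router_a():
    """Number groups and bindings as entered in the Router A procedure."""
    group1 = NumberGroup(1, ["1100.."])
    group2 = NumberGroup(2, ["1200.."])
    routes = {rid: CallRoute(rid) for rid in (2000, 2100, 3100)}
    routes[2100].bind("permit", group1)
    routes[2100].bind("permit", group2)
    routes[3100].bind("permit", group2)
    return routes


def authority_matrix(routes, callers):
    """Map each calling number to the call routes it may use."""
    return {c: sorted(r.route_id for r in routes.values() if r.allows(c))
            for c in callers}


if __name__ == "__main__":
    # Constructed calling numbers; the last one is one digit too long.
    sample = ["110012", "120034", "130001", "1100123"]
    for caller, allowed in authority_matrix(build_router_a(), sample).items():
        print(caller, "->", allowed)
```

Reviewing the resulting matrix before applying a binding shows which subscribers lose the PSTN backup routes, which is easy to miss when a template has the wrong number of dots.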
at place A, and the caller ID displayed on the terminal at place A is 0211234, that is, the area code of place B + telephone number of the financial department at place B. Figure 646 Network diagram Place B Place A Market Dept. 3366 Market Dept. 6788 FXO Line 1/0 Financial Dept. 1688 PBX Eth2/1 2.2.2.2/24 WAN Eth2/1 1.1.1.1/24 FXO Line 1/0 FXO Line 1/1 FXO Line 1/1 Router B Router A PBX Sales Dept. 2323 Financial Dept. 1234 Sales Dept.
Figure 647 Number substitution configuration page (1) 1. Type 21101 for Number Substitution Rule List ID. 2. Add three number substitution rules as shown in Figure 647. 3. Click Apply. # Add another number substitution rule list for calling numbers of outgoing calls. Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to access the number substitution configuration page.
Figure 648 Number substitution configuration page (2) 4. Type 21102 for Number Substitution Rule List ID. 5. Add three number substitution rules as shown in Figure 648. 6. Click Apply. # Enter the call route binding page of number substitution list 21101. Figure 649 Call routing binding page of number substitution list 21101 7. Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode. 8. Select call route 10. 9. Click Apply.
Figure 650 Call routing binding page of number substitution list 21102 10. Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode. 11. Select call route 10. 12. Click Apply. Configuring Router A # Set the IP address of the Ethernet interface to 1.1.1.1. # Add a call route: specify the call route ID as 1010, the destination number as …., and the trunk route line as FXO line 1/0 on the call route configuration page.
Figure 651 Number substitution configuration page (3) 1. Type 101 for Number Substitution Rule List ID. 2. Add three number substitution rules as shown in Figure 651. 3. Click Apply. # Add another number substitution rule list for calling numbers of incoming calls. Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to access the number substitution configuration page.
Figure 652 Number substitution configuration page (4) 4. Type 102 for Number Substitution Rule List ID. 5. Add three number substitution rules as shown in Figure 652. 6. Click Apply. # Enter the global binding page of number substitution list 101. Figure 653 Global binding page of number substitution list 101 7. Select Incoming Calling for Incoming Binding Type. 8. Click Apply. # Enter the global binding page of number substitution list 102.
Figure 654 Global binding page of number substitution list 102 9. Select Incoming Called for Incoming Binding Type. 10. Click Apply.
Call connection Introduction to SIP The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify, and terminate multimedia sessions such as IP phone calls, multimedia session and multimedia conferences. It is the core component in the multimedia data and control architecture of the IETF (RFC 3261). SIP is responsible for signaling control in IP networks and communication with soft switch platforms.
Redirect server A redirect server sends a new connection address to a requesting client. For example, when it receives a request from a calling UA, the redirect server searches for the location information of the called UA and returns the location information to the UA. This location can be that of the called UA or another proxy server, to which the UA can initiate the session request again. The subsequent procedure is the same as that for calling a called UA directly or for calling a proxy server.
• Consistent communication method. Management becomes easier as the result of consistency in dialup mode and system access method used by branches, SOHOs, and traveling personnel. • Quick launch. The system can be updated quickly to accommodate new branches and personnel, and changes resulting from job rotation or relocation. • Easy to install and maintain. Nonprofessional individuals can install and maintain SIP systems.
Figure 655 Message exchange for a UA to register with a Registrar Call setup SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy server. Figure 656 Network diagram In the previous figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP endpoints (UAs). The following is the procedure for connecting a call from Telephone A to Telephone B: 1. Telephone A sends the number of Telephone B. 2.
Figure 657 Call setup procedures involving a proxy server This is a simplified scenario where only one proxy server is involved and no registrar is present. However, a complex scenario can involve multiple proxy servers and registrars. Call redirection When a SIP redirect server receives a session request, it sends back a response indicating the address of the called SIP endpoint instead of forwarding the request.
Figure 658 Call redirection procedure for UAs (participants: two user agents and a redirect server; messages in order: INVITE, 100 Trying, 302 Moved Temporarily, ACK, INVITE, 100 Trying, 200 OK, ACK)
This is a common application. Fundamentally, a redirect server can respond with the address of a proxy server as well. The subsequent call procedures are the same as the call procedures involving proxy servers.
Signaling encryption
TLS runs over TCP and provides a complete set of authentication and encryption solutions for application layer protocols. When you establish a TLS connection, both sides must authenticate each other by using their own digital certificates. They can communicate with each other only after passing authentication. SIP messages are encrypted during SIP over TLS transmission, which prevents your data from being sniffed and increases the security of voice communications.
TLS-SRTP combinations
TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them separately or together. The following table shows four combinations of TLS and SRTP.
Table 239 TLS-SRTP combinations
TLS | SRTP | Description
On | On | Signaling packets are secured. Personal information is protected. Media packets are secured. Call conversations are protected. Recommended.
Off On On Off Off Off Signaling packets are not secured.
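To check which TLS/SRTP combination a call actually uses, the added example below (not from HP's guide) classifies a captured SIP message by the transport in its topmost Via header and by the media profile in its SDP body. It assumes SRTP is offered as RTP/SAVP with SDES a=crypto attributes (RFC 4568); the INVITE messages, the 192.0.2.x addresses and the key placeholder are constructed.

```python
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def parse_sip(raw):
    """Split a SIP message into start line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def top_via_transport(headers):
    """Transport token of the topmost Via header, e.g. 'TLS'.

    This describes only the hop on which the message was captured.
    """
    for name, value in headers:
        if name in ("via", "v"):
            m = re.match(r"SIP\s*/\s*2\.0\s*/\s*([A-Za-z0-9-]+)", value)
            return m.group(1).upper() if m else None
    return None


def media_streams(body):
    """One record per SDP m= section: media type, profile, a=crypto seen."""
    streams = []
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) >= 3:
                streams.append({"media": fields[0],
                                "proto": fields[2].upper(),
                                "crypto": False})
        elif line.startswith("a=crypto:") and streams:
            streams[-1]["crypto"] = True
    return streams


def classify(raw):
    """Return the TLS/SRTP combination of one message plus audit findings."""
    _, headers, body = parse_sip(raw)
    transport = top_via_transport(headers)
    tls = transport == "TLS"
    streams = media_streams(body)
    srtp = bool(streams) and all(s["proto"] in SRTP_PROFILES for s in streams)
    findings = []
    if not tls:
        findings.append(f"signaling not carried over TLS (Via transport {transport})")
    for s in streams:
        if s["proto"] not in SRTP_PROFILES:
            findings.append(f"{s['media']} stream uses {s['proto']}, not SRTP")
    if not tls and any(s["crypto"] for s in streams):
        # With SDES the SRTP master key travels inside the SDP body.
        findings.append("a=crypto key material readable in signaling that is not TLS-protected")
    row = f"TLS {'On' if tls else 'Off'} / SRTP {'On' if srtp else 'Off'}"
    return {"row": row, "tls": tls, "srtp": srtp, "findings": findings}


def build_invite(transport, port, profile, with_crypto):
    """Build a constructed INVITE from 1111 to 2222 for the audit."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-",
           "c=IN IP4 192.0.2.10", "t=0 0", f"m=audio 40000 {profile} 0 8"]
    if with_crypto:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                   "inline:CONSTRUCTED-PLACEHOLDER-NOT-A-KEY")
    body = "\r\n".join(sdp) + "\r\n"
    head = ["INVITE sip:2222@192.0.2.20 SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bKconstructed",
            "From: <sip:1111@192.0.2.10>;tag=1",
            "To: <sip:2222@192.0.2.20>",
            "Call-ID: constructed-1@192.0.2.10",
            "CSeq: 1 INVITE",
            "Content-Type: application/sdp",
            f"Content-Length: {len(body)}"]
    return "\r\n".join(head) + "\r\n\r\n" + body


if __name__ == "__main__":
    for args in (("TLS", 5061, "RTP/SAVP", True), ("UDP", 5060, "RTP/SAVP", True),
                 ("TLS", 5061, "RTP/AVP", False), ("UDP", 5060, "RTP/AVP", False)):
        result = classify(build_invite(*args))
        print(result["row"], result["findings"])
```

The third finding is the reason to treat SRTP without TLS as weaker than it looks when SDES is in use: the media is encrypted, but the key is sent in the clear.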
Configuring SIP connections This section describes how to configure SIP connections. Configuring connection properties Configuring registrar Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page as shown in Figure 659. Figure 659 Registrar configuration page Table 240 Configuration items Item Description Registrar State • Enable—Select the option to enable the SIP registrar.
Item Description • UDP—Apply the UDP transport layer protocol when the device registers to the main registrar. Main Registrar Transport Layer Protocol • TCP—Apply the TCP transport layer protocol when the device registers to the main registrar. • TLS—Apply the TLS transport layer protocol when the device registers to the main registrar. By default, the UDP protocol is applied. • SIP—Apply the SIP scheme as the URL scheme when the device registers to the Main Registrar URL Scheme main registrar.
Configuring proxy server Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the proxy server configuration page, as shown in Figure 660. Figure 660 Proxy server configuration page Table 241 Configuration items Item Description Use Server Group Select a server group from the list as the proxy server. You can add a server group on the page that can be accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
source of SIP signaling and media streams to avoid manual IP address configuration, and therefore help network management. Source IP address binding is supported on the Layer 3 Ethernet interface, GigabitEthernet interface, or dialer interface. For information about DHCP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Table 243 Application of the source address binding settings in different states
Settings made when… | Result
The call is active | • For SIP media streams, the source IP address binding settings do not take effect until the next SIP call. • For SIP signaling streams, the source IP address binding settings take effect immediately.
Table 244 Configuration items Item Description • UDP—Specify UDP as the transport layer protocol for incoming SIP calls and enable UDP listening port 5060. • TCP—Specify TCP as the transport layer protocol for incoming SIP calls and enable TCP listening port 5060. • TLS—Specify TLS as the transport layer protocol for incoming SIP calls and enable TLS listening port 5061. If you select this option, you must select a certificate from the Certificate list.
Configuring caller identity and privacy Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the caller identity and privacy configuration page, as shown in Figure 664. Figure 664 Caller identity and privacy configuration page Table 246 Configuration items Item Description • None—Neither the P-Preferred-Identity header field nor the P-Asserted-Identity header field is added.
Configuring SIP session refresh Introduction to SIP session refresh In a high-volume traffic environment, if a BYE message gets lost for a session, the call proxy server will not know that the session has ended. Therefore, it still maintains the state information for the call, which wastes resources of the server.
Figure 666 Compatibility configuration page Table 248 Configuration items Item Description The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices, you must configure the SIP compatibility options. • Enable—Configure the device to use the address (IP address or DNS domain Use the address in the To header field as the address in the From header field name) in the To header field as the address in the From header field when sending a SIP request.
Item Description UAC Product Version Specify the product version of the UAC. UAS Product Name Specify the product name of the UAS. UAS Product Version Specify the product version of the UAS. Configuring advanced settings Registration timers are available to SIP trunk accounts. For information about SIP trunk, see "Configuring SIP trunk." Configuring the address hiding mode 1. Select Voice Management > Call Connection > SIP Connection from the navigation tree. 2. Click the Advanced Settings tab.
Table 250 Configuration items Item Description Address Specify the IP address or domain name of the proxy server. Port Specify the port number of the proxy server. Configuring registration parameters Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Advanced Settings tab to access the configuration page as shown in Figure 669.
Item Description Registration Percentage To ensure the validity of registration information of a local number or an SIP trunk account on the registrar, the local number or SIP trunk account must re-register with the registrar at a specified time before the registration expiration interval is reached. You can set the registration percentage or lead time before registration to set the time when the local number or SIP trunk account re-registers with the registrar.
Item Description Fuzzy telephone number registration refers to the use of a wildcard (including the dot . and the character T), rather than a standard E.164 number in the match template of a POTS entity. After enabling fuzzy telephone number registration, the voice gateway (router) retains dots and substitutes asterisks (*) for Ts when sending REGISTER messages. Fuzzy Telephone Number Registration • Enable—Enable fuzzy telephone number registration. • Disable—Disable fuzzy telephone number registration.
Table 252 Configuration items Item Description • UDP—Specify UDP as the transport layer protocol to be used during the subscription. • TCP—Specify TCP as the transport layer protocol to be used during the Transport Layer Protocol subscription. • TLS—Specify TLS as the transport layer protocol to be used during the subscription. By default, UDP is adopted. URL Scheme • SIP—Specify SIP as the URL scheme to be used during subscription. • SIPS—Specify SIPS as the URL scheme to be used during subscription.
Table 253 Configuration items
Item | Description
TCP Connection Aging Time | Set the aging time for TCP connections. If the idle time of an established TCP connection reaches the specified aging time, the connection will be closed.
TLS Connection Aging Time | Set the aging time for TLS connections. If the idle time of an established TLS connection reaches the specified aging time, the connection will be closed.
Configuring SIP status code mappings Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the SIP Status Code Mapping tab to access the page as shown in Figure 673. Figure 673 SIP status code mapping configuration page You can select the values in the PSTN Release Cause Code fields. You can also click Load Default Value to restore the default mappings between PSTN release cause codes and SIP status codes.
Figure 674 Network diagram Configuration procedure 1. Configure basic voice calls: configure a local number and the call route to Router B. a. Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind the number to line 1/0 on the local number configuration page. b. Configure the call route to Router B: specify the call route ID as 2222, the destination number as 2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as 192.
Figure 676 Configuring caller identity presentation restriction mode a. Select P-Asserted-Identity for Caller Identity Presentation Restriction Mode. b. Click Apply. Verifying the configuration After the above configuration, when you use telephone 1111 to call telephone 2222, the calling number 1111 will not be displayed on telephone 2222. Configuring SRTP for SIP calls Network requirements Two routers Router A and Router B work as SIP UAs.
Verifying the configuration SIP calls use the SRTP protocol to encrypt and authenticate media flows, and call conversations are well protected. Configuring TCP to carry outgoing SIP calls Network requirements Two routers Router A and Router B work as SIP UAs. It is required that SIP calls between the two parties be carried over TCP. Figure 679 Network diagram Configuration procedure 1. Configure basic voice calls, see "Configure basic voice calls: configure a local number and the call route to Router B.
Figure 681 Specifying listening transport layer protocol a. Select TCP for SIP Listening Transport Layer Protocol. b. Click Apply. Verifying the configuration SIP calls from telephone 1111 to telephone 2222 are carried over TCP. You can view information about TCP connections on the TCP Connection Information tab page by selecting Voice Management > States and Statistics > SIP UA States from the navigation tree and clicking the TCP Connection Information tab.
Figure 683 Specifying transport layer protocol for outgoing calls a. Select TLS for Transport Layer Protocol for SIP Calls. b. Click Apply. # Specify TLS as the transport layer protocol for incoming SIP calls. Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the transport layer protocol configuration page as shown in Figure 684. Figure 684 Specifying listening transport layer protocol a.
Managing SIP server groups A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured with up to five member servers. An index represents the priority of a member server in the SIP server group. The smaller the index value, the higher the priority. The currently used SIP server is called the current server. Each server in the SIP server group can be the current server, but there is only one current server at a time. Creating a SIP server group 1.
2. Click Add. The page for configuring a server group appears. Figure 686 Configuring real-time switching 3. Configure real-time switching as described in Table 255. Table 255 Configuration items Item Description Enable or disable the real-time switching function.
Table 256 Configuration items Item Description The keep-alive function is used to detect whether the SIP servers in a SIP server group are reachable. The SIP trunk device selects a server according to the detect result and the redundancy mode. If the keep-alive function is disabled, the SIP trunk device always uses the server with the highest priority in the SIP server group. Keep-Alive Mode • Disabled—Disable the keep-alive function.
Item Description IPv4 Address Bound with the Media Stream If you select IPv4 Address Binding as the media stream binding mode, you must type the IPv4 address to be bound in this field. Interface Bound with the Media Stream If you select Interface Binding as the media stream binding mode, you need to specify the interface to be bound from the list. Only the Layer 3 Ethernet interface, GE interface, and dialer interface are supported. Configure source address binding mode for signaling streams.
2. Click Add. The page for configuring a server group appears. Figure 689 Configuring server information management 3. Configure server information management as described in Table 258. 4. Click Apply. Table 258 Configuration items Item Description Server ID Set server ID. A SIP server group can be configured with up to five member servers. A server ID represents the priority of the server in the SIP server group. The smaller the ID, the higher the priority.
Configuring SIP trunk As shown in Figure 690, on a typical telephone network, internal calls of the enterprise are made through the internal PBX, and external calls are placed over a PSTN trunk. Figure 690 Typical telephone network With the development of IP technology, many enterprises deploy SIP-based IP-PBX networks as shown in Figure 691. Internal calls of the enterprise are made by using the SIP protocol, and external calls are still placed over a PSTN trunk.
Figure 692 All IP-based network All IP-based network ITSP Enterprise intranet SIP SIP SIP trunk Router IP-PBX SIP server SIP trunk device SIP server Features SIP trunk has the following features: 1. Only one secure and QoS guaranteed SIP trunk link is required between a SIP trunk device and the ITSP. The SIP trunk link can carry multiple concurrent calls, and the carrier only authenticates the link instead of each SIP call carried on this link. 2.
Figure 693 SIP trunk network diagram Protocols and standards SIP trunk-related protocols and standards are as follows: • RFC 3261 • RFC 3515 • SIPconnect Technical Recommendation v1.1 Configuring SIP trunk This section describes how to configure SIP trunk. Configuration task list Task Remarks Enabling the SIP trunk function Required. Configuring a SIP server group Configuring a SIP trunk account Configuring a call route for outbound call Creating a SIP server group Required.
Enabling the SIP trunk function Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree. Figure 694 Configuring services Table 259 Configuration item Item Description Enable the SIP trunk function before you can use other SIP trunk functions. HP recommends not using a device enabled with the SIP trunk function as a SIP UA. SIP Trunk Function • Enable. • Disable. By default, the SIP trunk function is disabled.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and click Add. The following page appears.
Figure 695 Configuring a SIP trunk account
Table 260 Configuration items
Item | Description
Account ID | Enter a SIP trunk account ID.
SIP Server Group for Registration | Select the SIP server group used by the SIP trunk account for registration. SIP server group can be configured in Voice Management > Call Connection > SIP Server Group Management.
Item | Description
Registration Function | • Enable. • Disable. By default, the registration function of the SIP trunk account is disabled.
Authentication Username | Enter the authentication username for the SIP trunk account.
Authentication Password | Enter the authentication password for the SIP trunk account.
To perform registration, you must provide the host username or associate the account with a SIP server group.
Figure 696 Configuring a call route
Table 261 Configuration items
Item | Description
Call Route ID | Enter a call route ID.
Destination Number | Enter the called telephone number.
Bound Account | Select a SIP trunk account to be bound to the voice entity.
Description | Enter a description for the call route.
Proxy Server. Use a SIP proxy server to complete calling. If you select this option, you must configure the proxy server beforehand in Voice Management > Call Connection > SIP Connection.
Item | Description
Status | • Enable. • Disable.
Configuring fax and modem parameters of the call route of a SIP trunk account
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the icon of the call route to be configured to access the call route fax and modem configuration page.
The fax and modem parameters of the call route of a SIP trunk account are the same as those of a call route. For more information about fax and modem parameters, see "Fax and modem.
Item | Description
Match a Source Host Name Prefix | • Specify the prefix of a source host name as a call match rule. The specified source host name prefix is used to match against the source host names of calls. If the INVITE message received by the SIP trunk device carries the Remote-Party-ID header, the source host name is extracted from this header field.
Configuring media parameters for SIP-to-SIP connections
1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears.
Figure 698 Configuring media parameters
3. Configure media parameters for SIP-to-SIP connections as described in Table 263.
Item | Description
Media Flow Mode | Select the media flow mode: • Around—Enable the media packets to pass directly between two SIP endpoints, without the intervention of the SIP trunk device. The media packets flow around the SIP trunk device. • Relay—Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets. By default, the Relay option is selected.
Delayed Offer to Early Offer | • Enable—Enable delayed offer to early offer (DO-EO) conversion on the SIP trunk device.
Item | Description
Mid-call Signal | • Remote process—If the session timer mechanism is initiated by the calling party, and the called party also supports this mechanism, you can select this option to enable the called party to process the session update information. Otherwise, the session timer mechanism only works between the calling party and the SIP trunk device. The interval for sending session update requests is negotiated by endpoints. For more information, see RFC 4028.
1. Select Voice Management > Local Number from the navigation tree and click Add.
Figure 701 Configuring a local number
2. Enter 2000 for Number ID.
3. Enter 2000 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Click Apply.
# Configure a call route.
6. Select Voice Management > Call Route from the navigation tree and click Add.
Figure 702 Configuring a call route
7. Enter 10000 for Call Route ID.
8. Enter 1000 for Destination Number.
9.
10. Enter 1.1.1.2 for Destination Address.
11. Click Apply.
Configuring the SIP trunk device
# Enable the SIP trunk function.
1. Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree.
Figure 703 Configuring services
2. Select Enable for SIP Trunk Function.
3. Click Apply.
# Create SIP server group 1. Add a SIP server into the server group: the ID and the IPv4 address of the server are 1 and 10.1.1.2 respectively.
4.
5. Enter 1 for Server Group ID.
6. Enter 1 for Server ID.
7. Enter 10.1.1.2 for Server Address.
8. Click Add the Server.
9. Click Apply.
# Create SIP trunk account 1 with the host username 2000, and associate the account with SIP server group 1.
10. Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and click Add.
Figure 705 Configuring a SIP trunk account
11. Enter 1 for Account ID.
12.
Figure 706 Configuring a call route for the SIP trunk account
17. Enter 20000 for Call Route ID.
18. Enter 1000 for Destination Number.
19. Select account1 from the Bound Account list.
20. Select Bind to Server Group for SIP Trunk Routing.
21. Select server-group-1 from the Server Group list.
22. Click Apply.
# Configure the call route for the inbound calls from public network user 1000 to private network user 2000. Configure the IP address of the peer end as 1.1.1.
25. Enter 2000 for Destination Number.
26. Select IP Routing for SIP Route Type.
27. Enter 1.1.1.1 for Destination Address.
28. Click Apply.
Configuring Router B
# Configure a local call number.
1. Select Voice Management > Local Number from the navigation tree and click Add.
Figure 708 Configuring a local number
2. Enter 1000 for Number ID.
3. Enter 1000 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Click Apply.
# Configure a call route.
6.
8. Enter 2000 for Destination Number.
9. Select SIP for Call Route Type.
10. Select Proxy Server for SIP Routing.
11. Click Apply.
# Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar.
12. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the Connection Properties tab.
Figure 710 Configuring connection properties
13. Select Enable for Register State.
14. Enter 10.1.1.2 for Main Registrar Address.
15. Click Apply.
Figure 711 Network diagram (diagram labels: ITSP-A, SIP server 10.1.1.3/24, SIP server 10.1.1.2/24, enterprise private network, public network, Router A, SIP trunk device, Router B, numbers 2000 and 1000, addresses 1.1.1.1/24, 1.1.1.2/24, 2.1.1.1/24, 2.1.1.2/24)
Configuration procedure
# Enable the SIP trunk function. (Details not shown.)
# Create SIP server group 1. Add two SIP servers into the server group: the IP addresses are 10.1.1.2 and 10.1.1.3, and the server with the address 10.1.1.2 has a higher priority value.
Figure 712 Configuring server group
2. Enter 1 for Server Group ID.
3. Select Enable for Real-Time Switching.
4. Select Options for Keep-Alive Mode.
5. Enter 1 for Server ID.
6. Enter 10.1.1.2 for Server Address.
7. Click Add the Server.
8. Enter 3 for Server ID.
9. Enter 10.1.1.3 for Server Address.
10. Click Add the Server.
11. Click Apply.
# Set the redundancy mode for SIP server group 1 to parking. (Optional. The redundancy mode for a SIP server group is parking by default.)
12.
Figure 713 Advanced settings
13. Select Parking for Redundancy Mode.
14. Click Apply.
Other configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server."
Verifying the configuration
1. When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes over communications between the private network and the public network. After that, the communications recover.
2.
Figure 714 Network diagram
Configuration procedure
# Configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server."
# Configure Router A2: Configure a local number 2001 and a call route to Router B. For the configuration procedure, see "Configuring Router A."
# Configure Router B: Configure a call route to Router A2. For the configuration procedure, see "Configuring Router B.
2. Select IPv4 Address from the Match a Source Address list.
3. Enter 1.1.1.1 for IPv4 Address.
4. Click Apply.
Verifying the configuration
1. Private network users connected to Router A1 can call public network users, but private network users connected to Router A2 cannot call public network users.
2. Public network users can call any private network user.
Managing data links
This section provides information about data link management and configuration.
Overview
Introduction to E1 and T1
Plesiochronous digital hierarchy (PDH) includes two major communications systems: ITU-T E1 system and ANSI T1 system. The E1 system is dominant in Europe and some non-European countries. The T1 system is dominant in the USA, Canada and Japan. E1 and T1 use the same sampling frequency (8 kHz), PCM frame length (125 μs), bits per code (8 bits) and timeslot bit rate (64 kbps).
E1 and T1 interfaces
E1 interface
An E1 interface is logically divided into timeslots (TSs) with TS16 being a signaling channel. On E1 interfaces, you can create PRI groups or TS sets. You can use an E1 interface as an ISDN PRI or CE1 interface:
1. As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling.
Features of E1 and T1
E1 and T1 are characterized by the following:
• Signaling modes
• Fax function
• Protocols and standards
Signaling modes
E1/T1 interfaces support these types of signaling:
• DSS1/QSIG user signaling, adopted on the D channel between ISDN user and network interface (UNI). It has a data link layer protocol and a Layer 3 protocol used for basic call control.
• ITU-T R2 signaling, which includes digital line signaling and interregister signaling.
Generally, a BSV interface is used to connect an ISDN digital telephone. Also, it can be used as a trunk interface connecting to a PBX digital trunk. If it cooperates with an FXS or FXO interface, a BSV interface can realize flexible routing policies for voice calls.
Configuring digital link management
You can click the link of a digital link name to access the page displaying the link state. For more information, see "Displaying ISDN link state."
Item Description • Internal—Set the internal crystal oscillator time division multiplexing (TDM) clock as the TDM clock source on the E1 interface. After that, the E1 interface obtains clock from the crystal oscillator on the main board. If it fails to do that, the interface obtains clock from the crystal oscillator on its E1 card. Because SIC cards are not available with crystal oscillator clocks, E1 interfaces on SIC cards can only obtain clock from the main board.
Figure 718 E1 parameters configuration page (2)
You are not allowed to configure the following parameters on an ISDN interface if there is still a call on it:
• ISDN Overlap-Sending
• Switch to ACTIVE State Without Receiving a Connect-Ack Message
• Carry High Layer Compatibility Information
• Carry Low Layer Compatibility Information
• ISDN Call Reference Length
These parameters can take effect only if they are configured when there is no call on the interface.
Item | Description
ISDN Protocol Type | Set the ISDN protocol to be run on an ISDN interface: DSS1, QSIG, or ETSI. By default, an ISDN interface runs DSS1.
ISDN Working Mode | Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
Configure local ISDN B channel management.
• Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch.
Item | Description
• Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message.
• Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
Item | Description
• Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call.
• Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
Table 268 Configuration items
Item | Description
Physical Parameters Configuration
Working Mode | Configure the working mode of the T1 interface: • None—Remove the existing bundle. • PRI Trunk Signaling—Bundle timeslots on a T1 interface into a PRI group. By default, no PRI group is created.
Bound Timeslot Number | Specify the timeslots to be bundled.
Frame Check Mode | • ESF—Perform extended super frame (ESF). • SF—Perform super frame (SF).
Figure 720 T1 parameters configuration page (2)
ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table 267 describes the ISDN parameters configuration items.
Configuring BSV line
Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of the BSV line to be configured to access the BSV parameters configuration page.
Figure 721 BSV parameters configuration page
Table 269 Configuration items
Item | Description
ISDN Protocol Type | Set the ISDN protocol to be run on an ISDN interface: DSS1, ANSI, NI, NTT, or ETSI. By default, an ISDN interface runs DSS1.
ISDN Working Mode | Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
Item | Description
Configure local ISDN B channel management.
• Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch.
• Common management—The device operates in local B channel management mode to select available B channels for calls. However, the ISDN switch still has a higher priority in B channel selection. If a locally selected B channel is different from that selected by the ISDN switch, the one indicated by the ISDN switch is used for communication.
Item | Description
• Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message.
• Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
Item | Description
• Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call.
• Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
Item Description Set length of the call reference used when a call is placed on an ISDN interface. ISDN Call Reference Length Status The call reference is equal to the sequence number that the protocol assigns to each call. It is 1 or 2 bytes in length and can be used cyclically. When the device receives a call from a remote device, it can automatically identify the length of the call reference. However, some devices on the network do not have this capability.
Figure 723 Network diagram
Configuration procedure
1. Configure Router A:
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page.
Figure 724 E1 parameters configuration page
a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.
# Configure local numbers and call routes.
c.
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page.
Figure 725 E1 parameters configuration page
a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.
# Configure call routes.
c.
Managing lines
This section provides information on managing and configuring various types of subscriber lines.
FXS voice subscriber line
A foreign exchange station (FXS) interface uses a standard RJ-11 connector and a telephone cable to directly connect with an ordinary telephone or a fax machine. An FXS interface accomplishes signaling exchange based on the level changes on the Tip/Ring line and provides ring, voltage, and dial tone.
Figure 726 Immediate start mode (diagram labels: calling side (E/M), called side (M/E); pick up the phone requesting for service, send the called number, pick up the phone to answer, conversation, hang up)
• Delay start—In this mode, the caller first picks up the phone to seize the trunk line, and the called side (such as the peer PBX) also enters the off-hook state in response to the off-hook action of the caller.
One-to-one binding between FXS and FXO voice subscriber lines
The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines improves the reliability of voice solutions. For industry-specific users, highly reliable communication over FXS voice subscriber lines is required. That is, dedicated FXO voice subscriber lines can be used for communication over PSTN when the IP network is unavailable.
Symptom | Parameters adjusted | Effect
There are loud environment noises. | Increase the maximum amplitude of comfortable noises. | Too large amplitude might make noises uncomfortable.
A user hears his or her voice when speaking. | Enlarge the control factor of mixed proportion of noises. | Too high a control factor leads to audio discontinuity.
There are echoes when both parties speak at the same time. | Enlarge the judgment threshold for bidirectional conversation.
Figure 730 FXS line configuration page
Table 272 Configuration items
Item | Description
Basic Configurations
Description | Specify the description of the FXS line.
Max Interval for Dialing the Next Digit | Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed.
Max Interval between Off-hook and Dialing the First Digit
Max Duration of Playing Ringback Tones
Item | Description
Status | • Enable. • Disable.
Advanced Settings
Dial Delay Time | Specify the dial delay in seconds.
Lower Limit for Hookflash Detection | Specify the time range for the duration of an on-hook condition that will be detected as a hookflash. That is, an on-hook condition that lasts for a period within the hookflash duration range (longer than the lower limit and shorter than the upper limit) is considered a hookflash.
Configuring an FXO voice subscriber line
Select Voice Management > Line Management from the navigation tree, and then click the icon of the FXO line to be configured to access the FXO line configuration page, as shown in Figure 731.
Figure 731 FXO line configuration page
Table 273 Configuration items
Item | Description
Basic Configurations
Description | Specify the description of the FXO line.
Item | Description
Max Interval for Dialing the Next Digit | Specify the maximum interval for the user to dial the next digit. This timer restarts each time the user dials a digit and will work in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user will be prompted to hook up and the call is terminated.
Max Interval between Off-hook and Dialing the First Digit
Item | Description
VAD Threshold | Set the silence threshold. If the amplitude of voice signals from the switch is smaller than this value, the system regards the voice signals as silence. Generally, the signal amplitude on the links without traffic is in the range of 2 to 5. By default, the silence threshold is 20.
On-hook Duration for VAD | Set the silence duration for automatic on-hook. Upon expiration of this duration, the system performs on-hook automatically.
Item | Description
Comfortable Noise Function | Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable. • Enable. • Disable. By default, the comfortable noise function is enabled.
Busy Tone Sending | • Enable. • Disable.
Duration of Busy Tone | With the busy-tone sending function enabled, you can set the duration of busy tones.
Figure 732 E&M line configuration page
Table 274 Configuration items
Item | Description
Basic Configurations
Description | Description of the E&M line.
Cable Type | Select the E&M interface cable type: 4-wire or 2-wire. By default, the cable type is 4-wire. When you configure the cable type, make sure the cable type is the same as that of the peer device. Otherwise, only unidirectional voice service is available. The configuration will be applied to all E&M interfaces of the card.
Item | Description
Signal Type | Specify the signal type. Types 1, 2, 3, and 5 are the four signal types (that is, types I, II, III, and V) of the analog E&M subscriber line. When you configure the signal type, make sure the signal type is the same as that of the peer device. The configuration will be applied to all analog E&M lines in the corresponding slot.
Specify the maximum interval for the user to dial the next digit.
Item Description Input Gain on the Voice Interface When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value. Output Gain on the Voice Interface SLIC Chip Output Gain When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do it with the guidance of technical personnel.
Figure 733 ISDN line configuration page
Table 275 Configuration items
Item | Description
Description | Description of the ISDN line.
Comfortable Noise Function | Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable. • Enable. • Disable. By default, the comfortable noise function is enabled.
Echo Cancellation Function | • Enable. • Disable.
Item | Description
DTMF Detection Sensitivity Level | Set the DTMF detection sensitivity level. • Low—In this mode, the reliability is high, but DTMF tones might fail to be detected. • High—In this mode, the reliability is low and detection errors might occur.
• Enable. • Disable.
Configuring an MoH line
Select Voice Management > Line Management from the navigation tree, and then click the icon of the paging line to be configured to access the MoH interface configuration page, as shown in Figure 735.
Figure 735 Configuring SIC-audio MoH interface
Table 277 Configuration items
Item | Description
Line Description | Specify the description of the MoH line.
Line management configuration examples
Configuring an FXO voice subscriber line
Network requirements
As shown in Figure 736, the FXO voice subscriber line connected to Router B operates in PLAR mode, and the default remote phone number is 010-1001. Dialing the number 0755-2003 on phone 0755-2001 connects to Router B. Because Router B operates in private-line mode (that is, the hotline mode), it requests connection to the preset remote number 010-1001 at Router A.
Figure 737 Hotline number configuration page
4. Enter 0101001 in the Hotline Numbers field.
5. Click Apply.
Verifying the configuration
If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number 010-1001 at Router A.
Configuring one-to-one binding between FXS and FXO
Network requirements
• Router A and Router B are connected over an IP network and a PSTN.
Figure 738 Network diagram
Configuration considerations
• Configure one-to-one binding between FXS and FXO voice subscriber lines.
• When the IP network is available, the VoIP entity is preferably used to make calls over the IP network.
• When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO voice subscriber line over the PSTN.
Configuration procedure
Router A and Router B are routable to each other. The configuration of interface IP addresses is not shown.
Figure 739 Permitted call number group configuration page
b. Enter 1 in the Group ID field.
c. Enter 0101001 in the Numbers in the Group field and click Add.
d. Click Apply.
e. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 740 Call route binding page
a. Select the Permit the calls from the number group option.
b. Select call route 211.
c. Click Apply.
Figure 741 Hotline number configuration page
a. Enter 0101001 in the Hotline Numbers field.
b. Click Apply.
# Configure the delay off-hook binding for the FXO line.
c. Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO line 4/0 to access the FXO line configuration page.
Figure 742 FXO line delay off-hook binding configuration page
b. Select the Delay Off-hook option.
c. Select subscriber-line 3/0 from the Binding FXS Line list.
d. Click Apply.
Figure 743 Entity type selection sequence configuration page
b. Select Enable in the Select Based on Voice Entity Type area.
c. Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR.
d. Click Apply.
2. Configure Router B:
# Configure a local number and two call routes.
a. Configure a call route in the call route configuration page: The call route ID is 10, the destination number is 010….
b. Type 1 in the Group ID field.
c. Type 2101002 in the Numbers in the Group field and click Add.
d. Click Apply.
e. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 745 211 Call route binding page
a. Select the Permit the calls from the number group option.
b. Select call route 211.
c. Click Apply.
# Configure the hotline number.
d.
Figure 747 FXO line delay off-hook binding configuration page
b. Select the Delay Off-hook option.
c. Select subscriber-line 3/0 from the Binding FXS Line list.
d. Click Apply.
# Configure the system to first select VoIP entity.
e. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page.
Figure 748 Entity type selection sequence configuration page
b. Select Enable in the Select Based on Voice Entity Type area.
c.
Verifying the configuration
When the IP network is unavailable, calls can be made over the PSTN.
Configuring SIP local survival
IP phones have been deployed throughout the headquarters and branches of many enterprises and organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP phones at branches. The local survival feature enables the voice router at a branch to automatically detect the reachability of the headquarters voice server, and process calls originated by attached IP phones when the headquarters voice server is unreachable.
Configuring SIP local survival
Service configuration
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the page as shown in Figure 750.
Figure 750 Configuring service
Table 278 Configuration items
Item | Description
Server Running State | • Enable—Enable the local SIP server. • Disable—Disable the local SIP server. By default, the local SIP server is disabled.
Item | Description
• Alone—The local SIP server in alone mode acts as a small voice server.
• Alive—The local SIP server in alive mode supports the local survival feature. That is, when the communication with the remote server fails, the local SIP server accepts registrations and calls; when the communication resumes, the remote server accepts registrations and calls again and the local SIP server rejects registrations and calls.
Trusted nodes
Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the page as shown in Figure 752.
Figure 752 Configuring a trusted node
Table 280 Configuration items
Item | Description
By default, no trusted node is configured. A trusted node can directly originate calls without being authenticated by the local SIP server. You do not need to configure user information for the number of the trusted node.
Enter the port number of the trusted node.
Figure 753 Configuring a call-out route
Table 281 Configuration items
Item | Description
ID | Enter the ID of the call-out route.
Destination Number Prefix, Number length | Enter the destination number prefix and length. Suppose the destination number prefix is 4100, and the number length is 6. This configuration matches destination numbers that are 6 digits long and start with 4100. A dot can be used after a number to represent a character. This configuration does not support other characters.
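The prefix-and-length match described in Table 281, written out as an added example (not HP code and not output from the router) for checking which dialed numbers a planned set of call-out routes would accept. It reads each dot as a stand-in for exactly one character, and it assumes that when several routes match, the one with the most literal digits wins and ties go to the lowest ID; the route table and dialed numbers are constructed for illustration.

```python
"""Added example: test which dialed numbers a set of call-out routes would accept."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence

DIGITS = "0123456789"


@dataclass(frozen=True)
class CallOutRoute:
    route_id: int
    prefix: str  # digits, optionally followed by dots (one dot = one character)
    length: int  # required total length of the destination number

    def __post_init__(self) -> None:
        literal = self.prefix.rstrip(".")
        # Dots are only allowed after the digits; no other characters are supported.
        if not literal or any(c not in DIGITS for c in literal):
            raise ValueError(f"route {self.route_id}: bad prefix {self.prefix!r}")
        if self.length < len(self.prefix):
            raise ValueError(f"route {self.route_id}: length shorter than prefix")

    @property
    def literal_digits(self) -> int:
        """Number of fixed digits before any trailing dots."""
        return len(self.prefix.rstrip("."))

    def matches(self, number: str) -> bool:
        """True if the number has the configured length and fits the prefix."""
        if len(number) != self.length:
            return False
        return all(p == "." or p == n for p, n in zip(self.prefix, number))


def select_route(routes: Sequence[CallOutRoute], number: str) -> Optional[CallOutRoute]:
    """Pick the route for a dialed number, or None if no route accepts it."""
    candidates = [r for r in routes if r.matches(number)]
    if not candidates:
        return None
    # Assumption of this example: longest literal prefix wins, then lowest route ID.
    return min(candidates, key=lambda r: (-r.literal_digits, r.route_id))


def audit(routes: Sequence[CallOutRoute], numbers: Iterable[str]) -> Dict[str, Optional[int]]:
    """Map each dialed number to the ID of the route that would carry it."""
    result: Dict[str, Optional[int]] = {}
    for number in numbers:
        route = select_route(routes, number)
        result[number] = route.route_id if route else None
    return result


# Constructed route table: route 1 is the 4100/6 case from Table 281.
ROUTES = [
    CallOutRoute(1, "4100", 6),
    CallOutRoute(2, "41..", 6),
    CallOutRoute(3, "9", 4),
]

# Constructed dialed numbers to check against the table.
SAMPLES = ["410012", "419912", "4100123", "9123", "500000"]

if __name__ == "__main__":
    for number, route_id in audit(ROUTES, SAMPLES).items():
        verdict = f"route {route_id}" if route_id is not None else "no call-out route"
        print(f"{number}: {verdict}")
```

Running the same check with the numbers that must never leave the site (premium-rate or international ranges, for example) shows whether any route would accept them before the table is applied.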
You can configure up to eight call-in number prefixes. The local SIP server adopts longest match to deal with a called number.
Call authority control
Configure a call rule set
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the page as shown in Figure 755.
Figure 755 Configuring a call rule set
Table 282 Configuration items
Item | Description
Rule Set ID | Enter the ID of the call rule set.
Rule
Rule ID | Enter the rule ID.
Figure 756 Applying the call rule set
Table 283 Configuration items
Item | Description
Rule Set ID | Displays the call rule set ID.
Applied Globally | • Enable—Applies the call rule set to all registered users. • Disable—Specifies that the call rule set does not apply to any registered users.
Register users bound to the rule set | • In the Available register users field, select registered users and click << to add them to Register users bound to the rule set.
Figure 757 Network diagram
Configuring Router C
# Configure the router to operate in the alone mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page.
Figure 758 Configuring alone mode
2. Select Enable for Server Running State.
3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure user 1000.
6.
Figure 759 Configuring a user
7. Enter 1000 for User ID.
8. Enter 1000 for Telephone Number.
9. Enter 1000 for Authentication Username.
10. Enter 1000 for Authentication Password.
11. Click Apply.
# Configure user 5000 in a similar way.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the username is 1000, and the password is 1000.
2.
Configuring local SIP server to operate in alive mode
Network requirements
Router A and Router B carry out call services through the remote voice server VCX. Configure the local SIP server on Router A to operate in alive mode, so that calls can be originated or received through Router A when the VCX fails. When the VCX recovers, it will take over call services again.
Figure 760 Network diagram
Configuring Router A
# Configure the IP address of Ethernet 1/1 as 1.1.1.
5. Enter 3.1.1.1 for Remote Server IP Address.
6. Click Apply.
# Configure user 1000.
7. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page.
Figure 762 Configuring a user
8. Enter 1000 for User ID.
9. Enter 1000 for Telephone Number.
10. Click Apply.
# Configure user 5000 in a similar way.
Configuring Router A
1.
Verifying the configuration
• When the VCX fails, the local SIP server on Router A starts to accept registrations from phones, which then can call each other through Router A. Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that numbers 1000 and 5000 have been registered with the local SIP server on Router A.
• When the VCX recovers, Router A disables the local SIP server, and the phones register with the VCX again.
Figure 764 Configuring alone mode
2. Select Enable for Server Running State.
3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure user 1000.
6. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page.
Figure 765 Configuring a user
7. Enter 1000 for User ID.
8. Enter 1000 for Telephone Number.
9. Enter 1000 for Authentication Username.
10.
# Configure call rule set 0.
12. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page.
Figure 766 Configuring call rule set 0
13. Enter 0 for Rule Set ID.
14. Add three rules as shown in Figure 766.
15. Click Apply.
# Apply call rule set 0.
16. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 0 to access the following page.
Figure 767 Applying call rule set 0
17. Select Enable for Applied Globally.
18. Click Apply.
# Configure call rule set 2.
19. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page.
Figure 768 Configuring call rule set 2
20. Enter 2 for Rule Set ID.
21. Add a rule as shown in Figure 768.
22. Click Apply.
# Apply call rule set 2.
23. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 2 to access the following page.
Figure 769 Applying call rule set 2
24. Click 5000 in Available register users, and then click << to add it to Register users bound to the rule set.
25. Click Apply.

Configuring Router A
1.
2. Configure a local number in the local number configuration page: The ID is 5555, the number is 5555, the bound line is line2/1, the user name is 5555, and the password is 5555.
3. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1…, the routing type is SIP, and the SIP routing method is proxy server.
4.
Figure 771 Configuring alone mode
2. Select Enable for Server Running State.
3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure Router A as a trusted node.
6. Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the following page.
Figure 772 Configuring a trusted node
7. Type 1.1.1.1 for IP Address.
8. Click Apply.
# Configure area prefix 8899.
9.
Figure 773 Configuring an area prefix
10. Enter 8899 for Area Prefix.
11. Click Add a Prefix.
12. Click Apply.
# Configure user 5000.
13. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page.
Figure 774 Configuring user 5000
14. Enter 5000 for User ID.
15. Enter 5000 for Telephone Number.
16. Enter 5000 for Authentication Username.
17. Enter 5000 for Authentication Password.
18. Click Apply.

Configuring Router A
1.
Verifying the configuration
• Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that number 5000 has been registered with the local SIP server on Router C.
• Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes the area prefix 8899 from the called number, and alerts internal phone 5000. Pick up phone 5000. The call is established.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure a call-out route.
6. Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add to access the following page.
Figure 777 Configuring a call-out route
7. Enter 0 for ID.
8. Enter 55665000 for Destination Number Prefix, and 8 for Number Length.
9. Enter 2.1.1.1 for Destination IP Address.
10. Enter 8899 for Area Prefix.
11. Click Apply.
# Configure user 1000.
12.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
2. Configure a call route to Router B in the call route configuration page: The ID is 55665000, the destination number is 55665000, the routing type is SIP, and the routing method is proxy server.

Configuring Router B
1.
Configuring IVR

Overview
Interactive voice response (IVR) is used in voice communications. You can use the IVR system to customize interactive operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice telling the subscriber what to do. For example, it might tell the subscriber to dial a number.

Advantages
A conventional interactive voice system uses fixed audio files and operations.
Successive jumping
An IVR process can jump from node to node at most eight times in succession.

Error processing methods
The IVR system provides three error processing methods: terminate the call, jump to a specified node, and return to the previous node. You can select an error processing method for a call node, a jump node, or globally to handle errors.
You can click to save the media resource file to a specified directory. Click Add. The following page appears.
Figure 780 Configuring media resource

Table 284 Configuration items
Item: Description
Media Resource ID: Set a media resource ID.
Rename Media Resource: Type a name for the media resource file.
Upload Media Resource: Upload media resource files for g729r8, g711alaw, g711ulaw, and g723r53.
Figure 782 Modifying a media resource

Table 285 Configuration item
Item: Description
Media resource ID: Set a media resource ID.

Configuring the global key policy
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and click the Global Key Policy tab.
Table 286 Configuration items
Item: Description
Input Error Processing Method
Max Count of Input Errors: Enter the maximum number of input errors.
Play Voice Prompts for Input Errors:
• Enable.
• Disable.
Not enabled by default.
Voice Prompts: Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count: Set the number of voice prompts.
Figure 784 Configuring a call node

Table 287 Configuration items
Item: Description
Node ID: Enter a node ID.
Description: Enter a description for the node.
Item: Description
Play Voice Prompts:
• Enable.
• Disable.
Disabled by default.
The following options are available for playing voice prompts:
• Mandatory play—Only after the voice prompts end can the subscriber press keys effectively.
• Voice prompts—Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.
• Play count: Number of play times.
By default, mandatory play is disabled, and the play count is 1.
Item: Description
Secondary-Call
Number Match Mode:
• Match the terminator of the numbers.
• Match the length of the numbers.
• Match the local number and route.
Either the number match mode or the extension secondary call must be configured at least.
Length of Numbers: Enter the number length.
Terminator: Enter the terminator.
Extension Secondary-Call
Extension Number, Corresponding Number: Associate the extension number with the corresponding number.
Figure 785 Configuring a jump node
Table 288 Configuration items
Item: Description
Node ID: Enter a node ID.
Description: Enter a description for the node.
See Table 287 for description about other items.
Key mapping: Map actions with keys. Actions include:
• Terminate the call.
• Jump to a specified node. If this option is selected, you need to select the target node from the Specify a node list.
• Return to the previous node.
No key mapping is configured by default.
Table 289 Configuration items
Item: Description
Node ID: Enter a node ID.
Description: Enter a description for the node.
Operation Configuration:
• Terminate the call.
• Jump to a specified node. If this operation is selected, you must select a node from the Specify A Node list.
• Return to the previous node.
• Play voice prompts. If this operation is selected, you must select a voice prompt file from the Voice Prompt File list.
• Immediate secondary-call.
Item: Description
Number: Enter the access number.
Bind to Menu: Bind a node in the list to the access number. You can configure the nodes in Voice Management > IVR Services > Advanced Settings.
Description: Enter a description for the access number.
Register Function:
• Enable. The following registration parameters are configurable when Enable is selected.
• Disable.
Register Username: Enter the username for registration.
Register Password: Enter the password for registration.
IVR configuration examples

Configure a secondary call on a call node (match the terminator of numbers)

Network requirements
As shown in Figure 789, configure an IVR access number and call node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio file welcome.wav.
• The subscriber dials 50# at Telephone A to originate a secondary call and then Telephone B1 rings.
Figure 790 Uploading a media resource file
1. Enter 10001 for Media Resource ID.
2. Enter welcome for Rename Media Resource.
3. Click the Browse button of g729r8 codec to select the target file.
4. Click Apply.
Use the same method to upload other g729r8 media resource files timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
• If no number is dialed at Telephone A within the timeout time, Router B plays audio file timeout.wav.
Figure 791 Configuring the global key policy
5. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list.
6. Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout; select timeout from the Voice Prompts list.
7. Click Apply.
Configure the call node to achieve the following:
8. The subscriber dials the number 300 at Telephone A, and hears the voice prompts of audio file welcome.wav.
Figure 792 Configuring a call node
10. Type 10 for Node ID.
11. Type play-welcome for Description.
12. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
13. Select Match the terminator of the numbers from the Number Match Mode list; type # for Terminator.
14. Click Apply.
# Configure the access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
Figure 793 Configuring an access number
15. Type 30000 for Number ID.
16. Type 300 for Number.
17. Select play-welcome from the Bind to Menu list.
18. Click Apply.

Verifying the configuration
1. Dial the number 300 at Telephone A. The call node plays audio file welcome.wav.
2. Dial 50# at Telephone A. Telephone B1 rings.
Figure 794 Network diagram (labels: Telephone A, number 100; Telephone B1, number 50; Telephone B2, number 500; Router A; Router B; Eth1/1 1.1.1.1/24; Eth1/1 1.1.1.2/24)

Configuration procedure
1. Configure Router A: See Configuring Router A.
2. Configure Router B:
# Configure the call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Call Node tab, and click Add to access the following page.
Figure 795 Configuring the call node
a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the length of the numbers from the Number Match Mode list; type 3 for Length of Numbers.
e. Click Apply.
For other settings, see Configuring Router B.

Verifying the configuration
1. Dial 300 at Telephone A. Router B plays the audio file welcome.wav.
2. Dial 500. Telephone B2 rings.
Configure a secondary call on a call node (match a number)

Network requirements
As shown in Figure 796, configure an IVR access number and call node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio file welcome.wav. Configure number match so that when the subscriber dials 50, Telephone B1 rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file input_error.wav.
Figure 797 Configuring a call node
a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the local number and route from the Number Match Mode list.
e. Click Apply.
For other settings, see Configuring Router B.

Verifying the configuration
1. Dial 300 at Telephone A. Router B plays the audio file welcome.wav.
2. Dial 50. Telephone B1 rings.
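The three number match modes, and the extension secondary call from the call node table, can be compared side by side in a small model. This is an added example, not HP code: the `CallNode` class, its field names, the `max_digits` cap, and the rules that an extension key is only recognised as the first key and that the first exact local match wins are assumptions of the model.

```python
"""Model of how an IVR call node decides a secondary-call number is complete.

Added illustration: a simplified reading of the match modes in Table 287,
not the router's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class CallNode:
    mode: str                       # "terminator", "length", "local" or "none"
    terminator: str = "#"           # used by mode "terminator"
    length: int = 0                 # used by mode "length"
    local_numbers: frozenset = frozenset()          # used by mode "local"
    extensions: dict = field(default_factory=dict)  # extension key -> corresponding number
    max_digits: int = 31            # assumed cap so the collector cannot grow without bound

    def collect(self, keys):
        """Consume key presses in order.

        Returns (number, keys_used). number is None when the input is an
        error (nothing can match) or runs out first (the timeout path).
        """
        digits = ""
        for used, key in enumerate(keys, start=1):
            # Assumption: an extension key is only recognised as the first key.
            if not digits and key in self.extensions:
                return self.extensions[key], used
            if self.mode == "terminator" and key == self.terminator:
                return (digits or None), used
            digits += key
            if len(digits) > self.max_digits:
                return None, used
            if self.mode == "length" and len(digits) == self.length:
                return digits, used
            if self.mode == "local":
                if digits in self.local_numbers:
                    return digits, used          # assumption: first exact match wins
                if not any(n.startswith(digits) for n in self.local_numbers):
                    return None, used            # no configured number starts like this
        return None, len(keys)


# Numbers from the examples on this page: Telephone B1 is 50, Telephone B2 is 500.
ROUTER_B_NUMBERS = frozenset({"50", "500"})


def run_page_examples():
    """Replay the dialled strings from the call-node examples, plus edge cases."""
    by_terminator = CallNode(mode="terminator", terminator="#")
    by_length = CallNode(mode="length", length=3)
    by_local = CallNode(mode="local", local_numbers=ROUTER_B_NUMBERS)
    # Mode "none": only the extension secondary call is configured.
    by_extension = CallNode(mode="none", extensions={"0": "500"})
    return {
        "terminator 50#": by_terminator.collect("50#"),
        "length 500": by_length.collect("500"),
        "local 50": by_local.collect("50"),
        "extension 0": by_extension.collect("0"),
        # Edge cases the verification steps do not exercise:
        "terminator # alone": by_terminator.collect("#"),
        "length 50 (too short)": by_length.collect("50"),
        "local 500 (50 matches first)": by_local.collect("500"),
        "local 7 (no such number)": by_local.collect("7"),
    }


if __name__ == "__main__":
    for case, result in run_page_examples().items():
        print(f"{case:32} -> {result}")
```

In this model, Match the local number and route completes on 50 before a third digit is read, so a dial plan that holds both 50 and 500 reaches 500 only through the terminator or length mode.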
Configure an extension secondary call on a call node

Network requirements
As shown in Figure 798, configure an IVR access number and call node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio file welcome.wav. Then the subscriber dials 0, and Router B makes an extension secondary call so that Telephone B rings.
Figure 799 Configuring a call node
a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select 0 for Extension Number.
e. Select 500 for Corresponding Number.
f. Click Apply.
For other settings, see Configuring Router B.
Verifying the configuration
1. Dial 300 at Telephone A. Router B plays the audio file welcome.wav.
2. Dial 0. Telephone B rings.

Configure a jump node

Network requirements
As shown in Figure 800, configure an IVR access number and jump node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio file welcome.wav. Then if the subscriber dials #, Router B terminates the call.
Figure 801 Configuring a jump node
a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Terminate the call for Key#.
e. Click Apply.
For other settings, see Configuring Router B.

Verifying the configuration
1. Dial 300 at Telephone A. Router B plays the audio file welcome.wav.
2. Dial #. The call is terminated.
Figure 803 Configuring a service node
a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Add two operations as shown in Figure 803.
d. Click Apply.
# Configure an access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
a. Type 30000 for Number ID.
b. Type 300 for Number.
c. Select call500 from the Bind to Menu list.
d. Click Apply.
For other settings, see Configuring Router B.

Verifying the configuration
Dial 300 at Telephone A. Telephone B rings.

Configure a secondary call on a service node

Network requirements
As shown in Figure 805, configure an IVR access number and service node functions on Router B to meet the following requirements.
Figure 806 Configuring a service node
a. Type 10 for Node ID.
b. Type reject-call for Description.
c. Add two operations as shown in Figure 806.
d. Click Apply.
# Configure an access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
Figure 807 Configuring an access number
a. Type 30000 for Number ID.
b. Type 300 for Number.
c. Select reject-call from the Bind to Menu list.
d. Click Apply.
For other settings, see Configuring Router B.

Verifying the configuration
Dial number 300 at Telephone A. Router B plays the audio file bye.wav, and then terminates the call.
Figure 808 Network diagram

Configuration procedure
1. Configure Router A: See Configuring Router A.
2. Configure Router B:
# Configure a local number in the local number configuration page. The number ID is 500, the number is 500, and the bound line is line 1/0.
# Upload a g729r8 media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to access the following page.
Figure 809 Uploading a g729r8 media resource file
a.
Figure 810 Configuring the global key policy
a. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list.
b. Enter 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout; select timeout from the Voice Prompts list.
c. Click Apply.
# Configure a call node.
Figure 811 Configuring a call node
a. Enter 10 for Node ID.
b. Enter play-call for Description.
c. Select Enable for Play Voice Prompts, select Enable for Mandatory Play, and select call from the Voice Prompts list.
d. Enter 1 for Extension Number, enter 500 for Corresponding Number, and click Add a Rule.
e. Click Apply.
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Service Node tab, and click Add to access the following page.
Figure 812 Configuring a service node
a. Enter 20 for Node ID.
b. Enter reject-call for Description.
c. Add two operations as shown in Figure 812.
d. Click Apply.
# Configure a jump node.
Figure 813 Configuring a jump node
a. Enter 10 for Node ID.
b. Enter play-welcome for Description.
c. Select Enable for both Play Voice Prompts and Mandatory Play.
d. Select welcome from the Voice Prompts list.
e. Select Jump to a specified node from the Key* list, and reject-all from its Specify a node list.
f. Select Jump to a specified node from the Key# list, and play-all from its Specify a node list.
g. Click Apply.
# Configure an access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
Figure 814 Configuring an access number
a. Enter 30000 for Number ID.
b. Enter 300 for Number.
c.
jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and secondary call.

Configure a Jump menu
Select Jump from the Menu Type list to access the following page.
Figure 815 Configuring a jump menu

Table 291 Configuration items
Item: Description
Menu Node ID: Enter a menu ID.
Menu Name: Enter a menu name.
Menu Type: Select Jump. By default, Jump is selected.
Play Voice Prompts When the User Enters the Menu: Select an audio file.
Item: Description
Input Error Processing Method: Select one of the following methods:
• Terminate the call.
• Jump.
• Return to the previous menu.
By default, no method is set.
Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing Method is Jump to a menu.
Input Error Prompts: Select an audio file. No audio file is selected by default.
Input Timeout Processing Method: Select one of the following methods:
• Terminate the call.
• Jump to a specified node.
Item: Description
Menu Name: Enter a menu name.
Menu Type: Select Terminate the call. By default, Jump is selected.
Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Configure a menu of type Enter the next menu
Select Enter the next menu from the Menu Type list to access the following page.
Figure 817 Entering the next menu

Table 293 Configuration items
Item: Description
Menu Node ID: Enter a menu ID.
Menu Name: Enter a menu name.
Figure 818 Returning to the previous menu

Table 294 Configuration items
Item: Description
Menu Node ID: Enter a menu ID.
Menu Name: Enter a menu name.
Menu Type: Select Return to the previous menu. By default, Jump is selected.
Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Configure a Dial immediately menu
Select Dial immediately from the Menu Type list to access the following page.
Item: Description
Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.
Call immediately: Enter the target number.

Configure a Secondary-call menu
Select Secondary-call from the Menu Type list to access the following page.
Figure 820 Secondary-call menu

Table 296 Configuration items
Item: Description
Menu Node ID: Enter a menu ID.
Menu Name: Enter a menu name.
Menu Type: Select Secondary-call.
Play Voice Prompts When the User Enters the Menu:
Item: Description
Input Error Processing Method: Select one of the following methods:
• Terminate the call.
• Jump to a menu.
• Return to the previous menu.
By default, the menu uses the input error processing method configured in the global key policy.
Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing Method is Jump to a menu.
Input Error Prompts: Select an audio file.
Figure 821 Binding an access number
Select the box of the target access number, and click Apply.

Customize IVR services

Enter the Customize IVR Services interface
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click the icon of the target menu to access the Customize IVR Services page.
NOTE: To perform any operation on the previous page, you must close the Customize IVR Services page first. Otherwise, you will get errors.
Figure 823 Adding a submenu
You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, or secondary-call. For information about the menu configuration, see Create a menu.
NOTE: If new settings are made on the page, click Apply to save them first before you select Add a new menu. Otherwise, the new settings might get lost.

Delete a menu
Enter the Customize IVR Services page, click the target menu, and click Delete the menu.
If the user dials 2, the system jumps to the government product sales department menu.
If the user dials #, the system terminates the call.
2. Marketing and sales department menu
This menu plays the audio file Welcome1.wav. Then, the following events occur:
If the user dials 0, the system dials the number 500 to call the attendant.
If the user dials 1, the system jumps to the major financial customer department menu.
If the user dials 2, the system jumps to the carrier customer department menu.
Figure 824 Configuring media resource
a. Enter 1000 for Media Resource ID.
b. Enter Hello for Rename Media Resource.
c. Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.
Use the same method to upload other g729r8 media resource files. You can see these uploaded files in Voice Management > IVR Services > Media Resources Management, as shown in Figure 825.
Figure 825 Media file list
2. Configure the access number:
# Configure the access number.
Figure 826 Configuring an access number
a. Enter 300 for Number ID.
b. Enter 300 for Number.
c. Enter Voice Menu Access Number for Description.
d. Click Apply.
# Create a menu.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click Add to create a menu.
Figure 827 Configuring a menu
a. Enter 1 for Menu Node ID.
b. Enter Voice Menu System of Company A for Menu Name.
c.
Figure 828 Binding the access number
Select the box of the access number 300, and click Apply.
3. Configure the voice menu system:
# Enter the Customize IVR Services page.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree to access the page shown in Figure 829. Click the icon of the menu to access the Customize IVR Services page shown in Figure 830.
Select the voice menu system of Company A from the navigation tree to access the following page.
Figure 831 Voice menu system of Company A
a. Select Add A New Node from the Jump to submenu list of key 0.
b. Click OK on the popup dialog box to access the following page.
Figure 832 Creating a submenu for the marketing and sales department
a. Enter 2 for Menu Node ID.
b. Enter Marketing and Sales Dept for Menu Description.
c.
Figure 833 Adding a submenu for the telecom product sales department
Figure 834 Adding a submenu for the government product sales department
Return to the Customize IVR Service page.
Figure 835 Voice menu system of Company A
a. Select Terminate the call from the Operation list of key #.
b. Click Apply.
c. Configure the marketing and sales department submenu:
Select Marketing and Sales Dept from the navigation tree.
Figure 836 Marketing and sales department submenu
a. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list for key 0.
b. Click OK on the popup dialog box to access the following page.
Figure 837 Adding a submenu
a. Enter 8 for Menu Node ID.
b. Enter Attendant for Menu Description.
c. Select Dial immediately from the Menu Type list, and type 500 for Call immediately.
d. Click Apply.
Figure 838 Marketing and sales department submenu
a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.
After the configuration, the marketing and sales department submenu is as shown in Figure 838.
4. Configure the telecom product sales department submenu:
a. Select Telecom Product Sales Dept from the navigation tree.
Figure 839 Telecom product sales department submenu
a. Select Jump from the Operation list, and Attendant from the Jump to submenu list of key 0.
b. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of key 1.
c. Click OK on the popup dialog box to access the following page.
Figure 840 Adding a submenu
a. Enter 9 for Menu Node ID.
b. Enter Introduction to Product A for Menu Description.
c. Select Return to the previous node from the Menu Type list, and ProductA from the Play Voice Prompts When the User Enters the Menu list.
d. Click Apply.
Use the same method to add submenus for introductions to Products B and C.
Select Government Product Sales Dept from the navigation tree. Configure the submenu as shown in Figure 842. The configuration procedure is identical to that of the telecom product sales department submenu.
Figure 842 Government product sales department submenu
After all the configuration is complete, the Customize IVR Services page is as shown in Figure 842.
Advanced configuration
This section provides global configuration and batch configuration.

Global configuration
Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to access the global configuration page, as shown in Figure 843.
Figure 843 Global configuration page

Table 297 Configuration items
Item: Description
Tone Playing Mode for Call Hold:
• Silent—The calling party does not play any tones to the called party during call hold.
Item: Description
Backup Rule: Specify the backup rule:
• Strict—One of the following three conditions will trigger strict call backup:
  The device does not receive any reply from the peer after sending out a call request.
  The device fails to initiate a call to the IP network side.
  The device fails to register on the voice server.
Figure 844 VRF-aware SIP

Batch configuration

Local number

Creating numbers in batch
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the Create Numbers in Batch link in the Local Number area to access the page for creating numbers in batch, as shown in Figure 845.
Table 298 Configuration items
Item: Description
Start Number: Specify the start number. A series of consecutive numbers starting with the start number is then bound to the selected voice subscriber lines. For example, if you specify the start number as 3000 and select line 3/0 and line 3/1, then line 3/0 is bound to number 3000, and line 3/1 is bound to number 3001.
Register Mode:
• Username and Password are the Same as Number.
• No Username and No Password.
Table 299 Configuration items
Item: Description
Fax Protocol:
Configure the protocol used for fax communication with other devices.
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
• Standard T.38—Use the standard T.38 protocol of H.323 or SIP. The fax negotiation mode depends on the protocol used (H.323 or SIP).
Configure the fax pass-through mode.
• G.711 A-law.
• G.711 μ-law.
Item: Description
NET Payload Type Field: Configure the value of NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list. By default, the value of the NTE payload type is 100.
Table 300 Configuration items
Item: Description
Call Forwarding: Configure call forwarding:
• Enable.
• Disable.
By default, call forwarding is disabled.
After you enable a call forwarding, enter the corresponding forwarded-to number:
• The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number.
• The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number.
• The Forwarding Unconditional—Enter the forwarded-to number.
Item: Description
Call Waiting: Configure call waiting:
• Enable.
• Disable.
By default, call waiting is disabled.
After call waiting is enabled, configure the following parameters as needed:
• Number of Call Waiting Tone Play Times.
• Number of Tones Played at One Time.
• Interval for Playing Call Waiting Tones.
By default, two call waiting tones are played once, and if the value of Number of Tones in a Call Waiting Tone is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.
Figure 848 Local number advanced settings page

Table 301 Configuration items
Item: Description
Codecs and Priorities:
Codec with the First Priority.
Codec with the Second Priority.
Codec with the Third Priority.
Codec with the Lowest Priority.
DTMF Transmission Mode: Specify DTMF transmission mode:
• In-band Transmission.
• Out-of-band Transmission.
• RFC2833—Adopt DTMF named telephone event (NTE) transmission mode.
Item: Description
Dial Prefix: Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out.
• Enable.
• Disable—Remove the configured dial prefix.
If you select to enable the function, you must enter the dial prefix.
VAD: Configure VAD. The VAD discriminates between silence and speech on a voice connection according to their energies.
Table 302 Configuration items
Item: Description
Fax Protocol:
Specify the protocol used for fax communication with other devices.
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
• Standard T.38—Use the standard T.38 protocol of H.323 or SIP. The fax negotiation mode depends on the protocol used (H.323 or SIP).
Configure the fax pass-through mode.
• G.711 A-law.
• G.711 μ-law.
Item: Description
NET Payload Type Field: Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list. By default, the value of the NTE payload type is 100.
Item: Description
Route Selection Priority: Set the priority of the call route. The smaller the value, the higher the priority.
VAD: The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected.
Table 304 Configuration items
Item | Description
Max Interval for Dialing the Next Digit | Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user will be prompted to hang up and the call is terminated.
Max Interval between Off-hook and Dialing the First Digit |
Dial Delay Time |
Figure 852 FXO line configuration page

Table 305 Configuration items
Item | Description
Max Interval for Dialing the Next Digit | Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed.
Max Interval between Off-hook and Dialing the First Digit |
Dial Delay Time |
Item | Description
Select the Line(s) | Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXO lines.

E&M line configuration

Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the E&M Line Configuration link in the Line Management area to access the E&M line configuration page, as shown in Figure 853.
Figure 854 ISDN line configuration page

Table 307 Configuration items
Item | Description
Input Gain on the Voice Interface | When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain.
Output Gain on the Voice Interface | When a relatively small voice signal power is needed on the output line, increase the voice output attenuation value.
Table 308 Configuration items
Item | Description
Start Number | Specify the telephone number of the first user to be registered.
Register User Quantity | Specify the number of users to be registered. For example, if you specify the start number as 2000 and set the register user quantity to 5, the device automatically generates five registered users with telephone numbers from 2000 to 2004.
Registration Mode | Set the registration mode: • No username and password.
States and statistics

This section provides information on displaying various states and statistics.

Line states

Use this page to view information about all voice subscriber lines.

Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State Information page appears.

Figure 856 Line state information page

This page supports two types of voice subscriber lines:
• Analog voice subscriber lines—FXS, FXO, paging, MoH, and E&M.
Field | Description
Subscriber Line Status | • Physical Down—Voice subscriber line is physically down, possibly because no physical link is present or the link has failed. • UP—Voice subscriber line is administratively down. • Shutdown—Voice subscriber line is up both administratively and physically.

Displaying detailed information about analog voice subscriber lines

For analog voice subscriber lines FXS, FXO, paging, MoH, and E&M, click the Details link to view details.
Figure 858 ISDN line details

Click a timeslot (TS) link to view the details about the TS.

Figure 859 Timeslot details

Call statistics

The following pages display call statistics.
• Active Call Summary page—Displays statistics about ongoing calls.
• History Call Summary page—Displays statistics about ended calls.
Displaying active call summary

Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call Summary page appears.

Figure 860 Active call summary page

Table 310 Field description
Field | Description
Type | Call type. Only Speech and Fax are supported.
Status | Call status: • Unknown—The call status is unknown. • Connecting—A connection attempt (outgoing call) is being made. • Connected—A connection attempt (incoming call) is being made.
SIP UA states

The following pages show SIP UA states:
• TCP Connection Information page—Displays information about all TCP-based call connections.
• TLS Connection Information page—Displays information about all TLS-based call connections.
• Number Register Status page—Displays number register information when you use SIP servers to manage SIP calls.
• Number Subscriber Status page—Displays the subscription status information of MWI when MWI is in use.
Figure 863 TLS connection information

For information items, see Table 311.

Connection status

Displaying number register status

Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Register Status tab.

Figure 864 Number register status

Table 312 Field description
Field | Description
Number | Registered phone number.
Registrar | Address of the registrar, in the format of IP address plus port number or domain name.
Displaying number subscription status

Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Subscription Status tab.

Figure 865 Number subscription status

Table 313 Field description
Field | Description
Number | Phone number.
Subscription Server | MWI server address, in the format of IP address plus port number or domain name.
Remaining Aging Time (Sec) | Remaining aging time of the subscription, that is, the remaining time before the next subscription.
Table 314 Field description
Field | Description
Server Operation Mode | Server operation mode: • Alone. • Alive.
Server Status | Server running state: • Enabled. • Disabled.
User ID | User ID.
Phone Number | Registered phone number.
State | State of the registered user: • Online—User is online. • Offline—User is offline.

SIP trunk account states

Displaying SIP trunk account states

Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree.
Displaying dynamic contact states

Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree. The page for displaying dynamic contact states appears.

Figure 868 Dynamic contact states

Table 316 Field description
Field | Description
Number | Telephone number, which could be one of the following types: • Roaming user registration number that is temporarily saved on the device. • Roaming user subscription number that is temporarily saved on the device.
Figure 869 Server group information

This page shows the configuration information of group servers. For information about how to configure group servers, see "Managing SIP server groups."

IVR information

The following pages show IVR information:
• IVR Call States page—Displays information about ongoing IVR calls.
• IVR Play States page—Displays information about ongoing IVR playing.

Displaying IVR call states

Select Voice Management > States and Statistics > IVR Information from the navigation tree.
Displaying IVR play states

Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Play States page appears.

Figure 871 IVR play states

Table 318 Field description
Field | Description
Play Count | Play times of the media file.
Play State | • Playing. • Not playing.
Play Type | • PSTN—Called party is from PSTN. • IP—IP address of the peer media.
About the HP MSR series Web-based Configuration Guide

The HP MSR series web-based configuration guide describes the software features on the web for the HP MSR Series Routers, and guides you through the software configuration procedures.
Model
HP MSR30 | • MSR 30-10 • MSR 30-11E • MSR 30-11F • MSR 30-16 • MSR 30-20 • MSR 30-40 • MSR 30-60 • MSR 30-10 DC • MSR 30-20 DC • MSR 30-40 DC • MSR 30-60 DC • MSR 30-16 PoE • MSR 30-20 PoE • MSR 30-40 PoE • MSR 30-60 PoE
HP MSR50 | • MSR 50-40 • MSR 50-60 • MSR 50-40 DC • MSR 50-60 DC
HP MSR1000 | • MSR1003-8
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions
Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
Italic | Italic text represents arguments that you replace with actual values.
[] | Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.