HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

ProCurve Secure Router

7000dl Series
Advanced Management and
Configuration Guide
December 2005
J04_01


Summary of Contents for HP ProCurve Secure Router 7203 dl

  • Page 1: Procurve Secure Router

    ProCurve Secure Router 7000dl Series December 2005 J04_01 Advanced Management and Configuration Guide...
  • Page 2 5991-3822 December 2005 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Applicable Products
  • Page 3: Table Of Contents

    Contents 1 Overview Contents ............1-1 Using This Guide .
  • Page 4 Troubleshooting Commands ....... . . 1-19 reload in ..........1-19 show .
  • Page 5: Configuring Backup Wan Connections

    Troubleshooting MLPPP ........2-15 MRRU ..........2-15 ED .
  • Page 6 Configure the Number of Connect Sequence Attempts ..3-30 Configure the connect-sequence interface-recovery Option . . . 3-30 Understanding How the connect-sequence Commands Work . . 3-32 Configuring the idle-timeout Option ..... . . 3-34 Configuring the fast-idle Option .
  • Page 7 Configuring a Logical Interface for a Persistent Backup Connection ..........3-54 Creating a Backup PPP Interface .
  • Page 8 Viewing Information about Persistent Backup Connections and Troubleshooting Problems ........3-84 Viewing Backup Settings .
  • Page 9: Applying Access Control To Router Interfaces

    Configuring ALGs ..........4-18 Enabling the FTP ALG .
  • Page 10: Inbound Interface Does Not Have An Acp; Outbound

    Controlling FTP, HTTP, and Telnet Access to the Router ..5-21 Restricting FTP Access ........5-21 Restricting HTTP Access .
  • Page 11: Configuring Network Address Translation

    Viewing ACLs and ACPs ........5-49 Displaying ACLs .
  • Page 12: Setting Up Quality Of Service

    Viewing ACLs and ACPs ........6-16 Displaying ACLs .
  • Page 13 Configuring CBWFQ ..........7-18 Overview .
  • Page 14: Virtual Private Networks

    Configuring QoS for Ethernet ........7-55 Overview .
  • Page 15: How The Procurve Secure Router Processes Ike Policies

    IP Security (IPSec) ......... . 8-4 IPSec Headers .
  • Page 16 Configuring IPSec SA Parameters ......8-40 Transform Sets ......... 8-40 Crypto Maps .
  • Page 17 9 Configuring a Tunnel with Generic Routing Encapsulation Contents ............9-1 Overview .
  • Page 18 IGMP ........... . . 10-5 IGMP Queries .
  • Page 19 Building RP and SP Trees When the Source Begins Multicasting First ......... 11-15 A Source Begins Multicasting Before Any Hosts Join Its Group .
  • Page 20: Link Layer Discovery Protocol

    Troubleshooting PIM-SM ........11-48 Monitoring the Multicast Routing Table .
  • Page 21: Ip Routing—Configuring Rip, Ospf, Bgp, And Pbr

    13 IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents ............13-1 Overview .
  • Page 22 Setting the Router ID ........13-41 Advertising Networks and Establishing OSPF Areas .
  • Page 23 Creating Prefix Lists: Configuring Filters for Route Exchange ..13-78 Naming the List ........13-80 Assigning the Entry an Order .
  • Page 24: Other Routers Not Receiving Routes To The Local

    Configuring Load Sharing ........13-120 Configuring Policy-Based Routing .
  • Page 25 Quick Start ..........13-176 RIP Routing .
  • Page 26 Configuring NAT ......... . 14-36 Configuring Many-to-One NAT .
  • Page 27 Adding Remote IDs ........14-90 Obtaining Certificates .
  • Page 28 Configuring IP Routing ......... A-20 Berlin .
  • Page 29: Overview

    Overview Contents Using This Guide ..........1-3 Understanding Command Syntax Statements .
  • Page 30 Overview Contents Troubleshooting Commands ....... . . 1-19 reload in ..........1-19 show .
  • Page 31: Using This Guide

    Overview Using This Guide Using This Guide The ProCurve Secure Router Advanced Management and Configuration Guide describes how to use the ProCurve Secure Router 7000 series in a network environment. Specifically, it focuses on two models: the ProCurve Secure Router 7102dl and the ProCurve Secure Router 7203dl. Both this guide and the Basic Management and Configuration Guide describe how to use the command line interface (CLI) and the Web browser...
  • Page 32: Understanding Command Syntax Statements

    Overview Using This Guide Understanding Command Syntax Statements This guide uses the following conventions for command syntax and information. Syntax: show access-lists [<listname>] Syntax: [permit | deny] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>] Angle brackets ( < > ) enclose a description of a command element, a part of the command in which you enter information specific to your particular router or WAN.
  • Page 33: Observing The Ip Address Convention

    Overview Using This Guide For simplicity, throughout this manual the CLI prompt will be shown as: ProCurve> You can change the name displayed at the prompt of your router by changing the router’s hostname. For more instructions on changing the router’s hostname and other basic router functions, see the Basic Management and Configuration Guide, Chapter 1: Overview.
  • Page 34: Quick Start Sections

    Overview Using This Guide For example, if you have a two-port T1 module in slot one, you would configure the left T1 port by entering: ProCurve(config)# interface t1 1/1 To configure the other T1 port, you would enter: ProCurve(config)# interface t1 1/2 As mentioned earlier, the Ethernet interfaces are also labeled in <slot>/<port>...
  • Page 35: Downloading Software Updates

    Overview Using This Guide Figure 1-1. The ProCurve Technical Support Web Page (callout: Click Product Manuals) Downloading Software Updates ProCurve Networking periodically updates the router software to include new features. You can download software updates and the corresponding release notes from ProCurve Networking’s Web site as described below. To download software, complete the following steps: Access the ProCurve Networking Web site at http://www.procurve.com.
  • Page 36: Downloading Software Updates

    Overview Using This Guide Figure 1-2. Downloading Software Updates (callouts: Step 2, Step 3) Release notes are included with the software updates and provide information about: new features and how to configure and use them; software management, including downloading software to the router; software fixes addressed in current and previous releases. For information on how to configure basic router functions, see the Basic Management and Configuration Guide.
  • Page 37: Interface Management Options

    Overview Interface Management Options Interface Management Options The ProCurve Secure Router includes two management interfaces: the command line interface (CLI) and the Web browser interface. To initially access the CLI, connect the COM port on your workstation to the console port on the front panel of the router. Use the serial cable (5184-1894) that was shipped with the ProCurve Secure Router.
  • Page 38: Accessing The Web Browser Interface

    Overview Interface Management Options Figure 1-3. Configuring ACPs Using the Web Browser Interface. Accessing the Web Browser Interface To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router.
  • Page 39: Using The Procurve Web Browser Interface

    Overview Interface Management Options Using the ProCurve Web Browser Interface The ProCurve Web browser interface is organized into the following sections: System, Router/Bridge, Firewall, and Utilities. The System section of the interface contains general router functions. In this section, you can: configure WAN and LAN connections; configure IP services; enable the Dynamic Host Configuration Protocol (DHCP) and Domain...
  • Page 40: Cli Tools

    Overview CLI Tools router’s current OS and upload any necessary upgrades. You can click Reboot and restart the router, and you can also set up a Telnet session by clicking Telnet to Unit. Note: In the CLI, boot and configuration files are referred to as software. In the Web browser interface, the boot and configuration files are called firmware.
  • Page 41: Editing Commands

    Overview CLI Tools letter. If you know the beginning of a command but need to be reminded of the entire word or if you want a more limited list of commands, enter a letter or set of letters followed immediately by the command.
  • Page 42: Basic Commands

    Overview CLI Tools Tab. The Tab key is a shortcut of sorts. Press Tab after typing the first few characters of a command. If you have typed enough characters to distinguish the command from all other available commands, the Secure Router OS will finish the word for you.
  • Page 43: Exit

    Overview CLI Tools exit To leave a specific interface or configuration mode, type exit. The exit command moves you back one mode level. For example, if you were configuring an ATM interface in the ATM interface configuration mode context and entered exit when you were finished, you would return to the global configuration mode context.
  • Page 44 Overview CLI Tools This command is used to copy and save files in the router’s internal flash and compact flash memories. Table 1-2 gives the available options for the copy command. You can also use this command to save the changes you make in the running-config to the startup-config.
  • Page 45 Overview CLI Tools To save a configuration as a file on compact flash, enter the following command from the enable mode context: Syntax: copy flash <config-file> cflash <filename> Replace <config-file> with either running-config or startup-config and replace <filename> with a name that you choose. Verify that the Percent Complete 100% message is displayed, indicating that the download is complete.
  • Page 46: Erase

    Overview CLI Tools The copy command can be used for other TFTP file management tasks such as: loading a running-configuration file from the TFTP server (enter copy tftp running-config); loading a startup-configuration from the TFTP server (enter copy tftp startup-config). erase The erase command removes files from the specified file location. Syntax: erase <file location>...
  • Page 47: Autosynch

    Overview CLI Tools autosynch The autosynch command is used with a compact flash card. Enabling the AutoSynch™ function allows the router to automatically keep the startup-config and SROS files in internal flash synchronized with the startup-config and SROS file on the compact flash card. The autosynch command is disabled in its default setting.
  • Page 48: Show

    Overview CLI Tools Replace <mmm> with the number of minutes. You can specify a three-digit number. Replace <hhh:mm> with a time such as 1:15 (1 hour and 15 minutes). The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no.
  • Page 49: Safe-Mode

    Overview CLI Tools Note: The showtech.txt file is saved to internal flash. If you intend to use a compact flash card to transport the file, you must save the showtech.txt file to a compact flash card. The showtech.txt file contains a readout of many of the show commands. This readout allows a network administrator to pinpoint a router configuration problem without a connection to the router.
  • Page 50 Overview CLI Tools timer expires, a warning message is displayed in the CLI that allows you to reset the timer. Unless you enter the reset keystroke before the reload timer finishes counting down, the router reboots. This prevents you from being locked out of the router if you lose the connection and are unable to reset the timer.
  • Page 51 Overview CLI Tools Use the no form of the command to disable SafeMode and the countdown timer: ProCurve(safe-config)# no safe-mode ProCurve(config)# SafeMode Functioning. SafeMode events are displayed in the CLI. When the threshold timer reaches zero, a notice is displayed in the CLI reminding you to reset the timer: SAFEMODE: SafeMode will reboot in <threshold>...
  • Page 52: Managing Configuration Files Using A Text Editor

    Overview Managing Configuration Files Using a Text Editor Managing Configuration Files Using a Text Editor Configuration files can be adjusted to each router’s needs using your computer’s text editor. This allows you to set up a configuration on one router, save it to a file, and edit it for installation on another router.
  • Page 53 Overview Managing Configuration Files Using a Text Editor Figure 1-4. Boot Error Messages The error messages in Figure 1-4 were displayed during bootup. In this particular case, the startup-config file has several VPNs configured, and the router that is booting does not have an IPSec VPN module to support it. The commands for the configuration of the VPNs are reported as errors.
  • Page 54 Overview Managing Configuration Files Using a Text Editor Figure 1-5. Using Boot Error Messages to Target a Configuration Problem (callouts: Error location; Resulting message) The line number given in the error message is the line number in the running-config. You can use this information to repair any configuration problems. You will need to scroll up in your terminal session software window to read the error message.
  • Page 55: Quick Start

    Overview Quick Start Quick Start This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and configure an enable mode password to protect the router from unauthorized access. This section also explains how to configure the Ethernet interface and the HTTP server so that you can access the Web browser interface.
  • Page 56: Configuring The Enable Mode Password

    Overview Quick Start Configuring the Enable Mode Password Configure an enable mode password. Syntax: enable password [md5] <password> Enter the md5 option to encrypt the password. Replace <password> with an alphanumeric string of up to 16 characters. For example, you might enter: ProCurve(config)# enable password md5 ProCurve Note: The word ProCurve is shown as the password only for simplicity.
  • Page 57: Configuring Telnet Access

    Overview Quick Start Configuring Telnet Access After you configure an Ethernet interface and establish a connection to the ProCurve Secure Router, you can configure Telnet access to the router. Complete the following steps: Establish a console session to the ProCurve Secure Router and move to the global configuration mode context.
  • Page 58: Configuring Http Access

    Overview Quick Start Complete the following steps: Establish a console session to the ProCurve Secure Router and move to the global configuration mode context. ProCurve> enable ProCurve# configure terminal If you have not already done so, configure an enable mode password. Enter: Syntax: enable password <password>...
  • Page 59: Contents

    Increasing Bandwidth Contents Overview ............2-2 Configuring MLPPP .
  • Page 60: Overview

    Increasing Bandwidth Overview Overview Point-to-Point Protocol (PPP) and other Data Link Layer protocols establish point-to-point connections over a single carrier line, which may not provide sufficient bandwidth to meet a business’s requirements. In a Frame Relay network, a single Frame Relay port might carry several permanent virtual connections (PVCs), all of which must share the bandwidth provided by one carrier line.
  • Page 61: Configuring Mlppp

    Increasing Bandwidth Configuring MLPPP Figure 2-1. MLPPP, a Link Aggregation Protocol (figure: a router fragments a frame into Frag a, Frag c, and Frag d and sends the fragments over several E1 lines to the peer router, which reassembles the frame) Configuring MLPPP Although using MLPPP to increase a connection’s bandwidth does not require deep technical expertise, you should understand: how a PPP session is established; how MLPPP regulates the fragmentation and reconstruction of normal...
  • Page 62: Ppp

    Increasing Bandwidth Configuring MLPPP The two peers at either end of a point-to-point connection establish a PPP session in four phases. (See Figure 2-2.) 1. Link establishment 2. Authentication (optional): PAP, CHAP, or EAP 3.
  • Page 63: Mlppp

    Increasing Bandwidth Configuring MLPPP MLPPP MLPPP establishes a session between two peers using the same protocols and phases as typical PPP. However, MLPPP adds: three option fields to the LCP frames; an MLPPP header to the information field of the PPP frame. LCP Options The receiving peer must know that the sending peer will be fragmenting PPP frames and transmitting them over multiple carrier lines.
  • Page 64: Mlppp Configuration Concerns

    Increasing Bandwidth Configuring MLPPP If peers agreed to use the short sequence number header format during the link establishment, the MLPPP header includes only two fields. The MLPPP header includes a flag and a sequence number. The sequence number indicates the fragment’s place in the reconstructed PPP frame. MLPPP Configuration Concerns When you enable MLPPP for a connection, the LCP automatically negotiates the necessary options, such as the MRRU and ED.
  • Page 65 Increasing Bandwidth Configuring MLPPP You should have already configured the physical interfaces. If you have not, see the Basic Management and Configuration Guide, Chapter 4: Configuring E1 and T1 Interfaces for instructions. To bind these interfaces to the PPP interface, you need the following information: type of carrier line (E1 or T1); dl module slot for the carrier line’s module...
  • Page 66: Configuring Mlfr

    Increasing Bandwidth Configuring MLFR Configuring MLFR Like MLPPP, MLFR aggregates several physical connections into a single logical connection. MLFR helps provide greater access rates for PVCs, particularly in environments in which the greater bandwidth of an E3- or T3-carrier line is not available.
  • Page 67: Enabling Mlfr

    Increasing Bandwidth Configuring MLFR In essence, FRF.16 simply increases the committed information rate (CIR) you can negotiate for a Frame Relay port in a T1 or E1 environment. Figure 2-3. (figure: an MLFR bundle from Router A across the Frame Relay network to Router B and Router C, using DLCI 101 and DLCI 102)
  • Page 68: Binding Multiple Carrier Lines To A Frame Relay Interface

    Increasing Bandwidth Configuring MLFR Binding Multiple Carrier Lines to a Frame Relay Interface On the ProCurve Secure Router, links are always defined by the Data Link Layer rather than the Physical Layer. You bind a physical interface to a logical interface to grant the Data Link Layer protocol access to the physical media over which to transmit data.
  • Page 69: Configuring The Bundle Id

    Increasing Bandwidth Configuring MLFR Note: You bind the physical interfaces to the Frame Relay interface, not the Frame Relay subinterface. This is because Frame Relay subinterfaces define PVCs, which are virtual connections, while the Frame Relay interface defines the physical connection available to all the virtual ones.
  • Page 70: Troubleshooting Multilinks

    Increasing Bandwidth Troubleshooting Multilinks Troubleshooting Multilinks Troubleshooting multilinks is similar to troubleshooting a link carried on a single carrier line. You can review this process in “Standard Procedure” on page 2-12. (For more troubleshooting tips, see the Basic Management and Configuration Guide, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.) “Troubleshooting MLPPP”...
  • Page 71 Increasing Bandwidth Troubleshooting Multilinks PPP. Common PPP problems include: mismatched DS0 or E0 channels; incorrect authentication information; incompatible network-level protocols. Use the debug commands shown in Table 2-1 to determine where the PPP session establishment ends. A good strategy can be to first view only the errors and then pinpoint the problem from there.
  • Page 72 Increasing Bandwidth Troubleshooting Multilinks ProCurve# show frame-relay lmi LMI statistics for interface FR 1 LMI TYPE = ANSI Num Status Enq. Sent 24 Num Status Msgs Rcvd 7 Num Update Status Rcvd 1 Num Status Timeouts 3 Number of polls Number of polls received sent...
  • Page 73: Troubleshooting Mlppp

    Increasing Bandwidth Troubleshooting Multilinks View the Frame Relay interface and verify that its signaling type matches that of your service provider. You can enter show interface fr <subinterface number> to view a subinterface (the PVC endpoint) and check DLCIs and the PVC state.
  • Page 74: Troubleshooting Mlfr

    Increasing Bandwidth Troubleshooting Multilinks 2004.07.26 02:14:37 PPP.NEGOTIATION PPPrx[t1 1/1] LCP: Conf-Req ID=133 Len=29 ACCM(00000000) MAGIC(c0b82465) MRRU(1500) ED(3:0000000c045b) PPPtx[t1 1/1] LCP: Conf-Ack ID=133 Len=29 ACCM(00000000) MAGIC(c0b82465) MRRU(1500) ED(3:0000000c045b) PPPrx[t1 2/1] LCP: Conf-Req ID=11 Len=29 ACCM(00000000) MAGIC(c0b130b4) MRRU(1500) ED(3:0000000c045b) (callouts: Multilink support; T1 1/1 and T1 2/1 are the same link)...
  • Page 75 Increasing Bandwidth Troubleshooting Multilinks ProCurve# debug frame-relay multilink 2005.07.12 12:12:39 FRAME_RELAY.MULTILINK (I): msg=HELLO, Link=t1 1/2 1, Bundle=MFR1, BL state=UP (callout: Message from service provider router) 2005.07.12 12:12:39 FRAME_RELAY.MULTILINK (O): msg=HELLO_ACK, Link=t1 1/2 1, Bundle=MFR1, BL state=UP (callout: Routers confirm a link is still active.)
  • Page 76 Increasing Bandwidth Troubleshooting Multilinks ProCurve# debug frame-relay multilink 2005.07.12 12:11:54 FRAME_RELAY.MULTILINK (O): msg=ADD_LINK, Link=t1 1/2 1, Bundle=MFR1, BL state=ADD_SENT (callout: Message from local router) 2005.07.12 12:11:54 FRAME_RELAY.MULTILINK (I): msg=ADD_LINK, Link=t1 1/2 1, Bundle=MFR1, BL state=ADD_SENT (callouts: Message from service provider router; Routers exchange requests to add a carrier line to the bundle) 2005.07.12 12:11:54 FRAME_RELAY.MULTILINK (I): msg=ADD_LINK_ACK,...
  • Page 77: Quick Start

    Increasing Bandwidth Quick Start Quick Start This section provides the commands you must enter to quickly configure: Multilink PPP (MLPPP) and Multilink Frame Relay (MLFR). Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 2-1 to locate the section that contains the explanation you need.
  • Page 78: Mlppp Configuration

    Increasing Bandwidth Quick Start MLPPP Configuration Before you begin completing these instructions, you should connect the physical interfaces to the appropriate public carrier equipment. You should also have a non-multilink PPP connection up and running. Move to the global configuration mode context and configure the physical interface(s) for the new carrier line(s): Move to the interface configuration mode context: Syntax: interface [e1 | t1] <slot>/<port>...
  • Page 79: Mlfr Configuration

    Increasing Bandwidth Quick Start If you do not already have a PPP connection running, you must also: Assign the PPP interface an IP address: Syntax: ip address [<A.B.C.D> <subnet mask | /prefix length> | negotiated] For example, you might enter: ProCurve(config-ppp 1)# ip address 10.1.1.1 /30 You can also have the interface take its address from the far end of the link (negotiated).
  • Page 80 Increasing Bandwidth Quick Start Enabling multilink unbinds physical lines from the interface. As well as binding each new physical interface to the Frame Relay interface, you must rebind the original line: Syntax: bind <bind number> [e1 | t1] <slot>/<port> <tdm group number> frame-relay <interface number>...
  • Page 81: Contents

    Configuring Backup WAN Connections Contents Backing Up Primary WAN Connections ......3-5 Analog Backup Connections ........3-5 ISDN-Backup Connections .
  • Page 82 Configuring Backup WAN Connections Contents Configure the connect-sequence interface-recovery Option ..........3-30 Understanding How the connect-sequence Commands Work .
  • Page 83 Configuring Backup WAN Connections Contents Configuring a Logical Interface for a Persistent Backup Connection ..........3-54 Creating a Backup PPP Interface .
  • Page 84 Configuring Backup WAN Connections Contents Viewing Information about Persistent Backup Connections and Troubleshooting Problems ....... 3-84 Viewing Backup Settings .
  • Page 85: Backing Up Primary Wan Connections

    Configuring Backup WAN Connections Backing Up Primary WAN Connections Backing Up Primary WAN Connections To ensure that users can always exchange data between two offices, you may want to lease a dial-up WAN connection—such as an Integrated Services Digital Network (ISDN) or telephone line—which can be used as a redundant line in case a primary WAN connection fails.
  • Page 86: Isdn-Backup Connections

    Configuring Backup WAN Connections Backing Up Primary WAN Connections Analog modems provide comparatively little bandwidth. (The ProCurve Secure Router analog module provides between 300 bps and 33.6 kbps.) When analog modems are incorporated into WAN routers, they are designed only to provide redundancy for other WAN lines, not to furnish a long-term WAN connection.
  • Page 87: Bri Isdn

    Configuring Backup WAN Connections Backing Up Primary WAN Connections BRI ISDN BRI ISDN operates over the twisted-pair cabling that is used for ordinary telephones. All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. The local loop is divided into two sections by a line of demarcation (demarc), which separates your company’s wiring and equipment from the public carrier’s wiring and equipment.
  • Page 88 Configuring Backup WAN Connections Backing Up Primary WAN Connections Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Although copper wire has a limited signal-carrying capacity, ISDN is designed to maximize its capability.
  • Page 89: Electrical Specifications For Bri Isdn

    Configuring Backup WAN Connections Backing Up Primary WAN Connections ISDN Interfaces. The ISDN standard defines four interfaces, or points, at which equipment can be added to the ISDN network: the U interface (between the NT1 and the NIU); the T interface (between the NT2 and the NT1); the S interface (between the TE1 and the NT2); and the R interface (between the TE2 and the TA). In Europe, Asia, and all other locations outside of North America, PTTs supply...
  • Page 90: Standards

    Configuring Backup WAN Connections Backing Up Primary WAN Connections As Figure 3-2 shows, the backup module is installed over the data link module. Figure 3-2. Installing a Backup Module After the backup module is installed, it can back up any interface on the router, not only those interfaces installed in the same slot.
  • Page 91: Data Link Layer Protocols

    Configuring Backup WAN Connections Determining a Backup Method In addition to these three options, the ISDN BRI S/T backup supports: Euro-ISDN—Also called Normes Européennes de Télécommunication 3 (NET3), Euro-ISDN was defined in the late 1980s by the European Commission so that equipment manufactured in one country could be used throughout Europe.
  • Page 92: Using Demand Routing For Backup Connections

    Configuring Backup WAN Connections Determining a Backup Method You can configure a persistent backup connection, which is initiated immediately if a backup condition occurs on the primary connection and stays up until the primary connection is available again. Before you configure a backup connection, you should evaluate your network environment and then determine which option best meets your company’s particular needs.
  • Page 93 Configuring Backup WAN Connections Determining a Backup Method (figure: Branch Office B with a Branch Router, Edge Switches, and switches on 192.168.3.0 and 192.168.4.0, connected by Frame Relay over E1) The backup ISDN connection to Branch Office B is triggered only when the primary interface on the Main Core Switch Router goes down and traffic with destination address 192.168.3.0 /24 or 192.168.4.0 /24 is forwarded to demand...
  • Page 94: Using Persistent Backup Connections

    Configuring Backup WAN Connections Determining a Backup Method If you use the backup ISDN modules, you cannot use MLPPP to aggregate channels. The ISDN backup modules support bonding, rather than channel aggregation. You can bond channels on an ISDN backup module only if: you configure a persistent backup connection; the router connects to another ProCurve Secure Router. If both of these conditions are met, you can use bonding to increase band-...
  • Page 95 Configuring Backup WAN Connections Determining a Backup Method Table 3-1. Differences Between Demand Routing and Persistent Backup Connections. Option: supported hardware. Demand Routing: • analog and BRI backup modules, which can be installed on top of any narrow module •... Persistent Backup Connection: analog and backup modules, which can be installed on top of any narrow module...
  • Page 96 Configuring Backup WAN Connections Determining a Backup Method Figure 3-4 shows how a backup connection is established if demand routing is configured. Figure 3-5 shows how a persistent backup connection is established. (figure: Frame Relay over E1 between 10.1.1.0 and 10.4.4.0; the backup connection is triggered by interesting traffic)...
  • Page 97: Configuring Demand Routing For Backup Connections

    Configuring Backup WAN Connections Configuring Demand Routing for Backup Connections (figure: Frame Relay over E1 between the Main Router (10.1.1.0) and the Office Router (10.4.4.0); the backup connection is triggered immediately when the primary connection fails; traffic from 10.2.2.5 to 10.4.4.23 is routed over dial-up while the primary connection is unavailable and over Frame Relay when the primary connection is available)...
  • Page 98: Define The Traffic That Triggers The Connection

    Configuring Backup WAN Connections Configuring Demand Routing for Backup Connections Define the Traffic That Triggers the Connection You must first define the interesting traffic—the traffic that triggers, or activates, the WAN connection. For example, if you are configuring demand routing for a backup connection between the main office and a branch office, the interesting traffic would be the packets destined for the branch office.
  • Page 99: Defining The Source And Destination Addresses

    Configuring Backup WAN Connections Configuring Demand Routing for Backup Connections For demand routing, you may want to create an ACL that selects all the traffic to a particular subnet. In this case, you should specify ip as the protocol. Defining the Source and Destination Addresses When you create an extended ACL, you must configure both a source and a destination address for each entry.
  • Page 100: Configuring The Demand Interface

    Configuring Backup WAN Connections Configuring Demand Routing for Backup Connections Examples. For example, if you want any traffic to the far-end network 192.168.115.0 /24 to trigger the dial-up connection, you would enter: ProCurve(config-ext-nacl)# permit ip any 192.168.115.0 0.0.0.255 If you want any outbound traffic from a particular network segment to trigger a dial-up connection, use wildcard bits to specify that network as the source.
  • Page 101: Creating The Demand Interface

    Configuring Backup WAN Connections Configuring Demand Routing for Backup Connections Because the demand interface spoofs an up state, you can also create routes to any of the networks connected through a dial-up interface. When the ProCurve Secure Router detects traffic that must be routed through a demand interface, it processes the extended ACL that has been applied to it to select interesting traffic.
  • Page 102: Configuring an IP Address

    Configuring an IP Address
    You have several options for setting up an IP address on the demand interface: you can assign the demand interface a static IP address, you can configure it to negotiate the IP address from its PPP peer, or you can configure it as an unnumbered interface.
  • Page 103: Matching the Interesting Traffic

    Spoofing. After you configure an IP address for the demand interface, its status should change to “up (spoofing),” and it should be listed as a directly connected interface in the routing table. To check the status of the demand interface, enter:
    ProCurve(config-demand 1)# do show interface demand 1
    To view the routing table, enter:...
  • Page 104 Including in or out is optional. By default, the ProCurve Secure Router uses the ACL you specify to check both incoming and outgoing traffic. If you do not specify a direction, outbound traffic is matched to the specified ACL, and inbound traffic is matched to the reverse of the ACL.
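    As an added illustration (not code from the manual or from the Secure Router OS), this Python model shows the extended-ACL matching described on pages 100 and 104: wildcard bits, first-match evaluation with implicit deny, and the reverse matching applied to inbound traffic when no direction is given. The function names, the sample entries and the sample packets are constructed.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed model (not Secure Router OS code) of extended-ACL matching for
# demand routing: wildcard bits, first-match evaluation with implicit deny,
# and the "reverse" logic applied to inbound traffic when no direction is
# given on match-interesting. Function names are hypothetical.

Matcher = Callable[[str], bool]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-bit match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_addr_spec(tokens: List[str]) -> Tuple[Matcher, List[str]]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' (the hostname form
    from the manual is not modelled). Returns (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        host = tokens[1]
        return (lambda ip: ip == host), tokens[2:]
    net, wc = tokens[0], tokens[1]
    return (lambda ip: wildcard_match(ip, net, wc)), tokens[2:]


def parse_entry(line: str) -> Dict:
    """Parse one '[permit | deny] <protocol> <source> <destination>' entry."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr_spec(tokens[2:])
    dst, rest = parse_addr_spec(rest)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def acl_action(entries: List[Dict], proto: str, src: str, dst: str,
               reverse: bool = False) -> str:
    """First matching entry wins; no match is an implicit deny. With
    reverse=True the packet's source is tested against each entry's
    destination spec and vice versa."""
    if reverse:
        src, dst = dst, src
    for e in entries:
        # 'ip' in an entry matches every IP protocol
        if e["proto"] not in ("ip", proto):
            continue
        if e["src"](src) and e["dst"](dst):
            return e["action"]
    return "deny"


def is_interesting(entries: List[Dict], proto: str, src: str, dst: str,
                   direction: str) -> bool:
    """Outbound packets use the ACL as written; inbound packets use the
    reverse of the ACL, as the manual describes for match-interesting
    without an explicit in/out keyword."""
    return acl_action(entries, proto, src, dst,
                      reverse=(direction == "in")) == "permit"


# Constructed sample: the manual's example entry from page 100
INTERESTING = [parse_entry("permit ip any 192.168.115.0 0.0.0.255")]

if __name__ == "__main__":
    # outbound packet to the far-end network triggers the connection
    print(is_interesting(INTERESTING, "tcp", "10.2.2.5", "192.168.115.10", "out"))  # True
    # inbound reply from the far-end network matches the reversed ACL
    print(is_interesting(INTERESTING, "tcp", "192.168.115.7", "10.2.2.5", "in"))   # True
    # inbound traffic from elsewhere does not keep the link up
    print(is_interesting(INTERESTING, "tcp", "10.9.9.9", "10.2.2.5", "in"))        # False
```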
  • Page 105 Applying an ACP or Another ACL to the Demand Interface. In addition to using an ACL to determine which traffic triggers a dial-up connection, you can use ACLs to control incoming traffic and outgoing traffic on that connection.
  • Page 106: Specifying the Connect-Mode Option

    keep the link active until it has completed its transfer of data and the idle timer has expired. If the idle timer expires when the second node is communicating with the server, the connection will be terminated because the second node’s traffic does not match the ACL specified in the match-interesting list command.
  • Page 107: Associating a Resource Pool with the Demand Interface

    You could also configure the demand interface so that the match-interesting command selects outbound traffic and the connect-mode command is set to answer. In this mode, the router will not use demand routing to initiate a backup connection.
  • Page 108 You can configure more than one connect sequence for a demand interface. For example, you may want to configure more than one connect sequence if the main office has more than one dial-up line that you are using for backup. Then, if one ISDN line is in use, the ProCurve Secure Router can dial another line to establish a connection.
  • Page 109: Specify the Order in Which Connect Sequences Are Used

    Specifying the busyout-threshold <value> is optional. Include a value between 1 and 65535 to specify the maximum number of times the ProCurve Secure Router will try this connect sequence. If you specify 0, the ProCurve Secure Router will make an unlimited number of attempts.
  • Page 110: Configure the Number of Connect Sequence Attempts

    Configure the Number of Connect Sequence Attempts
    You can limit the number of times that the ProCurve Secure Router processes the connect sequences that are configured for a demand resource if it is unable to establish a connection.
  • Page 111 A Dial-Up Interface Is Available, But the Call Fails. If a dial-up interface is available and the ProCurve Secure Router attempts to establish a connection, the call may fail for a number of reasons: a busy signal, no answer, connection timeout, and so on.
  • Page 112: Understanding How the Connect-Sequence Commands Work

    Replace <number> with a number between 0 and 65535. If you specify 0, the ProCurve Secure Router will continue to try to establish a connection until it is successful or you clear the interface. The number you specify overrides the connect-sequence attempts setting while the demand interface is in recovery mode.
  • Page 113 If the ProCurve Secure Router processes all of the connect sequences and cannot establish a dial-up connection, the connect sequence attempt fails. For the configuration shown in Figure 3-8, the ProCurve Secure Router will make three activation attempts—that is, it will process connect sequence 10 up to nine times and connect sequence 20 up to three times.
  • Page 114: Configuring the Idle-Timeout Option

    [Figure: Processing connect-sequences]
    1. Check connect-order.
    2. Process connect-sequences, based on connect-order:
    connect-order sequential
    connect-sequence 10 dial-string 5551212 forced-ISDN-64k busyout-threshold 3
    connect-sequence 20 dial-string 5552222 forced-analog busyout-threshold 1
    3. Check connect-mode. Can the...
    4. ...
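    As an added worked example (not from the manual or the Secure Router OS), the following Python simulates the connect-sequence accounting described on pages 109 to 113 for the configuration shown above: each sequence is dialed up to its busyout-threshold per activation attempt, and the whole list is processed up to connect-sequence attempts times, so with three attempts sequence 10 is dialed up to nine times and sequence 20 up to three times. The class and function names and the dialer stubs are constructed; the interface-recovery override is not modelled.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of connect-sequence processing (hypothetical code, not
# the Secure Router OS): sequential connect-order, busyout-threshold per
# sequence, and the connect-sequence attempts limit on the whole list.


@dataclass
class ConnectSequence:
    number: int             # connect-sequence <number>
    dial_string: str
    resource_type: str      # e.g. forced-ISDN-64k, forced-analog
    busyout_threshold: int  # 1-65535 tries per attempt; 0 = unlimited


@dataclass
class DialResult:
    connected: bool
    activation_attempts: int
    calls_per_sequence: Dict[int, int] = field(default_factory=dict)
    connected_via: Optional[int] = None


def process_connect_sequences(sequences: List[ConnectSequence], attempts: int,
                              dial: Callable[[ConnectSequence], bool],
                              max_calls: int = 10000) -> DialResult:
    """Walk the sequences in ascending number (connect-order sequential).
    attempts=0 means keep trying until success; max_calls bounds the
    simulation so an always-busy dialer cannot spin forever."""
    ordered = sorted(sequences, key=lambda s: s.number)
    result = DialResult(connected=False, activation_attempts=0,
                        calls_per_sequence={s.number: 0 for s in ordered})
    total_calls = 0
    while attempts == 0 or result.activation_attempts < attempts:
        result.activation_attempts += 1
        for seq in ordered:
            tries = 0
            while seq.busyout_threshold == 0 or tries < seq.busyout_threshold:
                if total_calls >= max_calls:
                    return result
                tries += 1
                total_calls += 1
                result.calls_per_sequence[seq.number] += 1
                if dial(seq):
                    result.connected = True
                    result.connected_via = seq.number
                    return result
        # every sequence exhausted: this activation attempt has failed
    return result


# The configuration from the figure above (manual's values)
FIGURE_3_8 = [
    ConnectSequence(10, "5551212", "forced-ISDN-64k", busyout_threshold=3),
    ConnectSequence(20, "5552222", "forced-analog", busyout_threshold=1),
]


def always_busy(seq: ConnectSequence) -> bool:
    """Constructed dialer: every call fails (busy, no answer, timeout)."""
    return False


def succeed_on_nth_call(n: int) -> Callable[[ConnectSequence], bool]:
    """Constructed dialer: calls fail until the n-th call overall succeeds."""
    state = {"calls": 0}

    def dial(seq: ConnectSequence) -> bool:
        state["calls"] += 1
        return state["calls"] == n
    return dial


if __name__ == "__main__":
    r = process_connect_sequences(FIGURE_3_8, attempts=3, dial=always_busy)
    print(r.activation_attempts, r.calls_per_sequence)  # 3 {10: 9, 20: 3}
```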
  • Page 115: Configuring the Fast-Idle Option

    ting to match the rates your public carrier charges for the ISDN (or analog) line. For example, if your public carrier charges you for every two minutes of usage, you should set the idle-timeout setting to be 120 seconds or just slightly less than 120 seconds.
  • Page 116: Defining the Caller-Number

    Defining the caller-number
    When an ISDN or analog call is established, the calling party supplies a Calling Line ID (CLID). If you configure a caller-number, the backup interface will check the CLID when it receives calls. If the CLID matches the caller-number you specified, the interface will answer the call.
  • Page 117: Configuring the BRI or Modem Interface

    Replace <packets> with a number between 0 and 200. Replace <seconds> with a number between 0 and 255. By default, the ProCurve Secure Router holds 200 packets for 3 seconds. If the number of packets received before the connection is established exceeds 200 packets or if the connection is not established within 3 seconds, the ProCurve Secure Router empties the hold queue.
  • Page 118: Accessing the BRI or Modem Interface

    Accessing the BRI or Modem Interface
    To access the configuration mode context for the BRI or modem interface, enter:
    Syntax: interface <interface> <slot>/<port>
    Replace <interface> with bri or modem. On the ProCurve Secure Router, the interface for each physical port is identified by its slot number and port number.
  • Page 119: Configuring an LDN for ISDN BRI S/T Modules

    Table 3-6. ISDN Signaling Types
    Signaling Type | Command Syntax
    National ISDN-1 | isdn switch-type basic-ni
    Euro ISDN | isdn switch-type basic-net3
    Northern Telecom DMS-100 | isdn switch-type basic-dms
    Lucent/ATT 5ESS | isdn switch-type basic-5ess
    The default settings are:
    • ISDN BRI U modules: isdn switch-type basic-5ess
    • ISDN BRI S/T modules: isdn switch-type basic-net3...
  • Page 120: Configuring a SPID and LDN for ISDN BRI U Modules

    If you are configuring an ISDN line in North America, you may also need to define a SPID. As described in the next section, you can set the SPID at the same time that you set the LDN.
  • Page 121: Assigning BRI or Modem Interface to the Resource Pool

    For example, you might enter:
    ProCurve(config)# modem countrycode Germany
    Enter modem countrycode ? for a complete list of keywords for countries. The default setting is USA and Canada.

    Assigning BRI or Modem Interface to the Resource Pool
    To assign backup interfaces to the resource pool, enter the following command from the BRI or modem interface configuration mode context:
    Syntax: resource pool-member <pool name>...
  • Page 122: Caller ID Options for ISDN BRI Backup Modules

    Caller ID Options for ISDN BRI Backup Modules (Optional)
    The ProCurve Secure Router accepts ISDN calls based on whether the incoming call’s caller id matches a list of acceptable caller ids. You can override an incoming call’s caller id using the caller-id override option.
  • Page 123: Configuring PPP Authentication for an ISDN Connection

    ProCurve# show ip route
    10.2.2.0/30 is directly connected, ppp 1
    10.3.3.0/30 is directly connected, demand 1
    10.10.10.0/30 is directly connected, ppp 2
    192.168.20.0/24 is directly connected, eth 0/1
    192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1   (IP route through primary interface)...
  • Page 124: Configuring PAP Authentication for a Demand Interface

    You should also specify which authentication protocol the demand interfaces send to authenticate themselves to a peer when answering a call. From the global configuration mode context, enter:
    ProCurve(config)# data-call sent authentication protocol [chap | pap]
    By default no authentication protocol is specified for demand interfaces.
  • Page 125: Backup Connection

    For example, you might enter:
    ProCurve(config-demand 1)# username SiteB password procurve
    For CHAP, the username should be the hostname of the peer.

    Example of Demand Routing with PAP Authentication for a Backup Connection
    Figure 3-12 shows a demand routing configuration that uses PAP authentication.
  • Page 126: Configuring Peer IP Address

    Configuring Peer IP Address
    You can also configure the IP address of the PPP peer for the dial-up WAN connection. From the demand interface configuration mode context, enter:
    Syntax: peer default ip address <A.B.C.D>
    Replace <A.B.C.D>...
  • Page 127: Configuring a Persistent Backup Connection

    Configuring Backup WAN Connections: Configuring a Persistent Backup Connection
    If your company needs a constant WAN connection between two offices, you should configure a persistent backup connection. Then, if the primary connection fails, the persistent backup connection will be established immediately, and it will remain up until the primary WAN connection is available again.
  • Page 128 Setting the ISDN Signaling (Switch) Type. The BRI interface must implement the same type of ISDN signaling that your public carrier uses. (See “Electrical Specifications for BRI ISDN” on page 3-9 to learn more about the standards supported by the ProCurve Secure Router.) The signaling type does not necessarily have to be that of the CO switch’s manufacturer.
  • Page 129 For example, you might enter:
    ProCurve(config-bri 1/2)# isdn ldn1 5555551111
    You can also set a secondary LDN using the isdn ldn2 command:
    ProCurve(config-bri 1/1)# isdn ldn2 5555552222
    If you are configuring an ISDN line in North America, you may also need to define a SPID.
  • Page 130
    bri 1/3 is UP   (Interface activated)
    Line status: ready but not currently providing connection
    Caller ID will be used to route incoming calls
    Caller ID normal
    Switch protocol: AT&T 5ESS
    SPID 1 25655522220101, LDN 1 5552222   (Number at which the local router can be...)
    SPID 2 n/a, LDN 2 n/a...
  • Page 131: Configuring a Modem Interface (Analog Only)

    The txadd-timer command specifies the length of time the router will wait for additional calls to be connected before deciding that the bonding call has failed. When dialing overseas, you should enter a value above 60 seconds to allow for slower call routing.
  • Page 132 Optionally, you can:
    • replace incoming caller ID with a set number
    • use the modem for console dial-in
    Setting the Country. Depending on where the router is located, the analog backup module may need to use different signals to connect to the PSTN or PTT.
  • Page 133: Using the Modem for Console Dial-In

    Using the Modem for Console Dial-In
    You can connect to the analog module on the ProCurve Secure Router and initiate a console session with it.
    Caution: If you enable dial-in console sessions, you cannot use the module for backup.
  • Page 134: Configuring a Logical Interface for a Persistent Backup

    Configuring a Logical Interface for a Persistent Backup Connection
    Although a backup connection provides redundancy for a primary WAN connection such as a Frame Relay connection or an ISP connection, it does not duplicate the primary WAN connection.
  • Page 135: Creating a Backup PPP Interface

    A backup interface is simply a supplemental PPP interface that you create and configure as you would any PPP interface. You must configure an IP address for the backup PPP interface. For best security practices, ProCurve Networking also recommends that you configure PPP authentication.
  • Page 136: Setting an IP Address

    Setting an IP Address
    The backup interface’s IP address must be on a different network than that of the primary connection. (The router does not allow more than one interface to be on the same network.) To configure the IP address, enter this command from the backup PPP interface configuration mode context:
    Syntax: ip address <A.B.C.D>...
  • Page 137 To require CHAP authentication from the peer:
    1. Move to the configuration mode for the backup PPP interface.
    2. Enable CHAP authentication:
    ProCurve(config-ppp 2)# ppp authentication chap
    3. Add the peer router’s hostname and password to the PPP database:
    ProCurve(config-ppp 2)# username LondonRouter password procurve
    Providing Authentication to the Peer.
  • Page 138: Configuring Persistent Backup Settings for a Primary

    Configuring Persistent Backup Settings for a Primary Connection
    Even though you install a backup module in a specific module slot, the corresponding backup line can provide redundancy for any of the WAN connections on the router.
  • Page 139: Setting the Backup Call Mode

    Note: You configure separate backup connections for every PVC in a Frame Relay network or ATM connection. Therefore, you enter the backup commands from the Frame Relay or ATM subinterface. The analog or ISDN line can only provide active backup for one PVC at a time.
  • Page 140 [Figure: dialing out after a line failure. Router A (call mode originate) calls 555-1111, and Router B doesn’t answer; A then calls 555-2222, Router B (call mode answer-always) answers, and A negotiates a connection with B using PPP4. Backup dial list: 555-1111 PPP2, 555-2222 PPP4; a third number, 555-3333, is also shown.]
  • Page 141 If the call fails to connect, the Secure Router OS checks the backup dial list in the primary interface for a second number, which references a different backup PPP interface. If there is a second number, the Secure Router OS attempts to connect to it.
  • Page 142
    Table 3-9. Backup Call Modes
    Command Syntax | Description
    backup call-mode answer | If the primary connection fails, the backup interface will answer backup calls but not place them.
    backup call-mode answer-always | The backup interface will always answer backup calls, even when the primary connection is up.
  • Page 143: Adding a Number to a Backup Dial List

    [Figure: Router A (backup call mode answer) is connected over a Frame Relay network to Router B on FR 1.101 and to Router C on FR 1.102; with FR 1.102 disconnected and physically down, Router A refuses the ISDN call from Router C. Second panel: the same topology with Router A set to backup call mode answer-always...]
  • Page 144: Controlling When a Backup Connection Can Be Established

    For digital modules, you must also specify whether the ISDN line will use a single channel (56 or 64 Kbps) or a bonded channel (112 or 128 Kbps). You do so by entering the minimum and maximum DS0 or E0 channels.
    Note: Bonding calls is a proprietary feature.
  • Page 145 You do not actually activate the backup connection by specifying times when a backup connection can be established. Rather, you enable the router to establish a backup connection if the primary connection fails during those times.
  • Page 146: Setting Backup Timers

    Caution: Make sure that your router is set with the correct time and date. From the enable mode context, enter:
    ProCurve# show clock
    If you need to configure the router to receive time from an SNTP server, enter the following command from the global configuration mode context:
    Syntax: sntp server [<hostname> | <A.B.C.D>] [version <1-3>]
    If you want to manually set the clock, enter the following command from the...
  • Page 147: Configuring a Floating Static Route for a Persistent Backup

    Table 3-10. Backup Timers (columns: Command Syntax; Function; Default; Range)
    backup auto-backup | no backup auto-backup; automatic backup initiation after a connection fails; default —
    backup backup-delay <seconds>; time between line failure and placing a backup call; default 10 seconds; range 10-86,400 seconds...
  • Page 148 You can specify the local backup interface as the forwarding interface to ensure that the route will be accurate even if the peer changes its backup IP address. If you do enter a next hop address, remember that this address should be that of the peer’s backup interface, which, like the local backup interface, is on a different network from the primary connection.
  • Page 149: Configuring Persistent Backup for Multiple Connections

    Configuring Persistent Backup for Multiple Connections
    A single analog or ISDN module can back up any number of connections, although, of course, it can only actively back up one failed connection at a time.
  • Page 150: Viewing Backup Configurations and Troubleshooting Backup

    Configuring Backup WAN Connections: Viewing Backup Configurations and Troubleshooting Backup Connections
    The steps you take to view and troubleshoot backup connections vary, depending on whether you are using demand routing or persistent backup connections.
  • Page 151: Viewing the Status and Configuration of Backup Interfaces

    Table 3-11. Backup LEDs
    Color | Meaning
     | The backup interface has not been activated.
     | The backup interface is down.
    solid green | The backup interface is up and ready to provide a connection.
    flashing green | The backup interface is active and providing the current connection.
  • Page 152
    bri 1/2 is UP
    Line status: connected
    Caller ID will be used to route incoming calls
    Caller ID normal
    Switch protocol: Net3 Euro ISDN
    SPID 1 n/a, LDN 1 9631111
    SPID 2 n/a, LDN 2 n/a
    5 minute input rate 112 bits/sec, 0 packets/sec
    5 minute output rate 112 bits/sec, 0 packets/sec...
  • Page 153 Verify that the SPID(s) and/or LDN(s) are correct. If you are located in North America, double-check whether your public carrier has assigned you one or two SPIDs. When you use both B channels, public carriers that use National ISDN and Northern Telecom DMS-100 sometimes require you to configure a SPID for each channel.
  • Page 154
    Table 3-13. BRI Line Status
    Status | Meaning | Next Best Step
    layer 1 down | There is no activity on the ISDN line. | Check the physical hardware, including the cabling and wall jack.
    getting TEI #1 | The switch cannot identify... | •...
  • Page 155: Viewing Information About Demand Routing and Troubleshooting Problems

    Viewing Information about Demand Routing and Troubleshooting Problems
    You can use show commands to view different aspects of your demand routing configuration. For example, you can view the status of a demand interface and any dial-up connections that are established through a demand interface.
  • Page 156 Figure 3-22 shows the results of this command if demand interface 1 is spoofing its up status and a dial-up connection has not been established. In addition to showing the status of the interface, this command displays settings for the following commands:
    • connect-mode
    • resource pool...
  • Page 157: Interface

    Figure 3-23 provides the results of the show interfaces demand 1 command when an ISDN connection has been established.
    Demand 1 is UP (connected)   (A dial-up connection has been established)
    Configuration:
    Keep-alive is set (10 sec.)
    connect-mode, ...
  • Page 158: Viewing Demand Sessions

    Viewing Demand Sessions
    You can view all of the dial-up connections currently established through demand routing. From the enable mode context, enter:
    ProCurve# show demand sessions
    The sessions are listed in the order in which they were established. (See Figure 3-24.) For each session, this command lists:
    • demand interface through which the connection was established
    • IP address of the demand interface and the far-end router...
  • Page 159: Show the Running-Config for the Demand Interface

    Show the Running-Config for the Demand Interface
    To check your demand routing configuration, you must view the running-config file. From the enable mode context, enter:
    ProCurve# show running-config
    You must then scroll through the file to find the various commands you entered for demand routing.
  • Page 160: Checking the ACL That Defines the Interesting Traffic

    make a connection. (For more information about checking the BRI or modem interfaces, see “Viewing Information about BRI and Modem Interfaces and Troubleshooting Problems” on page 3-70.) Use the show interfaces demand command to view the status of the demand interface, which should be up (spoofing).
  • Page 161: Troubleshooting the Backup Connection

    the source address for the ping to a local network address). Before you send the sample traffic, enable debugging for demand routing. From the enable mode context, enter:
    ProCurve# debug demand-routing
    If you have configured your ACL correctly, debug messages for demand routing should appear immediately.
  • Page 162
    Command | Description
    debug isdn resource-manager | displays resource manager errors and messages
    debug isdn verbose | displays all errors and messages
    Note: Debug functions are processor intensive. Some of the debug isdn commands display a high volume of messages, which are displayed too quickly to read.
  • Page 163: Test Calls for ISDN Lines

    Test Calls for ISDN Lines
    You can also set up a test call to test the ISDN circuit. When you initiate a test call, you connect the two endpoints through an ISDN call without setting up a Data Link Layer connection;...
  • Page 164: Connection

    To hang up a specific channel, enter the number of the B channel you want to disconnect. For example, if you wanted to hang up channel B2, you would enter:
    ProCurve(config-bri 2/3)# test-call hangup channel 2
    Test calls allow you to check the physical ISDN connection, end to end,...
  • Page 165: Viewing Backup Settings

    To verify this information, you can use the show commands in Table 3-17.
    Table 3-17. Backup show Commands
    View | Command Syntax
    backup dial list | show backup interfaces
    days and times backup is enabled | show backup interfaces
    backup PPP interface IP address | •...
  • Page 166
    ProCurve# show backup interfaces
    Dial-backup interfaces...
    ppp 1 backup interface:
    Backup state: in dial backup using bri 1/3   (Backup state is active through...)
    Backup protocol: BRI 1/3
    Call mode: answer
    Auto-backup: enabled
    Auto-restore:...
  • Page 167: Viewing the Backup PPP Interface

    Backup phone number list—This is the backup dial list, which includes:
    • Number—the peer’s phone number
    • Call type—analog, digital 56K, or digital 64K
    • Min/max DS0s—for ISDN lines only; the setting should read “1 2” for bonded lines
    •...
  • Page 168 When the local router successfully connects to a peer, you should receive messages such as those shown in Figure 3-29.
    ProCurve# debug backup
    ProCurve# debug dialup-interfaces
    DIALUP_INTERFACE.bri 1/3 Dialing 8882222
    DIALUP_INTERFACE.bri 1/3 Connect (CONNECT 64000)
    DIAL_BACKUP.bri 1/3 establishing ppp 1 backup to 8882222.
  • Page 169: Troubleshooting Persistent Backup Connections

    The router will not answer a call if the number is not in its dial backup list. The router will receive a message such as this:
    DIAL_BACKUP.MGR: Ignoring incoming call on bri 1/3 from 0005552222 because no match was found for this call source.
  • Page 170 If the call mode does not include originate, the router must wait to receive a call from the other end of the line. Either contact the remote site and have it initiate a connection or change the setting so the local router can place a call.
  • Page 171 In a PPP connection, when one end loses the connection the other does as well. If both endpoints are allowed to place a backup call, the calls may collide. In this situation, you may want to configure one router to answer calls and one to receive them.
  • Page 172 The Call Connects But the Backup Connection Does Not Go Up.
    Caution: These instructions explain how you can view PPP debug messages to determine why the Data Link Layer will not go up.
  • Page 173 The username and password the router accepts are listed under username and password. Remember that these might be different than those in the local database configured from the global configuration mode context.
  • Page 174: Quick Start

    Configuring Backup WAN Connections: Quick Start
    Whenever you want the router to be able to contact more than one number for a backup connection, you should limit the number of times the router can attempt a call. Enter this command from the logical interface for the primary connection:
    Syntax: backup maximum-retry <attempts>...
  • Page 175
    Table 3-19. Settings for Configuring Demand Routing for a Backup Module (columns: Required Configuration; Options; Your Setting)
    Define the traffic that should initiate the dial-up connection if the primary ... Options: permit and deny statements in the ACL: [permit | deny] <protocol>...
  • Page 176 (Table 3-19, continued; columns: Required Configuration; Options; Your Setting)
    For ISDN connections, specify the LDN, the local telephone number for the ISDN line. Options: obtained from service provider.
    Create a floating static route to the far-end network. Options: • Obtain the destination network...
  • Page 177 Replace <protocol> with one of the following: – – – – icmp – – – – number between 0 and 255
    To specify the source and destination address, use the following:
    Syntax: [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>]
    For example, you might want to specify that the interesting traffic is the IP traffic from any source to network 192.168.115.0 /24.
  • Page 178 Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL.
  • Page 179 Replace <value> with the number of times between 1 and 65535 that the demand interface should attempt the call. (Enter 0 to have the demand interface make an unlimited number of attempts.)
    Table 3-20. Defining a Resource Type for Connection Instructions
    Option | Description
    isdn-64k |...
  • Page 180 Configuring Backup WAN Connections Quick Start Table 3-21 lists the command syntax for each signaling type. Table 3-21. ISDN Signaling Types Signaling Type Command Syntax National ISDN-1 isdn switch-type basic-ni Euro ISDN isdn switch-type basic-net3 Northern Telecom DMS-100 isdn switch-type basic-dms Lucent/ATT 5ESS isdn switch-type basic-5ess Set the LDN.
  • Page 181: Configuring A Persistent Backup Connection

    Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0 /24. Then, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length. Specify the forwarding interface as demand <number>...
  • Page 182 Table 3-22. Backup Settings (columns: Required Configuration, Options, Your Setting). Access the configuration mode context for the backup interface: <backup interface> = bri or modem; <slot> = 1 or 2; <port> = 2 or 3. For an analog interface, specify the country in which the router is located (enter modem country code ? to see the options).
  • Page 183 Table 3-22 (continued). Specify the days on which backup will not be provided: sunday, monday, tuesday, wednesday, thursday, friday, saturday. Specify the time when backup support is turned off: hh:mm:ss.
  • Page 184 Create a backup PPP interface. Syntax: interface ppp <backup interface number> Assign the backup interface a static IP address on a different network than the primary interface. Syntax: ip address <backup A.B.C.D> <subnet mask | /prefix length> Activate the interface.
  • Page 185: Backing Up A Connection With An Isdn Bri S/T Backup Module

    Enter times in twenty-four hour clock format. For example: ProCurve(config-fr 1.102)# no backup schedule saturday ProCurve(config-fr 1.102)# backup schedule disable-time 18:00:00 ProCurve(config-fr 1.102)# backup schedule enable-time 8:00:00 14. If you are using static routing, add a floating static route to the remote site.
  • Page 186 Create a backup PPP interface. Syntax: interface ppp <backup interface number> Assign the backup interface an IP address on a different network than the primary interface. Syntax: ip address <backup A.B.C.D> <subnet mask | /prefix length> Activate the interface.
  • Page 187: Backing Up A Connection With An Analog Module

    Enter times in 24-hour clock format. For example: ProCurve(config-fr 1.102)# no backup schedule saturday ProCurve(config-fr 1.102)# backup schedule disable-time 18:00:00 ProCurve(config-fr 1.102)# backup schedule enable-time 8:00:00 14. If you are using static routing, add a floating static route to the remote site. Syntax: ip route <remote network A.B.C.D>...
  • Page 188 Move to the logical interface for the primary connection. Syntax: interface <interface ID> For example: ProCurve(config)# interface frame-relay 1.102 Add the remote site’s telephone number to the backup call list. Syntax: backup number <remote site’s LDN> analog ppp <backup interface number>...
  • Page 189: Contents

    ProCurve Secure Router OS Firewall— Protecting the Internal, Trusted Network Contents Overview ............4-3 Advantages of an Integrated Firewall .
  • Page 190 Contents (continued). Configuring Timeouts for Sessions ....... 4-21 Setting the Timeout for a Protocol .
  • Page 191: Overview

    Overview. The Internet offers many valuable resources, often free and open to all users. In addition, it allows businesses and consumers to reach each other more easily than ever before. A connection to the Internet is practically mandatory for most organizations.
  • Page 192: Stateful-Inspection Firewalls

    A router firewall protects your network entry points, stopping threats before they get through the router. An integrated firewall is less expensive. A firewall integrated on a router allows an organization to enforce a standard security policy for all hosts.
  • Page 193: Circuit-Level Gateway

    [Figure 4-1. Packet-Filtering Firewall (labels: Packet 1, source IP permitted; Packet 2, source IP denied; Internet, Router, Private network)] ACLs specify certain settings for packets’ full association information. For example, the ACL can permit packets from a range of IP addresses destined to a specific IP address on a specific port.
  • Page 194 Attack Checking. A circuit-level gateway monitors TCP handshakes between trusted clients or servers and untrusted hosts to determine whether or not a requested session is legitimate. A circuit-level gateway authorizes a requested session only if the SYN (synchronize) flags, ACK (acknowledge) flags, and sequence numbers involved in the TCP handshake are logical.
  • Page 195: Application-Level Gateway

    [Figure 4-2. Circuit-Level Gateway Versus Secure Router OS Firewall (labels: Circuit-level gateway and Secure Router OS firewall, each showing Internet, Router A, 192.168.1.99, 10.1.1.1, Session; Source IP NATed)] For information on how to configure NAT, see Chapter 6: Configuring Network Address Translation.
  • Page 196 A stateful-inspection firewall, like that on the ProCurve Secure Router, can analyze Application Layer data without having to act as a proxy server. Instead, the firewall monitors sessions between hosts in the trusted and untrusted networks.
  • Page 197: Attack Checking

    Table row (columns: Firewall Feature, OSI Layer, Function, ProCurve Secure Router Configuration): application-level gateway; Application (7); allows a specific application to work correctly in the presence of the firewall; enable ALGs (“Configuring ALGs” on page 4-18). Attack Checking. This chapter focuses on configuring the Secure Router OS firewall to block attacks.
  • Page 198: Syn-Flood Attacks

    ProCurve periodically updates the Secure Router operating system (SROS) to block new attacks as these attacks are reported. You can download new SROS software at www.hp.com/rnd/software/securerouters.htm. See the Basic Management and Configuration Guide, Chapter 1: Overview to learn how to update the software.
  • Page 199: Winnuke Attacks

    [Figure 4-3. Syn-flood Attack (labels: Attacking system, Target host; SYN/ACK to source 192.168.3.4 /32, no route; SYN/ACK to source 172.16.1.26 /32, no route; SYN/ACK to source 10.0.3.28 /32, no route)] The result of both attacks is extremely degraded performance or, worse, a system crash.
  • Page 200: Reflexive Traffic

    Reflexive Traffic. Reflexive traffic is traffic that is received on an interface and then forwarded out the same interface. For example, in a multi-netted environment, traffic will sometimes arrive on and leave by the same Ethernet interface. Figure 4-4 shows an example of such a network.
  • Page 201 You can examine logs to look for information to help you in troubleshooting or to see what kind of attacks have been targeted at your system. (You can also view events as they occur on the terminal by activating the events command from the enable mode context.) Events include: blocked attacks; policy matches (packets filtered by an ACL or ACP)
  • Page 202: Configuring Attack Checking

    Configuring Attack Checking. To configure the Secure Router OS firewall to block attacks, you only have to enable the firewall. You can also: enable and disable optional checks; check reflexive traffic; enable stealth mode. Enabling the Secure Router OS Firewall...
  • Page 203: Enabling And Disabling Optional Attack Checks

    Table (columns: Packet, Associated Attack): all ICMP packets except echo, echo-reply, ttl expired, destination unreachable, and quench; associated attack: Twinge. Falsified IP header (the length bit does not match ...
  • Page 204: Checking Reflexive Traffic

    The WinNuke attack affects Windows NT 3.51 and 4.0, Windows 95, and Windows 3.11. It does not usually cause permanent damage. However, it can cause open Windows applications to crash and hosts to lose connectivity; you should consider enabling this check when your network uses affected systems.
  • Page 205: Configuring Stealth Mode

    does not process traffic that it immediately forwards through the interface on which the traffic was received. It assumes that the traffic is from a trusted source. [Figure (labels: Router 1, Router 2, Eth 0/1, Eth 0/1)...]
  • Page 206: Configuring Algs

    Configuring ALGs. ALGs monitor sessions on the OSI Application Layer. An ALG helps a firewall read packets and filter them for the particular commands or information relating to the ALG’s application. Each application has a distinct ALG that deals with its special concerns.
  • Page 207: Enabling The Ftp Alg

    Enabling the FTP ALG. FTP allows computers to exchange files through the Internet. It is often used to upload Web pages to a Web server or to download files from a server to a PC.
  • Page 208: Enabling The Pptp Alg For Vpns

    On the ProCurve Secure Router, the default port number that the ALG uses for SIP is 5060. If any SIP applications in your network use different port numbers, then you must enable those ports as well. Use the optional udp keyword and enter the port number.
  • Page 209: Configuring Timeouts For Sessions

    Configuring Timeouts for Sessions. As well as screening TCP and UDP packets for attacks, the Secure Router OS firewall monitors all ICMP, TCP, and UDP sessions established through the router.
  • Page 210: Setting Timeouts For Specific Tcp And Udp Applications

    The default settings for these timeouts are usually adequate. However, you can alter them in accordance with your organization’s policies with this command: Syntax: ip policy-timeout [ahp | esp | gre | icmp] <seconds> Syntax: ip policy-timeout [tcp | udp] all-ports <seconds>...
  • Page 211: Configuring Logging

    For a complete list of protocol keywords, refer to your SROS CLI reference guide. You can also use the ? help command. For example: ProCurve(config)# ip policy-timeout tcp ? You can similarly set individual timeouts for a specific UDP application.
  • Page 212: Specifying The Priority Level For Logged Events

    Specifying the Priority Level for Logged Events. The router’s event-history log is enabled by default. However, in order for the firewall to log events to it, you must specify the priority level for logged events. The firewall classifies events into five priority levels according to the risk posed to your system.
  • Page 213 The firewall logs all events of the specified priority and greater. For example, to log all events to the event-history, enter: ProCurve(config)# event-history priority info To disable logging to the event history, enter: ProCurve(config)# no event-history on To re-enable logging, enter: ProCurve(config)# event-history on...
  • Page 214: Specifying How Many Attacks Generate A Log

    Specifying How Many Attacks Generate a Log. By default, the firewall generates a log after it blocks 100 attacks. This setting is called the attack log threshold. (An attack log has an error priority.) You can alter this threshold.
  • Page 215: Forwarding Logs To A Syslog Server

    Forwarding Logs to a Syslog Server. Syslog servers collect information about devices on a network. You can then analyze this information for a picture of network functions as a whole. The ProCurve Secure Router can log events to a syslog server.
  • Page 216 Table 4-4. Syslog Facilities (Syslog Facility, Keyword): authorization system, auth; cron facility, cron; system daemon, daemon; kernel, kern; locally defined messages, local0–local7; line printer system; mail system, mail; USENET news, news; system use, sys9–sys14...
  • Page 217: Forwarding Logs To An Email Address

    Forwarding Logs to an Email Address. You can also configure the ProCurve Secure Router to send logs to email accounts. In this way, you and other network administrators can check up on a network.
  • Page 218 Enter the email addresses of the people who should receive the exception reports in the same way that you entered addresses for emailed logs. Specify the priority level for events that the router forwards to the email addresses: Syntax: logging email priority-level [info | notice | warning | error | fatal] For example:...
  • Page 219: Quick Start

    Quick Start. This section provides the commands you must enter to quickly: enable the firewall; check for optional attacks; enable and disable ALGs; set policy timeouts; configure log forwarding. Only a minimal explanation is provided.
  • Page 220 You can also configure individual timeouts for various TCP and UDP protocols such as Telnet, SNMP, and HTTP. Enter: Syntax: ip policy-timeout [tcp | udp] [all-ports | <port> | range <first port> <last port>] <seconds>...
  • Page 221: Contents

    Applying Access Control to Router Interfaces Contents Access Control for Interfaces on the ProCurve Secure Router ..5-3 Access Control Mechanisms ........5-4 Using ACLs Alone to Configure Access Control .
  • Page 222 Contents (continued). Configure ACPs ..........5-34 Action .
  • Page 223: Access Control For Interfaces On The Procurve Secure Router

    Access Control for Interfaces on the ProCurve Secure Router. In addition to blocking known cyber attacks with its stateful-inspection firewall, the ProCurve Secure Router OS can filter both inbound and outbound traffic, enabling you to control the traffic that enters and exits your corporate network.
  • Page 224: Access Control Mechanisms

    Table 5-1. Evaluating Traffic Patterns on Your WAN (columns: Interface Usage, Traffic That Must Be Transmitted, Outgoing Traffic That Should Be Blocked, Incoming Traffic That Should Be Blocked). E1 1/1 and PPP 1 connection to...
  • Page 225: Using Acls Alone To Configure Access Control

    ACPs also allow you to perform certain actions on traffic that ACLs do not. For example, you must use an ACP to configure Network Address Translation (NAT) on the ProCurve Secure Router. (For more information about NAT, see Chapter 6: Configuring Network Address Translation.) Table 5-2 lists the main differences between ACLs and ACPs.
  • Page 226: Configure Acls

    Configure ACLs. You can create and apply two ACLs to each interface: one ACL to control incoming traffic; one ACL to control outgoing traffic. If you apply ACLs directly to router interfaces, the ProCurve Secure Router uses the ACL to both select the traffic and to perform the action on that traffic.
  • Page 227 Note: The ProCurve Secure Router supports “named” ACLs. That is, when you configure a standard or an extended ACL, you assign it a unique name. A standard ACL matches only one packet pattern: the source IP address.
  • Page 228: Creating An Acl

    [Figure: Extended ACL is applied to the PPP 1 interface (labels: Server, Server, Router, Internet, Core Switch, Edge Switch; questions: Is this source address permitted or denied? Is this destination address permitted or denied? Is this protocol and port permitted or denied?)...]
  • Page 229 Permit or Deny Traffic. You can now begin to enter permit and deny entries. The ACL is empty until you add these entries. To create permit and deny entries for standard ACLs, you use the following command syntax: Syntax: [permit | deny] <source address>...
  • Page 230 Use Wildcard Bits. You can use wildcard bits to permit or deny a range of IP addresses. Wildcard bits define which address bits the Secure Router OS should match and which address bits it should ignore.
  • Page 231: Creating An Extended Acl

    Selecting the log Option. Include the log option if you want the Secure Router OS to log a message when these two conditions are met: debug access-list is enabled for this ACL; a packet matches this ACL. Exit the ACL. After you have finished creating the ACL, enter exit to return to the global...
  • Page 232 All of the command options are explained in the sections that follow. Specify a Protocol. When you configure extended ACLs, you must specify a protocol. Valid protocols include: AH (ahp), ESP (esp), GRE (gre)
  • Page 233 To deny all ICMP traffic from a specific host, such as host 192.168.1.1, to any destination, you enter: ProCurve(config-ext-nacl)# deny icmp host 192.168.1.1 any To deny ICMP traffic from a range of IP addresses to a specific destination, enter: Syntax: deny icmp <A.B.C.D>...
  • Page 234 In practice, you would use the any keyword only if you want to match all traffic from a particular port. You can also view options for selecting the port by entering the ? help command after specifying a particular source or destination.
  • Page 235: Entry Order

    Specifying Bits in the Packets. To protect your network against attacks and hackers scanning your network for information, you can block packets based on certain bits set in the packet. You can specify the following bits: Selecting the log Option.
  • Page 236 In Figure 5-4, for example, the device with the IP address 168.44.1.10 is trying to send a packet to a device on the LAN attached to Router A. The network administrator has configured a standard ACL called WAN and assigned this ACL to incoming traffic on the PPP 1 interface.
  • Page 237: Adding A Descriptive Tag To An Acl

    Adding a Descriptive Tag to an ACL. To document why you created an ACL, you can use the remark command to add a descriptive tag to either a standard or an extended ACL. This tag can be up to 80 alphanumeric characters.
  • Page 238: Deleting An Existing Acl

    Deleting an Existing ACL. To delete an entire ACL, move to the global configuration mode context and enter: Syntax: no ip access-list [extended | standard] <listname> Replace <listname> with the name of the list you want to delete. For example, if you wanted to delete an extended ACL list called Inside, you would enter: ProCurve (config)# no ip access-list extended Inside...
  • Page 239: Selecting The Packet And Controlling The Action

    Table 5-6. Locating Information about Applying ACLs (Topic, Page): applying ACLs to an ACP, 5-25; applying ACLs to FTP, HTTP, and Telnet traffic destined to the router, 5-21; applying ACLs to allow routing updates, 5-24...
  • Page 240 If you wanted to configure the Secure Router OS to allow only Telnet traffic and traffic to subnet 192.168.115.0 /24 to enter the Ethernet 0/1 interface, you could create an extended ACL and apply it to this interface: ProCurve(config)# ip access-list extended Outside ProCurve(config-ext-nacl)# permit tcp any any eq telnet...
  • Page 241: Controlling Ftp, Http, And Telnet Access To The Router

    Controlling FTP, HTTP, and Telnet Access to the Router. The ProCurve Secure Router allows you to control FTP, HTTP, and Telnet access globally for the entire router. This feature greatly simplifies the effort required to manage FTP, HTTP, and Telnet access.
  • Page 242: Restricting Telnet Access

    In this ACL, the first entry permits HTTP traffic from network 192.168.1.0 /24, and the second entry permits HTTP traffic from network 192.168.115.0 /24. Because each ACL contains an implicit “deny any” at the end of the list, this will be the only HTTP traffic that is allowed to access the Web browser interface once the ACL is applied to the router.
  • Page 243: Examples Of Applying Acls

    The ProCurve Secure Router would then allow only the Telnet traffic that matches the criteria permitted by the specified ACL. Examples of Applying ACLs. When you create ACLs, you may want to first record the transport protocol, source IP address, source port, destination IP address, and destination port for each type of traffic that you want to control, specifying also whether this traffic will be permitted or denied.
  • Page 244 Note: If the Secure Router OS firewall and the FTP ALG are enabled, you do not have to configure an entry to allow traffic on FTP data port (21). The FTP ALG automatically allows the return traffic for established FTP sessions.
  • Page 245: Using Acps To Control Access To Router Interfaces

    Using ACPs to Control Access to Router Interfaces. By themselves, ACLs have some limitations: you can assign only one ACL to each interface to control inbound traffic and one ACL to control outbound traffic.
  • Page 246: Configure Acls

    If you do not enable the firewall, you can still configure ACPs. However, when you try to apply an ACP to an interface, the ProCurve Secure Router displays a message similar to the following: Firewall is disabled, access policy commands applied but not used. Configure ACLs...
  • Page 247 A standard ACL matches only one packet pattern: the source IP address. An extended ACL matches more complex packet patterns: source and a destination address; most fields in the IP, TCP, and UDP header, including IP protocol and TCP or UDP source or destination port. You should create a standard ACL if you want to select traffic based only on the source IP address.
  • Page 248: Creating An Acl

    [Figure 5-7 (labels: Server, Server, Router, Internet, Core Switch, Edge Switch, Edge Switch, User; questions: Is this source address permitted or denied? Is this destination address permitted or denied? Is this protocol and port permitted or denied?)]
  • Page 249 Using Permit and Deny Entries to Select Traffic. To create permit and deny entries for standard ACLs, you use the following command syntax: Syntax: [permit | deny] [any | host {<A.B.C.D> | <hostname>} | <A.B.C.D> <wildcard bits>] Table 5-7 lists the options for specifying the source address.
  • Page 250 You can also omit the host keyword to select a specific IP address: ProCurve(config-std-nacl)# permit 192.168.115.80 ProCurve(config-std-nacl)# deny 192.168.115.80 Using Wildcard Bits. Finally, you can use wildcard bits to permit or deny a range of IP addresses.
  • Page 251: Creating An Extended Acl

    Selecting the log Option. Include the log option if you want the Secure Router OS to log a message when these two conditions are met: debug access-list is enabled for this ACL; a packet matches this ACL. Exit the ACL.
  • Page 252 All of the command options are explained in the sections that follow. Specifying a Protocol. When you configure extended ACLs, you must specify a protocol. Valid protocols include: AH (ahp), ESP (esp), GRE (gre)
  • Page 253 To exclude ICMP traffic from a range of IP addresses to a specific destination, enter: ProCurve(config-ext-nacl)# deny icmp <A.B.C.D> <wildcard bits> host <A.B.C.D> Specifying a Source or Destination Port for TCP and UDP. If you are configuring ACL entries to select TCP or UDP traffic, you can also specify source and destination ports, although this is optional.
  • Page 254: Configure Acps

    To view a list of well-known ports, enter the help command after one of the port commands (such as eq, gt, or neq). The list of options is displayed in alphabetical order.
  • Page 255: Selector

    Each ACP contains an implicit “discard all” at the end. Packets are discarded if they do not match any ACL listed in the ACP. This chapter explains how to create entries that allow or discard packets. For information about NAT, see Chapter 6: Configuring Network Address Translation.
  • Page 256: Creating Entries In The Acp

    Creating Entries in the ACP. From the policy class configuration mode context, you can begin to enter allow, discard, and NAT entries. To create an allow entry, enter: Syntax: allow list <listname>...
  • Page 257: Assigning The Acp To An Interface

    Assigning the ACP to an Interface. An ACP does not become active until you assign it to an interface (and enable the firewall). Then it affects only the incoming traffic on the interface to which it is assigned.
  • Page 258: Processing Acps

    For example, if you configure an ACP that blocks your Telnet access to the ProCurve Secure Router, you will lose your ability to manage the router through a Telnet session and must use another access method to correct your error.
  • Page 259 When a packet enters an interface that has been assigned an ACP, the Secure Router OS firewall checks the first entry in the ACP. The firewall then reads the associated ACL to determine if the packet matches the IP address and any other fields that are specified.
  • Page 260 [Figure (labels: Subnet 192.168.1.0, PPP 1, PPP 2, Eth 0/1, Edge Switch, Router A, Router B, No match). Router B configuration: interface ppp 2; ip address 10.1.1.1 255.255.255.252; access-policy Private; ip access-list standard Group1; permit host 192.168.1.10 log...]
  • Page 261: Acp Action Summary

    However, the action specified in the ACL is deny, and when an ACL is part of an ACP, deny means do not take the action specified in the ACP. The allow list MatchAll entry is the last in the ACP.
  • Page 262 Table 5-10. Actions Based on ACP Configuration. ACL action deny (ACP action does not matter): the Secure Router OS firewall does not take the specified action on the packet; ...
  • Page 263: Traffic Flow Through Interfaces With Acps

    [Figure: traffic flow through an interface with an ACP (labels: Packet in Interface; Process entries in ACP from top down; Process entries in ACL from top down; Another ACL in ACP?; Allow; Discard; Route lookup; Drop packet)...]
  • Page 264: Has A Different Acp

    Inbound Interface Has an ACP; Outbound Interface Does Not Have an ACP. When you assign an ACP to an interface, the Secure Router OS firewall uses that ACP to filter inbound traffic, that is, traffic arriving on the interface.
  • Page 265: Interface Has An Acp

    Applying Access Control to Router Interfaces Using ACPs to Control Access to Router Interfaces [Figure: a router with an inside interface (Inside ACP) and an outside interface (Outside ACP). Traffic arriving on the inside interface is allowed by the Inside ACP; the Outside ACP is not used for that traffic.] Figure 5-13. Inside ACP Filters Incoming Traffic on an Ethernet Interface. However, if traffic arrives on the PPP 1 interface, the roles are reversed: the Secure Router OS firewall will use the Outside ACP to filter traffic.
  • Page 266: Traffic In And Out Through A Single Interface

    Applying Access Control to Router Interfaces Using ACPs to Control Access to Router Interfaces [Figure: a router with one interface without an ACP and one interface with an ACP; no ACP is applied to the inbound interface.] Figure 5-15. No ACP Applied to the Inbound Interface, so All Traffic Is Allowed. If you have enabled the firewall on the ProCurve Secure Router, it will still check this traffic for known attacks and block those attacks.
  • Page 267 Applying Access Control to Router Interfaces Using ACPs to Control Access to Router Interfaces Block Telnet Traffic. To strengthen security on your WAN, you may want to deny any Telnet session that users attempt to establish with the ProCurve Secure Router. You must first create an extended ACL and give it a name, such as Telnet.
  • Page 268 Applying Access Control to Router Interfaces Using ACPs to Control Access to Router Interfaces You may also want to permit Domain Name System (DNS) traffic on WAN interfaces that are connected to the Internet. To permit DNS traffic, enter: ProCurve(config-ext-nacl)# permit tcp any any eq domain Note that ordinary DNS queries and responses travel over UDP port 53; TCP port 53 is used mainly for responses too large for UDP and for zone transfers. An ACL that permits only TCP domain traffic therefore does not pass normal name lookups, so add the corresponding UDP entry as well (permit udp any any eq domain, or eq 53 if the domain keyword is not accepted for UDP). You can then create an ACP, as shown below: ProCurve(config)# ip policy-class WAN ProCurve(config-policy-class)# allow list Internet...
  • Page 269: Viewing Acls And Acps

    Applying Access Control to Router Interfaces Viewing ACLs and ACPs When you are using ACLs with ACPs, remember that you must use a permit entry to both select traffic and to have the Secure Router OS firewall take the action configured in the ACP. If you want to explicitly deny access to a subnet, you must create a permit entry in the ACL and then create a discard entry in the ACP.
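    The evaluation order described on pages 259 to 269 (ACP entries top down, the referenced ACL top down, permit selects the packet for the ACP action, deny only excludes it from that entry) is easy to get wrong, in particular the point that a deny in an ACL blocks nothing. The following Python model is an added example, not code from the manual or from the Secure Router OS; the ACL and ACP names, the 10.9.0.0/16 subnet and the UDP DNS entry are constructed for illustration, and the implicit drop at the end of the ACP is assumed from the flow chart on page 263 ("Another ACL in ACP?" leading to "Drop packet"). The wildcard-bit matcher is the <A.B.C.D> <wildcard bits> form used for standard ACLs in the NAT Quick Start.

```python
"""Model of Secure Router OS ACL/ACP evaluation (added example, not the manual's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """<A.B.C.D> <wildcard bits>: a 1 bit in the wildcard means 'don't care',
    so 192.168.115.0 0.0.0.255 selects all of 192.168.115.0/24."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def addr_match(addr: str, spec: str) -> bool:
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return addr == parts[1]
    return wildcard_match(addr, parts[0], parts[1])


@dataclass
class AclEntry:
    action: str                   # "permit" selects traffic, "deny" excludes it
    src: str = "any"
    dst: str = "any"              # a standard ACL only looks at the source
    proto: str = "ip"             # "ip" matches every protocol
    dport: Optional[int] = None   # extended ACL "eq <port>"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return addr_match(p.src, self.src) and addr_match(p.dst, self.dst)


Acp = List[Tuple[str, str]]       # ordered (action, ACL name) entries


def evaluate(acp: Acp, acls: Dict[str, List[AclEntry]], pkt: Packet) -> str:
    """ACP entries are processed top down; within an entry the ACL entries are
    processed top down. The first matching ACL entry decides: permit -> take
    the ACP action; deny -> do NOT take it, move on to the next ACP entry.
    A packet that no entry acts on is dropped (assumed implicit drop)."""
    for action, listname in acp:
        for entry in acls[listname]:
            if entry.matches(pkt):
                if entry.action == "permit":
                    return action
                break
    return "discard (end of ACP)"


def sample_config():
    """Constructed configuration in the shape of pages 267-269 (hypothetical names)."""
    acls = {
        # ip access-list extended Telnet / permit tcp any any eq 23
        "Telnet": [AclEntry("permit", proto="tcp", dport=23)],
        # ip access-list extended Internet; the udp entry is an addition, see page 268
        "Internet": [AclEntry("permit", proto="tcp", dport=53),
                     AclEntry("permit", proto="udp", dport=53)],
        # ip access-list standard Blocked / permit 10.9.0.0 0.0.255.255 (hypothetical subnet)
        "Blocked": [AclEntry("permit", src="10.9.0.0 0.0.255.255")],
        # the mistake page 269 warns about: deny in the ACL blocks nothing by itself
        "WrongWay": [AclEntry("deny", src="10.9.0.0 0.0.255.255"), AclEntry("permit")],
        "MatchAll": [AclEntry("permit")],
    }
    acps = {
        # ip policy-class WAN: discard list Telnet / discard list Blocked / allow list Internet
        "WAN": [("discard", "Telnet"), ("discard", "Blocked"), ("allow", "Internet")],
        # ip policy-class Naive: allow list WrongWay / allow list MatchAll
        "Naive": [("allow", "WrongWay"), ("allow", "MatchAll")],
    }
    return acls, acps


def check(acp_name: str, pkt: Packet) -> str:
    acls, acps = sample_config()
    return evaluate(acps[acp_name], acls, pkt)


if __name__ == "__main__":
    for name, p in [("WAN", Packet("tcp", "198.51.100.7", "10.1.1.1", 23)),
                    ("WAN", Packet("udp", "10.9.4.4", "10.1.1.1", 53)),
                    ("Naive", Packet("tcp", "10.9.4.4", "10.1.1.1", 80))]:
        print(name, p, "->", check(name, p))
```

    The Naive policy shows the trap: the packet from 10.9.4.4 hits the deny entry in WrongWay, which only skips that ACP entry, and the next entry (allow list MatchAll) lets it through. To exclude the subnet you need a permit entry in an ACL and a discard entry in the ACP that references it, placed before the allow entry, as the WAN policy does.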
  • Page 270: Displaying Acls

    Applying Access Control to Router Interfaces Viewing ACLs and ACPs Command / Explanation: show ip policy-sessions: displays the total number of sessions associated with ACPs, the number of sessions per ACP, and detailed information about each device that has established a session. show ip policy-sessions ...: displays the number of sessions associated with the...
  • Page 271: Displaying Acps

    Applying Access Control to Router Interfaces Viewing ACLs and ACPs You can use this information to review the ACLs that are configured and to ensure that they are configured correctly. Displaying ACPs To view all of the ACPs that are configured on the ProCurve Secure Router, move to the enable mode context and enter: Syntax: show ip policy-class If you are in any other mode context (except the basic mode context), you...
  • Page 272: Viewing Access Policy Sessions

    Applying Access Control to Router Interfaces Viewing ACLs and ACPs Viewing Access Policy Sessions After you enable the firewall and assign an ACP to an interface, the Secure Router OS firewall checks all the packets entering that interface. When a packet matches an ACL, the Secure Router OS treats it as specified in the ACP.
  • Page 273: Viewing Access Policy Statistics

    Applying Access Control to Router Interfaces Viewing ACLs and ACPs If you want to view information about the sessions associated with a specific ACP, enter: Syntax: show ip policy-sessions <policyname> Replace <policyname> with the name of the specific ACP (the policy class), not the name of an ACL it references. Viewing Access Policy Statistics You can also display a summary of ACP statistics by entering the following command from the enable mode context: Syntax: show ip policy-stats...
  • Page 274: Troubleshooting

    Applying Access Control to Router Interfaces Troubleshooting Troubleshooting show Commands In addition to using show commands to view information about ACLs and ACPs and to verify that your configuration is correct, you can use these commands for troubleshooting. For example, suppose that several users call you, complaining that they cannot send traffic to a remote site.
  • Page 275 Applying Access Control to Router Interfaces Troubleshooting You can also clear a particular policy session. For example, if you enter the show ip policy-sessions command and determine that an existing session should be terminated, you can use one of the following commands: Syntax: clear ip policy-sessions <policyname>...
  • Page 276: Clear Acl Counters

    Applying Access Control to Router Interfaces Troubleshooting
    Src IP Address   Src Port   Dest IP Address   Dst Port   NAT IP Address   NAT Port
    ---------------- --------- -------------- -------- --------------- -------
    Policy class "Inside":
      tcp (80) 192.168.20.1 2001 172.16.1.1 d 10.10.3.10
    Policy class "Outside":
      tcp (20) 192.168.100.99 1908...
  • Page 277: Quick Start

    Applying Access Control to Router Interfaces Quick Start Replace <listname> with the name of the ACL you want to debug. For example, if you want to debug the Inside ACL, enter: ProCurve# debug access-list Inside To end the debug, enter one of the following commands: Syntax: no debug access-list <listname>...
  • Page 278: Enabling The Built-In Firewall

    Applying Access Control to Router Interfaces Quick Start Note: If you are not familiar with ACLs and ACPs, ProCurve Networking strongly recommends that you read the entire chapter before you begin configuring and applying access controls to the interfaces on your ProCurve Secure Router.
  • Page 279 Applying Access Control to Router Interfaces Quick Start Before you begin configuring an ACL, you must determine if you want to configure a standard ACL or an extended ACL. To configure an ACL and apply it to an interface, complete the following steps: Create the ACL.
  • Page 280: Configuring Acps

    Applying Access Control to Router Interfaces Quick Start To deny all ICMP traffic from a specific host, such as host 192.168.115.90, to any destination, enter: ProCurve(config-ext-nacl)# deny icmp host 192.168.115.90 any To deny ICMP traffic from a range of IP addresses to a specific destination, enter: ProCurve(config-ext-nacl)# deny icmp <A.B.C.D>...
  • Page 281 Applying Access Control to Router Interfaces Quick Start Although ACPs are a little more complicated to configure and apply, they provide greater flexibility than ACLs do by themselves. With ACPs, you can apply more than two ACLs to an interface. Each ACP can include an unlimited number of entries, which reference an unlimited number of ACLs.
  • Page 282 Applying Access Control to Router Interfaces Quick Start To configure an ACL and apply it to an ACP, complete the following steps: Create the ACL. From the global configuration mode context, enter: Syntax: ip access-list [standard |extended] <listname> For example, to create an extended ACL, enter: ProCurve(config)# ip access-list extended Inside From the ACL configuration mode context, configure permit or deny entries.
  • Page 283 Applying Access Control to Router Interfaces Quick Start If you want to exclude all ICMP traffic from a specific host, such as host 192.168.115.90, to any destination, enter: ProCurve(config-ext-nacl)# deny icmp host 192.168.115.90 any To exclude ICMP traffic from a range of IP addresses to a specific destination, enter: Syntax: deny icmp <A.B.C.D>...
  • Page 284 Applying Access Control to Router Interfaces Quick Start Valid interfaces include PPP interfaces, Frame Relay subinterfaces, ATM subinterfaces, HDLC interfaces, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACL to an Ethernet subinterface.) Apply the ACP to the interface by entering the following command from the appropriate interface configuration mode context: Syntax: access-policy <policyname>...
  • Page 285: Contents

    Configuring Network Address Translation Contents NAT Services on the ProCurve Secure Router ..... . . 6-2 Many-to-One NAT for Outbound Traffic ......6-2 Using NAT with PAT .
  • Page 286: Nat Services On The Procurve Secure Router

    Configuring Network Address Translation NAT Services on the ProCurve Secure Router NAT Services on the ProCurve Secure Router When you enable the ProCurve Secure Router OS firewall, you can configure it to perform Network Address Translation (NAT) on traffic exchanged between the internal, trusted network and the untrusted, public network.
  • Page 287: Using Nat With Pat

    Configuring Network Address Translation NAT Services on the ProCurve Secure Router [Figure: users at 192.168.115.1, 192.168.115.2, 192.168.115.3 and 192.168.1.10, 192.168.1.11, 192.168.1.12 sit behind edge switches and a core switch; the router NATs all private IP addresses to one IP address such as 10.1.1.1, so the source address of all packets sent toward the Internet is now 10.1.1.1.]...
  • Page 288 Configuring Network Address Translation NAT Services on the ProCurve Secure Router Table 6-1. Information Recorded in a Port-Mapping Table for a Sample Network. Columns: Private IP Address; Translated Public IP Address; Translated Port; Destination IP Address; Destination Port.
    192.168.1.10: translated to 10.1.1.1, port 4000; destination 10.20.1.1 ...
    192.168.1.11: translated to 10.1.1.1 ...
  • Page 289: One-To-One Nat For Inbound Traffic

    Configuring Network Address Translation NAT Services on the ProCurve Secure Router One-to-One NAT for Inbound Traffic The Secure Router OS firewall performs one-to-one NAT on inbound traffic— traffic being transmitted from the outside, public network to a device on the internal, trusted network.
  • Page 290: One-To-One Nat With Port Translation

    Configuring Network Address Translation NAT Services on the ProCurve Secure Router [Figure: (1) an Internet user sends a request to the Web server at 10.10.10.1; (2) the ProCurve Secure Router NATs the destination address on incoming requests for the Web server to 192.168.1.2, the server behind the edge switch and core switch.]...
  • Page 291: Configuring Nat

    Configuring Network Address Translation Configuring NAT translates the public IP address to the private IP address, it can also perform port translation, assigning the traffic to the particular port used by the internal device. (See Figure 6-4.) [Figure 6-4: (1a) an Internet user sends a request to ...; (1b) NAT the destination address on the incoming request to ...]...
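    To make the port-mapping table of Table 6-1 and the two NAT directions concrete, here is an added Python model (not code from the manual or from the Secure Router OS). It keeps one row per outbound private source (many-to-one NAT with PAT, translated ports starting at 4000 as in Table 6-1), maps replies back only from the destination the row recorded, and applies one-to-one destination NAT rules with optional port translation. The public address 10.1.1.1, the Web and FTP server mappings follow the chapter's figures; the 8080-to-80 mapping for 192.168.1.3 and the Internet source 203.0.113.5 are constructed for the example.

```python
"""Port-mapping table with source NAT overload and destination NAT (added example)."""
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


class NatTable:
    def __init__(self, public_ip: str, first_port: int = 4000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port   # first translated port; Table 6-1 starts at 4000
        # (proto, private ip, private port) -> (translated port, dest ip, dest port)
        self.rows: Dict[Tuple[str, str, int], Tuple[int, str, int]] = {}
        # (proto, translated port) -> (private ip, private port, dest ip, dest port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # (public ip, public port or None) -> (private ip, private port or None)
        self.dnat: Dict[Tuple[str, Optional[int]], Tuple[str, Optional[int]]] = {}

    def nat_destination(self, public_ip: str, private_ip: str,
                        public_port: Optional[int] = None,
                        private_port: Optional[int] = None) -> None:
        """One-to-one NAT for inbound traffic: every port of public_ip when
        public_port is None, otherwise one port, optionally translated."""
        self.dnat[(public_ip, public_port)] = (private_ip, private_port)

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Flow:
        """Many-to-one NAT with PAT: the private source becomes the public
        address plus a unique translated port; the destination is recorded
        so that the reply can be matched later."""
        key = (proto, src, sport)
        if key not in self.rows:
            port, self.next_port = self.next_port, self.next_port + 1
            self.rows[key] = (port, dst, dport)
            self.reverse[(proto, port)] = (src, sport, dst, dport)
        return (proto, self.public_ip, self.rows[key][0], dst, dport)

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Traffic from the public network: a reply to a mapped flow is
        untranslated through the table, but only from the peer the row
        recorded; anything else needs a destination-NAT rule, otherwise
        None (no translation; without an allowing ACP entry it is dropped)."""
        if dst == self.public_ip and (proto, dport) in self.reverse:
            priv_ip, priv_port, peer_ip, peer_port = self.reverse[(proto, dport)]
            if (src, sport) == (peer_ip, peer_port):
                return (proto, src, sport, priv_ip, priv_port)
        rule = self.dnat.get((dst, dport)) or self.dnat.get((dst, None))
        if rule is None:
            return None
        priv_ip, priv_port = rule
        return (proto, src, sport, priv_ip, dport if priv_port is None else priv_port)

    def port_mapping_table(self) -> List[Tuple[str, str, int, str, int]]:
        """Rows in the column order of Table 6-1."""
        return [(src, self.public_ip, port, dst, dport)
                for (_, src, _), (port, dst, dport) in self.rows.items()]


def demo() -> dict:
    """Constructed traffic in the shape of the chapter's figures."""
    nat = NatTable("10.1.1.1")
    nat.nat_destination("10.10.10.1", "192.168.1.2")                    # Web server
    nat.nat_destination("10.1.10.1", "192.168.2.12", public_port=21)   # FTP server
    nat.nat_destination("10.10.10.1", "192.168.1.3",                    # hypothetical
                        public_port=8080, private_port=80)              # port translation
    return {
        "out_10": nat.outbound("tcp", "192.168.1.10", 1025, "10.20.1.1", 80),
        "out_11": nat.outbound("tcp", "192.168.1.11", 1025, "10.20.1.1", 80),
        "reply": nat.inbound("tcp", "10.20.1.1", 80, "10.1.1.1", 4000),
        "wrong_peer": nat.inbound("tcp", "10.20.1.9", 80, "10.1.1.1", 4000),
        "web": nat.inbound("tcp", "203.0.113.5", 40000, "10.10.10.1", 80),
        "web_alt": nat.inbound("tcp", "203.0.113.5", 40001, "10.10.10.1", 8080),
        "ftp": nat.inbound("tcp", "203.0.113.5", 40002, "10.1.10.1", 21),
        "unsolicited": nat.inbound("tcp", "203.0.113.5", 40003, "10.1.1.1", 5000),
        "table": nat.port_mapping_table(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

    The wrong_peer case is why the table records the destination: a packet to the public address and a mapped port that does not come from the recorded peer is not a reply and must not be forwarded into the trusted network.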
  • Page 292: Enabling The Firewall

    Configuring Network Address Translation Configuring NAT Enabling the Firewall You enable the firewall by entering the following command from the global configuration mode context: ProCurve(config)# ip firewall When you assign an ACP to an interface, that ACP will take effect only if the firewall is enabled.
  • Page 293: Types Of Acls

    Configuring Network Address Translation Configuring NAT Types of ACLs The Secure Router OS firewall supports two types of ACLs: standard and extended. If you want to define patterns based solely on source address, you should configure a standard ACL. If you want to define patterns based on source and destination addresses and on other fields in the IP, TCP, or UDP header, you should create an extended ACL.
  • Page 294 Configuring Network Address Translation Configuring NAT For example, if you want to NAT all traffic that enters through the Ethernet interface, you create this permit entry in the ACL: ProCurve(config-std-nacl)# permit any If you want to NAT a subnet, enter: ProCurve(config-std-nacl)# permit <A.B.C.D>...
  • Page 295 Configuring Network Address Translation Configuring NAT Replace <protocol> with one of the following: icmp ... You can also specify an IP protocol number between 0 and 255 instead of a keyword. To specify a source address or destination address, you use the following syntax: Syntax: [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>] Table 6-3 shows the options for specifying source and destination addresses.
  • Page 296 Configuring Network Address Translation Configuring NAT Table 6-4. Specifying Ports in Extended ACLs. eq <port number>: the specific port. gt <port number>: all ports with a number larger than the port number you specify (not including the specified port). lt <port number>...
  • Page 297: Configuring An Acp

    Configuring Network Address Translation Configuring NAT Configuring an ACP After you create the ACL that will select the traffic that you want to NAT, you must create the ACP. In the ACP, you define the action that the Secure Router OS firewall will take on the selected traffic.
  • Page 298: Configuring One-To-One Nat For Inbound Traffic

    Configuring Network Address Translation Configuring NAT For example, to configure the Secure Router OS firewall to NAT all traffic selected by the MatchAll ACL to the IP address 10.10.1.1, enter: ProCurve(config-policy-class)# nat source list MatchAll address 10.10.1.1 overload After you configure the ACP, you must assign it to an interface, or it will have no effect on the traffic entering the router.
  • Page 299: Assigning The Acp To An Interface

    Configuring Network Address Translation Configuring NAT You then create a second ACL called FTPserver to select traffic from any device that is destined for the public IP address (in this example, 10.1.10.1) on port 21, the well-known port for the FTP control connection (FTP data connections are handled by the FTP ALG described in Chapter 4). Use the same spelling of the ACL name in the ACL and in the ACP entry that references it. ProCurve(config)# ip access-list extended FTPserver ProCurve(config-ext-nacl)# permit tcp any host 10.1.10.1 eq 21 ProCurve(config-ext-nacl)# exit...
  • Page 300: Viewing Acls And Acps

    Configuring Network Address Translation Viewing ACLs and ACPs Viewing ACLs and ACPs After you configure NAT on the ProCurve Secure Router, you can use show commands to: view ACLs configured to select the traffic for NAT view NAT entries in ACPs display information about connections associated with particular ACPs The show commands related to ACLs and ACPs are listed in Table 6-5.
  • Page 301: Displaying Acls

    Configuring Network Address Translation Viewing ACLs and ACPs Displaying ACLs To view all of the ACLs that are configured on the ProCurve Secure Router, move to the enable mode context and enter: ProCurve# show access-lists As Figure 6-5 shows, this command lists the following information for each ACL: type of ACL—standard or extended all entries in the ACLs...
  • Page 302: Viewing Access Policy Sessions

    Configuring Network Address Translation Viewing ACLs and ACPs
    ProCurve# show ip policy-class
    Policy-class "Inside":
      Entry 1 - nat source list Internet address 10.1.1.1 overload
    Policy-class "Outside":
      Entry 1 - allow list Region
      Entry 2 - nat destination list Webserver address 192.168.2.11
      Entry 3 - nat destination list FTPserver address 192.168.2.12
    Figure 6-6.
  • Page 303: Viewing Access Policy Statistics

    Configuring Network Address Translation Viewing ACLs and ACPs
    ProCurve# show ip policy-sessions
    Src IP Address   Src Port   Dest IP Address   Dst Port   NAT IP Address   NAT Port
    ---------------- --------- -------------- -------- --------------- -------
    Policy class "Inside":
      tcp (80) 192.168.20.1 2001 172.16.1.1 d 10.10.3.10
    Policy class "Outside":...
  • Page 304: Troubleshooting

    Configuring Network Address Translation Troubleshooting
    ProCurve# show ip policy-stats
    Global 0 current sessions (255300 max)
    Policy-class "Inside": 121 current sessions (85100 max)
      Entry 1 - allow list MatchAll 1424221 in bytes, 14222323 out bytes, 123 hits
    Policy-class "Outside": 554 current sessions (85100 max)
      Entry 1 - allow list Region 2345352 in bytes, 56363536 out bytes, 554 hits
      Entry 2 - allow list InWeb...
  • Page 305: Clearing Existing Policy Sessions

    Configuring Network Address Translation Troubleshooting Clearing Existing Policy Sessions Whenever you change your ACP configurations, you are prompted to clear the existing sessions. This enables you to apply your new configurations. Otherwise, an existing session may violate an ACP that you just configured. To clear all of the policy sessions on the router, move to the enable mode context and enter: ProCurve# clear ip policy-sessions
  • Page 306: Clearing Acl Counters

    Configuring Network Address Translation Troubleshooting Replace <nat A.B.C.D> with the IP address that replaced the original IP address. Replace <nat port> with the port used by NAT. Use hexadecimal format for AHP, ESP, and GRE; use decimal format for all other protocols. Note: Rather than input this entire command, you can enter the show ip policy-sessions command to display the current sessions and then copy the second...
  • Page 307: Debugging Acls

    Configuring Network Address Translation Troubleshooting If you want to clear counters for a particular ACL, use the <listname> option: ProCurve# clear access-list <listname> For example, if you want to clear the counters for the Inside ACL, enter: ProCurve# clear access-list Inside Debugging ACLs You can debug events associated with a particular ACL.
  • Page 308: Quick Start

    Configuring Network Address Translation Quick Start Quick Start This “Quick Start” section provides the CLI commands you will need to configure network address translation (NAT) on the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, check the “Contents”...
  • Page 309 Configuring Network Address Translation Quick Start Create entries in the ACL to select the traffic that you want to NAT. Syntax: [permit | deny] [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>] For example, to NAT all traffic, enter: ProCurve(config-std-nacl)# permit any To NAT traffic from subnet 192.168.115.0 /24, use wildcard bits to specify a range of IP addresses.
  • Page 310: Using The Cli To Configure One-To-One Nat

    Configuring Network Address Translation Quick Start To apply the ACP to an interface, move to the configuration mode context for that interface. Syntax: interface <interface> <number> Valid interfaces include PPP interfaces, Frame Relay subinterfaces, ATM subinterfaces, HDLC, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACP to an Ethernet subinterface.) Apply the ACP to the interface by entering the following command from...
  • Page 311 Configuring Network Address Translation Quick Start Define the traffic that you want to NAT. For example, if you want to NAT all traffic with the destination address of the Web server, enter: Syntax: [permit | deny] <protocol> [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D>...
  • Page 312 Configuring Network Address Translation Quick Start To apply the ACP to an interface, move to the configuration mode context for that interface. Syntax: interface <interface> <number> Valid interfaces include PPP interface, Frame Relay subinterfaces, ATM subinterfaces, HDLC, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACP to an Ethernet subinterface.) 10.
  • Page 313: Contents

    Setting Up Quality of Service Contents Overview ............7-4 Evaluating Traffic on Your Network .
  • Page 314 Setting Up Quality of Service Contents Configuring LLQ ..........7-31 Overview .
  • Page 315 Setting Up Quality of Service Contents Determining the Required Bandwidth ......7-61 Marking Signaling Traffic for Special Treatment ....7-62 Configuring Frame Relay Rate Limiting .
  • Page 316: Overview

    Setting Up Quality of Service Overview Overview Quality of service (QoS) protocols allow a router to distinguish different classes of traffic and serve each class according to its priority and needs. Evaluating Traffic on Your Network Several factors define the QoS that traffic receives, including: bandwidth; delay; number of dropped packets; ...
  • Page 317: Qos Mechanisms On The Procurve Secure Router

    Setting Up Quality of Service Overview Control plane traffic—The router always reserves bandwidth for control traffic. This traffic, such as Open Shortest Path First (OSPF) hellos and routing updates, must run on the interface and will always be transmitted no matter what queuing method the interface implements. You should configure different QoS mechanisms depending on the type of traffic the router is serving.
  • Page 318: Tos Field

    Setting Up Quality of Service Overview However, neither IP precedence nor DiffServ addresses the second issue: how a router actually provides differentiated service. You must configure other protocols to provide the service requested by the ToS value. You can configure the ProCurve Secure Router to: grant traffic with a higher IP precedence value relatively more bandwidth using WFQ...
  • Page 319 Setting Up Quality of Service Overview The four ToS bits within the ToS field each request a different type of service from forwarding nodes: a one in the first bit requests low delay; a one in the second bit requests high throughput; a one in the third bit requests high reliability; a one in the fourth bit requests low cost. Note...
  • Page 320 Setting Up Quality of Service Overview The DSCP marks packets for a specific per-hop behavior (PHB). PHBs describe forwarding behavior. That is, standards for PHBs determine such issues as which packets should be forwarded first and which packets should be dropped during network congestion. DiffServ defines four types of PHBs: Default PHB—The Default PHB is for traffic with DSCP 0 (not set) or any undefined DSCP.
  • Page 321 Setting Up Quality of Service Overview Table 7-2. Assured Forwarding PHB (columns: AF Class, Drop Precedence, DSCP, DiffServ Value)
    AF1: low AF11 001010; medium AF12 001100; high AF13 001110
    AF2: low AF21 010010; medium AF22 010100; high AF23 010110
    AF3: low AF31 011010; medium AF32 011100; high AF33 011110
    AF4: low AF41 100010; medium AF42 100100; high AF43 100110
    For example, you can define three subclasses with AF1. The third subclass would have a higher drop precedence than the first two.
  • Page 322: First In, First Out

    Setting Up Quality of Service Overview Only 13 DSCP values have actually been standardized. Individual network administrators define in more detail which set of DSCP values match to a specific PHB. This allows them to use DiffServ with the QoS policies already implemented in a network.
  • Page 323: Cbwfq

    Setting Up Quality of Service Overview Router Queue Figure 7-1. First In, First Out FIFO treats all packets in the same way. If you want the router to take packets’ ToS settings, or other criteria, into account when deciding how to treat them, you must implement a different queuing method.
  • Page 324: Frf.12

    Setting Up Quality of Service Overview [Figure 7-2. Low Latency Queuing: VoIP packets are placed in a queue with guaranteed bandwidth ahead of the router's other queued traffic.] FRF.12 FRF.12 fragments large data frames so that a Frame Relay interface can forward each frame with less delay. This allows low latency frames, such as VoIP, more opportunities to be forwarded and minimizes delay.
  • Page 325 Setting Up Quality of Service Overview It designates the order in which the ProCurve Secure Router matches traffic to these entries: the ProCurve Secure Router searches QoS entries with the lowest number first. Sequence numbers are only significant within the named map; QoS maps with different names can have entries with the same sequence number.
  • Page 326: Configuring Wfq

    Setting Up Quality of Service Configuring WFQ Configuring WFQ Overview WFQ is one method for granting differentiated service to various types of traffic. It classifies traffic according to the source and destination IP addresses and protocol port, and allocates traffic bandwidth relative to IP precedence value.
  • Page 327: Weight

    Setting Up Quality of Service Configuring WFQ Weight The router also assigns each conversation a weight based on the IP precedence value of its packets (see Figure 7-3). The rate at which that conversation gets serviced is proportional to the conversation's assigned weight, preventing high-weighted interactive traffic such as Telnet from being starved out by high-volume, lower-weighted traffic.
  • Page 328: Packet Marking

    Setting Up Quality of Service Configuring WFQ Now, consider an interface that handles more conversations at once—for example, 100 routine subqueues, 5 subqueues with a precedence of 3, and 2 queues for VoIP traffic with a precedence of 5. Even though VoIP traffic receives relatively more bandwidth than any individual routine subqueue, routine traffic altogether consumes 75 percent of the bandwidth.
  • Page 329: Enabling Wfq

    Setting Up Quality of Service Configuring WFQ Table 7-5. Mapping DiffServ to IP Precedence (DiffServ value range: IP precedence): 0-7: 0; 8-15: 1; 16-23: 2; 24-31: 3; 32-39: 4; 40-47: 5; 48-55: 6; 56-63: 7. If applications and devices outside the router will handle all packet marking, you only need to enable WFQ and set a threshold level for subqueues. If you want the router itself to mark packets with an IP precedence or DiffServ value, you must configure a QoS map to do so.
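    The bit layouts on pages 319 to 321 (precedence bits, the four ToS bits, the AF class and drop-precedence bits), the DiffServ-to-precedence mapping in Table 7-5 and the WFQ share arithmetic on page 328 all reduce to a few lines of integer math. The following Python block is an added example, not code from the manual or the router. One assumption is labelled in the code: the chapter says only that a conversation's weight grows with its IP precedence, so the share model weights each conversation by (precedence + 1); that choice reproduces the page's figure of routine traffic taking about 75 percent of the link with 100 routine, 5 precedence-3 and 2 precedence-5 conversations.

```python
"""ToS/DSCP field arithmetic and a WFQ share model (added example, not the manual's code)."""
from typing import Dict


def tos_fields(tos_byte: int) -> Dict[str, int]:
    """Decode the legacy ToS byte: IP precedence in the top three bits, then
    the four ToS bits (low delay, high throughput, high reliability, low
    cost); the least significant bit is reserved. DiffServ reuses the top
    six bits of the same byte as the DSCP."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte out of range")
    return {
        "precedence": tos_byte >> 5,
        "low_delay": (tos_byte >> 4) & 1,
        "high_throughput": (tos_byte >> 3) & 1,
        "high_reliability": (tos_byte >> 2) & 1,
        "low_cost": (tos_byte >> 1) & 1,
        "dscp": tos_byte >> 2,
    }


def dscp_to_precedence(dscp: int) -> int:
    """Table 7-5: 0-7 -> 0, 8-15 -> 1, ..., 56-63 -> 7. The precedence bits
    are simply the top three bits of the six-bit DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP out of range")
    return dscp >> 3


def af_name(dscp: int) -> str:
    """Table 7-2: AF class = top three bits (1-4), drop precedence = the next
    two bits (01 low, 10 medium, 11 high). 001010 -> AF11, 011100 -> AF32."""
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if not (1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0):
        raise ValueError(f"DSCP {dscp:06b} is not an Assured Forwarding code point")
    return f"AF{cls}{drop}"


def wfq_shares(conversations: Dict[int, int]) -> Dict[str, Dict[int, float]]:
    """Fraction of the link per precedence level and per single conversation.
    Input: precedence -> number of concurrent conversations at that level.
    ASSUMPTION (not given numerically on the page): each conversation is
    weighted by (precedence + 1)."""
    total = sum((p + 1) * n for p, n in conversations.items())
    per_level = {p: (p + 1) * n / total for p, n in conversations.items()}
    per_conv = {p: (p + 1) / total for p in conversations}
    return {"per_level": per_level, "per_conversation": per_conv}


if __name__ == "__main__":
    print(tos_fields(0xB8))                       # EF-marked packet: precedence 5, DSCP 46
    print(af_name(0b011100), dscp_to_precedence(46))
    shares = wfq_shares({0: 100, 3: 5, 5: 2})     # the example on page 328
    print({p: f"{s:.1%}" for p, s in shares["per_level"].items()})
```

    The page-328 example is the practical point: WFQ favours a precedence-5 conversation six to one over a routine one, but a hundred routine conversations still take three quarters of the link, which is why the chapter moves on to CBWFQ and LLQ for traffic that needs a guaranteed amount of bandwidth.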
  • Page 330: Setting The Queue Size

    Setting Up Quality of Service Configuring CBWFQ Specifying the threshold when you enable WFQ is optional. The threshold determines the maximum number of packets the interface can hold in each conversation subqueue. When the queue reaches this limit, the ProCurve Secure Router discards any subsequent packets it receives.
  • Page 331: Configuring Classes For Cbwfq

    Setting Up Quality of Service Configuring CBWFQ WFQ automatically classifies traffic into conversations according to source and destination IP address, port number, and protocol type. With CBWFQ, you manually configure how traffic is classified. You define a class according to IP header fields, and the interface places all traffic that fits that definition into the same subqueue.
  • Page 332: Creating A Qos Map Entry

    Setting Up Quality of Service Configuring CBWFQ Creating a QoS Map Entry To create a QoS map, enter the following command from the global configu- ration mode context: Syntax: qos map <mapname> <sequence number> The mapname is alphanumeric and case-sensitive. Valid sequence numbers range from 0 to 65,535.
  • Page 333 Setting Up Quality of Service Configuring CBWFQ Each QoS map entry can use only one set of criteria to match traffic. To match another group of traffic, you must configure another entry. Enter one of the match commands shown in Table 7-6 to select traffic. Different options for the match command will be discussed separately in the following sections.
  • Page 334 Setting Up Quality of Service Configuring CBWFQ Table 7-7. Example of Assured Forwarding PHB (columns: AF Class, Drop Precedence, DSCP, DiffServ Value)
    AF1: low AF11 001010; medium AF12 001100; high AF13 001110
    AF2: low AF21 010010; medium AF22 010100; high AF23 010110
    AF3: low AF31 011010; medium AF32 011100; high AF33 011110
    AF4: low AF41 100010; medium AF42 100100; high AF43 100110
    You would enter these commands to match classes to the four simple AF PHBs:...
  • Page 335 Setting Up Quality of Service Configuring CBWFQ less that interface can grant higher priority subqueues significantly greater bandwidth. Dividing traffic into a small number of classes alleviates this problem. You classify traffic in this way by matching the QoS map entry to an extended access control list (ACL).
  • Page 336 Setting Up Quality of Service Configuring CBWFQ You can also select certain types of traffic (for example, HTTP or Telnet) by specifying a protocol such as TCP or UDP and then indicating the source or destination port after the address: Syntax: [deny | permit] <protocol>...
  • Page 337 Setting Up Quality of Service Configuring CBWFQ For more information about configuring ACLs, see Chapter 5: Applying Access Control to Router Interfaces. Matching a QoS Map Entry to an ACL. Move to the configuration mode context for the QoS map entry you have created. Then enter this command: Syntax: match list <ACL listname>...
  • Page 338: Allocating Bandwidth To A Class

    Setting Up Quality of Service Configuring CBWFQ Instead of placing all bridged traffic in a class, you can place only NetBIOS Extended User Interface (NetBEUI) traffic. NetBEUI allows hosts to communicate within the LAN. You can define such traffic as a class of its own. For example: ProCurve(config)# qos map Class 12 ProCurve(config-qos-map)# match protocol bridge netbeui...
  • Page 339 Setting Up Quality of Service Configuring CBWFQ To specify bandwidth as a percentage of the bandwidth not allocated to low-latency queues, use the remaining percent keyword. The remaining percent keyword calculates bandwidth from the amount remaining after the bandwidth guaranteed to low latency queues has been subtracted from the available bandwidth.
  • Page 340: Assigning The Qos Map To An Interface

    Setting Up Quality of Service Configuring CBWFQ Assigning the QoS Map to an Interface You must create a separate QoS map entry for each class you want to define, giving each entry the same name but a different sequence number. You can define up to four classes.
  • Page 341: Cbwfq Example Configuration

    Setting Up Quality of Service Configuring CBWFQ Note: Even when you assign bandwidth to classes as a percentage, the router assigns it as an absolute value of the bandwidth normally available on the interface. This means that when one or more lines in a multilink bundle goes down, the router does not automatically readjust the bandwidth allocated to various classes.
  • Page 342 Setting Up Quality of Service Configuring CBWFQ b. Match traffic from the Web server: ProCurve(config)# ip access-list extended WebTrafficOut ProCurve(config-ext-nacl)# permit tcp host 192.168.1.26 eq www any Match the ACLs to the classes and set the bandwidth for each: First, define the class for traffic from the Web server. Set the entry number lower than that for the class for Network 1 traffic so that the router does not inadvertently match traffic from the server to the wrong class:...
  • Page 343: Configuring Llq

    Setting Up Quality of Service Configuring LLQ Configuring LLQ Overview LLQ is a method for guaranteeing a set amount of bandwidth to certain traffic and reducing this traffic's latency. You should use LLQ for voice and other real-time applications that involve traffic that cannot tolerate excessive or variable delay (jitter).
  • Page 344: Determining Bandwidth For Voip

    Setting Up Quality of Service Configuring LLQ Determining Bandwidth for VoIP One of the most common applications for a low-latency queue is VoIP traffic. You calculate the bandwidth necessary for VoIP traffic by: calculating the bandwidth necessary for one call; making adjustments to this calculation according to the capabilities of your VoIP devices; multiplying the per-call bandwidth by the number of calls the router needs...
  • Page 345 Setting Up Quality of Service Configuring LLQ Table 7-8 (columns: Standard, Bit Rate, Codec Sample Time, Sample Size, Packets Per Second). G.728: 16 Kbps; 2.5 ms; 5 bytes; often more than one sample per packet, for example 4 samples per packet for 20 bytes. G.729: 8 Kbps; 10 ms; ...
  • Page 346 Setting Up Quality of Service Configuring LLQ Table 7-9. Example Bandwidth Calculations for VoIP (columns: Standard, Packets per Second, Voice Payload Size, Total Size with MLPPP or Frame Relay header, Per-Call Bandwidth). G.711: voice payload 140 bytes; total size 187 bytes; per-call bandwidth 74.8 Kbps; ...
  • Page 347: Determining Bandwidth For Video Streaming

    Setting Up Quality of Service Configuring LLQ Making Adjustments. Calls typically contain bursts of noise when a person speaks and periods of silence when the person listens. Some VoIP applications use Voice Activity Detection (VAD) to suppress transmission of VoIP frames when the line is silent.
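    The three-step calculation on pages 344 to 347 (per-call bandwidth from codec parameters, adjustment for the VoIP devices, multiplication by the number of calls) is worth running as code so the numbers you put into the low-latency queue are reproducible. The block below is an added Python example, not the manual's or the router's code. Payload bytes and packet rate are derived from a codec's bit rate, sample time and samples per packet as Table 7-8 describes; the per-call check uses the 187-byte packet and 74.8 Kbps from Table 7-9, and two figures that table does not print are assumed here: 50 packets per second and a 7-byte MLPPP or Frame Relay header, which together reproduce those values. The VAD saving is a parameter you must take from your VoIP vendor; the page gives no number.

```python
"""VoIP bandwidth sizing for a low-latency queue (added example, not the manual's code)."""
from dataclasses import dataclass

IP_UDP_RTP_BYTES = 40   # IPv4 20 + UDP 8 + RTP 12, no header compression


@dataclass(frozen=True)
class Codec:
    name: str
    bit_rate_kbps: float
    sample_ms: float          # codec sample time, as in Table 7-8
    samples_per_packet: int   # how many samples the VoIP device bundles per packet

    def payload_bytes(self) -> int:
        """Voice bytes per packet: bit rate x sample time x samples per packet
        (kbps x ms = bits)."""
        bits_per_sample = self.bit_rate_kbps * self.sample_ms
        return round(bits_per_sample / 8) * self.samples_per_packet

    def packets_per_second(self) -> float:
        return 1000.0 / (self.sample_ms * self.samples_per_packet)


def per_call_kbps(payload_bytes: int, pps: float, link_header_bytes: int) -> float:
    """Bandwidth of one call: whole packet (voice + IP/UDP/RTP + link header)
    in bits, times packets per second."""
    total_bytes = payload_bytes + IP_UDP_RTP_BYTES + link_header_bytes
    return total_bytes * 8 * pps / 1000


def llq_bandwidth_kbps(per_call: float, calls: int, vad_savings: float = 0.0) -> float:
    """Bandwidth to guarantee the queue for 'calls' concurrent calls.
    vad_savings is the fraction Voice Activity Detection removes on average
    (ASSUMED input from the vendor; 0.0 sizes for continuous speech)."""
    if not 0.0 <= vad_savings < 1.0:
        raise ValueError("vad_savings must be a fraction in [0, 1)")
    if calls < 0:
        raise ValueError("calls must not be negative")
    return per_call * calls * (1.0 - vad_savings)


def size_queue(codec: Codec, calls: int, link_header_bytes: int = 7,
               vad_savings: float = 0.0) -> dict:
    """Full calculation for one codec; link_header_bytes=7 is the assumed
    MLPPP/Frame Relay header that matches Table 7-9's 187-byte packet."""
    payload, pps = codec.payload_bytes(), codec.packets_per_second()
    per_call = per_call_kbps(payload, pps, link_header_bytes)
    return {
        "codec": codec.name, "payload_bytes": payload, "pps": pps,
        "per_call_kbps": per_call,
        "queue_kbps": llq_bandwidth_kbps(per_call, calls, vad_savings),
    }


if __name__ == "__main__":
    g728 = Codec("G.728", 16, 2.5, 4)   # Table 7-8: 4 samples per packet, 20 bytes
    g729 = Codec("G.729", 8, 10, 2)     # 2 samples per packet assumed (20 bytes, 50 pps)
    for codec in (g728, g729):
        print(size_queue(codec, calls=10))
    print(per_call_kbps(140, 50, 7))    # Table 7-9 G.711 row: 187 bytes -> 74.8 Kbps
```

    Size the queue for continuous speech unless the vendor documents the VAD saving; the chapter's caution about unlimited bandwidth applies in the other direction too, since a queue sized too small drops the bursting voice packets first.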
  • Page 348: Placing Traffic In A Low-Latency Queue

    Setting Up Quality of Service Configuring LLQ Placing Traffic in a Low-Latency Queue The ProCurve Secure Router guarantees traffic in a low-latency queue the amount of bandwidth you specify. Traffic can burst above this bandwidth, but if the line becomes congested, the router will drop bursting packets in favor of other traffic.
  • Page 349 Setting Up Quality of Service Configuring LLQ Table 7-10. QoS Map Criteria (Criteria: Match Command). ToS value, IP precedence: match precedence <0-7>. ToS value, DiffServ: match dscp <0-63>. IP header, source or destination IP address and protocol port: match list <ACL listname>. Destination UDP protocol port: match ip rtp <first port number>...
  • Page 350 Setting Up Quality of Service Configuring LLQ Placing Traffic Destined to a UDP Protocol Port in a Low-Latency Queue. VoIP and other real-time traffic requires special handling. Congestion affects this traffic far more negatively than it does bursty data traffic. One way of classifying VoIP traffic is noting the UDP ports on which your VoIP applications operate.
  • Page 351 Setting Up Quality of Service Configuring LLQ Configuring an ACL. Create an ACL by entering a command such as this from the global configuration mode context: ProCurve(config)# ip access-list extended LowLatencyTraffic ACLs exclude all traffic that you do not explicitly permit, so you may not need to enter any deny statements.
  • Page 352 Setting Up Quality of Service Configuring LLQ Network 1 at Site A, shown in Figure 7-6, contains VoIP equipment that communicates with equipment at Network 4 at Site B. Host 26 on Network 1 is an email server; it does not send real-time data. To select the traffic to be placed in a low-latency queue, enter: ProCurve(config)# ip access-list extended LowLatencyTraffic ProCurve(config-ext-nacl)# deny ip host 172.16.1.26 any...
  • Page 353: Setting The Bandwidth Guaranteed The Queue

    Setting Up Quality of Service Configuring LLQ For Frame Relay connections, packets are queued on the Frame Relay inter- face. When one of the Frame Relay subinterfaces is part of a bridge group, you can place bridged traffic in a low-latency queue to speed processing and transmission.
  • Page 354: Marking Low Latency Packets With A Tos Value

    Setting Up Quality of Service Configuring LLQ Caution: Do not assign a queue unlimited bandwidth lightly. Even if the traffic in the queue is important, it is rarely critical enough to be worth starving out all other traffic.
  • Page 355: Marking Packets With A Tos Value

    Setting Up Quality of Service Marking Packets with a ToS value Note: When specifying the QoS map, you include only the name, not the sequence number. This allows the interface to grant QoS to many different kinds of traffic.
  • Page 356: Creating A Qos Map Entry

    Setting Up Quality of Service Marking Packets with a ToS value No matter what type of traffic you want to mark, you configure the router in the same way: Create a QoS map entry. Select the traffic to be marked. Set the QoS value.
  • Page 357 Setting Up Quality of Service Marking Packets with a ToS value Each QoS map entry can use only one set of criteria to match traffic. To match another group of traffic, you must configure another entry. Marking Traffic Already Set to a ToS Value. You can change the QoS value for packets that are already marked with an IP precedence or DiffServ value.
  • Page 358 Setting Up Quality of Service Marking Packets with a ToS value You select the traffic to be marked by matching the QoS map entry to an extended ACL. The ACL actually selects the traffic. An extended ACL can define traffic according to its source and destination IP address as well as a variety of fields in the IP, TCP, or UDP header.
  • Page 359 Setting Up Quality of Service Marking Packets with a ToS value Marking Traffic Destined to a UDP Protocol Port. It can be important to prioritize traffic to specific, well-known UDP ports. For example, you do not want user traffic to starve out customers accessing your business’s Web server.
  • Page 360: Setting The Tos Value

    Setting Up Quality of Service Marking Packets with a ToS value Marking Bridged Traffic. You can configure one or more interfaces on the ProCurve Secure Router to act as a bridge. In effect, the router extends a LAN across two or more remote sites. Traffic between hosts at the same local site obviously travels faster than traffic between hosts at different sites.
  • Page 361: Assigning The Qos Map To An Interface

    Setting Up Quality of Service Marking Packets with a ToS value Assigning the QoS Map to an Interface The QoS map does not take effect until you apply it to a logical interface. Valid interfaces include: PPP interfaces HDLC interfaces Frame Relay interfaces ATM subinterfaces demand interfaces...
  • Page 362: Overview

    Setting Up Quality of Service Configuring Rate Limiting for Frame Relay You would complete the following configurations: Create a QoS map entry for lowering the precedence for traffic with IP precedence 5: ProCurve(config)# qos map InternetConnection 10 ProCurve(config-qos-map)# match precedence 5 ProCurve(config-qos-map)# set precedence 3 Configure an ACL to select SIP signaling traffic, which travels to TCP and UDP port 5060:...
  • Page 363: Frf.12

    Setting Up Quality of Service Configuring Rate Limiting for Frame Relay Rate limiting defines the maximum amount of bandwidth a PVC is allowed to consume. You can set different rate limits for when the line is congested and when it is free. FRF.12 When running voice or other real-time, delay-sensitive applications over a Frame Relay interface, you may want to fragment Frame Relay frames.
  • Page 364: Configuring Rate Limiting

    Setting Up Quality of Service Configuring Rate Limiting for Frame Relay Configuring Rate Limiting By default, Frame Relay interfaces always forward packets at their transmission rate. However, because Frame Relay networks operate over shared lines, the network may sometimes be congested and unable to forward all the traffic the router sends it.
  • Page 365: Setting The Excessive Burst Rate

    Setting Up Quality of Service Configuring Rate Limiting for Frame Relay You can set a Bc between 0 and 4,294,967,294 bps. For example, if your SLA guarantees a CIR of 1 Mbps, enter: ProCurve(config-fr 1.101)# frame-relay bc 1000000 Setting the Excessive Burst Rate The Be sets the maximum number of additional bits, beyond the Bc, that the router can transmit during Tc.
  • Page 366: Configuring Frame Relay Fragmentation

    Setting Up Quality of Service Configuring Rate Limiting for Frame Relay The sum of the committed and excessive burst values is the upper limit for bandwidth available on the interface, which should always exceed 8000 bps. You can dedicate up to 75 percent of the available bandwidth to low-latency queues and CBWFQ classes.
  • Page 367: Configuring Qos For Ethernet

    Setting Up Quality of Service Configuring QoS for Ethernet other end, so you decide to set the maximum transmission rate to 2.048 Mbps. (You can calculate the Be by subtracting the Bc from the maximum transmission rate: 2,048,000 bits - 1,500,000 bits = 548,000 bits.) Because the Frame Relay network carries VoIP frames, you must fragment large data frames to maintain QoS for the voice traffic.
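The Bc/Be arithmetic from the rate-limiting pages above, together with the two constraints the guide attaches to it (Bc + Be must exceed 8000 bps, and no more than 75 percent of that sum may be promised to low-latency queues and CBWFQ classes), as a small planner. This is an added example, not code from the ProCurve guide. The `frame-relay bc` command is the one shown on the page; the `frame-relay be` keyword is assumed to take the Be value in the same way, and the twelve-call voice figure is constructed.

```python
"""Frame Relay rate-limit planner: Bc, Be and the priority-bandwidth ceiling."""
from typing import Dict, List

MIN_AVAILABLE_BPS = 8000     # guide: Bc + Be should always exceed 8000 bps
MAX_PRIORITY_SHARE = 0.75    # guide: up to 75 % of available bandwidth for LLQ/CBWFQ


def plan_frame_relay_shaping(cir_bps: int, max_rate_bps: int) -> Dict[str, int]:
    """Derive Bc and Be (bits per one-second Tc) for one PVC.

    cir_bps: the CIR the SLA guarantees, which becomes the Bc.
    max_rate_bps: the highest rate the circuit may carry; Be is the excess over Bc.
    """
    if cir_bps < 0 or max_rate_bps < cir_bps:
        raise ValueError("maximum transmission rate must be at least the CIR")
    bc = cir_bps                     # bits the carrier commits to deliver per Tc
    be = max_rate_bps - cir_bps      # extra bits the router may burst per Tc
    available = bc + be
    if available <= MIN_AVAILABLE_BPS:
        raise ValueError(f"Bc + Be = {available} bps does not exceed {MIN_AVAILABLE_BPS} bps")
    return {
        "bc_bits": bc,
        "be_bits": be,
        "available_bps": available,
        "max_priority_bps": int(available * MAX_PRIORITY_SHARE),
    }


def fits_priority_budget(plan: Dict[str, int], requested_bps: int) -> bool:
    """True if the sum of LLQ and CBWFQ guarantees stays within the 75 % ceiling."""
    return 0 <= requested_bps <= plan["max_priority_bps"]


def render_commands(subinterface: str, plan: Dict[str, int]) -> List[str]:
    """CLI lines for the Frame Relay subinterface (`be` keyword is an assumption)."""
    return [
        f"interface frame-relay {subinterface}",
        f" frame-relay bc {plan['bc_bits']}",
        f" frame-relay be {plan['be_bits']}",
    ]


if __name__ == "__main__":
    plan = plan_frame_relay_shaping(cir_bps=1_500_000, max_rate_bps=2_048_000)
    print(plan)
    print("\n".join(render_commands("1.101", plan)))
    voice = 12 * 82_800   # twelve G.711 calls at 82.8 Kbps on the wire (constructed)
    print("12 calls fit in the priority budget:", fits_priority_budget(plan, voice))
```

Run the check before committing `priority` and `bandwidth` values on the QoS map: a request that exceeds the ceiling is exactly the kind of mistake the guide says the interface will refuse when you try to apply the policy.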
  • Page 368: Configuring Rate Limiting On An Ethernet Interface

    Setting Up Quality of Service Configuring QoS for Ethernet Configuring Rate Limiting on an Ethernet Interface Move to the Ethernet interface configuration mode context. Set the maximum bandwidth that the Ethernet interface will transmit with this command: Syntax: traffic-shape rate <bps> You can set the bandwidth between 1000 and 100,000,000 bps (100 Mbps).
  • Page 369: Example: Configuring Qos For Voip

    Setting Up Quality of Service Example: Configuring QoS for VoIP You would enter these commands to configure the QoS policy: ProCurve(config)# ip access-list extended WebTraffic ProCurve(config-ext-nacl)# permit tcp any host 192.168.1.20 eq www ProCurve(config-ext-nacl)# exit ProCurve(config)# ip access-list extended RemoteTraffic ProCurve(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 any ProCurve(config)# qos map Outside 10 ProCurve(config-qos-map)# match ip rtp 16384 32764 all...
  • Page 370: Enabling Application-Level Gateways For Applications

    Setting Up Quality of Service Example: Configuring QoS for VoIP This organization uses general switched telephone network (GSTN) telephones that follow the G.711 standard. VoIP calls must be carried from the headquarters to each remote site. The organization anticipates that at the busiest time of day the network should support up to 12 calls.
  • Page 371: Enabling Sip Services

    Setting Up Quality of Service Example: Configuring QoS for VoIP Enabling SIP Services The VoIP application in this example uses H.323. However, if users in your network use SIP applications, then your router may need to act as a SIP proxy and registrar server.
  • Page 372: Defining Voip Traffic

    Setting Up Quality of Service Example: Configuring QoS for VoIP You should also configure your router to act as a registrar: From the global configuration mode context, enable the SIP registrar: Syntax: ip sip registrar b. Enable the proxy server to save the registration information that it receives from users to a local location database: Syntax: ip sip database local You can configure various settings for the router’s registrar functions,...
  • Page 373: Determining The Required Bandwidth

    Setting Up Quality of Service Example: Configuring QoS for VoIP One of the best solutions is to have your VoIP application mark VoIP frames with the DSCP 46 for Expedited Forwarding. (The closer to the edge a packet is marked, the better ToS packet marking functions.) You would then match packets with a DSCP 46 to the QoS map entry: ProCurve(config-qos-map)# match dscp 46 If the VoIP application cannot implement DiffServ or IP precedence, you can...
  • Page 374: Marking Signaling Traffic For Special Treatment

    Setting Up Quality of Service Example: Configuring QoS for VoIP When the connection is not congested, VoIP traffic can burst up to the 3.0 Mbps provided by the two T1 carrier lines. If your VoIP devices automatically mark signaling packets for special treatment, you can now apply the QoS map to the WAN interface.
  • Page 375: Configuring Frame Relay Rate Limiting

    Setting Up Quality of Service Example: Configuring QoS for VoIP Then configure the QoS map entry. It should have the same name as, but a different number than, the low-latency queue. For example: ProCurve(config-ext-nacl)# qos map VoiceMap 21 Match the map to the ACL and set the DiffServ value: ProCurve(config-qos-map)# match list VoiceSignaling ProCurve(config-qos-map)# set dscp 26 Finally, apply the entire QoS map to the Frame Relay interface:...
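The QoS map behaviour the VoIP example and the earlier InternetConnection example rely on (entries evaluated in sequence order, one criterion per entry, `match dscp 46` for EF voice, `match ip rtp` on the RTP port range, `set precedence 3` on precedence 5 traffic), modelled as data and evaluated against sample packets. This is an added example, not code from the ProCurve guide. It uses the IP bit layout, in which IP precedence is the upper three bits of the six-bit DSCP, so `set precedence` rewrites only those bits and leaves the drop-precedence bits alone. The packets, the EF-marking RTP entry and the 993,600 bps priority figure are constructed.

```python
"""First-match QoS map evaluation with ToS rewriting (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def precedence_of(dscp: int) -> int:
    """IP precedence = top three bits of the DSCP field."""
    return (dscp >> 3) & 0x7


def with_precedence(dscp: int, precedence: int) -> int:
    """Replace the precedence bits; keep the three low DSCP bits."""
    return ((precedence & 0x7) << 3) | (dscp & 0x7)


@dataclass(frozen=True)
class Packet:
    protocol: str   # "udp", "tcp", ...
    dst_port: int
    dscp: int       # 0-63 as carried in the IP header


@dataclass(frozen=True)
class QosMapEntry:
    sequence: int
    match_dscp: Optional[int] = None
    match_precedence: Optional[int] = None
    match_rtp: Optional[Tuple[int, int]] = None   # match ip rtp <first> <last> all
    set_dscp: Optional[int] = None
    set_precedence: Optional[int] = None
    priority_bps: Optional[int] = None            # low-latency queue guarantee

    def matches(self, pkt: Packet) -> bool:
        # Each entry carries exactly one criterion, as the guide requires.
        if self.match_dscp is not None:
            return pkt.dscp == self.match_dscp
        if self.match_precedence is not None:
            return precedence_of(pkt.dscp) == self.match_precedence
        if self.match_rtp is not None:
            first, last = self.match_rtp
            return pkt.protocol == "udp" and first <= pkt.dst_port <= last
        return False


def classify(qos_map: List[QosMapEntry], pkt: Packet) -> Tuple[Optional[int], int]:
    """Return (sequence number of the matching entry or None, DSCP after any set action)."""
    for entry in sorted(qos_map, key=lambda e: e.sequence):
        if not entry.matches(pkt):
            continue
        dscp = pkt.dscp
        if entry.set_dscp is not None:
            dscp = entry.set_dscp
        elif entry.set_precedence is not None:
            dscp = with_precedence(dscp, entry.set_precedence)
        return entry.sequence, dscp
    return None, pkt.dscp   # unmatched traffic gets default treatment


# VoiceMap: entry 20 is the low-latency queue for EF-marked voice; entry 21
# (constructed) marks RTP in the guide's port range as EF for the next hop.
VOICE_MAP = [
    QosMapEntry(20, match_dscp=46, priority_bps=993_600),
    QosMapEntry(21, match_rtp=(16384, 32764), set_dscp=46),
]

# InternetConnection entry from the guide: lower precedence 5 traffic to precedence 3.
INTERNET_MAP = [QosMapEntry(10, match_precedence=5, set_precedence=3)]


if __name__ == "__main__":
    print(classify(VOICE_MAP, Packet("udp", 20000, 0)))
    print(classify(INTERNET_MAP, Packet("udp", 5060, 46)))
```

The second call shows a side effect worth knowing when you mix `match precedence` with DSCP-marked traffic: an EF packet (DSCP 46, precedence 5) that hits a `set precedence 3` entry leaves as DSCP 30, not as DSCP 24, because only the upper three bits were rewritten.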
  • Page 376: Monitoring Qos

    Setting Up Quality of Service Monitoring QoS Configuring Frame Relay Fragmentation It does not matter how much bandwidth you guarantee a queue if other frames clog up the interface when it is their turn to be transmitted. You should enable the interface to fragment large data frames to reduce serialization delay.
  • Page 377: Viewing Qos Maps

    Setting Up Quality of Service Monitoring QoS Viewing QoS Maps When monitoring QoS on the router, you should first eliminate problems arising from misconfigurations that result in the QoS policy not being applied to the traffic at all. The following are possible scenarios: Criteria was misconfigured: examples include a miskeyed IP precedence value or misconfigured wildcard bits in an ACL.
  • Page 378: Managing Queues

    Setting Up Quality of Service Monitoring QoS You can modify a QoS map entry by entering its configuration mode context and reentering commands. You can delete a QoS map entry by entering: Syntax: no qos map <mapname> [sequence number] For example: ProCurve(config)# no qos map VoiceMap 20 You can then reconfigure the map entry.
  • Page 379: Troubleshooting Common Configuration Problems

    Setting Up Quality of Service Monitoring QoS controls the amount of traffic passed to the lower-speed WAN interfaces. Rate limiting Ethernet traffic prevents the router from receiving and processing a great number of packets that it will only have to drop. The show queue command also displays the number of currently active conversations on an interface as well as the highest number of conversations ever active at once.
  • Page 380: An Ethernet Interface Refusing To Take A Qos-Policy

    Setting Up Quality of Service Quick Start Using the percent remaining keywords helps to avoid this problem. The Secure Router OS allocates bandwidth from only that which remains after low- latency queues have been served. However, you can still make errors, so plan carefully before configuring the map.
  • Page 381: Configuring Cbwfq

    Setting Up Quality of Service Quick Start Enable WFQ and set the threshold level for how many packets each subqueue can hold (between 16 and 512): ProCurve(config-ppp 1)# fair-queue <packet threshold> Configuring CBWFQ If you plan to define classes according to the traffic's source and destination IP address, you must create an extended ACL to select the network or networks that belong to a class.
  • Page 382 Setting Up Quality of Service Quick Start Match the entry to the criterion for the class with one of the commands shown in Table 7-14. For example: ProCurve(config-qos-map)# match list Network1
    Table 7-14. QoS Map Criteria
    Criteria | Match Command
    ToS value, IP precedence | match precedence <0-7>...
  • Page 383: Configuring A Low-Latency Queue

    Setting Up Quality of Service Quick Start Assign the QoS map to the logical interface for the WAN connection on which you want to enable CBWFQ. For example: ProCurve(config)# interface ppp 1 ProCurve(config-ppp 1)# qos-policy out Class Configuring a Low-Latency Queue Create a QoS map entry to define the queue.
  • Page 384: Marking Packets

    Setting Up Quality of Service Quick Start If so desired, configure another queue. You can also configure classes for CBWFQ to be used with traffic that does not meet the criteria for low-latency queues. The map entries for the low-latency queues and the CBWFQ classes should use the same map name, but different map numbers.
  • Page 385: Configuring Frame Relay Fragmentation

    Setting Up Quality of Service Quick Start If so desired, configure another entry to mark other packets. Assign the QoS map to the logical interface that transmits the packets: ProCurve(config)# interface ppp 1 ProCurve(config-ppp 1)# qos-policy out <mapname> Configuring Frame Relay Fragmentation Enable rate limiting on a PVC: Move to the Frame Relay subinterface for the PVC: ProCurve(config)# interface frame-relay <subinterface number>...
  • Page 386 Setting Up Quality of Service Quick Start 7-74...
  • Page 387: Contents

    Virtual Private Networks Contents Overview ............8-4 VPN Tunnels .
  • Page 388 Virtual Private Networks Contents Configuring a Remote ID List for a VPN that Uses Digital Certificates ..........8-34 Mapping the Remote ID to an IKE Policy and Crypto Map Entry .
  • Page 389 Virtual Private Networks Contents Troubleshooting a VPN That Uses IPSec ......8-73 Tools and Procedures ........8-73 Troubleshooting Commands .
  • Page 390: Overview

    Virtual Private Networks Overview Overview When your organization leases dedicated lines to establish a WAN, it is guaranteed a secure, private connection. Your organization controls what networks can access the private lines. However, leasing private lines can be costly. When you establish a WAN through the Internet, you capitalize on pre- existing public connections to link networks with a minimum of expense.
  • Page 391: Ipsec Headers

    Virtual Private Networks Overview IPSec Headers Operating at the Network Layer of the Open Systems Interconnection (OSI) model, IPSec authenticates the endpoints of a tunnel by encapsulating an IP packet with an IPSec header. The IPSec header is an Authentication Header (AH), an Encapsulating Security Payload (ESP) header, or both.
  • Page 392: Hash And Encryption Algorithms

    Virtual Private Networks Overview IPSec tunnel mode, which acts at the Network Layer (Layer 3), allows a gateway device (such as a router) to provide IPSec support for many hosts. The router receives a packet already encapsulated with an IP header. It then encapsulates the IP packet with an IPSec header, adding a new IP header to direct the packet to the location where it will be processed.
  • Page 393: Ipsec Vpn Tunnels

    Virtual Private Networks Overview IPSec VPN Tunnels A private WAN connection physically defines the path between two hosts over which data can be transmitted. Only authorized hosts can exchange data because only authorized hosts have access to the physical media that transmit the data.
  • Page 394 Virtual Private Networks Overview Defining an SA Manually. You can define the IPSec SA yourself, specifying the algorithms to be used to secure data, defining the SA's SPI, and inputting the actual keys. (See "Configuring a VPN using IPSec with Manual Keying" on page 8-64.) However, because this method of configuration is relatively insecure and complex, ProCurve Networking does not recommend it.
  • Page 395 Virtual Private Networks Overview Key generation. You will recall that an algorithm is simply the set method for transforming data using a key. The key is what actually defines and secures the tunnel and it must be unique. When you use IKE, however, you only need to configure the algorithms IKE proposes in the first exchange.
  • Page 396 Virtual Private Networks Overview Figure 8-2. IKE Phase 1 Authentication. Message flow between the two routers across the Internet: one router sends its security proposals for the IKE SA and the other returns the matching proposal; both compute a Diffie-Hellman public value and exchange those values; both compute the encryption and authentication keys; finally each router sends its authentication information, encrypted, to the other.
  • Page 397 Virtual Private Networks Overview who receives the certificate first extracts the signer's (the CA's) public key and uses it to decrypt the digital signature, recovering the hash the CA computed over the certificate. It then hashes the certificate itself and compares the two values. A signature that matches the certificate testifies to the certificate's integrity.
  • Page 398 Virtual Private Networks Overview Table 8-1. IKE Phase 1 Exchanges
    IKE Phase 1 Exchange | Message Includes | You Must Configure | Reference
    security proposal | hash algorithm; encryption algorithm; authentication method; Diffie-Hellman group; IKE SA lifetime | IKE attribute policy | page 8-28
    Diffie-Hellman key | public value | —...
  • Page 399: Vpn Overlay

    Virtual Private Networks Overview Table 8-2. IKE Phase 2 Exchanges
    IKE Phase 2 Exchange | Message Includes | You Must Configure | Reference
    security proposal | one to three algorithms: AH hash, ... | transform set containing the algorithm(s); crypto map entry | page 8-40
  • Page 400: Physical Setup

    Virtual Private Networks Physical Setup GRE tunnels are commonly used to send multicasts through a network (such as the Internet) that cannot route multicast messages. For example, routing protocols such as RIP v2 and OSPF send multicast updates. A tunnel can encapsulate the updates and carry them through the network that does not support multicasts.
  • Page 401: Configuring A Vpn Using Ipsec

    Virtual Private Networks Configuring a VPN Using IPSec Configuring a VPN Using IPSec In order to establish a VPN connection, you must define how the IPSec SA is to be negotiated and with what peers. The IPSec SA can be created either manually or using IKE.
  • Page 402 Virtual Private Networks Configuring a VPN Using IPSec Table 8-3. Policies for IKE Phase 1: IKE SA Establishment (* = must match peer)
    Parameter | Options | Default | Configured in | Reference
    *hash algorithm | MD5; SHA | | IKE attribute policy | page 8-28
    *encryption algorithm | ...
  • Page 403 Virtual Private Networks Configuring a VPN Using IPSec Refer to Table 8-5 for a summary of how you configure security policies for the IPSec SA. You do not have to specify the same algorithms and other options for the IKE SA and the IPSec SA. However, you must be sure to configure IPSec proposals that match your peer’s.
  • Page 404 Virtual Private Networks Configuring a VPN Using IPSec Table 8-6. Authorized Peer ID
    Parameter | Options | Default | Configured in | Reference
    peer ID (for establishing communications) | public IP address (site-to-site); ... | no default | IKE policy; crypto map entry | page 8-24; page 8-42
  • Page 405: Configuring Ipsec With Manual Keying

    Virtual Private Networks Configuring a VPN Using IPSec Table 8-7. Configuring VPN Traffic
    Parameter | Options | Default | Configured in | Reference
    Local network(s) | subnet (IP range indicated by wildcard bits) | No default | extended ACL permit statement (source IP) | page 8-35
    Remote network(s) | subnet (IP range indicated by wildcard bits) | No default | extended ACL permit...
  • Page 406: How The Procurve Secure Router Processes Ike Policies

    Virtual Private Networks Configuring a VPN Using IPSec Table 8-9. Inbound and Outbound Manually Configured Keys
    Parameter | Options | Default | Configured in | Reference
    key protocol | AH; ESP | no default | crypto map, set session-key command | page 8-64
    | 256 to 4294967295 | no default | crypto map, set session-key | page 8-64...
  • Page 407 Virtual Private Networks Configuring a VPN Using IPSec matches the packet already exists, then the router secures the packet with the keys contained in the SA, inserts the associated SPI, and forwards the packet to its destination. [Figure: two routers connected across the Internet, the crypto map on the router and the VPN tunnel between them ...]
  • Page 408 Virtual Private Networks Configuring a VPN Using IPSec If the packet does not match an active IPSec SA, then the ProCurve Secure Router looks up the IKE policy associated with the peer specified in the entry. It uses this policy to initiate IKE with the peer, establish an IKE SA, and negotiate an IPSec SA to secure the packet.
  • Page 409: Configuration Tasks

    Virtual Private Networks Configuring a VPN Using IPSec Configuration Tasks In order to configure a VPN connection using IKE, you must: enable crypto commands configure an IKE policy configure an IKE attribute policy add an entry for the peer in a remote ID list configure a transform set specify VPN traffic in an ACL configure a crypto map entry...
  • Page 410: Peer Id

    Virtual Private Networks Configuring a VPN Using IPSec You can also alter the default settings for: initiate mode response mode IKE SA security parameters stored in the attribute policy, including: • hash algorithm • encryption algorithm • Diffie-Hellman group • authentication method To begin configuring an IKE policy, enter this command from the global configuration mode context:...
  • Page 411 Virtual Private Networks Configuring a VPN Using IPSec Figure 8-4. Peer ID: Local Router and Peer Router connected across the Internet, each with a LAN1 and a LAN2 (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24); the peer ID is the peer router's public address, 10.2.2.2. To configure Local Router shown in Figure 8-4, you should enter: ProCurve(config-ike)# peer 10.2.2.2 Even in a VPN with several sites, your ProCurve Secure Router creates an individual VPN tunnel to each site.
  • Page 412: Initiate And Response Mode

    Virtual Private Networks Configuring a VPN Using IPSec Client-to-Site Configuration. A client-to-site VPN connects mobile users (such as telecommuters) to a private network through the individual users' Internet connection. It would not be feasible for you to configure a peer ID for each mobile user, even if they all had static IP addresses.
  • Page 413 Virtual Private Networks Configuring a VPN Using IPSec Site-to-Site Configuration. Typically, you can leave the initiate and respond modes at their defaults. However, if the remote router takes a dynamic address, the local router cannot initiate IKE. To prevent the router from initiating IKE, enter: ProCurve(config-ike)# no initiate Conversely, if the WAN interface on your ProCurve Secure Router has a dynamic address, it must initiate IKE.
  • Page 414: Attribute Policy

    Virtual Private Networks Configuring a VPN Using IPSec Client-to-Site Configuration. The router cannot initiate IKE with mobile users in a client-to-site configuration. Enter the following command: ProCurve(config-ike)# no initiate Setting the respond mode to main can cause problems in a client-to-site VPN: main mode requires the peer to use an IP address for its ID, but you may need to use a different type of ID for mobile users.
  • Page 415 Virtual Private Networks Configuring a VPN Using IPSec The attribute policy is accessible only to the IKE policy in which you configure it. This means that you cannot assume IKE can propose parameters to one peer that you have configured for another peer. Table 8-12.
  • Page 416 Virtual Private Networks Configuring a VPN Using IPSec stronger security parameters. The policy for the mobile clients would include a higher-priority attribute policy for the preferred security parameters, but also an attribute policy with lower security options. [Figure: IKE SA proposals for mobile users; peer 10.2.2.1 ...]
  • Page 417: Enabling Nat-Traversal (Nat-T) For A Client-To-Site Vpn

    Virtual Private Networks Configuring a VPN Using IPSec Configure the high security IKE SA proposals in an attribute policy: ProCurve(config-ike)# attribute 10 ProCurve(config-ike-attribute)# authentication dss-sig ProCurve(config-ike-attribute)# encryption 3des ProCurve(config-ike-attribute)# lifetime 240 ProCurve(config-ike-attribute)# group 2 Configure a second set of IKE SA proposals for mobile users in a lower priority (higher index) attribute policy: ProCurve(config-ike-attribute)# attribute 20 ProCurve(config-ike-attribute)# authentication dss-sig...
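The attribute-policy mechanics described above (several `attribute <index>` blocks under one IKE policy, offered in index order so that a lower index has higher priority, and never shared with another IKE policy's peer), modelled as a phase 1 proposal selection. This is an added example, not code from the ProCurve guide. The headquarters proposals reuse the guide's values (dss-sig, 3des, lifetime 240, group 2 for `attribute 10`; des and group 1 for the weaker `attribute 20`); the hash values, the mobile-client proposals and the `"any"` peer ID for a client-to-site policy are assumptions, and taking the smaller of the two sides' lifetimes is a simplification of the real IKEv1 lifetime handling.

```python
"""IKE phase 1 proposal selection across prioritized attribute policies."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Attribute:
    """One `attribute <index>` block under an IKE policy."""
    index: int
    authentication: str   # pre-share | dss-sig | rsa-sig (the guide's example uses dss-sig)
    encryption: str       # des | 3des
    hash: str             # md5 | sha
    group: int            # Diffie-Hellman group 1 or 2
    lifetime: int         # IKE SA lifetime in seconds

    def algorithms(self) -> Tuple[str, str, str, int]:
        """The parameters that must match the peer exactly."""
        return (self.authentication, self.encryption, self.hash, self.group)


@dataclass(frozen=True)
class IkePolicy:
    peer: str                        # peer ID, or "any" for a client-to-site policy
    attributes: Tuple[Attribute, ...]

    def proposals(self) -> List[Attribute]:
        """Lowest index first: that is the order in which the proposals are offered."""
        return sorted(self.attributes, key=lambda a: a.index)


def select_policy(policies: List[IkePolicy], peer_address: str) -> Optional[IkePolicy]:
    """Pick the IKE policy whose peer ID names the remote; an "any" policy is the fallback.

    Only that policy's attribute blocks are offered, which is the guide's point that an
    attribute policy is accessible only to the IKE policy in which it was configured.
    """
    for policy in policies:
        if policy.peer == peer_address:
            return policy
    return next((p for p in policies if p.peer == "any"), None)


def negotiate(initiator: IkePolicy, responder: IkePolicy) -> Optional[Tuple[int, int, int]]:
    """Return (initiator index, responder index, agreed lifetime), or None if nothing matches."""
    for offered in initiator.proposals():
        for own in responder.proposals():
            if offered.algorithms() == own.algorithms():
                return offered.index, own.index, min(offered.lifetime, own.lifetime)
    return None


# Headquarters router: strong proposal first, weaker fallback for older clients.
HQ = IkePolicy("any", (
    Attribute(10, "dss-sig", "3des", "sha", 2, 240),
    Attribute(20, "dss-sig", "des", "sha", 1, 240),
))
# Constructed mobile clients with a single proposal each.
NEW_CLIENT = IkePolicy("10.2.2.1", (Attribute(1, "dss-sig", "3des", "sha", 2, 3600),))
OLD_CLIENT = IkePolicy("10.2.2.1", (Attribute(1, "dss-sig", "des", "sha", 1, 240),))
MD5_CLIENT = IkePolicy("10.2.2.1", (Attribute(1, "dss-sig", "3des", "md5", 2, 240),))


if __name__ == "__main__":
    hq = select_policy([HQ], "10.2.2.1")
    for name, client in (("new", NEW_CLIENT), ("old", OLD_CLIENT), ("md5", MD5_CLIENT)):
        print(name, negotiate(client, hq))
```

The fallback block is what lets the old client connect at all, but it also means any peer that only offers DES and group 1 will be accepted with those parameters; keep the weaker `attribute` only as long as such clients exist, and remove it as soon as they are upgraded.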
  • Page 418: Configuring A Peer's Remote Id And Preshared Key

    Virtual Private Networks Configuring a VPN Using IPSec If the peers discover NAT, then they encapsulate the IPSec packets in a UDP/IP header. The peer behind the NAT device should also send a one-byte UDP keepalive packet periodically, which ensures that it keeps the same NAT assignment for the duration of the VPN tunnel.
  • Page 419: Site-To-Site Configuration

    Virtual Private Networks Configuring a VPN Using IPSec Table 8-13. Remote ID Types
    Remote ID Type | Example (Figure 8-6) | Wildcard | Command Syntax
    IP address | 10.1.20.1 | 10.1.0.0 0.0.255.255 | crypto ike remote-id address <A.B.C.D> <wildcard bits>
    domain name | siteb.procurve.com | *procurve.com | crypto ike remote-id fqdn <domain name>...
  • Page 420: Client-To-Site Configuration

    Virtual Private Networks Configuring a VPN Using IPSec You should identify the peer in the way most supported by your organization’s policies. You can also use the wildcard character (*) to ease configuration. For example, if you are connecting multiple sites that all use your organiza- tion’s domain name, you might want to enter an FQDN that consists of a wildcard character and your organization’s domain name so that you only have to enter one command.
  • Page 421: Map Entry

    Virtual Private Networks Configuring a VPN Using IPSec If peers’ digital certificates use ASN-DNs, you must enter the fields exactly as they are in the certificate. You can use the wildcard character (*) for some of the fields. See Table 8-13 on page 8-33 for the command syntax for specifying the remote ID.
  • Page 422: Restricting Specified Hosts

    Virtual Private Networks Configuring a VPN Using IPSec Extended ACLs allow you to select traffic according to its source and destination IP address (among other fields in the IP header). To create an ACL that selects traffic transmitted between two networks, enter the following command: Syntax: ip access-list extended <listname>...
  • Page 423: Permitting Local And Remote Networks

    Virtual Private Networks Configuring a VPN Using IPSec Permitting Local and Remote Networks You will need to add a permit statement specifying each local network allowed to access the VPN tunnel as the source IP address. The destination depends on the type of VPN. Note: The IP addresses selected by the ACL must match the peer's configuration exactly.
  • Page 424: Applying The Acl To A Crypto Map

    Virtual Private Networks Configuring a VPN Using IPSec To permit traffic from Site A to Site B, you enter: ProCurve(config-ext-nacl)# permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255 You can also use wildcard bits to include only part of a subnet, according to topology of your VPN.
  • Page 425: Example Configuration

    Virtual Private Networks Configuring a VPN Using IPSec Example Configuration Figure 8-7 illustrates a VPN between two remote sites, each of which includes two LANs. At Site B, only one LAN is allowed in the VPN. At Site A, independent on-site contractors have been assigned addresses in VLAN 99—192.168.2.192 to 192.168.2.223.
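Both the QoS ACL on the LLQ pages (deny the email server 172.16.1.26, then permit the rest; everything not permitted is excluded) and the VPN ACLs on the pages above (permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255; exclude the contractor range 192.168.2.192 to 192.168.2.223 at Site A) depend on the same two rules: wildcard bits mark the address bits the router ignores, and statements are evaluated in order with an implicit deny at the end. This added example, which is not code from the ProCurve guide, parses statements in the guide's syntax and evaluates flows against them. The contractor deny line, the Site A permit line and the LowLatencyTraffic permit line are constructed; the guide shows only the deny statements for those lists.

```python
"""Extended ACL evaluation with wildcard bits and implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}   # keyword ports used in the guide


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Return ((base, wildcard), next token index) for: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def _covers(spec: Tuple[int, int], address: str) -> bool:
    """Wildcard bits set to 1 are 'don't care'; every other bit must equal the base."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_addr(address) & care) == (base & care)


@dataclass(frozen=True)
class Ace:
    action: str
    protocol: str
    src: Tuple[int, int]
    dst: Tuple[int, int]
    dst_port: Optional[int]

    @classmethod
    def parse(cls, line: str) -> "Ace":
        t = line.split()
        action, protocol = t[0], t[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        src, i = _parse_spec(t, 2)
        dst, i = _parse_spec(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return cls(action, protocol, src, dst, port)

    def matches(self, protocol: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return _covers(self.src, src) and _covers(self.dst, dst)


def evaluate(acl: List[str], protocol: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> str:
    """First matching statement wins; traffic that matches nothing is denied."""
    for ace in map(Ace.parse, acl):
        if ace.matches(protocol, src, dst, dst_port):
            return ace.action
    return "deny"


# From the guide: Site A 10.1.0.0-10.1.15.255 to Site B 10.1.16.0-10.1.31.255.
VPN_ACL = ["permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255"]
# Constructed after Figure 8-7: contractors on 192.168.2.192-223 stay out of the tunnel.
SITE_A_ACL = [
    "deny ip 192.168.2.192 0.0.0.31 any",
    "permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
]
# Guide's LowLatencyTraffic list: the email server is denied; the permit line is constructed.
LOW_LATENCY_ACL = ["deny ip host 172.16.1.26 any", "permit ip 172.16.1.0 0.0.0.255 any"]
# Guide's WebTraffic list.
WEB_ACL = ["permit tcp any host 192.168.1.20 eq www"]

if __name__ == "__main__":
    print(evaluate(VPN_ACL, "ip", "10.1.3.4", "10.1.20.5"))           # permit
    print(evaluate(VPN_ACL, "ip", "10.1.20.5", "10.1.3.4"))           # deny: wrong direction
    print(evaluate(SITE_A_ACL, "ip", "192.168.2.200", "192.168.3.5"))   # deny: contractor
```

The reverse-direction result is the practical reason behind the guide's note that the ACL must match the peer's configuration exactly: the Site B router needs the mirror image of this statement, with 10.1.16.0 0.0.15.255 as the source, or traffic will be selected for the tunnel at one end and rejected at the other.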
  • Page 426: Configuring Ipsec Sa Parameters

    Virtual Private Networks Configuring a VPN Using IPSec pass through the WAN interface and so receive the router's public IP address. However, only traffic from local private networks can access the VPN tunnel, so the traffic cannot reach its destination. You can force all traffic sent to a server to use the IP address of the LAN interface so that it can access the remote VPN site.
  • Page 427 Virtual Private Networks Configuring a VPN Using IPSec Specify the algorithms: If using AH, you can select: • an AH hash algorithm b. If using ESP, you can select: • an encryption algorithm • a hash algorithm (optional) If using AH and ESP, you can select: •...
  • Page 428: Crypto Maps

    Virtual Private Networks Configuring a VPN Using IPSec You complete the first four steps in a single command entered from the global configuration mode context. Refer to Table 8-14 for the exact command syntax for configuring a transform set. Enter commands such as the following: ProCurve(config)# crypto ipsec transform-set T1 ah-sha-hmac esp-3des ProCurve(config)# crypto ipsec transform-set T2 ah-md5-hmac esp-aes-128-cbc esp-sha-hmac...
  • Page 429 Virtual Private Networks Configuring a VPN Using IPSec To create a crypto map entry, enter the following command from the global configuration mode context: Syntax: crypto map <mapname> <map index> [ipsec-ike | ipsec-manual] The mapname is an alphanumeric string. You can configure a set of crypto map entries that have the same name but different map indexes, which you apply together to an interface.
  • Page 430 Virtual Private Networks Configuring a VPN Using IPSec Unlike an IKE policy, you can only set one peer for the crypto map entry. This is because the crypto map entry actually defines the VPN tunnel, and a VPN tunnel is a point-to-point connection. Note: If the remote gateway has a dynamic address, you cannot set the peer ID.
  • Page 431 Virtual Private Networks Configuring a VPN Using IPSec Traffic Carried over the VPN Tunnel. To specify which traffic will be car- ried over the VPN tunnel (in other words which networks make up the VPN), you must match the crypto map entry to an extended ACL: Syntax: match address <listname>...
  • Page 432: Applying A Crypto Map To An Interface

    Virtual Private Networks Configuring a VPN Using IPSec
    Parameter | Options (From Most to Least Secure) | Default | Command Syntax
    PFS group | Diffie-Hellman group 2; Diffie-Hellman group 1 | PFS not used | set pfs [group2 | group1]
    IPSec SA lifetime | 2560 to 536,870,912 kilobytes ... | 8 hours | set security-association lifetime [kilobytes...
  • Page 433: Granting Remote Users A Private Network Address With Ike Mode Config (Required For Client-To-Site Vpns)

    Virtual Private Networks Configuring a VPN Using IPSec You should apply the crypto map to the logical interface on which traffic will be transmitted. Typically this is the WAN interface that connects to the Internet. Valid interfaces include: PPP interfaces Frame Relay subinterfaces HDLC interfaces ATM subinterfaces Ethernet interfaces...
  • Page 434: Configuring An Ike Client Configuration Pool

    Virtual Private Networks Configuring a VPN Using IPSec The remote user requests an IP address from the ProCurve Secure Router between IKE phase 1 and phase 2 negotiations. It may also request addresses for Domain Name System (DNS) and NetBIOS Windows Internet Naming Service (WINS) servers.
  • Page 435: Applying The Pool To An Ike Policy

    Virtual Private Networks Configuring a VPN Using IPSec For example, include the entire 192.168.100.0 /24 subnet: ProCurve(config-ike-client-pool)# ip-range 192.168.100.1 192.168.100.254 Use the commands shown in Table 8-16 to configure optional configurations such as server addresses. Table 8-16. IKE Client Configuration Pools Parameter Function Command Syntax...
  • Page 436: Configuring An Xauth Server

    Virtual Private Networks Configuring a VPN Using IPSec Configuring an Xauth Server Complete the following steps:
      1. Configure an authentication, authorization, and accounting (AAA) list to tell the Xauth server which database to search for usernames and passwords.
      2. Enable the Xauth server in an IKE policy.
    If you have not already done so, you will also need to configure the local username database or RADIUS server group.
  • Page 437 Virtual Private Networks Configuring a VPN Using IPSec First, specify the IP address of the server from the global configuration mode context: Syntax: radius-server host [<A.B.C.D>| <hostname>] Syntax: tacacs-server host [<A.B.C.D>| <hostname>] You can enter either the server’s IP address or its hostname. For example: ProCurve(config)# radius-server host 10.2.3.4 You can specify more than one server.
  • Page 438 Virtual Private Networks Configuring a VPN Using IPSec
    Table 8-17. AAA List Authentication Methods
    Database Location          Keyword   Command Syntax
    router                     local     aaa authentication login <aaa listname> local
    RADIUS server or servers   group     aaa authentication login <aaa listname> group [radius | <groupname>]
    TACACS+ server or servers  group     aaa authentication login...
  • Page 439: Configuring An Xauth Host

    Virtual Private Networks Configuring a VPN Using IPSec Configuring an Xauth Host The ProCurve Secure Router can act as an Xauth host and authenticate itself to a peer that requires Xauth. Complete the following steps: Create or move to the configuration mode context of the IKE policy for the peer that requires Xauth.
  • Page 440: Using Digital Certificates (Optional)

    Virtual Private Networks Configuring a VPN Using IPSec Setting the Username, Password, and Passphrase for One-time Password (OTP) Authentication. OTP provides increased security by using a passphrase to generate a series of passwords, each of which is used only once. An attacker who intercepts an authorized VPN user's authentication exchange therefore cannot replay it to hijack the session, because the captured password is already spent.
  • Page 441 Virtual Private Networks Configuring a VPN Using IPSec When the peer receives the digital certificate, it extracts the host's public key and the hash algorithm named in the certificate. It then verifies the CA's signature with the CA's public key: it recomputes the hash over the certificate contents and checks the signature against it (for RSA, this means decrypting the signature to recover the hash the CA signed and comparing the two). A hash cannot be reversed, so the check works by recomputing it. If they match, the peer knows that no one has tampered with the certificate en route and that a CA it trusts issued it.
  • Page 442 Virtual Private Networks Configuring a VPN Using IPSec RSA is the most commonly used signature algorithm and, with an adequate key length, is considered secure. Your CA will tell you which standard it uses. You should configure this standard in the IKE attribute policy. (See the discussion of authentication methods in “IKE Phase 1”...
  • Page 443: Obtaining Digital Certificates

    Virtual Private Networks Configuring a VPN Using IPSec Obtaining Digital Certificates First, select a CA server. If your CA server supports SCEP, you must complete three steps to load the necessary certificates into the ProCurve Secure Router's operating system:
      1. Create a CA profile.
      2. Load the CA certificate.
  • Page 444 Virtual Private Networks Configuring a VPN Using IPSec For example: ProCurve(ca-profile)# enrollment url http://isakmp-test.ssh.fi/ The domain name should be fully qualified. If you do not include a program name, the router will use the default program pkiclient.exe. If you will be loading certificates manually, use this option for the command: ProCurve(ca-profile)# enrollment terminal Note: The url and terminal options are mutually exclusive, and the most recently...
  • Page 445 Virtual Private Networks Configuring a VPN Using IPSec If you are using automatic enrollment, you only need to enter the command. Then accept, at the prompt, the certificate that the OS automatically loads. Before you accept it, compare its fingerprint with the value the CA operator gave you out of band: SCEP enrollment runs over plain HTTP, so this comparison is the only thing that stops an on-path attacker from substituting a CA certificate of their own. If you are obtaining the certificate manually, follow the directions in the CLI to cut and paste the certificate into the command line.
  • Page 446 Virtual Private Networks Configuring a VPN Using IPSec The OS will then initiate a dialog with you. (See Figure 8-10.) The OS will ask you to enter any information that you have not already configured from the CA profile configuration mode context. ProCurve(config)# crypto ca enroll MyCA **** Press CTRL+C to exit enrollment request dialog.
  • Page 447: Managing Certificates

    Virtual Private Networks Configuring a VPN Using IPSec Importing a Self Certificate and CRL. You only need to complete this step if you are obtaining certificates manually. After your CA server has sent you a self certificate and CRL, you must import them into the CA profile configured on the router.
  • Page 448 Virtual Private Networks Configuring a VPN Using IPSec Viewing Certificates. You can use the show crypto ca commands to view certificates, CRLs, and CA profiles. Enter the command from the enable mode context: Syntax: show crypto ca [certificates | crls | profiles] For example: ProCurve# show crypto ca certificates The certificates option shows both CA and self certificates.
  • Page 449 Virtual Private Networks Configuring a VPN Using IPSec
    ProCurve# show crypto ca certificates
    CA Certificate
      Status: Available
      Certificate Serial Number: 012d        (use this value when deleting the certificate)
      Subject Name: /C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1
      Issuer: /C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1
      CRL Dist. Pt: /C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1
      Start date is Jan 9 16:25:15 2003 GMT...
  • Page 450: Configuring A Vpn Using Ipsec With Manual Keying

    Virtual Private Networks Configuring a VPN Using IPSec For example, to delete the self certificate shown in Figure 8-12, enter: ProCurve(config)# crypto ca certificate chain MyCA ProCurve(config-cert-chain)# no certificate 3f9fdcd9 Note: The Secure Router OS uses the commands in the certificate chain command set to load certificates.
  • Page 451: Configuring The Transform Set

    Virtual Private Networks Configuring a VPN Using IPSec For these reasons, you are advised to always use IKE with IPSec. However, if you are establishing a VPN with a site that does not support IKE, you will have to use manual keying. To maintain security and reduce the chance of misconfigurations, you should only use manual keying to connect two sites managed by the same IT staff.
  • Page 452 Virtual Private Networks Configuring a VPN Using IPSec You must select at least one algorithm. You can select one each of an AH hash, ESP encryption, or an ESP hash algorithm. (See Table 8-19.) For example, enter: ProCurve(config)# crypto ipsec transform-set T1 ah-md5-hmac esp-3des esp-sha-hmac See “Transform Sets”...
  • Page 453: Configuring Crypto Maps For Manual Ipsec

    Virtual Private Networks Configuring a VPN Using IPSec
    Table 8-20. Key Lengths for Standard Algorithms
    Algorithm  Minimum Key Length in Bits  Minimum Key Length in Hex Bytes
    AES        128                         16
               192                         24
               256                         32
    3DES       ...
    Configuring Crypto Maps for Manual IPSec You define the IPSec SA in a crypto map entry.
  • Page 454 Virtual Private Networks Configuring a VPN Using IPSec Each crypto map entry should include one inbound and one outbound key for the protocol(s) selected in the associated transform sets. If you have selected more than one transform set, then the key must meet the longest minimum length requirement.
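The two rules on this page, that every manual SA needs an inbound and an outbound key for each selected protocol and that the key must meet the longest minimum length among the transform sets, are easy to get wrong by hand. The following checker is an added example, not code from the manual or from HP: it takes the transform-set keywords exactly as the router's crypto ipsec transform-set command spells them, derives the minimum encryption and authentication key sizes (the AES rows from Table 8-20; the DES, 3DES, HMAC-MD5 and HMAC-SHA-1 sizes are the standard ones), and validates the hex keys an administrator intends to enter. The sample transform sets and keys are constructed for the example.

```python
import re

# Minimum key size in bytes for each transform-set keyword (standard algorithm
# key sizes; Table 8-20 gives the AES rows).  esp-null needs no key at all.
ENCRYPTION_KEY_BYTES = {
    "esp-des": 8, "esp-3des": 24, "esp-aes-128-cbc": 16,
    "esp-aes-192-cbc": 24, "esp-aes-256-cbc": 32, "esp-null": 0,
}
AUTH_KEY_BYTES = {
    "ah-md5-hmac": 16, "ah-sha-hmac": 20, "esp-md5-hmac": 16, "esp-sha-hmac": 20,
}

# Constructed sample: two transform sets on one manual crypto map entry.
SAMPLE_TRANSFORM_SETS = [
    ["ah-md5-hmac", "esp-3des", "esp-sha-hmac"],
    ["esp-aes-256-cbc", "esp-md5-hmac"],
]
# Constructed sample keys (32 and 20 bytes); real keys come from a CSPRNG.
SAMPLE_ENC_KEY = ("3f9fdcd9" "a1b2c3d4" "e5f60718" "293a4b5c"
                  "6d7e8f90" "01122334" "45566778" "8990aabb")
SAMPLE_AUTH_KEY = "0badf00d" "1e55cafe" "2b3c4d5e" "6f708192" "a3b4c5d6"


def required_key_bytes(transform_sets):
    """Return (encryption, authentication) minimum key sizes in bytes.

    With several transform sets on one entry the key must satisfy the longest
    minimum among them, so take the maximum for each role.
    """
    enc_min = auth_min = 0
    for transforms in transform_sets:
        for keyword in transforms:
            if keyword in ENCRYPTION_KEY_BYTES:
                enc_min = max(enc_min, ENCRYPTION_KEY_BYTES[keyword])
            elif keyword in AUTH_KEY_BYTES:
                auth_min = max(auth_min, AUTH_KEY_BYTES[keyword])
            else:
                raise ValueError(f"unknown transform keyword: {keyword}")
    return enc_min, auth_min


def is_weak(hex_key):
    """Heuristic: a key made of one repeated byte or a short repeated pattern."""
    raw = bytes.fromhex(hex_key)
    for period in range(1, len(raw) // 2 + 1):
        if len(raw) % period == 0 and raw == raw[:period] * (len(raw) // period):
            return True
    return False


def check_manual_keys(transform_sets, encryption_key_hex, authentication_key_hex):
    """Return a list of problems; an empty list means the keys are acceptable."""
    enc_min, auth_min = required_key_bytes(transform_sets)
    problems = []
    for role, key, minimum in (
        ("encryption", encryption_key_hex, enc_min),
        ("authentication", authentication_key_hex, auth_min),
    ):
        if minimum == 0:
            continue  # esp-null, or no hash selected: this role needs no key
        if not key:
            problems.append(f"{role}: key required ({minimum} bytes)")
        elif not re.fullmatch(r"[0-9A-Fa-f]+", key) or len(key) % 2:
            problems.append(f"{role}: key must be an even-length hex string")
        elif len(key) // 2 < minimum:
            problems.append(f"{role}: {len(key) // 2} bytes supplied, need at least {minimum}")
        elif is_weak(key):
            problems.append(f"{role}: key is a repeated pattern; generate it from a CSPRNG")
    return problems


if __name__ == "__main__":
    print(required_key_bytes(SAMPLE_TRANSFORM_SETS))
    print(check_manual_keys(SAMPLE_TRANSFORM_SETS, SAMPLE_ENC_KEY, SAMPLE_AUTH_KEY))
    print(check_manual_keys(SAMPLE_TRANSFORM_SETS, "1234" * 8, SAMPLE_AUTH_KEY))
```

Run the checker once for the inbound pair and once for the outbound pair; both sites must enter the same values, so the same check applies at each end. The weak-pattern test is deliberately simple: it catches the "1234..." style placeholder keys that tend to survive from lab configurations into production, which the sample figure on the next page happens to use.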
  • Page 455: Example Configuration

    Virtual Private Networks Configuring a VPN Using IPSec [Figure: example manual-keying configuration. Site A router 10.10.10.1 with LAN1 192.168.1.0/24 and Site B router 10.10.10.2 with LAN2 192.168.2.0/24 are connected across the Internet. Each direction has its own SPI and key pair, SPI 2222 (encryption key 1234..., authentication key 1212...) and SPI 1111 (encryption key 9876..., authentication key 2121...), and the same SPI and key values are configured at both sites.]
  • Page 456: Monitoring A Vpn

    Virtual Private Networks Monitoring a VPN Monitoring a VPN You can monitor the VPN tunnels supported on your router. Enter this enable mode command to view all active SAs: Syntax: show crypto [ike | ipsec] sa Enter the ike keyword to view IKE SAs, which are open only temporarily to allow peers to negotiate a VPN connection securely.
  • Page 457 Virtual Private Networks Monitoring a VPN If you determine that a VPN connection has been established that should not have been, you can enter one of these enable mode commands to terminate it: Syntax: clear crypto ipsec sa entry <A.B.C.D> [ah | esp] <SPI> Syntax: clear crypto ipsec sa peer <A.B.C.D>...
  • Page 458 Virtual Private Networks Monitoring a VPN
    Table 8-22. VPN show Commands
    View                                              Command Syntax
    all IKE SAs                                       show crypto ike sa
    all IPSec SAs                                     show crypto ipsec sa
    all IPSec SAs to a specific peer                  show crypto ipsec sa address <A.B.C.D>
    all IPSec SAs established with a specific ...     show crypto ipsec sa map <mapname>...
  • Page 459: Troubleshooting A Vpn That Uses Ipsec

    Virtual Private Networks Troubleshooting a VPN That Uses IPSec Troubleshooting a VPN That Uses IPSec When you have correctly configured a VPN, it should quickly go up. You can verify that the VPN has been established by pinging a location on the remote network from the local network.
  • Page 460: Troubleshooting Commands

    Virtual Private Networks Troubleshooting a VPN That Uses IPSec the local router’s settings for this VPN connection exactly match those of the peer. If you are unable to learn the peer’s settings, you can try using default settings to connect to the peer in the fifth step. Troubleshooting Commands The tools you will use as you follow this procedure are the show and debug commands, which are enable mode commands.
  • Page 461: Checking Wan Connections

    Virtual Private Networks Troubleshooting a VPN That Uses IPSec Checking WAN Connections Before you waste time searching through convoluted configurations for an error, you should verify that your connection to the Internet (or other public network) is up. Check that the Physical (Layer 1) connection is good and the Data Link (Layer 2) state is open.
  • Page 462: Monitoring The Ike Process Using Debug Commands

    Virtual Private Networks Troubleshooting a VPN That Uses IPSec Syntax: show ip access-list <listname> Review the ACL, looking for miskeyed entries or problems with the wildcard bits. Remember that for a client-to-site VPN, the destination should be the network in the IKE client configuration pool. See Chapter 5: Applying Access Control to Router Interfaces for more information on how to correctly con- figure an extended ACL.
  • Page 463 Virtual Private Networks Troubleshooting a VPN That Uses IPSec
    Message                    Possible Problem                     Best Next Step
    IkeGetPreSharedKey failed  invalid authentication information   Double-check your preshared key with your peer.
    IKEIDWaitProcess                                                Double-check the ID in the remote ID list and verify that it matches the peer's.
  • Page 464 Virtual Private Networks Troubleshooting a VPN That Uses IPSec When you scan debug messages for clues to the source of a problem, pay particular attention to messages that indicate the step that IKE is performing. You can then determine what settings you need to modify. You will learn more about specific problems and debug messages in the following pages.
  • Page 465 Virtual Private Networks Troubleshooting a VPN That Uses IPSec
    Table 8-26. Debug Messages
    Messages Associated with IKE Phase 1 Problems   Messages Associated with IKE Phase 2 Problems
    IKEDeleteIsakmpSA                               IKEFindIPSecSAbySPI
    IANA for protocol: Isakmp                       IANA for protocol: IPSec
    Once you have determined which IKE phase is causing your problem, you should move to “Comparing VPN Policies”...
  • Page 466: Comparing Vpn Policies

    Virtual Private Networks Troubleshooting a VPN That Uses IPSec To change the initiate mode for IKE, move to the IKE policy configuration mode context and enter: Syntax: initiate [main | aggressive] Invalid Authentication Information. If IKE sends or receives main mode message 5 again and again, it is unable to authenticate the peer.
  • Page 467 Virtual Private Networks Troubleshooting a VPN That Uses IPSec
    2005.08.13 14:20:49 1: Sent out first message of main mode
    2005.08.13 14:20:49 <POLICY: 1> PAYLOADS: SA,PROP,TRANS,VID,VID,VID
    2005.08.13 14:20:49 SA PAYLOAD
    2005.08.13 14:20:49 DOI: 1
    2005.08.13 14:20:49 Situation: 1...
    (“Sent” indicates that these are the local router's policies.)
  • Page 468 Virtual Private Networks Troubleshooting a VPN That Uses IPSec
    Table 8-28. TRANSFORM ATTRIBUTES (IKE SA Security Proposals)
    SA Attribute       Value Options              Remote Setting   Router Options   Local Setting Configuration
    Group Description  DH Group 1; DH Group 2; ...                 1; 2; ...        IKE attribute policy: ...
  • Page 469 Virtual Private Networks Troubleshooting a VPN That Uses IPSec When IKE cannot progress past quick mode message 1, it is unable to negotiate the IPSec SA. If possible, have your peer attempt to initiate a connection with you. In this way you can search through the debug messages for the peer’s IPSec SA proposal and determine which settings do not match local settings.
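Reading several screens of debug crypto ike output by eye is slow, and the manual's advice reduces to a small set of rules: the markers in Table 8-26 and the preceding table tell you which phase failed, a repeating main mode message 5 means the peer cannot be authenticated, and a repeating quick mode message 1 means the IPSec SA proposal is being rejected. The triage script below is an added example, not a tool shipped with the router, that applies those rules to captured debug lines. The marker strings are the ones the manual lists; the wording of the per-message progress lines other than "Sent out first message of main mode" is an assumption, and the sample log is constructed.

```python
import re
from collections import Counter

# Phase 1 markers from the manual's tables, with the next step each one suggests.
PHASE1_HINTS = {
    "IkeGetPreSharedKey failed": "preshared key rejected: double-check it with the peer",
    "IKEIDWaitProcess": "ID problem: check the remote ID list entry against the peer's ID",
    "IKEDeleteIsakmpSA": None,
    "IANA for protocol: Isakmp": None,
}
PHASE2_MARKERS = ("IKEFindIPSecSAbySPI", "IANA for protocol: IPSec")
# Assumed wording for the progress lines (the manual shows only the first one).
PROGRESS = re.compile(r"(?:Sent out|Received) (\w+) message of (main|aggressive|quick) mode")
ORDINAL = {"first": 1, "second": 2, "third": 3, "fourth": 4, "fifth": 5, "sixth": 6}

# Constructed sample: a site-to-site tunnel whose preshared key is wrong.
SAMPLE_DEBUG = """\
2005.08.13 14:20:49 1: Sent out first message of main mode
2005.08.13 14:20:49 <POLICY: 1> PAYLOADS: SA,PROP,TRANS,VID,VID,VID
2005.08.13 14:20:50 1: Received second message of main mode
2005.08.13 14:20:50 1: Sent out third message of main mode
2005.08.13 14:20:51 1: Received fourth message of main mode
2005.08.13 14:20:51 1: Sent out fifth message of main mode
2005.08.13 14:20:56 1: Sent out fifth message of main mode
2005.08.13 14:21:01 1: Sent out fifth message of main mode
2005.08.13 14:21:06 IkeGetPreSharedKey failed
2005.08.13 14:21:06 IKEDeleteIsakmpSA
2005.08.13 14:21:06 IANA for protocol: Isakmp
""".splitlines()


def triage(debug_lines, repeat_threshold=3):
    """Classify a debug capture as a phase 1 or phase 2 problem and list next steps."""
    phase_hits = Counter()
    progress = Counter()
    hints = []
    for line in debug_lines:
        for marker, hint in PHASE1_HINTS.items():
            if marker in line:
                phase_hits["phase 1"] += 1
                if hint and hint not in hints:
                    hints.append(hint)
        if any(marker in line for marker in PHASE2_MARKERS):
            phase_hits["phase 2"] += 1
        m = PROGRESS.search(line)
        if m:
            progress[(m.group(2), ORDINAL.get(m.group(1), 0))] += 1
    main5_stuck = progress[("main", 5)] >= repeat_threshold
    quick1_stuck = progress[("quick", 1)] >= repeat_threshold
    if main5_stuck:
        hints.append("main mode message 5 repeats: authentication of the peer is failing "
                     "(preshared key, remote ID or certificate)")
    if quick1_stuck:
        hints.append("quick mode message 1 repeats: IPSec SA proposal rejected; compare "
                     "transform set, mode, lifetime and PFS with the peer")
    if quick1_stuck or phase_hits["phase 2"] > phase_hits["phase 1"]:
        phase = "phase 2"
    elif phase_hits["phase 1"] or progress:
        phase = "phase 1"
    else:
        phase = "unknown"
    return {"phase": phase, "hints": hints}


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(result["phase"])
    for hint in result["hints"]:
        print(" -", hint)
```

Paste the debug output into a file and feed its lines to triage(); the repeat threshold exists because a single retransmission is normal on a lossy link, while three in a row is the "again and again" the manual describes.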
  • Page 470 Virtual Private Networks Troubleshooting a VPN That Uses IPSec Table 8-29 and Table 8-30 show where in the local router’s running-config you can find the settings that should match the IPSec security policies proposed by the peer. Table 8-29. IANA Transform ID Message Value Options Remote Setting...
  • Page 471 Virtual Private Networks Troubleshooting a VPN That Uses IPSec
    SA Attribute  Value Options         Remote Setting   Setting in the Running-Config                                        Options Local Setting
    Life Type     seconds; kilobytes                     crypto map <mapname> <mapindex> set security-association lifetime    kilobytes; seconds
    Life Time     ...
  • Page 472: Returning Vpn Policies To Their Defaults

    Virtual Private Networks Troubleshooting a VPN That Uses IPSec You can compare the peer’s settings to yours in two ways: Initiate a connection with the peer and view the debug messages with the local proposals View the VPN configurations on the local router for the connection To view the configuration on the local router, you can view the running-config as shown above in 8-17.
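Tables 8-28 through 8-30 are, in effect, a mapping from each attribute in the peer's proposal to the place in the local running-config where it is set. The comparator below is an added example, not part of the manual or the router software: it models the negotiation as "first local proposal, in local preference order, that the peer also offers" and, when nothing matches, reports the closest pair of proposals, the attributes that differ, and where to change each one. The IPSec rows use the crypto map and transform-set commands shown in this chapter; the IKE attribute-policy sub-command names are an assumption, and the sample proposals are constructed.

```python
# Where each negotiated attribute is configured on the local router.
WHERE_TO_FIX = {
    "ike": {  # sub-command names under the attribute policy are assumed
        "encryption": "crypto ike policy <n> > attribute <n> > encryption",
        "hash": "crypto ike policy <n> > attribute <n> > hash",
        "auth_method": "crypto ike policy <n> > attribute <n> > authentication",
        "dh_group": "crypto ike policy <n> > attribute <n> > group",
        "lifetime": "crypto ike policy <n> > attribute <n> > lifetime",
    },
    "ipsec": {
        "transform": "crypto ipsec transform-set <setname> (AH/ESP algorithm keywords)",
        "auth_alg": "crypto ipsec transform-set <setname> (esp-md5-hmac | esp-sha-hmac)",
        "mode": "crypto ipsec transform-set <setname> > mode [tunnel | transport]",
        "life_type": "crypto map <mapname> <mapindex> > set security-association lifetime",
        "life_time": "crypto map <mapname> <mapindex> > set security-association lifetime",
        "pfs_group": "crypto map <mapname> <mapindex> > set pfs",
    },
}

# Constructed samples: the local router prefers AES-256 but also offers 3DES;
# the peer (as seen in its debug proposal) offers 3DES with MD5.
SAMPLE_LOCAL_IKE = [
    {"encryption": "aes-256", "hash": "sha", "auth_method": "pre-share", "dh_group": 2, "lifetime": 28800},
    {"encryption": "3des", "hash": "sha", "auth_method": "pre-share", "dh_group": 2, "lifetime": 28800},
]
SAMPLE_PEER_IKE = [
    {"encryption": "3des", "hash": "md5", "auth_method": "pre-share", "dh_group": 2, "lifetime": 28800},
]
SAMPLE_LOCAL_IPSEC = [
    {"transform": "esp-3des", "auth_alg": "esp-sha-hmac", "mode": "tunnel",
     "life_type": "seconds", "life_time": 28800, "pfs_group": None},
]
SAMPLE_PEER_IPSEC = [
    {"transform": "esp-3des", "auth_alg": "esp-sha-hmac", "mode": "tunnel",
     "life_type": "seconds", "life_time": 28800, "pfs_group": 2},
]


def negotiate(kind, local_proposals, peer_proposals):
    """Return ("match", proposal) for the first local proposal the peer also offers.

    Otherwise return ("mismatch", report): for the closest local/peer pair, each
    differing attribute with both values and the command that sets it locally.
    """
    for local in local_proposals:
        if local in peer_proposals:
            return "match", local
    best = None
    for local in local_proposals:
        for peer in peer_proposals:
            diffs = sorted(k for k in set(local) | set(peer) if local.get(k) != peer.get(k))
            if best is None or len(diffs) < len(best[0]):
                best = (diffs, local, peer)
    if best is None:
        return "mismatch", []  # nothing to compare on one side
    diffs, local, peer = best
    return "mismatch", [
        {"attribute": k, "local": local.get(k), "peer": peer.get(k),
         "fix": WHERE_TO_FIX[kind].get(k, "unknown attribute")}
        for k in diffs
    ]


if __name__ == "__main__":
    for kind, local, peer in (("ike", SAMPLE_LOCAL_IKE, SAMPLE_PEER_IKE),
                              ("ipsec", SAMPLE_LOCAL_IPSEC, SAMPLE_PEER_IPSEC)):
        status, detail = negotiate(kind, local, peer)
        print(kind, status, detail)
```

Fill the peer dictionaries from the "Received" side of the debug output and the local ones from show running-config; when the report names a weak setting on the peer (MD5, DES), the right fix is still on the peer, not a downgrade of the local policy.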
  • Page 473 Virtual Private Networks Troubleshooting a VPN That Uses IPSec Return the crypto map settings to the defaults: ProCurve(config-crypto map)# no set pfs ProCurve(config-crypto map)# no set security-association lifetime Try to ping the remote location from the local network. If the connection goes up, you know that you had a problem with the security policies.
  • Page 474: Quick Start

    Virtual Private Networks Quick Start Quick Start This section provides the commands you must enter to quickly configure: a site-to-site VPN a client-to-site VPN digital certificates Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 8-1 to locate the section and page number that contains the explanation you need.
  • Page 475 Virtual Private Networks Quick Start
    Parameters                   Options                                            Obtain Setting From   Your Setting
    IKE SA encryption algorithm  DES; 3DES; AES 128-bit; AES 192-bit; AES 256-bit  match peer
    IKE SA lifetime              60 to 86,400 seconds                               match peer
    IPSec SA proposals           ...
  • Page 476: Configuring A Site-To-Site Vpn

    Virtual Private Networks Quick Start
    Parameters        Options              Obtain Setting From                                                                Your Setting
    crypto mapname    alphanumeric string  same name for every entry establishing a connection on the same interface
    crypto map index  number 0 to 65,535   different index number for every entry establishing a connection to a different site
    [Figure: site-to-site example topology; the local router's address is 10.2.2.2...]
  • Page 477 Virtual Private Networks Quick Start
    Create an IKE policy:
    Syntax: crypto ike policy <IKE policynumber>
    Configure the initiate mode:
    Syntax: [no] initiate [main | aggressive]
    For example: ProCurve(config-crypto-ike)# initiate aggressive
    If the peer has a dynamic address, set the mode to no initiate. When both peers have static addresses, prefer main mode: aggressive mode sends the identities and the preshared-key-derived hash before the exchange is encrypted, which lets anyone who captures the exchange attempt offline guessing of the preshared key.
    Set the peer ID or peer IDs:
    Syntax: peer [any | <peer A.B.C.D>]
    Create an attribute policy:...
  • Page 478 Virtual Private Networks Quick Start
    • ESP protocol:
      Syntax: crypto ipsec transform-set <setname> [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
    • AH and ESP protocol:
      Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac] [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
    Note that esp-null applies no encryption at all, so it protects integrity only when paired with an ESP hash and never provides confidentiality; DES and MD5 are the weakest choices in each list and should be used only when the peer supports nothing stronger.
    11.
  • Page 479 Virtual Private Networks Quick Start
    16. You can associate the crypto map entry with the IKE policy configured for the remote peer.
        Syntax: ike-policy <policy number>
    17. Assign up to six transform sets to the crypto map entry:
        Syntax: set transform-set <setname1> [<setname2>] [<setname3>] [<setname4>] [<setname5>] [<setname6>]
    18.
  • Page 480: Configuring A Client-To-Site Vpn

    Virtual Private Networks Quick Start • distinguished name (with digital certificates only): Syntax: crypto ike remote-id asn1-dn <distinguished name> [ike-policy <pol- icy number>] [crypto map <mapname> <map sequence>] You can use the * wildcard character to configure a remote ID that matches multiple remote peers.
  • Page 481 Virtual Private Networks Quick Start
    Parameters                                                                  Options                        Obtain Setting From      Your Setting
    IKE mode config poolname                                                    alphanumeric string            —
    range of private addresses for IKE mode config to assign to mobile users    first A.B.C.D; last A.B.C.D    organizational policy
    DNS server(s) for IKE mode config (optional)                                A.B.C.D                        organizational policy
  • Page 482 Virtual Private Networks Quick Start
    Parameters                                                            Options                          Obtain Setting From   Your Setting
    ESP authentication algorithm (optional, unless you select ESP null)   MD5; SHA-1                       match peer
    IPSec SA lifetime type                                                kilobytes; seconds               match peer
    IPSec SA lifetime in kilobytes (optional)                             2560 to 536,870,912 kilobytes    match peer
  • Page 483 Virtual Private Networks Quick Start
    Create an IKE policy:
    Syntax: crypto ike policy <IKE policynumber>
    For example: ProCurve(config)# crypto ike policy 10
    Prevent the router from initiating IKE: ProCurve(config-crypto-ike)# no initiate
    Set the peer ID: ProCurve(config-crypto-ike)# peer any
    Apply the IKE client pool to the IKE policy:
    Syntax: client configuration pool <poolname>...
  • Page 484 Virtual Private Networks Quick Start
    • AH and ESP protocol:
      Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac] [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac]
    15. Set the mode to tunnel: ProCurve(cfg-crypto-trans)# mode tunnel
    16.
  • Page 485 Virtual Private Networks Quick Start
    20. Assign up to six transform sets to the crypto map entry:
        Syntax: set transform-set <setname1> [<setname2>] [<setname3>] [<setname4>] [<setname5>] [<setname6>]
    21. Apply the ACL to the crypto map entry:
        Syntax: match address <ACL listname>
    22.
  • Page 486: Obtaining Digital Certificates

    Virtual Private Networks Quick Start Use the wildcard character (*) to make the remote ID entry apply to multiple mobile users. This allows you to use the same IKE policy to respond to all mobile users. 25. Apply the crypto map to the WAN interface that connects to the Internet. Move to the logical interface configuration mode context and enter: Syntax: crypto map <mapname>...
  • Page 487: Contents

    Configuring a Tunnel with Generic Routing Encapsulation Contents Overview ............9-2 GRE Tunnels .
  • Page 488: Overview

    Configuring a Tunnel with Generic Routing Encapsulation Overview Overview The ProCurve Secure Router supports tunneling using Generic Routing Encapsulation (GRE). GRE is a tunneling protocol, carried directly in IP as protocol number 47, that encapsulates packets of higher-level protocols inside IP so that the intervening network sees only ordinary IP traffic. Routers use GRE to send traffic through an intervening network that does not support such traffic.
  • Page 489: Advantages And Disadvantages Of Gre

    Configuring a Tunnel with Generic Routing Encapsulation Overview For example, on the ProCurve Secure Router, a GRE tunnel can:
      • transit multicast routing protocols, such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), through the Internet
      • transit any multicast messages, such as those for a video stream
      • transit traffic through a network that uses the same IP addresses (useful for integrating sites that use overlapping addresses)
    GRE is often used in conjunction with IPSec.
  • Page 490: Configuring Gre

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Configuring GRE To configure a GRE tunnel on the ProCurve Secure Router, you must:
      • create a tunnel interface
      • configure the tunnel source and destination endpoints
      • assign the tunnel an IP address
    To restrict what the tunnel carries, you can also configure a tunnel key and specify the traffic allowed to access the tunnel. Bear in mind that the key travels in cleartext in the GRE header, so it identifies the tunnel and screens out stray packets; it does not authenticate the remote endpoint or protect the traffic. For confidentiality and integrity, run the GRE tunnel over IPSec...
  • Page 491: Configuring The Tunnel Source

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE When a packet arrives on the tunnel interface, GRE encapsulates it with a GRE header. This header includes a field identifying the encapsulated packet’s protocol. GRE next encapsulates the GRE header with another IP header. This is the delivery header: it directs the packet through the tunnel to the remote endpoint.
  • Page 492: Configuring The Tunnel Destination

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE The IP address that you enter is the address that the delivery IP header will include as the source address. If you enter an interface, the IP header will include the address of that interface. The interface must be configured with an IP address before you can use it as the tunnel source.
  • Page 493: Configuring The Tunnel's Ip Address

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Configuring the Tunnel’s IP Address The IP address for the tunnel interface places the tunnel in a local network. To configure the address, enter this command from the tunnel interface configuration mode context: Syntax: ip address <A.B.C.D>...
  • Page 494: Sending Routing Updates Over The Tunnel

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Note: To eliminate recursive routing, the actual tunnel destination must be routed through a logical interface, not through the tunnel interface. Sending Routing Updates over the Tunnel Enable the routing protocol on the network on which the tunnel interface has its IP address.
  • Page 495: Sending Multicasts Over The Tunnel

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Enable OSPF on the local networks, including the tunnel’s network: ProCurve(config)# router ospf ProCurve(config-ospf)# network 192.168.1.0 0.0.0.255 area 0 ProCurve(config-ospf)# network 192.168.10.0 0.0.0.3 area 0 Sending Multicasts over the Tunnel You can configure Protocol Independent Multicast-Sparse Mode (PIM-SM) on the tunnel interface to tunnel multicasts through the Internet.
  • Page 496: Sending All Traffic To A Network Over The Tunnel

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Sending all Traffic to a Network over the Tunnel You can add a static route to the destination network through the tunnel. From the global configuration mode context, enter: Syntax: ip route <destination A.B.C.D> <subnet mask | /prefix length> tunnel <inter- face number>...
  • Page 497: Filtering Traffic That Arrives On The Tunnel

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Filtering Traffic that Arrives on the Tunnel You can restrict certain traffic from entering the tunnel by applying an access control policy (ACP). For example, you might want only traffic sent from a multicasting video streamer to be able to access the router through the tunnel.
  • Page 498: Enabling Checksum Verification

    Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Enabling Checksum Verification A router can include a checksum in outgoing packets' GRE headers. A checksum is a value computed from the contents of a packet, and is often based on the sum of the bits. It detects accidental corruption in transit only; an attacker who alters a packet can recompute the checksum, so it is not an integrity control in the security sense.
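To make the encapsulation, key and checksum sections concrete, here is an added example, written for this page and not taken from the router software, that builds and parses a GRE header the way RFC 2784 and RFC 2890 define it: a 16-bit flags/version word, the protocol type of the encapsulated packet, then the optional checksum, key and sequence fields in that order. The receive side verifies the checksum before trusting any other field and rejects a packet whose key does not match the configured one, which is the behaviour the troubleshooting section on the next pages tells you to check for. The inner IPv4 header is constructed (its own checksum is left zero) and the key value is arbitrary.

```python
import struct
from collections import namedtuple

# GRE header flag bits (RFC 2784/2890).  The delivery IP header that wraps this
# carries protocol number 47.
GRE_CHECKSUM = 0x8000
GRE_KEY = 0x2000
GRE_SEQUENCE = 0x1000
ETHERTYPE_IPV4 = 0x0800

GreResult = namedtuple("GreResult", "error protocol key payload")

# Constructed inner packet: a 20-byte IPv4 header, 192.168.1.1 -> 192.168.2.1,
# protocol UDP, header checksum left at zero because it is only test payload.
SAMPLE_INNER = bytes.fromhex("450000140001000040110000c0a80101c0a80201")


def ones_complement_checksum(data):
    """Internet checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, protocol=ETHERTYPE_IPV4, key=None, checksum=False):
    """Prepend a GRE header; the checksum covers the GRE header plus payload."""
    flags = (GRE_CHECKSUM if checksum else 0) | (GRE_KEY if key is not None else 0)
    header = struct.pack("!HH", flags, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        # Computed with the checksum field zeroed, then written into bytes 4-5.
        packet = packet[:4] + struct.pack("!H", ones_complement_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet, expected_key=None):
    """Strip the GRE header, verifying checksum and key; errors are returned, not raised."""
    if len(packet) < 4:
        return GreResult("truncated", None, None, None)
    flags, protocol = struct.unpack("!HH", packet[:4])
    header_len = 4 + sum(4 for bit in (GRE_CHECKSUM, GRE_KEY, GRE_SEQUENCE) if flags & bit)
    if len(packet) < header_len:
        return GreResult("truncated", protocol, None, None)
    offset = 4
    if flags & GRE_CHECKSUM:
        # With the checksum in place, the sum over the whole packet is all ones,
        # so its complement must come out as zero.
        if ones_complement_checksum(packet) != 0:
            return GreResult("bad checksum", protocol, None, None)
        offset += 4
    key = None
    if flags & GRE_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_SEQUENCE:
        offset += 4  # sequence number is parsed past but not enforced here
    if expected_key is not None and key != expected_key:
        return GreResult("key mismatch", protocol, key, None)
    return GreResult(None, protocol, key, packet[offset:])


if __name__ == "__main__":
    wire = gre_encapsulate(SAMPLE_INNER, key=0xABCD, checksum=True)
    print(wire.hex())
    print(gre_decapsulate(wire, expected_key=0xABCD))
    print(gre_decapsulate(wire, expected_key=0x1234).error)
```

Flip any byte of the encapsulated packet and the decapsulation reports "bad checksum"; change the expected key and it reports "key mismatch", the same two failure modes the show interfaces counters on the tunnel surface as dropped packets. Because both the key and the checksum are visible and recomputable by anyone on the path, neither stops a deliberate injection, which is why the manual pairs GRE with IPSec when the tunnel crosses the Internet.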
  • Page 499: Troubleshooting Gre Configuration

    Configuring a Tunnel with Generic Routing Encapsulation Troubleshooting GRE Configuration Troubleshooting GRE Configuration You can use the show interfaces command to view:
      • the status of the tunnel (up or down)
      • the tunnel's IP address
      • packets transmitted and received over the tunnel
    To track packets as the tunnel encapsulates and sends or receives and decapsulates them, use this enable mode command: Syntax: debug interface tunnel...
  • Page 500: The Router Does Not Receive Traffic Through The Tunnel

    Configuring a Tunnel with Generic Routing Encapsulation Troubleshooting GRE Configuration The Router Does Not Receive Traffic through the Tunnel Enter the show interfaces command and double-check the tunnel key. You should check the IP routing table and determine whether any traffic is being sent through the tunnel.
  • Page 501: Quick Start

    Configuring a Tunnel with Generic Routing Encapsulation Quick Start Quick Start This section provides the commands you must enter to quickly configure a GRE tunnel and use it to carry routing updates. Only minimal explanation is provided. If you need additional information about any of these options, check “Contents”...
  • Page 502 Configuring a Tunnel with Generic Routing Encapsulation Quick Start Enable the routing protocol on the network on which the tunnel has its IP address (not its source address):
    a. If you are using RIP, enter: ProCurve(config)# router rip
       Syntax: network <A.B.C.D> <subnet mask>
       For example: ProCurve(config-rip)# network 192.168.10.0 255.255.255.0
    b.
  • Page 503: Contents

    Configuring Multicast Support for a Stub Network Contents Overview ........... . . 10-2 Multicast Applications .
  • Page 504: Overview

    Configuring Multicast Support for a Stub Network Overview Overview This overview describes IP multicasting and Internet Group Management Protocol (IGMP). The overview then explains how the ProCurve Secure Router can support multicasting by running either Protocol Independent Multicast-Sparse Mode (PIM-SM), which is a multicast routing protocol, or IGMP proxy.
  • Page 505: Ip Multicasting

    Configuring Multicast Support for a Stub Network Overview IP multicasting allows hosts to send messages to multiple hosts simultaneously. Hosts join multicast host groups to become eligible to receive specific multicasts. The ProCurve Secure Router supports the routing of such multicasts using either PIM-SM or IGMP proxy.
  • Page 506: Multicast Addresses

    Configuring Multicast Support for a Stub Network Overview [Figure 10-2. Multicasting: on Network 1 (192.168.1.0/24) a packet with destination 232.0.0.10 travels from a switch through the router to a second switch.] Multicast Addresses The destination address in the IP header of a multicast message is the multicast address. Only hosts that have joined the group for this multicast address receive the message.
  • Page 507: Multicast Routing Protocols

    Configuring Multicast Support for a Stub Network Overview IGMP IGMP helps a router to determine which host groups have members in which networks so that the router can properly forward multicast messages. Some multicast routing protocols (including the protocol supported on the ProCurve Secure Router) suppress multicasts unless a router or network specifically requests them.
  • Page 508: Igmp Queries

    Configuring Multicast Support for a Stub Network Overview [Figure 10-4. Multicasting with IGMP: a multicast packet for Group 99 passes through the router and switches.] IGMP Queries On the ProCurve Secure Router, you enable an interface to act as a multicast agent when you do one of the following:
      • configure the interface as a multicast stub downstream interface
      • enable PIM-SM on the interface
    The multicast agent broadcasts IGMP queries to all hosts, asking them to...
  • Page 509: Multicast Routing Protocols

    Configuring Multicast Support for a Stub Network Overview Hosts send their IGMP reports to the multicast address rather than simply to the multicast agent. When the other hosts in the group receive this report, they cancel the report they would otherwise send out. In this way, the multicast agent should receive one, and only one, report for each multicast address for which a host group exists on a stub network.
  • Page 510: Igmp Proxy

    Configuring Multicast Support for a Stub Network Overview tured, unidirectional path. However, a router running IGMP proxy cannot establish different routes for different multicast groups. It must receive all multicasts on the same incoming, or upstream, interface. In addition, a router running IGMP proxy cannot transit multicast traffic.
  • Page 511 Configuring Multicast Support for a Stub Network Overview The device at the helper address considers the upstream interface to be a multicast host that is a member of every group to which at least one host in the stub networks belongs. [Figure: IGMP reports for Group 99 from hosts on the stub networks are proxied upstream as a single membership.]
  • Page 512: Configuring Igmp Proxy For Multicast Stub Routing Support

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Configuring IGMP Proxy for Multicast Stub Routing Support You should not use IGMP proxy for multicast support unless your ProCurve Secure Router acts as a stub router. (Even when your router is a stub router, it can be a good idea to enable a multicast routing protocol such as PIM-SM.) A stub router is a router in a stub network.
  • Page 513: Enabling Ip Multicast Routing

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support You can also: have the router stack join an IGMP group alter IGMP intervals (for experienced administrators only) Enabling IP Multicast Routing The ProCurve Secure Router must implement multicast routing to keep track of which interfaces forward packets destined to certain multicast addresses.
  • Page 514: Determining Which Interfaces Are Downstream And Which

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support For example, to set the helper address for the router in Figure 10-6, you would enter: ProCurve(config)# ip mcast-stub helper-address 10.1.1.2 Note: The router must know a route to the helper address.
  • Page 515: Configuring A Downstream Interface

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Configuring a Downstream Interface First, move to the configuration mode context for the interface: Syntax: interface <interface ID> For example: ProCurve(config)# int eth 0/1 A downstream interface typically should perform three functions:
      • IGMP multicast agent: send IGMP queries and listen for IGMP messages
      • IGMP proxy: forward IGMP messages to a remote multicast server
      • multicast forwarding: forward multicast messages if the corresponding...
  • Page 516: Enabling Igmp Proxy

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Enabling IGMP Proxy If you want a stub network to receive multicast messages from a remote network, you must enable IGMP proxy on the interface connecting to the stub network.
  • Page 517: Configuring An Upstream Interface

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Configuring an Upstream Interface An upstream interface is a forwarding helper interface: an interface through which the router reaches the helper address. The multicast server considers the upstream interface to be the multicast host.
  • Page 518: Adding The Router Stack To A Multicast Group

    Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support The router at the remote endpoint removes the GRE header from the packet and forwards the multicast packet through the correct interfaces to members of the multicast host group. You can configure the tunnel interface as an upstream interface.
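The upstream/downstream model described across these pages has a small number of rules: downstream interfaces collect IGMP reports, the upstream interface reports the union of those memberships as if it were a single host, multicast arriving on the upstream interface is replicated only to downstream interfaces that have a member, and the proxy never transits multicast between stub networks. The class below is an added example, not code from the router, that models exactly those rules so you can predict what show ip igmp groups and the upstream membership should look like for a given set of reports. Interface names and group addresses are constructed; the exclusion of the 224.0.0.0/24 link-local range follows the standard rule that routers never forward those groups.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # never forwarded or proxied


class IgmpProxyStub:
    """Stub router running IGMP proxy: one upstream interface toward the helper
    address and any number of downstream interfaces facing stub networks."""

    def __init__(self, upstream, downstreams):
        self.upstream = upstream
        # per-downstream-interface set of groups with at least one member
        self.members = {iface: set() for iface in downstreams}

    @staticmethod
    def _group(address):
        group = ipaddress.ip_address(address)
        if group not in MULTICAST:
            raise ValueError(f"{address} is not a multicast address")
        return group

    def report(self, iface, address):
        """Record an IGMP membership report.  Returns False (ignored) when the
        report did not arrive on a downstream interface."""
        group = self._group(address)
        if iface not in self.members:
            return False
        self.members[iface].add(group)
        return True

    def leave(self, iface, address):
        """Drop a membership after a leave (or after queries go unanswered)."""
        if iface in self.members:
            self.members[iface].discard(self._group(address))

    def upstream_memberships(self):
        """Groups the router reports on the upstream interface as if it were a
        host: the union of all downstream memberships, minus link-local groups."""
        union = set().union(*self.members.values())
        return sorted(str(g) for g in union if g not in LINK_LOCAL)

    def forward(self, in_iface, address):
        """Interfaces a multicast packet is replicated to.  Only packets that
        arrive on the upstream interface are forwarded, and only to downstream
        interfaces with a member; stub-to-stub multicast is not transited."""
        group = self._group(address)
        if in_iface != self.upstream or group in LINK_LOCAL:
            return []
        return sorted(iface for iface, groups in self.members.items() if group in groups)


if __name__ == "__main__":
    stub = IgmpProxyStub("ppp 1", ["eth 0/1", "eth 0/2"])
    stub.report("eth 0/1", "239.1.1.99")
    stub.report("eth 0/2", "239.1.1.99")
    stub.report("eth 0/2", "232.0.0.10")
    print(stub.upstream_memberships())
    print(stub.forward("ppp 1", "239.1.1.99"), stub.forward("eth 0/1", "239.1.1.99"))
```

If a host on a stub network is not receiving a stream, compare this model's forward() output for the group with the interfaces the router actually lists: an empty result for an upstream-sourced packet means no report reached the downstream interface, which is the first case the troubleshooting section below walks through.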
  • Page 519 Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Although the default settings are usually adequate, you can alter IGMP inter- vals. For example, in a network with relatively stable group memberships, you may determine that routers are sending too many IGMP messages. In that case, you could raise the IGMP query interval.
  • Page 520 Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Interval: query timeout; Function: Only one router on a subnet acts as the designated ...; Default: 2 times the query interval; Range: 60 to 300 seconds; Command Syntax: ip igmp querier-timeout <seconds>...
  • Page 521: Troubleshooting Multicast Stub Routing And Igmp

    Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP Troubleshooting Multicast Stub Routing and IGMP This section gives strategies for troubleshooting multicast support on the stub router only. If you determine that a problem originates on one of the remote routers running the multicast routing protocol, then you must troubleshoot that router and protocol.
  • Page 522: Procedure For Troubleshooting Multicast Stub Routing

    Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP Table 10-2. Multicast and IGMP Troubleshooting Commands. View: group memberships stored on the router; Command Syntax: show ip igmp groups; Displays: • multicast address •...; Function: verify that the router knows that a group exists on a network
  • Page 523 Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP If the interface in question does not have the group membership, the router will not forward the multicasts into the network. The lack of the entry could stem from several sources: •...
  • Page 524 Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP If the correct group membership exists, then the router should know to forward multicast messages into the host’s network. You should verify that the router is receiving the multicast messages. View the status of the upstream interface with the show interfaces command and check that it is receiving multicast packets.
  • Page 525: Quick Start

    Configuring Multicast Support for a Stub Network Quick Start If the table does not exist, multicast routing may not be enabled. You must enable multicast routing in order for downstream interfaces to forward multicast messages. Enter: ProCurve(config)# ip multicast-routing Make sure that you have configured an upstream interface. View the portion of the running config for the upstream interface (for example, enter show run int ppp 1) and look for ip mcast-stub upstream.
  • Page 526 Configuring Multicast Support for a Stub Network Quick Start (Information Required / Setting / Your Setting) upstream interfaces: interface ID: • Ethernet interface – <slot> – <port> • WAN interface: – <interface type> – <interface number>; IGMP version: 1 or 2; Group 1 Multicast 1 Multicast 1 Multicast...
  • Page 527 Configuring Multicast Support for a Stub Network Quick Start Move to the configuration mode context of the downstream interface. (See Figure 10-8.) Syntax: interface <interface ID> Enable IGMP and multicast forwarding. ProCurve(config-eth 0/1)# ip mcast-stub downstream Enable IGMP proxy to the helper address. ProCurve(config-eth 0/1)# ip mcast-stub helper-enable If so desired, configure another downstream interface.
  • Page 528 Configuring Multicast Support for a Stub Network Quick Start 10-26...
  • Page 529: Contents

    Configuring Multicast Support with PIM-SM Contents Overview ........... . . 11-3 Multicast Trees .
  • Page 530 Configuring Multicast Support with PIM-SM Contents Specifying When the Router Switches to the SP Tree ... 11-35 Forcing the Router to Use the RP Tree Permanently ... . 11-36 Changing an Interface’s DR Priority .
  • Page 531: Overview

    Configuring Multicast Support with PIM-SM Overview Overview In order to receive multicast packets from one network and route them to hosts in different networks, a router must implement a multicast routing protocol. The ProCurve Secure Router supports Protocol Independent Multicast-Sparse Mode (PIM-SM).
  • Page 532: Multicast Trees

    Configuring Multicast Support with PIM-SM Overview An entry in the multicast routing table lists connections to downstream routers and networks as outgoing interfaces and the connection to the upstream router as the incoming interface. A router only accepts a multicast packet if it arrives on the appropriate incoming interface.
  • Page 533: Sp Tree

    Configuring Multicast Support with PIM-SM Overview these sources may change. In addition, when hosts join a multicast group, they do not know the address of the source. Sources and receivers need a common point at which to discover each other, and the RP provides this point. The DR of each subnet forwards join/prunes toward the RP so that the RP can begin forwarding multicasts to the appropriate routers as soon as a source begins transmitting.
  • Page 534: Multicast Routing Table

    Configuring Multicast Support with PIM-SM Overview The process for switching from an RP to an SP tree will be described in more detail in “Switching from an RP to an SP Tree” on page 11-9. Multicast Routing Table Just as a unicast routing table has an entry for each unicast destination address to which the router can forward traffic, a multicast routing table has an entry for every multicast group for which the router must transit traffic.
  • Page 535 Configuring Multicast Support with PIM-SM Overview Each entry includes a list of outgoing interfaces. Unlike a unicast routing table entry, a multicast table entry can include multiple forwarding, or outgoing, interfaces. Because a multicast address applies to all hosts that have joined the multicast group, and because these hosts may be in different networks, the router may copy packets destined to a single multicast address and route them out multiple interfaces.
  • Page 536: Joining A Shared Or Rp Tree

    Configuring Multicast Support with PIM-SM Overview Although (S, G) entries relate to SP trees, routers that are only part of an RP tree can also store special (S, G) entries with the RP-bit set. These entries prune downstream neighbors from the RP tree for multicasts from a specific source, but allow the neighbors to remain in the RP tree for traffic from other sources for the group.
  • Page 537: Switching From An Rp To An Sp Tree

    Configuring Multicast Support with PIM-SM Overview [Figure 11-2. Joining a Shared, or RP, Tree: labels IGMP Join, (*, G) Join, Multicast host, Router C, Router B, RP tree, Router A—RP] Switching from an RP to an SP Tree Once a router begins to receive a multicast stream along the RP tree, it can change to an SP tree.
  • Page 538 Configuring Multicast Support with PIM-SM Overview The RP follows this process to generate an SP tree to the source. (See Figure 11-3): A source registers with the RP and the RP generates an SP tree to draw the multicast traffic towards itself and down the RP tree. The RP initially receives encapsulated multicast traffic from a new source in unicast register packets.
  • Page 539 Configuring Multicast Support with PIM-SM Overview [Figure panels: “A source registers with the RP” and “The RP joins SP tree”; labels Router B (RP for Group X), Multicast Source of Group X, Router A, Router C (Intermediate), Router D (Edge router), Host Y, RP Tree]...
  • Page 540: Edge Routers

    Configuring Multicast Support with PIM-SM Overview ProCurve# show ip mroute IP Multicast Routing Table Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set Timers: Uptime/Expires [callout: The (*, G) entry] (*, 239.255.255.1), 01:10:32/00:00:00, RP 10.1.1.1, Flags: SJ...
  • Page 541 Configuring Multicast Support with PIM-SM Overview The router creates the (S, G) entry, but continues to accept traffic from the RP tree. An (S, G) entry’s SPT-bit signals that the router is using the SP tree exclusively. When the router first creates the (S, G) entry, it clears the SPT-bit so that the multicast stream will not be disrupted while the SP tree is established.
  • Page 542: A Source's Dr

    Configuring Multicast Support with PIM-SM Overview The router receives multicasts on the SP tree. As soon as the original router receives a packet on the incoming interface for the (S, G) entry, it sets the entry’s SPT-bit, signaling that the SP tree is active.
  • Page 543: Building Rp And Sp Trees When The Source Begins Multicasting First

    Configuring Multicast Support with PIM-SM Overview The DR continues forwarding multicasts over the SP tree. Figure 11-6 shows the multicast routing table of a ProCurve Secure Router acting as the DR for a source. ProCurve# show ip mroute IP Multicast Routing Table Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set,...
  • Page 544: A Host Joins A Group After Routers Have Already Switched To An Sp Tree

    Configuring Multicast Support with PIM-SM Overview Although the RP creates the (S, G) entry, because the entry’s outgoing interface list is null, the RP does not send a join for the SP tree. The RP also sends a register-stop to the source’s DR. The DR stops sending the encapsulated multicasts.
  • Page 545: Rp Selection

    Configuring Multicast Support with PIM-SM Overview RP Selection When a router adds an entry for a new group to its multicast routing table, it must determine the RP for that group. The router searches its RP set for up to four routers that can support that group. An RP set includes the IP address of every router allowed to become an RP and the multicast groups that each router can support.
  • Page 546: Pim-Sm Packets

    Configuring Multicast Support with PIM-SM Overview [Figure 11-7. Static RP Selection: RP sets on Router A, Router B and Router C, each listing Router A 244.0.0.0 7.255.255.255 and Router B Any] Note: Because you must configure exactly the same RP set on each router in the domain, attempts to assign specific routers to specific groups can lead to...
  • Page 547 Configuring Multicast Support with PIM-SM Overview If the router is sending the packet to its RP to either join or withdraw from the group’s RP tree, the join or prune list contains a wildcard entry with the RP’s address. An exception to this rule occurs when a router withdraws from an RP tree in order to join an SP tree.
  • Page 548 Configuring Multicast Support with PIM-SM Overview If a group’s prune list includes the specific source, the router deletes (or schedules for deletion) the interface from the corresponding (S, G) entry’s outgoing interface list. Receiving (S, G) RP-bit Prunes. The prune list for a group may include a specific source marked with an RP-bit.
  • Page 549 Configuring Multicast Support with PIM-SM Overview If the upstream neighbor is itself part of the SP tree, it prunes the downstream router from its branch of the SP tree. If the upstream neighbor is not part of the SP tree, it creates an (S, G) RP-bit entry to prune the downstream router from its RP tree.
  • Page 550 Configuring Multicast Support with PIM-SM Overview When such a router receives an (S, G) RP-bit prune, it deletes the interface on which it received the packet from its (S, G) entry’s outgoing interface list. This action removes the downstream router from the upstream router’s branch of the SP tree.
  • Page 551 Configuring Multicast Support with PIM-SM Overview Table 11-1. Triggered Join/Prune Packets. Event: • The router receives an IGMP join for a new or inactive group. •...; Action: The router joins the RP tree.; Packet Includes: join for the group with a wildcard source; Sent to: upstream RP neighbor
  • Page 552 Configuring Multicast Support with PIM-SM Overview Event: The router receives multicast traffic on its SP tree.; Action: If the SP incoming interface is different from the RP incoming interface, the router sets the SPT-bit for the (S, G) entry.; Packet Includes: prune for the group with a specific source address (RP-bit set); Sent to: upstream RP neighbor
  • Page 553: Register Packets

    Configuring Multicast Support with PIM-SM Overview For example, Router A has an entry for (*, 239.255.1.1) with incoming interface PPP 1, outgoing interface Ethernet 0/2, and RP 192.168.1.1. Router A periodically sends a join/prune packet on PPP 1 which contains an entry for multicast group 239.255.1.1.
  • Page 554: Register-Stop Packets

    Configuring Multicast Support with PIM-SM Overview Register-Stop Packets After an RP begins receiving multicasts on the SP tree, it no longer needs the register packets. The RP sends register-stops to the DR for the source, instructing the DR to stop sending the encapsulated traffic. Register-stops are triggered when the RP has an (S, G) with the SPT-bit set and receives a register packet.
  • Page 555 Configuring Multicast Support with PIM-SM Overview [Figure: Redundant Multicasts / Asserts Sent; Network 10.1.1.0/24; Multicast Source 10.10.10.10, Group 239.255.1.1; Router A Multicast Routing Table entry (10.10.10.10, 239.255.1.1), Incoming: PPP1, Outgoing: Eth 0/1; Router B, Router C, ISDN, Internet]...
  • Page 556: Configuring Pim-Sm

    Configuring Multicast Support with PIM-SM Configuring PIM-SM Configuring PIM-SM To configure PIM-SM on a router, you must: enable PIM-SM on router interfaces specify the RP PIM-SM relies on RPF to determine upstream neighbors. The protocol works with whatever routing methods the router uses, including: static routing Routing Internet Protocol (RIP) Open Shortest Path First (OSPF)
  • Page 557: Enabling Pim-Sm

    Configuring Multicast Support with PIM-SM Configuring PIM-SM Enabling PIM-SM You must enable PIM-SM on every interface that connects to a network in the PIM domain. These networks include: LAN networks with hosts that may join the multicast groups LAN networks through which multicast traffic must transit WAN networks through which multicast traffic will travel between remote sites The Layer 2 interfaces on the ProCurve Secure Router that support PIM-SM...
  • Page 558: Configuring A Static Rp Set

    Configuring Multicast Support with PIM-SM Configuring PIM-SM From the PIM sparse configuration mode context, you can: specify static RPs change the threshold for switching to an SP tree force the router to use the RP tree permanently change the interval at which the router sends periodic join/prune messages Configuring a Static RP Set An RP for a multicast group forms the root of that group’s RP tree.
  • Page 559: Specifying Static Rps That Support All Groups

    Configuring Multicast Support with PIM-SM Configuring PIM-SM For the simplest configuration, and the configuration least prone to errors, you should allow all RPs to support any group. There is no reason to configure different RPs for various groups unless you expect these conditions to be true: only certain areas of the network will use certain groups having a router act as RP for groups expected in its area will significantly decrease bandwidth usage...
  • Page 560 Configuring Multicast Support with PIM-SM Configuring PIM-SM You should only use this option if your organization has a particular reason for doing so. Usually, since routers immediately switch to an SP tree, the location of the RP is not as important as it may seem. However, if you force routers to use the RP tree permanently, the location of the RP in the network topology becomes more important.
  • Page 561 Configuring Multicast Support with PIM-SM Configuring PIM-SM streamer in Figure 11-11 is the only source that sends traffic to 239.255.255.1. You could associate Router A with this single group when you configure the static RP set on each router in the WAN. [Figure 11-11: PIM-SM, Router B, Multicast...]
  • Page 562 Configuring Multicast Support with PIM-SM Configuring PIM-SM For example, you want Router 1 to be RP for all multicast groups except for group 239.255.255.1, which will be used in only one section of the network. You would configure the ACL for Router 1 to exclude the specific group: ProCurve(config-std-nacl)# deny host 239.255.255.1 You would then enter a permit statement to allow all multicast addresses...
  • Page 563: Specifying When The Router Switches To The Sp Tree

    Configuring Multicast Support with PIM-SM Configuring PIM-SM Specifying When the Router Switches to the SP Tree After a source registers with the RP, the RP builds an SP tree to the source. The RP can then distribute multicast traffic from this source to routers in the RP tree.
  • Page 564: Forcing The Router To Use The Rp Tree Permanently

    Configuring Multicast Support with PIM-SM Configuring PIM-SM Forcing the Router to Use the RP Tree Permanently A router’s SP tree is tailored to be the best connection between the router and a specific source, and you should almost always allow your ProCurve Secure Router to use this tree as soon as it can.
  • Page 565: Changing Pim-Sm Timers

    Configuring Multicast Support with PIM-SM Configuring PIM-SM You only need to set a priority on interfaces on multi-access networks. On the ProCurve Secure Router, these are Ethernet interfaces and subinterfaces. To specify the priority, move to the interface configuration mode context and enter: Syntax: ip pim-sparse dr-priority <value>...
  • Page 566: Join/Prune Period

    Configuring Multicast Support with PIM-SM Configuring PIM-SM Table 11-2. PIM-SM Timers. Timer: join/prune period; Meaning: time between sending periodic join/prunes; Command Syntax: join-prune-msg-interval <seconds>; Configured From: PIM configuration mode context; Range: 10 to 65535 seconds; Default: 60 seconds. Timer: hello timer; Meaning: time between sending ...; Command Syntax: ip pim-sparse hello-...; Configured From: Ethernet or WAN...
  • Page 567: Hello Timer

    Configuring Multicast Support with PIM-SM Configuring PIM-SM Hello Timer Routers transmit periodic hellos through PIM interfaces to signal that the connection is still active. The hello-timer option determines how often an interface sends a hello. The router also uses this setting to compute the hello holdtime, which it includes in hello packets to instruct neighbors how long to wait for the next hello before removing the connection from any outgoing interface lists.
  • Page 568: Configuration Examples

    Configuring Multicast Support with PIM-SM Configuring PIM-SM pruning the interface is determined by the sum of the override timer and the propagation delay. Take care in altering these timers; they should match on all neighboring routers so that one router does not delete an entry too soon. Configuration Examples This section guides you through the process of configuring PIM-SM in several simplified scenarios.
  • Page 569 Configuring Multicast Support with PIM-SM Configuring PIM-SM You should configure PIM-SM on each router interface in the network. Because all sources are at the headquarters, you decide to configure the HQ WAN router as the single RP. Figure 11-13 shows the running-config for the HQ WAN router (showing only the sections of the configuration necessary for PIM-SM).
  • Page 570 Configuring Multicast Support with PIM-SM Configuring PIM-SM Configure a routing protocol. In this example, the network uses OSPF. The headquarters is the network backbone (area 0), Site A is stub area 1, and Site B is stub area 2. Note that routers in these areas receive summaries for inter-area traffic, not a default route.
  • Page 571 Configuring Multicast Support with PIM-SM Configuring PIM-SM hostname "HQRouter" ip multicast-routing interface loop 1 ip address 10.1.63.1 255.255.255.0 no shutdown interface eth 0/1 ip address 10.1.1.1 255.255.255.0 ip pim sparse-mode no shutdown interface eth 0/2 ip address 10.1.32.1 255.255.255.0 ip pim sparse-mode no shutdown interface t1 1/1 tdm-group 1 timeslots 1-24 speed 64...
  • Page 572 Configuring Multicast Support with PIM-SM Configuring PIM-SM You would need to make the same configurations on the WAN routers at Site A and Site B. Figure 11-14 shows the running-config for the Router at Site A. hostname "RouterA" ip multicast-routing interface loop 1 ip address 10.1.66.10...
  • Page 573: Specific Groups

    Configuring Multicast Support with PIM-SM Configuring PIM-SM hostname "RouterA" ip multicast-routing ip mcast-stub helper-address 10.1.64.1 interface eth 0/1 ip address 10.1.65.1 255.255.255.0 ip mcast-stub downstream ip mcast-stub helper-enable no shutdown interface t1 1/1 tdm-group 1 timeslots 1-24 speed 64 no shutdown interface fr 1 point-to-point frame-relay lmi-type ansi no shutdown...
  • Page 574 Configuring Multicast Support with PIM-SM Configuring PIM-SM [Figure 11-16. Example 2 Network: Site A, Site B, HQ Router, Router A, Router B, Router C, Router D, multicast sources; addresses shown: 10.1.66.10, 10.1.129.2, 10.1.66.0/24, 10.1.32.0/30, 10.1.63.1, 10.1.62.2, 10.1.1.0/30, 10.1.20.0/24] To configure the HQ WAN router, you would follow these steps: Follow steps 1 through 6 described in Example 1 to configure all router interfaces, to enable Layer 2 interfaces to run PIM-SM, and to configure the routing protocol.
  • Page 575 Configuring Multicast Support with PIM-SM Configuring PIM-SM The LAN at Site A supports a multicast server transmitting to 239.255.255.1. Configure an ACL that permits Router A (10.1.66.10) to support only this multicast group: HQRouter(config)# ip access-list standard rp3 HQRouter(config-std-nacl)# permit host 239.255.255.1 Configure the RP set: HQRouter(config)# router pim-sparse HQRouter(config-pim-sparse)# rp-address 10.1.63.1 access-group rp1...
  • Page 576: Troubleshooting Pim-Sm

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Troubleshooting PIM-SM When hosts are not receiving multicasts, you must determine where the traffic is going astray. Because PIM-SM relies on unidirectional trees, you should first troubleshoot the router that directly connects to the hosts, then proceed to the next hop upstream router until you find the point at which the traffic is disrupted.
  • Page 577: Flags

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM ProCurve# show ip mroute IP Multicast Routing Table Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set [callout: Legend for entry flags] Timers: Uptime/Expires (*, 239.255.255.1), 01:06:23/00:00:00, RP 10.1.1.1, Flags: SCJ [callout: (*, G) entry for the...
  • Page 578: First Line Of A Multicast Routing Table Entry

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Flag Name: Join SPT; Meaning: • For a (*, G) entry on an RP, the RP will generate an SP tree for group traffic immediately after a ...; Valid for Entry Type: • (*, G) •...
  • Page 579 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM ProCurve# show ip mroute IP Multicast Routing Table Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set Timers: Uptime/Expires [callout: (*, G) entry] (*, 239.255.255.1), 01:06:23/00:00:00, RP 10.1.1.1, Flags: SCJ...
  • Page 580: Incoming Interface

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Table 11-4. Flags in Typical Multicast Routing Table Entries Flags Meaning (*, G) entry The router is an edge router for this group. (*, G) entry Typically, the router is RP for this group. (*, G) entry Typically, the router is RP for this group, and it also connects directly to hosts that are members of this group.
  • Page 581: Outgoing Interface List

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM A router should never have an (S, G) entry without an incoming interface. ProCurve# show ip mroute IP Multicast Routing Table Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set Timers: Uptime/Expires...
  • Page 582: Viewing Pim-Sm Information

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM The outgoing interface list for an (S, G) RP-bit entry includes the interfaces that connect to routers that have not joined an SP tree and still need multicasts from the shared RP tree. (See Figure 11-21.) ProCurve# show ip mroute IP Multicast Routing Table Flags:...
  • Page 583 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Table 11-5. PIM-SM show Commands. View: • intervals for sending join/prune packets • SPT threshold; Command Syntax: show ip pim-sparse. View: interfaces running PIM: • interface status • DR for the interface’s network •...; Command Syntax: show ip pim-sparse interface
  • Page 584: Pim-Sm Troubleshooting Process

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Table 11-6. PIM-SM debug Commands (View: Command Syntax). all messages: debug ip pim-sparse; assert messages: debug ip pim-sparse assert; hellos: debug ip pim-sparse hello; PIM join and prunes: debug ip pim-sparse joinprune; detailed information in PIM messages: debug ip pim-sparse packets; registers and register-stops: debug ip pim-sparse register...
  • Page 585 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM If you see the group that you are troubleshooting in the list of group memberships, move to step 3. If the list of group memberships does not include necessary groups, then you must troubleshoot IGMP. Remember that you should enable PIM on LAN interfaces in order for those interfaces to run IGMP.
  • Page 586 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM If the multicast routing table does have an entry for the group in question, view the list of outgoing interfaces in this entry. If the local interface that connects to the network experiencing the problems is not in this list, then the router will not forward multicasts to it.
  • Page 587 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM ProCurve# show ip mroute IP Multicast Routing Table Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set Timers: Uptime/Expires [callout: (*, G) entry for the] (*, 239.255.255.1), 00:41:58/00:03:22, RP 10.1.1.1, Flags: SCJ...
  • Page 588 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM This table must include an explicit route to the RP or source (depending on the type of entry) in order for the router to determine the incoming interface for a multicast entry. You must either enable a routing protocol on the router or configure a static route to each RP and network that may include a multicast source.
  • Page 589: Neighbors

    Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM You can also enter show ip pim-sparse traffic to verify that the router is sending join/prune messages. If you want to see the actual messages being sent then you must use the debug ip pim-sparse joinprune command as shown in Figure 11-27.
  • Page 590 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Troubleshooting RP Sets. When a router does not receive multicast traffic from its upstream neighbors, one of the most likely problems is that the local router and its upstream neighbors have incompatible RP sets. If neighbors select different RPs for a group, the upstream router ignores joins for that group from the downstream router.
  • Page 591 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Enter this command from the CLI of the router that is using the wrong RP to view its RP set: ProCurve# show ip pim-sparse rp-set Compare this RP set to that configured on a neighboring router that has selected the correct RP.
  • Page 592 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM RouterA# show ip pim-sparse rp-set Group address Static-RP-address ----------------------------------- 10.1.1.1 10.1.1.2 10.3.3.2 RouterA# show access-lists Standard IP access list rp1 permit host 239.255.255.1 (1 matches) Standard IP access list rp2 deny host 239.255.255.1 (1 matches) permit 224.0.0.0 15.255.255.255 (3 matches) permit 224.0.0.0 7.255.255.255 (0 matches) Standard IP access list rp3...
  • Page 593 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM Note the difference in Router B’s ACL for the RP at 10.1.1.2. On Router B, this RP only supports the half of all possible multicast groups (224.0.0.0 through 231.255.255.255) rather than all of the groups. Figure 11-32 shows which RPs Router A and B have actually selected for each active group.
  • Page 594 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM RouterA# show ip pim-sparse rp-set Group address Static-RP-address ----------------------------------- 10.1.1.1 10.1.1.2 10.3.3.2 RouterA# show access-lists Standard IP access list rp1 permit host 239.255.255.1 (1 matches) Standard IP access list rp2 deny host 239.255.255.1 (1 matches) permit 224.0.0.0 15.255.255.255 (3 matches) permit 224.0.0.0 7.255.255.255 (0 matches) Remove this...
  • Page 595 Configuring Multicast Support with PIM-SM Troubleshooting PIM-SM RouterA# show ip pim-sparse rp-set Group address Static-RP-address ----------------------------------- 10.1.1.2 10.3.3.2 RouterA# show access-lists Extended IP access list rp1 permit ip any 224.0.0.0 7.255.255.255 (0 matches) Extended IP access list rp2 permit ip any 232.0.0.0 7.255.255.255 (1 matches) The IP address for the multicast host address should be in the source position.
  • Page 596: Quick Start

    Configuring Multicast Support with PIM-SM Quick Start Quick Start This section provides the commands you must enter to quickly configure PIM-SM for multicast routing. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 11-1 to locate the section and page number that contains the explanation you need.
  • Page 597 Configuring Multicast Support with PIM-SM Quick Start You can also prohibit the router from using SP trees at all. Enter this command from the PIM sparse configuration mode context: Syntax: spt-threshold infinity You can configure different RPs to support different multicast groups. Configure the address or range of addresses for groups that the RP should support in a standard ACL.
  • Page 598 Configuring Multicast Support with PIM-SM Quick Start 11-70...
  • Page 599 Link Layer Discovery Protocol Contents Overview ........... . . 12-2 LLDP .
  • Page 600: Lldp Messages

    Link Layer Discovery Protocol Overview Overview Routing protocols allow routers to learn about each other dynamically as a network expands and changes. However, these protocols run over Layer 3 of the Open Systems Interconnection (OSI) model. Devices such as switches, which operate on Layer 2, do not participate.
  • Page 601: Lldp Messages

    Link Layer Discovery Protocol Overview LLDP runs over the Data Link Layer, so devices that use different Network Layer protocols can still identify each other. The ProCurve Secure Router automatically participates in LLDP so that the router can learn about the devices to which it connects and so that it can inform other devices of its presence.
  • Page 602: Viewing Lldp Information

    Link Layer Discovery Protocol Viewing LLDP Information The ProCurve Secure Router supports a network control protocol (NCP) called the LLDP Control Protocol (LLDPCP). This protocol allows PPP peers to negotiate the exchange of LLDP messages encapsulated in PPP frames. The router can also exchange LLDP messages over a Frame Relay or an ATM PVC.
  • Page 603: Viewing Lldp Neighbor Information

    Link Layer Discovery Protocol Viewing LLDP Information By scanning LLDP information, you can determine which devices the router can reach on the WAN—and whether any unauthorized devices have contacted the local router. You can also discover useful information about neighboring devices such as their capabilities and model numbers.
  • Page 604 Link Layer Discovery Protocol Viewing LLDP Information ProCurve# show lldp neighbors detail If you want to limit the display to the neighbor (or, for a multi-access network, neighbors) of a specific interface, use the interface <interface ID> option. For example, enter: ProCurve# show lldp neighbors interface eth 0/1 detail ProCurve# show lldp neighbors detail Chassis ID: 00:12:79:05:25:D4 (MAC Address)
  • Page 605 Link Layer Discovery Protocol Viewing LLDP Information ProCurve# show lldp neighbors Capability Codes: R - Router, B - Bridge, H - Host, D - DOCSIS Device, W - WLAN Access Point, r - Repeater, T - Telephone System Name Port ID Cap.
  • Page 606: Viewing Local Lldp Activity

    Link Layer Discovery Protocol Viewing LLDP Information Capability Codes: R - Router, B - Bridge, H - Host, D - DOCSIS Device, W - WLAN Access Point, r - Repeater, T - Telephone. Output columns: System Name, Port ID, Cap., Platform, Local Int...
  • Page 607: Viewing Real-Time Lldp Messages: Debug Lldp Commands

    Link Layer Discovery Protocol Viewing LLDP Information ProCurve# show lldp interface eth 0/1 (TX/RX) 240 packets input 0 input errors 0 TLV errors, 0 TLVs Discarded 0 packets discarded 241 packets output 0 neighbor ageouts fr 1.1 (TX/RX) 235 packets input 0 input errors 0 TLV errors, 0 TLVs Discarded 0 packets discarded...
  • Page 608 Link Layer Discovery Protocol Viewing LLDP Information You can view the LLDP messages that are arriving on interfaces in real time by entering: Syntax: debug lldp rx [verbose] If an interface seems to be receiving an undue number of messages, you can enter the show lldp neighbors interface <interface ID>...
  • Page 609: Viewing Lldp Timers

    Link Layer Discovery Protocol Viewing LLDP Information ProCurve# debug lldp tx verbose LLDP: TTL 120 LLDP: System Description "ProCurve Secure Router 7203dl" LLDP: System Name "ProCurve" LLDP: System Description "ProCurve Secure Router 7203dl, Version: 03.01, Date: Fri Aug 12 08:41:29 2005" LLDP: System Capabilities: LLDP:...
  • Page 610: Configuring Lldp

    Link Layer Discovery Protocol Configuring LLDP Configuring LLDP All active interfaces on the ProCurve Secure Router, except for ATM subinterfaces, automatically send out LLDP messages. (See Table 12-2 on page 12-15 for the default transmit intervals.) For most networks, the default settings for LLDP are adequate. If you so choose, you can attempt to minimize overhead or to restrict the information the router transmits about itself by: preventing an interface from sending certain LLDP messages...
  • Page 611 Link Layer Discovery Protocol Configuring LLDP Enter no lldp send without any options to prevent the interface from transmitting any messages. You can restrict the interface from sending only certain messages by entering the no form of the lldp send command followed by the specific option. For example, if a WAN interface transmits the management address into an untrusted environment, hackers could attempt to access your router.
  • Page 612: Preventing An Interface From Receiving Lldp Messages

    Link Layer Discovery Protocol Configuring LLDP Preventing an Interface from Receiving LLDP Messages You can prevent an interface from listening for LLDP messages by moving to its configuration mode context and entering: Syntax: no lldp receive You cannot filter out certain types of information. The interface either receives all LLDP messages or none.
  • Page 613: Quick Start

    Link Layer Discovery Protocol Quick Start Table 12-2. LLDP Intervals (columns: Interval, Meaning, Default, Range, Command Syntax). Transmit interval: time between sending LLDP messages during normal operations; default 30 seconds; range 5 to 32,768 seconds; lldp transmit-interval <seconds>. Minimum transmit: minimum time the...; default 2 seconds; range 1 to 8192; lldp minimum-...
  • Page 614 Link Layer Discovery Protocol Quick Start b. You can also prevent the router from sending any LLDP messages, while still allowing it to listen for messages. Syntax: no lldp send To only prevent the router from receiving LLDP messages, enter: Syntax: no lldp receive Enter a command without the no option to re-enable the function.
  • Page 615: Contents

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents Overview ........... . . 13-6 Routing Protocols .
  • Page 616 IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents Configuring OSPF ..........13-29 LSAs .
  • Page 617 IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents Configuring a BGP Neighbor ....... . 13-72 Setting the BGP Neighbor ID .
  • Page 618 IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents Configuration Examples ........13-106 Example 1: Baseline BGP Configuration .
  • Page 619 IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents Troubleshooting OSPF ........13-153 Troubleshooting an Internal Router .
  • Page 620: Overview

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Overview Overview This chapter describes how to configure routing protocols and policy based routing (PBR). Before attempting to configure a routing protocol, you should understand: IP addressing, including how a subnet mask divides an IP address into a network address and a host address; classful and classless IP networks; classless interdomain routing (CIDR) notation...
  • Page 621: How Routing Protocols Work

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Overview Dynamic Routing Protocols Supported on the ProCurve Secure Router The ProCurve Secure Router supports three routing protocols—each of which it can use alone or in conjunction with the others: Routing Information Protocol (RIP) versions 1 and 2; Open Shortest Path First (OSPF) version 2; Border Gateway Protocol (BGP) version 4. RIP and OSPF are Interior Gateway Protocols (IGPs);...
  • Page 622 IP Routing—Configuring RIP, OSPF, BGP, and PBR Overview What information routers include in routing updates—With some routing protocols, routers exchange their entire routing tables. With other routing protocols, routers exchange only portions of the routing table. Routers that are running a link-state protocol, such as OSPF, do not exchange actual routes.
  • Page 623 IP Routing—Configuring RIP, OSPF, BGP, and PBR Overview Table 13-1. Routing Protocol Comparison (columns: Option, RIP, OSPF, BGP). Metric computation and route selection: RIP uses the number of hops to the destination; OSPF uses inverse bandwidth and, rarely, type of service (ToS); BGP applies a variety of policies, such as whether a route is external or internal, and...
  • Page 624: Advantages And Disadvantages Of Routing Protocols

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Overview Advantages and Disadvantages of Routing Protocols Dynamic routing can provide reliable routes. OSPF, for example, can select routes according to fairly sophisticated criteria, such as link state and bandwidth, and BGP can take an organization’s policies into account. The best route at one moment may not always be the best route, and dynamic routing protocols can track these changes.
  • Page 625: Load Sharing

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Overview Protocol comparison (columns: Protocol, Advantages, Disadvantages, Uses), BGP row. Advantages: ISPs use BGP; BGP provides tight control over which routes are... Disadvantages: configuration is complicated; the network must also run an IGP. Uses: connecting to an ISP; not used over dial-up.
  • Page 626: Configuring Rip

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP lowest values will be selected. Because different routing protocols have different administrative distances, the multiple routes will generally be discovered using the same dynamic protocol. The router can share traffic over the routes based on destination, assigning traffic destined to some hosts to one route and traffic destined to other hosts to another route.
  • Page 627: Rip Updates, V1 And V2

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP When a router receives a route that it does not know from a neighbor, it adds it to its routing table. The source of the update becomes the next-hop address for the destination, and the metric is the advertised metric plus one. That is, because the router is one hop from the source of the update, the router is also one more hop from the destination.
  • Page 628 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP an address family field—set at 2, indicating that addresses are in IPv4 format; up to 25 entries, each consisting of: a destination IP address, and a metric, which is the number of hops to the destination address from the router that is sending the packet. When a router discovers a new or better route from a RIP v1 update, it assumes that the neighbor from which it received the update is the next hop for the...
  • Page 629: And Triggered Updates

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP Speeding Convergence: Split Horizon, Poison Reverse, and Triggered Updates One shortcoming of RIP is its relatively slow convergence in some network environments. Routers send updates every 30 seconds. In a large network, a router may not receive accurate and up-to-date information on a route for several minutes.
  • Page 630 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP As long as the network remains stable, this process continues smoothly. However, problems arise if the topology changes. Consider what happens when the link between Router B and Network 1 fails. (See Figure 13-2.) Router B begins advertising a route to Network 1 with a metric of 16 to indicate that it is unreachable.
  • Page 631: Rip Timing Intervals

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP Worse, the count to infinity interferes with convergence to an actual valid route. For example, Router C in Figure 13-2 also connects to Network 1 through a five-hop redundant route. Router C waits until the count to infinity for the invalid route reaches 6 before it starts using and advertising the correct route.
  • Page 632: Rip Configuration Considerations

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP The timeout interval determines the amount of time the router will wait without receiving information about a route before declaring that route invalid. When the router times out a route, it sends out poison updates for that route for the next two update cycles.
  • Page 633: Selecting A Rip Version

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP RIP options table (columns: Options, RIP Specification, Configuration Considerations). Which routers send and receive updates. RIP specification: all router interfaces on RIP networks; passive interfaces, which receive updates but do not send them. Configuration considerations: specifying RIP networks (page 13-21); configuring passive interfaces (page 13-26)...
  • Page 634: Setting A Global Rip Version

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP Setting a Global RIP Version This command specifies which type of RIP updates the ProCurve Secure Router will both send and listen for: Syntax: version [1 | 2] The default version is 1. Because RIP v2 provides significant advantages over RIP v1, you may want to use v2 if possible.
  • Page 635: Specifying Networks That Will Participate In Rip

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP For example: ProCurve(config)# interface eth 0/1 ProCurve(config-eth 0/1)# ip rip send version 1 ProCurve(config-eth 0/1)# ip rip receive version 1 If the router connects to an external network (for example, an ISP), you should implement RIP v2, which can act as an EGP.
  • Page 636: Redistributing Routes

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP For example, you would configure Router A in Figure 13-3 as follows: ProCurve(config-rip)# network 192.168.1.0 255.255.255.0 ProCurve(config-rip)# network 10.1.1.0 255.255.255.252 (Figure 13-3, diagram: Router A on Network 1, 192.168.1.0/24, and Router B on Network 2, 192.168.2.0/24, joined by the WAN connection 10.1.1.0 /30.)
  • Page 637: Redistributing Connected Routes

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP routing updates. (See Chapter 9: Configuring a Tunnel with Generic Routing Encapsulation.) A router that receives and accepts the redistributed route adds it to its routing table as a RIP route. By default, RIP interfaces advertise redistributed routes with a metric of zero, as if they were directly connected.
  • Page 638: Redistributing Ospf Routes

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP Redistributing OSPF Routes Various routing protocols discover routes in different ways. Some routing protocols produce more reliable routes in certain topologies than other routing protocols can. For some networks, you might need to use several routing protocols.
  • Page 639 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP With route summarization, an interface can broadcast a single entry (destination IP address 10.0.0.0 255.0.0.0, next-hop IP address 10.1.1.1, and a metric). Route summarization is particularly useful for limiting the amount of bandwidth routers consume with RIP updates. It also limits the memory the routing table occupies.
  • Page 640: Configuring A Passive Interface: Prohibiting An Interface

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP For example, in Figure 13-4, Router B connects to Router A through subnet 1.1.1.0 /30, and to Router C through subnet 2.2.2.0 /30. Both Routers A and C attempt to advertise network 10.0.0.0 /8. When the route is accurate for Network 3, Router B misroutes traffic to Networks 1 and 2, and vice versa.
  • Page 641 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP Enter the following RIP configuration command to configure a passive interface: Syntax: passive-interface <interface ID> For example, you might want the PPP 1 interface to be a passive interface: ProCurve(config-rip)# passive-interface ppp 1 The following interfaces can be passive interfaces: Ethernet interfaces; Ethernet subinterfaces (VLAN interfaces)
  • Page 642: Altering Rip Intervals

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring RIP Altering RIP Intervals You can alter the update and the timeout interval on the ProCurve Secure Router. The update interval determines how often router interfaces advertise RIP routes. The default interval is 30 seconds. You can change the update timer by entering this command from the RIP configuration mode context: Syntax: update-timer <seconds>...
  • Page 643: Configuring Ospf

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Configuring OSPF OSPF was designed to cope with several of RIP’s shortcomings. For example, OSPF provides quicker convergence and more sophisticated methods of computing best routes. Instead of sending routing table entries, routers send link state advertisements (LSAs) that allow peers to construct a more comprehensive, accurate, moment-to-moment topology of the network.
  • Page 644: Lsas

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF You will recall that a routing protocol must dictate options such as: how routers compute a route’s metric and select the best route for their routing table; what information routers include in routing updates; which routers and router interfaces send and receive updates; when routers send and receive updates. You can read this overview to learn in more detail how OSPF handles such...
  • Page 645: Areas

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF In a multi-access subnet, such as an Ethernet network, a router can become a neighbor with all other routers on the subnet. To minimize OSPF packets, routers elect a DR and a BDR with which all other routers establish full adjacency.
  • Page 646 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF area network to the ABR that advertised it. When this traffic arrives in area 0, the ABRs route it toward the correct area. When the traffic arrives in the new area, internal routers use intra-area routing to direct it to its destination. Autonomous system border routers (ASBRs) support external traffic (in WANs with one area or with multiple areas.) An ASBR connects to an external network and runs both OSPF and the external network’s routing protocol.
  • Page 647: Lsa Types

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Routers in the stub area deal primarily with intra-area LSAs. The ABR summarizes routes to the area and sends these routes to other ABRs in the backbone to support inter-area routing. The ABR also sends summary routes (Type 3 LSAs) for other areas into the stub area.
  • Page 648 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Table 13-6. LSA Types (columns: LSA Type, Contains, Originated By, Link State ID, Flooded To, Routing Table Entry). Type 1—router link: contains all directly connected links; originated by any router; link state ID is the router ID; flooded to all other routers (or DRs) in the area; routing table entry –...
  • Page 649: Route Computation

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF All routers generate Type 1 LSAs, which they use to advertise their own links. A Type 1 LSA includes: the link ID—in a point-to-point link, the neighboring router’s ID (typically its loopback interface address); in a link to a network, the network IP address; the type of link—point to point, stub network, transit network; link status...
  • Page 650: Ospf Configuration Concerns

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Depending on the type of LSAs that the router receives, the database can also include: links to ranges of networks in other areas; links to external networks. The router would use this information to generate inter-area and external routes.
  • Page 651 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF One common topology for a WAN is a headquarters, defined as area 0, that connects to stub areas at one or more remote sites. In this topology, the headquarters’ routers that connect to the remote sites are ABRs. The routers at the remote sites are internal routers.
  • Page 652 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Figure 13-7. OSPF Network with WAN as Area 0 (diagram: Areas 0, 1, and 2; ABR A and ABR B; Internal Router C and Internal Router D; Networks 1 through 4) If these routers are the only routers at the remote sites or if the remote sites are quite small, you could leave the network undivided.
  • Page 653: Setting The Router Id

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Refer to Table 13-7 for a summary of how OSPF manages route exchanges and what parameters you can configure for the protocol. Table 13-7. OSPF Parameters (columns: Parameter, OSPF Specification, Configuration Considerations). Information in...
  • Page 654 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Table 13-7 (continued; columns: Parameter, OSPF Specification, Configuration Considerations). When routers send LSAs and other messages: routers send LSAs not more than every 5 seconds, ...; optional: configuring intervals for an OSPF interface (page 13-57)...
  • Page 655: Setting The Router Id

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF In addition, for ABRs you can: prohibit a summary LSA from being advertised. You complete most OSPF configurations from the OSPF configuration mode context. However, you alter OSPF intervals for individual interfaces from that interface’s configuration mode context.
  • Page 656: Advertising Networks And Establishing Ospf Areas

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF to identify the routers at remote sites. In addition, loopback interfaces are always up as long as the router has at least one functioning link. Consequently, the router’s ID will not change if an interface goes down and up again.
  • Page 657: Configuring Stub Areas

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF If your entire WAN is only one area, you should define all networks as part of area 0. Move to the OSPF configuration mode context and enter: Syntax: network <A.B.C.D> <wildcard bits> area <area ID | A.B.C.D> You use wildcard bits to define networks rather than a subnet mask.
  • Page 658: Route Summarization (Abrs): Advertising A Link To One Area To Routers In Another Area

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Note You must configure each device in the stub area with the area <area ID> stub command. Otherwise, devices will not be able to achieve adjacency. Even though routers in a stub area only handle intra-area routing, hosts can still reach other areas.
  • Page 659 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Route summarization offers two distinct advantages: Saving bandwidth and router memory—Routers can transmit more information at once. Routing tables are simplified. Cordoning off problem networks—OSPF routers generate a network topology according to the messages they receive about link states; whenever a link goes down or up, the network topology changes.
  • Page 660 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF (network diagram: HQ—Area 0 with Router C; ABR A and ABR B; stub areas 1 and 3 with Routers D, E, and F; Site 3; subnets 10.1.1.0 /24, 10.1.2.0 /24, 10.1.3.0 /24, 10.1.4.0 /24, 10.1.6.0 /24, 10.1.8.0 /24, and 10.1.9.0 /24...)
  • Page 661 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF An area often contains several subnets. As long as these subnets are contiguous, you can specify all of them at the same time by altering the subnet mask. For example, in Figure 13-10, area 1 includes two 24-bit subnets, 10.1.4.0 /24 and 10.1.5.0 /24.
  • Page 662 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF (binary worked example) Network address 192.168.1.0 with subnet mask 255.255.192.0: network address 11000000 10101000 00000001 00000000; subnet mask 11111111 11111111 11000000 00000000; resulting network 11000000 10101000 00000000 00000000 = 192.168.0.0. Host address 192.168.63.0 with subnet mask 255.255.192.0: host address 11000000 10101000 00111111 00000000; subnet mask 11111111 11111111 11000000 00000000; same network 11000000 10101000 00000000 00000000 = 192.168.0.0...
  • Page 663: Example Configuration Of Ospf Areas

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF For example, suppose that traffic between area 1 and the ABR must travel over a relatively low-speed link. In this case, you might change the default-cost setting to 20: ProCurve(config-ospf)# area 1 default-cost 20 Example Configuration of OSPF Areas The WAN shown in Figure 13-12 connects the company’s headquarters to three remote sites in a Frame Relay network.
  • Page 664 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF In the example configuration commands, note that the network commands enable OSPF on the /20 subnets on which the ABR interfaces reside. The area <area ID> range commands, on the other hand, specify the range of four /20 subnets that belong to each area.
  • Page 665: Prohibiting The Advertisement Of Networks

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Note Take care to define the network that the ABR and the stub router have in common as part of the stub area. Otherwise, each stub router becomes an ABR.
  • Page 666: Configuring Route Summaries For Asbrs

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF The default route may come from one of three sources: The routing table includes a static default route. The router has received a default route from the external network. For example, the WAN interface may receive an IP address and default route from the remote router in the external network.
  • Page 667 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Note The ASBR’s OSPF database must include the external networks in order to advertise summaries for them. Therefore, you must redistribute RIP routes into OSPF in order for the summary-address command to take effect. One situation in which you could configure route summaries is when a router connects to a network at a remote site using an exterior gateway protocol.
  • Page 668: Configuring Cost Calculation For A Link

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Configuring Cost Calculation for a Link OSPF was designed for great flexibility in computing a route’s metric. An OSPF route’s metric is the sum of the cost for each link between the router and the destination.
  • Page 669: Redistributing Routes Discovered By Other Protocols (Asbrs)

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF The default reference bandwidth is 100 Mbps. Because the lowest cost is one, a 1000 Mbps connection would be assigned the same cost as a 100 Mbps connection. If your network uses various connections with a speed higher than 100 Mbps, you should change the reference bandwidth so that the router can take the lower cost of these links into account when computing best routes.
  • Page 670: Redistributing Rip Routes

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Note Because redistributed routes are external, you cannot redistribute routes on a stub router. When you redistribute any routes, even connected ones, into OSPF, the router is automatically considered an ASBR. Redistributing RIP Routes When a ProCurve Secure Router connects an OSPF network to an external network, it acts as an ASBR.
  • Page 671: Configuring The Default Metric For Redistributed Routes

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF You can also redistribute static routes into OSPF. You can configure a metric for redistributed connected or static routes just as you configure the metric for RIP routes: ProCurve(config-ospf)# redistribute static metric 30 Note The redistribute connected command does not enable interfaces to send or receive OSPF updates.
  • Page 672: Altering Ospf Intervals

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Altering OSPF Intervals OSPF can be a relatively chatty protocol. For example, an interface sends its neighbor a hello message every 10 seconds to notify it that the link is still up. If necessary, you can change the timing intervals for such messages.
  • Page 673 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF OSPF intervals table (continued; columns: Interval, Meaning, Default Setting, Range, Command Syntax). Retransmit: the minimum time before sending a new LSA; default 5 seconds; range 1 to 65,535 seconds; ip ospf retransmit-interval <seconds>. Transmit delay: the time assumed for ...; default 1 second; range 1 to 65,535 seconds; ip ospf transmit-delay <seconds>...
  • Page 674: Configuring Ospf Authentication

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Configuring OSPF Authentication If you enable authentication on your OSPF network, then routers will not exchange their databases to achieve adjacency until they have authenticated each other with a password. OSPF authentication prevents network devices from inadvertently joining the wrong area.
  • Page 675: Example Ospf Configuration

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF To configure a simple password for an interface, move to the interface configuration mode context and enter the following command: Syntax: ip ospf authentication-key <password> For example, enter the following command to configure secret as the password: ProCurve(config-fr 1.101)# ip ospf authentication-key secret To configure a message digest key, enter:...
  • Page 676 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF (network diagram for the example OSPF configuration: Area 0, total stub area 5, an internal router, an ASBR, Router A, Router B, and Site B; router IDs 192.168.251.5, 192.168.252.4, 192.168.253.3, 192.168.254.2, and 192.168.255.1; subnets 10.1.1.0 /24, 10.1.2.0 /24, 10.1.3.0 /24, 10.1.4.0 /24, 10.1.5.0 /24, 10.1.6.0 /24, 10.1.8.0 /24, and 10.200.1.0 /24...)
  • Page 677 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Define the connected OSPF networks in each area. This step also enables OSPF on interfaces on those networks: ProCurve(config-ospf)# network 10.1.1.0 0.0.0.255 area 0 ProCurve(config-ospf)# network 10.1.3.0 0.0.0.255 area 0 ProCurve(config-ospf)# network 10.1.4.0 0.0.0.255 area 4 ProCurve(config-ospf)# network 10.1.5.0 0.0.0.255 area 5 Define the stub and total stub areas: ProCurve(config-ospf)# area 4 stub...
  • Page 678 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF To configure the ASBR at the HQ, you would complete these steps: Assign IP addresses to the Ethernet and WAN interfaces: ProCurve(config-eth 0/1)# ip address 10.1.1.1 /24 ProCurve(config-eth 0/2)# ip address 10.1.2.1 /24 ProCurve(config-ppp 1)# ip address 10.200.1.1 /24 Define the router ID by configuring a loopback interface: ProCurve(config)# interface loop 1...
  • Page 679: Configuring Bgp

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Configuring BGP BGP is an external protocol: it allows different autonomous systems to exchange routes. BGP is the protocol most ISPs use, and it was designed to allow diverse, sometimes competitive organizations to communicate: BGP can filter both the routes it receives and those that it sends according to bit length, thereby minimizing the number of routes exchanged.
  • Page 680: Vrf And Mpls

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP With static routing, you configure a default route on the local router to the ISP router. The ISP manually configures routes to the private sites on its edge routers directly connecting to these sites. RIP v2 runs on the network between the private router and the ISP router.
  • Page 681: Multihoming

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Figure 13-15. VRF (diagram: Customer A’s Router A, 1.1.1.2/30, and Customer B’s Router B, 2.2.2.2, each with a Network 10.1.1.0 /24; routing table A lists 10.1.1.0 /24 via 1.1.1.2 and routing table B lists 10.1.1.0 /24 via 2.2.2.2) The ISP edge router connecting to the local site forms an MPLS Label Switch Path (LSP) with the ISP edge router connecting to the authorized remote site.
  • Page 682: Bgp Neighbors

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP to different neighbors. BGP keeps one link from being overused while leaving the other idle. This ensures that your organization actually receives the benefit of the connections for which it has paid. BGP Neighbors BGP routers advertise routes to their neighbors.
  • Page 683 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP configure at least one BGP neighbor: set the BGP neighbor ID (IP address); specify the remote AS number. You can also: configure policies for exchanging routes with a neighbor:...
  • Page 684: Enabling Bgp

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Table 13-10. BGP Protocol (columns: Parameter, BGP Specification, Configuration Considerations). The routers that send and receive updates: BGP routers communicate only with manually configured neighbors; configuring the router ID (page 13-72);...
  • Page 685: Advertising Local Networks

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Advertising Local Networks Specify the local networks that remote sites should be able to access. You should only advertise networks that originate in your AS. To allow BGP to advertise a network, enter the following command: Syntax: network <A.B.C.D>...
  • Page 686: Setting The Router Id

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Note If you want to send certain routes to one neighbor but not another, you must apply an outbound prefix list filter to the neighbor. (See “Creating Prefix Lists: Configuring Filters for Route Exchange”...
  • Page 687: Specifying The Local And Remote As

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Note Be aware that you must enter the address for the interface that the remote router is using as its update source. For example, the neighbor may be using a loopback interface as the update source for several connections.
  • Page 688: Load Balancing

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP Load Balancing A multihomed BGP router connects to more than one ISP or more than one ISP router. Such a router can legitimately forward external traffic through more than one connection. Load balancing ensures that one connection is not used to the exclusion of another.
  • Page 689 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring BGP When the ProCurve Secure Router receives a route from a neighbor, it sets the update source as the forwarding interface for the route. Because the loopback interface becomes the forwarding interface rather than a specific WAN interface, the router automatically distributes packets over all links to the neighbor.
  • Page 690: Balancing Loads Over Connections To Different Neighbors

    Load balancing inbound traffic is more difficult. In many ways, it is up to the ISP to decide through which connection to route traffic.
    Balancing Loads over Connections to Different Neighbors
    You may connect to multiple ISP routers through two or more interfaces on the same router or on different routers.
  • Page 691

    [Figure 13-17. Balancing Loads between Connections to Two Neighbors: Customer Router A and Router B, Networks 1 through 4]
    You can also attempt to manually balance outbound traffic by having the router accept certain routes from one neighbor and the remaining routes from another.
  • Page 692: Creating Prefix Lists: Configuring Filters For Route Exchange

    In this case, even though you advertise only certain routes to one neighbor, the ISPs’ routers will probably aggregate these routes when they advertise them. For example, you configure one interface to advertise routes to networks 192.168.1.0 /24 through 192.168.127.0 /24 and the other to advertise routes to networks 192.168.128.0 /24 through 192.168.255.0 /24.
  • Page 693

    For example, a BGP router might connect to another AS that includes a /16 network made up of many contiguous subnets of variable lengths. The neighbor would know many routes, perhaps a route to each individual subnet; however, the local BGP router can get by with only the next-hop address that leads to the entire range.
  • Page 694: Naming The List

    Naming the List
    You apply a list to a neighbor by its name. You can apply only one list to each neighbor for an inbound filter and one for an outbound filter. You should therefore give the same name to every entry that applies to the routes that your router will receive from a neighbor.
  • Page 695: Applying Filters

    However, you can permit (or deny) routes to subnets within the larger network by specifying a permitted range of prefix lengths. For example, the filter could allow all routes to subnets in the 10.1.0.0 /16 network with a prefix length up to and including 24:
      ProCurve(config)# ip prefix-list FilterIn seq 10 permit 10.1.0.0/16 le 24
    The ge keyword indicates that the length must be greater than or equal to that...
  • Page 696

    If you want to use the prefix list to create more complicated policies, you should apply it to a route map entry instead of to the BGP neighbor. You can then configure the policy in the route map entry and apply the route map to the neighbor.
  • Page 697

    [Figure 13-18. Problem with BGP Multihoming: Router A at Customer A sits between two ISP routers; external routes learned from one ISP are re-advertised to the other, and external traffic then flows through Router A]
    To prevent this problem from arising (your router becoming a transit path between the two ISPs), you should configure an outbound filter list that advertises only the null route (the route to your private network’s range of addresses) to the ISPs.
  • Page 698

    For example, your organization uses private networks 192.168.1.0 /24 through 192.168.16.0 /24. You could configure one prefix list to allow the advertisement of networks 192.168.1.0 /24 through 192.168.7.0 /24 (the /21 also covers 192.168.0.0 /24, which is harmless if that subnet is unused):
      ProCurve(config)# ip prefix-list ISP1Out seq 1 permit 192.168.0.0/21 ge 24 le 24
    You would then apply the prefix list to routes advertised to one BGP neighbor:
      ProCurve(config)# router bgp 1
      ProCurve(config-bgp)# neighbor 10.1.1.1...
  • Page 699: Example Prefix List Configuration

    For example, Router A in Figure 13-19 connects to ISP 1 and ISP 2 through two PPP interfaces. You permit PPP interface 1, which connects to ISP 1, to receive routes for networks 1.0.0.0 /8 through 126.0.0.0 /8. PPP interface 2 receives routes for networks 128.0.0.0 /16 through 223.255.255.0 /24.
  • Page 700: Configuring Route Maps: Creating More Complex Policies For

    You should configure filters to advertise only the local routes and accept only the remote private routes as follows:
      ProCurve(config)# ip prefix-list FilterOut seq 1 permit 10.1.0.0/20
      ProCurve(config)# ip prefix-list FilterIn seq 1 permit 10.1.0.0/16 ge 20 le 20
      ProCurve(config)# router bgp 1
      ProCurve(config-bgp)# neighbor 1.1.1.1
      ProCurve(config-bgp-neighbor)# prefix-list FilterOut out...
  • Page 701: Creating A Route Map Entry

    • requesting that the neighbor advertise the route to certain communities only
    • prepending private AS numbers to specific routes to help balance inbound traffic
    • setting a multi-exit discriminator on specific routes to help balance inbound traffic
    When you apply a route map to inbound routes, it determines which of the ISP-advertised routes the local router accepts.
  • Page 702: Configuring A Community List

    For example, you can create an outbound route map that sets one route’s multi-exit discriminator metric and places another route in a community. You simply create two route map entries with the same name:
      ProCurve(config)# route-map ISP1out 10
      ProCurve(config-route-map)# exit
      ProCurve(config)# route-map ISP1out 20...
  • Page 703: Configuring An As Path List

    To deny a community from the list, enter this command from the community list configuration mode context:
      Syntax: deny [internet | local-as | no-advertise | no-export | <1-4294967295>]
    Again, you can enter multiple keywords in the same command.
    Configuring an AS Path List
    You can use an AS path list to select routes for a policy according to values in the routes’...
  • Page 704

    You select the routes that the BGP interface will advertise by entering a match command in an outbound route-map entry. (See Table 13-11.)
    Table 13-11. Controlling Advertised Routes
    Filtering According To                      Command Syntax
    network address and/or prefix length        match ip address prefix <listname>...
  • Page 705

    Remember that the local router’s routing table must include this exact route in order for the router to advertise it. If your network uses subnetted networks, you may need to add a null route to the range of subnets. For example:
      ProCurve(config)# ip route 10.1.0.0 /16 null 0
    If you want the router to advertise separate routes for the subnets, you must permit the address for the complete network and then specify the bit length...
  • Page 706

    ...administrators must define policies that apply to the community, specifying, in particular, the neighbors to which the local routers may advertise routes in that community. You can create such a policy by configuring a route map for each of your router’s BGP neighbors.
  • Page 707

    After configuring the community list, create a route map entry:
      ProCurve(config)# route-map ISPOut 10
    Then enter this command:
      Syntax: match community <listname>
    Note: This command does not define a community for routes. It selects routes according to their predefined community or communities.
  • Page 708: Placing A Route In A Community: Requesting A Neighbor To Advertise A Route To Certain Peers Only

      ProCurve(config-as-path-list)# permit 1
      ProCurve(config-as-path-list)# permit 2
    Permitting AS number 1 selects any routes that include that value, even if the AS path also includes other values. In other words, entering permit 1 permits routes through AS 1 and routes through AS 1 and AS 2, while entering permit 1 2 only permits routes through both AS 1 and AS 2.
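    The prefix-list and AS-path-list semantics described on the preceding pages, as an added worked example that is not part of the HP manual: it parses the manual's own ip prefix-list lines (FilterIn, ISP1Out, FilterOut), applies the ge/le length window and first-match rule to candidate routes, and models the AS-path-list rule that permit 1 2 requires both AS numbers while separate permit 1 and permit 2 entries match either. The NoPrivate list, the implicit deny at the end of each list, and the sample routes are assumptions made for the example.

```python
"""Added example, not from the HP manual: a small model of how the router's
prefix-list and AS-path-list filters select BGP routes, using the lists the
pages above build (FilterIn, ISP1Out, FilterOut) plus one constructed list
(NoPrivate) that shows a deny entry ahead of a permit.

Assumed semantics (standard for Cisco-style and AOS-style CLIs, not spelled
out on the page): entries are tried in ascending sequence order, the first
matching entry decides, and a route that matches no entry is denied."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PrefixEntry:
    seq: int
    permit: bool
    network: ipaddress.IPv4Network
    ge: Optional[int] = None   # minimum prefix length (ge keyword)
    le: Optional[int] = None   # maximum prefix length (le keyword)

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the entry's network (same leading bits)...
        if not route.subnet_of(self.network):
            return False
        # ...and its prefix length must fall in the ge/le window. With neither
        # keyword only an exact length match counts; ge alone allows up to /32.
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.network.prefixlen
        return lo <= route.prefixlen <= hi


_LINE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_lists(config: str) -> dict:
    """Parse 'ip prefix-list ...' lines into {name: [PrefixEntry, ...]} sorted by seq."""
    lists: dict = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("ip prefix-list"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable prefix-list line: {line!r}")
        lists.setdefault(m["name"], []).append(PrefixEntry(
            seq=int(m["seq"]),
            permit=m["action"] == "permit",
            network=ipaddress.IPv4Network(m["net"], strict=True),
            ge=int(m["ge"]) if m["ge"] else None,
            le=int(m["le"]) if m["le"] else None,
        ))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def prefix_list_permits(entries, route: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    net = ipaddress.IPv4Network(route, strict=True)
    for entry in entries:
        if entry.matches(net):
            return entry.permit
    return False


def as_path_list_permits(entries, as_path) -> bool:
    """entries: [(permit, [asn, ...]), ...]. An entry matches when every AS it
    names appears somewhere in the route's AS_PATH, so 'permit 1 2' needs both
    while separate 'permit 1' and 'permit 2' entries match either."""
    path = set(as_path)
    for permit, asns in entries:
        if set(asns) <= path:
            return permit
    return False


# Constructed sample configuration (the first three lists come from the manual's
# examples; NoPrivate is added to show deny-before-permit ordering).
SAMPLE_CONFIG = """
ip prefix-list FilterIn seq 10 permit 10.1.0.0/16 le 24
ip prefix-list ISP1Out seq 1 permit 192.168.0.0/21 ge 24 le 24
ip prefix-list FilterOut seq 1 permit 10.1.0.0/20
ip prefix-list NoPrivate seq 5 deny 10.1.112.0/20 ge 20
ip prefix-list NoPrivate seq 10 permit 10.1.0.0/16 le 24
"""
PREFIX_LISTS = parse_prefix_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    for name, route in [("FilterIn", "10.1.5.0/24"), ("FilterIn", "10.1.5.0/25"),
                        ("ISP1Out", "192.168.3.0/24"), ("ISP1Out", "192.168.0.0/21"),
                        ("NoPrivate", "10.1.120.0/24"), ("NoPrivate", "10.1.5.0/24")]:
        verdict = "permit" if prefix_list_permits(PREFIX_LISTS[name], route) else "deny"
        print(f"{name:10} {route:18} -> {verdict}")
```

    Note the two cases that most often surprise people: FilterOut with no ge/le permits exactly 10.1.0.0/20 and nothing more or less specific, and a deny entry only has an effect if its sequence number places it ahead of the permit that would otherwise match.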
  • Page 709

    BGP specifies several well-defined communities, which are displayed in Table 13-13.
    Table 13-13. BGP Communities
    Community      Includes
    internet       all peers
    local-as       all peers in the local AS
    no-advertise   no peers
    no-export      internal peers only (the route is not advertised outside the AS)
    You can place a route in a community according to any attribute in that route.
  • Page 710: Prepending Private As Numbers For Load Balancing

    Table 13-14. Placing a Network in a BGP Community
    Keyword    Purpose
    add        Use this keyword to append communities to selected routes.
    internet   The neighbor can advertise the route to any peer.
    local-as   The neighbor can advertise the route to peers in the local AS only, not to external peers or to peers in the same confederation.
  • Page 711

    You can attempt to load balance inbound traffic over multiple Internet connections by influencing the ISP routers’ selection process. One way to do so is to prepend extra hops to the AS path of certain routes. For example, a router connects to ISPs A and B, but inbound traffic always arrives over the connection to ISP A.
  • Page 712: Load Balancing

    You can add a string of fictive AS numbers. For example:
      ProCurve(config-route-map)# set as-path prepend 65000 65100
    You should consult with your ISP before prepending AS numbers so that the fictive AS path does not conflict with route policies that the ISP router implements. The common practice is to prepend your own AS number one or more times; providers frequently strip or reject paths that contain private AS numbers, which is another reason to check first.
  • Page 713

    Select the set of routes using a match command. You can use various attributes to select routes, including the destination network address and prefix length or community. Classifying routes according to their destination address is the typical way to group routes to one section of your network.
  • Page 714: Filtering Inbound Routes

      ProCurve(config-route-map)# match ip address prefix MultiExit2
      ProCurve(config-route-map)# set metric 200
      ProCurve(config-route-map)# exit
      ProCurve(config)# route-map ISP2 10
      ProCurve(config-route-map)# match ip address prefix MultiExit1
      ProCurve(config-route-map)# set metric 200
      ProCurve(config-route-map)# exit
      ProCurve(config)# route-map ISP2 20
      ProCurve(config-route-map)# match ip address prefix MultiExit2
      ProCurve(config-route-map)# set metric 160
      ProCurve(config-route-map)# exit
      ProCurve(config)# router bgp 1...
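    To see why the local-preference, AS-path-prepend and multi-exit-discriminator settings on these pages change what a router chooses, here is an added worked example (not part of the HP manual) that models the first steps of the BGP best-path decision: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED, then lowest neighbor router ID as a tie-breaker. One caveat it makes visible: by default MED is compared only between paths received from the same neighboring AS, so the MED values in the ISP1/ISP2 route maps above only influence an ISP that receives your prefixes over both links; across two different ISPs, prepending is the tool that works. All AS numbers, prefixes, router IDs and MED values are constructed for the example.

```python
"""Added example, not from the HP manual: a simplified model of the BGP
best-path decision, showing why the knobs set in the route maps above
(local-preference on inbound routes, AS-path prepending and the multi-exit
discriminator on outbound routes) change which path a router installs.

Only these decision steps are modelled, in this order: highest LOCAL_PREF,
shortest AS_PATH, lowest MED (compared only between paths received from the
same neighbouring AS, which is the default on most routers), and lowest
neighbour router ID as a tie-breaker. Weight, origin, eBGP-versus-iBGP and
IGP cost are left out. All AS numbers, prefixes, router IDs and MED values
below are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: tuple          # as_path[0] is the neighbouring AS that sent the route
    neighbor_id: str        # router ID of the neighbour the path came from
    local_pref: int = 100   # default LOCAL_PREF on most implementations
    med: int = 0            # MULTI_EXIT_DISC; lower is preferred


def better(a: Path, b: Path) -> Path:
    """Return whichever of the two paths the decision process prefers."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    same_neighbor_as = a.as_path[:1] == b.as_path[:1]
    if same_neighbor_as and a.med != b.med:
        return a if a.med < b.med else b
    # Deterministic tie-breaker: lowest neighbour router ID.
    a_id, b_id = ipaddress.IPv4Address(a.neighbor_id), ipaddress.IPv4Address(b.neighbor_id)
    return a if a_id <= b_id else b


def best_path(paths):
    best = paths[0]
    for candidate in paths[1:]:
        best = better(best, candidate)
    return best


def isp_b_choice(prepend=()):
    """Which path an ISP B router picks for the customer's prefix 10.1.0.0/17:
    the direct session from the customer (AS 3), with `prepend` applied by a
    route map such as 'set as-path prepend 65000 65100', or the same prefix
    learned from ISP A (AS 1). Where the prepended ASNs sit relative to the
    customer's own AS does not matter here; only the length is compared."""
    direct = Path("10.1.0.0/17", (3,) + tuple(prepend), "10.20.0.3")
    via_a = Path("10.1.0.0/17", (1, 3), "192.0.2.1")
    return "direct" if best_path([direct, via_a]) is direct else "via ISP A"


def single_isp_choice(med_link1, med_link2):
    """Two links from the same customer AS to one ISP: MED decides."""
    link1 = Path("10.1.0.0/17", (3,), "10.10.0.3", med=med_link1)
    link2 = Path("10.1.0.0/17", (3,), "10.20.0.3", med=med_link2)
    return "link1" if best_path([link1, link2]) is link1 else "link2"


def two_isp_med_is_ignored():
    """Same prefix from two different neighbouring ASes with equal path
    length: MED is not compared, so the lower-MED path does not win."""
    via_a = Path("203.0.113.0/24", (1, 7000), "192.0.2.1", med=50)
    via_b = Path("203.0.113.0/24", (2, 7000), "192.0.2.9", med=10)
    return "via ISP A" if best_path([via_a, via_b]) is via_a else "via ISP B"


def customer_choice():
    """An inbound route map on the customer sets local-preference 125 on routes
    from ISP 2; that outranks ISP 1's shorter AS path."""
    from_isp1 = Path("203.0.113.0/24", (1, 7000), "10.10.0.1")
    from_isp2 = Path("203.0.113.0/24", (2, 500, 7000), "10.20.0.1", local_pref=125)
    return "ISP 1" if best_path([from_isp1, from_isp2]) is from_isp1 else "ISP 2"


if __name__ == "__main__":
    print("ISP B, no prepend:     ", isp_b_choice())
    print("ISP B, prepend 2 ASNs: ", isp_b_choice((65000, 65100)))
    print("one ISP, MED 100/200:  ", single_isp_choice(100, 200))
    print("two ISPs, MED ignored: ", two_isp_med_is_ignored())
    print("customer, local-pref:  ", customer_choice())
```

    The model is pairwise, as real implementations are, which is also why MED is only meaningful among paths from one neighboring AS: comparing it across ASes would make the outcome depend on the order in which paths are examined.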
  • Page 715

    To use a route map to filter inbound routes according to network address and prefix length, first create the prefix list and then enter these commands:
      Syntax: route-map <mapname> <sequence number>
      Syntax: match ip address prefix <listname>...
  • Page 716: Applying Policies To Inbound Routes

    Applying Policies to Inbound Routes
    In addition to controlling whether your router accepts routes from a neighbor, you can configure the router to apply policies to routes that it accepts. First, select a set of routes and then set attributes for those routes.
    Selecting and Grouping Routes.
  • Page 717: Deleting Communities From A Route

    Note: You can only set a local preference for inbound routes. You cannot set the local preference for routes outbound to an external neighbor, because the LOCAL_PREF attribute is exchanged only within an AS and is not sent to external peers.
    To place the route in a community defined in the local network, enter this command:
      Syntax: set community [add | internet | local-as | no-advertise | no-export | none | <1-4294967295>...
  • Page 718: Applying A Route Map Entry To A Bgp Neighbor

    Note: If you are also using the route map to filter routes, you should delete the communities in the route map entry that filters routes. This is because the router stops processing a route map as soon as it finds a match.
  • Page 719: Disabling Igp Synchronization

    Disabling IGP Synchronization
    If a BGP router advertises a route to external neighbors that routers within the AS have not yet learned, the internal routers may receive, and be forced to drop, traffic they cannot handle. IGP synchronization was used by earlier implementations of BGP to solve this problem.
  • Page 720: Altering Bgp Intervals

    The administrative distance should be between 1 and 255. The default for external routes is 20; for internal routes, 200; and for local routes, 200. For example, enter:
      ProCurve(config-bgp 1)# distance bgp 40 150 220
    Altering BGP Intervals
    Compared to OSPF and RIP, BGP routers exchange few messages.
  • Page 721: Example 1: Baseline Bgp Configuration

    [Figure 13-20. Example BGP Configuration: Customer Router A (AS 3, Network 1 on 10.1.1.0 /24) connects to ISP 1 (AS 1) over 10.1.0.0 /24 and to ISP 2 (AS 2) over 10.2.0.0 /24]
    Example 1: Baseline BGP Configuration
    A baseline configuration allows Router A to:
    • connect to BGP neighbors—in this example, the ISP routers
    • advertise the local network to all neighbors
    • receive all routes that neighbors advertise to it...
  • Page 722

      interface eth 0/1
        ip address 10.1.1.1 255.255.255.0
        no shutdown
      interface eth 0/2
        no ip address
        shutdown
      interface adsl 1/1
        snr-margin 6
        training-mode multi-mode
        no shutdown
      interface adsl 2/1
        snr-margin 6
        training-mode multi-mode
        no shutdown
      interface atm 1...
  • Page 723

    Configure the router to advertise the local network to BGP neighbors and to receive routes from these neighbors (See Figure 13-22):
      ProCurve(config)# router bgp 3
      ProCurve(config-bgp)# bgp router-id 10.1.0.3
      ProCurve(config-bgp)# network 10.1.1.0 mask 255.255.255.0
      ProCurve(config-bgp)# neighbor 10.1.0.1
      ProCurve(config-bgp-neighbor)# remote-as 1
      ProCurve(config-bgp-neighbor)# exit...
  • Page 724

    You would then complete the steps explained in “Example 1: Baseline BGP Configuration” on page 13-107. When specifying advertised networks, enter the OSPF routes in the routing table as well as the local route. For example, the LAN may use area summaries such as:
      area 0 = 10.1.0.0 /23
      area 1 = 10.1.2.0 /23...
  • Page 725: Example 3: Configuring A Standard Bgp Policy On A Router That Receives Routes To Remote Private Sites

    Example 3: Configuring a Standard BGP Policy on a Router That Receives Routes to Remote Private Sites
    If the local router provides the only connection to the Internet, you may want to use a default route for external traffic and BGP routes for traffic to remote private sites.
  • Page 726

    [Figure 13-24. Configuring a Router to Receive BGP Routes to a Remote Site: Router A (AS 3, Network 1 on 10.1.1.0 /24), ISP 1 (AS 1, link 10.1.0.0 /24), and Router B at the remote site (10.1.2.0 /24)]
  • Page 727: Multihomes

      hostname “RouterA”
      interface eth 0/1
        ip address 10.1.1.1 255.255.255.0
        no shutdown
      interface eth 0/2
        no ip address
        shutdown
      interface t1 1/1
        tdm-group 1 timeslots 1-24 speed 64
        no shutdown
      interface ppp 1
        ip address 10.10.0.3 255.255.255.0...
  • Page 728

    • prefers certain routes from certain neighbors to help distribute outbound traffic over the connections
    • clears any policies on inbound routes that prevent the router from advertising them as necessary
    To configure the router’s IGP and its connection to the BGP neighbors, see “Example 2: Baseline BGP Configuration for a Router that Runs an IGP”...
  • Page 729

    Create two prefix lists for external traffic, each of which specifies routes to half of all IP networks. You can configure the router to accept only routes whose prefix length does not exceed a limit (the le keyword) so that the router does not learn too many over-specific routes.
  • Page 730

    Permit the router to advertise the other half of the local routes to this neighbor and specify a higher multi-exit discriminator metric for load balancing. (Again, filter out routes that should not be advertised to external neighbors.)
      ProCurve(config)# route-map ISP1Out 30
      ProCurve(config-route-map)# match ip address prefix-list LAN2...
  • Page 731

    Apply the policies to the neighbors. Allow the router to advertise community attributes if so desired and if permitted by your ISP.
      ProCurve(config)# router bgp 3
      ProCurve(config-bgp)# neighbor 10.10.0.1
      ProCurve(config-bgp-neighbor)# route-map ISP1In in
      ProCurve(config-bgp-neighbor)# route-map ISP1Out out
      ProCurve(config-bgp-neighbor)# send-community standard
      ProCurve(config-bgp-neighbor)# neighbor 10.20.0.1...
  • Page 732

      hostname "RouterA"
      router ospf
        default-information-originate always
        network 10.1.1.0 0.0.0.255 area 0
      ip prefix-list LAN1 seq 10 permit 10.1.0.0/17               (divides the local network)
      ip prefix-list LAN2 seq 10 permit 10.1.128.0/17
      ip prefix-list Private seq 10 permit 10.1.112.0/20 ge 20
      ip prefix-list External1 seq 10 permit 0.0.0.0/1 le 8         (divides external routes)
      ip prefix-list External2 seq 10 permit 128.0.0.0/1 le 16...
  • Page 733

      route-map ISP2In permit 10
        match ip address prefix-list External1
        set local-preference 125
        set comm-list clear delete            (clears community attributes from received routes)
        set community no-export               (prevents the router...)
      route-map ISP2In permit 20
        match ip address prefix-list External2   (sets higher preference for...)
  • Page 734: Configuring Load Sharing

    Configuring Load Sharing
    Load sharing allows the router to select up to six best routes to a destination. Load sharing is important when your router connects to a remote site (or to the Internet) through connections to multiple remote routers.
  • Page 735

    If you select the per-packet option, the router uses multiple routes in a round-robin fashion, assigning each new packet that matches the routes to the route listed after the route last used. Although this option balances traffic more exactly, it is not generally recommended: packets of a single flow take different paths and can arrive out of order, which degrades TCP throughput and real-time traffic.
  • Page 736

    If both connections to the central office provide the same bandwidth, then your router will calculate two routes to the central office that have the same metric. However, without load sharing, the router will only be able to add one of these routes to its routing table, and one of the connections will not be used.
  • Page 737: Configuring Policy-Based Routing

    Configuring Policy-Based Routing
    Policy-based routing (PBR) on the ProCurve Router allows you to implement basic traffic engineering: you can manipulate the path a packet follows based on characteristics of that packet. Routers use PBR to route traffic with the same destination over different paths according to the traffic’s priority, source, or size.
  • Page 738

    For example, a university might allow professors, staff, and administrators to access the Internet directly. However, university policies dictate that traffic from subnets used by students and guests must be processed by the IDS before being forwarded to the Internet.
  • Page 739: Configuring A Route Map For Pbr

    Note: Fast caching will not work in conjunction with PBR. The ProCurve Secure Router maintains a fast cache for each interface. This fast cache stores the most recently used routes. When a packet arrives that can use a route in the fast cache, the router immediately forwards the packet rather than placing it in a queue to await its turn to be processed.
  • Page 740: Selecting Traffic For A Route Map Entry

    You should therefore pay attention to the sequence number that you assign to a route map entry. For example, if you want to use a route map to route a packet and to mark this packet with a QoS value, you should enter the set commands for both these policies in the same route map entry.
  • Page 741: Implementing Pbr According To Source

    If you enter more than one match command in a particular entry (identified by the sequence number), a packet must match the criteria for all of the match commands. If a packet does not match all criteria for the entry, the router attempts to match it to the route map entry with the next sequence number.
  • Page 742

    When you use a standard ACL, the router routes all traffic from a source according to the policy you configure in the route map. You should be certain that the route applies to all traffic. For example, if you are configuring a policy to forward external traffic from certain sources to a device for further processing, you might not want the router to send local traffic to that device.
  • Page 743

    To configure an ACL to route traffic based on its source as well as its destination, complete these steps:
    1. From the global configuration mode, create an extended ACL:
         Syntax: ip access-list extended <listname>
    The routing policy may not apply to traffic destined to certain addresses.
  • Page 744: Implementing Pbr According To Application

    Notes: Enter the deny statement first. ACL statements are evaluated in order and the first match wins, so placing the deny first prevents the router from matching student traffic bound for local destinations to the permit statement before it has a chance to match it to the deny statement.
  • Page 745

    Next, enter the source address and port and then the destination address and port. Use the any keyword for the source and destination addresses if you want to allow all traffic for the application. (Use the any keyword for the source address, but enter a specific destination address, if you want to allow all traffic to a specific server.) Specify the application by entering the destination port after the destination...
  • Page 746: Implementing Pbr According To Traffic Priority

    Implementing PBR According to Traffic Priority
    A packet’s IP header includes a type of service (ToS) field that can be marked with various values to request a certain quality of service (QoS) for that packet. The ToS field can carry either an IP precedence value or a Differentiated Services Code Point (DSCP).
  • Page 747

    Table 13-16. IP Precedence Values
    Value   Priority
    0       routine
    1       priority
    2       immediate
    3       flash
    4       flash-override
    5       critical
    6       internet
    7       network
    If your network uses DiffServ, you can select traffic according to its per-hop behavior (PHB) setting. In networks that support DiffServ, a PHB defines such settings as the bandwidth allocated to traffic and the traffic dropped first when congestion occurs.
  • Page 748

    Table 13-17. Class-Selector PHBs
    DiffServ Value   DSCP (binary)   First 3 bits   IP Precedence
    CS0              000000          000            0
    CS1              001000          001            1
    CS2              010000          010            2
    CS3              011000          011            3
    CS4              100000          100            4
    CS5              101000          101            5
    CS6              110000          110            6
    CS7              111000          111            7
    AF divides traffic into classes, which can be assigned varying drop precedences and amounts of bandwidth.
  • Page 749: Implementing Pbr According To Payload Size

    AF Class               DiffServ Value   Drop Precedence   DSCP (binary)
    ...                    AF33             high              011110
    AF4 (most bandwidth)   AF41             low               100010
                           AF42             medium            100100
                           AF43             high              100110
    You can also select traffic marked for expedited forwarding (DSCP 46), a PHB that is guaranteed low latency and a set amount of bandwidth:
      Syntax: match ip dscp ef
    To select a specific DSCP defined within your network, enter this command:...
  • Page 750: Setting The Routing Policy In A Route Map Entry

    You can enter 0 for the minimum length if you simply want to ensure that the packet does not exceed a specific size. For example, if you knew that packets for interactive traffic in your network were generally smaller than 200 bytes, you could enter this command to select interactive traffic:
      ProCurve(config-route-map)# match length 0 200
  • Page 751

    You can specify multiple next hop addresses or forwarding interfaces in a single command. For example:
      ProCurve(config-route-map)# set ip next-hop 10.1.1.1 10.2.2.1
    The router first attempts to forward a selected packet to the first address or interface specified.
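    The PBR evaluation rules spread across the preceding pages (deny-before-permit in the extended ACL, every match command in an entry having to match, the first matching entry winning, an ordered list of next hops, and a default next hop that applies only when the routing table has no explicit route), as an added worked example that is not part of the HP manual. It runs the university scenario from the chapter against constructed packets; the student subnet 10.1.16.0/20, the campus range 10.1.0.0/16, the two IDS addresses and the "ppp 1" interface name are assumptions made for the example.

```python
"""Added example, not from the HP manual: a small model of how a PBR route map
classifies packets and picks a next hop. It assumes the matching rules the
chapter describes: an extended ACL is evaluated top-down with first match
deciding (no match is a deny), all match commands in one route-map entry must
match, entries are tried in sequence order, 'set ip next-hop' tries its hops
in order and skips ones that are down, and 'set ip default next-hop' is used
only when the routing table has no explicit route to the destination.
Addresses, ports and the IDS next hops are constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp" or "udp"
    dport: Optional[int] = None
    precedence: int = 0        # IP precedence (top 3 bits of ToS)
    length: int = 64           # IP packet length in bytes


@dataclass
class AclEntry:
    permit: bool
    src: str                   # network in CIDR form; "0.0.0.0/0" is 'any'
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.IPv4Address(pkt.src) in ipaddress.IPv4Network(self.src)
                and ipaddress.IPv4Address(pkt.dst) in ipaddress.IPv4Network(self.dst)
                and self.proto in ("ip", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def acl_permits(acl, pkt: Packet) -> bool:
    """Extended ACL: first matching statement decides; no match is a deny.
    A deny placed before a permit exempts that traffic from the policy."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.permit
    return False


@dataclass
class RouteMapEntry:
    seq: int
    acl: Optional[list] = None                 # match ip address <acl>
    precedence: Optional[int] = None           # match ip precedence <n>
    length: Optional[tuple] = None             # match length <min> <max>
    next_hops: tuple = ()                      # set ip next-hop / set interface, in order
    default_next_hop: Optional[str] = None     # set ip default next-hop

    def matches(self, pkt: Packet) -> bool:
        # Every match command in the entry has to match (they are ANDed).
        if self.acl is not None and not acl_permits(self.acl, pkt):
            return False
        if self.precedence is not None and pkt.precedence != self.precedence:
            return False
        if self.length is not None and not (self.length[0] <= pkt.length <= self.length[1]):
            return False
        return True


def policy_route(route_map, pkt: Packet, up, has_explicit_route: bool) -> str:
    """Return the next hop the route map selects, or 'routing-table' when the
    packet falls through to normal destination-based routing. `up` is the set
    of next hops/interfaces currently reachable; `has_explicit_route` says
    whether the routing table holds a specific (non-default) route to pkt.dst."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not entry.matches(pkt):
            continue                      # try the entry with the next sequence number
        for hop in entry.next_hops:       # first reachable hop in the list wins
            if hop in up:
                return hop
        if entry.default_next_hop in up and not has_explicit_route:
            return entry.default_next_hop
        return "routing-table"            # matched, but nothing usable to set
    return "routing-table"


# Constructed addresses: student subnet, campus range, two IDS appliances.
STUDENT_ACL = [
    AclEntry(permit=False, src="10.1.16.0/20", dst="10.1.0.0/16"),   # on-campus traffic stays off the IDS path
    AclEntry(permit=True,  src="10.1.16.0/20", dst="0.0.0.0/0"),
]
CAMPUS_MAP = [
    RouteMapEntry(seq=10, acl=STUDENT_ACL, next_hops=("10.1.200.2", "10.1.200.3")),
    RouteMapEntry(seq=20, precedence=5, default_next_hop="ppp 1"),
]
ALL_UP = frozenset({"10.1.200.2", "10.1.200.3", "ppp 1"})

if __name__ == "__main__":
    print(policy_route(CAMPUS_MAP, Packet("10.1.20.5", "203.0.113.7"), ALL_UP, False))
    print(policy_route(CAMPUS_MAP, Packet("10.1.20.5", "10.1.3.10"), ALL_UP, True))
    print(policy_route(CAMPUS_MAP, Packet("10.1.40.9", "203.0.113.7", precedence=5), ALL_UP, False))
```

    Swapping the two ACL statements is the mistake the Notes on page 744 warn about: with the permit first, student traffic to a campus server would also be steered to the IDS.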
  • Page 752: Configuring Default Routes In A Route Map Entry

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing The routing table for this router shown in Figure 13-31. When a routine packet (IP precedence 0) destined to 192.168.66.12 arrives on the Ethernet interface, the router looks up the entry for network 192.168.64.0 /20 in its routing table and forwards the packet out PPP 2.
  • Page 753: Using A Route Map To Mark Packets With A Qos Value

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing The router would still route this traffic as indicated in the routing table when the table includes an explicit route for the traffic’s destination (for example, a local network). However, when the table does not contain a route to the destination, the router would forward the high-priority traffic according to the default route in the route map entry instead of the default route in the routing table.
  • Page 754 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing The AF PHB divide traffic into four classes, each of which is granted progres- sively more relative bandwidth. Each class is divided into three subclass, the first of which is granted to highest drop priority: routers will drop packets in the first subclass last if the network becomes congested.
  • Page 755: Setting The Don't Fragment Bit

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing Setting the Don’t Fragment Bit Packets may travel over a path that includes routers with varying MTUs. When a router prepares to forward a packet, it checks the packet’s size against the MTU of the link that connects to the next hop router.
  • Page 756: Assigning A Route Map To An Interface

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing Assigning a Route Map to an Interface In order to activate a routing policy, you must associate the route map with an Ethernet or WAN interface. The router matches incoming packets to the route map and, if it finds a match, routes them as indicated in the map.
  • Page 757 IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing In this example, a university uses a ProCurve Secure Router to connect to the Internet. The university wants to provide the many resources of the Internet to both its students and its professors. However, the administration is aware that students, in particular, often pose security risks.
  • Page 758: Routing Traffic To A Caching Server

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing How should the router forward the student traffic? The router must send the student traffic to the university’s IDS. You could configure the IDS appliance’s IP address as the next-hop address, or the interface that connects to the IDS as the forwarding interface, or both.
  • Page 759: Reserving A Connection For Voip And Video Traffic

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing Reserving a Connection for VoIP and Video Traffic You could use PBR to reserve a connection for VoIP and video conferencing traffic, which require low latency. You could also reserve a connection for mission-critical traffic.
  • Page 760: Troubleshooting Routing

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Configure the route map as follows: ProCurve(config)# route-map RealTime 10 ProCurve(config-route-map)# match ip precedence 5 ProCurve(config-route-map)# set interface ppp 1 ProCurve(config-route-map)# set ip dscp ef ProCurve(config-route-map)# set ip df ProCurve(config-route-map)# exit ProCurve(config)# interface eth 0/1 ProCurve(config-eth 0/1)# ip policy route-map RealTime Troubleshooting Routing...
  • Page 761 IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing The screen displays the destinations to which the router can route traffic. (See Figure 13-33.) For each destination, the routing table also records: the method the router used to discover the route •...
  • Page 762 IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Table 13-20. Viewing the Routing Table Portion of the Table Command Syntax directly connected routes show ip route connected statically entered routes show ip route static show ip route bgp show ip route rip OSPF show ip route ospf summary...
  • Page 763: Monitoring Routes

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Monitoring Routes You can monitor the route that packets actually take through the network by using the traceroute command. Enter the command follow by the destination address for the route you want to trace: Syntax: traceroute <A.B.C.D>...
  • Page 764 IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Enter **, which clears all routes, or enter the destination for the specific route you want to remove. The clear command only removes learned routes. To clear a static route, you must enter the no form of the global configuration mode command you used to enter it: Syntax: no ip route <A.B.C.D>...
  • Page 765: Troubleshooting Rip

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Troubleshooting RIP You can scan RIP events to determine the problem by entering the debug commands shown in Table 13-21 on page 13-148. For example, enter: ProCurve# debug ip rip Examine Table 13-22 to learn about the messages associated with particular problems.
  • Page 766: Router's Subnets

    IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing An interface only participates in RIP when the network on which it has its primary address has been added to RIP. You can see which interfaces are running RIP by viewing the running-config. The interface may not participate in RIP if the subnet mask for its address has been entered incorrectly.
  • Page 767: Troubleshooting OSPF
    View the running-config for the interface that connects to the peer that is not receiving routes. If the send version does not match the version implemented by the peer, you must change it: ProCurve(config-ppp 1)# ip rip send version [1 | 2]. If the interface is not transmitting any RIP messages, it may be configured as a passive interface: it listens for updates but does not send them.
  • Page 768 Table 13-23. Viewing OSPF Debug Messages (message: command syntax)
    • all events: debug ip ospf
    • OSPF packets: debug ip ospf packet
    • adjacency events: debug ip ospf adj
    • hello: debug ip ospf hello
    • LSA generation: debug ip ospf lsa-generation
    • SPF generation...
  • Page 769 Table 13-24. Viewing OSPF Information (view: command syntax)
    • router ID, the number of areas configured on the router, and each area's type (normal, stub, or NSSA): show ip ospf
    •...
  • Page 770: Troubleshooting an Internal Router
    • OSPF database: show ip ospf database [external | router | network | summary] (no keyword shows the complete database; the keywords select external, router, network, or summary LSAs)
    • summary of the OSPF database: show ip ospf database database-summary
    • particular entry in an OSPF database:...
  • Page 771 Sample routing table:
    ProCurve# show ip route
    Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
           IA - OSPF inter area, N1 - OSPF NSSA external type 1
           N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
           E2 - OSPF external type 2
    Gateway of last resort is 10.2.2.2 to network 0.0.0.0...
  • Page 772 View the OSPF interfaces (show ip ospf interface) and verify that all interfaces that should be running OSPF are listed. Also make sure that the interfaces are up and active. If an interface that should be running OSPF is not, you have found your problem.
  • Page 773 Sample debug output:
    OSPF: Update LSA: id=192.168.3.1 rtid=192.168.3.1 area=0.0.0.2 type=1
    b09:46:01: Receiving OSPF packet from 10.20.20.1 to 224.0.0.5 on tunnel 1 CurrentTime=5641597.
    Database Description Packet from Router ID:192.168.100.1; Ver:2 Length:32 Area ID:0.0.0.2 Checksum:0x305d; Using Null Authentication:0:0 Neighbor's MTU MTU:1472 Options:0x0 Sequence Number:104111321 Router is the Master;...
  • Page 774: Troubleshooting an ABR
    If the router has established full adjacency with its neighbors but still lacks routes to destinations in the area, other routers may be the source of the problem. Troubleshoot these routers as you would a router not sending the correct routes.
  • Page 775 Other problems with an ABR include:
    • not sending route summaries to the areas that need them
    • misrouting inter-area traffic
    An ABR That Does Not Send Route Summaries. The area that is not receiving summaries may be defined as a total stub area.
  • Page 776: Troubleshooting BGP
    However, different areas often use subnets from the same classful network, and the range should apply only to the one area. You must then calculate exactly which network bits the range of subnets have in common. For example, if area 1 includes subnets 172.16.0.0 /20 and 172.16.16.0 /20, and area 2 includes 172.16.32.0 /20 and 172.16.48.0 /20, the IP address range for area 1 is not 172.16.0.0 /16...
  • Page 777 Table 13-25. Viewing BGP Debug Messages (message: command syntax)
    • updates (new routes, withdrawn routes): debug ip bgp updates
    • events, such as a change in the neighbor's status: debug ip bgp events
    • all BGP messages except keepalives: debug ip bgp [in | out]...
  • Page 778 (view: command syntax)
    • BGP neighbors (neighbor IP address, neighbor ID, remote AS, settings for BGP intervals, connection status, number of messages:...): show ip bgp neighbors
  • Page 779 Note: Typically, you should use soft resets because hard resets can disrupt the network. A hard reset terminates the TCP connection to the neighbor, causing all routes to flap. If you enter only the identifier for the neighbor (*, AS number, or IP address), the router performs a hard reset.
  • Page 780 Clear the neighbor with a soft reset and see if the router begins to receive routes. If it does, you have confirmed that the filter is the problem. Reconfigure the prefix list or route map, keeping in mind that the router processes entries in order by sequence number and stops as soon as it finds a match.
  • Page 781 Table 13-27. Checking BGP Configurations (configuration: how to view your setting)
    • local AS: show ip bgp [summary]
    • local router ID: show ip bgp [summary]
    • local router IP address: show ip bgp neighbor
    • neighbor router ID: show ip bgp neighbor
    • neighbor IP address...
  • Page 782 Sample output:
    ProCurve# show ip bgp neighbor
    BGP neighbor is 10.1.1.1, remote AS 1, external link
    Configured hold time is 180, keepalive interval is 60 seconds
    Default minimum time between advertisement runs is 30 seconds
    Connections established 1;...
  • Page 783 Sample output:
    ProCurveSR7102dl# show ip bgp neighbor 10.1.1.1 routes
    BGP local router ID is 192.168.140.1, local AS is 1.
    Status codes: * valid, > best, i - internal, o - local
    Origin codes: i - IGP, e - EGP, ? - incomplete
    Network NextHop Metric LocPrf Path...
  • Page 784: Troubleshooting a Prefix List
    If you want a router to advertise routes it receives from one BGP neighbor to another, you must configure the AS it should add to the AS path. You configure this setting from the configuration mode context of the BGP neighbor from which the router receives the route.
  • Page 785: Troubleshooting a Route Map
    Keep these tips in mind as you search a prefix list for misconfigurations:
    • If a statement does not include a range of prefixes, then a route must match the statement exactly in order to be selected.
    • Make sure that the prefix length is correct.
  • Page 786: Other Common BGP Problems
    When examining the route map for misconfigurations, keep these tips in mind:
    • If you want to apply attributes to routes filtered by an inbound route map, you must enter the set command for the attributes in the same route map entry in which you enter the match command to select permitted routes.
  • Page 787: Monitoring and Troubleshooting PBR
    The BGP neighbor defines different policies for the community, or the BGP neighbor does not accept community attributes in customer routes. You should consult with your ISP about what communities it supports. You may also have problems with the local policy that you have configured for communities on your router.
  • Page 788 Sample output, with the figure's callouts given in parentheses:
    Router# show route-map
    route-map PBR, permit, sequence 10
      Match clauses:                                  (criteria for selecting traffic)
        length 150 200
      Set clauses:
        ip next-hop 10.10.10.254
      BGP Filtering matches: 0 packets, 0 bytes
      Policy routing matches: 4 packets, 600 bytes    (number of matches by this map entry)...
  • Page 789 You can also select a source address for ping so that you can simulate the traffic for source-based PBR. If the ping is not successful, look for misconfigurations in the set clauses. Verify that the specified interfaces are up and that the router's routing table includes a route to the next-hop address.
  • Page 790: Quick Start
    This section provides the commands you must enter to quickly configure:
    • RIP
    • OSPF: internal router, ABR, ASBR
    • BGP
    • PBR
    You can use more than one routing protocol. When the router learns identical routes through different routing protocols, it uses the administrative distances shown in Table 13-28 to choose between them.
  • Page 791: RIP Routing
    Move to the global configuration mode context and access the RIP configuration mode context: ProCurve(config)# router rip. Specify the RIP version. Syntax: version [1 | 2]. Advertise local subnets; interfaces on these subnets will send and receive RIP updates.
  • Page 792: Configuring an Internal Router
    [Figure: example OSPF network with Area 0, an internal router, an ASBR attached to an external network, stub area 1, and total stub area 2 with a second internal router. Networks labelled: 10.1.2.0 /24, 10.2.1.0 /24, 10.2.2.0 /24, 10.3.1.0 /24, 10.3.2.0 /24 (Network 1, Network 2, Network 4); router addresses: 192.168.252.4, 192.168.253.3, 192.168.254.2, 192.168.255.1.]
  • Page 793: Configuring an ABR
    Specify the network and area of each interface that should run OSPF. Syntax: network <network A.B.C.D> <wildcard bits> area <area ID>. For example: ProCurve(config-ospf)# network 10.2.0.0 0.0.255.255 area 1. Specify that this area is a stub area. Syntax: area <area ID>...
  • Page 794: Configuring an ASBR
    If the ABR will be sending summary LSAs, define the address ranges for these summaries. Select which routes the ABR should advertise and which it should not. Syntax: area <area ID> range <network A.B.C.D> <subnet mask> [advertise | not-advertise]. If you do not select an option for advertising, the router advertises the summary automatically.
  • Page 795: Configuring BGP
    Force the router to advertise a default route for external routes. Syntax: default-information-originate [always] [metric <value>] [metric-type <type>]. If the router does not have its own default route, use the always option. Specifying a metric or metric type is optional.
  • Page 796: Configuring PBR
    Configure a BGP neighbor. Syntax: neighbor <neighbor A.B.C.D>. Specify the neighbor's IP address as its ID. For example: ProCurve(config-bgp)# neighbor 1.1.1.1. Specify the remote AS. Syntax: remote-as <remote AS>. If so desired, specify a loopback interface as the update source, which can add stability to the BGP session.
  • Page 797 If the router will be routing traffic according to source and destination IP address or application data, you must create an extended ACL. Create the ACL. Syntax: ip access-list extended <listname>...
  • Page 798 To route traffic based on DiffServ value, enter this command: Syntax: match ip dscp [af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | <0-63>]. You can select default traffic (no DiffServ value set);...
  • Page 799 Apply the route map to LAN interfaces to enable PBR for traffic outbound to the WAN. (This is the typical application.) You can also apply route maps to any logical interface. Move to the Ethernet or logical interface configuration mode context and enter this command: Syntax: ip policy route-map <mapname>...
  • Page 801: Contents
    Using the Web Browser Interface for Advanced Configuration Tasks
    Contents: Configuring Access to the Web Browser Interface ... 14-4; Enabling Access to the Web Browser Interface ... 14-4; Managing AutoSynch™, Files, Firmware, and Boot Software...
  • Page 802 Configuring Policies to Control Management Access to the ProCurve Secure Router ... 14-39; Customizing Your Policies...
  • Page 803 Setting Up Generic Routing Encapsulation (GRE) Tunnels ... 14-104; Multicast ... 14-108; Configuring LLDP...
  • Page 804: Configuring Access to the Web Browser Interface
    You can use the Web browser interface to configure interfaces on your router. To access the Web browser interface, you must first use the command line interface (CLI) to enable the HTTP server on the ProCurve Secure Router and to configure a username and password for HTTP access. Plain HTTP sends that username and password unencrypted, so where management traffic crosses a network you do not trust, enable the HTTPS server as well (see "Enabling IP Services on the Router") and connect over HTTPS.
  • Page 805: Managing AutoSynch™, Files, Firmware, and Boot Software
    In the Utilities section of the Web browser interface, you can do basic file management tasks, manage AutoSynch™, and set the router's firmware and boot software.
  • Page 806 Note: AutoSynch™ is a feature that allows the router to maintain exact, up-to-date copies of the Secure Router OS (SROS) software and startup-config files on the router's internal flash and a mounted compact flash card.
  • Page 807: Configuration
    The AutoSynch Status window displays AutoSynch™ messages, such as the current synchronization status of the SROS file (SROS.BIZ) and startup-config file and any AutoSynch™ error messages. For a list of AutoSynch™ error messages and troubleshooting methods, see "AutoSynch™...
  • Page 808 To set the secondary startup-config file, select the desired configuration file from the corresponding pull-down menu. To save these changes, click Apply. Note: If AutoSynch™...
  • Page 809 Figure 14-4. Download Config. After you have downloaded the configuration file onto your PC, you can open and edit it in a text editor program such as Notepad. Upload Config.
  • Page 810: Firmware
    In the Delete Config File section, select the file that you want to delete from the Delete Config pull-down menu. This menu displays all the files on flash and cflash that do not have a .biz extension.
  • Page 811 Figure 14-7. Set Primary/Backup Firmware. This window also shows the current memory statistics for the internal flash and cflash drives. The flash memory statistics are displayed as bytes used / total memory, and the drive space free.
  • Page 812 Figure 14-8. Upload Firmware. To upload the file from your PC or terminal to the router, click the Browse button next to the Select Firmware File: box. Note: All firmware files have a .biz extension.
  • Page 813: Reboot Unit
    Figure 14-9. Delete Firmware. Select the file that you want to delete from the Delete Firmware pull-down menu, which lists all files in the router's memory that have a .biz extension. Click the Delete button.
  • Page 814: Telnet to Unit
    Click the Save and Reboot button to save a copy of the current configuration to a startup-config file. If you are running AutoSynch™, a copy is saved to both internal flash and compact flash.
  • Page 815: Enabling IP Services on the Router
    The session software displays the CLI in the basic mode context. To enter the enable mode context, enter enable. When the router prompts you for the enable mode password, enter the password you configured. From this Telnet session, you can configure the router using the CLI. Because Telnet carries the enable password in cleartext, open this session only from a trusted management network.
  • Page 816 Figure 14-11. Enabling and Disabling IP Services. To enable the router as an SNMP server, click the box. To enable the router as an FTP server, click the box. To enable the router as a TFTP server, click the box. Enable only the services you actually use: FTP and TFTP transfer files (and, for FTP, credentials) unencrypted, so prefer the Secure Copy server for transfers that must cross an untrusted network.
  • Page 817: Web Access Configuration
    To change the port for the HTTPS server, enter the desired port number in the box. The default is 443. To enable the router's Secure Copy server, click the box.
  • Page 818: Increasing Bandwidth
    Link-aggregation protocols allow a router to bundle multiple carrier lines into a single logical connection to a peer. Link aggregation allows you to increase the bandwidth on your router without purchasing an expensive T3 or E3 line. The ProCurve Secure Router supports:
    • Multilink Point-to-Point Protocol (MLPPP)
    • Multilink Frame Relay (MLFR)
  • Page 819 10. Click the name of the interface for the second physical carrier line to move to its Configuration window. If necessary, configure the interface as described in "Configuring E1 and T1 Interfaces" on page 14-39 of the Basic Management and Configuration Guide.
  • Page 820: Configuring MLFR
    In the left navigation bar, select Physical Interfaces. Choose the interface for the first physical carrier line. You will move to the physical interface's Configuration window. If you have not already done so, configure the interface as described in "Configuring E1 and T1 Interfaces"...
  • Page 821: Backup Modules
    The ProCurve Secure Router supports Basic Rate Interface (BRI) Integrated Services Digital Network (ISDN) and analog backup. You must purchase and install a backup module to activate backup. You must then configure backup settings from the CLI.
  • Page 822: Configuring the ProCurve Secure Router OS Firewall
    Table 14-1. Packets Automatically Dropped by the Secure Router OS Firewall (packet: associated attack)
    • larger than the IP maximum (65,535 bytes): ping of death
    • fragmented packets with errors when •...
  • Page 823: Enabling Attack Checking
    Unlike a true circuit-level gateway, the Secure Router OS firewall does not establish a proxy session to the untrusted host on behalf of the trusted host, which saves processor power.
  • Page 824: Enabling ALGs
    Figure 14-14. Configuring General Firewall Settings. After you enable the firewall, the ProCurve Secure Router automatically guards against all attacks shown in Table 14-1, "Packets Automatically Dropped by the Secure Router OS Firewall", as well as against SYN floods.
  • Page 825: Configuring Session Timeouts
    The default port for the SIP ALG is UDP 5060. If you so desire, you can add protocol ports to the ALG. Enter the number of the UDP port in the Port field of the Add SIP ALG Port section.
  • Page 826: Using the Firewall Wizard
    Figure 14-16. Configuring Individual TCP and UDP Timeouts. You can also set different timeouts for specific TCP and UDP protocols. These settings override the global, default setting. In the General Firewall window, move to the Add/Modify/Delete IP Policy Timeout window.
  • Page 827 Note: The firewall wizard overwrites policies applied to both the private and public interface. You should therefore use the firewall wizard before configuring other security policies.
  • Page 828 If your private network includes a server that Internet users need to access, specify it in the Port Forwarding window. Select the server type from the list under Yes.
  • Page 829 Figure 14-19. Viewing Settings Established by the Firewall Wizard. 10. Review the NAT settings in the Confirm Settings window. All hosts that connect through the Private Interface will use the address on the public interface.
  • Page 830: Configuring Access Control from the Web Browser Interface
    If you use the Web browser interface to configure access controls on router interfaces, you must first enable the Secure Router OS firewall. In the left navigation bar, select Firewall >...
  • Page 831 Click the Rename button next to the Security Zone that you want to edit. The Configure Security Zone Name window is displayed. Figure 14-21. Configure Security Zone Name Window. Enter a name for the security zone and click Apply.
  • Page 832 Figure 14-23. Add New Policy to Security Zone Window. From this window, you can: • filter, or block, traffic (see "Filtering, or Blocking, Traffic" on page 14-33) •...
  • Page 833: Filtering, or Blocking, Traffic
    To block certain traffic from entering an interface, use the pull-down menu to select Filter for the Policy Type in the Add New Policy window. Click Continue.
  • Page 834: Allowing Traffic
    In the Protocol pull-down menu, select a protocol from the choices offered (for example, ICMP) or select Specify. If you select Specify, enter the number for the protocol in the field to the left.
  • Page 835 Figure 14-25. Permitting Traffic to Enter an Interface. 13. Enter a policy descriptor, which will be displayed when you view the running-config. For example, you may want to use the policy descriptor to document how the ACP is going to be used.
  • Page 836: Configuring NAT
    15. For Source IP Address/Mask, select any or enter a specific IP address or a specific subnet. 16. Select a Destination IP Address/Mask. Again, you can select any or enter a specific IP address or a specific subnet.
  • Page 837: Configuring One-to-One NAT
    Figure 14-26. Configuring Many-to-One NAT. 20. Enter a policy descriptor, which will be displayed when you view the running-config. 21. Configure which hosts you want to share the public IP address: all or a specific subnet.
  • Page 838 Figure 14-27. Configuring One-to-One NAT. 25. Enter a policy descriptor, which will be displayed when you view the running-config. 26. For Public IP Address, use the pull-down menu to select Any or one of the interfaces configured on the router.
  • Page 839: Configuring Policies to Control Management Access to the Router
    29. To further define the traffic that will be translated to the private IP address, select one of the following: – Forward only traffic specified below –...
  • Page 840: Customizing Your Policies
    Figure 14-28. Policies for Controlling Management Access to the Router. 32. For Public Address, select Any or specify a subnet. This setting determines the source address, that is, the hosts that you want to be able to access the router.
  • Page 841 35. Use the pull-down menu to select Advanced for the Policy Type in the Add New Policy window. Click Continue. The Add New Policy to Security Zone window is displayed.
  • Page 842 38. If you select NAT as the Policy Action, the NAT options are enabled. • Select Source with Overloading to configure many-to-one NAT. •...
  • Page 843: Changing the Order of Policies
    47. If you select UDP or TCP as the protocol, you can select a destination port. 48. Click Apply. Changing the Order of Policies: the policies you create for a security zone are listed and processed in the order shown on the Configure Policies for Security Zone window.
  • Page 844: Configuring Quality of Service
    Your ProCurve Secure Router may route several types of traffic:
    • data, which can tolerate high latency and bursts, as well as being fragmented and reconstructed
    • real-time traffic, such as Voice over IP (VoIP), and interactive traffic, such as Telnet, which require low latency and low jitter...
  • Page 845: Configuring WFQ
    You can configure WFQ, LLQ, and packet marking in the Web browser interface. Currently, you must configure CBWFQ in the CLI. The QoS Wizard will help you set up a QoS policy for VoIP traffic. Note: Because the QoS Wizard writes over any QoS map entries already applied to the interface that you select to carry VoIP traffic, you should always use the...
  • Page 846 Figure 14-32. Configuring WFQ on an Interface. To configure WFQ for ATM connections, follow these steps: Depending on the type of encapsulation you are using for your ADSL connection, the ATM subinterface may or may not have an IP address.
  • Page 847: Configuring QoS for VoIP with the QoS Wizard
    Figure 14-33. Configuring WFQ on an ATM Subinterface. If so desired, you can set how many packets the interface allows in each conversational subqueue. Enter a value between 16 and 512 in the Fair-Queue Threshold field.
  • Page 848 Select QoS Wizard under Router/Bridge in the left navigation bar. You will move to the wizard's Welcome window. Click Next. In the Select WAN Interface window, select the interface used to carry VoIP traffic from the WAN interface pull-down menu.
  • Page 849 Select Precedence. Enter the IP precedence value used by your application or accept the default value 5 (for critical priority). Figure 14-35. Defining VoIP Traffic. The router can also match traffic from a certain IP address or network.
  • Page 850 Figure 14-36. Specifying the Maximum Bandwidth Guaranteed to a Queue. The documentation for your VoIP application may instruct you how to determine the necessary bandwidth. You can also see Chapter 7: Setting Up Quality of Service for some general guidelines.
  • Page 851 Table 14-2. Assured-Forwarding PHB (AF class, drop precedence: DSCP bits, DiffServ value)
    • AF1, low: 001010 (10); AF1, medium: 001100 (12); AF1, high: 001110 (14)
    • AF2, low: 010010 (18); AF2, medium: 010100 (20); AF2, high: 010110 (22)
    • AF3, low: 011010 (26); AF3, medium: 011100 (28); AF3, high: 011110 (30)
    • AF4, low: 100010 (34); AF4, medium: 100100 (36); AF4, high: 100110 (38)
  • Page 852 Review your settings in the Confirm window. Use the Back button to reconfigure any incorrect settings. You can also click the name of a window in the left navigation bar. For example, you can select RTP Traffic to change how the router selects traffic for the queue.
  • Page 853: Configuring LLQ
    To enable LLQ in the Web browser interface, first configure a QoS map with an entry for each low latency queue. The entry defines the criteria for traffic and sets the maximum bandwidth guaranteed to such traffic.
  • Page 854 Using the Web Browser Interface for Advanced Configuration Tasks Configuring Quality of Service N o t e Remember that if you want to establish the queue to an interface for which you have already configure a map using the QoS wizard, you must enter the name of that map.
  • Page 855 Using the Web Browser Interface for Advanced Configuration Tasks Configuring Quality of Service To place bridged packets in a queue, select Bridged. NetBIOS Extended User Interface (NetBEUI) allows hosts to communicate within the LAN. To place only NetBEUI bridged packets in the queue, select NetBEUI.
  • Page 856: Configuring Packet Marking

    Using the Web Browser Interface for Advanced Configuration Tasks Configuring Quality of Service Return to the QoS Map window. The Apply a QoS-policy to an Interface window lists the name of all logical interfaces active on the router. The display includes an Ethernet interface only if you have configured rate limiting for it.
  • Page 857 Using the Web Browser Interface for Advanced Configuration Tasks Configuring Quality of Service Figure 14-42. Marking Packets with a ToS Value Move to the Packet Marking window. Enter the value with which the router should mark packets: Select DSCP to enter a DiffServ value between 0 and 63. b.
  • Page 858: Configuring Frame Relay Fragmentation And Rate Limiting

    Using the Web Browser Interface for Advanced Configuration Tasks Configuring Quality of Service Return to the QoS Map window. The Apply a QoS-policy to an Interface window lists the name of all logical interfaces active on the router. The display includes an Ethernet interface only if you have configured rate limiting for it.
  • Page 859: Setting Up Virtual Private Networks

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks committed burst rate at which the interface can transmit data. In other words, the BC plus the BE equals the total maximum bandwidth available on the rate limited PVC. Click Apply.
  • Page 860: Vpn Wizard

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks You can also use advanced options to alter security parameters according to your organization’s policies. To access the VPN wizard, select VPN Wizard under VPN in the left navigation bar.
  • Page 861: Public Interface

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Public Interface The wizard will first prompt you for the local router’s public interface, or the interface through which you connect to the VPN peer. Typically, this is the WAN interface that connects to the Internet.
  • Page 862: Mobile Vpn Peer Settings (Client-To-Site Vpn Only)

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Note: You cannot initiate IKE with a dynamic peer. You can only respond to the peer’s request to open a VPN tunnel. For this reason, at least one of the routers in the VPN connection must have a static address.
  • Page 863: Extended Authentication (Client-To-Site Vpn Only)

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks You can optionally configure IP addresses for up to two DNS servers and up to two WINS servers. These servers will resolve hostnames to IP addresses for the clients.
  • Page 864: Remote Network

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-47. Enabling Xauth Select the database you wish to use from the pull-down menu. If you do not want to use Xauth, leave the pull-down menu at the Disable Xauth option. Remote Network If you are configuring a site-to-site VPN, then you must specify the remote networks that are part of the VPN.
  • Page 865: Authentication Type

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-48. Specifying the Local VPN Network If you need to allow a range of subnets access to the VPN, some of which are not directly connected to the router, you should leave the Use Network from pull-down menu at <Specified>.
  • Page 866: Remote Id

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-49. Configuring the Authentication Method Remote ID By default, the VPN wizard identifies the peer by its domain name. It fills in the Remote ID Value field with the name you gave to the VPN peer. If you did not enter this name, you should now change the entry in this field to the remote device’s domain name.
  • Page 867: Ike Settings (Custom Setup Only)

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Select one of these options from the Local ID Type pull-down menu. By default, the VPN wizard uses Domain Name as the Local ID Type and the hostname configured on the local router as the Local ID Value.
  • Page 868 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks You can also alter the security parameters IKE proposes for the IKE SA, including: hash algorithm, encryption algorithm, Diffie-Hellman key group, and IKE SA lifetime. Select the desired setting from the pull-down menu for each parameter. Table 14-3 displays settings available for these parameters.
  • Page 869: Ipsec Settings (Custom Setup Only)

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-51. Establishing Security Parameters for the IPSec SA IPSec Settings (Custom Setup Only) In this window, you can alter the settings IKE proposes for the IKE SA, including: PFS Diffie-Hellman group—If you specify a perfect forward secrecy (PFS) group, IKE uses the Diffie-Hellman protocol to generate entirely new keys...
  • Page 870: Confirm Settings

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Table 14-4. Settings for IPSec Security Parameters Parameter Setting hash and encryption algorithms • AH—one hash algorithm: – MD5 – SHA • ESP—one encryption algorithm or any combination of one encryption and one hash algorithm: Encryption algorithms: –...
  • Page 871 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-52. Reviewing VPN Settings Review the information and ensure that it matches your network topology. Also verify that the default security settings are adequate to enforce your organization's security policies.
  • Page 872: Vpn Peers

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks VPN Peers The VPN Peers window allows you to add new VPN connections. You can also alter IKE and IPSec SA parameters. The window should display when you close the VPN wizard.
  • Page 873 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-53. Adding VPN Peers The interface then takes you to a new window with several windows that guide you through the process of adding the site. Often you will want to use the same security settings for each connection.
  • Page 874 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-54. Configuring a Second VPN Site Site-to-Site Configuration. Complete the following steps: In the Step 1 of 4: VPN Peer Configuration for “<VPN mapname>” window, enter the new peer’s domain name (or another name indicative of the connection).
  • Page 875 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-55. Configuring IKE for a VPN Connection Now move to the IKE Configuration section of the VPN Peer Configuration for “<VPN mapname>” window. If you have selected Static Addressed, the wizard will display a section for the Peer IP Address.
  • Page 876 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks If you have based the policy on a pre-existing policy and you want to use the same security settings and allow the same local networks, you can move to step 11.
  • Page 877 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks If you based the policy on a previous policy, the window already includes the local network(s) for that policy. If necessary, delete it. 11. Enter the IP address and subnet mask for the remote network in the Step 4 of 4: Destination Networks Allowed to Connect Using “<VPN mapname>”...
  • Page 878 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks The interface adds the new network, but also keeps the first. If you do not want to include this network, you must delete it by clicking the Delete button to the right of the entry for the remote network.
  • Page 879 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Caution: Take care when altering default security settings. Security parameters for both the IKE and the IPSec SA must match those proposed by the peer. Move to the Step 3 of 5: Remote IDs Allowed to Connect to “<VPN mapname>”...
  • Page 880 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-59. Configuring the Remote ID for Mobile Peers When your VPN uses digital certificates for authentication, you can select Distinguished Name. You must enter the fields exactly as they are in the certificate.
  • Page 881 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-60. Assigning IP Addresses to Remote VPN Users Note: You specify the first and the last address in a range when configuring addresses for remote users from this window.
  • Page 882 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-61. Specifying the Local and Remote Networks for a Client-to-Site VPN 10. A new window displays, in which you can configure the VPN connection to include the network containing addresses for the remote client. Leave the Filter type at the default, permit, and the protocol at the default, any.
  • Page 883: Configuring Advanced Vpn Parameters

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks 11. If you have based this connection on a previous one, you may need to delete a VPN selector. For example, the policy may permit traffic between two remote sites, but you only want to use this policy for mobile users.
  • Page 884 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-62. Adding or Modifying an IKE Policy The IKE Policy “<policynumber>” window displays. If you have created a new IKE policy, make certain to configure a different peer for the policy.
  • Page 885 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-63. Configuring Advanced IKE Options You can modify security parameters in the Add/Modify/Delete IKE Attributes for Priority ID <policynumber> window. These parameters include: • encryption/hash algorithm •...
  • Page 886: Configuring Ipsec Sa Parameters

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Table 14-5. Settings for IKE Security Parameters Parameter Settings encryption algorithm • DES • 3DES • AES (128-bit) • AES (192-bit) • AES (256-bit) hash algorithm •...
  • Page 887 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks You should be in the Advanced VPN Policies window. Scroll to the Add/Modify/Delete IPSec Policies window. You have several choices: You can modify an existing policy. You should select this option if you simply want to change the security parameters for a VPN connection.
  • Page 888 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Table 14-6. Settings for IPSec Security Parameters Parameter Setting hash and encryption algorithms • AH—one hash algorithm: – MD5 – SHA • ESP—one encryption algorithm or any combination of one encryption and one hash algorithm: Encryption algorithms:...
  • Page 889: Enabling Xauth

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Enabling Xauth Xauth allows IKE to request authentication information from remote users in between establishing the IKE SA and the IPSec SA. (This authentication information is different from the authentication method configured for IKE phase 1;...
  • Page 890: Adding Remote Ids

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks If IKE will refer to a RADIUS server for VPN peers’ passwords, you must configure the router to communicate with this server. See “Configuring Authentication Using a RADIUS Server” on page 14-28 of the Basic Management and Configuration Guide.
  • Page 891 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-67. Configuring the Remote ID List Select VPN Peers under VPN in the left navigation bar. Move to the Advanced VPN Policies window and click the Advanced VPN Policies button.
  • Page 892 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-68. Adding a Remote ID The field below is altered according to the ID type that you select. You enter the peer’s identification information in this field. For example, in figure 14-68 the Remote ID Type is Domain Name, so the field becomes the Domain Name field.
  • Page 893: Obtaining Certificates

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks You can check the Allow Xauth box for increased security with client-to- site VPN connections. See “Enabling Xauth” on page 14-89. You can associate the remote ID with the IKE and IPSec policies you have configured for this peer.
  • Page 894 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks To obtain these certificates: Select the Certificates option under VPNs in the left navigation bar. In the Add/Modify Certificate Authority Profiles window, click Add New CA Profile. Figure 14-69.
  • Page 895: Obtaining Certificates Manually

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Note: If necessary, you can change from manual to automatic enrollment, or vice versa, during the process of obtaining the certificates. Move to the Step 1 of 4: Configure an Existing Certificate Authority (CA) Profile window.
  • Page 896 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks You can manually paste in the CA certificate. Choose the Paste circle. Obtain the CA certificate in PEM format from your CA server. Copy the certificate and paste it into the field below. Click Upload CA Certificate.
  • Page 897 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Figure 14-73. Generating a Self Certificate Request b. Fill in information about the router in the Subject Name Information and Lightweight Directory Access Protocol (LDAP) Information sections: Complete at least one of the fields in the Subject Name Information section.
  • Page 898 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Click Generate Request. Figure 14-74. Obtaining the Self Certificate Manually The window is renamed Step 3 of 4: Enter or Upload a Self Certificate. Copy the certificate request that displays in the Self Certificate Request - Base64 Encoded section.
  • Page 899 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks In the Web browser interface, return to the Step 3 of 4: Enter or Upload a Self Certificate window. Move to the Load Self Certificate - Base64 Encoded section and load the certificate into the system: You can manually paste in a PEM format certificate.
  • Page 900: Obtaining Certificates Automatically

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Obtaining Certificates Automatically If you selected Automatic Entry (SCEP), complete these steps: When you select automatic enrollment using SCEP, you must specify the URL for your CA server. In the Step 2 of 4: Automated CA Certificate Download (SCEP) window, enter your CA server’s fully-qualified domain name in the URL field.
  • Page 901 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks When the Secure Router OS succeeds in obtaining the certificate, it renames the window Step 2 of 4: CA Certificate Uploaded. The window now displays information about the CA certificate including its serial number, the issuer’s subject name, and the dates it is valid.
  • Page 902 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Complete the Set SCEP Parameters section to allow the router to submit the request and obtain the self certificate automatically: The URL field should display the CA server’s fully-qualified domain name.
  • Page 903 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Virtual Private Networks Fill in information about the router in the Subject Name Information and Lightweight Directory Access Protocol (LDAP) Information sections: Complete at least one of the fields in the Subject Name Information section.
  • Page 904: Setting Up Generic Routing Encapsulation (Gre) Tunnels

    Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Generic Routing Encapsulation (GRE) Tunnels b. Return to the CA Profiles window in the Web browser interface. Move to the Step 4 of 4 (optional): Enter/Upload a Certificate Revocation List window.
  • Page 905 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Generic Routing Encapsulation (GRE) Tunnels To understand the difference between the tunnel’s IP address, its source, and its destination, you should understand how GRE encapsulates traffic. When the router forwards a packet out a GRE tunnel, it first adds a GRE header, which can encapsulate all protocols that Ethernet can encapsulate.
  • Page 906 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Generic Routing Encapsulation (GRE) Tunnels Enter the tunnel’s source address in the Tunnel Source section. The tunnel’s source is the endpoint that the peer knows how to reach, often the router’s public IP address.
  • Page 907 Using the Web Browser Interface for Advanced Configuration Tasks Setting Up Generic Routing Encapsulation (GRE) Tunnels You can configure a key, which guards against unauthorized packets accessing the tunnel. (However, this key is not as secure as those, for example, established using IPSec.) Check the box to the left of the Tunnel Key Value field and enter the same key that is configured for the remote tunnel endpoint.
  • Page 908: Configuring Lldp

    Using the Web Browser Interface for Advanced Configuration Tasks Multicast Multicast Many videoconferencing and other streaming applications send multicast messages. Multicasting allows multiple hosts to receive messages without broadcasting the message to an entire network or set of networks. Routers can run Internet Group Management Protocol (IGMP) to keep track of which hosts should receive which multicasts.
  • Page 909: Setting Lldp Timers

    Using the Web Browser Interface for Advanced Configuration Tasks Configuring LLDP Setting LLDP Timers LLDP can be a chatty protocol. You can increase LLDP intervals to minimize overhead. An LLDP header includes a TTL field that tells neighboring devices how long to store the information in the message.
  • Page 910: Enabling And Disabling Lldp On An Interface

    Using the Web Browser Interface for Advanced Configuration Tasks Configuring LLDP Click Apply. Clicking the Reset button returns settings to those established the last time you clicked Apply. The Reset button does not return settings to the factory defaults. Enabling and Disabling LLDP on an Interface By default, all Ethernet and WAN interfaces send and receive all types of LLDP messages.
  • Page 911: Viewing Lldp Neighbors

    Using the Web Browser Interface for Advanced Configuration Tasks Configuring LLDP By default, all interfaces can both transmit and receive LLDP messages: To restrict an interface from participating in LLDP, deselect the Tx/Rx box by its name. b. To allow an interface to receive messages but not send them, select the Rx box by its name.
  • Page 912 Using the Web Browser Interface for Advanced Configuration Tasks Configuring LLDP The Unit Access feature is particularly useful. You can access the device’s management interface to configure it or to address any issues you noticed from its LLDP information. To initiate a Web session with the device, click Browse. To initiate a Telnet session, click Telnet.
  • Page 913: Routing

    Using the Web Browser Interface for Advanced Configuration Tasks Routing Routing The ProCurve Secure Router stores routes in a route table, which it uses to route traffic from one network to another. Each route includes: destination IP address and subnet mask; administrative distance (the reliability of the route); metric (the cost of reaching the destination); next hop address or forwarding interface...
  • Page 914 Using the Web Browser Interface for Advanced Configuration Tasks Routing Figure 14-87. Configuring RIP In the RIP Configuration window, select Version 1 or Version 2 from the RIP Version pull-down menu. Figure 14-88. Selecting the RIP Version Click Apply.
  • Page 915 Using the Web Browser Interface for Advanced Configuration Tasks Routing Specify the networks that should participate in RIP in the Add a Network to be Advertised by RIP window. Enter the network address in the IP Network fields and the subnet mask in the Subnet Mask fields. (Note that you enter a subnet mask rather than wildcard bits.) The router will advertise routes to the specified networks.
  • Page 916: Configuring Ospf

    Using the Web Browser Interface for Advanced Configuration Tasks Routing Configuring OSPF OSPF is a link-state routing protocol. Rather than advertising actual routes, routers advertise links—connections to other routers and connections to networks. A router uses the link-state advertisements (LSAs) that it receives to compile an OSPF database.
  • Page 917: Specifying Ospf Networks

    Using the Web Browser Interface for Advanced Configuration Tasks Routing You may not need to divide a simple network into areas. In this case, you should place all subnets in area 0. See Chapter 13: IP Routing—Configuring RIP, OSPF, BGP, and PBR for more information on designing areas. Your main task when using the Web interface to configure OSPF is to specify OSPF networks.
  • Page 918 Using the Web Browser Interface for Advanced Configuration Tasks Routing Complete these steps to advertise and enable OSPF on a network: Access the OSPF screen. Move to the second window, Add a Network to be Advertised by OSPF. Specify a network: If your LAN uses OSPF, enter the network address and subnet mask for the network on which your router has its Ethernet interface.
  • Page 919: Redistributing Routes Into Ospf

    Using the Web Browser Interface for Advanced Configuration Tasks Routing Redistributing Routes into OSPF Your ProCurve Secure Router’s route table may include routes discovered in several different ways. For example, you may have manually added a static route to the table. A WAN interface may have discovered routes from an external network that uses a different routing protocol, such as RIP.
  • Page 920: Generating A Default Route (Asbr)

    Using the Web Browser Interface for Advanced Configuration Tasks Routing If so desired, check the Redistribute Static box to enable the router to advertise routes manually added to its route table. Check the Redistribute RIP box to redistribute routes discovered by RIP into the OSPF protocol.
  • Page 921: Advertising Summary Routes (Asbr)

    Using the Web Browser Interface for Advanced Configuration Tasks Routing N o t e Your router must have a default route in its route table in order to advertise it. OSPF also allows an ASBR to generate a default route, but you must configure this option in the CLI.
  • Page 922: Configuring Global Ospf Parameters

    Using the Web Browser Interface for Advanced Configuration Tasks Routing Configuring Global OSPF Parameters For advanced OSPF configuration, you can configure global OSPF settings: metric for redistributed routes, reference bandwidth, and global timers. Complete these steps to configure any or all of these parameters: Move to the main OSPF windows.
  • Page 923 Using the Web Browser Interface for Advanced Configuration Tasks Routing If your network uses very high speed connections, you may need to change the reference bandwidth. The router uses the reference bandwidth to calculate the cost for all connections on the router. It computes the connection’s cost by comparing its bandwidth to the reference bandwidth.
  • Page 924: Configuring Ospf Parameters For Individual Interfaces

    Using the Web Browser Interface for Advanced Configuration Tasks Routing Configuring OSPF Parameters for Individual Interfaces Advanced OSPF configuration also allows you to: enable authentication (you must set the key in the CLI); set the cost for a link; set OSPF timers for individual interfaces. Complete these steps: Move to the main OSPF windows.
  • Page 925 Using the Web Browser Interface for Advanced Configuration Tasks Routing Figure 14-94. Setting OSPF Parameters for Individual Interfaces By default, the ProCurve Secure Router determines whether an interface is on a point-to-point or multi-access network by its duplex setting. This setting can be important because OSPF provides special options for multi-access subnets.
  • Page 926: Viewing Ospf Information

    Using the Web Browser Interface for Advanced Configuration Tasks Routing Table 14-8. Interface OSPF Intervals (columns: Interval, Meaning, Default, Range) hello: the time between sending hellos; default 10 seconds; range 1 to 65,535 seconds. dead: the time to wait for a hello before determining a link is down; default 40 seconds; range 1 to 65,535 seconds...
  • Page 927 Using the Web Browser Interface for Advanced Configuration Tasks Routing The router’s OSPF link state database displays the networks and routers for which the local router has received a link state advertisement (LSA). Type 1 links are the links to routers and networks in the local area (or, if this router is an ABR, areas).
  • Page 928 Using the Web Browser Interface for Advanced Configuration Tasks Routing ...
  • Page 929: Contents

    Appendix A: Example Configuration Contents Overview ............A-2 Needs Assessment .
  • Page 930: Overview

    Appendix A: Example Configuration Overview Overview This appendix describes a hypothetical company that needs a WAN to connect branch offices to each other and to the main office. In addition to providing the configuration files for each router, this appendix gives step-by-step instructions for configuring the WAN for this company.
  • Page 931 Appendix A: Example Configuration Overview Before determining the type of WAN connections to purchase, ProCurve Retail determines which offices need to exchange data, the type of data that must be transmitted, the volume of data, and the frequency of transmissions. The company also factors in other requirements such as security and the location of each office.
  • Page 932 Appendix A: Example Configuration Overview (table columns: Office, Requirements, Solution, Router) Office: Prague. Requirements: • Constantly exchange data with main office, which is located in Germany. • Find cost-effective, secure solution. Solution: • Frame Relay over E1-carrier line • two-port E1 module •... Router: ProCurve Secure Router 7102dl
  • Page 933 Appendix A: Example Configuration Overview To set up this WAN, ProCurve Retail requires a WAN router at each office: The Berlin office needs a ProCurve Secure Router 7203dl with a two-port E1 module, an ADSL Annex B module, and an octal E1 module. This router also needs a backup module that is placed over the ADSL module, and an IPSec VPN module.
  • Page 934: Configuring The Physical And Data Link Layers

    Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configuring the Physical and Data Link Layers This example does not include the steps for setting up a console session with the router and accessing the Secure Router OS. You should be familiar with these processes before reviewing this example.
  • Page 935 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure and activate the Ethernet connections to the LANs. (For more information about how to configure Ethernet connections, including instructions for designating connections to VLANs, see the Basic Management and Configuration Guide, Chapter 3: Configuring Ethernet Interfaces.) To configure the two Ethernet connections, enter: Berlin(config)# interface ethernet 0/1...
  • Page 936 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure and activate the E1 interfaces for the connections to the Dublin and Prague branch offices: Berlin(config)# interface e1 1/2 Berlin(config-e1 1/2)# tdm-group 1 timeslots 1-31 Berlin(config-e1 1/2)# no shutdown Berlin(config-e1 1/2)# interface e1 3/1 Berlin(config-e1 3/1)# tdm-group 1 timeslots 1-31 Berlin(config-e1 3/1)# no shutdown...
  • Page 937 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure the ADSL interface for the connection between Berlin and Mannheim. Berlin(config)# interface adsl 2/1 Berlin(config-adsl 2/1)# training-mode multi-mode Berlin(config-adsl 2/1)# snr-margin 6 Berlin(config-adsl 2/1)# no shutdown Berlin(config-adsl 2/1)# retrain Configure the Data Link Layer protocols for the ADSL connection.
  • Page 938: Mannheim

    Appendix A: Example Configuration Configuring the Physical and Data Link Layers The isdn switch-type command is not entered because the service provider for the backup line uses Euro-ISDN, which is the default setting. b. Configure a backup PPP interface to initiate and maintain the backup connection.
  • Page 939 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure and activate the two Ethernet interfaces. Mannheim(config)# interface ethernet 0/1 Mannheim(config-eth 0/1)# ip address 192.168.128.1 /24 Mannheim(config-eth 0/1)# no shutdown Mannheim(config-eth 0/1)# interface ethernet 0/2 Mannheim(config-eth 0/2)# ip address 192.168.129.1 /24 Mannheim(config-eth 0/2)# no shutdown Configure the connection to the ISP.
  • Page 940 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Create and configure the ATM subinterface. Mannheim(config-atm 1)# interface atm 1.1 Mannheim(config-atm 1.1)# pvc 3/35 Mannheim(config-atm 1.1)# encapsulation aal5snap Mannheim(config-atm 1.1)# atm routed-bridged ip Mannheim(config-atm 1.1)# description Connection to Berlin Mannheim(config-atm 1.1)# no shutdown d.
  • Page 941 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure a backup dial list for the Data Link Layer interface of the ADSL connection. Berlin(config-ppp 3)# interface ppp 2 Berlin(config-ppp 2)# backup number 496211111111 digital-64k 1 2 ppp 3 Berlin(config-ppp 2)# exit d.
  • Page 942 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Note: You can add 1 to the wildcard bits for the source address to select traffic from both LANs at Mannheim in the same command. That is, 192.168.128.0 0.0.1.255 matches both 192.168.128.0 /24 and 192.168.129.0 /24.
  • Page 943: Dublin

    Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure and activate the BRI ISDN interfaces. Mannheim(config-isdn-group 2)# interface bri 1/1 Mannheim(config-bri 1/1)# isdn ldn1 496215551212 Mannheim(config-bri 1/1)# no shutdown Mannheim(config-bri 1/1)# interface bri 1/2 Mannheim(config-bri 1/2)# isdn ldn1 496215551222 Mannheim(config-bri 1/2)# no shutdown Mannheim(config-bri 1/2)# exit Configure a static route to the Dublin network.
  • Page 944 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Bind the E1 interface to the PPP interface. Dublin(config-ppp 1)# bind 1 e1 1/1 1 ppp 1 Dublin(config-ppp 1)# exit N o t e Before connecting to the ISP, administrators activate the Secure Router OS firewall to protect the private network.
  • Page 945: Prague

    Appendix A: Example Configuration Configuring the Physical and Data Link Layers Create and configure the demand interface. Dublin(config)# interface demand 1 Dublin(config-demand 1)# ip address 10.2.3.2 /30 Dublin(config-demand 1)# match-interesting list Demand1 Dublin(config-demand 1)# description Connection to Mannheim Dublin(config-demand 1)# resource pool Pool1 Dublin(config-demand 1)# connect-sequence 10 dial-string 00496215551212 forced-isdn-64k busyout-threshold 4 Configure the ISDN group to bridge the bri interface with the demand...
  • Page 946 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Configure the connection to the ISP. Configure the E1 interface. Prague(config-eth 0/1)# interface e1 1/1 Prague(config-e1 1/1)# tdm-group 1 timeslots 1-31 Prague(config-e1 1/1)# no shutdown b. Configure the PPP interface. Prague(config-e1 1/1)# interface ppp 1 Prague(config-ppp 1)# ip address 10.40.1.1 /30 Prague(config-ppp 1)# description Connection to ISP...
  • Page 947 Appendix A: Example Configuration Configuring the Physical and Data Link Layers Create and configure an ACL for the demand interface. This ACL selects traffic from the Prague LAN with a destination to either of Mannheim’s LANs. Prague(config)# ip access-list extended Demand1 Prague(config-ext-nacl)# permit ip 192.168.224.0 0.0.0.255 192.168.128.0 0.0.0.255 Prague(config-ext-nacl)# permit ip 192.168.224.0 0.0.0.255 192.168.129.0 0.0.0.255 Prague(config-ext-nacl)# exit...
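The wildcard note on page 942 and the Prague ACL above both depend on how inverse masks are evaluated. The following is an added example, not Secure Router OS code: it parses "permit ip SRC WC DST WC" entries, applies the implicit deny, and computes the single-entry wildcard that covers a set of networks together with any networks that entry would also match. The two ACL texts are constructed from the entries shown on the page; 192.168.224.0 /24 is the Prague LAN as given above.

```python
"""Offline evaluator for extended ACLs with inverse (wildcard) masks.
Added example; not code from the router or the manual."""
import ipaddress

# Constructed from the Prague ACL shown on the page (one entry per Mannheim LAN).
PRAGUE_ACL = """\
permit ip 192.168.224.0 0.0.0.255 192.168.128.0 0.0.0.255
permit ip 192.168.224.0 0.0.0.255 192.168.129.0 0.0.0.255
"""
# Single-entry form from the note: one extra wildcard bit in the third octet.
MERGED_ACL = "permit ip 192.168.224.0 0.0.0.255 192.168.128.0 0.0.1.255\n"


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard is 'don't care'; every 0 bit must equal base."""
    care = 0xFFFFFFFF ^ _i(wildcard)
    return (_i(addr) & care) == (_i(base) & care)


def parse_acl(text):
    """Keep only 'permit|deny ip SRC SRC_WC DST DST_WC' lines."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 6 and p[0] in ("permit", "deny") and p[1] == "ip":
            entries.append(tuple(p))
    return entries


def acl_action(entries, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, _, s, swc, d, dwc in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


def equivalent_on(acl_a, acl_b, src, dsts):
    """True if both ACLs give the same decision for every (src, dst) sample."""
    return all(acl_action(acl_a, src, d) == acl_action(acl_b, src, d) for d in dsts)


def covering_wildcard(networks):
    """Return (base, wildcard, extra) for the one entry that matches all the
    given networks (same prefix length). 'extra' lists networks the merged
    entry ALSO matches but that were not requested: non-empty means the
    shortcut over-permits and should not be used."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    plen = nets[0].prefixlen
    assert all(n.prefixlen == plen for n in nets), "mixed prefix lengths"
    ints = [int(n.network_address) for n in nets]
    host_bits = 0xFFFFFFFF >> plen
    diff = 0
    for a in ints:
        diff |= a ^ ints[0]          # network bits that differ between the inputs
    wildcard = diff | host_bits
    base = ints[0] & ~wildcard & 0xFFFFFFFF
    net_bits = [b for b in range(32 - plen, 32) if (wildcard >> b) & 1]
    matched = set()
    for combo in range(1 << len(net_bits)):   # every value the wildcard bits can take
        a = base
        for k, b in enumerate(net_bits):
            if (combo >> k) & 1:
                a |= 1 << b
        matched.add(a)
    extra = sorted(str(ipaddress.IPv4Network((a, plen))) for a in matched - set(ints))
    return (str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard)), extra)


if __name__ == "__main__":
    print(covering_wildcard(["192.168.128.0/24", "192.168.129.0/24"]))
    print(covering_wildcard(["192.168.129.0/24", "192.168.130.0/24"]))
```

The merge is exact for 192.168.128.0 and 192.168.129.0 because they differ in exactly one bit; for 192.168.129.0 and 192.168.130.0 the smallest covering entry (0.0.3.255) also admits 192.168.128.0 and 192.168.131.0, so the two-line ACL is the safe choice there.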
  • Page 948: Configuring Ip Routing

    Appendix A: Example Configuration Configuring IP Routing Configuring IP Routing The WAN in this example uses OSPF routing. The HQ at Berlin is the network backbone, or area 0. Each remote site is a stub area. Mannheim is area 2; Dublin, area 3;...
  • Page 949: Berlin

    Appendix A: Example Configuration Configuring IP Routing [Figure 15-3. ProCurve Retail OSPF Network: Berlin is area 0, the network backbone; Mannheim is stub area 2, Dublin is stub area 3 and Prague is stub area 4; the Dublin and Prague links are FR/E1.] Berlin The ProCurve Secure Router at this central site is the area border router (ABR).
  • Page 950 Appendix A: Example Configuration Configuring IP Routing The Berlin router connects to the Mannheim router through a PPPoE session. In this example, this connection is on the ADSL service provider’s network, which includes intervening routers that do not run OSPF. The Berlin and Mannheim routers must establish a tunnel so that they can send each other multicasts, including the multicasts for OSPF updates.
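To make the tunnel requirement concrete, here is an added example (not Secure Router OS code) that builds a multicast OSPF packet from the Berlin tunnel address, wraps it in GRE, and unwraps it again. Only the outer header, addressed unicast to Mannheim's 10.1.2.200 as in the running configuration, is visible to the provider's routers; the 224.0.0.5 destination that they would not forward sits inside. The Berlin tunnel source address 10.1.2.100, the tunnel interface address 192.168.191.1 used as router ID, and the placeholder OSPF header are assumptions or constructed data.

```python
"""GRE encapsulation of a multicast OSPF packet. Added example; not code
from the router or the manual."""
import struct
import ipaddress

GRE_PROTO = 47          # IP protocol number for GRE
OSPF_PROTO = 89         # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800
ALL_SPF_ROUTERS = "224.0.0.5"


def ip_checksum(data):
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def gre_encapsulate(tunnel_src, tunnel_dst, inner):
    """Wrap an IPv4 packet in plain GRE (no checksum, key or sequence number)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet):
    """Check the outer header and return (outer_dst, inner_dst, inner_proto)."""
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError("not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:   # C, K or S bit, or non-IPv4 payload
        raise ValueError("unsupported GRE options")
    inner = packet[ihl + 4:]
    return (str(ipaddress.IPv4Address(packet[16:20])),
            str(ipaddress.IPv4Address(inner[16:20])),
            inner[9])


def is_multicast(addr):
    return ipaddress.IPv4Address(addr).is_multicast


def ospf_hello_over_gre(tunnel_src="10.1.2.100", tunnel_dst="10.1.2.200",
                        router_ip="192.168.191.1"):
    """Constructed packet: a 24-byte OSPFv2 header (type 1 hello, zero area,
    no authentication, no hello body) sent to all SPF routers with TTL 1, then
    GRE-wrapped between the assumed tunnel endpoints."""
    ospf = struct.pack("!BBHII", 2, 1, 24, int(ipaddress.IPv4Address(router_ip)), 0)
    ospf += b"\x00" * 12                      # checksum, autype, authentication
    inner = ipv4_header(router_ip, ALL_SPF_ROUTERS, OSPF_PROTO, len(ospf), ttl=1)
    return gre_encapsulate(tunnel_src, tunnel_dst, inner + ospf)


if __name__ == "__main__":
    print(gre_decapsulate(ospf_hello_over_gre()))
```

Because the outer header is plain GRE, anything on the path can read and alter the inner routing updates; the page's running configurations keep this tunnel outside the IPsec crypto map, so OSPF authentication on the tunnel interface is the obvious extra control to consider.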
  • Page 951: Mannheim

    Appendix A: Example Configuration Configuring IP Routing Because only the Berlin area contains a wide range of networks, the administrators configure a summary for that area alone. Berlin(config-ospf)# area 0 range 192.168.0.0 255.255.128.0 To routers in other areas, the Berlin router advertises a single summary route for area 0 that covers the variable-length subnets in the 192.168.0.0 /17 range.
  • Page 952 Appendix A: Example Configuration Configuring IP Routing As discussed for the Berlin router, the Mannheim router must tunnel the multicast routing updates to the Berlin router. To configure the routing protocols on the Mannheim router, you must com- plete these steps. Configure the loopback address for the router’s OSPF ID.
  • Page 953: Dublin

    Appendix A: Example Configuration Configuring IP Routing Configure a floating static route to the Berlin network through the backup interface. This route must have a higher administrative distance than the OSPF-learned route so that it is installed only if the primary connection fails. Mannheim(config)# ip route 192.168.0.0 /17 ppp 3 120 Save the configuration.
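The distance of 120 on the static route only works because route selection runs longest prefix first and then lowest administrative distance. The following is an added example, not Secure Router OS code, that models the Mannheim routing table: the OSPF distance of 110 and the static default of 1 are the usual platform defaults and are assumed here; the OSPF route to 192.168.0.0 /17 over tunnel 1 is what Mannheim would learn from Berlin's area 0 summary.

```python
"""Administrative-distance route selection for the floating static route.
Added example; not code from the router or the manual."""
import ipaddress


class Rib:
    def __init__(self):
        self.routes = []          # (network, distance, via, source)

    def add(self, prefix, distance, via, source):
        self.routes.append((ipaddress.IPv4Network(prefix), distance, via, source))

    def withdraw(self, source):
        """Drop every route learned from one source, e.g. OSPF after the adjacency drops."""
        self.routes = [r for r in self.routes if r[3] != source]

    def lookup(self, dst):
        """Longest prefix wins; among equal prefixes the lowest distance wins."""
        addr = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if addr in r[0]]
        if not cands:
            return None
        net, dist, via, src = max(cands, key=lambda r: (r[0].prefixlen, -r[1]))
        return via


def mannheim_rib(static_distance=120, ospf_up=True):
    """Build Mannheim's table from the addresses shown on the page."""
    rib = Rib()
    rib.add("192.168.128.0/24", 0, "eth 0/1", "connected")
    rib.add("192.168.129.0/24", 0, "eth 0/2", "connected")
    if ospf_up:
        # Berlin's area 0 summary as learned over the GRE tunnel (assumed distance 110).
        rib.add("192.168.0.0/17", 110, "tunnel 1", "ospf")
    # The floating static route from the page: ip route 192.168.0.0 /17 ppp 3 120
    rib.add("192.168.0.0/17", static_distance, "ppp 3", "static")
    return rib


def path_to_berlin(static_distance=120, ospf_up=True, host="192.168.1.10"):
    """Interface Mannheim would use for a Berlin LAN host under the given conditions."""
    return mannheim_rib(static_distance, ospf_up).lookup(host)


if __name__ == "__main__":
    print("primary up:  ", path_to_berlin())
    print("primary down:", path_to_berlin(ospf_up=False))
    print("distance 1:  ", path_to_berlin(static_distance=1))
```

With the default static distance of 1 the backup route would beat OSPF even while the ADSL link is up, which on a dial-on-demand BRI means the ISDN call stays up permanently; the explicit 120 is what keeps the backup idle until it is needed.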
  • Page 954: Prague

    Appendix A: Example Configuration Configuring IP Routing Configure area 3 as a stub area. Dublin(config-ospf)# area 3 stub Save the configuration. Dublin(config-ospf)# do write memory Prague The ProCurve Secure Router at Prague must fulfill the same tasks as the router at Dublin.
  • Page 955: Configuring A Client-To-Site Virtual Private Network (Vpn)

    Appendix A: Example Configuration Configuring a Client-to-Site Virtual Private Network (VPN) Configuring a Client-to-Site Virtual Private Network (VPN) Some employees at the Berlin office need to access the private network when they are away from the office. For example, they may need to check their email or download a file stored on a private network server.
  • Page 956 Appendix A: Example Configuration Configuring a Client-to-Site Virtual Private Network (VPN) These are the steps to configure the Berlin router as a gateway device for the client-to-site VPN: Enable crypto commands. (The optional IPSec VPN module must be installed in the router’s rear panel.) Berlin(config)# ip crypto Configure an IKE mode config pool.
  • Page 957 Appendix A: Example Configuration Configuring a Client-to-Site Virtual Private Network (VPN) Define security proposals in an IKE attribute policy. These are the settings that the remote users’ VPN clients must match for IKE phase 1, the negotiation of the IKE SA. The security settings on the Berlin router are configured as follows (3DES is now a legacy cipher; prefer AES where both ends support it): Berlin(config-ike)# attribute 1 Berlin(config-ike-attribute)# encryption 3des...
  • Page 958: Configuring Multicast Support

    Appendix A: Example Configuration Configuring Multicast Support Configuring Multicast Support Occasionally, the company prepares video presentations, which a server multicasts to employees at the central Berlin office and branch offices. Video conferences between employees at the different offices also rely on multicast servers.
  • Page 959: Mannheim

    Appendix A: Example Configuration Configuring Multicast Support Complete these steps to configure PIM-SM on the Berlin router: Enable PIM-SM on the router’s LAN and WAN interfaces. For the connec- tion to Mannheim, enable PIM-SM on the tunnel interface. Berlin(config)# interface eth 0/1 Berlin(config-eth 0/1)# ip pim sparse-mode Berlin(config-eth 0/1)# interface eth 0/2 Berlin(config-eth 0/2)# ip pim sparse-mode...
  • Page 960: Dublin And Prague

    Appendix A: Example Configuration Configuring Multicast Support Access the PIM-SM configuration mode context and enter the Berlin router’s loopback IP address for the RP. Mannheim(config)# router pim-sparse Mannheim(config-pim-sparse)# rp-address 192.168.127.1 Mannheim(config-pim-sparse)# exit Save your configurations. Mannheim(config)# do write memory Dublin and Prague The same configuration enables the Dublin and Prague ProCurve Secure Routers to receive multicasts for hosts at the local site that need such traffic.
  • Page 961: Running Configurations

    Appendix A: Example Configuration Running Configurations Running Configurations This section includes the running-config file for each router in this example. The configuration has been edited to include only the configurations relevant to the example. Berlin hostname “Berlin” ip routing ip firewall aaa on tacacs-server host 192.168.1.23 key password aaa authentication login xauth group tacacs+...
  • Page 962 Appendix A: Example Configuration Running Configurations crypto map VPN 10 ipsec-ike match address VPNTraffic set transform-set MyTrans ike-policy 1 interface loop 1 ip address 192.168.127.1 255.255.255.0 no shutdown interface eth 0/1 ip address 192.168.1.1 255.255.255.0 ip pim sparse-mode no shutdown interface eth 0/2 ip address 192.168.2.1 255.255.255.0 ip pim sparse-mode...
  • Page 963 Appendix A: Example Configuration Running Configurations no shutdown pvc 0/33 description Connection to Mannheim atm routed-bridged ip no ip address interface bri 2/2 isdn ldn1 496211111111 no shutdown interface fr 1 point-to-point frame-relay lmi-type ansi frame-relay multilink no shutdown bind 1 e1 1/1 frame-relay 1 bind 2 e1 1/2 1 frame-relay 1 interface fr 1.1 point-to-point frame-relay interface-dlci 103...
  • Page 964 Appendix A: Example Configuration Running Configurations ppp authentication chap username Mannheim password branch ppp chap hostname ProCurveSR7203dl ppp chap password hq no shutdown interface tunnel 1 ip address 192.168.191.1 255.255.255.0 ip pim sparse-mode tunnel mode gre tunnel source ppp 2 tunnel destination 10.1.2.200 no shutdown router ospf...
  • Page 965: Mannheim

    Appendix A: Example Configuration Running Configurations Mannheim hostname “Mannheim” ip routing ip firewall interface loop 1 ip address 192.168.135.2 255.255.255.0 no shutdown interface eth 0/1 ip address 192.168.128.1 255.255.255.0 ip pim sparse-mode no shutdown interface eth 0/2 ip address 192.168.129.1 255.255.255.0 ip pim sparse-mode no shutdown interface e1 3/1...
  • Page 966 Appendix A: Example Configuration Running Configurations interface bri 1/1 isdn ldn1 496215551212 no shutdown interface bri 1/2 isdn ldn1 496215551222 no shutdown interface ppp 1 description Connection to ISP ip address 10.20.1.1 255.255.255.252 no shutdown bind 1 e1 3/1 1 ppp 1 interface ppp 2 ip address 10.1.2.200 255.255.255.0 ip pim sparse-mode...
  • Page 967 Appendix A: Example Configuration Running Configurations connect-sequence 10 dial-string 4202551214 forced-isdn-64k busyout-threshold 3 connect-sequence 20 dial-string 4202551224 forced-isdn-64k busyout-threshold 3 connect-sequence interface-recovery retry-interval 120 max-retries 0 description Connection to Prague ip address 10.2.4.1 255.255.255.252 no shutdown interface tunnel 1 ip address 192.168.191.2 255.255.255.0 ip pim sparse-mode tunnel mode gre tunnel source ppp 2...
  • Page 968: Dublin

    Appendix A: Example Configuration Running Configurations ip route 192.168.0.0 255.255.128.0 ppp 3 120 ip route 192.168.192.0 255.255.255.0 demand 1 ip route 192.168.224.0 255.255.255.0 demand 2 Dublin hostname “Dublin” ip routing ip firewall interface loop 1 ip address 192.168.193.3 255.255.255.0 no shutdown interface eth 0/1 ip address 192.168.192.1 255.255.255.0 ip pim sparse-mode...
  • Page 969 Appendix A: Example Configuration Running Configurations interface fr 1.1 point-to-point frame-relay interface-dlci 101 description Connection to Berlin ip address 10.1.3.2 255.255.255.252 ip pim sparse-mode interface ppp 1 description Connection to ISP ip address 10.30.1.1 255.255.255.252 no shutdown bind 1 e1 1/1 1 ppp 1 interface demand 1 resource pool Pool1 match-interesting list Demand1 out...
  • Page 970: Prague

    Appendix A: Example Configuration Running Configurations Prague hostname “Prague” ip routing ip firewall interface loop 1 ip address 192.168.255.4 255.255.255.0 no shutdown interface eth 0/1 ip address 192.168.224.1 255.255.255.0 ip pim sparse-mode no shutdown interface e1 1/1 clock source internal tdm-group 1 timeslots 1-31 speed 64 no shutdown interface e1 1/2...
  • Page 971 Appendix A: Example Configuration Running Configurations interface ppp 1 description Connection to ISP ip address 10.40.1.1 255.255.255.252 no shutdown bind 1 e1 1/1 1 ppp 1 interface demand 1 resource pool Pool1 match-interesting list Demand1 out match-interesting reverse list Demand1 in connect-sequence 10 dial-string 496215551222 forced-isdn-64k busyout-threshold 0 connect-sequence interface-recovery retry-interval 120 max-retries 0 description Connection to Mannheim...
  • Page 973 Master Index B = Basic Management and Configuration Guide ABM … B:6-39 access control A = Advanced Management and Configuration Guide AAA subsystem … B:2-14 ACLs and ACPs … A:5-4 Numerics management access to router … B:2-4 access policy sessions 100Base-T cable …...
  • Page 974 for VPN traffic viewing … A:5-49 applying to crypto map … A:8-38, A:8-45 active sessions … A:5-52 configuring … A:8-35 for NAT … A:6-16 matching an outgoing packet … A:8-22 statistics … A:5-53, A:6-18 restricting traffic … A:8-36 administrative distance troubleshooting …...
  • Page 975 ADSL module ATM interface ADSL2+ Annex A … B:7-11 activating … B:7-17 ADSL2+ Annex B … B:7-11 binding to ADSL interface … B:7-27 supported standards … B:7-11 configuring through Web browser AF … A:7-22 interface … B:14-63 DiffServ values … A:7-22 creating …...
  • Page 976 AutoSynch™ … B:1-34 local AS … B:13-73 configuring with Web browser interface … B:14-5, advertising external traffic … B:13-170 A:14-5 viewing … B:13-167 enabling … B:1-60, A:1-19 messages … B:13-68 troubleshooting … B:1-70 multihoming … B:13-67, B:13-82 troubleshooting … B:13-172 neighbor …...
  • Page 977 multiple carrier lines to Frame Relay LDN for BRI S/T module … B:8-43 interface … A:2-10 line maintenance … B:8-75 multiple carrier lines to PPP interface … A:2-6 See also BRI backup interface physical interface to Frame Relay signaling (switch) type … B:8-41 interface …...
  • Page 978 UTP ribbon … B:7-12 CIDR V.35 … B:5-9 DHCP pool … B:13-8, B:13-9 X.21 … B:5-10 IP address for ATM subinterface … B:7-21 call IP address for Frame Relay subinterface … B:6-29 ISDN, setup process … B:8-12 IP address for HDLC interface … B:6-42 caller ID IP address for PPP interface …...
  • Page 979 commands console basic mode … B:1-39 configuring password through Web browser clear commands … B:1-39, B:1-44 interface … B:14-23 clear event-history … A:4-25 establishing a terminal session with … A:1-9 clock … B:1-45 file transfer with … B:1-76 configure … B:1-46 password for …...
  • Page 980 default route configuring … B:11-17 D channel receiving from a DHCP server … B:13-24 ISDN … B:8-4 with dynamic routing … B:11-18 LAPD transmitted over … B:8-10 with OSPF … B:13-35, B:13-51 D4 frame format … B:4-16 demand interface data communications equipment … B:6-21 ACL for interesting traffic …...
  • Page 981 primary ISDN modules … B:8-16 default gateway … B:13-9 configuration steps … B:8-18 example configuration … B:13-14 connection instructions … B:8-30 lease time … B:13-10 example … B:8-53 multiple … B:13-8 initiating … B:8-26 network address … B:13-8 ISDN groups … B:8-44 parent …...
  • Page 982 Digital Subscriber Line DSX-1 module See DSL physical connection … B:9-13 Discard Eligible Bit … B:6-35 supported standards … B:9-3 DLCI … B:6-22 G.703 interface assigning to Frame Relay subinterface … B:6-28 assigning channels to E1 interface … B:9-5 DNS … B:12-8 setting clock source on E1 interface …...
  • Page 983 duplex setting E1-carrier line for Ethernet interface … B:3-10 2.048 Mbps bandwidth … B:4-3 dynamic DNS … B:12-15, B:13-25 32 channels … B:4-12 activating the client … B:12-16, B:12-17 analog voice on … B:4-3 configuration tasks … B:12-16 elements of … B:4-3 overview …...
  • Page 984 manually defining key for … A:8-67, A:8-68 specifying algorithm for … A:8-41, A:8-65 fair queuing with NAT-T … A:8-32 See WFQ without encryption … A:8-42 fast caching … B:11-12, B:11-22, A:7-10 et-clock setting … B:5-13 disabled … B:11-23 Ethernet frame disabled with PBR …...
  • Page 985 IP header … A:7-6, A:7-19, A:7-22, A:7-34 Frame Relay fragmentation … A:7-12, A:7-34, A:7-51, RTP compression … A:7-34 A:7-54 LAPD … B:8-10 configuring … A:7-64 LLDP … A:12-3 fragment size … A:7-54 MLFR packet header size … A:7-34 flag … A:7-34 Frame Relay interface header …...
  • Page 986 FTP server tunneling … A:9-5 enabling through the Web browser advantages and disadvantages of … A:9-3 interface … B:14-15, A:14-15 multicasts … A:9-9 full-duplex routing updates … A:9-8 Ethernet interface settings … B:3-11 VPN overlay … A:8-13 G.703 interface H.323 … A:7-35, A:7-58, A:7-62 accessing …...
  • Page 987 hostname report … A:10-6 adding to local table … B:12-9 show commands … A:10-20 definition … B:12-3 troubleshooting … A:10-19 interface … B:12-16, B:13-24 upstream interface … A:10-12, A:10-15 LLDP message, in … A:12-4 version … A:10-7, A:10-13, A:10-21 preventing LLDP advertisement of … A:12-13 setting router hostname …...
  • Page 988 IKE policy T, for ISDN … B:8-8, A:3-9 compatibility with peer … A:8-80 T1 … B:4-10, B:9-14 configuring … A:8-23, A:8-24 DSX-1 … B:9-16 default … A:8-26 tunnel … A:9-4, A:9-13 example configuration … A:8-29, A:8-30 filtering traffic … A:9-11 for multiple peers …...
  • Page 989 VPN peer’s, specifying … A:8-24 security parameters WFQ … A:7-11, A:7-14 compatibility with peer … A:8-82 IP precedence … A:7-5, A:7-6, A:7-7, A:7-37 configuring … A:8-40 CBWFQ value … A:7-7, A:7-21 configuring in crypto map … A:8-44, A:8-45 LLQ priority … A:7-7 configuring in transform set …...
  • Page 990 timers setting … A:12-14 viewing … A:12-11 definition of … A:8-6 LLQ … A:7-6, A:7-11, A:7-31 manually specifying for VPN tunnel … A:8-68 bandwidth guarantee … A:7-41, A:7-42 bridged traffic … A:7-40 CBWFQ … A:7-20, A:7-30 IP header value … A:7-38 RTP …...
  • Page 991 logical interface configuring … A:2-3 ATM … B:7-17 configuring with Web browser interface … A:14-18 demand interface … B:8-23, A:3-20 enabling … A:2-6 for persistent backup connection … A:3-54 example of, with demand routing … B:8-52 Frame Relay … B:6-19 for demand interface …...
  • Page 992 routing table, in … B:11-9 tunnel keys … A:9-14 named list multicast routing table accounting … B:2-25 (*, G) entry … A:11-7, A:11-8, A:11-49 authentication … B:2-18 (S, G) entry … A:11-8, A:11-11, A:11-13, A:11-49 authorization … B:2-23 flags … A:11-49, A:11-50, A:11-52 RP-bit …...
  • Page 993 LSA … B:13-30, B:13-34 intervals for … B:13-58 types … B:13-33, B:13-34, B:13-35 debug commands for … B:7-49 multicast routing, with … A:11-28 settings … B:7-26 network backbone or area 0 … B:13-33, B:13-43 office channel unit overview … B:13-29 carrier line …...
  • Page 994 Password Authentication Protocol join/prunes … A:11-18, A:11-19, A:11-61 See PAP periodic … A:11-24, A:11-38 triggered … A:11-22, A:11-23 monitoring … A:11-48, A:11-54, A:11-55, A:11-56, with NAT … A:6-3 A:11-61 PBR … B:13-123 multi-access networks, special considerations applying route map to router traffic … B:13-142 with …...
  • Page 995 port translation … A:6-14 PPPoA … B:7-11 port-mapping table … A:6-3 binding ATM subinterface to PPP POTS interface … B:7-38 and ADSL … B:7-9 configuring … B:7-37 power source, redundant … B:1-29 IP address … B:7-37 PPP interface for … B:7-37 authentication for demand interface …...
  • Page 996 match command … A:7-70 dscp … A:7-45, A:7-61 Q.931 … B:8-11 ip rtp … A:7-38, A:7-47, A:7-61 list … A:7-40, A:7-46, A:7-63, A:7-70 CBWFQ … A:7-11, A:7-18 precedence … A:7-45 configuration wizard … A:14-47 protocol bridge … A:7-25, A:7-41, A:7-48, configuring with Web browser interface …...
  • Page 997 reload command … A:5-37 deleting communities from … B:13-103 reload in command … B:1-72 entry in … B:13-87 rendezvous point filtering inbound routes … B:13-100 See RP filtering routes repeater … B:5-6 AS path … B:13-93 carrier line … B:4-6 community …...
  • Page 998 OSPF … B:13-157 SAPI … B:8-10 viewing … B:11-23, B:11-24, B:13-146, B:13-147 saving changes … B:1-56 with routing protocols … B:13-7 SCEP … A:8-56, A:8-57 routing, dynamic routing secure copy server See RIP, OSPF, and BGP enabling … B:2-13 RP … A:11-3, A:11-6 secure router operating system RP set …...
  • Page 999 troubleshooting … B:5-17 LLDP neighbors … A:12-6, A:12-7 problem with line going down … B:5-21 LLDP neighbors, real time … A:12-7 solutions to problems … B:5-19 LLDP timers … A:12-11 txclock, inverting … B:5-13 logical interfaces … B:6-53 viewing configuration of … B:5-16 persistent backup …...
  • Page 1000 for E1 interfaces … B:4-11 for Ethernet interfaces … B:3-3 configuring password through Web browser for serial interface … B:5-12 interface … B:14-19, B:14-24 for T1 interfaces … B:4-11 lines … B:2-12 smart jack … B:4-5 local user list … B:2-10 for ISDN …...

This manual is also suitable for:

ProCurve Secure Router 7102dl
