HP MSR SERIES Configuration Manual

HP MSR Router Series
Web-Based
Configuration Guide(V5)
Part number: 5998-8174
Software version: CMW520-R2513
Document version: 6PW106-20150808

Summary of Contents for HP MSR SERIES

  • Page 1 HP MSR Router Series Web-Based Configuration Guide(V5) Part number: 5998-8174 Software version: CMW520-R2513 Document version: 6PW106-20150808...
  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents: Web overview (1); Logging in to the Web interface (1); Logging out of the Web interface (2); Introduction to the Web interface (2); User level (4); Introduction to the Web-based NM functions (4); ...
  • Page 4 Configuration guidelines (61); Wireless configuration overview (62); Overview (62); Configuration task list (62); Configuring wireless services (63); Configuring wireless access service (63); Creating a wireless access service (63); ...
  • Page 5 Setting rate limiting (126); Wireless QoS configuration example (127); CAC service configuration example (127); Static rate limiting configuration example (129); Dynamic rate limiting configuration example (130); Configuring advanced settings (132); ...
  • Page 6 Application control configuration example (174); Webpage redirection configuration (176); Overview (176); Configuring webpage redirection (176); Configuring routes (178); Overview (178); Creating an IPv4 static route (178); Displaying the active route table ...
  • Page 7 Configuring IP addresses excluded from dynamic allocation (210); Configuring a DHCP server group (211); DHCP configuration examples (212); DHCP configuration example without DHCP relay agent (213); DHCP relay agent configuration example (220); ...
  • Page 8 Configuring access control (284); Configuring application control (285); Configuring bandwidth control (286); Configuring packet filtering (287); Synchronizing user group configuration for wan interfaces (289); User group configuration example (289); Configuring MSTP ...
  • Page 9 Configuring IPsec VPN (350); Overview (350); Recommended configuration procedure (350); Configuring an IPsec connection (351); Displaying IPsec VPN monitoring information (358); IPsec VPN configuration example (359); Configuration guidelines (361); ...
  • Page 10 Configuring RADIUS authentication (415); Configuring LDAP authentication (416); Configuring AD authentication (418); Configuring combined authentication (419); Configuring a security policy (420); Customizing the SSL VPN user interface (424); Customizing the SSL VPN interface partially ...
  • Page 11 Switching to the management level (483); Configuring system time (484); Setting the system time (484); Setting the time zone and daylight saving time (486); Configuring TR-069 (487); TR-069 network framework (488); ...
  • Page 12 Basic settings (526); Introduction to basic settings (526); Local number (526); Call route (526); Basic settings (527); Configuring a local number (527); Configuring a call route (528); ...
  • Page 13 Configuring other parameters of a local number (588); Configuring advanced settings of a call route (589); Configuring coding parameters of a call route (589); Configuring other parameters for a call route (590); Advanced settings configuration example ...
  • Page 14 Configuring registration parameters (646); Configuring voice mailbox server (648); Configuring signaling security (649); Configuring call release cause code mapping (650); Configuring PSTN call release cause code mappings (650); Configuring SIP status code mappings (651); ...
  • Page 15 Managing lines (703); FXS voice subscriber line (703); FXO voice subscriber line (703); E&M subscriber line (703); E&M introduction (703); E&M start mode (703); One-to-one binding between FXS and FXO voice subscriber lines (705); ...
  • Page 16 IVR information (831); Displaying IVR call states (831); Displaying IVR play states (832); About the HP MSR series Web-based Configuration Guide (833); Support and other resources (835); Contacting HP (835); ...
  • Page 17 Documents (835); Websites (835); Conventions (836); Index (838); ...
  • Page 18: Web Overview

    Web overview
    The device provides Web-based configuration interfaces for visual device management and maintenance.
    Figure 1 Web-based network management operating environment
    Logging in to the Web interface
    Follow these guidelines when you log in to the Web interface:
    • The PC in Figure 1 is the one where you configure the device, but not necessarily the Web-based...
  • Page 19: Logging Out Of The Web Interface

    Figure 2 Login page of the Web interface
    Logging out of the Web interface
    CAUTION: A logged-in user cannot automatically log out by directly closing the browser.
    Click Logout in the upper-right corner of the Web interface to quit Web-based network management. The system will not save the current configuration before you log out of the Web interface.
  • Page 20 Figure 3 Initial page of the Web interface...
  • Page 21: User Level

    (1) Navigation area (2) Title area (3) Body area
    • Navigation area—Organizes the Web function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area.
    • Title area—On the left, displays the path of the current configuration interface in the navigation...
  • Page 22
    | Function menu | Description | User level |
    | Interface Setup > WAN Interface Setup | Displays the configuration information of a WAN interface, and allows you to view interface statistics. | Monitor |
    | Interface Setup > WAN Interface Setup | Allows you to modify WAN interface configuration, and clear the statistics of a WAN interface. | Configure |
    ...
  • Page 23
    | Function menu | Description | User level |
    | | Allows you to configure wireless QoS and rate limiting, and clear radio and client information. | Configure |
    | Country Code | Displays configuration information of the country code. | Monitor |
    | Country Code | Allows you to set the country code. | Configure |
    | 3G Information | Displays 3G modem information, UIM card... | Monitor |
  • Page 24
    | Function menu | Description | User level |
    | URL Filter | Displays the information about URL filtering conditions. | Monitor |
    | URL Filter | Allows you to add or delete URL filtering conditions. | Configure |
    | MAC Address Filtering | Displays the information about MAC address filtering conditions. | Monitor |
    | MAC Address Filtering | Allows you to set MAC address filtering types, add or delete MAC addresses to... | Configure |
  • Page 25
    | Function menu | Description | User level |
    | Create | Allows you to create IPv4 static routes. | Configure |
    | Remove | Allows you to delete IPv4 static routes. | Configure |
    | User-based-sharing | Displays the IP address, mask and load sharing information of an interface. | Monitor |
    | User-based-sharing | Allows you to modify the load sharing status and shared bandwidth of an... | Configure |
  • Page 26
    | Function menu | Description | User level |
    | | Allows you to add an IPv4 ACL. | Configure |
    | Basic Config | Allows you to configure a basic rule for an IPv4 ACL. | Configure |
    | Advanced Config | Allows you to configure an advanced rule for an IPv4 ACL. | Configure |
    ...
  • Page 27
    | Function menu | Description | User level |
    | Policy > Summary | Displays QoS policy information. | Monitor |
    | Policy > Create | Allows you to create a QoS policy. | Configure |
    | Policy > Setup | Allows you to configure classifier-behavior associations. | Configure |
    | Policy > Remove | Allows you to remove a QoS policy. | Configure |
    | Summary | Displays QoS policy application information of a... | Monitor |
  • Page 28
    | Function menu | Description | User level |
    | View | Displays the brief information of SNMP views. | Monitor |
    | View | Allows you to create, modify, and remove an SNMP view. | Configure |
    | Bridge > Global Config | Displays and allows you to set global bridging information. | Configure |
    | Bridge > Config Interface | Displays and allows you to set interface bridging... | Configure |
  • Page 29
    | Function menu | Description | User level |
    | | Allows you to modify the MST region-related parameters and VLAN-to-MSTI mappings. | Configure |
    | Port | Displays MSTP port parameters. | Monitor |
    | Port | Allows you to modify MSTP port parameters. | Configure |
    | Global | Displays MSTP parameters globally. | Configure |
    | RADIUS | Displays and allows you to add, modify, and delete a... | Management |
  • Page 30
    | Function menu | Description | User level |
    | | Allows you to convert all dynamic ARP entries to static ones or delete all static ARP entries. | Configure |
    | IPsec Connection | Displays IPsec connection configuration. | Monitor |
    | IPsec Connection | Allows you to add, modify, delete, enable, or disable an IPsec connection. | Configure |
    ...
  • Page 31
    | Function menu | Description | User level |
    | | Displays CRLs. | Monitor |
    | | Allows you to retrieve CRLs. | Configure |
    | Save | Allows you to save the current configuration to the configuration file to be used at the next startup. | Configure |
    | Save | Allows you to save the current configuration as the factory default configuration. | Management |
    ...
  • Page 32
    | Function menu | Description | User level |
    | Modify User | Allows you to modify user account. | Management |
    | Remove User | Allows you to remove a user. | Management |
    | Switch To Management | Allows you to switch the user access level to the management level. | Visitor |
    | | Displays SNMP configuration information. | Monitor |
    ...
  • Page 33
    | Function menu | Description | User level |
    | Trace Route | Allows you to execute the trace route command and view the result. | Visitor |
    | | Displays and refreshes the WiNet topology diagram and allows you to view the detailed device information. | Monitor |
    | | Allows you to manually trigger the collection of WiNet topology information, save... | Management |
  • Page 34
    | Function menu | Description | User level |
    | Call Authority Control | Displays call authority control configuration information, and the maximum number of call connections in a set. | Monitor |
    | Call Authority Control | Allows you to configure call authority control, and the maximum number of call connections in a set. | Configure |
    | | Displays number substitution configuration information. | Monitor |
    ...
  • Page 35: Common Web Interface Elements

    | Function menu | Description | User level |
    | | Allows you to create local numbers, call routes, and manage lines in batches. | Configure |
    | Statistics > Call Statistics | Allows you to view and refresh active and history call statistics. | Monitor |
    | Statistics > Call Statistics | Allows you to view and refresh active and history call statistics, and clear... | Configure |
  • Page 36
    Figure 4 Content display by pages
    Searching function
    The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.
    • Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search item from the drop-down list and click the Search button to display the entries that match the criteria.
    ...
  • Page 37
    Figure 6 Advanced search
    Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these steps:
    Click the Advanced Search link, specify the search criteria on the advanced search page as shown Figure 7, and click Apply.
    ...
  • Page 38: Managing Web-Based Nm Through Cli

    Figure 9 Advanced searching function example (III)
    Sorting function
    The Web interface provides you with the basic sorting function to display entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
    ...
  • Page 39: Managing The Current Web User

    Task: Disable the Web-based NM service. Command: undo ip http enable
    Managing the current Web user
    Task: Display the current login users. Command: display web users
    Task: Log out the specified user or all users. Command: free web-users { all | user-id userid | user-name username }
    Configuration guidelines
    The Web-based configuration interface supports the operating systems of Windows XP, Windows 2000,...
  • Page 40
    Click the Security tab, and then select a Web content zone to specify its security settings, as shown Figure
    Figure 11 Internet Explorer setting (I)
    Click Custom Level, and a dialog box Security Settings appears.
    As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting.
    ...
  • Page 41
    Figure 12 Internet Explorer setting (II)
    Click OK in the Security Settings dialog box.
    Configuring Firefox Web browser settings
    Open the Firefox Web browser, and then select Tools > Options.
    Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure...
  • Page 42 Figure 13 Firefox Web browser setting...
  • Page 43: Displaying Device Information

    Displaying device information When you are logged in to the Web interface, you are placed on the Device Info page. The Device Info page contains five parts, which correspond to the five tabs below the figure on the page except the Services Information and Recent System Logs tabs. When you put your cursor on a part of the figure, the system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking this part.
  • Page 44: Displaying Device Information

    • If you select a specific period, the system periodically refreshes the Device Info page.
    • If you select Manual, click Refresh to refresh the page.
    Displaying device information
    Table 3 Field description
    | Field | Description |
    | Device Model | Device name. |
    | Software Version | Software version of the device. |
    ...
  • Page 45: Displaying Lan Information

    | Field | Description |
    | RSSI | Received signal strength indication (RSSI) of the 3G network. |
    Displaying LAN information
    Table 6 Field description
    | Field | Description |
    | Interface | Interface name. |
    | Link State | Link state of the interface. |
    | Work Mode | Rate and duplex mode of the interface. |
    Displaying WLAN information
    Table 7 Field description
    Field...
  • Page 46: Managing Integrated Services

    Managing integrated services For devices with a card installed, if the card provides the Web interface access function, after specifying the URL address of the card on the integrated service management page, you can log in from the integrated service management page to the Web interface of the card to manage the card. When you are logged in to the Web interface, you are placed on the Device Info page.
  • Page 47: Basic Services Configuration

    Basic services configuration This document guides you through quick configuration of basic services of routers, including configuring WAN interface parameters, LAN interface parameters, and WLAN interface parameters. For information about WAN interfaces, see "Configuring WAN interfaces." For information about LAN interfaces, see "Configuring VLANs."...
  • Page 48: Ethernet Interface

    Ethernet interface
    Figure 18 Setting Ethernet interface parameters
    Table 10 Configuration items (in auto mode)
    | Item | Description |
    | WAN Interface | Select the Ethernet interface to be configured. |
    | Connect Mode: Auto | Select the Auto connect mode to automatically obtain an IP address. |
    | | Specify the MAC address of the Ethernet interface in either of the two ways: •... |
  • Page 49
    | Item | Description |
    | DNS2 | To configure the global DNS server on the page you enter, select Advanced > DNS Setup > DNS Configuration. The global DNS server has priority over the DNS servers of the interfaces. The DNS query is sent to the global DNS server first. If the query fails, the DNS query is sent to the DNS server of the interface until the query succeeds. |
    ...
  • Page 50
    SA interface
    Figure 19 Setting SA parameters
    Table 13 Configuration items
    | Item | Description |
    | WAN Interface | Select the SA interface to be configured. |
    | User Name | Specify the user name for identity authentication. |
    | Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. |
    ...
  • Page 51
    ADSL/G.SHDSL interface
    Figure 20 Setting ADSL/G.SHDSL parameters
    Table 14 Configuration items (in IPoA mode)
    | Item | Description |
    | WAN Interface | Select the ADSL/G.SHDSL interface to be configured. |
    | Connect Mode: IPoA | Select the IPoA connect mode. |
    | | Specify the VPI/VCI value for PVC. |
    | TCP-MSS | Set the maximum TCP segment length of an interface. |
    ...
  • Page 52
    | Item | Description |
    | Connect Mode: PPPoA | Select the PPPoA connect mode. |
    | | Specify the VPI/VCI value for PVC. |
    | User Name | Specify the user name for identity authentication. |
    | Password | Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured. |
    | New Password | Specify or modify the password for identity authentication. |
    ...
  • Page 53
    Figure 21 Setting CE1/PR1 interface parameters (in E1 mode)
    Table 18 Configuration items (in E1 mode)
    | Item | Description |
    | WAN Interface | Select the CE1/PR1 interface to be configured. |
    | Work Mode: E1 | Select the E1 work mode. |
    | User Name | Specify the user name for identity authentication. |
    | | Display whether a password has been specified for identity authentication. |
    ...
  • Page 54
    Table 19 Configuration items (in CE1 mode)
    | Item | Description |
    | WAN Interface | Select the CE1/PR1 interface to be configured. |
    | Work Mode: CE1 | Select the CE1 work mode. |
    | Operation | Select one of the following operation actions: • Create—Binds timeslots. • Remove—Unbinds timeslots. |
    | Serial | Select a number for the created Serial interface. |
    ...
  • Page 55
    | Item | Description |
    | Serial | Select the number for the created serial interface. |
    | Timeslot-List | Specify the timeslots to be bound or unbound. |
    | User Name | Specify the user name for identity authentication. |
    | Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. |
    ...
  • Page 56: Setting Lan Interface Parameters

    | Item | Description |
    | | server if no data exchange occurs between it and the server within the specified time. After that, it automatically establishes the connection upon receiving a request for accessing the Internet from the LAN. |
    | Idle Timeout | When Online according to the Idle Timeout value is enabled, specify an idle timeout value. |
    ...
  • Page 57: Setting Wlan Interface Parameters

    | Item | Description |
    | End IP Address | IMPORTANT: If the extended address pool is configured on an interface, when a DHCP client's request arrives at the interface, the server assigns an IP address from this extended address pool only. The client cannot obtain an IP address if no IP address is available in the extended address pool. |
    ...
  • Page 58: Validating The Basic Services Configuration

    | Item | Description |
    | Network Name (SSID) | Specify a wireless network name. |
    | Network Hide | Select whether to hide the network name. |
    | Radio Unit | Select a radio unit supported by the AP, which can be 1 or 2. Which value is supported varies with device models. |
    | | Select whether to enable data encryption. |
    ...
  • Page 59 Figure 27 Checking the basic service configuration...
  • Page 60: Configuring Wan Interfaces

    Configuring WAN interfaces
    This chapter describes how to configure the following interfaces on the Web interface:
    • Ethernet interfaces.
    • SA interfaces.
    • ADSL/G.SHDSL interfaces.
    • CE1/PRI interfaces.
    • CT1/PRI interfaces.
    Configuring an Ethernet interface
    An Ethernet interface or subinterface supports the following connection modes:
    • Auto—The interface acts as a DHCP client to get an IP address through DHCP.
    ...
  • Page 61
    Figure 29 Configuring an Ethernet interface
    Table 24 Configuration items (auto mode)
    | Item | Description |
    | WAN Interface | Displays the name of the Ethernet interface to be configured. |
    | | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. |
    ...
  • Page 62
    Table 25 Configuration items (manual mode)
    | Item | Description |
    | WAN Interface | Displays the name of the Ethernet interface to be configured. |
    | Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. •... |
  • Page 63: Configuring An Sa Interface

    | Item | Description |
    | Password | Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication. |
    | New Password | Set or modify the password for authentication. |
    | TCP-MSS | Configure the TCP MSS on the interface. |
    | | Configure the MTU on the interface. |
    | | Set the idle timeout time for a connection: •... |
  • Page 64
    Figure 30 Configuring an SA interface
    Table 27 Configuration items
    | Item | Description |
    | WAN Interface | Displays the name of the interface to be configured. |
    | | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. |
    ...
  • Page 65: Configuring An Adsl/G.shdsl Interface

    Configuring an ADSL/G.SHDSL interface Overview The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA. IPoA IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data link layer for the IP hosts on the same network to communicate with one another, and IP packets must be adapted in order to traverse the ATM network.
  • Page 66 Figure 31 Configuring an ADSL/G.SHDSL interface Table 28 Configuration items (IPoA) Item Description WAN Interface Displays the name of the ADSL/G.SHDSL interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
  • Page 67 Item Description
    Interface Status: Display and set the interface status:
    • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
    • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface.
    •...
  • Page 68: Configuring A Ce1/Pri Interface

    Item Description
    Interface Status: Display and set the interface status:
    • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
    • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface.
    •...
  • Page 69: Configuration Procedure

    Configuration procedure To configure a CE1/PRI interface: Select Interface Setup > WAN Interface Setup from the navigation tree. Click the icon for the CE1/PRI interface. Configure the CE1/PRI interface, as described in "Configuring a CE1/PRI interface in E1 mode" "Configuring a CE1/PRI interface in CE1 mode."...
  • Page 70 Item Description Configure the MTU on the interface. Configuring a CE1/PRI interface in CE1 mode Figure 33 Configuring a CE1/PRI interface in CE1 mode Table 33 Configuration items (in CE1 mode) Item Description WAN Interface Displays the name of the CE1/PRI interface to be configured. Display and set the interface status: •...
  • Page 71: Configuring A Ct1/Pri Interface

    Item Description
    Password: Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication.
    New Password: Set or modify the password for authentication.
    TCP-MSS: Configure the TCP MSS on the interface.
    Configure the MTU on the interface.
    Configuring a CT1/PRI interface
    The CT1/PRI interface supports PPP connection mode.
  • Page 72: Displaying Interface Information And Statistics

    Table 34 Configuration items Item Description
    WAN Interface: Displays the name of the CT1/PRI interface to be configured.
    Interface Status: Display and set the interface status:
    • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
    •...
  • Page 73 Figure 35 Sample interface statistics...
  • Page 74: Configuring Vlans

    VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at the network layer. For more information about VLANs and VLAN interfaces, see HP MSR Router Series (V5) Layer 2—LAN Switching Configuration Guide. Configuring a VLAN and its VLAN interface...
  • Page 75: Creating A Vlan And Its Vlan Interface

    Step Remarks
    Configuring parameters for a VLAN interface: Optional. Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP server function for a VLAN interface. If yes, configure the related parameters. You can also configure the DHCP server function in Advanced > DHCP Setup.
  • Page 76: Configuring Vlan Member Ports

    Item Description
    Only Remove VLAN Interface: Remove the VLAN interface of a VLAN without removing the VLAN.
    Configuring VLAN member ports
    The ports that you assign to a VLAN in the Web interface can only be set to untagged type. The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged member ports.
  • Page 77 Figure 37 VLAN interface setup page Table 37 Configuration items Item Description VLAN ID Select the ID of the VLAN interface you want to configure. IP Address Set the VLAN interface's IP address and subnet mask. Subnet Mask...
  • Page 78: Configuration Guidelines

    Item Description
    MAC Address: Set the MAC address of the VLAN interface:
    • Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in the following brackets.
    • Use the customized MAC address—Manually set the MAC address of the VLAN interface.
  • Page 79: Wireless Configuration Overview

    Wireless configuration overview
    The device allows you to perform the following configuration in the Web interface:
    • Configuring wireless access service
    • Displaying wireless access service
    • Client mode
    • Configuring data transmit rates
    • Displaying radio
    • Configuring the blacklist and white list functions
    •...
  • Page 80: Configuring Wireless Services

    Configuring wireless services For more information about WLAN user access, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring wireless access service Creating a wireless access service Select Interface Setup >...
  • Page 81: Configuring Clear Type Wireless Service

    Figure 39 Creating a wireless service Table 39 Configuration items Item Description Radio Unit Radio ID, 1 or 2. Mode Radio mode, which depends on your device model. Set the service set identifier (SSID). An SSID should be as unique as possible. For security, the company name should not be contained in the SSID.
  • Page 82 Figure 40 Configuring clear type wireless service Table 40 Configuration items Item Description
    Wireless Service: Display the selected Service Set Identifier (SSID).
    VLAN (Untagged): Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
  • Page 83 Figure 41 Configuring advanced settings for a clear type wireless service Table 41 Configuration items Item Description
    Client Max Users: Maximum number of clients of an SSID to be associated with the same radio of the AP. IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
  • Page 84 Item Description • mac-authentication—Performs MAC address authentication on users. • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
  • Page 85 Figure 42 Configuring MAC authentication Table 43 Configuration items Item Description Port Mode mac-authentication: MAC-based authentication is performed on access users. Max User Control the maximum number of users allowed to access the network through the port. MAC Authentication Select the MAC Authentication option. Select an existing domain from the list.
  • Page 86 Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
  • Page 87 Figure 44 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example) Table 45 Configuration items Item Description • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.
  • Page 88: Configuring Crypto Type Wireless Service

    Item Description
    Authentication Method:
    • EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication.
    •...
  • Page 89 Figure 45 Configuring crypto type wireless service See Table 40 for the configuration items of basic configuration of crypto type wireless service. Configuring advanced settings for crypto type wireless service Select Interface Setup > Wireless > Access Service from the navigation tree. Click the icon for the target crypto wireless service.
  • Page 90 Item Description
    TKIP CM Time: Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled. If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is enabled. MIC is designed to avoid hacker tampering.
  • Page 91 Table 47 Configuration items Item Description
    Authentication Type: Link authentication method, which can be:
    • Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication.
    • Shared-Key—The two parties must have the same shared key configured for this authentication mode.
  • Page 92 Item Description Table Parameters such as authentication type and encryption type determine the port mode. For details, see Table After you select the Cipher Suite option, the following four port security modes are added: • mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK Port Security to negotiate with the device.
  • Page 93: Binding An Ap Radio To A Wireless Service

    Item Description
    Domain: Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field.
    •...
  • Page 94: Security Parameter Dependencies

    Click the icon for the target wireless service to enter the page as shown in Figure Figure 50 Binding an AP radio to a wireless service Select the AP radio to be bound. Click Bind. Security parameter dependencies In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are described in Table Table 50 Security parameter dependencies...
  • Page 95: Displaying Wireless Access Service

    Service Authenticat Encryption Security IE encryption Port mode type ion mode type /key ID encryption is mac and psk required Selected Required The key ID userlogin-secure-ext can be 2, 3 Open-Syste or 4 m and Shared-Key encryption is required Unselected Unavailable mac-authentication The key ID...
  • Page 96 Field Description
    Service Template Type: Service template type.
    Authentication Method: Type of authentication used. WLAN service of the clear type only uses open system authentication.
    SSID-hide:
    • Disable—The SSID is advertised in beacon frames.
    • Enable—Disables the advertisement of the SSID in beacon frames.
    Status of service template: •...
  • Page 97 Field Description
    GTK Rekey Method: GTK rekey method configured: packet based or time based.
    GTK Rekey Time(s): Time for GTK rekey in seconds.
    • If Time is selected, the GTK is refreshed after a specified period of time.
    • If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted.
  • Page 98: Displaying Client

    Displaying connection history information about wireless service Figure 54 Displaying the connection history information about wireless service Displaying client Displaying client detailed information Select Interface Setup > Wireless > Summary from the navigation tree. Click the Client tab to enter the Client page. Click the Detail Information tab on the page.
  • Page 99 Table 53 Client RSSI Field Description —Indicates that 0 < RSSI <= 20. —Indicates that 20 < RSSI <= 30. Client RSSI —Indicates that 30 < RSSI <= 35. —Indicates that 35 < RSSI <= 40. —Indicates that 40 < RSSI. Table 54 Field description Field Description...
  • Page 100 Field Description
    4-Way Handshake State: Four-way handshake states:
    • IDLE—Displayed in initial state.
    • PTKSTART—Displayed when the 4-way handshake is initialized.
    • PTKNEGOTIATING—Displayed after valid message 3 was sent.
    • PTKINITDONE—Displayed when the 4-way handshake is successful.
    Group key state: •...
  • Page 101: Displaying Rf Ping Information

    Figure 56 Displaying client statistics Table 56 Field description Field Description AP Name Name of the associated access point. Radio Id Radio ID. SSID SSID of the device. BSSID MAC address of the device. MAC Address MAC Address of the client. Received signal strength indication.
  • Page 102: Wireless Access Service Configuration Examples

    Figure 57 Viewing link test information Table 57 Field description Field Description
    No./MCS:
    • Rate number for a non-802.11n client.
    • MCS value for an 802.11n client.
    Rate (Mbps): Rate at which the radio interface sends wireless ping frames.
    TxCnt: Number of wireless ping frames that the radio interface sent.
  • Page 103 Figure 58 Network diagram (IP network, Router, Client, SSID: service1)
    Configuration procedure
    Create a wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add. Figure 59 Creating a wireless service Select the radio unit 1, set the service name to service1, and select the wireless service type clear.
  • Page 104: Access Service-Based Vlan Configuration Example

    Figure 61 Enabling 802.11g radio Verifying the configuration If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you can view the online clients. Configuration guidelines Follow these guidelines when you configure a wireless service: Select a correct district code.
  • Page 105 Click Apply. After the wireless service is created, the system is automatically navigated to the wireless service page, where you can perform the VLAN settings (before this operation, select Network > VLAN and create VLAN 2 first). Figure 63 Setting the VLANs Type 2 in the VLAN (Untagged) input box.
  • Page 106: Psk Authentication Configuration Example

    On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3, while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two clients are in different VLANs, they cannot access each other. PSK authentication configuration example Network requirements As shown in...
  • Page 107 Figure 67 Configuring security settings Select the Open-System from the Authentication Type list. Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list. Select the Port Set option, and select psk from the Port Mode list. Select pass-phrase from the Preshared Key list, and type key ID 12345678.
  • Page 108: Local Mac Authentication Configuration Example

    Local MAC authentication configuration example Network requirements As shown in Figure 69, perform MAC authentication on the client. Figure 69 Network diagram Configuration procedure Configure a wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. Click Add.
  • Page 109 Figure 71 Configuring security settings Select the Open-System from the Authentication Type list. Select the Port Set option, and select mac-authentication from the Port Mode list. Select the MAC Authentication option, and select system from the Domain list. Click Apply. Enable the wireless service: Select Interface Setup >...
  • Page 110: Remote Mac Authentication Configuration Example

    Figure 73 Adding a MAC authentication list Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example. Click Add. (Optional.) Enable 802.11g radio. By default, 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
  • Page 111 Figure 75 Creating a wireless service Select radio unit 1. Set the wireless service name as mac-auth. Select the wireless service type clear. Click Apply. Configure MAC authentication: After you create a wireless service, the wireless service configuration page appears. Then you can configure MAC authentication on the Security Setup area.
  • Page 112 Figure 77 Enabling the wireless service Select the mac-auth option. Click Enable. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
  • Page 113: Remote 802.1X Authentication Configuration Example

    Click Add. On the page that appears, set the service name as mac, keep the default values for other parameters, and click OK. Figure 79 Adding a service Add an account: Click the User tab. Select User > All Access Users from the navigation tree. Click Add.
  • Page 114 On the device, configure the shared key as expert, and configure the device to remove the domain name of a username before sending it to the RADIUS server. The IP address of the device is 10.18.1.1. Figure 81 Network diagram Configuring the router Configure wireless service: Select Interface Setup >...
  • Page 115 Figure 83 Configuring security settings Enable the wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. On the page that appears, select the dot1x option, and click Enable. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup >...
  • Page 116 Figure 84 Adding access device Add a service: Click the Service tab. Select User Access Manager > Service Configuration from the navigation tree. Click Add. On the page that appears, set the service name to dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN as the Certificate Sub-Type, and click OK.
  • Page 117: 802.11N Configuration Example

    On the page that appears, enter username user, set the account name user and password dot1x, select the service dot1x, and click OK. Figure 86 Adding an account
    Verifying the configuration
    • After you enter username user and password dot1x in the popup dialog box, the client can...
  • Page 118 Figure 88 Creating a wireless service Enable the wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. Select the 11nservice option, and click Enable. Figure 89 Enabling the wireless service (Optional.) Enable 802.11n(2.4GHZ) radio. By default, 802.11n(2.4GHZ) radio is enabled. Verifying the configuration If you select Interface Setup >...
  • Page 119: Client Mode

    Client mode The client mode enables a router to operate as a client to access the wireless network. Multiple hosts or printers in the wired network can access the wireless network through the router. Figure 90 Client mode Enabling the client mode Select Interface Setup >...
  • Page 120: Connecting The Wireless Service

    NOTE:
    • Support for radio mode types depends on your device model.
    • You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
    • To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target...
  • Page 121: Displaying Statistics

    Table 58 Configuration items Item Description
    AuthMode: Specify the network authentication mode, which can be:
    • Open System—Open system authentication, namely, no authentication
    • Shared Key—Shared key authentication, which requires the client and the device to be configured with the same shared key.
  • Page 122: Client Mode Configuration Example

    Client mode configuration example Network requirements As shown in Figure 96, the router accesses the wireless network as a client. The Ethernet interface of the router connects to multiple hosts or printers in the wired network, and thus the wired network is connected to the wireless network through the router.
  • Page 123 Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can check the existing wireless services in the wireless service list. Figure 98 Checking the wireless service list Connect the wireless service Click the Connect icon of the wireless service psk in the wireless service list. A SET CODE dialog box shown in Figure 99 appears.
  • Page 124: Configuring Radios

    Figure 100 Making sure the workgroup bridge is online
    • You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address 000f-e2333-5510 have been successfully associated with the AP.
    • The wired devices on the right (such as printers and PCs) can access the wireless network through...
  • Page 125 Table 59 Configuration items Item Description
    Radio Unit: Selected radios.
    Radio Mode: Selected radio mode.
    Transmit Power: Maximum radio transmission power, which varies with country codes, channels, radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.
  • Page 126 Item Description
    A-MPDU: Selecting the A-MPDU option enables A-MPDU. 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
  • Page 127 Item Description Transmit Distance Maximum coverage of a radio. Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference. • Enable—Enables ANI. •...
  • Page 128: Configuring Data Transmit Rates

    Configuring data transmit rates Configuring 802.11a/802.11b/802.11g rates Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab. Figure 104 Setting 802.11a/802.11b/802.11g rates Table 61 Configuration items Item Description Configure rates (in Mbps) for 802.11a. By default: •...
  • Page 129: Configuring 802.11N Mcs

    Supported Maximum MCS Set the maximum MCS index for 802.11n supported rates. For more information about MCS, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Make the MCS configuration the same on all APs in mesh configuration.
  • Page 130: Displaying Detailed Radio Information

    Figure 106 Displaying WLAN services bound to the radio The Noise Floor item in the table indicates various random electromagnetic waves during the wireless communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor. Displaying detailed radio information Select Interface Setup >...
  • Page 131 Field Description
    channel: Channel used by the interface. The keyword auto means the channel is automatically selected. If the channel is manually configured, the field will be displayed in the format of channel configured-channel.
    power(dBm): Transmit power of the interface (in dBm).
    Received: 2 authentication frames, 2 Number of authentication and association frames received.
  • Page 132: Configuring Wlan Security

    Configuring WLAN security
    When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless devices use the air as the transmission medium, which means that the data transmitted by one device can be received by any other device within the coverage of the WLAN. To improve WLAN security, you can use white and black lists and user isolation to control user access and behavior.
  • Page 133: Configuring Static Blacklist

    Figure 108 Configuring dynamic blacklist Table 64 Configuration items Item Description
    Dynamic Blacklist:
    • Enable—Enables dynamic blacklist.
    • Disable—Disables dynamic blacklist.
    IMPORTANT: Before enabling the dynamic blacklist function, select the Flood Attack Detect option in the WIDS Setup page.
    Lifetime: Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.
  • Page 134: Configuring White List

    Table 65 Configuration items Item Description
    You can configure a static blacklist in the following two ways:
    MAC Address: Select the MAC Address option, and then add a MAC address to the static blacklist.
    Select Current Connect Client: If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.
  • Page 135 Figure 111 Network diagram To configure user isolation: Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab. Figure 112 Configuring user isolation Table 67 Configuration items Item Description • Enable—Enables user isolation on the AP to isolate the clients associated with it at Layer 2.
  • Page 136: Configuring Wlan Qos

    QoS provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services. For more information about the WLAN QoS terminology and the WMM protocol, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring wireless QoS Enabling wireless QoS Select Interface Setup >...
  • Page 137: Setting Cac Admission Policy

    Figure 114 Enabling Wireless QoS Click the icon in the Operation column for the desired radio in the AP list. Figure 115 Setting the SVP mapping AC Table 68 Configuration items Item Description Radio Selected radio. Select the SVP Mapping option, and then select the mapping AC to be used by the SVP service: •...
  • Page 138: Setting Radio Edca Parameters For Aps

    Table 69 Configuration items Item Description
    Client Number: Users-based admission policy, namely, maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. By default, the users-based admission policy applies, with the maximum number of users being 20.
  • Page 139: Setting Edca Parameters For Wireless Clients

    AC-VO ECWmin cannot be greater than ECWmax. On a device operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO. Setting EDCA parameters for wireless clients Select Interface Setup >...
  • Page 140: Displaying Radio Statistics

    Table 73 Default EDCA parameters for clients TXOP Limit AIFSN ECWmin ECWmax AC-BK AC-BE AC-VI AC-VO ECWmin cannot be greater than ECWmax. If all clients operate in 802.11b radio mode, you are recommended to set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
  • Page 141 Field Description
    QoS mode: WMM indicates that QoS mode is enabled; None indicates that QoS mode is not enabled.
    Radio chip QoS mode: Radio chip’s support for the QoS mode.
    Radio chip max AIFSN: Maximum AIFSN allowed by the radio chip.
    Radio chip max ECWmin: Maximum ECWmin allowed by the radio chip.
  • Page 142: Displaying Client Statistics

    Field Description Ack Policy ACK policy adopted by an AC. Indicates whether an AC is controlled by CAC: Disabled indicates that the AC is not controlled by CAC, Enabled indicates that the AC is controlled by CAC. Displaying client statistics Select Interface Setup >...
  • Page 143: Setting Rate Limiting

    Field Description Uplink CAC packets Number of uplink CAC packets. Uplink CAC bytes Number of uplink CAC bytes. Downlink CAC packets Number of downlink CAC packets. Downlink CAC bytes Number of downlink CAC bytes. Downgrade packets Number of downgraded packets. Downgrade bytes Number of downgraded bytes.
  • Page 144: Wireless Qos Configuration Example

    Table 76 Configuration items Item Description
    Wireless Service: Existing wireless service.
    Direction: Inbound or outbound.
    • Inbound—From clients to the device.
    • Outbound—From the device to clients.
    • Both—Includes inbound (from clients to the device) and outbound (from the device to clients).
    Rate limiting mode, dynamic or static.
  • Page 145 Figure 123 Enabling wireless QoS Select the radio unit to be configured in the list. Click the corresponding icon in the Operation column. In the Client EDCA list, select the priority type (AC_VO is taken for example here) to be modified.
  • Page 146: Static Rate Limiting Configuration Example

    Verifying the configuration If the number of existing clients in the high-priority ACs plus the number of clients requesting access is smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs, which is 10 in this example, the request is allowed. Otherwise, the request is rejected. Static rate limiting configuration example Network requirements As shown in...
  • Page 147: Dynamic Rate Limiting Configuration Example

    Verifying the configuration
    • Client 1 and Client 2 access the WLAN through an SSID named service1.
    • Check that traffic from Client 1 is rate limited to around 128 kbps, and so is traffic from Client 2.
    Dynamic rate limiting configuration example
    Network requirements As shown in Figure...
  • Page 148 Verifying the configuration Verify the following:
    • When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps.
    • When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can...
  • Page 149: Configuring Advanced Settings

    Configuring advanced settings Radio frequencies for countries and regions vary based on country regulations. A district code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country code or area code for a WLAN device to meet the specific country regulations. Setting a district code Select Interface Setup >...
  • Page 150 Figure 131 Configuring channel busy test Click the icon for the target AP. Figure 132 Testing busy rate of channels Click Start to start the testing. Table 78 Configuration items Item Description Radio Unit Display the radio unit, which takes the value of 1 or 2. Radio Mode Display the radio mode of the router.
  • Page 151: Managing A 3G Modem

    Managing a 3G modem For 3G communications, you can connect a USB 3G modem to a router through the USB interface on the MPU of the router. The 3G modem uses a user identity module (UIM) or subscriber identity module (SIM) to access the wireless networks provided by service providers.
  • Page 152 Figure 135 3G modem information (CDMA) Table 79 3G modem information Item Description Model Model of the 3G modem. Manufacturer Manufacturer of the 3G modem. Description Description for the 3G modem. Serial Number Serial number of the 3G modem. CMII ID CMII ID of the 3G modem.
  • Page 153 Table 80 SIM card information (WCDMA) Item Description Status of the SIM card: • SIM Status • Fault. • Absent. IMSI International Mobile Subscriber Identification number of the SIM card. Table 81 UIM card information (CDMA) Item Description State of the UIM card: •...
  • Page 154: Configuring The Cellular Interface

    Item Description
    Service Status (1xRtt): Service status of the 3G network:
    • Available.
    • Not available.
    Roaming Status (1xRtt): Roaming status:
    • Home.
    • Roaming.
    RSSI (1xRtt): Received signal strength indication of the 3G network.
    Configuring the cellular interface
    Click the icon for the cellular interface in Figure 133.
  • Page 155: Managing The Pin

    Managing the PIN Click PIN in Figure 136. Then you can manage the PIN. PIN protection is disabled. • To enable PIN protection, enter a PIN, a string of four to eight digits, and click Apply in the Enable PIN Code Protection area. Figure 137 Managing the PIN (PIN protection disabled) PIN protection is enabled and the PIN is authenticated.
  • Page 156 Figure 139 Rebooting the 3G modem...
  • Page 157: Configuring Nat

    IP addresses are used to translate a large number of internal IP addresses. This effectively solves the IP address depletion problem. For more information about NAT, see the Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 158 Figure 140 Configuring dynamic NAT Table 85 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Select an address translation mode: • Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address.
  • Page 159: Configuring A Dmz Host

    Configuring a DMZ host Creating a DMZ host From the navigation tree, select NAT Configuration > NAT Configuration. Click the DMZ HOST tab. The DMZ host configuration page appears. Figure 141 Creating a DMZ host Configure the parameters as described in Table Click Add.
  • Page 160: Configuring An Internal Server

    Figure 142 Enabling DMZ host on an interface Configuring an internal server From the navigation tree, select NAT Configuration > NAT Configuration. Click the Internal Server tab. The internal server configuration page appears.
  • Page 161 Figure 143 Configuring an internal server Configure the parameters as described in Table Click Add. Table 87 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Protocol Specify the type of the protocol carried by IP, which can be TCP or UDP. Specify the public IP address for the internal server.
  • Page 162: Enabling Application Layer Protocol Check

    Item Description Host Port Specify internal port number for the internal server. From the list, you can: • Select Other and then enter a port number. If you enter 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is created.
  • Page 163: Nat Configuration Examples

    Figure 145 Configuring connection limit Configure the parameters as described in Table Click Apply. Table 89 Configuration items Item Description Enable connection limit Enable or disable connection limit. Max Connections Set the maximum number of connections that can be initiated from a source IP address.
  • Page 164 Configuring internal hosts accessing public network Configure the IP address of each interface. (Details not shown.) Configure dynamic NAT on Ethernet 0/2: Select NAT Configuration > NAT Configuration to enter the dynamic NAT configuration page, as shown in Figure 147. Select Ethernet0/2 from the Interface list.
  • Page 165: Internal Server Configuration Example

    Figure 148 Configuring connection limit Internal server configuration example Network requirements A company provides one FTP server and two Web servers for external users to access. The internal network address is 10.110.0.0/16. The company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24.
  • Page 166 Figure 150 Configuring the FTP server Configure Web server 1: As shown in Figure 151, select Ethernet0/2 from the Interface list. Select the TCP option in the Protocol field. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. Select http from the Global Port list.
  • Page 167 Figure 151 Configuring Web server 1 Configure Web server 2: Click Add in the internal server configuration page. As shown in Figure 152, select Ethernet0/2 from the Interface list. Select the TCP option in the Protocol field. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. Enter 8080 in the Global Port field.
  • Page 168 Figure 152 Configuring Web server 2...
  • Page 169: Configuring Access Control

    Configuring access control Access control allows you to control access to the Internet from the LAN by setting the time range, IP addresses of computers in the LAN, port range, and protocol type. All data packets matching these criteria will be denied access to the Internet. You can configure up to ten access control policies.
  • Page 170: Access Control Configuration Example

    Table 90 Configuration items Item Description Begin-End Time Set the time range of a day for the rule to take effect. The start time must be earlier than the end time. IMPORTANT: Set both types of time ranges or set neither of them.
  • Page 171 Figure 154 Network diagram Configuration procedure # Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work time. Select Security Setup > Access from the navigation tree. Figure 155 Configure an access control policy Set the Begin-End Time to 09:00 - 18:00.
  • Page 172: Configuring Url Filtering

    Configuring URL filtering The URL filtering function allows you to deny access to certain Internet Web pages from the LAN by setting the filter types and the filtering conditions. The URL filtering function applies to only the outbound direction of WAN interfaces. Configuration procedure Select Security Setup >...
  • Page 173: Url Filtering Configuration Example

    Table 92 Configuration items Item Description Filtering by Set the filter type: • Blacklist—Denies URLs that match the filtering conditions. URLs that do not match the filtering conditions are permitted. • Whitelist—Permits URLs that match the filtering conditions. URLs that do not match the filtering conditions are denied.
  • Page 174 Figure 158 Configure the URL filtering function...
  • Page 175: Configuring Attack Protection

    Configuring attack protection You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure intrusion detection in the Web interface. Overview Attack protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack.
  • Page 176 Table 93 Types of single-packet attacks Single-packet attack Description Fraggle A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address.
  • Page 177: Configuring The Blacklist Function

    Protection against scanning attacks Scanning attackers usually use some scanning tools to scan host addresses and ports in a network, so as to find possible targets and the services enabled on the targets and figure out the network topology, preparing for further attacks on the target hosts. The scanning attack protection function takes effect only on incoming packets.
  • Page 178: Enabling The Blacklist Function

    Step Remarks You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically.
  • Page 179: Viewing Blacklist Entries

    Figure 160 Add a blacklist entry Table 94 Configuration items Item Description IP Address Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8.
  • Page 180 and then select the specific attack protection functions to be enabled. Then, click Apply to finish the configuration. Figure 161 Intrusion detection configuration page On MSR20/30/50/93X/1000 routers Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 162.
  • Page 181: Attack Protection Configuration Examples

    Figure 163 Add an intrusion detection policy Attack protection configuration examples Attack protection configuration example for MSR900/20-1X Network requirements As shown in Figure 164, internal users Host A, Host B, and Host C access the Internet through Router. The network security requirements are as follows: Router always drops packets from Host D, an attacker.
  • Page 182 Figure 164 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Enable the blacklist function. Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the following configurations, as shown in Figure 165.
  • Page 183 Enter IP address 5.5.5.5, the IP address of Host D. Select Permanence for this blacklist entry. Click Apply. Click Add and then perform the following configurations, as shown in Figure 167: Figure 167 Adding a blacklist entry for Host C Enter IP address 192.168.1.5, the IP address of Host C.
  • Page 184: For Msr20/30/50/93X/1000 Routers

    Select Enable Attack Defense Policy. Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack Detection, and Add Source IP Address to the Blacklist. Clear all other options. Click Apply. Verifying the configuration Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist. Router drops all packets from Host D unless you remove Host D from the blacklist.
  • Page 185 Figure 170 Enabling the blacklist function Select the box before Enable Blacklist. Click Apply. # Add blacklist entries manually. Click Add and then perform the following configurations, as shown in Figure 171: Figure 171 Adding a blacklist entry for Host D...
  • Page 186 Enter IP address 192.168.1.5, the IP address of Host C. Select Hold Time and set the hold time of this blacklist entry to 50 minutes. Click Apply. # Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist function for it;...
  • Page 187 Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops the attack packet.
  • Page 188: Configuring Application Control

    Configuring application control You can load applications, configure a custom application, and enable application control in the Web interface. Application control allows you to control which applications and protocols users can access on the Internet by specifying the destination IP address, protocol, operation type, and port. Application control can be based on a group of users or all users in a LAN.
  • Page 189: Configuring A Custom Application

    Figure 174 Loading applications Configuring a custom application Select Security Setup > Application Control from the navigation tree, and then select the Custom Application tab to enter the custom application list page, as shown in Figure 175. Click Add to enter the page for configuring a custom application, as shown in Figure 176.
  • Page 190: Enabling Application Control

    Table 96 Configuration items Item Description Application Name Specify the name for the custom application. Protocol Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP carried protocols. IP Address Specify the IP address of the server of the applications to be controlled. Specify the port numbers of the applications to be controlled.
  • Page 191: Application Control Configuration Example

    Application control configuration example Network requirements As shown in Figure 178, internal users access the Internet through Router. Configure application control on Router, so that no user can use MSN. Figure 178 Network diagram Configuration procedure # Load the application control file (assume that signature file p2p_default.mtd, which can prevent the use of MSN, is stored on the device).
  • Page 192 Figure 180 Loaded applications # Enable application control. Click the Application Control tab and then perform the following configurations, as shown in Figure 181. Figure 181 Configuring application control Select MSN from the Loaded Applications area. Click Apply...
  • Page 193: Webpage Redirection Configuration

    Configuring webpage redirection CAUTION: Webpage redirection is ineffective on the interface with the portal function enabled. HP recommends not configuring both functions on an interface. Select Advanced > Redirection from the navigation tree to enter the page shown in Figure 182.
  • Page 194 Table 97 Configuration items Item Description Interface Select an interface on which webpage redirection is to be enabled. Redirection URL Type the address of the webpage to be displayed, which means the URL to which the web access request is redirected. For example, http://192.0.0.1. Interval Type the time interval at which webpage redirection is triggered.
  • Page 195: Configuring Routes

    You can manually configure routes. Such routes are called static routes. For more information about the routing table and static routes, see Layer 3—IP Routing Configuration Guide in HP MSR Router Series Configuration Guides (V5). Creating an IPv4 static route Select Advanced >...
  • Page 196: Displaying The Active Route Table

    Figure 184 Static route configuration page Configure static routes as described in Table Table 98 Configuration items Item Description Destination IP Address Enter the destination IP address of the static route, in dotted decimal notation. Mask Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
  • Page 197: Ipv4 Static Route Configuration Example

    Figure 185 Active route table Table 99 Field description Field Description Destination IP Address Destination IP address of the route. Mask Mask of the destination IP address. Protocol Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols. Preference Preference for the route.
  • Page 198: Configuration Considerations

    Figure 186 Network diagram Configuration considerations Configure a default route with Router B as the next hop on Router A. On Router B, configure one static route with Router A as the next hop and the other with Router C as the next hop.
  • Page 199 Select Advanced > Route Setup from the navigation tree of Router B. Click the Create tab. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop. Click Apply. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop. Click Apply.
  • Page 200: Configuration Guidelines

    If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks, the IP address-to-link layer address mapping must be established. HP recommends specifying the next hop when you configure it as the output interface.
  • Page 201: Configuring User-Based Load Sharing

    Configuring user-based load sharing You can configure user-based load sharing through the Web interface. Overview A routing protocol can have multiple equal-cost routes to the same destination. These routes have the same preference, and are all used to accomplish load sharing if no route with a higher preference is available.
  • Page 202 Table 100 Configuration items Item Description Interface This field displays the name of the interface on which user-based load sharing is configured. Status of user-based-sharing Set whether or not to enable user-based load sharing on the interface. Bandwidth Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface.
  • Page 203: Configuring Traffic Ordering

    Configuring traffic ordering You can do the following to configure traffic ordering on the Web interface: • Setting the traffic ordering interval • Specifying the traffic ordering mode • Displaying internal interface traffic ordering statistics • Displaying external interface traffic ordering statistics Overview When multiple packet flows (classified by their source addresses) are received or sent by a device, you can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound...
  • Page 204: Setting The Traffic Ordering Interval

    Setting the traffic ordering interval Select Advanced > Traffic Ordering from the navigation tree to enter the default configuration page. You can set the interval for collecting traffic statistics in the lower part of the page. Figure 190 Traffic ordering configuration page Specifying the traffic ordering mode Select Advanced >...
  • Page 205: Displaying External Interface Traffic Ordering Statistics

    Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and then click Refresh to display the list as needed. Figure 191 Internal interface traffic ordering statistics page Displaying external interface traffic ordering statistics Select Advanced >...
  • Page 206: Configuring Dns

    IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the DNS server translate them into correct IP addresses. For more information about DNS, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 207: Configuring Dns Proxy

    Configuring DNS proxy Task Remarks Enabling DNS proxy Required. Enable DNS proxy on the device. Disabled by default. Specifying a DNS server Required. Not specified by default. You can specify up to six DNS servers. Enabling dynamic domain name resolution From the navigation tree, select Advanced >...
  • Page 208: Clearing The Dynamic Domain Name Cache

    Clearing the dynamic domain name cache From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 193. Select the Clear Dynamic DNS cache box. Click Apply. Specifying a DNS server From the navigation tree, select Advanced >...
  • Page 209: Domain Name Resolution Configuration Example

    Table 102 Configuration items Item Description DNS Domain Name Suffix Configure a domain name suffix. Click Apply. Domain name resolution configuration example Network requirements As shown in Figure 196, Router B serves as a DNS client and Router A is specified as a DNS server. Dynamic domain name resolution and the domain name suffix are configured on Router B, and therefore Router B can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/24.
  • Page 210 Figure 197 Creating a zone Create a mapping between the host name and the IP address: In Figure 198, right-click zone com. Select New Host to bring up a dialog box as shown in Figure 199. Enter host name host and IP address 3.1.1.1. Figure 198 Adding a host...
  • Page 211 Figure 199 Adding a mapping between domain name and IP address Configuring the DNS proxy (Router A) Enable DNS proxy on Router A: From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 200.
  • Page 212 Figure 201 Specifying a DNS server address Configuring the DNS client (Router B) Enable dynamic domain name resolution: From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 202. Select Enable for Dynamic DNS.
  • Page 213 Figure 203 Specifying the DNS server address Configure the domain name suffix: Click Add Suffix to enter the page as shown in Figure 204. Enter com in DNS Domain Name Suffix. Click Apply. Figure 204 Configuring DNS domain name suffix Verifying the configuration Select Other >...
  • Page 214: Configuring Ddns

    Configuring DDNS Overview Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
  • Page 215: Configuration Prerequisites

    Configuration prerequisites • Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. • Specify the primary IP address of the interface and make sure the DDNS server and the interface...
  • Page 216: Ddns Configuration Example

    Item Description Settings Server Name Specify the server name of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org.
  • Page 217 Figure 208 Network diagram Configuring DDNS on the router Before configuring DDNS on Router, register at http://www.3322.org/ (username steven and password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and make sure the devices are reachable to each other. Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1.
  • Page 218 After the preceding configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.
  • Page 219: Configuring Dhcp

    A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent, as shown in Figure 21 Figure 211 A typical DHCP relay agent application For more information about DHCP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 220: Recommended Configuration Procedure

    Recommended configuration procedure Configuring the DHCP server Task Remarks Required. Configuration guidelines Enable DHCP globally. Disabled by default. Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default. Configuring the DHCP server on an IMPORTANT: interface The DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface.
  • Page 221: Configuring The Dhcp Client

    Task Remarks Configuring a DHCP server group Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all the DHCP servers of the group.
  • Page 222: Configuring Dhcp Interface Setup

    Figure 212 DHCP Enable Table 104 Configuration items Item Description DHCP Enable or disable DHCP globally. Configuring DHCP interface setup Select Advanced > DHCP Setup from the navigation tree. Click the DHCP Interface Setup tab. The DHCP interface setup configuration page appears, as shown in Figure 213.
  • Page 223: Configuring A Static Address Pool For The Dhcp Server

    Item Description DHCP server group Correlate the relay agent interface with a DHCP server group. You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection. Configuring a static address pool for the DHCP server Select Advanced >...
  • Page 224 Figure 214 Static address pool setup for the DHCP server Configure the static address pool for the DHCP server as described in Table 106. Click Apply. Table 106 Configuration items Item Description Pool Name Name of the static DHCP address pool. Address Allocation Specify the static address allocation mode for the DHCP address pool.
  • Page 225: Configuring A Dynamic Address Pool For The Dhcp Server

    Item Description IP Address, Subnet Mask IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified. IMPORTANT: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts might occur, and the client cannot obtain the IP address.
  • Page 226 Figure 215 Dynamic address pool setup for the DHCP server Configure the dynamic address pool for the DHCP server as described in Table 107. Click Apply. Table 107 Configuration items Item Description Pool Name Name of the dynamic DHCP address pool. Address Allocation Mode: Specify the dynamic address allocation mode for the DHCP address pool.
  • Page 227: Configuring Ip Addresses Excluded From Dynamic Allocation

    Item Description Subnet Mask IMPORTANT: Make sure the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation. Lease Duration Specify the lease for IP addresses to be assigned. NOTE: •...
  • Page 228: Configuring A Dhcp Server Group

    Figure 216 IP address excluded from dynamic allocation setup Configure IP addresses excluded from dynamic allocation as described in Table 108. Click Apply. Table 108 Configuration items Item Description Start IP Address Specify the lowest IP address excluded from dynamic allocation. Specify the highest IP address excluded from dynamic allocation.
  • Page 229: Dhcp Configuration Examples

    Figure 217 DHCP server group setup Configure DHCP server group as described in Table 109. Click Apply. Table 109 Configuration items Item Description Group ID DHCP server group ID. You can create at most 20 DHCP server groups. Server IP Address Specifies the DHCP server IP addresses for the DHCP server group. IMPORTANT: The IP address of a DHCP server cannot be on the same network segment as that of the...
  • Page 230: Dhcp Configuration Example Without Dhcp Relay Agent

    DHCP configuration example without DHCP relay agent Network requirements The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25 respectively.
  • Page 231 Figure 219 Enabling DHCP Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on interface Ethernet 0/1. Details not shown.) Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B: Click the DHCP Interface Setup tab.
  • Page 232 Figure 220 DHCP static address pool configuration Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS server address): Enter pool0 in the Pool Name field, as shown in Figure 221. Select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.1.1.0 in the IP Address field and select the Subnet Mask box, and then enter 255.255.255.0.
  • Page 233 Figure 221 DHCP address pool 0 configuration Configure DHCP address pool 1 (including the address range, lease duration, and gateway address): Enter pool1 in the Pool Name field, as shown in Figure 222. Select Dynamic Allocation in the Address Allocation Mode field. Enter 10.1.1.0 in the IP Address field.
  • Page 234 Figure 222 DHCP address pool 1 configuration Configure DHCP address pool 2 (including the address range, lease duration and gateway IP address): Enter pool2 in the Pool Name field, as shown in Figure 223. Select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.1.1.128 in the IP Address field.
  • Page 235 Figure 223 DHCP address pool 2 configuration Exclude IP addresses from dynamic allocation (DNS server and gateway addresses): Expand the Forbidden IP Addresses node. Enter 10.1.1.2 in the Start IP Address field, enter 10.1.1.2 in the End IP Address field, click Apply, enter 10.1.1.126 in the Start IP Address field, as shown in Figure 224, enter...
  • Page 236 Figure 224 Excluding IP addresses from dynamic allocation Configuring the DHCP client (Router B) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree, and then click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list.
  • Page 237: Dhcp Relay Agent Configuration Example

    Figure 225 Enabling the DHCP client on interface Ethernet 0/1 DHCP relay agent configuration example Network requirements Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients reside. The IP address of Ethernet 0/1 is 10.10.1.1/24 and IP address of Ethernet 0/2 is 10.1.1.2/24 that connects to the DHCP server 10.1.1.1/24 (Router B).
  • Page 238 Select the Enable option in the DHCP field. Click Apply. Figure 227 DHCP enable Create a DHCP server group: Click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list. Select the Relay option in the Type field. Expand the Add DHCP Server Group node. Enter 1 in the Group ID field.
  • Page 239 Select 1 from the DHCP Server Group list. Click Apply. Figure 229 The page for enabling the DHCP relay agent on interface Ethernet 0/1 Configuring the DHCP server (Router B) Specify addresses for interfaces. (Details not shown.) Enable DHCP: Select Advanced > DHCP Setup from the navigation tree of Router B. The default DHCP Enable tab appears, as shown in Figure 230.
  • Page 240 Enter pool1 in the Pool Name field and select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.10.1.0 in the IP Address field, select the Subnet Mask box, and then enter 255.255.255.0. Set the Lease Duration to 7 days, 0 hours, and 0 minutes. Select the Domain Name box, and then enter aabbcc.com.
  • Page 241 Figure 232 IP address excluded from dynamic allocation configuration Configure the DHCP client (Router C) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree. Click the DHCP Interface Setup tab. Select Ethernet0/1 in the Interface field. Select the Client option in the Type field.
  • Page 242 Figure 233 Enabling the DHCP client on interface Ethernet 0/1...
  • Page 243: Configuring Acls

    header ACLs 4000 to 4999 Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type. For more information about IPv4 ACL, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Recommended IPv4 ACL configuration procedure Step Remarks Required.
  • Page 244: Configuration Guidelines

    Configuration guidelines When you configure an ACL, follow these guidelines: • You cannot create a rule with or modify a rule to have the same permit/deny statement as an existing rule in the ACL. • You can only modify the existing rules of an ACL that uses the match order of config. When you...
  • Page 245: Configuring A Rule For A Basic Ipv4 Acl

    Configuring a rule for a basic IPv4 ACL Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Basic Config tab to enter the rule configuration page for a basic IPv4 ACL. Figure 235 The page for configuring a basic IPv4 ACL Table 112 Configuration items Item Description...
  • Page 246: Configuring A Rule For An Advanced Ipv4 Acl

    Item Description Check Logging Select this box to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets. Source IP Address Select the Source IP Address box, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
  • Page 247 Figure 236 The page for configuring an advanced IPv4 ACL...
  • Page 248 You can use command line interface to create advanced IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Also, when you configure advanced bandwidth limit and advanced bandwidth guarantee, the system automatically creates advanced IPv4 ACLs.
  • Page 249: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description TCP Connection Established: Select this box to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
  • Page 250 You can use command line interface to create Ethernet frame header IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Select the Rule ID box, and enter a number for the rule.
  • Page 251 Item Description Action: Select the action to be performed for IPv4 packets matching the rule: • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Source MAC Address: Select the Source MAC Address box, and enter a source MAC address and wildcard.
  • Page 252: Configuring Qos

    Configuring QoS The Web interface provides the following QoS configuration functions: • Configuring subnet limit • Configuring advanced limit • Configuring advanced queue Overview Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 253: Configuring Subnet Limit

    interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This is because working at the IP layer the latter two functions do not take effect on packets not processed by the IP layer. • Bandwidth guarantee—When congestion occurs to a port, class-based queuing (CBQ) classifies packets into different classes according to user-defined match criteria and assigns these classes to their queues.
  • Page 254: Configuring Advanced Limit

    Table 115 Configuration items Item Description Start Address, End Address: Set the address range of the subnet where rate limit is to be performed. Interface: Specify the interface to which the subnet limit is to be applied. Set the average traffic rate allowed. Set the rate limit method: •...
  • Page 255 Figure 241 Advanced limit setting...
  • Page 256 Table 116 Configuration items Item Description Description: Configure a description for the advanced limit policy for management sake. Interface: Specify the interface to which the advanced limit is to apply. Direction: Set the direction where the rate limit applies: • Download—Limits the rate of incoming packets of the interface.
  • Page 257: Configuring Advanced Queue

    Configuring advanced queue To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for these interfaces. Configuring interface bandwidth Select Advance >...
  • Page 258: Configuring Bandwidth Guarantee

    Description Set the average traffic rate allowed for the interface. HP recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link. If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ enqueues packets is 1000000 kbps.
  • Page 259 Figure 243 Creating a bandwidth guarantee policy Table 118 Configuration items Item Description Description Configure a description for the bandwidth guarantee policy for management sake.
  • Page 260 Item Description Queue Type: Set the service class queue type: • EF (Expedited Forwarding)—Provides absolutely preferential queue scheduling for the EF service so as to ensure low delay for real-time data traffic. At the same time, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
  • Page 261: Qos Configuration Examples

    QoS configuration examples Subnet limit configuration example Network requirements As shown in Figure 244, limit the rate of packets leaving Ethernet 1/1 of Router. Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.
  • Page 262: Advanced Queue Configuration Example

    Enter 2.1.1.100 in the End Address field. Select interface Ethernet 1/1. Enter 5 in the CIR field. Select Per IP in the Type list. Select Upload from the Direction list. Click Apply. Advanced queue configuration example Network requirements As shown in Figure 246, data traffic from Router C reaches Router D by the way of Router A and then Router B.
  • Page 263 Figure 247 Configuring assured forwarding Enter the description test-af. Select AF (Assured Forwarding) in the Queue Type list. Select interface Ethernet0/0. Enter 40 in the Bandwidth field. Enter 10, 18 in the DSCP field. Click Apply. # Perform EF for traffic with DSCP field EF. Select Advance >...
  • Page 264 Figure 248 Configuring expedited forwarding Enter the description test-ef. Select EF (Expedited Forwarding) in the Queue Type list. Select interface Ethernet0/0. Enter 240 in the Bandwidth field. Enter 46 in the DSCP field. Click Apply. After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in the network.
  • Page 265: Appendix Packet Precedences

    Appendix Packet precedences IP precedence and DSCP values Figure 249 DS field and ToS field As shown in Figure 249, the ToS field of the IP header contains 8 bits: the first 3 bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is represented by the first 6 bits (0 to 5) and is in the range 0 to 63.
  • Page 266 DSCP value (decimal) DSCP value (binary) Keyword 011110 af33 100010 af41 100100 af42 100110 af43 001000 010000 011000 100000 101000 110000 111000 000000 be(default) 802.1p priority 802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 267 802.1p priority (decimal) 802.1p priority (binary) Keyword background spare excellent-effort controlled-load video voice network-management...
  • Page 268: Configuring Snmp

    • send traps to the NMS when some events, such as interface state change, occur. HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. • SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use...
  • Page 269: Enabling The Snmp Agent Function

    Task Remarks Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group. Configuring an SNMP community: Required. Configuring the SNMP trap function: Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the...
  • Page 270 On the upper part of the page, you can select to enable or disable the SNMP agent function and configure parameters such as SNMP version. On the lower part of the page, you can view the SNMP statistics, which helps you understand the running status of the SNMP after your configuration.
  • Page 271: Configuring An Snmp View

    Item Description Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
  • Page 272 Figure 255 Creating an SNMP view (2) Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules, click Apply to create an SNMP view.
  • Page 273: Configuring An Snmp Community

    Figure 256 Adding rules to an SNMP view You can also click the icon corresponding to the specified view on the page as shown in Figure 253, and then you can enter the page to modify the view. Configuring an SNMP community Select Advanced >...
  • Page 274: Configuring An Snmp Group

    Table 124 Configuration items Item Description Community Name: Set the SNMP community name. Access Right: Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent. •...
  • Page 275: Configuring An Snmp User

    Figure 260 Creating an SNMP group Configure the SNMP group, as shown in Table 125. Table 125 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group. The available security levels are: •...
  • Page 276 Figure 261 SNMP user Click Add to enter the Add SNMP User page, as shown in Figure 262. Figure 262 Creating an SNMP user Configure the SNMP user, as shown in Table 126. Table 126 Configuration items Item Description User Name Set the SNMP user name.
  • Page 277: Configuring The Snmp Trap Function

    Item Description Group Name: Select an SNMP group to which the user belongs: • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
  • Page 278 Click Add to enter the Add Trap Target Host page, as shown in Figure 264. Figure 264 Adding a target host of SNMP traps Configure the SNMP traps, as shown in Table 127. Table 127 Configuration items Item Description Destination IP Address: Set the destination IP address. Select the IP address type: IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field...
  • Page 279: Displaying Snmp Packet Statistics

    Item Description Security Level: Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the security level can only be no authentication no privacy, and cannot be modified.
  • Page 280 Figure 266 Network diagram Configuring the agent Enable SNMP: Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the following configuration as shown in Figure 267. Select the Enable radio box. Set the SNMP version to both v1 and v2c. Click Apply.
  • Page 281 Figure 268 Configuring SNMP community named public Figure 269 Configuring SNMP community named private Type private in the field of Community Name. Select Read and write from the Access Right list. Click Apply. Enable Agent to send SNMP traps: Click the Trap tab and perform the following configuration as shown in Figure 270.
  • Page 282 Figure 270 Enabling Agent to send SNMP traps Add target hosts of SNMP traps: On the Trap tab page, click Add and perform the following configuration as shown in Figure 271. Select the destination IP address type as IPv4/Domain. Type the destination address 1.1.1.2. Type the security username public.
  • Page 283: Snmpv3 Configuration Example

    Create a read and write community and name it private. For more information about configuring the NMS, see the NMS manual. Verifying the configuration • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
  • Page 284 Figure 273 Enabling SNMP Configure an SNMP view: Click the View tab and then click Add. Perform the following configuration as shown in Figure 274. Type view1 in the field of View Name. Click Apply and enter the page of view1. Perform the following configuration as shown in Figure 275.
  • Page 285 Figure 275 Adding a view named view1 Select the Included radio box. Type the MIB subtree OID interfaces. Click Add. Click Apply. A configuration progress dialog box appears, as shown in Figure 276. After the configuration process is complete, click Close. Figure 276 Configuration progress dialog box Configure an SNMP group: Click the Group tab and then click Add.
  • Page 286 Figure 277 Configuring an SNMP group Configure an SNMP user: Click the User tab and then click Add. Perform the following configuration as shown in Figure 278. Type user1 in the User Name field. Select Auth/Pri from the Security Level list. Select group1 (Auth/Priv) from the Group Name list.
  • Page 287 Enable Agent to send SNMP traps: Click the Trap tab and perform the following configuration as shown in Figure 279. Select the Enable SNMP Trap box. Click Apply. Figure 279 Adding target hosts of SNMP traps Add target hosts of SNMP traps: On the Trap tab page, click Add and perform the following configuration as shown in Figure 280.
  • Page 288 Configuring the NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. Specify the SNMP version for the NMS as v3. Create an SNMP user user1. Enable both authentication and privacy functions. Use MD5 for authentication and DES56 for encryption.
  • Page 289: Configuring Bridging

    A transparent bridging device keeps a bridge table, which contains mappings between destination MAC addresses and outbound interfaces. For more information about transparent bridging, see Layer 2—WAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Major functionalities of bridges Maintaining the bridge table A bridge relies on its bridge table to forward data.
  • Page 290 Figure 281 Host A sends an Ethernet frame to Host B on LAN 1...
  • Page 291: Forwarding And Filtering

    Figure 283 The bridge determines that Host B is also attached to interface 1...
  • Page 292 Figure 285 Forwarding...
  • Page 293: Vlan Transparency

    Figure 287 The proper MAC-to-interface mapping is not found in the bridge table When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than the receiving interface. VLAN transparency VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN tags.
  • Page 294: Adding An Interface To A Bridge Set

    Figure 288 Global config Table 128 Configuration items Item Remarks Bridge Group id Set the ID of the bridge set you want to enable. Adding an interface to a bridge set Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the page shown in Figure 289.
  • Page 295: Bridging Configuration Example

    Set the ID of the bridge set to which you want to add the interface. VLAN Transmit: Enable or disable VLAN transparency on the interface. HP recommends not enabling this function on a subinterface. A VLAN interface does not support this function. Bridging configuration example...
  • Page 296 Figure 290 Network diagram Configuration procedure Configure Router A: # Enable bridge set 2. Select Advanced > Bridge from the navigation tree to enter the Global config page. Figure 291 Enabling bridge set 2 Enter 2 as the bridge group ID.
  • Page 297 Figure 292 Assigning Ethernet 1/1 to bridge set 2 and enable VLAN transparency Select Ethernet1/1 from the Interface list. Select 2 from the Bridge Group list. Select Enable from the VLAN Transmit list. Click Apply. # Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency. Figure 293 Assigning Ethernet 1/2 to bridge set 2 and enable VLAN transparency Select Ethernet1/2 from the Interface list.
  • Page 298 Click Apply. Configure Router B in the same way Router A is configured.
  • Page 299: Configuring User Groups

    Configuring user groups You can add hosts in a LAN to a user group and perform access control, application control, bandwidth control, and packet filtering on a per user group basis. • Access control—Allows you to deny access from hosts during specific time ranges. All data packets matching these criteria will be denied access to the Internet.
  • Page 300: Configuring A User Group

    Configuring a user group Select Advanced > Security > Usergroup from the navigation tree. The group configuration page appears, as shown in Figure 294. Figure 294 User group configuration Table 131 describes the user group configuration item. Table 131 Configuration item Item Description Set the name of the group to be added.
  • Page 301: Configuring Access Control

    Figure 295 User configuration Table 132 describes the user configuration items. Table 132 Configuration items Item Description Please select a user group Select the group to which you want to add users. Set the mode in which the users are added. •...
  • Page 302: Configuring Application Control

    Figure 296 Access control configuration Table 133 describes the access control configuration items. Table 133 Configuration items Item Description Please select a user group: Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups.
  • Page 303: Configuring Bandwidth Control

    Figure 297 Application control Table 134 describes the application control configuration items. Table 134 Configuration items Item Description Please select a user group: Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups.
  • Page 304: Configuring Packet Filtering

    Figure 298 Bandwidth control configuration Table 135 describes the bandwidth control configuration items. Table 135 Configuration items Item Description Please select a user group: Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.
  • Page 305 Figure 299 Packet filtering configuration Table 136 describes the packet filtering configuration items. Table 136 Configuration items Item Description Please select a user group: Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.
  • Page 306: Synchronizing User Group Configuration For Wan Interfaces

    Item Description configurable. Port • If you select NotCheck as the operator, port numbers will not be checked and no ports need to be specified. • If you select Range as the operator, you must specify both start and end ports to define a port range.
  • Page 307 Figure 301 Network diagram Creating user groups staff (for common users) and manager (for the manager) Select Advanced > Security > Usergroup to enter the group configuration page. Perform the configurations as shown in Figure 302. Figure 302 Creating user groups staff and manager Enter staff as a user group name.
  • Page 308 Figure 303 Adding users to user group staff Select staff from the user group list. Select Dynamic as the add mode. The following area then displays the IP addresses and MAC addresses of all the hosts in the private network that connects to the Router. Select the entries of Host B, Host C, and Host D.
  • Page 309 After the configuration process is complete, click Close. Figure 305 Adding users to user group manager Select manager from the user group list. Select Static for Add Mode. Enter hosta as the username. Enter 192.168.1.11 as the IP address. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
  • Page 310 Figure 306 Configuring access control for user group staff Select staff from the user group list. Select the boxes for Monday through Friday. Specify 09:00 as the start time. Specify 18:00 as the end time. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
  • Page 311 Select the From Device option, and select file p2p_default. Click Apply. Then, you can see that MSN is in the loaded applications on the lower part of the page. Configuring application control for user group staff Select Advanced > Security > Application Control from the navigation tree, and perform the configurations as shown in Figure 308.
  • Page 312 Figure 309 Configuring bandwidth control to user groups staff and manager Select the staff user group. Enter 8 for the CIR. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Select the manager user group. Enter 54 for the CIR.
  • Page 313 Figure 310 Configuring packet filtering for user group staff Select staff from the user group list. Select IP as the protocol. Select the Destination IP Address box. Enter 2.2.2.1 as the destination IP address. Enter 0.0.0.0 as the destination wildcard. Click Apply.
  • Page 314: Configuring Mstp

    Configuring MSTP Only MSR20/30/50/93X/1000 routers support this feature. As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
  • Page 315: How Stp Works

    Root port On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port.
  • Page 316 • Root path cost—Cost of the shortest path to the root bridge. • Designated bridge ID—Consisting of the priority and MAC address of the designated bridge. • Designated port ID—Designated port priority plus port name. • Message age—Age of the configuration BPDU while it propagates in the network. •...
  • Page 317 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Root port and designated ports selection on a non-root device.
  • Page 318 Figure 312 The STP algorithm State initialization of each device. Table 139 Initial state of each device Device Port name BPDU of port Device A: {0, 0, 0, AP1}, {0, 0, 0, AP2}. Device B: {1, 0, 1, BP1}, {1, 0, 1, BP2}. Device C: {2, 0, 2, CP1}, {2, 0, 2, CP2}...
  • Page 319 BPDU of port after Device Comparison process comparison • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 320 BPDU of port after Device Comparison process comparison After comparison: • Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU Blocked port CP2: of CP2 is elected as the optimum BPDU, and CP2 is elected...
  • Page 321: Introduction To Rstp

    However, the newly calculated configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur.
  • Page 322: Mstp Basic Concepts

    MSTP includes the following features: • MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI. • MSTP divides a switched network into multiple regions, each containing multiple spanning trees...
  • Page 323 • They have the same region name. • They have the same VLAN-to-instance mapping configuration. • They have the same MSTP revision level configuration. • They are physically linked with one another. For example, all the devices in region A0 in Figure 314 have the same MST region configuration.
  • Page 324 For example, in region D0 in Figure 314, the regional root of MSTI 1 is device B, and that of MSTI 2 is device C. Common root bridge The common root bridge is the root bridge of the CIST. In Figure 314, for example, the common root bridge is a device in region A0.
  • Page 325 Figure 315 Port roles In Figure 315, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of Device D are connected downstream to the other MST regions.
  • Page 326: How Mstp Works

    How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI (Among these MSTIs, MSTI 0 is called the CIST). Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees.
  • Page 327: Recommended Mstp Configuration Procedure

    • The values of forward delay, hello time, and max age are interdependent. Incorrect settings of these values might cause network flapping. HP recommends that you set the network diameter and let the device automatically set an optimal hello time, forward delay, and max age. The settings of hello time, forward delay and max age must meet the following formulae: 2 ×...
  • Page 328 Figure 316 MST region Click Modify. The MSTP region configuration page appears, as shown in Figure 317. Figure 317 Modifying an MST region Table 142 Configuration items Item Description MST region name. Region Name The MST region name is the bridge MAC address of the device by default. Revision Level Revision level of the MST region.
  • Page 329: Configuring Mstp Globally

    Configuring MSTP globally From the navigation tree, select Advanced > MSTP > Global. The Global MSTP Configuration page appears, as shown in Figure 318. Figure 318 Configuring MSTP globally Table 143 Configuration items Item Description Enable or disable STP globally: •...
  • Page 330 Item Description Set the STP operating mode: • STP mode—All ports of the device send out STP BPDUs. • RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the Mode legacy STP device will automatically migrate to STP-compatible mode.
  • Page 331 If the hello time is set too short, the device will send repeated configuration BPDUs frequently. This adds to the device burden Timers and wastes network resources. HP recommends that you use the default setting. • Max Age—Set the maximum length of time a configuration BPDU can be held by the device.
  • Page 332: Configuring Mstp On A Port

    Configuring MSTP on a port From the navigation tree, select Advanced > MSTP > Port. The MSTP Port Configuration page appears, as shown in Figure 319. Figure 319 MSTP configuration of a port (1) Click the Operation icon for a port. The MSTP Port Configuration page of the port appears, as shown in Figure 320.
  • Page 333 Transmit Limit The larger the transmit limit is, the more network resources will be occupied. HP recommends you to use the default value. In a switched network, if a port on an MSTP device connects to an STP device, this port will automatically migrate to the STP-compatible mode.
  • Page 334: Mstp Configuration Example

    MSTP configuration example Network requirements As shown in Figure 321, all routers on the network are in the same MST region. Router A and Router B work on the distribution layer. Router C and Router D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of VLAN 20 along MSTI 0.
  • Page 335 Set the revision level to 0. Select the Manual radio button. Select 1 from the Instance list. Set the VLAN ID to 10. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list.
  • Page 336 Figure 323 Configuring global MSTP parameters on Router A Configure Router B: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
  • Page 337 Click Apply to submit the settings. Configure Router D: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
  • Page 338 Ethernet0/1 ROOT FORWARDING NONE Ethernet0/2 ALTE DISCARDING NONE Ethernet0/3 ALTE DISCARDING NONE Ethernet0/1 ROOT FORWARDING NONE Ethernet0/2 ALTE DISCARDING NONE Ethernet0/3 ROOT FORWARDING NONE Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 324.
  • Page 339: Configuring Radius

    RADIUS provides access authentication, authorization, and accounting services. The accounting function collects and records network resource usage information. For more information about RADIUS and AAA, see HP MSR Router Series Configuration Guides (V5). Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
  • Page 340: Configuring Common Parameters

    Figure 326 RADIUS scheme configuration page Configure the parameters, as described in Table 146. Click Apply. Table 146 Configuration items Item Description Scheme Name Enter a name for the RADIUS scheme. Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting Common Configuration packets.
  • Page 341 Figure 327 Common configuration Configure the parameters, as described in Table 147. Table 147 Configuration items Item Description Server Type: Select the type of the RADIUS servers supported by the device: • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
  • Page 342 Item Description Username Format: Select the format of usernames to be sent to the RADIUS server: Original format, With domain name, or Without domain name. Typically, a username is in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to...
  • Page 343: Adding Radius Servers

    RADIUS server. RADIUS Packet Source IP HP recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
  • Page 344: Radius Configuration Example

    Figure 328 RADIUS server configuration Configure the parameters, as described in Table 148. Click Apply. You can repeat the above steps to configure multiple RADIUS servers for the RADIUS scheme. Table 148 Configuration items Item Description Server Type: Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
  • Page 345 Enter 1812 and 1813 as the ports for authentication and accounting, respectively. Select Device Management Service as the service type. Select HP as the access device type. Select the access device from the device list, or manually add the device with the IP address of 10.1.1.2.
  • Page 346 Figure 330 Adding an access device Add a user account: Log in to IMC: Click the User tab. Select Access User View > All Access Users from the navigation tree. Click Add. Enter hello@bbb as the username. Enter abc as the password and confirm the password. Select Telnet as the service type.
  • Page 347 Figure 331 Adding an account for device management Configuring the router Configure the IP address of each interface. (Details not shown.) Configure a RADIUS scheme: Select Advanced > RADIUS from the navigation tree. Click Add. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server type, select Without domain name for the username format.
  • Page 348 To add the primary accounting server, click Add again in the RADIUS Server Configuration area. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter 1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply. The RADIUS scheme configuration page refreshes and the added servers appear in the server list.
  • Page 349: Configuration Guidelines

    Use either approach to configure the AAA methods for domain bbb: Configure the same scheme for authentication and authorization in domain bbb because RADIUS authorization information is included in the authentication response message. [Router] domain bbb [Router-isp-bbb] authentication login radius-scheme system [Router-isp-bbb] authorization login radius-scheme system [Router-isp-bbb] accounting login radius-scheme system [Router-isp-bbb] quit...
  • Page 350 If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured.
  • Page 351: Configuring Login Control

    Configuring login control The login control feature allows you to control Web or Telnet logins by IP address and login type. Configuration procedure Select Advanced > Access from the navigation tree. The login control configuration page appears. The upper part of the page allows you to configure login control rules, and the lower part displays existing login control rules.
  • Page 352: Login Control Configuration Example

    Login control configuration example Network requirements As shown in Figure 336, configure login control rules so Host A cannot Telnet to Router, and Host B cannot access Router through the Web. Figure 336 Network diagram Configuring a login control rule so Host A cannot Telnet to Router Select Advanced >...
  • Page 353: Configuring A Login Control Rule So Host B Cannot Access Router Through The Web

    Click OK. A configuration progress dialog box appears, as shown in Figure 338. Figure 338 Configuration progress dialog box After the setting is complete, click Close. Configuring a login control rule so Host B cannot access Router through the Web From the navigation tree, select Advanced >...
  • Page 354 Figure 339 Configuring a login control rule so Host B cannot access Router through the Web...
  • Page 355: Configuring Arp

    In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. For more information about ARP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 356: Creating A Static Arp Entry

    Creating a static ARP entry From the navigation tree, select Advanced > ARP Management > ARP Table. The ARP table management page appears, as shown in Figure 340. Click Add. The New Static ARP Entry page appears. Figure 341 Adding a static ARP entry Configure the parameters as described in Table 151.
  • Page 357: Enabling Learning Of Dynamic Arp Entries

    Enabling learning of dynamic ARP entries From the navigation tree, select Advanced > ARP Management > Dynamic Entry. The dynamic entry management page appears, as shown in Figure 342. Figure 342 Managing dynamic entries • To disable all the listed interfaces from learning dynamic ARP entries, click Disable all. ...
  • Page 358: Configuring Gratuitous Arp

    If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the number of dynamic ARP entries that the interface can learn restores the default. Configuring gratuitous ARP From the navigation tree, select Advanced > ARP Management > Gratuitous ARP. The gratuitous ARP configuration page appears, as shown in Figure 344.
  • Page 359 Figure 345 Network diagram Configuring static ARP Create VLAN 10 and VLAN-interface 10: From the navigation tree, select Interface Setup > LAN Interface Setup. The default VLAN Setup page appears. Select the Create option, as shown in Figure 346. Enter 10 for VLAN IDs. Select the Create VLAN Interface box.
  • Page 360 Select Ethernet0/1 from the list. Click Add to bring up the configuration progress dialog box, as shown in Figure 348. After the configuration process is complete, click Close. Figure 347 Adding Ethernet 0/1 to VLAN 10 Figure 348 The configuration progress dialog box Configure the IP address of VLAN-interface 10: Click the VLAN Interface Setup tab.
  • Page 361 Figure 349 Configuring the IP address of VLAN-interface 10 Create a static ARP entry: From the navigation tree, select Advanced > ARP Management > ARP Table and click Add. Enter 192.168.1.1 for IP Address as shown in Figure 350. Enter 00e0-fc01-0000 for MAC Address. Select the Advanced Options box.
  • Page 362 View information about static ARP entries: After the previous configuration is complete, the page returns to display ARP entries. Select Type for Search. Enter Static. Click Search. You can view the static ARP entries of Router A, as shown in Figure 351.
  • Page 363: Configuring Arp Attack Protection

    Configuring ARP attack protection Overview ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. ARP attacks and viruses threaten LAN security. The device can provide the following features to detect and prevent such attacks. Periodic sending of gratuitous ARP packets Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time.
  • Page 364: Configuring Arp Automatic Scanning

    Figure 352 Configuring Gratuitous ARP sending Table 153 Configuration items Item Description Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent. To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list and click <<.
  • Page 365: Configuring Fixed Arp

    Figure 353 Configuring ARP Scanning Table 154 Configuration items Item Description Interface Specify the interface on which ARP automatic scanning is to be performed. Enter the address range for ARP automatic scanning. • To reduce the scanning time, you can specify the address range for scanning. If the specified address range covers multiple network segments of the interface's addresses, the sender IP address in the ARP request is the Start IP Address...
  • Page 366 The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static. Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are changed into static, new dynamic ARP entries might be created (suppose the number is M) and some of the dynamic ARP entries might be aged out (suppose the number is N).
  • Page 367: Configuring Ipsec Vpn

    Even if a third party captures all exchanged data for calculating the keys, it cannot calculate the keys. For more information about IPsec and IKE, see Security Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 368: Configuring An Ipsec Connection

    Step Remarks Optional. Displays configuration and status information of IPsec Displaying IPsec VPN connections, and information of IPsec tunnels. monitoring information Allows you to delete tunnels that are set up with configuration of an IPsec connection, and delete all ISAKMP SAs of all IPsec connections. Configuring an IPsec connection Select VPN >...
  • Page 369 Figure 356 Adding an IPsec connection Perform basic connection configurations as described in Table 155. Table 155 Configuration items Item Description IPsec Connection Name Enter a name for the IPsec connection. Interface Select an interface where IPsec is performed. Network Type Select a network type, site-to-site or PC-to-site.
  • Page 370 Item Description Remote Gateway: Enter the address of the remote gateway, which can be an IP address or a host name. The IP address can be a host IP address or an IP address range. If the local end is the initiator of IKE negotiation, it can have only one remote IP address and its remote IP address must match the local IP address configured on its peer.
  • Page 371 Item Description • Characteristics of Traffic—Identifies traffic to be protected based on the source Source address/wildcard and destination address/wildcard specified. Address/Wildcard • Designated by Remote Gateway—The remote gateway determines the data to be protected. IMPORTANT: • To make sure SAs can be set up, configure the source address/wildcard on one peer as the destination address/wildcard on the other, and the destination Destination address/wildcard on one peer as the source address/wildcard on the other.
  • Page 372 Figure 357 Advanced configuration Perform advanced connection configuration as described in Table 156. Click Apply. Table 156 Configuration items Item Description Phase 1 Exchange Mode: Select the IKE negotiation mode in phase 1, which can be main or aggressive. IMPORTANT: • If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive.
  • Page 373 Item Description Encryption Algorithm: Select the encryption algorithm to be used in IKE negotiation. Options include: • DES-CBC—Uses the DES algorithm in CBC mode and 56-bit key. • 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit key. • AES-128—Uses the AES algorithm in CBC mode and 128-bit key. •...
  • Page 374 Item Description Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security Protocol. Options include: • 3DES—Uses the 3DES algorithm and 168-bit key for encryption. • DES—Uses the DES algorithm and 56-bit key for encryption. • AES128—Uses the AES algorithm and 128-bit key for encryption.
  • Page 375: Displaying Ipsec Vpn Monitoring Information

    Item Description DPD Packet Retransmission Interval: Enter the interval after which DPD packet retransmission will occur if no DPD response is received. Displaying IPsec VPN monitoring information Select VPN > IPsec VPN from the navigation tree. Click the Monitoring Information tab to enter the page that displays the IPsec connection configuration and status information.
  • Page 376: Ipsec Vpn Configuration Example

    Field Description Last Connection Error: The most recent error, if any. Possible values include: • ERROR_NONE—No error occurred. • ERROR_QM_FSM_ERROR—State machine error. • ERROR_PHASEI_FAIL—Error occurred in phase 1. • ERROR_PHASEI_PROPOSAL_UNMATCHED—No matching security proposal in phase 1. • ERROR_PHASEII_PROPOSAL_UNMATCHED—No matching security proposal in phase 2.
  • Page 377 Click Add. The IPsec connection configuration page appears. Enter map1 as the IPsec connection name. Select interface Ethernet0/1. Enter 2.2.3.1 as the remote gateway IP address. Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields. In the Selector area, select Characteristics of Traffic as the selector type.
  • Page 378: Configuration Guidelines

    The page as shown in Figure 361 appears. Enter 10.1.1.0 as the destination IP address. Enter 24 as the mask. Select Interface and then select Ethernet0/1 as the interface. Click Apply. Figure 361 Configuring a static route to Host A Configure an IPsec connection.
  • Page 379 If you enable both IPsec and QoS on an interface, traffic of an IPsec SA might be put into different queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay operation, packets outside the anti-replay window in the inbound direction might be discarded, resulting in packet loss.
  • Page 380: Configuring L2Tp

    PPP session tunneled by the LAC. The L2TP extends the termination point of a PPP session from a NAS to an LNS, logically. For more information about L2TP, see Layer 2—WAN Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 381: Enabling L2Tp

    Enabling L2TP Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 363. On the upper part of the page, select the box before Enable L2TP. Click Apply. Figure 363 L2TP configuration page Adding an L2TP group Select VPN >...
  • Page 382 Configure the L2TP group information, as described in Table 159. Click Apply. Table 159 Configuration items Item Description L2TP Group Name Specify the name of the L2TP group. Peer Tunnel Name Specify the peer name of the tunnel. Local Tunnel Name Specify the local name of the tunnel.
  • Page 383 Item Description Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly. If you have specified an ISP domain in PPP authentication configuration, the address pools in the ISP domain are listed in the User Address list.
  • Page 384 Item Description Configure user authentication on an LNS. You can configure an LNS to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications Mandatory CHAP succeed.
  • Page 385 Figure 365 Adding an ISP domain Table 160 Configuration items Item Description ISP Domain Specify the name of the ISP domain. Select the primary authentication method for PPP users. • HWTACACS—HWTACACS authentication, which uses the HWTACACS scheme system. • Local—Local authentication. Primary •...
  • Page 386 Item Description Accounting Optional: Specify whether to enable the accounting optional function. For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user will be disconnected. However, with the accounting optional function enabled, the user can still use the network resources in such case, but the system will not send the accounting information of the user to the...
  • Page 387: Displaying L2Tp Tunnel Information

    Item Description End IP: The number of addresses between the start IP address and end IP address must not exceed 1024. If you specify only the start IP address, the IP address pool will contain only one IP address, namely, the start IP address. Displaying L2TP tunnel information Select VPN >...
  • Page 388 Figure 368 Network diagram Configure the VPN user Assign an IP address (2.1.1.1 in this example) to the user host, configure a route to ensure the reachability of the LNS (1.1.2.2), and create a virtual private network connection using the Windows operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode.
  • Page 389 Figure 369 Adding a local user Enable L2TP: Select VPN > L2TP > L2TP Config from the navigation tree. The L2TP configuration page appears, as shown in Figure 370. Select the box before Enable L2TP. Click Apply. Figure 370 Enabling L2TP Modify the PPP authentication method of the ISP domain system: On the L2TP configuration page, click Add to enter the L2TP group configuration page.
  • Page 390 Figure 371 Selecting local authentication for VPN users Configure the address pool used to assign IP addresses to users: On the L2TP group configuration page, click the Add button of the User Address parameter. The IP address pool configuration page appears, as shown in Figure 372.
  • Page 391 Select pool1 from the User Address list. Select Enable from the Assign Address Forcibly list. Click Apply. Figure 373 L2TP group configurations Verifying the configuration On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address (192.168.0.2) and will be able to ping the private address of the LNS (192.168.0.1).
  • Page 392: Configuring Gre

    Figure 375 X protocol networks interconnected through the GRE tunnel For more information about GRE, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring a GRE over IPv4 tunnel...
  • Page 393 Figure 376 GRE tunnel configuration page Click Add to add a GRE tunnel, as shown in Figure 377. Figure 377 Adding a GRE tunnel Table 163 Configuration items Item Description Tunnel Interface: Specify the number of the tunnel interface. IP/Mask: Specify the IP address and subnet mask of the tunnel interface. IMPORTANT: When configuring a static route on the tunnel interface, note that the destination IP...
  • Page 394: Gre Over Ipv4 Tunnel Configuration Example

    Item Description GRE Key: Specify the key for the GRE tunnel interface. This configuration is to prevent the tunnel ends from servicing or receiving packets from other places. IMPORTANT: The two ends of a tunnel must have the same key or have no key at the same time. GRE Packet Checksum: Enable or disable the GRE packet checksum function.
  • Page 395 Figure 379 Configuring interface Ethernet 0/0 Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel: Click the icon for interface Ethernet 0/1. Select Manual for Connect Mode. Enter IP address 1.1.1.1. Select IP mask 24 (255.255.255.0). Click Apply.
  • Page 396 Create a GRE tunnel: Select VPN > GRE from the navigation tree. Click Add. The Add Tunnel page appears, as shown in Figure 381. Enter 0 in the Tunnel Interface field. Enter IP address/mask 10.1.2.1/24. Enter the source end IP address 1.1.1.1, the IP address of Ethernet 0/1. Enter the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B.
  • Page 397 Figure 382 Adding a static route from Router A through interface Tunnel 0 to Group 2 Configuring Router B Configure an IPv4 address for interface Ethernet 0/0: Select Interface Setup > WAN Interface Setup from the navigation tree. Click the icon for interface Ethernet 0/0 and then perform the configurations shown in Figure 383.
  • Page 398 Click the icon for interface Ethernet 0/1 and then perform the configurations shown in Figure 384. Select Manual for Connect Mode. Enter IP address 2.2.2.2. Select IP mask 24 (255.255.255.0). Click Confirm. Figure 384 Configuring interface Ethernet 0/1 Create a GRE tunnel: Select VPN >...
  • Page 399 Figure 385 Setting up a GRE tunnel Configure a static route from Router B through interface Tunnel 0 to Group 1: Select Advanced > Route Setup from the navigation tree. Click the Create tab and then perform the configurations shown in Figure 386.
  • Page 400 Figure 387 Verifying the configuration...
  • Page 401: Ssl Vpn Overview

    SSL VPN overview SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that SSL provides, SSL VPN can establish secure connections for communications at the application layer.
  • Page 402: Advantages Of Ssl Vpn

    The SSL VPN gateway resolves the request, interacts with the corresponding server, and then forwards the server's reply to the user. Advantages of SSL VPN Support for various application protocols Any application can be secured by SSL VPN without knowing the details. SSL VPN classifies the service resources provided by applications into three categories: • Web proxy server resources—Web-based access enables users to establish HTTPS connections to...
  • Page 403: Configuring Ssl Vpn Gateway

    Configuring SSL VPN gateway To perform the configurations described in this chapter, log in to the Web interface of the router. The default login address is http://192.168.1.1, username is admin, and password is admin. Recommended configuration procedure Step Remarks Required. Configuring the SSL VPN service Enable SSL VPN, and configure the port number for the SSL VPN service and the PKI domain to be used.
  • Page 404: Configuring The Ssl Vpn Service

    Step Remarks 10. Configuring authentication policies: Optional. Configure authentication methods and authentication parameters for an SSL VPN domain. IMPORTANT: Local authentication is always enabled. To use other authentication methods, you must manually enable them. Optional. Configure the check items and protected resources for a security policy.
  • Page 406: Configuring Web Proxy Server Resources

    Configuring Web proxy server resources Typically, Web servers provide services in webpages. Users can get desired information by clicking the links on the pages. On the Internet, information exchanged between Web servers and users is transmitted in plain text. The HTTP data might be intercepted in transit. SSL VPN provides secure connections for users to access Web servers, and can prevent illegal users from accessing the protected Web servers.
  • Page 407 Item Description Website Address: Specify the website address for providing Web services. It must start with http:// and end with /, for example, http://www.domain.com/web1/. The website address can be an IP address or a domain name. If you specify a domain name, make sure you configure domain name resolution on Advanced >...
  • Page 408: Configuring Tcp Application Resources

    Table 166 Configuration items Item Description Select this box to allow IP access to the resource. If you select this item, you must configure an IP network resource for a website and associate the IP network resource with the relevant users. When such a user Use IP network accesses the website from the SSL VPN Web interface, the system logs the user in automatically to the website through the IP network resource.
  • Page 409: Configuring A Remote Access Service Resource

    Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 410: Configuring A Desktop Sharing Service Resource

    Local Host: Specify a loopback address or a character string that represents a loopback address. Local Port: Specify the port number that the local host uses for the remote access service. HP recommends using a port number greater than 1024 that is rarely used.
  • Page 411: Configuring An Email Service Resource

    Local Host: Specify a loopback address or a character string that represents a loopback address. Local Port: Specify the port number that the local host uses for the remote access service. HP recommends using a port number greater than 1024 that is rarely used.
  • Page 412: Configuring A Notes Service Resource

    Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 413 Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 414: Configuring A Common Tcp Service Resource

    Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
  • Page 415: Configuring Ip Network Resources

    Item Description Service Type Enter the type for the TCP service. Enter the host name or IP address of the remote host that provides the common TCP Remote Host service. Remote Port Enter the port number that the remote host uses for the common TCP service. Local Host Enter a loopback address or a character string that represents a loopback address.
  • Page 416: Configuring Host Resources

    Figure 403 Global configuration page Configure the global parameters as described in Table 172. Click Apply. Table 172 Configuration items Item Description Start IP Specify the IP address pool from which the gateway assigns IP addresses for clients' virtual network adapters. End IP Subnet Mask Enter the subnet mask to be assigned to a client's virtual network adapter.
  • Page 417 Figure 404 Host configuration Click Add to enter the page for adding a host resource. Figure 405 Adding a host resource Enter a name for the host resource. Click the Add button under the network services list to enter the page for adding a network service. Figure 406 Adding an available network service...
  • Page 418: Configuring A User-Ip Binding

    Description: Enter a description for the network service. IMPORTANT: If you have configured the system to show network services by description, HP recommends that you include the network services' network information (subnet IP/mask) in the description so that users can view desired information after they log in to the SSL VPN system.
  • Page 419: Configuring A Predefined Domain Name

    Click Add to enter the page for adding a user-IP binding. Figure 409 Adding a user-IP binding Configure the user-IP binding as described in Table 174. Click Apply. Table 174 Configuration items Item Description Username: Specify the username to be bound with an IP address. The username must contain the domain name.
  • Page 420: Configuring A Resource Group

    Configure the predefined domain name as described in Table 175. Click Apply. Table 175 Configuration items Item Description Domain Name Enter a domain name to be issued to clients. Select the IP setting method, including Dynamic and Static. • Dynamic: To use this method, you also need to navigate to page Advanced > DNS Setup >...
  • Page 421 Figure 413 Adding a resource group Configure the resource group as described in Table 176. Click Apply. Table 176 Configuration items Item Description Resource Group Name Enter a name for the resource group. Selected Resources Specify resources for the resource group. Available Resources...
  • Page 422: Configuring Local Users

    Configuring local users Configure SSL VPN users for local authentication in the following methods: • Configure local users one by one in the SSL VPN system. In this method, you can configure all parameters for a user at the same time, including the user name, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups.
  • Page 423 Figure 415 Adding a local user Configure the local user information as described in Table 177. Click Apply. Table 177 Configuration items Item Description Username Enter a name for the local user. Description Enter a description for the local user. Password Specify a password for the local user and enter the password again to confirm the password.
  • Page 424: Importing Local Users In Bulk

    Item Description Enable public account: Select this item to set the local user account as a public account. A public account can be concurrently used by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the local user account to log in to the SSL VPN system at a time.
  • Page 425: Configuring A User Group

    Figure 416 Batch import of local users Configuring a user group Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears. Figure 417 User groups Click Add to add a user group.
  • Page 426 Figure 418 Adding a user group Configure the user group as described in Table 178. Click Apply. Table 178 Configuration items Item Description User Group Name Enter a name for the user group. Selected Resource Groups Select resource groups for the user group. Users in the user group will be able to access the resources in the selected resource groups.
  • Page 427: Viewing User Information

    Viewing user information Viewing online user information Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, displaying the information of the current online users. Figure 419 Online users View information of the online users. Table 179 Field description Field Description...
  • Page 428: Performing Basic Configurations For The Ssl Vpn Domain

    Figure 420 History information Performing basic configurations for the SSL VPN domain Configure a domain policy, caching policy, and a bulletin: • Domain policy—Defines the common parameters and functions for the SSL VPN domain. • Caching policy—Specifies which cached contents to clear from user hosts when users log out from...
  • Page 429 Table 180 Configuration items Item Description Select this item to enable security check. With security check enabled, the SSL VPN system checks a user host based on the security policy and determines whether to allow the user to access resources according to the check result.
  • Page 430: Configuring The Caching Policy

    Configuring the caching policy Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 422. Select the operations to be done on a user host when the user logs out, including: Clear cached webpages.
  • Page 431: Configuring Authentication Policies

    Figure 424 Adding a bulletin Configure the bulletin settings as described in Table 181. Click Apply. Table 181 Configuration items Item Description Title Enter a name for the bulletin. Content Enter the contents of the bulletin. Selected User Groups Select the user groups that can view the bulletin. Available User Groups Configuring authentication policies SSL VPN supports local authentication, RADIUS authentication, LDAP authentication, AD authentication,...
  • Page 432: Configuring Local Authentication

      • Password—Authenticates only a user's password.
      • Password+Certificate—Authenticates a user's password and client certificate.
      • Certificate—Authenticates only a user's client certificate.
    RADIUS authentication supports only two authentication policies: password and password+certificate.
    Configuring local authentication
    Local authentication authenticates users by using the user information saved on the SSL VPN gateway. This authentication method is the fastest because user information is locally saved, and the SSL VPN gateway does not need to exchange information with an external authentication server.
  • Page 433: Configuring Ldap Authentication

    Figure 426 RADIUS authentication Configure the RADIUS authentication settings as described in Table 182. Click Apply. Table 182 Configuration items Item Description Enable RADIUS Select this item to enable RADIUS authentication. authentication Select an authentication mode for RADIUS authentication. Options include Password Authentication Mode and Password+Certificate.
  • Page 434 Figure 427 LDAP authentication Configure the LDAP authentication settings as described in Table 183. Click Apply. Table 183 Configuration items Item Description Enable LDAP Select this item to enable LDAP authentication. authentication LDAP Sever IP Specify the IP address of the LDAP server. Server Port Specify the TCP port number used by the LDAP server.
  • Page 435: Configuring Ad Authentication

    Configuring AD authentication Active Directory (AD) is a directory service provided by Windows 2000 Server and later versions. It saves information of objects on a network and allows administrators and users to query the information. AD uses structured data storage, which is the basis of the directory information logical structure. The SSL VPN system can cooperate with the existing AD server of an enterprise seamlessly to provide AD authentication for users in the enterprise.
  • Page 436: Configuring Combined Authentication

    Item Description Password Set a password for the administrator account, and enter the password again to confirm the password. Confirm Password Set the username format used to log in to the AD server. Options include Without the Username Format AD domain name, With the AD domain name, and Login name. Configuring combined authentication A combination authentication method can combine any two of the four authentication methods (local authentication, RADIUS authentication, LDAP authentication, and AD authentication) in any order.
  • Page 437: Configuring A Security Policy

    Configuring a security policy Insecure user hosts might bring potential security threats to the internal network. You can configure security policies for the SSL VPN system so that when a user logs in, the SSL VPN system checks the user host's operating systems, browsers, antivirus software, firewall software, files and processes, and determines which resources to provide for the user according to the check result.
  • Page 438 Configure the security policy as described in Table 186. Click Apply. Table 186 Configuration items Item Description Name Enter a name for the security policy. Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
  • Page 439 Item Description Set an operator for the browser version check. • >=: A user host must use the specified version or a later version. • >: A user host must use a version later than the specified version. Operator • =: A user host must use the specified version.
  • Page 440 Item Description Rule Name Enter a name for the file rule. File Specify the files. A user host must have the specified files to pass security File Name check. Rule Name Enter a name for the process rule. Process Specify the processes. A user host must have the specified processes to pass Process Name security check.
  • Page 441: Customizing The Ssl Vpn User Interface

    Customizing the SSL VPN user interface
    The SSL VPN system allows you to customize the user interface partially or fully as desired:
      • Partial customization—You can use the webpage files provided by the system and edit some contents in the files as needed, including the login page title, login page welcome information, login page logo, service page banner information, service page logo, and service page background.
  • Page 442 Figure 433 Specifying a login page logo picture Configuring the service page logo Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. Click the Service Page Logo tab to enter the page shown in Figure 434.
  • Page 443: Customizing The Ssl Vpn Interface Fully

    Figure 435 Specifying a service page background picture Customizing the SSL VPN interface fully Before full customization of the SSL VPN interface, upload the customized page file to the SSL VPN gateway through FTP or TFTP. Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full customization page appears.
  • Page 444: User Access To Ssl Vpn

    User access to SSL VPN This chapter introduces user access to the SSL VPN service interface provided by the system. It is not suitable for user access to a fully customized SSL VPN service interface. After you finish configurations on the SSL VPN gateway, remote users can establish HTTPS connections to the SSL VPN gateway, and access resources through the user service interface provided by the SSL VPN gateway.
  • Page 445: Accessing Ssl Vpn Resources

    Figure 438 SSL VPN service interface Figure 439 SSL VPN client software Accessing SSL VPN resources After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations: Clicking a resource name under Websites to access the website.
  • Page 446: Getting Help Information

    receiving and sending servers according to the email resource name, logs in by using the username and password, and then uses the email service.
      • For an IP network resource, the user can access any host in any accessible network segment and...
  • Page 447 Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 441. Enter the new password, and confirm the new password. Click Apply. When the user logs in again, the user must enter the new password. Figure 441 Changing login password...
  • Page 448: Ssl Vpn Configuration Example

    SSL VPN configuration example Network requirements As shown in Figure 442, request a certificate and enable SSL VPN service on the SSL VPN gateway so that users can use HTTPS to log in to the SSL VPN gateway to access the internal resources of the corporate network.
  • Page 449: Configuration Procedure

    Configuration procedure Configuring the SSL VPN service Configure a PKI entity named en: Select Certificate Management > Entity from the navigation tree. Click Add to enter the PKI configuration page, as shown in Figure 443. Enter the PKI entity name en. Enter common name http-server for the entity.
  • Page 450 Figure 444 Configuring a PKI domain named sslvpn Generate an RSA key pair: Select Certificate Management > Certificate from the navigation tree. Click Create Key to enter the key generation page, as shown in Figure 445. Set the key length to 1024. Click Apply.
  • Page 451 Figure 446 Retrieving the CA certificate to the local device Request a local certificate: After the CA certificate retrieval operation is complete, click Request Cert on the certificate management page. Select sslvpn as the PKI domain. Click Apply. The system displays "Certificate request has been submitted." Click OK to confirm the operation.
  • Page 452: Configuring Ssl Vpn Resources

    Figure 448 Certificate management page Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service: Select VPN > SSL VPN > Service Management from the navigation tree. Select the box before Enable SSL VPN. Set the port number to 443.
  • Page 453 Enter the website address http://10.153.1.223/. Click Apply. Figure 450 Configuring a Web proxy resource Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120: Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. Click the Desktop Sharing Service tab.
  • Page 454 Figure 451 Configuring a desktop sharing service resource Configure global parameters for IP network resources: Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global Configuration tab appears, as shown in Figure 452. Enter the start IP address 192.168.0.1.
  • Page 455 Click Add to enter the host resource configuration page. Enter the resource name sec_srv. Click the Add button under the Network Services list. On the page that appears, as shown in Figure 453, enter the destination IP address 10.153.2.0, enter the subnet mask 24, select IP as the protocol type, specify the description information as 10.153.2.0/24, and click Apply.
  • Page 456 Figure 455 Configuring a host resource Configure resource group res_gr1, and add resource desktop to it: Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to enter the resource group list page. Click Add to enter the resource group configuration page, as shown in Figure 456.
  • Page 457: Configuring Ssl Vpn Users

    Enter the resource group name res_gr2. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list. Click Apply. Figure 457 Configuring resource group res_gr2 Configuring SSL VPN users Configure a local user account usera: Select VPN >...
  • Page 458 Figure 458 Adding local user usera Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group: Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the user group list page.
  • Page 459 Figure 459 Configuring user group user_gr1 Configure user group user_gr2, and assign resource group res_gr2 to the user group: On the user group list page, click Add. Enter the user group name user_gr2. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list.
  • Page 460: Configuring An Ssl Vpn Domain

    Figure 460 Configuring user group user_gr2 Configuring an SSL VPN domain Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 461.
  • Page 461 Figure 461 Configuring the domain policy Configure a RADIUS scheme named system: Select Advanced > RADIUS from the navigation tree. Click Add to enter the RADIUS scheme configuration page. Enter the scheme name system. In the Common Configuration area, select Extended as the supported RADIUS server type, and select Without domain name as the username format.
  • Page 462: Verifying The Configuration

    Figure 463 Configuring RADIUS scheme named system Enable RADIUS authentication for the SSL VPN domain: Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. Click the RADIUS Authentication tab. Select the box before Enable RADIUS authentication. Click Apply.
  • Page 463 Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 465. Clicking the resource name, you can access the shared desktop of the specified host, as shown in Figure 466.
  • Page 464 Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 467.
  • Page 465: Managing Certificates

    HP's PKI system provides certificate management for IPsec, and SSL. The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples: VPN—A VPN is a private data communication network built on the public communication...
  • Page 466: Recommended Configuration Procedure For Manual Request

    Recommended configuration procedure for manual request Step Remarks Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of Creating a PKI entity the entity.
  • Page 467: Recommended Configuration Procedure For Automatic Request

    Step Remarks Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
  • Page 468: Creating A Pki Entity

    Task Remarks Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with Creating a PKI domain some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
  • Page 469: Creating A Pki Domain

    Figure 470 Creating a PKI entity Configure the parameters as described in Table 189. Click Apply. Table 189 Configuration items Item Description Entity Name Enter the name for the PKI entity. Common Name Enter the common name for the entity. IP Address Enter the IP address of the entity.
  • Page 470 Figure 471 PKI domains Click Add. Figure 472 Creating a PKI domain Configure the parameters as described in Table 190. Click Apply. Table 190 Configuration items Item Description Domain Name Enter the name for the PKI domain. Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA.
  • Page 471 It does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. HP recommends that you deploy an independent RA. Enter the URL of the RA.
  • Page 472: Generating An Rsa Key Pair

    Item Description Set the polling interval and attempt limit for querying the certificate request status. Polling Count After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after Polling Interval the certificate is signed.
  • Page 473: Destroying The Rsa Key Pair

    Figure 474 Generating an RSA key pair Set the key length. Click Apply. Destroying the RSA key pair From the navigation tree, select Certificate Management > Certificate. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 475 Destroying the RSA key pair Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
  • Page 474 Click Apply. Table 191 Configuration items Item Description Domain Name Select the PKI domain for the certificate. Certificate Type Select the type of the certificate to be retrieved, which can be CA or local. Enable Offline Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means Mode like FTP, disk, or email).
  • Page 475: Requesting A Local Certificate

    Requesting a local certificate From the navigation tree, select Certificate Management > Certificate. Click Request Cert. Figure 478 Requesting a certificate Configure the parameters as described in Table 192. Table 192 Configuration items Item Description Domain Name Select the PKI domain for the certificate. Password Enter the password for certificate revocation.
  • Page 476: Retrieving And Displaying A Crl

    Retrieving and displaying a CRL From the navigation tree, select Certificate Management > CRL. Figure 480 CRLs Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL. Figure 481 Displaying CRL information PKI configuration examples Certificate request from a Windows 2003 CA server...
  • Page 477 Figure 482 Network diagram Configuring the CA server Install the CA server component: From the start menu, select Control Panel > Add or Remove Programs. Select Add/Remove Windows Components. In the pop-up dialog box, select Certificate Services. Click Next to begin the installation. Install the SCEP add-on: Because a CA server running Windows 2003 server operating system does not support SCEP by default, be sure to install the SCEP add-on to provide the router with automatic certificate...
  • Page 478 Figure 483 Creating a PKI entity Create a PKI domain: From the navigation tree, select Certificate Management > Domain. Click Add. The page in Figure 484 appears. In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA identifier, select aaa as the local entity, select RA as the authority for certificate request, enter http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port are the...
  • Page 479 Enter 1024 as the key length, and click Apply. Figure 485 Generating an RSA key pair Retrieve the CA certificate: From the navigation tree, select Certificate Management > Certificate. Click Retrieve Cert. Select torsa as the PKI domain, select CA as the certificate type, and click Apply. Figure 486 Retrieving the CA certificate Request a local certificate: From the navigation tree, select Certificate Management >...
  • Page 480: Certificate Request From An Rsa Keon Ca Server

    Figure 487 Requesting a certificate Verifying the configuration After the configuration, you can select Certificate Management > Certificate from the navigation tree, and then click View Cert corresponding to the certificate of PKI domain torsa to display the certificate information. You can also click View Cert corresponding to the CA certificate of PKI domain torsa to display the CA certificate information.
  • Page 481 After completing the configuration, perform CRL related configurations. In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the router is synchronized with that of the CA, so that the router can request certificates and retrieve CRLs properly.
  • Page 482 Figure 490 Creating a PKI domain Generate an RSA key pair: From the navigation tree, select Certificate Management > Certificate. Click Create Key. Set the key length to 1024, and click Apply. Figure 491 Generating an RSA key pair Retrieve the CA certificate: From the navigation tree, select Certificate Management >...
  • Page 483 Figure 492 Retrieving the CA certificate Request a local certificate: From the navigation tree, select Certificate Management > Certificate. Click Request Cert. Select torsa as the PKI domain, select Password, enter "challenge-word" as the password, and click Apply. The system displays "Certificate request has been submitted." Click OK to confirm.
  • Page 484: Ike Negotiation With Rsa Digital Signature

    Figure 494 Retrieving the CRL Verifying the configuration After the configuration, select Certificate Management > Certificate from the navigation tree to display detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to display detailed information about the retrieved CRL. IKE negotiation with RSA digital signature Network requirements An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on subnet...
  • Page 485 Figure 495 Network diagram Configuring Router A Create a PKI entity: From the navigation tree, select Certificate Management > Entity. Click Add. Enter en as the PKI entity name, enter router-a as the common name, enter 2.2.2.1 as the IP address of the entity, and click Apply.
  • Page 486 Create a PKI domain: From the navigation tree, select Certificate Management > Domain. Click Add. The page in Figure 497 appears. Enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example.
  • Page 487 Figure 498 Generating an RSA key pair Retrieve the CA certificate: From the navigation tree, select Certificate Management > Certificate. Click Retrieve Cert. Select 1 as the PKI domain, select CA as the certificate type, and click Apply. Figure 499 Retrieving the CA certificate Request a local certificate: From the navigation tree, select Certificate Management >...
  • Page 488 Figure 500 Requesting a certificate Configure an IPsec connection: From the navigation tree, select VPN > IPsec VPN. Click Add. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 3.3.3.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-a for the certificate, select Characteristics of Traffic as the selector type, enter 11.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 10.1.1.0/0.0.0.255 as the destination IP address/wildcard.
  • Page 489 Create a PKI entity: From the navigation tree, select Certificate Management > Entity. Click Add. Enter en as the PKI entity name, enter router-b as the common name, and enter 3.3.3.1 as the IP address of the entity. Click Apply. Create a PKI domain: From the navigation tree, select Certificate Management >...
  • Page 490: Configuration Guidelines

    Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 2.2.2.1 as the remote gateway IP address, select Certificate as the authentication method, and select CN=router-b for the certificate, select Characteristics of Traffic as the selector type, enter 10.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 11.1.1.0/0.0.0.255 as the destination IP address/wildcard.
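    A consistency check for the two IPsec connections configured above, added here as an example and not part of HP's guide: it verifies that each router's traffic selectors mirror its peer's and that each remote gateway points at the peer. The `IpsecConnection` class and the function names are hypothetical, and the check assumes each router's PKI entity IP address (2.2.2.1 and 3.3.3.1) is the address its peer enters as the remote gateway.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class IpsecConnection:
    """One side of the tunnel as entered on the IPsec VPN page (hypothetical model)."""
    router: str
    local_ip: str        # assumption: the PKI entity IP is the local gateway address
    remote_gateway: str
    source: str          # "address/wildcard", e.g. "11.1.1.0/0.0.0.255"
    destination: str     # "address/wildcard"


def normalize(selector: str) -> Tuple[int, int]:
    """Return (base, wildcard) with every wildcarded bit cleared in the base."""
    addr_text, sep, wildcard_text = selector.partition("/")
    if not sep:
        raise ValueError(f"expected address/wildcard, got {selector!r}")
    addr = int(ipaddress.IPv4Address(addr_text))
    wildcard = int(ipaddress.IPv4Address(wildcard_text))
    return addr & ~wildcard & MASK32, wildcard


def describe(selector: str) -> str:
    """Render a selector as CIDR when the wildcard is contiguous, else as given."""
    base, wildcard = normalize(selector)
    if (wildcard & (wildcard + 1)) == 0:  # wildcard is 0...01...1
        return str(ipaddress.IPv4Network((base, 32 - wildcard.bit_length())))
    return f"{ipaddress.IPv4Address(base)}/{ipaddress.IPv4Address(wildcard)}"


def overlaps(first: str, second: str) -> bool:
    """True when some address matches both selectors (works for any wildcard)."""
    base1, wild1 = normalize(first)
    base2, wild2 = normalize(second)
    return ((base1 ^ base2) & ~(wild1 | wild2) & MASK32) == 0


def check_peers(a: IpsecConnection, b: IpsecConnection) -> List[str]:
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    for local, peer in ((a, b), (b, a)):
        if ipaddress.IPv4Address(local.remote_gateway) != ipaddress.IPv4Address(peer.local_ip):
            findings.append(
                f"{local.router}: remote gateway {local.remote_gateway} "
                f"is not {peer.router}'s address {peer.local_ip}"
            )
        if normalize(local.source) != normalize(peer.destination):
            findings.append(
                f"{local.router}: source {describe(local.source)} does not mirror "
                f"{peer.router}'s destination {describe(peer.destination)}"
            )
        if overlaps(local.source, local.destination):
            findings.append(
                f"{local.router}: source {describe(local.source)} overlaps "
                f"destination {describe(local.destination)}"
            )
    return findings


# Values taken from the Router A and Router B steps on this page.
ROUTER_A = IpsecConnection("Router A", "2.2.2.1", "3.3.3.1",
                           "11.1.1.0/0.0.0.255", "10.1.1.0/0.0.0.255")
ROUTER_B = IpsecConnection("Router B", "3.3.3.1", "2.2.2.1",
                           "10.1.1.0/0.0.0.255", "11.1.1.0/0.0.0.255")

if __name__ == "__main__":
    for line in check_peers(ROUTER_A, ROUTER_B) or ["selectors and gateways mirror each other"]:
        print(line)
```

    A selector that is mistyped on one side shows up as a single finding naming the router and the mismatched range, which is quicker to spot than a tunnel that negotiates but passes no traffic.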
  • Page 491: Managing The System

    Managing the system Configuring Web management This module enables you to set the Web connection idle-timeout timer. If you do not perform any operations on the Web interface before this timer expires, you are logged out of the Web page. By default, the idle-timeout timer is 10 minutes.
  • Page 492: Restoring Factory Defaults

    To save the configuration: From the navigation tree, select System Management > Configuration. The save configuration page appears. Figure 503 Saving the configuration Perform one of the following operations: To save the current configuration to the next-startup configuration file, click Save Current Settings.
  • Page 493: Restoring Configuration

      • View the next-startup configuration file, including the .cfg file and .xml file.
      • Back up the next-startup configuration file, including the .cfg file and .xml file, to your local host.
    To back up the configuration: From the navigation tree, select System Management > Configuration. Click the Backup tab.
  • Page 494: Backing Up And Restoring Device Files Through The Usb Port

    Click one of the Browse… buttons: When you click the upper Browse… button in this figure, the file upload dialog box appears. You can select a .cfg file to upload. When you click the lower Browse… button in this figure, the file upload dialog box appears. You can select an .xml file to upload.
  • Page 495: Rebooting The Device

    Figure 507 Backing up and restoring device files through the USB port Perform one of the following operations: In the Device File(s) area, select the files to be backed up, and click the Backup button to back up the selected files to the destination device. In the USB File(s) area, select the files to be restored, and click the Restore button to transfer the selected files to the device through the USB port.
  • Page 496: Managing Services

    check is successful, the system reboots the device. Otherwise, a dialog box appears, telling you that the current configuration and the saved configuration are inconsistent, and the reboot fails. In this case, save the current configuration manually before you can reboot the device. If you do not select the option, the system reboots the device directly.
  • Page 497 To manage services: From the navigation tree, select System Management > Service Management. The service management configuration page appears. Configure the service management as described in Table 193. Click Apply. Figure 509 Service management Table 193 Configuration items Item Description Specify whether to enable the FTP service. Enable FTP service.
  • Page 498: Managing Users

    Item Description Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. ACL. You can view this configuration item by clicking the expanding button in front of HTTP. Specify whether to enable the HTTPS service.
  • Page 499: Setting The Super Password

    Figure 510 Creating a user Table 194 Configuration items Item Description Username Set the username for a user. Set the access level for a user. Users of different levels can perform different operations. Listed from low to high, Web user levels are as follows: •...
  • Page 500: Switching To The Management Level

    From the navigation tree, select System Management > Users. Click the Super Password tab. The super password configuration page appears. Configure the super password as described in Table 195. Click Apply. Figure 511 Super password configuration page Table 195 Configuration items Item Description Set the operation type:...
  • Page 501: Configuring System Time

    Figure 512 Access level switching page Configuring system time Configure a correct system time so the device can work with other devices correctly. The device supports setting and displaying the system time, and setting the time zone and daylight saving time through manual configuration and automatic synchronization of NTP server time.
  • Page 502 Figure 513 System time configuration page Table 196 Configuration items Item Description Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by entering their IP addresses. NTP Server 1 is the primary and NTP Server 2 is the secondary. NTP Server 1.
  • Page 503: Setting The Time Zone And Daylight Saving Time

    Figure 514 Calendar page Setting the time zone and daylight saving time From the navigation tree, select System Management > System Time. Click the Time Zone tab. The page for setting time zone appears. Configure the time zone as described in Figure 515.
  • Page 504: Configuring Tr-069

    Item Description Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 516. You can configure the daylight saving time changes in the following ways: •...
  • Page 505: Tr-069 Network Framework

    TR-069 network framework
    Figure 517 Network diagram
    The basic network elements of TR-069 are:
      • ACS—Auto-Configuration Server, which is the management device in the network.
      • CPE—Customer Premise Equipment, which is the managed device in the network.
      • DNS server—Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to...
  • Page 506
      • ACS address (URL)
      • ACS username (Username)
      • ACS password (Password)
      • Inform message auto sending flag (PeriodicInformEnable)
      • Inform message auto sending interval (PeriodicInformInterval)
      • Inform message auto sending time (PeriodicInformTime)
      • CPE username (ConnectionRequestUsername)
      • CPE password (ConnectionRequestPassword)
      •...
  • Page 507: Configuration Procedure

      • CPE username
      • CPE password
    For the TR-069 mechanism, see Network Management and Monitoring Configuration Guide in HP MSR Router Series Configuration Guides (V5).
    Configuration procedure
    The TR-069 parameters of CPE can be configured automatically through ACS remote management, and also can be configured manually through Web, which is described in detail in this section.
  • Page 508: Configuration Guidelines

    Item Description Configure the password used by the CPE to authenticate the connection sent from the ACS. Password. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same. Sending Enable or disable CPE's periodical sending of Inform messages.
  • Page 509: Upgrading Software (For The Msr20/30/50/93X/1000)

    Figure 519 Software upgrade configuration page Table 199 Configuration items Item Description Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. File IMPORTANT: The filename is main.bin when the file is saved on the device. Reboot after the upgrading Specify whether to reboot the device to make the upgraded software take finished...
  • Page 510 Table 200 Configuration items Item Description Specify the filename of the local application file, which must be suffixed with File the .app or .bin extension. Specify the type of the system software image for the next boot: • File Type Main.
  • Page 511: Configuring Snmp (Lite Version)

      • send traps to the NMS when some events, such as interface state change, occur.
    HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
      • SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use...
  • Page 512 Figure 521 SNMP page Configure the SNMP agent, as shown in Table 201. Table 201 Configuration items Item Description Specify to enable or disable the SNMP agent. IMPORTANT: SNMP If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed.
  • Page 513: Snmp Configuration Examples

    Item Description Set the SNMP security username when you select the SNMP version SNMPv3. Security Username The security name on the agent must be the same as that on the NMS. Set the authentication password when you select the SNMP version SNMPv3.
  • Page 514 Figure 522 Network diagram Configuring the SNMP agent Select System Management > SNMP from the navigation tree, and then perform configuration as shown in Figure 523. Figure 523 Configuring the SNMP agent Select the Enable option. Select the SNMPv1 & v2 option. Type readonly in the field of Read Password.
  • Page 515: Snmpv3 Configuration Example

    Verifying the configuration
      • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
      • Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.
    SNMPv3 configuration example
    Network requirements
    As shown in...
  • Page 516 Type prikey in the field of Privacy Password. Type 1.1.1.2 in the field of Trusted Host. Type 1.1.1.2 in the field of Trap Target Host Address/Domain. Click Apply. Configuring the SNMP NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations.
  • Page 517: Configuring Syslogs

    Configuring syslogs System logs record network and device information, including running status and configuration changes. With system log information, network administrators can find network or security problems, and take corresponding actions against them. The system sends system logs to the following destinations: • Console...
  • Page 518: Setting The Log Host

    View system logs. To clear all system logs in the log cache, click Reset. To refresh system logs, click Refresh. To make the syslog display page refresh automatically, set the refresh interval on the syslog configuration page. For more information, see "Setting buffer capacity and refresh interval."...
  • Page 519: Setting Buffer Capacity And Refresh Interval

    Figure 527 Loghost configuration page Configure the log host as described in Table 203. Click Apply. Table 203 Configuration items Item Description IPv4/Domain Set the IPv4 address or domain name of the log host. Loghost IP/Domain IPv6 Set the IPv6 address of the log host. Loghost IP Setting buffer capacity and refresh interval Select Other >...
  • Page 520 Figure 528 Log setup Configure buffer capacity and refresh interval as described in Table 204. Click Apply. Table 204 Configuration items Item Description Buffer Capacity Set the number of logs that can be stored in the log buffer. Set the refresh interval of log information. You can select manual refresh or automatic refresh: Refresh Interval •...
  • Page 521: Using Diagnostic Tools

    Using diagnostic tools This chapter describes how to use the ping and traceroute facilities. Traceroute By using the traceroute facility, you can trace Layer 3 devices involved in delivering a packet from source to destination. You can traceroute the IP address or the host name of a device. If the target host name cannot be resolved, a prompt appears.
  • Page 522: Ping Operation

    To perform a traceroute operation: Log in to the Web interface, and select Other > Diagnostic Tools from the navigation tree to enter the traceroute operation page, as shown in Figure 529. Enter the destination IP address or host name. Click Start.
  • Page 523 Figure 530 Ping configuration page...
  • Page 524: Configuring Winet

    Configuring WiNet The Wisdom Network (WiNet) technology helps you centrally manage a large number of scattered network devices by using a small number of public IP addresses. WiNet has the following benefits: • Integration—WiNet is integrated in network devices as a function without needing any dedicated...
  • Page 525: Setting The Background Image For The Winet Topology Diagram

    Select WiNet from the navigation tree. When WiNet is disabled, a dialog box Only the WiNet administrator supports the function appears. Click OK to enter the Setup page, as shown in Figure 532. Configure WiNet, as shown in Table 205. Figure 532 WiNet setup page Table 205 Configuration items Item...
  • Page 526: Managing Winet

    To customize the background image, click Browse, locate the image you want to use, and click Upload. To remove the customized background image, click Clear. Managing WiNet To manage WiNet members, make sure the port that connects your host to the administrator permits packets of the management VLAN.
  • Page 527 After the authentication center starts up, the Open AuthN Center button changes to Close AuthN Center. Click the Close AuthN Center to remove the RADIUS server and the guest user. Drag the icon of a specific device in the WiNet topology and place it to a position as needed. If the browser is configured to accept cookies, the latest position information of each device is stored after you click Network Snapshot.
  • Page 528: Configuring A Radius User

    Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click Port Guard to enable Layer 2 portal authentication on the interfaces. CAUTION: You cannot enable Layer 2 portal authentication on an interface that connects to a member/candidate device, connects to an external network, or connects to the console terminal.
  • Page 529 Figure 537 Adding a user Table 206 Configuration items Item Description Username Enter the name of the user. Set a user password and confirm it. Password IMPORTANT: Confirm Password The leading spaces (if any) of a password will be omitted. Enter an authorized VLAN ID for the user.
  • Page 530: How The Guest Administrator Obtains The Guest Password

    Batch importing and exporting RADIUS users Select WiNet from the navigation tree, and click the User Management tab to enter the page as shown Figure 536. Click Export and click Save in the dialog box that appears. Set the local path and file name for saving the exported files. Click Save to export all the RADIUS user information in the files to the local host.
  • Page 531: Winet Configuration Example

    display the password, for example, <script type="text/javascript">if (szPTGuestPWD !="") document.write("Guest password is " + szPTGuestPWD);</script>. WiNet configuration example WiNet establishment configuration example Network requirements As shown in Figure 540, a WiNet comprises an administrator and two members. • The administrator is connected to the external network through Ethernet 0/1, and is connected to the members through Ethernet 0/2 and Ethernet 0/3.
  • Page 532 Figure 541 Creating VLAN 10 and VLAN-interface 10 Select the Create option. Enter 10 for VLAN IDs. Select the Create VLAN Interface box. Click Apply. # Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10. Figure 542 Assigning interfaces to VLAN 10 On the VLAN Setup page, select 10 in the VLAN Config field.
  • Page 533 Click Add. The configuration progress dialog box appears. Figure 543 Configuration progress dialog box After the configuration is complete, click Close. # Configure the IP address of VLAN-interface 10. Click the VLAN Interface Setup tab. Figure 544 Specifying an IP address for VLAN-interface 10...
  • Page 534 Select 10 for VLAN ID. Enter 163.172.55.1 for IP Address. Enter 255.255.255.0 for Subnet Mask. Click Apply. # Enable WiNet. Select WiNet from the navigation tree. When WiNet is disabled, a dialog box Only the WiNet administrator supports the function appears.
  • Page 535: Winet-Based Radius Authentication Configuration Example

    Figure 546 WiNet topology diagram WiNet-based RADIUS authentication configuration example Network requirements As shown in Figure 547, a WiNet comprises an administrator (Device B ) and two members (Device A and Device C). The client connects to Device A through Ethernet 0/2. Deploy security authentication in the WiNet so that the client can access external networks after passing authentication on Device B.
  • Page 536 Figure 547 Network diagram Configuration procedure Establish a WiNet. "WiNet establishment configuration example." Configure WiNet-based RADIUS authentication. # Specify a RADIUS user. Log in to Device B through Ethernet 0/1. Select WiNet from the navigation tree on Device B. Click the User Management tab. Click Add.
  • Page 537 Figure 549 Setting up a RADIUS server Click the WiNet Management tab. Click Open AuthN Center. # Enable Layer 2 portal authentication on Ethernet 0/2 of Device A. Figure 550 Enabling Layer 2 portal authentication on Ethernet 0/2 of Device A...
  • Page 538 Click Device A on the topology diagram. Click Ethernet 0/2 on the panel diagram. Click Port Guard.
  • Page 539: Configuration Wizard

    Configuration wizard Overview The configuration wizard helps you establish a basic call, and configure local numbers and connection properties. Basic service setup Entering the configuration wizard homepage From the navigation tree, select Voice Management > Configuration Wizard to access the configuration wizard homepage, as shown in Figure 551.
  • Page 540: Configuring Local Numbers

    Figure 552 Country selection page Table 207 Configuration item Item Description Call Progress Tone Configure the device to play the call progress tones of a specified country or region. Country Mode Configuring local numbers In the country tone configuration page, click Next to access the local number configuration page, as shown in Figure 553.
  • Page 541: Configuring Connection Properties

    Configuring connection properties After you finish the local number configuration, click Next to access the connection property configuration page, as shown in Figure 554. Figure 554 Connection property configuration page Table 209 Configuration items Item Description Specify the address of the main registrar. It can be an IP address or a Main Registrar Address domain name.
  • Page 542: Local Number And Call Route

    Local number and call route This chapter describes local numbers, call routes, fax and modem, call services, and advanced settings. Local numbers and call routes Local numbers and call routes are basic settings for making voice calls. • Local number configuration includes setting a local telephone number and authentication...
  • Page 543: Basic Settings

    Basic settings This section provides information about configuring basic settings. Introduction to basic settings Local number Local number configuration includes setting a local telephone number and authentication information used for registration. Call route Call route configuration includes setting a destination telephone number and call route type. The call route type can be either SIP routing or trunk routing.
  • Page 544: Basic Settings

    Configuring trunking mode calling for the configuration example of using the trunking routing as the call route type. Basic settings Configuring a local number Select Voice Management > Local Number from the navigation tree, and click Add to access the page for creating a local number, as shown in Figure 557.
  • Page 545: Configuring A Call Route

    Item Description This list displays all FXS voice subscriber lines. Select a voice subscriber line to be Bound Line bound with the local number. Description Specify the description of the number. • Enable—Select this option to buffer the voice packets received from the IP side, so Jitter-buffer Adaptive that the received voice packets can be played out evenly.
  • Page 546 Figure 558 Call route configuration page   Table 211 Configuration items Item Description Call Route ID Enter a call route ID in the range of 1 to 2147483647. Destination Enter the called telephone number. Number...
  • Page 547 Item Description Route Description Enter the description of the call route. Proxy Server Use a SIP proxy server to complete calling. IP Routing Use the SIP protocol to perform direct calling. If you select this option, you must provide the destination address and port number....
  • Page 548: Configuration Examples Of Local Number And Call Route

    Configuration examples of local number and call route Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address) Network requirements As shown in Figure 559, Router A and Router B can directly call each other as SIP UAs using the SIP protocol (configuring static IP addresses).
  • Page 549 Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
  • Page 550 Figure 561 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address. Click Apply.
  • Page 551 Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 562 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list.
  • Page 552 Figure 563 Creating call route 1111 Enter 2 for Call Route ID. Enter 1111 for Destination Number. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. Click Apply. Verifying the configuration • After the previous configuration, you can use telephone 1111 to call telephone 2222, or use...
  • Page 553: Configuring Direct Calling For Sip Uas Through The Sip Protocol (Configuring Domain Name)

    • Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls. Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name) Network requirements As shown in Figure...
  • Page 554 Figure 565 Creating local number 1111 Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
  • Page 555 Figure 566 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select IP Routing for SIP Routing, and type cc.news.com for Destination Address. Click Apply.
  • Page 556 Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 567 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list.
  • Page 557 Figure 568 Creating call route 1111 Enter 2 for Call Route ID. Enter 1111 for Destination Number. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. Click Apply.
  • Page 558: Configuring Proxy Server Involved Calling For Sip Uas

    Verifying the configuration • After the previous configuration, you can use telephone 1111 to call telephone 2222 by using the DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111 by querying the static IP address of the called party....
  • Page 559 Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
  • Page 560 Figure 571 Creating call route 2222 Enter 10000 for Call Route ID. Enter 2222 for Destination Number. Select SIP Routing for Call Route Type. Select Proxy Server for SIP Routing. Click Apply.
  • Page 561 # Configure the registrar and the proxy server. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page. Figure 572 Configuring registration information Select Enable for Register State. Enter 192.168.2.3 for Main Registrar Address. Enter Router A for Username and abc for Password.
  • Page 562 Figure 573 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone B for Description. Click Apply. # Create a call route Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
  • Page 563 Figure 574 Creating call route 1111 Enter 1 for Call Route ID. Enter 1111 for Destination Number. Select SIP for Call Route Type. Select Proxy Server for SIP Routing. Click Apply. # Configure the registrar and the proxy server. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page.
  • Page 564 Figure 575 Configuring registration information Select Enable for Register State. Enter 192.168.2.3 for Main Registrar Address. In the Proxy Server area, enter 192.168.2.3 for Server Address. Enter Router A for Username and abc for Password. Click Apply. Verifying the configuration • After the local numbers of the two sides are registered on the registrar successfully, telephone 1111...
  • Page 565: Configuring Trunking Mode Calling

    Configuring trunking mode calling Network requirements As shown in Figure 576, Router A and Router B are connected through an FXO trunk line. It is required that Telephone 1111 can call telephone 2222. Figure 576 Network diagram Configuring Router A # Create a local number....
  • Page 566 Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route. Figure 578 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select Trunk for Call Route Type.
  • Page 567 Figure 579 Configuring number sending mode Select Send All Digits of a Called Number for Called Number Sending Mode. Click Apply. Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
  • Page 568 Select subscriber-line 8/0 from the Bound Line list. Enter Telephone B for Description. Click Apply. Verifying the configuration • Telephone 1111 can call telephone 2222 over the trunk line. • Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access...
  • Page 569: Fax And Modem

    Fax and modem Traditional fax machines transmit and receive faxes over PSTN. Over time, fax has come into wide use owing to advantages such as the variety of information it can carry, high transmission speed, and simple operation. So far, G3 fax machines are dominant in fax communications. A G3 fax machine uses signal digitizing technology....
  • Page 570: Introduction To Fax Methods

    or D/A conversion for fax signals (that is, the router demodulates analog signals from PSTN into digital signals, or modulates digital signals from the IP network into analog signals), but does not need to compress fax signals. A real-time fax process consists of five phases: Fax call setup phase.
  • Page 571: Configuring Fax And Modem

    pass-through function, which can help remote PSTN users to log in to internal network devices through dialup. Configuring fax and modem Before you configure fax and modem, you must configure local numbers and call routes. See Basic settings for details. Configuring fax and modem parameters of a local number Select Voice Management >...
  • Page 572 Item Description Configure the protocol used for fax communication with other devices. • T.38—With this protocol, a fax connection can be set up quickly. • Standard T.38—It supports H.323 and SIP. Configure the fax pass-through mode. Fax Protocol • G.711 A-law. •...
  • Page 573 Item Description Specify the fax training mode: • Local—The gateways participate in the rate training between fax terminals. In this mode, rate training is performed between fax terminals and gateways, respectively, and then the receiving gateway sends the training result of the receiving fax terminal to Fax Training the transmitting gateway.
  • Page 574: Configuring Fax And Modem Parameters Of A Call Route

    Item Description As defined in ITU-T, the ECM is required for a half duplex and fax message transmission using the half-duplex and half-modulation system of ITU-T V.34 protocol. Besides, the G3 fax terminals working in full duplex mode are required to support half-duplex mode, that is, ECM.
  • Page 575 Figure 583 Call route fax and modem configuration page For call route fax and modem configuration items, see Table 212 for details.
  • Page 576: Call Services

    Call services More and more VoIP-based services are demanded as voice application environments expand. On the basis of basic calls, new features are implemented to meet different application requirements of VoIP subscribers. Call waiting When subscriber C calls subscriber A who is already engaged in a call with subscriber B, the call is not rejected if call waiting is enabled....
  • Page 577: Call Transfer

    Call transfer Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is established.
  • Page 578: Silent Monitor And Barge In Services

    Silent monitor and barge in services Silent monitor service—Allows a supervisor to monitor active calls without being heard. Barge in service—Allows a supervisor to participate in a monitored call to implement three-party conference. For example, suppose subscribers A and B are in a conversation and subscriber C is the supervisor.
  • Page 579: Cid On The Fxo Voice Subscriber Line

    Support for SIP voice service of the VCX Together with a server, the VCX implements the application of multiple voice features such as Silent Monitor, Camp On, and FwdMail Toggle by using the HP proprietary SIP Feature messages. Configuring call services of a local number...
  • Page 580 Figure 584 Call services configuration page Table 213 Configuration items Item Description The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number for call forwarding no reply. The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number for call forwarding busy. Call Forwarding Call Forwarding Unconditional—Enter the forwarded-to number for forwarding unconditional.
  • Page 581: Configuring Other Voice Functions

    Configuring other voice functions Select Voice Management > Local Number from the navigation tree, and then click the icon of the local number to be configured to access the call services configuration page as shown in Figure 585. Figure 585 Call services configuration page Table 214 Configuration items Item Description...
  • Page 582 Item Description • Enable. Incoming Call • Disable. Barring By default, incoming call barring is disabled. Password for Set a password to lock your telephone when you do not want others to use your Outgoing Call telephone. Barring Door Opening Enable the door opening control service and set a password for Password.
  • Page 583: Configuring Call Services Of A Call Route

    Configuring call services of a call route Select Voice Management > Call Route from the navigation tree, and then click the icon of the call route to be configured to access the call route call services configuration page as shown in Figure 586.
  • Page 584: Call Services Configuration Examples

    Item Description • Enable. • Disable. By default, hunt group function is disabled. Hunt Group IMPORTANT: To use the hunt group feature, you must select the Enable option of all call routes involved in this service. Configure the private line auto ring-down (PLAR) function. The number is an E.164 Hotline Numbers telephone number of the terminating end.
  • Page 585: Configuring Call Forwarding

    Figure 588 Configuring call waiting Select Enable for Call Waiting. Click Apply. Verifying the configuration Verify the two call waiting operation modes: • Operation 1—When the subscriber at Telephone C dials 1000 to call Telephone A, which is already engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones, while the subscriber at Telephone A hears call waiting tones as a reminder that a call is waiting on the line....
  • Page 586 Figure 589 Network diagram Router A Router B Router C Eth1/1 Eth1/1 10.1.1.1/24 20.1.1.2/24 Eth1/2 Eth1/1 1000 10.1.1.2/24 20.1.1.1/24 3000 Telephone A Telephone C 2000 Telephone B Configuration procedure Before performing the following configuration, make sure Router A, Router B and Router C are reachable to each other.
  • Page 587: Configuring Call Transfer

    Verifying the configuration Place a call from Telephone A to Telephone B. Router B forwards the call to Telephone C when Telephone B is busy. Finally, Telephone A and Telephone C start a conversation. Configuring call transfer Network requirements As shown in Figure 591, call transfer enables Telephone A to transfer Telephone B to Telephone C....
  • Page 588: Configuring Hunt Group

    Figure 592 Configuring call transfer Verifying the configuration The whole process is as follows: Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation. Perform a hookflash at Telephone A to put the call with Telephone B on hold. Call Telephone C (3000) from Telephone A after hearing dial tones.
  • Page 589 Figure 593 Network diagram Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other. Complete basic voice call configurations: complete basic voice call configurations on Router A, Router B, and Router C. Configure hunt group: # Configure a number selection priority for Telephone A2 on Router A.
  • Page 590 Figure 594 Configuring number selection priority of Telephone A2 Select 4 from the Number Selection Priority list. Click Apply. # Configure hunt group on Router A. Select Voice Management > Local Number from the navigation tree, click the icon of local number 1000 of Telephone A1 in the local number list to access the call services configuration page.
  • Page 591: Configuring Three-Party Conference

    Figure 595 Configuring hunt group Select Enable for Hunt Group. Click Apply. Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure is not included here. Verifying the configuration Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B is connected to Telephone A1.
  • Page 592 Figure 596 Network diagram Router A Router B Router C Eth1/0 Eth1/0 10.1.1.1/24 20.1.1.2/24 Eth1/0 Eth1/1 1000 10.1.1.2/24 20.1.1.1/24 3000 Telephone A Telephone C 2000 Telephone B Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other.
  • Page 593: Configuring Silent Monitor And Barge In

    Figure 598 Configuring call hold Select Enable for Call Hold. Select Enable for Three-Party Conference. Click Apply. Verifying the configuration Now Telephone B, as the conference initiator, can establish a three-party conference with participants Telephone A and Telephone C. If you also enable three-party conference on the FXS lines of Telephone A and Telephone C on Router A and Router C, then during the conference, a new call can be initiated from Telephone A or Telephone C to invite another passive participant.
  • Page 594 Figure 599 Network diagram Configure the VCX Open the Web interface of the VCX and select Central Management Console. Configure the information of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example. Figure 600 Telephone configuration page # Configure the silent-monitor authority Click Features of number 1000 to access the feature configuration page, and then click Edit Feature of the Silent Monitor and Barge In feature to access the page as shown in...
  • Page 595 Figure 601 Silent monitor and barge in feature configuration page (1) Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000. After this configuration, the page as shown in Figure 602 appears. Figure 602 Silent monitor and barge in feature configuration page (2) After the previous configuration, Telephone C with the number 3000 can monitor and barge in the conversations of Telephone A with the number 1000.
  • Page 596 Figure 603 Enabling the feature service and the silent monitor and barge in function Select Enable for Monitor and Barge In. Select Enable for Feature Service. Click Apply. Configure Router B # Configure a local number and call routes.
  • Page 597 Configure a local number: specify the local number ID as 2000 and the number as 2000, and bind the number to line 1/0 on the local number configuration page. Configure the call route to Router A: specify the call route ID as 1000, the destination number as 1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page....
  • Page 598 Select RFC2833 for DTMF Transmission Mode. Click Apply. # Enable the feature service. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 3000 to access the call services page as shown in Figure 605.
  • Page 599: Advanced Settings

    Advanced settings This section provides information on configuring various advanced settings. Introduction to advanced settings Coding parameters The configuration of coding parameters includes specifying codec priorities and packet assembly intervals. The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32, g726r40, g729a, g729br8, and g729r8....
  • Page 600 Table 217 G.711 algorithm (A-law and μ-law) Column headers: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency. 10 ms 96 kbps 100.8 kbps 10 ms 20 ms 80 kbps 82.4 kbps...
  • Page 601 Column headers: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency. 30 ms 26.7 kbps 28.3 kbps 30 ms 40 ms 24 kbps 22.1 kbps 40 ms 50 ms 22.4 kbps 23.4 kbps...
  • Page 602 Table 223 G.726 r40 algorithm Column headers: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency. 10 ms 72 kbps 76.8 kbps 10 ms 20 ms 56 kbps 58.4 kbps 20 ms...
  • Page 603: Other Parameters

    NOTE: • The packet assembly interval is the duration to encapsulate information into a voice packet. • Bytes coded in a time unit = packet assembly interval × media stream bandwidth. • Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data....
  • Page 604 Figure 606 Configuring coding parameters of the local number Table 226 Configuration items Item Description Specify a codec Specify the codecs and their priority levels. The available Codec with the First Priority with the first codes are: priority. • g711alaw—G.711 A-law codec (defining the pulse code modulation technology), requiring a bandwidth of 64 Specify a codec Codec with the Second...
  • Page 605: Configuring Other Parameters Of A Local Number

    Item Description Packet Assembly Interval of Specify the packet assembly interval for g726r16 codec. G726r16 Packet Assembly Interval of Specify the packet assembly interval for g726r24 codec. G726r24 Packet Assembly Interval of Specify the packet assembly interval for g726r32 codec. G726r32 Packet Assembly Interval of Specify the packet assembly interval for g726r40 codec.
  • Page 606: Configuring Advanced Settings Of A Call Route

    Item Description Send a Truncated Send a truncated called number. Called Number Send All Digits of Called Number Send all digits of a called number. a Called Number Sending Mode Send a certain number of digits (that are extracted from the end of a Send Certain number) of a called number.
  • Page 607: Configuring Other Parameters For A Call Route

    Figure 608 Configuring coding parameters of the call route For coding parameters configuration items of the call route, see Table 227. Configuring other parameters for a call route Select Voice Management > Call Route from the navigation tree, and then click the icon of the call route to be configured to access the advanced settings configuration page.
  • Page 608: Advanced Settings Configuration Example

    Advanced settings configuration example Configuring out-of-band DTMF transmission mode for SIP Network requirements Two routers work as SIP UAs. After establishing a call connection, the calling and called parties adopt DTMF SIP out-of-band transmission to make the transmission of DTMF digits more reliable. Figure 610 Network diagram Configuration procedure Configure voice basic calling settings.
  • Page 609 Select Out-of-band Transmission for DTMF Transmission Mode. Click Apply. Figure 612 Configure out-of-band DTMF transmission mode Verifying the configuration After a call connection is established, if one side presses the telephone keys, the DTMF digits are transmitted to the other side using out of band signaling, and the other side hears short DTMF tones from the handset.
  • Page 610: Sip-To-Sip Connections

    SIP-to-SIP connections Configuring media parameters for SIP-to-SIP connections Select Voice Management > Call Route from the navigation tree. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 613 Configuring media parameters Configure media parameters for SIP-to-SIP connections as described in Table 229.
  • Page 611: Configuring Signaling Parameters For Sip-To-Sip Connections

    Item Description In the scenario where the SIP trunk device controls the results of media capability negotiation, if the SIP trunk device cannot find a common codec for two parties during negotiation, the two parties fail to establish a call. In this case, you can select the Enable option to enable codec transcoding on the SIP trunk device.
  • Page 612 Figure 614 Configuring signal process Configure signaling parameters for SIP-to-SIP connections as described in Table 230. Table 230 Configuration items Item Description • Remote process—The SIP trunk device transparently transfers the SIP messages carrying call forwarding information to the endpoints, and the endpoints perform the call forwarding. Call-forwarding Signal •...
  • Page 613: Configuring Dial Plans

    Configuring dial plans More requirements on dial plans arise with the wide application of VoIP. A desired dial plan should be flexible, reasonable, and operable. Also it should be able to help a voice gateway to manage numbers in a unified way, making number management more convenient and reasonable. The dial plan process on the calling side differs from that on the called side.
  • Page 614: Regular Expression

    On the called side Figure 616 shows the dial plan operation process on the called side. Figure 616 Flow chart for dial plan operation process on the called side After receiving a voice call (the called number), the voice gateway on the called side performs global calling/called number substitution.
  • Page 615 Meta-character Meaning # and *: Each indicates a valid digit. Dot (.): Wildcard, which can match any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional characters. Hyphen (-): Connecting element, used to connect two numbers (the smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive.
  • Page 616: Dial Plan Functions

    Dial plan functions Number match Dial terminator In areas where variable-length numbers are used, you can specify a character as the dial terminator so that the voice gateway can dial out the number before the dialing interval expires. The dial terminator identifies the end of a dialing process, and a call connection is established based on the received digits when the dial terminator is received.
  • Page 617: Call Control

    Entity type selection priority rules You can configure the priorities for different types of entities. When multiple local numbers or call routes are qualified for a call connection, the system selects a suitable local number or call route whose entity type has the highest priority.
  • Page 618: Configuring Dial Plan

    • Global number substitution—The voice gateway substitutes calling and called numbers of all incoming and outgoing calls according to the number substitution rules configured in dial program view. Multiple number substitution rule lists can be bound for global calling and called number substitution of incoming and outgoing calls.
  • Page 619: Configuring Call Control

    Item Description • Longest Number Match—Matches the longest number. • Shortest Number Match—Matches the shortest number. Number Match Mode By default, the shortest-number match mode is adopted. • Specify service first. Number Match Policy • Specify number first. Select Based on Voice Entity Type Select the Enable option, the sequence of the voice entities in the Selection Sequence box determines the match order, and you can click the Up and Down buttons to move a voice entity.
  • Page 620 Figure 618 Number group page Click Add. The number group configuration page appears. Figure 619 Number group configuration page Configure the number group as described in Table 232. Click Apply. Table 233 Configuration items Item Description Group ID Specify the ID of the number group. Description Specify the description of the number group.
  • Page 621 Figure 620 Local number binding page Configure local number binding as described in Table 234. Click the box in front of the ID column, and click Apply. Table 234 Configuration items Item Description • Permit the calls from the number group. Binding Mode •...
  • Page 622 Figure 621 Max-call-connection set page Click Add to access the Max-Call-Connection Set Configuration page as shown in Figure 622. Figure 622 Max-call-connection set configuration page Table 235 Configuration items Item Description Connection Set ID Specify the ID of the max-call-connection set. Max Number of Call Specify the maximum number of call connections in the max-call-connection set.
  • Page 623: Configuring Number Substitution

    The configuration of IVR number binding is similar to that of local number binding. Therefore, it is not included here. Configuring number substitution When you configure number substitution, you need to first add a number substitution list, and then bind a number substitution list to global, local numbers, call routes, or lines.
  • Page 624 Table 236 Configuration items Item Description Number Substitution Rule Specify the ID of the number substitution rule list. List ID • End-Only—Reserve the digits to which all ending dots (.) in the input number correspond. • Left-to-Right—Reserve from left to right the digits to which the dots in the input number correspond.
  • Page 625: Dial Plan Configuration Examples

    Bind a number substitution list to global, local numbers, call routes, or lines: Click Not Bound in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column to access the corresponding binding page. The configurations of these bindings are similar to that of local number binding in call control. Therefore, it is not included here.
  • Page 626 Longest number match Configure Router A: select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page, as shown in Figure 627. Figure 627 Number match mode configuration page Select Longest Number Match for Number Match Mode. Click Apply.
  • Page 627: Configuring The Match Order Of Number Selection Rules

    After you dial 20001234# at Telephone A, the number immediately matches call route 2000 and Telephone B is alerted. Configuring the match order of number selection rules Network requirements As shown in Figure 629, configure different number selection rule match orders for calls from Telephone A to Telephone B.
  • Page 628 Add a call route: Specify the call route ID as 2001, the destination number as 2000123.$, and the destination address as 1.1.1.2 on the call route configuration page. Configure the call route: Select Voice Management > Call Route from the navigation tree to access the call route list page.
  • Page 629 Figure 632 Match order of number selection rules configuration page Select Exact Match from the First Rule in the Match Order list. Select Priority from the Second Rule in the Match Order list. Select Random Selection from the Third Rule in the Match Order list. Click Apply.
  • Page 630: Configuring Entity Type Selection Priority Rules

    Select Random Selection from the Third Rule in the Match Order list. Click Apply. After you dial number 20001234 at Telephone A, the number matches call route 2002. Configuring the number selection rule as random selection Configure Router A: Select Voice Management > Dial Plan > Number Match from the navigation tree to access the page for configuring the match order of number selection rules.
  • Page 631 Find the digital link VE1 5/0 in the list, click its corresponding icon to access the E1 parameters configuration page. Figure 636 E1 parameters configuration page Select PRI Trunk Signaling for Working Mode. Select Internal for TDM Clock Source. (Internal is the default setting) Select the Network Side Mode for ISDN Working Mode.
  • Page 632 Configuring Router B Select Voice Management > Digital Link Management from the navigation tree to access the digital link list page. Find the digital link VE1 5/0 in the list, click its corresponding icon to access the E1 parameters configuration page. Figure 637 E1 parameters configuration page Select PRI Trunk Signaling for Working Mode.
  • Page 633 Figure 638 Entity type selection priority rule configuration page (1) • Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR. Click Apply.
  • Page 634: Configuring Call Authority Control

    Configuring call authority control Network requirements As shown in Figure 640, Router A, Router B, and Router C are located at place A, place B, and place C, respectively. They are all connected to the SIP server to allow subscribers to make SIP calls. When VoIP links fail for some reason, PSTN links that provide backup for VoIP links can be automatically brought up.
  • Page 635 Type 1100.. for Numbers in the Group. Click Add to add numbers into the group. Click Apply. Enter the number group configuration page again to add another number group: Type 2 for Group ID. Type 1200.. for Numbers in the Group. Click Add to add numbers into the group.
  • Page 636 Figure 643 Call route binding page (1) Select Permit the calls from the number group for Binding Mode. Select the box of call route 2100. Click Apply. # Bind a call route to the number group 2 to allow subscribers whose telephone numbers begin with 1200 to originate calls to both place B and place C.
  • Page 637: Configuring Number Substitution

    Figure 645 Call route binding page (II) Select Permit the calls from the number group for Binding Mode. Select the checkboxes of call routes 2100 and 3100. Click Apply. Configuring Router B Add a call route: Specify the call route ID as 2100, the destination number as 2..., and the trunk route line as 1/0:15 on the call route configuration page.
  • Page 638 at place A, and the caller ID displayed on the terminal at place A is 021 1234, that is, the area code of place B + telephone number of the financial department at place B. Figure 646 Network diagram Place B Place A Market Dept.
  • Page 639 Figure 647 Number substitution configuration page (1) Type 21101 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 647. Click Apply. # Add another number substitution rule list for calling numbers of outgoing calls. Select Voice Management >...
  • Page 640 Figure 648 Number substitution configuration page (2) Type 21102 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 648. Click Apply. # Enter the call route binding page of number substitution list 21101. Figure 649 Call routing binding page of number substitution list 21101 Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.
  • Page 641 Figure 650 Call routing binding page of number substitution list 21102 Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode. Select call route 10. Click Apply. Configuring Router A # Set the IP address of the Ethernet interface to 1.1.1.1. # Add a call route: specify the call route ID as 1010, the destination number as ...., and the trunk route line as FXO line 1/0 on the call route configuration page.
  • Page 642 Figure 651 Number substitution configuration page (3) Type 101 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 651. Click Apply. # Add another number substitution rule list for calling numbers of incoming calls. Select Voice Management >...
  • Page 643 Figure 652 Number substitution configuration page (4) Type 102 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 652. Click Apply. # Enter the global binding page of number substitution list 101. Figure 653 Global binding page of number substitution list 101 Select Incoming Calling for Incoming Binding Type.
  • Page 644 Figure 654 Global binding page of number substitution list 102 Select Incoming Called for Incoming Binding Type. Click Apply.
  • Page 645: Call Connection

    Call connection Introduction to SIP The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify, and terminate multimedia sessions such as IP phone calls, multimedia session and multimedia conferences. It is the core component in the multimedia data and control architecture of the IETF (RFC 3261).
  • Page 646: Functions And Features Of Sip

    Redirect server A redirect server sends a new connection address to a requesting client. For example, when it receives a request from a calling UA, the redirect server searches for the location information of the called UA and returns the location information to the UA. This location can be that of the called UA or another proxy server, to which the UA can initiate the session request again.
  • Page 647: Sip Messages

    • Consistent communication method. Management becomes easier as the result of consistency in dialup mode and system access method used by branches, SOHOs, and traveling personnel. • Quick launch. The system can be updated quickly to accommodate new branches and personnel,...
  • Page 648 Figure 655 Message exchange for a UA to register with a Registrar Call setup SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy server. Figure 656 Network diagram In the previous figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP endpoints (UAs).
  • Page 649 Figure 657 Call setup procedures involving a proxy server This is a simplified scenario where only one proxy server is involved and no registrar is present. However, a complex scenario can involve multiple proxy servers and registrars. Call redirection When a SIP redirect server receives a session request, it sends back a response indicating the address of the called SIP endpoint instead of forwarding the request.
  • Page 650: Support For Transport Layer Protocols

    Figure 658 Call redirection procedure for UAs (participants: User agent, Redirect Server, User agent, across the Internet; message sequence: INVITE, 100 Trying, 302 Moved Temporarily, INVITE, 100 Trying, 200 OK) This is a common application. Fundamentally, a redirect server can respond with the address of a proxy server as well.
  • Page 651: Signaling Encryption

    RTP/RTCP packets. For more information about the encryption engine, see Security Configuration Guide in HP MSR Router Series Configuration Guides (V5). SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about SIP trunk,...
  • Page 652: Tls-Srtp Combinations

    TLS-SRTP combinations TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them separately or together. The following table shows four combinations of TLS and SRTP. Table 239 TLS-SRTP combinations SRTP Description Signaling packets are secured. Personal information is protected. Media packets are secured.
  • Page 653: Configuring Sip Connections

    Configuring SIP connections This section describes how to configure SIP connections. Configuring connection properties Configuring registrar Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page as shown in Figure 659.
  • Page 654 Item Description • UDP—Apply the UDP transport layer protocol when the device registers to the main registrar. • TCP—Apply the TCP transport layer protocol when the device registers to the Main Registrar Transport main registrar. Layer Protocol • TLS—Apply the TLS transport layer protocol when the device registers to the main registrar.
  • Page 655: Configuring Proxy Server

    Configuring proxy server Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the proxy server configuration page, as shown in Figure 660. Figure 660 Proxy server configuration page Table 241 Configuration items Item Description Select a server group from the list as the proxy server.
  • Page 656 Source IP address binding is supported on the Layer 3 Ethernet interface, GigabitEthernet interface, or dialer interface. For information about DHCP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring source address binding Select Voice Management >...
  • Page 657: Configuring Sip Listening

    Table 243 Application of the source address binding settings in different states Settings made when… Result • For SIP media streams, the source IP address binding settings do not take effect until the next SIP call. The call is active •...
  • Page 658: Configuring Media Security

    Table 244 Configuration items Item Description • UDP—Specify UDP as the transport layer protocol for incoming SIP calls and enable UDP listening port 5060. • TCP—Specify TCP as the transport layer protocol for incoming SIP calls and enable TCP listening port 5060. •...
  • Page 659: Configuring Caller Identity And Privacy

    Configuring caller identity and privacy Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the caller identity and privacy configuration page, as shown in Figure 664. Figure 664 Caller identity and privacy configuration page Table 246 Configuration items Item Description...
  • Page 660: Configuring Sip Session Refresh

    Configuring SIP session refresh Introduction to SIP session refresh In a high-volume traffic environment, if a BYE message gets lost for a session, the call proxy server will not know that the session has ended. Therefore, it still maintains the state information for the call, which wastes resources of the server.
  • Page 661 Figure 666 Compatibility configuration page Table 248 Configuration items Item Description The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices, you must configure the SIP compatibility options. • Enable—Configure the device to use the address (IP address or DNS domain name) in the To header field as the address in the From header field when Use the address in the To sending a SIP request.
  • Page 662: Configuring Advanced Settings

    Item Description UAC Product Version Specify the product version of the UAC. UAS Product Name Specify the product name of the UAS. UAS Product Version Specify the product version of the UAS. Configuring advanced settings Registration timers are available to SIP trunk accounts. For information about SIP trunk, see "Configuring SIP trunk."...
  • Page 663: Configuring Registration Parameters

    Table 250 Configuration items Item Description Address Specify the IP address or domain name of the proxy server. Port Specify the port number of the proxy server. Configuring registration parameters Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Advanced Settings tab to access the configuration page as shown in Figure 669.
  • Page 664 Item Description Registration Percentage To ensure the validity of registration information of a local number or an SIP trunk account on the registrar, the local number or SIP trunk account must re-register with the registrar at a specified time before the registration expiration interval is reached.
  • Page 665: Configuring Voice Mailbox Server

    Item Description Fuzzy telephone number registration refers to the use of a wildcard (including the dot . and the character T), rather than a standard E.164 number in the match template of a POTS entity. After enabling fuzzy telephone number registration, the voice gateway (router) retains dots and substitutes asterisks (*) for Ts when sending REGISTER messages.
  • Page 666: Configuring Signaling Security

    Table 252 Configuration items Item Description • UDP—Specify UDP as the transport layer protocol to be used during the subscription. • TCP—Specify TCP as the transport layer protocol to be used during the subscription. Transport Layer Protocol • TLS—Specify TLS as the transport layer protocol to be used during the subscription.
  • Page 667: Configuring Call Release Cause Code Mapping

    Table 253 Configuration items Item Description TCP Connection Set the aging time for TCP connections. If the idle time of an established TCP Aging Time connection reaches the specified aging time, the connection will be closed. TLS Connection Aging Set the aging time for TLS connections. If the idle time of an established TLS connection Time reaches the specified aging time, the connection will be closed.
  • Page 668: Configuring Sip Status Code Mappings

    Configuring SIP status code mappings Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the SIP Status Code Mapping tab to access the page as shown in Figure 673. Figure 673 SIP status code mapping configuration page You can select the values in the PSTN Release Cause Code fields.
  • Page 669 Figure 674 Network diagram Configuration procedure Configure basic voice calls: configure a local number and the call route to Router B. Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind the number to line line 1/0 on the local number configuration page. Configure the call route to Router B: specify the call route ID as 2222, the destination number as 2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as 192.168.2.2 on the call route configuration page.
  • Page 670: Configuring Srtp For Sip Calls

    Figure 676 Configuring caller identity presentation restriction mode Select P-Asserted-Identity for Caller Identity Presentation Restriction Mode. Click Apply. Verifying the configuration After the above configuration, when you use telephone 1111 to call telephone 2222, the calling number 1111 will not be displayed on telephone 2222.
  • Page 671: Configuring Tcp To Carry Outgoing Sip Calls

    Verifying the configuration SIP calls use the SRTP protocol to encrypt and authenticate media flows, and call conversations are well protected. Configuring TCP to carry outgoing SIP calls Network requirements Two routers Router A and Router B work as SIP UAs. It is required that SIP calls between the two parties be carried over TCP.
  • Page 672: Configuring Tls To Carry Outgoing Sip Calls

    Figure 681 Specifying listening transport layer protocol Select TCP for SIP Listening Transport Layer Protocol. Click Apply. Verifying the configuration SIP calls from telephone 1111 to telephone 2222 are carried over TCP. You can view information about TCP connections on the TCP Connection Information tab page by selecting Voice Management >...
  • Page 673 Figure 683 Specifying transport layer protocol for outgoing calls Select TLS for Transport Layer Protocol for SIP Calls. Click Apply. # Specify TLS as the transport layer protocol for incoming SIP calls. Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the transport layer protocol configuration page as shown in Figure 684.
  • Page 674: Managing Sip Server Groups

    Managing SIP server groups A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured with up to five member servers. An index represents the priority of a member server in the SIP server group.
  • Page 675: Configuring The Keep-Alive Mode

    Click Add. The page for configuring a server group appears. Figure 686 Configuring real-time switching Configure real-time switching as described in Table 255. Table 255 Configuration items Item Description Enable or disable the real-time switching function. When the real-time switching function is enabled: •...
  • Page 676: Configuring The Source Address Binding Mode

    Table 256 Configuration items Item Description The keep-alive function is used to detect whether the SIP servers in a SIP server group are reachable. The SIP trunk device selects a server according to the detect result and the redundancy mode. If the keep-alive function is disabled, the SIP trunk device always uses the server with the highest priority in the SIP server group.
  • Page 677: Configuring Server Information Management

    Item Description IPv4 Address Bound with If you select IPv4 Address Binding as the media stream binding mode, you must the Media Stream type the IPv4 address to be bound in this field. If you select Interface Binding as the media stream binding mode, you need to Interface Bound with the specify the interface to be bound from the list.
  • Page 678 Click Add. The page for configuring a server group appears. Figure 689 Configuring server information management Configure server information management as described in Table 258. Click Apply. Table 258 Configuration items Item Description Set server ID. A SIP server group can be configured with up to five member servers. Server ID A server ID represents the priority of the server in the SIP server group.
  • Page 679: Configuring Sip Trunk

    Configuring SIP trunk As shown in Figure 690, on a typical telephone network, internal calls of the enterprise are made through the internal PBX, and external calls are placed over a PSTN trunk. Figure 690 Typical telephone network With the development of IP technology, many enterprises deploy SIP-based IP-PBX networks as shown in Figure 691.
  • Page 680: Features

    Figure 692 All IP-based network (diagram labels: ITSP, Enterprise intranet, SIP trunk, SIP server, Router, IP-PBX, SIP trunk device) Features SIP trunk has the following features: Only one secure and QoS guaranteed SIP trunk link is required between a SIP trunk device and the ITSP.
  • Page 681: Protocols And Standards

    Figure 693 SIP trunk network diagram Protocols and standards SIP trunk-related protocols and standards are as follows: • RFC 3261 • RFC 3515 • SIPconnect Technical Recommendation v1.1 Configuring SIP trunk This section describes how to configure SIP trunk. Configuration task list Task Remarks Enabling the SIP trunk function...
  • Page 682: Enabling The Sip Trunk Function

    Figure 694 Configuring services Table 259 Configuration item Item Description Enable the SIP trunk function before you can use other SIP trunk functions. HP recommends not using a device enabled with the SIP trunk function as a SIP UA. • Enable.
  • Page 683 Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and click Add. The following page appears. Figure 695 Configuring a SIP trunk account Table 260 Configuration items Item Description Account ID Enter a SIP trunk account ID. Select the SIP server group used by the SIP trunk account for registration.
  • Page 684: Configuring A Call Route For Outbound Calls

    Item Description • Enable. • Disable. Registration By default, the registration function of the SIP trunk account is disabled. Function To perform registration, you must provide the host username or associate the account with a SIP server group. Authentication Enter the authentication username for the SIP trunk account. Username Authentication Enter the authentication password for the SIP trunk account.
  • Page 685 Figure 696 Configuring a call route Table 261 Configuration items Item Description Call Route ID Enter a call route ID. Destination Number Enter the called telephone number. Bound Account Select a SIP trunk account to be bound to the voice entity. Description Enter a description for the call route.
  • Page 686: Configuring Fax And Modem Parameters Of The Call Route Of A Sip Trunk Account

    Item Description • Enable. Status • Disable. Configuring fax and modem parameters of the call route of a SIP trunk account Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the icon of the call route to be configured to access the call route fax and modem configuration page. The fax and modem parameters of the call route of a SIP trunk account are the same as those of a call route.
  • Page 687 Item Description • Specify the prefix of a source host name as a call match rule. The specified source host name prefix is used to match against the source host names of calls. If the INVITE message received by the SIP trunk device carries the Remote-Party-ID header, the source host name is abstracted from this header field.
  • Page 688: Configuring Media Parameters For Sip-To-Sip Connections

    Configuring media parameters for SIP-to-SIP connections Select Voice Management > Call Route from the navigation tree. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 698 Configuring media parameters Configure media parameters for SIP-to-SIP connections as described in Table 263.
  • Page 689: Configuring Signaling Parameters For Sip-To-Sip Connections

    Item Description Select the media flow mode: • Around—Enable the media packets to pass directly between two SIP endpoints, without the intervention of the SIP trunk device. The media packets flow around the SIP trunk device. Media Flow Mode • Relay—Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets.
  • Page 690: Configuring A Call Route For Inbound Calls

    Item Description • Remote process—If the session timer mechanism is initiated by the calling party, and the called party also supports this mechanism, you can select this option to enable the called party to process the session update information. Otherwise, the session timer mechanism only works between the calling party and the Mid-call Signal SIP trunk device.
  • Page 691 Select Voice Management > Local Number from the navigation tree and click Add. Figure 701 Configuring a local number Enter 2000 for Number ID. Enter 2000 for Number. Select subscriber-line 8/0 from the Bound Line list. Click Apply. # Configure a call route. Select Voice Management >...
  • Page 692 Enter 1.1.1.2 for Destination Address. Click Apply. Configuring the SIP trunk device # Enable the SIP trunk function. Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree. Figure 703 Configuring services Select Enable for SIP Trunk Function. Click Apply.
  • Page 693 Enter 1 for Server Group ID. Enter 1 for Server ID. Enter 10.1.1.2 for Server Address. Click Add the Server. Click Apply. # Create SIP trunk account 1 with the host username 2000, and associate the account with SIP server group 1.
  • Page 694 Figure 706 Configuring a call route for the SIP trunk account Enter 20000 for Call Route ID. Enter 1000 for Destination Number. Select account1 from the Bound Account list. Select Bind to Server Group for SIP Trunk Routing. Select server-group-1 from the Server Group list. Click Apply.
  • Page 695 Enter 2000 for Destination Number. Select IP Routing for SIP Route Type. Enter 1.1.1.1 for Destination Address. Click Apply. Configuring Router B # Configure a local call number. Select Voice Management > Local Number from the navigation tree and click Add. Figure 708 Configuring a local number Enter 1000 for Number ID.
  • Page 696: Configuring A Sip Server Group With Multiple Member Servers

    Enter 2000 for Destination Number. Select SIP for Call Route Type. Select Proxy Server for SIP Routing. Click Apply. # Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the Connection Properties tab.
  • Page 697 Figure 711 Network diagram Configuration procedure # Enable the SIP trunk function. (Details not shown.) # Create SIP server group 1.
  • Page 698 Figure 712 Configuring server group Enter 1 for Server Group ID. Select Enable for Real-Time Switching. Select Options for Keep-Alive Mode. Enter 1 for Server ID. Enter 10.1.1.2 for Server Address. Click Add the Server. Enter 3 for Server ID. Enter 10.1.1.3 for Server Address.
  • Page 699: Configuring Call Match Rules

    Figure 713 Advanced settings Select Parking for Redundancy Mode. Click Apply. Other configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server." Verifying the configuration When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes over communications between the private network and the public network.
  • Page 700 Figure 714 Network diagram Configuration procedure # Configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server." # Configure Router A2: Configure a local number 2001 and a call route to Router B. For the configuration procedure, see "Configuring Router A."...
  • Page 701 Select IPv4 Address from the Match a Source Address list. Enter 1.1.1.1 for IPv4 Address. Click Apply. Verifying the configuration Private network users connected to Router A1 can call public network users, but private network users connected to Router A2 cannot call public network users. Public network users can call any private network user.
  • Page 702: Managing Data Links

    Managing data links This section provides information about data link management and configuration. Overview Introduction to E1 and T1 Plesiochronous digital hierarchy (PDH) includes two major communications systems: ITU-T E1 system and ANSI T1 system. The E1 system is dominant in European and some non-European countries. The T1 system is dominant in the USA, Canada, and Japan.
  • Page 703: E1 And T1 Interfaces

    E1 and T1 interfaces E1 interface An E1 interface is logically divided into timeslots (TSs) with TS16 being a signaling channel. On E1 interfaces, you can create PRI groups or TS sets. You can use an E1 interface as an ISDN PRI or CE1 interface: As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling.
  • Page 704: Features Of E1 And T1

    Features of E1 and T1 E1 and T1 are characterized by the following: • Signaling modes • Fax function • Protocols and standards Signaling modes E1/T1 interfaces support these types of signaling: • DSS1/QSIG user signaling, adopted on the D channel between ISDN user and network interface...
  • Page 705: Configuring Digital Link Management

    Generally, a BSV interface is used to connect an ISDN digital telephone. Also, it can be used as a trunk interface connecting to a PBX digital trunk. If it cooperates with an FXS or FXO interface, a BSV interface can realize flexible routing policies for voice calls. Configuring digital link management You can click the link of a digital link name to access the page displaying the link state.
  • Page 706 Item Description • Internal—Set the internal crystal oscillator time division multiplexing (TDM) clock as the TDM clock source on the E1 interface. After that, the E1 interface obtains clock from the crystal oscillator on the main board. If it fails to do that, the interface obtains clock from the crystal oscillator on its E1 card.
  • Page 707 Figure 718 E1 parameters configuration page (2) You are not allowed to configure the following parameters on an ISDN interface if there is still a call on ISDN Overlap-Sending • Switch to ACTIVE State Without Receiving a Connect-Ack Message • Carry High Layer Compatibility Information •...
  • Page 708 Item Description ISDN Protocol Type Set the ISDN protocol to be run on an ISDN interface: DSS1, QSIG, or ETSI. By default, an ISDN interface runs DSS1. ISDN Working Mode Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
  • Page 709 Item Description • Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message. • Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
  • Page 710: Configuring Vt1 Line

    Item Description • Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call. • Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
  • Page 711 Table 268 Configuration items Item Description Physical Parameters Configuration Working Mode Configure the working mode of the T1 interface: • None—Remove the existing bundle. • PRI Trunk Signaling—Bundle timeslots on a T1 interface into a PRI group. By default, no PRI group is created. Bound Timeslot Specify the timeslots to be bundled.
  • Page 712: Configuring Bsv Line

    Figure 720 T1 parameters configuration page (2) ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table describes the ISDN parameters configuration items. Configuring BSV line Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of the BSV line to be configured to access the BSV parameters configuration page.
  • Page 713 Figure 721 BSV parameters configuration page Table 269 Configuration items Item Description ISDN Protocol Type Set the ISDN protocol to be run on an ISDN interface: DSS1, ANSI, NI, NTT, or ETSI. By default, an ISDN interface runs DSS1. ISDN Working Mode Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
  • Page 714 Item Description Configure local ISDN B channel management. • Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch. • Common management—The device operates in local B channel management mode to select available B channels for calls. However, the ISDN switch still has a higher priority in B channel selection.
  • Page 715 Item Description • Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message. • Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
  • Page 716 Item Description • Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call. • Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
  • Page 717: Displaying Isdn Link State

    Item Description ISDN Call Reference Length Set the length of the call reference used when a call is placed on an ISDN interface. The call reference is equal to the sequence number that the protocol assigns to each call. It is 1 or 2 bytes in length and can be used cyclically. When the device receives a call from a remote device, it can automatically identify the length of the call reference.
  • Page 718 Figure 723 Network diagram Configuration procedure Configure Router A: # Configure an ISDN PRI group. Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page. Figure 724 E1 parameters configuration page Select the PRI Trunk Signaling option.
  • Page 719 # Configure an ISDN PRI group. Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page. Figure 725 E1 parameters configuration page Select the PRI Trunk Signaling option. For other options, use the default settings. Click Apply.
  • Page 720: Managing Lines

    Managing lines This section provides information on managing and configuring various types of subscriber lines. FXS voice subscriber line A foreign exchange station (FXS) interface uses a standard RJ-11 connector and a telephone cable to directly connect with an ordinary telephone or a fax machine. An FXS interface accomplishes signaling exchange based on the level changes on the Tip/Ring line and provides ring, voltage, and dial tone.
  • Page 721 Figure 726 Immediate start mode • Delay start—In this mode, the caller first picks up the phone to seize the trunk line, and the called...
  • Page 722: One-To-One Binding Between Fxs And Fxo Voice Subscriber Lines

    One-to-one binding between FXS and FXO voice subscriber lines The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines improves the reliability of voice solutions. For industry-specific users, highly reliable communication over FXS voice subscriber lines is required. That is, dedicated FXO voice subscriber lines can be used for communication over PSTN when the IP network is unavailable.
  • Page 723: Enabling The Nonlinear Function Of Echo Cancellation

    Symptom Parameters adjusted Effect There are loud environment Increase the maximum Too large amplitude might make noises noises. amplitude of comfortable noises. uncomfortable. A user hears his or her voice Enlarge the control factor of Too high a control factor leads to audio when speaking.
  • Page 724 Figure 730 FXS line configuration page Table 272 Configuration items Item Description Basic Configurations Description Specify the description of the FXS line. Max Interval for Dialing the Next Digit Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed.
  • Page 725 Interface increase the voice input gain value. Gain adjustment might lead to call failures. HP recommends not adjusting When a relatively small voice signal Output Gain on the Voice the gain. If necessary, do it with the...
  • Page 726: Configuring An Fxo Voice Subscriber Line

    Configuring an FXO voice subscriber line Select Voice Management > Line Management from the navigation tree, and then click the icon of the FXO line to be configured to access the FXO line configuration page, as shown in Figure 731. Figure 731 FXO line configuration page Table 273 Configuration items Item...
  • Page 727 Item Description Max Interval for Dialing the Next Digit Specify the maximum interval for the user to dial the next digit. This timer restarts each time the user dials a digit and will work in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user will be prompted to hook up and the call is terminated.
  • Page 728 Interface Gain adjustment might lead to call increase the input gain value. failures. HP recommends not When a relatively small voice signal adjusting the gain. If necessary, do Output gain on the Voice power is needed on the output line,...
  • Page 729: Configuring An E&M Subscriber Line

    Item Description Comfortable Noise Function Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable. • Enable. • Disable. By default, the comfortable noise function is enabled. •...
  • Page 730 Figure 732 E&M line configuration page Table 274 Configuration items Item Description Basic Configurations Description Description of the E&M line. Cable Type Select the E&M interface cable type: 4-wire or 2-wire. By default, the cable type is 4-wire. When you configure the cable type, make sure the cable type is the same as that of the peer device.
  • Page 731 Item Description Signal Type Specify the signal type. Types 1, 2, 3, and 5 are the four signal types (that is, types I, II, III, and V) of the analog E&M subscriber line. When you configure the signal type, make sure the signal type is the same as that of the peer device.
  • Page 732: Configuring An Isdn Line

    Input Gain on the Voice Interface great extent, increase the voice Gain adjustment might lead to input gain value. call failures. HP recommends not When a relatively small voice adjusting the gain. If necessary, signal power is needed on the...
  • Page 733 Interface Gain adjustment might lead to call increase the input gain value. failures. HP recommends not When a relatively small voice signal adjusting the gain. If necessary, do Output Gain on the Voice power is needed on the output line,...
  • Page 734: Configuring A Paging Line

    When a relatively small voice signal power is needed on the output line, increase the voice output gain value. Voice Interface Output IMPORTANT: Gain Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do it with the guidance of technical personnel. • Enable. •...
  • Page 735: Configuring An Moh Line

    When a relatively small voice signal power is needed on the output line, increase the voice output gain value. Voice Interface Output IMPORTANT: Gain Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do it with the guidance of technical personnel. • Enable. •...
  • Page 736: Line Management Configuration Examples

    Line management configuration examples Configuring an FXO voice subscriber line Network requirements As shown in Figure 736, the FXO voice subscriber line connected to Router B operates in PLAR mode, and the default remote phone number is 010-1001. Dialing the number 0755-2003 on phone 0755-2001 connects to Router B.
  • Page 737: Configuring One-To-One Binding Between Fxs And Fxo

    Figure 737 Hotline number configuration page Enter 0101001 in the Hotline Numbers field. Click Apply. Verifying the configuration If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number 010-1001 at Router A. Configuring one-to-one binding between FXS and FXO Network requirements Router A and Router B are connected over an IP network and a PSTN.
  • Page 738 Figure 738 Network diagram Configuration considerations • Configure one-to-one binding between FXS and FXO voice subscriber lines. • When the IP network is available, the VoIP entity is preferably used to make calls over the IP network. • When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO voice subscriber line over the PSTN.
  • Page 739 Figure 739 Permitted call number group configuration page Enter 1 in the Group ID field. Enter 0101001 in the Numbers in the Group field and click Add. Click Apply. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1.
  • Page 740 Figure 741 Hotline number configuration page Enter 0101001 in the Hotline Numbers field. Click Apply. # Configure the delay off-hook binding for the FXO line. Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO line 4/0 to access the FXO line configuration page. Figure 742 FXO line delay off-hook binding configuration page Select the Delay Off-hook option.
  • Page 741 Figure 743 Entity type selection sequence configuration page Select Enable in the Select Based on Voice Entity Type area. Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR. Click Apply.
  • Page 742 Type 1 in the Group ID field. Type 2101002 in the Numbers in the Group field and click Add. Click Apply. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1. Figure 745 211 Call route binding page Select the Permit the calls from the number group option.
  • Page 743 Figure 747 FXO line delay off-hook binding configuration page Select the Delay Off-hook option. Select subscriber-line 3/0 from the Binding FXS Line list. Click Apply. # Configure the system to first select VoIP entity. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page.
  • Page 744 Verifying the configuration In the case that the IP network is unavailable, calls can be made over PSTN.
  • Page 745: Configuring Sip Local Survival

    Configuring SIP local survival IP phones have been deployed throughout the headquarters and branches of many enterprises and organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP phones at branches. The local survival feature enables the voice router at a branch to automatically detect the reachability of the headquarters voice server, and process calls originated by attached IP phones when the headquarters voice server is unreachable.
  • Page 746: Configuring Sip Local Survival

    Configuring SIP local survival Service configuration Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the page as shown in Figure 750. Figure 750 Configuring service Table 278 Configuration items Item Description • Enable—Enable the local SIP server.
  • Page 747: User Management

    Item Description • Alone—The local SIP server in alone mode acts as a small voice server. • Alive—The local SIP server in alive mode supports the local survival feature. That is, when the communication with the remote server fails, the local SIP server accepts registrations and calls;...
  • Page 748: Trusted Nodes

    Trusted nodes Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the page as shown in Figure 752. Figure 752 Configuring a trusted node Table 280 Configuration items Item Description Enter the IP address of the trusted node. A trusted node can directly originate calls without being authenticated by the local SIP server.
  • Page 749: Area Prefix

    Figure 753 Configuring a call-out route Table 281 Configuration items Item Description Enter the ID of the call-out route. Destination Number Prefix Enter the destination number prefix and length. Suppose the destination number prefix is 4100, and the number length is 6. This configuration matches destination numbers that are 6 digits long and start with 4100.
  • Page 750: Call Authority Control

    You can configure up to eight call-in number prefixes. The local SIP server adopts longest match to deal with a called number. Call authority control Configure a call rule set Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the page as shown in Figure 755.
  • Page 751: Sip Local Survival Configuration Examples

    Figure 756 Applying the call rule set Table 283 Configuration items Item Description Rule Set ID Displays the call rule set ID. Applied Globally • Enable—Applies the call rule set to all registered users. • Disable—Specifies that the call rule set does not apply to any registered users. •...
  • Page 752 Figure 757 Network diagram Configuring Router C # Configure the router to operate in the alone mode. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page. Figure 758 Configuring alone mode Select Enable for Server Running State.
  • Page 753 Figure 759 Configuring a user Enter 1000 for User ID. Enter 1000 for Telephone Number. Enter 1000 for Authentication Username. Enter 1000 for Authentication Password. Click Apply. # Configure user 5000 in a similar way. Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the username is 1000, and the password is 1000.
  • Page 754: Configuring Local Sip Server To Operate In Alive Mode

    Configuring local SIP server to operate in alive mode Network requirements Router A and Router B carry out call services through the remote voice server VCX. Configure the local SIP server on Router A to operate in alive mode, so that calls can be originated or received through Router A when the VCX fails.
  • Page 755 Enter 3.1.1.1 for Remote Server IP Address. Click Apply. # Configure user 1000. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page. Figure 762 Configuring a user Enter 1000 for User ID.
  • Page 756: Configuring Call Authority Control

    Verifying the configuration • When the VCX fails, the local SIP server on Router A starts to accept registrations from phones, which then can call each other through Router A. Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that numbers 1000 and 5000 have been registered with the local SIP server on Router A.
  • Page 757 Figure 764 Configuring alone mode Select Enable for Server Running State. Enter 2.1.1.2 in IP Address Bound to the Server. Select Alone for Server Operation Mode. Click Apply. # Configure user 1000. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page.
  • Page 758 # Configure call rule set 0. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page. Figure 766 Configuring call rule set 0 Enter 0 for Rule Set ID. Add three rules as shown in Figure 766.
  • Page 759 Figure 767 Applying call rule set 0 Select Enable for Applied Globally. Click Apply. # Configure call rule set 2. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page. Figure 768 Configuring call rule set 2 Enter 2 for Rule Set ID.
  • Page 760 Add a rule as shown in Figure 768. Click Apply. # Apply call rule set 2. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 2 to access the following page. Figure 769 Applying call rule set 2 Click 5000 in Available register users, and then click <<...
  • Page 761: Configuring An Area Prefix

    Configure a local number in the local number configuration page: The ID is 5555, the number is 5555, the bound line is line2/1, the user name is 5555, and the password is 5555. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1…, the routing type is SIP, and the SIP routing method is proxy server.
  • Page 762 Figure 771 Configuring alone mode Select Enable for Server Running State. Enter 2.1.1.2 in IP Address Bound to the Server. Select Alone for Server Operation Mode. Click Apply. # Configure Router A as a trusted node. Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the following page.
  • Page 763 Figure 773 Configuring an area prefix Enter 8899 for Area Prefix. Click Add a Prefix. Click Apply. # Configure user 5000. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page. Figure 774 Configuring user 5000 Enter 5000 for User ID.
  • Page 764: Configuring A Call-Out Route

    Verifying the configuration • Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that number 5000 has been registered with the local SIP server on Router C. • Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes the area prefix 8899 from the called number, and alerts internal phone 5000.
  • Page 765 Select Alone for Server Operation Mode. Click Apply. # Configure a call-out route Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add to access the following page. Figure 777 Configuring a call-out route Enter 0 for ID.
  • Page 766 Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the user name is 1000, and the password is 1000. Configure a call route to Router B in the call route configuration page: The ID is 55665000, the destination number is 55665000, the routing type is SIP, and the routing method is proxy server.
  • Page 767: Configuring Ivr

    Configuring IVR Overview Interactive voice response (IVR) is used in voice communications. You can use the IVR system to customize interactive operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice telling the subscriber what to do. For example, it might tell the subscriber to dial a number.
  • Page 768: Successive Jumping

    Successive jumping The IVR process can realize successive jumping at most eight times from node to node. Error processing methods The IVR system provides three error processing methods: terminate the call, jump to a specified node, and return to the previous node. You can select an error processing method for a call node, a jump node, or globally to handle errors.
  • Page 769: Importing A Media Resource Through An Moh Audio Input Port

    You can click to save the media resource file to a specified directory. Click Add. The following page appears. Figure 780 Configuring media resource Table 284 Configuration items Item Description Media Resource ID Set a media resource ID. Rename Media Resource Type a name for the media resource file.
  • Page 770: Configuring The Global Key Policy

    Figure 782 Modifying a media resource Table 285 Configuration item Item Description Media resource ID Set a media resource ID. Configuring the global key policy Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and click the Global Key Policy tab.
  • Page 771: Configuring Ivr Nodes

    Table 286 Configuration items Item Description Input Error Processing Method Max Count of Input Errors Enter the maximum number of input errors. Play Voice Prompts for Input Errors • Enable. • Disable. Not enabled by default. Voice Prompts Select a voice prompt file. You can configure voice prompt files in Voice Management >...
  • Page 772 Figure 784 Configuring a call node Table 287 Configuration items Item Description Node ID Enter a node ID. Description Enter a description for the node.
  • Page 773 Item Description Play Voice Prompts • Enable. • Disable. Disabled by default. The following options are available for playing voice prompts: • Mandatory play—Only after the voice prompts end can the subscriber press keys effectively. • Voice prompts—Select a voice prompt file. Voice prompt files can be configured in Voice Management >...
  • Page 774: Configuring A Jump Node

    Item Description Secondary-Call Number Match Mode • Match the terminator of the numbers. • Match the length of the numbers. • Match the local number and route. At least one of the number match mode and the extension secondary call must be configured.
  • Page 775 Figure 785 Configuring a jump node...
  • Page 776: Configuring A Service Node

    Table 288 Configuration items Item Description Node ID Enter a node ID. Description Enter a description for the node. Table 287 for description about other items. Key mapping Map actions with keys. Actions include: • Terminate the call. • Jump to a specified node. If this option is selected, you need to select the target node from the Specify a node list.
  • Page 777: Configuring Access Number Management

    Table 289 Configuration items Item Description Node ID Enter a node ID. Description Enter a description for the node. • Terminate the call. • Jump to a specified node. If this operation is selected, you must select a node from the Specify A Node list. •...
  • Page 778: Configuring Advanced Settings For The Access Number

    Item Description Number Enter the access number. Bind to Menu Bind a node in the list to the access number. You can configure the nodes in Voice Management > IVR Services > Advanced Settings. Description Enter a description for the access number. •...
  • Page 779: Ivr Configuration Examples

    IVR configuration examples Configure a secondary call on a call node (match the terminator of numbers) Network requirements As shown in Figure 789, configure an IVR access number and call node functions on Router B to meet the following requirements. After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio •...
  • Page 780 Figure 790 Uploading a media resource file Enter 10001 for Media Resource ID. Enter welcome for Rename Media Resource. Click the Browse button of g729r8 codec to select the target file. Click Apply. Use the same method to upload other g729r8 media resource files timeout, input_error, and bye. # Configure global error and timeout processing methods to achieve the following purposes: If no number is dialed at Telephone A within the timeout time, Router B plays audio file timeout.wav.
  • Page 781 Figure 791 Configuring the global key policy Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list. Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout;...
  • Page 782 Figure 792 Configuring a call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Match the terminator of the numbers from the Number Match Mode list; type # for Terminator.
  • Page 783: Configure A Secondary Call On A Call Node (Match The Number Length)

    Figure 793 Configuring an access number Type 30000 for Number ID. Type 300 for Number. Select play-welcome from the Bind to Menu list. Click Apply. Verifying the configuration Dial the number 300 at Telephone A. The call node plays audio file welcome.wav. Dial 50# at Telephone A, Telephone B1 rings.
  • Page 784 Figure 794 Network diagram Configuration procedure Configure Router A: See Configuring Router Configure Router B: # Configure the call node. Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Call Node tab, and click Add to access the following page.
  • Page 785 Figure 795 Configuring the call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Match the length of the numbers from the Number Match Mode list; type 3 for Length of Numbers.
  • Page 786: Configure A Secondary Call On A Call Node (Match A Number)

    Configure a secondary call on a call node (match a number) Network requirements As shown in Figure 796, configure an IVR access number and call node functions on Router B to meet the following requirements. After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio •...
  • Page 787 Figure 797 Configuring a call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Match the local number and route from the Number Match Mode list. Click Apply.
  • Page 788: Configure An Extension Secondary Call On A Call Node

    Configure an extension secondary call on a call node Network requirements As shown in Figure 798, configure an IVR access number and call node functions on Router B to meet the following requirements. After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio •...
  • Page 789 Figure 799 Configuring a call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select 0 for Extension Number. Select 500 for Corresponding Number. Click Apply. For other settings, see Configuring Router...
  • Page 790: Configure A Jump Node

    Verifying the configuration Dial 300 at Telephone A. Router B plays the audio file welcome.wav. Dial 0. Telephone B rings. Configure a jump node Network requirements As shown in Figure 800, configure an IVR access number and jump node functions on Router B to meet the following requirements.
  • Page 791 Figure 801 Configuring a jump node...
  • Page 792: Configure An Immediate Secondary Call On A Service Node

    Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Terminate the call for Key#. Click Apply. For other settings, see Configuring Router Verifying the configuration Dial 300 at Telephone A. Router B plays the audio file welcome.wav.
  • Page 793 Figure 803 Configuring a service node Type 10 for Node ID. Type play-welcome for Description. Add two operations as shown in Figure 803. Click Apply. # Configure an access number. Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
  • Page 794: Configure A Secondary Call On A Service Node

    Type 30000 for Number ID. Type 300 for Number. Select call500 from the Bind to Menu list. Click Apply. For other settings, see Configuring Router Verifying the configuration Dial 300 at Telephone A. Telephone B rings. Configure a secondary call on a service node Network requirements As shown in Figure...
  • Page 795 Figure 806 Configuring a service node Type 10 for Node ID. Type reject-call for Description. Add two operations as shown in Figure 806. Click Apply. # Configure an access number. Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
  • Page 796: Configure A Call Node, Jump Node, And Service Node

    Figure 807 Configuring an access number Type 30000 for Number ID. Type 300 for Number. Select reject-call from the Bind to Menu list. Click Apply. For other settings, see Configuring Router Verifying the configuration Dial number 300 at Telephone A. Router B plays the audio file bye.wav, and then terminates the call. Configure a call node, jump node, and service node Network requirements As shown in...
  • Page 797 Figure 808 Network diagram Configuration procedure Configure Router A: See Configuring Router Configure Router B: # Configure a local number in the local number configuration page. The number ID is 500, the number is 500, and the bound line is line 1/0. # Upload a g729r8 media resource file.
  • Page 798 Figure 810 Configuring the global key policy Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list. Enter 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout;...
  • Page 799 Figure 811 Configuring a call node Enter 10 for Node ID. Enter play-call for Description. Select Enable for Play Voice Prompts, select Enable for Mandatory Play, and select call from the Voice Prompts list. Enter 1 for Extension Number, enter 500 for Corresponding Number, and click Add a Rule. Click Apply.
  • Page 800 Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Service Node tab, and click Add to access the following page. Figure 812 Configuring a service node Enter 20 for Node ID. Enter reject-call for Description. Add two operations as shown in Figure 812.
  • Page 801 Figure 813 Configuring a jump node Enter 10 for Node ID. Enter play-welcome for Description. Select Enable for both Play Voice Prompts and Mandatory Play. Select welcome from the Voice Prompts list.
  • Page 802: Customizing Ivr Services

    Select Jump to a specified node from the Key* list, and reject-all from its Specify a node list. Select Jump to a specified node from the Key# list, and play-all from its Specify a node list. Click Apply. # Configure an access number. Select Voice Management >...
  • Page 803 jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and secondary call. Configure a Jump menu Select Jump from the Menu Type list to access the following page. Figure 815 Configuring a jump menu Table 291 Configuration items Item Description...
  • Page 804 Item Description Select one of the following methods: • Terminate the call. Input Error Processing • Jump. Method • Return to the previous menu. By default, no method is set. Specify the target menu. Specify A Menu This setting is available when the Input Error Processing Method is Jump to a menu. Select an audio file.
  • Page 805 Item Description Menu Name Enter a menu name. Select Terminate the call. Menu Type By default, Jump is selected. Select an audio file. Play Voice Prompts When the User Enters the Menu No audio file is selected by default. Configure a menu of type Enter the next menu Select Enter the next menu from the Menu Type list to access the following page.
  • Page 806 Figure 818 Returning to the previous menu Table 294 Configuration items Item Description Menu Node ID Enter a menu ID. Menu Name Enter a menu name. Select Return to the previous menu. Menu Type By default, Jump is selected. Select an audio file. Play Voice Prompts When the User Enters the Menu No audio file is selected by default.
  • Page 807 Item Description Select an audio file. Play Voice Prompts When the User Enters the Menu No audio file is selected by default. Call immediately Enter the target number. Configure a Secondary-call menu Select Secondary-call from the Menu Type list to access the following page. Figure 820 Secondary-call menu Table 296 Configuration items Item...
  • Page 808: Bind An Access Number

    Item Description Select one of the following methods: • Terminate the call. • Jump to a menu. Input Error Processing Method • Return to the previous menu. By default, the menu uses the input error processing method configured in the global key policy.
  • Page 809: Customize Ivr Services

    Figure 821 Binding an access number Select the box of the target access number, and click Apply. Customize IVR services Enter the Customize IVR Services interface Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click the icon of the target menu to access the Customize IVR Services page.
  • Page 810: Custom Ivr Service Configuration Example

    Figure 823 Adding a submenu You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, or secondary-call. For information about the menu configuration, see Create a menu.
  • Page 811 If the user dials 2, the system jumps to the government product sales department menu. If the user dials #, the system terminates the call. Marketing and sales department menu This menu plays the audio file Welcome1.wav. Then, the following events occur: If the user dials 0, the system dials the number 500 to call the attendant.
  • Page 812 Figure 824 Configuring media resource Enter 1000 for Media Resource ID. Enter Hello for Rename Media Resource. Click the Browse button of g729r8 codec to select the target file. Click Apply. Use the same method to upload other g729r8 media resource files. You can see these uploaded files in Voice Management >...
  • Page 813 Figure 826 Configuring an access number Enter 300 for Number ID. Enter 300 for Number. Enter Voice Menu Access Number for Description. Click Apply. # Create a menu. Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click Add to create a menu.
  • Page 814 Figure 828 Binding the access number Select the box of the access number 300, and click Apply. Configure the voice menu system: # Enter the Customize IVR Services page. Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree to access the page shown in Figure 829.
  • Page 815 Select the voice menu system of Company A from the navigation tree to access the following page. Figure 831 Voice menu system of Company A Select Add A New Node from the Jump to submenu list of key 0. Click OK on the popup dialog box to access the following page. Figure 832 Creating a submenu for the marketing and sales department Enter 2 for Menu Node ID.
  • Page 816 Figure 833 Adding a submenu for the telecom product sales department Figure 834 Adding a submenu for the government product sales department Return to the Customize IVR Service page. Figure 835 Voice menu system of Company A Select Terminate the call from the Operation list of key #. Click Apply.
  • Page 817 Figure 836 Marketing and sales department submenu Select Jump from the Operation list, and Add A New Node from the Jump to submenu list for key 0. Click OK on the popup dialog box to access the following page. Figure 837 Adding a submenu Enter 8 for Menu Node ID.
  • Page 818 Figure 838 Marketing and sales department submenu Select Return to the previous node from the Operation list of key *. Click Apply. After the configuration, the marketing and sales department submenu is as shown in Figure 838. Configure the telecom product sales department submenu: Select Telecom Product Sales Dept from the navigation tree.
  • Page 819 Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of key 1. Click OK on the popup dialog box to access the following page. Figure 840 Adding a submenu Enter 9 for Menu Node ID. Enter Introduction to Product A for Menu Description.
  • Page 820 Select Government Product Sales Dept from the navigation tree. Configure the submenu as shown in Figure 842. The configuration procedure is identical to that of the telecom product sales department submenu. Figure 842 Government product sales department submenu After all the configuration is complete, the Customize IVR Services page is as shown in Figure 842.
  • Page 821: Advanced Configuration

    Advanced configuration This section provides global configuration and batch configuration. Global configuration Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to access the global configuration page, as shown in Figure 843. Figure 843 Global configuration page Table 297 Configuration items Item Description...
  • Page 822: Vrf-Aware Sip

    Item Description Specify the backup rule: • Strict—One of the following three conditions will trigger strict call backup: The device does not receive any reply from the peer after sending out a call request. The device fails to initiate a call to the IP network side. Backup Rule The device fails to register on the voice server.
  • Page 823: Batch Configuration

    Figure 844 VRF-aware SIP Batch configuration Local number Creating numbers in batch Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the Create Numbers in Batch link in the Local Number area to access the page for creating numbers in batch, as shown in Figure 845.
  • Page 824 Table 298 Configuration items Item Description Specify the start number, and then a series of consecutive numbers starting with the start number will be bound to the selected voice subscriber lines. For example, if you specify Start Number the start number as 3000 and select lines 3/0 and 3/1, then line 3/0 is bound to number 3000, and line 3/1 is bound to number 3001.
  • Page 825 Table 299 Configuration items Item Description Configure the protocol used for fax communication with other devices. • T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly. • Standard T.38—Use the standard T38 protocol of H.323 or SIP. The fax negotiation mode depends on the protocol used (H323 or SIP).
  • Page 826 Item Description Configure the value of NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible NET Payload Type G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Field Pass-through list.
  • Page 827 Table 300 Configuration items Item Description Configure call forwarding: • Enable. • Disable. By default, call forwarding is disabled. After you enable a call forwarding, enter the corresponding forwarded-to number: • The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to Call Forwarding number.
  • Page 828 Item Description Configure call waiting: • Enable. • Disable. By default, call waiting is disabled. After call waiting is enabled, configure the following parameters as needed: Call Waiting • Number of Call Waiting Tone Play Times. • Number of Tones Played at One Time. •...
  • Page 829 Figure 848 Local number advanced settings page Table 301 Configuration items Item Description Codec with the First Priority. Codec with the Second Priority. Codecs and Priorities Codec with the Third Priority. Codec with the Lowest Priority. Specify DTMF transmission mode: •...
  • Page 830: Call Route

    Item Description Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out. • Enable. Dial Prefix • Disable—Remove the configured dial prefix. If you select to enable the function, you must enter the dial prefix. Configure VAD.
  • Page 831 Table 302 Configuration items Item Description Specify the protocol used for fax communication with other devices. • T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly. • Standard T.38— Use the standard T38 protocol of H323 or SIP. The fax negotiation mode depends on the protocol used (H323 or SIP).
  • Page 832 Item Description Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible NET Payload Type G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Field Pass-through list.
  • Page 833: Line Management

    Item Description Route Selection Set the priority of the call route. The smaller the value, the higher the priority. Priority The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection.
  • Page 834 Table 304 Configuration items Item Description Specify the maximum interval for the user to dial the next digit. Max Interval for This timer will restart each time the user dials a digit and will work in this way until all Dialing the Next the digits of the number are dialed.
  • Page 835 Figure 852 FXO line configuration page Table 305 Configuration items Item Description Specify the maximum interval for the user to dial the next digit. Max Interval for This timer will restart each time the user dials a digit and will work in this way until all Dialing the Next the digits of the number are dialed.
  • Page 836 Item Description Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to Select the Line(s) apply the above settings to the selected FXO lines. E&M line configuration Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the E&M Line Configuration link in the Line Management area to access the E&M line configuration page, as shown in Figure...
  • Page 837: Sip Local Survival Services

    Figure 854 ISDN line configuration page Table 307 Configuration items Item Description When the voice signals on the line Input Gain on the attenuate to a relatively great extent, IMPORTANT: Voice Interface increases the voice input gain. Gain adjustment might lead to call failures. When a relatively small voice signal You are not recommended to adjust the Output Gain on the...
  • Page 838 Table 308 Configuration items Item Description Specify the telephone number of the first For example, if you specify the start Start Number user to be registered. number as 2000 and set the register user quantity to 5, the device automatically generates five registered Specify the number of users to be Register User Quantity users with telephone numbers from...
  • Page 839: States And Statistics

    States and statistics This section provides information on displaying various states and statistics. Line states Use this page to view information about all voice subscriber lines. Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State Information page appears.
  • Page 840: Displaying Detailed Information About Analog Voice Subscriber Lines

    Field Description • Physical Down—Voice subscriber line is physically down, possibly because no physical link is present or the link has failed. Subscriber Line Status • UP—Voice subscriber line is administratively down. • Shutdown—Voice subscriber line is up both administratively and physically. Displaying detailed information about analog voice subscriber lines For analog voice subscriber lines FXS, FXO, paging, MoH, and E&M, click the Details link to view...
  • Page 841: Call Statistics

    Figure 858 ISDN line details Click a timeslot (TS) link to view the details about the TS. Figure 859 Timeslot details Call statistics The following pages display call statistics. • Active Call Summary page—Displays statistics about ongoing calls. • History Call Summary page—Displays statistics about ended calls. ...
  • Page 842: Displaying Active Call Summary

    Displaying active call summary Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call Summary page appears. Figure 860 Active call summary page Table 310 Field description Field Description Call type. Type Only Speech and Fax are supported. Call status: •...
  • Page 843: Sip Ua States

    SIP UA states The following pages show SIP UA states: • TCP Connection Information page—Displays information about all TCP-based call connections. • TLS Connection Information page—Displays information about all TLS-based call connections. • Number Register Status page—Displays number register information when you use SIP servers to...
  • Page 844: Connection Status

    Figure 863 TLS connection information For information items, see Table 31 Connection status Displaying number register status Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Register Status tab. Figure 864 Number register status Table 312 Field description Field Description...
  • Page 845: Displaying Number Subscription Status

    Displaying number subscription status Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Subscription Status tab. Figure 865 Number subscription status Table 313 Field description Field Description Number Phone number. MWI server address, in the format of IP address plus port number or domain Subscription Server name.
  • Page 846: Sip Trunk Account States

    Table 314 Field description
    Field | Description
    Server Operation Mode | Server operation mode: • Alone. • Alive.
    Server Status | Server running state: • Enabled. • Disabled.
    User ID | User ID.
    Phone Number | Registered phone number.
    State | State of the registered user: • Online—User is online....
  • Page 847: Displaying Dynamic Contact States

    Displaying dynamic contact states Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree. The page for displaying dynamic contact states appears. Figure 868 Dynamic contact states Table 316 Field description Field Description Telephone number, which could be one of the following types: •...
  • Page 848: Ivr Information

    Figure 869 Server group information This page shows the configuration information of group servers. For information about how to configure group servers, see "Managing SIP server groups." IVR information The following pages show IVR information: • IVR Call States page—Displays information about ongoing IVR calls. ...
  • Page 849: Displaying Ivr Play States

    Displaying IVR play states Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Play States page appears. Figure 871 IVR play states Table 318 Field description Field Description Play Count Play times of the media file. •...
  • Page 850: About The Hp Msr Series Web-Based Configuration Guide

    About the HP MSR series Web-based Configuration Guide The HP MSR series Web-based configuration guides describe the software features on the web for the HP MSR Series Routers and guide you through the software configuration procedures. These configuration guides apply to the following models of the HP MSR series routers: Model •...
  • Page 851 MSR 20-10 • MSR 20-11 • MSR 20-12 • MSR 20-12-W • HP MSR20-1X MSR 20-12-T • MSR 20-12-T-W(NA) • MSR 20-13 • MSR 20-13-W •...
  • Page 852: Support And Other Resources

    Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
  • Page 853: Conventions

    Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
  • Page 854 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 855: Index

    Index Numerics WLAN client mode configuration, 102, WLAN client mode enabling, 3G modem WLAN client mode statistics, cellular interface configuration, WLAN RF ping information, displaying, access control managment, configuration, 152, PIN management, user group configuration, reboot, access number 3G wireless card state configuration, displaying, accessing...
  • Page 856 ADSL/G.SHDSL interface alternate port (MST), WAN configuration, advanced WLAN access wireless service/AP radio binding, batch configuration, WLAN advanced settings configuration, configuration, WLAN wireless QoS WMM AP radio EDCA global configuration, parameters, voice call route configuration, voice line management, Appendix (packet precedence), voice local number configuration, application voice SIP local survival services,...
  • Page 857 configuring intrusion detection, bridge enabling blacklist, bridge table maintenance, intrusion detection, enabling bridge set, 276, protection against flood attack (intrusion filtering, detection), forwarding, protection against scanning attack (intrusion major functionality, detection), MST common root bridge, 307, protection against single-packet attack (intrusion MST regional root bridge, detection), STP designated bridge,...
  • Page 858 call backup feature, call hold, call transfer, call barring feature, call waiting, call connection calling party control, SIP configuration, CID on FXO voice line, SIP functions and features, CID on FXS voice line, call control configuration examples, call authority control, configuring barge in, configuring max-call-connection set, configuring call forwarding, 562,...
  • Page 859 retrieving and displaying CRL, configuration file retrieving and displaying PKI certificate, backing up configuration (Web), changing backing up device files through USB port(Web), SSL VPN login password (Web), restoring configuration (Web), channel restoring device files through USB port(Web), WLAN advanced settings channel busy test, restoring factory defaults (Web), CID on FXO voice line, saving device configuration (Web),...
  • Page 860 call authority control, 617, IKE negotiation with RSA digital signature, call authority control (SIP local survival, immediate secondary call, Web), internal hosts accessing public network, call control, internal server, 143, call forwarding, 562, intrusion detection, call hold, IP network resources (Web), call match rules, 669, IP routing, call node, 754,...
  • Page 861 QoS advanced limit, SIP voice mailbox server, QoS advanced queue, SNMP community, QoS bandwidth guarantee, SNMP group, QoS interface bandwidth, SNMP trap function, QoS subnet limit, SNMP user, RADIUS scheme (Web), SNMP view, RADIUS scheme common parameters (Web), SNMPv1, 262, redundancy function (SIP trunk), SNMPv2c, 262, resource group (Web),...
  • Page 862 WLAN QoS, 127, CPE system software image management, WLAN RRM data transmit rates, 1 1 1 network framework, WLAN RRM data transmit rates (802.1 1), 1 1 1 WLAN RRM data transmit rates (802.1 1n data MCS), 1 12 WLAN RRM setup, WLAN RRM data transmit rates, 1 1 1 WLAN security,...
  • Page 863 device information active route table, analog line state, displaying, broadband connection information, DHCP call statistics, client configuration, client mode statistics, configuration, 202, connection status, configuration guidelines, CRL, configuring DHCP interface setup, device information, configuring exclusive IP addresses, digital line state, dynamic server address pool configuration, dynamic contact state, enabling,...
  • Page 864 DNS, 197, See also DDNS CE1 interface, ISDN PRI interface, configuration, configuring domain name suffix, E1 T1 DDNS configuration, 197, fax function, domain name resolution, feature, dynamic domain name cache clearing, interface, dynamic domain name resolution, introduction, dynamic domain name resolution enabling, PDH, proxy configuration, protocol,...
  • Page 865 Ethernet hunt group, message waiting indication, ARP configuration, SIP trunk, ARP static configuration, source address binding, DHCP client configuration, three-party conference, DHCP configuration, DHCP server configuration, features gratuitous ARP configuration, fax function, security ARP attack protection configuration, protocol, Ethernet/subinterface signaling mode, standard, WAN configuration, filtering...
  • Page 866 configuration, 709, help information one-to-one binding, about SSL VPN (Web), FXS voice HTTP subscriber line, managing services (Web), FXS voice subscriber line HTTPS configuration, managing services (Web), one-to-one binding, hunt group configuring, hunt group feature, G.71 1 codec pass-through fax, gateway ICMP configuring authentication policies,...
  • Page 867 BSV interface, creating a GRE tunnel, GRE/IPv4 configuration, intrusion detection GRE/IPv4 tunnel configuration, configuration, static route creation, protection against flood attack, static routing configuration, protection against scanning attack, WLAN QoS configuration, protection against single-packet attack, IPv6 IP address WLAN QoS configuration, login control, 334, ISDN WiNet configuration, 507, 514,...
  • Page 868 service node configuration, 759, VPDN, successive jumping, VPN user configuration, timeout processing method, L2TP for VPN uploading media resource files, enabling, IVR advantage L3VPN call node, VRF-aware SIP, codecs, customizable process, user group configuration, customizable voice prompt, LAN information error processing method, displaying, extension secondary call, flexible node configuration,...
  • Page 869 load sharing manual user-based load sharing configuration (Web), adding blacklist entry, loading mapping application, MSTP VLAN-to-instance mapping table, local call master port (MST), authentication, max age timer (STP), local number configuration, WLAN RRM data transmit rates (802.1 1n number substitution, MCS), 1 12 logging...
  • Page 870 Modulation and Coding Scheme, 12, See also Use IP services DNS configuration, IP services DNS proxy configuration, IP services DNS proxy enabling, MoH line configuration, configuring NAT connection limit, monitoring external network, displaying IPsec VPN monitoring internal network, information, private address, public address, CIST, network...
  • Page 871 WLAN access wireless service detailed security ARP attack protection configuration, information, SNMPv1 configuration, 262, WLAN access wireless service/AP radio SNMPv2c configuration, 262, binding, SNMPv3 configuration, 266, WLAN advanced settings channel busy test, static route creation (IPv4), WLAN advanced settings district code static routing configuration (IPv4), configuration, STP configuration,...
  • Page 872 configuration, configuration guidelines, configuring IKE negotiation with RSA digital optimizing signature, WLAN advanced settings configuration, creating PKI domain, other parameters (configuring), creating PKI entity, outbound calls destroying RSA key pair, configuring call routes, generating RSA key pair, overview requesting certificate from RSA Keon CA server, SSL VPN, requesting certificate from Windows 2003 CA...
  • Page 873 backing up configuration (Web), configuring FXS voice subscriber line, backing up device files through USB port configuring global advanced configuration, (Web), configuring gratuitous ARP, binding access number, configuring IKE negotiation with RSA digital changing SSL VPN login password (Web), signature, clearing dynamic domain name cache, configuring internal server, 143, configuring 3G modem cellular interface,...
  • Page 874 configuring resource group (Web), configuring user access to SSL VPN (Web), configuring security ARP automatic configuring user group, scanning, 346, configuring user group (Web), configuring security fixed ARP, 346, configuring user isolation, 1 17 configuring security IPsec connection, configuring user-based load sharing (Web), configuring server information management, configuring VE1 line, configuring SIP address hiding mode,...
  • Page 875 creating SIP server group, 657, enabling L2TP for VPN, creating static route (IPv4), enabling real-time switching, creating user (Web), enabling SIP trunk function, creating WLAN access services, enabling SNMP agent, 252, customizing IVR services, enabling WiNet, customizing SSL VPN user interface (Web), enabling WLAN client mode, destroying RSA key pair, enabling WLAN wireless QoS,...
  • Page 876 setting time zone (Web), Public Key Infrastructure. Use setting traffic ordering interval, setting WiNet topology background image, setting WLAN wireless QoS WMM AP radio EDCA parameters, ACL, setting WLAN wireless QoS WMM CAC adding IPv4 ACL, admission policy, advanced limit, 235, 235, 237, setting WLAN wireless QoS WMM client EDCA advanced queue, 235, parameters,...
  • Page 877 scheme common parameters configuration pass-through modem, (Web), removing scheme configuration (Web), IP services ARP entry, scheme server configuration (Web), request Web configuration, 322, SIP client, WiNet-based RADIUS authentication requesting configuration, local certificate, rate PKI certificate from RSA Keon CA server, WLAN RRM data transmit rates, 111, PKI certificate from Windows 2003 CA...
  • Page 878 static routing configuration (IPv4), security router accessing SSL VPN resources (Web), ACL, WAN interface configuration, adding blacklist entry, routing adding IPv4 ACL, ACL, ARP automatic scanning, 346, IP services DDNS configuration, 197, blacklist, IP services DNS configuration, changing SSL VPN login password (Web), IP services DNS proxy configuration, configuring access control, 152, IP services DNS proxy enabling,...
  • Page 879 performing basic configurations for SSL VPN WLAN access service creation, domain (Web), 411, WLAN access service security parameter PKI configuration, dependencies, PKI configuration guidelines, WLAN access service-based VLAN protection against flood attack (intrusion configuration, detection), WLAN access wireless service detailed protection against scanning attack (intrusion information, detection),...
  • Page 880 signaling registrar, security, configuring SIP security, service configuration, silent monitor SIP connection configuration, 636, 651, configuring, SIP server group management, silent monitor service, support for extension, SIM/UIM card support for transport layer protocol, PIN management, trunk, trunk configuration, Simple Network Management Protocol. Use SNMP trusted node configuration, advanced configuration,...
  • Page 881 configuring fax and modem parameters for call source address (configuring binding), route, source IP configuring media parameters for SIP-to-SIP subnet limit (QoS), 235, connection, source-route bridging, configuring signaling parameters for SIP-to-SIP source-route translational bridging, connection, specifying configuring SIP server group, DNS server, configuring SIP server group with multiple traffic ordering mode,...
  • Page 882 static ARP configuration, WLAN wireless QoS WMM service set, 119, WLAN wireless QoS WMM rate limiting switching configuration (static), to management level (Web), static routing synchronizing configuration (IPv4), user group configuration for wan interface, configuration guideline, syslog route creation (IPv4), configuration (Web), statistics display (Web),...
  • Page 883 setting super password (Web), setting WiNet topology background image, setting system time (Web), STP TCN BPDU protocol packets, setting time zone (Web), TR-069 switching to management level (Web), auto connection between ACS and CPE, upgrading software (Web), 474, auto-configuration, upgrading software (Web) basic functions, (MSR20/30/50), configuration (Web),...
  • Page 884 creating a GRE tunnel, creating user (Web), IP services GRE configuration, setting super password (Web), IP services GRE/IPv4 configuration, switching to management level (Web), IP services GRE/IPv4 tunnel configuration, IPsec VPN configuration, 350, VCX support for SIP voice service, viewing UA.
  • Page 885 IVR node configuration, batch local number configuration, IVR service customization, batch voice line management, jump node configuration, 757, 773, call authority control configuration, 733, line management, call route, location server, call route configuration, 528, proxy server, call rule set configuration, redirect server, call service, 525, registrar,...
  • Page 886 local number configuration, 527, LAC, local server operation mode configuration (alive LNS, mode, Web), local server operation mode configuration (alone accessing SSL VPN resources (Web), mode, Web), adding L2TP group, local survival service state displaying, changing SSL VPN login password (Web), number register status displaying, client-initiated VPN configuration, number subscription status displaying,...
  • Page 887 PKI configuration (certificate management), configuring resource group, configuring SSL VPN gateway, configuring SSL VPN service, 387, adding blacklist entry, configuring system time, common page features, configuring TCP application resources, configuring access control, 152, configuring TR-069, configuring application control, 171, configuring user access to SSL VPN, configuring attack protection, 158, configuring user group, configuring blacklist,...
  • Page 888 SIP trunk, 662, 664, roles, SIP trunk account state displaying, setting WiNet topology background image, SIP UA state displaying, wireless QoS state displaying, configuration, 119, statistics displaying, enable, 119, switching to the management level, WMM, syslog configuration, WMM AP radio EDCA parameters, system management, WMM CAC service configuration, TCP connection information displaying,...
  • Page 889 client mode enabling, configuring white list functions, 115, client mode statistics, white list, 115, connecting wireless service, QoS configuration, WLAN wireless QoS AP radio EDCA RF ping information, parameters, RRM data transmit rates configuration, 111, WLAN wireless QoS CAC admission policy, RRM data transmit rates configuration WLAN wireless QoS CAC service (802.11),...
