HP MSR Router Series
Web-Based
Configuration Guide(V5)
Part number: 5998-8174
Software version: CMW520-R2513
Document version: 6PW106-20150808

   Summary of Contents for HP MSR SERIES

  • Page 2 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
  • Page 3: Table Of Contents

    Contents
    Web overview, 1
    Logging in to the Web interface, 1
    Logging out of the Web interface, 2
    Introduction to the Web interface, 2
    User level, 4
    Introduction to the Web-based NM functions, 4
    ...
  • Page 4: Table Of Contents

    Configuration guidelines, 61
    Wireless configuration overview, 62
    Overview, 62
    Configuration task list, 62
    Configuring wireless services, 63
    Configuring wireless access service, 63
    Creating a wireless access service, 63
    ...
  • Page 5: Table Of Contents

    Setting rate limiting, 126
    Wireless QoS configuration example, 127
    CAC service configuration example, 127
    Static rate limiting configuration example, 129
    Dynamic rate limiting configuration example, 130
    Configuring advanced settings, 132
    ...
  • Page 6: Table Of Contents

    Application control configuration example, 174
    Webpage redirection configuration, 176
    Overview, 176
    Configuring webpage redirection, 176
    Configuring routes, 178
    Overview, 178
    Creating an IPv4 static route, 178
    Displaying the active route table...
  • Page 7: Table Of Contents

    Configuring IP addresses excluded from dynamic allocation, 210
    Configuring a DHCP server group, 211
    DHCP configuration examples, 212
    DHCP configuration example without DHCP relay agent, 213
    DHCP relay agent configuration example, 220
    ...
  • Page 8: Table Of Contents

    Configuring access control, 284
    Configuring application control, 285
    Configuring bandwidth control, 286
    Configuring packet filtering, 287
    Synchronizing user group configuration for wan interfaces, 289
    User group configuration example, 289
    Configuring MSTP...
  • Page 9: Table Of Contents

    Configuring IPsec VPN, 350
    Overview, 350
    Recommended configuration procedure, 350
    Configuring an IPsec connection, 351
    Displaying IPsec VPN monitoring information, 358
    IPsec VPN configuration example, 359
    Configuration guidelines, 361
    ...
  • Page 10: Table Of Contents

    Configuring RADIUS authentication, 415
    Configuring LDAP authentication, 416
    Configuring AD authentication, 418
    Configuring combined authentication, 419
    Configuring a security policy, 420
    Customizing the SSL VPN user interface, 424
    Customizing the SSL VPN interface partially...
  • Page 11: Table Of Contents

    Switching to the management level, 483
    Configuring system time, 484
    Setting the system time, 484
    Setting the time zone and daylight saving time, 486
    Configuring TR-069, 487
    TR-069 network framework, 488
    ...
  • Page 12: Table Of Contents

    Basic settings, 526
    Introduction to basic settings, 526
    Local number, 526
    Call route, 526
    Basic settings, 527
    Configuring a local number, 527
    Configuring a call route, 528
    ...
  • Page 13: Table Of Contents

    Configuring other parameters of a local number, 588
    Configuring advanced settings of a call route, 589
    Configuring coding parameters of a call route, 589
    Configuring other parameters for a call route, 590
    Advanced settings configuration example...
  • Page 14: Table Of Contents

    Configuring registration parameters, 646
    Configuring voice mailbox server, 648
    Configuring signaling security, 649
    Configuring call release cause code mapping, 650
    Configuring PSTN call release cause code mappings, 650
    Configuring SIP status code mappings, 651
    ...
  • Page 15: Table Of Contents

    Managing lines, 703
    FXS voice subscriber line, 703
    FXO voice subscriber line, 703
    E&M subscriber line, 703
    E&M introduction, 703
    E&M start mode, 703
    One-to-one binding between FXS and FXO voice subscriber lines, 705
    ...
  • Page 16: Table Of Contents

    IVR information, 831
    Displaying IVR call states, 831
    Displaying IVR play states, 832
    About the HP MSR series Web-based Configuration Guide, 833
    Support and other resources, 835
    Contacting HP, 835
    ...
  • Page 17

    Documents, 835
    Websites, 835
    Conventions, 836
    Index, 838
    ...
  • Page 18: Web Overview

    Web overview
    The device provides Web-based configuration interfaces for visual device management and maintenance.
    Figure 1 Web-based network management operating environment
    Logging in to the Web interface
    Follow these guidelines when you log in to the Web interface:
    • The PC in Figure 1 is the one where you configure the device, but not necessarily the Web-based...
  • Page 19: Logging Out Of The Web Interface

    Figure 2 Login page of the Web interface
    Logging out of the Web interface
    CAUTION: A logged-in user cannot automatically log out by directly closing the browser.
    Click Logout in the upper-right corner of the Web interface to quit Web-based network management. The system will not save the current configuration before you log out of the Web interface.
  • Page 20 Figure 3 Initial page of the Web interface...
  • Page 21: User Level

    (1) Navigation area (2) Title area (3) Body area
    • Navigation area—Organizes the Web function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area.
    • Title area—On the left, displays the path of the current configuration interface in the navigation...
  • Page 22

    Function menu | Description | User level
    Interface Setup > WAN Interface Setup | Displays the configuration information of a WAN interface, and allows you to view interface statistics. | Monitor
    Interface Setup > WAN Interface Setup | Allows you to modify WAN interface configuration, and clear the statistics of a WAN interface. | Configure
    ...
  • Page 23

    Function menu | Description | User level
     | Allows you to configure wireless QoS and rate limiting, and clear radio and client information. | Configure
    Country Code | Displays configuration information of the country code. | Monitor
    Country Code | Allows you to set the country code. | Configure
    3G Information | Displays 3G modem information, UIM card... | Monitor
  • Page 24

    Function menu | Description | User level
    URL Filter | Displays the information about URL filtering conditions. | Monitor
    URL Filter | Allows you to add or delete URL filtering conditions. | Configure
    MAC Address Filtering | Displays the information about MAC address filtering conditions. | Monitor
    MAC Address Filtering | Allows you to set MAC address filtering types, add or delete MAC addresses to... | Configure
  • Page 25

    Function menu | Description | User level
    Create | Allows you to create IPv4 static routes. | Configure
    Remove | Allows you to delete IPv4 static routes. | Configure
    User-based-sharing | Displays the IP address, mask and load sharing information of an interface. | Monitor
    User-based-sharing | Allows you to modify the load sharing status and shared bandwidth of an... | Configure
  • Page 26

    Function menu | Description | User level
     | Allows you to add an IPv4 ACL. | Configure
    Basic Config | Allows you to configure a basic rule for an IPv4 ACL. | Configure
    Advanced Config | Allows you to configure an advanced rule for an IPv4 ACL. | Configure
    ...
  • Page 27

    Function menu | Description | User level
    Policy > Summary | Displays QoS policy information. | Monitor
    Policy > Create | Allows you to create a QoS policy. | Configure
    Policy > Setup | Allows you to configure classifier-behavior associations. | Configure
    Policy > Remove | Allows you to remove a QoS policy. | Configure
    Summary | Displays QoS policy application information of a... | Monitor
  • Page 28

    Function menu | Description | User level
    View | Displays the brief information of SNMP views. | Monitor
    View | Allows you to create, modify, and remove an SNMP view. | Configure
    Bridge > Global Config | Displays and allows you to set global bridging information. | Configure
    Bridge > Config Interface | Displays and allows you to set interface bridging... | Configure
  • Page 29

    Function menu | Description | User level
     | Allows you to modify the MST region-related parameters and VLAN-to-MSTI mappings. | Configure
    Port | Displays MSTP port parameters. | Monitor
    Port | Allows you to modify MSTP port parameters. | Configure
    Global | Displays MSTP parameters globally. | Configure
    RADIUS | Displays and allows you to add, modify, and delete a... | Management
  • Page 30

    Function menu | Description | User level
     | Allows you to convert all dynamic ARP entries to static ones or delete all static ARP entries. | Configure
    IPsec Connection | Displays IPsec connection configuration. | Monitor
    IPsec Connection | Allows you to add, modify, delete, enable, or disable an IPsec connection. | Configure
    ...
  • Page 31

    Function menu | Description | User level
     | Displays CRLs. | Monitor
     | Allows you to retrieve CRLs. | Configure
    Save | Allows you to save the current configuration to the configuration file to be used at the next startup. | Configure
    Save | Allows you to save the current configuration as the factory default configuration. | Management
    ...
  • Page 32

    Function menu | Description | User level
    Modify User | Allows you to modify user account. | Management
    Remove User | Allows you to remove a user. | Management
    Switch To Management | Allows you to switch the user access level to the management level. | Visitor
     | Displays SNMP configuration information. | Monitor
    ...
  • Page 33 Function menu Description User level Allows you to execute the Trace Route trace route command and Visitor view the result. Displays and refreshes the WiNet topology diagram Monitor and allows you to view the detailed device information. Allows you to manually trigger the collection of WiNet Management topology information, save...
  • Page 34

    Function menu | Description | User level
    Call Authority Control | Displays call authority control configuration information, and the maximum number of call connections in a set. | Monitor
    Call Authority Control | Allows you to configure call authority control, and the maximum number of call connections in a set. | Configure
     | Displays number substitution configuration information. | Monitor
    ...
  • Page 35: Common Web Interface Elements

    Function menu Description User level Allows you to create local numbers, call routes, and Configure manage lines in batches. Allows you to view and refresh active and history Monitor call statistics. Call Statistics Allows you to view and refresh active and history Statistics Configure call statistics, and clear...
  • Page 36

    Figure 4 Content display by pages
    Searching function
    The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.
    • Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search item from the drop-down list and click the Search button to display the entries that match the criteria.
    ...
  • Page 37

    Figure 6 Advanced search
    Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these steps:
    Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 7, and click Apply.
    ...
  • Page 38: Managing Web-based Nm Through Cli

    Figure 9 Advanced searching function example (III)
    Sorting function
    The Web interface provides you with the basic sorting function to display entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
  • Page 39: Managing The Current Web User

    Task: Disable the Web-based NM service.
    Command: undo ip http enable
    Managing the current Web user
    Task: Display the current login users.
    Command: display web users
    Task: Log out the specified user or all users.
    Command: free web-users { all | user-id userid | user-name username }
    Configuration guidelines
    The Web-based configuration interface supports the operating systems of Windows XP, Windows 2000,...
  • Page 40

    Click the Security tab, and then select a Web content zone to specify its security settings, as shown in Figure 11.
    Figure 11 Internet Explorer setting (I)
    Click Custom Level, and a dialog box Security Settings appears.
    As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting.
    ...
  • Page 41

    Figure 12 Internet Explorer setting (II)
    Click OK in the Security Settings dialog box.
    Configuring Firefox Web browser settings
    Open the Firefox Web browser, and then select Tools > Options.
    Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure...
  • Page 42 Figure 13 Firefox Web browser setting...
  • Page 43: Displaying Device Information

    Displaying device information
    When you are logged in to the Web interface, you are placed on the Device Info page. The Device Info page contains five parts, which correspond to the five tabs below the figure on the page except the Services Information and Recent System Logs tabs. When you put your cursor on a part of the figure, the system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking this part.
  • Page 44

    • If you select a specific period, the system periodically refreshes the Device Info page.
    • If you select Manual, click Refresh to refresh the page.
    Displaying device information
    Table 3 Field description
    Field | Description
    Device Model | Device name.
    Software Version | Software version of the device.
    ...
  • Page 45: Displaying Lan Information

    Field | Description
    RSSI | Received signal strength indication (RSSI) of the 3G network.
    Displaying LAN information
    Table 6 Field description
    Field | Description
    Interface | Interface name.
    Link State | Link state of the interface.
    Work Mode | Rate and duplex mode of the interface.
    Displaying WLAN information
    Table 7 Field description
    Field...
  • Page 46: Managing Integrated Services

    Managing integrated services
    For devices with a card installed, if the card provides the Web interface access function, after specifying the URL address of the card on the integrated service management page, you can log in from the integrated service management page to the Web interface of the card to manage the card. When you are logged in to the Web interface, you are placed on the Device Info page.
  • Page 47: Basic Services Configuration

    Basic services configuration
    This document guides you through quick configuration of basic services of routers, including configuring WAN interface parameters, LAN interface parameters, and WLAN interface parameters. For information about WAN interfaces, see "Configuring WAN interfaces." For information about LAN interfaces, see "Configuring VLANs."...
  • Page 48: Ethernet Interface

    Ethernet interface
    Figure 18 Setting Ethernet interface parameters
    Table 10 Configuration items (in auto mode)
    Item | Description
    WAN Interface | Select the Ethernet interface to be configured.
    Connect Mode: Auto | Select the Auto connect mode to automatically obtain an IP address.
     | Specify the MAC address of the Ethernet interface in either of the two ways: •...
  • Page 49

    Item | Description
    DNS2 | To configure the global DNS server on the page you enter, select Advanced > DNS Setup > DNS Configuration. The global DNS server has priority over the DNS servers of the interfaces. The DNS query is sent to the global DNS server first. If the query fails, the DNS query is sent to the DNS server of the interface until the query succeeds.
    ...
  • Page 50

    SA interface
    Figure 19 Setting SA parameters
    Table 13 Configuration items
    Item | Description
    WAN Interface | Select the SA interface to be configured.
    User Name | Specify the user name for identity authentication.
    Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
    ...
  • Page 51

    ADSL/G.SHDSL interface
    Figure 20 Setting ADSL/G.SHDSL parameters
    Table 14 Configuration items (in IPoA mode)
    Item | Description
    WAN Interface | Select the ADSL/G.SHDSL interface to be configured.
    Connect Mode: IPoA | Select the IPoA connect mode.
     | Specify the VPI/VCI value for PVC.
    TCP-MSS | Set the maximum TCP segment length of an interface.
    ...
  • Page 52

    Item | Description
    Connect Mode: PPPoA | Select the PPPoA connect mode.
     | Specify the VPI/VCI value for PVC.
    User Name | Specify the user name for identity authentication.
    Password | Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
    New Password | Specify or modify the password for identity authentication.
    ...
  • Page 53 Figure 21 Setting CE1/PR1 interface parameters (in E1 mode) Table 18 Configuration items (in E1 mode) Item Description WAN Interface Select the CE1/PR1 interface to be configured. Work Mode: E1 Select the E1 work mode. User Name Specify the user name for identity authentication. Display whether a password has been specified for identity authentication.
  • Page 54 Table 19 Configuration items (in CE1 mode) Item Description WAN Interface Select the CE1/PR1 interface to be configured. Work Mode: CE1 Select the CE1 work mode. Select one of the following operation actions: • Operation Create—Binds timeslots. • Remove—Unbinds timeslots. Serial Select a number for the created Serial interface.
  • Page 55 Item Description Serial Select the number for the created serial interface. Timeslot-List Specify the timeslots to be bound or unbound. User Name Specify the user name for identity authentication. Display whether a password has been specified for identity authentication. Password An empty field indicates that no password is configured.
  • Page 56: Setting Lan Interface Parameters

    Item Description server if no data exchange occurs between it and the server within the specified time. After that, it automatically establishes the connection upon receiving a request for accessing the Internet from the LAN. Idle Timeout When Online according to the Idle Timeout value is enabled, specify an idle timeout value.
  • Page 57: Setting WLAN Interface Parameters

    Item Description End IP Address IMPORTANT: If the extended address pool is configured on an interface, when a DHCP client's request arrives at the interface, the server assigns an IP address from this extended address pool only. The client cannot obtain an IP address if no IP address is available in the extended address pool.
  • Page 58: Validating The Basic Services Configuration

    Item Description Network Name (SSID) Specify a wireless network name. Network Hide Select whether to hide the network name. Radio Unit Select a radio unit supported by the AP, which can be 1 or 2. Which value is supported varies with device models. Select whether to enable data encryption.
  • Page 59 Figure 27 Checking the basic service configuration...
  • Page 60: Configuring WAN Interfaces

    Configuring WAN interfaces This chapter describes how to configure the following interfaces on the Web interface: • Ethernet interfaces. • SA interfaces. • ADSL/G.SHDSL interfaces. • CE1/PRI interfaces. • CT1/PRI interfaces. Configuring an Ethernet interface An Ethernet interface or subinterface supports the following connection modes: Auto—The interface acts as a DHCP client to get an IP address through DHCP.
  • Page 61 Figure 29 Configuring an Ethernet interface Table 24 Configuration items (auto mode) Item Description WAN Interface Displays the name of the Ethernet interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
  • Page 62 Table 25 Configuration items (manual mode) Item Description WAN Interface Displays the name of the Ethernet interface to be configured. Interface Status Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. •...
  • Page 63: Configuring An SA Interface

    Item Description Password Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication. New Password Set or modify the password for authentication. TCP-MSS Configure the TCP MSS on the interface. Configure the MTU on the interface. Set the idle timeout time for a connection: •...
  • Page 64 Figure 30 Configuring an SA interface Table 27 Configuration items Item Description WAN Interface Displays the name of the interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
  • Page 65: Configuring An ADSL/G.SHDSL Interface

    Configuring an ADSL/G.SHDSL interface Overview The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA. IPoA IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data link layer for the IP hosts on the same network to communicate with one another, and IP packets must be adapted in order to traverse the ATM network.
  • Page 66 Figure 31 Configuring an ADSL/G.SHDSL interface Table 28 Configuration items (IPoA) Item Description WAN Interface Displays the name of the ADSL/G.SHDSL interface to be configured. Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
  • Page 67 Item Description Interface Status Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. •...
  • Page 68: Configuring A CE1/PRI Interface

    Item Description Interface Status Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. •...
  • Page 69: Configuration Procedure

    Configuration procedure To configure a CE1/PRI interface: Select Interface Setup > WAN Interface Setup from the navigation tree. Click the icon for the CE1/PRI interface. Configure the CE1/PRI interface, as described in "Configuring a CE1/PRI interface in E1 mode" "Configuring a CE1/PRI interface in CE1 mode."...
  • Page 70 Item Description Configure the MTU on the interface. Configuring a CE1/PRI interface in CE1 mode Figure 33 Configuring a CE1/PRI interface in CE1 mode Table 33 Configuration items (in CE1 mode) Item Description WAN Interface Displays the name of the CE1/PRI interface to be configured. Display and set the interface status: •...
  • Page 71: Configuring A CT1/PRI Interface

    Item Description Password Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication. New Password Set or modify the password for authentication. TCP-MSS Configure the TCP MSS on the interface. Configure the MTU on the interface. Configuring a CT1/PRI interface The CT1/PRI interface supports PPP connection mode.
  • Page 72: Displaying Interface Information And Statistics

    Table 34 Configuration items Item Description WAN Interface Displays the name of the CT1/PRI interface to be configured. Interface Status Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. •...
  • Page 73 Figure 35 Sample interface statistics...
  • Page 74: Configuring VLANs

    VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at the network layer. For more information about VLANs and VLAN interfaces, see HP MSR Router Series (V5) Layer 2—LAN Switching Configuration Guide. Configuring a VLAN and its VLAN interface...
  • Page 75: Creating A VLAN And Its VLAN Interface

    Step Remarks Optional. Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP server function for Configuring parameters for a VLAN a VLAN interface. If yes, configure the related parameters. interface. You can also configure the DHCP server function in Advanced > DHCP Setup.
  • Page 76: Configuring VLAN Member Ports

    Item Description Only Remove VLAN Interface Remove the VLAN interface of a VLAN without removing the VLAN. Configuring VLAN member ports The ports that you assign to a VLAN in the Web interface can only be set to untagged type. The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged member ports.
  • Page 77 Figure 37 VLAN interface setup page Table 37 Configuration items Item Description VLAN ID Select the ID of the VLAN interface you want to configure. IP Address Set the VLAN interface's IP address and subnet mask. Subnet Mask...
  • Page 78: Configuration Guidelines

    Item Description MAC Address Set the MAC address of the VLAN interface: • Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in the following brackets. • Use the customized MAC address—Manually set the MAC address of the VLAN interface.
  • Page 79: Wireless Configuration Overview

    Wireless configuration overview The device allows you to perform the following configuration in the Web interface: • Configuring wireless access service • Displaying wireless access service • Client mode • Configuring data transmit rates • Displaying radio • Configuring the blacklist and white list functions...
  • Page 80: Configuring Wireless Services

    Configuring wireless services For more information about WLAN user access, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring wireless access service Creating a wireless access service Select Interface Setup >...
  • Page 81: Configuring Clear Type Wireless Service

    Figure 39 Creating a wireless service Table 39 Configuration items Item Description Radio Unit Radio ID, 1 or 2. Mode Radio mode, which depends on your device model. Set the service set identifier (SSID). An SSID should be as unique as possible. For security, the company name should not be contained in the SSID.
  • Page 82 Figure 40 Configuring clear type wireless service Table 40 Configuration items Item Description Wireless Service Display the selected Service Set Identifier (SSID). VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
  • Page 83 Figure 41 Configuring advanced settings for a clear type wireless service Table 41 Configuration items Item Description Client Max Users Maximum number of clients of an SSID to be associated with the same radio of the AP. IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
  • Page 84 Item Description • mac-authentication—Performs MAC address authentication on users. • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
  • Page 85 Figure 42 Configuring MAC authentication Table 43 Configuration items Item Description Port Mode mac-authentication: MAC-based authentication is performed on access users. Max User Control the maximum number of users allowed to access the network through the port. MAC Authentication Select the MAC Authentication option. Select an existing domain from the list.
  • Page 86 Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
  • Page 87 Figure 44 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example) Table 45 Configuration items Item Description • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.
  • Page 88: Configuring Crypto Type Wireless Service

    Item Description Authentication Method • EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication. •...
  • Page 89 Figure 45 Configuring crypto type wireless service Table 40 for the configuration items of basic configuration of crypto type wireless service. Configuring advanced settings for crypto type wireless service Select Interface Setup > Wireless > Access Service from the navigation tree. Click the icon for the target crypto wireless service.
  • Page 90 Item Description TKIP CM Time Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled. If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is enabled. MIC is designed to avoid hacker tampering.
  • Page 91 Table 47 Configuration items Item Description Authentication Type Link authentication method, which can be: • Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication. • Shared-Key—The two parties must have the same shared key configured for this authentication mode.
  • Page 92 Item Description Table Parameters such as authentication type and encryption type determine the port mode. For details, see Table After you select the Cipher Suite option, the following four port security modes are added: • mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK Port Security to negotiate with the device.
  • Page 93: Binding An AP Radio To A Wireless Service

    Item Description Domain Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field. •...
  • Page 94: Security Parameter Dependencies

    Click the icon for the target wireless service to enter the page as shown in Figure Figure 50 Binding an AP radio to a wireless service Select the AP radio to be bound. Click Bind. Security parameter dependencies In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are described in Table Table 50 Security parameter dependencies...
  • Page 95: Displaying Wireless Access Service

    Service Authenticat Encryption Security IE encryption Port mode type ion mode type /key ID encryption is mac and psk required Selected Required The key ID userlogin-secure-ext can be 2, 3 Open-Syste or 4 m and Shared-Key encryption is required Unselected Unavailable mac-authentication The key ID...
  • Page 96 Field Description Service Template Type Service template type. Authentication Method Type of authentication used. WLAN service of the clear type only uses open system authentication. SSID-hide • Disable—The SSID is advertised in beacon frames. • Enable—Disables the advertisement of the SSID in beacon frames. Status of service template: •...
  • Page 97 Field Description GTK Rekey Method GTK rekey method configured: packet based or time based. GTK Rekey Time(s) Time for GTK rekey in seconds. • If Time is selected, the GTK is refreshed after a specified period of time. • If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted.
  • Page 98: Displaying Client

    Displaying connection history information about wireless service Figure 54 Displaying the connection history information about wireless service Displaying client Displaying client detailed information Select Interface Setup > Wireless > Summary from the navigation tree. Click the Client tab to enter the Client page. Click the Detail Information tab on the page.
  • Page 99 Table 53 Client RSSI Field Description —Indicates that 0 < RSSI <= 20. —Indicates that 20 < RSSI <= 30. Client RSSI —Indicates that 30 < RSSI <= 35. —Indicates that 35 < RSSI <= 40. —Indicates that 40 < RSSI. Table 54 Field description Field Description...
  • Page 100 Field Description 4-Way Handshake State Four-way handshake states: • IDLE—Displayed in initial state. • PTKSTART—Displayed when the 4-way handshake is initialized. • PTKNEGOTIATING—Displayed after valid message 3 was sent. • PTKINITDONE—Displayed when the 4-way handshake is successful. Group key state: •...
  • Page 101: Displaying RF Ping Information

    Figure 56 Displaying client statistics Table 56 Field description Field Description AP Name Name of the associated access point. Radio Id Radio ID. SSID SSID of the device. BSSID MAC address of the device. MAC Address MAC Address of the client. Received signal strength indication.
  • Page 102: Wireless Access Service Configuration Examples

    Figure 57 Viewing link test information Table 57 Field description Field Description No./MCS • Rate number for a non-802.11n client. • MCS value for an 802.11n client. Rate (Mbps) Rate at which the radio interface sends wireless ping frames. TxCnt Number of wireless ping frames that the radio interface sent.
  • Page 103 Figure 58 Network diagram IP network SSID:sevice1 Router Client Configuration procedure Create a wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add. Figure 59 Creating a wireless service Select the radio unit 1, set the service name to service1, and select the wireless service type clear.
  • Page 104: Access Service-based VLAN Configuration Example

    Figure 61 Enabling 802.11g radio Verifying the configuration If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you can view the online clients. Configuration guidelines Follow these guidelines when you configure a wireless service: Select a correct district code.
  • Page 105 Click Apply. After the wireless service is created, the system is automatically navigated to the wireless service page, where you can perform the VLAN settings (before this operation, select Network > VLAN and create VLAN 2 first). Figure 63 Setting the VLANs Type 2 in the VLAN (Untagged) input box.
  • Page 106: PSK Authentication Configuration Example

    On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3, while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two clients are in different VLANs, they cannot access each other. PSK authentication configuration example Network requirements As shown in...
  • Page 107 Figure 67 Configuring security settings Select Open-System from the Authentication Type list. Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list. Select the Port Set option, and select psk from the Port Mode list. Select pass-phrase from the Preshared Key list, and type key ID 12345678.
  • Page 108: Local MAC Authentication Configuration Example

    Local MAC authentication configuration example Network requirements As shown in Figure 69, perform MAC authentication on the client. Figure 69 Network diagram Configuration procedure Configure a wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. Click Add.
  • Page 109 Figure 71 Configuring security settings Select Open-System from the Authentication Type list. Select the Port Set option, and select mac-authentication from the Port Mode list. Select the MAC Authentication option, and select system from the Domain list. Click Apply. Enable the wireless service: Select Interface Setup >...
  • Page 110: Remote MAC Authentication Configuration Example

    Figure 73 Adding a MAC authentication list Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example. Click Add. (Optional.) Enable 802.11g radio. By default, 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
  • Page 111 Figure 75 Creating a wireless service Select radio unit 1. Set the wireless service name as mac-auth. Select the wireless service type clear. Click Apply. Configure MAC authentication: After you create a wireless service, the wireless service configuration page appears. Then you can configure MAC authentication on the Security Setup area.
  • Page 112 Figure 77 Enabling the wireless service Select the mac-auth option. Click Enable. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
  • Page 113: Remote 802.1X Authentication Configuration Example

    Click Add. On the page that appears, set the service name as mac, keep the default values for other parameters, and click OK. Figure 79 Adding a service Add an account: Click the User tab. Select User > All Access Users from the navigation tree. Click Add.
  • Page 114 On the device, configure the shared key as expert, and configure the device to remove the domain name of a username before sending it to the RADIUS server. The IP address of the device is 10.18.1.1. Figure 81 Network diagram Configuring the router Configure wireless service: Select Interface Setup >...
  • Page 115 Figure 83 Configuring security settings Enable the wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. On the page that appears, select the dot1x option, and click Enable. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup >...
  • Page 116 Figure 84 Adding access device Add a service: Click the Service tab. Select User Access Manager > Service Configuration from the navigation tree. Click Add. On the page that appears, set the service name to dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN as the Certificate Sub-Type, and click OK.
  • Page 117: N Configuration Example

    On the page that appears, enter username user, set the account name user and password dot1x, select the service dot1x, and click OK. Figure 86 Adding an account Verifying the configuration • After you enter username user and password dot1x in the popup dialog box, the client can...
  • Page 118 Figure 88 Creating a wireless service Enable the wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. Select the 11nservice option, and click Enable. Figure 89 Enabling the wireless service (Optional.) Enable 802.11n(2.4GHZ) radio. By default, 802.11n(2.4GHZ) radio is enabled. Verifying the configuration If you select Interface Setup >...
  • Page 119: Client Mode

    Client mode The client mode enables a router to operate as a client to access the wireless network. Multiple hosts or printers in the wired network can access the wireless network through the router. Figure 90 Client mode Enabling the client mode Select Interface Setup >...
  • Page 120: Connecting The Wireless Service

    NOTE: • Support for radio mode types depends on your device model. • You cannot enable an access service or WDS service on a radio interface with the client mode enabled. • To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target...
  • Page 121: Displaying Statistics

    Table 58 Configuration items Item Description AuthMode Specify the network authentication mode, which can be: • Open System—Open system authentication, namely, no authentication • Shared Key—Shared key authentication, which requires the client and the device to be configured with the same shared key.
  • Page 122: Client Mode Configuration Example

    Client mode configuration example Network requirements As shown in Figure 96, the router accesses the wireless network as a client. The Ethernet interface of the router connects to multiple hosts or printers in the wired network, and thus the wired network is connected to the wireless network through the router.
  • Page 123 Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can check the existing wireless services in the wireless service list. Figure 98 Checking the wireless service list Connect the wireless service Click the Connect icon of the wireless service psk in the wireless service list. A SET CODE dialog box shown in Figure 99 appears.
  • Page 124: Configuring Radios

    Figure 100 Making sure the workgroup bridge is online • You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address 000f-e2333-5510 have been successfully associated with the AP. • The wired devices on the right (such as printers and PCs) can access the wireless network through...
  • Page 125 Table 59 Configuration items Item Description Radio Unit Selected radios. Radio Mode Selected radio mode. Transmit Power Maximum radio transmission power, which varies with country codes, channels, radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.
  • Page 126 Item Description A-MPDU Selecting the A-MPDU option enables A-MPDU. 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
  • Page 127 Item Description Transmit Distance Maximum coverage of a radio. Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference. • Enable—Enables ANI. •...
  • Page 128: Configuring Data Transmit Rates

    Configuring data transmit rates Configuring 802.11a/802.11b/802.11g rates Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab. Figure 104 Setting 802.11a/802.11b/802.11g rates Table 61 Configuration items Item Description Configure rates (in Mbps) for 802.11a. By default: •...
  • Page 129: Configuring 802.11n MCS

    Supported Maximum MCS Set the maximum MCS index for 802.11n supported rates. For more information about MCS, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Make the MCS configuration the same on all APs in mesh configuration.
  • Page 130: Displaying Detailed Radio Information

    Figure 106 Displaying WLAN services bound to the radio The Noise Floor item in the table indicates various random electromagnetic waves during the wireless communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor. Displaying detailed radio information Select Interface Setup >...
  • Page 131 Field Description channel Channel used by the interface. The keyword auto means the channel is automatically selected. If the channel is manually configured, the field will be displayed in the format of channel configured-channel. power(dBm) Transmit power of the interface (in dBm). Received: 2 authentication frames, 2 Number of authentication and association frames received.
  • Page 132: Configuring WLAN Security

    Configuring WLAN security When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless devices use the air as the transmission medium, which means that the data transmitted by one device can be received by any other device within the coverage of the WLAN. To improve WLAN security, you can use white and black lists and user isolation to control user access and behavior.
  • Page 133: Configuring Static Blacklist

    Figure 108 Configuring dynamic blacklist Table 64 Configuration items Item Description Dynamic Blacklist • Enable—Enables dynamic blacklist. • Disable—Disables dynamic blacklist. IMPORTANT: Before enabling the dynamic blacklist function, select the Flood Attack Detect option in the WIDS Setup page. Lifetime Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.
  • Page 134: Configuring White List

    Table 65 Configuration items Item Description You can configure a static blacklist in the following two ways: MAC Address Select the MAC Address option, and then add a MAC address to the static blacklist. Select Current Connect Client If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.
  • Page 135 Figure 111 Network diagram To configure user isolation: Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab. Figure 112 Configuring user isolation Table 67 Configuration items Item Description • Enable—Enables user isolation on the AP to isolate the clients associated with it at Layer 2.
  • Page 136: Configuring WLAN QoS

    QoS provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services. For more information about the WLAN QoS terminology and the WMM protocol, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring wireless QoS Enabling wireless QoS Select Interface Setup >...
  • Page 137: Setting CAC Admission Policy

    Figure 114 Enabling Wireless QoS Click the icon in the Operation column for the desired radio in the AP list. Figure 115 Setting the SVP mapping AC Table 68 Configuration items Item Description Radio Selected radio. Select the SVP Mapping option, and then select the mapping AC to be used by the SVP service: •...
  • Page 138: Setting Radio EDCA Parameters For APs

    Table 69 Configuration items Item Description Client Number Users-based admission policy, namely, maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. By default, the users-based admission policy applies, with the maximum number of users being 20.
  • Page 139: Setting EDCA Parameters For Wireless Clients

    AC-VO ECWmin cannot be greater than ECWmax. On a device operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO. Setting EDCA parameters for wireless clients Select Interface Setup >...
  • Page 140: Displaying Radio Statistics

    Table 73 Default EDCA parameters for clients TXOP Limit AIFSN ECWmin ECWmax AC-BK AC-BE AC-VI AC-VO ECWmin cannot be greater than ECWmax. If all clients operate in 802.11b radio mode, you are recommended to set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
  • Page 141 Field Description QoS mode WMM indicates that QoS mode is enabled; None indicates that QoS mode is not enabled. Radio chip QoS mode Radio chip’s support for the QoS mode. Radio chip max AIFSN Maximum AIFSN allowed by the radio chip. Radio chip max ECWmin Maximum ECWmin allowed by the radio chip.
  • Page 142: Displaying Client Statistics

    Field Description Ack Policy ACK policy adopted by an AC. Indicates whether an AC is controlled by CAC: Disabled indicates that the AC is not controlled by CAC, Enabled indicates that the AC is controlled by CAC. Displaying client statistics Select Interface Setup >...
  • Page 143: Setting Rate Limiting

    Field Description Uplink CAC packets Number of uplink CAC packets. Uplink CAC bytes Number of uplink CAC bytes. Downlink CAC packets Number of downlink CAC packets. Downlink CAC bytes Number of downlink CAC bytes. Downgrade packets Number of downgraded packets. Downgrade bytes Number of downgraded bytes.
  • Page 144: Wireless Qos Configuration Example

    Table 76 Configuration items Item Description Wireless Service Existing wireless service. Direction Inbound or outbound. • Inbound—From clients to the device. • Outbound—From the device to clients. • Both—Includes inbound (from clients to the device) and outbound (from the device to clients). Rate limiting mode, dynamic or static.
  • Page 145 Figure 123 Enabling wireless QoS Select the radio unit to be configured in the list. Click the corresponding icon in the Operation column. In the Client EDCA list, select the priority type (AC_VO is taken for example here) to be modified.
  • Page 146: Static Rate Limiting Configuration Example

    Verifying the configuration If the number of existing clients in the high-priority ACs plus the number of clients requesting access is smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs, which is 10 in this example, the request is allowed. Otherwise, the request is rejected. Static rate limiting configuration example Network requirements As shown in...
  • Page 147: Dynamic Rate Limiting Configuration Example

    Verifying the configuration • Client 1 and Client 2 access the WLAN through an SSID named service1. • Check that traffic from Client 1 is rate limited to around 128 kbps, and so is traffic from Client 2. Dynamic rate limiting configuration example Network requirements As shown in Figure...
  • Page 148 Verifying the configuration Verify the following: • When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps. When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can •...
  • Page 149: Configuring Advanced Settings

    Configuring advanced settings Radio frequencies for countries and regions vary based on country regulations. A district code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country code or area code for a WLAN device to meet the specific country regulations. Setting a district code Select Interface Setup >...
  • Page 150 Figure 131 Configuring channel busy test Click the icon for the target AP. Figure 132 Testing busy rate of channels Click Start to start the testing. Table 78 Configuration items Item Description Radio Unit Display the radio unit, which takes the value of 1 or 2. Radio Mode Display the radio mode of the router.
  • Page 151: Managing A 3g Modem

    Managing a 3G modem For 3G communications, you can connect a USB 3G modem to a router through the USB interface on the MPU of the router. The 3G modem uses a user identity module (UIM) or subscriber identity module (SIM) to access the wireless networks provided by service providers.
  • Page 152 Figure 135 3G modem information (CDMA) Table 79 3G modem information Item Description Model Model of the 3G modem. Manufacturer Manufacturer of the 3G modem. Description Description for the 3G modem. Serial Number Serial number of the 3G modem. CMII ID CMII ID of the 3G modem.
  • Page 153 Table 80 SIM card information (WCDMA) Item Description Status of the SIM card: • SIM Status • Fault. • Absent. IMSI International Mobile Subscriber Identification number of the SIM card. Table 81 UIM card information (CDMA) Item Description State of the UIM card: •...
  • Page 154: Configuring The Cellular Interface

    Item Description Service status of the 3G network: • Service Status (1xRtt) Available. • Not available. Roaming status: Roaming Status • Home. (1xRtt) • Roaming. RSSI (1xRtt) Received signal strength indication of the 3G network. Configuring the cellular interface Click the icon for the cellular interface in Figure 133.
  • Page 155: Managing The Pin

    Managing the PIN Click PIN in Figure 136. Then you can manage the PIN. • PIN protection is disabled. To enable PIN protection, enter a PIN, a string of four to eight digits, and click Apply in the Enable PIN Code Protection area. Figure 137 Managing the PIN (PIN protection disabled) • PIN protection is enabled and the PIN is authenticated.
  • Page 156 Figure 139 Rebooting the 3G modem...
  • Page 157: Configuring Nat

    IP addresses are used to translate a large number of internal IP addresses. This effectively solves the IP address depletion problem. For more information about NAT, see the Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 158 Figure 140 Configuring dynamic NAT Table 85 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Select an address translation mode: • Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address.
  • Page 159: Configuring A Dmz Host

    Configuring a DMZ host Creating a DMZ host From the navigation tree, select NAT Configuration > NAT Configuration. Click the DMZ HOST tab. The DMZ host configuration page appears. Figure 141 Creating a DMZ host Configure the parameters as described in Table Click Add.
  • Page 160: Configuring An Internal Server

    Figure 142 Enabling DMZ host on an interface Configuring an internal server From the navigation tree, select NAT Configuration > NAT Configuration. Click the Internal Server tab. The internal server configuration page appears.
  • Page 161 Figure 143 Configuring an internal server Configure the parameters as described in Table Click Add. Table 87 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Protocol Specify the type of the protocol carried by IP, which can be TCP or UDP. Specify the public IP address for the internal server.
  • Page 162: Enabling Application Layer Protocol Check

    Item Description Host Port Specify internal port number for the internal server. From the list, you can: • Select Other and then enter a port number. If you enter 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is created.
  • Page 163: Nat Configuration Examples

    Figure 145 Configuring connection limit Configure the parameters as described in Table Click Apply. Table 89 Configuration items Item Description Enable connection limit Enable or disable connection limit. Max Connections Set the maximum number of connections that can be initiated from a source IP address.
  • Page 164 Configuring internal hosts accessing public network Configure the IP address of each interface. (Details not shown.) Configure dynamic NAT on Ethernet 0/2: Select NAT Configuration > NAT Configuration to enter the dynamic NAT configuration page, as shown in Figure 147. Select Ethernet0/2 from the Interface list.
  • Page 165: Internal Server Configuration Example

    Figure 148 Configuring connection limit Internal server configuration example Network requirements A company provides one FTP server and two Web servers for external users to access. The internal network address is 10.110.0.0/16. The company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24.
  • Page 166 Figure 150 Configuring the FTP server Configure Web server 1: As shown in Figure 151, select Ethernet0/2 from the Interface list. Select the TCP option in the Protocol field. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. Select http from the Global Port list.
  • Page 167 Figure 151 Configuring Web server 1 Configure Web server 2: Click Add in the internal server configuration page. As shown in Figure 152, select Ethernet0/2 from the Interface list. Select the TCP option in the Protocol field. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. Enter 8080 in the Global Port field.
  • Page 168 Figure 152 Configuring Web server 2...
  • Page 169: Configuring Access Control

    Configuring access control Access control allows you to control access to the Internet from the LAN by setting the time range, IP addresses of computers in the LAN, port range, and protocol type. All data packets matching these criteria will be denied access to the Internet. You can configure up to ten access control policies.
  • Page 170: Access Control Configuration Example

    Table 90 Configuration items Item Description Begin-End Time Set the time range of a day for the rule to take effect. The start time must be earlier than the end time. IMPORTANT: Set both types of time ranges or set neither of them.
  • Page 171 Figure 154 Network diagram Configuration procedure # Configure an access control policy to prohibit Host A through Host C from accessing the Internet during work time. • Select Security Setup > Access from the navigation tree. Figure 155 Configure an access control policy Set the Begin-End Time to 09:00 - 18:00.
  • Page 172: Configuring Url Filtering

    Configuring URL filtering The URL filtering function allows you to deny access to certain Internet Web pages from the LAN by setting the filter types and the filtering conditions. The URL filtering function applies to only the outbound direction of WAN interfaces. Configuration procedure Select Security Setup >...
  • Page 173: Url Filtering Configuration Example

    Table 92 Configuration items Item Description Set the filter type: • Blacklist—Denies URLs that match the filtering conditions. URLs that do not match the filtering conditions are permitted. Filtering by • Whitelist—Permits URLs that match the filtering conditions. URLs that do not match the filtering conditions are denied.
  • Page 174 Figure 158 Configure the URL filtering function...
  • Page 175: Configuring Attack Protection

    Configuring attack protection You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure intrusion detection in the Web interface. Overview Attack protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack.
  • Page 176 Table 93 Types of single-packet attacks Single-packet attack Description A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet Fraggle broadcast address.
  • Page 177: Configuring The Blacklist Function

    Protection against scanning attacks Scanning attackers usually use scanning tools to scan host addresses and ports in a network, so as to find possible targets and the services enabled on the targets and figure out the network topology, preparing for further attacks on the target hosts. The scanning attack protection function takes effect only on incoming packets.
  • Page 178: Enabling The Blacklist Function

    Step Remarks You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically.
  • Page 179: Viewing Blacklist Entries

    Figure 160 Add a blacklist entry Table 94 Configuration items Item Description IP Address Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8.
  • Page 180 and then select the specific attack protection functions to be enabled. Then, click Apply to finish the configuration. Figure 161 Intrusion detection configuration page On MSR20/30/50/93X/1000 routers Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 162.
  • Page 181: Attack Protection Configuration Examples

    Figure 163 Add an intrusion detection policy Attack protection configuration examples Attack protection configuration example for MSR900/20-1X Network requirements As shown in Figure 164, internal users Host A, Host B, and Host C access the Internet through Router. The network security requirements are as follows: Router always drops packets from Host D, an attacker.
  • Page 182 Figure 164 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Enable the blacklist function. • Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the following configurations, as shown in Figure 165.
  • Page 183 • Enter IP address 5.5.5.5, the IP address of Host D. • Select Permanence for this blacklist entry. • Click Apply. • Click Add and then perform the following configurations, as shown in Figure 167: Figure 167 Adding a blacklist entry for Host C • Enter IP address 192.168.1.5, the IP address of Host C.
  • Page 184: For Msr20/30/50/93x/1000 Routers

    • Select Enable Attack Defense Policy. • Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack Detection, and Add Source IP Address to the Blacklist. Clear all other options. • Click Apply. Verifying the configuration • Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist. Router drops all packets from Host D unless you remove Host D from the blacklist.
  • Page 185 Figure 170 Enabling the blacklist function • Select the box before Enable Blacklist. • Click Apply. # Add blacklist entries manually. • Click Add and then perform the following configurations, as shown in Figure 171: Figure 171 Adding a blacklist entry for Host D •...
  • Page 186 • Enter IP address 192.168.1.5, the IP address of Host C. • Select Hold Time and set the hold time of this blacklist entry to 50 minutes. • Click Apply. # Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist function for it;...
  • Page 187 • Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops the attack packet.
  • Page 188: Configuring Application Control

    Configuring application control You can load applications, configure a custom application, and enable application control in the Web interface. Application control allows you to control which applications and protocols users can access on the Internet by specifying the destination IP address, protocol, operation type, and port. Application control can be based on a group of users or all users in a LAN.
  • Page 189: Configuring A Custom Application

    Figure 174 Loading applications Configuring a custom application Select Security Setup > Application Control from the navigation tree, and then select the Custom Application tab to enter the custom application list page, as shown in Figure 175. Click Add to enter the page for configuring a custom application, as shown in Figure 176.
  • Page 190: Enabling Application Control

    Table 96 Configuration items Item Description Application Name Specify the name for the custom application. Specify the protocol to be used for transferring packets, including TCP, UDP, and All. Protocol All means all IP carried protocols. IP Address Specify the IP address of the server of the applications to be controlled. Specify the port numbers of the applications to be controlled.
  • Page 191: Application Control Configuration Example

    Application control configuration example Network requirements As shown in Figure 178, internal users access the Internet through Router. Configure application control on Router, so that no user can use MSN. Figure 178 Network diagram Configuration procedure # Load the application control file (assume that signature file p2p_default.mtd, which can prevent the use of MSN, is stored on the device).
  • Page 192 Figure 180 Loaded applications # Enable application control. • Click the Application Control tab and then perform the following configurations, as shown in Figure 181. Figure 181 Configuring application control • Select MSN from the Loaded Applications area. • Click Apply...
  • Page 193: Webpage Redirection Configuration

    Configuring webpage redirection CAUTION: Webpage redirection is ineffective on the interface with the portal function enabled. HP recommends not configuring both functions on an interface. Select Advanced > Redirection from the navigation tree to enter the page shown in Figure 182.
  • Page 194 Table 97 Configuration items Item Description Interface Select an interface on which webpage redirection is to be enabled. Redirection URL Type the address of the webpage to be displayed, which means the URL to which the web access request is redirected. For example, http://192.0.0.1. Interval Type the time interval at which webpage redirection is triggered.
  • Page 195: Configuring Routes

    You can manually configure routes. Such routes are called static routes. For more information about the routing table and static routes, see Layer 3—IP Routing Configuration Guide in HP MSR Router Series Configuration Guides (V5). Creating an IPv4 static route Select Advanced >...
  • Page 196: Displaying The Active Route Table

    Figure 184 Static route configuration page Configure static routes as described in Table Table 98 Configuration items Item Description Destination IP Address Enter the destination IP address of the static route, in dotted decimal notation. Mask Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
  • Page 197: Ipv4 Static Route Configuration Example

    Figure 185 Active route table Table 99 Field description Field Description Destination IP Address Destination IP address of the route. Mask Mask of the destination IP address. Protocol Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols. Preference Preference for the route.
  • Page 198: Configuration Considerations

    Figure 186 Network diagram Configuration considerations Configure a default route with Router B as the next hop on Router A. On Router B, configure one static route with Router A as the next hop and the other with Router C as the next hop.
  • Page 199 Select Advanced > Route Setup from the navigation tree of Router B. Click the Create tab. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop. Click Apply. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop. Click Apply.
  • Page 200 If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks, the IP address-to-link layer address mapping must be established. HP recommends specifying the next hop when you configure it as the output interface.
  • Page 201: Configuring User-based Load Sharing

    Configuring user-based load sharing You can configure user-based load sharing through the Web interface. Overview A routing protocol can have multiple equal-cost routes to the same destination. These routes have the same preference, and are all used to accomplish load sharing if no route with a higher preference is available.
  • Page 202 Table 100 Configuration items Item Description Interface This field displays the name of the interface on which user-based load sharing is configured. Status of user-based-sharing Set whether or not to enable user-based load sharing on the interface. Bandwidth Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface.
  • Page 203: Configuring Traffic Ordering

    Configuring traffic ordering You can do the following to configure traffic ordering on the Web interface: • Setting the traffic ordering interval • Specifying the traffic ordering mode • Displaying internal interface traffic ordering statistics • Displaying external interface traffic ordering statistics Overview When multiple packet flows (classified by their source addresses) are received or sent by a device, you can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound...
  • Page 204: Setting The Traffic Ordering Interval

    Setting the traffic ordering interval Select Advanced > Traffic Ordering from the navigation tree to enter the default configuration page. You can set the interval for collecting traffic statistics in the lower part of the page. Figure 190 Traffic ordering configuration page Specifying the traffic ordering mode Select Advanced >...
  • Page 205: Displaying External Interface Traffic Ordering Statistics

    Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and then click Refresh to display the list as needed. Figure 191 Internal interface traffic ordering statistics page Displaying external interface traffic ordering statistics Select Advanced >...
  • Page 206: Configuring Dns

    IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the DNS server translate them into correct IP addresses. For more information about DNS, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 207: Configuring Dns Proxy

    Configuring DNS proxy Task Remarks Required. Enabling DNS proxy Enable DNS proxy on the device. Disabled by default. Required. Not specified by default. Specifying a DNS server You can specify up to six DNS servers. Enabling dynamic domain name resolution From the navigation tree, select Advanced >...
  • Page 208: Clearing The Dynamic Domain Name Cache

    Clearing the dynamic domain name cache From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 193. Select the Clear Dynamic DNS cache box. Click Apply. Specifying a DNS server From the navigation tree, select Advanced >...
  • Page 209: Domain Name Resolution Configuration Example

    Table 102 Configuration items Item Description DNS Domain Name Suffix Configure a domain name suffix. Click Apply. Domain name resolution configuration example Network requirements As shown in Figure 196, Router B serves as a DNS client and Router A is specified as a DNS server. Dynamic domain name resolution and the domain name suffix are configured on Router B, and therefore Router B can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/24.
  • Page 210 Figure 197 Creating a zone Create a mapping between the host name and the IP address: In Figure 198, right-click zone com. Select New Host to bring up a dialog box as shown in Figure 199. Enter host name host and IP address 3.1.1.1. Figure 198 Adding a host...
  • Page 211 Figure 199 Adding a mapping between domain name and IP address Configuring the DNS proxy (Router A) Enable DNS proxy on Router A: From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 200.
  • Page 212 Figure 201 Specifying a DNS server address Configuring the DNS client (Router B) Enable dynamic domain name resolution: From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 202. Select Enable for Dynamic DNS.
  • Page 213 Figure 203 Specifying the DNS server address Configure the domain name suffix: Click Add Suffix to enter the page as shown in Figure 204. Enter com in DNS Domain Name Suffix. Click Apply. Figure 204 Configuring DNS domain name suffix Verifying the configuration Select Other >...
  • Page 214: Configuring Ddns

    Configuring DDNS Overview Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
  • Page 215: Configuration Prerequisites

    Configuration prerequisites • Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. Specify the primary IP address of the interface and make sure the DDNS server and the interface •...
  • Page 216: Ddns Configuration Example

    Item Description Settings Server Name Specify the server name of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org.
  • Page 217 Figure 208 Network diagram Configuring DDNS on the router Before configuring DDNS on Router, register at http://www.3322.org/ (username steven and password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and make sure the devices are reachable to each other. Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1.
  • Page 218 After the preceding configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.
  • Page 219: Configuring Dhcp

    A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent, as shown in Figure 21 Figure 211 A typical DHCP relay agent application For more information about DHCP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 220: Recommended Configuration Procedure

    Recommended configuration procedure Configuring the DHCP server Task Remarks Required. Configuration guidelines Enable DHCP globally. Disabled by default. Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default. Configuring the DHCP server on an IMPORTANT: interface The DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface.
  • Page 221: Configuring The Dhcp Client

    Task Remarks Configuring a DHCP server group Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all the DHCP servers of the group.
  • Page 222: Configuring Dhcp Interface Setup

    Figure 212 DHCP Enable Table 104 Configuration items Item Description DHCP Enable or disable DHCP globally. Configuring DHCP interface setup Select Advanced > DHCP Setup from the navigation tree. Click the DHCP Interface Setup tab. The DHCP interface setup configuration page appears, as shown in Figure 213.
  • Page 223: Configuring A Static Address Pool For The Dhcp Server

    Item Description Correlate the relay agent interface with a DHCP server group. DHCP server group You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection. Configuring a static address pool for the DHCP server Select Advanced >...
  • Page 224 Figure 214 Static address pool setup for the DHCP server Configure the static address pool for the DHCP server as described in Table 106. Click Apply. Table 106 Configuration items Item Description Pool Name Name of the static DHCP address pool. Address Allocation Specify the static address allocation mode for the DHCP address pool.
  • Page 225: Configuring A Dynamic Address Pool For The Dhcp Server

    Item Description IP Address, Subnet Mask IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified. IMPORTANT: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts might occur, and the client cannot obtain the IP address.
  • Page 226 Figure 215 Dynamic address pool setup for the DHCP server Configure the dynamic address pool for the DHCP server as described in Table 107. Click Apply. Table 107 Configuration items Item Description Pool Name Name of the dynamic DHCP address pool. Address Allocation Mode: Specify the dynamic address allocation mode for the DHCP address pool.
  • Page 227: Configuring Ip Addresses Excluded From Dynamic Allocation

    Item Description Subnet Mask IMPORTANT: Make sure the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation. Lease Duration Specify the lease for IP addresses to be assigned. NOTE: •...
  • Page 228: Configuring A Dhcp Server Group

    Figure 216 IP address excluded from dynamic allocation setup Configure IP addresses excluded from dynamic allocation as described in Table 108. Click Apply. Table 108 Configuration items Item Description Start IP Address Specify the lowest IP address excluded from dynamic allocation. Specify the highest IP address excluded from dynamic allocation.
  • Page 229: Dhcp Configuration Examples

    Figure 217 DHCP server group setup Configure DHCP server group as described in Table 109. Click Apply. Table 109 Configuration items Item Description Group ID DHCP server group ID. You can create at most 20 DHCP server groups. Server IP Address Specifies the DHCP server IP addresses for the DHCP server group. IMPORTANT: The IP address of a DHCP server cannot be on the same network segment as that of the...
  • Page 230: Dhcp Configuration Example Without Dhcp Relay Agent

    DHCP configuration example without DHCP relay agent Network requirements The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25 respectively.
  • Page 231 Figure 219 Enabling DHCP Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on interface Ethernet 0/1. Details not shown.) Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B: Click the DHCP Interface Setup tab.
  • Page 232 Figure 220 DHCP static address pool configuration Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS server address): Enter pool0 in the Pool Name field, as shown in Figure 221. Select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.1.1.0 in the IP Address field and select the Subnet Mask box, and then enter 255.255.255.0.
  • Page 233 Figure 221 DHCP address pool 0 configuration Configure DHCP address pool 1 (including the address range, lease duration, and gateway address): Enter pool1 in the Pool Name field, as shown in Figure 222. Select Dynamic Allocation in the Address Allocation Mode field. Enter 10.1.1.0 in the IP Address field.
  • Page 234 Figure 222 DHCP address pool 1 configuration Configure DHCP address pool 2 (including the address range, lease duration and gateway IP address): Enter pool2 in the Pool Name field, as shown in Figure 223. Select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.1.1.128 in the IP Address field.
  • Page 235 Figure 223 DHCP address pool 2 configuration Exclude IP addresses from dynamic allocation (DNS server and gateway addresses): Expand the Forbidden IP Addresses node. Enter 10.1.1.2 in the Start IP Address field, enter 10.1.1.2 in the End IP Address field, click Apply, enter 10.1.1.126 in the Start IP Address field, as shown in Figure 224, enter...
  • Page 236 Figure 224 Excluding IP addresses from dynamic allocation Configuring the DHCP client (Router B) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree, and then click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list.
  • Page 237: Dhcp Relay Agent Configuration Example

    Figure 225 Enabling the DHCP client on interface Ethernet 0/1 DHCP relay agent configuration example Network requirements Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients reside. The IP address of Ethernet 0/1 is 10.10.1.1/24. The IP address of Ethernet 0/2, which connects to the DHCP server 10.1.1.1/24 (Router B), is 10.1.1.2/24.
  • Page 238 Select the Enable option in the DHCP field. Click Apply. Figure 227 DHCP enable Create a DHCP server group: Click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list. Select the Relay option in the Type field. Expand the Add DHCP Server Group node. Enter 1 in the Group ID field.
  • Page 239 Select 1 from the DHCP Server Group list. Click Apply. Figure 229 The page for enabling the DHCP relay agent on interface Ethernet 0/1 Configuring the DHCP server (Router B) Specify addresses for interfaces. (Details not shown.) Enable DHCP: Select Advanced > DHCP Setup from the navigation tree of Router B. The default DHCP Enable tab appears, as shown in Figure 230.
  • Page 240 Enter pool1 in the Pool Name field and select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.10.1.0 in the IP Address field, select the Subnet Mask box, and then enter 255.255.255.0. Set the Lease Duration to 7 days, 0 hours, and 0 minutes. Select the Domain Name box, and then enter aabbcc.com.
  • Page 241 Figure 232 IP address excluded from dynamic allocation configuration Configure the DHCP client (Router C) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree. Click the DHCP Interface Setup tab. Select Ethernet0/1 in the Interface field. Select the Client option in the Type field.
  • Page 242 Figure 233 Enabling the DHCP client on interface Ethernet 0/1...
  • Page 243: Configuring Acls

    header ACLs (4000 to 4999): Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type. For more information about IPv4 ACL, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Recommended IPv4 ACL configuration procedure Step Remarks Required.
  • Page 244 Configuration guidelines When you configure an ACL, follow these guidelines: • You cannot create a rule with or modify a rule to have the same permit/deny statement as an existing rule in the ACL. • You can only modify the existing rules of an ACL that uses the match order of config. • When you...
  • Page 245: Configuring A Rule For A Basic Ipv4 Acl

    Configuring a rule for a basic IPv4 ACL Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Basic Config tab to enter the rule configuration page for a basic IPv4 ACL. Figure 235 The page for configuring a basic IPv4 ACL Table 112 Configuration items Item Description...
  • Page 246: Configuring A Rule For An Advanced Ipv4 Acl

    Item Description Check Logging: Select this box to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets. Source IP Address: Select the Source IP Address box, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
  • Page 247 Figure 236 The page for configuring an advanced IPv4 ACL...
  • Page 248 You can use command line interface to create advanced IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Also, when you configure advanced bandwidth limit and advanced bandwidth guarantee, the system automatically creates advanced IPv4 ACLs.
  • Page 249: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description TCP Connection Established: Select this box to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
  • Page 250 You can use command line interface to create Ethernet frame header IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Select the Rule ID box, and enter a number for the rule.
  • Page 251 Item Description Action: Select the action to be performed for IPv4 packets matching the rule: • Permit—Allows matched packets to pass. • Deny—Drops matched packets. Source MAC Address: Select the Source MAC Address box, and enter a source MAC address and wildcard.
  • Page 252: Configuring Qos

    Configuring QoS The Web interface provides the following QoS configuration functions: • Configuring subnet limit • Configuring advanced limit • Configuring advanced queue Overview Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 253: Configuring Subnet Limit

    interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This is because working at the IP layer the latter two functions do not take effect on packets not processed by the IP layer. • Bandwidth guarantee—When congestion occurs to a port, class-based queuing (CBQ) classifies packets into different classes according to user-defined match criteria and assigns these classes to their queues.
  • Page 254: Configuring Advanced Limit

    Table 115 Configuration items Item Description Start Address Set the address range of the subnet where rate limit is to be performed. End Address Interface Specify the interface to which the subnet limit is to be applied. Set the average traffic rate allowed. Set the rate limit method: •...
  • Page 255 Figure 241 Advanced limit setting...
  • Page 256 Table 116 Configuration items Item Description Description: Configure a description for the advanced limit policy for management sake. Interface: Specify the interface to which the advanced limit is to apply. Direction: Set the direction where the rate limit applies: • Download—Limits the rate of incoming packets of the interface.
  • Page 257: Configuring Advanced Queue

    Configuring advanced queue To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for these interfaces. Configuring interface bandwidth Select Advance >...
  • Page 258: Configuring Bandwidth Guarantee

    Description Set the average traffic rate allowed for the interface. HP recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link. If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ enqueues packets is 1000000 kbps.
  • Page 259 Figure 243 Creating a bandwidth guarantee policy Table 118 Configuration items Item Description Description Configure a description for the bandwidth guarantee policy for management sake.
  • Page 260 Item Description Queue Type: Set the service class queue type: • EF (Expedited Forwarding)—Provides absolutely preferential queue scheduling for the EF service so as to ensure low delay for real-time data traffic. At the same time, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
  • Page 261: Qos Configuration Examples

    QoS configuration examples Subnet limit configuration example Network requirements As shown in Figure 244, limit the rate of packets leaving Ethernet 1/1 of Router. Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.
  • Page 262: Advanced Queue Configuration Example

    Enter 2.1.1.100 in the End Address field. Select interface Ethernet 1/1. Enter 5 in the CIR field. Select Per IP in the Type list. Select Upload from the Direction list. Click Apply. Advanced queue configuration example Network requirements As shown in Figure 246, data traffic from Router C reaches Router D by way of Router A and then Router B.
  • Page 263 Figure 247 Configuring assured forwarding Enter the description test-af. Select AF (Assured Forwarding) in the Queue Type list. Select interface Ethernet0/0. Enter 40 in the Bandwidth field. Enter 10, 18 in the DSCP field. Click Apply. # Perform EF for traffic with DSCP field EF. Select Advance >...
  • Page 264 Figure 248 Configuring expedited forwarding Enter the description test-ef. Select EF (Expedited Forwarding) in the Queue Type list. Select interface Ethernet0/0. Enter 240 in the Bandwidth field. Enter 46 in the DSCP field. Click Apply. After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in the network.
  • Page 265: Appendix Packet Precedences

    Appendix Packet precedences IP precedence and DSCP values Figure 249 DS field and ToS field As shown in Figure 249, the ToS field of the IP header contains 8 bits: the first 3 bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is represented by the first 6 bits (0 to 5) and is in the range 0 to 63.
  • Page 266 DSCP value (decimal) DSCP value (binary) Keyword 011110 af33 100010 af41 100100 af42 100110 af43 001000 010000 011000 100000 101000 110000 111000 000000 be(default) 802.1p priority 802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
  • Page 267 802.1p priority (decimal) 802.1p priority (binary) Keyword background spare excellent-effort controlled-load video voice network-management...
  • Page 268: Configuring Snmp

    • send traps to the NMS when some events, such as interface state change, occur. HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other. • SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use...
  • Page 269: Enabling The Snmp Agent Function

    Task Remarks Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group. Configuring an SNMP community: Required. Configuring the SNMP trap function: Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the...
  • Page 270 On the upper part of the page, you can select to enable or disable the SNMP agent function and configure parameters such as SNMP version. On the lower part of the page, you can view the SNMP statistics, which helps you understand the running status of the SNMP after your configuration.
  • Page 271: Configuring An Snmp View

    Item Description Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
  • Page 272 Figure 255 Creating an SNMP view (2) Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules, click Apply to create an SNMP view.
  • Page 273: Configuring An Snmp Community

    Figure 256 Adding rules to an SNMP view You can also click the icon corresponding to the specified view on the page as shown in Figure 253, and then you can enter the page to modify the view. Configuring an SNMP community Select Advanced >...
  • Page 274: Configuring An Snmp Group

    Table 124 Configuration items Item Description Community Name: Set the SNMP community name. Access Right: Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent. •...
  • Page 275: Configuring An Snmp User

    Figure 260 Creating an SNMP group Configure the SNMP group, as shown in Table 125. Table 125 Configuration items Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group. The available security levels are: •...
  • Page 276 Figure 261 SNMP user Click Add to enter the Add SNMP User page, as shown in Figure 262. Figure 262 Creating an SNMP user Configure the SNMP user, as shown in Table 126. Table 126 Configuration items Item Description User Name Set the SNMP user name.
  • Page 277: Configuring The Snmp Trap Function

    Item Description Group Name: Select an SNMP group to which the user belongs: • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
  • Page 278 Click Add to enter the Add Trap Target Host page, as shown in Figure 264. Figure 264 Adding a target host of SNMP traps Configure the SNMP traps, as shown in Table 127. Table 127 Configuration items Item Description Destination IP Address: Set the destination IP address. Select the IP address type: IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field...
  • Page 279: Displaying Snmp Packet Statistics

    Item Description Security Level: Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the security level can only be no authentication no privacy, and cannot be modified.
  • Page 280 Figure 266 Network diagram Configuring the agent Enable SNMP: Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the following configuration as shown in Figure 267. Select the Enable radio box. Set the SNMP version to both v1 and v2c. Click Apply.
  • Page 281 Figure 268 Configuring SNMP community named public Figure 269 Configuring SNMP community named private Type private in the field of Community Name. Select Read and write from the Access Right list. Click Apply. Enable Agent to send SNMP traps: Click the Trap tab and perform the following configuration as shown in Figure 270.
  • Page 282 Figure 270 Enabling Agent to send SNMP traps Add target hosts of SNMP traps: On the Trap tab page, click Add and perform the following configuration as shown in Figure 271. Select the destination IP address type as IPv4/Domain. Type the destination address 1.1.1.2. Type the security username public.
  • Page 283: Snmpv3 Configuration Example

    Create a read and write community and name it private. For more information about configuring the NMS, see the NMS manual. Verifying the configuration • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
  • Page 284 Figure 273 Enabling SNMP Configure an SNMP view: Click the View tab and then click Add. Perform the following configuration as shown in Figure 274. Type view1 in the field of View Name. Click Apply and enter the page of view1. Perform the following configuration as shown in Figure 275.
  • Page 285 Figure 275 Adding a view named view1 Select the Included radio box. Type the MIB subtree OID interfaces. Click Add. Click Apply. A configuration progress dialog box appears, as shown in Figure 276. After the configuration process is complete, click Close. Figure 276 Configuration progress dialog box Configure an SNMP group: Click the Group tab and then click Add.
  • Page 286 Figure 277 Configuring an SNMP group Configure an SNMP user: Click the User tab and then click Add. Perform the following configuration as shown in Figure 278. Type user1 in the User Name field. Select Auth/Priv from the Security Level list. Select group1 (Auth/Priv) from the Group Name list.
  • Page 287 Enable Agent to send SNMP traps: Click the Trap tab and perform the following configuration as shown in Figure 279. Select the Enable SNMP Trap box. Click Apply. Figure 279 Adding target hosts of SNMP traps Add target hosts of SNMP traps: On the Trap tab page, click Add and perform the following configuration as shown in Figure 280.
  • Page 288 Configuring the NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. Specify the SNMP version for the NMS as v3. Create an SNMP user user1. Enable both authentication and privacy functions. Use MD5 for authentication and DES56 for encryption.
  • Page 289: Configuring Bridging

    A transparent bridging device keeps a bridge table, which contains mappings between destination MAC addresses and outbound interfaces. For more information about transparent bridging, see Layer 2—WAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Major functionalities of bridges Maintaining the bridge table A bridge relies on its bridge table to forward data.
  • Page 290 Figure 281 Host A sends an Ethernet frame to Host B on LAN 1...
  • Page 291: Forwarding And Filtering

    Figure 283 The bridge determines that Host B is also attached to interface 1...
  • Page 292 Figure 285 Forwarding...
  • Page 293: Vlan Transparency

    Figure 287 The proper MAC-to-interface mapping is not found in the bridge table When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than the receiving interface. VLAN transparency VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN tags.
  • Page 294: Adding An Interface To A Bridge Set

    Figure 288 Global config Table 128 Configuration items Item Remarks Bridge Group id Set the ID of the bridge set you want to enable. Adding an interface to a bridge set Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the page shown in Figure 289.
  • Page 295: Bridging Configuration Example

    Set the ID of the bridge set to which you want to add the interface. VLAN Transmit: Enable or disable VLAN transparency on the interface. HP recommends not enabling this function on a subinterface. A VLAN interface does not support this function. Bridging configuration example...
  • Page 296 Figure 290 Network diagram Configuration procedure Configure Router A: # Enable bridge set 2. Select Advanced > Bridge from the navigation tree to enter the Global config page. Figure 291 Enabling bridge set 2 Enter 2 as the bridge group ID.
  • Page 297 Figure 292 Assigning Ethernet 1/1 to bridge set 2 and enable VLAN transparency Select Ethernet1/1 from the Interface list. Select 2 from the Bridge Group list. Select Enable from the VLAN Transmit list. Click Apply. # Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency. Figure 293 Assigning Ethernet 1/2 to bridge set 2 and enable VLAN transparency Select Ethernet1/2 from the Interface list.
  • Page 298 Click Apply. Configure Router B in the same way Router A is configured.
  • Page 299: Configuring User Groups

    Configuring user groups You can add hosts in a LAN to a user group and perform access control, application control, bandwidth control, and packet filtering on a per user group basis. • Access control—Allows you to deny access from hosts during specific time ranges. All data packets matching these criteria will be denied access to the Internet.
  • Page 300: Configuring A User Group

    Configuring a user group Select Advanced > Security > Usergroup from the navigation tree. The group configuration page appears, as shown in Figure 294. Figure 294 User group configuration Table 131 describes the user group configuration item. Table 131 Configuration item Item Description Set the name of the group to be added.
  • Page 301 Figure 295 User configuration Table 132 describes the user configuration items. Table 132 Configuration items Item Description Please select a user group Select the group to which you want to add users. Set the mode in which the users are added. •...
  • Page 302 Figure 296 Access control configuration Table 133 describes the access control configuration items. Table 133 Configuration items Item Description Please select a user group: Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups.
  • Page 303: Configuring Bandwidth Control

    Figure 297 Application control Table 134 describes the application control configuration items. Table 134 Configuration items Item Description Please select a user group: Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups.
  • Page 304: Configuring Packet Filtering

    Figure 298 Bandwidth control configuration Table 135 describes the bandwidth control configuration items. Table 135 Configuration items Item Description Please select a user group: Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.
  • Page 305 Figure 299 Packet filtering configuration Table 136 describes the packet filtering configuration items. Table 136 Configuration items Item Description Please select a user group: Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.
  • Page 306: Synchronizing User Group Configuration For Wan Interfaces

    Item Description configurable. Port • If you select NotCheck as the operator, port numbers will not be checked and no ports need to be specified. • If you select Range as the operator, you must specify both start and end ports to define a port range.
  • Page 307 Figure 301 Network diagram Creating user groups staff (for common users) and manager (for the manager) Select Advanced > Security > Usergroup to enter the group configuration page. Perform the configurations as shown in Figure 302. Figure 302 Creating user groups staff and manager Enter staff as a user group name.
  • Page 308 Figure 303 Adding users to user group staff Select staff from the user group list. Select Dynamic as the add mode. The following area then displays the IP addresses and MAC addresses of all the hosts in the private network that connects to the Router. Select the entries of Host B, Host C, and Host D.
  • Page 309 After the configuration process is complete, click Close. Figure 305 Adding users to user group manager Select manager from the user group list. Select Static for Add Mode. Enter hosta as the username. Enter 192.168.1.11 as the IP address. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
  • Page 310 Figure 306 Configuring access control for user group staff Select staff from the user group list. Select the boxes for Monday through Friday. Specify 09:00 as the start time. Specify 18:00 as the end time. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
  • Page 311 Select the From Device option, and select file p2p_default. Click Apply. Then, you can see that MSN is in the loaded applications on the lower part of the page. Configuring application control for user group staff Select Advanced > Security > Application Control from the navigation tree, and perform the configurations as shown in Figure 308.
  • Page 312 Figure 309 Configuring bandwidth control to user groups staff and manager Select the staff user group. Enter 8 for the CIR. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Select the manager user group. Enter 54 for the CIR.
  • Page 313 Figure 310 Configuring packet filtering for user group staff Select staff from the user group list. Select IP as the protocol. Select the Destination IP Address box. Enter 2.2.2.1 as the destination IP address. Enter 0.0.0.0 as the destination wildcard. Click Apply.
  • Page 314: Configuring Mstp

    Configuring MSTP Only MSR20/30/50/93X/1000 routers support this feature. As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
  • Page 315: How Stp Works

    Root port On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port.
  • Page 316 • Root path cost—Cost of the shortest path to the root bridge. • Designated bridge ID—Consisting of the priority and MAC address of the designated bridge. • Designated port ID—Designated port priority plus port name. • Message age—Age of the configuration BPDU while it propagates in the network. •...
  • Page 317 Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Root port and designated ports selection on a non-root device.
  • Page 318 Figure 312 The STP algorithm State initialization of each device. Table 139 Initial state of each device Device Port name BPDU of port {0, 0, 0, AP1} Device A {0, 0, 0, AP2} {1, 0, 1, BP1} Device B {1, 0, 1, BP2} {2, 0, 2, CP1} Device C {2, 0, 2, CP2}...
  • Page 319 BPDU of port after Device Comparison process comparison • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
  • Page 320 BPDU of port after Device Comparison process comparison After comparison: • Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU Blocked port CP2: of CP2 is elected as the optimum BPDU, and CP2 is elected...
  • Page 321: Introduction To Rstp

    However, the newly calculated configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur.
  • Page 322: Mstp Basic Concepts

    MSTP includes the following features: • MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI. MSTP divides a switched network into multiple regions, each containing multiple spanning trees •...
  • Page 323 • They have the same region name. • They have the same VLAN-to-instance mapping configuration. • They have the same MSTP revision level configuration. • They are physically linked with one another. For example, all the devices in region A0 in Figure 314 have the same MST region configuration.
  • Page 324 For example, in region D0 in Figure 314, the regional root of MSTI 1 is device B, and that of MSTI 2 is device C. Common root bridge The common root bridge is the root bridge of the CIST. In Figure 314, for example, the common root bridge is a device in region A0.
  • Page 325 Figure 315 Port roles In Figure 315, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of Device D are connected downstream to the other MST regions.
  • Page 326: How Mstp Works

    How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI (among these MSTIs, MSTI 0 is called the CIST). Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees.
  • Page 327: Recommended Mstp Configuration Procedure

    • The values of forward delay, hello time, and max age are interdependent. Incorrect settings of these values might cause network flapping. HP recommends that you set the network diameter and let the device automatically set an optimal hello time, forward delay, and max age. The settings of hello time, forward delay and max age must meet the following formulae: 2 ×...
  • Page 328 Figure 316 MST region Click Modify. The MSTP region configuration page appears, as shown in Figure 317. Figure 317 Modifying an MST region Table 142 Configuration items Item Description Region Name: MST region name. The MST region name is the bridge MAC address of the device by default. Revision Level: Revision level of the MST region.
  • Page 329: Configuring Mstp Globally

    Configuring MSTP globally From the navigation tree, select Advanced > MSTP > Global. The Global MSTP Configuration page appears, as shown in Figure 318. Figure 318 Configuring MSTP globally Table 143 Configuration items Item Description Enable or disable STP globally: •...
  • Page 330 Item Description Mode: Set the STP operating mode: • STP mode—All ports of the device send out STP BPDUs. • RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
  • Page 331 Timers: If the hello time is set too short, the device will send repeated configuration BPDUs frequently. This adds to the device burden and wastes network resources. HP recommends that you use the default setting. • Max Age—Set the maximum length of time a configuration BPDU can be held by the device.
  • Page 332: Configuring MSTP on a Port

    Configuring MSTP on a port From the navigation tree, select Advanced > MSTP > Port. The MSTP Port Configuration page appears, as shown in Figure 319. Figure 319 MSTP configuration of a port (1) Click the Operation icon for a port. The MSTP Port Configuration page of the port appears, as shown in Figure 320.
  • Page 333 Transmit Limit: The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value. In a switched network, if a port on an MSTP device connects to an STP device, this port will automatically migrate to the STP-compatible mode.
  • Page 334: MSTP Configuration Example

    MSTP configuration example Network requirements As shown in Figure 321, all routers on the network are in the same MST region. Router A and Router B work on the distribution layer. Router C and Router D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of VLAN 20 along MSTI 0.
  • Page 335 Set the revision level to 0. Select the Manual radio button. Select 1 from the Instance list. Set the VLAN ID to 10. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list.
  • Page 336 Figure 323 Configuring global MSTP parameters on Router A Configure Router B: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
  • Page 337 Click Apply to submit the settings. Configure Router D: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
  • Page 338 Ethernet0/1 ROOT FORWARDING NONE Ethernet0/2 ALTE DISCARDING NONE Ethernet0/3 ALTE DISCARDING NONE Ethernet0/1 ROOT FORWARDING NONE Ethernet0/2 ALTE DISCARDING NONE Ethernet0/3 ROOT FORWARDING NONE Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 324.
  • Page 339: Configuring RADIUS

    RADIUS provides access authentication, authorization, and accounting services. The accounting function collects and records network resource usage information. For more information about RADIUS and AAA, see HP MSR Router Series Configuration Guides (V5). Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
  • Page 340: Configuring Common Parameters

    Figure 326 RADIUS scheme configuration page Configure the parameters, as described in Table 146. Click Apply. Table 146 Configuration items Item Description Scheme Name: Enter a name for the RADIUS scheme. Common Configuration: Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets.
  • Page 341 Figure 327 Common configuration Configure the parameters, as described in Table 147. Table 147 Configuration items Item Description Server Type: Select the type of the RADIUS servers supported by the device: • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
  • Page 342 Item Description Username Format: Select the format of usernames to be sent to the RADIUS server: Original format, With domain name, or Without domain name. Typically, a username is in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to...
  • Page 343: Adding RADIUS Servers

    RADIUS server. RADIUS Packet Source IP HP recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
  • Page 344: RADIUS Configuration Example

    Figure 328 RADIUS server configuration Configure the parameters, as described in Table 148. Click Apply. You can repeat the above steps to configure multiple RADIUS servers for the RADIUS scheme. Table 148 Configuration items Item Description Server Type: Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
  • Page 345 Enter 1812 and 1813 as the ports for authentication and accounting, respectively. Select Device Management Service as the service type. Select HP as the access device type. Select the access device from the device list, or manually add the device with the IP address of 10.1.1.2.
  • Page 346 Figure 330 Adding an access device Add a user account: Log in to IMC: Click the User tab. Select Access User View > All Access Users from the navigation tree. Click Add. Enter hello@bbb as the username. Enter abc as the password and confirm the password. Select Telnet as the service type.
  • Page 347 Figure 331 Adding an account for device management Configuring the router Configure the IP address of each interface. (Details not shown.) Configure a RADIUS scheme: Select Advanced > RADIUS from the navigation tree. Click Add. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server type, select Without domain name for the username format.
  • Page 348 To add the primary accounting server, click Add again in the RADIUS Server Configuration area. Select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter 1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply. The RADIUS scheme configuration page refreshes and the added servers appear in the server list.
  • Page 349 Use either approach to configure the AAA methods for domain bbb: Configure the same scheme for authentication and authorization in domain bbb because RADIUS authorization information is included in the authentication response message. [Router] domain bbb [Router-isp-bbb] authentication login radius-scheme system [Router-isp-bbb] authorization login radius-scheme system [Router-isp-bbb] accounting login radius-scheme system [Router-isp-bbb] quit...
  • Page 350 If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured.
  • Page 351: Configuring Login Control

    Configuring login control The login control feature allows you to control Web or Telnet logins by IP address and login type. Configuration procedure Select Advanced > Access from the navigation tree. The login control configuration page appears. The upper part of the page allows you to configure login control rules, and the lower part displays existing login control rules.
  • Page 352: Login Control Configuration Example

    Login control configuration example Network requirements As shown in Figure 336, configure login control rules so Host A cannot Telnet to Router, and Host B cannot access Router through the Web. Figure 336 Network diagram Configuring a login control rule so Host A cannot Telnet to Router Select Advanced >...
  • Page 353: Configuring A Login Control Rule So Host B Cannot Access Router Through The Web

    Click OK. A configuration progress dialog box appears, as shown in Figure 338. Figure 338 Configuration progress dialog box After the setting is complete, click Close. Configuring a login control rule so Host B cannot access Router through the Web From the navigation tree, select Advanced >...
  • Page 354 Figure 339 Configuring a login control rule so Host B cannot access Router through the Web...
  • Page 355: Configuring ARP

    In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. For more information about ARP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 356: Creating a Static ARP Entry

    Creating a static ARP entry From the navigation tree, select Advanced > ARP Management > ARP Table. The ARP table management page appears, as shown in Figure 340. Click Add. The New Static ARP Entry page appears. Figure 341 Adding a static ARP entry Configure the parameters as described in Table 151.
  • Page 357: Enabling Learning of Dynamic ARP Entries

    Enabling learning of dynamic ARP entries From the navigation tree, select Advanced > ARP Management > Dynamic Entry. The dynamic entry management page appears, as shown in Figure 342. Figure 342 Managing dynamic entries To disable all the listed interfaces from learning dynamic ARP entries, click Disable all. •...
  • Page 358: Configuring Gratuitous ARP

    If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the number of dynamic ARP entries that the interface can learn restores the default. Configuring gratuitous ARP From the navigation tree, select Advanced > ARP Management > Gratuitous ARP. The gratuitous ARP configuration page appears, as shown in Figure 344.
  • Page 359 Figure 345 Network diagram Configuring static ARP Create VLAN 10 and VLAN-interface 10: From the navigation tree, select Interface Setup > LAN Interface Setup. The default VLAN Setup page appears. Select the Create option, as shown in Figure 346. Enter 10 for VLAN IDs. Select the Create VLAN Interface box.
  • Page 360 Select Ethernet0/1 from the list. Click Add to bring up the configuration progress dialog box, as shown in Figure 348. After the configuration process is complete, click Close. Figure 347 Adding Ethernet 0/1 to VLAN 10 Figure 348 The configuration progress dialog box Configure the IP address of VLAN-interface 10: Click the VLAN Interface Setup tab.
  • Page 361 Figure 349 Configuring the IP address of VLAN-interface 10 Create a static ARP entry: From the navigation tree, select Advanced > ARP Management > ARP Table and click Add. Enter 192.168.1.1 for IP Address as shown in Figure 350. Enter 00e0-fc01-0000 for MAC Address. Select the Advanced Options box.
  • Page 362 View information about static ARP entries: After the previous configuration is complete, the page returns to display ARP entries. Select Type for Search. Enter Static. Click Search. You can view the static ARP entries of Router A, as shown in Figure 351.
  • Page 363: Configuring ARP Attack Protection

    Configuring ARP attack protection Overview ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. ARP attacks and viruses threaten LAN security. The device can provide the following features to detect and prevent such attacks. Periodic sending of gratuitous ARP packets Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time.
  • Page 364: Configuring ARP Automatic Scanning

    Figure 352 Configuring Gratuitous ARP sending Table 153 Configuration items Item Description Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent. To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list and click <<.
  • Page 365: Configuring Fixed ARP

    Figure 353 Configuring ARP Scanning Table 154 Configuration items Item Description Interface Specify the interface on which ARP automatic scanning is to be performed. Enter the address range for ARP automatic scanning. • To reduce the scanning time, you can specify the address range for scanning. If the specified address range covers multiple network segments of the interface's addresses, the sender IP address in the ARP request is the Start IP Address...
  • Page 366 The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static. Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are changed into static, new dynamic ARP entries might be created (suppose the number is M) and some of the dynamic ARP entries might be aged out (suppose the number is N).
  • Page 367: Configuring IPsec VPN

    Even if a third party captures all exchanged data for calculating the keys, it cannot calculate the keys. For more information about IPsec and IKE, see Security Configuration Guide in HP MSR Router Series Configuration Guides (V5).
  • Page 368: Configuring an IPsec Connection

    Step Remarks Displaying IPsec VPN monitoring information: Optional. Displays configuration and status information of IPsec connections, and information of IPsec tunnels. Allows you to delete tunnels that are set up with configuration of an IPsec connection, and delete all ISAKMP SAs of all IPsec connections. Configuring an IPsec connection Select VPN >...
  • Page 369 Figure 356 Adding an IPsec connection Perform basic connection configurations as described in Table 155. Table 155 Configuration items Item Description IPsec Connection Name Enter a name for the IPsec connection. Interface Select an interface where IPsec is performed. Network Type Select a network type, site-to-site or PC-to-site.
  • Page 370 Item Description Remote Gateway: Enter the address of the remote gateway, which can be an IP address or a host name. The IP address can be a host IP address or an IP address range. If the local end is the initiator of IKE negotiation, it can have only one remote IP address and its remote IP address must match the local IP address configured on its peer.
  • Page 371 Item Description Source Address/Wildcard: • Characteristics of Traffic—Identifies traffic to be protected based on the source address/wildcard and destination address/wildcard specified. • Designated by Remote Gateway—The remote gatew