HP MSR Router Series
Web-Based Configuration Guide (V5)
Part number: 5998-8174
Software version: CMW520-R2513
Document version: 6PW106-20150808...
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an...
Contents

Web overview
Logging in to the Web interface
Logging out of the Web interface
Introduction to the Web interface
User level
Introduction to the Web-based NM functions
...
Configuration guidelines
Wireless configuration overview
Overview
Configuration task list
Configuring wireless services
Configuring wireless access service
Creating a wireless access service
...
Setting rate limiting
Wireless QoS configuration example
CAC service configuration example
Static rate limiting configuration example
Dynamic rate limiting configuration example
Configuring advanced settings
...
Application control configuration example
Webpage redirection configuration
Overview
Configuring webpage redirection
Configuring routes
Overview
Creating an IPv4 static route
Displaying the active route table
...
Configuring IP addresses excluded from dynamic allocation
Configuring a DHCP server group
DHCP configuration examples
DHCP configuration example without DHCP relay agent
DHCP relay agent configuration example
...
Configuring access control
Configuring application control
Configuring bandwidth control
Configuring packet filtering
Synchronizing user group configuration for wan interfaces
User group configuration example
Configuring MSTP
...
Configuring RADIUS authentication
Configuring LDAP authentication
Configuring AD authentication
Configuring combined authentication
Configuring a security policy
Customizing the SSL VPN user interface
Customizing the SSL VPN interface partially
...
Switching to the management level
Configuring system time
Setting the system time
Setting the time zone and daylight saving time
Configuring TR-069
TR-069 network framework
...
Basic settings
Introduction to basic settings
Local number
Call route
Basic settings
Configuring a local number
Configuring a call route
...
Configuring other parameters of a local number
Configuring advanced settings of a call route
Configuring coding parameters of a call route
Configuring other parameters for a call route
Advanced settings configuration example
...
Managing lines
FXS voice subscriber line
FXO voice subscriber line
E&M subscriber line
E&M introduction
E&M start mode
One-to-one binding between FXS and FXO voice subscriber lines
...
IVR information
Displaying IVR call states
Displaying IVR play states
About the HP MSR series Web-based Configuration Guide
Support and other resources
Contacting HP
...
Web overview

The device provides Web-based configuration interfaces for visual device management and maintenance.

Figure 1 Web-based network management operating environment

Logging in to the Web interface

Follow these guidelines when you log in to the Web interface:
• The PC in Figure 1 is the one where you configure the device, but not necessarily the Web-based...
Figure 2 Login page of the Web interface

Logging out of the Web interface

CAUTION: A logged-in user cannot automatically log out by directly closing the browser.

Click Logout in the upper-right corner of the Web interface to quit Web-based network management. The system will not save the current configuration before you log out of the Web interface.
Figure 3 Initial page of the Web interface...
(1) Navigation area (2) Title area (3) Body area

• Navigation area—Organizes the Web function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area.
• Title area—On the left, displays the path of the current configuration interface in the navigation...
Function menu | Description | User level
Interface Setup > WAN Interface Setup | Displays the configuration information of a WAN interface, and allows you to view interface statistics. | Monitor
Interface Setup > WAN Interface Setup | Allows you to modify WAN interface configuration, and clear the statistics of a WAN interface. | Configure
Function menu | Description | User level
 | Allows you to configure wireless QoS and rate limiting, and clear radio and client information. | Configure
Country Code | Displays configuration information of the country code. | Monitor
Country Code | Allows you to set the country code. | Configure
3G Information | Displays 3G modem information, UIM card... | Monitor
Function menu | Description | User level
URL Filter | Displays the information about URL filtering conditions. | Monitor
URL Filter | Allows you to add or delete URL filtering conditions. | Configure
MAC Address Filtering | Displays the information about MAC address filtering conditions. | Monitor
MAC Address Filtering | Allows you to set MAC address filtering types, add or delete MAC addresses to... | Configure
Function menu | Description | User level
Create | Allows you to create IPv4 static routes. | Configure
Remove | Allows you to delete IPv4 static routes. | Configure
User-based-sharing | Displays the IP address, mask and load sharing information of an interface. | Monitor
User-based-sharing | Allows you to modify the load sharing status and shared bandwidth of an... | Configure
Function menu | Description | User level
 | Allows you to add an IPv4 ACL. | Configure
Basic Config | Allows you to configure a basic rule for an IPv4 ACL. | Configure
Advanced Config | Allows you to configure an advanced rule for an IPv4 ACL. | Configure
Function menu | Description | User level
Policy > Summary | Displays QoS policy information. | Monitor
Policy > Create | Allows you to create a QoS policy. | Configure
Policy > Setup | Allows you to configure classifier-behavior associations. | Configure
Policy > Remove | Allows you to remove a QoS policy. | Configure
Summary | Displays QoS policy application information of a... | Monitor
Function menu | Description | User level
View | Displays the brief information of SNMP views. | Monitor
View | Allows you to create, modify, and remove an SNMP view. | Configure
Bridge > Global Config | Displays and allows you to set global bridging information. | Configure
Bridge > Config Interface | Displays and allows you to set interface bridging... | Configure
Function menu | Description | User level
 | Allows you to modify the MST region-related parameters and VLAN-to-MSTI mappings. | Configure
Port | Displays MSTP port parameters. | Monitor
Port | Allows you to modify MSTP port parameters. | Configure
Global | Displays MSTP parameters globally. | Configure
RADIUS | Displays and allows you to add, modify, and delete a... | Management
Function menu | Description | User level
 | Allows you to convert all dynamic ARP entries to static ones or delete all static ARP entries. | Configure
IPsec Connection | Displays IPsec connection configuration. | Monitor
IPsec Connection | Allows you to add, modify, delete, enable, or disable an IPsec connection. | Configure
Function menu | Description | User level
 | Displays CRLs. | Monitor
 | Allows you to retrieve CRLs. | Configure
Save | Allows you to save the current configuration to the configuration file to be used at the next startup. | Configure
Save | Allows you to save the current configuration as the factory default configuration. | Management
Function menu | Description | User level
Modify User | Allows you to modify user account. | Management
Remove User | Allows you to remove a user. | Management
Switch To Management | Allows you to switch the user access level to the management level. | Visitor
 | Displays SNMP configuration information. | Monitor
Function menu | Description | User level
Trace Route | Allows you to execute the trace route command and view the result. | Visitor
 | Displays and refreshes the WiNet topology diagram and allows you to view the detailed device information. | Monitor
 | Allows you to manually trigger the collection of WiNet topology information, save... | Management
Function menu | Description | User level
Call Authority Control | Displays call authority control configuration information, and the maximum number of call connections in a set. | Monitor
Call Authority Control | Allows you to configure call authority control, and the maximum number of call connections in a set. | Configure
 | Displays number substitution configuration information. | Monitor
Function menu | Description | User level
 | Allows you to create local numbers, call routes, and manage lines in batches. | Configure
Statistics > Call Statistics | Allows you to view and refresh active and history call statistics. | Monitor
Statistics > Call Statistics | Allows you to view and refresh active and history call statistics, and clear... | Configure
Figure 4 Content display by pages

Searching function

The Web interface provides you with the basic and advanced searching functions to display only the entries that match specific searching criteria.
• Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search item from the drop-down list and click the Search button to display the entries that match the criteria.
Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these steps:

Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 7, and click Apply.
Figure 9 Advanced searching function example (III)

Sorting function

The Web interface provides you with the basic sorting function to display entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
Task: Disable the Web-based NM service.
Command: undo ip http enable

Managing the current Web user

Task: Display the current login users.
Command: display web users

Task: Log out the specified user or all users.
Command: free web-users { all | user-id userid | user-name username }

Configuration guidelines

The Web-based configuration interface supports the operating systems of Windows XP, Windows 2000,...
Click the Security tab, and then select a Web content zone to specify its security settings, as shown in Figure 11.

Figure 11 Internet Explorer setting (I)

Click Custom Level, and a dialog box Security Settings appears. As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting.
Figure 12 Internet Explorer setting (II)

Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings

Open the Firefox Web browser, and then select Tools > Options.
Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure...
Displaying device information

When you are logged in to the Web interface, you are placed on the Device Info page. The Device Info page contains five parts, which correspond to the five tabs below the figure on the page except the Services Information and Recent System Logs tabs. When you put your cursor on a part of the figure, the system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking this part.
• If you select a specific period, the system periodically refreshes the Device Info page.
• If you select Manual, click Refresh to refresh the page.

Displaying device information

Table 3 Field description
Field | Description
Device Model | Device name.
Software Version | Software version of the device.
Field | Description
RSSI | Received signal strength indication (RSSI) of the 3G network.

Displaying LAN information

Table 6 Field description
Field | Description
Interface | Interface name.
Link State | Link state of the interface.
Work Mode | Rate and duplex mode of the interface.

Displaying WLAN information

Table 7 Field description
Field...
Managing integrated services

For devices with a card installed, if the card provides the Web interface access function, after specifying the URL address of the card on the integrated service management page, you can log in from the integrated service management page to the Web interface of the card to manage the card. When you are logged in to the Web interface, you are placed on the Device Info page.
Basic services configuration

This document guides you through quick configuration of basic services of routers, including configuring WAN interface parameters, LAN interface parameters, and WLAN interface parameters. For information about WAN interfaces, see "Configuring WAN interfaces." For information about LAN interfaces, see "Configuring VLANs."...
Ethernet interface

Figure 18 Setting Ethernet interface parameters

Table 10 Configuration items (in auto mode)
Item | Description
WAN Interface | Select the Ethernet interface to be configured.
Connect Mode: Auto | Select the Auto connect mode to automatically obtain an IP address.
 | Specify the MAC address of the Ethernet interface in either of the two ways: •...
Item | Description
DNS2 | To configure the global DNS server on the page you enter, select Advanced > DNS Setup > DNS Configuration. The global DNS server has priority over the DNS servers of the interfaces. The DNS query is sent to the global DNS server first. If the query fails, the DNS query is sent to the DNS server of the interface until the query succeeds.
SA interface

Figure 19 Setting SA parameters

Table 13 Configuration items
Item | Description
WAN Interface | Select the SA interface to be configured.
User Name | Specify the user name for identity authentication.
Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
ADSL/G.SHDSL interface

Figure 20 Setting ADSL/G.SHDSL parameters

Table 14 Configuration items (in IPoA mode)
Item | Description
WAN Interface | Select the ADSL/G.SHDSL interface to be configured.
Connect Mode: IPoA | Select the IPoA connect mode.
 | Specify the VPI/VCI value for PVC.
TCP-MSS | Set the maximum TCP segment length of an interface.
Item | Description
Connect Mode: PPPoA | Select the PPPoA connect mode.
 | Specify the VPI/VCI value for PVC.
User Name | Specify the user name for identity authentication.
Password | Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password | Specify or modify the password for identity authentication.
Figure 21 Setting CE1/PRI interface parameters (in E1 mode)

Table 18 Configuration items (in E1 mode)
Item | Description
WAN Interface | Select the CE1/PRI interface to be configured.
Work Mode: E1 | Select the E1 work mode.
User Name | Specify the user name for identity authentication.
 | Display whether a password has been specified for identity authentication.
Table 19 Configuration items (in CE1 mode)
Item | Description
WAN Interface | Select the CE1/PRI interface to be configured.
Work Mode: CE1 | Select the CE1 work mode.
Operation | Select one of the following operation actions: • Create—Binds timeslots. • Remove—Unbinds timeslots.
Serial | Select a number for the created Serial interface.
Item | Description
Serial | Select the number for the created serial interface.
Timeslot-List | Specify the timeslots to be bound or unbound.
User Name | Specify the user name for identity authentication.
Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
Item | Description
 | server if no data exchange occurs between it and the server within the specified time. After that, it automatically establishes the connection upon receiving a request for accessing the Internet from the LAN.
Idle Timeout | When Online according to the Idle Timeout value is enabled, specify an idle timeout value.
Item | Description
End IP Address | IMPORTANT: If the extended address pool is configured on an interface, when a DHCP client's request arrives at the interface, the server assigns an IP address from this extended address pool only. The client cannot obtain an IP address if no IP address is available in the extended address pool.
Item | Description
Network Name (SSID) | Specify a wireless network name.
Network Hide | Select whether to hide the network name.
Radio Unit | Select a radio unit supported by the AP, which can be 1 or 2. Which value is supported varies with device models.
 | Select whether to enable data encryption.
Figure 27 Checking the basic service configuration...
Configuring WAN interfaces

This chapter describes how to configure the following interfaces on the Web interface:
• Ethernet interfaces.
• SA interfaces.
• ADSL/G.SHDSL interfaces.
• CE1/PRI interfaces.
• CT1/PRI interfaces.

Configuring an Ethernet interface

An Ethernet interface or subinterface supports the following connection modes:
• Auto—The interface acts as a DHCP client to get an IP address through DHCP.
Figure 29 Configuring an Ethernet interface

Table 24 Configuration items (auto mode)
Item | Description
WAN Interface | Displays the name of the Ethernet interface to be configured.
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
Table 25 Configuration items (manual mode)
Item | Description
WAN Interface | Displays the name of the Ethernet interface to be configured.
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. •...
Item | Description
Password | Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication.
New Password | Set or modify the password for authentication.
TCP-MSS | Configure the TCP MSS on the interface.
MTU | Configure the MTU on the interface.
 | Set the idle timeout time for a connection: •...
Figure 30 Configuring an SA interface

Table 27 Configuration items
Item | Description
WAN Interface | Displays the name of the interface to be configured.
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
Configuring an ADSL/G.SHDSL interface

Overview

The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA.

IPoA

IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data link layer for the IP hosts on the same network to communicate with one another, and IP packets must be adapted in order to traverse the ATM network.
Figure 31 Configuring an ADSL/G.SHDSL interface

Table 28 Configuration items (IPoA)
Item | Description
WAN Interface | Displays the name of the ADSL/G.SHDSL interface to be configured.
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface.
Item | Description
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. •...
Item | Description
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. •...
Configuration procedure

To configure a CE1/PRI interface:
Select Interface Setup > WAN Interface Setup from the navigation tree.
Click the icon for the CE1/PRI interface.
Configure the CE1/PRI interface, as described in "Configuring a CE1/PRI interface in E1 mode" and "Configuring a CE1/PRI interface in CE1 mode."...
Item | Description
MTU | Configure the MTU on the interface.

Configuring a CE1/PRI interface in CE1 mode

Figure 33 Configuring a CE1/PRI interface in CE1 mode

Table 33 Configuration items (in CE1 mode)
Item | Description
WAN Interface | Displays the name of the CE1/PRI interface to be configured.
Interface Status | Display and set the interface status: •...
Item | Description
Password | Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication.
New Password | Set or modify the password for authentication.
TCP-MSS | Configure the TCP MSS on the interface.
MTU | Configure the MTU on the interface.

Configuring a CT1/PRI interface

The CT1/PRI interface supports PPP connection mode.
Table 34 Configuration items
Item | Description
WAN Interface | Displays the name of the CT1/PRI interface to be configured.
Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. •...
VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at the network layer. For more information about VLANs and VLAN interfaces, see HP MSR Router Series (V5) Layer 2—LAN Switching Configuration Guide.

Configuring a VLAN and its VLAN interface...
Step | Remarks
Configuring parameters for a VLAN interface. | Optional. Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP server function for a VLAN interface. If yes, configure the related parameters. You can also configure the DHCP server function in Advanced > DHCP Setup.
Item | Description
Only Remove VLAN Interface | Remove the VLAN interface of a VLAN without removing the VLAN.

Configuring VLAN member ports

The ports that you assign to a VLAN in the Web interface can only be set to untagged type. The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged member ports.
Figure 37 VLAN interface setup page

Table 37 Configuration items
Item | Description
VLAN ID | Select the ID of the VLAN interface you want to configure.
IP Address, Subnet Mask | Set the VLAN interface's IP address and subnet mask.
Item Description Set the MAC address of the VLAN interface: • Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in the following brackets. MAC Address • Use the customized MAC address—Manually set the MAC address of the VLAN interface.
Wireless configuration overview
The device allows you to perform the following configuration in the Web interface:
• Configuring wireless access service
• Displaying wireless access service
• Client mode
• Configuring data transmit rates
• Displaying radio
• Configuring the blacklist and white list functions
...
Configuring wireless services For more information about WLAN user access, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring wireless access service Creating a wireless access service Select Interface Setup >...
Figure 39 Creating a wireless service
Table 39 Configuration items
Item Description
Radio Unit: Radio ID, 1 or 2.
Mode: Radio mode, which depends on your device model.
Set the service set identifier (SSID). An SSID should be as unique as possible. For security, the company name should not be contained in the SSID.
Figure 40 Configuring clear type wireless service Table 40 Configuration items Item Description Wireless Service Display the selected Service Set Identifier (SSID). Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.
Figure 41 Configuring advanced settings for a clear type wireless service Table 41 Configuration items Item Description Maximum number of clients of an SSID to be associated with the same radio of the AP. Client Max Users IMPORTANT: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.
Item Description
• mac-authentication—Performs MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
Figure 42 Configuring MAC authentication Table 43 Configuration items Item Description Port Mode mac-authentication: MAC-based authentication is performed on access users. Max User Control the maximum number of users allowed to access the network through the port. MAC Authentication Select the MAC Authentication option. Select an existing domain from the list.
Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.
Figure 44 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example)
Table 45 Configuration items
Item Description
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.
Item Description • EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication. Authentication Method •...
Figure 45 Configuring crypto type wireless service Table 40 for the configuration items of basic configuration of crypto type wireless service. Configuring advanced settings for crypto type wireless service Select Interface Setup > Wireless > Access Service from the navigation tree. Click the icon for the target crypto wireless service.
Item Description
TKIP CM Time: Set the TKIP countermeasure time. By default, the TKIP countermeasure time is 0 seconds, that is, the TKIP countermeasure policy is disabled. If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is enabled. MIC is designed to avoid hacker tampering.
Table 47 Configuration items
Item Description
Authentication Type: Link authentication method, which can be:
• Open-System—No authentication. With this authentication mode enabled, all the clients will pass the authentication.
• Shared-Key—The two parties must have the same shared key configured for this authentication mode.
Item Description Table Parameters such as authentication type and encryption type determine the port mode. For details, see Table After you select the Cipher Suite option, the following four port security modes are added: • mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK Port Security to negotiate with the device.
Item Description Select an existing domain from the list. The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field. Domain •...
Click the icon for the target wireless service to enter the page as shown in Figure Figure 50 Binding an AP radio to a wireless service Select the AP radio to be bound. Click Bind. Security parameter dependencies In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are described in Table Table 50 Security parameter dependencies...
Service Authenticat Encryption Security IE encryption Port mode type ion mode type /key ID encryption is mac and psk required Selected Required The key ID userlogin-secure-ext can be 2, 3 Open-Syste or 4 m and Shared-Key encryption is required Unselected Unavailable mac-authentication The key ID...
Field Description Service Template Type Service template type. Type of authentication used. Authentication Method WLAN service of the clear type only uses open system authentication. • Disable—The SSID is advertised in beacon frames. SSID-hide • Enable—Disables the advertisement of the SSID in beacon frames. Status of service template: •...
Field Description GTK Rekey Method GTK rekey method configured: packet based or time based. Time for GTK rekey in seconds. • If Time is selected, the GTK is refreshed after a specified GTK Rekey Time(s) period of time. • If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted.
Displaying connection history information about wireless service Figure 54 Displaying the connection history information about wireless service Displaying client Displaying client detailed information Select Interface Setup > Wireless > Summary from the navigation tree. Click the Client tab to enter the Client page. Click the Detail Information tab on the page.
Table 53 Client RSSI
Field Description
Client RSSI:
—Indicates that 0 < RSSI <= 20.
—Indicates that 20 < RSSI <= 30.
—Indicates that 30 < RSSI <= 35.
—Indicates that 35 < RSSI <= 40.
—Indicates that 40 < RSSI.
Table 54 Field description
Field Description...
Field Description
4-Way Handshake State: Four-way handshake states:
• IDLE—Displayed in initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.
Group key state:
•...
Figure 56 Displaying client statistics Table 56 Field description Field Description AP Name Name of the associated access point. Radio Id Radio ID. SSID SSID of the device. BSSID MAC address of the device. MAC Address MAC Address of the client. Received signal strength indication.
Figure 57 Viewing link test information
Table 57 Field description
Field Description
No./MCS:
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.
Rate (Mbps): Rate at which the radio interface sends wireless ping frames.
TxCnt: Number of wireless ping frames that the radio interface sent.
Figure 58 Network diagram
Configuration procedure
Create a wireless service:
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add.
Figure 59 Creating a wireless service
Select the radio unit 1, set the service name to service1, and select the wireless service type clear.
Figure 61 Enabling 802.11g radio Verifying the configuration If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you can view the online clients. Configuration guidelines Follow these guidelines when you configure a wireless service: Select a correct district code.
Click Apply. After the wireless service is created, the system is automatically navigated to the wireless service page, where you can perform the VLAN settings (before this operation, select Network > VLAN and create VLAN 2 first). Figure 63 Setting the VLANs Type 2 in the VLAN (Untagged) input box.
On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3, while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two clients are in different VLANs, they cannot access each other. PSK authentication configuration example Network requirements As shown in...
Figure 67 Configuring security settings
Select the Open-System from the Authentication Type list.
Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list.
Select the Port Set option, and select psk from the Port Mode list.
Select pass-phrase from the Preshared Key list, and type key ID 12345678.
Local MAC authentication configuration example Network requirements As shown in Figure 69, perform MAC authentication on the client. Figure 69 Network diagram Configuration procedure Configure a wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. Click Add.
Figure 71 Configuring security settings Select the Open-System from the Authentication Type list. Select the Port Set option, and select mac-authentication from the Port Mode list. Select the MAC Authentication option, and select system from the Domain list. Click Apply. Enable the wireless service: Select Interface Setup >...
Figure 73 Adding a MAC authentication list Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example. Click Add. (Optional.) Enable 802.11g radio. By default, 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
Figure 75 Creating a wireless service Select radio unit 1. Set the wireless service name as mac-auth. Select the wireless service type clear. Click Apply. Configure MAC authentication: After you create a wireless service, the wireless service configuration page appears. Then you can configure MAC authentication on the Security Setup area.
Figure 77 Enabling the wireless service Select the mac-auth option. Click Enable. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
Click Add. On the page that appears, set the service name as mac, keep the default values for other parameters, and click OK. Figure 79 Adding a service Add an account: Click the User tab. Select User > All Access Users from the navigation tree. Click Add.
On the device, configure the shared key as expert, and configure the device to remove the domain name of a username before sending it to the RADIUS server. The IP address of the device is 10.18.1.1. Figure 81 Network diagram Configuring the router Configure wireless service: Select Interface Setup >...
Figure 83 Configuring security settings Enable the wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. On the page that appears, select the dot1x option, and click Enable. (Optional.) Enable 802.11g radio. By default, the 802.11g radio is enabled. Select Interface Setup >...
Figure 84 Adding access device Add a service: Click the Service tab. Select User Access Manager > Service Configuration from the navigation tree. Click Add. On the page that appears, set the service name to dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN as the Certificate Sub-Type, and click OK.
On the page that appears, enter username user, set the account name user and password dot1x, select the service dot1x, and click OK. Figure 86 Adding an account Verifying the configuration After you enter username user and password dot1x in the popup dialog box, the client can •...
Figure 88 Creating a wireless service Enable the wireless service: Select Interface Setup > Wireless > Access Service from the navigation tree. Select the 11nservice option, and click Enable. Figure 89 Enabling the wireless service (Optional.) Enable 802.11n(2.4GHZ) radio. By default, 802.11n(2.4GHZ) radio is enabled. Verifying the configuration If you select Interface Setup >...
Client mode The client mode enables a router to operate as a client to access the wireless network. Multiple hosts or printers in the wired network can access the wireless network through the router. Figure 90 Client mode Enabling the client mode Select Interface Setup >...
NOTE:
• Support for radio mode types depends on your device model.
• You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
• To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target...
Table 58 Configuration items
Item Description
AuthMode: Specify the network authentication mode, which can be:
• Open System—Open system authentication, namely, no authentication.
• Shared Key—Shared key authentication, which requires the client and the device to be configured with the same shared key.
Client mode configuration example Network requirements As shown in Figure 96, the router accesses the wireless network as a client. The Ethernet interface of the router connects to multiple hosts or printers in the wired network, and thus the wired network is connected to the wireless network through the router.
Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can check the existing wireless services in the wireless service list. Figure 98 Checking the wireless service list Connect the wireless service Click the Connect icon of the wireless service psk in the wireless service list. A SET CODE dialog box shown in Figure 99 appears.
Figure 100 Making sure the workgroup bridge is online
• You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address 000f-e2333-5510 have been successfully associated with the AP.
• The wired devices on the right (such as printers and PCs) can access the wireless network through...
Table 59 Configuration items Item Description Radio Unit Selected radios. Radio Mode Selected radio mode. Maximum radio transmission power, which varies with country codes, channels, Transmit Power radio modes and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.
Item Description Selecting the A-MPDU option enables A-MPDU. 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple Message Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the A-MPDU number of ACK frames to be used, and thus improves network throughput.
Item Description Transmit Distance Maximum coverage of a radio. Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference. • Enable—Enables ANI. •...
Configuring data transmit rates Configuring 802.11a/802.11b/802.11g rates Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab. Figure 104 Setting 802.11a/802.11b/802.11g rates Table 61 Configuration items Item Description Configure rates (in Mbps) for 802.11a. By default: •...
Supported Maximum MCS Set the maximum MCS index for 802.11n supported rates. For more information about MCS, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Make the MCS configuration the same on all APs in mesh configuration.
Figure 106 Displaying WLAN services bound to the radio The Noise Floor item in the table indicates various random electromagnetic waves during the wireless communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio (SNR) by increasing the transmit power or reducing the noise floor. Displaying detailed radio information Select Interface Setup >...
Field Description Channel used by the interface. The keyword auto means the channel is automatically selected. channel If the channel is manually configured, the field will be displayed in the format of channel configured-channel. power(dBm) Transmit power of the interface (in dBm). Received: 2 authentication frames, 2 Number of authentication and association frames received.
Configuring WLAN security When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless devices use the air as the transmission media, which means that the data transmitted by one device can be received by any other device within the coverage of the WLAN. To improve WLAN security, you can use white and black lists and user isolation to control user access and behavior.
Figure 108 Configuring dynamic blacklist
Table 64 Configuration items
Item Description
Dynamic Blacklist:
• Enable—Enables dynamic blacklist.
• Disable—Disables dynamic blacklist.
IMPORTANT: Before enabling the dynamic blacklist function, select the Flood Attack Detect option in the WIDS Setup page.
Lifetime: Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.
Table 65 Configuration items
Item Description
You can configure a static blacklist in the following two ways:
MAC Address: Select the MAC Address option, and then add a MAC address to the static blacklist.
Select Current Connect Client: If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.
Figure 111 Network diagram To configure user isolation: Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab. Figure 112 Configuring user isolation Table 67 Configuration items Item Description • Enable—Enables user isolation on the AP to isolate the clients associated with it at Layer 2.
QoS provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services. For more information about the WLAN QoS terminology and the WMM protocol, see WLAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring wireless QoS Enabling wireless QoS Select Interface Setup >...
Figure 114 Enabling Wireless QoS Click the icon in the Operation column for the desired radio in the AP list. Figure 115 Setting the SVP mapping AC Table 68 Configuration items Item Description Radio Selected radio. Select the SVP Mapping option, and then select the mapping AC to be used by the SVP service: •...
Table 69 Configuration items Item Description Users-based admission policy, namely, maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. Client Number By default, the users-based admission policy applies, with the maximum number of users being 20.
AC-VO
ECWmin cannot be greater than ECWmax. On a device operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO.
Setting EDCA parameters for wireless clients
Select Interface Setup >...
Table 73 Default EDCA parameters for clients
TXOP Limit AIFSN ECWmin ECWmax AC-BK AC-BE AC-VI AC-VO
ECWmin cannot be greater than ECWmax. If all clients operate in 802.11b radio mode, it is recommended that you set TXOPLimit to 188 and 102 for AC-VI and AC-VO.
Field Description
QoS mode: WMM indicates that QoS mode is enabled; None indicates that QoS mode is not enabled.
Radio chip QoS mode: Radio chip’s support for the QoS mode.
Radio chip max AIFSN: Maximum AIFSN allowed by the radio chip.
Radio chip max ECWmin: Maximum ECWmin allowed by the radio chip.
Field Description Ack Policy ACK policy adopted by an AC. Indicates whether an AC is controlled by CAC: Disabled indicates that the AC is not controlled by CAC, Enabled indicates that the AC is controlled by CAC. Displaying client statistics Select Interface Setup >...
Field Description Uplink CAC packets Number of uplink CAC packets. Uplink CAC bytes Number of uplink CAC bytes. Downlink CAC packets Number of downlink CAC packets. Downlink CAC bytes Number of downlink CAC bytes. Downgrade packets Number of downgraded packets. Downgrade bytes Number of downgraded bytes.
Table 76 Configuration items
Item Description
Wireless Service: Existing wireless service.
Direction: Inbound or outbound.
• Inbound—From clients to the device.
• Outbound—From the device to clients.
• Both—Includes inbound (from clients to the device) and outbound (from the device to clients).
Rate limiting mode, dynamic or static.
Figure 123 Enabling wireless QoS Select the radio unit to be configured in the list. Click the corresponding icon in the Operation column. In the Client EDCA list, select the priority type (AC_VO is taken for example here) to be modified.
Verifying the configuration If the number of existing clients in the high-priority ACs plus the number of clients requesting access is smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs, which is 10 in this example, the request is allowed. Otherwise, the request is rejected. Static rate limiting configuration example Network requirements As shown in...
Verifying the configuration
• Client 1 and Client 2 access the WLAN through an SSID named service1.
• Check that traffic from Client 1 is rate limited to around 128 kbps, and so is traffic from Client 2.
Dynamic rate limiting configuration example
Network requirements
As shown in Figure...
Verifying the configuration
Verify the following:
• When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps.
• When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can...
Configuring advanced settings Radio frequencies for countries and regions vary based on country regulations. A district code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country code or area code for a WLAN device to meet the specific country regulations. Setting a district code Select Interface Setup >...
Figure 131 Configuring channel busy test Click the icon for the target AP. Figure 132 Testing busy rate of channels Click Start to start the testing. Table 78 Configuration items Item Description Radio Unit Display the radio unit, which takes the value of 1 or 2. Radio Mode Display the radio mode of the router.
Managing a 3G modem For 3G communications, you can connect a USB 3G modem to a router through the USB interface on the MPU of the router. The 3G modem uses a user identity module (UIM) or subscriber identity module (SIM) to access the wireless networks provided by service providers.
Figure 135 3G modem information (CDMA) Table 79 3G modem information Item Description Model Model of the 3G modem. Manufacturer Manufacturer of the 3G modem. Description Description for the 3G modem. Serial Number Serial number of the 3G modem. CMII ID CMII ID of the 3G modem.
Table 80 SIM card information (WCDMA) Item Description Status of the SIM card: • SIM Status • Fault. • Absent. IMSI International Mobile Subscriber Identification number of the SIM card. Table 81 UIM card information (CDMA) Item Description State of the UIM card: •...
Item Description Service status of the 3G network: • Service Status (1xRtt) Available. • Not available. Roaming status: Roaming Status • Home. (1xRtt) • Roaming. RSSI (1xRtt) Received signal strength indication of the 3G network. Configuring the cellular interface Click the icon for the cellular interface in Figure 133.
Managing the PIN
Click PIN in Figure 136. Then you can manage the PIN.
• PIN protection is disabled.
To enable PIN protection, enter a PIN, a string of four to eight digits, and click Apply in the Enable PIN Code Protection area.
Figure 137 Managing the PIN (PIN protection disabled)
• PIN protection is enabled and the PIN is authenticated....
IP addresses are used to translate a large number of internal IP addresses. This effectively solves the IP address depletion problem. For more information about NAT, see the Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Figure 140 Configuring dynamic NAT Table 85 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Select an address translation mode: • Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address.
Configuring a DMZ host Creating a DMZ host From the navigation tree, select NAT Configuration > NAT Configuration. Click the DMZ HOST tab. The DMZ host configuration page appears. Figure 141 Creating a DMZ host Configure the parameters as described in Table Click Add.
Figure 142 Enabling DMZ host on an interface Configuring an internal server From the navigation tree, select NAT Configuration > NAT Configuration. Click the Internal Server tab. The internal server configuration page appears.
Figure 143 Configuring an internal server Configure the parameters as described in Table Click Add. Table 87 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Protocol Specify the type of the protocol carried by IP, which can be TCP or UDP. Specify the public IP address for the internal server.
Item Description Specify internal port number for the internal server. From the list, you can: • Select Other and then enter a port number. If you enter 0, all types of services are Host Port provided. That is, only a static binding between the external IP address and the internal IP address is created.
Figure 145 Configuring connection limit Configure the parameters as described in Table Click Apply. Table 89 Configuration items Item Description Enable connection limit Enable or disable connection limit. Set the maximum number of connections that can be initiated from a source IP Max Connections address.
Configuring internal hosts accessing public network Configure the IP address of each interface. (Details not shown.) Configure dynamic NAT on Ethernet 0/2: Select NAT Configuration > NAT Configuration to enter the dynamic NAT configuration page, as shown in Figure 147. Select Ethernet0/2 from the Interface list.
Figure 148 Configuring connection limit
Internal server configuration example
Network requirements
A company provides one FTP server and two Web servers for external users to access. The internal network address is 10.110.0.0/16. The company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24.
Figure 150 Configuring the FTP server
Configure Web server 1:
As shown in Figure 151, select Ethernet0/2 from the Interface list.
Select the TCP option in the Protocol field.
Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1.
Select http from the Global Port list.
Figure 151 Configuring Web server 1
Configure Web server 2:
Click Add in the internal server configuration page.
As shown in Figure 152, select Ethernet0/2 from the Interface list.
Select the TCP option in the Protocol field.
Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1.
Enter 8080 in the Global Port field.
Configuring access control Access control allows you to control access to the Internet from the LAN by setting the time range, IP addresses of computers in the LAN, port range, and protocol type. All data packets matching these criteria will be denied access to the Internet. You can configure up to ten access control policies.
Table 90 Configuration items
Item Description
Begin-End Time: Set the time range of a day for the rule to take effect. The start time must be earlier than the end time.
IMPORTANT: Set both types of time ranges or set neither of them.
Figure 154 Network diagram
Configuration procedure
# Configure an access control policy to prohibit Host A through Host C from accessing the Internet during work time.
• Select Security Setup > Access from the navigation tree.
Figure 155 Configure an access control policy
• Set the Begin-End Time to 09:00 - 18:00.
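The matching rule of the access control policy above, modelled as an added example (not HP's code): a packet is denied when it matches every field of any policy. The class and function names, the host addresses, the weekday set as the second type of time range, destination-port matching, and the inclusive start / exclusive end are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import FrozenSet, Optional

MAX_POLICIES = 10  # the page allows up to ten access control policies


@dataclass(frozen=True)
class DenyPolicy:
    """One access control policy: traffic that matches every field is denied."""
    src_first: IPv4Address
    src_last: IPv4Address
    protocol: Optional[str] = None             # "TCP", "UDP", or None for any (assumed)
    port_first: int = 1                        # destination port range (assumed)
    port_last: int = 65535
    begin: Optional[time] = None               # Begin-End Time
    end: Optional[time] = None
    weekdays: Optional[FrozenSet[int]] = None  # 0 = Monday (assumed second range type)

    def __post_init__(self):
        if self.src_first > self.src_last:
            raise ValueError("source address range is reversed")
        if not 1 <= self.port_first <= self.port_last <= 65535:
            raise ValueError("invalid port range")
        if (self.begin is None) != (self.end is None):
            raise ValueError("Begin-End Time needs both a start and an end")
        has_clock = self.begin is not None
        if has_clock != bool(self.weekdays):
            raise ValueError("set both types of time ranges or set neither of them")
        if has_clock and not self.begin < self.end:
            raise ValueError("the start time must be earlier than the end time")

    def matches(self, src, protocol, dst_port, when):
        if not self.src_first <= IPv4Address(src) <= self.src_last:
            return False
        if self.protocol is not None and protocol.upper() != self.protocol:
            return False
        if not self.port_first <= dst_port <= self.port_last:
            return False
        if self.begin is None:
            return True                        # no time range: always in force
        # Assumption: the start is inclusive and the end is exclusive.
        return when.weekday() in self.weekdays and self.begin <= when.time() < self.end


class PolicyTable:
    def __init__(self):
        self._policies = []

    def add(self, policy):
        if len(self._policies) >= MAX_POLICIES:
            raise ValueError("no more than ten access control policies")
        self._policies.append(policy)

    def denied(self, src, protocol, dst_port, when):
        """True if any policy matches, that is, the packet is denied Internet access."""
        return any(p.matches(src, protocol, dst_port, when) for p in self._policies)


def work_time_table():
    """The example above: Host A through Host C blocked from 09:00 to 18:00."""
    table = PolicyTable()
    table.add(DenyPolicy(
        src_first=IPv4Address("10.1.1.1"),     # constructed addresses for Host A..C
        src_last=IPv4Address("10.1.1.3"),
        begin=time(9, 0), end=time(18, 0),
        weekdays=frozenset(range(5)),          # Monday to Friday (constructed)
    ))
    return table


if __name__ == "__main__":
    table = work_time_table()
    monday = datetime(2015, 8, 10, 10, 30)     # a Monday
    for host in ("10.1.1.2", "10.1.1.4"):
        print(host, "denied" if table.denied(host, "tcp", 80, monday) else "permitted")
```

Because the policies only deny, a host outside every configured range or time window is permitted by default; check both edges of each range when reviewing a policy.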
Configuring URL filtering The URL filtering function allows you to deny access to certain Internet Web pages from the LAN by setting the filter types and the filtering conditions. The URL filtering function applies to only the outbound direction of WAN interfaces. Configuration procedure Select Security Setup >...
Table 92 Configuration items
Item Description
Filtering by: Set the filter type:
• Blacklist—Denies URLs that match the filtering conditions. URLs that do not match the filtering conditions are permitted.
• Whitelist—Permits URLs that match the filtering conditions. URLs that do not match the filtering conditions are denied.
Figure 158 Configure the URL filtering function...
Configuring attack protection You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure intrusion detection in the Web interface. Overview Attack protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack.
Table 93 Types of single-packet attacks
Single-packet attack Description
Fraggle: A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address.
Protection against scanning attacks
Scanning attackers usually use scanning tools to scan host addresses and ports in a network to find possible targets and the services enabled on them and to figure out the network topology, in preparation for further attacks on the target hosts. The scanning attack protection function takes effect only on incoming packets.
Step Remarks You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically.
Figure 160 Add a blacklist entry
Table 94 Configuration items
Item Description
IP Address: Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8.
Page 180
and then select the specific attack protection functions to be enabled. Then, click Apply to finish the configuration.
Figure 161 Intrusion detection configuration page
On MSR20/30/50/93X/1000 routers
Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 162.
Figure 163 Add an intrusion detection policy
Attack protection configuration examples
Attack protection configuration example for MSR900/20-1X
Network requirements
As shown in Figure 164, internal users Host A, Host B, and Host C access the Internet through Router. The network security requirements are as follows: Router always drops packets from Host D, an attacker.
Page 182
Figure 164 Network diagram
Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the following configurations, as shown in Figure 165.
Page 183
• Enter IP address 5.5.5.5, the IP address of Host D.
• Select Permanence for this blacklist entry.
• Click Apply.
• Click Add and then perform the following configurations, as shown in Figure 167:
Figure 167 Adding a blacklist entry for Host C
• Enter IP address 192.168.1.5, the IP address of Host C.
• Select Enable Attack Defense Policy.
• Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack Detection, and Add Source IP Address to the Blacklist. Clear all other options.
• Click Apply.
Verifying the configuration
• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist. Router drops all packets from Host D unless you remove Host D from the blacklist.
Page 185
Figure 170 Enabling the blacklist function
• Select the box before Enable Blacklist.
• Click Apply.
# Add blacklist entries manually.
• Click Add and then perform the following configurations, as shown in Figure 171:
Figure 171 Adding a blacklist entry for Host D
•...
Page 186
• Enter IP address 192.168.1.5, the IP address of Host C.
• Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
• Click Apply.
# Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist function for it;...
Page 187
• Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops the attack packet.
Configuring application control
You can load applications, configure a custom application, and enable application control in the Web interface.
Application control allows you to control which applications and protocols users can access on the Internet by specifying the destination IP address, protocol, operation type, and port. Application control can be based on a group of users or all users in a LAN.
Figure 174 Loading applications
Configuring a custom application
Select Security Setup > Application Control from the navigation tree, and then select the Custom Application tab to enter the custom application list page, as shown in Figure 175. Click Add to enter the page for configuring a custom application, as shown in Figure 176.
Table 96 Configuration items
Item | Description
Application Name | Specify the name for the custom application.
Protocol | Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP carried protocols.
IP Address | Specify the IP address of the server of the applications to be controlled.
Specify the port numbers of the applications to be controlled.
Application control configuration example
Network requirements
As shown in Figure 178, internal users access the Internet through Router. Configure application control on Router, so that no user can use MSN.
Figure 178 Network diagram
Configuration procedure
# Load the application control file (assume that signature file p2p_default.mtd, which can block the use of MSN, is stored on the device).
Page 192
Figure 180 Loaded applications
# Enable application control.
• Click the Application Control tab and then perform the following configurations, as shown in Figure 181.
Figure 181 Configuring application control
• Select MSN from the Loaded Applications area.
• Click Apply.
•...
Configuring webpage redirection
CAUTION: Webpage redirection is ineffective on the interface with the portal function enabled. HP recommends not configuring both functions on an interface.
Select Advanced > Redirection from the navigation tree to enter the page shown in Figure 182.
Page 194
Table 97 Configuration items
Item | Description
Interface | Select an interface on which webpage redirection is to be enabled.
Redirection URL | Type the address of the webpage to be displayed, which means the URL to which the web access request is redirected. For example, http://192.0.0.1.
Interval | Type the time interval at which webpage redirection is triggered.
You can manually configure routes. Such routes are called static routes. For more information about the routing table and static routes, see Layer 3—IP Routing Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Creating an IPv4 static route
Select Advanced >...
Figure 184 Static route configuration page
Configure static routes as described in Table 98.
Table 98 Configuration items
Item | Description
Destination IP Address | Enter the destination IP address of the static route, in dotted decimal notation.
Mask | Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
Figure 185 Active route table
Table 99 Field description
Field | Description
Destination IP Address | Destination IP address of the route.
Mask | Mask of the destination IP address.
Protocol | Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols.
Preference | Preference for the route.
Figure 186 Network diagram
Configuration considerations
Configure a default route with Router B as the next hop on Router A. On Router B, configure one static route with Router A as the next hop and the other with Router C as the next hop.
Page 199
Select Advanced > Route Setup from the navigation tree of Router B. Click the Create tab. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop. Click Apply. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop. Click Apply.
If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint networks, the IP address-to-link layer address mapping must be established. HP recommends specifying the next hop when you configure it as the output interface.
Configuring user-based load sharing
You can configure user-based load sharing through the Web interface.
Overview
A routing protocol can have multiple equal-cost routes to the same destination. These routes have the same preference, and are all used to accomplish load sharing if no route with a higher preference is available.
Page 202
Table 100 Configuration items
Item | Description
Interface | This field displays the name of the interface on which user-based load sharing is configured.
Status of user-based-sharing | Set whether or not to enable user-based load sharing on the interface.
Bandwidth | Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface.
Configuring traffic ordering
You can do the following to configure traffic ordering on the Web interface:
• Setting the traffic ordering interval
• Specifying the traffic ordering mode
• Displaying internal interface traffic ordering statistics
• Displaying external interface traffic ordering statistics
Overview
When multiple packet flows (classified by their source addresses) are received or sent by a device, you can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound...
Setting the traffic ordering interval
Select Advanced > Traffic Ordering from the navigation tree to enter the default configuration page. You can set the interval for collecting traffic statistics in the lower part of the page.
Figure 190 Traffic ordering configuration page
Specifying the traffic ordering mode
Select Advanced >...
Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and then click Refresh to display the list as needed.
Figure 191 Internal interface traffic ordering statistics page
Displaying external interface traffic ordering statistics
Select Advanced >...
IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the DNS server translate them into correct IP addresses. For more information about DNS, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Configuring DNS proxy
Task | Remarks
Enabling DNS proxy | Required. Enable DNS proxy on the device. Disabled by default.
Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers.
Enabling dynamic domain name resolution
From the navigation tree, select Advanced >...
Clearing the dynamic domain name cache
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 193. Select the Clear Dynamic DNS cache box. Click Apply.
Specifying a DNS server
From the navigation tree, select Advanced >...
Table 102 Configuration items
Item | Description
DNS Domain Name Suffix | Configure a domain name suffix.
Click Apply.
Domain name resolution configuration example
Network requirements
As shown in Figure 196, Router B serves as a DNS client and Router A is specified as a DNS server. Dynamic domain name resolution and the domain name suffix are configured on Router B, and therefore Router B can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/24.
Page 210
Figure 197 Creating a zone
Create a mapping between the host name and the IP address: In Figure 198, right-click zone com. Select New Host to bring up a dialog box as shown in Figure 199. Enter host name host and IP address 3.1.1.1.
Figure 198 Adding a host...
Page 211
Figure 199 Adding a mapping between domain name and IP address Configuring the DNS proxy (Router A) Enable DNS proxy on Router A: From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 200.
Page 212
Figure 201 Specifying a DNS server address Configuring the DNS client (Router B) Enable dynamic domain name resolution: From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 202. Select Enable for Dynamic DNS.
Page 213
Figure 203 Specifying the DNS server address
Configure the domain name suffix: Click Add Suffix to enter the page as shown in Figure 204. Enter com in DNS Domain Name Suffix. Click Apply.
Figure 204 Configuring DNS domain name suffix
Verifying the configuration
Select Other >...
Configuring DDNS
Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client.
• Specify the primary IP address of the interface and make sure the DDNS server and the interface...
Item | Description
Settings
Server Name | Specify the server name of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org.
Page 217
Figure 208 Network diagram
Configuring DDNS on the router
Before configuring DDNS on Router, register at http://www.3322.org/ (username steven and password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and make sure the devices are reachable to each other.
Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1.
Page 218
After the preceding configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent, as shown in Figure 211.
Figure 211 A typical DHCP relay agent application
For more information about DHCP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Recommended configuration procedure Configuring the DHCP server Task Remarks Required. Configuration guidelines Enable DHCP globally. Disabled by default. Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default. Configuring the DHCP server on an IMPORTANT: interface The DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface.
Task | Remarks
Configuring a DHCP server group | Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all the DHCP servers of the group.
Item | Description
DHCP server group | Correlate the relay agent interface with a DHCP server group. You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection.
Configuring a static address pool for the DHCP server
Select Advanced >...
Page 224
Figure 214 Static address pool setup for the DHCP server
Configure the static address pool for the DHCP server as described in Table 106. Click Apply.
Table 106 Configuration items
Item | Description
Pool Name | Name of the static DHCP address pool.
Address Allocation | Specify the static address allocation mode for the DHCP address pool.
Item | Description
IP Address, Subnet Mask | IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified. IMPORTANT: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts might occur, and the client cannot obtain the IP address.
Page 226
Figure 215 Dynamic address pool setup for the DHCP server
Configure the dynamic address pool for the DHCP server as described in Table 107. Click Apply.
Table 107 Configuration items
Item | Description
Pool Name | Name of the dynamic DHCP address pool.
Address Allocation Mode: | Specify the dynamic address allocation mode for the DHCP address pool.
Item | Description
Subnet Mask | IMPORTANT: Make sure the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation.
Lease Duration | Specify the lease for IP addresses to be assigned. NOTE: •...
Figure 216 IP address excluded from dynamic allocation setup
Configure IP addresses excluded from dynamic allocation as described in Table 108. Click Apply.
Table 108 Configuration items
Item | Description
Start IP Address | Specify the lowest IP address excluded from dynamic allocation.
Specify the highest IP address excluded from dynamic allocation.
Figure 217 DHCP server group setup
Configure DHCP server group as described in Table 109. Click Apply.
Table 109 Configuration items
Item | Description
Group ID | DHCP server group ID. You can create at most 20 DHCP server groups.
Server IP Address | Specifies the DHCP server IP addresses for the DHCP server group. IMPORTANT: The IP address of a DHCP server cannot be on the same network segment as that of the...
DHCP configuration example without DHCP relay agent
Network requirements
The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25 respectively.
Page 231
Figure 219 Enabling DHCP Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on interface Ethernet 0/1. Details not shown.) Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B: Click the DHCP Interface Setup tab.
Page 232
Figure 220 DHCP static address pool configuration Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS server address): Enter pool0 in the Pool Name field, as shown in Figure 221. Select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.1.1.0 in the IP Address field and select the Subnet Mask box, and then enter 255.255.255.0.
Page 233
Figure 221 DHCP address pool 0 configuration
Configure DHCP address pool 1 (including the address range, lease duration, and gateway address): Enter pool1 in the Pool Name field, as shown in Figure 222. Select Dynamic Allocation in the Address Allocation Mode field. Enter 10.1.1.0 in the IP Address field.
Page 234
Figure 222 DHCP address pool 1 configuration Configure DHCP address pool 2 (including the address range, lease duration and gateway IP address): Enter pool2 in the Pool Name field, as shown in Figure 223. Select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.1.1.128 in the IP Address field.
Page 235
Figure 223 DHCP address pool 2 configuration Exclude IP addresses from dynamic allocation (DNS server and gateway addresses): Expand the Forbidden IP Addresses node. Enter 10.1.1.2 in the Start IP Address field, enter 10.1.1.2 in the End IP Address field, click Apply, enter 10.1.1.126 in the Start IP Address field, as shown in Figure 224, enter...
Page 236
Figure 224 Excluding IP addresses from dynamic allocation Configuring the DHCP client (Router B) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree, and then click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list.
Figure 225 Enabling the DHCP client on interface Ethernet 0/1
DHCP relay agent configuration example
Network requirements
Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients reside. Ethernet 0/1 has IP address 10.10.1.1/24, and Ethernet 0/2, which connects to the DHCP server 10.1.1.1/24 (Router B), has IP address 10.1.1.2/24.
Page 238
Select the Enable option in the DHCP field. Click Apply. Figure 227 DHCP enable Create a DHCP server group: Click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list. Select the Relay option in the Type field. Expand the Add DHCP Server Group node. Enter 1 in the Group ID field.
Page 239
Select 1 from the DHCP Server Group list. Click Apply.
Figure 229 The page for enabling the DHCP relay agent on interface Ethernet 0/1
Configuring the DHCP server (Router B)
Specify addresses for interfaces. (Details not shown.)
Enable DHCP: Select Advanced > DHCP Setup from the navigation tree of Router B. The default DHCP Enable tab appears, as shown in Figure 230.
Page 240
Enter pool1 in the Pool Name field and select the Dynamic Allocation option in the Address Allocation Mode field. Enter 10.10.1.0 in the IP Address field, select the Subnet Mask box, and then enter 255.255.255.0. Set the Lease Duration to 7 days, 0 hours, and 0 minutes. Select the Domain Name box, and then enter aabbcc.com.
Page 241
Figure 232 IP address excluded from dynamic allocation configuration Configure the DHCP client (Router C) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree. Click the DHCP Interface Setup tab. Select Ethernet0/1 in the Interface field. Select the Client option in the Type field.
Page 242
Figure 233 Enabling the DHCP client on interface Ethernet 0/1...
header ACLs | 4000 to 4999 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
For more information about IPv4 ACL, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Recommended IPv4 ACL configuration procedure
Step | Remarks
Required.
Configuration guidelines
When you configure an ACL, follow these guidelines:
• You cannot create a rule with or modify a rule to have the same permit/deny statement as an existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When you...
Configuring a rule for a basic IPv4 ACL
Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Basic Config tab to enter the rule configuration page for a basic IPv4 ACL.
Figure 235 The page for configuring a basic IPv4 ACL
Table 112 Configuration items
Item | Description
Item | Description
Check Logging | Select this box to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
Source IP Address | Select the Source IP Address box, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
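How a source address and source wildcard select packets, and how rules in an ACL with the config match order are evaluated, can be checked offline before the rules are typed into the Basic Config page. The following is an added example, not code from the HP guide: the rule set is constructed, wildcard bits set to 1 are treated as "do not care", and config order is taken to mean ascending rule ID. What happens to a packet that matches no rule depends on the feature that references the ACL, so the evaluator returns None in that case.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: str      # source IPv4 address, dotted decimal
    wildcard: str    # source wildcard, dotted decimal (1 bits are ignored)


def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _care_bits(rule):
    """Bits of the source address that the rule actually compares."""
    return ~_u32(rule.wildcard) & 0xFFFFFFFF


def rule_matches(rule, src_ip):
    care = _care_bits(rule)
    return (_u32(src_ip) & care) == (_u32(rule.source) & care)


def evaluate(rules, src_ip):
    """Return (rule_id, action) of the first matching rule, or None."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(rule, src_ip):
            return rule.rule_id, rule.action
    return None


def wildcard_to_prefix(wildcard):
    """Prefix length for a contiguous wildcard, None for a non-contiguous one."""
    w = _u32(wildcard)
    if w & (w + 1):          # a contiguous wildcard has the form 2**k - 1
        return None
    return 32 - w.bit_length()


def shadowed_rules(rules):
    """List (rule_id, earlier_rule_id) pairs where the later rule can never match."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            care = _care_bits(earlier)
            # The earlier rule covers the later one if it compares a subset of
            # the later rule's bits and agrees with it on every one of them.
            if (care & ~_care_bits(later)) == 0 and \
                    (_u32(earlier.source) & care) == (_u32(later.source) & care):
                found.append((later.rule_id, earlier.rule_id))
                break
    return found


# Constructed rule set for illustration only.
SAMPLE_ACL = [
    Rule(0, "deny", "192.168.1.5", "0.0.0.0"),           # one host
    Rule(5, "permit", "192.168.1.0", "0.0.0.255"),       # 192.168.1.0/24
    Rule(10, "deny", "0.0.0.0", "255.255.255.255"),      # any source
    Rule(20, "permit", "192.168.1.128", "0.0.0.127"),    # never reached
]

if __name__ == "__main__":
    for ip in ("192.168.1.5", "192.168.1.77", "8.8.8.8"):
        print(ip, evaluate(SAMPLE_ACL, ip))
    print("shadowed:", shadowed_rules(SAMPLE_ACL))
```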
Page 247
Figure 236 The page for configuring an advanced IPv4 ACL...
Page 248
You can use command line interface to create advanced IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Also, when you configure advanced bandwidth limit and advanced bandwidth guarantee, the system automatically creates advanced IPv4 ACLs.
Item | Description
TCP Connection Established | Select this box to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
Page 250
You can use command line interface to create Ethernet frame header IPv4 ACLs. For more information, see ACL and QoS Configuration Guide in HP MSR Router Series Configuration Guides (V5). Select the Rule ID box, and enter a number for the rule.
Page 251
Item | Description
Action | Select the action to be performed for IPv4 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Source MAC Address | Select the Source MAC Address box, and enter a source MAC address and wildcard.
Configuring QoS
The Web interface provides the following QoS configuration functions:
• Configuring subnet limit
• Configuring advanced limit
• Configuring advanced queue
Overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This is because the latter two functions work at the IP layer and do not take effect on packets that the IP layer does not process.
• Bandwidth guarantee—When congestion occurs on a port, class-based queuing (CBQ) classifies packets into different classes according to user-defined match criteria and assigns these classes to their queues.
Table 115 Configuration items
Item | Description
Start Address, End Address | Set the address range of the subnet where rate limit is to be performed.
Interface | Specify the interface to which the subnet limit is to be applied.
Set the average traffic rate allowed.
Set the rate limit method: •...
Page 256
Table 116 Configuration items
Item | Description
Description | Configure a description for the advanced limit policy for management sake.
Interface | Specify the interface to which the advanced limit is to apply.
Direction | Set the direction where the rate limit applies:
• Download—Limits the rate of incoming packets of the interface.
Configuring advanced queue
To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for these interfaces.
Configuring interface bandwidth
Select Advanced >...
Description Set the average traffic rate allowed for the interface. HP recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link. If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ enqueues packets is 1000000 kbps.
Page 259
Figure 243 Creating a bandwidth guarantee policy Table 118 Configuration items Item Description Description Configure a description for the bandwidth guarantee policy for management sake.
Page 260
Item | Description
Queue Type | Set the service class queue type:
• EF (Expedited Forwarding)—Provides absolutely preferential queue scheduling for the EF service so as to ensure low delay for real-time data traffic. At the same time, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
QoS configuration examples
Subnet limit configuration example
Network requirements
As shown in Figure 244, limit the rate of packets leaving Ethernet 1/1 of Router. Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.
Enter 2.1.1.100 in the End Address field. Select interface Ethernet 1/1. Enter 5 in the CIR field. Select Per IP in the Type list. Select Upload from the Direction list. Click Apply.
Advanced queue configuration example
Network requirements
As shown in Figure 246, data traffic from Router C reaches Router D by the way of Router A and then Router B.
Page 263
Figure 247 Configuring assured forwarding
Enter the description test-af. Select AF (Assured Forwarding) in the Queue Type list. Select interface Ethernet0/0. Enter 40 in the Bandwidth field. Enter 10, 18 in the DSCP field. Click Apply.
# Perform EF for traffic with DSCP field EF.
Select Advanced >...
Page 264
Figure 248 Configuring expedited forwarding Enter the description test-ef. Select EF (Expedited Forwarding) in the Queue Type list. Select interface Ethernet0/0. Enter 240 in the Bandwidth field. Enter 46 in the DSCP field. Click Apply. After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in the network.
Appendix Packet precedences
IP precedence and DSCP values
Figure 249 DS field and ToS field
As shown in Figure 249, the ToS field of the IP header contains 8 bits: the first 3 bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is represented by the first 6 bits (0 to 5) and is in the range 0 to 63.
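The bit layout described above can be worked through on a captured IPv4 header to see which value to enter in the DSCP field of a bandwidth guarantee policy. The following is an added example, not part of the HP guide: the header bytes are constructed, the function names are illustrative, the cs1 to cs7 names for the class selector code points are the standard RFC 2474 ones rather than values shown on this page, and the POLICIES mapping mirrors the test-af and test-ef policies from the advanced queue example.

```python
# Constructed 20-byte IPv4 header: version/IHL 0x45, ToS/DS byte 0xb8,
# source 192.168.1.5, destination 1.1.1.2 (checksum left as zero).
SAMPLE_HEADER = bytes.fromhex("45b8005400004000400100" "00c0a8010501010102")

# DSCP values taken from the advanced queue configuration example.
POLICIES = {"test-af": {10, 18}, "test-ef": {46}}


def tos_from_ipv4_header(header):
    """Return the ToS/DS byte (second byte) of a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def dscp_keyword(dscp):
    """Map a DSCP value (0 to 63) to its keyword, or None if it has none."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in the range 0 to 63")
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"cs{cls}"                  # class selector: low three bits zero
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low >> 1}"        # AFxy has the value 8x + 2y
    return None


def decode_tos(tos):
    """Split the 8-bit field into IP precedence (first 3 bits) and DSCP (first 6)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    dscp = tos >> 2
    return {
        "precedence": tos >> 5,
        "dscp": dscp,
        "dscp_bits": format(dscp, "06b"),
        "keyword": dscp_keyword(dscp),
    }


def policy_for(dscp, policies=POLICIES):
    """Name of the bandwidth guarantee policy whose DSCP list contains dscp."""
    for name, values in policies.items():
        if dscp in values:
            return name
    return None


if __name__ == "__main__":
    fields = decode_tos(tos_from_ipv4_header(SAMPLE_HEADER))
    print(fields, "->", policy_for(fields["dscp"]))
```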
Page 266
DSCP value (decimal) DSCP value (binary) Keyword 011110 af33 100010 af41 100100 af42 100110 af43 001000 010000 011000 100000 101000 110000 111000 000000 be(default) 802.1p priority 802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
• send traps to the NMS when some events, such as interface state change, occur.
HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
• SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use...
Task | Remarks
Configuring an SNMP view | Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP community | Required.
Configuring the SNMP trap function | Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the...
Page 270
On the upper part of the page, you can select to enable or disable the SNMP agent function and configure parameters such as SNMP version. On the lower part of the page, you can view the SNMP statistics, which helps you understand the running status of the SNMP after your configuration.
Item | Description
Local Engine ID | Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Page 272
Figure 255 Creating an SNMP view (2) Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules, click Apply to create an SNMP view.
Figure 256 Adding rules to an SNMP view You can also click the icon corresponding to the specified view on the page as shown in Figure 253, and then you can enter the page to modify the view. Configuring an SNMP community Select Advanced >...
Table 124 Configuration items
Item | Description
Community Name | Set the SNMP community name.
Access Right | Configure SNMP NMS access right:
• Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
•...
Figure 260 Creating an SNMP group
Configure the SNMP group, as shown in Table 125.
Table 125 Configuration items
Item | Description
Group Name | Set the SNMP group name.
Select the security level for the SNMP group. The available security levels are: •...
Page 276
Figure 261 SNMP user
Click Add to enter the Add SNMP User page, as shown in Figure 262.
Figure 262 Creating an SNMP user
Configure the SNMP user, as shown in Table 126.
Table 126 Configuration items
Item | Description
User Name | Set the SNMP user name.
Item | Description
Group Name | Select an SNMP group to which the user belongs:
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
Page 278
Click Add to enter the Add Trap Target Host page, as shown in Figure 264.
Figure 264 Adding a target host of SNMP traps
Configure the SNMP traps, as shown in Table 127.
Table 127 Configuration items
Item | Description
Destination IP Address | Set the destination IP address. Select the IP address type: IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field
Item | Description
Security Level | Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the security level can only be no authentication no privacy, and cannot be modified.
Page 280
Figure 266 Network diagram Configuring the agent Enable SNMP: Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the following configuration as shown in Figure 267. Select the Enable radio box. Set the SNMP version to both v1 and v2c. Click Apply.
Page 281
Figure 268 Configuring SNMP community named public
Figure 269 Configuring SNMP community named private
Type private in the field of Community Name. Select Read and write from the Access Right list. Click Apply.
Enable Agent to send SNMP traps: Click the Trap tab and perform the following configuration as shown in Figure 270.
Page 282
Figure 270 Enabling Agent to send SNMP traps Add target hosts of SNMP traps: On the Trap tab page, click Add and perform the following configuration as shown in Figure 271. Select the destination IP address type as IPv4/Domain. Type the destination address 1.1.1.2. Type the security username public.
Create a read and write community and name it private. For more information about configuring the NMS, see the NMS manual. Verifying the configuration • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
Page 284
Figure 273 Enabling SNMP Configure an SNMP view: Click the View tab and then click Add. Perform the following configuration as shown in Figure 274. Type view1 in the field of View Name. Click Apply and enter the page of view1. Perform the following configuration as shown in Figure 275.
Page 285
Figure 275 Adding a view named view1 Select the Included radio box. Type the MIB subtree OID interfaces. Click Add. Click Apply. A configuration progress dialog box appears, as shown in Figure 276. After the configuration process is complete, click Close. Figure 276 Configuration progress dialog box Configure an SNMP group: Click the Group tab and then click Add.
Page 286
Figure 277 Configuring an SNMP group Configure an SNMP user: Click the User tab and then click Add. Perform the following configuration as shown in Figure 278. Type user1 in the User Name field. Select Auth/Pri from the Security Level list. Select group1 (Auth/Priv) from the Group Name list.
Page 287
Enable Agent to send SNMP traps: Click the Trap tab and perform the following configuration as shown in Figure 279. Select the Enable SNMP Trap box. Click Apply. Figure 279 Adding target hosts of SNMP traps Add target hosts of SNMP traps: On the Trap tab page, click Add and perform the following configuration as shown in Figure 280.
Page 288
Configuring the NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. Specify the SNMP version for the NMS as v3. Create an SNMP user user1. Enable both authentication and privacy functions. Use MD5 for authentication and DES56 for encryption.
A transparent bridging device keeps a bridge table, which contains mappings between destination MAC addresses and outbound interfaces. For more information about transparent bridging, see Layer 2—WAN Configuration Guide in HP MSR Router Series Configuration Guides (V5). Major functionalities of bridges Maintaining the bridge table A bridge relies on its bridge table to forward data.
Page 290
Figure 281 Host A sends an Ethernet frame to Host B on LAN 1 (figure labels: Host A, MAC address 00e0.fcaa.aaaa; Host B, MAC address 00e0.fcbb.bbbb; frame source address 00e0.fcaa.aaaa, destination address 00e0.fcbb.bbbb; LAN segment 1, bridge interface 1, bridge interface 2, LAN segment 2, Host C, Host D)...
Figure 283 The bridge determines that Host B is also attached to interface 1 (figure labels: frame source address 00e0.fcbb.bbbb, destination address 00e0.fcaa.aaaa; bridge table entries 00e0.fcaa.aaaa and 00e0.fcbb.bbbb)...
Page 292
Figure 285 Forwarding (figure labels: frame source address 00e0.fcaa.aaaa, destination address 00e0.fccc.cccc; bridge table entries 00e0.fcaa.aaaa, 00e0.fcbb.bbbb, 00e0.fccc.cccc, and 00e0.fcdd.dddd)...
Figure 287 The proper MAC-to-interface mapping is not found in the bridge table When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than the receiving interface. VLAN transparency VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN tags.
Figure 288 Global config Table 128 Configuration items Item Remarks Bridge Group id Set the ID of the bridge set you want to enable. Adding an interface to a bridge set Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the page shown in Figure 289.
Set the ID of the bridge set to which you want to add the interface. VLAN Transmit Enable or disable VLAN transparency on the interface. HP recommends not enabling this function on a subinterface. A VLAN interface does not support this function. Bridging configuration example...
Page 296
Figure 290 Network diagram (figure labels: Switch A, office area A; Switch B, office area B; Router A; Router B; trunk links; interfaces Eth1/1 and Eth1/2) Configuration procedure Configure Router A: # Enable bridge set 2. Select Advanced > Bridge from the navigation tree to enter the Global config page. Figure 291 Enabling bridge set 2 Enter 2 as the bridge group ID.
Page 297
Figure 292 Assigning Ethernet 1/1 to bridge set 2 and enable VLAN transparency Select Ethernet1/1 from the Interface list. Select 2 from the Bridge Group list. Select Enable from the VLAN Transmit list. Click Apply. # Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency. Figure 293 Assigning Ethernet 1/2 to bridge set 2 and enable VLAN transparency Select Ethernet1/2 from the Interface list.
Page 298
Click Apply. Configure Router B in the same way Router A is configured.
Configuring user groups You can add hosts in a LAN to a user group and perform access control, application control, bandwidth control, and packet filtering on a per user group basis. • Access control—Allows you to deny access from hosts during specific time ranges. All data packets matching these criteria will be denied access to the Internet.
Configuring a user group Select Advanced > Security > Usergroup from the navigation tree. The group configuration page appears, as shown in Figure 294. Figure 294 User group configuration Table 131 describes the user group configuration item. Table 131 Configuration item Item Description Set the name of the group to be added.
Figure 295 User configuration Table 132 describes the user configuration items. Table 132 Configuration items Item Description Please select a user group Select the group to which you want to add users. Set the mode in which the users are added. •...
Figure 296 Access control configuration Table 133 describes the access control configuration items. Table 133 Configuration items Item Description Please select a user group Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups.
Figure 297 Application control Table 134 describes the application control configuration items. Table 134 Configuration items Item Description Please select a user group Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups.
Figure 298 Bandwidth control configuration Table 135 describes the bandwidth control configuration items. Table 135 Configuration items Item Description Please select a user group Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.
Page 305
Figure 299 Packet filtering configuration Table 136 describes the packet filtering configuration items. Table 136 Configuration items Item Description Please select a user group Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.
Item Description configurable. Port • If you select NotCheck as the operator, port numbers will not be checked and no ports need to be specified. • If you select Range as the operator, you must specify both start and end ports to define a port range.
Page 307
Figure 301 Network diagram Creating user groups staff (for common users) and manager (for the manager) Select Advanced > Security > Usergroup to enter the group configuration page. Perform the configurations as shown in Figure 302. Figure 302 Creating user groups staff and manager Enter staff as a user group name.
Page 308
Figure 303 Adding users to user group staff Select staff from the user group list. Select Dynamic as the add mode. The following area then displays the IP addresses and MAC addresses of all the hosts in the private network that connects to the Router. Select the entries of Host B, Host C, and Host D.
Page 309
After the configuration process is complete, click Close. Figure 305 Adding users to user group manager Select manager from the user group list. Select Static for Add Mode. Enter hosta as the username. Enter 192.168.1.11 as the IP address. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Page 310
Figure 306 Configuring access control for user group staff Select staff from the user group list. Select the boxes for Monday through Friday. Specify 09:00 as the start time. Specify 18:00 as the end time. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Page 311
Select the From Device option, and select file p2p_default. Click Apply. You can then see that MSN is among the loaded applications in the lower part of the page. Configuring application control for user group staff Select Advanced > Security > Application Control from the navigation tree, and perform the configurations as shown in Figure 308.
Page 312
Figure 309 Configuring bandwidth control to user groups staff and manager Select the staff user group. Enter 8 for the CIR. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Select the manager user group. Enter 54 for the CIR.
Page 313
Figure 310 Configuring packet filtering for user group staff Select staff from the user group list. Select IP as the protocol. Select the Destination IP Address box. Enter 2.2.2.1 as the destination IP address. Enter 0.0.0.0 as the destination wildcard. Click Apply.
Configuring MSTP Only MSR20/30/50/93X/1000 routers support this feature. As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
Root port On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port.
Page 316
• Root path cost—Cost of the shortest path to the root bridge. • Designated bridge ID—Consisting of the priority and MAC address of the designated bridge. • Designated port ID—Designated port priority plus port name. • Message age—Age of the configuration BPDU while it propagates in the network. •...
Page 317
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge. Root port and designated ports selection on a non-root device.
Page 318
Figure 312 The STP algorithm
State initialization of each device.
Table 139 Initial state of each device
Device      Port name   BPDU of port
Device A    AP1         {0, 0, 0, AP1}
Device A    AP2         {0, 0, 0, AP2}
Device B    BP1         {1, 0, 1, BP1}
Device B    BP2         {1, 0, 1, BP2}
Device C    CP1         {2, 0, 2, CP1}
Device C    CP2         {2, 0, 2, CP2}
...
Page 319
Device Comparison process BPDU of port after comparison • Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
Page 320
BPDU of port after Device Comparison process comparison After comparison: • Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU Blocked port CP2: of CP2 is elected as the optimum BPDU, and CP2 is elected...
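The comparison process in the tables above can be replayed in code. The following Python sketch is an added example, not part of the HP guide: it models a configuration BPDU as the tuple {root bridge ID, root path cost, designated bridge ID, designated port ID}, reduces bridge IDs to the device priorities 0, 1 and 2, and uses the path costs 5, 10 and 4 that appear in the comparison text. The function and variable names are hypothetical, and timers and BPDU aging are not modeled.

```python
"""STP role calculation on the three-device example (added illustration)."""

# A configuration BPDU as the page writes it:
# (root bridge ID, root path cost, designated bridge ID, designated port ID).
# Tuples compare field by field; the smaller tuple is the superior BPDU.

# Bridge IDs reduced to the device priority, as in the page's example.
BRIDGES = {"A": 0, "B": 1, "C": 2}

# (port, peer port, path cost). The costs 5, 10 and 4 are the ones used in
# the comparison table; the first letter of a port name is its device.
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def converge(bridges, links, max_rounds=16):
    """Exchange BPDUs until nothing changes; return (roles, root costs, BPDUs).

    Simplified model: no timers, no BPDU aging, no topology changes.
    """
    ports = {}
    for a, b, cost in links:
        ports[a] = (a[0], cost, b)
        ports[b] = (b[0], cost, a)

    # Initial state: every device assumes it is the root bridge.
    stored = {p: (bridges[d], 0, bridges[d], p) for p, (d, _, _) in ports.items()}
    role = {p: "designated" for p in ports}
    root_cost = {d: 0 for d in bridges}

    def via(p):
        """Priority of the path through port p: received BPDU plus port cost."""
        root, cost, bridge, port = stored[p]
        return (root, cost + ports[p][1], bridge, port, p)

    for _ in range(max_rounds):
        before = (dict(stored), dict(role))

        # Step 1: designated ports transmit; a receiving port replaces its
        # BPDU only when the received one is superior.
        sent = {p: stored[p] for p in ports if role[p] == "designated"}
        for p, (_, _, peer) in ports.items():
            if peer in sent and sent[peer] < stored[p]:
                stored[p] = sent[peer]

        # Step 2: each device picks its root port, then decides for every
        # other port whether it is designated or blocked.
        for dev, own in bridges.items():
            mine = [p for p in ports if ports[p][0] == dev]
            heard = [p for p in mine if stored[p][2] != own]
            best = min(heard, key=via, default=None)
            if best is None or own <= stored[best][0]:
                root_id, cost, best = own, 0, None   # this device is the root
            else:
                root_id, cost = via(best)[:2]
                role[best] = "root"
            root_cost[dev] = cost
            for p in mine:
                if p == best:
                    continue
                calc = (root_id, cost, own, p)       # BPDU this port would send
                if stored[p][2] == own or calc < stored[p]:
                    stored[p], role[p] = calc, "designated"
                else:
                    role[p] = "blocked"              # the neighbor's BPDU wins

        if (stored, role) == before:
            break
    return role, root_cost, stored


if __name__ == "__main__":
    roles, costs, bpdus = converge(BRIDGES, LINKS)
    for port in sorted(roles):
        print(port, roles[port], bpdus[port])
    print("root path cost per device:", costs)
```

Lowering the AP2 to CP1 cost in `LINKS` below 9 makes CP1 the root port of Device C and moves the blocked port to BP2.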
However, the newly calculated configuration BPDU will not be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur.
MSTP includes the following features: • MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI. MSTP divides a switched network into multiple regions, each containing multiple spanning trees •...
Page 323
• They have the same region name. • They have the same VLAN-to-instance mapping configuration. • They have the same MSTP revision level configuration. • They are physically linked with one another. For example, all the devices in region A0 in Figure 314 have the same MST region configuration.
Page 324
For example, in region D0 in Figure 314, the regional root of MSTI 1 is device B, and that of MSTI 2 is device C. Common root bridge The common root bridge is the root bridge of the CIST. In Figure 314, for example, the common root bridge is a device in region A0.
Page 325
Figure 315 Port roles (figure labels: connection to the common root bridge, MST region, boundary port, master port, alternate port, backup port, designated port, ports 1 through 6) In Figure 315, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of Device D are connected downstream to the other MST regions.
How MSTP works MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI (Among these MSTIs, MSTI 0 is called the CIST). Similar to RSTP, MSTP uses configuration BPDUs to calculate spanning trees.
• The values of forward delay, hello time, and max age are interdependent. Incorrect settings of these values might cause network flapping. HP recommends that you set the network diameter and let the device automatically set an optimal hello time, forward delay, and max age. The settings of hello time, forward delay and max age must meet the following formulae: 2 ×...
Page 328
Figure 316 MST region Click Modify. The MSTP region configuration page appears, as shown in Figure 317. Figure 317 Modifying an MST region Table 142 Configuration items Item Description Region Name MST region name. The MST region name is the bridge MAC address of the device by default. Revision Level Revision level of the MST region.
Configuring MSTP globally From the navigation tree, select Advanced > MSTP > Global. The Global MSTP Configuration page appears, as shown in Figure 318. Figure 318 Configuring MSTP globally Table 143 Configuration items Item Description Enable or disable STP globally: •...
Page 330
Item Description Mode Set the STP operating mode: • STP mode—All ports of the device send out STP BPDUs. • RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
Page 331
Timers If the hello time is set too short, the device will send repeated configuration BPDUs frequently. This adds to the device burden and wastes network resources. HP recommends that you use the default setting. • Max Age—Set the maximum length of time a configuration BPDU can be held by the device.
Configuring MSTP on a port From the navigation tree, select Advanced > MSTP > Port. The MSTP Port Configuration page appears, as shown in Figure 319. Figure 319 MSTP configuration of a port (1) Click the Operation icon for a port. The MSTP Port Configuration page of the port appears, as shown in Figure 320.
Page 333
Transmit Limit The larger the transmit limit is, the more network resources will be occupied. HP recommends that you use the default value. In a switched network, if a port on an MSTP device connects to an STP device, this port will automatically migrate to the STP-compatible mode.
MSTP configuration example Network requirements As shown in Figure 321, all routers on the network are in the same MST region. Router A and Router B work on the distribution layer. Router C and Router D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of VLAN 20 along MSTI 0.
Page 335
Set the revision level to 0. Select the Manual radio button. Select 1 from the Instance list. Set the VLAN ID to 10. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list.
Page 336
Figure 323 Configuring global MSTP parameters on Router A Configure Router B: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
Page 337
Click Apply to submit the settings. Configure Router D: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
Page 338
Ethernet0/1 ROOT FORWARDING NONE
Ethernet0/2 ALTE DISCARDING NONE
Ethernet0/3 ALTE DISCARDING NONE
Ethernet0/1 ROOT FORWARDING NONE
Ethernet0/2 ALTE DISCARDING NONE
Ethernet0/3 ROOT FORWARDING NONE
Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 324.
RADIUS provides access authentication, authorization, and accounting services. The accounting function collects and records network resource usage information. For more information about RADIUS and AAA, see HP MSR Router Series Configuration Guides (V5). Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
Figure 326 RADIUS scheme configuration page Configure the parameters, as described in Table 146. Click Apply. Table 146 Configuration items Item Description Scheme Name Enter a name for the RADIUS scheme. Common Configuration Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets.
Page 341
Figure 327 Common configuration Configure the parameters, as described in Table 147. Table 147 Configuration items Item Description Server Type Select the type of the RADIUS servers supported by the device: • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
Page 342
Item Description Username Format Select the format of usernames to be sent to the RADIUS server: Original format, With domain name, or Without domain name. Typically, a username is in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to...
RADIUS server. RADIUS Packet Source IP HP recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.
Figure 328 RADIUS server configuration Configure the parameters, as described in Table 148. Click Apply. You can repeat the above steps to configure multiple RADIUS servers for the RADIUS scheme. Table 148 Configuration items Item Description Server Type Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
Page 345
Enter 1812 and 1813 as the ports for authentication and accounting, respectively. Select Device Management Service as the service type. Select HP as the access device type. Select the access device from the device list, or manually add the device with the IP address of 10.1.1.2.
Page 346
Figure 330 Adding an access device Add a user account: Log in to IMC: Click the User tab. Select Access User View > All Access Users from the navigation tree. Click Add. Enter hello@bbb as the username. Enter abc as the password and confirm the password. Select Telnet as the service type.
Page 347
Figure 331 Adding an account for device management Configuring the router Configure the IP address of each interface. (Details not shown.) Configure a RADIUS scheme: Select Advanced > RADIUS from the navigation tree. Click Add. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server type, and select Without domain name for the username format.
Page 348
To add the primary accounting server, click Add again in the RADIUS Server Configuration area, select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter 1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply. The RADIUS scheme configuration page refreshes and the added servers appear in the server list.
Use either approach to configure the AAA methods for domain bbb: Configure the same scheme for authentication and authorization in domain bbb because RADIUS authorization information is included in the authentication response message.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit
...
Page 350
If you remove an authentication or accounting server in use, the communication of the device with the server will soon time out, and the device will look for a server in the active state by checking any primary server first and then the secondary servers in the order they are configured.
Configuring login control The login control feature allows you to control Web or Telnet logins by IP address and login type. Configuration procedure Select Advanced > Access from the navigation tree. The login control configuration page appears. The upper part of the page allows you to configure login control rules, and the lower part displays existing login control rules.
Login control configuration example Network requirements As shown in Figure 336, configure login control rules so Host A cannot Telnet to Router, and Host B cannot access Router through the Web. Figure 336 Network diagram Configuring a login control rule so Host A cannot Telnet to Router Select Advanced >...
Click OK. A configuration progress dialog box appears, as shown in Figure 338. Figure 338 Configuration progress dialog box After the setting is complete, click Close. Configuring a login control rule so Host B cannot access Router through the Web From the navigation tree, select Advanced >...
Page 354
Figure 339 Configuring a login control rule so Host B cannot access Router through the Web...
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. For more information about ARP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Creating a static ARP entry From the navigation tree, select Advanced > ARP Management > ARP Table. The ARP table management page appears, as shown in Figure 340. Click Add. The New Static ARP Entry page appears. Figure 341 Adding a static ARP entry Configure the parameters as described in Table 151.
Enabling learning of dynamic ARP entries From the navigation tree, select Advanced > ARP Management > Dynamic Entry. The dynamic entry management page appears, as shown in Figure 342. Figure 342 Managing dynamic entries • To disable all the listed interfaces from learning dynamic ARP entries, click Disable all. •...
If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the number of dynamic ARP entries that the interface can learn restores the default. Configuring gratuitous ARP From the navigation tree, select Advanced > ARP Management > Gratuitous ARP. The gratuitous ARP configuration page appears, as shown in Figure 344.
Page 359
Figure 345 Network diagram Configuring static ARP Create VLAN 10 and VLAN-interface 10: From the navigation tree, select Interface Setup > LAN Interface Setup. The default VLAN Setup page appears. Select the Create option, as shown in Figure 346. Enter 10 for VLAN IDs. Select the Create VLAN Interface box.
Page 360
Select Ethernet0/1 from the list. Click Add to bring up the configuration progress dialog box, as shown in Figure 348. After the configuration process is complete, click Close. Figure 347 Adding Ethernet 0/1 to VLAN 10 Figure 348 The configuration progress dialog box Configure the IP address of VLAN-interface 10: Click the VLAN Interface Setup tab.
Page 361
Figure 349 Configuring the IP address of VLAN-interface 10 Create a static ARP entry: From the navigation tree, select Advanced > ARP Management > ARP Table and click Add. Enter 192.168.1.1 for IP Address as shown in Figure 350. Enter 00e0-fc01-0000 for MAC Address. Select the Advanced Options box.
Page 362
View information about static ARP entries: After the previous configuration is complete, the page returns to display ARP entries. Select Type for Search. Enter Static. Click Search. You can view the static ARP entries of Router A, as shown in Figure 351.
Configuring ARP attack protection Overview ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. ARP attacks and viruses threaten LAN security. The device can provide the following features to detect and prevent such attacks. Periodic sending of gratuitous ARP packets Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time.
Figure 352 Configuring Gratuitous ARP sending Table 153 Configuration items Item Description Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent. To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list and click <<.
Figure 353 Configuring ARP Scanning Table 154 Configuration items Item Description Interface Specify the interface on which ARP automatic scanning is to be performed. Enter the address range for ARP automatic scanning. • To reduce the scanning time, you can specify the address range for scanning. If the specified address range covers multiple network segments of the interface's addresses, the sender IP address in the ARP request is the Start IP Address...
Page 366
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries into static. Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are changed into static, new dynamic ARP entries might be created (suppose the number is M) and some of the dynamic ARP entries might be aged out (suppose the number is N).
Even if a third party captures all exchanged data for calculating the keys, it cannot calculate the keys. For more information about IPsec and IKE, see Security Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Step Remarks Displaying IPsec VPN monitoring information Optional. Displays configuration and status information of IPsec connections, and information of IPsec tunnels. Allows you to delete tunnels that are set up with configuration of an IPsec connection, and delete all ISAKMP SAs of all IPsec connections. Configuring an IPsec connection Select VPN >...
Page 369
Figure 356 Adding an IPsec connection Perform basic connection configurations as described in Table 155. Table 155 Configuration items Item Description IPsec Connection Name Enter a name for the IPsec connection. Interface Select an interface where IPsec is performed. Network Type Select a network type, site-to-site or PC-to-site.
Page 370
Item Description Remote Gateway Enter the address of the remote gateway, which can be an IP address or a host name. The IP address can be a host IP address or an IP address range. If the local end is the initiator of IKE negotiation, it can have only one remote IP address and its remote IP address must match the local IP address configured on its peer....
Page 371
Item Description • Characteristics of Traffic—Identifies traffic to be protected based on the source address/wildcard and destination address/wildcard specified. • Designated by Remote Gateway—The remote gateway determines the data to be protected. Source Address/Wildcard, Destination Address/Wildcard IMPORTANT: • To make sure SAs can be set up, configure the source address/wildcard on one peer as the destination address/wildcard on the other, and the destination address/wildcard on one peer as the source address/wildcard on the other....
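The mirroring requirement in the IMPORTANT note above can be checked before the two peers are configured. The following Python sketch is an added example, not part of the HP guide: it assumes the wildcard is an inverse mask (a 0 bit must match, a 1 bit is ignored), which is consistent with the guide's use of wildcard 0.0.0.0 to match the single host 2.2.2.1, and it compares the selectors of two peers. The function names, the dictionary layout and the sample addresses are constructed for illustration.

```python
"""Check that two IPsec peers' traffic selectors mirror each other (added example)."""
import ipaddress

FULL = 0xFFFFFFFF


def pattern(address, wildcard):
    """Normalize address/wildcard to (value, care mask).

    Assumption: the wildcard is an inverse mask, so bits set in it are
    ignored and the address is reduced to the bits that must match.
    """
    addr = int(ipaddress.IPv4Address(address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & FULL
    return addr & care, care


def relation(a, b):
    """Compare the address sets of two patterns, a relative to b."""
    (va, ca), (vb, cb) = a, b
    if (va ^ vb) & ca & cb:
        return "disjoint"               # they disagree on a bit both care about
    a_in_b = (cb & ~ca & FULL) == 0     # every bit b checks, a checks too
    b_in_a = (ca & ~cb & FULL) == 0
    if a_in_b and b_in_a:
        return "same"
    if a_in_b:
        return "narrower"
    if b_in_a:
        return "wider"
    return "overlapping"


def check_mirror(local, remote):
    """Return a list of (local field, remote field, relation) that are not mirrored.

    Each peer is a dict with 'source' and 'destination' entries, each an
    (address, wildcard) pair. An empty list means the selectors mirror.
    """
    findings = []
    for mine, theirs in (("source", "destination"), ("destination", "source")):
        rel = relation(pattern(*local[mine]), pattern(*remote[theirs]))
        if rel != "same":
            findings.append((mine, theirs, rel))
    return findings


# Constructed sample selectors (not taken from the guide).
ROUTER_A = {"source": ("10.1.1.0", "0.0.0.255"), "destination": ("10.1.2.0", "0.0.0.255")}
ROUTER_B_OK = {"source": ("10.1.2.0", "0.0.0.255"), "destination": ("10.1.1.77", "0.0.0.255")}
ROUTER_B_BAD = {"source": ("10.1.2.0", "0.0.0.127"), "destination": ("10.1.1.0", "0.0.0.255")}

if __name__ == "__main__":
    print("mirrored peer:", check_mirror(ROUTER_A, ROUTER_B_OK))
    print("mismatched peer:", check_mirror(ROUTER_A, ROUTER_B_BAD))
```

In the mismatched case the local destination covers a wider range than the remote source, so the two ends describe different protected traffic.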
Page 372
Figure 357 Advanced configuration Perform advanced connection configuration as described in Table 156. Click Apply. Table 156 Configuration items Item Description Phase 1 Exchange Mode Select the IKE negotiation mode in phase 1, which can be main or aggressive. IMPORTANT: • If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive....
Page 373
Item Description Encryption Algorithm Select the encryption algorithm to be used in IKE negotiation. Options include: • DES-CBC—Uses the DES algorithm in CBC mode and 56-bit key. • 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit key. • AES-128—Uses the AES algorithm in CBC mode and 128-bit key. •...
Page 374
Item Description Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security Protocol. Options include: • 3DES—Uses the 3DES algorithm and 168-bit key for encryption. • DES—Uses the DES algorithm and 56-bit key for encryption. • AES128—Uses the AES algorithm and 128-bit key for encryption.
Item Description DPD Packet Retransmission Interval Enter the interval after which DPD packet retransmission will occur if no DPD response is received. Displaying IPsec VPN monitoring information Select VPN > IPsec VPN from the navigation tree. Click the Monitoring Information tab to enter the page that displays the IPsec connection configuration and status information.
Field Description Last Connection Error The most recent error, if any. Possible values include: • ERROR_NONE—No error occurred. • ERROR_QM_FSM_ERROR—State machine error. • ERROR_PHASEI_FAIL—Error occurred in phase 1. • ERROR_PHASEI_PROPOSAL_UNMATCHED—No matching security proposal in phase 1. • ERROR_PHASEII_PROPOSAL_UNMATCHED—No matching security proposal in phase 2.
Page 377
Click Add. The IPsec connection configuration page appears. Enter map1 as the IPsec connection name. Select interface Ethernet0/1. Enter 2.2.3.1 as the remote gateway IP address. Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields. In the Selector area, select Characteristics of Traffic as the selector type.
The page as shown in Figure 361 appears. Enter 10.1.1.0 as the destination IP address. Enter 24 as the mask. Select Interface and then select Ethernet0/1 as the interface. Click Apply. Figure 361 Configuring a static route to Host A Configure an IPsec connection.
Page 379
• If you enable both IPsec and QoS on an interface, traffic of an IPsec SA might be put into different queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay operation, packets outside the anti-replay window in the inbound direction might be discarded, resulting in packet loss.
PPP session tunneled by the LAC. The L2TP extends the termination point of a PPP session from a NAS to an LNS, logically. For more information about L2TP, see Layer 2—WAN Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Enabling L2TP Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 363. On the upper part of the page, select the box before Enable L2TP. Click Apply. Figure 363 L2TP configuration page Adding an L2TP group Select VPN >...
Page 382
Configure the L2TP group information, as described in Table 159. Click Apply. Table 159 Configuration items Item Description L2TP Group Name Specify the name of the L2TP group. Peer Tunnel Name Specify the peer name of the tunnel. Local Tunnel Name Specify the local name of the tunnel.
Page 383
Item Description Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly. If you have specified an ISP domain in PPP authentication configuration, the address pools in the ISP domain are listed in the User Address list.
Page 384
Item Description Configure user authentication on an LNS. You can configure an LNS to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications Mandatory CHAP succeed.
Page 385
Figure 365 Adding an ISP domain Table 160 Configuration items Item Description ISP Domain Specify the name of the ISP domain. Select the primary authentication method for PPP users. • HWTACACS—HWTACACS authentication, which uses the HWTACACS scheme system. • Local—Local authentication. Primary •...
Page 386
Item Description
Accounting Optional Specify whether to enable the accounting optional function. For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user will be disconnected. However, with the accounting optional function enabled, the user can still use the network resources in such case, but the system will not send the accounting information of the user to the...
Item Description
End IP The number of addresses between the start IP address and end IP address must not exceed 1024. If you specify only the start IP address, the IP address pool will contain only one IP address, namely, the start IP address.
Displaying L2TP tunnel information
Select VPN >...
Page 388
Figure 368 Network diagram Configure the VPN user Assign an IP address (2.1.1.1 in this example) to the user host, configure a route to ensure the reachability of the LNS (1.1.2.2), and create a virtual private network connection using the Windows operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode.
Page 389
Figure 369 Adding a local user Enable L2TP: Select VPN > L2TP > L2TP Config from the navigation tree. The L2TP configuration page appears, as shown in Figure 370. Select the box before Enable L2TP. Click Apply. Figure 370 Enabling L2TP Modify the PPP authentication method of the ISP domain system: On the L2TP configuration page, click Add to enter the L2TP group configuration page.
Page 390
Figure 371 Selecting local authentication for VPN users Configure the address pool used to assign IP addresses to users: On the L2TP group configuration page, click the Add button of the User Address parameter. The IP address pool configuration page appears, as shown in Figure 372.
Page 391
Select pool1 from the User Address list. Select Enable from the Assign Address Forcibly list. Click Apply. Figure 373 L2TP group configurations Verifying the configuration On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address (192.168.0.2) and will be able to ping the private address of the LNS (192.168.0.1).
Figure 375 X protocol networks interconnected through the GRE tunnel For more information about GRE, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring a GRE over IPv4 tunnel...
Page 393
Figure 376 GRE tunnel configuration page
Click Add to add a GRE tunnel, as shown in Figure 377.
Figure 377 Adding a GRE tunnel
Table 163 Configuration items
Item Description
Tunnel Interface Specify the number of the tunnel interface.
IP/Mask Specify the IP address and subnet mask of the tunnel interface. IMPORTANT: When configuring a static route on the tunnel interface, note that the destination IP...
Item Description
GRE Key Specify the key for the GRE tunnel interface. This configuration is to prevent the tunnel ends from servicing or receiving packets from other places. IMPORTANT: The two ends of a tunnel must have the same key or have no key at the same time.
GRE Packet Checksum Enable or disable the GRE packet checksum function.
Page 395
Figure 379 Configuring interface Ethernet 0/0 Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel: Click the icon for interface Ethernet 0/1. Select Manual for Connect Mode. Enter IP address 1.1.1.1. Select IP mask 24 (255.255.255.0). Click Apply.
Page 396
Create a GRE tunnel: Select VPN > GRE from the navigation tree. Click Add. The Add Tunnel page appears, as shown in Figure 381. Enter 0 in the Tunnel Interface field. Enter IP address/mask 10.1.2.1/24. Enter the source end IP address 1.1.1.1, the IP address of Ethernet 0/1. Enter the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B.
Page 397
Figure 382 Adding a static route from Router A through interface Tunnel 0 to Group 2 Configuring Router B Configure an IPv4 address for interface Ethernet 0/0: Select Interface Setup > WAN Interface Setup from the navigation tree. Click the icon for interface Ethernet 0/0 and then perform the configurations shown in Figure 383.
Page 398
Click the icon for interface Ethernet 0/1 and then perform the configurations shown in Figure 384. Select Manual for Connect Mode. Enter IP address 2.2.2.2. Select IP mask 24 (255.255.255.0). Click Confirm. Figure 384 Configuring interface Ethernet 0/1 Create a GRE tunnel: Select VPN >...
Page 399
Figure 385 Setting up a GRE tunnel Configure a static route from Router B through interface Tunnel 0 to Group 1: Select Advanced > Route Setup from the navigation tree. Click the Create tab and then perform the configurations shown in Figure 386.
Page 400
Figure 387 Verifying the configuration...
SSL VPN overview SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that SSL provides, SSL VPN can establish secure connections for communications at the application layer.
The SSL VPN gateway resolves the request, interacts with the corresponding server, and then forwards the server's reply to the user. Advantages of SSL VPN Support for various application protocols Any application can be secured by SSL VPN without knowing the details. SSL VPN classifies the service resources provided by applications into three categories: Web proxy server resources—Web-based access enables users to establish HTTPS connections to •...
Configuring SSL VPN gateway
To perform the configurations described in this chapter, log in to the Web interface of the router. The default login address is http://192.168.1.1, username is admin, and password is admin.
Recommended configuration procedure
Step Remarks
Configuring the SSL VPN service Required. Enable SSL VPN, and configure the port number for the SSL VPN service and the PKI domain to be used.
Step Remarks
10. Configuring authentication policies Optional. Configure authentication methods and authentication parameters for an SSL VPN domain. IMPORTANT: Local authentication is always enabled. To use other authentication methods, you must manually enable them.
Optional. Configure the check items and protected resources for a security policy.
Configuring Web proxy server resources Typically, Web servers provide services in webpages. Users can get desired information by clicking the links on the pages. On the Internet, information exchanged between Web servers and users is transmitted in plain text. The HTTP data might be intercepted in transit. SSL VPN provides secure connections for users to access Web servers, and can prevent illegal users from accessing the protected Web servers.
Page 407
Item Description Specify the Website address for providing Web services. It must start with http:// and end with /, for example, http://www.domain.com/web1/. Website Address The website address can be an IP address or a domain name. If you specify a domain name, make sure you configure domain name resolution on Advanced >...
Table 166 Configuration items
Item Description
Use IP network Select this box to allow IP access to the resource. If you select this item, you must configure an IP network resource for a website and associate the IP network resource with the relevant users. When such a user accesses the website from the SSL VPN Web interface, the system logs the user in automatically to the website through the IP network resource.
Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Local Host Specify a loopback address or a character string that represents a loopback address. Specify the port number that the local host uses for the remote access service. HP Local Port recommends using a port number greater than 1024 that is rarely used.
Page 413
Resource Name IMPORTANT: If you do not configure the command for Command, HP recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Item Description Service Type Enter the type for the TCP service. Enter the host name or IP address of the remote host that provides the common TCP Remote Host service. Remote Port Enter the port number that the remote host uses for the common TCP service. Local Host Enter a loopback address or a character string that represents a loopback address.
Figure 403 Global configuration page Configure the global parameters as described in Table 172. Click Apply. Table 172 Configuration items Item Description Start IP Specify the IP address pool from which the gateway assigns IP addresses for clients' virtual network adapters. End IP Subnet Mask Enter the subnet mask to be assigned to a client's virtual network adapter.
Page 417
Figure 404 Host configuration Click Add to enter the page for adding a host resource. Figure 405 Adding a host resource Enter a name for the host resource. Click the Add button under the network services list to enter the page for adding a network service. Figure 406 Adding an available network service...
Description Enter a description for the network service. IMPORTANT: If you have configured the system to show network services by description, HP recommends that you include the network services' network information (subnet IP/mask) in the description so that users can view desired information after they log in to the SSL VPN system.
Click Add to enter the page for adding a user-IP binding.
Figure 409 Adding a user-IP binding
Configure the user-IP binding as described in Table 174. Click Apply.
Table 174 Configuration items
Item Description
Username Specify the username to be bound with an IP address. The username must contain the domain name.
Configure the predefined domain name as described in Table 175. Click Apply. Table 175 Configuration items Item Description Domain Name Enter a domain name to be issued to clients. Select the IP setting method, including Dynamic and Static. • Dynamic: To use this method, you also need to navigate to page Advanced > DNS Setup >...
Page 421
Figure 413 Adding a resource group Configure the resource group as described in Table 176. Click Apply. Table 176 Configuration items Item Description Resource Group Name Enter a name for the resource group. Selected Resources Specify resources for the resource group. Available Resources...
Configuring local users
Configure SSL VPN users for local authentication in the following methods:
• Configure local users one by one in the SSL VPN system. In this method, you can configure all parameters for a user at the same time, including the user name, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups.
Page 423
Figure 415 Adding a local user Configure the local user information as described in Table 177. Click Apply. Table 177 Configuration items Item Description Username Enter a name for the local user. Description Enter a description for the local user. Password Specify a password for the local user and enter the password again to confirm the password.
Item Description
Enable public account Select this item to set the local user account as a public account. A public account can be concurrently used by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the local user account to log in to the SSL VPN system at a time.
Figure 416 Batch import of local users Configuring a user group Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears. Figure 417 User groups Click Add to add a user group.
Page 426
Figure 418 Adding a user group Configure the user group as described in Table 178. Click Apply. Table 178 Configuration items Item Description User Group Name Enter a name for the user group. Selected Resource Groups Select resource groups for the user group. Users in the user group will be able to access the resources in the selected resource groups.
Viewing user information Viewing online user information Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, displaying the information of the current online users. Figure 419 Online users View information of the online users. Table 179 Field description Field Description...
Figure 420 History information
Performing basic configurations for the SSL VPN domain
Configure a domain policy, caching policy, and a bulletin:
• Domain policy—Defines the common parameters and functions for the SSL VPN domain.
• Caching policy—Specifies which cached contents to clear from user hosts when users log out from...
Page 429
Table 180 Configuration items Item Description Select this item to enable security check. With security check enabled, the SSL VPN system checks a user host based on the security policy and determines whether to allow the user to access resources according to the check result.
Configuring the caching policy Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 422. Select the operations to be done on a user host when the user logs out, including: Clear cached webpages.
Figure 424 Adding a bulletin Configure the bulletin settings as described in Table 181. Click Apply. Table 181 Configuration items Item Description Title Enter a name for the bulletin. Content Enter the contents of the bulletin. Selected User Groups Select the user groups that can view the bulletin. Available User Groups Configuring authentication policies SSL VPN supports local authentication, RADIUS authentication, LDAP authentication, AD authentication,...
• Password—Authenticates only a user's password.
• Password+Certificate—Authenticates a user's password and client certificate.
• Certificate—Authenticates only a user's client certificate.
RADIUS authentication supports only two authentication policies: password and password+certificate.
Configuring local authentication
Local authentication authenticates users by using the user information saved on the SSL VPN gateway. This authentication method is the fastest because user information is locally saved, and the SSL VPN gateway does not need to exchange information with an external authentication server.
Figure 426 RADIUS authentication
Configure the RADIUS authentication settings as described in Table 182. Click Apply.
Table 182 Configuration items
Item Description
Enable RADIUS authentication Select this item to enable RADIUS authentication.
Authentication Mode Select an authentication mode for RADIUS authentication. Options include Password and Password+Certificate.
Page 434
Figure 427 LDAP authentication Configure the LDAP authentication settings as described in Table 183. Click Apply. Table 183 Configuration items Item Description Enable LDAP Select this item to enable LDAP authentication. authentication LDAP Sever IP Specify the IP address of the LDAP server. Server Port Specify the TCP port number used by the LDAP server.
Configuring AD authentication Active Directory (AD) is a directory service provided by Windows 2000 Server and later versions. It saves information of objects on a network and allows administrators and users to query the information. AD uses structured data storage, which is the basis of the directory information logical structure. The SSL VPN system can cooperate with the existing AD server of an enterprise seamlessly to provide AD authentication for users in the enterprise.
Item Description
Password, Confirm Password Set a password for the administrator account, and enter the password again to confirm the password.
Username Format Set the username format used to log in to the AD server. Options include Without the AD domain name, With the AD domain name, and Login name.
Configuring combined authentication
A combination authentication method can combine any two of the four authentication methods (local authentication, RADIUS authentication, LDAP authentication, and AD authentication) in any order.
Configuring a security policy Insecure user hosts might bring potential security threats to the internal network. You can configure security policies for the SSL VPN system so that when a user logs in, the SSL VPN system checks the user host's operating systems, browsers, antivirus software, firewall software, files and processes, and determines which resources to provide for the user according to the check result.
Page 438
Configure the security policy as described in Table 186. Click Apply. Table 186 Configuration items Item Description Name Enter a name for the security policy. Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
Page 439
Item Description
Operator Set an operator for the browser version check.
• >=: A user host must use the specified version or a later version.
• >: A user host must use a version later than the specified version.
• =: A user host must use the specified version.
Page 440
Item Description Rule Name Enter a name for the file rule. File Specify the files. A user host must have the specified files to pass security File Name check. Rule Name Enter a name for the process rule. Process Specify the processes. A user host must have the specified processes to pass Process Name security check.
Customizing the SSL VPN user interface
The SSL VPN system allows you to customize the user interface partially or fully as desired:
• Partial customization—You can use the webpage files provided by the system and edit some contents in the files as needed, including the login page title, login page welcome information, login page logo, service page banner information, service page logo, and service page background.
Page 442
Figure 433 Specifying a login page logo picture Configuring the service page logo Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. Click the Service Page Logo tab to enter the page shown in Figure 434.
Figure 435 Specifying a service page background picture Customizing the SSL VPN interface fully Before full customization of the SSL VPN interface, upload the customized page file to the SSL VPN gateway through FTP or TFTP. Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full customization page appears.
User access to SSL VPN This chapter introduces user access to the SSL VPN service interface provided by the system. It is not suitable for user access to a fully customized SSL VPN service interface. After you finish configurations on the SSL VPN gateway, remote users can establish HTTPS connections to the SSL VPN gateway, and access resources through the user service interface provided by the SSL VPN gateway.
Figure 438 SSL VPN service interface Figure 439 SSL VPN client software Accessing SSL VPN resources After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations: Clicking a resource name under Websites to access the website.
receiving and sending servers according to the email resource name, logs in by using the username and password, and then uses the email service.
• For an IP network resource, the user can access any host in any accessible network segment and...
Page 447
Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 441. Enter the new password, and confirm the new password. Click Apply. When the user logs in again, the user must enter the new password. Figure 441 Changing login password...
SSL VPN configuration example Network requirements As shown in Figure 442, request a certificate and enable SSL VPN service on the SSL VPN gateway so that users can use HTTPS to log in to the SSL VPN gateway to access the internal resources of the corporate network.
Configuration procedure Configuring the SSL VPN service Configure a PKI entity named en: Select Certificate Management > Entity from the navigation tree. Click Add to enter the PKI configuration page, as shown in Figure 443. Enter the PKI entity name en. Enter common name http-server for the entity.
Page 450
Figure 444 Configuring a PKI domain named sslvpn Generate an RSA key pair: Select Certificate Management > Certificate from the navigation tree. Click Create Key to enter the key generation page, as shown in Figure 445. Set the key length to 1024. Click Apply.
Page 451
Figure 446 Retrieving the CA certificate to the local device Request a local certificate: After the CA certificate retrieval operation is complete, click Request Cert on the certificate management page. Select sslvpn as the PKI domain. Click Apply. The system displays "Certificate request has been submitted." Click OK to confirm the operation.
Figure 448 Certificate management page Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service: Select VPN > SSL VPN > Service Management from the navigation tree. Select the box before Enable SSL VPN. Set the port number to 443.
Page 453
Enter the website address http://10.153.1.223/. Click Apply. Figure 450 Configuring a Web proxy resource Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120: Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. Click the Desktop Sharing Service tab.
Page 454
Figure 451 Configuring a desktop sharing service resource Configure global parameters for IP network resources: Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global Configuration tab appears, as shown in Figure 452. Enter the start IP address 192.168.0.1.
Page 455
Click Add to enter the host resource configuration page. Enter the resource name sec_srv. Click the Add button under the Network Services list. On the page that appears, as shown in Figure 453, enter the destination IP address 10.153.2.0, enter the subnet mask 24, select IP as the protocol type, specify the description information as 10.153.2.0/24, and click Apply.
Page 456
Figure 455 Configuring a host resource Configure resource group res_gr1, and add resource desktop to it: Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to enter the resource group list page. Click Add to enter the resource group configuration page, as shown in Figure 456.
Enter the resource group name res_gr2. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list. Click Apply. Figure 457 Configuring resource group res_gr2 Configuring SSL VPN users Configure a local user account usera: Select VPN >...
Page 458
Figure 458 Adding local user usera Configure user group user_gr1, assign resource group res_gr1 to the user group and add local user usera to the user group: Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the user group list page.
Page 459
Figure 459 Configuring user group user_gr1 Configure user group user_gr2, and assign resource group res_gr2 to the user group: On the user group list page, click Add. Enter the user group name user_gr2. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list.
Figure 460 Configuring user group user_gr2 Configuring an SSL VPN domain Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The Domain Policy tab appears, as shown in Figure 461.
Page 461
Figure 461 Configuring the domain policy Configure a RADIUS scheme named system: Select Advanced > RADIUS from the navigation tree. Click Add to enter the RADIUS scheme configuration page. Enter the scheme name system. In the Common Configuration area, select Extended as the supported RADIUS server type, and select Without domain name as the username format.
Figure 463 Configuring RADIUS scheme named system Enable RADIUS authentication for the SSL VPN domain: Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. Click the RADIUS Authentication tab. Select the box before Enable RADIUS authentication. Click Apply.
Page 463
Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 465. Clicking the resource name, you can access the shared desktop of the specified host, as shown in Figure 466.
Page 464
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server. Use this user account and the default authentication method RADIUS to log in. You can see website tech, subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 467.
HP's PKI system provides certificate management for IPsec and SSL. The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI has a wide range of applications. Here are some application examples: VPN—A VPN is a private data communication network built on the public communication...
Recommended configuration procedure for manual request
Step Remarks
Creating a PKI entity Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity.
Step Remarks Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
Task Remarks
Creating a PKI domain Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
Figure 470 Creating a PKI entity Configure the parameters as described in Table 189. Click Apply. Table 189 Configuration items Item Description Entity Name Enter the name for the PKI entity. Common Name Enter the common name for the entity. IP Address Enter the IP address of the entity.
Page 470
Figure 471 PKI domains Click Add. Figure 472 Creating a PKI domain Configure the parameters as described in Table 190. Click Apply. Table 190 Configuration items Item Description Domain Name Enter the name for the PKI domain. Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA.
Page 471
It does not issue any certificate. Sometimes, the registration management function is provided by the CA, in which case no independent RA is required. HP recommends that you deploy an independent RA. Enter the URL of the RA.
Item Description
Polling Count, Polling Interval Set the polling interval and attempt limit for querying the certificate request status. After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Figure 474 Generating an RSA key pair Set the key length. Click Apply. Destroying the RSA key pair From the navigation tree, select Certificate Management > Certificate. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 475 Destroying the RSA key pair Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
Page 474
Click Apply.
Table 191 Configuration items
Item Description
Domain Name Select the PKI domain for the certificate.
Certificate Type Select the type of the certificate to be retrieved, which can be CA or local.
Enable Offline Mode Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or email).
Requesting a local certificate
From the navigation tree, select Certificate Management > Certificate.
Click Request Cert.
Figure 478 Requesting a certificate
Configure the parameters as described in Table 192.
Table 192 Configuration items
Item: Description
Domain Name: Select the PKI domain for the certificate.
Password: Enter the password for certificate revocation.
Retrieving and displaying a CRL
From the navigation tree, select Certificate Management > CRL.
Figure 480 CRLs
Click Retrieve CRL to retrieve the CRL of a domain.
Click View CRL for the domain to display the contents of the CRL.
Figure 481 Displaying CRL information
PKI configuration examples
Certificate request from a Windows 2003 CA server...
Page 477
Figure 482 Network diagram
Configuring the CA server
Install the CA server component:
From the start menu, select Control Panel > Add or Remove Programs.
Select Add/Remove Windows Components.
In the pop-up dialog box, select Certificate Services.
Click Next to begin the installation.
Install the SCEP add-on:
Because a CA server running Windows 2003 server operating system does not support SCEP by default, be sure to install the SCEP add-on to provide the router with automatic certificate...
Page 478
Figure 483 Creating a PKI entity
Create a PKI domain:
From the navigation tree, select Certificate Management > Domain.
Click Add. The page in Figure 484 appears.
In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA identifier, select aaa as the local entity, select RA as the authority for certificate request, enter http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port are the...
Page 479
Enter 1024 as the key length, and click Apply. Figure 485 Generating an RSA key pair Retrieve the CA certificate: From the navigation tree, select Certificate Management > Certificate. Click Retrieve Cert. Select torsa as the PKI domain, select CA as the certificate type, and click Apply. Figure 486 Retrieving the CA certificate Request a local certificate: From the navigation tree, select Certificate Management >...
Figure 487 Requesting a certificate Verifying the configuration After the configuration, you can select Certificate Management > Certificate from the navigation tree, and then click View Cert corresponding to the certificate of PKI domain torsa to display the certificate information. You can also click View Cert corresponding to the CA certificate of PKI domain torsa to display the CA certificate information.
Page 481
After completing the configuration, perform CRL related configurations. In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the router is synchronized with that of the CA, so that the router can request certificates and retrieve CRLs properly.
Page 482
Figure 490 Creating a PKI domain Generate an RSA key pair: From the navigation tree, select Certificate Management > Certificate. Click Create Key. Set the key length to 1024, and click Apply. Figure 491 Generating an RSA key pair Retrieve the CA certificate: From the navigation tree, select Certificate Management >...
Page 483
Figure 492 Retrieving the CA certificate Request a local certificate: From the navigation tree, select Certificate Management > Certificate. Click Request Cert. Select torsa as the PKI domain, select Password, enter "challenge-word" as the password, and click Apply. The system displays "Certificate request has been submitted." Click OK to confirm.
Figure 494 Retrieving the CRL
Verifying the configuration
After the configuration, select Certificate Management > Certificate from the navigation tree to display detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to display detailed information about the retrieved CRL.
IKE negotiation with RSA digital signature
Network requirements
An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on subnet...
Page 485
Figure 495 Network diagram Configuring Router A Create a PKI entity: From the navigation tree, select Certificate Management > Entity. Click Add. Enter en as the PKI entity name, enter router-a as the common name, enter 2.2.2.1 as the IP address of the entity, and click Apply.
Page 486
Create a PKI domain: From the navigation tree, select Certificate Management > Domain. Click Add. The page in Figure 497 appears. Enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example.
Page 487
Figure 498 Generating an RSA key pair Retrieve the CA certificate: From the navigation tree, select Certificate Management > Certificate. Click Retrieve Cert. Select 1 as the PKI domain, select CA as the certificate type, and click Apply. Figure 499 Retrieving the CA certificate Request a local certificate: From the navigation tree, select Certificate Management >...
Page 488
Figure 500 Requesting a certificate Configure an IPsec connection: From the navigation tree, select VPN > IPsec VPN. Click Add. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 3.3.3.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-a for the certificate, select Characteristics of Traffic as the selector type, enter 11.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 10.1.1.0/0.0.0.255 as the destination IP address/wildcard.
Page 489
Create a PKI entity: From the navigation tree, select Certificate Management > Entity. Click Add. Enter en as the PKI entity name, enter router-b as the common name, and enter 3.3.3.1 as the IP address of the entity. Click Apply. Create a PKI domain: From the navigation tree, select Certificate Management >...
Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 2.2.2.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-b for the certificate, select Characteristics of Traffic as the selector type, enter 10.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 11.1.1.0/0.0.0.255 as the destination IP address/wildcard.
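The two IPsec connections above only interoperate if each router's remote gateway is the other router's address and the address/wildcard selectors are exact mirrors of each other. The following Python check is an added example, not part of the HP guide: the dictionary layout, the field names and the misconfigured Router B variant are constructed for illustration, and it assumes each router's gateway address is the IP address entered for its PKI entity.

```python
import ipaddress


def wildcard_to_network(spec):
    """Convert 'address/wildcard' (as typed in the selector fields) to an IPv4Network."""
    addr_text, wildcard_text = spec.split("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    wildcard = int(ipaddress.IPv4Address(wildcard_text))
    # A wildcard that maps to a prefix is a run of low-order 1 bits:
    # 0.0.0.255 is valid, 0.0.255.0 is not.
    if wildcard & (wildcard + 1):
        raise ValueError(f"{spec}: wildcard is not a contiguous block of low-order bits")
    if addr & wildcard:
        raise ValueError(f"{spec}: address has bits set inside the wildcard")
    return ipaddress.IPv4Network((addr, 32 - wildcard.bit_length()))


def check_pair(a, b):
    """Return a list of findings for two peers' IPsec connection settings."""
    findings = []
    nets = {}
    for side in (a, b):
        for field in ("source", "destination"):
            try:
                nets[(side["name"], field)] = wildcard_to_network(side[field])
            except ValueError as exc:
                findings.append(f"{side['name']} {field}: {exc}")
    if findings:
        return findings  # selectors must parse before they can be compared

    for local, peer in ((a, b), (b, a)):
        src = nets[(local["name"], "source")]
        dst = nets[(local["name"], "destination")]
        if local["remote_gateway"] != peer["gateway_ip"]:
            findings.append(
                f"{local['name']}: remote gateway {local['remote_gateway']} "
                f"is not {peer['name']}'s address {peer['gateway_ip']}"
            )
        if src != nets[(peer["name"], "destination")]:
            findings.append(
                f"{local['name']}: source {src} does not mirror "
                f"{peer['name']}'s destination {nets[(peer['name'], 'destination')]}"
            )
        if src.overlaps(dst):
            findings.append(f"{local['name']}: source {src} overlaps destination {dst}")
        if local["certificate"] != "CN=" + local["common_name"]:
            findings.append(
                f"{local['name']}: certificate {local['certificate']} "
                f"does not match entity common name {local['common_name']}"
            )
    return findings


# Values taken from the Router A / Router B example on this page.
ROUTER_A = {
    "name": "Router A", "gateway_ip": "2.2.2.1", "common_name": "router-a",
    "remote_gateway": "3.3.3.1", "certificate": "CN=router-a",
    "source": "11.1.1.0/0.0.0.255", "destination": "10.1.1.0/0.0.0.255",
}
ROUTER_B = {
    "name": "Router B", "gateway_ip": "3.3.3.1", "common_name": "router-b",
    "remote_gateway": "2.2.2.1", "certificate": "CN=router-b",
    "source": "10.1.1.0/0.0.0.255", "destination": "11.1.1.0/0.0.0.255",
}
# Constructed misconfiguration: wrong peer address and a destination wider than
# Router A's source, so the selectors no longer mirror each other.
ROUTER_B_BAD = dict(ROUTER_B, remote_gateway="2.2.2.2",
                    destination="11.1.0.0/0.0.255.255")

if __name__ == "__main__":
    for label, peer in (("as documented", ROUTER_B), ("misconfigured", ROUTER_B_BAD)):
        result = check_pair(ROUTER_A, peer)
        print(label, "->", result if result else "consistent")
```
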
Managing the system
Configuring Web management
This module enables you to set the Web connection idle-timeout timer. If you do not perform any operations on the Web interface before this timer expires, you are logged out of the Web page. By default, the idle-timeout timer is 10 minutes.
To save the configuration: From the navigation tree, select System Management > Configuration. The save configuration page appears. Figure 503 Saving the configuration Perform one of the following operations: To save the current configuration to the next-startup configuration file, click Save Current Settings.
• View the next-startup configuration file, including the .cfg file and .xml file.
• Back up the next-startup configuration file, including the .cfg file and .xml file, to your local host.
To back up the configuration:
From the navigation tree, select System Management > Configuration.
Click the Backup tab.
Click one of the Browse… buttons: When you click the upper Browse… button in this figure, the file upload dialog box appears. You can select a .cfg file to upload. When you click the lower Browse… button in this figure, the file upload dialog box appears. You can select an .xml file to upload.
Figure 507 Backing up and restoring device files through the USB port
Perform one of the following operations:
In the Device File(s) area, select the files to be backed up, and click the Backup button to back up the selected files to the destination device.
In the USB File(s) area, select the files to be restored, and click the Restore button to transfer the selected files to the device through the USB port.
check is successful, the system reboots the device. Otherwise, a dialog box appears, telling you that the current configuration and the saved configuration are inconsistent, and the reboot fails. In this case, save the current configuration manually before you can reboot the device. If you do not select the option, the system reboots the device directly.
Page 497
To manage services:
From the navigation tree, select System Management > Service Management. The service management configuration page appears.
Configure the service management as described in Table 193.
Click Apply.
Figure 509 Service management
Table 193 Configuration items
Item Description Specify whether to enable the FTP service. Enable FTP service.
Item Description Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. ACL. You can view this configuration item by clicking the expanding button in front of HTTP. Specify whether to enable the HTTPS service.
Figure 510 Creating a user Table 194 Configuration items Item Description Username Set the username for a user. Set the access level for a user. Users of different levels can perform different operations. Listed from low to high, Web user levels are as follows: •...
From the navigation tree, select System Management > Users. Click the Super Password tab. The super password configuration page appears. Configure the super password as described in Table 195. Click Apply. Figure 511 Super password configuration page Table 195 Configuration items Item Description Set the operation type:...
Figure 512 Access level switching page
Configuring system time
Configure a correct system time so the device can work with other devices correctly. The device supports setting and displaying the system time, and setting the time zone and daylight saving time through manual configuration and automatic synchronization of NTP server time.
Page 502
Figure 513 System time configuration page Table 196 Configuration items Item Description Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by entering their IP addresses. NTP Server 1 is the primary and NTP Server 2 is the secondary. NTP Server 1.
Figure 514 Calendar page Setting the time zone and daylight saving time From the navigation tree, select System Management > System Time. Click the Time Zone tab. The page for setting time zone appears. Configure the time zone as described in Figure 515.
Item Description Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 516. You can configure the daylight saving time changes in the following ways: •...
TR-069 network framework
Figure 517 Network diagram
The basic network elements of TR-069 are:
• ACS—Auto-Configuration Server, which is the management device in the network.
• CPE—Customer Premise Equipment, which is the managed device in the network.
• DNS server—Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to...
Page 506
• ACS address (URL)
• ACS username (Username)
• ACS password (Password)
• Inform message auto sending flag (PeriodicInformEnable)
• Inform message auto sending interval (PeriodicInformInterval)
• Inform message auto sending time (PeriodicInformTime)
• CPE username (ConnectionRequestUsername)
• CPE password (ConnectionRequestPassword)
• ...
• CPE username
• CPE password
For the TR-069 mechanism, see Network Management and Monitoring Configuration Guide in HP MSR Router Series Configuration Guides (V5).
Configuration procedure
The TR-069 parameters of CPE can be configured automatically through ACS remote management, and also can be configured manually through Web, which is described in detail in this section.
Item Description Configure the password used by the CPE to authenticate the connection sent from the ACS. Password. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same. Sending Enable or disable CPE's periodical sending of Inform messages.
Figure 519 Software upgrade configuration page Table 199 Configuration items Item Description Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. File IMPORTANT: The filename is main.bin when the file is saved on the device. Reboot after the upgrading Specify whether to reboot the device to make the upgraded software take finished...
Page 510
Table 200 Configuration items Item Description Specify the filename of the local application file, which must be suffixed with File the .app or .bin extension. Specify the type of the system software image for the next boot: • File Type Main.
• send traps to the NMS when some events, such as interface state change, occur.
HP supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
• SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use...
Page 512
Figure 521 SNMP page Configure the SNMP agent, as shown in Table 201. Table 201 Configuration items Item Description Specify to enable or disable the SNMP agent. IMPORTANT: SNMP If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed.
Item Description Set the SNMP security username when you select the SNMP version SNMPv3. Security Username The security name on the agent must be the same as that on the NMS. Set the authentication password when you select the SNMP version SNMPv3.
Page 514
Figure 522 Network diagram Configuring the SNMP agent Select System Management > SNMP from the navigation tree, and then perform configuration as shown in Figure 523. Figure 523 Configuring the SNMP agent Select the Enable option. Select the SNMPv1 & v2 option. Type readonly in the field of Read Password.
Verifying the configuration
• After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes.
• Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.
SNMPv3 configuration example
Network requirements
As shown in...
Page 516
Type prikey in the field of Privacy Password. Type 1.1.1.2 in the field of Trusted Host. Type 1.1.1.2 in the field of Trap Target Host Address/Domain. Click Apply. Configuring the SNMP NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations.
Configuring syslogs
System logs record network and device information, including running status and configuration changes. With system log information, network administrators can find network or security problems, and take corresponding actions against them.
The system sends system logs to the following destinations:
• Console
• ...
View system logs. To clear all system logs in the log cache, click Reset. To refresh system logs, click Refresh. To make the syslog display page refresh automatically, set the refresh interval on the syslog configuration page. For more information, see "Setting buffer capacity and refresh interval."...
Figure 527 Loghost configuration page
Configure the log host as described in Table 203.
Click Apply.
Table 203 Configuration items
Item: Description
IPv4/Domain, Loghost IP/Domain: Set the IPv4 address or domain name of the log host.
IPv6, Loghost IP: Set the IPv6 address of the log host.
Setting buffer capacity and refresh interval
Select Other >...
Page 520
Figure 528 Log setup Configure buffer capacity and refresh interval as described in Table 204. Click Apply. Table 204 Configuration items Item Description Buffer Capacity Set the number of logs that can be stored in the log buffer. Set the refresh interval of log information. You can select manual refresh or automatic refresh: Refresh Interval •...
Using diagnostic tools
This chapter describes how to use the ping and traceroute facilities.
Traceroute
By using the traceroute facility, you can trace Layer 3 devices involved in delivering a packet from source to destination. You can traceroute the IP address or the host name of a device. If the target host name cannot be resolved, a prompt appears.
To perform a traceroute operation: Log in to the Web interface, and select Other > Diagnostic Tools from the navigation tree to enter the traceroute operation page, as shown in Figure 529. Enter the destination IP address or host name. Click Start.
Configuring WiNet
The Wisdom Network (WiNet) technology helps you centrally manage a large number of scattered network devices by using a small number of public IP addresses.
WiNet has the following benefits:
• Integration—WiNet is integrated in network devices as a function without needing any dedicated...
Select WiNet from the navigation tree. When WiNet is disabled, a dialog box "Only the WiNet administrator supports the function" appears. Click OK to enter the Setup page, as shown in Figure 532.
Configure WiNet, as shown in Table 205.
Figure 532 WiNet setup page
Table 205 Configuration items
Item...
To customize the background image, click Browse, locate the image you want to use, and click Upload. To remove the customized background image, click Clear. Managing WiNet To manage WiNet members, make sure the port that connects your host to the administrator permits packets of the management VLAN.
Page 527
After the authentication center starts up, the Open AuthN Center button changes to Close AuthN Center. Click Close AuthN Center to remove the RADIUS server and the guest user. Drag the icon of a specific device in the WiNet topology and place it in a position as needed. If the browser is configured to accept cookies, the latest position information of each device is stored after you click Network Snapshot.
Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click Port Guard to enable Layer 2 portal authentication on the interfaces. CAUTION: You cannot enable Layer 2 portal authentication on an interface that connects to a member/candidate device, connects to an external network, or connects to the console terminal.
Page 529
Figure 537 Adding a user
Table 206 Configuration items
Item: Description
Username: Enter the name of the user.
Password, Confirm Password: Set a user password and confirm it. IMPORTANT: The leading spaces (if any) of a password will be omitted.
Enter an authorized VLAN ID for the user.
Batch importing and exporting RADIUS users
Select WiNet from the navigation tree, and click the User Management tab to enter the page as shown in Figure 536.
Click Export and click Save in the dialog box that appears.
Set the local path and file name for saving the exported files.
Click Save to export all the RADIUS user information in the files to the local host.
display the password, for example, <script type="text/javascript">if (szPTGuestPWD !="") document.write("Guest password is " + szPTGuestPWD);</script>.
WiNet configuration example
WiNet establishment configuration example
Network requirements
As shown in Figure 540, a WiNet comprises an administrator and two members.
• The administrator is connected to the external network through Ethernet 0/1, and is connected to the members through Ethernet 0/2 and Ethernet 0/3.
Page 532
Figure 541 Creating VLAN 10 and VLAN-interface 10 Select the Create option. Enter 10 for VLAN IDs. Select the Create VLAN Interface box. Click Apply. # Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10. Figure 542 Assigning interfaces to VLAN 10 On the VLAN Setup page, select 10 in the VLAN Config field.
Page 533
Click Add. The configuration progress dialog box appears. Figure 543 Configuration progress dialog box After the configuration is complete, click Close. # Configure the IP address of VLAN-interface 10. Click the VLAN Interface Setup tab. Figure 544 Specifying an IP address for VLAN-interface 10...
Page 534
Select 10 for VLAN ID.
Enter 163.172.55.1 for IP Address.
Enter 255.255.255.0 for Subnet Mask.
Click Apply.
# Enable WiNet.
Select WiNet from the navigation tree. When WiNet is disabled, a dialog box "Only the WiNet administrator supports the function" appears.
Figure 546 WiNet topology diagram
WiNet-based RADIUS authentication configuration example
Network requirements
As shown in Figure 547, a WiNet comprises an administrator (Device B) and two members (Device A and Device C). The client connects to Device A through Ethernet 0/2.
Deploy security authentication in the WiNet so that the client can access external networks after passing authentication on Device B.
Page 536
Figure 547 Network diagram
Configuration procedure
Establish a WiNet. See "WiNet establishment configuration example."
Configure WiNet-based RADIUS authentication.
# Specify a RADIUS user.
Log in to Device B through Ethernet 0/1.
Select WiNet from the navigation tree on Device B.
Click the User Management tab.
Click Add.
Page 537
Figure 549 Setting up a RADIUS server Click the WiNet Management tab. Click Open AuthN Center. # Enable Layer 2 portal authentication on Ethernet 0/2 of Device A. Figure 550 Enabling Layer 2 portal authentication on Ethernet 0/2 of Device A...
Page 538
Click Device A on the topology diagram. Click Ethernet 0/2 on the panel diagram. Click Port Guard.
Configuration wizard
Overview
The configuration wizard helps you establish a basic call, and configure local numbers and connection properties.
Basic service setup
Entering the configuration wizard homepage
From the navigation tree, select Voice Management > Configuration Wizard to access the configuration wizard homepage, as shown in Figure 551.
Figure 552 Country selection page
Table 207 Configuration item
Item: Description
Call Progress Tone Country Mode: Configure the device to play the call progress tones of a specified country or region.
Configuring local numbers
In the country tone configuration page, click Next to access the local number configuration page, as shown in Figure 553.
Configuring connection properties After you finish the local number configuration, click Next to access the connection property configuration page, as shown in Figure 554. Figure 554 Connection property configuration page Table 209 Configuration items Item Description Specify the address of the main registrar. It can be an IP address or a Main Registrar Address domain name.
Local number and call route
This chapter describes local numbers, call routes, fax and modem, call services, and advanced settings.
Local numbers and call routes
Local numbers and call routes are basic settings for making voice calls.
• Local number configuration includes setting a local telephone number and authentication...
Basic settings
This section provides information about configuring basic settings.
Introduction to basic settings
Local number
Local number configuration includes setting a local telephone number and authentication information used for registration.
Call route
Call route configuration includes setting a destination telephone number and call route type. The call route type can be either SIP routing or trunk routing.
Configuring trunking mode calling for the configuration example of using the trunking routing as the call route type. Basic settings Configuring a local number Select Voice Management > Local Number from the navigation tree, and click Add to access the page for creating a local number, as shown in Figure 557.
Item: Description
Bound Line: This list displays all FXS voice subscriber lines. Select a voice subscriber line to be bound with the local number.
Description: Specify the description of the number.
Jitter-buffer Adaptive:
• Enable—Select this option to buffer the voice packets received from the IP side, so that the received voice packets can be played out evenly.
Page 546
Figure 558 Call route configuration page Table 211 Configuration items Item Description Call Route ID Enter a call route ID in the range of 1 to 2147483647. Destination Enter the called telephone number. Number...
Page 547
Item: Description
Route Description: Enter the description of the call route.
Proxy Server: Use a SIP proxy server to complete calling.
IP Routing: Use the SIP protocol to perform direct calling. If you select this option, you must provide the destination address and port number.
Configuration examples of local number and call route Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address) Network requirements As shown in Figure 559, Router A and Router B can directly call each other as SIP UAs using the SIP protocol (configuring static IP addresses).
Page 549
Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Page 550
Figure 561 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address. Click Apply.
Page 551
Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 562 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list.
Page 552
Figure 563 Creating call route 1111
Enter 2 for Call Route ID.
Enter 1111 for Destination Number.
Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
Click Apply.
Verifying the configuration
• After the previous configuration, you can use telephone 1111 to call telephone 2222, or use...
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls.
Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name)
Network requirements
As shown in Figure...
Page 554
Figure 565 Creating local number 1111 Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Page 555
Figure 566 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select IP Routing for SIP Routing, and type cc.news.com for Destination Address. Click Apply.
Page 556
Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 567 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list.
Page 557
Figure 568 Creating call route 1111 Enter 2 for Call Route ID. Enter 1111 for Destination Number. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. Click Apply.
Verifying the configuration
• After the previous configuration, you can use telephone 1111 to call telephone 2222 by using the DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111 by querying the static IP address of the called party.
Page 559
Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Page 560
Figure 571 Creating call route 2222 Enter 10000 for Call Route ID. Enter 2222 for Destination Number. Select SIP Routing for Call Route Type. Select Proxy Server for SIP Routing. Click Apply.
Page 561
# Configure the registrar and the proxy server. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page. Figure 572 Configuring registration information Select Enable for Register State. Enter 192.168.2.3 for Main Registrar Address. Enter Router A for Username and abc for Password.
Page 562
Figure 573 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone B for Description. Click Apply. # Create a call route Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Page 563
Figure 574 Creating call route 1111 Enter 1 for Call Route ID. Enter 1111 for Destination Number. Select SIP for Call Route Type. Select Proxy Server for SIP Routing. Click Apply. # Configure the registrar and the proxy server. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page.
Page 564
Figure 575 Configuring registration information
Select Enable for Register State.
Enter 192.168.2.3 for Main Registrar Address.
In the Proxy Server area, enter 192.168.2.3 for Server Address.
Enter Router A for Username and abc for Password.
Click Apply.
Verifying the configuration
• After the local numbers of the two sides are registered on the registrar successfully, telephone 1111...
Configuring trunking mode calling
Network requirements
As shown in Figure 576, Router A and Router B are connected through an FXO trunk line. It is required that Telephone 1111 can call telephone 2222.
Figure 576 Network diagram
Configuring Router A
# Create a local number.
Page 566
Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route. Figure 578 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select Trunk for Call Route Type.
Page 567
Figure 579 Configuring number sending mode Select Send All Digits of a Called Number for Called Number Sending Mode. Click Apply. Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
Page 568
Select subscriber-line 8/0 from the Bound Line list.
Enter Telephone B for Description.
Click Apply.
Verifying the configuration
• Telephone 1111 can call telephone 2222 over the trunk line.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access...
Fax and modem Traditional fax machines transmit and receive faxes over PSTN. As time passes, fax has gained wide applications owing to its advantages such as various information, high transmission speed, and simple operations. By far, G3 fax machines are dominant in the fax communications. A G3 fax machine adopts the signal digitizing technology.
or D/A conversion for fax signals (that is, the router demodulates analog signals from PSTN into digital signals, or modulates digital signals from the IP network into analog signals), but does not need to compress fax signals. A real-time fax process consists of five phases: Fax call setup phase.
pass-through function, which can help remote PSTN users to log in to internal network devices through dialup. Configuring fax and modem Before you configure fax and modem, you must configure local numbers and call routes. See Basic settings for details. Configuring fax and modem parameters of a local number Select Voice Management >...
Page 572
Item: Description
Fax Protocol:
Configure the protocol used for fax communication with other devices.
• T.38—With this protocol, a fax connection can be set up quickly.
• Standard T.38—It supports H.323 and SIP.
Configure the fax pass-through mode.
• G.711 A-law.
• ...
Page 573
Item Description Specify the fax training mode: • Local—The gateways participate in the rate training between fax terminals. In this mode, rate training is performed between fax terminals and gateways, respectively, and then the receiving gateway sends the training result of the receiving fax terminal to Fax Training the transmitting gateway.
Item Description As defined in ITU-T, the ECM is required for a half duplex and fax message transmission using the half-duplex and half-modulation system of ITU-T V.34 protocol. Besides, the G3 fax terminals working in full duplex mode are required to support half-duplex mode, that is, ECM.
Page 575
Figure 583 Call route fax and modem configuration page For call route fax and modem configuration items, see Table 212 for details.
Call services More and more VoIP-based services are demanded as voice application environments expand. On the basis of basic calls, new features are implemented to meet different application requirements of VoIP subscribers. Call waiting When subscriber C calls subscriber A who is already engaged in a call with subscriber B, the call is not rejected if call waiting is enabled.
Call transfer Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is established.
Silent monitor and barge in services Silent monitor service—Allows a supervisor to monitor active calls without being heard. Barge in service—Allows a supervisor to participate in a monitored call to implement three-party conference. For example, suppose subscribers A and B are in a conversation and subscriber C is the supervisor.
Support for SIP voice service of the VCX Together with a server, the VCX implements the application of multiple voice features such as Silent Monitor, Camp On, and FwdMail Toggle by using the HP proprietary SIP Feature messages. Configuring call services of a local number...
Page 580
Figure 584 Call services configuration page Table 213 Configuration items Item Description The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number for call forwarding no reply. The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number for call forwarding busy. Call Forwarding Call Forwarding Unconditional—Enter the forwarded-to number for forwarding unconditional.
Configuring other voice functions Select Voice Management > Local Number from the navigation tree, and then click the icon of the local number to be configured to access the call services configuration page as shown in Figure 585. Figure 585 Call services configuration page Table 214 Configuration items Item Description...
Page 582
Item Description • Enable. Incoming Call • Disable. Barring By default, incoming call barring is disabled. Password for Set a password to lock your telephone when you do not want others to use your Outgoing Call telephone. Barring Door Opening Enable the door opening control service and set a password for Password.
Configuring call services of a call route Select Voice Management > Call Route from the navigation tree, and then click the icon of the call route to be configured to access the call route call services configuration page as shown in Figure 586.
Item Description • Enable. • Disable. By default, hunt group function is disabled. Hunt Group IMPORTANT: To use the hunt group feature, you must select the Enable option of all call routes involved in this service. Configure the private line auto ring-down (PLAR) function. The number is an E.164 Hotline Numbers telephone number of the terminating end.
Figure 588 Configuring call waiting Select Enable for Call Waiting. Click Apply. Verifying the configuration Verify the two call waiting operation modes: • Operation 1—When the subscriber at Telephone C dials 1000 to call Telephone A which is already engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones, while the subscriber at Telephone A hears call waiting tones that remind that a call is waiting on the line.
Page 586
Figure 589 Network diagram (devices: Router A, Router B, Router C; Telephone A 1000, Telephone B 2000, Telephone C 3000; interfaces Eth1/1 and Eth1/2; addresses shown: 10.1.1.1/24, 10.1.1.2/24, 20.1.1.1/24, 20.1.1.2/24) Configuration procedure Before performing the following configuration, make sure Router A, Router B and Router C are reachable to each other.
Verifying the configuration Place a call from Telephone A to Telephone B. Router B forwards the call to Telephone C when Telephone B is busy. Finally, Telephone A and Telephone C start a conversation. Configuring call transfer Network requirements As shown in Figure 591, call transfer enables Telephone A to transfer Telephone B to Telephone C.
Figure 592 Configuring call transfer Verifying the configuration The whole process is as follows: Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation. Perform a hookflash at Telephone A to put the call with Telephone B on hold. Call Telephone C (3000) from Telephone A after hearing dial tones.
Page 589
Figure 593 Network diagram Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other. Complete basic voice call configurations: complete basic voice call configurations on Router A, Router B, and Router C. Configure hunt group: # Configure a number selection priority for Telephone A2 on Router A.
Page 590
Figure 594 Configuring number selection priority of Telephone A2 Select 4 from the Number Selection Priority list. Click Apply. # Configure hunt group on Router A. Select Voice Management > Local Number from the navigation tree, click the icon of local number 1000 of Telephone A1 in the local number list to access the call services configuration page.
Figure 595 Configuring hunt group Select Enable for Hunt Group. Click Apply. Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure is not included here. Verifying the configuration Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B is connected to Telephone A1.
Page 592
Figure 596 Network diagram (devices: Router A, Router B, Router C; Telephone A 1000, Telephone B 2000, Telephone C 3000; interfaces Eth1/0 and Eth1/1; addresses shown: 10.1.1.1/24, 10.1.1.2/24, 20.1.1.1/24, 20.1.1.2/24) Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other.
Figure 598 Configuring call hold Select Enable for Call Hold. Select Enable for Three-Party Conference. Click Apply. Verifying the configuration Now Telephone B, as the conference initiator, can establish a three-party conference with participants Telephone A and Telephone C. If you also enable three-party conference on the FXS lines of Telephone A and Telephone C on Router A and Router C, then during the conference, a new call can be initiated from Telephone A or Telephone C to invite another passive participant.
Page 594
Figure 599 Network diagram Configure the VCX Open the Web interface of the VCX and select Central Management Console. Configure the information of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example. Figure 600 Telephone configuration page # Configure the silent-monitor authority Click Features of number 1000 to access the feature configuration page, and then click Edit Feature of the Silent Monitor and Barge In feature to access the page as shown in...
Page 595
Figure 601 Silent monitor and barge in feature configuration page (1) Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000. After this configuration, the page as shown in Figure 602 appears. Figure 602 Silent monitor and barge in feature configuration page (2) After the previous configuration, Telephone C with the number 3000 can monitor and barge in the conversations of Telephone A with the number 1000.
Page 596
Figure 603 Enabling the feature service and the silent monitor and barge in function Select Enable for Monitor and Barge In. Select Enable for Feature Service. Click Apply. Configure Router B # Configure a local number and call routes.
Page 597
Configure a local number: specify the local number ID as 2000 and the number as 2000, and bind the number to line line 1/0 on the local number configuration page. Configure the call route to Router A: specify the call route ID as 1000, the destination number as 1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
Page 598
Select RFC2833 for DTMF Transmission Mode. Click Apply. # Enable the feature service. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 3000 to access the call services page as shown in Figure 605.
Advanced settings This section provides information on configuring various advanced settings. Introduction to advanced settings Coding parameters The configuration of coding parameters includes specifying codec priorities and packet assembly intervals. The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32, g726r40, g729a, g729br8, and g729r8.
Page 600
Table 217 G.711 algorithm (A-law and μ-law)
Columns: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms 96 kbps 100.8 kbps 10 ms
20 ms 80 kbps 82.4 kbps...
Page 601
Columns: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
30 ms 26.7 kbps 28.3 kbps 30 ms
40 ms 24 kbps 22.1 kbps 40 ms
50 ms 22.4 kbps 23.4 kbps...
Page 602
Table 223 G.726 r40 algorithm
Columns: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms 72 kbps 76.8 kbps 10 ms
20 ms 56 kbps 58.4 kbps 20 ms...
NOTE:
• The packet assembly interval is the duration to encapsulate information into a voice packet.
• Bytes coded in a time unit = packet assembly interval × media stream bandwidth.
• Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data.
...
Page 604
Figure 606 Configuring coding parameters of the local number Table 226 Configuration items Item Description Specify a codec Specify the codecs and their priority levels. The available Codec with the First Priority with the first codes are: priority. • g711alaw—G.711 A-law codec (defining the pulse code modulation technology), requiring a bandwidth of 64 Specify a codec Codec with the Second...
Item Description Packet Assembly Interval of Specify the packet assembly interval for g726r16 codec. G726r16 Packet Assembly Interval of Specify the packet assembly interval for g726r24 codec. G726r24 Packet Assembly Interval of Specify the packet assembly interval for g726r32 codec. G726r32 Packet Assembly Interval of Specify the packet assembly interval for g726r40 codec.
Item Description Send a Truncated Send a truncated called number. Called Number Send All Digits of Called Number Send all digits of a called number. a Called Number Sending Mode Send a certain number of digits (that are extracted from the end of a Send Certain number) of a called number.
Figure 608 Configuring coding parameters of the call route For coding parameters configuration items of the call route, see Table 227. Configuring other parameters for a call route Select Voice Management > Call Route from the navigation tree, and then click the icon of the call route to be configured to access the advanced settings configuration page.
Advanced settings configuration example Configuring out-of-band DTMF transmission mode for SIP Network requirements Two routers work as SIP UAs. After establishing a call connection, the calling and called parties adopt DTMF SIP out-of-band transmission to make the transmission of DTMF digits more reliable. Figure 610 Network diagram Configuration procedure Configure voice basic calling settings.
Page 609
Select Out-of-band Transmission for DTMF Transmission Mode. Click Apply. Figure 612 Configure out-of-band DTMF transmission mode Verifying the configuration After a call connection is established, if one side presses the telephone keys, the DTMF digits are transmitted to the other side using out of band signaling, and the other side hears short DTMF tones from the handset.
SIP-to-SIP connections Configuring media parameters for SIP-to-SIP connections Select Voice Management > Call Route from the navigation tree. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 613 Configuring media parameters Configure media parameters for SIP-to-SIP connections as described in Table 229.
Item Description In the scenario where the SIP trunk device controls the results of media capability negotiation, if the SIP trunk device cannot find a common codec for two parties during negotiation, the two parties fail to establish a call. In this case, you can select the Enable option to enable codec transcoding on the SIP trunk device.
Page 612
Figure 614 Configuring signal process Configure signaling parameters for SIP-to-SIP connections as described in Table 230. Table 230 Configuration items Item Description • Remote process—The SIP trunk device transparently transfers the SIP messages carrying call forwarding information to the endpoints, and the endpoints perform the call forwarding. Call-forwarding Signal •...
Configuring dial plans More requirements on dial plans arise with the wide application of VoIP. A desired dial plan should be flexible, reasonable, and operable. Also it should be able to help a voice gateway to manage numbers in a unified way, making number management more convenient and reasonable. The dial plan process on the calling side differs from that on the called side.
On the called side Figure 616 shows the dial plan operation process on the called side. Figure 616 Flow chart for dial plan operation process on the called side After receiving a voice call (the called number), the voice gateway on the called side performs global calling/called number substitution.
Page 615
Meta-character Meaning
# and *: Each indicates a valid digit.
. (dot): Wildcard, which can match any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional characters.
- (hyphen): Connecting element, used to connect two numbers (the smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive.
Dial plan functions Number match Dial terminator In areas where variable-length numbers are used, you can specify a character as the dial terminator so that the voice gateway can dial out the number before the dialing interval expires. The dial terminator identifies the end of a dialing process, and a call connection is established based on the received digits when the dial terminator is received.
Entity type selection priority rules You can configure the priorities for different types of entities. When multiple local numbers or call routes are qualified for a call connection, the system selects a suitable local number or call route whose entity type has the highest priority.
• Global number substitution—The voice gateway substitutes calling and called numbers of all incoming and outgoing calls according to the number substitution rules configured in dial program view. Multiple number substitution rule lists can be bound for global calling and called number substitution of incoming and outgoing calls.
Item Description • Longest Number Match—Matches the longest number. • Shortest Number Match—Matches the shortest number. Number Match Mode By default, the shortest-number match mode is adopted. • Specify service first. Number Match Policy • Specify number first. Select Based on Voice Entity Type Select the Enable option, the sequence of the voice entities in the Selection Sequence box determines the match order, and you can click the Up and Down buttons to move a voice entity.
Page 620
Figure 618 Number group page Click Add. The number group configuration page appears. Figure 619 Number group configuration page Configure the number group as described in Table 232. Click Apply. Table 233 Configuration items Item Description Group ID Specify the ID of the number group. Description Specify the description of the number group.
Page 621
Figure 620 Local number binding page Configure local number binding as described in Table 234. Click the box in front of the ID column, and click Apply. Table 234 Configuration items Item Description • Permit the calls from the number group. Binding Mode •...
Page 622
Figure 621 Max-call-connection set page Click Add to access the Max-Call-Connection Set Configuration page as shown in Figure 622. Figure 622 Max-call-connection set configuration page Table 235 Configuration items Item Description Connection Set ID Specify the ID of the max-call-connection set. Max Number of Call Specify the maximum number of call connections in the max-call-connection set.
The configuration of IVR number binding is similar to that of local number binding. Therefore, it is not included here. Configuring number substitution When you configure number substitution, you need to first add a number substitution list, and then bind a number substitution list to global, local numbers, call routes, or lines.
Page 624
Table 236 Configuration items Item Description Number Substitution Rule Specify the ID of the number substitution rule list. List ID • End-Only—Reserve the digits to which all ending dots (.) in the input number correspond. • Left-to-Right—Reserve from left to right the digits to which the dots in the input number correspond.
Bind a number substitution list to global, local numbers, call routes, or lines: Click Not Bound in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column to access the corresponding binding page. The configurations of these bindings are similar to that of local number binding in call control. Therefore, it is not included here.
Page 626
Longest number match Configure Router A: select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page, as shown in Figure 627. Figure 627 Number match mode configuration page Select Longest Number Match for Number Match Mode. Click Apply.
After you dial 20001234# at Telephone A, the number immediately matches call route 2000 and Telephone B is alerted. Configuring the match order of number selection rules Network requirements As shown in Figure 629, configure different number selection rule match orders for calls from Telephone A to Telephone B.
Page 628
Add a call route: Specify the call route ID as 2001, the destination number as 2000123.$, and the destination address as 1.1.1.2 on the call route configuration page. Configure the call route: Select Voice Management > Call Route from the navigation tree to access the call route list page.
Page 629
Figure 632 Match order of number selection rules configuration page Select Exact Match from the First Rule in the Match Order list. Select Priority from the Second Rule in the Match Order list. Select Random Selection from the Third Rule in the Match Order list. Click Apply.
Select Random Selection from the Third Rule in the Match Order list. Click Apply. After you dial number 20001234 at Telephone A, the number matches call route 2002. Configuring the number selection rule as random selection Configure Router A: Select Voice Management > Dial Plan > Number Match from the navigation tree to access the page for configuring the match order of number selection rules.
Page 631
Find the digital link VE1 5/0 in the list, click its corresponding icon to access the E1 parameters configuration page. Figure 636 E1 parameters configuration page Select PRI Trunk Signaling for Working Mode. Select Internal for TDM Clock Source. (Internal is the default setting) Select the Network Side Mode for ISDN Working Mode.
Page 632
Configuring Router B Select Voice Management > Digital Link Management from the navigation tree to access the digital link list page. Find the digital link VE1 5/0 in the list, click its corresponding icon to access the E1 parameters configuration page. Figure 637 E1 parameters configuration page Select PRI Trunk Signaling for Working Mode.
Page 633
Figure 638 Entity type selection priority rule configuration page (1) • Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR. Click Apply.
Configuring call authority control Network requirements As shown in Figure 640, Router A, Router B, and Router C are located at place A, place B, and place C, respectively. They are all connected to the SIP server to allow subscribers to make SIP calls. When VoIP links fail for some reason, PSTN links that provide backup for VoIP links can be automatically brought up.
Page 635
Type 1100.. for Numbers in the Group. Click Add to add numbers into the group. Click Apply. Enter the number group configuration page again to add another number group: Type 2 for Group ID. Type 1200.. for Numbers in the Group. Click Add to add numbers into the group.
Page 636
Figure 643 Call route binding page (1) Select Permit the calls from the number group for Binding Mode. Select the box of call route 2100. Click Apply. # Bind a call route to the number group 2 to allow subscribers whose telephone numbers begin with 1200 to originate calls to both place B and place C.
Figure 645 Call route binding page (II) Select Permit the calls from the number group for Binding Mode. Select the checkboxes of call routes 2100 and 3100. Click Apply. Configuring Router B Add a call route: Specify the call route ID as 2100, the destination number as 2…, and the trunk route line as 1/0:15 on the call route configuration page.
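The permit bindings from this call authority control example, modelled in Python as an added example (not HP's code and not part of the guide), so the caller-to-route matrix can be checked before the bindings are entered in the Web interface. The class and function names, the sample calling numbers, the exact-length reading of the dot wildcard, and the rule that a call route with no bound number group accepts any caller are assumptions of this model.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# The guide's meta-character table lists 0-9, # and * as valid digits.
VALID_DIGIT = "[0-9#*]"


def template_matches(template: str, number: str) -> bool:
    """Match a calling number against a number-group template.

    Only literal digits and the dot wildcard (exactly one valid digit)
    are modelled; the whole number must match (assumption of this model).
    """
    pattern = ""
    for ch in template:
        if ch == ".":
            pattern += VALID_DIGIT
        elif ch in "0123456789#*":
            pattern += re.escape(ch)
        else:
            raise ValueError(f"unsupported character {ch!r} in {template!r}")
    return re.fullmatch(pattern, number) is not None


@dataclass
class CallRoute:
    route_id: int
    # IDs of number groups bound in "Permit the calls from the number group" mode
    permit_groups: List[int] = field(default_factory=list)


class CallAuthority:
    """Number groups and their permit bindings to call routes."""

    def __init__(self) -> None:
        self.groups: Dict[int, List[str]] = {}
        self.routes: Dict[int, CallRoute] = {}

    def add_group(self, group_id: int, templates: Iterable[str]) -> None:
        self.groups[group_id] = list(templates)

    def add_route(self, route_id: int) -> None:
        self.routes[route_id] = CallRoute(route_id)

    def bind_permit(self, group_id: int, route_ids: Iterable[int]) -> None:
        if group_id not in self.groups:
            raise KeyError(f"number group {group_id} is not defined")
        for route_id in route_ids:
            self.routes[route_id].permit_groups.append(group_id)

    def may_use(self, calling_number: str, route_id: int) -> bool:
        route = self.routes[route_id]
        if not route.permit_groups:
            # Assumption: a route with no bound group is open to every caller.
            return True
        return any(
            template_matches(template, calling_number)
            for group_id in route.permit_groups
            for template in self.groups[group_id]
        )

    def reachable_routes(self, calling_number: str) -> List[int]:
        """Call routes this calling number is allowed to use."""
        return sorted(r for r in self.routes if self.may_use(calling_number, r))

    def unrestricted_routes(self) -> List[int]:
        """Routes without any permit binding: the ones to review first."""
        return sorted(r.route_id for r in self.routes.values()
                      if not r.permit_groups)


def build_router_a() -> CallAuthority:
    """Router A as configured in the example above."""
    gw = CallAuthority()
    gw.add_group(1, ["1100.."])      # number group 1
    gw.add_group(2, ["1200.."])      # number group 2
    gw.add_route(2100)
    gw.add_route(3100)
    gw.bind_permit(1, [2100])        # group 1: call route 2100 only
    gw.bind_permit(2, [2100, 3100])  # group 2: call routes 2100 and 3100
    return gw


if __name__ == "__main__":
    gateway = build_router_a()
    # Constructed sample calling numbers, not taken from the guide.
    for caller in ("110001", "120001", "130001"):
        print(caller, "->", gateway.reachable_routes(caller))
    print("routes without a permit binding:", gateway.unrestricted_routes())
```
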
Page 638
at place A, and the caller ID displayed on the terminal at place A is 021 1234, that is, the area code of place B + telephone number of the financial department at place B. Figure 646 Network diagram Place B Place A Market Dept.
Page 639
Figure 647 Number substitution configuration page (1) Type 21101 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 647. Click Apply. # Add another number substitution rule list for calling numbers of outgoing calls. Select Voice Management >...
Page 640
Figure 648 Number substitution configuration page (2) Type 21102 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 648. Click Apply. # Enter the call route binding page of number substitution list 21101. Figure 649 Call routing binding page of number substitution list 21101 Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.
Page 641
Figure 650 Call routing binding page of number substitution list 21102 Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode. Select call route 10. Click Apply. Configuring Router A # Set the IP address of the Ethernet interface to 1.1.1.1. # Add a call route: specify the call route ID as 1010, the destination number as …., and the trunk route line as FXO line 1/0 on the call route configuration page.
Page 642
Figure 651 Number substitution configuration page (3) Type 101 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 651. Click Apply. # Add another number substitution rule list for calling numbers of incoming calls. Select Voice Management >...
Page 643
Figure 652 Number substitution configuration page (4) Type 102 for Number Substitution Rule List ID. Add three number substitution rules as shown in Figure 652. Click Apply. # Enter the global binding page of number substitution list 101. Figure 653 Global binding page of number substitution list 101 Select Incoming Calling for Incoming Binding Type.
Page 644
Figure 654 Global binding page of number substitution list 102 Select Incoming Called for Incoming Binding Type. Click Apply.
Call connection Introduction to SIP The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify, and terminate multimedia sessions such as IP phone calls, multimedia session and multimedia conferences. It is the core component in the multimedia data and control architecture of the IETF (RFC 3261).
Redirect server A redirect server sends a new connection address to a requesting client. For example, when it receives a request from a calling UA, the redirect server searches for the location information of the called UA and returns the location information to the UA. This location can be that of the called UA or another proxy server, to which the UA can initiate the session request again.
• Consistent communication method. Management becomes easier as the result of consistency in dialup mode and system access method used by branches, SOHOs, and traveling personnel. • Quick launch. The system can be updated quickly to accommodate new branches and personnel,...
Page 648
Figure 655 Message exchange for a UA to register with a Registrar Call setup SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy server. Figure 656 Network diagram In the previous figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP endpoints (UAs).
Page 649
Figure 657 Call setup procedures involving a proxy server This is a simplified scenario where only one proxy server is involved and no registrar is present. However, a complex scenario can involve multiple proxy servers and registrars. Call redirection When a SIP redirect server receives a session request, it sends back a response indicating the address of the called SIP endpoint instead of forwarding the request.
Figure 658 Call redirection procedure for UAs (participants: User agent, Redirect Server, User agent; messages shown: INVITE, 100 Trying, 302 Moved Temporarily, INVITE, 100 Trying, 200 OK) This is a common application. Fundamentally, a redirect server can respond with the address of a proxy server as well.
RTP/RTCP packets. For more information about the encryption engine, see Security Configuration Guide in HP MSR Router Series Configuration Guides (V5). SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about SIP trunk,...
TLS-SRTP combinations TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them separately or together. The following table shows four combinations of TLS and SRTP. Table 239 TLS-SRTP combinations SRTP Description Signaling packets are secured. Personal information is protected. Media packets are secured.
Configuring SIP connections This section describes how to configure SIP connections. Configuring connection properties Configuring registrar Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page as shown in Figure 659.
Page 654
Item Description • UDP—Apply the UDP transport layer protocol when the device registers to the main registrar. • TCP—Apply the TCP transport layer protocol when the device registers to the Main Registrar Transport main registrar. Layer Protocol • TLS—Apply the TLS transport layer protocol when the device registers to the main registrar.
Configuring proxy server Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the proxy server configuration page, as shown in Figure 660. Figure 660 Proxy server configuration page Table 241 Configuration items Item Description Select a server group from the list as the proxy server.
Page 656
Source IP address binding is supported on the Layer 3 Ethernet interface, GigabitEthernet interface, or dialer interface. For information about DHCP, see Layer 3—IP Services Configuration Guide in HP MSR Router Series Configuration Guides (V5). Configuring source address binding Select Voice Management >...
Table 243 Application of the source address binding settings in different states Settings made when… Result • For SIP media streams, the source IP address binding settings do not take effect until the next SIP call. The call is active •...
Table 244 Configuration items Item Description • UDP—Specify UDP as the transport layer protocol for incoming SIP calls and enables UDP listening port 5060. • TCP—Specify TCP as the transport layer protocol for incoming SIP calls and enables TCP listening port 5060. •...
Configuring caller identity and privacy Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the caller identity and privacy configuration page, as shown in Figure 664. Figure 664 Caller identity and privacy configuration page Table 246 Configuration items Item Description...
Configuring SIP session refresh Introduction to SIP session refresh In a high-volume traffic environment, if a BYE message gets lost for a session, the call proxy server will not know that the session has ended. Therefore, it still maintains the state information for the call, which wastes resources of the server.
Page 661
Figure 666 Compatibility configuration page Table 248 Configuration items Item Description The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices, you must configure the SIP compatibility options. • Enable—Configure the device to use the address (IP address or DNS domain name) in the To header field as the address in the From header field when Use the address in the To sending a SIP request.
Item Description UAC Product Version Specify the product version of the UAC. UAS Product Name Specify the product name of the UAS. UAS Product Version Specify the product version of the UAS. Configuring advanced settings Registration timers are available to SIP trunk accounts. For information about SIP trunk, see "Configuring SIP trunk."...
Table 250 Configuration items Item Description Address Specify the IP address or domain name of the proxy server. Port Specify the port number of the proxy server. Configuring registration parameters Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Advanced Settings tab to access the configuration page as shown in Figure 669.
Page 664
Item Description Registration Percentage To ensure the validity of registration information of a local number or an SIP trunk account on the registrar, the local number or SIP trunk account must re-register with the registrar at a specified time before the registration expiration interval is reached.
Item Description Fuzzy telephone number registration refers to the use of a wildcard (including the dot . and the character T), rather than a standard E.164 number in the match template of a POTS entity. After enabling fuzzy telephone number registration, the voice gateway (router) retains dots and substitutes asterisks (*) for Ts when sending REGISTER messages.
Table 252 Configuration items Item Description • UDP—Specify UDP as the transport layer protocol to be used during the subscription. • TCP—Specify TCP as the transport layer protocol to be used during the subscription. Transport Layer Protocol • TLS—Specify TLS as the transport layer protocol to be used during the subscription.
Table 253 Configuration items Item Description TCP Connection Set the aging time for TCP connections. If the idle time of an established TCP Aging Time connection reaches the specified aging time, the connection will be closed. TLS Connection Aging Set the aging time for TLS connections. If the idle time of an established TLS connection Time reaches the specified aging time, the connection will be closed.
Configuring SIP status code mappings Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the SIP Status Code Mapping tab to access the page as shown in Figure 673. Figure 673 SIP status code mapping configuration page You can select the values in the PSTN Release Cause Code fields.
Figure 674 Network diagram Configuration procedure Configure basic voice calls: configure a local number and the call route to Router B. Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind the number to line line 1/0 on the local number configuration page. Configure the call route to Router B: specify the call route ID as 2222, the destination number as 2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as 192.168.2.2 on the call route configuration page.
Figure 676 Configuring caller identity presentation restriction mode Select P-Asserted-Identity for Caller Identity Presentation Restriction Mode. Click Apply. Verifying the configuration After the above configuration, when you use telephone 1111 to call telephone 2222, the calling number 1111 will not be displayed on telephone 2222.
Verifying the configuration SIP calls use the SRTP protocol to encrypt and authenticate media flows, and call conversations are well protected. Configuring TCP to carry outgoing SIP calls Network requirements Two routers, Router A and Router B, work as SIP UAs. It is required that SIP calls between the two parties be carried over TCP.
Figure 681 Specifying listening transport layer protocol Select TCP for SIP Listening Transport Layer Protocol. Click Apply. Verifying the configuration SIP calls from telephone 1111 to telephone 2222 are carried over TCP. You can view information about TCP connections on the TCP Connection Information tab page by selecting Voice Management >...
Figure 683 Specifying transport layer protocol for outgoing calls Select TLS for Transport Layer Protocol for SIP Calls. Click Apply. # Specify TLS as the transport layer protocol for incoming SIP calls. Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the transport layer protocol configuration page as shown in Figure 684.
Managing SIP server groups A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured with up to five member servers. An index represents the priority of a member server in the SIP server group.
Click Add. The page for configuring a server group appears. Figure 686 Configuring real-time switching Configure real-time switching as described in Table 255. Table 255 Configuration items Item Description Enable or disable the real-time switching function. When the real-time switching function is enabled: •...
Table 256 Configuration items Item Description The keep-alive function is used to detect whether the SIP servers in a SIP server group are reachable. The SIP trunk device selects a server according to the detection result and the redundancy mode. If the keep-alive function is disabled, the SIP trunk device always uses the server with the highest priority in the SIP server group.
Item Description IPv4 Address Bound with the Media Stream If you select IPv4 Address Binding as the media stream binding mode, you must type the IPv4 address to be bound in this field. Interface Bound with the If you select Interface Binding as the media stream binding mode, you need to specify the interface to be bound from the list.
Click Add. The page for configuring a server group appears. Figure 689 Configuring server information management Configure server information management as described in Table 258. Click Apply. Table 258 Configuration items Item Description Server ID Set server ID. A SIP server group can be configured with up to five member servers. A server ID represents the priority of the server in the SIP server group.
Configuring SIP trunk As shown in Figure 690, on a typical telephone network, internal calls of the enterprise are made through the internal PBX, and external calls are placed over a PSTN trunk. Figure 690 Typical telephone network With the development of IP technology, many enterprises deploy SIP-based IP-PBX networks as shown in Figure 691.
Figure 692 All IP-based network Features SIP trunk has the following features: Only one secure and QoS guaranteed SIP trunk link is required between a SIP trunk device and the ITSP.
Figure 694 Configuring services Table 259 Configuration item Item Description Enable the SIP trunk function before you can use other SIP trunk functions. HP recommends not using a device enabled with the SIP trunk function as a SIP UA. • Enable.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and click Add. The following page appears. Figure 695 Configuring a SIP trunk account Table 260 Configuration items Item Description Account ID Enter a SIP trunk account ID. Select the SIP server group used by the SIP trunk account for registration.
Item Description Registration Function • Enable. • Disable. By default, the registration function of the SIP trunk account is disabled. To perform registration, you must provide the host username or associate the account with a SIP server group. Authentication Username Enter the authentication username for the SIP trunk account. Authentication Enter the authentication password for the SIP trunk account.
Figure 696 Configuring a call route Table 261 Configuration items Item Description Call Route ID Enter a call route ID. Destination Number Enter the called telephone number. Bound Account Select a SIP trunk account to be bound to the voice entity. Description Enter a description for the call route.
Item Description • Enable. Status • Disable. Configuring fax and modem parameters of the call route of a SIP trunk account Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the icon of the call route to be configured to access the call route fax and modem configuration page. The fax and modem parameters of the call route of a SIP trunk account are the same as those of a call route.
Item Description • Specify the prefix of a source host name as a call match rule. The specified source host name prefix is used to match against the source host names of calls. If the INVITE message received by the SIP trunk device carries the Remote-Party-ID header, the source host name is extracted from this header field.
Configuring media parameters for SIP-to-SIP connections Select Voice Management > Call Route from the navigation tree. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 698 Configuring media parameters Configure media parameters for SIP-to-SIP connections as described in Table 263.
Item Description Media Flow Mode Select the media flow mode: • Around—Enable the media packets to pass directly between two SIP endpoints, without the intervention of the SIP trunk device. The media packets flow around the SIP trunk device. • Relay—Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets.
Item Description Mid-call Signal • Remote process—If the session timer mechanism is initiated by the calling party, and the called party also supports this mechanism, you can select this option to enable the called party to process the session update information. Otherwise, the session timer mechanism only works between the calling party and the SIP trunk device.
Select Voice Management > Local Number from the navigation tree and click Add. Figure 701 Configuring a local number Enter 2000 for Number ID. Enter 2000 for Number. Select subscriber-line 8/0 from the Bound Line list. Click Apply. # Configure a call route. Select Voice Management >...
Enter 1.1.1.2 for Destination Address. Click Apply. Configuring the SIP trunk device # Enable the SIP trunk function. Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree. Figure 703 Configuring services Select Enable for SIP Trunk Function. Click Apply.
Enter 1 for Server Group ID. Enter 1 for Server ID. Enter 10.1.1.2 for Server Address. Click Add the Server. Click Apply. # Create SIP trunk account 1 with the host username 2000, and associate the account with SIP server group 1.
Figure 706 Configuring a call route for the SIP trunk account Enter 20000 for Call Route ID. Enter 1000 for Destination Number. Select account1 from the Bound Account list. Select Bind to Server Group for SIP Trunk Routing. Select server-group-1 from the Server Group list. Click Apply.
Enter 2000 for Destination Number. Select IP Routing for SIP Route Type. Enter 1.1.1.1 for Destination Address. Click Apply. Configuring Router B # Configure a local call number. Select Voice Management > Local Number from the navigation tree and click Add. Figure 708 Configuring a local number Enter 1000 for Number ID.
Enter 2000 for Destination Number. Select SIP for Call Route Type. Select Proxy Server for SIP Routing. Click Apply. # Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the Connection Properties tab.
Figure 711 Network diagram ITSP-A SIP server 10.1.1.3/24 Enterprise private network Public network 1.1.1.1/24 1.1.1.2/24 2.1.1.1/24 2.1.1.2/24 SIP trunk Router B 1000 2000 Router A SIP trunk device SIP server 10.1.1.2/24 Configuration procedure # Enable the SIP trunk function. (Details not shown.) # Create SIP server group 1.
Figure 712 Configuring server group Enter 1 for Server Group ID. Select Enable for Real-Time Switching. Select Options for Keep-Alive Mode. Enter 1 for Server ID. Enter 10.1.1.2 for Server Address. Click Add the Server. Enter 3 for Server ID. Enter 10.1.1.3 for Server Address.
Figure 713 Advanced settings Select Parking for Redundancy Mode. Click Apply. Other configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server." Verifying the configuration When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes over communications between the private network and the public network.
Figure 714 Network diagram Configuration procedure # Configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server." # Configure Router A2: Configure a local number 2001 and a call route to Router B. For the configuration procedure, see "Configuring Router A."...
Select IPv4 Address from the Match a Source Address list. Enter 1.1.1.1 for IPv4 Address. Click Apply. Verifying the configuration Private network users connected to Router A1 can call public network users, but private network users connected to Router A2 cannot call public network users. Public network users can call any private network user.
Managing data links This section provides information about data link management and configuration. Overview Introduction to E1 and T1 Plesiochronous digital hierarchy (PDH) includes two major communications systems: ITU-T E1 system and ANSI T1 system. The E1 system is dominant in Europe and some non-European countries. The T1 system is dominant in the USA, Canada, and Japan.
E1 and T1 interfaces E1 interface An E1 interface is logically divided into timeslots (TSs) with TS16 being a signaling channel. On E1 interfaces, you can create PRI groups or TS sets. You can use an E1 interface as an ISDN PRI or CE1 interface: As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling.
Features of E1 and T1 E1 and T1 are characterized by the following: • Signaling modes • Fax function • Protocols and standards Signaling modes E1/T1 interfaces support these types of signaling: • DSS1/QSIG user signaling, adopted on the D channel between ISDN user and network interface...
Generally, a BSV interface is used to connect an ISDN digital telephone. Also, it can be used as a trunk interface connecting to a PBX digital trunk. If it cooperates with an FXS or FXO interface, a BSV interface can realize flexible routing policies for voice calls. Configuring digital link management You can click the link of a digital link name to access the page displaying the link state.
Item Description • Internal—Set the internal crystal oscillator time division multiplexing (TDM) clock as the TDM clock source on the E1 interface. After that, the E1 interface obtains clock from the crystal oscillator on the main board. If it fails to do that, the interface obtains clock from the crystal oscillator on its E1 card.
Figure 718 E1 parameters configuration page (2) You are not allowed to configure the following parameters on an ISDN interface if there is still a call on it: • ISDN Overlap-Sending • Switch to ACTIVE State Without Receiving a Connect-Ack Message • Carry High Layer Compatibility Information...
Item Description ISDN Protocol Type Set the ISDN protocol to be run on an ISDN interface: DSS1, QSIG, or ETSI. By default, an ISDN interface runs DSS1. ISDN Working Mode Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
Item Description • Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message. • Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
Item Description • Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call. • Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
Table 268 Configuration items Item Description Physical Parameters Configuration Working Mode Configure the working mode of the T1 interface: • None—Remove the existing bundle. • PRI Trunk Signaling—Bundle timeslots on a T1 interface into a PRI group. By default, no PRI group is created. Bound Timeslot Specify the timeslots to be bundled.
Figure 720 T1 parameters configuration page (2) ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table describes the ISDN parameters configuration items. Configuring BSV line Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of the BSV line to be configured to access the BSV parameters configuration page.
Figure 721 BSV parameters configuration page Table 269 Configuration items Item Description ISDN Protocol Type Set the ISDN protocol to be run on an ISDN interface: DSS1, ANSI, NI, NTT, or ETSI. By default, an ISDN interface runs DSS1. ISDN Working Mode Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
Item Description Configure local ISDN B channel management. • Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch. • Common management—The device operates in local B channel management mode to select available B channels for calls. However, the ISDN switch still has a higher priority in B channel selection.
Item Description • Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message. • Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
Item Description • Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call. • Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
Item Description ISDN Call Reference Length Set the length of the call reference used when a call is placed on an ISDN interface. The call reference is equal to the sequence number that the protocol assigns to each call. It is 1 or 2 bytes in length and can be used cyclically. When the device receives a call from a remote device, it can automatically identify the length of the call reference.
Figure 723 Network diagram Configuration procedure Configure Router A: # Configure an ISDN PRI group. Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page. Figure 724 E1 parameters configuration page Select the PRI Trunk Signaling option.
# Configure an ISDN PRI group. Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page. Figure 725 E1 parameters configuration page Select the PRI Trunk Signaling option. For other options, use the default settings. Click Apply.
Managing lines This section provides information on managing and configuring various types of subscriber lines. FXS voice subscriber line A foreign exchange station (FXS) interface uses a standard RJ-11 connector and a telephone cable to directly connect with an ordinary telephone or a fax machine. An FXS interface accomplishes signaling exchange based on the level changes on the Tip/Ring line and provides ring, voltage, and dial tone.
Figure 726 Immediate start mode • Delay start—In this mode, the caller first picks up the phone to seize the trunk line, and the called...
One-to-one binding between FXS and FXO voice subscriber lines The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines improves the reliability of voice solutions. For industry-specific users, highly reliable communication over FXS voice subscriber lines is required. That is, dedicated FXO voice subscriber lines can be used for communication over PSTN when the IP network is unavailable.
Symptom Parameters adjusted Effect There are loud environment noises. Increase the maximum amplitude of comfortable noises. Too large amplitude might make noises uncomfortable. A user hears his or her voice when speaking. Enlarge the control factor of... Too high a control factor leads to audio...
Figure 730 FXS line configuration page Table 272 Configuration items Item Description Basic Configurations Description Specify the description of the FXS line. Max Interval for Dialing the Next Digit Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed.
Interface increase the voice input gain value. Output Gain on the Voice When a relatively small voice signal... Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do it with the...
Configuring an FXO voice subscriber line Select Voice Management > Line Management from the navigation tree, and then click the icon of the FXO line to be configured to access the FXO line configuration page, as shown in Figure 731. Figure 731 FXO line configuration page Table 273 Configuration items Item...
Item Description Max Interval for Dialing the Next Digit Specify the maximum interval for the user to dial the next digit. This timer restarts each time the user dials a digit and will work in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user will be prompted to hang up and the call is terminated.
Interface increase the input gain value. Output gain on the Voice When a relatively small voice signal power is needed on the output line,... Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do...
Item Description Comfortable Noise Function Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable. • Enable. • Disable. By default, the comfortable noise function is enabled. •...
Figure 732 E&M line configuration page Table 274 Configuration items Item Description Basic Configurations Description Description of the E&M line. Cable Type Select the E&M interface cable type: 4-wire or 2-wire. By default, the cable type is 4-wire. When you configure the cable type, make sure the cable type is the same as that of the peer device.
Item Description Signal Type Specify the signal type. Types 1, 2, 3, and 5 are the four signal types (that is, types I, II, III, and V) of the analog E&M subscriber line. When you configure the signal type, make sure the signal type is the same as that of the peer device.
Input Gain on the Voice Interface great extent, increase the voice input gain value. When a relatively small voice signal power is needed on the... Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary,...
Interface increase the input gain value. Output Gain on the Voice When a relatively small voice signal power is needed on the output line,... Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do...
Voice Interface Output Gain When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do it with the guidance of technical personnel. • Enable. •...
Voice Interface Output Gain When a relatively small voice signal power is needed on the output line, increase the voice output gain value. IMPORTANT: Gain adjustment might lead to call failures. HP recommends not adjusting the gain. If necessary, do it with the guidance of technical personnel. • Enable. •...
Line management configuration examples Configuring an FXO voice subscriber line Network requirements As shown in Figure 736, the FXO voice subscriber line connected to Router B operates in PLAR mode, and the default remote phone number is 010-1001. Dialing the number 0755-2003 on phone 0755-2001 connects to Router B.
Figure 737 Hotline number configuration page Enter 0101001 in the Hotline Numbers field. Click Apply. Verifying the configuration If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number 010-1001 at Router A. Configuring one-to-one binding between FXS and FXO Network requirements Router A and Router B are connected over an IP network and a PSTN.
Figure 738 Network diagram Configuration considerations • Configure one-to-one binding between FXS and FXO voice subscriber lines. • When the IP network is available, the VoIP entity is preferably used to make calls over the IP network. • When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO voice subscriber line over the PSTN.
Figure 739 Permitted call number group configuration page Enter 1 in the Group ID field. Enter 0101001 in the Numbers in the Group field and click Add. Click Apply. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 741 Hotline number configuration page Enter 0101001 in the Hotline Numbers field. Click Apply. # Configure the delay off-hook binding for the FXO line. Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO line 4/0 to access the FXO line configuration page. Figure 742 FXO line delay off-hook binding configuration page Select the Delay Off-hook option.
Figure 743 Entity type selection sequence configuration page Select Enable in the Select Based on Voice Entity Type area. Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR. Click Apply.
Type 1 in the Group ID field. Type 2101002 in the Numbers in the Group field and click Add. Click Apply. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1. Figure 745 211 Call route binding page Select the Permit the calls from the number group option.
Figure 747 FXO line delay off-hook binding configuration page Select the Delay Off-hook option. Select subscriber-line 3/0 from the Binding FXS Line list. Click Apply. # Configure the system to first select VoIP entity. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page.
Verifying the configuration In the case that the IP network is unavailable, calls can be made over PSTN.
Configuring SIP local survival IP phones have been deployed throughout the headquarters and branches of many enterprises and organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP phones at branches. The local survival feature enables the voice router at a branch to automatically detect the reachability of the headquarters voice server, and process calls originated by attached IP phones when the headquarters voice server is unreachable.
Configuring SIP local survival Service configuration Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the page as shown in Figure 750. Figure 750 Configuring service Table 278 Configuration items Item Description • Enable—Enable the local SIP server.
Item Description • Alone—The local SIP server in alone mode acts as a small voice server. • Alive—The local SIP server in alive mode supports the local survival feature. That is, when the communication with the remote server fails, the local SIP server accepts registrations and calls;...
Trusted nodes Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the page as shown in Figure 752. Figure 752 Configuring a trusted node Table 280 Configuration items Item Description Enter the IP address of the trusted node. A trusted node can directly originate calls without being authenticated by the local SIP server.
Figure 753 Configuring a call-out route Table 281 Configuration items Item Description Enter the ID of the call-out route. Destination Number Prefix Enter the destination number prefix and length. Suppose the destination number prefix is 4100, and the number length is 6. This configuration matches destination numbers that are 6 digits long and start with 4100.
You can configure up to eight call-in number prefixes. The local SIP server adopts longest match to deal with a called number. Call authority control Configure a call rule set Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the page as shown in Figure 755.
Figure 756 Applying the call rule set Table 283 Configuration items Item Description Rule Set ID Displays the call rule set ID. • Enable—Applies the call rule set to all registered users. Applied Globally • Disable—Specifies that the call rule set does not apply to any registered users. •...
Figure 757 Network diagram Configuring Router C # Configure the router to operate in the alone mode. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page. Figure 758 Configuring alone mode Select Enable for Server Running State.
Figure 759 Configuring a user Enter 1000 for User ID. Enter 1000 for Telephone Number. Enter 1000 for Authentication Username. Enter 1000 for Authentication Password. Click Apply. # Configure user 5000 in a similar way. Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the username is 1000, and the password is 1000.
Configuring local SIP server to operate in alive mode Network requirements Router A and Router B carry out call services through the remote voice server VCX. Configure the local SIP server on Router A to operate in alive mode, so that calls can be originated or received through Router A when the VCX fails.
Enter 3.1.1.1 for Remote Server IP Address. Click Apply. # Configure user 1000. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page. Figure 762 Configuring a user Enter 1000 for User ID.
Verifying the configuration • When the VCX fails, the local SIP server on Router A starts to accept registrations from phones, which then can call each other through Router A. Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that numbers 1000 and 5000 have been registered with the local SIP server on Router A.
Figure 764 Configuring alone mode Select Enable for Server Running State. Enter 2.1.1.2 in IP Address Bound to the Server. Select Alone for Server Operation Mode. Click Apply. # Configure user 1000. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page.
# Configure call rule set 0. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page. Figure 766 Configuring call rule set 0 Enter 0 for Rule Set ID. Add three rules as shown in Figure 766.
Figure 767 Applying call rule set 0 Select Enable for Applied Globally. Click Apply. # Configure call rule set 2. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page. Figure 768 Configuring call rule set 2 Enter 2 for Rule Set ID.
Add a rule as shown in Figure 768. Click Apply. # Apply call rule set 2. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 2 to access the following page. Figure 769 Applying call rule set 2 Click 5000 in Available register users, and then click <<...
Configure a local number in the local number configuration page: The ID is 5555, the number is 5555, the bound line is line2/1, the user name is 5555, and the password is 5555. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1…, the routing type is SIP, and the SIP routing method is proxy server.
Figure 771 Configuring alone mode Select Enable for Server Running State. Enter 2.1.1.2 in IP Address Bound to the Server. Select Alone for Server Operation Mode. Click Apply. # Configure Router A as a trusted node. Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the following page.
Figure 773 Configuring an area prefix Enter 8899 for Area Prefix. Click Add a Prefix. Click Apply. # Configure user 5000. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click Add to access the following page. Figure 774 Configuring user 5000 Enter 5000 for User ID.
Verifying the configuration
• Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that number 5000 has been registered with the local SIP server on Router C.
• Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes the area prefix 8899 from the called number, and alerts internal phone 5000.
Select Alone for Server Operation Mode. Click Apply. # Configure a call-out route. Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add to access the following page. Figure 777 Configuring a call-out route Enter 0 for ID.
Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the user name is 1000, and the password is 1000. Configure a call route to Router B in the call route configuration page: The ID is 55665000, the destination number is 55665000, the routing type is SIP, and the routing method is proxy server.
Configuring IVR
Overview
Interactive voice response (IVR) is used in voice communications. You can use the IVR system to customize interactive operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice telling the subscriber what to do. For example, it might tell the subscriber to dial a number.
Successive jumping
The IVR process can jump successively from node to node at most eight times.
Error processing methods
The IVR system provides three error processing methods: terminate the call, jump to a specified node, and return to the previous node. You can select an error processing method for a call node, a jump node, or globally to handle errors.
You can click to save the media resource file to a specified directory. Click Add. The following page appears.
Figure 780 Configuring media resource
Table 284 Configuration items
Item | Description
Media Resource ID | Set a media resource ID.
Rename Media Resource | Type a name for the media resource file.
Figure 782 Modifying a media resource
Table 285 Configuration item
Item | Description
Media resource ID | Set a media resource ID.
Configuring the global key policy
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and click the Global Key Policy tab.
Table 286 Configuration items
Item | Description
Input Error Processing Method
Max Count of Input Errors | Enter the maximum number of input errors.
Play Voice Prompts for Input Errors | • Enable. • Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management >...
Figure 784 Configuring a call node
Table 287 Configuration items
Item | Description
Node ID | Enter a node ID.
Description | Enter a description for the node.
Item | Description
Play Voice Prompts | • Enable. • Disable. Disabled by default. The following options are available for playing voice prompts: • Mandatory play—Only after the voice prompts end can the subscriber press keys effectively. • Voice prompts—Select a voice prompt file. Voice prompt files can be configured in Voice Management >...
Item | Description
Secondary-Call
Number Match Mode | • Match the terminator of the numbers. • Match the length of the numbers. • Match the local number and route. At least one of the number match mode and the extension secondary call must be configured.
Table 288 Configuration items
Item | Description
Node ID | Enter a node ID.
Description | Enter a description for the node.
See Table 287 for descriptions of other items.
Key mapping | Map actions with keys. Actions include: • Terminate the call. • Jump to a specified node. If this option is selected, you need to select the target node from the Specify a node list.
Table 289 Configuration items
Item | Description
Node ID | Enter a node ID.
Description | Enter a description for the node.
• Terminate the call. • Jump to a specified node. If this operation is selected, you must select a node from the Specify A Node list. •...
Item | Description
Number | Enter the access number.
Bind to Menu | Bind a node in the list to the access number. You can configure the nodes in Voice Management > IVR Services > Advanced Settings.
Description | Enter a description for the access number.
•...
IVR configuration examples
Configure a secondary call on a call node (match the terminator of numbers)
Network requirements
As shown in Figure 789, configure an IVR access number and call node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio...
Figure 790 Uploading a media resource file Enter 10001 for Media Resource ID. Enter welcome for Rename Media Resource. Click the Browse button of g729r8 codec to select the target file. Click Apply. Use the same method to upload other g729r8 media resource files timeout, input_error, and bye. # Configure global error and timeout processing methods to achieve the following purposes: If no number is dialed at Telephone A within the timeout time, Router B plays audio file timeout.wav.
Figure 791 Configuring the global key policy Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list. Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout;...
Figure 792 Configuring a call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Match the terminator of the numbers from the Number Match Mode list; type # for Terminator.
Figure 793 Configuring an access number
Type 30000 for Number ID. Type 300 for Number. Select play-welcome from the Bind to Menu list. Click Apply.
Verifying the configuration
Dial the number 300 at Telephone A. The call node plays audio file welcome.wav. Dial 50# at Telephone A. Telephone B1 rings.
Figure 794 Network diagram (Router A and Router B connected through their Eth1/1 interfaces, 1.1.1.1/24 and 1.1.1.2/24; Telephone A, Telephone B1, and Telephone B2)
Configuration procedure
Configure Router A: See Configuring Router
Configure Router B:
# Configure the call node. Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Call Node tab, and click Add to access the following page.
Figure 795 Configuring the call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Match the length of the numbers from the Number Match Mode list; type 3 for Length of Numbers.
Configure a secondary call on a call node (match a number)
Network requirements
As shown in Figure 796, configure an IVR access number and call node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio...
Figure 797 Configuring a call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Match the local number and route from the Number Match Mode list. Click Apply.
Configure an extension secondary call on a call node
Network requirements
As shown in Figure 798, configure an IVR access number and call node functions on Router B to meet the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio...
Figure 799 Configuring a call node Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select 0 for Extension Number. Select 500 for Corresponding Number. Click Apply. For other settings, see Configuring Router...
Verifying the configuration
Dial 300 at Telephone A. Router B plays the audio file welcome.wav. Dial 0. Telephone B rings.
Configure a jump node
Network requirements
As shown in Figure 800, configure an IVR access number and jump node functions on Router B to meet the following requirements.
Type 10 for Node ID. Type play-welcome for Description. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. Select Terminate the call for Key#. Click Apply. For other settings, see Configuring Router
Verifying the configuration
Dial 300 at Telephone A. Router B plays the audio file welcome.wav.
Figure 803 Configuring a service node Type 10 for Node ID. Type play-welcome for Description. Add two operations as shown in Figure 803. Click Apply. # Configure an access number. Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
Type 30000 for Number ID. Type 300 for Number. Select call500 from the Bind to Menu list. Click Apply. For other settings, see Configuring Router
Verifying the configuration
Dial 300 at Telephone A. Telephone B rings.
Configure a secondary call on a service node
Network requirements
As shown in Figure...
Figure 806 Configuring a service node Type 10 for Node ID. Type reject-call for Description. Add two operations as shown in Figure 806. Click Apply. # Configure an access number. Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
Figure 807 Configuring an access number
Type 30000 for Number ID. Type 300 for Number. Select reject-call from the Bind to Menu list. Click Apply. For other settings, see Configuring Router
Verifying the configuration
Dial number 300 at Telephone A. Router B plays the audio file bye.wav, and then terminates the call.
Configure a call node, jump node, and service node
Network requirements
As shown in...
Figure 808 Network diagram Configuration procedure Configure Router A: See Configuring Router Configure Router B: # Configure a local number in the local number configuration page. The number ID is 500, the number is 500, and the bound line is line 1/0. # Upload a g729r8 media resource file.
Figure 810 Configuring the global key policy Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list. Enter 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout;...
Figure 811 Configuring a call node Enter 10 for Node ID. Enter play-call for Description. Select Enable for Play Voice Prompts, select Enable for Mandatory Play, and select call from the Voice Prompts list. Enter 1 for Extension Number, enter 500 for Corresponding Number, and click Add a Rule. Click Apply.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Service Node tab, and click Add to access the following page. Figure 812 Configuring a service node Enter 20 for Node ID. Enter reject-call for Description. Add two operations as shown in Figure 812.
Figure 813 Configuring a jump node Enter 10 for Node ID. Enter play-welcome for Description. Select Enable for both Play Voice Prompts and Mandatory Play. Select welcome from the Voice Prompts list.
Select Jump to a specified node from the Key* list, and reject-all from its Specify a node list. Select Jump to a specified node from the Key# list, and play-all from its Specify a node list. Click Apply. # Configure an access number. Select Voice Management >...
jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and secondary call. Configure a Jump menu Select Jump from the Menu Type list to access the following page. Figure 815 Configuring a jump menu Table 291 Configuration items Item Description...
Item | Description
Input Error Processing Method | Select one of the following methods: • Terminate the call. • Jump. • Return to the previous menu. By default, no method is set.
Specify A Menu | Specify the target menu. This setting is available when the Input Error Processing Method is Jump to a menu.
Select an audio file.
Item | Description
Menu Name | Enter a menu name.
Menu Type | Select Terminate the call. By default, Jump is selected.
Play Voice Prompts When the User Enters the Menu | Select an audio file. No audio file is selected by default.
Configure a menu of type Enter the next menu
Select Enter the next menu from the Menu Type list to access the following page.
Figure 818 Returning to the previous menu
Table 294 Configuration items
Item | Description
Menu Node ID | Enter a menu ID.
Menu Name | Enter a menu name.
Menu Type | Select Return to the previous menu. By default, Jump is selected.
Play Voice Prompts When the User Enters the Menu | Select an audio file. No audio file is selected by default.
Item | Description
Play Voice Prompts When the User Enters the Menu | Select an audio file. No audio file is selected by default.
Call immediately | Enter the target number.
Configure a Secondary-call menu
Select Secondary-call from the Menu Type list to access the following page.
Figure 820 Secondary-call menu
Table 296 Configuration items
Item...
Item | Description
Input Error Processing Method | Select one of the following methods: • Terminate the call. • Jump to a menu. • Return to the previous menu. By default, the menu uses the input error processing method configured in the global key policy.
Figure 821 Binding an access number Select the box of the target access number, and click Apply. Customize IVR services Enter the Customize IVR Services interface Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click the icon of the target menu to access the Customize IVR Services page.
Figure 823 Adding a submenu
You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, or secondary-call. For information about the menu configuration, see "Create a menu."
If the user dials 2, the system jumps to the government product sales department menu. If the user dials #, the system terminates the call. Marketing and sales department menu This menu plays the audio file Welcome1.wav. Then, the following events occur: If the user dials 0, the system dials the number 500 to call the attendant.
Figure 824 Configuring media resource Enter 1000 for Media Resource ID. Enter Hello for Rename Media Resource. Click the Browse button of g729r8 codec to select the target file. Click Apply. Use the same method to upload other g729r8 media resource files. You can see these uploaded files in Voice Management >...
Figure 826 Configuring an access number Enter 300 for Number ID. Enter 300 for Number. Enter Voice Menu Access Number for Description. Click Apply. # Create a menu. Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click Add to create a menu.
Figure 828 Binding the access number Select the box of the access number 300, and click Apply. Configure the voice menu system: # Enter the Customize IVR Services page. Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree to access the page shown in Figure 829.
Select the voice menu system of Company A from the navigation tree to access the following page. Figure 831 Voice menu system of Company A Select Add A New Node from the Jump to submenu list of key 0. Click OK on the popup dialog box to access the following page. Figure 832 Creating a submenu for the marketing and sales department Enter 2 for Menu Node ID.
Figure 833 Adding a submenu for the telecom product sales department Figure 834 Adding a submenu for the government product sales department Return to the Customize IVR Service page. Figure 835 Voice menu system of Company A Select Terminate the call from the Operation list of key #. Click Apply.
Figure 836 Marketing and sales department submenu Select Jump from the Operation list, and Add A New Node from the Jump to submenu list for key 0. Click OK on the popup dialog box to access the following page. Figure 837 Adding a submenu Enter 8 for Menu Node ID.
Figure 838 Marketing and sales department submenu
Select Return to the previous node from the Operation list of key *. Click Apply. After the configuration, the marketing and sales department submenu is as shown in Figure 838.
Configure the telecom product sales department submenu: Select Telecom Product Sales Dept from the navigation tree.
Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of key 1. Click OK on the popup dialog box to access the following page. Figure 840 Adding a submenu Enter 9 for Menu Node ID. Enter Introduction to Product A for Menu Description.
Select Government Product Sales Dept from the navigation tree. Configure the submenu as shown in Figure 842. The configuration procedure is identical to that of the telecom product sales department submenu.
Figure 842 Government product sales department submenu
After all the configuration is complete, the Customize IVR Services page is as shown in Figure 842.
Advanced configuration This section provides global configuration and batch configuration. Global configuration Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to access the global configuration page, as shown in Figure 843. Figure 843 Global configuration page Table 297 Configuration items Item Description...
Item | Description
Backup Rule | Specify the backup rule: • Strict—One of the following three conditions will trigger strict call backup: The device does not receive any reply from the peer after sending out a call request. The device fails to initiate a call to the IP network side. The device fails to register on the voice server.
Figure 844 VRF-aware SIP
Batch configuration
Local number
Creating numbers in batch
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the Create Numbers in Batch link in the Local Number area to access the page for creating numbers in batch, as shown in Figure 845.
Table 298 Configuration items
Item | Description
Start Number | Specify the start number, and then a series of consecutive numbers starting with the start number will be bound to the selected voice subscriber lines. For example, if you specify the start number as 3000 and select line 3/0 and line 3/1, then line 3/0 is bound to number 3000, and line 3/1 is bound to number 3001.
Table 299 Configuration items Item Description Configure the protocol used for fax communication with other devices. • T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly. • Standard T.38—Use the standard T38 protocol of H.323 or SIP. The fax negotiation mode depends on the protocol used (H323 or SIP).
Item | Description
NET Payload Type Field | Configure the value of NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list.
Table 300 Configuration items
Item | Description
Call Forwarding | Configure call forwarding: • Enable. • Disable. By default, call forwarding is disabled. After you enable call forwarding, enter the corresponding forwarded-to number: • The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number.
Item | Description
Call Waiting | Configure call waiting: • Enable. • Disable. By default, call waiting is disabled. After call waiting is enabled, configure the following parameters as needed: • Number of Call Waiting Tone Play Times. • Number of Tones Played at One Time. •...
Figure 848 Local number advanced settings page
Table 301 Configuration items
Item | Description
Codecs and Priorities | Codec with the First Priority. Codec with the Second Priority. Codec with the Third Priority. Codec with the Lowest Priority.
Specify DTMF transmission mode: •...
Item | Description
Dial Prefix | Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out. • Enable. • Disable—Remove the configured dial prefix. If you enable the function, you must enter the dial prefix.
Configure VAD.
Table 302 Configuration items Item Description Specify the protocol used for fax communication with other devices. • T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly. • Standard T.38— Use the standard T38 protocol of H323 or SIP. The fax negotiation mode depends on the protocol used (H323 or SIP).
Item | Description
NET Payload Type Field | Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list.
Item | Description
Route Selection Priority | Set the priority of the call route. The smaller the value, the higher the priority.
The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection.
Table 304 Configuration items
Item | Description
Max Interval for Dialing the Next | Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed.
Figure 852 FXO line configuration page
Table 305 Configuration items
Item | Description
Max Interval for Dialing the Next | Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way until all the digits of the number are dialed.
Item | Description
Select the Line(s) | Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXO lines.
E&M line configuration
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the E&M Line Configuration link in the Line Management area to access the E&M line configuration page, as shown in Figure...
Figure 854 ISDN line configuration page
Table 307 Configuration items
Item | Description
Input Gain on the Voice Interface | When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain.
Output Gain on the... | When a relatively small voice signal...
IMPORTANT: Gain adjustment might lead to call failures. You are not recommended to adjust the...
Table 308 Configuration items
Item | Description
Start Number | Specify the telephone number of the first user to be registered.
Register User Quantity | Specify the number of users to be...
For example, if you specify the start number as 2000 and set the register user quantity to 5, the device automatically generates five registered users with telephone numbers from...
States and statistics
This section provides information on displaying various states and statistics.
Line states
Use this page to view information about all voice subscriber lines. Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State Information page appears.
Field | Description
Subscriber Line Status | • Physical Down—Voice subscriber line is physically down, possibly because no physical link is present or the link has failed. • UP—Voice subscriber line is administratively down. • Shutdown—Voice subscriber line is up both administratively and physically.
Displaying detailed information about analog voice subscriber lines
For analog voice subscriber lines FXS, FXO, paging, MoH, and E&M, click the Details link to view...
Figure 858 ISDN line details
Click a timeslot (TS) link to view the details about the TS.
Figure 859 Timeslot details
Call statistics
The following pages display call statistics.
• Active Call Summary page—Displays statistics about ongoing calls.
• History Call Summary page—Displays statistics about ended calls.
...
Displaying active call summary
Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call Summary page appears.
Figure 860 Active call summary page
Table 310 Field description
Field | Description
Type | Call type. Only Speech and Fax are supported.
Call status: •...
SIP UA states
The following pages show SIP UA states:
• TCP Connection Information page—Displays information about all TCP-based call connections.
• TLS Connection Information page—Displays information about all TLS-based call connections.
• Number Register Status page—Displays number register information when you use SIP servers to...
Figure 863 TLS connection information
For information items, see Table 31 Connection status
Displaying number register status
Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Register Status tab.
Figure 864 Number register status
Table 312 Field description
Field | Description...
Displaying number subscription status
Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Subscription Status tab.
Figure 865 Number subscription status
Table 313 Field description
Field | Description
Number | Phone number.
Subscription Server | MWI server address, in the format of IP address plus port number or domain name...
Table 314 Field description
Field | Description
Server Operation Mode | Server operation mode: • Alone. • Alive.
Server Status | Server running state: • Enabled. • Disabled.
User ID | User ID.
Phone Number | Registered phone number.
State | State of the registered user: • Online—User is online...
Displaying dynamic contact states Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree. The page for displaying dynamic contact states appears. Figure 868 Dynamic contact states Table 316 Field description Field Description Telephone number, which could be one of the following types: •...
Figure 869 Server group information
This page shows the configuration information of group servers. For information about how to configure group servers, see "Managing SIP server groups."
IVR information
The following pages show IVR information:
• IVR Call States page—Display information about ongoing IVR calls.
...
Displaying IVR play states Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Play States page appears. Figure 871 IVR play states Table 318 Field description Field Description Play Count Play times of the media file. •...
About the HP MSR series Web-based Configuration Guide
The HP MSR series web-based configuration guide describes the software features on the web for the HP MSR Series Routers, and guides you through the software configuration procedures. These configuration guides apply to the following models of the HP MSR series routers: Model •...
Related information Documents To find related documents, browse to the Manuals page of the HP Business Support Center website: http://www.hp.com/support/manuals For related documentation, navigate to the Networking section, and select a networking category. •...
Conventions This section describes the conventions used in this documentation set. Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter literally as shown. Italic Italic text represents arguments that you replace with actual values. Square brackets enclose syntax choices (keywords or arguments) that are optional. Braces enclose a set of required syntax choices separated by vertical bars, from which { x | y | ...
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Page 866
configuration, 709, help information one-to-one binding, about SSL VPN (Web), FXS voice HTTP subscriber line, managing services (Web), FXS voice subscriber line HTTPS configuration, managing services (Web), one-to-one binding, hunt group configuring, hunt group feature, G.71 1 codec pass-through fax, gateway ICMP configuring authentication policies,...
Page 867
BSV interface, creating a GRE tunnel, GRE/IPv4 configuration, intrusion detection GRE/IPv4 tunnel configuration, configuration, static route creation, protection against flood attack, static routing configuration, protection against scanning attack, WLAN QoS configuration, protection against single-packet attack, IPv6 IP address WLAN QoS configuration, login control, 334, ISDN WiNet configuration, 507, 514,...
Page 868
service node configuration, 759, VPDN, successive jumping, VPN user configuration, timeout processing method, L2TP for VPN uploading media resource files, enabling, IVR advantage L3VPN call node, VRF-aware SIP, codecs, customizable process, user group configuration, customizable voice prompt, LAN information error processing method, displaying, extension secondary call, flexible node configuration,...
Page 869
load sharing manual user-based load sharing configuration (Web), adding blacklist entry, loading mapping application, MSTP VLAN-to-instance mapping table, local call master port (MST), authentication, max age timer (STP), local number configuration, WLAN RRM data transmit rates (802.1 1n number substitution, MCS), 1 12 logging...
Page 870
Modulation and Coding Scheme, 12, See also Use IP services DNS configuration, IP services DNS proxy configuration, IP services DNS proxy enabling, MoH line configuration, configuring NAT connection limit, monitoring external network, displaying IPsec VPN monitoring internal network, information, private address, public address, CIST, network...
Page 876
setting time zone (Web), Public Key Infrastructure. Use setting traffic ordering interval, setting WiNet topology background image, setting WLAN wireless QoS WMM AP radio EDCA parameters, ACL, setting WLAN wireless QoS WMM CAC adding IPv4 ACL, admission policy, advanced limit, 235, 235, 237, setting WLAN wireless QoS WMM client EDCA advanced queue, 235, parameters,...
Page 877
scheme common parameters configuration pass-through modem, (Web), removing scheme configuration (Web), IP services ARP entry, scheme server configuration (Web), request Web configuration, 322, SIP client, WiNet-based RADIUS authentication requesting configuration, local certificate, rate PKI certificate from RSA Keon CA server, WLAN RRM data transmit rates, 1 1 1 PKI certificate from Windows 2003 CA...
Page 878
static routing configuration (IPv4), security router accessing SSL VPN resources (Web), ACL, WAN interface configuration, adding blacklist entry, routing adding IPv4 ACL, ACL, ARP automatic scanning, 346, IP services DDNS configuration, 197, blacklist, IP services DNS configuration, changing SSL VPN login password (Web), IP services DNS proxy configuration, configuring access control, 152, IP services DNS proxy enabling,...
Page 879
performing basic configurations for SSL VPN WLAN access service creation, domain (Web), 41 1 WLAN access service security parameter PKI configuration, dependencies, PKI configuration guidelines, WLAN access service-based VLAN protection against flood attack (intrusion configuration, detection), WLAN access wireless service detailed protection against scanning attack (intrusion information, detection),...
Page 880
signaling registrar, security, configuring SIP security, service configuration, silent monitor SIP connection configuration, 636, 651, configuring, SIP server group management, silent monitor service, support for extension, SIM/UIM card support for transport layer protocol, PIN management, trunk, trunk configuration, Simple Network Management Protocol. Use SNMP trusted node configuration, advanced configuration,...
Page 881
configuring fax and modem parameters for call source address (configuring binding), route, source IP configuring media parameters for SIP-to-SIP subnet limit (QoS), 235, connection, source-route bridging, configuring signaling parameters for SIP-to-SIP source-route translational bridging, connection, specifying configuring SIP server group, DNS server, configuring SIP server group with multiple traffic ordering mode,...
Page 882
static ARP configuration, WLAN wireless QoS WMM service set, 119 WLAN wireless QoS WMM rate limiting switching configuration (static), to management level (Web), static routing synchronizing configuration (IPv4), user group configuration for wan interface, configuration guideline, syslog route creation (IPv4), configuration (Web), statistics display (Web),...
Page 883
setting super password (Web), setting WiNet topology background image, setting system time (Web), STP TCN BPDU protocol packets, setting time zone (Web), TR-069 switching to management level (Web), auto connection between ACS and CPE, upgrading software (Web), 474, auto-configuration, upgrading software (Web) basic functions, (MSR20/30/50), configuration (Web),...
Page 884
creating a GRE tunnel, creating user (Web), IP services GRE configuration, setting super password (Web), IP services GRE/IPv4 configuration, switching to management level (Web), IP services GRE/IPv4 tunnel configuration, IPsec VPN configuration, 350, VCX support for SIP voice service, viewing UA.
Page 885
IVR node configuration, batch local number configuration, IVR service customization, batch voice line management, jump node configuration, 757, 773, call authority control configuration, 733, line management, call route, location server, call route configuration, 528, proxy server, call rule set configuration, redirect server, call service, 525, registrar,...
Page 886
local number configuration, 527, LAC, local server operation mode configuration (alive LNS, mode, Web), local server operation mode configuration (alone accessing SSL VPN resources (Web), mode, Web), adding L2TP group, local survival service state displaying, changing SSL VPN login password (Web), number register status displaying, client-initiated VPN configuration, number subscription status displaying,...
Page 887
PKI configuration (certificate management), configuring resource group, configuring SSL VPN gateway, configuring SSL VPN service, 387, adding blacklist entry, configuring system time, common page features, configuring TCP application resources, configuring access control, 152, configuring TR-069, configuring application control, 171, configuring user access to SSL VPN, configuring attack protection, 158, configuring user group, configuring blacklist,...
Page 888
SIP trunk, 662, 664, roles, SIP trunk account state displaying, setting WiNet topology background image, SIP UA state displaying, wireless QoS state displaying, configuration, 119 statistics displaying, enable, 119 switching to the management level, WMM, syslog configuration, WMM AP radio EDCA parameters, system management, WMM CAC service configuration, TCP connection information displaying,...
Page 889
client mode enabling, configuring white list functions, 115 client mode statistics, white list, 115 connecting wireless service, QoS configuration, WLAN wireless QoS AP radio EDCA RF ping information, parameters, RRM data transmit rates configuration, 111 WLAN wireless QoS CAC admission policy, RRM data transmit rates configuration WLAN wireless QoS CAC service (802.11),...