Contents
Web overview
Logging in to the Web interface
Logging out of the Web interface
Introduction to the Web interface
User level
Introduction to the Web-based NM functions
...
Configuring wireless services
Configuring wireless access service
Creating a wireless access service
Configuring clear type wireless service
Configuring crypto type wireless service
Binding an AP radio to a wireless service
...
3G/4G connection
Displaying 3G/4G connection information
Configuring the cellular interface
Managing the PIN
Rebooting the 3G/4G modem
Configuring NAT
Overview
...
Configuring RADIUS
Overview
Configuring a RADIUS scheme
Configuring common parameters
Adding RADIUS servers
RADIUS configuration example
Configuration guidelines
Configuring login control
...
Configuring the SSL VPN service
Configuring Web proxy server resources
Configuring TCP application resources
Configuring a remote access service resource
Configuring a desktop sharing service resource
...
Destroying the RSA key pair
Retrieving and displaying a certificate
Requesting a local certificate
Retrieving and displaying a CRL
PKI configuration examples
Certificate request from a Windows 2003 CA server
...
WiNet establishment configuration example
WiNet-based RADIUS authentication configuration example
Configuration wizard
Overview
Basic service setup
Entering the configuration wizard homepage
Selecting a country
...
Configuring call forwarding
Configuring call transfer
Configuring hunt group
Configuring three-party conference
Configuring silent monitor and barge in
Advanced settings
Introduction to advanced settings
...
Managing lines
FXS voice subscriber line
FXO voice subscriber line
E&M subscriber line
E&M introduction
E&M start mode
One-to-one binding between FXS and FXO voice subscriber lines
...
Configure a secondary call on a call node (match the number length)
Configure a secondary call on a call node (match a number)
Configure an extension secondary call on a call node
...
If you have configured the auto authentication mode for an HTTPS login user by using the web https-authorization mode command, the user is automatically authenticated by the PKI certificate, without inputting any username and password. For more information, see HPE FlexNetwork MSR Router Series Comware 5 Fundamentals Configuration Guide.
Figure 2 Login page of the Web interface

Logging out of the Web interface

CAUTION: A logged-in user cannot automatically log out by directly closing the browser.

Click Logout in the upper-right corner of the Web interface to quit Web-based network management. The system will not save the current configuration before you log out of the Web interface.
Figure 3 Initial page of the Web interface...
(1) Navigation area (2) Title area (3) Body area

• Navigation area—Organizes the Web function menus in the form of a navigation tree, where you can select function menus as needed. The result is displayed in the body area.
• Title area—On the left, displays the path of the current configuration interface in the navigation area;...
| Function menu | Description | User level |
|---|---|---|
| | Allows you to modify WAN interface configuration, and clear the statistics of a WAN interface. | Configure |
| LAN Interface Setup > VLAN Setup | Displays the configuration information of a VLAN. | Monitor |
| LAN Interface Setup > VLAN Setup | Allows you to configure a VLAN. | Configure |
| | Displays the configuration information of a VLAN... | |
| Function menu | Description | User level |
|---|---|---|
| | Allows you to set the country code. | Configure |
| 3G Information | Displays 3G modem information, UIM card information, and 3G network information. | Monitor |
| PIN Code Management | Displays UIM card status. | Monitor |
| PIN Code Management | Allows you to manage PIN codes. | Configure |
| Function menu | Description | User level |
|---|---|---|
| Attack Defend > Blacklist | Displays and allows you to refresh the blacklist information and whether the blacklist filtering is enabled or not. | Monitor |
| Attack Defend > Blacklist | Allows you to add, modify, delete and clear blacklist entries, and set whether to enable or disable blacklist filtering. | Configure |
| Function menu | Description | User level |
|---|---|---|
| | Allows you to configure the traffic ordering mode and interval. | Configure |
| Statistics of Inbound Interfaces | Displays inbound interface traffic ordering statistics. | Monitor |
| Statistics of Outbound Interfaces | Displays outbound interface traffic ordering statistics. | Monitor |
| | Displays DNS configurations. | Monitor |
| Function menu | Description | User level |
|---|---|---|
| Advanced Limit | Displays the advanced limit configuration information. | Monitor |
| Advanced Limit | Allows you to add, modify or delete advanced limit rules. | Configure |
| Advanced Queue | Displays advanced queue configuration information. | Monitor |
| Advanced Queue | Allows you to configure interface bandwidth, add, modify, or delete bandwidth guarantee policies. | Configure |
| Function menu | Description | User level |
|---|---|---|
| MSR30, and MSR50) | Allows you to configure SNMP. | Configure |
| Community | Displays the brief information of SNMP communities. | Monitor |
| Community | Allows you to create, modify and remove an SNMP community. | Configure |
| | Displays the brief information of SNMP groups. | Monitor |
| Function menu | Description | User level |
|---|---|---|
| Connection Control | Displays configuration of access control. | Monitor |
| Connection Control | Allows you to configure time range-based access control. | Configure |
| Application Control | Displays custom application configuration. | Monitor |
| Application Control | Allows you to customize applications. | Configure |
| Bandwidth | Displays bandwidth management configuration. | Monitor |
| Bandwidth | Allows you to configure... | Configure |
| Function menu | Description | User level |
|---|---|---|
| Gratuitous ARP | Displays gratuitous ARP configuration information. | Monitor |
| Gratuitous ARP | Allows you to configure gratuitous ARP. | Configure |
| Dynamic Entry | Displays the number of dynamic ARP entries that an interface can learn. | Monitor |
| Dynamic Entry | Allows you to enable or disable an interface to or from learning dynamic ARP entries, and change the... | |
| Function menu | Description | User level |
|---|---|---|
| | Allows you to add, modify or delete a GRE tunnel. | Configure |
| Entity | Displays PKI entity information. | Monitor |
| Entity | Allows you to add, change, and delete PKI entities. | Configure |
| Domain | Displays PKI domain information. | Monitor |
| Domain | Allows you to add, change, and delete PKI domains. | Configure |
User Function menu Description level Allows you to reboot the Reboot Configure device. Displays related configuration of system Configure services. Service Management Allows you to set whether to Managem enable different services and set related parameters. Displays the brief User Summary Monitor information of users.
| Function menu | Description | User level |
|---|---|---|
| Logset | Displays the number of logs that can be stored in the log buffer; allows you to set the refresh period on the log information displayed on the Web interface. | Monitor |
| Logset | Allows you to set the number of logs that can be stored in the log buffer. | Configure |
| Function menu | Description | User level |
|---|---|---|
| | Allows you to create, modify, and delete a call route. | Configure |
| Number Match | Displays number match configuration information. | Monitor |
| Number Match | Allows you to configure number match parameters. | Configure |
| | Displays call authority control configuration information, and the maximum number of call connections in a set. | Monitor |
| Function menu | Description | User level |
|---|---|---|
| | Allows you to perform global configurations. | Configure |
| Batch Configuration | Displays batch configuration information. | Monitor |
| Batch Configuration | Allows you to create local numbers, call routes, and manage lines in batches. | Configure |
| | Allows you to view and refresh active and history call statistics. | Monitor |
Content display by pages

The Web interface can display contents by pages, as shown in Figure 4. You can set the number of entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any page that you want to check.
Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these steps:

Click the Advanced Search link, specify the search criteria on the advanced search page as shown in Figure 7, and click Apply.
Figure 9 Advanced searching function example (III)

Sorting function

The Web interface provides you with the basic sorting function to display entries in certain orders. On a list page, you can click the blue heading item of each column to sort the entries based on the heading item you selected.
Task: Disable the Web-based NM service.
Command: undo ip http enable

Managing the current Web user

Task: Display the current login users.
Command: display web users

Task: Log out the specified user or all users.
Command: free web-users { all | user-id userid | user-name username }

Configuration guidelines

The Web-based configuration interface supports the operating systems of Windows XP, Windows...
Click the Security tab, and then select a Web content zone to specify its security settings, as shown in Figure 11.

Figure 11 Internet Explorer setting (I)

Click Custom Level, and a dialog box Security Settings appears.

As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for scripting and active scripting.
Figure 12 Internet Explorer setting (II)

Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings

Open the Firefox Web browser, and then select Tools > Options.

Click the Content tab, select the Enable JavaScript check box, and click OK, as shown Figure...
Displaying device information

When you are logged in to the Web interface, you are placed on the Device Info page. The Device Info page contains five parts, which correspond to the five tabs below the figure on the page except the Services Information and Recent System Logs tabs. When you put your cursor on a part of the figure, the system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking this part.
Displaying device information

Table 3 Field description

| Field | Description |
|---|---|
| Device Model | Device name. |
| Software Version | Software version of the device. |
| Firmware Version | Firmware version of the device. |
| Hardware Version | Hardware version of the device. |
| Running Time | Running time after the latest boot of the device. |
| CPU Usage | Real-time CPU usage. |
Displaying LAN information

Table 6 Field description

| Field | Description |
|---|---|
| Interface | Interface name. |
| Link State | Link state of the interface. |
| Work Mode | Rate and duplex mode of the interface. |

Displaying WLAN information

Table 7 Field description

| Field | Description |
|---|---|
| SSID (WLAN Name) | Name of the WLAN service. |
Figure 15 Integrated service management • To change the URL address of the card, click of the target card. Enter the URL address in the field and click to apply the configuration or click to cancel the modification. • Correctly set the URL address of the card, and then connect the card to the LAN to which the Figure 15, click the Manage button, a page administrator belongs.
Basic services configuration

This document guides you through quick configuration of basic services of routers, including configuring WAN interface parameters, LAN interface parameters, and WLAN interface parameters. For information about WAN interfaces, see "Configuring WAN interfaces." For information about LAN interfaces, see "Configuring VLANs."...
Ethernet interface

Figure 18 Setting Ethernet interface parameters

Table 10 Configuration items (in auto mode)

| Item | Description |
|---|---|
| WAN Interface | Select the Ethernet interface to be configured. |
| Connect Mode: Auto | Select the Auto connect mode to automatically obtain an IP address. |
| | Specify the MAC address of the Ethernet interface in either of the two ways: •... |
Item Description To configure the global DNS server on the page you enter, select Advanced > DNS Setup > DNS Configuration. The global DNS server has priority over the DNS servers of the interfaces. The DNS query is sent to the global DNS server DNS2 first.
SA interface

Figure 19 Setting SA parameters

Table 13 Configuration items

| Item | Description |
|---|---|
| WAN Interface | Select the SA interface to be configured. |
| User Name | Specify the user name for identity authentication. |
| Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. |
Table 14 Configuration items (in IPoA mode)

| Item | Description |
|---|---|
| WAN Interface | Select the ADSL/G.SHDSL interface to be configured. |
| Connect Mode: IPoA | Select the IPoA connect mode. |
| | Specify the VPI/VCI value for PVC. |
| TCP-MSS | Set the maximum TCP segment length of an interface. |
| | Set the MTU of an interface. |
| Item | Description |
|---|---|
| User Name | Specify the user name for identity authentication. |
| Password | Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured. |
| New Password | Specify or modify the password for identity authentication. |
| TCP-MSS | Set the maximum TCP segment length of an interface. |
| Item | Description |
|---|---|
| | Set the MTU of an interface. |

In CE1 mode

Figure 22 Setting CE1/PR1 interface parameters (in CE1 mode)

Table 19 Configuration items (in CE1 mode)

| Item | Description |
|---|---|
| WAN Interface | Select the CE1/PR1 interface to be configured. |
| Work Mode: CE1 | Select the CE1 work mode. |
CT1/PR1 interface

Figure 23 Setting CT1/PR1 parameters

Table 20 Configuration items

| Item | Description |
|---|---|
| WAN Interface | Select the CT1/PR1 interface to be configured. |
| Work Mode: E1 | Select the CT1 work mode. |
| Operation | Select one of the following operation actions: • Create—Binds timeslots. •... |
Cellular interface

Figure 24 Setting Cellular parameters

Table 21 Configuration items

| Item | Description |
|---|---|
| WAN Interface | Select the Cellular interface to be configured. |
| User Name | Specify the user name for identity authentication. |
| Password | Display whether a password has been specified for identity authentication. An empty field indicates that no password is configured. |
Figure 25 Setting LAN parameters

Table 22 Configuration items

| Item | Description |
|---|---|
| VLAN Interface | Display the ID of the VLAN interface to be configured. IMPORTANT: By default, the VLAN interface on the device that has the smallest number is displayed. If no VLAN interface is available on the device, the system automatically creates an interface numbered 1 and displays it. |
Item Description choose one of the configured keys. Key 1 • When you select WEP40 and ASCII, the generated or entered key is a 5-character string. • When you select WEP40 and HEX, the generated or entered key is a 10-digit Key 2 hexadecimal number.
Configuring WAN interfaces

This chapter describes how to configure the following interfaces on the Web interface:
• Ethernet interfaces.
• SA interfaces.
• ADSL/G.SHDSL interfaces.
• CE1/PRI interfaces.
• CT1/PRI interfaces.

Configuring an Ethernet interface

An Ethernet interface or subinterface supports the following connection modes:
•...
Figure 29 Configuring an Ethernet interface

Table 24 Configuration items (auto mode)

| Item | Description |
|---|---|
| WAN Interface | Displays the name of the Ethernet interface to be configured. |
| | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. |
Table 25 Configuration items (manual mode)

| Item | Description |
|---|---|
| WAN Interface | Displays the name of the Ethernet interface to be configured. |
| Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. •... |
| Item | Description |
|---|---|
| New Password | Set or modify the password for authentication. |
| TCP-MSS | Configure the TCP MSS on the interface. |
| | Configure the MTU on the interface. |
| | Set the idle timeout time for a connection: • Online for all time—The connection is maintained until being disconnected manually or upon an anomaly. |
Figure 30 Configuring an SA interface

Table 27 Configuration items

| Item | Description |
|---|---|
| WAN Interface | Displays the name of the interface to be configured. |
| | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. |
IPoA

IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data link layer for the IP hosts on the same network to communicate with one another, and IP packets must be adapted in order to traverse the ATM network. IPoA makes full use of the advantages of ATM, including high speed point-to-point connections, which help improve the bandwidth performance of an IP network, excellent network performance, and complete, mature QoS services.
Figure 31 Configuring an ADSL/G.SHDSL interface

Table 28 Configuration items (IPoA)

| Item | Description |
|---|---|
| WAN Interface | Displays the name of the ADSL/G.SHDSL interface to be configured. |
| | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. |
| Item | Description |
|---|---|
| Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. •... |
| Item | Description |
|---|---|
| Connect Mode: PPPoEoA | Select PPPoEoA as the connection mode. |
| | Set the VPI/VCI value for the PVC. |
| User Name | Configure the username for authentication. |
| Password | Displays whether a password is configured for authentication. If the field displays null, no password is configured for authentication. |
| New Password | Set or modify the password for authentication. |
Configuring a CE1/PRI interface in E1 mode

Figure 32 Configuring a CE1/PRI interface in E1 mode

Table 32 Configuration items (in E1 mode)

| Item | Description |
|---|---|
| WAN Interface | Displays the name of the CE1/PRI interface to be configured. |
| | Display and set the interface status: •... |
Configuring a CE1/PRI interface in CE1 mode

Figure 33 Configuring a CE1/PRI interface in CE1 mode

Table 33 Configuration items (in CE1 mode)

| Item | Description |
|---|---|
| WAN Interface | Displays the name of the CE1/PRI interface to be configured. |
| | Display and set the interface status: •... |
| Item | Description |
|---|---|
| | Configure the MTU on the interface. |

Configuring a CT1/PRI interface

The CT1/PRI interface supports PPP connection mode. For more information about PPP, see "Configuring an SA interface." When it is operating as a CT1 interface, all the timeslots (numbered 1 to 24) can be randomly divided into groups.
| Item | Description |
|---|---|
| Interface Status | Display and set the interface status: • Connected—Indicating that the current interface is up and connected, click Disable to shut down the interface. • Not connected—Indicating that the current interface is up but not connected, click Disable to shut down the interface. •... |
For each VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at the network layer. For more information about VLANs and VLAN interfaces, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—LAN Switching Configuration Guide.
Creating a VLAN and its VLAN interface Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default page, VLAN Setup page. Figure 36 VLAN setup page Table 35 Configuration items Item Description VLAN Create And Set the operation type to Create or Remove.
Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default page, VLAN Setup page. Table 36 Configuration items Item Description Select the ID of the VLAN that you want to assign ports to or remove ports VLAN ID from.
Figure 37 VLAN interface setup page

Table 37 Configuration items

| Item | Description |
|---|---|
| VLAN ID | Select the ID of the VLAN interface you want to configure. |
| IP Address, Subnet Mask | Set the VLAN interface's IP address and subnet mask. |

...
| Item | Description |
|---|---|
| MAC Address | Set the MAC address of the VLAN interface: • Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in the following brackets. • Use the customized MAC address—Manually set the MAC address of the VLAN interface. |
Wireless configuration overview

The device allows you to perform the following configuration in the Web interface:
• Configuring wireless access service
• Displaying wireless access service
• Client mode
• Configuring data transmit rates
• Displaying radio
• Configuring the blacklist and white list functions
•...
Configuring wireless services

For more information about WLAN user access, see HPE FlexNetwork MSR Router Series Comware 5 WLAN Configuration Guide.

Configuring wireless access service

Creating a wireless access service

Select Interface Setup >...
Table 39 Configuration items

| Item | Description |
|---|---|
| Radio Unit | Radio ID, 1 or 2. |
| Mode | Radio mode, which depends on your device model. |
| Wireless Service Name | Set the service set identifier (SSID). An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. |
| Item | Description |
|---|---|
| SSID HIDE | • Enable—Disables the advertisement of the SSID in beacon frames. • Disable—Enables the advertisement of the SSID in beacon frames. By default, the SSID in beacon frames is advertised. IMPORTANT: • If the advertising of the SSID in beacon frames is disabled, the SSID must be configured for the clients to associate with the device.... |
Table 42 Configuration items

| Item | Description |
|---|---|
| Authentication Type | For the clear type wireless service, select Open-System only. |
| | • mac-authentication—Performs MAC address authentication on users. • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority.... |
Figure 42 Configuring MAC authentication

Table 43 Configuration items

| Item | Description |
|---|---|
| Port Mode | mac-authentication: MAC-based authentication is performed on access users. |
| Max User | Control the maximum number of users allowed to access the network through the port. |
| MAC Authentication | Select the MAC Authentication option. |
| | Select an existing domain from the list.... |
Table 44 Configuration items

| Item | Description |
|---|---|
| Port Mode | • userlogin-secure—Perform port-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online. • userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.... |
Figure 44 Configuring port security for the other four security modes (mac-else-userlogin-secure is taken for example)

Table 45 Configuration items

| Item | Description |
|---|---|
| | • mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.... |
Item Description • EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication.
Table 40 for the configuration items of basic configuration of crypto type wireless service.

Configuring advanced settings for crypto type wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree.

Click the icon for the target crypto wireless service.

Figure 46 Configuring advanced settings for crypto type wireless service

Table 46 Configuration items

Item...
| Item | Description |
|---|---|
| GTK User Down Status | Enable refreshing the GTK when some client goes offline. By default, the GTK is not refreshed when a client goes off-line. |

Configuring security settings for crypto type wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree.

Click the icon for the target crypto type wireless service.
| Item | Description |
|---|---|
| Key ID | Configure the key index, which can be: • 1—Key index 1. • 2—Key index 2. • 3—Key index 3. • 4—Key index 4. There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index will be used for encrypting and decrypting broadcast and multicast frames. |
Table 48 Configuration items

| Item | Description |
|---|---|
| Port Mode | mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds. |
Configure userlogin-secure/userlogin-secure-ext. Perform the configurations as shown in

Binding an AP radio to a wireless service

Select Interface Setup > Wireless > Access Service from the navigation tree.

Click the icon for the target wireless service to enter the page as shown in Figure 50.

Figure 50 Binding an AP radio to a wireless service

Select the AP radio to be bound.
Authentic Service Encryptio Security ation encryptio Port mode type n type mode n/key ID encryption is required Shared-Key Unavailable Unavailable mac-authentication The key ID can be 1, 2, 3 or 4 encryption mac and psk is required Selected Required The key ID userlogin-secure-ext can be 2, 3 Open-Syste...
Page 90
Table 51 Field description Field Description Service Template Number Current service template number. SSID Service set identifier (SSID) for the ESS. Service Template Type Service template type. Authentication Method Type of authentication used. WLAN service of the clear type only uses open system authentication.
Page 91
Field Description Cipher Suite Cipher suite: CCMP, TKIP, WEP40, WEP104, or WEP128. TKIP Countermeasure Time(s) TKIP countermeasure time in seconds. PTK Life Time(s) PTK lifetime in seconds. GTK Rekey GTK rekey configured. GTK Rekey Method GTK rekey method configured: packet based or time based.
Displaying connection history information about wireless service Figure 54 Displaying the connection history information about wireless service Displaying client Displaying client detailed information Select Interface Setup > Wireless > Summary from the navigation tree. Click the Client tab to enter the Client page. Click the Detail Information tab on the page.
Page 93
Table 53 Client RSSI Field Description —Indicates that 0 < RSSI <= 20. —Indicates that 20 < RSSI <= 30. Client RSSI —Indicates that 30 < RSSI <= 35. —Indicates that 35 < RSSI <= 40. —Indicates that 40 < RSSI. Table 54 Field description Field Description...
Page 94
Field Description 4-Way Handshake State Four-way handshake states: • IDLE—Displayed in initial state. • PTKSTART—Displayed when the 4-way handshake is initialized. • PTKNEGOTIATING—Displayed after valid message 3 was sent. • PTKINITDONE—Displayed when the 4-way handshake is successful. Group key state: •...
Figure 56 Displaying client statistics Table 56 Field description Field Description AP Name Name of the associated access point. Radio Id Radio ID. SSID SSID of the device. BSSID MAC address of the device. MAC Address MAC Address of the client. Received signal strength indication.
Figure 57 Viewing link test information Table 57 Field description Field Description No./MCS • Rate number for a non-802.11n client. • MCS value for an 802.11n client. Rate (Mbps) Rate at which the radio interface sends wireless ping frames. TxCnt Number of wireless ping frames that the radio interface sent.
Page 97
Figure 58 Network diagram Configuration procedure Create a wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add. Figure 59 Creating a wireless service a. Select the radio unit 1, set the service name to service1, and select the wireless service type clear.
Figure 61 Enabling 802.11g radio Verifying the configuration If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you can view the online clients. Configuration guidelines Follow these guidelines when you configure a wireless service: •...
Page 99
After the wireless service is created, the system is automatically navigated to the wireless service page, where you can perform the VLAN settings (before this operation, select Network > VLAN and create VLAN 2 first). Figure 63 Setting the VLANs e.
PSK authentication configuration example Network requirements As shown in Figure 65, configure the client to access the wireless network by passing PSK authentication. Configure the same PSK key 12345678 on the client and AP. Figure 65 Network diagram Configuration procedure Configure a wireless service: a.
Page 101
Figure 67 Configuring security settings a. Select the Open-System from the Authentication Type list. b. Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and then select WPA from the Security IE list. c. Select the Port Set option, and select psk from the Port Mode list. d.
Local MAC authentication configuration example Network requirements As shown in Figure 69, perform MAC authentication on the client. Figure 69 Network diagram Configuration procedure Configure a wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b.
Page 103
Figure 71 Configuring security settings a. Select the Open-System from the Authentication Type list. b. Select the Port Set option, and select mac-authentication from the Port Mode list. c. Select the MAC Authentication option, and select system from the Domain list. d.
c. Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example. d. Click Add. (Optional.) Enable 802.11g radio. By default, 802.11g radio is enabled. Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure 802.11g is enabled.
Page 105
c. Select radio unit 1. d. Set the wireless service name as mac-auth. e. Select the wireless service type clear. f. Click Apply. Configure MAC authentication: After you create a wireless service, the wireless service configuration page appears. Then you can configure MAC authentication on the Security Setup area.
Page 106
Configuring the RADIUS server (IMCv5) The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configurations of the RADIUS server. Add an access device: a. Click the Service tab. b.
Figure 80 Adding an account Verifying the configuration During authentication, the user does not need to input the username or password. After passing MAC authentication, the client can associate with the device and access the WLAN. You can view the online clients by selecting Interface Setup > Wireless > Summary from the navigation tree and then clicking the Client tab.
Page 108
Figure 82 Creating a wireless service Configure 802.1X authentication: After you create a wireless service, the wireless service configuration page appears. a. In the Security Setup area, select Open-System from the Authentication Type list, select the Cipher Suite option, select CCMP from the Cipher Suite list, and select WPA2 from the Security IE list.
Page 109
Configuring the RADIUS server (IMCv5) The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to illustrate the basic configurations of the RADIUS server. Add an access device: a. Click the Service tab in the IMC Platform. b.
Add an account: a. Click the User tab. b. Select User > All Access Users from the navigation tree. c. Click Add. d. On the page that appears, enter username user, set the account name user and password dot1x, select the service dot1x, and click OK. Figure 86 Adding an account Verifying the configuration •...
Figure 88 Creating a wireless service Enable the wireless service: a. Select Interface Setup > Wireless > Access Service from the navigation tree. b. Select the 11nservice option, and click Enable. Figure 89 Enabling the wireless service (Optional.) Enable 802.11n(2.4GHZ) radio. By default, 802.11n(2.4GHZ) radio is enabled. Verifying the configuration If you select Interface Setup >...
Figure 90 Client mode Enabling the client mode Select Interface Setup > Wireless Service > Client Mode from the navigation tree. Click Connect Setup. Select the radio unit to be enabled, and then click Enable. Figure 91 Enabling the client mode NOTE: •...
Figure 92 Checking the wireless service list Connecting the wireless service Method 1 Click the Connect icon of the wireless service in the wireless service list, and a SET CODE dialog box shown in Figure 93 appears. Figure 93 Setting a code The following authentication modes are supported: Open System Shared key...
Item Description KeyID There are four static keys in WEP. Their key indexes are 1, 2, 3, and 4. The key corresponding to the specified key index will be used for encrypting and decrypting frames. Method 2 You can also enter a wireless service to specify the wireless service to be connected on the page displayed after clicking the Connect icon of the wireless service.
Page 115
Figure 96 Network diagram Configuration procedure Enable the client mode: a. Select Interface Setup > Wireless Service > Client Mode from the navigation tree. b. Click Connect Setup. Figure 97 Enabling the client mode c.
Page 116
Figure 98 Checking the wireless service list Connect the wireless service a. Click the Connect icon of the wireless service psk in the wireless service list. A SET CODE dialog box shown in Figure 99 appears. Figure 99 Setting a code b.
Configuration guidelines As shown in Figure 101, if the router uses two radio interfaces at the same time, the client connecting to radio 2 can access the AP through the router. Figure 101 Network diagram Configuring radios 802.11b/g operates in 2.4 GHz band, 802.11a in 5 GHz band, and 802.11n in both 2.4 GHz and 5 GHz bands.
Page 118
Item Description 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately with one acting as the primary channel and the other acting as the secondary channel or work together as a 40-MHz channel. This provides a simple way of doubling the data rate.
Page 119
Figure 103 Configuring advanced settings for the radio Table 60 Configuration items Item Description Preamble is a pattern of bits at the beginning of a frame so that the receiver can sync up and be ready for the real data. There are two different kinds of preambles: •...
Item Description Request to send (RTS) threshold length. If a frame is larger than this value, the RTS mechanism will be used. RTS is used to avoid data collisions in a WLAN. A smaller RTS threshold causes RTS packets to be sent more often, thus consuming more available bandwidth.
Table 61 Configuration items Item Description 802.11a Configure rates (in Mbps) for 802.11a. By default: • Mandatory rates—6, 12, and 24. • Supported rates—9, 18, 36, 48, and 54. • Multicast rate—Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
Supported Maximum MCS Set the maximum MCS index for 802.11n supported rates. For more information about MCS, see HPE FlexNetwork MSR Router Series Comware 5 WLAN Configuration Guide. Make the MCS configuration the same on all APs in mesh configuration.
Page 123
Figure 107 Displaying detailed radio information Table 63 Field description Field Description WLAN-Radio1/0 current state: UP State of the radio interface. IP Packet Frame Type Output frame encapsulation type. Hardware Address MAC address of the radio interface. Radio-type dot11a WLAN protocol type used by the interface. Channel used by the interface.
Page 124
Field Description Output packet statistics of the interface: • Number of packets, number of bytes. Output: 3436 packets, 492500 bytes • Number of unicast packets, number of bytes of unicast : 3116 unicasts, 449506 bytes packets. : 320 multicasts/broadcasts, 42994 •...
Configuring WLAN security When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless devices use the air as the transmission media, which means that the data transmitted by one device can be received by any other device within the coverage of the WLAN. To improve WLAN security, you can use white and black lists and user isolation to control user access and behavior.
Figure 108 Configuring dynamic blacklist Table 64 Configuration items Item Description Dynamic Blacklist • Enable—Enables dynamic blacklist. • Disable—Disables dynamic blacklist. IMPORTANT: Before enabling the dynamic blacklist function, select the Flood Attack Detect option in the WIDS Setup page. Lifetime Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.
Table 65 Configuration items Item Description You can configure a static blacklist in the following two ways: MAC Address Select the MAC Address option, and then add a MAC address to the static blacklist. Select Current Connect Client If you select the option, the table below lists the current existing clients. Select the options of the clients to add their MAC addresses to the static blacklist.
Page 128
Figure 111 Network diagram To configure user isolation: Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab. Figure 112 Configuring user isolation Table 67 Configuration items Item Description • Enable—Enables user isolation on the AP to isolate the clients associated with it at Layer 2.
QoS provision devices of different vendors to interoperate. WMM makes a WLAN network capable of providing QoS services. For more information about the WLAN QoS terminology and the WMM protocol, see HPE FlexNetwork MSR Router Series Comware 5 WLAN Configuration Guide.
Figure 114 Enabling Wireless QoS Click the icon in the Operation column for the desired radio in the AP list. Figure 115 Setting the SVP mapping AC Table 68 Configuration items Item Description Radio Selected radio. Select the SVP Mapping option, and then select the mapping AC to be used by the SVP service: •...
Table 69 Configuration items Item Description Client Number Users-based admission policy, namely, maximum number of clients allowed to be connected. A client is counted only once, even if it is using both AC-VO and AC-VI. By default, the users-based admission policy applies, with the maximum number of users being 20.
TXOP Limit AIFSN ECWmin ECWmax AC-VI AC-VO ECWmin cannot be greater than ECWmax. On a device operating in 802.11b radio mode, H3C recommends you to set the TXOP-Limit to 0, 0, 188, and 102 for AC-BK, AC-BE, AC-VI, and AC-VO. Setting EDCA parameters for wireless clients Select Interface Setup >...
TXOP Limit AIFSN ECWmin ECWmax AC-VO ECWmin cannot be greater than ECWmax. If all clients operate in 802.11b radio mode, you are recommended to set TXOPLimit to 188 and 102 for AC-VI and AC-VO. If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, the TXOPLimit parameters in Table 73 are recommended.
Field Description Client accepted Number of clients that have been admitted to access the radio, including the number of clients that have been admitted to access the AC-VO and the AC-VI. Total request mediumtime(us) Total requested medium time, including that of the AC-VO and the AC-VI.
Page 135
Click a client name to see its details. Figure 120 Displaying client statistics Table 75 Field description Field Description MAC address MAC address of the client. SSID Service set ID (SSID). QoS Mode QoS mode, which can be: • WMM—Indicates that the client is a QoS client. •...
Setting rate limiting The WLAN provides limited bandwidth for each device. As the bandwidth is shared by wireless clients attached to the device, aggressive use of bandwidth by a client will affect other clients. To ensure fair use of bandwidth, you can rate limit traffic of clients in either of the following two approaches: •...
Wireless QoS configuration example CAC service configuration example Network requirements As shown in Figure 122, an AP with WMM enabled accesses the Ethernet. Enable CAC for the AC-VO and AC-VI queues of the clients of the fat AP. Use the user number-based admission policy to limit the number of access users to 10, so that the clients using high-priority queues (including the AC-VO and AC-VI queues) can be guaranteed enough bandwidth.
a. Enable CAC for AC_VI in the same way: select Interface Setup > Wireless > Wireless QoS from the navigation tree, click the QoS Service tab, find the radio unit to be configured in the list, and click the corresponding icon in the Operation column.
d. On the page that appears, select service1 from the Wireless Service list, select inbound from the direction list, select static from the mode list, enter 128000 in the static rate field, and click Apply. Figure 127 Configuring static rate limiting Verifying the configuration •...
Page 140
Figure 129 Configuring dynamic rate limiting Verifying the configuration Verify the following: • When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate as high as 8000 kbps. • When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can each pass through at a rate as high as 4000 kbps.
Configuring advanced settings Radio frequencies for countries and regions vary based on country regulations. A district code determines characteristics such as frequency range, channel, and transmit power level. Configure the valid country code or area code for a WLAN device to meet the specific country regulations. Setting a district code Select Interface Setup >...
Page 142
Click the icon for the target AP. Figure 132 Testing busy rate of channels Click Start to start the testing. Table 78 Configuration items Item Description Radio Unit Display the radio unit, which takes the value of 1 or 2. Radio Mode Display the radio mode of the router.
3G/4G connection For 3G/4G communications, you can connect a USB 3G/4G modem to the USB port on the router. The 3G/4G modem uses a user identity module (UIM) or subscriber identity module (SIM) to access the wireless networks provided by service providers. The router supports 3G/4G modems from different vendors.
Page 144
Figure 135 3G connection information (CDMA) Figure 136 4G connection information (LTE) Table 79 3G/4G modem information Item Description Model Model of the 3G/4G modem.
Page 145
Item Description Manufacturer Manufacturer of the 3G/4G modem. Serial Number Serial number of the 3G/4G modem. Hardware Version Hardware version of the 3G/4G modem. Firmware Version Firmware version of the 3G/4G modem. PRL Version Preferred roaming list version of the 3G/4G modem. 3G/4G modem status: •...
Item Description Network selection mode Network selection mode: • Manual. • Automatic. Mobile Country Code. For example, the MCC of Mainland China is 460. Mobile Network Code. For example, the MNC of China Mobile is 00. Location Area Code. CELL ID Cell ID.
Table Configure the cellular interface as described in Figure 137 Configuring the cellular interface Table 84 Configuration items Item Description Interface Interface type and number. Authentication method Method for identity authentication. User Name Username for identity authentication. Password Password for identity authentication. If the field is empty, no password is configured for identity authentication.
To disable PIN protection, enter the PIN and click Apply in the Disable PIN Code Protection area. To modify the PIN, perform the following in the PIN Code Modification area: Enter the current PIN in the Current PIN Code field. Enter the new PIN in the New PIN Code field.
With NAT, a few public IP addresses are used to translate a large number of internal IP addresses. This effectively solves the IP address depletion problem. For more information about NAT, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
Page 150
Figure 141 Configuring dynamic NAT Table 85 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Select an address translation mode: • Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address.
Configuring a DMZ host Creating a DMZ host From the navigation tree, select NAT Configuration > NAT Configuration. Click the DMZ HOST tab. The DMZ host configuration page appears. Figure 142 Creating a DMZ host Table Configure the parameters as described in Click Add.
Figure 143 Enabling DMZ host on an interface Configuring an internal server From the navigation tree, select NAT Configuration > NAT Configuration. Click the Internal Server tab. The internal server configuration page appears.
Page 153
Figure 144 Configuring an internal server Table Configure the parameters as described in Click Add. Table 87 Configuration items Item Description Interface Specify an interface on which the NAT policy is to be enabled. Protocol Specify the type of the protocol carried by IP, which can be TCP or UDP. Specify the public IP address for the internal server.
Table 89 Configuration items Item Description Enable connection limit Enable or disable connection limit. Max Connections Set the maximum number of connections that can be initiated from a source IP address. NAT configuration examples Internal hosts accessing public network configuration example Network requirements Figure...
Figure 148 Configuring dynamic NAT Configure the connection limit: a. Click the Connection Limit tab to enter the connection limit configuration page, as shown in Figure 149. b. Select Enable connection limit. c. Enter 1000 in Max Connections. d. Click Apply. Figure 149 Configuring connection limit Internal server configuration example Network requirements...
Page 157
Figure 150 Network diagram Configuring internal server Configure the FTP server: a. From the navigation tree, select NAT Configuration > NAT Configuration and click the Internal Server tab to enter the internal server configuration page, as shown in Figure 151. b....
Page 158
b. Select the TCP option in the Protocol field. c. Select the option next to the field in the Global IP Address field, and then enter 202.38.1.1. d. Select http from the Global Port list. e. Enter 10.110.10.1 in the Host IP Address field. f....
Configuring access control Access control allows you to control access to the Internet from the LAN by setting the time range, IP addresses of computers in the LAN, port range, and protocol type. All data packets matching these criteria will be denied access to the Internet. You can configure up to ten access control policies.
Item Description neither of them. To set neither of them, make sure the Begin-End Time is 00:00 - 00:00 and no days of a week are selected. Setting neither of them means it takes effect all the time. Week Select the days of a week for the rule to take effect....
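The matching rules described above, as an added example that is not the router's own code: a packet is denied when it matches any policy's time range, LAN IP range, port range and protocol, and a policy with Begin-End Time 00:00 - 00:00 and no days selected is always in effect. The class and field names, matching on the destination port, the exclusive end time, and rejecting a policy that sets only one of the two time settings are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

MAX_POLICIES = 10          # the page allows up to ten access control policies
MIDNIGHT = time(0, 0)


@dataclass(frozen=True)
class AccessPolicy:
    """Hypothetical model of one access control policy (names are illustrative)."""
    begin: time
    end: time
    days: frozenset        # weekday numbers, Monday == 0; empty = no days selected
    first_ip: str
    last_ip: str
    first_port: int
    last_port: int
    protocol: str          # "tcp" or "udp"

    def __post_init__(self):
        time_unset = self.begin == MIDNIGHT and self.end == MIDNIGHT
        # Assumption: the time range and the days are set together or not at all.
        if time_unset != (not self.days):
            raise ValueError("set both the time range and the days, or neither")
        if not time_unset and not self.begin < self.end:
            raise ValueError("begin time must be earlier than end time")
        if ipaddress.ip_address(self.first_ip) > ipaddress.ip_address(self.last_ip):
            raise ValueError("IP range is reversed")
        if not 1 <= self.first_port <= self.last_port <= 65535:
            raise ValueError("invalid port range")

    def active_at(self, when):
        # 00:00 - 00:00 with no days selected: the policy applies all the time.
        if not self.days:
            return True
        return when.weekday() in self.days and self.begin <= when.time() < self.end

    def matches(self, src_ip, protocol, dst_port, when):
        addr = ipaddress.ip_address(src_ip)
        in_range = (ipaddress.ip_address(self.first_ip) <= addr
                    <= ipaddress.ip_address(self.last_ip))
        return (in_range
                and protocol == self.protocol
                and self.first_port <= dst_port <= self.last_port
                and self.active_at(when))


class PolicyTable:
    def __init__(self):
        self.policies = []

    def add(self, policy):
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("at most %d policies are allowed" % MAX_POLICIES)
        self.policies.append(policy)

    def denied(self, src_ip, protocol, dst_port, when):
        """True when any policy matches, i.e. the packet is denied Internet access."""
        return any(p.matches(src_ip, protocol, dst_port, when) for p in self.policies)


def build_sample_table():
    """Constructed sample: three hosts blocked during work time, one host always."""
    table = PolicyTable()
    table.add(AccessPolicy(time(9, 0), time(18, 0), frozenset(range(5)),
                           "10.1.1.1", "10.1.1.3", 1, 65535, "tcp"))
    table.add(AccessPolicy(MIDNIGHT, MIDNIGHT, frozenset(),
                           "10.1.1.20", "10.1.1.20", 53, 53, "udp"))
    return table


if __name__ == "__main__":
    t = build_sample_table()
    monday_morning = datetime(2024, 1, 8, 10, 30)
    print(t.denied("10.1.1.2", "tcp", 80, monday_morning))
```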
Page 162
Figure 155 Network diagram Configuration procedure # Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work time. • Select Security Setup > Access from the navigation tree. Figure 156 Configure an access control policy •...
Configuring URL filtering The URL filtering function allows you to deny access to certain Internet Web pages from the LAN by setting the filter types and the filtering conditions. The URL filtering function applies to only the outbound direction of WAN interfaces. Configuration procedure Figure Select Security Setup >...
Table 92 Configuration items Item Description Filtering by Set the filter type: • Blacklist—Denies URLs that match the filtering conditions. URLs that do not match the filtering conditions are permitted. • Whitelist—Permits URLs that match the filtering conditions. URLs that do not match the filtering conditions are denied.
Page 165
Figure 159 Configure the URL filtering function...
Configuring attack protection You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure intrusion detection in the Web interface. Overview Attack protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors and, if detecting an attack, take measures to deal with the attack.
Page 167
Table 93 Types of single-packet attacks Single-packet attack Description Fraggle A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address.
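A header-level check for the Fraggle signature described in Table 93, written as an added detection example and not as the router's own logic. It also covers Land and Smurf, which this guide's intrusion detection options name; their signatures here follow the common definitions rather than this page, and the `Packet` record, the protected subnets and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

UDP_ECHO, UDP_CHARGEN = 7, 19   # Fraggle ports given in Table 93
ICMP_ECHO_REQUEST = 8           # assumption: standard ICMP type, not stated on the page
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    """Hypothetical parsed-header record; field names are illustrative."""
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    dport: int = 0
    icmp_type: int = -1
    syn: bool = False


def is_broadcast(dst, subnets):
    """True if dst is the limited broadcast or a protected subnet's broadcast address."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return True
    # /31 and /32 networks have no broadcast address; skipping them avoids
    # flagging an ordinary host address.
    return any(net.prefixlen < 31 and addr == net.broadcast_address for net in subnets)


def classify(pkt, subnets):
    """Return "fraggle", "smurf", "land" or None for a single packet."""
    to_broadcast = is_broadcast(pkt.dst, subnets)
    # Fraggle: UDP echo (7) or Chargen (19) sent to a subnet broadcast address.
    if pkt.proto == "udp" and pkt.dport in (UDP_ECHO, UDP_CHARGEN) and to_broadcast:
        return "fraggle"
    # Smurf (common definition): ICMP echo request sent to a broadcast address.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and to_broadcast:
        return "smurf"
    # Land (common definition): TCP SYN whose source equals its destination.
    if pkt.proto == "tcp" and pkt.syn and pkt.src == pkt.dst:
        return "land"
    return None


def detect(packets, subnets):
    """Return (index, attack) pairs for every packet that matches a signature."""
    hits = []
    for index, pkt in enumerate(packets):
        attack = classify(pkt, subnets)
        if attack is not None:
            hits.append((index, attack))
    return hits


# Constructed protected subnets (documentation address ranges).
PROTECTED = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.5", "192.0.2.255", "udp", dport=7),         # Fraggle (echo)
    Packet("203.0.113.5", "198.51.100.127", "udp", dport=19),     # Fraggle (/25 broadcast)
    Packet("203.0.113.5", "192.0.2.10", "udp", dport=7),          # unicast echo: no match
    Packet("203.0.113.9", "192.0.2.255", "icmp", icmp_type=8),    # Smurf
    Packet("192.0.2.10", "192.0.2.10", "tcp", dport=80, syn=True),    # Land
    Packet("203.0.113.7", "192.0.2.10", "tcp", dport=443, syn=True),  # normal SYN
    Packet("203.0.113.5", "198.51.100.255", "udp", dport=19),     # outside protected /25
]

if __name__ == "__main__":
    for index, attack in detect(SAMPLE, PROTECTED):
        print(index, attack, SAMPLE[index].src, "->", SAMPLE[index].dst)
```

The broadcast test depends on the configured prefix lengths, which is why 198.51.100.127 matches for the /25 while 198.51.100.255 does not.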
Protection against scanning attacks Scanning attackers usually use scanning tools to scan host addresses and ports in a network to find possible targets and the services enabled on them and to figure out the network topology, in preparation for further attacks on the target hosts. The scanning attack protection function applies only to incoming packets.
Step Remarks You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically.
Table 94 Configuration items Item Description IP Address Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8. Hold Time Configure the entry as a non-permanent entry and specify the hold time of the blacklist entry.
Page 171
Figure 162 Intrusion detection configuration page On MSR20/30/36/50/930 routers Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 163. Click Add to enter the page for adding a new intrusion detection policy, as shown in Figure 164.
Figure 164 Add an intrusion detection policy Attack protection configuration examples Attack protection configuration example for MSR900/20-1X Network requirements As shown in Figure 165, internal users Host A, Host B, and Host C access the Internet through Router. The network security requirements are as follows: •...
Page 173
Figure 165 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Enable the blacklist function. • Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the following configurations, as shown in Figure 166. Figure 166 Enabling the blacklist function •...
Page 174
Figure 167 Adding a blacklist entry for Host D • Enter IP address 5.5.5.5, the IP address of Host D. • Select Permanence for this blacklist entry. • Click Apply. • Click Add and then perform the following configurations, as shown in Figure 168: Figure 168 Adding a blacklist entry for Host C •...
Figure 169 Configuring intrusion detection • Select Enable Attack Defense Policy. • Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack Detection, and Add Source IP Address to the Blacklist. Clear all other options. • Click Apply. Verifying the configuration •...
Page 176
• Router provides Land attack protection and Smurf attack protection on Ethernet 0/2. Figure 170 Network diagram Configuration procedure # Configure IP addresses for the interfaces. (Details not shown.) # Enable the blacklist function. • Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform Figure 171.
Page 177
Figure 172 Adding a blacklist entry for Host D • Enter IP address 5.5.5.5, the IP address of Host D. • Select Permanence for this blacklist entry. • Click Apply. • Click Add and then perform the following configurations, as shown in Figure 173: Figure 173 Adding a blacklist entry for Host C •...
Page 178
Figure 174 Configuring intrusion detection • Select interface Ethernet0/2. • Select Enable Attack Defense Policy. • Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack Detection, and Add Source IP Address to the Blacklist. Clear all other options. •...
Configuring application control You can load applications, configure a custom application, and enable application control in the Web interface. Application control allows you to control which applications and protocols users can access on the Internet by specifying the destination IP address, protocol, operation type, and port. Application control can be based on a group of users or all users in a LAN.
Figure 175 Loading applications Configuring a custom application Select Security Setup > Application Control from the navigation tree, and then select the Custom Figure 176. Click Add to enter Application tab to enter the custom application list page, as shown in Figure 177.
Table 96 Configuration items Item Description Application Name Specify the name for the custom application. Protocol Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP carried protocols. IP Address Specify the IP address of the server of the applications to be controlled. Specify the port numbers of the applications to be controlled....
Application control configuration example Network requirements As shown in Figure 179, internal users access the Internet through Router. Configure application control on Router, so that no user can use MSN. Figure 179 Network diagram Configuration procedure # Load the application control file (assume that signature file p2p_default.mtd, which can prevent the use of MSN, is stored on the device)....
Page 183
Figure 181 Loaded applications # Enable application control. • Click the Application Control tab and then perform the following configurations, as shown in Figure 182. Figure 182 Configuring application control • Select MSN from the Loaded Applications area. • Click Apply.
Configuring webpage redirection CAUTION: Webpage redirection does not take effect on an interface where the portal function is enabled. Do not configure both functions on an interface. Webpage redirection leads an access user to a specified webpage when the user accesses the network for the first time.
Page 185
Item Description Redirection URL Enter a URL address to which the Web request is redirected. For example, http://192.0.0.1. Interval Type the time interval at which webpage redirection is triggered.
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table. You can manually configure routes. Such routes are called static routes. For more information about the routing table and static routes, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Routing Configuration Guide.
Figure 185 Static route configuration page Table Configure static routes as described in Table 98 Configuration items Item Description Destination IP Address Enter the destination IP address of the static route, in dotted decimal notation. Mask Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
Figure 186 Active route table Table 99 Field description Field Description Destination IP Address Destination IP address of the route. Mask Mask of the destination IP address. Protocol Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols. Preference Preference for the route....
Figure 187 Network diagram Configuration considerations Configure a default route with Router B as the next hop on Router A. On Router B, configure one static route with Router A as the next hop and the other with Router C as the next hop. Configure a default route with Router B as the next hop on Router C.
Page 190
a. Select Advanced > Route Setup from the navigation tree of Router B. b. Click the Create tab. c. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop. d. Click Apply. e. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop. f.
Configuration guidelines When you configure a static route, follow these guidelines: • If you do not specify the preference, the default preference is used. Reconfiguration of the default preference applies only to newly created static routes. The Web interface does not support configuration of the default preference.
Configuring user-based load sharing You can configure user-based load sharing through the Web interface. Overview A routing protocol can have multiple equal-cost routes to the same destination. These routes have the same preference, and are all used to accomplish load sharing if no route with a higher preference is available.
Item | Description
Bandwidth | Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface. For example, if the bandwidth of Ethernet 0/0 and Ethernet 0/1 is set to 200 kbps and 100 kbps, respectively, the load ratio is 2:1.
Configuring traffic ordering
You can do the following to configure traffic ordering on the Web interface:
• Setting the traffic ordering interval
• Specifying the traffic ordering mode
• Displaying internal interface traffic ordering statistics
• Displaying external interface traffic ordering statistics
Overview
When multiple packet flows (classified by their source addresses) are received or sent by a device, you can configure IP traffic ordering on the device to collect statistics of the flows in the...
Figure 191 Traffic ordering configuration page Specifying the traffic ordering mode Select Advanced > Traffic Ordering from the navigation tree. You can view and configure the interface for collecting traffic statistics in the upper part of the page. Select one or more boxes in front of the interfaces in the list: •...
Figure 192 Internal interface traffic ordering statistics page Displaying external interface traffic ordering statistics Select Advanced > Traffic Ordering from the navigation tree and click the Statistics of External Interfaces page. By default, the system arranges the entries in descending order of the total inbound traffic statistics, and displays the top five entries.
IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the DNS server translate them into correct IP addresses. For more information about DNS, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
Configuring DNS proxy
Task | Remarks
Enabling DNS proxy | Required. Enable DNS proxy on the device. Disabled by default.
Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers.
Enabling dynamic domain name resolution
From the navigation tree, select Advanced >...
Clearing the dynamic domain name cache
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page as shown in Figure 194. Select the Clear Dynamic DNS cache box. Click Apply.
Specifying a DNS server
From the navigation tree, select Advanced >...
Click Apply.
Domain name resolution configuration example
Network requirements
As shown in Figure 197, Router B serves as a DNS client and Router A is specified as a DNS server. Dynamic domain name resolution and the domain name suffix are configured on Router B, and therefore Router B can use domain name host to access the host with the domain name host.com and the IP address 3.1.1.1/24.
Figure 198 Creating a zone
Create a mapping between the host name and the IP address:
a. In Figure 199, right-click zone com.
b. Select New Host to bring up a dialog box as shown in Figure 200.
c. Enter host name host and IP address 3.1.1.1.
Figure 199 Adding a host...
Figure 200 Adding a mapping between domain name and IP address
Configuring the DNS proxy (Router A)
Enable DNS proxy on Router A:
a. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 201.
b.
Figure 202 Specifying a DNS server address
Configuring the DNS client (Router B)
Enable dynamic domain name resolution:
a. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the configuration page, as shown in Figure 203.
b.
Figure 204 Specifying the DNS server address
Configure the domain name suffix:
a. Click Add Suffix to enter the page as shown in Figure 205.
b. Enter com in DNS Domain Name Suffix.
c. Click Apply.
Figure 205 Configuring DNS domain name suffix
Verifying the configuration
Select Other >...
Configuring DDNS Overview Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
Configuration prerequisites • Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. • Specify the primary IP address of the interface and make sure the DDNS server and the interface can reach each other.
Item | Description
Settings
Server Name | Specify the server name of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org.
Figure 209 Network diagram Configuring DDNS on the router Before configuring DDNS on Router, register at http://www.3322.org/ (username steven and password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and make sure the devices are reachable to each other. Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1.
After the preceding configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent, as shown in Figure 212.
Figure 212 A typical DHCP relay agent application
For more information about DHCP, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
Recommended configuration procedure
Configuring the DHCP server
Task | Remarks
Configuration guidelines
If multiple VLAN interfaces sharing one MAC address request IP addresses using DHCP, the DHCP server cannot be a Windows 2000 server or a Windows 2003
Required. Enable DHCP globally. Disabled by default.
Task | Remarks
Configuring IP addresses excluded from dynamic allocation | Optional. Exclude IP addresses from automatic allocation in the DHCP address pool. To avoid address conflicts, the DHCP server excludes IP addresses used by the gateway or FTP server from dynamic allocation. By default, all IP addresses in the address pool, except the IP address of the DHCP server, can be assigned automatically.
Task | Remarks
Configure the DHCP relay agent on the current interface and correlate it with the DHCP server group. | Required. For the detailed configuration, see "Configuring DHCP interface setup." By default, the interface works as DHCP server. IMPORTANT: • At present, the DHCP relay agent configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual
Configuring a static address pool for the DHCP server
Select Advanced > DHCP Setup from the navigation tree.
Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown in Figure 214.
Select the Server option in the Type field and expand the Assignable IP Addresses node.
Select Static Binding option in the Address Allocation Mode field to expand the static address pool setup configuration section.
Table 106 Configuration items
Item | Description
Pool Name | Name of the static DHCP address pool.
Address Allocation Mode: Static Binding | Specify the static address allocation mode for the DHCP address pool.
IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified.
Figure 216 Dynamic address pool setup for the DHCP server
Configure the dynamic address pool for the DHCP server as described in Table 107.
Click Apply.
Table 107 Configuration items
Item | Description
Pool Name | Name of the dynamic DHCP address pool.
Address Allocation Mode: | Specify the dynamic address allocation mode for the DHCP address pool.
Item | Description
Lease Duration | Specify the lease for IP addresses to be assigned. NOTE: • If the lease has an end time specified later than the year 2106, the system considers it an expired lease. • The lease duration does not have the inherit attribute.
Specify a domain name suffix for the DHCP client.
Figure 217 IP address excluded from dynamic allocation setup
Configure IP addresses excluded from dynamic allocation as described in Table 108.
Click Apply.
Table 108 Configuration items
Item | Description
Start IP Address | Specify the lowest IP address excluded from dynamic allocation.
Specify the highest IP address excluded from dynamic allocation.
Figure 218 DHCP server group setup
Configure DHCP server group as described in Table 109.
Click Apply.
Table 109 Configuration items
Item | Description
Group ID | DHCP server group ID. You can create at most 20 DHCP server groups.
Server IP Address | Specifies the DHCP server IP addresses for the DHCP server group. IMPORTANT: The IP address of a DHCP server cannot be on the same network segment as that of...
DHCP configuration example without DHCP relay agent Network requirements The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25 respectively.
Figure 220 Enabling DHCP Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on interface Ethernet 0/1. Details not shown.) Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B: a.
Figure 221 DHCP static address pool configuration
Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS server address):
a. Enter pool0 in the Pool Name field, as shown in Figure 222.
b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c.
Figure 222 DHCP address pool 0 configuration
Configure DHCP address pool 1 (including the address range, lease duration, and gateway address):
a. Enter pool1 in the Pool Name field, as shown in Figure 223.
b. Select Dynamic Allocation in the Address Allocation Mode field.
c.
Figure 223 DHCP address pool 1 configuration
Configure DHCP address pool 2 (including the address range, lease duration and gateway IP address):
a. Enter pool2 in the Pool Name field, as shown in Figure 224.
b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c.
Figure 224 DHCP address pool 2 configuration
Exclude IP addresses from dynamic allocation (DNS server and gateway addresses):
a. Expand the Forbidden IP Addresses node.
b. Enter 10.1.1.2 in the Start IP Address field, enter 10.1.1.2 in the End IP Address field, click Apply, enter 10.1.1.126 in the Start IP Address field, as shown in Figure 225, enter...
Figure 225 Excluding IP addresses from dynamic allocation Configuring the DHCP client (Router B) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree, and then click the DHCP Interface Setup tab. Select Ethernet0/1 from the Interface list.
Figure 226 Enabling the DHCP client on interface Ethernet 0/1 DHCP relay agent configuration example Network requirements Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients reside. The IP address of Ethernet 0/1 is 10.10.1.1/24 and IP address of Ethernet 0/2 is 10.1.1.2/24 that connects to the DHCP server 10.1.1.1/24 (Router B).
c. Click Apply. Figure 228 DHCP enable Create a DHCP server group: a. Click the DHCP Interface Setup tab. b. Select Ethernet0/1 from the Interface list. c. Select the Relay option in the Type field. d. Expand the Add DHCP Server Group node. e.
Figure 230 The page for enabling the DHCP relay agent on interface Ethernet 0/1 Configuring the DHCP server (Router B) Specify addresses for interfaces. (Details not shown.) Enable DHCP: a. Select Advanced > DHCP Setup from the navigation tree of Router B Figure 231.
g. Select the Gateway IP Address box, and then enter 10.10.1.126. h. Select the Primary DNS Server box, and then enter 10.10.1.2. i. Click Apply. Figure 232 Dynamic DHCP address pool configuration Exclude IP addresses from dynamic allocation (DNS server and gateway addresses): Figure 233.
Figure 233 IP address excluded from dynamic allocation configuration Configure the DHCP client (Router C) To enable the DHCP client on interface Ethernet 0/1: Select Advanced > DHCP Setup from the navigation tree. Click the DHCP Interface Setup tab. Select Ethernet0/1 in the Interface field. Select the Client option in the Type field.
header ACLs | 4000 to 4999 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
For more information about IPv4 ACLs, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide.
Recommended IPv4 ACL configuration procedure
Step | Remarks
Required.
• You can only modify the existing rules of an ACL that uses the match order of config. When you modify a rule of such an ACL, you can choose to change just some of the settings, in which case the other settings remain the same. Adding an IPv4 ACL Select Advanced >...
Figure 236 The page for configuring a basic IPv4 ACL Table 112 Configuration items Item Description Select the basic IPv4 ACL for which you want to configure rules. ACLs available for selection are basic IPv4 ACLs. Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system will assign one automatically.
Item | Description
Time Range | Select the time range during which the rule takes effect. The time ranges available for selection must have been created at the CLI on the router.
Configuring a rule for an advanced IPv4 ACL
Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Advanced Config tab to enter the rule configuration page for an advanced IPv4 ACL.
Figure 237 The page for configuring an advanced IPv4 ACL...
Select the advanced IPv4 ACL for which you want to configure rules. You can use command line interface to create advanced IPv4 ACLs. For more information, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide. Also, when you configure advanced bandwidth limit and advanced bandwidth guarantee, the system automatically creates advanced IPv4 ACLs.
Item Description Source Select the operators and, enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list. Different operators have different configuration requirements for the port number fields: •...
You can use command line interface to create Ethernet frame header IPv4 ACLs. For more information, see HPE FlexNetwork MSR Router Series Comware 5 ACL and QoS Configuration Guide. Select the Rule ID box, and enter a number for the rule.
Item | Description
Address Filter: Source MAC Address, Source Mask | Select the Source MAC Address box, and enter a source MAC address and wildcard.
Address Filter: Destination MAC Address, Destination Mask | Select the Destination MAC Address box, and enter a destination MAC address and wildcard.
COS(802.1p priority) | Specify the 802.1p priority for the rule.
Configuring QoS The Web interface provides the following QoS configuration functions: • Configuring subnet limit • Configuring advanced limit • Configuring advanced queue Overview Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
• Bandwidth guarantee—When congestion occurs to a port, class-based queuing (CBQ) classifies packets into different classes according to user-defined match criteria and assigns these classes to their queues. Before assigning packets to a queue, CBQ performs bandwidth restriction check. When being dequeued, packets are scheduled by WFQ. Advanced queue applies to only outgoing packets of interfaces.
Table 115 Configuration items
Item | Description
Start Address, End Address | Set the address range of the subnet where rate limit is to be performed.
Interface | Specify the interface to which the subnet limit is to be applied.
Set the average traffic rate allowed.
Set the rate limit method: •...
Figure 242 Advanced limit setting Table 116 Configuration items Item Description Description Configure a description for the advanced limit policy for management sake.
Item | Description
Interface | Specify the interface to which the advanced limit is to apply.
Direction | Set the direction where the rate limit applies: • Download—Limits the rate of incoming packets of the interface. • Upload—Limits the rate of outgoing packets of the interface.
Set the average traffic rate allowed.
Configuring interface bandwidth Select Advanced > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue page. Select an interface from the Interface Name list, and then configure and view the CIR of the interface. Figure 243 Advanced queue Table 117 Configuration items Item Description...
Configuring bandwidth guarantee Select Advanced > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue page. In the Application Bandwidth area, all bandwidth guarantee policies are displayed. Click Add to enter the page for creating a bandwidth guarantee policy. Figure 244 Creating a bandwidth guarantee policy...
Table 118 Configuration items
Item | Description
Description | Configure a description for the bandwidth guarantee policy for management sake.
Queue Type | Set the service class queue type: • EF (Expedited Forwarding)—Provides absolutely preferential queue scheduling for the EF service so as to ensure low delay for real-time data traffic. At the same time, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
QoS configuration examples
Subnet limit configuration example
Network requirements
As shown in Figure 245, limit the rate of packets leaving Ethernet 1/1 of Router. Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.
Select interface Ethernet 1/1. Enter 5 in the CIR field. Select Per IP in the Type list. Select Upload from the Direction list. Click Apply.
Advanced queue configuration example
Network requirements
As shown in Figure 247, data traffic from Router C reaches Router D by the way of Router A and then Router B.
Figure 248 Configuring assured forwarding a. Enter the description test-af. b. Select AF (Assured Forwarding) in the Queue Type list. c. Select interface Ethernet0/0. d. Enter 40 in the Bandwidth field. e. Enter 10, 18 in the DSCP field. f. Click Apply. # Perform EF for traffic with DSCP field EF.
Figure 249 Configuring expedited forwarding a. Enter the description test-ef. b. Select EF (Expedited Forwarding) in the Queue Type list. c. Select interface Ethernet0/0. d. Enter 240 in the Bandwidth field. e. Enter 46 in the DSCP field. f. Click Apply. After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in the network.
Appendix Packet precedences
IP precedence and DSCP values
Figure 250 DS field and ToS field
As shown in Figure 250, the ToS field of the IP header contains 8 bits: the first 3 bits (0 to 2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is represented by the first 6 bits (0 to 5) and is in the range 0 to 63.
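The bit layout described above, as an added Python example that is not part of the HPE guide: it pulls the ToS/DS byte out of a raw IPv4 header, derives IP precedence and DSCP, names the DSCP, and matches it against the two bandwidth guarantee policies from the advanced queue example (test-af for DSCP 10 and 18, test-ef for DSCP 46). The function names and the sample header are constructed for illustration, and the cs1 to cs7 names follow the RFC 2474 class selector convention.

```python
"""Decode the ToS/DS byte of an IPv4 header and match it to a queue policy."""

# The two bandwidth guarantee policies from the guide's advanced queue
# example, keyed by description: AF for DSCP 10 and 18, EF for DSCP 46.
QUEUE_POLICIES = {
    "test-af": {"queue_type": "AF", "dscp": {10, 18}},
    "test-ef": {"queue_type": "EF", "dscp": {46}},
}


def tos_from_ipv4_header(header: bytes) -> int:
    """Return the ToS/DS byte (the second byte) of a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes long")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1]


def decode_ds_byte(tos: int) -> dict:
    """Split the 8-bit field into IP precedence, DSCP and the remaining bits."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("the ToS/DS field is a single byte")
    return {
        "ip_precedence": tos >> 5,   # first 3 bits (0 to 2): 0..7
        "dscp": tos >> 2,            # first 6 bits (0 to 5): 0..63
        "remaining_bits": tos & 0b11,  # last 2 bits, not part of the DSCP
    }


def dscp_keyword(dscp: int):
    """Return the keyword for a DSCP value, or None if it has no keyword."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is in the range 0 to 63")
    if dscp == 0:
        return "be"
    if dscp == 46:
        return "ef"
    traffic_class, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"cs{traffic_class}"          # class selector, e.g. 001000
    if 1 <= traffic_class <= 4 and low in (2, 4, 6):
        return f"af{traffic_class}{low >> 1}"  # e.g. 011110 is af33
    return None


def match_queue_policy(header: bytes):
    """Return the name of the policy whose DSCP list matches, else None."""
    dscp = decode_ds_byte(tos_from_ipv4_header(header))["dscp"]
    for name, policy in QUEUE_POLICIES.items():
        if dscp in policy["dscp"]:
            return name
    return None


def sample_header(tos: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left at zero) for the demo."""
    return bytes([0x45, tos, 0x00, 0x14, 0, 0, 0, 0, 64, 6, 0, 0,
                  2, 1, 1, 1, 2, 2, 2, 1])


if __name__ == "__main__":
    for tos in (0x28, 0x48, 0xB8, 0x78, 0x00):
        fields = decode_ds_byte(tos)
        print(f"ToS 0x{tos:02x}: precedence={fields['ip_precedence']} "
              f"dscp={fields['dscp']} "
              f"keyword={dscp_keyword(fields['dscp'])} "
              f"policy={match_queue_policy(sample_header(tos))}")
```

Traffic whose DSCP is outside both lists (for example 30, af33) matches neither policy in this sketch, which mirrors the guide's example where only DSCP 10, 18 and 46 are assigned to a queue.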
DSCP value (decimal) DSCP value (binary) Keyword 011110 af33 100010 af41 100100 af42 100110 af43 001000 010000 011000 100000 101000 110000 111000 000000 be(default) 802.1p priority 802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2.
SNMP agent—Works on a managed device to receive and handle requests from the NMS, and send traps to the NMS when some events, such as interface state change, occur. HPE devices support SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
Task | Remarks
Configuring an SNMP community | Required.
Configuring the SNMP trap function | Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics | Optional.
Figure 253 Setup tab
Configure the SNMP agent, as shown in Table 122.
Table 122 Configuration items
Item | Description
SNMP | Specify to enable or disable the SNMP agent function.
Local Engine ID | Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent.
Item | Description
Contact | Set a character string to describe the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to contact information for the device.
Location | Set a character string to describe the physical location of the device.
SNMP Version | Set the SNMP version run by the system.
Figure 256 Creating an SNMP view (2) Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules, click Apply to create an SNMP view.
Figure 257 Adding rules to an SNMP view
You can also click the icon corresponding to the specified view on the page as shown in Figure 254, and then you can enter the page to modify the view.
Configuring an SNMP community
Select Advanced >...
Table 124 Configuration items
Item | Description
Community Name | Set the SNMP community name.
Access Right | Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent.
Figure 261 Creating an SNMP group
Configure the SNMP group, as shown in Table 125.
Table 125 Configuration items
Item | Description
Group Name | Set the SNMP group name.
Select the security level for the SNMP group. The available security levels are: •...
Figure 262 SNMP user
Click Add to enter the Add SNMP User page, as shown in Figure 263.
Figure 263 Creating an SNMP user
Configure the SNMP user, as shown in Table 126.
Table 126 Configuration items
Item | Description
User Name | Set the SNMP user name.
Item | Description
Group Name | Select an SNMP group to which the user belongs: • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication no privacy. • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication no privacy or authentication without privacy.
Figure 265 Adding a target host of SNMP traps
Configure the SNMP traps, as shown in Table 127.
Table 127 Configuration items
Item | Description
Destination IP Address | Set the destination IP address. Select the IP address type: IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field according to the IP address type.
Figure 266 SNMP Statistics page
SNMPv1/v2c configuration example
Network requirements
As shown in Figure 267, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the SNMP agent at 1.1.1.1/24, and the agent automatically sends traps to report events to the NMS.
Figure 267 Network diagram
Configuring the agent
Enable SNMP:
Figure 268 Enabling SNMP
Configure an SNMP community:
a. Click the Community tab and then click Add. Perform the following configuration as shown in Figure 269.
b. Type public in the field of Community Name.
c. Select Read only from the Access Right list.
d.
Figure 270 Configuring SNMP community named private
f. Type private in the field of Community Name.
g. Select Read and write from the Access Right list.
h. Click Apply.
Enable Agent to send SNMP traps:
a. Click the Trap tab and perform the following configuration as shown in Figure 271.
b.
e. Select v1 from the Security Model list. (This configuration must be the same as that running on the NMS; otherwise, the NMS cannot receive any trap.) f. Click Apply. Figure 272 Adding target hosts of SNMP traps Configuring the NMS The configuration on NMS must be consistent with that on the agent.
Figure 273 Network diagram
Configuring the agent
Enable SNMP:
a. Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform the following configuration as shown in Figure 274.
b. Select the Enable radio box.
c.
Figure 275 Setting the name of the view to be created
Figure 276 Adding a view named view1
d. Select the Included radio box.
e. Type the MIB subtree OID interfaces.
f. Click Add.
g. Click Apply. A configuration progress dialog box appears, as shown in Figure 277.
h.
Figure 277 Configuration progress dialog box
Configure an SNMP group:
a. Click the Group tab and then click Add. Perform the following configuration as shown in Figure 278.
b. Type group1 in the Group Name field.
c. Select view1 from the Read View list.
d.
f. Type authkey in the Authentication Password and Confirm Authentication Password fields. g. Select DES56 from the Privacy Mode list. h. Type prikey in the Privacy Password and Confirm Privacy Password fields. i. Click Apply. Figure 279 Configuring an SNMP user Enable Agent to send SNMP traps: Figure 280.
b. Select the destination IP address type as IPv4/Domain. c. Type the destination address 1.1.1.2. d. Type the user name user1. e. Select v3 from the Security Model list. f. Select Auth/Priv from the Security Level list. g. Click Apply. Figure 281 Adding target hosts of SNMP traps Configuring the NMS The configuration on the NMS must be consistent with that on the agent.
A transparent bridging device keeps a bridge table, which contains mappings between destination MAC addresses and outbound interfaces. For more information about transparent bridging, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—WAN Configuration Guide. Major functionalities of bridges Maintaining the bridge table A bridge relies on its bridge table to forward data.
Figure 282 Host A sends an Ethernet frame to Host B on LAN 1 (diagram: Host A, MAC address 00e0.fcaa.aaaa, and Host B, MAC address 00e0.fcbb.bbbb, on LAN segment 1 at bridge interface 1; Host C and Host D on LAN segment 2 at bridge interface 2; the frame has source address 00e0.fcaa.aaaa and destination address 00e0.fcbb.bbbb)
Figure 284 The bridge determines that Host B is also attached to interface 1 (diagram: a frame on LAN segment 1 with source address 00e0.fcbb.bbbb and destination address 00e0.fcaa.aaaa; the bridge table, with MAC address and Interface columns, lists 00e0.fcaa.aaaa and 00e0.fcbb.bbbb...)
Figure 286 Forwarding (diagram: a frame on LAN segment 1 with source address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc; the bridge table, with MAC address and Interface columns, lists 00e0.fcaa.aaaa, 00e0.fcbb.bbbb, 00e0.fccc.cccc, and 00e0.fcdd.dddd...)
Figure 288 The proper MAC-to-interface mapping is not found in the bridge table When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than the receiving interface. VLAN transparency VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN tags.
Figure 289 Global config Table 128 Configuration items Item Remarks Bridge Group id Set the ID of the bridge set you want to enable. Adding an interface to a bridge set Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the Figure 290.
Figure 290 Configuring interface
Table 129 Configuration items
Item | Remarks
Interface | Select the interface you want to configure.
Bridge Group | Set the ID of the bridge set to which you want to add the interface.
VLAN Transmit | Enable or disable VLAN transparency on the interface. Hewlett Packard Enterprise recommends not enabling this function on a subinterface.
Figure 291 Network diagram (diagram labels: Switch A in office area A, Switch B in office area B, Router A, Router B, trunk links, interfaces Eth1/1 and Eth1/2)
Configuration procedure
Configure Router A:
# Enable bridge set 2.
a. Select Advanced > Bridge from the navigation tree to enter the Global config page.
Figure 292 Enabling bridge set 2
a.
Figure 293 Assigning Ethernet 1/1 to bridge set 2 and enable VLAN transparency b. Select Ethernet1/1 from the Interface list. c. Select 2 from the Bridge Group list. d. Select Enable from the VLAN Transmit list. e. Click Apply. # Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency. Figure 294 Assigning Ethernet 1/2 to bridge set 2 and enable VLAN transparency b.
Configuring user groups You can add hosts in a LAN to a user group and perform access control, application control, bandwidth control, and packet filtering on a per user group basis. • Access control—Allows you to deny access from hosts during specific time ranges. All data packets matching these criteria will be denied access to the Internet.
Figure 295 User group configuration
Table 131 describes the user group configuration item.
Table 131 Configuration item
Item | Description
User Group Name | Set the name of the group to be added. The group name is a character string beginning with letters. The string cannot contain any question mark (?) or space.
Figure 296 User configuration Table 132 describes the user configuration items. Table 132 Configuration items Item Description Please select a user group Select the group to which you want to add users. Set the mode in which the users are added. •...
Figure 297 Access control configuration
Table 133 describes the access control configuration items.
Table 133 Configuration items
Item | Description
Please select a user group | Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups.
Figure 298 Application control
Table 134 describes the application control configuration items.
Table 134 Configuration items
Item | Description
Please select a user group | Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups.
Figure 299 Bandwidth control configuration
Table 135 describes the bandwidth control configuration items.
Table 135 Configuration items
Item | Description
Please select a user group | Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.
Figure 300 Packet filtering configuration
Table 136 describes the packet filtering configuration items.
Table 136 Configuration items
Item | Description
Please select a user group | Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.
Item | Description
ToPort | • If you select Range as the operator, you must specify both start and end ports to define a port range. • If you select other option as the operator, only a start port needs to be specified.
Page 294
Figure 302 Network diagram Creating user groups staff (for common users) and manager (for the manager) Select Advanced > Security > Usergroup to enter the group configuration page. Perform the configurations as shown in Figure 303. Figure 303 Creating user groups staff and manager Enter staff as a user group name.
Page 295
Figure 304 Adding users to user group staff Select staff from the user group list. Select Dynamic as the add mode. The following area then displays the IP addresses and MAC addresses of all the hosts in the private network that connects to the Router. Select the entries of Host B, Host C, and Host D.
Page 296
After the configuration process is complete, click Close. Figure 306 Adding users to user group manager Select manager from the user group list. Select Static for Add Mode. Enter hosta as the username. 10. Enter 192.168.1.11 as the IP address. 11.
Page 297
Figure 307 Configuring access control for user group staff Select staff from the user group list. Select the boxes for Monday through Friday. Specify 09:00 as the start time. Specify 18:00 as the end time. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close.
Page 298
Select the From Device option, and select file p2p_default. Click Apply. You can then see that MSN is among the loaded applications on the lower part of the page. Configuring application control for user group staff Select Advanced > Security > Application Control from the navigation tree, and perform the Figure 309.
Page 299
Figure 310 Configuring bandwidth control to user groups staff and manager Select the staff user group. Enter 8 for the CIR. Click Apply. A configuration progress dialog box appears. After the configuration process is complete, click Close. Select the manager user group. Enter 54 for the CIR.
Page 300
Figure 311 Configuring packet filtering for user group staff Select staff from the user group list. Select IP as the protocol. Select the Destination IP Address box. Enter 2.2.2.1 as the destination IP address. Enter 0.0.0.0 as the destination wildcard. Click Apply.
Configuring MSTP Only MSR20/30/36/50 routers support this feature. As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
Designated bridge and designated port
Classification | Designated bridge | Designated port
For a device | Device directly connected to the local device and responsible for forwarding BPDUs to the local device. | Port through which the designated bridge forwards BPDUs to the local device.
For a LAN | Device responsible for forwarding... | Port through which the designated bridge...
Page 303
• Forward delay—Delay used by STP bridges to transit the state of the root and designated ports to forwarding. For simplicity, the descriptions and examples in this document involve only the following fields in the configuration BPDUs: • Root bridge ID (represented by device priority) •...
Page 304
Step Description Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the rest ports. • The root bridge ID is replaced with that of the configuration BPDU of the root port.
Page 305
Device Port name BPDU of port {0, 0, 0, AP2} {1, 0, 1, BP1} Device B {1, 0, 1, BP2} {2, 0, 2, CP1} Device C {2, 0, 2, CP2} BPDU comparisons on each device. Table 140 Comparison process and result on each device BPDU of port after Device Comparison process...
Page 306
BPDU of port after Device Comparison process comparison • Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
Page 307
Figure 314 The final calculated spanning tree STP configuration BPDU forwarding mechanism • Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval. •...
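The BPDU comparison and port-role rules described above can be traced in code. The following is an added example, not code from the manual or from HPE: the bridge IDs and port names follow the three-device example, while the link path costs (5, 10, 4) and the function name elect are assumptions of this sketch.

```python
"""STP root and port-role election from BPDU comparison (constructed example)."""

# A BPDU is written as on the page:
# {root bridge ID, root path cost, designated bridge ID, designated port ID}.
# Python compares tuples field by field, so the smaller tuple is the superior BPDU.

# Constructed topology: bridge IDs 0, 1, 2 and port names follow the page's
# three-device example; the link path costs (5, 10, 4) are assumptions.
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]
BRIDGE_OF = {"AP1": 0, "AP2": 0, "BP1": 1, "BP2": 1, "CP1": 2, "CP2": 2}


def elect(links=LINKS, bridge_of=BRIDGE_OF):
    """Return (state per bridge, role per port) once the election is stable."""
    peers = {}
    for a, b, cost in links:
        peers[a] = (b, cost)
        peers[b] = (a, cost)
    bridges = sorted(set(bridge_of.values()))
    # On network initiation every device regards itself as the root bridge.
    state = {b: {"root": b, "cost": 0, "root_port": None} for b in bridges}

    def advertised(port, snapshot):
        """BPDU the port would send if it were the designated port."""
        owner = bridge_of[port]
        return (snapshot[owner]["root"], snapshot[owner]["cost"], owner, port)

    for _ in range(2 * len(bridges)):  # enough rounds for a small network
        new_state = {}
        for b in bridges:
            best_bpdu, best_port = (b, 0, b, ""), None  # itself as root
            for port in (p for p, owner in bridge_of.items() if owner == b):
                peer, link_cost = peers[port]
                root, cost, des_bridge, des_port = advertised(peer, state)
                # Root path cost through this port = received cost + port cost.
                candidate = (root, cost + link_cost, des_bridge, des_port)
                if candidate < best_bpdu:
                    best_bpdu, best_port = candidate, port
            new_state[b] = {"root": best_bpdu[0], "cost": best_bpdu[1],
                            "root_port": best_port}
        if new_state == state:
            break
        state = new_state

    roles = {}
    for port, owner in bridge_of.items():
        if state[owner]["root_port"] == port:
            roles[port] = "root"
            continue
        peer, _ = peers[port]
        # The device calculates a designated-port BPDU for each remaining port
        # and keeps the port forwarding only if that BPDU is superior to the
        # one on the other end of the link; otherwise the port is blocked.
        mine, theirs = advertised(port, state), advertised(peer, state)
        roles[port] = "designated" if mine < theirs else "blocked"
    return state, roles


if __name__ == "__main__":
    final_state, final_roles = elect()
    for bridge, info in final_state.items():
        print("bridge", bridge, info)
    for port, role in sorted(final_roles.items()):
        print(port, role)
```

With the assumed costs, Device C reaches the root more cheaply through Device B (5 + 4 = 9) than over its direct link (10), so CP2 becomes its root port and CP1 is blocked.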
Introduction to RSTP Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much quicker under certain conditions than in STP. In RSTP, a newly elected root port can enter the forwarding state rapidly if this condition is met: the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.
MSTP basic concepts Figure 315 Basic concepts in MSTP Assume that all devices in Figure 315 are running MSTP. This section explains some basic concepts of MSTP. MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them.
Page 310
VLAN-to-instance mapping table As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 315, for example, the VLAN-to-instance mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
Port roles MSTP calculation involves the following port roles: root port, designated port, master port, boundary port, alternate port, and backup port. • Root port—Port responsible for forwarding data to the root bridge. • Designated port—Port responsible for forwarding data to the downstream network segment or device.
A port can have different port states in different MSTIs. A port state is not exclusively associated with a port role. Table 141 lists the port states supported by each port role. ("√" indicates that the port state is available for the corresponding port role and "—" indicates that the port state is not available for the corresponding port role.) Table 141 Ports states supported by different port roles Port role...
• Support for hot swapping of interface cards and active/standby changeover Protocols and standards • IEEE 802.1d, Spanning Tree Protocol • IEEE 802.1w, Rapid Spanning Tree Protocol • IEEE 802.1s, Multiple Spanning Tree Protocol Configuration restrictions and guidelines When you configure MSTP, follow these restrictions and guidelines: •...
Step | Remarks
Configuring MSTP globally. | Required. Enable MSTP globally and configure MSTP parameters. By default, MSTP is disabled globally. All MSTP parameters have default values.
Configuring MSTP on port. | Optional. Enable MSTP on a port and configure MSTP parameters. By default, MSTP is enabled on a port, and all MSTP parameters adopt the default values.
Table 142 Configuration items
Item | Description
Region Name | MST region name. The MST region name is the bridge MAC address of the device by default.
Revision Level | Revision level of the MST region.
Manual (Instance ID and VLAN ID) | Manually add VLAN-to-instance mappings. Click Apply to add a VLAN-to-instance mapping entry to the list.
Page 316
Figure 319 Configuring MSTP globally
Table 143 Configuration items
Item | Description
Enable STP Globally | Enable or disable STP globally: • Enable—Enable STP globally. • Disable—Disable STP globally. Other MSTP configurations can take effect only after you enable STP globally.
Enable or disable BPDU guard globally: •...
Page 317
Item | Description
Mode | Set the STP operating mode: • STP mode—All ports of the device send out STP BPDUs. • RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
Page 318
Item Description Set the timers: • Forward Delay—Set the delay for the root and designated ports to transit to the forwarding state. The length of the forward delay time is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be.
Configuring MSTP on a port From the navigation tree, select Advanced > MSTP > Port. The MSTP Port Configuration page appears, as shown in Figure 320. Figure 320 MSTP configuration of a port (1) Click the Operation icon for a port. Figure 321.
Page 320
Item | Description
Point to Point | Specify whether the port is connected to a point-to-point link: • Auto—Automatically detects whether the link type of the port is point-to-point. • Force False—Specifies that the link type for the port is not point-to-point link. •...
MSTP configuration example Network requirements As shown in Figure 322, all routers on the network are in the same MST region. Router A and Router B work on the distribution layer. Router C and Router D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of VLAN 20 along MSTI 0.
Page 322
e. Select 1 from the Instance list. f. Set the VLAN ID to 10. g. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the VLAN-to-instance mapping list. h. Repeat the preceding steps to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4, and then add the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list.
Page 323
Figure 324 Configuring global MSTP parameters on Router A Configure Router B: # Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A.
Page 324
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. Configure the MST region in the same way the MST region is configured on Router A. # Enable MSTP globally: a.
Page 325
Ethernet0/2 ALTE DISCARDING NONE
Ethernet0/3 ROOT FORWARDING NONE
Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 325. Figure 325 MSTIs corresponding to different VLANs...
RADIUS provides access authentication, authorization, and accounting services. The accounting function collects and records network resource usage information. For more information about RADIUS and AAA, see HPE FlexNetwork MSR Router Series Comware 5 Security Command Reference. Configuring a RADIUS scheme A RADIUS scheme defines a set of parameters that the device uses to exchange information with the RADIUS servers.
Figure 327 RADIUS scheme configuration page
Configure the parameters, as described in Table 146. Click Apply.
Table 146 Configuration items
Item | Description
Scheme Name | Enter a name for the RADIUS scheme.
Common Configuration | Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets.
Page 328
Figure 328 Common configuration
Configure the parameters, as described in Table 147.
Table 147 Configuration items
Item | Description
Server Type | Select the type of the RADIUS servers supported by the device: • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
Page 329
Item | Description
Authentication Key, Confirm Authentication Key | Set the shared key for authenticating RADIUS authentication packets and that for authenticating RADIUS accounting packets. The RADIUS client and the RADIUS server use MD5 to encrypt RADIUS packets. They verify packets through the specified shared key. The client and the server can receive and respond to packets from each other only when they use the same shared key.
Item | Description
Security Policy Server | Specify the IP address of the security policy server.
RADIUS Packet Source IP | Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server. Hewlett Packard Enterprise recommends using a loopback interface address instead of a physical interface address as the source IP address.
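In the standard RADIUS protocol (RFC 2865), the shared key never travels on the wire: it is mixed into MD5 computations that hide the User-Password attribute and authenticate the server's reply, which is why both ends must hold the same key. The following is an added example, not code from the manual or from HPE; the key expert comes from the configuration example on this page, and the username, password and function names are constructed for illustration.

```python
"""How a RADIUS shared key is used with MD5 (RFC 2865), constructed example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # packet codes
USER_NAME, USER_PASSWORD = 1, 2           # attribute types


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _xor_blocks(data, secret, request_auth, chain_on_output):
    """XOR 16-byte blocks with MD5(secret + previous hidden block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(d ^ k for d, k in zip(data[i:i + 16], pad))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(password, secret, request_auth):
    """Pad to a multiple of 16 bytes, then hide with the keyed MD5 stream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_blocks(padded, secret, request_auth, chain_on_output=True)


def reveal_password(hidden, secret, request_auth):
    """Server side: only the same shared key recovers the password."""
    plain = _xor_blocks(hidden, secret, request_auth, chain_on_output=False)
    return plain.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    request_auth = os.urandom(16)   # Request Authenticator, random per request
    attrs = attr(USER_NAME, username) + attr(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attrs(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    digest = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + digest + attrs


def verify_response(response, request, secret):
    """Client side: reject replies that were not computed with our shared key."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Run one exchange with a matching and a mismatched server key."""
    device_key = b"expert"                  # shared key from the page's example
    password = b"Passw0rd-constructed"      # constructed sample value
    request = build_access_request(1, b"user1", password, device_key)
    hidden = parse_attrs(request)[USER_PASSWORD]
    results = {}
    for label, server_key in (("same key", b"expert"), ("different key", b"Expert")):
        recovered = reveal_password(hidden, server_key, request[4:20])
        reply = build_response(ACCESS_ACCEPT, request, b"", server_key)
        results[label] = (recovered == password,
                          verify_response(reply, request, device_key))
    return results


if __name__ == "__main__":
    print(demo())
```

With a mismatched key the server recovers a garbage password and the device discards the reply, which is the behavior the table describes as being unable to receive and respond to each other's packets.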
Table 148 Configuration items
Item | Description
Server Type | Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.
IP Address | Specify the IPv4 or IPv6 address of the RADIUS server. The IP addresses of the primary and secondary servers for a scheme must be different.
Page 332
f. Log in to CAMS. g. Select System Management > System Configuration from the navigation tree. h. In the System Configuration page, click Modify for Access Device. i. Click Add. j. Enter 10.1.1.2 as the IP address of the device. k.
Page 333
Figure 332 Adding a user account Configuring the RADIUS server on IMC This example assumes that the RADIUS server runs on IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102. Add the router to IMC as an access device: a. Log in to IMC: b.
Page 334
Figure 333 Adding an access device Add a user account: a. Log in to IMC: b. Click the User tab. c. Select Access User View > All Access Users from the navigation tree. d. Click Add. e.
Page 335
Figure 334 Adding an account for device management Configuring the router Configure the IP address of each interface. (Details not shown.) Configure a RADIUS scheme: a. Select Advanced > RADIUS from the navigation tree. b. Click Add. c. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server type, select Without domain name for the username format.
Page 336
e. To add the primary accounting server, click Add again in the RADIUS Server Configuration area, select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter 1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply.
Use either approach to configure the AAA methods for domain bbb: Configure the same scheme for authentication and authorization in domain bbb because RADIUS authorization information is included in the authentication response message.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit
...
Page 338
When the primary server and secondary servers are all in the blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked. If one server is in the active state but all the others are in the blocked state, the device only tries to communicate with the server in the active state, even if the server is unavailable.
Configuring login control The login control feature allows you to control Web or Telnet logins by IP address and login type. Configuration procedure Select Advanced > Access from the navigation tree. The login control configuration page appears. The upper part of the page allows you to configure login control rules, and the lower part displays existing login control rules.
Login control configuration example Network requirements As shown in Figure 339, configure login control rules so Host A cannot Telnet to Router, and Host B cannot access Router through the Web. Figure 339 Network diagram Configuring a login control rule so Host A cannot Telnet to Router Select Advanced >...
A configuration progress dialog box appears, as shown in Figure 341. Figure 341 Configuration progress dialog box After the setting is complete, click Close. Configuring a login control rule so Host B cannot access Router through the Web From the navigation tree, select Advanced > Access. The page for configuring login control rules appears.
Page 342
Figure 342 Configuring a login control rule so Host B cannot access Router through the Web...
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding MAC address. For more information about ARP, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide.
The ARP table management page appears, as shown in Figure 343. Click Add. The New Static ARP Entry page appears. Figure 344 Adding a static ARP entry Configure the parameters as described in Table 151. Click Apply. Table 151 Configuration items Item Description IP Address...
Figure 345 Managing dynamic entries • To disable all the listed interfaces from learning dynamic ARP entries, click Disable all. • To disable specific interfaces from learning dynamic ARP entries, select target interfaces and click Disable selected. • To allow all the listed interfaces to learn dynamic ARP entries, click Enable all. •...
Figure 347 Configuring gratuitous ARP
Table 152 Configuration items
Item | Description
Disable gratuitous ARP packets learning function | Disable learning of ARP entries according to gratuitous ARP packets.
Send gratuitous ARP packets when receiving ARP requests from another network segment | Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment.
Page 347
c. Enter 10 for VLAN IDs. d. Select the Create VLAN Interface box. e. Click Apply. Figure 349 Creating VLAN 10 and VLAN-interface 10 Add Ethernet 0/1 to VLAN 10: Figure 350, on the VLAN Setup page, select 10 in the VLAN Config field. a.
Page 348
Figure 351 The configuration progress dialog box Configure the IP address of VLAN-interface 10: a. Click the VLAN Interface Setup tab. b. Select 10 for Select a VLAN as shown in Figure 352. c. Enter 192.168.1.2 for IP Address. d. Enter 255.255.255.0 for Subnet Mask. e.
Page 349
c. Enter 00e0-fc01-0000 for MAC Address. d. Select the Advanced Options box. e. Enter 10 for VLAN ID. f. Select Ethernet0/1 for Port. g. Click Apply. Figure 353 Creating a static ARP entry View information about static ARP entries: a. After the previous configuration is complete, the page returns to display ARP entries. Select Type for Search.
Configuring ARP attack protection Overview ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks. ARP attacks and viruses threaten LAN security. The device can provide the following features to detect and prevent such attacks. Periodic sending of gratuitous ARP packets Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time.
Table 153 Configuration items Item Description Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent. To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list and click <<.
Item Description Enter the address range for ARP automatic scanning. • To reduce the scanning time, you can specify the address range for scanning. If the specified address range covers multiple network segments of the interface's addresses, the sender IP address in the ARP request is the interface's address on the smallest network segment.
Page 353
Figure 357 Configuring fixed ARP • To change all dynamic ARP entries into static, click Fix All. This operation does not affect existing static ARP entries. • To remove all static ARP entries, click Del All Fixed. This operation does not affect dynamic ARP entries.
Even if a third party captures all exchanged data for calculating the keys, it cannot calculate the keys. For more information about IPsec and IKE, see HPE MSR Router Series Comware 5 Security Configuration Guide.
Configuring an IPsec connection Select VPN > IPsec VPN from the navigation tree to enter the IPsec connection management page. Figure 358 IPsec connection management page Click Add to enter the page for adding an IPsec connection. Figure 359 Adding an IPsec connection Table 155.
Page 357
Item Description Enter the address of the remote gateway, which can be an IP address or a host name. The IP address can be a host IP address or an IP address range. If the local end is the initiator of IKE negotiation, it can have only one remote IP address and its remote IP address must match the local IP address configured on its peer.
Page 358
Item Description • Characteristics of Traffic—Identifies traffic to be protected based on the Source source address/wildcard and destination address/wildcard specified. Address/Wildcard • Designated by Remote Gateway—The remote gateway determines the data to be protected. IMPORTANT: • To make sure SAs can be set up, configure the source address/wildcard on one peer as the destination address/wildcard on the other, and the Destination destination address/wildcard on one peer as the source address/wildcard on...
Page 359
Figure 360 Advanced configuration Perform advanced connection configuration as described in Table 156. Click Apply. Table 156 Configuration items Item Description Phase 1 Select the IKE negotiation mode in phase 1, which can be main or aggressive. IMPORTANT: • If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive.
Page 360
Item | Description
Encryption Algorithm | Select the encryption algorithm to be used in IKE negotiation. Options include: • DES-CBC—Uses the DES algorithm in CBC mode and 56-bit key. • 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit key. • AES-128—Uses the AES algorithm in CBC mode and 128-bit key. •...
Item | Description
Encapsulation Mode | Select the IP packet encapsulation mode. Options include: • Tunnel—Uses the tunnel mode. • Transport—Uses the transport mode.
Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature. Options include: • None—Disables PFS. •...
Page 362
To delete all ISAKMP SAs of all IPsec connections, click Delete ISAKMP SA. To delete IPsec tunnels that use the configuration of an IPsec connection, select the IPsec connection, and click Delete Selected Connection's Tunnels. Figure 361 Monitoring information Table 157 Fields of the IPsec connection list Field Description Status of an IPsec connection.
IPsec VPN configuration example Network requirements As shown in Figure 362, configure an IPsec tunnel between Router A and Router B to protect traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Enable IPsec RRI on Router A and specify the next hop as 2.2.2.2. Figure 362 Network diagram Configuring Router A Assign IP addresses to the interfaces.
Page 364
Figure 363 Adding an IPsec connection Configuring Router B Assign IP addresses to the interfaces. (Details not shown.) Configure a static route to Host A: a. Select Advanced > Route Setup from the navigation tree. b. Click the Create tab. The page as shown in Figure 364 appears.
Configure an IPsec connection. a. Select VPN > IPsec VPN from the navigation tree. b. Click Add to enter the IPsec connection configuration page (see Figure 363). c. Enter map1 as the IPsec connection name. d. Select interface Ethernet0/1. e. Enter 2.2.2.1 as the remote gateway IP address. f.
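Both the packet filtering example (destination 2.2.2.1 with wildcard 0.0.0.0) and the IPsec rule that each peer's source address/wildcard must equal the other peer's destination address/wildcard depend on how an address/wildcard pair selects traffic. The following is an added example, not code from the manual or from HPE: it assumes inverse-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored), uses wildcard 0.0.0.255 for the /24 subnets of the IPsec example, and all function names and the mismatched Router B entry are constructed.

```python
"""Address/wildcard matching and an IPsec selector mirror check (constructed)."""
import ipaddress

MASK32 = 0xFFFFFFFF


def to_int(addr):
    """Dotted-quad IPv4 string to integer; raises ValueError on bad input."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Assumed semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) & care) == (to_int(base) & care)


def canonical(base, wildcard):
    """Clear the ignored bits so 10.1.1.7/0.0.0.255 equals 10.1.1.0/0.0.0.255."""
    wc = to_int(wildcard)
    return (to_int(base) & ~wc & MASK32, wc)


def describe(selector):
    base, wc = selector
    return f"{ipaddress.IPv4Address(base)}/{ipaddress.IPv4Address(wc)}"


def mirror_problems(peer_a, peer_b):
    """Return mismatches between two peers; an empty list means they mirror."""
    problems = []
    for mine, theirs in (("source", "destination"), ("destination", "source")):
        a = canonical(*peer_a[mine])
        b = canonical(*peer_b[theirs])
        if a != b:
            problems.append(f"A {mine} {describe(a)} != B {theirs} {describe(b)}")
    return problems


# Selectors for the page's subnets; the wildcard values are assumptions.
ROUTER_A = {"source": ("10.1.1.0", "0.0.0.255"),
            "destination": ("10.1.2.0", "0.0.0.255")}
ROUTER_B = {"source": ("10.1.2.0", "0.0.0.255"),
            "destination": ("10.1.1.0", "0.0.0.255")}
# Constructed misconfiguration: Router B protects a wider destination range.
ROUTER_B_WIDE = {"source": ("10.1.2.0", "0.0.0.255"),
                 "destination": ("10.1.0.0", "0.0.255.255")}


if __name__ == "__main__":
    # Packet filter entry from the page: 2.2.2.1 with wildcard 0.0.0.0.
    print(wildcard_match("2.2.2.1", "2.2.2.1", "0.0.0.0"))   # single host only
    print(wildcard_match("2.2.2.2", "2.2.2.1", "0.0.0.0"))
    print(mirror_problems(ROUTER_A, ROUTER_B))
    print(mirror_problems(ROUTER_A, ROUTER_B_WIDE))
```

Running the mirror check against both peers' saved settings before applying them catches the case where one side's range is wider than the other's, which the table warns can prevent SAs from being set up.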
PPP session tunneled by the LAC. The L2TP extends the termination point of a PPP session from a NAS to an LNS, logically. For more information about L2TP, see HPE FlexNetwork MSR Router Series Comware 5 Layer 2—WAN Configuration Guide.
Enabling L2TP Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as shown in Figure 366. On the upper part of the page, select the box before Enable L2TP. Click Apply. Figure 366 L2TP configuration page Adding an L2TP group Select VPN >...
Page 368
Configure the L2TP group information, as described in Table 159. Click Apply.
Table 159 Configuration items
Item | Description
L2TP Group Name | Specify the name of the L2TP group.
Peer Tunnel Name | Specify the peer name of the tunnel.
Local Tunnel Name | Specify the local name of the tunnel.
Page 369
Item Description Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP address to a user directly. If you have specified an ISP domain in PPP authentication configuration, the address pools in the ISP domain are listed in the User Address list.
Page 370
Item Description Configure user authentication on an LNS. You can configure an LNS to authenticate a user who has passed authentication on the LAC to increase security. In this case, an L2TP tunnel can be set up only when both of the authentications succeed.
Page 371
Figure 368 Adding an ISP domain Table 160 Configuration items Item Description ISP Domain Specify the name of the ISP domain. Select the primary authentication method for PPP users. • HWTACACS—HWTACACS authentication, which uses the HWTACACS scheme system. • Local—Local authentication. •...
Page 372
Item | Description
Accounting Optional | Specify whether to enable the accounting optional function. For an online user, with the accounting optional function disabled, if no accounting server is available or communication with the current accounting server fails, the user will be disconnected. However, with the accounting optional function enabled, the user can still use the network resources in such case, but the system will not send the accounting...
Displaying L2TP tunnel information Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page. Figure 370 L2TP tunnel information View the L2TP tunnel information. Table 162 Field description Field Description Local Tunnel ID Local ID of the tunnel.
Page 374
operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode. Then, perform the following configurations (the configuration order varies with the client software): • Specify the VPN username as vpdnuser and the password as Hello. •...
Page 375
Figure 373 Enabling L2TP Modify the PPP authentication method of the ISP domain system: a. On the L2TP configuration page, click Add to enter the L2TP group configuration page. b. Select CHAP as the PPP authentication method. c. Select ISP domain system (the default ISP domain). d.
Page 376
Figure 375 Adding an IP address pool Add an L2TP group: Continue to perform the following configurations on the L2TP group configuration page, as shown in Figure 376. a. Enter the L2TP group name test. b. Enter the peer tunnel name vpdnuser. c.
Page 377
On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information of the established L2TP tunnel should appear, as shown in Figure 377. Figure 377 L2TP tunnel information...
Figure 378 X protocol networks interconnected through the GRE tunnel For more information about GRE, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide. Configuring a GRE over IPv4 tunnel...
Page 379
Figure 379 GRE tunnel configuration page
Click Add to add a GRE tunnel, as shown in Figure 380.
Figure 380 Adding a GRE tunnel
Table 163 Configuration items
Item | Description
Tunnel Interface | Specify the number of the tunnel interface.
IP/Mask | Specify the IP address and subnet mask of the tunnel interface. IMPORTANT: When configuring a static route on the tunnel interface, note that the destination...
Item | Description
GRE Key | Specify the key for the GRE tunnel interface. This configuration is to prevent the tunnel ends from servicing or receiving packets from other places. IMPORTANT: The two ends of a tunnel must have the same key or have no key at the same time.
Page 381
Figure 382 Configuring interface Ethernet 0/0 Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel: a. Click the icon for interface Ethernet 0/1. b. Select Manual for Connect Mode. c. Enter IP address 1.1.1.1. d. Select IP mask 24 (255.255.255.0). e.
Page 382
a. Select VPN > GRE from the navigation tree. b. Click Add. The Add Tunnel page appears, as shown in Figure 384. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 10.1.2.1/24. e. Enter the source end IP address 1.1.1.1, the IP address of Ethernet 0/1. f.
Page 383
Configuring Router B Configure an IPv4 address for interface Ethernet 0/0: a. Select Interface Setup > WAN Interface Setup from the navigation tree. b. Click the icon for interface Ethernet 0/0 and then perform the configurations shown in Figure 386. c. Select Manual for Connect Mode. d.
Page 384
Figure 387 Configuring interface Ethernet 0/1 Create a GRE tunnel: a. Select VPN > GRE from the navigation tree. b. Click Add and then perform the configurations shown in Figure 388. c. Enter 0 in the Tunnel Interface field. d. Enter IP address/mask 10.1.2.2/24. e.
b. Click the Create tab and then perform the configurations shown in Figure 389. c. Enter 10.1.1.0 as the destination IP address. d. Enter the mask length 24. e. Select the box before Interface, and then select egress interface Tunnel0. f.
SSL VPN overview SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application layer. Using the certificate-based identity authentication, data encryption, and integrity verification mechanisms that SSL provides, SSL VPN can establish secure connections for communications at the application layer.
Advantages of SSL VPN Support for various application protocols Any application can be secured by SSL VPN without knowing the details. SSL VPN classifies the service resources provided by applications into three categories: • Web proxy server resources—Web-based access enables users to establish HTTPS connections to the SSL VPN gateway through a browser and thereby access the Web proxy server resources of the servers.
Configuring SSL VPN gateway To perform the configurations described in this chapter, log in to the Web interface of the router. The default login address is http://192.168.1.1, username is admin, and password is admin.
Recommended configuration procedure
Step | Remarks
Configuring the SSL VPN service | Required. Enable SSL VPN, and configure the port number for the SSL VPN service and the PKI domain to be used.
Step | Remarks
Configuring a security policy | Optional. Configure the check items and protected resources for a security policy. Only user hosts that pass the security policy's check can access the configured resources. IMPORTANT: To perform security check for user hosts, you must also enable security check in the domain policy.
Configuring Web proxy server resources Typically, Web servers provide services in webpages. Users can get desired information by clicking the links on the pages. On the Internet, information exchanged between Web servers and users is transmitted in plain text. The HTTP data might be intercepted in transit. SSL VPN provides secure connections for users to access Web servers, and can prevent illegal users from accessing the protected Web servers.
Page 391
Item | Description
Website Address | Specify the Website address for providing Web services. It must start with http:// and end with /, for example, http://www.domain.com/web1/. The website address can be an IP address or a domain name. If you specify a domain name, make sure you configure domain name resolution on Advanced >...
Table 166 Configuration items
Item | Description
Use IP network | Select this box to allow IP access to the resource. If you select this item, you must configure an IP network resource for a website and associate the IP network resource with the relevant users. When such a user accesses the website from the SSL VPN Web interface, the system logs the user in automatically to the website through the IP network resource.
ensure the security of data transmission, SSL VPN uses the SSL encryption technology to encrypt service data. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. The Remote Access Service page appears. Figure 396 Remote access service resource list Click Add to enter the page for adding a remote access service.
Item: Description
Command: Configure the Windows command for the resource. After you configure the command, users can start the related application to access the remote server by clicking the resource name on the SSL VPN service interface. For example, you can configure the command for a Telnet service in the format telnet <local address>...
Table 168 Configuration items
Item: Description
Resource Name: Enter a name for the desktop sharing service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names. IMPORTANT: If you do not configure the command for Command, H3C recommends including the resource type, local address, and local port in the resource name so that users can view the desired information after they log in to the SSL VPN system.
Figure 401 Adding an email service resource
Configure the email service resource as described in Table 169.
Click Apply.
Table 169 Configuration items
Item Description
Enter a name for the email service resource. The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their names.
Figure 402 Notes services
Click Add to enter the page for adding a Notes service.
Figure 403 Adding a Notes service resource
Configure the Notes service resource as described in Table 170.
Click Apply.
Table 170 Configuration items
Item Description
Enter a name for the Notes service resource.
Configuring a common TCP service resource The common TCP service of SSL VPN is designed to support various client/server applications. It is widely used to access client/server TCP applications other than the previously mentioned ones. Generally, you can configure all network ports that are possibly used by applications in common TCP services.
Item: Description
Remote Host: Enter the host name or IP address of the remote host that provides the common TCP service.
Remote Port: Enter the port number that the remote host uses for the common TCP service.
Local Host: Enter a loopback address or a character string that represents a loopback address.
Local Port: Enter the port number that the local host uses for the common TCP service.
Figure 406 Global configuration page
Configure the global parameters as described in Table 172.
Click Apply.
Table 172 Configuration items
Item: Description
Start IP / End IP: Specify the IP address pool from which the gateway assigns IP addresses for clients' virtual network adapters.
Subnet Mask: Enter the subnet mask to be assigned to a client's virtual network adapter.
Figure 407 Host configuration Click Add to enter the page for adding a host resource. Figure 408 Adding a host resource Enter a name for the host resource. Click the Add button under the network services list to enter the page for adding a network service.
Add a network service that the host resource provides for users, as described in Table 173.
Table 173 Configuration items
Item: Description
Destination IP: Enter the destination address of the network service.
Subnet Mask: Enter the subnet mask of the network service.
Protocol: Specify the protocol type of the network service, which can be IP, TCP, or UDP.
Figure 412 Adding a user-IP binding
Configure the user-IP binding as described in Table 174.
Click Apply.
Table 174 Configuration items
Item: Description
Username: Specify the username to be bound with an IP address. The username must contain the domain name. For example, aaa@local.
Specify the IP address to be bound with the username.
Configure the predefined domain name as described in Table 175.
Click Apply.
Table 175 Configuration items
Item: Description
Domain Name: Enter a domain name to be issued to clients.
Select the IP setting method, including Dynamic and Static. • Dynamic: To use this method, you also need to navigate to page Advanced > DNS Setup >...
Figure 416 Adding a resource group
Configure the resource group as described in Table 176.
Click Apply.
Table 176 Configuration items
Item: Description
Resource Group Name: Enter a name for the resource group.
Selected Resources / Available Resources: Specify resources for the resource group...
Configuring local users Configure SSL VPN users for local authentication in the following methods: • Configure local users one by one in the SSL VPN system. In this method, you can configure all parameters for a user at the same time, including the user name, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups.
Figure 418 Adding a local user
Configure the local user information as described in Table 177.
Click Apply.
Table 177 Configuration items
Item: Description
Username: Enter a name for the local user.
Description: Enter a description for the local user.
Password: Specify a password for the local user and enter the password again to confirm the password.
Item: Description
Enable public account: Select this item to set the local user account as a public account. A public account can be concurrently used by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the local user account to log in to the SSL VPN system at a time.
Figure 419 Batch import of local users Configuring a user group Select VPN > SSL VPN > User Management > User Group from the navigation tree. The user group list page appears. Figure 420 User groups Click Add to add a user group.
Figure 421 Adding a user group
Configure the user group as described in Table 178.
Click Apply.
Table 178 Configuration items
Item: Description
User Group Name: Enter a name for the user group.
Selected Resource Groups: Select resource groups for the user group. Users in the user group will be able to access the resources in the selected resource groups.
Viewing user information Viewing online user information Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, displaying the information of the current online users. Figure 422 Online users View information of the online users. Table 179 Field description Field Description...
Figure 423 History information Performing basic configurations for the SSL VPN domain Configure a domain policy, caching policy, and a bulletin: • Domain policy—Defines the common parameters and functions for the SSL VPN domain. • Caching policy—Specifies which cached contents to clear from user hosts when users log out from the SSL VPN system.
Table 180 Configuration items Item Description Select this item to enable security check. With security check enabled, the SSL VPN system checks a user host based on the security policy and determines whether to allow the user to access resources Enable security according to the check result.
Configuring the caching policy
Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 425. Select the operations to be done on a user host when the user logs out, including: Clear cached webpages.
Figure 427 Adding a bulletin
Configure the bulletin settings as described in Table 181.
Click Apply.
Table 181 Configuration items
Item: Description
Title: Enter a name for the bulletin.
Content: Enter the contents of the bulletin.
Selected User Groups / Available User Groups: Select the user groups that can view the bulletin.
Configuring authentication policies
SSL VPN supports local authentication, RADIUS authentication, LDAP authentication, AD...
• Password+Certificate—Authenticates a user's password and client certificate.
• Certificate—Authenticates only a user's client certificate.
RADIUS authentication supports only two authentication policies: password and password+certificate.
Configuring local authentication
Local authentication authenticates users by using the user information saved on the SSL VPN gateway.
Configure the RADIUS authentication settings as described in Table 182.
Click Apply.
Table 182 Configuration items
Item: Description
Enable RADIUS authentication: Select this item to enable RADIUS authentication.
Authentication Mode: Select an authentication mode for RADIUS authentication. Options include Password and Password+Certificate.
Enable RADIUS: Select this item to enable RADIUS accounting.
Figure 430 LDAP authentication
Configure the LDAP authentication settings as described in Table 183.
Click Apply.
Table 183 Configuration items
Item: Description
Enable LDAP authentication: Select this item to enable LDAP authentication.
LDAP Server IP: Specify the IP address of the LDAP server.
Server Port: Specify the TCP port number used by the LDAP server.
Configuring AD authentication Active Directory (AD) is a directory service provided by Windows 2000 Server and later versions. It saves information of objects on a network and allows administrators and users to query the information. AD uses structured data storage, which is the basis of the directory information logical structure.
Item: Description
Password / Confirm Password: Set a password for the administrator account, and enter the password again to confirm the password.
Username Format: Set the username format used to log in to the AD server. Options include Without the AD domain name, With the AD domain name, and Login name.
Configuring combined authentication
A combination authentication method can combine any two of the four authentication methods (local authentication, RADIUS authentication, LDAP authentication, and AD authentication) in any order.
Configuring a security policy Insecure user hosts might bring potential security threats to the internal network. You can configure security policies for the SSL VPN system so that when a user logs in, the SSL VPN system checks the user host's operating systems, browsers, antivirus software, firewall software, files and processes, and determines which resources to provide for the user according to the check result.
Click Apply. Table 186 Configuration items Item Description Name Enter a name for the security policy. Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first uses the security policy with the highest priority to check the user host.
Item: Description
Version: Specify the browser version. IMPORTANT: An IE browser version must be a floating point number with up to two digits after the radix point.
Patch: Specify the browser patches. The browser of a user host must have the specified patches installed to pass security check.
Customizing the SSL VPN user interface The SSL VPN system allows you to customize the user interface partially or fully as desired: • Partial customization—You can use the webpage files provided by the system and edit some contents in the files as needed, including the login page title, login page welcome information, login page logo, service page banner information, service page logo, and service page background.
Configuring the service page logo
Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. Click the Service Page Logo tab to enter the page shown in Figure 437. Click Browse to select a local picture file. Set whether to directly overwrite the file with the same name on the device.
Figure 439 Full customization
Configure the full customization settings as described in Table 188.
Click Apply.
Table 188 Configuration items
Item: Description
Enable full customization: Select this item to enable the full customization function.
Directory: Enter the directory where the customized page files are saved on the SSL VPN gateway.
User access to SSL VPN This chapter introduces user access to the SSL VPN service interface provided by the system. It is not suitable for user access to a fully customized SSL VPN service interface. After you finish configurations on the SSL VPN gateway, remote users can establish HTTPS connections to the SSL VPN gateway, and access resources through the user service interface provided by the SSL VPN gateway.
Figure 441 SSL VPN service interface Figure 442 SSL VPN client software Accessing SSL VPN resources After logging in to the SSL VPN service interface, a user can see all resources that you have authorized the user to access, and perform the following operations: •...
email receiving and sending servers according to the email resource name, logs in by using the username and password, and then uses the email service. • For an IP network resource, the user can access any host in any accessible network segment and can click a shortcut name to execute the corresponding command of the shortcut.
Click the Configure button in the upper right corner of the SSL VPN service interface to enter the page shown in Figure 444. Enter the new password, and confirm the new password. Click Apply. When the user logs in again, the user must enter the new password.
Figure 444 Changing login password...
SSL VPN configuration example
Network requirements
As shown in Figure 445, request a certificate and enable SSL VPN service on the SSL VPN gateway so that users can use HTTPS to log in to the SSL VPN gateway to access the internal resources of the corporate network.
Configuration procedure
Configuring the SSL VPN service
Configure a PKI entity named en:
a. Select Certificate Management > Entity from the navigation tree.
b. Click Add to enter the PKI configuration page, as shown in Figure 446.
c. Enter the PKI entity name en.
d.
Figure 447 Configuring a PKI domain named sslvpn
Generate an RSA key pair:
a. Select Certificate Management > Certificate from the navigation tree.
b. Click Create Key to enter the key generation page, as shown in Figure 448.
c. Set the key length to 1024.
d.
Figure 449 Retrieving the CA certificate to the local device Request a local certificate: a. After the CA certificate retrieval operation is complete, click Request Cert on the certificate management page. b. Select sslvpn as the PKI domain. c. Click Apply. The system displays "Certificate request has been submitted."...
Figure 451 Certificate management page Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service: a. Select VPN > SSL VPN > Service Management from the navigation tree. b. Select the box before Enable SSL VPN. c.
Figure 453 Configuring a Web proxy resource Configure a resource named desktop for the desktop sharing service provided by host 10.153.70.120: a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree. b. Click the Desktop Sharing Service tab. c.
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global Configuration tab appears, as shown in Figure 455.
b. Enter the start IP address 192.168.0.1.
c. Enter the end IP address 192.168.0.100.
d.
Figure 456 Adding a network service to the host resource Figure 457 Adding a shortcut to the host resource Figure 458 Configuring a host resource Configure resource group res_gr1, and add resource desktop to it: a. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to enter the resource group list page.
Figure 459 Configuring resource group res_gr1 Configure resource group res_gr2, and add resources tech and sec_srv to it: a. On the resource group list page, click Add. b. Enter the resource group name res_gr2. c. Select resources tech and sec_srv on the Available Resources list and click the << button to add them to the Selected Resources list.
b. Click Add. The local user configuration page appears, as shown in Figure 461.
c. Enter the username usera, enter the password passworda, confirm the password, select the box before Enable public account, set the maximum number of users for the public account to 1, and select Permitted as the user status.
Figure 462 Configuring user group user_gr1 Configure user group user_gr2, and assign resource group res_gr2 to the user group: a. On the user group list page, click Add. b. Enter the user group name user_gr2. c. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list.
Figure 463 Configuring user group user_gr2 Configuring an SSL VPN domain Configure the default authentication method for the SSL VPN domain as RADIUS and enable verification code authentication: a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
Figure 464 Configuring the domain policy Configure a RADIUS scheme named system: a. Select Advanced > RADIUS from the navigation tree. b. Click Add to enter the RADIUS scheme configuration page. c. Enter the scheme name system. d. In the Common Configuration area, select Extended as the supported RADIUS server type, and select Without domain name as the username format.
Figure 466 Configuring RADIUS scheme named system Enable RADIUS authentication for the SSL VPN domain: a. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree. b. Click the RADIUS Authentication tab. c. Select the box before Enable RADIUS authentication. d.
Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource desktop, as shown in Figure 468. Clicking the resource name, you can access the shared desktop of the specified host, as shown in Figure 469.
Figure 468 Resource that the public account usera can access
Figure 469 Access the desktop sharing resource
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS...
website tech, subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 470. Click tech to access the technology website. Click shortcut ftp_security-server to access the security server through FTP, as shown in Figure 471.
Figure 470 Resources that a non-public account can access
Figure 471 Access the IP network resource...
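The access chain used in this configuration example (user to user group to resource group to resource), together with the field rules stated earlier for the Website Address and for user-IP binding usernames, can be checked before the values are typed into the Web interface. The following is an added sketch, not part of the original manual or any vendor tool: the PLAN layout, the function names, the placeholder URL for tech, the IP bound to aaa@local, and usera's membership in user_gr1 (inferred from the verification step) are assumptions.

```python
"""Pre-flight audit of a planned SSL VPN access configuration (illustrative sketch)."""
import ipaddress

# Constructed plan mirroring the configuration example. The dict layout is an
# assumption of this sketch; the gateway itself is configured through the Web UI.
PLAN = {
    "resources": [
        {"name": "desktop", "type": "desktop", "remote_host": "10.153.70.120"},
        # The website address of "tech" is not given in full; placeholder URL.
        {"name": "tech", "type": "web", "website": "http://tech.example.test/"},
        {"name": "sec_srv", "type": "host", "networks": ["10.153.2.0/24"],
         "shortcuts": ["ftp_security-server"]},
    ],
    "resource_groups": {"res_gr1": ["desktop"], "res_gr2": ["tech", "sec_srv"]},
    "user_groups": {"user_gr1": ["res_gr1"], "user_gr2": ["res_gr2"]},
    # usera -> user_gr1 is inferred from what usera sees after login.
    "users": {"usera": ["user_gr1"], "userb": ["user_gr2"]},
    # Username format from the manual's example; the bound IP is constructed.
    "user_ip_bindings": [{"username": "aaa@local", "ip": "192.168.0.200"}],
}


def effective_resources(plan, user):
    """Resolve user -> user groups -> resource groups -> resource names."""
    found = set()
    for user_group in plan["users"].get(user, []):
        for res_group in plan["user_groups"].get(user_group, []):
            found.update(plan["resource_groups"].get(res_group, []))
    return sorted(found)


def users_reaching(plan, resource):
    """List every user whose group chain ends at the given resource."""
    return sorted(u for u in plan["users"] if resource in effective_resources(plan, u))


def lint(plan):
    """Return findings for values the gateway would reject or that dangle."""
    findings = []
    names = [r["name"] for r in plan["resources"]]
    # Resource names must be unique in the SSL VPN system.
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"resource name not unique: {name}")
    for res in plan["resources"]:
        if res["type"] == "web":
            url = res.get("website", "")
            ok = url.startswith("http://") and url.endswith("/") and len(url) > len("http://")
            if not ok:
                findings.append(f"{res['name']}: website address must start with http:// and end with /")
        for net in res.get("networks", []):
            try:
                ipaddress.ip_network(net)  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{res['name']}: invalid destination network {net}")
    # Dangling references anywhere in the chain silently remove access.
    for group, members in plan["resource_groups"].items():
        for member in members:
            if member not in names:
                findings.append(f"resource group {group}: unknown resource {member}")
    for group, res_groups in plan["user_groups"].items():
        for res_group in res_groups:
            if res_group not in plan["resource_groups"]:
                findings.append(f"user group {group}: unknown resource group {res_group}")
    for user, groups in plan["users"].items():
        for group in groups:
            if group not in plan["user_groups"]:
                findings.append(f"user {user}: unknown user group {group}")
    # A user-IP binding username must contain the domain name (aaa@local).
    for binding in plan["user_ip_bindings"]:
        user, sep, domain = binding["username"].partition("@")
        if not (user and sep and domain):
            findings.append(f"user-IP binding {binding['username']}: username must contain the domain name")
        try:
            ipaddress.ip_address(binding["ip"])
        except ValueError:
            findings.append(f"user-IP binding {binding['username']}: invalid IP {binding['ip']}")
    grouped = {m for members in plan["resource_groups"].values() for m in members}
    for name in sorted(set(names) - grouped):
        findings.append(f"resource {name} is in no resource group")
    return findings


if __name__ == "__main__":
    for user in sorted(PLAN["users"]):
        print(user, "->", effective_resources(PLAN, user))
    print("findings:", lint(PLAN))
```

Running the resolver after every group change shows whether an account, especially a shared public account such as usera, has picked up resources it was not meant to reach.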
Managing certificates Overview Public Key Infrastructure (PKI) offers an infrastructure for securing network services. PKI, also called asymmetric key infrastructure, uses a pair of keys (one private and one public) for data encryption and decryption. Data encrypted with the public key can be decrypted only with the private key, and vice versa.
Recommended configuration procedure for manual request Step Remarks Required. Create a PKI entity and configure the identity information. A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity.
Step Remarks Required. When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
Task Remarks Required. Create a PKI domain, setting the certificate request mode to Auto. Before requesting a PKI certificate, an entity needs to be configured with Creating a PKI domain some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.
Figure 473 Creating a PKI entity
Configure the parameters as described in Table 189.
Click Apply.
Table 189 Configuration items
Item: Description
Entity Name: Enter the name for the PKI entity.
Common Name: Enter the common name for the entity.
IP Address: Enter the IP address of the entity.
Figure 474 PKI domains
Click Add.
Figure 475 Creating a PKI domain
Configure the parameters as described in Table 190.
Click Apply.
Table 190 Configuration items
Item: Description
Domain Name: Enter the name for the PKI domain.
Enter the identifier of the trusted CA. An entity requests a certificate from a trusted CA.
Item: Description
Entity Name: Select the local PKI entity. When submitting a certificate request to a CA, an entity needs to show its identity information. Available PKI entities are those that have been configured.
Select the authority for certificate request. •...
Item Description verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible Polling Interval after the certificate is signed. Enable CRL Select this box to specify that CRL checking is required during certificate verification.
Destroying the RSA key pair From the navigation tree, select Certificate Management > Certificate. Click Destroy Key. Click Apply to destroy the existing RSA key pair and the corresponding local certificate. Figure 478 Destroying the RSA key pair Retrieving and displaying a certificate You can retrieve an existing CA certificate or local certificate from the CA server and save it locally.
Item Description
• If the certificate file is saved on the device, select Get File From Device and then specify the path and name of the file on the device. If no file is specified, the system, by default, gets the file domain-name_ca.cer (for the CA certificate) or domain-name_local.cer (for the local certificate) under the root directory of the device.
Get File From PC
Figure 481 Requesting a certificate
Configure the parameters as described in Table 192.
Table 192 Configuration items
Item: Description
Domain Name: Select the PKI domain for the certificate.
Password: Enter the password for certificate revocation.
Select this box to request a certificate in offline mode, that is, by an out-of-band means like FTP, disk, or email.
Figure 483 CRLs
Click Retrieve CRL to retrieve the CRL of a domain. Click View CRL for the domain to display the contents of the CRL.
Figure 484 Displaying CRL information
PKI configuration examples
Certificate request from a Windows 2003 CA server
Network requirements
As shown in Figure 485, configure the router to work as the PKI entity, so that:...
Figure 485 Network diagram Configuring the CA server Install the CA server component: a. From the start menu, select Control Panel > Add or Remove Programs. b. Select Add/Remove Windows Components. c. In the pop-up dialog box, select Certificate Services. d.
Figure 486 Creating a PKI entity
Create a PKI domain:
a. From the navigation tree, select Certificate Management > Domain.
b. Click Add. The page in Figure 487 appears.
c. In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA identifier, select aaa as the local entity, select RA as the authority for certificate request, enter http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port...
Figure 488 Generating an RSA key pair Retrieve the CA certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Retrieve Cert. c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply. Figure 489 Retrieving the CA certificate Request a local certificate: a.
Figure 490 Requesting a certificate Verifying the configuration After the configuration, you can select Certificate Management > Certificate from the navigation tree, and then click View Cert corresponding to the certificate of PKI domain torsa to display the certificate information. You can also click View Cert corresponding to the CA certificate of PKI domain torsa to display the CA certificate information.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to http://4.4.4.133:447/myca.crl. After the configuration, make sure the system clock of the router is synchronous to that of the CA, so that the router can request certificates and retrieve CRLs properly. Configuring the router Create a PKI entity: a.
Figure 493 Creating a PKI domain Generate an RSA key pair: a. From the navigation tree, select Certificate Management > Certificate. b. Click Create Key. c. Set the key length to 1024, and click Apply. Figure 494 Generating an RSA key pair Retrieve the CA certificate: a.
Figure 495 Retrieving the CA certificate Request a local certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Request Cert. c. Select torsa as the PKI domain, select Password, enter "challenge-word" as the password, and click Apply. The system displays "Certificate request has been submitted."...
Figure 497 Retrieving the CRL Verifying the configuration After the configuration, select Certificate Management > Certificate from the navigation tree to display detailed information about the retrieved CA certificate and local certificate, or select Certificate Management > CRL from the navigation tree to display detailed information about the retrieved CRL.
Figure 498 Network diagram Configuring Router A Create a PKI entity: a. From the navigation tree, select Certificate Management > Entity. b. Click Add. c. Enter en as the PKI entity name, enter router-a as the common name, enter 2.2.2.1 as the IP address of the entity, and click Apply.
a. From the navigation tree, select Certificate Management > Domain.
b. Click Add. The page in Figure 500 appears.
c. Enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example.
Figure 501 Generating an RSA key pair Retrieve the CA certificate: a. From the navigation tree, select Certificate Management > Certificate. b. Click Retrieve Cert. c. Select 1 as the PKI domain, select CA as the certificate type, and click Apply. Figure 502 Retrieving the CA certificate Request a local certificate: a.
Figure 503 Requesting a certificate Configure an IPsec connection: a. From the navigation tree, select VPN > IPsec VPN. b. Click Add. c. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 3.3.3.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-a for the certificate, select Characteristics of Traffic as the selector type, enter 11.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 10.1.1.0/0.0.0.255 as the destination IP address/wildcard.
a. From the navigation tree, select Certificate Management > Entity. b. Click Add. c. Enter en as the PKI entity name, enter router-b as the common name, and enter 3.3.3.1 as the IP address of the entity. d. Click Apply. Create a PKI domain: a.
Configuration guidelines When you configure PKI, follow these guidelines: • Make sure the clocks of entities and the CA are synchronous. Otherwise, the validity period of certificates will be abnormal. • The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the PKI entity identity information in a certificate request goes beyond a certain limit, the server will not respond to the certificate request.
Managing the system Configuring Web management This module enables you to set the Web connection idle-timeout timer. If you do not perform any operations on the Web interface before this timer expires, you are logged out of the Web page. By default, the idle-timeout timer is 10 minutes.
Figure 506 Saving the configuration Perform one of the following operations: To save the current configuration to the next-startup configuration file, click Save Current Settings. To save the current configuration to both the next-startup configuration file and the factory default configuration file, click Save As Factory-Default Settings. Restoring factory defaults This function allows you to clear the current configuration file.
Click the Backup tab. The page for backing up the configuration file appears.
Figure 508 Backing up the configuration file
Click one of the Backup buttons: When you click the upper Backup button in this figure, a file download dialog box appears. You can select to view the .cfg file or to save the file locally.
Backing up and restoring device files through the USB port The files needed in device running, such as startup files and configuration files, are stored in the storage medium of the device. To facilitate management of the files on the device, the device provides the fast backup and restoration function.
You can restore multiple files at a time, but only one startup file or configuration file can be included in these files for restoration. Rebooting the device CAUTION: Before rebooting the device, save the configuration. Otherwise, all unsaved configuration will be lost after reboot.
• SFTP service—Uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
Item Description Specify whether to enable the SFTP service. The SFTP service is disabled by default. Enable SFTP SFTP service. IMPORTANT: When you enable the SFTP service, the SSH service must be enabled. Specify whether to enable the HTTP service. Enable HTTP service.
The page for creating local users appears.
Create the user as described in Table 194.
Click Apply.
Figure 513 Creating a user
Table 194 Configuration items
Item: Description
Username: Set the username for a user.
Set the access level for a user. Users of different levels can perform different operations.
Setting the super password
Users of the management level can specify the password for a lower-level user to switch from the current access level to the management level. If no such password is configured, the switchover fails. To set the super password for switching to the management level: From the navigation tree, select System Management >...
Enter the super password. Click Login. Figure 515 Access level switching page Configuring system time Configure a correct system time so the device can work with other devices correctly. The device supports setting and displaying the system time, and setting the time zone and daylight saving time through manual configuration and automatic synchronization of NTP server time.
Figure 516 System time configuration page Table 196 Configuration items Item Description Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by entering their IP addresses. NTP Server 1 is the primary and NTP Server 2 is the secondary. IMPORTANT: NTP Server 1.
Figure 517 Calendar page Setting the time zone and daylight saving time From the navigation tree, select System Management > System Time. Click the Time Zone tab. The page for setting time zone appears. Figure 518. Configure the time zone as described in Click Apply.
Item Description
Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 519. You can configure the daylight saving time changes in the following ways: •...
TR-069 network framework Figure 520 Network diagram The basic network elements of TR-069 are: • ACS—Auto-Configuration Server, which is the management device in the network. • CPE—Customer Premise Equipment, which is the managed device in the network. • DNS server—Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to identify and access each other.
ACS address • ACS username • ACS password • PeriodicInformEnable • PeriodicInformInterval • PeriodicInformTime • CPE address • CPE username • CPE password For the TR-069 mechanism, see HPE FlexNetwork MSR Router Series Comware 5 Network Management and Monitoring Configuration Guide.
Configuration procedure The TR-069 parameters of CPE can be configured automatically through ACS remote management, and also can be configured manually through Web, which is described in detail in this section. To configure TR-069 manually: From the navigation tree, select System Management > TR-069. The TR-069 configuration page appears.
Item Description Set the CPE connection interface. The CPE sends inform packets carrying the IP address of this interface to make the ACS establish a connection with the CPE Interface. using this IP address. Configuration guidelines TR-069 configuration through ACS is of higher priority than that through Web. You cannot use a configuration mode to modify parameters configured through a configuration mode with a higher priority.
Table 199 Configuration items Item Description Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. File IMPORTANT: The filename is main.bin when the file is saved on the device. Reboot after the upgrading Specify whether to reboot the device to make the upgraded software take finished effect after the application file is uploaded.
SNMP agent—Works on a managed device to receive and handle requests from the NMS, and send traps to the NMS when some events, such as interface state change, occur. HPE devices support SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
Figure 524 SNMP page Configure the SNMP agent, as shown in Table 201. Table 201 Configuration items Item Description SNMP Specify to enable or disable the SNMP agent. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed. Set the SNMP version run by the system.
Item Description Set the SNMP security username when you select the SNMP version SNMPv3. Security Username The security name on the agent must be the same as that on the NMS. Set the authentication password when you select the SNMP version SNMPv3.
Figure 525 Network diagram Configuring the SNMP agent Select System Management > SNMP from the navigation tree, and then perform configuration as shown in Figure 526. Figure 526 Configuring the SNMP agent Select the Enable option. Select the SNMPv1 & v2 option. Type readonly in the field of Read Password.
Verifying the configuration • After the configuration, an SNMP connection is established between the NMS and the agent. The NMS can get and configure the values of some parameters on the agent through MIB nodes. • Disable or enable an idle interface on the device, and the NMS receives the corresponding trap. SNMPv3 configuration example Network requirements Figure...
Type 1.1.1.2 in the field of Trusted Host. Type 1.1.1.2 in the field of Trap Target Host Address/Domain. Click Apply. Configuring the SNMP NMS The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations.
Configuring syslogs System logs record network and device information, including running status and configuration changes. With system log information, network administrators can find network or security problems, and take corresponding actions against them. The system sends system logs to the following destinations: •...
To clear all system logs in the log cache, click Reset. To refresh system logs, click Refresh. To make the syslog display page refresh automatically, set the refresh interval on the syslog configuration page. For more information, see "Setting buffer capacity and refresh interval." Table 202 Syslog display items Item Description...
Configure the log host as described in Table 203. Click Apply. Table 203 Configuration items Item Description IPv4/Domain Set the IPv4 address or domain name of the log host. Loghost IP/Domain IPv6 Set the IPv6 address of the log host. Loghost IP Setting buffer capacity and refresh interval Select Other >...
Using diagnostic tools This chapter describes how to use the ping and traceroute facilities. Traceroute By using the traceroute facility, you can trace Layer 3 devices involved in delivering a packet from source to destination. You can traceroute the IP address or the host name of a device. If the target host name cannot be resolved, a prompt appears.
Enter the destination IP address or host name. Click Start. You can see the result in the Summary box. Figure 532 Traceroute configuration page Ping operation The Web interface does not support IPv6 ping. To perform a ping operation: Select Other > Diagnostic Tools from the navigation tree. Click the Ping tab, as shown in 3.
Configuring WiNet The Wisdom Network (WiNet) technology helps you centrally manage a large number of scattered network devices by using a small number of public IP addresses. WiNet has the following benefits: • Integration—WiNet is integrated in network devices as a function without needing any dedicated management device.
Click OK to enter the Setup page, as shown in Figure 535. Configure WiNet, as shown in Table 205. Figure 535 WiNet setup page Table 205 Configuration items Item Description WiNet Name Enter a WiNet name. Enter a management VLAN ID in the WiNet. You can enter an existing static VLAN only.
Managing WiNet To manage WiNet members, make sure the port that connects your host to the administrator permits packets of the management VLAN. Select WiNet from the navigation tree to enter the default WiNet Management page. Figure 536 WiNet management page On the WiNet Management page, you can perform these operations: Set the refresh period for automatic refreshing of the WiNet topology diagram.
Drag the icon of a specific device in the WiNet topology and place it to a position as needed. If the browser is configured to accept cookies, the latest position information of each device is stored after you click Network Snapshot. Double-click a device on the WiNet topology map to show details about the device, including the hostname, MAC address, device model, IP address, version, number of hops, and WiNet Figure...
CAUTION: You cannot enable Layer 2 portal authentication on an interface that connects to a member/candidate device, connects to an external network, or connects to the console terminal. c. If a member is selected, click Manage Device to log in to the Web interface for configuring the member.
Figure 540 Adding a user Table 206 Configuration items Item Description Username Enter the name of the user. Set a user password and confirm it. Password IMPORTANT: Confirm Password The leading spaces (if any) of a password will be omitted. Enter an authorized VLAN ID for the user.
Set the local path and file name for saving the exported files. Click Save to export all the RADIUS user information in the files to the local host. Click Import. The page for importing files appears. Click Browse to locate the local xml files to be imported. Click Apply to import the user information in the files to the device.
WiNet configuration example WiNet establishment configuration example Network requirements As shown in Figure 543, a WiNet comprises an administrator and two members. • The administrator is connected to the external network through Ethernet 0/1, and is connected to the members through Ethernet 0/2 and Ethernet 0/3. •...
Figure 544 Creating VLAN 10 and VLAN-interface 10 a. Select the Create option. b. Enter 10 for VLAN IDs. c. Select the Create VLAN Interface box. d. Click Apply. # Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10. Figure 545 Assigning interfaces to VLAN 10 a.
The configuration progress dialog box appears. Figure 546 Configuration progress dialog box d. After the configuration is complete, click Close. # Configure the IP address of VLAN-interface 10. e. Click the VLAN Interface Setup tab. Figure 547 Specifying an IP address for VLAN-interface 10 b.
c. Enter 163.172.55.1 for IP Address. d. Enter 255.255.255.0 for Subnet Mask. e. Click Apply. # Enable WiNet. f. Select WiNet from the navigation tree. When WiNet is disabled, a dialog box "Only the WiNet administrator supports the function" appears. g.
Figure 549 WiNet topology diagram WiNet-based RADIUS authentication configuration example Network requirements As shown in Figure 550, a WiNet comprises an administrator (Device B) and two members (Device A and Device C). The client connects to Device A through Ethernet 0/2. Deploy security authentication in the WiNet so that the client can access external networks after passing authentication on Device B.
Figure 550 Network diagram Configuration procedure Establish a WiNet. "WiNet establishment configuration example." Configure WiNet-based RADIUS authentication. # Specify a RADIUS user. a. Log in to Device B through Ethernet 0/1. b. Select WiNet from the navigation tree on Device B. c.
Figure 552 Setting up a RADIUS server a. Click the WiNet Management tab. b. Click Open AuthN Center. # Enable Layer 2 portal authentication on Ethernet 0/2 of Device A. Figure 553 Enabling Layer 2 portal authentication on Ethernet 0/2 of Device A...
a. Click Device A on the topology diagram. b. Click Ethernet 0/2 on the panel diagram. c. Click Port Guard.
Configuration wizard Overview The configuration wizard helps you establish a basic call, and configure local numbers and connection properties. Basic service setup Entering the configuration wizard homepage From the navigation tree, select Voice Management > Configuration Wizard to access the Figure 554.
Table 207 Configuration item Item Description Call Progress Tone Configure the device to play the call progress tones of a specified country or region. Country Mode Configuring local numbers In the country tone configuration page, click Next to access the local number configuration page, as Figure 556.
Figure 557 Connection property configuration page Table 209 Configuration items Item Description Specify the address of the main registrar. It can be an IP address or a Main Registrar Address domain name. Main Registrar Port Number Specify the port number of the main registrar. Specify the address of the backup registrar.
Local number and call route This chapter describes local numbers, call routes, fax and modem, call services, and advanced settings. Local numbers and call routes Local numbers and call routes are basic settings for making voice calls. • Local number configuration includes setting a local telephone number and authentication information used for registration.
Basic settings This section provides information about configuring basic settings. Introduction to basic settings Local number Local number configuration includes setting a local telephone number and authentication information used for registration. Call route Call route configuration includes setting a destination telephone number and call route type. The call route type can be either SIP routing or trunk routing.
Configuring trunking mode calling for the configuration example of using the trunking routing as the call route type. Basic settings Configuring a local number Select Voice Management > Local Number from the navigation tree, and click Add to access the Figure 560.
Item Description Description Specify the description of the number. Jitter-buffer Adaptive Mode • Enable—Select this option to buffer the voice packets received from the IP side, so that the received voice packets can be played out evenly. • Disable—Select this option to not buffer the voice packets received from the IP side.
Figure 561 Call route configuration page Table 211 Configuration items Item Description Call Route ID Enter a call route ID in the range of 1 to 2147483647. Destination Enter the called telephone number. Number...
Item Description Route Description Enter the description of the call route. Proxy Server Use a SIP proxy server to complete calling. IP Routing Use the SIP protocol to perform direct calling. If you select this option, you must provide the destination address and port number.
Configuration examples of local number and call route Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address) Network requirements As shown in Figure 562, Router A and Router B can directly call each other as SIP UAs using the SIP protocol (configuring static IP addresses).
Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 564 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address. Click Apply.
Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 565 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list.
Figure 566 Creating call route 1111 Enter 2 for Call Route ID. Enter 1111 for Destination Number. 10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. 11. Click Apply. Verifying the configuration • After the previous configuration, you can use telephone 1111 to call telephone 2222, or use telephone 2222 to call telephone 1111.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls. Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name) Network requirements As shown in Figure 567, acting as SIP UAs, Router A and Router B can first query destination...
Figure 568 Creating local number 1111 Enter 1 for Number ID. Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 569 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. Select IP Routing for SIP Routing, and type cc.news.com for Destination Address. 10. Click Apply.
Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number. Figure 570 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list.
Figure 571 Creating call route 1111 Enter 2 for Call Route ID. Enter 1111 for Destination Number. 10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address. 11. Click Apply. Verifying the configuration • After the previous configuration, you can use telephone 1111 to call telephone 2222 by using the DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111 by querying the static IP address of the called party.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls. Configuring proxy server involved calling for SIP UAs Network requirements As shown in Figure 572, Router A and Router B act as SIP UAs and SIP calls are made through a SIP proxy server.
Enter 1111 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone A for Description. Click Apply. # Create a call route. Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 574 Creating call route 2222 Enter 10000 for Call Route ID. Enter 2222 for Destination Number. 10. Select SIP Routing for Call Route Type. 11. Select Proxy Server for SIP Routing. 12. Click Apply. # Configure the registrar and the proxy server.
13. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page. Figure 575 Configuring registration information 14. Select Enable for Register State. 15. Enter 192.168.2.3 for Main Registrar Address. 16. Enter Router A for Username and abc for Password. 17.
Figure 576 Creating local number 2222 Enter 1 for Number ID. Enter 2222 for Number. Select subscriber-line 8/0 from the Bound Line list. Enter Telephone B for Description. Click Apply. # Create a call route Select Voice Management > Call Route List from the navigation tree, and then click Add to access the page for creating a call route.
Figure 577 Creating call route 1111 Enter 1 for Call Route ID. Enter 1111 for Destination Number. 10. Select SIP for Call Route Type. 11. Select Proxy Server for SIP Routing. 12. Click Apply. # Configure the registrar and the proxy server. 13.
Figure 578 Configuring registration information 14. Select Enable for Register State. 15. Enter 192.168.2.3 for Main Registrar Address. 16. In the Proxy Server area, enter 192.168.2.3 for Server Address. 17. Enter Router A for Username and abc for Password. 18. Click Apply. Verifying the configuration •...
Configuring trunking mode calling Network requirements As shown in Figure 579, Router A and Router B are connected through an FXO trunk line. It is required that Telephone 1111 can call telephone 2222. Figure 579 Network diagram Configuring Router A # Create a local number.
Figure 581 Creating call route 2222 Enter 2 for Call Route ID. Enter 2222 for Destination Number. 10. Select Trunk for Call Route Type. 11. Select subscriber-line 1/0 from the Trunk Route Line list. 12. Click Apply. # Configure number sending mode. 13.
Figure 582 Configuring number sending mode 14. Select Send All Digits of a Called Number for Called Number Sending Mode. 15. Click Apply. Configuring Router B Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
Select subscriber-line 8/0 from the Bound Line list. Enter Telephone B for Description. Click Apply. Verifying the configuration • Telephone 1111 can call telephone 2222 over the trunk line. • Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access the Active Call Summary page, which displays the statistics of ongoing calls.
Fax and modem Traditional fax machines transmit and receive faxes over PSTN. As time passes, fax has gained wide applications owing to its advantages such as various information, high transmission speed, and simple operations. By far, G3 fax machines are dominant in the fax communications. A G3 fax machine adopts the signal digitizing technology.
A real-time fax process consists of five phases: Fax call setup phase. This phase is similar to the process of a telephone call setup. The difference is that the fax tones identifying the sending/receiving terminals are included. Prior-messaging phase. During this phase, fax faculty negotiation and training are performed. Messaging phase.
Configuring fax and modem Before you configure fax and modem, you must configure local numbers and call routes. See Basic settings for details. Configuring fax and modem parameters of a local number Select Voice Management > Local Number from the navigation tree, and then click the icon of the local number to be configured to access the local number fax and modem configuration page, as Figure...
Item Description Configure the protocol used for fax communication with other devices. • T.38—With this protocol, a fax connection can be set up quickly. • Standard T.38—It supports H.323 and SIP. Configure the fax pass-through mode. Fax Protocol • G.711 A-law. •...
Item Description When rate training is carried on between fax terminals, the transmitting terminal transmits "zero-filled" TCF data (the filling time per packet is 1.5±10% seconds) to the receiving fax terminal, and the receiving fax terminal decides whether the current rate is acceptable according to the received TCF data.
Item Description Implements the CNG fax switchover is mainly used to implement the fax mailbox service through communication with the VCX. When the local fax machine A originates a fax call to the peer fax machine B, if B is busy or is unattended, A can send the CNG Fax originated fax to the fax mailbox of the VCX.
Call services More and more VoIP-based services are demanded as voice application environments expand. On the basis of basic calls, new features are implemented to meet different application requirements of VoIP subscribers. Call waiting When subscriber C calls subscriber A who is already engaged in a call with subscriber B, the call is not rejected if call waiting is enabled.
subscriber C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is established. This is call transfer. To perfect the call transfer feature, the device supports the call recovery function after the call transfer fails, that is, if subscriber C in the previous example is in a conversation with another subscriber and cannot establish a conversation with subscriber B, the call between subscriber A and subscriber B is recovered.
supervisor. If C wants to join the conversation, it sends a request to A. If A permits, the three-party conference can be held. In this example, C is called the active participant of the conference, A is the voice mixer, and B is the original participant of the conversation. Silent monitor and barge in services can be considered as the extensions of three-party conference.
• O if the terminating PBX fails to obtain the calling name (for example, the originating PBX end does not send it) The FXS voice subscriber line sends the calling identity information to the called telephone. The calling identity information is sent to the called telephone through FSK modulation between first and second rings.
Figure 587 Call services configuration page Table 213 Configuration items Item Description The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number for call forwarding no reply. The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number for call forwarding busy. Call Forwarding Call Forwarding Unconditional—Enter the forwarded-to number for forwarding unconditional.
Configuring other voice functions Select Voice Management > Local Number from the navigation tree, and then click the icon of the local number to be configured to access the call services configuration page as shown in Figure 588. Figure 588 Call services configuration page Table 214 Configuration items Item Description...
Item Description • Enable. Incoming Call • Disable. Barring By default, incoming call barring is disabled. Password for Set a password to lock your telephone when you do not want others to use your Outgoing Call telephone. Barring Door Opening Enable the door opening control service and set a password for Password.
Configuring call services of a call route Select Voice Management > Call Route from the navigation tree, and then click the icon of the call route to be configured to access the call route call services configuration page as shown in Figure 589.
Item Description • Enable. • Disable. By default, hunt group function is disabled. Hunt Group IMPORTANT: To use the hunt group feature, you must select the Enable option of all call routes involved in this service. Configure the private line auto ring-down (PLAR) function. The number is an E.164 Hotline Numbers telephone number of the terminating end.
Figure 591 Configuring call waiting b. Select Enable for Call Waiting. c. Click Apply. Verifying the configuration Verify the two call waiting operation modes: • Operation 1—When the subscriber at Telephone C dials 1000 to call Telephone A which is already engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones, while the subscriber at Telephone A hears call waiting tones that remind that a call is waiting on the line.
Figure 592 Network diagram (Router A, Router B, Router C; interface addresses 10.1.1.1/24, 10.1.1.2/24, 20.1.1.1/24, 20.1.1.2/24; Telephone A 1000, Telephone B 2000, Telephone C 3000) Configuration procedure Before performing the following configuration, make sure Router A, Router B and Router C are reachable to each other.
Configuring call transfer Network requirements As shown in Figure 594, call transfer enables Telephone A to transfer Telephone B to Telephone C. After the call transfer is completed, Telephone B and Telephone C are in a conversation. The whole process is as follows: Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.
Figure 595 Configuring call transfer Verifying the configuration The whole process is as follows: Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation. Perform a hookflash at Telephone A to put the call with Telephone B on hold. Call Telephone C (3000) from Telephone A after hearing dial tones.
Figure 596 Network diagram Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other. Complete basic voice call configurations: complete basic voice call configurations on Router A, Router B, and Router C. Configure hunt group: # Configure a number selection priority for Telephone A2 on Router A.
Figure 597 Configuring number selection priority of Telephone A2 b. Select 4 from the Number Selection Priority list. c. Click Apply. # Configure hunt group on Router A. d. Select Voice Management > Local Number from the navigation tree, click the icon of local number 1000 of Telephone A1 in the local number list to access the call services configuration page.
Figure 598 Configuring hunt group b. Select Enable for Hunt Group. c. Click Apply. Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure is not included here. Verifying the configuration Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B is connected to Telephone A1.
Figure 599 Network diagram (Router A, Router B, Router C; interface addresses 10.1.1.1/24, 10.1.1.2/24, 20.1.1.1/24, 20.1.1.2/24; Telephone A 1000, Telephone B 2000, Telephone C 3000) Configuration procedure Before performing the following configuration, make sure that Router A, Router B and Router C are routable to each other.
Figure 601 Configuring call hold b. Select Enable for Call Hold. c. Select Enable for Three-Party Conference. d. Click Apply. Verifying the configuration Now Telephone B, as the conference initiator, can establish a three-party conference with participants Telephone A and Telephone C. If you also enable three-party conference on the FXS lines of Telephone A and Telephone C on Router A and Router C, then during the conference, a new call can be initiated from Telephone A or Telephone C to invite another passive participant.
Figure 602 Network diagram Configure the VCX Open the Web interface of the VCX and select Central Management Console. Configure the information of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example. Figure 603 Telephone configuration page # Configure the silent-monitor authority Click Features of number 1000 to access the feature configuration page, and then click Edit Figure...
Figure 604 Silent monitor and barge in feature configuration page (1) Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000. After this configuration, the page as shown in Figure 605 appears. Figure 605 Silent monitor and barge in feature configuration page (2) After the previous configuration, Telephone C with the number 3000 can monitor and barge in the conversations of Telephone A with the number 1000.
Figure 606 Enabling the feature service and the silent monitor and barge in function Select Enable for Monitor and Barge In. Select Enable for Feature Service. Click Apply. Configure Router B # Configure a local number and call routes.
Configure a local number: specify the local number ID as 2000 and the number as 2000, and bind the number to line 1/0 on the local number configuration page. Configure the call route to Router A: specify the call route ID as 1000, the destination number as 1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
Select Voice Management > Local Number from the navigation tree, and click the icon of local number 3000 to access the call services page as shown in Figure 608. Figure 608 Enabling the feature service Select Enable for Feature Service. 10.
Advanced settings This section provides information on configuring various advanced settings. Introduction to advanced settings Coding parameters The configuration of coding parameters includes specifying codec priorities and packet assembly intervals. The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32, g726r40, g729a, g729br8, and g729r8.
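Table 217 G.711 algorithm (A-law and µ-law)
Columns: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP) | Network bandwidth (IP+PPP) | Coding latency
Packet assembly interval 10 ms: network bandwidth (IP) 96 kbps, network bandwidth (IP+PPP) 100.8 kbps, coding latency 10 ms
Packet assembly interval 20 ms: network bandwidth (IP) 80 kbps, network bandwidth (IP+PPP) 82.4 kbps...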
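Columns: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP) | Network bandwidth (IP+PPP) | Coding latency
Packet assembly interval 20 ms: network bandwidth (IP) 32 kbps, network bandwidth (IP+PPP) 34.4 kbps, coding latency 20 ms
Packet assembly interval 30 ms: network bandwidth (IP) 26.7 kbps, network bandwidth (IP+PPP) 28.3 kbps, coding latency 30 ms
Packet assembly interval 40 ms: network bandwidth (IP) 24 kbps, network bandwidth (IP+PPP) 22.1 kbps...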
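Table 223 G.726 r40 algorithm
Columns: Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP) | Network bandwidth (IP+PPP) | Coding latency
Packet assembly interval 10 ms: network bandwidth (IP) 72 kbps, network bandwidth (IP+PPP) 76.8 kbps, coding latency 10 ms
Packet assembly interval 20 ms: network bandwidth (IP) 56 kbps, network bandwidth (IP+PPP) 58.4 kbps, coding latency 20 ms...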
NOTE: • The packet assembly interval is the duration to encapsulate information into a voice packet. • Bytes coded in a time unit = packet assembly interval × media stream bandwidth. • Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data.
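The packet-length formula in the NOTE above, worked through as an added example (not taken from the HPE guide): it derives the network bandwidth (IP) and (IP+PPP) figures for a codec and packet assembly interval, and estimates how many calls fit on a link. The function names are hypothetical, the codec bit rates are the standard nominal rates, and the 6-byte PPP header is an assumption chosen because it reproduces the IP+PPP values in Tables 217 and 223.

```python
"""Per-call voice bandwidth from codec rate and packet assembly interval."""

# Header sizes in bytes. IP, RTP and UDP are the 20 + 12 + 8 from the NOTE.
IP_HDR, RTP_HDR, UDP_HDR = 20, 12, 8
# Assumption: 6 bytes of PPP framing per packet. The page does not state it;
# it is the value that reproduces the IP+PPP columns of Tables 217 and 223.
PPP_HDR = 6

# Media stream bandwidth in bit/s (standard nominal codec rates).
CODEC_BPS = {
    "g711alaw": 64_000, "g711ulaw": 64_000,
    "g726r16": 16_000, "g726r24": 24_000,
    "g726r32": 32_000, "g726r40": 40_000,
    "g729r8": 8_000, "g729a": 8_000,
}


def payload_bytes(codec: str, interval_ms: int) -> int:
    """Bytes coded in a time unit = packet assembly interval x media bandwidth."""
    if codec not in CODEC_BPS:
        raise ValueError(f"unsupported codec: {codec}")
    if not isinstance(interval_ms, int) or interval_ms <= 0:
        raise ValueError("interval must be a positive whole number of ms")
    size, remainder = divmod(CODEC_BPS[codec] * interval_ms, 8 * 1000)
    if remainder:
        raise ValueError(f"{interval_ms} ms is not a whole number of bytes")
    return size


def packet_length(codec: str, interval_ms: int, ppp: bool = False) -> int:
    """Packet length (IP) = 20 + 12 + 8 + data, plus PPP framing if requested."""
    length = IP_HDR + RTP_HDR + UDP_HDR + payload_bytes(codec, interval_ms)
    return length + PPP_HDR if ppp else length


def bandwidth_kbps(codec: str, interval_ms: int, ppp: bool = False) -> float:
    """Network bandwidth of one call direction, rounded as in the tables."""
    # One packet is sent every interval_ms; bits per millisecond equals kbit/s.
    return round(packet_length(codec, interval_ms, ppp) * 8 / interval_ms, 1)


def header_overhead(codec: str, interval_ms: int, ppp: bool = False) -> float:
    """Share of each packet that is headers rather than voice data."""
    total = packet_length(codec, interval_ms, ppp)
    return round((total - payload_bytes(codec, interval_ms)) / total, 3)


def calls_per_link(link_kbps: int, codec: str, interval_ms: int,
                   ppp: bool = True) -> int:
    """Whole calls (one direction each) that fit in link_kbps, exact integers."""
    bits_per_packet = packet_length(codec, interval_ms, ppp) * 8
    return (link_kbps * interval_ms) // bits_per_packet


if __name__ == "__main__":
    print("codec     ms  bytes  len(IP)  kbps(IP)  kbps(IP+PPP)  overhead")
    for codec in ("g711alaw", "g726r40", "g726r16", "g729r8"):
        for ms in (10, 20, 30):
            print(f"{codec:<9} {ms:>2}  {payload_bytes(codec, ms):>5}  "
                  f"{packet_length(codec, ms):>7}  "
                  f"{bandwidth_kbps(codec, ms):>8}  "
                  f"{bandwidth_kbps(codec, ms, ppp=True):>12}  "
                  f"{header_overhead(codec, ms):>8}")
    print("g729r8 calls on a 512 kbps PPP link at 20 ms:",
          calls_per_link(512, "g729r8", 20))
```

Short intervals lower coding latency but raise the header share of each packet, which is why the same codec costs more bandwidth at 10 ms than at 20 ms.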
Figure 609 Configuring coding parameters of the local number Table 226 Configuration items Item Description Specify a codec Specify the codecs and their priority levels. The available Codec with the First with the first codes are: Priority priority. • g711alaw—G.711 A-law codec (defining the pulse code modulation technology), requiring a bandwidth Specify a codec Codec with the Second...
Item Description Packet Assembly Interval Specify the packet assembly interval for g726r32 codec. of G726r32 Packet Assembly Interval Specify the packet assembly interval for g726r40 codec. of G726r40 Packet Assembly Interval Specify the packet assembly interval for g729r8, g729br8, and g729a codecs. of G729 Two communication parties can communicate correctly only if they share some identical coding/decoding algorithms.
Item Description Mode Out-of-band Specify the out-of-band SIP DTMF transmission mode. Transmission Adopt DTMF named telephone event (NTE) transmission mode. RFC2833 When you adopt this transmission mode, you can configure the payload type field in RTP packets. Set the DSCP value in the ToS field in the IP packets that carry Pre-defined the RTP stream.
Figure 612 Configuring other parameters of the call route Table 227 Table 228. For the configuration items of other parameters of the call route, see Table 228 Configuration items Item Description Call Route Selection Set the priority of the call route. The smaller the value, the higher the priority. Priority •...
Page 586
Configure out-of-band DTMF transmission mode for SIP. # Configure the out-of-band DTMF transmission mode on Router A for the call route. a. Select Voice Management > Call Route from the navigation tree, find call route 2222 in the list, and click its icon to access its advanced settings page.
SIP-to-SIP connections Configuring media parameters for SIP-to-SIP connections Select Voice Management > Call Route from the navigation tree. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 616 Configuring media parameters Table 229.
Item Description In the scenario where the SIP trunk device controls the results of media capability negotiation, if the SIP trunk device cannot find a common codec for two parties during negotiation, the two parties fail to establish a call. In this case, you can select the Enable option to enable codec transcoding on the SIP trunk device.
Page 589
Figure 617 Configuring signal process
Configure signaling parameters for SIP-to-SIP connections as described in Table 230.
Table 230 Configuration items
Item Description
• Remote process—The SIP trunk device transparently transfers the SIP messages carrying call forwarding information to the endpoints, and the endpoints perform the call forwarding.
Configuring dial plans More requirements on dial plans arise with the wide application of VoIP. A desired dial plan should be flexible, reasonable, and operable. Also it should be able to help a voice gateway to manage numbers in a unified way, making number management more convenient and reasonable. The dial plan process on the calling side differs from that on the called side.
Figure 619 Flow chart for dial plan operation process on the called side After receiving a voice call (the called number), the voice gateway on the called side performs global calling/called number substitution. The voice gateway on the called side selects proper local numbers or call routes based on the local number or call route selection priority rules.
Meta-character Meaning Hyphen (connecting element), used to connect two numbers (The smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive. Delimits a range for matching. It can be used together with signs such as !, %, and +. For example, [235-9] indicates one number of 2, 3, and 5 through 9.
Page 593
received digits when the dial terminator is received. The voice gateway does not wait for further digits even if the longest match mode has been globally configured. Maximum number of local numbers or call routes found before a search process stops This function enables you to define the maximum number of qualified local numbers or call routes to be found before a search process stops.
• If the first rule cannot decide which local number or call route should be selected, the system applies the second rule. If the second rule still cannot decide a local number or call route, the system applies the third rule. •...
Configuring dial plan
Configuring number match
Select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page, as shown in Figure 620.
Figure 620 Number match configuration page
Table 232 Configuration items
Item Description Configure a special character as the dial terminator for length-variable...
Item Description rule once a digit cannot be matched uniquely. • Priority—Number priorities are divided into 11 levels numbered from 0 to 10. The smaller the value is, the higher the priority is. That means level 0 has the highest priority. •...
Page 597
Figure 622 Number group configuration page
a. Configure the number group as described in Table 232.
b. Click Apply.
Table 233 Configuration items
Item Description
Group ID Specify the ID of the number group.
Description Specify the description of the number group.
Numbers in the Group Specify the input subscriber numbers to be added into the group in the field.
Page 598
Bind call routes to the call number group: Click Not Bound in the Call Routes Bound column on the Number Group tab page to access the call route binding page. The configuration of call route binding is similar to that of local number binding, and is not shown.
a. Click Not Bound in the Local Numbers Bound column to access the local call number binding page shown in Figure 626.
Figure 626 Local number binding page
b. Click the box in front of the ID column, and then click Apply to complete local number binding.
Page 600
Figure 628 Number substitution configuration page
a. Add a number substitution list as described in Table 234.
b. Click Apply.
Table 236 Configuration items
Item Description
Number Substitution Rule List ID Specify the ID of the number substitution rule list.
•...
Item Description Specify the input number involved in number substitution, in the format of [ ^ ] [ + ] input number [ $ ], up to 31 characters. The signs are explained as follows: • ^—Caret. The match begins with the first character of a number string. That is, the device begins with the first character of the match string to match a user number.
Page 602
Figure 629 Network diagram Configuration procedure Shortest number match a. Configure Router A: # Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line as line 1/0 on the local number configuration page. # Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the destination address as 1.1.1.2 on the call route configuration page.
Page 603
Figure 630 Number match mode configuration page a. Select Longest Number Match for Number Match Mode. c. Click Apply. After you dial number 20001234 at Telephone A and wait for some time (during this period, you can continue dialing), the dialed number 20001234 matches call route 2000 and Telephone B is alerted.
Configuring the match order of number selection rules
Network requirements
As shown in Figure 632, configure different number selection rule match orders for calls from Telephone A to Telephone B.
Figure 632 Network diagram
Configuring Router A
Add a local number: Specify the number ID as 1000, the number as 10001234$, and the bound line as 1/0 on the local number configuration page.
Page 605
a. Select Voice Management > Call Route from the navigation tree to access the call route list page. b. Find the call route with the ID of 2001 in the list, and click its corresponding icon access the advanced setting page. c.
Page 606
Figure 635 Match order of number selection rules configuration page Select Exact Match from the First Rule in the Match Order list. Select Priority from the Second Rule in the Match Order list. Select Random Selection from the Third Rule in the Match Order list. Click Apply.
Click Apply. After you dial number 20001234 at Telephone A, the number matches call route 2002. Configuring the number selection rule as random selection Configure Router A: Select Voice Management > Dial Plan > Number Match from the navigation tree to access the page for configuring the match order of number selection rules.
Page 608
Figure 639 E1 parameters configuration page Select PRI Trunk Signaling for Working Mode. Select Internal for TDM Clock Source. (Internal is the default setting) Select the Network Side Mode for ISDN Working Mode. Click Apply. # Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line as 1/0 on the local number configuration page.
Page 609
Figure 640 E1 parameters configuration page • Select PRI Trunk Signaling for Working Mode. • Select User Side Mode for ISDN Working Mode. (User Side Mode is the default setting) • Select Line for TDM Clock Source. • Click Apply. # Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line as 1/0 on the local number configuration page.
Page 610
Figure 641 Entity type selection priority rule configuration page (1) • Configure the order of the voice entities in the Selection Sequence box: the first is VOIP, the second is POTS, the third is VoFR, and the last is IVR. •...
Configuring call authority control
Network requirements
As shown in Figure 643, Router A, Router B, and Router C are located at place A, place B, and place C, respectively. They are all connected to the SIP server to allow subscribers to make SIP calls. When VoIP links fail for some reason, PSTN links that provide backup for VoIP links can be automatically brought up.
Page 612
Click Add to add numbers into the group. Click Apply. Enter the number group configuration page again to add another number group: Type 2 for Group ID. Type 1200.. for Numbers in the Group. Click Add to add numbers into the group. Click Apply.
Page 613
Figure 646 Call route binding page (1)
Select Permit the calls from the number group for Binding Mode.
10. Select the box of call route 2100.
11. Click Apply.
# Bind call routes to number group 2 so that subscribers whose telephone numbers begin with 1200 can originate calls to both place B and place C.
Figure 648 Call route binding page (II) 12. Select Permit the calls from the number group for Binding Mode. 13. Select the checkboxes of call routes 2100 and 3100. 14. Click Apply. Configuring Router B Add a call route: Specify the call route ID as 2100, the destination number as 2…, and the trunk route line as 1/0:15 on the call route configuration page.
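The permit bindings configured above can be checked offline before they are entered on the router. The following Python sketch is an added example, not code from the manual or the device: it models number groups 1 and 2 and their bindings to call routes 2100 and 3100, and it assumes that group 1 holds the template 1100.. (the page does not show it), that a dot matches any single digit, and that a call route with no bound group is unrestricted. Route 9000 is a constructed, unbound route.

```python
import re

# Number groups from the walkthrough. "1200.." is on the page; "1100.." for
# group 1 is an assumed value, because the page is cut off before showing it.
NUMBER_GROUPS = {1: ["1100.."], 2: ["1200.."]}

# "Permit the calls from the number group" bindings: call route -> group IDs.
PERMIT_BINDINGS = {2100: {1, 2}, 3100: {2}}


def template_to_regex(template):
    """Translate a number template into a compiled regular expression.

    Supported subset: literal digits, '.' for any single digit (assumption),
    and bracket sets such as [235-9]. Anything else is rejected so that a
    typo cannot silently widen a number group.
    """
    parts, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch in "0123456789":
            parts.append(ch)
        elif ch == ".":
            parts.append("[0-9]")
        elif ch == "[":
            end = template.find("]", i)
            body = template[i + 1:end] if end != -1 else ""
            if not re.fullmatch(r"(?:[0-9](?:-[0-9])?)+", body):
                raise ValueError(f"bad bracket set in {template!r}")
            parts.append(f"[{body}]")
            i = end
        else:
            raise ValueError(f"unsupported character {ch!r} in {template!r}")
        i += 1
    try:
        return re.compile("".join(parts))
    except re.error as exc:  # e.g. a descending range such as [9-2]
        raise ValueError(f"bad template {template!r}: {exc}") from exc


def groups_for(calling_number, groups=NUMBER_GROUPS):
    """Return the IDs of all number groups that contain calling_number."""
    return {
        gid
        for gid, templates in groups.items()
        if any(template_to_regex(t).fullmatch(calling_number) for t in templates)
    }


def call_permitted(calling_number, route_id, bindings=PERMIT_BINDINGS):
    """Decide whether calling_number may use route_id.

    Assumption: a route with permit bindings rejects every caller outside
    the bound groups, and a route without bindings accepts any caller.
    """
    allowed = bindings.get(route_id)
    if not allowed:
        return True
    return bool(groups_for(calling_number) & allowed)


def reachable_routes(calling_number, route_ids):
    """Call routes that calling_number is allowed to use."""
    return sorted(r for r in route_ids if call_permitted(calling_number, r))


def unrestricted_routes(route_ids, bindings=PERMIT_BINDINGS):
    """Routes that no number group protects; review these for toll abuse."""
    return sorted(r for r in route_ids if not bindings.get(r))


if __name__ == "__main__":
    routes = [2100, 3100, 9000]
    for number in ("110007", "120042", "130000"):  # constructed callers
        print(number, "->", reachable_routes(number, routes))
    print("unrestricted:", unrestricted_routes(routes))
```

A caller that matches no group, such as 130000, reaches only the unbound route, which is why unbound routes are listed separately for review.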
Page 615
Figure 649 Network diagram Place B Place A Market Dept. 3366 Market Dept. 6788 Eth2/1 Eth2/1 FXO Line 1/0 FXO Line 1/0 2.2.2.2/24 1.1.1.1/24 FXO Line 1/1 FXO Line 1/1 Financial Dept. 1688 Financial Dept. 1234 Router B Router A Sales Dept.
Page 616
Figure 650 Number substitution configuration page (1)
Type 21101 for Number Substitution Rule List ID.
Add three number substitution rules as shown in Figure 650.
Click Apply.
# Add another number substitution rule list for calling numbers of outgoing calls.
Select Voice Management >...
Page 617
Figure 651 Number substitution configuration page (2)
Type 21102 for Number Substitution Rule List ID.
Add three number substitution rules as shown in Figure 651.
Click Apply.
# Enter the call route binding page of number substitution list 21101.
Figure 652 Call routing binding page of number substitution list 21101
Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.
Page 618
Figure 653 Call routing binding page of number substitution list 21102 10. Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode. 11. Select call route 10. 12. Click Apply. Configuring Router A # Set the IP address of the Ethernet interface to 1.1.1.1. # Add a call route: specify the call route ID as 1010, the destination number as …., and the trunk route line as FXO line 1/0 on the call route configuration page.
Page 619
Figure 654 Number substitution configuration page (3)
Type 101 for Number Substitution Rule List ID.
Add three number substitution rules as shown in Figure 654.
Click Apply.
# Add another number substitution rule list for calling numbers of incoming calls.
Select Voice Management >...
Page 620
Figure 655 Number substitution configuration page (4)
Type 102 for Number Substitution Rule List ID.
Add three number substitution rules as shown in Figure 655.
Click Apply.
# Enter the global binding page of number substitution list 101.
Figure 656 Global binding page of number substitution list 101
Select Incoming Calling for Incoming Binding Type.
Page 621
Figure 657 Global binding page of number substitution list 102 Select Incoming Called for Incoming Binding Type. 10. Click Apply.
Call connection Introduction to SIP The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify, and terminate multimedia sessions such as IP phone calls, multimedia session and multimedia conferences. It is the core component in the multimedia data and control architecture of the IETF (RFC 3261).
again. The subsequent procedure is the same as that for calling a called UA directly or for calling a proxy server. Location server A location server is a device that provides UA information to proxy and redirect servers. It retains UA information received by a registrar.
SIP messages SIP messages, including SIP request messages and SIP response messages, are encoded in text mode. SIP request messages include INVITE, ACK, OPTIONS, BYE, CANCEL, and REGISTER. RFC 3261 defines the following six request messages: • INVITE—Used to invite a user to join a call. •...
Figure 658 Message exchange for a UA to register with a Registrar Call setup SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy server. Figure 659 Network diagram In the previous figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP endpoints (UAs).
Page 626
Figure 660 Call setup procedures involving a proxy server This is a simplified scenario where only one proxy server is involved and no registrar is present. However, a complex scenario can involve multiple proxy servers and registrars. Call redirection When a SIP redirect server receives a session request, it sends back a response indicating the address of the called SIP endpoint instead of forwarding the request.
Figure 661 Call redirection procedure for UAs (diagram labels: Internet, user agent, user agent, redirect server; messages in order: INVITE, 100 Trying, 302 Moved Temporarily, INVITE, 100 Trying, 200 OK)
This is a common application. Fundamentally, a redirect server can respond with the address of a proxy server as well.
When you use SRTP to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and authenticates RTP/RTCP packets. For more information about the encryption engine, see HPE FlexNetwork MSR Router Series Comware 5 Security Configuration Guide.
TLS-SRTP combinations TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them separately or together. The following table shows four combinations of TLS and SRTP. Table 239 TLS-SRTP combinations SRTP Description Signaling packets are secured. Personal information is protected. Media packets are secured.
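To see which of the four TLS-SRTP combinations a call actually uses, inspect the INVITE: the transport in the topmost Via header shows whether signaling runs over TLS, and the SDP audio profile with its a=crypto line shows whether SRTP is offered. The following Python sketch is an added example, not code from the manual or the device; the INVITE messages, addresses and key string are constructed, and it assumes SRTP keys are exchanged in SDP a=crypto attributes (RFC 4568).

```python
import re

CRLF = "\r\n"


def build_invite(transport, srtp):
    """Build a constructed INVITE for the demo (every value is made up)."""
    scheme = "sips" if transport == "TLS" else "sip"
    port = 5061 if transport == "TLS" else 5060
    sdp = [
        "v=0",
        "o=- 1 1 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 40000 {'RTP/SAVP' if srtp else 'RTP/AVP'} 8 0",
    ]
    if srtp:
        # Constructed placeholder, not a real key.
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                   "inline:CONSTRUCTED+KEY+FOR+DEMO+ONLY+0000000000")
    body = CRLF.join(sdp) + CRLF
    head = [
        f"INVITE {scheme}:2222@192.0.2.20 SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bKconstructed",
        f"From: <{scheme}:1111@192.0.2.10>;tag=constructed",
        f"To: <{scheme}:2222@192.0.2.20>",
        "Call-ID: constructed-call-id@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return CRLF.join(head) + CRLF + CRLF + body


def split_message(message):
    """Split a SIP message into start line, header map and body."""
    head, _, body = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def signaling_transport(headers):
    """Transport of the topmost Via header ('v' is its compact form)."""
    vias = headers.get("via") or headers.get("v") or []
    if not vias:
        return None
    match = re.match(r"SIP\s*/\s*2\.0\s*/\s*([A-Za-z]+)", vias[0])
    return match.group(1).upper() if match else None


def audio_streams(sdp):
    """Return (profile, number of a=crypto lines) for each m=audio section."""
    streams, in_audio = [], False
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            in_audio = len(fields) >= 3 and fields[0] == "audio"
            if in_audio:
                streams.append([fields[2], 0])
        elif in_audio and line.startswith("a=crypto:"):
            streams[-1][1] += 1
    return [tuple(s) for s in streams]


def classify(message):
    """Report the TLS/SRTP combination of one INVITE and what it leaves exposed."""
    _start_line, headers, body = split_message(message)
    streams = audio_streams(body)
    tls = signaling_transport(headers) == "TLS"
    srtp = bool(streams) and all(p == "RTP/SAVP" and n > 0 for p, n in streams)
    findings = []
    if srtp and not tls:
        findings.append("a=crypto key material crosses the network in cleartext signaling")
    if any(p == "RTP/SAVP" and n == 0 for p, n in streams):
        findings.append("RTP/SAVP offered without an a=crypto line")
    if tls and not srtp:
        findings.append("signaling is protected but voice media is plain RTP")
    if not tls and not srtp:
        findings.append("neither signaling nor media is protected")
    return {"tls": tls, "srtp": srtp, "findings": findings}


if __name__ == "__main__":
    for transport in ("TLS", "UDP"):
        for srtp in (True, False):
            print(transport, srtp, classify(build_invite(transport, srtp)))
```

Only the TLS-plus-SRTP case returns no findings; SRTP over UDP or TCP signaling still encrypts the media but hands the key to anyone who can read the INVITE.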
Item Description • SIP—Apply the SIP scheme as the URL scheme when the device registers to the main registrar. Main Registrar URL • SIPS—Apply the SIPS scheme as the URL scheme when the device Scheme registers to the main registrar. By default, the SIP scheme is applied.
Figure 663 Proxy server configuration page Table 241 Configuration items Item Description Select a server group from the list as the proxy server. You can add a server Use Server Group group on the page that can be accessed by selecting Voice Management > Call Connection >...
Page 633
Source IP address binding is supported on the Layer 3 Ethernet interface, GigabitEthernet interface, or dialer interface. For information about DHCP, see HPE FlexNetwork MSR Router Series Comware 5 Layer 3—IP Services Configuration Guide. Configuring source address binding Select Voice Management > Call Connection > SIP Connection from the navigation tree, and...
Table 243 Application of the source address binding settings in different states Settings made when… Result • For SIP media streams, the source IP address binding settings do not take effect until the next SIP call. The call is active •...
Table 244 Configuration items
Item Description
• UDP—Specify UDP as the transport layer protocol for incoming SIP calls and enable UDP listening port 5060.
• TCP—Specify TCP as the transport layer protocol for incoming SIP calls and enable TCP listening port 5060.
•...
Figure 667 Caller identity and privacy configuration page
Table 246 Configuration items
Item Description
Caller Identity
• None—Neither the P-Preferred-Identity header field nor the P-Asserted-Identity header field is added.
• P-Asserted-Identity—Add the P-Asserted-Identity header field. The Privacy header field indicates whether caller identity presentation is enabled or not, and the P-Asserted-Identity header field contains the caller’s number.
• Session-Expires—Conveys the maximum session duration, that is, if no refresh request is received during this time, the session is considered ended. • Min-SE—Conveys the minimum session duration, which is used to avoid frequent refresh requests from occupying network bandwidth. Configuring SIP session refresh Select Voice Management >...
Table 248 Configuration items Item Description The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices, you must configure the SIP compatibility options. • Enable—Configure the device to use the address (IP address or DNS domain name) in the To header field as the address in the From header Use the address in the field when sending a SIP request.
Figure 670 Configuring address hiding
Configure the address hiding function as described in Table 249.
Table 249 Configuration items
Item Description Specify the address hiding function enables the SIP trunk device to replace the endpoints' addresses carried in SIP messages with the addresses of the corresponding egress interfaces.
Page 640
Figure 672 Configuring advanced settings Table 251 Configuration items Item Description Set the interval for the local number or SIP trunk account to re-register with the Re-registration Interval registrar after a registration failure. Set the registration expiration time. A local number or an SIP trunk account Registration Expiration expires after it has registered with the registrar for a specified period of time, Time...
Item Description • Parking—The SIP trunk device sends the OPTIONS or REGISTER message to the current server. When the current server is not available, the SIP trunk device selects the member server with the second highest priority in the SIP server group as the current server even if the original current server recovers.
Page 642
Configuring voice mailbox server
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Advanced Settings tab to access the voice mailbox server configuration page as shown in Figure 673.
Figure 673 Voice mailbox server configuration page
Table 252 Configuration items
Item Description...
Generally, the voice gateway sends a SUBSCRIBE to the server, and receives a NOTIFY from the server if the subscription is successful, and gets the status of the voice mailbox afterwards. Configuring signaling security Select Voice Management > Call Connection > SIP Connection from the navigation tree, and Figure 674.
Figure 675 PSTN release cause code mapping configuration page You can enter the SIP status code into the corresponding SIP Status Code (400-699) field. Because the PSTN release cause code 16 corresponds to a SIP request message, instead of a SIP status code, you can configure no SIP status code for 16.
Figure 676 SIP status code mapping configuration page You can select the values in the PSTN Release Cause Code fields. You can also click Load Default Value to restore the default mappings between PSTN release cause codes and SIP status codes. SIP connection configuration examples Configuring basic SIP calling features For information about how to implement direct SIP calling through static IP addressing, configure...
Page 646
a. Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind the number to line 1/0 on the local number configuration page.
b. Configure the call route to Router B: specify the call route ID as 2222, the destination number as 2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as 192.168.2.2 on the call route configuration page.
Configuring SRTP for SIP calls
Network requirements
Two routers, Router A and Router B, work as SIP UAs. It is required that SIP calls use the SRTP protocol to protect call conversations.
Figure 680 Network diagram
Configuration procedure
Configure basic voice calls, see "Configure basic voice calls: configure a local number and the call route to Router B."...
Page 648
Figure 682 Network diagram
Configuration procedure
Configure basic voice calls, see "Configure basic voice calls: configure a local number and the call route to Router B."
Specify the transport layer protocol:
# Specify TCP as the transport layer protocol for outgoing calls on Router A.
Select Voice Management >...
Management > States and Statistics > SIP UA States from the navigation tree and clicking the TCP Connection Information tab. Configuring TLS to carry outgoing SIP calls Network requirements Two routers Router A and Router B work as SIP UAs. It is required that the SIP calls between the two parties be carried over TLS.
Page 650
# Specify TLS as the transport layer protocol for incoming SIP calls. Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the Session Properties tab to access the transport layer protocol configuration page Figure 687.
Managing SIP server groups A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured with up to five member servers. An index represents the priority of a member server in the SIP server group.
Figure 689 Configuring real-time switching
Configure real-time switching as described in Table 255.
Table 255 Configuration items
Item Description Enable or disable the real-time switching function. When the real-time switching function is enabled:
• If the SIP trunk device receives no response message or receives response message 408 or 5XX (excluding 502, 504, 505, and 513) after sending a registration request to the SIP server, the SIP trunk device tries to connect to the member server with the second highest priority value in...
Item Description Interval for Sending Set the interval for sending OPTIONS messages to the SIP servers when the OPTIONS Messages keep-alive mode is set to Options. Configuring the source address binding mode Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
The following table describes how source address binding works upon different conditions: Condition Result • A new source address binding for media does not take effect for ongoing SIP media sessions but takes effect for Configure a source address binding when subsequent SIP media sessions.
Page 655
Click Apply. Table 258 Configuration items Item Description Set server ID. A SIP server group can be configured with up to five member Server ID servers. A server ID represents the priority of the server in the SIP server group. The smaller the ID, the higher the priority.
Configuring SIP trunk
As shown in Figure 693, on a typical telephone network, internal calls of the enterprise are made through the internal PBX, and external calls are placed over a PSTN trunk.
Figure 693 Typical telephone network
With the development of IP technology, many enterprises deploy SIP-based IP-PBX networks as Figure 694....
Figure 695 All IP-based network All IP-based network ITSP Enterprise intranet SIP trunk SIP server Router IP-PBX SIP trunk device SIP server Features SIP trunk has the following features: Only one secure and QoS guaranteed SIP trunk link is required between a SIP trunk device and the ITSP.
Task Remarks Configuring a call route for inbound calls Required. Enabling the SIP trunk function Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree. Figure 697 Configuring services Table 259 Configuration item Item Description Enable the SIP trunk function before you can use other SIP trunk functions. Hewlett Packard Enterprise recommends not using a device enabled with the SIP trunk function as a SIP UA.
Configuring a SIP trunk account Configuring a SIP trunk account A SIP trunk account contains information allocated to users by the carrier, including authentication username, authentication password, host name, host username, and the associated SIP server group. Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and click Add.
Item Description • Enable. • Disable. Registration By default, the registration function of the SIP trunk account is disabled. Function To perform registration, you must provide the host username or associate the account with a SIP server group. Authentication Enter the authentication username for the SIP trunk account. Username Authentication Enter the authentication password for the SIP trunk account.
Page 662
Figure 699 Configuring a call route Table 261 Configuration items Item Description Call Route ID Enter a call route ID. Destination Number Enter the called telephone number. Bound Account Select a SIP trunk account to be bound to the voice entity. Description Enter a description for the call route.
Configuring fax and modem parameters of the call route of a SIP trunk account Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the icon of the call route to be configured to access the call route fax and modem configuration page.
Page 664
Item Description • Specify the prefix of a source host name as a call match rule. The specified source host name prefix is used to match against the source host names of calls. If the INVITE message received by the SIP trunk device carries the Remote-Party-ID header, the source host name is abstracted from this header field.
Configuring media parameters for SIP-to-SIP connections Select Voice Management > Call Route from the navigation tree. Click the icon of the call route to be configured. The page for configuring SIP-to-SIP connection parameters appears. Figure 701 Configuring media parameters Table 263.
Item Description Select the media flow mode: • Around—Enable the media packets to pass directly between two SIP endpoints, without the intervention of the SIP trunk device. The media packets flow around the SIP Media Flow Mode trunk device. • Relay—Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets.
Item Description • Remote process—If the session timer mechanism is initiated by the calling party, and the called party also supports this mechanism, you can select this option to enable the called party to process the session update information. Otherwise, the session timer mechanism only works between the calling party and the SIP trunk device.
Page 668
Figure 704 Configuring a local number Enter 2000 for Number ID. Enter 2000 for Number. Select subscriber-line 8/0 from the Bound Line list. Click Apply. # Configure a call route. Select Voice Management > Call Route from the navigation tree and click Add. Figure 705 Configuring a call route Enter 10000 for Call Route ID.
Page 669
Configuring the SIP trunk device # Enable the SIP trunk function. Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree. Figure 706 Configuring services Select Enable for SIP Trunk Function. Click Apply. # Create SIP server group 1. Add a SIP server into the server group: the ID and the IPv4 address of the server are 1 and 10.1.1.2 respectively.
Page 670
Click Apply. # Create SIP trunk account 1 with the host username 2000, and associate the account with SIP server group 1. 10. Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and click Add. Figure 708 Configuring a SIP trunk account 11.
Page 671
Figure 709 Configuring a call route for the SIP trunk account 17. Enter 20000 for Call Route ID. 18. Enter 1000 for Destination Number. 19. Select account1 from the Bound Account list. 20. Select Bind to Server Group for SIP Trunk Routing. 21.
Page 672
27. Enter 1.1.1.1 for Destination Address. 28. Click Apply. Configuring Router B # Configure a local call number. Select Voice Management > Local Number from the navigation tree and click Add. Figure 711 Configuring a local number Enter 1000 for Number ID. Enter 1000 for Number.
# Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar. 12. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the Connection Properties tab. Figure 713 Configuring connection properties 13. Select Enable for Register State. 14.
Page 674
Figure 714 Network diagram ITSP-A SIP server 10.1.1.3/24 Enterprise private network Public network 1.1.1.1/24 1.1.1.2/24 2.1.1.1/24 2.1.1.2/24 SIP trunk Router B 1000 2000 Router A SIP trunk device SIP server 10.1.1.2/24 Configuration procedure # Enable the SIP trunk function. (Details not shown.) # Create SIP server group 1.
Page 675
Figure 715 Configuring server group Enter 1 for Server Group ID. Select Enable for Real-Time Switching. Select Options for Keep-Alive Mode. Enter 1 for Server ID. Enter 10.1.1.2 for Server Address. Click Add the Server. Enter 3 for Server ID. Enter 10.1.1.3 for Server Address.
Figure 716 Advanced settings
13. Select Parking for Redundancy Mode.
14. Click Apply.
Other configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server."
Verifying the configuration
When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes over communications between the private network and the public network.
Page 677
Figure 717 Network diagram Configuration procedure # Configurations on the SIP trunk device and on other devices are the same as those described in "Configuring a SIP server group with only one member server." # Configure Router A2: Configure a local number 2001 and a call route to Router B. For the "Configuring Router A."...
Page 678
Click Apply. Verifying the configuration Private network users connected to Router A1 can call public network users, but private network users connected to Router A2 cannot call public network users. Public network users can call any private network user.
Managing data links
This section provides information about data link management and configuration.
Overview
Introduction to E1 and T1
Plesiochronous digital hierarchy (PDH) includes two major communications systems: ITU-T E1 system and ANSI T1 system. The E1 system is dominant in Europe and some non-European countries.
As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling. As TS0 is used to transfer synchronization information and TS16 is used as a D channel to transfer signaling, you can arbitrarily bind any timeslot other than TS0 and TS16 as a logical interface, which is equivalent to an ISDN PRI interface.
• DSS1/QSIG user signaling, adopted on the D channel between ISDN user and network interface (UNI). It has a data link layer protocol and a Layer 3 protocol used for basic call control. • ITU-T R2 signaling, which includes digital line signaling and interregister signaling. Digital line signaling is transmitted in TS16 (ABCD bits) of E1 trunk.
Page 682
Figure 720 E1 parameters configuration page (1) Table 266 Configuration items Item Description Physical Parameters Configuration Configure the working mode of the E1 interface: • None—Remove the existing bundle. Working Mode • PRI trunk signaling—Bundle timeslots on an E1 interface into a PRI group. By default, no PRI group is created.
Page 683
Item Description • Internal—Set the internal crystal oscillator time division multiplexing (TDM) clock as the TDM clock source on the E1 interface. After that, the E1 interface obtains clock from the crystal oscillator on the main board. If it fails to do that, the interface obtains clock from the crystal oscillator on its E1 card.
Page 684
Figure 721 E1 parameters configuration page (2) You are not allowed to configure the following parameters on an ISDN interface if there is still a call on it: • ISDN Overlap-Sending • Switch to ACTIVE State Without Receiving a Connect-Ack Message •...
Page 685
Item Description ISDN Working Mode Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode. Configure local ISDN B channel management. • Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch.
Page 686
Item Description • Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message. • Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
Item Description • Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call. • Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
Page 688
Table 268 Configuration items Item Description Physical Parameters Configuration Working Mode Configure the working mode of the T1 interface: • None—Remove the existing bundle. • PRI Trunk Signaling—Bundle timeslots on a T1 interface into a PRI group. By default, no PRI group is created. Bound Timeslot Specify the timeslots to be bundled.
Figure 723 T1 parameters configuration page (2) ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table 267 describes the ISDN parameters configuration items. Configuring BSV line Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of the BSV line to be configured to access the BSV parameters configuration page.
Page 690
Figure 724 BSV parameters configuration page Table 269 Configuration items Item Description ISDN Protocol Type Set the ISDN protocol to be run on an ISDN interface: DSS1, ANSI, NI, NTT, or ETSI. By default, an ISDN interface runs DSS1. ISDN Working Mode Set the ISDN working mode: network side mode or user side mode. By default, an ISDN interface operates in user side mode.
Page 691
Item Description Configure local ISDN B channel management. • Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch. • Common management—The device operates in local B channel management mode to select available B channels for calls. However, the ISDN switch still has a higher priority in B channel selection.
Page 692
Item Description • Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message. • Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
Page 693
Item Description • Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call. • Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
Item Description ISDN Call Reference Length Set the length of the call reference used when a call is placed on an ISDN interface. The call reference is equal to the sequence number that the protocol assigns to each call. It is 1 or 2 bytes in length and can be used cyclically. When the device receives a call from a remote device, it can automatically identify the length of the call reference.
Page 695
Figure 726 Network diagram Configuration procedure Configure Router A: # Configure an ISDN PRI group. Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page. Figure 727 E1 parameters configuration page a.
Page 696
Select Voice Management > Digital Link Management from the navigation tree, and then click the icon of E1 1/1 to access the E1 parameters configuration page. Figure 728 E1 parameters configuration page a. Select the PRI Trunk Signaling option. For other options, use the default settings. b.
Managing lines This section provides information on managing and configuring various types of subscriber lines. FXS voice subscriber line A foreign exchange station (FXS) interface uses a standard RJ-11 connector and a telephone cable to directly connect with an ordinary telephone or a fax machine. An FXS interface accomplishes signaling exchange based on the level changes on the Tip/Ring line and provides ring, voltage, and dial tone.
Page 698
Figure 729 Immediate start mode (signaling sequence between the calling side and the called side: pick up the phone to request service, send the called number, pick up the phone to answer, conversation, hang up)
• Delay start—In this mode, the caller first picks up the phone to seize the trunk line, and the called side (such as the peer PBX) also enters the off-hook state in response to the off-hook action of the caller.
One-to-one binding between FXS and FXO voice subscriber lines The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines improves the reliability of voice solutions. For industry-specific users, highly reliable communication over FXS voice subscriber lines is required. That is, dedicated FXO voice subscriber lines can be used for communication over PSTN when the IP network is unavailable.
Symptom, parameters adjusted, and effect:
• Symptom: A user hears his or her voice when speaking. Parameters adjusted: Enlarge the control factor of mixed proportion of noises. Effect: Too high a control factor leads to audio discontinuity.
• Symptom: There are echoes when both parties speak at the same time. Parameters adjusted: Enlarge the judgment threshold. Effect: Too high a judgment threshold slows down the convergence of the filter
Page 701
Figure 733 FXS line configuration page Table 272 Configuration items Item Description Basic Configurations Description Specify the description of the FXS line. Specify the maximum interval for the user to dial the next digit. This timer will restart each time the user dials a digit and will work in this way Max Interval for Dialing until all the digits of the number are dialed.
Item Description Advanced Settings Dial Delay Time Specify the dial delay in seconds. Lower Limit for Hookflash Specify the time range for the duration of an on-hook condition that will be Detection detected as a hookflash. That is, if an on-hook condition that lasts for a period that falls within the hookflash duration range (that is, the period is longer than Upper Limit for Hookflash the lower limit and shorter than the upper limit) is considered a hookflash.
Page 703
Figure 734 FXO line configuration page Table 273 Configuration items Item Description Basic Configurations Description Specify the description of the FXO line. Specify the maximum interval for the user to dial the next digit. This timer restarts each time the user dials a digit and will work in this way Max Interval for Dialing the until all the digits of the number are dialed.
Page 704
Item Description Max Interval between Off-hook and Dialing the First Digit Specify the maximum interval in seconds between off-hook and dialing the first digit. Upon the expiration of the timer, the user will be prompted to hook up and the call is terminated.
Page 705
Item Description On-hook Duration for VAD Set the silence duration for automatic on-hook. Upon expiration of this duration, the system performs on-hook automatically. When the signal values of two successive sampling points are less than the silence detection threshold, the system considers that the line goes into the silent
Item Description Nonlinear Function of Echo Cancellation • Enable. • Disable. DTMF Detection Sensitivity Level Set the DTMF detection sensitivity level. • Low—In this mode, the reliability is high, but DTMF tones might fail to be detected. • Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection...
Page 707
Figure 735 E&M line configuration page Table 274 Configuration items Item Description Basic Configurations Description Description of the E&M line. Cable Type Select the E&M interface cable type: 4-wire or 2-wire. By default, the cable type is 4-wire. When you configure the cable type, make sure the cable type is the same as that of the peer device.
Page 708
Item Description Signal Type Specify the signal type. Types 1, 2, 3, and 5 are the four signal types (that is, types I, II, III, and V) of the analog E&M subscriber line. When you configure the signal type, make sure the signal type is the same as that of the peer device.
Item Description Output Gain on the Voice Interface When a relatively small voice signal power is needed on the output line, increase the voice output gain value. Enterprise recommends not adjusting the gain. If necessary, do it with the guidance of technical personnel.
Page 710
Figure 736 ISDN line configuration page Table 275 Configuration items Item Description Description Description of the ISDN line. Comfortable Noise Function Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable. •...
Item Description DTMF Detection Sensitivity Level Set the DTMF detection sensitivity level. • Low—In this mode, the reliability is high, but DTMF tones might fail to be detected. • High—In this mode, the reliability is low and detection errors might occur.
Item Description Set the value of the audio input gain, in the range of –24.0 to +12.0 with a step of 1. When a relatively small voice signal power is needed on the output line, increase the voice output gain value. Voice Output Gain IMPORTANT: Gain adjustment might lead to call failures.
Line management configuration examples Configuring an FXO voice subscriber line Network requirements As shown in Figure 739, the FXO voice subscriber line connected to Router B operates in PLAR mode, and the default remote phone number is 010-1001. Dialing the number 0755-2003 on phone 0755-2001 connects to Router B. Because Router B operates in private-line mode (that is, the hotline mode), it requests connection to the preset remote number 010-1001 at Router A.
Figure 740 Hotline number configuration page Enter 0101001 in the Hotline Numbers field. Click Apply. Verifying the configuration If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number 010-1001 at Router A. Configuring one-to-one binding between FXS and FXO Network requirements •...
Page 715
Configuration considerations • Configure one-to-one binding between FXS and FXO voice subscriber lines. • When the IP network is available, the VoIP entity is preferably used to make calls over the IP network. • When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO voice subscriber line over the PSTN.
Page 716
Figure 743 Call route binding page a. Select the Permit the calls from the number group option. b. Select call route 211. c. Click Apply. # Configure the hotline number. d. Select Voice Management > Call Route from the navigation tree, and then click the icon of call route 211 to access the call services configuration page.
Page 717
Figure 745 FXO line delay off-hook binding configuration page b. Select the Delay Off-hook option. c. Select subscriber-line 3/0 from the Binding FXS Line list. d. Click Apply. # Configure the system to first select VoIP entity. e. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the number match configuration page.
Page 718
c. Configure the backup call route 211 for the FXO line in the call route configuration page: The destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition, select the Send All Digits of a Called Number option in the Called Number Sending Mode area when you configure the advanced settings of this call route.
Page 719
Figure 749 Hotline number configuration page b. Type 2101002 in the Hotline Numbers field. c. Click Apply. # Configure the delay off-hook binding for the FXO line. d. Select Voice Management > Line Management from the navigation tree, and then click icon of the FXO line 4/0 to access the FXO line configuration page.
Page 720
Figure 751 Entity type selection sequence configuration page b. Select Enable in the Select Based on Voice Entity Type area. c. Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the second is POTS, the third is VoFR, and the last is IVR. d.
Configuring SIP local survival IP phones have been deployed throughout the headquarters and branches of many enterprises and organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP phones at branches. The local survival feature enables the voice router at a branch to automatically detect the reachability to the headquarter voice server, and process calls originated by attached IP phones when the headquarters voice server is unreachable.
Configuring SIP local survival Service configuration Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the page as shown in Figure 753. Figure 753 Configuring service Table 278 Configuration items Item Description • Enable—Enable the local SIP server.
Item Description Remote Server IP address Enter the IP address of the remote SIP server. When the alive mode is selected, the IP address of the remote SIP server must be provided. Remote Server Port Enter the port number of the remote SIP server. Interval for Sending Specify the interval for sending Options messages to the remote SIP server.
Figure 755 Configuring a trusted node Table 280 Configuration items Item Description IP address Enter the IP address of the trusted node. A trusted node can directly originate calls without being authenticated by the local SIP server. You do not need to configure user information for the number of the trusted node. By default, no trusted node is
Item Description Destination Number Prefix, Number length Enter the destination number prefix and length. Suppose the destination number prefix is 4100, and the number length is 6. This configuration matches destination numbers that are 6 digits long and start with 4100. A dot can be used after a number to represent a character. This configuration does not support other characters.
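The prefix-and-length rule in the table row above, written out as an added example (it is not the device's own code). The class and function names are hypothetical, and the example assumes that a prefix is digits followed by optional dots and that every position after the leading digits accepts any single digit 0-9.

```python
import re

# Assumption: a prefix is one or more digits followed by zero or more dots
# (the page says a dot can be used "after a number" and that no other
# characters are supported).
_PREFIX = re.compile(r"([0-9]+)(\.*)")
_DIALED = re.compile(r"[0-9]+")


class CallOutPattern:
    """Hypothetical model of one destination number prefix plus number length."""

    def __init__(self, prefix, length):
        m = _PREFIX.fullmatch(prefix)
        if m is None:
            raise ValueError("prefix %r: only digits followed by dots are supported" % prefix)
        if length < len(prefix):
            raise ValueError("number length %d is shorter than prefix %r" % (length, prefix))
        self.prefix = prefix
        self.length = length
        self.fixed = m.group(1)            # leading digits that must match exactly
        # Each dot stands for one dialed character. Because the total length is
        # fixed, dots only reserve positions; they add no further restriction.
        self.wildcards = len(m.group(2))

    def explain(self, dialed):
        """Return None on a match, otherwise the reason the number is rejected."""
        if _DIALED.fullmatch(dialed) is None:
            return "not a digit string"
        if len(dialed) != self.length:
            return "length %d, expected %d" % (len(dialed), self.length)
        if not dialed.startswith(self.fixed):
            return "does not start with %s" % self.fixed
        return None

    def matches(self, dialed):
        return self.explain(dialed) is None


def sort_numbers(pattern, numbers):
    """Split dial strings into (matched list, {rejected number: reason})."""
    matched, rejected = [], {}
    for number in numbers:
        reason = pattern.explain(number)
        if reason is None:
            matched.append(number)
        else:
            rejected[number] = reason
    return matched, rejected


if __name__ == "__main__":
    # The page's own example: prefix 4100, number length 6.
    route = CallOutPattern("4100", 6)
    # Constructed sample dial strings, not taken from the page.
    samples = ["410012", "41001", "4100123", "420012", "4100#1"]
    ok, bad = sort_numbers(route, samples)
    print("matched:", ok)
    for number, why in bad.items():
        print("rejected:", number, "-", why)
```

Running dial strings through `explain` before entering a route in the Web interface shows whether the prefix and length admit more numbers than intended.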
Page 726
Figure 758 Configuring a call rule set Table 282 Configuration items Item Description Rule Set ID Enter the ID of the call rule set. Rule Rule ID Enter the rule ID. • Outgoing—Applies the rule to outgoing calls. Call Direction •...
Figure 759 Applying the call rule set Table 283 Configuration items Item Description Rule Set ID Displays the call rule set ID. Applied Globally • Enable—Applies the call rule set to all registered users. • Disable—Specifies that the call rule set does not apply to any registered users.
Page 728
Figure 760 Network diagram Configuring Router C # Configure the router to operate in the alone mode. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page. Figure 761 Configuring alone mode Select Enable for Server Running State.
Figure 762 Configuring a user Enter 1000 for User ID. Enter 1000 for Telephone Number. Enter 1000 for Authentication Username. 10. Enter 1000 for Authentication Password. 11. Click Apply. # Configure user 5000 in the similar way. Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the username is 1000, and the password is 1000.
Page 730
Figure 763 Network diagram Configuring Router A # Configure the IP address of Ethernet 1/1 as 1.1.1.2, and the IP address of the sub interface as 2.1.1.2. (Details not shown.) # Configure the local SIP server to operate in alive mode. Select Voice Management >...
Figure 765 Configuring a user Enter 1000 for User ID. Enter 1000 for Telephone Number. 10. Click Apply. # Configure user 5000 in the similar way. Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, and the bound line is line2/0.
Page 732
• Phone 5000 is not allowed to call phone 1000. Figure 766 Network diagram Configuring the local SIP server on Router C # Configure the local SIP server to operate in alone mode. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page.
Page 733
Figure 768 Configuring a user Enter 1000 for User ID. Enter 1000 for Telephone Number. Enter 1000 for Authentication Username. 10. Enter 1000 for Authentication Password. 11. Click Apply. # Configure users with phone numbers 1111, 5000, and 5555 in the similar way. # Configure call rule set 0.
Page 734
Figure 770 Applying call rule set 0 17. Select Enable for Applied Globally. 18. Click Apply. # Configure call rule set 2. 19. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click Add to access the following page. Figure 771 Configuring call rule set 2 20.
Page 735
22. Click Apply. # Apply call rule set 2. 23. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 2 to access the following page. Figure 772 Applying call rule set 2 24.
Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar’s IP address as 2.1.1.2. Verifying the configuration • Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that numbers 1000, 1111, 5000, and 5000 have been registered with the local SIP server on Router C.
Page 737
Click Apply. # Configure Router A as a trusted node. Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the following page. Figure 775 Configuring a trusted node Type 1.1.1.1 for IP Address. Click Apply.
14. Enter 5000 for User ID. 15. Enter 5000 for Telephone Number. 16. Enter 5000 for Authentication Username. 17. Enter 5000 for Authentication Password. 18. Click Apply. Configuring Router A Configure a local number in the local number configuration page: The ID is 55661000, the number is 55661000, and the bound line is line2/0.
Page 739
Figure 779 Configuring alone mode Select Enable for Server Running State. Enter 2.1.1.2 in IP Address Bound to the Server. Select Alone for Server Operation Mode. Click Apply. # Configure a call-out route Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add to access the following page.
Page 740
Figure 781 Configuring user 1000 13. Enter 1000 for User ID. 14. Enter 1000 for Telephone Number. 15. Enter 1000 for Authentication Username. 16. Enter 1000 for Authentication Password. 17. Click Apply. Configuring Router A Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
Configuring IVR Overview Interactive voice response (IVR) is used in voice communications. You can use the IVR system to customize interactive operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice telling the subscriber what to do. For example, it might tell the subscriber to dial a number.
Error processing methods The IVR system provides three error processing methods: terminate the call, jump to a specified node, and return to the previous node. You can select an error processing method for a call node, a jump node, or globally to handle errors. Timeout processing methods The IVR system provides three timeout processing methods: terminate the call, jump to a specified node, and return to the previous node.
Figure 783 Configuring media resource Table 284 Configuration items Item Description Media Resource ID Set a media resource ID. Rename Media Type a name for the media resource file. Resource Upload Media Resource Upload media resource files for g729r8, g711alaw, g711ulaw, and g723r53. Importing a media resource through an MoH audio input port Select Voice Management >...
Table 285 Configuration item Item Description Media resource ID Set a media resource ID. Configuring the global key policy Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and click the Global Key Policy tab. Figure 786 Global key policy Table 286 Configuration items Item Description...
Item Description Input Timeout Processing Method Max Count of Input Timeouts Set the maximum number of input timeouts. Timeout Time Set the timeout time. Play Voice Prompts for Input Timeout • Enable. • Disable. Not enabled by default. Voice Prompts Select a voice prompt file. You can configure voice prompt files in Voice Management >...
Page 746
Figure 787 Configuring a call node Table 287 Configuration items Item Description Node ID Enter a node ID. Description Enter a description for the node.
Page 747
Item Description Play Voice Prompts • Enable. • Disable. Disabled by default. The following options are available for playing voice prompts: • Mandatory play—Only after the voice prompts end can the subscriber press keys effectively. • Voice prompts—Select a voice prompt file. Voice prompt files can be configured in Voice Management >...
Item Description Number Match Mode • Match the terminator of the numbers. • Match the length of the numbers. • Match the local number and route. At least one of the number match mode and the extension secondary call must be configured. Length of Numbers Enter the number length.
Table 288 Configuration items Item Description Node ID Enter a node ID. Description Enter a description for the node. See Table 287 for description about other items. Key mapping Map actions with keys. Actions include: • Terminate the call. • Jump to a specified node. If this option is selected, you need to select the target node from the Specify a node list.
Item Description Description Enter a description for the node. Operation Configuration • Terminate the call. • Jump to a specified node. If this operation is selected, you must select a node from the Specify A Node list. • Return to the previous node. •...
Item Description Register Function • Enable. The following registration parameters are configurable when Enable is selected. • Disable. Register Username Enter the username for registration. Register Password Enter the password for registration. Cnonce Name Enter the cnonce name for handshake authentication. Enter the realm name for handshake authentication.
Page 753
• The subscriber dials 50# at Telephone A to originate a secondary call and then Telephone B1 rings. • If the subscriber dials a wrong number at Telephone A, Router B plays the audio file input_error.wav. • If no number is dialed at Telephone A within the timeout time, Router B plays the audio file timeout.wav.
Page 754
Figure 793 Uploading a media resource file Enter 10001 for Media Resource ID. Enter welcome for Rename Media Resource. Click the Browse button of g729r8 codec to select the target file. Click Apply. Use the same method to upload other g729r8 media resource files timeout, input_error, and bye. # Configure global error and timeout processing methods to achieve the following purposes: •...
Page 755
Figure 794 Configuring the global key policy Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list. Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout;...
Page 756
Figure 795 Configuring a call node 10. Type 10 for Node ID. 11. Type play-welcome for Description. 12. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. 13. Select Match the terminator of the numbers from the Number Match Mode list; type # for Terminator.
Figure 796 Configuring an access number 15. Type 30000 for Number ID. 16. Type 300 for Number. 17. Select play-welcome from the Bind to Menu list. 18. Click Apply. Verifying the configuration Dial the number 300 at Telephone A. The call node plays audio file welcome.wav. Dial 50# at Telephone A, Telephone B1 rings.
Page 758
Figure 797 Network diagram (Router A and Router B connected through their Eth1/1 interfaces, addresses 1.1.1.1/24 and 1.1.1.2/24; Telephone A, Telephone B1, and Telephone B2) Configuration procedure Configuring Router Configure Router A: See Configure Router B: # Configure the call node. Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Call Node tab, and click Add to access the following page.
Page 759
Figure 798 Configuring the call node a. Type 10 for Node ID. b. Type play-welcome for Description. c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. d. Select Match the length of the numbers from the Number Match Mode list; type 3 for Length of Numbers.
Configure a secondary call on a call node (match a number) Network requirements As shown in Figure 799, configure an IVR access number and call node functions on Router B to meet the following requirements. • After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio file welcome.wav.
Page 761
Figure 800 Configuring a call node a. Type 10 for Node ID. b. Type play-welcome for Description. c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. d. Select Match the local number and route from the Number Match Mode list. e.
Configure an extension secondary call on a call node Network requirements As shown in Figure 801, configure an IVR access number and call node functions on Router B to meet the following requirements. • After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio file welcome.wav.
Page 763
Figure 802 Configuring a call node a. Type 10 for Node ID. b. Type play-welcome for Description. c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. d. Select 0 for Extension Number. e. Select 500 for Corresponding Number. f.
Verifying the configuration Dial 300 at Telephone A. Router B plays the audio file welcome.wav. Dial 0. Telephone B rings. Configure a jump node Network requirements As shown in Figure 803, configure an IVR access number and jump node functions on Router B to meet the following requirements.
a. Type 10 for Node ID. b. Type play-welcome for Description. c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list. d. Select Terminate the call for Key#. e. Click Apply. Configuring Router For other settings, see Verifying the configuration Dial 300 at Telephone A.
Page 767
Figure 806 Configuring a service node a. Type 10 for Node ID. b. Type play-welcome for Description. c. Add two operations as shown in Figure 806. d. Click Apply. # Configure an access number. Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
b. Type 300 for Number. c. Select call500 from the Bind to Menu list. d. Click Apply. Configuring Router For other settings, see Verifying the configuration Dial 300 at Telephone A. Telephone B rings. Configure a secondary call on a service node Network requirements As shown in Figure 808, configure an IVR access number and service node functions on Router B to...
Page 769
Figure 809 Configuring a service node a. Type 10 for Node ID. b. Type reject-call for Description. c. Add two operations as shown in Figure 809. d. Click Apply. # Configure an access number. Select Voice Management > IVR Services > Access Number Management from the navigation tree, and click Add to access the following page.
a. Type 30000 for Number ID. b. Type 300 for Number. c. Select reject-call from the Bind to Menu list. d. Click Apply. Configuring Router For other settings, see Verifying the configuration Dial number 300 at Telephone A. Router B plays the audio file bye.wav, and then terminates the call. Configure a call node, jump node, and service node Network requirements Figure 81...
Page 771
Figure 812 Uploading a g729r8 media resource file a. Enter 10001 for Media Resource ID. b. Enter welcome for Rename Media Resource. c. Click the Browse button of g729r8 codec to select the target file. d. Click Apply. Use the same method to upload other g729r8 media resource files timeout, input_error, and bye.
Page 772
Figure 813 Configuring the global key policy a. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice Prompts list. b. Enter 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice Prompts for Input Timeout;...
Page 773
Figure 814 Configuring a call node a. Enter 10 for Node ID. b. Enter play-call for Description. c. Select Enable for Play Voice Prompts, select Enable for Mandatory Play, and select call from the Voice Prompts list. d. Enter 1 for Extension Number, Enter 500 for Corresponding Number, and click Add a Rule.
Page 774
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the Configure Service Node tab, and click Add to access the following page. Figure 815 Configuring a service node a. Enter 20 for Node ID. b. Enter reject-call for Description. Figure 815.
Page 775
Figure 816 Configuring a jump node a. Enter 10 for Node ID. b. Enter play-welcome for Description. c. Select Enable for both Play Voice Prompts and Mandatory Play. d. Select welcome from the Voice Prompts list.
e. Select Jump to a specified node from the Key* list, and reject-all from its Specify a node list. f. Select Jump to a specified node from the Key# list, and play-all from its Specify a node list. g. Click Apply. # Configure an access number.
Create a menu Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click Add to create a menu. The following describes settings for different types of menus, including jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and secondary call.
Page 778
Item Description Play Voice Prompts When the User Enters the Menu Select an audio file. No audio file is selected by default. Input Error Processing Method Select one of the following methods: • Terminate the call. • Jump. • Return to the previous menu. By default, no method is set.
Page 779
Table 292 Configuration items Item Description Menu Node ID Enter a menu ID. Menu Name Enter a menu name. Menu Type Select Terminate the call. By default, Jump is selected. Play Voice Prompts When the User Enters the Menu Select an audio file. No audio file is selected by default.
Page 780
Figure 821 Returning to the previous menu Table 294 Configuration items Item Description Menu Node ID Enter a menu ID. Menu Name Enter a menu name. Menu Type Select Return to the previous menu. By default, Jump is selected. Play Voice Prompts When the User Enters the Menu Select an audio file. No audio file is selected by default.
Page 781
Configure a Secondary-call menu Select Secondary-call from the Menu Type list to access the following page. Figure 823 Secondary-call menu Table 296 Configuration items Item Description Menu Node ID Enter a menu ID. Menu Name Enter a menu name. Select Secondary-call. Menu Type By default, Jump is selected.
Item: Specify A Menu
Description: Specify the target menu. This setting is available when the Input Error Processing Method is Jump to a menu.

Item: Input Error Prompts
Description: Select an audio file. Voice prompt files can be configured in Voice Management > IVR Services >...
Customize IVR services

Enter the Customize IVR Services interface

Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click the icon of the target menu to access the Customize IVR Services page.

NOTE: To perform any operation on the previous page, you must close the Customize IVR Services page first.
Figure 826 Adding a submenu

You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, or secondary-call. For information about the menu configuration, see Create a menu.

NOTE: If new settings are made on the page, click Apply to save them first before you select Add a new...
Marketing and sales department menu

This menu plays the audio file Welcome1.wav. Then, the following events occur:
• If the user dials 0, the system dials the number 500 to call the attendant.
• If the user dials 1, the system jumps to the major financial customer department menu.
• If the user dials 2, the system jumps to the carrier customer department menu.
b. Enter Hello for Rename Media Resource.
c. Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.

Use the same method to upload other g729r8 media resource files. You can see these uploaded files in Voice Management > IVR Services > Media Resources Management, as shown in Figure 828.

Figure 828 Media file list...
c. Enter Voice Menu Access Number for Description.
d. Click Apply.

# Create a menu.

Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree, and click Add to create a menu.

Figure 830 Configuring a menu

a.
Figure 833 Customize IVR services

# Add submenus for the marketing and sales department, telecom product sales department, and government product sales department.

Select the voice menu system of Company A from the navigation tree to access the following page.

Figure 834 Voice menu system of Company A

a.
Figure 835 Creating a submenu for the marketing and sales department

a. Enter 2 for Menu Node ID.
b. Enter Marketing and Sales Dept for Menu Description.
c. Select Jump from the Menu Type list, and welcome1 from the Player Voice Prompts When the User Enters the Menu list.
Figure 838 Voice menu system of Company A

a. Select Terminate the call from the Operation list of key #.
b. Click Apply.
c. Configure the marketing and sales department submenu:

Select Marketing and Sales Dept from the navigation tree.

Figure 839 Marketing and sales department submenu

a.
Figure 840 Adding a submenu

a. Enter 8 for Menu Node ID.
b. Enter Attendant for Menu Description.
c. Select Dial immediately from the Menu Type list, and type 500 for Call immediately.
d. Click Apply.

Use the same method to add submenus for the major financial customer department, carrier customer department, and SMB department.
Figure 842 Telecom product sales department submenu

a. Select Jump from the Operation list, and Attendant from the Jump to submenu list of key
b. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of key 1.
Figure 844 Telecom product sales department submenu

a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.

After the configuration, the telecom product sales department submenu is as shown in Figure 844.

Configure the government product sales department submenu:

Select Government Product Sales Dept from the navigation tree.
After all the configuration, the Customize IVR Services page is as shown in Figure 845.
Advanced configuration

This section provides global configuration and batch configuration.

Global configuration

Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to access the global configuration page, as shown in Figure 846.

Figure 846 Global configuration page

Table 297 Configuration items

Item Description...
Item: Backup Rule
Description: Specify the backup rule:
• Strict—One of the following three conditions will trigger strict call backup:
  The device does not receive any reply from the peer after sending out a call request.
  The device fails to initiate a call to the IP network side.
  The device fails to register on the voice server.
Figure 847 VRF-aware SIP

Batch configuration

Local number

Creating numbers in batch

Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the Create Numbers in Batch link in the Local Number area to Figure 848.
Table 298 Configuration items

Item: Start Number
Description: Specify the start number, and then a series of consecutive numbers starting with the start number will be bound to the selected voice subscriber lines. For example, if you specify the start number as 3000 and select lines 3/0 and 3/1, then line 3/0 is bound to number 3000, and line 3/1 is bound to number 3001.
Table 299 Configuration items

Item Description

Configure the protocol used for fax communication with other devices.
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
• Standard T.38—Use the standard T.38 protocol of H.323 or SIP. The fax negotiation mode depends on the protocol used (H.323 or SIP).
Call services

Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the Call Services link in the Local Number area to access the local number call services configuration page, as shown in Figure 850.

Figure 850 Call services configuration page...
Table 300 Configuration items

Item: Call Forwarding
Description: Configure call forwarding:
• Enable.
• Disable.
By default, call forwarding is disabled.
After you enable call forwarding, enter the corresponding forwarded-to number:
• The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number.
Item: Hunt Group
Description: Configure hunt group:
• Enable.
• Disable.
By default, hunt group is disabled.

Item: Feature Service
Description: Configure Feature service:
• Enable.
• Disable.
By default, Feature service is disabled.

Item: Message Waiting Indicator
Description: Configure MWI:
• Enable.
• Disable.
By default, MWI is disabled.
IMPORTANT:...
Figure 851 Local number advanced settings page

Table 301 Configuration items

Item: Codecs and Priorities
Description: Codec with the First Priority. Codec with the Second Priority. Codec with the Third Priority. Codec with the Lowest Priority.

Specify DTMF transmission mode:
•...
Item Description Configure VAD. The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected.
Item Description

Configure the fax pass-through mode.
• G.711 A-law.
• G.711 μ-law.
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the clocks on both communication sides must be kept synchronized. Only G.711 A-law and G.711 μ-law are supported, and the VAD function should be disabled.
Figure 853 Call route advanced settings page

Table 303 Configuration items

Item: Codecs and Priorities
Description: Codec with the First Priority. Codec with the Second Priority. Codec with the Third Priority. Codec with the Lowest Priority.

Specify DTMF transmission mode:
•...
Line management

FXS line configuration

Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree, and then click the FXS Line Configuration link in the Line Management area to access the FXS line configuration page, as shown in Figure 854.

Figure 854 FXS line configuration page

Table 304 Configuration items

Item...
Item: DTMF Detection Sensitivity Level
Description: Set the DTMF detection sensitivity level.
• Low—In this mode, the reliability is high, but DTMF tones might fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level.
Item: Input Gain on the Voice Interface
Description: When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Item: Output Gain on the...
Description: When a relatively small voice signal...

IMPORTANT: Gain adjustment might lead to call failures. You are not recommended to adjust the gain. If necessary, do it with...
Item Description

failures. You are not recommended to adjust the gain. If necessary, do it with the guidance of technical personnel.

Item: Output Gain on the Voice Interface
Description: When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
Figure 858 Creating users in batches

Table 308 Configuration items

Item: Start Number
Description: Specify the telephone number of the first user to be registered.

Item: Register User Quantity
Description: Specify the number of users to be...

For example, if you specify the start number as 2000 and set the register user quantity to 5, the device automatically generates five registered...
States and statistics

This section provides information on displaying various states and statistics.

Line states

Use this page to view information about all voice subscriber lines. Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State Information page appears.
Field: Subscriber Line Status
Description:
• Physical Down—Voice subscriber line is physically down, possibly because no physical link is present or the link has failed.
• UP—Voice subscriber line is administratively down.
• Shutdown—Voice subscriber line is up both administratively and physically.
Figure 861 ISDN line details

Click a timeslot (TS) link to view the details about the TS.

Figure 862 Timeslot details

Call statistics

The following pages display call statistics.
• Active Call Summary page—Displays statistics about ongoing calls.
• History Call Summary page—Displays statistics about ended calls.
Displaying active call summary

Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call Summary page appears.

Figure 863 Active call summary page

Table 310 Field description

Field: Type
Description: Call type. Only Speech and Fax are supported.

Call status:
•...
SIP UA states

The following pages show SIP UA states:
• TCP Connection Information page—Displays information about all TCP-based call connections.
• TLS Connection Information page—Displays information about all TLS-based call connections.
• Number Register Status page—Displays number register information when you use SIP servers to manage SIP calls.
Figure 866 TLS connection information

Table 31 For information items, see Connection status

Displaying number register status

Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Register Status tab.

Figure 867 Number register status

Table 312 Field description

Field Description...
Displaying number subscription status

Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Subscription Status tab.

Figure 868 Number subscription status

Table 313 Field description

Field: Number
Description: Phone number.

Field: Subscription Server
Description: MWI server address, in the format of IP address plus port number or domain name.
Table 314 Field description

Field: Server Operation Mode
Description: Server operation mode:
• Alone.
• Alive.

Field: Server Status
Description: Server running state:
• Enabled.
• Disabled.

Field: User ID
Description: User ID.

Field: Phone Number
Description: Registered phone number.

Field: State
Description: State of the registered user:
• Online—User is online.
Displaying dynamic contact states

Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree. The page for displaying dynamic contact states appears.

Figure 871 Dynamic contact states

Table 316 Field description

Field Description

Telephone number, which could be one of the following types:
•...
This page shows the configuration information of group servers. For information about how to configure group servers, see "Managing SIP server groups."

IVR information

The following pages show IVR information:
• IVR Call States page—Display information about ongoing IVR calls.
•...
Table 318 Field description

Field: Play Count
Description: Play times of the media file.

Field: Play State
Description:
• Playing.
• Not playing.

Field: Play Type
Description:
• PSTN—Called party is from PSTN.
• IP—IP address of the peer media.
Document conventions and icons

Conventions

This section describes the conventions used in the documentation.

Port numbering in examples

The port numbers in this document are for illustration only and might be unavailable on your device.

Command conventions

Convention: Boldface
Description: Bold text represents commands and keywords that you enter literally as shown.
Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Support and other resources

Accessing Hewlett Packard Enterprise Support

• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect
•...
For more information and device support details, go to the following website: www.hpe.com/info/insightremotesupport/docs

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback (docsfeedback@hpe.com). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.