   Summary of Contents for HP 7102dl - ProCurve Secure Router

  • Page 1

    Advanced Management and Configuration Guide ProCurve Secure Router 7000dl www.procurve.com...

  • Page 3: ProCurve Secure Router

    ProCurve Secure Router 7000dl Series November 2006 J06_03 Advanced Management and Configuration Guide...

  • Page 4

    ... without the prior written consent of Hewlett-Packard. INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. Publication Number

  • Page 5: Table Of Contents

    Contents 1 Overview Contents ............1-1 Using This Guide .

  • Page 6: Table Of Contents

    Troubleshooting Commands ....... . . 1-20 reload in ..........1-20 show .

  • Page 7: Table Of Contents, Configuring Backup Wan Connections

    Troubleshooting Multilinks ........2-12 Standard Procedure .

  • Page 8: Table Of Contents

    Configuring the Demand Interface ......3-20 Creating the Demand Interface ......3-22 Configuring an IP Address .

  • Page 9: Table Of Contents

    Example of Demand Routing with PAP Authentication for a Backup Connection ........3-46 Configuring Peer IP Address .

  • Page 10: Table Of Contents

    Viewing Information about Demand Routing and Troubleshooting Problems ........3-77 Viewing the Status of the Demand Interface .

  • Page 11: Table Of Contents, ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network

    4 ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network Contents ............4-1 Overview .

  • Page 12: Table Of Contents, Applying Access Control To Router Interfaces

    5 Applying Access Control to Router Interfaces Contents ............5-1 Access Control for Interfaces on the ProCurve Secure Router .

  • Page 13: Table Of Contents, Inbound Interface Has an ACP; Outbound Interface

    Configure ACPs ..........5-35 Action .

  • Page 14: Table Of Contents, Configuring Network Address Translation

    6 Configuring Network Address Translation Contents ............6-1 NAT Services on the ProCurve Secure Router .

  • Page 15: Table Of Contents, Content Filtering

    7 Content Filtering Contents ............7-1 Overview .

  • Page 16: Table Of Contents, Setting Up Quality Of Service

    8 Setting Up Quality of Service Contents ............8-1 Overview .

  • Page 17: Table Of Contents

    Configuring LLQ ..........8-32 Overview .

  • Page 18: Table Of Contents, Enabling Application-Level Gateways for Applications, Network Monitoring

    Example: Configuring QoS for VoIP ......8-61 Enabling Application-Level Gateways for Applications with Special Needs .

  • Page 19: Table Of Contents, Associating A Track With A Default Route Received With

    Configuring Network Monitoring ....... . . 9-10 Configuring Probes ......... 9-11 Creating a Probe and Selecting Its Type .

  • Page 20: Table Of Contents, Virtual Private Networks

    Examples of Network Monitoring ......9-42 Monitor Connectivity to the Internet ..... . . 9-42 Monitor Static Routes to Remote Networks .

  • Page 21: Table Of Contents

    Configuring a VPN Using IPSec ....... . . 10-15 Configuring IPSec with IKE ......10-15 Configuring IPSec with Manual Keying .

  • Page 22: Table Of Contents, Determining The Source Of The Problem: Permitting

    Using Extended Authentication (Xauth) (Optional) ... . . 10-49 Configuring an Xauth Server ......10-50 Configuring an Xauth Host .

  • Page 23: Table Of Contents

    11 Configuring a Tunnel with Generic Routing Encapsulation Contents ............11-1 Overview .

  • Page 24: Table Of Contents

    12 Configuring Multicast Support for a Stub Network Contents ............12-1 Overview .

  • Page 25: Table Of Contents, Building RP and SP Trees When the Source Begins

    13 Configuring Multicast Support with PIM-SM Contents ............13-1 Overview .

  • Page 26: Table Of Contents, Link Layer Discovery Protocol

    Changing PIM-SM Timers ........13-37 Join/Prune Period ........13-38 Hello Timer .

  • Page 27: Table Of Contents, IP Routing—Configuring RIP, OSPF, BGP, and PBR

    15 IP Routing—Configuring RIP, OSPF, BGP, and PBR Contents ............15-1 Overview .

  • Page 28: Table Of Contents, Route Summarization (ABRs): Advertising a Link To

    Configuring OSPF ..........15-32 LSAs .

  • Page 29: Table Of Contents

    Setting the Router ID ........15-74 Configuring a BGP Neighbor .

  • Page 30: Table Of Contents

    Setting Administrative Distance for BGP Routes ....15-108 Altering BGP Intervals ........15-108 Configuration Examples .

  • Page 31: Table Of Contents, Other Routers Not Receiving Routes To The Local

    Troubleshooting RIP ........15-153 Router Not Receiving Routes .

  • Page 32: Table Of Contents

    16 Using the Web Browser Interface for Advanced Configuration Tasks Contents ............16-1 Configuring Access to the Web Browser Interface .

  • Page 33: Table Of Contents, Configuring Policies To Control Management Access To The

    Configuring NAT ......... . 16-50 Configuring Many-to-One NAT .

  • Page 34: Table Of Contents

    VPN Peers ..........16-102 Adding a Second Remote Site to the VPN .

  • Page 35: Table Of Contents

    Overview Contents Using This Guide ..........1-3 Understanding Command Syntax Statements .

  • Page 36: Table Of Contents

    Overview Contents Troubleshooting Commands ....... . . 1-20 reload in ..........1-20 show .

  • Page 37: Using This Guide

    Overview Using This Guide Using This Guide The ProCurve Secure Router Advanced Management and Configuration Guide describes how to use the ProCurve Secure Router 7000dl series in a network environment. Specifically, it focuses on two models: the ProCurve Secure Router 7102dl and the ProCurve Secure Router 7203dl. Both this guide and the ProCurve Secure Router Basic Management and Configuration Guide describe how to use the command line interface (CLI)

  • Page 38: Understanding Command Syntax Statements, CLI Prompt Convention

    Overview Using This Guide Understanding Command Syntax Statements This guide uses the following conventions for command syntax and information: Syntax: show access-lists [<listname>] Syntax: [permit | deny] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>] Angle brackets ( < > ) enclose a description of a command element, a part of the command in which you enter information specific to your particular router or WAN.

  • Page 39: IP Address Convention, Interface Numbering Convention

    Overview Using This Guide For simplicity, throughout this manual the CLI prompt is shown as: ProCurve> You can change the name displayed at the prompt of your router by changing the router’s hostname. For more instructions on changing the router’s hostname and other basic router functions, see the Basic Management and Configuration Guide, Chapter 1: Overview.

  • Page 40: Quick Start Sections, Obtaining Additional Information

    Overview Using This Guide For example, if you have a two-port T1 module in slot one, you would configure the left T1 port by entering: ProCurve(config)# interface t1 1/1 To configure the other T1 port, you would enter: ProCurve(config)# interface t1 1/2 As mentioned earlier, the Ethernet interfaces are also labeled in <slot>/<port>...

  • Page 41: Downloading Software Updates

    Overview Using This Guide You will need the Adobe Acrobat Reader to view documentation that you have saved. Click Product manuals Figure 1-1. The ProCurve Technical Support Web Page Downloading Software Updates ProCurve Networking periodically updates the router software to include new features.

  • Page 42

    Overview Using This Guide Figure 1-2. Downloading Software Updates (figure: Step 2, Step 3) Release notes are included with the software updates and provide information about: new features and how to configure and use them; software management, including downloading software to the router; and software fixes addressed in current and previous releases. For information on how to configure basic router functions, see the Basic Management and Configuration Guide.

  • Page 43: Interface Management Options, Web Browser Interface

    Overview Interface Management Options Interface Management Options The ProCurve Secure Router includes two management interfaces: the command line interface (CLI) and the Web browser interface. The router also supports Simple Network Management Protocol (SNMP), which allows you to manage it through an SNMP management console. (For more information about SNMP support, see Chapter 2: Controlling Management Access to the ProCurve Secure Router in the ProCurve Secure Router Basic Management and Configuration Guide.)

  • Page 44: Accessing The Web Browser Interface

    Overview Interface Management Options Figure 1-3. Configuring ACPs Using the Web Browser Interface Accessing the Web Browser Interface To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router.

  • Page 45: Using The Procurve Web Browser Interface

    Overview Interface Management Options Configure a username and password for the HTTP server. This username and password also secure FTP and SSH access to the router. From the global configuration mode context, enter: Syntax: username <username> password <password> For more information on how to use the Web browser interface, see Chapter 16: Using the Web Browser Interface for Advanced Configuration Tasks.

  • Page 46

    Overview Interface Management Options provides a Wizard to guide you through configuring network monitoring, or you can set up the feature manually by entering the necessary commands in the CLI. The firewall wizard can be found in the Firewall section. Click Firewall Wizard to open the wizard in a new window.

  • Page 47: CLI Tools, Help Tools, CLI Help Commands

    Overview CLI Tools CLI Tools This section gives a brief description of the CLI tools and commands that will help you to configure and troubleshoot your router. If you need more detailed information on the commands available in the CLI, it is highly recommended that you consult the Basic Management and Configuration Guide.

  • Page 48: Editing Commands

    Overview CLI Tools Editing Commands The router’s CLI supports basic editing functions that can move the cursor through the command line and allow you to cycle through previous commands. Table 1-1 describes the ProCurve editing commands. Table 1-1. Keystrokes for Moving Around the CLI (columns: Editing Command, Action) Ctrl+p or up arrow...

  • Page 49: Basic Commands, Exit

    Overview CLI Tools be checked by pressing after typing en at the basic mode context prompt. Because the Secure Router OS is able to finish the word enable, it completes the truncated command. Basic Commands This section gives some basic CLI commands that you will need to operate your router.

  • Page 50: File Management Commands, Copy

    Overview CLI Tools This message is a reminder to save the configuration you have completed. All configuration changes are initially saved only in the router’s running-configuration file, which is stored in flash memory. If the router were powered down, the running config, and any changes that you have not saved, would be lost.

  • Page 51

    Overview CLI Tools ProCurve# copy running-config startup-config Table 1-2. Options for the copy Command Source Location Options Destination Location Options cflash <filename> or • boot flash <filename> • cflash [<filename>] • flash [<filename>] • interface (only from flash <filename>) cflash or flash •...

  • Page 52

    Overview CLI Tools To save a configuration as a file on internal flash, enter the following command from the enable mode context: ProCurve# copy <source file location> <source config-file> flash [<filename>] Replace <source file location> with the location of the configuration file you are saving.

  • Page 53: Erase, Write, Autosynch

    Overview CLI Tools erase The erase command removes files from the specified file location. Syntax: erase <file location> <filename> For example, entering erase flash <filename> will delete the file you specify from internal flash: ProCurve# erase flash oldconfig This command also allows you to erase files from compact flash: ProCurve# erase cflash config1.cfg write This command is similar to the copy and erase commands.

  • Page 54: Troubleshooting Commands, Reload In

    Overview CLI Tools The autosynch command is disabled in its default setting. To enable the AutoSynch™ technology, enter the global configuration mode and enter: ProCurve(config)# autosynch-mode AutoSynch: SROS.BIZ synched AutoSynch: startup-config synched To disable AutoSynch™, use the no command: ProCurve(config)# no autosynch-mode AutoSynch: SROS.BIZ not synched AutoSynch: startup-config not synched...

  • Page 55: Show, Show Tech

    Overview CLI Tools The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no. If you are getting ready to make the configurations to be tested and want to save previous configurations, reply yes.

  • Page 56: Safe-mode

    Overview CLI Tools Note: The showtech.txt file is saved to internal flash. If you intend to use a compact flash card to transport the file, you must save the showtech.txt file to a compact flash card. The showtech.txt file contains a readout of many of the show commands. This readout allows a network administrator to pinpoint a router configuration problem without a connection to the router.

  • Page 57

    Overview CLI Tools After you enable SafeMode and set the time limit, a reload timer is activated for the Telnet and SSH access lines and begins to count down. You also set a threshold timer, which is shorter than the reload timer. When the threshold timer expires, a warning message is displayed in the CLI that allows you to reset the timer.

  • Page 58

    Overview CLI Tools After the countdown for the reload timer has begun, it continues until you either reset it by pressing Ctrl+R, disable it by entering no safe-mode, or exit out of the global configuration mode context. Use the no form of the command to disable SafeMode and the countdown timer: ProCurve(safe-config)# no safe-mode...

  • Page 59: Managing Configuration Files Using A Text Editor, Using Error Messages To Repair A Configuration

    Overview Managing Configuration Files Using a Text Editor Managing Configuration Files Using a Text Editor Configuration files can be adjusted to each router’s needs using your computer’s text editor. This allows you to set up a configuration on one router, save it to a file, and edit it for installation on another router.

  • Page 60

    Overview Managing Configuration Files Using a Text Editor Figure 1-4. Boot Error Messages The error messages in Figure 1-4 were displayed during bootup. In this particular case, the startup-config file has several VPNs configured, and the router that is booting does not have an IPSec VPN module to support it. The commands for the configuration of the VPNs are reported as errors.

  • Page 61

    Overview Managing Configuration Files Using a Text Editor Figure 1-5. Using Boot Error Messages to Target a Configuration Problem (figure callouts: Error location, Resulting message) The line number given in the error message is the line number in the running-config. You can use this information to repair any configuration problems. You will need to scroll up in your terminal session software window to read the error message.

  • Page 62: Quick Start, Accessing the Secure Router OS

    Overview Quick Start Quick Start This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and configure an enable mode password to protect the router from unauthorized access. This section also explains how to configure the Ethernet interface and the HTTP server so that you can access the Web browser interface.

  • Page 63: Configuring The Enable Mode Password, Configuring The Ethernet Interface

    Overview Quick Start Configuring the Enable Mode Password Configure an enable mode password. Syntax: enable password [md5] <password> Enter the md5 option to encrypt the password. Replace <password> with an alphanumeric string of up to 16 characters. For example, you might enter: ProCurve(config)# enable password md5 ProCurve Note: The word ProCurve is shown as the password only for simplicity.

  • Page 64: Configuring Telnet Access, Configuring SSH Access

    Overview Quick Start Configuring Telnet Access After you configure an Ethernet interface and establish a connection to the ProCurve Secure Router, you can configure Telnet access to the router. Complete the following steps: Establish a console session to the ProCurve Secure Router and move to the global configuration mode context.

  • Page 65: Configuring HTTP Access

    Overview Quick Start Complete the following steps: Establish a console session to the ProCurve Secure Router and move to the global configuration mode context. ProCurve> enable ProCurve# configure terminal If you have not already done so, configure an enable mode password. Enter: Syntax: enable password <password>...

  • Page 66

    Overview Quick Start 1-32...

  • Page 67: Contents

    Increasing Bandwidth Contents Overview ............2-2 Configuring MLPPP .

  • Page 68: Overview

    Increasing Bandwidth Overview Overview Point-to-Point Protocol (PPP) and other Data Link Layer protocols establish point-to-point connections over a single carrier line, which may not provide sufficient bandwidth to meet a business’s requirements. In a Frame Relay network, a single Frame Relay port might carry several permanent virtual connections (PVCs), all of which must share the bandwidth provided by one carrier line.

  • Page 69

    Increasing Bandwidth Overview Figure 2-1. MLPPP, a Link Aggregation Protocol (figure: a router splits frames into fragments a, c, d and sends them across several E1 lines to a router that reassembles them)...

  • Page 70: Configuring Mlppp

    Increasing Bandwidth Configuring MLPPP Configuring MLPPP Although using MLPPP to increase a connection’s bandwidth does not require deep technical expertise, you should understand how a PPP session is established and how MLPPP regulates the fragmentation and reconstruction of normal PPP frames. Such an understanding will help you troubleshoot MLPPP connections and regulate data flow.

  • Page 71: MLPPP, LCP Options

    Increasing Bandwidth Configuring MLPPP Network Layer protocol—Peers exchange Network Control Protocol (NCP) frames to negotiate which Network Layer (Layer 3) protocol the PPP frames will encapsulate. NCP frames serve two functions: they specify which Network Layer protocol will be used, and they negotiate options for that protocol.

  • Page 72: MLPPP Header, MLPPP Configuration Concerns, Enabling MLPPP

    Increasing Bandwidth Configuring MLPPP Endpoint Discriminator (ED) options—Peers negotiate how the receiving peer will identify the sending peer. One of these methods is an ED, which can be generated from an IP address, media access control (MAC) address, or PPP magic number. Every carrier line in the MLPPP bundle originates from the same endpoint and is given the same ED.

  • Page 73: Binding Multiple Carrier Lines To A Ppp Interface

    Increasing Bandwidth Configuring MLPPP Binding Multiple Carrier Lines to a PPP Interface On the ProCurve Secure Router, links are always defined by the Data Link Layer (for example, a PPP interface), rather than by the Physical Layer. You bind a physical interface to a logical interface to grant the Data Link Layer protocol access to the physical media over which to transmit data.

  • Page 74: Configuring MLFR

    Increasing Bandwidth Configuring MLFR Configuring MLFR Like MLPPP, MLFR aggregates several physical connections into a single logical connection. MLFR helps provide greater access rates for PVCs, particularly in environments in which the greater bandwidth of an E3- or T3-carrier line is not available.

  • Page 75: Enabling MLFR

    Increasing Bandwidth Configuring MLFR In essence, FRF.16 simply increases the committed information rate (CIR) you can negotiate for a Frame Relay port in a T1 or E1 environment. Figure 2-3. (figure: an MLFR bundle from Router A into the Frame Relay network, with DLCI 101 to Router B and DLCI 102 to Router C)

  • Page 76: Binding Multiple Carrier Lines To A Frame Relay Interface

    Increasing Bandwidth Configuring MLFR Binding Multiple Carrier Lines to a Frame Relay Interface On the ProCurve Secure Router, links are always defined by the Data Link Layer rather than the Physical Layer. You bind a physical interface to a logical interface to grant the Data Link Layer protocol access to the physical media over which to transmit data.

  • Page 77: Configuring The Bundle Id

    Increasing Bandwidth Configuring MLFR Note: You bind the physical interfaces to the Frame Relay interface, not the Frame Relay subinterface. This is because Frame Relay subinterfaces define PVCs, which are virtual connections, while the Frame Relay interface defines the physical connection available to all the virtual ones.

  • Page 78: Troubleshooting Multilinks, Standard Procedure, Physical Layer, Data Link Layer

    Increasing Bandwidth Troubleshooting Multilinks Troubleshooting Multilinks Troubleshooting multilinks is similar to troubleshooting a link carried on a single carrier line. You can review this process in “Standard Procedure” on page 2-12. (For more troubleshooting tips, see the Basic Management and Configuration Guide, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.) “Troubleshooting MLPPP”...

  • Page 79

    Increasing Bandwidth Troubleshooting Multilinks PPP. Common PPP problems include: mismatched DS0 or E0 channels, incorrect authentication information, and incompatible network-level protocols. Use the debug commands shown in Table 2-1 to determine where the PPP session establishment ends. A good strategy can be to first view only the errors and then pinpoint the problem from there.

  • Page 80

    Increasing Bandwidth Troubleshooting Multilinks ProCurve# show frame-relay lmi LMI statistics for interface FR 1 LMI TYPE = ANSI Num Status Enq. Sent 24 Num Status Msgs Rcvd 7 Num Update Status Rcvd 1 Num Status Timeouts 3 (callouts: Number of polls sent; Number of polls received)...

  • Page 81: Troubleshooting MLPPP, MRRU

    Increasing Bandwidth Troubleshooting Multilinks View the Frame Relay interface and verify that its signaling type matches that of your service provider. You can enter show interface fr <subinterface number> to view a subinterface (the PVC endpoint) and check DLCIs and the PVC state.

  • Page 82: Troubleshooting MLFR

    Increasing Bandwidth Troubleshooting Multilinks 2004.07.26 02:14:37 PPP.NEGOTIATION PPPrx[t1 1/1] LCP: Conf-Req ID=133 Len=29 ACCM(00000000) MAGIC(c0b82465) MRRU(1500) ED(3:0000000c045b) (callout: multilink support) PPPtx[t1 1/1] LCP: Conf-Ack ID=133 Len=29 ACCM(00000000) MAGIC(c0b82465) MRRU(1500) ED(3:0000000c045b) PPPrx[t1 2/1] LCP: Conf-Req ID=11 Len=29 ACCM(00000000) MAGIC(c0b130b4) MRRU(1500) ED(3:0000000c045b) (callout: T1 1/1 and T1 2/1 are the same link)...

  • Page 83

    Increasing Bandwidth Troubleshooting Multilinks ProCurve# debug frame-relay multilink 2005.07.12 12:12:39 FRAME_RELAY.MULTILINK (I): msg=HELLO, Link=t1 1/2 1, Bundle=MFR1, BL state=UP (callout: message from service provider router) 2005.07.12 12:12:39 FRAME_RELAY.MULTILINK (O): msg=HELLO_ACK, Link=t1 1/2 1, Bundle=MFR1, BL state=UP (callout: routers confirm a link is still active).

  • Page 84

    Increasing Bandwidth Troubleshooting Multilinks ProCurve# debug frame-relay multilink 2005.07.12 12:11:54 FRAME_RELAY.MULTILINK (O): msg=ADD_LINK, Link=t1 1/2 1, Bundle=MFR1, BL state=ADD_SENT (callout: message from local router) 2005.07.12 12:11:54 FRAME_RELAY.MULTILINK (I): msg=ADD_LINK, Link=t1 1/2 1, Bundle=MFR1, BL state=ADD_SENT (callout: message from service provider router; routers exchange requests to add a carrier line to the bundle) 2005.07.12 12:11:54 FRAME_RELAY.MULTILINK (I): msg=ADD_LINK_ACK,...

  • Page 85

    Increasing Bandwidth Quick Start Quick Start This section provides the commands you must enter to quickly configure Multilink PPP (MLPPP) and Multilink Frame Relay (MLFR). Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 2-1 to locate the section that contains the explanation you need.

  • Page 86: MLPPP Configuration

    Increasing Bandwidth Quick Start MLPPP Configuration Before you begin completing these instructions, you should connect the physical interfaces to the appropriate public carrier equipment. You should also have a non-multilink PPP connection up and running. Move to the global configuration mode context and configure the physical interface(s) for the new carrier line(s): Move to the interface configuration mode context: Syntax: interface [e1 | t1] <slot>/<port>...

  • Page 87: MLFR Configuration

    Increasing Bandwidth Quick Start If you do not already have a PPP connection running, you must also: Assign the PPP interface an IP address: Syntax: ip address [<A.B.C.D> <subnet mask | /prefix length> | negotiated] For example, you might enter: ProCurve(config-ppp 1)# ip address 10.1.1.1 /30 You can also have the interface take its address from the far end of the link (negotiated).

  • Page 88

    Increasing Bandwidth Quick Start Enabling multilink unbinds physical lines from the interface. As well as binding each new physical interface to the Frame Relay interface, you must rebind the original line: Syntax: bind <bind number> [e1 | t1] <slot>/<port> <tdm group number> frame-relay <interface number>...

  • Page 89

    Configuring Backup WAN Connections Contents Backing Up Primary WAN Connections ......3-5 Analog Backup Connections ........3-5 ISDN-Backup Connections .

  • Page 90: Table Of Contents

    Configuring Backup WAN Connections Contents Configure the connect-sequence interface-recovery Option ..........3-31 Understanding How the connect-sequence Commands Work .

  • Page 91: Table Of Contents

    Configuring Backup WAN Connections Contents Configuring a Logical Interface for a Persistent Backup Connection ..........3-56 Creating a Backup PPP Interface .

  • Page 92

    Configuring Backup WAN Connections Contents Viewing Information about Persistent Backup Connections and Troubleshooting Problems ........3-86 Viewing Backup Settings .

  • Page 93: Backing Up Primary Wan Connections, Analog Backup Connections

    Configuring Backup WAN Connections Backing Up Primary WAN Connections Backing Up Primary WAN Connections To ensure that users can always exchange data between two offices, you may want to lease a dial-up WAN connection—such as an Integrated Services Digital Network (ISDN) or telephone line—which can be used as a redundant line in case a primary WAN connection fails.

  • Page 94: ISDN-Backup Connections

    Configuring Backup WAN Connections Backing Up Primary WAN Connections Analog modems provide comparatively little bandwidth. (The ProCurve Secure Router analog module provides between 300 bps and 33.6 kbps.) When analog modems are incorporated into WAN routers, they are designed only to provide redundancy for other WAN lines, not to furnish a long-term WAN connection.

  • Page 95: BRI ISDN

    Configuring Backup WAN Connections Backing Up Primary WAN Connections BRI ISDN BRI ISDN operates over the twisted-pair cabling that is used for ordinary telephones. All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. The local loop is divided into two sections by a line of demarcation (demarc), which separates your company’s wiring and equipment from the public carrier’s wiring and equipment.

  • Page 96

    Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Although copper wire has a limited signal-carrying capacity, ISDN is designed to maximize its capability.

  • Page 97: Electrical Specifications For Bri Isdn, Backup Modules For The Procurve Secure Router

    ISDN Interfaces. The ISDN standard defines four interfaces, or points, at which equipment can be added to the ISDN network: the U interface (between the NT1 and the NIU), the T interface (between the NT2 and the NT1), the S interface (between the TE1 and the NT2), and the R interface (between the TE2 and the TA). In Europe, Asia, and all other locations outside of North America, PTTs supply...

  • Page 98: Standards

    As Figure 3-2 shows, the backup module is installed over the data link module. (Figure 3-2. Installing a Backup Module.) After the backup module is installed, it can back up any interface on the router, not only those interfaces installed in the same slot.

  • Page 99: Data Link Layer Protocols, Determining A Backup Method

    In addition to these three options, the ISDN BRI S/T backup supports: Euro-ISDN—Also called Normes Européennes de Télécommunication 3 (NET3), Euro-ISDN was defined in the late 1980s by the European Commission so that equipment manufactured in one country could be used throughout Europe.

  • Page 100: Using Demand Routing For Backup Connections

    You can configure a persistent backup connection, which is initiated immediately if a backup condition occurs on the primary connection and stays up until the primary connection is available again. Before you configure a backup connection, you should evaluate your network environment and then determine which option best meets your company’s particular needs.

  • Page 101

    [Figure residue: Branch Office B topology showing a branch router, switches and edge switches, the 192.168.3.0 and 192.168.4.0 networks, and a Frame Relay over E1 link.] The backup ISDN connection to Branch Office B is triggered only when the primary interface on the Main Core Switch Router goes down and traffic with destination address 192.168.3.0/24 or 192.168.4.0/24 is forwarded to demand...

  • Page 102: Using Persistent Backup Connections, Connections

    If you use the backup ISDN modules, you cannot use MLPPP to aggregate channels. The ISDN backup modules support bonding, rather than channel aggregation. You can bond channels on an ISDN backup module only if: (1) you configure a persistent backup connection, and (2) the router connects to another ProCurve Secure Router. If both of these conditions are met, you can use bonding to increase band-...

  • Page 103

    Table 3-1. Differences Between Demand Routing and Persistent Backup Connections
    Option: supported hardware
      Demand Routing: analog and BRI backup modules, which can be installed on top of any narrow module; ...
      Persistent Backup Connection: analog and backup modules, which can be installed on top of any narrow module; ...

  • Page 104

    Figure 3-4 shows how a backup connection is established if demand routing is configured. Figure 3-5 shows how a persistent backup connection is established. [Figure residue: Frame Relay over E1 link between the 10.1.1.0 and 10.4.4.0 networks; the backup connection is triggered by interesting traffic...]

  • Page 105

    [Figure residue (persistent backup connection): Main Router and Office Router connected by Frame Relay over E1 between the 10.1.1.0 and 10.4.4.0 networks, with switches on the 10.2.2.0 network. When the primary connection fails, the backup connection is triggered immediately and traffic from 10.2.2.5 to 10.4.4.23 is routed over dial-up because the primary connection is unavailable; when the primary connection is available, traffic is routed over Frame Relay...]

  • Page 106: Configuring Demand Routing For Backup Connections, Define The Traffic That Triggers The Connection

    Configuring Demand Routing for Backup Connections. To configure demand routing for backup connections, you must complete the following steps: Create an extended access control list (ACL) to define the traffic that will trigger the dial-up connection when the primary interface is unavailable.

  • Page 107: Specifying A Protocol, Defining The Source And Destination Addresses

    Specifying a Protocol. When you create a permit or deny statement for an extended ACL, you must always specify a protocol. Valid protocols include: ICMP ... You can also specify a number between 0 and 255 for the protocol. For demand routing, you may want to create an ACL that selects all the traffic to a particular subnet.

  • Page 108: Configuring The Demand Interface

    When you enter wildcard bits, you use a zero to indicate that the Secure Router OS should match the corresponding bit in the IP address. You use a one to indicate that the Secure Router OS can ignore the corresponding bit in the IP address.

  • Page 109

    ...example, you assign the demand interface an IP address. From this interface, you apply the ACL that defines the interesting traffic that triggers the dial-up WAN connection. The demand interface is different from other logical interfaces, however. For one thing, the demand interface is not bound to a specific physical interface or interfaces.

  • Page 110: Creating The Demand Interface, Configuring An Ip Address

    Creating the Demand Interface. To create a demand interface and access the demand interface configuration mode context, enter this global configuration mode command: Syntax: interface demand <number> Replace <number> with a number between 1 and 1024. Each demand interface must have a unique number.

  • Page 111

    Configure the Demand Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the demand interface as an unnumbered interface. The demand interface will then use the IP address of another interface.

  • Page 112: Matching The Interesting Traffic

    Matching the Interesting Traffic. To finish defining the interesting traffic that will trigger a dial-up connection, you must associate the ACL you created with the demand interface. From the demand interface configuration mode context, enter: Syntax: match-interesting [list | reverse list] <listname>...

  • Page 113

    When you view the demand interface in the running-config, you will see two commands, even though you entered only one. (See Figure 3-7.)
      interface demand 1
        match-interesting list Backup out
        match-interesting reverse list Backup in
    Figure 3-7.
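The wildcard-bit matching and the list/reverse-list pair described above, as an added Python model (not code from the manual or the Secure Router OS): a zero wildcard bit must match, a one bit is ignored, and the reverse list swaps source and destination so that inbound replies are judged against the same entry. The ACL name Backup, the "ip" protocol keyword and all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of protocol keywords; a numeric protocol 0-255 is also accepted.
IP_PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under the wildcard mask.

    A 0 bit in the wildcard means the corresponding address bit must match;
    a 1 bit means the router ignores it (the inverse of a subnet mask).
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    protocol: str      # keyword such as "ip" or "icmp", or a number 0-255 as text
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str

    def protocol_matches(self, pkt_proto: int) -> bool:
        if self.protocol == "ip":          # assumed "any IP protocol" keyword
            return True
        if self.protocol.isdigit():
            return 0 <= int(self.protocol) <= 255 and int(self.protocol) == pkt_proto
        return IP_PROTOCOL_NUMBERS[self.protocol] == pkt_proto


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int


def acl_decision(acl, pkt: Packet, reverse: bool = False) -> str:
    """Evaluate entries top-down; first match wins; implicit deny at the end.

    With reverse=True the packet's source and destination are swapped before
    matching, which is what the generated 'match-interesting reverse list ... in'
    command does for inbound traffic.
    """
    src, dst = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
    for entry in acl:
        if (entry.protocol_matches(pkt.protocol)
                and wildcard_match(src, entry.src, entry.src_wildcard)
                and wildcard_match(dst, entry.dst, entry.dst_wildcard)):
            return entry.action
    return "deny"


# Constructed ACL "Backup": all IP traffic to the 192.168.3.0/24 subnet is interesting.
# The wildcard 0.0.0.255 ignores the host bits; 255.255.255.255 ignores the whole source.
BACKUP_ACL = [
    AclEntry("permit", "ip", "0.0.0.0", "255.255.255.255", "192.168.3.0", "0.0.0.255"),
]


def is_interesting(pkt: Packet, direction: str) -> bool:
    """'out' applies the list as written; 'in' applies the reverse list."""
    return acl_decision(BACKUP_ACL, pkt, reverse=(direction == "in")) == "permit"


if __name__ == "__main__":
    outbound = Packet("192.168.20.5", "192.168.3.10", 6)
    print("outbound interesting:", is_interesting(outbound, "out"))   # True
    print("outbound on reverse list:", is_interesting(outbound, "in"))  # False
```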

  • Page 114

    ...ACP to control access to an already-active backup connection. However, the connection will only be triggered by traffic that matches the ACL that you specify in the match-interesting list command. Because you can configure one ACL to trigger the dial-up connection and another ACL to control access to the dial-up connection, you can allow certain types of traffic to use a connection only when it is already established.

  • Page 115: Specifying The Connect-mode Option

    Specifying the connect-mode Option. You can control whether the demand interface can be used to originate a call, answer a call, or both. From the demand interface configuration mode context, enter: Syntax: connect-mode [originate | answer | either] Table 3-3 shows each option and when you would use it.

  • Page 116: Associating A Resource Pool With The Demand Interface, Defining A Connect Sequence

    Associating a Resource Pool with the Demand Interface. Rather than using a bind command to create a persistent, one-to-one connection between the demand interface and a physical interface, you use the resource pool command to link the demand interface to one or multiple dial-up interfaces.

  • Page 117

    Replace <string> with the telephone number that the demand interface should dial to make the connection. Replace <resource-type> with one of the options listed in Table 3-4. The option you enter will limit this connection to a particular type of dial-up connection.

  • Page 118: Specify The Order In Which Connect Sequences Are Used

    Specify the Order in Which Connect Sequences Are Used. If you configure more than one connect sequence, you can configure the order in which each one is used. From the demand interface configuration mode context, enter: Syntax: connect-order [sequential | last-successful | round-robin] Table 3-5 lists each option with a brief description.

  • Page 119: Configure The Connect-sequence Interface-recovery Option

    Replace <value> with the number of times the ProCurve Secure Router will cycle through the connect sequences specified for a demand interface. You can specify a number between 0 and 65535. The default setting is 1. Specifying 0 places no limit on the number of attempts.

  • Page 120

    If the router reaches the maximum number of connect sequence attempts, the ProCurve Secure Router will, by default, change the status of the demand interface to “DOWN (recovery active).” The router will remove the IP address from the demand interface and any associated routes from the routing table.

  • Page 121: Work

    Understanding How the connect-sequence Commands Work. Because you can configure a number of settings for connect sequences, it is important to understand how these settings interrelate. For example, consider the configuration shown in Figure 3-8.
      interface demand 1
        connect-order sequential
        connect-sequence attempts 3
        ...

  • Page 122

    In 60 seconds, the ProCurve Secure Router will try to process the connect sequences again (although the demand interface will remain down in recovery active mode). If that attempt is unsuccessful, the ProCurve Secure Router will try again in 60 seconds.

  • Page 123

    Processing connect-sequences: 1. Check connect-order. 2. Process connect-sequence 2, based on connect-order. [Configuration shown in the figure:]
      connect-order sequential
      connect-sequence 10 dial-string 5551212 forced-ISDN-64k busyout-threshold 3
      connect-sequence 20 dial-string 5552222 forced-analog busyout-threshold 1
    3. Check connect-mode. Can the ... 4. ...

  • Page 124: Configuring The Idle-timeout Option, Configuring The Fast-idle Option

    Configuring the idle-timeout Option. You can configure the amount of time that the demand interface remains up in the absence of interesting traffic. The idle timer helps to keep the backup connection cost-effective: backup is only active when it is truly necessary.

  • Page 125: Defining The Caller-number, Defining The Called-number, Configuring The Hold Queue

    Defining the caller-number. When an ISDN or analog call is established, the calling party supplies a Calling Line ID (CLID). If you configure a caller-number, the backup interface will check the CLID when it receives calls. If the CLID matches the caller-number you specified, the interface will answer the call.

  • Page 126: Configuring The Bri Or Modem Interface

    Replace <packets> with a number between 0 and 200. Replace <seconds> with a number between 0 and 255. By default, the ProCurve Secure Router holds 200 packets for 3 seconds. If the number of packets received before the connection is established exceeds 200 packets or if the connection is not established within 3 seconds, the ProCurve Secure Router empties the hold queue.

  • Page 127: Accessing The Bri Or Modem Interface, Configuring The Isdn Signaling (switch) Type

    Accessing the BRI or Modem Interface. To access the configuration mode context for the BRI or modem interface, enter: Syntax: interface <interface> <slot>/<port> Replace <interface> with bri or modem. On the ProCurve Secure Router, the interface for each physical port is identified by its slot number and port number.

  • Page 128: Configuring An Ldn For Isdn Bri S/t Modules

    Table 3-6. ISDN Signaling Types
      National ISDN-1: isdn switch-type basic-ni
      Euro ISDN: isdn switch-type basic-net3
      Northern Telecom DMS-100: isdn switch-type basic-dms
      Lucent/ATT 5ESS: isdn switch-type basic-5ess
    The default settings are: ISDN BRI U modules, isdn switch-type basic-5ess; ISDN BRI S/T modules, isdn switch-type basic-net3...

  • Page 129: Configuring A Spid And Ldn For Isdn Bri U Modules

    If you are configuring an ISDN line in North America, you may also need to define a SPID. As described in the next section, you can set the SPID at the same time that you set the LDN.

  • Page 130: Assigning Bri Or Modem Interface To The Resource Pool, Activating The Interface

    For example, you might enter: ProCurve(config)# modem countrycode Germany Enter modem countrycode ? for a complete list of keywords for countries. The default setting is USA and Canada. Assigning BRI or Modem Interface to the Resource Pool. To assign backup interfaces to the resource pool, enter the following command from the BRI or modem interface configuration mode context: Syntax: resource pool-member <pool name>...

  • Page 131: Caller Id Options For Isdn Bri Backup Modules (optional)

    Caller ID Options for ISDN BRI Backup Modules (Optional). The ProCurve Secure Router accepts ISDN calls based on whether the incoming call’s caller id matches a list of acceptable caller ids. You can override an incoming call’s caller id using the caller-id override option.

  • Page 132: Configuring Ppp Authentication For An Isdn Connection

    ProCurve# show ip route
      10.2.2.0/30 is directly connected, ppp 1
      10.3.3.0/30 is directly connected, demand 1
      10.10.10.0/30 is directly connected, ppp 2
      192.168.20.0/24 is directly connected, eth 0/1
      192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1        (callout: IP route through primary interface)
      ...

  • Page 133: Enabling Ppp Authentication For All Demand Interfaces, Configuring Pap Authentication For A Demand Interface

    Enabling PPP Authentication for All Demand Interfaces. You must configure the PPP authentication protocol that the router uses for inbound calls. To configure the authentication protocol that the demand interfaces expect to receive for inbound calls, enter the following command from the global configuration mode context: Syntax: data-call authentication protocol [chap | pap] Include either the chap option or the pap option, depending on which PPP...

  • Page 134: Receive, A Backup Connection

    When you replace <password>, ensure that you are using the same settings that are configured on the far-end router. The username that is sent is the hostname of the router. Configuring the Username and Password That the Router Expects to Receive. You must also configure the username and password that the ProCurve Secure...

  • Page 135: Configuring Peer Ip Address

      data-call authentication protocol pap             (callout: data-call commands to
      data-call sent authentication protocol pap        enable PAP authentication)
      interface bri 2/1
        isdn ldn1 968483940096
        resource pool-member Pool
        no shutdown
      interface bri 2/2
        isdn ldn1 978484540055
        resource pool-member Pool
        no shutdown
      interface demand 1
      ...

  • Page 136: Setting The Mtu For Demand Interfaces

    Setting the MTU for Demand Interfaces. When establishing a link, PPP peers must agree on how much data can be contained in the information field of PPP frames. The value that communicates this frame size is called the maximum receive unit (MRU).

  • Page 137: Configuring A Persistent Backup Connection, Connection, Configuring A Bri Interface (isdn Only)

    Configuring a Persistent Backup Connection. If your company needs a constant WAN connection between two offices, you should configure a persistent backup connection. Then, if the primary connection fails, the persistent backup connection will be established immediately, and it will remain up until the primary WAN connection is available again.

  • Page 138

    Setting the ISDN Signaling (Switch) Type. The BRI interface must implement the same type of ISDN signaling that your public carrier uses. (See “Electrical Specifications for BRI ISDN” on page 3-9 to learn more about the standards supported by the ProCurve Secure Router.) The signaling type does not necessarily have to be that of the CO switch’s manufacturer.

  • Page 139

    For example, you might enter: ProCurve(config-bri 1/2)# isdn ldn1 5555551111 You can also set a secondary LDN using the isdn ldn2 command: ProCurve(config-bri 1/1)# isdn ldn2 5555552222 If you are configuring an ISDN line in North America, you may also need to define a SPID.

  • Page 140

      bri 1/3 is UP                                     (callout: interface activated but not
      Line status: ready                                currently providing connection)
      Caller ID will be used to route incoming calls
      Caller ID normal
      Switch protocol: AT&T 5ESS
      SPID 1 25655522220101, LDN 1 5552222              (callout: number at which the local router can be ...)
      SPID 2 n/a, LDN 2 n/a
      ...

  • Page 141: Configuring A Modem Interface (analog Only), Configuring A Modem Interface (analog Only)

    The txadd-timer command specifies the length of time the router will wait for additional calls to be connected before deciding that the bonding call has failed. When dialing overseas, you should enter a value above 60 seconds to allow for slower call routing.

  • Page 142

    Optionally, you can: replace incoming caller ID with a set number; use the modem for console dial-in. Setting the Country. Depending on where the router is located, the analog backup module may need to use different signals to connect to the PSTN or PTT.

  • Page 143: Using The Modem For Console Dial-in, Replacing Incoming Caller Id For Bri And Modem Interfaces

    Using the Modem for Console Dial-In. You can connect to the analog module on the ProCurve Secure Router and initiate a console session with it. Caution: If you enable dial-in console sessions, you cannot use the module for backup.

  • Page 144: Connection, Configuring A Logical Interface For A Persistent Backup

    Configuring a Logical Interface for a Persistent Backup Connection. Although a backup connection provides redundancy for a primary WAN connection such as a Frame Relay connection or an ISP connection, it does not duplicate the primary WAN connection.

  • Page 145: Creating A Backup Ppp Interface, Activating The Interface

    A backup interface is simply a supplemental PPP interface that you create and configure as you would any PPP interface. You must configure an IP address for the backup PPP interface. For best security practices, ProCurve Networking also recommends that you configure PPP authentication.

  • Page 146: Setting An Ip Address, Enabling Ppp Authentication

    Setting an IP Address. The backup interface’s IP address must be on a different network than that of the primary connection. (The router does not allow more than one interface to be on the same network.) To configure the IP address, enter this command from the backup PPP interface configuration mode context: Syntax: ip address <A.B.C.D>...

  • Page 147

    To require CHAP authentication from the peer:
      1. Move to the configuration mode for the backup PPP interface.
      2. Enable CHAP authentication: ProCurve(config-ppp 2)# ppp authentication chap
      3. Add the peer router’s hostname and password to the PPP database: ProCurve(config-ppp 2)# username LondonRouter password procurve
    Providing Authentication to the Peer.

  • Page 148: Accessing The Primary Connection's Logical Interface, Connection, Configuring Persistent Backup Settings For A Primary

    Configuring Persistent Backup Settings for a Primary Connection. Even though you install a backup module in a specific module slot, the corresponding backup line can provide redundancy for any of the WAN connections on the router.

  • Page 149: Setting The Backup Call Mode

    Note: You configure separate backup connections for every PVC in a Frame Relay network or ATM connection. Therefore, you enter the backup commands from the Frame Relay or ATM subinterface. The analog or ISDN line can only provide active backup for one PVC at a time.

  • Page 150

    [Figure residue: dialing out after a line failure between Router A (backup call mode originate) and Router B (backup call mode answer-always). A calls and B doesn’t answer; A calls again, B answers, and A negotiates a connection with B using PPP4. Telephone numbers shown: 555-1111, 555-2222, 555-3333. Backup dial list entries shown: 555-1111 PPP2, 555-2222 PPP4...]

  • Page 151

    If the call fails to connect, the Secure Router OS checks the backup dial list in the primary interface for a second number, which references a different backup PPP interface. If there is a second number, the Secure Router OS attempts to connect to it.

  • Page 152

    Table 3-9. Backup Call Modes
      backup call-mode answer: If the primary connection fails, the backup interface will answer backup calls but not place them.
      backup call-mode answer-always: The backup interface will always answer backup calls, even when the primary connection is up.

  • Page 153: Adding A Number To A Backup Dial List

    [Figure residue: Router A, Router B and Router C on a Frame Relay network (FR 1.101, FR 1.102) with an ISDN backup. With backup call mode answer, Router A refuses the backup call; with backup call mode answer always, the call is accepted. Link states shown: Disconnected, Physically down...]

  • Page 154: Established

    For digital modules, you must also specify whether the ISDN line will use a single channel (56 or 64 Kbps) or a bonded channel (112 or 128 Kbps). You do so by entering the minimum and maximum DS0 or E0 channels. Note: Bonding calls is a proprietary feature.

  • Page 155

    You do not actually activate the backup connection by specifying times when a backup connection can be established. Rather, you enable the router to establish a backup connection if the primary connection fails during those times.

  • Page 156: Setting Backup Timers

    Caution: Make sure that your router is set with the correct time and date. From the enable mode context, enter: ProCurve# show clock If you need to configure the router to receive time from an SNTP server, enter the following command from the global configuration mode context: Syntax: sntp server [<hostname>|<A.B.C.D>] [version <1-3>] If you want to manually set the clock, enter the following command from the...

  • Page 157

    Table 3-10. Backup Timers (Command Syntax / Function / Default / Range)
      backup auto-backup | no backup auto-backup: automatic backup initiation after a connection fails; default —; range —
      backup backup-delay <seconds>: time between line failure and placing a backup call; default 10 seconds; range 10-86,400 seconds
      ...

  • Page 158

    You can specify the local backup interface as the forwarding interface to ensure that the route will be accurate even if the peer changes its backup IP address. If you do enter a next hop address, remember that this address should be that of the peer’s backup interface, which like the local backup interface, is on a different network from the primary connection.

  • Page 159: Configuring Persistent Backup For Multiple Connections

    Note: If your router uses routing protocols to learn routes to the remote destination, you must enter an administrative distance for the floating static route that is higher than the administrative distance for the routing protocol. For example, the administrative distance for OSPF routes is 110, so you could enter this command: ProCurve(config)# ip route 192.168.64.0 /18 ppp 2 120...

  • Page 160: Connections, Troubleshooting Problems

    Viewing Backup Configurations and Troubleshooting Backup Connections. The steps you take to view and troubleshoot backup connections vary, depending on whether you are using demand routing or persistent backup connections.

  • Page 161: Interfaces, Viewing The Status And Configuration Of Backup Interfaces

    Table 3-11. Backup LEDs (Color / Meaning)
      (color not captured): The backup interface has not been activated.
      (color not captured): The backup interface is down.
      solid green: The backup interface is up and ready to provide a connection.
      flashing green: The backup interface is active and providing the current connection.

  • Page 162

    The first line of the display reports the status of the interface and of the ISDN line. (See Figure 3-21.)
      bri 1/2 is UP
      Line status: connected
      Caller ID will be used to route incoming calls
      Caller ID normal
      Switch protocol: Net3 Euro ISDN
      SPID 1 n/a, LDN 1 9631111
      ...

  • Page 163

    Verify that the SPID(s) and/or LDN(s) are correct. If you are located in North America, double-check whether your public carrier has assigned you one or two SPIDs. When you use both B channels, public carriers that use National ISDN and Northern Telecom DMS-100 sometimes require you to configure a SPID for each channel.

  • Page 164

    Table 3-13. BRI Line Status (Status / Meaning / Next Best Step)
      layer 1 down: There is no activity on the ISDN line. Next best step: Check the physical hardware, including the cabling and wall jack.
      getting TEI #1: The switch cannot identify ... Next best step: •...

  • Page 165: Troubleshooting Problems, Viewing The Status Of The Demand Interface

    Viewing Information about Demand Routing and Troubleshooting Problems. You can use show commands to view different aspects of your demand routing configuration. For example, you can view the status of a demand interface and any dial-up connections that are established through a demand interface.

  • Page 166

    Figure 3-23 shows the results of this command if demand interface 1 is spoofing its up status and a dial-up connection has not been established. In addition to showing the status of the interface, this command displays settings for the following commands: connect-mode; resource pool; ...

  • Page 167: Interface

    Figure 3-24 provides the results of the show interfaces demand 1 command when an ISDN connection has been established.
      Demand 1 is UP (connected)          (callout: a dial-up connection has been established)
      Configuration:
        Keep-alive is set (10 sec.)
        connect-mode, ...

  • Page 168: Viewing Demand Sessions, Viewing The Resource Pool

    Viewing Demand Sessions. You can view all of the dial-up connections currently established through demand routing. From the enable mode context, enter: ProCurve# show demand sessions The sessions are listed in the order in which they were established. (See Figure 3-25.) For each session, this command lists: the demand interface through which the connection was established; the IP address of the demand interface and the far-end router; ...

  • Page 169: Show The Running-config For The Demand Interface, Troubleshooting Demand Routing, Checking The Demand Interface

    Show the Running-Config for the Demand Interface To check your demand routing configuration, you must view the running-config file. From the enable mode context, enter: ProCurve# show running-config You must then scroll through the file to find the various commands you entered for demand routing.

  • Page 170: Checking The Acl That Defines The Interesting Traffic

    make a connection. (For more information about checking the BRI or modem interfaces, see “Viewing Information about BRI and Modem Interfaces and Troubleshooting Problems” on page 3-72.) Use the show interfaces demand command to view the status of the demand interface, which should be up (spoofing).

  • Page 171: Troubleshooting The Backup Connection

    the source address for the ping to a local network address). Before you send the sample traffic, enable debugging for demand routing. From the enable mode context, enter: ProCurve# debug demand-routing If you have configured your ACL correctly, debug messages for demand routing should appear immediately.

  • Page 172

    (Command: Description) debug isdn resource-manager: displays resource manager errors and messages; debug isdn verbose: displays all errors and messages. Note: Debug functions are processor intensive. Some of the debug isdn commands display a high volume of messages, which are displayed too quickly to read.

  • Page 173: Test Calls For Isdn Lines

    Test Calls for ISDN Lines You can also set up a test call to test the ISDN circuit. When you initiate a test call, you connect the two endpoints through an ISDN call without setting up a Data Link Layer connection;...

  • Page 174: And Troubleshooting Problems, Connection

    To hang up a specific channel, enter the number of the B channel you want to disconnect. For example, if you wanted to hang up channel B2, you would enter: ProCurve(config-bri 2/3)# test-call hangup channel 2 Test calls allow you to check the physical ISDN connection, end to end,...

  • Page 175: Viewing Backup Settings

    To verify this information, you can use the show commands in Table 3-17. Table 3-17. Backup show Commands (View: Command Syntax): backup dial list: show backup interfaces; days and times backup is enabled: show backup interfaces; backup PPP interface IP address: • ...

  • Page 176

    ProCurve# show backup interfaces Dial-backup interfaces... ppp 1 backup interface: Backup state: in dial backup using bri 1/3 Backup protocol: Call mode: answer Auto-backup: enabled Auto-restore:... (Figure callout: Backup state is active through BRI 1/3)

  • Page 177: Viewing The Backup Ppp Interface, Monitoring The Dial-up Process

    Backup phone number list—This is the backup dial list, which includes: • Number—the peer’s phone number • Call type—analog, digital 56K, or digital 64K • Min/max DS0s—for ISDN lines only; the setting should read “1 2” for bonded lines •...

  • Page 178

    When the local router successfully connects to a peer, you should receive messages such as those shown in Figure 3-30. ProCurve# debug backup ProCurve# debug dialup-interfaces DIALUP_INTERFACE.bri 1/3 Dialing 8882222 DIALUP_INTERFACE.bri 1/3 Connect (CONNECT 64000) DIAL_BACKUP.bri 1/3 establishing ppp 1 backup to 8882222.

  • Page 179: Troubleshooting Persistent Backup Connections, Standard Procedures

    The router will not answer a call if the number is not in its dial backup list. The router will receive a message such as this: DIAL_BACKUP.MGR: Ignoring incoming call on bri 1/3 from 0005552222 because no match was found for this call source.

  • Page 180

    If the call mode does not include originate, the router must wait to receive a call from the other end of the line. Either contact the remote site and have it initiate a connection or change the setting so the local router can place a call.

  • Page 181

    In a PPP connection, when one end loses the connection the other does as well. If both endpoints are allowed to place a backup call, the calls may collide. In this situation, you may want to configure one router to answer calls and one to receive them.

  • Page 182

    The Call Connects But the Backup Connection Does Not Go Up. Caution: These instructions explain how you can view PPP debug messages to determine why the Data Link Layer will not go up.

  • Page 183

    If the local router requires the remote router to authenticate itself, view the running-config for the backup PPP interface (show run int ppp <interface number>) and verify that the interface contains the correct username and password for the peer.

  • Page 184

    Configuring Backup WAN Connections Quick Start However, by default, the number of times the router reattempts to connect a call is set to unlimited. The router will continue to try the first number rather than moving on to the second. Whenever you want the router to be able to contact more than one number for a backup connection, you should limit the number of times the router can attempt a call.

  • Page 185

    Configuring Demand Routing for Backup Connections You may want to use Table 3-19 to record the information you will need to configure demand routing for a backup module.

  • Page 186

    Table 3-19. Settings for Configuring Demand Routing for a Backup Module (Required Configuration: Options / Your Setting). Define the traffic that should initiate the dial-up connection if the primary ...: Permit and deny statements in the ACL: [permit | deny] <protocol>...

  • Page 187

    (Required Configuration: Options / Your Setting) For ISDN connections, specify the LDN, the local telephone number for the ISDN line: obtained from service provider. Create a floating static route to the far-end network: • Obtain the destination network ...

  • Page 188

    Replace <protocol> with one of the following: ..., icmp, ..., or a number between 0 and 255. To specify the source and destination address, use the following: Syntax: [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>] For example, you might want to specify that the interesting traffic is the IP traffic from any source to network 192.168.115.0 /24.

  • Page 189

    Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL.

  • Page 190

    Replace <value> with the number of times between 1 and 65535 that the demand interface should attempt the call. (Enter 0 to have the demand interface make an unlimited number of attempts.) Table 3-20. Defining a Resource Type for Connection Instructions (Option: Description): isdn-64k...

  • Page 191

    Table 3-21 lists the command syntax for each signaling type. Table 3-21. ISDN Signaling Types (Signaling Type: Command Syntax): National ISDN-1: isdn switch-type basic-ni; Euro ISDN: isdn switch-type basic-net3; Northern Telecom DMS-100: isdn switch-type basic-dms; Lucent/ATT 5ESS: isdn switch-type basic-5ess. Set the LDN.

  • Page 192

    Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0 /24. Then, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length. Specify the forwarding interface as demand <number>...

  • Page 193

    Table 3-22. Backup Settings (Required Configuration: Options / Your Setting). Access the configuration mode context for the backup interface: <backup interface> = bri or modem; <slot> = 1 or 2; <port> = 2 or 3. For an analog interface, specify the country in which the router is located: Enter modem country code ?

  • Page 194

    (Required Configuration: Options / Your Setting) Specify days that backup will not be provided: • sunday • monday • tuesday • wednesday • thursday • friday • saturday. Specify time when backup support is turned off: hh:mm:ss

  • Page 195

    Create a backup PPP interface. Syntax: interface ppp <backup interface number> Assign the backup interface a static IP address on a different network than the primary interface. Syntax: ip address <backup A.B.C.D> <subnet mask | /prefix length> Activate the interface.

  • Page 196: Module

    13. Disable backup for the days and times you do not want to provide backup. Syntax: no backup schedule day <day> Syntax: backup schedule disable-time <hh:mm:ss> Syntax: backup schedule enable-time <hh:mm:ss> Enter times in twenty-four hour clock format. For example: ProCurve(config-fr 1.102)# no backup schedule saturday ProCurve(config-fr 1.102)# backup schedule disable-time 18:00:00 ProCurve(config-fr 1.102)# backup schedule enable-time 8:00:00...

  • Page 197

    Activate the interface. ProCurve(config-bri 1/3)# no shutdown Create a backup PPP interface. Syntax: interface ppp <backup interface number> Assign the backup interface an IP address on a different network than the primary interface. Syntax: ip address <backup A.B.C.D> <subnet mask | /prefix length> Activate the interface.

  • Page 198: Backing Up A Connection With An Analog Module

    13. Disable backup for the days and times you do not want to provide backup. Syntax: no backup schedule day <day> Syntax: backup schedule disable-time <hh:mm:ss> Syntax: backup schedule enable-time <hh:mm:ss> Enter times in 24-hour clock format. For example: ProCurve(config-fr 1.102)# no backup schedule saturday ProCurve(config-fr 1.102)# backup schedule disable-time 18:00:00 ProCurve(config-fr 1.102)# backup schedule enable-time 8:00:00...

  • Page 199

    Activate the interface. ProCurve(config-ppp 2)# no shutdown Move to the logical interface for the primary connection. Syntax: interface <interface ID> For example: ProCurve(config)# interface frame-relay 1.102 Add the remote site’s telephone number to the backup call list. Syntax: backup number <remote site’s LDN>...

  • Page 200

  • Page 201

    ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network. Contents: Overview (4-3); Advantages of an Integrated Firewall ...

  • Page 202: Table Of Contents

    Contents: Configuring Logging (4-24); Specifying the Priority Level for Logged Events ...

  • Page 203: Advantages Of An Integrated Firewall, Overview

    Overview The Internet offers many valuable resources, often free and open to all users. In addition, it allows businesses and consumers to reach each other more easily than ever before. A connection to the Internet is practically mandatory for most organizations.

  • Page 204: Stateful-inspection Firewalls, Packet-filtering Firewall

    A router firewall protects your network entry points, stopping threats before they get through the router. An integrated firewall is less expensive. A firewall integrated on a router allows an organization to enforce a standard security policy for all hosts.

  • Page 205

    Figure 4-1. Packet-Filtering Firewall (figure: packet 1, from a permitted source IP, passes from the Internet through the router into the private network; packet 2, from a denied source IP, is dropped). ACLs specify certain settings for packets’ full association information. For example, the ACL can permit packets from a range of IP addresses destined to a specific IP address on a specific port.

  • Page 206: Circuit-level Gateway

    Circuit-level Gateway A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor the establishment of sessions between trusted and untrusted devices. Some circuit-level gateways establish proxy sessions to untrusted hosts for their clients.

  • Page 207: Application-level Gateway

    Figure 4-2. Circuit-Level Gateway Versus Secure Router OS Firewall (figure: with a circuit-level gateway there are two sessions, Router A 192.168.1.99 to the gateway and the gateway to the Internet host 10.1.1.1; with the Secure Router OS firewall there is a single session, with the source IP 192.168.1.99 NATed). For information on how to configure NAT, see Chapter 6: Configuring Network Address Translation.

  • Page 208

    A stateful-inspection firewall, like that on the ProCurve Secure Router, can analyze Application Layer data without having to act as a proxy server. Instead, the firewall monitors sessions between hosts in the trusted and untrusted networks.

  • Page 209: Attack Checking

    (Firewall Feature / OSI Layer / Function / ProCurve Secure Router Configuration) application-level gateway: Application (7); allows a specific application to work correctly in the presence of the firewall; enable ALGs, see “Configuring ALGs” on page 4-18. Attack Checking This chapter focuses on configuring the Secure Router OS firewall to block attacks.

  • Page 210: Syn-flood Attacks

    The firewall also checks for TCP SYN packets with ACK, URG, RST, or FIN flags and packets: with the broadcast address for the source address; with an invalid TCP sequence number; with an enabled source route option. You do not have to configure the firewall to screen these attacks;...

  • Page 211: Winnuke Attacks

    Figure 4-3. Syn-flood Attack (figure: attacking system and target host; the SYN/ACK replies to the spoofed sources 192.168.3.4 /32, 172.16.1.26 /32, and 10.0.3.28 /32 have no route). The result of both attacks is extremely degraded performance or, worse, a system crash.

  • Page 212: Reflexive Traffic, Event Logging

    Reflexive Traffic Reflexive traffic is traffic that is received on an interface and then forwarded out the same interface. For example, in a multi-netted environment, traffic will sometimes arrive on and leave by the same Ethernet interface. Figure 4-4 shows an example of such a network.

  • Page 213

    You can examine logs to look for information to help you in troubleshooting or to see what kind of attacks have been targeted at your system. (You can also view events as they occur on the terminal by activating the events command from the enable mode context.) Events include: blocked attacks; policy matches (packets filtered by an ACL or ACP)

  • Page 214: Configuring Attack Checking, Enabling The Secure Router Os Firewall

    Configuring Attack Checking To configure the Secure Router OS firewall to block attacks, you only have to: enable the firewall. You can also: enable and disable optional checks; check reflexive traffic; enable stealth mode. Enabling the Secure Router OS Firewall...

  • Page 215: Enabling And Disabling Optional Attack Checks

    (Packet: Associated Attack) all ICMP packets except echo, echo-reply, ttl expired, destination unreachable, and quench: Twinge; falsified IP header (the length bit does not match ...): • ...

  • Page 216: Checking Reflexive Traffic

    The WinNuke attack affects Windows NT 3.51 and 4.0, Windows 95, and Windows 3.11. It does not usually cause permanent damage. However, it can cause open Windows applications to crash and hosts to lose connectivity; you should consider enabling this check when your network uses affected systems.

  • Page 217: Configuring Stealth Mode

    does not process traffic that it immediately forwards through the interface on which the traffic was received. It assumes that the traffic is from a trusted source. (Figure: Router 1 Eth 0/1 and Router 2 Eth 0/1 ...)

  • Page 218: Configuring Algs

    Configuring ALGs ALGs monitor sessions on the OSI Application Layer. An ALG helps a firewall read packets and filter them for the particular commands or information relating to the ALG’s application. Each application has a distinct ALG that deals with its special concerns.

  • Page 219: Enabling The Ftp Alg, Enabling The H.323 Alg For Voice And Videoconferencing

    Enabling the FTP ALG FTP allows computers to exchange files through the Internet. It is often used to upload Web pages to a Web server or to download files from a server to a PC.

  • Page 220: Enabling The Pptp Alg For Vpns, Enabling Firewall Traversal

    On the ProCurve Secure Router, the default port number that the ALG uses for SIP is 5060. If any SIP applications in your network use different port numbers, then you must enable those ports as well. Use the optional udp keyword and enter the port number.

  • Page 221: Configuring Timeouts For Sessions, Setting The Timeout For A Protocol

    Configuring Timeouts for Sessions As well as screening TCP and UDP packets for attacks, the Secure Router OS firewall monitors all ICMP, TCP, and UDP sessions established through the router.

  • Page 222: Setting Timeouts For Specific Tcp And Udp Applications

    The default settings for these timeouts are usually adequate. However, you can alter them in accordance with your organization’s policies with this command: Syntax: ip policy-timeout [ahp | esp | gre | icmp] <seconds> Syntax: ip policy-timeout [tcp | udp] all-ports <seconds>...

  • Page 223

    For a complete list of protocol keywords, refer to your SROS CLI reference guide. You can also use the ? help command. For example: ProCurve(config)# ip policy-timeout tcp ? You can similarly set individual timeouts for a specific UDP application.

  • Page 224: Configuring Logging, Specifying The Priority Level For Logged Events

    Configuring Logging By default, the Secure Router OS firewall logs events to the router’s event-history log. It also creates a log for every 100 attacks it blocks and every 100 packets it matches to a policy.

  • Page 225

    Table 4-3. Priority Level for Common Events (Priority Level: Example Events): informational: policy matches; notification: session login; warning: Frame Relay subinterface becoming active or inactive; error: • PPP session opening: ...

  • Page 226: Specifying How Many Attacks Generate A Log

    To examine the logs stored in the event history, enter the following command: ProCurve# show event-history Logs are marked with the date and time at which they occurred. They are also labeled with the type of event.

  • Page 227: Specifying How Many Policy Matches Generate A Log, Forwarding Logs To A Syslog Server

    Specifying How Many Policy Matches Generate a Log The Secure Router OS firewall is a stateful-inspection firewall that supports packet filtering. You customize filters, or ACPs, that the firewall uses to determine whether it should forward or drop each packet that arrives on an interface.

  • Page 228

    To configure log forwarding to a syslog server, you must: Enable log forwarding. From the global configuration mode context, enter: ProCurve(config)# logging forwarding on Specify the IP address of the syslog server: Syntax: logging forwarding receiver-ip <A.B.C.D>...

  • Page 229: Forwarding Logs To An Email Address

    (Syslog Facility: Keyword) system log: syslog; user process: user; UNIX-to-UNIX copy system: uucp. Specify the priority level for events that the router forwards to the syslog server: Syntax: logging forwarding priority-level [info | notice | warning | error | fatal] For example: ProCurve(config)# logging forwarding priority-level notice The priority level can be the same as or different than that for events...

  • Page 230

    To configure the router to forward event logs to an email address or addresses, you must: Enable log forwarding to an email address. Enter: ProCurve(config)# logging email on Specify the IP address of the email server. You can use either the IP address of the email server or the hostname: Syntax: logging email receiver-ip [<A.B.C.D>...

  • Page 231

    You can also specify what will appear in the From field of the email message by entering: Syntax: logging email sender <source> The message will simply consist of logs without any explanation, so the From field must give recipients enough information to know which device originated the logs.

  • Page 232

    Set the priority level for events logged to the router’s event history. Syntax: event-history priority [info | notice | warning | error | fatal] For example: ProCurve(config)# event-history priority info If so desired, change the timeouts for TCP and UDP and ICMP sessions: Syntax: ip policy-timeout [tcp | udp] all-ports <seconds>...

  • Page 233

    Applying Access Control to Router Interfaces. Contents: Access Control for Interfaces on the ProCurve Secure Router (5-3); Access Control Mechanisms (5-4); Using ACLs Alone to Configure Access Control ...

  • Page 234: Table Of Contents

    Contents: Configure ACPs (5-35); Action ...

  • Page 235: Access Control For Interfaces On The Procurve Secure Router

    Access Control for Interfaces on the ProCurve Secure Router In addition to blocking known cyber attacks with its stateful-inspection firewall, the ProCurve Secure Router OS can filter both inbound and outbound traffic, enabling you to control the traffic that enters and exits your corporate network.

  • Page 236: Access Control Mechanisms

    Table 5-1. Evaluating Traffic Patterns on Your WAN (Interface Usage / Traffic That Must Be Transmitted / Outgoing Traffic That Should Be Blocked / Incoming Traffic That Should Be Blocked): E1 1/1 and PPP 1 connection to...

  • Page 237

    ACPs also allow you to perform certain actions on traffic that ACLs do not. For example, you must use an ACP to configure Network Address Translation (NAT) on the ProCurve Secure Router.

  • Page 238: Configure Acls, Acl Entries, Using Acls Alone To Configure Access Control

    Using ACLs Alone to Configure Access Control When you use ACLs alone to configure access controls on router interfaces, you must complete two main steps: Configure the ACL. Apply the ACL directly to an interface.

  • Page 239: Types Of Acls

    For example, an ACL could include entries such as: deny host 192.168.115.91 deny host 192.168.44.53 permit 192.168.115.0 0.0.0.255 permit 192.168.44.0 0.0.0.255 The first two entries deny access to the devices with the IP addresses 192.168.115.91 and 192.168.44.53.

  • Page 240

    Figure 5-1 (figure: a standard ACL is applied to the PPP 1 interface; for traffic between the Internet and the servers, core switch, edge switches, and users behind the router, the question asked is whether the source address is permitted or denied).

  • Page 241: Creating An Acl, Creating A Standard Acl

    Creating an ACL To create an ACL, you enter the ip access-list command from the global configuration mode context: Syntax: ip access-list [standard | extended] <listname> Enter either the standard or extended option, depending on the type of ACL you are configuring, and replace <listname>...

  • Page 242

    For example, if you want to permit all traffic that enters through the Ethernet interface, you create a permit entry in the ACL: ProCurve(config-std-nacl)# permit any You can also permit or deny a specific host: ProCurve(config-std-nacl)# permit host <A.B.C.D>...

  • Page 243: Creating An Extended Acl

    As a general rule, you should specify the network address for the subnet you are using the wildcard bits to select. Adding the wildcard bits to the network address gives you the last address in the range.

  • Page 244

    Replace <listname> with an alphanumeric descriptor that is meaningful to you. The name is case sensitive. After you enter this command, you are moved to the extended ACL configuration mode context, as shown below: ProCurve(config-ext-nacl)# Permit or Deny Traffic.

  • Page 245

    To specify a source or destination address, you use the following syntax: [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>] Table 5-4 lists the options you have for specifying both the source address and the destination address.

  • Page 246

    Replace the second <A.B.C.D> with the IP address for the destination device. For example, if you want to block all traffic from the 192.168.1.0 /24 network to the server with the IP address 10.15.1.1, you would replace <A.B.C.D> with 10.15.1.1.

  • Page 247

    Table 5-5. Specifying Ports in Extended ACLs (Option: Meaning): eq <port number>: matches a specific port; gt <port number>: matches all ports that are a larger number than the port number you specify (not including the specified port); lt <port number>...

  • Page 248: Entry Order

    Enter the log-input option if you want the log to include the interface on which the matching packet was received. Entry Order The order in which you add entries to an ACL is important. The Secure Router OS processes entries one-by-one in the order in which they are listed.

  • Page 249: Adding A Descriptive Tag To An Acl

    (Figure: Router A and Router B connected by PPP 1; host 172.16.1.10 sits behind the core switch. Configuration shown: interface ppp 1; ip access-group WAN in; ip access-list standard WAN; deny host 192.168.115.91 (no match); deny host 192.168.44.53 (no match); permit 192.168.115.0 0.0.0.255 (no match)...)

  • Page 250: Editing An Existing Acl, Deleting An Existing Acl

    You and other network administrators can view this remark by entering one of the following commands from the enable mode context: ProCurve# show running-config ProCurve# show access-lists Figure 5-5 displays the output from the show access-lists command.

  • Page 251: Applying The Acl To An Interface

    Applying the ACL to an Interface After you configure an ACL, it will not control access to an interface until you apply it to one of the following: interface ... As discussed above, you can also apply an ACL to all FTP, HTTP, and Telnet traffic destined to the router.

  • Page 252: Selecting The Packet And Controlling The Action

    Selecting the Packet and Controlling the Action When you assign an ACL directly to an interface, the Secure Router OS uses it both to select traffic and to determine which action it should take on this traffic.

  • Page 253: Controlling Ftp, Http, And Telnet Access To The Router

    You may also want to create an ACL to control traffic to your company’s two Web servers: one is an Internet server, accessible to anyone on the Internet, and one is an intranet server, accessible only to company users.

  • Page 254: Restricting Ftp Access, Restricting Http Access

    Restricting FTP Access To control access to the FTP server on the router, you first create a standard ACL that permits the FTP traffic you want to access the router and denies the FTP traffic that you want to block.

  • Page 255: Restricting Telnet Access, Examples Of Applying Acls

    For example, if you wanted to apply an ACL called webaccess, you would enter: ProCurve(config)# ip http access-class webaccess in Restricting Telnet Access Restricting Telnet access to the router is similar to restricting access to an interface.

  • Page 256

    This section contains some sample ACLs to help you understand both the type of ACLs that may be required for your network and the way you configure them.

  • Page 257

    Permit Routing Updates. When you configure ACLs, remember that any traffic that you do not explicitly permit will match the implicit “deny any” entry at the end of the ACL. If you have configured a routing protocol and routing updates are being sent to a router interface, you should ensure that these routing updates are permitted by the ACL you assign to that interface.

  • Page 258: Enable The Firewall, Using Acps To Control Access To Router Interfaces

    Applying Access Control to Router Interfaces Using ACPs to Control Access to Router Interfaces Using ACPs to Control Access to Router Interfaces By themselves, ACLs have some limitations: you can assign only one ACL to each interface to control inbound traffic and one ACL to control outbound traffic.

  • Page 259

    If you do not enable the firewall, you can still configure ACPs. However, when you try to apply an ACP to an interface, the ProCurve Secure Router displays a message similar to the following: Firewall is disabled, access policy commands applied but not used Configure ACLs...

  • Page 260

    A standard ACL matches only one packet pattern: the source IP address. An extended ACL matches more complex packet patterns: source and destination address, and most fields in the IP, TCP, and UDP headers, including IP protocol and TCP or UDP source or destination port. You should create a standard ACL if you want to select traffic based only on the source IP address.

  • Page 261: Creating A Standard Acl, Creating An Acl

    [Figure 5-7 residue: diagram of server, router, Internet, core switch, edge switches, and user, with callouts: Is this source address permitted or denied? Is this destination address permitted or denied? Is this protocol and port permitted or denied?]

  • Page 262

    Using Permit and Deny Entries to Select Traffic. To create permit and deny entries for standard ACLs, you use the following command syntax: Syntax: [permit | deny] [any | host {<A.B.C.D> | <hostname>} | <A.B.C.D> <wildcard bits>] Table 5-7 lists the options for specifying the source address.

  • Page 263

    You can also omit the host keyword to select a specific IP address: ProCurve(config-std-nacl)# permit 192.168.115.80 ProCurve(config-std-nacl)# deny 192.168.115.80 Using Wildcard Bits. Finally, you can use wildcard bits to permit or deny a range of IP addresses.

  • Page 264

    Selecting the log Option. Include the log option if you want the Secure Router OS to log a message when these two conditions are met: debug access-list is enabled for this ACL, and a packet matches this ACL. Exit the ACL.

  • Page 265

    All of the command options are explained in the sections that follow. Specifying a Protocol. When you configure extended ACLs, you must specify a protocol. Valid protocols include: AH (ahp), ESP (esp), GRE (gre)

  • Page 266

    To exclude ICMP traffic from a range of IP addresses to a specific destination, enter: ProCurve(config-ext-nacl)# deny icmp <A.B.C.D> <wildcard bits> host <A.B.C.D> Specifying a Source or Destination Port for TCP and UDP. If you are configuring ACL entries to select TCP or UDP traffic, you can also specify source and destination ports—although this is optional.

  • Page 267: Configure Acps, Action

    To view a list of well-known ports, enter the help command after one of the port commands (such as eq, gt, or neq). The list of options is displayed in alphabetical order.

  • Page 268: Selector, Creating An Acp

    Each ACP contains an implicit “discard all” at the end. Packets are discarded if they do not match any ACL listed in the ACP. This chapter explains how to create entries that allow or discard packets. For information about NAT, see Chapter 6: Configuring Network Address Translation.

  • Page 269: Creating Entries In The Acp, Editing Acps, Deleting An Acp

    Creating Entries in the ACP From the policy class configuration mode context, you can begin to enter allow, discard, and NAT entries. To create an allow entry, enter: Syntax: allow list <listname>...

  • Page 270: Assigning The Acp To An Interface, Using The Reload Command

    Assigning the ACP to an Interface An ACP does not become active until you assign it to an interface (and enable the firewall). Then it affects only the incoming traffic on the interface to which it is assigned.

  • Page 271: Processing Acps

    For example, if you configure an ACP that blocks your Telnet access to the ProCurve Secure Router, you will lose your ability to manage the router through a Telnet session and must use another access method to correct your error.

  • Page 272

    When a packet enters an interface that has been assigned an ACP, the Secure Router OS firewall checks the first entry in the ACP. The firewall then reads the associated ACL to determine if the packet matches the IP address and any other fields that are specified.

  • Page 273

    [Figure residue: Subnet 192.168.1.0, PPP 1, PPP 2, Eth 0/1, Edge Switch, Router A, Router B; configuration shown on Router B: interface ppp 2 / ip address 10.1.1.1 255.255.255.252 / access-policy Private; ip access-list standard Group1 / permit host 192.168.1.10 log (no match)...]

  • Page 274: Acp Action Summary

    However, the action specified in the ACL is deny, and when an ACL is part of an ACP, deny means do not take the action specified in the ACP. The allow list MatchAll entry is the last in the ACP.

  • Page 275

    Table 5-10. Actions Based on ACP Configuration (ACL entry action: deny; ACP action: does not matter) Secure Router OS firewall: • does not take the specified action on the packet •...

  • Page 276: Traffic Flow Through Interfaces With Acps

    [Flowchart residue: packet in interface; process entries in ACP from top down; process entries in ACL from top down; allow or discard; another ACL in ACP?; drop packet; route lookup...]

  • Page 277: Does Not Have An Acp, Has A Different Acp

    Inbound Interface Has an ACP; Outbound Interface Does Not Have an ACP When you assign an ACP to an interface, the Secure Router OS firewall uses that ACP to filter inbound traffic—traffic arriving on the interface.

  • Page 278: Interface Has An Acp

    [Figure 5-13. Inside ACP Filters Incoming Traffic on an Ethernet Interface: router with an interface with the Inside ACP and an interface with the Outside ACP; traffic allowed by the Inside ACP; Outside ACP not used] However, if traffic arrives on the PPP 1 interface, the roles are reversed: the Secure Router OS firewall will use the Outside ACP to filter traffic.

  • Page 279: Traffic In And Out Through A Single Interface, Examples Of Acps

    [Figure 5-15. No ACP Applied to the Inbound Interface, so All Traffic Is Allowed: router with one interface without an ACP and one interface with an ACP; no ACP is applied] If you have enabled the firewall on the ProCurve Secure Router, it will still check this traffic for known attacks and block those attacks.

  • Page 280

    Block Telnet Traffic. To strengthen security on your WAN, you may want to deny any Telnet session that users attempt to establish with the ProCurve Secure Router. You must first create an extended ACL and give it a name, such as Telnet.

  • Page 281

    You may also want to permit Domain Name System (DNS) traffic on WAN interfaces that are connected to the Internet. To permit DNS traffic, enter: ProCurve(config-ext-nacl)# permit tcp any any eq domain You can then create an ACP, as shown below: ProCurve(config)# ip policy-class WAN ProCurve(config-policy-class)# allow list Internet...

  • Page 282

    When you are using ACLs with ACPs, remember that you must use a permit entry to both select traffic and to have the Secure Router OS firewall take the action configured in the ACP.

  • Page 283: Viewing Acls And Acps, Displaying Acls

    Applying Access Control to Router Interfaces Viewing ACLs and ACPs Viewing ACLs and ACPs Table 5-11 lists the show commands that you can use to view and troubleshoot ACLs and ACPs. Table 5-11. show Commands for ACLs and ACPs (Command / Explanation): show access-lists displays all of the ACLs configured on the ProCurve Secure...

  • Page 284: Displaying Acps

    As Figure 5-16 shows, this command lists the following information for each ACL: the type of ACL (standard or extended), all entries in the ACL, and the number of packets matched to each entry. ProCurve# show access-lists Extended IP access list Internet permit tcp any...

  • Page 285: Viewing Access Policy Sessions

    ProCurve# show ip policy-class Policy-class "Inside": Entry 1 - allow list MatchAll Policy-class "Outside": Entry 1 - allow list Region Entry 2 - allow list InWeb Entry 3 - discard list MatchAll Figure 5-17.

  • Page 286: Viewing Access Policy Statistics

    If the traffic has been manipulated using NAT, the NAT IP address and port are also listed. Figure 5-18 illustrates a sample display of sessions. ProCurve# show ip policy-sessions Src IP Address Src Port Dest IP Address Dst Port...

  • Page 287

    See Figure 5-19 for a sample display. ProCurve# show ip policy-stats Global 0 current sessions (255300 max) Policy-class "Inside": 121 current sessions (85100 max) Entry 1 - allow list MatchAll 1424221 in bytes, 14222323 out bytes, 123 hits Policy-class "Outside": 554 current sessions (85100 max)

  • Page 288: Troubleshooting, Show Commands, Monitoring Packets Matched To An Acp, Clearing Existing Policy Sessions

    Applying Access Control to Router Interfaces Troubleshooting Troubleshooting show Commands In addition to using show commands to view information about ACLs and ACPs and to verify that your configuration is correct, you can use these commands for troubleshooting. For example, suppose that several users call you, complaining that they cannot send traffic to a remote site.

  • Page 289

    You can also clear a particular policy session. For example, if you enter the show ip policy-sessions command and determine that an existing session should be terminated, you can use one of the following commands: Syntax: clear ip policy-sessions <policyname>...

  • Page 290: Clear Acl Counters

    Src IP Address Src Port Dest IP Address Dst Port NAT IP Address NAT Port ---------------- --------- -------------- -------- --------------- ------- Policy class "Inside": tcp (80) 192.168.20.1 2001 172.16.1.1 d 10.10.3.10 Policy class "Outside": tcp (20) 192.168.100.99 1908...

  • Page 291: Debug Acls

    Debug ACLs You can debug events associated with a particular ACL. From the enable mode context, enter: Syntax: debug access-list <listname> Replace <listname> with the name of the ACL you want to debug. For example, if you want to debug the Inside ACL, enter: ProCurve# debug access-list Inside To end the debug, enter one of the following commands:...

  • Page 292: Enabling The Built-in Firewall, Quick Start

    Applying Access Control to Router Interfaces Quick Start Quick Start This section provides the commands you will need to quickly configure and apply access controls to interfaces on the ProCurve Secure Router. There are two access control mechanisms on the ProCurve Secure Router: access control lists (ACLs) and access control policies (ACPs). ACLs can be used alone or in combination with ACPs.

  • Page 293: Configuring An Acl And Applying It Directly To An Interface

    Configuring an ACL and Applying It Directly to an Interface This section explains how to use ACLs by themselves to enforce access control on particular interfaces. If you use ACLs in this way, you can apply two ACLs to each interface: one ACL to control incoming traffic and one ACL to control outgoing traffic.

  • Page 294

    To permit or deny a specific host, use the host keyword. For example, enter: ProCurve(config-std-nacl)# deny host 192.168.115.90 b. If you are configuring an extended ACL, enter: Syntax: permit | deny <protocol> <source address> <source port> <destination address>...

  • Page 295: Configuring Acps

    Valid interfaces include PPP interfaces, Frame Relay subinterfaces, ATM subinterfaces, HDLC interfaces, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACL to an Ethernet subinterface.) Apply the ACL to the interface by entering the following command from the appropriate interface configuration mode context: Syntax: ip access-group <listname>...

  • Page 296

    When an ACL is used in conjunction with an ACP, a permit entry means that the traffic defined by the packet pattern is selected for the action specified in the ACP. A deny entry, on the other hand, means that the traffic is excluded from the action specified in the ACP.

  • Page 297

    To exclude a specific host from the action that you will specify in the ACP, enter: ProCurve(config-std-nacl)# deny host 192.168.115.90 b. If you are configuring an extended ACL, enter: Syntax: permit | deny <protocol> <source address> <source port> <destination address>...

  • Page 298

    From the global configuration mode context, enter the following command to create an ACP: Syntax: ip policy-class <policyname> Replace <policyname> with a unique name that is a maximum of 255 alphanumeric characters. You are moved to the policy class configuration mode context.

  • Page 299

    Configuring Network Address Translation Contents: NAT Services on the ProCurve Secure Router 6-2; Many-to-One NAT for Outbound Traffic 6-2; Using NAT with PAT...

  • Page 300: Nat Services On The Procurve Secure Router, Many-to-one Nat For Outbound Traffic

    Configuring Network Address Translation NAT Services on the ProCurve Secure Router NAT Services on the ProCurve Secure Router When you enable the ProCurve Secure Router OS firewall, you can configure it to perform Network Address Translation (NAT) on traffic exchanged between the internal, trusted network and the untrusted, public network.

  • Page 301: Using Nat With Pat

    [Figure residue: users 192.168.115.1, 192.168.115.2, 192.168.115.3 and 192.168.1.10, 192.168.1.11, 192.168.1.12 behind edge switches, a core switch, the router, and the Internet; callouts: NAT all private IP addresses to one IP address such as 10.1.1.1; source address of all packets is now 10.1.1.1...]

  • Page 302

    Table 6-1. Information Recorded in a Port-Mapping Table for a Sample Network (columns: Private IP Address, Translated Public IP Address, Translated Port, Destination IP Address, Destination Port): 192.168.1.10 | 10.1.1.1 | 4000 | 10.20.1.1 | ...; 192.168.1.11 | 10.1.1.1 | ...

  • Page 303: One-to-one Nat For Inbound Traffic

    One-to-One NAT for Inbound Traffic The Secure Router OS firewall performs one-to-one NAT on inbound traffic— traffic being transmitted from the outside, public network to a device on the internal, trusted network.

  • Page 304: One-to-one Nat With Port Translation

    [Figure residue: 1) Internet user sends request to Web server at 10.10.10.1; 2) NAT destination address on incoming requests for Web server to 192.168.1.2; edge switches, core switch, ProCurve Secure Router, Internet, server...]

  • Page 305

    translates the public IP address to the private IP address, it can also perform port translation, assigning the traffic to the particular port used by the internal device. (See Figure 6-4.) [Figure 6-4 residue: 1a) Internet user sends...; 1b) NAT destination...]

  • Page 306: Configuring Nat, Enabling The Firewall, Configuring An Acl

    Configuring Network Address Translation Configuring NAT Configuring NAT Configuring NAT is a four-step process, the same steps required to configure an access control policy (ACP): enable the firewall on the ProCurve Secure Router; configure at least one access control list (ACL); configure the ACP; and assign the ACP to specific interfaces.

  • Pag