   Summary of Contents for HP ProCurve 7000dl Series

  • Page 1

    Basic Management and Configuration Guide ProCurve Secure Router 7000dl www.procurve.com...

  • Page 3: Procurve Secure Router

    ProCurve Secure Router 7000dl Series November 2006 J06_03 Basic Management and Configuration Guide...

  • Page 4

    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED without the prior written consent of Hewlett-Packard. WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential Publication Number damages in connection with the furnishing, performance, or use of this material.

  • Page 5: Table Of Contents

    Contents 1 Overview Contents ............1-1 Using This Guide .

  • Page 6: Table Of Contents, Commands Available In The Basic, Enable, Or Global

    LEDs for Slots 1 and 2 ........1-24 Status LEDs .

  • Page 7: Table Of Contents

    Basic Mode Commands ........1-39 Clear .

  • Page 8: Table Of Contents

    Help Tools ........... . 1-65 CLI Help Commands .

  • Page 9: Table Of Contents

    2 Controlling Management Access to the ProCurve Secure Router Contents ............2-1 Securing Management Access to the ProCurve Secure Router .

  • Page 10: Table Of Contents, Create A Named List To Track New Connections Or

    Configuring AAA Accounting ....... . . 2-27 Creating a Named List to Track When Users Access the Basic or Enable Mode Context .

  • Page 11: Table Of Contents, Specifying Which Snmp Server Receives The Router's

    Configuring SNMP Groups and Users ......2-56 Create an SNMP Group ........2-56 Configure SNMP Users .

  • Page 12: Table Of Contents, Configuring The Ethernet Interface As An Unnumbered

    3 Configuring Ethernet Interfaces Contents ............3-1 Ethernet Interfaces .

  • Page 13: Table Of Contents

    4 Configuring E1 and T1 Interfaces Contents ............4-1 Overview of E1 and T1 WAN Connections .

  • Page 14: Table Of Contents

    5 Configuring Serial Interfaces for E1- and T1-Carrier Lines Contents ............5-1 Using the Serial Module for E1- or T1-Carrier Lines .

  • Page 15: Table Of Contents

    6 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Contents ............6-1 Configuring the Logical Interface .

  • Page 16: Table Of Contents

    Configuring HDLC as the Data Link Layer Protocol ....6-40 Create the HDLC Interface ....... 6-40 Activate the HDLC Interface .

  • Page 17: Table Of Contents, Adsl Wan Connections

    7 ADSL WAN Connections Contents ............7-1 ADSL Overview .

  • Page 18: Table Of Contents

    PPPoE Overview ..........7-29 Two Phases for Establishing a PPPoE Session .

  • Page 19: Table Of Contents

    Quick Start ........... 7-55 Configure the Physical Layer: the ADSL Interface .

  • Page 20: Table Of Contents

    Configuring the Demand Interface ......8-22 Creating the Demand Interface ......8-23 Configuring an IP Address .

  • Page 21: Table Of Contents

    Configuring PPP Authentication for an ISDN Connection ..8-53 Enabling PPP Authentication for All Demand Interfaces ..8-54 Configuring PAP Authentication for a Demand Interface ..8-54 Configuring CHAP Authentication for a Demand Interface .

  • Page 22: Table Of Contents

    9 Configuring the E1 + G.703 and T1 + DSX-1 Modules Contents ............9-1 Using an E1- or T1-Carrier Line for Data and Voice .

  • Page 23: Table Of Contents

    Troubleshooting the DSX-1 Interface ......9-21 Alarms or Errors That Will Not Clear ..... . 9-21 Yellow Alarm .

  • Page 24: Table Of Contents

    Configuring RSTP ......... 10-17 Determining Which Device Becomes Root: Setting the Router’s Priority .

  • Page 25: Table Of Contents, Domain Name System (dns) Services

    Configuring Static Routes ........11-13 Overview .

  • Page 26: Table Of Contents, Configuring A Dynamic Dns Client On A Procurve Secure

    Configuring DNS ..........12-8 Enabling DNS .

  • Page 27: Table Of Contents

    Creating a DHCP Pool ........13-7 Specifying the Network Address and Subnet Mask .

  • Page 28: Table Of Contents

    14 Using the Web Browser Interface for Basic Configuration Tasks Contents ............14-1 Configuring Access to the Web Browser Interface .

  • Page 29: Table Of Contents, Configuring The Local Router To Authenticate Itself To

    IP Settings ..........14-47 Dynamic DNS .

  • Page 30: Table Of Contents, Assigning An Isdn Group Or Bri Interface To The

    Configuring ADSL Interfaces ........14-78 Configure an ATM Interface ....... . 14-80 Configure the ATM Subinterface .

  • Page 31: Table Of Contents

    DNS Services ..........14-121 Configuring DNS Support .

  • Page 32

    xxviii...

  • Page 33: Contents

    Overview Contents Using This Guide ..........1-5 Understanding Command Syntax Statements .

  • Page 34: Table Of Contents

    Overview Contents LEDs for Slots 1 and 2 ........1-24 Status LEDs .

  • Page 35

    Overview Contents Terminal ..........1-43 Wall .

  • Page 36

    Overview Contents Managing Configuration Files Using a Text Editor ....1-75 Creating and Transferring Configuration Files ....1-77 Configuration File Transfer Using the Console Port .

  • Page 37: Using This Guide, Understanding Command Syntax Statements

    Overview Using This Guide Using This Guide The ProCurve Secure Router Basic Management and Configuration Guide describes how to use the ProCurve Secure Router 7000dl Series in a network environment. Specifically, it focuses on two router models: ProCurve Secure Router 7102dl ProCurve Secure Router 7203dl This guide describes how to use the command line interface (CLI) and the Web browser interface to configure, manage, monitor, and troubleshoot basic...

  • Page 38: Cli Prompt

    Overview Using This Guide Square brackets ( [ ] ) are used in two ways: • They enclose a set of options. When entering the command, you select one option from the set. For example, in the second command shown above, you would enter any or host <A.B.C.D>...

  • Page 39: Ip Address Notation Convention, Quick Start Sections, Obtaining Additional Information

    Overview Using This Guide IP Address Notation Convention You must sometimes enter an IP address or addresses as part of a command. For example, you might need to assign an IP address to a logical interface on the ProCurve Secure Router, or you might need to enter an IP address to be filtered by an ACL.

  • Page 40: Downloading Software Updates

    Overview Using This Guide When the document file opens, click the disk icon in the Acrobat® toolbar and save a copy of the file. You will need the Adobe Acrobat Reader to view the documentation that you have saved. Click Product Manuals Figure 1-1.

  • Page 41

    Overview Using This Guide Step 2 Step 3 Figure 1-2. Downloading Software Updates Release notes are included with the software updates and provide information about: new features and how to configure and use them software management, including downloading the new software to the router software fixes addressed in current and previous releases...

  • Page 42: Interface Management Options, Web Browser Interface

    Overview Interface Management Options Interface Management Options The ProCurve Secure Router includes two management interfaces: the command line interface (CLI) the Web browser interface The router also supports Simple Network Management Protocol (SNMP), which allows you to manage it through an SNMP management console. (For more information about SNMP support, see Chapter 2: Controlling Management Access to the ProCurve Secure Router.) To initially access the CLI, connect the COM port on your workstation to the...

  • Page 43: Accessing The Web Browser Interface

    Overview Interface Management Options Figure 1-3. Configuring ACPs Using the Web Browser Interface Accessing the Web Browser Interface To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router.

  • Page 44: Using The Procurve Web Browser Interface

    Overview Interface Management Options Using the ProCurve Web Browser Interface The ProCurve Web browser interface is organized into the following sections: System Router/Bridge Network Monitor Firewall Utilities The System section of the interface contains general router functions. In this section, you can: configure WAN and LAN connections configure IP services enable the Dynamic Host Configuration Protocol (DHCP) and Domain...

  • Page 45

    Overview Interface Management Options The VPN section includes a wizard that simplifies the process of configuring an IPSec-compliant VPN. The VPN section eliminates the difficulty of remembering the many commands necessary for configuring a VPN in the CLI. The VPN section only appears in the Web browser interface if you have installed an optional IPSec encryption module in the rear panel of your router.

  • Page 46: Hardware Overview, Procurve Secure Router Front Panel, Console Port

    Overview Hardware Overview Hardware Overview This section provides a brief overview of external features, slots, and modules on the ProCurve Secure Router 7000dl Series. The ProCurve Secure Router 7000dl Series includes two models: the ProCurve Secure Router 7102dl and the ProCurve Secure Router 7203dl. Both models include two narrow module slots.

  • Page 47: Ethernet Ports, Slots

    Overview Hardware Overview Ethernet Ports Because the two Ethernet ports are not modular, they are assigned a fixed slot and port number. For interface notation purposes, these ports are labeled Eth 0/1 and Eth 0/2. (See Figure 1-5.) Eth 0/1 Eth 0/2 Figure 1-5.

  • Page 48: E1 And T1 Modules

    Overview Hardware Overview Each slot can house one of the ten narrow modules available for WAN connections. (See Table 1-1.) Table 1-1. Narrow Slot Modules Module Type of Module Explanation E1 modules: E1 module with integrated DSU supports E1-carrier lines when the service provider does not provide an external DSU •...

  • Page 49

    Overview Hardware Overview Note: Japan uses J-carrier lines for voice and both T-carrier and E-carrier lines for data. J-carrier lines are not supported by the ProCurve Secure Router. The type of module you purchase to support your E1 or T1 WAN connection depends on how your public carrier implements the Channel Service Unit/ Digital Service Unit (CSU/DSU) that is required for E1- and T1-carrier lines.

  • Page 50

    Overview Hardware Overview T1 Modules. If you are leasing a T1-carrier line and the public carrier does not provide a CSU/DSU, you will need to purchase one of the three narrow slot T1 modules, which include a built-in CSU/DSU. (See Figure 1-8.) Select: a one-port T1 module, which supports a full T1-carrier line (24 channels or 1.544 Mbps) a two-port T1 module, which provides 1.544 Mbps on each interface (3.088...

  • Page 51: Isdn Module, Backup Modules

    Overview Hardware Overview Figure 1-10. ADSL Modules ISDN Module The two-port ISDN module provides two Basic Rate Interface (BRI) lines for dial-up connections. Each ISDN BRI line can deliver a maximum bandwidth of 128 Kbps. (See Figure 1-11.) The S/T interface module is most often used outside North America.

  • Page 52: Wide-slot Option Modules

    Overview Hardware Overview Note: Backup ISDN call bonding is currently a ProCurve proprietary technology. If you bond your BRI backup call, your router can only place the call to another ProCurve Secure Router. With the ProCurve Secure Router, it is not necessary to devote an entire module slot for a backup connection.

  • Page 53

    Overview Hardware Overview E1/T1 Toggle Switch Figure 1-13. E1/T1 Toggle Switch Note: Although the ProCurve Secure Router 7203dl can support up to 12 E1 or T1 lines, the router supports full throughput for up to 8 E1 or T1 lines. You can configure each of the eight ports independently with separate clock sources, frame formats, and other specifications.

  • Page 54: Interface Numbering Conventions

    Overview Hardware Overview Figure 1-15. The Eight-port T1/E1 Serial Module Interface Numbering Conventions When configuring a WAN connection, you will need to specify the slot and port of the physical interface that is providing the connection. The syntax for specifying a physical interface is <interface> <slot>/<port>. Replace <interface>...

  • Page 55: Status Leds, Power Led, Fault Led

    Overview Hardware Overview Status LEDs ProCurve Secure Routers feature LEDs on the front panel to provide information about the condition of the router itself and of the modules you have installed. This section describes how to interpret these LEDs. Power LED The power LED indicates the router’s power status.

  • Page 56

    Overview Hardware Overview LEDs for Slots 1 and 2 Both the ProCurve Secure Router 7102dl and 7203dl have two columns of LEDs that report information about the modules installed in the narrow slots. As you would expect, column 1 reports information about the module in slot 1, and column 2 reports information about the module in slot 2.

  • Page 57: Backup Leds, Tx And Rx Leds, Slot 3 Leds

    Overview Hardware Overview Backup LEDs The second LED in each column reports the status of the backup module, if a backup module is installed. The LED in the first column corresponds to the backup module in slot one, and the LED in the second column corresponds to the module in slot two.

  • Page 58: Status Led, Activity Led, Test Led, Ethernet And Activity Leds

    Overview Hardware Overview Slot 3 LEDs Figure 1-18. On the ProCurve Secure Router 7203dl, the Third Column LEDs Report on the Wide Module. Status LED The first LED reports on the status of the wide module, indicating whether the wide module is installed and functional. No light—The module has not been installed, or none of the interface ports have been activated.

  • Page 59: Activity Leds, Link Leds, Rear Panel, Optional Ipsec Vpn Module

    Overview Hardware Overview Link LED Activity LED Figure 1-19. LEDs for Ethernet Interfaces Activity LEDs Activity LEDs signal data transfer between the LAN and the router. No light—The Ethernet connection is inactive. Flashing yellow—The link is currently transmitting or receiving data. Link LEDs Link LEDs signal whether or not the router recognizes a valid connection to a LAN.

  • Page 60: Compact Flash Card

    Overview Hardware Overview Slot for the IPSec VPN module Figure 1-20. IPSec VPN Module To protect your network from security breaches through the Internet, the ProCurve Secure Router establishes secure VPN tunnels using the industry-standard IP Security (IPSec) protocol. The IPSec VPN module enables the software that supports the IPSec protocols and relieves the CPU of the overhead associated with processing the encryption algorithms.

  • Page 61: Redundant Power Source, Memory

    Overview Hardware Overview Compact flash slot Figure 1-21. Compact Flash Slot on Rear Panel of the ProCurve Secure Router Redundant Power Source The RPS outlet on the back panel of the ProCurve Secure Router 7203dl provides increased router reliability for mission-critical applications. (See Figure 1-22.) The RPS slot can be used with the ProCurve 600 Redundant External Power Supply.

  • Page 62: Software Overview, Bootup Process

    Overview Software Overview Software Overview To manage your ProCurve Secure Router, you must understand basic router operations, including how the router uses: Secure Router OS boot code Secure Router OS the startup-config the running-config Further, you must understand how the Secure Router OS is organized so that you can properly configure the router and enable safeguards to protect the router from unauthorized access.

  • Page 63

    Overview Software Overview The boot process begins when you power up the ProCurve Secure Router or manually reload it. It proceeds as follows: The router first loads the Secure Router OS boot code. The router then searches compact flash for the SROS.BIZ file, which contains the Secure Router OS.

  • Page 64: Advantages Of Booting From Compact Flash

    Overview Software Overview Figure 1-23 summarizes the boot process. ProCurve Secure Router Router loads the boot software (J0X_0X-boot.biz) from internal flash Checks compact flash (cflash) for SROS.BIZ compact flash internal flash Router boots in SROS.BIZ SROS.BIZ bootstrap mode Router boots using startup-config startup-config default settings...

  • Page 65: Boot The Router, Saving Configuration Changes

    Overview Software Overview Setting Up a Compact Flash Card from Which to Boot the Router Newly shipped ProCurve Secure routers have an internal flash that contains two Secure Router OS files: J0X_0X.biz SROS.BIZ The SROS.BIZ and J0X_0X.biz files are identical. The J0X_0X.biz file reflects the version number of the software, such as J06_03.biz.

  • Page 66: Autosynch™ Technology, Secure Router Os Hierarchy

    Overview Software Overview When the command is entered, the ProCurve Secure Router first tries to save these changes to a startup-config file on compact flash. If no compact flash card is inserted into the slot on the back panel, the router saves the changes to the startup-config file that is stored in internal flash.

  • Page 67

    Overview Software Overview This section introduces the different mode contexts and describes the types of commands you can enter in each one. (See Figure 1-24.) Session now available Press to get started Return Return Basic mode context ProCurve> enable Security modes ProCurve# Enable mode context configure terminal...

  • Page 68: Basic Mode, Enable Mode

    Overview Software Overview Basic Mode The basic mode allows restricted access to the router, providing only a limited number of commands. From this mode, you can view basic system information, verify some processes, and enter traceroute and ping commands. You do not have access to any of the options that allow you to configure the router.

  • Page 69: Global Configuration Mode

    Overview Software Overview Global Configuration Mode From the global configuration mode, you can make configuration changes that apply to the entire router and all interfaces. You can configure the system’s global parameters, such as the hostname, passwords, and banners. You can also set parameters for IP services such as DHCP and DNS.

  • Page 70

    Overview Software Overview Router. You can configure dynamic routing protocols from the router configuration mode contexts. There are four router configuration modes: BGP, RIP, PIM-Sparse, and OSPF. To configure these protocols, move to the global configuration mode context and use this command: Syntax: router [bgp | ospf | pim-sparse | rip] For example, to configure RIP, enter: ProCurve(config)# router rip...

  • Page 71: Configuration Mode Contexts, Basic Mode Commands, Clear, Enable

    Overview Software Overview Commands Available in the Basic, Enable, or Global Configuration Mode Contexts The ProCurve Secure Router OS permits you to use certain commands only in specific modes. When you are managing the ProCurve Secure Router and you try to use a command that is not supported from the current mode context, you will receive an error message.

  • Page 72: Logout, Ping

    Overview Software Overview Logout Exit the current CLI session and return to the login screen. Syntax: logout Ping Send an ICMP echo to a specified destination. To send a default ping of 5 echoes, enter: Syntax: ping [<A.B.C.D > | <domain name>] When you begin sending ICMP echoes, the router displays a legend to describe the types of responses the router receives.

  • Page 73: Show

    Overview Software Overview If you enter for the verbose option in the extended commands, the output reports the result of each ping with a description of the datagram size and the echo’s round-trip time. For example: Reply from 1.1.1.1: bytes = 100 time = 4 ms If you need to halt a ping operation, press Ctrl+C Note...

  • Page 74: Telnet, Traceroute

    Overview Software Overview Option Result show isdn-group [<interface number>] lists the ISDN group configurations and member interfaces show lldp [<cr> | device <name> | interface <interface ID> | displays LLDP settings and information, including <neighbors>] information on specific neighbors show memory heap [realtime] displays statistics for the router memory, including how much has been used and how much is available show modules...

  • Page 75: Terminal, Wall, Enable Mode Commands

    Overview Software Overview Similar to the ping command, you can set extended options for tracing a route by entering traceroute and pressing without specifying the destination Enter address. Options include the source address at which the trace begins and the maximum number of hops.

  • Page 76: Clear

    Overview Software Overview Clear The enable mode context expands the options for the clear command. To view these options, enter: Syntax: clear ? Table 1-4 lists the clear command options available in the enable mode context. Table 1-4. Enable Mode Context clear Commands Option Result clear access-list...

  • Page 77: Clock

    Overview Software Overview Some examples of clear commands include the following: Syntax: clear ip policy-sessions This command clears all sessions established using the ACPs applied to router interfaces. Syntax: clear ip route [** | <A.B.C.D>] The ** option clears all routes learned through a routing protocol. Static routes are not affected.

  • Page 78: Configure, Copy

    Overview Software Overview Configure There are four options to this command: memory, network, overwrite- network, and terminal. The configure memory, configure network, and configure overwrite-network commands allow you to retrieve and apply a configuration file by saving the file as the router’s running-config. Using this command causes your router to immediately begin using the specified configuration without rebooting the router.

  • Page 79

    Overview Software Overview To save configuration changes while using the CLI, enter: Syntax: copy running-config [<destination location> <destination filename> | <config-file>] ProCurve# copy running-config startup-config Verify that the Done. Success! message is displayed, indicating that the copy process is complete. Table 1-5.

  • Page 80

    Overview Software Overview Verify that the Percent Complete 100% message is displayed, indicating that the download is complete. The current configuration is now saved in compact flash with the specified filename. To save a configuration as a file on internal flash, enter the following from the enable mode context: ProCurve# copy <source file location>...

  • Page 81: Debug

    Overview Software Overview Debug Entering debug will display debug messages as packets arrive on the router. Debugging is useful when troubleshooting or testing your router’s operation. The Secure Router OS provides many debug commands, including options for most protocols and processes run on the router. For a list of debug commands, go to the enable mode context and enter: ProCurve# debug ? For example, you could debug the establishment of a PPP connection:...

  • Page 82: Disable, Erase

    Overview Software Overview Disable To leave the enable mode context, type disable. The Secure Router OS will return you to basic mode context. Erase The erase command is a file management command. Table 1-6 shows the erase command options. Syntax: erase [{cflash | flash} <filename> | startup-config | file-system cflash] Table 1-6.

  • Page 83: Events, Reload, Show

    Overview Software Overview Events The events command enables the Secure Router OS to display a notice to the CLI whenever an event occurs. This command is useful for troubleshooting, because it lets you immediately determine whether a connection is up and working properly.

  • Page 84

    Overview Software Overview Option Result show configuration shows the startup configuration show connections lists all logical interface binds show crypto [ca | ike | ipsec | map] shows certificates and VPN configurations, such as IKE policies, transform sets, and crypto maps show debugging displays the active debugging switches show demand...

  • Page 85

    Overview Software Overview Option Result show modules gives information on the router’s modules, including the type of module in each slot and the number of ports in each module show output-startup lists the startup-config error log show port-auth supplicant [interface <interface ID> | displays port authentication information summary] show pppoe...

  • Page 86

    Overview Software Overview The show running-config command can be particularly useful for troubleshooting problems. To help you troubleshoot more efficiently, the command includes options that allow you to view the settings for a particular router feature. For example, you can view the settings entered for a particular interface.

  • Page 87

    Overview Software Overview show running-config Options Description track Displays settings for the network monitoring tracks you have configured on the router. verbose Displays the default settings and the settings you have configured. You can use this option with any other option listed for the show running-config command.

  • Page 88

    Overview Software Overview Interval 74 Performance Statistics: 0 Errored Seconds, 0 Bursty Errored Seconds 0 Severely Errored Seconds, 0 Severely Errored Frame Seconds 0 Unavailable Seconds, 0 Path Code Violations 0 Line Code Violations, 0 Controlled Slip Seconds 0 Line Errored Seconds, 0 Degraded Minutes Interval 75 Performance Statistics: 0 Errored Seconds, 0 Bursty Errored Seconds 0 Severely Errored Seconds, 0 Severely Errored Frame Seconds...

  • Page 89: Undebug, Write

    Overview Software Overview -------------------------------------------------------------------- t1 1/1 is UP Receiver has no alarms T1 coding is B8ZS, framing is ESF Clock source is through t1 1/2, FDL type is ANSI Line build-out is 0dB No remote loopbacks, No network loopbacks Acceptance of remote loopback requests enabled Tx Alarm Enable: rai Last clearing of counters never loss of frame...

  • Page 90: Show Tech

    Overview Software Overview to the compact flash card, if present, as startup-config. Otherwise the running-config will be saved as startup-config on the router’s internal flash. write erase. This command erases the startup-config. If you have a compact flash card, the startup-config is erased from cflash. If you are running the AutoSynch feature, this command erases startup-config from both flash and compact flash.

  • Page 91

    Overview Software Overview show dial-backup interfaces show dialin show frame-relay lmi show frame-relay pvc show ip bgp neighbors show ip bgp neighbor summary show ip ospf neighbor show ip ospf neighbor summary-add show ip route show bridge show spanning-tree show ip interfaces show connections show arp show ip traffic...

  • Page 92: Updating The Boot Code

    Overview Software Overview Updating the Boot Code When applying a new boot configuration file, enter boot as the destination of a copy command. This command copies a file to the boot sector. For example, if you are upgrading from J05.biz to J06_03.biz, you might enter: ProCurve# copy flash J06_03-boot.biz boot The resulting text explains that other router tasks will be halted while the boot code is upgraded.

  • Page 93: Global Configuration Mode Commands, Hostname Command, Autosynch Command

    Overview Software Overview Global Configuration Mode Commands From enable mode, access the global configuration mode context by entering configure terminal. It is from this mode context that you enter the commands to configure the router; most of the commands in the global configuration mode context are discussed in the various chapters included in this guide.

  • Page 94: Safemode

    Overview Software Overview SafeMode SafeMode is a CLI feature that allows you to perform configuration changes without the fear of being disconnected from a Telnet or SSH session. Some configuration changes can interrupt network connectivity. If you are managing a router remotely via SSH or Telnet, you can inadvertently lose your connection to the router.

  • Page 95

    Overview Software Overview Enabling SafeMode. To enable SafeMode, access the global configuration mode context and enter: Syntax: safe-mode [<reload time> <threshold time>] For example: ProCurve(config)# safe-mode 600 500 ProCurve(safe-config)# Set the <reload time> to the number of seconds to countdown until the router reboots.

  • Page 96

    Overview Software Overview When you activate SafeMode, or when you leave and re-enter the configuration mode context while SafeMode is enabled, the reload timer is activated and a message is displayed in the CLI: SAFEMODE: SafeMode enabled. Reboot in <n> seconds! After SafeMode is enabled, you or any other CLI user can reset the timer by entering You can reset the timer at any time, as often as you need to...

  • Page 97: Help Tools, Cli Help Commands, Editing Commands

    Overview Help Tools Help Tools The Secure Router OS features help tools, editing functions, and global commands to help you navigate through the Secure Router OS and configure and maintain your WAN. CLI Help Commands You can enter the character to display the available command syntax for any command in the CLI.

  • Page 98

    Overview Help Tools Table 1-9. Keystrokes for Moving Around the CLI (Editing Command: Action). Ctrl+P or up arrow: recall the most recent command; Ctrl+A: move to the beginning of the line (Home); Ctrl+E: move to the end of the line (End); Ctrl+F or right arrow: move forward one character; Ctrl+B or left arrow...

  • Page 99: Exit, Bootstrap Mode Context

    Overview Help Tools In the enable and configuration mode contexts, typing the word no before a command negates that command. For example, if you want to stop event notices from displaying to the CLI screen, enter no events. If you need to execute an enable mode command from a configuration mode context, type do before you enter the command.

  • Page 100

    Overview Help Tools The ProCurve Secure Router automatically enters the bootstrap mode context if it cannot locate a valid Secure Router OS or if the Secure Router OS has been corrupted. You can also access the bootstrap mode by pressing during the first five seconds of the startup process.

  • Page 101

    Overview Help Tools After you configure the boot software settings, enter reload or boot to reboot the server. Use the boot [cflash | flash] <filename> option to immediately boot the router using the specified file. To set the backup boot code, replace <backup filename>...

  • Page 102

    Overview Help Tools Copy the Secure Router OS software from a TFTP server by entering: bootstrap# copy tftp flash Address of remote host? <A.B.C.D> Source of filename? J06_03.biz Destination filename? J06_03.biz You can also copy the Secure Router OS software from a compact flash card.

  • Page 103: Troubleshooting, Compact Flash, Autosynch™ Error Messages

    Overview Troubleshooting Troubleshooting Compact Flash Compact flash performance can vary greatly between vendors. If there seems to be a delay when the ProCurve Secure Router saves changes to the compact flash card, the Secure Router OS is still functioning, though at times it may seem to be in a suspended state.

  • Page 104

    Overview Troubleshooting Table 1-10. AutoSynch™ Error Messages (Error Message: Action). compact flash removed: Make sure the compact flash card is firmly mounted in the compact flash slot; CFLASH startup-config does not exist: From the enable mode context, enter write memory; CFLASH SROS.BIZ does not exist: From the enable mode context, enter copy fl SROS.BIZ cfl...

  • Page 105: Using The Reload In Command

    Overview Troubleshooting Caution: Be very careful doing any kind of file management with the startup-config and SROS.BIZ files while the autosynch command is enabled. If you erase either the startup-config file or SROS.BIZ file from compact flash, the file will also be erased from the internal flash.

  • Page 106

    Overview Troubleshooting The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no. If you are getting ready to make the configurations to be tested and want to save previous configurations, reply yes.

  • Page 107: Managing Configuration Files Using A Text Editor

    Overview Managing Configuration Files Using a Text Editor Managing Configuration Files Using a Text Editor Configuration files can be adjusted to each router’s needs using your computer’s text editor. This allows you to set up a configuration on one router, save it to a file, and edit it for installation on another router.

  • Page 108

    Overview Managing Configuration Files Using a Text Editor Figure 1-30. Boot Error Messages The error messages in Figure 1-30 were displayed during bootup. In this particular case, the startup-config file has VPNs configured, and the router that is booting does not have the IPSec VPN module that enables these commands.

  • Page 109: Creating And Transferring Configuration Files

    Overview Managing Configuration Files Using a Text Editor Error location Resulting message Figure 1-31. Using Boot Error Messages to Target a Configuration Problem The line number given in the error message is the line number in the running- config. You can use this information to locate and repair any configuration problems.

  • Page 110: Configuration File Transfer Using The Console Port

    Overview Managing Configuration Files Using a Text Editor If you do not want the base router to use the base configuration, you should save the base configuration as a .cfg or .txt file. From the enable mode context, enter: ProCurve# copy flash running-config <destination location> <destination filename> If you entered write memory and are running the AutoSynch function, the configuration is saved as the startup-config file on the flash and compact flash memories.

  • Page 111

    Overview Managing Configuration Files Using a Text Editor Copy the edited text. Highlight the edited configuration in the text editor. Copy the highlighted text either by pressing Ctrl+C, right-clicking the mouse and clicking Copy, or clicking Edit > Copy in the window. Save the edited configuration on the router.

  • Page 112: Configuration File Transfer Using A Tftp Server

    Overview Managing Configuration Files Using a Text Editor Install the configuration. Copy the edited configuration file to startup-config. Syntax: copy <source location> <source filename> <destination location> <destination filename> ProCurve# copy flash configuration.txt flash startup-config The router will create the startup-config file and save the edited configuration to the file.

  • Page 113

    Overview Managing Configuration Files Using a Text Editor Upload the file to the TFTP server. Syntax: copy <source location> tftp ProCurve# copy flash tftp Address of remote host? 192.168.100.2 Source filename? routerB.txt Destination filename? [routerB.txt] After you enter copy <source location> tftp from the enable mode context, the router will prompt you for the information it needs to successfully complete the TFTP file transfer.

  • Page 114

    Overview Managing Configuration Files Using a Text Editor ProCurve# erase flash startup-config.bak Deleted NONVOL:/startup-config.bak ProCurve# erase cflash startup-config.bak Deleted CFLASH:/startup-config.bak To be sure that old configurations do not interfere with the new configuration, erase any startup-config files. This will reset the router to its factory defaults.

  • Page 115: Configuration File Transfer Using A Compact Flash Card

    Overview Managing Configuration Files Using a Text Editor Configuration File Transfer Using a Compact Flash Card Copy and rename the base configuration. Syntax: copy <source> <base configuration name> <destination> <destination filename.txt> For example, if your base configuration were the router’s startup-config, you would enter: ProCurve# copy cflash startup-config cflash routerB.txt Replace <source>...

  • Page 116

    Overview Managing Configuration Files Using a Text Editor Open a session with the destination router and erase files that may conflict with the new configuration. Make sure there are no startup-configuration files on the router’s internal flash or compact flash. Backup files for the startup-config can also interfere with the installation of the new configuration.

  • Page 117: Using The Ftp Server On The Procurve Secure Router, Troubleshooting The Ftp Server

    Overview Using the FTP Server on the ProCurve Secure Router Using the FTP Server on the ProCurve Secure Router The J06_03 release of the Secure Router OS includes an FTP server, which you can use to store files and allow network administrators to download these files to other devices.

  • Page 118: Enabling The Sntp Server On The Procurve Secure Router

    Overview Enabling the SNTP Server on the ProCurve Secure Router ProCurve# FTP: USER command - Password required for 'procurve'. FTP: USER command - Login incorrect. FTP: USER command - Password required for 'procurve'. FTP: USER command - Login incorrect. Figure 1-32. Debug Messages for the FTP Server Enabling the SNTP Server on the ProCurve Secure Router The J06_03 release of the Secure Router OS also includes a Simple Network...

  • Page 119: Configuring A Source Address For The Sntp Server

    Overview Enabling the SNTP Server on the ProCurve Secure Router Include version 1, 2, or 3 to specify the version of NTP that the ProCurve Secure Router should use. If you do not specify a version, the router uses version 1 by default. For example, you might want to configure the ProCurve Secure Router to contact a National Institute of Standards and Technology (NIST) Internet time server to request the current time.

  • Page 120: Viewing Sntp Settings, Troubleshooting Sntp

    Overview Enabling the SNTP Server on the ProCurve Secure Router Viewing SNTP Settings To view the current SNTP settings and the status of the SNTP client or server, enter the following command from the enable mode context: Syntax: show sntp Troubleshooting SNTP To troubleshoot SNTP, enter the following command from the enable mode context:...

  • Page 121: Quick Start, Accessing The Secure Router Os

    Overview Quick Start Quick Start This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and establish a console session. Only minimal explanation is provided. It is strongly recommended that you read the entire chapter so that you understand how the Secure Router operating system (OS) is organized and how to manage the OS.

  • Page 122: Enabling The Ftp Server, Configuring Sntp On The Procurve Secure Router

    Overview Quick Start Enabling the FTP Server To enable the FTP server, enter the following command from the global configuration mode context: Syntax: ip ftp server [default-filesystem {flash | cflash}] Enter default-filesystem flash to use the router’s internal flash as the FTP server’s data store.

  • Page 123

    Overview Quick Start Replace the <interface> option with the interface that you want to provide the source address for SNTP traffic. Supported interfaces include: • demand <number> • ethernet <slot>/<port> • frame-relay <number> • hdlc <number> • loopback <number> • tunnel <number>...

  • Page 124

    Overview Quick Start 1-92...

  • Page 125

    Controlling Management Access to the ProCurve Secure Router Contents Securing Management Access to the ProCurve Secure Router ..2-4 Restricting Access to the Enable Mode Context ....2-4 Configuring a Password for Console Access .

  • Page 126: Table Of Contents

    Controlling Management Access to the ProCurve Secure Router Contents Configuring Authorization ........2-24 Creating a Named List to Allow Authorized Users to Access the Basic Mode Context or the Enable Mode Context .

  • Page 127: Table Of Contents

    Controlling Management Access to the ProCurve Secure Router Contents Configuring SNMP Identity Information ..... . . 2-48 Change the Default Setting for the Router’s Chassis ID ..2-48 Specify the Router’s Location .

  • Page 128: Restricting Access To The Enable Mode Context, Securing Management Access To The Procurve Secure Router

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router The ProCurve Secure Router supports both local and remote management. For local management, you can use a serial cable to attach your PC to the ProCurve Secure Router and establish a console terminal session.

  • Page 129: Configuring A Password For Console Access

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Replace <password> with any combination of up to 30 characters. Include the Message Digest 5 (md5) option to encrypt the password. For example, if you want to set the password as procurve, enter: ProCurve(config)# enable password procurve Because you did not include the md5 option, the password you entered is stored as clear text and is displayed when you enter the show running-config...

  • Page 130

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Configuring a password for the console access is a three-step process: Access the console line configuration mode context. Enter the login command, which requires users to provide a password before they can access the ProCurve Secure Router OS through a console session.

  • Page 131: Enabling Remote Access To The Procurve Secure Router, Configuring An Ethernet Interface

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Enabling Remote Access to the ProCurve Secure Router As mentioned earlier, you can access the ProCurve Secure Router through the Web browser interface, Telnet session, SSH session, or FTP session. To establish this access, you must configure at least one interface, such as an Ethernet interface.

  • Page 132: Configuring Telnet Access

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Activate the Ethernet interface. ProCurve(config-eth 0/1)# no shutdown Save your configuration. ProCurve(config-eth 0/1)# do write memory Configuring Telnet Access By default, the ProCurve Secure Router requires a login password for Telnet sessions.

  • Page 133

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router You can then enter the password command: Syntax: password [md5] <password> The md5 option encrypts the password as it is sent over the wire and when it is stored in the running-config.

  • Page 134

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router If a user cannot enter the correct password, the router terminates the Telnet session. It does not allow the user to access the next Telnet line. If you place a password that only you know on Telnet line 0, no other user will be able to access the other Telnet lines for which they do know the password—except in the unlikely event that you have already established a Telnet session with...

  • Page 135: Configuring Local User Lists, Enabling Access To The Web Browser Interface

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Configuring Local User Lists By default, access to HTTP, SSH, and FTP is controlled through the local user list. To add a username and password to the local user list, enter the following command from the global configuration mode: Syntax: username <username>...

  • Page 136: Managing Ssh Communications

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router When prompted, enter a username and password that you configured in the local user list. Managing SSH Communications With Telnet, communications between the server and your PC are sent over the wire in clear text.

  • Page 137: Using Ftp To Access The Router

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Note: If you want to use an ACL to restrict SSH access, you apply this ACL at the SSH line configuration mode context. For more information, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.

  • Page 138: Enabling Secure Copy Server, Viewing Information About Users

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Note: The service password-encryption command is supported in the Secure Router OS version J.04 and above. If you upgrade to this version of the OS, enter this command but then need to revert back to a previous version (such as J.03.01), you must first disable this command and re-enter all the necessary passwords so that they are stored in clear text.

  • Page 139: Advantages Of Using The Aaa Subsystem, Using The Aaa Subsystem To Control Management Access

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access - CONSOLE 0 ‘password-only’ logged in and enabled Idle for 00:00:00 - TELNET 0 (192.168.20.25:1029) 'geoff' logged in and enabled Idle for 00:00:09 Figure 2-1. Viewing the Users Who Are Accessing the Router Through the Console, Telnet, SSH, FTP, and Web Browser Interface Using the AAA Subsystem to Control Management Access...

  • Page 140: Criteria For Failure Of Authentication Methods

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access You configure the list of authentication methods in the order in which you want them used. Then, if one method fails, the next method is used. (For information about what constitutes a failure, see “Criteria for Failure of Authentication Methods”...

  • Page 141: Enabling The Aaa Subsystem, Configuring Aaa For Authentication

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Enabling the AAA Subsystem By default, the AAA subsystem is disabled. To enable it, move to the global configuration mode context and enter: ProCurve(config)# aaa on After you enable the AAA subsystem, the complete set of AAA commands becomes available in the ProCurve Secure Router OS.

  • Page 142: Creating A Named List For The Enable Mode Authentication

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Creating a Named List for the Enable Mode Authentication To create a named list for the enable mode, you must determine the authentication methods you want to use and the order in which you want the authentication methods applied.

  • Page 143: Creating A Named List For User Authentication

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access TACACS+ enable You would enter: ProCurve(config)# aaa authentication enable default group tacacs+ enable If you create this named list, the ProCurve Secure Router will first try to authenticate the user through the TACACS+ server.

  • Page 144

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Table 2-2. Authentication Options for Named Lists Option Meaning enable Requires users to enter the password configured for the enable mode context. line Requires users to enter the password configured for the Telnet or the console line.

  • Page 145: Assign The Named List

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access If no enable password has been defined, the AAA subsystem moves to the line username and password. If no username and password have been defined for the line, the AAA subsystem moves to the local user database and tries to match the username and password that the user enters to a username and password in that database.

  • Page 146: Messages, And Prompts

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Table 2-3. Default Action if No Named List Is Configured (Access: Authentication Method). console access: no password required; Telnet access: Telnet password; FTP access: local user list; HTTP access: local user list...

  • Page 147

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Configuring a Fail Message. A fail message is displayed if the user’s attempt to log in to the router fails. By default, the fail message is: Authentication Failed To customize a fail message, move to the global configuration mode context and enter the aaa authentication fail-message command followed by a character...

  • Page 148: Configuring Authorization

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Configuring Authorization After you enable the AAA subsystem, you can use a TACACS+ server to control not only who can access the Secure Router OS but also who can actually enter unprivileged or privileged commands.

  • Page 149: Create A Named List That Allows Authorized Users To Immediately Enter Into The Enable Mode Context

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Specify default to create the default authorization list, or replace <named list> to create a named list with the name you specify. Use the group tacacs+ option to specify the default group of TACACS+ servers.

  • Page 150

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access contacts a TACACS+ server in the first group and that server does not authorize the user to enter the enable mode context, the ProCurve Secure Router will not attempt to authorize that user with any other TACACS+ groups listed.

  • Page 151: Enable Authorization Commands For Console Line, Configuring Aaa Accounting

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Assign a Named List That Allows Immediate Entry to the Enable Mode Context. To assign a named list that allows authorized users to immediately enter the enable mode context when they start a new CLI session, enter the following command from the appropriate line configuration mode context: Syntax: authorization exec [default | <named list>]...

  • Page 152: Basic Or Enable Mode Context

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Configuring accounting involves the following steps: Create a list to specify which events are tracked by the TACACS+ server. In this guide and in the SROS Command Line Interface Reference Guide, this list is called a “named list.”...

  • Page 153: Outbound Telnet Connections

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Include the group tacacs+ option if you want the ProCurve Secure Router to send the accounting information to the default group of TACACS+ servers. Replace group <groupname>...

  • Page 154

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access For example, the following command creates the Admin named list and sends the connection records to the TACACS+ server when the connection is terminated: ProCurve (config)# aaa accounting exec Admin stop-only group tacacs+ As another example, the following command creates the Admin named list and sends the outbound Telnet connection information to the TACACS+...

  • Page 155: Configure Update Settings, Do Not Send Records For Null Users

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Configure Update Settings You can configure when the ProCurve Secure Router sends updates to the TACACS+ server. To configure updates, enter the following command from the global configuration mode context: Syntax: aaa accounting update [newinfo | periodic <minutes>] Include newinfo if you want all new records sent immediately, or include...

  • Page 156

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Edge switch Edge switch ProCurve Secure Core switch Router RADIUS server Figure 2-2. Using a RADIUS Server for Authenticating Users Who Want to Manage the ProCurve Secure Router To set up this communication, you must specify the IP address of the RADIUS server.

  • Page 157: Define A Group Of Radius Servers

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Table 2-4. Customizing Settings for Individual RADIUS Servers Option Meaning Default Value acct-port <port number> Configures the router to send accounting requests to the port acct-port 1813 you specify.

  • Page 158: Configure Global Settings For Radius Servers

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access From this context, use the following command to add RADIUS servers to the group: Syntax: server <hostname | A.B.C.D> [acct-port <port> | auth-port <port> ] Either replace <hostname>...

  • Page 159: Configuring The Tacacs+ Server, Define The Tacacs+ Server

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access You must enter this command from the global configuration mode context. Table 2-5 lists all the options and what they do. Table 2-5. Global Settings for RADIUS Servers Option Meaning Default Value...

  • Page 160

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Edge switch Edge switch ProCurve Secure Core switch Router TACACS+ server Figure 2-3. Using a TACACS+ Server for Authenticating Users Who Want to Manage the ProCurve Secure Router To enable this communication, you must configure the IP address or host name of the TACACS+ server.

  • Page 161: Creating A Tacacs+ Group

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access You can use the complete tacacs-server command to configure other settings for a TACACS+ server, as shown below: Syntax: tacacs-server host <A.B.C.D | hostname> [port <number> | timeout <seconds>...

  • Page 162: Configure Global Settings For Tacacs+ Servers

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access For example, the following command creates a group called tacacs and enters the TACACS+ group configuration mode context: ProCurve(config)# aaa group server tacacs+ tacacs ProCurve(config-sg-tacacs+)# Use the following command to add TACACS+ servers to the group: Syntax: server <hostname | A.B.C.D>...

  • Page 163: Troubleshooting Aaa, Debug Aaa Command

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA Table 2-7. Global Settings for TACACS+ Servers Option Meaning Default Value tacacs-server key <key> Specifies the shared key to use with TACACS+ servers. Any none keys you configure for a particular TACACS+ server supersede the global key.

  • Page 164: Troubleshooting The Radius Server

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA AAA: New Session on portal 'TELNET 0 (192.168.1.60:4867)'. No named list for Telnet line 0; Default AAA: No list mapped to 'TELNET 0'. Using 'default'. default aaa setting for Telnet is configuration used AAA: Attempting authentication (username/password).

  • Page 165: Debug Radius Command, Troubleshooting The Tacacs+ Server

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA Auth. Acct. Number of packets sent: Number of invalid responses: Number of timeouts: Average delay: 2 ms 0 ms Maximum delay: 3 ms 0 ms Figure 2-5. show radius statistics debug radius Command You can view debug messages about RADIUS servers in real time.

  • Page 166

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA Authentication Authorization Accounting Packets sent: Invalid responses: Timeouts: Average delay: Maximum delay: Socket Opens: Socket Closes: Socket Aborts: Socket Errors: Socket Timeouts: Socket Failed Connections: Socket Packets Sent: Socket Packets Received: Figure 2-6.

  • Page 167

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA TAC+ TX: Sending Authentication START pkt TAC+ TX: version=0xc0, type=Authentication, seq_no=1, flags=00 TAC+ TX: action=Login TAC+ TX: level=1 TAC+ TX: authen type=ASCII TAC+ TX: requested service=Login IP address of the TAC+ TX: username= device trying to TAC+ TX: port=TELNET 0 (192.168.7.23:1072)

  • Page 168: Using Snmp To Manage The Procurve Secure Router, Snmp Architecture

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router SNMP is an industry-standard protocol that allows you to manage and monitor a variety of network devices from a central location. Specifically, you can configure these SNMP-compliant devices and apply consistent security and management policies to these devices across your network.

  • Page 169: Snmp Versions

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Users Group 1 Group 2 View 1 View 2 1.4.6.2.8.1 1.4.6.2.8.2 1.4.6.2.8.3 Network Network devices devices Figure 2-8. Overview of Managed Objects in a MIB SNMP Versions Three versions of SNMP are currently implemented in SNMP agents and servers: SNMP v1, v2, and v3.

  • Page 170

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router SNMP-compliant devices typically use public as the default read-only community and private as the default read-write community. Because many organizations do not change these default settings, their managed devices and SNMP servers are vulnerable to hackers.

  • Page 171: Snmp Support In The Procurve Secure Router

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Security Levels—SNMP v3 also provides three optional security levels which determine whether the data integrity and encryption described above are used: • noAuthNoPriv—This level does not provide authentication (data integrity) or privacy (encryption) and is, therefore, not recommended.

  • Page 172: Configuring Snmp Identity Information, Change The Default Setting For The Router's Chassis Id

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Configuring SNMP Identity Information You can enter the snmp-server commands in this section to configure the information the ProCurve Secure Router will submit in response to queries from authorized SNMP servers.

  • Page 173: Specify The Snmp Server Contact Information

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Specify the SNMP Server Contact Information In large organizations, management tasks are distributed among a team of IT professionals. The IT professional who manages the SNMP server is probably not the same person who is responsible for managing the ProCurve Secure Router.

  • Page 174: Specify The SNMP Server Management URL Information

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Use the no form of the command to remove contact information. Syntax: no snmp-server contact [email | pager | phone | <string>]] Specify the SNMP Server Management URL Information You can use the snmp-server management-url command to specify the URL for the router’s management software.

  • Page 175: Change The Engine ID For A Local Machine

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Change the Engine ID for a Local Machine SNMP v3 requires unique engine IDs for all systems in the SNMP management domain. The ProCurve Secure Router has a default engine ID, and you should not change this ID unless you have a specific reason for doing so.

  • Page 176: Specifying The Engine ID For A Remote Server, Configuring SNMP Views

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Specifying the Engine ID for a Remote Server When you configure a username to grant a user access to the ProCurve Secure Router, you can specify that the user’s account is stored on a remote server. (See “Configure SNMP Users”...

  • Page 177

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router For example, you could create a view named view1 that includes a given subtree of OIDs in the MIB, as well as a view named view2 that includes the given subtree as a whole, but excludes a portion of the subtree.

  • Page 178: Configuring SNMP Communities

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Table 2-9. Configuration Options for snmp-server view Command Option Meaning <viewname> Specifies the name of the view being created or modified. The name can be a maximum of 32 characters. <oidtree>...

  • Page 179

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router To specify a community string to control access to SNMP information, enter the following command from the global configuration mode context: Syntax: snmp-server community <community> [view <viewname>] [ro | rw] [<listname>] Table 2-10 lists the options for the snmp-server community command.

  • Page 180: Configuring SNMP Groups And Users, Create An SNMP Group

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Configuring SNMP Groups and Users SNMP groups are used to map SNMP users to SNMP views. That is: When you create a group, you will specify one or more views that member users will have access to.

  • Page 181

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Table 2-11. Configuration Options for snmp-server group Command Option Meaning <groupname> Specifies the name of the SNMP group. The name can be a maximum of 31 characters. v1 | v2c | v3 Specifies the SNMP security model version.

  • Page 182: Configure SNMP Users

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router In both examples, the users that you assign to the groups (using the snmp-server user command) will have the access to views that are specified in the respective snmp-server group commands.

  • Page 183

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Table 2-12. Configuration Options for snmp-server user Command Option Meaning <username> Specifies the name of the user on the SNMP host that connects to the managed object. The username can be a maximum of 15 characters.

  • Page 184: Configuring SNMP Traps And Informs, Enabling SNMP Traps

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Use the no form of the command to remove a user from a specified group. Syntax: no snmp-server user <username> <groupname> [v1 | v2c | v3 {auth [md5 | sha] <password>} | {priv des <password>}] Syntax: no snmp-server user <username>...

  • Page 185: Notifications

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Table 2-13. Supported SNMP Traps Trap Indication coldStart The ProCurve Secure Router has reset, and its configuration may be altered. warmStart The router is reinitializing itself, but the managed objects in its view have not been altered.

  • Page 186: Specify The Response Retry Attempts And Wait Time

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Sending Informs. To send informs (which require a response) to a server, from the global configuration mode context, enter: Syntax: snmp-server host <ip address> informs [version 1 <community> | version 2c <community>...

  • Page 187: Specify The Source Interface For Snmp

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router From the global configuration mode context, enter: Syntax: snmp-server inform [retries <number>] [timeout <value>] Table 2-15 lists the options for the snmp-server inform command: Table 2-15.

  • Page 188: Viewing Snmp Information

    Controlling Management Access to the ProCurve Secure Router Using SNMP to Manage the ProCurve Secure Router Viewing SNMP Information You can use show snmp commands to view the SNMP identity information and SNMP statistics on the ProCurve Secure Router. From the basic or enable mode context, enter: ProCurve>...

  • Page 189: The ProCurve Secure Router As An 802.1X Supplicant, Enabling Supplicant Functionality

    Controlling Management Access to the ProCurve Secure Router The ProCurve Secure Router as an 802.1X Supplicant The ProCurve Secure Router as an 802.1X Supplicant Allowing mobile devices unlimited access to a network poses a severe security risk. While it is beneficial to allow employees to plug in and gain access to a company’s LAN, there is the potential that unauthorized users may similarly gain access to your network.

  • Page 190: Troubleshooting Supplicant Functionality

    Controlling Management Access to the ProCurve Secure Router The ProCurve Secure Router as an 802.1X Supplicant Troubleshooting Supplicant Functionality If the ProCurve Secure Router is unable to access the 802.1X-secured network, begin troubleshooting by checking the physical connection. Ensure that the 10Base-T or 100Base-T cable is connected and in the proper ports.

  • Page 191: Configure The Enable Mode Password, Quick Start, Configure A Password For The Console Access

    Controlling Management Access to the ProCurve Secure Router Quick Start Quick Start This section provides the commands you must enter to quickly configure passwords to protect management access to the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 2-1 to locate the section and page number that contains the explanation you need.

  • Page 192: Configuring Remote Access To The ProCurve Secure Router, Configuring An Ethernet Interface

    Controlling Management Access to the ProCurve Secure Router Quick Start Configuring Remote Access to the ProCurve Secure Router You can access the ProCurve Secure Router through: Telnet, HTTP, Secure Copy (SCP) server. Configuring an Ethernet Interface Before you can access the router through a remote location, you must enable at least one interface and provide a physical connection to either a LAN or WAN.

  • Page 193: Configuring A Password For Telnet Access

    Controlling Management Access to the ProCurve Secure Router Quick Start From the global configuration mode context, enter the Ethernet interface configuration mode context: ProCurve(config)# interface ethernet 0/<port> Assign the Ethernet interface an IP address. Syntax: ip address <A.B.C.D> [<subnet mask> | /<prefix-length>] For example, if you want to assign the Ethernet interface an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0, enter ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24...

  • Page 194

    Controlling Management Access to the ProCurve Secure Router Quick Start Note: You can configure an access control list (ACL) to block Telnet access. For instructions on configuring this ACL, see Chapter 5: Applying Access Control to Router Interfaces in the Advanced Management and Configuration Guide. Configuring Local User Lists You can configure multiple usernames and passwords to be used for FTP, HTTP, and SSH access to the router.

  • Page 195: Enabling AAA, Configuring Authentication With AAA

    Controlling Management Access to the ProCurve Secure Router Quick Start Enabling AAA If you want to use AAA for authentication, authorization, or accounting, you must first enable the AAA subsystem by entering the following command from the global configuration mode context: ProCurve(config)# aaa on Configuring Authentication with AAA Create a list of authentication methods, called a named list, for the enable...

  • Page 196: Configuring Authorization With AAA

    Controlling Management Access to the ProCurve Secure Router Quick Start Configuring Authorization with AAA Configuring authorization with AAA includes two basic steps: Define a named list for authorization. You can define a named list to authorize users to: • access the basic mode context or the enable mode context •...

  • Page 197

    Controlling Management Access to the ProCurve Secure Router Quick Start Include the if-authenticated option for authorization to succeed if the user authenticates. Include the none option to grant access automatically. Include the group tacacs+ option if you want the ProCurve Secure Router to use the TACACS+ server for authorization.

  • Page 198: Configuring Accounting With AAA

    Controlling Management Access to the ProCurve Secure Router Quick Start Configuring Accounting with AAA Configuring accounting includes two basic steps: Configure an accounting named list. You can define accounting named lists to track the following events: • a user accesses the basic or enable mode context •...

  • Page 199

    Controlling Management Access to the ProCurve Secure Router Quick Start Note: You can initiate an outbound Telnet session from both the basic and enable mode context. You simply enter telnet <A.B.C.D>, replacing <A.B.C.D> with the IP address of the device that you want to access. From the global configuration mode context, enter: Syntax: aaa accounting [exec | connection] [default | <named list>] [none | start-stop | stop-only] [group {tacacs+ | <groupname>}]...

  • Page 200: Defining A RADIUS Server, Defining A TACACS+ Server, Using SNMP To Monitor Network Devices

    Controlling Management Access to the ProCurve Secure Router Quick Start • If you have created a named list to track all connections, or logins, or if you have created a named list to track outbound Telnet connections, enter: Syntax: accounting [connection | exec] [default | <named list>] Include the connection option if you want to track all outbound Telnet connections made from this line.

  • Page 201

    Controlling Management Access to the ProCurve Secure Router Quick Start Specify a community string by entering the following command from the global configuration mode context: Syntax: snmp-server community <community> [view <viewname>] [ro | rw] [<listname>] Create an SNMP group by entering the following command from the global configuration mode context: Syntax: snmp-server group <groupname>...

  • Page 202: Enabling 802.1X Supplicant Status

    Controlling Management Access to the ProCurve Secure Router Quick Start Enabling 802.1X Supplicant Status To enable the router to function as a supplicant, complete the following steps: Move to the configuration mode context for the Ethernet interface that you want to use to access the 802.1X-secured network. ProCurve(config)# interface eth 0/1 ProCurve(config-eth 0/1)# Configure the supplicant username and password:...

  • Page 203

    Configuring Ethernet Interfaces Contents Ethernet Interfaces 3-2 Configuring the Ethernet Interface

  • Page 204: Ethernet Interfaces

    Configuring Ethernet Interfaces Ethernet Interfaces Ethernet Interfaces The ProCurve Secure Router includes two Ethernet ports on the front panel, allowing you to connect two LAN segments to your WAN. You can also use the Ethernet ports to connect to a cable or Digital Subscriber Line (DSL) modem.

  • Page 205: Configuring The Ethernet Interface

    Configuring Ethernet Interfaces Ethernet Interfaces and Configuration Guide, Chapter 4: ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network; for more information about access controls, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.) Configuring the Ethernet Interface The Ethernet interface is the only interface on the ProCurve Secure Router that you configure to control both the Physical and the Data Link Layers of a...

  • Page 206: Enabling The Ethernet Interface

    Configuring Ethernet Interfaces Ethernet Interfaces You can also use a truncated reference for both interface and Ethernet, as shown below: ProCurve(config)# int eth 0/1 When you truncate a command, you only need to enter enough of the command to distinguish it from other commands. After you enter the int eth 0/1 command, the prompt will show that you are in the Ethernet 0/1 interface configuration mode context: ProCurve(config-eth 0/1)#...

  • Page 207: Configuring An IP Address, Assigning A Static IP Address

    Configuring Ethernet Interfaces Ethernet Interfaces Configuring an IP Address To assign the Ethernet interface an IP address, you must be at the Ethernet interface configuration mode context: ProCurve(config-eth 0/1)# You then have several options for assigning an IP address to an Ethernet interface: You can assign the Ethernet interface a static IP address.

  • Page 208

    Configuring Ethernet Interfaces Ethernet Interfaces In addition to enabling the DHCP client, this command allows you to configure the settings shown in Table 3-1. Table 3-1. DHCP Client Settings Option Meaning Default Setting client-id configures the client id displayed in the DHCP media type and interface’s MAC address server’s table hostname...

  • Page 209

    Configuring Ethernet Interfaces Ethernet Interfaces You should ensure that the DHCP client receives an IP address so that these requests do not consume router resources or bandwidth on your Ethernet link. To determine if the Ethernet interface has been assigned an IP address, enter: ProCurve(config-eth 0/1)# do show int eth 0/1 Note: The do command allows you to enter enable mode commands from any...

  • Page 210

    Configuring Ethernet Interfaces Ethernet Interfaces Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default-route, a domain name, or a domain name server (DNS), the DHCP client for the Ethernet interface will accept and use these settings.

  • Page 211

    Configuring Ethernet Interfaces Ethernet Interfaces Setting the Administrative Distance. In any of the variations of the ip address dhcp command, you can specify the administrative distance to use when adding the DHCP gateway into the route table. The ProCurve Secure Router uses the administrative distance to determine the best route when multiple routes to the same destination exist.

  • Page 212: Interface

    Configuring Ethernet Interfaces Ethernet Interfaces Configuring the Ethernet Interface as an Unnumbered Interface To conserve IP addresses on your network, you may want to create the Ethernet interface as an unnumbered interface. When you assign the Ethernet interface an IP address, that IP address cannot overlap with the IP addresses assigned to other interfaces on the router.

  • Page 213: Setting The Speed And The Duplex Settings

    Configuring Ethernet Interfaces Ethernet Interfaces If you configure the Ethernet interface to support virtual LANs (VLANs), you can specify an Ethernet subinterface. For example, you would enter the following commands to configure a loopback interface and then configure the Ethernet 0/1 interface to use the IP address assigned to that loopback interface: ProCurve(config)# interface loopback 1 ProCurve(config-loop 1)# ip address 10.1.1.1 /24...

  • Page 214: Configuring The Line For Half-duplex Or Full-duplex, Setting The MTU

    Configuring Ethernet Interfaces Ethernet Interfaces For example, you might enter: ProCurve(config-eth 0/1)# speed 100 Note: If you configure a default setting for speed, the Ethernet interfaces still negotiate the duplex setting—either full-duplex or half-duplex. Some Ethernet devices cannot negotiate duplex if the speed is manually set. To avoid possible problems, you may want to manually configure the duplex setting if the speed is manually set.

  • Page 215: Adding A Description

    Configuring Ethernet Interfaces Ethernet Interfaces adjacent if their MTU sizes do not match. You should ensure that the MTU on the device at the far end of the Ethernet connection is using the same MTU as the interface you are configuring. If routers and switches have different MTU sizes in a TCP/IP network, transmissions and routing may be affected.

  • Page 216: Summary Of Ethernet Configuration Settings

    Configuring Ethernet Interfaces Ethernet Interfaces interface eth 0/1 description Attached to building 1 ip address 192.168.1.1 255.255.255.0 no shutdown You can also view the description by entering: ProCurve# show running-config interface eth 0/1 This command displays the running-config settings for only the Ethernet 0/1 interface.

  • Page 217

    Configuring Ethernet Interfaces Ethernet Interfaces In addition to configuring these settings, you can: assign access control policies (ACPs) or access control lists (ACLs) to the interface; enable bridging; assign crypto maps to enable virtual private networks (VPNs); configure settings for routing protocols; configure quality of service (QoS) settings. These settings are discussed in other chapters, as shown in Table 3-3.

  • Page 218: Configure VLAN Support

    Configuring Ethernet Interfaces Configure VLAN Support Configure VLAN Support VLANs enable you to group users by logical function rather than physical location. Creating VLANs on your network provides several advantages: VLANs allow you to segment your network into smaller broadcast domains.

  • Page 219

    Configuring Ethernet Interfaces Configure VLAN Support [Figure: frame layouts. Ethernet II with 802.1Q tag: Destination address (6 bytes), Source address (6 bytes), 802.1Q Tag (4 bytes), Type field (2 bytes), Data field (up to 1500 bytes), final field (4 bytes). IEEE 802.3: Destination address, Source address, 802.1Q Tag, Length, Data field...]

  • Page 220: Configuring VLAN Support

    Configuring Ethernet Interfaces Configure VLAN Support [Figure 3-4. Routing VLAN Traffic Between Layer 2 Switches] If your company is using Layer 2 switches, you may want to enable VLAN support on the ProCurve Secure Router and configure it to route the VLAN traffic on your internal network.

  • Page 221

    Configuring Ethernet Interfaces Configure VLAN Support Enabling VLAN Support. To configure the ProCurve Secure Router to recognize the IEEE 802.1Q tag and route traffic accordingly, enter the following command from the Ethernet interface configuration mode context: ProCurve(config-eth 0/1)# encapsulation 802.1Q After you enter this command, the ProCurve Secure Router immediately recognizes that it must route traffic through this Ethernet interface to multiple VLANs with separate IP addresses.

  • Page 222: Assigning An IP Address, Viewing The Status Of Ethernet Interfaces Or Subinterfaces, Show Interfaces Command

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces Assigning an IP Address You must assign the Ethernet subinterfaces a static IP address. From the Ethernet subinterface configuration mode context, enter: Syntax: ip address <A.B.C.D> <subnet mask | /<prefix length> For example, if you are configuring a subinterface for VLAN 2 and VLAN 2 encompasses the subnet 192.168.115.0 255.255.255.0, you might enter: ProCurve(config-eth 0/1.1)# ip address 192.168.115.5 /24...

  • Page 223

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces eth 0/1 is UP, line protocol is UP [figure callout: "eth 0/1 is UP": Physical Layer and Data Link Layer are up] Hardware address is 00:15:55:05:35:D4 Ip address is 192.168.1.1, netmask is 255.255.255.0 MTU is 1500 bytes, BW is 100000 Kbit 100Mb/s, negotiated full-duplex, configured full-duplex ARP type: ARPA;...

  • Page 224: Show Running-config Commands

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces ------------------------------------------------------------------- eth 0/1 is UP, line protocol is UP Hardware address is 00:12:79:05:25:B0 Ip address is 192.168.1.1, netmask is 255.255.255.0 MTU is 1500 bytes, BW is 100000 Kbit 100Mb/s, negotiated full-duplex, configured full-duplex ARP type: ARPA;...

  • Page 225: Viewing The Configurations That Have Been Entered, Viewing All The Configuration Settings Including Defaults

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces Viewing the Configurations That Have Been Entered To view the settings that have been entered manually and are currently being used by the ProCurve Secure Router, move to the enable mode context and enter: ProCurve# show running-config This command displays the current configurations for the router.

  • Page 226

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces The display shows the current running-config file, including any default settings. Again, you will need to browse for the information relating to the Ethernet interface or subinterface you are checking. Alternately, you can enter the following command to display only information about a particular Ethernet interface or subinterface: Syntax: show running-config interface eth 0/<port number.subinterface number>...

  • Page 227: Troubleshooting An Ethernet Interface

    Configuring Ethernet Interfaces Troubleshooting an Ethernet Interface To understand the difference between the show running-config command and the show running-config verbose command, compare Figure 3-7 to Figure 3-8. For example, if you entered the IP address, a description, and the no shut command to configure the Ethernet interface, only those settings are listed when you enter the show running-config command.

  • Page 228: Show Event-history Command, Debug Interface Ethernet Command

    Configuring Ethernet Interfaces Troubleshooting an Ethernet Interface Depending on the error messages displayed, you should check the cabling or the configuration settings for the Ethernet interface. If the “eth 0/1 is DOWN” message is displayed, substitute a different 10Base-T or 100Base-T cable and make sure the connectors are securely seated in the Ethernet port on both the router and the far-end device.

  • Page 229

    Configuring Ethernet Interfaces Quick Start 2005.08.27 15:31:53 ETHERNET_INTERFACE.eth 0/1 auto-negotiation in progress 2005.08.27 15:31:55 ETHERNET_INTERFACE.eth 0/1 auto-negotiation complete 2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 link up 2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 speed is 100Mbps, full duplex 2005.08.27 15:31:56 INTERFACE_STATUS.eth 0/1 changed state to up Figure 3-9.

  • Page 230

    Configuring Ethernet Interfaces Quick Start Move to the global configuration mode context. ProCurve# configure terminal Access the Ethernet configuration mode context: Syntax: interface ethernet 0/<port> For example, if you want to configure the bottom Ethernet port, enter: ProCurve(config)# interface ethernet 0/1 Assign the Ethernet interface an IP address.

  • Page 231

    Configuring E1 and T1 Interfaces Contents Overview of E1 and T1 WAN Connections 4-3 Elements of an E1- or T1-Carrier Line

  • Page 232

    Configuring E1 and T1 Interfaces Contents Troubleshooting E1 and T1 WAN Connections 4-31 No Light 4-33 Red Light

  • Page 233: Overview Of E1 And T1 WAN Connections, Elements Of An E1- Or T1-carrier Line

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections Overview of E1 and T1 WAN Connections Public carriers offer E1- and T1-carrier lines for customers who need dedicated, secure, point-to-point wide area network (WAN) connections. The connection is always active, so data can be immediately transmitted at any time, with no wait for a dial-up process.

  • Page 234: Connecting Your Premises To The Public Carrier: The Local Loop

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections Physical transmission media and electrical specifications are part of the Physical Layer (Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (Layer 2). (See Figure 4-1.) Application layer Presentation layer...

  • Page 235

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections [Figure 4-2. Local Loop] All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design.

  • Page 236: External Or Built-in CSU/DSU

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used.

  • Page 237

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections [Figure 4-3. Router Connects Directly to an External CSU/DSU] If your public carrier does not provide the DSU, the router must include a built-in DSU.

  • Page 238: ProCurve Secure Router Modules, E1 Modules With A Built-in DSU, Supported Standards

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules [Figure 4-5. Router with a Built-in CSU/DSU] ProCurve Secure Router Modules ProCurve Networking provides several E1 and T1 modules, which are described in the next sections.

  • Page 239: T1 Modules With A Built-in CSU/DSU, Supported Standards

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-1. Standards Supported by E1 Modules Type of Standard Port E-carrier line • International Telecommunications Union (ITU) G.703 • ITU-T G.704 (CRC-4) • ITU-T G.823 • ITU-T G.797 Electrical/power • Norme Europeenne (EN) 60950 (EN is also referred to as European Standards.) •...

  • Page 240: E1 Or T1 Interfaces: Configuring The Physical Layer

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-2. Standards Supported by T1 Modules Type of Standard Port T-carrier line • AT&T TR194 • AT&T TR54016 • American National Standards Institute (ANSI) T1.403 Electrical/power • AT&T Pub 62411 (jitter tolerance) •...

  • Page 241: E1 Or T1 Interface Configuration Mode Context

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules The rest of this section describes these options in more detail and explains how to configure them from the command line interface (CLI). If you want to configure the E1 or T1 connection from the Web browser interface, see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.

  • Page 242: Interface Range Command

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules interface range Command To save time, you can use the interface range command to configure multiple E1 or T1 interfaces at the same time. You can configure a range of contiguous interfaces, or you can configure multiple noncontiguous interfaces.

  • Page 243: Channels

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Again, the router context should indicate all of the interfaces you specified: ProCurve(config-e1 3/2, 3/6, 3/8)# To specify a range of contiguous interfaces and multiple noncontiguous T1 ports, enter: ProCurve(config)# interface range t1 3/1-4, 3/6, 3/8 The settings that you must configure to establish an E1 or T1 WAN connection are explained in the following sections.

  • Page 244

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules E1 Channels. When you configure an E1 module with a built-in DSU, you must configure the number of channels that the E1 WAN connection uses. You can configure channels 1-31. One channel—channel 0—is used to maintain the connection and cannot be used for data or voice.

  • Page 245: Line Coding

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules By default, the speed for channels is 64 kbps, and this setting will be used for all E1-carrier lines and most T1-carrier lines. The speed 56 setting is used only if your public carrier is using a 56 Kbps setting for the connection. In this case, your public carrier will tell you to set the speed for each channel to 56 kbps.

  • Page 246: Frame Format

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules T1 Line Coding. T1-carrier lines use the following line coding schemes: Bipolar 8-Zero Substitution (B8ZS) Like HDB3, B8ZS was designed to overcome the deficiencies of AMI. To prevent synchronization loss, B8ZS replaces a string of eight zeros with a string that includes two logical ones of the same polarity as a timing mark.

  • Page 247

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Although E1 interfaces, including those for the G.703 port, support two frame formats, only one option is listed if you enter the following command from the E1 interface configuration mode context: ProCurve(config-e1 1/1)# framing ? Only the crc4 option is listed.

  • Page 248: Clock Source, Or Timing, For The E1- Or T1-carrier Line

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Clock Source, or Timing, for the E1- or T1-Carrier Line Because data transmission requires hosts to be synchronized, you must configure the clock source, or timing, for the E1 or T1 interface. You can configure the E1 or T1 interface with one of the following clock sources: Line—Use the line setting if the E1 or T1 interface will take the clock source from the public carrier.

  • Page 249: Transmit Signal Level (T1 Interfaces Only)

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules To configure the clock source, enter the following command from the E1 or T1 interface configuration mode context: Syntax: clock source [internal | line | through] For example, to configure the clock source as line, enter: ProCurve(config-e1 2/1)# clock source line Note: You cannot connect two interfaces on one module to different service providers...

  • Page 250: Set The FDL (T1 Interfaces Only)

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Replace <value> with one of the following numbers, which are in decibels (db): -22.5 -7.5 You should set the LBO to avoid overloading a receiver’s circuits. For sensitive interfaces or for interfaces that are connected with a long cable but separated by a short distance, use the more negative values to prevent the line from becoming too hot.

  • Page 251: Activate The E1 Or T1 Interface

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules If used on a T1-carrier line, the FDL channel must conform to one of the following standards: ANSI T1.403 standard ATT TR 54016 standard By default, the T1 interfaces on the ProCurve Secure Router use the ANSI standard.

  • Page 252: Threshold Commands

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules If you have connected the interface to either the wall jack or the external CSU, the interface will try to establish the Physical Layer of the WAN connection. If the E1 or T1 interface successfully establishes that Physical Layer, another message should be displayed: INTERFACE_STATUS.e1 1/1 changed state to up INTERFACE_STATUS.t1 1/1 changed state to up...

  • Page 253: Types Of Line Errors

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-4 lists the default settings for line error thresholds. Table 4-4. Threshold Commands Setting Description 15-Minute 24-Hour Default Default Bursty Errored Seconds Controlled Slip Seconds Degraded Minutes Errored Seconds Line Code Violations 13340 133400 Line Errored Seconds...

  • Page 254

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-5. Events That Trigger Line Errors Error Type Triggers 1-320 Path Coding Violations (PCV) Controlled Slip Seconds (CSS) Bit Error Rate (BER) between .000001 and .001 ESF and CRC4: – PCV –...

  • Page 255

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Error Type Triggers • D4 errors: – Framing error – OOF – 1544+ LCVs • 10+ SESs • Line failure + SES The following is a list of the line errors and a brief description of each. BES.

  • Page 256

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules same polarity without an intervening pulse of the opposite polarity. An EXZ is the occurrence of any zero string length equal to or greater than three for B3ZS or greater than four for HDB3. LCVs usually signal a mismatch in line coding type.

  • Page 257: Viewing Information About E1 And T1 Interfaces

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces To return a threshold to its default setting, enter this command from the global configuration mode context: Syntax: no thresholds [BES | CSS | DM | ES | LCV | LES | PCV | SEFS | SES | UAS] [15Min | 24Hr] For example, to return the 15-minute SES threshold to its default setting of 10, enter:...

  • Page 258: Show Interfaces Command

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces show interfaces Command You can use the show interfaces <interface> <slot>/<port> command to view detailed information about the status of the E1 or T1 interface. For example, if you want to view the status of the E1 1/1 interface, enter the following command from the enable mode context: ProCurve# show interfaces e1 1/1 Figure 4-7 shows the results of this command for an E1 interface.

  • Page 259: Show Running-config Command

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces The first line indicates whether the interface is up or down. The second line lists alarms, if there are any. The next two lines show current configurations for line coding, framing, and clock source. For T1 interfaces, the FDL type and the line build out settings are also listed.

  • Page 260: Show Running-config Verbose Command

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces This command displays the configuration that you have entered for the entire router. You must then scroll through the running-config until you locate the appropriate E1 or T1 interface. To save time, you can enter the following command from the enable mode context: Syntax: show running-config interface <interface>...

  • Page 261: Troubleshooting E1 And T1 WAN Connections

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections interface e1 1/1 description no framing crc4 clock source internal tdm-group 1 timeslots 1-31 coding hdb3 lbo long 0 remote-loopback sa4tx-bit 0... (Callout: This is the default setting; the E1-carrier line is using the E1 frame format.)

  • Page 262

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections You should start by troubleshooting the physical interface because it must be up before the logical connection can be established. You can quickly check the LEDs on the front of the ProCurve Secure Router to determine the status of a physical interface.

  • Page 263: No Light, Red Light

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections The color of the lights and a more detailed explanation are provided below. No Light If no light appears, ensure that you are checking the LED that corresponds to the slot in which the E1 or T1 module is installed, as shown in Figure 4-10.

  • Page 264

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections e1 1/1 is DOWN Encapsulation is not set Transmitter is sending remote alarm Receiver has loss of signal, loss of frame E1 coding is HDB3, framing is E1 Clock source is internal... (Callouts: If the interface is down, look for reported alarms. Check configuration.)

  • Page 265: Yellow Light

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections Table 4-8. Alarms and Their Possible Causes Alarm Possible Cause Possible Solutions LOS—loss of • You may be using a different type of • Check all the settings, including the setting for line signal line coding than that used by the coding.

  • Page 266: Green Light, Viewing Performance Statistics

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections If the loopback was not initiated on the ProCurve Secure Router, your public carrier is testing the line. Call your public carrier to have the loopback canceled or to determine the reason for the loopback test. Green Light If the stat LED for the physical interface is green but the WAN connection is down, you should still check the configuration for the E1 or T1 interface.

  • Page 267

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections For example, to view performance statistics accumulated on the T1 1/1 interface over all 15-minute intervals in the past 24 hours, enter: ProCurve# show interfaces t1 1/1 performance-statistics To view only certain 15-minute intervals, replace <range of intervals> with numbers between 1 and 96.

  • Page 268

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections -------------------------------------------------------------------- t1 1/1 is UP Receiver has no alarms T1 coding is B8ZS, framing is ESF Clock source is through t1 1/2, FDL type is ANSI Line build-out is 0dB No remote loopbacks, No network loopbacks Acceptance of remote loopback requests enabled Tx Alarm Enable: rai...

  • Page 269: Configuring An E1 Or T1 Interface, Quick Start

    Configuring E1 and T1 Interfaces Quick Start Quick Start This section provides the commands you must enter to quickly configure an E1 or T1 interface on the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 4-1 to locate the section and page number that contains the explanation you need.

  • Page 270

    Configuring E1 and T1 Interfaces Quick Start Move to the E1 or T1 interface configuration mode context. Syntax: interface <interface> <slot>/<port> For example, if you are configuring a one-port E1 or T1 module that is installed in slot one, enter: ProCurve(config)# interface e1 1/1 ProCurve(config)# interface t1 1/1 You can also specify a range of interfaces to configure.

  • Page 271

    Configuring E1 and T1 Interfaces Quick Start Configure the frame format for the E1- or T1-carrier line. For E1-carrier lines, use the following syntax: Syntax: framing crc4 If your public carrier is using E1 framing format, do not enter a framing command.

  • Page 272

    Configuring E1 and T1 Interfaces Quick Start 10. For T1 interfaces only, configure the line build out (lbo). If the cable connecting the T1 interface to the wall jack is longer than 655 feet, use the following lbo command: Syntax: lbo long <value> Replace <value>...

  • Page 273

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Contents Using the Serial Module for E1- or T1-Carrier Lines ....5-3 Elements of an E1- or T1-Carrier Line ......5-3 Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop .

  • Page 274

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Contents Troubleshooting a Serial Connection ......5-18 Checking the LED for the Serial Module .

  • Page 275: Using The Serial Module For E1- Or T1-carrier Lines

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines When companies require dedicated, secure point-to-point wide area network (WAN) connections, one of the available solutions is a leased E1- or T1-carrier line.

  • Page 276: The Local Loop, Connecting Your Premises To The Public Carrier's Central Office: The Local Loop

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Application Layer Presentation Layer Session Layer Transport Layer Network Layer Frame Relay Data Link Layer HDLC Physical Layer E1- and T1-carrier lines Figure 5-1. Physical and Data Link Layers of the OSI Model When you configure the ProCurve Secure Router to support an E1 or T1 WAN connection, you must configure: the Physical Layer...

  • Page 277

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Wire span Public Carrier’s CO Network CSU/ Interface Unit Repeater Router (DTE) (Smart Jack) Office Channel Unit (PTT’s CSU) Demarc Figure 5-2. Local Loop All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design.

  • Page 278

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used.

  • Page 279: Serial Module For The ProCurve Secure Router, Standards Supported By The Serial Module

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Serial Module for the ProCurve Secure Router The ProCurve Secure WAN serial modules are used when the public carrier provides an external CSU/DSU for an E1- or T1-carrier line. (See Figure 5-2 on page 5-5.) ProCurve Networking offers two serial modules: one-port narrow module eight-port, or octal, wide module...

  • Page 280: Serial Interface: Configuring The Physical Layer, Making The Physical Connection

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Serial Interface: Configuring the Physical Layer Because the external CSU/DSU manages timing, framing, and signaling for the E1- or T1-carrier line, the serial interface does not have to perform these functions.

  • Page 281

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer If you are not sure which type of cable you have, this chapter provides illustrations of the three cable connectors. For example, Figure 5-4 shows the pinouts for ProCurve Networking’s implementation of the V.35 cable connector and lists how each pin is used.

  • Page 282

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Figure 5-5 shows the pinouts for ProCurve Networking’s implementation of the X.21 cable connector and lists how each pin is used. X.21 DB-15 (DA-15) X.27-compatible connector pinout Signal/Circuit Name Unused TD_A, Transmit A...

  • Page 283

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer If you have an EIA 530 cable that you purchased from another vendor, the ProCurve Secure Router supports it. You can also use Figure 5-6, which shows the pinouts for EIA 530, to create this type of connector.

  • Page 284: Serial Interface Configuration Mode Context, Configuring The Interface For The Appropriate Cable

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Serial Interface Configuration Mode Context To begin configuring the serial interface for the E1 or T1 connection, you must access the appropriate configuration mode context. In the ProCurve Secure Router command line interface (CLI), move to the global configuration mode context and enter: Syntax: interface serial <slot>/<port>...

  • Page 285: Configuring The Clock Source, Inverting Et-clock, Inverting Txclock Or Rxclock

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Configuring the Clock Source The serial interface must have a clock source to synchronize the transmission of data. The clock source for the serial interface is called the external transmit reference clock (et-clock).

  • Page 286: Activating The Serial Interface, Configuring The Data Link Layer Protocol

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer If you enter the invert txclock command, the serial interface will invert the transmit clock that is taken from the data stream. The serial interface inverts the transmit clock before it transmits a signal.

  • Page 287: Viewing Information About The Serial Interface, Show Interfaces Serial Command

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Viewing Information about the Serial Interface Viewing Information about the Serial Interface You can view information about the E1- and T1-carrier line associated with the serial interface, and you can view the configuration settings that have been entered for the serial interface.

  • Page 288: Show Running-config Interface Command

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Viewing Information about the Serial Interface If the interface is administratively down, you must enter no shutdown from the serial interface configuration mode context to activate it. If the interface is down, you should begin troubleshooting the problem, as explained in “Troubleshooting a Serial Connection”...

  • Page 289: View All The WAN Connections Configured On The Router

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Viewing Information about the Serial Interface View All the WAN Connections Configured on the Router If your ProCurve Secure Router is providing several WAN connections for your company, you may want to view a list of these connections. The show connections command provides a quick view of all the connections on the router.

  • Page 290: Troubleshooting A Serial Connection, Checking The LED For The Serial Module

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection Troubleshooting a Serial Connection When you troubleshoot a serial interface, you should isolate the problem to determine if it is a problem with the Physical Layer or the Data Link Layer. Follow this standard process for troubleshooting WAN connections: Check the Physical Layer.

  • Page 291: Red Light, No Light

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection Table 5-1. Check the LEDs Color Meaning Action no light No module is installed, or the interface is not • Use the show interfaces serial <slot>/<port> activated. command to determine if you need to activate the interface.

  • Page 292

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection Figure 5-10 shows a serial interface that is down. ser 2/1 is down, line protocol is DOWN Encapsulation is not set Transmit clock source is TCLK DCD=up DSR=up DTR=down RTS=down CTS=up...

  • Page 293: And The CSU/DSU Keeps Going Down, Yellow Light, Green Light

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection interface ser 2/1 description et-clock-source txclock no ignore dcd no invert txclock no invert rxclock no invert etclock serial-mode V35 alias snmp trap link-status no shutdown Figure 5-11. Viewing the Output for the show running-config interface serial verbose Command The public carrier is experiencing a problem.

  • Page 294

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection The router transmits the following signals to the CSU/DSU: data terminal ready (DTR) request to send (RTS) The router receives these signals from the CSU/DSU: clear to send (CTS) data carrier detected (DCD) data set ready (DSR) test-mode (TM)

  • Page 295: Configure A Serial Interface, Quick Start

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Quick Start Quick Start This section provides the commands you must enter to quickly configure a serial module on the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents”...

  • Page 296

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Quick Start Activate the serial interface. ProCurve(config-ser 1/1)# no shutdown By default, the ProCurve Secure Router immediately notifies you that the interface is administratively up. It will take a few moments to establish the serial connection, however.

  • Page 297

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Contents Configuring the Logical Interface ........6-3 PPP Overview .

  • Page 298

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Contents Configuring HDLC as the Data Link Layer Protocol ....6-40 Create the HDLC Interface ....... 6-40 Activate the HDLC Interface .

  • Page 299: Configuring The Logical Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configuring the Logical Interface As outlined in Chapter 4: Configuring E1 and T1 Interfaces, all WAN connections—including E1- and T1-carrier lines—require both a Physical Layer and a Data Link Layer.

  • Page 300: PPP Overview, Establishing A PPP Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface PPP Overview PPP is a suite of protocols, rather than just a single protocol. (See Figure 6-2.) The PPP suite includes several types of protocols: link control protocol (LCP) authentication protocols network control protocols (NCPs)

  • Page 301

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Exchanging an authentication protocol is optional. Understanding how a PPP session is established can help you troubleshoot problems if they occur. (See Figure 6-3.) 1.

  • Page 302: Creating A PPP Interface On The ProCurve Secure Router

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface NCP. PPP uses an NCP to enable the exchange of Network Layer protocols—such as IP—across a WAN link. As Figure 6-2 shows, there is a specific NCP for each supported Network Layer protocol.

  • Page 303

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-1 shows the main settings that you must configure for an E1, T1, or serial interface connection that uses PPP. Table 6-1. Options for Configuring an E1, T1, or Serial Interface with PPP Interface Command Explanation...

  • Page 304: Configuring An IP Address For The WAN Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The PPP settings are described in the sections that follow. (For information about E1 and T1 interface settings, see Chapter 4: Configuring E1 and T1 Interfaces.

  • Page 305

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configure the PPP Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the PPP interface as an unnumbered interface.

  • Page 306: Activating The PPP Interface, Binding The Physical Interface To The Logical Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you would enter the following commands to configure a loopback interface and then configure the PPP 1 interface to use the IP address assigned to that loopback interface: ProCurve(config)# interface loopback 1 ProCurve(config-loop 1)# ip address 10.1.2.2 /30...

  • Page 307: PPP Authentication

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Replace <physical interface> with the type of WAN connection, such as E1, T1, or serial. Replace <slot> and <port> with the correct numbers to identify this interface’s location on the ProCurve Secure Router.

  • Page 308

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface PAP. PAP is the simplest possible authentication scheme. It requires a two-way message exchange. One peer sends the password previously agreed upon to the other peer, which is called the authenticator. The authenticator looks up the password in its database.

  • Page 309

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface [Figure 6-4. CHAP Process. Labels: Authenticator, Peer; Challenge; Calculate hash (both sides); Hash; Compares hash values; Acknowledge] When you configure CHAP on the ProCurve Secure Router, you only need to set the password.

  • Page 310

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface You must add the password you have agreed upon for the peer to the PPP database. The PPP database for each connection is separate and distinct from the global username and password database and the databases of other PPP connections.

  • Page 311

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you might enter: ProCurve(config-ppp 1)# ppp pap sent-username SiteA password procurve Note: PAP will be used only to authenticate this WAN connection. You do not have to actually enable the PAP protocol.

  • Page 312: Additional Settings

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Option Your Setting peer password Are you authenticating to the peer? Yes/No local router’s username local router’s password This worksheet will help you enter the PPP authentication command for your router.

  • Page 313

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Set the MTU. The maximum transmission unit (MTU) defines the largest size that a PPP frame can be. If a frame exceeds this size, it must be fragmented.

  • Page 314: Settings Explained In Other Chapters

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Replace <line> with a phrase up to 80 characters. For example, you might enter: ProCurve(config-ppp 1)# description WAN link to Denver office This description is displayed only when you enter the show running-config command.

  • Page 315: Frame Relay Overview

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-3. Additional Configuration Settings for the PPP Interface Settings Configuration Page Number Guide access controls to filter incoming and outgoing traffic Advanced 5-19, 5-38 bridging Basic 10-6...

  • Page 316: Packet-switching Network

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Subscriber 1 Transmitting an average of 640 Kbps with bursts to 832 Kbps Router Frame Relay Public Carrier’s CO switch Frame Relay over T1 Frame Relay switch Frame Relay...

  • Page 317: Components Of A Frame Relay Network

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Subscriber 1 PVC between Subscriber 1 and Subscriber 2 Router Frame Relay Public Carrier’s CO switch Frame Relay over T1 Frame Relay switch Frame Relay over T1 Frame Relay switch...

  • Page 318: DLCI

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Frame Relay Router (DTE) Switch (DCE) Frame Relay Router (DTE) Switch (DCE) Frame Relay Router (DTE) Switch (DCE) UNI: DTE to DCE NNI: DCE to DCE Figure 6-7.

  • Page 319: Create The Frame Relay Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The 10-bit field enables 1024 possible DLCI numbers, but some are reserved for special purposes: 0 signals Annex A and D 1-15 and 1008-1022 are reserved 1023 signals the Link Management Interface (LMI) The remaining 976 DLCI numbers between 16 and 1007 are available to users.

  • Page 320

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface From this configuration mode context, you can enter the help command to display the commands available from this configuration mode context. ProCurve(config-fr 1)# ? Table 6-4 shows the main settings that you must configure for an E1, T1, or serial interface that uses Frame Relay.

  • Page 321: Activate The Frame Relay Interface, Define The Signaling Role

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Interface Command Description Page Configuration Mode Context frame-relay • frame-relay interface-dlci <dlci> • defines the DLCI for the PVC 6-28 subinterface • ip address <A.B.C.D> <subnet mask | /prefix •...

  • Page 322: Define The Frame Relay Signaling Type, Configure Frame-relay Counters

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface To configure the signaling role, enter the following command from the Frame Relay interface configuration mode context: Syntax: frame-relay intf-type [dte | dce | nni] Define the Frame Relay Signaling Type You must configure the Frame Relay interface to use the same signaling type that your Frame Relay service provider uses.

  • Page 323

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-6 lists the Frame Relay counters, the possible settings, and the polls that each one controls. Table 6-6. Frame Relay Counters Frame Relay Counter Possible Default Description...

  • Page 324: Create The Frame Relay Subinterface, Assign A DLCI To The Frame Relay Subinterface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Create the Frame Relay Subinterface You must create a Frame Relay subinterface for each PVC that you want to establish through this Frame Relay interface. To create a Frame Relay subinterface, enter the following command from the global configuration context or from the Frame Relay interface configuration mode context: Syntax: interface frame-relay <number.subinterface number>...

  • Page 325: Configure The IP Address For The WAN Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, if the Frame Relay service provider assigned your company a DLCI of 16, enter: ProCurve(config-fr 1.16)# frame-relay interface-dlci 16 Configure the IP Address for the WAN Connection You configure the IP address for the WAN connection on the Frame Relay subinterface, rather than on the physical interface or the Frame Relay interface.

  • Page 326

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-7. Default Settings for the DHCP Client Option Default Setting client-id configures the client identifier displayed in the DHCP media type and interface’s MAC address server’s table hostname configures the hostname displayed in the DHCP...

  • Page 327

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface You should ensure that the DHCP client receives an IP address so that these discovery messages do not consume router resources or bandwidth on your Frame Relay link.

  • Page 328

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default-route, a domain name, or a domain name system (DNS) server, the DHCP client for the Frame-Relay subinterface will accept and use these settings.

  • Page 329

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Setting the Administrative Distance. You can specify the administrative distance to use when adding the DHCP gateway to the route table. The router uses the administrative distance to determine the best route when multiple routes to the same destination exist.

  • Page 330

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Before configuring the Frame Relay subinterface as an unnumbered interface, you should be aware of a potential disadvantage: If the interface to which the IP address is actually assigned goes down, the Frame Relay subinterface will be unavailable.

  • Page 331

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Set the CIR You can configure the CIR for the Frame Relay link using the frame-relay bc command. As explained earlier, the CIR is the bandwidth that your Frame Relay service provider guarantees your company.

  • Page 332: Bind The Physical Interface To The Logical Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Note: If you enter a value for the frame-relay bc command, you should also configure a burst rate for the Frame Relay link. Otherwise, the link will be limited to the bandwidth you specified in the frame-relay bc command.

  • Page 333

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Replace <physical interface> with E1, T1, or serial. The <slot> and <port> pinpoint this interface’s location on the ProCurve Secure Router and distinguish multiple lines of the same type from each other. If you are binding the Frame Relay interface to an E1 or T1 interface, replace <tdm-group number>...

  • Page 334

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you might enter: ProCurve(config-fr 1.1)# ip address 192.168.115.1 255.255.255.252 secondary To remove the secondary IP address, enter: Syntax: no ip address <A.B.C.D> <subnet mask | /prefix length> secondary You can include an unlimited number of secondary IP addresses.

  • Page 335

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface This description is displayed when you enter the show running-config command. From the enable mode context, enter: ProCurve# show running-config You can also view the description by entering: ProCurve# show running-config interface fr 1.16 This command displays the running-config settings for only the Frame Relay 1.16 subinterface, as shown below:...

  • Page 336: Configuring Hdlc As The Data Link Layer Protocol, Create The Hdlc Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configuring HDLC as the Data Link Layer Protocol One of the oldest Data Link Layer protocols for a WAN, HDLC actually predates the PC. Although it was developed for a mainframe environment, which includes primary and secondary devices, HDLC has been updated for use in the PC environment.

  • Page 337

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The router prompt indicates that you have entered the appropriate interface configuration mode context: ProCurve(config-hdlc 1)# From this configuration mode context, you can enter the help command to display the commands available from this configuration mode context.

  • Page 338: Activate The Hdlc Interface, Configure An Ip Address For The Wan Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Interface Command Explanation Page Configuration Mode Context hdlc • no shutdown • activates the interface 6-42 • ip address <A.B.C.D> <subnet mask | / •...

  • Page 339

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface You can replace <subnet mask> with the complete subnet mask, or you can replace </prefix length> with the CIDR notation. For example, you might enter: ProCurve(config-hdlc 1)# ip address 10.1.1.1 /24 Configure the HDLC Interface as an Unnumbered Interface.

  • Page 340

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you would enter the following commands to configure a loopback interface and then configure the HDLC 1 interface to use the IP address assigned to that loopback interface: ProCurve(config)# interface loopback 1 ProCurve(config-loop 1)# ip address 192.168.5.1 /24...

  • Page 341

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, if you want to bind the T1 2/1 interface to the HDLC 1 interface, enter: ProCurve(config)# bind 1 t1 2/1 hdlc 1 If you want to bind the serial interface to the HDLC interface, enter: ProCurve(config)# bind 1 serial 1/1 hdlc 1 Note...

  • Page 342

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Note: If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should take special care when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match.

  • Page 343

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Settings Explained in Other Chapters In addition to configuring these settings for an HDLC interface, you can: assign ACPs or ACLs to control access to the HDLC interface enable bridging assign crypto maps to enable VPNs configure settings for routing protocols...

  • Page 344: Example Networks

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks Example Networks This section outlines examples of E1- and T1-carrier lines that use PPP, Frame Relay, and HDLC as the Data Link Layer protocol. It also provides examples of WANs that are using PPP authentication.

  • Page 345

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks interface e1 1/1 tdm-group 1 timeslots 1-31 speed 64 no shutdown interface e1 1/2 clock source through tdm-group 1 timeslots 1-31 speed 64 no shutdown interface fr 1 point-to-point frame-relay intf-type dte frame-relay lmi-type q933a no shutdown...

  • Page 346

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks To connect the Atlanta office to the London office, the company chose Frame Relay, which allows them to cross country borders at a more affordable cost than dedicated T1- and E1-carrier lines.

  • Page 347

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks interface t1 1/1 lbo short 550 tdm-group 1 timeslots 1-24 speed 64 no shutdown interface t1 1/2 clock source through lbo short 550 tdm-group 1 timeslots 1-24 speed 64 no shutdown interface fr 1 point-to-point frame-relay intf-type dte...

  • Page 348

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks You would configure Local as follows: Access the PPP interface configuration mode context: Local(config)# interface ppp 1 Configure the router to authenticate Remote with PAP: Local(config-ppp 1)# ppp authentication pap Set Remote’s username and password: Local(config-ppp 1)# username Remote password YYY Set the router’s own PAP username and password:...

  • Page 349

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks Remote would be configured as follows: Remote(config)# interface ppp 1 Remote(config-ppp 1)# ppp chap password YYY Example 5: CHAP Authentication to an ISP. In this example, the ISP has provided an ID (ID-GIVEN-BY-ISP) and password (PWD-GIVEN-BY-ISP) to be used when authenticating through CHAP.

  • Page 350: Checking The Status Of Logical Interfaces, View The Status Of Interfaces

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces Checking the Status of Logical Interfaces After you configure the physical and logical interfaces and bind them together, the ProCurve Secure Router should be able to exchange data with the device at the other end of the WAN connection.

  • Page 351: Queuing Method

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces ppp 1 is UP Status of interface Configuration: Keep-alive is set (10 sec.) No multilink No authentication is configured MTU = 1492 No authentication IP is configured IP address...

  • Page 352: Subinterfaces

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces Viewing the Status of Frame Relay Interfaces and Subinterfaces For Frame Relay, you can view the status of both the interface and the subinterface.

  • Page 353

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces ------------------------------------------------------------------- fr 1 is UP Configuration: Signaling type is ANSI, signaling role is USER Multilink disabled Polling interval is 10 seconds, full inquiry interval is 6 polling intervals Link information: 5 minute input rate 24 bits/sec, 0 packets/sec 5 minute output rate 8 bits/sec, 0 packets/sec...

  • Page 354: Viewing The Status Of Hdlc Interfaces, Viewing Configuration Information

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces Viewing the Status of HDLC Interfaces To view information about the HDLC interface, enter the following command from the enable mode context: Syntax: show interface hdlc <number>...

  • Page 355: Troubleshooting Logical Interfaces, Troubleshooting The Ppp Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Troubleshooting Logical Interfaces If the physical interface is up but the logical interface is not, the steps you take to troubleshoot the problem vary, depending on the Data Link Layer protocol you are using.

  • Page 356

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces ppp 2 is DOWN Configuration: Keep-alive is set (10 sec.) No multilink MTU = 1500 No authentication IP is configured 15.1.1.1 255.0.0.0 Link thru ser 2/1 is DOWN; LCP state is INITIAL Receive: bytes=0, pkts=0, errors=0 Transmit: bytes=0, pkts=0, errors=0 5 minute input rate 0 bits/sec, 0 packets/sec...

  • Page 357

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces If the LCP status is not opened, you may need to double-check your configuration settings with your public carrier. For example, the carrier may have allocated a different number of DS0 channels to the physical line.

  • Page 358

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Note: Debug commands are processor intensive. Table 6-12 lists the debug commands you can use to monitor PPP interfaces. Table 6-12. Debug commands for PPP Interfaces Command Explanation debug ppp verbose...

  • Page 359: Troubleshooting Ppp Authentication

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces 2005.08.12 17:51:01 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Ack ID=33 Len=16 ACCM(00000000) MAGIC(d418e92e) 2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Req ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba) 2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] LCP: Conf-Ack ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba) 2005.08.12 17:51:02 PPP.NEGOTIATION PPPFSM: layer up, Protocol=c021...

  • Page 360

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces ProCurve# debug ppp authentication [Callout: The local router is attempting to authenticate itself.] 2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password() 2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Nak...

  • Page 361

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces When a peer successfully authenticates itself, the authenticator returns an Authen-Ack: 2005.07.08 09:05:08 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Ack ID=1 Len=10 Message(Hello) Note: Usernames and passwords are case-sensitive.

  • Page 362: Troubleshooting The Frame Relay Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Incompatible Authentication Protocols. If you do not receive any PPP authentication debug messages at all, the local and remote routers may be requesting different authentication protocols. In this case, the LCP state will not come up because the peers cannot negotiate the authentication option.

  • Page 363

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces If the interface is administratively down, you need to activate it. From the Frame Relay interface configuration mode context, enter no shutdown. If the interface is down, check your configuration and ensure that you are using the same Frame Relay signaling type as your Frame Relay carrier.

  • Page 364

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces “Num Update Status Rcvd” indicates the number of full status reports the interface has received. By default, the interface receives one full status report every six polls, or one every 60 seconds. “Num Status Timeouts”...

  • Page 365

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Table 6-14. Status of the PVC Status of the PVC Explanation active The PVC is functional, end-to-end, from the local router to the switch and then to the far-end router inactive The PVC is functional from the router to the Frame Relay switch.

  • Page 366: Troubleshooting Hdlc

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces The CLI displays events dealing with the establishment and negotiation of connection as they occur. You can then determine when and why problems occur. LMI statistics report on the LMI messages that are exchanged between the Frame Relay DTE and the DCE.

  • Page 367

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start To disable the hdlc debug messages, enter one of the following commands from the enable mode context: ProCurve# no debug hdlc [errors | verbose] ProCurve# undebug all Quick Start After you configure the physical connection—the E1, T1, or serial interface—...

  • Page 368

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Set a static IP address. Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> For example, you might enter: ProCurve(config-ppp 1)# ip address 10.1.1.1 /24 Activate the PPP interface ProCurve(config-ppp 1)# no shutdown Bind the physical interface to the logical interface.

  • Page 369: Requiring The Peer To Authenticate Itself, Authenticating To A Peer

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Parameter Your Setting Are you authenticating to the peer? Yes/No local router’s username local router’s password Requiring the Peer to Authenticate Itself Move to the PPP interface for the connection whose endpoint you want to authenticate.

  • Page 370: Frame Relay

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start For CHAP, enter a username only if it is different from the router’s hostname: Syntax: ppp chap hostname <username> For example, you might enter: ProCurve(config-ppp 1)# ppp chap hostname ProCurveA Frame Relay Before you begin to configure the Frame Relay interface, you should know the settings that you must enter for the following:...

  • Page 371

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Define the signaling role for the Frame Relay interface. The default setting is dte, or user. Syntax: frame-relay intf-type [dce | dte | nni] ProCurve(config-fr 1)# frame-relay intf-type dte Define the signaling type (the LMI).

  • Page 372: Hdlc

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Note: Together, the frame-relay bc command and the frame-relay be command define the amount of bandwidth you can use on the Frame Relay link. The sum of the values you specify for these two settings should be greater than 8000.

  • Page 373

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Bind the physical interface—the E1, T1, or serial interface—to the logical interface. Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number> For example, to bind the E1 1/1 interface to the HDLC 1 interface, enter: ProCurve(config-hdlc 1)# bind 1 e1 1/1 1 hdlc 1 To bind the serial 1/1 interface to the HDLC 1 interface, enter: ProCurve(config-hdlc 1)# bind 1 ser 1/1 hdlc 1...

  • Page 374

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start 6-78...

  • Page 375

    ADSL WAN Connections Contents ADSL Overview ..........7-4 ADSL Technologies .

  • Page 376

    ADSL WAN Connections Contents Bind the ADSL Interface to the ATM Interface ....7-28 Additional Settings ......... 7-28 PPPoE Overview .

  • Page 377

    ADSL WAN Connections Contents Quick Start ........... . 7-55 Configure the Physical Layer: the ADSL Interface .

  • Page 378: Adsl Overview

    ADSL WAN Connections ADSL Overview ADSL Overview Digital Subscriber Line (DSL) technologies provide high-speed wide area network (WAN) connections—typically for a lower cost than older WAN technologies such as E1- or T1-carrier lines. A variety of DSL technologies have been developed, and these technologies are sometimes collectively referred to as x-type DSL, or xDSL.

  • Page 379: Adsl Technologies, Adsl2 And Adsl2+: Enhancing Transmission Speeds

    ADSL WAN Connections ADSL Overview With asymmetric DSL technologies, the transmission speed for downstream is higher than the transmission speed for upstream. This makes asymmetric DSL technologies ideal for Internet use because users typically download more data from the Internet than they upload. Asymmetric DSL technologies are also well-suited for video-on-demand or high-definition television (HDTV).

  • Page 380: Readsl: Supporting Greater Distances, Elements Of An Adsl Connection

    ADSL WAN Connections ADSL Overview READSL: Supporting Greater Distances To make ADSL available to more customers, reach extended ADSL2 (READSL) was developed to support greater distances between a customer’s premises and the public carrier’s CO. (READSL is an ADSL2 or ADSL2+ technology, which is sometimes called READSL and sometimes called READSL2.) According to CommsDesign.com, READSL extends the reach of ADSL “up to 2500 ft., allowing ADSL systems to reach as far as 20,000 ft.”...

  • Page 381: Adsl Infrastructure

    ADSL WAN Connections ADSL Overview When you configure an ADSL connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the Logical Layer). The Physical Layer is, of course, ADSL. The Data Link Layer protocol is Asynchronous Transfer Mode (ATM).

  • Page 382: Or Isdn Voice Traffic

    ADSL WAN Connections ADSL Overview [Figure 7-4. ADSL Connection to the Internet. Labels: Customer’s Premises, Central Office, Regional broadband network, Other DSLAMs, Local loop, DSLAM, Broadband switch (ATM), WAN router, Broadband access server, Internet, Internet core router] Moving high-speed WAN connections onto a separate network infrastructure alleviates a serious problem for most public carriers: congestion in the traditional public carrier network.

  • Page 383: Adsl Splitters

    ADSL WAN Connections ADSL Overview Customers who have ISDN equipment such as telephones and fax machines can continue using this equipment while moving their Internet or WAN connection to ADSL. Support for ISDN is called ADSL over ISDN, or ADSL Annex B, and is common in countries such as Germany where ISDN is popular.

  • Page 384: Adsl Without Splitters

    ADSL WAN Connections ADSL Overview To separate the ISDN data from the ADSL data, an ISDN splitter is installed at both the customer’s premises and the CO. This splitter ensures that each type of traffic is transmitted to the appropriate device at each location. (See Figure 7-6.) Customer’s Premises Central Office...

  • Page 385: Adsl Modules For The Procurve Secure Router

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router ADSL Modules for the ProCurve Secure Router ProCurve Networking offers two ADSL modules: ADSL2+ Annex A module for ADSL over POTS ADSL2+ Annex B module for ADSL over ISDN ADSL2+ Annex A modules are used primarily in the United States and Canada. ADSL2+ Annex B modules are used in Europe, South America, Asia (except Japan), and Australia.

  • Page 386: Configuring The Adsl Interface: The Physical Layer, Accessing The Adsl Interface Configuration Mode Context

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Configuring the ADSL Interface: the Physical Layer To connect the ADSL interface on the front panel of the ProCurve Secure Router to the wall jack provided by your service provider, you use unshielded twisted pair (UTP) ribbon cable with RJ-11 connectors.

  • Page 387: Activating The Adsl Interface, Defining The Training Mode

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Activating the ADSL Interface By default, all interfaces on the ProCurve Secure Router are shut down. You must activate the ADSL interface. From the ADSL interface configuration mode context, enter: ProCurve(config-adsl 1/1)# no shutdown A message is displayed at the CLI, indicating that the interface is now administratively up.

  • Page 388

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Table 7-3. Training Modes Supported by the ProCurve Secure Router Command Option Standard Description training-mode ADSL2 ITU G.922.3 ADSL2 Trains the interface for the ADSL2 (G.dmt.bis) transmission rate. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and...

  • Page 389: Setting The Snr-margin

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Table 7-4. Training Modes Supported by the ProCurve Secure Router Command Option ADSL2+ Annex A ADSL2+ Annex B training-mode ADSL2 training-mode ADSL2+ training-mode G.DMT training-mode G.LITE training-mode Multi-Mode training-mode READSL2 training-mode T1.413 To define the training mode, enter the following command from the ADSL interface configuration mode context.

  • Page 390: Monitoring The Snr-margin, Manually Forcing Retraining

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Determining the minimum SNR margin is a compromise: the higher the SNR margin, the slower the transmission rate. However, if you set the SNR margin too low, the line may go down, or your data may be garbled. To set the SNR margin, enter the following command from the ADSL configuration mode context: Syntax: snr-margin <margin>...

  • Page 391: Configuring The Data Link Layer For The Adsl Connection, Creating The Atm Interface

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Configuring the Data Link Layer for the ADSL Connection You can configure the ADSL line with ATM as the Data Link Layer, or you can configure ADSL with either PPPoE or PPPoA. No matter which option you use, however, your configuration will include ATM, and you will need to configure both an ATM interface and an ATM subinterface.

  • Page 392: Configuring A Subinterface For Each Pvc, Creating The Subinterface

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Configuring a Subinterface for each PVC You must configure an ATM subinterface to define the endpoint of the ADSL connection. By default, each ATM interface supports up to 16 permanent virtual circuits (PVCs), so you can create a maximum of 16 subinterfaces on each ATM interface.

  • Page 393: Activating The Atm Subinterface, Configuring The Vpi/vci

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Activating the ATM Subinterface By default, all subinterfaces on the ProCurve Secure Router are shut down. You must activate the ATM subinterface. From the ATM interface configuration mode context, enter: ProCurve(config-atm 1.1)# no shutdown Configuring the VPI/VCI ATM networks are fundamentally connection-oriented, which means that a...

  • Page 394: Defining The Atm Encapsulation, Assigning The Atm Subinterface An Ip Address

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router For example, to assign the ATM subinterface a VPI/VCI of 0/33, enter: ProCurve(config-atm 1.1)# pvc 0/33 Defining the ATM Encapsulation The ATM Data Link Layer for the ADSL connection includes these sublayers: the ATM adaptation layer (AAL), which is called Layer 2-1 the point-to-point layer, which is referred to as Layer 2-2 You must configure the adaptation layer by specifying an encapsulation type.

  • Page 395

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router If you are configuring the IP address on the ATM subinterface, you can configure: a static IP address the ATM subinterface as a DHCP client the ATM subinterface as an unnumbered interface Configuring a Static Address.

  • Page 396

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Table 7-5. Default Settings for the DHCP Client Option Meaning Default Setting client-id configures the client identifier displayed for this media type and interface’s MAC address interface in the DHCP server’s table hostname configures the hostname displayed for this interface router hostname...

  • Page 397

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router ProCurve(config-atm 1.1)# do show int atm 1.1 Note: The do command allows you to enter enable mode commands from any context (except the basic mode context). Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address.

  • Page 398

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default route, a domain name, or the IP address of a domain name system (DNS) server, the DHCP client for the ATM subinterface will accept and use these settings.

  • Page 399

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Setting the Administrative Distance. You can specify the administrative distance to use when adding the DHCP gateway into the route table. The router uses the administrative distance to determine the best route when multiple routes to the same destination exist.

  • Page 400

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Before configuring the ATM subinterface as an unnumbered interface, you should be aware of a potential disadvantage: if the interface to which the IP address is actually assigned goes down, the ATM subinterface will be unavailable.

  • Page 401: Oam Settings

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router OAM Settings By default, an activated ATM interface sends F5 Operation, Administration, and Maintenance (OAM) cells over a reserved VCI to monitor the ATM link and ensure that it is open from end to end. The oam retry command enables you to configure the OAM settings that the ProCurve Secure Router OS uses to determine if a PVC is up or down.

  • Page 402: Bind The Adsl Interface To The Atm Interface, Additional Settings

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Bind the ADSL Interface to the ATM Interface When you configure WAN connections on the ProCurve Secure Router, you must bind the physical interface to the logical interface. For ADSL WAN connections, you must bind the ADSL interface to the ATM interface.

  • Page 403: Pppoe Overview

    ADSL WAN Connections PPPoE Overview Table 7-6. Additional Configurations for the ATM Interface or Subinterface Settings Apply to ATM Interface or Configuration Guide Page Subinterface access controls to filter incoming and outgoing ATM subinterface Advanced 5-19, 5-38 traffic bridging ATM subinterface Basic 10-6 VPNs...

  • Page 404: Two Phases For Establishing A Pppoe Session, Discovery Phase

    ADSL WAN Connections PPPoE Overview [Figure 7-8. Access Concentrator for PPPoE Access. Labels: Customer’s Premises, Central Office, Regional broadband network, Other DSLAMs, Local loop, DSLAM, Broadband switch (ATM), Router, Splitter, Splitter, Access concentrator. Callouts: Negotiates PPPoE session with access concentrator; Negotiates PPPoE session with router] Two Phases for Establishing a PPPoE Session To establish a PPPoE session, the client and the access concentrator must successfully complete two phases:...

  • Page 405

    ADSL WAN Connections PPPoE Overview Discovery Stage Goal: Learn session ID and peer’s Ethernet MAC address 1. PPPoE client broadcasts a PADI (initiation) frame 2. Access concentrator sends a PADO (offer) frame Access concentrator Router 3. PPPoE client sends a PADR (request) frame 4.

  • Page 406: Ppp Session

    ADSL WAN Connections PPPoE Overview Step 4. When the access concentrator receives the PADR frame, it checks the service name tag. If it accepts the service name tag, the access concentrator generates a unique session ID. It includes this ID and the service name tag in a PPPoE Active Discovery Session-confirmation (PADS) frame and sends this frame to the PPPoE client.

  • Page 407: Creating The Ppp Interface

    ADSL WAN Connections PPPoE Overview Step 3. The devices use network control protocol (NCP) frames to enable the exchange of Network Layer protocols, such as IP, across the link. Step 4. The devices use PPP frames to transmit the actual data. (For more information about establishing a PPP session, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.) During the process of establishing a PPP session, the devices will also nego-...

  • Page 408: Binding The Atm Subinterface To The Ppp Interface, Assigning An Ip Address

    ADSL WAN Connections PPPoE Overview Assigning an IP Address Because you are configuring a PPP interface on top of the ATM subinterface, the PPP interface handles the IP address. Rather than configuring an IP address on the ATM subinterface, you configure the IP address on the PPP interface.

  • Page 409: Identifying The Access Concentrator

    ADSL WAN Connections PPPoE Overview You can enter the show running-config command from the enable mode context to ensure that you have entered the two bind commands that are required for an ADSL connection that uses PPPoE. Figure 7-11 shows a sample running-config for an ADSL interface, ATM interface, ATM subinterface, and PPP interface.

  • Page 410: Identifying Pppoe Services, Pppoa Overview

    ADSL WAN Connections PPPoA Overview If you do not include this field, any access concentrator is acceptable. By default, no access concentrator is specified. Identifying PPPoE Services You can also control which PPPoE session offer the Secure Router OS accepts by specifying the PPPoE services that are required.

  • Page 411

    ADSL WAN Connections PPPoA Overview 1. Link establishment Access 2. Authentication (optional) concentrator PAP, CHAP, or EAP Router 3. Negotiation of network layer protocols NCP: IPCP, BCP, IPXCP, and so on 4. Session established Figure 7-12. Establishing a PPP Session Step One.

  • Page 412

    ADSL WAN Connections PPPoA Overview Creating the PPP Interface To configure PPPoA, you configure the ADSL interface, the ATM interface, and the ATM subinterface. (These instructions begin with “Configuring the ADSL Interface: the Physical Layer” on page 7-12.) When configuring the ATM subinterface, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below: Syntax: encapsulation aal5snap...

  • Page 413

    ADSL WAN Connections PPPoA Overview If you need to configure authentication protocols for the connection, see “PPP Authentication” on page 6-72 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces. Binding the ATM Subinterface to the PPP Interface To finish defining the point-to-point layer for the ADSL connection, you must bind the ATM subinterface to the PPP interface.

  • Page 414: Routed Bridged Encapsulation

    ADSL WAN Connections Routed Bridged Encapsulation Routed Bridged Encapsulation Some DSLAMs use routed bridged encapsulation (RBE) to route IP over bridged Ethernet traffic. RBE is sometimes referred to as “half bridging,” because it provides some of the advantages of bridging combined with some of the advantages of routing.

  • Page 415

    ADSL WAN Connections Routed Bridged Encapsulation [Figure 7-14. RBE Environment. Labels: Central Office, Customer’s Premises, Regional broadband network, Other DSLAMs, Local loop, DSLAM, Broadband switch (ATM), Router, Splitter, Splitter, Aggregation device. Callout: Establishes Ethernet bridge with ProCurve Secure Router] To configure RBE, complete the steps for configuring the ADSL interfaces as explained in “Configuring the ADSL Interface: the Physical Layer”...

  • Page 416: Viewing The Status And Configuration Of Interfaces, Viewing The Status Of The Adsl Interface

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces Viewing the Status and Configuration of Interfaces You can view information about all of the interfaces that are used to create the ADSL connection. Viewing the Status of the ADSL Interface To view the status of the ADSL interface, enter: Syntax: show interfaces adsl <slot>/<port>...

  • Page 417

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces !adsl 2/1 is UP, line protocol is UP Status of physical and logical Link Status Up G.DMT interface Line Type Fast Training mode used Line Length 933 ft Actual downstream Downstream Upstream and upstream rates...

  • Page 418

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces Next, the output from the show interfaces adsl command displays the downstream and upstream transmission rates for the connection. This section of the output also reports the attenuation on the line and any framing, signaling, and power losses, as well as error seconds.

  • Page 419: Viewing The Status Of The Atm Interface And Subinterface

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces interface adsl 2/1 Displays all the settings for the description "" interface, including defaults alias "" snr-margin 5 training-mode Multi-Mode no shutdown Figure 7-18. show running-config interface adsl verbose Command Viewing the Status of the ATM Interface and Subinterface To view the status of the ATM interface, enter the following command from the enable mode context:...

  • Page 420

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces Replace <number.subinterface number> with the unique number and subinterface number that you assigned the ATM interface. For the ATM 1.1 subinterface, enter: ProCurve# show interfaces atm 1.1 Figure 7-20 shows the output from this command for a sample network. As you can see, this command displays the status of the interface and settings such as the ATM encapsulation, the IP address, and the MTU size.

  • Page 421: Troubleshooting The Adsl Connection, Troubleshooting The Adsl Interface, Identifying The Problem

    ADSL WAN Connections Troubleshooting the ADSL Connection Troubleshooting the ADSL Connection When troubleshooting WAN connections, you should try to isolate the problem and determine if the problem is occurring on the physical interface or the logical interface. With an ADSL WAN connection, you should begin troubleshooting the ADSL interface.

  • Page 422: Debug Interface Adsl Events Command

    ADSL WAN Connections Troubleshooting the ADSL Connection adsl 2/1 is DOWN, line protocol is DOWN Link Status Training UNKNOWN Line Type The training mode does not Line Length 0 ft match the training mode used by the DSLAM Downstream Upstream Line Rate 0 kbps 0 kbps...

  • Page 423: Troubleshooting The Atm Interface

    ADSL WAN Connections Troubleshooting the ADSL Connection Figure 7-22 shows the debug commands for a connection that was established successfully. 2005.08.09 19:02:40 ADSL.EVENTS Current DSL state: ATU_RIDLE 2005.08.09 19:02:40 INTERFACE_STATUS.adsl 2/1 changed state to down 2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_NEGO Negotiating to use the 2005.08.09 19:02:54 ADSL.EVENTS Current DSL state:...

  • Page 424: Troubleshooting The Atm Subinterface, Debug Atm Oam Command

    ADSL WAN Connections Troubleshooting the ADSL Connection The output from this command shows the status of the logical interface as well as the information shown in Table 7-7. Table 7-7. Information Displayed by the show interfaces atm Command Information Meaning <number>...

  • Page 425: Troubleshooting Pppoe, Troubleshooting The Pppoe Discovery Process

    ADSL WAN Connections Troubleshooting the ADSL Connection Syntax: debug atm oam <interface number.subinterface number> [loopback {end-to-end | segment} {<LLID>}] Replace <interface number.subinterface number> with the subinterface ID for the PVC. This command displays the OAM frames for a specific PVC. Include the loopback option to configure an OAM loopback.

  • Page 426: Show Pppoe Command

    ADSL WAN Connections Troubleshooting the ADSL Connection For example, if the PPPoE client keeps sending PADI frames but does not receive any PADO frames, you know that for some reason the access concentrator is not responding. If the ADSL interface, the ATM interface, and the ATM subinterface are up, you should call your service provider and report the problem.

  • Page 427: Clear A Pppoe Connection, Debug Pppoe Client Command, Troubleshooting The Ppp Link Establishment Process

    ADSL WAN Connections Troubleshooting the ADSL Connection Figure 7-24 shows the output from this command. ppp 1 Outgoing Interface: eth 0/1 Outgoing Interface MAC Address: 00:A0:C8:00:85:20 Access-Concentrator Name Requested: FIRST VALID Access-Concentrator Name Received: 13021109813703-LRVLGSROS20W_IFITL Access-Concentrator MAC Address: 00:10:67:00:1D:B8 Session Id: 64508 Service Name Requested: ANY Service Name Available: PPPoE Client State: Bound (3)

  • Page 428

    ADSL WAN Connections Troubleshooting the ADSL Connection When you view the status of the PPP interface, you must ensure that both the interface and the Network Layer protocol are up. For example, Figure 7-25 shows a PPP interface that is up. However, the user cannot send traffic over the link.

  • Page 429: Configure The Physical Layer: The Adsl Interface, Quick Start

    ADSL WAN Connections Quick Start Quick Start This section provides the commands you will need to quickly configure an Asymmetric Digital Subscriber Line (ADSL) WAN connection on the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 7-1 to locate the section and page number that contains the explanation you need.

  • Page 430

    ADSL WAN Connections Quick Start Access the ADSL interface configuration mode context. Syntax: interface adsl <slot>/1 For example, if the ADSL module is in slot two, enter: ProCurve(config)# interface adsl 2/1 Activate the interface. ProCurve(config-adsl 2/1)# no shutdown Set the SNR margin. Syntax: snr-margin <margin>...

  • Page 431: Configure The Data Link Layer: The Atm Interface And Subinterface, Configure Atm Only

    ADSL WAN Connections Quick Start Table 7-9. Training Modes Supported by the ProCurve Secure Router Command Option ADSL2+ Annex A ADSL2+ Annex B training-mode ADSL2 training-mode ADSL2+ training-mode G.DMT training-mode G.LITE training-mode Multi-Mode training-mode READSL2 training-mode T1.413 Configure the Data Link Layer: the ATM Interface and Subinterface Before you configure the Data Link Layer for the ADSL connection, you must know the settings that you should enter for the following:...

  • Page 432

    ADSL WAN Connections Quick Start Replace <interface> with atm, and replace <number> with a unique number for this ADSL connection. For example, to create ATM 1 interface, enter: ProCurve(config)# interface atm 1 Activate the interface. ProCurve(config-atm 1)# no shutdown Create a subinterface for each permanent virtual circuit (PVC). ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.

  • Page 433: Configure Rbe

    ADSL WAN Connections Quick Start Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context). Configure RBE Your ADSL service provider may ask you to configure the ATM subinterface to use routed RBE, which routes IP over bridged Ethernet traffic.

  • Page 434: Configure Pppoe

    ADSL WAN Connections Quick Start Configure PPPoE If your service provider wants you to configure PPPoE for your ADSL connection, complete these steps: Create the ATM interface. Syntax: interface atm <number> ProCurve(config)# interface atm 1 Activate the interface. ProCurve(config-atm 1)# no shutdown Create a subinterface for each PVC.

  • Page 435

    ADSL WAN Connections Quick Start Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context). Create the PPP interface. Syntax: interface ppp <number> ProCurve(config)# interface ppp 1 Configure a static IP address or configure the interface to negotiate the IP address with the service provider’s router.

  • Page 436: Configure Pppoa

    ADSL WAN Connections Quick Start interface adsl 2/1 snr-margin 6 no shutdown interface atm 1 point-to-point no shutdown bind 3 adsl 2/1 atm 1 Bind the ADSL interface to the ATM interface interface atm 1.1 point-to-point no shutdown pvc 0/35 interface ppp 3 ip address 10.1.1.1...

  • Page 437

    ADSL WAN Connections Quick Start Define the ATM encapsulation. For PPPoA, you must set the encapsulation at aal5snap or aal5mux ppp. The default setting is aal5snap. Syntax: encapsulation aal5snap Syntax: encapsulation aal5mux [ip | ppp] For example, to use aal5snap, enter: ProCurve(config-atm 1.1)# encapsulation aal5snap Bind the physical interface—the ADSL interface—to the logical interface.

  • Page 438

    ADSL WAN Connections Quick Start View the running-config to ensure that you have entered two bind commands: one to bind the ADSL interface to the ATM interface and one to bind the ATM subinterface to the PPP interface. (See Figure 7-28.) Enter: ProCurve(config-ppp 1)# do show running-config interface adsl 2/1 snr-margin 5...

  • Page 439

    Configuring Demand Routing for Primary ISDN Modules Contents Overview of ISDN Connections 8-4 Elements of an ISDN Connection

  • Page 440

    Configuring Demand Routing for Primary ISDN Modules Contents Understanding How the connect-sequence Commands Work 8-35 Configuring the idle-timeout Option

  • Page 441

    Configuring Demand Routing for Primary ISDN Modules Contents Configuring an ISDN Template 8-57 Using Call Types and Patterns

  • Page 442: Overview Of Isdn Connections

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Overview of ISDN Connections Integrated Services Digital Network (ISDN) connections are point-to-point dial-up connections that can handle both voice and data over a single line. ISDN provides WAN connections at a lower cost than dedicated WAN connections such as E1- or T1-carrier lines.

  • Page 443: Elements Of An Isdn Connection, The Local Loop

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Elements of an ISDN Connection All WAN connections, including ISDN lines, consist of three basic elements: the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection; electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media; Data Link Layer protocols, which provide logical flow control for trans-...

  • Page 444

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Copper wire has a limited signal-carrying capacity, making local loops that use copper wire the slowest, least capable component of a WAN connection.

  • Page 445

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections In addition to wire and the demarc, the local loop for an ISDN connection includes: ISDN switch—At the public carrier’s CO, the ISDN switch multiplexes and de-multiplexes channels on the twisted pair wiring of the local loop. It provides the physical and electrical termination for the ISDN line and then forwards the data onto the public carrier’s network.

  • Page 446: Isdn Interfaces: Connecting Equipment To The Isdn Network

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections ISDN Interfaces: Connecting Equipment to the ISDN Network ISDN supports both RJ-11 and RJ-45 connectors. Public carriers typically install an RJ-45 jack to connect the subscriber’s premises to the local loop. You can add equipment at four interface points on the subscriber’s side of an ISDN network: U interface...

  • Page 447: Line Coding For Isdn Bri Connections, Isdn Data Link Layer Protocols

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections R Interface. The R interface is used to connect a TE2 device to the TA. Because there are no standards for the R interface, the vendor providing the TA determines how the TA connects to and interacts with the TE2. Line Coding for ISDN BRI Connections To provide higher transmission rates on ordinary telephone wire, ISDN BRI uses a compressed encoding scheme called 2B1Q.

  • Page 448: Lapd

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections ISDN also supports the following B-channel Data Link Layer protocols: Point-to-Point (PPP), High-Level Data Link Control (HDLC), Frame Relay. LAPD LAPD establishes the ISDN connection between two endpoints. Exchanged over the D channel, LAPD frames provide the addressing for the dial-up connection, including the service access point identifier (SAPI) and the terminal endpoint identifier (TEI).

  • Page 449: Q.931, Call Process

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections In the second octet, the first seven bits designate the connection’s TEI. TEIs can be assigned statically or dynamically. A statically assigned TEI will have a value between 0 and 63; dynamically assigned TEIs range from 64 to 126. A value of 127 designates a broadcast connection meant for all TEs.

  • Page 450

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections [Figure 8-4. ISDN Call Setup Process, between the caller, the ISDN switch, and the receiver: Setup (pick up and dial), Call Process, Setup, Alerting (phone rings), Alerting, Connect (pick up the phone), Connect, Connect_ack, Connect_ack, Connected.] Placing a Call.

  • Page 451: Procurve Secure Router Isdn Modules

    Configuring Demand Routing for Primary ISDN Modules ProCurve Secure Router ISDN Modules The receiver gets the SETUP. If the receiver is available and ready, it rings the phone and sends an ALERTING message to the switch. The switch forwards the ALERTING to the caller. The receiving ISDN modem sends a CONNECT message to the switch.

  • Page 452

    Configuring Demand Routing for Primary ISDN Modules ProCurve Secure Router ISDN Modules Table 8-2. Differences Between Primary and Backup ISDN Modules ISDN Module Hardware Applications Activation Method Increasing Bandwidth Requirements primary uses one narrow primary or backup WAN established only when supports Multilink PPP slot on the connection between two...

  • Page 453: Primary Isdn Modules

    Configuring Demand Routing for Primary ISDN Modules ProCurve Secure Router ISDN Modules Primary ISDN Modules For primary WAN connections, ProCurve Networking currently offers two types of modules: ISDN BRI U module—used in the United States and Canada ISDN BRI S/T module—used in all other countries Both of these ISDN modules support the following standards: National ISDN-1—Defined in the mid 1990s by the National Institute of Standards and Technology (NIS) and Bellcore (now called Telcordia),...

  • Page 454: Using Demand Routing For Isdn Connections

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Table 8-3. Supported ISDN Standards Type Switch Types Classifications Electrical ISDN BRI S/T module • National ISDN-1 • ACIF S031 • FCC Part 15 Class A • Northern Telecom DMS- •...

  • Page 455

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections [Figure labels: Branch Office A (Switch, 192.168.4.0, Router A); Edge Switches; ISDN connection to Branch Office A triggered by traffic with destination address 192.168.4.0 /24; ISDN connection; Core Switch; Branch Office B...]

  • Page 456: Define The Traffic That Triggers The Connection

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections To configure demand routing for a primary ISDN module, you must complete the following steps: Create an extended access control list (ACL) to define the traffic that will trigger the dial-up connection.

  • Page 457: Specifying A Protocol

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections To define the interesting traffic, you create an extended ACL. The ProCurve Secure Router will use this ACL to identify and select traffic that triggers a dial-up connection. From the global configuration mode context, enter: Syntax: ip access-list extended <listname>...

  • Page 458: Defining The Source And Destination Addresses

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections For demand routing, you might want to create an ACL that selects all of the traffic to a particular subnet. In this case, you should specify ip as the protocol. Defining the Source and Destination Addresses When you create an extended ACL, you must configure both a source and a destination address for each entry.

  • Page 459

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Router OS should match the corresponding bit in the IP address. You use a 1 to indicate that the Secure Router OS should ignore the corresponding bit in the IP address.

  • Page 460: Configuring The Demand Interface

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Exit the ACL. After you have finished creating the ACL, enter exit to return to the global configuration mode context, as shown below: ProCurve(config-ext-nacl)# exit ProCurve(config)# After you create the ACL, you must apply it to the demand interface. In fact, the ACL will have no effect until you apply it to the demand interface.

  • Page 461: Creating The Demand Interface

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections When the ProCurve Secure Router detects traffic that must be routed through a demand interface, it processes the extended ACL applied to the demand interface to define the interesting traffic. If the traffic matches that ACL, the router attempts to establish the ISDN connection.

  • Page 462

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Like loopback interfaces, demand interfaces do not have to be activated. That is, you do not have to enter no shutdown. After you create the demand interface, its status automatically changes to administratively up. The demand interface will begin spoofing an up status after you configure an IP address for it.

  • Page 463

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Configure the Demand Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the demand interface as an unnumbered interface. When you assign a logical interface on the router an IP address, that IP address cannot overlap with the IP addresses assigned to other logical interfaces.

  • Page 464: Matching The Interesting Traffic

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections To view the routing table, enter: ProCurve(config-demand 1)# do show ip route Figure 8-8 shows a routing table that includes demand interface 1, a directly connected interface. 10.2.2.0/30 is directly connected, ppp 1 10.3.3.0/30 is directly connected, demand 1 192.168.20.0/24 is directly connected, eth 0/1...

  • Page 465

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections If you include the in option when you enter the match-interesting command, the ProCurve Secure Router will check only the traffic received on the demand interface. If you include the out option, the router will check only the traffic transmitted from the interface.

  • Page 466

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections You can apply an access control policy (ACP) to the demand interface. ACPs control incoming traffic and can contain multiple ACLs. You use the ip access-group command to apply ACLs directly to the demand interface, or you use the access-policy command to apply an ACP to the demand interface.

  • Page 467: Specifying The Connect-mode Option

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections the packet. However, the router will reset the dial-up connection’s idle timer only if the packet also matches the ACL specified with the match-interesting reverse list command. Specifying the connect-mode Option You can control whether the demand interface can be used to originate a call, answer a call, or both.

  • Page 468: Associating A Resource Pool With The Demand Interface, Defining The Connect Sequence

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Note: Currently, it is not possible to have outbound traffic that will originate a call but not keep the link up. Because the match-interesting command controls both the traffic that triggers a connection and the traffic that resets the idle timer, any outbound interesting traffic that initiates a connection also keeps the link up.

  • Page 469

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections You can configure more than one connect sequence for a demand interface. For example, you may want to configure more than one connect sequence if the main office has more than one ISDN line. Then, if one ISDN line is in use, the ProCurve Secure Router can dial another line to establish a connection.

  • Page 470: Specify The Order In Which Connect Sequences Are Used

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Specifying the busyout-threshold <value> is optional. Include a value to specify the maximum number of times the ProCurve Secure Router will try this connect sequence in a single call attempt. If you specify 0, the ProCurve Secure Router will make an unlimited number of attempts.

  • Page 471: Configure The Number Of Connect Sequence Attempts, Configure Settings For The Recovery State

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Returning to the Default Connect Sequence Processing Order. To return the connect-order command to its default setting of sequential, enter: ProCurve(config-demand 1)# no connect-order Configure the Number of Connect Sequence Attempts You can limit the number of times that the ProCurve Secure Router processes the connect sequences configured for a demand interface if it is unable to establish a connection.

  • Page 472

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections available. If a BRI interface becomes available, the ProCurve Secure Router uses that interface to dial a connect-sequence. At the same time, the router cancels the fast-idle mode for the resource pool. (For more information about fast-idle mode, see “Configuring the fast-idle Option”...

  • Page 473: Commands Work

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Replace <seconds> with the number of seconds you want the demand interface to wait between connect sequence attempts. You can specify a number between 1 and 65535. The default setting is 120 seconds. Replace <number>...

  • Page 474

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Processing connect-sequences 1. Check connect-order. 2. Process connect-sequence 2, based on connect-order. connect-order sequential connect-sequence 10 dial-string 5551212 forced-ISDN-64k busyout-threshold 3 connect-sequence 20 dial-string 5552222 forced-ISDN-64k busyout-threshold 1 3.

  • Page 475: Configuring The Idle-timeout Option

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections If the ProCurve Secure Router processes all of the connect sequences and cannot establish a dial-up connection, the connect sequence attempt fails. For the configuration shown in Figure 8-10, the ProCurve Secure Router will cycle through the connect sequences three times.

  • Page 476: Configuring The Fast-idle Option, Defining The Caller-number Option

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Configuring the fast-idle Option You can assign BRI interfaces to more than one resource pool. For example, you might want to assign backup interfaces to more than one resource pool because it would be unlikely that two primary interfaces would go down at the same time.

  • Page 477: Defining The Called-number Option, Configuring The Hold Queue

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Replace <CLID> with the calling party’s telephone number. By default, the caller-number list does not include any numbers so all calls are accepted. Defining the called-number Option You can also configure the Dialed Number Identification Service (DNIS) that the demand interface provides when answering a call.

  • Page 478: Configuring The Bri Interface, Accessing The Bri Interface

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Configuring the BRI Interface To configure the BRI interface, you need the following information from your service provider: ISDN signaling (switch) type assigned telephone numbers (LDNs) service profile IDs (SPIDs), if you are located in the United States or Canada You should have this information available before you begin configuring the BRI interface.

  • Page 479: Configuring The Isdn Signaling (switch) Type

    Configuring Demand Routing for Primary ISDN Modules Using Dema