
HP ProCurve Secure 7000dl Series Basic Management And Configuration Manual

Secure router procurve 7000dl series.

7000dl Series
Basic Management and Configuration
Guide
December 2005
J04_01

   Summary of Contents for HP ProCurve Secure 7000dl Series

  • Page 1: Procurve Secure Router

    ProCurve Secure Router 7000dl Series December 2005 J04_01 Basic Management and Configuration Guide...
  • Page 2 5991-3785 December 2005 The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an Applicable Products additional warranty.
  • Page 3: Table Of Contents

    Contents 1 Overview Contents ............1-1 Using This Guide .
  • Page 4: Table Of Contents

    LEDs for Slots 1 and 2 ........1-24 Status LEDs .
  • Page 5: Table Of Contents

    Telnet ..........1-42 Traceroute .
  • Page 6: Table Of Contents

    Troubleshooting ..........1-70 Compact Flash .
  • Page 7: Table Of Contents

    Configuring AAA for Authentication ......2-16 Creating a Named List for the Enable Mode Authentication ......... 2-16 Creating a Named List for User Authentication .
  • Page 8: Table Of Contents

    Quick Start ........... . 2-42 Configure the Enable Mode Password .
  • Page 9: Table Of Contents, Viewing All The Configuration Settings

    Viewing the Status of Ethernet Interfaces or Subinterfaces ... 3-19 show interfaces Command ........3-19 show running-config Commands .
  • Page 10: Table Of Contents, Connecting Your Premises To The Public Carrier's

    Viewing Information about E1 and T1 Interfaces ....4-26 show interfaces Command ........4-27 show running-config Command .
  • Page 11: Table Of Contents

    Viewing Information about the Serial Interface ..... 5-15 show interfaces serial Command ......5-15 show running-config interface Command .
  • Page 12: Table Of Contents

    Define the Frame Relay Signaling Type ....6-26 Configure Frame-Relay Counters ......6-26 Create the Frame Relay Subinterface .
  • Page 13: Table Of Contents

    Quick Start ........... . 6-70 PPP .
  • Page 14: Table Of Contents

    Defining the ATM Encapsulation ......7-20 Assigning the ATM Subinterface an IP Address ....7-20 OAM Settings .
  • Page 15: Table Of Contents

    Clear a PPPoE Connection ....... 7-52 debug pppoe client Command ......7-52 Troubleshooting the PPP Link Establishment Process .
  • Page 16: Table Of Contents

    Associating a Resource Pool with the Demand Interface ..8-30 Defining the Connect Sequence ......8-30 Specify the Order in Which Connect Sequences Are Used .
  • Page 17: Table Of Contents, Configuring Chap Authentication For

    Configuring CHAP Authentication for a Demand Interface ........8-54 Configuring the Username and Password That the Router Expects to Receive .
  • Page 18: Table Of Contents

    Configuring the E1 + G.703 Module ....... . 9- 4 Making the Physical Connection .
  • Page 19: Table Of Contents

    Quick Start ........... . 9-21 Configuring the E1 + G.703 Module .
  • Page 20: Table Of Contents, Determining Which Device Becomes Root

    Configuring RSTP ......... 10-17 Determining Which Device Becomes Root: Setting the Router’s Priority .
  • Page 21: Table Of Contents

    Configuring Static Routes ........11-13 Overview .
  • Page 22: Table Of Contents

    Configuring DNS ..........12-8 Enabling DNS .
  • Page 23: Table Of Contents

    Changing a Pool’s Lease Time ......13-10 Specifying DNS, WINS, and Other Servers ....13-11 Specifying a Domain Name for the Subnet .
  • Page 24: Table Of Contents

    14 Using the Web Browser Interface for Basic Configuration Tasks Contents ............14-1 Configuring Access to the Web Browser Interface .
  • Page 25: Table Of Contents

    Configuring PPPoE for the Ethernet Interface ....14-35 Dynamic DNS ......... 14-37 Secondary IP Settings .
  • Page 26: Table Of Contents

    Configuring PPPoE or PPPoA for the ADSL Connection ..14-68 Dynamic DNS ......... 14-70 Secondary IP Settings .
  • Page 27 Overview Contents Using This Guide ..........1-5 Understanding Command Syntax Statements .
  • Page 28 Overview Contents LEDs for Slots 1 and 2 ........1-24 Status LEDs .
  • Page 29 Overview Contents Terminal ..........1-43 Wall .
  • Page 30 Overview Contents Managing Configuration Files Using a Text Editor ....1-73 Creating and Transferring Configuration Files ....1-75 Configuration File Transfer Using the Console Port .
  • Page 31: Using This Guide, Understanding Command Syntax Statements

    Overview Using This Guide Using This Guide The ProCurve Secure Router Management and Configuration Guide describes how to use the ProCurve Secure Router 7000 series in a network environment. Specifically, it focuses on two models: ProCurve Secure Router 7102dl ProCurve Secure Router 7203dl This guide describes how to use the command line interface (CLI) and the Web browser interface to configure, manage, monitor, and troubleshoot basic router operation.
  • Page 32: Cli Prompt

    Overview Using This Guide Square brackets ( [ ] ) are used in two ways: • They enclose a set of options. When entering the command, you select one option from the set. For example, in the second command shown above, you would enter any or host <A.B.C.D>...
  • Page 33: Quick Starts, Obtaining Additional Information, Ip Address Notation Convention

    Overview Using This Guide IP Address Notation Convention You must sometimes enter an IP address or addresses as part of a command. For example, you might need to assign an IP address to a logical interface on the ProCurve Secure Router, or you might need to enter an IP address to be filtered by an ACL.
  • Page 34: Downloading Software Updates

    Overview Using This Guide When the document file opens, click the disk icon in the Acrobat® toolbar and save a copy of the file. Click Product Manuals Figure 1-1. The ProCurve Technical Support Web Page Downloading Software Updates ProCurve Networking periodically updates the router software to include new features.
  • Page 35 Overview Using This Guide Step 2 Step 3 Figure 1-2. Downloading Software Updates Release notes are included with the software updates and provide information about: new features and how to configure and use them software management, including downloading the new software to the router software fixes addressed in current and previous releases...
  • Page 36: Interface Management Options, Web Browser Interface

    Overview Interface Management Options Interface Management Options The ProCurve Secure Router includes two management interfaces: the command line interface (CLI) and the Web browser interface. To initially access the CLI, connect the COM port on your workstation to the console port on the front panel of the router.
  • Page 37: Accessing The Web Browser Interface

    Overview Interface Management Options Figure 1-3. Configuring ACPs Using the Web Browser Interface Accessing the Web Browser Interface To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router.
  • Page 38: Using The Procurve Web Browser Interface

    Overview Interface Management Options Using the ProCurve Web Browser Interface The ProCurve Web browser interface is organized into the following sections: System Router/Bridge Firewall Utilities The System section of the interface contains general router functions. In this section, you can: configure WAN and LAN connections configure IP services enable the Dynamic Host Configuration Protocol (DHCP) and Domain...
  • Page 39: Hardware Overview, Procurve Secure Router Front Panel, Console Port

    Overview Hardware Overview router’s current OS and upload any necessary upgrades. You can click Reboot and restart the router, and you can also set up a Telnet session by clicking Telnet to Unit. Note: In the CLI, boot and configuration files are referred to as software. In the Web browser interface, the boot and configuration files are called firmware.
  • Page 40: Ethernet Ports

    Overview Hardware Overview Console Port Figure 1-4. Connecting to the Console Port Ethernet Ports Because the two Ethernet ports are not modular, they are assigned a fixed slot and port number. For interface notation purposes, these ports are labeled Eth 0/1 and Eth 0/2.
  • Page 41 Overview Hardware Overview Slot 2 Slot 1 Figure 1-6. Two Narrow Slots Each slot can house one of the ten narrow modules available for WAN connections. (See Table 1-1.) Table 1-1. Narrow Slot Modules Module Type of Module Explanation E1 modules: E1 module with integrated DSU supports E1-carrier lines when the service provider does not provide an external DSU...
  • Page 42: E1 And T1 Modules

    Overview Hardware Overview Note: For information on these or additional modules, please check the ProCurve Web site at www.procurve.com. Click on Products & Solutions in the left bar, then click on Secure Router 7000dl series under WAN. E1 and T1 Modules E-carrier lines are used in Europe, Asia, Australia, and South America.
  • Page 43 Overview Hardware Overview Figure 1-7. E1 Modules T1 Modules. If you are leasing a T1-carrier line and the public carrier does not provide a CSU/DSU, you will need to purchase one of the three narrow slot T1 modules, which include a built-in CSU/DSU. (See Figure 1-8.) Select: a one-port T1 module, which supports a full T1-carrier line (24 channels or 1.544 Mbps) a two-port T1 module, which provides 1.544 Mbps on each interface (3.088...
  • Page 44: Isdn Module

    Overview Hardware Overview Figure 1-9. Serial Module ADSL2+ Annex A or Annex B Module. The ADSL2+ modules provide bandwidth up to 25 Mbps downstream and 1.544 Mbps upstream. Because ADSL also supports analog voice on the local loop, existing telephone equipment and fax machines can continue to carry traffic on the same line.
  • Page 45: Backup Modules

    Overview Hardware Overview Figure 1-11. ISDN BRI Modules Backup Modules A backup connection protects a company’s WAN operations against system failure. Three types of backup modules are available for the ProCurve Secure Router: ISDN BRI S/T backup module for use outside of North America—supports a 64 Kbps backup call or a bonded 128 Kbps call ISDN BRI U backup module for use in the US and Canada—supports a 64 Kbps backup call or a bonded 128 Kbps call...
  • Page 46: Wide-slot Option Modules

    Overview Hardware Overview Figure 1-12. Installing a Backup Module on Top of a Narrow Slot Module Each backup module can be used to back up any WAN connection on the router, no matter where the backup module is housed. Wide-Slot Option Modules The ProCurve Secure Router 7203dl includes a third, wide-module slot.
  • Page 47 Overview Hardware Overview E1/T1 Toggle Switch Figure 1-13. E1/T1 Toggle Switch Note: Although the ProCurve Secure Router 7203dl can support up to 12 E1 or T1 lines, the router only supports enough throughput for up to 8 E1 or T1 lines. You can configure each of the eight ports independently with separate clock sources, frame formats, and other specifications.
  • Page 48: Interface Numbering Conventions

    Overview Hardware Overview Figure 1-15. The Eight-port T1/E1 Serial Module Interface Numbering Conventions When configuring a WAN connection, you will need to specify the slot and port of the physical interface that is providing the connection. The syntax for specifying a physical interface is <interface> <slot>/<port>. Replace <interface>...
  • Page 49: Status Leds, Power Led, Fault Led

    Overview Hardware Overview Status LEDs ProCurve Secure Routers feature LEDs on the front panel to provide information about the condition of the router itself and of the modules you have installed. This section describes how to interpret these LEDs. Power LED The power LED indicates the router’s power status.
  • Page 50: Leds For Slots 1 And

    Overview Hardware Overview LEDs for Slots 1 and 2 Both the ProCurve Secure Router 7102dl and 7203dl have two columns of LEDs that report information about the modules installed in the narrow slots. As you would expect, column 1 reports information about the module in slot 1, and column 2 reports information about the module in slot 2.
  • Page 51: Backup Leds, Tx And Rx Leds, Slot 3 Leds

    Overview Hardware Overview Backup LEDs The second LED in each column reports the status of the backup module, if a backup module is installed. The LED in the first column corresponds to the backup module in slot one, and the LED in the second column corresponds to the module in slot two.
  • Page 52: Status Led, Activity Led, Test Led, Ethernet And Activity Leds

    Overview Hardware Overview Slot 3 LEDs Figure 1-18. On the ProCurve Secure Router 7203dl, the Third Column LEDs Report on the Wide Module. Status LED The first LED reports on the status of the wide module, indicating whether the wide module is installed and functional. No light—The module has not been installed or none of the interface ports have been activated.
  • Page 53: Activity Leds, Link Leds, Rear Panel, Optional Ipsec Vpn Module

    Overview Hardware Overview Link LED Activity LED Figure 1-19. LEDs for Ethernet Interfaces Activity LEDs Activity LEDs signal data transfer between the LAN and the router. No light—The Ethernet connection is inactive. Flashing yellow—The link is currently transmitting or receiving data. Link LEDs Link LEDs signal whether or not the router recognizes a valid connection to a LAN.
  • Page 54: Compact Flash Card

    Overview Hardware Overview Slot for the IPSec VPN module Figure 1-20. IPSec VPN Module To protect your network from security breaches through the Internet, the ProCurve Secure Router establishes secure VPN tunnels using the industry-standard IP Security (IPSec) protocol. The IPSec VPN module enables the software that supports the IPSec protocols and relieves the CPU of the overhead associated with processing the encryption algorithms.
  • Page 55: Redundant Power Source

    Overview Hardware Overview Redundant Power Source The RPS outlet on the back panel of the ProCurve Secure Router 7203dl provides increased router reliability for mission-critical applications. (See Figure 1-22.) The RPS slot can be used with the ProCurve 600 Redundant External Power Supply.
  • Page 56: Software Overview, Bootup Process

    Overview Software Overview Software Overview To manage your ProCurve Secure Router, you must understand basic router operations, including how the router uses: Secure Router OS (SROS) boot code SROS software the startup-config the running-config Further, you must understand how the Secure Router OS is organized so that you can properly configure the router and enable safeguards to protect the router from unauthorized access.
  • Page 57 Overview Software Overview The boot process begins when you power up the ProCurve Secure Router or manually reload it. It proceeds as follows: The router first loads the SROS boot software (which has been set through the copy <source> <filename> boot command). The router then searches compact flash for the SROS.BIZ file, which contains the Secure Router OS software.
  • Page 58: Advantages Of Booting From Compact Flash

    Overview Software Overview Figure 1-23 summarizes the boot process. ProCurve Secure Router Router loads the boot software (J0X_0X-boot.biz) from internal flash Checks compact flash (cflash) for SROS.BIZ compact flash internal flash Router boots in SROS.BIZ SROS.BIZ bootstrap mode Router boots using startup-config startup-config default settings...
  • Page 59: Saving Configuration Changes

    Overview Software Overview Setting Up a Compact Flash Card From Which to Boot the Router Newly shipped ProCurve Secure routers have an internal flash that contains two SROS software files: J0X_0X.biz SROS.BIZ The SROS.BIZ and J0X_0X.biz files are identical. The J0X_0X.biz file reflects the version number of the software, such as J04_01.biz.
  • Page 60: Secure Router Os Hierarchy, Autosynch™ Technology

    Overview Software Overview When the command is entered, the ProCurve Secure Router first tries to save these changes to a startup-config file on compact flash. If no compact flash card is inserted into the slot on the back panel, the router saves the changes to the startup-config file that is stored in internal flash.
  • Page 61: Basic Mode

    Overview Software Overview This section introduces the different mode contexts and describes the types of commands you can enter in each one. (See Figure 1-24.) Session now available Press to get started Return Return Basic mode context ProCurve> enable Security modes ProCurve# Enable mode context configure terminal...
  • Page 62 Overview Software Overview Basic Mode The basic mode allows restricted access to the router, providing only a limited number of commands. From this mode, you can view basic system information, verify some processes, and enter traceroute and ping commands. You do not have access to any of the options that allow you to configure the router.
  • Page 63: Global Configuration Mode

    Overview Software Overview Global Configuration Mode From the global configuration mode, you can make configuration changes that apply to the entire router and all interfaces. You can configure the system’s global parameters, such as the hostname, passwords, and banners. You can also set parameters for IP services such as DHCP and DNS.
  • Page 64 Overview Software Overview Router. You can configure dynamic routing protocols from the router configuration mode contexts. There are four router configuration modes: BGP, RIP, PIM-Sparse, and OSPF. To configure these protocols, move to the global configuration mode context and use this command: Syntax: router [bgp | ospf | pim-sparse | rip] For example, to configure RIP, enter: ProCurve(config)# router rip...
  • Page 65: Basic Mode Commands

    Overview Software Overview Commands Available in the Basic, Enable, or Global Configuration Mode Contexts The ProCurve Secure Router OS permits you to use certain commands only in specific modes. When you are managing the ProCurve Secure Router and you try to use a command that is not supported from the current mode context, you will receive an error message.
  • Page 66 Overview Software Overview Logout Exit the current CLI session and return to the login screen. Syntax: logout Ping Send an ICMP echo to a specified destination. To send a default ping of 5 echoes, enter: Syntax: ping [<A.B.C.D > | <domain name>] When you begin sending ICMP echoes, the router displays a legend to describe the types of responses the router receives.
  • Page 67 Overview Software Overview If you enter for the verbose option in the extended commands, the output reports the result of each ping with a description of the datagram size and the echo’s round-trip time. For example: Reply from 1.1.1.1: bytes = 100 time = 4 ms If you need to halt a ping operation, press Ctrl+C. Note...
  • Page 68 Overview Software Overview Option Result show isdn-group [<interface number>] lists the ISDN group configurations and member interfaces show lldp [<cr> | device <name> | interface <interface ID> | displays LLDP settings and information, including <neighbors>] information on specific neighbors show memory heap [realtime] displays statistics for the router memory, including how much has been used and how much is available show modules...
  • Page 69: Enable Mode Commands

    Overview Software Overview Similar to the ping command, you can set extended options for tracing a route by entering traceroute and pressing Enter without specifying the destination address. Options include the source address at which the trace begins and the maximum number of hops.
  • Page 70 Overview Software Overview Clear The enable mode context expands the options for the clear command. To view these options, enter: Syntax: clear ? Table 1-4 lists the clear command options available in the enable mode context. Table 1-4. Enable Mode Context clear Commands Option Result clear access-list...
  • Page 71 Overview Software Overview Some examples of clear commands include the following: Syntax: clear ip policy-sessions This command clears all sessions established using the ACPs applied to router interfaces. Syntax: clear ip route [** | <A.B.C.D>] The ** option clears all routes learned through a routing protocol. Static routes are not affected.
  • Page 72 Overview Software Overview Configure There are four options to this command: memory, network, overwrite-network, and terminal. The configure memory, configure network, and configure overwrite-network commands allow you to retrieve and apply a configuration file by saving the file as the router’s running-config. Using this command causes your router to immediately begin using the specified configuration without rebooting the router.
  • Page 73 Overview Software Overview To save configuration changes while using the CLI, enter: Syntax: copy running-config [<destination location> <destination filename> | <config-file>] ProCurve# copy running-config startup-config Verify that the Done. Success! message is displayed, indicating that the copy process is complete. Table 1-5.
  • Page 74 Overview Software Overview Verify that the Percent Complete 100% message is displayed, indicating that the download is complete. The current configuration is now saved in compact flash with the specified filename. To save a configuration as a file on internal flash, enter the following from the enable mode context: ProCurve# copy <source file location>...
  • Page 75 Overview Software Overview Debug Entering debug will display debug messages as packets arrive on the router. Debugging is useful when troubleshooting or testing your router’s operation. The Secure Router OS provides many debug commands, including options for most protocols and processes run on the router. For a list of debug commands, go to the enable mode context and enter: ProCurve# debug ? For example, you could debug the establishment of a PPP connection:...
  • Page 76 Overview Software Overview Disable To leave the enable mode context, type disable. The Secure Router OS will return you to basic mode context. Erase The erase command is a file management command. Table 1-6 shows the erase command options. Syntax: erase [{cflash | flash} <filename> | startup-config | file-system cflash] Table 1-6.
  • Page 77 Overview Software Overview Events The events command enables the Secure Router OS to display a notice to the CLI whenever an event occurs. This command is useful for troubleshooting, because it lets you immediately determine whether a connection is up and working properly.
  • Page 78 Overview Software Overview Option Result show configuration shows the startup configuration show connections lists all logical interface binds show crypto [ca | ike | ipsec | map] shows certificates and VPN configurations, such as IKE policies, transform sets, and crypto maps show debugging displays the active debugging switches show demand...
  • Page 79 Overview Software Overview Option Result show modules gives information on the router’s modules, including the type of module in each slot and the number of ports in each module show output-startup lists the startup-config error log show port-auth supplicant [interface <interface ID> | displays port authentication information summary] show pppoe...
  • Page 80 Overview Software Overview The verbose option is available for many show commands. This option displays all aspects of the item you are displaying. For example, the show running-config verbose command displays all the configurations currently running on your router, including default settings that have not been altered. The show interfaces command will display information on any of the router’s physical or logical interfaces.
  • Page 81 Overview Software Overview Interval 74 Performance Statistics: 0 Errored Seconds, 0 Bursty Errored Seconds 0 Severely Errored Seconds, 0 Severely Errored Frame Seconds 0 Unavailable Seconds, 0 Path Code Violations 0 Line Code Violations, 0 Controlled Slip Seconds 0 Line Errored Seconds, 0 Degraded Minutes Interval 75 Performance Statistics: 0 Errored Seconds, 0 Bursty Errored Seconds 0 Severely Errored Seconds, 0 Severely Errored Frame Seconds...
  • Page 82 Overview Software Overview -------------------------------------------------------------------- t1 1/1 is UP Receiver has no alarms T1 coding is B8ZS, framing is ESF Clock source is through t1 1/2, FDL type is ANSI Line build-out is 0dB No remote loopbacks, No network loopbacks Acceptance of remote loopback requests enabled Tx Alarm Enable: rai Last clearing of counters never loss of frame...
  • Page 83: Show Tech

    Overview Software Overview to the compact flash card, if present, as startup-config. Otherwise the running-config will be saved as startup-config on the router’s internal flash. write erase. This command erases the startup-config. If you have a compact flash card, the startup-config is erased from cflash. If you are running the AutoSynch feature, this command erases startup-config from both flash and compact flash.
  • Page 84 Overview Software Overview show dial-backup interfaces show dialin show frame-relay lmi show frame-relay pvc show ip bgp neighbors show ip bgp neighbor summary show ip ospf neighbor show ip ospf neighbor summary-add show ip route show bridge show spanning-tree show ip interfaces show connections show arp show ip traffic...
  • Page 85: Updating The Boot Code

    Overview Software Overview Updating the Boot Code When applying a new boot configuration file, enter boot as the destination of a copy command. This command copies a file to the boot sector. For example, if you are upgrading from J03_01.biz to J04_01.biz, you might enter: ProCurve# copy flash J04_01-boot.biz boot The resulting text explains that other router tasks will be halted while the boot code is upgraded.
  • Page 86: Global Configuration Mode Commands, Hostname Command, Autosynch Command

    Overview Software Overview Global Configuration Mode Commands From enable mode, access the global configuration mode context by entering configure terminal. It is from this mode context that you enter the commands to configure the router; most of the commands in the global configuration mode context are discussed in the various chapters included in this guide.
  • Page 87: Support For Snmp

    SNMP traps on individual interfaces. MIBs for the ProCurve SR 7000dl series routers are available at the ProCurve Web site. To download the MIBs, go to http://www.hp.com/rnd/software/securerouters.htm and click the latest version of the SR 7000dl Router MIB File.
  • Page 88 Overview Software Overview After you enable SafeMode and set the time limit, a reload timer is activated for the Telnet and SSH access lines and begins to count down. You also set a threshold timer, which is shorter than the reload timer. When the threshold timer expires, a warning message is displayed in the CLI that allows you to reset the timer.
  • Page 89 Overview Software Overview After the countdown for the reload timer has begun, it continues until you either reset it by pressing Ctrl+R, you disable it by entering no safe-mode, or you exit out of the global configuration mode context. Use the no form of the command to disable SafeMode and the countdown timer: ProCurve(safe-config)# no safe-mode...
  • Page 90: Help Tools, Cli Help Commands, Editing Commands

    Overview Help Tools Help Tools The Secure Router OS features help tools, editing functions, and global commands to help you navigate through the Secure Router OS and configure and maintain your WAN. CLI Help Commands You can enter the ? character to display the available command syntax for any command in the CLI.
  • Page 91 Overview Help Tools Table 1-8. Keystrokes for Moving Around the CLI Editing Command Action Ctrl+P or up arrow recall the most recent command Ctrl+A move to the beginning of the line (Home) Ctrl+E move to the end of the line (End) Ctrl+F or right arrow move forward one character Ctrl+B or left arrow...
  • Page 92: Bootstrap Mode Context

    Overview Help Tools In the enable and configuration mode contexts, typing the word no before a command negates that command. For example, if you want to stop event notices from displaying to the CLI screen, enter no events. If you need to execute an enable mode command from a configuration mode context, type do before you enter the command.
  • Page 93 Overview Help Tools The ProCurve Secure Router automatically enters the bootstrap mode context if it cannot locate valid SROS software or if the SROS software has been corrupted. You can also access the bootstrap mode by pressing during the first five seconds of the startup process. During the startup process, the screen will display a countdown, alerting you to how much time you have left to access the bootstrap mode context.
  • Page 94 Overview Help Tools After you configure the boot software settings, enter reload or boot to reboot the server. Use the boot [cflash | flash] <filename> option to immediately boot the router using the specified file. To set the backup boot code, replace <backup filename>...
  • Page 95 Overview Help Tools You can also copy the Secure Router OS software from a compact flash card. bootstrap# copy cflash <filename> flash [<filename>] If your router uses the standard boot process, you should copy the new software as SROS.BIZ to both the compact flash memory (if your router uses a compact flash card) and the internal flash.
  • Page 96: Troubleshooting, Compact Flash, Autosynch™ Error Messages

    Overview Troubleshooting Troubleshooting Compact Flash Compact flash performance can vary greatly between vendors. If there seems to be a delay when the ProCurve Secure Router saves changes to the compact flash card, the Secure Router OS is still functioning, though at times it may seem to be in a suspended state.
  • Page 97 Overview Troubleshooting Table 1-9. AutoSynch™ Error Messages (Error Message: Action). compact flash removed: Make sure the compact flash card is firmly mounted in the compact flash slot. CFLASH startup-config does not exist: From the enable mode context, enter write memory. Then begin synchronization by entering autosynch.
  • Page 98: Using The Reload In Command

    Overview Troubleshooting Caution: Be very careful doing any kind of file management with the startup-config and SROS.BIZ files while the autosynch command is enabled. If you erase either the startup-config file or SROS.BIZ file from compact flash, the file will also be erased from the internal flash.
  • Page 99: Managing Configuration Files Using A Text Editor

    Overview Managing Configuration Files Using a Text Editor The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no. If you are getting ready to make the configurations to be tested and want to save previous configurations, reply yes.
  • Page 100 Overview Managing Configuration Files Using a Text Editor Figure 1-30. Boot Error Messages The error messages in Figure 1-30 were displayed during bootup. In this particular case, the startup-config file has VPNs configured, and the router that is booting does not have the IPSec VPN module that enables these commands.
  • Page 101: Creating And Transferring Configuration Files

    Overview Managing Configuration Files Using a Text Editor Figure 1-31. Using Boot Error Messages to Target a Configuration Problem (callouts: Error location, Resulting message) The line number given in the error message is the line number in the running-config. You can use this information to locate and repair any configuration problems.
  • Page 102: Configuration File Transfer Using The Console Port

    Overview Managing Configuration Files Using a Text Editor If you do not want the base router to use the base configuration, you should save the base configuration as a .cfg or .txt file. From the enable mode context, enter: ProCurve# copy flash running-config <destination location> <destination filename> If you entered write memory and are running the AutoSynch function, the configuration is saved as the startup-config file on the flash and compact flash memories.
  • Page 103 Overview Managing Configuration Files Using a Text Editor Copy the edited text. Highlight the edited configuration in the text editor. Copy the highlighted text either by pressing Ctrl+C, right-clicking the mouse and clicking Copy, or clicking Edit > Copy in the window. Save the edited configuration on the router.
  • Page 104: Configuration File Transfer Using A Tftp Server

    Overview Managing Configuration Files Using a Text Editor Install the configuration. Copy the edited configuration file to startup-config. Syntax: copy <source location> <source filename> <destination location> <destination filename> ProCurve# copy flash configuration.txt flash startup-config The router will create the startup-config file and save the edited configuration to the file.
  • Page 105 Overview Managing Configuration Files Using a Text Editor Upload the file to the TFTP server. Syntax: copy <source location> tftp ProCurve# copy flash tftp Address of remote host? 192.168.100.2 Source filename? routerB.txt Destination filename? [routerB.txt] After you enter copy <source location> tftp from the enable mode context, the router will prompt you for the information it needs to successfully complete the TFTP file transfer.
  • Page 106 Overview Managing Configuration Files Using a Text Editor ProCurve# erase flash startup-config.bak Deleted NONVOL:/startup-config.bak ProCurve# erase cflash startup-config.bak Deleted CFLASH:/startup-config.bak To be sure that old configurations do not interfere with the new configuration, erase any startup-config files. This will reset the router to its factory defaults.
  • Page 107: Configuration File Transfer Using A Compact Flash Card

    Overview Managing Configuration Files Using a Text Editor Configuration File Transfer Using a Compact Flash Card Copy and rename the base configuration. Syntax: copy <source> <base configuration name> <destination> <destination filename.txt> For example, if your base configuration were the router’s startup-config, you would enter: ProCurve# copy cflash startup-config cflash routerB.txt Replace <source>...
  • Page 108 Overview Managing Configuration Files Using a Text Editor Open a session with the destination router and erase files that may conflict with the new configuration. Make sure there are no startup-configuration files on the router’s internal flash or compact flash. Backup files for the startup-config can also interfere with the installation of the new configuration.
  • Page 109: Quick Start, Accessing The Secure Router Os

    Overview Quick Start Quick Start This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and establish a console session. Only minimal explanation is provided. It is strongly recommended that you read the entire chapter so that you understand how the Secure Router operating system (OS) is organized and how to manage the OS.
  • Page 110 Overview Quick Start 1-84...
  • Page 111 Controlling Management Access to the ProCurve Secure Router Contents Securing Management Access to the ProCurve Secure Router ..2-4 Restricting Access to the Enable Mode Context ....2-4 Configuring a Password for Console Access .
  • Page 112 Controlling Management Access to the ProCurve Secure Router Contents Configuring Authorization ........2-23 Define a Named List for Authorization .
  • Page 113 Controlling Management Access to the ProCurve Secure Router Contents Configuring AAA ......... . . 2-45 Configuring Authentication with AAA .
  • Page 114: Securing Management Access To The Procurve Secure Router, Restricting Access To The Enable Mode Context

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router The ProCurve Secure Router supports both local and remote management. For local management, you can use a serial cable to attach your PC to the ProCurve Secure Router and establish a console terminal session.
  • Page 115: Configuring A Password For Console Access

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Because you did not include the md5 option, the password you entered is stored as clear text and is displayed when you enter the show running-config command, as shown below.
  • Page 116: Enabling Remote Access To The Procurve Secure Router

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router From the global configuration mode context, enter: ProCurve(config)# line console 0 The ProCurve Secure Router prompt will show that you are in the console line configuration mode context: ProCurve(config-con0)# Enter:...
  • Page 117: Configuring An Ethernet Interface

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Configuring an Ethernet Interface This section provides the minimum steps required to configure an Ethernet interface. (For more detailed information about configuring an Ethernet interface, see Chapter 3: Configuring Ethernet Interfaces.) Use a 10Base-T or 100Base-T cable to connect the Ethernet port to a device (such as a switch) on your LAN.
  • Page 118: Configuring Telnet Access

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Configuring Telnet Access By default, the ProCurve Secure Router requires a login password for Telnet sessions. Unless you configure a password for a Telnet line or disable the login option, no one can establish a Telnet session with the ProCurve Secure Router.
  • Page 119 Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router For example, if you want to create the password as procurve, enter ProCurve(config-telnet0)# password md5 procurve Note: You can also configure an access control list (ACL) to block or limit Telnet access.
  • Page 120: Configuring Local User Lists

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Configuring an Enable Mode Password. To provide access to the enable mode context through a Telnet session, you must configure an enable mode password. If you do not configure an enable mode password, users will receive a message, telling them that no enable mode password is configured, and they will be denied access to the enable mode context.
  • Page 121: Encrypting All The Passwords Configured On The Router

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Both the username and password can be an alphanumerical string up to 30 characters in length. You can add multiple usernames and passwords to the local user list, and these usernames and passwords can be used for HTTP, SSH, and FTP access.
  • Page 122: Managing Ssh Communications

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router When prompted, enter a username and password that you configured in the local user list. Managing SSH Communications With Telnet, communications between the server and your PC are sent over the wire in clear text.
  • Page 123: Using Ftp To Access The Router

    Controlling Management Access to the ProCurve Secure Router Securing Management Access to the ProCurve Secure Router Note: If you want to use an ACL to restrict SSH access, you apply this ACL at the SSH line configuration mode context. For more information, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.
  • Page 124: Viewing Information About Users

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access To disable the SCP server, enter: Syntax: no ip scp server Viewing Information about Users At any time, you can view information about the users who are accessing the ProCurve Secure Router through the console, Telnet, SSH, FTP, and Web browser interface.
  • Page 125: Advantages Of Using The Aaa Subsystem, Enabling The Aaa Subsystem

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Advantages of Using the AAA Subsystem The AAA subsystem provides more flexibility than simple password-based authentication. If you enable the AAA subsystem, you can configure a list of authentication methods for the enable mode and for each access method.
  • Page 126: Configuring Aaa For Authentication, Creating A Named List For The Enable Mode Authentication

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access After you enable the AAA subsystem, the complete set of AAA commands becomes available in the ProCurve Secure Router OS. For example, you can then configure AAA-based authentication, authorization, and accounting for SSH lines.
  • Page 127 Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access The options you can select for the enable mode context are listed in Table 2-1: Table 2-1. Authentication Options for the Enable Named List Option Meaning none...
  • Page 128: Creating A Named List For User Authentication

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Note: If you enable the AAA subsystem but do not configure a named list for the enable mode, the Secure Router OS uses the enable mode password by default. Creating a Named List for User Authentication To create a named list for user authentication, you must determine the authentication methods you want to use and the order in which you want the...
  • Page 129: Criteria For Failure Of Authentication Methods

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access For example, when you configure a named list for user authentication, you may want to call this list UserLogin. You may also decide to use the following authentication methods: enable password line password...
  • Page 130: Assign The Named List

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Assign the Named List After you configure a named list, you must assign the list to the specific access method. To assign a list to the console, Telnet, or SSH lines, move to the appropriate line configuration mode context and enter: Syntax: login authentication <named list>...
  • Page 131 Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Table 2-3. Default Action if No Named List Is Configured (Access: Authentication Method). console access: no password required; Telnet access: Telnet password; FTP access: local user list; HTTP access: local user list...
  • Page 132 Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access To end the banner, you must enter the same character that you used to signal the beginning of the banner. Configuring a Fail Message. A fail message is displayed if the user attempts to log in to the router and fails.
  • Page 133: Configuring Authorization, Define A Named List For Authorization

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Configuring Authorization After you enable the AAA subsystem, you can use a TACACS+ server to control not only who can access the Secure Router OS but also who can actually enter unprivileged or privileged commands.
  • Page 134: Enable Authorization Commands For Console Line

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Include the if-authenticated option to authorize authenticated users. Use the none option to grant access immediately. You may want to enter none as a second option. That way, if the ProCurve Secure Router cannot contact the TACACS+ server, you will still be able to configure the router.
  • Page 135: Configuring A Named List For Accounting

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Note: Take care when you configure authorization for the console line. If you are not careful, you may prohibit yourself from entering commands from the console.
  • Page 136: Configure Update Settings

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Specify the level of commands for which you want to generate accounting: 1 is unprivileged access, which is the basic mode, and 15 is privileged access, which is the enable mode.
  • Page 137: Do Not Send Records For Null Users, Configuring A Radius Server For Authentication

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Include newinfo if you want all new records sent immediately, or include periodic if you want the records sent at specific intervals. If you specify periodic, replace <minutes>...
  • Page 138 Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Figure 2-2. Using a RADIUS Server for Authenticating Users Who Want to Manage the ProCurve Secure Router (figure labels: Edge switch, Edge switch, Core switch, ProCurve Secure Router, RADIUS server) To set up this communication, you must specify the IP address of the RADIUS server.
  • Page 139: Define A Group Of Radius Servers

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Table 2-4. Customizing Settings for Individual RADIUS Servers (Option: Meaning; Default Value). acct-port <port number>: configures the router to send accounting requests to the port you specify; default acct-port 1813. auth-port <port number>...
  • Page 140: Configure Global Settings For Radius Servers

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access From this context, use the following command to add RADIUS servers to the group: Syntax: server <hostname | A.B.C.D> Either replace <hostname> with the RADIUS server’s hostname or replace <A.B.C.D>...
  • Page 141: Configuring The Tacacs+ Server, Define The Tacacs+ Server

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Table 2-5. Global Settings for RADIUS Servers Option Meaning Default Value challenge-noecho disables echoing of user challenge-entry; users will see the text of the challenge as they type responses (enabling this option hides the text as it is being entered) deadtime <minutes>...
  • Page 142 Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access Figure 2-3. Using a TACACS+ Server for Authenticating Users Who Want to Manage the ProCurve Secure Router (figure labels: Edge switch, Edge switch, Core switch, ProCurve Secure Router, TACACS+ server) To enable this communication, you must configure the IP address or host name of the TACACS+ server.
  • Page 143: Creating A Tacacs+ Group

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access You can use the complete tacacs-server command to configure other settings for a TACACS+ server, as shown below: Syntax: tacacs-server host <A.B.C.D | hostname> [port <number> | timeout <seconds>...
  • Page 144: Configure Global Settings For Tacacs+ Servers

    Controlling Management Access to the ProCurve Secure Router Using the AAA Subsystem to Control Management Access For example, the following command creates a group called tacacs and enters the TACACS+ group configuration mode context: ProCurve(config)# aaa group server tacacs+ tacacs ProCurve(config-sg-tacacs+)# Use the following command to add TACACS+ servers to the group: Syntax: server <hostname | A.B.C.D>...
  • Page 145: Troubleshooting Aaa, Debug Aaa Command

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA Table 2-7. Global Settings for TACACS+ Servers (Option: Meaning; Default Value). tacacs-server key <key>: Specifies the shared key to use with TACACS+ servers. Any keys you configure for a particular TACACS+ server supersede the global key; default none.
  • Page 146: Troubleshooting The Radius Server

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA AAA: New Session on portal 'TELNET 0 (172.22.12.60:4867)'. No named list for Telnet line 0; AAA: No list mapped to 'TELNET 0'. Using 'default'. default aaa Default for configuration used AAA: Attempting authentication (username/password).
  • Page 147: Debug Radius Command, Troubleshooting The Tacacs+ Server

    Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA Auth. Acct. Number of packets sent: Number of invalid responses: Number of timeouts: Average delay: 2 ms 0 ms Maximum delay: 3 ms 0 ms Figure 2-5. show radius statistics debug radius Command You can view debug messages about RADIUS servers in real time.
  • Page 148 Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA Authentication Authorization Accounting Packets sent: Invalid responses: Timeouts: Average delay: Maximum delay: Socket Opens: Socket Closes: Socket Aborts: Socket Errors: Socket Timeouts: Socket Failed Connections: Socket Packets Sent: Socket Packets Received: Figure 2-6.
  • Page 149 Controlling Management Access to the ProCurve Secure Router Troubleshooting AAA TAC+ TX: Sending Authentication START pkt TAC+ TX: version=0xc0, type=Authentication, seq_no=1, flags=00 TAC+ TX: action=Login TAC+ TX: level=1 TAC+ TX: authen type=ASCII TAC+ TX: requested service=Login IP address of the TAC+ TX: username= device trying to TAC+ TX: port=TELNET 0 (192.168.7.23:1072)
  • Page 150: Port Authentication, Enabling Supplicant Functionality

    Controlling Management Access to the ProCurve Secure Router Port Authentication Port Authentication Allowing mobile devices unlimited access to a network poses a severe security risk. While it is beneficial to allow employees to plug in and gain access to a company’s LAN, there is the potential that unauthorized users may similarly gain access to your network.
  • Page 151: Troubleshooting Supplicant Functionality

    Controlling Management Access to the ProCurve Secure Router Port Authentication Troubleshooting Supplicant Functionality If the ProCurve Secure Router is unable to access the 802.1X-secured network, begin troubleshooting by checking the physical connection. Ensure that the 10Base-T or 100Base-T cable is connected and in the proper ports. Check the supplicant status and make sure that it is enabled and that you have entered the correct username and password.
  • Page 152: Configure The Enable Mode Password, Configure A Password For The Console Access

    Controlling Management Access to the ProCurve Secure Router Quick Start Quick Start This section provides the commands you must enter to quickly configure passwords to protect management access to the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 2-1 to locate the section and page number that contains the explanation you need.
  • Page 153: Configuring Remote Access To The Procurve Secure Router

    Controlling Management Access to the ProCurve Secure Router Quick Start Configuring Remote Access to the ProCurve Secure Router You can access the ProCurve Secure Router through: Telnet HTTP Secure Copy (SCP) server Configuring an Ethernet Interface Before you can access the router through a remote location, you must enable at least one interface and provide a physical connection to either a LAN or WAN.
  • Page 154: Configuring A Password For Telnet Access

    Controlling Management Access to the ProCurve Secure Router Quick Start From the global configuration mode context, enter the Ethernet interface configuration mode context: ProCurve(config)# interface ethernet 0/<port> Assign the Ethernet interface an IP address. Syntax: ip address <A.B.C.D> [<subnet mask> | /<prefix-length>] For example, if you want to assign the Ethernet interface an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0, enter ProCurve(config-eth 0/1)# ip address 192.168.1.1 /24...
  • Page 155: Configuring Aaa

    Controlling Management Access to the ProCurve Secure Router Quick Start Note: You can configure an access control list (ACL) to block Telnet access. For instructions on configuring this ACL, see Chapter 5: Applying Access Control to Router Interfaces in the Advanced Management and Configuration Guide. Configuring Local User Lists You can configure multiple usernames and passwords to be used for FTP, HTTP, and SSH access to the router.
  • Page 156: Configuring Authentication With Aaa, Configuring Authorization With Aaa

    Controlling Management Access to the ProCurve Secure Router Quick Start Configuring Authentication with AAA Create a list of authentication methods, called a named list, for the enable mode. Syntax: aaa authentication enable default {none | line | enable | [group <group- name>...
  • Page 157 Controlling Management Access to the ProCurve Secure Router Quick Start Use the group tacacs+ option to specify the default group of TACACS+ servers. Use the group <group name> if you have created a group of TACACS+ servers. Include the if-authenticated option to authorize authenticated users. Use the none option if authorization is not required.
  • Page 158: Defining A Radius Server, Defining A Tacacs+ Server, Enabling 802.1x Supplicant Status

    Controlling Management Access to the ProCurve Secure Router Quick Start Assign the named list to a console, Telnet, or SSH line. From the appropriate line configuration mode context, enter: Syntax: accounting commands [1 | 15] [default | <named list>] Defining a RADIUS Server Define the IP address of the RADIUS server and the key that the ProCurve Secure Router must use to authenticate to the server (if a key is required).
  • Page 159: Table Of Contents

    Configuring Ethernet Interfaces Contents Ethernet Interfaces ..........3-2 Configuring the Ethernet Interface .
  • Page 160: Ethernet Interfaces

    Configuring Ethernet Interfaces Ethernet Interfaces Ethernet Interfaces The ProCurve Secure Router includes two Ethernet ports on the front panel, allowing you to connect two LAN segments to your WAN. You can also use the Ethernet ports to connect to a cable or Digital Subscriber Line (DSL) modem.
  • Page 161: Configuring The Ethernet Interface

    Configuring Ethernet Interfaces Ethernet Interfaces and Configuration Guide, Chapter 4: ProCurve Secure Router OS Firewall— Protecting the Internal, Trusted Network; for more information about access controls, see the Advanced Management and Configuration Guide, Chapter 5: Applying Access Control to Router Interfaces.) Configuring the Ethernet Interface The Ethernet interface is the only interface on the ProCurve Secure Router that you configure to control both the Physical and the Data Link Layers of a...
  • Page 162: Enabling The Ethernet Interface

    Configuring Ethernet Interfaces Ethernet Interfaces You can also use a truncated reference for both interface and Ethernet, as shown below: ProCurve(config)# int eth 0/1 When you truncate a command, you only need to enter enough of the command to distinguish it from other commands. After you enter the int eth 0/1 command, the prompt will show that you are in the Ethernet 0/1 interface configuration mode context: ProCurve(config-eth 0/1)#...
  • Page 163: Configuring An Ip Address, Assigning A Static Ip Address

    Configuring Ethernet Interfaces Ethernet Interfaces Configuring an IP Address To assign the Ethernet interface an IP address, you must be at the Ethernet interface configuration mode context: ProCurve(config-eth 0/1)# You then have several options for assigning an IP address to an Ethernet interface: You can assign the Ethernet interface a static IP address.
  • Page 164 Configuring Ethernet Interfaces Ethernet Interfaces In addition to enabling the DHCP client, this command allows you to configure the settings shown in Table 3-1. Table 3-1. DHCP Client Settings (Option: Meaning; Default Setting). client-id: configures the client id displayed in the DHCP server’s table; default media type and interface’s MAC address. hostname...
  • Page 165 Configuring Ethernet Interfaces Ethernet Interfaces You should ensure that the DHCP client receives an IP address so that these requests do not consume router resources or bandwidth on your Ethernet link. To determine if the Ethernet interface has been assigned an IP address, enter: ProCurve(config-eth 0/1)# do show int eth 0/1 Note: The do command allows you to enter enable mode commands from any...
  • Page 166 Configuring Ethernet Interfaces Ethernet Interfaces Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default-route, a domain name, or a domain name server (DNS), the DHCP client for the Ethernet interface will accept and use these settings.
  • Page 167 Configuring Ethernet Interfaces Ethernet Interfaces Configuring the Ethernet Interface as an Unnumbered Interface To conserve IP addresses on your network, you may want to create the Ethernet interface as an unnumbered interface. When you assign the Ethernet interface an IP address, that IP address cannot overlap with the IP addresses assigned to other interfaces on the router.
  • Page 168: Setting The Speed And The Duplex Settings

    Configuring Ethernet Interfaces Ethernet Interfaces If you configure the Ethernet interface to support virtual LANs (VLANs), you can specify an Ethernet subinterface. For example, you would enter the following commands to configure a loopback interface and then configure the Ethernet 0/1 interface to use the IP address assigned to that loopback interface: ProCurve(config)# interface loopback 1 ProCurve(config-loop 1)# ip address 10.1.1.1 /24...
  • Page 169: Setting The Mtu, Configuring The Line For Half-duplex Or Full-duplex

    Configuring Ethernet Interfaces Ethernet Interfaces For example, you might enter: ProCurve(config-eth 0/1)# speed 100 Note: If you configure a default setting for speed, the Ethernet interfaces still negotiate the duplex setting—either full-duplex or half-duplex. Some Ethernet devices cannot negotiate duplex if the speed is manually set. To avoid possible problems, you may want to manually configure the duplex setting if the speed is manually set.
  • Page 170: Adding A Description

    Configuring Ethernet Interfaces Ethernet Interfaces adjacent if their MTU sizes do not match. You should ensure that the MTU on the device at the far end of the Ethernet connection is using the same MTU as the interface you are configuring. If routers and switches have different MTU sizes in a TCP/IP network, transmissions and routing may be affected.
  • Page 171: Summary Of Ethernet Configuration Settings

    Configuring Ethernet Interfaces Ethernet Interfaces interface eth 0/1 description Attached to building 1 ip address 192.168.1.1 255.255.255.0 no shutdown You can also view the description by entering: ProCurve# show running-config interface eth 0/1 This command displays the running-config settings for only the Ethernet 0/1 interface.
  • Page 172 Configuring Ethernet Interfaces Ethernet Interfaces In addition to configuring these settings, you can: assign access control policies (ACPs) or access control lists (ACLs) to the interface; enable bridging; assign crypto maps to enable virtual private networks (VPNs); configure settings for routing protocols; configure quality of service (QoS) settings. These settings are discussed in other chapters, as shown in Table 3-3.
  • Page 173: Configure Vlan Support

    Configuring Ethernet Interfaces Configure VLAN Support Configure VLAN Support VLANs enable you to group users by logical function rather than physical location. Creating VLANs on your network provides several advantages: VLANs allow you to segment your network into smaller broadcast domains.
  • Page 174 Configuring Ethernet Interfaces Configure VLAN Support Destination Source 802.1Q Tag Type field Data field Ethernet II with address address 802.1Q tag 6 bytes 6 bytes 4 bytes 2 bytes Up to 1500 bytes 4 bytes Destination Source 802.1Q Tag Length Data field IEEE 802.3 with address...
  • Page 175: Configuring Vlan Support

    Configuring Ethernet Interfaces Configure VLAN Support [Figure 3-4. Routing VLAN Traffic Between Layer 2 Switches. Labels: Servers, Layer 2 switches, ProCurve Secure Router (routing between VLANs)] If your company is using Layer 2 switches, you may want to enable VLAN support on the ProCurve Secure Router and configure it to route the VLAN traffic on your internal network.
  • Page 176 Configuring Ethernet Interfaces Configure VLAN Support Enabling VLAN Support. To configure the ProCurve Secure Router to recognize the IEEE 802.1Q tag and route traffic accordingly, enter the following command from the Ethernet interface configuration mode context: ProCurve(config-eth 0/1)# encapsulation 802.1Q After you enter this command, the ProCurve Secure Router immediately recognizes that it must route traffic through this Ethernet interface to multiple VLANs with separate IP addresses.
  • Page 177: Viewing The Status Of Ethernet Interfaces Or Subinterfaces

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces Assigning an IP Address You must assign the Ethernet subinterfaces a static IP address. From the Ethernet subinterface configuration mode context, enter: Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> For example, if you are configuring a subinterface for VLAN 2 and VLAN 2 encompasses the subnet 192.168.115.0 255.255.255.0, you might enter: ProCurve(config-eth 0/1.1)# ip address 192.168.115.5 /24...
  • Page 178 Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces eth 0/1 is UP Physical Layer and Data eth 0/1 is UP, line protocol is UP Link Layer are up Hardware address is 00:15:55:05:35:D4 Ip address is 192.168.1.1, netmask is 255.255.255.0 MTU is 1500 bytes, BW is 100000 Kbit 100Mb/s, negotiated full-duplex, configured full-duplex ARP type: ARPA;...
  • Page 179: Show Running-config Commands

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces ------------------------------------------------------------------- eth 0/1 is UP, line protocol is UP Hardware address is 00:12:79:05:25:B0 Ip address is 192.168.1.1, netmask is 255.255.255.0 MTU is 1500 bytes, BW is 100000 Kbit 100Mb/s, negotiated full-duplex, configured full-duplex ARP type: ARPA;...
  • Page 180: Viewing The Configurations That Have Been Entered, Viewing All The Configuration Settings Including Defaults

    Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces Viewing the Configurations That Have Been Entered To view the settings that have been entered manually and are currently being used by the ProCurve Secure Router, move to the enable mode context and enter: ProCurve# show running-config This command displays the current configurations for the router.
  • Page 181 Configuring Ethernet Interfaces Viewing the Status of Ethernet Interfaces or Subinterfaces The display shows the current running-config file, including any default settings. Again, you will need to browse for the information relating to the Ethernet interface or subinterface you are checking. Alternately, you can enter the following command to display only information about a particular Ethernet interface or subinterface: Syntax: show running-config interface eth 0/<port number.subinterface number>...
  • Page 182: Troubleshooting An Ethernet Interface

    Configuring Ethernet Interfaces Troubleshooting an Ethernet Interface To understand the difference between the show running-config command and the show running-config verbose command, compare Figure 3-7 to Figure 3-8. For example, if you entered the IP address, a description, and the no shut command to configure the Ethernet interface, only those settings are listed when you enter the show running-config command.
  • Page 183: Debug Interface Ethernet Command, Show Event-history Command

    Configuring Ethernet Interfaces Troubleshooting an Ethernet Interface Depending on the error messages displayed, you should check the cabling or the configuration settings for the Ethernet interface. If the “eth 0/1 is DOWN” message is displayed, substitute a different 10Base-T or 100Base-T cable and make sure the connectors are securely seated in the Ethernet port on both the router and the far-end device.
  • Page 184 Configuring Ethernet Interfaces Quick Start 2005.08.27 15:31:53 ETHERNET_INTERFACE.eth 0/1 auto-negotiation in progress 2005.08.27 15:31:55 ETHERNET_INTERFACE.eth 0/1 auto-negotiation complete 2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 link up 2005.08.27 15:31:56 ETHERNET_INTERFACE.eth 0/1 speed is 100Mbps, full duplex 2005.08.27 15:31:56 INTERFACE_STATUS.eth 0/1 changed state to up Figure 3-9.
  • Page 185 Configuring Ethernet Interfaces Quick Start Move to the global configuration mode context. ProCurve# configure terminal Access the Ethernet configuration mode context: Syntax: interface ethernet 0/<port> For example, if you want to configure the bottom Ethernet port, enter: ProCurve(config)# interface ethernet 0/1 Assign the Ethernet interface an IP address.
  • Page 186 Configuring Ethernet Interfaces Quick Start 3-28...
  • Page 187: Table Of Contents

    Configuring E1 and T1 Interfaces Contents: Overview of E1 and T1 WAN Connections (4-3); Elements of an E1- or T1-Carrier Line
  • Page 188 Configuring E1 and T1 Interfaces Contents: Troubleshooting E1 and T1 WAN Connections (4-30); No Light (4-32); Red Light
  • Page 189: Overview Of E1 And T1 Wan Connections

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections Overview of E1 and T1 WAN Connections Public carriers offer E1- and T1-carrier lines for customers who need dedicated, secure, point-to-point wide area network (WAN) connections. The connection is always active, so data can be immediately transmitted at any time, with no wait for a dial-up process.
  • Page 190: Connecting Your Premises To The Public Carrier: The Local Loop

    Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections Physical transmission media and electrical specifications are part of the Physical Layer (Layer 1) of the Open Systems Interconnection (OSI) model, and Data Link Layer protocols are part of the Data Link Layer (Layer 2). (See Figure 4-1.) Application layer Presentation layer...
  • Page 191 Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections [Figure 4-2. Local Loop. Labels: Router (DTE), CSU/DSU, Demarc, Network Interface Unit (Smart Jack), Wire span, Repeater, Office Channel Unit (PTT’s CSU), Public Carrier’s CO] All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design.
  • Page 192 Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used.
  • Page 193 Configuring E1 and T1 Interfaces Overview of E1 and T1 WAN Connections [Figure 4-3. Router Connects Directly to an External CSU/DSU. Labels: Router (DTE), CSU/DSU, Demarc, Network Interface Unit (Smart Jack), Wire span, Repeater, Office Channel Unit (public carrier’s CSU), Public Carrier’s CO] If your public carrier does not provide the DSU, the router must include a built-in DSU.
  • Page 194: Procurve Secure Router Modules, E1 Modules With A Built-in Dsu

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules [Figure 4-5. Router with a Built-in CSU/DSU. Labels: Router w/ internal CSU/DSU, UTP cable with RJ-48C connectors, Demarc, Network Interface Unit (Smart Jack), Wire span, Repeater, Office Channel Unit (public carrier’s CSU), Public Carrier’s CO] ProCurve Secure Router Modules ProCurve Networking provides several E1 and T1 modules, which are described in the next sections.
  • Page 195: T1 Modules With A Built-in Csu/dsu

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-1. Standards Supported by E1 Modules Type of Standard Port E-carrier line • International Telecommunications Union (ITU) G.703 • ITU-T G.704 (CRC-4) • ITU-T G.823 • ITU-T G.797 Electrical/power • Norme Europeenne (EN) 60950 (EN is also referred to as European Standards.) •...
  • Page 196: E1 Or T1 Interfaces: Configuring The Physical Layer

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-2. Standards Supported by T1 Modules Type of Standard Port T-carrier line • AT&T TR194 • AT&T TR54016 • American National Standards Institute (ANSI) T1.403 Electrical/power • AT&T Pub 62411 (jitter tolerance) •...
  • Page 197: E1 Or T1 Interface Configuration Mode Context

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules The rest of this section describes these options in more detail and explains how to configure them from the command line interface (CLI). If you want to configure the E1 or T1 connection from the Web browser interface, see Chapter 14: Using the Web Browser Interface for Basic Configuration Tasks.
  • Page 198 Configuring E1 and T1 Interfaces ProCurve Secure Router Modules The settings that you must configure in order to establish an E1 or T1 WAN connection are explained in the following sections. Channels As mentioned earlier, E1- and T1-carrier lines provide different transmission speeds.
  • Page 199 Configuring E1 and T1 Interfaces ProCurve Secure Router Modules T1 Channels. When you configure a T1 module with a built-in CSU/DSU, you must configure the number of channels that the T1 WAN connection uses. If you lease an entire T1 line, you configure channels 1-24. If you lease a fractional T1 line, your public carrier will tell you which channels to configure for that connection.
  • Page 200: Line Coding

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Line Coding In addition to configuring the number of channels for the E1 or T1 connection, you must configure the interface to use the same line coding that your public carrier is using. Line coding defines how digital signals are configured for transport through a physical transmission medium.
  • Page 201: Frame Format

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Like HDB3, B8ZS was designed to overcome the deficiencies of AMI. To prevent synchronization loss, B8ZS replaces a string of eight zeros with a string that includes two logical ones of the same polarity as a timing mark. Because B8ZS has become the standard line coding used on T1-carrier lines, it is the default setting on the ProCurve Secure Router.
  • Page 202 Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Although E1 interfaces, including those for the G.703 port, support two frame formats, only one option is listed if you enter the following command from the E1 interface configuration mode context: ProCurve(config-e1 1/1)# framing ? Only the crc4 option is listed.
  • Page 203: Clock Source, Or Timing, For The E1- Or T1-carrier Line

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Clock Source, or Timing, for the E1- or T1-Carrier Line Because data transmission requires hosts to be synchronized, you must configure the clock source, or timing, for the E1 or T1 interface. You can configure the E1 or T1 interface with one of the following clock sources: Line—Use the line setting if the E1 or T1 interface will take the clock source from the public carrier.
  • Page 204: Transmit Signal Level (t1 Interfaces Only)

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules To configure the clock source, enter the following command from the E1 or T1 interface configuration mode context: Syntax: clock source [internal | line | through] For example, to configure the clock source as line, enter: ProCurve(config-e1 2/1)# clock source line Note: You cannot connect two interfaces on one module to different service providers...
  • Page 205: Set The Fdl (t1 Interfaces Only)

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Replace <value> with one of the following numbers, which are in decibels (db): -22.5 -7.5 You should set the LBO to avoid overloading a receiver’s circuits. For sensitive interfaces or for interfaces that are connected with a long cable but separated by a short distance, use the more negative values to prevent the line from becoming too hot.
  • Page 206: Activate The E1 Or T1 Interface

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules If used on a T1-carrier line, the FDL channel must conform to one of the following standards: ANSI T1.403 standard ATT TR 54016 standard By default, the T1 interfaces on the ProCurve Secure Router use the ANSI standard.
  • Page 207: Threshold Commands

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules If you have connected the interface to either the wall jack or the external CSU, the interface will try to establish the Physical Layer of the WAN connection. If the E1 or T1 interface successfully establishes that Physical Layer, another message should be displayed: INTERFACE_STATUS.e1 1/1 changed state to up INTERFACE_STATUS.t1 1/1 changed state to up...
  • Page 208: Types Of Line Errors

    Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-4 lists the default settings for line error thresholds. Table 4-4. Threshold Commands Setting Description 15-Minute 24-Hour Default Default Bursty Errored Seconds Controlled Slip Seconds Degraded Minutes Errored Seconds Line Code Violations 13340 133400 Line Errored Seconds...
  • Page 209 Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Table 4-5. Events That Trigger Line Errors Error Type Triggers 1-320 Path Coding Violations (PCV) Controlled Slip Seconds (CSS) Bit Error Rate (BER) between .000001 and .001 ESF and CRC4: – PCV –...
  • Page 210 Configuring E1 and T1 Interfaces ProCurve Secure Router Modules Error Type Triggers • D4 errors: – Framing error – OOF – 1544+ LCVs • 10+ SESs • Line failure + SES The following is a list of the line errors and a brief description of each. BES.
  • Page 211 Configuring E1 and T1 Interfaces ProCurve Secure Router Modules same polarity without an intervening pulse of the opposite polarity. An EXZ is the occurrence of any zero string length equal to or greater than three for B3ZS or greater than four for HDB3. LCVs usually signal a mismatch in line coding type.
  • Page 212: Viewing Information About E1 And T1 Interfaces

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces To return a threshold to its default setting, enter this command from the global configuration mode context: Syntax: no thresholds [BES | CSS | DM | ES | LCV | LES | PCV | SEFS | SES | UAS] [15Min | 24Hr] For example, to return the 15-minute SES threshold to its default setting of 10, enter:...
  • Page 213: Show Interfaces Command

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces show interfaces Command You can use the show interfaces <interface> <slot>/<port> command to view detailed information about the status of the E1 or T1 interface. For example, if you want to view the status of the E1 1/1 interface, enter the following command from the enable mode context: ProCurve# show interfaces e1 1/1 Figure 4-7 shows the results of this command for an E1 interface.
  • Page 214: Show Running-config Command

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces The first line indicates whether the interface is up or down. The second line lists alarms, if there are any. The next two lines show current configurations for line coding, framing, and clock source. For T1 interfaces, the FDL type and the line build out settings are also listed.
  • Page 215: Show Running-config Verbose Command

    Configuring E1 and T1 Interfaces Viewing Information about E1 and T1 Interfaces This command displays the configuration that you have entered for the entire router. You must then scroll through the running-config until you locate the appropriate E1 or T1 interface. To save time, you can enter the following command from the enable mode context: Syntax: show running-config interface <interface>...
  • Page 216: Troubleshooting E1 And T1 Wan Connections

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections interface e1 1/1 description This is the default setting; the no framing crc4 E1-carrier line is using the E1 clock source internal frame format. coding hdb3 lbo long 0 remote-loopback sa4tx-bit 0 loop-alarm-detect...
  • Page 217 Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections You should start by troubleshooting the physical interface because it must be up before the logical connection can be established. You can quickly check the LEDs on the front of the ProCurve Secure Router to determine the status of a physical interface.
  • Page 218: Red Light

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections The color of the lights and a more detailed explanation are provided below. No Light If no light appears, ensure that you are checking the LED that corresponds to the slot in which the E1 or T1 module is installed, as shown in Figure 4-10.
  • Page 219 Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections e1 1/1 is DOWN If the interface is Encapsulation is not set down, look for Transmitter is sending remote alarm reported alarms Receiver has loss of signal, loss of frame E1 coding is HDB3, framing is E1 Check configuration Clock source is internal...
  • Page 220: Yellow Light

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections Table 4-8. Alarms and Their Possible Causes Alarm Possible Cause Possible Solutions LOS—loss of • You may be using a different type of • Check all the settings, including the setting for line signal line coding than that used by the coding.
  • Page 221: Green Light, Viewing Performance Statistics

    Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections If the loopback was not initiated on the ProCurve Secure Router, your public carrier is testing the line. Call your public carrier to have the loopback canceled or to determine the reason for the loopback test. Green Light If the stat LED for the physical interface is green but the WAN connection is down, you should still check the configuration for the E1 or T1 interface.
  • Page 222 Configuring E1 and T1 Interfaces Troubleshooting E1 and T1 WAN Connections For example, to view performance statistics accumulated on the T1 1/1 interface over all 15-minute intervals in the past 24 hours, enter: ProCurve# show interfaces t1 1/1 performance-statistics To view only certain 15-minute intervals, replace <range of intervals> with numbers between 1 and 96.
  • Page 223 Configuring E1 and T1 Interfaces Quick Start -------------------------------------------------------------------- t1 1/1 is UP Receiver has no alarms T1 coding is B8ZS, framing is ESF Clock source is through t1 1/2, FDL type is ANSI Line build-out is 0dB No remote loopbacks, No network loopbacks Acceptance of remote loopback requests enabled Tx Alarm Enable: rai Last clearing of counters never...
  • Page 224: Configuring An E1 Or T1 Interface

    Configuring E1 and T1 Interfaces Quick Start Configuring an E1 or T1 Interface Before you begin to configure an E1 or T1 interface, you should know the settings that you must enter for the following: number of channels used line coding frame format clock source Your public carrier should provide you with this information.
  • Page 225 Configuring E1 and T1 Interfaces Quick Start For example, to assign the E1 or T1 interface all the channels, enter: ProCurve(config-e1 1/1)# tdm-group 1 timeslots 1-31 ProCurve(config-t1 1/1)# tdm-group 1 timeslots 1-24 Configure the line coding. For E1 interfaces, use the following syntax: Syntax: coding [ami | hdb3] ProCurve(config-e1 1/1)# coding ami HDB3 is the default setting for E1 interfaces.
  • Page 226 Configuring E1 and T1 Interfaces Quick Start Table 4-9 shows the default settings for the clock source on each type of E1 or T1 module. Table 4-9. Default clock source settings for E1 and T1 modules Module Port Default Clock Source One-port E1 or T1 module line Two-port E1 or T1 module...
  • Page 227 Configuring E1 and T1 Interfaces Quick Start 12. View the status of the E1 or T1 interface. ProCurve(config-e1 1/1)# do show interface e1 1/1 ProCurve(config-t1 1/1)# do show interface t1 1/1 Note: The do command enables you to enter enable mode commands (such as show commands) from any context.
  • Page 228 Configuring E1 and T1 Interfaces Quick Start 4-42...
  • Page 229: Table Of Contents

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Contents: Using the Serial Module for E1- or T1-Carrier Lines (5-3); Elements of an E1- or T1-Carrier Line (5-3); Connecting Your Premises to the Public Carrier’s Central Office: the Local Loop
  • Page 230: Solving A Specific Problem: The Line Between The Serial Module

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Contents: Troubleshooting a Serial Connection (5-17); Checking the LED for the Serial Module
  • Page 231: Using The Serial Module For E1- Or T1-carrier Lines

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines When companies require dedicated, secure point-to-point wide area network (WAN) connections, one of the available solutions is a leased E1- or T1-carrier line.
  • Page 232 Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines [Figure 5-1. Physical and Data Link Layers of the OSI Model. Layers shown: Application, Presentation, Session, Transport, Network, Data Link (Frame Relay, HDLC), Physical (E1- and T1-carrier lines)] When you configure the ProCurve Secure Router to support an E1 or T1 WAN connection, you must configure: the Physical Layer...
  • Page 233 Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines [Figure 5-2. Local Loop. Labels: Router (DTE), CSU/DSU, Demarc, Network Interface Unit (Smart Jack), Wire span, Repeater, Office Channel Unit (PTT’s CSU), Public Carrier’s CO] All carrier lines require the same basic components on the local loop, although the components may differ slightly in form and design.
  • Page 234 Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Repeater—A repeater receives, amplifies, and retransmits the digital signal so that the signal is always strong enough to be read. The distance between repeaters depends on the type of connection, including the transmission media used.
  • Page 235: Serial Module For The Procurve Secure Router, Standards Supported By The Serial Module

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Using the Serial Module for E1- or T1-Carrier Lines Serial Module for the ProCurve Secure Router The ProCurve Secure WAN serial modules are used when the public carrier provides an external CSU/DSU for an E1- or T1-carrier line. (See Figure 5-2 on page 5-5.) ProCurve Networking offers two serial modules: one-port narrow module eight-port, or octal, wide module...
  • Page 236: Serial Interface: Configuring The Physical Layer

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Serial Interface: Configuring the Physical Layer Because the external CSU/DSU manages timing, framing, and signaling for the E1- or T1-carrier line, the serial interface does not have to perform these functions.
  • Page 237 Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer If you are not sure which type of cable you have, this chapter provides illustrations of the three cable connectors. For example, Figure 5-4 shows the pinouts for ProCurve Networking’s implementation of the V.35 cable connector and lists how each pin is used.
  • Page 238 Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Figure 5-5 shows the pinouts for ProCurve Networking’s implementation of the X.21 cable connector and lists how each pin is used. X.21 DB-15 (DA-15) X.27-compatible connector pinout Signal/Circuit Name Unused TD_A, Transmit A...
  • Page 239 Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer If you have an EIA 530 cable that you purchased from another vendor, the ProCurve Secure Router supports it. You can also use Figure 5-6, which shows the pinouts for EIA 530, to create this type of connector.
  • Page 240: Serial Interface Configuration Mode Context, Configuring The Interface For The Appropriate Cable

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Serial Interface Configuration Mode Context To begin configuring the serial interface for the E1 or T1 connection, you must access the appropriate configuration mode context. In the ProCurve Secure Router command line interface (CLI), move to the global configuration mode context and enter: Syntax: interface serial <slot>/<port>...
  • Page 241: Configuring The Clock Source, Inverting Txclock Or Rxclock, Inverting Et-clock

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer Configuring the Clock Source The serial interface must have a clock source to synchronize the transmission of data. The clock source for the serial interface is called the external transmit reference clock (et-clock).
  • Page 242: Activating The Serial Interface, Configuring The Data Link Layer Protocol

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Serial Interface: Configuring the Physical Layer If you enter the invert txclock command, the serial interface will invert the transmit clock that is taken from the data stream. The serial interface inverts the transmit clock before it transmits a signal.
  • Page 243: Viewing Information About The Serial Interface, Show Interfaces Serial Command

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Viewing Information about the Serial Interface Viewing Information about the Serial Interface You can view information about the E1- and T1-carrier line associated with the serial interface, and you can view the configuration settings that have been entered for the serial interface.
  • Page 244: Show Running-config Interface Command

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Viewing Information about the Serial Interface If the interface is administratively down, you must enter no shutdown from the serial interface configuration mode context to activate it. If the interface is down, you should begin troubleshooting the problem, as explained in “Troubleshooting a Serial Connection”...
  • Page 245: View All The Wan Connections Configured On The Router, Troubleshooting A Serial Connection

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection View All the WAN Connections Configured on the Router If your ProCurve Secure Router is providing several WAN connections for your company, you may want to view a list of these connections. The show connections command provides a quick view of all the connections on the router.
  • Page 246: Checking The Led For The Serial Module

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection Check the logical layer. Check to ensure that a Data Link Layer protocol has been defined and is bound to the serial interface. b. Check the configurations to ensure that you are using the correct settings.
  • Page 247 Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection No Light Ensure that you are checking the LED that corresponds to the slot where the serial module is installed. Next, view the status of the serial interface by entering: ProCurve# show interfaces serial <slot>/<port>...
  • Page 248 Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection • If you have an extra X.21, V.35, or EIA 530 cable, try using that cable to connect the serial module to the CSU/DSU. • Check the LEDs on the CSU/DSU and ensure that it is up. The CSU/DSU may be turned off, or it may have experienced a hardware failure.
  • Page 249 Configuring Serial Interfaces for E1- and T1-Carrier Lines Troubleshooting a Serial Connection Green Light If the serial interface is up, you should begin troubleshooting the logical interface. See Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces. Solving a Specific Problem: the Line Between the Serial Module and the CSU/DSU Keeps Going Down If the line between the serial module and the CSU/DSU keeps going down, you...
  • Page 250: Configure A Serial Interface

    Configuring Serial Interfaces for E1- and T1-Carrier Lines Quick Start To return the interface to the default setting, enter: ProCurve(config-ser 1/1)# no ignore dcd Quick Start This section provides the commands you must enter to quickly configure a serial module on the ProCurve Secure Router. Only a minimal explanation is provided.
  • Page 251 Configuring Serial Interfaces for E1- and T1-Carrier Lines Quick Start Configure the interface for the cable that you used to connect the serial module to the CSU/DSU. The default setting is V35. Syntax: serial-mode [EIA530 | V35 | X21] For example, to configure the serial interface to use an X.21 cable, enter: ProCurve(config-ser 1/1)# serial-mode X21 Activate the serial interface.
  • Page 252 Configuring Serial Interfaces for E1- and T1-Carrier Lines Quick Start 5-24...
  • Page 253 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Contents: Configuring the Logical Interface (6-3); PPP Overview
  • Page 254: Viewing The Status Of Frame Relay Interfaces

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Contents: Configuring HDLC as the Data Link Layer Protocol (6-39); Create the HDLC Interface (6-39); Activate the HDLC Interface
  • Page 255: Configuring The Logical Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configuring the Logical Interface As outlined in Chapter 4: Configuring E1 and T1 Interfaces, all WAN connections—including E1- and T1-carrier lines—require both a Physical Layer and a Data Link Layer.
  • Page 256: Ppp Overview, Establishing A Ppp Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface PPP Overview PPP is a suite of protocols, rather than just a single protocol. (See Figure 6-2.) The PPP suite includes several types of protocols: link control protocol (LCP) authentication protocols network control protocols (NCPs)
  • Page 257 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Exchanging an authentication protocol is optional. Understanding how a PPP session is established can help you troubleshoot problems if they occur. (See Figure 6-3.) 1.
  • Page 258 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface NCP. PPP uses an NCP to enable the exchange of Network Layer protocols—such as IP—across a WAN link. As Figure 6-2 shows, there is a specific NCP for each supported Network Layer protocol.
  • Page 259 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-1 shows the main settings that you must configure for an E1, T1, or serial interface connection that uses PPP. Table 6-1. Options for Configuring an E1, T1, or Serial Interface with PPP Interface Command Explanation...
  • Page 260: Configuring An Ip Address For The Wan Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The PPP settings are described in the sections that follow. (For information about E1 and T1 interface settings, see Chapter 4: Configuring E1 and T1 Interfaces.
  • Page 261 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configure the PPP Interface as an Unnumbered Interface. To conserve IP addresses on your network, you may want to create the PPP interface as an unnumbered interface.
  • Page 262: Activating The Ppp Interface, Binding The Physical Interface To The Logical Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you would enter the following commands to configure a loopback interface and then configure the PPP 1 interface to use the IP address assigned to that loopback interface: ProCurve(config)# interface loopback 1 ProCurve(config-loop 1)# ip address 10.1.2.2 /30...
  • Page 263: Ppp Authentication

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Replace <physical interface> with the type of WAN connection, such as E1, T1, or serial. Replace <slot> and <port> with the correct numbers to identify this interface’s location on the ProCurve Secure Router.
  • Page 264 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface returns an authentication acknowledge. The two peers can then send NCPs to negotiate the Network Layer protocols. If this negotiation is successful, the PPP session is established. With PAP, the two peers authenticate only once, and the username and password are sent in clear text across the connecting private circuit.
  • Page 265 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface [Figure 6-4. CHAP Process. Diagram labels: Authenticator, Peer, Challenge, Calculate hash, Hash, Compares hash values, Acknowledge] When you configure CHAP on the ProCurve Secure Router, you only need to set the password.
  • Page 266 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface You must add the password you have agreed upon for the peer to the PPP database. The PPP database for each connection is separate and distinct from the global username and password database and the databases of other PPP connections.
  • Page 267 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you might enter: ProCurve(config-ppp 1)# ppp pap sent-username SiteA password procurve Note: PAP will be used only to authenticate this WAN connection. You do not have to actually enable the PAP protocol.
  • Page 268: Additional Settings

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Option Your Setting peer password Are you authenticating to the peer? Yes/No local router’s username local router’s password This worksheet will help you enter the PPP authentication command for your router.
  • Page 269 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Set the MTU. The maximum transmission unit (MTU) defines the largest size that a PPP frame can be. If a frame exceeds this size, it must be fragmented.
  • Page 270 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Replace <line> with a phrase up to 80 characters. For example, you might enter: ProCurve(config-ppp 1)# description WAN link to Denver office This description is displayed only when you enter the show running-config command.
  • Page 271: Frame Relay Overview

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-3. Additional Configuration Settings for the PPP Interface Settings Configuration Page Number Guide access controls to filter incoming and outgoing traffic Advanced 5-18, 5-37 bridging Basic 10-6...
  • Page 272: Packet-switching Network

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Subscriber 1 Transmitting an average of 640 Kbps with bursts to 832 Kbps Router Frame Relay Public Carrier’s CO switch Frame Relay over T1 Frame Relay switch Frame Relay...
  • Page 273: Components Of A Frame Relay Network

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Subscriber 1 PVC between Subscriber 1 and Subscriber 2 Router Frame Relay Public Carrier’s CO switch Frame Relay over T1 Frame Relay switch Frame Relay over T1 Frame Relay switch...
  • Page 274 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Frame Relay Router (DTE) Switch (DCE) Frame Relay Router (DTE) Switch (DCE) Frame Relay Router (DTE) Switch (DCE) UNI: DTE to DCE NNI: DCE to DCE Figure 6-7.
  • Page 275 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The 10-bit field enables 1024 possible DLCI numbers, but some are reserved for special purposes: 0 signals Annex A and D 1-15 and 1008-1022 are reserved 1023 signals the Link Management Interface (LMI) The remaining 976 DLCI numbers between 16 and 1007 are available to users.
  • Page 276 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface From this configuration mode context, you can enter the help command to display the commands available from this configuration mode context. ProCurve(config-fr 1)# ? Table 6-4 shows the main settings that you must configure for an E1, T1, or serial interface that uses Frame Relay.
  • Page 277: Activate The Frame Relay Interface, Define The Signaling Role

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Interface Command Description Page Configuration Mode Context frame-relay • frame-relay interface-dlci <dlci> • defines the DLCI for the PVC 6-28 subinterface • ip address <A.B.C.D> <subnet mask | /prefix •...
  • Page 278: Define The Frame Relay Signaling Type, Configure Frame-relay Counters

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface To configure the signaling role, enter the following command from the Frame Relay interface configuration mode context: Syntax: frame-relay intf-type [dte | dce | nni] Define the Frame Relay Signaling Type You must configure the Frame Relay interface to use the same signaling type that your Frame Relay service provider uses.
  • Page 279 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-6 lists the Frame Relay counters, the possible settings, and the polls that each one controls. Table 6-6. Frame Relay Counters Frame Relay Counter Possible Default Description...
  • Page 280: Create The Frame Relay Subinterface, Assign A Dlci To The Frame Relay Subinterface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Create the Frame Relay Subinterface You must create a Frame Relay subinterface for each PVC that you want to establish through this Frame Relay interface. To create a Frame Relay subinterface, enter the following command from the global configuration context or from the Frame Relay interface configuration mode context: Syntax: interface frame-relay <number.subinterface number>...
  • Page 281: Configure The Ip Address For The Wan Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, if the Frame Relay service provider assigned your company a DLCI of 16, enter: ProCurve(config-fr 1.16)# frame-relay interface-dlci 16 Configure the IP Address for the WAN Connection You configure the IP address for the WAN connection on the Frame Relay subinterface, rather than on the physical interface or the Frame Relay interface.
  • Page 282 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Table 6-7. Default Settings for the DHCP Client Option Default Setting client-id configures the client identifier displayed in the DHCP media type and interface’s MAC address server’s table hostname configures the hostname displayed in the DHCP...
  • Page 283 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address.
  • Page 284 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, if you do not want the DHCP client to use the default route and name server settings that it receives from the DHCP server, enter: ProCurve(config-fr 1.1)# ip address dhcp no-default-route no-nameservers Changing a Setting for the DHCP Client.
  • Page 285 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface unnumbered interface that takes its IP address from the Ethernet 0/1 interface. If the Ethernet 0/1 interface goes down, the Frame Relay 1.16 subinterface will be unavailable as well.
  • Page 286 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The CIR is calculated from the B , which is the maximum number of bits that the Frame Relay carrier guarantees to forward during a certain interval of time (T).
  • Page 287 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Replace <excessive burst value> with a burst rate, expressed in bits. You can set a B between 0 and 4,294,967,294 bps. For example, you might enter: ProCurve(config-fr 1.1)# frame-relay be 64000 Discard Eligible (DE) Bit.
  • Page 288 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, if you want to bind the E1 1/1 interface to the Frame Relay 1 interface, enter: ProCurve(config)# bind 1 e1 1/1 1 fr 1 Note: You bind the physical interface to the Frame Relay interface (not to the subinterface).
  • Page 289 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Set the MTU. The MTU defines the largest size that a frame can be before it must be fragmented. The MTU size on the Frame Relay subinterface should match the MTU used by the remote router and the intervening network devices.
  • Page 290: Settings Explained In Other Chapters

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface This command displays the running-config settings for only the Frame Relay 1.16 subinterface, as shown below: interface fr 1.16 frame-relay interface-dlci 16 description WAN link to London office ip address 192.168.1.1 255.255.255.0 no shutdown Settings Explained in Other Chapters...
  • Page 291: Configuring Hdlc As The Data Link Layer Protocol, Create The Hdlc Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Configuring HDLC as the Data Link Layer Protocol One of the oldest Data Link Layer protocols for a WAN, HDLC actually predates the PC. Although it was developed for a mainframe environment, which includes primary and secondary devices, HDLC has been updated for use in the PC environment.
  • Page 292 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface The router prompt indicates that you have entered the appropriate interface configuration mode context: ProCurve(config-hdlc 1)# From this configuration mode context, you can enter the help command to display the commands available from this configuration mode context.
  • Page 293: Activate The Hdlc Interface, Configure An Ip Address For The Wan Connection

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Interface Command Explanation Page Configuration Mode Context hdlc • no shutdown • activates the interface 6-41 • ip address <A.B.C.D> <subnet mask | / •...
  • Page 294 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface You can replace <subnet mask> with the complete subnet mask, or you can replace </prefix length> with the CIDR notation. For example, you might enter: ProCurve(config-hdlc 1)# ip address 10.1.1.1 /24 Configure the HDLC Interface as an Unnumbered Interface.
  • Page 295 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, you would enter the following commands to configure a loop- back interface and then configure the HDLC 1 interface to use the IP address assigned to that loopback interface: ProCurve(config)# interface loopback 1 ProCurve(config-loop 1)# ip address 192.168.5.1 /24...
  • Page 296 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface For example, if you want to bind the T1 2/1 interface to the HDLC 1 interface, enter: ProCurve(config)# bind 1 t1 2/1 hdlc 1 If you want to bind the serial interface to the HDLC interface, enter: ProCurve(config)# bind 1 serial 1/1 hdlc 1 Note...
  • Page 297 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Configuring the Logical Interface Note: If you have enabled Open Shortest Path First (OSPF) routing on the ProCurve Secure Router, you should take special care when setting the MTU. OSPF routers cannot become adjacent if their MTU sizes do not match.
  • Page 298: Example Networks

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks Settings Explained in Other Chapters In addition to configuring these settings for an HDLC interface, you can: assign ACPs or ACLs to control access to the HDLC interface enable bridging assign crypto maps to enable VPNs configure settings for routing protocols...
  • Page 299 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks Finally, the company set up an Asymmetric Digital Subscriber (ADSL) line to a local Internet Service Provider (ISP). Through this connection, the company’s employees can access the Internet. (For information about ADSL, see Chapter 7: ADSL WAN Connections.) Paris E1 with...
  • Page 300 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks interface e1 1/1 tdm-group 1 timeslots 1-31 speed 64 no shutdown interface e1 1/2 clock source through tdm-group 1 timeslots 1-31 speed 64 no shutdown interface fr 1 point-to-point frame-relay intf-type dte frame-relay lmi-type q933a no shutdown...
  • Page 301 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks To connect the Atlanta office to the London office, the company chose Frame Relay, which allows them to cross country borders at a more affordable cost than dedicated T1- and E1-carrier lines.
  • Page 302 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks interface t1 1/1 lbo short 550 tdm-group 1 timeslots 1-24 speed 64 no shutdown interface t1 1/2 clock source through lbo short 550 tdm-group 1 timeslots 1-24 speed 64 no shutdown interface fr 1 point-to-point frame-relay intf-type dte...
  • Page 303 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks You would configure Local as follows: Access the PPP interface configuration mode context: Local(config)# interface ppp 1 Configure the router to authenticate Remote with PAP: Local(config-ppp 1)# ppp authentication pap Set Remote’s username and password: Local(config-ppp 1)# username Remote password YYY Set the router’s own PAP username and password:...
  • Page 304 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Example Networks Remote would be configured as follows: Remote(config)# interface ppp 1 Remote(config-ppp 1)# ppp chap password YYY Example 5: CHAP Authentication to an ISP. In this example, the ISP has provided an ID (ID-GIVEN-BY-ISP) and password (PWD-GIVEN-BY-ISP) to be used when authenticating through CHAP.
  • Page 305: Checking The Status Of Logical Interfaces, View The Status Of Interfaces

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces Checking the Status of Logical Interfaces After you configure the physical and logical interfaces and bind them together, the ProCurve Secure Router should be able to exchange data with the device at the other end of the WAN connection.
  • Page 306: Queuing Method

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces ppp 1 is UP Status of interface Configuration: Keep-alive is set (10 sec.) No multilink No authentication is configured MTU = 1492 No authentication IP is configured IP address...
  • Page 307 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces Viewing the Status of Frame Relay Interfaces and Subinterfaces For Frame Relay, you can view the status of both the interface and the subinterface.
  • Page 308 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces ------------------------------------------------------------------- fr 1 is UP Configuration: Signaling type is ANSI, signaling role is USER Multilink disabled Polling interval is 10 seconds, full inquiry interval is 6 polling intervals Link information: 5 minute input rate 24 bits/sec, 0 packets/sec 5 minute output rate 8 bits/sec, 0 packets/sec...
  • Page 309: Viewing The Status Of Hdlc Interfaces

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Checking the Status of Logical Interfaces Viewing the Status of HDLC Interfaces To view information about the HDLC interface, enter the following command from the enable mode context: Syntax: show interface hdlc <number>...
  • Page 310: Troubleshooting Logical Interfaces, Troubleshooting The Ppp Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Troubleshooting Logical Interfaces If the physical interface is up but the logical interface is not, the steps you take to troubleshoot the problem vary, depending on the Data Link Layer protocol you are using.
  • Page 311 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces ppp 2 is DOWN Configuration: Keep-alive is set (10 sec.) No multilink MTU = 1500 No authentication IP is configured 15.1.1.1 255.0.0.0 Link thru ser 2/1 is DOWN; LCP state is INITIAL Receive: bytes=0, pkts=0, errors=0 Transmit: bytes=0, pkts=0, errors=0 5 minute input rate 0 bits/sec, 0 packets/sec...
  • Page 312 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces If the LCP status is not opened, you may need to double-check your configuration settings with your public carrier. For example, the carrier may have allocated a different number of DS0 channels to the physical line.
  • Page 313 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Note: Debug commands are processor intensive. Table 6-12 lists the debug commands you can use to monitor PPP interfaces. Table 6-12. Debug commands for PPP Interfaces Command Explanation debug ppp verbose...
  • Page 314: Troubleshooting Ppp Authentication

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces 2005.08.12 17:51:01 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Ack ID=33 Len=16 ACCM(00000000) MAGIC(d418e92e) 2005.08.12 17:51:02 PPP.NEGOTIATION PPPrx[e1 1/1] LCP: Conf-Req ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba) 2005.08.12 17:51:02 PPP.NEGOTIATION PPPtx[e1 1/1] LCP: Conf-Ack ID=188 Len=16 ACCM(00000000) MAGIC(2656e0ba) 2005.08.12 17:51:02 PPP.NEGOTIATION PPPFSM: layer up, Protocol=c021...
  • Page 315 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces ProCurve# debug ppp authentication 2005.07.08 09:03:44 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Req ID=1 Len=10 PeerID(Local) Password() 2005.07.08 09:03:44 PPP.AUTHENTICATION PPPrx[t1 1/1] PAP: Authen-Nak (Callout: The local router is attempting to authenticate itself.)
  • Page 316 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces When a peer successfully authenticates itself, the authenticator returns an Authen-Ack: 2005.07.08 09:05:08 PPP.AUTHENTICATION PPPtx[t1 1/1] PAP: Authen-Ack ID=1 Len=10 Message(Hello) Note: Usernames and passwords are case-sensitive.
  • Page 317: Troubleshooting The Frame Relay Interface

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Incompatible Authentication Protocols. If you do not receive any PPP authentication debug messages at all, the local and remote routers may be requesting different authentication protocols. In this case, the LCP state will not come up because the peers cannot negotiate the authentication option.
  • Page 318 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces If the interface is administratively down, you need to activate it. From the Frame Relay interface configuration mode context, enter no shutdown. If the interface is down, check your configuration and ensure that you are using the same Frame Relay signaling type as your Frame Relay carrier.
  • Page 319 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces “Num Update Status Rcvd” indicates the number of full status reports the interface has received. By default, the interface receives one full status report every six polls, or one every 60 seconds. “Num Status Timeouts”...
  • Page 320 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces Table 6-14. Status of the PVC Status of the PVC Explanation active The PVC is functional, end-to-end, from the local router to the switch and then to the far-end router inactive The PVC is functional from the router to the Frame Relay switch.
  • Page 321: Troubleshooting Hdlc

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Troubleshooting Logical Interfaces The CLI displays events dealing with the establishment and negotiation of connection as they occur. You can then determine when and why problems occur. LMI statistics report on the LMI messages that are exchanged between the Frame Relay DTE and the DCE.
  • Page 322 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start To disable the hdlc debug messages, enter one of the following commands from the enable mode context: ProCurve# no debug hdlc [errors | verbose] ProCurve# undebug all Quick Start After you configure the physical connection—the E1, T1, or serial interface—...
  • Page 323 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Set a static IP address. Syntax: ip address <A.B.C.D> <subnet mask | /prefix length> For example, you might enter: ProCurve(config-ppp 1)# ip address 10.1.1.1 /24 Activate the PPP interface ProCurve(config-ppp 1)# no shutdown Bind the physical interface to the logical interface.
  • Page 324: Requiring The Peer To Authenticate Itself, Authenticating To A Peer

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Parameter Your Setting Are you authenticating to the peer? Yes/No local router’s username local router’s password Requiring the Peer to Authenticate Itself Move to the PPP interface for the connection whose endpoint you want to authenticate.
  • Page 325: Frame Relay

    Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start For CHAP, enter a username only if it is different from the router’s hostname: Syntax: ppp chap hostname <username> For example, you might enter: ProCurve(config-ppp 1)# ppp chap hostname ProCurveA Frame Relay Before you begin to configure the Frame Relay interface, you should know the settings that you must enter for the following:...
  • Page 326 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Define the signaling role for the Frame Relay interface. The default setting is dte, or user. Syntax: frame-relay intf-type [dce | dte | nni] ProCurve(config-fr 1)# frame-relay intf-type dte Define the signaling type (the LMI).
  • Page 327 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Note: Together, the frame-relay bc command and the frame-relay be command define the amount of bandwidth you can use on the Frame Relay link. The sum of the values you specify for these two settings should be greater than 8000.
  • Page 328 Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces Quick Start Bind the physical interface—the E1, T1, or serial interface—to the logical interface. Syntax: bind <number> <physical interface> <slot>/<port> [<tdm-group number>] <logical interface> <logical interface number> For example, to bind the E1 1/1 interface to the HDLC 1 interface, enter: ProCurve(config-hdlc 1)# bind 1 e1 1/1 1 hdlc 1 To bind the serial 1/1 interface to the HDLC 1 interface, enter: ProCurve(config-hdlc 1)# bind 1 ser 1/1 hdlc 1...
  • Page 329 ADSL WAN Connections Contents ADSL Overview ..........7-4 ADSL Technologies .
  • Page 330 ADSL WAN Connections Contents Defining the ATM Encapsulation ......7-20 Assigning the ATM Subinterface an IP Address ....7-20 OAM Settings .
  • Page 331: Table Of Contents

    ADSL WAN Connections Contents Quick Start ........... . 7-54 Configure the Physical Layer: the ADSL Interface .
  • Page 332: Adsl Overview

    ADSL WAN Connections ADSL Overview ADSL Overview Digital Subscriber Line (DSL) technologies provide high-speed wide area network (WAN) connections—typically for a lower cost than older WAN technologies such as E1- or T1-carrier lines. A variety of DSL technologies have been developed, and these technologies are sometimes collectively referred to as x-type DSL, or xDSL.
  • Page 333: Adsl Technologies, Adsl2 And Adsl2+: Enhancing Transmission Speeds

    ADSL WAN Connections ADSL Overview With asymmetric DSL technologies, the transmission speed for downstream is higher than the transmission speed for upstream. This makes asymmetric DSL technologies ideal for Internet use because users typically download more data from the Internet than they upload. Asymmetric DSL technologies are also well-suited for video-on-demand or high-definition television (HDTV).
  • Page 334: Elements Of An Adsl Connection, Readsl: Supporting Greater Distances

    ADSL WAN Connections ADSL Overview READSL: Supporting Greater Distances To make ADSL available to more customers, reach extended ADSL2 (READSL) was developed to support greater distances between a customer’s premises and the public carrier’s CO. (READSL is an ADSL2 or ADSL2+ technology, which is sometimes called READSL and sometimes called READSL2.) According to CommsDesign.com, READSL extends the reach of ADSL “up to 2500 ft., allowing ADSL systems to reach as far as 20,000 ft.”...
  • Page 335: Adsl Infrastructure

    ADSL WAN Connections ADSL Overview When you configure an ADSL connection, you must configure both the Physical Layer and the Data Link Layer (which is also called the Logical Layer). The Physical Layer is, of course, ADSL. The Data Link Layer protocol is Asynchronous Transfer Mode (ATM).
  • Page 336 ADSL WAN Connections ADSL Overview [Figure 7-4. ADSL Connection to the Internet] Moving high-speed WAN connections onto a separate network infrastructure alleviates a serious problem for most public carriers: congestion in the traditional public carrier network.
  • Page 337: Adsl Splitters

    ADSL WAN Connections ADSL Overview Customers who have ISDN equipment such as telephones and fax machines can continue using this equipment while moving their Internet or WAN connection to ADSL. Support for ISDN is called ADSL over ISDN, or ADSL Annex B, and is common in countries such as Germany where ISDN is popular.
  • Page 338: Adsl Without Splitters

    ADSL WAN Connections ADSL Overview To separate the ISDN data from the ADSL data, an ISDN splitter is installed at both the customer’s premises and the CO. This splitter ensures that each type of traffic is transmitted to the appropriate device at each location. (See Figure 7-6.) Customer’s Premises Central Office...
  • Page 339: Adsl Modules For The Procurve Secure Router

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router ADSL Modules for the ProCurve Secure Router ProCurve Networking offers two ADSL modules: ADSL2+ Annex A module for ADSL over POTS ADSL2+ Annex B module for ADSL over ISDN ADSL2+ Annex A modules are used primarily in the United States and Canada. ADSL2+ Annex B modules are used in Europe, South America, Asia (except Japan), and Australia.
  • Page 340: Configuring The Adsl Interface: The Physical Layer

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Configuring the ADSL Interface: the Physical Layer To connect the ADSL interface on the front panel of the ProCurve Secure Router to the wall jack provided by your service provider, you use unshielded twisted pair (UTP) ribbon cable with RJ-11 connectors.
  • Page 341: Activating The Adsl Interface, Defining The Training Mode

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Activating the ADSL Interface By default, all interfaces on the ProCurve Secure Router are shut down. You must activate the ADSL interface. From the ADSL interface configuration mode context, enter: ProCurve(config-adsl 1/1)# no shutdown A message is displayed at the CLI, indicating that the interface is now administratively up.
  • Page 342 ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Table 7-3. Training Modes Supported by the ProCurve Secure Router Command Option Standard Description training-mode ADSL2 ITU G.922.3 ADSL2 Trains the interface for the ADSL2 (G.dmt.bis) transmission rate. This mode requires a splitter at both the user’s and the public carrier’s premises to divide traffic between voice and...
  • Page 343: Setting The Snr-margin

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Table 7-4. Training Modes Supported by the ProCurve Secure Router Command Option ADSL2+ Annex A ADSL2+ Annex B training-mode ADSL2 training-mode ADSL2+ training-mode G.DMT training-mode G.LITE training-mode Multi-Mode training-mode READSL2 training-mode T1.413 To define the training mode, enter the following command from the ADSL interface configuration mode context.
  • Page 344: Manually Forcing Retraining, Monitoring The Snr-margin

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Determining the minimum SNR margin is a compromise: the higher the SNR margin, the slower the transmission rate. However, if you set the SNR margin too low, the line may go down, or your data may be garbled. To set the SNR margin, enter the following command from the ADSL configuration mode context: Syntax: snr-margin <margin>...
  • Page 345: Configuring The Data Link Layer For The Adsl Connection, Activating The Atm Interface

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Configuring the Data Link Layer for the ADSL Connection You can configure the ADSL line with ATM as the Data Link Layer, or you can configure ADSL with either PPPoE or PPPoA. No matter which option you use, however, your configuration will include ATM, and you will need to configure both an ATM interface and an ATM subinterface.
  • Page 346: Configuring A Subinterface For Each Pvc

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Configuring a Subinterface for each PVC You must configure an ATM subinterface to define the endpoint of the ADSL connection. By default, each ATM interface supports up to 16 permanent virtual circuits (PVCs), so you can create a maximum of 16 subinterfaces on each ATM interface.
  • Page 347: Activating The Atm Subinterface, Configuring The Vpi/vci

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Activating the ATM Subinterface By default, all subinterfaces on the ProCurve Secure Router are shut down. You must activate the ATM subinterface. From the ATM interface configuration mode context, enter: ProCurve(config-atm 1.1)# no shutdown Configuring the VPI/VCI ATM networks are fundamentally connection-oriented, which means that a...
  • Page 348: Defining The Atm Encapsulation

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router For example, to assign the ATM subinterface a VPI/VCI of 0/33, enter: ProCurve(config-atm 1.1)# pvc 0/33 Defining the ATM Encapsulation The ATM Data Link Layer for the ADSL connection includes these sublayers: the ATM adaptation layer (AAL), which is called Layer 2-1 the point-to-point layer, which is referred to as Layer 2-2 You must configure the adaptation layer by specifying an encapsulation type.
  • Page 349 ADSL WAN Connections ADSL Modules for the ProCurve Secure Router If you are configuring the IP address on the ATM subinterface, you can configure: a static IP address the ATM subinterface as a DHCP client the ATM subinterface as an unnumbered interface Configuring a Static Address.
  • Page 350 ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Table 7-5. Default Settings for the DHCP Client Option Meaning Default Setting client-id configures the client identifier displayed for this media type and interface’s MAC address interface in the DHCP server’s table hostname configures the hostname displayed for this interface router hostname...
  • Page 351 ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Note: The do command allows you to enter enable mode commands from any context (except the basic mode context). Configuring a Client Identifier. By default, the Secure Router OS populates the client identifier with the media type and the interface’s media access control (MAC) address.
  • Page 352 ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Overriding Settings Received from the DHCP Server. If the DHCP server is configured to provide a default route, a domain name, or the IP address of a domain name system (DNS) server, the DHCP client for the ATM subinterface will accept and use these settings.
  • Page 353 ADSL WAN Connections ADSL Modules for the ProCurve Secure Router You can configure the ATM subinterface as an unnumbered interface. The ATM subinterface will then use the IP address of the interface you specify. The Secure Router OS uses the IP address of the specified interface when sending routing updates over the unnumbered interface.
  • Page 354: Oam Settings

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router Note: You do not have to enter no shutdown to activate a loopback interface. The status of a loopback interface automatically changes to up after you enter the interface loopback <number>...
  • Page 355: Bind The Adsl Interface To The Atm Interface

    ADSL WAN Connections ADSL Modules for the ProCurve Secure Router For example, to configure the Secure Router OS to wait 4 seconds between transmitting OAM loopback cells, enter: ProCurve(config-atm 1.1)# oam-pvc managed 4 Bind the ADSL Interface to the ATM Interface When you configure WAN connections on the ProCurve Secure Router, you must bind the physical interface to the logical interface.
  • Page 356: Pppoe Overview

    ADSL WAN Connections PPPoE Overview Table 7-6. Additional Configurations for the ATM Interface or Subinterface Settings Apply to ATM Interface or Configuration Guide Page Subinterface access controls to filter incoming and outgoing ATM subinterface Advanced 5-18, 5-37 traffic bridging ATM subinterface Basic 10-6 VPNs...
  • Page 357: Two Phases For Establishing A Pppoe Session, Discovery Phase

    ADSL WAN Connections PPPoE Overview Customer’s Premises Central Office Regional broadband network Other Local DSLAMs loop DSLAM Broadband Router Splitter Splitter switch (ATM) Negotiates PPPoE session Access with access concentrator concentrator Negotiates PPPoE session with router Figure 7-8. Access Concentrator for PPPoE Access Two Phases for Establishing a PPPoE Session To establish a PPPoE session, the client and the access concentrator must successfully complete two phases:...
  • Page 358 ADSL WAN Connections PPPoE Overview Discovery Stage Goal: Learn session ID and peer’s Ethernet MAC address 1. PPPoE client broadcasts a PADI (initiation) frame 2. Access concentrator sends a PADO (offer) frame Access concentrator Router 3. PPPoE client sends a PADR (request) frame 4.
  • Page 359 ADSL WAN Connections PPPoE Overview Step 4. When the access concentrator receives the PADR frame, it checks the service name tag. If it accepts the service name tag, the access concentrator generates a unique session ID. It includes this ID and the service name tag in a PPPoE Active Discovery Session-confirmation (PADS) frame and sends this frame to the PPPoE client.
  • Page 360: Creating The Ppp Interface

    ADSL WAN Connections PPPoE Overview Step 3. The devices use network control protocol (NCP) frames to enable the exchange of Network Layer protocols, such as IP, across the link. Step 4. The devices use PPP frames to transmit the actual data. (For more information about establishing a PPP session, see Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.) During the process of establishing a PPP session, the devices will also nego-...
  • Page 361: Assigning An Ip Address, Binding The Atm Subinterface To The Ppp Interface

    ADSL WAN Connections PPPoE Overview Assigning an IP Address Because you are configuring a PPP interface on top of the ATM subinterface, the PPP interface handles the IP address. Rather than configuring an IP address on the ATM subinterface, you configure the IP address on the PPP interface.
  • Page 362: Identifying The Access Concentrator

    ADSL WAN Connections PPPoE Overview You can enter the show running-config command from the enable mode context to ensure that you have entered the two bind commands that are required for an ADSL connection that uses PPPoE. Figure 7-11 shows a sample running-config for an ADSL interface, ATM interface, ATM subinterface, and PPP interface.
  • Page 363: Identifying Pppoe Services, Pppoa Overview

    ADSL WAN Connections PPPoA Overview If you do not include this field, any access concentrator is acceptable. By default, no access concentrator is specified. Identifying PPPoE Services You can also control which PPPoE session offer the Secure Router OS accepts by specifying the PPPoE services that are required.
  • Page 364 ADSL WAN Connections PPPoA Overview 1. Link establishment Access 2. Authentication (optional) concentrator PAP, CHAP, or EAP Router 3. Negotiation of network layer protocols NCP: IPCP, BCP, IPXCP, and so on 4. Session established Figure 7-12. Establishing a PPP Session Step One.
  • Page 365 ADSL WAN Connections PPPoA Overview Creating the PPP Interface To configure PPPoA, you configure the ADSL interface, the ATM interface, and the ATM subinterface. (These instructions begin with “Configuring the ADSL Interface: the Physical Layer” on page 7-12.) When configuring the ATM subinterface, you must set the encapsulation to aal5snap or aal5mux ppp, as shown below: Syntax: encapsulation aal5snap...
  • Page 366 ADSL WAN Connections PPPoA Overview If you need to configure authentication protocols for the connection, see “PPP Authentication” on page 6-71 in Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces. Binding the ATM Subinterface to the PPP Interface To finish defining the point-to-point layer for the ADSL connection, you must bind the ATM subinterface to the PPP interface.
  • Page 367: Routed Bridged Encapsulation

    ADSL WAN Connections Routed Bridged Encapsulation Routed Bridged Encapsulation Some DSLAMs use routed bridged encapsulation (RBE) to route IP over bridged Ethernet traffic. RBE is sometimes referred to as “half bridging,” because it provides some of the advantages of bridging combined with some of the advantages of routing.
  • Page 368 ADSL WAN Connections Routed Bridged Encapsulation Central Office Customer’s Premises Regional broadband network Other Local DSLAMs loop DSLAM Broadband Router Splitter Splitter switch (ATM) Aggregation device Establishes Ethernet bridge with ProCurve Secure Router Figure 7-14. RBE Environment To configure RBE, complete the steps for configuring the ADSL interfaces as explained in “Configuring the ADSL Interface: the Physical Layer”...
  • Page 369: Viewing The Status And Configuration Of Interfaces, Viewing The Status Of The Adsl Interface

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces Viewing the Status and Configuration of Interfaces You can view information about all of the interfaces that are used to create the ADSL connection. Viewing the Status of the ADSL Interface To view the status of the ADSL interface, enter: Syntax: show interfaces adsl <slot>/<port>...
  • Page 370 ADSL WAN Connections Viewing the Status and Configuration of Interfaces !adsl 2/1 is UP, line protocol is UP Status of physical and logical Link Status Up G.DMT interface Line Type Fast Training mode used Line Length 933 ft Actual downstream Downstream Upstream and upstream rates...
  • Page 371 ADSL WAN Connections Viewing the Status and Configuration of Interfaces Next, the output from the show interfaces adsl command displays the downstream and upstream transmission rates for the connection. This section of the output also reports the attenuation on the line and any framing, signaling, and power losses, as well as error seconds.
  • Page 372: Viewing The Status Of The Atm Interface And Subinterface

    ADSL WAN Connections Viewing the Status and Configuration of Interfaces interface adsl 2/1 Displays all the settings for the description "" interface, including defaults alias "" snr-margin 5 training-mode Multi-Mode no shutdown Figure 7-18. show running-config interface adsl verbose Command Viewing the Status of the ATM Interface and Subinterface To view the status of the ATM interface, enter the following command from the enable mode context:...
  • Page 373 ADSL WAN Connections Viewing the Status and Configuration of Interfaces Replace <number.subinterface number> with the unique number and subinterface number that you assigned the ATM interface. For the ATM 1.1 subinterface, enter: ProCurve# show interfaces atm 1.1 Figure 7-20 shows the output from this command for a sample network. As you can see, this command displays the status of the interface and settings such as the ATM encapsulation, the IP address, and the MTU size.
  • Page 374: Troubleshooting The Adsl Connection, Troubleshooting The Adsl Interface, Identifying The Problem

    ADSL WAN Connections Troubleshooting the ADSL Connection Troubleshooting the ADSL Connection When troubleshooting WAN connections, you should try to isolate the problem and determine if the problem is occurring on the physical interface or the logical interface. With an ADSL WAN connection, you should begin troubleshooting the ADSL interface.
  • Page 375: Debug Interface Adsl Events Command

    ADSL WAN Connections Troubleshooting the ADSL Connection adsl 2/1 is DOWN, line protocol is DOWN Link Status Training UNKNOWN Line Type The training mode does not Line Length 0 ft match the training mode used by the DSLAM Downstream Upstream Line Rate 0 kbps 0 kbps...
  • Page 376: Troubleshooting The Atm Interface

    ADSL WAN Connections Troubleshooting the ADSL Connection Figure 7-22 shows the debug commands for a connection that was established successfully. 2005.08.09 19:02:40 ADSL.EVENTS Current DSL state: ATU_RIDLE 2005.08.09 19:02:40 INTERFACE_STATUS.adsl 2/1 changed state to down 2005.08.09 19:02:54 ADSL.EVENTS Current DSL state: GDMT_NEGO Negotiating to use the 2005.08.09 19:02:54 ADSL.EVENTS Current DSL state:...
  • Page 377: Troubleshooting The Atm Subinterface, Debug Atm Oam Command

    ADSL WAN Connections Troubleshooting the ADSL Connection The output from this command shows the status of the logical interface as well as the information shown in Table 7-7. Table 7-7. Information Displayed by the show interfaces atm Command Information Meaning <number>...
  • Page 378: Troubleshooting Pppoe, Troubleshooting The Pppoe Discovery Process

    ADSL WAN Connections Troubleshooting the ADSL Connection Syntax: debug atm oam <interface number.subinterface number> [loopback {end-to- end | segment} {<LLID>}] Replace <interface number.subinterface number> with the subinterface ID for the PVC. This command displays the OAM frames for a specific PVC. Include the loopback option to configure an OAM loopback.
  • Page 379: Show Pppoe Command

    ADSL WAN Connections Troubleshooting the ADSL Connection For example, if the PPPoE client keeps sending PADI frames but does not receive any PADO frames, you know that for some reason the access concentrator is not responding. If the ADSL interface, the ATM interface, and the ATM subinterface are up, you should call your service provider and report the problem.
  • Page 380: Clear A Pppoe Connection, Debug Pppoe Client Command, Troubleshooting The Ppp Link Establishment Process

    ADSL WAN Connections Troubleshooting the ADSL Connection Figure 7-24 shows the output from this command. ppp 1 Outgoing Interface: eth 0/1 Outgoing Interface MAC Address: 00:A0:C8:00:85:20 Access-Concentrator Name Requested: FIRST VALID Access-Concentrator Name Received: 13021109813703-LRVLGSROS20W_IFITL Access-Concentrator MAC Address: 00:10:67:00:1D:B8 Session Id: 64508 Service Name Requested: ANY Service Name Available: PPPoE Client State: Bound (3)
  • Page 381 ADSL WAN Connections Troubleshooting the ADSL Connection When you view the status of the PPP interface, you must ensure that both the interface and the Network Layer protocol are up. For example, Figure 7-25 shows a PPP interface that is up. However, the user cannot send traffic over the link.
  • Page 382: Configure The Physical Layer: The Adsl Interface

    ADSL WAN Connections Quick Start Quick Start This section provides the commands you will need to quickly configure an Asymmetric Digital Subscriber Line (ADSL) WAN connection on the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 7-1 to locate the section and page number that contains the explanation you need.
  • Page 383 ADSL WAN Connections Quick Start Access the ADSL interface configuration mode context. Syntax: interface adsl <slot>/1 For example, if the ADSL module is in slot two, enter: ProCurve(config)# interface adsl 2/1 Activate the interface. ProCurve(config-adsl 2/1)# no shutdown Set the SNR margin. Syntax: snr-margin <margin>...
  • Page 384: Configure Atm Only, Configure The Data Link Layer: The Atm Interface And Subinterface

    ADSL WAN Connections Quick Start Table 7-9. Training Modes Supported by the ProCurve Secure Router Command Option ADSL2+ Annex A ADSL2+ Annex B training-mode ADSL2 training-mode ADSL2+ training-mode G.DMT training-mode G.LITE training-mode Multi-Mode training-mode READSL2 training-mode T1.413 Configure the Data Link Layer: the ATM Interface and Subinterface Before you configure the Data Link Layer for the ADSL connection, you must know the settings that you should enter for the following:...
  • Page 385 ADSL WAN Connections Quick Start Replace <interface> with atm, and replace <number> with a unique number for this ADSL connection. For example, to create ATM 1 interface, enter: ProCurve(config)# interface atm 1 Activate the interface. ProCurve(config-atm 1)# no shutdown Create a subinterface for each permanent virtual circuit (PVC). ATM interfaces on the ProCurve Secure Router can support up to 16 PVCs.
  • Page 386: Configure Rbe

    ADSL WAN Connections Quick Start Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context). Configure RBE Your ADSL service provider may ask you to configure the ATM subinterface to use routed RBE, which routes IP over bridged Ethernet traffic.
  • Page 387: Configure Pppoe

    ADSL WAN Connections Quick Start Configure PPPoE If your service provider wants you to configure PPPoE for your ADSL connection, complete these steps: Create the ATM interface. Syntax: interface atm <number> ProCurve(config)# interface atm 1 Activate the interface. ProCurve(config-atm 1)# no shutdown Create a subinterface for each PVC.
  • Page 388 ADSL WAN Connections Quick Start Note: The do command allows you to enter enable mode commands (such as show commands) from any context (except the basic mode context). Create the PPP interface. Syntax: interface ppp <number> ProCurve(config)# interface ppp 1 Configure a static IP address or configure the interface to negotiate the IP address with the service provider’s router.
  • Page 389: Configure Pppoa

    ADSL WAN Connections Quick Start interface adsl 2/1 snr-margin 6 no shutdown interface atm 1 point-to-point no shutdown bind 3 adsl 2/1 atm 1 Bind the ADSL interface to the ATM interface interface atm 1.1 point-to-point no shutdown pvc 0/35 interface ppp 3 ip address 10.1.1.1...
  • Page 390 ADSL WAN Connections Quick Start Define the ATM encapsulation. For PPPoA, you must set the encapsulation at aal5snap or aal5mux ppp. The default setting is aal5snap. Syntax: encapsulation aal5snap Syntax: encapsulation aal5mux [ip | ppp] For example, to use aal5snap, enter: ProCurve(config-atm 1.1)# encapsulation aal5snap Bind the physical interface—the ADSL interface—to the logical interface.
  • Page 391 ADSL WAN Connections Quick Start View the running-config to ensure that you have entered two bind commands: one to bind the ADSL interface to the ATM interface and one to bind the ATM subinterface to the PPP interface. (See Figure 7-28.) Enter: ProCurve(config-ppp 1)# do show running-config interface adsl 2/1 snr-margin 5...
  • Page 392 ADSL WAN Connections Quick Start 7-64...
  • Page 393 Configuring Demand Routing for Primary ISDN Modules Contents Overview of ISDN Connections, 8-4; Elements of an ISDN Connection
  • Page 394: Table Of Contents

    Configuring Demand Routing for Primary ISDN Modules Contents Understanding How the connect-sequence Commands Work, 8-35; Configuring the idle-timeout Option, 8-37; Configuring the fast-idle Option
  • Page 395: Viewing A Summary Of Information About

    Configuring Demand Routing for Primary ISDN Modules Contents Configuring an ISDN Template, 8-57; Using Call Types and Patterns
  • Page 396: Overview Of Isdn Connections

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Overview of ISDN Connections Integrated Services Digital Network (ISDN) connections are point-to-point dial-up connections that can handle both voice and data over a single line. ISDN provides WAN connections at a lower cost than dedicated WAN connections such as E1- or T1-carrier lines.
  • Page 397: Elements Of An Isdn Connection, The Local Loop

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Elements of an ISDN Connection All WAN connections, including ISDN lines, consist of three basic elements: the physical transmission media, such as the cabling, switches, routers, and other infrastructure required to create and maintain the connection electrical signaling specifications for generating, transmitting, and receiving signals through the various transmission media Data Link Layer protocols, which provide logical flow control for trans-...
  • Page 398 Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Copper wire has a limited signal-carrying capacity, making local loops that use copper wire the slowest, least capable component of a WAN connection.
  • Page 399 Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections In addition to wire and the demarc, the local loop for an ISDN connection includes: ISDN switch—At the public carrier’s CO, the ISDN switch multiplexes and de-multiplexes channels on the twisted pair wiring of the local loop. It provides the physical and electrical termination for the ISDN line and then forwards the data onto the public carrier’s network.
  • Page 400: Isdn Interfaces: Connecting Equipment To The Isdn Network

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections ISDN Interfaces: Connecting Equipment to the ISDN Network ISDN supports both RJ-11 and RJ-45 connectors. Public carriers typically install an RJ-45 jack to connect the subscriber’s premises to the local loop. You can add equipment at four interface points on the subscriber’s side of an ISDN network: U interface...
  • Page 401: Line Coding For Isdn Bri Connections, Isdn Data Link Layer Protocols

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections R Interface. The R interface is used to connect a TE2 device to the TA. Because there are no standards for the R interface, the vendor providing the TA determines how the TA connects to and interacts with the TE2. Line Coding for ISDN BRI Connections To provide higher transmission rates on ordinary telephone wire, ISDN BRI uses a compressed encoding scheme called 2B1Q.
  • Page 402 Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections ISDN also supports the following B-channel Data Link Layer protocols: Point-to-Point (PPP) High-Level Data Link Control (HDLC) Frame Relay LAPD LAPD establishes the ISDN connection between two endpoints. Exchanged over the D channel, LAPD frames provide the addressing for the dial-up connection, including the service access point identifier (SAPI) and the terminal endpoint identifier (TEI).
  • Page 403: Call Process

    Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections In the second octet, the first seven bits designate the connection’s TEI. TEIs can be assigned statically or dynamically. A statically assigned TEI will have a value between 0 and 63; dynamically assigned TEIs range from 64 to 126. A value of 127 designates a broadcast connection meant for all TEs.
  • Page 404 Configuring Demand Routing for Primary ISDN Modules Overview of ISDN Connections Caller ISDN Receiver Switch Setup pick up and dial Call Process Setup Alerting Phone rings Alerting Connect pick up the phone Connect Connect_ack Connect_ack Connected Figure 8-4. ISDN Call Setup Process Placing a Call.
  • Page 405: Procurve Secure Router Isdn Modules

    Configuring Demand Routing for Primary ISDN Modules ProCurve Secure Router ISDN Modules The receiver gets the SETUP. If the receiver is available and ready, it rings the phone and sends an ALERTING message to the switch. The switch forwards the ALERTING to the caller. The receiving ISDN modem sends a CONNECT message to the switch.
  • Page 406 Configuring Demand Routing for Primary ISDN Modules ProCurve Secure Router ISDN Modules Table 8-2. Differences Between Primary and Backup ISDN Modules ISDN Module Hardware Applications Activation Method Increasing Bandwidth Requirements primary uses one narrow primary or backup WAN established only when supports Multilink PPP slot on the connection between two...
  • Page 407: Primary Isdn Modules

    Configuring Demand Routing for Primary ISDN Modules ProCurve Secure Router ISDN Modules Primary ISDN Modules For primary WAN connections, ProCurve Networking currently offers two types of modules: ISDN BRI U module—used in the United States and Canada ISDN BRI S/T module—used in all other countries Both of these ISDN modules support the following standards: National ISDN-1—Defined in the mid 1990s by the National Institute of Standards and Technology (NIST) and Bellcore (now called Telcordia),...
  • Page 408: Using Demand Routing For Isdn Connections

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Table 8-3. Supported ISDN Standards Type Switch Types Classifications Electrical ISDN BRI S/T module • National ISDN-1 • ACIF S031 • FCC Part 15 Class A • Northern Telecom DMS- •...
  • Page 409 Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections Branch Office A Switch 192.168.4.0 Router A Edge Switch Edge Switch ISDN connection to Branch Office A triggered by traffic with destination address 192.168.4.0 /24 ISDN Edge Switch connection Core Switch Branch Office B...
  • Page 410: Define The Traffic That Triggers The Connection

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections To configure demand routing for a primary ISDN module, you must complete the following steps: Create an extended access control list (ACL) to define the traffic that will trigger the dial-up connection.
  • Page 411: Specifying A Protocol

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections To define the interesting traffic, you create an extended ACL. The ProCurve Secure Router will use this ACL to identify and select traffic that triggers a dial-up connection. From the global configuration mode context, enter: Syntax: ip access-list extended <listname>...
  • Page 412: Defining The Source And Destination Addresses

    Configuring Demand Routing for Primary ISDN Modules Using Demand Routing for ISDN Connections For demand routing, you might want to create an ACL that selects all of the traffic to a particular subnet. In this case, you should specify ip as the protocol. Defining the Source and Destination Addresses When you create an extended ACL, you must configure both a source and a destination address for each entry.