Home » HP Manuals » Bridges & Routers » HP 7102dl » Manual Viewer

HP 7102dl Owners Manual - Page 788

Configuring OSPF Authentication, Table 15-9., Global OSPF Intervals

UPC - 829160731391

Add to My Manuals
Save this manual to your list of manuals

Page 788 highlights

IP Routing-Configuring RIP, OSPF, BGP, and PBR Configuring OSPF The refresh interval, which dictates how often routers must send out an LSA, must be such that routers can refresh their databases every 30 minutes. The shortest path first (SPF) delay and hold timers save processing power by preventing a router from continuously calculating new best routes. Table 15-9. Global OSPF Intervals Interval refresh shortest path first (SPF) delay: • calculation delay • SPF hold Meaning Default the maximum time 240 seconds before sending a new LSA • the time between receiving topological changes and beginning SFP calculations • the time between consecutive SFP calculations • 5 seconds • 10 seconds Range 10 to 1,800 seconds (maximum of 30 minutes) • 0 to 4,294,967,295 seconds • 0 to 4,294,967,295 seconds Command Syntax timers lsa-grouppacing timers spf Caution Do not change default intervals unless you have a great deal of experience working with OSPF and understand the implications of the changes. Improperly set intervals can disrupt router processes and congest the network. Configuring OSPF Authentication If you enable authentication on your OSPF network, then routers will not exchange their databases to achieve adjacency until they have authenticated each other with a password. OSPF authentication prevents network devices from inadvertently joining the wrong area. In addition, hackers and malware can send pseudo-OSPF packets to establish a neighbor relationship with the routers on your private network. After this relationship is established, the hackers and the malware writers would receive LSAs and learn valuable information about your network. OSPF authentication ensures that routers on your private network do not accept unauthorized packets. The ProCurve Secure Router supports two types of OSPF authentication: ■ OSPF simple password authentication ■ authentication with MD5 15-62

Section	Page
Copyright and Disclaimers	4
Contents	5
Overview	35
Contents	35
Using This Guide	37
Understanding Command Syntax Statements	38
CLI Prompt Convention	38
IP Address Convention	39
Interface Numbering Convention	39
Quick Start Sections	40
Obtaining Additional Information	40
Downloading Software Updates	41
Interface Management Options	43
CLI	43
Web Browser Interface	43
Accessing the Web Browser Interface	44
Using the ProCurve Web Browser Interface	45
CLI Tools	47
Help Tools	47
CLI Help Commands	47
Editing Commands	48
Basic Commands	49
no	49
do	49
exit	49
File Management Commands	50
copy	50
erase	53
write	53
autosynch	53
Troubleshooting Commands	54
reload in	54
show	55
show tech	55
safe-mode	56
Managing Configuration Files Using a Text Editor	59
Using Error Messages to Repair a Configuration	59
Quick Start	62
Accessing the Secure Router OS	62
Configuring the Enable Mode Password	63
Configuring the Ethernet Interface	63
Configuring Telnet Access	64
Configuring SSH Access	64
Configuring HTTP Access	65
Increasing Bandwidth	67
Contents	67
Overview	68
Configuring MLPPP	70
PPP	70
MLPPP	71
LCP Options	71
MLPPP Header	72
MLPPP Configuration Concerns	72
Enabling MLPPP	72
Binding Multiple Carrier Lines to a PPP Interface	73
Configuring MLFR	74
Enabling MLFR	75
Binding Multiple Carrier Lines to a Frame Relay Interface	76
Configuring the Bundle ID	77
Troubleshooting Multilinks	78
Standard Procedure	78
Physical Layer	78
Data Link Layer	78
Troubleshooting MLPPP	81
MRRU	81
ED	82
Troubleshooting MLFR	82
Quick Start	85
MLPPP Configuration	86
MLFR Configuration	87
Configuring Backup WAN Connections	89
Contents	89
Backing Up Primary WAN Connections	93
Analog Backup Connections	93
ISDN-Backup Connections	94
BRI ISDN	95
Electrical Specifications for BRI ISDN	97
Backup Modules for the ProCurve Secure Router	97
Standards	98
Data Link Layer Protocols	99
Determining a Backup Method	99
Using Demand Routing for Backup Connections	100
Using Persistent Backup Connections	102
Comparing Demand Routing and Persistent Backup Connections	102
Configuring Demand Routing for Backup Connections	106
Define the Traffic That Triggers the Connection	106
Specifying a Protocol	107
Defining the Source and Destination Addresses	107
Configuring the Demand Interface	108
Creating the Demand Interface	110
Configuring an IP Address	110
Matching the Interesting Traffic	112
Specifying the connect-mode Option	115
Associating a Resource Pool with the Demand Interface	116
Defining a Connect Sequence	116
Specify the Order in Which Connect Sequences Are Used	118
Configure the Number of Connect Sequence Attempts	118
Configure the connect-sequence interface-recovery Option	119
Understanding How the connect-sequence Commands Work	121
Configuring the idle-timeout Option	124
Configuring the fast-idle Option	124
Defining the caller-number	125
Defining the called-number	125
Configuring the Hold Queue	125
Configuring the BRI or Modem Interface	126
Accessing the BRI or Modem Interface	127
Configuring the ISDN Signaling (Switch) Type	127
Configuring an LDN for ISDN BRI S/T Modules	128
Configuring a SPID and LDN for ISDN BRI U Modules	129
Setting the Country for the Modem Interface	129
Assigning BRI or Modem Interface to the Resource Pool	130
Activating the Interface	130
Caller ID Options for ISDN BRI Backup Modules (Optional)	131
Configuring a Floating Static Route for the Demand Interface	131
Configuring PPP Authentication for an ISDN Connection	132
Enabling PPP Authentication for All Demand Interfaces	133
Configuring PAP Authentication for a Demand Interface	133
Configuring CHAP Authentication for a Demand Interface	133
Configuring the Username and Password That the Router Expects to Receive	134
Example of Demand Routing with PAP Authentication for a Backup Connection	134
Configuring Peer IP Address	135
Setting the MTU for Demand Interfaces	136
Configuring a Persistent Backup Connection	137
Configuring the Physical Interface for a Persistent Backup Connection	137
Configuring a BRI Interface (ISDN Only)	137
Configuring a Modem Interface (Analog Only)	141
Using the Modem for Console Dial-In	143
Replacing Incoming Caller ID for BRI and Modem Interfaces	143
Configuring a Logical Interface for a Persistent Backup Connection	144
Creating a Backup PPP Interface	145
Activating the Interface	145
Setting an IP Address	146
Enabling PPP Authentication	146
Configuring Persistent Backup Settings for a Primary Connection	148
Accessing the Primary Connection’s Logical Interface	148
Setting the Backup Call Mode	149
Adding a Number to a Backup Dial List	153
Controlling When a Backup Connection Can Be Established	154
Setting Backup Timers	156
Configuring a Floating Static Route for a Persistent Backup Connection	157
Configuring Persistent Backup for Multiple Connections	159
Viewing Backup Configurations and Troubleshooting Backup Connections	160
Viewing Information about BRI and Modem Interfaces and Troubleshooting Problems	160
Viewing the Status and Configuration of Backup Interfaces	161
Viewing Information about Demand Routing and Troubleshooting Problems	165
Viewing the Status of the Demand Interface	165
Viewing a Summary of Information about the Demand Interface	167
Viewing Demand Sessions	168
Viewing the Resource Pool	168
Show the Running-Config for the Demand Interface	169
Troubleshooting Demand Routing	169
Checking the Demand Interface	169
Checking the ACL That Defines the Interesting Traffic	170
Troubleshooting the Backup Connection	171
Test Calls for ISDN Lines	173
Troubleshooting PPP for a Demand Routing Backup Connection	174
Viewing Information about Persistent Backup Connections and Troubleshooting Problems	174
Viewing Backup Settings	175
Viewing the Backup PPP Interface	177
Monitoring the Dial-Up Process	177
Troubleshooting Persistent Backup Connections	179
Standard Procedures	179
Quick Start	184
Configuring Demand Routing for Backup Connections	185
Configuring a Persistent Backup Connection	192
Backing up a Connection with an ISDN BRI S/T Backup Module	196
Backing up a Connection with an Analog Module	198
ProCurve Secure Router OS Firewall- Protecting the Internal, Trusted Network	201
Contents	201
Overview	203
Advantages of an Integrated Firewall	203
Stateful-Inspection Firewalls	204
Packet-Filtering Firewall	204
Circuit-level Gateway	206
Application-level Gateway	207
Attack Checking	209
SYN-flood Attacks	210
WinNuke Attacks	211
Reflexive Traffic	212
Event Logging	212
Configuring Attack Checking	214
Enabling the Secure Router OS Firewall	214
Enabling and Disabling Optional Attack Checks	215
Checking Reflexive Traffic	216
Configuring Stealth Mode	217
Configuring ALGs	218
Enabling the FTP ALG	219
Enabling the H.323 ALG for Voice and Videoconferencing	219
Enabling the SIP ALG for Voice over IP	219
Enabling the PPTP ALG for VPNs	220
Enabling Firewall Traversal	220
Configuring Timeouts for Sessions	221
Setting the Timeout for a Protocol	221
Setting Timeouts for Specific TCP and UDP Applications	222
Configuring Logging	224
Specifying the Priority Level for Logged Events	224
Specifying How Many Attacks Generate a Log	226
Specifying How Many Policy Matches Generate a Log	227
Forwarding Logs to a Syslog Server	227
Forwarding Logs to an Email Address	229
Quick Start	231
Applying Access Control to Router Interfaces	233
Contents	233
Access Control for Interfaces on the ProCurve Secure Router	235
Access Control Mechanisms	236
Using ACLs Alone to Configure Access Control	238
Configure ACLs	238
ACL Entries	238
Types of ACLs	239
Creating an ACL	241
Creating a Standard ACL	241
Creating an Extended ACL	243
Entry Order	248
Adding a Descriptive Tag to an ACL	249
Editing an Existing ACL	250
Deleting an Existing ACL	250
Applying the ACL to an Interface	251
Selecting the Packet and Controlling the Action	252
Controlling FTP, HTTP, and Telnet Access to the Router	253
Restricting FTP Access	254
Restricting HTTP Access	254
Restricting Telnet Access	255
Examples of Applying ACLs	255
Using ACPs to Control Access to Router Interfaces	258
Enable the Firewall	258
Configure ACLs	259
Types of ACLs	259
Creating an ACL	261
Creating a Standard ACL	261
Creating an Extended ACL	264
Configure ACPs	267
Action	267
Selector	268
Creating an ACP	268
Creating Entries in the ACP	269
Editing ACPs	269
Deleting an ACP	269
Assigning the ACP to an Interface	270
Using the reload Command	270
Processing ACPs	271
ACP Action Summary	274
Traffic Flow through Interfaces with ACPs	276
Inbound Interface Has an ACP; Outbound Interface Does Not Have an ACP	277
Inbound Interface Has an ACP; Outbound Interface Has a Different ACP	277
Inbound Interface Does Not Have an ACP; Outbound Interface Has an ACP	278
Traffic in and out Through a Single Interface	279
Examples of ACPs	279
Viewing ACLs and ACPs	283
Displaying ACLs	283
Displaying ACPs	284
Viewing Access Policy Sessions	285
Viewing Access Policy Statistics	286
Troubleshooting	288
show Commands	288
Monitoring Packets Matched to an ACP	288
Clearing Existing Policy Sessions	288
Clear ACL Counters	290
Debug ACLs	291
Quick Start	292
Enabling the Built-in Firewall	292
Configuring an ACL and Applying It Directly to an Interface	293
Configuring ACPs	295
Configuring Network Address Translation	299
Contents	299
NAT Services on the ProCurve Secure Router	300
Many-to-One NAT for Outbound Traffic	300
Using NAT with PAT	301
One-to-One NAT for Inbound Traffic	303
One-to-One NAT with Port Translation	304
Configuring NAT	306
Enabling the Firewall	306
Configuring an ACL	306
Types of ACLs	307
Configuring an ACP	311
Configuring Many-to-One NAT for Outbound Traffic	312
Configuring One-to-One NAT for Inbound Traffic	312
Configuring One-to-One NAT with Port Translation	313
Assigning the ACP to an Interface	314
Viewing ACLs and ACPs	315
Displaying ACLs	316
Displaying ACPs	316
Viewing Access Policy Sessions	317
Viewing Access Policy Statistics	318
Troubleshooting	319
Monitoring Packets Matched to an ACP	319
Clearing Existing Policy Sessions	320
Clearing ACL Counters	322
Debugging ACLs	322
Quick Start	323
Using the CLI to Configure Many-to-One NAT	323
Using the CLI to Configure One-to-One NAT	325
Content Filtering	329
Contents	329
Overview	330
Risks Posed by Non-Work-Related Use of the Internet	330
Web Content Filtering on the ProCurve Secure Router 7000dl Series	331
The Role of the Websense Enterprise Solution	331
The Role of the ProCurve Secure Router	332
Configuring Web Content Filtering	333
Creating a Filter on the ProCurve Secure Router	333
Specifying the Websense Server’s IP Address	334
Applying a Filter to a Router Interface	334
Specifying Behavior When the Server Is Unreachable	336
Defining Exclusive Domains-Domains the Router Automatically Allows or Blocks	336
Specifying the Maximum Number of Outstanding Requests to the Websense Server	338
Specifying the Maximum Number of Buffered Web Server Responses	338
Troubleshooting Web Content Filtering	339
Troubleshooting Tools-show, debug, and clear Commands	339
Troubleshooting Common Problems	342
Web Content Filtering Does Not Take Effect	342
Users Cannot Access the Web Sites They Need	345
The Router Cannot Connect to the Websense Server	346
Web Sites Do Not Load, Load Slowly, or Load Incompletely	348
Quick Start	349
Setting Up Quality of Service	351
Contents	351
Overview	354
Evaluating Traffic on Your Network	354
QoS Mechanisms on the ProCurve Secure Router	355
ToS Field	356
First In, First Out	360
WFQ	361
CBWFQ	361
LLQ	361
FRF.12	362
QoS Maps	362
Configuring WFQ	364
Overview	364
Conversations	364
Weight	365
Shortcomings	365
Packet Marking	366
Enabling WFQ	367
Setting the Queue Size	368
Configuring CBWFQ	369
Overview	369
Configuring Classes for CBWFQ	369
Creating a QoS Map Entry	370
Defining a Class	371
Allocating Bandwidth to a Class	376
Assigning the QoS Map to an Interface	378
Special Considerations for CBWFQ with Multilinks	379
CBWFQ Example Configuration	380
Configuring LLQ	382
Overview	382
Determining Bandwidth for the Queue	382
Determining Bandwidth for VoIP	383
Determining Bandwidth for Video Streaming	386
Placing Traffic in a Low-Latency Queue	387
Creating a QoS Map Entry	387
Selecting the Traffic to Be Placed in the Low-Latency Queue	387
Setting the Bandwidth Guaranteed the Queue	392
Marking Low Latency Packets with a ToS Value	394
Assigning the QoS Map to an Interface	394
Marking Packets with a ToS value	395
Creating a QoS Map Entry	395
Selecting the Traffic to Be Marked	396
Setting the ToS Value	400
Assigning the QoS Map to an Interface	401
Example Packet Marking Configuration	401
Configuring Rate Limiting for Frame Relay	403
Overview	403
Rate Limiting	403
FRF.12	403
Configuring Rate Limiting	404
Setting the Committed Burst Rate	405
Setting the Excessive Burst Rate	405
Configuring Frame Relay Fragmentation	406
Example Frame Relay QoS Configuration	407
Configuring QoS for Ethernet	408
Overview	408
Rate Limiting	408
Configuring Rate Limiting on an Ethernet Interface	408
Configuring QoS Policies on an Ethernet Interface	409
Example: Configuring QoS for VoIP	411
Enabling Application-Level Gateways for Applications with Special Needs	412
Enabling SIP Services	412
Defining VoIP Traffic	414
Determining the Required Bandwidth	415
Marking Signaling Traffic for Special Treatment	416
Configuring Frame Relay Rate Limiting	417
Monitoring QoS	418
Viewing QoS Maps	419
Managing Queues	420
Troubleshooting Common Configuration Problems	421
A Map Becoming Inactive	421
An Ethernet Interface Refusing to Take a QoS-Policy	422
Quick Start	422
Configuring WFQ	422
Configuring CBWFQ	423
Configuring a Low-Latency Queue	425
Marking Packets	426
Configuring Frame Relay Fragmentation	427
Configuring QoS on an Ethernet Interface	428
Network Monitoring	429
Contents	429
Overview	431
Network Monitor Probes	431
Probe Characteristics	432
Probe States	433
Network Monitor Tracks	433
Track Characteristics	433
Track States	433
Track Actions	433
Purposes of Network Monitoring	434
Testing Static Routes	434
Monitoring Network Performance	437
Routing Probe Traffic using Policy-Based Routing (PBR)	437
Configuring Network Monitoring	438
Configuring Probes	439
Creating a Probe and Selecting Its Type	439
Specifying the Probe’s Destination	440
Specifying the Test’s Timeout	442
Specifying the Probe’s Tolerance	442
Specifying the Probe’s Period	444
Setting the Source Address for Probe Packets	445
Setting the Source Port for Probe Packets	445
Special Considerations for Configuring Probes	446
Special Considerations for ICMP Echo Probes	446
Special Considerations for TCP Connect Probes	448
Special Considerations for HTTP Request Probes	448
Activating and Shutting Down the Probe	453
Configuring Tracks	454
Creating a Track	454
Specifying the Track’s Probes	455
Configuring a Dampening Interval	456
Enabling a Track to Log Changes	457
Activating and Shutting Down a Track	458
Configuring the Track’s Action-Associating the Track with a Route	459
Associating a Track with a Static Route	459
Associating a Track with a DHCP Default Route	460
Associating a Track with a Default Route Received with a Negotiated Address	461
Implementing PBR to Route Probe Traffic	462
Using NAT with Network Monitoring	465
Overview	465
Configuration Steps	466
Example	467
Disabling the RPF Check	468
Examples of Network Monitoring	470
Monitor Connectivity to the Internet	470
Monitor Static Routes to Remote Networks	473
Monitor Connectivity to a Mission-Critical TCP Server	475
Monitor Network Congestion and the Performance of Servers	478
Submit Information to a Remote Web Server	479
Viewing Network Monitor Tracks and Probes	483
Viewing Network Monitor Tracks	483
Debugging Network Monitor Tracks	484
Viewing Network Monitor Probes	484
Debugging Network Monitor Probes	485
Clearing Statistics	485
Troubleshooting Network Monitoring	486
Track Fails to Take Action	486
Track Takes an Inappropriate Action	487
Backup Route Fails to Be Added	488
Failed Primary Route Periodically Reappears in the Routing Table	489
Quick Start	490
Virtual Private Networks	495
Contents	495
Overview	498
VPN Tunnels	498
IP Security (IPSec)	498
IPSec Headers	499
Hash and Encryption Algorithms	500
IPSec VPN Tunnels	501
Security Associations (SAs)	501
IKE	502
VPN Overlay	507
Physical Setup	508
Configuring a VPN Using IPSec	509
Configuring IPSec with IKE	509
Configuring IPSec with Manual Keying	513
How the ProCurve Secure Router Processes IKE Policies and Crypto Maps	514
Configuration Tasks	517
Enabling Crypto Commands	517
Configuring IKE Policies	517
Peer ID	518
Initiate and Response Mode	520
Attribute Policy	522
Enabling NAT-Traversal (NAT-T) for a Client-to-Site VPN	525
Configuring a Peer’s Remote ID and Preshared Key	526
Site-to-Site Configuration	527
Client-to-Site Configuration	528
Configuring a Remote ID List for a VPN that Uses Digital Certificates	528
Mapping the Remote ID to an IKE Policy and Crypto Map Entry	529
Defining Traffic Allowed over the VPN Tunnel	529
Restricting Specified Hosts	530
Permitting Local and Remote Networks	531
Applying the ACL to a Crypto Map	532
Example Configuration	533
Enabling Router Traffic to Servers at a Remote VPN Site	533
Configuring IPSec SA Parameters	534
Transform Sets	534
Crypto Maps	536
Applying a Crypto Map to an Interface	540
Granting Remote Users a Private Network Address with IKE Mode Config (Required for Client-to-Site VPNs)	541
IKE Mode Config	541
Configuring an IKE Client Configuration Pool	542
Applying the Pool to an IKE Policy	543
Using Extended Authentication (Xauth) (Optional)	543
Configuring an Xauth Server	544