Section | Page |
Copyright and Disclaimers | 4 |
Contents | 5 |
Overview | 35 |
Contents | 35 |
Using This Guide | 37 |
Understanding Command Syntax Statements | 38 |
CLI Prompt Convention | 38 |
IP Address Convention | 39 |
Interface Numbering Convention | 39 |
Quick Start Sections | 40 |
Obtaining Additional Information | 40 |
Downloading Software Updates | 41 |
Interface Management Options | 43 |
CLI | 43 |
Web Browser Interface | 43 |
Accessing the Web Browser Interface | 44 |
Using the ProCurve Web Browser Interface | 45 |
CLI Tools | 47 |
Help Tools | 47 |
CLI Help Commands | 47 |
Editing Commands | 48 |
Basic Commands | 49 |
no | 49 |
do | 49 |
exit | 49 |
File Management Commands | 50 |
copy | 50 |
erase | 53 |
write | 53 |
autosynch | 53 |
Troubleshooting Commands | 54 |
reload in | 54 |
show | 55 |
show tech | 55 |
safe-mode | 56 |
Managing Configuration Files Using a Text Editor | 59 |
Using Error Messages to Repair a Configuration | 59 |
Quick Start | 62 |
Accessing the Secure Router OS | 62 |
Configuring the Enable Mode Password | 63 |
Configuring the Ethernet Interface | 63 |
Configuring Telnet Access | 64 |
Configuring SSH Access | 64 |
Configuring HTTP Access | 65 |
Increasing Bandwidth | 67 |
Contents | 67 |
Overview | 68 |
Configuring MLPPP | 70 |
PPP | 70 |
MLPPP | 71 |
LCP Options | 71 |
MLPPP Header | 72 |
MLPPP Configuration Concerns | 72 |
Enabling MLPPP | 72 |
Binding Multiple Carrier Lines to a PPP Interface | 73 |
Configuring MLFR | 74 |
Enabling MLFR | 75 |
Binding Multiple Carrier Lines to a Frame Relay Interface | 76 |
Configuring the Bundle ID | 77 |
Troubleshooting Multilinks | 78 |
Standard Procedure | 78 |
Physical Layer | 78 |
Data Link Layer | 78 |
Troubleshooting MLPPP | 81 |
MRRU | 81 |
ED | 82 |
Troubleshooting MLFR | 82 |
Quick Start | 85 |
MLPPP Configuration | 86 |
MLFR Configuration | 87 |
Configuring Backup WAN Connections | 89 |
Contents | 89 |
Backing Up Primary WAN Connections | 93 |
Analog Backup Connections | 93 |
ISDN-Backup Connections | 94 |
BRI ISDN | 95 |
Electrical Specifications for BRI ISDN | 97 |
Backup Modules for the ProCurve Secure Router | 97 |
Standards | 98 |
Data Link Layer Protocols | 99 |
Determining a Backup Method | 99 |
Using Demand Routing for Backup Connections | 100 |
Using Persistent Backup Connections | 102 |
Comparing Demand Routing and Persistent Backup Connections | 102 |
Configuring Demand Routing for Backup Connections | 106 |
Define the Traffic That Triggers the Connection | 106 |
Specifying a Protocol | 107 |
Defining the Source and Destination Addresses | 107 |
Configuring the Demand Interface | 108 |
Creating the Demand Interface | 110 |
Configuring an IP Address | 110 |
Matching the Interesting Traffic | 112 |
Specifying the connect-mode Option | 115 |
Associating a Resource Pool with the Demand Interface | 116 |
Defining a Connect Sequence | 116 |
Specify the Order in Which Connect Sequences Are Used | 118 |
Configure the Number of Connect Sequence Attempts | 118 |
Configure the connect-sequence interface-recovery Option | 119 |
Understanding How the connect-sequence Commands Work | 121 |
Configuring the idle-timeout Option | 124 |
Configuring the fast-idle Option | 124 |
Defining the caller-number | 125 |
Defining the called-number | 125 |
Configuring the Hold Queue | 125 |
Configuring the BRI or Modem Interface | 126 |
Accessing the BRI or Modem Interface | 127 |
Configuring the ISDN Signaling (Switch) Type | 127 |
Configuring an LDN for ISDN BRI S/T Modules | 128 |
Configuring a SPID and LDN for ISDN BRI U Modules | 129 |
Setting the Country for the Modem Interface | 129 |
Assigning BRI or Modem Interface to the Resource Pool | 130 |
Activating the Interface | 130 |
Caller ID Options for ISDN BRI Backup Modules (Optional) | 131 |
Configuring a Floating Static Route for the Demand Interface | 131 |
Configuring PPP Authentication for an ISDN Connection | 132 |
Enabling PPP Authentication for All Demand Interfaces | 133 |
Configuring PAP Authentication for a Demand Interface | 133 |
Configuring CHAP Authentication for a Demand Interface | 133 |
Configuring the Username and Password That the Router Expects to Receive | 134 |
Example of Demand Routing with PAP Authentication for a Backup Connection | 134 |
Configuring Peer IP Address | 135 |
Setting the MTU for Demand Interfaces | 136 |
Configuring a Persistent Backup Connection | 137 |
Configuring the Physical Interface for a Persistent Backup Connection | 137 |
Configuring a BRI Interface (ISDN Only) | 137 |
Configuring a Modem Interface (Analog Only) | 141 |
Using the Modem for Console Dial-In | 143 |
Replacing Incoming Caller ID for BRI and Modem Interfaces | 143 |
Configuring a Logical Interface for a Persistent Backup Connection | 144 |
Creating a Backup PPP Interface | 145 |
Activating the Interface | 145 |
Setting an IP Address | 146 |
Enabling PPP Authentication | 146 |
Configuring Persistent Backup Settings for a Primary Connection | 148 |
Accessing the Primary Connection’s Logical Interface | 148 |
Setting the Backup Call Mode | 149 |
Adding a Number to a Backup Dial List | 153 |
Controlling When a Backup Connection Can Be Established | 154 |
Setting Backup Timers | 156 |
Configuring a Floating Static Route for a Persistent Backup Connection | 157 |
Configuring Persistent Backup for Multiple Connections | 159 |
Viewing Backup Configurations and Troubleshooting Backup Connections | 160 |
Viewing Information about BRI and Modem Interfaces and Troubleshooting Problems | 160 |
Viewing the Status and Configuration of Backup Interfaces | 161 |
Viewing Information about Demand Routing and Troubleshooting Problems | 165 |
Viewing the Status of the Demand Interface | 165 |
Viewing a Summary of Information about the Demand Interface | 167 |
Viewing Demand Sessions | 168 |
Viewing the Resource Pool | 168 |
Show the Running-Config for the Demand Interface | 169 |
Troubleshooting Demand Routing | 169 |
Checking the Demand Interface | 169 |
Checking the ACL That Defines the Interesting Traffic | 170 |
Troubleshooting the Backup Connection | 171 |
Test Calls for ISDN Lines | 173 |
Troubleshooting PPP for a Demand Routing Backup Connection | 174 |
Viewing Information about Persistent Backup Connections and Troubleshooting Problems | 174 |
Viewing Backup Settings | 175 |
Viewing the Backup PPP Interface | 177 |
Monitoring the Dial-Up Process | 177 |
Troubleshooting Persistent Backup Connections | 179 |
Standard Procedures | 179 |
Quick Start | 184 |
Configuring Demand Routing for Backup Connections | 185 |
Configuring a Persistent Backup Connection | 192 |
Backing up a Connection with an ISDN BRI S/T Backup Module | 196 |
Backing up a Connection with an Analog Module | 198 |
ProCurve Secure Router OS Firewall - Protecting the Internal, Trusted Network | 201 |
Contents | 201 |
Overview | 203 |
Advantages of an Integrated Firewall | 203 |
Stateful-Inspection Firewalls | 204 |
Packet-Filtering Firewall | 204 |
Circuit-level Gateway | 206 |
Application-level Gateway | 207 |
Attack Checking | 209 |
SYN-flood Attacks | 210 |
WinNuke Attacks | 211 |
Reflexive Traffic | 212 |
Event Logging | 212 |
Configuring Attack Checking | 214 |
Enabling the Secure Router OS Firewall | 214 |
Enabling and Disabling Optional Attack Checks | 215 |
Checking Reflexive Traffic | 216 |
Configuring Stealth Mode | 217 |
Configuring ALGs | 218 |
Enabling the FTP ALG | 219 |
Enabling the H.323 ALG for Voice and Videoconferencing | 219 |
Enabling the SIP ALG for Voice over IP | 219 |
Enabling the PPTP ALG for VPNs | 220 |
Enabling Firewall Traversal | 220 |
Configuring Timeouts for Sessions | 221 |
Setting the Timeout for a Protocol | 221 |
Setting Timeouts for Specific TCP and UDP Applications | 222 |
Configuring Logging | 224 |
Specifying the Priority Level for Logged Events | 224 |
Specifying How Many Attacks Generate a Log | 226 |
Specifying How Many Policy Matches Generate a Log | 227 |
Forwarding Logs to a Syslog Server | 227 |
Forwarding Logs to an Email Address | 229 |
Quick Start | 231 |
Applying Access Control to Router Interfaces | 233 |
Contents | 233 |
Access Control for Interfaces on the ProCurve Secure Router | 235 |
Access Control Mechanisms | 236 |
Using ACLs Alone to Configure Access Control | 238 |
Configure ACLs | 238 |
ACL Entries | 238 |
Types of ACLs | 239 |
Creating an ACL | 241 |
Creating a Standard ACL | 241 |
Creating an Extended ACL | 243 |
Entry Order | 248 |
Adding a Descriptive Tag to an ACL | 249 |
Editing an Existing ACL | 250 |
Deleting an Existing ACL | 250 |
Applying the ACL to an Interface | 251 |
Selecting the Packet and Controlling the Action | 252 |
Controlling FTP, HTTP, and Telnet Access to the Router | 253 |
Restricting FTP Access | 254 |
Restricting HTTP Access | 254 |
Restricting Telnet Access | 255 |
Examples of Applying ACLs | 255 |
Using ACPs to Control Access to Router Interfaces | 258 |
Enable the Firewall | 258 |
Configure ACLs | 259 |
Types of ACLs | 259 |
Creating an ACL | 261 |
Creating a Standard ACL | 261 |
Creating an Extended ACL | 264 |
Configure ACPs | 267 |
Action | 267 |
Selector | 268 |
Creating an ACP | 268 |
Creating Entries in the ACP | 269 |
Editing ACPs | 269 |
Deleting an ACP | 269 |
Assigning the ACP to an Interface | 270 |
Using the reload Command | 270 |
Processing ACPs | 271 |
ACP Action Summary | 274 |
Traffic Flow through Interfaces with ACPs | 276 |
Inbound Interface Has an ACP; Outbound Interface Does Not Have an ACP | 277 |
Inbound Interface Has an ACP; Outbound Interface Has a Different ACP | 277 |
Inbound Interface Does Not Have an ACP; Outbound Interface Has an ACP | 278 |
Traffic in and out Through a Single Interface | 279 |
Examples of ACPs | 279 |
Viewing ACLs and ACPs | 283 |
Displaying ACLs | 283 |
Displaying ACPs | 284 |
Viewing Access Policy Sessions | 285 |
Viewing Access Policy Statistics | 286 |
Troubleshooting | 288 |
show Commands | 288 |
Monitoring Packets Matched to an ACP | 288 |
Clearing Existing Policy Sessions | 288 |
Clear ACL Counters | 290 |
Debug ACLs | 291 |
Quick Start | 292 |
Enabling the Built-in Firewall | 292 |
Configuring an ACL and Applying It Directly to an Interface | 293 |
Configuring ACPs | 295 |
Configuring Network Address Translation | 299 |
Contents | 299 |
NAT Services on the ProCurve Secure Router | 300 |
Many-to-One NAT for Outbound Traffic | 300 |
Using NAT with PAT | 301 |
One-to-One NAT for Inbound Traffic | 303 |
One-to-One NAT with Port Translation | 304 |
Configuring NAT | 306 |
Enabling the Firewall | 306 |
Configuring an ACL | 306 |
Types of ACLs | 307 |
Configuring an ACP | 311 |
Configuring Many-to-One NAT for Outbound Traffic | 312 |
Configuring One-to-One NAT for Inbound Traffic | 312 |
Configuring One-to-One NAT with Port Translation | 313 |
Assigning the ACP to an Interface | 314 |
Viewing ACLs and ACPs | 315 |
Displaying ACLs | 316 |
Displaying ACPs | 316 |
Viewing Access Policy Sessions | 317 |
Viewing Access Policy Statistics | 318 |
Troubleshooting | 319 |
Monitoring Packets Matched to an ACP | 319 |
Clearing Existing Policy Sessions | 320 |
Clearing ACL Counters | 322 |
Debugging ACLs | 322 |
Quick Start | 323 |
Using the CLI to Configure Many-to-One NAT | 323 |
Using the CLI to Configure One-to-One NAT | 325 |
Content Filtering | 329 |
Contents | 329 |
Overview | 330 |
Risks Posed by Non-Work-Related Use of the Internet | 330 |
Web Content Filtering on the ProCurve Secure Router 7000dl Series | 331 |
The Role of the Websense Enterprise Solution | 331 |
The Role of the ProCurve Secure Router | 332 |
Configuring Web Content Filtering | 333 |
Creating a Filter on the ProCurve Secure Router | 333 |
Specifying the Websense Server’s IP Address | 334 |
Applying a Filter to a Router Interface | 334 |
Specifying Behavior When the Server Is Unreachable | 336 |
Defining Exclusive Domains - Domains the Router Automatically Allows or Blocks | 336 |
Specifying the Maximum Number of Outstanding Requests to the Websense Server | 338 |
Specifying the Maximum Number of Buffered Web Server Responses | 338 |
Troubleshooting Web Content Filtering | 339 |
Troubleshooting Tools - show, debug, and clear Commands | 339 |
Troubleshooting Common Problems | 342 |
Web Content Filtering Does Not Take Effect | 342 |
Users Cannot Access the Web Sites They Need | 345 |
The Router Cannot Connect to the Websense Server | 346 |
Web Sites Do Not Load, Load Slowly, or Load Incompletely | 348 |
Quick Start | 349 |
Setting Up Quality of Service | 351 |
Contents | 351 |
Overview | 354 |
Evaluating Traffic on Your Network | 354 |
QoS Mechanisms on the ProCurve Secure Router | 355 |
ToS Field | 356 |
First In, First Out | 360 |
WFQ | 361 |
CBWFQ | 361 |
LLQ | 361 |
FRF.12 | 362 |
QoS Maps | 362 |
Configuring WFQ | 364 |
Overview | 364 |
Conversations | 364 |
Weight | 365 |
Shortcomings | 365 |
Packet Marking | 366 |
Enabling WFQ | 367 |
Setting the Queue Size | 368 |
Configuring CBWFQ | 369 |
Overview | 369 |
Configuring Classes for CBWFQ | 369 |
Creating a QoS Map Entry | 370 |
Defining a Class | 371 |
Allocating Bandwidth to a Class | 376 |
Assigning the QoS Map to an Interface | 378 |
Special Considerations for CBWFQ with Multilinks | 379 |
CBWFQ Example Configuration | 380 |
Configuring LLQ | 382 |
Overview | 382 |
Determining Bandwidth for the Queue | 382 |
Determining Bandwidth for VoIP | 383 |
Determining Bandwidth for Video Streaming | 386 |
Placing Traffic in a Low-Latency Queue | 387 |
Creating a QoS Map Entry | 387 |
Selecting the Traffic to Be Placed in the Low-Latency Queue | 387 |
Setting the Bandwidth Guaranteed the Queue | 392 |
Marking Low Latency Packets with a ToS Value | 394 |
Assigning the QoS Map to an Interface | 394 |
Marking Packets with a ToS value | 395 |
Creating a QoS Map Entry | 395 |
Selecting the Traffic to Be Marked | 396 |
Setting the ToS Value | 400 |
Assigning the QoS Map to an Interface | 401 |
Example Packet Marking Configuration | 401 |
Configuring Rate Limiting for Frame Relay | 403 |
Overview | 403 |
Rate Limiting | 403 |
FRF.12 | 403 |
Configuring Rate Limiting | 404 |
Setting the Committed Burst Rate | 405 |
Setting the Excessive Burst Rate | 405 |
Configuring Frame Relay Fragmentation | 406 |
Example Frame Relay QoS Configuration | 407 |
Configuring QoS for Ethernet | 408 |
Overview | 408 |
Rate Limiting | 408 |
Configuring Rate Limiting on an Ethernet Interface | 408 |
Configuring QoS Policies on an Ethernet Interface | 409 |
Example: Configuring QoS for VoIP | 411 |
Enabling Application-Level Gateways for Applications with Special Needs | 412 |
Enabling SIP Services | 412 |
Defining VoIP Traffic | 414 |
Determining the Required Bandwidth | 415 |
Marking Signaling Traffic for Special Treatment | 416 |
Configuring Frame Relay Rate Limiting | 417 |
Monitoring QoS | 418 |
Viewing QoS Maps | 419 |
Managing Queues | 420 |
Troubleshooting Common Configuration Problems | 421 |
A Map Becoming Inactive | 421 |
An Ethernet Interface Refusing to Take a QoS-Policy | 422 |
Quick Start | 422 |
Configuring WFQ | 422 |
Configuring CBWFQ | 423 |
Configuring a Low-Latency Queue | 425 |
Marking Packets | 426 |
Configuring Frame Relay Fragmentation | 427 |
Configuring QoS on an Ethernet Interface | 428 |
Network Monitoring | 429 |
Contents | 429 |
Overview | 431 |
Network Monitor Probes | 431 |
Probe Characteristics | 432 |
Probe States | 433 |
Network Monitor Tracks | 433 |
Track Characteristics | 433 |
Track States | 433 |
Track Actions | 433 |
Purposes of Network Monitoring | 434 |
Testing Static Routes | 434 |
Monitoring Network Performance | 437 |
Routing Probe Traffic using Policy-Based Routing (PBR) | 437 |
Configuring Network Monitoring | 438 |
Configuring Probes | 439 |
Creating a Probe and Selecting Its Type | 439 |
Specifying the Probe’s Destination | 440 |
Specifying the Test’s Timeout | 442 |
Specifying the Probe’s Tolerance | 442 |
Specifying the Probe’s Period | 444 |
Setting the Source Address for Probe Packets | 445 |
Setting the Source Port for Probe Packets | 445 |
Special Considerations for Configuring Probes | 446 |
Special Considerations for ICMP Echo Probes | 446 |
Special Considerations for TCP Connect Probes | 448 |
Special Considerations for HTTP Request Probes | 448 |
Activating and Shutting Down the Probe | 453 |
Configuring Tracks | 454 |
Creating a Track | 454 |
Specifying the Track’s Probes | 455 |
Configuring a Dampening Interval | 456 |
Enabling a Track to Log Changes | 457 |
Activating and Shutting Down a Track | 458 |
Configuring the Track’s Action - Associating the Track with a Route | 459 |
Associating a Track with a Static Route | 459 |
Associating a Track with a DHCP Default Route | 460 |
Associating a Track with a Default Route Received with a Negotiated Address | 461 |
Implementing PBR to Route Probe Traffic | 462 |
Using NAT with Network Monitoring | 465 |
Overview | 465 |
Configuration Steps | 466 |
Example | 467 |
Disabling the RPF Check | 468 |
Examples of Network Monitoring | 470 |
Monitor Connectivity to the Internet | 470 |
Monitor Static Routes to Remote Networks | 473 |
Monitor Connectivity to a Mission-Critical TCP Server | 475 |
Monitor Network Congestion and the Performance of Servers | 478 |
Submit Information to a Remote Web Server | 479 |
Viewing Network Monitor Tracks and Probes | 483 |
Viewing Network Monitor Tracks | 483 |
Debugging Network Monitor Tracks | 484 |
Viewing Network Monitor Probes | 484 |
Debugging Network Monitor Probes | 485 |
Clearing Statistics | 485 |
Troubleshooting Network Monitoring | 486 |
Track Fails to Take Action | 486 |
Track Takes an Inappropriate Action | 487 |
Backup Route Fails to Be Added | 488 |
Failed Primary Route Periodically Reappears in the Routing Table | 489 |
Quick Start | 490 |
Virtual Private Networks | 495 |
Contents | 495 |
Overview | 498 |
VPN Tunnels | 498 |
IP Security (IPSec) | 498 |
IPSec Headers | 499 |
Hash and Encryption Algorithms | 500 |
IPSec VPN Tunnels | 501 |
Security Associations (SAs) | 501 |
IKE | 502 |
VPN Overlay | 507 |
Physical Setup | 508 |
Configuring a VPN Using IPSec | 509 |
Configuring IPSec with IKE | 509 |
Configuring IPSec with Manual Keying | 513 |
How the ProCurve Secure Router Processes IKE Policies and Crypto Maps | 514 |
Configuration Tasks | 517 |
Enabling Crypto Commands | 517 |
Configuring IKE Policies | 517 |
Peer ID | 518 |
Initiate and Response Mode | 520 |
Attribute Policy | 522 |
Enabling NAT-Traversal (NAT-T) for a Client-to-Site VPN | 525 |
Configuring a Peer’s Remote ID and Preshared Key | 526 |
Site-to-Site Configuration | 527 |
Client-to-Site Configuration | 528 |
Configuring a Remote ID List for a VPN that Uses Digital Certificates | 528 |
Mapping the Remote ID to an IKE Policy and Crypto Map Entry | 529 |
Defining Traffic Allowed over the VPN Tunnel | 529 |
Restricting Specified Hosts | 530 |
Permitting Local and Remote Networks | 531 |
Applying the ACL to a Crypto Map | 532 |
Example Configuration | 533 |
Enabling Router Traffic to Servers at a Remote VPN Site | 533 |
Configuring IPSec SA Parameters | 534 |
Transform Sets | 534 |
Crypto Maps | 536 |
Applying a Crypto Map to an Interface | 540 |
Granting Remote Users a Private Network Address with IKE Mode Config (Required for Client-to-Site VPNs) | 541 |
IKE Mode Config | 541 |
Configuring an IKE Client Configuration Pool | 542 |
Applying the Pool to an IKE Policy | 543 |
Using Extended Authentication (Xauth) (Optional) | 543 |
Configuring an Xauth Server | 544 |
Configuring an Xauth Host | 547 |
Using Digital Certificates (Optional) | 548 |
Overview | 548 |
Obtaining Digital Certificates | 551 |
Managing Certificates | 555 |
Configuring a VPN using IPSec with Manual Keying | 558 |
Configuring the Transform Set | 559 |
Configuring Crypto Maps for Manual IPSec | 561 |
Example Configuration | 563 |
Monitoring a VPN | 564 |
Troubleshooting a VPN That Uses IPSec | 567 |
Tools and Procedures | 567 |
Troubleshooting Commands | 568 |
Checking WAN Connections | 569 |
Determining the Source of the Problem: Permitting All Traffic in a VPN | 569 |
Monitoring the IKE Process using Debug Commands | 570 |
Comparing VPN Policies | 574 |
Returning VPN Policies to Their Defaults | 580 |
Quick Start | 582 |
Configuring a Site-to-Site VPN | 584 |
Configuring a Client-to-Site VPN | 588 |
Obtaining Digital Certificates | 595 |
Configuring a Tunnel with Generic Routing Encapsulation | 597 |
Contents | 597 |
Overview | 598 |
GRE Tunnels | 598 |
Advantages and Disadvantages of GRE | 599 |
Configuring GRE | 600 |
Creating the Tunnel Interface | 600 |
Configuring the Tunnel’s Source and Destination and IP Address | 600 |
Configuring the Tunnel Source | 601 |
Configuring the Tunnel Destination | 602 |
Configuring the Tunnel’s IP Address | 603 |
Configuring the Tunnel Key | 603 |
Specifying Tunnel Traffic | 603 |
Sending Routing Updates over the Tunnel | 604 |
Sending Multicasts over the Tunnel | 605 |
Sending all Traffic to a Network over the Tunnel | 606 |
Filtering Traffic that Arrives on the Tunnel | 607 |
Enabling Checksum Verification | 608 |
Troubleshooting GRE Configuration | 609 |
The Tunnel Goes Down | 609 |
The Router Does Not Receive Traffic through the Tunnel | 610 |
The Router Does Not Receive Routing Updates | 610 |
Quick Start | 611 |
Configuring Multicast Support for a Stub Network | 613 |
Contents | 613 |
Overview | 615 |
Multicast Applications | 615 |
IP Multicasting | 616 |
Multicast Addresses | 617 |
Host Groups | 617 |
IGMP | 618 |
IGMP Queries | 619 |
IGMP Reports | 619 |
Multicast Routing Protocols | 620 |
IGMP Proxy | 621 |
Configuring IGMP Proxy for Multicast Stub Routing Support | 623 |
Enabling IP Multicast Routing | 624 |
Setting the Multicast Helper Address | 624 |
Determining Which Interfaces are Downstream and Which Upstream | 625 |
Configuring a Downstream Interface | 626 |
Configuring an IGMP Multicast Agent | 626 |
Enabling IGMP Proxy | 627 |
Enabling Multicast Forwarding | 627 |
Configuring an Upstream Interface | 628 |
Configuring Multicast Routing through a Fixed Interface | 628 |
Tunneling Multicast Traffic through the Internet | 629 |
Adding the Router Stack to a Multicast Group | 630 |
Altering IGMP Query Intervals | 631 |
Troubleshooting Multicast Stub Routing and IGMP | 633 |
Strategies and Tools | 633 |
Procedure for Troubleshooting Multicast Stub Routing | 635 |
Quick Start | 638 |
Configuring Multicast Support with PIM-SM | 641 |
Contents | 641 |
Overview | 643 |
Multicast Trees | 644 |
RP Tree | 644 |
SP Tree | 645 |
Multicast Routing Table | 646 |
Joining a Shared or RP Tree | 648 |
Switching from an RP to an SP Tree | 649 |
RPs | 649 |
Edge Routers | 652 |
A Source’s DR | 654 |
Building RP and SP Trees When the Source Begins Multicasting First | 655 |
A Source Begins Multicasting Before Any Hosts Join Its Group | 655 |
A Host Joins a Group After Routers Have Already Switched to an SP Tree | 656 |
RP Selection | 657 |
PIM-SM Packets | 658 |
Join/Prune Packets | 658 |
Register Packets | 665 |
Register-Stop Packets | 666 |
Bootstrap Packets | 666 |
Hellos | 666 |
Asserts | 666 |
Configuring PIM-SM | 668 |
Enabling PIM-SM | 669 |
Configuring a Static RP Set | 670 |
Specifying Static RPs that Support All Groups | 671 |
Specifying a Static RP for a Specific Group | 672 |
Specifying When the Router Switches to the SP Tree | 675 |
Forcing the Router to Use the RP Tree Permanently | 676 |
Changing an Interface’s DR Priority | 676 |
Changing PIM-SM Timers | 677 |
Join/Prune Period | 678 |
Hello Timer | 679 |
Override and Propagation Delay Timers | 679 |
Configuration Examples | 680 |
Example 1: Configuring PIM-SM in a Network with a Headquarters and Two Small Remote Sites | 680 |
Example 2: Configuring Specific RPs to Support Specific Groups | 685 |
Troubleshooting PIM-SM | 688 |
Monitoring the Multicast Routing Table | 688 |
Flags | 689 |
First Line of a Multicast Routing Table Entry | 690 |
Incoming Interface | 692 |
Outgoing Interface List | 693 |
Viewing PIM-SM Information | 694 |
PIM-SM Troubleshooting Process | 696 |
Troubleshooting an Edge Router | 696 |
Troubleshooting A Router in Conjunction with Its PIM Neighbors | 701 |
Quick Start | 708 |
Link Layer Discovery Protocol | 711 |
Contents | 711 |
Overview | 712 |
LLDP | 712 |
LLDP Messages | 713 |
Viewing LLDP Information | 715 |
Viewing LLDP Neighbor Information | 715 |
Viewing Local LLDP Activity | 718 |
Viewing Real-Time LLDP Messages: debug lldp Commands | 719 |
Viewing LLDP Timers | 721 |
Configuring LLDP | 722 |
Preventing an Interface from Sending Certain LLDP Messages | 722 |
Preventing an Interface from Receiving LLDP Messages | 724 |
Altering LLDP Timers | 724 |
Quick Start | 725 |
IP Routing - Configuring RIP, OSPF, BGP, and PBR | 727 |
Contents | 727 |
Overview | 732 |
Routing Protocols | 732 |
Dynamic Routing Protocols Supported on the ProCurve Secure Router | 733 |
How Routing Protocols Work | 733 |
Advantages and Disadvantages of Routing Protocols | 736 |
Load Sharing | 737 |
Configuring RIP | 738 |
RIP Process | 738 |
RIP Updates, v1 and v2 | 739 |
Speeding Convergence: Split Horizon, Poison Reverse, and Triggered Updates | 741 |
RIP Timing Intervals | 743 |
RIP Configuration Considerations | 744 |
Selecting a RIP Version | 745 |
Setting a Global RIP Version | 746 |
Setting RIP Versions for Particular Interfaces | 746 |
Specifying Networks That Will Participate in RIP | 747 |
Redistributing Routes | 748 |
Redistributing Connected Routes | 749 |
Redistributing OSPF Routes | 750 |
RIP Route Filtering | 750 |
Creating an ACL to Act as a RIP Filter | 751 |
Applying a RIP Filter | 751 |
Example RIP Filter | 753 |
Enabling and Disabling Route Summarization for Classful Subnets | 753 |
Configuring a Passive Interface: Prohibiting an Interface from Sending Updates | 756 |
Altering RIP Intervals | 757 |
Configuring OSPF | 758 |
LSAs | 759 |
Point-to-Point Versus Multi-Access Networks | 760 |
Areas | 760 |
LSA Types | 763 |
Route Computation | 764 |
OSPF Configuration Concerns | 765 |
Setting the Router ID | 770 |
Advertising Networks and Establishing OSPF Areas | 771 |
Defining an OSPF Network Within an Area | 771 |
Configuring Stub Areas | 772 |
Route Summarization (ABRs): Advertising a Link to One Area to Routers in Another Area | 773 |
Example Configuration of OSPF Areas | 778 |
Prohibiting the Advertisement of Networks | 780 |
Generating a Default External Route (ASBR) | 780 |
Configuring Route Summaries for ASBRs | 781 |
Configuring Cost Calculation for a Link | 782 |
Redistributing Routes Discovered by Other Protocols (ASBRs) | 784 |
Redistributing RIP Routes | 784 |
Redistributing Connected and Static Routes | 785 |
Configuring the Default Metric for Redistributed Routes | 786 |
Changing a Router’s DR Priority | 786 |
Altering OSPF Intervals | 786 |
Configuring OSPF Authentication | 788 |
Example OSPF Configuration | 790 |
Configuring BGP | 793 |
BGP Advantages | 794 |
VRF and MPLS | 795 |
Multihoming | 796 |
BGP Neighbors | 796 |
BGP Messages | 797 |
BGP Configuration Concerns | 797 |
Enabling BGP | 799 |
Advertising Local Networks | 799 |
Setting the Router ID | 800 |
Configuring a BGP Neighbor | 801 |
Setting the BGP Neighbor ID | 801 |
Specifying the Local and Remote AS | 801 |
Load Balancing | 802 |
Balancing Loads over Multiple Connections to the Same Neighbor: Specifying the Source for Updates | 803 |
Balancing Loads over Connections to Different Neighbors | 804 |
Creating Prefix Lists: Configuring Filters for Route Exchange | 807 |
Naming the List | 808 |
Assigning the Entry an Order | 808 |
Discarding or Allowing Routes | 808 |
Specifying the Network Address | 808 |
Specifying the Range of Prefix Lengths | 809 |
Applying Filters | 809 |
Example BGP Policies | 810 |
Example Prefix List Configuration | 814 |
Configuring Route Maps: Creating More Complex Policies for Route Exchange | 814 |
Creating a Route Map Entry | 816 |
Configuring a Community List | 816 |
Configuring an AS Path List | 817 |
Defining the Routes that a Router Can Advertise | 818 |
Placing a Route in a Community: Requesting a Neighbor to Advertise a Route to Certain Peers Only | 823 |
Prepending Private AS Numbers for Load Balancing | 825 |
Setting a Multi-Exit Discriminator Metric for Load Balancing | 826 |
Filtering Inbound Routes | 829 |
Applying Policies to Inbound Routes | 830 |
Deleting Communities from a Route | 831 |
Applying a Route Map Entry to a BGP Neighbor | 832 |
Enabling Soft Reconfiguration | 833 |
Prohibiting the Advertisement of Default Routes | 833 |
Disabling IGP Synchronization | 833 |
Configuring Route Summarizations | 834 |
Setting Administrative Distance for BGP Routes | 834 |
Altering BGP Intervals | 834 |
Configuration Examples | 835 |
Example 1: Baseline BGP Configuration | 835 |
Example 2: Baseline BGP Configuration for a Router that Runs an IGP | 837 |
Example 3: Configuring a Standard BGP Policy on a Router That Receives Routes to Remote Private Sites | 839 |
Example 4: Configuring BGP Policies for a Router That Multihomes | 841 |
Configuring Load Sharing | 848 |
Configuring Policy-Based Routing | 851 |
Overview | 851 |
Configuring a Route Map for PBR | 853 |
Selecting Traffic for a Route Map Entry | 854 |
Implementing PBR According to Source | 855 |
Implementing PBR According to Application | 858 |
Implementing PBR According to Traffic Priority | 860 |
Implementing PBR According to Payload Size | 863 |
Setting the Routing Policy in a Route Map Entry | 864 |
Configuring Default Routes in a Route Map Entry | 866 |
Using a Route Map to Mark Packets with a QoS Value | 867 |
Setting the Don’t Fragment Bit | 869 |
Assigning a Route Map to an Interface | 870 |
Applying a Route Map to Router Traffic | 870 |
PBR Configuration Examples | 870 |
Routing Traffic to a Security Appliance | 870 |
Routing Traffic to a Caching Server | 872 |
Reserving a Connection for VoIP and Video Traffic | 873 |
Troubleshooting Routing | 874 |
Monitoring the Routing Table | 874 |
Monitoring Routes | 877 |
Clearing Routes | 877 |
Troubleshooting RIP | 879 |
Router Not Receiving Routes | 879 |
Other Routers Not Receiving Routes to the Local Router’s Subnets | 880 |
Troubleshooting OSPF | 881 |
Troubleshooting an Internal Router | 884 |
Troubleshooting an ABR | 888 |
Troubleshooting BGP | 890 |
Strategies and Tools | 890 |
Troubleshooting a Prefix List | 898 |
Troubleshooting a Route Map | 899 |
Other Common BGP Problems | 900 |
Monitoring and Troubleshooting PBR | 901 |
Quick Start | 904 |
RIP Routing | 905 |
OSPF Routing | 905 |
Configuring an Internal Router | 906 |
Configuring an ABR | 907 |
Configuring an ASBR | 908 |
Configuring BGP | 909 |
Configuring PBR | 910 |
Using the Web Browser Interface for Advanced Configuration Tasks | 915 |
Contents | 915 |
Configuring Access to the Web Browser Interface | 918 |
Enabling Access to the Web Browser Interface | 918 |
The Web Browser Interface Navigation Panel | 919 |
Managing AutoSynch™, Files, Firmware, Logging, and Boot Software | 920 |
AutoSynch™ | 921 |
Configuration | 922 |
Firmware | 925 |
Debug | 928 |
Reboot Unit | 932 |
Telnet to Unit | 933 |
Enabling IP Services on the Router | 934 |
Web Access Configuration | 936 |
Increasing Bandwidth | 938 |
Configuring MLPPP | 938 |
Configuring MLFR | 940 |
Backup Modules | 941 |
Configuring the ProCurve Secure Router OS Firewall | 941 |
Enabling Attack Checking | 943 |
Enabling Event Logging | 944 |
Enabling Email Forwarding | 946 |
Enabling Syslog Forwarding | 947 |
Display the Event History | 948 |
Enabling ALGs | 948 |
Configuring Session Timeouts | 949 |
Using the Firewall Wizard | 951 |
Configuring Access Control from the Web Browser Interface | 955 |
Configuring Access Control Lists (ACLs) | 955 |
Configuring Access Control Policies (ACPs) | 958 |
Filtering, or Blocking, Traffic | 960 |
Allowing Traffic | 962 |
Configuring NAT | 964 |
Configuring Many-to-One NAT | 964 |
Configuring One-to-One NAT | 965 |
Configuring Policies to Control Management Access to the ProCurve Secure Router | 967 |
Customizing Your Policies | 967 |
Changing the Order of Policies | 971 |
Assigning the Security Zone (the ACP) to an Interface | 971 |
Configuring Quality of Service | 972 |
Configuring WFQ | 973 |
Configuring QoS for VoIP with the QoS Wizard | 976 |
Configuring LLQ | 981 |
Configuring Packet Marking | 985 |
Configuring Frame Relay Fragmentation and Rate Limiting | 987 |
Setting Up Network Monitoring | 989 |
Network Monitor Wizard | 989 |
Creating a Network Monitor Probe | 998 |
Creating a Network Monitor Track | 1000 |
Setting Up Virtual Private Networks | 1003 |
VPN Wizard | 1003 |
VPN Peer Name | 1004 |
Public Interface | 1004 |
Peer Type | 1004 |
Mobile VPN Peer Settings (Client-to-site VPN Only) | 1006 |
Extended Authentication (Client-to-site VPN Only) | 1007 |
Remote Network | 1008 |
Local Network | 1008 |
Authentication Type | 1009 |
Remote ID | 1009 |
Local ID | 1010 |
IKE Settings (Custom Setup Only) | 1010 |
IPSec Settings (Custom Setup Only) | 1013 |
Confirm Settings | 1014 |
VPN Peers | 1016 |
Adding a Second Remote Site to the VPN | 1016 |
Configuring Advanced VPN Parameters | 1027 |
Configuring IKE SA Parameters | 1027 |
Configuring IPSec SA Parameters | 1030 |
Enabling Xauth | 1033 |
Adding Remote IDs | 1034 |
Obtaining Certificates | 1037 |
Obtaining Certificates Manually | 1039 |
Obtaining Certificates Automatically | 1045 |
Setting Up Generic Routing Encapsulation (GRE) Tunnels | 1050 |
Multicast | 1054 |
Configuring LLDP | 1055 |
Setting LLDP Timers | 1055 |
Enabling and Disabling LLDP on an Interface | 1056 |
Viewing LLDP Neighbors | 1057 |
Routing | 1059 |
Configuring RIP | 1060 |
Configuring OSPF | 1062 |
Specifying OSPF Networks | 1064 |
Redistributing Routes into OSPF | 1065 |
Generating a Default Route (ASBR) | 1066 |
Advertising Summary Routes (ASBR) | 1067 |
Configuring Global OSPF Parameters | 1068 |
Configuring OSPF Parameters for Individual Interfaces | 1070 |
Viewing OSPF Information | 1073 |