3Com Router Configuration Guide for V1.20 http://www.3com.com/ Part No.
3Com Router Configuration Guide Addendum for V1.20

1.1. Introduction

1.1.1. Scope

This manual provides configuration information for new software features found in V1.20 of the 3Com Router operating system. Use this addendum to supplement configuration information found in the 3Com Router Configuration Guide.

1.1.2. Online Resources

Download the Router 3000 Installation Guide from: http://support.3com.com/infodeli/tools/routers/R3000Install.

Chapter 1 Configuring Class-Based Queuing

As an extension of WFQ, class-based queuing (CBQ) provides users with class definition support. CBQ assigns individual FIFO reservation queues to the classes defined by each user to buffer data of the same class. When there is network congestion, CBQ matches outbound packets according to the classification rule defined by users to make them enter relevant queues.
policing upon congestion. If no congestion occurs, the priority class is permitted to use bandwidth exceeding the assigned value. In case of congestion, packets exceeding the assigned bandwidth of the priority class will be discarded. Burst size is also configurable under LLQ. When the system matches packets with rules, it matches priority classes before other classes.

Table 1-2 Define/delete the rule matching all packets

Operation                               Command
Define the rule matching all packets    if-match [ logic-not ] any
Delete the rule matching all packets    undo if-match [ logic-not ] any

2) Define the class matching rule

Perform the following configurations in class view.
The matching rules of the source MAC address are only meaningful for the policies in inbound direction and the interface of Ethernet type.

5) Define the inbound interface matching rule of a class

Perform the following configurations in class view.
Use the corresponding command to configure the value of ip precedence during the configuration; otherwise, the configuration of the if-match ip precedence command will overwrite the previous configurations.

8) Define the RTP port matching rule

Perform the following configurations in class view.
Perform the following configurations in the system view.

Table 1-12 Define the policy and enter the policy view

Operation                                     Command
Define the policy and enter the policy view   qos policy policy-name
Delete the specified policy                   undo qos policy policy-name

If an interface applies this policy, this policy is not allowed to be deleted. You must remove the application of this policy on the interface and then delete the policy with the undo qos policy command.
configured with a maximum bandwidth, the system will assign the class an individual queue, called the default queue. Theoretically, each class can be configured with bandwidth of any size, but generally, the priority classes can occupy 70% of the total bandwidth, and other ordinary classes and the default class occupy less than 10%.

3) Configure the maximum queue length of the class

Configure maximum queue length of the class and configure the drop type as tail drop. Perform the following configurations in the policy-class view.

Table 1-18 Configure exponential of average queue length calculated by WRED

Operation: Configure exponential of average queue length calculated by WRED
Command:   wred weighting-constant exponent

Operation: Delete the configuration of exponential of average queue length calculated by WRED
Command:   undo wred weighting-constant

This command can be used only after the af command has been configured and the wred command has been used to enable WRED discard mode.
The discarding mode based on WRED must already have been enabled via the wred ip-precedence command. When the configuration of qos wred is deleted, the wred ip-precedence is also deleted. When the af configuration is deleted, the configuration of discarding parameters will also be deleted.

8) Enable/Disable traffic policing

Perform the following configurations in the policy-class view.
If qos gts is used in the class-policy that is applied to the interface, it can only be applied to the outbound interface. When the class including TS is applied to the interface, the original qos gts command that is configured on the interface will become invalid. If this command is repeatedly executed to configure the same class policy, the last configuration replaces the previous one.
The following rules govern applying a policy in interface view.

A policy configured with various features (including remark, car, gts, af, ef, wfq, and wred) can be applied to a common physical interface and a virtual template interface over MP.

The policy configured with TS (gts), and ef, af, wfq cannot be applied on the interface as an inbound policy.

The sub-interface does not support ef, af, or wfq but supports TS (gts) and TP (car).
In terms of service, service flow 1 must occupy a bandwidth of 10K, service flow 2 must occupy a bandwidth of 20K, under the premise of ensuring voice service.

[Figure: networking diagram with PC1, PC2, PC3 and Router A, showing the Ethernet (E0, E1) and serial (s0) interface addresses]

Chapter 2 Configuring TACACS+

TACACS+ works together with AAA to control PPP, VPDN, and login access to routers. CISCO ACS is the only application software that is supported. Compared to RADIUS, TACACS+ features more reliable transmission and encryption, and is more suitable for security control. The following table lists the primary differences between TACACS+ and RADIUS protocols.

2.2 The Basic Message Interaction Flow of TACACS+

For example, when TACACS+ is used to implement AAA on a telnet user, the basic message interaction flow is as follows:

1) A user requests access to the router. The router (TACACS+ client) sends the authentication start packet to the TACACS+ server upon receipt of the request.

2) The TACACS+ server sends an authentication response packet requesting the user name.
Standby/Primary server switchover interval
The shared key for the AAA negotiation between the router and TACACS+ Server
Set the timeout time waiting for a TACACS+ server to make a response
Specify a source IP address for all the TACACS+ packets to be transmitted

2.4.1 Create a TACACS+ server group

Before a TACACS+ server can be used to implement AAA, you should first create a TACACS+ server group and put the TACACS+ server into the group.
Note: When this command is used without the parameter shared-key key-string, the default key configured using the shared-key command will be used for negotiation.

2.4.
Caution:
1) The entered key must match the key used by the TACACS+ server.
2) All the leading spaces and ending spaces in a key string will be ignored. In addition, a key that contains spaces in the middle is not supported.

2.4.5 Specify a Source IP Address for the TACACS+ Packets to be Transmitted

You can specify a source IP address for the TACACS+ packets sent from different interfaces on the router.

2.5 Displaying and Debugging TACACS+

Execute the following commands in all views.

Table 2-7 Display and debug AAA and RADIUS

Operation                                                Command
Display all the accounting details.                      display hwtacacs accounting [ verbose ]
Display all the router-TACACS+ interaction details.
Clear all the accounting details.
Clear all the router-TACACS+ interaction details.
2 Configure “mykey” as the shared key for the AAA negotiation with the TACACS+ server.
[3Com-HWTACACS-tactemplate1]shared-key mykey
[3Com-HWTACACS-tactemplate1] quit

3 Enable AAA.
[3Com]aaa-enable

4 Implement authentication on telnet login users.
[3Com-serial0] quit

12 Assign an IP address to the interface Ethernet0.
[3Com]interface ethernet 0
[3Com-ethernet0]ip address 10.110.1.10 255.255.0.0

13 Assign an IP address to Ethernet1.
[3Com-ethernet0]interface ethernet 1
[3Com-ethernet1]ip address 192.10.1.1 255.255.255.0
[3Com-ethernet1]return

2.6.
[3Com-HWTACACS-tactemplate1] shared-key mykey
[3Com-HWTACACS-tactemplate1] quit

5 Configure the IP address, authentication port, and accounting port on the RADIUS server.
[3Com]radius server 10.110.1.2

6 Configure the key, retransmission times, and the timeout time for the RADIUS server.
[3Com] radius shared-key my-secret
[3Com] radius retry 2
[3Com] radius timer response-timeout 5

7 Configure authentication of Telnet login users.
13 Apply the default scheme for accounting on telnet login users.
[3Com]login-method accounting-mode login telnet default

14 Enable accounting on Serial0, and configure and apply the default accounting scheme.
[3Com] aaa accounting-scheme ppp default radius template tactemplate1
[3Com]interface Serial0
[3Com-Serial0]link-protocol ppp
[3Com-Serial0]ppp accounting default
[3Com-serial0] quit

15 Assign an IP address to Ethernet0.

Chapter 3 Configuring SSH Terminal Service

Secure Shell (SSH) is a feature that provides information security and powerful authentication functions, which can protect a router from attacks such as IP address spoofing and plain-text password interception. This is especially evident for remote users who access the router from a nonsecure network environment. The router supports simultaneous access by multiple SSH clients.
To set up a secure and authenticated SSH connection, the server and client must go through a communication procedure that falls into five stages: version negotiation, key algorithm negotiation, authentication type negotiation, session request, and session interaction.

3.1 Configuring SSH

The basic configuration of SSH is required for the SSH Client to connect to the SSH Server (router) successfully. Advanced SSH configurations are optional.

Table 3-2 Configure and destroy RSA key-pairs

Operation                    Command
Generate RSA key-pairs       rsa local-key-pair create
Destroy the RSA key-pairs    rsa local-key-pair destroy

Caution: An essential operation underlying a successful SSH login is generating local RSA key-pairs. Before performing any other SSH configuration tasks, you must generate a local key-pair by configuring the rsa local-key-pair create command.
Operation                                  Command
Set a server key-pair updating interval    ssh server rekey-interval hours
Restore the default updating interval      undo ssh server rekey-interval

By default, the system does not update the server key-pair.

Perform this task to set an SSH authentication timeout period. Perform the following configuration in system view.
when entering key data but they will be deleted by the system. The configured public key must be a consecutive hexadecimal character string coded in the public key format. Execute the public-key-code end command to stop public key editing and save the key. Before you save the key, however, you should verify the validity of the key in case the key data are rendered useless due to illegal characters contained in the public key string.
Perform the following configuration in system view.

Table 3-11 Close SSH processes by force

Operation                         Command
Kill SSH process(es) by force     kill ssh { all | userID userid }

VI. Display and Debug SSH Information

After finishing the configurations described above, view the running state of SSH by executing the display commands in all views to verify the configuration. You can debug the SSH information by executing the debugging commands in all views.
Choose the proper SSH version. Generally the client provides several SSH versions. V1.20 supports SSH Server 1.5, so you must choose 1.5 or lower.

Specify the RSA key file. If RSA authentication is configured at the server, you must specify the RSA key file at the client.

III. Choose the SSH version

Click “SSH” under “Connection” in the left “Category” of the interface, then the following interface appears.

Figure 3-2 SSH Client configuration interface (2)

Set the SSH version to “1”, as shown in the above interface.

IV. Enable the SSH connection in password authentication mode

Click [Open] button and the SSH Client interface appears.

Figure 3-3 SSH Client login interface (in password authentication mode)

After you have entered the correct user name and password, you can implement the connection. To log out, just use the logout command.

V. Enable the SSH connection in RSA authentication mode

To enable the SSH connection in RSA mode, you need to configure the RSA key on both the SSH server and client. Use the following method to generate keys with the PuTTY key generator software.

Figure 3-4 PuTTY Generator Software interface (1)

Choose “SSH1(RSA)” or “SSH2 RSA” as the parameter and enter the number of bits in the key. Click [Generate] button to generate the RSA key. To ensure that the key is random, you are required to move the mouse. Once you stop moving the cursor, the generating process will pause. After the key is generated, the following interface appears.

Figure 3-5 PuTTY Key Generator interface (2)

Enter a passphrase, if you want to use one.

Save the key

After you have generated the keys, you have an RSA public key and an RSA private key. Click [Save public key] button and [Save private key] menu to save the keys into files (e.g., publicMyKey.ppk and privateMykey.ppk).

Configure RSA public keys on the server

For details about configuring RSA public keys on the server, please refer to “2.7.
If you need to perform an RSA authentication, you must specify the RSA private key file. If you only need to perform the password authentication, it is not necessary.

Click the “auth” under “SSH” in the PuTTY configuration interface and the following figure appears.

Figure 3-6 SSH Client Configuration interface (3)

Click [Browse] button and a file selection dialog box will pop up. After you have chosen the private key file, click the [open] button.

Figure 3-7 SSH Client login interface (in RSA authentication mode)

After you have entered the correct username, you can perform the SSH connection. If a passphrase was used when generating the keys, the passphrase is also required before a successful SSH connection can be achieved.

Note: The key generator may be different, depending on the SSH Client configuration interface.
Note: If a local key-pair exists, you can omit this step.

Authenticate login users with the password approach
[3Com] protocol inbound ssh 5
[3Com] local-user client001 service-type operator ssh password simple 3Com
[3Com] ssh user client001 authentication-type password

You can adopt the default SSH authentication timeout time, retry times, and server key updating interval in the system. After finishing the configuration, you can run the SSH1.

Chapter 4 Configuring NTP

As specified in RFC 1305, Network Time Protocol (NTP) is a protocol of the TCP/IP suite, which is used to synchronize the timekeeping among a set of distributed time servers and clients on a network. The transmission relies on UDP.

[Figure: NTP message exchange between Router A and Router B across the network, in numbered steps; the NTP message carries 10:00:00am, then 10:00:00am and 11:00:01am, then 10:00:00am, 11:00:01am and 11:00:02am.]
Upon the departure of the NTP message, Router B adds its timestamp 11:00:02am (T3) again. Upon the receipt of the response, Router A adds a new timestamp, that is, 10:00:03am (T4). In this way, Router A obtains adequate information for calculating two essential parameters. They are:

Roundtrip delay of an NTP message, that is, Delay = (T4-T1) - (T3-T2).

The clock offset of Router A relative to Router B, that is, offset = ( (T2-T1) + (T3-T4) ) / 2.
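
The two formulas above, carried through with the timestamps from this example (an added illustration, not code from the guide). It assumes T1 = 10:00:00am and T2 = 11:00:01am, the first two readings shown in the figure, and adds the standard NTP property, not stated in this guide, that the true offset lies within half the roundtrip delay of the computed offset.

```python
from datetime import timedelta


def parse_clock(text):
    """Turn a reading such as '11:00:02am' into elapsed time since midnight."""
    body, meridiem = text[:-2], text[-2:].lower()
    hours, minutes, seconds = (int(part) for part in body.split(":"))
    if meridiem not in ("am", "pm") or not 1 <= hours <= 12:
        raise ValueError(f"not a 12-hour clock reading: {text!r}")
    hours = hours % 12 + (12 if meridiem == "pm" else 0)
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def ntp_delay_offset(t1, t2, t3, t4):
    """Apply the guide's formulas to the four timestamps of one exchange."""
    delay = (t4 - t1) - (t3 - t2)           # time on the wire, both directions
    offset = ((t2 - t1) + (t3 - t4)) / 2    # Router A's clock error relative to B
    return delay, offset


def offset_bounds(delay, offset):
    """Range that must contain the true offset (standard NTP error bound)."""
    half = delay / 2
    return offset - half, offset + half


def worked_example():
    # T1 and T2 are assumed from the figure; T3 and T4 are given in the text.
    t1, t2, t3, t4 = (parse_clock(s) for s in
                      ("10:00:00am", "11:00:01am", "11:00:02am", "10:00:03am"))
    delay, offset = ntp_delay_offset(t1, t2, t3, t4)
    low, high = offset_bounds(delay, offset)
    return {
        "delay": delay,                  # 2 seconds
        "offset": offset,                # 1 hour: Router A is an hour behind
        "low": low,
        "high": high,
        "corrected_t4": t4 + offset,     # what Router A's clock should read at T4
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:13} {value}")
```

The spread between the two bounds equals the roundtrip delay, so an exchange with a long or asymmetric path yields a less trustworthy offset than one with a short path.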
Configure the NTP server mode
Configure the NTP peer mode
Configure the NTP broadcast server mode
Configure NTP broadcast client mode
Configure NTP multicast server mode
Configure NTP multicast client mode

I. Configure NTP Server Mode

This task sets a remote server as the local time server by specifying its address X.X.X.X. X.X.X.X represents a host address.

Table 4-2 Configure NTP peer mode

Operation: Configure NTP peer mode
Command:   ntp-service unicast-peer X.X.X.X [ version number | authentication-keyid keyid | source-interface { { interface-name | interface-type } interface-number } | priority ] *

Operation: Disable NTP peer mode
Command:   undo ntp-service unicast-peer X.X.X.X

NTP version is in the range of 1 to 3 and defaults to 3, and authentication key ID is in the range of 1 to 4294967295.

Table 4-4 Configure NTP broadcast client mode

Operation                                Command
Configure NTP broadcast client mode      ntp-service broadcast-client
Disable NTP broadcast client mode        undo ntp-service broadcast-client

This command must be configured on the interface to be used for receiving NTP broadcast messages.

V. Configure NTP multicast server mode

This task specifies an interface on the local router to send NTP multicast messages.

Table 4-6 Configure NTP multicast client mode

Operation                                Command
Configure NTP multicast client mode      ntp-service multicast-client [ X.X.X.X ]
Disable NTP multicast client mode        undo ntp-service multicast-client

Multicast IP address X.X.X.X defaults to 224.0.1.1. This command must be configured on the interface to be used for receiving NTP multicast messages.

4.2.

4.2.4 Specify Reliable Key

You must specify a key to be a reliable one before it can be used for authentication. For example, if two routers want to use keyid 1 for authentication, both of them must specify it to be a reliable one. Perform the following configuration in system view.

Table 4-11 Set an external reference clock or the local clock as the NTP master clock

Operation: Set an external reference clock or the local clock as the NTP master clock
Command:   ntp-service refclock-master [ X.X.X.X ] [ stratum ]

Operation: Disable the NTP master clock setting
Command:   undo ntp-service refclock-master [ X.X.X.X ]

X.X.X.X represents the IP address 127.127.t.u of the reference clock, where t is in the range of 0 to 37 and u in the range of 0 to 3.
Perform the debugging command in all views to debug the NTP information.

4.3.2 ntp-service source-interface disable

Syntax
ntp-service source-interface disable
undo ntp-service source-interface disable

View
Interface view

Parameter
None

Description
Using the ntp-service source-interface disable command, you can prevent an interface from receiving NTP messages. Using the undo ntp-service source-interface disable command, you can enable the interface to receive NTP messages.
version: Defines NTP version number.
number: NTP version number in the range of 1 to 3.
authentication-keyid: Defines an authentication key.
keyid: The key ID carried in the messages transmitted to the remote server, which is in the range of 1 to 4294967295.
source-interface: Specifies interface name.
interface-name: Interface name.

4.3.4 ntp-service unicast-server

Syntax
ntp-service unicast-server X.X.X.X [ version number | authentication-keyid keyid | source-interface { interface-name | interface-type interface-number } | priority ] *
undo ntp-service unicast-server X.X.X.X

View
System view

Parameter
X.X.X.X: IP address of the remote server.
version: Defines NTP version.
number: NTP version number in the range of 1 to 3.
authentication-keyid: Defines authentication key ID.
This command declares that the local time server is the remote server specified by X.X.X.X. X.X.X.X represents a host address, which must not be a broadcast or multicast address, or the IP address of the reference clock. Configured with this command, the local device is working in client mode and therefore it is up to the local client to synchronize with the remote server rather than vice versa.
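
A configuration review built from the commands shown in Chapters 2 to 4 (an added example, not 3Com code): it flags shared keys and passwords copied from this guide's examples ("mykey", "my-secret", "3Com"), local-user passwords entered with the simple keyword, and ntp-service unicast-server or unicast-peer associations that omit authentication-keyid. The sample input and the rule names are constructed for illustration, and the script assumes the configuration is available as text in the form the commands are typed.

```python
import re

# Secrets that appear in this guide's own configuration examples.
GUIDE_SAMPLE_SECRETS = {"mykey", "my-secret", "3Com"}

PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")      # leading "[3Com-Serial0]" prompt
SHARED_KEY = re.compile(r"\bshared-key\s+(\S+)")
LOCAL_USER = re.compile(r"^local-user\s+(\S+)\s.*\bpassword\s+simple\s+(\S+)")
NTP_ASSOC = re.compile(r"^ntp-service\s+unicast-(?:server|peer)\s+(\S+)(.*)$")


def audit(config_text):
    """Return (line_number, rule, detail) findings; secrets are never echoed."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("undo "):
            continue

        # TACACS+ "shared-key" and "radius shared-key" both end up here.
        key = SHARED_KEY.search(line)
        if key and key.group(1) in GUIDE_SAMPLE_SECRETS:
            findings.append((number, "sample-shared-key",
                             "shared key is a value printed in the guide"))

        # In the guide's example the password follows "simple" in readable
        # form; assumption: a stored configuration shows it the same way.
        user = LOCAL_USER.match(line)
        if user:
            findings.append((number, "readable-password",
                             f"password for {user.group(1)} is readable in the line"))
            if user.group(2) in GUIDE_SAMPLE_SECRETS:
                findings.append((number, "sample-password",
                                 f"password for {user.group(1)} is a value printed in the guide"))

        # authentication-keyid is optional in the syntax; without it the
        # association carries no key ID.
        ntp = NTP_ASSOC.match(line)
        if ntp and "authentication-keyid" not in ntp.group(2):
            findings.append((number, "ntp-no-auth",
                             f"NTP association with {ntp.group(1)} has no authentication-keyid"))
    return findings


# Constructed sample input (addresses and the second key are made up).
SAMPLE_CONFIG = """\
[3Com-HWTACACS-tactemplate1]shared-key mykey
[3Com] radius shared-key Xq7-constructed-key
[3Com] local-user client001 service-type operator ssh password simple 3Com
[3Com] ntp-service unicast-server 10.110.1.2
[3Com] ntp-service unicast-peer 10.110.1.3 authentication-keyid 1
"""

if __name__ == "__main__":
    for number, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule}: {detail}")
```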

Chapter 5 Configuring X2T

The X.25 to TCP switch (X2T) technology can interconnect X.25 and IP networks and enables access between X.25 and IP hosts.

[Figure 5-1 Typical X2T networking: an X.25 terminal on the X.25 network and an IP host on the TCP/IP network, joined by the router; X2T in the router links the X.25/LAPB/physical layer stack with the TCP/IP/data link layer/physical layer stack.]

From the perspective of an X.25 host, each IP host is associated with an X.121 address.
Configure X2T route

I. Enabling X.25 Switching

Before configuring X2T, you must enable X.25 switching. Perform the following configuration in system view.

Table 5-1 Configure X.25 switching

Operation                  Command
Enable X.25 switching      x25 switching
Disable X.25 switching     undo x25 switching

5.2.2 Configuring the Interface at the X.25 Network Side

For information about the configuration of the interface at the X.25 network side, see “Configure X.
forwarding route

Operation: Delete the X.25-to-IP X2T forwarding route
Command:   undo translate x25 x.121-address

2) Configuring an IP-to-X.25 X2T forwarding route

Perform the following configuration in system view.

Table 5-4 Configure an IP-to-X.25 X2T forwarding route

Operation: Configure an IP-to-X.25 X2T forwarding route
Command:   translate ip ip-address port port-number x25 x.

Operation: Delete the IP-to-X.25 X2T forwarding route
2 Configure the interface at the X.25 network side.
[3Com]interface serial 0
[3Com-Serial0]link-protocol x25 dce
[3Com-Serial0]x25 x121-address 1111

3 Configure the interface at the IP network side.
[3Com]interface ethernet 0
[3Com-Ethernet0]ip address 10.1.1.1 255.255.255.0

4 Configure an X.25 route
[3Com]x25 switch svc 2222 interface serial 0

5 Configure an X2T route
[3Com]translate ip 10.1.1.1 port 102 x25 2222
[3Com]translate x25 1111 ip 10.

Chapter 6 Configuring Additional ISDN Support

ISDN configuration includes the following tasks:
• Configuring the ISDN signaling type.
• Configuring the negotiation parameters of ISDN Layer 3.
• Configuring the SPID parameters of the National (NI) ISDN protocol.

6.1 Configuring ISDN Signaling Type

By default, DSS1 signaling is used on ISDN interfaces.
Configure the router to become ACTIVE to start data exchange before receiving CONNECT ACK messages.
These can optionally be removed from the SETUP message.

6.2.3 ATT 5ESS (Lucent 5E)

Table 6-5 Required ATT 5ESS Commands

Operation
Disable the Sending-Complete Information Element in the Setup message
Disable the SETUP ACK messages if the received SETUP messages in data service calls do not carry the called number information.
Restore the SETUP message.
Configure the router to wait for CONNECT ACK message replies from the connected exchange until switching to the ACTIVE state.
Configure the router to become ACTIVE to start data exchange before receiving CONNECT ACK messages.