H3C SecPath Series Operating instructions

Operation Manual – User Access
H3C SecPath Series Security Products
Table of Contents
Chapter 1 PPP Configuration 1-1
1.1 Introduction to PPP 1-1
1.1.1 Introduction to PPP 1-1
1.2 Configuring PPP 1-2
1.2.1 Configuring PPP Encapsulation on the Interface 1-3
1.2.2 Configuring the Polling Interval 1-3
1.2.3 Configuring PPP Authentication Mode and Username and User Password 1-4
1.2.4 Configuring PPP Negotiation Parameters 1-7
1.2.5 Configuring PPP Link Quality Control 1-12
1.2.6 Displaying and Debugging PPP 1-12
1.3 Configuring PPP Link Efficiency Mechanism 1-13
1.3.1 Configuring IPHC 1-14
1.3.2 Configuring PPP STAC-LZS Compression 1-16
1.3.3 Configuring VJ TCP Header Compression for PPP Packets 1-16
1.3.4 Displaying and Debugging PPP Link Efficiency Mechanism 1-16
1.4 Typical PPP Configuration Example 1-17
1.4.1 PAP Authentication 1-17
1.4.2 CHAP Authentication 1-18
1.5 Troubleshooting PPP 1-19
Chapter 2 PPPoE Server Configuration 2-1
2.1 Introduction to PPPoE 2-1
2.2 PPPoE Server Configuration 2-1
2.2.1 Creating a Virtual Template 2-1
2.2.2 Enabling/Disabling PPPoE Server 2-2
2.2.3 Configuring PPPoE Server Parameters 2-2
2.2.4 Enabling/Disabling the PPPoE Server to Output PPP-Related Log 2-3
2.3 Displaying and Debugging PPPoE Server 2-3
2.4 PPPoE Configuration Example 2-4
Chapter 3 PPPoE Client Configuration 3-1
3.1 Introduction to PPPoE Client 3-1
3.2 Configuring the PPPoE Client 3-2
3.2.1 Configuring a Dialer Interface 3-2
3.2.2 Configuring a PPPoE Session 3-3
3.2.3 Resetting/Deleting a PPPoE Session 3-4
3.3 Displaying and Debugging the PPPoE Client 3-5
3.4 Typical PPPoE Client Configuration Example 3-5
3.4.1 Typical PPPoE Client Configuration Example 3-5
3.4.2 Connecting a LAN to the Internet Through an ADSL Modem 3-7
Chapter 4 VLAN Configuration 4-1
4.1 Introduction to VLAN 4-1
4.2 Basic VLAN Configuration 4-3
4.3 Displaying and Debugging VLAN 4-3
4.4 Typical VLAN Configuration Example 4-4
Chapter 1 PPP Configuration
1.1 Introduction to PPP
1.1.1 Introduction to PPP
The Point-to-Point Protocol (PPP) is a link layer protocol that carries network layer packets over point-to-point links. It has found wide application because it provides user authentication, supports synchronous/asynchronous communication and can be extended easily.
PPP defines a whole set of protocols, including the Link Control Protocol (LCP), the Network Control Protocol (NCP) and the authentication protocols Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP):
• LCP is responsible for establishing, removing and monitoring data links.
• NCP is used to negotiate the format and type of the packets over data links.
• The authentication protocols are used for network security.
1) PAP authentication
PAP is a 2-way handshake authentication protocol that sends the password in plain text. The process of PAP authentication is as follows:
• The requester sends its username and password to the authenticator.
• The authenticator checks whether the username and password are correct against its local user list and then returns a response (Acknowledge or Not Acknowledge).
2) CHAP authentication
CHAP (Challenge-Handshake Authentication Protocol) is a 3-way handshake authentication protocol in which the password is sent in encrypted form. The process of CHAP authentication is as follows:
• The authenticator actively initiates an authentication request by sending a randomly generated packet (Challenge) to the authenticatee, carrying its own username in the packet.
• When the authenticatee receives the authentication request initiated by the authenticator, it looks up the local user database for a password matching the authenticator's username in the received packet. If it finds a match, the authenticatee uses the MD5 algorithm to encrypt the random packet together with the packet ID and the user's key (password), and then sends the generated ciphertext and its own username back to the authenticator (Response). If the authenticatee does not find a match, it checks whether the ppp chap password command is configured on its interface. If this command is configured, the authenticatee uses the MD5 algorithm to encrypt the random packet together with the packet ID and this key (password), and then sends the generated ciphertext and its own username back to the authenticator (Response).
• The authenticator encrypts the original random packet with the authenticatee's password that it has saved, using the MD5 algorithm, compares the result with the received ciphertext, and returns a corresponding response (either Acknowledge or Not Acknowledge) depending on the comparison result.
Following is how PPP operates (see Figure 1-1):
1) Before setting up a PPP link, PPP enters the Establish phase.
2) In the Establish phase, LCP negotiation is carried out, which includes negotiation of the operating mode (SP or MP), the authentication mode and the MRU. If the negotiation succeeds, LCP enters the Opened state, indicating that the bottom-layer link has been set up.
3) If authentication (the remote verifying the local or the local verifying the remote) is configured, PPP enters the Authenticate phase and starts CHAP/PAP authentication.
4) If authentication fails, PPP enters the Terminate phase to remove the link, and LCP goes down. If authentication succeeds, PPP proceeds to network negotiation (NCP). In this case, the LCP state is still Opened, while the state of the IP control protocol (IPCP) changes from Initial to Request.
5) NCP negotiation supports IPCP negotiation, which primarily refers to negotiation of the IP addresses of the two parties. NCP negotiation is conducted to select and configure a network layer protocol. Only a network layer protocol that has been agreed upon by the two parties in NCP negotiation can send packets over the PPP link.
6) The PPP link remains available for communication until an explicit LCP or NCP frame closes it or some external event takes place (for example, intervention by the user).
Figure 1-1 PPP operation flow chart (phases: Dead, Establish, Authenticate, Network, Terminate; transitions: UP, OPENED, SUCCESS/NONE, FAIL, DOWN, CLOSING)
For the details of PPP, refer to RFC1661.
1.2 Configuring PPP
Fundamental PPP configuration tasks include:
• Configure the data link protocol encapsulated on the interface to be PPP
• Configure the polling interval
• Configure PPP authentication mode, user name and user password
Advanced PPP configuration tasks include:
• Configure PPP negotiation parameters
• Configure PPP link quality control (LQC)
The fundamental configuration is the parameter setting that must be performed for
running PPP on the firewall, whereas the advanced configurations are the options that
can be configured as needed.
1.2.1 Configuring PPP Encapsulation on the Interface
Perform the following configuration in interface view.
Table 1-1 Configure PPP encapsulation on the interface
Operation: Configure PPP encapsulation on the interface.
Command: link-protocol ppp
The link layer protocol encapsulated on the dialer and virtual-template interfaces
defaults to PPP.
1.2.2 Configuring the Polling Interval
Data link protocols such as PPP, FR and HDLC use a timer to monitor the status of the link periodically. The polling interval must be exactly the same at the two ends of the link for the link to work properly.
Perform the following configuration in interface view.
Table 1-2 Configure polling interval on the interface
Operation: Set the polling interval.
Command: timer hold seconds
Operation: Reset the polling interval.
Command: undo timer hold
The polling interval defaults to 10 seconds. Periodic polling is disabled if the polling interval is set to 0.
Increase this interval on long-delay, highly congested networks to avoid the effects of network fluctuation.
1.2.3 Configuring PPP Authentication Mode and Username and User Password
The local and the peer support both CHAP and PAP authentication approaches
between them. The configuration procedures in both approaches will be described in
the following subsections. This chapter only discusses local authentication. For
information about the remote AAA authentication, refer to the Security module in this
manual.
I. Configuring the local to authenticate the peer using PAP
Table 1-3 Configure the local to authenticate the peer with the PAP approach
Operation: Configure the local to authenticate the peer in PAP mode (in interface view).
Command: ppp authentication-mode pap [ [ call-in ] domain isp-name ]
Operation: Disable the configured PPP authentication mode, i.e. perform no PPP authentication (in interface view).
Command: undo ppp authentication-mode
Operation: Create a local user and enter the corresponding view (in system view).
Command: local-user username
Operation: Configure the password for the local user (in local user view).
Command: password { simple | cipher } password
Operation: Cancel the password of the local user (in local user view).
Command: undo password
Operation: Set the callback and caller number attributes of the PPP user (in local user view).
Command: service-type ppp [ callback-nocheck | callback-number callback-number | call-number call-number [ :subcall-number ] ]
Operation: Restore the default callback and caller number attributes of the PPP user (in local user view).
Command: undo service-type ppp [ callback-nocheck | callback-number | call-number ]
Operation: Create an ISP domain or enter the view of a created domain (in system view).
Command: domain { isp-name | default { disable | enable isp-name } }
Operation: Configure the user in the domain to use the local authentication scheme (in domain view).
Command: scheme local
By default, PPP authentication is disabled.
If you configure the ppp authentication-mode { pap | chap } command without
specifying a domain, the system-default domain applies by default, adopting local
authentication. The address pool configured in the domain must be used. If a domain is
specified, you must configure an address pool in the specified domain.
If a received username includes a domain name, this domain name is used for
authentication (if the name does not exist, authentication is denied). Otherwise, the
domain name configured for PPP authentication applies.
II. Configuring the local to authenticate the peer using CHAP
Table 1-4 Configure the local to authenticate the peer with the CHAP approach
Operation: Configure the local to authenticate the peer in CHAP mode (in interface view).
Command: ppp authentication-mode chap [ [ call-in ] domain isp-name ]
Operation: Disable the configured PPP authentication, i.e. perform no PPP authentication (in interface view).
Command: undo ppp authentication-mode
Operation: Configure the local username (in interface view).
Command: ppp chap user username
Operation: Delete the configured local username (in interface view).
Command: undo ppp chap user
Operation: Create a local user and enter the corresponding view (in system view).
Command: local-user username
Operation: Configure the password for the local user (in local user view).
Command: password { simple | cipher } password
Operation: Cancel the password of the local user (in local user view).
Command: undo password
Operation: Set the callback and caller number attributes of the PPP user (in local user view).
Command: service-type ppp [ callback-nocheck | callback-number callback-number | call-number call-number [ :subcall-number ] ]
Operation: Restore the default callback and caller number attributes of the PPP user (in local user view).
Command: undo service-type ppp [ callback-nocheck | callback-number | call-number ]
Operation: Create an ISP domain or enter the view of a created domain (in system view).
Command: domain { isp-name | default { disable | enable isp-name } }
Operation: Configure the user in the domain to use the local authentication scheme (in domain view).
Command: scheme local
By default, PPP authentication is disabled.
For authentication on a dial interface, it is recommended that you configure authentication on both the physical interface and the dialer interface. When the physical interface receives a DCC call request, it first initiates PPP negotiation and authenticates the dial-in user, and then passes the call to the upper layer protocol.
III. Configuring the local to be authenticated by the peer using PAP
Table 1-5 Configure the local to be authenticated by the peer with the PAP approach
Operation: Configure the PAP username and password that the local will send when authenticated by the peer in PAP mode (in interface view).
Command: ppp pap local-user username password { simple | cipher } password
Operation: Delete the PAP username and password that the local will send when authenticated by the peer in PAP mode (in interface view).
Command: undo ppp pap local-user
By default, when the local firewall is authenticated by the peer in PAP mode, both the
username and password sent by the local firewall are null.
IV. Configuring the local to be authenticated by the peer using CHAP
Table 1-6 Configure the local to be authenticated by the peer with the CHAP approach
Operation: Create a local user and enter the local user view (in system view).
Command: local-user username
Operation: Set a password for the local user (in local user view).
Command: password { simple | cipher } password
Operation: Cancel the password for the local user (in local user view).
Command: undo password
Operation: Configure the local name (in interface view).
Command: ppp chap user username
Operation: Delete the configured local name (in interface view).
Command: undo ppp chap user
Operation: Set the default CHAP authentication password in interface view (this password is used when the local user name and password are not configured).
Command: ppp chap password { simple | cipher } password
Operation: Delete the default CHAP authentication password (in interface view).
Command: undo ppp chap password
In the above table, simple means the password is sent in plain text and cipher means it is sent in ciphertext.
Note:
When configuring CHAP authentication, the username you configure with the local-user command must be the same as the username the peer configures with the ppp chap user command. You should also configure the same password on both sides. If the peer does not configure a local user with the local-user command, the peer computes the response to the received authentication request from any PPP user using the key configured by the ppp chap password command, and returns it to the local.
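The CHAP exchange described in the introduction (Challenge, Response, Acknowledge/Not Acknowledge) and the Note above, modelled as an added Python example; this is not H3C code. The RouterA/RouterB names, passwords, message field names and class names are constructed, and the fallback key is the one the Note describes for the ppp chap password command.

```python
"""Model of the CHAP exchange described in this section (added example, not
H3C code). Usernames, passwords and the challenge are constructed here; the
RouterA/RouterB names and the dict field names are hypothetical."""
import hashlib
import secrets
from typing import Optional


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge value: the computation the
    page describes as 'encrypting the random packet with packet ID and key'.
    Only this digest crosses the link, never the password itself."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class Authenticator:
    """End configured with 'ppp authentication-mode chap' and 'ppp chap user <name>';
    local_users models the 'local-user <name>' / 'password' entries."""

    def __init__(self, name: str, local_users: dict):
        self.name = name
        self.local_users = local_users
        self.identifier = 0
        self.pending: Optional[bytes] = None

    def challenge(self) -> dict:
        # Fresh random value and a new Identifier for every attempt; the
        # Challenge carries the authenticator's own username.
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending = secrets.token_bytes(16)
        return {"code": "Challenge", "id": self.identifier,
                "value": self.pending, "name": self.name}

    def verify(self, response: Optional[dict]) -> str:
        """Return 'Success' (Acknowledge) or 'Failure' (Not Acknowledge)."""
        if response is None or self.pending is None:
            return "Failure"
        if response["id"] != self.identifier:        # stale or replayed Response
            return "Failure"
        secret = self.local_users.get(response["name"])
        if secret is None:                            # no local-user for the peer's name
            return "Failure"
        expected = chap_response(self.identifier, secret, self.pending)
        self.pending = None                           # each Challenge is single-use
        return "Success" if secrets.compare_digest(expected, response["value"]) else "Failure"


class Authenticatee:
    """Peer end: 'ppp chap user <name>', plus either a local-user entry keyed by
    the authenticator's name or the interface-wide 'ppp chap password' default."""

    def __init__(self, name: str, local_users: dict, default_password: Optional[str] = None):
        self.name = name
        self.local_users = local_users
        self.default_password = default_password     # ppp chap password { simple | cipher }

    def respond(self, challenge: dict) -> Optional[dict]:
        secret = self.local_users.get(challenge["name"])
        if secret is None:
            secret = self.default_password            # fall back to the interface key
        if secret is None:
            return None                               # no key at all: cannot answer
        return {"code": "Response", "id": challenge["id"],
                "value": chap_response(challenge["id"], secret, challenge["value"]),
                "name": self.name}


def run_exchange(authenticator: Authenticator, peer: Authenticatee) -> str:
    """Drive the 3-way handshake: Challenge -> Response -> Success/Failure."""
    return authenticator.verify(peer.respond(authenticator.challenge()))


def demo() -> dict:
    """Constructed scenarios matching the Note: same username on both sides,
    same password, and the 'ppp chap password' fallback."""
    results = {}
    local = Authenticator("RouterA", {"RouterB": "s3cret"})
    results["matching local-user"] = run_exchange(local, Authenticatee("RouterB", {"RouterA": "s3cret"}))
    results["ppp chap password fallback"] = run_exchange(local, Authenticatee("RouterB", {}, "s3cret"))
    results["wrong password"] = run_exchange(local, Authenticatee("RouterB", {"RouterA": "other"}))
    results["no key configured"] = run_exchange(local, Authenticatee("RouterB", {}))
    results["unknown peer name"] = run_exchange(local, Authenticatee("RouterC", {"RouterA": "s3cret"}))
    return results
```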
1.2.4 Configuring PPP Negotiation Parameters
The following PPP negotiation parameters can be configured:
Negotiation timeout interval: during PPP negotiation, if the response from the peer is not received within this interval, PPP retransmits the message. The timeout interval ranges from 1 to 10 seconds.
For some negotiation parameters of NCP such as the configuration of local IP address
and the IP address assigned to the peer, refer to the “Network Protocol Configuration”
part in this manual. For example, the ip address ppp-negotiate command can be
used to ask the peer to assign IP address for the local, while the remote address
command can be used to designate the local to assign IP address for the peer.
I. Configuring the time interval of PPP negotiation timeout
Perform the following configuration in interface view.
Table 1-7 Configure the time interval of PPP negotiation timeout
Operation: Configure the time interval of negotiation timeout.
Command: ppp timer negotiate seconds
Operation: Restore the default value of the time interval of negotiation timeout.
Command: undo ppp timer negotiate
The timeout interval defaults to 3 seconds.
II. Negotiating IP address using PPP
1) Configure client
Suppose PPP has been encapsulated on the local and remote interfaces. If the local interface has no IP address while the remote interface has one, you may configure the local interface to negotiate an IP address using PPP and accept the IP address thus assigned by the remote interface. When accessing the Internet via an ISP, you may make this configuration to get an IP address from the ISP.
Perform the following configuration in interface view.
Table 1-8 Configure an interface to negotiate IP address using PPP
Operation: Configure an interface to negotiate IP address using PPP.
Command: ip address ppp-negotiate
Operation: Disable PPP negotiation.
Command: undo ip address ppp-negotiate
By default, the system does not allow the interface to negotiate the IP address.
Caution:
• Because PPP supports IP address negotiation, you can configure the interface to negotiate the IP address only when PPP is encapsulated on the interface. When PPP is disabled, the negotiated IP address will be deleted.
• If the interface has an IP address, the original IP address is deleted after you configure the interface to negotiate IP addresses.
• After you configure the interface to negotiate IP addresses, you are not allowed to assign an IP address for the interface. The negotiation can generate an IP address.
• After you configure the interface to negotiate IP addresses twice, the IP address generated by the first negotiation is deleted, and the IP address generated by the second negotiation is used.
• After the IP address generated by the negotiation is deleted, the interface has no IP address.
2) Configure server
If a firewall functions as the server assigning an IP address to a client, you can use the following three methods to assign an IP address to a PPP user:
Method 1: Assign the specified IP address directly to the peer on the interface without configuring an address pool.
Table 1-9 Assign directly the specified IP address for the peer on the interface
Operation: Assign an IP address for the PPP user.
Command: remote address ip-address
Operation: Remove the configuration.
Command: undo remote address
By default, if the remote address pool command and the domain address pool are not
configured, the specified IP address is not assigned for the peer on the interface.
Method 2: Assign an IP address for the peer using a global address pool
Define a global address pool in system view first, and then use the remote address
pool command on the interface to specify a global address pool number (only one
number can be specified).
Table 1-10 Assign an IP address for the peer using a global address pool
Operation: Define a global IP address pool.
Command: ip pool pool-number low-ip-address [ high-ip-address ]
Operation: Remove the configuration.
Command: undo ip pool pool-number
Operation: Use the global address pool to assign an IP address for the PPP user.
Command: remote address pool [ pool-number ]
Operation: Remove the configuration.
Command: undo remote address
By default, if the remote address pool command and the domain address pool are not
configured, the IP address is not assigned for the peer. When you configure the remote
address pool command but do not configure the pool-number parameter, the system
uses global address pool 0 by default.
If you do not authenticate the PPP user, you can use methods 1 and 2. If you need to
authenticate the PPP user, you should use method 3 as follows:
Method 3: Assign an IP address for the peer using the address pool for the domain
Define an address pool for the domain in domain view first, and then use the remote address pool command to specify the address pool number for the domain (you can specify only one number). If you do not configure the remote address pool command, the address pools of the corresponding domain are used in turn to assign IP addresses to users during authentication negotiation.
Table 1-11 Assign an IP address for the PPP user using the address pool for the domain
Operation: Define a global IP address pool.
Command: ip pool pool-number low-ip-address [ high-ip-address ]
Operation: Remove the configuration.
Command: undo ip pool pool-number
Operation: Assign an IP address for the PPP user using the global IP address pool.
Command: remote address pool [ pool-number ]
Operation: Remove the configuration.
Command: undo remote address
By default, if the remote address pool command and the domain address pool are not
configured, the IP address is not assigned for the peer.
The following describes how an IP address is assigned to the PPP user:
1) For a domain user (including userid and userid@isp-name), the IP address is assigned as follows:
• In the case of RADIUS or TACACS authentication and authorization, when the server delivers an IP address for the PPP user, the delivered IP address is used.
• If the server delivers an IP address pool instead of an IP address, the system searches for the IP address pool in turn in domain view and assigns an IP address to the PPP user.
• If the system assigns no IP address using the above two methods, or local authentication is adopted, the system searches the address pools in turn in domain view and assigns an IP address to the PPP user.
2) For users who are not authenticated, the system uses the global address pool (the address pool defined in system view) specified on the interface to assign an IP address to the PPP user.
When the IP address for the peer is specified directly on the interface or assigned from the global address pool, the system allows the peer to use its self-configured IP address once the remote address command is configured. If you do not want (or allow) the peer to use its self-configured IP address and instead require it to accept the IP address assigned by the local end, configure the IP address to be assigned to the peer by negotiation and execute the following command in interface view on the server side.
Table 1-12 Enable/disable forced IP address assignment with PPP IPCP negotiation
Operation: Forbid the peer to use a self-configured fixed IP address in PPP IPCP negotiation.
Command: ppp ipcp remote-address forced
Operation: Disable forced address assignment in PPP IPCP negotiation.
Command: undo ppp ipcp remote-address forced
By default, the peer can use its self-configured IP address in PPP IPCP negotiation. If
the peer explicitly requests this end for an address, this end acts as requested; if the
peer already has a self-configured IP address, this end does not allocate one to the
peer.
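The address assignment order described above (server-delivered address, server-delivered pool, pool named on the interface, domain pools in turn, and the global pool for unauthenticated users) together with the behaviour of ppp ipcp remote-address forced, as an added Python model; this is not H3C code. Pool ranges, addresses, class names and the "no-address" result for the case where nothing can be offered are constructed for the example.

```python
"""Model of the IPCP remote-address assignment rules in this section (added
example, not H3C code). Pools, addresses and the authentication inputs are
constructed; the class and field names are hypothetical."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Optional, Set, Tuple


@dataclass
class Pool:
    """'ip pool <n> low [high]': hands out the lowest free address."""
    low: IPv4Address
    high: IPv4Address
    leased: Set[IPv4Address] = field(default_factory=set)

    def allocate(self) -> Optional[IPv4Address]:
        addr = self.low
        while addr <= self.high:
            if addr not in self.leased:
                self.leased.add(addr)
                return addr
            addr += 1
        return None                                           # pool exhausted


@dataclass
class Interface:
    remote_address: Optional[IPv4Address] = None   # remote address ip-address (method 1)
    remote_pool: Optional[int] = None              # remote address pool [n]; bare command means 0
    forced: bool = False                           # ppp ipcp remote-address forced


@dataclass
class AuthResult:
    """Outcome of authentication: nothing for an unauthenticated user, else the
    domain's pools plus anything a RADIUS/TACACS server delivered."""
    authenticated: bool
    domain_pools: Dict[int, Pool] = field(default_factory=dict)
    server_ip: Optional[IPv4Address] = None
    server_pool: Optional[int] = None


def choose_address(auth: AuthResult, iface: Interface,
                   global_pools: Dict[int, Pool]) -> Optional[IPv4Address]:
    """Pick the address the local end would assign, in the order the page gives."""
    if auth.authenticated:                                    # domain user (method 3)
        if auth.server_ip is not None:                        # server delivered an address
            return auth.server_ip
        if auth.server_pool in auth.domain_pools:             # server delivered a pool
            addr = auth.domain_pools[auth.server_pool].allocate()
            if addr is not None:
                return addr
        if iface.remote_pool in auth.domain_pools:            # pool named on the interface
            return auth.domain_pools[iface.remote_pool].allocate()
        for number in sorted(auth.domain_pools):              # domain pools in turn
            addr = auth.domain_pools[number].allocate()
            if addr is not None:
                return addr
        return None
    if iface.remote_address is not None:                      # method 1
        return iface.remote_address
    if iface.remote_pool in global_pools:                     # method 2
        return global_pools[iface.remote_pool].allocate()
    return None


def ipcp_reply(peer_proposal: IPv4Address, auth: AuthResult, iface: Interface,
               global_pools: Dict[int, Pool]) -> Tuple[str, Optional[IPv4Address]]:
    """Answer the IP-Address option of the peer's Configure-Request.
    A proposal of 0.0.0.0 means the peer asks to be assigned an address."""
    if peer_proposal != IPv4Address("0.0.0.0") and not iface.forced:
        return ("ack", peer_proposal)                         # default: peer keeps its own address
    assigned = choose_address(auth, iface, global_pools)
    if assigned is None:
        return ("no-address", None)                           # constructed label: nothing to offer
    if assigned == peer_proposal:
        return ("ack", assigned)
    return ("nak", assigned)                                  # push the local choice to the peer


def demo() -> list:
    """Constructed scenarios: unauthenticated peer with and without 'forced',
    a server-delivered address, and a one-address domain pool that runs dry."""
    out = []
    global_pools = {0: Pool(IPv4Address("192.168.1.2"), IPv4Address("192.168.1.3"))}
    own = IPv4Address("10.0.0.5")
    unauth = AuthResult(authenticated=False)
    out.append(ipcp_reply(own, unauth, Interface(remote_pool=0), global_pools))
    out.append(ipcp_reply(own, unauth, Interface(remote_pool=0, forced=True), global_pools))
    radius = AuthResult(True, server_ip=IPv4Address("172.16.0.7"))
    out.append(ipcp_reply(IPv4Address("0.0.0.0"), radius, Interface(), {}))
    local = AuthResult(True, domain_pools={1: Pool(IPv4Address("10.1.1.1"), IPv4Address("10.1.1.1"))})
    out.append(ipcp_reply(IPv4Address("0.0.0.0"), local, Interface(), {}))
    out.append(ipcp_reply(IPv4Address("0.0.0.0"), local, Interface(), {}))
    return [(action, str(addr) if addr is not None else None) for action, addr in out]
```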
III. Configuring DNS address negotiation
While negotiating PPP address, the firewall can negotiate DNS server address as a
DNS server address provider or recipient, depending on the connected device.
When a PC connects to the firewall using PPP, through dialup for example, the firewall
should allocate a DNS server address to the PC so that the PC can use its domain
name to access the Internet.
When connected using PPP to the network access server (NAS) of the service provider, the firewall should be able to request a DNS server address from the NAS or accept an unsolicited DNS server address for resolving domain names.
Perform the following configuration in interface view.
Table 1-13 Configure DNS address negotiation
Operation: Enable the firewall to accept the unsolicited DNS server address.
Command: ppp ipcp dns admit-any
Operation: Disable the firewall from accepting the unsolicited DNS server address.
Command: undo ppp ipcp dns admit-any
Operation: Enable the firewall to allocate a DNS server address to the peer.
Command: ppp ipcp dns primary-dns-address [ secondary-dns-address ]
Operation: Disable the firewall from allocating a DNS server address to the peer.
Command: undo ppp ipcp dns primary-dns-address [ secondary-dns-address ]
Operation: Enable the firewall to request a DNS server address.
Command: ppp ipcp dns request
Operation: Disable the firewall from requesting a DNS server address.
Command: undo ppp ipcp dns request
By default, DNS address negotiation is disabled.
1.2.5 Configuring PPP Link Quality Control
You may use PPP link quality control (LQC) to monitor the quality of PPP links. The system shuts down a link when its quality drops below the forbidden-percentage and brings it up again when its quality improves beyond the resumptive-percentage. When re-enabling the link, PPP LQC applies a delay to avoid link flapping.
Perform the following configuration in interface view.
Table 1-14 Configure PPP link quality control
Operation: Enable PPP LQC.
Command: ppp lqc forbidden-percentage [ resumptive-percentage ]
Operation: Disable PPP LQC.
Command: undo ppp lqc
By default, the arguments resumptive-percentage and forbidden-percentage are equal.
Note:
Before you enable LQC, the PPP interface sends keepalive packets to the peer regularly. After you enable LQC on the interface, the PPP interface sends link quality reports (LQRs) instead to monitor the link.
When the quality of the link is normal, the system calculates link quality based on each LQR and shuts down the link if the results of two consecutive calculations are below the forbidden-percentage. After shutting down the link, the system calculates link quality every ten LQRs, and brings the link up again if the results of three consecutive calculations are higher than the resumptive-percentage. That means a disabled link must go through 30 keepalive periods before it can come up again. If a large keepalive period is specified, it may take a long time for the link to come up.
1.2.6 Displaying and Debugging PPP
After completing the above configuration, execute the display commands in any view to view the running status of PPP and verify the effect of the configuration. You can debug PPP by executing the debugging commands in user view.
Table 1-15 Displaying and debugging
Operation: Display the PPP configuration and status of an interface.
Command: display interface interface-name
Operation: Enable part of the debug switches of PPP.
Command: debugging ppp { chap { all | event | error | packet | state } | pap { all | event | error | packet | state } | vjcomp packet } [ interface interface-type interface-number ]
Operation: Enable part of the debug switches of PPP.
Command: debugging ppp compression iphc { rtp | tcp } { all | context_state | error | full_header | general_info }
Operation: Enable part of the debug switches of PPP.
Command: debugging ppp { core event | ip packet | ipcp { all | event | error | packet | state } | lcp { all | event | error | packet | state } | lqc packet | mp { all | event | error | packet } } [ interface interface-type interface-number ]
Operation: Enable part of the debug switches of PPP.
Command: debugging ppp { all | cbcp packet | ccp { all | event | error | packet | state } | scp packet } [ interface interface-type interface-number ]
1.3 Configuring PPP Link Efficiency Mechanism
Four mechanisms are available for improving transmission efficiency on PPP links.
They are IP header compression (IPHC), STAC Lempel-Ziv standard (STAC-LZS)
compression on PPP packets, V. Jacobson Compressing TCP/IP Headers (VJ TCP
header compression), and link fragmentation and interleaving (LFI).
I. IP header compression
IPHC is a host-to-host protocol used to transmit multimedia services such as voice and video over IP networks. To decrease the bandwidth consumed by headers, you may enable IP header compression on PPP links to compress RTP (including IP, UDP and RTP) headers or TCP headers. The following describes how compression operates, taking RTP header compression as an example.
The Real-time Transport Protocol (RTP) is essentially a UDP-based protocol using a fixed port number and format. Since its publication as RFC 1889, there has been growing interest in using RTP as one step towards interoperability among different implementations of network audio/video applications. However, there is also concern that the 40-byte IP/UDP/RTP header, consisting of a 20-byte IP header, an 8-byte UDP header and a 12-byte RTP header, is too large an overhead for 20-byte or 160-byte payloads.
To reduce overhead, you can use IPHC to compress headers. In many cases, all three headers can be compressed to 2 to 5 bytes. The effect of header compression is considerable: for a payload of 40 bytes, the 40-byte header can be compressed to 5 bytes, giving a compression ratio of (40+40) / (40+5), about 1.78. The process of IPHC is illustrated in the following figure.
Figure 1-2 IP header compression (incoming packets are classified; RTP traffic passes through RTP header compression, non-RTP traffic bypasses it, and both enter the sending queue)
II. STAC-LZS compression
STAC-LZS compression is a link-layer data compression standard developed by Stac Electronics. It is a Lempel-Ziv-based algorithm that compresses only packet payloads, replacing repeated byte sequences in the data stream with shorter codes and adapting to the data as it changes. This makes it more flexible than header compression, but it also costs more CPU resources.
III. VJ TCP header compression
VJ TCP header compression was defined in RFC 1144 for use on low-speed links. Each TCP/IP packet carries a typical 40-byte TCP/IP header made up of a 20-byte IP header and a 20-byte TCP header. Some header fields do not change for the lifetime of the connection and need to be sent only once, while others change, but in small and regular steps. Based on this observation, VJ TCP header compression compresses the 40-byte TCP/IP header to 3 to 5 bytes. It can significantly improve the throughput of applications such as FTP over a low-speed serial link running PPP.
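The following Python program is an added illustration of the idea described above; it is not H3C code and not part of the SecPath software. It models VJ header compression (and, more generally, the per-link context that IPHC also relies on): the first header of a connection is sent whole to install a context at the receiver; later headers are sent as a change mask plus small deltas for the IP ID, sequence number, acknowledgement number and window, with the TCP checksum carried verbatim. It is simplified (assumptions: one connection slot, no urgent pointer, none of RFC 1144's special-case encodings, constructed sample headers rather than a capture), but it uses the real PPP protocol numbers of the two VJ packet types.

```python
"""Simplified VJ-style TCP/IP header compression (the idea behind RFC 1144).

Added illustration for this manual section, not H3C code. Assumptions: one
connection slot, no urgent pointer, none of RFC 1144's special-case encodings.
"""
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")    # 20-byte TCP header, no options

# PPP protocol numbers of the two VJ packet types (RFC 1332 / IANA)
PPP_VJ_COMPRESSED = 0x002D
PPP_VJ_UNCOMPRESSED = 0x002F

# change-mask bits; an unset I bit means "IP ID went up by exactly 1"
C_I, C_S, C_A, C_W = 0x08, 0x04, 0x02, 0x01
# (name, offset in the 40-byte header, struct format, mask bit, modulus)
DELTA_FIELDS = (("ipid", 4, "!H", C_I, 1 << 16), ("seq", 24, "!I", C_S, 1 << 32),
                ("ack", 28, "!I", C_A, 1 << 32), ("win", 34, "!H", C_W, 1 << 16))
# byte ranges the receiver derives or gets as deltas: IP total length, IP ID,
# IP checksum, seq, ack, window, TCP checksum; every other byte must match
VOLATILE = ((2, 4), (4, 6), (10, 12), (24, 28), (28, 32), (34, 36), (36, 38))


def ip_checksum(hdr20: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr20))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def make_header(ipid, seq, ack, win, payload_len, tcp_csum, dport=21) -> bytes:
    """Constructed 40-byte IP+TCP header (sample input, not a capture)."""
    ip = bytearray(IP_HDR.pack(0x45, 0, 40 + payload_len, ipid, 0x4000, 64, 6, 0,
                               b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    return bytes(ip) + TCP_HDR.pack(40000, dport, seq, ack, 0x50, 0x18, win, tcp_csum, 0)


def _static(h: bytes) -> bytes:
    """Header with the volatile fields zeroed; must equal the stored context."""
    b = bytearray(h)
    for lo, hi in VOLATILE:
        b[lo:hi] = bytes(hi - lo)
    return bytes(b)


def _get(h: bytes, off: int, fmt: str) -> int:
    return struct.unpack_from(fmt, h, off)[0]


def _encode_delta(d: int) -> bytes:
    """RFC 1144 style: 1..255 in one byte, otherwise 0x00 then a 16-bit value."""
    return bytes([d]) if 1 <= d <= 255 else b"\x00" + struct.pack("!H", d)


class Compressor:
    def __init__(self):
        self.ctx = None  # last header sent on this connection

    def compress(self, hdr40: bytes):
        ctx, self.ctx = self.ctx, hdr40
        if ctx is None or _static(hdr40) != _static(ctx):
            return PPP_VJ_UNCOMPRESSED, hdr40  # installs the receiver's context
        mask, deltas = 0, b""
        for name, off, fmt, bit, mod in DELTA_FIELDS:
            d = (_get(hdr40, off, fmt) - _get(ctx, off, fmt)) % mod
            if d == (1 if name == "ipid" else 0):
                continue  # free case: implicit +1 for IP ID, unchanged otherwise
            if d > 0xFFFF:
                return PPP_VJ_UNCOMPRESSED, hdr40  # out of range: send it whole
            mask |= bit
            deltas += _encode_delta(d)
        # the TCP checksum is always sent verbatim so a desynchronised context is caught
        return PPP_VJ_COMPRESSED, bytes([mask]) + hdr40[36:38] + deltas


class Decompressor:
    def __init__(self):
        self.ctx = None

    def decompress(self, proto: int, body: bytes, payload_len: int) -> bytes:
        if proto == PPP_VJ_UNCOMPRESSED:
            self.ctx = body
            return body
        if self.ctx is None:
            raise ValueError("compressed header received before any context")
        mask, csum, pos = body[0], body[1:3], 3
        h = bytearray(self.ctx)
        for name, off, fmt, bit, mod in DELTA_FIELDS:
            if not mask & bit:
                d = 1 if name == "ipid" else 0
            elif body[pos] == 0:
                d, pos = struct.unpack_from("!H", body, pos + 1)[0], pos + 3
            else:
                d, pos = body[pos], pos + 1
            struct.pack_into(fmt, h, off, (_get(self.ctx, off, fmt) + d) % mod)
        struct.pack_into("!H", h, 2, 40 + payload_len)  # length comes from the frame
        h[36:38] = csum
        h[10:12] = b"\x00\x00"
        struct.pack_into("!H", h, 10, ip_checksum(bytes(h[:20])))
        self.ctx = bytes(h)
        return self.ctx


def demo() -> list:
    """Three FTP-style data segments; returns what each header cost on the link."""
    c, d = Compressor(), Decompressor()
    sizes = []
    for ipid, seq, csum in ((100, 1000, 0x1111), (101, 1200, 0x2222), (102, 1400, 0x3333)):
        h = make_header(ipid, seq, 5000, 8192, 200, csum)
        proto, body = c.compress(h)
        assert d.decompress(proto, body, 200) == h
        sizes.append(len(body))
    return sizes  # [40, 4, 4]
```

demo() sends three consecutive data segments of one connection: the first costs the full 40 bytes, the next two 4 bytes each, in line with the 3 to 5 bytes quoted above. The operational consequence for both ends of the link is visible in Decompressor: every compressed header is reconstructed from the receiver's stored context, so a dropped or corrupted compressed packet leaves every following header wrong until a full header resynchronises the context, which is why the TCP checksum is never compressed away and why IPHC and VJ must be enabled on both peers.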
1.3.1 Configuring IPHC
IPHC configuration tasks are described in the following sections:
• Enabling/disabling IPHC
• Configuring maximum number of compression-enabled TCP connections
• Configuring maximum number of compression-enabled RTP connections
I. Enabling/disabling IPHC
The command in the following table enables IP header compression on an interface, so that the system compresses the RTP headers and TCP headers of the packets sent on it; the undo form disables both.
IP header compression must be enabled at both ends of the link: it is negotiated between the two peers and only takes effect when both agree.
Perform the following configuration in interface view.
Table 1-16 Enable/disable IPHC
Operation       Command
Enable IPHC     ppp compression iphc [ nonstandard ]
Disable IPHC    undo ppp compression iphc
II. Configuring maximum number of compression-enabled TCP connections
You can configure the maximum number of TCP connections on which header compression is performed on an interface.
Perform the following configuration in interface view.
Table 1-17 Configure maximum number of compression-enabled TCP connections
Operation                                                         Command
Configure maximum number of compression-enabled TCP connections   ppp compression iphc tcp-connections number
Restore the default                                               undo ppp compression iphc tcp-connections
The number argument specifies the maximum number of TCP connections compressed on the interface, in the range 3 to 256. The default is 16.
III. Configuring maximum number of compression-enabled RTP connections
You can configure the maximum number of RTP connections on which header compression is performed on an interface.
Perform the following configuration in interface view.
Table 1-18 Configure maximum number of compression-enabled RTP connections
Operation                                                         Command
Configure maximum number of compression-enabled RTP connections   ppp compression iphc rtp-connections number
Restore the default                                               undo ppp compression iphc rtp-connections
The number argument specifies the maximum number of RTP connections compressed on the interface, in the range 3 to 1000. The default is 16.
1.3.2 Configuring PPP STAC-LZS Compression
The current system version supports the Stac LZS compression described in RFC 1974.
Perform the following configuration in interface view.
Table 1-19 Configure PPP STAC-LZS compression
Operation                                         Command
Enable STAC-LZS compression on the interface      ppp compression stac-lzs
Disable STAC-LZS compression on the interface     undo ppp compression stac-lzs
By default, STAC-LZS compression is disabled.
1.3.3 Configuring VJ TCP Header Compression for PPP Packets
Perform the following configuration in interface view.
Table 1-20 Configure VJ TCP header compression
Operation                                                 Command
Enable VJ TCP header compression on the PPP interface     ip tcp vjcompress
Disable VJ TCP header compression on the PPP interface    undo ip tcp vjcompress
By default, VJ TCP header compression is disabled on the PPP interface.
1.3.4 Displaying and Debugging PPP Link Efficiency Mechanism
Table 1-21 Display and debug PPP link efficiency mechanism
Operation                                          Command
Display statistics about TCP header compression    display ppp compression iphc tcp [ interface-type interface-number ]
Display statistics about RTP header compression    display ppp compression iphc rtp [ interface-type interface-number ]
Display statistics about STAC-LZS compression      display ppp compression stac-lzs [ interface-type interface-number ]
Enable RTP header compression debugging            debugging ppp compression iphc rtp { all | context_state | error | full_header | general_info }
Enable TCP header compression debugging            debugging ppp compression iphc tcp { all | context_state | error | full_header | general_info }
Clear all statistics about IP header compression   reset ppp compression iphc [ interface-type interface-number ]
Clear all statistics about STAC-LZS compression    reset ppp compression stac-lzs [ interface-type interface-number ]
1.4 Typical PPP Configuration Example
1.4.1 PAP Authentication
I. Configuration requirements
As shown in Figure 1-3, the firewalls SecPath 1 and SecPath 2 are interconnected through their Ethernet1/0/0 interfaces, SecPath 1 acting as the PPPoE server and SecPath 2 as the PPPoE client. SecPath 1 authenticates SecPath 2 using PAP. Note that PAP (RFC 1334) sends the user name and password in clear text over the link; prefer CHAP (see 1.4.2) wherever the peer supports it.
II. Network diagram
SecPath 1 (Ethernet1/0/0) ---- (Ethernet1/0/0) SecPath 2
Figure 1-3 Network diagram of PAP and CHAP authentication
III. Configuration procedure
1) Configure SecPath1
# Add a local user for the PPPoE peer and allow it the PPP service. Note that password simple stores the password in plain text in the configuration file.
[H3C] local-user secpath2
[H3C-luser-secpath2] password simple pwd
[H3C-luser-secpath2] service-type ppp
# Configure virtual template parameters on SecPath1.
[H3C] interface virtual-template 1
[H3C-Virtual-Template1] ppp authentication-mode pap
[H3C-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[H3C-Virtual-Template1] remote address 1.1.1.2
# Configure the PPPoE parameter on the SecPath1.
[H3C] interface ethernet 1/0/0
[H3C-Ethernet1/0/0] pppoe-server bind virtual-template 1
2) Configure SecPath2.
[H3C] dialer-rule 1 ip permit
[H3C] interface dialer 1
[H3C-Dialer1] dialer user secpath1
[H3C-Dialer1] dialer-group 1
[H3C-Dialer1] dialer bundle 1
[H3C-Dialer1] ip address ppp-negotiate
[H3C-Dialer1] ppp pap local-user secpath2 password simple pwd
# Configure PPPoE session.
[H3C] interface ethernet 1/0/0
[H3C-Ethernet1/0/0] pppoe-client dial-bundle-number 1
1.4.2 CHAP Authentication
I. Configuration requirements
In Figure 1-3, SecPath 1 authenticates SecPath 2 using CHAP. Unlike PAP, CHAP never sends the password itself over the link; both sides must hold the same password, which is used to answer the challenge.
II. Network diagram
See Figure 1-3.
III. Configuration procedure
1) Configure SecPath1
# Add a local user for the PPPoE peer and allow it the PPP service, as in the PAP example. Its password is the CHAP secret shared with SecPath2.
[H3C] local-user secpath2
[H3C-luser-secpath2] password simple pwd
[H3C-luser-secpath2] service-type ppp
# Configure virtual template parameters on SecPath1.
[H3C] interface virtual-template 1
[H3C-Virtual-Template1] ppp authentication-mode chap
[H3C-Virtual-Template1] ppp chap user secpath1
[H3C-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[H3C-Virtual-Template1] remote address 1.1.1.2
# Configure the PPPoE parameter on SecPath1.
[H3C] interface ethernet 1/0/0
[H3C-Ethernet1/0/0] pppoe-server bind virtual-template 1
2) Configure SecPath2
[H3C] dialer-rule 1 ip permit
[H3C] interface dialer 1
[H3C-Dialer1] dialer user secpath1
[H3C-Dialer1] dialer-group 1
[H3C-Dialer1] dialer bundle 1
[H3C-Dialer1] ip address ppp-negotiate
[H3C-Dialer1] ppp chap user secpath2
# Add a local user named after the authenticator (secpath1). SecPath2 takes the CHAP secret from this entry, so its password must be the same as the one SecPath1 holds for secpath2.
[H3C] local-user secpath1
[H3C-luser-secpath1] password simple pwd
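The exchanges behind the PAP and CHAP examples above, as an added Python illustration (not H3C code and not a substitute for the configuration shown): it uses the same names and password as the examples (user secpath2, password pwd, authenticator name secpath1) and shows what each method puts on the link. PAP per RFC 1334 sends the user name and password in clear text; CHAP per RFC 1994 sends a random challenge and an MD5 response derived from the shared secret, so a captured exchange cannot simply be replayed. Packet framing is simplified to dictionaries, and the challenge generator is a parameter so a run can be made reproducible.

```python
"""PAP and CHAP exchanges for the 1.4 examples (added illustration, not H3C code).

Names and password follow the manual's examples: the peer (SecPath 2) is user
secpath2 with password pwd; the authenticator (SecPath 1) is named secpath1.
Packets are modelled as dicts; only the authentication fields are shown.
"""
import hashlib
import hmac
import os

# SecPath 1: local-user secpath2 / password simple pwd
SECPATH1_USERS = {"secpath2": b"pwd"}
# SecPath 2: its own PPP user name (ppp chap user secpath2) and the entry
# local-user secpath1 / password simple pwd, from which it takes the CHAP secret
SECPATH2_NAME = "secpath2"
SECPATH2_USERS = {"secpath1": b"pwd"}


# ---- PAP (RFC 1334): Peer-ID and Password travel in clear text ----
def pap_request(user: str, password: bytes) -> dict:
    return {"code": "Authenticate-Request", "peer_id": user, "password": password}


def pap_authenticate(req: dict, users: dict) -> str:
    stored = users.get(req["peer_id"], b"")
    ok = hmac.compare_digest(stored, req["password"])  # constant-time comparison
    return "Authenticate-Ack" if ok else "Authenticate-Nak"


# ---- CHAP (RFC 1994, MD5): the secret itself never appears on the link ----
def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over Identifier || secret || Challenge Value
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(authenticator_name: str, identifier: int, rng=os.urandom) -> dict:
    return {"code": "Challenge", "id": identifier, "value": rng(16), "name": authenticator_name}


def chap_respond(chal: dict, my_name: str, users: dict) -> dict:
    # Like SecPath 2: look the authenticator's name up in the local user table to
    # find the shared secret, and answer with our own name so SecPath 1 can do the same.
    secret = users[chal["name"]]
    return {"code": "Response", "id": chal["id"],
            "value": chap_hash(chal["id"], secret, chal["value"]), "name": my_name}


def chap_authenticate(chal: dict, resp: dict, users: dict) -> str:
    expected = chap_hash(chal["id"], users.get(resp["name"], b""), chal["value"])
    ok = resp["id"] == chal["id"] and hmac.compare_digest(expected, resp["value"])
    return "Success" if ok else "Failure"


def run_pap() -> dict:
    """What an eavesdropper sees, the outcome, and whether a replay is accepted."""
    req = pap_request(SECPATH2_NAME, b"pwd")
    return {"on_wire": req,
            "result": pap_authenticate(req, SECPATH1_USERS),
            "replay": pap_authenticate(req, SECPATH1_USERS)}  # same bytes, accepted again


def run_chap(rng=os.urandom) -> dict:
    chal = chap_challenge("secpath1", identifier=1, rng=rng)
    resp = chap_respond(chal, SECPATH2_NAME, SECPATH2_USERS)
    fresh = chap_challenge("secpath1", identifier=2, rng=rng)
    return {"on_wire": (chal, resp),
            "result": chap_authenticate(chal, resp, SECPATH1_USERS),
            "replay": chap_authenticate(fresh, resp, SECPATH1_USERS)}  # old response fails
```

Two caveats a practitioner should keep in mind are visible in the code. The CHAP authenticator must hold the peer's secret in clear (or reversibly encrypted) form, because it has to compute the same MD5 over identifier, secret and challenge. And MD5 CHAP offers no protection against an eavesdropper who records a challenge and response and then guesses a weak secret such as pwd offline, so use long random PPP passwords and prefer CHAP over PAP.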