H3C H3C SecPath F1800-A Operating instructions

H3C
Brand
H3C
Model
H3C SecPath F1800-A
Category
Routers
Type
Operating instructions
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Table of Contents
i
Table of Contents
Chapter 1 VLAN Configuration ....................................................................................................4-1
1.1 Introduction to VLAN..........................................................................................................4-1
1.1.1 The Potential Problems In LAN Interconnecting.....................................................4-1
1.1.2 Why Using VLAN.....................................................................................................4-2
1.1.3 VLAN Aggregation ..................................................................................................4-3
1.2 Configuring VLAN..............................................................................................................4-4
1.2.1 Creating an Ethernet Sub-interface ........................................................................4-5
1.2.2 Creating a VLAN and Entering VLAN View ............................................................4-5
1.2.3 Entering VLAN Interface View When a VLAN Is Created.......................................4-5
1.2.4 Adding a Port...........................................................................................................4-5
1.2.5 Configuring a Trunk Port.........................................................................................4-6
1.2.6 Setting Sub-interface Encapsulation Type and Related VLAN ID..........................4-6
1.3 Displaying and Debugging VLAN ......................................................................................4-6
1.4 Typical Example for Configuring VLAN............................................................................. 4-7
Chapter 2 PPP Configuration.....................................................................................................4-10
2.1 PPP Overview..................................................................................................................4-10
2.2 Configuring PPP ..............................................................................................................4-12
2.2.1 Configuring Link Layer Protocol for Interface Encapsulation as PPP...................4-12
2.2.2 Setting Polling Interval ..........................................................................................4-12
2.2.3 Setting PPP Authentication Mode User Name and User Password..................... 4-13
2.2.4 Configuring PPP Authentication Mode of AAA ..................................................... 4-15
2.2.5 Setting PPP Negotiation Parameters....................................................................4-15
2.2.6 Configuring PPP Compression ............................................................................. 4-16
2.2.7 Configuring PPP Link Quality Monitoring..............................................................4-16
2.2.8 Configuring Callback............................................................................................. 4-17
2.2.9 Configuring the Dialing String Needed for Firewall Callback................................4-17
2.2.10 Configuring DNS Address Negotiation................................................................4-18
2.2.11 Configuring VJ TCP Header Compression.........................................................4-18
2.3 Displaying and Debugging PPP.......................................................................................4-19
2.4 Typical Example for Configuring PPP..............................................................................4-19
2.4.1 PAP Authentication Example................................................................................4-19
2.4.2 CHAP Authentication Example ............................................................................. 4-20
2.5 Troubleshooting PPP.......................................................................................................4-20
Chapter 3 PPPoE Configuration ................................................................................................ 4-22
3.1 PPPoE Overview .............................................................................................................4-22
3.1.1 Introduction to the PPPoE Protocol ......................................................................4-22
3.1.2 Introduction to PPPoE Application........................................................................4-22
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Table of Contents
ii
3.2 PPPoE Server Configuration...........................................................................................4-23
3.2.1 Enabling or Disabling PPPoE................................................................................4-23
3.2.2 Setting PPPoE Parameters...................................................................................4-24
3.3 Configuring PPPoE Client................................................................................................4-24
3.3.1 Configuring a Dialer Interface ............................................................................... 4-24
3.3.2 Configuring a PPPoE Session .............................................................................. 4-25
3.3.3 Resetting or Deleting a PPPoE Session............................................................... 4-26
3.4 Displaying and Debugging PPPoE..................................................................................4-26
3.5 Typical Examples for Configuring PPPoE.......................................................................4-27
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-1
Chapter 1 VLAN Configuration
1.1 Introduction to VLAN
1.1.1 The Potential Problems In LAN Interconnecting
The Ethernet is a kind of data network communication technology, which is based on
the shared communication medium of Carrier Sense Multiple Access with Collision
Detection (CSMA/CD). Under CSMA/CD, each node will use the shared medium to
send out frames in turn. Thus, in one moment, only one host can send out frames
while other hosts can only receive frames.
When many hosts are connected to the hub (with star topology) through the twisted
pairs, or connected together by the coaxial cables (with bus topology), all the hosts
interconnected to the shared physical media forms a physical collision domain, which
is usually regarded as a LAN segmentation.
Based on the Ethernet principles mentioned above, you can see that the following
problems may occur in connecting LAN through hub:
z Severe collision
z Flooding broadcast
z Performance reduction
z Unavailability of network
The above problems can be solved by using the Transparent Bridge or LAN switch to
interconnect the LANs. The switch establishes a MAC-PORT mapping table with the
source MAC addresses of received frames.
For the received data frames, the switch will look up their destination MAC address in
the mapping table. If it can find the destination MAC address, the switch will send the
frame only to the corresponding port; if it cannot find the destination MAC address, the
switch will send the frame to all the ports.
In this way, the collision domains are separated in their own ports and will not be
extended to other ports. The switch, as a kind of transparent device, does not change
the source and destination addresses of the Ethernet frames, but forwards them to
the proper LAN segmentations.
Although the switch has solved the problem of severe collision caused by using hub, it
still cannot separate the broadcast. In fact, all the hosts (perhaps including many
switches) interconnected by switches are in one broadcast domain. For the broadcast
packets with full "F" (0xffffffffffff) as their destination MAC address, such as the ARP
request packet, the switch will forward them to all the ports. In this case, the broadcast
storm will be caused and the performance of the entire network will be degraded.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-2
1.1.2 Why Using VLAN
The LAN interconnection by means of switches cannot restrict the broadcast. The
technology of Virtual Local Area Network (VLAN) comes into being to solve the
problem. In this way, one LAN is divided into several logical "LAN"s (VLANs), with
each VLAN as a broadcast domain. In each VLAN, the hosts can communicate with
each other just as they are in a LAN, but the VLANs cannot interact with one another
directly. Therefore, the broadcast packets are restricted in one VLAN, as shown in
Figure 1-1.
VLAN A
VLAN B
VLAN A
VLAN B
VLAN A
VLAN B
LAN Switch
LAN Switch
Router
Figure 1-1 An example of VLAN
The buildup of VLAN is not restricted by physical locations, that is to say, one VLAN
can be within in one switch or across switches, or even across routers.
The VLAN can be classified:
z Based on the port
z Based on the MAC address
z Based on the protocol type
z Based on IP address mapping
z Based on multicast
z Based on the policy
At present, the VLAN is usually classified based on the port. In this manual, the
VLANs are all classified based on the port except special declaration.
The advantages of using VLAN are listed as follows:
1) It can restrict broadcast packets (broadcast storm), save the bandwidth and thus
improve the performance of the network.
The Broadcast domain is restricted in one VLAN and the switch would not directly
send frames from one VLAN to another except that it is a layer 3 switch.
2) It can enhance the security of LAN.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-3
VLANs cannot directly communicate with one another, that is, the users in one VLAN
cannot directly access those in other VLANs. They need help of such layer 3 devices
as routers and Layer 3 switches to fulfill the access.
3) It provides the virtual workgroup.
VLAN can be used to group users to different workgroups. When the workgroups
change, the users need not change their physical locations. In the application, users
of the same workgroup usually cooperate with each other at the same place, and
there are few cases that users are in different places.
On a switch, the common ports can only belong to one VLAN, that is, they can only
identify and send packets of the VLAN they belong to. However, when the VLAN is
across switches, it is necessary that the ports (links) among the switches can identify
and send packets of several VLANs at the same time. The same problem exists
among the switches and routers that support VLAN.
The link of this type is called Trunk, which has two meanings:
z One is "trunking".
Namely, transparently transmit the VLAN packets to the interconnected switches or
routers so as to extend the VLAN.
z The other is "super trunk".
Namely, several VLANs run on such a link.
The common protocol used to implement Trunk is IEEE 802.1Q (dot1q) is a standard
protocol of IEEE. It identifies the VLAN through adding a 4-byte VLAN tag to the end
of the source address field in the original Ethernet packet.
VLANs cannot directly interconnect with each other. So routers supporting VLAN
must be used to connect each VLAN to implement the interconnection among VLANs.
Usually, this is a kind of layer 3 (IP layer) interconnection.
1.1.3 VLAN Aggregation
In the application of broadband network, a large number of VLAN users need to be
connected to the router (firewall). A typical way for connecting residential users of
metropolitan area network (MAN) to broadband via Ethernet is: Connect the users
through Ethernet switch and isolate, mark and manage users through VLAN.
A problem exists in such networking model: Each VLAN occupies a separate address
segment and the upstream gateway is various. Thus, many IP addresses are wasted.
In addition, it’s not convenient for the network management and extension because
various users need to be allocated various gateways if Dynamic Host Configuration
Protocol (DHCP) is not adopted.
VLAN aggregation is brought forward to solve the above networking problem.
Through VLAN aggregation, a sub-interface can be configured a VLAN, but several
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-4
VLANs can share a same network segment. Thus, users can share the same IP
address of the gateway.
VLAN aggregation is realized by performing Address Resolution Protocol (ARP)
Proxy over IP addresses of various VLANs.
Caution:
Do not use VLAN aggregation on interconnecting of layer3 equipment because it may
create various useless protocol control packets.
1.2 Configuring VLAN
VLAN can be used only on the Ethernet sub-interface or GE Ethernet sub-interface.
When configuring VLAN, do as follows:
1) In routing mode
z Creating a sub-interface
z Assigning the IP address to the sub-interface
z Setting the encapsulation type and associated VLAN ID for the sub-interface
2) In transparent mode
Only high speed interfaces, such as, 8FE interfaces and GE interfaces, support the
transparent mode.
When configuring the relevant VLAN, do as follows.
z Creating a VLAN and entering VLAN view
z Entering VLAN interface view when a VLAN is created
z Adding or deleting a port
z Configuring a Trunk port
3) In composite mode
Only high speed interfaces, such as, 8FE interfaces and GE interfaces, support the
transparent mode. Use the portswitch command in interface view to switch the
interface to the transparent mode.
For VLAN configuration of interfaces working in transparent mode, refer to 2).
For VLAN configuration of interfaces working in routing mode, refer to 1).
You can use the ip address command in interface view to assign the IP address to
the sub-interface.
For this command in detail, refer to "05-Network and Routing Protocol Operation" in
this manual.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-5
1.2.1 Creating an Ethernet Sub-interface
Do as follows in system view.
Table 1-1 Creating an Ethernet sub-interface
Action Command
Create an Ethernet sub-interface.
interface { ethernet |
gigabitethernet }
interface-number.subnumber
Remove an Ethernet sub-interface.
undo interface { ethernet |
gigabitethernet }
interface-number.subnumber
1.2.2 Creating a VLAN and Entering VLAN View
Do as follows in system view.
Table 1-2 Creating a VLAN and entering VLAN view
Action Command
Create a VLAN and enter VLAN view.
vlan vlan-id
Delete a VLAN.
undo vlan vlan-id
1.2.3 Entering VLAN Interface View When a VLAN Is Created
Do as follows in system view.
Table 1-3 Entering VLAN interface view when a VLAN is created
Action Command
Enter VLAN interface view when a VLAN is created.
interface vlanif vlan-id
1.2.4 Adding a Port
Do as follows in VLAN view.
Table 1-4 Adding or deleting an interface
Action Command
Add an interface to a VLAN.
port interface interface-type interface-number
Delete an interface from a
VLAN.
undo port interface interface-type
interface-number
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-6
Do as follows in Ethernet interface view or GE interface view.
Table 1-5 Adding or deleting the current port
Action Command
Add the current port to a VLAN.
port default vlan vlan-id
Delete the current port from a VLAN.
undo port default vlan vlan-id
1.2.5 Configuring a Trunk Port
When you configure a port with one or more allowed VLANs, the port will become a
Trunk port.
When you remove all allowed VLANs from a Trunk port, the port will not be a Trunk
port any more.
Do as follows in Ethernet interface view.
Table 1-6 Configuring a Trunk port
Action Command
Configure a port as Trunk port and set the
allowed VLAN ID on the port.
port trunk allow-pass vlan { { vlan-id
[ to vlan-id ] } & <1-10> | all }
Configure a Trunk port to non-trunk port
and delete all the allowed VLAN IDs.
undo port trunk allow-pass vlan
{ { vlan-id [ to vlan-id ] } & <1-10> | all }
1.2.6 Setting Sub-interface Encapsulation Type and Related VLAN ID
Do as follows in Ethernet sub-interface view.
Table 1-7 Setting sub-interface encapsulation type and related VLAN ID
Action Command
Set sub-interface encapsulation type and
related VLAN ID.
vlan-type dot1q vlan-id ]
1.3 Displaying and Debugging VLAN
You can use the display command in any view to view the running state and thus
verify the effect of VLAN.
You can use the debugging command in user view to debug VLAN.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-7
Table 1-8 Displaying and debugging VLAN
Action Command
View the status of a VLAN and
the ports it contains.
display vlan vlan-id
View the untagged ports of all or
a specified VLAN.
display vlan port-default [ vid vlan-id ]
View the tagged port of all or a
specified VLAN.
display vlan port-trunk [ vid vlan-id ]
Debug VLAN packets.
debugging vlan packet [ interface
interface-type interface-number ] [ vid vlan-id ]
Disable VLAN packet debugging.
undo debugging vlan packet [ interface
interface-name ] [ vid vlan-id ]
Note:
If you do not specify any optional parameter for the debugging vlan packet
command, you will debug all the packets of all the VLAN sub-interfaces.
1.4 Typical Example for Configuring VLAN
I. Networking Requirements
The following is a configuration example of layer 3 forwarding mode (sub-interface).
As shown in Figure 1-2, Switch 1 and Switch 2 specify the VLAN attributes of ports.
Thus, the workstations A, B, C and D connected to these Switches belong to VLAN 10
or VLAN 20.
It is required:
z The addresses of the SecPath F1800-A sub-interfaces Ethernet 3/0/0.1,
Ethernet 3/0/0.2, Ethernet 4/0/0.1, and Ethernet 4/0/0.2 are 1.0.0.1, 2.0.0.1,
3.0.0.1, and 4.0.0.1 respectively.
z Communication can be carried out between workstation A and B as well as
between C and D. Namely, through the same switch, workstations in different
VLANs can communicate with each other.
z Communication can be carried out between workstation A and C, as well as
between B and D. Namely, through different switches, workstations in the same
VLAN can communicate with each other.
z Communications can be carried out between workstations A and D, and between
B and C. Namely, different switches and different VLANs can communicate with
each other.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-8
II. Networking Diagram
port1
non-trunk port
port3
trunk port
eth3/0/0.2
2.0.0.1/8
VLAN 20
port2
non-trunk port
port4
A
VLAN10
B
VLAN 20
2.2.2.2/81.1.1.1/8
4.4.4.4/8
VLAN 20
D
C
VLAN10
3.3.3.3/8
eth3/0/0.1
1.0.0.1/8
VLAN 10
trunk port
eth 4/0/0.1
3.0.0.1/8
VLAN 10
eth 4/0/0.2
4.0.0.1/8
VLAN 20
Internet
LAN Switch
LAN Switch
SecPath
Figure 1-2 VLAN networking diagram of L3 switching mode
III. Configuration Procedure
The SecPath F1800-A is configured as follows:
# Create an Ethernet sub-interface Ethernet 3/0/0.1 and enter its view.
<SecPath> system-view
[SecPath] interface ethernet 3/0/0.1
# Assign the IP address to Ethernet 3/0/0.1.
[SecPath-Ethernet3/0/0.1] ip address 1.0.0.1 255.0.0.0
# Set the encapsulation type of Ethernet 3/0/0.1 and the related VLAN ID.
[SecPath-Ethernet3/0/0.1] vlan-type dot1q 10
Note:
The encapsulation type of the Ethernet sub-interface must be the same as that of the
switch port.
After the encapsulation type is set for the Ethernet sub-interface, the sub-interface is
allowed for trunk.
# Create an Ethernet sub-interface Ethernet 3/0/0.2 and enter its view.
[SecPath] interface ethernet 3/0/0.2
[
SecPath-Ethernet3/0/0.2] ip address 2.0.0.1 255.0.0.0
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 1 VLAN Configuration
4-9
# Set the encapsulation type of Ethernet 3/0/0.2 and the related VLAN ID.
[SecPath-Ethernet3/0/0.2] vlan-type dot1q 20
# Create an Ethernet sub-interface Ethernet 4/0/0.1 and enter its view.
[SecPath] interface ethernet 4/0/0.1
# Assign the IP address to Ethernet 4/0/0.1.
[SecPath-Ethernet4/0/0.1] ip address 3.0.0.1 255.0.0.0
# Set the encapsulation of Ethernet 4/0/0.1 and the related VLAN ID.
[SecPath-Ethernet4/0/0.1] vlan-type dot1q 10
# Create an Ethernet sub-interface Ethernet 4/0/0.2 and enter its view.
[SecPath] interface ethernet 4/0/0.2
# Assign the IP address to Ethernet 4/0/0.2.
[SecPath-Ethernet4/0/0.2] ip address 4.0.0.1 255.0.0.0
# Set the encapsulation of Ethernet 4/0/0.2 and the related VLAN ID.
[SecPath-Ethernet4/0/0.2] vlan-type dot1q 20
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-10
Chapter 2 PPP Configuration
2.1 PPP Overview
I. PPP
The Point-to-Point Protocol (PPP) is one of link layer protocols that bearing network
layer packets over the point-to-point link.
It has been widely used since it can provide user authentication, support synchronous
and asynchronous communication and can be expanded easily.
PPP defines a whole set of protocols, including:
z Link Control Protocol (LCP)
z Network Control Protocol (NCP)
z Authentication protocols (including Password Authentication Protocol (PAP) and
Challenge-Handshake Authentication Protocol (CHAP))
Among them:
z LCP is used to negotiate some parameters on the link, and establish and monitor
the data link.
z NCP is used to negotiate parameters of network layer protocols.
II. PPP Authentication
1) PAP authentication
PAP is a 2-way handshake authentication protocol and it sends the user name and
password in plain text.
The process of PAP authentication is as follows:
z The requester under authentication sends its user name and password to the
authenticator.
z The authenticator checks if the user name exists and the password are correct
based on the local user list. If the user name exists and the password is correct,
the authenticator returns the “Acknowledge” response; if the user name does not
exist and the password is incorrect, the authenticator returns the “Not
Acknowledge” response.
2) CHAP authentication
CHAP is a 3-way handshake authentication protocol and the password is sent in
encrypted text (key).
The process of CHAP authentication is as follows:
z The authenticator sends some randomly generated messages to the requester,
and at the same time it sends its own hostname to the requester.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-11
z The requester will look for the user password based on the authenticator’s
hostname in the received packet and its own user list. If it finds the user in the
user list with the same name as the authenticator’s hostname, the requester
encrypts this random packet with the packet ID, user’s key (password) by using
the MD5 algorithm. Then it sends the generated encrypted text and its own
hostname to the authenticator.
z The authenticator encrypts the original random packet with its locally saved
password of requestor by using the MD5 algorithm. Then it compares the
encryption result with the response from the requester. If both are identical, the
“Acknowledge” response is returned; if both are different, the “Not Acknowledge
response is returned.
III. PPP Operation Process
1) When the physical layer is unavailable, the PPP link is in the “dead” phase. The
link must start with and end in this phase. When the physical layer becomes
available, the PPP link enters the “establish” phase.
2) LCP negotiation should be carried out on the PPP link in the “establish” phase,
including operating mode (SP or MP), authentication mode and MTU. After LCP
negotiation is successful, the status of LCP is “opened”, which indicates that the
lower layer link has been established.
3) If the authentication is not configured, it enters network negotiation phase. At this
moment, the status of LCP is still “opened”, while the status of NCP changes
from “initial” to “request-sent” and enters 5); If the authentication (the remote
verifies the local or the local verifies the remote) is configured, it enters the
“authenticate” phase and begins CHAP or PAP authentication and enters 4).
4) If the authentication fails, it enters the “terminate” phase, the link is removed and
LCP turns to Down. After successful authentication, the network negotiation
phase (NCP) begins. At this time, the status of LCP is still “opened”, while the
status of NCP is changed from “initial” to “request-sent”.
5) NCP negotiation supports the negotiations of IPCP and IPXCP, of which IPCP
negotiation mainly includes the IP addresses of two parties. Network layer
protocols are selected and configured through the NCP negotiation. The related
network layer protocol must be negotiated successfully before this network layer
protocol sends messages through this PPP link.
6) PPP link will remain in communication status until a specific LCP or NCP frame
closes this link or some external events take place (for example, the intervention
of users).
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-12
Dead Establish
Opened
Authenticate
NetworkTerminate
Fail
Down
Fail
Closing
Success/None
Figure 2-1 PPP operation flow chart
For detailed description of PPP, refer to RFC1661.
2.2 Configuring PPP
Mandatory PPP configuration includes:
z Configuring the link layer protocol for interface encapsulation as PPP
z Setting polling interval
z Setting PPP authentication mode, user name and user password
z Applying AAA authentication and accounting parameter of PPP
Optional PPP configuration includes:
z Setting PPP negotiation parameters
z Configuring PPP compression algorithm
z Configuring PPP link quality monitoring
z Configuring callback
z Configuring dialing string needed for the SecPath F1800-A callback
z Configuring DNS server address negotiation
z Configuring VJ TCP header compression
2.2.1 Configuring Link Layer Protocol for Interface Encapsulation as PPP
Do as follows in interface view.
Table 2-1 Configuring the link layer protocol for interface encapsulation as PPP
Action Command
Configure the link layer protocol for
interface encapsulation as PPP.
link-protocol ppp
2.2.2 Setting Polling Interval
Do as follows in interface view.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-13
Table 2-2 Setting polling interval
Action Command
Set polling interval.
timer hold seconds
Disable link detection.
undo timer hold
2.2.3 Setting PPP Authentication Mode User Name and User Password
Two authentication modes are supported between the local and the peer: CHAP and
PAP.
The authentication configuration steps vary with authentication directions and modes.
All the following PPP authentication commands are used in interface view except that
the local-user command is used in AAA view.
I. Configuring the Local SecPath F1800-A to Authenticate the Peer in CHAP
and PAP Modes
Table 2-3 Configuring the local SecPath F1800-A to authenticate the peer in CHAP
and PAP modes
Action Command
Configure the local device to support both
CHAP and PAP modes.
ppp authentication-mode chap
pap
Remove CHAP and PAP negotiation modes.
undo ppp authentication-mode
After configuration, the local device authenticates the peer in CHAP negotiation first. If
the remote does not support CHAP, the local device then authenticates the peer in
PAP negotiation. CHAP and PAP authentication cannot be negotiated at the same
time during a PPP negotiation.
II. Configuring the Local Device to Authenticate the Peer in PAP Mode
Table 2-4 Configuring the local device to authenticate the peer in PAP mode
Action Command
Configure the local to authenticate the peer
(in PAP mode).
ppp authentication-mode pap
Remove the PPP authentication. That is, do
not carry out PPP authentication.
undo ppp authentication-mode
Add the user name and password of the peer
to the local user list.
local-user user-name password
{ simple | cipher } password
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-14
III. Configuring the Peer to Authenticate the Local Device in CHAP Mode
Table 2-5 Configuring the peer to authenticate the local device in CHAP mode
Action Command
Configure the local to authenticate the
peer (in CHAP mode).
ppp authentication-mode chap
Remove the PPP authentication. That
is, do not carry out PPP authentication.
undo ppp authentication-mode
Set the local user name.
ppp chap user user-name
Delete the local user name.
undo ppp chap user
Add the user name and password of
the peer to the local user list.
local-user user-name password { simple
| cipher } password
IV. Configuring the Peer to Authenticate the Local Device in PAP Mode
Table 2-6 Configuring the peer to authenticate the local device in PAP mode
Action Command
Set PAP user name and password sent by
the local when the peer authenticates the
local in PAP mode.
ppp pap local-user user-name
password { simple | cipher }
password
Delete the user name and password sent
during authentication in PAP mode.
undo ppp pap local-user
V. Configuring the Peer to Authenticate the Local Device in CHAP Mode
Table 2-7 Configuring the peer to authenticate the local device in CHAP mode
Action Command
Set a local user name.
ppp chap user user-name
Delete the local user name.
undo ppp chap user
Set the password of the local for authentication in
CHAP mode.
ppp chap password { simple |
cipher } password
Delete the password of the local during
authentication in CHAP mode.
undo ppp chap password
Add the user name and password of the peer into
the local user list.
local-user user-name
password { simple | cipher }
password
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-15
2.2.4 Configuring PPP Authentication Mode of AAA
After PPP authentication, whether the PPP user passes the authentication will be
finally decided by AAA.
AAA can authenticate the PPP user:
z At local
z Through the RADIUS server
z Through the TACACS server
z Local authentication is to authenticate the PPP user based on the information on
the local user configured with the local-user user-name password { simple |
cipher } password command.
z RADIUS or TACACS server authentication is to authenticate the PPP user
based on the information on the user database on the RADIUS or TACACS
server.
Table 2-8 Configuring AAA authentication and accounting of PPP
Action Command
Apply the PPP authentication mode
of the AAA authentication scheme.
ppp authentication-mode { chap [ pap ] |
pap } [ call-in ]
For PPP authentication method of AAA, refer to the "06-Security Defence Operation"
module in this manual.
After the above configuration, basic PPP configuration is completed. You can
configure the following advanced configuration as required.
2.2.5 Setting PPP Negotiation Parameters
The following PPP negotiation parameters can be set.
z Interval between negotiation timeout
During PPP negotiation, if the response message of the peer is not received within
this interval, PPP will resend the former message. The interval of timeout ranges from
1 to 10 seconds.
z Some negotiation parameters of NCP
They include the local IP address, or the IP address assigned to the peer.
For example, use the ip address ppp-negotiate command to require the peer to
assign IP address for the local; use the remote address command to make the local
device to assign IP address for the peer.
For these configurations, refer to the "05-Network and Routing Protocol Operation"
part in this manual.
Do as follows in interface view.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-16
Table 2-9 Setting the interval of PPP negotiation timeout
Action Command
Set the interval of negotiation timeout.
ppp timer negotiate seconds
Restore the default interval of negotiation
timeout.
undo ppp timer negotiate
2.2.6 Configuring PPP Compression
The current system version supports:
z The Stac compression
z The IP head compression
Do as follows in interface view.
Table 2-10 Configure PPP compression
Action Command
Enable the Stac compression on an
interface.
ppp compression stac-lzs
Cancel the Stac compression on an
interface.
undo ppp compression stac-lzs
Allow the IPHC compression on an
interface.
ppp compression iphc [ nonstandard |
rtp-connections rtp-connections |
tcp-connections tcp-connections ]
Disable the IPHC compression on
an interface.
undo ppp compression iphc
[ rtp-connections | tcp-connections ]
2.2.7 Configuring PPP Link Quality Monitoring
PPP link quality monitoring can monitor the PPP link quality (including PPP links
bound to MP) in real time.
When link quality is lower than the Disabled Quality Percentage, link will be disabled.
When link quality restores to the Restoring Link Quality Percentage, link will be
automatically resumed.
To ensure that links do not repeatedly oscillate between disabled status and restoring
status, there will be time delay when PPP link quality monitoring resumes the link.
Do as follows in interface view.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-17
Table 2-11 Configuring PPP link quality monitoring
Action Command
Enable PPP link quality monitoring.
ppp lqc close-percentage
[ resume-percentage ]
Disable PPP link quality monitoring.
undo ppp lqc
Note:
After PPP link quality monitoring is enabled, the serial port will send Link Quality
Reports (LQR) packets at each polling interval to replace the original polling interval
packets.
When link quality is normal, the system will calculate the link quality in each LQR
packet. If the calculation results turn out to be unqualified for two consecutive times,
the link will be disabled. After the link is disabled, the system will calculate the link
quality in every ten LQR packets. The link will not be resumed unless the calculation
results of link quality are qualified for three consecutive times. Therefore, the link can
only be resumed after at least 30 polling intervals when it is disabled. If the polling
interval is set too long, it may cause the link fails to resume for a long time.
2.2.8 Configuring Callback
Do as follows in interface view.
Table 2-12 Configuring callback
Action Command
Configure an interface as a callback server or
client.
ppp callback
{
client | server
}
Disable the interface as a callback server or
client.
undo ppp callback
{
client |
server
}
Note that one interface cannot serve as server and client at the same time.
2.2.9 Configuring the Dialing String Needed for Firewall Callback
Do as follows in interface view.
Do as follows when the firewall serves as the client of CBCP callback and meanwhile
the server permits calling back to the number specified by the user.
Operation Manual - Link Layer Protocol
H3C SecPath F1800-A Firewall Chapter 2 PPP Configuration
4-18
Table 2-13 Configuring the dialing string needed for firewall callback
Action Command
Configure the dialing string needed for firewall
callback.
ppp callback ntstring dial-string
Cancel the callback dialing string.
undo ppp callback ntstring
[ dial-string ]
2.2.10 Configuring DNS Address Negotiation
Do as follows in interface view.
Table 2-14 Configuring DNS address negotiation
Action Command
Admit the request for DNS address
negotiation from the peer.
ppp ipcp dns admit-any
Configure the DNS address of local
negotiation.
ppp ipcp dns primary-dns-address
[ secondary-dns-address ]
Remove the DNS address
configuration.
undo ppp ipcp dns
{
primary-dns-address
[ secondary-dns-address ] | admit-any }
By default, DNS address negotiation is denied.
Currently, only the firewall can serve as DNS address negotiation server.
2.2.11 Configuring VJ TCP Header Compression
Van Jacobson TCP Header Compression (VJ TCP Header Compression), is a kind of
compression algorithm. It reduces the size of a TCP/IP header to about 3 bytes and
as a result improves the efficiency of slow speed line.
For description of VJ TCP header compression in detail, refer to RFC1144.
Do as follows in interface view.
Table 2-15 Configuring VJ TCP header compression
Action Command
Enable VJ TCP header compression on a PPP interface.
ip tcp vjcompress
Disable VJ TCP header compression on a PPP
interface.
undo ip tcp
vjcompress
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30

H3C H3C SecPath F1800-A Operating instructions

H3C
Brand
H3C
Model
H3C SecPath F1800-A
Category
Routers
Type
Operating instructions
Download PDF
report

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI

Related papers

Other documents