ProCurve Secure Router 7000dl Series November 2006 J06_03 Advanced Management and Configuration Guide...
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
... without the prior written consent of Hewlett-Packard.
Publication Number
Troubleshooting RIP ........15-153 Router Not Receiving Routes .
16 Using the Web Browser Interface for Advanced Configuration Tasks Contents ............16-1 Configuring Access to the Web Browser Interface .
Overview
Using This Guide
The ProCurve Secure Router Advanced Management and Configuration Guide describes how to use the ProCurve Secure Router 7000dl series in a network environment. Specifically, it focuses on two models:
• ProCurve Secure Router 7102dl
• ProCurve Secure Router 7203dl
Both this guide and the ProCurve Secure Router Basic Management and Configuration Guide describe how to use the command line interface (CLI)
Understanding Command Syntax Statements
This guide uses the following conventions for command syntax and information:
Syntax: show access-lists [<listname>]
Syntax: [permit | deny] [any | host <A.B.C.D> | <A.B.C.D> <wildcard bits>]
Angle brackets ( < > ) enclose a description of a command element, a part of the command in which you enter information specific to your particular router or WAN.
For simplicity, throughout this manual the CLI prompt is shown as:
ProCurve>
You can change the name displayed at the prompt of your router by changing the router's hostname. For more instructions on changing the router's hostname and other basic router functions, see the Basic Management and Configuration Guide, Chapter 1: Overview.
For example, if you have a two-port T1 module in slot one, you would configure the left T1 port by entering:
ProCurve(config)# interface t1 1/1
To configure the other T1 port, you would enter:
ProCurve(config)# interface t1 1/2
As mentioned earlier, the Ethernet interfaces are also labeled in <slot>/<port>...
You will need the Adobe Acrobat Reader to view documentation that you have saved.
Figure 1-1. The ProCurve Technical Support Web Page (callout: Click Product manuals)
Downloading Software Updates
ProCurve Networking periodically updates the router software to include new features.
Figure 1-2. Downloading Software Updates (callouts: Step 2, Step 3)
Release notes are included with the software updates and provide information about:
• new features and how to configure and use them
• software management, including downloading software to the router
• software fixes addressed in current and previous releases
For information on how to configure basic router functions, see the Basic Management and Configuration Guide.
Overview
Interface Management Options
The ProCurve Secure Router includes two management interfaces:
• the command line interface (CLI)
• the Web browser interface
The router also supports Simple Network Management Protocol (SNMP), which allows you to manage it through an SNMP management console. (For more information about SNMP support, see Chapter 2: Controlling Management Access to the ProCurve Secure Router in the ProCurve Secure Router Basic Management and Configuration Guide.)
Figure 1-3. Configuring ACPs Using the Web Browser Interface
Accessing the Web Browser Interface
To access the Web browser interface, you must first establish a CLI session and configure at least one interface through which you can establish an HTTP session with the router.
Configure a username and password for the HTTP server. This username and password also secure FTP and SSH access to the router, so a single credential governs every remote management service: choose it accordingly and do not reuse it elsewhere. From the global configuration mode context, enter:
Syntax: username <username> password <password>
For more information on how to use the Web browser interface, see Chapter 16: Using the Web Browser Interface for Advanced Configuration Tasks.
...provides a Wizard to guide you through configuring network monitoring, or you can set up the feature manually by entering the necessary commands in the CLI. The firewall wizard can be found in the Firewall section. Click Firewall Wizard to open the wizard in a new window.
Overview
CLI Tools
This section gives a brief description of the CLI tools and commands that will help you to configure and troubleshoot your router. If you need more detailed information on the commands available in the CLI, it is highly recommended that you consult the Basic Management and Configuration Guide.
Editing Commands
The router's CLI supports basic editing functions that can move the cursor through the command line and allow you to cycle through previous commands. Table 1-1 describes the ProCurve editing commands.
Table 1-1. Keystrokes for Moving Around the CLI (Editing Command / Action)
Ctrl+p or up arrow...
...be checked by pressing after typing en at the basic mode context prompt. Because the Secure Router OS is able to finish the word enable, it completes the truncated command.
Basic Commands
This section gives some basic CLI commands that you will need to operate your router.
This message is a reminder to save the configuration you have completed. All configuration changes are initially made only in the router's running-config, which is held in volatile memory (RAM); only the saved startup-config resides in flash. If the router were powered down, the running-config, and any changes that you have not saved, would be lost.
ProCurve# copy running-config startup-config
Table 1-2. Options for the copy Command
Source location: cflash <filename> or flash <filename>
Destination location options:
• boot flash <filename>
• cflash [<filename>]
• flash [<filename>]
• interface (only from flash <filename>)
Source location: cflash or flash
Destination location options: •...
To save a configuration as a file on internal flash, enter the following command from the enable mode context:
ProCurve# copy <source file location> <source config-file> flash [<filename>]
Replace <source file location> with the location of the configuration file you are saving.
erase
The erase command removes files from the specified file location.
Syntax: erase <file location> <filename>
For example, entering erase flash <filename> will delete the file you specify from internal flash:
ProCurve# erase flash oldconfig
This command also allows you to erase files from compact flash:
ProCurve# erase cflash config1.cfg
write
This command is similar to the copy and erase commands.
The autosynch command is disabled in its default setting. To enable the AutoSynch™ technology, enter the global configuration mode and enter:
ProCurve(config)# autosynch-mode
AutoSynch: SROS.BIZ synched
AutoSynch: startup-config synched
To disable AutoSynch™, use the no command:
ProCurve(config)# no autosynch-mode
AutoSynch: SROS.BIZ not synched
AutoSynch: startup-config not synched...
The CLI will prompt you to save the system configuration. If you have already made the configurations that you want to test, reply no. If you are getting ready to make the configurations to be tested and want to save previous configurations, reply yes.
Note: The showtech.txt file is saved to internal flash. If you intend to use a compact flash card to transport the file, you must save the showtech.txt file to a compact flash card.
The showtech.txt file contains a readout of many of the show commands. This readout allows a network administrator to pinpoint a router configuration problem without a connection to the router. Because the readout includes configuration output, treat showtech.txt as sensitive and delete it from the compact flash card once it has been transferred.
After you enable SafeMode and set the time limit, a reload timer is activated for the Telnet and SSH access lines and begins to count down. You also set a threshold timer, which is shorter than the reload timer. When the threshold timer expires, a warning message is displayed in the CLI that allows you to reset the timer.
After the countdown for the reload timer has begun, it continues until you either reset it by pressing Ctrl+R, disable it by entering no safe-mode, or exit out of the global configuration mode context. Use the no form of the command to disable SafeMode and the countdown timer:
ProCurve(safe-config)# no safe-mode...
Overview
Managing Configuration Files Using a Text Editor
Configuration files can be adjusted to each router's needs using your computer's text editor. This allows you to set up a configuration on one router, save it to a file, and edit it for installation on another router.
Figure 1-4. Boot Error Messages
The error messages in Figure 1-4 were displayed during bootup. In this particular case, the startup-config file has several VPNs configured, and the router that is booting does not have an IPSec VPN module to support them. The commands for the configuration of the VPNs are reported as errors.
Figure 1-5. Using Boot Error Messages to Target a Configuration Problem (callouts: Error location, Resulting message)
The line number given in the error message is the line number in the running-config. You can use this information to repair any configuration problems. You will need to scroll up in your terminal session software window to read the error message.
Overview
Quick Start
This section provides the instructions you need to quickly access the ProCurve Secure Router CLI and configure an enable mode password to protect the router from unauthorized access. This section also explains how to configure the Ethernet interface and the HTTP server so that you can access the Web browser interface.
Configuring the Enable Mode Password
Configure an enable mode password.
Syntax: enable password [md5] <password>
Enter the md5 option to store an MD5 hash of the password in the configuration rather than the password itself; without it, the password appears in cleartext in show running-config and in every saved or copied configuration file. The hash keeps the password out of the displayed configuration, but anyone who obtains the configuration file can still brute-force a short password against it offline, so use a long string. Replace <password> with an alphanumeric string of up to 16 characters. For example, you might enter:
ProCurve(config)# enable password md5 ProCurve
Note: The word ProCurve is shown as the password only for simplicity.
Configuring Telnet Access
After you configure an Ethernet interface and establish a connection to the ProCurve Secure Router, you can configure Telnet access to the router. Telnet carries the whole session, passwords included, in cleartext; where the router is managed across an untrusted network, use SSH instead (SSH uses the same username and password configured for the HTTP server). Complete the following steps:
Establish a console session to the ProCurve Secure Router and move to the global configuration mode context.
Complete the following steps:
Establish a console session to the ProCurve Secure Router and move to the global configuration mode context.
ProCurve> enable
ProCurve# configure terminal
If you have not already done so, configure an enable mode password. Enter:
Syntax: enable password <password>...
Increasing Bandwidth
Overview
Point-to-Point Protocol (PPP) and other Data Link Layer protocols establish point-to-point connections over a single carrier line, which may not provide sufficient bandwidth to meet a business's requirements. In a Frame Relay network, a single Frame Relay port might carry several permanent virtual connections (PVCs), all of which must share the bandwidth provided by one carrier line.
Figure 2-1. MLPPP, a Link Aggregation Protocol (frames are split into fragments and carried across several E1 lines between the two routers)...
Configuring MLPPP
Although using MLPPP to increase a connection's bandwidth does not require deep technical expertise, you should understand:
• how a PPP session is established
• how MLPPP regulates the fragmentation and reconstruction of normal PPP frames
Such an understanding will help you troubleshoot MLPPP connections and regulate data flow.
Network Layer protocol—Peers exchange Network Control Protocol (NCP) frames to negotiate which Network Layer (Layer 3) protocol the PPP frames will encapsulate. NCP frames serve two functions: they specify which Network Layer protocol will be used, and they negotiate options for that protocol.
Endpoint Discriminator (ED) options—Peers negotiate how the receiving peer will identify the sending peer. One of these methods is an ED, which can be generated from an IP address, media access control (MAC) address, or PPP magic number. Every carrier line in the MLPPP bundle originates from the same endpoint and is given the same ED.
Binding Multiple Carrier Lines to a PPP Interface
On the ProCurve Secure Router, links are always defined by the Data Link Layer (for example, a PPP interface), rather than by the Physical Layer. You bind a physical interface to a logical interface to grant the Data Link Layer protocol access to the physical media over which to transmit data.
Configuring MLFR
Like MLPPP, MLFR aggregates several physical connections into a single logical connection. MLFR helps provide greater access rates for PVCs, particularly in environments in which the greater bandwidth of an E3- or T3-carrier line is not available.
In essence, FRF.16 simply increases the committed information rate (CIR) you can negotiate for a Frame Relay port in a T1 or E1 environment.
Figure 2-3. (figure: an MLFR bundle from Router A across the Frame Relay network to Router B and Router C; PVCs DLCI 101 and DLCI 102)
Binding Multiple Carrier Lines to a Frame Relay Interface
On the ProCurve Secure Router, links are always defined by the Data Link Layer rather than the Physical Layer. You bind a physical interface to a logical interface to grant the Data Link Layer protocol access to the physical media over which to transmit data.
Note: You bind the physical interfaces to the Frame Relay interface, not the Frame Relay subinterface. This is because Frame Relay subinterfaces define PVCs, which are virtual connections, while the Frame Relay interface defines the physical connection available to all the virtual ones.
Troubleshooting Multilinks
Troubleshooting multilinks is similar to troubleshooting a link carried on a single carrier line. You can review this process in "Standard Procedure" on page 2-12. (For more troubleshooting tips, see the Basic Management and Configuration Guide, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces.) "Troubleshooting MLPPP"...
PPP. Common PPP problems include:
• mismatched DS0 or E0 channels
• incorrect authentication information
• incompatible network-level protocols
Use the debug commands shown in Table 2-1 to determine where the PPP session establishment ends. A good strategy can be to first view only the errors and then pinpoint the problem from there.
ProCurve# show frame-relay lmi
LMI statistics for interface FR 1
LMI TYPE = ANSI
Num Status Enq. Sent 24    Num Status Msgs Rcvd 7
Num Update Status Rcvd 1   Num Status Timeouts 3
(In the figure, Num Status Enq. Sent is annotated as the number of polls sent and Num Status Msgs Rcvd as the number of polls received.) Status timeouts mean the provider's switch did not answer a poll; a rising count, as here, usually points to an LMI type mismatch with the provider or a physical-layer problem.
View the Frame Relay interface and verify that its signaling type matches that of your service provider. You can enter show interface fr <subinterface number> to view a subinterface (the PVC endpoint) and check DLCIs and the PVC state.
Quick Start
This section provides the commands you must enter to quickly configure:
• Multilink PPP (MLPPP)
• Multilink Frame Relay (MLFR)
Only a minimal explanation is provided. If you need additional information about any of these options, check "Contents" on page 2-1 to locate the section that contains the explanation you need.
MLPPP Configuration
Before you begin completing these instructions, you should connect the physical interfaces to the appropriate public carrier equipment. You should also have a non-multilink PPP connection up and running.
Move to the global configuration mode context and configure the physical interface(s) for the new carrier line(s):
Move to the interface configuration mode context:
Syntax: interface [e1 | t1] <slot>/<port>...
If you do not already have a PPP connection running, you must also:
Assign the PPP interface an IP address:
Syntax: ip address [<A.B.C.D> <subnet mask | /prefix length> | negotiated]
For example, you might enter:
ProCurve(config-ppp 1)# ip address 10.1.1.1 /30
You can also have the interface take its address from the far end of the link (negotiated).
Enabling multilink unbinds physical lines from the interface. As well as binding each new physical interface to the Frame Relay interface, you must rebind the original line:
Syntax: bind <bind number> [e1 | t1] <slot>/<port> <tdm group number> frame-relay <interface number>...
Configuring Backup WAN Connections
Contents
Backing Up Primary WAN Connections ......3-5
Analog Backup Connections ........3-5
ISDN-Backup Connections .
Configure the connect-sequence interface-recovery Option ..........3-31
Understanding How the connect-sequence Commands Work .
Configuring a Logical Interface for a Persistent Backup Connection ..........3-56
Creating a Backup PPP Interface .
Viewing Information about Persistent Backup Connections and Troubleshooting Problems ........3-86
Viewing Backup Settings .
Configuring Backup WAN Connections
Backing Up Primary WAN Connections
To ensure that users can always exchange data between two offices, you may want to lease a dial-up WAN connection—such as an Integrated Services Digital Network (ISDN) or telephone line—which can be used as a redundant line in case a primary WAN connection fails.
Analog modems provide comparatively little bandwidth. (The ProCurve Secure Router analog module provides between 300 bps and 33.6 kbps.) When analog modems are incorporated into WAN routers, they are designed only to provide redundancy for other WAN lines, not to furnish a long-term WAN connection.
BRI ISDN
BRI ISDN operates over the twisted-pair cabling that is used for ordinary telephones. All of the telecommunications infrastructure that is used to connect your LAN to the CO is collectively called the local loop. The local loop is divided into two sections by a line of demarcation (demarc), which separates your company's wiring and equipment from the public carrier's wiring and equipment.
Wire span—Because public carrier networks were originally designed to carry analog voice calls, copper wire is the most common physical transmission medium used on the local loop. Although copper wire has a limited signal-carrying capacity, ISDN is designed to maximize its capability.
ISDN Interfaces. The ISDN standard defines four interfaces, or points, at which equipment can be added to the ISDN network:
• U interface (between the NT1 and the NIU)
• T interface (between the NT2 and the NT1)
• S interface (between the TE1 and the NT2)
• R interface (between the TE2 and the TA)
In Europe, Asia, and all other locations outside of North America, PTTs supply...
As Figure 3-2 shows, the backup module is installed over the data link module.
Figure 3-2. Installing a Backup Module
After the backup module is installed, it can back up any interface on the router, not only those interfaces installed in the same slot.
Determining a Backup Method
In addition to these three options, the ISDN BRI S/T backup supports:
Euro-ISDN—Also called Normes Européennes de Télécommunication 3 (NET3), Euro-ISDN was defined in the late 1980s by the European Commission so that equipment manufactured in one country could be used throughout Europe.
You can configure a persistent backup connection, which is initiated immediately if a backup condition occurs on the primary connection and stays up until the primary connection is available again. Before you configure a backup connection, you should evaluate your network environment and then determine which option best meets your company's particular needs.
(Figure: the Main Router, behind a core switch, reaches the Branch Router at Branch Office B over Frame Relay over E1; edge switches at Branch Office B serve the 192.168.3.0 and 192.168.4.0 subnets.)
The backup ISDN connection to Branch Office B is triggered only when the primary interface on the Main Router goes down and traffic with destination address 192.168.3.0 /24 or 192.168.4.0 /24 is forwarded to demand...
If you use the backup ISDN modules, you cannot use MLPPP to aggregate channels. The ISDN backup modules support bonding, rather than channel aggregation. You can bond channels on an ISDN backup module only if:
• you configure a persistent backup connection
• the router connects to another ProCurve Secure Router
If both of these conditions are met, you can use bonding to increase bandwidth...
Table 3-1. Differences Between Demand Routing and Persistent Backup Connections
Option: supported hardware
• Demand Routing: analog and BRI backup modules, which can be installed on top of any narrow module; ...
• Persistent Backup Connection: analog and backup modules, which can be installed on top of any narrow module; ...
Figure 3-4 shows how a backup connection is established if demand routing is configured. Figure 3-5 shows how a persistent backup connection is established.
Figure 3-4. (figure: Main Router, 10.1.1.0, and Office Router, 10.4.4.0, joined by Frame Relay over E1; the dial-up connection is triggered by interesting traffic)...
Figure 3-5. (figure: Main Router, 10.1.1.0, and Office Router, 10.4.4.0, joined by Frame Relay over E1. When the primary connection fails, the backup connection is triggered immediately and traffic from the 10.2.2.0 LAN, for example from 10.2.2.5 to 10.4.4.23, is routed over the dial-up line; when the primary connection is available again, traffic is routed over Frame Relay.)...
Configuring Backup WAN Connections
Configuring Demand Routing for Backup Connections
To configure demand routing for backup connections, you must complete the following steps:
Create an extended access control list (ACL) to define the traffic that will trigger the dial-up connection when the primary interface is unavailable.
Specifying a Protocol
When you create a permit or deny statement for an extended ACL, you must always specify a protocol. Valid protocols include: ICMP
You can also specify a number between 0 and 255 for the protocol. For demand routing, you may want to create an ACL that selects all the traffic to a particular subnet.
When you enter wildcard bits, you use a zero to indicate that the Secure Router OS must match the corresponding bit in the IP address. You use a one to indicate that the Secure Router OS can ignore the corresponding bit in the IP address. The wildcard is therefore the inverse of a subnet mask: 192.168.3.0 0.0.0.255 selects every address in 192.168.3.0/24, and host 192.168.3.7 is equivalent to 192.168.3.7 0.0.0.0.
...example, you assign the demand interface an IP address. From this interface, you apply the ACL that defines the interesting traffic that triggers the dial-up WAN connection.
The demand interface is different from other logical interfaces, however. For one thing, the demand interface is not bound to a specific physical interface or interfaces.
Creating the Demand Interface
To create a demand interface and access the demand interface configuration mode context, enter this global configuration mode command:
Syntax: interface demand <number>
Replace <number> with a number between 1 and 1024. Each demand interface must have a unique number.
Configure the Demand Interface as an Unnumbered Interface.
To conserve IP addresses on your network, you may want to create the demand interface as an unnumbered interface. The demand interface will then use the IP address of another interface.
Matching the Interesting Traffic
To finish defining the interesting traffic that will trigger a dial-up connection, you must associate the ACL you created with the demand interface. From the demand interface configuration mode context, enter:
Syntax: match-interesting [list | reverse list] <listname>...
When you view the demand interface in the running-config, you will see two commands, even though you entered only one. (See Figure 3-7.)
interface demand 1
match-interesting list Backup out
match-interesting reverse list Backup in
Figure 3-7.
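The following Python is an added example, not code from the ProCurve guide or from the Secure Router OS. It models the two rules above that are easiest to get wrong: wildcard bits (a zero bit must match, a one bit is ignored, and the bits need not form a contiguous mask), and the fact that a single match-interesting command is applied twice, as written to outbound packets and with source and destination swapped to inbound packets. The Entry and Packet layouts, the ACL named Backup and all addresses are this example's own constructed data; the router's ACL syntax is only paraphrased in the comments.

```python
"""Extended-ACL matching for demand-routing 'interesting traffic'.

Added example, not from the ProCurve guide. Semantics modelled:
  - wildcard bits: 0 = address bit must match, 1 = address bit is ignored
  - first matching entry wins; no match means deny (implicit deny)
  - 'match-interesting list <name>' is applied 'out' as written and
    'reverse list <name>' is applied 'in' with src/dst swapped
Entry/Packet layouts and the sample ACL are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_prefix(prefix_len):
    """Wildcard bits are the inverse of the subnet mask: /24 -> 0.0.0.255."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def addr_matches(addr, spec):
    """spec is "any" or (network, wildcard); 'host A.B.C.D' is (A.B.C.D, "0.0.0.0")."""
    if spec == "any":
        return True
    network, wildcard = spec
    care = to_int(wildcard) ^ 0xFFFFFFFF   # zero wildcard bits: these must match
    return (to_int(addr) & care) == (to_int(network) & care)


@dataclass(frozen=True)
class Entry:
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches everything; otherwise "tcp", "udp", "icmp" or a number
    src: object        # "any" or (network, wildcard)
    dst: object


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str


def proto_matches(entry_proto, pkt_proto):
    return entry_proto == "ip" or str(entry_proto).lower() == str(pkt_proto).lower()


def evaluate(acl, pkt, reverse=False):
    """Return True if the packet is permitted by the ACL.

    reverse=True evaluates the list the way 'match-interesting reverse list
    ... in' does: the packet's source is tested against each entry's
    destination and vice versa, so replies to the outbound definition also
    count as interesting.
    """
    src, dst = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
    for e in acl:
        if (proto_matches(e.protocol, pkt.protocol)
                and addr_matches(src, e.src) and addr_matches(dst, e.dst)):
            return e.action == "permit"
    return False            # implicit deny at the end of every ACL


def is_interesting(acl, pkt, direction):
    """direction 'out': list as written; 'in': the derived reverse list."""
    return evaluate(acl, pkt, reverse=(direction == "in"))


# Constructed sample, the paraphrase of:
#   ip access-list extended Backup
#     permit ip any 192.168.3.0 0.0.0.255
#     permit ip any 192.168.4.0 0.0.0.255
BACKUP = [
    Entry("permit", "ip", "any", ("192.168.3.0", wildcard_from_prefix(24))),
    Entry("permit", "ip", "any", ("192.168.4.0", wildcard_from_prefix(24))),
]

if __name__ == "__main__":
    for pkt, direction in [(Packet("tcp", "10.1.1.5", "192.168.3.7"), "out"),
                           (Packet("tcp", "192.168.3.7", "10.1.1.5"), "in"),
                           (Packet("tcp", "192.168.3.7", "10.1.1.5"), "out")]:
        print(direction, pkt, "interesting" if is_interesting(BACKUP, pkt, direction) else "not interesting")
```

Note that the reverse list is what lets a reply from the branch subnet keep the link up; a packet from 192.168.3.7 tested against the list as written would not match, because the entries only name the branch subnet as a destination. A deny entry placed before the permits (for example, to keep ICMP from triggering the dial-up) also narrows the reverse list in the same way.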
...ACP to control access to an already-active backup connection. However, the connection will only be triggered by traffic that matches the ACL that you specify in the match-interesting list command. Because you can configure one ACL to trigger the dial-up connection and another ACL to control access to the dial-up connection, you can allow certain types of traffic to use a connection only when it is already established.
Specifying the connect-mode Option
You can control whether the demand interface can be used to originate a call, answer a call, or both. From the demand interface configuration mode context, enter:
Syntax: connect-mode [originate | answer | either]
Table 3-3 shows each option and when you would use it. If you allow the interface to answer calls (answer or either), also configure a caller-number and PPP authentication, both described later in this section, so that an unknown caller cannot bring up the backup link.
Associating a Resource Pool with the Demand Interface
Rather than using a bind command to create a persistent, one-to-one connection between the demand interface and a physical interface, you use the resource pool command to link the demand interface to one or multiple dial-up interfaces.
Replace <string> with the telephone number that the demand interface should dial to make the connection. Replace <resource-type> with one of the options listed in Table 3-4. The option you enter will limit this connection to a particular type of dial-up connection.
Specify the Order in Which Connect Sequences Are Used
If you configure more than one connect sequence, you can configure the order in which each one is used. From the demand interface configuration mode context, enter:
Syntax: connect-order [sequential | last-successful | round-robin]
Table 3-5 lists each option with a brief description.
Replace <value> with the number of times the ProCurve Secure Router will cycle through the connect sequences specified for a demand interface. You can specify a number between 0 and 65535. The default setting is 1. Specifying 0 places no limit on the number of attempts.
If the router reaches the maximum number of connect sequence attempts, the ProCurve Secure Router will, by default, change the status of the demand interface to "DOWN (recovery active)." The router will remove the IP address from the demand interface and any associated routes from the routing table.
Understanding How the connect-sequence Commands Work
Because you can configure a number of settings for connect sequences, it is important to understand how these settings interrelate. For example, consider the configuration shown in Figure 3-8.
interface demand 1
connect-order sequential
connect-sequence attempts 3...
In 60 seconds, the ProCurve Secure Router will try to process the connect sequences again (although the demand interface will remain down in recovery active mode). If that attempt is unsuccessful, the ProCurve Secure Router will try again in 60 seconds.
Processing connect-sequences
1. Check connect-order.
2. Process a connect-sequence, based on connect-order.
connect-order sequential
connect-sequence 10 dial-string 5551212 forced-ISDN-64k busyout-threshold 3
connect-sequence 20 dial-string 5552222 forced-analog busyout-threshold 1
3. Check connect-mode. Can the ...
4. ...
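The following Python simulation is an added example, not code from the ProCurve guide or from the Secure Router OS. It exercises the interplay described above: connect-order chooses which sequence is dialed first, connect-sequence attempts bounds how many times the router cycles through all sequences (0 meaning no limit), and when that bound is reached the interface goes "DOWN (recovery active)" and the sequences are processed again after a recovery interval (60 seconds in the example above). Because Table 3-5 is not reproduced here, the reading of the three connect-order keywords is an assumption recorded in the docstring; busyout-threshold is not modelled; the dialer callable stands in for the carrier; and the two connect sequences are the ones from Figure 3-8.

```python
"""Demand-interface connect-sequence processing, simulated.

Added example, not from the ProCurve guide. Assumptions (Table 3-5 is not
reproduced above): 'sequential' always starts at the lowest-numbered
sequence; 'last-successful' starts with the sequence that connected last
time; 'round-robin' starts with the sequence after the one used last.
Each recovery retry processes the sequences once. busyout-threshold is
ignored. The dialer is any callable taking a ConnectSequence and
returning True when the call completes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConnectSequence:
    number: int
    dial_string: str
    resource_type: str          # e.g. "forced-isdn-64k" or "forced-analog"


@dataclass
class DemandInterface:
    sequences: list                      # ConnectSequence objects as configured
    connect_order: str = "sequential"    # sequential | last-successful | round-robin
    attempts: int = 1                    # connect-sequence attempts; 0 = unlimited
    recovery_interval: int = 60          # seconds between retries in recovery (assumed)
    state: str = "DOWN"
    last_used: int = None                # number of the sequence dialed most recently
    last_successful: int = None
    dial_log: list = field(default_factory=list)   # dial strings in the order tried

    def _ordered(self):
        """Sequences in the order one cycle will try them, per connect-order."""
        seqs = sorted(self.sequences, key=lambda s: s.number)
        numbers = [s.number for s in seqs]
        start = 0
        if self.connect_order == "last-successful" and self.last_successful in numbers:
            start = numbers.index(self.last_successful)
        elif self.connect_order == "round-robin" and self.last_used in numbers:
            start = (numbers.index(self.last_used) + 1) % len(seqs)
        return seqs[start:] + seqs[:start]

    def _one_cycle(self, dialer):
        """Dial each sequence once; stop at the first completed call."""
        for seq in self._ordered():
            self.last_used = seq.number
            self.dial_log.append(seq.dial_string)
            if dialer(seq):
                self.last_successful = seq.number
                self.state = "UP"
                return seq.number
        return None

    def bring_up(self, dialer):
        """Run up to `attempts` cycles (forever if attempts == 0).

        Returns the sequence number that connected, or None after the
        interface enters recovery, at which point the router also withdraws
        the interface address and its routes.
        """
        cycles = 0
        while self.attempts == 0 or cycles < self.attempts:
            cycles += 1
            if (n := self._one_cycle(dialer)) is not None:
                return n
        self.state = "DOWN (recovery active)"
        return None

    def recover(self, dialer, max_wait):
        """While recovery is active, retry every recovery_interval seconds
        until a call completes or max_wait seconds elapse. Returns the
        simulated seconds spent; state tells whether the retry succeeded."""
        elapsed = 0
        while (self.state == "DOWN (recovery active)"
               and elapsed + self.recovery_interval <= max_wait):
            elapsed += self.recovery_interval
            self._one_cycle(dialer)
        return elapsed


def sample_interface():
    """The constructed configuration from Figure 3-8 (busyout-threshold omitted)."""
    return DemandInterface(
        sequences=[ConnectSequence(10, "5551212", "forced-isdn-64k"),
                   ConnectSequence(20, "5552222", "forced-analog")],
        connect_order="sequential", attempts=3)


def isdn_busy_dialer(seq):
    """Constructed carrier behaviour: the ISDN number never answers, the analog one does."""
    return seq.resource_type == "forced-analog"


if __name__ == "__main__":
    d = sample_interface()
    print("connected via", d.bring_up(isdn_busy_dialer), "after dialing", d.dial_log)
    d = sample_interface()
    print("all calls fail ->", d.bring_up(lambda s: False), d.state, "after", len(d.dial_log), "dials")
    print("recovery took", d.recover(isdn_busy_dialer, max_wait=180), "s ->", d.state)
```

With attempts set to 3 and two sequences, an outage of both numbers costs six dial attempts before the interface gives up, and the address and routes disappear from the routing table until a recovery retry succeeds; attempts 0 keeps dialing indefinitely, which is the cost-versus-availability decision the idle-timeout and attempts settings exist to make explicit.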
Configuring the idle-timeout Option
You can configure the amount of time that the demand interface remains up in the absence of interesting traffic. The idle timer helps to keep the backup connection cost-effective: backup is only active when it is truly necessary.
Defining the caller-number
When an ISDN or analog call is established, the calling party supplies a Calling Line ID (CLID). If you configure a caller-number, the backup interface will check the CLID when it receives calls. If the CLID matches the caller-number you specified, the interface will answer the call. The CLID is asserted by the calling party's network and is not verified by the router, so treat caller-number as a filter on which calls are answered, not as authentication; the PPP authentication configured for the demand interfaces is what identifies the peer.
Replace <packets> with a number between 0 and 200. Replace <seconds> with a number between 0 and 255. By default, the ProCurve Secure Router holds 200 packets for 3 seconds. If the number of packets received before the connection is established exceeds 200 packets or if the connection is not established within 3 seconds, the ProCurve Secure Router empties the hold queue.
Accessing the BRI or Modem Interface
To access the configuration mode context for the BRI or modem interface, enter:
Syntax: interface <interface> <slot>/<port>
Replace <interface> with bri or modem. On the ProCurve Secure Router, the interface for each physical port is identified by its slot number and port number.
If you are configuring an ISDN line in North America, you may also need to define a SPID. As described in the next section, you can set the SPID at the same time that you set the LDN.
For example, you might enter:
ProCurve(config)# modem countrycode Germany
Enter modem countrycode ? for a complete list of keywords for countries. The default setting is USA and Canada.
Assigning BRI or Modem Interface to the Resource Pool
To assign backup interfaces to the resource pool, enter the following command from the BRI or modem interface configuration mode context:
Syntax: resource pool-member <pool name>...
Caller ID Options for ISDN BRI Backup Modules (Optional)
The ProCurve Secure Router accepts ISDN calls based on whether the incoming call's caller ID matches a list of acceptable caller IDs. You can override an incoming call's caller ID using the caller-id override option.
ProCurve# show ip route
10.2.2.0/30 is directly connected, ppp 1
10.3.3.0/30 is directly connected, demand 1
10.10.10.0/30 is directly connected, ppp 2
192.168.20.0/24 is directly connected, eth 0/1
192.168.30.0/24 [1/0] via 10.2.2.2, ppp 1     (IP route through the primary interface)
...
Enabling PPP Authentication for All Demand Interfaces
You must configure the PPP authentication protocol that the router uses for inbound calls. To configure the authentication protocol that the demand interfaces expect to receive for inbound calls, enter the following command from the global configuration mode context:
Syntax: data-call authentication protocol [chap | pap]
Include either the chap option or the pap option, depending on which PPP...
When you replace <password>, ensure that you are using the same settings that are configured on the far-end router. The username that is sent is the hostname of the router.
Configuring the Username and Password That the Router Expects to Receive
You must also configure the username and password that the ProCurve Secure...
Example running-config excerpt (the data-call commands enable PAP authentication):
data-call authentication protocol pap
data-call sent authentication protocol pap
interface bri 2/1
  isdn ldn1 968483940096
  resource pool-member Pool
  no shutdown
interface bri 2/2
  isdn ldn1 978484540055
  resource pool-member Pool
  no shutdown
interface demand 1
...
Setting the MTU for Demand Interfaces
When establishing a link, PPP peers must agree on how much data can be contained in the information field of PPP frames. The value that communicates this frame size is called the maximum receive unit (MRU).
Configuring Backup WAN Connections Configuring a Persistent Backup Connection
Configuring a Persistent Backup Connection
If your company needs a constant WAN connection between two offices, you should configure a persistent backup connection. Then, if the primary connection fails, the persistent backup connection will be established immediately, and it will remain up until the primary WAN connection is available again.
Setting the ISDN Signaling (Switch) Type. The BRI interface must implement the same type of ISDN signaling that your public carrier uses. (See "Electrical Specifications for BRI ISDN" on page 3-9 to learn more about the standards supported by the ProCurve Secure Router.) The signaling type does not necessarily have to be that of the CO switch's manufacturer.
For example, you might enter:
ProCurve(config-bri 1/2)# isdn ldn1 5555551111
You can also set a secondary LDN using the isdn ldn2 command:
ProCurve(config-bri 1/1)# isdn ldn2 5555552222
If you are configuring an ISDN line in North America, you may also need to define a SPID.
Example show interfaces bri output (figure; callouts in parentheses):
bri 1/3 is UP                                   (Interface activated but not currently providing connection)
Line status: ready
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: AT&T 5ESS
SPID 1 25655522220101, LDN 1 5552222            (Number at which the local router can be ...)
SPID 2 n/a, LDN 2 n/a
...
The txadd-timer command specifies the length of time the router will wait for additional calls to be connected before deciding that the bonding call has failed. When dialing overseas, you should enter a value above 60 seconds to allow for slower call routing.
Optionally, you can:
- replace incoming caller ID with a set number
- use the modem for console dial-in
Setting the Country. Depending on where the router is located, the analog backup module may need to use different signals to connect to the PSTN or PTT.
Using the Modem for Console Dial-In
You can connect to the analog module on the ProCurve Secure Router and initiate a console session with it.
Caution: If you enable dial-in console sessions, you cannot use the module for backup.
Configuring a Logical Interface for a Persistent Backup Connection
Although a backup connection provides redundancy for a primary WAN connection such as a Frame Relay connection or an ISP connection, it does not duplicate the primary WAN connection.
A backup interface is simply a supplemental PPP interface that you create and configure as you would any PPP interface. You must configure an IP address for the backup PPP interface. For best security practices, ProCurve Networking also recommends that you configure PPP authentication.
Setting an IP Address
The backup interface's IP address must be on a different network than that of the primary connection. (The router does not allow more than one interface to be on the same network.) To configure the IP address, enter this command from the backup PPP interface configuration mode context:
Syntax: ip address <A.B.C.D>...
To require CHAP authentication from the peer:
1. Move to the configuration mode for the backup PPP interface.
2. Enable CHAP authentication:
   ProCurve(config-ppp 2)# ppp authentication chap
3. Add the peer router's hostname and password to the PPP database:
   ProCurve(config-ppp 2)# username LondonRouter password procurve
Providing Authentication to the Peer.
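The following is an added example, not code from the guide or from Secure Router OS. It models one inbound backup call end to end: first the caller-number (CLID) screening described for demand interfaces, then the CHAP exchange that the ppp authentication chap and username/password commands above configure, with both sides' computations shown. The CHAP digest is RFC 1994 MD5-CHAP (Response = MD5(Identifier || secret || Challenge)); the peer hostname LondonRouter and password procurve come from the example above, while the CLID values, the 16-byte challenge length and the accept/ignore result strings are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def clid_permits_answer(clid: str, caller_numbers: Tuple[str, ...]) -> bool:
    """caller-number check: answer only if the presented CLID was configured.
    The CLID is supplied by the calling party's network, so this is call
    screening, not authentication; CHAP below is what identifies the peer."""
    return clid in caller_numbers


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response Value = MD5(Identifier || secret || Challenge Value).
    The secret itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """The local router's PPP database: one 'username <hostname> password <pw>'
    entry per peer it requires to authenticate."""

    def __init__(self, peers: Dict[str, str]) -> None:
        self._peers = dict(peers)

    def challenge(self) -> bytes:
        # A fresh random challenge per attempt; reusing one would allow replay.
        return os.urandom(16)

    def verify(self, ident: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self._peers.get(name)
        if secret is None:
            return False              # unknown hostname: CHAP Failure
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


def accept_backup_call(clid: str, authenticator: ChapAuthenticator, caller_numbers: Tuple[str, ...],
                       peer_hostname: str, peer_secret: str, ident: int = 1,
                       challenge: Optional[bytes] = None) -> str:
    """Model one inbound call: CLID screening, then the CHAP exchange over PPP."""
    if not clid_permits_answer(clid, caller_numbers):
        return "ignored: CLID not in caller-number list"
    challenge = challenge if challenge is not None else authenticator.challenge()
    # Peer side: it answers with its own hostname and whatever secret *it* has configured.
    response = chap_response(ident, peer_secret, challenge)
    if authenticator.verify(ident, challenge, peer_hostname, response):
        return "up: CHAP success"
    return "down: CHAP failure"


if __name__ == "__main__":
    auth = ChapAuthenticator({"LondonRouter": "procurve"})   # username LondonRouter password procurve
    print(accept_backup_call("5552222", auth, ("5552222",), "LondonRouter", "procurve"))
    print(accept_backup_call("5552222", auth, ("5552222",), "LondonRouter", "wrong-password"))
    print(accept_backup_call("5559999", auth, ("5552222",), "LondonRouter", "procurve"))
```

The second call shows why the secrets must match on both ends: a peer with the right hostname and a correct CLID still fails if its configured password differs, which is the usual cause of "call connects but the link never comes up".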
Configuring Persistent Backup Settings for a Primary Connection
Even though you install a backup module in a specific module slot, the corresponding backup line can provide redundancy for any of the WAN connections on the router.
Note: You configure separate backup connections for every PVC in a Frame Relay network or ATM connection. Therefore, you enter the backup commands from the Frame Relay or ATM subinterface. The analog or ISDN line can only provide active backup for one PVC at a time.
Figure (backup dial list call flow): after a line failure, Router A (call mode originate) dials the numbers in its backup dial list in order (555-1111, which references PPP 2, then 555-2222, which references PPP 4). When B does not answer the first number, A calls the next one; Router B (call mode answer-always) answers, and A negotiates the connection with B using PPP 4.
If the call fails to connect, the Secure Router OS checks the backup dial list in the primary interface for a second number, which references a different backup PPP interface. If there is a second number, the Secure Router OS attempts to connect to it.
Table 3-9. Backup Call Modes
Command Syntax | Description
backup call-mode answer | If the primary connection fails, the backup interface will answer backup calls but not place them.
backup call-mode answer-always | The backup interface will always answer backup calls, even when the primary connection is up.
...
For digital modules, you must also specify whether the ISDN line will use a single channel (56 or 64 Kbps) or a bonded channel (112 or 128 Kbps). You do so by entering the minimum and maximum DS0 or E0 channels.
Note: Bonding calls is a proprietary feature.
You do not actually activate the backup connection by specifying times when a backup connection can be established. Rather, you enable the router to establish a backup connection if the primary connection fails during those times.
Caution: Make sure that your router is set with the correct time and date. From the enable mode context, enter:
ProCurve# show clock
If you need to configure the router to receive time from an SNTP server, enter the following command from the global configuration mode context:
Syntax: sntp server [<hostname>|<A.B.C.D>] [version <1-3>]
If you want to manually set the clock, enter the following command from the...
Table 3-10. Backup Timers
Command Syntax | Function | Default | Range
backup auto-backup | no backup auto-backup | automatic backup initiation after a connection fails | (none) | (none)
backup backup-delay <seconds> | time between line failure and placing a backup call | 10 seconds | 10-86,400 seconds
...
You can specify the local backup interface as the forwarding interface to ensure that the route will be accurate even if the peer changes its backup IP address. If you do enter a next hop address, remember that this address should be that of the peer's backup interface, which like the local backup interface, is on a different network from the primary connection.
Note: If your router uses routing protocols to learn routes to the remote destination, you must enter an administrative distance for the floating static route that is higher than the administrative distance for the routing protocol. For example, the administrative distance for OSPF routes is 110, so you could enter this command:
ProCurve(config)# ip route 192.168.64.0 /18 ppp 2 120
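The following is an added example, not code from the guide or from Secure Router OS, that shows why the floating static route needs an administrative distance above 110. It models a routing table that prefers the longest prefix and then the lowest administrative distance, with a route usable only while its forwarding interface is up; the OSPF route over ppp 1 and the static route ip route 192.168.64.0 /18 ppp 2 120 from the note above are the two candidates. The next-hop 10.2.2.2 is taken from the show ip route output earlier in the chapter; the interface names, the destination 192.168.100.5 and the default-distance table are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances assumed for this model; the text confirms 110 for OSPF
# and that a static route with its default distance would be preferred over a routing protocol.
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str               # forwarding interface, e.g. "ppp 1"
    source: str                  # "static", "ospf", ...
    distance: int                # administrative distance; lower is preferred
    next_hop: Optional[str] = None


class Rib:
    """Minimal routing table: longest prefix first, then lowest administrative distance.
    A route is usable only while its forwarding interface is up, which is what makes the
    dynamically learned route vanish when the primary link fails."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.interface_up: Dict[str, bool] = {}

    def set_interface(self, name: str, up: bool) -> None:
        self.interface_up[name] = up

    def add_static(self, prefix: str, interface: str,
                   distance: int = DEFAULT_DISTANCE["static"], next_hop: Optional[str] = None) -> None:
        # Equivalent of: ip route <prefix> <interface> [<distance>]
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, "static", distance, next_hop))

    def add_dynamic(self, prefix: str, interface: str, source: str, next_hop: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), interface, source,
                                 DEFAULT_DISTANCE[source], next_hop))

    def lookup(self, destination: str) -> Optional[Route]:
        addr = ipaddress.ip_address(destination)
        usable = [r for r in self.routes
                  if addr in r.prefix and self.interface_up.get(r.interface, False)]
        if not usable:
            return None
        return min(usable, key=lambda r: (-r.prefix.prefixlen, r.distance))


def build_example_rib(static_distance: int = 120) -> Rib:
    """Primary: OSPF route over ppp 1 (distance 110). Backup: floating static over ppp 2.
    Constructed topology using the chapter's addresses."""
    rib = Rib()
    rib.set_interface("ppp 1", True)
    rib.set_interface("ppp 2", True)
    rib.add_dynamic("192.168.64.0/18", "ppp 1", "ospf", next_hop="10.2.2.2")
    rib.add_static("192.168.64.0/18", "ppp 2", distance=static_distance)  # ip route 192.168.64.0 /18 ppp 2 120
    return rib


def selected_interface(rib: Rib, destination: str) -> Optional[str]:
    """Interface the router would forward traffic for 'destination' through, or None."""
    route = rib.lookup(destination)
    return route.interface if route else None


if __name__ == "__main__":
    rib = build_example_rib()
    print("primary up:  ", selected_interface(rib, "192.168.100.5"))
    rib.set_interface("ppp 1", False)
    print("primary down:", selected_interface(rib, "192.168.100.5"))
    print("distance 1:  ", selected_interface(build_example_rib(1), "192.168.100.5"))
```

With the default static distance of 1, the last lookup picks ppp 2 even while ppp 1 is up: traffic would be steered onto the backup line permanently, which is the misconfiguration the note warns against.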
Configuring Backup WAN Connections Viewing Backup Configurations and Troubleshooting Backup Connections
Viewing Backup Configurations and Troubleshooting Backup Connections
The steps you take to view and troubleshoot backup connections vary, depending on whether you are using demand routing or persistent backup connections.
Table 3-11. Backup LEDs
Color | Meaning
(color not recovered) | The backup interface has not been activated.
(color not recovered) | The backup interface is down.
solid green | The backup interface is up and ready to provide a connection.
flashing green | The backup interface is active and providing the current connection.
The first line of the display reports the status of the interface and of the ISDN line. (See Figure 3-21.)
bri 1/2 is UP
Line status: connected
Caller ID will be used to route incoming calls
Caller ID normal
Switch protocol: Net3 Euro ISDN
SPID 1 n/a, LDN 1 9631111
...
Verify that the SPID(s) and/or LDN(s) are correct. If you are located in North America, double-check whether your public carrier has assigned you one or two SPIDs. When you use both B channels, public carriers that use National ISDN and Northern Telecom DMS-100 sometimes require you to configure a SPID for each channel.
Table 3-13. BRI Line Status
Status | Meaning | Next Best Step
layer 1 down | There is no activity on the ISDN line. | Check the physical hardware, including the cabling and wall jack.
getting TEI #1 | The switch cannot identify ... | ...
Viewing Information about Demand Routing and Troubleshooting Problems
You can use show commands to view different aspects of your demand routing configuration. For example, you can view the status of a demand interface and any dial-up connections that are established through a demand interface.
Figure 3-23 shows the results of this command if demand interface 1 is spoofing its up status and a dial-up connection has not been established. In addition to showing the status of the interface, this command displays settings for the following commands: connect-mode, resource pool, ...
Figure 3-24 provides the results of the show interfaces demand 1 command when an ISDN connection has been established:
Demand 1 is UP (connected)          (A dial-up connection has been established)
Configuration:
  Keep-alive is set (10 sec.)
  connect-mode, ...
Viewing Demand Sessions
You can view all of the dial-up connections currently established through demand routing. From the enable mode context, enter:
ProCurve# show demand sessions
The sessions are listed in the order in which they were established. (See Figure 3-25.) For each session, this command lists:
- demand interface through which the connection was established
- IP address of the demand interface and the far-end router
...
Show the Running-Config for the Demand Interface
To check your demand routing configuration, you must view the running-config file. From the enable mode context, enter:
ProCurve# show running-config
You must then scroll through the file to find the various commands you entered for demand routing.
... make a connection. (For more information about checking the BRI or modem interfaces, see "Viewing Information about BRI and Modem Interfaces and Troubleshooting Problems" on page 3-72.) Use the show interfaces demand command to view the status of the demand interface, which should be up (spoofing).
... the source address for the ping to a local network address). Before you send the sample traffic, enable debugging for demand routing. From the enable mode context, enter:
ProCurve# debug demand-routing
If you have configured your ACL correctly, debug messages for demand routing should appear immediately.
Command | Description
debug isdn resource-manager | displays resource manager errors and messages
debug isdn verbose | displays all errors and messages
Note: Debug functions are processor intensive. Some of the debug isdn commands display a high volume of messages, which are displayed too quickly to read.
Test Calls for ISDN Lines
You can also set up a test call to test the ISDN circuit. When you initiate a test call, you connect the two endpoints through an ISDN call without setting up a Data Link Layer connection; ...
To hang up a specific channel, enter the number of the B channel you want to disconnect. For example, if you wanted to hang up channel B2, you would enter:
ProCurve(config-bri 2/3)# test-call hangup channel 2
Test calls allow you to check the physical ISDN connection, end to end, ...
To verify this information, you can use the show commands in Table 3-17.
Table 3-17. Backup show Commands
View | Command Syntax
backup dial list | show backup interfaces
days and times backup is enabled | show backup interfaces
backup PPP interface IP address | ...
ProCurve# show backup interfaces
Dial-backup interfaces...
ppp 1 backup interface:                        (Backup state is active through BRI 1/3)
  Backup state: in dial backup using bri 1/3
  Backup protocol: BRI
  Call mode: answer
  Auto-backup: enabled
  Auto-restore: ...
Backup phone number list: this is the backup dial list, which includes:
- Number: the peer's phone number
- Call type: analog, digital 56K, or digital 64K
- Min/max DS0s: for ISDN lines only; the setting should read "1 2" for bonded lines
- ...
When the local router successfully connects to a peer, you should receive messages such as those shown in Figure 3-30.
ProCurve# debug backup
ProCurve# debug dialup-interfaces
DIALUP_INTERFACE.bri 1/3 Dialing 8882222
DIALUP_INTERFACE.bri 1/3 Connect (CONNECT 64000)
DIAL_BACKUP.bri 1/3 establishing ppp 1 backup to 8882222.
The router will not answer a call if the number is not in its dial backup list. The router will receive a message such as this:
DIAL_BACKUP.MGR: Ignoring incoming call on bri 1/3 from 0005552222 because no match was found for this call source.
If the call mode does not include originate, the router must wait to receive a call from the other end of the line. Either contact the remote site and have it initiate a connection or change the setting so the local router can place a call.
In a PPP connection, when one end loses the connection the other does as well. If both endpoints are allowed to place a backup call, the calls may collide. In this situation, you may want to configure one router to originate calls and the other to answer them.
The Call Connects But the Backup Connection Does Not Go Up.
Caution: These instructions explain how you can view PPP debug messages to determine why the Data Link Layer will not go up.
If the local router requires the remote router to authenticate itself, view the running-config for the backup PPP interface (show run int ppp <interface number>) and verify that the interface contains the correct username and password for the peer.
Configuring Backup WAN Connections Quick Start
However, by default, the number of times the router reattempts to connect a call is set to unlimited. The router will continue to try the first number rather than moving on to the second. Whenever you want the router to be able to contact more than one number for a backup connection, you should limit the number of times the router can attempt a call.
Configuring Demand Routing for Backup Connections
You may want to use Table 3-19 to record the information you will need to configure demand routing for a backup module.
Table 3-19. Settings for Configuring Demand Routing for a Backup Module
Required Configuration | Options | Your Setting
Define the traffic that should initiate the dial-up connection if the primary ... | Permit and deny statements in the ACL: [permit | deny] <protocol>... |
For ISDN connections, specify the LDN, the local telephone number for the ISDN line. | Obtained from service provider |
Create a floating static route to the far-end network. | Obtain the destination network ... |
Replace <protocol> with one of the following keywords: ..., icmp, ..., or a protocol number between 0 and 255. To specify the source and destination address, use the following:
Syntax: [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>]
For example, you might want to specify that the interesting traffic is the IP traffic from any source to network 192.168.115.0 /24.
Include the list option if you want the ProCurve Secure Router to use standard matching logic for the ACL. Include the reverse list option if you want the ProCurve Secure Router to use reverse matching logic when processing the ACL.
Replace <value> with the number of times between 1 and 65535 that the demand interface should attempt the call. (Enter 0 to have the demand interface make an unlimited number of attempts.)
Table 3-20. Defining a Resource Type for Connection Instructions
Option | Description
isdn-64k | ...
Table 3-21 lists the command syntax for each signaling type.
Table 3-21. ISDN Signaling Types
Signaling Type | Command Syntax
National ISDN-1 | isdn switch-type basic-ni
Euro ISDN | isdn switch-type basic-net3
Northern Telecom DMS-100 | isdn switch-type basic-dms
Lucent/ATT 5ESS | isdn switch-type basic-5ess
Set the LDN.
Replace <destination A.B.C.D> with the IP address for the far-end network. For example, the far-end network might be network 192.168.7.0 /24. Then, either specify the complete subnet mask (such as 255.255.255.0) or enter the prefix length. Specify the forwarding interface as demand <number>...
Table 3-22. Backup Settings
Required Configuration | Options | Your Setting
Access the configuration mode context for the backup interface. | <backup interface> = bri or modem; <slot> = 1 or 2; <port> = 2 or 3 |
For an analog interface, specify the country in which the router is located. | Enter modem countrycode ? for a ... |
Specify days that backup will not be provided. | sunday, monday, tuesday, wednesday, thursday, friday, saturday |
Specify time when backup support is turned off. | hh:mm:ss |
Create a backup PPP interface.
Syntax: interface ppp <backup interface number>
Assign the backup interface a static IP address on a different network than the primary interface.
Syntax: ip address <backup A.B.C.D> <subnet mask | /prefix length>
Activate the interface.
13. Disable backup for the days and times you do not want to provide backup.
Syntax: no backup schedule day <day>
Syntax: backup schedule disable-time <hh:mm:ss>
Syntax: backup schedule enable-time <hh:mm:ss>
Enter times in twenty-four hour clock format. For example:
ProCurve(config-fr 1.102)# no backup schedule saturday
ProCurve(config-fr 1.102)# backup schedule disable-time 18:00:00
ProCurve(config-fr 1.102)# backup schedule enable-time 8:00:00
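The following is an added example, not code from the guide or from Secure Router OS, that evaluates the schedule configured in step 13 (no backup on Saturday, backup support off from 18:00:00, on again at 8:00:00) against a given clock reading. It encodes the point made earlier in the chapter that the schedule only permits a backup call when the primary fails inside the window; it does not place one. The window semantics (allowed from enable-time up to but not including disable-time; a window whose disable time precedes its enable time wraps midnight) and the dates used are assumptions of this example. Because the decision depends entirely on the router's clock, a wrong date or time on the router silently shifts the window, which is why the text tells you to check show clock.

```python
from datetime import datetime, time
from typing import Iterable, Optional

# datetime.weekday(): Monday == 0
DAY_NAMES = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def parse_hhmmss(text: str) -> time:
    """Parse the hh:mm:ss form the backup schedule commands take (e.g. '8:00:00')."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return time(hours, minutes, seconds)


def backup_allowed(now: datetime, disabled_days: Iterable[str] = (),
                   enable_time: Optional[time] = None, disable_time: Optional[time] = None) -> bool:
    """True if the router may establish a backup call at 'now' under the schedule.

    disabled_days -> no backup schedule day <day>
    enable_time   -> backup schedule enable-time <hh:mm:ss>
    disable_time  -> backup schedule disable-time <hh:mm:ss>
    Assumed semantics: allowed from enable_time up to (not including) disable_time;
    a window whose disable time precedes its enable time wraps midnight.
    """
    if DAY_NAMES[now.weekday()] in {d.lower() for d in disabled_days}:
        return False
    if enable_time is None or disable_time is None:
        return True                                  # no time window configured
    t = now.time()
    if enable_time <= disable_time:
        return enable_time <= t < disable_time
    return t >= enable_time or t < disable_time      # window wraps midnight


def should_place_backup_call(primary_up: bool, now: datetime, **schedule) -> bool:
    """The schedule gates backup; it does not trigger it. A call is placed only when the
    primary has failed AND the schedule allows backup at that moment."""
    return (not primary_up) and backup_allowed(now, **schedule)


if __name__ == "__main__":
    # Constructed clock readings: 2006-11-06 is a Monday, 2006-11-04 a Saturday.
    sched = dict(disabled_days=("saturday",),
                 enable_time=parse_hhmmss("8:00:00"), disable_time=parse_hhmmss("18:00:00"))
    for when in (datetime(2006, 11, 6, 10, 0), datetime(2006, 11, 6, 18, 0), datetime(2006, 11, 4, 10, 0)):
        print(when.strftime("%a %H:%M"), "backup allowed:", backup_allowed(when, **sched))
```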
Activate the interface.
ProCurve(config-bri 1/3)# no shutdown
Create a backup PPP interface.
Syntax: interface ppp <backup interface number>
Assign the backup interface an IP address on a different network than the primary interface.
Syntax: ip address <backup A.B.C.D> <subnet mask | /prefix length>
Activate the interface.
13. Disable backup for the days and times you do not want to provide backup.
Syntax: no backup schedule day <day>
Syntax: backup schedule disable-time <hh:mm:ss>
Syntax: backup schedule enable-time <hh:mm:ss>
Enter times in 24-hour clock format. For example:
ProCurve(config-fr 1.102)# no backup schedule saturday
ProCurve(config-fr 1.102)# backup schedule disable-time 18:00:00
ProCurve(config-fr 1.102)# backup schedule enable-time 8:00:00
Activate the interface.
ProCurve(config-ppp 2)# no shutdown
Move to the logical interface for the primary connection.
Syntax: interface <interface ID>
For example:
ProCurve(config)# interface frame-relay 1.102
Add the remote site's telephone number to the backup call list.
Syntax: backup number <remote site's LDN>...
ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network Overview
Overview
The Internet offers many valuable resources, often free and open to all users. In addition, it allows businesses and consumers to reach each other more easily than ever before. A connection to the Internet is practically mandatory for most organizations.
A router firewall protects your network entry points, stopping threats before they get through the router. An integrated firewall is less expensive. A firewall integrated on a router allows an organization to enforce a standard security policy for all hosts.
Figure 4-1. Packet-Filtering Firewall (Packet 1, with a permitted source IP, is forwarded from the Internet through the router into the private network; Packet 2, with a denied source IP, is dropped.)
ACLs specify certain settings for packets' full association information. For example, the ACL can permit packets from a range of IP addresses destined to a specific IP address on a specific port.
Circuit-level Gateway
A circuit-level gateway acts at the OSI Session Layer (Layer 5) to monitor the establishment of sessions between trusted and untrusted devices. Some circuit-level gateways establish proxy sessions to untrusted hosts for their clients.
Figure 4-2. Circuit-Level Gateway Versus Secure Router OS Firewall (Circuit-level gateway: Router A terminates the session from the internal host 192.168.1.99 and opens a separate session to the Internet host 10.1.1.1. Secure Router OS firewall: a single session from 192.168.1.99 to 10.1.1.1, with the source IP NATed by the router.)
For information on how to configure NAT, see Chapter 6: Configuring Network Address Translation.
A stateful-inspection firewall, like that on the ProCurve Secure Router, can analyze Application Layer data without having to act as a proxy server. Instead, the firewall monitors sessions between hosts in the trusted and untrusted networks.
Firewall Feature | OSI Layer | Function | ProCurve Secure Router Configuration
application-level gateway | Application (7) | allows a specific application to work correctly in the presence of the firewall | enable ALGs ("Configuring ALGs" on page 4-18)
Attack Checking
This chapter focuses on configuring the Secure Router OS firewall to block attacks.
The firewall also checks for TCP SYN packets with ACK, URG, RST, or FIN flags and packets:
- with the broadcast address for the source address
- with an invalid TCP sequence number
- with an enabled source route option
You do not have to configure the firewall to screen these attacks; ...
Figure 4-3. Syn-flood Attack (The attacking system sends SYN packets whose source addresses 192.168.3.4 /32, 172.16.1.26 /32 and 10.0.3.28 /32 have no route back from the target host; each SYN/ACK the target sends goes nowhere, leaving half-open connections.)
The result of both attacks is extremely degraded performance or, worse, a system crash.
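The following is an added example, not code from the guide or from Secure Router OS, that implements the header checks listed above on raw IPv4/TCP packets: a SYN carrying ACK, URG, RST or FIN, a broadcast source address, and a source-route option. It parses the real IP and TCP header layouts with struct, walks the IP options field so a source-route option cannot hide behind NOP padding, and includes a packet builder so the constructed test packets run offline. Two points are assumptions of this example: the SYN-flag rule is applied only to packets that do not belong to an existing session (a legitimate SYN/ACK is the reply to a tracked SYN, which is how a stateful firewall distinguishes it), and "broadcast address" is taken as the limited broadcast 255.255.255.255. The sequence-number check from the list is not modelled because it needs per-session state.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # RFC 791 loose / strict source route option types
PROTO_TCP = 6
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_ipv4(pkt: bytes) -> Tuple[Dict[str, object], bytes]:
    """Return (header fields, payload); raise ValueError on a truncated or invalid header."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    vihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version/IHL")
    header = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
              "proto": proto, "options": pkt[20:ihl]}
    return header, pkt[ihl:]


def ip_option_types(options: bytes) -> List[int]:
    """Walk the (type, length) option list; EOOL and NOP are single-byte options."""
    types, i = [], 0
    while i < len(options):
        t = options[i]
        types.append(t)
        if t == 0:                       # End of Option List
            break
        if t == 1:                       # No Operation
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            raise ValueError("bad option length")
        i += options[i + 1]
    return types


def screen_tcp_packet(pkt: bytes, has_session: bool = False) -> Tuple[str, str]:
    """Apply the attack checks; return ('permit' | 'deny', reason)."""
    try:
        ip, payload = parse_ipv4(pkt)
    except ValueError as exc:
        return "deny", f"malformed IP header: {exc}"
    if ip["src"] == LIMITED_BROADCAST:
        return "deny", "broadcast source address"
    try:
        opts = ip_option_types(ip["options"])
    except ValueError as exc:
        return "deny", f"malformed IP options: {exc}"
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        return "deny", "source route option set"
    if ip["proto"] != PROTO_TCP:
        return "permit", "not TCP; no flag checks apply"
    if len(payload) < 20:
        return "deny", "short TCP header"
    _sport, _dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHLLBBHHH", payload[:20])
    # A new connection must open with a bare SYN; SYN/ACK is only valid as the reply
    # inside a session the firewall already tracks (assumed handling of the rule).
    if flags & TCP_SYN and not has_session and flags & (TCP_ACK | TCP_URG | TCP_RST | TCP_FIN):
        return "deny", "SYN with ACK/URG/RST/FIN on a new connection"
    return "permit", "passed attack checks"


def build_tcp_packet(src: str, dst: str, flags: int, options: bytes = b"") -> bytes:
    """Constructed test packet (checksums left zero; they are not part of these checks)."""
    options += b"\x00" * (-len(options) % 4)           # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + options + tcp


if __name__ == "__main__":
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("10.9.9.9").packed
    for label, pkt in [("bare SYN", build_tcp_packet("10.0.0.5", "192.168.1.10", TCP_SYN)),
                       ("SYN+FIN", build_tcp_packet("10.0.0.5", "192.168.1.10", TCP_SYN | TCP_FIN)),
                       ("bcast src", build_tcp_packet("255.255.255.255", "192.168.1.10", TCP_SYN)),
                       ("LSRR", build_tcp_packet("10.0.0.5", "192.168.1.10", TCP_SYN, lsrr))]:
        print(label, screen_tcp_packet(pkt))
```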
Reflexive Traffic
Reflexive traffic is traffic that is received on an interface and then forwarded out the same interface. For example, in a multi-netted environment, traffic will sometimes arrive on and leave by the same Ethernet interface. Figure 4-4 shows an example of such a network.
You can examine logs to look for information to help you in troubleshooting or to see what kind of attacks have been targeted at your system. (You can also view events as they occur on the terminal by activating the events command from the enable mode context.) Events include:
- blocked attacks
- policy matches (packets filtered by an ACL or ACP)
...
ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network Configuring Attack Checking
Configuring Attack Checking
To configure the Secure Router OS firewall to block attacks, you only have to:
- enable the firewall
You can also:
- enable and disable optional checks
- check reflexive traffic
- enable stealth mode
Enabling the Secure Router OS Firewall
...
Packet | Associated Attack
all ICMP packets except: echo, echo-reply, ttl expired, destination unreachable, quench | Twinge
falsified IP header (the length bit does not match ... | ...
The WinNuke attack affects Windows NT 3.51 and 4.0, Windows 95, and Windows 3.11. It does not usually cause permanent damage. However, it can cause open Windows applications to crash and hosts to lose connectivity; you should consider enabling this check when your network uses affected systems.
... does not process traffic that it immediately forwards through the interface on which the traffic was received. It assumes that the traffic is from a trusted source.
Figure (reflexive traffic): Router 1 and Router 2, each with Eth 0/1 ...
ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network Configuring ALGs
Configuring ALGs
ALGs monitor sessions on the OSI Application Layer. An ALG helps a firewall read packets and filter them for the particular commands or information relating to the ALG's application. Each application has a distinct ALG that deals with its special concerns.
Enabling the FTP ALG
FTP allows computers to exchange files through the Internet. It is often used to upload Web pages to a Web server or to download files from a server to a PC.
ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network Configuring ALGs On the ProCurve Secure Router, the default port number that the ALG uses for SIP is 5060. If any SIP applications in your network use different port numbers, then you must enable those ports as well. Use the optional udp keyword and enter the port number.
Configuring Timeouts for Sessions
As well as screening TCP and UDP packets for attacks, the Secure Router OS firewall monitors all ICMP, TCP, and UDP sessions established through the router.
The default settings for these timeouts are usually adequate. However, you can alter them in accordance with your organization’s policies with this command:
  Syntax: ip policy-timeout [ahp | esp | gre | icmp] <seconds>
  Syntax: ip policy-timeout [tcp | udp] all-ports <seconds>...
For a complete list of protocol keywords, refer to your SROS CLI reference guide. You can also use the ? help command. For example:
  ProCurve(config)# ip policy-timeout tcp ?
You can similarly set individual timeouts for a specific UDP application.
Configuring Logging
By default, the Secure Router OS firewall logs events to the router’s event-history log. It also creates a log for every 100 attacks it blocks and every 100 packets it matches to a policy.
Table 4-3. Priority Level for Common Events
Priority Level   Example Events
informational    policy matches
notification     session login
warning          Frame Relay subinterface becoming active or inactive
error            PPP session opening: ...
To examine the logs stored in the event history, enter the following command:
  ProCurve# show event-history
Logs are marked with the date and time at which they occurred. They are also labeled with the type of event.
Specifying How Many Policy Matches Generate a Log
The Secure Router OS firewall is a stateful-inspection firewall that supports packet filtering. You customize filters, or ACPs, that the firewall uses to determine whether it should forward or drop each packet that arrives on an interface.
To configure log forwarding to a syslog server, you must:
Enable log forwarding. From the global configuration mode context, enter:
  ProCurve(config)# logging forwarding on
Specify the IP address of the syslog server:
  Syntax: logging forwarding receiver-ip <A.B.C.D>...
Syslog Facility             Keyword
system log                  syslog
user process                user
UNIX-to-UNIX copy system    uucp
Specify the priority level for events that the router forwards to the syslog server:
  Syntax: logging forwarding priority-level [info | notice | warning | error | fatal]
For example:
  ProCurve(config)# logging forwarding priority-level notice
The priority level can be the same as or different than that for events...
To configure the router to forward event logs to an email address or addresses, you must:
Enable log forwarding to an email address. Enter:
  ProCurve(config)# logging email on
Specify the email server. You can use either the IP address of the email server or its hostname:
  Syntax: logging email receiver-ip [<A.B.C.D>...
Quick Start
You can also specify what will appear in the From field of the email message by entering:
  Syntax: logging email sender <source>
The message will simply consist of logs without any explanation, so the From field must give recipients enough information to know which device originated the logs.
Set the priority level for events logged to the router’s event history.
  Syntax: event-history priority [info | notice | warning | error | fatal]
For example:
  ProCurve(config)# event-history priority info
If so desired, change the timeouts for TCP, UDP, and ICMP sessions:
  Syntax: ip policy-timeout [tcp | udp] all-ports <seconds>...
Applying Access Control to Router Interfaces
Contents
  Access Control for Interfaces on the ProCurve Secure Router ........ 5-3
  Access Control Mechanisms ........................................... 5-4
  Using ACLs Alone to Configure Access Control ....
  Configure ACPs ..................................................... 5-35
    Action ....
Access Control for Interfaces on the ProCurve Secure Router
In addition to blocking known cyber attacks with its stateful-inspection firewall, the ProCurve Secure Router OS can filter both inbound and outbound traffic, enabling you to control the traffic that enters and exits your corporate network.
Table 5-1. Evaluating Traffic Patterns on Your WAN
Interface          Usage            Traffic That Must Be Transmitted   Outgoing Traffic That Should Be Blocked   Incoming Traffic That Should Be Blocked
E1 1/1 and PPP 1   connection to ...
ACPs also allow you to perform certain actions on traffic that ACLs do not. For example, you must use an ACP to configure Network Address Translation (NAT) on the ProCurve Secure Router.
Using ACLs Alone to Configure Access Control
When you use ACLs alone to configure access controls on router interfaces, you must complete two main steps:
  Configure the ACL.
  Apply the ACL directly to an interface.
For example, an ACL could include entries such as:
  deny host 192.168.115.91
  deny host 192.168.44.53
  permit 192.168.115.0 0.0.0.255
  permit 192.168.44.0 0.0.0.255
The first two entries deny access to the devices with the IP addresses 192.168.115.91 and 192.168.44.53.
[Figure 5-1: a standard ACL applied to the PPP 1 interface of the router between the Internet and the core switch; for each packet the router asks “Is this source address permitted or denied?”]
Creating an ACL
To create an ACL, you enter the ip access-list command from the global configuration mode context:
  Syntax: ip access-list [standard | extended] <listname>
Enter either the standard or extended option, depending on the type of ACL you are configuring, and replace <listname>...
For example, if you want to permit all traffic that enters through the Ethernet interface, you create a permit entry in the ACL:
  ProCurve(config-std-nacl)# permit any
You can also permit or deny a specific host:
  ProCurve(config-std-nacl)# permit host <A.B.C.D>...
As a general rule, you should specify the network address for the subnet you are using the wildcard bits to select. A 1 bit in the wildcard means that the corresponding address bit is ignored when matching; a 0 bit means that it must match exactly. Adding the wildcard bits to the network address gives you the last address in the range.
Replace <listname> with an alphanumeric descriptor that is meaningful to you. The name is case sensitive. After you enter this command, you are moved to the extended ACL configuration mode context, as shown below:
  ProCurve(config-ext-nacl)#
Permit or Deny Traffic.
To specify a source or destination address, you use the following syntax:
  [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>]
Table 5-4 lists the options you have for specifying both the source address and the destination address.
Replace the second <A.B.C.D> with the IP address for the destination device. For example, if you want to block all traffic from the 192.168.1.0 /24 network to the server with the IP address 10.15.1.1, you would replace <A.B.C.D> with 10.15.1.1.
Table 5-5. Specifying Ports in Extended ACLs
Option             Meaning
eq <port number>   matches a specific port
gt <port number>   matches all ports that are a larger number than the port number you specify (not including the specified port)
lt <port number>   ...
Enter the log-input option if you want the log to include the interface on which the matching packet was received.
Entry Order
The order in which you add entries to an ACL is important. The Secure Router OS processes entries one-by-one in the order in which they are listed.
[Figure: Router A connected to Router B over PPP 1; host 172.16.1.10 behind the core switch. The configuration shown on Router A:]
  interface ppp 1
    ip access-group WAN in
  ip access-list standard WAN
    deny host 192.168.115.91          (no match)
    deny host 192.168.44.53           (no match)
    permit 192.168.115.0 0.0.0.255    (no match)
    ...
You and other network administrators can view this remark by entering one of the following commands from the enable mode context:
  ProCurve# show running-config
  ProCurve# show access-lists
Figure 5-5 displays the output from the show access-lists command.
Applying the ACL to an Interface
After you configure an ACL, it does not control access to an interface until you apply it to one of the following:
  an interface
  ...
As discussed above, you can also apply an ACL to all FTP, HTTP, and Telnet traffic destined to the router.
Selecting the Packet and Controlling the Action
When you assign an ACL directly to an interface, the Secure Router OS uses it both to select traffic and to determine which action it should take on this traffic.
You may also want to create an ACL to control traffic to your company’s two Web servers: one is an Internet server, accessible to anyone on the Internet, and one is an intranet server, accessible only to company users.
Restricting FTP Access
To control access to the FTP server on the router, you first create a standard ACL that permits the FTP traffic you want to access the router and denies the FTP traffic that you want to block.
For example, if you wanted to apply an ACL called webaccess, you would enter:
  ProCurve(config)# ip http access-class webaccess in
Restricting Telnet Access
Restricting Telnet access to the router is similar to restricting access to an interface.
This section contains some sample ACLs to help you understand both the type of ACLs that may be required for your network and the way you configure them.
Permit Routing Updates. When you configure ACLs, remember that any traffic that you do not explicitly permit will match the implicit “deny any” entry at the end of the ACL. If you have configured a routing protocol and routing updates are being sent to a router interface, you should ensure that these routing updates are permitted by the ACL you assign to that interface.
Using ACPs to Control Access to Router Interfaces
By themselves, ACLs have some limitations: you can assign only one ACL to each interface to control inbound traffic and one ACL to control outbound traffic.
If you do not enable the firewall, you can still configure ACPs. However, when you try to apply an ACP to an interface, the ProCurve Secure Router displays a message similar to the following:
  Firewall is disabled, access policy commands applied but not used
Configure ACLs...
A standard ACL matches only one packet pattern: the source IP address. An extended ACL matches more complex packet patterns:
  source and destination address
  most fields in the IP, TCP, and UDP header, including IP protocol and TCP or UDP source or destination port
You should create a standard ACL if you want to select traffic based only on the source IP address.
[Figure 5-7: the router between the Internet and the core switch asks, for each packet, “Is this source address permitted or denied?”, “Is this destination address permitted or denied?”, and “Is this protocol and port permitted or denied?”]
Using Permit and Deny Entries to Select Traffic. To create permit and deny entries for standard ACLs, you use the following command syntax:
  Syntax: [permit | deny] [any | host {<A.B.C.D> | <hostname>} | <A.B.C.D> <wildcard bits>]
Table 5-7 lists the options for specifying the source address.
You can also omit the host keyword to select a specific IP address:
  ProCurve(config-std-nacl)# permit 192.168.115.80
  ProCurve(config-std-nacl)# deny 192.168.115.80
Using Wildcard Bits. Finally, you can use wildcard bits to permit or deny a range of IP addresses.
Selecting the log Option. Include the log option if you want the Secure Router OS to log a message when these two conditions are met:
  debug access-list is enabled for this ACL
  a packet matches this ACL
Exit the ACL.
All of the command options are explained in the sections that follow.
Specifying a Protocol. When you configure extended ACLs, you must specify a protocol. Valid protocols include:
  AH (ahp)
  ESP (esp)
  GRE (gre)
To exclude ICMP traffic from a range of IP addresses to a specific destination, enter:
  ProCurve(config-ext-nacl)# deny icmp <A.B.C.D> <wildcard bits> host <A.B.C.D>
Specifying a Source or Destination Port for TCP and UDP. If you are configuring ACL entries to select TCP or UDP traffic, you can also specify source and destination ports—although this is optional.
To view a list of well-known ports, enter the help command after one of the port commands (such as eq, gt, or neq). The list of options is displayed in alphabetical order.
Each ACP contains an implicit “discard all” at the end. Packets are discarded if they do not match any ACL listed in the ACP. This chapter explains how to create entries that allow or discard packets. For information about NAT, see Chapter 6: Configuring Network Address Translation.
Creating Entries in the ACP
From the policy class configuration mode context, you can begin to enter allow, discard, and NAT entries. To create an allow entry, enter:
  Syntax: allow list <listname>...
Assigning the ACP to an Interface
An ACP does not become active until you assign it to an interface (and enable the firewall). Then it affects only the incoming traffic on the interface to which it is assigned.
For example, if you configure an ACP that blocks your Telnet access to the ProCurve Secure Router, you will lose your ability to manage the router through a Telnet session and must use another access method to correct your error.
When a packet enters an interface that has been assigned an ACP, the Secure Router OS firewall checks the first entry in the ACP. The firewall then reads the associated ACL to determine if the packet matches the IP address and any other fields that are specified.
[Figure: Router A (subnet 192.168.1.0 on Eth 0/1, behind an edge switch) connected to Router B over PPP 1 and PPP 2. The configuration shown on Router B:]
  interface ppp 2
    ip address 10.1.1.1 255.255.255.252
    access-policy Private
  ip access-list standard Group1
    permit host 192.168.1.10 log      (no match)
    ...
However, the action specified in the ACL is deny, and when an ACL is part of an ACP, deny means do not take the action specified in the ACP. The allow list MatchAll entry is the last in the ACP.
Table 5-10. Actions Based on ACP Configuration
ACL Entry   ACP Action        Result
deny        does not matter   Secure Router OS firewall:
                              • does not take the specified action on the packet
                              • ...
[Figure: flowchart of ACP processing. A packet enters the interface; the firewall processes the entries in the ACP from the top down and, for each, the entries in that ACL from the top down. A permit in an ACL whose ACP entry is allow leads to the route lookup; a permit whose ACP entry is discard drops the packet. If the ACL produces no permit, the firewall asks “Another ACL in ACP?”: if yes, it continues with the next ACP entry; if no, it drops the packet.]
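The matching rules described in the preceding sections (wildcard bits, top-down first-match processing, the implicit "deny any" of an ACL applied directly to an interface, and the permit/deny semantics of an ACL inside an ACP with its implicit "discard") can be checked against a small model. The block below is an added example, not code from the ProCurve manual or from HP: it parses a subset of the manual's ACL syntax, evaluates constructed packets, and includes a deliberately misconfigured ACP ("Broken") to show why a deny entry inside a discard ACP entry blocks nothing. The port-name table, sample ACLs and ACPs are constructed for this example.

```python
"""ACL/ACP evaluation model for the Secure Router OS firewall. Added example, not code
from the ProCurve manual or from HP: it parses the manual's ACL syntax (a subset) and
applies the rules the text describes. WELL_KNOWN, SAMPLE_ACLS, SAMPLE_ACPS are constructed."""
import re
from ipaddress import IPv4Address

WELL_KNOWN = {"telnet": 23, "www": 80, "domain": 53}   # assumed subset of port names
ANY = (0, 0xFFFFFFFF)                                  # (network, wildcard) for 'any'

def take_address(tokens):  # 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]' -> (net, wild)
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    net = int(IPv4Address(tok))
    if tokens and re.match(r"\d+\.\d+\.\d+\.\d+$", tokens[0]):   # wildcard bits follow
        return net, int(IPv4Address(tokens.pop(0)))
    return net, 0                                       # bare address selects one host

def take_port(tokens):  # optional 'eq <port>' (number or well-known name), else None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        return WELL_KNOWN.get(name) or int(name)

def parse_acl_entry(kind, line):
    tokens = [t for t in line.split() if t not in ("log", "log-input")]
    action, proto = tokens.pop(0), ("ip" if kind == "standard" else tokens.pop(0))
    src = take_address(tokens)
    sport = take_port(tokens) if kind == "extended" else None
    dst = take_address(tokens) if kind == "extended" else ANY
    dport = take_port(tokens) if kind == "extended" else None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "hits": 0}

def parse_acls(text):  # 'ip access-list ...' blocks -> {name: (kind, entries)}
    acls, cur = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"ip access-list (standard|extended) (\S+)$", line)
        if m:
            cur = acls[m.group(2)] = (m.group(1), [])
        else:
            cur[1].append(parse_acl_entry(cur[0], line))
    return acls

def in_range(addr, spec):  # wildcard 1 bit = ignore this bit, 0 bit = must match exactly
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF
    return addr & keep == net & keep

def acl_lookup(acl, pkt):  # top-down, first match decides; None if nothing matched
    for e in acl[1]:
        if (e["proto"] in ("ip", pkt["proto"])
                and in_range(int(IPv4Address(pkt["src"])), e["src"])
                and in_range(int(IPv4Address(pkt["dst"])), e["dst"])
                and e["sport"] in (None, pkt.get("sport"))
                and e["dport"] in (None, pkt.get("dport"))):
            e["hits"] += 1                              # what 'show access-lists' reports
            return e["action"]

def interface_decision(acl, pkt):  # 'ip access-group': no match hits the implicit deny
    return acl_lookup(acl, pkt) or "deny"

def acp_decision(acls, acp, pkt):
    """ACP entries top down: an ACL permit takes the entry's action; a deny or no match
    moves on to the next entry; the end of the ACP is an implicit discard."""
    for action, acl_name in acp:
        if acl_lookup(acls[acl_name], pkt) == "permit":
            return action
    return "discard"

SAMPLE_ACLS = """
ip access-list standard WAN
  deny host 192.168.115.91
  permit 192.168.115.0 0.0.0.255
ip access-list extended Telnet
  permit tcp any any eq telnet
ip access-list extended NoTelnet
  deny tcp any any eq telnet
ip access-list extended Internet
  permit tcp any any eq www
ip access-list standard MatchAll
  permit any
"""
SAMPLE_ACPS = {"WAN": [("discard", "Telnet"), ("allow", "Internet")],      # ip policy-class WAN
               "Broken": [("discard", "NoTelnet"), ("allow", "MatchAll")]}  # deny-in-discard pitfall

def evaluate_samples():  # 'Broken' allows Telnet: its deny entry only excludes, never blocks
    acls = parse_acls(SAMPLE_ACLS)
    wan = lambda src: interface_decision(acls["WAN"], {"proto": "tcp", "src": src, "dst": "172.16.1.10"})
    to_router = {"proto": "tcp", "src": "10.9.9.9", "dst": "172.16.1.1", "sport": 40000}
    return {"wan_denied_host": wan("192.168.115.91"), "wan_subnet_host": wan("192.168.115.80"),
            "wan_other_net": wan("10.1.1.1"),
            "acp_telnet": acp_decision(acls, SAMPLE_ACPS["WAN"], dict(to_router, dport=23)),
            "acp_web": acp_decision(acls, SAMPLE_ACPS["WAN"], dict(to_router, dport=80)),
            "acp_ssh": acp_decision(acls, SAMPLE_ACPS["WAN"], dict(to_router, dport=22)),
            "broken_telnet": acp_decision(acls, SAMPLE_ACPS["Broken"], dict(to_router, dport=23)),
            "telnet_hits": acls["Telnet"][1][0]["hits"]}
```

The "Broken" policy class is the configuration mistake the text warns about: `deny tcp any any eq telnet` under `discard list NoTelnet` excludes Telnet from the discard, so it falls through to `allow list MatchAll` and is allowed. The working "WAN" policy class selects Telnet with a permit entry and discards it, and anything that matches no entry is dropped by the implicit discard at the end.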
Inbound Interface Has an ACP; Outbound Interface Does Not Have an ACP
When you assign an ACP to an interface, the Secure Router OS firewall uses that ACP to filter inbound traffic—traffic arriving on the interface.
[Figure 5-13. Inside ACP Filters Incoming Traffic on an Ethernet Interface: traffic entering the interface with the Inside ACP is allowed by the Inside ACP; the Outside ACP on the other interface is not used for that traffic.]
However, if traffic arrives on the PPP 1 interface, the roles are reversed: the Secure Router OS firewall will use the Outside ACP to filter traffic.
[Figure 5-15. No ACP Applied to the Inbound Interface, so all Traffic Is Allowed: traffic enters an interface without an ACP and leaves through an interface with an ACP; no ACP is applied.]
If you have enabled the firewall on the ProCurve Secure Router, it will still check this traffic for known attacks and block those attacks.
Block Telnet Traffic. To strengthen security on your WAN, you may want to deny any Telnet session that users attempt to establish with the ProCurve Secure Router. You must first create an extended ACL and give it a name, such as Telnet.
You may also want to permit Domain Name System (DNS) traffic on WAN interfaces that are connected to the Internet. To permit DNS traffic, enter:
  ProCurve(config-ext-nacl)# permit tcp any any eq domain
Note that ordinary DNS queries are carried over UDP port 53; TCP port 53 is used for zone transfers and for responses too large for UDP. In practice you will also need a matching udp entry, or resolvers behind the router will fail.
You can then create an ACP, as shown below:
  ProCurve(config)# ip policy-class WAN
  ProCurve(config-policy-class)# allow list Internet...
When you are using ACLs with ACPs, remember that you must use a permit entry to both select traffic and to have the Secure Router OS firewall take the action configured in the ACP.
Viewing ACLs and ACPs
Table 5-11 lists the show commands that you can use to view and troubleshoot ACLs and ACPs.
Table 5-11. show Commands for ACLs and ACPs
Command              Explanation
show access-lists    displays all of the ACLs configured on the ProCurve Secure...
As Figure 5-16 shows, this command lists the following information for each ACL:
  type of ACL—standard or extended
  all entries in the ACLs
  number of packets matched to each entry
  ProCurve# show access-lists
  Extended IP access list Internet
      permit tcp any...
  ProCurve# show ip policy-class
  Policy-class "Inside":
    Entry 1 - allow list MatchAll
  Policy-class "Outside":
    Entry 1 - allow list Region
    Entry 2 - allow list InWeb
    Entry 3 - discard list MatchAll
Figure 5-17.
If the traffic has been manipulated using NAT, the NAT IP address and port are also listed. Figure 5-18 illustrates a sample display of sessions.
  ProCurve# show ip policy-sessions
  Src IP Address   Src Port   Dest IP Address   Dst Port...
See Figure 5-19 for a sample display.
  ProCurve# show ip policy-stats
  Global 0 current sessions (255300 max)
  Policy-class "Inside": 121 current sessions (85100 max)
    Entry 1 - allow list MatchAll
      1424221 in bytes, 14222323 out bytes, 123 hits
  Policy-class "Outside": 554 current sessions (85100 max)
Troubleshooting
show Commands
In addition to using show commands to view information about ACLs and ACPs and to verify that your configuration is correct, you can use these commands for troubleshooting. For example, suppose that several users call you, complaining that they cannot send traffic to a remote site.
You can also clear a particular policy session. For example, if you enter the show ip policy-sessions command and determine that an existing session should be terminated, you can use one of the following commands:
  Syntax: clear ip policy-sessions <policyname>...
  Src IP Address   Src Port   Dest IP Address   Dst Port   NAT IP Address   NAT Port
  ---------------- ---------  ---------------   --------   ---------------  -------
  Policy class "Inside":
  tcp (80)   192.168.20.1    2001   172.16.1.1   d   10.10.3.10
  Policy class "Outside":
  tcp (20)   192.168.100.99  1908...
Debug ACLs
You can debug events associated with a particular ACL. From the enable mode context, enter:
  Syntax: debug access-list <listname>
Replace <listname> with the name of the ACL you want to debug. For example, if you want to debug the Inside ACL, enter:
  ProCurve# debug access-list Inside
To end the debug, enter one of the following commands:...
Quick Start
This section provides the commands you will need to quickly configure and apply access controls to interfaces on the ProCurve Secure Router. There are two access control mechanisms on the ProCurve Secure Router:
  access control lists (ACLs)
  access control policies (ACPs)
ACLs can be used alone or in combination with ACPs.
Configuring an ACL and Applying It Directly to an Interface
This section explains how to use ACLs by themselves to enforce access control on particular interfaces. If you use ACLs in this way, you can apply two ACLs to each interface: one ACL to control incoming traffic and one ACL to control outgoing traffic.
To permit or deny a specific host, use the host keyword. For example, enter:
  ProCurve(config-std-nacl)# deny host 192.168.115.90
b. If you are configuring an extended ACL, enter:
  Syntax: permit | deny <protocol> <source address> <source port> <destination address>...
Valid interfaces include PPP interfaces, Frame Relay subinterfaces, ATM subinterfaces, HDLC interfaces, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACL to an Ethernet subinterface.) Apply the ACL to the interface by entering the following command from the appropriate interface configuration mode context:
  Syntax: ip access-group <listname>...
When an ACL is used in conjunction with an ACP, a permit entry means that the traffic defined by the packet pattern is selected for the action specified in the ACP. A deny entry, on the other hand, means that the traffic is excluded from the action specified in the ACP.
To exclude a specific host from the action that you will specify in the ACP, enter:
  ProCurve(config-std-nacl)# deny host 192.168.115.90
b. If you are configuring an extended ACL, enter:
  Syntax: permit | deny <protocol> <source address> <source port> <destination address>...
From the global configuration mode context, enter the following command to create an ACP:
  Syntax: ip policy-class <policyname>
Replace <policyname> with a unique name that is a maximum of 255 alphanumeric characters. You are moved to the policy class configuration mode context.
Configuring Network Address Translation
Contents
  NAT Services on the ProCurve Secure Router .......................... 6-2
    Many-to-One NAT for Outbound Traffic .............................. 6-2
    Using NAT with PAT ....
NAT Services on the ProCurve Secure Router
When you enable the ProCurve Secure Router OS firewall, you can configure it to perform Network Address Translation (NAT) on traffic exchanged between the internal, trusted network and the untrusted, public network.
[Figure: users at 192.168.115.1–192.168.115.3 and 192.168.1.10–192.168.1.12 behind edge switches and a core switch; the router NATs all private IP addresses to one IP address such as 10.1.1.1, so the source address of all packets sent to the Internet is now 10.1.1.1.]
Table 6-1. Information Recorded in a Port-Mapping Table for a Sample Network
Private IP Address   Translated Public IP Address   Translated Port   Destination IP Address   Destination Port
192.168.1.10         10.1.1.1                       4000              10.20.1.1
192.168.1.11         10.1.1.1                       ...
One-to-One NAT for Inbound Traffic
The Secure Router OS firewall performs one-to-one NAT on inbound traffic—traffic being transmitted from the outside, public network to a device on the internal, trusted network.
[Figure: (1) an Internet user sends a request to the Web server at 10.10.10.1; (2) the ProCurve Secure Router NATs the destination address on incoming requests for the Web server to 192.168.1.2, the server’s address behind the core and edge switches.]
translates the public IP address to the private IP address, it can also perform port translation, assigning the traffic to the particular port used by the internal device. (See Figure 6-4.)
[Figure 6-4: (1a) an Internet user sends a request to the public address; (1b) the router NATs the destination address and port to those of the internal device ...]
Configuring NAT
Configuring NAT is a four-step process—the steps required to configure an access control policy (ACP):
  Enable the firewall on the ProCurve Secure Router.
  Configure at least one access control list (ACL).
  Configure the ACP.
  Assign the ACP to specific interfaces.
Deny means that the traffic is excluded from the action specified in the ACP entry. If you do not want to NAT certain traffic, you should create a deny entry. If a packet matches a deny entry, the Secure Router OS will stop processing that particular ACL and the related ACP entry and move to the next entry in the ACP (if there is another entry).
You can then use the following command to select the traffic that you want to NAT:
  Syntax: [permit | deny] [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>]
Table 6-2 lists the options for specifying a source address.
Table 6-2.
If you enter 192.168.115.0 with the wildcard bits 0.0.0.31, the Secure Router OS firewall will not match the last five address bits in the fourth octet. The firewall will match all hosts with addresses between 192.168.115.0 and 192.168.115.31 to the deny entry (the .0 network address itself matches too, because a 1 bit in the wildcard means the corresponding address bit is ignored).
Configuring Network Address Translation Configuring NAT Table 6-3. Options for Specifying Source and Destination Addresses Option Meaning match all hosts host <A.B.C.D> specify a single host or a single IP address hostname <hostname> specify a single host by name rather than by IP address <A.B.C.D>...
Configuring Network Address Translation Configuring NAT Configuring an Extended ACL for Many-to-One NAT. You can also con- figure an extended ACL for many-to-one NAT. You may need to use this option if your router provides both an Internet connection and a connection to a remote private network.
Configuring Network Address Translation Configuring NAT For example, to create an ACP called NATInside, enter: ProCurve(config)# ip policy-class NATInside The router prompt shows that you are at the policy class configuration mode context: ProCurve(config-policy-class)# Configuring Many-to-One NAT for Outbound Traffic When you configure many-to-one NAT, you base NAT on the source IP address.
Replace <listname> with the name of the ACL that selects traffic for one-to-one NAT, and replace <A.B.C.D> with the private IP address of the internal host to which the router rewrites the destination address. (The ACL itself matches the public address that outside hosts send to.) Because this is one-to-one NAT, you do not include the overload keyword. For example, to configure the Secure Router OS firewall to NAT all traffic selected by the Outside ACL to the IP address 192.168.1.10, enter:
ProCurve(config-policy-class)# nat destination list Outside address 192.168.1.10...
Next, you create an ACP with two entries: one for the Web server and one for the FTP server. Traffic selected by the Webserver ACL is assigned the destination IP address of 192.168.2.11, the actual IP address of the Web server on the internal network.
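The ACP evaluation described in the NAT sections above, as an added Python model that is not the router's code: a policy class holds ordered NAT entries, each entry's ACL selects traffic, a source entry with overload rewrites the source address and gives each session its own port (the port range is an assumption of the model), and a destination entry rewrites only the destination address to the private host. Addresses, ACL contents and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                          # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None          # extended ACL: also match a destination port


def acl_match(acl, pkt):
    """First matching entry wins. None means no entry matched (implicit deny)."""
    for e in acl:
        if (pkt["src"] in e.src and pkt["dst"] in e.dst
                and (e.dport is None or e.dport == pkt["dport"])):
            return e.action
    return None


@dataclass
class NatEntry:
    kind: str            # "source" = many-to-one NAT, "destination" = one-to-one NAT
    acl: list
    address: str         # public address for source NAT, private host for destination NAT
    overload: bool = False


@dataclass
class PolicyClass:
    entries: list
    sessions: dict = field(default_factory=dict)
    next_port: int = 1024    # assumption: translated source ports handed out from 1024 up

    def translate(self, pkt):
        """Return the packet after NAT; an existing session reuses its translation."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        if key in self.sessions:
            return self.sessions[key]
        for entry in self.entries:
            if acl_match(entry.acl, pkt) != "permit":
                continue          # deny or no match: this entry is skipped, try the next
            out = dict(pkt)
            if entry.kind == "source":
                out["src"] = ipaddress.ip_address(entry.address)
                if entry.overload:            # many-to-one: one public address, unique ports
                    out["sport"] = self.next_port
                    self.next_port += 1
            else:
                out["dst"] = ipaddress.ip_address(entry.address)   # one-to-one: destination only
            self.sessions[key] = out
            return out
        return pkt                # no entry applied: forwarded untranslated


def packet(src, sport, dst, dport, proto="tcp"):
    return {"src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport, "proto": proto}


def net(s):
    return ipaddress.ip_network(s)


# Constructed policy classes. "Inside" NATs the LAN to one public address but
# excludes traffic to the remote private network reached over the VPN;
# "Outside" sends Web traffic for the public address to the internal Web server.
INSIDE = PolicyClass([NatEntry("source", [
    AclEntry("deny", net("192.168.1.0/24"), net("172.16.0.0/16")),
    AclEntry("permit", net("192.168.1.0/24")),
], address="203.0.113.1", overload=True)])

OUTSIDE = PolicyClass([NatEntry("destination", [
    AclEntry("permit", dst=net("203.0.113.1/32"), dport=80),
], address="192.168.2.11")])

if __name__ == "__main__":
    for p in (packet("192.168.1.20", 40000, "198.51.100.5", 80),
              packet("192.168.1.21", 40000, "198.51.100.5", 80),
              packet("192.168.1.20", 40001, "172.16.5.5", 445)):
        print(INSIDE.translate(p))
    print(OUTSIDE.translate(packet("198.51.100.9", 5555, "203.0.113.1", 80)))
```

The deny entry in the Inside ACL is what keeps VPN traffic to 172.16.0.0/16 untranslated; without it the permit for the whole LAN would NAT that traffic too, and the remote site would see packets from the public address.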
Viewing ACLs and ACPs
After you configure NAT on the ProCurve Secure Router, you can use show commands to:
• view ACLs configured to select the traffic for NAT
• view NAT entries in ACPs
• display information about connections associated with particular ACPs
The show commands related to ACLs and ACPs are listed in Table 6-5.
Displaying ACLs
To view all of the ACLs that are configured on the ProCurve Secure Router, move to the enable mode context and enter:
ProCurve# show access-lists
As Figure 6-5 shows, this command lists the following information for each ACL:
• type of ACL—standard or extended
• all entries in the ACLs...
ProCurve# show ip policy-sessions
Src IP Address    Src Port   Dest IP Address   Dst Port   NAT IP Address   NAT Port
----------------  ---------  ----------------  ---------  ---------------  --------
Policy class "Inside":
tcp (80)  192.168.20.1  2001  172.16.1.1  d  10.10.3.10
Policy class "Outside":...
Troubleshooting
ProCurve# show ip policy-stats
Global
  0 current sessions (255300 max)
Policy-class "Inside":
  121 current sessions (85100 max)
  Entry 1 - allow list MatchAll
    1424221 in bytes, 14222323 out bytes, 123 hits
Policy-class "Outside":
  554 current sessions (85100 max)
  Entry 1 - allow list Region
    2345352 in bytes, 56363536 out bytes, 554 hits
  Entry 2 - allow list InWeb...
Clearing Existing Policy Sessions
Whenever you change your ACP configurations, you are prompted to clear the existing sessions. This enables you to apply your new configurations. Otherwise, an existing session may violate an ACP that you just configured. To clear all of the policy sessions on the router, move to the enable mode context and enter:
ProCurve# clear ip policy-sessions...
Configuring Network Address Translation Troubleshooting The remaining options apply only to NAT: Include the destination option to select a session that uses one-to-one NAT (NAT based on the destination address). Include the source option to select a session that uses many-to-one NAT (NAT based on the source IP address).
Clearing ACL Counters
Clearing ACL counters helps you to troubleshoot and isolate problems with the ACLs that are configured on a router. When you clear the counters, the Secure Router OS resets the match count of every ACL entry to zero. You can then reproduce a problem and check the number of matches for a particular entry to determine whether the ACL is selecting traffic correctly.
Configuring Network Address Translation Quick Start Quick Start This “Quick Start” section provides the CLI commands you will need to configure network address translation (NAT) on the ProCurve Secure Router. Only a minimal explanation is provided. If you need additional information about any of these options, check the “Contents”...
Create entries in the ACL to select the traffic that you want to NAT.
Syntax: [permit | deny] [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D> <wildcard bits>]
For example, to NAT all traffic, enter:
ProCurve(config-std-nacl)# permit any
To NAT traffic from subnet 192.168.115.0 /24, use wildcard bits to specify a range of IP addresses.
Configuring Network Address Translation Quick Start To apply the ACP to an interface, move to the configuration mode context for that interface. Syntax: interface <interface> <number> Valid interfaces include PPP interfaces, Frame Relay subinterfaces, ATM subinterfaces, HDLC, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACP to an Ethernet subinterface.) Apply the ACP to the interface by entering the following command from...
Configuring Network Address Translation Quick Start Define the traffic that you want to NAT. For example, if you want to NAT all traffic with the destination address of the Web server, enter: Syntax: [permit | deny] <protocol> [any | host <A.B.C.D> | hostname <hostname> | <A.B.C.D>...
To apply the ACP to an interface, move to the configuration mode context for that interface.
Syntax: interface <interface> <number>
Valid interfaces include PPP interfaces, Frame Relay subinterfaces, ATM subinterfaces, HDLC interfaces, Ethernet interfaces, and demand interfaces. (If you have enabled support for virtual LANs [VLANs], you must apply the ACP to an Ethernet subinterface.)
Content Filtering Overview Overview For most companies, the Internet has become an invaluable work tool, pro- viding new ways to do business and a high-level of contact with customers and suppliers. But with all its benefits, the Internet introduces costs. Almost everyone now realizes the risks posed by attacks launched through the Internet;...
Content Filtering Overview Web Content Filtering on the ProCurve Secure Router 7000dl Series Web content filtering is the best way to minimize the problems associated with misuse of the Internet at work. Web content filtering prevents undesirable Internet activity while allowing mission-critical traffic and applications. Firewalls and access control lists (ACLs) are valuable security tools, but they are not designed to prevent legitimate users from accessing inappropriate content.
Content Filtering Overview Your policies can be quite flexible, varying from user group to user group. You can also integrate the Websense policies with other security measures. For example, the Websense server can integrate with your authentication or directory service solution; the server automatically applies the correct filter- ing policies to a user who has logged in to the private network.
Content Filtering Configuring Web Content Filtering Configuring Web Content Filtering To configure Web content filtering on a ProCurve Secure Router 7000dl, you must complete these tasks: Install your Websense solution and configure filtering policies on the Websense server. On the ProCurve Secure Router: •...
Filtering settings include:
• Websense server IP address or addresses
• router's default behavior when the Websense server is unreachable
• list of domains about which the router can make its own decisions
• maximum number of outstanding requests to the Websense server
• number of buffered responses from Web servers on the Internet
Specifying the Websense Server's IP Address
You need to configure only one setting for the filter to function: the Websense...
Filters control traffic on logical interfaces, which, on the ProCurve Secure Router, include:
• Ethernet interfaces
• Ethernet subinterfaces
• Point-to-Point Protocol (PPP) interfaces
• Frame Relay subinterfaces
• Asynchronous Transfer Mode (ATM) subinterfaces
• demand routing interfaces
• tunnel interfaces
You can apply the filter to inbound HTTP traffic that arrives on the interface or to outbound HTTP traffic that the interface transmits.
Note: Remember to enable the firewall:
ProCurve(config)# ip firewall
For more information on the firewall, see Chapter 4: ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network.
Specifying Behavior When the Server Is Unreachable
A failed network connection might prevent the ProCurve Secure Router from receiving instructions from the Websense server about how to filter HTTP traffic.
Content Filtering Configuring Web Content Filtering denied through the ProCurve Secure Router operating system (OS). The router then automatically passes traffic associated with the permitted domains and blocks traffic associated with the denied domains. (Note that you must still apply a filter to an interface in order for exclusive domains to take effect.) Because the router allows or denies access to the exclusive domains without ever contacting the Websense server, the policy set by the ip urlfilter exclu-...
For example, enter:
ProCurve(config)# ip urlfilter exclusive-domain permit www.procurve.com
To specify an FQDN that users can never access, enter this command from the global configuration mode context:
Syntax: ip urlfilter exclusive-domain deny <FQDN>
You can specify multiple domain names by entering multiple commands. To view the exclusive domain names, as well as whether they are permitted or denied, enter this command:
ProCurve# show ip urlfilter exclusive-domain...
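The order of decisions this section and the previous one describe for a single HTTP request, as an added Python model that is not the router's code: exclusive domains are decided on the router without contacting the Websense server, any other request goes to the server, the configured Allow or Block behavior applies when the server is unreachable, and new requests are dropped once the outstanding-request limit is reached. Matching exclusive domains by exact FQDN, the statistics names and the domains used are assumptions of the model.

```python
class UrlFilter:
    """Router-side filtering decision for one HTTP request."""

    def __init__(self, max_request=500, allow_when_unreachable=False):
        self.exclusive = {}                  # fqdn -> "permit" or "deny"
        self.max_request = max_request       # ip urlfilter max-request <1 to 500>
        self.allow_when_unreachable = allow_when_unreachable   # Allow mode vs Block mode
        self.stats = {"local": 0, "sent": 0, "fallback": 0, "dropped": 0}

    def exclusive_domain(self, action, fqdn):
        """ip urlfilter exclusive-domain <permit | deny> <FQDN>"""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.exclusive[fqdn.lower()] = action

    def decide(self, fqdn, server_reachable, server_verdict=None, outstanding=0):
        """Return 'allow', 'deny' or 'drop' for a request to fqdn.

        outstanding is the number of requests already waiting on the Websense
        server; server_verdict is the server's answer when it is reachable.
        """
        fqdn = fqdn.lower()
        if fqdn in self.exclusive:            # decided locally, server never asked
            self.stats["local"] += 1
            return "allow" if self.exclusive[fqdn] == "permit" else "deny"
        if not server_reachable:              # fall back to the configured mode
            self.stats["fallback"] += 1
            return "allow" if self.allow_when_unreachable else "deny"
        if outstanding >= self.max_request:   # request budget exhausted: new request dropped
            self.stats["dropped"] += 1
            return "drop"
        self.stats["sent"] += 1               # ask the server; anything but allow is denied
        return "allow" if server_verdict == "allow" else "deny"


if __name__ == "__main__":
    f = UrlFilter(max_request=8)
    f.exclusive_domain("permit", "www.procurve.com")
    f.exclusive_domain("deny", "games.example")
    print(f.decide("www.procurve.com", server_reachable=False))
    print(f.decide("news.example", server_reachable=False))
    print(f.decide("news.example", server_reachable=True, server_verdict="allow", outstanding=8))
```

A permitted exclusive domain is the only way a site stays reachable in Block mode while the server is down, which is why the troubleshooting section below suggests adding one for sites that must always be available.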
Content Filtering Troubleshooting Web Content Filtering workstations until it knows that access to them is allowed. While waiting for the Websense server’s decisions, the router buffers the external Web servers’ responses. At any one time, the ProCurve Secure Router can buffer up to 100 responses.
Table 7-1. Web Content Filtering show Commands
Command Syntax: show ip urlfilter
View: filtering configuration:
• filter name or names
• interface or interfaces to which each filter has been applied (including the traffic direction)
• ...
When troubleshooting, you often follow this standard practice:
1. Clear statistics.
2. Reproduce a problem.
3. View statistics.
To clear filtering statistics, enter this enable mode command:
ProCurve# clear ip urlfilter statistics
For more detailed troubleshooting, you can view all event messages related to Web content filtering.
Table 7-2. Web Content Filtering Debug Messages
Message: Could not connect to Websense Enterprise server A.B.C.D
Meaning: The router cannot connect to the Websense server.
Possible Problems: • The link to the Websense server is...
Then, check these settings by entering show ip urlfilter:
• The filter is applied to the correct interface.
• The filter is applied to traffic in the correct direction (usually inbound on an Ethernet interface or outbound on a WAN interface).
• The Websense server's IP address is correct.
Content Filtering Troubleshooting Web Content Filtering current problem. If Allow mode is enabled, it may very well be that the router cannot contact the Websense server. See “The Router Cannot Connect to the Websense Server” on page 7-18 to diagnose and fix this problem. Finally, it is possible that the filtering policy on the Websense server is misconfigured.
Content Filtering Troubleshooting Web Content Filtering Users Cannot Access the Web Sites They Need Web content filtering should, of course, block some sites, but not all. All Internet Access Is Blocked. No matter what site users try to visit, they see a screen telling them that they are prohibited from viewing that site.
For example, you have attempted to allow users to access the ProCurve Web site even if the router cannot reach the Websense server. You entered this command:
ProCurve(config)# ip urlfilter exclusive-domain permit www.procurve.com
One afternoon the Websense server fails; users try to access the ProCurve Web site, but they cannot open any pages within the site.
ProCurve# show ip urlfilter statistics
Current outstanding requests to filter server: 0
Current response packets buffered from web server: 0
Max outstanding requests to filter server: 8
Max response packets buffered from web server: 4
Total requests sent to filter server: 543
Total responses received from filter server: 541
Total requests allowed: 541...
No matter what you discover, remember to define the router's behavior while you fix the problem, enabling Allow mode if you want to grant users temporary, complete Internet access.
Web Sites Do Not Load, Load Slowly, or Load Incompletely
Filtering traffic adds a bit of latency while the router waits for the Websense server to issue policy decisions.
Content Filtering Quick Start Quick Start This section provides the commands you must enter to quickly configure Web content filtering. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 7-1 to locate the section and page number that contains the explanation you need.
For advanced configuration, complete this step. Otherwise, move directly to step 6.
a. Add domain names that the router either permits or denies without contacting the Websense server:
Syntax: ip urlfilter exclusive-domain <permit | deny> <FQDN>
b. Specify the maximum number of outstanding requests the router allows to the Websense server (before dropping new requests):
Syntax: ip urlfilter max-request <1 to 500>...
Setting Up Quality of Service
Contents
Overview ... 8-4
Evaluating Traffic on Your Network
Configuring LLQ ... 8-32
Overview
Example: Configuring QoS for VoIP ... 8-61
Enabling Application-Level Gateways for Applications with Special Needs
Overview
Quality of service (QoS) protocols allow a router to distinguish different classes of traffic and serve each class according to its priority and needs.
Evaluating Traffic on Your Network
Several factors define the QoS that traffic receives, including:
• bandwidth
• delay
• number of dropped packets...
Setting Up Quality of Service Overview Control plane traffic—The router always reserves bandwidth for control traffic. This traffic, such as Open Shortest Path First (OSPF) hellos and routing updates, must run on the interface and will always be transmitted no matter what queuing method the interface implements. You should configure different QoS mechanisms depending on the type of traffic the router is serving.
Setting Up Quality of Service Overview However, neither IP precedence nor DiffServ addresses the second issue: how a router actually provides differentiated service. You must configure other protocols to provide the service requested by the ToS value. You can configure the ProCurve Secure Router to: grant traffic with a higher IP precedence value relatively more bandwidth using WFQ...
The four ToS bits within the ToS field each request a different type of service from forwarding nodes:
• a one in the first bit requests low delay
• a one in the second bit requests high throughput
• a one in the third bit requests high reliability
• a one in the fourth bit requests low cost
Note...
Setting Up Quality of Service Overview The DSCP marks packets for a specific per-hop behavior (PHB). PHBs describe forwarding behavior. That is, standards for PHBs determine such issues as which packets should be forwarded first and which packets should be dropped during network congestion. DiffServ defines four types of PHBs: Default PHB—The Default PHB is for traffic with DSCP 0 (not set) or any undefined DSCP.
Table 8-2. Assured Forwarding PHB
AF Class   Drop Precedence   DSCP     DiffServ Value
AF1        low               001010   10
AF1        medium            001100   12
AF1        high              001110   14
AF2        low               010010   18
AF2        medium            010100   20
AF2        high              010110   22
AF3        low               011010   26
AF3        medium            011100   28
AF3        high              011110   30
AF4        low               100010   34
AF4        medium            100100   36
AF4        high              100110   38
For example, you can define three subclasses with AF1. The third subclass would have a higher drop precedence than the first two.
Setting Up Quality of Service Overview Only 13 DSCP values have actually been standardized. Individual network administrators define in more detail which set of DSCP values match to a specific PHB. This allows them to use DiffServ with the QoS policies already implemented in a network.
[Figure 8-1. First In, First Out: packets enter a single router queue and leave in arrival order]
FIFO treats all packets in the same way. If you want the router to take packets' ToS settings, or other criteria, into account when deciding how to treat them, you must implement a different queuing method.
[Figure 8-2. Low Latency Queuing: VoIP packets are placed in a queue with guaranteed bandwidth ahead of the router's other queued traffic]
FRF.12
FRF.12 fragments large data frames so that a Frame Relay interface can forward each frame with less delay. This allows low latency frames, such as VoIP, more opportunities to be forwarded and minimizes delay.
Setting Up Quality of Service Overview It designates the order in which the ProCurve Secure Router matches traffic to these entries—The ProCurve Secure Router searches QoS entries with the lowest number first. Sequence numbers are only signifi- cant within the named map; QoS maps with different names can have entries with the same sequence number.
Setting Up Quality of Service Configuring WFQ Configuring WFQ Overview WFQ is one method for granting differentiated service to various types of traffic. It classifies traffic according to the source and destination IP addresses and protocol port, and allocates traffic bandwidth relative to IP precedence value.
Setting Up Quality of Service Configuring WFQ Weight The router also assigns each conversation a weight based on the IP prece- dence value of its packets (see Figure 8-3). The rate at which that conversation gets serviced is proportional to the conversation's assigned weight, preventing high-weighted interactive traffic such as Telnet from being starved out by high- volume, lower-weighted traffic.
Setting Up Quality of Service Configuring WFQ Now, consider an interface that handles more conversations at once—for example, 100 routine subqueues, 5 subqueues with a precedence of 3, and 2 queues for VoIP traffic with a precedence of 5. Even though VoIP traffic receives relatively more bandwidth than any individual routine subqueue, routine traffic altogether consumes 75 percent of the bandwidth.
Table 8-5. Mapping DiffServ to IP Precedence
DiffServ   IP Precedence
0-7        0
8-15       1
16-23      2
24-31      3
32-39      4
40-47      5
48-55      6
56-63      7
The IP precedence value is simply the top three bits of the six-bit DSCP. If applications and devices outside the router will handle all packet marking, you only need to enable WFQ and set a threshold level for subqueues. If you want the router itself to mark packets with an IP precedence or DiffServ value, you must configure a QoS map to do so.
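The ToS-byte layout, the Assured Forwarding table and the DiffServ-to-precedence mapping from the Overview and this section, as an added Python example that is not part of the guide. It decodes a ToS byte into precedence, the four ToS request bits and the DSCP, names the standardized PHB a DSCP selects, and builds AF code points from class and drop precedence. The WFQ share function assumes a weight of precedence + 1, which is an assumption consistent with the "75 percent" example above and not a formula the guide states.

```python
AF_DROP = {1: "low", 2: "medium", 3: "high"}


def decode_tos(tos_byte):
    """Split a ToS byte: precedence (bits 7-5), the four ToS request bits (4-1)
    and, read as DiffServ, the six-bit DSCP (bits 7-2)."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS is a single byte")
    return {
        "precedence": tos_byte >> 5,
        "low_delay": bool(tos_byte & 0x10),
        "high_throughput": bool(tos_byte & 0x08),
        "high_reliability": bool(tos_byte & 0x04),
        "low_cost": bool(tos_byte & 0x02),
        "dscp": tos_byte >> 2,
    }


def dscp_to_precedence(dscp):
    """Table 8-5: a DSCP maps to its top three bits (0-7 -> 0, 8-15 -> 1, ...)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is six bits")
    return dscp >> 3


def af_dscp(af_class, drop_precedence):
    """DSCP for AF class 1-4 with drop precedence 1-3 (low, medium, high): AF41 -> 34."""
    if af_class not in (1, 2, 3, 4) or drop_precedence not in AF_DROP:
        raise ValueError("AF class 1-4, drop precedence 1-3")
    return (af_class << 3) | (drop_precedence << 1)


def phb_name(dscp):
    """Name the standardized PHB a DSCP selects: Default, EF, AFxy, CSx, else 'unassigned'."""
    if dscp == 0:
        return "Default"
    if dscp == 46:
        return "EF"
    af_class, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= af_class <= 4 and drop in AF_DROP and (dscp & 1) == 0:
        return "AF%d%d (%s drop precedence)" % (af_class, drop, AF_DROP[drop])
    if (dscp & 0x7) == 0:                     # class selector: low three bits zero
        return "CS%d" % af_class
    return "unassigned"


def wfq_share(subqueues):
    """Bandwidth share per precedence under WFQ with weight = precedence + 1 (an
    assumption of this model); subqueues maps precedence -> number of conversations."""
    total = sum(n * (p + 1) for p, n in subqueues.items())
    return {p: n * (p + 1) / total for p, n in subqueues.items()}


if __name__ == "__main__":
    print(decode_tos(0xB8))                     # EF-marked packet, precedence 5
    print(phb_name(af_dscp(4, 2)))
    print(wfq_share({0: 100, 3: 5, 5: 2}))      # the 100/5/2 subqueue example
```

Running the 100/5/2 case reproduces the point made above: the routine conversations together still take about 76 percent of the bandwidth even though each VoIP conversation is weighted six times higher than each routine one.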
Setting Up Quality of Service Configuring WFQ Specifying the threshold when you enable WFQ is optional. The threshold determines the maximum number of packets the interface can hold in each conversation subqueue. When the queue reaches this limit, the ProCurve Secure Router discards any subsequent packets it receives.
Setting Up Quality of Service Configuring CBWFQ Configuring CBWFQ Overview CBWFQ is an extension of WFQ that allows you to tailor a QoS policy to your organization’s needs. With CBWFQ, you control: how traffic is divided into conversation subqueues how much bandwidth is allocated to each subqueue You exercise this control by defining classes.
Setting Up Quality of Service Configuring CBWFQ To configure CBWFQ, you must complete these steps: Create a QoS map entry. Define a class. You can define classes according to: • ToS value • IP header fields—source and destination IP address, port, and protocol •...
Defining a Class
You define a class by matching the QoS map entry to packets that meet certain criteria.
Table 8-6. QoS Map Criteria
Criteria                     Match Command
ToS value—IP precedence      match precedence <0-7>
ToS value—DiffServ           match dscp <0-63>...
Note: This ToS value is set by an application or device before the packet arrives on the interface. Although the router can mark traffic with ToS values, these values are generally used in the network to which the router forwards the packet.
You would enter these commands to match classes to the four simple AF PHBs (the low-drop-precedence code point of each AF class: AF11, AF21, AF31 and AF41):
ProCurve(config)# qos map Class 11
ProCurve(config-qos-map)# match dscp 10
ProCurve(config)# qos map Class 12
ProCurve(config-qos-map)# match dscp 18
ProCurve(config)# qos map Class 13
ProCurve(config-qos-map)# match dscp 26
ProCurve(config)# qos map Class 14
ProCurve(config-qos-map)# match dscp 34...
Setting Up Quality of Service Configuring CBWFQ For example: ProCurve(config)# ip access-list extended ClassSelector ACLs exclude all traffic that you do not explicitly permit, so you may not need to enter any deny statements. However, you will often permit an entire range of addresses.
[Figure 8-4. Classifying Network Traffic: Network 1 (192.168.1.0/24) behind Router A and Network 4 (192.168.4.0/24) behind Router B, connected across the Internet; a server sits on Network 4]
In Figure 8-4, Network 1 at site A transmits mission-critical data to network 4 at site B. Host 26 on network 4 is a local DHCP server; it does not need to receive this critical data.
Setting Up Quality of Service Configuring CBWFQ You use this command: Syntax: match ip rtp <first port number> <last port number> [all] The match ip rtp command configures the router to match all UDP packets destined to even port numbers in the specified range. (Typically, servers listen for user traffic on even ports.) If you want to match traffic to both even and odd ports, you must add the all keyword.
Setting Up Quality of Service Configuring CBWFQ If you have configured one or more low-latency queues on the interface, you might want to divide the remaining bandwidth rather than the total band- width. This option eases the configuration process; you do not have to figure out how much bandwidth must be reserved for the low-latency queues.
Note: The bandwidth available for queues on a ProCurve Secure Router is 75 percent of an interface's access rate or rate-limited rate. The Secure Router OS will deactivate a QoS map when you assign it to an interface that does not have enough bandwidth available to grant the guaranteed rate.
Next, apply the QoS map to the logical interface for the connection on which you want to enable CBWFQ. Move to the interface configuration mode context and enter:
Syntax: qos-policy out <mapname>
For example:
ProCurve(config)# interface frame-relay 1
ProCurve(config-fr 1)# qos-policy out Class
Special Considerations for CBWFQ with Multilinks...
Setting Up Quality of Service Configuring CBWFQ CBWFQ Example Configuration In Figure 8-5, Site A includes two networks that connect to the Internet. It also connects to remote Site B through a virtual private network (VPN). Your organization does not want Internet traffic to starve out traffic to the remote site.
Match the ACLs to the classes and set the bandwidth for each:
First, define the class for traffic from the Web server. Set the entry number lower than that for the class for Network 1 traffic so that the router does not inadvertently match traffic from the server to the wrong class:
ProCurve(config)# qos map Class 10
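The QoS-map behavior described across this section (entries searched lowest sequence number first, match ip rtp matching only even UDP ports unless all is given, match list deferring to an ACL, and the 75 percent bandwidth limit in the note above), as an added Python model that is not the router's code. It reproduces the ordering problem of the example configuration: the Web server's traffic also matches the broader Network 1 ACL, so the Web server entry must carry the lower sequence number. Representing ACLs as predicates, the packet fields and the interface rates are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass
class QosEntry:
    seq: int                 # "qos map <name> <seq>": lowest number searched first
    match: dict              # {"dscp": n}, {"precedence": n}, {"list": acl}, or {"rtp": (lo, hi, all)}
    priority_kbps: int = 0   # "priority <kbps>": low-latency queue
    bandwidth_kbps: int = 0  # "bandwidth <kbps>": CBWFQ class


def entry_matches(entry, pkt, acls):
    m = entry.match
    if "dscp" in m:
        return pkt["dscp"] == m["dscp"]
    if "precedence" in m:
        return (pkt["dscp"] >> 3) == m["precedence"]
    if "list" in m:
        return acls[m["list"]](pkt)          # ACL modelled as a predicate over the packet
    if "rtp" in m:                           # match ip rtp <first> <last> [all]
        lo, hi, all_ports = m["rtp"]
        return (pkt["proto"] == "udp" and lo <= pkt["dport"] <= hi
                and (all_ports or pkt["dport"] % 2 == 0))
    return False


def classify(qos_map, pkt, acls):
    """Sequence number of the first matching entry, or None for the default class."""
    for entry in sorted(qos_map, key=lambda e: e.seq):
        if entry_matches(entry, pkt, acls):
            return entry.seq
    return None


def reserved_kbps(qos_map):
    return sum(e.priority_kbps + e.bandwidth_kbps for e in qos_map)


def map_fits(qos_map, interface_kbps):
    """Only 75 percent of the interface rate is available to queues; a map that
    reserves more than that is deactivated when it is applied."""
    return reserved_kbps(qos_map) <= 0.75 * interface_kbps


# Constructed ACLs for the Figure 8-5 scenario: the Web server is a host on Network 1.
ACLS = {
    "WebServer": lambda p: p["src"] == "192.168.1.20",
    "Network1": lambda p: p["src"].startswith("192.168.1."),
}

# The Web server entry is numbered below the Network 1 entry on purpose;
# otherwise the broader Network1 ACL would claim the server's traffic first.
QOS_MAP = [
    QosEntry(5, {"rtp": (16384, 32767, False)}, priority_kbps=200),
    QosEntry(10, {"list": "WebServer"}, bandwidth_kbps=512),
    QosEntry(20, {"list": "Network1"}, bandwidth_kbps=256),
]


def pkt(src, proto, dport, dscp=0):
    return {"src": src, "proto": proto, "dport": dport, "dscp": dscp}


if __name__ == "__main__":
    print(classify(QOS_MAP, pkt("192.168.1.20", "tcp", 80), ACLS))     # Web server class
    print(classify(QOS_MAP, pkt("192.168.1.5", "udp", 16387), ACLS))   # odd port: not RTP
    print(reserved_kbps(QOS_MAP), map_fits(QOS_MAP, 1536), map_fits(QOS_MAP, 1024))
```

The same map that is valid on a T1 (1536 Kbps, 75 percent of which is 1152) would be deactivated on a 1024 Kbps link, where only 768 Kbps is available to the queues.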
Setting Up Quality of Service Configuring LLQ Configuring LLQ Overview LLQ is a method for guaranteeing a set amount of bandwidth to certain traffic and reducing this traffic’s latency. You should use LLQ for voice and other real- time applications that involve traffic that cannot tolerate excessive or variable delay (jitter).
Determining Bandwidth for VoIP
One of the most common applications for a low-latency queue is VoIP traffic. You calculate the bandwidth necessary for VoIP traffic by:
1. calculating the bandwidth necessary for one call
2. making adjustments to this calculation according to the capabilities of your VoIP devices
3. multiplying the per-call bandwidth by the number of calls the router needs...
Standard   Bit Rate   Codec (Sample Time)   Sample Size                                                          Packets Per Second
G.728      16 Kbps    2.5 ms                5 bytes; often more than one sample per packet, for example 4 samples per packet for 20 bytes
G.729      8 Kbps     10 ms                 ...
Table 8-9. Example Bandwidth Calculations for VoIP
Standard   Packets per Second   Voice Payload Size   Total Size with MLPPP or Frame Relay header   Per-Call Bandwidth
G.711      ...                  140 bytes            187 bytes                                      74.8 Kbps
...
Setting Up Quality of Service Configuring LLQ Making Adjustments. Calls typically contain bursts of noise when a person speaks and periods of silence when the person listens. Some VoIP applications use Voice Activity Detection (VAD) to suppress transmission of VoIP frames when the line is silent.
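The per-call arithmetic of this section, as an added Python example that is not part of the guide: the codec's bit rate and sample time give the voice payload per packet, the 40 bytes of IP, UDP and RTP headers and a link-layer header are added, the total is multiplied by packets per second, and the result is scaled by the number of simultaneous calls and any Voice Activity Detection saving. The 7-byte link header is an assumption chosen because it reproduces the guide's 140-byte to 187-byte G.711 row; the VAD saving is a parameter you take from your own equipment.

```python
IP_UDP_RTP_HEADER = 40   # 20 bytes IP + 8 bytes UDP + 12 bytes RTP


def payload_bytes(bit_rate_kbps, sample_ms, samples_per_packet=1):
    """Voice payload per packet: codec bit rate times the audio time the packet carries."""
    return bit_rate_kbps * sample_ms * samples_per_packet / 8


def packets_per_second(sample_ms, samples_per_packet=1):
    return 1000 / (sample_ms * samples_per_packet)


def per_call_kbps(payload, pps, link_header=7):
    """Bandwidth of one call counting payload, IP/UDP/RTP and a link-layer header
    (7 bytes is an assumption for the MLPPP or Frame Relay header)."""
    return (payload + IP_UDP_RTP_HEADER + link_header) * 8 * pps / 1000


def codec_call_kbps(bit_rate_kbps, sample_ms, samples_per_packet=1, link_header=7):
    """Per-call bandwidth straight from the codec parameters in the table above."""
    payload = payload_bytes(bit_rate_kbps, sample_ms, samples_per_packet)
    pps = packets_per_second(sample_ms, samples_per_packet)
    return per_call_kbps(payload, pps, link_header)


def llq_bandwidth_kbps(calls, payload, pps, link_header=7, vad_saving=0.0):
    """Size of the low-latency queue for `calls` simultaneous calls. vad_saving is
    the fraction of bandwidth the VoIP equipment saves with VAD (assumed input)."""
    if not 0 <= vad_saving < 1:
        raise ValueError("vad_saving is a fraction between 0 and 1")
    return calls * per_call_kbps(payload, pps, link_header) * (1 - vad_saving)


if __name__ == "__main__":
    print(per_call_kbps(140, 50))                 # the guide's G.711 row: 74.8 Kbps
    print(codec_call_kbps(16, 2.5, 4))            # G.728, four 2.5 ms samples per packet
    print(codec_call_kbps(8, 10, 2))              # G.729, two 10 ms samples per packet
    print(llq_bandwidth_kbps(10, 140, 50, vad_saving=0.35))
```

Packing more samples into each packet lowers the packet rate and therefore the header overhead, which is why the G.728 row notes four samples per packet: at one 2.5 ms sample per packet the headers would dominate the bandwidth.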
Setting Up Quality of Service Configuring LLQ Placing Traffic in a Low-Latency Queue The ProCurve Secure Router guarantees traffic in a low-latency queue the amount of bandwidth you specify. Traffic can burst above this bandwidth, but if the line becomes congested, the router will drop bursting packets in favor of other traffic.
Table 8-10. QoS Map Criteria
Criteria                                                       Match Command
ToS value—IP precedence                                        match precedence <0-7>
ToS value—DiffServ                                             match dscp <0-63>
IP header—source or destination IP address and protocol port   match list <ACL listname>
destination UDP protocol port                                  match ip rtp <first port number>...
Placing Traffic Destined to a UDP Protocol Port in a Low-Latency Queue. VoIP and other real-time traffic requires special handling. Congestion affects this traffic far more negatively than it does bursty data traffic. One way of classifying VoIP traffic is noting the UDP ports on which your VoIP applications operate.
Setting Up Quality of Service Configuring LLQ Configuring an ACL. Create an ACL by entering a command such as this from the global configuration mode context: ProCurve(config)# ip access-list extended LowLatencyTraffic ACLs exclude all traffic that you do not explicitly permit, so you may not need to enter any deny statements.
Network 1 at Site A, shown in Figure 8-6, contains VoIP equipment that communicates with equipment at Network 4 at Site B. Host 26 on Network 1 is an email server; it does not send real-time data. To select the traffic to be placed in a low-latency queue, enter:
ProCurve(config)# ip access-list extended LowLatencyTraffic
ProCurve(config-ext-nacl)# deny ip host 172.16.1.26 any...
Setting Up Quality of Service Configuring LLQ For Frame Relay connections, packets are queued on the Frame Relay inter- face. When one of the Frame Relay subinterfaces is part of a bridge group, you can place bridged traffic in a low-latency queue to speed processing and transmission.
Setting Up Quality of Service Configuring LLQ The traffic placed in the queue receives priority above all other traffic until it reaches the bandwidth specified in the command. If the link is uncongested, priority traffic is allowed to burst up to the interface rate;...
Setting Up Quality of Service Configuring LLQ Marking Low Latency Packets with a ToS Value You can use the same QoS map entry to place packets in a low-latency queue and to mark these packets with a ToS value. Simply enter a set command as well as a priority command.
Setting Up Quality of Service Marking Packets with a ToS value Marking Packets with a ToS value The ProCurve Secure Router can mark the ToS field of packets it forwards with an IP precedence or DiffServ value. These ToS values grant packets different types of service according to configurations in the connecting net- work.
Setting Up Quality of Service Marking Packets with a ToS value For example: ProCurve(config)# qos map PacketMarking 10 The sequence number indicates the priority for the QoS map entry. Because the ProCurve Secure Router searches entries with the lowest numbers first, the lower the map’s number, the higher its priority.
Setting Up Quality of Service Marking Packets with a ToS value The specific type of service granted to packets with different ToS values has only been loosely standardized. Devices in your network might use different values than devices in an external network to which the router is forwarding traffic.
To mark traffic selected by an ACL, you must complete several steps:
1. Configure an ACL.
   a. Create an extended ACL.
   b. Add any necessary deny entries to the ACL.
   c. Add permit entries for the addresses to or from which you want to mark traffic.
Setting Up Quality of Service Marking Packets with a ToS value Marking Traffic Destined to a UDP Protocol Port. It can be important to prioritize traffic to specific, well-known UDP ports. For example, you do not want user traffic to starve out customers accessing your business’s Web server.
Marking Bridged Traffic. You can configure one or more interfaces on the ProCurve Secure Router to act as a bridge. In effect, the router extends a LAN throughout two or more remote sites. Traffic between hosts at each local site can obviously travel faster than that between hosts at different sites.
Assigning the QoS Map to an Interface
The QoS map does not take effect until you apply it to a logical interface. Valid interfaces include:
• PPP interfaces
• HDLC interfaces
• Frame Relay interfaces
• ATM subinterfaces
• demand interfaces...
You would complete the following configurations:
Create a QoS map entry for lowering the precedence for traffic with IP precedence 5:
ProCurve(config)# qos map InternetConnection 10
ProCurve(config-qos-map)# match precedence 5
ProCurve(config-qos-map)# set precedence 3
Configure an ACL to select SIP signaling traffic, which travels to TCP and UDP port 5060:...
Setting Up Quality of Service Configuring Rate Limiting for Frame Relay Configuring Rate Limiting for Frame Relay Overview Rate limiting helps to maintain QoS on a Frame Relay connection and to minimize the number of packets dropped during congestion. Rate Limiting The permanent virtual circuits (PVCs) established on a Frame Relay connec- tion must share the bandwidth available to the carrier line.
[Figure 8-7. Frame Relay Fragmentation: without fragmentation a VoIP frame waits behind an entire data frame (serialization delay); with fragmentation the data frame is split into fragments and VoIP frames are interleaved between them]
Serialization delay is the time it takes the router to transmit data out an interface.
Setting Up Quality of Service Configuring Rate Limiting for Frame Relay You shape Frame Relay traffic by setting the committed burst value (B the excessive burst value (B ).These values determine how much bandwidth the Frame Relay subinterface can use when the line is and is not congested. The total burst values for all PVCs on an interface should be less than the interface’s access rate to save bandwidth for overhead bits the router does not count when calculating transmission rates.
Your SLA probably includes terms for bursting traffic past the CIR. Some providers allow subscribers to burst any amount of traffic. You could set the Be so that, together with the Bc, it equals the physical access rate.
For example:
ProCurve(config-fr 1.101)# frame-relay fragment 100

The threshold is the fragment size in bytes. Valid fragment sizes are between 64 and 1600 bytes. Because fragmentation is not implemented by default, there is no default fragment size.
Configuring QoS for Ethernet

The ProCurve Secure Router allows you to apply rate limiting and QoS to Ethernet interfaces. These QoS mechanisms affect traffic passed through the router to the LAN.

Overview

You can configure these QoS mechanisms on Ethernet interfaces:
• rate limiting
...
Configuring QoS Policies on an Ethernet Interface

When you apply a QoS map to the interface, it can only draw on 75 percent of the maximum bandwidth set with the traffic-shape rate command. For example, Network 1, which is shown in Figure 8-8, uses VoIP and maintains a Web server.
You would enter these commands to configure the QoS policy:
ProCurve(config)# ip access-list extended WebTraffic
ProCurve(config-ext-nacl)# permit tcp any host 192.168.1.20 eq www
ProCurve(config-ext-nacl)# exit
ProCurve(config)# ip access-list extended RemoteTraffic
ProCurve(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 any
ProCurve(config)# qos map Outside 10
ProCurve(config-qos-map)# match ip rtp 16384 32764 all
ProCurve(config-qos-map)# priority 2000
...
Example: Configuring QoS for VoIP

You should now be able to configure QoS for specific applications. This section guides you through configuring QoS for VoIP on the Frame Relay network shown in Figure 8-9.
Enabling Application-Level Gateways for Applications with Special Needs

G.711 is an H.323 application, which handles VoIP traffic. The application may cause the VoIP traffic to behave differently from data traffic. For example, it sends VoIP traffic on one port and receives it on another port.
Although SIP can theoretically operate directly between two end users, in practice, SIP proxy and registrar servers are usually necessary. For example, a user’s SIP device needs certain information in order to invite a second user to open a call, or session.
You can configure various settings for the router’s registrar functions, including user authentication, expire times, and the registrar’s realm. Use these commands:
Syntax: ip sip registrar [authentication | default-expires <1-2592000> | max-expires <1-2592000>...
If the VoIP application cannot implement DiffServ or IP precedence, you can match packets according to their UDP RTP destination port. The documentation for your VoIP application should indicate this port. However, it can sometimes be difficult to determine the ports an application uses, because they can vary widely.
In this example, you would move to the Frame Relay interface and enter:
ProCurve(config-fr 1)# qos-policy out VoiceMap

Marking Signaling Traffic for Special Treatment

H.323 specifies that peers exchange signaling information to establish and maintain the call.
Match the map to the ACL and set the DiffServ value:
ProCurve(config-qos-map)# match list VoiceSignaling
ProCurve(config-qos-map)# set dscp 26

Finally, apply the entire QoS map to the Frame Relay interface:
ProCurve(config)# interface frame-relay 1
ProCurve(config-fr 1)# qos-policy out VoiceMap

Configuring Frame Relay Rate Limiting...
Configuring Frame Relay Fragmentation

It does not matter how much bandwidth you guarantee a queue if other frames clog up the interface when it is their turn to be transmitted. You should enable the interface to fragment large data frames to reduce serialization delay.

Monitoring QoS

Viewing QoS Maps

When monitoring QoS on the router, you should first eliminate problems arising from misconfigurations that result in the QoS policy not being applied to the traffic at all. The following are possible scenarios:
• Criteria were misconfigured—Examples include a miskeyed IP precedence value or misconfigured wildcard bits in an ACL.
You can modify a QoS map entry by entering its configuration mode context and reentering commands. You can delete a QoS map entry by entering:
Syntax: no qos map <mapname> [sequence number]
For example:
ProCurve(config)# no qos map VoiceMap 20
You can then reconfigure the map entry.
controls the amount of traffic passed to the lower-speed WAN interfaces. Rate limiting Ethernet traffic prevents the router from receiving and processing a great number of packets that it will only have to drop. The show queue command also displays the number of currently active conversations on an interface as well as the highest number of conversations ever active at once.
Using the percent remaining keywords helps to avoid this problem. The Secure Router OS allocates bandwidth from only that which remains after low-latency queues have been served. However, you can still make errors, so plan carefully before configuring the map.

Quick Start

Enable WFQ and set the threshold level for how many packets each subqueue can hold (between 16 and 512):
ProCurve(config-ppp 1)# fair-queue <packet threshold>

Configuring CBWFQ

If you plan to define classes according to the traffic’s source and destination IP address, you must create an extended ACL to select the network or networks that belong to a class.
Match the entry to the criterion for the class with one of the commands shown in Table 8-14. For example:
ProCurve(config-qos-map)# match list Network1

Table 8-14. QoS Map Criteria
Criteria | Match Command
ToS value—IP precedence | match precedence <0-7>
...
Assign the QoS map to the logical interface for the WAN connection on which you want to enable CBWFQ. For example:
ProCurve(config)# interface ppp 1
ProCurve(config-ppp 1)# qos-policy out Class

Configuring a Low-Latency Queue

Create a QoS map entry to define the queue.
You can also mark traffic placed in a low-latency queue with a ToS value. Use a set command from the QoS map entry for the queue. (See step 3 in “Marking Packets” on page 8-76.) If so desired, configure another queue.
Set the ToS value:
Syntax: set [dscp <0-63> | precedence <0-7>]
For example:
ProCurve(config-qos-map)# set dscp 34
If so desired, configure another entry to mark other packets.

Assign the QoS map to the logical interface that transmits the packets:
ProCurve(config)# interface ppp 1
ProCurve(config-ppp 1)# qos-policy out <mapname>...
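The following Python model, added here and not part of the guide or of the Secure Router OS, shows how the QoS map entries in this chapter classify a packet: entries are evaluated in ascending sequence number, the first matching criterion (match precedence, match dscp, match list <ACL>, match ip rtp <low> <high>) wins, and set precedence / set dscp rewrite the top 3 or top 6 bits of the ToS byte while priority places the packet in the low-latency queue. The packet and rule classes, the "queue" return value and the sample packets are constructed for the example; treating any UDP port in the RTP range as RTP is a simplification.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    sport: int = 0
    tos: int = 0          # the 8-bit ToS / DiffServ byte of the IP header

    @property
    def precedence(self) -> int:   # IP precedence: the top 3 bits of ToS
        return self.tos >> 5

    @property
    def dscp(self) -> int:         # DSCP: the top 6 bits of ToS
        return self.tos >> 2


@dataclass
class AclRule:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # "eq <port>"; None means any port


def acl_net(spec: str) -> ipaddress.IPv4Network:
    """Translate the ACL address forms used in this chapter: 'any',
    'host A.B.C.D' or 'A.B.C.D wildcard-bits' (contiguous wildcard only)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wild = spec.split()
    prefix = 32 - int(ipaddress.IPv4Address(wild)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    """First matching rule decides; a packet matching no rule is denied."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False


@dataclass
class QosEntry:
    seq: int
    match: Tuple          # ("precedence", n) | ("dscp", n) | ("list", acl) | ("rtp", lo, hi)
    actions: List[Tuple]  # ("set-precedence", n) | ("set-dscp", n) | ("priority", kbps)


def apply_qos_map(entries: List[QosEntry], acls: Dict[str, List[AclRule]], pkt: Packet) -> str:
    """Evaluate entries in ascending sequence number; the first entry whose
    criterion matches applies its actions and evaluation stops. Returns the
    queue the packet lands in: "priority" (low-latency) or "default"."""
    for e in sorted(entries, key=lambda e: e.seq):
        kind = e.match[0]
        if kind == "precedence":
            hit = pkt.precedence == e.match[1]
        elif kind == "dscp":
            hit = pkt.dscp == e.match[1]
        elif kind == "list":
            hit = acl_permits(acls[e.match[1]], pkt)
        elif kind == "rtp":   # simplification: any UDP port inside the range
            lo, hi = e.match[1], e.match[2]
            hit = pkt.proto == "udp" and (lo <= pkt.dport <= hi or lo <= pkt.sport <= hi)
        else:
            raise ValueError(f"unknown match criterion {kind}")
        if not hit:
            continue
        queue = "default"
        for act in e.actions:
            if act[0] == "set-precedence":   # rewrite bits 7-5, keep the rest
                pkt.tos = ((act[1] & 0x7) << 5) | (pkt.tos & 0x1F)
            elif act[0] == "set-dscp":       # rewrite bits 7-2, keep the ECN bits
                pkt.tos = ((act[1] & 0x3F) << 2) | (pkt.tos & 0x3)
            elif act[0] == "priority":
                queue = "priority"
        return queue
    return "default"


def voice_map_demo() -> dict:
    """Constructed packets run through the maps built in this chapter."""
    acls = {"VoiceSignaling": [AclRule("permit", "tcp", acl_net("any"), acl_net("any"), 5060),
                               AclRule("permit", "udp", acl_net("any"), acl_net("any"), 5060)]}
    voice_map = [QosEntry(10, ("rtp", 16384, 32764), [("priority", 2000)]),
                 QosEntry(20, ("list", "VoiceSignaling"), [("set-dscp", 26)])]
    internet = [QosEntry(10, ("precedence", 5), [("set-precedence", 3)])]
    rtp = Packet("10.1.1.5", "10.2.1.7", "udp", dport=20000, sport=20000)
    sip = Packet("10.1.1.5", "10.2.1.9", "tcp", dport=5060, sport=40000)
    web = Packet("10.1.1.6", "192.168.1.20", "tcp", dport=80, sport=40001)
    high = Packet("10.1.1.8", "10.9.9.9", "tcp", dport=443, tos=0xA0)   # precedence 5
    return {"rtp_queue": apply_qos_map(voice_map, acls, rtp),
            "sip_queue": apply_qos_map(voice_map, acls, sip),
            "sip_dscp": sip.dscp, "sip_precedence": sip.precedence,
            "web_queue": apply_qos_map(voice_map, acls, web), "web_dscp": web.dscp,
            "lowered": (apply_qos_map(internet, acls, high), high.precedence)}
```

Note that set dscp 26 also yields IP precedence 3, because the precedence bits are the top three bits of the DSCP field.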
Configuring QoS on an Ethernet Interface

Move to the Ethernet interface configuration mode context and enable rate limiting:
Syntax: traffic-shape rate <bps>
If you want the Ethernet interface to implement CBWFQ or low-latency queues, configure the QoS map as described above.
Network Monitoring
Overview

Network monitoring serves two functions:
• It tests and controls static and Dynamic Host Configuration Protocol (DHCP) routes.
• It tests network performance, logging when performance falls below a certain level.
For the ProCurve Secure Router, testing routes is the primary purpose of network monitoring.
Probe Characteristics

A probe is defined by these configurable characteristics:
• period—specifies the frequency at which the probe runs a test (that is, transmits a probe packet), for example, every 60 seconds
• tolerance—determines how many tests must fail before the probe as a whole is considered to have failed
• timeout—the length of time before a test is considered to have failed;...
Probe States

A probe configured on your ProCurve Secure Router is also defined by its state—either Pass or Fail. The state is determined by the number of tests that have failed, together with the tolerance setting. For example, you could configure the tolerance so that a probe fails when 9 out of 10 tests fail or when 20 tests in a row fail.
Purposes of Network Monitoring

Now that you understand how network monitoring works, you can learn about the services it provides to your WAN.

Testing Static Routes

A static route has a low administrative distance, based on the assumption that the person who created the route can vouch for its accuracy and preferred status.
[Figure 9-1. Two panels. Before failure: the local network server reaches the Internet through Eth 0/2 and a cable modem, the probe tests 10.1.4.12, and the routing table holds the key entry "0.0.0.0 /0 10.1.1.1 track remote", with an ISDN "demand 1" interface as backup. After failure: the probe fails and the routing table instead holds "0.0.0.0 /0 demand 1".]
The ProCurve Secure Router allows several types of probes to test routes. You can use ICMP echo probes to test simple connectivity to a remote device. Or, you can use TCP connect or HTTP probes to test connectivity to a particular application on a remote server.
Configuring Network Monitoring

connection, the track reinstates the failed primary route—only to remove the route again when the probes start to fail. Users lose their sessions as the connection toggles up and down. Use PBR to solve this problem. You configure a route map to forward probe packets along the route that the probe tests.
Configuring Probes

To configure a probe, you must complete these tasks:
• Create and name the probe and select its type.
• Specify the probe’s destination.
• Configure the probe’s tolerance.
• Activate the probe.
You can use the following default settings or your own custom settings:
• period—default: 60 seconds
• timeout—default: 1.5 seconds for ICMP, 10 seconds for TCP or HTTP
• source address—default: the outbound interface’s address
...
HTTP request—Use this probe type if you want to monitor a Web server. Like a TCP connect probe, the HTTP probe initiates a connection with the server, requiring the server to respond within a set time, after which the probe terminates the session.
Table 9-1. Well-known TCP Ports
Application | TCP Port
Border Gateway Protocol (BGP)
Daytime server
Domain Name System (DNS)
Hostname
Internet Relay Chat (IRC)
Kerberos login
Kerberos shell
Microsoft directory services (such as Active Directory)
Network News Transfer Protocol (NNTP)
Protocol Independent Multicast (PIM) Rendezvous Point (RP)
For example, a network administrator could enter this command to probe the company’s FTP server:
ProCurve(config-probe-FTPServer)# destination www.company_a.com port 21

For HTTP request probes, the default destination port is 80. If your server uses a different port, you can specify that. For example, if you want to specify port 8080, enter:
ProCurve(config-probe-WebServer)# destination www.company_a.com port 8080

Specifying the Test’s Timeout...
You can set the tolerance in one of two ways:
• consecutive failures—If a certain number of tests in a row fail, the probe fails. With this type of tolerance, the probe counts consecutive failures. Any time a test passes, the probe resets the count.
The valid range for failures is from 1 to 254, and the valid range for set size is from 1 to 255. The value for failures allowed within a set must, of course, be smaller than the value for the set size.

Specifying the Probe’s Period

The period determines how often the probe runs a test—that is, how often a probe packet is sent out.
Of course, you may not want to decrease the period too much, because probes add overhead to your network. Also, when you are testing for connectivity, you should set the tolerance for ICMP echo probes to at least 3 in order to compensate for routinely lost packets.
Special Considerations for Configuring Probes

The following sections list special considerations for ICMP echo probes, TCP connect probes, and HTTP request probes.

Special Considerations for ICMP Echo Probes

ICMP echo probes are used to test the current status of paths to particular networks or endpoints.
One reason to change the packet size is to test for fragmentation. Voice over IP (VoIP) frames require a route over which they will not be fragmented. You can test a link that you want to use for VoIP by creating an ICMP echo probe. Set the size for the probe to match the size of the payload of the VoIP frames (typically 20 to 160 bytes).
Special Considerations for TCP Connect Probes

TCP connect probes monitor TCP servers, which include, among others:
• email servers
• FTP servers
• Domain Name System (DNS) servers
• time servers
Therefore, it is important that you set the destination port for the service you are testing, as well as the device’s name or address.
Selecting the HTTP Request Type. You can choose from three types of requests:
• Get—An HTTP Get packet is the standard request sent to a Web server, and this is the default probe type. Because the probe sends the same type of request that a typical workstation would send, it is well-suited to testing a Web server’s actual performance.
Table 9-2. HTTP Response Status Codes
Response Class | Response Status Code
1xx—Informational (Request received, continuing process.) | 100: Continue; 101: Switching Protocols
2xx—Success (The action was successfully received, understood, and ...) | 200: OK; 201: Created; ...
...
5xx—Server Error (The server failed to fulfill an apparently valid request.) | 500: Internal Server Error; 501: Not Implemented; 502: Bad Gateway; 503: Service Unavailable; 504: Gateway Timeout; ...
Specifying the Web Server’s Absolute Path. Most Web servers use the default path: forward slash (/). However, some use a different path such as /home/index.htm. You do not want a test to fail because the probe sent a faulty request.
Be careful when configuring raw strings. The CLI does not stop you from inputting incorrect commands. You can use raw HTTP probes to submit information to the remote Web server. For example, you might want to notify the remote network whether the router is currently using a primary or a backup link.
To shut down the probe again (returning it to a perpetual Pass status), enter:
Syntax: shutdown

Configuring Tracks

A track can monitor:
• remote devices, such as a main office’s or service provider’s router
• servers running a TCP application
• Web servers
Without network monitoring, the router has no means for detecting when a static route fails at a remote point.
For a track that monitors the route to one of the subnets at your company’s branch office in Grenoble, you might enter:
ProCurve(config)# track Grenoble2
In either case, you move into the network monitor track configuration mode context, and the prompt reflects this change:
ProCurve(config-track-MyWebServer)#
You can configure multiple tracks, even in the hundreds.
To specify one probe, from the network monitor track configuration mode context, enter:
Syntax: test probe <name>
Replace <name> with the probe’s name, which is case sensitive. To specify two probes, of which both must pass for the track to pass, enter:
Syntax: test probe <name>...
A dampening interval configures a track to delay its state change in response to its probes’ state changes. For example, a dampening interval of 10 seconds forces a track to stay in the Pass state for 10 seconds after the associated probe fails.
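The following Python model, added here and not part of the guide or of the Secure Router OS, ties together the tolerance modes from "Specifying the Probe's Tolerance" (consecutive failures and rate-of-failure <failures> <set size>, with the 1-254 / 1-255 ranges) and the track behaviour described in this section (one probe, or two probes combined with "and" or "or", plus a dampening interval). Class and method names, the 5-second period and the test results are constructed; the model assumes a probe starts in Pass and re-evaluates its state after every test, which the guide does not spell out.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple


class Probe:
    """One probe with either tolerance mode. Assumption: the probe starts in
    Pass and re-evaluates its state after every test result."""

    def __init__(self, name: str, mode: str, failures: int, set_size: int = 0):
        self.name, self.mode, self.failures = name, mode, failures
        if mode == "rate-of-failure":
            if not (1 <= failures <= 254 and 1 <= set_size <= 255 and failures < set_size):
                raise ValueError("failures 1-254, set size 1-255, failures < set size")
            self.window: Deque[bool] = deque(maxlen=set_size)   # last <set size> results
        elif mode != "consecutive-failures":
            raise ValueError(f"unknown tolerance mode {mode}")
        self.consecutive = 0
        self.state = "Pass"
        self.tests_run = self.failed = 0          # the counters 'show probe' reports

    def record(self, passed: bool) -> str:
        """Feed one test result and return the probe state afterwards."""
        self.tests_run += 1
        self.failed += 0 if passed else 1
        if self.mode == "consecutive-failures":
            self.consecutive = 0 if passed else self.consecutive + 1   # a pass resets the count
            failing = self.consecutive >= self.failures
        else:
            self.window.append(not passed)
            failing = sum(self.window) >= self.failures   # N failures within the last set
        self.state = "Fail" if failing else "Pass"
        return self.state


class Track:
    """A track over one or two probes ('and' / 'or') with a dampening interval
    in seconds: the probes' combined state must hold for the whole interval
    before the track changes state."""

    def __init__(self, name: str, probes: List[Probe], op: str = "and", dampening: int = 0):
        self.name, self.probes, self.op, self.dampening = name, probes, op, dampening
        self.state = "Pass"
        self.pending: Optional[Tuple[str, float]] = None   # (target state, first seen at)
        self.log: List[str] = []                            # what log-changes would record

    def probes_state(self) -> str:
        results = [p.state == "Pass" for p in self.probes]
        return "Pass" if (all(results) if self.op == "and" else any(results)) else "Fail"

    def evaluate(self, now: float) -> str:
        target = self.probes_state()
        if target == self.state:
            self.pending = None
            return self.state
        if self.pending is None or self.pending[0] != target:
            self.pending = (target, now)
        if now - self.pending[1] >= self.dampening:
            self.log.append(f"{now:.0f}s: track {self.name} {self.state} -> {target}")
            self.state, self.pending = target, None
        return self.state


def ftp_scenario() -> dict:
    """Constructed run of the FTPServers example: FTPServer1 uses consecutive
    failures 3, FTPServer2 uses rate-of-failure 9 10, the track passes while
    either probe passes (test probe FTPServer1 or probe FTPServer2) and has a
    10 s dampening interval. Both servers go down for 12 periods of 5 s."""
    p1 = Probe("FTPServer1", "consecutive-failures", 3)
    p2 = Probe("FTPServer2", "rate-of-failure", 9, 10)
    track = Track("FTPServers", [p1, p2], op="or", dampening=10)
    results = [True] * 3 + [False] * 12 + [True] * 3
    timeline, p1_fail_at = [], None
    for i, ok in enumerate(results):
        now = i * 5.0
        p1.record(ok)
        p2.record(ok)
        if p1.state == "Fail" and p1_fail_at is None:
            p1_fail_at = now
        timeline.append((now, p1.state, p2.state, track.evaluate(now)))
    return {"timeline": timeline, "log": track.log, "p1_fail_at": p1_fail_at,
            "p2_tests_run": p2.tests_run, "p2_failed": p2.failed}
```

The run shows why the two tolerance modes differ: the consecutive-failures probe fails after the third lost test, while the 9-of-10 probe needs nine failures in its window, and the track only follows once both have failed and the dampening interval has elapsed.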
To enable the track to log changes, from the network monitor track configuration mode context, enter:
Syntax: log-changes
The log-changes command is like the show events command: it displays in the running-config file, and (as long as you save this configuration to the startup-config file) it persists when the ProCurve Secure Router is rebooted.
To shut down a track, from the network monitor track configuration mode context, enter:
Syntax: shutdown
To reactivate the track, enter:
Syntax: no shutdown

Configuring the Track’s Action—Associating the Track with a Route

When you use network monitoring to control routes, you must associate a track with a route.
If your router does not know an alternate route for the traffic, at least the traffic does not consume any of the relatively limited bandwidth on a WAN connection. You associate a route with a track with the same command with which you create the route.
These interfaces include:
• Frame Relay subinterfaces
• ATM subinterfaces
• Ethernet interfaces
• PPP interfaces (only when bridging traffic)
The command for activating the client includes a variety of options; you can use any of the options with the track option (except no-default-route because, of course, the router cannot monitor the route if the interface does not accept it at all).
See the Basic Management and Configuration Guide, Chapter 6: Configuring the Data Link Layer Protocol for E1, T1, and Serial Interfaces and the Basic Management and Configuration Guide, Chapter 8: Configuring Demand Routing for Primary ISDN Modules for more information. Just as a DHCP server can send a default route, the far end of the PPP connection can also send a default route with the IP address.
[Figure 9-3. The router reaches a remote network over ppp 1 to the Internet, with ISDN "demand 1" as backup. Probe packets are steered by a route map ("match ip address probe", "set interface ppp 1 null 0") whose ACL is "permit icmp any host 10.1.1.1"; on failure the routing table holds "10.1.0.0 /16 demand 1".]
Set the forwarding interface to match the forwarding interface in the route that the probe tests. Remember to add the null interface at the end of the command so that the router will drop probes that it cannot forward on the correct interface.
To solve this problem, you must create two statements in the ACP that implements NAT. One statement translates source addresses to an address allowed by your primary ISP, and the second translates to an address allowed by your secondary ISP.
Create an ACP for the primary WAN interface. From the global configuration mode context, enter:
Syntax: ip policy-class <policyname>
Allow the ACL that selects traffic permitted on the primary WAN interface. From the policy class configuration mode context, enter:
Syntax: allow list <listname>...
If you have not set up NAT, you must complete these steps:
Create ACLs:
• one ACL to select traffic permitted on the primary interface
• one ACL to select traffic permitted on the secondary interface
• ...
Examples of Network Monitoring

This section provides examples of how you can configure probes and tracks to:
• monitor connectivity to the Internet and initiate a backup connection should the primary connection fail
• monitor static routes to remote networks and initiate a backup connection should the primary route fail
• monitor connectivity to a mission-critical remote server
• monitor network congestion and the performance of TCP servers, such...
[Figure 9-4. Two panels. Before failure: the local network reaches the Internet through Eth 0/2 and a cable modem, the probe tests www.procurve.com, and the routing table holds the key entry "0.0.0.0 /0 10.1.1.1 track PrimaryInternet", with ISDN "demand 1" as backup. After failure: the routing table instead holds "0.0.0.0 /0 demand 1".]
Configure PBR for the probe traffic.
ProCurve(config)# ip access-list extended MatchPing
ProCurve(config-ext-nacl)# permit icmp any hostname www.procurve.com
ProCurve(config-ext-nacl)# exit
ProCurve(config)# route-map Probes 10
ProCurve(config-route-map)# match ip address MatchPing
ProCurve(config-route-map)# set interface eth 0/2 null 0
ProCurve(config-route-map)# exit
ProCurve(config)# ip local policy route-map Probes

Configure NAT.
Monitor Static Routes to Remote Networks

In this scenario, Company A maintains a large central office and several branch offices. Each branch office connects to the central office through an Asymmetric Digital Subscriber Line (ADSL) connection, and the central office routes traffic among these offices.
Follow these steps:
Configure one ICMP echo probe for each branch office LAN. Because you are testing connectivity, set the tolerance to consecutive failures, and set the timeout and tolerance high enough to ensure that congestion is not interpreted as a failed connection.
Configure PBR for the probe traffic. In this case, the probes test routes that use the same forwarding interface, so you can create a single route map entry:
ProCurve(config)# ip access-list extended ProbeBranch
ProCurve(config-ext-nacl)# permit icmp any host 10.2.1.1
ProCurve(config-ext-nacl)# permit icmp any host 10.3.1.1
ProCurve(config-ext-nacl)# exit
ProCurve(config)# route-map Probes 10...
This scenario requires a single track, which will test whether the connection exists to at least one of the FTP servers. If the track fails, it removes the primary route to the headquarters. The ISDN connection initiates the next time that interesting traffic (which you could define as any traffic or as traffic destined to the FTP servers) arrives on the demand interface.
Configure the track.
ProCurve(config)# track FTPServers
ProCurve(config-track-FTPServers)# test probe FTPServer1 or probe FTPServer2
ProCurve(config-track-FTPServers)# dampening-interval 10
ProCurve(config-track-FTPServers)# log-changes
ProCurve(config-track-FTPServers)# exit

Configure routes. Enable the track to monitor the primary route.
ProCurve(config)# ip route 0.0.0.0 /0 ppp 1
ProCurve(config)# ip route 10.1.0.0 /16 ppp 1 track FTPServers
ProCurve(config)# ip route 10.1.0.0 /16 demand 1 20

Configure PBR for the probes.
ProCurve(config)# ip policy-class NATInside
ProCurve(config-policy-class)# nat source list MatchAllPrimary interface ppp 1 overload policy Primary
ProCurve(config-policy-class)# nat source list MatchAllBackup interface ppp 1 overload policy Backup
ProCurve(config)# interface ethernet 0/1
ProCurve(config-eth 0/1)# access-policy NATInside
ProCurve(config-eth 0/1)# exit

Monitor Network Congestion and the Performance of Servers

In this scenario, you want to monitor congestion at two often-used and mission-critical remote servers.
ProCurve(config-probe-OptimalEmail)# timeout 500
ProCurve(config-probe-OptimalEmail)# tolerance rate-of-failure 4 10
ProCurve(config-probe-OptimalEmail)# no shutdown
ProCurve(config-probe-OptimalEmail)# exit
ProCurve(config)# probe MinimalEmail tcp-connect
ProCurve(config-probe-MinimalEmail)# destination www.mycompany.com port 25
ProCurve(config-probe-MinimalEmail)# timeout 2500
ProCurve(config-probe-MinimalEmail)# tolerance rate-of-failure 14 16
ProCurve(config-probe-MinimalEmail)# no shutdown
ProCurve(config-probe-MinimalEmail)# exit

Configure the tracks that monitor changes in performance.
This scenario requires three probes:
• Ping monitors connectivity to the Internet.
• HTTPPrimary informs the Web server when the router is using the primary link.
• HTTPBackup informs the Web server when the router is using the backup link.
ProCurve(config)# probe HTTPSecondary http-request
ProCurve(config-probe-HTTPSecondary)# destination 10.5.4.20
ProCurve(config-probe-HTTPSecondary)# source-port 5151
ProCurve(config-probe-HTTPSecondary)# type raw
ProCurve(config-probe-HTTPSecondary)# raw-string
#GET /log.php?hostname=$SYSTEM_NAME&serial=$SYSTEM_SERIAL_NUMBER&link=Backup HTTP/1.0
#\r\n
#\r\n
#exit
ProCurve(config-probe-HTTPSecondary)# period 300
ProCurve(config-probe-HTTPSecondary)# tolerance consecutive-failures 3
ProCurve(config-probe-HTTPSecondary)# no shutdown
ProCurve(config-probe-HTTPSecondary)# exit

Configure a track to monitor the connection to the headquarters and to control the default route received from the ISP.
ProCurve(config-route-map)# set interface demand 1 null 0
ProCurve(config-route-map)# exit
ProCurve(config)# ip local policy route-map Probes

Modify the ACL that selects Interesting traffic for demand routing so that the HTTPSecondary probe does not bring the ISDN link up. For example, enter:
ProCurve(config)# ip access-list extended Interesting
ProCurve(config-ext-nacl)# deny tcp any eq 5151 host 10.5.4.20 eq www...
Viewing Network Monitor Tracks and Probes

Network monitoring automates the process of testing network and server performance. However, nothing can relieve you of the necessity of viewing the results of these tests and taking appropriate action. When you enable a track to log changes in probe status, the track automatically displays those logs to the terminal screen, as well as saving them to the event history.
Viewing the track in real time shows moment-to-moment changes:
Syntax: show track <name> realtime
You can view the entire configuration for all tracks configured on the ProCurve Secure Router by entering this enable mode command:
Syntax: show running-config track [verbose]
Use the verbose option to see all commands, including default settings that you have not altered.
• Timeout—the time (in milliseconds) that a test has in which to pass
• Hostname or IP address—the probe’s destination
• Tracked by—the tracks that use the probe to monitor the network
• Tests run—the total number of tests run since statistics were last cleared
• Failed—the total number of failures since statistics were last cleared
• Time in current state—listed in days, hours, minutes, and seconds
As for tracks, you can view the entire configuration of all probes configured...
Troubleshooting Network Monitoring

Table 9-6. Network Monitoring clear Commands
Command | Clears
clear counters probe | for all probes: • number of tests run • time in current state
clear counters probe <name> | for the specified probe: • number of tests run • ...
Reasons for this problem include:
• Track not associated with a route—Check which routes the track is monitoring with the show track <name> command. If the track is not monitoring any routes, it cannot remove a failed route. You must enter the track option with one of these commands:
  • ...
• Incorrect probe destination—View a probe (show probe <name>) and check for a miskeyed destination address or hostname, which would cause the probe to fail when it should pass.
• Inappropriate timeout and tolerance settings—You might find that you need to adjust a probe’s timeout or tolerance settings to account for normal network congestion.
Failed Primary Route Periodically Reappears in the Routing Table

A primary connection fails; network monitoring detects the failure and removes the primary route. A backup connection becomes active, and traffic once again reaches its destination. A minute or two later, the router begins dropping traffic again.
Quick Start

This section contains the commands that you must enter to quickly configure network monitoring to control static and DHCP routes. Only minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 9-1 to locate the section that contains the explanation you need.
Next configure a track:
Create the track and specify its name.
Syntax: track <name>
Specify the probe for the track.
• Specify one probe.
Syntax: test probe <name>
• Specify two probes, both of which must pass for the track to pass.
Syntax: test probe <name>...
Next, configure PBR to specify the route for probe packets. The ProCurve Secure Router should, of course, always forward these packets along the route that the probe is testing:
11. Create an extended ACL to select traffic associated with each probe:
Syntax: ip access-list extended <listname>...
19. Create an ACL to select incoming traffic permitted on the primary connection. From the global configuration mode context, enter:
Syntax: ip access-list standard <listname>
Syntax: [permit | deny] [any | host {<A.B.C.D> | hostname <hostname>} | <A.B.C.D>...
26. Create a second NAT statement:
• Specify the ACL that you configured for local traffic.
• Specify the backup WAN interface or an IP address valid for the backup connection.
• Specify the ACP for traffic on the primary interface.
Syntax: nat source list <listname>...
Virtual Private Networks
Overview

When your organization leases dedicated lines to establish a WAN, it is guaranteed a secure, private connection. Your organization controls what networks can access the private lines. However, leasing private lines can be costly. When you establish a WAN through the Internet, you capitalize on pre-existing public connections to link networks with a minimum of expense.
IPSec Headers

Operating on the Network Layer of the Open Systems Interconnection (OSI) model, IPSec authenticates the endpoints of a tunnel by encapsulating an IP packet with an IPSec header. The IPSec header is an Authentication Header (AH), an Encapsulating Security Payload (ESP) header, or both.
Virtual Private Networks Overview IPSec tunnel mode, which acts at the Network Layer (Layer 3), allows a gateway device (such as a router) to provide IPSec support for many hosts. The router receives a packet already encapsulated with an IP header. It then encapsulates the IP packet with an IPSec header, adding a new IP header to direct the packet to the location where it will be processed.
Virtual Private Networks Overview IPSec VPN Tunnels A private WAN connection physically defines the path between two hosts over which data can be transmitted. Only authorized hosts can exchange data because only authorized hosts have access to the physical media that transmit the data.
Defining an SA Manually. You can define the IPSec SA yourself, specifying the algorithms to be used to secure data, defining the SA’s SPI, and inputting the actual keys. (See “Configuring a VPN using IPSec with Manual Keying” on page 10-64.) However, because this method of configuration is relatively insecure and complex, ProCurve Networking does not recommend it.
Key generation. You will recall that an algorithm is simply the set method for transforming data using a key. The key is what actually defines and secures the tunnel and it must be unique. When you use IKE, however, you only need to configure the algorithms IKE proposes in the first exchange.
[Figure 10-2. IKE Phase 1 Authentication. The figure shows two routers exchanging messages across the Internet: security proposals for the IKE SA and the matching proposal; both compute a Diffie-Hellman public value and exchange them; both compute the encryption and authentication keys; then each sends its authentication information (encrypted).]
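As an added illustration of the exchange in Figure 10-2 (this is example code, not code from the guide or from the Secure Router OS), the following Python runs both sides of IKE phase 1's Diffie-Hellman step using group 2, which is the 1024-bit MODP prime and generator 2 from RFC 2409, and then derives the authentication and encryption keys the figure refers to using the SKEYID construction RFC 2409 gives for signature-based authentication, with HMAC-SHA-1 as the pseudo-random function. The nonces and cookies are constructed sample values, and the ISAKMP message framing around the exchange is not modelled.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# IKE Diffie-Hellman group 2 (the "group 2" option of the IKE attribute policy):
# the 1024-bit MODP prime and generator 2 defined in RFC 2409.
GROUP2_PRIME = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_GENERATOR = 2
GROUP2_BYTES = (GROUP2_PRIME.bit_length() + 7) // 8  # 128 bytes per public value


def new_private_value() -> int:
    """Fresh random exponent; a real implementation never reuses it across IKE SAs."""
    return secrets.randbelow(GROUP2_PRIME - 3) + 2


def dh_public_value(private: int) -> int:
    """The value each router sends in the 'Diffie-Hellman public value' message."""
    return pow(GROUP2_GENERATOR, private, GROUP2_PRIME)


def dh_shared_secret(peer_public: int, private: int) -> bytes:
    """g^xy as a fixed-width big-endian byte string.

    The range check rejects degenerate public values (0, 1, p-1) that would
    force the shared secret into a tiny, predictable set."""
    if not 1 < peer_public < GROUP2_PRIME - 1:
        raise ValueError("peer Diffie-Hellman public value out of range")
    return pow(peer_public, private, GROUP2_PRIME).to_bytes(GROUP2_BYTES, "big")


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated hash algorithm (SHA here) used as a keyed PRF, per RFC 2409."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_ike_keys(gxy: bytes, nonce_i: bytes, nonce_r: bytes,
                    cookie_i: bytes, cookie_r: bytes) -> Dict[str, bytes]:
    """SKEYID derivation for the signature authentication methods (RFC 2409 section 5):
    SKEYID   = prf(Ni | Nr, g^xy)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)   -> material for IPSec keys
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)   -> authentication key
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)   -> encryption key"""
    skeyid = prf(nonce_i + nonce_r, gxy)
    skeyid_d = prf(skeyid, gxy + cookie_i + cookie_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cookie_i + cookie_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cookie_i + cookie_r + b"\x02")
    return {"derive": skeyid_d, "auth": skeyid_a, "enc": skeyid_e}


def phase1_exchange(priv_i: int, priv_r: int, nonce_i: bytes, nonce_r: bytes,
                    cookie_i: bytes, cookie_r: bytes) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Run both routers of Figure 10-2 and return (initiator keys, responder keys).
    Each side only ever sees the other side's public value, never its private exponent."""
    pub_i = dh_public_value(priv_i)
    pub_r = dh_public_value(priv_r)
    keys_i = derive_ike_keys(dh_shared_secret(pub_r, priv_i), nonce_i, nonce_r, cookie_i, cookie_r)
    keys_r = derive_ike_keys(dh_shared_secret(pub_i, priv_r), nonce_i, nonce_r, cookie_i, cookie_r)
    return keys_i, keys_r


if __name__ == "__main__":
    # Constructed sample nonces and cookies; private values drawn fresh each run.
    ki, kr = phase1_exchange(new_private_value(), new_private_value(),
                             b"NI" * 8, b"NR" * 8, b"\x01" * 8, b"\x02" * 8)
    print("both sides derived the same keys:", ki == kr)
    print("encryption key:", ki["enc"].hex())
```

The point the figure makes, and the code preserves, is that the keys themselves never cross the Internet: only the two public values do, and each router combines the peer's public value with its own private exponent. The range check in `dh_shared_secret` is the kind of input validation a receiver should apply to any public value it accepts.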
When authenticating itself, a host sends a certificate containing its identification information, its public key, and its CA’s digital signature. The host then appends its own digital signature to the certificate, which it generates by hashing the certificate and encrypting it with its private key.
Table 10-1. IKE Phase 1 Exchanges IKE Phase 1 Exchange Message Includes You Must Configure Reference security proposal • hash algorithm IKE attribute policy page 10-28 • encryption algorithm • authentication method • Diffie-Hellman group • IKE SA lifetime Diffie-Hellman key public value —...
Table 10-2. IKE Phase 2 Exchanges IKE Phase 2 Exchange Message Includes You Must Configure Reference security proposal • one to three • transform set page 10-40 algorithms: containing the algorithm(s) – AH hash • crypto map entry –...
Virtual Private Networks Physical Setup GRE tunnels are commonly used to send multicasts through a network (such as the Internet) that cannot route multicast messages. For example, routing protocols such as RIP v2 and OSPF send multicast updates. A tunnel can encapsulate the updates and carry them through the network that does not support multicasts.
Virtual Private Networks Configuring a VPN Using IPSec Configuring a VPN Using IPSec In order to establish a VPN connection, you must define how the IPSec SA is to be negotiated and with what peers. The IPSec SA can be created either manually or using IKE.
Table 10-3. Policies for IKE Phase 1: IKE SA Establishment *Must Match Peer Parameter Options Default Configured in Reference *hash algorithm • MD5 IKE attribute policy page 10-28 • SHA *encryption algorithm •...
Refer to Table 10-5 for a summary of how you configure security policies for the IPSec SA. You do not have to specify the same algorithms and other options for the IKE SA and the IPSec SA. However, you must be sure to configure IPSec proposals that match your peer’s.
Table 10-6. Authorized Peer ID Parameter Options Default Configured in Reference peer ID (for establishing • public IP address (site-to- no default • IKE policy page 10-24 communications) site) • crypto map entry page 10-42 •...
Table 10-7. Configuring VPN Traffic Parameter Options Default Configured in Reference Local network(s) subnet (IP range indicated by No default extended ACL permit page 10-35 wildcard bits) statement (source IP) Remote network(s) subnet (IP range indicated by No default extended ACL permit...
Table 10-9. Inbound and Outbound Manually Configured Keys Parameter Options Default Configured in Reference key protocol • AH no default crypto map, set session-key page 10-64 command • ESP 256 to 4294967295 no default crypto map, set session-key page 10-64...
matches the packet already exists, then the router secures the packet with the keys contained in the SA, inserts the associated SPI, and forwards the packet to its destination. [Figure: a VPN tunnel between two routers across the Internet, with a crypto map applied on each router]...
If the packet does not match an active IPSec SA, then the ProCurve Secure Router looks up the IKE policy associated with the peer specified in the entry. It uses this policy to initiate IKE with the peer, establish an IKE SA, and negotiate an IPSec SA to secure the packet.
Configuration Tasks In order to configure a VPN connection using IKE, you must:
enable crypto commands
configure an IKE policy
configure an IKE attribute policy
add an entry for the peer in a remote ID list
configure a transform set
specify VPN traffic in an ACL
configure a crypto map entry...
You can also alter the default settings for: initiate mode response mode IKE SA security parameters stored in the attribute policy, including: • hash algorithm • encryption algorithm • Diffie-Hellman group • authentication method To begin configuring an IKE policy, enter this command from the global configuration mode context:...
[Figure 10-4. Peer ID. The figure shows Local Router and Peer Router connected across the Internet, the peer reachable at 10.2.2.2, with two LANs at each site (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24).] To configure Local Router shown in Figure 10-4, you should enter: ProCurve(config-ike)# peer 10.2.2.2 Even in a VPN with several sites, your ProCurve Secure Router creates an individual VPN tunnel to each site.
Client-to-Site Configuration. A client-to-site VPN connects mobile users (such as telecommuters) to a private network through the individual users’ Internet connection. It would not be feasible for you to configure a peer ID for each mobile user, even if they all had static IP addresses.
Site-to-Site Configuration. Typically, you can leave the initiate and respond modes at their defaults. However, if the remote router takes a dynamic address, the local router cannot initiate IKE. To prevent the router from initiating IKE, enter: ProCurve(config-ike)# no initiate Conversely, if the WAN interface on your ProCurve Secure Router has a dynamic address, it must initiate IKE.
Client-to-Site Configuration. The router cannot initiate IKE with mobile users in a client-to-site configuration. Enter the following command: ProCurve(config-ike)# no initiate Setting the respond mode to main can cause problems in a client-to-site VPN: main mode requires the peer to use an IP address for its ID, but you may need to use a different type of ID for mobile users.
The attribute policy is accessible only to the IKE policy in which you configure it. This means that you cannot assume IKE can propose parameters to one peer that you have configured for another peer. Table 10-12.
stronger security parameters. The policy for the mobile clients would include a higher-priority attribute policy for the preferred security parameters, but also an attribute policy with lower security options. [Figure: IKE SA proposals for mobile users; the labels IKE SA, Mobile Users, Proposals for mobile users and 10.2.2.1 survive from the figure]...
Configure the high-security IKE SA proposals in an attribute policy: ProCurve(config-ike)# attribute 10 ProCurve(config-ike-attribute)# authentication dss-sig ProCurve(config-ike-attribute)# encryption 3des ProCurve(config-ike-attribute)# lifetime 240 ProCurve(config-ike-attribute)# group 2 Configure a second set of IKE SA proposals for mobile users in a lower priority (higher index) attribute policy: ProCurve(config-ike-attribute)# attribute 20 ProCurve(config-ike-attribute)# authentication dss-sig...
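To make the priority rule concrete, here is an added Python model (example code, not the Secure Router OS's implementation) of how a responder with the two attribute policies above picks a proposal: it walks the policies in index order, lowest index first, and accepts the first whose parameters all match the peer's, returning nothing when none matches, which is the situation the NO_PROPOSAL_CHOSEN debug message in the troubleshooting section reports. The hash algorithms in the constructed policies are assumed, since the excerpt above does not show them, and the report function is the same comparison of remote against local settings that Table 10-28 asks you to do by hand.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The IKE SA security parameters an attribute policy carries (hash, encryption,
# Diffie-Hellman group, authentication method).
PARAMS = ("authentication", "encryption", "hash_alg", "group")


@dataclass(frozen=True)
class IkeAttributePolicy:
    index: int            # lower index = higher priority
    authentication: str   # e.g. dss-sig, rsa-sig, pre-share
    encryption: str       # e.g. des, 3des, aes-128-cbc
    hash_alg: str         # md5 or sha
    group: int            # Diffie-Hellman group 1 or 2

    def as_dict(self) -> Dict[str, object]:
        return {p: getattr(self, p) for p in PARAMS}


# Constructed to mirror attribute 10 and attribute 20 above; the hash values are
# assumed because the excerpt omits them.
LOCAL_POLICIES = [
    IkeAttributePolicy(10, "dss-sig", "3des", "sha", 2),
    IkeAttributePolicy(20, "dss-sig", "des", "md5", 1),
]


def by_priority(policies: List[IkeAttributePolicy]) -> List[IkeAttributePolicy]:
    return sorted(policies, key=lambda p: p.index)


def mismatches(policy: IkeAttributePolicy, proposal: Dict[str, object]) -> List[str]:
    """Names of the parameters on which a local policy and a peer proposal differ."""
    local = policy.as_dict()
    return [p for p in PARAMS if local[p] != proposal.get(p)]


def select_attribute_policy(policies: List[IkeAttributePolicy],
                            proposal: Dict[str, object]) -> Optional[IkeAttributePolicy]:
    """First policy, in priority order, that fully matches the peer's proposal.
    None means the negotiation would fail with NO_PROPOSAL_CHOSEN."""
    for policy in by_priority(policies):
        if not mismatches(policy, proposal):
            return policy
    return None


def negotiation_report(policies: List[IkeAttributePolicy],
                       proposal: Dict[str, object]) -> Dict[int, List[str]]:
    """For each local policy index, the parameters that kept it from matching.
    An empty list marks a policy that would have been accepted."""
    return {p.index: mismatches(p, proposal) for p in by_priority(policies)}


if __name__ == "__main__":
    # Constructed peer proposals: a mobile user offering only the weaker options,
    # and one whose encryption the local policies do not offer at all.
    weak_peer = {"authentication": "dss-sig", "encryption": "des", "hash_alg": "md5", "group": 1}
    unsupported_peer = {"authentication": "dss-sig", "encryption": "aes-128-cbc", "hash_alg": "sha", "group": 2}
    print("weak peer gets policy:", select_attribute_policy(LOCAL_POLICIES, weak_peer))
    print("unsupported peer:", select_attribute_policy(LOCAL_POLICIES, unsupported_peer))
    print("why:", negotiation_report(LOCAL_POLICIES, unsupported_peer))
```

Running `negotiation_report` against a proposal captured from the debug output is a quick way to see which of the four parameters is the actual mismatch before changing a policy, rather than loosening several settings at once.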
If the peers discover NAT, then they encapsulate packets in a UDP/IP header. The peer behind the NAT device should also send a one-byte UDP packet that ensures that it keeps the same NAT assignment for the duration of the VPN tunnel.
Table 10-13. Remote ID Types Remote ID Type Example (Figure 10-6) Wildcard Command Syntax IP address 10.1.20.1 10.1.0.0 0.0.255.255 crypto ike remote-id address <A.B.C.D> <wildcard bits> domain name siteb.procurve.com *procurve.com crypto ike remote-id fqdn <domain name>...
You should identify the peer in the way most supported by your organization’s policies. You can also use the wildcard character (*) to ease configuration. For example, if you are connecting multiple sites that all use your organization’s domain name, you might want to enter an FQDN that consists of a wildcard character and your organization’s domain name so that you only have to enter one command.
If peers’ digital certificates use ASN-DNs, you must enter the fields exactly as they are in the certificate. You can use the wildcard character (*) for some of the fields. See Table 10-13 on page 10-33 for the command syntax for specifying the remote ID.
Extended ACLs allow you to select traffic according to its source and destination IP address (among other fields in the IP header). To create an ACL that selects traffic transmitted between two networks, enter the following command: Syntax: ip access-list extended <listname>...
Permitting Local and Remote Networks You will need to add a permit statement specifying each local network allowed to access the VPN tunnel as the source IP address. The destination depends on the type of VPN. Note: The IP addresses selected by the ACL must match the peer’s configuration exactly.
To permit traffic from Site A to Site B, you enter: ProCurve(config-ext-nacl)# permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255 You can also use wildcard bits to include only part of a subnet, according to the topology of your VPN.
Example Configuration Figure 10-7 illustrates a VPN between two remote sites, each of which includes two LANs. At Site B, only one LAN is allowed in the VPN. At Site A, independent on-site contractors have been assigned addresses in VLAN 99—192.168.2.192 to 192.168.2.223.
pass through the WAN interface and so receive the router’s public IP address. However, only traffic from local private networks can access the VPN tunnel, so the traffic cannot reach its destination. You can force all traffic sent to a server to use the IP address of the LAN interface so that it can access the remote VPN site.
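Wildcard bits are the part of these permit statements that is easiest to get wrong, and the troubleshooting section later says to review the ACL for exactly that. The following added Python (example code, not from the guide) applies the router's wildcard rule to an address, shows the address span a base/wildcard pair selects, and evaluates the Site A to Site B statement above against sample traffic; it also computes the span for the contractor range in VLAN 99, which needs the partial-subnet wildcard 0.0.0.31 (a value inferred from the 192.168.2.192 to 192.168.2.223 range, not one the page states). The `mirror_statement` helper and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Tuple

ALL_ONES = 0xFFFFFFFF


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Router ACL wildcard rule: a 0 bit in the wildcard must equal the base,
    a 1 bit is ignored (the opposite sense of a subnet mask)."""
    care = ~_as_int(wildcard) & ALL_ONES
    return (_as_int(address) & care) == (_as_int(base) & care)


def wildcard_span(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a base/wildcard pair selects. With a contiguous
    wildcard (the normal case) every address in between is selected as well."""
    wild = _as_int(wildcard)
    low = _as_int(base) & (~wild & ALL_ONES)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | wild))


def parse_permit_ip(statement: str) -> Dict[str, Tuple[str, str]]:
    """Parse the subnet form: permit ip <src A.B.C.D> <wildcard> <dst A.B.C.D> <wildcard>."""
    tokens = statement.split()
    if len(tokens) != 6 or tokens[:2] != ["permit", "ip"]:
        raise ValueError("expected: permit ip <src> <src wildcard> <dst> <dst wildcard>")
    for addr in tokens[2:]:
        ipaddress.IPv4Address(addr)  # raises on a miskeyed address or wildcard
    return {"src": (tokens[2], tokens[3]), "dst": (tokens[4], tokens[5])}


def ace_selects(ace: Dict[str, Tuple[str, str]], src: str, dst: str) -> bool:
    """Would this permit statement send a src -> dst packet into the VPN tunnel?"""
    return wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])


def mirror_statement(statement: str) -> str:
    """The statement with source and destination swapped: the form the remote site
    would configure so that both ends select the same addresses (constructed helper)."""
    ace = parse_permit_ip(statement)
    return "permit ip %s %s %s %s" % (ace["dst"] + ace["src"])


if __name__ == "__main__":
    site_a_to_b = "permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255"
    ace = parse_permit_ip(site_a_to_b)
    print("Site A host to Site B host:", ace_selects(ace, "10.1.3.77", "10.1.20.9"))
    print("reverse direction on the same ACE:", ace_selects(ace, "10.1.20.9", "10.1.3.77"))
    print("contractor VLAN 99 span:", wildcard_span("192.168.2.192", "0.0.0.31"))
    print("peer's statement:", mirror_statement(site_a_to_b))
```

Note that the wildcard is not a subnet mask: 0.0.15.255 selects a /20, and 0.0.0.31 selects a 32-address block, so a statement copied from a peer with the bits inverted will silently select a different set of addresses, which is the "must match the peer's configuration exactly" failure the Note above warns about.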
Specify the algorithms:
a. If using AH, you can select: • an AH hash algorithm
b. If using ESP, you can select: • an encryption algorithm • a hash algorithm (optional)
c. If using AH and ESP, you can select: •...
You complete the first four steps in a single command entered from the global configuration mode context. Refer to Table 10-14 for the exact command syntax for configuring a transform set. Enter commands such as the following: ProCurve(config)# crypto ipsec transform-set T1 ah-sha-hmac esp-3des ProCurve(config)# crypto ipsec transform-set T2 ah-md5-hmac esp-aes-128-cbc esp-sha-hmac...
To create a crypto map entry, enter the following command from the global configuration mode context: Syntax: crypto map <mapname> <map index> [ipsec-ike | ipsec-manual] The mapname is an alphanumeric string. You can configure a set of crypto map entries that have the same name but different map indexes, which you apply together to an interface.
Unlike an IKE policy, you can only set one peer for the crypto map entry. This is because the crypto map entry actually defines the VPN tunnel, and a VPN tunnel is a point-to-point connection. Note: If the remote gateway has a dynamic address, you cannot set the peer ID.
Traffic Carried over the VPN Tunnel. To specify which traffic will be carried over the VPN tunnel (in other words, which networks make up the VPN), you must match the crypto map entry to an extended ACL: Syntax: match address <listname>...
Parameter Options (From Most to Least Secure) Default Command Syntax PFS group • Diffie-Hellman group 2 PFS not used set pfs [group2 | group1] • Diffie-Hellman group 1 IPSec SA lifetime • 2560 to 536,870,912 kilobytes 8 hours set security-association lifetime [kilobytes...
You should apply the crypto map to the logical interface on which traffic will be transmitted. Typically this is a WAN interface that connects to the Internet. Valid interfaces include: PPP interfaces Frame Relay subinterfaces HDLC interfaces ATM subinterfaces Ethernet interfaces...
The remote user requests an IP address from the ProCurve Secure Router between IKE phase 1 and phase 2 negotiations. It may also request addresses for Domain Name System (DNS) and NetBIOS Windows Internet Naming Service (WINS) servers.
For example, to include the entire 192.168.100.0/24 subnet: ProCurve(config-ike-client-pool)# ip-range 192.168.100.1 192.168.100.254 Use the commands shown in Table 10-16 to configure optional settings such as server addresses. Table 10-16. IKE Client Configuration Pools Parameter Function Command Syntax...
Configuring an Xauth Server Complete the following steps: Configure an authentication, authorization, and accounting (AAA) list to inform the Xauth server which database to search for usernames and passwords. Enable the Xauth server in an IKE policy. If you have not already done so, you will also need to configure the local username database or RADIUS server group.
Configuring RADIUS and TACACS+. If Xauth will be using a RADIUS or TACACS+ server database, you must enable the router to contact the server. First, specify the IP address of the server from the global configuration mode context: Syntax: radius-server host [<A.B.C.D> | <hostname>] Syntax: tacacs-server host [<A.B.C.D> | <hostname>]...
Table 10-17. AAA List Authentication Methods Database Location Keyword Command Syntax router local aaa authentication login <aaa listname> local RADIUS server or servers group aaa authentication login <aaa listname> group [radius | <groupname>] TACACS+ server or servers group aaa authentication login...
Configuring an Xauth Host The ProCurve Secure Router can act as an Xauth host and authenticate itself to a peer that requires Xauth. Complete the following steps: Create or move to the configuration mode context of the IKE policy for the peer that requires Xauth.
Setting the Username, Password, and Passphrase for One-time Password (OTP) Authentication. OTP provides increased security by using a passphrase to generate a series of passwords, each of which is used only once. This prevents hackers from intercepting and hijacking an authorized VPN user’s authentication information.
When the peer receives the digital certificate, it extracts the host’s public key and hash function. It decrypts the signature with that public key to recover the hash, hashes the certificate itself, and compares the two values. If they match, the peer knows that no one has tampered with the certificate en route.
RSA is the most commonly used algorithm and is extremely secure. Your CA will tell you which standard it uses. You should configure this standard in the IKE attribute policy. (See the discussion of authentication methods in “IKE Phase 1”...
Obtaining Digital Certificates First, select a CA server. If your CA server supports SCEP, you must complete three steps to load the necessary certificates into the ProCurve Secure Router’s operating system: Create a CA profile. Load the CA certificate.
For example: ProCurve(ca-profile)# enrollment url http://isakmp-test.ssh.fi/ The domain name should be fully qualified. If you do not include a program name, the router will use the default program pkiclient.exe. If you will be loading certificates manually, use this option for the command: ProCurve(ca-profile)# enrollment terminal Note: The url and terminal options are mutually exclusive, and the most recently...
If you are using automatic enrollment, you only need to enter the command. Then press to accept the certificate that the OS automatically loads. If you are obtaining the certificate manually, follow the directions in the CLI to cut and paste the certificate into the command line.
The OS will then initiate a dialog with you. (See Figure 10-10.) The OS will ask you to enter any information that you have not already configured from the CA profile configuration mode context. ProCurve(config)# crypto ca enroll MyCA **** Press CTRL+C to exit enrollment request dialog.
Importing a Self Certificate and CRL. You only need to complete this step if you are obtaining certificates manually. After your CA server has sent you a self certificate and CRL, you must import them into the CA profile configured on the router.
Viewing Certificates. You can use the show crypto ca commands to view: certificates CRLs CA profiles Enter the command from the enable mode context: Syntax: show crypto ca [certificates | crls | profiles] For example: ProCurve# show crypto ca certificates The certificates option shows both CA and self certificates.
ProCurve# show crypto ca certificates CA Certificate Status: Available Use when deleting Certificate Serial Number: 012d Subject Name: /C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1 Issuer: /C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1 CRL Dist. Pt: /C=FI/O=SSH Communications Security/OU=Web test/CN=Test CA 1 Start date is Jan 9 16:25:15 2003 GMT...
For example, to delete the self certificate shown in Figure 10-12, enter: ProCurve(config)# crypto ca certificate chain MyCA ProCurve(config-cert-chain)# no certificate 3f9fdcd9 Note: The Secure Router OS uses the commands in the certificate chain command set to load certificates.
For these reasons, you are advised to always use IKE with IPSec. However, if you are establishing a VPN with a site that does not support IKE, you will have to use manual keying. To maintain security and reduce the chance of misconfigurations, you should only use manual keying to connect two sites managed by the same IT staff.
You must select at least one algorithm. You can select one each of an AH hash, ESP encryption, or an ESP hash algorithm. (See Table 10-19.) For example, enter: ProCurve(config)# crypto ipsec transform-set T1 ah-md5-hmac esp-3des esp-sha-hmac See “Transform Sets”...
Table 10-20. Key Lengths for Standard Algorithms Algorithm Minimum Key Length in Bits Minimum Key length in HEX • 128 • 16 • 192 • 24 • 256 • 32 3DES Configuring Crypto Maps for Manual IPSec You define the IPSec SA in a crypto map entry.
Each crypto map entry should include one inbound and one outbound key for the protocol(s) selected in the associated transform sets. If you have selected more than one transform set, then the key must meet the longest minimum length requirement.
Virtual Private Networks Monitoring a VPN Monitoring a VPN You can monitor the VPN tunnels supported on your router. Enter this enable mode command to view all active SAs: Syntax: show crypto [ike | ipsec] sa Enter the ike keyword to view IKE SAs, which are open only temporarily to allow peers to negotiate a VPN connection securely.
If you determine that a VPN connection has been established that should not have been, you can enter one of these enable mode commands to terminate it: Syntax: clear crypto ipsec sa entry <A.B.C.D> [ah | esp] <SPI> Syntax: clear crypto ipsec sa peer <A.B.C.D>...
Table 10-22. VPN show Commands View Command Syntax all IKE SAs show crypto ike sa all IPSec SA show crypto ipsec sa all IPSec SA to a specific peer show crypto ipsec sa address <A.B.C.D> all IPSec SA established with a specific show crypto ipsec sa map <mapname>...
Virtual Private Networks Troubleshooting a VPN That Uses IPSec Troubleshooting a VPN That Uses IPSec When you have correctly configured a VPN, it should quickly go up. You can verify that the VPN has been established by pinging a location on the remote network from the local network.
the local router’s settings for this VPN connection exactly match those of the peer. If you are unable to learn the peer’s settings, you can try using default settings to connect to the peer in the fifth step. Troubleshooting Commands The tools you will use as you follow this procedure are the show and debug commands, which are enable mode commands.
Checking WAN Connections Before you waste time searching through convoluted configurations for an error, you should verify that your connection to the Internet (or other public network) is up. Check that the Physical (Layer 1) connection is good and the Data Link (Layer 2) state is open.
However, if the tunnel opens, then you know that you have a problem with the ACL. Enter: Syntax: show ip access-list <listname> Review the ACL, looking for miskeyed entries or problems with the wildcard bits.
Table 10-24. Debug Messages Message Possible Problem Best Next Step NO_PROPOSAL_CHOSEN incompatible security Determine whether parameters negotiations failed at IKE phase 1 or phase 2. IKEStartNegotiation: could no IKE policy is configured for Compare peer ID in the crypto not find an IKE policy to use the peer set in the crypto map...
IKE phase 2 (quick mode):
a. proposes (or accepts) security parameters including:
i. a hash algorithm (optional for ESP)
ii. an encryption algorithm (optional for AH)
iii. an IPSec SA lifetime
b. generates keys
c. establishes the IPSec SA
When you scan debug messages for clues to the source of a problem, pay particular attention to messages that indicate the step that IKE is performing.
If the CLI shows an IKE SA for the connection, you know that it at least completed IKE phase 1. You can also scroll through the debug messages looking for signs of the IKE phase that generated the problems.
To check the peer ID in an IKE policy or crypto map entry, enter commands such as the following: Syntax: show crypto map [<mapname> <mapindex>] Syntax: show crypto ike policy You can also view all crypto maps by entering the show crypto map command without a mapname and index.
Scroll through the debug messages until you see the message for the relevant IKE phase: “IANA: for proposal ISAKMP” (phase 1). (See Figure 10-15.) An Isakmp proposal is the proposal for the IKE SA. In the debug messages, look underneath the proposal message for the TRANSFORM ATTRIBUTES.
Table 10-28. TRANSFORM ATTRIBUTES (IKE SA Security Proposals) SA Attribute Value Options Remote Setting Router Options Local Setting Configuration Group Description • DH Group 1 IKE attribute • 1 policy: • DH Group 2 •...
When IKE cannot progress past quick mode message 1, it is unable to negotiate the IPSec SA. If possible, have your peer attempt to initiate a connection with you. In this way you can search through the debug messages for the peer’s IPSec SA proposal and determine which settings do not match local settings.
Table 10-29 and Table 10-30 show where in the local router’s running-config you can find the settings that should match the IPSec security policies proposed by the peer. Table 10-29. IANA Transform ID Message Value Options Remote Setting...
SA Attribute Value Options Remote Setting Setting in the Options Local Setting Running-Config Life Type • seconds crypto map • kilobytes <mapname> • kilobytes • seconds <mapindex> set security-association lifetime Life Time •...
You can compare the peer’s settings to yours in two ways: Initiate a connection with the peer and view the debug messages with the local proposals View the VPN configurations on the local router for the connection To view the configuration on the local router, you can view the running-config as shown above in Figure 10-17.
Return the crypto map settings to the defaults: ProCurve(config-crypto map)# no set pfs ProCurve(config-crypto map)# no set security-association lifetime Try to ping the remote location from the local network. If the connection goes up, you know that you had a problem with the security policies.
Virtual Private Networks Quick Start Quick Start This section provides the commands you must enter to quickly configure: a site-to-site VPN a client-to-site VPN digital certificates Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 10-1 to locate the section and page number that contains the explanation you need.
Parameters Options Obtain Setting From Your Setting IKE SA encryption • DES match peer algorithm • 3DES • AES 128-bit • AES 192-bit • AES 256-bit IKE SA lifetime 60 to 86,400 seconds match peer IPSec SA proposals •...
Parameters Options Obtain Setting From Your Setting crypto mapname alphanumeric string same name for every entry establishing a connection on the same interface crypto map index number 0 to 65,535 different index number for every entry establishing a connection to a different site 10.2.2.2 Local Router...
Create an IKE policy: Syntax: crypto ike policy <IKE policynumber> Configure the initiate mode: Syntax: [no] initiate [main | aggressive] For example: ProCurve(config-crypto-ike)# initiate aggressive If the peer has a dynamic address, set the mode to no initiate. Set the peer ID or peer IDs: Syntax: peer [any | <peer A.B.C.D>] Create an attribute policy:...
10. Exit to the global configuration mode and configure algorithms for the IPSec SA in a transform set: • AH protocol: Syntax: crypto ipsec transform-set <setname> [ah-md5-hmac | ah-sha-hmac] • ESP protocol: Syntax: crypto ipsec transform-set <setname> [esp-des | esp-3des | esp-aes-128-cbc | esp-aes-192-cbc | esp-aes-256-cbc | esp-null] [esp-md5-hmac | esp-sha-hmac] •...
15. Specify one peer only for the crypto map entry: Syntax: set peer <peer A.B.C.D> 16. You can associate the crypto map entry with the IKE policy configured for the remote peer. Syntax: ike-policy <policy number> 17.
Table 10-32. Quick Start Settings for a Client-to-Site VPN Parameters Options Obtain Setting From Your Setting peer ID — peer’s remote ID • IP address (A.B.C.D) mobile users—You should either use any or wildcards to •...
Parameters Options Obtain Setting From Your Setting IPSec SA proposals • AH match peer • ESP • AH and ESP transform setname alphanumeric string — AH authentication algorithm • MD5 match peer • SHA-1 ESP encryption •...
Install the IPSec VPN module. Enable VPN functions: ProCurve(config)# ip crypto Configure an IKE mode config pool: Syntax: crypto ike client configuration pool <poolname> Specify the range of private network addresses in the pool: Syntax: ip-range <first A.B.C.D> <last A.B.C.D> You can also specify server addresses for clients in the pool: Syntax: dns-server <A.B.C.D>...
13. If so desired, configure another IKE policy to connect to a remote site. (See “Configuring a Site-to-Site VPN” on page 10-90.) 14. Exit to the global configuration mode and configure algorithms for the IPSec SA in a transform set: •...
Add permit statements from the local VPN networks to the network addresses in the IKE mode config pool: Syntax: permit ip [any | host <source A.B.C.D> | hostname <source hostname> | <source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname <destination hostname>...
Virtual Private Networks Quick Start 24. Exit to the global configuration mode context. Configure a remote ID list that contains authentication information for remote peers. If you are using preshared keys for authentication, associate the preshared key with the peer. You can optionally associate a peer with the IKE policy and crypto map entry that should be used with that peer.
Virtual Private Networks Quick Start Obtaining Digital Certificates If you have selected a digital certificate standard for the IKE authentication method, you must obtain a certificate for the router. These instructions give the steps for obtaining a certificate automatically using SCEP. See configuration instructions in “Using Digital Certificates (Optional)”...
Configuring a Tunnel with Generic Routing Encapsulation Overview Overview The ProCurve Secure Router supports tunneling using Generic Routing Encapsulation (GRE). GRE is a Layer 2 protocol that encapsulates higher-level protocols and renders them transparent. Routers use GRE to send traffic through an intervening network that does not support such traffic.
Configuring a Tunnel with Generic Routing Encapsulation Overview For example, on the ProCurve Secure Router, a GRE tunnel can: transit multicast routing protocols, such as Routing Information Protocol (RIP) and Open Shortest Path First (OSPF), through the Internet transit any multicast messages, such as those for a video stream transit traffic through a network that uses the same IP addresses (useful for integrating sites that use overlapping addresses) GRE is often used in conjunction with IPSec.
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Configuring GRE To configure a GRE tunnel on the ProCurve Secure Router, you must: create a tunnel interface configure the tunnel source and destination endpoints assign the tunnel an IP address If you want to secure the tunnel, you can also configure a tunnel key specify traffic allowed to access the tunnel...
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE When a packet arrives on the tunnel interface, GRE encapsulates it with a GRE header. This header includes a field identifying the encapsulated packet’s protocol. GRE next encapsulates the GRE header with another IP header. This is the delivery header: it directs the packet through the tunnel to the remote endpoint.
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE The IP address that you enter is the address that the delivery IP header will include as the source address. If you enter an interface, the IP header will include the address of that interface. The interface must be configured with an IP address before you can use it as the tunnel source.
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Configuring the Tunnel’s IP Address The IP address for the tunnel interface places the tunnel in a local network. To configure the address, enter this command from the tunnel interface configuration mode context: Syntax: ip address <A.B.C.D>...
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Note: To eliminate recursive routing, the actual tunnel destination must be routed through a logical interface, not through the tunnel interface. Sending Routing Updates over the Tunnel Enable the routing protocol on the network on which the tunnel interface has its IP address.
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Enable OSPF on the local networks, including the tunnel’s network: ProCurve(config)# router ospf ProCurve(config-ospf)# network 192.168.1.0 0.0.0.255 area 0 ProCurve(config-ospf)# network 192.168.10.0 0.0.0.3 area 0 Sending Multicasts over the Tunnel You can configure Protocol Independent Multicast-Sparse Mode (PIM-SM) on the tunnel interface to tunnel multicasts through the Internet.
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Sending all Traffic to a Network over the Tunnel You can add a static route to the destination network through the tunnel. From the global configuration mode context, enter: Syntax: ip route <destination A.B.C.D> <subnet mask | /prefix length> tunnel <interface number>...
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Filtering Traffic that Arrives on the Tunnel You can restrict certain traffic from entering the tunnel by applying an access control policy (ACP). For example, you might want only traffic sent from a multicasting video streamer to be able to access the router through the tunnel.
Configuring a Tunnel with Generic Routing Encapsulation Configuring GRE Enabling Checksum Verification A router can include a checksum in outgoing packets’ GRE headers. A checksum is a value computed from the contents of a packet, and is often based on the sum of the bits.
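The encapsulation described in this section (GRE header with protocol type, optional tunnel key and optional checksum, wrapped in a delivery IP header) and the receiving endpoint's checks, as an added example that is not ProCurve code. The tunnel addresses, the key value and the inner RIP packet are constructed.

```python
"""Added example (not ProCurve code): GRE encapsulation and decapsulation as the
chapter describes it. Tunnel addresses, the key and the inner packet are constructed."""
import struct
from typing import Optional, Tuple

GRE_IP_PROTO = 47      # protocol number in the delivery IP header
GRE_FLAG_C = 0x8000    # GRE flags word: Checksum Present
GRE_FLAG_K = 0x2000    # GRE flags word: Key Present
PROTO_IPV4 = 0x0800    # GRE protocol type of an encapsulated IPv4 packet


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a correctly checksummed block it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner: bytes, key: Optional[int], checksum: bool) -> bytes:
    """GRE header: flags, protocol type, [checksum + reserved1], [key], then the packet."""
    flags = (GRE_FLAG_C if checksum else 0) | (GRE_FLAG_K if key is not None else 0)
    hdr = struct.pack("!HH", flags, PROTO_IPV4)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)       # checksum filled in below, reserved1 = 0
    if key is not None:
        hdr += struct.pack("!I", key)
    if checksum:
        # The checksum covers the GRE header and the encapsulated packet.
        hdr = hdr[:4] + struct.pack("!H", internet_checksum(hdr + inner)) + hdr[6:]
    return hdr + inner


def tunnel_send(inner: bytes, tunnel_src: str, tunnel_dst: str,
                key: Optional[int] = None, checksum: bool = False) -> bytes:
    """Delivery IP header (source = tunnel source) -> GRE header -> inner packet."""
    return build_ipv4(tunnel_src, tunnel_dst, GRE_IP_PROTO,
                      gre_encapsulate(inner, key, checksum))


def tunnel_receive(packet: bytes, expected_key: Optional[int]) -> Tuple[Optional[bytes], str]:
    """Remote endpoint: strip the delivery header, verify the GRE header, return
    (inner_packet, reason); inner_packet is None when the packet is dropped."""
    if len(packet) < 24 or packet[9] != GRE_IP_PROTO:
        return None, "not a GRE delivery packet"
    if internet_checksum(packet[:20]) != 0:
        return None, "bad delivery IP header checksum"
    gre = packet[20:]
    flags, proto = struct.unpack("!HH", gre[:4])
    pos = 4
    if flags & GRE_FLAG_C:
        # Checksum verification: re-summing header + payload must give zero.
        if internet_checksum(gre) != 0:
            return None, "bad GRE checksum"
        pos += 4
    key = struct.unpack("!I", gre[pos:pos + 4])[0] if flags & GRE_FLAG_K else None
    if flags & GRE_FLAG_K:
        pos += 4
    if key != expected_key:
        # Mismatched keys leave the tunnel 'up' while every packet is discarded.
        return None, "tunnel key mismatch"
    if proto != PROTO_IPV4:
        return None, "unsupported encapsulated protocol 0x%04x" % proto
    return gre[pos:], "ok"


# Constructed sample: a RIPv2 update to 224.0.0.9, the kind of multicast the
# chapter says a GRE tunnel can transit across the Internet.
INNER = build_ipv4("192.168.10.1", "224.0.0.9", 17, b"\x02\x02\x00\x00" + b"\x00" * 20)
TUNNEL_SRC, TUNNEL_DST, TUNNEL_KEY = "203.0.113.1", "198.51.100.1", 1234

if __name__ == "__main__":
    pkt = tunnel_send(INNER, TUNNEL_SRC, TUNNEL_DST, TUNNEL_KEY, checksum=True)
    print(tunnel_receive(pkt, TUNNEL_KEY)[1])          # ok
    print(tunnel_receive(pkt, 4321)[1])                # tunnel key mismatch
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])
    print(tunnel_receive(corrupted, TUNNEL_KEY)[1])    # bad GRE checksum
```

The key-mismatch branch is the case the troubleshooting section later describes: the tunnel interface reports up while no traffic gets through.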
Configuring a Tunnel with Generic Routing Encapsulation Troubleshooting GRE Configuration Troubleshooting GRE Configuration You can use the show interfaces command to view: the status of the tunnel (up or down) the tunnel’s IP address packets transmitted and received over the tunnel To track packets as the tunnel encapsulates and sends or receives and decapsulates them, use this enable mode command: Syntax: debug interface tunnel...
Configuring a Tunnel with Generic Routing Encapsulation Troubleshooting GRE Configuration The Router Does Not Receive Traffic through the Tunnel Enter the show interfaces command and double-check the tunnel key. You should check the IP routing table and determine whether any traffic is being sent through the tunnel.
Configuring a Tunnel with Generic Routing Encapsulation Quick Start Quick Start This section provides the commands you must enter to quickly configure a GRE tunnel and use it to carry routing updates. Only minimal explanation is provided. If you need additional information about any of these options, check “Contents”...
Configuring a Tunnel with Generic Routing Encapsulation Quick Start Enable the routing protocol on the network on which the tunnel has its IP address (not its source address): If you are using RIP, enter: ProCurve(config)# router rip Syntax: network <A.B.C.D> <subnet mask> For example: ProCurve(config-rip)# network 192.168.10.0 255.255.255.0 b.
Configuring Multicast Support for a Stub Network Contents Overview ........... . . 12-3 Multicast Applications .
Configuring Multicast Support for a Stub Network Contents Troubleshooting Multicast Stub Routing and IGMP ....12-21 Strategies and Tools ........12-21 Procedure for Troubleshooting Multicast Stub Routing .
Configuring Multicast Support for a Stub Network Overview Overview This overview describes IP multicasting and Internet Group Management Protocol (IGMP). The overview then explains how the ProCurve Secure Router can support multicasting by running either Protocol Independent Multicast-Sparse Mode (PIM-SM), which is a multicast routing protocol, or IGMP proxy.
Configuring Multicast Support for a Stub Network Overview IP multicasting allows hosts to send messages to multiple hosts simultaneously. Hosts join multicast host groups to become eligible to receive specific multicasts. The ProCurve Secure Router supports the routing of such multicasts using either PIM-SM or IGMP proxy.
Configuring Multicast Support for a Stub Network Overview [Figure 12-2. Multicasting: Network 1, 192.168.1.0/24; a packet with destination 232.0.0.10 passes switch, router, switch] Multicast Addresses The destination address in the IP header of a multicast message is the multicast address. Only hosts that have joined the group for this multicast address receive the message.
Configuring Multicast Support for a Stub Network Overview IGMP IGMP helps a router to determine which host groups have members in which networks so that the router can properly forward multicast messages. Some multicast routing protocols (including the protocol supported on the ProCurve Secure Router) suppress multicasts unless a router or network specifically requests them.
Configuring Multicast Support for a Stub Network Overview [Figure 12-4. Multicasting with IGMP: multicast packets travel from the router through switches to the hosts in Group 99] IGMP Queries On the ProCurve Secure Router, you enable an interface to act as a multicast agent when you do one of the following: configure the interface as a multicast stub downstream interface enable PIM-SM on the interface The multicast agent broadcasts IGMP queries to all hosts, asking them to...
Configuring Multicast Support for a Stub Network Overview Hosts send their IGMP reports to the multicast address rather than simply to the multicast agent. When the other hosts in the group receive this report, they cancel the report they would otherwise send out. In this way, the multicast agent should receive one, and only one, report for each multicast address for which a host group exists on a stub network.
Configuring Multicast Support for a Stub Network Overview tured, unidirectional path. However, a router running IGMP proxy cannot establish different routes for different multicast groups. It must receive all multicasts on the same incoming, or upstream, interface. In addition, a router running IGMP proxy cannot transit multicast traffic.
Configuring Multicast Support for a Stub Network Overview at the helper address considers the upstream interface to be a multicast host that is a member of every group to which at least one host in the stub networks belongs. IGMP report Group 99 Group 99 IGMP report...
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Configuring IGMP Proxy for Multicast Stub Routing Support You should not use IGMP proxy for multicast support unless your ProCurve Secure Router acts as a stub router. (Even when your router is a stub router, it can be a good idea to enable a multicast routing protocol such as PIM-SM.) A stub router is a router in a stub network.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support You can also: have the router stack join an IGMP group alter IGMP intervals (for experienced administrators only) Enabling IP Multicast Routing The ProCurve Secure Router must implement multicast routing to keep track of which interfaces forward packets destined to certain multicast addresses.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support For example, to set the helper address for the router in Figure 12-6, you would enter: ProCurve(config)# ip mcast-stub helper-address 10.1.1.2 Note: The router must know a route to the helper address.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Configuring a Downstream Interface First, move to the configuration mode context for the interface: Syntax: interface <interface ID> For example: ProCurve(config)# int eth 0/1 A downstream interface typically should perform three functions: IGMP multicast agent—send IGMP queries and listen for IGMP messages IGMP proxy—forward IGMP messages to a remote multicast server multicast forwarding—forward multicast messages if the corresponding...
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Enabling IGMP Proxy If you want a stub network to receive multicast messages from a remote network, you must enable IGMP proxy on the interface connecting to the stub network.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Configuring an Upstream Interface An upstream interface is a forwarding helper interface: an interface through which the router reaches the helper address. The multicast server considers the upstream interface to be the multicast host.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Because the fixed interface is an alternative to a downstream interface, you should remember to configure these settings before configuring a fixed interface: enable multicast routing specify the helper address configure the upstream interface Then, move to the configuration mode context for the interface that you want...
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support remote tunnel endpoint, and a GRE header. The router then forwards the packet. Routers in the non-multicast network can read the delivery header to forward the multicast packet to the tunnel endpoint. The router at the remote endpoint removes the GRE header from the packet and forwards the multicast packet through the correct interfaces to members of the multicast host group.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Altering IGMP Query Intervals IGMP involves trade-offs. The protocol contains packets by giving multicast routers up-to-date information on which networks actually need specific multicasts. On the other hand, the IGMP queries that maintain this information also consume bandwidth.
Configuring Multicast Support for a Stub Network Configuring IGMP Proxy for Multicast Stub Routing Support Table 12-1. IGMP Intervals (columns: Interval, Function, Default, Range, Command Syntax). query interval: The query interval is how often the interface broadcasts ... Default: 60 seconds. Range: 0 to 65,535 seconds. Command Syntax: ip igmp query-interval <seconds>
Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP (Table 12-1, continued; columns: Interval, Function, Default, Range, Command Syntax). immediate-leave: This command is used when an interface connects to a single host or to an IGMP snooping switch. Default: —. Range: —. Command Syntax: ip igmp immediate-leave
Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP When troubleshooting multicast stub routing, you should follow the general procedure described below. You will use the show and debug commands summarized in Table 12-2. Note: You enter show and debug commands from the enable mode context.
Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP Procedure for Troubleshooting Multicast Stub Routing Identify the multicast address and network in question. Verify that the router believes a host group exists for that address on that network.
Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP • The downstream interface is running a version of IGMP incompatible with that used on the network. Enter show ip igmp interface and view the IGMP version. You can change the version for a particular interface by entering this command from the logical interface configuration mode context: Syntax: ip igmp version [1 | 2]...
Configuring Multicast Support for a Stub Network Troubleshooting Multicast Stub Routing and IGMP • If the helper address is “enabled,” the interface is running IGMP proxy. Verify that the helper address is correct in the running config. Also check connectivity using the ping command. The router must, of course, be able to reach the multicast device at the central site.
Configuring Multicast Support for a Stub Network Quick Start Quick Start This section provides the commands you must enter to quickly configure support for multicasting. Only a minimal explanation is provided. If you need additional information about any of these options, check “Contents” on page 12-1 to locate the section that contains the explanation you need.
Configuring Multicast Support for a Stub Network Quick Start [Figure 12-8. Sample Multicast Configuration: Multicast 1 and Multicast 2 arrive from the multicast router at the helper address, enter the router on the upstream interface, leave on the downstream interface and reach Group 1 and Group 2 through a switch] Enable multicast routing: ProCurve(config)# ip multicast-routing Set the helper address, which is the address of the multicast router.
Configuring Multicast Support for a Stub Network Quick Start Move to the configuration mode context of the upstream interface. (See Figure 12-8.) Syntax: interface <interface ID> Enable IGMP proxy and multicast forwarding. Syntax: ip mcast-stub upstream 12-28...
Configuring Multicast Support with PIM-SM Contents Overview ........... . . 13-3 Multicast Trees .
Configuring Multicast Support with PIM-SM Contents Configuring PIM-SM ......... . . 13-28 Enabling PIM-SM .
Configuring Multicast Support with PIM-SM Overview Overview In order to receive multicast packets from one network and route them to hosts in different networks, a router must implement a multicast routing protocol. The ProCurve Secure Router supports Protocol Independent Multicast-Sparse Mode (PIM-SM).
Configuring Multicast Support with PIM-SM Overview An entry in the multicast routing table lists connections to downstream routers and networks as outgoing interfaces and the connection to the upstream router as the incoming interface. A router only accepts a multicast packet if it arrives on the appropriate incoming interface.
Configuring Multicast Support with PIM-SM Overview these sources may change. In addition, when hosts join a multicast group, they do not know the address of the source. Sources and receivers need a common point at which to discover each other, and the RP provides this point. The DR of each subnet forwards join/prunes toward the RP so that the RP can begin forwarding multicasts to the appropriate routers as soon as a source begins transmitting.
Configuring Multicast Support with PIM-SM Overview The process for switching from an RP to an SP tree will be described in more detail in “Switching from an RP to an SP Tree” on page 13-9. Multicast Routing Table Just as a unicast routing table has an entry for each unicast destination address to which the router can forward traffic, a multicast routing table has an entry for every multicast group for which the router must transit traffic.
Configuring Multicast Support with PIM-SM Overview Each entry includes a list of outgoing interfaces. Unlike a unicast routing table entry, a multicast table entry can include multiple forwarding, or outgoing, interfaces. Because a multicast address applies to all hosts who have joined the multicast group, and because these hosts may be in different networks, the router may copy packets destined to a single multicast address and route them out multiple interfaces.
Configuring Multicast Support with PIM-SM Overview Although (S, G) entries relate to SP trees, routers that are only part of an RP tree can also store special (S, G) entries with the RP-bit set. These entries prune downstream neighbors from the RP tree for multicasts from a specific source, but allow the neighbors to remain in the RP tree for traffic from other sources for the group.
Configuring Multicast Support with PIM-SM Overview [Figure 13-2. Joining a Shared, or RP, Tree: an IGMP join from the multicast host and (*, G) joins passed between Router C, Router B and Router A (the RP) form the RP tree] Switching from an RP to an SP Tree Once a router begins to receive a multicast stream along the RP tree, it can change to an SP tree.
Configuring Multicast Support with PIM-SM Overview The RP follows this process to generate an SP tree to the source. (See Figure 13-3): A source registers with the RP and the RP generates an SP tree to draw the multicast traffic towards itself and down the RP tree. The RP initially receives encapsulated multicast traffic from a new source in unicast register packets.
Configuring Multicast Support with PIM-SM Overview [Figure 13-3, two panels. (1) A source registers with the RP: Router B is the RP for Group X; Router A connects the multicast source; Router C is an intermediate router; Router D is the edge router for Host Y; the RP tree runs from Router B. (2) The RP joins the SP tree: Router B, RP for Group X, ...]
Configuring Multicast Support with PIM-SM Overview
ProCurve# show ip mroute
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set
Timers: Uptime/Expires
(*, 239.255.255.1), 01:10:32/00:00:00, RP 10.1.1.1, Flags: SJ    (the (*, G) entry)
...
Configuring Multicast Support with PIM-SM Overview The router creates the (S, G) entry, but continues to accept traffic from the RP tree. An (S, G) entry’s SPT-bit signals that the router is using the SP tree exclusively. When the router first creates the (S, G) entry, it clears the SPT- bit so that the multicast stream will not be disrupted while the SP tree is established.
Configuring Multicast Support with PIM-SM Overview The router receives multicasts on the SP tree. As soon as the original router receives a packet on the incoming interface for the (S, G) entry, it sets the entry’s SPT-bit, signaling that the SP tree is active.
Configuring Multicast Support with PIM-SM Overview The DR continues forwarding multicasts over the SP tree. Figure 13-6 shows the multicast routing table of a ProCurve Secure Router acting as the DR for a source.
ProCurve# show ip mroute
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, ...
Configuring Multicast Support with PIM-SM Overview Although the RP creates the (S, G) entry, because the entry’s outgoing interface list is null, the RP does not send a join for the SP tree. The RP also sends a register-stop to the source’s DR. The DR stops sending the encapsulated multicasts.
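A toy multicast routing table that applies the rules laid out above (a packet is accepted only on the entry's incoming interface, an entry may list several outgoing interfaces, an (S, G) RP-bit entry prunes one source from the RP tree, and the SPT-bit is set by the first packet to arrive on the SP tree's incoming interface). This is an added example, not ProCurve code; the interface names, the second outgoing interface and the source addresses are constructed around the chapter's (*, 239.255.1.1) entry.

```python
"""Added example (not ProCurve code): a toy PIM-SM multicast routing table that
applies the rules described in this overview. Interface names, the extra outgoing
interface eth 0/3 and the source addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MrouteEntry:
    incoming: str                      # upstream (RPF) interface for this entry
    outgoing: List[str] = field(default_factory=list)
    rp: Optional[str] = None
    spt_bit: bool = False              # T flag: SP tree is active for this (S, G)
    rp_bit: bool = False               # R flag: (S, G) prune applied to the RP tree

    def flags(self) -> str:
        return "S" + ("T" if self.spt_bit else "") + ("R" if self.rp_bit else "")


class MulticastRoutingTable:
    def __init__(self) -> None:
        self.star_g: Dict[str, MrouteEntry] = {}              # (*, G) entries
        self.s_g: Dict[Tuple[str, str], MrouteEntry] = {}     # (S, G) entries
        self.triggered: List[str] = []                        # join/prunes to send

    def add_star_g(self, group: str, incoming: str, outgoing: List[str], rp: str) -> None:
        self.star_g[group] = MrouteEntry(incoming, list(outgoing), rp)

    def join_sp_tree(self, source: str, group: str, incoming: str) -> None:
        """Create the (S, G) entry with the SPT-bit clear; its outgoing list is
        copied from (*, G) so the stream is not disrupted while the tree forms."""
        star = self.star_g[group]
        self.s_g[(source, group)] = MrouteEntry(incoming, list(star.outgoing), star.rp)
        self.triggered.append(f"join (S={source}, G={group}) out {incoming}")

    def receive_rp_bit_prune(self, source: str, group: str, interface: str) -> None:
        """A downstream neighbor on `interface` left the RP tree for one source only:
        keep an (S, G) RP-bit entry that omits it while (*, G) stays untouched."""
        star = self.star_g[group]
        entry = self.s_g.setdefault(
            (source, group),
            MrouteEntry(star.incoming, list(star.outgoing), star.rp, rp_bit=True))
        if interface in entry.outgoing:
            entry.outgoing.remove(interface)

    def forward(self, source: str, group: str, arrival: str) -> Tuple[List[str], str]:
        """Return (interfaces to copy the packet out of, reason); [] means drop."""
        sg = self.s_g.get((source, group))
        star = self.star_g.get(group)
        if sg is not None and not sg.rp_bit:
            if arrival == sg.incoming:
                if not sg.spt_bit:
                    # First packet on the SP tree's incoming interface: set the
                    # SPT-bit and, if the RP tree used a different interface,
                    # prune this source from the RP tree upstream.
                    sg.spt_bit = True
                    if star is not None and star.incoming != sg.incoming:
                        self.triggered.append(
                            f"prune (S={source}, G={group}) RP-bit out {star.incoming}")
                return [i for i in sg.outgoing if i != arrival], "(S, G) SP tree"
            if sg.spt_bit:
                return [], "dropped: SPT-bit set, not the SP tree incoming interface"
            # SPT-bit still clear: keep accepting the RP tree copy below.
        if star is None:
            return [], "dropped: no entry for group"
        if arrival != star.incoming:
            return [], "dropped: wrong incoming interface (RPF failure)"
        oifs = sg.outgoing if (sg is not None and sg.rp_bit) else star.outgoing
        return [i for i in oifs if i != arrival], "(*, G) RP tree"


def demo() -> MulticastRoutingTable:
    """Walk-through built on the chapter's (*, 239.255.1.1) entry: incoming PPP 1,
    outgoing Ethernet 0/2 (plus constructed eth 0/3), RP 192.168.1.1; the source
    10.10.10.10 becomes reachable over the SP tree on constructed eth 0/1."""
    table = MulticastRoutingTable()
    table.add_star_g("239.255.1.1", "ppp 1", ["eth 0/2", "eth 0/3"], "192.168.1.1")
    table.join_sp_tree("10.10.10.10", "239.255.1.1", "eth 0/1")
    table.forward("10.10.10.10", "239.255.1.1", "ppp 1")    # still accepted from RP tree
    table.forward("10.10.10.10", "239.255.1.1", "eth 0/1")  # sets the SPT-bit
    return table


if __name__ == "__main__":
    t = demo()
    for (s, g), e in t.s_g.items():
        print(f"({s}, {g}) in {e.incoming} out {e.outgoing} flags {e.flags()}")
    print(t.triggered)
```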
Configuring Multicast Support with PIM-SM Overview RP Selection When a router adds an entry for a new group to its multicast routing table, it must determine the RP for that group. The router searches its RP set for up to four routers that can support that group. An RP set includes the IP address of every router allowed to become an RP and the multicast groups that each router can support.
Configuring Multicast Support with PIM-SM Overview [Figure 13-7. Static RP Selection: Router A, Router B and Router C each hold the same RP set: Router A 244.0.0.0 7.255.255.255; Router B Any] Note: Because you must configure exactly the same RP set on each router in the domain, attempts to assign specific routers to specific groups can lead to...
Configuring Multicast Support with PIM-SM Overview If the router is sending the packet to its RP to either join or withdraw from the group’s RP tree, the join or prune list contains a wildcard entry with the RP’s address. An exception to this rule occurs when a router withdraws from an RP tree in order to join an SP tree.
Configuring Multicast Support with PIM-SM Overview If a group’s prune list includes the specific source, the router deletes (or schedules for deletion) the interface from the corresponding (S, G) entry’s outgoing interface list. Receiving (S, G) RP-bit Prunes. The prune list for a group may include a specific source marked with an RP-bit.
Configuring Multicast Support with PIM-SM Overview If the upstream neighbor is itself part of the SP tree, it prunes the downstream router from its branch of the SP tree. If the upstream neighbor is not part of the SP tree, it creates an (S, G) RP-bit entry to prune the downstream router from its RP tree.
Configuring Multicast Support with PIM-SM Overview The upstream router may already have an (S, G) entry without the RP-bit set. For example, an RP generally creates an SP tree immediately after a source registers with it. Because the RP copies the outgoing interfaces in the (*, G) entry to the newly created (S, G) entry, the RP continues sending traffic over the connections in its RP tree.
Configuring Multicast Support with PIM-SM Overview Table 13-1. Triggered Join/Prune Packets (columns: Event, Action, Packet Includes, Sent to). Event: The router receives an IGMP join for a new or inactive group. Action: The router joins the RP tree. Packet Includes: join for the group with a wildcard source. Sent to: upstream RP neighbor. • ...
Configuring Multicast Support with PIM-SM Overview (Table 13-1, continued; columns: Event, Action, Packet Includes, Sent to). Event: The router receives multicast traffic on its SP tree. Action: If the SP incoming interface is different from the RP incoming interface, the router sets the SPT-bit for the (S, G) entry. Packet Includes: prune for the group with a specific source address (RP-bit set). Sent to: upstream RP neighbor.
Configuring Multicast Support with PIM-SM Overview For example, Router A has an entry for (*, 239.255.1.1) with incoming interface PPP 1, outgoing interface Ethernet 0/2, and RP 192.168.1.1. Router A periodically sends a join/prune packet on PPP 1 which contains an entry for multicast group 239.255.1.1.
Configuring Multicast Support with PIM-SM Overview Register-Stop Packets After an RP begins receiving multicasts on the SP tree, it no longer needs the register packets. The RP sends register-stops to the DR for the source, instructing the DR to stop sending the encapsulated traffic. Register-stops are triggered when the RP has an (S, G) with the SPT-bit set and receives a register packet.
Configuring Multicast Support with PIM-SM Overview Redundant Multicasts [Figure: Network 10.1.1.0/24; Group 239.255.1.1; Multicast Source 10.10.10.10; Router A, Router B and Router C connected over PPP1, ISDN, the Internet and Eth 0/1; Router A’s multicast routing table: (10.10.10.10, 239.255.1.1) Incoming: PPP1, Outgoing: Eth 0/1; asserts sent; Network ...]
Configuring Multicast Support with PIM-SM Configuring PIM-SM Configuring PIM-SM To configure PIM-SM on a router, you must: enable PIM-SM on router interfaces specify the RP PIM-SM relies on RPF to determine upstream neighbors. The protocol works with whatever routing methods the router uses, including: static routing Routing Internet Protocol (RIP) Open Shortest Path First (OSPF)
Configuring Multicast Support with PIM-SM Configuring PIM-SM Enabling PIM-SM You must enable PIM-SM on every interface that connects to a network in the PIM domain. These networks include: LAN networks with hosts that may join the multicast groups LAN networks through which multicast traffic must transit WAN networks through which multicast traffic will travel between remote sites The Layer 2 interfaces on the ProCurve Secure Router that support PIM-SM...
Configuring Multicast Support with PIM-SM Configuring PIM-SM From the PIM sparse configuration mode context, you can: specify static RPs change the threshold for switching to an SP tree force the router to use the RP tree permanently change the interval at which the router sends periodic join/prune messages Configuring a Static RP Set An RP for a multicast group forms the root of that group’s RP tree.
Configuring Multicast Support with PIM-SM Configuring PIM-SM For the simplest configuration, and the configuration least prone to errors, you should allow all RPs to support any group. There is no reason to configure different RPs for various groups unless you expect these conditions to be true: only certain areas of the network will use certain groups having a router act as RP for groups expected in its area will significantly decrease bandwidth usage...
Configuring Multicast Support with PIM-SM Configuring PIM-SM Specifying a Static RP for a Specific Group Instead of configuring the same routers to support all multicast groups, you can associate specific RPs with specific groups. You should only use this option if your organization has a particular reason for doing so.
Configuring Multicast Support with PIM-SM Configuring PIM-SM If you know precisely which groups your network must support and you know which areas expect traffic for specific groups, you can configure a router to support a single group. For example, the multicast video streamer in Figure 13-11 is the only source that sends traffic to 239.255.255.1.
Configuring Multicast Support with PIM-SM Configuring PIM-SM If necessary, you can remove a group from the range of groups for an RP with a deny statement. Use this command: Syntax: deny [host <A.B.C.D> | <A.B.C.D> <wildcard bits>] For example, you want Router 1 to be RP for all multicast groups except for group 239.255.255.1, which will be used in only one section of the network.
Configuring Multicast Support with PIM-SM Configuring PIM-SM Note: You may want to limit an RP that currently supports all groups to only supporting some groups. In this case, you must first enter no rp-address <A.B.C.D>. You can then re-enter the command with the specification for the ACL that lists the groups the RP should support.
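How an RP set whose entries carry group ACLs resolves the candidate RPs for a group, including the deny-before-permit ordering the preceding example depends on. This is an added example, not ProCurve code; it assumes standard-ACL semantics (first match wins, implicit deny at the end) and reuses the router addresses of Example 2 in this chapter, while the `permit 224.0.0.0 15.255.255.255` statement is constructed.

```python
"""Added example (not ProCurve code): resolving candidate RPs for a group from an
RP set with group ACLs. Assumes first-match-wins ACLs with an implicit deny;
the 224.0.0.0 15.255.255.255 statement is constructed."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """ACL wildcard bits: a 1 bit in the wildcard means that bit is not compared."""
    a, p, w = (int(IPv4Address(x)) for x in (addr, pattern, wildcard))
    return (a ^ p) & (~w & 0xFFFFFFFF) == 0


class StandardAcl:
    """Ordered permit/deny statements such as `permit host 239.255.255.1` or
    `deny 224.0.0.0 15.255.255.255`."""
    def __init__(self) -> None:
        self.entries: List[Tuple[str, str, str]] = []

    def _add(self, action: str, *args: str) -> "StandardAcl":
        if args[0] == "host":
            pattern, wildcard = args[1], "0.0.0.0"
        else:
            pattern, wildcard = args
        self.entries.append((action, pattern, wildcard))
        return self

    def permit(self, *args: str) -> "StandardAcl":
        return self._add("permit", *args)

    def deny(self, *args: str) -> "StandardAcl":
        return self._add("deny", *args)

    def permits(self, group: str) -> bool:
        for action, pattern, wildcard in self.entries:
            if wildcard_match(group, pattern, wildcard):
                return action == "permit"
        return False          # implicit deny at the end of the list


class RpSet:
    """rp-address <A.B.C.D> [access-group <acl>]: no ACL means any group."""
    def __init__(self) -> None:
        self.rps: List[Tuple[str, Optional[StandardAcl]]] = []

    def rp_address(self, addr: str, access_group: Optional[StandardAcl] = None) -> None:
        self.rps.append((addr, access_group))

    def candidates(self, group: str, limit: int = 4) -> List[str]:
        """Up to `limit` RPs from the set whose ACL permits the group."""
        return [addr for addr, acl in self.rps
                if acl is None or acl.permits(group)][:limit]


def example_rp_set() -> RpSet:
    """HQ router 10.1.63.1 is RP for every group except 239.255.255.1, which only
    Router A (10.1.66.10) serves. The deny must come before the broad permit."""
    rp1 = StandardAcl().deny("host", "239.255.255.1") \
                       .permit("224.0.0.0", "15.255.255.255")
    rp3 = StandardAcl().permit("host", "239.255.255.1")
    rp_set = RpSet()
    rp_set.rp_address("10.1.63.1", rp1)
    rp_set.rp_address("10.1.66.10", rp3)
    return rp_set


def misordered_acl() -> StandardAcl:
    """The same two statements in the wrong order: the permit matches first, so
    the deny is never reached and 239.255.255.1 is still allowed."""
    return StandardAcl().permit("224.0.0.0", "15.255.255.255") \
                        .deny("host", "239.255.255.1")
```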
Configuring Multicast Support with PIM-SM Configuring PIM-SM Note: The PIM-SM protocol automatically manages the transition to the SP tree, keeping the RP tree active until convergence is complete. For more information on this process, see “Switching from an RP to an SP Tree” on page 13-9. Forcing the Router to Use the RP Tree Permanently A router’s SP tree is tailored to be the best connection between the router and a specific source, and you should almost always allow your ProCurve Secure...
Configuring Multicast Support with PIM-SM Configuring PIM-SM Because a router can have interfaces on several different networks, you set the DR priority for each specific interface. You can assign different interfaces different priorities. For example, your ProCurve Secure Router connects to VLAN 10 on Ethernet subinterface 0/1.10 and to VLAN 20 on Ethernet subinterface 0/1.20.
Configuring Multicast Support with PIM-SM Configuring PIM-SM Table 13-2. PIM-SM Timers (columns: Timer, Meaning, Command Syntax, Configured From, Range, Default). join/prune period: time between sending join/prunes. Command Syntax: join-prune-msg-interval <seconds>. Configured From: PIM configuration mode context. Range: 10 to 65535 seconds. Default: 60 seconds. hello timer: time between sending ... Command Syntax: ip pim-sparse hello-... Configured From: Ethernet or WAN ...
Configuring Multicast Support with PIM-SM Configuring PIM-SM Hello Timer Routers transmit periodic hellos through PIM interfaces to signal that the connection is still active. The hello-timer option determines how often an interface sends a hello. The router also uses this setting to compute the hello holdtime, which it includes in hello packets to instruct neighbors how long to wait for the next hello before removing the connection from any outgoing interface lists.
Configuring Multicast Support with PIM-SM Configuring PIM-SM pruning the interface is determined by the sum of the override timer and the propagation delay. Take care in altering these timers; they should match on all neighboring routers so that one router does not delete an entry too soon. Configuration Examples This section guides you through the process of configuring PIM-SM in several simplified scenarios.
Configuring Multicast Support with PIM-SM Configuring PIM-SM You should configure PIM-SM on each router interface in the network. Because all sources are at the headquarters, you decide to configure the HQ WAN router as the single RP. Figure 13-13 shows the running-config for the HQ WAN router (showing only the sections of the configuration necessary for PIM-SM).
Configuring Multicast Support with PIM-SM Configuring PIM-SM Configure a routing protocol. In this example, the network uses OSPF. The headquarters is the network backbone (area 0), Site A is stub area 1, and Site B is stub area 2. Note that routers in these areas receive summaries for inter-area traffic, not a default route.
Configuring Multicast Support with PIM-SM Configuring PIM-SM
hostname "HQRouter"
ip multicast-routing
interface loop 1
  ip address 10.1.63.1 255.255.255.0
  no shutdown
interface eth 0/1
  ip address 10.1.1.1 255.255.255.0
  ip pim sparse-mode
  no shutdown
interface eth 0/2
  ip address 10.1.32.1 255.255.255.0
  ip pim sparse-mode
  no shutdown
interface t1 1/1
  tdm-group 1 timeslots 1-24 speed 64
...
Configuring Multicast Support with PIM-SM Configuring PIM-SM You would need to make the same configurations on the WAN routers at Site A and Site B. Figure 13-14 shows the running-config for the Router at Site A.
hostname "RouterA"
ip multicast-routing
interface loop 1
  ip address 10.1.66.10...
Configuring Multicast Support with PIM-SM Configuring PIM-SM
hostname "RouterA"
ip multicast-routing
ip mcast-stub helper-address 10.1.64.1
interface eth 0/1
  ip address 10.1.65.1 255.255.255.0
  ip mcast-stub downstream
  ip mcast-stub helper-enable
  no shutdown
interface t1 1/1
  tdm-group 1 timeslots 1-24 speed 64
  no shutdown
interface fr 1 point-to-point
  frame-relay lmi-type ansi
  no shutdown
...
Page 686
Configuring Multicast Support with PIM-SM Configuring PIM-SM Site B Site A Multicast source Router A Router B 10.1.66.10 10.1.129.2 10.1.66.0/24 10.1.32.0/30 HQ Router Router D 10.1.63.1 10.1.62.2 10.1.1.0/30 Multicast Router C source 10.1.20.0/24 Figure 13-16. Example 2 Network To configure the HQ WAN router, you would follow these steps: Follow steps 1 through 6 described in Example 1 to configure all router interfaces, to enable Layer 2 interfaces to run PIM-SM, and to configure the routing protocol.
Page 687
Configuring Multicast Support with PIM-SM Configuring PIM-SM The LAN at Site A supports a multicast server transmitting to 239.255.255.1. Configure an ACL that permits Router A (10.1.66.10) to support only this multicast group: HQRouter(config)# ip access-list standard rp3 HQRouter(config-std-nacl)# permit host 239.255.255.1 Configure the RP set: HQRouter(config)# router pim-sparse HQRouter(config-pim-sparse)# rp-address 10.1.63.1 access-group rp1...
Troubleshooting PIM-SM

When hosts are not receiving multicasts, you must determine where the traffic is going astray. Because PIM-SM relies on unidirectional trees, you should first troubleshoot the router that directly connects to the hosts, then proceed to the next-hop upstream router until you find the point at which the traffic is disrupted.

ProCurve# show ip mroute
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set   [callout: Legend for entry flags]
Timers: Uptime/Expires
(*, 239.255.255.1), 01:06:23/00:00:00, RP 10.1.1.1, Flags: SCJ   [callout: (*, G) entry for the...]

Flag   Name       Meaning                                                           Valid for Entry Type
       Join SPT   • For a (*, G) entry on an RP, the RP will generate an SP tree    • (*, G)
                    for group traffic immediately after a...                        • ...

ProCurve# show ip mroute
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set
Timers: Uptime/Expires
(*, 239.255.255.1), 01:06:23/00:00:00, RP 10.1.1.1, Flags: SCJ   [callout: (*, G) entry]...

Table 13-4. Flags in Typical Multicast Routing Table Entries

Flags   Meaning
        (*, G) entry: The router is an edge router for this group.
        (*, G) entry: Typically, the router is RP for this group.
        (*, G) entry: Typically, the router is RP for this group, and it also connects directly to hosts that are members of this group.

A router should never have an (S, G) entry without an incoming interface.

ProCurve# show ip mroute
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set
Timers: Uptime/Expires...

The outgoing interface list for an (S, G) RP-bit entry includes the interfaces that connect to routers who have not joined an SP tree and still need multicasts from the shared RP tree. (See Figure 13-21.)

ProCurve# show ip mroute
IP Multicast Routing Table
Flags:...
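The checks described above (an (S, G) entry with no incoming interface, and a local interface missing from an entry's outgoing interface list) are easy to apply by hand to one router, but a script helps when you are walking the tree router by router. The following is an added example, not code from the manual or the router: it parses show ip mroute output and reports those two conditions. The entry header lines follow the format shown in this chapter; the indented "Incoming interface" and "Outgoing interface list" lines are an assumed layout, and the sample output itself is constructed.

```python
import re

# Constructed sample of "show ip mroute" output (not captured from a router).
# The entry lines follow the format the chapter shows; the indented incoming and
# outgoing interface lines are an assumed layout.
SAMPLE_MROUTE = """\
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set
Timers: Uptime/Expires

(*, 239.255.255.1), 01:06:23/00:00:00, RP 10.1.1.1, Flags: SCJ
  Incoming interface: eth 0/2, RPF neighbor 10.1.32.2
  Outgoing interface list:
    eth 0/1, Forward/Sparse, 01:06:23/00:00:00

(10.1.20.5, 239.255.255.1), 00:41:58/00:03:22, Flags: ST
  Incoming interface: Null, RPF neighbor 0.0.0.0
  Outgoing interface list:
    eth 0/1, Forward/Sparse, 00:41:58/00:03:22

(10.1.66.10, 239.255.255.1), 00:12:04/00:02:55, Flags: SR
  Incoming interface: fr 1, RPF neighbor 10.1.32.1
  Outgoing interface list: Null
"""

# (source, group), uptime/expires, optional "RP x.x.x.x," and the flag letters
ENTRY_RE = re.compile(r"^\((\S+), (\S+)\), (\S+)/(\S+),(?: RP (\S+),)? Flags: (\S+)$")
IIF_RE = re.compile(r"^\s+Incoming interface: ([^,]+), RPF neighbor (\S+)$")
# interface names on this router are two tokens, e.g. "eth 0/1" or "fr 1"
OIF_RE = re.compile(r"^\s+(\S+ \S+), (\S+)/(\S+), (\S+)/(\S+)$")


def parse_mroute(text):
    """Return one dict per routing table entry, with its incoming interface and OIL."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            src, grp, uptime, expires, rp, flags = m.groups()
            cur = {"source": src, "group": grp, "uptime": uptime, "expires": expires,
                   "rp": rp, "flags": set(flags), "iif": None, "rpf_neighbor": None, "oil": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = IIF_RE.match(line)
        if m:
            iif = m.group(1).strip()
            cur["iif"] = None if iif == "Null" else iif   # "Null" means no incoming interface
            cur["rpf_neighbor"] = m.group(2)
            continue
        m = OIF_RE.match(line)
        if m:
            cur["oil"].append({"interface": m.group(1), "state": m.group(2)})
    return entries


def audit_mroute(entries, local_iface=None):
    """List (entry, problem) pairs for the conditions the troubleshooting steps warn about."""
    problems = []
    for e in entries:
        key = f"({e['source']}, {e['group']})"
        # an (S, G) entry must always have an incoming interface
        if e["source"] != "*" and e["iif"] is None:
            problems.append((key, "(S, G) entry has no incoming interface"))
        # the interface toward the hosts with the problem must be in the OIL
        if local_iface and not any(o["interface"] == local_iface for o in e["oil"]):
            problems.append((key, f"{local_iface} is not in the outgoing interface list"))
    return problems


if __name__ == "__main__":
    for entry, problem in audit_mroute(parse_mroute(SAMPLE_MROUTE), local_iface="eth 0/1"):
        print(entry, "->", problem)
```

Run it against the output of each router as you work upstream; an entry reported by audit_mroute marks the router where the tree breaks.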
Table 13-5. PIM-SM show Commands

View                                              Command Syntax
• intervals for sending join/prune packets        show ip pim-sparse
• SPT threshold
interfaces running PIM:                           show ip pim-sparse interface
• interface status
• DR for the interface’s network
• ...

Table 13-6. PIM-SM debug Commands

View                                   Command Syntax
all messages                           debug ip pim-sparse
assert messages                        debug ip pim-sparse assert
hellos                                 debug ip pim-sparse hello
PIM join and prunes                    debug ip pim-sparse joinprune
detailed information in PIM messages   debug ip pim-sparse packets
registers and register-stops           debug ip pim-sparse register...

If you see the group that you are troubleshooting in the list of group memberships, move to step 3. If the list of group memberships does not include the necessary groups, then you must troubleshoot IGMP. Remember that you should enable PIM on LAN interfaces in order for those interfaces to run IGMP.

If the multicast routing table does have an entry for the group in question, view the list of outgoing interfaces in this entry. If the local interface that connects to the network experiencing the problems is not in this list, then the router will not forward multicasts to it.

ProCurve# show ip mroute
IP Multicast Routing Table
Flags: S - Sparse, C - Connected, P - Pruned, J - Join SPT, T - SPT-bit Set, F - Register, R - RP-bit Set
Timers: Uptime/Expires
(*, 239.255.255.1), 00:41:58/00:03:22, RP 10.1.1.1, Flags: SCJ   [callout: (*, G) entry for the...]

This table must include an explicit route to the RP or source (depending on the type of entry) in order for the router to determine the incoming interface for a multicast entry. You must either enable a routing protocol on the router or configure a static route to each RP and network that may include a multicast source.

You can also enter show ip pim-sparse traffic to verify that the router is sending join/prune messages. If you want to see the actual messages being sent, then you must use the debug ip pim-sparse joinprune command as shown in Figure 13-27.

Troubleshooting RP Sets.

When a router does not receive multicast traffic from its upstream neighbors, one of the most likely problems is that the local router and its upstream neighbors have incompatible RP sets. If neighbors select different RPs for a group, the upstream router ignores joins for that group from the downstream router.

Enter this command from the CLI of the router that is using the wrong RP to view its RP set:

ProCurve# show ip pim-sparse rp-set

Compare this RP set to that configured on a neighboring router that has selected the correct RP.

RouterA# show ip pim-sparse rp-set
Group address    Static-RP-address
-----------------------------------
10.1.1.1
10.1.1.2
10.3.3.2
RouterA# show access-lists
Standard IP access list rp1
  permit host 239.255.255.1 (1 matches)
Standard IP access list rp2
  deny host 239.255.255.1 (1 matches)
  permit 224.0.0.0 15.255.255.255 (3 matches)
  permit 224.0.0.0 7.255.255.255 (0 matches)
Standard IP access list rp3...

Note the difference in Router B’s ACL for the RP at 10.1.1.2. On Router B, this RP only supports half of all possible multicast groups (224.0.0.0 through 231.255.255.255) rather than all of the groups. Figure 13-32 shows which RPs Router A and B have actually selected for each active group.

RouterA# show ip pim-sparse rp-set
Group address    Static-RP-address
-----------------------------------
10.1.1.1
10.1.1.2
10.3.3.2
RouterA# show access-lists
Standard IP access list rp1
  permit host 239.255.255.1 (1 matches)
Standard IP access list rp2
  deny host 239.255.255.1 (1 matches)
  permit 224.0.0.0 15.255.255.255 (3 matches)
  permit 224.0.0.0 7.255.255.255 (0 matches)   [callout: Remove this...]

RouterA# show ip pim-sparse rp-set
Group address    Static-RP-address
-----------------------------------
10.1.1.2
10.3.3.2
RouterA# show access-lists
Extended IP access list rp1
  permit ip any 224.0.0.0 7.255.255.255 (0 matches)
Extended IP access list rp2
  permit ip any 232.0.0.0 7.255.255.255 (1 matches)

The IP address for the multicast host address should be in the source position.
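Comparing RP sets by eye is error-prone because a standard ACL is evaluated top down with wildcard bits and an implicit deny at the end. The following is an added example, not code from the manual or the router: it models the RP-to-ACL mappings of two routers, evaluates each ACL the way a standard ACL is evaluated, and reports the groups for which the routers would end up with different candidate RPs. The ACL contents are the rp1 and rp2 lists shown above; which RP each list is attached to (rp1 to 10.1.1.1, rp2 to 10.1.1.2) is an assumption, and the group addresses tested are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    address: str
    wildcard: str = "0.0.0.0"   # "host x" is the same as x with wildcard 0.0.0.0


def acl_matches(entry, group):
    """Standard-ACL match: bits set in the wildcard are ignored, all others must be equal."""
    a = int(ipaddress.IPv4Address(entry.address))
    w = int(ipaddress.IPv4Address(entry.wildcard))
    g = int(ipaddress.IPv4Address(group))
    return (a ^ g) & ~w & 0xFFFFFFFF == 0


def acl_permits(acl, group):
    """First matching entry decides; an ACL with no matching entry denies (implicit deny)."""
    for entry in acl:
        if acl_matches(entry, group):
            return entry.action == "permit"
    return False


def candidate_rps(rp_set, group):
    """RPs whose access-group permits the group. rp_set maps RP address -> list of AclEntry."""
    return {rp for rp, acl in rp_set.items() if acl_permits(acl, group)}


def compare_rp_sets(routers, groups):
    """For each group: (routers agree?, {router name: candidate RP set})."""
    report = {}
    for g in groups:
        picks = {name: candidate_rps(rp_set, g) for name, rp_set in routers.items()}
        agree = len({frozenset(s) for s in picks.values()}) == 1
        report[g] = (agree, picks)
    return report


# The rp1 and rp2 lists as displayed on Router A; the assumption here is that rp1 is the
# access-group for RP 10.1.1.1 and rp2 the access-group for RP 10.1.1.2.
RP1_ACL = [AclEntry("permit", "239.255.255.1")]
ROUTER_A = {
    "10.1.1.1": RP1_ACL,
    "10.1.1.2": [AclEntry("deny", "239.255.255.1"),
                 AclEntry("permit", "224.0.0.0", "15.255.255.255"),   # all of 224.0.0.0/4
                 AclEntry("permit", "224.0.0.0", "7.255.255.255")],   # 224.0.0.0 - 231.255.255.255
}
# Router B's rp2 lacks the 15.255.255.255 entry, so 10.1.1.2 only serves the lower half.
ROUTER_B = {
    "10.1.1.1": RP1_ACL,
    "10.1.1.2": [AclEntry("deny", "239.255.255.1"),
                 AclEntry("permit", "224.0.0.0", "7.255.255.255")],
}
ROUTERS = {"RouterA": ROUTER_A, "RouterB": ROUTER_B}

# constructed test groups: the server's group, one in the lower half, one in the upper half
TEST_GROUPS = ["239.255.255.1", "224.1.1.1", "236.1.1.1"]


if __name__ == "__main__":
    for group, (agree, picks) in compare_rp_sets(ROUTERS, TEST_GROUPS).items():
        status = "ok" if agree else "MISMATCH"
        print(f"{group:15} {status:8} " + "  ".join(f"{n}={sorted(s)}" for n, s in picks.items()))
```

A group that shows MISMATCH is one for which the downstream router's joins will be ignored upstream, which is the symptom described in this section; the fix is to make the access-group for that RP identical on both routers.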
Quick Start

This section provides the commands you must enter to quickly configure PIM-SM for multicast routing. Only a minimal explanation is provided. If you need additional information about any of these options, see “Contents” on page 13-1 to locate the section and page number that contains the explanation you need.

You can also prohibit the router from using SP trees at all. Enter this command from the PIM sparse configuration mode context:

Syntax: spt-threshold infinity

You can configure different RPs to support different multicast groups. Configure the address or range of addresses for groups that the RP should support in a standard ACL.
Link Layer Discovery Protocol
Overview

Routing protocols allow routers to learn about each other dynamically as a network expands and changes. However, these protocols run over Layer 3 of the Open Systems Interconnection (OSI) model. Devices such as switches, which operate on Layer 2, do not participate.

LLDP runs over the Data Link Layer, so devices that use different Network Layer protocols can still identify each other. The ProCurve Secure Router automatically participates in LLDP so that the router can learn about the devices to which it connects and so that it can inform other devices of its presence.

The ProCurve Secure Router supports a network control protocol (NCP) called the LLDP Control Protocol (LLDPCP). This protocol allows PPP peers to negotiate the exchange of LLDP messages encapsulated in PPP frames. The router can also exchange LLDP messages over a Frame Relay or an ATM PVC.

Viewing LLDP Information

The ProCurve Secure Router automatically runs LLDP with settings suitable for a typical network. Before you alter these settings, you should examine the information that the router is actually sending and receiving. You should also understand how LLDP works so that you can capitalize on the information LLDP interfaces collect.

capabilities—all the functions the neighbor can fulfill, which include:
• router
• bridge
• host
• DOCSIS device (a type of cable modem)
• WLAN Access Point
• repeater
• telephone

enabled capabilities—the neighbor’s current function; the display gives a key for the capabilities (for example, R for router)

local port or interface—the interface through which the router connects to the neighbor...

If you enter the show lldp neighbors command without any options, you can also view a summary of the LLDP information. The summary includes only:
• system name (neighbor’s)
• port ID
• enabled capabilities
• platform
• local port

ProCurve# show lldp neighbors
Capability Codes: R - Router, B - Bridge, H - Host, D - DOCSIS Device,...

You can also view actual information about neighbors as this information updates in real time. (See Figure 14-5.) Enter:

Syntax: show lldp neighbors realtime

--------------------------------------------------------------------
Capability Codes: R - Router, B - Bridge, H - Host, D - DOCSIS Device, W - WLAN Access Point, r - Repeater, T - Telephone
System Name    Port ID...

You can view the LLDP messages that are arriving on interfaces in real time by entering:

Syntax: debug lldp rx [verbose]

If an interface seems to be receiving an undue number of messages, you can enter the show lldp neighbors interface <interface ID>...

Configuring LLDP

All active interfaces on the ProCurve Secure Router, except for ATM subinterfaces, automatically send out LLDP messages. (See Table 14-2 on page 14-15 for the default transmit intervals.) For most networks, the default settings for LLDP are adequate. If you so choose, you can attempt to minimize overhead or to restrict the information the router transmits about itself by:
• preventing an interface from sending certain LLDP messages...

Enter no lldp send without any options to prevent the interface from transmitting any messages. You can restrict the interface from sending only certain messages by entering the no form of the lldp send command followed by the specific option. For example, if a WAN interface transmits the management address into an untrusted environment, hackers could attempt to access your router.
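The fields that show lldp neighbors summarizes (system name, port ID, capabilities, management address) are carried in the LLDPDU as TLVs, so a packet capture on a WAN interface shows exactly what a neighbor, or anyone listening on an untrusted link, learns about the router. The following is an added example, not code from the manual or the router: it builds a constructed LLDPDU with the standard IEEE 802.1AB TLV types, decodes it, and extracts the same fields the router's summary lists. The chassis MAC, port name, TTL, capabilities and management address in the sample are all constructed values, and the reviewer's point is that the management address TLV is the one no lldp send management-address would withhold.

```python
import struct

# System capability bits as defined by IEEE 802.1AB (the codes the router's
# display abbreviates as R, B, H, D, W, r and T)
CAPABILITY_BITS = {0: "Other", 1: "Repeater", 2: "Bridge", 3: "WLAN Access Point",
                   4: "Router", 5: "Telephone", 6: "DOCSIS Device", 7: "Station Only"}


def tlv(tlv_type, value):
    """Encode one TLV: a 7-bit type and a 9-bit length packed into a 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed LLDPDU (not captured from a real router). Every value below is made up.
SAMPLE_LLDPDU = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),     # chassis ID, subtype 4 = MAC address
    tlv(2, b"\x05" + b"eth 0/1"),                         # port ID, subtype 5 = interface name
    tlv(3, struct.pack("!H", 120)),                       # time to live, seconds
    tlv(5, b"ProCurve"),                                  # system name
    tlv(7, struct.pack("!HH", 0x0014, 0x0010)),           # capabilities: bridge+router; enabled: router
    # management address: addr len (subtype + 4 bytes), subtype 1 = IPv4, 10.1.1.1,
    # interface numbering subtype 2 = ifIndex, ifIndex 1, OID length 0
    tlv(8, b"\x05\x01" + bytes([10, 1, 1, 1]) + b"\x02" + struct.pack("!I", 1) + b"\x00"),
    tlv(0, b""),                                          # End of LLDPDU
])


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, stopping at the End TLV."""
    tlvs = []
    pos = 0
    while pos + 2 <= len(data):
        header, = struct.unpack_from("!H", data, pos)
        t, length = header >> 9, header & 0x1FF
        value = data[pos + 2: pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if t == 0:
            break
        tlvs.append((t, value))
    return tlvs


def decode_capabilities(word):
    return {name for bit, name in CAPABILITY_BITS.items() if word & (1 << bit)}


def summarize(tlvs):
    """Extract the fields the router's neighbor summary shows, plus any management address."""
    info = {"management_addresses": []}
    for t, v in tlvs:
        if t == 1:
            info["chassis_id"] = v[1:].hex(":") if v[0] == 4 else v[1:].decode(errors="replace")
        elif t == 2:
            info["port_id"] = v[1:].decode(errors="replace")
        elif t == 3:
            info["ttl"] = struct.unpack("!H", v)[0]
        elif t == 5:
            info["system_name"] = v.decode(errors="replace")
        elif t == 7:
            caps, enabled = struct.unpack("!HH", v)
            info["capabilities"] = decode_capabilities(caps)
            info["enabled_capabilities"] = decode_capabilities(enabled)
        elif t == 8:
            addr_len, subtype = v[0], v[1]        # addr_len counts the subtype byte too
            addr = v[2:1 + addr_len]
            if subtype == 1 and len(addr) == 4:   # IPv4 management address
                info["management_addresses"].append(".".join(str(b) for b in addr))
    return info


if __name__ == "__main__":
    for key, value in summarize(parse_lldpdu(SAMPLE_LLDPDU)).items():
        print(f"{key}: {value}")
```

If a decoded message from one of your own WAN interfaces lists a management address, that is the TLV to suppress with the no form of lldp send on that interface.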
Preventing an Interface from Receiving LLDP Messages

You can prevent an interface from listening for LLDP messages by moving to its configuration mode context and entering:

Syntax: no lldp receive

You cannot filter out certain types of information. The interface either receives all LLDP messages or none.

Quick Start

Table 14-2. LLDP Intervals

Interval            Meaning                                        Default      Range                  Command Syntax
transmit interval   time between sending LLDP messages during      30 seconds   5 to 32,768 seconds    lldp transmit-interval <seconds>
                    normal operations
minimum transmit    minimum time the...                            2 seconds    1 to 8192              lldp minimum-...

b. You can also prevent the router from sending any LLDP messages, while still allowing it to listen for messages.

Syntax: no lldp send

To only prevent the router from receiving LLDP messages, enter:

Syntax: no lldp receive

Enter a command without the no option to re-enable the function.
IP Routing—Configuring RIP, OSPF, BGP, and PBR

Contents
Overview ........... 15-6
Routing Protocols ...
Enabling and Disabling Route Summarization for Classful Subnets ......... 15-27
Configuring a Passive Interface: Prohibiting an Interface from Sending Updates ...
Configuring BGP .......... 15-67
BGP Advantages ...
Filtering Inbound Routes ...... 15-103
Applying Policies to Inbound Routes ...
Troubleshooting Routing ........ 15-148
Monitoring the Routing Table ...
Overview

This chapter describes how to configure routing protocols and policy based routing (PBR). Before attempting to configure a routing protocol, you should understand:
• IP addressing, including how a subnet mask divides an IP address into a network address and a host address
• classful and classless IP networks
• classless interdomain routing (CIDR) notation...

Dynamic Routing Protocols Supported on the ProCurve Secure Router

The ProCurve Secure Router supports three routing protocols—each of which it can use alone or in conjunction with the others:
• Routing Information Protocol (RIP) versions 1 and 2
• Open Shortest Path First (OSPF) version 2
• Border Gateway Protocol (BGP) version 4

RIP and OSPF are Interior Gateway Protocols (IGPs);...

What information routers include in routing updates—With some routing protocols, routers exchange their entire routing tables. With other routing protocols, routers exchange only portions of the routing table. Routers that are running a link-state protocol, such as OSPF, do not exchange actual routes.

Table 15-1. Routing Protocol Comparison

Option                 RIP                      OSPF                        BGP
Metric computation     Number of hops to the    • Inverse bandwidth         Variety of policies:
and route ...          destination.             • Type of service (ToS)     • external or internal route
                                                  (rarely used)             • ...

Advantages and Disadvantages of Routing Protocols

Dynamic routing can provide reliable routes. OSPF, for example, can select routes according to fairly sophisticated criteria, such as link state and bandwidth, and BGP can take an organization’s policies into account. The best route at one moment may not always be the best route, and dynamic routing protocols can track these changes.

Protocol   Advantages                              Disadvantages                          Uses
BGP        • ISPs use BGP.                         • Configuration is complicated.        • Connecting to an ISP
           • BGP provides tight control over       • The network must also run an IGP.    • Not used over dial-up
             which routes are...

Configuring RIP

lowest values will be selected. Because different routing protocols have different administrative distances, the multiple routes will generally be discovered using the same dynamic protocol. The router can share traffic over the routes based on destination, assigning traffic destined to some hosts to one route and traffic destined to other hosts to another route.

When a router receives a route that it does not know from a neighbor, it adds it to its routing table. The source of the update becomes the next-hop address for the destination, and the metric is the advertised metric plus one. That is, because the router is one hop from the source of the update, the router is also one more hop from the destination.

• an address family field—set at 2, indicating that addresses are in IPv4 format
• up to 25 entries, each consisting of:
  • a destination IP address
  • a metric, which is the number of hops to the destination address from the router that is sending the packet

When a router discovers a new or better route from a RIP v1 update, it assumes that the neighbor from which it received the update is the next hop for the...

Speeding Convergence: Split Horizon, Poison Reverse, and Triggered Updates

One shortcoming of RIP is its relatively slow convergence in some network environments. Routers send updates every 30 seconds. In a large network, a router may not receive accurate and up-to-date information on a route for several minutes.

As long as the network remains stable, this process continues smoothly. However, problems arise if the topology changes. Consider what happens when the link between Router B and Network 1 fails. (See Figure 15-2.) Router B begins advertising a route to Network 1 with a metric of 16 to indicate that it is unreachable.

Worse, the count to infinity interferes with convergence to an actual valid route. For example, Router C in Figure 15-2 also connects to Network 1 through a five-hop redundant route. Router C waits until the count to infinity for the invalid route reaches 6 before it starts using and advertising the correct route.
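The count to infinity is easiest to understand by watching the metrics tick upward cycle by cycle. The following is an added example, not code from the manual: a small synchronous simulation of distance-vector updates using RIP's "advertised metric plus one" rule and the unreachable value 16. The topology is constructed (Network 1 behind Router B, then Routers A and C in a line, optionally with a fourth Router D that gives C a longer second path), so it is not the network of Figure 15-2 and the cycle counts differ from the ones quoted there. Running it with mode "none", "split-horizon" or "poison-reverse" shows why those two mechanisms exist.

```python
INFINITY = 16   # RIP's "unreachable" metric


class Router:
    def __init__(self, name, direct):
        self.name = name
        self.neighbors = []
        # routing table: destination -> (metric, next_hop); next_hop None means directly connected
        self.table = {dest: (metric, None) for dest, metric in direct.items()}

    def advertisement(self, to, mode):
        """Routes this router sends to neighbor `to` in one update cycle."""
        adv = {}
        for dest, (metric, next_hop) in self.table.items():
            if next_hop is to:
                if mode == "split-horizon":      # never echo a route back to the router it came from
                    continue
                if mode == "poison-reverse":     # echo it back, but as unreachable
                    adv[dest] = INFINITY
                    continue
            adv[dest] = metric
        return adv

    def process(self, updates):
        """Apply all (neighbor, advertisement) pairs received in one cycle; True if anything changed."""
        changed = False
        dests = set(self.table) | {d for _, adv in updates for d in adv}
        for dest in dests:
            metric, next_hop = self.table.get(dest, (INFINITY, None))
            offers = {}
            for neighbor, adv in updates:
                if dest in adv:
                    offers[neighbor] = min(adv[dest] + 1, INFINITY)   # one more hop than the advertiser
            if next_hop is not None and next_hop in offers:
                metric = offers[next_hop]   # the current next hop's report is accepted even if worse
            best = min(offers, key=offers.get, default=None)
            if best is not None and offers[best] < metric:
                metric, next_hop = offers[best], best
            if self.table.get(dest) != (metric, next_hop):
                self.table[dest] = (metric, next_hop)
                changed = True
        return changed


def link(x, y):
    x.neighbors.append(y)
    y.neighbors.append(x)


def simulate(routers, mode, max_cycles=40):
    """Run synchronous update cycles until tables stop changing; return Net1 metrics per cycle."""
    history = []
    for _ in range(max_cycles):
        sent = {r: {n: r.advertisement(n, mode) for n in r.neighbors} for r in routers}
        changed = False
        for r in routers:
            changed |= r.process([(n, sent[n][r]) for n in r.neighbors])
        history.append({r.name: r.table["Net1"][0] for r in routers if "Net1" in r.table})
        if not changed:
            break
    return history


def build(redundant_path):
    """Constructed topology: Net1 - B - A - C, optionally with C - D where D also reaches Net1."""
    b, a, c = Router("B", {"Net1": 1}), Router("A", {}), Router("C", {})
    link(b, a)
    link(a, c)
    routers = [b, a, c]
    if redundant_path:
        d = Router("D", {"Net1": 4})   # constructed: a second, longer path to Net1 (five hops from C)
        link(c, d)
        routers.append(d)
    return routers


def count_to_infinity(mode, redundant_path=False):
    """Converge, fail B's link to Net1, and return each cycle's Net1 metrics until stable."""
    routers = build(redundant_path)
    simulate(routers, mode)
    routers[0].table["Net1"] = (INFINITY, None)   # B loses its direct route and advertises 16
    return simulate(routers, mode)


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        history = count_to_infinity(mode)
        print(f"{mode}: {len(history)} cycles, final {history[-1]}")
    print("redundant path, no split horizon:", count_to_infinity("none", redundant_path=True))
```

Without split horizon the three routers pass the stale route back and forth, gaining two hops every two cycles until every metric reaches 16; with split horizon or poison reverse the failure settles in two cycles. In the redundant-path run, B's metric counts up to 7 before the tables stabilize on the correct path through D.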
The timeout interval determines the amount of time the router will wait without receiving information about a route before declaring that route invalid. When the router times out a route, it sends out poison updates for that route for the next two update cycles.

Options                    RIP Specification                           Configuration Considerations
which routers send and     • all router interfaces on RIP networks     • specifying RIP networks (page 15-21)
receive updates            • passive interfaces, which receive          • configuring passive interfaces (page 15-30)
                             updates but do not send them...

Setting a Global RIP Version

This command specifies which type of RIP updates the ProCurve Secure Router will both send and listen for:

Syntax: version [1 | 2]

The default version is 1. Because RIP v2 provides significant advantages over RIP v1, you may want to use v2 if possible.

For example:

ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# ip rip send version 1
ProCurve(config-eth 0/1)# ip rip receive version 1

If the router connects to an external network (for example, an ISP), you should implement RIP v2, which can act as an EGP.

For example, you would configure Router A in Figure 15-3 as follows:

ProCurve(config-rip)# network 192.168.1.0 255.255.255.0
ProCurve(config-rip)# network 10.1.1.0 255.255.255.252

Figure 15-3. (figure not reproduced; it shows Router A and Router B joined by a WAN connection on 10.1.1.0/30, with Network 1 as 192.168.1.0/24 and Network 2 as 192.168.2.0/24)

routing updates. (See Chapter 11: Configuring a Tunnel with Generic Routing Encapsulation.) A router that receives and accepts the redistributed route adds it to its routing table as a RIP route. By default, RIP interfaces advertise redistributed routes with a metric of zero, as if they were directly connected.

Redistributing OSPF Routes

Various routing protocols discover routes in different ways. Some routing protocols produce more reliable routes in certain topologies than other routing protocols can. For some networks, you might need to use several routing protocols.

Creating an ACL to Act as a RIP Filter

To configure RIP route filtering, you must first create a standard ACL that specifies which route you want to filter. To create the ACL, from the global configuration mode context, enter:

Syntax: ip access-list standard <listname>...

You can then apply the filter:
• globally to all inbound routes
• globally to all outbound routes
• to all routes received on a specific interface
• to all routes advertised on a specific interface
• to all routes learned by a particular method (redistributed routes)

Applying Global RIP Filters.

Example RIP Filter

You might want to prohibit RIP from redistributing and advertising an OSPF default route, but you may want to allow RIP to advertise other OSPF routes. In this example, the ACL requires only a permit statement for the allowed OSPF route.

Destination IP Address     Next-Hop IP address   Metric
10.5.0.0 255.255.0.0       10.1.1.1

With route summarization, an interface can broadcast:

Destination IP Address     Next-Hop IP address   Metric
10.0.0.0 255.0.0.0         10.1.1.1

Route summarization is particularly useful for limiting the amount of bandwidth routers consume with RIP updates.

(Figure not reproduced; it shows a routing table listing Network 1 with next hop A, Network 2 with next hop A and Network 3 with next hop C; Router A and Router B joined by a WAN connection on 1.1.1.0/30; Router B and Router C joined by a WAN connection on 2.2.2.0/30; Network 1 as 10.1.1.0/24 and Network 2 as 10.1.2.0/24...)

Configuring a Passive Interface: Prohibiting an Interface from Sending Updates

In some situations, you may want an interface to receive routes but not to broadcast its own routing table. For example, you can configure a loopback interface as a passive interface to prevent it from sending out updates through a physical interface that has already sent out updates of its own.

For example, you can configure a loopback interface as a passive interface to prevent the router from sending out redundant advertisements. For another example, you can use a tunnel interface to receive RIP updates from a remote VPN site.
To set the timeout interval, enter this command from the RIP configuration mode context:

Syntax: timeout-timer <seconds>

You can set the timer to any number between 5 and 4,294,967,295 seconds.

Configuring OSPF

OSPF was designed to cope with several of RIP’s shortcomings.

You can also divide an OSPF network into areas, each of which deals with its own routing. After you partition the AS into areas, routers take on differentiated roles and only learn about their own area, further reducing the strain on individual routers.

Point-to-Point Versus Multi-Access Networks

In a point-to-point network, a router establishes full adjacency only with the routers to which it is directly connected. All WAN connections on the ProCurve Secure Router are point-to-point. Even Frame Relay networks rely on point-to-point permanent virtual circuits (PVCs) connected through Frame Relay subinterfaces.

Internal routers, which are entirely in one area, handle intra-area routing. They use Type 1 and 2 LSAs (which are described in “LSA Types” on page 15-37) to synchronize their databases with routers in their own area and to generate the intra-area routes.

Internal routers in a stub area are stub routers. At least one router in the area communicates with an ABR in area 0. The network that the two routers have in common is defined as part of the stub area, making the area 0 router part of both area 0 and the stub area.

LSA Types

Routers within an area exchange LSAs Type 1 and 2 to synchronize their databases. Routers can also transmit LSAs Type 3, 4, and 5 between areas so that they can learn how to route inter-area traffic. Table 15-6 summarizes the different LSA types.

All routers generate Type 1 LSAs, which they use to advertise their own links. A Type 1 LSA includes:
• the link ID—in a point-to-point link, the neighboring router’s ID (typically its loopback interface address); in a link to a network, the network IP address
• the type of link—point to point, stub network, transit network
• link status...

Depending on the type of LSAs that the router receives, the database can also include:
• links to ranges of networks in other areas
• links to external networks

The router would use this information to generate inter-area and external routes.

One common topology for a WAN is a headquarters, defined as area 0, that connects to stub areas at one or more remote sites. In this topology, the headquarters’ routers that connect to the remote sites are ABRs. The routers at the remote sites are internal routers.

Figure 15-7. OSPF Network with WAN as Area 0 (figure not reproduced; it shows Area 0 with ABR A and ABR B, Area 1 with Internal Router C and Networks 1 and 2, and Area 2 with Internal Router D and Networks 3 and 4)

If these routers are the only routers at the remote sites or if the remote sites are quite small, you could leave the network undivided.

Refer to Table 15-7 for a summary of how OSPF manages route exchanges and what parameters you can configure for the protocol.

Table 15-7. OSPF Parameters

Parameter              OSPF Specification                          Configuration Considerations
Information in         •...

Parameter              OSPF Specification                          Configuration Considerations
When routers send      • Routers send LSAs:                        Optional:
LSAs and other           – not more than every 5 seconds           • Configuring intervals for an OSPF interface (page 15-60)
messages                 –...

In addition, for ABRs you can:
• prohibit a summary LSA from being advertised

You complete most OSPF configurations from the OSPF configuration mode context. However, you alter OSPF intervals for individual interfaces from that interface’s configuration mode context.

to identify the routers at remote sites. In addition, loopback interfaces are always up as long as the router has at least one functioning link. Consequently, the router’s ID will not change if an interface goes down and up again.

If your entire WAN is only one area, you should define all networks as part of area 0. Move to the OSPF configuration mode context and enter:

Syntax: network <A.B.C.D> <wildcard bits> area <area ID | A.B.C.D>

You use wildcard bits to define networks rather than a subnet mask.

Note
You must configure each device in the stub area with the area <area ID> stub command. Otherwise, devices will not be able to achieve adjacency.

Even though routers in a stub area only handle intra-area routing, hosts can still reach other areas.

Route summarization offers two distinct advantages:
• Saving bandwidth and router memory—Routers can transmit more information at once. Routing tables are simplified.
• Cordoning off problem networks—OSPF routers generate a network topology according to the messages they receive about link states; whenever a link goes down or up, the network topology changes.

(Figure not reproduced; it shows HQ as Area 0 with Router C, ABR A and ABR B, stub areas including area 1 and area 3 with Routers D, E and F at the remote sites, and the subnets 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24, 10.1.6.0/24, 10.1.8.0/24 and 10.1.9.0/24...)

For example, if area 1 included a single 24-bit subnet that the ABR should advertise to other areas, you should enter:

ProCurve(config-ospf)# area 1 range 192.168.1.0 255.255.255.0 advertise

An area often contains several subnets. As long as these subnets are contiguous, you can specify all of them at the same time by altering the subnet mask.

For example, suppose that traffic between area 1 and the ABR must travel over a relatively low-speed link. In this case, you might change the default-cost setting to 20:

ProCurve(config-ospf)# area 1 default-cost 20

Example Configuration of OSPF Areas

The WAN shown in Figure 15-12 connects the company’s headquarters to three remote sites in a Frame Relay network.

In the example configuration commands, note that the network commands enable OSPF on the /20 subnets on which the ABR interfaces reside. The area <area ID> range commands, on the other hand, specify the range of four /20 subnets that belong to each area.
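Two places in this section are easy to get wrong by hand: the network command takes wildcard bits rather than a subnet mask, and an area range that is wider than the subnets it summarizes advertises addresses the area does not own. The following is an added example, not code from the manual or the router: it converts masks to wildcard bits, tests whether an interface address falls under a network statement, and computes the smallest area range that covers a set of subnets while flagging ranges that are not filled exactly. The four /20 subnets used as input are constructed values standing in for the ones in the example configuration.

```python
import ipaddress


def wildcard_for(mask):
    """OSPF network statements take wildcard bits, the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def network_statement_matches(address, network, wildcard):
    """True if an interface address falls under `network <network> <wildcard> area ...`."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0   # bits set in the wildcard are "don't care"


def summary_range(subnets):
    """Smallest single prefix covering all subnets, as (network, mask, exact).

    exact is False when the range also covers addresses that belong to none of the
    subnets, i.e. the ABR would advertise more than the area actually contains."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for prefix in range(32, -1, -1):
        cand = ipaddress.ip_network((int(lo), prefix), strict=False)
        if hi in cand:
            break
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(cand.network_address), str(cand.netmask), covered == cand.num_addresses


def area_commands(area, subnets):
    """Render the network statements and the area range for one OSPF area."""
    lines = []
    for s in subnets:
        n = ipaddress.ip_network(s)
        lines.append(f"network {n.network_address} {wildcard_for(str(n.netmask))} area {area}")
    net, mask, exact = summary_range(subnets)
    lines.append(f"area {area} range {net} {mask} advertise")
    return lines, exact


# constructed: four contiguous /20 subnets in one stub area, as in the example configuration
AREA1_SUBNETS = ["10.1.0.0/20", "10.1.16.0/20", "10.1.32.0/20", "10.1.48.0/20"]

if __name__ == "__main__":
    cmds, exact = area_commands(1, AREA1_SUBNETS)
    print("\n".join(cmds))
    print("range is exact:", exact)
    # three subnets that do not fill a power-of-two block: the range over-advertises
    _, exact = area_commands(2, AREA1_SUBNETS[1:])
    print("range for three subnets is exact:", exact)
```

When exact comes back False, either add the missing subnet to the area or split the summary into two ranges so that the ABR does not attract traffic for addresses it cannot reach.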
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF Prohibiting the Advertisement of Networks You can prohibit an ABR from advertising networks in one area to routers in another area. You can also prohibit the advertisement of only a certain range of destinations within the area.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF If the routing table already includes a default route (the first two options described above), you do not need to enter the always keyword with the default-information-originate command. The always keyword configures the router to generate the default route even when it does not have its own default route.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring OSPF advertise only one default route for all of them. Or the router in a virtual private network (VPN) may receive routes from an ISP router that the ISP has tunneled from a remote site. For example, suppose that a router receives an external route for a network that uses private addresses in 10.2.0.0 /16 range.
Page 783
However, you can override the cost the ProCurve Secure Router computes. For example, you may want to assign a higher cost to a high-speed but frequently congested link. Or you may want to assign a lower cost to a lower-speed but cheaper connection.
The range for the rate is 1 to 4,294,967 Mbps. The default is 100.
Redistributing Routes Discovered by Other Protocols (ASBRs)
Many networks use more than one routing protocol. Routing protocols discover routes in different ways.
However, if the external routes are limited, you can simply have the router redistribute them into OSPF. For example, suppose that your router connects to an external network that runs RIP. You can enable the router’s WAN interface to run RIP (see “Configuring RIP”...
Configuring the Default Metric for Redistributed Routes
By default, the ProCurve Secure Router assigns routes redistributed into OSPF a metric of 20. Enter the following command to change this metric for all redistributed routes:
Syntax: default-metric <value>...
To change the hello interval for a logical interface, move to the configuration mode context for that interface and enter:
Syntax: ip ospf hello-interval <value>
The value can be between 1 and 65,535 seconds.
Note: When you change an interface’s hello interval, you must remember to change its peer interface’s dead interval accordingly.
The refresh interval, which dictates how often routers must send out an LSA, must be such that routers can refresh their databases every 30 minutes. The shortest path first (SPF) delay and hold timers save processing power by preventing a router from continuously calculating new best routes.
With OSPF simple password authentication, routers simply add a password to the 64-bit authentication field in the OSPF header. With MD5 authentication, a router uses a secret key and the MD5 algorithm to generate a message digest for a packet.
For example, you might enter:
ProCurve(config-fr 1.101)# ip ospf message-digest 1 md5 secret
Note: You must set the same password or key for each interface on a network, but you can set different passwords or keys for different networks.
To configure the ABR, you would complete the following steps:
Assign IP addresses to the Ethernet and WAN interfaces:
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# ip address 10.1.1.2 /24
ProCurve(config)# interface eth 0/2
ProCurve(config-eth 0/2)# ip address 10.1.3.2 /24
ProCurve(config)# interface ppp 1
ProCurve(config-ppp 1)# ip address 10.1.4.2 /24...
Define the router ID by configuring a loopback interface:
ProCurve(config)# interface loop 1
ProCurve(config-loopback 1)# ip address 192.168.251.5 /24
Access the OSPF configuration mode context:
ProCurve(config)# router ospf
Define the connected OSPF networks in the area. This step also enables OSPF on interfaces on those networks:
ProCurve(config-ospf)# network 10.1.5.0 0.0.0.255 area 5
ProCurve(config-ospf)# network 10.1.6.0 0.0.0.255 area 5...
Redistribute routes discovered by the EGP into OSPF. Also, redistribute connected routes because not all interfaces are running OSPF. Both commands are entered in the OSPF configuration mode context:
ProCurve(config-ospf)# redistribute rip
ProCurve(config-ospf)# redistribute connected
You could alternatively generate a default route for external traffic:
ProCurve(config-ospf)# default-information-originate always
Or you could configure a route summary for the external traffic:
ProCurve(config-ospf)# summary-address 10.200.0.0 255.255.0.0...
Configuring BGP
The WAN router runs BGP to communicate with the connecting ISP router, also called the ISP edge router. The ISP tunnels the routes advertised by the local router through the Internet to the remote sites. Only ISP routers that connect to routers at the private organization’s remote sites can receive these routes, which they then pass to the private routers.
VRF and MPLS
An ISP uses Virtual Routing and Forwarding (VRF) to separate one customer’s routes from another’s and Multiprotocol Label Switching (MPLS) to ensure that the routes reach only the authorized remote sites. Without VRF, customers could not transmit private network routes between remote sites: the ISP routers would have no way of knowing which route belonged to which customer.
The ISP edge router connecting to the local site forms an MPLS Label Switch Path (LSP) with the ISP edge router connecting to the authorized remote site. (An LSP resembles a dynamic PVC.) The edge routers mark packets with an MPLS label that directs them toward the other router through the LSP so that only Customer A sites receive Customer A routes.
BGP Messages
BGP sends relatively few messages compared to a routing protocol such as OSPF. A BGP update can include one new route and several withdrawn routes.
AS Field. When a BGP interface advertises a route, it adds its AS to the BGP packet.
• configure policies to load balance:
   • configure an interface as the source of external updates
   • prepend private AS numbers to help balance inbound traffic
   • set a multi-exit discriminator to help balance inbound traffic
• enable inbound soft reconfiguration
• set an administrative distance for routes discovered by BGP
• alter BGP intervals...
Enabling BGP
To enable BGP, enter the following command from the global configuration mode context. You must also set the local AS number:
Syntax: router bgp <AS number>
For example, your ISP has assigned your organization AS 1:
ProCurve(config)# router bgp 1
You then enter the BGP configuration mode context:
ProCurve(config-bgp)#...
Therefore, when you advertise a network or range of networks, you must verify that the routing table includes the exact route that you have specified (including the same subnet mask or corresponding prefix length). If the routing table does not include this route, you must configure a null route.
Configuring a BGP Neighbor
BGP is different from many routing protocols because it does not allow a router to automatically search for peers from which to obtain routes. You must configure a separate BGP neighbor for each router with which the local router can communicate.
The router includes the local AS number in BGP routes that it receives from your router and advertises to another peer. Often, the ISP prohibits its routers from advertising routes with your AS in its path to external neighbors. The local AS should be the same number, assigned to you by the ISP, that you configured when you enabled BGP.
Balancing Loads over Multiple Connections to the Same Neighbor: Specifying the Source for Updates
If you are connecting to the neighbor using T1 or E1 lines over a PPP or Frame Relay connection, you do not need to configure load balancing. You should instead configure Multilink PPP (MLPPP) or Multilink Frame Relay (MLFR), protocols that automatically distribute traffic over multiple carrier lines.
Note: You must inform your ISP if you are using a loopback interface as the update source so that its IT staff can correctly configure the ISP router to connect to your router.
Routers prefer routes discovered through eBGP over those discovered by an internal routing protocol. For example, the organization in Figure 15-17 multihomes using Router A and Router B. Router A receives external routes from the ISP;...
You configure which routes the router accepts and advertises by configuring prefix lists and applying them to neighbors. Apply a prefix list to outbound data to restrict the advertisement of certain routes; apply a prefix list to inbound data to prohibit the router from accepting a route.
Creating Prefix Lists: Configuring Filters for Route Exchange
Because BGP is designed to run between external networks, it allows administrators to precisely control the information routers accept from neighbors and advertise about the private network. When a BGP router receives a route from a neighbor, it applies an internal filter before it even considers whether to place the route in its routing table.
To break this command down into its steps, you:
• name the list
• assign the entry an order
• specify whether the filter permits or denies routes that match the entry
• specify the network address, including prefix length
• optionally, specify the range of prefix lengths that the router will permit (or deny) for routes to subnets within this network
Naming the List...
Specifying the Range of Prefix Lengths
If you enter only a network address without specifying a range for prefix lengths, the router assumes that the route must be an exact match. For example, if you enter ip prefix-list FilterIn seq 5 permit 10.1.0.0 /16, the BGP interface will only accept routes to the entire 10.1.0.0 /16 subnet.
Example BGP Policies
Prefix list filters help you to regulate which routes the router advertises and learns, thus controlling to some degree the path traffic takes in and out of your network.
Preventing the Router from Advertising External Traffic. A common BGP application is multihoming. Multihoming allows you to connect to two ISPs and advertise certain routes to one ISP and certain routes to the other ISP. An unintended consequence of multihoming is that the ISPs can advertise routes to each other through your local network, which can then become a transit network for external traffic.
When multihoming, you can configure one BGP interface to advertise one set of local networks to one ISP and another BGP interface to advertise another set to another ISP. In this way, you can attempt to force the ISPs to load balance incoming traffic across your two connections.
[Figure 15-19. Load Balancing Outgoing Traffic: diagram residue. Labels recovered: Customer, Router A, ISP 1, ISP 2, Network 1, Network 2.]
For example, Router A in Figure 15-19 connects to ISP 1 and ISP 2 through two PPP interfaces.
Example Prefix List Configuration
Router A in AS 1 connects to the Internet. It uses a default route for typical Internet traffic, but needs routes to the private networks at a remote VPN site. Each site in the VPN uses addresses in the 10.1.0.0 /16 range.
You can also configure a route map to apply various attributes to the routes it filters. For example, when advertising a route, the router can request that the neighbor restrict advertisement of that route to certain peers. You would configure the router to make this request by creating an outbound route map to add community attributes to the route.
Creating a Route Map Entry
To create a route map entry, enter this command from the global configuration mode context:
Syntax: route-map <mapname> <sequence number>
You can apply one route map to each neighbor for outbound data and one for inbound data.
You can permit multiple communities by stringing several keywords in the same command. For example:
ProCurve(config-comm-list)# permit local-as no-export
You can also specifically deny a community from a list. For example, in order to prohibit the BGP interface from advertising routes belonging to a certain community, you should configure a community list that denies that community.
Defining the Routes that a Router Can Advertise
You can control whether the BGP interface advertises a route to a neighbor according to the route’s:
• network address and prefix length
• AS path
• community
• metric
You select the routes that the BGP interface will advertise by entering a match...
The simplest way to configure a prefix list is to permit the exact routes that the BGP interface should advertise. For example, your network includes two networks. You want the router to advertise network 10.1.0.0 /16 but not network 10.2.0.0 /16.
Filtering Advertised Routes According to Community. If your network places routes in communities, you can filter the routes that the local router advertises according to these communities. A route can be a member of one or more communities. A community is simply a way of grouping routes together and applying a consistent policy to the group.
Table 15-12. Policies for BGP Communities
Community      Advertise To
internet       all peers
local-as       peers in the local AS
no-advertise   no peers
no-export      internal peers only
For example, your router connects to an external BGP neighbor. You configure a community list to allow the router to advertise routes in the Internet community, but to suppress advertisement of routes in the local AS.
Private networks do not typically transit traffic between ASs. Therefore, filtering advertised routes according to AS path is usually unnecessary when configuring eBGP in a private network. To select routes according to values in their AS fields, first create the AS list:
Syntax: ip as-path-list <listname>...
Use set commands to configure attributes you want to apply to the advertised routes and then apply the route map to the BGP neighbor as an outbound filter. If you do not want to set any attributes, simply apply the route map.
Placing a Route in a Community: Requesting a Neighbor to Advertise a Route to Certain Peers Only
You can configure a route map to place a route in a BGP community.
In the prefix list, you can also specify routes to a range of subnets. Enter the network address of the entire network and the range of prefix lengths used by subnets within that network. For example, suppose a network includes multiple, variable-length private subnets in the 192.168.0.0 /16 range.
You can use multiple set commands to place selected routes in multiple communities. In order for the router to advertise routes’ community attributes to the external neighbor, you must move to the BGP neighbor configuration mode and enter:
Syntax: send-community standard
You must also apply the route map that establishes routes’...
You can also select routes according to other attributes, such as AS path or community:
Syntax: match [as-path <listname> | community <listname>]
For example, if your network groups routes into two communities, you could advertise routes in one of these communities with an artificially high AS hop count.
Follow these steps to set multi-exit discriminators:
Divide your network into various destinations for traffic. Divide the network into as many sections as your organization has connections to ISP routers. Determine which connections you would like external neighbors to use for traffic destined to the various sections of the network.
Configure a route map with a new name for the second external neighbor. Repeat steps 3 through 6. In this second route map, the set of routes that received the higher metric in the first route map should receive a lower metric, and one of the sets of routes that received the lower metric in the first route map should now receive a higher metric.
Filtering Inbound Routes
Just as you can control the routes that the local router advertises to a neighbor, you can also control the routes that the router accepts from a neighbor. You can filter inbound routes according to:
• destination network address and prefix length
• community...
Next, create the route map entry (route-map <mapname> <sequence number>) and match the entry to the appropriate list:
Syntax: match [as-path <listname> | community <listname>]
You can also configure the router to only accept routes with a particular metric.
As always, you can use prefix lists to group routes according to their destination address. For example, you can divide the Internet into several sections and group routes to each section together in a set. You can then configure different attributes for sets of routes that arrive on different interfaces.
In order to enforce your organization’s policies, you may need to remove certain communities from inbound routes. To do so, create a community list that permits the communities that you want to delete. (See “Configuring a Community List”...
Enabling Soft Reconfiguration
Soft reconfiguration allows a network administrator to reconfigure BGP policies without clearing active BGP sessions. Administrators can then institute new policies at any time without forcing the neighbors to reestablish their connection and without disrupting traffic.
Configuring Route Summarizations
By default, BGP interfaces on the ProCurve Secure Router do not summarize routes. Currently, this is the only available option.
Setting Administrative Distance for BGP Routes
Your private network should be running an IGP such as RIP or OSPF. The routes BGP discovers for external sites may be redistributed into this protocol, or they may be used in conjunction with the IGP routes.
You can also alter the hold timer both globally and for individual neighbors. This timer determines how long the BGP router waits for an update before terminating a session. It should be relatively high to keep the router from continually having to restart sessions.
Complete these steps to configure the ProCurve Secure Router:
Configure router interfaces. Router A connects to the ISPs using PPPoE over ADSL. See Figure 15-21 for the running-config for the connections.
interface eth 0/1   (figure callout: Connection to ...)
 ip address...
The router’s routing table must include the routes that the router advertises. In this simplified example, the router only advertises the network to which it connects directly, so its routing table automatically includes the necessary route.
The default-information-originate always command allows the router to advertise a default route for the external traffic it receives from the ISP routers. You would then complete the steps explained in “Example 1: Baseline BGP Configuration”...
router ospf
 default-information-originate always
 network 10.1.1.0 0.0.0.255 area 0
router bgp 3
 no auto-summary
 no synchronization
 bgp router-id 10.1.0.3
 network 10.1.0.0 mask 255.255.254.0
 network 10.1.2.0 mask 255.255.254.0
 network 10.1.4.0 mask 255.255.254.0
 neighbor 10.1.0.1
  no default-originate
  soft-reconfiguration inbound...
Then complete these steps to apply a policy to the neighbor:
Configure a prefix list that only permits the private routes. In this example, the private sites each use a /24 network in the 10.1.0.0 /16 range:
ProCurve(config)# ip prefix-list PrivateRoutes seq 10 permit 10.1.0.0/16 ge 24 le 24
The prefix list must permit the exact routes, including prefix length, advertised by peers.
hostname “RouterA”
interface eth 0/1
 ip address 10.1.1.1 255.255.255.0
 no shutdown
interface eth 0/2
 no ip address
 shutdown
interface t1 1/1
 tdm-group 1 timeslots 1-24 speed 64
 no shutdown
interface ppp 1
 ip address 10.10.0.3 255.255.255.0...
• prefers certain routes from certain neighbors to help distribute outbound traffic over the connections
• clears any policies on inbound routes that prevent the router from advertising them as necessary
To configure the router’s IGP and its connection to the BGP neighbors, see “Example 2: Baseline BGP Configuration for a Router that Runs an IGP”...
Create two prefix lists for external traffic, each of which specifies routes to half of all IP networks. You can configure the router to accept only routes with longer prefixes so that the router does not learn too many over-specific routes.
Permit the router to advertise the other half of the local routes to this neighbor and specify a higher multi-exit discriminator metric for load balancing. (Again, filter out routes that should not be advertised to external neighbors.)
ProCurve(config)# route-map ISP1Out 30
ProCurve(config-route-map)# match ip address prefix-list LAN2...
Apply the policies to the neighbors. Allow the router to advertise community attributes if so desired and if permitted by your ISP.
ProCurve(config)# router bgp 3
ProCurve(config-bgp)# neighbor 10.10.0.1
ProCurve(config-bgp-neighbor)# route-map ISP1In in
ProCurve(config-bgp-neighbor)# route-map ISP1Out out
ProCurve(config-bgp-neighbor)# send-community standard
ProCurve(config-bgp-neighbor)# neighbor 10.20.0.1...
hostname "RouterA"
router ospf
 default-information-originate always
 network 10.1.1.0 0.0.0.255 area 0
ip prefix-list LAN1 seq 10 permit 10.1.0.0/17            (figure callout: Divides local network)
ip prefix-list LAN2 seq 10 permit 10.1.128.0/17
ip prefix-list Private seq 10 permit 10.1.112.0/20 ge 20
ip prefix-list External1 seq 10 permit 0.0.0.0/1 le 8     (figure callout: Divides external ...)
ip prefix-list External2 seq 10 permit 128.0.0.0/1 le 16...
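The prefix-list rules from “Specifying the Range of Prefix Lengths”, applied to the PrivateRoutes, Private, External1 and External2 lists that appear in the running-configs above, worked through as an added Python example (not code from the guide or from the router): it parses lines written in the guide’s ip prefix-list syntax and decides whether a given route is permitted. It assumes, as on Cisco-style routers, that entries are walked in seq order, that a le without ge starts at the entry’s own prefix length, and that every list ends with an implicit deny; the NoLab list and the SAMPLE_CONFIG text are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # network address and prefix length from the entry
    ge: Optional[int] = None         # minimum prefix length a matching route may have
    le: Optional[int] = None         # maximum prefix length a matching route may have


def parse_entry(line: str) -> tuple[str, PrefixListEntry]:
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge G] [le E]'.

    The guide writes the prefix both as 10.1.0.0/16 and as 10.1.0.0 /16; both are accepted.
    """
    tok = line.split()
    if tok[:2] != ["ip", "prefix-list"] or len(tok) < 7 or tok[3] != "seq":
        raise ValueError(f"not a prefix-list line: {line!r}")
    name, seq, action, rest = tok[2], int(tok[4]), tok[5], tok[6:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if "/" in rest[0]:
        net_txt, rest = rest[0], rest[1:]
    else:                                   # "10.1.0.0 /16" form
        net_txt, rest = rest[0] + rest[1], rest[2:]
    network = ipaddress.IPv4Network(net_txt, strict=False)
    ge = le = None
    while rest:
        key, val, rest = rest[0], int(rest[1]), rest[2:]
        if key == "ge":
            ge = val
        elif key == "le":
            le = val
        else:
            raise ValueError(f"unknown keyword {key!r} in {line!r}")
    lo = ge if ge is not None else network.prefixlen
    hi = le if le is not None else 32
    if not network.prefixlen <= lo <= hi <= 32:
        raise ValueError(f"inconsistent prefix-length range in {line!r}")
    return name, PrefixListEntry(seq, action, network, ge, le)


def load_prefix_lists(config: str) -> dict[str, list[PrefixListEntry]]:
    """Collect every ip prefix-list line of a running-config into per-list entries sorted by seq."""
    lists: dict[str, list[PrefixListEntry]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip prefix-list"):
            name, entry = parse_entry(line)
            lists.setdefault(name, []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def entry_matches(e: PrefixListEntry, route: ipaddress.IPv4Network) -> bool:
    """The guide's rule: no ge/le means an exact match; otherwise the route must lie inside the
    entry's network and its prefix length must fall within the ge..le window."""
    if e.ge is None and e.le is None:
        return route == e.network
    lo = e.ge if e.ge is not None else e.network.prefixlen
    hi = e.le if e.le is not None else 32
    return lo <= route.prefixlen <= hi and route.subnet_of(e.network)


def prefix_list_permits(entries: list[PrefixListEntry], route_txt: str) -> bool:
    """First entry (in seq order) that matches decides; no match means deny (assumed implicit deny)."""
    route = ipaddress.IPv4Network(route_txt, strict=False)
    for e in entries:
        if entry_matches(e, route):
            return e.action == "permit"
    return False


# Constructed sample: the lists from the guide's examples plus one deny-before-permit list (NoLab).
SAMPLE_CONFIG = """
ip prefix-list FilterIn seq 5 permit 10.1.0.0 /16
ip prefix-list PrivateRoutes seq 10 permit 10.1.0.0/16 ge 24 le 24
ip prefix-list Private seq 10 permit 10.1.112.0/20 ge 20
ip prefix-list External1 seq 10 permit 0.0.0.0/1 le 8
ip prefix-list External2 seq 10 permit 128.0.0.0/1 le 16
ip prefix-list NoLab seq 5 deny 10.1.200.0/24
ip prefix-list NoLab seq 10 permit 10.1.0.0/16 ge 24 le 24
"""
PREFIX_LISTS = load_prefix_lists(SAMPLE_CONFIG)


def check(list_name: str, route_txt: str) -> bool:
    """Evaluate one route against one of the sample lists."""
    return prefix_list_permits(PREFIX_LISTS[list_name], route_txt)


if __name__ == "__main__":
    for name, route in [("FilterIn", "10.1.0.0/16"), ("FilterIn", "10.1.1.0/24"),
                        ("PrivateRoutes", "10.1.5.0/24"), ("PrivateRoutes", "10.1.0.0/16"),
                        ("External1", "10.0.0.0/8"), ("External1", "10.1.0.0/16"),
                        ("NoLab", "10.1.200.0/24"), ("NoLab", "10.1.201.0/24")]:
        print(f"{name:14} {route:16} -> {'permit' if check(name, route) else 'deny'}")
```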
route-map ISP2In permit 10
 match ip address prefix-list External1
 set local-preference 125
 set comm-list clear delete
 set community no-export
route-map ISP2In permit 20
 match ip address prefix-list External2...
[Figure callouts on this running-config: "Clears community attributes from received routes"; "Sets higher preference for ..."; "Prevents the router ..."]
Configuring Load Sharing
Load sharing allows the router to select up to six best routes to a destination. Load sharing is important when your router connects to a remote site (or to the Internet) through connections to multiple remote routers.
If you select the per-packet option, the router uses multiple routes in a round-robin fashion, assigning each new packet that matches the routes to the route listed after the route last used. Although this option balances traffic more exactly, it is not generally recommended.
If both connections to the central office provide the same bandwidth, then your router will calculate two routes to the central office that have the same metric. However, without load sharing, the router will only be able to add one of these routes to its routing table, and one of the connections will not be used.
Configuring Policy-Based Routing
Policy-based routing (PBR) on the ProCurve Router allows you to implement basic traffic engineering: you can manipulate the path a packet follows based on characteristics of that packet. Routers use PBR to route traffic with the same destination over different paths according to the traffic’s priority, source, or size.
For example, a university might allow professors, staff, and administrators to access the Internet directly. However, university policies dictate that traffic from subnets used by students and guests must be processed by the IDS before being forwarded to the Internet.
Note: Fast caching will not work in conjunction with PBR. The ProCurve Secure Router maintains a fast cache for each interface. This fast cache stores the most recently used routes. When a packet arrives that can use a route in the fast cache, the router immediately forwards the packet, rather than placing it in a queue to await its turn to be processed.
You should therefore pay attention to the sequence number that you assign to a route map entry. For example, if you want to use a route map to route a packet and to mark this packet with a QoS value, you should enter the set commands for both these policies in the same route map entry.
If you enter more than one match command in a particular entry (identified by the sequence number), a packet must match the criteria for all of the match commands. If a packet does not match all criteria for the entry, the router attempts to match it to the route map entry with the next sequence number.
When you use a standard ACL, the router routes all traffic from a source according to the policy you configure in the route map. You should be certain that the route applies to all traffic. For example, if you are configuring a policy to forward external traffic from certain sources to a device for further processing, you might not want the router to send local traffic to that device.
To configure an ACL to route traffic based on its source as well as its destination, complete these steps:
From the global configuration mode, create an extended ACL:
Syntax: ip access-list extended <listname>
The routing policy may not apply to traffic destined to certain addresses.
Note: You enter the deny statement first. This prevents the router from matching student traffic to the permit statement before it has a chance to match it to the deny statement.
Next, enter the source address and port and then the destination address and port. Use the any keyword for the source and destination addresses if you want to allow all traffic for the application. (Use the any keyword for the source address, but enter a specific destination address, if you want to allow all traffic to a specific server.) Specify the application by entering the destination port after the destina-...
Implementing PBR According to Traffic Priority
A packet’s IP header includes a type of service (ToS) field that can be marked with various values to request a certain quality of service (QoS) for that packet. The ToS field can include either an IP precedence value or a Differentiated Service Code Point (DSCP).
Table 15-16. IP Precedence Values
Value   Priority
0       routine
1       priority
2       immediate
3       flash
4       flash-override
5       critical
6       internet
7       network
If your network uses DiffServ, you can select traffic according to its per-hop behavior (PHB) setting. In networks that support DiffServ, a PHB defines such settings as the bandwidth allocated to traffic and the traffic dropped first when congestion occurs.
Table 15-17. Class-Selector PHBs
DiffServ Value   DSCP   First 3 bits   IP Precedence
000000           0      000            0
001000           8      001            1
010000           16     010            2
011000           24     011            3
100000           32     100            4
101000           40     101            5
110000           48     110            6
111000           56     111            7
AF divides traffic into classes, which can be assigned varying drop precedences and amounts of bandwidth.
(AF table, continued)
AF Class             Drop Precedence   DSCP   DiffServ Value
AF33                 high              30     011110
AF4—most bandwidth
AF41                 low               34     100010
AF42                 medium            36     100100
AF43                 high              38     100110
You can also select traffic marked for expedited forwarding (DSCP 46), a PHB that is guaranteed low latency and a set amount of bandwidth:
Syntax: match ip dscp ef
To select a specific DSCP defined within your network, enter this command:...
You can enter 0 for the minimum length if you simply want to ensure that the packet does not exceed a specific size. For example, if you knew that packets for interactive traffic in your network were generally smaller than 200 bytes, you could enter this command to select interactive traffic:
ProCurve(config-route-map)# match length 0 200...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing You can specify multiple next hop addresses or forwarding interfaces in a single command. For example: ProCurve(config-route-map)# set ip next-hop 10.1.1.1 10.2.2.1 The router first attempts to forward a selected packet to the first address or interface specified.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Configuring Policy-Based Routing

The routing table for this router is shown in Figure 15-31. When a routine packet (IP precedence 0) destined to 192.168.66.12 arrives on the Ethernet interface, the router looks up the entry for network 192.168.64.0 /20 in its routing table and forwards the packet out PPP 2.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing The router would still route this traffic as indicated in the routing table when the table includes an explicit route for the traffic’s destination (for example, a local network). However, when the table does not contain a route to the destination, the router would forward the high-priority traffic according to the default route in the route map entry instead of the default route in the routing table.
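The following Python script is an added example, not part of this guide or of the router's software. It models the next-hop selection described above: route-map entries are tested in sequence order, the first permitting entry that matches a packet applies its set clauses, a list of next hops is tried in order until one is usable, and the route map's default next hop (assumed here to be configured with set ip default next-hop) is used only when the routing table has no explicit route to the destination. The routing table, interface names, packets and the definition of "usable" (an interface that is up, or an address covered by a non-default route) are constructed assumptions for the script.

```python
"""Evaluate a policy route map against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    dst: str
    precedence: int      # IP precedence 0-7 (top 3 bits of the DSCP)
    length: int          # total IP length in bytes


@dataclass
class MapEntry:
    seq: int
    action: str = "permit"                 # "deny" sends the packet back to normal routing
    match_precedence: frozenset = frozenset()
    match_length: Optional[tuple] = None   # (min, max) inclusive, like `match length`
    next_hops: list = field(default_factory=list)          # `set ip next-hop` / `set interface`
    default_next_hops: list = field(default_factory=list)  # `set ip default next-hop` (assumed name)

    def matches(self, pkt: Packet) -> bool:
        if self.match_precedence and pkt.precedence not in self.match_precedence:
            return False
        if self.match_length is not None:
            lo, hi = self.match_length
            if not lo <= pkt.length <= hi:
                return False
        return True


# Constructed routing table as (prefix, exit). Interface names are directly connected exits.
ROUTING_TABLE = [
    ("192.168.64.0/20", "ppp 2"),
    ("10.1.1.0/24", "eth 0/1"),
    ("10.3.3.0/24", "ppp 1"),
    ("0.0.0.0/0", "10.3.3.1"),       # gateway of last resort
]
UP_INTERFACES = {"eth 0/1", "ppp 1", "ppp 2"}


def lookup(dst: str, table=ROUTING_TABLE):
    """Longest-prefix match. Returns (network, exit) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def usable(hop: str) -> bool:
    """Assumption: an up interface, or an address reached by a non-default route."""
    if hop in UP_INTERFACES:
        return True
    try:
        route = lookup(hop)
    except ValueError:
        return False
    return route is not None and route[0].prefixlen > 0


def policy_route(pkt: Packet, route_map: list) -> Optional[str]:
    """Return the exit (next-hop address or interface) chosen for pkt."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if not entry.matches(pkt):
            continue
        if entry.action == "deny":
            break                                    # explicit deny: normal routing
        for hop in entry.next_hops:
            if usable(hop):
                return hop                           # first usable listed hop wins
        route = lookup(pkt.dst)
        if route is not None and route[0].prefixlen > 0:
            return route[1]                          # explicit route beats the map's default
        for hop in entry.default_next_hops:
            if usable(hop):
                return hop
        break                                        # first matching entry decides
    route = lookup(pkt.dst)
    return route[1] if route else None


# Critical traffic (precedence 5) gets its own default gateway; packets of at most
# 200 bytes are steered through an alternate hop with a fallback.
ROUTE_MAP = [
    MapEntry(10, match_precedence=frozenset({5}), default_next_hops=["10.1.1.254"]),
    MapEntry(20, match_length=(0, 200), next_hops=["10.9.9.1", "10.1.1.253"]),
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.66.12", 0, 600), Packet("192.168.66.12", 5, 600),
                Packet("8.8.8.8", 5, 600), Packet("8.8.8.8", 0, 100),
                Packet("8.8.8.8", 0, 600)):
        print(pkt, "->", policy_route(pkt, ROUTE_MAP))
```

Run the script to see the five cases: routine traffic to 192.168.66.12 follows the table to PPP 2, precedence-5 traffic to the same destination still follows the explicit /20 route, precedence-5 traffic with no explicit route takes the map's default next hop, and small packets fall through to 10.1.1.253 because 10.9.9.1 has no non-default route.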
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Configuring Policy-Based Routing

The AF PHB divides traffic into four classes, each of which is granted progressively more relative bandwidth. Each class is divided into three subclasses, the first of which has the lowest drop precedence: when the network becomes congested, routers drop packets in the first subclass last.
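The following Python script is an added example, not part of this guide or of the router's software. It decodes a 6-bit DSCP codepoint into the PHB keyword the router's match ip dscp command accepts, using the standard layout shown in the tables above: a class selector is the IP precedence value in the top three bits with the low three bits zero, an AFxy codepoint is class x (1 to 4) times 8 plus drop precedence y (1 to 3) times 2, and expedited forwarding is 46. The sample values at the bottom are the ones the tables list.

```python
"""Decode DSCP codepoints into DiffServ PHB names (added example)."""

EF = 46
DROP_PRECEDENCE = {1: "low", 2: "medium", 3: "high"}


def ip_precedence(dscp: int) -> int:
    """The IP precedence field is the top 3 bits of the 6-bit DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0-63, got {dscp}")
    return dscp >> 3


def dscp_to_phb(dscp: int) -> str:
    """Return default, cs1-cs7, af11-af43, ef, or the bare number for a local codepoint."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0-63, got {dscp}")
    if dscp == 0:
        return "default"
    if dscp == EF:
        return "ef"
    high, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"cs{high}"
    # AF: class 1-4 in the top bits, drop precedence in bits 2-1, bit 0 clear.
    if 1 <= high <= 4 and low in (2, 4, 6):
        return f"af{high}{low // 2}"
    return str(dscp)


def phb_to_dscp(name: str) -> int:
    """Inverse of dscp_to_phb for the keywords the match ip dscp command accepts."""
    name = name.lower()
    if name == "default":
        return 0
    if name == "ef":
        return EF
    if name.startswith("cs") and name[2:].isdigit() and 1 <= int(name[2:]) <= 7:
        return int(name[2:]) << 3
    if name.startswith("af") and len(name) == 4 and name[2:].isdigit():
        cls, drop = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= drop <= 3:
            return cls * 8 + drop * 2
    if name.isdigit() and 0 <= int(name) <= 63:
        return int(name)
    raise ValueError(f"unknown PHB keyword {name!r}")


def describe(dscp: int) -> str:
    """One line in the style of the tables above."""
    phb = dscp_to_phb(dscp)
    extra = ""
    if phb.startswith("af"):
        extra = f", class {phb[2]}, {DROP_PRECEDENCE[int(phb[3])]} drop precedence"
    return f"DSCP {dscp:06b} ({dscp}) = {phb}, IP precedence {ip_precedence(dscp)}{extra}"


if __name__ == "__main__":
    for value in (0, 8, 30, 34, 36, 38, 46, 48):
        print(describe(value))
```

Because IP precedence is simply the top three bits of the DSCP, a packet marked ef (101110) also matches match ip precedence 5, which is why the VoIP route map later in this section can select on precedence 5 and then set the DSCP to ef without contradiction.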
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Configuring Policy-Based Routing

Setting the Don't Fragment Bit. Packets may travel over a path that includes routers with varying MTUs. When a router prepares to forward a packet, it checks the packet's size against the MTU of the link that connects to the next-hop router. If the packet is larger than that MTU and its DF bit is set, the router must drop it and return an ICMP "fragmentation needed" message to the sender. If such ICMP messages are filtered anywhere along the path, DF-marked traffic can be silently black-holed, so verify that path MTU discovery works end to end before setting DF on production traffic.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing Assigning a Route Map to an Interface In order to activate a routing policy, you must associate the route map with an Ethernet or WAN interface. The router matches incoming packets to the route map and, if it finds a match, routes them as indicated in the map.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing In this example, a university uses a ProCurve Secure Router to connect to the Internet. The university wants to provide the many resources of the Internet to both its students and its professors. However, the administration is aware that students, in particular, often pose security risks.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing How should the router forward the student traffic? The router must send the student traffic to the university’s IDS. You could configure the IDS appliance’s IP address as the next-hop address, or the interface that connects to the IDS as the forwarding interface, or both.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Configuring Policy-Based Routing Reserving a Connection for VoIP and Video Traffic You could use PBR to reserve a connection for VoIP and video conferencing traffic, which require low latency. You could also reserve a connection for mission-critical traffic.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Configuring Policy-Based Routing

Configure the route map as follows:

ProCurve(config)# route-map RealTime 10
ProCurve(config-route-map)# match ip precedence 5
ProCurve(config-route-map)# set interface ppp 1
ProCurve(config-route-map)# set ip dscp ef
ProCurve(config-route-map)# set ip df
ProCurve(config-route-map)# exit
ProCurve(config)# interface eth 0/1
ProCurve(config-eth 0/1)# ip policy route-map RealTime

Troubleshooting Routing...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing The screen displays the destinations to which the router can route traffic. (See Figure 15-33.) For each destination, the routing table also records: the method the router used to discover the route •...
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Table 15-20. Viewing the Routing Table

Portion of the Table          Command Syntax
directly connected routes     show ip route connected
statically entered routes     show ip route static
BGP routes                    show ip route bgp
RIP routes                    show ip route rip
OSPF routes                   show ip route ospf
summary...
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Monitoring Routes. You can monitor the route that packets actually take through the network by using the traceroute command. Enter the command followed by the destination address for the route you want to trace:

Syntax: traceroute <A.B.C.D>...
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Enter * (an asterisk), which clears all routes, or enter the destination for the specific route you want to remove. The clear command only removes learned routes. To clear a static route, you must enter the no form of the global configuration mode command you used to enter it:

Syntax: no ip route <A.B.C.D>...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Troubleshooting RIP You can scan RIP events to determine the problem by entering the debug commands shown in Table 15-21 on page 15-150. For example, enter: ProCurve# debug ip rip Examine Table 15-22 to learn about the messages associated with particular problems.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing An interface only participates in RIP when the network on which it has its primary address has been added to RIP. You can see which interfaces are running RIP by viewing the running-config. The interface may not participate in RIP if the subnet mask for its address has been entered incorrectly.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing View the running-config for the interface that connects to the peer that is not receiving routes. If the send version does not match that implemented by the peer, you must change it: ProCurve(config-ppp 1)# ip rip send version [1 | 2] If the interface is not transmitting any RIP messages, it may be configured as a passive interface: it listens for updates but does not send them.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Table 15-23. Viewing OSPF Debug Messages

Message             Command Syntax
all events          debug ip ospf
OSPF packets        debug ip ospf packet
adjacency events    debug ip ospf adj
hello               debug ip ospf hello
LSA generation      debug ip ospf lsa-generation
SPF generation...

Table 15-24. Viewing OSPF Information

View                                             Command Syntax
• router ID                                      show ip ospf
• the number of areas configured on a router
• areas' types:
  – normal
  – stub
  – NSSA
• ...

View                                             Command Syntax
OSPF database:                                   show ip ospf database [external | router | network | summary]
• complete (no keyword)
• external LSAs
• router LSAs
• network LSAs
• summary LSAs
summary of the OSPF database                     show ip ospf database database-summary
particular entry in an OSPF database:...
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

ProCurve# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
       IA - OSPF inter area, N1 - OSPF NSSA external type 1
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1
       E2 - OSPF external type 2

Gateway of last resort is 10.2.2.2 to network 0.0.0.0...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing View the OSPF interfaces (show ip ospf interface) and verify that all interfaces that should be running OSPF are listed. Also make sure that the interfaces are up and active. If an interface that should be running OSPF is not, you have found your problem.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

OSPF: Update LSA: id=192.168.3.1 rtid=192.168.3.1 area=0.0.0.2 type=1
b09:46:01: Receiving OSPF packet from 10.20.20.1 to 224.0.0.5 on tunnel 1
CurrentTime=5641597. Database Description Packet from Router ID:192.168.100.1; Ver:2 Length:32 Area ID:0.0.0.2 Checksum:0x305d; Using Null Authentication:0:0 Neighbor's MTU MTU:1472 Options:0x0 Sequence Number:104111321 Router is the Master;...

Note that this output reports Null Authentication and the neighbor's MTU. If OSPF authentication is configured on one side of a link but not the other, or the authentication types or keys differ, the routers will not form an adjacency; an MTU mismatch likewise stalls the exchange at the database description stage. Both conditions are visible in this debug output.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing If the router has established full adjacency with its neighbors, but it still lacks routes to destinations in the area, other routers may be the source of the problem. Troubleshoot these routers as you would a router not sending the correct routes.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Other problems with an ABR include:
• not sending route summaries to the areas that need them
• misrouting inter-area traffic

An ABR That Does Not Send Route Summaries. The area that is not receiving summaries may be defined as a total stub area.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

However, different areas often use subnets from the same classful network, and the range should only apply to the one area. You must then calculate exactly which network bits the range of subnets have in common. For example, if area 1 includes subnets 172.16.0.0 /20 and 172.16.16.0 /20, and area 2 includes 172.16.32.0 /20 and 172.16.48.0 /20, the IP address range for area 1 is not 172.16.0.0 /16, which would also cover area 2's subnets. The two /20 subnets in area 1 share their first 19 bits, so the range for area 1 is 172.16.0.0 /19 (mask 255.255.224.0); by the same reasoning the range for area 2 is 172.16.32.0 /19.
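The following Python script is an added example, not part of this guide or of the router's software. Given the subnets each area contains, it computes the longest prefix they share (the summary an ABR can advertise), rejects a proposed summary that would also cover subnets belonging to another area, and prints the area range command in the network/mask form the Quick Start syntax uses. The areas are the example subnets from the paragraph above; only the standard library ipaddress module is used.

```python
"""Compute the tightest OSPF area range for each area (added example)."""
import ipaddress

# The paragraph's own example areas (constructed input for this script).
AREAS = {
    1: ["172.16.0.0/20", "172.16.16.0/20"],
    2: ["172.16.32.0/20", "172.16.48.0/20"],
}


def summarize(subnets):
    """Smallest single prefix that covers every subnet in the list."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("need at least one subnet")
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarize mixed IPv4/IPv6 subnets")
    summary = nets[0]
    # Widen the candidate one bit at a time until every subnet falls inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def leaks(summary, areas, area):
    """Subnets of other areas that a proposed summary for `area` would also cover."""
    net = ipaddress.ip_network(summary)
    return [s for a, subs in areas.items() if a != area
            for s in subs if ipaddress.ip_network(s).overlaps(net)]


def range_command(area, summary):
    """The `area <id> range` command the ABR needs, in network/mask form."""
    net = ipaddress.ip_network(summary)
    return f"area {area} range {net.network_address} {net.netmask}"


def plan(areas):
    """Return {area: command}, refusing any summary that covers another area."""
    commands = {}
    for area, subnets in areas.items():
        summary = summarize(subnets)
        overlap = leaks(summary, areas, area)
        if overlap:
            raise ValueError(f"summary {summary} for area {area} also covers {overlap}")
        commands[area] = range_command(area, summary)
    return commands


if __name__ == "__main__":
    print("a /16 for area 1 would leak:", leaks("172.16.0.0/16", AREAS, 1))
    for command in plan(AREAS).values():
        print(command)
```

The leaks check is the part worth keeping in a change-review script: an over-wide summary silently attracts another area's traffic to the wrong ABR, which is exactly the misrouting of inter-area traffic described above.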
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Table 15-25. Viewing BGP Debug Messages

Message                                               Command Syntax
updates:                                              debug ip bgp updates
• new routes
• withdrawn routes
events, such as a change in the neighbor's status     debug ip bgp events
all BGP messages except keepalives:                   debug ip bgp [in | out]...

View                            Command Syntax
BGP neighbors:                  show ip bgp neighbors
• neighbor IP address
• neighbor ID
• remote AS
• settings for BGP intervals
• connection status
• number of messages:
  – ...
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Note: Typically, you should use soft resets because hard resets can disrupt the network. A hard reset terminates the TCP connection to the neighbor, causing all routes to flap. If you enter only the identifier for the neighbor (*, AS number, or IP address) with no soft option, the router performs a hard reset.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Clear the neighbor with a soft reset and see if the router begins to receive routes. If it does, you have confirmed that the filter is the problem. Reconfigure the prefix list or route map, keeping in mind that the router processes entries in order by sequence number and stops as soon as it finds a match.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Table 15-27. Checking BGP Configurations

Configuration               How to View Your Setting
local AS                    show ip bgp [summary]
local router ID             show ip bgp [summary]
local router IP address     show ip bgp neighbor
neighbor router ID          show ip bgp neighbor
neighbor IP address...

ProCurve# show ip bgp neighbor
BGP neighbor is 10.1.1.1, remote AS 1, external link
  Configured hold time is 180, keepalive interval is 60 seconds
  Default minimum time between advertisement runs is 30 seconds
  Connections established 1;...

ProCurveSR7102dl# show ip bgp neighbor 10.1.1.1 routes
BGP local router ID is 192.168.140.1, local AS is 1.
Status codes: * valid, > best, i - internal, o - local
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          NextHop          Metric   LocPrf   Path...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing If you want a router to advertise routes it receives from one BGP neighbor to another, you must configure the AS it should add to the AS path. You configure this setting from the configuration mode context of the BGP neighbor from which the router receives the route.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing Keep these tips in mind as you search a prefix list for misconfigurations: If a statement does not include a range of prefixes, then a route must match the statement exactly in order to be selected. Make sure that the prefix length is correct.
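The following Python script is an added example, not part of this guide or of the router's software. It evaluates a prefix list the way the troubleshooting tips above describe: entries are processed in sequence-number order, the first match wins, an entry with no ge or le matches only a route with exactly that prefix and length, ge and le widen the matched length range, and a route that matches nothing is denied. It also reports the length-range misconfigurations the tips tell you to look for. The prefix list and candidate routes are constructed sample data.

```python
"""Evaluate a BGP prefix list and flag misconfigured entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                # "permit" or "deny"
    prefix: str                # network/length, for example "10.0.0.0/8"
    ge: Optional[int] = None   # minimum route length, inclusive
    le: Optional[int] = None   # maximum route length, inclusive

    def length_range(self) -> Tuple[int, int]:
        """Route lengths this entry can match.

        No ge/le: exactly the entry's own length. ge alone: ge up to a host
        route. le alone: the entry's length up to le. Both: ge up to le.
        """
        net = ipaddress.ip_network(self.prefix)
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = net.max_prefixlen
        else:
            hi = net.prefixlen
        return lo, hi

    def problems(self):
        """Misconfigurations to look for: an empty or impossible length range."""
        net = ipaddress.ip_network(self.prefix)
        lo, hi = self.length_range()
        issues = []
        if lo < net.prefixlen:
            issues.append(f"seq {self.seq}: ge {lo} is shorter than the prefix length {net.prefixlen}")
        if hi > net.max_prefixlen:
            issues.append(f"seq {self.seq}: le {hi} exceeds {net.max_prefixlen}")
        if lo > hi:
            issues.append(f"seq {self.seq}: ge {lo} > le {hi}, so nothing can match")
        return issues

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix)
        r = ipaddress.ip_network(route)
        if r.version != net.version or not r.subnet_of(net):
            return False
        lo, hi = self.length_range()
        return lo <= r.prefixlen <= hi


def evaluate(prefix_list, route: str):
    """Return (action, seq) for the first entry that matches, or ("deny", None)."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action, entry.seq
    return "deny", None        # implicit deny at the end of every prefix list


def audit(prefix_list):
    """All problems across the list, in sequence order."""
    return [p for e in sorted(prefix_list, key=lambda e: e.seq) for p in e.problems()]


# Constructed sample list: reject anything longer than a /24 from 10/8,
# accept 10/8 and its /9-/24 subnets, accept exactly 192.168.100.0/24.
PREFIX_LIST = [
    PrefixEntry(10, "deny", "10.0.0.0/8", ge=25),
    PrefixEntry(20, "permit", "10.0.0.0/8", le=24),
    PrefixEntry(30, "permit", "192.168.100.0/24"),
]

if __name__ == "__main__":
    for route in ("10.1.0.0/16", "10.1.2.0/25", "192.168.100.0/24", "192.168.100.0/25"):
        print(route, "->", evaluate(PREFIX_LIST, route))
    print(audit(PREFIX_LIST + [PrefixEntry(40, "permit", "10.0.0.0/8", ge=24, le=16)]))
```

The fourth sample route shows the exact-match rule: 192.168.100.0/25 is inside 192.168.100.0/24 but is not that prefix, so sequence 30 does not select it and the implicit deny applies. That is the usual reason a neighbor "is not receiving routes" after a prefix list is added without le.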
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing When examining the route map for misconfigurations keep these tips in mind: If you want to apply attributes to routes filtered by an inbound route map, you must enter the set command for the attributes in the same route map entry in which you enter the match command to select permitted routes.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing The BGP neighbor defines different policies for the community. Or the BGP neighbor does not accept community attributes in customer routes. You should consult with your ISP about what communities it supports. You may also have problems with the local policy that you have configured for communities on your router.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Troubleshooting Routing

Router# show route-map
route-map PBR, permit, sequence 10
  Criteria for Match clauses:
    length 150 200
  Set clauses:
    ip next-hop 10.10.10.254
  BGP Filtering matches: 0 packets, 0 bytes
  Policy routing matches: 4 packets, 600 bytes...

In this output the match clause selects traffic between 150 and 200 bytes long, and the Policy routing matches line counts the packets this map entry has selected.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Troubleshooting Routing You can also select a source address for ping so that you can simulate the traffic for source-based PBR. If the ping is not successful, then you should look for misconfigurations in the set clauses. Verify that specified interfaces are up and that the router’s routing table includes a route to the next-hop address.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Quick Start

This section provides the commands you must enter to quickly configure:
• RIP
• OSPF:
  – internal router
  – ABR
  – ASBR
• BGP
• PBR

You can use more than one routing protocol. When the router learns identical routes through different routing protocols, it uses the administrative distances shown in Table 15-28 to choose between them.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Quick Start

RIP Routing

Move to the global configuration mode context and access the RIP configuration mode context.

ProCurve(config)# router rip

Specify the RIP version.

Syntax: version [1 | 2]

Advertise local subnets. Interfaces on these subnets will send and receive RIP updates.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Quick Start Specify the network and area of each interface that should run OSPF: Syntax: network <network A.B.C.D> <wildcard bits> area <area ID> For example: ProCurve(config-ospf)# network 10.2.0.0 0.0.255.255 area 1 Specify that this area is a stub area: Syntax: area <area ID>...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Quick Start If the ABR will be sending summary LSAs, define the address ranges for these summaries. Select which routes the ABR should advertise and which it should not. Syntax: area <area ID> range <network A.B.C.D> <subnet mask> [advertise | not- advertise] If you do not select an option for advertising, the router will automatically advertise the summary.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Quick Start Force the router to advertise a default route for external routes. Syntax: default-information-originate [always] [metric <value>] [metric <type>] If the router does not have its own default route, use the always option. Specifying a metric or metric type is optional.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Quick Start Configure a BGP neighbor. Syntax: neighbor <neighbor A.B.C.D> Specify the neighbor’s IP address as its ID. For example: ProCurve(config-bgp)# neighbor 1.1.1.1 Specify the remote AS. Syntax: remote-as <remote AS> If so desired, specify a loopback interface as the update source, which can add stability to the BGP session.
IP Routing—Configuring RIP, OSPF, BGP, and PBR Quick Start If the router will be routing traffic according to source and destination IP address or application data, you must create an extended ACL. Create the ACL. Syntax: ip access-list extended <listname> b.
IP Routing—Configuring RIP, OSPF, BGP, and PBR
Quick Start

To route traffic based on DiffServ value, enter this command:

Syntax: match ip dscp [af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef | <0-63>]

You can select default traffic (no DiffServ value set);...
IP Routing—Configuring RIP, OSPF, BGP, and PBR Quick Start Apply the route map to LAN interfaces to enable PBR for traffic outbound to the WAN. (This is the typical application.) You can also apply route maps to any logical interface. Move to the Ethernet or logical interface configuration mode context and enter this command: Syntax: ip policy route-map <mapname>...
Using the Web Browser Interface for Advanced Configuration Tasks
Contents

Configuring Access to the Web Browser Interface   16-4
Enabling Access to the Web Browser Interface   16-4
The Web Browser Interface Navigation Panel ...
Configuring Access Control from the Web Browser Interface   16-41
Configuring Access Control Lists (ACLs)   16-41
Configuring Access Control Policies (ACPs) ...
IKE Settings (Custom Setup Only)   16-96
IPSec Settings (Custom Setup Only)   16-99
Confirm Settings ...
Using the Web Browser Interface for Advanced Configuration Tasks
Configuring Access to the Web Browser Interface

You can use the Web browser interface to configure interfaces on your router. To access the Web browser interface, you must first use the command line interface (CLI) to enable the HTTP server on the ProCurve Secure Router and to configure a username and password for HTTP access. Plain HTTP carries that username and password, and every configuration change you make, in cleartext. Where the management network is not fully trusted, also enable the HTTPS server (see "Enabling IP Services on the Router" in this chapter), connect to the router over HTTPS, and restrict which hosts can reach the management interface.
Using the Web Browser Interface for Advanced Configuration Tasks The Web Browser Interface Navigation Panel The Web Browser Interface Navigation Panel The Web browser interface features a navigation bar, containing available commands grouped by category. (See Figure 16-1.) The navigation bar is always visible on the left side of the browser screen.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Managing AutoSynch™, Files, Firmware, Logging, and Boot Software In the Utilities section of the Web browser interface, you can do basic file management tasks, manage AutoSynch™, and set the router’s firmware and boot software using the Web browser interface.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software AutoSynch ™ To manage the AutoSynch™ feature in the Web browser interface, click AutoSynch in the Utilities section of the navigation bar. The AutoSynch Mode window is displayed.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software When the AutoSynch™ function is enabled, you can force synchronization by clicking the AutoSynch button in the AutoSynch Execute window. The following dialog box is displayed: “You are about to activate AutoSynch.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software flash, it looks on the internal flash memory for a valid file. You can configure the router to load a different configuration by specifying this configuration’s filename and location.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Figure 16-5. Download Config After you have downloaded the configuration file onto your PC, you can open and edit it in a text editor program such as Notepad. Upload Config.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software In the Delete Config File section, select the file that you want to delete from the Delete Config pull-down menu. This menu will display all the files on flash and cflash that do not have a .biz extension.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Figure 16-8. Set Primary/Backup Firmware This window also shows the current memory statistics for the internal flash and cflash drives. The Flash memory statistics are displayed as the bytes used divided by the total memory and the drive space free.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Figure 16-9. Upload Firmware To upload the file from your PC or terminal to the router, click the Browse button next to the Select Firmware File: box. N o t e All firmware files have a .biz extension.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Figure 16-10.Delete Firmware Select the file that you want to delete from the Delete Firmware pull-down menu, which lists all files in the router’s memory that have a .biz extension. Click the Delete button.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Click Debug in the Utilities section of the navigation bar. To add a debug filter, click the Add Debug Filter button. Figure 16-11. Add Debug Filter From the Category pull-down menu, select the desired debug filter.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software Figure 16-14. Add Debug Filter Specifics Click the Apply button. Repeat steps 2 through 4 for all other debug filters that you want to add. If you want to delete one or more debug filters that you have selected, check the box for each filter that you want to delete.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software When you have selected all of the debug filters that you want, click the Start Debug button. Messages generated for the selected debug filters will then be displayed on the screen.
Using the Web Browser Interface for Advanced Configuration Tasks Managing AutoSynch™, Files, Firmware, Logging, and Boot Software C a u t i o n If you click the Stop Debug, Add Debug Filter, or Remove Selected Events button while debug is running, the current debug output on the screen will be lost.
Using the Web Browser Interface for Advanced Configuration Tasks
Managing AutoSynch™, Files, Firmware, Logging, and Boot Software

Telnet to Unit. To open a Telnet session between your router and your PC, select Telnet to Unit under Utilities in the navigation bar. In order to successfully establish a Telnet session to your router, you first need to configure the router to allow Telnet access. Telnet transmits the login and the entire session in cleartext, so allow it only from a trusted management network and disable it when it is not needed.
Using the Web Browser Interface for Advanced Configuration Tasks
Enabling IP Services on the Router

In the IP Services section, you can enable or disable the following servers on the router:
• FTP
• TFTP
• HTTP
• HTTPS
• secure copy
• Telnet

You can also configure settings for the Web browser interface. FTP, TFTP, HTTP, and Telnet are unencrypted; leave them disabled unless a specific task needs them, and prefer HTTPS and secure copy for routine management and file transfer.
Using the Web Browser Interface for Advanced Configuration Tasks Enabling IP Services on the Router Figure 16-18.IP Services Enable/Disable To enable the router as an FTP server, check the box. To enable the router as a TFTP server, check the box. To access the Web browser interface, you enabled the router’s HTTP server from the CLI.
Using the Web Browser Interface for Advanced Configuration Tasks
Enabling IP Services on the Router

Caution: Disabling the HTTP server will cause the Web browser interface to stop functioning. To change the port for the HTTP server, enter the desired port number in the box.
Using the Web Browser Interface for Advanced Configuration Tasks Enabling IP Services on the Router Figure 16-19. Web Access Configuration To change the Inactivity Timeout, enter the number of hours, minutes, and seconds in the boxes. You can set the maximum number of concurrent connections to the Web browser interface by entering the number in the Max Sessions box.
Using the Web Browser Interface for Advanced Configuration Tasks Increasing Bandwidth Increasing Bandwidth Link-aggregation protocols allow a router to bundle multiple carrier-lines into a single logical connection to a peer. Link-aggregation allows you to increase the bandwidth on your router without purchasing an expensive T3 or E3 line. The ProCurve Secure Router supports: Multilink Point-to-Point Protocol (MLPPP) Multilink Frame Relay (MLFR)
Using the Web Browser Interface for Advanced Configuration Tasks Increasing Bandwidth 10. Click the name of the interface for the second physical carrier-line to move to its Configuration window. If necessary, configure the interface as described in “Configuring E1 and T1 Interfaces” on page 14-54 of the Basic Management and Configuration Guide.
Using the Web Browser Interface for Advanced Configuration Tasks Increasing Bandwidth Configuring MLFR In the left navigation bar, select Physical Interfaces. Choose the interface for the first physical carrier-line. You will move to the physical interface’s Configuration window. If you have not already done so, configure the interface as described in “Config- uring E1 and T1 Interfaces”...
Using the Web Browser Interface for Advanced Configuration Tasks Backup Modules Backup Modules The ProCurve Secure Router supports Basic Rate Interface (BRI) Integrated Services Digital Network (ISDN) and analog backup. You must purchase and install a backup module to activate backup. You must then configure backup settings from the CLI.
Using the Web Browser Interface for Advanced Configuration Tasks
Configuring the ProCurve Secure Router OS Firewall

Table 16-1. Packets Automatically Dropped by the Secure Router OS Firewall

Packet                                            Associated Attack
larger than the IP max (65,535 bytes)             Ping of death
fragmented packets with errors when •...
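The following Python script is an added example, not part of this guide or of the router's firewall code. It shows the check behind the first row of Table 16-1: each fragment's offset and payload length are read from the IPv4 header, and a fragment whose data would end beyond the 65,535-byte IPv4 maximum once reassembled is rejected before any reassembly buffer is allocated. A non-final fragment whose length is not a multiple of 8 is also rejected, which is a requirement of the IP specification rather than something this page states. The headers the script builds are constructed test input, not captured traffic.

```python
"""Reject oversized (ping of death) and malformed IPv4 fragments (added example)."""
import struct

IP_MAX = 65535        # largest IPv4 datagram the 16-bit total length can describe
MIN_HEADER = 20       # IPv4 header without options
HEADER_FMT = "!BBHHHBBH4s4s"


def make_header(ident: int, offset: int, more_fragments: bool, payload_len: int) -> bytes:
    """Build a minimal IPv4 (ICMP) header for one fragment: constructed test input."""
    if offset % 8 or offset // 8 > 0x1FFF:
        raise ValueError("fragment offset must be a multiple of 8 below 65,536")
    flags_frag = (0x2000 if more_fragments else 0) | (offset // 8)
    return struct.pack(HEADER_FMT, 0x45, 0, MIN_HEADER + payload_len, ident, flags_frag,
                       64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def parse_header(raw: bytes) -> dict:
    """Pull out the fields a fragment check needs; reject obviously malformed headers."""
    if len(raw) < MIN_HEADER:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(HEADER_FMT, raw[:MIN_HEADER])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < MIN_HEADER or total_len < ihl:
        raise ValueError("malformed header")
    return {
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,      # the offset field counts 8-byte units
        "payload_len": total_len - ihl,
        "proto": proto, "src": src, "dst": dst,
    }


def check_fragment(raw: bytes):
    """Return (accept, reason) for one fragment, decided from its header alone."""
    try:
        h = parse_header(raw)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # Where this fragment's data would end in the reassembled datagram, header included.
    reassembled_end = MIN_HEADER + h["offset"] + h["payload_len"]
    if reassembled_end > IP_MAX:
        return False, "ping of death"
    if h["more_fragments"] and h["payload_len"] % 8:
        return False, "non-final fragment length not a multiple of 8"
    return True, "ok"


if __name__ == "__main__":
    samples = {
        "first fragment": make_header(1, 0, True, 1480),
        "last fragment": make_header(1, 1480, False, 500),
        "oversized last fragment": make_header(7, 65472, False, 1480),
        "odd-length middle fragment": make_header(8, 0, True, 1481),
    }
    for name, raw in samples.items():
        print(f"{name}: {check_fragment(raw)}")
```

The important property is that the decision is made per fragment from header fields only: a firewall that first collects fragments and then measures the result has already spent memory on the attack.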
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Unlike a true circuit level gateway, the Secure Router OS firewall does not establish a proxy session to the untrusted host on behalf of the trusted host, which saves processor power.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Figure 16-21. Configuring General Firewall Settings After you enable the firewall, the ProCurve Secure Router automatically guards against all attacks shown in Table 16-1 on page 16-28, as well as against SYN-floods.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Figure 16-22. Logging Settings Tab Check the Event History box to enable the event history for the ProCurve Secure Router. In the Event History Priority Level field, use the pull-down menu to set the event history priority level: •...
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Enabling Email Forwarding Use the settings on the Email Forwarding tab to forward logs and exception reports to email addresses. (By default, when a failure event occurs, the ProCurve Secure Router automatically generates an exception report and saves the report to a file in internal flash.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall In the Email Forwarding Priority Level field, use the pull-down menu to set the email forwarding priority level: • info (4) • notice (3) •...
Using the Web Browser Interface for Advanced Configuration Tasks
Configuring the ProCurve Secure Router OS Firewall

Check the Syslog Forwarding box to enable syslog forwarding. In the Syslog Forwarding Priority Level field, use the pull-down menu to set the syslog forwarding priority level:
•...
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall The default port for the SIP ALG is UDP 5060. If you want, you can add protocol ports to the ALG. Enter the number of the UDP port in the Port field of the Add SIP ALG Port section.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall You can alter the settings for the default TCP, UDP, and ICMP timeouts. These settings determine when the router will timeout any inactive TCP, UDP, or ICMP session for which you do not set an override timeout (see below).
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall You can delete timeout policies that have already been added. These policies are listed below the Add/Modify button in the Delete Entries section. Click the Delete button to the right of the specific policy timeout.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Figure 16-27. Permitting Internet Users to Access an Internal Server If your private network includes a server that Internet users need to access, specify it in the Port Forwarding window. Select the server type from the list under Yes.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Figure 16-28. Specifying the Internal Server’s Address The wizard displays the original Port Forwarding window. You can now add a second server. Repeat steps 5 through 7 until you have specified an IP address for every server that Internet users must be able to access.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring the ProCurve Secure Router OS Firewall Figure 16-29. Viewing Settings Established by the Firewall Wizard 10. Review the NAT settings in the Confirm Settings window. All hosts that connect through the Private Interface will use the address on the public interface.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring Access Control from the Web Browser Interface Configuring Access Control from the Web Browser Interface If you use the Web browser interface to configure access controls on router interfaces, you must first enable the Secure Router OS firewall. In the left navigation bar, select General Firewall under Firewall.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring Access Control from the Web Browser Interface Figure 16-31. Add or Modify ACLs In the ACL Name field, enter a name for the ACL. In the ACL Type field, select Extended. (This selection gives you more control in configuring the ACL.) Click the Add New ACL button.
Using the Web Browser Interface for Advanced Configuration Tasks Configuring Access Control from the Web Browser Interface Figure 16-33. Add New Custom Policy Entry On the Add New Custom Policy Entry screen, in the Filter Type field, select either: • Permit to define traffic that will initiate the dial-up connection •...
Using the Web Browser Interface for Advanced Configuration Tasks Configuring Access Control from the Web Browser Interface 10. In the Destination Data section, define the destination IP address and port. 11. Click the Apply button to save your changes. The permit or deny statement that you configured is listed on the Add/Modify/ Delete Traffic Selectors screen.
Figure 16-36. Add New Policy Window

Click the Add Policy to Zone button. The Add New Policy Type window is displayed.

Figure 16-37. Add New Policy to Security Zone Window

From this window, you can: • filter, or block, traffic—see “Filtering, or Blocking, Traffic” on page 16-46 • allow traffic—see “Allowing Traffic” on page 16-48 •...
Enter a policy descriptor, which will be displayed when you view the running-config. For example, you may want to document how the ACP is going to be used.

Click Apply. The policy you created is now listed on the Configure Policies for Security Zone window.

Allowing Traffic

To allow certain traffic to enter an interface, use the pull-down menu to select Allow for the Policy Type in the Add New Policy window.
Enable Stateless Processing, if applicable. Stateless Processing will allow certain IP phones or POS stations to work in situations where stateful TCP processing prevents these devices from working. Select a Destination Security Zone from the following choices: •...

b. To enter a specific port, choose Specified. Then use the pull-down menu below to select: – Equal To—the policy only filters the port that you enter in the box to the right –...

Figure 16-40. Configuring Many-to-One NAT

Enter a policy descriptor, which will be displayed when you view the running-config. Configure which hosts you want to share the public IP address: all or a specific subnet.
Note: You must have more than one security zone configured on the router to use one-to-one NAT. If you do not, the screen shown below includes an alert in the Private Security Zone field.

Configuring Policies to Control Management Access to the ProCurve Secure Router

To create a policy that controls management access to the router, use the pull-down menu to select Admin Access for the Policy Type in the Add New Policy window.
If the other options do not allow you to configure exactly the policy you need for your network, you should select the Advanced option for Policy Type. For example, if you want to configure one-to-one NAT and specify the public address, rather than selecting an interface and using the IP address assigned to it, you should create an Advanced policy.
Enable Stateless Processing, if applicable. For Destination Security Zone, select <Any Security Zone>, a particular security zone, or <Self-bound>. This setting determines the destination address of the traffic you want to select.
Figure 16-44. Add New Custom Policy

For Filter Type, select Permit or Deny. For Protocol, select any or a specific protocol. 10. If you select ICMP, then you can select an ICMP message type from a list of well known types.

Changing the Order of Policies

The policies you create for a security zone are listed and processed in the order shown on the Configure Policies for Security Zone window. (Access this window by clicking Security Zone <zonename>...
Configuring Quality of Service

Your ProCurve Secure Router may route several types of traffic: data, which can tolerate high latency and bursts, as well as be fragmented and reconstructed; and real-time traffic, such as Voice over IP (VoIP), and interactive traffic, such as Telnet, which require low latency and low jitter...

You can configure WFQ, LLQ, and packet marking in the Web browser interface. Currently, you must configure CBWFQ in the CLI. The QoS Wizard will help you set up a QoS policy for VoIP traffic.

Note: Because the QoS Wizard writes over any QoS map entries already applied to the interface that you select to carry VoIP traffic, you should always use the...
Figure 16-46. Configuring WFQ on an Interface

To configure WFQ for ATM connections, follow these steps: Depending on the type of encapsulation you are using for your ADSL connection, the ATM subinterface may or may not have an IP address.
Figure 16-47. Configuring WFQ on an ATM Subinterface

If you want, you can set how many packets the interface allows in each conversational subqueue. Enter a value between 16 and 512 in the Fair-Queue Threshold field.

Configuring QoS for VoIP with the QoS Wizard

The QoS wizard guides you through the process of configuring QoS for VoIP applications.

Caution: The QoS wizard erases any QoS maps already applied to the interface you select for VoIP traffic.
You will move to the VoIP Traffic Matching window, in which you specify how the router will identify VoIP packets: The documentation for your VoIP application may include the UDP real-time protocol (RTP) port or ports to which traffic is sent.
In the Configure Max Bandwidth window, enter the bandwidth for the queue in Kbps. This bandwidth is the maximum guaranteed. (When the network is not congested, VoIP traffic can burst past this rate.) The window will display the maximum bandwidth available on the interface as the high end of the Limit.
You will now move to the DSCP Outbound Marking window. Because signaling traffic, as well as the VoIP packets themselves, must receive priority handling, you should mark signaling traffic with a ToS value. You can accept the default value 26 (for assured forwarding class 31) or enter any value between 0 and 63.
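The DSCP, IP precedence and ToS values that the QoS windows accept are three views of the same IP header byte. This added Python example (not from the guide or the router's own software) decodes the default DSCP 26 to AF31 and precedence 3, and shows why a precedence criterion matches a whole block of eight DSCPs; the PHB names follow the standard DiffServ assignments, not anything the router displays.

```python
# Added example: relationship between DSCP (0..63), IP precedence (0..7)
# and the 8-bit ToS byte used by the QoS map and DSCP marking screens.
from dataclasses import dataclass


@dataclass(frozen=True)
class Marking:
    dscp: int        # 6-bit DiffServ code point
    precedence: int  # 3-bit IP precedence = the high 3 bits of the DSCP
    tos_byte: int    # full ToS octet as carried in the IP header
    name: str        # standard per-hop-behaviour name, if one exists


def dscp_name(dscp: int) -> str:
    """Standard PHB name for a DSCP: BE, EF, AFxy, CSx, or 'unnamed'."""
    if dscp == 0:
        return "BE (default)"
    if dscp == 46:
        return "EF"
    # Assured Forwarding: class (1..4) in the top 3 bits,
    # drop precedence (1..3) in the next 2 bits, low bit zero.
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    if dscp & 0x7 == 0:
        return f"CS{cls}"          # class selector, e.g. CS5 = 40
    return "unnamed"


def marking_from_dscp(dscp: int) -> Marking:
    """Build the full marking from a DSCP as entered in the DSCP field."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    # The DSCP occupies the top 6 bits of the ToS byte; the 2 ECN bits stay 0.
    return Marking(dscp, dscp >> 3, dscp << 2, dscp_name(dscp))


def marking_from_precedence(prec: int) -> Marking:
    """A Precedence entry p is equivalent to the class-selector DSCP p*8."""
    if not 0 <= prec <= 7:
        raise ValueError("IP precedence must be 0..7")
    return marking_from_dscp(prec << 3)


def decode_tos_byte(tos: int) -> Marking:
    """Recover the marking from a captured ToS byte, ignoring the ECN bits."""
    return marking_from_dscp((tos & 0xFF) >> 2)


def precedence_matches(prec: int, dscp: int) -> bool:
    """A QoS map entry on precedence p selects every DSCP from 8p to 8p+7."""
    return (dscp >> 3) == prec
```
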
Figure 16-51. Sample QoS Configuration for VoIP Traffic

Review your settings in the Confirm window: Use the Back button to reconfigure any incorrect settings. You can also click the name of a window in the left navigation bar. For example, you can select RTP Traffic to change how the router selects traffic for the queue.

Figure 16-52. Finding the Name of the QoS Map Created by the QoS Wizard

10. After clicking Finish, click Exit to close the wizard and return to the main Web browser interface.
Enter a new QoS map entry in the Add New QoS Map section of the Modify/Delete QoS Maps window. Enter the name in the Map Name field and the sequence number in the Sequence Number field.
Figure 16-54. Configuring Criteria for a QoS Map

To select packets according to their IP precedence value, select Precedence and enter a value between 0 and 7. d.
Figure 16-55. Setting the Maximum Bandwidth Guaranteed to a Queue

In the Priority Queue section, select Bandwidth and enter the maximum transmission rate guaranteed to the queue in the Limit field. (Traffic can burst past this rate.) Enter the rate in Kbps.

Configuring Packet Marking

You can also use the Web browser interface to configure the router to mark packets with a ToS value. First configure a QoS map with an entry for each set of traffic you wish to mark.
Figure 16-56. Marking Packets with a ToS Value

Move to the Packet Marking section. Enter the value with which the router should mark packets: Select DSCP to enter a DiffServ value between 0 and 63. b.

Figure 16-57. Applying a QoS Policy to an Interface

Return to the QoS Map window. The Apply a QoS-policy to an Interface window lists the name of all logical interfaces active on the router. The display includes an Ethernet interface only if you have configured rate limiting for it.
Note: If this Frame Relay PVC will carry VoIP traffic, take care to set the fragmentation threshold above the size of VoIP packets. The committed burst rate determines the rate at which the Frame Relay interface can forward traffic when the network is congested.

Setting Up Network Monitoring

Network monitoring serves two functions: It tests and controls static and Dynamic Host Configuration Protocol (DHCP) routes. It tests network performance, logging when performance falls below a certain level.
the probe’s failure mode—consecutive failures, rate of failure, or none the actions performed when the probe fails To use the network monitor wizard to configure network monitoring: Select Monitor Wizard under Network Monitoring in the left navigation bar.
Figure 16-60. Create Probe

In the Probe Name field, specify the name for the probe that you are configuring. Use the Probe Type pull-down menu to specify the probe type—ICMP Echo, TCP Connect, or HTTP Request.
Figure 16-61. Source Interface

Use the Source Interface pull-down menu to select the source interface for the probe. If the router will send the probe through the Internet, the address of the source interface should be an address that ISP routers know how to reach.
Figure 16-62. Destination

10. In the Destination field, specify the IP address or hostname for a device at the destination that you want to monitor. 11. In the Destination Port field, specify the port for the service or application being monitored.
Figure 16-63. HTTP Probe Details

13. Use the Request Type pull-down menu to select the type for the probe—HTTP Get, HTTP Head, or HTTP Raw. An HTTP Get probe sends a standard HTTP request for a Web page.
Figure 16-64. Failure Parameters

15. Select the failure mode and settings. • For the consecutive failures mode, specify the number of consecutive test failures to allow before declaring failure. •...
Figure 16-65. Set Actions

17. Select the action to take when the probe reports failure. For the Override Static Route option, specify either NextHop IP (and specify the next hop address for the route) or NextHop Interface (and specify the forwarding interface for the route).
Figure 16-66. Confirm

19. Review the settings on the screen, and then click the Finish button to close the wizard and apply your network monitoring settings.

Creating a Network Monitor Probe

You can also create or modify probes manually. To create a probe: Select General Monitor under Network Monitoring in the left navigation bar.

Figure 16-67.
Figure 16-68. Probe Configuration (ICMP Probe Type Shown)

Click the Enable box to enable the probe. In the Probe Period field, specify the period for the probe, in seconds. In the Timeout field, specify the timeout for the probe, in milliseconds.

10. In the Destination Port field, specify the port for the service or application being monitored. • For TCP connect probes, see Table 9-1 in Chapter 9: Network Monitoring for a list of ports for common TCP applications.
Figure 16-69. Create Tracks

In the Track Name field, enter the track name. Click the Create button to create the track. To modify an existing track, select the track from the table at the bottom of the Create Tracks section.