Dax Router Guide

&200210$18$/
)25
';035287(56

9HUVLRQQ

'DWH
H1RY

G
5HYLVLRQ 'DWHG 1RY
1

Dear Dax User,
Congratulations!! You are now a proud owner of this DAX DXMP ROUTER.
We are sure you will be delighted with the features and performance of your new
product. And, the Dax support, if you need it.
This DAX DXMP ROUTER has unique user-friendly features and benefits. And, is
designed to increase the reliability and efficiency of your network.
We at Dax have offered the highest level of pre/post sales support in India for 15
years and are committed to providing you with International quality, Indian market
savvy products. This DAX DXMP ROUTER is a reflection of that commitment.
It is with this confidence that we promise you a 3 Years Carry-in warranty of which
Instant Replacement Anywhere is provided during the first year of warranty.
Please contact me (or any Dax Office) if and when you need us, we will endeavor
to win your confidence too.
“Happy Daxing”
Sujit
Country Manager - Dax
)&&:DUQLQJ

This equipment has been tested and found to comply with the limits of a Class B
computing device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instructions, may cause
harmful interference to radio communications.
If you suspect this product is causing interference, turn your computer ON and OFF
while your radio or TV is showing interference. If the interference disappears when
you turn the computer OFF and reappears when you turn the computer ON, then
something in the computer is causing interference.
You can try to correct the interference by one or more of the following measures:
1. Reorient/Relocate the receiving antenna.

2. Increase the separation between the equipment and receiver.
3. Connect the equipment into an outlet on a circuit difference from that
to which the receiver is connected.
4. Ensure that all expansion slots (on the back or side of the computer) are
covered. Also ensure that all metal retaining brackets are tightly attached to the
computer.
CE Marking Warning
This is a Class A product. In a domestic environment this product may cause radio
interference in which case the user may be required to take adequate measures.
MP Series Router Manual
Configuration Guide &
Technical Manual
CONTENTS
CHAPTER 1 SYSTEM BASIS ------------------------------------------------------- 15

1.1 Router Configuration Mode ---------------------------------------------------------------------------------------15
1.2 Command line Mode -------------------------------------------------------------------------------------------------15
1.3 Constructing the Configuration Environment-------------------------------------------------------------------19

1.3.1 Configuring a Router through the configuration interface (Console) ----------------------------------- 19
1.3.2 Making configuration through the LINE port of the 56/336modem module--------------------------- 19
1.3.3 Configuring a Router through Telnet -------------------------------------------------------------------------------- 19
1.4 Command Line Interface--------------------------------------------------------------------------------------------24
1.4.1 Command Line On-Line Help---------------------------------------------------------------------------------------- 24
1.4.2 Error Message of Command Line------------------------------------------------------------------------------------ 30
1.4.3 History Command------------------------------------------------------------------------------------------------------ 30
1.4.4 Editing Features -------------------------------------------------------------------------------------------------------- 30
1.4.5 Display Features-------------------------------------------------------------------------------------------------------- 31
CHAPTER 2 SYSTEM CONFIGURATION AND MANAGEMENT --------- 31

2.1 System Configuration -------------------------------------------------------------------------------------------------32
2.1. 1 Configuring the System Name--------------------------------------------------------------------------------------- 32
2.1.2 Configuring the System Calendar------------------------------------------------------------------------------------ 33
2.1.3 Configuring System Users -------------------------------------------------------------------------------------------- 33
2.1.4 Enable Password and Timeout value -------------------------------------------------------------------------------- 33
2.2 System Management ------------------------------------------------------------------------------------------------34
2.2.1 Storage Medium and File Types Supported by Maipu Routers -------------------------------------------------- 34
2.2. 2 Management of the Router File System ---------------------------------------------------------------------------- 35
2.2.1 Displaying the file device information ------------------------------------------------------------------------------ 35
2.2.2 File Management------------------------------------------------------------------------------------------------------- 36
2.2.3 Directory management ------------------------------------------------------------------------------------------------ 38
s
2.2.5 Management of Router Configuration Files ------------------------------------------------------------------------ 38
2. 3 System tools------------------------------------------------------------------------------------------------------------41
2.3.1 The command show---------------------------------------------------------------------------------------------------- 41
2.3.2 Protocol Debugging---------------------------------------------------------------------------------------------------- 42
2.3.3 Network Troubleshooting tools -------------------------------------------------------------------------------------- 43
2.3.4 SysLog (system logging) function ----------------------------------------------------------------------------------- 43
2.3.5 Spy cpu to check cpu utilization rate ------------------------------------------------------------------------------ 44
2.3.6 Examining the Utilization of CPU ----------------------------------------------------------------------------------- 45
2.4 System software update ---------------------------------------------------------------------------------------------45
CHAPTER 3 NETWORK PROTOCOL -------------------------------------------- 55

3.1 IP Address Configuration --------------------------------------------------------------------------------------------56
3.1.1 Introduction to IP Addressing ---------------------------------------------------------------------------------------- 56
3.1.2 Allocating an IP address to an Interface ---------------------------------------------------------------------------- 57
3.1.3 Enabling IP Unnumbered on a Serial Port -------------------------------------------------------------------------- 58
3.1.4 Setting the IP Address Negotiation property on an Interface----------------------------------------------------- 59
3.1.5 Displaying IP Address Configurations ------------------------------------------------------------------------------ 59
3. 2 Address Resolution---------------------------------------------------------------------------------------------------59
3.2.1 Establishing an Address Resolution Protocol (ARP)-------------------------------------------------------------- 59
3.2.2 Defining a Static ARP Cache----------------------------------------------------------------------------------------- 59
3..3 Displaying the ARP cache ------------------------------------------------------------------------------------------60
3.3.1 Domain Name System (DNS) ------------------------------------------------------------------------------------------- 60
3.3.2 Mapping IP addresses to Host Name ----------------------------------------------------------------------------------- 60
3.3.3 Designating a Domain Name -------------------------------------------------------------------------------------------- 61
3.3.4 Designating a Domain Name Server ----------------------------------------------------------------------------------- 61
3.3.5 Designating a Domain Name Service Order--------------------------------------------------------------------------- 61
3.4 IP Protocol --------------------------------------------------------------------------------------------------------------61
3.4.1 Enabling/Disabling IP Route Forwarding------------------------------------------------------------------------------ 61
3.4.2 Permitting/Prohibiting IP to Accept Redirection Messages --------------------------------------------------------- 61
3.4.3 Permitting/Prohibiting IP Receiving Redirection Message---------------------------------------------------------- 62
3.4.4 IP Fast Transmission------------------------------------------------------------------------------------------------------ 62
3.4.5 Configuring IP Protocol Attributes ------------------------------------------------------------------------------------- 62
3.5 ICMP protocol----------------------------------------------------------------------------------------------------------64
3.5.1 Configuring ICMP Options ------------------------------------------------------------------------------------------- 64
3.5.2 Displaying ICMP Statistics ------------------------------------------------------------------------------------------- 64
3.6 IGMP protocol ----------------------------------------------------------------------------------------------------------64
3.7TCP protocol -------------------------------------------------------------------------------------------------------------65
3.7.1 Configuring TCP properties ------------------------------------------------------------------------------------------ 65
3.7.2 Displaying TCP Statistics --------------------------------------------------------------------------------------------- 65
3.8 UDP Protocol -----------------------------------------------------------------------------------------------------------66
3.8.1 Configuring UDP Protocol Attributes ------------------------------------------------------------------------------- 67
3.8.2 Observing UDP Statistic Information ------------------------------------------------------------------------------- 68
3. 9 The Socket Interface -------------------------------------------------------------------------------------------------68
3. 10 Proxy ARP ------------------------------------------------------------------------------------------------------------68
CHAPTER 4 DISCRIPTION OF THE INTERFACE CABLE SIGNALS ----- 68

CHAPTER 5 WAN PROTOCOLS CONFIGURATION ------------------------- 88
5. 1 PPP Protocol -----------------------------------------------------------------------------------------------------------88
5.1.1 Brief Introduction of PPP ------------------------------------------------------------------------------------- 88
5.1.2 Description of basic PPP instructions ----------------------------------------------------------------------- 89
5.1.3 Examples of PPP configuration ------------------------------------------------------------------------------ 90
5.1.4 Configuring PPP Authentication----------------------------------------------------------------------------- 91
5.1.5 Monitoring and Debugging PPP information -------------------------------------------------------------- 92
5.1.6 PPP Address Pool---------------------------------------------------------------------------------------------- 93
5.1.7 PPP Multilink--------------------------------------------------------------------------------------------------- 94
5.1.8 PPP Data Compression ------------------------------------------------------------------------------------------------ 97
5.1.9 PPP BACP (Bandwidth Allocation Control Protocol) and PPP BAP ------------------------------------------- 98
5.1.10 BACP Configuration Commands -------------------------------------------------------------------------------- 98
5.1.11 A PPP BACP Configuration Example --------------------------------------------------------------------------- 101
5.1.12 Monitoring and Debugging PPP BACP ------------------------------------------------------------------------- 103
5.1.13 MPLS Over PPP-------------------------------------------------------------------------------------------------- 103
5.1.14 AAA authorization Over PPP----------------------------------------------------------------------------------- 105
5.1.15 PPP encryption --------------------------------------------------------------------------------------------------- 105
5.1.16 PPP CALLBACK ------------------------------------------------------------------------------------------------ 106
5.1.17 negotiate DNS and WINS over PPP --------------------------------------------------------------------------- 106
5.1.18 Negotiate IP Address over PPP from dialer-map--------------------------------------------------------------- 107
5.1.19 PPP Bridge -------------------------------------------------------------------------------------------------------- 107
5.1.20 Null username CHAP authentication Over PPP ---------------------------------------------------------------- 108
5.2 HDLC protocol -------------------------------------------------------------------------------------------------------- 109
5.2.1 Brief Introduction of Protocol------------------------------------------------------------------------------ 109
5.2.2 The relevant commands of HDLC: ------------------------------------------------------------------------ 109
5.2.3 HDLC Debug Information---------------------------------------------------------------------------------- 110
5.2.4 Configuring HDLC Bridge-connection Mode ----------------------------------------------------------- 110
5.2.5 HDL bridge ----------------------------------------------------------------------------------------------------------- 112
5.3 SLIP protocol---------------------------------------------------------------------------------------------------------- 112
5.3.1 Brief Introduction -------------------------------------------------------------------------------------------- 112
5.3.2 An example of configuration ------------------------------------------------------------------------------- 112
5.4 TCP/IP Packet Header Compression------------------------------------------------------------------------- 113
5.5 X.25 Protocol--------------------------------------------------------------------------------------------------------- 114
5.5.1 Brief Introduction of X.25 ------------------------------------------------------------------------------------------ 115
5.5.2 Description of basic X.25 configuration -------------------------------------------------------------------------- 115
5.5.3 An example of a typical X.25 configuration---------------------------------------------------------------------- 115
5.5.4 Debugging/Monitoring X.25 --------------------------------------------------------------------------------------- 116
5.5.5 The X.25 subinterface --------------------------------------------------------------------------------------- 117
5.5.6 An example of X.25 subinterface configuration --------------------------------------------------------- 118
5.5.7 The switching function of X.25 ---------------------------------------------------------------------------- 119
5.5.8 The PAD function of X.25 ---------------------------------------------------------------------------------- 124
5. 6 Frame Relay Protocol---------------------------------------------------------------------------------------------- 125
5.6.1 Description of basic instructions to configure frame relay ----------------------------------------------------- 129
5.6.2 The typical configuration example of frame relay------------------------------------------------------- 129
5.6.3 The debugging/monitoring of frame relay---------------------------------------------------------------- 130
5.6.4 Frame Relay Reverse Address Resolution Protocol----------------------------------------------------- 131
5.6.5 Frame relay sub-interface ----------------------------------------------------------------------------------- 132
5.6.6 An example of frame relay subinterface configuration ------------------------------------------------- 133
5.6.7 Frame Relay Switch ----------------------------------------------------------------------------------------- 134
5.6.8 Frame-Relay PVC Compression ----------------------------------------------------------------------------------- 137
5.6.9 DE bit support on Frame-Relay ------------------------------------------------------------------------------------ 139
5.6.10 Frame-Relay Fragment -------------------------------------------------------------------------------------------- 140
CHAPTER 6 DDR AND INTERFACE BACKUP ------------------------------ 146

6.1 Dialer Backup --------------------------------------------------------------------------------------------------------- 147
6.1.1 The Configuration of a Built-in Frequency-band MODEM ---------------------------------------------------- 147
6.1.2 Dialer Script ---------------------------------------------------------------------------------------------------------- 150
6.1.3 The Configuration of Dial Backup--------------------------------------------------------------------------------- 152
6.1.4 The Typical Example of Dialer Backup--------------------------------------------------------------------------- 153
6.1.5 Configure Backup load ---------------------------------------------------------------------------------------------- 155
6.2 DDR Dialer Configurations ---------------------------------------------------------------------------------------- 158
6.2.1 Configuring DDR (Dial-On-Demand Routing) ------------------------------------------------------------------ 158
6.2.2 Dialer Callback ------------------------------------------------------------------------------------------------------- 165
6.3 Dialup Prototype (Profile) ------------------------------------------------------------------------------------------ 171
6.3.1 Dialer Interface ------------------------------------------------------------------------------------------------------- 171
6.3.2 Dialer Map-class ----------------------------------------------------------------------------------------------------- 172
6.3.3 Dialer Pool ------------------------------------------------------------------------------------------------------------ 172
6.3.4 Physical Interface ---------------------------------------------------------------------------------------------------- 173
6.3.5 A Sample Configuration -------------------------------------------------------------------------------------------- 173
CHAPTER 7 ROUTING CONFIGURATION ----------------------------------- 175

7. 1 A Brief Introduction to Routing----------------------------------------------------------------------------------- 175
7.2 Configuring Static Routes/Default Routes -------------------------------------------------------------------- 176
2.1 Configuring static route ------------------------------------------------------------------------------------- 176
2.2 Configuring the default route------------------------------------------------------------------------------- 176
7.3 Configuring RIP Dynamic Routing------------------------------------------------------------------------------ 177
7.3.1 The Description of Relevant Commands to Configure RIP -------------------------------------------- 178
7.3.2 An Example of RIP Configuration ------------------------------------------------------------------------ 179
7.3.3 Debugging RIP ----------------------------------------------------------------------------------------------- 180
7.4 Configuring OSPF Dynamic Routing---------------------------------------------------------------------------- 181
7.4.1 Description of Relevant Commands Configuring OSPF ----------------------------------------------- 181
distribute-list <1_1000> --------------------------------------------------------------------------------------------------- 181
hello-interval ---------------------------------------------------------------------------------------------------------------- 182
7.4.2 An Example of OSPF Configuration ---------------------------------------------------------------------- 189
7.4.3 Debugging/Monitoring OSPF ------------------------------------------------------------------------------ 186
7.5 Configuring IRMP Dynamic Route------------------------------------------------------------------------------- 194
7.5.1 Description of relevant commands configuring IRMP---------------------------------------------------------- 194
7.5.2 An Example of an IRMP Configuration ------------------------------------------------------------------ 196
7.5.3 Debugging/monitoring IRMP ---------------------------------------------------------------------------- 197
7.6 Configuring SNSP Route --------------------------------------------------------------------------------------- 198
7.6.1 Description of Relevant Commands for Configuring SNSP ----------------------------------------- 198
7.6.2 An Example of SNSP Configuration-------------------------------------------------------------------- 198
7.7 Configuring VBRP --------------------------------------------------------------------------------------------------- 199
7.7.1 Related VBRP Configuration Commands ------------------------------------------------------------------------ 200
7.7.2 An Example of VBRP Configuration ----------------------------------------------------------------------------- 203
7.7.3 Monitoring and Debugging VBRP -------------------------------------------------------------------------------- 203
7.8 Configuring VRRP --------------------------------------------------------------------------------------------------- 204
7.8.1 Related VRRP Configuration Commands ------------------------------------------------------------------------ 204
7.8.2 An Example of VRRP Configuration ----------------------------------------------------------------------------- 206
7.8.3 Monitoring and Debugging VRRP -------------------------------------------------------------------------------- 207
7. 9 Configuring Snapshot Routing----------------------------------------------------------------------------------- 207
7. 9.1 Related Descriptions of Snapshot Routing Configuration Commands --------------------------------------- 208
7. 9.2 An Example of Snapshot Routing--------------------------------------------------------------------------------- 209
7. 9.3 Monitoring and Debugging Snapshot Routing ------------------------------------------------------------------ 210
7. 10 Configuring Policy Route ---------------------------------------------------------------------------------------- 211
7.10.1 Related Descriptions of Policy Route Configuration Commands -------------------------------------------- 211
7.10.2 An example of policy route configuration----------------------------------------------------------------------- 212
7.10.3 Monitoring and Debugging of Policy Route -------------------------------------------------------------------- 214
7.11 Configuring M-VRF ------------------------------------------------------------------------------------------------ 215
7.11.1 Related Descriptions of M-VRF Configuration Commands -------------------------------------------------- 215
7.11.2 An Example of M-VRF Configuration -------------------------------------------------------------------------- 217
7.11.3 Monitoring and Debugging M-VRF ----------------------------------------------------------------------------- 220
7.12 Load Balance-------------------------------------------------------------------------------------------------------- 221
7.12.1 Description Of Relevant Commands Supporting Load Balance--------------------------------------- 221
7.12.2 An Example Load Balance Configuration---------------------------------------------------------------- 222
7.12.3 Monitoring and Debugging Load Balance---------------------------------------------------------------- 223
7.13 Configuring BGP Dynamic Routing Protocol ---------------------------------------------------------------- 223
7.13.1 Related Descriptions of BGP Configuration Commands--------------------------------------------------------- 223
7.13.2 Examples of BGP Configuration ------------------------------------------------------------------------------------ 234
7.13.3 BGP Monitoring and Debugging ------------------------------------------------------------------------------------ 243
CHAPTER 8 CONFIGURING SNA----------------------------------------------- 251

8. 1 Data Link SwitchingÄDLSwÅ------------------------------------------------------------------------------------- 251
8.1.1 Configuring the Commands Relevant to DLSw ----------------------------------------------------------------- 252
8.1.2 Debugging and Monitoring --------------------------------------------------------------------------------- 254
8.2 Synchronous Data Link Control (SDLC) --------------------------------------------------------------------------- 256
8.2.1 The Relevant Configuring Commands of SDLC ---------------------------------------------------------------- 257
8.2.2 Configuring the Relevant Operations of SDLC on an Interface ----------------------------------------------- 259
8.2.3 The Debugging Information of SDLC ---------------------------------------------------------------------------- 259
8.2.4 Typical Network Construction Mode of SNA Application ----------------------------------------------------- 261
8.2.5 The typical SNA configuration of Maipu Router ---------------------------------------------------------------- 261
8. 3 LLC2 -------------------------------------------------------------------------------------------------------------------- 265
8.4 QLLC -------------------------------------------------------------------------------------------------------------------- 267
8.4.1 QLLC Configuring Commands ------------------------------------------------------------------------------------ 267
8.4.2 Typical QLLC Configuration--------------------------------------------------------------------------------------- 269
8.4.3 QLLC Debugging/Monitoring ------------------------------------------------------------------------------------- 270
CHAPTER 9 IP TELEPHONE CONFIGURATION -------------------------- 276

9.1 Configure Voice Card Interface -------------------------------------------------------------------------------------- 276
9.1.1 Relevant Commands------------------------------------------------------------------------------------------------- 276
9.1.2 A Simple Example of Configuration ---------------------------------------------------------------------- 278
9. 2 Configuring VoIP ------------------------------------------------------------------------------------------------------ 278
9.2.1 Relevant Commands------------------------------------------------------------------------------------------------- 279
9.2.2 The Usage of the Basic Commands-------------------------------------------------------------------------------- 281
9.2.3 The Usage of the Extended Configuration------------------------------------------------------------------------ 281
9.2.4 Configuration Example---------------------------------------------------------------------------------------------- 281
9.3 Configuring the Maipu Router as a H.323 Voice Gateway ------------------------------------------------------- 286
9.3.1 Basic Concepts ------------------------------------------------------------------------------------------------------- 287
9.3.2 Configuring H.323 Voice Gateway -------------------------------------------------------------------------------- 287
9. 4 IP Telephone Debugging Switch ------------------------------------------------------------------------------------ 287
CHAPTER 10 TERMINAL CONFIGURATION-------------------------------- 290

10.1 Terminal Protocol--------------------------------------------------------------------------------------------------- 291
10.1.1 Configuring the Terminal Protocol ---------------------------------------------------------------------------------- 291
10.1.1.1 Creating/Configuring Terminal Template --------------------------------------------------------------------- 291
10.1.1.2 The Interface Encapsulation Terminal Link Protocol-------------------------------------------------------- 293
10.1.1.3 Applying the Terminal Module to a Terminal Protocol Interface ------------------------------------------ 295
10.1.2 An Example of Terminal Protocol Configuration ----------------------------------------------------------------- 294
10.1.3 Related Terminal Debugging Commands -------------------------------------------------------------------------- 295
10.2 MPDLC Protocol---------------------------------------------------------------------------------------------------- 296
10.2.1 Configuring MPDLC Protocol--------------------------------------------------------------------------------------- 297
10.2.1.1 Creating/Configuring Terminal Template --------------------------------------------------------------------- 297
10.2.1.2 Encapsulating Interface with MPDLC Link Protocol ------------------------------------------------------- 297
10.2.1.3 Applying the Terminal Template to a MPDLC Interface --------------------------------------------------- 298
10.2.2 An Example of MPDLC Configuration ---------------------------------------------------------------------------- 298
10.2.3 Related MPDLC Debugging Commands--------------------------------------------------------------------------- 298
10.3 X.3 PAD Terminal -------------------------------------------------------------------------------------------------- 298
10.3.1 Configuring the X.3 PAD Terminal --------------------------------------------------------------------------------- 299
10.3.1.1 Creating/Configuring a Terminal Template ------------------------------------------------------------------- 299
10.3.1.2 Configuring X.25 Link-layer Protocol------------------------------------------------------------------------- 299
10.3.1.3 Applying a Terminal Template to X.3 PAD------------------------------------------------------------------- 299
10.3.1.4 An Example of X.3 PAD Terminal Configuration ----------------------------------------------------------- 299
10.3.1.5 The Related Debugging Commands of the X.3 PAD Terminal -------------------------------------------- 301
10.3.2 Configuring UNIX Server -------------------------------------------------------------------------------------------- 301
10.3.2.1 Configuring Itest Parameters ----------------------------------------------------------------------------------- 301
10.3.2.2 Configuring SCO UNIX----------------------------------------------------------------------------------------- 304
10.3.2.3 Configuring AIX UNIX ----------------------------------------------------------------------------------------- 306
10.3.2.4 Configuring SUN UNIX ---------------------------------------------------------------------------------------- 307
10.3.2.5 Configuring HP UNIX------------------------------------------------------------------------------------------- 309
10.3.2.6 Adjusting UNIX Kernel Parameters --------------------------------------------------------------------------- 311
10.3.2.7 TELNET Fix-terminal ------------------------------------------------------------------------------------------- 312
10.3.2.8 Itest Terminal Management ------------------------------------------------------------------------------------- 312
10.4 Comparison of New/ Old Version of IOS Configuration--------------------------------------------------- 312
10.4.1 The Comparison of Terminal Number Distribution --------------------------------------------------------------- 312
10.4.2 The Comparison of Interface Configuration ----------------------------------------------------------------------- 314
10.4.3 The Configuration of Itest.conf Adopting Encryption and Compression -------------------------------------- 314
10.4.4 Examples of New/Old Configuration of Maipu Router ---------------------------------------------------------- 314
CHAPTER 11 SECURITY CONFIGURATION--------------------------------- 316

11.1 Firewall Configuration --------------------------------------------------------------------------------------------- 316
11.1.1 Access Lists --------------------------------------------------------------------------------------------------------- 316
11.1.2 Correlative Firewall Configuration------------------------------------------------------------------------------- 321
11.1.3 Applying Access Lists To An Interface-------------------------------------------------------------------------- 322
11.1.4 Monitoring And Maintaining Your Firewall -------------------------------------------------------------------- 323
11.1.5 Configuring An Access Channel --------------------------------------------------------------------------------- 323
11.1.6 Time Limit Packet Filtering --------------------------------------------------------------------------------------- 325
11.1.7 Media Access Control (MAC) Address Packet Filtering ------------------------------------------------------ 327
11.1.8 A Few Points About Firewall Configuration-------------------------------------------------------------------- 328
11.1.9 Examples------------------------------------------------------------------------------------------------------------- 329
11.2 Network Address Translation (NAT) Configuration--------------------------------------------------------- 334
11.2.1 NAT Confirgation Points To Keep In Mind --------------------------------------------------------------------- 335
11.2.2 NAT Configuration Commands----------------------------------------------------------------------------------- 335
11.2.3 Interior Source Address Translation------------------------------------------------------------------------------ 337
11.2.4 Interior Destination Address Translation ------------------------------------------------------------------------ 339
11.2.5 Timeout Alteration ------------------------------------------------------------------------------------------------- 340
11.2.6 NAT Monitoring And Maintenance ------------------------------------------------------------------------------ 340
11.3 Easy IP Configuration ------------------------------------------------------------------------------------------- 343
11.3.1 Configuring Easy IP------------------------------------------------------------------------------------------------ 343
11.3.2 Easy IP Configuration Case --------------------------------------------------------------------------------------- 343
11. 4 Access Control List (ACL) User Group Control Configurations ---------------------------------------- 344
11.4.1 Subnet Isolation ----------------------------------------------------------------------------------------------------- 344
11.4.2 User Rights Management ----------------------------------------------------------------------------------- 344
11. 5 IPsec Network Security Configuration------------------------------------------------------------------------ 352
11.5.1 Configuring IPsec--------------------------------------------------------------------------------------------------- 352
11.5.2 Monitoring and Debugging IPsec -------------------------------------------------------------------------------- 367
11.5.3 IPsec Configuration Case ------------------------------------------------------------------------------------------ 369
11. 6 Encryption Module Usage --------------------------------------------------------------------------------------- 374
11.6.1 Features -------------------------------------------------------------------------------------------------------------- 374
11.6.2 Encryption Module Application --------------------------------------------------------------------------- 374
11.7 Configuring IKE ----------------------------------------------------------------------------------------------------- 375
11.7.1 Configuring IKE ---------------------------------------------------------------------------------------------------- 376
11.7.2 Monitoring And Debugging IKE --------------------------------------------------------------------------------- 381
11.7.3 Configuration Examples ------------------------------------------------------------------------------------------- 383
11. 8 Configure Virtual Private Dial-up Network (VPDN)-------------------------------------------------------- 388
11.8.1 Global VPDN Configuration ----------------------------------------------------------------------------------------- 388
11.8.2 Special LAC configuration ------------------------------------------------------------------------------------------- 389
11.8.3 Special LNS Configuration------------------------------------------------------------------------------------------- 390
11.8.4 Configure VPDN Tunnel --------------------------------------------------------------------------------------------- 391
11.8.5 Configure the Virtual Template Interface--------------------------------------------------------------------------- 391
11.8.6 Example of VPDN Configuration ----------------------------------------------------------------------------------- 392
11.8.7 VPDN Monitoring and Debugging---------------------------------------------------------------------------------- 393
11.9 Configure GRE------------------------------------------------------------------------------------------------------ 394
11.9.1 Relative Commands to Configure GRE ---------------------------------------------------------------------------- 394
11.9.2 Example of GRE Configuration ------------------------------------------------------------------------------------- 395
10.9.3 GRE Checking and Debugging -------------------------------------------------------------------------------------- 395
11.10 Configuration of Digital Certificate ---------------------------------------------------------------------------- 398
11.10.1 Parsing of Terminologies Relative with Digital Certificate----------------------------------------------------- 398
11.10.2 Introduction to digital certificate ----------------------------------------------------------------------------------- 399
11.10.3 Configuration of Certificate----------------------------------------------------------------------------------------- 399
CHAPTER 12 QUALITY OF SERVICE (QOS) CONFIGURATION ------- 407

12. 1 First In First Out (FIFO) ------------------------------------------------------------------------------------------ 408
12. 2 Priority Queuing (PQ) -------------------------------------------------------------------------------------------- 408
12. 2.1 Distribute The Packet Queue and Priority Class--------------------------------------------------------------- 408
12. 2.2 Configure Priority Queuing -------------------------------------------------------------------------------------- 408
12. 2.3 Adjust The Priority Queue Size ---------------------------------------------------------------------------------- 409
12. 2.4 Choose Packet Drop-type Algorithm---------------------------------------------------------------------------- 410
12. 2.5 Configure A RED Group ----------------------------------------------------------------------------------------- 410
12. 2.6 Example ------------------------------------------------------------------------------------------------------------- 410
12. 3 Weighted Fair Queue (WFQ) ----------------------------------------------------------------------------------- 413
12. 4 Customer Queuing (CQ)----------------------------------------------------------------------------------------- 414
12. 4.1 Assign A Queue In CQ Mode ------------------------------------------------------------------------------------ 414
12. 4.2 Configure CQ ------------------------------------------------------------------------------------------------------ 414
12. 4.3 Adjust CQ User Attributes---------------------------------------------------------------------------------------- 416
12. 4.4 Choose Packet Drop-type Algorithm---------------------------------------------------------------------------- 416
12. 4.5 Debugging ---------------------------------------------------------------------------------------------------------- 417
12. 4.6 An example --------------------------------------------------------------------------------------------------------- 417
12. 5 Weighted Random Early Detect Queue (WREDQ) ------------------------------------------------------- 418
12. 6 Class-Based Weighted Fair Queue(CBWFQ)-------------------------------------------------------------- 418
12. 6.1 Define A Match Class --------------------------------------------------------------------------------------------- 419
12. 6.2 Define A CBWFQ Policy----------------------------------------------------------------------------------------- 419
12. 6.3 Apply The Defined CBWFQ Policy To An Interface --------------------------------------------------------- 420
12. 6.4 Debugging ---------------------------------------------------------------------------------------------------------- 421
12. 6.5 Example ------------------------------------------------------------------------------------------------------------- 421
12. 7 Bandwidth Management----------------------------------------------------------------------------------------- 422
12. 8 Traffic Shaping ----------------------------------------------------------------------------------------------------- 423
12. 9 RSVP (Resource Reservation Protocol)--------------------------------------------------------------------- 423
CHAPTER 13 802.1Q SPECIFICATIONS-------------------------------------- 427

13.1 802.1Q Configuring Principles ---------------------------------------------------------------------------------- 427
13.1.1 VLAN Functions --------------------------------------------------------------------------------------------------- 427
13.1.2 One-Armed Routing------------------------------------------------------------------------------------------------ 427
13.1.3 Subnet Isolation----------------------------------------------------------------------------------------------------- 427
13.2 802.1Q Configuring Commands-------------------------------------------------------------------------------- 428
13.2.1 Configuring 802.1Q Commands---------------------------------------------------------------------------------- 428
13.2.2 A Typical One-Armed Router Application---------------------------------------------------------------------- 428
13.2.3 A Typical Subnet Isolation Application ------------------------------------------------------------------------- 431
13.2.4 Displaying Configuration Statistics ------------------------------------------------------------------------------ 431
CHAPTER 14 DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

CONFIGURATION ------------------------------------------------------------------ 434
14. 1 Introduction of DHCP--------------------------------------------------------------------------------------------- 434
14. 2 Configuration of DHCP------------------------------------------------------------------------------------------- 434
14. 2.1 DHCP Configuration Task List ---------------------------------------------------------------------------------- 434
14. 2.2 The Relative Commands ------------------------------------------------------------------------------------------ 434
14. 2.3 Configure DHCP--------------------------------------------------------------------------------------------------- 434
14. 3 DHCP Configuration Case -------------------------------------------------------------------------------------- 435
14. 4 Examine the Status and the Debug--------------------------------------------------------------------------- 436
CHAPTER 15 NDSP PROTOCOL CONFIGURATION ----------------------- 437

15.1 Commands----------------------------------------------------------------------------------------------------------- 437
15.2 Examples------------------------------------------------------------------------------------------------------------- 437
CHAPTER 16 SNMP CONFIGURATION --------------------------------------- 439

16.1 SNMP Instruction Set --------------------------------------------------------------------------------------------- 439
16.2 Simple Network Management Protocol (SNMP) Configuration----------------------------------------- 439
16.3 Remote Network Monitoring (RMON) ------------------------------------------------------------------------- 452
16.3 Remote Network Monitoring (RMON) ------------------------------------------------------------------------- 452
CHAPTER 17 NETWORK TEST AND TROUBLESHOOTING ----------- 460

17.1 Network Test Tools------------------------------------------------------------------------------------------------- 460
17.1.1 Ping ------------------------------------------------------------------------------------------------------------ 460
17.1.2 Traceroute ----------------------------------------------------------------------------------------------------------- 461
17.1.3 Netstat---------------------------------------------------------------------------------------------------------------- 461
17.1.4 Show ----------------------------------------------------------------------------------------------------------------- 462
17.2 How To Diagnose A Network Failure -------------------------------------------------------------------------- 462
17.2.1 Diagnosing LAN Port Failures ----------------------------------------------------------------------------------- 462
17.2.2 Diagnosing WAN Port Failures ----------------------------------------------------------------------------------- 501
CHAPTER 18 SOFTWARE UPGRADE ---------------------------------------- 463

18.1 The Upgrade of ROOT-------------------------------------------------------------------------------------------- 463
18.1.1 Upgrade the Hex File of the ROOT program through the Console Interface------------------------------- 463
18.2 The Upgrade of an Application (IOS) ------------------------------------------------------------------------- 466
18.2.1 Upgrade the Bin File of an Application through TFTP/FTP-------------------------------------------------- 466
18.2.2 Upgrade the Bin File of an Application through the Console Interface ------------------------------------- 468
18.2.3 Upgrade the Hex File of an Application through the Console Interface ------------------------------------ 470
CHAPTER 19 SNTP CONFIGURATION -------------------------------------- 475

19.1 Relevant commands to configure SNTP --------------------------------------------------------------------- 475
19.2 An Example of SNTP Configuration --------------------------------------------------------------------------- 475
19.3 Checking and Debugging SNTP ----------------------------------------------------------------- 482
19.4 Configuring the Time Zone ------------------------------------------------------------------------ 482
19.5 An Example of Time Zone Configuration --------------------------------------------------------------------- 483
CHAPTER 20 MULTICAST ROUTE CONFIGURATION ------------------ 484

20.1 Configure IGMP -------------------------------------------------------------------------------------- 484
20.1.1 Descriptions of commands to configure IGMP ---------------------------------------------------------- 484
20.1.2 An Example of IGMP Configuration---------------------------------------------------------------------- 484
20.1.3 Monitoring and Debugging IGMP------------------------------------------------------------------------- 484
20.2 Configure PIM-SM ----------------------------------------------------------------------------------- 484
20.2.1 Descriptions of Commands to Configure PIM-SM------------------------------------------------------ 485
20.2.2 An PIM-SM Configuration Example---------------------------------------------------------------------- 487
20.2.3 Monitoring and Debugging PIM-SM --------------------------------------------------------------------- 488
CHAPTER 21 AAA CONFIGURATION----------------------------------------- 492

21.1 Descriptions of Command Relevant with AAA------------------------------------------------ 492
21.2 An Example of AAA Configuration ----------------------------------------------------------------------------- 492
21.3 Checking and Debugging AAA ---------------------------------------------------------------------------------- 495
CHAPTER 22 MPLS CONFIGURATION -------------------------------------- 497

22.1 Brief Introduction to MPLS --------------------------------------------------------------------------------------- 492
22.2 Descriptions of commands to configure MPLS ----------------------------------------------- 492
22.3 An Example of MPLS\VPN Configuration -------------------------------------------------------------------- 495
CHAPTER 23 INTERFACE CONFIGURATION------------------------------- 506

23.1 Interface Types ----------------------------------------------------------------------------------------------------- 506
23.1.1 Interface Types Presently Supported by Maipu Routers---------------------------------------------------------- 506
23.1.2 Configuring Interfaces ------------------------------------------------------------------------------------------------ 506
23.2 Configuring an Ethernet Port ------------------------------------------------------------------------------------ 506
23.2.1 The Protocols Supported by Maipu Series Router ---------------------------------------------------------------- 506
23.2.2 Configuring Network Address ----------------------------------------------------------------------------------------- 06
23.2.3 Configuring an Vlan Interface --------------------------------------------------------------------------------------- 506
23.2.4 Establishing Address Resolution (ARP)---------------------------------------------------------------------------- 506
23.2.4.1 Defining a Static ARP Buffer----------------------------------------------------------------------------------- 506
23.2.4.2 Examining ARP Buffer ------------------------------------------------------------------------------------------ 506
23.2.5 Proxy ARP-------------------------------------------------------------------------------------------------------------- 506
23.2.6 Monitoring and Maintenance ---------------------------------------------------------------------------------------- 506
23.3Configuring High-speed Serial Interface ---------------------------------------------------------------------- 506
23.3.1 Configuring an Asynchronous Serial Interface ---------------------------------------------------------------------- 74
23.3.2 Configuring a Synchronous Serial Interface ------------------------------------------------------------------------- 75
23.3.2.1 Configuring the Operation Mode of a Synchronous Serial Interface ---------------------------------------- 75
23.3.3 Monitoring and Maintenance ------------------------------------------------------------------------------------------ 75
23.4 Configuring a 16-asyn-serial-interface module ---------------------------------------------------------------76
23.5 Configuring a CE1 Module-----------------------------------------------------------------------------------------77
23.5.1 Configuring a CE1 interface ------------------------------------------------------------------------------------------- 77
23.5.2 Monitoring a CE1 Module --------------------------------------------------------------------------------------------- 79
23.6 Configuring an E1 module -----------------------------------------------------------------------------------------79
23.6.1 Configuring an E1 Interface-------------------------------------------------------------------------------------------- 79
23.6.2 Monitoring an E1 Interface--------------------------------------------------------------------------------------------- 81
23.7 Configuring an 8-port Synchronous Module -------------------------------------------------------------------81
23.7.1 Configuring an 8S Interface -------------------------------------------------------------------------------------------- 81
23.7.2 Monitoring an 8s Interface --------------------------------------------------------------------------------------------- 83
23.8 Configuring a Built-in Base-band Modem ----------------------------------------------------------------------83
23.8.1 Configuring a Single-port 128 Modem Module --------------------------------------------------------------------- 83
23.8.2 Configuring an 8-port 128 Modem Module-------------------------------------------------------------------------- 83
23.9 Configuring a Built-in MODEM Module -------------------------------------------------------------------------84
23.9.1 Configuring a Built-in MODEM Module ---------------------------------------------------------------------------- 84
23.9.2 Built-in MODEM Debugging------------------------------------------------------------------------------------------ 85
23.10 Configuring an ISDN Module --------------------------------------------- Error! Bookmark not defined.
Chapter 1 System Basis
This chapter mainly describes the basic concepts of the InfoExpress IOS system in Maipu’s Router Series. Included in this
chapter are relevant concepts, such as the InfoExpress system mode, the preparation of the configuration environment, the
command line interface and so on.
The main contents of this chapter are as follows:
o Router Configuration mode

o Command run mode
o Constructing the configuration environment
o Command line interface
1.1 Router Configuration Mode
Maipu routers provides users with four typical configuration modes:
o Use the command shell to configure through the console interface;

o Configuration through LINE interface of 56/336 modem module;
o Configuration through Telnet remote log in a router;
o Configuration through SNMP network management system.
The last configuration mode provides users with the interface of the English version, which is mainly used for users to
monitor the working status of a network and to collect statistical information of the system.
This manual describes the configuration mode of the router through the interface console. The other two modes, which
configure the router through the interface LINE in 56/336modem and Telnet remote login, are similar to the former. The
detail of the last mode that configures the router through SNMP can refer to the router network managing system
specifications.
1.2 Command line Mode
InfoExpress IOS of Maipu’s MP Router series provides a special subsystem dealing with commands for management and
execution of system commands, which is called shell. The main functions of shell are as follows:
o Registration of system commands

o User edit of system configuration commands
o Syntax parsing of commands inputted by users (through interface console or Telnet link )
o Execution of system command
When a user configures a router through the command shell, the system provides many kinds of run modes for the execution
of the command. Each command mode respectively supports the special InfoExpress IOS configuring command. Accordingly
this attains the aim of hierarchy protection of the system, and ensures against unauthorized access to the system.
The Shell subsystem presently provides the following modes for running the configuring commands, and each different mode
is corresponding with a different system prompt that is employed to tell users in which mode he/she is presently operating.
These modes are:
o Common user mode (User EXEC)

o Privileged user mode (Privileged EXEC)
o Global configuration mode (Global configuration)
o Interface configuration mode (Interface configuration)
o Route configuration mode (route configuration)
o File system configuration mode (file system configuration)
o Access list configuration mode (access list configuration)
o Voice-port configuration mode (voice-port configuration)
o Dial-peer configuration mode (dial-peer configuring)
o Encryption transform configuration mode (crypto transform-set configuration)
o Encryption mapping configuration mode (crypto map configuration)
o IKE policy configuration mode (isakmp configuration)
o Pub key chain configuration mode (pubkey-chain configuration)
o Pub key configuration mode (pubkey-key configuration)
o DHCP configuration mode(dhcp configuration)
Other configuration modes will be introduced in relevant chapters.
Table 1-1 describes methods of entering different command modes and how to switch between different modes.
Table 1-1 the InfoExpress system modes and the switch methods between modes
Method of Exiting method Function

Mode name System prompt
Entering mode description
Alters the terminal
configuration.
The common Execute the command exit Executes the basic
Login router>
user mode to exit. testing.
Displays the system
information.
Execute the command

Execute the disable to come back to the Configures the
The user mode.
command enable executing
Privileged router#
in the common parameters of the
user mode
user mode. Execute the command router.
configure to enter the
global configuration mode
Execute the
command Execute the command exit
configure in to come back to the
The global Configures the
privileged user privileged user mode.
configura-tion Router(config)# global parameters
mode and specify Execute the command
mode needed for the
the corresponding interface to enter the
keyword at the router running.
interface configuration
same time. mode.
Configures the
interface of the
router in the mode,
including:
Execute the
command Configures the
interface in global Ethernet interface;
Interface configuration Execute the command exit Configures the
router(config-if- serial interface;
Configura- mode (and to come back to the
xxx[number])#
tion mode designate the privileged user mode. Configures the
corresponding interface ISDN;
interface at the
same time) Configures the
interface IP phone;
Configures the
interface E1.
Configures IP
routing protocol in
Execute the the mode, including:
corresponding router(config-static)#
The routing route configuring router(config—rip)# Execute the command exit Static routing
configura-tion command in to return to the privileged
mode global router(config-ospf)# user mode.
configuration router(config-irmp)# RIP dynamic routing
mode.
The IRMP
configuration mode
In global
configuration
Finishes the file
File system mode, a user
Execute the command exit system management
configura-tion enters this mode router (config-fs)#
to return to the privileged of the router.
mode through the
command user mode. Upgrades the router
filesystem. software.
In global
configuration
mode, a user Configures the
enters the mode access list of the
The access through the firewall, including:
list command ip router(config-std-nacl)# Execute the command exit Configures of the
configuration access-list, and router(config-ext-nacl)# to return to the global standard access list.
mode designates the configuration mode.
corresponding
keys and Configures the
parameters extended access list.
simultaneously.
In global
configuration
mode, a user
enters the mode
The voice-
through the
port Execute the command exit
command voice- router(config-voice-port)# Configures the
configura-tion to come back to the global
port, and voice-port.
mode configuration mode.
designates the
corresponding
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
through the
The dial-peer Configures VoIP.
command dial- Execute the command
configura-tion router(config-dial-peer)#
peer, and exit to come back to the Configures POTS.
mode
designates the global configuration mode.
corresponding
keys and
parameters
simultaneously.
Configures the
The In global router(cfg-crypto-trans)# Execute the command exit encryption transform
encryption configuration to come back to the global set.
transform mode, a user configuration mode.
configura- enters the mode
tion mode through the
command crypto
ipsec transform-
set, and designates
the corresponding
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
The through the
Execute the command exit Configures the
encryption command crypto
router(cfg-crypto-map)# to come back to the global encryption mapping
mapping map, and
configuration mode. items.
configura- designates the
tion mode corresponding
keys and
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
The IKE through the
policy Configures the IKE
command crypto Execute the command exit policy.
router(config-isakmp)#
Configura- isakmp, and to come back to the global
tion mode designates the configuration mode.
corresponding
keys and
parameters
simultaneously.
In global
configuration
The public mode, a user
key chain Configures the RSA
enters the mode router(config-pubkey- Execute the command exit
configura- public key to be
through the chain)# to return to the global used.
tion mode command crypto configuration mode.
key pubkey-
chain rsa.
In config-pubkey-
chain mode, a user
enters the mode
through the
Public key command named-
Execute the command exit
configura- key or Configures the
router(config-pubkey-key)# to return to the config-
addressed-key public key.
tion mode pubkey-chain mode.
and designates the
corresponding
keys and
parameters
simultaneously.
In the global
The DHCP configuration
Configura- mode, a user Execute the command exit
router(dhcp-config)# Configures DHCP.
enters the mode to return to the global
tion mode through the configuration mode.
command
router(config)#ip
dhcp pool, and
designates
thecorresponding
key words and
parameters
simultaneously.
Note
The word router is the default system name of a router when it leaves the factory. Users can rename the system name by
executing the command hostname in the global configuration mode, and the alteration can go into effect instantly.
1.3 Constructing the Configuration Environment

Users can use the command line provided by a router in four different ways. These approaches are introduced respectively as
follows:
1.3.1 Configuring a Router through the configuration interface (Console)
The following steps are used to connect with a terminal and configure the router through the port Console:
Choosing a terminal:
The terminal can be a standard one with RS-232 serial port or a common PC and the later is used more frequently. If making
configuration from the remote end, you will need two more modems.
After affirming that at either the router or the terminal is shutdown, please connect the RS-232 serial port of the terminal with
the Console port of the router. The connection relationship is shown in figure 1-2:
Constructing local
configuration environment
MAIPUROUTER
PC for
configuration
Configuring
port
Serial of PC
Cable of
configuring prot
Figure 1-2 connection sketch map of local configuring the router
Figure 1-3 Creating a Connection
Creating a
connection:(Figure
Power up the terminal, configuring the communication parameters of the terminal: 9600bps Baud rate, 8 data1-3)
bits, no parity,
1 stop bit, and no flow control, choose VT100 as the type of terminal.
Choose a name for the
connection
If the PC is running Win95/98/2000/NT operating system, you can use the Hyper Terminal – Maipu
program, and set the serial port
parameters of HyperTerminal program according to above parameters.
(Or choose any other
The following example shows the HyperTerminal program running in Windows NT:name)
Choosing serial communication Choosing a windows

port (Figure 1-4) icon for the created
connection
This example shows the
configuration communication
parameters of HyperTerminal
program:
Choose COM1 or COM2

according to the serial port
connected
(Figure 1-4) Choosing serial communication port

Configuring the parameters of
the serial communication port
(Figure 1-5)
Baud ratio (Bits per second) --

- 9600bps
Data bits --- 8
Parity ---no
Stop bit----1
Flow control---None
Figure 1-5 Configuring the parameters of the serial communication port
Power on the router, and press Enter the key on the terminal, then a prompt “router>”will be displayed on the
terminal and the router can be configured. (Where the word “router” is the actual name of the router.)
1.3.2 Making configuration through the LINE port of the 56/336modem module
If the 56/336modem module has been configured in the router, the DIP dial-up switch of the module can be used to configure
the working mode of the port LINE .The usage of the switch DIP can be shown in the table 1-2:
Choosing mode Configuring the DIP switch Interpretation

1 2
1. 56/336MODEM mode OFF OFF LINE port is used as the
interface of the inside
56/336MODEM.
2. Console port mode ON OFF The LINE port is used as a
CONSOLE port, and the router
can be configured through the
remote dial-up login.
Table 1-2 Usages of DIP dial-up switch in the 56/336modem module
1.3.3 Configuring a Router through Telnet
If the IP address of each interface on the router has been configured correctly, then Telnet can be used to log in the router
through LAN or WAN and the router can be configured.
1) Configuring through a LAN

3& I RU FRQI L JXU DW L RQ 3& 3&
W KH U RXW HU W R FRQI L JXU H
6HU YHU
- Connect the network interface of computer with the Ethernet port of the router on the LAN.
- Run the Telnet client application program on a computer in the LAN.
- Configure the default mode (preference) of the Telnet terminal.
The contents of the configuration should be set as: terminal ->default mode -> simulation option select VT100/ANSI.
Note:
During the configuration of the Telnet client program, the option “local response (each display)” must be canceled.
Otherwise it will repeatedly display the contents inputted by the user which will adversely effect the normal employment of
the command edit function of the shell subsystem.
Type in the IP address of the router, and establishing Telnet connection to the router.
Set the Host Name as having the IP address of the router: 128.255.255.1
Configure the port as Telnet (23);

Configure the terminal type as TCP/IP (Winsock);
(The other operations are the same as the configuration through the console interface.)
2) Configuration through the WAN:
Connect the configured computer to the remote router through LAN router
Run the Telnet client program application program on the locally configured computer
The following steps are the same as that of configuration through LAN
3& I RU &RQI L JXU L QJ W KH U HPRW H U RXW HU

FRQI L JXU DW L RQ W KU RXJK 3& I RU FRQI L JXU DW L RQ L Q /$1
3& 3& 3&
:$1
/$1
6\QFKU RQRXV
DV\QFKU RQRXV SRU W 6\QFKU RQRXV
/RFDO DV\QFKU RQRXV SRU W
U RXW HU
5RXW HU ZDL W L QJ I RU
FRQI L JXU DW L RQ
/$1 6HU YHU
3) Configuring a remote router through a local router
Run the Telnet client program on the local router, and configure a remote-end router by logging on to its network. The
method is the same as the one of configuring a router through Telnet on network. The connection figuration is as follows:
&RQI L JXU L QJ U HPRW H HQG U RXW HU W KU RXJK O RFDO U RXW HU
3& 3& 3&
:$1
6\QFKU RQRXV
3& I RU $V\QFKU RQRXV /$1
FRQI L JXU DW L RQ
3& VHU L DO
&RQI L JXU L QJ /RFDO 6\QFKU RQRXV
U RXW HU
SRU W $V\QFKU RQRXV
5RXW HU ZDL W L QJ
&DEO H RI I RU FRQI L JXU DW L RQ
FRQI L JXU L QJ SRU W
/$1 6HU YHU
Note:
When configuring the router through Telnet, do not alter the IP address of the WAN interface hastily. Only when make
sure that the other parameters are configured correctly can you alter the IP address. After the address is altered, Telnet would
disconnect and reestablish the connection. So the connection must be established again after the new IP address is inputted to
the host.
If users log into a Maipu router from a Linux system, the configuration should be made as follows:
First, input the user’s name and password into the Linux system;
Run Telnet client program in shell environment of Linux system to log in the router, using the following command:
telnet 128.255.255.1
After the command is executed, the output is as follows:
Connected to 128.255.255.1 ...done
Display the system prompt of the router:
router>
Press the keys “^” and “]” simultaneously to return to the prompt of telnet program:
telnet>
Execute the command to cancel the local binary mode:
telnet> unset binary
Already in network ASCII mode with remote host.
router>
After the above operations are completed, the command editing environment in shell system can work normally.
IF users log in the router through another type of Telnet client program, and the command edit environment works
abnormally, please configure the Telnet client program according to the above mentioned specifications.
1.4 Command Line Interface
The Command Line interface is an interactive interface provided by the shell subsystem for users to configure and use a
router. Users can perform the corresponding configuration tasks through the command line interface. At the same time, users
can also examine the system information and see the running status of the system through the interface.
The Command Line interface provides users with the following functions:
- System help information management;
- Inputting and editing of system commands;
- Interface history commands management;
- Terminal displaying system management.
1.4.1 Command Line On-Line Help
The Command Line provides the following kinds of on-line helps:

help
full help
partial help
By means of the above help methods, users can get various kinds of help information, illustrated respectively as follows:
1) In any command mode, type help to obtain simple descriptions about the help system:
router>help
Help may be requested at any point in a command by typing a question mark: '?'. If nothing matches, the help list will be
empty and you must backup until entering a '?' shows the
available options.
Two types of help are provided:

1. Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know which arguments match
the input (e.g. 'show pr?'.)
2) In any command mode, type in a question mark “?” to view all possible commands and their simple descriptions in this
mode. The following command lists all commands that can be executed in the privileged user mode:
router#?
Command Description
bootparams Print/Modify system boot parameters
bridge Transparent bridge two scc interfaces
Clear reset function
Clock Config the system clock information
Configure Turn on configuration commands mode
console-speed Set console speed
Copy Copy a file to another
Debug Debugging functions, see also undebug
Disable Turn off privileged commands
display Show something for debug purpose
exit Exit from current EXEC mode
filesystem Turn on file system management commands
mode
help Description of the interactive help system
language Set help information language
logout Exit from EXEC shell
memdump Dump memory image
more Format showing output
mrt Mrouted
netstat Show active connections for Internet protocol
socket
no Negate a command or set its defaults
pad Open a X.29 PAD connection
phonerxgain Voip card receive gain adjust
phonetxgain Voip card transmit gain adjust
ping Send echo messages
quickping Send echo messages
reload Halt and perform a cold restart
reset Set something of runing system
rlogin Open a rlogin connection
sendtrap Send a trap to a specified host or all the host in
the trap host list
set Set something of runing system
show Show running system information
spy Control collecting task activity data
sysupdate Update system software

telnet Open a telnet connection
terminal Set terminal line parameters
trace Show a task stack frame
traceroute Trace route to destination
undebug Disable debugging functions, see also debug
wdogDisable Disable the system watchdog
wdogEnable Enable the system watchdog
who Show who is logged on
Whoami Who am i?
write Write current running configuration to a
destination
x3 Set X.3 parameters on PAD
3) Type in a command followed by one question mark (?) separated by a blank, if there is to be a keyword in the place, all
keywords and their simple descriptions will be listed. The following list shows all the key words that can follow the
command show in the privileged user mode:
router#show ?
about Print the copyright information
access-lists List access lists
accounting Accounting data for active sessions
adsl Adsl
arp Print entries in the system ARP table
bridge Bridge Forwarding/Filtering Database [verbose]
card_list Show information of hardware modules
cbwfq Show CBWFQ status
clock Print system clock information
compress PPP protocol
console Print console interface information
controllers Controllers
cpu Show CPU use per process
cq Show CQ status
debugging State of each debugging option
debuglist Debug register list
device Print the system devices information
dhcp Dynamic Host Configuration Protocol status
dialer Dialer parameters and statistics
dip-switch Print system DIP switch
dot1Q Dot1Q
dynamic-command Show module name of dynamic register
enable Print enable information
file Print file system information
filesystem Print file system information of device
flux Show flux information
forward Forward
frame-relay Frame-Relay protocol
gre Gre protocol
hosts Print current host tables information
if-list Print ifnet list
ifx-list Print ifnet_ext list
interface Print detailed information of interface
ip Print Internet protocol status information
keyflow Keyflow informations
language What language you use
ld LLC2 device
llc2 Show LLC2 status
logging Show system logging information
mbuf Print detailed statistics of mbuf
memory Print the system memory usage information
modem Modem
mpdlc Show MPDLC infomation
mpls Mpls
name-server Print DNS Resolver configuration
ndsp NDSP information
netDev Print net device list
netjob Print netJob information
nia NIA information
pool Show all mbuf pool
ppp Point-to-Point protocol
pq Show PQ status
process Active process statistics
queueing Show queueing configuration
rmon Remote monitoring
route-map Show route map information
running-config Print system running configuration information
scriptList Print system script list
semaphore Print the semaphore information
snapshot Snapshot parameters and statistics
snmp-server Show current statics of SNMP Agent
snsp Stub Network Search Protocol(SNSP)
sntp Print sntp client information
spd Show spd status
spy Show spy switch status
stack Print the Process stack utilization information
standby Virtual Backup Router Protocol (VBRP) information
startup-config Print system startup configuration information
strt-list Static route hash table
sysadmin Show tasks cared
sysjob Print sysJob information
systimertask Print all tasks scheduled on the systimer list
tacacs Shows tacacs server statistics
tcp Status of TCP connections
tech-support Show system information for Tech-Support
terminal Show terminal
time-range Show time range
tunnel-chain Tunnel chain
ura User resource authorization information
users Print the system user login information
version Print system hardware and software status
vpdn VPDN information
wfq Show WFQ status
wred Show WRED status
x25 X.25 information
4) Type in a command followed by one question mark “?” separated by a blank, if there is a parameter in this place, the
related descriptions of the relevant parameters will be listed:
router(config)#interface ?
group Interface group
fastethernet Fast Ethernet network interface
loopback loopback interface
dialer Dialer interface
tunnel Tunnel interface
multilink Multilink interface
virtual-template Virtual Template interface
serial serial network interface
5) Type in a character string closely followed by one question mark “?” and all keywords which begin with the same
character string and their descriptions will be listed.
router#d?
display Show something for debug purpose
disable Turn off privileged commands
debug Debugging functions,see also undebug
6) Type in a command followed by a character string closely with one question mark “?” and all keywords which begin with
the character string and their descriptions will be listed.
router#show h?
Command Description
Hosts Print current host tables information
1.4.2 Error Message of Command Line
When users type in any and all commands, the syntax of the commands will be examined. If the syntax is correct, then the
commands will be executed correctly, otherwise error messages will be reported to users. Common error messages are shown
in table 1-3:
Table 1-3 Error prompt messages of Command Line
Error message Reason for Error

% Invalid input detected at '^' marker. Cannot find the command.
Unknown
Cannot find keywords.
Parameter type of is wrong.
The parameter value is beyond the range.
Type “*** ?” for a list of subcommands The input command is not integrate.
Note: The string *** represents the uncompleted command-string the user has inputted.
1.4.3 History Command

The command line interface provides the function similar to DosKey, and the system will automatically save
commands inputted by the user into the history command buffer. Users can transfer history commands saved by the
command line interface at any time and can execute them repeatedly so as to reduce the users’ unnecessary repetition
of inputting commands. The command line interface can store up to 10 commands for each user connecting to a router,
the most recent commands take priority over the oldest command.
Accessing the history commands:
Table 1-4 Accessing the History Commands of the Command Line Interface
Operation The key pressed Function

Accessing the last history Up-cursor key or Ctrl+p If there are some earlier history
command commands, then they are taken out; or
else the system alarms.
Accessing the next history Down-cursor key or Ctrl+n If there are some later history
command commands, then they are taken out; or
else, the system clears the command
line and alarms.
Note:
When the cursor key is used to access the history commands and telnet runs in Windows98/NT system to log in the
router, the option “terminal->premier option->simulation option” should be configured as type VT-100/ANSI.
1.4.4 Editing Features

The command line interface provides basic command editing functions supporting multi-line editing; with a maximum of 256
characters for each command line. Table 1-5 lists the basic editing functions provided by the subsystem shell.
Table 1-5 a table of basic edit functions
Key Pressed Function

If the edit buffer is not full, then the key is inserted at the
Common key
location of the cursor and the cursor shifts right;
Key Pressed Function
otherwise the system alarms with a bell.
Deletes the character before the cursor location. If the
cursor has arrived at the beginning of the command, the
Backspace key system alarms with a bell.
Deletes the character on the cursor location. If the cursor
Delete key has arrived at the end of the command, the system alarms
with a bell.
Left shifts the cursor one character location. If the cursor
Left cursor key 8 A% has arrived at the beginning of the command, the system
alarms with a bell.
Right shifts the cursor one character location. If the
Right cursor key :A) cursor has arrived at the end of the command, the system
alarms with a bell.
Up or down cursor key 9 ; Displays the history commands.
Â Shifts the cursor to the beginning of the command line
Ê Shifts the cursor to the end of the command line
Deletes all the characters on the left of the cursor until
Û
the cursor arrives at the beginning of the command line.
Deletes all the characters on the right of the cursor until
^K
the cursor arrives at the end of the command line.
1.4.5 Display Features

The command line interface provides the following display features:
When the information needed can not be displayed on one screen, the system offers the pause function, and displays a prompt
“(--MORE--)” at the bottom left corner of the screen. Here are some available choices for users:
Type in the Space key or the key ‘9¶RU&WUO-F to continue displaying the next screen of messages.
Enter the ‘;¶NH\RU&WUO-B to display the previous screen of messages.
Type the ENTER or the key ‘+’ or ‘:¶WRVFUROOGRZQRQHOLQHRIWKHGisplayed message on the
screen.
Type in the key ‘-’ or ‘8¶WRVFUROOXSRQHOLQHRIWKHGLVSOD\HGPHVVDJHRQWKHVFUHHQ
Typing in any other keystroke, the system displays the system prompt directly.
The features described above are shown in table 1-6:
Table 1-6 Display features
Key pressed Function

Key‘;¶RU&WUO-B Displays the information of the previous screen.
Space key (Space) or key ‘9¶ RU&WUO-F Goes on displaying the information of the next screen.
Key ‘-‘or ‘8¶ The information displayed on the screen rolls down one
row.
Carriage return key (Enter) or key Goes on displaying the information of the next row.
‘+’or‘:¶
Other keys Exits from the display.
Chapter 2 System Configuration and Management

This chapter describes the basic configuration and management of Maipu routers, including system configuration commands,
user and password management, configuration of environment parameters, file management and examination of system
information etc.
The main contents of this chapter are:

- System configuration
- System management
- System tools
2.1 System Configuration
In a Maipu router, the main tasks of system configuration are:

- Configuring the system name
- Configuring the system clock which includes:
- Configuring the system users
Table 2-1 shows all commands by which the configuration tasks described above will be completed:
Table 2-1 List of System Configuration Commands
Configuration Command Command Running mode Typical example

task function
Configuring a hostname Changing the Configuration router(config)#hostname router

name router name mode
Configuring a Configuring the Privileged user

clock router#clock 2001 11 15 9 25 10
calendar system calendar mode
Configuring Adding system Configuration router(config)#user Maipuxf

user
system users users mode password 0 Maipu 1
2.1. 1 Configuring the System Name
When the router leaves the factory, its default system name is router. Users can change the system name at any time
according to their needs. This change takes effect immediately; the new system name will appear in the next system prompt.
The following example will change the system name from “router” to “router_1”:
The operating steps are as follows:
Command Task
router#configure terminal Executes the command #configure terminal in

the Privileged user mode to enter the global
configuration mode.
router(config)#hostname router_1 Executes the command hostname with the

parameter “router_1” in the global configuration
mode to change the system name.
router_1(config)# The new system command begins to come into

effect in the next display of the system prompt.
2.1.2 Configuring the System Calendar
There is an independent clock system is installed in each Maipu router to record the current system time which includes
information includes year, month, date, hour, minute, second and week. When the system starts, the system time rests at
00:00:00 January 1,1970. Through the execution of the command clock, the calendar system of the router can be set to the
current time as shown in the following example:
router#clock 2001 11 15 9 36 10 The function of the executed command in the privileged user mode is
to set the time of the system calendar as 09:36:10, November 15 , 2001.
router#show clock Displays the current time of the
system.
UTC:THU NOV 15 09:36:15 2001 The current time is 09:36, November 15, 2001,default
timezone is UTC.
Note: The command show clock can be executed either in the common user mode
or in the privileged user mode, and the function is just the same in both the modes.
Note: Because there is no real time system (i.e.the system clock is still running after it is powered off), the system clock
will return to 00:00:00 January 1,1970 each time the router is turned on.
2.1.3 Configuring System Users

To enhance the system security, the router only permits the users that have been configured in the system to access it through
a terminal, TELNET and etc, and denies the other users access.
Adding a system users:

router#configure terminal Enter the global configuration mode
.
router(config)#user Maipu password 0 Maipu Add a user “Maipu” to the system with its
corresponding password “Maipu”
router(config)#user Maipuxf password 0 Maipu The user is “Maipuxf” and its corresponding password is
“Maipu”.
After the commands are executed, the users “Maipu” and “Maipuxf” will be permitted to access the router.
Configuring the superuser
router#configure terminal Enter the global configuration mode
router(config)#user root password 0 root Add a user “root” to the system with its corresponding password
“root”
The system prescribes that the name of the super user is root
examining the information of system users
router#show user
After the above command is executed in the privileged user mode, you can examine the registered users
Deleting the system user:
router#configure terminal
router(config)#no user Maipu Delete the system user “Maipu”
After the command is executed, the router will deny the access of the user “Maipu” to the router.
Note: The passwords and the relevant cipher showed in the Maipu router can be configured in the global
configuration mode. The parameters no service password-encrypt and service password-encrypt decide whether the
encryption is needed. For example, if there is the configuration of service password-encrypt, then the user name and
the corresponding passwords are shown as follows:
user Maipuxf password 7 \XPXXXOYTYO
Any option related to the password should carefully considered during configuration. Option 7 is defined for special
use. Please do not use this option in your configuration!
2.1.4 Enable Password and Timeout value

In the global configuration mode, these can be set through the command enable password and enable timeout.
Command Description
router(config)#enable password password Configure the password of the super user.
router(config)#enable timeout <0_0x7FFFFFFF> Configure the time out value
Note:
The default value of time out is 300 seconds, or 5 minutes. If the value is set as 0, then there will never be a time out.
2.2 System Management
2.2.1 Storage Medium and File Types Supported by Maipu Routers
The Maipu router has three kinds of storage media, and its functions are as follows:
o DRAM: used as operating space for router application programs;
o FLASH: Stores router application programs, configuration files, BootROM programs etc.
o EEPROM: Stores users information and variable system configuration files.
There are four types of the files managed by the Maipu router:
o Router application program files ----used for route forwarding, files management, system management, etc.
o Configuration files ----Store the system parameters configured by users
o BootROM files ---- Store system initialized data
o Other files ---- for example, the dial tone memory file of second dial-up
o
2.2. 2 Management of the Router File System
Each Maipu router constructs a file system based on DOS in the system flash to store the information that rarely needs to be
changed, such as a router application program (protocol software, device program, drivers, etc.) and BootROM program etc.
The file system is called TFFS (True Flash File System). In the file system configuration mode, the system provides a set of
commands to manage the file system, which are showed in the table 2-2:
Table 2-2 the command list of the file system management
Name of the Function of the Running mode of Example

command command the command
Copy Copies a file File system Router(config-fs)#copy flash:file1
configuration mode flash:file2
Delete Deleting a file File system Router(config-fs)#delete file1
configuration mode
Type Displays a file’s File system Router(config-fs)#type startup
contents configuration mode
Dir Displays a File system Router(config-fs)#dir
directory or a file configuration mode
cd Changing the File system Router(config-fs)#cd dir1
current path configuration mode
Pwd Displays current File system Router(config-fs)#pwd
path configuration mode
Mkdir Creates a directory File system Router(config-fs)#mkdir dir1
configuration mode
Rmdir Deletes an existing File system Router(config-fs)#rmdir dir1
directory configuration mode
Volume Displays file device File system Router(config-fs)#volume
information configuration mode
Show Displays file device The privileged user Router#show filesytem
information mode
The file system management of the router is composed of two parts: they are file management and directory management.
Because TFFS is based on DOS file system, long file names are not supported. Each directory name can be a maximum of 8
characters in length. Each file name follows the 8.3-naming standard.
2.2.1 Displaying the file device information

The file system of a Maipu router is based on the physical device flash. Use the following commands to display TFFS
information:
Execute the command volume in the file system configuration mode.
router(config-fs)#volume
device name: /flash The name of the device is /flash.
total number of sectors: 5687 There are 5687 sectors all together in the file system.
bytes per sector: 512 Each sector has 512 bytes;
media byte: 0xf8 Type of medium: 0xf8;
# of sectors per cluster: 4 Each cluster has 4 sectors;
# of reserved sectors: 1 One reserved sector;
# of FAT tables: 2 Two FAT tables;
# of sectors per FAT: 5 Each FAT table occupies 5 sectors.
max # of root dir entries: 240 The root directory can contain at most
240 files or directories;
# of hidden sectors: 1 One hidden sector;
removable medium: false (This device can’t be removable;
disk change w/out warning: not enabled The file system doesn’t warn about modification;
auto-sync mode: not enabled Auto synchronization of the auto file
system isn’t supported;
long file names: not enabled Long file name isn’t supported;
exportable file system: not enabled The file system can’t be replaced;
lowercase-only filenames: not enabled File name does not differentiate the uppercase or the lowercase.
volume mode: O_RDWR (read/write) The file system is read and written;
available space: 2893824 bytes The current useable space of the
system is 2893824 bytes;
max avail. config space: 2893824 bytes The maximum useable space of the system is 2893824 bytes.
Or execute the command show file in the privileged user mode:
The meaning is the same as volume.
2.2.2 File Management
The file management commands in the file system configuration mode, allow users to operate all files in TFFS including:
o List files (directories);
o Copying a file;
o Deleting a file;
o Displaying a file.
The following are some examples of using file management commands:
(1) Listing files (directories)

router#filesystem
router(config-fs)#dir
size date time name

-------- ------ ------ --------
4 JAN-01-1980 00:00:00 RANDOM
1713 JAN-01-1980 00:00:00 STARTUP
512 JAN-01-1980 00:00:00 MaipuXF <DIR>
Aftering executing the command filesystem to enter the file system configuration mode, execute the command dir in
this mode and all files and subdirectories will be listed out in the current directory.
(2) Copying files
router(config-fs)#copy startup-config flash/Maipuxf/newstart

Copies the file startup, renames it as newstart and puts it into the directory Maipuxf.
size date time name

-------- ------ ------ --------
4 JAN-01-1980 00:00:00 RANDOM
1713 JAN-01-1980 00:00:00 STARTUP
512 JAN-01-1980 00:00:00 MaipuXF <DIR>
router(config-fs)#cd Maipuxf
size date time name

-------- ------ ------ --------
512 JAN-01-1980 00:00:00 . <DIR>
512 JAN-01-1980 00:00:00 .. <DIR>
1713 JAN-01-1980 00:00:00 NEWSTART
( 3 ) Deleting files
router(config-fs)#delete startup Deletes the file startup.
The Data of this file will be lost! if OS is deleted, the system will hangup!
Please confirm to continue(Yes/No)y After Y(Yes) is confirmed, the file will be deleted, otherwise
N(No) represents that the operation will be canceled.
size date time name

-------- ------ ------ --------
4 JAN-01-1980 00:00:00 RANDOM
512 JAN-01-1980 00:00:00 MaipuXF <DIR>
(4) Displaying the contents of files

router(confgi-fs)#type startup Displays the content of the file startup.
The content of file startup
interface fastethernet0
exit
interface serial0
physical-layer sync
encapsulation PPP
exit
2.2.3 Directory management
Directory management of each file system includes the following:

o Display the current path of the system;
o Change the current path;
o Create a directory;
The followings are some examples of using directory management commands:
(1) Displaying the current path of the system;

router#filesystem
router(config-fs)#pwd
/flash
router(config-fs)#
The above information indicates that the system is presently located in the directory /flash.
(2 ) Change the current path of the system:

router(config-fs)#cd Maipuxf
router(config-fs)#pwd
/flash/Maipuxf
router(config-fs)#
The above information indicates that the system is currently located in the directory /flash/Maipuxf.
(3) Creating a directory

router(config-fs)#mkdir MProuter1
size date time name
---- ------------ ----------- ---------
512 JAN-01-1980 00:00:00 . <DIR>
512 JAN-01-1980 00:00:00 .. <DIR>
512 JAN-01-1980 00:00:00 MPROUTER1 <DIR>
2.2.4 Deleting a directory
router(config-fs)#rmdir MProuter1
size date time name
---- ----------- ----------- ----------
512 JAN-01-1980 00:00:00 . <DIR>
512 JAN-01-1980 00:00:00 .. <DIR>
2.2.5 Management of Router Configuration Files
1) Contents and Formats of the Configuration Files
The configuration file exists in the file system in the form of text. Its format is as follows:
Existing in the format of configuring commands;
In order to save the memory space of the device flash, only those commands in the configuration modes (including
the global configuration mode, the interface configuration mode, the access list configuration mode and the routing
protocol configuration mode etc.) are saved.
The organization of commands regards the command mode as standard, and all commands in the same mode are
organized together to form a paragraph.
Paragraphs are arranged in a certain order: the global configuration mode, the interface configuration mode and the
routing configuration mode etc..
Sort the commands according to the relation among them, all related commands are grouped together and a blank
line is used to separate groups.
The following is an example of the configuration file of Maipu router: (The details relating to the meaning of this information
will be introduced in following chapters)
router#sh run
Building Configuration...done
Current configuration:
version 4.2.7(YD)-2(integrity)
hostname router
enable password [WOWWWNXSX encrypt
enable timeout 0
no service password-encrypt
no service enhanced-secure
line 0 15 mode terminal
interface loopback0
exit
ip address 192.168.0.83 255.255.255.0
exit
interface ethernet0
exit
interface serial3
Physical-layer sync
encapsulation ppp
ip address 1.1.1.2 255.255.255.0
exit
line 0 15 flowctl soft

terminal 0 15 local 192.168.0.83
terminal 0 15 remote 0 zfy 192.168.0.80 fix-terminal
terminal 0 15 enable
2) Loading of the configuration file
The configuration file of Maipu routers can be edited in a text editor (for example, wordpad) according to the format
prescribed in the above section, and then it can be downloaded to router through FTP or TFTP. This operation can be used
by terminal users or through Telnet.
The following example is given to explain how to download the router configuration file through FTP:
Step 1: Edit the configuration file named config on a computer;

Step 2: Starting the FTP SERVER on the computer;
Step 3: Executing the command ftpcopy in the file configuration mode of the router to download from the computer.
It can be shown as follows:

router(config-fs)#ftpcopy A.B.C.D router router1 j:\ config startup
Computer’s IP address user name password directory file name local file name
The aim of the above command is to download the configuration file config from the root directory of disk J of the computer
whose address is A.B.C.D to a router, and write it into the current directory of the router TFFS with the name startup.
Executing the command dir, you can see that a new file startup has been added into the current directory.
size date time name
---- ----------------- ----------- ---------
512 JAN-01-1980 00:00:00 MPROUTER <DIR>
580 JAN-01-1980 00:00:00 STARTUP
630 JAN-02-1980 00:00:00 CONFIG
Downloading configuration files via TFTP is very similar to downloading via FTP, the only difference between them is that
the computer needs to run TFTP SERVER.
Step 4: Restart the router and execute the configuration file ---- startup, and modify the
system configurations successfully.
3) Saving the Current System Configurations

After validating that the modified system configurations are error free, users can save the current configurations to be treated
as configuration parameters for the next startup.
The following command can be executed to save the current running configuration into the startup configuration file
(STARTUP):
router#copy running-config startup-config
Or use another command:
router#write startup-config
The following command can be executed to save the current running configuration into the remote host through TFTP:
r o u t e r # c o p y r u n n i n g - c o n f i g t f t p A . B . C . D WORD
The address of the remote host
The following command can be executed to save the startup configuration file into the remote host through TFTP:
r o u t e r # c o p y s t a r t u p - c o n f i g t f t p A . B . C . D WORD
The following command can be executed to save the configuration files of the remote host into the startup configuration file
(STARTUP) of the router through TFTP:
router#copy tftp A.B.C.D WORD startup-config
4) Displaying the Current Configuration of the Running Routers

router#show running-config
2.3 Management of system authentication and command hierarchical-authorization command

In order to enhancing capability of MP routers’ security, they provide lots of authentication management systems
(including AAA, detailed in the part of AAA configuration) when users log on or enter privilege mode by operating “enble”
command and only those who have right authority can log on or operate successfully.
Different level of users have different level of authorized executable command set. Command authority therefore is
ranged from level 0 to level 15, in which level 0 represents the lowest authority while level 15 represents the highest.
2.3.1 enable command
Task: All user authority levels (from 0 to 15) can be accessible by operating “enble” command. For example, if you have
some level of authority (that means you have right user name and password), you will successfully pass the “enable”
authentication and get right user authority level.
Router> or router#
Command Task
enable 0~15 | CR “0~15” means user authority level. If nothing is given behind “enable”,
default is level 15.
If present user authority level is higher, it is without any authentication when
entering lower level. Otherwise, possible authentication decided by present
configuration is needed when entering higher one.
Note:
1Õ Given password is set by “enable password level” command, authentication without AAA or with AAA by means of
“enable” authentication in the “enable” method list will be realized by this password.
2Õ If no “enable password level” command is operated, however authentication will be realized by means of “enable”
authentication in the “enable” method list, there are two possible situations as follows:
aÕ If users log on by TELNET, authentication will fail to pass with “% No password set” prompt without AAA
configuration or with “% Error in authentication” prompt with AAA.
bÕIf users log on by CONSOLE, authentication with AAA configuration will first try the password set in “enable
password level” command and then pass with default by means of “none” if finding no “enable password level” command is
operated. While authentication without AAA configuration will fail to pass with “% No password set” prompt.
3) Passing “enable” authentication successful, present user will get right user authentication level which can be showed by
“show privilege” command.
4) If it is configured by “aaa authentication enable default method” command, the following authentication methods can be
used to meet users’ needs.
a) If it is configured by “aaa authentication enable default none” commandØauthentication will be realized without any
password.
b) If it is configured by “aaa authentication enable default line” commandØ authentication will be realized with
password set in “line” command, or it will fail to pass with “% Error in authentication” prompt.
c) If it is configured by “aaa authentication enable default radius” commandØplease note authentication user name (that
is “$enab+level$”, in which level is represented authentication level by the number from 1 to 15 meaning ) needed by the
command is invariable. Given user name denoted in fixed rules by means of radius, only password (no user name anymore) is
necessary in the process of authentication. If a user is already set its password in radius server, authentication will be realized
successfully by the password otherwise unsuccessfully. For example, given “enable 10” command has been done, the fixed
user name is “$enab10$” which has already existed in radius server, and authentication will be passed successfully only by
its password.
d) If it is configured by “aaa authentication enable default tacacs” commandØuser name and password is necessary. If
user name and password are already in tacacs server and “enable” authentication of tacacs has been set beforehand
(note: tacacs server has to set right password of “enable” authentication to users )Øauthentication will be realized
successfully otherwise unsuccessfully.
5) The above methods can be in combinative use detailed in charter 15 (AAA Configuration).
2.3.2 privilege command

Task: Every command has its default level. “privilege” command can modify its default level.
Present user can only modify commands with equal or lower level than itself. For example, user with level 12 can only
modify commands with level from 0 to 12.
Router(config)#
Command Task
privilege MODE level 0*15 all | command LINE
Note:
1) In which MODE represents working mode of commands to be set and can be all system’s modes.
2) In which parameter 0*15 represents a level set to commands.
3) If key word “all” is used in the command, all commands in present mode will be set to a given level.
4) If key word “command” is used in the command, “command” can be input by the first several key parts so that all sub-
commands with the same key parts will be set to the same level. For example: If running “privilege CONF level 2 command
interface” commandØall sub-commands starting with interface will be set to level 2 ,in present IOS version including sub-
commands group and interface. If running “privilege CONF level 2 command interface group” commandØonly sub-
commands starting with interface group will be set to level 2 while sub-command interface interface won’t be set
5) If there is no command in the given MODE matching input character string, configuration is not set successfully with
“%Invalid command string "xxx" ” prompts.
6) Input command character string follows the rule of “match most”, which means string that you input can be only found
among all commands. While in the footprint, the string will be completed to match the whole command.
7) “no” command will set authority levels of right command set back to their default levels, in whichæ
a)” no privilege MODE CR” command will set all commands in MODE back to their default levels.
b)” no privilege MODE level level CR” command will set the command configured to level in MODE back to its default
level.
a) rules
After configuring the command, command level will take effect at once, which can be testified in the following 2
aspects.
i. Whether present user has the given authority level or not is decided by this configuration when user runs
commands.
ii. Whether present user has authority level of a footprint configuration command or not is decided by this
configuration when running “show run” or “show startup” command.
2.3.3 Enable Password Command

Task: Set local enabled passward for entering router with any user level
router(config)#
Command Task
enable password level 1*15 0|7 string default level is 15 if it doesn’t be designated
enable password [0 | 7 ] string 0 means password is decryption; 7 means password is
encryption. Default is 0
Note:
1) The keyword “7” normally won’t be used for password. If it’s needed, the encryption is created by certain maipu router.
2) Use the corresponding NO command to cancel enabled password of some level.
3) When show run, the displayed password is cryptograph, i.e. the keyword is “7”.
4) Now there’re two kinds of encryption methods,they’re new/old encrypted methods, using ‘service new-encrypt’ and the
corresponding NO command to shift new and old methods.
2.3.4 User Command

Task: Set the local user database for local authentication.
router(config)#
Command Task
user string password 0 LINE Set user password
user string privilege 0-15 Set privilege level of user
user string autocommand <LINE> Set authorized auto-executed command of user
user string autocommand-option Set options of auto-executed command. The command
nohangup|delay <0_120> “nohangup” indicates that the connection won’t be
disconnected after auto-executed command finished. The
command “delay” indicates the time that is used to execute
the
auto-executed command.
user string callback-dialstring string Set the callback number of user
Note:
1) Use the corresponding NO commands of above to cancel configuration.
2) If authentication and authorization locally, please use the local user databases which is configured with above commands.
2.3.5 Line Command

Task: Set attributes of line user, includes password, user level, idle timeout, authentication mode, and so on.
Command Task&Description
router(config)# line con 0 Enter line config mode
router(config)#line vty 0~15 0~15
router(config-line)#absolute-timeout Set the total time that permit user to telnet and operate. Note:
<0_10000> the default ‘0’ means no limited time. Before the expired
time 5 seconds , router will give a prompt about the
timeout.” * Line timeout expired”
router(config-line)#privilege level Set privilege level for telnet user, default level is 1
<0_15>
router(config-line)#access-list Access-list name(only support standard access-list)
<1_1000>
access list
router(config-line)#autocommand Set auto-command after user succeeds to telnet under
<LINE> privilege mode; default is no auto-executed command.
router(config-line)#autocommand-option Set options of auto-command. “Nohangup” indicates that the
nohangup | delay <0_120> connection won’t be disconnected after auto-command
finished(default: connection will disconnect after finished).
“Delay” indicates the time that is used to execute the auto-
command(default is 0, i.e. no delay).
After deploying “autocommand”, “delay” can be in effect.
router(config-line)#exec-timeout Set idle timeout. if the time is 0, the user won’t exit for ever
<0_35791> <0_2147483> when it’s idle. Default idle timeoutis 5 minutes.
router(config-line)#password 0|7 LINE Configure line password
router(config-line)#login CR | local | Configure the authentication method for telnet.
authentication “CR” means using line password to authenticate;
“local” indicates using local user database to authenticate;
“authentication” indicates using AAA method to
authenticate.
Default is no login, i.e. user can telnet without
authentication, only when there’s no any AAA configuration.
router(config-line)#timeout login Set the timeout of waiting user to enter username and
respond <0_300> password. Default is 30seconds
Note:
1) Use the corresponding NO commands of above to resume the default configuration.
2) User use ‘line’ authorized attribute to telnet in default. But if the authorized method is set as ‘local’, then ‘local’ authorized
attribute has precedence over ‘line’ one. Only when user has no other attribute, ‘line’ attribute can be in effect. Also, other
attributes is the same, such as tacacs, radius.
Relevant example:
Configuration:
aaa new-model
aaa authentication login default line
aaa authorization exec default if-authenticated
line vty 0 2
exec-timeout 5 0
absolute-timeout 2
timeout login respond 60
privilege level 14
autocommand show mem
autocommand-option delay 5 nohangup
password 0 vty
after telnet, user should be authorized these ‘line’ attributes:

debug information as followed (open ‘debug author exec’ command to seeÕ
AUTHOR/EXEC/LINE (6): processing AV priv-lvl=14
AUTHOR/EXEC/LINE (6): processing AV autocmd=show mem
AUTHOR/EXEC/LINE (6): processing AV nohangup=TRUE
AUTHOR/EXEC/LINE (6): processing AV timeout=120
2.3.6 show privilege command

Task: Display the level of current user.
router> or router#
Command Task
show privilege Default level is 1. So in default, user with 0 level can not
execute this command
user string privilege 0-15 Set privilege level of user
user string autocommand <LINE> Set authorized auto-executed command of user
user string autocommand-option Set options of auto-executed command. The command
nohangup|delay <0_120> “nohangup” indicates that the connection won’t be
disconnected after auto-executed command finished. The
command “delay” indicates the time that is used to execute
the auto-executed command.
user string callback-dialstring string Set the callback number of user
Relevant example:
router#show privilege
current privilege level is 15
2. 4 System tools
2.4.1 The command show

The information displayed by the system command show can be categorized in the following ways:
o System software and hardware resources information
o System statistic information
o System configuration information
o Basic system information
Table 2-4 Keywords of the System Command show
Command Description
Stack Displays the usage information of each task stack of
the system.
Memory Displays the system memory information.
Mbuf Displays the system buffer information.
Process Displays the system task/process information.
Device Displays the system physical and logical device
information.
Interface Displays the system network interface information
Host Displays the system interior host table information.
Arp Displays the system ARP table information.
Ip Displays the statistic information of IP layer
(including TCP and UDP).
Bootparams Displays the system startup parameters.
Startup-config Displays the contents of the system startup
configuration file.
About Displays the system copyright information.
Version Displays the system hardware/software version
information.
(1) Displaying the system stack

router#show stack
NAME ENTRY TID SIZE CUR HIGH MARGIN
------------ ------------ -------- ----- ----- ------ ---------
tExcTask 0x000004b4fc fe1488 7984 224 464 7520
tLogTask 0x0000051850 fdeb00 4984 216 1072 3912
tMPLog 0x00000f7f34 8a90e8 5112 208 1024 4088
tSccTx0 0x0000240358 8de848 3992 160 224 3768
tSccTx1 0x0000240358 8d3848 3992 160 420 3572
tSccTx2 0x0000240358 8ca848 3992 160 420 3572
tSccTx3 0x0000240358 8c1848 3992 160 420 3572
tEsccRx0 0x000013c0d8 d2ec30 3984 168 1124 2860
tPPP 0x00001d1ae8 d25d28 9320 184 1056 8264
tNetTask 0x00000d0ca0 a1c0a8 9984 192 1120 8864
tFecRxTx 0x000013c710 a0dd88 10224 152 644 9580
tEthTx 0x0000129754 8ec158 12280 168 232 12048
tEthRx 0x000012997c 8e8f40 12280 160 308 11972
tSccRx0 0x00002402dc 8dfde8 4992 152 216 4776
tSccRx1 0x00002402dc 8d4de8 4992 152 748 4244
tSccRx2 0x00002402dc 8cbde8 4992 152 524 4468
tSccRx3 0x00002402dc 8c2de8 4992 152 748 4244
tRtMsg 0x00001e7714 a19780 5368 1368 2216 3152
tModDet0 0x0000237c10 8dd690 3984 176 304 3680
tModDet1 0x0000237c10 8d2690 3984 176 304 3680
tModDet2 0x0000237c10 8c9690 3984 176 308 3676
tModDet3 0x0000237c10 8c0690 3984 176 436 3548
tSdlcTask 0x00002057a4 84d328 9456 168 1244 8212
tLapbTimer 0x00002fc640 864de8 3984 128 384 3600
tShell1 0x0000025810 82cae8 19800 10040 13128 6672
tActive 0x00001e99d0 89fe40 3992 256 512 3480
tRadius 0x000010e33c 8a64b0 4088 168 232 3856
tTacacs+ 0x0000116dd4 8a51e0 2032 160 224 1808
tPkTimer 0x000022a4dc 85fde8 3984 120 408 3576
tBridge 0x000011c1c0 894858 20472 144 404 20068
tLLC2 0x000017f550 88f640 20472 192 428 20044
tDLSwPeer 0x0000200918 89d108 16368 144 1044 15324
tDLSwCore 0x0000200bd8 898ef0 16368 464 1720 14648
tEsccDet0 0x000013c1e4 d2fde8 3984 256 880 3104
tInfoGuide 0x00003a4bd8 83bde8 40272 568 2056 38216
tFecDetect 0x000013c4fc9 370e8 4984 152 944 4040
tEnetDet 0x000012a93c 8e5d28 7152 136 264 6888
tTffsPTask 0x0000259b3c fdaeb8 2032 136 396 1636
tQLLC 0x00002076d4 85ec30 8184 136 1212 6972
tTelnetd 0x0000101134 8a1058 4080 392 616 3464
tExcTrace 0x0000011258 89ec88 3056 296 528 2528
INTERRUPT 5000 0 1052 3 948
(2) Displaying information about system memory

router#show memory
SUMMARY:
status bytes blocks avg block max block
------ --------- -------- ---------- ----------
current
free 35241056 16 2202566 26850984
alloc 21077416 20082 1049 -
cumulative
alloc 21571048 25563 842 -
code
code 10785360 - - -
STATISTICS:
Available bytes 35241056
Used bytes 21077416
Total bytes 56318472
Used bytes percent 37%
(3) Displaying the usage information of the system buffer

router#show mbuf
Statistics for the network stack mbuf
type number
--------- --------
FREE : 7998
DATA : 0
HEADER : 2
SOCKET : 0
PCB : 0
RTABLE : 0
HTABLE : 0
ATABLE : 0
SONAME : 0
ZOMBIE : 0
SOOPTS : 0
FTABLE : 0
RIGHTS : 0
IFADDR : 0
CONTROL : 0
OOBDATA : 0
IPMOPTS : 0
IPMADDR : 0
IFMADDR : 0
MRTABLE : 0
TOTAL : 8000
number of mbufs: 8000
number of times failed to find space: 0
number of times waited for space: 0
number of times drained protocols for space: 0
CLUSTER POOL TABLE
size clusters free usage
----------------------------------------------------
64 800 798 10114
128 200 200 1060
256 200 200 46
512 100 100 0
1024 80 80 0
2048 50 50 0
----------------------------------------------------
(4) Displaying system devices information

router#show device
drv name
0 /null
1 /tyCo/0
1 /tyCo/1
4 serial3
2 /pipe/temp
3 /logging
3 /more
3 /config
5 WEBDEV
3 /flash
7 /pty/00.S
8 /pty/00.M
7 /pty/01.S
8 /pty/01.M
(5) Displaying the status information of about all of the system interfaces
router#show interface
loopback (unit number 0):
Flags: (0x8069) UP LOOPBACK MULTICAST ARP RUNNING
Type: SOFTWARE_LOOPBACK
Internet address: 127.0.0.1
Netmask 0xff000000 Subnetmask 0xff000000
Metric: 0, MTU: 32768, BW: 8000000Kbps
0 packets received; 0 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
fastethernet (unit number 0):
Flags: (0x8063) UP BROADCAST MULTICAST ARP RUNNING
Type: ETHERNET_CSMACD
Subnetmask 0xffffff00
Broadcast address: 192.168.0.255
Ethernet address is 00:01:7a:00:39:be
Rate: 100Mbit/s Duplex: full duplex
Babbling recvive 0, babbling transmit 0, heartbeat fail 0
Tx late collision 0, Tx retransmit limit 0, Tx underrun 0
Tx carrier sense 0, Rx length violation 0
Rx not aligned 0, Rx CRC error 0, Rx overrun 894
Rx trunc frame 0, Rx too small 0, Rx alloc mbuf fail 212682
ethernet (unit number 0):
Flags: (0x8062) DOWN BROADCAST MULTICAST ARP RUNNING
Ethernet address is 00:01:7a:08:39:be
serial (unit number 3):
Flags: (0x8070) DOWN POINT-TO-POINT MULTICAST ARP RUNNING
Type: PPP
Subnetmask 0xffffff00
Destination Internet address: 0.0.0.0
(6) Displaying the system version information

router#show version
MP3600 Router Version Information

System ID : 3601000000f3
Monitor Version : 2.40/1
Software Version : 4.2.7(YD)-2(integrity)
System image file: rpm-g-4.2.7(YD)-2.bin
Compiled : May 29 2004, 17:27:05 by CVS
Board Name : MP3600 (MPC8240 with 64 MBytes sdram, 8 MBytes flash)
Board Version : 04 (0x4)
MP3600 system uptime is 1 hour 23 minute 12 second
(7) Displaying the system copyright information

router#show about
The MP2600 series modular architecture offers users a branch office and center office
that provides the versatility needed to adapt to changes in network technology, as new
services and applications become available. With full support of the InfoExpressIOS
software, MP2600 modular architecture will provides the power to support the following
applications:
General Internet/intranet access
LAN-to-LAN Internetwork
Secure Internet/intranet access
Multiservice voice/data integration
Analog and digital dial access services
Virtual Private Network (VPN) access
LAN Internetwork
Interconnecting with IBM SNA Network
MP2600 modular architecture includes the following optional modules:
1 Port V.24 Serial Sync/Async Module

1 Port V.35 Serial Sync/Async Module
33.6K/56K Async/Sync Analog MODEM Module
128K CSU/DSU S/T Module
128K CSU/DSU U Module
16 Async Port & 2 Sync Port Serial Module
IP Telephone POTS Module
IP Telephone PBX Module
ISDN BRI Module
ISDN PRI Module
Copyright 1998-2000 by Maipu Networks

2.4.2 Protocol Debugging
Presently, the system provides debugging switches of many protocols including IP, PPP, HDLC, OSPF, FR, and X25 etc.
The following example provides a simple introduction as to how to turn on/off a debugging switch:
Turning on a protocol-debugging switch

Turning on the debugging switch of IP protocol access-list datagram
router#debug ip packet access-list
Turning on the debugging switch of RIP protocol

router#debug ip rip events
Turning on the PPP protocol debugging switch (on the interface s0)
router#debug ppp negotiation s0
Turning on the HDLC protocol debugging switch

router#debug hdlc s0
FR has many protocol debugging switches, including

Debug frame-relay lmi [interface/cr]
Debug frame-relay log [interface/cr]
Debug frame-relay packet [interface/cr] etc.
The protocol-debugging switches will be explained in detail in the relevant chapters.
Turning off a protocol-debugging switch
In order to turn off a protocol-debugging switch, users need only to add a command word no before the
corresponding command that turns on the switch.
2.4.3 Network Troubleshooting tools
This will be explained in detail in chapter 17 “Network Debugging and Fault Diagnosis”.
2.4.4 SysLog (system logging) function
1)SysLog can record every level system information and save those in flash file. In general, sysLog only record information
which level is emergencies(level 0), alerts( level 1), critical(level 2), errors(level 3) or warnings(level 4), of course, you can
change this by sysLog configuration command.
The corresponding command is:
router(config)#logging trap level <CR>
<0_7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions[default] (severity=4)
Table 2-5 sysLog severity level
severity level key-word description
0 emergencies System is unusable
1 alerts Immediate action needed
2 critical Critical conditions
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant conditions
6 informational Informational messages
7 debugging Debugging messages
After configure some severity level for sysLog, all levels more severer than this level will be recorded in flash logging file.
For example, if you configure “ logging trap notifications”, then those logging information from level 0 to level 5 could be
record.
2) show the logging

In the privileged user mode, executing command “show logging” can show all recorded logging information. For example:
router#show logging
The Context of syslog file:
%SYS-5-CONFIG-I:Configured from console by console
3) clear the logging

In the privileged user mode, command “clear logging” can clear the contents of logging file.
4) configure sysLog informaiton option
You can add timestamps and task name for sysLog informaiton. In global configuration mode, its command are:
router(config)#service taskname log

router(config)#service timestamps log datetime
& Note:
The timestamps get from the time system of current router.
3.4 System Logging

1) The system logging can record each level of prompts information. By default, the logging records nothing but the
information about the system unusable. To make the logging record other information, the following operations are necessary.
Enable the logging in the global configuration:
router(config)#logging trap level <CR>
<0_7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4
The information levels are defined as follows:
Level Keyword Description
0 emergencies The system is unusable.
1 alerts Some actions must be taken at
once.
2 critical The critical status.
3 errors The error status.
4 warnings The warning status
5 notifications The normal but noticeable
status.
6 informational The informational message.
7 debugging The debugging information
After a level is defined, the level or lower level of information will be recorded into the logging file. For example, if level 5 is
defined, then level 0~5 of information will be recorded.
2) Examine the logging:
router#show logging
3) clear the logging
router#clear logging
4)ÔOptionalÕEnable the message timestamp in the global configuration mode. router(config)#service
timestamps log datetime
& Notice:
The command above is used to add the timestamp to any logging information according to the date and time set by the
router.
2.4.5 Spy cpu to check cpu utilization rate

(1)Maipu routers provide tools to check cpu utilization rate, when trun on the switch of spying cpu, every running tasks’s cpu
utilization can be checked.
(2)There are two set of commands which are provided to trun on/off the switch of spying cpu. One is spy cpu/no spy cpu in
the privileged user mode; the other is check cpu enable/check cpu disable in the global configuration mode which can be
saved in configuration file.
The following table is the comment of check cpu command in the global configuration mode:
Table 2-6 a table of check cpu command

Command Description
router(config)#check cpu enable turn on the switch of spying cpu , system begins to collect
the data of cpu utilization for every running task
router(config)#check cpu disable turn off the switch of spying cpu, system stop collecting
the data
of cpu utilization for every running task
router(config)#check cpu time- set time-interval value of updating cpu current
interval <1_3600> utilization, default is 2 seconds
router(config)#check cpu view set stype of showing cpu, parameter simple indicates that
[simple|_CR_] only display running task’s cpu utilization.
router(config)#check cpu check some parameters and status, such as switch status
parameter of spying cpu.
(3)In the privileged user mode, command show cpu display current cpu utilization rate for every task, the following is a
example of show cpu:
router#show cpu
NAME TID PRI total% ( ticks) delta% ( ticks) current%
-------- ----- --- --------------- --------------- ------
tCheckCpu 37640824 30 0%( 80) 0%( 2) 0%
tShell1 37840344 20 35%( 5868) 0%( 0) 0%
tFwdTask 41410224 45 15%( 2478) 0%( 0) 0%
tNetTask 41420760 50 5%( 918) 0%( 0) 0%
KERNEL 0 0 4%( 780) 0%( 0) 0%
INTERRUPT 0 0 0%( 12) 0%( 0) 0%
IDLE 0 0 38%( 6260) 99%( 398) 99%
Average cpu utilization rate is 59% in timeslice 00:01:22 (16396 ticks)

Current cpu utilization rate is 0% in timeslice 00:00:02 (400 ticks)
& ö
noteö
Because task tCheckCpu will go on to collect cpu utilization data at interval of some time(default is 2 seconds),
some cpu resource will be used. Suggest not trun on the switch of spying cpu if checking cpu utilization is not needed.
2.4.6 Examining the Utilization of CPU
1) Provide the tools to examine the utilization of CPU. After enabling the switch monitoring CPU, the CPU utilization of
each task in a period can be examined.
2) Provide 2 groups of commands to enable/disable the switch monitoring the CPU utilization: spy cpu/no spy cpu in the
privileged user mode and check cpu enable/chech cpu disable in the global configuration mode. The command check cpu
enable can be saved in the configuration file.
The related commands in the global configuration mode are described as follows:
Command Description
router(config)#check cpu enable Enable the switch monitoring the CPU and start to collect the
data of the CPU utilization.
router(config)#check cpu disable Disable the switch monitoring the CPU and stop collecting the
data of the CPU utilization. The default status is disable.
router(config)#check cpu time- Set the interval of refreshing the CPU utilization. The defaut
interval <1_3600> interval is 2 seconds.
router(config)#check cpu view Whether to display in the simple mode. Namely that only the
[simple|_CR_] CPU task is disaplayed. The simple mode is disabled by default.
router(config)#check cpu parameter Examine some current parameters and status of check cpu, for
example, whether to enable the monitoring switch.
In the privileged user mode, use the command show cpu to display the CPU utilization.
For example:
router#show cpu
NAME TID PRI total% ( ticks) delta% ( ticks) current%
-------- ----- --- --------------- --------------- ------
tCheckCpu 37640824 30 0%( 80) 0%( 2) 0%
tShell1 37840344 20 35%( 5868) 0%( 0) 0%
tFwdTask 41410224 45 15%( 2478) 0%( 0) 0%
tNetTask 41420760 50 5%( 918) 0%( 0) 0%
KERNEL 0 0 4%( 780) 0%( 0) 0%
INTERRUPT 0 0 0%( 12) 0%( 0) 0%
IDLE 0 0 38%( 6260) 99%( 398) 99%
Average cpu utilization rate is 59% in timeslice 00:01:22 (16396 ticks)

Current cpu utilization rate is 0% in timeslice 00:00:02 (400 ticks)
& Note:
When the switch monitoring the CPU is enabled, the task tCheckCpu can not stop collecting the CPU data, which will
occupy some CPU source. So, if it is unnecessary to diagnose the CUP utilization of each task, you had better not enable the
switch.
2.5 System software update
This will be explained in detail in chapter 18 “Software Update”.
Chapter 3 Network Protocol
Maipu's MP Series routers supports Internet network protocols. The Internet Protocol is the protocol based on packets and is
used to exchange data through a computer network. IP is the foundation of all other protocols in the Internet protocol stack.
IP deals with addressing, fragmenting, reassembling and disassembling of the protocol information; datagrams. As the
network layer protocol, IP processes address routing and controls the transmission of data packets. As network layer
protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are established on the IP layer. TCP is a
connection-based protocol, which provides the reliable data transmission service while UDP is connectionless protocol,
which provides unreliable data transmission service. MP series routers support all the demands prescribed in the RFC of
Internet Protocol (IP), which includes the services such as IP, ICMP, IGMP, TCP, and UDP etc.
The chapter includes the following contents:
• IP address configuration
• IP protocol configuration
• ICMP protocol configuration
• IGMP protocol configuration
• TCP protocol configuration
• UDP protocol configuration
3.1 IP Address Configuration
3.1.1 Introduction to IP Addressing

An IP address is a 32-bit number assigned to every device which runs the IP protocol and connects to the Internet. IP
addresses are used to designate a network connection IP addresses are divided into five classes for convenience, and each
IP addresses is divided into two parts:
• Network number: Designates the network to which each device belongs.

• Host number: Designates the host number of each device on its network
Table 3-1 lists the classes and ranges of IP Addresses
Table 3-1 Classes and Ranges of IP Addresses
Address type Valid Ranges of Explanation

IP address
0.0.0.0-127.255.255.255 The network number 127 is used for
A loopback interface.
A host number, whose bits are all 1,

B 128.0.0.0-191,255,255,255 is used for a broadcast over its
network.
A host number, whose bits are all 1,

C 192.0.0.0-223.255.255.255 is used for a broadcast over its
network.
Class D addresses are used for

D 224.0.0.0-239.255.255.255 Multicast
Class E addresses are reserved for

E 240.0.0.0-247.255.355.255 later use.
Usually, IP addresses of different classes are intended for use in different network systems. For large-scale network systems,
Class A addresses are used, while Class B and Class C IP addresses would most likely be used for medium and small scale
network systems. Class D and E addresses are reserved for special use.
With the development of the Internet, the IP addresses become limited and class address distribution can lead to the wasting
of IP addresses. To solve this problem the concept of "subnet" has emerged. A "subnet" uses several bits of a host bits of a
net address as the subnet, so the same network address can span mutliple physical networks.
Maipu’s MP Series routers support the following IP address features:
• Supports the feature of network address with classes

• Supports subnetting properties of network addresses
• Supports CIDR properties of classless routing
• Allocates several IP addresses to a network interface in a broadcast network (for example, Ethernet)
• Permits the use of unnumbered IP addresses on a serial-port interface to save addresses.
• Supports EASY IP and NAT
3.1.2 Allocating an IP address to an Interface
An interface often has a primary IP address. The following tasks should be done in the interface configuration mode to
allocate a primary IP address and network mask to a network interface.
Command Task
Ip adderss <ip-address> <mask> Set master IP address for the interface
A subnet mask is used to identify the network number of an IP address. When a mask is used to determine a subnet in a
network, the mask is regarded as a subnet mask.
Note: Maipu MP series routers only support network masks which are composed of several continuous “1” bits with left
alignment.
In addition, Maipu MP series routers supports the assigning of many IP addresses to a broadcasting/multicasting network
interface. So you can assign some unlimited secondary addresses, which can be used in various occasions. The most
popular applications are shown in the following descriptions:
• There may not be enough host addresses for a given network section. For instance, your subnet allows up to 254
host addresses for a logical subnet, however, your physical subnet has 300 actual host addresses. Two logical
subnets on the physical subnet can exist after introducing secondary IP addresses to a router or an access server.
• In the past, many networks used Layer-2 bridges, instead of subnets. The use of the secondary addresses can help
covert the network into a subnet, which is a network based on routers. A bridge router in an old network can easily
establish several subnets in this network segment.
• Two subnets in a single network can be separated by another network under other conditions. You can establish a
network from subnets, so that these subnets can be separated physically by another network by use of secondary
addresses. Note that a subnet can not appear at several active interfaces at the same time.
Note: If any router in the network segment uses a secondary address, all the other routers in the same segment must use the
secondary addresses in the same network or subnet.
Table 3-2 Management of Interface IP addresses
Command Description
ip address 128.255.255.1 255.255.0.0 [secondary] Allocate a primary (secondary) IP address to an interface.
no ip address 128.255.255.1 255.255.0.0 [secondary] Disable an existing primary (secondary) IP address.
The following example shows how to assign a primary IP address and two secondary IP addresses to the interface
Fastethernet0:
router(config)#interface Fastethernet0
router(config-if-fastethernet0)#ip address 128.255.255.1 255.255.0.0
router(config-if-fastethernet0)#ip address 128.254.255.1 255.255.0.0 secondary
router(config-if-fastethernet0)#ip address 128.253.255.1 255.255.0.0 secondary
router(config-if)#exit
router(config)#
& Note:
Those secondary IP addresses configured for the same interface have priority according to their configuration time. At
the same time, these IP addresses are not required in the same net section thereby allowing routers to forward datagrams
quickly.
3.1.3 Enabling IP Unnumbered on a Serial Port
The IP unnumbered process is a method to saving IP addresses on the Internet network. You can enable IP unnumbered on a
serial-interface, instead of assigning a visible IP address to the interface. Whenever an unnumbered interface produces a
packet (for example, when updating a routing list), it will use the interface address designated by you as the source address of
IP packet. It will also that designated interface address to determine which route process is sending the updated content to
this unnumbered interface. There are some limitations. They are:
• A serial-port presently only supports Point-to-Point Protocol (PPP). The High-Level Data Link Control (HDLC),
Link Access Process Balance (LAPB), Serial Line Internet Protocol (SLIP) and Channel interface will be supported
in the future.
• The command ping EXEC cannot be used to test and connect the interface since it has no IP address. But the Simple
Network Management Protocol (SNMP) can be used to remotely monitor the status of the interface.
• Do not boot network image through unnumbered serial ports.
• Do not support IP security options on a unnumbered interface.
For details, please refer to RFC 1195; It is not necessary to assign an IP address to
each port.
& Note:
Be sure to use an unnumbered serial line among different main networks. At each end, if there are different main
networks are assigned to your unnumbered any routing protocol running through serial lines will be configured not to
announce subnet information.
To enable an IP process on an unnumbered serial port, the following task should be finished in the interface configuration
mode:
Table 3-3
Command Description
Enable IP unnumbered on a serial interface, and don't

Ip unnumbered <reference interface> distribute an obvious IP address to the interface.
The specified interface, not another unnumbered one, must be another interface in the router with at least one IP address. The
designated interface must also be valid.
3.1.4 Setting the IP Address Negotiation property on an Interface
With regard to the point-to-point protocols on the data link layer supporting IP address negotiation, you can enable IP address
negotiation on an interface with no IP address. Typically, PPP running over serial lines is used to access Internet via an ISP.
IP address negotiation of the serial port is enabled by the commands (listed in the table 3-4), which allows the local interfaces
to receive the IP address assigned by the interface of the opposite terminals.
Table 3-4
Command Description
Ip address negotiated Enable IP address negotiation of an interface.
No ip address negotiated Disable IP address negotiation of an interface
3.1.5 Displaying IP Address Configurations
Use the command show interface to display IP address configurations after you have completed the interface IP address
configurations.
3. 2 Address Resolution
Maipu MP series routers permit you to designate IP addresses through address resolution and naming service.
3.2.1 Establishing an Address Resolution Protocol (ARP)
A device may have a data link (MAC) address (which uniquely identifies an interface on a LAN), and it can also has a
network address (which identifies the network and the host number in which the device is located). In order to communicate
with a device on an Ethernet network, for example, a Maipu MP series router must first decide the 48 bits MAC address of
that device. The process used to determine the MAC address from an IP address is called address resolution. The process
used to determine an IP address from a MAC address is called reverse address resolution (RAR).
Maipu routers support the Address Resolution Protocol (ARP). ARP is used to associate an IP address with a MAC address.
Taking an IP address as input, ARP can determine its MAC address. Once a MAC address is determined, the IP
address/MAC address association is kept in the ARP cache for high-speed searches. Then IP datagrams are encapsulated into
frames to be sent out onto the network.
3.2.2 Defining a Static ARP Cache
ARP provides a dynamic mapping from an IP address to a MAC address. Because most hosts support dynamic address
resolution, it is not usually necessary to add a static entry into the Address Resolution Protocol (ARP) cache. You can
define one globally ---- write a permanent entry into the ARP cache, if the entry is defined for necessity. MP router
software will translate the 32-bit IP address into a 48-bit MAC address by that entry.
Execute the following commands in the Global configuration mode:
arp <ip-address> <ethernet-address> Used to define a static ARP cache
no arp <ip-address> <ethernet-address> Used to delete a static ARP cache
3..3 Displaying the ARP cache
In order to display the cache being used by the system, users can examine the contents of the ARP cache by typing the
command show arp EXEC. In order to remove all dynamic entries from the ARP cache, users can type the privileged EXEC
command clear arp.
3.3.1 Domain Name System (DNS)

Each IP address has its related host name. Maipu Router software holds a cache that maps a host name to an IP address,
which is supported by telnet, ping and the relevant remote login. The cache accelerates the procedure translating the host
name into an address.
IP provides a naming method to enable a device to be identified by its location in IP. This is a hierarchical naming method
provided for domains. To trace a domain name, IP defines the conception of name server, which is used to keep a cache (or
database) that holds the mapping information from a domain name to an IP addresses. To map a domain name into an IP
address, you must first identify a host name, and then specify a domain name server to enable the Domain Naming System,
which is a global naming method to uniquely identify a network device on an internetwork.
3.3.2 Mapping IP addresses to Host Name
Maipu routers holds a table that saves host names and their corresponding IP addresses. The table is also called the host
name-to-address mapping table. High-level protocols, such as the remote logon, use host names to identify network devices
(hosts). IP addresses or routers and other network devices should be associated mutually by static or dynamic tools.
When the dynamic mapping cannot be used, addresses can be distributed to host names manually.
To specify a domain name or a host name to an address, users can execute the following commands in the global
configuration mode:
host <host_name> <Ip_Address> Defining a mapping of host names and IP addresses
no host <host_name> <Ip_Address> Deleting a mapping of host names and IP addresses
3.3.3 Designating a Domain Name
You can designate a default domain name for a router. The domain name will be used by the system to finish the domain
name request. You can designate either a single domain name or a series of domain names. Any IP host name without a
domain name will have a specified domain name before it is added to the host table.
Execute any following task in global configuration mode in order to designate a domain name:
ip domain-name <name> Defines a default domain name.

no ip domain-name <name> Deletes a default domain name.
3.3.4 Designating a Domain Name Server
Execute the following commands in the global configuration mode to specify one or hosts (up to 6) as domain name servers
to provide name information service for DNS:
ip name-server server-address Defines a domain name server
no ip name-server server-address Deletes a domain name server.
3.3.5 Designating a Domain Name Service Order
When resolving a name by use of the name service, the system will first use the default local name Cache, and then it uses
DNS service to complete name resolution. Users can also designate that the system only use the DNS service (so you need
not map an IP address into a host name manually) or first use the DNS service, and then use the local name CACHE to
achieve name resolution.
Executing the following command in the global configuration mode:
ip name-order {dns-first|dns-only|local-first}
3.3.5.1 Debug commands
command Task
Display the debugging information in duration of get ip address
Debug name-server
from dns server
3.4 IP Protocol
3.4.1 Enabling/Disabling IP Route Forwarding
Each Maipu router enables IP route forwarding by default. But it can be disabled under certain conditions, which can be
realized under the following operations:
In the global configuration mode, users can disable IP routing forwarding by typing the command no ip routing.
In the global configuration mode, users can enable IP routing forwarding by typing the command ip routing.
3.4.2 Permitting/Prohibiting IP to Accept Redirection Messages
Each Maipu router enables the acceptance of IP redirection by default. But in under certain conditions, IP redirection can be
disabled. This can be accomplished by the following commands (in the global configuration mode):
ip redirect Enables IP to accept IP redirection

no ip redirect Disables IP to accept IP redirection
The default setting is to permit IP redirection.
Executing the following commands in the interface configuration mode:
ip redirects Enables the sending of ICMP Redirect messages

no ip redirects Disables the sending ICMP Redirect messages
The default setting is to permit the redirecting of an ICMP Message.
3.4.3 Permitting/Prohibiting IP Receiving Redirection Message
The redirection packet of icmp can result in the update of the routing table. The default setting of a Maipu Router is not to
update route after the router receives the redirection icmp packet. But users can select the route update.
Executing the following commands in global configuration mode:

icmp redirect-route Enables the addition of an icmp redirect route
no icmp redirect-route Disables the addition of an icmp redirect route
The default setting is to prohibit the routing update.
3.4.4 IP Fast Transmission
The IP fast transmission is realized through route cache mechanism. The purpose of the route cache is to reduce the repeated
searching of a routing table and to accelerate the packets sending speed through using previous cache searching results. But
under certain circumstances, users can choose to enable/disable the following two places to process route cache.
1) Fast transmitting route cache. Before sent to IP layer to deal, some packets received by interface can be transferred
directly if they match the route that stored in the cache.
Executing the following commands in the interface configuration mode:
ip route-cache Enables fast-switching cache for outgoing packets

no ip route-cache Disables fast-switching cache for outgoing packets
The default setting is to permit cache for outgoing packets.
2) When there are packets sent down from the user layer, if the destination is the same each time and the route is UP, the
route in the cache can be used without searching the routing table. Only one route, which is the result of recently searching
the routing table, is stored in cache.
Execute the following commands in the global configuration mode:
ip upper-cache Enables the use of upper route cache

no ip upper-cache Disables the use of upper route cache
The default setting is to permit the use of upper route cache.
3.4.5 Configuring IP Protocol Attributes
Maipu routers can configure the following IP attributes to UDP:
• Configure input queue of the IP protocol

• Configure the default Time-To-Live (TTL) of sending datagrams
• Configure the default Time-To-Live (TTL) of sending IP datagrams
• Enable IP recv-checksum
• Enable IP send-checksum
The Table 3-5 lists the commands to configure the UDP properties:
Table 3-5 UDP properties configuration
Table 3-5
Command Description
ip option default-ttl [1-255] Configure the Time-To-Live of the IP protocol
ip option fragment-ttl [1-255] Configure the Time-To-Live of IP fragment
ip option queue-length [300-600] Configuring the queue length of the IP receive-buffer
ip option recv-checksum Enable IP recv-checksum
Ip option send-checksum Enable IP send-checksum
Displaying IP Statistics
router#show ip
statistics
Statistics for the

IP protocol
total 1356 ---The number of the total received/sent packets
Badsum 0 ---The number of the packets that have bad checksums
Tooshort 0 ---The number of the packets that are too short
Toosmall 0 ---The number of the packets that are too small
Badhlen 0 ---The number of the packets that have bad header

lengths
badlen 0 ---The number of the packets that have bad lengths
infragments 0 ---The number of the received fragment packets
fragdropped 0 ---The number of packets discarded when fragment
fragtimeout 0 ---The number of packets when fragmented overtime
forward 0 ---The number of packets forwarded
cantforward 1312 ---The number of packets that can not be forwarded
redirectsent 0 ---The number of redirected transmissions
unknownprotocol 16 ---The number of packets with unknown protocols
nobuffers 0 ---The number of packets having no buffers
reassembled 0 ---The number of datagram reassembly
outfragments 0 ---The number of fragmented packets transmitted
noroute 0 ---The times of without routing
3.5 ICMP protocol
In the Internet Protocol stack, the Internet Control Message Protocol (ICMP) provides services such as controls, error reports
and network tests, etc. for other protocols in the Internet stack. The Maipu router supports RFC792, RFC950 and RFC1122.
3.5.1 Configuring ICMP Options

ICMP supports the request and reply options of subnet masks by default. But users can sometimes disable these options.
No Ip mask-reply to disable request and replay options of subnet masks.

Ip mask-reply to enable request and reply options of subnet masks.
3.5.2 Displaying ICMP Statistics
router#sh ip icmp
Statistics for ICMP protocol
16 calls to icmp error ---The times for system to call ICMP to send error
messages
0 error not generated because --- The number of ICMP errors generated due to
old message was icmp timeout
Output histogram: ---output information
destination unreachable: 16 ---The times of the unreachable destination
0 message with bad code fields ---The number of packets with bad code field
0 message < minimum length>
0 bad checksum ---The numbers of packets with bad checksum

0 message with bad length ---The numbers of packets with bad length
Input histogram: ---The input information
Destination unreachable: 16 ---The times of unreachable destination
0 message response generated ---The number of the response messages
3.6 IGMP protocol
The Internet Group Management Protocol (IGMP) assists IP to provide other applications with multicast service in the
Internet Protocol stack. Maipu routers support RFC1122.
Display IGMP statistics by the command show ip igmp stat.
router#show ip igmp stat

Statistics for the IGMP protocol
0 invalid queries received ----The number of invalid membership queries
0 invalid reports received ---- The number of invalid membership reports
0 bad checksums received ----The number of bad checksums received.
0 reports for local groups received ----The number of reports for local groups received
0 membership queries received ----The number of membership queries received
0 membership reports received ----The number of membership reports received
0 short packets received ----The number of short packets received
0 total messages received ----The number of total messages received
2 membership reports sent ----The number of membership reports sent
3.7TCP protocol
The Transmission Control Protocol (TCP) provides a highly reliable datagrams transmission service between application
programs. Maipu Routers support RFC793, RFC813, RFC879, RFC896 and RFC1122.
3.7.1 Configuring TCP properties
Maipu routers can configure the following TCP attributes:
• Configure the size of TCP receiving-buffer (recvbuffers)

• Configure the size of TCP sending-buffer
• Configure TCP retransmit threshold
• Configure TCP default size of maximum segment
• Configure TCP default round trip time
Configuration commands of the TCP attributes are shown in Table 3-6
Table 3-6 the TCP Attribute Configurations

Command Description
ip tcp recvbuffers [1024-65536](default: 4096) Set the TCP receive buffer size
ip tcp sendbuffers [1024-65536](default: 4096) Sets the send buffer size
ip tcp retransmits [1-100](default: 3) Sets the retransmit threshold
ip tcp segment-size [256-4028](default: 512) Configures the size of the maximum TCP segment
ip tcp round-trip [1-100](defult: 3) Configure the maximum TCP round trip time
ip tcp idle-timeout[3-144000](default: 14400) Configure the idle time of the connection that is before the
first testing of keeping alive
ip tcp init-timeout[2-30000](default: 150) Configure the value of the connection establishment
ip tcp keep-count[3-20](default: 8) Configure the maximum keeping alive times when the
opposite terminal has no response
ip tcp selective-ack Configure TCP selective acknowledgement options as per

RFC2018
3.7.2 Displaying TCP Statistics
The command show Ip tcp provides the detailed TCP statistics.
routerr#show ip tcp
Statistics for the TCP protocol:
0 packet sent ---The total number of sending packets
0 data packet (0 byte) ---The packets number (byte number)
0 data packet (0 byte) retransmitted ---The resent packets number (byte number)
0 ack-only packet (0 delayed) ---The acknowledge packets number (the

delayed acknowledge number)
0 URG only packet ---The urgent packets number
0 window probe packet ---The window probe packets number
0 window update packet ---The window update packets number
0 control packet ---The control packets number
0 packet received ---The total received packets number
0 ack (for 0 byte) ---The acknowledge packets number (byte).
0 duplicate ack ---The duplicate-acknowledge packets number
0 ack for unsent data ---The number of the packets asked not to be sent
0 packet (0 byte) received in-sequence ---The number of the packets received in

sequence (byte)
0 completely duplicate packet (0 byte) ---The completely duplicate packet number (byte)
0 packet with some dup. Data ---The partial duplicate packet number (byte)
(0 byte duped)
0 out-of-order packet (0 byte) ---The out-of-order packets number (byte)
0 packet (0 byte) of data after window ---The number of the packets outside of the
window (byte)
0 window probe ---The window probe packets number
0 window update packet ---The window update packets number
0 packet received after close ---The number of the received packets after
closing connection.
0 discarded for bad checksum ---The number of the packets discarded because
of bad checksum
0 discarded for bad header offset field ---The number of the packets discarded because
of bad header offset field
0 discarded because packet too short ---The number of the packets discarded because
of too short
0 connection request ----The number of the local TCP connection

requests
0 connection accept ----The number of connections received by the

local TCP
0 connection established ----The established TCP connections number

(including accepts).
0 connection closed (including 0 drop) ----The closed TCP connections number
0 embryonic connection dropped ----The discarded connections number
0 segment updated rtt (of 0 attempt) ----No packet used to update round trip time
0 retransmit timeout ----The times of retransmission for timeout
0 connection dropped by reXmit timeout ---The number of discarded connections for

timeout resending
0 persist timeout ---The persist timer don't timeout
0 keepalive timeout ---The number of keepalive timeouts.
0 keepalive probe sent ---The number of keepalive probes sent.
0 connection dropped by keepalive ---The number of connections dropped by

keepalive
0 pcb cache lookup failed ---The times of examining protocol control

module failure
3.8 UDP Protocol
The User Datagram Protocol (UDP) provides the basic service of data transmission between application programs. Maipu
MP series routers support RFC768.
3.8.1 Configuring UDP Protocol Attributes
Maipu routers can configure the following UDP attributes:
• Configure the default Time-to-Time Live for sending UDP packets.
• Set UDP recvbuffers’ size
• Set UDP sendbuffers’ size
• Enable UDP recv-checksum
• Enable UDP send-checksum
Table 3-7 lists configuration commands of UDP attributes.
Table 3-7 UDP Attribute Configurations

Command Description
ip udp default-ttl [1-255] Set Time-To-Live of UDP packets
ip udp recvbuffers [1024-65536] Set UDP receiving buffer size
ip udp sendbuffers [1024-65536] Set UDP sending buffer size
ip udp recv-checksum Enable UDP receiving checksum
ip udp send-checksum Enable UDP sending checksum
3.8.2 Observing UDP Statistic Information
The command show Ip udp displays detailed UDP statistics
router# show ip udp
Statistics for the UDP protocol:
32 total packets ---The total number of input and output packets.
16 input packets ---The total number of input packets.
16 output packets ---The total number of output packets.
0 incomplete header ---The number of the packets with incomplete

UDP headers
0 bad data length field ---The number of the packets with bad UDP data
length field
0 bad checksum ---The number of the packets with bad UDP

checksum
0 broadcasts received with no ports ---The number of the broadcast packets received
with no ports
0 full socket ---The number of broadcast packets received

with full socket.
16 pcb cache lookups failed ---The number of PCB Cache lookups failed
16 pcb hash lookups failed ---The number of PCB Hash lookups failed
3. 9 The Socket Interface
A socket is a mechanism that network application programs use to access lower layer network resources. Maipu MP series
routers supports the standard socket interface mechanism and a series of socket applications. The command Show Ip Sockets
can be used to display the usage situation of the TCP/UDP connection used by the current system, and can helpful to
troubleshoot.
router#show ip sockets
Active Internet connections (including servers)
PCB Proto Recv-Q Send-Q Local Address Foreign Address (state)

-------- ----- ------ ------ ------------------ ------------------- -------
990320 TCP 0 0 128.255.1.8.23 128.255.111.100.10
ESTABLISHED
99029c TCP 0 0 128.255.1.8.23 128.255.1.6.1057

ESTABLISHED
98ff84 TCP 0 0 0.0.0.0.23 0.0.0.0.0

LISTEN
9903a4 UDP 0 0 0.0.0.0.0 0.0.0.0.0
98fdf8 UDP 0 0 0.0.0.0.0 0.0.0.0.0
98ff00 UDP 0 0 0.0.0.0.1024 0.0.0.0.0
Each line represents one TCP/UDP connection.
Explanation of Abbreviations in the Chart:
PCB -- indicates the address of the Protocol Control Block
Proto -- indicates the protocol used by the current connection: TCP or UDP
Recev-Q -- indicates the data received over the current connection
Send-Q -- indicates the data sent over the current connection
Local Address -- indicated the local address and port number of the current connection
Foreign Address – remote address and port number of the current connection
For TCP connection, (State) indicates the current TCP state.
Chapter 4 Interface Configuration
This chapter mainly describes the interfaces supplied by Maipu series routers and how to configure them. And the main
contents of this chapter are listed as follows:
z Interface type supported by Maipu series routers
z Configuring Ethernet interfaces
z Configuring high-speed serial interfaces
z Configuring a 16-asyn-port/printing module
z Configuring a CE1 module
z Configuring an 8-syn-port module
z Configuring a built-in base-band modem module
z Configuring a built-in frequency-band modem module
z Configuring an ISDN module
4.1 Interface Types
This section mainly describes the interface types supported by Maipu series routers and how to configure them.
4.1.1 Interface Types Presently Supported by Maipu Routers

z Ethernet port
z Configuring port
z High-speed serial-port
z Asynchronous serial-port
z Synchronous serial-port
z Synchronous/Asynchronous serial-port
z Built-in 56K/33.6K frequency-band MODEM
z Built-in 128K base-band MODEM
z ISDN S/T interface module
z ISDN U interface module
z Unchannelized E1
z Channelized E1
z PRI Interface
z IP telephone interface
4.1.2 Configuring Interfaces
Before configuring interfaces, you should know of the follow points at least:
1) The connection situation of physical interfaces, physical operational modes and related operational parameters;
2) For a WAN interface, the link-layer encapsulation protocol and operational parameters should be appointed
between the WAN interface and the opposite-end interface connected with the WAN interface.
3) The network-layer IP address of the interface should be configured correctly.
4) Correctly configuring the static route of the destination network that can be reached through the interface, or
configuring the operational parameters of the dynamic routing protocol on the interface.
5) If the interface supports the dialup mode, the dialup mapping and MODEM management need be configured more.
6) If a firewall need be configured on the interface, it is necessary for you to configure the related packet filtering and
NAT parameters.
4.2 Configuring an Ethernet Port
The main contents of this section are listed as follows:
z The protocols supported by Maipu series routers
z Configuring the network address
z Configuring a vlan Interface
z Establishing the address resolution (ARP)
z Proxy ARP
z Monitoring and maintenance
4.2.1 The Protocols Supported by Maipu Series Router
The Ethernet port of maipu router can support the following two frame formats:
1) Ethernet_II (ARPA)
2) Ethernet_SNAP
The foregoing frame formats are used to encapsulate the network-layer IP protocol. When receiving data, the Ethernet port
can automatically recognize frame formats. But when transmitting data, the port can do nothing but make encapsulation
according to the specified frame format.
4.2.2 Configuring Network Address
Currently, MPROUTER can support noting but IP protocol on the network layer. And the network/host address and sub-net
mask need be configured by means of the following command:
Command Descriptions
router#configure terminal The user enters the global configuration
mode from the privileged user mode.
router(config)# interface fastethernet0 Enter the configuration status of the
interface f0.
router(config-if-fastethernet0)#ip address A.B.C.D Configure the IP address and sub-net mask
mask of the interface f0.
router(config-if-fastethernet0)#ip address A.B.C.D Configure the secondary address of the
mask secondary interface f0.
Note:
A.B.C.D is the IP address of the interface, and mask is the sub-net mask of the interface.
Notice:
Sixty-four secondary addresses can be configured at best on the Ethernet interface. And there is no limit of the
secondary addresses for the master interface.
4.2.3 Configuring an Vlan Interface

About the detailed information about configuring a vlan interface, refer to chapter 12 “802.1Q Configuration” of “Router
Configuration Manual”.
4.2.4 Establishing Address Resolution (ARP)
Maipu series routers can supports Ethernet address resolution protocol (ARP), which is used to establish the relation between
an IP address and a MAC address. After an IP address is input, the ARP can determine a MAC address related with the IP
address. Once the MAC address is determined, the relation of the IP address/MAC address will be saved into the ARP high-
speed buffer so as to realize the high-speed search. After that, an IP datagraph is encapsulated into a link-layer frame and
transmitted in the network.
4.2.4.1 Defining a Static ARP Buffer
ARP provides a dynamic mapping between an IP address and a MAC address. Most hosts can support the dynamic address
solution, so no static ARP buffer need be specified generally. If it is necessary to define the ARP buffer, you can define it in
the global configuration mode—namely load a permanent item into the ARP buffer. And MPROUTER software uses it to
translate a 32-bit IP address into a 48-bit hardware address.
Execute the following commands in the global configuration mode:
router(config)#arp A.B.C.D H.H.H Define a static ARP buffer;
router(config)#no arp A.B.C.D H.H.H Delete a static ARP buffer;
Note:
A.B.C.D is a host name or IP address and H.H.H is a MAC address. H means a hexadecimal number between 0 and FFF.
4.2.4.2 Examining ARP Buffer
To display the contents of the ARP cache used by the system, you can use the command show arp to examine the cache.
router#show arp
LINK LEVEL ARP TABLE
destination gateway flags Refcnt Use Interface
-----------------------------------------------------------------------
129.255.117.5 0050.ba27.e285 405 2 32455 fastethernet0
129.255.150.1 0050.ba27.d0f5 405 2 1011270 fastethernet0
-----------------------------------------------------------------------
Noteö
ö
1ì Destination: the destination IP address÷
2ì Gateway: the MAC address of the destination IP address÷
3ì Flags: flag bit (405—the dynamic ARP, Co5—the static ARP);

4ì Refcnt: the times of using the ARP;
5ì Use: the number of frames transmitted to the IP address;
6ì Interface: the interface connecting with the IP address
To refresh the ARP item, you can use the privileged EXEC command clear arp to do it.
router#clear arp
4.2.5 Proxy ARP
If an ARP request is transmitted from a host in a network to a host in another network, the router connecting the two
networks can answer the request. The foregoing procedure is called Proxy ARP. This way can make the end sending the ARP
request mistake that the router is the destination host. In fact, the destination host is on another side of the router. In this way,
the router, whose function is equivalent to the proxy of the destination host, can transmit packets to the destination host. Ô
RFC1027Õ
Maipu router supports the proxy ARP.
Execute the following command in the interface configuration mode:
router(config-if-fastethernet0)#ip proxy-arp Enable the proxy ARP.
router(config-if-fastethernet0)#no ip proxy-arp Disable the proxy ARP.
Note:
The proxy ARP is enabled by default.
The following example is about the typical ARP application and configuration:

035287(5 5287(5
3&e
| 3&e
|
Noteö
ö
1) 136.1.0.0 is a 16-bit mask of the network segment in which PC1 is located.

2) 136.1.2.0 is a 24-bit mask of the network segment in which PC2 is located.
3) No gateway is configured for PC1. And for PC2, however, 136.1.2.88 need be set its gateway or there exists a route to
PC1äthe IP address of the next hop is 136.1.2.88åí
If ARP proxy is disabled on the Ethernet of MPROUTER, PC1 fails to ping 136.1.2.55 successfully. This is because:
For packets in the same network, PC1 firstly broadcasts the ARP request so as to acquire the MAC address of the destination
host. After getting the address, PC1 transmits the packet to the destination. In the foregoing example, both the destination
host and PC1 on the same network (which can be known according to the mask of PC1), but they are not located in the same
network physically. If there is no response after PC1 sends the ARP request, then PC1 pings unsuccessfully. Here, if
MPROUTER enables ARP proxy, MPROUTER can use its MAC address to answer the request sent by PC1, and PC1 can
ping successfully. The ARP proxy of MPROUTER is mainly applied to this case.
4.2.6 Monitoring and Maintenance
When finishing the configuration of the Ethernet interface, you can enter the privileged user mode and execute the command
show interface to display the diverse configuration parameters and current operational status of the Ethernet interface.
RouterÏshow interface fastethernet0
fastethernet (unit number 0):
Flags: (0x8063) UP BROADCAST MULTICAST ARP RUNNING
ÔProtocol signal UPÕ
ÔInterface type: CSMA/CDÔIEEE802.3ÕÕ
ÔPort addressæ129.255.117.22Õ
Netmask 0xffff0000 Subnetmask 0xffff0000
ÔNetwork maskæ255.255.0.0 Sub-net maskæ255.255.0.0Õ
Broadcast address: 129.255.255.255
ÔBroadcast addressæ129.255.255.255 Õ
Metric: 0, MTU: 1500, BW: 100000Kbps, DLY: 100 usec
ÔMaximal transmitting unitæ1500çbandwidthæ100MçDelayæ100 microsecondsÕ
Ethernet address is 0001.7a00.0016
ÔMAC address:0001.7a00.0016Õ
Rate: 100Mbit/s Duplex: full duplex
ÔRateæ100Mç Operational modeæfull duplex modeÕ
Babbling recvive 0, babbling transmit 0, heartbeat fail 0
Tx late collision 0, Tx retransmit limit 0, Tx underrun 98
Tx carrier sense 0, Rx length violation 0
Rx not aligned 4, Rx CRC error 13, Rx overrun 68
ÔIn the received frames, there are 4 un-aligned ones, 13 CRC error’s ones and 68 overrun ones. Õ
Rx trunc frame 0, Rx too small 0, Rx alloc mbuf fail 0
5 minute input rate 19000 bits/sec ,12 packets/sec
ÔThe input rate is 19000 bits/sec, namely 12 packets/sec, in the late 5 minutes.Õ
5 minute output rate 6000 bits/sec ,2 packets/sec
ÔThe output rate is 6000 bits/sec , namely 2 packets/sec, in the late 5 minutes.Õ
Ô63200024 packets are receivedçand 9128013 packets are sentÕ
Ô57157487 multicast packets are receivedÕ
Ô1045 multicast packets are sent.Õ
ÔThere are 37 input errors and 0 output error.Õ
ÔThere is 0 collision; and 24166659 packets are discarded.Õ
4.3Configuring High-speed Serial Interface
Maipu router can provides two kinds of high-speed serial interfaces: one can support both synchronous and asynchronous
operation mode, called a synchronous/asynchronous serial interface; another can operate only in the asynchronous operation
mode, such as a configuration interface. The configuration interface Console is used to connect with user terminals and
serves as the configuration and monitoring interface of the router. Generally, you need not configure the configuration
interface, and it is not also recommended for you to do it.
The serial interface of Maipu router supports the following applications:
1) Connecting with the external Modem, and serving as a dialup interface or a backup interface;
2) Operating in the V.24/V.35 interface mode ( a high-speed synchronous/asynchronous WAN interface)ç
3) Supporting link-layer protocols, such as PPP, SLIP, FR, X25 and HDLC;
4) The extended synchronous/asynchronous serial interface or asynchronous serial interface can support link-layer
protocols, such as PPP, SLIP, X25, HDLC and FRÔbut the asynchronous serial interface can not support FRÕ.
CONFIGURING AN ASYNCHRONOUS SERIAL INTERFACE

CONFIGURING A SYNCHRONOUS SERIAL INTERFACE
MONITORING AND MAINTENANCE
4.3.1 Configuring an Asynchronous Serial Interface
Without any configuration, an asynchronous serial interface can work in the asynchronous operation mode. And to make the
synchronous/asynchronous serial interface work in the asynchronous operation mode, you can execute the following
commands. For example, you can execute the following commands to configure the serial interface 0 and make it work in
the asynchronous operation mode:
RouterÔconfig-if-serial0ÕÏ
physical-layer async Configure the asynchronous operation mode for the serial interface
0Äserial0Å.
speed 9600 Configure the bund rate 9600 for the asynchronous serial interface.
And the baud rate can be select from 1200bps/2400bps/4800bps/
9600bps/ 19200bps/38400bps/57600bps/115200bps.
databits 8 Configure the databits of the asynchronous serial interface: 8. And
the value can be selected from 5/6/7/8.
stopbits 1 Configure the stopbits of the asynchronous serial interface: 1. And
the value can be selected from 1/2.
parity none Configure the parity of the asynchronous serial interface: none.
And the value can be selected from even/none/odd/space/mark.
flow-control none Configure the flow-control of the asynchronous serial interface:
none.
And the value can be hardware flow-control (none) or software
flow-control.
maxinum-rx-unit 128 Configuring the maximal unit-receivable of the asynchronous
serial-interface; the scope of the maximal unit-receivable supported
by the serial interface is between 128 and 4096.
Tx-on dcdÉdsr Set the sending condition of the serial interface. And the default
condition is dcdÉdsr.
Noticeö
ö
When the asynchronous serial interface connects with the external Modem, the baud rate is applied to the
communication between the serial interface and the Modem. So their baud rate can be set differently. The line rate can be
determined after the Modem makes negotiation with the serial interface. And when two serial interfaces connect together
directly, they need be configured with the same baud rate.
When working in the hardware flow-control mode, the asynchronous serial interface can, by means of detecting the CTS
signal, determine whether to send data; and when working in the software flow-control mode, the asynchronous serial
interface can, by means of judging the flow-control character äXON/XOFFå, determine whether to send data.
4.3.2 Configuring a Synchronous Serial Interface
Without any configuration, a synchronous serial interface can work in the synchronous operation mode. The synchronous
serial interface can work in the DTE/DCE mode. When working in the DTE mode, the external DCE equipment (such as the
external synchronous Modem) connecting with the interface provides the clock source; and when working in the DCE mode,
the router connecting with the interface provides the clock source.
The synchronous serial-interface can provide a V.24/V.35 interface. By means of internal jumper, the router can provide
different types of interfaces.
For example, you can execute the following command to configure the serial interface 0 Ôserial0Õand make it work in the
synchronous operation mode:
RouterÔconfig-if-serial0ÕÏphysical-layer sync
4.3.2.1 Configuring the Operation Mode of a Synchronous Serial Interface
By default, a synchronous serial interface works in the DTE mode. And you can make the interface work in the DCE mode
through configuring DCE clock rate and adopting the DCE cable.
The different operation modes of the synchronous serial interface are corresponding with the different clock options:
1) If the synchronous serial interface works in the DTE mode, the serial interface receives the clock provided by the
external DCE equipment. Here, the DTE serial interface can not only select the receiving /sending clock of the
DCE equipment as itself receiving/sending clock, but also regard the sending clock of the DCE device as itself
receiving/sending clock. For example, you can use the following command to set the sending clock of the DCE
device as itself receiving/sending clock:
RouterÔconfig-if-serial0Õ)#clock multiplex Configuring the DTE clock multiplex.
When the interface works in the DTE mode, to eliminate the half clock cycle of the line some time, you can invert the
receiving clock of the DTE.
RouterÔconfig-if-serial0Õclock invert Configuring the DTE clock invert.
Noteö
ö
The clock is not inverted by default.
2) If the synchronous serial interface works in the DCE mode, the serial interface need provide the clock for the
external equipments. For example, you can use the following command to set the DCE clock rate:
RouterÔconfig-if-serial0Õ# clock rate 128000 Configuring the DCE clock rate as 128000.
Noteö
ö
In the synchronous operation mode, the serial interface can support a very wide clock rate scope. The lowest clock rate
is 1200bps, and the highest rate is related with the operation mode of the interface.
The highest clock rates supported by the interfaces in the different interface modes are different:
· In the V.24 mode, the highest clock rate can reach 200kbpsç
· In the V.35 mode, the highest clock rate in the DTE mode can reach 8Mbps and that in the DCE mode can reach
2Mbps.
Noteö
ö
The basic configuration of an 8 syn/asyn expansion interface is the same as that of the high-speed WAN interface. And
the different between them is that the rate supported by the former is relatively lower.
4.3.3 Monitoring and Maintenance
When finishing the configuration of the interface, you can enter the privileged user mode and execute the command show
interface to display the diverse configuration parameters and current operational status of the interface.
RouterÏshow interface serial0
Flags: (0x8071) UP POINT-TO-POINT MULTICAST ARP RUNNING
(Protocol signal : UP)
Type: PPP
(Interface typeæPPP)
(Port addressæ10.1.1.1)
Netmask 0xff000000 Subnetmask 0xffffff00
(Network maskæ255.0.0.0 Sub-net maskæ255.255.255.0)
(The IP address of the opposite endæ10.1.1.2)
Metric: 0, MTU: 1500, BW: 128Kbps, DLY: 20000 usec
(Maximal transmitting unitæ1500çbandwidthæ128KçDelayæ20 microseconds)
5 minute input rate 790000 bits/sec ,14 packets/sec
ÔThe input rate is 790000 bits/sec, namely 14 packets/sec, in the late 5 minutesÕ
5 minute output rate 788000 bits/sec, 12 packets/sec
ÔThe output rate is 788000 bits/sec, namely 12 packets/sec, in the late 5 minutesÕ
(1761641 packets are received; and 1827994 packets are sent.)
(0 multicast packet is received.)
(0 multicast packet is sent.)
(There are 148 input errors 146 output errors)
(There is 0 collision; and 9 packets are discarded)
lcp:OPENED, ipcp:OPENED, cdpcp:OPENED
rxFrames: 2296829, rxChars –1694564374
Ôthe number of the received frames is 2296829, and total bytes of the received frames are –1694564374.Õ
txFrames: 2275846, txChars –1714594630
ÔThe number of the sent frames is 2275846, and total bytes of the sent frames are –1714594630.Õ
rxNoOctet 17, rxAbtErrs 6, rxCrcErrs 0
ÔIn the received frames, there are 17 un-aligned ones. Six received frames are discarded and there exists no CRC
error’s frame. Õ
rxOverrun 0, rxLenErrs 0, txUnderrun 0
Ôthere exists 0 rxOverrun frame, 0 rxLenErr frame and 0 txUnderrun frame.Õ
rate=2000000 bps
(The line rate is 2M)
DCD=up DSR=up DTR=up RTS=up CTS=up Txc=up
4.4 Configuring a 16-asyn-serial-interface module
Maipu router contains a 16-asyn-serial-interface module. The module adopts the interface standard—RS-232, uses DB25
(M)/DB25 (F) connectors and RJ45 socket, supports 9600bps-115200bps baud scope, operates in the DTE or DCE mode.
Additionally, the module can support the following services:
z Connecting with a terminal (with the function of terminal-number fixing)
z Connecting with ATM (automated teller machine)
z Connecting with a PC station
z Connecting with a router
z Connecting with a frequency-band/base-band Modem
z Supporting PC/router dialup access
z Other serial equipment.
The concrete configuration is the same as that of the asynchronous serial-interface.

4.5 Configuring a CE1 Module
Brief introduction to a CE1 interface:
z A CE1 interface can be physically divided into 32 time-slots whose number is from 0 to 31 correspondingly.
Time-slot 0 can not be used to transmit data.
z Each frame of the CE1 circuit is composed of 32 time-slots and the transmission rate of each time-slot is 64K.
z When a CE1 interface is used, the total time-slots (1~31) can be optionally divided into several groups. After
bounded together, each group of time-slots can serve as an logical interface (use the command “channel-
group”shell to realize it), supporting link-layer protocols such as PPP, X.25, HDLC and FR etc.
z Configuring a CE1 interface
z Monitoring a CE1 interface
4.5.1 Configuring a CE1 interface
The tasks of CE1 configuration are listed as follows:
1) Configuring the physical-layer operation parameters of the CE1 interface, including frame check mode and line
encoding format etc.
2) Configuring the channel-group operation parameters
3) Configuring an interface.
Perform the following configuration in the global configuration mode:
router(config)#controller e1 0/0 Use the slot-number and unit-number to determine
the location (0/0) of the controller and enter the E1
configuration mode.
Noticeö
ö
For the low-end routers including MP1700, MP2500 and MP2600 etc, only the slot S0 can support the CE1 module.
Configuring the physical-layer operation parameters of the CE1 interface

router(config- Use the configuration command of a framing controller to select a frame
controller)#framing type for the E1 data line. And the following types can be selected:
crc4 crc4: Specify the CRC4 check mode for the E1 interface to receive/transmit
data;
no-crc4: Specify the E1 interface not to adopt the CRC4 check mode
for receiving/transmitting data;
Default: Set the default type (CRC4 check is valid only for data
transmission) .
router(config- Use the configuration command of a linecode controller to select a line
controller)#linecode encoding type for the E1 line. And the following types can be selected:
hdb3 Ami: Set the AMI (alternate mark inversion) as the line encoding type.
E1 is invalid by default.
router(config- Use the configuration command of a clock source controller to select a line
controller)# clock source clock for the E1 line. And the following types can be selected.:
internal Internal: The CE1 interface provides clock source by itself;
Line: Extract the clock from the line. The type is valid by default.
router(config- The CE1 interface is configured as the PRI mode. After that, an interface
controller)#pri-group similar to S0/0:15 can be generated.
Configuring the channel-group operation parameters:

router(config-controller)#channel-group Set the time-slots occupied by each channel.
number timeslots range
Noteö
ö
1) Number: The channel-group number. When an E1 data line is configured, the scope of the channel-group number is
from 0 to 30.
2) Range: The value scope to which one or more time-slots in a channel-group belong. The first time-slot number is 1,
and its range is from 1 to 31.
Notice:
1) When a time-slot is configured, the time-slot-number of the start-time-slot must be more than that of the stop-time-
slot, or else, the time-slot-number is invalid.
2) If two channels are configured with the repeating time-slot, the configuration is invalid and no interface can be
generated.
3) When a time-slot is configured, the scope of the time-slot must match with a channel-group-number. And it is the
service provider that defines time-slots including a channel-group.
The following example defines three channel-groups: channel-group 0 includes a single time-slot, channel-group 2 includes
three time-slots and channel-group 7 includes a single time-slot.
router(config)#controller e1 0/0 Use the slot-number and unit-number to
determine the location (0/0) of the controller and
enter the E1 configuration mode.
router(config-controller)#channel-group 0 Configure time-slot 1 for channel-group 0.
timeslots 1
router(config-controller)#channel-group 2 Configure 3~5 time-slots for channel-group 2.
timeslots 3-5 (That is to say that the rate of the channel-group 2
is 192K)
router(config-controller)#channel-group 7 Configure time-slot 7 for channel-group 7.
timeslots 6
router(config-controller)#framing crc4 Enable CRC4
router(config-controller)#linecode hdb3 Configure the line code as HDB3.
After finishing the configuration above, you can perform the interface configuration. The interface form is s0:0 s0:2 s0:7.
router(config)#interface s0/0:0 Enter the channel-group 0.
router(config-if-serial0/0:0)# encapsulation ppp Encapsulate the link-layer protocol as PPP.
router(config-if-serial0/0:0)#ip add 1.1.1.1 Configure the IP address 1.1.1.1 and subnet mask
255.0.0.0 255.0.0.0.
router(config-if)#exit
router(config)#interface s0/0:2 Enter the channel-group 2.
router(config-if-serial0/0:2)# encapsulation hdlc Encapsulate the link-layer protocol as HDLC.
router(config-if-serial0/0:2)#ip add 2.2.2.1 Configure the IP address 2.2.2.1 and subnet mask
255.0.0.0 255.0.0.0.
router(config-if)#end
Noticeö
ö
When multiple time-slots are configured, “-” is used between the start-slot and the stop-slot.
4.5.2 Monitoring a CE1 Module
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show
interface to display the parameter configuration and current operation status of the channel-group. Each parameter is the
same as that of the serial interface.
When the interface information is examined, the massive error frames can be discovered from the E1 statistics information,
the link-layer negotiation is slow, and there exists packet loss during the PING course.
The possible causes:
7KH&(PRGXOHFDQVXSSRUWWZRNLQGVRIFRQQHFWLRQFDEOHVRQHLV QRQ-EDODQFHFRD[LDOFDEOHDQGWKHRWKHULV
balance twisted-pair cable. When equipment connection is performed, the impedance may be unmatched.
4.6 Configuring an E1 module
By default, an E1 interface follows G.703 and the total bandwidth 2.048Mbit/ is used for data transmission. When the E1
interface is used for the frame structure, the interface can be used for G.704 no-channel associated signaling and G.704
channel associated signaling structure: the sixteenth time-slot of the former structure can be used to transmit data, and the
sixteen time-slot of the latter structure can be used to transmit signalings except data; and time-slot 0 of the foregoing two
structures can not be used to transmit data.
When the E1 interface is employed, the total time-slots can be optionally bound together to serve as an logical interface that
has the same logic as that of the synchronous serial-interface and can support PPP, X.25 and HDLC protocols.
z Configuring an E1 interface
z Monitoring an E1 interface
4.6.1 Configuring an E1 Interface
The configuration tasks of an E1 interface are listed as follows:
z Configuring the physical-layer operation parameters of an E1 interface
z Configuring the link-layer operation parameters of an E1 interface
Configuring the physical-layer operation parameters of an E1 interface

RouterÔconfig-if-serial0/0Õ ?
Router Ä config-if- Use the time-slot interface configuration command to enable the framed
serial0/0 Å #timeslot serial interface of the G.703E1 port adapter. And using the negation form
<start-slot - stop-slot> of the command or setting the stat-slot as 0 can restore the default.
start-slot: The first sub-frame of the master frame, the scope of the
parameter value is between 0 and 31, and the parameter value must be
less than or equal to stop slot.
stop slot: The last sub-frame of the master frame, the scope of the
parameter value is between 0 and 31, and the parameter value must be
more than or equal to start slot.
Router Ä config-if- The E1 module operates in the CCS mode. The command can take effect
serial0/0Å#ts16 only in the framing mode.
Router Ä config-if- The E1 mode adopts G.703 protocol and 2M mode.

serial0/0Å#no timeslot
Router Ä config-if- The E1 module operates in the CAS mode.
serial0/0Å#no ts16
Router Ä config-if- Configure the check mode of the E1 data line as crc4. The follow types
serial0/0 Å #crc4 can be selected:
{rcrc4|tcrc4|(CR)} crc4: Specify the E1 interface to adopt the CRC4 check mode for
receiving/transmitting data;
no-crc4: Specify the E1 interface not to adopt the CRC4 check mode
for receiving/transmitting data;
rcrc4: The receiving CRC4 is valid.
tcrc4: The transmitting CRC4 is valid.
Router Ä config-if- Set the clock mode of the interface:
serial0/0Å# clock source Line: Set the operation clock mode as the line clock.
<line|internal> Internal: Set the operation clock mode as the internal clock.
Noticeö
ö
1) By default, G.703 is configured as the transparent 2M mode, and the clock as the line clock.
2) Nothing but the serial-interface 0 of low-end routersäincluding MP1700, MP2500 and MP2600åcan support the E1
module.
3) The E1 interface can only operate in the synchronism mode.
Configuring the link-layer operation parameters of an E1 interface

RouterÔconfig-if-serial0Õë
Router Ä config-if-serial0 Å # encapsulation < Configure the link-layer protocol used on the E1
Configure encapsulation protocol> interface.
Router Ä config-if-serial0 Å #ip address Configure the IP address and corresponding subnet
<unicast address> < network mask> mask of the E1 interface.
Noticeö
ö
1) The link-layer protocols of the E1 interface can be configured as nothing but the synchronism mode;
2) By default, the link-layer protocol configured for the E1 interface is HDLC.
The following example defines an E1 interface: 1-31 time-slot, CCS mode, line clock, no CRC4, PPP link-layer
protocol, IP address 1.1.1.1 and 8-bit mask.
router(config)#interface serial0/0 Enter the E1 interface.
router(config-if-serial0/0)#timeslots 1-31 Set the E1 interface to use 1-31 time-slot.
Router(config-if-serial0/0)#ts16 Set the operation mode of the E1 interface as CCS.
Router(config-if-serial0/0)#no crc4 Set the E1 interface to perform no CRC4 check for
the received data and fill no CRC4 checksum in the
transmitted data.
Router(config-if-serial0/0)# encapsulation ppp Configure the link-layer protocol as PPP.
Router(config-if-serial0/0)#ip address 1.1.1.1 Configure the IP address 1.1.1.1 and 8-bit mask of
255.0.0.0 the E1 interface.
Noticeö
ö
When multiple time-slots are configured, “-” is used between the start-slot and the stop-slot. And when a single time-slot
is configured, the time-slot can be directly filled in. when the E1 interface is configured as the CAS mode, the sixteenth time-
slot is only used to transmit signalings
4.6.2 Monitoring an E1 Interface
interface to display the parameter configuration and current operation status of the E1 interface. Each parameter is the same
as that of the serial interface.
When the interface information is examined, the massive error frames can be discovered from the E1 statistics information,
the link-layer negotiation is slow, and there exists packet loss during the PING course.
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show run
interface to display the time-slots occupied by the E1 interface.
The possible causes:
7KH(LQWHUIDFHVXSSRUWVWZRNLQGVRIFRQQHFWLRQFDEOHVRQHLV QRQ-EDODQFHFRD[LDOFDEOHDQGWKHRWKHULV
balance twisted-SDLUFDEOH:KHQD HTXLSPHQWLVFRQQHFWHGWKHLPSHGDQFHPD\EHXQPDWFKHG6RWKH FDEOHLV
often used. When the E1 cable connects with other equipments, pay attention to whether the parameters (such as CRC4,
CCS/CAS, clock mode and time-slot) of the equipment match with those of the other equipments.
4.7 Configuring an 8-port Synchronous Module
An 8s module is an 8-port high-speed synchronous serial-interface module. The 8S module can be used to avoid the non-
synchronous rate between the serial-interface clock based on the bus clock and the factual clock of the V.35 interface. The 8S
module shares 32 time-slots with other TDM bus modules (expect the E1 module), can only operate in the synchronism mode
and support 64K/128K. When an 8S module is inserted into Maipu router, eight interfaces sync0~sync7, which support PPP,
X.25 and HDLC protocols, will be added.
The main contents of this section are listed as follows;
z Configuring an 8S interface
z Monitoring an 8s Interface
4.7.1 Configuring an 8S Interface
The configuration tasks of an 8S interface are listed as follows:
z Configuring the physical-layer operation parameters of an 8s interface
z Configuring the link-layer operation parameters of an 8s interface
Configuring the physical-layer operation parameters of an 8s interface
RouterÔconfig-if-sync0Õ ?
RouterÄconfig-if-sync0Å# nrzi-encoding Set the line encoding mode of the interface as the
NRZI-encoding (Non-Return-To-Zero-Inverted-
encoding). The negation form of the command is used
to cancel the NRZI-encoding.
Router Ä config-if-sync0 Å #no nrzi- Set the line encoding mode of the interface as NRZ-
encoding encoding (Non-Return-To-Zero) (the default mode is
the NRZ-encoding.)
Router Ä config-if-sync0 Å # txphase/ Set the transmitting/receiving phase of the interface as
rxphase the rising edge or falling edge.
txphase txup : representing that the channel
sends data at the rising edge.
txdown: representing that the channel sends data at
the falling edge.
rxphase rxup : representing that the channel
receives data at the rising edge.
rxdown: representing that the channel receives data at
the falling edge.
Router Ä config-if-sync0 Å #clock rate Set the clock rate of the interface and configure a bit
<64000/128000> rate receivable for the interface processor. The negation
form of the command is used to cancel the
configuration.
Router Ä config-if-sync0 Å #clock <rx/tx> Set the receiving/transmitting clock of the interface as
<in/out> the interval/external clock.
Notice:
1) The default configuration is: the NRZ-encoding mode, transmitting data at the falling edge and receiving data at the
rising edge, adopting the interval clock as the clock source for transmitting/receiving data.
2) Configure the receiving/transmitting phase, which, generally, need be reconfigured.
3) NRZI is mainly applied to the EIA/TIA-232 connection in the IBM environment.
4) When the clock frequency of the interface is configured, the effect of 0 is equal to that of the command no clock
rate, which means that the interface occupies no time-slot of the TDM bus.
Configuring the link-layer operation parameters of an 8s interface
RouterÔconfig-if-serial0Õë
Router Ä config-if-sync0 Å # encapsulation < Configure the protocol that is used on the link layer
Configure encapsulation protocol> of the 8S interface.
RouterÄconfig-if-sync0Å #ip address <unicast Configure the IP address and subnet mask of the 8S
address> < network mask> interface.
Notice:
1) The link-layer protocol configured on the 8S interface can but be synchronous;
2) The default link-layer protocol of the 8S interface is HDLC.
The following example defines an 8S interface (for example interface sync0 ): the NRZ-encoding mode, sending data at the
falling edge and receiving data at the rising edge, the clock frequency 128000, adopting the interval clock as the clock source
for transmitting/receiving data, PPP link-layer protocol, IP address 1.1.1.1 and 8-bit mask.
router(config)#interface sync0 Enter the 8s interface sync0.
router(config-if-sync0)#clock rate 128000 Set the clock rate of the interface as 128000.
Router(config-if-sync0)# txphase txdown Set that the data is transmitted at the falling edge of
the interface.
Router(config-if-sync0)# rxphase rxup Set that the data is received at the rising edge of the
interface.
Router(config-if-sync0)# clock rx in Set the receiving clock as the external clock.
Router(config-if-sync0)# clock tx in Set the transmitting clock as the external clock.
Router(config-if-sync0)# encapsulation ppp Set the link-layer protocol as PPP.
Router(config-if-sync0)#ip address 1.1.1.1 Configure the E1 interface: the IP address—1.1.1.1,
255.0.0.0 the mask—8-bit.
noticeö
ö
1) By default: no clock rate is configured;

2) If the clock source of multiple 8S interfaces is simultaneously configured as an external clock and
transmitting/receiving data depends on the external clock, the external equipment is required to provide the standard clock.
4.7.2 Monitoring an 8s Interface
interface sync0 to display the parameter configuration and current operation status of the 8S interface.
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show qmc
timeslots to display the system TDM bus time-slots occupied by the 8S interface
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show csm
to display which interface supports the current clock source of the system TDM bus.
The possible cause resulting in high bit-error rate of data transmission is that:
When an external clock is configured for the 8S interface, the peripheral equipment is required to provide a standard clock, or
else, packets will be lost badly and bit error rate will be high.
4.8 Configuring a Built-in Base-band Modem
Maipu router supports many kinds of built-in base-band modem module and the interface name is bm0/0. For an 8-port 128
built-in modem module, the interface name adopts the format of ebmx/y: x represents 4 or 5, and y represents 0~7; and each
interface can operate either in the LT mode or in the NT mode. (Note: ebm is the interface of MP2600 series router 8-port
baseband modem moduleØBM is interface of MP3600 series routers baseband modem module)
z Configuring the interface bm0/0 of a 128 module
z Configuring the interface ebm4/0 of an 8-port 128 module
4.8.1 Configuring a Single-port 128 Modem Module
Only the slot S0 on the low-end router can support a single-port 128 module.
RouterÔconfigÕÏ
Router(config)#interface bm0/0 Enter the configuration mode of the interface
bm0/0.
router(config-if-bm0/0)#line mode nt Operate in the NT mode.
router(config-if-bm0/0)#enca hdlc Encapsulate the HDLC protocol.
router(config-if-bm0/0)#ip address 2.2.2.2 The IP address of the port is 2.2.2.2 and the
255.0.0.0 corresponding mask is 255.0.0.0.
router(config-if-bm0/0)#clock rate 64000 The clock rate is 64K.
Noteö
ö
The single-port 128 module supports the 64k/128k synchronous communication mode.
4.8.2 Configuring an 8-port 128 Modem Module
An 8-port base-band modem module can be inserted in the upper or lower layer of the expended slot or both.
1ÕSupporting the link-layer protocols including HDLC, PPP, Frame Relay and X.25 etc.
2ÕSupporting the network-layer protocols such as IP and IPX;
The configuration tasks of the 8-port 128 modem module are listed as follows:
1) Configuring the baud rate;
2) Configuring the line mode;
3) Configuring the operation parameters of the link-layer protocols;
4) Configuring the IP address.
Configuring the clock of the synchronous interface:
RouterÔconfigÕÏ
router(config)#interface ebm4/0 Configure the interface ebm4/0 of the 8-port base-
band 128 modem module.
router(config-if-ebm0)#clock rate Configure the clock rate: 64Kbps/128kbps. (The
64000|128000 default value is 64Kbps)
router(config-if-ebm0)#line mode lt|nt Set the line mode: LT/NT(The default mode is
NT ).
router (config-if-ebm0)#ip address 1.1.1.1 The IP address of the port is 1.1.1.1, and the
255.0.0.0 corresponding subnet mask is 255.0.0.0.
router (config-if-ebm0)#enca ppp Encapsulate the PPP protocol.
router(config)#interface ebm4/1 Configure the interface ebm4/1 of the built-in 128
module.
router(config-if-ebm1)#line mode lt|nt Same as above.
router(config-if-ebm1)#enca ppp Same as above.
router(config-if-ebm1)#ip address 2.2.2.1 Same as above.
255.0.0.0
router(config-if-ebm1)#clock rate 64000 Same as above.
…………………. ………………….
Noteö
ö
1) Eight interfaces can support nothing but the synchronism operation mode;
2) Because the base-band MODEM adopts two B channels and the line baud rate need be the integer times of B, namely
the integer times of 64K, the baud rate can be configured only as 64K and 128K.;
3) For the base-band Modem on the other end, its configuration except the operation mode and address must be the same
as that of the modem on this end.
Notice:
1) If the DIP switch of the module is ON, then the bi-direction loop is enabled on the module.
2) When more than 2 ports of the 8-port 128 module operate simultaneously in the NT mode, the data transmission
clock source of the LT equipment connecting with the two ports must be consistent, like a MP9400 128 card in DDN network.
4.9 Configuring a Built-in MODEM Module
Maipu router supports many kinds of built-in frequency-band MODEM modules, such as single-port 1M56/1M336 Modem
module and four-port 4M336/4M56 Modem module. Each kind of interface can operate in the synchronism/asynchronism
mode. For these interfaces, their configuration mode is the same as that of the other serial interfaces, and the difference is that
they support the leased line or dialup line mode, the clock mode in the synchronism mode (internal clock, external clock and
slave clock).
z Configuring a built-in Modem;
z Debugging a built-in Modem.
4.9.1 Configuring a Built-in MODEM Module
The configuration of a single-port MODEM module is the same as that of a multi-port one.
RouterÔconfigÕÏ
Router(config)#interface serial0 Enter the configuration mode of the interface
serial0.
router(config-if-serial0)#physical-layer Configure the synchronism/asynchronism operation
sync/async mode.
router(config-if-serial0)#enca ppp Encapsulate the PPP protocol.
router(config-if-serial0)#ip address 2.2.2.2 The IP address of the port is 2.2.2.2, and the
255.0.0.0 corresponding mask is 255.0.0.0.
router(config-if-serial0)#modem clock-rate Configure the Modem line rate in the synchronism
33600 modem.
router(config-if-serial0)#speed 115200 Configure the Modem line rate in the asynchronism
modem.
router(config-if-serial0)#mode clock-mode Configure the Modem clock mode (the external
external/internal/slave clock, the internal clock and slave clock) in the
synchronism modem.
router(config-if)#modem party Configure the Modem answer/origination.
answer/originate
router(config-if-serial0)#mode line leased Configure the leased line mode for Modem.
router(config-if-serial0)#dialer string 5148295 Configure the phone number for the Modem to dial
up in the dialup mode.
router(config-if-serial0)#mode enable/disable Enable/disable the Modem configuration.
Noteö
ö
1) The line rate and clock type need be configured in the synchronism mode. And in the dialup mode, a phone number
of the answer party need be configured on the call origination;
2) When in the synchronism/asynchronism mode, the highest line rate is 33600bps/115200bps.
3) Both sides of modems need select consistent modulation protocol, line rate, synchronism/asynchronism mode, error
control protocol and compression protocol in the asynchronism mode. And when in the synchronism mode, both sides need
select the Modem synchronous clock.
4) Call/Answer configuration: the MODEM to originate the relation is called call origination, and the other party is
called answer.
4.9.2 Built-in MODEM Debugging
Open the MODEM debugging switch and observe its dialup status and related information:
mp2600#debug modem interface-number
Close the MODEM debugging switch:
mp2600#no debug modem interface-number
The following example describes how to use the default system scripts to dial out:
maipu2#debug modem serial0
serial0: Config modem for dialing out
serial0: AT configurating command:
AAT&FE0Q0W1S95=44S36=5S25=0X0
AAT&D2&Q5
AATM1L1
serial0: Success to send the 0th group configuring command
serial0: Success to send the 1st group configuring command
serial0: success to configure modem
serial0: Start dialing automatically
serial0: Dialing timeout is set as 45s(DL-mode)
serial0: Dialing 81...
serial0: modem connected.

Line protocol on Interface serial0, changed state to up
4.10 Configuring an ISDN Module
PRI is configured as follows: (A CE1 module must be inserted in the router.)
Syntax Descriptions
router(config)#controller e1 0/0 Enter the E1 configuration mode through the
controller location (0) that is defined with the unit
number.
router(config-controller)#pri-group timeslot 1-31 Configure multiple time-slots to create a PRI
interface.
Only one pri-group can be configured for one
CE1. However, as long as there exists no time-slot
overlapping between pri-group and channel-group,
both can be simultaneously configured for one
CE1.
router(config-controller)#exit Exit from the E1 configuration mode.
router(config-if-serial0/0:15)#isdn switch-type Configure the switch-type of an ISDN PRI
primary-net5 interface.
BRI is configured as follows:
Syntax Descriptions
router(config-if-bri0/0)#isdn switch-type basic- Configure the switch-type of an ISDN BRI
net3 interface.
By default, ISDN supports nothing but DDR dialup mode. And about the other configuration, refer to “DDR Dialup
Configuration”. At present, PRI does not serve as the dialing party.
4.11Configuring an Interface-group
Bind multiple interfaces together as an interface-group. Once interface commands are configured in the interface-group, all
interfaces in the interface-group will automatically generate those commands. This can reduce the repeat of configuring the
same commands on each interface.
z Basic interface-group configuration commands
z An example of interface-group configuration
z Configuration and statistics information of an interface-group
4.11.1 Basic Interface-group Configuration Commands
Create an interface-group:
router(config)#interface group <0-255> ?
Syntax Descriptions
Adopt the enumeration mode to specify some
Enum
interfaces for the generation of an interface-group.
Set the interface range of the interface-group through
Range
specifying the start interface and end interface.
Display all interfaces contained by the interface-
Display
group.
Note:
1) The type of each interface in an interface-group should be the same. (such as asynchronous interface.)2) The
above are the basic commands to create an interface-group. If no interface-group is created, the system will display the
inexistence of the command (such as the command show if-group) related with the interface-group. The commands
related with the configuration and statistics information of the interface-group do not exist until at least one interface-
group is created.
4.11.2 An example of interface-group configuration
Configure interface-group parameters:
Syntax Descriptions
Set interface-group 2 containing 16
router(config)#interface group 2 range async1/0
asynchronous interfaces (from interface async1/0
async1/15
to async1/15).
Encapsulate the terminal protocol on the
router(config-if-group2)#encapsulation terminal
interface-group.
router(config-if-group2)#speed 9600 Configure the rate on the interface-group.
router(config-if-group2)#flow-control software
Configure the flow-control on the interface.
65535
Configuration resultÖ
router#show running-config
...
interface group 2 range async1/0 async1/15 (Configure an asynchronous interface-group.)
....
interface async1/0 (Configure the asynchronous interface contained by the interface-group to be
automatically generated on the interface-group.)
speed 9600
databits 8
stopbits 1
parity none
flow-control software 65535
tx-on dsr
encapsulation terminal
exit
interface async1/1
speed 9600
databits 8
stopbits 1
parity none
tx-on dsr
exit
.... (The following configuration is omitted)
4.11.3Configuration and Statistics Information of an Interface-group

show interface group _0_255_
Use the command above to display the detailed interface information of all interfaces contained by the specified
interface-group.
ÏCommand modeÐthe privileged user configuration mode.
show if-group
Use the command above to display all interface information of each interface-group.
show running-config interface group _0_255_

Use the command above to display the configuration information of all interfaces contained by the specified interface-
group.
Chapter 5 WAN Protocols Configuration
Maipu routers supports the following familiar WAN protocols: PPP, HDLC, X.25, LAPB, X.25, frame relay, SLIP, ISDN
and dial-up connection. This chapter describes how to configure Maipu’s MP series routers to connect with a WAN (for
ISDN and dial-up connection information please refer to Chapter 6).
The main topics addressed in this chapter are:
o PPP protocol
o HDLC protocol
o SLIP protocol
o TCP/IP header compression
o X.25 protocol
o Frame Relay protocol
5. 1 PPP Protocol
The topics addressed in this section are as follows:
o Brief Introduction of PPP
o Description of basic PPP instructions
o PPP configuration examples
o Configuring PPP authentication
o Monitor and debug PPP information
o PPP address pool
o PPP multilink
o PPP data compression
5.1.1 Brief Introduction of PPP
The PPP protocol is a kind of data link layer protocol used to transmit network layer packets on the connection from point to
point. PPP includes Link Control Protocol (LCP), Network Control Protocol (NCP), Authentication Protocol (PAP and
CHAP), and it can support synchronous/asynchronous line. PPP can be applied to serial systems with different properties to
transmit many kinds of network layer protocol data. PPP is a universal method of connecting various kinds of hosts, bridges
and routers.
PPP is composed of the following three components:
1. A method which encapsulates many kinds of network protocol datagrams;

2. The Link Control Protocol (LCP) used to establish, configure and test the data link connection;
3. A group of Network Control Protocols (NCP) used to establish and configure different network layer protocols.
5.1.2 Description of basic PPP instructions
1) Interface commands:
router1(config-if-XXX)#ppp ?
Command Description
ppp ac PPP frame address and compression of control field

ppp accounting Configures the accounting method of PPP connection.
ppp authentication Configures the authentication method (CHAP/PAP) of
PPP connection.
ppp callback Configures the callback operation.
------ppp callback accept Configures it as the receiving side.
------ppp callback request Configureds it as the originate side.
ppp chap hostname Configures CHAP authentiction parameters.
ppp multilink Configures the multilink binding of interface.
ppp compression PPP compression protocol (predictor/stacker)
ppp pap Configures PAP authentiction parameters.
ppp pc Protocol field compression of PPP frame
Ppp timeout
------ppp timeout authenticationæ The maximum waiting time to authenticate again
------ppp timeout ipcpæ The maximum waiting time to configure network
------ppp timeout retryæ protocols again
The maximum waiting time to connect link again
2) PPP interface address negotiation
In many network modes, IP addresses are distributed in the direction of upper-end to lower-end, so at the lower-end address
negotiation is used to negotiate the address of opposite terminal. For the point-to-point link layer protocol, it supports IP
address negotiation, so it can configure IP address negotiation properties of an interface without an IP address. There are
some typical examples, such as running PPP protocol in serial line to access the Internet through an ISP, configuring the IP
address negotiation of local serial interface, permitting the local interface to receive the address distributed by the opposite
terminal. The relevant configuration commands are as follows:
router (config-if- XXX)#
Command Description
peer defaut ip address A.B.C.D Distributes an IP address to the opposite terminal.
no peer defaut ip address A.B.C.D Cancels an IP address distributed to opposite terminal
Ip address negotiated Accepts the IP address distributed by the opposite

terminal.
no Ip address negotiated Does not accept the IP address distributed by the opposite
terminal.
5.1.3 Examples of PPP configuration
1) Synchronous PPP protocol

V
U RXW HU
''1 V

U RXW HU
Illustration:
1. The port S0 (3.3.3.1) of local router connects with the port S0 (3.3.3.2) of the opposite router.
A. The configuration of router1

Command Task
router#configure terminal Enters global configuration mode
router(config)#interface s0 Enters S0 interface
router(config-if-serial0)# physical-layer sync Configures physical layer works in
synchronization mode.
router(config-if-serial0)#encapsulation ppp Encapsulates PPP protocol.
router(config-if-serial0)# ip address 3.3.3.1 255.255.255.Ì Configures IP address.
router(config-if-serial0)#exit Exits from the interface s0
Note:
1. Configuration of router2 and router1 are only different in host name, IP address and
clock. In all other respects they are the same.
2. Only encapsulation of the data link layer PPP protocol is discussed in this example. Other configurations of the
physical layer and the network layers can refer to the relevant chapters.
2) The address negotiation

As shown in the figure above, local IP addresses can now be obtained through address negotiation.
A. The configuration of router1:

Command Task
Router#configure terminal Enters the global configuration mode.
router(config)#interface s0 Enters the interface S0.
router(config-if-serial0)#physical-layer sync The physical layer works in synchronous mode.
router(config-if-serial0)#clock rate 64000 Configures the clock rate.
router(config-if-serial0)#encapsulation ppp Encapsulates the link layer protocol PPP.
router(config-if-serial0)#ip add ress 3.3.3.1 25 5.255.255.0 Configures the network layer IP address.
router(config-if-serial0)#peer defaut ip address Designates an IP address of the opposite terminal.
3.3.3.2
router(config-if-serial0)#exit
B. The configuration of router2:

Command Task
Router#configure terminal Enters the global configuration mode.
router(config)#interface s0 Enters the interface S0.
router(config-if-serial0)#physical-layer sync The physical layer works in synchronous mode.
router(config-if-serial0)#encapsulation ppp Encapsulates the link layer protocol PPP.

router(config-if-serial0)#ip address negotiated Permits to accept the address distributed by the
opposite terminal.
5.1.4 Configuring PPP Authentication

The PPP authentication between a local router and remote router supports PAP and CHAP, and it can be bidirectional
1. An example of configuring the PAP authentication

V
URXWHU
''1 V

URXWHU

Command Task
Router1#configure terminal Enters the global configuration mode.
Router1(config)#user goat pass 0 Maipu Configures the user name as goat and
passord as Maipu.
Router1(config)#interface s0 Enters the interface S0.
Router1(config-if-serial)#physical-layer sync The physical layer works in synchronous
mode.
Router1(config-if-serial)#encapsulation ppp Encapsulates PPP as link layer protocol
Router1(config-if-serial)#ppp authentication pap Configures pap authentication.
Router1(config-if-serial)#ip address 3.3.3.1 255.255.255.0 Configures IP address.
Router1(config-if-serial)#clock rate 128000 Provides clock.
Router1(config-if-serial)#exit
B. The configuration of router2

Command Task
Router2(config)#interface s0 Enters the interface S0.
Router2(config-if-serial0)#physical-layer sync The physical layer works in
synchronous mode. (Corresponding to
the partner)
Router2(config-if-serial0)#encapsulation ppp Encapsulates PPP protocol.
Router2(config-if-serial0)#ip address 3.3.3.2 255.255.255.0 Configures an IP address.
Router2(config-if-serial0)#ppp pap sent-username goat password Configures the negotiated user name
Maipu and the corresponding password.
Router2(config-if-serial0)#exit
2. An example of configuring CHAP authentication

V
URXWHU
''1 V

URXWHU
Note:
1. Because the CHAP authentication needs to check user names, the command hostname is needed to determine the
names of two sides.
A.The configuration of router1:

Command Task
Router1#configure terminal
Router1(config)# user mp2 password 0 Maipu
Router1(config)# interface serial0
Router1(config-if-serial0)# physical-layer sync
Router1(config-if-serial0)# clock rate 128000
Router1(config-if-serial0)# encapsulation ppp
Router1(config-if-serial0)# ppp authentication chap Configures as chap authentication.
Router1(config-if-serial0)# ppp chap hostname mp1 Configures the authentications
name.
Router1(config-if-serial0)# ip address 100.0.0.2 255.0.0.0
Router1(config-if-serial0)# exit

Command Task
Router1(config)#user mp1 password 0 Maipu
Router1(config)#interface serial0
Router1(config-if-serial0)#physical-layer sync
Router1(config-if-serial0)#encapsulation ppp
Router1(config-if-serial0)#ppp chap hostname mp2 Configures the authentication
name.
Router1(config-if-serial0)#ip address 100.0.0.2 255.0.0.0
5.1.5 Monitoring and Debugging PPP information

Command Description
show ppp information serial2
(Display PPP information) LCP Stats
LCP phase
ESTABLISH
LCP state REQUEST
SENT
lcp echo timer OFF
IPCP Stats
IPCP state INITIAL
NDSPCP Stats
NDSPCP state INITIAL
PAP Stats
client PAP state INITIAL
server PAP state INITIAL
CHAP Stats
client CHAP state INITIAL
server CHAP state INITIAL
Router#show ppp multilink Displays PPP multilink status information
Router#show ppp version Displays PPP version information
Router#debug ppp negotiation Opens debugging PPP negotiation information and use this command to
[serial serial-number] see the compression information such as tcp ,rtp ,predictor and stacker
Router#debug ppp header serial Opens debugging header information of packets when PPP is
serial-number negotiated
Router#debug ppp packer Opens debugging PPP receiving/sending messages information
serial serial-number
Router#show compress XXX Displays compressed information.
5.1.6 PPP Address Pool

When an up-end server needs to distribute IP address uniformly to its lower-end network equipments, you can choose the
address pool function in PPP.
1. The relevant configuration commands are as follows:

routerÔconfigÕ#ë
Command Description
In the global configuration mode:
Ip local pool default A.B.C.D E.F.G.H Defines a default address pool with the start address of
A.B.C.C and the end address of E.F.G.H.
IP local pool pool-name A.B.C.D E.F.G.H Defines an address pool called pool-name and with the
start address of A.B.C.D and end address of E.F.G.H.
ip address-pool local Enables the default address pool on all interfaces
In the interface mode:
peer default ip address A.B.C.D Distributes a fixed IP address A.B.C.D to the opposite
terminal.
peer default ip address pool Enables the default address pool. (Default)
peer default ip address pool pool-name Enables an address pool called pool-name.
Ip address negotiated Enables address negotiation on the opposite terminal.
2. An example configuration:
V
U RXW HU
''1 V

U RXW HU
Illustration:
1. As is shown in the figure aboveÈthe routers router1 and router2 connect with each other through S0, encapsulate
the PPP protocol, and an address pool is configured in router1 (Users can also configure a default address pool). In
router2 the address negotiation is configured to learn the IP address distributed by the opposite router.
A.The configuration of router1:
Command Task
Router(config)#ip local pool goat 10.0.0.2 10.0.0.10 Defines an address pool called goat with
network addresses from 10.0.0.2 to 10.0.0.10.
Router(config)#interface serial0 Enters the interface S0.
Router(config-if-serial0)#physical-layer sync Configures it as the synchronous mode.
Router(config-if-serial0)#clock rate 128000 Configures the clock rate.
Router(config-if-serial0)#encapsulation ppp Encapsulates the PPP protocol.
Router(config-if-serial0)#peer default ip address pool goat Designates the opposite terminal to use the
addresses in address pool goat (distribute
addresses from big to small).
Router(config-if-serial0)#ip address 10.0.0.11 255.0.0.0 Configures the IP address.
Router(config-if-serial0)#exit
B.The configuration of router2:
Command Task
Router(config)#interface serial0 Enters the relevant interface.

Router(config-if-serial0)#physical-layer sync Configures it as the synchronous mode.
Router(config-if-serial0)#encapsulation ppp Encapsulates PPP protocol.
Router(config-if-serial0)#ip address negotiated Uses address negotiation to negotiate IP
addresses distributed by the opposite terminal.
Router(config-if-serial0)#end
Notice:
1. If you want to use a default address pool, you must first configure the default address pool, then enable it. After ip
add negotiated is configured on the opposite router, it will work. If ip address-pool local is configured in the
global configuration mode, then all the interfaces will use the default address pool, and then it is unnecessary to
configure peer default ip address pool.
2. If you want to use a given address pool, you must first configure the given address pool, and then configure peer
default ip address pool-name on the given interface.
5.1.7 PPP Multilink
PPP multilink binding can be used to provide load balance for dialup lines (PSTN/ISDN) or synchronous lines, enhance line
throughput and reduce the transmission delay among systems. By means of the PPP multilink binding, a packet can be
divided into multiple slices, which can be transmitted over the multiple parallel links simultaneously and then can be restored
to the original packet orderly.
The PPP multilink supports three binding modes: multilink, dialer and BRI. Dialer and logical interface multilink modes are
applied to the binding of physical interfaces, and the BRI mode is applied to the binding of B channels (MP router can also
support the binding of two ISDN B channels.). The three binding modes support the corresponding network modes
respectively.
The multilink binding mode: the mode is generally applied to synchronous line binding (such as DDN and SDH) instead of
dialup line binding (such as PSTN and ISDN).
The dialer binding mode: the mode is generally applied to the PSTN dialup line binding instead of the ISDN dialup line
binding. Besides that, the mode can also be applied to the synchronous line binding, but it is not recommended.
The BRI binding mode: when the multilink is adopted, the mode can be applied to nothing but the binding of two B channels
of ISDN dialup line.
The following three examples are given respectively for the foregoing three kinds of multilink binding modes.
ä1å
å The multilink binding mode
PXO W L O L QN PXO W L O L QN

6 6
6 6
U RXW HU U RXW HU
Illustration:
As shown in the figure above, two private lines are adopted for the connection of Router1 and Router2. To use PPP
multilink, you should firstly establish a multilink interface respectively for Router1 and Router2 and bind the physical
interfaces to the multilink interface.
1) The multilink interface of router1 is configured as follows:(the related configuration of router2 is similar to that of
router1)
Syntax Descriptions
router1#configure terminal Enter the global configuration mode.
router1(config)#int multilink1 Create a multilink logical interface multilink1.
router1(config-if-multilink1)#ip add 2.0.0.1 Configure the IP address.
255.0.0.0
router1(config-if- multilink1)#encapsulation ppp Enable the PPP protocol.
router1(config-if- multilink1)#ppp multilink Enable the PPP multilink.
2) The physical interface of router1 is configured as follows:(the related configuration of router2 is similar to that of
router1)
Syntax Descriptions
router1(config)#int s1/0 Enter an interface.
router1(config-if-serial1/0)# encapsulation ppp Encapsulate the PPP protocol.
router1(config-if-serial1/0)#multilink-group 1 Relate the physical interface with the multilink
interface.
router1(config-if-serial1/0)#physical-layer sync Configure the synchronous mode.
router1(config-if-serial2/0)#multilink-group 1 Relate the physical interface with the multilink
interface.
router1(config-if-serial2/0)#physical-layer sync Configure the synchronous mode.
ä2å
å The dialer binding mode
GL DO HU GL DO HU

6 6
3671
6 6
U RXW HU U RXW HU
Illustration:
As shown in the figure above, two physical interfaces (frequency-band modem interface or serial interface adopts the
external modem mode) are adopted for the connection of Router1 and Router2. To use PPP multilink, you should firstly
establish a dialer interface respectively for Router1 and Router2 and bind the physical interfaces to the dialer interface.
1) The dialer interface of Router1 is configured as follows. (The configuration of the dialer interface on Router2 is
similar to that of Router1.)
Syntax Descriptions
router1(config)#dialer-list 1 protocol ip permit Define a dialer-list.
router1(config)#int dialer1 Create a dialer interface dialer1.
router1(config-if-dialer1)#ip add 2.0.0.1 255.0.0.0 Configure the IP address.
router1(config-if-dialer1)#encapsulation ppp Enable the PPP protocol.
router1(config-if-dialer1)#dialer in-band Enable DDR of the interface.
router1(config-if-dialer1)#dialer-group 1 Define an access group for access control.
router1(config-if-dialer1)#ppp multilink Enable the PPP multilink.
router1(config-if-dialer1)#dialer string Configure the phone number for dialer (two
phone numbers need be configured for two lines)
router1(config-if-dialer1)#dialer load-threshold Specify the load-threshold (such as 1) for the
dialer.
2) The physical interface of Router1 is configured as follows. (The configuration of the physical interface on Router2 is
similar to that of Router1)
Syntax Descriptions
router1(config-if-serial1/0)#dialer rotary-group 1 Relate the physical interface with the dialer
interface.
router1(config-if-serial1/0)#physical-layer async Configure the asynchronous mode (Generally,
PSTN adopts the asynchronous modes)
router1(config-if-serial2/0)#dialer rotary-group 1 Relate the physical interface with the dialer
interface.
router1(config-if-serial2/0)#physical-layer async Configure the asynchronous mode (Generally,
PSTN adopts the asynchronous modes)
The above is the basic configuration of the modem. If the interface adopts the external modem mode,
modem out need still be configured on the serial-interface more.
ä3å
å The BRI binding mode
bri0/0 bri0/0
2.0.0.1/8 2.0.0.2/8
B channel 0 B channel 0
ISDN
B channel B channel
1 1
router1 router2
Illustration:
As shown in the figure above, one ISDN line is employed for Router1 and Router2 to access ISDN. Two B channels of
the line are bound together for a PPP multilink. By default, two B channels are bound with the BRI interface. Thereby, the
BRI binding mode needs no manual configuration of the binding of two B channels and the BRI interface.
1) The BRI interface of Router1 is configured as follows. (The configuration of the BRI interface on Router2 is similar
to that of Router1)
Syntax Descriptions
router1(config)#dialer-list 1 protocol ip permit Define a dialer-list.
router1(config)#int bri0/0 Enter the BRI interface.
router1(config-if- bri0/0)#ip add 2.0.0.1 255.0.0.0 Configure the IP address.
router1(config-if- bri0/0)#encapsulation ppp Enable the PPP protocol.
router1(config-if- bri0/0)#dialer in-band Enable the interface DDR.
router1(config-if- bri0/0)#dialer-group 1 Define an access group for access control.
router1(config-if- bri0/0)#ppp multilink Enable the PPP multilink.
router1(config-if- bri0/0)#dialer string Configure an ISDN number for dialup
router1(config-if- bri0/0)#dialer load-threshold Specify the load-threshold (such as 1) for the
dialer.
5.1.8 PPP Data Compression

Maipu routers can use compression to optimize its performance and then can provide higher data throughput capacity.
The compression modes supported by Maipu routers are as follows:

Predictor----uses the index method to forecast the next character sequence of the data stream according to the compression
dictionary; it can first judge whether the data is compressed. If the data has been compressed, it will be sent out at once and
the system does not waste time to compress the data that has been compressed.
Stacker---- is a compression method based on Lempel-Ziv(LZ). It sends each kind of data only one time, and then only sends
the information about each kind of data that is located in the data stream. The receiver can assemble the data stream again int
understandable information.
TCP/IP Header Compression----is employed to compress the length of TCP/IP header
RTP Compression----is employed to compress the real-time voice data.
1. The relevant configuring commands:

router(config-if- XXX)#
Command Description
ppp Compress predictor Configures predictor compression.

ppp Compress stacker Configures stacker compression.
ip tcp header-compression Configures TCP header compression.
ip rtp header-compression Configures RTP compression.
Note 1:
1. Predicor is an algorithm that lays on dense memory and little usage of CPU;
2. Stacker is an algorithm that lays on dense CPU and little usage of memory.
3. display this compression information to refer to debug ppp commands
Note 2:
1. For all the functions achieved by PPP (for example, compression and reliable-link etc.), Users need to configure it
from both sides. If only one side configures a function while the other one does not, the function will not work.
2. PPP Compression Example

An example of compression configuration
Illustration:
The predictor compression is adopted for the connection of the port S1/0(3.3.3.1) of the local router router1 and the
port S1/0 (3.3.3.2) of the opposite router router2.
A) Router1 is configured as follows.
Syntax Descriptions
router1(config)#interface s1/0 Enter the interface S1/0.
router1(config-if-serial1/0)#physical-layer sync The physical layer operates in the
synchronous mode.
router1(config-if-serial1/0)#encapsulation ppp Encapsulate the link-layer protocol
PPP.
router1(config-if-serial1/0)#ppp compress predictor Configure the predictor compression.
router1(config-if-serial1/0)#ip address 3.3.3.1 255.0.0.0 Configure the IP address.
router1(config-if-serial1/0)#clock rate 128000 Provide the clock rate.
router1(config-if-serial1/0)#exit
B) Router2 is configured as follows.
Syntax Descriptions
synchronous mode.(Corresponding
with the opposite end)
router2(config-if-serial1/0)#encapsulation ppp Encapsulate the PPP protocol.
router1(config-if-serial1/0)#ppp compress predictor Configure the predictor compression.
5.1.9 PPP BACP (Bandwidth Allocation Control Protocol) and PPP BAP
5.1.10 BACP Configuration Commands

This section mainly describes the BACP (bandwidth allocation control protocol) configuration commands that are used to
configure the router PPP (point-to-point protocol) for the dialup solution.
ppp bap call
Use the Command to enable PPP BACP CALL. To configure the PPP BACP call parameters, use the interface
configuration command ppp bap call. To deny the processing of the specified type, use the negation of the command to
disable it.
ppp bap call { accept | request | timer seconds }
no ppp bap call { accept | request | timer }
Syntax Description
Accept Allow the opposite end to initiate link addition. (By default)
Request Allow the local end to initiate link addition.
Timer seconds The time to wait between sending call requests in seconds. And
its range is from 2s to 120s. (No default is configured).
ÏBy defaultÐaccept -------- The opposite end can initiate link addition.
ÏCommand modeÐthe interface configuration mode The opposite end can initiate link addition
ppp bap callback

Use the Command to enable the parameter of PPP BAP CALLBACK. To configure the PPP BACP callback and set
callback parameters, use the interface configuration command ppp bap callback. To delete the configuration of PPP BACP
callback, use the negation of the command to disable it.
ppp bap callback { accept | request | timer seconds }
no ppp bap callback { accept | request | timer }
Syntax Description
Accept Initiate link addition upon peer notification.
Request Request that a peer initiate link addition.
Timer seconds The time to wait between sending callback requests in seconds.
And its range is from 2s to 120s. (The default is “disabled”).
ÏBy defaultÐThe callback is disable.
ÏCommand modeÐthe inteface configuration mode
ppp bap drop

Use the Command to enable the delete opertion of multilink bundle. To configure the parameter that is used to delete a
link from a bound links, use the interface configuration command ppp bap drop. To deny the processing of the specified
type, use the negation of the command to disable it.
ppp bap drop { accept | after-retries | request | timer seconds }
no ppp bap drop { accept | after-retries |request | timer }
Syntax Description
Accept Allow a peer to initiate link removal (By default).
Request Remove the link after no response to drop requests.
Timer seconds Initiate the removal of a link (No default value is configured).
after-retries The time to wait between sending link drop requests in seconds.
Without any BACP negotiation, the local router can delete the
link directly when receiving no interrupt request response sent by the
opposite end.
ÏBy defaultÐaccept Ãrequest-------the opposite end and the local router are permitted to enable link delete.
ppp bap link types
Use the Command to define the link type of multilink bundle.
To define the link type contained in specified multilink bundle, use the interface configuration command ppp bap link
types. To delete an interfac type that is permitted to be added previously, use the negation of the command to disable it.
ppp bap link types [ isdn ] [ analog ]
no ppp bap link types [ isdn ] [ analog ]
Syntax Description
Isdn ISDN interface
ISDN link can be added into a multilink bundle.
Analog Synchronous or asynchronous interfaces.
An asynchronous serial link can be added into the multilink bundle.
ÏBy defaultÐdisabled
ppp bap max

Use the Command to define the parameter of BAP rety.
To set the larger PPP BACP retry-times, use the interface configuration command ppp bap max. To delete any retry-
times, use the negation of the command to disable it.
ppp bap max { dial-attempts number | ind-retries number | req-retries number | dialers number }
no ppp bap max { dial-attempts | ind-retries | req-retries | dialers }
Syntax Description
dial-attempts number Maximum number of dial attempts for a phone number to any destination.
Its value range is from 1 to 3, and the default value is 1.
ind-retries number Maximum number of retries of a call status indication (3 default). Its value
range is from 1 to 10, and the default value is 3.
req-retries number Maximum number of retries for a particular request . Its value range is from
1 to 5, and the default value is 3.
dialers number Maximum number of idle dialers permitted to log in. Its value range is from
1 to 10.
ÏBy defaultÐ
dial-attempts number =1 one time of dial-attempt
ind-retries number =5 5 times of dial-attemptss
req-retries number =3 3 times of dial-attempts
ppp bap number

Use the Command to define the number for peer’s Call.
To specify a local phone number so that the opposite end can establish a multilink bundle by means of the dialup mode,
use the interface configuration command ppp bap number. To delete a configured number , use the negation of the
commaand to disable it.
ppp bap number { default phone-number | secondary phone-number }
no ppp bap number { default | secondary }
Syntax Description
default phone-number A base phone number which can be used to dial in.
Secondary phone-number A secondary phone number which can be applied to the BRI interface.
ÏBy defaultÐNo phone number is provided.
ppp bap monitor load

Use the Command to monitor the payload of multilink bundle.
To acknowledge the link delete/add request of the opposite end for the threshold value of the current multilink load and
the defined dialer load, use the interface configuration command ppp bap monitor load. To make the ingress link add
request have no relation with the threshold of the multilink load, use the negation of the commaand to disable it.
ppp bap monitor load
no ppp bap monitor load
ÏBy defaultÐeabled
ÏCommand modeÐinterface configuration mode.
ppp bap timeout
To set the non-default timeout of PPP BACP suspension and response, use the interface configuration command ppp
bap timeoutÄTo restore the default timeout of the response or delete a suspension timeout completely, use the negation of
the commaand to disable it.
ppp bap timeout { pending seconds | response seconds }
no ppp bap timeout { pending | response }
Syntax Description
Pending seconds Pending action timeout in seconds. Its value range is from 2s to 180s, and
the default is 20.
Response seconds Response timeout in seconds Its value range is from 2s to 120s, and the
default is 3.
ÏBy defaultÐaccept ---------The oppositing end can enable the link addition.
ppp multilink
To enable the multilink PPP on an interface and dynamic bandwidth allocation, use the interface configuration
command ppp multilink. To disable the multilink PPP or dynamic bandwidth allocation, use the negation of the commaand
to disable it.
ppp multilink [ bap ]
no ppp multilink [ bap ]
Syntax Description
Bap Enable BACP/BAP bandwidth allocation negotiation(optional).
ÏBy defaultÐdisabled.
5.1.11 A PPP BACP Configuration Example
Figure 4-7 an example of PPP BACP configuration

IllustrationÖ
1) Router1 and router2 are connected together through two PSTN lines, and DDR dialup is configured for them. There
are two phone numbers 602 and 603 on the side of router1, and there are two phone numbers 605 and 606 on the side of
router2.
2) The aim of the example is that the second dialup line will be activated when the traffic of the first dialup line arrives
at some specified value.
BAP is configured on the BRI interface:

A) Router1 is configured as follows:
Command Task
router1# configure terminal
router1(config)# user router2 password 0 maipu
router1(config)# dialer-list 1 protocol ip permit
router1(config)# interface bri0/0
router1(config-if-bri0/0)#ip address 12.1.1.2
255.0.0.0
router1(config-if-bri0/0)# dialer in-band Activate the DDR dialup Kü DDR.
router1(config-if-bri0/0)# dialer idle-timeout 20
router1(config-if-bri0/0)# dialer fast-idle 2000
router1(config-if-bri0/0)# dialer enable-timeout
20
router1(config-if-bri0/0)# dialer map ip 12.1.1.1
name router2 broadcast 605
router1(config-if-bri0/0)# dialer load-threshold
14 outbound Set the link load threshold as 14/255 so that the
second link will be activated when the link load
exceeds the threshold.
router1(config-if-bri0/0)# dialer-group 1
router1(config-if-bri0/0)# encapsulation ppp
router1(config-if-bri0/0)# ppp multilink bap Negotiate BACP and BAP on the multilink.
router1(config-if-bri0/0)# ppp authentication
chap
router1(config-if-bri0/0)# ppp chap hostname
router1
router1(config-if-bri0/0)# ppp bap call request Sent the BAP call request when some links need be
added.
router1(config-if-bri0/0)# ppp bap link types Set the type of the current multilink as ISDN.
isdn
router1(config-if-bri0/0)# ppp bap number Set the default dialup string (the local number, used
default 602 for the dialup of the opposite end)
router1(config-if-bri0/0)# ppp bap number Set the secondary dialup string ( configured only on
secondary 603 the BRI interface and applied to the opposite end )
router1(config-if-bri0/0)# ppp bap drop after- Directly delete the link instead of sending BAP
retries distconnection request. (directly send LCP
interrupt request)
B) Router1 2s configured as follows:

Command Task
router2(config)# interface bri0/0
router2(config-if-bri0/0)#ip address 12.1.1.1
255.0.0.0
router2(config-if-bri0/0)# dialer in-band Active the DDR dialup.
router2(config-if-bri0/0)# dialer idle-timeout 20
router2(config-if-bri0/0)# dialer fast-idle 2000
router2(config-if-bri0/0)# dialer enable-timeout
20
router2(config-if-bri0/0)# dialer map ip 12.1.1.2
name router1 broadcast 602
router2(config-if-bri0/0)# dialer load-threshold 14 Configure the link load.
outbound
router2(config-if-bri0/0)# dialer-group 1
router2(config-if-bri0/0)# encapsulation ppp
router2(config-if-bri0/0)# ppp multilink bap Negotiate BACP and BAP on the multilink.
router2(config-if-bri0/0)# ppp authentication chap
router2(config-if-bri0/0)# ppp chap hostname
router2
router2(config-if-bri0/0)# ppp bap call accept Receive the BAP call of the opposite end.
(it is the default configuration and can be omitted.)
router2(config-if-bri0/0)# ppp bap link types isdn
router2(config-if-bri0/0)# ppp bap number default
605
router2(config-if-bri0/0)# ppp bap number
secondary 606
router2(config-if-bri0/0)# ppp bap drop after-
retries
BAP is configured on the serial interface:

Command Task
router1(config)# interface dialer0 Create a logical dialer interface.
router1(config-if-dialer0)# ip address 12.1.1.2
255.0.0.0
router1(config-if-dialer0)# dialer idle-timeout 20
router1(config-if-dialer0)# dialer fast-idle 2000
router1(config-if-dialer0)# dialer enable-timeout 20
router1(config-if-dialer0)# dialer in-band
router1(config-if-dialer0)# Dialer string 605 The opposite-end number used to activate
the first link.
router1(config-if-dialer0)# dialer load-threshold 14 Configure the link load.
outbound
router1(config-if-dialer0)# dialer-group 1
router1(config-if-dialer0)# encapsulation ppp
router1(config-if-dialer0)# ppp multilink bap Negotiate BACP and BAP on the multilink.
router1(config-if-dialer0)# ppp authentication chap
router1(config-if-dialer0)# ppp chap hostname router1
router1(config-if-dialer0)# ppp bap callback request Sent the BAP callback request when a link
need be added.
router1(config-if-dialer0)# ppp bap link types analog Set the type of the current multilink as
analog.
router1(config-if-dialer0)# ppp bap drop after-retries Directly delete the link instead of sending
BAP distconnection request. (directly send
LCP interrupt request)
router1(config-if-dialer0)# interface s1/0 Enterht the configuration mode of the
physical interface.
router1(config-if-Serial1/0)# physical-layer async
router1(config-if-Serial1/0)# encapsulation ppp
router1(config-if-Serial1/0)# dialer rotary-group 0 Subject to the logical interface dialer0.
router1(config-if-Serial1/0)# ppp bap number default The dialup string provided for the opposite
602 end.
router1(config-if-Serial1/0)# interface s2/0
router1(config-if-Serial2/0)# dialer-rotary-group 0 Subject to the logical interface dialer0.
router1(config-if-Serial2/0)# ppp bap number default The dialup string provided for the opposite
603 end.
B) Router 2 is configured as follows:

Command Task
router2(config)# interface dialer0
router2(config-if- dialer0)# ip address 12.1.1.2 255.0.0.0
router2(config-if-dialer0)# dialer idle-timeout 20
router2(config-if-dialer0)# dialer fast-idle 2000
router2(config-if-dialer0)# dialer enable-timeout 20
router2(config-if-dialer0)# dialer in-band
router2(config-if-dialer0)# Dialer string 602 The opposite-end number used to
activate the first link.
router2(config-if-dialer0)# dialer load-threshold 14 Configure the link load.
outbound
router2(config-if-dialer0)# dialer-group 1
router2(config-if-dialer0)# encapsulation ppp
router2(config-if-dialer0)# ppp multilink bap Negotiate BACP and BAP on the
multilink.
router2(config-if-dialer0)# ppp authentication chap
router2(config-if-dialer0)# ppp chap hostname router2
router2(config-if-dialer0)# ppp bap callback accept Receive the BAP callback request. (By
default)
router2(config-if-dialer0)# ppp bap link types analog Set the type of the current multilink as
analog.
router2(config-if-dialer0)# ppp bap drop after-retries
router2(config-if-dialer0)# interface s1/0
router2(config-if-Serial1/0)# dialer rotary-group 0 Subject to the logical interface dialer0.
router2(config-if-Serial1/0)# ppp bap number default 605 The dialup string provided for the
opposite end.
router2(config-if-Serial1/0)# interface s2/0
router2(config-if-Serial2/0)# dialer-rotary-group 0 Subject to the logical interface dialer0.
router2(config-if-Serial2/0)#ppp bap number default 606
5.1.12 Monitoring PPP BACP

show ppp bap group
To display the configuration and operation status of a multilink bundle, use the command show ppp bap group.
show ppp bap group
Syntax Description
Group Display BAP group information.
ÏCommand modeÐthe privileged configuration mode
show ppp multilink

To display the information about multilink PPP bundle, use the command show ppp multilink.
ÏCommand modeÐthe privileged configuration mode
5.1.13 MPLS Over PPP

ppp mpls
To transport MPLS packets over PPP, use the command ppp mpls, or else, use the negation of the command to disable
it.
ÏCommand modeÐthe interface configuration mode
£Configuration Example¤æ
Illustration:
Router1 and router2 are connected directly in the MPLS core network.
Syntax Descriptions
synchronous mode.
PPP.
router1(config-if-serial1/0)#ppp mpls Configure PPP to support MPLS.
router1(config-if-serial1/0)#mpls ip Configure an interface to support
MPLS.
router1(config-if-serial1/0)#clock rate 128000 Provide clock rate.
Syntax Descriptions
router1(config-if-serial1/0)#ppp mpls Configure PPP to support MPLS.
router1(config-if-serial1/0)#mpls ip Configure an interface to support
MPLS.
5.1.14 AAA authorization Over PPP

ppp authorization string
In order to use AAA authorization on PPP link, configure the command PPP authorization, or else, use the negation of
the command to disable it.
Ïconfiguration exampleÐplease refer to AAA configuration
5.1.15 PPP encryption

ppp encrypt des encrypt-key
In order to use encryption on PPP link, configure DES encryption, or else, use the negation of the command to disable
it.
£Configuration Example¤
Illustration:
The DES encryption is adopted for the connection of the port S1/0(3.3.3.1) of the local router router1 and the port
S1/0 (3.3.3.2) of the opposite router router2. Ä
Syntax Descriptions
synchronous mode.
PPP.
router1(config-if-serial1/0)#ppp encrypt des 123 Configure the DES encryption key
(must be consistent with that of the
opposite end)
router1(config-if-serial1/0)#clock rate 128000 Provide the clock rate.
Syntax Descriptions
router1(config-if-serial1/0)#ppp encrypt des 123 Configure the DES encryption key
(must be consistent with that of the
opposite end)
5.1.16 PPP CALLBACK

ppp callback accept | initiate | request
In order to use CallBack function on PPP link, confige PPP Callback command, or else, use the negation of the
command to disable it.
ÏCommand modeÐthe interface configuration mode.
NoticeÖ
When the option of Callback is not configured, use PPP Callback Initiate to callback.(eg: the callback negotiation
between the router and Linux OS). When a callback is performed between the router and Windows OS serving as the dialup
server, it is recommended that the command ppp callback accept is configured on the router.
5.1.17 negotiate DNS and WINS over PPP

ppp ipcp dns ip-address1 [ip-address2]
ppp ipcp wins ip-address1 [ip-address2]
In order to negotiate DNS and WINS ip address, use PPP ipcp dns Command, or else use the negation of the command
to disable it.
Syntax Description
Dns Specify DNS negotiation options
Wins Specify WINS negotiation options
ip-address1 Primary DNS/WINS IP address
ip-address2 Secondary DNS/WINS IP address
ÏCommand modeÐinterface configuration mode.
NoticeÖ
The Command uses to dial for Windows.
ÏConfiguration ExampleÐthe interface configuration mode.
3& U RXW HU
6

03 03

3671
Illustration:
PC connects to the router through the PSTN dialer, and the router allocates DNS, WINS address and an IP address
to PC.
The router is configured as follows.
Syntax Descriptions
router1(config-if-serial1/0)#physical-layer async The physical layer operates in the
asynchronous mode.
PPP.
router1(config-if-serial1/0)#modem out Set the external MODEM mode.
router1(config-if-serial1/0)# peer default ip address 3.3.3.2 Allocate an IP address to PC.
router1(config-if-serial1/0)#ppp ipcp dns 1.1.1.1 1.1.1.2 Allocate DNS address to PC.
router1(config-if-serial1/0)#ppp ipcp wins 2.1.1.1 2.1.1.2 Allocate WINS address to PC.
5.1.18 Negotiate IP Address over PPP from dialer-map

ppp ignore-map
In order to negotiate IP address from dialer-map of peer, use ppp ignore-map Command, or else, use the negation of the
ÏBy defaultÐenabled
Notice:
The command no ppp ignore-map and dialer map used together. no ppp ignore-map and the command dialer map
are used together.
ÏConfiguration exampleÐplease refer to chapter 6
5.1.19 PPP Bridge
ppp bridge ip
Use PPP Bridge IP Command to enable Bridge datas over PPP link, or else use the negation of the command to disable
it.
ÏCommand modeÐthe interface configure mode
NoticeÖ
The command ppp bridge ip and bridge-group used together. ppp bridge ip and the command bridge-group are
used together.
5.1.20 Null username CHAP authentication Over PPP

ppp chap password [string]
Use the command ppp chap password [string] to set the password for null username authentication; otherwise, use the
negation of the command to cancel the existing configuration.
The parameter string is the password whose length can not be more than 80 (characters) and there exists no default value
of the password.
ÏBy defaultÐNothing is defined.
ppp chap hostname [string]
Use the command ppp chap hostname [string] to set the chap authentication username; otherwise, use the negation of
the command to cancel the existing configuration and use the hostname.
The parameter string is the username whose length can not be more than 80 (characters). By default, the router
hostname is adopted.
ÏBy defaultÐThe router hostname is adopted.
ppp chap send-hostname
Use the command ppp chap send-hostname to enable the switch of sending the concrete username for chap
authentication; otherwise, use the negation of the command to disable the switch and send null username.
ÏBy defaultÐNothing is defined.
NoticeÖ
By default, PPP protocol can be used to deal with the authentication information of null name sent by the
opposite end. The null name of ms-chap authentication is also supported, and the configuration is the same.
ÏConfiguration ExampleÐ
ro u ter
D ia lu p a c c e s s s y s t e m
S 1 /0
163
M P336
605
PSTN
Illustration:
When a dialup access system (or PPPOE access system) is performing the chap authentication, the null name is
sent to the lower-end equipment. Thereby, the downlink equipments can not search the related password from the user
base according to the username of the upper-end equipment. Hare, it is necessary to configure the chap authentication
of null username for MP router.
The router is configured as follows.
Syntax Descriptions
router1(config-if-serial1/0)#physical-layer async The physical layer operates in the
asynchronous mode.
PPP.
router1(config-if-serial1/0)#modem out Configure the external MODEM
mode.
router1(config-if-serial1/0)#ppp chap hostname abc Configure the username allocated by
the access system.
router1(config-if-serial1/0)#ppp chap password 123 Configure the password allocated by
the access system.
router1(config-if-serial1/0)#dialer string 163 Set the called number 163 of the
access system.
router1(config-if-serial1/0)# modem party originate Set MODEM as the call origination.
router1(config-if-serial1/0)# modem enable Enable the modem.
5.2 HDLC protocol
5.2.1 Brief Introduction of Protocol

HDLC is a bit-oriented synchronous communication procedure developed by the International Standards Organization
(ISO)(bit-oriented means that any combination of bits can be transmitted). From the point of link access, HDLC has several
main subsets, such as LAP (Link Access Protocol), LAPB(Link Access Procedure Balanced)and LAPD(Link Access
Procedure for D channel).
5.2.2 The relevant commands of HDLC:
router(config-if- XXX)#
Command Description
encapsulation hdlc Link layer protocol encapsulates HDLC.

keeplive period Sends the period of the keeplive frame [0-
32767].
An Example of HDLC Configuration
V
U RXW HU
''1 V

U RXW HU
Illustration:
1. As shown in the figure above, router1 and router2 connects to each other through serial port s0 and use HDLC
protocol.
2. The port S0 (3.3.3.1) of local router router1 connects to the port S0 (3.3.3.2) of the opposite router router2.
1. The configuration of router1:

Command Task
router1(config)#int s1 Enters the interface configuration mode.
router1(config-if-serial1)#ip add 1.0.0.1 255.0.0.0 Configures IP address.
router1(config-if-serial1)#phy sync Configures it as the synchronization mode.
router1(config-if-serial1)#clock rate 128000 Configures clock.
router1(config-if-serial1)#encapsulation hdlc Configures the HDLC protocol.

Command Task
Router2(config)#int s1 Enters the interface configuration mode.
router2(config-if-serial1)#encapsulation hdlc Encapsulates the HDLC protocol.
Router2(config-if-serial1)#phy sync Configures it as the synchronization mode.
Router2(config-if-serial1)#ip add 1.0.0.2 255.0.0.0 Configures the IP address.
5.2.3 HDLC Debug Information

There are two main debug switches for HDLC, which can analyze the working situation of HDLC by comparing the relevant
information in DEBUG with the frame format of HDLC.
Turn on the debugging switch of the interface that encapsulates HDLC:

Router#
Command Description
debug hdlc serial-number all Display all the received/sending frames and the
contents of a whole frame on the interface that
encapsulates HDLC.
debug hdlc serial-number head Display all the received/sending frames and the
contents of the frame headers on the interface that
encapsulates HDLC.
5.2.4 Configuring HDLC Bridge-connection Mode
Maipu routers can be configured to work in HDLC bridge mode. In this mode the equipment connected together at the two
ends of the bridge can transmit data transparently through the TCP/IP network. From the viewpoint of users, the equipment at
two ends of bridge was connected to each other through a pair of MODEMs would be connected to each otherØwhile the
intermediate TCP/IP network looks like a direct-cable.
1) Configuring instructions
router(config-if-XXX)#
Command Description
encapsulation hdlc
bridge ip <A.B.C.D> <bridge prot number> Configures the local IP address (equipment as
<client / server> server)/peer IP address(equipment as client) and the
bridge-connection port.
2) A sample configuration
(TXL SPHQW $ (TXL SPHQW %

,3
1HW ZRU N
5RXW HU $ 5RXW HU %
Illustration:
Through the configuration showed in the above figure, the user PCs Equipment A and B connect on the both sides of the
bridges to routerA and routerB which can transmit data transparently across the TCP/IP network
The relevant configurations are as follows:
1. The configuration of routerA:

Command Task
routerA(config)#interface serial2 Enters the interface s2.
routerA(config-if-serial2)#physical-layer sync Configures it as synchronization mode
routerA(config-if-serial2)#encapsulation ppp Encapsulates the PPP protocol.
routerA(config-if-serial2)#ip address 6.1.1.2 255.255.255.252 Configures the IP address.
routerA(config-if-serial2)#exit Returns to the global configuration mode.
routerA(config)#interface serial3 Enters the interface s3.
routerA(config-if-serial3)#physical-layer sync Encapsulates the synchronization mode.
routerA(config-if-serial3)#clock rate 128000 Configures the clock as 128K.
routerA(config-if-serial3)#encapsulation hdlc Encapsulates HDLC protocol.
routerA(config-if-serial3)#bridge ip 6.1.1.1 5000 client The IP of the bridge-connection server, the
port number 5000, the client end
routerA(config-if-serial3)#exit Finishes the configuration.
2. The configuration of routerB

Command Task
routerB(config)#interface serial2
routerB(config-if-serial2)# physical-layer sync Configures it as the synchronization mode.
routerB(config-if-serial2)#clock rate 128000 Configures the clock as 128K.
routerB(config-if-serial2)#encapsulation ppp Encapsulates the PPP protocol.
routerB(config-if-serial2)#ip address 6.1.1.1 255.255.255.252 Configures the IP address.
routerB(config-if-serial2)#exit Exits from interface mode.
routerB(config)#interface serial0 Enters the port s0 mode.
routerB(config-if-serial0)#physical-layer sync Configures it as synchronization mode.
routerB(config-if-serial0)#encapsulation hdlc Configures HDLC encapsulation.
routerB(config-if-serial0)#bridge ip 6.1.1.1 5000 server Configures the server with a port 5000.
routerB(config-if-serial0)#exit Finishes the configuration.
Note:
In the above configuration, the routerA is used as the client end while the routerB is used as the server end; both of the bridge
port numbers are set as 5000. The s2 port of MprouterA and the s2 port of MprouterB connect to the TCP/IP network
respectively. The port s3 and port s0 are used as the interface of the bridge-connection to connect user equipment, and then
they enable the user equipment to transmit data transparently through the TCP/IP network.
3) Displaying Information
The command “show interface” allows users to examine the current connection status of the bridge.
For example:
routerA#show interface serial3
Flags: (0x80f0) DOWN POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Metric is 0
Maximum Transfer Unit size is 1500
hdlc version: v1.27
hdlc bridge client: 6.1.1.1,5000, connect The bridge is at the status of connected.
rxFrames 1744, rxChars 74436
txFrames 1738, txChars 74410
DCD=up DSR=up DTR=up RTS=up CTS=up TxC=up
rate=128000 bps
5.2.5 HDLC Compression and debugging

compress stac
To enable STAC compression over the HDLC link protocol, use the command Compress Stac, or else, use the negation
of the command to disable it.
NoticeÖ
HDLC STAC uses LZS algorithm to compress the network-layer data. About the related information, refer to the
instruction to PPP data compression.
Debug interface number

ÏCommand modeÐthe privilege configuration mode
5.3 SLIP protocol

5.3.1 Brief Introduction
SLIP is a kind of protocol widely used at present to transmit IP datagrams on a serial line. While it is a very p ractical
standard while not an Internet standard. It is only a protocol used to encapsulate IP datagrams, and only defines the sequence
of the characters in the IP datagram that is encapsulated in the link layer frame format and is sent over a serial line, without
providing the functions such as dynamical IP address distribution, datagram type identity, error checking/correction and data
compression etc.
5.3.2 An example of configuration
SLIP configuration is simple, which generally includes about several procedures: configuring the physical layer as
asynchronous, the link layer encapsulating SLIP and peer IP address. In addition, properly asynchronous configuration is
must.
V
U RXW HU
''1 V

U RXW HU
Illustration:
1. As shown in the above figure, router1 and router2 connect to each other through serial port s0 and both run the
SLIP protocol.
The configuration is as follows:

Command Task
router1(config)#int s0 Enters the interface configuration mode.
router1(config-if-serial0)#phy async The physical layer works in the
asynchronous mode.
router1(config-if-serial0)#enc slip Encapsulates SLIP.
router1(config-if-serial0)#ip address 3.3.3.1 255.255.255.0 Local IP address
router1(config-if-serial0)#peer ip address 3.3.3.2 Designates the IP address of the opposite
terminal.
router1(config-if-serial0)#speed 9600 Speed is 9600.
router1(config-if-serial0)#databit 8 8 Data bits
router1(config-if-serial0)#stopbit 1 1 stop bit
router1(config-if-serial0)#parity none Parity none
router1(config-if-serial0)#flowctrl none Without flow control

Command Task
Router2(config)#int s0 Enters the interface mode.
Router2(config-if-serial0)#phy async Configures the working mode as
asynchronous.
Router2(config-if-serial0)#enc slip Encapsulates SLIP protocol.
Router2(config-if-serial0)#speed 9600 Speed is 9600.
Router2(config-if-serial0)#stopbit 1 1 stop bit
Router2(config-if-serial0)#databit 8 8 data bits
Router2(config-if-serial0)#ip address 3.3.3.2 255.255.255.0 Configures the IP address.
Router2(config-if-serial0)#peer ip address 3.3.3.1 Designates the IP address of the opposite
terminal.
Router2(config-if-serial0)#parity none Parity none
Router2(config-if-serial0)#flowctrl none Without flow control
Note:
1. Peer ip add A.B.C.D is used to designate the IP address of the opposite side.
5.4 TCP/IP Packet Header Compression

TCP packet header compression uses the van Jacobson algorithm, which is defined in the RFC 1144. It is suitable for the
TCP/IP data stream with small packets (for example, the telnet session packet). TCP/IP packet header compression reduces
additional costs because of transferring the big TCP/IP packet headers in WAN.
TCP/IP packet header compression is geared toward protocols and it only compresses TCP/IP packet headers. So the frame
header of the second layer will not be changed. The data frame whose TCP/IP packet header has been compressed will be
transmitted on the WAN link.
In other words, TCP/IP packet header compression is more useful with the minitype packets that only have several bytes
(such as a telnet packet). The packet header compression protocols supported by Maipu routers are: X25 protocol, Frame-
relay protocol, PPP protocol and HDLC protocol. This kind of packet can also be applied to the dial-up WAN link protocol.
Because data compression wll bring additional process, packet header compression is usually used on the low-speed link, for
example, the 64Kb/S link.
The configuration commands are as follows:

router (config-if-XXX)#Û
Command Description
enc ppp Encapsulate ppp. (ROUTER supports the TCP packet-header

compression of x25.frame-relay.hdlc.ppp)
ip tcp header-compression Encapsulates TCP packet header compressionÄ
Ip tcp header-compression passive The function of the keyword “passive” is that the TCP packets
will be compressed if received packets of the interface are
compressed. If the parameter “passive” is not designated, the
router will compress all the data streams.
5.5 X.25 Protocol

This section introduces how to configure X.25 protocol on a Maipu router and how to run various X.25 parameters so as to
achieve the seamless intgegration of a Maipu router in a X.25 network.
The main topics discussed in this section are:
Brief introduction of X.25

Description of basic X.25 configuration
The typical examples of X.25 configurations
Debugging/monitoring X.25
The X.25 sub-interface
Examples of X.25 sub-interface configurations
5.5.1 Brief Introduction of X.25
When the MP2600 router is used to connect with X.25 network or another router encapsulating X.25 through a leased line,
the X.25 protocol and LAPB protocol need to be configured on the WAN port of the router.
5.5.2 Description of basic X.25 configuration
A. The configuring commands of X.25

router(config-if-XXX)#x25 ?
Command Description
Address <X.121 address> Configure the X.121 address of the interface.

Dce Work in X.25 DCE mode
Dte Work in X.25 DTE mode
Configures the hold-queue length of virtual circuit
hold-queue <number>
group.
htc <Virtual Circuit number> Configures the highest bidirectional virtual circuit.
Configures the idle time of encapsulated virtual
idle <Minutes>
circuit.
ips < bytes (power of 2)> Configures the size of the maximum input group.
ltc <virtual circuit number> Configures the lowest-bidirectional virtual circuit.
map ip/ compressedtcp <A.B.C.D> <X.121 Addr>< Establishes the mapping from IP address to X.121
broadcast/ negotiate-disable/ <CR> > address.
modulo <128/8> Configures modulo value (numbering mode).
Configures the permitted number of virtual
nvc < SVCs>
circuits. The maximum of the number is 8.
ops <bytes (power of 2)> Configures the size of the maximum output group.
pvc <circuit number> ip/compressedtcp
Creates a permanent virtual circuit.
<A.B.C.D><X.121 address><broadcast/ <CR> >
Configures the delay value of the DTE/DCE-
t20 <seconds>
restart timer.
Configures the delay value of DTE/DCE call
t21 <seconds>
regulation timer.
Configures the delay value of DTE/DCE recover
t22 <seconds>
regulation timer.
Configures the delay value of DTE/DCE clear
t23 <seconds>
regulation timer.
win <packets> Configures the size of input window.
wout <packets> Configures the size of output window.
B. The configuration command of LAPB
The second layer of X.25 or namely LAPB corresponds with the data link layer of the OSI reference mode. LAPB prescribes
the format (called frame) to exchange data on the physical link, to check losing sequence and losing frame, to perform frame
retransmission and frame acknowledge
router(config-if-XXX)#lapb ?
Command Description
dce The lapb dce working mode

dte The lapb dte working mode
K <LAPB k parameter (frames)> Configures the LAPB window parameter K.
modulo <128/8> Configures the numbering mode (also called
moulus) of LAPB frame.
N1 <LAPB N1 parameter (bytes)> The maximum byte number of the frame expected
to be received.
N2 <LAPB N2 parameter (transmit count)> The maximum try times to send a frame.
T1 <LAPB T1 parameter (seconds)> Resend timer
T2 <LAPB T2 parameter (seconds)> Receiving timer
T4 <LAPB T4 parameter (seconds)> Configure the LAPB system timers T1, T2, T4.
5.5.3 An example of a typical X.25 configuration
V V
;
URXWHU URXWHU

Command Task
Router1(config)#interface s0 Enters port S0.
Router1(config-if-serial0)#physical-layer sync The physical layer works in the synchronous
mode.
Router1(config-if-serial0)#encapsulation x25 Encapsulates the data link layer protocol
X.25.
Router1(config-if-serial0) x25 dte Configures X.25 as DTE mode.
Router1(config-if-serial0)x25 address 200 The X.121 address is 200
Router1(config-if-serial0)x25 map ip 3.3.3.2 100 Establishes the map between the IP address
of the opposite terminal and the X.121
address.
Router1(config-if-serial0)#ip address 3.3.3.1 255.255.255. Configures the IP address of port S0.
Ü
Router1(config-if-serial0)#end

Command Task
Router2(config)#interface s0
Router2(config-if-serial0)#encapsulation x25
Router2(config-if-serial0) x25 dce Configures X.25 as DCE mode.
Router2(config-if-serial0)x25 address 100 The X.121 address is 100.
Router2(config-if-serial0)x25 map ip 3.3.3.1 200 Establishes the map between the IP address
of the opposite terminal and the X.121
address.
Router2(config-if-serial0)#ip address 3.3.3.2 255.255.255. Configures the IP address of the port S0.
Ü
Router2(config-if-serial0)#end
5.5.4 Debugging/Monitoring X.25
Displays the status information of an interface of local router:
show interface serial <serial-number>

Flags: (0x80e1) UP MULTICAST RUNNING
Type: RFC877_X25
Netmask 0xff000000 Subnetmask 0xffffff00
Metric is 0
X.25 DTE,address 100, state R1, modulo 8, timer 0
Defaults: idle VC timeout 1 Minutes
ietf encapsulation
input/output window sizes 2/2, packet sizes 128/128
Timers: T20 10, T21 10, T22 10, T23 10
Channels: PVC none, SVC 1-1024
RESTARTs 0/1 CALLs 1+0/0+1 DIAGs 0/0
LAPB DTE, state CONNECT modulo 8, k 7, N1 1550, N2 10
T1 3s, T2 1s, interfaceoutage (partial T3) 9s, T4 15s
vs:5, vr:4, txNr:4, rxNr:5, retxCnt:0, retxqIn:5, retxqOut:5
IFRAMEs 13/12 RNRs 0/0 REJs 0/0 SABM/Es 36/1 FRMRs 0/0 DISCs 0/0
txQueue: priority 0: cnt=0 max=20 sMax=1
rxFrames 995, rxChars 12377
txFrames 748, txChars 11693
B. Displays the virtual circuit status information of an interface of local router

show x25 vc
serial3:
vc No.1024: R1-P4-D1 SVC calling FRI FEB 20 20:25:37 1970
local X.121 address: 1124
remote X.121 address: 1125 (112.255.4.5)
flow-state: ready (D1), sWin:2, rWin:2
sMaxPktSize:128, rMaxPktSize:128
vr:4, vs:0, nr:3, ns:0, lastNr:0, noRspDataCnt:0
stxQueue: priority 0: cnt=0 max=32 sMax=2 qw=3 qwMax=10
txQueue: priority 0: cnt=0 max=300 sMax=8 qw=4 qwMax=10
C. Other debugging/monitoring commands
Command Description
Displays the address mapping table from protocol

show x25 map
address to X.121 address.
Displays the detail of the appointed virtual circuit that
show x25 vc
has been established.
Displays all the received/sent packets and the contents
debug x25 serial-number all
of whole packet on the interface.
Displays the received/sent all groups and the contents
debug x25 serial-number head
of the group header.
Displays the received/sent groups and the contents of
debug x25 serial-number vc
the group header on the interface with the VC number
Displays all the received/sent frames and the contents
debug lapb serial-number all
of hole frame on the interface.
Displays all the received/sent frames and the contents
debug lapb serial-number head
of the frame header on the interface
5.5.5 The X.25 subinterface
A subinterface is a virtual interface that is capable of connecting to some networks through a physical interface. For the
routing protocol using the split-horizon rule, subinterface is needed to decide which host needs routing updates. In a WAN
environment, if sub-interface (X.25) is used, other routers that are connected through the same physical interface may not
receive the route update information. Compared with the routers connected through the different physical interfaces, the
subinterface can be used and it can be regarded as a separate interface. Then the host can be connected to different
subinterfaces of the same physical interface. The route process regards each subinterface as an independent route update
source; so all the subinterfaces can be fit for receiving route update information.
A subinterface has two types: point to point and point to multipoint. The default is point to multipoint. At the current time,
X.25 of Maipu routers only support the point-to-multipoint subinterface.
Configuring a X.25 subinterface

Note:
1. When the subinterface is configured, X.25 must be configured on the master-interface. And the x25 address x121-
address also needs to be configured (if the subinterface uses the map mapping) or x25 ltc ltc-nunber is configured
(if the subinterface uses the pvc mapping), and the ip-address is configured on the master interface.
2. If a sub-interface wants to be up, the master-interface must be up first. If the master-interface is shutdown, it is
natural that the subinterface will be down.
5.5.6 An example of X.25 subinterface configuration
U RXW HU
V

V
;
V
U RXW HU

V
U RXW HU
Illustration:
The above figure represents how to configure a subinterface on router1 so as to connect the whole X.25 network. Router2
corresponds with the master interface of router1 while router3 corresponds with the subinterface of router1.

Command Task
Router1(config)#interface serial2 Enters the serial port 2
Router1(config-if-serial2)#physical-layer sync Physical layer synchronous
Router1(config-if-serial2)#clock rate 64000 Speed 64K
Router1(config-if-serial2)#encapsulation x25 Encapsulates the X.25 protocol on the
data link layer.
Router1(config-if-serial2)#x25 address 11625541 X121 address
Router1(config-if-serial2)#x25 map ip 116.255.4.2 11625542 The map of opposite IP address and
opposite X121 address
Router1(config-if-serial2)#ip address 116.255.4.1 255.255.255.0 The IP address of the local main
interface
Router1(config-if-serial2)#x25 dte The working mode of X.25 is DTE.
Router1(config)interface serial2.1 Enters the subinterface S2.1.
Router1(config-sub-if-serial2.1)#x25 map ip 117.255.4.2 11725542 The map of opposite IP address and
opposite X121 address
Router1(config-sub-if-serial2.1)#ip address 117.255.4.1 The IP address of the local
255.255.255.0 subinterface
Router1(config-sub-if-serial2.1)#exit
A. The configuration of router2 (router3)

Command Task
Router2(config)#interface serial2 The tasks are the same as the one of
router1.
Router2(config-if-serial2)#clock rate 64000
Router2(config-if-serial2)#encapsulation x25
Router2(config-if-serial2)#x25 dte
Router2(config-if-serial2)#x25 address 11625542
Router2(config-if-serial2)#x25 map ip 116.255.4.1 11625541
Router2(config-if-serial2)#ip address 116.255.4.2 255.255.255.0
5.5.7 The switching function of X.25

The switching function of X.25 much more perfects the functions of X.25. We can configure the router to be a Transmission
Control Protocol (TCP) connection to switching X.25 data streams. In many modes, main network is generally composed of
the routers that are used to switching IP datagram. But we can use several X.25 equipments to connect each other through the
routing type of IP main network. The switching of X.25 has two kinds: PVC and SVC.
Note:
1. The router can be used as a local or a remote switch, and it can switch X.25 data streams through TCP. Which is
called XOT (X.25 Over TCP) usually.
1. SVC switching
A. The configuring commands

In order to enable the switching function of X.25, we can input the command “X25 routring” in the global configuration
mode.
router(config)#
Command Task
router (config)#x25 routing Configures it as an X.25 switch.
X.25 data streams can be routed between local serial ports. In this situation, the static routing command is needed to map
X.121 address to the serial port. The router permits the X.25 interface connected to different ports to perform Switched
Virtual Circuit (SVC) connection, and this is called local X.25 connection.
Remote X.25 switching enables the X.25 interface connected with different routers to establish the switched virtual circuit
(SVC) and permanent virtual circuit (PVC). Remote X.25 switching is achieved through using tunnel technology for all X.25
calls and data streams between routers on the TCP connection. In order to enable remote switching, users can use the
command “X25 router”:
router (config)#x25 route X.121 address interface type number

Syntax Description
X.121 address X.121 address of the destination
Type number Type and number of the interface to the destination
B. An example of X.25 switching function
6 6
U RXW HU U RXW HU U RXW HU
[ [
Illustration:
As shown in the figure above, we premise that router3 is used as the X.25 switch, and that router2 and router4 perform
communication between them through the X.25 switching function of router3. The X.121 address of the serial-port s2 of
router2 is 200 while the X.121 address of the serial-port s3 of router4 is 100. We also need to configure the IP addresses of
router2 and router4 by manually.
The configuration of router2:

Command Task
router2(config)#int s2/0 Enters the interface mode.

router2(config-if-serial2/0)#physical-layer sync Encapsulates it as the synchronous mode.
router2(config-if-serial2/0)#encapsulation x25 Encapsulates the X.25 protocol.
router2(config-if-serial2/0)#x25 dte Configures the X.25 as DTE mode
(default).
router2(config-if-serial2/0)#x25 address 200 Configures X.121 address.
router2(config-if-serial2/0)#x25 map ip 10.0.0.2 100 Configures map mapping.
broadcast
router2(config-if-serial2/0)#ip address 10.0.0.1 255.0.0.0 Configures IP address.
Configuration has been finished.
Command Task
router3(config)#x25 routing Configures it as an X.25 switch.

router3(config)#x25 route 100 interface serial 3/0 Configures the corresponding X.121 address to
which data stream is transmitted and the
corresponding port.
router3(config)#x25 route 200 interface serial 2/0 Configures the corresponding X.121 address to
which data stream is transmitted and the
corresponding port.
router3(config)#int s2/0 Enters the interface s2 mode.
router3(config-if-serial2/0)#clock rate 128000 Configures the clock.
router3(config-if-serial2/0)#encapsulation x25 Encapsulates X.25 protocol.
router3(config-if-serial2/0)#x25 dce Configures X.25 as the DCE mode.
router3(config-if-serial2/0)#int s3/0 Enters the interface S3.
router3(config-if-serial3/0)#physical-layer sync Configures it as the synchronization mode
router3(config-if-serial3/0)#clock rate 128000 Configures the clock.
router3(config-if-serial3/0)#encapsulation x25 Configures X.25 protocol.
router3(config-if-serial3/0)#x25 dce Configures X.25 as the DCE mode.
Command Task
router2(config)#int s3/0 Enters the interface mode.

router2(config-if-serial3/0)#physical-layer sync Encapsulates it as the synchronization
mode.
router2(config-if-serial3/0)#encapsulation x25 Encapsulates X.25 protocol.
router2(config-if-serial3/0)#x25 dte Configures X.25 as DTE mode (default).
router2(config-if-serial3/0)#x25 address 100 Configures the X.121 address.
router2(config-if-serial3/0)#x25 map ip 10.0.0.1 200 Configures the map mapping.
broadcast
router2(config-if-serial3/0)#ip address 10.0.0.2 255.0.0.0 Configures the IP address.
router2(config-if-serial3/0)#exit Configuration hase been finished.
2. PVC switching function
A. The specification of configuration
There are two kinds of PVC switching functions: one is the local PVC switching and the other is the XOT switching that is
used to connect two lines of PVC through TCP/IP network.
The commands of X.25 PVC:
router (config-if-serial3)#x25 pvc Circuit number interface type number pvc number1
The configuring commands: (in interface configuration mode):
Command Description
Circuit number The PVC number that will be applied to the

local interface.
Interface Designates the keywords needed by an interface.
Type The type of the remote interface
Number The remote interface number
PVC The keywords needed to configure switching
PVC.
Number1 The PVC number that will be used for the
remote side
The configuring commands of XOT:

router (config-if-serial3)#x25 pvc Circuit number xot address interface type string pvc number
The configuring commands: (in the interface configuration mode):
Command Description
Circuit number The PVC number used to connect equipment

Xot Indicates that two PVCs will be connected
through a TCP/IP LAN that uses XOT.
Address The IP address of the connected equipment.
Interface serial Indicates that the interface is a serial port.
String The definition of serial interface, which can be a
number or a character string.
PVC Designates a line of PVC.
Number Designates the PVC number of the destination
address.
B.Example
V V
U RXW HU U RXW HU U RXW HU
[ [
Illustration:
As shown in the above figure, the PVC between router2 and router3 is 1, while the PVC between router4 and router3 is 2.
Router3 is used as a PVC X.25 switch. The usage of the interface can be seen from the above figure.
Relevant configuration:
Command Task
router2(config)#int s2 Enters the interfacemode.

router2(config-if-seral2)#physical-layer sync Configures it as the synchronization mode.
router2(config-if-serial2)#encapsulation x25 Encapsulates X.25 protocol.
router2(config-if-serial2)#x25 dte Configures it as X.25 DTE mode.
router2(config-if-serial2)#x25 ltc 16 Configures the parameter 1tc (Notice: PVC
number must be less than the value of 1tc.) and
make it to be the same as the value of the up-end
switch.
router2(config-if-serial2)#x25 pvc 1 ip 10.0.0.2 Map the local PVC number to the IP address of
opposite terminal.
router2(config-if-serial2)#ip address 10.0.0.1 255.0.0.0 Configures IP address.
Command Task
router3(config)#x25 routing
Configures it as X.25 switch.
router3(config)#int s2 Enters the interface s2 mode.
router3(config-if-serial2)#physical-layer sync Configure it as the synchronization mode.
router3(config-if-serial2)#clock rate 128000 Configures the clock.
router3(config-if-serial2)#x25 dce Encapsulates X.25 as DCE mode.
router3(config-if-serial2)#x25 ltc 16 Configures the value of 1tc.
router3(config-if-serial2)#x25 pvc 1 interface serial 3 pvc Configures the switching PVC.
2
router3(config-if-serial2)#lapb dce Encapsulates LAPB as DEC mode.
router3(config-if-serial2)#int s3 Enters the interface s3.
router3(config-if-serial3)#physical-layer sync Configures it as the synchronization mode.
router3(config-if-serial3)#x25 ltc 16 Configures the value of 1tc.
router3(config-if-serial3)#x25 dce Encapsulates X.25 as DCE mode.
router3(config-if-serial3)#lapb dce Encapsulates LAPB as the DEC mode.
router3(config-if-serial3)#x25 pvc 2 interface serial 2 pvc Configures switching PVC.
1
router3(config-if-serial3)#exit Configuration has been finished.
Command Task

Router4(config-if-serial3)#physical-layer sync Configures it as the synchronization mode.
Router4(config-if-serial3)#encapsulation x25 Encapsulates X.25 protocol.
Router4(config-if-serial3)#x25 dte Configures X.25 as DTE mode.
Router4(config-if-serial3)#x25 ltc 16 Configures the parameter 1tc (Notice PVC
number must be less than the value of 1tc) and
switch.
Router4(config-if-serial3)#x25 pvc 2 ip 10.0.0.1 Maps the local PVC number to the IP address of
opposite terminal.
Router4(config-if-serial3)#ip address 10.0.0.2 255.0.0.0 Configures the IP address.
An example of XOT mode:

U RXW HU U RXW HU
333 39&
6 V V
39& U RXW HU
6
U RXW HU
Illustration:
1. As shown in the above figure, X.25 protocol runs between router1 and router2, and it also runs between router3
and router4. However, the PPP protocol runs between router2 and router3. The PVC value and the situation of the
corresponding interface connection can be derived from the above figure.
Command Task

Router1(config-if-serial3)# physical-layer sync Configures it as the synchronization mode.
Router1(config-if-serial3)# encapsulation x25 Encapsulates X.25 protocol.
Router1(config-if-serial3)# x25 dte Configures X.25 as DTE mode.
Router1(config-if-serial3)# x25 ltc 16 Configures the parameter ltc (Notice: PVC
switch.
Router1(config-if-serial3)# x25 pvc 1 ip 1.0.0.21 Maps the local PVC number to the IP address of
opposite terminal.
Router1(config-if-serial3)# ip address 1.0.0.1 255.0.0.0 Configures the IP address.
Command Task
router2(config)#x25 routing Configures it as frame-relay switch.

router2(config)#int s2 Enters the interface s2 to configure TCP/IP
network interface.
router2(config-if-serial2)# physical-layer sync Configures it as the synchronization mode.
router2(config-if-serial2)# encapsulation ppp Encapsulates PPP protocol.
router2(config-if-serial2)# ip address 10.0.0.2 255.0.0.0 Configures the IP address.
router2(config-if-serial2)#int s3 Enters the interface s3.
router2(config-if-serial3)# physical-layer sync Configures it as the synchronization mode.
router2(config-if-serial3)# clock rate 128000 Configures the clock.
router2(config-if-serial3)# encapsulation x25 Encapsulates X.25 protocol.
router2(config-if-serial3)# x25 dce Configures X.25 as DCE mode.
router2(config-if-serial3)# x25 ltc 16 Configures the value of 1tc.
Router2(config-if-serial3)#25 pvc 1 xot 10.0.0.1 Configures the map of X.25 to TCP/IP.
interface serial 3 pvc2
route r2(config-if-serial3)# lapb dce Configures LAPB as DCE mode.
router2(config-if-serial3)#end Configuration has been finished.
Command Task
Router3(config)#x25 routing Configures it as a frame-relay switch.

Router3(config)#int s2 Enters the interface s2 to configure TCP/IP
network interface.
Router3(config-if-serial2)# encapsulation ppp Encapsulates PPP protocol.
Router3(config-if-serial2)# Clock rate 128000 Configures the clock.
Router3(config-if-serial2)# ip address 10.0.0.1 255.0.0.0 Configures the IP address.
Router3(config-if-serial2)#int s3 Enters the interface s3.
Router3(config-if-serial3)# clock rate 128000 Configures clock.
Router3(config-if-serial3)# x25 dce Configures X.25 as DCE mode.
Router3(config-if-serial3)# x25 ltc 16 Configures the value of 1tc.
Router3(config-if-serial3)#25 pvc 2 xot 10.0.0.2 interface Configures the mapping of X.25 and TCP/IP.
serial 3 pvc1
Router3(config-if-serial3)# lapb dce Configures LAPB as DCE mode.
Router3(config-if-serial3)#end Configuration has been finished.
Command Task

Router4(config-if-serial3)# x25 dte Configures X.25 as DTE mode.
Router4(config-if-serial3)# x25 ltc 16 Configures the parameter ltc (Notice: PVC
make it to be the same as the value of the switch.
Router4(config-if-serial3)# x25 pvc 2 ip 1.0.0.1 Maps the local PVC number to the IP address of
opposite terminal.
Router4(config-if-serial3)# ip address 1.0.0.2 255.0.0.0 Configures IP address.
5.5.8 The PAD function of X.25

The PAD is a telnet-like function, which is used to login a remote X.25 host. The destination address is a X.121 address
instead of IP address.
1. Configuring instructions
Command Task
Router# pad x.121 address Login a remote X.25 host
2. An example`
LegendÖ
Router1 and router2 is connected directly throuth X.25
A Configuration of router1
Command Task
Router1(config)#interface s1/0 Enters the interface mode
Router1(config-if-serial1/0)#encapsulation Encapsulates X.25 protocol.
x25
Router1(config-if-serial1/0) x25 dte Configures X.25 as DTE mode
Router1(config-if-serial1/0)x25 address 100 Configure X.121 address as 200
B Configureation of router2
Command Task
Router2(config)#interface s1/0
Router2(config-if-serial1/0)#clock rate 128000 Configure the clock rate
Router2(config-if-serial1/0)#encapsulation
x25
Router2(config-if-serial1/0)x25 dce
Router2(config-if-serial1/0)x25 address 200 Configure X.121 address to 200
Router2(config-if-serial1/0)#end Configuration has been finished.
Router2#pad 100 PAD to peer
Router1> Login
5.5.9 Annex G(X.25 over Frame-Relay)

Related Configuration Commands
1) x.25 profile
Use the command x.25 profile to create a X.25 Profile; otherwise, use the negation of the command to cancel the
corresponding X.25 Profile.
x25 profile name [ dte | dce ]
Syntax Descriptions
profile Specify the keyword of the x25 profile.
name The name of the x25 profile
dte (Optional)The x25 profile serves as
DTE.
dce (Optional)The x25 profile serves as
DCE.
£By default¤There exists no name, the x.25 profile serves as DTE.
£Command mode¤the global configuration mode.
2) Enter the X.25 configuration mode after creating the X.25 Profile. In the mode, use the following configuration
commands to configure X.25 parameters of the X.25profile. The usage and meaning of these configuration commands are the
same as that of those commands that are used to encapsulate X.25 interface and configure X.25 parameters.
Syntax Descriptions
x25 address Configure the X.121 address.
x25 modulo Configure the window mode.
x25 hic Configure the maximal one-way ingress virtual circuit
number.
x25 hoc Configure the maximal one-way egress virtual circuit
number.
x25 htc Configure the maximal two-way virtual circuit number.
x25 ltc Configure the minimal two-way virtual circuit number.
x25 t20 Configure the value of the retransmission timer that is
used to restart request packets.
x25 t21 Configure the value of the call request timer.
used to reset request packets.
used to clear request packets.
x25 hold-queue Configure the maximal number of packets a virtual
circuit can save before transmitting data.
x25 idle Configure the idle period of clearing a SVC.
x25 nvc Configure the maximal number of protocol virtual
circuits that along with the host are enabled
simultaneously.
x25 ips Configure the maximal length of an ingress packet.
x25 ops Configure the maximal length of an egress packet.
x25 win Configure the value of the in-window.
x25 wout Configure the value of the out-window.
3) Enter the X.25 configuration mode after creating the X.25 Profile. In the mode, use the following configuration
commands to configure LAPB parameters of the X.25profile. The usage and meaning of these configuration commands are
the same as that of those commands that are used to encapsulate X.25 interface and configure LAPB parameters.
Syntax Descriptions
lapb k Configure the maximal number of uncertained frames,
namely window size.
lapb modulo Configure LAPB basic (mode 8)/extended (mode16)
protocol mode.
lapb N1 Configure the maximal number of bits contained in a
frame.
lapb N2 Configure the maximal times of data packet
retransmission.
lapb T1 Configure the value of the retransmission timer.
lapb T2 Configure the value of the acknowledgement timer.
lapb T4 Configure the value of the idle timer.
4) x.25-profile
Use the command x.25-profile to relate a X.25 Profile with some frame-relay PVC on a frame-relay interface;
otherwise, use the negation of the command to cancel the relation.
frame-relay interface-dlci number
x25-profile name
no x25-profile name
Syntax Descriptions
Number The DLCI number of the frame-relay PVC related
with X.25 profile
Name The name of X.25 profile related with PVC
£By default¤There exists no relation.
£Command mode¤the frame-relay DLCI configuration mode.
5) Use the following command to send out a X.25 call through the frame-relay network:
x25 route address interface serial-interface dlci number
Syntax Descriptions
Address The X.121 destination address.
serial-interface Route the selected call to the specified frame-relay
serial interface.
Number The frame-relay DLCI number used to transmit the
call.
An Example of Configuring X.25 over Frame-relay Network
Frame relay
Figure 4-15 an example of configuring X.25 over the frame-relay network
Illustration:
As shown in figure above, a connection between RouterA and RouterB is established through a X.25 packet switching
network; the interconnection between RouterB and RouterC is realized through a frame-relay switching network; and the
connection between RouterC and RouterD is established through a X.25 packet switching network. By means of Annex.G,
X.25 packets between RouterA and RouterD are transmitting over the frame-relay network.
1) RouterA is configured as follows.

Syntax Descriptions
RouterA#configure terminal
RouterA(config)# interface serial1/0 Enter the interface S1/0configuration
mode.
RouterA(config-if-serial1/0)# physical-layer sync
RouterA(config-if-serial1/0)# clock rate 64000 Configure the clock rate.
RouterA(config-if-serial1/0)# encapsulation x25 Encapsulate X.25 on the interface.
RouterA(config-if-serial1/0)# x25 address 70 Configure the X.25 address.
RouterA(config-if-serial1/0)# x25 map ip 192.168.1.2 71 Configure the X.25 address map.
RouterA(config-if-serial1/0)# ip address 192.168.1.1 Configure the IP address.

255.255.255.0
RouterA(config-if-serial1/0)#exit
2) RouterB is configured as follows.
Syntax Descriptions
RouterB# configure terminal
RouterB(config)# x25 routing
RouterB(config)# x25 profile name1 dce Create a X.25 Profile and set it as DCE.
RouterB(config-x25)#exit
RouterB(config)# interface serial1/0 Enter the interface S1/0 configuration mode.
RouterB(config-if-serial1/0)# physical-layer sync
RouterB(config-if-serial1/0)# encapsulation x25 dce Encapsulate X.25 on the interface.
RouterB(config-if-serial1/0)# interface serial2/0 Enter the interface S2/0 configuration mode.

RouterB(config-if-serial2/0)# encapsulation frame-relay Encapsulate frame-relay on the interface.
RouterB(config-if-serial2/0)# frame-relay lmi-type ansi Configure frame-relay LMI type.
RouterB(config-if-serial2/0)# frame-relay interface-dlci Configure the DLCI number
100
RouterB(config-fr-dlci)# x25-profile name1 Relate X.25 Profile (name1) to the specified
PVC.
RouterB(config-fr-dlci)# exit Exit the DLCI configuration mode.
RouterB(config-if-serial2/0)#exit
RouterB(config)# x25 route 71 interface serial2/0 dlci Transmit a X.25 call over the specified
100 frame-relay PVC.
RouterB(config)# x25 route 70 interface serial1/0 Transmit a X.25 packet.
3) RouterC is configured as follows.
Syntax Descriptions
RouterC# configure terminal
RouterC(config)# x25 routing
RouterC(config)# x25 profile name2 dte Create a X.25 Profile and set it as DTE.
RouterC(config-x25)#exit
RouterC(config)# interface serial2/0 Enter the interface S2/0 configuration
mode.
RouterC(config-if-serial2/0)# physical-layer sync
RouterC(config-if-serial2/0)# encapsulation x25 dce Encapsulate X.25 on the interface.
RouterC(config-if-serial2/0)# interface serial1/0 Enter the interface S1/0 configuration

mode.
RouterC(config-if-serial1/0)# encapsulation frame-relay Encapsulate frame-relay on the interface.
RouterC(config-if-serial1/0)# frame-relay lmi-type ansi Configure frame-relay LMI type.
RouterC(config-if-serial1/0)# frame-relay interface-dlci 200 Configure the DLCI number
RouterB(config-fr-dlci)# x25-profile name2 Relate X.25 Profile (name1) to the

specified PVC.
RouterB(config-fr-dlci)# exit Exit the DLCI configuration mode.
RouterC(config-if-serial1/0)#exit
RouterC(config)# x25 route 70 interface serial1/0 dlci 200 Transmit a X.25 call over the specified
frame-relay PVC.
RouterC(config)# x25 route 71 interface serial2/0 Transmit a X.25 packet.
4) RouterD is configured as follows.

Syntax Descriptions
RouterD# configure terminal
RouterD(config)# interface serial2/0 Enter the interface S2/0
configuration mode.
RouterD(config-if-serial2/0)# physical-layer sync
RouterD(config-if-serial2/0)# clock rate 64000 Configure the clock rate.
RouterD(config-if-serial2/0)# encapsulation x25 Encapsulate X.25 on the interface.
RouterD(config-if-serial2/0)# x25 address 71 Configure the X25 address.
RouterD(config-if-serial2/0)# x25 map ip 192.168.1.1 70 Configure the X25 address map.
RouterD(config-if-serial2/0)# ip address 192.168.1.2 255.255.255.0 Configure the IP address.

RouterD(config-if-serial2/0)#exit
5.5.10 Wildcard Route

The wildcard route becomes effective when the command x25 route address is used to configure route. All calls whose
called addresses start with address are transmitted over the specified route interface.
For example:
x25 route 123 int s1/0
All calls whose called addresses start with 123 are transmitted over the interface s1/0.
5. 6 Frame Relay Protocol
Frame relay is a protocol standardized by ANSI and CCITT, and it can provide remarkable performance/price ratio to busting
out traffic (for example, LAN inter-connection and SNA). Frame relay is a kind of interface protocol between the Customer
Premise Equipment (CPE), such as a router or Front End Processor, and a WAN sending data to remote CPE.
The main topics addressed in this section are as follows:
o Description of the basic instructions necessary to configure frame relay

o A typical configuration example of frame relay
o Debugging/monitoring frame relay
o Reverse Address Resolution Protocol of frame relay
o Frame relay sub-interface
o Configuration examples of frame relay sub-interface
5.6.1 Description of basic instructions to configure frame relay

routerÄconfig-if-XXXÅ# frame-relay Û
Command Description
interface-dlci <NUMBER> The identity number of frame relay data link

Intf-type dce/dte/nni Configures the working mode of frame relay.
ip rtp header-compression The header compression of Realtime
Transmission Protocol
lmi-n391 dte <NUMBER> The default value of the counter to PVC request
status is 6, and its value range is from 1 to 255.
lmi-n392 dte <NUMBER> The default of error threshold is 3, and value
range is from 1 to 10.
lmi-n393 dte <NUMBER> Event counter.
The default value is 4, and value range is from 1
to 10.
lmi-type ansi/lmi/q9332a Configures the type of LMI protocol.
map ip A.B.C.D <NUMBER> broadcast/ Cisco/ itef Configures the map mapping (permit the frame
relay to be encapsulated with mutlticast/ cisco/
Internet Engineering Task Force (IETF))
format).
5.6.2 The typical configuration example of frame relay

The working flow of frame relay is shown as follows:
Encapsulating
frame relay Designating LMI Designating Establishing address
DLCI mapping
V V
)U DPH
U RXW HU U HO D\
U RXW HU
Illustration:
The S0 port (3.3.3.1) of local router router1 connects to the S0 port (3.3.3.2) of the opposite router router2.

Command Task
Router1(config)#interface s0 Enters the S0 port.
Router1(config-if-serial0)#physical-layer sync Configures the working mode of physical
layer as the synchronization mode.
Router1(config-if-serial0)#intf-type dte Works in frame relay DTE mode.
Router1(config-if-serial0)#encapsulation frame-relay Encapsulates frame relay of link layer
protocol.
Router1(config-if-serial0)#frame-relay lmi-type ansi Designates the frame relay type lmi: it
should be same with the switch in telcom.
Router1(config-if-serial0)#frame-relay interface-dlci 18 The local dlci number: it is provided by
telecommunication office.
Router1(config-if-serial0)#frame-relay map ip 3.3.3.2 18 Frame relay mapping, the opposite terminal
broadcast IP address and the local dlci number
Router1(config-if-serial0)#ip address 3.3.3.1 255.255.255. The IP address of the port S0
Ü

Command Task
Router2(config-if-serial0)#physical-layer sync Configures the working mode of physical
layer as the synchronization mode.
Router2(config-if-serial0)#encapsulation frame-relay Encapsulates frame relay of link layer
protocol.
Router2(config-if-serial0)#frame-relay lmi-type ansi Designates the frame relay type lmi: it
should be same with the switch in telecom.
Router2(config-if-serial0)#intf-type dte Work in the frame relay DTE mode.
Router2(config-if-serial0)#frame-relay interface-dlci 20 The local-end number dlci: it is provided by
telecommunication office.
Router2(config-if-serial0)#frame-relay map ip 3.3.3.1 20 Frame relay mapping, the opposite terminal
broadcast IP address, the dlci number of local end
Router2(config-if-serial0)#ip address 3.3.3.2 255.255.255.Ü The IP address of the S0 port
5.6.3 The debugging/monitoring of frame relay
Users can examine the PVC status of frame relay, and “ACTIVE” indicates that the PVC is in usable status. Users can also
examine all the frame relay interfaces or a given one to determine the given PVC status and the statistic number of
received/sent packets.
A. Displaying all status information of virtual link (of interface) on the local router
show frame-relay pvc [interface serial number]
PVC statistics for interface serial0 (Frame Relay DTE)
DLCI = 17, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = serial0
input pkts 10 output pkts 10 in bytes 1040
out bytes 1040 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
B. Displaying the information of frame relay mapping

show frame-relay map
Serial2(up):ip 10.1.2.66 dlci 65,static,broadcast,
IETF, status ACTIVE
B. Other debugging/monitoring commands
Command Description
show frame-relay lmi [interface serial number] Displays LMI statistic of frame relay.
show frame-relay inarp [interface serial number] Displays INARP information.
show frame-relay inarp ip rtp header-compression
debug frame-relay lmi [interface serial number] Displays LMI running data of frame
relay.
debug frame-relay packet [interface serial number] Displays data operation beared by frame
relay.
debug frame-relay log [interface serial number] Displays frame relay events and error
indication.
Notice:
o The physical layer must be in synchronous mode.
o The IP addresses of the ports of two connected routers must be in the same network segment.
o When show int s n shows that the interface is “UP”and show frame map shows that status is“ACTIVE”, it is
indicated that frame relay has connected with the WAN port and can begin to transmit data.
5.6.4 Frame Relay Reverse Address Resolution Protocol
Brief Introduction of the Frame Relay Protocol

The main function of Reverse Address Resolution Protocol is to resolve the protocol address of the opposite equipment
connected with each virtual circuit, which includes the IP address, IPX address etc. (At the present time Maipu routers only
support IP addresses). If the protocol address of the opposite equipment connected to the virtual circuit is known, the
mapping between the opposite terminal protocol address and DLCI can be created locally, and then the manual configuration
can be avoided.
The contents of this section are as follow:
o Description of the basic instructions of frame relay Reverse Address Resolution Protocol
o A typical configuration example of frame relay Rdverse Address Resolution Protocol
o Debugging/monitoring of frame relay Reverse Address Resolution Protocol
A. Description of the basic instructions of frame relay Reverse Address Resolution Protocol
router(config-if)#
Command Description
frame-relay inverse-arp Permits the sending of RARP (Inverse

Address Resolution Protocol) request (the
default).
frame-relay inverse-arp interval Configures the time interval of sending
RARP (Inverse Address Resolution
Protocol) request (the default value is 60
seconds).
frame-relay inverse-arp ip <DLCI NUMBER> Permits the sending of RARP (Inverse
Address Resolution Protocol) request on a
virtual circuit.
frame-relay inverse-arp update Updates the dynamic mapping periodically.
B. The diagram below shows a typical configuration example of frame relay Reverse Address Resolution Protocol
V V
)U DPH
U RXW HU U HO D\
U RXW HU
Illustration:
1. The port S0 (3.3.3.1) of the local router router1 connects to the port S0 (3.3.3.2) of the opposite router router2.
The configuration of router1

Router1(config-if-serial0)# encapsulation frame-relay
Router1(config-if-serial0)# frame-relay lmi-type ansi The type of LMI
Router1(config-if-serial0)# frame-relay inverse-arp Permits the sending frame relay RARP (the
default).
Router1(config-if-serial0)#ip address 3.3.3.1 255.0.0.0 Local-end IP address.
Router1(config-if-serial0)#frame-relay inverse-arp update Updates the dynamic mapping periodically.
Router1(config-if-serial0)#frame-relay interface-dlci 16 Configures the DLCI number.

Router2(config-if-serial0)# encapsulation frame-relay
Router2(config-if-serial0)# frame-relay lmi-type ansi The type LMI.
Router2(config-if)# frame-relay inverse-arp Permits the sending of the frame relay RARP
(the default)
Router2(config-if-serial0)#ip address 3.3.3.2 255.0.0.0 Local IP address.
Router2(config-if-serial0)#frame-relay inverse-arp update Updates the dynamic mapping periodically.
Router2(config-if-serial0)#frame-relay interface-dlci 16 Configures the DLCI number.
C. Debugging/monitoring of frame relay Reverse Address Resolution Protocol (RARP)
Displaying packets receiving/sending status of frame relay Reverse Address Resolution Protocol
show frame-relay inarp
Frame Relay Inarp statistics for interface serial2:
InARP requests sent 5, InARP replies sent 0
InARP request recvd 0, InARP replies recvd 4
Displaying the information of frame relay mapping

show frame-relay map
serial0 (up): ip 3.3.3.2, dlci 16, dynamic,
IETF, status ACTIVE
Note:
1. The word dynamic among the above information indicates that the mapping is established dynamically through the
Reverse Address Resolution Protocol (RARP).
5.6.5 Frame relay sub-interface
The configuration process of a frame relay sub-interface:
Frame relay is Designate the type of sub- Frame relay is

encapsulated on interface: Point-to- configured on the
subinterface.
the Point/Point-to-multipoint. configures
masterinterface.
A subinterface inherits the properties of a masterinterface, so before the subinterface is configured, the frame relay must be
encapsulated on the main interface. [LMI]
A. The configuration of frame relay point-to-point interface

router(config)#
Command Description
interface Serial <serialnumber.subnumber> point-to-point Configure the subinterface as the point-to-

point mode.
frame-relay interface-dlci number Configure the number of the data link
connection identifier (DLCI).
frame-relay ip rtp header-compression Configure frame relay using RTP header
compression (optional).
ip route peer-address A.B.C.D Designate IP address of the opposite
terminal (It is used in dynamic routing
interaction).
B. The configuration of frame relay point-to-multipoint sub-interface

router(config)#
Command Description
interface Serial <serialnumber.subnumber> point-to-multipoint Configure the subinterface as the point-to-

multipoint mode.
frame-relay interface-dlci number Configure the number of the data link
connection identifier (DLCI).
frame-relay ip rtp header-compression Configure frame relay using RTP header
compression (optional).
frame-relay map ip ip_address dlci [broadcast|cisco|ietf] Configure the frame relay MAP mapping.
5.6.6 An example of frame relay subinterface configuration

U RXW HU
V

V )U DPH U HO D\
U RXW HU V

V
U RXW HU
Illustration:
1. The above example explains how to configure the subinterface on the router A so as that the whole frame relay
network can be connected. The router router2 connects to the main interface of router1 while the router router3
connects to the subinterface of router1.

Command Task
Router1(config-if-serial2)#physical-layer sync Synchronization
Router1(config-if-serial2)#clock rate 64000 Clock
Router1(config-if-serial2)#intf-type dte Works in DTE mode of frame
relay.
Router1(config-if-serial2)#frame-relay lmi-type q933a Designates LMI type as q933a.
Router1(config-if-serial2)#frame-relay intf-type dte
Router1(config-if-serial2)#frame-relay interface-dlci 102 The DLCI number
Router1(config-if-serial2)#frame-relay map ip 116.255.4.2 102 Configures frame relay mapping.
broadcast
Router1(config-if-serial2)#ip address 116.255.4.1 255.255.255.0 Local-end IP address
Router1(config)#interface serial2.1 multipoint The mode of the subinterface is
point-to-multipoint.
Router1(config-sub-if-serial2.1)#frame-relay interface-dlci 202 DLCI number is 202, which is
provided by telecommunication
office.
Router1(config-sub-if-serial2.1)#frame-relay map ip 117.255.4.2 202 Configures the frame relay
broadcast mapping of the subinterface.
Router1(config-sub-if-serial2.1)#ip address 117.255.4.1 255.255.255.0 IP address of the subinterface.
Router1(config-sub-if)#end
B. The configuration of router2 (router3)

Command Task
Router2# con t
Router2(config )#interface serial2
Router2(config-if-serial2)#clock rate 64000
Router2(config-if-serial2)#encapsulation frame-relay Encapsulates frame relay.
Router2(config-if-serial2)#frame-relay lmi-type q933a Designates LMI type as q933a.
Router2(config-if-serial2)#frame-relay interface-dlci 101 The DLCI number is 101.
Router2(config-if-serial2)#frame-relay map ip 116.255.4.1 101 Configures the frame relay mapping.
broadcast
Router2(config-if-serial2)#ip address 116.255.4.2 255.255.255.0 IP address
5.6.7 Frame Relay Switch
1. Brief introduction of commands
Maipu routers supports the function of frame relay switching. Frame relay switches makes the router able to encapsulate the
data frame of frame relay into IP datagrams.
router(config)#frame-relay switching
A. Configuring it as a frame relay switch

router(config)#
Command Description
Frame-relay swithig Configures it as a frame relay switch.
Configure the router, through the commmand frame-relay switching, to execute the switch function in frame relay network.
When the router runs as a Router(config)#frame-relay switching switch, data stream can be exchanged between two serial
ports of the router through the command frame-relay. The router executes PVC data exchange between two serial ports.
router(config-if-XXX)#frame-relay route in-dlci out-interface out-dlci
B. The command frame-relay switching

Router(config-if-XXX)#
Command Description
In-dlci The DLCI number of packets received by the

interface
Out-interface The interface used by the router to transmit
packets
Out-dlci The DLCI number used by the router to
transmit packets through the designated
outward interface
The interface configuration can be applied to frame relay switch through the command frame-relay intf-type. The type of
frame relay switch is decided by the functions of the router in frame relay network.
router(config-if-XXX)#frame-relay intf-type [dte |dce |nni]
C. The command Frame-relay intf-type
Router(config-if-XXX)#
Command Description
Dte The interface of the router is used to connect a

frame relay network.
Dce The interface of the router connectes with a
router, and the local router is used as a frame
relay switch.
Nni The router is used as a switch. The interface is
connected with another switch and supports
the network-to-network interface (NNI).
An example of frame relay serving as switch
'/&, '/&, '/&,
5RXW HU 5RXW HU 5RXW HU 5RXW HU

6 6 6 6 6 6
Illustration:
1. As shown in the above figure, router2 and router3 serve as frame relay switches while router1 and router4 serve as
DTE interfaces. When the data stream from router1 arrives at the port s3 of router2, the data stream with DLCI
number 40 will be handed to the output port s2; at the same time, DLCI number 50 will be used in the source
identifier. Data stream is transmitted to the port s2of router3. Similarly, the data stream with DLCI number 50 is
handed to the output port s3 again, so the data stream arrives at router4. The data from router4 can arrive at the
destination router1 according to the same principle, too.
The relevant configuration:

Command Task
router1(config)#int s3 Enters the interface mode.

router1(config-if-serial3)#encapsulation frame-relay Encapsulates the protocol frame-relay.
router1(config-if-serial3)#frame-relay lmi-type ansi Configures LMI type.
router1(config-if-serial3)#frame-relay interface-dlci 40 Configures DLCI number.
router1(config-if-serial3)#frame-relay map ip 1.0.0.2 40 Configures MAP mapping.
broadcast
router1(config-if-serial3)#ip address 1.0.0.1 255.0.0.0 Configures IP address.
Router(config-if-serial2)#
Command Task
Configuration of the interface S3

router2(config)#frame-relay switching Configures it as the frame relay switch mode.
router2(config-if-serial3)#encapsulation frame-relay Encapsulates the protocol frame-relay .
router2(config-if-serial3)#frame-relay lmi-type ansi Configures the LMI mode.
router2(config-if-serial3)#frame-relay intf-type dce Configures it as a frame relay switch to
connect with another router.
router2(config-if-serial3)#frame-relay route 40 interface Configures the direction for switch to transmit
serial2 50 data.
The configuration of the interface S2:
router2(config-if-serial2)#frame-relay lmi-type ansi Configures LMI mode.
router2(config-if-serial2)#frame-relay intf-type nni Configures it as the switch mode (NNI) to
connect with another switch.
router2(config-if-serial2)#frame-relay route 50 interface Configures the direction for switch to transmit
serial3 40 data.
Configuration of router3:
Router(config-if-serial2)#
Command Task
Configuration of the interface S3

Router3(config)#frame-relay switching Configures it as the frame relay exchange
mode.
Router3(config-if-serial3)#clock rate 128000 Configures clock.
Router3(config-if-serial3)#encapsulation frame-relay
Encapsulates the protocol frame-relay.
Router3(config-if-serial3)#frame-relay lmi-type ansi Configures LMI mode.
Router3(config-if-serial3)#frame-relay intf-type dce Configures it as a frame relay switch to
connect with another router.
Router3(config-if-serial3)#frame-relay route 60 interface Configures the direction for switch to transmit
serial2 50 data.
The configuration of the interface S2:
Router3(config-if-serial2)#encapsulation frame-relay Encapsulates the protocol frame-relay.
Router3(config-if-serial2)#frame-relay lmi-type ansi Configures LMI mode.
Router3(config-if-serial2)#frame-relay intf-type nni Configures it as the switch mode (NNI) to
connect with another switch.
Router3(config-if-serial2)#frame-relay route 50 interface Configures the direction for switch to transmit
serial3 60 data.
Router3(config-if-serial2)#Clock rate 128000 Configures clock.
Router3(config-if-serial2)#exit Configuration has been finished.
Command Task

router1(config-if-serial3)#frame-relay lmi-type ansi Configures LMI type.
router1(config-if-serial3)#frame-relay interface-dlci 60 Configures DLCI number.
router1(config-if-serial3)#frame-relay map ip 1.0.0.1 60 Configures MAP mapping.
roadcast
router1(config-if-serial3)#ip address 1.0.0.2 255.0.0.0 Configures the IP address.
router1(config-if-serial3)#exit Configuration has been finished
Note:
1. The DLCI numbers between switches do not need to be configured in ports.
2. In fact, different LMI types can be configured on different ports and the same LMI type is unnecessary. But the
LMI between two routers must be the same.
3. Examine whether the function of switch works well through the command show frame-relay route. If S2 and S3
are showed as active, this indicates that the function of switch works well.
5.6.8 Frame-Relay PVC Compression
1) TCP/IP Header Compression over Frame-Relay PVC

A command to configure TCP/IP Header Compression over Frame-Relay PVC
frame-relay map ip A.B.C.D dlci tcp header-compress
To enalbe TCP/IP header compression on frame-relay PVC, use the command frame-relay map ip A.B.C.D dlci tcp
header-compress, or else, use the negation of the command to disable it.
frame-relay map ip a.b.c.d dlci nocompress
To disable the compression (including TCP/IP and RTP compression) on the special PVC, use the command frame-
relay map ip a.b.c.d dlci nocompress.
frame-relay map ip ip-address dlci tcp header-compress [passive]
Syntax Description
Ip-address The IP address of the opposite end
Dlci The DLCI number of the DLCI interface.
Passive Passive compression
ÏCommand modeÐthe point-multipoint interface configuration mode
frame-relay ip tcp header-compress [passive]
To enable TCP/IP header compression on all of frame-relay PVC, use the command frame-relay ip tcp header-
compress [passive], or else, use the negation of the command to disable it.
An example of TCP/IP Compression over frame-relay PVC.
Frame-relay
Router1 is configured as follows :

Command Task
RouterA# configure terminal
RouterA(config)# interface serial0/0 Enter the interface Serial0/0 configuration
mode.
RouterA(config-if-serial0/0)# encapsulation frame-relay Enable frame-relay encapsulation for the
interface S0/0.
RouterA(config-if-serial0/0)# frame-relay lmi-type ansi Set the type as LMI.
RouterA(config-if-serial0/0)# frame-relay interface-dlci Configure the local DLCI number.
100
RouterA(config-if-serial0/0)# frame-relay map ip 3.3.3.2 Configure the TCP/IP header compression
100 tcp header-compress on DLCI=100 PVC.
RouterA(config-if-serial0/0)# ip address 3.3.3.1 Configure the interface IP address.
255.0.0.0
Command Task
RouterB(config)#interface serial0/0 Enter the interface S0/0 configurationo
mode.
RouterB(config-if-serial0/0)# clock rate 128000
RouterB(config-if-serial0/0)# encapsulation frame-relay Enable the frame-relay encapsulatin
for the interface s0/0.
RouterB(config-if-serial0/0)# frame-relay lmi-type ansi Set the type as LMI.
RouterB(config-if-serial0/0)# frame-relay interface-dlci Configure the local DLCI number.
100
RouterB(config-if-serial0/0)# frame-relay map ip 3.3.3.1 Configure the TCP/IP header
100 tcp header-compress compression on DLCI=100 PVC.
RouterB(config-if-serial0/0)# ip address 3.3.3.2 Configure the interface IP address.
255.0.0.0
Monitor the TCP/IP header compression over Frame-Relay PVC.

Use the command show frame-relay ip tcp header-compress to show TCP/IP compression information about whether
the tranmitted data is compressed and related compression statistics.
2) RTP Compression over Frame-Relay PVC

A command to configure RTP compression over frame-relay PVC.
frame-relay map ip A.B.C.D dlci rtp header-compress
To enable RTP compression over frame-relay PVC, use the command frame-relay map ip A.B.C.D dlci rtp header-
compress, otherwise, use the negation of the command to disable it.
Use the command to enable RTP compression over special frame-relay PVC, and use the negation of the command to
disable it.
frame-relay map ip ip-address dlci rtp header-compress [passive]
Syntax Description
Ip-address The IP address of the opposite end.
Dlci The DLCI number of the DLCI interface.
Passive Passive compression.
ÏCommand modeÐthe point-to-multipoint interface configuration mode
frame-relay ip rtp header-compress [passive]
To enable RTP compression over all frame-relay PVCs, use the command frame-relay ip rtp header-compress
[passive], or else, use the negation of the command to distable it.
An example of RTP compression over frame-relay PVC
Frame-relay
Router1 is configured as follows:

Command Task
RouterA(config)# interface serial0/0 Enter the interface Serial0/0 configuration
mode.
RouterA(config-if-serial0/0)# encapsulation frame-relay Enable frame-relay encapsulation for the
interface S0/0.
RouterA(config-if-serial0/0)# frame-relay lmi-type ansi Set the type as LMI.
RouterA(config-if-serial0/0)# frame-relay interface-dlci Configure the local DLCI number.
100
RouterA(config-if-serial0/0)# frame-relay map ip 3.3.3.2 Configure the TCP/IP header compression
100 rtp header-compress on DLCI=100 PVC.
RouterA(config-if-serial0/0)# ip address 3.3.3.1 Configure the interface IP address.
255.0.0.0
Command Task
RouterB(config)#interface serial0/0 Enter the interface Serial0/0 configuration
mode.
RouterB(config-if-serial0/0)# clock rate 128000
RouterB(config-if-serial0/0)# encapsulation frame-relay Enable frame-relay encapsulation for the
interface S0/0.
RouterB(config-if-serial0/0)# frame-relay lmi-type ansi Set the type as LMI.
RouterB(config-if-serial0/0)# frame-relay interface-dlci Configure the local DLCI number.
100
RouterB(config-if-serial0/0)# frame-relay map ip 3.3.3.1 Configure the TCP/IP header compression
100 rtp header-compress on DLCI=100 PVC.
RouterB(config-if-serial0/0)# ip address 3.3.3.2 Configure the interface IP address.
255.0.0.0
3) Monitoring of RTP Compression over Frame-Relay PVC

Use the command show frame-relay ip rtp header-compress to show RTP compression information about whether the
tranmitted data is compressed and related compression statistics.
Notice:
The command frame-relay ip tcp header-compress/ frame-relay ip rtp header-compres is valid to all PVCs (except
the PVCs for which the RTP compression has bee configured singly ).
It can be examined by the command show frame-relay ip tcp header-comress / show frame-relay ip rtp header-
compress that the RTP compression has been configured on PVC and its type is inherited.
For a single PVC on which the RTP has been configured, it can be known by the command that its compression type is
enabled.
5.6.9 DE bit support on Frame-Relay

1) Configuration command
frame-relay de-list
To enable the DE bit list in the frame-relay network, use the command frame-relay de-list, or else, use the negation of
the command to disable it.
frame-relay de-list list-number protocol ip {fragments | gt size| list access-list-number
| lt size| tcp port| udp port}
Syntax Description
List-number DE list number
Size Packet size
Access-list-number Access list number
Port The port number of the destination address.
ÏCommand modeÐthe globe configuration mode.
frame-relay de-group
To eable DE bit discarding rule on DLCI, use the command frame-relay de-group, or else, use the negation of the
Frame-relay de-goup de-list-number dlci
Syntax Description
De-list-number DE list number
Dlci DLCI number
frame-relay congestion-management
To enable the DE rule on an interface, use the command frame-relay congestion-management, or else, use the
negation of the command to disable it.
2) Configuration examples
An example of the configuration command DE-list frame-relay de-list
define DE list 1 for IP fragment packets / Set DE bit for packets of the IP fragment.
frame-relay de-list 1 protocol ip fragment
define DE list 2 for port 500 of UDP packets / Set DE bit for UDP packets whose port number is 500.
frame-relay de-list 2 protocol ip udp 500
An example of the configuration command de-group frame-relay de-group

Enable DE list 1 on PVC 100 /Enable the rule de-list 3 on DLCI-number=100 PVC for setting DE bit.
frame-relay de-group 1 100
Notice:
Only one kind of rule can be set in each DE-list.
Multiple de-lists canbe enabled on each PVC, and one de-list can also be used in different PVCs simultaneously.
To enable DE, it is necessary to configure the command frame-relay congestion-management on the interface.
De can not take effect until traffic-shapping is configured.
3) Monitoring DE bit over Frame-Relay

Use the command show frame-relay PVC to show the statistics of received/transmitted packets for which DE bit has
been configured.
5.6.10 Frame-Relay Fragment

frame-relay fragment
To enable frame-relay fragment function, use the command frame-relay fragment number, or else, use the negation of
the command to disable it. Abour related details, refer to FRF.12.
frame-relay fragment number
Syntax Description
Number Fragment sizeÄBy byteÅ
ÏCommand modeÐthe map-class configuration mode .
frame-relay fragment must-encap-mulproto

After the frame fragment function is configured, to perform the multilink encapsulation for network-layer packet whose
size is less than the frame fragment, use the command frame-relay fragment must-encap-mulproto, or else, use the
negation of the command to disable it.
ÏCommand modeÐthe map-class configuration mode
Notice:
Usually, it is unnecessary to configure the command. The command need be enabled only when opposite equipment
performs the multilink encapsulation for network-layer packet whose size is less than the frame fragment or implements the
strict order-limit to network-layer data.
The frame fragment function can not take effect until the traffic-shapping is enabled.
5.6.11Frame-relay Traffic Shaping
5.6.11.1 Traffic Shaping Configuration Commands

map-class frame-relay
Use the command map-class frame-relay to specify a map type for some PVC to define Quality of Service (QoS);
otherwise, use the negation of the command to delete the corresponding map type.
map-class frame-relay map-class-name
no map-class frame-relay map-class-name
Syntax Descriptions
frame-relay The keyword of the specified map
type.
map-class-name The name of the map type.
£By default¤The command is disabled. And no default name is defined.

£Command mode¤The global configuration mode.
frame-relay traffic-rate
Use the command frame-relay traffic-rate to specify the egress flow rate for the PVC related with some map type;
otherwise, use the negation of the command to restore the default flow rate.
frame-relay traffic-rate average [ peak ]
no frame-relay traffic-rate average [ peak ]
Syntax Descriptions
Average The average rate (by bit per second), equivalent to the
specified CIR.
Peak (Optional )the peak rate (by bit per second), equivalent
to.
CIR + Be/Tc = CIR(1 + Be/Bc) = CIR + EIR
£By default¤If the peak rate is omitted, the adopted default value is the line rate.
£Command mode¤the map type configuration mode.
frame-relay adaptive-shaping
Use the command frame-relay adaptive-shaping to specify the rate adjust mode for the PVC related with some map
type; otherwise, use the negation of the command to deny the rate adjust.
frame-relay adaptive-shaping { becn | foresight}
no frame-relay adaptive-shaping
Syntax Descriptions
Becn Perform the rate adjust according to BECN message.
Foresight Perform the rate adjust according to foresight message.
£By default¤The command is disabled.
frame-relay custom-queue-list
Use the command frame-relay custom-queue-list to specify the custom-queue for the PVC related with some map
type; otherwise, use the negation of the command to restore the default value of the PVC queue.
frame-relay custom-queue-list list-number
no frame-relay custom-queue-list list-number
Syntax Descriptions
list-number The list-number of the queue.
£By default¤The default queue is FCFS (First Come First Service).
frame-relay priority-group
Use the command frame-relay priority-group to specify the priority queue for the PVC related with some map type;
otherwise, use the negation of the command to restore the default value of the PVC queue.
frame-relay priority-group list-number
no frame-relay priority-group list-number
Syntax Descriptions
list-number The list-number of the queue.
£By default¤The default queue is FCFS.
frame-relay traffic-shaping
Use the command frame-relay traffic-shaping to make traffic shaping effective for all PVC of a frame-relay interface;
otherwise, use the negation of the command to disable the function of traffic shaping.
frame-relay traffic-shaping
no frame-relay traffic-shaping
£By default¤The command is disabled.
£Command mode¤the interface configuration mode.
frame-relay class
Use the command frame-relay class to relate a map type with an interface or a sub-interface; otherwise, use the
negation of the command to cancel the relation.
frame-relay class name
no frame-relay class name
Syntax Descriptions
name The name of the map class related with the
interface/sub-interface.
class
Use the command to relate a map type to some PVC; otherwise, use the negation of the command to cancel the relation.
class name
no class name
Syntax Descriptions
Name The name of the map class related with the PVC.
£Command mode¤the DLCI configuration mode.
5.6.11.2 An example of traffic shaping configuration
Frame relay
Figure 4-23 the frame-relay traffic shaping configuration
Illustration:
As shown in figure above, an interconnection between RouterA (the port s0/0 192.168.2.1) and RouterB (the port s1/0
192.168.2.2) is established through a frame-relay network. The frame-relay traffic shaping policy is adopted to limit data
transmission rate over the specified PVC between RouterA and RouterB and provide high priority service for Telnet data
transmission between RouterA and RouterB.
1RouterA is configured as follows.

Syntax Descriptions
RouterA#configure terminal
RouterA(config)# priority-list 1 protocol ip high tcp Configure a priority queue and set QoS of Telnet
23 as high.
RouterA(config)# map-class frame-relay name Establish a map for PVC.
RouterA(config-map-class)# frame-relay traffic- Specify the egress flow rate and peak rate for the
rate 9600 128000 PVC related with the map type.
RouterA(config-map-class)# frame-relay priority- Specify the priority queue for the PVC related
group 1 with the map type.
RouterA(config-map-class)# exit
RouterA(config)# interface serial0/0 Enter the interface S0/0 configuration mode.
RouterA(config-if-serial0/0)# encapsulation frame- Perform the frame-relay encapsulation.
relay
RouterA(config-if-serial0/0)# frame-relay lmi-type Configure the LMI type .
ansi
RouterA(config-if-serial0/0)# frame-relay traffic- Make traffic shaping effective on the frame-relay
shaping interface.
RouterA(config-if-serial0/0)# frame-relay interface- Configure the local DLCI number.
dlci 100
RouterA(config-fr-dlci)# class name Relate the map type with the specified PVC.
RouterA(config-fr-dlci)#exit Exit the DLCI configuration mode.
RouterA(config-if-serial0/0)# frame-relay map ip Configure the frame-relay address map.
192.168.2.2 100
RouterA(config-if-serial0/0)# ip address 192.168.2.1 Configure the IP address.
255.255.255.0
RouterA(config-if-serial0/0)# priority-group 2 Enable the PQ queue on the interface (the serial-
number is not consistent with the defined one.)
RouterA(config-if-serial0/0)# end
2) The simple frame-relay configuration is performed on RouterB.
5.6.12 Frame-relay Bridging VLAN
5.6.12.1 Frame-relay VLAN Configuration Commands

vlan-bridge
Use the command vlan-bridge to make the frame-relay network bridge VLAN; otherwise, use the negation of the
command to deny bridging VLAN.
Vlan-bridge vlan-interface
Syntax Descriptions
vlan-interface The VLAN interface to be bridged.
£By default¤The command is denied.
£Command mode¤The point-to-point sub-interface configuration mode.
5.6.12.2 An Example of Frame-relay VLAN Configuration
Frame
relay
Figure 4-24 the frame-relay bridging VLAN
Illustration:
As shown in figure above, in the one-point-to-multi-point frame-relay network, all routers are required to adopt the
point-to-point sub-interface configuration mode. The interface f0 of RouterA has three sub-interfaces that belong to three
different VLANs respectively. And the interface S0/0 also has three sub-interfaces that are related with three different
VLANs respectively; the interface f0.1 of RouterB belongs to Vlan1 and the interface s1/0.1 is related with Vlan1; the
interface f0.1 of RouterC belongs to Vlan2 and the interface s2/0.1 is related with Vlan2; the interface f0.1 of RouterD
belongs to Vlan3 and the interface s3/0.1 is related with Vlan3.
1) RouterA is configured as follows.

Syntax Descriptions
RouterA(config)# interface fastethernet0.1 Enter the sub-interface f0.1 configuration
mode.
RouterA(config-if-fastethernet0.1)# encapsulation dot1q 1 Encapsulate the sub-interface to Vlan1.
RouterA(config-if-fastethernet0.1)# interface Enter the sub-interface f0.2 configuration
fastethernet0.2 mode.
RouterA(config-if-fastethernet0.2)# interface Enter the sub-interface f0.3 configuration
fastethernet0.3 mode.
RouterA(config-if-fastethernet0.3)# interface serial0/0 Enter the interface s0/0 configuration
mode.
RouterA(config-if-serial0/0)# encapsulation frame-relay Perform the frame-relay encapsulation for
the interface S0/0.
RouterA(config-if-serial0/0)# frame-relay lmi-type ansi Set the LMI type.
RouterA(config-if-serial0/0)# interface serial0/0.1 point-to- Enter the sub-interface s0/0.1
point configuration mode.
RouterA(config-if-serial0/0.1)# frame-relay interface-dlci Configure the local DLCI number.
100
RouterA(config-if-serial0/0.1)# vlan-bridge Make S0/0.1 relate with F0.1 and bridge
fastethernet0.1 the corresponding VLAN.
RouterA(config-if-serial0/0.1)# interface serial0/0.2 point- Enter the sub-interface s0/0.2
to-point configuration mode.
200
RouterA(config-if-serial0/0.2)#vlan-bridge fastethernet0.2 Make S0/0.2 relate with F0.2 and bridge
the corresponding VLAN.
RouterA(config-if-serial0/0.2)# interface serial0/0.3 point- Enter the sub-interface s0/0.3
to-point configuration mode.
300
RouterA(config-if-serial0/0.3)#vlan-bridge fastethernet0.3 Make S0/0.3 relate with F0.3 and bridge
2) RouterB is configured as follows.
Syntax Descriptions
RouterB(config)# interface fastethernet0.1 Enter the sub-interface f0.1 configuration
mode.
RouterB(config-if-fastethernet0.1)# encapsulation dot1q 1 Encapsulate the sub-interface to Vlan1.
RouterB(config-if-fastethernet0.1)# interface serial1/0 Enter the interface S1/0 configuration
mode.
RouterB(config-if-serial1/0)# encapsulation frame-relay Perform the frame-relay encapsulation for
the interface s1/0.
RouterB(config-if-serial1/0)# frame-relay lmi-type ansi Set the LMI type.
RouterB(config-if-serial1/0)# interface serial1/0.1 point-to- Enter the sub-interface S1/0.1
RouterB(config-if-serial1/0.1)# frame-relay interface-dlci Configure the local DLCI number.
101
RouterB(config-if-serial1/0.1)# vlan-bridge fastethernet0.1 Make S1/0.1 relate with F1.1 and bridge
RouterB(config-if-serial1/0.1)# end
3) RouterC is configured as follows.
Syntax Descriptions
RouterC# configure terminal
RouterC(config)# interface fastethernet0.1 Enter the sub-interface f0.1 configuration
mode.
RouterC(config-if-fastethernet0.1)# encapsulation dot1q 2 Encapsulate the sub-interface to Vlan2.
RouterC(config-if-fastethernet0.1)# interface serial2/0 Enter the interface S2/0 configuration
mode.
RouterC(config-if-serial2/0)# encapsulation frame-relay Perform the frame-relay encapsulation for
the interface S2/0.
RouterC(config-if-serial2/0)# frame-relay lmi-type ansi Set the LMI type.
RouterC(config-if-serial2/0)# interface serial2/0.1 point-to- Enter the sub-interface S2/0.1
RouterC(config-if-serial2/0.1)# frame-relay interface-dlci Configure the local DLCI number.
201
RouterC(config-if-serial2/0.1)# vlan-bridge fastethernet0.1 Make S2/0.1 relate with f0.1 and bridge
RouterC(config-if-serial2/0.1)# end
4) RouterD is configured as follows.
Syntax Descriptions
RouterD# configure terminal
RouterD(config)# interface fastethernet0.1 Enter the sub-interface f0.1 configuration
mode.
RouterD(config-if-fastethernet0.1)# encapsulation dot1q 3 Encapsulate the sub-interface to Vlan3.
RouterD(config-if-fastethernet0.1)# interface serial3/0 Enter the interface S3/0 configuration
mode.
RouterD(config-if-serial3/0)# physical-layer sync
RouterD(config-if-serial3/0)# encapsulation frame-relay Perform the frame-relay encapsulation for
the interface s3/0.
RouterD(config-if-serial3/0)# frame-relay lmi-type ansi Set the LMI type.
RouterD(config-if-serial3/0)# interface serial3/0.1 point-to- Enter the sub-interface S3/0.1
RouterD(config-if-serial3/0.1)# frame-relay interface-dlci Configure the local DLCI number.
301
RouterD(config-if-serial3/0.1)# vlan-bridge Make S3/0.1 relate with F0.1 and bridge
fastethernet0.1 the corresponding VLAN.
RouterD(config-if-serial3/0.1)# end
NoticeÖ
Vlan-bridge is required to adopt the point-to-point sub-interface configuration mode.
Chapter 6 DDR and Interface Backup
This chapter mainly describes how to configure a Maipu Router to perform the remote dialer access through PSTN and ISDN
(Integrated Services Digital Network).

Dialer backup
The configuration of DDR dialer
Dialer prototype
6.1 Dialer Backup

6.1.1 The Configuration of a Built-in Frequency-band MODEM
A built-in frequency-band modem in a Maipu router supports several dialer modes, such as synchronism, asynchronism,
dialer line, and leased line etc. This section describes how to configure the built-in frequency-band modem in a Maipu router
to perform the remote dialer function.
1) The relevant commands
A. Configuring modem parameters

router(config-if-XXX)#modem ?
Command Description
async-mode Configures it in the asynchronous mode, including buffer asynchronism,

direct asynchronism and error asynchronism. (If you add a “?” behind the
command modem async-mode, you can see the prompt of the next step.
Of course, you can get help of all the configuration through using “?”)
clock-mode In the synchronous mode, internal clock, external clock and slave clock
can be configured. In the asynchronous mode, it is unnecessary to
configure the clock.
clock-rate In the synchronous mode, modem circuitry rate is configured. (In the
asynchronous mode, the command speed is used to configure interface
rate)
outer The command is used to configure an outer modem, while it isn’t used to
configure a built-in modem.
party The command is used to configure modem as originator or answer.
Disable Disable modem.
Enable Enable modem.
Line Configure modem as the leased line mode
v25bis enable Forbidden AT command, active v.25bits command
Note:
1. The above commands can be used similarly when MP336/56MODEM is connected externally
B. Configuring the telephone number of a called user

Router (config-if-XXX) #dialer string phone number
Command Description
dialer string <number> Configures the telephone number of the called side. The number can only
be composed of Arabic numerals (When the exterior line of the built-in
modem is a dialer line, the number needs to be configured; when the
exterior line of the modem is a leased line, the number does not need to be
configured.)
Note:
1. Many called numbers can be configured. After this, when the router dials a number, it will adopt the polling dialer
(Namely, the first number is dialed; if it is busy, then the second number is dialed in turn, and so on)
2) Examples of usage of configuring commands
A. A leased line mode

6
5RXHU
6
5RXHU
Illustration:
1. The built-in frequency-band MODEM is configured on the interface interface serial2 of router1 and router2. And
the leased line mode is configured.
3. router1 is a caller that uses the internal clock, while router2 is the answer that uses the slave clock. The line speed
is 9600.
The configuration of router1 is as follows:

Command Task
router1(config)#interface serial2/0 Enters the interface configuration mode with
built-in frequency-band MODEM.
router1(config-if-serial2/0)#ip address 1.1.1.1 Configures the IP address.
255.255.255.0
router1(config-if-serial2/0)# encapsulation PPP Encapsulates PPP protocol.
router1(config-if-serial2/0)#modem clock-mode internal Configures the MODEM clock as the
internal, synchronous mode : internal clock
(internal); external clock (external); slave
clock (slave).
router1(config-if-serial2/0)#modem clock-rate 9600 Configures the line speed as 9600.
router1(config-if-serial2/0)#modem line leased Configures MODEM as the leased line mode.
router1(config-if-serial2/0)#modem party originate Configures MODEM as a caller.
router1(config-if-serial2/0)#modem enable Enables the MODEM configuration to
become effective
Command Task

router2(config-if-serial2/0)#ip address 1.1.1.2
255.255.255.0
router2(config-if-serial2/0)#modem clock-mode slave Configures it as the slave clock mode
router2(config-if-serial2/0)#modem clock-rate 9600
router2(config-if-serial2/0)#modem line leased
router2(config-if-serial2/0)#modem party answer Configures MODEM as an answer.
Router2(config-if-serial2/0)#modem enable
Router2(config-if-serial2/0)#exit
B. The dialer mode:

The above are the configuration of the built-in modem with a leased line mode and its simple explanation. Then, we will
simply explain the configuration of the dialer mode as follows:

6
3671
6 5RXHU
5RXHU
Illustration:
1. The built-in frequency-band MODEM is configured on the interface serial2/0 of router1 and router2. And the dialer
mode is configured.
2. Router1 is a caller and router2 is an answer.
The relevant configuration (synchronous mode)

Command Task
router1#configure terminal
router1(config-if-serial2/0)#ip address 10.1.1.1 Configures IP address.
255.255.255.0
router1(config-if-serial2/0)#physical-layer sync Configures it as the synchronous mode.
router1(config-if-serial2/0)#modem clock-mode internal Configures it as the internal clock mode.
router1(config-if-serial2/0)#modem clock-rate 33600 Configures MODEM speed.
router1(config-if-serial2/0)#modem party originate Configures MODEM as a caller.
router1(config-if-serial2/0)# Configures the telephone number of the
dialer string 7722107 opposite terminal.
dialer string 7721679
router1(config-if-serial2/0)# Enables the MODEM.
modem enable
router2
Command Task
router2(config)#interface serial2/0 Enters the relevant interface.
router2(config-if-serial2/0)#ip address 10.1.1.2 Configures the IP address.
255.255.255.0
router2config-if-serial2/0)#physical-layer sync Configures it as the synchronous mode.
router2(config-if-serial2/0)#encapsulation PPP Encapsulates PPP protocol.
router2(config-if-serial2/0)#modem party answer Configures it as an answer.
router2config-if-serial2/0)#modem clock-rate 33600 Configures MODEM ratio.
router2(config-if-serial2/0)#modem enable Enables the MODEM.
The configuration of the asynchronous mode is as follows:

The configuration of Router1 The configuration of Router2
interface serial3 interface serial3
physical-layer async physical-layer async
speed 115200 speed 115200
databits 8 databits 8
stopbits 1 stopbits 1
parity none parity none
flow-control none flow-control none
encapsulation ppp encapsulation ppp
ip address 10.0.0.1 255.0.0.0 ip address 10.0.0.2 255.0.0.0
dialer string 8005
modem party originate modem party answer
modem enable modem enable
Exit Exit
Note:
1. When using the leased line mode, MODEM keeps on calling (or answering) until it is connected.
2. If it is an outer modem, modem outer needs to be configured.
6.1.2 Dialer Script

There are many types of modems for sale in today’s market. Although they all support the AT instructions set, there are some
differences with regards to their implementation. To provide more flexibility, a dialer language, called dialer scripts, can be
established. The script language has the following features:
o The script is composed of some ordered set of some defined keywords, sent strings and expected strings.
o Strings can be separated by a blank.
o A script command doesn’t match upper/lower case. It begins with at or AT and represents that what will be sent is
an AT command.
o The AT instructions set of different companies may be different, so they should be configured by referring to their
accessory specifications.
Editing script
router (config)#chat-script script-name script
script name script content
For example, configuring the following script:

router (config)#chat-script Maipu at&f&k3%c3 atm1
In this example, the script name is Maipu and the script contents are at&f&k3%c3 and atm1.
Using the command no to delete the script:

router (config)# no chat-script script-name
Configure the Modem script that is executed when a connection needs to be established:
router(config-if- XXX)# script connection script-name
Script-name is configured in the global configuration mode: chat-script script-name, which is the script-name in the script.
Its purpose is to connect the AT command with the corresponding interface.
When the router needs the modem to call out, it will send the script designated by script-name to the modem first, and then it
will initialize configuration of the modem. When all of the modem scripts have been executed successfully, the initialization
finishes. After this, the router sends the dialer string to the modem to call the opposing party.
Similarly, when the modem is configured as modem party answer, and when the opposite terminal sends call and the local-
end receives a bell-shaking signal, the router will also sends the modem initialization script to configure the modem. When
all configuration succeeds, the modem will negotiate with the opposite modem, and the router will enter the status
Answering incoming call to wait for the connection of modem. When the modem has succeeded in connecting, it will enter
the phase of the link layer negotiation.
Use no script connection to cancel the feature.

router(config-if-serial2/0)#no script connection
Note:
1. If no script is configured for the modem, then the modem will start the default script set by the system. Because the
AT scripts supported by various companies have some differences, it is recommended that users configure the
script for a modem through referring to the modem usage manual of its company so that the modems of different
companies and types can work in better harmony with the router.
2. You can use the debug commands (for example, debug modem s2) to examine the default script.
Appendix: the scripts in common use MP336 series
THE AT
COMMANDS IN The relevant explanation
COMMON USE
&QnDn (the default is D2) &D0 : simple hangup of the modem;
Functions of all kinds of &D1 : changing from the data mode to the command mode;
compressions triggered &D2 : the modem hangs up and closes the auto-answer;
respectively when DTR hops from
&D3 : the modem reset
ON to OFF. Notice that D0 can be
only useful to the Q1 mode, while
D1, D2 and D3 are useful to all the
compression modes.
&Qn
(The default is &Q5) &Q0: Using the direct asynchronous mode
&Q1: Using the synchronous connection mode (the command mode
being of asynchronism)
&Q5: Using the error asynchronous mode
&Q0: Using the common asynchronous mode (with the function of rate
buffer)
Result codeæn=0-6ØOKç other valueØERROR
&QnCn &C0: DCD being ON all the time;
(controled by DCD) &C1: DCD indicating the status of the carrier wave;
(The default is &C1) Result code: n=0,1, OK; other values, ERROR.
&K0: no flow control mode
&Kn &K3: the RTS/CTS flow control mode (the default)
&K4: the XON/XOFF flow control mode
(the flow control modes between
DCE and DTE) &K5: transparent XON/XOFF flow control mode
&K6: the XON/XOFF and RTS/CTS simultaneous control mode
e default is &K3) The result code: n=0,3 to 6, OK; other values, ERROR
&Ln &L0: the command mode;
&L2: the auto leased line mode
Functions of the leased (special) &L3: the auto dialer line mode
line
&L5: the dialer backup working mode
%Cn &C0: No compression

&C1: Enable the MNP5 compression mode
(Limit to the error control mode) &C2: Enable the V.42bis compression mode
(The default is &C3) &C3: Enable the V.42bsi compression and the MNP5 compression
mode
Result code: n=0 to 3, OK; other values, ERROR
Notice: & and % are different.
%En &E0: without monitoring line quality, using auto retraining
&E1: monitoring line quality, performing auto retraining
Controlling and monitoring line &E2: monitoring line quality, automatically promoting/depressing
quality speed according to the quality status
(The default is &E0) • Automatically promote/depress speed that is chosen in the
V.32bis/V.32 modulation speed. When speed is lower than 4800bps, it
can’t be promoted/depressed, instead, it can auto retrain only. (This is
used in dialer line only)
The result code: n=0 to 2, OK; other values, ERROR
&F The modem loads the factory default configuration.

Note:
1. When the command AT is configured, it should be done according to the instructions of the corresponding
company.
2. When different modulation protocols are chosen, the appropriate one should be done according to the different line
status. For example, both V.34 protocol and V.22bis support the speed 2400. But in fact, the same speed using
different modulation protocols will have different effect because of the line status.
6.1.3 The Configuration of Dial Backup
The relevant commands
Command Task
router(config-if- XXX)#backup delay Configures the time should elapsed before the
secondary line status changes after a primary
line status has changed
router(config-if-XXX)#backup interface Configures an interface as a secondary or dail
backup
For example:
router(config-if- XXX)# backup interface s3/0
Set the interaface s3/0 as the backup line
router(config-if- XXX)# backup delay 5 5
Set a 5-second delay on activating the secondary line and set a 5-second delay on deactivating the
secondary line
6.1.4 The Typical Example of Dialer Backup
The example of modem dialer backup configuration:
6
6
5RXW HU e o$
:$1
6 6
5RXW HU e o%
&DO O $QVZHU
0RGHP 3671
Explanation: The serial 2 of the router router-A connects to an outer modem, chooses the asynchronous mode, encapsulates
PPP protocol , is used as a backup line of serial 0 and a caller uses the manual configuration of modem script; The detailed
configuration is as follows:
The configuration of router-A:
Command Task
router-A(config)#int s0
router-A(config-if-serial0)# encapsulation ppp
router-A(config-if-serial0)# physical-layer sync
router-A(config-if-serial0)# backup interface serial2 Configures the S2 as a backup
interface.
router-A(config-if-serial0)#
backup delay 5 5 Set a 5-second delay on activating
the secondary line after the primary
line goes down and set a 5-second
delay on deactivating the secondary
line after the primary line comes up
router-A(config-if-serial0)#ip add 128.255.1.1 255.255.0.0
router-A(config-if-serial0)#exit
router-A(config)# Establishes a MODEM script:
chat-script modem-configure at&f%c3&k3&c1 The script name: modem-configure
The script contents:
at&f%c3&k3&c1
router-A(config-if-serial2)# physical-layer async
router-A(config-if-serial2)#speed 38400
router-A(config-if-serial2)# modem outer Configures the outer MODEM.
router-A(config-if-serial2)# dialer string 5566030 Configures the called number as
5566030.
router-A(config-if-serial2)#modem party originate Configures MODEM as the caller.
router-A(config-if-serial2)#script connection modem-configure Specify the modem script that
should be executed
router-A(config-if-serial2)#ip address 192.255.255.1 255.255.255.0 Configures the IP address.
router-A(config-if-serial2)#exit Configuration has been finished.
Note:
Analyzing the above script: &f is to used to load the factory default configurationç%c3&k3&c is used to modify the
corresponding parameters of the script. Of course, if you want to configure the parameters by yourself, you need not use the
script of &f.
The serial 2 of the router router-B connects to an outer modem, chooses the asynchronous mode, encapsulates PPP protocol,
is used as a backup line of serial 0 and an answer uses the default script of the modem;
The detailed configuration is as follows:
router-B(config)#int s0
router-B(config-if-serial0)#
ip add 128.255.1.12 255.255.0.0
router-B(config-if-serial0)# encapsulation ppp
router-B(config-if-serial0)# physical-layer sync
router-B(config-if-serial0)#exit
router-B(config)# Configures the dialer script.
chat-script modem-configure at&f%c3&k3&c1
router-B(config-if-serial2)# physical-layer async
router-B(config-if-serial2)# enc ppp
router-B(config-if-serial2)# flow-control software
router-B(config-if-serial2)#
ip address 192.255.255.2 255.255.255.0
router-B(config-if-serial2)# modem outer Starts the outer MODEM.
router-B(config-if-serial2)# modem party answer Configures MODEM as the answer.

router-B(config-if-serial2)#speed 38400
router-B(config-if-serial2)#exit`
6.1.5 Configure Backup load

You can configure the backup load to activate or deactivate the secondary line based on the traffic load on the primary and
sencondary line.When the load on the primary line is greater than the value, the secondary line is enabled.When the load on
the primary line plus the load on the secondary line is less than the value, the secondary line is disabled.
Load diapup uses the traffic load to activate/disconnect backup line. When the traffic of the primary line reach some
threshold (the percentage of maximal traffice, the same as the below.), the backup line is activated; when the total traffic of
the primary and backup line is less than some threshold, the backup line is disconnected.
Backup load
Set a traffic load threthold for dial backup service
Backup load {enable-threshold|never} {disable-load|never}
no backup load
Syntax Description
Enable-threshold Percentage of the primary line’s available bandwidth that the

traffic load must exceed to enable dail backup
never Sets the secondary line never to be activated due to traffic
load
disable-load Percentaget of the primary line’s available bandwidth that
the traffic load must be less than to disable dial backup
never Sets the secondary line never to be deactivated due to traffic
load
Note:
1. You shoud configure backup interface first before configure load dialup.
2. The traffic statistics of the line is the traffic statistics every 5 minutes.
2) Examples of usage of configuring commands
Illustration;
1) Two lines are employed between Router1 and router2: one is the primary line, connecting with the interface s2/0, and
the other is the backup line, connecting with. The phone number corresponding router1 is 601 and that corresponding to
router2 is 611.
2) The purpose of the example above is that when the traffic load reaches the value assigned to the line, the secondary
line is activated although the primary line is still enabled.
About the detailed DDR configuration, refer to Section 5.2 DDR Dialup Configuration.

command Task
Router1# configure terminal

Router1(config)# dialer-list 1 protocol ip permit
Router1(config)# interface serial1
Router1(config-if-serial1)# ip address 22.1.1.1
255.0.0.0
Router1(config-if-serial1)# backup interface serail2 Assign interface s 2 to be the backup
interface
Router1(config-if-serial1)# backup load 90 10 sets the traffic load threshold to 90 percent of
the primary line serial 0.
When The load is exceeded, the secondary
line is activated, and will not be deactivated
until the combined
load is less than 10 percent of the primary
bandwidth.
Router1(config-if-serial1)# interface serial2

Router1(config-if-serial2)# physical-layer async
Router1(config-if-serial2)# dialer in-band Specify DDR (Dial-On-Demand Routing) to
be supported
Router1(config-if-serial2)# dialer-group 1
Router1(config-if-serial2)# dialer string 611
Router1(config-if-serial2)# modem outer
Router1(config-if-serial2)# ip addr 21.1.1.1 255.0.0.0
Router1(config-if-serial2)# interface loopback0
Router1(config-if-loopback0)# ip addr 20.1.1.1
255.0.0.0
Router1(config-if-loopback0)# exit
Router1(config)# ip route 20.1.1.2 255.255.255.255
21.1.1.2
Router1(config)#ip route 20.1.1.2 255.255.255.255
22.1.1.2

Command Task
Router1# configure terminal
Router1(config)# dialer-list 1 protocol ip permit
Router1(config)# interface serial1 Configure main interface
Router1(config-if-serial1)# ip address 22.1.1.2
255.0.0.0
Router1(config-if-serial1)# interface serial2 Configure backup interface
Router1(config-if-serial2)# physical-layer async
Router1(config-if-serial2)# modem outer
Router1(config-if-serial2)# ip addr 21.1.1.2 255.0.0.0
Router1(config-if-serial2)# interface loopback0
Router1(config-if-loopback0)# ip addr 20.1.1.2
255.0.0.0
Router1(config-if-loopback0)# exit
21.1.1.1
22.1.1.1
3) Debug commands
z show interface
Display the 5-minute traffic load of an interface
z Debug backup
Display the debugging information in the course of load dialup.
The Debugging of Modem
To examine its dialer status and the relative information, use the debug modem command:
router#debug modem interface
This command displays the debugging information of a given interface
The following is the debugging information with default parameters:

pppdown1#debug modem s3
pppdown1(config)#1d2h: [tMdmDelay]serial3: Config modem for dialing out
1d2h: [tMdmDelay]serial3: AT configurating command:
AAT&FE0Q0W1S95=44S36=5S25=0X0
AAT&D2&Q5
AATM1L1
1d2h: [tSccRx3]serial3: Success to send the 0th group configuring command
1d2h: [tSccRx3]serial3: Success to send the 1th group configuring command
1d2h: [tSccRx3]serial3: success to configure modem
1d2h: [tSccRx3]serial3: Start dialing automatically
1d2h: [tNetTask]serial3: Dialing timeout is set as 45s(DL-mode)
1d2h: [tNetTask]serial3: Dialing 8005...
Closing the modem debugging switch
router#no debug modem interface
Note:
1. If modem does not dial up, it should be examined whether cables are connected correctly, and make sure that the
modem has been turned on and configured as the receiving AT commands mode and reliably connected to the
correct interface.
2. When users try to turn on the dialer connection but the modem doesn’t respond to the access request, users should
examine whether the remote modem is configured as the auto-answer or the AT command mode. They should make
sure that the remote modem has connected with the router or other equipments. If necessary, the dialer sound on the
telephone line can be examined.
3. If the modem can not receive answers or send calls correctly, users can also examine whether the modem script is
configured correctly through the command debug modem interface.
4. When the modem connects with Cisco products, users should notice whether the modem DTR lamp is normal. If it is
abnormal, users should clear the line through the command clear line ***.
6.2 DDR Dialer Configurations
Preparing to configure DDR (Dial-On-Demand Routing)

For a network needing to use DDR, users can perform configuration according to the following series of operations:
o Decide which routers use DDR, select what kind of transmission medium will be used, which interfaces of the outer
use DDR, which kind of DDR topology structure an interface adopts, whether an interfaces sends call, or accepts
call, or both.
o Decide the interface type (asynchronous serial port or ISDN interface).
o Configure the interface encapsulation, the default is PPP.
o Configure the routing protocol (RIP, OSPF or static routing etc) employed on the DDR port.
6.2.1 Configuring DDR (Dial-On-Demand Routing)

Defining the Interesting Traffic
The global configuring command is: dialer-list (also called dialer list). In order to control the condition for a DDR call to take
place, users can use the command dialer-list to configure the packet condition. Only those packets that meet the packets
prescribed by dialer-list can initiate DDR to dial up. The simple format of the command can prescribe a set of protocols that are
both permitted to trigger a call/prohibited from triggering a call. The complex format of the command can cite an access control
list so as to define interesting data in detail.
router(config)#dialer-list dialer group number protocol ip { permit | deny | list access-list-number }
Dialer group number is the sequence number <1_10> of dialer-list, corresponding with the dialer-group group-
number of DDR interface configuration.
Access-list-number is the sequence number of the access list access-list corresponding with dialer-list
Ip is a protocol name, and the protocol supported presently is ip protocol.
Permit indicates packets corresponding with the protocol are permitted.
Deny indicates packets corresponding with the protocol are denied.
Note:
1. When configuring the access list, you should do it orderly. In addition, the multicasting packet of the routers from
some companies can trigger the dialer. For example, for the multicasting packet of OSPF 224.0.0.5, it is best to
deny it; or else, the telephone company will give you the telephone bill. Or you can use debug dialer packer to
examine whether there is the multicasting packet, whether it is necessary to configure an access list for the triggered
dialer
router(config-if-serial1)#dialer ?
The relevant configuration is as follows:
Command Description
callback-secure Turns on the callback security switch; hang up the

call without correct configuration of reverse
callback.
enable-timeout
Set the length of time an interface stays down after
a call has conmpleted or failed and before it is
available to dial again
fast-idle Configures fast idle time, for which the line will
stay before it is disconnected and the competing
call is placed, if there exists competition on the line.
hold-queue Configures the number of outgoing packets to be
queued.
idle-timeout Specify the idle time before the line is disconnected
in-band Specify DDR (Dial-On-Demand Routing) to be
supported.
load-threshold .Interface load beyond which the dialer will initiate
another call to the destionation
map Associates the IP address of the opposite terminal
with the phonenumber or the called user name so as
to call one or more sites.
pool Associates the dialer interface with the dialer pool
(taking effect in the dialer interface).
pool-member Configure the physical interface.to be a member of
a dialing pool.
Priority Configures the priority of physical interface in the
dialer pool.
remote-name Configures the name of the remote system.
rotary-group Adds an interface into the dialer rotary group.
Rotor Designates the method used by DDR to call the
outward line.
String Configures the telephone number to be dialed up.
wait-for-callback-time Configures the time waiting for the callback.
wait-for-carrier-time Configures the longest time for DDR to wait for
call establishment.
· Distributing the dialer list dialer-list to a port
After defining a dialer-list, you need to associate it with the interface answering for originating/accepting call. The
corresponding command is as follows:
router(config-if-serial1) # dialer-group group-number

group number
dialer-group: The command configures an interface as a member of a special dialer group. The group points to a dialer list.
group-number: It is the number of the dialer group the interface belongs to. The group is defined through the command
“dialer-list”, which defines the interesting traffic of DDR. The value that can be accepted is an integer from 1 to 10.
dialer-group
The command configures an interface to belong to a given dialer-group, which points to a dialer-list.
group-number
This is the number of the dialer access group to which the interface belongs. The dialer access group is defined by the
command “dialer-list”, which defines the trigger data stream originating DDR. The acceptable values are the integer within 1
to 10.
Defining the relevant parameters of the destination
After defining the structure of the interesting traffic, you should provide the interface answering for originating call/answer
with all necessary parameters that arriving at the destination needs. Here, “dialer map” or “dialer string” indicates the routing
information, such as the telephone number to dial, etc.
The command dialer map:
router(config-if-serial1)#dialer map ip A.B.C.D name hostname dialer-string
ip representing protocol
A.B.C.D representing the name of the remote system
dial-string representing the dialed telephone number to arrive at the remote-end destination
The command dialer string:

pppdown1(config-if-XXX)#dialer string <STRING>
<STRING> Dialer string The telephone number of the opposite terminal
Note:
1. When it is only used to send call, the command dialer map and the telephone number string dialer-string are
necessary; the keyword name is optional.
2. If the keyword name is employed, PPP authentication must be configured. The name should be the same as the
hostname sent from the remote end.
3. If the dynamic routing is configured, the option broadcast must be added behind name hostname.
4. The command dialer map and dialer string can’t be used simultaneously.
5. The command dialer map and the keyword name are needed in the dialer callback.
2) Illustration of the command usage

6 5RXW HU e o

5RXW HU e o 0RGHP

3671
5RXW HU e
o
6
6

Illustration:
1. Router-1, Router-2 and Router-3 connects with each other through the outer MODEM and PSTN dialer.
The configuration of router1 s1 and the DDR relevant configuration are as follows:
User name and dialer-list:

Command Task
route1#configure terminal
route1(config)#dialer-list 1 protocol ip list 1001 Permits the dialer access group1 to spur DDR
dialer.
route1(config)#user route2 password 0 Maipu Configures user name and password. You can
route1(config)#user route3 password 0 Maipu configure several user names, which has no
affect on the configuration of name in dialer
map. As long as the user name corresponds
with the name in dialer map, it is ok.
route1(config)#ip access-list extended 1001 Establishes an access list 1001.
route1(config-ext-nacl)#deny ip any 224.0.0.0 The access rule is configured mainly for that
0.255.255.255 some multicasting packets that can trigger
route1(config-ext-nacl)#permit ip any any DDR dialer.
The configuration of the interface:
Command Task
route1(config)#interface serial1 Enters the interface s1.

route1(config-if-serial1)#physical-layer async Configures it as the asynchronous mode
route1(config-if-serial1)#speed 115200 Speed is 115200.
route1(config-if-serial1)#databits 8 8 data bits
route1(config-if-serial1)#stopbits 1 1 stop bit
route1(config-if-serial1)#parity none The parity bit is NULL.
route1(config-if-serial1)#flow-control none Configures the flow control as NULL.
route1(config-if-serial1)#encapsulation ppp Encapsulates PPP protocol.
route1(config-if-serial1)#ip address 10.170.0.1 255.0.0.0 Configures the IP address.
route1(config-if-serial1)#modem outer Enables the outer MODEM to be effective.
route1(config-if-serial1)#dialer in-band Specify DDR (Dial-On-Demand Routing) to
be supported
route1(config-if-serial1)# DDR hangs up link when no data stream
dialer idle-timeout 100 passes through the link within 100 seconds
after a call is created.
route1(config-if-serial1)# After the current call has been idle for 30
dialer fast-idle 30 seconds, the call gives place to another one
that is waiting.
route1(config-if-serial1)# Sends the call with telephone number
dialer map ip 10.170.0.2 name route2 4081240 4031240 to router2 with the address
10.170.0.2.
route1(config-if-serial1)# Sends the call with telephone number
dialer map ip 10.170.0.3 name route3 4081150 4081150 to router3 with the address
10.170.0.3.
route1(config-if-serial1)#dialer-group 1 The interface s1 belongs to the dialer access

group 1 (Dial up only when the data stream
according with the dialer-group1 is triggered.)
route1(config-if-serial1)#ppp authentication chap Configures chap authentication, Configure the
command as the chap originator.
route1(config-if-serial1)#ppp chap hostname route1 Configures the authenticated name
corresponding with the name in the opposite
terminal dialer map.
route1(config-if-serial1)#exit
Configuring dialer triggering route :
route1(config)#ip route 192.168.3.0 255.255.255.0 10.170.0.3

route1(config)#ip route 192.168.1.0 255.255.255.0 10.170.0.2
Note:
1.The above two routes are used to trigger the different telephone numbers that the
different directions of data stream trigger.
2.During the course, after the route1 dials on the outer modem of the route2 and constructs an access to the
route2, if there is no data sent through the s1 within 100 seconds (namely exceeding the value of idle-
timeout), the router1 will trigger modem1 to automatically disconnect the connection with the modem2 of the
route2. Within the idle time, if the route1 receives the data stream to trigger calling the route3, the timer fast-
idle will start. Within the 30 seconds the timer fast-idle times, if there is no data sent to the route2 through the
s1, the route1 will disconnect the connection with the route2 and call the route3.
3.For the answer, it should be configured as the authentication originator. At the moment of callback, two same
names can not be configured in dialer map on the side of callbacker. Besides the above, of course, the same user
name with that on a Cisco router can not also be configured at the time of authentication.
3) The example of DDR (Dial-On-Demand Routing) dialer configuration
The serial 2 of the router router-A connects to an outer modem, chooses the asynchronous mode, encapsulates the
PPP protocol (using chap authentication), is used as a backup interface and a caller and start the script of the modem:
at&f&k3%c3&c1. The serial port 0 is used as the master interface, encapsulates the HDLC protocol. The dialer adopts
the dialer map mode.
The serial 2 of the router router-B connects to an outer modem, chooses the asynchronous mode, encapsulates PPP
protocol, is used as a backup line to the serial 0 and a answer uses the script of the modem: at&f&k3%c3&c1. And the
static routing is adopted between routers.

6
6
5RXW HU e o$
:$1
6 6
5RXW HU e o%
&DO O $FNQRZO HGJH
0RGHP 3671

Illustration:
Router-A and Router-B connect with each other through their own s0, while their own s2 connects the outer modem,
which serves as a backup line to the interface s0.
The configuration of a caller:
Command Task
router-A#con t
router-A(config)# Configures the opposite terminal as a local
user answer pass 0 Maipu user and configure its password, which must
be the same as the user password configured
by the opposite terminal (namely the chap
authentication password sent by the opposite
terminal).
router-A(config)# Configures the packets triggering dialer.
dialer-list 1 protocol ip permit
router-A(config)# Establishes the MODEM dialer script.
chat-script m-con at&f&k3%c3&c1 The script name: m-con;
The script contents: at&f&k3%c3&c1
router-A(config)# int f0
router-A(config-if-fastethernet0)# ip address 195.168.1.3
255.255.255.0
router-A(config-if-fastethernet0)#exit
router-A(config-if-serial0)#phy sync
router-A(config-if-serial0)# encapsulation hdlc
ip address 128.255.1.1 255.255.0.0
router-A(config-if-serial0)# Uses the serial S2 as the backup line to the
backup interface serial2 interface s0.
router-A(config-if-serial0)# Set a 5-second delay on activating the
backup delay 5 20 secondary line after the primary line goes
down and set a 20-second delay on
deactivating the secondary line after the
primary line comes up
router-A(config-if-serial2)# physical-layer async
ppp authentication chap
ppp chap hostname caller
router-A(config-if-serial2)# ip address 192.255.255.1
255.255.255.0
router-A(config-if-serial2)# Configures the outer modem.

modem outer
router-A(config-if-serial2)# Specify DDR (Dial-On-Demand Routing) to
dialer in-band be supported
router-A(config-if-serial2)# Configures a dialer association. IP address of
dialer map ip 192.255.255.2 name answer 5148120 the opposite terminal is 192.255.255.2, the
authentication user name is answer and the
telephone number to dial is 5148120. If the
dynamic routing is employed, don’t forget to
add a word broadcast behind the telephone
number.
router-A(config-if-serial2)# Configures the MODEM script.
script connection m-con
router-A(config-if-serial2)# Defined the interesting traffic that triggers
dialer-group 1 DDR.
router-A(config)# ip route 193.168.0.0 255.255.0.0 serial0 Adds the static route.

router-A(config)# ip route 193.168.0.0 255.255.0.0 serial2
200
Command Task
router-B# configure terminal

Configures the opposite terminal as a
router-B(config)#user caller password 0 Maipu local user and configure its password,
which must be the same as the user
password configured by the opposite
terminal (namely the chap authentication
password sent by the opposite terminal).
router-B(config)#dialer-list 1 protocol ip permit Configures the packets triggering dialer.
router-B(config)# Establishes MODEM dialer script;
chat-script m-con at&f&k3%c3&c1 The script name: m-con
The script contents: at&f&k3%c3&c1
router-BÔconfigÕ# int f0
router-B(config-if-fastethernet0)#
ip address 193.168.2.3 255.255.255.0
router-B(config-if-fastethernet0)#exit
router-B(config-if-serial0)#phy sync
router-B(config-if-serial0)#encapsulation hdlc
router-B(config-if-serial0)#clock rate 64000
router-B(config-if-serial0)#ip address 128.255.1.2 255.255.0.0
router-B(config-if-serial2)# physical-layer async
router-B(config-if-serial2)# encapsulation ppp
router-B(config-if-serial2)# ppp authentication chap Configures chap authentication.

router-B(config-if-serial2)# ppp chap hostname answer Configures the name of chap
authentication.
router-B(config-if-serial2)# dialer map ip 192.255.255.1 name Of course, if this side serves only as an
caller( 5148343) answer, it will be not necessary to
configure the telephone number to dial.
router-B(config-if-serial2)# ip address 192.255.255.1
255.255.255.0
router-B(config-if-serial2)#modem outer Configures the outer modem.
router-B(config-if-serial2)# Specify DDR (Dial-On-Demand Routing)
dialer in-band to be supported
router-B(config-if-serial2)#script connection m-con Configures MODEM script.
router-B(config-if-serial2)#dialer-group 1 Defines the interesting traffic that triggers
DDR.
router-B(config)#ip route 195.168.0.0 255.255.0.0 serial0 Adds the static route

router-B(config)#ip route 195.168.0.0 255.255.0.0 serial2
Noticeable points:
z If the modem does not dial up, users should examine whether cables are connected correctly, should make sure that
the modem has been turned on, it has been configured as the mode the modem can accept the AT commands and
that it has connected reliably with the correct interface.
z When users try to open the dialer connection but the modem has no response to the access request, users should
examine whether the remote modem is configured as auto-answer or the AT command mode. They should make
sure that the remote modem has been connected to the router or to other equipment. When necessary, they can also
examine whether there is a dialer sound on the telephone line.
z If a modem can not accept an answer or send call correctly, users can also examine whether the modem script is
configured correctly through the command debug modem interface.
z When the dialer backup interface does not dial up, then dcd is down, but its flag Flags is often in the status of up
(spoofing). However, at the moment, the interface is not up really. Only when the primary line goes down and
there is data to trigger, then the dialer backup interface can dial. When it is connected correctly, the flags will be in
the status of up.
6.2.2 Dialer Callback
PPP reverse callback provides a kind of client/server relation between the two ends connected in terms of the point-to-point
mode. The function of PPP reverse callback permits the router to ask the opposite terminal router connected by dialer to call
back. The feature can be used to control access and save the charge of the remote call between routers.
Operation and procedure of reverse callback:

1. The reverse callback client originates a call. In the LCP negotiation phase of PPP, a client can use the reverse
callback option to request the reverse callback.
2. The reverse callback server determines the reverse callback request and examines the configuration of itself to validate
whether the reverse callback is employed.
3. The reverse callback client and server process the authentication through CHAP or PAP. A user name is used to
distinguish the dialer string used by the callback.
4. After the success of the first authentication, the router used as the reverse callback server will distinguish the dialer
string used by the reverse callback. The reverse callback server compares user names with the host names in the dialer-
mapping list.
5. If “dialer callback-secure” is not started, the reverse callback server will maintain the initial call when the reverse
callback isn’t configured for the authenticated user name; or else, the reverse callback server will hang up the initial call.
6. The reverse callback server uses a dialer string to originate a reverse callback. If it fails, it will not try to call again.
During the course of returning a call back, the reverse callback does not process LCP negotiation of PPP.
7. Process to call.
8. Keep on connecting.
Note:
If the caller requests to process reverse callback but the server is not be configured to accept a reverse callback, then the
answer router will maintain the initial call originated by the caller.
The relevant commands of reverse callback in the global configuration mode:
Command Description
Username username password password Creates a local authentication database based

on user names.
map-class dialer string Creates a callback mapping class.
Dialer callback-server Starts the callback server.
Dialer enable-timeout Configures the waiting time of a callback
Dialer fast-idle Configures the fast idle time when there exists
competition.
Dialer idle-timeout Configures the idle time of before hangup
Dialer wait-for-carrier-time Changes the value of the fast call rerouting
timer into twice the value of start pause timer.
The configuring commands in the interface mode:
Command Description
Dialer callback-secure Starts a secure callback (dialing up an

abnormal call).
PPP callback request Callback requestÔapplied to a clientÕ
PPP callback accept Callback acceptation
The configuration example of dialer callback:

'L DO XS

3671
5RXW HU e o$
5RXW HU e o%
&DO O EDFN
Illustration:
1. The routers Router-A and Router-B connect with each other through PSTN network. The Router-A is a dialer
requester the Router-B is a callbacker. The telephone number of the Router-A is 8001 and the number of the
Router-B is 8002.
2. The router Router-B is used as the dialer server in this example.
The configuration is as following:

Router1ÙA
router1ÙA (config)#user Maipu password 0 Maipu
router1ÉA (config)#dialer-list 1 protocol ip permit
router1ÙA (config)#int s2
router1ÙA (config-if-serial2)#ip address 100.0.0.1 255.0.0.0
router1ÉA (config-if-serial2)#enc ppp
router1ÙA (config-if-serial2)#phy async
router1ÙA (config-if-serial2)#dialer in-band
router1ÙA (config-if-serial2)#dialer-group 1
router1ÙA (config-if-serial2)#dialer map ip 100.0.0.2 name Maipu broadcast 8002
router1ÙA (config-if-serial2)#ppp callback request
router1ÉA (config-if-serial2)#ppp authentication chap
router1ÙA (config-if-serial2)#ppp chap hostname goat
Router2ÙB
router2ÙB (config)#user goat password 0 Maipu
router2ÙB (config)#dialer-list 1 protocol ip permit
router2ÙB (config)#map-class dialer goat
router2ÙB (config-map-class)#dialer callback-server
router2ÙB (config)#int s2
router2ÙB (config-if-serial2)#ip address 100.0.0.2 255.0.0.0
router2ÙB (config-if-serial2)#enc ppp
router2ÙB (config-if-serial2)#phy async
router2ÙB (config-if-serial2)#dialer in-band
router2ÙB (config-if-serial2)#dialer-group 1
router2ÙB (config-if-serial2)#dialer map ip 100.0.0.1 name goat class goat broadcast 8001
router2ÙB (config-if-serial2)#dialer callback-secure
router2ÙB (config-if-serial2)#ppp callback accept
router2ÙB (config-if-serial2)#ppp authentication chap
router2ÙB (config-if-serial2)#ppp chap hostname Maipu
Note:
1. The callbacker must be configured as the chap originator.
2. Two same names can’t be configured in the dialer map of the callbacker because a callback decides its callback
object according to name and the same names will lead that the numbers needed to call back can’t be identified.
3. The function of broadcast in dialer map is to let the dynamic routing pass.
2.3 Configuring ISDN

ISDN access interface is a physical connection between users and ISDN service providers. Presently, two different kinds of
access interfaces are defined by ISDN suggestions of ITU-T, which are respectively called Basic Rate Interface (BRI) and
Primary Rate Interface (PRI). Because the establishment of ISDN needs a dialer environment, the Maipu router adopts DDR
(Dial-on-Demand Routing) technology. So, only when relevant packets arrive, the remote-end router of will be dialed. This
technology can save charges for its users.
When the router is configured with the ISDN module, the command show run can be used to see the interface bri0
interface. In order that DDR of ISDN is achieved, the basic configuration of some routers is necessary. The following
example, will explain how to use ISDN on a Maipu router.
1) The example of ISDN BRI configuring DDR:

The following figure shows the structure of a network where one router connects to another one via ISDN. The following
example shows how to combine commands to establish ISDN and DDR. In the example, the commands “dialer map” and
chap authentication are used.
%5,
%5,
, 6'1 &DO O
17
17
, 6'1
5RXW HU e o$
5RXW HU e o%
The following is the configuration of the router-A, which adopts the dialer map and ppp chap authentication.
The configuration of router-A:
Command Task
Router-A(config)#hostname router-A When the user name of ppp chap hostname is

not configured, the chap authentication will
send the hostname configured here to the
opposing party.
router-A(config)#user router-2 password 0 Maipu Configures the opposite terminal as a local user;
configure the password (it is the same with the
user password of the caller). The user is
registered when the machine starts.
router-A(config)#dialer-list 1 protocol ip permit Defines the interesting traffic.
router-A(config)#interface fastethernet0 Configures the interface f0.
router-A(config-if-fastethernet0)#ip address 128.255.252.2
255.255.255.0
router-A(config)#exit
router-A(config)#interface bri0 Enters the bri0 configuration mode.
router-A(config-if-bri0)# Encapsulates PPP protocol and configure CHAP
encapsulation ppp authentication.
router-A(config-if-bri0)#
router-A(config-if-bri0)#ppp chap hostname router-A Configures the user name used for chap
authentication.
router-A(config-if-bri0)#
ip address 192.168.1.1 255.255.255.252
router-A(config-if-bri0)#dialer idle-timeout 60 Idle timeout
router-A(config-if-bri0)#dialer enable-timeout 5 The interval of next calls
router-A(config-if-bri0)#dialer map ip 192.168.1.2 name Defines the relevant parameters of the
router-2 51481279 destination.
router-A(config-if-bri0)#dialer-group 1 The port belongs to the dialer-group1.
router-A(config-if-bri0)#exit
router-A(config)# Configures the trigger dialer routing (it is also a
ip route 130.255.252.0 255.255.255.0 192.168.1.2 static routing).

The configuration of router-2:
Command Task
router(config)#hostname router-B
router-B(config)#user router-A password 0 Maipu
router-B(config)#dialer-list 1 protocol ip permit Configures a dialer-group.
router-B(config)#interface fastethernet0
router-B(config-if-fastethernet0)#
ip address 130.255.252.10 255.255.255.0
router-B(config)#exit
router-B(config)#interface bri0
router-B(config-if-bri0)#encapsulation ppp
router-B(config-if-bri0)#ppp authentication chap Configures CHAP authentication.
router-B(config-if-bri0)#ppp chap hostname router-B Configures the name of CHAP authentication.
router-B(config-if-bri0)#
ip address 192.168.1.2 255.255.255.252
router-B(config-if-bri0)#dialer idle-timeout 60 Configures idle time.
router-B(config-if-bri0)#dialer enable-timeout 5
router-B(config-if-bri0)# Configures the mapping of dialer.
dialer map ip 192.168.1.2 name router-A
router-B(config-if-bri0)#dialer-group 1 Configures the trigger dialer-group1.
router-B(config-if-bri0)#exit
router-B(config)#ip route 128.255.252.0 255.255.255.0
192.168.1.1
Note:
1. The static routing commands of the router-A defines the IP routing of the 130.255.252.0 network connecting to
the LAN interface inter f0 of the router router-2.
2. Interesting packet can be defined as any IP packet, and they can originate the calls to router-B.
3. Router-B is defined to accept calls through the command dialer map. There is the static routing to LAN of the
router router-A on it.
2) Debugging and monitoring
Monitoring an interface
· Display the information of the ISDN BRI interface. The used command is as follows:
router#sh int bri0
Displaying the information of the ISDN BRI interface
bri (unit number 0):
Flags: (0x8071) UP(spoofing) POINT-TO-POINT MULTICAST ARP RUNNING
Type: PPP
False up
status
Netmask 0xffffff00 Subnetmask 0xfffffffc
Metric is 0
rxFrames: 0, rxChars 0
txFrames: 0, txChars 0
DCD=down DSR=down DTR=up RTS=up CTS=down Txc=up
Here, although it can be seen that the DCD signal and DSR signal of the physical layer are DOWN, the interface is still UP.
The reason is that the technique called false UP (namely spoofing) is adopted in DDR. This word indicates that the line need
not be UP but a dialer port still forces it to be false UP. In this way, the interface can dial on demand to route its packets. All
dialer interfaces have this feature.
Display the information about some channel status of ISDN, the second layer and the third layer. The command is as follows:
router#sh isdn status
Displays the information about ISDN status
ISDN BRI0 interface
Layer 1 Status:
F7
Layer 2 Status:
TEI = 67 Ces = 01 SAPI = 00 Status = ST_MULTIFR
I-Frame: 0/0 RR: 5/5 RNR: 0/0 REJ: 0/0
SABME: 1/0 DM: 0/0 DISC: 0/0 UA: 0/1
FRMR: 0/0 TEI: 59/1
B1 channel:
Tx Frames = 0 Tx Bytes = 0, Tx Errors = 0
Rx Frames = 0 Rx Bytes = 0
B2 channel:
Tx Frames = 0 Tx Bytes = 0, Tx Errors = 0
Rx Frames = 0 Rx Bytes = 0
In this common situation, as long as the ISDN module of the router connects with the ISDN switch correctly, the command
show isdn status can be used to see that the second layer is of ST_MULTIFR status, which indicates that the D channel is
active.
The following are some other commands to examine ISDN status:

Examining the current active ISDN data channel
router#show isdn active
· Examining the situation of the ISDN calls that have been used
router#show isdn history
The ISDN Debugging Commands
The following debugging commands are very useful to detect ISDN errors. The two main ISDN commands are “debug isdn
q921” and “debug isdn q931”.
· To display the access procedure that happens on the data link layer of the access server ISDN interface D channel use:
router#debug isdn q921
· To display the establishment and backup of call on the network connection layer (the third layer) between the local router
(client) and the ISDN network use:
router#debug isdn q931
· To display the contents of ISDN i430 protocol
router#debug isdn i430
· To display the contents of the information of ISDN packets
router#debug isdn trace
The following table displays different debugging commands and their relation to the OSI
model.
The OSI layer ISDN DDR dialer
The third layer Debug isdn q931 Debug dialer events

Debug dialer packets
The second layer Debug isdn q921 Debug ppp negotiation
Debug isdn i430
Debug isdn trace
Debug isdn events
Noticeable points:
When ISDN can not achieve the connection with the opposite terminal, please check the following details:
1) Whether ISDN of the router is in ST_MULTIFR status.
2) Whether the B channel to be used by ISDN of the router is being used by other ISDN equipment.
3) Whether the called side is being used.
4) Besides these, the above debugging commands are used to examine whether the configuration is correct.
6.3 Dialup Prototype (Profile)
The dialer prototype separates logical interfaces from the ones answering for sending and accepting calls. In the dialer
prototype, a physical interface and a logical interface are bound together according to each call, so that the different
parameters of the physical interface can be chosen dynamically. The prototype separates the logical part of DDR, such as
network layers, encapsulation, and the parameters relative to dialer, from the physical interfaces answering for sending and
accepting calls.
Outline of the dialer protocol:

z The dialer interface is a logical entity that uses the dialer prototype aimed at the destination.
z The physical interface of the dialer prototype can be subject to many different dialer pools.
The included elements of a dialer interface:

z Dialer interface
z Dialer map-class
z Dialer pool
z Physical interface
6.3.1 Dialer Interface
A dialer interface is a logical entity that uses the dialer prototype aimed at the destination. The whole configuration directly
relevant to the destination will enter the configuration of the dialer interface and several dialer mappings can be designated
for a single dialer interface. One dialer mapping can be associated with parameters aimed at different calls and these
parameters are defined by respective mapping sets.
The following parameters are used to configure a dialer interface:
z The IP address of the destination network

z Encapsulating protocol
z The remote dialer name (applied to PPP CHAP)
z Dialer string or dialer mapping
z Dialer pool number
z Dialer group number
z Dialer list number
The diagram below establishes a relation between the parameters of the dialer prototype. The necessary configuring
commands are listed below the diagram as well:
Dialer string Mapping class

Dial-up interface Dialer pool ÔOptionalÕ
Dialer pool-member
Physical interface Dialer pool
The configuring commands of the dialer prototype:
Command Description
Ip address address mask Configures the IP address.

Dialer remote-name name Designates the remote router name that will be used
in CHAP authentication.
Dialer string string class map-class-name Defines the telephone number of the destination
router and support the optional mapping class.
Dialer load-threshold load Interface load beyond which the dialer will initiate
another call to the destionation
Dialer hold-queue number-of-packets Configures the number of outgoing packets to be
queued
Dialer pool number number Associates the dialer interface with the dialer pool.
Dialer-group guoup-number Creates a dialer control list and define the trigger
packets triggering DDR call.
Ppp multilink Designates that the dialer interface can employ the
PPP multilink binding. The command used on the
physical interface can be applied to the inward call;
the command used in the dialer prototype can be
applied to the outward call. If it can be applied either
to the inward call or to the outward one, it should be
simultaneously used on both the dialer interface and
the physical interface.
6.3.2 Dialer Map-class
Dialer map-class is an arbitrary element in the dialer prototype, and it can define a concrete call feature for the call to the
destination designated by a dialer string.
The relevant commands:
Command Description
Dialer idle-time seconds Prescribes the clock value of the idle timeout used
by dialer, and the default is 120s.
Dialer fast-idle seconds Prescribes all the clock value of the fast idle
timeout, and the default is 20s.
Dialer wait-for-carrier-time seconds Prescribes the time used to wait for carrier waver.
If no carrier waver is examined, the call will be
discard.
6.3.3 Dialer Pool

Each dialer interface can refer to a dialer pool, which is a group of one or more physical interfaces associated with the dialer
prototype.
A physical interface can belong to several dialer pools, and priority (Optional) can be configured for the physical interfaces
included in the dialer pool to decide the sequence for choosing the interfaces.
6.3.4 Physical Interface

A physical interface is a real interface, and it is the command “dialer pool-member” that is used to associate a physical
interface with a dialer pool, (of course, a physical interface can be associated with many dialer pools).
The relevant commands on the physical interface:
Command Description
Dialer pool-member number The parameter “number” is the number of the dialer
pool and is a decimal number within the range from
1 to 255.
Prilrity priority Configures the priority of the physical interfaces in
the dialer pool. Choosing the interface with high
priority to dial.
ppp authentication chap Configures authentication.
Note:
1. Authentication needs to be configured on the physical interface;
2. The interface dialer of the dialer prototype supports PPP protocol presently.
6.3.5 A Sample Configuration
0RGHP
0Se o MP2600 - 1

0Se o MP2600 - 3
3671 0RGHP

0RGHP
0Se o MP2600 - 2
Illustration:
1. In this figure, the router MP2600-1 connects with MP2600-2 and the MP2600-3 through a physical interface. You
can use two dialer map of DDR to configure it. Of course, you can also choose our flexible DDR (dialer prototype) to
achieve this function. In such a small network, you may not feel the flexibility of the dialer prototype. But you will feel it in a
large one because you can configure different parameters on different dialer interfaces so as to achieve different dialer aims
without dialing circularly.
The configuration is as follows:

The configuration of router-1:
Command Task
user goat password 7 [WOWWWNXSX Configures the user name.

user Maipu password 7 [WOWWWNXSX
user cisco password 7 [WOWWWNXSX
ip access-list extended 1001 Defines a dialer access list and rules of it, only the
deny ip any 224.0.0.0 0.255.255.255 data stream answering for the corresponding rule can
permit ip any any dial.
exit
dialer-list 1 protocol ip list 1001
interface dialer1 Defines a dialer interface: the remote-end

ip address 10.0.0.2 255.0.0.0 authentication name is Maipu; the dialer pool is 1,
dialer remote-name Maipu and the dialed telephone number of the opposite end
dialer pool 1 is 8005.
dialer-group 1
encapsulation ppp
dialer string 8005
exit
interface dialer2 Defines a dialer interface: the remote-end
ip address 20.0.0.2 255.0.0.0 authentication name is cisco; the dialer pool is 2, and
dialer remote-name cisco the dialed telephone number of the opposite end is
dialer pool 2 8001.
dialer-group 1
encapsulation ppp
dialer string 8001
exit
interface serial3 Defines a physical interface that is associated with

physical-layer async two dialer pools. The parameters of dialer pool 1 or 2
speed 115200 can be called, namely calling the parameters of
databits 8 dialer1 port or dialer2 port that are associated with
stopbits 1 the dialer pools.
parity none
flow-control none
dialer pool-member 1
dialer pool-member 2
ecapsulation ppp
ppp chap hostname goat
modem outer
exit
The configuration of MAIPU ROUTER-2 and MAIPU ROUTER-3:
MAIPU ROUTER-2 Maipu router-3
user goat password 7 [WOWWWNXSX user goat password 7 [WOWWWNXSX

ip access-list extended 1001 ip access-list extended 1001
deny ip any 224.0.0.0 0.255.255.255 deny ip any 224.0.0.0 0.255.255.255
permit ip any any permit ip any any
exit exit
dialer-list 1 protocol ip list 1001 dialer-list 1 protocol ip list 1001
Defines a dialer interface Defines a dialer interface.
interface dialer1 interface dialer1
ip address 10.0.0.1 255.0.0.0 ip address 20.0.0.1 255.0.0.0
dialer remote-name goat dialer remote-name goat
dialer pool 1 dialer pool 1
dialer-group 1 dialer-group 1
dialer string 8006 dialer string 8006
exit exit
Associating the physical interface with the dialer Associating the physical interface with the dialer
interface interface
interface serial3 interface serial3
physical-layer async physical-layer async
speed 115200 speed 115200
databits 8 databits 8
stopbits 1 stopbits 1
parity none parity none
flow-control none flow-control none
dialer pool-member 1 dialer pool-member 1
ppp authentication chap ppp authentication chap
ppp chap hostname Maipu ppp chap hostname cisco
modem outer modem outer
exit exit
Note:
1. In a large dialer network, you can use the dialer prototype to configure many dialer interfaces (dialer interface).
2. The ISDN network also supports the dialer prototype, and it can employ PPP multilink to bind many ISDN
interfaces.
Chapter 7 Routing Configuration
This chapter introduces routing mechanisms and how to apply many kinds of mainstream routing protocols, such as Routing
Information Protocol (RIP), Internal Routing Message PrococolÄIRMPÅ,Open Shortest Path First (OSPF), to configure a
Maipu router to achieve a network interconnection.
o A Brief Introduction to Routing

o Configuring static routes/default routes
o Configuring RIP dynamic routes
o Configuring OSPF dynamic routes
o Configuring IRMP dynamic routes
o Configuring SNSP routes
o Load balancing
o Configuring VRRP routes
o Configuring VBRP routes
o Configuring snapshot routes
o Configuring policy routes
o Configuring M-VRF routes
o Configuring routing map
o Configuring BGP dynamic routes
7. 1 A Brief Introduction to Routing

Internet protocol is a routable network protocol, in which a router executes the route addressing function.
Each router has a routing table, which plays a key role in transmitting packets. A routing table is created manually by network
administrators or dynamically by exchanging routing information with other routers. A router locates an optimal route to a given
destination from the routing table, then transmits packets following this route. The routing table includes network addresses,
network masks, routing selective metrics, interfaces to be used and the “next hop” IP address on the way to the destination (if
needed).
A route is divided into two kinds due to different destinations:
o Network route, whose destination is a network

o Host route, whose destination is a host
A route further divided into another two kinds depending on whether a router is connected to a destination directly or not.
o Direct route, The destination network is connected directly to the router

o Indirect route, The destination is connected indirectly to the router
A route is also divided into two kinds according to how the routes are generated
o Static routing, which is configured manually

o Dynamic routing, which is generated automatically by various dynamic routing protocols
Very often there are several routes to the same destination. A router uses a set of rules to select the optimal route. The rules
used by a router to select an optimal route to share the network accessibility and state with other routers is called a routing
protocol. A routing protocol contains at the following four parts:
o Transmittable network information reachable by other routers

o Receivable network information reachable by other routers
o The mechanism of selecting the optimal route based on the previous reachable information and to record this route to
the routing table.
o Responses to the changes of network topology and notification of the changes.
Maipu MP series routers supports many kinds of routing methods, which will be introduced one by one in the following
sections: the configuration and usage method of dynamic route/default route, RIPv1/v2 dynamic route, OSPF dynamic route,
and IRMP dynamic route.
7.2 Configuring Static Routes/Default Routes

The static route is the route defined by the user, and it can enable the transmission between the source and the destination to
adopt the path designated by the user.
This section describes how to configure the static route protocol of a Maipu router to interconnect networks.
The main contents of this section are as follows:
o Configuration of the static route

o Configuration the dynamic route
7.2.1 Configuring static route
The configuration of the static route includes:
a. Adding/deleting configuration of the static route
b. Configuration of the static route administrative distance
The detailed configuring commands are:
A. The relevant commands to configure static route

RouterÔconfigÕÏip routeë
Command Description
A.B.C.D The network address of the destination

Mask The network address mask of the destination
A.B.C.D mask a.b.c.d/interface a.b.c.d/interface The IP address of the next hop/the network
[distance] interface to transmit to
[distance] The value scope of the administrative
distance is from 1 to 255
Note:
1. Using the command no ip route to delete a static route
router(config)#no ip route A.B.C.D mask a.b.c.d/interface
2. In practical applications, the configuration of the static route had better adopt the IP address of the next hop. In
a point-to-multipoint network (for example, X.25 and FR), the configuration must adopt the IP address of the next hop.
The network interface configured to transmit can be only fit for the point-to-point link (for example, HDLC).
B. The following methods can also be used to configure the administrative distance of the static route.
router(config)#
Command Description
router static Enters the static route configuration mode.
distance number Configures the administrative distance, of which number is a number within the
range from 1 to 255. The form no distance can be used to delete the configured
administrative distance.
C. An example of configuring a static route

Adding a static route to the interface fasterthenet0 to reach the network 199.199.199.0
Command Task
router1#con t Configures the static route from the interface

fastethernet0 to the network section
router1(config)# ip route 199.199.199.0 255.255.255.0 fastethernet0 199.199.199.0/24.
To display the routing table of the router and checking the configuration results
router#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, M - Management
D - Redirect, E –IRMP
Gateway of last resort is not set

R 129.255.0.0/16 [120/2] via 172.25.144.1, 00:12:49, fastethernet0
R 192.168.11.0/24[120/2] via 192.168.8.1, 00:02:08,fastethernet0
S 199.199.199.0/24 [1/10] is directly connected, 00:00:03, fastethernet0
Note:
1.The form of this command no is used to delete a static route
2.The route record labeled by an underline is the configured static route
7.2.2 Configuring the default route
Command Description
router(config)#ip route 0.0.0.0 0.0.0.0 A.B.C.D A.B.C.DæIndicating the default gateway IP address
Note:
1. The default route configuration of the router is to permit IP route transmission. But in some special
situations, users can prohibit the routing function, which can be achieved in the global configuration mode
through the following command to prohibit IP route transmission:
router(config)#no ip routing
In the global configuration mode, the following command can be used to permit IP route transmission:
router(config)#ip routing
The no form of this command is used to delete a default route
7.2.3 Debugging Static routing
static routing debugging commands
Command Description
debug ip routing Traces the cource to add or delete static routing

7.3 Configuring RIP Dynamic Routing
Overview
Routing Information Protocol (RIP) exchanges routing updates through broadcasting UDP packets. A router sends out
routing updates every 30 seconds, which is called a notification. If a router does not receive any routing updates from
another router within 180 seconds or more, the routing signal related to that router is disabled. If the router does not receive
any routing updates within 240 seconds after this, the router will delete all routes related tho that route from its routing table.
RIP provides a metric, which is called a hop count, to scale different routing distances. Hop count is the number of routers
passing through a route. The hop count of a directed network is 0, while the hop count of an unreachable network is 16.
If a router has a default route, RIP will notify the route from the router to a virtual network 0.0.0.0 which does not exist.
RIP takes 0.0.0.0 as a network to deal with the default route.
RIP sends routing updates to the interface of the specified network interfaces. If the interfaces are not specified to a
network, no RIP updating information will be sent out.
RIP (Routing Information Protocol) is a kind of distance vector routing protocol serving as the routing of the mini, simple
network. This section mainly describes how to configure Maipu Router RIP to interconnect networks.
o Description of relevant commands to configure RIP

o An example of RIP configuration
o Debugging and monitoring RIP
7.3.1 The Description of Relevant Commands to Configure RIP
Configuring RIP involves these three aspects:
a. Constructing the RIP process and designating a RIP interface
b. RIP route configuration mode
c. RIP interface configuration mode
A. Configuring RIP process and designating a RIP interface

router(config)#
Command Description
router rip Enters the RIP route configuration mode.

network A.B.C.D Configures the RIP process and designates a RIP interface.
B. Configure RIP status parameters

Router(config-rip)#?
Command Description
auto-summary Makes Route Summarization valid.
default Configures the default instruction.

default-information originate [route-
Configures it as the default gateway.
map routemap-name]
Set the default metric that RIP uses to introduce other routing
default-metric metric
protocols.
neighbor ip-address Define a neighbor router exchanging route information
network network-number Associates the network with the RIP routing process.
Restrains route update of the interface, so that this interface can
passive-interface interface-name only accept the route update information sent from the other
routers but can’t send any route update information.
redistribute protocol-name [{as- Configures the route redistribution (you can choose: direct
num|process-id}] [metric metric] connection, IRMP, ospf, static route).
timers basic update invalid holddown
flush Adjusts the timer.
version {1|2} Designates the version of RIP.

address-family ipv4 vrf vrf-name Ebabke VRF in RIP.
distance distance Set RIP management distance.
distribute-list access-list-name in/out
[interface] Configure RIP route filtering.
Maximum-paths number-paths Configure RTP load balance.

offset-list access-list-name in/out
offset [interface] Add offset to RIP metrics.
Note:
1. Similarly, the command no can be used to prohibit the usage of the above commands.
2. The default mode of the version 1 is auto-summary and belongs to the generic routing protocol.
3. The default mode of the version 2 is no auto-summary and supports subnet partition.
C. Relevant commands to configure RIP of an interface
router(config-if-xxx)#
Command Description
ip rip authentication key {0|7}

string Configures authentication key for RIP v2 packets
ip rip authentication mode Configures the verification mode used by the interface (MD5 or simple
{text|md5} text authentication can be selected).
ip rip receive version {1|2|12} Accept sthe designated version on an interface.
ip rip send version {1|2|12} Sends the designated version on an interface.
7.3.2 An Example of RIP Configuration

You can use the RIP routing protocol of version 2 in the network 192.168.9.0/24, and respectively configure the router timers.
During the course of configuring the RIP dynamic routing protocol for the Maipu router to connect, the following tasks
should be finished mainly:
a. Creating the RIP process;

b. Configuring RIP interface parameters.
A. Creating the RIP process

Commmand Task
router(config)#router rip Activates RIP.
router(config-rip)#network 192.168.9.0 Creates RIP process and designate the

corresponding interface.
router(config-rip)#version 2 Defines the RIP route protocol of version 2.
router(config-rip)#timers basic 30 80 60 200 Configures the value of the router timers.
router(config-rip)#exit
B. Configuration of the RIP interface parameters
Command Task
router(config)#int s0
Configures the simple text authentication of
router(config-if-serial0)#ip rip authentication mode text
RIP on the interface 0.
router(config-if-serial0)#ip rip authentication key 0
Configures RIP authentication cipher.
Maipu
router(config-if-serial0)#ip rip send version 1 Sends the version 1.
router(confgi-if-serial0)#exit
7.3.3 Configuring RIP Authentication
Illustration:
See the figure above, the RIP authentication is configured only between RouterA and RouterB. And other configurations
are omitted.
A) RouterA is configured as follows.æ

Syntax Descriptions
RouterA#configure terminal Enter the global configuration mode.
RouterA(config)#interface s1/0 Enter the interface s1/0 configuration
mode.
RouterA(config-if-serial1/0)#ip rip authentication mode text Configure the authentication mode.
RouterA(config-if-serial1/0)#ip rip authentication key 0 maipu Configure the authentication key.
B) RouterB is configured as follows.æ

Syntax Descriptions
RouterB#configure terminal Enter the global configuration mode.
RouterB(config)#interface s1/0 Enter the interface s1/0 configuration
mode.
RouterB(config-if-serial1/0)#ip rip authentication mode text Configure the authentication mode.
RouterB(config-if-serial1/0)#ip rip authentication key 0 maipu Configure the authentication key.
3) Configure version transmitting/receiving
Note:
1) The goal of configuring version transmitting/receiving is to realize the interaction of route information among
different versions of RIP.
2) As shown in figure above, there exists no change of the configuration of RouterA; RouterB and RouterC run RIP
(Version 1). And the other configuration except the following configuration is the same for RouterB and RouterC.
A) RouterB is configured as follows.æ
Syntax Descriptions
RouterB(config)#router rip Enter the RIP configuration mode.
RouterB(config-rip)#version 1 Configure the RIP version.
RouterB(config-rip)#interface s1/0 Enter the interface configuration mode.
RouterB(config-if-serial1/0)#ip rip send version 2 Transmit RIP V2 on the interface s1/0.
RouterB(config-if-serial1/0)#ip rip receive version 2 Receive RIP V2 on the interface s1/0.
RouterB(config-if-serial1/0)#exit Exit.
B) RouterC is configured as follows.æ

Syntax Descriptions
RouterC#configure terminal Enter the global configuration mode.
RouterC(config)#router rip Enter the RIP configuration mode.
RouterC(config-rip)#version 1 Configure the RIP version.
7.3.4 RIP monitoring/debugging
Command Description
debug ip rip event Traces RIP events and messages.

show ip route rip Show the routing information of RIP has learned
7.4 Configuring OSPF Dynamic Routing
Open Shortest Path First (OSPF) is an internal gateway protocol (IGP) used to determine a route in a single Autonomous
System (AS). It is more complex, powerful, widely used anmd efficient than RIP. This section describes how to configure
OSPF dynamic route protocol for a Maipu router to interconnect networks.
The main topics covered in this section are as follows:
o Description of relevant commands configuring OSPF

o An example of OSPF configuration
o Debugging and monitoring OSPF
7.4.1 Description of Relevant Commands Configuring OSPF
Configuration of OSPF is comprised of three sections mainly:

A. Creating OSPF processes and designating OSPF interfaces;
B. OSPF route configuration mode;
C. Configuring status of OSPF for an interface.
The detailed configuring commands are as follows:
A. Configuring the OSPF process and designating an OSPF interface

router(config)#
Command Description
router ospf <1_65535>[ vrf vrfname] Enters configuring OSPF mode.
network A.B.C.D a.b.c.d area Configures the OSPF process and designate the OSPF interface.
area_num ÔA.B.C.D Use the network number of OSPF process.
a.b.c.d inverse-mask
area_num area numberÕ
Note:
1. After the OSPF process is created, the process does not know which interface or network it enters; however, it can
solve this problem through the command network. This command can designate an interface to a given area
simultaneously. The following command can be used to designate the match interface to the area 0:
router (config-ospf)#network 128.255.0.0 0.0.255.255 area 0
In the command network, all the interfaces capable of matching the pair of the addresses and the inverse mask will be
placed into a given area. 0 represents the placeholder, and 1 represents an arbitrary match.
2. The command network has the function of auto-route summary.
3. When the command network can match at least one interface address, the OSPF process runs. When the last
command network is canceled (by running the command no network…), the OSPF process will be deleted.
B. Configuring OSPF status parameters

router(config-ospf)#?
Command Description
Configures the OSPF stub area (choosing in the parameter range

area < area_id > stub
from 0 to 4294967295).
Configures the OSPF stub area (choosing in the parameter range
area < area_id > nssa
from 0 to 4294967295).
area transit_area_id virtual-link
Define a virtual link and its parameters
address
area <area_id> range <address
Configures summarize routes matching address/mask (border
mask>
routers only)
summary-address address mask
[tag tag-value] Configures OSPF IP summary address
cost reference-bandwidth Configures the bandwidth value to count charge (choosing in the
<1_4294967> parameter range from 1 to 4294967).
default Configures the default instruction.
Filters the route (the parameter is used to designate the number of
distribute-list <1_1000>
the standard access list to be filtered).
Configures the neighbor router (configuring neighbor at the time
neighbor ip-address
of NBMA).
passive-interface <interface number> Restrains a port from OSPF addressing.
redistribute<bgp connected irmp Configures the route redistribution (you can choose: direct
rip snsp static> connection, IRMP, RIP, static route).
router-id Configures OSPF router-id in IP address format
summary-address Configures IP address summaries
Note:
1. Similarly, the command NO can be used to prohibit the usage of the above command.
2. Configure the neighbor router:
In order that the OSPF router can be configured to interconnect to a no-broadcasting network, the command can be
used to configure a neighbor. In the neighboring address, ip-address is the IP address of the neighboring interface.
C. The relevant commands configuring OSPF for an interface

router(config-if-xxx)#ip ospf ?
Command Description
authentication-key 0/7 password Configures simple text authentication.
cost Configures the OSPF cost of interface.
dead-interval Configures the stagnation interval.
hello-interval Configures the interval for interface to send

HELLO packet.
message-digest-key key_id md5 0/7 password Configures MD5 authentication.

Configures OSPF network type (broadcasting
Network broadcast/non-broadcast/point-to-
network/no-broadcasting network/point-to-point
point/point-to-multipoint
network/point-to-multipoint network).
Configures time between retransmitting hello
poll-interval
packet to dead neighbor
priority Configures the priority of the router.
retransmit-interval Configures the declaration interval to retransmit

the lost connection status.
transmit-delay Configures the transmission delay of connection

status.
demand-circuit Configures OSPF demand circuit
Note:
1. On the protocol port of PPP and HDLC, the default type of OSPF network is point-to-point.
2. On the protocol port of frame relay and X25, the default type of OSPF network is non-broadcast.
D) Reset OSPF process

router#
Command Description
clear ip ospf process Reset OSPF process
Noteæ
Should reset OSPF proces with Clear command to make router-id command become effective.
7.4.2 STUB/NSSA/Route-Summary/Virtual-Link/Demand-Circuit Configuration Commands
area stub
Use the router configuration command area stub to configure the OSPF stub-area; otherwise, use the command no area
stub to disable the function.
area area_id stub
no area area_id stub
Syntax Descriptions
area_id The area-number of the stub-area. Its value range is from 0 to
4294967295 or an IP address is used to identify the stub-area.
£By default¤No area is configured as the stub area.
£Command mode¤the OSPF protocol configuration mode.
£Guide¤No category 5 LSA, namely the external LSA, can be received or transmitted in the stub area. The
neighborship among routers can not be established until the command is configured on all the routers in the stub area.
Note:
1) When a stub area is configured, the area number can not be the backbone area number. That is to say that the area
number can not be 0.
2) To cancel the stub area specified in the configuration, use the command no area area_id stub.
area nssa
An nssa area is similar to an OSPF stub area. Category 5 LSA can not be diffused from the backbone area to the nssa
area, but the external route of autonomous system can be introduced into the area by means of finite forms.
By means of redistributing category 7 AS route introduced into the nssa area, nssa can convert the category 7 external
LSA to category 5 external LSA, which will be flooded to other areas of the autonomous system through the border router in
the nssa area.
Use the command area nssa to configure an area as an nssa area (not-so-stubby area); otherwise, use the command no
area nssa to cancel the attribute nssa of the area.
area area_id nssa
no area area_id nssa
Syntax Descriptions
area_id The area-number of the nssa area. Its value range is from 0 to 4294967295
or an IP address is used to identify the nssa area.
£By default¤No area is configured as the nssa area.
£Guide¤An nssa area is similar to a stub area. Category 5 LSA can not be diffused from the backbone area to the nssa
area, but the external route of autonomous system can be introduced into the area by means of finite forms.
Note:
1) The backbone area can not be configured as the nssa area.
2) Any router in the same area must support nssa area, or else the neighborship among the routers can not be established.
3) If it is possible, try not to adopt the explicit redistribution on nssa abr because the packets converted by the router are
confused easily.
area range
Use the command area range to realize the route summary of areas; otherwise, use the command no area range to
disable it.
area area_id range address mask
no area area_id range address mask
Syntax Descriptions
area_id The OSPF area number. And its value range is from 0 to 4294967295.
address The network IP address.
mask The network IP address.mask
£By default¤No route summary area range is configured.
£Guide¤Route summary is a set of routes generated by the area border router and the AS border router and will be
announced to the neighbor routers. If network numbers in an area is successive, the area border router and the AS border
router can be configured to announce the route summary that specifies the range of network numbers. The route summary can
reduce the size of link-state database. The OSPF route summary can be classified into inter-area route summary and external
route summary. After configured with the command area range, the area border router summarizes the routes in the
configured network segment and generates a route profile summary net lsa, which is notified by the area border router to
other areas, and lsa in the network segment will not be notified any more.
Note:
1) The command area range can take effect on nothing but the area border router.
2) Use the command no area range to cancel the command route summary.
summary-address
Use the command summary-address to perform OSPF external route summary; otherwise, use the command no
summary-address to make the command out of work.
summary-address address mask [tag tag-value]
no summary-address address mask [tag tag-value]
Syntax Descriptions
address The network IP address.
mask The network IP address mask
tag-value The tag-value of the summarized ase lsa. And its value range is from 0 to
4294967295
£By default¤No the command summary-address is configured.
£Command mode¤the OSPF protocol configuration mode
£Guide¤When the route is redistributed from other protocols to OSPF, each route is singly announced in the external
link-status announcement. The command summary-address is used to summarize all redistributed routes covered by the
special network address and mask as one route. In this way, the size of OSPF link-state database can be reduced. Use the
command summary-address to summarize external routes. And the command is used to summarize all ase lsa in the
network segment and generate a summary ase lsa. Only the summary ase lsa is announced to other routers through ASBR.
Note:
1) The command can take effect on nothing but ASBR and summarize the external routes redistributed by OSPF.
2) Use the command no summary-address to cancel the summary command of the external route.
area virtual-link (Configuring a virtual link)

In OSPF, all areas must be connected directly to the backbone area. When performing network design, however, an area
may be out of the backbone area or the backbone area may be isolated. To resolve the problems above, a virtual link can be
adopted. The virtual link can be applied in the following two kinds of conditions: two isolated backbone area can be
connected together by means of configuring the virtual link; a third area, through an area (called transit area) connecting with
the backbone area, is connected to the backbone area.
area transit_area_id virtual-link address
no area transit_area_id virtual-link address
Syntax Descriptions
transit_area_id The area number of virtual-link transit area. Its value range is from 0 to
4294967295, or an IP address is used to identify the area.
Address The router ID of the virtual-link opposite end (neighbor).
£By default¤No area is configured as virtual-link.
£Guide¤
In OSPF, the backbone area must keep the full-connected state all along and all areas must be connected to the
backbone area. If the backbone area is divided into two or more parts, then some destinations are unreachable. To ensure the
prescriptions of OSPF network, a virtual-link can be employed for the isolated backbone areas and the areas that have not
been connected with the backbone area. Each virtual-link can be identified uniquely by means of the transit area and the
router ID of the virtual-link opposite end.
Configuring the demand-circuit
The demand-circuit is a network whose expenditure changes along with network usage. The expenditure can be based
on connection time and transmitted packet bits. The typical demand-circuit includes ISDN circuit, X.25SVC and dial-up
circuit. The data link need keep open for the previous OSPF. This will result in the needless expenses. After the demand-
circuit is added, OSPF Hello message and route update information are restricted on the demand-circuit, and the data link is
allowed to be close when no data is transmitted.
router(config-if-serial0/0)#ip ospf demand-circuit
Syntax Descriptions
demand-circuit Enable the demand-circuit on the interface.
Note:
1) When the demand-circuit is enabled between routers, the demand-circuit can be configured on the interface of
one side or both sides.
2) The demand-circuit can take effect only in the point-to-point interface mode or in the one-point-to-multi-point
interface mode.
Note:
1) The router configured with the virtual-link should be an area border router.
2) The virtual-link is identified by router-id of the router on the other end.
3) The two end routers configured with the virtual-link must be located in the same public area that is called virtual-link
transit area.
4) The virtual-link can be regarded as one part of the backbone area or as unnumbered point-to-point network. Its cost is
the spending of the link and can not be configured.
5) Use the command no area virtual-link to cancel the link configuration command
6) The virtual-link can not be configured through the stub area. That is to say that the virtual-link transit area can not be
the stub area.
7.4.3 Examples of OSPF configuration
A: An Example of OSPF Configuration

U RXW HU

6
6
333 +'/&
6 6
6 )U DPH
6
U HO D\
U RXW HU U RXW HU

(W KHU QHW
(W KHU QHW
Illustration:
1. In the above figure of configuration example, a PPP link runs between router-1 and the interface serial1 of router-2,
Frame Relay runs between the interface serial0 of router1 and the interface serial1 of router3, and HDLC link runs between
the router2 and the interface serial0 of router3.
2. During the course of configuring OSPF dynamic routing protocol for a Maipu router to connect, the following tasks
should be completed:
a) Establishing the OSPF process

b) Configuring OSPF interface parameters
The concrete configuration of Router1:

Command Task
router-1#configure terminal
router-1(config)#router ospf 2 Enters the status of configuring OSPF.
router-1(config-ospf )#network 1.0.0.0 0.255.255.255 area 3 Establishes the OSPF process and
router-1(config-ospf)#network 3.0.0.0 0.255.255.255 area 3 designates the corresponding OSPF
interface.
router-1(config-ospf)#network 128.255.0.0 0.0.255.255 area
3
router-1(config-ospf)# neighbor 3.3.3.2 Configures 3.3.3.2 as a neighbor.
router-1(config-ospf)#exit
router-1(config)#int s0 The type of OSPF network is non-broadcast

router-1(config-if-serial0)# ip ospf network non-broadcast (NBMA).
router-1(config-if-serial0)#exit
router-1(config)#int s1 The type of OSPF network is point-to-point.

router-1(config-if-serial1)# ip ospf network point-to-point
router-1(config)#int f0 The type of OSPF network is broadcasting.

router-1(config-if-fastethernet0)# ip ospf network
broadcast
router-1(config-if-fastethernet0)# end

Command Task
Router-2#configure terminal
router-2(config)#router ospf 2 Establishes an OSPF process and designate
the corresponding OSPF interface.
router-2(config-ospf)#network 1.0.0.0 0.255.255.255 area 3
router-2(config-ospf)#network 2.0.0.0 0.255.255.255 area 3
router-3(config)#int s0
router-2(config-if-serial0)#ip ospf network point-to-point
router-2(config-if-serial1)#end

Command Task
router-3#configure terminal
router-3(config)#router ospf 2
router-3(config-ospf)#network 2.0.0.0 0.255.255.255 area 3 Establishes an OSPF process
router-3(config-ospf)#network 3.0.0.0 0.255.255.255 area 3 and designates the
router-3(config-ospf)#network 130.255.0.0 0.0.255.255 area 3 corresponding OSPF
router-3(config-ospf)# neighbor 3.3.3.1 interface.
router-3(config-if-serial1)# ip ospf network non-broadcast
router-3(config)#int f0
router-3(config-if-fastethernet0)# ip ospf network broadcast
router-3(config-if-fastethernet0)#end
B: An Example to configurate the area virtual-link
U RXW HU

V
V
+'/&
333 $5($
V V
9L U W XDO O L QN
U RXW HU U RXW HU
$5($ $5($

(W KHU QHW
(W KHU QHW
Illustration:
1. In the above figure of configuration example, a PPP link runs between router-1 and the interface serial1 of router-2 ,and
HDLC link runs between the router2 and the interface serial0 of router3.s1 of router-1 and router-2 and s0 of router-3 are
belong to area 3,ethernet 1 of router-1 and ethernet2 of router-3 belong to are belong to backbone,but without physical link
between them. So we configuire virtual link for combine backbone.
2. During the course of configuring OSPF dynamic routing protocol for a Maipu router to connect, the following tasks
should be completed:
a) Establishing the OSPF process

b) Configuring OSPF virtual link
b) Configuring OSPF interface parameters

Command Task
router-1#con t
router-1(config)#router ospf 2 Enters the status of configuring OSPF.
router-1(config-ospf )#network 1.0.0.0 0.255.255.255 Establishes the OSPF process and
area 3 designates the corresponding OSPF
router-1(config-ospf)#network 3.0.0.0 0.255.255.255 interface.
area 3
router-1(config-ospf)#network 128.255.0.0 0.0.255.255
area 3
router-1(config-ospf)#router-id 1.1.1.2 Configure ospf process id to 1.1.1.2Ø
virtual link neighbor should configure
its router id by this
router-1(config-ospf)#area 3 virtual-link 2.2.2.2 Configure ospf virutal link ,neighbor
router id:2.2.2.2 transit area id:3
router-1(config-if-serial1)# ip ospf network point-to-

point

Command Task
Router-2#con t
router-2(config)#router ospf Establishes an OSPF process and
designate the corresponding OSPF
interface.
area 3
area 3
router-2(config-if-serial0)#ip ospf network point-to-
point
point
router-2(config-if-serial1)#end

Command Task
router-3#con t
router-3(config)#router ospf Establishes an OSPF process and
designate the corresponding OSPF
interface.
3
3
area 3
router-1(config-ospf)#router-id 2.2.2.2 Configure ospf process id to 2.2.2.2Ø

virtual link neighbor should configure
its router id by this
router-1(config-ospf)#area 3 virtual-link 1.1.1.2 Configure ospf virutal link ,neighbor

router id:1.1.1.2 transit area id:3
point
7.4.4 Debugging/Monitoring OSPF

A. The monitoring information of OSPF
Command Description
show ip ospf interface Interface: 44.1.1.1 (serial0)
(Displaying information of the Area 0
OSPF interface) Cost: 1 State: BackupDR Status: the Backup designated Router
Type: NBMA Type: non-broadcast (NBMA)
Priority: 1 The priority of the interface: 1
Designated router:
44.1.1.2 Designated Router:44.1.1.2
Backup Designated router:
44.1.1.1 Backup designated Router:44.1.1.1
Authentication: none Authentication: none
Timers:
Hello: 30 Poll: 2:00
Dead: 2:00
Retrans: 5
Neighbors MprouterID:
111.2.2.2
Neighbor Count is 1 Neighbor number:1
Interface:142.255.255.1
(fastethernet0) Area 0
Cost: 1 State: DR
Type: Broadcast
Priority: 1
Designated router:
142.255.255.1
Authentication: none
Timers:
Hello: 10 Poll: 0
Dead: 40 Retrans: 5
Neighbor Count is 0
show ip ospf interface name Interface: 44.1.1.1 (serial0) Area 0

(Monitoring the information of Cost: 1 State: BackupDR
an OSPF interface) Type: NBMA
Priority: 1
Designated router: 44.1.1.2
Backup Designated router: 44.1.1.1
Authentication: none
Timers:
Hello: 30 Poll: 2:00 Dead: 2:00 Retrans: 5
Neighbors MprouterID: 111.2.2.2
Neighbor Count is 1
show ip ospf neighbor Neighbor ID Pri State Dead Time Address serial
(Displaying OSPF neighbor) 111.2.2.2 1 Full/Dr 120 44.1.1.2 serial0
show ip ospf database [process- sh ip os da adv-router 33.33.33.33
id][adv-router [self_originate| OSPF Router with ID (4.4.4.4) (Process ID 2)
A.B.C.D]] ASE link states (AREA 0 )
(Displays lists of information Link ID ADV router Age Seq#
related to the OSPF database of CheckSum
self_originated or special .)
111.1.1.1 33.33.33.33 661 80000002
1c8a
Router link states (AREA 113 )
Link ID ADV router Age Seq#
CheckSum Link Count
33.33.33.33 33.33.33.33 448 8000000d
ee8c 1
Net link states (AREA 113 )
CheckSum Link Count
128.255.43.5 33.33.33.33 448 80000003
640f 2
ASE link states (AREA 113 )
CheckSum
111.1.1.1 33.33.33.33 661 80000002
1c8a
sh ip os da adv-router self_originate
OSPF Router with ID (4.4.4.4) (Process ID 2)
CheckSum Link Count
4.4.4.4 4.4.4.4 1091 80000004
b4ba 1
SumNet link states (AREA 0 )
CheckSum
128.255.40 4.4.4.4 1096 80000002
128a
SumASB link states (AREA 0 )
CheckSum
33.33.33.33 4.4.4.4 1091 80000001
615c
CheckSum Link Count
4.4.4.4 4.4.4.4 1091 80000008
7849 1
SumNet link states (AREA 113 )
CheckSum
138.255.43 4.4.4.4 1086 80000001
7f0e
show ip ospf database show ip ospf database network
[process-id]
[router/network/summary/
asbr-summary/external/ OSPF Router with ID (4.4.4.4) (Process ID 2)
nssa-external] [adv-router
[self_originate| A.B.C.D]]
(displays lists of detail
information related to the special Net link states (AREA 113 )LS age : 997
type OSPF database of options : <DC>
self_originated or special LS_TYPE : Net
advertising router.) Link State ID : 128.255.43.5
Advertising Router : 33.33.33.33
LS Seq Number : 0x80000003
CHECKSUM :0x640f
LS length : 32
Route : Canreach Time:0
Network Mask:255.255.252
Network:128.255.40
Att_rtr number: 2
Attached Router: 33.33.33.33
Attached Router: 4.4.4.4
Show ip ospf routing sh ip os routing
(displays lists of detail OSPF ROUTING IN VRF 0
information related to the routes OSPF PROCESS 2
calculated by spf .) Routes To Area Border:
AREA: 0
Router Cost AdvRouter NextHop(s)
RTAB_REV
4.4.4.4 0 4.4.4.4 Myself 10
AREA: 113
RTAB_REV
4.4.4.4 0 4.4.4.4 Myself 11
Routes To AS Border:
AREA: 0
RTAB_REV
AREA: 113
RTAB_REV
33.33.33.33 1000 33.33.33.33 128.255.43.5 11
Inter AREA:
RTAB_REV
AS Intra Routes:
Dest Mask LSID AdvRouter
Cost Ptype NextHop(s) Area RTAB_REV
128.255.40 255.255.252 128.255.43.5 33.33.33.33
1000 2 128.255.43.4 0.0.0.113 11
138.255.43 255.255.255 138.255.43 4.4.4.4
1000 0 138.255.43.4 0.0.0.0 10
AS External Routes:
Dest Mask LSID AdvRouter
Cost Ptype Etype NextHop(s) Area
RTAB_REV
111.1.1.1 255.255.255.255 111.1.1.1 33.33.33.33
20 5 1 128.255.43.5 0.0.0.113 11
B. OSPF debugging commands
Command Description
debug ip ospf all Displays all the debugging information.
debug ip ospf lsa Traces the link status announces.
debug ip ospf events Traces events and messages.

Traces the reception/sending of messages.
debug ip ospf packet hello / dd / lsr / lsu hello: HELLO message
/ ack / all dd: database description message
lsr: link status request message
lsu: link status update message
ack: acknowledge message on accepting link status update
all: the detailed contents of all the OSPF messages
debug ip ospf route Traces the change of the routing table.
debug ip ospf spf Traces the shortest path tree algorithm.
debug ip ospf state Traces the state machine.
debug ip ospf task Traces tasks.
debug ip ospf timer Traces the timer.
7.5 Configuring IRMP Dynamic Route

IRMP (Internal Routing Message Protocol) is a kind of dynamic routing protocol based on link status. It overcomes the
shortcomings of the Distance Vector Routing Protocol (DVRP) and does not require the heavy overhead. IRMP supports
multiple Autonomous Systems (AS), which can run independently without disturbing each other, and be fit for more large-
scale networks, so presently it is a popular routing protocol. This chapter describes how to configure the dynamic routing
protocol IRMP on Maipu routers enabling it to interconnect networks.
o Description of relevant commands configuring IRMP

o An example of IRMP configuration
o Debugging and monitoring IRMP
7.5.1 Description of relevant commands configuring IRMP
Configuring IRMP routing involves these three main principles:

A. Establishing IRMP process and designating the IRMP interface;
B. Entering the IRMP route configuration mode;
C. Entering the interface IRMP configuration mode.
A. Configuring IRMP process and designating IRMP interface

Router(config)#?
Command Description
router irmp autonomous-system Enters the IRMP route configuration mode (Autonomous
System number)
Runs IRMP on an interface within the designated network
network network-number [wild-mask] range. Network number, inverse-mask
Note:
IRMP routing protocol supports many ASes (Autonomous system) and they can run independently without disturbing
each other. The interface running IRMP can send/accept IRMP messages; however, if the interface has not been designated,
then it can not send/accept IRMP messages, and its route can not be sent from any other interface.
B. Entering the IRMP route configuration mode
router(config-irmp)#?
Command Description
Automatic summary. And only summarize direct

auto-summary
routes.
compatible oldversion Advertise external routes as internal routes

Set the default parameters (bandwidth, delay,
default-metric bandwidth delay reliability mtu loading
realibility, mtu, load) for IRMP to introduce
other routing protocols.
Define an administrative distance of the local
distance irmp distance-for-internal distance-for- external
RIMP internal routes and external routes
Distribute-list access-list-name in/out [interface] Filter the route information.
maximum-paths Choose path number when load is balanced.

Change the value of IRMP K.
metric weights TOS k1 k2 k3 k4 k5 TOS represents service type and only type 0 is
supported.
Define a neighbor router exchanging routing
neighbor ip-address interface
information.
network network-number [wild-mask] Designate the network interface running IRMP .
Prohibit the interface from sending/receiving
passive-interface interface
IRMP route information.
Redistribute protocol [route-map] Configure routing redistribution.
timers active-time minutes Adjust active timers.

When the load is of balance, configure the load
variance metric-variance-multiplier
balancing variance.
Note:
1. Similarly, the command NO can be used to prohibit the usage of the above commands.
2. Prohibiting an interface from receiving/sending IRMP messages

If you do not want IRMP to take effect on an interface, you can configure the command
passive-interface to inhibit IRMP from becoming effective on it. After the configuration,
IRMP will not receive/send IRMP message on the interface.
3. Configuring the routing filter

In some situations, it is likely required to ignore some IRMP routing information accepted or
to prohibit the neighbor router from getting some IRMP routing information. The IRMP
routing protocol can achieve it through referring to the access list.
4. Configuring routing redistribution

IRMP can share routing information of opposite parties by redistributing the routing
information of other routing protocols.
C. Relevant commands configuring IRMP of an interface
router(config-if-xxx)# ?
Command Description
ip message-digest-key irmp autonomous-sytem

Configures authentication.
key_id md5 0/7 string
Configures the interval between
ip hello-interval irmp autonomous-system seconds
HELLO messages.
ip hold-time irmp autonomous-system seconds Configures the neighbor hold-time.
Deletes the configured interval between
no ip hello-interval irmp autonomous-system
HELLO messages.
Cancels the configured neighbor hold-
no ip hold-time irmp autonomous-system
time.
ip split-horizon irmp autonomous-system
Enables split-horizon.
no ip split-horizin irmp autonomous-sytem Prohibits split-horizon.

ip summary-address irmp autonomous-system network-number Perform address summarization on the
mask interface
no ip summary-address irmp autonomous-system network-number Disable address summarization on the
mask interface.
Note:
1. When the IRMP MD5 authentication mode is configured, it must be authenticated, and the key_id of the two ends
must be congruous; 0 in the command indicates plaintext input while 7 indicates cryptograph input.
2. Configuring the interval between HELLO messages and the neighbor hold-time can be
described as follows:
The default IRMP sends HELLO messages at 5 second intervals on a broadcasting interface or a point-to-point
one, or at 60 second intervals on a NBMA interface. After accepting the HELLO messages, it will add the opposite
terminal router to the neighboring table of itself. If the neighbor already exists in the neighbor table, the neighboring
hold-timer will refresh. If the default IRMP , in the hold time, has not accepted any HELLO message sent by a
neighbor all along, it will think that the neighbor has be invalidated and it will be deleted from the neighbor table. The
default hold time will be 3 times the length of the hello time.
3. Prohibiting horizontal split

In the default situation, IRMP uses the split-horizon on an interface, and it is not recommended that split-horizon be
prohibited on a non-NBMA interface.
7.5.2 An Example of an IRMP Configuration
H

FL VFR
V
,3
1HW ZRU N
V
PDL SX
Mai
I
Illustration:
1. In the configuration above, the router cisco in the above figure is a Cisco router while Maipu is
a Maipu Router. During the course of configuring the IRMP dynamic routing protocol on a
Maipu router and CISCO router to connect each other, the following tasks should be finished.
A) Establishing IRMP process
B) Routing filtering /routing redistribution
The concrete configuration of the CISCO router:

Command Task
cisco#configure terminal
cisco(config)#router irmp 1 Starts IRMP .
cisco(config-router)#network 128.255.0.0
Runs IRMP on Ethernet.
cisco(config-router)#network 16.0.0.0 Runs IRMP on s1.
cisco(config-router)#end
The concrete configuration of the Maipu Router

Command Task
Maipu#configure terminal
Maipu(config)#router irmp 1 Starts IRMP .
Maipu(config- irmp )#network 202.1.1.0 Runs IRMP on Ethernet.
Maipu(config- irmp )#network 16.0.0.0
Runs IRMP on s1.
Maipu(config- irmp )#end
Filtering all routes on the Maipu router

Command Task
Maipu(config)#access-list 9 deny any Creates an access list (Rules can
defined according to requestion).
Maipu(config)#router irmp 1
Maipu(config- irmp )#distribute-list 9 in Applies the access list to IRMP .
Redistributing static route

Command Task
Maipu(config)#router irmp 1
Maipu(config- irmp )#redistribute static Redistributes static routing into
IRMP .
7.5.3 Debugging/monitoring IRMP

A. IRMP monitoring information
Command Description
show ip irmp interface [interface] Displays the interface information of current

IRMP .
show ip irmp neighbor [autonomous-system / detail /
Displays the neighbor information of current
interface]
IRMP .
show ip irmp topology [active / summary / network] Displays the routing information of current
IRMP .
B. Debugging commands of IRMP

Command Description
debug ip irmp events Displays the debug information of IRMP
events.
debug ip irmp route Displays the debug information of IRMP
route.
debug ip irmp timer Displays the IRMP timer.
debug ip irmp packets [hello / terse] Displays the debug information of IRMP
messages.
debug ip irmp all Displays the debug information of all the
IRMP .
Noticeable points:
o debug ip irmp packets terse displays the messages including the routing information except HELLO. debug
ip irmp packets terse detail displays the detailed information of each route.
7.6 Configuring SNSP Route
SNSP (Stub Network Search Protocol) uses Neighbor Device Search Protocol (NDSP),a protocol used to discover other
devices on either broadcast or non-broadcast media, to propagate the connected IP prefix of a stub router. SNSP was
designed for customers who do not want to usr network bandwidth for routing protocol updates.Static routing is a good
choice,but there is too much overhead to manually maintain th static route.SNSP is not CPU-intensive and is used when IP
routes are propagated dynamically on Layer2. SNSP is a perfect solution for hub and spoke topology.
o Description of relevant commands configuring SNSP

o An example of SNSP configuration
7.6.1 Description of Relevant Commands for Configuring SNSP

The commands used for configuring SNSP are very simple.
Just configure the router snsp command in the hub router and turn off any dynamic routing protocols in the spoke routers.
Spoke routers will automatically start advertising their subnets using NDSP. You do not need the router snsp command on
spoke
routers.
Router(config)#ë
Commmand Description
router snsp Activates SNSP .

ndsp run Runs NDSP
Note:
1. The command NO can be used to prohibit the application of the above command.
2. In the default situation, the router ignores the received SNSP information.
3. Use NDSP message to carry the SNSP routing message.
7.6.2 An Example of SNSP Configuration

5
,3
1HW ZRU N
5
I
I I I
5 5 5
Illustration:
1. The router R2 serves as a hub router. It is configured with SNSP and IRMP routing protocols, and executes
NDSP.
2. The low-end routers, R3, R4 and R5 run NDSP and are configured with the default route without the dynamic
route.
3. IRMP redistributes the SNSP route on the route R2.
A. The configuration of the Maipu Router R2:

Command Task
R2#configure terminal
R2(config)#router snsp Runs SNSP .
R2(config)# ndsp run Runs NDSP .
R2(config)#router irmp 1
R2(config-irmp)#network 13.0.0.0
R2(config-irmp)#redistribute snsp IRMP redistributes SNSP.
R2(config-irmp)#end
B. The configuration of the Maipu router R3 (the configuration of R4 or R5 is the same as that of R3)
Command Task
R3#configure terminal
R3(config)# ndsp run Runs NDSP.
R3(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0 Configures the default route.
R3(config)#end
7.7 Configuring VBRP

VBRPÔVirtual Backup Router ProtocolÕprovide a network management backup.
Related VBRP configuration commands
An example of VBRP configuration
Monitoring and debugging VBRP
7.7.1 Related VBRP Configuration Commands
standby authentication
The command is used to specify an authentication password for a standby group.
standby [group-number] authentication string
no standby [group-number] authentication
Syntax Description
group_number Specify a VBRP group-number whose
value range is from 0 to 255.
string Specify an authentication password whose
maximal length is 16 (by character).
£By default¤The authentication is supported and the default password is “cisco”.
£Command mode¤the interface configuration mode
Noteö
ö
If no group_number is specified in the command, its default value is 0.

standby ip
The command is used to enable a standby group or configure a virtual IP address.
standby [group-number] ip [ip-address]
no standby [group-number] ip
Syntax Description
group_number Specify a VBRP group-number whose
ip-address Specify a virtual IP address.
£By default¤The standby group is not enabled.
Note:
If no group_number is specified in the command, its default value is 0.
standby preempt
The command is used to specify whether the standby group enables VBRP preempt.
standby [group-number] preempt [delay time]
no standby [group-number] preempt
Syntax Description
group_number Specify a VBRP group_number whose
time Specify the preempt delay time (by
second), and its value range is from 0 to
3600.
£By default¤Non-preempt mode is enabled.
Note:
1) If no group_number is specified in the command, its default value is 0.
2) If no delay time is configured for preempt, the system will take preempt at once.
standby priority
The command is used to configure a priority for the standby group.
standby [group-number] priority priority
no standby [group-number] priority
Syntax Description
priority Specify a priority whose value range is
from 0 to 254.
£By default¤priorityæ100.
Note:
standby timers
The command is used to specify Hello-time and Hold-time for the standby group.
standby [group-number] timers hello-time hold-time
no standby [group-number] timers
Syntax Description
hello-time Specify the period of sending Hello
packet, and its value range is from 0 to
254.
hold-time Specify the hold-time of Hello packet (by
second), and its value range is from 4 to
255.
£By default¤hello-timeæ3 secondsØhold-time: 10 seconds
Note:
standby track
The command is used to specify a monitoring interface for the standby group.
standby [group-number] interface [decrement]
no standby [group-number] interface [decrement]
Syntax Description
interface Specify an interface for monitoring.
decrement Specify the priority decrement, and its
£By default¤No interface is monitored.
Note:
no standby
The command is used to close the standby group.
no standby [group-number]
Syntax Description
£By default¤The standby group is not enabled.
Note:
7.7.2 An Example of VBRP Configuration
, QW HU QHW
U RXW HU U RXW U
I I
3& 3&
Illustration:
As shown in figure above, pc1 and pc2 connect with Internet respectively through router1 and router2, and their default
gateways are respectively 129.255.123.100 and 129.255.123.16.
The basic VBRP configuration is listed as follows:
Command Task
router1#configure terminal Enter the global configuration
mode.
router1(config)#interface fastethernet0 Enter an Ethernet interface.
router1(config-if-fastethernet0)#ip address 129.255.123.21 255.255.0.0 Configure an IP address.
router1(config-if-fastethernet0)#standby 1 ip 129.255.123.100 Configure VBRP group-number
and virtual IP address.
router1(config-if-fastethernet0)#standby 1 priority 110 Set the VBRP priority.
router1(config-if-fastethernet0)#standby 1 preempt delay 10 Set the preempt mode and set the
delay time as 10 seconds.
B) Router2 is configured as follows:
Command Task
mode.
route2(config)#interface fastethernet0 Enter an Ethernet interface.
router2(config-if-fastethernet0)#standby 1 ip 129.255.123.100 Configure VBRP group-number
router2(config-if-fastethernet0)#standby 1 preempt delay 10 Set the preempt mode and set the
delay time as 10 seconds.
7.7.3 Monitoring and Debugging VBRP
show standby
The command is used to display all local VBRPs.
show standby [all]
£Command mode¤the privileged user mode
Noteö
ö
The command show standby can be only used to display the local configured VBRP groups. And the command show
standby all is used to display the local configured VBRP groups besides the groups learned from other routers.
debug standby errors
The command is used to display or close the information about VBRP operation error, such as unsuccessful
authentication and unauthorized version.
debug standby errors
no debug standby errors
debug standby events
The command is used to open the information debugging switch of VBRP event. And the negation of the command is
used to close the debugging switch.
debug standby events [{api|protocol|track}]
no debug standby events
Syntax Description
api Debug API information.
protocol Debug protocol information.
track Debug interface track information.
Noteö
ö
The command debug standby events is used to open all information debugging.
debug standby packets
The command is used to open the information debugging switch of VBRP packet. the negation of the command is used
to close the function of VBRP packet debugging.
debug standby packets [{coup|detail|hello|resign|terse}]
no debug standby packets
Syntax Description
coup Debug coup packet.
detail Display the detailed contents of a packet.
hello Debug Hello packet.
resign Debug Resign packet.
terse Debug coup/resign packet.
Note:
The command debug standby packets is used to open information debugging of all packets.
7.8 Configuring VRRP

VRRPÔVirtual Router Redundancy ProtocolÕcan provide a gateway backup.
Related VRRP configuration commands
An example of VRRP configuration
Monitoring and debugging VRRP
7.8.1 Related VRRP Configuration Commands
Vrrp enable/disable
The command is used to enable vrrp and specify a virtual IP address. The negation of the command is used to disable
vrrp.
Ip vrrp vrid ip ip-address
No ip vrrp vrid
Syntax Description
vrid Specify a vird number whose value range
is from 1 to 255.
ip-address Specify a virtual IP address.
£By default¤Vrrp is disabled.
Noteö
ö
A virtual IP address and a primary address of the interface must be in the same network segment.
Vrrp authentication
The command is used to enable/disable vrrp simple text authentication.
Ip vrrp vrid authentication text string
no ip vrrp vrid authentication
Syntax Description
is from 1 to 255.
string The authentication password. The
maximal length is 16 (by character).
£By default¤The authentication is enabled.
Noteö
ö
The command can not be configured until VRRP is enabled.
Vrrp preempt
The command is used to enable/disable vrrp preempt.
Ip vrrp vrid preempt
no ip vrrp vrid preempt
Syntax Description
is from 1 to 255.
£By default¤the vrrp preempt is disabled.
Noteö
ö

Vrrp priority
The command is used to configure vrrp priority.
Ip vrrp vrid priority priority
No ip vrrp vrid priority
Syntax Description
is from 1 to 255.
priority Specify a vird priority whose value range
is from 1 to 254.
£By default¤priorityæ100
Noteö
ö

Ip Vrrp timer
The command is used to configure the period of sending VRRP packets.
Ip vrrp vrid timer_advertise advertise-time
No ip vrrp vrid timers
Syntax Description
is from 1 to 255.
advertise-time Specify the period (by second) of sending
vrrp packets and its value range is from 1
to 255.
£By default¤advertise-timeæ1
Noteö
ö
Vrrp interface monitoring
The command is used to configure the interface vrrp monitors.
Ip vrrp vrid track interface [decrement]
no ip vrrp vrid track interface
Syntax Description
is from 1 to 255.
interface Specify an interface for monitoring.
decrement Specify the priority decrement.
£By default¤An interface is not be monitored.
Noteö
ö
1) The command can not be configured until VRRP is enabled.

2) if no decrement is specified, the default value of priority decrement is 10.
7.8.2 An Example of VRRP Configuration
, QW HU QHW
U RXW HU U RXW U
I I
3& 3&
Illustration:
As shown in figure above, pc1 and pc2 connect with Internet respectively through router1 and router2, and their default
gateways are respectively 129.255.123.100 and 129.255.123.16.
The basic configuration of VRRP is described as follows:
Command Task
mode.
router1(config)#interface fastethernet0 Enter an Ethernet interface.
router1(config-if-fastethernet0)#ip vrrp 1 ip-address 129.255.123.100 Configure VRRP group-number
router1(config-if-fastethernet0)#ip vrrp 1 priority 110 Set the VRRP priority.
B) Router2 is configured as follows:
Command Task
mode.
route2(config)#interface fastethernet0 Enter an Ethernet interface.
router2(config-if-fastethernet0)# ip vrrp 1 ip-address 129.255.123.100 Configure VRRP group-number
7.8.3 Monitoring and Debugging VRRP

show ip vrrp
The command is used to display all local VRRPs.
show ip vrrp
debug ip vrrp event
The command is used to display/close the event information about VRRP running.
debug ip vrrp event
no debug ip vrrp event
debug ip vrrp packet
The command is used to enable/disable the switch of VRRP packet debugging information.
debug ip vrrp packet
no debug ip vrrp packet
debug ip vrrp timer
The command is used to enable/disable the switch of VRRP timer debugging information.
debug ip vrrp timer
no debug ip vrrp timer
7. 9 Configuring Snapshot Routing

This chapter mainly describes how to configure snapshot routing on a router. Snapshot routing can be used to permit a single
router in the active-time to exchange route information with a remote node and forbid the router in the quiet-time to exchange
route information.
The main contents of this chapter are listed as follows:
Related descriptions of snapshot routing configuration commands
An example of snapshot routing configuration
Debugging snapshot routing
7. 9.1 Related Descriptions of Snapshot Routing Configuration Commands
clear snapshot quiet-time interface
The command can be used to end the quiet-time of the client router in two minutes.
Syntax Description
interface The interface name.
£By default¤The interface makes transformation according to the time of snapshot status.
£Command mode¤the global configuration mode
dialer map snapshot sequence-number dial-string

no dialer map snapshot sequence-number dial-string
The command can be use to define a dialer mapping for the snapshot routing protocol of the client router connecting
with the DDR interface, use the command. And use the negation of the command to delete a defined snapshot routing dialer
mapping.
Syntax Description
sequence-number A number within 1 and 254, used to identify a
unique dialer mapping.
dial-string A phone number of a remote snapshot server.
Dial up the number in the active-time.
£By default¤No map is configured.
snapshot client active-time quiet-time [suppress-statechange-updates] [dialer]

no snapshot client
Syntax Description
active-time The active time for regularly exchanging route upgrade
between the client and server (by minute). Its value range is
from 5 to 1000, and no default value is configured. 5 minutes
is a used-usually value.
quiet-time The quiet time there exists no route change. Its value
range is from 8 to 100000, and no default value is
configured. The minimal quiet time is active time+3.
suppress-statechange-updates Deny the exchange of route upgrade when line protocol
change from “non-active” to “active” or from “dialer
pseudo” to “full-active.”
dialer If the client router must dialup to the remote router
when there exists no routine information flow.
£By default¤The snapshot routing is disabled.
snapshot server active-time

no snapshot server
the command is used to configure a service router for snapshot routing. The negation of the command is used to deny the
service router.
Syntax Description
active-time The active time for regularly exchanging route
upgrade between the client and server (by minute).
Its value range is from 5 to 1000, and no default
value is configured. 5 minutes is a used-usually
value.
Notice:
Snapshot is supported only in the DDR dialup mode.
7. 9.2 An Example of Snapshot Routing
5 6
3671
C ISCOS YSTEMS
0RGHP
/

6 5
CISCOS YSTEMS
0RGHP
/

As shown in figure above, the interface S1/0 of the router R1 connects with the interface of router R2 through PSTN. The
RIP routing protocol is enabled on the link, snapshot routing is used to realize that the route information can be exchanged
only in the active-time, and the RIP protocol is used to discover the route from the opposite end to the loopback interface L0.
R1 serves as the snapshot routing client, and R2 serves as the snapshot routing server. The related configuration is described
as follows:
R1 is configured as follows:
Command Task
In the global mode
R1(config)#router rip Configure the RIP protocol.
R1(config-rip)#network 1.0.0.0
R1(config-rip)#exit
R1(config)#ip access-list extended 1001 Define DDR triggering data flow, shield
R1(config-ext-nacl)# deny ip any host 255.255.255.255 broadcast and multicast packets so that
R1(config-ext-nacl)# deny ip any 224.0.0.0 0.255.255.255 they have no way to trigger DDR dialup.
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)#dialer-list 1 protocol ip list 1001
In the interface configuration mode.
R1(config-if-serial1/0)#ip add 1.1.1.1 255.255.255.0 Configure related DDR operations, and
R1(config-if-serial1/0)#dialer in-band set phone number and IP address.
R1(config-if-serial1/0)#dialer-group 1
R1(config-if-serial1/0)#dialer string 602
R1(config-if-serial1/0)#phy async Configure the modem (The ISDN dialup
R1(config-if-serial1/0)#speed 115200 mode can also be adopted. About related
R1(config-if-serial1/0)#modem outer configuration, refer to sections related
with interface configuration)
R1(config-if-serial1/0)#snapshot client 5 600 dialer Enable the Snapshot client, set active-
time and quiet-time respectively as 5
minutes and 8 minutes.
R2 is configured as follows:
Command Task
In the global configuration mode.
R2(config)#router rip Configure the RIP protocol.
R2(config-rip)#exit
R1(config)#ip access-list extended 1001 Define DDR triggering data flow, shield
R1(config-ext-nacl)# deny ip any host 255.255.255.255 broadcast and multicast packets so that
R1(config-ext-nacl)# deny ip any 224.0.0.0 0.255.255.255 they have no way to trigger DDR dialup.
R1(config-ext-nacl)# permit ip any any
R1(config-ext-nacl)# exit
R1(config)#dialer-list 1 protocol ip list 1001
In the interface configuration mode
R1(config-if-serial1/0)#ip add 1.1.1.2 255.255.255.0 Configure related DDR operations, and
R1(config-if-serial1/0)#dialer in-band set phone number and IP address.
R1(config-if-serial1/0)#dialer-group 1
R1(config-if-serial1/0)#phy async Configure the modem (The ISDN dialup
R1(config-if-serial1/0)#speed 115200 mode can also be adopted. About related
R1(config-if-serial1/0)#modem outer configuration, refer to sections related
with interface configuration)
R2(config-if-serial1/0)#snapshot server 5 Enable the Snapshot server, set active-
time as 5 minutes.
7. 9.3 Monitoring and Debugging Snapshot Routing
show snapshot
The command is used to display the configuration information and current status of Snapshot.
The following information will be displayed through the command:
serial4/2 Snapshot client
Options: Stay asleep on carrier up Dialer support
Length of active period:5
Length of quiet period:200
Length of retry period:8
Current state: active, remaining time: 2 minutes
Explanations: The serial-interface s4/2 is the client and the snapshot status upgrade is denied when the interface is up. The
snapshot is permitted to trigger DDR dialup. The current status is the active time and remained time is 2 minutes.
debug snapshot
no debug snapshot
The command is used to enable/disable snapshot debugging information.
debug dialer
no debug dialer
The command is used to enable/disable DDR event debugging information.
debug dialer packet

no debug dialer packet
The command is used to enable/disable DDR packet debugging information.
debug dialer timer

no debug dialer timer
The command is used to enable/disable DDR timer debugging information.
7. 10 Configuring Policy Route

Policy route is a more flexible mechanism of routing messages than destination routing. It is a procedure that a packet is
transmitted by means of route mapping before a router routes a packet. The route mapping determines which next route the
packet will be routed to. When the shortest route path of a packet is uncertain, the policy route can be enabled to solve the
problem. And the policy route can perform routing according to source address, protocol and port-number.
Related descriptions of policy route configuration commands;
An example of policy route configuration;
Monitoring and debugging of policy route.
7.10.1 Related Descriptions of Policy Route Configuration Commands

To enable policy route, you should determine which route mapping is applied to policy route and establish a route mapping.
The route mapping is used to specify the match standard and the corresponding actions that can be taken when the match
conditions are met. There exist three aspects of policy route configuration commands: A) enabling policy routing for packet
forwarding; B) enabling rapid-switch policy routing; C) enabling local policy routing. And the configuration commands are
described in details as follows:
ip policy route-map
To enable the policy route of an interface in the interface configuration mode, execute the command ip policy route-
map. The policy route controls all packets arriving at the interface. If the policy route fails to control them, packets will go on
finding a routing table. The negation of the command is used to disclose the policy route of the interface.
ip policy route-map route-map-name
no ip policy route-map route-map-name
Syntax Description
route-map-name Specify the name of the route mapping applied to the policy
route of packet forwarding
£By default¤Nothing
Notice:
The command is enabled to disabled the rapid forwarding of the interface.
ip route-cache policy
The rapid forwarding of the policy route can enhance the rate of forwarding a packet. To enable the function, execute
the command ip route-cache policy in the interface configuration mode. After the command is enabled, the forwarding packet
received on the local interface will first be controlled by rapid buffer memory the policy route. The negation of the command
is used to disable the rapid forwarding of the policy route.
ip route-cache policy
no ip route-cache policy
ip local policy route-map
To enable the local policy route for the packets generated from the router, execute the command ip local policy route-
map in the global configuration mode so that which route mapping should be applied by the router. After the command is
enabled, the local policy route controls all packets from the router. If the policy route fails to do them, the packets will go on
finding a routing table.
ip local policy route-map route-map-name

no ip local policy route-map route-map-name
Syntax Description
route-map-name Specify the name of the route mapping applied to the local
policy route.
£By default¤Nothing.
7.10.2 An example of policy route configuration
The private line
Figure 6-10
Illustration:
1)RouterA connects with RouterB through two private lines.
2)RouterA connects with 3 PCs through the Ethernet.
3)Configure the loopback interface of RouterB as the testing point.
4) A static route is configured between RouterA and RouterB.
5)The goal of the example is to demonstrate the packet policy route based on the source IP address: RouterA sends all
data from 129.255.4.44 out of the interface S0/0 and sends all data from 129.255.4.33 out of the interface S1/0, and all other
data are routed according to the destination.
RouterA is configured as follows:
Command Task
routerA(config-if-fastethernet0)#ip address 129.255.4.11 Configure the Ethernet address.
255.255.0.0
routerA(config-if-fastethernet0)#ip policy route-map map1 Apply IP policy route map 1 to interface f0.
routerA(config-if-fastethernet0)#interface serial0/0
routerA(config-if-serial0/0)# physical-layer sync Configure the physical-layer as the
synchronism mode.
routerA(config-if-serial0/0)# encapsulation ppp Encapsulate PPP on the interface s0/0.
routerA(config-if-serial0/0)#ip address 150.1.1.1
255.255.255.0
routerA(config-if- serial0/0)#interface serial1/0
routerA(config-if-serial1/0)#physical-layer sync
routerA(config-if-serial1/0)# clock rate 64000
routerA(config-if-serial1/0)# encapsulation ppp Encapsulate PPP on the interface s1/0.
routerA(config-if-serial1/0)#ip address 151.1.1.1
255.255.255.0
routerA(config-if-serial1/0)#exit
routerA(config)# ip local policy route-map map1 Make the route use the policy map1 to route
the packets generated by itself.
routerA(config)# ip route 152.1.1.2 255.255.255.255 serial1/0 Configure the static route to the loopback
interface of RouterB.
routerA(config)#ip route 152.1.1.2 255.255.255.255 serial0/0 Configure the static route to the loopback
interface of RouterB.
routerA(config)# route-map map1 permit 10 Configure route map 1 and rule execution
number 10.
routerA(config-route-map)# match ip address 1 The match standard that adopts the policy
route for data packet to enter the Ethernet
port of the router accords with standard
access list 1.
routerA(config-route-map)#set interface serial0/0 Set the packet path: the packet is sent out of
the interface s0/0.
routerA(config-route-map)#exit
routerA(config)# route-map map1 permit 20 Configure route map 1 and rule execution
number 20.
routerA(config-route-map)# match ip address 2 The match standard that adopts the policy
route for data packet to enter the Ethernet
port of the router accords with standard
access list 2.
routerA(config-route-map)#set interface serial1/0 Set the packet path: the packet is sent out of
the interface s1/0.
routerA(config-route-map)#exit
routerA(config)#access-list 1 permit host 129.255.4.44 Set access list 1.
routerA(config)#access-list 2 permit host 129.255.4.33 Set access list 2.
RouterB is configured as follows:

Command Task
routerB(config-if-loopback0)#ip address 152.1.1.2 Configure the loopback interface as the
255.255.255.255 testing point.
routerB(config-if-serial0/0)# physical-layer sync
routerB(config-if-serial0/0)# encapsulation ppp Encapsulate PPP on the interface s0/0.
routerB(config-if-serial0/0)# ip address 151.1.1.2
255.255.255.0
routerB(config-if-serial0/0)#interface serial1/0
routerB(config-if-serial1/0)#physical-layer sync
routerB(config-if-serial1/0)# clock rate 64000
routerB(config-if-serial1/0)# encapsulation ppp Encapsulate PPP on the interface s1/0.
routerB(config-if-serial1/0)#ip address 150.1.1.2
255.255.255.0
routerB(config-if-serial1/0)#exit
routerB(config)#ip route 129.255.0.0 255.255.0.0 serial1/0 Configure the static route to the interface f0
of Route A.
routerB(config)#ip route 129.255.0.0 255.255.0.0 serial0/0 Configure the static route to the interface f0
of Route A.
7.10.3 Monitoring and Debugging of Policy Route
show ip policy
The command is used to display the policy route configuration of an interface.
show ip policy
£Command mode¤the privileged user mode.
Show ip cache policy
The command is used to display policy route buffer.
show ip cache policy
show ip cache policy detail
Show ip local policy
The command is used to display the configuration of the local policy route.
show ip local policy
debug ip policy
The command is used to trace the policy route control of a packet.
debug ip policy
no debug ip policy
7.11 Configuring M-VRF

M-VRF is a technology supporting VPN. There exist multiple VRFs on each router, and each kind of source on the router
(such as interface, IP address, protocol, control module and routing table) has its own VRF attribute. The mutual access
among the resources with different VRF is denied. M-VRF can be used to realize network isolation and address overlap.
This can realize the network security to a certain extent.
Related descriptions of M-VRF configuration commands
An example of configuring M-VRF
Monitoring and debugging M-VRF
7.11.1 Related Descriptions of M-VRF Configuration Commands
To enable M-VRF, it is necessary to generate a VRF firstly (there exists a global VRF in the system):
ip vrf
To generate a vrf, use the command ip vrf. And the negation of the command is used to delete a vrf.
ip vrf vrf-name
no ip vrf vrf-name
Syntax Description
vrfÉname Specify a name for generating a vrf.
rd
The command rd is used to specify a RD (route description character) for a generated vrf. The generated VRF can not
take effect until the RD is specified.
rd as:nn
rd ip_addr:nn
Syntax Description
as:nn As: a value within 0 and 65535;
Nn: a value within 0 and 4294967295.
ip_adr:nn Ip_addr: the value within 0.0.0.0 and 255.255.255.255
nn: the value within 0 and 65535.
£Command mode¤the vrf configuration.
Notice:
Once the RD is configured, it must be firstly deleted if it need be modified.
ip vrf forwarding
To related an interface with a valid vrf, use the command ip vrf forwarding. The negation of the command is used to
delete the relation between the interface and the vrf.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax Description
vrfÉname The vrf_name bound with the interface.
Notice:
1) After there exists a relation between an interface and an effective vrf, all configured IP addresses will be deleted.
2) An interface can establish a relation with only one vrf.
description
To describe the related vrf information, use the command description. And the negation of the command is used to
delete the description information about the vrf.
description line
no description line
Syntax Description
line The description of the interface.
ip route
The command ip route is used to expand the static route and make it support vrf. The negation of the command is used
to delete the static route.
ip route vrf vrf_name xxxx xxxx
no ip route vrf vrf_name xxxx xxxx
Syntax Description
vrfÉname The vrf name of the static route.
arp
The command arp is used to expand a static arp and make it support vrf. The negation of the command is used to delete
the static arp.
arp vrf vrf_name xxxx xxxx
no arp vrf vrf_name xxxx xxxx
Syntax Description
vrfÉname The vrf name of the static arp.
telnet
The command telnet is used to expand telnet and make it support vrf.
telnet vrf vrf_name xxxx
Syntax Description
vrfÉname Telnet the vrf_name of the server.
ping
The command ping is used to expand ping and make it support vrf.
ping vrf vrf_name xxxx
Syntax Description
vrfÉname Ping the vrf_name of the opposite-end address.
quickping
The command quickping is used to expand quickping and make it support vrf.
quickping vrf vrf_name xxxx
Syntax Description
vrfÉname Quickping the vrf_name of the opposite-end address.
clear ip route
The command clear ip route is used to expand clear ip route and make it support vrf.
clear ip route vrf vrf_name xxxx
Syntax Description
vrf_name The specified VRF_name.
traceroute
The command traceroute is used to expand traceroute and make it support vrf.
traceroute vrf vrf_name
Syntax Description
vrf_name The specified VRF_name.
7.11.2 An Example of M-VRF Configuration
Figure 6-11
Illustration:
1) As shown in figure above, the interface s2/0 of RouterA connects with the interface s1/0 of RouterB. Interfaces s2/0.1,
s2/0.2, s1/0.1 and s1/0.2 are configured respectively. For RouterA, s2/0.1ìl1 belongs to vrf A, and s2/0.2ìl2 belongs to vrf
B; For RouterB, s1/0.1ìl1 belongs to vrf A, and s1/0.2ìl2 belongs to vrf B.
2) Enable the dynamic routing protocol RIP on RouterA and RouterB.

A) RouterA is configured as follows:
Command Task
RouterA(config)#ip vrf a Create vrf a.
RouterA(config-vrf)#rd 1:1 Specify a route description character.
RouterA(config-vrf)#exit
RouterA(config)#ip vrf b Create vrf b
RouterA(config-vrf)#rd 2:2 Specify a route description character.
RouterA(config-vrf)#exit
RouterA(config)#interface loopback1 Create loopback interface 11.
RouterA(config-if-loopback1)# ip vrf forwarding a Add the interface to vrf a.
RouterA(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0 Configure an IP address.
RouterA(config-if-loopback1)#interface loopback2 Create loopback interface 12.
RouterA(config-if-loopback2)# ip vrf forwarding b Add the interface to vrf b.
RouterA(config-if-loopback2)#ip address 4.4.4.4 255.255.255.0 Configure an IP address.
RouterA(config-if-loopback2)# interface serial2/0 Enter the interface s2/0.
RouterA(config-if-serial2/0)#encapsulation frame-relay Encapsulate the frame-relay.
RouterA(config-if-serial2/0)# clock rate 128000 Configure the clock rate.
RouterA(config-if-serial2/0)#frame-relay intf-type dte Configure the dte mode.
RouterA(config-if-serial2/0)#interface serial2/0.1 Create sub-interface s2/0.1.
RouterA(config-if-serial2/0.1)#ip vrf forwarding a Add the sub-interface to vrf a.
RouterA(config-if-serial2/0.1)#frame-relay interface-dlci 100 Assign a DLCI number 100.
RouterA(config-fr-dlci)#frame-relay map ip 193.1.1.1 100 Set a mapping between the opposite-end
broadcast IP address and local-end DLCI number.
RouterA(config-if-serial2/0.1)#ip address 193.1.1.2 Configure an IP address.
255.255.255.0
RouterA(config-if-serial2/0.1)#interface serial2/0.2 Create sub-interface s2/0.1.
RouterA(config-if-serial2/0.2)#ip vrf forwarding b Add the sub-interface to vrf b.
RouterA(config-if-serial2/0.2)#frame-relay interface-dlci 200 Assign a DLCI number 200.
RouterA(config-fr-dlci)#frame-relay map ip 193.1.1.1 200 Set a mapping between the opposite-end
broadcast IP address and local-end DLCI number.
RouterA(config-if-serial2/0.2)#ip address 193.1.1.2 Configure an IP address.
255.255.255.0
RouterA(config-if-serial2/0.2)#exit
RouterA(config)#router rip Enable RIP routing protocol.
RouterA(config-rip)#address-family ipv4 vrf a Create a address-family vrf a.
RouterA(config-rip-af)#network 3.0.0.0
RouterA(config-rip-af)#exit
RouterA(config-rip)#address-family ipv4 vrf b Create a address-family vrf b.
RouterA(config-rip-af)#end The configuration ends.
B) RouterB is configured as follows:

Command Task
RouterB#configure terminal
RouterB(config)#ip vrf a
RouterB(config-vrf)#rd 1:1
RouterB(config-vrf)#exit
RouterB(config)#ip vrf b
RouterB(config-vrf)#rd 2:2
RouterB(config-vrf)#exit
RouterB(config)#interface loopback1
RouterB(config-if-loopback1)# ip vrf forwarding a
RouterB(config-if-loopback1)#ip address 1.1.1.1 255.255.255.0
RouterB(config-if-loopback1)#interface loopback2
RouterB(config-if-loopback2)# ip vrf forwarding b
RouterB(config-if-loopback2)#ip address 2.2.2.2 255.255.255.0
RouterB(config-if-loopback2)#exit
RouterB(config)#frame-relay switching
RouterB(config)#interface serial1/0
RouterB(config-if-serial1/0)#encapsulation frame-relay
RouterB(config-if-serial1/0)#frame-relay intf-type dce
RouterB(config-if-serial1/0)#interface serial1/0.1
RouterB(config-if-serial1/0.1)#ip vrf forwarding a
RouterB(config-if-serial1/0.1)#frame-relay interface-dlci 100
RouterB(config-fr-dlci)#frame-relay map ip 193.1.1.2 100
broadcast
RouterB(config-if-serial1/0.1)#ip address 193.1.1.1
255.255.255.0
RouterB(config-if-serial1/0.1)#interface serial1/0.2
RouterB(config-if-serial1/0.2)#ip vrf forwarding b
RouterB(config-if-serial1/0.2)#frame-relay interface-dlci 200
RouterB(config-fr-dlci)#frame-relay map ip 193.1.1.2 200
broadcast
RouterB(config-if-serial1/0.2)#ip address 193.1.1.1
255.255.255.0
RouterB(config-if-serial1/0.2)#exit
RouterB(config)#router rip
RouterB(config-rip)#address-family ipv4 vrf a
RouterB(config-rip-af)#network 1.0.0.0
RouterB(config-rip-af)#exit
RouterB(config-rip)#address-family ipv4 vrf b
RouterB(config-rip-af)#end
Noteö
ö
1) Any vrf can not be added to Loopback0.

2) only one vrf can be added to an interface.
7.11.3 Monitoring and Debugging M-VRF
Show ip route
The command Show ip route is used to expand Show ip route and make it support vrf.
show ip route vrf vrf_name
Syntax Description
vrfÉname Specify a vrf name.
Show arp
The command Show arp is used to expand Show arp and make it support vrf.
show arp vrf vrf_name xxxx
Syntax Description
netstat –r
The command netstat –r is used to expand netstat –r and make it support vrf.
netstat -r vrf vrf_name
Syntax Description
7.12 Load Balance
Maipu routers now supports the routing load balancing, namely, if there exist many routes to a destination, the router will add
these routes into the routing table. When the data is transferred, the data load can be transmitted through this interface link in
a certain proportion.

o Description of relevant commands supporting load balancing
o An example of load balance configuration
o Monitoring and debugging load balancing
7.12.1 Description Of Relevant Commands Supporting Load Balance
When data is transferred, it needs to close two caches in order that the data load can pass through the interface link in a
certain proportion. The concrete configuring commands are as follows:
A.Router(config)#ë
Command Description
no ip upper-cache Closes the upper cache.
B.Router(config-if-xxx)#ë
Command Description
no ip route-cache Closes the route cache.
7.12.2 An Example Load Balance Configuration
GRZQ
(
U RXW HU (
6 6
6 6
XS
A. The configuration of the Maipu router down:

Command Task
Down#configure terminal
Down(config)#router ospf 1
Down(config-ospf)#network 1.0.0.0 0.255.255.255 area 0
Down(config-ospf)#end
B. The configuration of the Maipu router router:

Command Task
Router#configure terminal
Router(config)#router ospf 1
Router(config-ospf)#network 1.0.0.0 0.255.255.255 area 0
Router(config-ospf)#end
C. The configuration of the Maipu router up:
Command Task
Up#configure terminal
Up(config)#router ospf 1
Up(config-ospf)#network 6.0.0.0 0.255.255.255 area 0
Up(config-ospf)#network 7.0.0.0 0.255.255.255 area 0
Up(config-ospf)#end
D. Executes the command show ip route on the Maipu Router up:

O 1.0.0.0/8 [110/2] via 6.6.6.2, 11:23:41, serial2
[110/2] via 7.7.7.2, 11:23:41, serial3
C 6.0.0.0/8 is directly connected, 11:24:27, serial2
O 6.6.6.1/32 [110/2] via 6.6.6.2, 11:23:41, serial2
[110/2] via 7.7.7.2, 11:23:41, serial3
O 7.7.7.1/32 [110/2] via 6.6.6.2, 11:23:41, serial2
[110/2] via 7.7.7.2, 11:23:41, serial3
C 11.11.11.11/32 is directly connected, 11:51:54, loopback0
7.12.3 Monitoring and Debugging Load Balance

When data is transferred, the extended ping can be used or the debug information of the interface is opened to observe the
load balance status.
Command Description
up#ping The interface that packets pass in or

Target IP address: 1.1.1.2 out when the packet ping is
Repeat count [5]:2 examined.
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [9]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [no]:
Press key (ctrl + shift + 6) interrupt it.
Sending 5, 76-byte ICMP Echos to 32.16.3.1 , timeout is 2 seconds:
Packet has IP options: Total option bytes = 40 .
Record route number : 9
Reply to request 0 from 32.16.3.1, size = 76, time = 149 ms.

Received packet has options:
RR : 1.1.1.1 1.1.1.2 6.6.6.2 6.6.6.1
RR : 1.1.1.1 1.1.1.2 7.7.7.2 7.7.7.1
Success rate is 100% (2/2). Round-trip min/avg/max = 149/154/159 ms.
Displays the route table.
Show ip route
Displays the times the router has
Net-r been used.
7.13 Configuring BGP Dynamic Routing Protocol
BGP (Border Gateway Protocol) is distance-vector-based path vector routing protocol. This protocol is used to transfer the
route information between autonomous systems. IGP can be used to determine the route in the autonomous system. BGP uses
TCP as the transfer protocol (port number 179). This not only ensures the reliability of all transmission, but also reduces the
resource occupied by the protocols. Presently, BGP is a factual standard of external routing. This section describes how to
configure BGP dynamic routing protocol of Maipu routers for network interconnection.
Related Descriptions of BGP Configuration Commands
Examples of BGP configuration
BGP monitoring and debugging.
7.13.1 Related Descriptions of BGP Configuration Commands
router bgp
Use the command router bgp to enable BGP and enter the BGP protocol configuration mode; otherwise, use the
negation of the command to disable BGP.
router bgp autonomous-system
no router bgp autonomous-system
Syntax Descriptions
autonomous-system Autonomous-system is the local autonomous-system number, and

its value range is from 1 to 65535.
£By default¤BGP is disabled.
£Guide¤The command can be used to enable/disable BGP and specify the local autonomous system number.
neighbor remote-as
Use the command neighbor remote-as to specify the autonomous system number of BGP peer/peer group;
otherwise, use the negation of the command to delete the autonomous system number of BGP peer/peer group.
neighbor {neighbor-address | group-name } remote-as as-number
no neighbor { neighbor-address | group-name } remote-as as-number
Syntax Descriptions
neighbor-address The IP address of the peer.

group-name The name of the peer group.
as-number The autonomous-system number of the peer/peer group.
£By default¤There exists no BGP peer/peer group.
£Command mode¤the BGP protocol configuration mode.
neighbor peer-group(Creating)
Use the command neighbor peer-group(Creating) toe create a peer group; otherwise, use the negation of the command
to delete a peer group.
neighbor group-name peer-group
no neighbor group-name peer-group
Syntax Descriptions

£By default¤There exists no peer group.
neighbor peer-group(Assigning)
Use the command neighbor peer-group (Assigning) to add a peer to the specified peer group; otherwise, use the
negation of the command to delete a peer from the specified peer group.
neighbor neighbor-address peer-group group-name
no neighbor neighbor-address peer-group group-name
Syntax Descriptions

£By default¤The command is invalid.
neighbor next-hop-self
Use the command neighbor next-hop-self to cancel the action BGP takes for the next hop in the route that need be
announced to the peer/peer group; otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } next-hop-self
no neighbor {neighbor-address | group-name } next-hop-self
Syntax Descriptions

neighbor password
Use the command neighbor password to configure MD5 authentication of the TCP connection between two BGP
peers; otherwise, use the negation of the command to cancel the configuration.
neighbor {neighbor-address | group-name } password string
no neighbor {neighbor-address | group-name } password string
Syntax Descriptions

String MD5 password.
£By default¤There exists no MD5 authentication.
neighbor advertisement-interval
Use the command neighbor advertisement-interval to configure the interval for the peer/peer group to send route
information; otherwise, use the negation of the command to restore the default interval for the peer/peer group
to send route information.
neighbor {neighbor-address | group-name } advertisement-interval seconds
no neighbor {neighbor-address | group-name } advertisement-interval seconds
Syntax Descriptions

seconds The minimal interval of sending Update message. Its
value range is from 0 to 600 seconds.
neighbor route-map
Use the command neighbor route-map to configure the route-map of the peer/peer group; otherwise, use the negation
of the command to delete the route-map of the peer/peer group.
neighbor {neighbor-address | group-name } route-map map-name {in | out }
no neighbor {neighbor-address | group-name } route-map map-name {in | out }
Syntax Descriptions

map-name The name of the route-map
in Input the announcement.
out Output the announcement.
neighbor route-reflector-client
Use the command neighbor route-reflector-client to configure the peer/peer group as the client of the route reflector;
otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } route-reflector-client
no neighbor {neighbor-address | group-name } route-reflector-client
Syntax Descriptions

neighbor send-community
Use the command neighbor send-community to send the community properties to the peer/peer group; otherwise, use
the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } send-community
no neighbor {neighbor-address | group-name } send-community
Syntax Descriptions

£By default¤No community property is sent.
neighbor timers
Use the command neighbor timers to configure the Holdtime of the specified peer/peer group; otherwise, use the
negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } timers holdtime-interval
no neighbor {neighbor-address | group-name } timers
Syntax Descriptions

holdtime-interval The specified holdtime interval.
£By default¤ The default keepalive is 60 seconds and default holdtime interval is 180 seconds.
neighbor ebgp-multihop
Use the command neighbor ebgp-multihop to allow establishing the connection with the EBGP peer/peer group that
are not connected directly with the network; otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } ebgp-multihop ttl
no neighbor {neighbor-address | group-name } ebgp-multihop
Syntax Descriptions

ttl The maximal number of hops. Its value range is
from 1 to 255.
neighbor update-source
Use the command neighbor update-source to allow internal BGP to use any operational TCP to connect with an
interface; otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } update-source interface
no neighbor {neighbor-address | group-name } update-source interface
Syntax Descriptions

interface Specify the interface for TCP connection.
£By default¤ The local interface.
neighbor distribute-list
Use the command neighbor distribute-list to configure the access list of the peer/peer group; otherwise, use the
negation of the command to cancel the configuration.
neighbor {neighbor-address | group-name } distribute-list access-list-number {in | out}
no neighbor {neighbor-address | group-name } distribute-list access-list-number {in | out}
Syntax Descriptions

access-list-name The name of the access list. Its range is from 1 to
1000.
In Input the announcement.
Out Output the announcement.
neighbor filter-list
Use the command neighbor filter-list to configure the filtering list of the peer/peer group; otherwise, use the negation
of the command to cancel the configuration.
neighbor {neighbor-address | group-name } filter-list aspath-list-number {in | out}
no neighbor {neighbor-address | group-name } filter-list access-list-number {in | out}
Syntax Descriptions

aspath-list-name AS regular expression list number. Its value
range is from 1 to 199.
In Input the announcement.
Out Output the announcement.
neighbor version
Use the command neighbor version to configure the special BGP version for receiving; otherwise, use the negation of
the command to use the default version.
neighbor {neighbor-address | group-name } version value

no neighbor {neighbor-address | group-name } version value
Syntax Descriptions

value The BGP version number.
neighbor shutdown
Use the command neighbor shutdown to close the connection with the specified neighbor; otherwise, use the negation
of the command to open the connection with the specified neighbor.
neighbor {neighbor-address | peer_group-name } shutdown

no neighbor {neighbor-address | peer_group-name } shutdown
Syntax Descriptions

peer_group-name The name of the peer group.
neighbor soft-reconfiguration inbound
Use the command neighbor soft-reconfiguration inbound to save the received corrected value; otherwise, use the
negation of the command not to save the received corrected value.
neighbor {neighbor-address | peer_group-name } soft-reconfiguration inbound

no neighbor {neighbor-address | peer_group-name } soft-reconfiguration inbound
Syntax Descriptions

peer_group-name The name of the peer group.
bgp always-compare-med
Use the command bgp always-compare-med to allow comparing the MED value of route paths from different AS
neighbors; otherwise, use the negation of the command to forbid the comparison.
bgp always-compare-med
no bgp always-compare-med
£By default¤There exists no comparison.
bgp cluster-id
Use the command bgp cluster-id to configure the cluster ID of the route reflector; otherwise, use the negation of the
command to delete the cluster ID of the route reflector.
bgp cluster-id cluster-id

no bgp cluster-id cluster-id
Syntax Descriptions
cluster-id The router ID of a single route reflector in the

cluster.
bgp router-id
Use the command bgp router-id to configure the router-id of the router; otherwise, use the negation of the command to
disable the router-id of the router.
bgp router-id router-id

no bgp router-id router-id
Syntax Descriptions
router-id The router-id of the router.

bgp confederation identifier
Use the command bgp confederation identifier to configure the bgp confederation identifier; otherwise, use the
negation of the command to remove the bgp confederation identifier.
bgp confederation identifier as-number

no bgp confederation identifier as-number
Syntax Descriptions
as-number The autonomous system number.

bgp confederation peers
Use the command bgp confederation peers to configure the autonomous system belonging to the bgp confederation;
otherwise, use the negation of the command to remove the autonomous system from the bgp confederation.
bgp confederation peers as-number

no bgp confederation peers as-number
Syntax Descriptions
as-number The autonomous system number.

bgp default local-preference
Use the command bgp default local-preference to configure the local preference; otherwise, use the negation of the
command to restore the default value of the local preference.
bgp default local-preference value
no bgp default local-preference value
Syntax Descriptions
value The local preference. Its value range is from 0 to

4294967295.
£By default¤The default value of local preference is 100.
bgp dampening
Use the command bgp dampening to configure BGP route dampening and other parameters; otherwise, use the
negation of the command to cancel the route dampening.
bgp dampening [half-life reuse suppress max-suppress-time]
no bgp dampening [half-life reuse suppress max-suppress-time]
Syntax Descriptions
half-life The half-life of the BGP route dampening. Its

reuse The route reuse limit. Its value range is from 1 to
20000.
suppress The route suppression limit. Its value range is
from 1 to 20000.
max-suppress-time The maximal suppression time. Its value range is
from 1 to 255.
£By default¤half-life : 15 minutes; reuse :750; suppress: 2000; max-suppress-time: four times of half-life.
network
Use the command network to configure the network to which BGP is sent; otherwise, use the negation of the command
to cancel the existing configuration.
network network-number [mask network-mask] [route-map map-name]
no network network-number [mask network-mask] [route-map map-name]
Syntax Descriptions
network-number The network BGP need announce.

mask The network mask.
network-mask The network mask BGP need announce.
route-map The route map.
map-name The name of the route map.
£By default¤BGP sends no route.
redistribute
Use the command redistribute to introduce the route information of other protocols; otherwise, use the negation of the
command to cancel the introduction of the route information of other protocols.
redistribute protocol [route-map map-name]
no redistribute protocol [route-map map-name]
Syntax Descriptions
protocol Specify the original route protocol that can be

introduced: connected, rip, irmp, ospf, snsp,
static.
route-map The route map.

map-name The name of the route map.
£By default¤BGP does not introduces routes of other protocols.
synchronization
Use the command synchronization to configure the synchronization between BGP and IGP; otherwise, use the negation
of the command to disable the synchronization between BGP and IGP.
synchronization
no synchronization
£By default¤ BGP is synchronous with IGP.
maximum-paths
Use the command maximum-paths to configure BGP to support load balance; otherwise, use the negation of the
command to close BGP load balance
maximum-paths number-paths
no maximum-paths
Syntax Descriptions
number-paths The maximal number of the paths of load balance

supported by BGP. Its value range is from 1 to 6.
£By default¤BGP does not support load balance.
distance bgp
Use the command distance bgp to configure the management distance of external BGP and internal BGP; otherwise,
use the negation of the command to restore the default management distance of external BGP and internal BGP distance bgp
external-distance internal-distance
no distance bgp
Syntax Descriptions
external-distance The management distance of BGP external route.

Its value range is from 1 to 255.
internal-distance The management distance of BGP internal route.
£By default¤The management distance of BGP external route is 20, and the management distance of BGP internal
route is 200.
default-metric
Use the command default-metric to configure the MED value introduced into other protocols; otherwise, use the
default-metric number
no default-metric number
Syntax Descriptions
number The MED value. Its value range is from 1 to

65535.
aggregate-address
Use the command aggregate-address to create an aggregation address in the BGP routing table; otherwise, use the
negation of the command to make the command invalid.
aggregate-address address mask [as-set] [summary-only]
no aggregate-address address mask [as-set] [summary-only]
Syntax Descriptions
address The address of the aggregation route.

mask The network mask of the aggregation route.
as-set Generate a route of AS aggregation segment.
summary-only Only aggregation routes are announced.
match as-path
Use the command match as-path to specify a matched path access list in the route map; otherwise, use the negation of
the command to cancel the configuration.
match as-path path-list-number
no match as-path path-list-number
Syntax Descriptions
path-list-number The path access list number. Its value range is

from 1 to 199.
£Command mode¤the route map configuration mode.
match ip address
Use the command match ip address to specify the matched IP address range in the route map.
match ip address access-list-number
no match ip address access-list-number
Syntax Descriptions
access-list-number The access list number.

match ip next-hop
Use the command match ip next-hop to specify the next matched IP address in route map; otherwise, use the negation
of the command to cancel the configuration.
match ip next-hop access-list-name
no match ip next-hop access-list-name
Syntax Descriptions
access-list-number The access list number.

set as-path
Use the command set as-path to add an AS number before the original AS path in the route map; otherwise, use the
set as-path [prepend as-path-string]
no set as-path [prepend as-path-string]
Syntax Descriptions
prepend Add an AS number.

as-path-string The AS number.
set community
Use the command set community to configure BGP community property in route map; otherwise, use the negation of
set community {additive | local-AS | no-advertise | no-export | none}
no set community {additive | local-AS | no-advertise | no-export | none}
Syntax Descriptions
additive Add the community property to the existing community.

local-AS Do not send the matched route out of the autonomous
system.
no-advertise Do not advertise the matched route to any peer/peer
group.
no-export Do not advertise the route with the property to any
peer/peer group out of the autonomous system except
any peer/peer group in the autonomous system.
none Delete the community property of the route.
set ip next-hop
Use the command set ip next-hop to specify the next hop for the alteration of the original route in the route map;
otherwise, use the negation of the command to cancel the configuration.
set ip next-hop ip-address
no set ip next-hop ip-address
Syntax Descriptions
ipt-address Set the IP address of the next hop.

set local-preference
Use the command set local-preference to change the local preference of the original route for the route map;
otherwise, use the negation of the command to cancel the configuration of the local preference of the original route.
set local-preference value
no set local-preference value
Syntax Descriptions
value Set the local preference.

set metric
Use the command set metric to change the property metric of the original route in the route map; otherwise, use the
set metric metric
no set metric metric
Syntax Descriptions
metric Set the property metric.

set origin
Use the command set origin to change the property origin of the original route in the route map; otherwise, use the
set origin {egp | igp | incomplete}
no set origin
Syntax Descriptions
Egp, igp,incomplete Set the property origin.

clear ip bgp
Use the command clear ip bgp to reset the BGP connection and make the configured-newly policy valid after the
configuration of route policy or BGP has been changed.
clear ip bgp {* | address | as-number}
Syntax Descriptions
* All peers.
address The IP address of the specified peer.
as-number Reset the BGP connection matching with the AS
number. The value range of AS number is from 1
to 65535.
£Command mode¤The privileged user configuration mode.
clear ip bgp dampening
Use the command clear ip bgp dampening to clear the information about route flap dampening and remove the
restraint of the restrained routes.
clear ip bgp dampening {address | mask }
Syntax Descriptions
address The network IP address used to clear the

dampening information.
mask The network mask.
clear ip bgp peer-group
Use the command clear ip bgp peer-group to reset all BGP connections of the specified peer group.
clear ip bgp peer-group group-name

Syntax Descriptions
Group-name The name of the peer group.

7.13.2 Examples of BGP Configuration
Example 1: Basic BGP configuration
Figure 8-6
Illustration:
1) The port S1/0ä192.1.1.1åof RouterA connects to the port S1/0 (192.1.1.2) of RouterB; the port S2/0ä193.1.1.1å
of RouterB connects to the port S2/0 (193.1.1.2) of RouterC;
2) The loopback addresses of three routers are respectively 1.1.1.1(RouterA), 2.2.2.2(RouterB) and 3.3.3.3(RouterC).
3) RouterA is located in AS 100, while RouterB and RouterC are located in AS 200.
A ) RouterA is configured as follows:


RouterA(config)#interface loopback0 Enter the loopback interface.
RouterA(config-if-loopback0)#ip address 1.1.1.1 Configure the IP address.
255.255.255.0
RouterA(config-if-loopback0)#interface s1/0 Enter the interface s1/0.
RouterA(config-if-serial1/0)#encapsulation hdlc Encapsulate the link-layer protocol HDLC.
RouterA(config-if-serial1/0)#ip address 192.1.1.1 Configure the IP address.
255.255.255.0
RouterA(config)#router bgp 100 Enter the BGP configuration mode.
RouterA(config-bgp)#neighbor 192.1.1.2 remote-as 200 Specify the AS number of the BGP peer.
RouterA(config-bgp)#network 1.1.1.0 mask 255.255.255.0 Configure the network to which the BGP is
sent.
RouterA(config-bgp)#exit


RouterB(config)#interface loopback0 Enter the loopback interface.
RouterB(config-if-loopback0)#ip address 2.2.2.2 Configure the IP address.
255.255.255.255
RouterB(config-if-loopback0)#interface s1/0 Enter the configuration interface s1/0.
RouterB(config-if-serial1/0)#encapsulation hdlc Encapsulate the link-layer protocol HDLC.
RouterB(config-if-serial1/0)#ip address 192.1.1.2
255.255.255.0
RouterB(config-if-serial1/0)#clock rate 9600 Configure clock rate.
RouterB(config-if-serial1/0)#interface s2/0
255.255.255.0
RouterB(config-if-serial2/0)#clock rate 9600
RouterB(config)#router bgp 200 Enter the BGP configuration mode.
RouterB(config-bgp)#neighbor 192.1.1.1 remote-as 100 Specify the AS number of the BGP peer.
RouterB(config-bgp)#neighbor 193.1.1.2 remote-as 200 The same as the above.
RouterB(config-bgp)#neighbor 193.1.1.2 next-hop-self Regard its own address as the next hop.
RouterB(config-bgp)#exit
C) RouterC is configured as follows:


RouterC(config)#interface loopback0
RouterC(config-if-loopback0)#ip address 3.3.3.3
255.255.255.255
RouterC(config-if-loopback0)#interface s2/0
RouterC(config-if-serial2/0)#encapsulation hdlc Encapsulate the link-layer protocol HDLC.
RouterC(config-if-serial2/0)#ip address 193.1.1.2
255.255.255.0
RouterC(config)#router bgp 200 Enter the BGP configuration mode.
RouterC(config-bgp)#neighbor 193.1.1.1 remote-as 200 Specify the AS number of the BGP peer.
RouterC(config-bgp)#no synchronization Set the asynchronism between BGP and IGP.
RouterC(config-bgp)#exit
Noticeö
ö
The above mainly describes the dynamic routing protocol BGP. About the configuration mode of the physical layer and
link layer, refer to the related sections.
Example 2: Configuring BGP route reflector
Figure 8-7
Illustration:
1) As shown in the figure above, the configuration of RouterA, RouterB and RouterC is the same as that of example 1.
RouterD is an additional router, belonging to AS 200, its interface s1/0 connects with the interface s1/0 of RouterC, and
their corresponding addresses are 194.1.1.1(RouterC) and 194.1.1.2(RouterD).
2) In the example above, RouterC acts as a reflector and supports two clients: RouterB and RouterC.
3) RouterA is located in AS 100, while RouterB, RouterC and RouterD is located in AS 200.
Syntax Descriptions

RouterA(config)#interface loopback0
RouterA(config-if-loopback0)#ip address 1.1.1.1 255.255.255.0
RouterA(config-if-serial1/0)#ip address 192.1.1.1 255.255.255.0
RouterA(config-bgp)#neighbor 192.1.1.2 remote-as 200 Specify the autonomous system number of
the BGP peer.
RouterA(config-bgp)#network 1.1.1.0 mask 255.255.255.0 Configure the network to which the BGP
is sent.

Syntax Descriptions

RouterB(config)#interface loopback0
RouterB(config-if-loopback0)#ip address 2.2.2.2
255.255.255.255
RouterB(config-if-loopback0)#interface s1/0
RouterB(config-if-serial1/0)#ip address 192.1.1.2 255.255.255.0
RouterB(config-if-serial2/0)#ip address 193.1.1.1 255.255.255.0
RouterB(config)#router rip Enter the RIP configuration mode.
RouterB(config-rip)#network 193.1.1.0
RouterB(config-rip)#version 2
RouterB(config-rip)#exit
RouterB(config-bgp)#neighbor 192.1.1.1 remote-as 100 Specify the autonomous system number of
the BGP peer.
RouterB(config-bgp)#neighbor 193.1.1.2 remote-as 200 The same as above.
Syntax Descriptions

RouterC(config)#interface loopback0
RouterC(config-if-loopback0)#ip address 3.3.3.3
255.255.255.255
RouterC(config-if-loopback0)#interface s1/0
255.255.255.0
RouterC(config-if-serial1/0)#interface s2/0
255.255.255.0
RouterC(config)#router rip Enter the RIP configuration mode.
RouterC(config-rip)#network 193.1.1.0
RouterC(config-rip)#network 194.1.1.0
RouterC(config-rip)#version 2
RouterC(config-rip)#exit
RouterC(config-bgp)#neighbor 193.1.1.1 remote-as 200
RouterC(config-bgp)#neighbor 194.1.1.2 remote-as 200
RouterC(config-bgp)#neighbor 193.1.1.1 route-reflector- Configure the peer as the client of the route
client reflector.
RouterC(config-bgp)#neighbor 194.1.1.2 route-reflector- Configure the peer as the client of the route
client reflector.
RouterC(config-bgp)#no synchronization Set the asynchronism between BGP and IGP.
D) RouterD is configured as follows:

Syntax Descriptions
RouterD#configure terminal Enter the global configuration mode.

RouterD(config)#interface s1/0
RouterD(config-if-serial1/0)#encapsulation hdlc Encapsulate the link-layer protocol HDLC.
RouterD(config-if-serial1/0)#ip address 194.1.1.2
255.255.255.0
RouterD(config-if-serial1/0)#clock rate 9600
RouterD(config)#router rip Enter the RIP configuration mode.
RouterD(config-rip)#network 194.1.1.0
RouterD(config-rip)#version 2
RouterD(config-rip)#exit
RouterD(config)#router bgp 200 Enter the BGP configuration mode.
RouterD(config-bgp)#neighbor 194.1.1.1 remote-as 200 Specify the autonomous system number of
the BGP peer.
RouterD(config-bgp)#no synchronization Set the asynchronism between BGP and IGP.
RouterD(config-bgp)#exit
Noticeö
ö
Example 3: Configuring BGP Routing
Figure 8-9
Illustration:
1) RouterA, RouterB, RouterC and RouterD are connected as shown in the figure above. Configure the command route-
map on RouterC and set the local-preference of the router so that the route information matching the access list (1.1.1.0/24)
can be transmitted over the path with higher local-preference.
2) RouterA is located in AS 100, while RouterB, RouterC and RouterD are located in AS 200.

Syntax Descriptions

RouterA(config)#interface loopback0
RouterA(config-if-loopback0)#ip address 1.1.1.1
255.255.255.0
RouterA(config-if-loopback0)#interface loopback1
RouterA(config-if-loopback1)#ip address 2.2.2.2
255.255.255.0
RouterA(config-if-serial1/0)#ip address 192.1.1.1
255.255.255.0
RouterA(config-if-serial1/0)#interface s2/0
RouterA(config-if-serial2/0)#encapsulation hdlc
RouterA(config-if-serial2/0)#ip address 193.1.1.1
255.255.255.0
RouterA(config-bgp)#network 1.1.1.0 mask 255.255.255.0 Configure the network to which the BGP is
sent.
RouterA(config-bgp)#network 2.2.2.0 mask 255.255.255.0 The same as above.

RouterA(config-bgp)#neighbor 192.1.1.2 remote-as 200 Specify the autonomous system number of
the BGP peer.
RouterA(config-bgp)#neighbor 193.1.1.2 remote-as 200 The same as above.

Syntax Descriptions

RouterB(config)#interface serial1/0
255.255.255.0
255.255.255.0
RouterB(config-bgp)#neighbor 192.1.1.1 remote-as 100 Specify the autonomous system number of
the BGP peer.

Syntax Descriptions

RouterC(config)#interface serial1/0
RouterC(config-if-serial1/0)# ip address 195.1.1.2
255.255.255.0
RouterC(config-if-serial1/0)#clock rate 9600
RouterC(config-if-serial1/0)#interface s2/0
255.255.255.0
RouterC(config-if-serial2/0)#clock rate 9600
RouterC(config)#ip access-list standard 1 Set the access list.
RouterC(config-std-nacl)#permit 1.1.1.0 0.0.0.255
RouterC(config-std-nacl)#exit
RouterC(config)# route-map localpref permit 10 Set the route map.
RouterC(config-route-map)# match ip address 1
RouterC(config-route-map)#set local-preference 200 Set the local preference.
RouterC(config-route-map)#exit
RouterC(config)# route-map localpref permit 20 Set the route map.
RouterC(config-route-map)#set local-preference 100 Set the local preference.
RouterC(config-route-map)#exit
RouterC(config-bgp)#neighbor 193.1.1.1 remote-as 100 Specify the autonomous system number of
the BGP peer.
RouterC(config-bgp)#neighbor 194.1.1.2 remote-as 200 The same as above.
RouterC(config-bgp)#neighbor 195.1.1.1 remote-as 200 The same as above.
RouterC(config-bgp)#neighbor 195.1.1.1 next-hop-self Regard its own address as the next hop.
RouterC(config-bgp)#neighbor 193.1.1.1 route-map Apply localpref to ingress traffic of the
localpref in neighbor 193.1.1.1.
D) RouterD is configured as follows:

Syntax Descriptions
RouterD#configure terminal Enter the global configuration mode.

RouterD(config)#interface loopback0
RouterD(config-if-loopback0)#ip address 4.4.4.4
255.255.255.0
RouterD(config-if-loopback0)#interface s1/0
255.255.255.0
RouterD(config-if- serial1/0)#interface s2/0
255.255.255.0
RouterD(config)#router bgp 200 Enter the BGP configuration mode.
RouterD(config-bgp)#neighbor 194.1.1.2 remote-as 200 Specify the autonomous system number of
the BGP peer.
RouterD(config-bgp)#neighbor 195.1.1.2 remote-as 200 The same as above.
RouterD(config-bgp)#no synchronization Set the asynchronism between BGP and IGP.
RouterD(config-bgp)#exit
Note:
7.13.3 BGP Monitoring and Debugging

show ip bgp
Use the command show ip bgp to display all BGP information.
show ip bgp [address] [mask]
Syntax Descriptions
Address Display the route of the specified IP address in the BGP

routing table.
Mask The network mask.
£Command mode¤the privileged user configuration mode
show ip bgp flap-statistics
Use the command show ip bgp flap-statistic to display the statistics information about route flap dampening.
show ip bgp flap-statistics [address ] [mask]
Syntax Descriptions
Address Display the statistics information about route flap

dampening of the specified IP address in the BGP routing
table.
Mask The network mask
show ip bgp neighbor
Use the command show ip bgp neighbor to display the information about the peer.
show ip bgp neighbor [neighbor-address]
Syntax Descriptions
neighbor-address Display the information about the specified peer.

show ip bgp regexp
Use the command show ip bgp regexp to display the route information matching with the specified AS regular
expression.
show ip bgp regexp regular-expression
Syntax Descriptions
regular-expression Display the route information matching with the specified

AS regular expression.
show ip bgp summary
Use the command show ip bgp summary to display the information about the BGP summary.
show ip bgp summary
debug ip bgp
Use the command debug ip bgp to open the BGP message debugging information switch.
debug ip bgp [address]{all | event | keepalives | open | packets | route | state | task | timer | updates }
Syntax Descriptions
Address Open the message debugging information switch of the

specified BGP peer.
All Open all debugging information switches of BGP messages.
Event Open BGP event debugging information switch.
Keepalive Open BGP keepalive debugging information switch.
Open Open BGP open debugging information switch.
Packets Open all debugging information switches of BGP messages.
Route Open BGP route debugging information switch.
State Open BGP status debugging information switch.
Task Open BGP task debugging information switch.
Timer Open BGP timer debugging information switch.
Updates Open BGP update debugging information switch.
7.14 Configuring Route-map
7.14.1 Related Descriptions of Route-map Configuration Commands

The configuration commands of IP route-map include the following commands:
route-map
Use the command route-map to configure a route-map and enter the route-map configuration mode; otherwise, use the
negation of the command to delete a route-map.
route-map map-name [ { permit | deny} [ seq-number ] ]
no route-map map-name [ [ permit | deny ] [ seq-number ] ]
Syntax Descriptions
Map-name Identify a route-map uniquely.
permit Set the match mode of the defined route-map sentence as
Permit. When satisfying all match sub-sentences of the
sentence, the route is permitted to pass the filter of the
sentence and execute the set sub-sentence of the sentence; or
else, the next sentence of the route-map will be tested.
deny Set the match mode of the defined route-map sentence as
Deny. When satisfying all match sub-sentences of the
sentence, the route is prohibited from passing the filter of the
sentence and no test of the next sentence is performed.
Seq-number A sentence used to identify a route-map. When the route-
map is applied to match, the sentence seq-number is firstly
tested.
Note:
1) The route-map can be applied to route redistribution, policy route and BGP. One route-map is composed of several
sentences and each sentence is composed of some match sub-sentences and set sub-sentences. A match sub-sentence is used
to define the match rule of the sentence and a set sub-sentence is used to define the action that will be taken after the sentence
is matched successfully. The filtering relationship among the match sub-sentences of the sentence is “And”, that is to say that
all match sub-sentences of the sentence must be satisfied fully. The filtering relationship among the route-map sentences is
“Or”, that is to say that the route-map can be regarded as matched successfully as long as one sub-sentence of the sentence is
satisfied. If no sub-sentence of the sentence is satisfied, the route-map is matched unsuccessfully. í
2) If the command parameter includes nothing but the route-map name and the match mode or sentence number is
omitted, a sentence (the sentence number is 10 and the match mode is Permit) is added by default. If the negation of the
command is adopted, then all sentences of the route-map will be deleted.
match as-path
Use the command match as-path to specify the matched path list for the route-map; otherwise, use the negation of the
command to cancel the configuration.
match as-path path-list-number
no match as-path path-list-number
Syntax Descriptions
path-list-number The path-list number. Its value range is from 1 to 199 and
multiple numbers can be input simultaneously.
£Command mode¤the route-map configuration mode.
match community
Use the command match community to specify the matched BGP community; otherwise, use the negation of the
match community community-list--number
no match community community-list--number
Syntax Descriptions
community-list--number The BGP community number. Its value range is from 1 to
199 and multiple numbers can be input simultaneously.
match extcommunity
Use the command match extcommunity to specify the matched BGP/VPN extended-community; otherwise, use the
match extcommunity extcommunity-list--number
no match extcommunity extcommunity-list--number
Syntax Descriptions
extcommunity-list--number The BGP/VPN extended-community number. Its value range is
from 1 to 199 and multiple numbers can be input
simultaneously.
match interface
Use the command match interface to specify the matched interface; otherwise, use the negation of the command to
cancel the configuration.
match interface interface-names
no match interface interface-names
Syntax Descriptions
interface-names The name of the match interface.
match ip address
Use the command match ip address the IP address range for route-map match; otherwise, use the negation of the
match ip address access-list
no match ip address access-list
Syntax Descriptions
Access-list The serial-number or name of the matched access-list.
Multiple ones can be input successively.
match ip next-hop
Use the command match ip next-hop to specify the matched IP address of the next hop for route-map; otherwise, use
the negation of the command to cancel the configuration.
match ip next-hop std-access-list
no match ip next-hop std-access-list
Syntax Descriptions
Std-access-list The standard-access-list or name that will be matched by the
next hop.
match ip route-source
Use the command match ip route-source to specify the matched route-source address; otherwise, use the negation of
match ip route-source std-access-list
no match ip route-source std-access-list
Syntax Descriptions
Std-access-list The standard-access-list number or name that is matched by
the resource-route.
match length
Use the command match length to specify the length range of the matched message; otherwise, use the negation of the
match length min-pkt-length max-pkt-length
no match length min-pkt-length max-pkt-length
Syntax Descriptions
min-pkt-length The minimal packet length
max-pkt-length The maximal packet length
match metric
Use the command match metric to specify the matched metric value; otherwise, use the negation of the command to
match metric metric-value
no match metric metric-value
Syntax Descriptions
Metric-value The matched metric values.
Multiple ones can be input.
match route-type
Use the command match route-type to specify the matched route type; otherwise, use the negation of the command to
match route-type route-type
no match route-type route-type
Syntax Descriptions
route-type The matched route type: external, internal, level-1, level-2,
local or nssa-external
match tag
Use the command match tag to specify the matched tag-value of the route information; otherwise, use the negation of
match tag tag-value
no match tag [tag-value]
Syntax Descriptions
Tag-value The matched tag value.
set as-path
Use the command set as-path to specify an AS number; otherwise, use the negation of the command to cancel the
configuration.
set as-path prepend as-path-number
no set as-path prepend as-path-number
Syntax Descriptions
as-path-number The AS number.
set community
Use the command set community to set the BGP community of the source-route in the route-map; otherwise, use the
set communtiy {additive | local-AS | no-advertise | no-export | none}
no set communtiy {additive | local-AS | no-advertise | no-export | none}
Syntax Descriptions
additive Add the community to the existing community.
local-AS Do not send the matched route out of the autonomous
system.
no-advertise Do not send the matched route to any peer/ any peer group.
no-export Announce the route with the attribute to the peer/peer group
of the autonomous system except the peer/peer group out of
the autonomous system.
None Delete the community of the route.
set ip next-hop
Use the command set ip next-hop to change the next hop of the source-route in the route-map; otherwise, use the
set ip next-hop ip-address
no set ip next-hop ip-address
Syntax Descriptions
ip-address Set the IP address of the next hop.
set local-preference
Use the command set local-preference to change the local preference of the source-route in the route-map;
otherwise, use the negation of the command to cancel the local preference of the source-route.
set local-preference value
no set local-preference value
Syntax Descriptions
value The local preference.
set metric
Use the command set metric to change the metric of the source-route in the route-map; otherwise, use the negation of
set metric metric
no set metric metric
Syntax Descriptions
metric Set the metric.
set origin
Use the command set origin to change the origin of the source-route in the route-map; otherwise, use the negation of
set origin {egp | igp | incomplete}
no set origin
Syntax Descriptions
egp, igp,incomplete Set the origin.
set automatic-tag
Use the command set automatic-tag to set the automatic-tag area; otherwise, use the negation of the command to
set automatic-tag
no set automatic-tag
set comm-list
Use the command set comm-list to adopt the community list to set the community; otherwise, use the negation of the
set comm-list std-comm-list | ext-comm-list
no set comm-list [ std-comm-list | ext-comm-list ]
Syntax Descriptions
std-comm-list The standard-community-list number (1-99).
ext-comm-list The extended-community-list number(100-199).
set dampening
Use the command set dampening to set BGP route dampening (attenuation) parameter; otherwise, use the negation of
set dampening time
no set dampening [time]
Syntax Descriptions
time The time.
set default
Use the command set default to specify the default interface for transmitting packets; otherwise, use the negation of the
set default interface interface-names
no set default interface interface-name
Syntax Descriptions
interface-name The interface name.
Multiple interfaces can be supported simultaneously.
set interface
Use the command set interface to set the interface for transmitting packets; otherwise, use the negation of the command
to cancel the configuration.
set interface interface-names
no set interface interface-name
Syntax Descriptions
Interface-name The interface name.
Multiple interfaces can be supported simultaneously.
set ip default
Use the command set ip default to specify the next hop IP address to which the packet will be transmitted; otherwise,
use the negation of the command to cancel the configuration.
set ip default next-hop ip-address
no set ip default next-hop ip-address
Syntax Descriptions
Ip-address The next hop IP address (in the form of dotted decimal
notation)
set ip df
Use the command set ip df to set the slicing-flag of an IP message; otherwise, use the negation of the command to
set ip df bit-value
no set ip df [ bit-value ]
Syntax Descriptions
bit-value The value of the slicing-bit.(0 or 1).
set ip precedence
Use the command set ip precedence to specify the priority level of an IP message; otherwise, use the negation of the
set ip precedence number | critical | flash-override | immediate | internet | network | priority | routine
no set ip precedence [ number | critical | flash-override | immediate | internet | network | priority | routine ]
Syntax Descriptions
number Priority level(0-7).
routine 0
priority 1
immediate 2
flash 3
flash-override 4
critical 5
internet 6
network 7
set ip qos-group
Use the command set ip qos-group to set the QoS group of an IP packet; otherwise, use the negation of the command to
set ip qos-group qos-group-number
no set ip qos-group [ qos-group-number ]
Syntax Descriptions
qos-group-number QOS group-number(0-99).
set ip tos
Use the command set ip tos to set the IP TOS; otherwise, use the negation of the command to cancel the configuration.
set ip tos tos-value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal
no set ip tos [ tos-value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal ]
Syntax Descriptions
tos-value The value of TOS field(0-15).
max-reliability The maximal reliability.
max-throughput The maximal throughput.
min-delay The minimal delay.
min-monetary-cost The minimal costs
set tag
Use the command set tag to configure the tag value of the OSPF route information; otherwise, use the negation of the
command to delete the configuration.
set tag tag-value
no set tag [tag-value]
Syntax Descriptions
Tag-value The configured tag-value
set weight
Use the command set weight to set the attribute weight; otherwise, use the negation of the command to cancel the
configuration.
set weight weight-value
no set weight [weight-value]
Syntax Descriptions
weight-value The weight value.
show route-map
Use the command show route-map to display the contents of the route-map.
show route-map [ routemap-name ]
Syntax Descriptions
routemap-name The name of the route-map whose contents will be
displayed.
£Command mode¤the privileged user configuration mode.
7.14.2 An Example of Configuring Route-Map

Please refer to the examples of configuring policy route and BGP route.
Chapter 8 Configuring SNA

IBM’s SNA model is very similar to the OSI reference model. The traditional SNA physical entity adopts one of the four
forms: host computer, communication controller, establishment controller and terminal. An establishment controller is always
called a cluster controller and it controls the input/output operation of peripherals (for example, a terminal). The SNA data
link control layer supports multiform media including SDLC and X.25 etc.
z Data Link Switching (DLSw)
z Synchronous data link control protocol (SDLC)
z LLC2
z QLLC
8. 1 Data Link SwitchingÔDLSwÕ
Data Link Switching (DLSw) describes peer connection establishment betwee routers, locating resources, transmitting data,
flow control and SSP (Switch-to-switch Protocol) for error correction. Data-link peer connection between routers must be
terminated according to RFC 1495, the data-link connection should be acknowledged locally. DLSw terminates transmission
of acknowledgement of the Data Link Layer and keepalive information over WAN by local acknowledgement of the local
data-link connection. Timeout of the Data Link Layer can not occur because of the local acknowledgement of data-link
connection. DLSw routers are to place multiple transmissions of data-link control to the corresponding pipelines of TCP
and send them out reliably over IP networks. If two terminal systems want to establish connection through DLSw, the
following tasks must first be completed:
Establish a peer connection

Exchange capabilities
Establishing circuit
Establishing peer connection

To exchange SNA transmission between two routers, a TCP connection should first be established.
Exchanging capabilities
After a TCP connection is established, the routers will exchange capabilities which include DLSw version number, initial
receiving window size, the value of SAPs, number of sessions supported by TCP etc. It will also transmit MAC address
tables. You can configure MAC address tables to avoid broadcasting. After exchanging capabilities DLSw partner is
ready to establish a SNA circuit.
Establishing circuit
Establishing a circuit by a group of terminal systems comprises a search for destination resources (based on MAC address)
and configurations of data-link connections of the system. An SNA device sends a probe frame (a test frame and/or a XID
frame) with destination MAC address to look for other SNA devices on the LAN. When a DLSw router receives the probe
frame, it will send a “canreach” frame to each reachable partner. If a DLSw partner can reach the specified MAC address, it
will send an “icanreach” reply frame.
A circuit is composed of three kinds of connections. The data-link connection and the TCP connection between DLSw
partners are specified by routers and local SNA. The circuit is identified by the circuit ID of the source and the destination
circuit. Each circuit ID is defined the source and destination MAC address, the source and destination LSAPs and a data link
control number. Once the circuit is established information frames can be transmitted.
The main topics discussed in this section are as follows:
o Configuring the commands relevant to DLSw

o Monitoring and examining DLSw
8.1.1 Configuring the Commands Relevant to DLSw
A. Configuring the local parameters of DLSw:
Router(config)#dlsw local-peer ?
Commmand Description
init-pacing-window Configures the size of the initial window.
peer-id ip_address <promiscuous> Sets the IP address of the local router. The parameter
promiscuous is an optional command keyword, which is used
to designate that the local router can accept the DLSw TCP
connection request of the remote-end router without
configuration.
Note:
1. Having configured the local parameters (for example, ip-address and promiscuous etc.) of the router, if you need to
alter them, you must configure them afresh only after having canceled the latest parameters through the
corresponding no command. At the same time, this no command must be executed before the other parameters of
DLSw are configured, or else other commands will be ignored.
B. Configuring the remote parameters of DLSw:
The indispensable parameters are as follows:

Router(config)#
Command Description
dlsw remote-peer list-number The group number of token-ring

The default value of the group number is 0 (It represents that it
can establish a chain with any ring group of the opposite
terminal and can establish the peer relation).
dlsw remote-peer list-number tcp ip-address is the local-peer address of the remote router. The
ip_address local router uses the IP address and the local-peer address of
itself to establish a kind of DLSw peer relation between two
routers.
The optional parameters:

Router(config)#dlsw remote-peer list-number tcp ip_address ë
Command Description
backup-peer Designates the remote-end router used as backup.

Cost Designates the cost from the local router to the remote-end
router specified by ip_address. Its valid value scope is from 1
to 5 and the default value is 3. The larger the value gets, the
higher the cost of reaching the remote-end router is.
Keepalive This is used for the remote-end router to configure the interval
to keep alive. And the value scope of the interval whose unit is
second is from 1 to 1200, the default value being 30. After the
parameter keepalive has been configured, DLSw will transmit
keepalive messages regularly on the TCP connection where no
data is transmitted.
Lf This command is used for the local router to inform the remote-
end router designated by ip_address about its maximum frame
length measured by byte so as to avoid segmenting the data
frame. The valid size is 516, 1470, 1500, 2052, 4472,
8144,11407, 11454 and 17800 bytes and the default size is 1500
bytes.
Passive This command is used to indicate that the remote-end router is
passive because the local router will not send the DLSw
connection request to the opposite router initiatively, but wait
for the connection request sent by the opposite router.
Note: router (config)#dlsw remote-peer list-number tcp ip_address backup-peer

ip_address1
1. Here, the remote-end router designated by ip_address is regarded as the backup entity of the remote router-end
designated by ip_address1, namely that the router designated by ip_address1 is primary peer while the router
designated by ip_address is backup peer. In addition, before configuring backup peer, you must configure
primary peer; while before deleting backup peer, you must delete backup peer. The same primary peer
permits having one backup peer at most.
B. Configuring the DLSw bridge group

The DLSw bridge group command can be used to connect DLSw TCP link to the Ethernet bridge group or interrupt the
connection between them. The command is as follows:
Router (config)#
Command Description
Dlsw bridge-group group-number Connects the DLSw link to the Ethernet bridge group.
The parameter group-number is used to designate the
number of the transparent bridge group that will be
connected with DLSw. The valid value ranges between 1
and 63.
Note:
The following command can be used to interrupt the link between the DLSw link and the designated Ethernet LAN
bridge group:
router (config)#no dlsw bridge-group group-number
However, this command can interrupt the SNA link relevant to the bridge group simultaneously.
D. Configuring the prohibition/activation of running DLSw:

Router (config)#
Command Description
dlsw disable Dlsw disable can be used to remove/ reconfigure DLSw,

which does not change the configuration; while the
command no dlsw disable can restart DLSw. In the default
situation, DLSw is in the active status. In a peculiar
situation, users may need to use the command dlsw disable
to reconfigure the DLSw protocol module.
E. Configuring the real time capabilities exchange of DLSw:

Router ÔconfigÕÏ
Command Description
Dlsw icanreach saps Configures the resource reachable for the local router.
Dlsw icannotreach saps Configures the series of server access points unreachable
for the local router
8.1.2 Debugging and Monitoring

Router #
Command Description
Show dlsw capabilities local Displays all the capability information about DLSw
protocol relevant to the local router.
Displaying the result as follows:
DLSw: Capabilities for local peer

vendor id (OUI) : '17A' (MP) The firm code ‘17A’ (the local
router is Maipu router)
version number : 1 DLSw V1.0 (the version number is
1)
release number : 0 The release number is 0
init pacing window : 20 The size of the initial
transmission window connecting with
TCP by DLSw is 20
unsupported saps : none
num of tcp sessions : 1 The TCP session number is 1
Command Description
show dlsw capabilities <ip-address Displays the DLSw capability information about the
ip-address> opposite router. The IP address of the opposite can be
designated.
DLSw: Capabilities for peer 179.255.255.1(2065) The remote peer address is 179.255.255.1
vendor id (OUI) : '00c' The firm code is ‘00C’; The remote
router is from Cisco.
version number :2 Supporting DLSw V2.0 (the version
number is 2)
release number :0 The release number is 0.
init pacing window : 20 The size of the initial transmission window
connecting with TCP by DLSw is 20
unsupported saps : none
num of tcp sessions :1 The TCP session number is 1.
loop prevent support : no
icanreach mac-exclusive : no
icanreach netbios-excl. : no
reachable mac addresses : none
reachable netbios names : none priority configured : no
version string : The version
version string information corresponding
: to the DLSwThe version information of
protocol software of Cisco router the DLSw protocol software of Maipu Router
Cisco Internetwork Operating System Maipu
Software
InfoExpress Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc. (c) 1999-2010 by Maipu Networks
Copyright
Compiled Tue 07-Dec-99 02:21 by phanguye
Compiled Mar 14 2002 18:43:56 by Maipuxz
The remote Router Accepted Message Sent Message The time establishing connectio
Peers: state pkts_rx pkts_tx type drops ckts TCP uptime
TCP 179.255.255.1 CONNECT 20156 21402 conf 0 1 0 03:46:30
In the global configuration mode, the above command can be executed to display the DLSw capability information of the
opposite routers connecting with the local router, and the opposite routers can be all the ones or the partial ones designated by
IP addresses. This is shown as follows:
Command Description
show dlsw peers Displays all the status of all current DLSw TCP connections
of router.
In the global configuration mode, the above command can be executed to display all the current DLSw TCP connection
status information of the local router and observe the running information of the DLSw protocol. This is showed as follows:
The above information indicates that the current DLSw TCP connection exists as a SNA circuit.
Command Description
show dlsw circuits <detail> Displays all the current DLSw TCP connection status of
router; detail indicates displaying it in details.
In the global configuration mode, the above command can be executed to display all the current DLSw TCP connection
status information of the local router and to observe the running information of the DLSw protocol. This is showed as follows
Index Local vmac address Remote vmac address Connection status Time establishing
connection
(SAP address) (SAP address)
Index local addr(lsap) remote addr(dsap) state uptime
9510608 2001.2654.5050(04) 2001.2611.0050(04) CONNECTED 02:02:34
Port:serial2 peer 179.255.255.1(2065)
Flow-Control-Tx CW:20, Permitted:29; Rx CW:20, Granted:28
RIF = --no rif--
Bytes: 2788096/2788352 Info-frames: 10891/10892
XID-frames: 2/1 UInfo-frames: 0/0
Total number of circuits connected: 1
From the above status information, we can see that no more than 29 messages are permitted to be sent and no more than 28
messages are permitted to be received through the connection. Through this connection, 2788096 bytes have been sent while
2788352 have bytes received; 10891 information frames and 2 XID frames have been sent while 10892 information frames
and 1 XID frame received after the connection has been constructed. The low-end equipment connects with the interface
serial2 of the local router, and the remote IP address is 179.255.255.1 (the remote TCP port number is 2065).
Command Description
show dlsw reachability Displays the reachable information of DLSw.
In the global configuration mode, the above command can be executed to observe the reachable information of DLSw. This
is showed as follows:
The command mac addr indicates the MAC address of the station being searched; Status indicates the result of the station
search; Loc indicates the station location; Peer/port indicates the entity/port number; rif displays the RIF in the buffer.
Command Description
debug dlsw Turns on the information-debugging switch

sending/receiving DLSw.
debug dlsw local-circuit Turns on the local information-debugging switch of DLSw
circuit event.
debug dlsw peers ip-addres <remote Turns on the DLSw event message-debugging switch of the
peer ip address> designated remote end.
8.2 Synchronous Data Link Control (SDLC)
Synchronous Data Link Control (SDLC) was developed by IBM for System Network Architecture (SNA) environments, and
it is the first bit-oriented synchronous protocol among all link-layer protocols. SDLC defines two types of network nodes:
master node and secondary node. The master node controls other workstations (called secondary nodes) and polls the
secondaries in a predetermined order. If a secondary node has data to send, it can transmit them only when it is polled by the
master node. In working procedure, the master node will establish, terminate and manage links.
The main topics in this section are as follows:
o The relevant configuring commands of SDLC

o The relevant operations for configuring SDLC on an interface
o Examining the debugging information of SDLC
o The typical organizing network mode of SNA application
o The typical SNA configuration of a Maipu router
8.2.1 The Relevant Configuring Commands of SDLC

Set the serial port protocol as the SDLC encapsulation mode.
Router(config-if-xxx)# encapsulation sdlc
The relevant commands on a serial port is as follows:

Router(config-if-xxx)#sdlc ?
Command Description
address sdlc_address <xid-passthru | This command can be used to designate the physical
xid-poll> address of the equipment connected with the corresponding
interface of router. The router can, through this address,
establish a link layer connection with the lower-end
equipment.
The indispensable command parameters are as follows:

The parameter sdlc-address represents the address
assigned to the low-end physical equipment, and its valid
value is a hexadecimal numeral within the range from 01 to
FE.
The optional command words are as follows:
The command word xid-poll indicates that the type of the

physical equipment designated by sdlc_address is PU2.1;
It needs a given discovery frame to originate the link
connection procedure.
The command word xid-passthru indicates that router does

not process any accepted XID frames in the data
transmission procedure. This configuration is usually
applied to minicomputer whose up-end host computer is of
AS/400 class, while it is rarely applied to the down-end
router.
vmac vmac_address The parameter vmac_address designates the VMAC
address of a given interface. It is a hexadecimal numeral
character string separated by “.”. Its format is like
XXXX.XXXX.XXXX, of which X represents any a
hexadecimal numeral within 0-F.
Executes the command to designate a VMAC address for

the current interface. This address is used to identify each
other when all equipment hanged by the interface
establishes communication link with the up-end SNA
equipment.
xid sdlc_address xid Executes this command to configure XID values for the
low-end equipment designated by sdlc_address. A XID
value is used for the up-end SNA equipment to identify the
low-end equipment.

The parameter sdlc_address represents the address of the
low-end equipment whose XID value need be designated.
The parameter xid represents the value that need be

designated. Its format is like XXXXXXXX, of which X
represents any a hexadecimal numeral within 0-F.
partner partners_mac_address Execute this command to configure MAC address of the
sdlc_address opposite terminal for the low-end equipment belonging to
the SDLC interface.

The parameter partners_mac_addres represents the
opposite terminal MAC address corresponding to the low-
end equipment. Its format is the same as that of the VMAC
parameter.
The parameter sdlc_address represents the physical

address of the low-end equipment that needs to be
configured.
dlsw local_sdlc_address A series of low-end equipment configured on the interface
can be associated with DLSw TCP connection through this
command. Without this association, the corresponding
equipment will not be used.
The parameter local_sdlc_addres designates a series of

low-end equipment addresses, which are separated by
blanks.
delay-response Delays the response time.
K Sets the size of the transmission window.
N2 Sets the retransmission times after timeout.
poll-pause-timer Sets the polling interval.
sdlc-largest-frame Configures the length parameter of the maximum
information frame permitted by the low-end equipment.
T1 Sets the waiting time for the latest frame.
Note:
1. The command sdlc xid sdlc_address xid is useful only when the type of the low-end equipment is PU2.0. In the
situation that the command words xid-passthru and xid-poll have be configured in the command sdlc address,
configuring XID value will not take effect. In addition, before XID value is configured, the physical address of the
corresponding low-end equipment must first be configured, or else the corresponding XID value can not be
configured. When configuring XID value, users must ensure it is consistent with the configuration of the up-end
equipment, or else the SNA connection can not be established.
2. When configuring the command sdlc partner partners_mac_address sdlc_address, users must configure the
physical address of the low-end equipment. At the same time users must ensure the opposite terminal MAC
address configured on the local router is consistent with the up-end VMAC address.
3. Specify that the data encode mode on the interface is NRZI (the default mode is NRZ)
router(config-if-serial1)#nrzi-encoding
8.2.2 Configuring the Relevant Operations of SDLC on an Interface

The SDLC address of the equipment (PU) connected with the interface is c2, the up-end host computer is a minicomputer of
AS400 type. The virtual MAC address of the local interface serial1 is 4020.2654.0a00. The XID value of the connected
equipment is c2 0a238e33, the opposite terminal MAC address is 5600.7507.34c2, and the SDLC address is c2. The
following are designated: the size of the transmission window, whose data-coding mode on the interface is NRZI, is 5; the
polling interval is 20 seconds, and the local station should be polled 5 times before the next polling; the latest frame should
be held for 2 seconds.
Command Description
router(config-if-serial1)# Encapsulating SDLC

encapsulation sdlc
router(config-if-serial1)#sdlc vmac The virtual MAC address of the interface
4020.2654.0a00
router(config-if-serial1)#sdlc address The SDLC address up-end host of the equipment (PU),
c2 xid-passthru which is connected with the interface, is of AS400 type.
router(config-if-serial1)#sdlc xid c2 The connected equipment XID
0a238e33
router(config-if-serial1)#sdlc partner The MAC address and SDLC address of the port
5600.7507.34c2 c2
router(config-if-serial1)#nrzi- Designates that the data coding mode of the interface is
encoding NRZI.
router(config-if-serial1)#sdlc k 5 The transmission window size is 5.
router(config-if-serial1)#sdlc poll- The poll interval is 20 seconds.

pause-time 20
router(config-if-serial1)#sdlc n2 5
The local station is polled 5 times before the polling.
router(config-if-serial1)#sdlc t1 2 Sets waiting time as 2 seconds for the latest frame.
router(config-if-serial1)#sdlc dlsw c2
The local equipment address running on the SDLC link
8.2.3 The Debugging Information of SDLC
Command Description
show int s1 Displays the interface information to observe the SDLC

working status.
router link station role: PRIMARY (DCE)
slow-poll 10 seconds
poll-pause-timer 500 milliseconds
k (windowsize) 7
modulo 8
sdlc vmac: 2001.2654.00--
sdlc addr 20 state is CONNECTED
cls_state is IDLE
VS 0, VA 0, Remote VR 0, Current retransmit count 0
Hold queue: 0/1 IFRAMEs 5/7
TESTs 1/1 XIDs 1/2 DMs 0/0 FRMRs 0/0
RNRs 0/0 SNRMs 0/-- DISCs/RDs 0/0 REJs 0/0 UAs --/0
intf[][]:
32 00 00 00 00 00 00 00
Current serial1 index is: 0
12 packets input, 2314bytes
0 input errors, 0 CRC, 0 overrun, 0 noOctet, 0 abort, 0 lenErr
3 packets output, 3121 bytes, 0 underruns

Flags: (0xf1) UP POINT-TO-POINT RUNNING
Type: SDLC
Metric is 0
From the above information you can see that the terminal equipment hanged by router has connected with the mainframe, and
can transmit data.
The debugging command of DEBUG:

Command Description
debug sdlc packets Turns on the debugging-switch sending/receiving the

debug sdlc SDLC frame.
8.2.4 Typical Network Construction Mode of SNA Application
A. Connect the ATM with the customer FEP directly through synchronous/asynchronous serial port. The network structure is
showed in the following figure:
ATM
S0 S1
SDLC S0/0 WAN
S2
IBM mainframe CISCO Router

Maipu
Maipu Router
Router
The frontmounted computer
Figure 8-1 The Typical Network Construction Mode1 of an SNA Application
Note: A Cisco router and a Maipu router can communicate through the serial interface by means of some link protocols,
such as PPP, HDLC, FR and X.25, or can communicate directly through the local Ethernet.
B. The synchronous/asynchronous serial port connects with ATM and the customer FEP through PSD, or connects with
IBM mainframe through Cisco router. It can be shown as follows:
PSD
S1
IP
Network
SDLC
IBM S2 ATM
mainframe
Frontmounted computer
Figure 8-2 the SNA typical network construction mode2
8.2.5 The typical SNA configuration of Maipu Router

An exampleæ
S0/0: 19.1.1.1 S0: 19.1.1.2
S1
WAN
SDLC S2
S3
IBM ATM
Mainframe Frontmounted
computer
Figure 8-3 the typical SNA configuration (A)
Illustration:
ATM and the customer FEP connect directly with the serial port of the Maipu router, and the Maipu router connects with the
Cisco router through PPP protocol running on the serial port.
The following tasks are finished mainly in the whole procedure:
A. Configure the relevant commands of DLSw in the global configuration mode.
B. Configure PPP protocol for the interface S0 to connect with the up-end router.
C. Configure the ATM machine with a SDLC address C1 for the interface S1
D. Configure the ATM machine with a SDLC address C2 for the interface S2
E. Configure the customer premise machine whose type is PU2.2 and whose address is C3 for the interface S3.
Configuring the relevant commands of DLSw in the global configuration mode:
Command Task
router(config)#dlsw local-peer peer-id 199.1.1.2 The DLSw local-end address

router(config)#dlsw remote-peer 0 tcp 199.1.1.1 The DLSw remote-end address
Configuring PPP protocol for the interface S0 to connect with the up-end router:
Command Task
router(config-if-serial0)#encap ppp Encapsulates the PPP protocol.

router(config-if-serial0)#ip address 199.1.1.2 255.255.255.0 Specifies that the DLSw local-end
address is the address of interface
S0.
Configures the ATM with a SDLC address C1 for the interface S1:
Command Task
router(config-if-serial1)#encap sdlc Encapsulating SDLC

router(config-if-serial1)#sdlc vmac 1111.1111.1100 The interface VMAC
address
router(config-if-serial1)#sdlc address c1 The SDLC address of the
connected equipment
router(config-if-serial1)#sdlc xid c1 05df0301 The XID of the
connected equipment
router(config-if-serial1)#sdlc partner 1111.2222.33c1 c1 The VMAC address of
the opposite terminal
router(config-if-serial1)#sdlc dlsw c1 The address of the local
equipment
router(config-if-serial1)#clock rate 9600
Configures the ATM with a SDLC address C2 for the interface S2:
Command
router(config-if-serial2)#encap sdlc
router(config-if-serial2)#sdlc vmac 2222.2222.2200
router(config-if-serial2)#sdlc address c2
router(config-if-serial2)#sdlc xid c2 05df0302
router(config-if-serial2)#sdlc partner 1111.2222.3320 c2
Configures the customer premise machine whose type is PU2.1 and whose address is C3 for the interface S3:
Command Task
router(config-if-serial3)#sdlc address c3 xid-poll The PU2.1 type of

customer FPE that is a
low-end equipment of the
SDLC interface.
router(config-if-serial3)#sdlc partner 1111.2222.3323 c3
Note:
1. For the low-end equipment of the SDLC interface, the two kinds of configurations, PU2.1 and PU2.0, are
different because they are obviously different in the initial phase of establishing link.
The way for PU2.1 to resolve the problem that the mainframe circuit whose up-end is token-ring can not be established:
Configure sdlc address <sdlc_address> xid-poll echo in the interface configuration mode.
2. For the APPN modes, in the interface configuration mode, it usually needs to be
configured:
sdlc sdlc-largest <sdlc_address> 265Ôor 521: maximum information frame length)
Example B:
S0/0:19.1.1.1 S0:19.1.1.2
WAN
S1
SDLC PSD
IBM mainframe
ATM ATM Frontmounted computer
Figure 8-4 the typical SNA configuration (B)

Illustration:
1. A Maipu router connects with various lower-end equipment on a serial interface through PSD and connects
upwards with the upper-end Cisco router through a WAN.
2. The following tasks are completed mainly in the whole procedure:
A. Configure the relevant commands of DLSw in the global configuration mode.

B. Configure the interface S0 to connect with the upper-end router through the PPP protocol.
C. Configure the interface S1 to connect with two ATM machines whose addresses are C1 and C2 respectively,
and to connect with a customer premise machine whose type is PU2.1 and whose address is C3.
Configure the relevant commands of DLSw in the Global configuration mode:

Command
router(config)#dlsw local-peer peer-id 199.1.1.2

router(config)#dlsw remote-peer 0 tcp 199.1.1.1
Configure the interface S0 to connect with the up-end router via PPP protocol.
Command
router(config-if-serial0)#encap ppp
router(config-if-serial0)#ip address 199.1.1.2 255.255.255.0
Configure the interface S1 to connect with two ATM machines whose addresses are C1 and C2 respectively, and to connect
with a customer premise machine whose type is PU2.1 and whose address is C3.
Command
router(config-if-serial1)#sdlc partner 1111.2222.33c1 c1
router(config-if-serial1)#sdlc address c3 xid-poll
router(config-if-serial1)#sdlc dlsw c1 c2 c3
The above configuration indicates: the lower-end equipment of different types can connect with a same serial port through
PSD. At the same time, when PSD is used, the circuit clock is usually provided by PSD, and the router interface works in the
external clock mode.
Note:
The noticeable points in the SNA application are:

1. Whether the Maipu router and the Cisco router are consistent in the DLSw and
SDLC
2. Whether the status of the interface connecting with ATM, a customer FPE or PSD is up (through the command
show int <the interface name>).
3. According to the requisition, decide whether a static route should be configured on a Maipu router.
4. According to the requisition, decide whether DLSw remote-peer configuration should be added to the Cisco
router;
5. Examine whether the IP address designated by Cisco local-peer can be reached through the Maipu router (By the
command Ping).
6. Examine whether the XID frame needs to be configured.
7. Whether some peculiar options should be configured.
8. Examine whether the cable connects normally, and whether the physical signal is enough.
8. 3 LLC2
The router connects to the bridge group in LAN through the local Ethernet interface. The bridge group is related with the
DLSw TCP connection, and the local LAN interface runs LLC2 protocol.
8.3.1 LLC2 Configuration Commands
z dlsw bridge-group
Use the command dlsw bridge-group to relate the DLSw TCP connection with the Ethernet bridge group in the global
configuration mode.
dlsw bridge-group group-number
Syntax Descriptions
group-number The bridge-group number that will be related with the DLSw TCP connection.
its value range is from 1 to 10.
z bridge group
Use the command bridge group to connect the local Ethernet interface to the bridge group in the local LAN.
bridge group group-number
Syntax Descriptions
group-number The bridge-group number configured for the Ethernet interface.
It must be consistent with group-number of the command dlsw bridge-group.
8.3.2 Protocol Filtering
When there is too much data in the LAN and LLC2 is bridged through Bridge, SAP access list can be configured on Bridge
and nothing but SNA data is allowed to be bridged so that it can be avoided that the data broadcasted in the local LAN is
bridged to LLC2 and transmitted to the upper-end router through DLSw. That is to say that the upper-end network congestion
can be avoided.
z access-list
Use the command access-list to configure LSAP access list.
access-list list-number permit/deny lsap-addr [lsap-wildcard]
Syntax Descriptions
list-number The access list number.
permit/deny Permit/Deny access.
lsap-addr The permitted/denied <dsap,ssap>.
lsap-wildcard The wildcard
z bridge-group group-number input-lsap-list <list-number>
Use the command bridge-group group-number input-lsap-list <list-number> to filter the SAP frames received by
the bridge group.
z bridge-group group-number output-lsap-list <list-number>
Use the command bridge-group group-number output-lsap-list <list-number> to filter the SAP frames sent by the
bridge group.
z bridge-group group-number input-type-list <list-number>
Use the command bridge-group group-number input-type-list <list-number> to filter the Ethernet frames received by
the bridge group.
z bridge-group group-number output-type-list <list-number>
Use the command bridge-group group-number output-type-list <list-number> to filter the Ethernet frames sent by the
bridge group.
Note:
Generally, The SAP list is configured as follows:
access-list 4001 permit 0x0404 0x0000 or
access-list 4001 permit 0x0d0d 0x0000
Thereby, lsap(0x04è0x04)SNA needs is permitted to pass and other types of packets can be filtered out.
8.3.3 An example of typical LLC2 configuration
Server
Figure 22-1
Illustration:
Maipu router connects to the bridge group in LAN through the local Ethernet interface. And the bridge group is related
with the DLSw TCP connection.
A) Configure the related DLSw commands in the global configuration mode.
Syntax Descriptions
dlsw local-peer peer-id 19.1.1.2 The DLSW address of the local end.
dlsw remote-peer 0 tcp 19.1.1.1 The DLSW address of the remote end.
dlsw bridge-group 1 The DLSw bridge-group number in the local LAN.
B) The interface S0/0 adopt the PPP protocol to connect to the upper-end router.
Syntax Descriptions
encap ppp Encapsulate the PPP protocol.
ip address 19.1.1.2 255.255.255.0 Specify an IP address for the interface S0/0.
C) The interface F0 connects to the bridge-group in the local LAN.

Syntax Descriptions
bridge-group 1 The bridge-group number.
D) Filter the SAP frames received by the bridge-group.

Syntax Descriptions
access-list 4001 permit 0x0404 0x0000 The SNA packets are permitted to pass.
bridge-group 1 input-lsap-list 4001 The SNA packets received by the bridge-group from the station
are permitted to pass.
Note:
To relate the DLSw TCP connection with the bridge-group in the local LAN, configure the bridge-group number of DLSw in
the global configuration mode, and the same bridge-group number should simultaneously be configured on the Ethernet
interface so that the Ethernet bridge-group can be related with the DLSw bridge-group.
8.4 QLLC
Qualified Link Layer Control (QLLC) is a data link protocol defined by IBM and which allows SNA data to be transmitted in
the X.25 network. In the traditional SNA network, any equipment using the X.25 protocol on the SNA communication
channel, no matter which on terminal or intermediate system it resides in, needs to make use of the QLLC protocol.
The QLLC transform feature avoids the requisition for the local IBM equipment to install X.25 software. And QLLC only
demands that the low-end equipment can provide X.25 interface to connect with the lower-end equipment in the remote-end
X.25 network with the IBM mainframe through the router with QLLC transform feature. The router connects with the upper-
end equipment through DLSw TCP, so the intermediate equipment does not need the X.25 interface and the relevant
software.

o QLLC configuring commands
o Typical QLLC configuration
o QLLC debugging and monitoring
8.4.1 QLLC Configuring Commands

To run the QLLC protocol, you need a serial link interface configured using X.25 communication, and needs to configure the
opposite router as SRB or RSRB. For Maipu router to run QLLC protocols transform, some detailed configuring commands
are as follows:
A. PVC mode
Router(config-if-xxx)#
Command Description
encapsulation x25 Executes the command to transform the

interface link layer protocol into X.25
protocol.
Maybe the relevant parameters of the X.25
protocol and the LAPB protocol need be
also configured.
x.25 pvc pvc qllc vmac_address Associates the VC of the X.25 interface with
the QLLC protocol.
Pvc is used to designate the PVC number
and the valid range is from 1 to 4095 (But it
must be less than the value of ltc).
Vmac_address specifies the VMAC ID of
the corresponding low-end equipment.
Qllc dlsw pvc pvc partner partner_address Associates the QLLC protocol with DLSw
TCP.
Pvc is used to designate the PVC number,
which must correspond with the PVC
number designated by the preceding
command.
Partner_address designates the VMAC ID
of the opposite equipment associated with
the corresponding low-end equipment.
B. SVC Mode
Router(config-if-xxx)#
Command Description
encapsulation x25 Executes the command to transform the
interface link layer protocol into X.25
protocol.
Maybe the relevant parameters of the X.25
protocol and the LAPB protocol also need to
be configured.
x25 map qllc virtual-mac-addr x121-addr Designates that X.25 SVC is adopted for the
router to communicate with the PU
equipment of the remote X.25 protocol.
virtual-mac-addr represents the virtual
MAC address, namely, the VMAC address
of the remote X.25 terminal connected by
router.
X121-addr represents the X.121 address of
the remote X.25 equipment connected with
this virtual MAC address.
Qllc dlsw vmacaddr virtual-mac-addr partner mac- Associates the QLLC protocol with DLSw
addr TCP.
virtual-mac-addr represents virtual MAC
address, namely, the VMAC address of the
remote X.25 terminal connected by the
router.
Mac-addr represents the address of the
upper-end mainframe designated to
communicate with the remote X.25
equipment.
Qllc dlsw partner mac-addr If all addresses of the mainframes
corresponding to all the X.25 equipment
connected by this interface are mac-addr,
the command can be simplified as this one.
C. The commands in the global configuration mode

Router(config)#
Command Description
Dlsw qllc local-window <10-100> Set the local X.25 window size to control
the traffic between DLSw and X.25.
When the speed of the X.25 interface is
slow, the window size can properly be taken
in and DLSw is notified to reduce the data
transmission speed so as to avoid the
overflow of the data-sending queue. The
default value is 50.
8.4.2 Typical QLLC Configuration

035287(5
6HU YHU
333
)
V 6e

|
;
:RU NVW DW L RQ
Figure 8-6 the typical QLLC configuration scheme
Illustration:
Here the Maipu router connects with a X.25 network through a serial port, runs QLLC protocol, connects with the low-end
SNA equipment, and associates the DLSw TCP with the QLLC protocol.
The configuration of the down-end Maipu router is as follows:
Configuring the relevant commands of DLSw in the global configuration mode:

Command Task
router(config)#dlsw local-peer peer-id 199.1.1.2 Configures DLSw.

router(config)#dlsw remote-peer 0 tcp 199.1.1.1
The interface S0 connects with the upper-end router through PPP protocol:
Command Task
router(config)#int s0 Configures the PPP

protocol for the interface
router(config-if-serial0)#encap ppp to connect with the up-end
router.
router(config-if-serial0)#ip address 199.1.1.2 255.255.255.0
The interface S1 connects with X.25 network, runs QLLC protocol, and connects with the low-end SNA equipment:
Command Task
router(config-if-serial1)#encap x25 Encapsulates the X.25
protocol.
router(config-if-serial1)#x25 dce Configures it as the DCE
mode.
router(config-if-serial1)#x25 ltc 10
router(config-if-serial1)#x25 pvc 1 qllc 1111.2222.3344 Associates VC of the X.25
interface with the QLLC
protocol;
1111.2222.3344 is the
VMAC address of the
low-end equipment.
router(config-if-serial1)#qllc dlsw pvc 1 partner 2233.4455.6677 Associates the QLLC
protocol with the DLSw
TCP connection.
router(config-if-serial1)#end
The QLLC protocol associates the low-end equipment with X.25 VC, and exclusively determines a low-end equipment
through the corresponding VMAC address and the partner address.
8.4.3 QLLC Debugging/Monitoring
Command Description
show qllc <interface> Employment of this command can examine

the current QLLC connection status
intuitively.
router#sh qllc int s1

Interface serial1
SVC
Circuit state CONNECTED, 1000.1000.1040 (04) -> 2000.2000.0040 (04)
The above information displays the current QLLC connection status.

Command Description
Show qllc partner Displays the relevant information of the qllc

partner configuration
Show qllc connection Displays the QLLC connection information.
The command DEBUG:

Command Description
debug qllc Displays the relevant information when QLLC

establishes a connection or interrupts a
connection.
8.5 Mutildrop
Multi-VMAC-address can be configured for the local SDLC protocol not to relate to the SDLC address. The
configuration method is based on the original SDLC configuration, support the configuration multi-VMAC-address.
z sdlc vmac
Use the command sdlc vmac to specify a VMAC address of the interface or specify a MAC address of the physical
equipment connected with the interface.
sdlc vmac mac-address sdlc-address
Syntax Descriptions
mac-address A MAC address of the interface/ a MAC address of the physical equipment
connected with the interface. Its format is XXXX.XXXX.XXXX, and X
represents any hexadecimal number (0-F). The MAC address instead of the
address whose last two bits are replaced with SDLC need be configured when
partner is configured on the opposite router.
sdlc-address The parameter supports the different MAC addresses configured for the
different physical equipments on the same SDLC interface. The valid range of
the SDLC address is from 01 to FE (hexadecimal) .
The MAC address of each equipment connected with the interface is the MAC
address of the physical equipments specified by sdlc-address.
8.6 Time-based Filtering

On the router, the local MAC address based on DLSw Circuit can be used to realize time control.
1) Command: dlsw mac-address <HHHH.HHHH.HHHH> time-range <NAME>
of which: HHHH.HHHH.HHHH means the DLSw local address.
NAME: the name of time-range
ÏCommand modeÐthe global configuration mode.
Show dlsw time-rangeÖDisplay the status of DLSw time-range

2) After the command above is configured and no corresponding time-range is configured, the default is Deny.
3) In the factual environment, the command above often cooperates with the SNTP protocol so as to acquire the time
of the NTP server.
Mprouter is configured as follows: sntp server <ip-address> The IP address is the address of the NTP server.
8.7 Typical SNA Network Construction Modes
1) Connect to ATM and the front end processor directly through the synchronous/asynchronous serial-interface:
6
6'/& 6 6
:$1
&, 6&2 03 6
, %0 5RXW HU 5RXW HU $70
0DL QI U DPH )U RQW (QG
3U RFHVVRU
Figure 22-3
Note:
The communication between the Cisco router and Maipu router can be realized by means of two modes: the serial
interface runs the link protocol (for example PPP, HDLC, FR or X.25) or the local Ethernet is adopted.
2) The synchronous/asynchronous serial-interface connects with ATM and the front end processor through PSD and
connects to the IBM mainframe through Cisco router.
IP network
IBM mainframe
MP router
Cisco router
Front end
processor
Figure 22-4
8.8 Typical SNA configuration of Maipu Router
8.8.1 Typical Configuration 1
WAN
IBM mainframe MP router
Cisco router
Front
end
Figure 22-5
Illustration:
ATM and front end processor connect to the serial interface of Maipu router directly, and Maipu router connects to Cisco
router by means of running the PPP protocol on the serial interface.
1) The DLSw configuration commands in the global configuration mode are listed as follows:
Syntax Descriptions
dlsw local-peer peer-id 19.1.1.2 DLSW local-peer address.

dlsw remote-peer 0 tcp 19.1.1.1 DLSW remote-peer address.
2) The PPP is configured for the interface S0/0 to connect to the upper-end router:
Syntax Descriptions

ip address 19.1.1.2 255.255.255.0 Specify an IP address for the interface S0/0.
3) Configure the ATM (the SDLC address is C1) on the interface S1/0:
Syntax Descriptions
encap sdlc Encapsulate SDLC.

sdlc vmac 1111.1111.1100 The interface vmac address
sdlc address c1 The SDLC address of the connected equipment
sdlc xid c1 05df0301 The xid of the connected equipment.
sdlc partner 1111.2222.33c1 c1 The vmac address of the opposite end.
sdlc dlsw c1 Relate SDLC to DLSW.
clock rate 9600 Clock rate.
4) Configure the ATM (the SDLC address is C2) on the interface S2/0:
Syntax Descriptions

clock rate 9600 Clock rate
5) Configure the ATM (the SDLC address is C3 and the type is PU2.1) on the interface S3/0:
Syntax Descriptions

sdlc address c3 xid-poll The downstream equipment of the SDLC interface is the
PU2.1 front end processor.
Note:
For the downstream equipment of the SDLC interface, there exists some difference between PU2.1 and PU2.0.
8.8.2 Typical Configuration 2
MP router
WAN
IBM Cisco Router

mainframe
MP router
Front end
processor
Figure 22-6
Illustration:
By means of PSD, one serial interface of Maipu router connects with multiple downstream equipments, and connects to
the upper-end Cisco router through WAN.
1) The DLSw configuration commands in the global configuration mode are listed as follows:
Syntax Descriptions
dlsw local-peer peer-id 19.1.1.2 DLSW local-peer address.

dlsw remote-peer 0 tcp 19.1.1.1 DLSW remote-peer address.
2) The configuration interface S0/0 connects to the upper-end router by means of PPP protocol.
Syntax Descriptions
ip address 19.1.1.2 255.255.255.0 Specify an IP address for the interface s0/0.
3) The configuration interface S1/0 connects with two ATMs (whose SDLC addresses are respectively C1 and C2) and
the front end processor (the address: C3, type: PU2.1) through PSD.
Syntax Descriptions

sdlc address c3 xid-poll
sdlc partner 1111.2222.33c3 c3
sdlc dlsw c1 c2 c3 Relate SDLC to DLSW.
4) If multigrain is enabled on the same interface, multiple VMAC addresses can be adopted.
Syntax Descriptions

sdlc vmac 1111.1111.1111 c1 The interface vmac address(the sdlc partner address of the
opposite router is 1111.1111.1111).
There exists no relation between the interface address and sdlc c1
address.
sdlc vmac 2222.2222.2222 c2 The interface vmac address(the sdlc partner address of the
opposite router is 2222.2222.2222)
There exists no relation between the interface address and sdlc c2
address.
sdlc address c3 xid-poll
sdlc vmac 3333.3333.3333 c3
sdlc partner 1111.2222.33c3 c3
sdlc dlsw c1 c2 Relate SDLC to DLSW.
The configuration above indicates that: different types of downstream equipments can connect to one serial interface through
PSD. At the same time, when PSD is adopted, the line clock is provided by PSD, and the interface of the router operates in
the external clock mode.
Note:
The following points should be noticed in the SNA applications:
1) Whether Maipu router and Cisco router are consistent on DLSw/SDLC configuration.
2) The status of the interface connecting with ATM, front end processor or PSD is UP.(by means of the command show
int <interface name>)
3) Determine whether the static route is configured on Maipu router according to the factual requirements.
4) Determine whether the configuration of DLSw remote-peer is added on Cisco router according to the factual
requirements.
5) Check whether the IP address specified by Cisco local-peer can be reachable through Maipu router( by means of
Ping)÷
6) Check whether the XID frame need be configured.
7) Check whether some special options need be configured.
8) Check whether cables are in order and physical signals are adequate.
Chapter 9 IP Telephone Configuration
IP telephone configuration generally refers to the system that processes voice communication on an IP network. An IP
telephone system has been integrated into Maipu’s MP series routers. Users can use the IP telephone module provided by the
router to process voice communication. Presently, Maipu routers support the H.323 protocol family, the mainstream protocol
of the IP telephone system. H.323 protocol family includes H.225-Call Control Protocol, H.245-Multimedia Control
Protocol, and RTP/RTCP --Realtime Transmission Protocol/Realtime Transmission Control Protocol.
This chapter describes how to configure the Maipu voice card, including how the FXS card accesses the PSTN/PBX through
the FXO card, how the FXS cards intercommunicate between them, how to configure a Maipu router as the H.323 voice
gateway, and some optional extended configurations.
Configuring the voice card interface

Configuring voip
Configuring the Maipu router as the H.323 voice gateway
The Debugging Switch of IP telephone
9.1 Configure Voice Card Interface
Maipu’s MP router series supports two kinds of voice cards:
FXSÙ Foreign eXchange Station interface card

is used to connect general telephone or the exterior line of a mini PBX.
FXOÙ Foreign eXchange Office interface card

is used to connect a PSTN telephone line or the interior line of a mini PBX.
The main topics discussed in this section are as follows:
• Relevant commands
• A simple configuration example
9.1.1 Relevant Commands

The command to enter the voice port in the global configuration mode is:
RouterÔconfigÕÏvoice-port ë
Command Description
<STRING> This is the voice card interface.
Note:
1. If there is an IP telephone module of an old version router, the voice card interface is a single number, for example,
0, 1 etc.
2. If there is an IP telephone module of new version router, the voice card interface is the format of x/y, of which x is
the WAN port number while y is the voice port number. For example, inserting the module in the WAN port s3 and using
channel 1, then the voice port number is 3/1.
3. The number of a concrete interfaces can be examined through the command show run.
After entering the voice port:
RouterÔconfigÕÏvoice-port 0/0
RouterÔconfig-voice-portÕ#ë
Command Description
Codec <g723 / g729 / g711a> This command is used to configure voice-coding type. There are
G.723, G.729 and G.711a, to be selected, which correspond to
different codings and compression algorithms. The typical ones
are G.729 and G.723. If a kind of voice coding is selected, the
router will negotiate voice coding first.
Volume <Number> This number is the volume coefficient within the range 0-63.
The larger the coefficient, the higher the volume.
connection-plar <STRING> It is used only in the FXO card; string represents a telephone
number. After the configuration is finished, once a ringing is
detected on the FXO port, the telephone number is used as the
called number and a call is directly originated to the remote
terminal.
[no] shutdown Configures opening/shutting down the voice port.
Jbuf <0_16> Sets voice dynamic jitter buffer
9.1.2 A Simple Example of Configuration

Configuring the FXS card (supposing that a new version router is being used)
Command Task
Router(config)#voice-port 0/0 Configures the voice port 0/0.
Router(config-voice-port)#volume 28 Configures the volume coefficient as 28.
Router(config-voice-port)#codec g729 Configures the voice coding type as g729
Router(config-voice-port)#no shutdown Opens the voice port.
Note:
1. The default configuration of voice port is shutdown.
9. 2 Configuring VoIP
In the VoIP (Voice over IP) configuration, there is a conception dial-peer that is used to distinguish different types of session
segments. There are two kinds of dial-peers:
POTS — A traditional telephone network peer, such as commonly used telephone interfaces,
PSTN telephone line interface (Z interface), etc.
VoIP — IP network peers (passing through the IP network, corresponding with the remote
telephone segment.)
The main topics addressed in this section are:
Relevant commands
Usage of the basic commands
Usage of the extended configuration
A configuration example
Seeing the two kinds of dial-peers at the caller:

$QVZHU
,3
&DO O HU 1HW ZRU N

3671
6RXU FH 'HVW L QDW L RQ

U RXW HU
'L DO SHHU 3276 'L DO SHHU 9R, 3 U RXW HU
7KH FRU U HVSRQGL QJ W HO HSKRQH RI 7KH W HU PL QDO SDVVL QJ W KU RXJK , 3 QHW ZRU N
W KH W HU PL QDO
Figure 9-1 Dial peers seen from the perspective of the calling party
Seeing the two kinds of dial-peers at the answer:
5HFHL YHU
,3
&DO O HU 1HW ZRU N

3671
'HVW L QDW L RQ
6RXU FH U RXW HU
U RXW HU
9R, 3 'L DO SHHU 3276 'L DO SHHU
Figure 9-2 Dial peers seen from the perspective of the called party
9.2.1 Relevant Commands
Router#conf t
Router(config)#ë
Command Description
dial-peer <1_255> <pots/voip> Configures the dialing map; 1-255 is the number of the session
segment number; make configurations to the pots end or the
voip end.
Configuring the pots end:

Router(config)#dial-peer 1 pots
Router(config-dial-peer)#ë
Command Description
destination-pattern <STRING> Configures E.164 telephone number.
port <STRING> Configures the voice port corresponding to the pots end.
Configuring of the voip end:

Router(config)#dial-peer 1 voip
Router(config-dial-peer)#ë
Command Description
destination-pattern <STRING> Configures E.164 telephone number.

session-target <STRING> Configures IP address of the VoIP end.
dt Configures the abbreviated dialing string or the extended dialing

string.
9.2.2 The Usage of the Basic Commands

Router(config)#
Command Description
DialÙpeer 1 pots Enters the local number configuration mode.
destination-pattern 111 Configures the local number as 111.
Port 0/0 Configures the number 111 to be corresponding with the voice
port 0/0.
Router(config)#
Command Description
DialÙpeer 1 voip Configures the opposite H.323 gateway/terminal.
destination-pattern 111 Configures the number of the opposite terminal as 111 (the
number to be called).
9.2.3 The Usage of the Extended Configuration

The explanations above describe the basic configuration of dialing an IP telephone, and the basic configuration used to
achieve the voice communication on the IP network. For further understanding, below we provide some optional
configurations. For example:
A. Abbreviated number dialing/extended number dialing
• Abbreviated number dialing

Extension dialing allows users to really dial a longer number. For example, user dials 111, he can dial on 5148111.
• Extended number dialing

It can satisfy the requisition that the numbers the mini switch prescribes are comparatively short and users get
accustomed to dialing a certain format of number. For example, when users want to dial 5148222, they can simply dial
the extension 222. In this way, users will not notice the existence of the inner switch, instead, they will feel as though
they are connecting directly with the PSTN network.
Example:
,3
QHW ZRU N

5RXW HU
5RXW HU
Router2 uses the abbreviated number dialing:
Command Description
Router(config)#dialÙpeer 1 voip Configures the opposite H.323 gateway/terminal.
Router(config)#destination-pattern 1 Configures the number to be dialed as 1.

Router(config)#session-target 1.1.1.1 Configures the IP address of opposite terminal.
Router(config)#dt 111 Configures the number corresponding with the dialing1 as 1.
Note:
Router1 uses the extended number dialing:
Command Description
Router(config)#dialÙpeer 1 voip Configures the opposite H.323 gateway/terminal.
Router(config)#destination-pattern 5148222 Configures the number to be dialed as 5148222.
Router(config)#session-target 2.2.2.2 Configures the IP address of opposite terminal.
Router(config)#dt 222 Configures the number corresponding with the dialing

5148222 as 222.
Note:
1. When a user dials the number “5148222”, in fact he dials the telephone “222”.
2. When a user dials the number after destination-pattern, in fact they are dialing the number after dt.
B. Dial-up terminator
When dialing, users can select whether they need to have the dialing terminator “#” or “*”. If needed, they must dial an “#”
or “*” key to indicate the end of the dialing, otherwise, the router recognizes the dialing terminator automatically. If users do
not use the wildcard “.”, there will be little difference to have a dialing terminator or not. When the wildcard is used, the
advantage with a dialing terminator is that the configuration will be simple for users, at that time, to dial an uncertain length
number. Without the dialing terminator, when dialing, users will feel as if they are dialing from a common telephone;
however, when the lengths of the numbers to be dialed are different, the configuration will be much longer, and it will add
some matching terms to match the number with different lengths.
Router(config)#
Command Description
dialplan terminator <#/*/CR> Chooses/configures “#” or “*” as having the dialing

terminat
dialplan terminator time <1_10> The dialup timeout. Its value range is from 1s to 10s.
< Description >
C. Secondary dialing
Secondary dialing and direct extension dialing:
Secondary dialing is the dialing mode that occurs on the general telephone network, after a common telephone dials on the
FX0 port (can be regarded as the telephone exchange), it dials another extension. This mode is similar to that of a common
telephone PBX.
The other mode, apart from second dialing mode, is the direct extension mode, namely that after a general telephone in
common telephone network dials to the FX0 port, it need not dial the extension number further, instead, it directly dials on
some extension number according to the configuration.
Features of the secondary dialing:
After the telephone exchange is connected successfully, dialing any additional extension that can be connected can be dialed
according to the record prompt (if there is record).
The secondary dialing record:
The unique recording function of the Maipu IP telephone provides the recording time of 15 seconds. When the telephone
exchange is connected successfully and you hear the prompt tone “di”, please input *123*# (if the configuration is not being
used, you need not dial the last key “#”). If there is the dialing terminator, please configures it as ending with a #, then you
can begin to record when hearing a prompt tone, and press any key to terminate recording after finishing. So, when the
telephone exchange is dialed up successfully next time, you can hear the recorded sound. During the course of hearing the
sound, you can interrupt it at any time to dial the needed extension number.
,3
1HW ZRU N

3671
5RXW HU

5RXW HU
Illustration:
1. Secondary dial: When the telephone “5148333” of the exterior PSTN network dials on “5148222”, the prompt tone
can be heard, and then you dial “111”or “111#” further, namely, dial the extension “111”.
2. Direct extension dialing: the following commands need be added to the router2:
Router(config)#voice-port 3/0
Command Task
connection-plar 111 Configures 5148222. Once the connection is ok, then the call
with the number “111” will be sent automatically to the remote
terminal
Note:
1. The default configuration of a Maipu IP telephone is the secondary dialing mode.
2. Only the FXO (connecting with the switch card exteriorly) has the option of choosing the
secondary dialing (mode) or the direct connection extension.
9.2.4 Configuration Example
,3
1HW ZRU N

5RXW HU
5RXW HU
Illustration:
1. In the above configuration, both Router 1 and Router 2 each contain built-in FXS modules.
Supposing they are the new version of routers and two IP telephone modules are inserted
into the interface S2 respectively and the channel 0 is employed.
2. This example is about the interconnection between the two FXS modules, when they are
configured, the following tasks should be completed:
A. Configuring the pots end and the voip end

B. Configuring the voice interface
Configuring the pots end and the voip end
First configure the parameters of router1:

Command Task
Router#con t
Router(config)#dial-peer 1 pots Enters the local number configuration
mode.
Router(config-dial-peer)#destination-pattern 111 Configures the local number as “111”.
Router(config-dial-peer)#port 2/0 Configures the number “111” to
correspond with the channel 2/0.
Router(config-dial-peer)#exit
Router(config)#dial-peer 2 voip Enters the voip configuration mode.
Router(config-dial-peer)#destination-pattern 222 Configures the number to be dialed.
Router(config-dial-peer)#session-target 1.1.1.2 Configures the IP address of the end to be

dialed.
Second configuring the parameters of router2:

Command Task
Router#con t
mode.
Router(config-dial-peer)#port 2/0 Configures the number “222”to
Router(config)#dial-peer 2 voip Enters the voip configuration mode

dialed.
Configuring the Voice Interface

The configuration of router1 is the same as that of router2
Command Task
Router(config)#voice-port 2/0 Enters the corresponding voice port.
Router(config-voice-port)#codec g729 Configures the coding mode as g729.
Router(config-voice-port)#no shutdown Activates the voice port.
Illustration:
1. In the above figure of configuration, both router1 and router2 have the built-in FXS modules,
while router3 has a built-in FXO module. Supposing they are the new version of routers, and
all the IP telephone modules are inserted in the port s2 and they use the channel 1.
2. This is an example about the intercommunication between the FXS module and the FXO,
about the second dialing, and about the direct extension dial. When they are configured, the
following tasks should be finished:
A. Configuring the pots end and the voip end
B. Configuring the voice interface
3. The appendix is about the usage of the extended configuration.

Configuring the pots end and the voip end
First, configure the parameters of router1

Command Task
Router#con t
mode.

dialed.
Router(config-dial-peer)#destination-pattern Configures the opposite telephone
9....... number; the wildcard is used to match
any number string.
dialed.
Second, configure the parameters of router2:

Command Task
Router#con t
mode.
Router(config- dial-peer)#port 2/1 Configures the number “222” to correspond
with the channel 2/1.
Router(config- dial-peer)#exit

dialed.
Router(config-dial-peer)#destination-pattern 9..... Configures the opposite telephone number;
the wildcard is used to match any number
string.
dialed.
To configure the parameters of router3:

Command Task
Router#con t
mode.
Router(config-dial-peer)#destination-pattern Configures the local numbers as the
9....... wildcard strings beginning with “9”.
Router(config- dial-peer)#port 2/1 Configures the number “9.......”to
Router(config-dial-peer)#destination-pattern 111 Configures the number of the interior
extension to be dialed on.
dialed.
Router(config-dial-peer)#destination-pattern 222 Configures the number of the interior
extension to be dialed on.
dialed.
Configuring the voice interface

The configuration of router1 is the same as that of router2
Command Task
Router(config-voice-port)#codec g729 Configures the coding mode as g729.
The configuration of router3 is different depending on the modes of secondary dialing and direct extension dialing.
Command Task
Router(config-voice-port)#codec g729 Configures the coding mode to be g729.
5RXWHUFRQILJ-voice-port)#connectionÙplar 111 Once the exterior line dials up 5148333
successfully, the extension 111 will be
connected directly.
5RXWHUFRQILJ-voice-port)#connectionÙplar 222 Once the exterior line dials up 5148333
successfully, the extension 222 will be
connected directly.
Router(config-voice-port)#exit
Note:
1. If the command sentences are configured with “ ÓDEHOLWis in the direct connection mode.
The advantage of this mode is that it is easy for a user to operate, once the user successfully
dials 5148333, he can dial 111/222 directly. The disadvantage is that it is fixed to dial up only
one extension, namely that one voice interface only corresponds to only one
connection-plar.
2. If the command sentences are not configured with the “ ÓDEHOLWLVLQVHFRQGDU\GLDOLQJ
mode. After the exterior line successfully dials 5148333, he can choose the extension 111 or
the extension 222 according to the record prompt (if there is record)
3. All numbers configuration can use the wildcard.
Appendix: Usage of the extended configuration

The extended configuration of the router1 (using abbreviated number dialing/extended number dialing)
Command Task
Router#con t
mode.
Router(config- dial-peer)#port 2/1 Configures the number “111”to
Router(config-dial-peer)#destination-pattern Configures the number to be dialed.
5148222
Router(config-dial-peer)#session-target 1.1.1.2 Configures IP address of the end to be

dialed.
Router(config-dial-peer)#dt 222 Configures the number “222” that really
corresponds to the number “5148222”
dialed by users.
Router(config-dial-peer)#destination-pattern Configures the telephone number of the
... opposite end and use the wildcard to
match any number string.
dialed.
Router(config-dial-peer)#dt 95148... Configures addition of “9” to any 7 bit
number dialed by users.
Note:
1. After dt is configured, the number configured in destination is the ones dialed by users, the
number of dt is the ones transmitting really in the line.
2. The above configuration is used to achieve the following functions:
A) If users dial the number “5148222”Øthey dial the extension “222” successfully.
B) If users dial the number “123”, they can dial the exterior line “5148123”
successfully.
The extended configuration of the router2 (using the dialing terminator)

Command Task
Router#con t
mode.
Router(config-dial-peer)#session-target 1.1.1.1 Configures IP address of the end to be

dialed.
Router(config-dial-peer)#destination-pattern Configures telephone number of the
9............. opposite end and use the wildcard to
match any number string.
dialed.
Router(config)#voip_dial_terminator Ï Configures the termination as “#”.
Note:
1. When dialing “111”, users must end it with “#”, only so can the number really be dialed out.
2. When dialing 95148123 or 913912345678, users end it with “#”, then the number will be sent
out. This can achieve that all the numbers with different lengths can use the same one voip
(the number of the wildcard point should be more than/equal to the longest number to be
dialed, so does the pots wildcard of the router3)
3. If there is no dialing terminator, when users want to match both dialing of 5148123 and
139123456789, different voips need be configured. For example, the wildcard beginning
with 8 matches the 7 bits numbers, while the wildcard beginning with 9 matches the 11 bits
numbers.
9.3 Configuring the Maipu Router as a H.323 Voice Gateway
A Maipu router can be used as the H.323 voice gateway, and can be used for the voice intercommunication between many IP
networks or between an IP network and a telecommunications network, such as PSTN network etc. Presently, Maipu routers
supports the RAS (Registration, Admission, Status) protocol, which is used to exchange information with the gatekeeper.
Other functions, such as security, charging and Supplementary Services, will be provided in the subsequent version.
The main topics addressed in this section are as follows:
• Basic Concepts
• Configuring H.323 voice gateway
• An example of configuration
9.3.1 Basic Concepts
RAS protocol:
RAS (Registration, Admission, Status) protocol is a protocol that runs between the H.323 gateway and the gatekeeper, and is
used for call control and management, which includes address resolution, address mapping, bandwidth management, call
control, route management and security management.
9.3.2 Configuring H.323 Voice Gateway
A. Configuring the pots dial-peer

Router(config)#
Command Description
dial-peer <1_255> pots Enters pots

destination-pattern<string> Identifies the gateway.
port 0 The number corresponds with the voice port 0.
B. Configure voip dialing-peer

Router(config)# dial-peer 1 voip
Command Description
destination-pattern <string> Configures the telephone number of the destination end.
supported-prefix <string> Configures a prefix to identify the voice gateway at which the
destination telephone is. This prefix will be added to the front of
the telephone number dialed by users.
session-target ras Designates the use of the RAS protocol to get the IP address of
the destination telephone.
C. Configuring the voice gateway interface:

A network interface is configured as the RAS protocol interface of the voice gateway, only one network interface can be
configured as the voice interface. Configure the multicast mode on the network interface (for example, Ethernet interface)
supporting multicasting to search for the gatekeeper. On the network interface (for example, WAN port) which does not
support multicasting, only the designated gatekeeper IP address can be configured.
Router(config)#int s0
Command Description
h323-gateway voip interface Designates this interface as the RAS protocol interface of
the voice gateway.
h323-gateway voip h323-id <STRING> Configures the gateway interface identifier that is used for
the gatekeeper to identify the gateway interface.
h323-gateway voip id <STRING> <ipaddr/ The first string is the gatekeeper ID, while the second string
multicast> <STRING/CR> is the IP address that is configured after the ipaddr mode is
chose.
h323-gateway voip supported-prefix Configures the gateway ID-prefix that is used for the
<STRING> gateway to process the session route, namely that the
gatekeeper will route the telephone number beginning with
this prefix to the gateway.
Note:
1. The multicast mode is used to search the gatekeeper through the multicasting mode while
the ipaddr mode is used to designate the gatekeeper.
D. Starting the voice gateway

Router(config)#
Command Description
Gateway Starts the voice gateway.
3.3 Configuration Example
Configuring a Maipu router

Command Task
Router(config)#dial-peer 1 pots Configures the pots end.

Router(config-dial-peer)#destination- Configures the local gateway identifier as “7#” and the number
pattern 7# 5219609 as 5219609.
Router(config-dial-peer)#port 0 The number is bound with the voice interface 0.
Router(config)#dial-peer 2 voip Configures the voice port of the opposite end.
Router(config-dial-peer)#destination- The opposite telephone

pattern 5213541
Router(config-dial-peer)#supported- The destination gateway prefix identification
prefix 8#
Router(config-dial-peer)#session-target Designates that the RSA protocol is used to get the IP address of
ras the destination telephone.
Router(config)#int f0 Configures the voice gateway interface.
Router(config-if-fastethernet0)#ip address
128.255.255.244 255.255.0.0
Router(config-if-fastethernet0)#h323- Configures the gateway interface identifier.
gateway voip h323-id mp
Router(config-if-fastethernet0)#h323- Designates that the multicasting mode is used to search the
gateway voip id gk multicast gatekeeper.
Router(config-if-fastethernet0)#h323- Configures the gateway identification prefix as “7#”

gateway voip supported-prefix 7#
Router(config-if-fastethernet0)#h323- Designates that this interface is used as the RAS protocol
gateway voip interface interface of the voice gateway.
Router(config-if-fastethernet0)#no
shutdown
Router(config-if-fastethernet0)#exit
Router(config)#gateway Starts the voice gateway.
9. 4 IP Telephone Debugging Switch
Notice:
• Turning on the IP telephone debugging switch
• Turning off the IP telephone debugging switch
• The wire order of the new version Voip module
Turning on the IP telephone debugging switch:
Router(config)#
Command Description
debug voipdrv <STRING> Turns on an interface debugging switch. <String> is the

<all/busytone/events/resource/status> voice interface to be monitored, the following words that
can chosen are busytone, event or status of the
monitoring interface, choosing all means turning on all
the voipdrv debugging information of the interface.
Note:
1. The voice interface monitored must be continuous up to a certain channel. For example, if there is a new version router, the
voice interface should be of the form “0/1”; while if there is a old version router, then it should be of the form “0”, “1” or
“2“ etc. The principle is that this voice interface form should be the same as that voice interface form seen by the command
show run.
Turning off the IP telephone debugging switch:

Router(config)#
Command Description
No debug all Closes all the debugging information.
The wire order of the new version IP telephone:

1) 2vop and 2vos: RJ45 line with 8 wires, line4 and lind5 corresponding to the channel 0; and line3 and lind6 corresponding
to the channel 1.
2) The IP telephone module with single port: RJ45 line with 8 pins of which the fourth and the fifth ones are used.
Chapter 10 Terminal Configuration
10.1 Terminal Protocol
o UNIX
o Ethernet
o T o T o T
Figure 10-1 Terminal protocol operation modeÔthe local modeÕ
IllustrationÖ
The figure above is the topology of the local terminal operation mode: the local router accesses the Ethernet through the
Ethernet port and connects with the Unix server; the synchronous/asynchronous interface or asynchronous interface
encapsulates the terminal protocol and connects with the terminals.
o UNIX
o E
o Local
o Remo
o T o T o T
Figure 10-2 Terminal protocol operation modeÄthe remote modeÅ
Illustration:
The figure above is the topology of the remote terminal operation mode: the remote router accesses the WAN through
the WAN interface and connects with the local router through which the remote router connects with the Unix server. On the
remote router, the synchronous/asynchronous interface or asynchronous interface encapsulates the terminal protocol and
connects with the terminals.
Compared with the previous terminal access mode of Maipu router, the terminal protocol has gotten much enhancement
at the aspects of function and flexibility and overcomes the limitation that nothing but the asynchronous interface module can
access the terminal. As long as the interface module supported by Maipu router can operate in the asynchronous mode (For
example: frequency-band MODEM interface, high-speed synchronous/asynchronous serial interface), the interface can
encapsulate the terminal protocol for terminal access.
Firstly, the terminal protocol can, according to the user configuration or terminal service, specify the service-port of the
upper-end service for the establishment of TCP connection. When the lower-end service data arrives, the router encapsulates
the terminal data into TCP/IP messages, and sends them to upper-end server through the TCP connection; at the same time,
the terminal protocol monitors the data the server send downwards, and the terminal protocol encapsulates the TCP/IP
message and sends the service data to the terminal when the router receives the data sent from the server. The terminal
protocol can establish multiple TCP connections simultaneously and realize the service switch of the terminal. Moreover, the
terminal protocol can assist Itest or other terminal-number fix program to realize the fix terminal-number access and data
encryption and compression transmission, which can enhance service security.
10.1.1 Configuring the Terminal Protocol

The following steps are necessary for you to configure an interface of the router to connect with a terminal.
Creating/configuring terminal template
The interface encapsulation terminal link protocol
Applying the terminal template to the terminal protocol interface.
10.1.1.1 Creating/Configuring Terminal Template
To make the router support the terminal access, it is necessary to configure terminal service parameters, such as the local IP
address, remote service IP address and TCP port-number, and save the configuration into the terminal template. After a
terminal template has been created, all protocols supporting the terminal access, such as TerminalMPDLC and X.25 PAD,
can apply the template simultaneously. And the modification of the template configuration can also update the status of the
protocols applying the template simultaneously.
Terminal template template-name
In the global configuration mode, use the command terminal template to create or enter a template. The parameter
template-name is the template name. When there exists no the template, the template will be created and the user can enter
the terminal template configuration modeÔconfig- terminal-templateÕ. And use the command no terminal template
template-name to delete the template.
Note:
The terminal name is case sensitive.
In the terminal template configuration mode, the parameters related with terminal services can be configured, and the
following commands can be supported.
Terminal local local-ip-address
Configure the local IP address of the template as the IP address of some interface of the router (generally the local IP
address is the IP address of the loopback interface). The terminal protocol can regard the IP address as the source address and
establish the TCP connection with the server.
Terminal remote
terminal remote host-number host-name host-ip-address domain name{fix-terminal | telnet | rlogin}
Syntax Description
host-number The remote service number, and its value scope is from 0 to 9.
host-name The remote service name, displayed on the terminal selection interface.
host-ip-address The IP address of the remote service.
domain name The host domain name of the remote service.
fix-terminal The remote service works in the fix-terminal mode (By default).
telnet The remote service works in the telnet mode.
rlogin The remote service works in the rlogin mode.
When working in the fix-terminal mode, the remote service can support the following options:
terminal remote host-number host-name host-ip-address fix-terminal { tcp-port | authentication | compress | encrypt
<string> | start-chars | negotiate-port | server}
Syntax Description
tcp-port The TCP port number of the remote fix-terminal itest service.
Its value range is from 1 to 65535 and the default port-number is 3051.
authentication Router ID authentication (Namely the previous MAC address
authentication, and no authentication is configured by default.)
compress Compress the data
encrypt Encrypt the data in the fix-terminal mode. After that, the key is also
encrypted.
start-chars The Fix-terminal auto-screen-brush character.
It need be consistent with that the Itest configuration (nothing is
configured by default.)
negotiate-port Specify the negotiation port number for terminal connection in the fix-
terminal mode.
server The router serves as the server of the TCP connection and waits for client
connection.
NoteÖ
1) When the function of the auto-screen-brush is employed, the parameters -r –k a1:a2:a3 need be configured when Itest
starts. The parameter “-r” means enabling the screen memory. For ék a1:a2:a3, a1, a2 and a3 are hexadecimal numbers, and
“0xa1 0xa2 0xa3” is configured behind “start-chars”;
2) When the function of data compression is adopted, the option compress need be added into the Itest configuration file
(itest.conf), and its format is described as followsö
/dev/ttyp53 196.72.167.4 com1 term2 compress÷
ùx (x represents the key value) need be added into the Itest

3) When the encryption function is adopted, the option keyù
configuration file (itest.conf), and its format is described as follows:
/dev/ttyp53 196.72.167.4 com1 term2 keyùa÷
4) In view of the security, the System ID corresponding to the router can be configured on Itest. In this way, only the
terminal connecting with the specified router can log in the Unix server. It is necessary to add a MAC address into the Itest
configuration file (itest.conf), and its format is described as followsö
/dev/ttyp53 196.72.167.4 com1 term2 mac 00017a450312÷

5) The last item is the System ID of the router. It can be displayed by means of executing the command 'show version’
on the router.
6) When the fix-terminal server is adopted, no remote address need be configured. The address used for TCP connection
monitoring is the terminal local address. The remote address can be filled with any format of valid IP address.
7) When the fix-terminal server is adopted, no switching of service host need be performed usually. It is recommended
that only one remote host need be configured.
When working in the Telnet mode, the remote service supports the following options:
terminal remote host-no host-name host-ip-address telnet { tcp-port | ANSI | VT100 | xenix }
Syntax Description
tcp-port The TCP port-number of the remote service. Its value range is from
1 to 65535 and the default value is 23.
ANSI Telnet operates in the ANSI mode.
VT100 Telnet operates in the VT100 modeÄBy defaultÅ.
Xenix Telnet operates in the xenix mode.
When working in the rlogin mode, the remote service supports the following options:
terminal remote host-no host-name host-ip-address rlogin remote-user-name
Syntax Description
Remote-user-name The remote username of rlogin logon.
In the terminal template configuration mode, the related configuration commands are described as follows:
terminal {auto-linking <0*9> | hesc-chars | host <0*9> hesc-chars | print { on | off } | redraw {<0*9> |
console } <STRING> | retry-times <1*65535> | rx-delay | rbufsize <128*16384> | tbufsize <2048*16384> }
Syntax Description
auto-linking Automatically establishing a link (Disabled by default)
hesc-chars The terminal service switch character ( the default character is
“Ctrl+G+D”)
host The hot key of terminal host switch.
print Print the information about prompts and helps on the terminal
(permitted by default)
redraw The terminal redraw (the field STRING is the terminal screen-
brush key, and different terminals define different terminal screen-
brush keys)
retry-times The retry times of establishing a link ( three times by default).
rx-delay The receiving delay, applied to the situation of using a card reader
(no delay is configured by default).
tbufsize The size of TCP transmitting bufferÄ 8192 by defaultÅ
rbufsize The size of TCP receiving bufferÄ2048 by defaultÅ
10.1.1.2 The Interface Encapsulation Terminal Link Protocol
In the interface configuration mode, configure the command encapsulation terminal.
terminal noise-filter
The command is used to enable/disable the noise-filter of the interface. After the noise-filter is enabled, the noise
interference, which is on the floating line and results from closing the RX/TX/GND terminal connection, can be
avoided. The noise-filter is enabled by default.
terminal noise-filter { ENABLE | DISABLE }
NoteÖ
1) The terminal protocol must operate in the asynchronous mode. For the synchronous/asynchronous serial interface
mode, the configuration command physical async must be firstly used to convert the physical layer into the asynchronous
mode.
2) Neither IP address nor other IP property parameters can be configured;
3) After the terminal protocol is encapsulated, the default configuration tx-on dsr can be adjusted according to the
bottom-layer physical signals of the terminal interface, such as tx-on dcd-dsr or tx-on cts;
4) No flow-control is configured by default. Generally, a terminal can receive nothing but the receiving, transmitting and
GND signals, and support no hardware flow-control. The flow-control configuration can be modified according to the line
condition and terminal performance.
5) The command terminal noise-filter can be used to filter out the start-character 00 or ff. In some applications, the 00 or
ff character can be sent out in the beginning. Here, the noise-filter is disabled.
10.1.1.3 Applying the Terminal Module to a Terminal Protocol Interface
Adopt the command terminal apply template-name <interface1> <interface2> to apply the terminal template to the
Terminal protocol interface <interface1> and<interface2>.
NoteÖ
When a terminal template is applied to multiple interfaces, such as the two interfaces above, interface1 and interface2
must be two interfaces in the same slot.
10.1.2 An Example of Terminal Protocol Configuration
The local-end encapsulating the terminal protocol is configured as follows:ÔShown as figure 10-1Õ
A) Configuring the interface parameters:
Command Task
Router#config terminal
Router(config)#int f0 Enter the configuration mode of the
interface f0.
Router(config-if-fastethernet0)#ip add 129.255.24.100 Configure the Ethernet address of the
255.255.0.0 router/ terminal server.
Router#(config)interface serial0/0 The configuration mode of the serial-
interface s0/0.
Router(config-if-serial0/0)#physical-layer async The serial-interface s0/0 is configured
as the asynchronous mode.
Router(config-if-serial0/0)#tx-on dcd Configure the dcd signal to judge
physical signal up.
Router(config-if-serial0/0)#encapsulation terminal Encapsulate the terminal protocol.
Router(config-if-serial0/0)#exit
ÔThe above is the configuration of encapsulating a high-speed serial interface as the terminal protocol, and the
configuration of 8/16SA is the same as that of the high-speed serial interface.Õ
Command Task
Router#(config)interface serial1/0 The configuration mode of the serial-interface
s1/0.
Router(config-if-serial1/0)#physical-layer async
Router(config-if-serial1/0)#tx-on dcd Configure the dcd signal to judge physical
signal up.
Router(config-if-serial1/0)#encapsulation terminal Configure the interface s1/0 (built-in modem)
to encapsulate the terminal protocol.
Router(config-if-serial1/0)#modem party originate Configure the built-in modem as the
origination.
Router(config-if-serial1/0)#modem line leased Configure the built-in modem as the automatic
leased line mode.
Router(config-if-serial1/0)#modem async direct Configure the built-in modem as the direct
asynchronous mode.
Router(config-if-serial1/0)#modem enable
Ô The above is the configuration of the automatic leased line mode in which the built-in modem encapsulates the
terminal protocol. The usage of this mode needs the cooperation with the mp56/336B external modem.Õ
Command Task
Router#(config)interface serial1/0
Router(config-if-serial1/0)#physical-layer async
Router(config-if-serial1/0)#tx-on dcd Configure the dcd signal to judge physical
signal up.
Router(config-if-serial1/0)#encapsulation terminal
Router(config-if-serial1/0)#modem party originate Set the built-in modem as call origination.
Router(config-if-serial1/0)#dialer string 123 Set the built-in modem as the dialup mode.
Router(config-if-serial1/0)#modem async error-correct Set the built-in modem as error asynchronism.
ÔThe above is the configuration of the dialup mode in which the built-in modem encapsulates the terminal protocol.
The usage of this mode needs the cooperation with the mp56/336B external modem.Õ
B) Configuring Template Parameters:
Command Task
Router(config)#terminal template maipu Establish a template whose name is maipu.
router(config-terminal-template)#terminal local Set the local IP address (the address of the
129.255.24.100 interface f0).
router(config-terminal-template)#terminal remote 0 fix Set service 0 as the fix-terminal mode, the IP
129.255.100.101 fix-terminal address as the IP of the Unix FEP (Front End
Processors).
router(config-terminal-template)#terminal remote 1 Set service 1 as the telnet mode.
telnet 129.255.100.101 telnet
router(config-terminal-template)#terminal remote 2 Set service 2 as the rlogin mode.
rlogin 129.255.100.101 rlogin
router(config-terminal-template)#terminal remote 3 Set service 3 as the echo mode. (Optional)
input 129.255.100.101 fix-terminal 7
router(config-terminal-template)#terminal remote 4 fix- Set service 4 as 2nd fix-terminal mode. In the
2 129.255.100.101 fix-terminal 3052 negotiate-port mode,
3652 Two itests are configured for Unix: data port—
3052, and negotiation port—3652.
router(config-terminal-template)#exit
C) Applying the template to an interface
Command Task
Router(config)# terminal apply maipu serial0/0 Apply the template to the interface s0/0.
10.1.3 Related Terminal Debugging Commands

show terminal
debug terminal <interface>
terminal restart { all | <interface> }
show ip socket
10.2 MPDLC Protocol

The router can, through MPDLC (MP data link control protocol, Maipu private protocol), connect with MP multiplexer (such
as MP8000/8100/8200) so that one serial interface of the router can realize the access of at most 8 terminals. This can
enhance the router’s ability of terminal access greatly.
UNIX FEP
Ethernet
Local
MP8100
multiplexer
Terminal Terminal Terminal

Figure 10-3 the MPDLC network mode chartÄthe local modeÅ
IllustrationsÖ
The local router accesses the Ethernet through the Ethernet interface and connects with the Unix server. The
synchronous interface, synchronous/asynchronous interface or asynchronous interface encapsulates MPDLC protocol and
connects downwards with MP8100 multiplexer that connects with terminals through sub-interfaces (8 subinterfaces).
o UNIX FEP
Ethernet
Local router
Remote
MP8100
multiplexer
Figure 10-4 MPDLC network mode chart Äthe

remote modeÅ
Terminal Terminal Terminal
IllustrationÖ
The remote router accesses the WAN through the WAN interface and connects with the local router, then connects with
the Unix server through the local router. The synchronous interface, synchronous/asynchronous interface or asynchronous
interface of the remote router encapsulates MPDLC protocol and connects downwards with MP8100 multiplexer that
connects with terminals through sub-interfaces (8 subinterfaces) .
NoteÖ
In the MPDLC mode, the sub-interfaces of MP multiplexer can connect with terminals, prints and card-reader, and can
not support SDLC equipments (such as ATM).
10.2.1 Configuring MPDLC Protocol
To make the router adopt the MPDLC protocol to connect with MP multiplexer, the following steps are necessary:
Creating/configuring a terminal template;
Encapsulating an interface with MPDLC Link protocol
Applying the template to the MPDLC interface
10.2.1.1 Creating/Configuring Terminal Template
The terminal template used by MPDLC protocol is the same as that used by the terminal protocol. About how to create and
configure a terminal template, refer to section 10.1.1.
10.2.1.2 Encapsulating Interface with MPDLC Link Protocol
Configure the command encapsulation mpdlc in the interface configuration mode.
Configure the command mpdlc channel <start-chan> <end-chan> dtr-forced-on according to the physical
performance of the terminal connecting with the sub-interface of the multiplexer×
Partial terminal can not provide DTR signal for the sub-interface of MP8000 series equipments and notify the multiplexer of
whether to connect with the terminal equipment. In this situation, it is necessary to configure the command mpdlc channel
<start-chan> <end-chan> dtr-forced-on to specify some sub-interfaces to connect with the terminal equipments. Thereinto,
start-chan and end-chan represent the start-channel number and the end-channel number respectively. And their value scope
is from 1 to 8.
Note:
1) The router parameters, such as line synchronism/asynchronism, clock, rate and flow-control, must be configured
according to the serial-interface parameters of MP multiplexer;
2) Neither IP address nor other IP parameters is configured on the MPDLC interface.
10.2.1.3 Applying the Terminal Template to a MPDLC Interface
Use the command terminal apply template-name <interface1> <interface2> to apply the terminal template template-name
to all channels of MPDLC interfaces <interface1> ~ <interface2>ç
Similarly, Use the command terminal apply template-name <interface> channel <start-chan> <end-chan> to apply the
terminal template template-name to the specified channels of the interface <interface> ×
NoteÖ
When the terminal template is applied to multiple interfaces, both and must be the two interfaces in the same slot; the
command terminal apply template-name <interface1> <interface2> can be used many times to apply the terminal template
to the interfaces of different slots. An interface can adopt only one terminal template.
10.2.2 An Example of MPDLC Configuration
The local configuration of encapsulating MPDLC: (shown as figure 3)
A) Configuring interface parameters:
Command Task
Router(config) interface serial0/0
Router(config-if-serial0/0)#physical-layer async Configure the interface as the
asynchronous operation mode.
Router(config-if-serial0/0)#encapsulation mpdlc Encapsulate the MPDLC protocol.
Router(config-if-serial0/0)#mpdlc channel 1 8 dtr-force- Enable channel 1-8, and set dtr signal as
on up.
ÔThe above is the configuration of encapsulating MPDLC on the high-speed interface. And the configuration of
8/16SA is the same as that of the high-speed interface.Õ
Command Task
Router(config) #interface serial1/0
Router(config-if-serial1/0) # physical-layer async Configure the interface as the
asynchronous operation mode.
Router(config-if-serial1/0)#tx-on dcd
Router(config-if-serial1/0)#encapsulation mpdlc Encapsulate the MPDLC protocol.
on up.
Router(config-if-serial1/0)#modem party answer Set the built-in Modem as the answer
Router(config-if-serial1/0)#modem line leased Set the built-in Modem as the private
line mode.
Router(config-if-serial1/0)#modem async direct Set the built-in modem as the direct
asynchronism mode.
ÔThe above is the configuration of the automatic private line mode in which the built-in modem encapsulates the
terminal protocol. The usage of this mode needs the cooperation with the mp8100 multiplexer.Õ
Command Task
Router#(config)interface serial1/0
Router(config-if- serial1/0)#physical-layer async
on up.
Router(config-if- serial1/0)#encapsulation mpdlc Encapsulate the MPDLC protocol.
Router(config-if- serial1/0)#modem party originate Set the built-in Modem as the call
origination.
Router(config-if- serial1/0)#dialer string 123 Set the phone number the built-in
modem dials.
Router(config-if-serial1/0)#modem async error-correct Set the built-in Modem as the error-
asynchronism.
Router(config-if- serial1/0)#modem enable
Router(config-if- serial1/0)#exit
ÔThe above is the configuration of the dialup mode in which the built-in modem encapsulates the MPDLC protocol.
And the usage of this mode needs the cooperation with the mp8100 multiplexer.Õ
B) Configuring Template Parameters:
The configuration of a template is the same as that of encapsulating the terminal protocol. Only one template can be
defined, and each interface can adopt nothing but one template.
C) Applying the template to an interfaceæ
Command Task
Router(config)# terminal apply maipu serial0/0 Apply the template to the interface s0/0.
10.2.3 Related MPDLC Debugging Commands
show mpdlc
debug mpdlc
10.3 X.3 PAD Terminal
Figure10-5 the X.3 PAD terminal network mode
UNIX FEP
Mp router
X.25 terminal
10.3.1 Configuring the X.3 PAD Terminal
To configure the X.3PAD terminal of the router, the following steps are necessary:
Creating/configuring a terminal template
Configuring X.25 link-layer protocol
Apply the terminal template to X.3 PAD.
10.3.1.1 Creating/Configuring a Terminal Template
The terminal template used by the X.3 PAD terminal is the same as the Terminal protocol. And about how to create and
configure a terminal template, refer to section 10.1.1.
10.3.1.2 Configuring X.25 Link-layer Protocol
Encapsulate X.25 link-layer protocol on the interface and configure the corresponding parameters.
10.3.1.3 Applying a Terminal Template to X.3 PAD
In the global configuration mode, configure the command terminal x.121-addr template-name COM TERM and apply the
terminal template template-name to X.PAD.
Syntax Description
x.121-addr The x.121 address of the remote PAD logon equipment.
template-name The name of the applied terminal template.
COM The COM number (user-defined) for using the function of fix-
terminal.
TERM The TERM number (user-defined) for using the function of fix-
terminal.
10.3.1.4 An Example of X.3 PAD Terminal Configuration
The configuration of the router and related explanation are described as follows:
1) Encapsulating related X.25 parameters (including X.25 address, DCE/DTE operation mode and internal/external
clock) of a WAN interface;
2) The configuration commands of a terminal template are listed as follows:
Command Description
terminal template <Temp-Name> Create/configure a terminal template (the global
mode command).
terminal local <ip-address> Configure the local IP address.
terminal remote <0-9> Host-Name <ip- Configure the remote services: ten different
address>[telnet][rlogin][fix-term] services (09), telnet/rlogin/fix-term mode can be
supported.
terminal hesc-chars Configure the switching character string. And the
default is “Ctrl+G+D”.
terminal rx-delay Set the receiving delay mode. The default mode is
no delay.
terminal rbufsize <32-8192> Set the size of the TCP receiving buffer. The
default size is 2048 bytes.
terminal tbufsize <32-8192> Set the size of the TCP receiving buffer. The
default size is 8192 bytes.
terminal print <on/off> Set terminal print as on: the prompts are printed on
the terminal. The default configuration is ON.
terminal retry-times <1-255> Set the maximal retry-times of establishing a link.
The default value is 3 (times).
3) The coincidence relations among the terminal X.25 source address, terminal template and port number are listed as
follows:
Command Description
terminal <x121-addr> <Temp-name> <com> <x121-addrs> : the X.121 address of the remote
<term> x25 equipment
<termplate-name>:the name of the template used
by the terminal
<com> and <term>: the parameters used by the fix-
terminal. It must be consistent with the
configuration of the application itest.
A configuration example:
Command: Task
Configure the Ethernet address of the
Router#(config)#interface fastethernet0
router.
Router(config-if-fastethernet0)#ip address 10.1.1.1
255.0.0.0
Router(config)#interface serial0/0
Router(config-if-serial0/0)#physical-layer sync Configure the synchronous mode.
Router(config-if-serial0/0)#clock rate 9600 Set the clock rate as 9600.
The interface is encapsulated with the
Router(config-if-serial0/0)#encapsulation x25
X.25 protocol.
Router(config-if-serial0/0)#x25 dte Configure the X.25 dte mode.
Configure the X.121 address as
Router(config-if-serial0/0)#x25 address 1234567
1234567.
Router (config) #terminal template maipu Configure the template maipu.
The local address of the template is
Router (config-terminal-template) #terminal local 10.1.1.1
10.1.1.1.
The remote address of the terminal
Router (config-terminal-template) #terminal remote 1 fix-
adopting the fix-terminal service is
terminal 10.1.2.1 fix-terminal
10.1.2.1.
Router (config-terminal-template) #terminal remote 2 The remote address of the terminal
Telnet 10.1.3.1 telnet adopting the telnet service is 10.1. 3.1.
Router (config-terminal-template) #terminal remote 3 The remote address of the terminal
Rlogin 10.1.4.1 rlogin adopting the rlogin service is 10.1.4.1.
Router (config-terminal-template) #exit

Router (config) #terminal 7654321 maipu 1 1 The x.121 address of the remote x.25
equipment is 7654321, and the name of
the template used by the terminal is
maipu, terminal com is 1 and terminal
ter is 1.
10.3.1.5 The Related Debugging Commands of the X.3 PAD Terminal
debug x25 pad {packet | event }
show terminal
10.3.2 Configuring UNIX Server
This section mainly describes how to configure the application Itest and UNIX configuration parameters to realize the fix-
terminal logon and other related functions. And its main contents are listed as follows:
Configuring Itest parameters
Configuring SCO UNIX
Configuring AIX UNIX
Configuring SUN UNIX
Configuring HP UNIX
Configuring UNIX kernel parameters
Configuring TELNET fix-terminal
Managing Itest terminal
10.3.2.1 Configuring Itest Parameters
When a terminal works in the fix-terminal mode, the UNIX server must be configured, so that the terminal can establish
the correct TCP connection with the UNIX server to achieve the service for the remote terminal. Like the terminal that adopts
the telnet mode to log in, the terminal that adopts the fix-terminal mode to log in the UNIX server occupies the UNIX virtual
equipment number (the number in the SCO system is ttypxx.). There exists the difference between them. The telnet daemon,
according to the logon precedence, distributes the idle ttypxx equipment numbers (from small to large) to these terminals,
simultaneously, sends them to the login interface. And the fix-terminal daemon, according to the configuration, distributes he
idle ttypxx equipment numbers to the terminals that logs in from the corresponding physical interfaces, so as to achieve the
fixation of the terminal numbers; besides this, when the terminals logs in, the system manager, by means of the configuration,
can decide whether to send the login interface to the terminals or send the application interface to the terminals.
The name of the fix-terminal service application is Itest (itest.sco, itest.aix, itest.sun and itest.hp are respectively in the
service of SCO,AIX, SUN and HP systems. Here the foregoing application are called by a joint name Itest).
To cooperate with Terminal and MPDLC, the version of the application itest must be V4.0 or higher. The format of enabling
the itest process is described as follows:
UNIXÏitest –[ Parameter name] –[Parameter name] …
And the meaning of the related parameters can be examined by the command itest -h:
Parameter Meaning
-c confile Set the configuration file of itest, and the default is /ect/itest.conf.
Set the maximum number of the login terminals that itest can accept, and the
-n max_term
default is 256.
-p port Set the port number of the itest program service, and the default is 3051.
Set the port number of the itest program management port, and the default is
-m mng_port
3055. Enter the itest managing interface through the access to the port.
-g neg_port Designate the itest log file, the default is /tmp/itest.log.
Define the exit_key for the terminal. For example, use “itest –x 1:1:1” when
-l log_file starting itest, then after pressing CTRL-A-A-A on the terminal, the terminal will
exit.
The timeout the data read from the network is written towards the application
-x exit_key
program (the default is 1 second). Discard it when the time expires.
Shut down the terminal regularly, and make the terminal become invalid within
-w discard_time
the given time.
Configure the identification authentication for the user to enter the management
interface, and there exists no identification authentication by default. The user
-T time_file
name and password used for the identification authentication is that of the
system.
Establish a new session after each time of connection. If the configuration in
-s /ect/inittab is respawn, this option should be selected; if the configuration is off,
then this option should not be selected.
-N Set the configuration file of itest, and the default is /ect/itest.conf.
Each time the terminal is connected or disconnected, the previous invalid

-K
terminal process should be cleaned.
Send out the login interface automatically without the need to configure the table
-o
initial.
-r Open the screen redraw function.
After the screen redraw function is enabled, designate the terminal screen row
-i cr_lines number, which generally is the default value Ïthe default value of vt100 is
24Èthe default value of ansi is 25Ð
After the screen redraw function is enabled, designate the redraw key, which is a
hexadecimal number and split by “:” (For example, 1b: 5b: 67:45), and whose
-k redraw_key default value is 0x12 (^R). Recommend that at least 3 characters be used to
avoid the confliction with the data sent by the equipments, such as a POS
machine.
-M keymap_file Transform the meanings of the character sent by the terminal.
-t Examine some UNIX parameters relevant with the itest running.
-h Examine the itest parameter information.
NoteÖ
1) It is recommended that the two parameters –N and –K be used simultaneously in the execution mode itest –NK. Its
function is to clean the previous process when the terminal logs in again. These two parameters have a certain relation with
the application. And Industrial and Commercial Bank transaction system had better not employ the parameters.
2) The parameterér is used to enable the function of screen redraw. When the terminal switches among the different
services, the function can save the contents of the current screen before switching. To realize the function, the shared memory
of the Unix server should be at least 1.5M. If there appears "...shmget error:Invalid argument” when itest-r is executed, the
following configuration is necessary: to execute “admin--Hardware/Kernel manager—Kernel | Tune Parameters-- 16.Shared
data” to modify the parameter SHMMAXäthe shared memoryå and the value of 2000000(bytes) is recommended. After
configuring the parameter –r, you can adopt “ctrl + R” to manually refresh the screen on the terminal.
3) Parameter –TöIn the view of system security, Itest can provide a function of regularly closing a terminal. In this way,
the terminal can be invalid in the specified time. The user need define a configuration file time.conf, whose format is
all 12:00 13:00 18:00 20:00
All terminals are invalid in 12:00-13:00 and 18:00-20:0. (Up to five time segments can be specified.)
ttyp11:ttyp12 12:00 13:00 The tow terminals ( ttyp11 and ttyp12) are invalid in 12:00-13:00.
When starting Itest, the parameter –T need be specify the file time.conf.
itest –T time.conf
4) Parameter –M: Transform the characters sent by the terminal to other characters according to the corresponding
configuration. And you need define a configuration file keymap.conf , whose format is described as follows:
File format Meanings
4f:50 1b:4f:50 Transform the character 4f:50 to 1b:4f:50.
4f:51 1b:4f:51 Transform the character 4f:51 to 1b:4f:51.
When starting Itest, the parameter –M need be used to specify the file keymap.conf.
itest –M keymap.conf
5) Parameters éc ép ém ég: These parameters are respectively used to specify the configuration files and
program ports for starting itest. Different configuration files and program ports can be used to start multiple Itests.
Command Times
Itest The first time
Itest –c /ect/itest.conf2 –p 3052 –m 3056 –g 3652 –l /tmp/itest.log2 The second time
Thereinto, when starting Itest for the first time, no parameter is specified and the default mode is employed:
Configuration file: /ect/itest.conf
Service port: 3051
Management port: 3055
Negotiation port: 3651
Log port: /tmp/itest.log
When starting Itest for the second time, the following mode is specified:
Configuration file:/ect/itest.conf2
Service port: 3052
Management port: 3056
Negotiation port: 3652
Log port: /tmp/itest.log2
The corresponding configuration files are listed as follows:
Configuration File name
/dev/ttyp11 1.1.1.1 com1 term1 /ect/itest.conf
/dev/ttyp21 1.1.1.1 com1 term1 /ect/itest.conf2
The terminal configuration template of the terminal server are configured as follows:
terminal remote 0 fix1 129.255.24.100 fix-erminal
terminal remote 1 fix2 129.255.24.100 fix-terminal 3052 negotiate-port 3652
6) The usage of Itest timing.
In view of system security, Itest can also provide the powerful ability of time-control that can be used to limit the
working hours and non-working hours. To use the function, you firstly add the configuration of time-access list into the
configuration file itest.conf. And the basic format of the time-access list is listed as follows:
Keyword ID Actio Starting/Ending Starting/Ending Starting/Ending
Number n day/month/year day of week minute/hour
access-list 1 permit 2004.xx.xx-2004.xx.xx 1-5 08:00-12:00
The meaning of each field is described as follows:
Field name Meanings
Keyword It indicates that this row is the configuration of the time-control access.
ID Number The ID number of the time-control access list. The number must be more than 0. And
multiple access lists can use the same ID number. In this way, these access lists can
compose a access list-group and work together.
Action The action can be either Permit or Deny, indicating that the terminal that uses the time-
control list is permitted to go on working or disconnected in the time meeting the
configuration.
Starting/Ending The starting/ending day/month/year is divided by “.”. “X” means any day/month/year.
day/month/year For example, xxxx.5.1 represents 1st may of any year, and 2004.xx.1 represents the first
day of any month in 2004.
Starting/Ending day of The starting day of week and the ending day of week is divided by “-”. “X” means any
week day from Monday to Sunday. For example, “1-5” represents the days from Monday to
Friday.
Starting/Ending The starting time and the ending time is divided by “-”. For example 08:00-12:00
minute/hour represents the time from 8:00am to 12:00am, and 13:30-17:30 represents the time from
13:30pm to 17:30pm.
After the time access-control list is added into the configuration itest.conf, the time control of the terminal can be performed
as long as “acl=xxx” is added behind the configuration corresponding to the terminal to be controlled.
For a group ACL with the same ID, its configuration order is from up to down. The first item of the group takes the leading
effect. It the item matches unsuccessfully, the default action is “Deny”. So the item of stricter time control should be placed
at the front of the group. The terminal to which no ACL is specified can work any time.
The following example represents that the working time of the terminal ttyp5 is 8:00am~18:00pm of Monday ~ Friday,
9:00am~16:00pm of Saturday ~ Sunday, 9:00am~16:00pm in the 7-day holiday of Labor/National Day.
/dev/ttyp5 16.54.1.22 com1 term acl=7

The configuration of other terminals are listed as follows:

access-list 7 deny xxxx.05.01-xxxx.05.07 x-x 00:00-09:00
access-list 7 deny xxxx.05.01-xxxx.05.07 x-x 17:00-23:59
access-list 7 deny xxxx.xx.xx -xxxx.xx.xx 6-7 00:00-09:00
access-list 7 deny xxxx.xx.xx -xxxx.xx.xx 6-7 17:00-23:59
acccess-list 7 permit xxxx.xx.xx-xxxx.xx.xx 1-5 08:00-18:00
10.3.2.2 Configuring SCO UNIX

The default number of SCO UNIX virtual terminals is 64. To increase the number, execute the command netconfig
to modify the SCO TCP/IP parameters:
Syntax Description
The value is the maximum number of the UNIX system virtual
Pseudo ttys: 256 terminals, and it must be more than the number of the really
existing terminals.
Copy the fix-terminal service program itest.sco and place the copy into the directory “/ect”. If the copy is sent out
through ftp, it must adopt the binary mode.
Syntax Description
chmod 744 itest.sco Add the right to execute it to the user root.
Add the following sentences to the file /ect/rc.d/8/userdef. In this way, when starting, the system will start
itest.sco automatically.
Syntax Description
echo MP-Router Itest starting … The prompt information at
the time of startup
/ect/itest.sco Execute itest.sco.
route add –net 128.255.130.0 –netmask 255.255.255.0 16.28.3.4 The route added into the
router.
Note:
The italic sections of the command route add –net are the addresses of the network segment, at which the router is
located, and the IP address of the up-end router connecting with the network fragment, and its aim is to add a route to the
router to the UNIX server. The factual configuration depends on your concrete network address and IP address.
Create and configure the table itest.conf, then place it at the directory /ect for itest to distribute the terminal
numbers. And its format is listed as follows:
/dev/ttyp11 128.255.130.254 com1 term1
…… …… …… ……
/dev/ttyp18 128.255.130.254 com8 term1
/dev/ttyp21 128.255.130.254 com9 term1
…… …… …… ……
/dev/ttyp28 128.255.130.254 com16 term1
NoteÖ
The meaning of each field in the table above is described as follows:
Fields Meaning
/dev/ttyp11 It is the terminal equipment number distributed for the corresponding
physical port, and the number must exist in the directory “/dev”.
128.255.130.254 The IP address of the router connecting with the terminal (namely the local
address configured on the terminal server)
The serial-interface number (consistent with the value of COM that is
com1
displayed by means of the command show terminal)
The terminal number (consistent with the value of TERM that is displayed
term1
by means of the command show terminal)
Configure the table “/ect/inittab” so as to determine whether to send the login interface to the terminal.
p11:234:respawn:/ect/getty /dev/ttyp11 m
p12:234:off:/ect/getty /dev/ttyp12 m
……
Note:
Field Meaning
p11 The ID domain. It can be defined by users and serve as the parameter
following enable/disable. The manager can use the enable ID to
activate this terminal and send the login interface.
234 The operation level. It specifies that when running in system running
levels 2,3,4, the sentence is valid.
respawn/off The action domain. When users adopt the login mode to log in, the
domain need be configured as respawn, and when users want to send
an application interface to the terminal, the domain need be
configured as off.
/ect/getty /dev/ttyp11 m The command domain. It specifies some action executed for some
port-number. In this example, the login interface is sent to the
terminal ttyp11, and m indicates that the terminal speed is 9600.
Configure the table /ect/ttytype so as to provide the terminal type configuration for application programs. The
format is listed as follows:
Terminal type Terminal number
Vt100 ttyp11
Ansi ttyp21
10.3.2.3 Configuring AIX UNIX
Increase the number of the BSD-style pseudo terminals:
MeansæUse the command smit—Devices—Pty—Change/show Characteristies …— to modify the number of the
BSD-style pseudo terminals more than the number of the really used terminals.
Copy the fix-terminal service program itest.aix and place the copy into the directory “/ect”. If the copy is sent out
Command Description
Add the right to execute it to the user
chmod 744 itest. aix
root.
Add the following sentences to the file /ect/rc.tcpip. In this way, when starting, the system will start itest.aix
automatically.
Command Description
The prompt information at the time of
echo MP-Router Itest starting …
startup
/ect/itest.aix Execute itest.aix.
route add –net 128.255.130.0 –netmask 255.255.255.0
The route added to the router.
16.28.3.4
Note:
The italic sections of the command route add –net are the address of the network fragment at which the router is
located and the IP address of the up-end router connecting with the network segment, and the aim of this section is to add a
route to the router to the UNIX server. And the factual configuration depends on your concrete network address and IP
address.
Create and configure the table itest.conf, then place it into the directory /ect for itest to distribute the terminal
numbers. Its format is as follows:
/dev/ttyq0 128.255.130.254 com1 term1
…… …… …… ……
/dev/ttyq7 128.255.130.254 com8 term1
/dev/ttyq8 128.255.130.254 com9 term1
…… …… …… ……
/dev/ttyqf 128.255.130.254 com16 term1
NoteÖ
Field Meaning
It is the terminal equipment number distributed to the corresponding
/dev/ttyq0
physical port, and it must exist in the directory /dev.
The IP address of the router connecting with the terminal (namely the local
128.255.130.254
address configured on the router)
com1
The terminal number (consistent with the value of TERM that is displayed
term1
by means of the command show terminal)
Configure the table /ect/inittab so as to determine whether to send the login interface to the terminal:
Q1:234:respawn:/usr/sbin/getty /dev/ttyq1
Q2:234:off:/usr/sbin/getty /dev/ttyq2
……
NoteÖ
Field Meaning
The ID domain. It can be defined by users and serve as the parameter
Q1 following penable/pdisable×The manager can use the penable ID to
The operation level. It specifies that when running in system running levels
234
2,3,4, the sentence is valid.
The action domain. When users adopt the login mode to log in, the domain
respawn/off need be configured as respawn, and when users want to send an application
interface to the terminal, the domain need be configured as off.
/usr/sbin/getty The command domain. It specifies some action executed for some port-
/dev/ttypq1 number. In this example, the login interface is sent to the terminal ttyp11.
Configure the table /ect/ttytype so as to provide the terminal type configuration for applications. The format is
Vt100 ttyq1
Ansi ttyq2
……
10.3.2.4 Configuring SUN UNIX
Increase the number of the SUN system pseudo terminals. The default number of the SUN system pseudo
terminals is 48. To increase the number, you can do according to the following steps (in this example, increasing
the pseudo terminal number to 128):
A. Adding this line set npty=128 at the place of the file /ect/system where the core variable is
changed.
B. Edit the file /ect/iu.ap, and modify ptsl 0 47 ldterm ttcompat as ptsl 0 127 ldterm ttcompat.
C. Execute the command boot –r to restart the system.
Copy the fix-terminal service program itest.sun and place the copy into the directory /ect. If the copy is sent out
Command Description
chmod 744 itest.sun Add the right to execute it to the user root.
Add a startup execution file Sitest (Noticing the capital letter S) into the directory of /ect/rc3.d, and add the right to
execute it so that the fix-terminal service program itest.sun can start when the system starts. The contents of the
file are described as follows:
Command Description
echo MP-Router Itest starting … The prompt information at the time of startup
/ect/itest.sun Execute itest.sun.
route add –net 128.255.130.0 – Add the route to the router/terminal server.
netmask 255.255.255.0 16.28.3.4
NoteÖ
1) The italic sections of the command route add –net are the address of the network fragment at which the router is
located and the IP address of the up-end router connecting with the network segment, and the aim of this section is to add a
route to the router to the UNIX server. And the factual configuration depends on your concrete network address and IP
address.
2) In the SUN system, when the types of machines are different, some files may well run abnormally. The corresponding
execution file need be regenerated according to its type. To do it, please communicate with the technical staff of our company.
numbers. Its format is listed as follows:Ö
/dev/ttyq0 128.255.130.254 com1 term1
…… …… …… ……
/dev/ttyq7 128.255.130.254 com8 term1
/dev/ttyq8 128.255.130.254 com9 term1
…… …… …… ……
NoteÖ
Field Meaning
It is the terminal equipment number distributed for the corresponding
/dev/ttyq0
The IP address of the router connecting with the terminal (namely the
128.255.130.254
local address configured on the terminal server)
com1
The terminal number (consistent with the value of TERM that is
term1
Configure the table /ect/inittab so as to determine whether to send the login interface to the terminal.
Q1:234:respawn:/usr/lib/saf/ttymon –g –h –p “ùname –n`login: ” -T ansi –d /dev/ttyq1
Q2:234:off:/usr/lib/saf/ttymon –g –h –p “ùname –n`login: ” -T ansi –d /dev/ttyq2
……
NoteÖ
Field Meaning
Q1 The ID domain. It can be defined by users and serve as the parameter
following penable/pdisable×The manager can use the penable ID to
an application interface to the terminal, the domain need be configured
as off.
/usr/lib/saf/ttymon –g –h –p The command domain. It specifies some action executed for some
“ùname –n`login: ” -T ansi port-number. In this example, the login interface is sent to the terminal
–d /dev/ttyq1 ttyp11. (“`” of “ùname –n`” is not a single quotation marks but an
inverse single quotation marks)
Configure the table /ect/ttytype so as to provide the terminal type configuration for applications. The format is
Vt100 ttyq1
Ansi ttyq2
10.3.2.5 Configuring HP UNIX
Increase the number of the HP system pseudo terminals. To increase the number of the system pseudo terminals,
you can do according to the following steps (in this example, increasing the pseudo terminal number to 128):
Use the command smitty and select “Devices Æ PtyÆChange/Show Characteristies”, modify the number of the
BSD-style pseudo terminals as 128.
Copy the fix-terminal service program itest.hp and place the copy into the directory /ect. If the copy is sent out
Command Description
chmod 744 itest.sun Add the right to execute it to the user root.
NoteÖ
In the HP system, when the types of machines are different, some files may well run abnormally. The corresponding
execution file need be regenerated according to its type. To do it, please communicate with the technical staff of our company.
Add a sentence into startup execution file /sbin/rc so that the fix-terminal service program itest.hp can start when
the system starts. The added contents are described as follows:
Command Description
echo MP-Router Itest starting … The prompt information at the time of startup
/ect/itest.hp Execute itest.hp.
numbers. Its format is listed as follows:Ö
/dev/ttyq0 128.255.130.254 com1 term1
…… …… …… ……
/dev/ttyq7 128.255.130.254 com8 term1
/dev/ttyq8 128.255.130.254 com9 term1
…… …… …… ……
NoteÖ
Field Meaning
It is the terminal equipment number distributed for the corresponding
/dev/ttyq0
The IP address of the router connecting with the terminal (namely the
128.255.130.254
local address configured on the terminal server)
com1
The terminal number (consistent with the value of TERM that is
term1
Configure the table /ect/inittab so as to determine whether to send the login interface to the terminal.
Q1:234:respawn:/usr/lib/saf/ttymon –g –h –p “ùname –n`login: ” -T ansi –d /dev/ttyq1
Q2:234:off:/usr/lib/saf/ttymon –g –h –p “ùname –n`login: ” -T ansi –d /dev/ttyq2
……
NoteÖ
Field Meaning
Q1 The ID domain. It can be defined by users and serve as the parameter
following penable/pdisable×The manager can use the penable ID to
an application interface to the terminal, the domain need be configured
as off.
/usr/lib/saf/ttymon –g –h –p The command domain. It specifies some action executed for some
“ùname –n`login: ” -T ansi port-number. In this example, the login interface is sent to the terminal
–d /dev/ttyq1 ttyp11. (“`” of “ùname –n`” is not a single quotation marks but an
inverse single quotation marks)
Notice:
After some kernel parameters are changed in some Unix systems (such as the SCO system), the kernel parameters need
to be reconnected. Because each time the kernel is reconnected, the system will use “/ect/conf/cf.d/init.base” to conver
init.base automatically, and and the manual configuration of the table will be lost. Thereby, after finishing the configuration,
you should backup the table inittab. As long as you copy the table inittab to cover init.base, then the inittab configuration
will not be lost when the system reconnects
In the course t, after itest started up, the modification made in the table itest.conf can not take effect immediately unless
using the command refresh in the managing mode
Whenever the configuration of the table inittab has been modified, to make the modification take effect in the situation
UNIX doesn’t restart, you must use the command init q to make the system scan the table again.
Once some Unix systems start up, they will occupy the pseudo terminals. So when the table itest.conf is configured, the
pseudo terminal number should start behind the pseudo terminal number occupied by the system. And it is recommended that
some numbers should be reserved.
10.3.2.6 Adjusting UNIX Kernel Parameters
When many terminals are connected with the UNIX server and there exist many services, it may occur that the default kernel
resource of the server isn’t enough, which will result in various kinds of bugs. To ensure the system to run securely and
reliably, each kernel parameter of the UNIX server need be reconfigured and the distributed quantity of the relevant resource
should be increased.
Take how to adjust default kernel resource of the SCO UNIX 5 as an example:
Run netconfig and modify the two SCO parameters included by TCP/IP
Parameter Meaning
The maximum connection number. In the version itest v3, each Itest
TCP connections :
terminal occupies a TCP connection after login. Because other system
1024 applications can also occupy TCP connections, so it is recommended that
the parameter value is configured as more than 1024.
The number of the system virtual terminals. It is recommended that the
Pseudo ttys Ö256
number is more than 256.
Run the command scoadmin-Hardware/Kernel Manager-Kernel|Tune Parameters… to enter the menu of the core
parameters setting:
Select 7. Use the command User and group configuration to modify the following parameters:
Parameter Meaning
The maximum number of the files each process can open. For every
terminal in the version itest v3, after the terminal logs in, the number of
NOFILES
the files opened by the process itest increases 2. It is recommended that
the parameter should be 3 times of the number of terminals.
The maximum number of the processes. Because the system itself
MAXUP occupies some processes, it is recommended that the parameter value
should be more than 800.
Select 12. Use the command Streams to modify the following parameters:
Parameter Meaning
The number of the stream header structures. If there are more than 150
NSTREAM terminals to be configured, it is recommend that the parameter should be
configured as 6000.
The number of the pages. 4k per page. If there are more than 150
NSTRPAGES terminals to be configured, it is recommend that the parameter should be
configured as 3000.
If this value is too little, the stream buffer of the system will become
STRSPLITFRAC scraps soon. So it is recommend that the parameter should be configured
as 80.
Select 3. Use the command TTYs to modify the following parameters:
Parameter Meaning
The number of the character table buffers. it is recommend that the
NCLIST
parameter should be configured as 2048.
Notice:
The command netstat –m can be executed to examine the usage of the system stream resource. When some item occurs
FAIL, the values of the parameters NSTREAM and NSTRPAGES need be increased.
When there exists the prompt “Too many open files” in /tmp/itest.log, the value of the parameter NOFILES need be
increased.
10.3.2.7 TELNET Fix-terminal
To realize the fixation of terminal equipment-number for TELNET, use the function of TELNET fix-terminal. For example,
to fix the connection that adopts the telnet mode between 128.255.2.2 and the service port of Itest as “ttyp21”, add the
following row of configuration to the configuration file itest.conf:
/dev/ttyp21 128.255.2.2 comx termx
Notice that what following com and term must be “x”. and the other configuration (such as the configuration of the table
inittab) is the same as that in the fix-terminal mode.
To telnet the fix-terminal from the rotuer, add the option telnet into the template configuration of the router. And Itest service
port 3051 need also be added. For example:
terminal remote 5 tel 129.255.11.110 telnet 3051
To telnet the fix-terminal from a PC, execute the following command:
telnet 129.255.11.110 3051
multiple terminals can be distributed to one IP address. For example, use the following the command to distribute
ttyp21Øttyp22 and ttyp30 to 128.255.8.8:
NoteÖ
When multiple telnet terminals are distributed to one IP address, it can be realized that only network terminal
equipments can be fixed.
10.3.2.8 Itest Terminal Management
Itest is a multi-process service program that brings some difficulties for process management, so the management control is
enhanced in the program. The management process of itest runs on the TCP interface 3055(Use the parameter -m to specify
other port) and enters the management mode.
Execute on the Unix:
telnet localhost 3055
telnet 127.0.0.1 3055
Execute on the remote terminal:
telnet ip-address 3055 Ip_addr is the IP address of the UNIX server.
By default, no username or password need be input for logging in the management port. To limit login,
In the default situation, a user can log in the managing port without inputting the user name and password. The command
itest –s can be used to limit users logging in when itest starts. In this way, when a user wants to log in the management port,
he will be asked to input his user name and password. Different users have different management rights, while the user root
have all rights.
After the user enters the management mode, the prompt itest> is displayed; and the command help can be used to examine
the command format:
Command Description
help Display the command and the simple prompt.
task Display the status of each task.
kill Kill the terminal process (This command can be executed only
by the root user).
disable Disable a certain terminal.
enable Enable a certain terminal.
term Display all the effective configuration read from the file
itest.conf.
pid Display the process number corresponding to each terminal.
time Display the configuration of shutting down a terminal
regularly.
refresh Refresh the file itest.conf. The command of itest4.5 or higher
version can support adding/deleting/modifying the contents of
itest.conf. And the command of previous version can only
support adding the contents of itest.conf.
debug Monitor the terminal information.
undebug Stop monitoring the terminal information.
stop Stop the itest service, namely killing all the itest processes
(This command can be executed only by the root user).
exit Exit from the management mode, but the service itest still
goes on operating.
NoteÖ
1) The command killökill {pid | dev_name | A.B.C.D}

If the equipment number of some terminal is pty53 and the corresponding process number is 2045 (can be known by
means of using the command ‘pid’), the command kill p53 or kill 2045 can be used to kill the terminal process.
To kill all the terminal processes of some IP address (Assuming that the IP address is 196.77.8.2), the command kill
196.77.8.2 can be used to do it.
2) The command debugödebug ptypXX
Its debug information is written into the file /tmp/itest_dbg/ttypXX. This can be examined by the commands, such as
more, vi, cat, and etc.í
10.4 Comparison of New/ Old Version of IOS Configuration
10.4.1 The Comparison of Terminal Number Distribution
For Maipu router, the distribution of COM/TERM number corresponding to V2.X.X or previous version of terminals is
different from that of V3.X.X or higher version. It is noticeable that the corresponding contents of the file itest.conf should be
configured according to the COM/TERM number distributed to each interface. For V.X.X or higher version of IOS, the
following two modes can be used to get the COM/TERM number distributed to an interface:
The fist mode: after the interface is encapsulated with the terminal protocol, the command show interface <> can be used to
examine the COM/TERM number:
For exampleæmp2600#show intface s1/0
serial1/0:
Flags: (0xd0) DOWN POINT-TO-POINT TRAILERS RUNNING
Type: TERMINAL
Queue strategy: FIFO , Output queue: 0/40 (current/max packets)
………
TERMINAL STATE: CLOSE, Flag = 0x0, COM 34, TERM 1
……….
The second mode: after the interface is encapsulated with the terminal protocol and executes the terminal template, the
command show terminal <> can be used to examine the COM/TERM number:
mp2600#shos terminal
TermService version: 2.41
--------------------------------------------------------------------
Interface Type COM/TERM State Template RH-State
[0123456789]
--------------------------------------------------------------------
1: async4/0 T 1/1 WAITING itest43 D DDDDDDD
2: async4/1 T 2/1 WAITING itest43 D DDDDDDD
3: serial1/0 T 34/1 CLOSE
--------------------------------------------------------------------
Type: T - Terminal, M - MPDLC
RH-State: D - DISCONNECT, C - CONNECTING, * - CONNECT
10.4.2 The Comparison of Interface Configuration
For the new version, after the interface is encapsulated with the terminal protocol, the command tx-on dsr will be added
automatically. And the command can be removed by means of using the command no tx-on dsr. Notice that when the
terminal interface is the modem interface or the interface connects with the external modem the command is tx-on dcd
instead of tx-on dsr.
10.4.3 The Configuration of Itest.conf Adopting Encryption and Compression
Itest4.2 or higher version of Itest can support data encryption and compression. The configuration of the router can refer to
section 1.1.1. For the configuration of itest.conf on the Unix server, the following configuration need be added (Be care of
case sensitive):
Data encryption: Add “keyéx” behind comx termx of the file itest.conf. For example:
/dev/ttyp21 128.255.130.254 com9 term1 keyÙa
Data compression: Add compress behind comx termx of the file itest.conf. For example:
/dev/ttyp18 128.255.130.254 com8 term1 compress
Data encryption and compression: Add both “keyéx” and compress behind comx termx of the file itest.conf.(There
exists no requirement to the order of the added items) For example:
Encryption compression and address authentication: Add both “keyéx”, compress and mac behind comx termx
of the file itest.conf.(There exists no requirement to the order of the added items) For example:
/dev/ttyp11 128.255.130.254 com1 term1 compress keyÙa mac 3601000004d9
An integrated example:
/dev/ttyp11 128.255.130.254 com1 term1 compress keyÙa mac 00017a00a792
…… …… …… ……
/dev/ttyp18 128.255.130.254 com8 term1 compress key=a
/dev/ttyp21 128.255.130.254 com9 term1 keyÙa
…… …… …… ……
10.4.4 Examples of New/Old Configuration of Maipu Router
A configuration file in the old configuration mode:
mp2600# show running-config
….
line 0 15 mode terminal
….
line 0 15 flowctl soft 180
terminal 0 15 local 129.255.8.43
terminal 0 15 remote 0 unix-1 129.255.24.100 fix-terminal authentication
terminal 0 15 host 0 hesc-chars 8
terminal 0 15 hesc-chars 1
terminal 0 15 redraw console \E!9Q
terminal 0 15 redraw 0 \E!10Q
terminal 0 15 rbufsize 1024
terminal 0 15 tbufsize 2048
terminal 0 15 rx-delay on
terminal 0 15 print off
terminal 0 15 auto-linking 0
terminal 0 15 enable
A configuration file in the new configuration mode:
The interface is configured as follows:
mp2600#sho run int a4/0
Building Configuration...
Current configuration:
interface async4/0
speed 9600
databits 8
stopbits 1
parity none
tx-on dsr
exit
The terminal template is configured as follows:
terminal template itest43
terminal local 129.255.8.43
terminal remote 0 unix-1 129.255.24.100 fix-terminal authentication compress encrypt a
terminal remote 1 telnet-unix 129.255.24.100 telnet
terminal remote 2 rlogin-unix 129.255.24.100 rlogin
terminal hesc-chars 1
terminal host 0 hesc-char C
terminal host 1 hesc-char P
terminal host 2 hesc-char V
terminal redraw console \E!8Q
terminal redraw 0 \E!9Q
terminal redraw 1 \E!11Q
terminal rbufsize 4096
terminal tbufsize 10000
terminal retry-times 6
terminal rx-delay on
exit
Apply the template to the interface:
terminal apply itest43 async4/0 async4/15
Chapter 11 Security Configuration
This chapter will describe how to operate the security configuration of your MP2600 Router.
Maipu Networks Routers offer comprehensive network security features like:
1. PPP protocol supports (PAP and CHAP), which effectively prevents unauthorized connections.
2. Callback technology.
3. An IP protocol layer providing firewall protection, which filters unauthorized data packets.
4. Network Address Translation (NAT), which can hide your interior network and prevent exterior network attacks.
5. Access Control Lists (ACL), which can sort end users into up to 15 different classes depending on your needs. These
lists register a different series of commands available to individual users. They ensure that users with different rights will
only be able to access certain commands.
6. Encryption and key exchange technologies
11.1 Firewall Configuration

This section will look at:
Access Lists
Correlative Firewall Configuration
Applying Access Lists To An Interface
Monitoring And Maintaining Your Firewall
Access Channel Configuration
Time Limit Packet Filtering
Media Access Control (MAC) Address Packet Filtering
A Few Points About Firewall Configuration
Examples
11.1.1 Access Lists
A. How To Edit A Standard Access List
A standard access list can filter your network communications based on packet header source addresses. You can define a
standard access list with within the access-list command, and delete it at any time by placing the no command in front of the
command in global configuration mode.
router(config)#access-list ?
Command Description
<1001_2000> The number range used in an extended access list.
<1_1000> The number range used in a standard access list.
router(config)#access-list 1 ?
Command Description
Deny Denies access.
Permit Permits access.
router(config)#access-list 1 deny ?
Command Description
A.B.C.D The format of the source address
Any The short form of the source address 0.0.0.0 and
the source address wildcard 255.255.255.255
Host The short form of the source address 0.0.0.0.
router(config)#access-list 1 deny A.B.C.D ?
Command Description
A.B.C.D Wildcards applied to source address are
expressed with dotted decimal notation. This
masks rebel code. If a bit is marked 1, that
means that the bit is indifferent.
router(config)#access-list 1 deny A.B.C.D a.b.c.d ?
Command Description
Log Logs output to the console about the access list.
This is an optional function.
To define a standard access list:
router(config)#access-list access-list-number list number, number<1_1000> for a standard access list
Command Description
{deny | permit} source [source-wildcard] [log] Source: the source address.
Source-wildcard: the source address’s wildcard.
Deleting an access list:
Command Description
router(config)#no access-list list-number This deletes an access list.
List-number: the deleted access list’s number.
You can define a standard access list named after a title or serial number with the following codes:
(You can delete this list by placing no in front of the command code part that’s in bold type.)
router(config)#ip access-list ?
Command Description
Extended Designates an extended access list definition.
Standard Designating a standard access list definition.
router(config)#ip access-list standard ?
Command Description
<1_1000> List number
WORD List name
Command Description
router(config)#ip access-list standard 1 Enters the access list configuration mode.
router(config-std-nacl)#?
Command Description
Deny Denies access, if the conditions in the access list
aren’t successfully met.
End
Exit
Help
No
Permit Permits access, if conditions in the access list are
successfully met.
router(config-std-nacl)#deny ?
Command Description
A.B.C.D Source address.
Any Source address 0.0.0.0 255.255.255.255
Host Source address 0.0.0.0
router(config-std-nacl)#deny A.B.C.D ?
Command Description
A.B.C.D The wildcard applied to the source address.
router(config-std-nacl)#deny A.B.C.D a.b.c.d ?

Command Description
Log Logs output to the console about the access list.
This is an optional function.
Command Description
router(config)#ip access-list standard {name | Defines a standard access list in global
access-list-number} configuration mode.
router(config-std-nacl)#{deny | permit} source Defines a rule in the list in access list
[source-wildcard] [log] configuration mode.
router(config-std-nacl)#no {deny | permit} source Deletes a rule from the list
[source-wildcard] [log]
Example: Construct an access list named number 2 (see following table), then define three rule items and apply this list 2 to
Ethernet interface 0. Among the packets from Ethernet interface 0, those packets that come from the host 92.49.0.3 in the
subnet 92.49.0.0 will be allowed. All the packets from any host within the subnet 92.48.00 will be permitted, too. All
others will be denied.
Command Task
router(config)# access-list 2 permit host 92.49.0.3 Permits the packets from the host IP 92.49.0.3
log in the subnet 92.49.0.0.
router(config)# access-list 2 permit 92.48.0.0 Permits all packets from any host in the subnet
0.0.255.255 92.48.0.0.
router(config)# access-list 2 deny any Denies other packets.
router(config)# interface ethernet 0
router(config-if-ethernet)# ip access-group 2 in Applies list 2 to Ethernet interface 0.
The following commands have the same effect:

Command Task
router(config)# ip access-list standard 2
router(config-std-nacl)# permit host 92.49.0.3 log Permits the packets from the host IP
92.49.0.3 in the subnet 92.49.0.0.
router(config-std-nacl)# permit 92.48.0.0 Permit all packets from any host in the subnet
0.0.255.255 92.48.0.0.
router(config-std-nacl)# deny any Denies other packets.
router(config-std-nacl)# exit
router(config-if-ethernet)# ip access-group 2 in Applies list number 2 to Ethernet interface 0.
Use the following series of commands when only one rule is to be deleted:
Command Task
router(config)# ip access-list standard 2
router(config-std-nacl)# no permit host 92.49.0.3 log
router(config-std-nacl)# exit
B. How To Edit An Extended Access List
An extended access list can be used to filter IP communications not only according to the source address and the destination
address of the packet header, but also according to the fields included into the IP, UDP, TCP, ICMP and IGMP packet
headers.
The command router71(config)#access-list 1001 ? 1001-2000 indicates an extended access list.
Command Description
Deny Denies access.
router(config)#access-list 1001 deny ?

Command Description
<0_255> Number showing ALL kinds of protocols
ICMP Internet Control Message Protocol (ICMP)
IGMP Internet Group Management Protocol (IGMP)
IP All Internet Protocols
TCP Translation Control Protocol (TCP)
UDP User Data Protocol (UDP)
You can define an extended access list on a number in extended access-list format.
You can delete the list with the no command in global configuration mode.
access-list access-list-number {deny | permit} protocol source source-wildcard [operator port [port]] ] destination
destination-wildcard [ICMP-type] [igMP-type] [operator port [port]] [ack / fin / established / psh / rst / syn / urg] [precedence
precedence] [tos tos] [log]
Syntax Description
Access list number List number
Protocol Protocol
Source Packet source address
Source-wildcard Source address wildcard
Destination Packet destination address
Destination-wildcard Destination address wildcard
Precedence Priority
TOS Type of service
Log Record permit or deny packets in the logging at
several minutes interval
ICMP-type Message type of ICMP
IGMP-type Message type of IGMP
Operator Port Comparison
Port Port
Port Number Port number
Ack / fin / established / psh / rst / syn / urg TCP flag bit
You can define an extended access list based on a name or a number according to the following steps. (You can delete the
whole list with the no command in global configuration mode.)
ip access-list extended {access-list-number/name}
Syntax Description
access-list-number An access list number, always a decimal number
between 1001 to 2000
[no] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
Syntax Description
Deny Denies access.
Protocol The protocol’s name or number. It may be one
of the following keys: ICMP, IGMP, IP, TCP or
UDP. Or it is expressed with a decimal number
between 0 and 255. The IP keyword can match
any protocol.
Source The host or network that the packet is coming
from, namely the source address of the packet.
It can be expressed three ways: the first is through
dotted decimal notation. The second is through
the any keyword, which is the short form of the
source address 0.0.0.0 and the source address
wildcard 255.255.255. Thirdly, this can be
expressed as the host source, or the source address
with the 0.0.0.0 wildcard.
Source-wildcard The wildcard applied to the source address. It
can be expressed three ways. The first is
through dotted decimal notation, or the network
mask rebel code. (The bit marked 1 means that
that bit is indifferent.) The second way this can be
expressed is through the any command, which is
the short form of noting the source address 0.0.0.0
and source address wildcard 255.255.255.255.
Thirdly, this can also refer to the host source,
which stands for the source address and the
source address with the 0.0.0.0 wildcard.
Destination The destination network or a host, namely the
destination’s address. It can be expressed three
different ways, like the source address above.
Please refer that definition.
Destination-wildcard The wildcard applied to the destination address. It
can be expressed three different ways, like the
source address wildcard above. Please refer to
that definition.
Precedence The packet priority. It can be ranked by in
number from 1 to 7, or the name of a priority.
(The titles within can include: critical, flash,
flash-override, immediate, internet, network,
priority and routine.). Optional function.
TOS The packet service type. It can contain a number
from 0 to 15 or the name of a service type (The
titles within it can include: max-reliability, max-
throughput, min-delay, min-monetary-cost and
normal). Optional function.
LCMP-type The message type of an ICMP packet. It can be
expressed through a number from 0 and 255 or
the name of a message type. Optional function.
LCMP-code The code type of an ICMP packet message type,
which can be expressed with a number from 0 and
255. Optional function.
IGMP-type An IGMP packet message type that can be
expressed with a number from 0 and 255.
Optional function.
Operator Used to compare a source port and a destination
port. There are five kinds of values that can be
compared between the two ports: less than, more
than, equal to, unequal to, and range. If the
operational character comes after the source
address and the source address wildcard, it is
applied to the source port. If the operational
character comes after the destination address and
the destination address wildcard, it is applied to
the destination port. Optional function.
Range Used to define when the operator demands two
port-numbers, and other operators demand one
port number.
ack, fin, psh, rst, syn, ur Used to match the TCP flag bit, including:
Acknowledgement flag, finishing flag, promptly
sending flag, restoration flag, synchronization
flag, and urgency flag. Optional function.
Established Indicates successful connection. If the TCP packet
contains ACK or RST, the packet will be
matched. Only the packet for initial connection
isn’t matched. Optional function.
Name Refers to the name of an access list. The name is
used to distinguish it from other lists. It can’t
include any blank characters and the first
character must be a letter.
11.1.2 Correlative Firewall Configuration

To display the access list log:
Command Description
router# debug ip packet access-list Permits access list display.
In the privileged used mode, the default permits
display.
router# undebug ip packet access-list Doesn’t permit list display.
When the access list log switch is open, the number of items displayed by each rule in the global configuration mode by
default is, at best, 0. This means the number of displayed items isn’t limited.
Command Description
router(config)# firewall verbose-limit number A number from 0 to 4,294,967,295.
Firewall Default Rules

To filter all record routing packets:
Command Description
router(config)# firewall default-deny Denies all packets. In the global configuration mode,
the default setting will automatically be set to deny
all packets.
router(config)# no firewall default-deny Permits all packets.
Command Description
router(config)# ip record-route Permits packets with a route recording option.
In the global configuration mode, the default
will permit the packet with an IP recording
route option (ie. recording routing or time
label).
router(config)# no ip record-route Denies all packets with a recording route
option.
To filter all source routing packets:
Command Description
router(config)# ip source-route Permits all packets with source routing.
In the global configuration mode, the default setting
will permit a packet that has an IP source route
option (ie. lose source routing or strict source
routing).
router(config)# no ip source-route Denies packets with a source route option.
To filter a directional broadcast packet:
Command Description
router(config-if-xxx)# ip directed-broadcast Permits the interface to send a directional
broadcasting packet.
router(config-if-xxx)# no ip directed-broadcast Denies the sending of a directional
broadcasting packet. In the interface
configuration mode, the default setting will
deny a directional broadcasting packet.
To permit an interface or a sub-interface to send a mask-reply ICMP packet:
Command Description
Router(config-if-xxx)# ip mask-reply Permits an interface to send an ICMP mask-
reply packet.
Router(config-if-xxx)# no ip mask-reply Denies the sending of an ICMP mask-reply
packet.
In the interface or sub-interface
configuration mode, the default setting will
refuse to send an ICMP mask-reply packet.
To permit an interface or a sub-interface to send an ICMP redirecting packet:
Command Description
router(config-if-xxx)# ip redirects Permits the interface to send an ICMP
redirecting packet.
In the interface or sub-interface configuration
mode, the default setting permits the
interface to send an ICMP redirecting packet.
router(config-if-xxx)# no ip redirects Doesn’t allow the interface to send an ICMP
redirecting packet.
To permit an interface to send an ICMP unreachable packet:
Command Description
router(config-if-xxx)# ip unreachables Permits the interface to send an ICMP
unreachable-packet. In the interface or sub-
interface configuration mode, the default
setting will permit the interface to send an
ICMP unreachable-packet.
router(config-if-xxx)# no ip unreachables Doesn’t allow the interface to send an ICMP
unreachable-packet.
11.1.3 Applying Access Lists To An Interface

After you construct an access list, it can be applied to a number of interfaces. The access list can be applied inward or
outward. In the interface configuration mode, use the command IP access-group to control the interface access. Use the
no command to remove the access list from the interface.
router(config-if-xxx)#[no] ip access-group {access-list-number | name} {in | out}

Syntax Description
Access-list-number A number from 1 to 2,000.
Name The access list name.
In Filters the inward packet.
Out Filters the outward packet.
After a packet is received to the inward standard access list, the packet source address will be checked against the access list.
On an extended access list, the firewall will check fields such as the destination address and protocol other than the source
address. If the packet is permitted by the access list, the routing software will process it successively. If the packet isn’t
permitted, the software will lose the packet and will send an ICMP unreachable-packet to the source address.
After the packet is received and routed to an interface, to the outward standard access list, the firewall software checks the
packet source address against the access list. To an extended access list, the firewall checks fields like destination address
and protocol (and so on) along with the source address. If the packet is permitted by the access list, the routing software
will transmit it. Otherwise, the software will discard the packet and will send an ICMP unreachable-packet to the source
address. Note: If you haven’t built an access list, all packets coming through the interface will be permitted.
For example, you can apply the extended access list 1,001 to the inward Ethernet interface 0 and the standard access list to
the Ethernet outward interface 0. Then exit the interface configuration mode.
Command Task
router(config-if-ethernet0)# ip access-group 1001 in Applies the extended access list 1,001 to the
inward Ethernet interface 0.
router(config-if-ethernet0)# ip access-group 10 out Applies the standard access list to the outward
Ethernet interface 0.
router(config-if-ethernet0)# exit
11.1.4 Monitoring And Maintaining Your Firewall
To display the contents of an access list in the privileged user mode:
router# show access-lists [access-list-number / name]
Syntax Description
access-list-number / name The access list number or name.
If you don’t input a name or number, all of your access lists will be displayed.
To show certain access lists, input:
router# show access-lists
Output result:
Extended ip access list: 1001
permit ICMP any any 8 0 log 4 matches
permit tcp any any syn log 1 matches
permit ICMP any any echo-reply log 4 matches
permit tcp any any established log 4 matches
Here, the matching times correspond to the filtered packet-matching rule.
To display the an access list application to the interfaces:
router#sh ip int list
Output result:
Interface fastethernet 0
Outgoing access list is 2
Inbound access list is 1
Interface serial 2
Outgoing access list is not set
Inbound access list is 1001
To clear the access list counter in the privileged user mode
router# clear access-list counters [access-list-number | name]
Without a name or number, all access list counters will be cleared. You can use the following command to clear access-list
counters:
router# clear access-list counters
To show access lists, input:
router# show access-lists
Output result:
permit ICMP any any 8 0 log 0 matches
permit tcp any any syn log 0 matches
permit ICMP any any echo-reply log 0 matches
permit tcp any any established log 0 matches
Note: Because the counter was set with a value of 0, the matching time is 0.
You can also monitor and maintain the firewall by examining an access list log. Log records include information such as
the source address, the destination address, the protocol type, the port number, and the sending and receiving interfaces, et
cetera. To access this function, input:
router#debug ip packet access-list
11.1.5 Configuring An Access Channel

Notes:
1) Many interface channel rules should be configured in a certain order based on priority.
2) Try to avoid simultaneously configuring a series of interfaces with channel rules. If a data packet passes through
two interfaces with channel rule configurations, the data won’t be permitted through the system until it passes
examination by both sets of rules.
3) Please do not configure a firewall and an access channel on the router at the same time. This will cause a major
malfunction.
4) An access channel can only adapt to a simple set of conditions. For more complex rules, please configure a
firewall based on an access list. (Please refer to Section 1.1).
To add an interface configuration mode rule:

router(config-if)#[no] access-tunnel destination dest-mask [directly]
Syntax Description
Destination Destination address
Dest-mask Mask
Directly Used to mark the address’s direction. If it is set, the
direct connection will be located between the
destination address and the interface (ie. the host IP
address will be coming from the subnet connected
to the interface), or else the indirect connection
between them – ie. a router is between them.
Optional function.
No Deletes a rule.
Example of an access channel configuration (Figure 2):
router
f0 s0
Outer network A network
Subnet1
e0
123.56.7.0/24
Subnet2
Host 1 Host 2
123.45.6.7 123.45.8.9
Example 1:
Please examine Figure 2. If you want all the machines in the interior subnet1 and subnet2 to have permission to access the
exterior host1 and host2, you would input the following configuration code:
Command Task
router# config terminal
router(config)# interface serial 0 Configures the interface s0.
router(config-if-serial0)# access-tunnel 123.45.6.7 Accesses host1’s access channel.
255.255.255.255 directly
router(config-if-serial0)# access-tunnel 123.45.8.9 Accesses host2’s access channel.
255.255.255.255 directly
router(config-if-serial0)# exit
router(config)# exit
Because the direct orientation access channel is configured on the interface s0, that interface will check whether or not the
source address matches the channel address when s0 receives a data packet. When such a message is sent to the system, the
destination address will be checked and the unmatched address packet will be denied.
Example 2:
Please examine the following Figure 2. If you want subnet1 to access host 1, host 2 and the exterior network subnet
123.56.7.0/24 without restricting subnet 2’s access, you would input the commands below. Note: In this example, the
access channel can’t be set on the exterior interface s0 – it should be set on the interface f0, which is connected to the subnet1.
Command Task
router(config)# interface f0 Configures the interface f0.
router(config-if-fastethernet0)# acce 123.45.6.7 Accesses host1’s access channel.
255.255.255.255
router(config-if-fastethernet0)# acce 123.45.8.9 Accesses host2’s access channel.
255.255.255.255
router(config-if-fastethernet0)# acce 123.56.7.0 Accesses network 123.56.7.0’s access code.
255.255.255.0
router(config-if-fastethernet0)# exit
11.1.6 Time Limit Packet Filtering

You might want to set your networks up so that all of the machines within a network fragment can access a server at a certain
time, say the regular weekday business hours of your business. But, at the same time, you might want to permit exceptions
to that rule, by allowing users to access your system on a Saturday afternoon, for example.
All the time-based demands you might have can be met through defining a time range in the router and activating security
mechanisms to bind that time range to the packet filtering process.
Time Range
A time range is, simply, a set of time segments of your choosing that allows users to access the network. There are
two kinds of time segments: a relative time segment and an absolute time segment. The former refers to a weekly
segment. The latter refers to a segment covering a certain date (ie. x month, x day, x year).
To define a time range in the configuration or interface mode:

Command Task
Maipu26(config)# time-range time_range_name This command will allow you to enter a

time range configuration mode. If a time
range doesn’t already exist, a new one will
be created.
Deletes a time range through the command
Maipu26(config)# no time-range time_range_name “no”.
To define a relative time segment in the time segment configuration mode:

Command Description
periodic [days-of-the-week] [hh:mm] to [days- This checks whether an equivalent structure has
of-the-week] [hh:mm] existed before you add a new time segment. If the
time segment doesn’t exist, a new one will be
created.
Note: You can delete a segment by imputing the

no command.
The date default is set daily. The time default is

0:00 and 24:00, respectively.
To define [days-of-the-week] [hh:mm], you can input, for example:

Command Task
periodic 8:00 to 17:30 Sets the relative time segment from 8:00 to 17:30
periodic weekday Saturday 8:00 to 17:00 Sets the relative time segment on weekdays
(Monday to Friday) and Saturday from 8:00 to
17:00.
periodic Friday 17:30 to Monday 8:00 Sets the relative time segment from 17:30 on a
Friday to 8:00 the following Monday.
To define an absolute time segment:

Command Description
absolute [start time date] [end time date] Note: You can omit the start and end clauses by
using the no command, which tells the system when
it can start or stop allowing access.
To define [start time date] [end time date]:

Command Task
absolute start 8:00 31 January 2004 end 8:00 Sets the absolute time segment to 8:00 on January
15 February 2005 31, 2004, to 8:00 on February 15, 2005.
Time Range Applications
Displaying a time range’s status: Whether the time range works or not depends on its current status (ON or OFF),
regardless of the filtering rule or access list the time range might be bound to. That current status will also
correspond to its respective time segment status
Clearing or changing a time range status: A time range will be cleared within a minute in default mode. You may
have to wait up to 60 seconds before any of your changes are applied to the system.
Cisco Configuration Comparisons
A Cisco router permits an absolute time segment rule within a time range, while a Maipu router can allow many
absolute time segment rules within the system. The absolute time in Cisco systems is a genuine form of absolute time
and the date must be set according to a rigorous format: day, month and year. But Maipu router products tells time
in a kind of relative way, so the month and year in a date can be omitted.
Dealing With Time Judgment Issues
Binding Time Ranges To Packet Filtering
Packet filtering will work only when the time range status is ON. The command format is consistent with Cisco’s
setup. For example:
Command Task
Permit any log time-range t_r_name1
Access-list 1001 deny TCP any any time-range
t_r_name2
Add the time range name at the bottom of your filtering rules. Its position comes after the log file, just like in Cisco’s
router systems. Note: There isn’t a special command that you can use to cancel the binding relationship. If you
want to cancel the command, you first have to delete the filtering rule and then resubmit the same rule without
imputing a time limit.
When the router compares a data packet against the filtering rules, the trange term will not participate in this
matching process. In fact, when a time range is bound to two filtering rules, the rules are considered to be the same
by the router. If there were two different filtering rules for the same task in an access list, then the time limit rule
would not work at all.
Filtering:
Whether a filtering rule that’s bound to a time range will work or not is dependant on the time range’s current status.
When a data packet is filtered, each filtering rule in the access list you’ve applied will be matched against it one by
one. If a filtering rule is bound to the time range, and the time range status is OFF, then the rule will be skipped in
the system and the next filtering rule will be matched against it.
Note: If the current time-range status is set to OFF, all of the bound time ranges will not work. (Please refer to
Chapter 5, Environment Parameters.) All of the filtering rules, no matter whether they are bound to time ranges or
not, will participate in the filtering procedure.
Binding a time range to an access list

Binding a time range to an access list is considered the equivalent of binding a time range to each filtering rule within
the access list.
This operation’s command is:

ip time-range time-range-name access-list a-l-name| a-l-number
Your can remove the binding by using the command no. Note: When this type of access list filters a packet, the status of
the time range should be the first thing to be examined by the system. If the status of the bound time range is set to OFF, all
of the filtering rules will be ignored and this access list will be considered the equivalent of an empty list by the system.
1. Configuring time range environment parameters
The timelive time inverse accumulated counter default frequency is set at one minute.
The configuring command is as follows:

Command Description
Set time-range frequency number Number refers to the time difference between
the two times being cleared by the system.
The time difference unit is 60 seconds, and is
stored at the “range-frequency” global
variable.
The counter and system time difference is, by default, 100 seconds.
The configuring command is as follows:

Command Description
Set time-range max-offset number Once the time difference is overstepped, the
status of every time range will be judged
again. Timelive will be computed and the
accumulated time of the counter will be
updated. The max difference time is stored at
the global variable: time_max_offset.
2. Time range enabling switch
When the default switch value is ON, every bound entity will have a time limit. If the status of the switch is set to
OFF, every bound time range will not work, and all clauses with the name “time-range” to will be ignored by the filter.
(To the access list, the binding relationship won’t even exist.) The switch’s status value is stored at the global
variable named trange_enable.
Command:
Command Description
Set time-range disable [OFF]: Once the switch is set to OFF, the time
range refreshing process that’s running in the
background will be aborted.
Set time-range enable [ON]
11.1.7 Media Access Control (MAC) Address Packet Filtering
The MAC address can filter the source address of a data packet at the interface level.
The main contents of this section are:
Setting An Access List
Adding Filter Rules
Binding An Interface.
A. Setting An Access List

An access list can be added in the configuring mode. There are two kinds of adding modes:
Command Description
Mac access-list standard 2001-3000 | name This mode can locate the special access list and
enter the configuration mode of the access list.
If the access list does not exist, a new access list
will be created. In the access list configuration
mode, you can configure an access list’s filtering
rule.
Access-list number permit deny This mode can add a filtering rule to a specified
access list directly in configuration mode. If the
access list doesn’t exist, a new one will be created
and the mode won’t change.
No mac access-list standard number|name Deletes the access list.
No access-list number Deletes the access list.
Adding Filter Rules:
Command Description
permit|deny any | host macaddress | macaddress This command can be executed in the access
macmask list configuration mode. You can delete a
rule with the using the no command.
Note: The second mode listed in the preceeding table [Access-list number permit deny] can also be used to add a filtering
rule. (When using this command with a Cisco system, you can add an access list and a filtering rule. However, Cisco
only provides a command to delete an access list. It doesn’t provide a corresponding command to delete a filtering rule.)
Command Task
router(config)#mac access-list standard 2002
router(config-std-mac-nacl)#permit host 1.1.1
router(config-std-mac-nacl)#permit 2.2.2 0.0.ffff
router(config-std-mac-nacl)#deny any
C. Binding An Interface:
A binding can be configured in the interface mode. You can use the no command to remove it.
Command Description
mac access-group number|name in|out
11.1.8 Reflect Access List

A reflect access list can be used to realize that: 1) the connection between network A and network B can be established
through a router; 2) Network A can forwardly access network B, however network B can not forwardly access network A.
The configuration commands of reflect access list are listed as follows:
Syntax Descriptions
ip access-list extended 1001 Add a keyword reflect behinds the extended access
permit ip 129.255.0.0 0.0.255.255 128.255.0.0 list, and name the reflect access list after AtoB.
0.0.255.255 reflect AtoB
exit
ip access-list extended 1002 Create an additional access list, and configure an item
evaluate AtoB to refer to the reflect access list AtoB that has been
exit defined above.
The following case of simple configuration is used to describe the configuration and usage of the reflect access list.
)

)
3&B$ 3&B%
To realize that PC_A can access PC_B and PC_B has no way to access PC_A, MP router should be configured as follows:
Syntax Descriptions
router(config)# ip access-list extended 1001 Define the extended
access list 1001.
router(config-ext-nacl)# permit host 129.255.43.2 host 128.255.43.2 reflect Define the reflect access
AtoB list AtoB.
router(config-ext-nacl)# exit
router(config)# ip access-list extended 1002
router(config-ext-nacl)# evaluate AtoB
router(config)# interface fastethernet1
router(config-if- fastethernet1)# ip access-group 1001 in
router(config-if-ethernet)# exit
router(config)# interface fastethernet0
router(config-if- fastethernet0)# ip access-group 1002 in
router(config-if- fastethernet0)# exit
11.1.9 The Configuration and Usage of “Security Accounting”

“Security Accounting” is a special function of MP router cooperating with MP “security accounting server”, mainly applied
to user charge, user bandwidth control and user authentication control etc.
Generally, the topological structure is : the user of the network connecting with some interface of the router can not access
Ethernet until he passes the user authentication successfully. Generally, the interface can not support direct-connection users
except the direct-connection servers.
Related configuration:
1) Configure a direct-connection server:
If the user can not pass the user authentication successfully, all packets of the user are denied. But some connection
with some servers, such as DHCP server, DNS server and authentication server must be permitted. A system manager
can, through the router, perform the direct-connection configuration of those servers and packets communicating with the
servers are permitted to pass:
Use the following command to configure a server.
flux-control server [addr1 addr2…….]
Use the following command to delete some direct-connection server:
no flux-control server [addr1 addr2….]
3) Configuring an internal interface:

An internal interface is a restricted interface, through the interface the internal user can connect to the router. And
“Security and Accounting” can take effect on nothing but the packets entering the internal interface.
fluc-control interface [interface1 interface2….]
Use the following command to cancel an internal interface.
no fluc-control interface [interface1 interface2….]
1) Configure the Web authentication server (Authentication interception):

To configure the transparent authentication, that is to say that the system can automatically send the authentication
page to the user when the user tries to connect to Ethernet, please use the following command to configure the Web
authentication server on the router.
flux-control web-server addr [port server-port ] [interface interface-name]
When the server is configured as the Web authentication server, the server can also serve as the direct-connection
server simultaneously.
Recommend: the interface parameter, which is used to connect the server and the router, had better follow the
command; otherwise, the system will, according to the route, automatically judge the network segment, at which the
router is located, and determine the connection interface. And if firewall configuration precedes route configuration,
some unexpected errors may happen and “authentication interception” will be unsuccessful.
Use the following command to delete the configuration:
no flux-control webserver
“Authentication interception” will be closed automatically and the direct-connection server with the same address
will be deleted.
1) Open “Security accounting”æ

flux-control on
Close “Security accounting”æ
flux-control off
if “Security accounting” is opened again after closed, the configuration will not be lost.
2) Display the related information:

Display the simple information:
show flux-control
The command above is used to display current basic configuration, status and user IP addresses of authenticated
users.
For example:
router#show flux-control
flux-control server 128.255.253.80 128.255.250.170
flux interface ethernet0
Web_server: 128.255.250.170:8000 connet interface: ethernet0 redirect flag :1
current flux-control state: ON
current login user IP:

128.255.251.89
128.255.252.61
Display the detailed information:æ

show flux-control detail
If the detailed information is displayed, the packet filtering rules of the user passing user authentication will also be
displayed.
For example:
router#show flux-control detail
flux-control server 128.255.253.80 128.255.250.170
flux interface ethernet0
Web_server: 128.255.250.170:8000 connet interface: ethernet0 redirect flag :1
current flux-control state: ON
current login user IP:

128.255.251.89
rule no:0 PERMIT dst range:0.0.0.0 - 255.255.255.255
Send: 417 / 417 bytes; Receive: 1389 / 1389 bytes.
128.255.252.61
rule no:0 PERMIT dst range:0.0.0.0 - 255.255.255.255
Send: 782 / 782 bytes; Receive: 5628 / 5628 bytes.
3) Display the record of Web authentication address translationæ

show flux-control redirect
The system will display a record of address translation, of which, scr-ip and src-port are user source address and
user source port, dst-ip and dst-port are user destination address and user destination port, state represents the record
state (0 means that only one syn message of the user is received and 1 means that multiple messages have been received
or a connection has been established), age represents the aging time (by second) in which the connection is live.
If the user and server follow the same interface, termp-in and termp-port, which serve as frame-relay address and
port temporarily, will be displayed.
For example:
router#show flux-control redirect
src-ip src-port dst-ip dst-port temp-ip temp-port state age

128.255.251.89 1035 192.168.1.200 80 128.255.251.88 54345 1 24
128.255.251.89 1034 192.168.1.200 80 128.255.251.88 54089 1 24
7) About bandwidth limit:
When the authentication server performs bandwidth limit for some user, the bandwidth limit is realized factually on
the router.
Its mechanism is that the flow limit is performed in unit time. When there exists the limit, the bi-directional flow in
the unit time can not exceed the bandwidth limit.
Notice: by default, the flow limit of a message is performed only for egress messages. This is because that: when
performing the flow limit, ISP mainly allows for the bandwidth of the egress line connecting with a router; since there
exist ingress user messages, which have consumed the bandwidth of the egress line in fact; it is unreasonable to deny the
ingress messages after the comprehensive consideration. So, when there exist some user ingress messages, whether the
used bandwidth has exceeded the bandwidth limit or not, these messages will be permitted
When the system adopts the default configuration, the factual flow permitted will be more than the bandwidth
control in a small degree if the quantity of user messages is by far more than its bandwidth limit. The deviation between
the factual flow and the bandwidth limit depends on network delay and the configured unit time.
To perform the bandwidth limit for ingress messages, use the following command.
flux-control band-in
use the following command to cancel the configuration.
no flux-control band-in
The unit time of bandwidth sampling is 3 seconds by default.
Use the following command to change the unit time:
flux-control cell-time number
11.1.10 A Few Points About Firewall Configuration

A. Preventing Messages From Dummy Addresses.
B. Applying An Access List.
C. Locating A Packet Filter.
A. Preventing Messages From Dummy Addresses
The packet filter sifts through data in the packet coming in, coming out or coming through the network in both directions.
For reasons of efficiency, many packet filters only examine a data packet traveling in one direction.
6XEQHW PDVN 5RXW HU
, QW HU L RU ([W HU L RU
1HW ZRU N L QW HU I DFH L QW HU I DFH
, QW HU QHW
, QW HU L RU
L QW HU I DFH Dummy packet coming from
source address
6XEQHW PDVN

1HW ZRU N
6RXU FH DGGU HVV
An exam ple ofdum m y address cheat
If the packet was filtered when it was sent out through a router, some information will be lost. This means that the interior
network can easily be attacked by a user with a fake (or dummy) address, as shown in the preceding figure.
In that figure, the network 135.12.0.0 is connected to the Internet through a router. That interior network has two subnets.
The network subnet masks to both subnet 10 and 11 have the following address: 255.255.255.0. A packet from the fake IP
address 135.12.10.201 is shown coming from an exterior TCP/IP host. It is then received by the router’s exterior interface.
If the router is set to filter incoming data packets, the dummy packet will be quickly noticed and it will be prevented from
entering the network. Since the router knows that the network 135.12.10.0 is connected to a different (ie. interior) interface,
it knows the packet can’t be coming from an exterior interface. But if the packet filter is only set to examine the outgoing
data packets, the router won’t be able to check the exterior interface and the message from the dummy address will enter the
network.
In order to add more security to your network, you can add some ‘anti-cheat’ rules to your incoming access list to bind the
filter to an exterior interface. The aim of this is to tell the router to refuse both interior network source addresses and invalid
source addresses. Invalid source addresses can include a non-registered address, a loop-back address and a broadcasting
address. Hackers often use these types of source addresses to prevent them from being tracked and discovered by a network
manager.
The following commands can be added to the inward access list that is applied to your exterior interfaces. They will prevent
some dummy IP addresses.
access-list 1001 deny ip 135.12.10.0 0.255.255.255 any (an interior network)
access-list 1001 deny ip 135.12.11.0 0.255.255.255 any (an interior network)
access-list 1001 deny ip 10.0.0.0 0.255.255.255 any (a reserved IP address)
These anti-cheat rules should be stored in your system before any other rules on the inward access list. This will ensure that
only packets containing a valid IP address will be checked against the remaining rules.
B. Applying An Access List

The task of applying an access list should immediately follow its construction. If the access list doesn’t have any rules
applied to an interface, any data – valid or invalid – can be permitted into your network.
Hint: You should not apply an access list without any interface definitions. You should remove an access list from the
interface before any changes are made to the system.
Each interface can have an inward access list and an outward access list, but you can’t have two or more kinds of the same
list – inward and outward rules must be on the same list. When more than one access list is applied to the router, only the
last access list you’ve added will work.
C. Locating A Packet Filter
The security filter can often sift through data in an inward direction and drop distrustful-looking packets. This will prevent
dummy addresses from cheating the system before all of the packets are routed. But a packet filter works in the opposite
manner of a traffic filer, which examines information traveling out of the network and prevents needless packets from
occupying a special data link.
You should consider your CPU resources for processing an access list and routing activity. If most of your packets are
filtered out after they’ve been routed through the system – which is, of course, referred to as inward filtering – you will
probably save some CPU space.
The standard access list should be placed as close to the source address as possible in order for your network to communicate
quickly with another host or network. That way, when a packet is denied, bandwidth and CPU space that’s being occupied by
the packet won’t be wasted.
Because an extended access list has the function of precisely identifying a packet, it should be used as close to a source address
as possible in order to prevent the denied packet from occupying the bandwidth and CPU. On the other hand, because of the
complexity of the extended list, you will be adding processing burdens to your bandwidth and CPU.
11.1.11 Examples
Example 1:
, QW HU L RU Router
H V , QW HU QH
QHW ZRU N
([W HU L RU W
131.44.0.0 131.44.1.1
QHW ZRU N
Note: The above example shows a network with the following security policies in place:
All interior network hosts (131.44.0.0) can access any TCP Internet service.
Exterior hosts can access the SMTP service in the mail gateway 131.44.1.1, but can’t access the interior network
itself.
All ICMP messages will be blocked.
These policies can be configured on the router by imputing the following series of commands:
Command Task
router(config)# ip access-list extended 1001 Defines an extended access list as 1,001.
router(config-ext-nacl)# permit TCP 131.44.0.0
0.0.255.255 any
router(config-ext-nacl)# permit ICMP any
131.44.0.0 0.0.255.255
router(config)# access-list 1002 permit TCP any
131.44.0.0 0.0.255.255 established
router(config)# access-list 1002 permit TCP any
host 131.44.1.1 eq 25
router(config-if-ethernet0)# ip access-group 1001 in
router(config)# interface serial 0
router(config-if-serial0)# ip access-group 1002 in
router(config)#
Example 2

U RXW HU
H V
, QW HU L RU ([W HU L RU , QW HU QHW
QHW ZRU N QHW ZRU N

The above example shows a network with the following security policies:
The outer email and news servers can be permitted to access Interior Host 144.19.74.200 and Host 144.19.74.201.
DNS access in the gateway server 144.19.74.202 is permitted.
The interior hosts are permitted to access all TCP services in the exterior network, except Gopher and Web servers.
All above policies can be configured on the router as follows:
Command Task
router(config)# ip access-list extended ether-in
router(config-ext-nacl)# deny TCP 144.19.0.0
0.0.255.255 any eq 70
router(config-ext-nacl)# deny TCP 144.19.0.0
0.0.255.255 any eq 80
router(config-ext-nacl)# permit TCP any
router(config)# ip access-list extended serial-in
router(config-ext-nacl)# permit TCP any 144.19.0.0
0.0.255.255 established
router(config-ext-nacl)# permit TCP any host
144.19.74.200 eq 25
router(config-ext-nacl)# permit UDP any host
144.19.74.200 eq 119
router(config-ext-nacl)# permit TCP any host
144.19.74.201 eq 25
144.19.74.201 eq 119
144.19.74.202 eq 53
router(config-if)# ip access-group ether-in in
router(config-if)# exit
router(config)# interface serial 0
router(config-if-serial0)# ip access-group serial-in in
router(config)#
11.2 Network Address Translation (NAT) Configuration
The following topics are dealt with in this section:

1. NAT Configuration Points To Keep In Mind
2. NAT Configuration Commands
3. Interior Source Address Translation
4. Interior Destination Address Translation
5. Timeout Alteration
6. NAT Mointoring And Maintenance
11.2.1 NAT Confirgation Points To Keep In Mind
1. You can’t overlap a global IP address with a local one, and only three kinds of local addresses are recommended:
Kind Task
A class10.0.0.0 / 8 1 A class IP address

B class 172.16.0.0 / 12 16 B class IP addresses
C class 192.168.0.0 / 16 256 C class IP addresses
2. You can’t overlap a static address with the dynamic address pool.
3. As a solution for connectivity problems, NAT can be practically used when a number of internal IP hosts are trying
to communicate with the exterior network at the same time. In this case, you would have to translate only a few of
your address scope subsets to an exclusive external address. You can recycle these addresses later for another type
of use.
4. When an IP address or a port is embedded in an application program, NAT won’t be transparent to users at the
opposite end. You wouldn’t be able to use NAT in this case.
5. The router using NAT won’t support IPsec because point-to-point security can’t be guaranteed.
6. The router only broadcasts incoming data, never outgoing.
7. The static routing configuration between the NAT and your ISP router needs to be set.
8. The IP OPTION won’t be supported normally.
9. You should use the same NAT list when many interfaces exist.
11.2.2 NAT Configuration Commands

router (config)#ip nat ?
Command Description
Frequency NAT Overtime Translation
inside Interior Address Translation
pool Defines An IP Address Pool
redirect-enable Opens The NAT Redirection Function.
translation Alters NAT Overtime Translation
To define an IP address pool, use the global configuring command ip nat pool.
To delete this pool, use the command format: no ip nat pool.
router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
[type rotary]
Syntax Description
Name The Address Pool Name
start-ip The Start Address
End-ip The End Address
Netmask Network Mask
prefix-length The network mask digits signify which mask all
addresses in the pool belong to.
type rotary Indicates that the address pool scope has true
hosts addresses. A TCP load will be assigned
based to these hosts. (Optional function.) This
pool type is only applied to incoming address
NAT configuration.
Command Description
router(config)#no ip nat pool name Deletes the address pool.
Note: The same address pool can’t be referred to by two different NAT configurations. If two NAT definitions must be
incorporated together, make sure you alter the corresponding access list rules. Also, the same IP address cannot be defined
in two different pools. You may cause the system to malfunction if you do.
To build an interior source address NAT, use the global configuring command ip nat inside source.
To delete a static or dynamic translation, use the command format no ip nat inside source.
Construct a basic static translation with the static key.
router(config)#ip nat inside source list {access-list-number | name} pool name [overload]
Syntax Description
access-list-number The access list name or number
Name The address pool name
Overload Enables the router to use a global address in the
place of many local addresses. When the
overload parameter is configured, the TCP or
UDP port number of each interior host is used to
distinguish different sessions where the same
local IP address was used. (Optional function).
router(config)#ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port
Syntax Description
local-ip Interior local address
global-ip Interior global address
tcp | udp Protocol
local-port Interior local port number
global-port Interior global port number
To start using the incoming NAT, type in the global configuring command ip nat inside destination.
To delete a dynamic translation, input no ip nat inside destination.
When the incoming NAT is used to share the TCP load use:
router(config)#ip nat inside destination list {access-list-number | name} pool name
Syntax Description
Pool name The pool name. The pool contains a local address
assigned in dynamic translation. The pool type is
ROTARY, and the pool address is a true interior
local host address.
To designate an interior or exterior NAT interface, use the interface configuring command ip nat.
To remove this function, enter no ip nat.
Note: You can’t use an interior and exterior interface at the same time.
router(config-if)#[no] ip nat {inside | outside}
Syntax Description
Inside Designates the interface to connect with the
interior network.
Outside Designates the interface to connect with the

exterior network.
11.2.3 Interior Source Address Translation
When communicating with the router, you can use this feature to change your IP address into an exclusive global IP address
through static or dynamic translation. Static translation builds a one-to-one map between an interior local address and an
interior global address, which is helpful when a fixed address wants to access an interior host from the outer network.
Dynamic translation, on the other hand, maps an interior local address with a global address pool.
1) Static Translation Configuration

The following example shows the steps you should take to configure a static translation. Note: You can configure many
interior and exterior interfaces through this method.
First, construct a static translation from 192.168.8.1 to 203.25.25.1. Configure the Ethernet interface 0 to an interior
interface. Configure the serial 0 to an exterior interface.
Command Task
router(config)#ip nat inside source static Constructs a static translation from 192.168.8.1 to
192.168.8.1 203.25.25.1 203.25.25.1.
router(config)#interface e0 Designates the interface e0.
router(config-if-ethernet0)#ip nat inside Connects the marked interface to an interior
network
router(config)#exit
router(config)#interface s0 Designates the interface s0
router(config-if-serial0)#ip nat outside Connects the marked interface to an exterior
network
2) Configuring Dynamic Translation
NAT configuration:
, QW HU L RU ([W HU L RU
6$
6$
'$

H V

, QW HU QHW
'$
+RVW %

je e
k 1$7 7DEO H
, QW HU L RU O RFDO , QW HU L RU JO REDO
, 3 DGGU HVV , 3 DGGU HVV

1$7 , QW HU L RU VRXU FH DGGU HVV W U DQVO DW L RQ

In order to translate the interior source address on the router in the preceding example, it must be configured as follows:
Command Task
router(config)#ip nat pool pl-1 203.25.25.1 203.25.25.20 Constructs a global address pool with the name
netmask 255.255.255.0 pl-l. The pool includes 20 global addresses from
203.25.25.1 to 203.25.25.20.
router(config)#access-list 1 permit 192.168.8.0 Constructs an access list 1 and allows the
0.0.0.255 network segment addresses 192.168.8.0 and
0.0.0.255 to be translated.
router(config)#ip nat inside source list 1 pool pl-1 Performs the address translation between list 1
and pool –1.
router(config)#interface e0 Designates the interface e0.
router(config-if-ethernet0)#ip nat inside Connects the marked interface with the interior
network
router(config-if-ethernet0)#exit
router(config)#interface s0 Designates the interface s0.
router(config-if-serial0)#ip nat outside Connects the marked interface with the exterior
network
router(config)#
In the preceding case, a global address pool pi-1 is first constructed. The pool includes 20 global addresses between
203.25.25.1 to 203.25.25.20. The access list 1 permits all hosts in the interior network to perform address translation. The
Ethernet port 0 is configured as an interior interface and the serial is configured as an exterior interface.
Note: The access list must permit these addresses to be translated. An access list that permits too many addresses
translations could allow a security breach or other type of malfunction.
3) Interior Global Address Overload

The router will be allowed to map many local addresses to a global address in order to save addresses in your interior global
address pool. When an overload has been configured, the router will maintain original data from higher layers – for
example: the TCP or UDP port numbers – to ensure that the global address will be translated into the right local addresses.
When many local addresses are mapped into a global address, the TCP/UDP port numbers of each interior host will be used
to differentiate between all of these different local addresses.
, QW HU L RU '$
([W HU L RU
6$
6$
+RVW %

H V
'$
, QW HU QHW

j e
e k 1$7 7DEO H
3U RW , QW HU L RU O RFDO , QW HU L RU JO REDO ([W HU L RU JO REDO +RVW &
RFRO , 3 DGGU HVV 3RU W , 3 DGGU HVV 3RU W , 3 $GGU HVV 3RU W
7&3
7&3
NAT over loading interior globaladdresses
In order to overload global addresses on the router, as shown in the preceding figure, the router must be configured as
follows:
Command Task
router(config)# ip nat pool pl-2 203.25.25.1 203.25.25.5 Builds a global address pool called pl-2. The
netmask 255.255.255.0 pool includes five global addresses between
203.25.25.1 and 203.25.25.5.
router(config)# access-list 1 permit 192.168.8.0 Permits access list 1 to perform the address
0.0.0.255 translation to all hosts in the interior network.
router(config)# ip nat inside source list 1 pool pl-2 Allows the access list 1 and the address pool
overload pl-2 to build a dynamic source translation.
router(config)# interface e0 Designates the interface e0
router(config-if-ethernet0)# ip nat inside Marks the above interface as an interior one
router(config-if-ethernet0)# exit
router(config)# interface s0 Designates the interface s0
router(config-if-serial0)# ip nat outside Marks the above interface as exterior.
router(config)#
In this example, the global address pool pl-2 is built first. The pool includes five global addresses between 203.25.25.1 and
203.25.25.5. The access list 1 permits all hosts in the interior network to perform an address translation. The Ethernet
port 0 is configured as an interior interface, while serial 0 becomes an exterior interface. The router then allows many local
addresses to use a global address.
11.2.4 Interior Destination Address Translation

If many interior network hosts – for example, Web servers – provide the same access to many continuous interior IP
addresses, then you can configure the NAT translation of the interior destination address to obtain simple TCP load sharing.
That way, the router can process many outbound global addresses.
The steps to configuring an interior destination address translation in the global configuration mode are as follows:
A. Define a rotary type of IP address pool that can be assigned as needed. The addresses in the pool are interior host
addresses, and will be used to share the TCP load.
router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
Syntax Description
Name Pool name
Start-ip Start address
end-ip End address
netmask Network mask
prefix-length The mask’s bit number
type rotary The true IP host
B. Define an access list and permit addresses in this list to be translated.
router (config)#access-list access-list-number permit source source-wildcard access-list access-list-number permit protocol
source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
Note: Please consult the preceding section again and the section on firewall configuration (Section One) for a list of
definitions corresponding to each command.
This access list can generally be defined as an extension access list to limit the number of destination addresses from received
data packet. It will only be translated when the exterior interface receives the destination address of the data packet.
C. Construct an interior destination translation based on the access list and the address pool you configured in the
above steps.
Command Description
ip nat inside destination list access-list-number pool name
D. Designate an interior interface.

Command Description
interface type number
E. Mark the interface to connect with the interior.

Command Description
ip nat inside
F. Designate an exterior interface.

Command Description
interface type number
G. Mark the interface to connect with the exterior.

Command Description
ip nat outside
Note: If there is only one interior host being used, it isn’t necessary to perform dynamic NAT configuration. If you want to
use NAT to hide the host IP address, then configure your router using static NAT. Because dynamic NAT only works for
TCP data packets, you’d be better off using static NAT configuration – especially if your host provides other protocol
services.
11.2.5 Timeout Alteration
You can alter NAT timeout with the global configuring command ip nat translation.
You can return to the default setting with the command no ip nat translation.
router(config)#ip nat translation ?
Command Description
Dns-timeout
finrst-timeout Ends and resets the TCP packet translation
timeout. The default setting is 60 seconds.
iMPs-error The ICMP error packet translation timeout.
The default setting is 60 seconds.
ICMP-timeout The ICMP packet translation timeout. The
default setting is 300 seconds.
port-timeout
syn-timeout The initiative TCP packet’s translation timeout.
The default setting is 90 seconds.
tcp-timeout The TCP port translation timeout. The default
setting is 1,800 seconds (30 minutes).
Timeout The simple dynamic translation timeout. The
default is 1,800 seconds (30 minutes).
udp-timeout The UPD port translation timeout. The default
is 600 seconds (10 minutes).
router(config)#ip nat translation timeout ?
Command Description
<1_2147483647> Timeout
Never Never timesout
Example:
Command Task
router(config)#ip nat translation timeout 120 Sets the timeout function to 120 seconds.
11.2.6 NAT Monitoring ,Maintenance and Debug

1. Mornitoring and Maintenance Commands
1) The dynamic address translation item can be removed with the privileged user command clear ip nat translation
before you set a timeout.
Command Task
router(config)#clear ip nat translation all Clears all dynamic transmissions.
router(config)#clear ip nat translation inside global-ip: Global address
global-ip local-ip local-ip: Local address
Clears the simple dynamic translation item.
router(config)#clear ip nat translation {tcp | global-ip: Global address
udp} inside global-ip global-port local-ip local- global-port: Global port
port local-ip: Local IP address
local-port: Local port
Clears the extended dynamic translation item.
2) You can display the active translation list item with the privileged user command show ip nat translations.
Command Task
router#show ip nat translations
The following are output examples of the preceding command:
You can use the global addresses 128.255.251.84 and 128.255.251.85 to communicate with some exterior hosts
without overloading.
router# show ip nat translations
Dir Pro Hv0 Hv1 Inside global Inside local Outside global Age
out --- 426 982 128.255.251.85 192.168.0.2 128.255.251.90 1783
out --- 425 981 128.255.251.84 192.168.0.2 128.255.251.89 1761
Dir Pro Inside global:Port Inside local:Port Outside global:Port Flags
in ---- 201.10.10.1 10 .0 .0 .90 228.255.255.99
in ---- 201.10.10.2 10 .0 .0 .97 129.55.9.3
You can use one global address to perform an address translation by overloading.
router# show ip nat translations
Dir Pro Hv0 Hv1 Inside global Inside local Outside global Age
out ICMP 850 16 128.255.251.86:1027 192.168.0.2:44080 128.255.251.90:44080 295
out ICMP 849 15 128.255.251.86:1026 192.168.0.2:44080 128.255.251.89:44080 288
Note: Translate 192.168.0.2 into 128.255.251.86 to access the exterior address 128.255.251.90/89.
Dir Pro Inside global:Port Inside local:Port Outside global:Port Flags
in ---- 201.10.10.1æ1026 10 .0 .0 .90æ2347 228.255.255.99æ23
in ---- 201.10.10.1æ1027 10 .0 .0 .97æ3455 129.55.9.3æ21
The preceeding fields are defined as follows:
Field Description
Dir Creates the translation’s packet direction.
Pro Recognizes the overload translation protocol.
Hv0 Hv1 The NAT record location.
Inside global The interior global IP and its port
Inside local The interior local IP and its port
Outside global The exterior global IP and its port
Age The remaining lifetime of the NAT record, told in
seconds.
3) You can display the NAT statistics with the privileged user command show ip nat statistics. Clear them by
typing clear ip nat statistics.
router# show ip nat statistics
Information Description
NAT version: 5.6
Total translations: 0 static, 2 dynamic
No memory: 0, Execcess drop: 0, Age1: 0, Age2:
0, Age3: 0
Translation mode: NATNAPT
NAT redirect enable
Outside interfaces: fastethernet0 Exterior interface f0
Inside interfaces: serial2 Interior interface s2
Hits: 73 Misses: 7
Expired translations: 3
Dynamic mappings:
-- Inside Source
access-list 1 pool p1 refcount 2
pool p1: netmask 255.255.255.248 The address pool uses the defined rules from
access list 1.
start 128.255.251.83 end 128.255.251.86
type GENERIC, total addresses 4, allocated 1 ,
misses 0
flags: ipN_MAP ipN_OVERLOAD
Fragment statistics: Totals: 0 Had-existeds: 0 No-
memorys: 0
Hits: 0 Expireds: 0 News: 0
Ftp proxy session: Totals: 0 Hits: 0 No-
memorys: 0
The above displayed fields are described as follows:

Field Description
Total translations Shows the amount of active static translations and
dynamic translations in the system.
Outside interface Refers to the list marked as an outside interface.
Inside interface Refers to the list marked as an inside interface.
Hits Indicates the number of times the translation list had
been examined and had its destination items found.
Misses Indicates the number of times the translation list had
been examined and didn’t have its destination items
found.
Expired translation The expired translation that have happened since
system startup.
Dynamic mappings Indicates dynamic mapping information.
Inside Source Indicates interior source address translation
information.
access-list Indicates the amount of times the access lists were
used in translation.
pool Indicates the address pool name used in translation.
Refcount Pool reference times.
Netmask The address pool’s first IP address.
End The address pool’s final IP address.
Type The type of address pool used: generic or rotary.
total addresses The address pool’s total address number.
allocated The amount of allocated addresses in the pool.
misses The number of times the missed packet didn’t have an
IP address.
4) You can display all NAT address pools with the privileged user command show ip nat pool.
router# show ip nat pool
Information Description
Address pool : p1
start : 128.255.251.83
end : 128.255.251.86
netmask : 255.255.255.248
type : GENERIC
5) To turn off the NAT redirect switch:

Command Task
router(config)# no ip nat redirect
Note: The redirect switch is specially set by the NAT for OICQ applications, and users between the interior and exterior
network won’t be able to communicate with each other directly. The router’s NAT provides the special switch function to
establish direct communication between users, based on its application. The problem can be overcome, though, by
transferring the OICQ server.
The default switch configuration will be set to ON. If you don’t need this function, you can turn the switch off. You can
open the switch again with the following command:
Command Task
router(config)# ip nat redirect
2. Debug Commands
command Task
router#debug ip nat To see all the informations of NAT
router#no debug ip nat Close debug ip nat command
router#debug ip nat packets Display the information in detail of IP packets before and after
translation
router#no debug ip nat packets Close debug ip nat packet command
11.2.7 Considerations of Configuring NAT

1) The global addresses and the local addresses can not be overlapped. The following three classes of local addresses are
recommended:
Class Descriptions
Class AÖ10.0.0.0 / 8 One class A address.

Class BÖ172.16.0.0 / 12 16 class B addresses.
Class CÖ192.168.0.0 / 16 256 class C addresses.
2) The static addresses and the addresses in the dynamic address pool can not be overlapped.
3) As a solution to connection, only when a small amount of hosts simultaneously communicate with the external of the
area, can NAT be practical. In this case, only a small sub-set of IP addresses in the area must be translated into unique IP
addresses. And when these addresses are not applied any more, these addresses can be reused again.
4) When an IP address or a port is embedded into an application, NAT becomes non-transparent for end users. So, NAT
can neither be applied to the case.
5) The router that has realize the technology can not support IPSec because the end-to-end security can not be ensured.
6) The route information can be broadcasted to the internal instead of the external
7) It is necessary to configure the static route between NAT and ISP routers.
8) IP OPTION can not be supported normally.
9) When there exists multiple interfaces, the same NAT table must be adopted
11.3 Easy IP Configuration

The items talked about in this brief section are:
Configuring Easy IP
Easy IP Configuration Cases
11.3.1 Configuring Easy IP

In order to make sure the Easy IP function works normally, you will need to also configure the LAN to WAN routing.
To configure Easy IP, you must:

1. Define a NAT pool.
2. Configure the LAN interface.
3. Define the NAT for a LAN interface.
4. Configure the WAN interface
5. Finally, define the NAT for the WAN interface.
11.3.2 Easy IP Configuration Case
The following configuration command can make a number of interior network hosts use just one negotiated IP address to
access the Internet.
Command Task
router(config)# access-list 1 permit 192.168.12.0 Defines access list 1 and enables it to
0.0.0.255 permit the addresses in the network
segment to be translated.
router(config)# ip nat inside source list 1 Builds the dynamic source address
interface serial0 overload translation between list 1 and port s0.
router(config)# interface e0 Designated a LAN interface e0.
router(config-if-ethernet0)# ip address
192.168.12.1 255.255.255.0
router(config-if-ethernet0)# ip nat inside Defines the NAT for a LAN interface.
router(config)# interface s0 Designates the WAN interface s0.
router(config-if-serial0)# physical-layer async
router(config-if-serial0)# speed 38400
router(config-if-serial0)# flow-control hardware
router(config-if-serial0)# encapsulation ppp Encapsulates PPP.
router(config-if-serial0)# ip address negotiated Starts PPP/IPCP address negotiation.
router(config-if-serial0)# ppp pap sent-username Starts PAP authentication.
xxx password xxx
router(config-if-serial0)# no keepalive
router(config-if-serial0)# ip nat outside Defines NAT for WAN interface.
router(config)#
11. 4 Access Control List (ACL) User Group Control Configurations

This section takes about two subjects related to ACL User Group Control Configurations:
Subnet Isolation
User Rights Management
11.4.1 Subnet Isolation

The main contents of this subsection are:
A. Principles Of Subnet Isolation
B. Configuration Commands
C. Examples Of Subnet Isolation
D. Other Applications
E. User access control: ACL.
A. Principles Of Subnet Isolation

Subnet isolation allows an interface filter to partition different access areas. (Different access areas can be divided on a
network interface so they can’t communicate with each other.) You can prevent attacks to your network by isolating data
packets that contain fake IP addresses. You can have different subnets isolated on the same physical link.
B. Configuration Commands
Command Description
router (config)#acl-group number Number <1 to 100>
interface interface number Binds a service area by defining the access group and
the interface it can have access to.
router (config)#acl-group number user Binds a user and a local area by defining an access
user names group user.
routerA(config)#user root password 0 Sets the super user.
password
router (config)#user usernames password Sets the common user.
0 password
Note: The super user account is the root account.
z To open the user classification management function, input:

Command Description
router (config)# service password- Opens the password encryption service.
encryption
router (config)# service enhanced-secure Opens the enhanced encryption service.
Note: After this command has been used, all passwords that have been configured previously will be encrypted. Be sure to
remember the password of the super user root.
z To configure local login authentication
Command Description
router (config)# aaa new-model Opens the AAA function.
router (config)# aaa authentication login default Sets up local authentication mode.
local
Note: After the above commands have been configured, the configured user name must be inputted before you can exit and
re-enter common user mode again. If the root user logs in, he or she can freely alter the router configuration. If a
common user logs in, she or he will be managed by their corresponding grade.
z To forbid a common user from logging in a second time:

Command Task
router (config)#no enable acl telnet-twice
Note: After the command has been configured, the user will be forbidden from logging into a router.
z To grant a common user partial rights:

router (config)#acl username Û
Command Description
acl_ifgrp Permits setting acl rights. Configures acl group and all
corresponding ports.
acl_usergrp Permits setting acl rights. Configures acl group and all users in
the group.
del_startup Assigns the right to delete a configuration file.
interface Assigns the right to operate ports.
line Assigns the right to operate the asynchronous ports.
Reload Assigns the right to reset.
sif_maker Assigns the right to set sub-interface.
st_route Assigns the right to set static routing.
Sysupdate Assigns the right to upgrade system.
Note: Common users are prohibited from using the system until the above commands are used. Once you’ve added these
commands to the system, users will be able to read/write information to/from it (or just read or write information
individually).
C. Examples of Subnet Isolation
The following figure illustrates a network with subnet isolation security policies in place:
Server A Server B
Area A Area B
routerB S1 S1 routerC
X.25
lan switchA S3 S3.1 lan switchB

F
E0
0 routerA
pc pc
net net
A B
Subnet isolation
After the X25 firewall is configured between router B and router C, as shown in the preceding figure, we can accomplish the
following tasks:
1. User MaipuA can’t access any interface and other equipment in access area B, such as server B.
2. User MaipuB can’t access any interface and other equipment in access area A, such as the interface S1 in router C.
3. If user MaipuA tries to log in to a router from netB, he or she will be denied access.
4. Users, except the super user, cannot telnet again after they have already accessed a router by that method. This is
an optional function and it can prevent a second login.
The dataflow based on the port number or MAC address of a PC NIC (Network Interface Card) can be prohibited. For
example, if you first use arp to bind the MAC address of a PC network card to an IP address, you can then define the
dataflow of the IP address through an access list. This way, only one fixed PC can access the network segment, even if their
IP address has been modified.
Configuring routerA:
Command Task
routerA#
routerA#con t
routerA(config)#interface serial3
routerA(config-if-serial3)#physical-layer sync
routerA(config-if-serial3)#encapsulation x25
routerA(config-if-serial3)#x25 dce
routerA(config-if-serial3)#x25 address 18
routerA(config-if-serial3)#x25 map ip 1.1.1.2 16
routerA(config-if-serial3)#clock rate 19200
routerA(config-if-serial3)#lapb dce
routerA(config-if-serial3)#ip address 1.1.1.1
255.255.255.0
routerA(config-if-serial3)#exit
routerA(config)#interface serial3.1
routerA(config-if-serial3.1)#x25 map ip 5.5.5.2 13
routerA(config-if-serial3.1)#ip address 5.5.5.1 Sets a sub-interface
255.255.255.0
routerA(config-if-serial3.1)#exit
routerA(config)#acl-group 1 interface fastethernet0 Binds Server A to an area.
serial3
routerA(config)#acl-group 2 interface ethernet0 Binds Server B to an area.
serial3.1
routerA(config)#acl-group 1 user MaipuA Binds the local area to MaipuA.
routerA(config)#acl-group 2 user MaipuB Binds the local area to MaipuB.
D. Other Applications
Example 1: In the following figure, MP2600 connects to the other two routers through firewall X25. S1 is connected to
Router A and S2 is connected to Router B. Here, we want to separate the network into two isolated areas.
F0 E0
MP2600
S1 S2
Area 1 Area 2
X.25
Router A Router B
After the X.25 firewall on each router is correctly configured, the subnet isolation function on the MP2600 router will be
successfully completed.
Command Task
MP2600(config)# acl-group 1 interface Binds Area 1 and Access Group1.
fastethernet0 serial1
MP2600(config)# acl-group 2 interface Binds Area 2 and Access Group 2.
ethernet0 serial2
Example 2: As shown in the following figure, the network is to be separated into four unattached areas. Users in each
department include:
Marketing Dept.: sc1 sc2 Product Development Dept.: kf1 kf2

Technical Support Dept.: js1 js2 js3 Finance Dept.: cw1 cw2
det
Access area 2
Market Dept Developing Dept
F0 E0
INTERNET
Access area 1 MP2600
S3
Technology support Dept Finance Dept
Access area 3
Case One: The Marketing Department and Technical Department can access each other. No other department can access
each other.
Step One: Configure the access area.

Command Task
MP2600(config)# acl-group 1 interface Binds access area 1 and access group 1.
fastethernet0 serial1
MP2600(config)# acl-group 2 interface Binds access area 2 and the access group 2.
ethernet0
MP2600(config)# acl-group 3 interface serial2 Binds access area 3 and the access group 3.
Step Two: Configure a user group and add a user.

Command Task
MP2600(config)# acl-group 1 user sc1 sc2 js1 Binds access group 1 to marketing and technical
js2 js3 support.
MP2600(config)# acl-group 2 user kf1 kf2 Binds product development with access group 2.
MP2600(config)# acl-group 3 user cw1 cw2 Binds the finance department to the access group 3.
Case Two: After a period of time, the business depicted here gets an Internet connection, and its managers wants all
departments except Finance to get Internet access. This requirement can be met when interface S3, which connects directly
to the Internet, is added to the corresponding configured access area.
Command Task
MP2600(config)# acl-group 1 interface Binds interface serial 3 with access group 1.
serial3
MP2600(config)# acl-group 2 interface Binds interface serial 3 to access group 2.
serial3
Access Area 1 and Access Area 2 can now formally connect to the Internet. However, the data packet from Access Area 3
is denied at the router because Interface S2 and S3 aren’t in the same access area. The Internet data packet, similarly, can’t
get to Access Area 3 through Interface S2. Thus, simple isolation technology can ensure the information security of some
important departments.
Example 3: As shown in the following figure, an enterprise network is distributed throughout a series of different access
areas. But Areas 1 and 2 are separated from each other and they can’t access each other. (The broken line in the following
figure shows that the access areas on the two routers are configured separately from each another.)
Step One: X.25 is re-configured on both routers using sub-interface S2.1.
Configuring router MP2600A:

Command Task
MP2600A(config)#int s2
MP2600A(config-if-serial2)#enc x25
MP2600A(config-if-serial2)#x25 dce
MP2600A(config-if-serial2)#x25 addr 1110
MP2600A(config-if-serial2)#ip address 192.168.0.1
255.255.255.0
Encapsulates X.25 on interface S2, and sets up the
MP2600A(config-if-serial2)#exit
X.25 with an IP address.
MP2600A(config)#int s2.1
MP2600A(config-if-serial2.1)#ip address
192.168.1.1 255.255.255.0
MP2600A(config-if-serial2.1)#x25 map ip
192.168.1.2 2220
Sets up the IP address on Interface S2.1, and
MP2600A(config-if-serial2.1)#exit
designates an address for the opposite end.
MP2600A(config)#int s2.2
MP2600A(config-if-serial2.2)#ip address
192.168.2.1 255.255.255.0
MP2600A(config-if-serial2.2)#x25 map ip
192.168.2.2 2220
Sets up the IP address on the S2.2 interface and
MP2600A(config-if-serial2.2)#exit
designates the address at the opposite end.
Configuring router MP2600B:

Command Task
MP2600B(config)#int s2
MP2600B(config-if-serial2)#enc x25
MP2600B(config-if-serial2)#x25 dce
MP2600B(config-if-serial2)#x25 addr 2220
MP2600B(config-if-serial2)#ip address 192.168.0.2
255.255.255.0
Encapsulates X.25 on the interface S2 and sets
MP2600B(config-if-serial2)#exit
X.25 and IP address.
MP2600B(config)#int s2.1
MP2600B(config-if-serial2.1)#ip address
192.168.1.2 255.255.255.0
MP2600B(config-if-serial2.1)#x25 map ip
192.168.1.1 1110
Sets up the IP address on interface S2.1 and
MP2600B(config-if-serial2.1)#exit
designates the IP address at the opposite end.
MP2600B(config)#int s2.2
MP2600B(config-if-serial2.2)#ip address
192.168.2.2 255.255.255.0
MP2600B(config-if-serial2.2)#x25 map ip
192.168.2.1 1110
Sets up the IP address on Interface S2.1 and
MP2600B(config-if-serial2.2)#exit
designates an IP address at the opposite end.
Step Two: Set up an access area:

Command Task
MP2600A(config)# acl-group 1 interface Binds area 1 with access group 1.
fastethernet0 serial2.1
MP2600A(config)# acl-group 2 interface Binds area 2 with access group 2.
ethernet0 serial2.2
MP2600B(config)# acl-group 3 interface serial1 Binds area 3 with access group 3.

serial2.1
MP2600B(config)# acl-group 4 interface Binds area 4 with access group 4.
fastethernet0 serial2.2
Step Three: Add a user to the user group in the corresponding access area.
As shown in the preceeding Example Two, you can add a user to the corresponding group. The users in Area 1 should be
added to Group 1 and Group 3, and users in Area 2 should be added to Group 2 and Group 4. Please refer to Case Two for
details on how to set up these users.
E. ACL User Right Control

You can configure whether a user is permitted to execute Telnet twice on the router or not. The commands are as follows:
Command Task
MP2600(config)# enable acl telnet-twice Permits a user to execute Telnet twice
MP2600(config)# no enable acl telnet-twice Doesn’t permit a user to execute Telnet
The system default permits users to log in twice. This operation can be turned off except when subnet isolation has been
configured onto the system. The root user can also log in twice, no matter what.
11.4.2 User Rights Management

Different network managers can get different rights based on their roles through the setup of user management rights. This
can ensure that the router runs normally and remains easy to maintain.
The graded rights corresponding setup are shown as follows:

Command Task
router(config)user root password 0 router Sets the super user. Its account can only be
named root.
router(config)exit
router#exit
router>exit
Login:root
password:Maipu Note: The password ‘Maipu’ is not displayed
router>en
router#config terminal
router(config)user Maipu password 0 Maipu Adds a new user whose password is ‘Maipu’.
router(config)service password-encryption
router(config)service enhanced-secure Opens the user grade management function
If the root user doesn’t perform any operation, he or she can only examine the router configuration and perform other
operations that don’t have an effect on the router’s operation.
router(config)# acl Maipu:
Command Description
acl_ifgrp Assigns acl set up rights.
acl_usergrp Assigns acl set up rights.
address_set Assigns interface configuration rights.
del_startup Assigns file configuration deletion rights.
reload Assigns system file reloading rights.
sif_maker Assigns sub-interface set-up rights.
st_route Assigns static routing adding rights.
sysupdate Assigns system upgrade rights.
telnet_twice Assigns second login rights.
Example:
Command Task
router(config)#acl Maipu reload This command grants the user Maipu the
right to reset a router.
Note: Only root users can perform the acl operation and alter the configuration freely on the router. So please be sure to
change the root password from ‘Maipu’ to something new as soon as possible.
11. 5 IPsec Network Security Configuration

The main topics in this section are:
Configuring IPsec
IPsec Monitoring And Debugging
IPsec Configuration Examples
11.5.1 Configuring IPsec
So far, IPsec can only used to work in Point-to-Point mode.

To manually configure IPsec, you need to also configure each IPsec peer that participates in communication. Note: In order
to ensure the access list is compatible with IPsec, both the IPsec ESP and AH protocol will use the numbers 50 and 51
respectively. (Please see B. Create An Encryption Access List.)
This is the order in which you must go about configuring IPsec:
A. Configure IPsec Control (optional)
B. Create An Encryption Access List
B. Define An Encryption Transformation Set
C. Configure The Global Lifetime (optional)
D. Create An Static Encryption Map
E. Apply The Encryption Map To An Interface
F. Delete And Rebuild IPsec Security Associations. (optional)
A. Configure IPsec Control

router(config)#crypto ?
Command Description
config-bynet Sets ways to perform remote configuration, such as
telnet.
ike Sets IKE parameters.
IPsec Sets IPsec configuration command
isakmp Sets security association key management.
Key Sets security key.
Map Configures encrypted map.
Dynamic-map Configures an dynamic map.
router(config)#crypto IPsec ?
Command Description
Enable Opens the security association and enables it to
work.
Df-bit Define means of processing df bit in an encapsulated
packet.
security-association Sets security association attributes.
spd Defines a security policy database.
Transform-set Defines a set of encryption algorithms.
IPsec switch: Use the following commands in global configuration mode:

Command Description
router(config)#crypto IPsec enable Opens IPsec .
router(config)#no crpto IPsec enable Closes IPsec .
Notes:
1. The IPsec fuction won’t work until the IPsec switch is open. The default setting leaves the switch open.
2. When IPsec is closed, all operations related to IPsec are invalid until the command open is used.
3. If the IPsec function running on one terminal is closed, then IPsec functions running on other terminals must be
closed in order to the network to formally communicate.
1. How To Ignore IPsec SA

Use this command in global configuration mode:
Command Task
router(config)#crypto IPsec spd ignore Transmitts data packets even when the
corresponding SA has not been built.
router(config)#no crypto IPsec spd ignore Discards data packets when there isn’t a
corresponding SA processing them. This is also the
default status.
2. How To Forbid Users To Acess Remote Telnet Configuration
Note: The following commands become effective simultaneously to both IPsec and IKE.
Command Task
router(config)#crypto config-bynet permit Permits remote configuration. (Default setting.)
router(config)#no crpto config-bynet permit Forbid remote configuration.
B. Create An Encryption Access List
An Encryption Access List is used to define which IP package should be encrypted, and which one shouldn’t.
In global configuration mode, the following commands are used to create an Encryption Access List:
router(config)#access-list access-list-number { deny | permit } protocol source source-wildcard destination destination-
wildcard [precedence precedence] [tos tos] [log]
Syntax Description
access-list-number Access list number
Protocol Protocol
Source Source address
source-wildcard Source address wildcard
destination Destination address
destination-wildcard Destination address wildcard
Precedence Priority
tos Service type
log Log
router(config)#ip access-list extended name
Syntax Description
Name The access list name
Note: Users facing a complex configuration stuation can refer to the following points:
1. We recommend configuring the mirror-map encryption access list to the IPsec function specified by each static
encryption map defined on the local peer. You should also define a new mirror-mapping encryption access list on
the remote-end peer at the same time.
2. The encryption access list isn’t used to decide whether a message is permitted or not allowed to pass through your
interface. It only decides which communications coming through the interface should be examined for security
reasons and which ones shouldn’t. Not until you apply the access list straight to the interface and construct the
corresponding security association will your decisions go into effect.
3. Avoid using the any command. For instance, using it with the permit command will cause all data entering the
router to be encapsulated by IPsec, and so some information unencapsulated, e.g. routing update information and
control information, may be discarded silently.
4. Use an IP access list specified by number or name. Remember: IPsec runs only on extended access lists.
5. The encryption access list that has had a permit function performed on it will allow all IP communication that
meets specified conditions to be protected by the corresponding encryption map’s rules. On the other hand, the
deny command may prevent the communication from being encrypted.
6. Presently, the access list’s port configuration number doesn’t support scope configuration, so the port number must
be specified or be the default number.
7. After the corresponding encryption map is defined and applied to an interface, the specified encryption access list
will be applied to the interface. Different access lists must be applied to the different entry in the same encryption
map. These tasks will be discussed in the following section (Section 6). But the information coming in and out
of the system will be judged by the corresponding IPsec access list, so the access list perameters can be applied to
messages leaving or entering the router.
8. There should be at least one permit sentence in the IPsec access list. When the access list is used in translation
mode, there must be one permit sentence in the access list. The source address and destination address must be
consistent with the security peer’s corresponding addresses. The host address can’t be a network address or
wildcard.
C. Configure An Encryption Translation Set
A translation set is a combination of different special security protocols and algorithms. You can configure one of these sets
with the following commands:
1. Defining And Deleting A Translation Set
Use the following commands in global configuration mode: (Note: executing these command will let you enter you into
encryption transform configuration mode.)
router(config)#[no] crypto IPsec transform-set transform-set-name transform1 [transform2[transform3]]

Syntax Description
transform-set-name Designates the transformation set that will be
created or altered.
transform1 [transform2[transform3]] Designates three transformation methods to define
IPsec security protocols and algorithms. The
encryption transformation set is shown in the
following Table 11-5-1.
No Deletes the specified transformation set.
Table 11-5-1 An Encryption Transformation Table
Choose one of these in ESP
Choose one of these in AH Choose one of these in ESP transformation, only when you’ve
transformation . transformation . chosen a function in column two
complied to rfc2406.
Transform Task Transform Task Transform Task
ah-md5-hmac AH esp-des ESP encryption esp-md5-hmac ESP
authentication algorithm with authentication
algorithm with 56-bit-DES. algorithm with
MD5. HMAC MD5. HMAC
variable. variable.
ah-ha-ha AH esp-3des ESP encryption esp-rmd160- ESP
authentication algorithm with hmac authentication
algorithm with 3DES. algorithm with
SHA. HMAC RMD160.
variable. HMAC variable.
ah-rmd160- AH esp-blf ESP encryption esp-sha-hmac ESP
hmac authentication algorithm with authentication
algorithm with BLF. algorithm with
RMD160. SHA. HMAC
HMAC variable.
variable.
esp-ssp02 Special ESP
encryption
algorithm with
SSP02 (used
through a
special
encryption
chip).
esp-null ESP-Null
algorithm
Note: Illegal combinations should be avoided when transformation sets are created.
1. Two or more transformation sets of the same class, such as esp-des and esp-blf, are illegal combinations. Two
transformations in the same column of the Table 11-5-1 aren’t permitted to be present.
2. The ESP authentication algorithm can’t be applied alone. It must be applied with the ESP encryption algorithm
complied to rfc2406.
3. The ESP encryption algorithm complied to rfc2406 can be applied not only with the ESP authentication algorithm,
but also on its own. If the encryption algorithm esp-null command is chosen, then just one kind of ESP
authentication algorithm must be configured. The following are feasible translation combinations:
ah-sha-hmac
esp-des
esp-des and esp-md5-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
Command Task
router(config)#cry ips tr mytrans1 ah-sha-hmac Defines the transformation set mytrans1.
esp-des esp-md5-hmac
router(cfg-crypto-trans)#exit
router(config)#cry ips tr mytrans2 esp-des esp-sha- Defines the transformation set mytrans2.
hmac
router(config)# no cry ips tr mytrans2 Deletes the transformation set mytrans2.
Two transformation sets have been configured: the transform set mytrans1 has three functions – namely ah-sha-hmac, esp-
des and esp-md5-hmac – and when that set is applied, both AH authentication and des encryption&MD5 hash of ESP can
be performed. The transformation set mytrans2 has two functions, namely esp-des and esp-sha-hma, and when the
transformation set is applied, ESP des encryption with sha hash can be performed. The last command deletes the transform
set mytrans2.
2. Change The Transformation Set Mode
In the encryption transformation configuration mode, you can apply a transformation set mode:
Command Description
router(cfg-crypto-trans)#mode [tunnel][transport] [tunnel][transport] (Optional function). Designates
ÔOptionalÕ either a transform set mode, a tunnel mode or a
transport mode. The default setting is in tunnel
mode. Change the mode relative to the translation
set. The mode configuration is useful only when a
message’s source addresses and destination
addresses have been set to an IPsec peer address, and
it is invalid to all other communication. (All other
messages can be performed in the tunnel mode.)
To change back to default tunnel mode:

Command Description
router(cfg-crypto-trans)#no mode Returns the mode back to its default.
Notes:
1. The IPsec transport mode will not be used until the peer-to-peer security measure should be needed. In this case,
you should avoid using the tunnel mode in order to avoid adding unnecessary security protocol headers.
2. When the data packet’s final destination is not safe, the IPsec tunnel mode should be used.
3. When the router forwards data packets through a security service, it must use the tunnel mode.
4. In a situation where ehther of two modes can be used, the AH tunnel mode isn’t commonly used because the data is
being protected as it would be in transpot mode.
5. If the translation mode is used, the host address, not the network address, should be configured. Also, the address
of the IPsec peer will correspond to addresses in the access list. The wildcard will not be allowed.
6. No more than one access list permit command can use translation mode. The source or destination address is also
the security tunnel’s source or destination.
Command Description
router(cfg-crypto-trans)#mode tran Sets the transport mode.
D. Configure Global Lifetime
The global lifetime is applied when a new IPsec security association is negotiated. It can be used to build the IKE security
association.
To set a IPsec global lifetime:

router(config)#[no] crypto IPsec security-association lifetime [seconds|kilobytes]
Syntax Description
Kilobytes Computes the lifetime by designating the IPsec SA to
expire after a certain amount of traffic (in kilobytes)
passes through the system.
Seconds Computes the lifetime by designating the IPsec SA to
expire after a certain number of seconds.
No Sets the global lifetime to default mode.
Notes:
1. The default settings of the IPsec SA global lifetime are 3,600 seconds and 4,608,000KB. (This will transmit data
at 10Kbs for an hour.)
2. The lifetime can be reset in different encryption maps.
3. Changing the global lifetime won’t effect existing security associations. It will, however, be applied to the
successive security association negotiation. (That is, the lifetime set in the security encryption map that is in use.)
E. Configuring The Encryption Map
You can create an encryption map based on the following rules and operations:
Which communication do you want IPsec to protect? (Consider creating an Encryption Access List, as explained
in Section B.)
Where will the messages protected by IPsec be sent? Who will the remote-end IPsec peer? (Please see Section B
for more details.)
Which IPsec security policies should be applied to messages? Select one from a list of transformation sets.
There are two kinds of encryption map entry. They are either used to manually building an IPsec security association or by
IKE negotiation. Both types can exist in the same map set.
You can apply the encryption map to the interface so that they can judge all IP communication through the interface. In
order to make IPsec between its two peers a success operation, their encryption maps must contain configuring code that’s
compatible between each other. When two peers try to build a security association, one peer must have an encryption map
that’s compatible with the other. In order to be compatible, these maps should at least meet the following conditions:
They must contain compatible Encryption Access Lists, such as a mirror mapping access list.
They must preform the same transformation functions.
1. Manually Create An SA Encryption Map
You can plan a manual seurity association between the local router and IPsec peer manager, so both will be able build the
security association manually whenever they want. The encryption map must be created in order to build the SA manually.
Use the following commands in global configuration mode:
To designate the encryption map that will be created or altered, use this command to enter the encryption-map configuration
in global configuration mode:
Command Description
router(config)#crypto map map-name Map-name: the encryption map set name
seq-num IPsec-manual seq-num: the map entry number
To have the encryption map build a message’s security association manually, use this command:
Command Description
Router(config)#cry map mymap 1 IPsec-m This command creates an encryption map entry whose
number is 1. Add the item to the encryption map set
mymap. If the encryption map set doesn’t exist, then
create a new one named mymap. Finish the
command and enter encryption mapping configuration
mode.
To designate an extended access list to an encryption map:

Command Description
router(cfg-crypto-map)#match address access-list-id|name: the list number/name

[access-list-id|name]
Note: An encryption map can only be appointed to one encryption access list, and vice-versa.
To remove an extended access list from an encryption map:

Command Description
router(cfg-crypto-map)#no match address access-list-id|name: the list number/name
{access-list-id|name}
Example: If the security access list 1234 is configured in advance (see the following table), then the first command applied
to the access list 1234 will result in the encryption map’s configuration. The second command cancels this operation.
Command Task
router(cfg-crypto-map)#match addr 1234 Designates an extended access list.
router(cif-crypto-map)#no matc addr Removes a chosen extended access list.
To designate an encryption map’s IPsec peer:

Command Description
router(cfg-crypto-map)#set peer ip-address ip-address: the peer’s IPsec address
The preceding command will designate a remote-end IPsec peer, too. The message protected by the IPsec will be sent to the
peer. (Only one peer must be specified in manual configuration mode.)
To remove an IPsec peer from an encryption map:

Command Description
router(cfg-crypto-map)#no set peer ip-address ip-address: the peer’s IPsec address
Example:
Command Task
router(cif-crypto-map)#set peer Sets the IPsec peer with the IP address 192.255.125.60 as
192.255.125.60 the opposite encryption peer.
router(cfg-crypto-map)#no set peer Cancels and resets the above set.
To specify a translation set for the encryption map:

Command Description
router(cfg-crypto-map)#set transform-set transform-set-name: the transformation set name
transform-set-name
Note: Designate the proper transformation set in completing the preceeding task. The set must be the same as the one
appointed by the remote-end peer. (A transform set must be specified when it is configured manually.)
To remove a transformation set from the encryption map:

Command Description
router(cfg-crypto-map)#no set transform-set Removes the transformation set.
Example:
Command Task
router(cfg-crypto-map)# set tran mytrans1 Designates the encryption map to use the translation
set mytrans1.
To set the AH protocol session key:

router(cfg-crypto-map)#set session-key {inbound[outbound]} ah spi hex-key-string
Syntax Description
Inbound Inbound
Outbound Outbound
Spi The index value of the security parameter used to
identify a security association.
The same SPI can be given to a security association
that has packets following in two directions (in/out)
with two protocols (AH and ESP). However, some
peers can’t freely assign SPI. An exclusive SPI
value must be applied to a combination of destination
addresses and protocols. If the packet is inbound,
the destination address is the router address. If it is
outbound, then the destination is the peer address.
Before the session key is configured, the
transformation set should be configured first.
Different transformation sets will have different key
length demands.
hex-key-string Designates the session key with a string in
hexidecimal form: don’t input char 0X. Other
characters are invalid.
Note: If the specified transformation set includes an AH protocol, then the command is used to set the AH security
parameter index (SPIs) and password for the protected in/outbound message. (This command specifies that the AH security
association will be used to protect the message.) The appropiate in or outbound configuration must be performed.
The following length of key data string MUST be at least double of the least key length needed, for example, when the least
length of key is 16 bytes, the length of key string you input must be at least 32 and even.
To delete the maps’ IPsec session key:

Command Description
router(cfg-crypto-map)#no set session-key Deletes an IPsec session key.
{inbound|outbound} ah
Example:
Command Task
router(cfg-crypto-map)#set sess inb ah 300 When the AH hash algorithm is AH-
123456789012345678901234567890abcd MD5-HMAC, the length of key is at
least 16 bytes.
router(cfg-crypto-map)#set sess out ah 301 When the AH hash algorithm is AH-
12345678901234567890abcdefabcdef1234567 SHA-HMAC, the length of key is at
890 least 32 bytes.
To delete the inbound key from the encryption map:

Command Description
router(cfg-crypto-map)#no set sess inb ah
Troubleshooting the key length limit:

Command Possible Reasons For Error Messages
router(cfg-crypto-map)#set sess in ah 300 1 The data key must be an even number of characters.
The key length must be even.
router(cfg-crypto-map)#set sess in ah 300 12 The data key bit length is too short. It needs to be
at least 16 bytes, when the AH hash algorithm is
AH-MD5-HMAC.
router(cfg-crypto-map)#set sess in ah 300 12 The data key bit length is too short. It needs to be
at least 20 bytes, when the AH hash algorithm is
AH-SHA-HMAC.
router(cfg-crypto-map)#set sess in ah 300 12 Warning: no translation set needs this key. It will
appear when the encryption transformation set
doesn’t use the AH hash method.
To set an ESP protocol’ s IPsec session key:

router(cfg-crypto-map)#set session-key inbound[outbound] esp spi cipher hex-keystring[authenticator hex-key-string]
Syntax Description
cipher Indicates whether or not the key string will be used
together with ESP encryption transform.
authenticator (Optional function.) Indicates whether the key
string will be used together with ESP authentication
transformation set or not. The parameter is needed
only when the encryption map uses the ESP
authentication algorithm.
Note: If the specified transformation set includes an ESP protocol, then the preceeding command is used in encryption
mapping configuration mode to set AH security parameter indexes (SPIs) and password for the protected in or outbound
message. If the transformation set includes ESP encryption algorithm, then the encryption key should also be provided.
If the transformation set includes an ESP authentication algorithm, then the authentication key should be provided. (The
command specifies that an ESP security association will be used to protect the message.)
To remove an IPsec session key from the encryption map:

Command Description
router(cfg-crypto-map)#no set session-key Removes the IPsec session key.
{inbound|outbound} esp
Examples:
Command Task
router(cfg-crypto-map)#set sess inb esp 2222 cipher When the ESP hash algorithm is ESP-
1234567890abcdef auth MD5-HMAC.
12345678901234567890123456789012
router(cfg-crypto-map)#set sess out esp 2223 cipher When the ESP hash algorithm is ESP-
1234567890abcdef12 auth MD5-HMAC.
1234567890123456789012345678901234
router(cfg-crypto-map)#set sess inb esp 2222 cipher When the ESP hash algorithm is ESP-
1234567890abcdef auth SHA-HMAC.
1234567890123456789012345678901234567890
router(cfg-crypto-map)#set sess out esp 2223 cipher When the ESP hash algorithm is ESP-
1234567890abcdef12 auth SHA-HMAC
1234567890123456789012345678901234567890
To remove the encryption map’s ESP inbound key:

Command Task
router(cfg-crypto-map)#no set sess inb esp Removes the ESP inbound key.
Troubleshooting the key length limit:

Command Possible Reasons For Error Messages
router(cfg-crypto-map)#set sess in esp The data key will be too short by at least eight bytes.
300 cipher 12 The DES method key length must be at least eight bytes.
router(cfg-crypto-map)#set sess in esp The data key must have an even number of characters.
300 cipher 1 The key length must be even, too.
router(cfg-crypto-map)#set sess in esp The data key must have an even number of characters.
300 cipher 1234567890123456 au 1 The key length must be even.
router(cfg-crypto-map)#set sess in esp The data key is too short by at least 16 bytes. When
300 cipher 1234567890123456 au 12 the ESP hash method is ESP-MD5-HMAC, the length
needed is at least 16 bytes.
router(cfg-crypto-map)#set sess in esp The data key is too short by at least 20 bytes. When the
300 cipher 1234567890123456 au 12 ESP hash method is ESP-SHA-HMAC, the length must
be at least 20 bytes.
router(cfg-crypto-map)#set sess in esp Warning: No transformation function needs this key.

300 cipher 12
This will prompt an error message, as the encryption
transformation set is using an improper encryption
algorithm.
router(cfg-crypto-map)#set sess in esp Warning: No transformation function needs this key.
300 cipher 1234567890123456 au 12
This will prompt an error message because the
encryption transform set isn’t using the ESP hash
algorithm.
2. Creating An IKE SA Encryption Map.
When IKE is used as a security association, new security association parameters (or uses) can be negotiated among IPsec
peers. Namely, the encryption map can be specified.
Creating an encryption map using an IKE SA:
Step One: Use the following command in global configuration mode to enter the security encryption map configuration:
Command Description
router(config)#crypto map map-name map-name: name of the encryption map set
seq-num IPsec-isakmp seq-num: the entry number
IPsec-isakMP: IPsec-isakmp indicates this is a
security encryption map used by IKE.
Step Two: Designate an extended access list for the encryption map.
Command Description
router(cfg-crypto-map)#match address access- access-list-id: the specified access list number.
list-id
This command performs the same function that
manually configuring the encryption map does.
Step Three: Designates an IPsec peer for an encryption map.

Command Description
router(cfg-crypto-map)#set peer ip-address The same manually configuring the encryption map.
Step Four: Designates a transform set for an encryption map.

Command Description
router(cfg-crypto-map)#set transforl-set transform-set-name: Designates the name of
transform-set-name1 [transform-set-name2 … transformation set which can be used. Six sets can be
transform-set-name6] configured at most.
Step Five: Designates the IPsec security association lifetime.
To designate IPsec SA to expire:

Command Description
router(cfg-crypto-map)#set security- Seconds: Designates the SA lifetime.
association lifetime seconds seconds Seconds: Designates time in which a security
association can exist before expire.
router(cfg-crypto-map)#set security- Kilobytes: Designates the lifetime shown in
association lifetime kilobytes kilobytes bytes traffic.
Kilobytes: The amount of kilobyte traffic two IPsec
peers in the security association generates before the
SA expires.
To revert back to a global lifetime:

Command Description
router(cfg-crypto-map)#no set security- Reverts back to the global lifetime
association lifetime [seconds|kilobytes]
Specific Notes For Step Five:
1. IPsec uses shared keys. These keys and their corresponding security association will expire at the same time.
2. Time or traffic lifetimes will expire at the same time as their security association.
3. If the router follows a new security association – and if its encryption map has been reconfigured with the new
lifetime – its peer will follow the same encryption map lifetime, too. When the router begins negotiation, the new
lifetime will be applied to the router and its peer.
4. Changing lifetime data will have no effect on the existing security association. But, during the next negotiation, it
will bind a new security association to the data permitted by the encryption map. If you want the new setup to go
into effect as soon as possible, the command clear crypto sa can be used to clear part or whole parts of the security
association database.
5. When the encryption map’s security association lifetime is canceled or isn’t set, the global lifetime will be regarded
as the correct lifetime during negoiation.
Step Six: Designate whether the ideal transformation security mechanism or the IPsec peer should contain the PFS
requirement when IPsec applies the encryption map’s SA.
Command Description
router(cfg-crypto-map)#set group1: Designates that IPsec will use 758-bit Diffie-
pfs[group1|group2|group3] Hellman groupware during a new Diffie-Hellman
exchange.
group2: Designates that IPsec will use 1024-bit
Diffie-Hellman groupware during a new Diffie-
Hellman exchange.
group3: Designate that IPsec will use 1536-bit
Diffie-Hellman groupware during a new Diffie-
Hellman exchange.
To be sure IPsec cannot perform the PFS application, please use this command:
Command Description
router(cfg-crypto-map)#no set pfs
Specific Notes For Step Six

1. In default mode, the system won’t require for the PFS. If you dosn’t designate what groupware to use, the default
will automatically call it group1.
2. If the peer launches a negotiation when the local configuration has been appointed to use PFS, then the peer must
organize PFS exchange – otherwise, the negotiation will fail. If the local configuration doesn’t designate the
groupware, then the local router will use default group1. The peer party will be accepted no matter which
groupware is provided. If the configuration has specified group2 and group3, then the peer party must provide the
same groups.
3. PFS increases your network’s security because, if a hacker decrypts a key, only the database using that key will be
threatened. If PFS isn’t used, other keys with access to that database could be targeted.
4. Everytime that PFS is applied and a new SA is initiated, there will be a new Diffie-Hellman exchange.
Step Seven: configure DPD (Detect Dead Peer) function for encryption item. In this way, the local end can detect whether
the peer has the function of fault-auto-restore. The command is described as follows:
Command Description
router(cfg-crypto-map)# set dpd delay-time retry- delay-time: the maximal interval of sending
number [hold|clear] dbd detect message (by second). and the default value
is 10.
retry-number: the retry-timestimes of retransmitting
dpd detect packet. and the default value is 2.
hold: the action for pdd timeout, representing that the
connection will be reset and the negotiation will be
triggered again for the next time. The option is enabled
by default.
Clear: the action for DPD timeout, representing that
the connection is not reset and a new IKE negotiation
will be triggered for the next time.
To cancel the configuration, the following command should be used:

Command Description
router(cfg-crypto-map)# no set dpd Cancel DPD function
Step Eight: Exit from the encryption map configuration mode.

Command Description
router(cfg-crypto-map)#exit Exit
Repeat these steps if more encryption maps are required.
3. Delete Encryption Map
Use the following command in global configuration mode to delete, in whole or in part, map items:
Command Description
router(config)#no crypto map map-name Map-name: The name of encryption map
[seq-num] Seq-num: The number of encryption map
When the encryption map is deleted, the existing security association will stay in effect until the command clear crypto sa
unrebuild is used to delete the corresponding security association.
4. Configure dynamic encryption map

When the IPsec peer address is variable or has not been kown beforehand, the local can been configured as dynamic dynamic
map. Use the following command in global configuration mode to enter the dynamic encryption map configuration mode:
Command Description
router(config)#crypto dynamic-map map-name map-name: the name of the dynamic encryption
seq-num map set
seq-num: the serial-number of the dynamic
encryption map entry
The other configuration is similar to that of the normal ISAKMP encryption map set (see section 2).
Notes:
1. Multiple peers can be set in a dynamic encryption map, but only one can be set in normal encryption map.
2. At least one transformation set must be set in a dynamic encryption map and the configuration of other attributes
is optional.
3. Only one dynamic encryption item can be set for one dynamic encryption map set currently. Different from the
common ISAKMP encryption map set, the dynamic encryption map set can not be directly applied to an interface, and it
can not take effect until it is mapped to an ISAKMP encryption map item.
4. The IPsec peer configured as the dynamic map set can not initiate IKE negotiation to build IPsec tunnel for
communication, it must wait and accept the IKE negotiation request from the peer (it must be configured as the
common ISAKMP encryption map set).
Use the following command in global configuration mode to generate a normal encryption map entry referring to a dynamic
map set beforehand defined.
Command Description
router(config)#crypto map map-name seq- map-name: the name of the dynamic encryption
num ipsec-isakmp dynamic dynamic-map- map set
name seq-num: the serial-number of dynamic encryption
map item
dynamic-map-name: the name of dynamic
encryption map set
Use the following command in global configuration mode to delete the specified dynamic encryption map item or the whole
dynamic encrytion map set
Command Description
router(config)#no crypto dynamic-map map- map-name: the name of dynamic encryption map
name [seq-num] set
seq-num: the serial-number of dynamic map item.
Notes:
To delete a dynamic encrytion map set or entry, be sure that it has not been used, that is to say that it has not been
mapped to a common ISAKMP encryption map item.
F. Apply The Encryption Mapping Item To An Interface
1. Applying An Encryption Map Interface
An encryption map should be configured for each interface that the IPsec communication will pass through. The encryption
map will be used to judge all communication through the interface and apply special rules to different messages that need
protection through a security association.
Use the following command in interface configuration mode to apply the encryption map to an interface:
Command Description
router(config-if-xxx)#crypto map map- map-name name of encryption map
name [address ip-address] ip-address ip address of the interface
Notes:
1. Before the interface provides IPsec service, an encryption map must be assigned to the interface. If many
encryption maps have the same map-name but different seq-num, they will still be located in the same set and
applied to the same interface.
2. If Seq-num has a low number on the encryption map, it will carry a higher priority. An encryption map may
contain a combination of IPsec-ISAkMP and IPsec-manual.
To remove an encryption map from an interface:
Command Description
router(config-if)#no crypto map map-name. Removes the encryption map
Examples:
Command Task
router(config-if-xxx)#cry map mymap Applies the encryption mapping list mymap to
the current interface.
router(config-if-xxx)#cry map mymap addr Applies mymap to the current interface and
128.255.125.12 designates to use the address 128.255.125.12 of
the interface for the map set mymap
3. Designating The Encryption Map’s ID Interface
Use the following command to designate an identified interface in global configuration mode:
Command Description
router(config)#crypto map map-name local- map-name: the name of the encryption map
address {interface-id } interface-id the identity of the interface
To delete the command from the configuration:

Command Description
router(config)#no crypto map map-name local- Deletes the identified interface of the map set
address
Notes:
When designate an identified interface to an encryption map set, the IP address of the interface will be used as the local
address for IPsec tunnel.
To use loop interface as an identified interface, imput:

Command Task
router(config)#cry map mymap local f0 Designates the loopback0 as the identified interface.
This interface’s address is regarded as the source
address, used to send data and the destination
address, which is used to receive data.
G. Delete And Rebuild IPsec Security Associations

Use the following command in the privileged user mode to delete and rebuild the SA, if conditions permit:
Command Description
router#clear crypto SA [unrebuild] [unrebuild] (Optional.) Chooses the parameter
to delete the specified security association. It
doesn’t rebuild one.
To delete all IPsec associations and (if the parameter unrebuild hasn’t been chosen) rebuild all security associations on the
current encryption map:
Command Description
router#clear crypto sa peer ip-address ip-address: The remote-end peer IP address that uses
[unrebuild] the peer command to delete the IPsec assocation from
the specified peer.
router#clear crypto sa map map-name map-name: The name of the encryption map set.
[unrebuild] Use the map command to delete all security
associations created by the specified encryption map
set.
router#clear crypto sa entry destination- destination-address: The local or remote-end peer IP
address protocol spi address
[unrebuild] protocol: The security protocol esp/ah
spi: spi number
Use the entry command to delete all security

associations that contains the specified address,
protocol and the SPI IPsec association.
Note:
1. When you finish clearing data, the IPsec association will be rebuilt, if allowed.
2. If a configuration changes that has litte effect on the security association, then the change doesn’t have an effect on
the current security association and will have an effect on the coming security association. All security association
can be rebuilt through the command clear crypto sa. This way, these security associations can use this new
configuration. When the security association is built manually, if the configuration changes – which usually has
little effect on security association – then the command clear crypto sa must be used before the change becomes in
effect
3. When any security association is deleted, anything related to it will also be deleted. The inbound security
association and the outbound one are always built or deleted together.
4. In order to ensure the router processing the IPsec communication isn’t affected, only clear the part security
association’s contents.
Example:
Command Task
router#clear cry sa Clears all security associations and rebuilds the
security association according to condition.
router#clear cry sa map mymap Clears all security associations created by the
encryption mapping mymap and rebuilds them.
H. Configure parameters on IPsec NAT-Traversal

Configure IPSec-NAT traversal, and firstly probe whether there exists NAT in the network and perform the corresponding
processing of the existing NAT.
Specify NAT traversal for usage:
Syntax Descriptions
router(config)# crypto nat-traversal enable Enabled by default.
Specify no NAT traversal for usage:
Syntax Descriptions
router(config)# no crypto nat-traversal enable
Specify the frequency of activating IPSec NAT:
Syntax Descriptions
router(config)# crypto nat-traversal keepalive 20 seconds by default.
<1_550>
When allocating an IP address to a host, the NAT equipment can ensure the useful-life (keepalive) of the new address, that is
to say that the address can still keep alive in the useful-life when there exists no flow. For example, the NAT equipment can
make an IP address, which is generated by the NAT equipment and has been unused for 20 seconds, invalid. So, IPSec
participator need send UDP packets periodically so that the NAT map can not be altered until the SA of phase 1 and phase 2
expires.
Note:
NAT equipment can provide corresponding session timeout interval according to different manufacturers and models. It is
very important to determine the timeout interval of the NAT equipment and set the activation frequency in the interval.
11.5.2 Monitoring and Debugging IPsec
The following commands are used in EXE mode to examine the IPsec configuration information:
To examine the tranformation set configuration:

Command Description
router#show crypto IPsec transform-set [tag tag transform-set-name (Optional.) This only displays
transform-set-name] the translation set whose specified name is transform-
set-name. If the command name isn’t used, all of the
sets on the router will be displayed.
To examine the encryption mapping:

Command Description
router#show crypto map [interface interface interface (Optional.) Only displays the specified
interface|tag map-name] encryption map.
tag map-name (Optional) Only displays the
encryption map specified by map-name.
If the interface or tag command isn’t used, all encryption
maps on the router will be displayed.
To examine the dynamic map set:
Command Description
router#show crypto dynamic-map [tag] [map- tag map-name: (Optional) the name of dynamic
name] map set.
To examine the state information of IPsec NAT-Traversal:

Commad Description
router#show crypto nat-traversal Examine the related staus information and whether
Ipsec has NAT-Traversal function.
Examine IPsec association information.

router#show crypto IPsec sa [map map-name|address ip-address |interface {interface-
name|ip-address}|identity]
Syntax Description
map map-name (Optional.) Displays the existing security association
created by the encryption map map-name.
Address ip-addres (Optional.) Displays the existing security association
whose address is specified.
Interface {interface-name|ip-address} Displays the existing security associations appointed
to the interface. The interface IP address should
indicate the interface name. When it has been configured
with a specific identified interface, it should be displayed.
When the interface has many addresses, the addresses
should be displayed.
Identity (Optional.) Displays dataflow only, notthe security
association information.
To display IPsec statistics:

router#show ip ?
Command Description
Ahstate Displays AH protocol stats
espstate Displays ESP protocol stats
To clear IPsec statistics:

router#clear ip ?
Command Description
Ahstat Clears AH protocol stats
Espstat Clears ESP protocol stats
Command Description
router#show crypto pfkeyv2 pfkeystate Displays statistic information about the pfkey socket.
router#clear crypto pfkeyv2 pfkeytate Clears statistic information about the pfkey socket.
router#show crypto IPSecout Displays the statistic value processed by the IPsec
input module.
router#clear crypto IPSecout Clears the statistic value processed by the IPsec input
module.
router#show crypto IPsec state/version State: Displays IPsec state information.
Version: Displays IPsec version information.
router#show crypto spd Displays the dataflow information in the security
database of IPsec policies.
router#show crypto explist Displays the SA’s overtime chain list.
To debug IPsec:
Command Description
router#debug IPsec addr {tx|rx|double} tx|rx|double: Input/output/bidirection
Observes the IP address and the data packet direction
entering the IPsec module.
router#no debug IPsec Closes debugging.
router#debug esp {addr|all|tail|head} addr|all|tail|head Address/datagram/the last 20
{tx|rx|double} bytes20 / the start 20 bytes
tx|rx|double
Input/output/bidirection
Observes the IP address and direction of the datagram

that enters ESP module.
router#no debug esp Closes debugging
router#debug ah {addr|all|tail|head} {tx| Observea the IP address and the direction of the
rx|double} specified data entering the AH module.
router#no debug ah Closes debugging
11.5.3 IPsec Configuration Case
Network
121.255.0.0
segment 128.255.0.0 Network
segment
Router A Router B
Tunn
IPSec el s
121.255.255.162 f0 s2 2 f0 128.255.255.161
1.1.1.2 1.1.1.1
Notes About The Preceeding Illustration:

1. Router A connects to Network Segment 121 through Ethernet interface f0. The address of f0 is 121.255.255.162.
2. Router B connects to Network Segment 128 through Ethernet interface f0. the address of f0 is 128.255.255.161.
3. Two routers connect through WAN to each other through the interface S2 and PPP protocol. They are set in
asynchronous mode. The S2 address in the router A is 1.1.1.2 and the S2 address in the router B is 1.1.1.1.
4. All protocols types will be processed in the dataflow from 121.255.0.0 to 128.255.0.0.
Router A Configuration:
Command Task
router>en
router#conf n
router(config)#int f0
router(config-if-fastethernet)#ip addr 121.255.255.162
255.255.0.0
router(config-if-fastethernet)#exit
router(config)#int s2 Configures the IP address of the interface
and the link layer protocol. The link
layer protocol can be specified freely
when IPsec is used.
router(config-if-serial2)#phy asyn
router(config-if-serial2)#ip addr 1.1.1.2
255.255.255.255
router(config)#acc 1001 per ip 121.255.255.162 Configures an access list used to
0.0.255.255 128.255.255.161 0.0.255.255 designate what dataflow the user wants
IPsec to process. The following
examples are all protocols. TCP/UDP
can be specified alone.
router(config)#cry ip tr test esp-des esp-md5-hmac Configures how to protect the dataflow
securely. The encryption method is used
to encrypt data and protect the data can’t
be recognized on the network. The
authentications (md5, sha1…) are used to
assure data integrity and to guarantee the
data cannot be changed in
transportation.
router(cfg-crypto-trans)#mo tu Designates the tunnel mode to be used.
When the end address of the security
tunnel isn’t equal to the end address of
the dataflow, the tunnel mode must be
applied. For users, the transport mode
isn’t commonly used. The command is
optional and the default is the tunnel
mode.
router(config)#cry map map1 1 IPsec-m Configures the encryption map 1.
router(cfg-crypto-map)#set peer 1.1.1.1 Designates the other end’s peer address.
router(cfg-crypto-map)#set tr test Designates the transformation set.
router(cfg-crypto-map)#match addr 1001 Designates the encryption access list.
router(cfg-crypto-map)#set ses i esp 1001 c
1234567812345678 a
1234567890123456789012345678901234
router(cfg-crypto-map)#set ses o esp 1001 c Sets the key and Security Parameter
1234567812345678 a Index (SPI) and it should respond to the
12345678901234567890123456789012 configuration of the end-to-end router.
The details refer to the corresponding
manual specifications.
router(cfg-crypto-map)#exit
router(config-if-serial2)#cry map map1 Applies the configuration to the S2
interface.
router#cle cry sa(no global configuration mode) Makes configuration effective.
router(config)#ip route 0.0.0.0 0.0.0.0 s2 Configures default routing.
router(config)#exit
Now, configuration is complete. The following command is used to examine information:
router(config)#sh cr map
You can display the security encryption map as follows:
Crypto map: 'map1', 1,ipsec-manual

Peer = 1.1.1.1
Used on interface: serial2(1.1.1.2)
Extended ip access list 1001('1001')
access-list 1001('1001') permit any
source: addr = 121.255.255.162/255.255.0.0
dest: addr = 128.255.255.161/255.255.0.0
current peer 1.1.1.1
inbound esp spi: 1001
cipher key: ********
auth key:********
inbound ah spi: 0
key: (null)
outbound esp spi: 1001
cipher key: ********
auth key: ********
outbound ah spi: 0
key: (null)
router#sh cr ips sa
You can display the security association as follows:

================ Security Association Information ================
Interface: serial2
Local ident(addr/mask):(1.1.1.2/255.255.255.255)
Remote ident(addr/mask):(1.1.1.1/255.255.255.255)
Current peer: 1.1.1.1
Local crypto endpt:1.1.1.2, remote crypto endpt:1.1.1.1
inbound esp sas:
spi:0x3e9(1001), dstaddr: 1.1.1.1, sproto: ESP
transform: esp-des, esp-md5-hmac,
in use settings = {Tunnel}
IV size: 8 bytes
crypto map: 'map1',1
Replay detection support: N
outbound esp sas:
spi:0x3e9(1001), dstaddr: 1.1.1.2, sproto: ESP
transform: esp-des, esp-md5-hmac
IV size: 8 bytes
crypto map: 'map1',1
Replay detection support: N
Permitted flows:
Flow:Protocol: any
Source addr: 121.255.255.162/255.255.0.0
Destination addr: 128.255.255.161/255.255.0.0
Sport: any
Dport: any
router#sh cr ips sa id
You can display the dataflow information:

================ Flow Information ================
SA:Srcaddr:1.1.1.2
Dstaddr: 1.1.1.1
SPI: 1001
Security proto: 50(ESP)
Permitted flows:
Flow:Protocol: any
Source addr: 121.255.255.162/255.255.0.0
Sport: any
Dport: any
router#show cr spd
You can also display secure dataflow information:

---------------------------------------------------------------
Flow - flow that uses this policy
Mask - flow mask
SA - SA to be used by this policy
---------------------------------------------------------------
===================
flow :< src: 121.255.0.0 sport:any >
< dst: 128.255.0.0 dport:any proto:any >
mask :< src: 255.255.0.0 sport: 0 >
< dst: 255.255.0.0 dport: 0 proto: 0>
SA :< dst: 1.1.1.1 spi: 1001 sproto: 50 >
state:<UP refcount= 0>
router#show ip ip
To display statistics about communication packets:
Statistics for the ipip protocol:

0 total packets
0 total input packets
0 input packets drop by no buf
0 packets drop for error ip ver
0 packets dropped due to ip queue full
0 0 input byte
0 total output packets
0 output packets drop by no buf
0 0 output byte
router#show ip esp
To display statistics about IPsec encrypted packets:
router#sh ip esp
Statistics for the ESP protocol:
0 total packets
0 packet in esp_input() drop by no buf
0 packet drop for no SA
0 packet drop for no equal to SA
0 packet attempted to use an invalid SA
0 packet drop for no XFORM in SA
0 packet drop ip queue full
================ ESP NEW ==============

0 input ESP NEW proto packet
0 packet right
0 packet drop for no buf
0 packet drop for counter wrap
0 packet drop for too old
0 packet drop for replay
0 packet drop for err fill len
0 packet drop for bad packet len
0 packet drop for bad auth
0 packet drop for ssf error
0 input kbytes
0 output ESP NEW packet
0 packet right
0 packet drop for big than ip_MAXPACKET
0 packet drop for wrap
0 output kbytes
The hosts of Network Segment 121 will ping the hosts of Network Segment 128. After this command is finished, the router
statistics will indicate that packets been been encrypted. When the router senses the presence of a WAN line, the next IP
header protocol field is the esp protocol. The IP data packets passing through the system will be protected from outside
intrusion.
router#show ip ip
Statistics for the IPIP protocol:

8 total packets
4 total input packets
0 input packets drop by no buf
0 packets drop for error ip ver
0 packets dropped due to ip queue full
0 240 input byte
4 total output packets
0 output packets drop by no buf
0 240 output byte
router#sh ip esp
Statistics for the ESP protocol:

8 total packets
0 packet in esp_input() drop by no buf
0 packet drop for no SA
0 packet drop for no equal to SA
0 packet attempted to use an invalid SA
0 packet drop for no XFORM in SA
0 packet drop ip queue full
================ ESP NEW ==============

4 input ESP NEW proto packet
0 packet right
0 packet drop for counter wrap
0 packet drop for too old
0 packet drop for replay
0 packet drop for err fill len
0 packet drop for bad packet len
0 packet drop for bad auth
0 input kbytes
4 output ESP NEW packet
0 packet right
0 packet drop for big than ip_MAXPACKET
0 packet drop for wrap
0 output Kbytes
Use the same commands on router B to examine its configuration.
Router B Configuration:
Command Task
router>en
router#conf n
router(config)#int f0
router(config-if-fastethernet0)#ip addr 128.255.255.161
255.255.0.0
router(config-if-fastethernet0)#exit
router(config-if-serial2)#ip addr 1.1.1.1 255.255.255.255
router(config-if-serial2)#phy asyn
router(config-if-serial2)#clo rate 64000
router(config)#acc 1001 per ip 128.255.255.161 Configures an access list
0.0.255.255 121.255.255.162 0.0.255.255
router(config)#cry ip tr test esp-des esp-md5- Configures how to protect the dataflow
hmac securely.
router(cfg-crypto-trans)#mo tu Designates the tunnel mode that will be
used.
router(config)#cry map map1 1 IPsec-m Configures the encryption map.
router(cfg-crypto-map)#set peer 1.1.1.2 Designates the other end address of the
tunnel.
router(cfg-crypto-map)#set tr test Designates the transformation set that
will be used.
router(cfg-crypto-map)#match ad 1001 Designates the encryption access list.
router(cfg-crypto-map)#set ses i esp 1001 c
1234567812345678 a
12345678901234567890123456789012
router(cfg-crypto-map)#set ses o esp 1001 c 1234567812345678 a
1234567890123456789012345678901234 Sets the key and Security Parameter
Index (SPI).
router(cfg-crypto-map)#exit
router(config-if-serial2)#cry map map1 Applies the interface configuration, and
the operation will specifies the local end
address of the tunnel.
router#cle cry sa Makes the configuration effective.
router(config)#ip route 0.0.0.0 0.0.0.0 s2 Configures the default routing.
11. 6 Encryption Module Usage

Features
Encryption Module Application
11.6.1 Features
High speed hardware encryption that is much faster than software encryption such as DES and 3DES etc.
128 bit encryption algorithms that allows for a high level of security index.
Hardware encryption that works without using up valuable CPU resources.
Applied IPsec and IKE that providing the esp-ssp02 encryption algorithm.
11.6.2 Encryption Module Application
The Maipu ENCRYPT hardware encryption module is installed in the security router’s interior bus socket. which is invisible
from the outside or by the outside card in slot and so can provide the esp-ssp02 encryption algorithm, genius hardware
pseudo-random number and read/write interface used by Smart card, and can be used for IPsec and IKE to realize hardware
encryption
1) Internet Protocol Security (IPsec) Encryption Mechanism Application
Command Description
router(config)#crypto IPsec transform-set After the encryption module has been installed, the
transform-set-name esp-ssp02 esp-ssp02 algorithm in IPsec configuration can be
applied when the transformation set is configured.
This method is similar to the one described in Section
5.
2) Internet Key Exchange (IKE) Encryption Mechanism Application
Command Description
router(config-isakmp)# encryption ssp02 After the encryption module has been installed, the
IKE encryption algorithms in IISAKMP policies
configuration mode can be specified as esp-ssp02
encryption algorithms when the IKE policy is
created.
This method is very similar to the method described

in Section 7.
11.7 Configuring IKE

Configuring IKE
Monitor And Debugging IKE
Configuration Examples
11.7.1 Configuring IKE
A. IKE Switch
B. Create IKE Policies
C. Configure RSA Key Manually (Optional)
D. Configure The Shared Key In Advance (Optional)
E. Clear IKE Connection (Optional)
F. Configure IKE Aggressive Mode (Optional)
G. Configure IKE Autobuilding Tunnel for IPsec (Optional)
IKE Switch and Mode Choice

Command Description
router(config)#crypto isakmp enable Opens default mode.
router(config)#no crypto isakmp enable Closes default
Note:
1. If a terminal closes IKE, then all IPsec terminals must close IKE.
2. When IKE is closed all operations, IKE remains invalid until it is opened once more.
When IKE is closed, IPsec only has manual configuration functions and doesn’t support key lifetime and anti-replay
functions. IKE uses UDP port 500 or port 4500 (in NAT-Traversal) to assure that communications won’t be blocked in the
IKE and IPsec interfaces.
Create IKE Policies
IKE policies describes which security parameters are applied to protect subsequent IKE negotiation. Each terminal’s
security association (SA) will identify the security parameters after both terminals agree on a policy. The SA is applied to
the subsequent IKE communication during negoiation.
Each IKE policy has the following parameters:
Encryption algorithm
Hash algorithm
Authenticating method
Diffie-Hellman groupware identification
Lifetime of IKE security association
The following commands are executed as the following steps to configure security policy:
Step One: Enter ISAKMP policy configuration (config-isakmp) mode commands in global configuration mode.
Command Description
router(config)#crypto isakmp policy priority Priority: 1—9999
IKE policy identity: Default10000 is the least.
router(config)#no crypto isakmp policy Cancels an IKE policy.
[priority]
Example:
Command Task
router(config)# crypto isa po 123 Creates an IKE policy with the priority 123 and enters
config-isakmp configuration mode.
Step Two: Designate IKE encryption methods in ISAKMP policy configuration mode.
Command Description
router(config-isakmp )# encryption Des: Designates use of the encryption algorithm des.
des|3des|blowfish|ssp02 3des: Designates use of the encryption algorithm
3des.
Blowfish: Designate use of the encryption algorithm
blowfish.
ssp02: Designates use of the encryption algorithm
ssp02 (using a hardware encryption module).
router(config-isakmp)# no encryption Renews the IKE encryption algorithm back to the
default algorithm (des).
Example:
Command Task
router(config-isakmp)# encry 3des Designates use of the encryption algorithm 3des in
the policy.
router(config-isakmp)#no encry Designates use of the default encryption algorithm
des in the policy.
Step Three: Designate IKE authentication method in ISAKMP policy configuration mode:
Command Description
router(config-isakmp)# authentication{rsa- rsa-sig: Designates RSA signature
sig|pre-shared} authentication to be used.
pre-shared: Designates the pre-shared key
authentication to be used.
router(config-isakmp)#no authentication Designate the use of a default authentication
method pre-shared key.
Example:
Command Task
router(config-isakmp)#authen rsa-sig Designates the RSA signature authentication method
to be used in the policy.
router(config-isakmp)#no authe Designates the default pre-shared key authentication
method to be used in the policy.
Step Four: Designate IKE hash method in ISAKMP policy configuration mode:
Command Description
router(config-is)#hash sha|md5|rmd160 Sha: Designates use of the hash algorithm sha.
md5: Designates use of the hash algorithm md5.
rmd160: Designates use of the hash algorithm rmd160.
router(config-isakmp)#no hash Renews the hash method to the default algorithm SHA
Example:
Command Task
router(config-isakmp)#hash md5 Designates the hash algorithm md5 to be used in
the policy.
router(config-isakmp)#no hash Designates the hash algorithm SHA to be used in the
policy.
Step Five: Designates the Diffie-Hellman groupware used by IKE in the ISAKMP policy configuration mode:
Command Description
router(config-isakmp)#group 1|2|5 1 Designates the 768-bit Diffie-Hellman groupware
to be used.
2 Designates the 1024-bit Diffie-Hellman groupware
to be used.
3 Designates the 1536-bit Diffie-Hellman groupware
to be used.
router(config-isakmp)#no group Resumes to the default 1–768 bit Diffie-Hellman
groupware.
Example:
Command Task
router(config-isakmp)#group 2 Designates the 1024-bit Diffie-Hellman groupware
to be used.
Step Six: Designates the IKESA lifetime in seconds in ISAKMP policy configuration mode”
Command Description
router(config-isakMP)#lifetime seconds Seconds
router(config-isakMP)#no lifetime Renews the lifetime to the default time: 86,400
seconds.
Note:
1. When IKE begins to negotiate, the first thing you should do is agree on the consistent parameters to be set for each
session. The SA on each terminal will refer to these parameters, and each terminal will reserve SA until its lifetime
expires. Before SA expires, the parameters can be reused by the subsequent IKE negotiation. This can save some
time when a new IPsec SA is set. Some of these parameters are negotiated before the SA expires.
2. When the local terminal begins to negotiate with the remote terminal, whichever terminal’s lifetime is the shortest
will be the one selected by the system.
Step seven: Return to global configuration mode:

Command Description
router(config-isakmp)#exit Returns you to global configuration mode.
C. Configure RSA Key Manually Based On IKE Parameters
1. Setting ISAKMP identity

Command Description
router(config)#crypto isakmp identity {address hostname: ip address/host name
|hostname }
router(config)#no crypto isakmp identity Cancels ISAKMP identity.
Note:
1.When only one IP address exists, it’s used as the ISAKMP identity. When many interfaces are used to negotiate
IKE and the IP address is unknown, the hostname should be applied.
2. When the RSA key mode is configured manually for IKE negotiation, you should use the command crypto
isakmp rsa-sig-cert no-optional to keep it effective.
Example:
Command Task
router(config)#crypto isa identi host Defaults the ISAKMP identity of the local host as the
hostname router.
router(config)#ip host hostname address1 [address2 Configures all remote terminals, if the ISAKMP
… address8] identity is the hostname, then the terminal hostname is
mapped to the IP address on all remote terminals.
router(config)#no ip host hostname address Cancels the mapping.
[address1 address2 … address8]
If myrouter and yourrouter are a pair of terminals, then use the above commands on myrouter to configure ISAKMP
identity. At the same time, the remote hostname and address mapping need to be configured on yourrouter.
Command Task
router(config)#ip host yourrouter.domain.com Specifies IP addresses.
121.255.254.202 2.2.2.3
router(config)#no ip host yourrouter 121.255.254.202 Removes 121.255.254.202 from the address mapping.
If an IP address isn’t specified, all host addresses will
be deleted.
2. Configure the RSA public-key exponent

Command Description
router(config)#crypto key public-exponent The RSA key index can be specified before the RSA
{3|17|65537} public key is generated. It can be 3,17 or 65537.
The default is 65537.
The router and its peer can use different public key
exponents. The new public-key exponent won’t go
into effect until the new RSA key is generated again.
Public-key exponents of two ends can be different.
3. Generate RSA key.

Command Description
router(config)#crypto generate rsa [usage-keys] Usage keys.
Designates the RSA signature key to be generated,

not the common key pair.
Default mode: the RSA key doesn’t exist. A
common key pair is generated when there are no
usage-keys. (Note: Only the RSA signature pairs will
be generated at the present time.)
Note:
1. Ensure the router’s host name or IP domain name has been configured.
2. If the RSA key exists, the new key will substitute the existing key that has the same name.
3. If a common purpose key needs to be generated, a pair of RSA keys will also be generated. These RSA keys will be
used together with the IKE policy to designate the RSA signature.
4. The size of the key modules must be set when the RSA key is generated. Its size should be not less than 512 bits.
5. The command can be used to generate the public key pair. The private key pair will remain invisible.
Example:
router(config)# cry key ger rsa us
The name for the keys will be: lincx
Choose the size of the key modulus in the range of 512 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus(Ctrl+E to exit)[512]?
Generating RSA key (modulous is 512 bits)................................................................. Done.
# RSA 512 bits, myrouter.domain.com, THU JAN 01 00:02:08 2001
# RFC2537 format RSA Pubkey:
010368a9 73f587e9 8a8487ce a6fb676f b5ae6889 ed840cac c6e6104c 7c180e52
90d42e0b f787a7ef 83cf b1b0 6c2eef49 c1392ec9 85b989e5 8ed61a8 bdc3468e
21520798 55
Note: Each of the eight numbers are displayed in a segment for reading ease. The blank character is invalid.
4. Delete all RSA keys
Command Description
router(config)#crypto key zeroize rsa Permanently deletes all local RSA keys.
5. Designate the RSA public keys for all the other terminals
Step One: If the RSA public key is used, then all remote-end RSA public keys must be configured locally:
Command Description
router(config)#crypto key pubkey-chain rsa Enters config-pubkey-chain mode
Step Two: Enter config-pubkey-key mode:

router(config-pubkey-chain)#[no][ named-key][ addressed-key] key-address [encryption|signature]
Syntax Description
Key-name Designates the RSA’s remote terminal key name. It is
always the remote terminal’s whole valid domain
name.
Key-address Designates the IP address of remote terminal’s RSA
key.
Encryption Designates the encryption key when no keys are
used.
signature Designates the signature key when no keys are used.
If the IPsec remote terminal generates the signature
key, the signature key is used with the command and
its key-string.
If the IPsec remote terminal generates the encryption
key, the encryption key is used with the command
and its key-string.
If the named-key command is used, then the public

key configuring command address is used to
designate the terminal’s IP address.
Example:
Command Task
router(config-pubkey-chain)#named-key
yourrouter.domain.com sig
Step three: If the whole valid domain name is used in the second step to name the remote terminal (the command named-
key), then you can specify its IP address. The command can be used when only one router interface processes IPsec.
Example:
Command Task
router(config-pubkey-key)#address 192.68.66.65
Step four: Start to input the encryption key-string data after the command key-string is executed in config-pubkey-key
mode:
Designate the remote terminal’s RSA public key. The key can be seen when the remote terminal’s manager generates the
router’s previous RSA key.
Command Description
router(config-pubkey-key)#key-string [help] Input the key in hexidecimal form. While inputting
this, the keyboard’s CTRL key can be pressed to
input data continuously. Before the command is
used, the command addressed-key or named-key
must be used to identify the remote terminal.
Use the help function to display information about
public key operation.
Step Five: Quit (or Ctrl+E)

When the public key is inputted, press Ctrl+e – or input enter and then quit – to end the public key tasks and return to the
config-pubkey-key mode.
Step Six: Return to global configuration mode.

Command Description
router(config-pubkey-key)#exit Returns to global configuration mode
6. Delete all RSA public keys.
In the public key configuration mode, the command no key-name or no key-address can be used to delete the terminal
peer’s public key. The following command can also be used to delete all public keys:
Command Description
router(config)#crypto pubkey-chain zeroize Clears all RSA public keys at the opposed end when
your terminal doesn’t have a key.
Note: The command only clears the public key information in memory. You can’t alter the information in the configuration
file without rewriting it.
D. Configure A Pre-Shared Key
If the authentication method specified in the IKE policy is a pre-shared key, then the pre-shared key must be configured.
Before the pre-shared key is configured, the ISAKMP identity of each terminal must be first setup.
Use the following commands to configure the pre-shared key in global configuration mode:
Command Description
router(config)#crypto isakmp key keystring Keystring: the pre-shared key
address peer-address peer-address: IP address of the remote terminal
router(config)#crypto isakmp key keystring peer-hostname: the remote terminal’s host name
hostname peer-hostname keystring: designates the pre-shared key. It can be
any combination of numbers and characters.
router(config)#no crypto isakmp key address Cancels the pre-shared key
peer-address
router(config)#no crypto isakmp key Cancels the pre-shared key
hostname peer-hostname
Note:
1. No matter where a pre-shared key is specified in IKE policy, that key must be configured.
2. You must know the identity of the key you wish to configure. You can find out by inputting crypto ISAKMP
identity.
3. You must configure the pre-shared key on both terminals at the same time.
4. If the ISAKMP IP address has been set in the remote terminal, then the address key is used.
5. If the ISAKMP host has been set in the remote terminal, then the hostname key is used.
When the hostname key word is used, the remote terminal’s hostname can also be mapped to all of its IP address interfaces
that may be used in the IKE negotiation. (The command ip-host completes this function.) You must do this mapping,
unless the hostname has been already been mapped to the IP address on the DNS server.
Example:
Command Task
router(config)#cryp isa key
123456789abcdefghijdlm hostname
yourrouter.domain.com
E. Clear IKE Connection

Command Description
router#clear crypto isakmp [connection-id] connection-id: Clears the link. When optional
parameters aren’t used, all IKE links will be deleted.
F. Configure IKE Aggressive Mode
According to the factual need in application you can configure Aggressive Mode as the negotiation mode in the first phase of
IKE negotiation and it is normally set as Main Mode.
Use the following command in the global configuration mode to specify the peer adopting the Aggressive Mode:
Command Description
router(config)#crypto isakmp peer ip-address Ipaddress: the IP address of the peer adopting
ipaddress the Aggressive Mode.
Use the following command in global configuration mode to specify the peer adopting not the Aggressive Mode but Main
Mode:
Command Description
router(config)#no crypto isakmp peer ip-address Ipaddress: the IP address of the peer adopting
ipaddress not the Aggressive Mode but Main Mode.
Note:
This configuration has effect on only one peer only when it will initiate the first phase IKE negotiation to the other end,
but it is not effective when accept the negotiation request from the remote.
G. Configure IKE Autobuilding Tunnel for IPsec

According to the factual need you can set whether the IKE auto-negotiation is enabled or not. After it is enabled and effective,
adopt the IKE to manage all encryption map sets of the key and immediately notify IKE of starting to auto-negotiate and
generate an IPsec security alliance, instead of using the data flow to trigger the negotiation.
Command Description
router(config)#crypto ike auto-build Adding the keyword no before the command
represents the configuration will be canceled.
Note:
The configuration takes effect globally, that is to say that it is valid for all ipsec-isakmp encryption map sets that
have applied to interfaces and have been configured completely. Howerver, the configuration takes no effect on a dynamic
encryption map set and an encryption map item (a template item) to which the dnynamic encryption set is mapped
11.7.2 Monitoring And Debugging IKE
1. Monitoring IKE
The following series of commands can be executed to display relative IKE data in EXEC mode.
1. To display the ISAKMP policy:
Command Description
router#show crypto isakmp policy Priority: Priority level
[priority] Displayed contents include: priority, encryption
algorithm, hash algorithm, authentication mode,
Diffie-Hellman group and lifetime.
2. To display the IKE SA information

router#show crypto isakmp sa
Command Description
<Number> sa-id: Displays detailed information of the specified
SA.
phase1 Displays first stage SA information
Quick
3. To display the local public key

Command Description
router#show crypto key mypubkey rsa Displays the router’s RSA public key
Displayed contents include: generation time,
name, purpose (signature, encryption) and key.
4. To display the local public key exponent

Command Description
router#show crypto key public-exponent
5. To display the host’s corresponding public key

Command Description
router#show crypto key pubkey-chain Displays the router terminal’s RSA public key. The
rsa[name key-name | address key-address] key includes the RSA public key configured manually
on the router.
Use the name or address keys to store detailed RSA
router information.
The displayed contents include: generation manner
(manual), purpose (signature, common), IP address
and name.
When these key words (name or address) are used,
the displayed contents are: name, IP address, purpose,
generation manner and keys.
6. To display the local ISAKMP identity, plus the remote host’s ISAKMP identity and address map:
Command Description
router#show crypto isakmp identity local|remote Local: Displays the ISAKMP identity of the local
host.
Remote: Displays the ISAKMP identity and address
map list of the remote-end host.
7. To display the IKE connection

Command Description
router#show isakmp connection
8. To display the information about the identity of the peer adopting the IKE Aggressive Mode.
Command Description
router#show crypto isakmp peer
2. IKE Debugging
1. Use the following debugging commands to observe IKE procedure information in EXEC mode:
router#[no] debug crypto isakmp {normal|packet|serious}
Syntax Description
Normal Displays the procedure information. The default
status is ‘close’.
Packet Displays the information of the message. The default
status is ‘close’.
Serious When system errors occur, error information is
presented here. The default status is open.
No Closes the debugging data display
2. Use the following command to activate the IKE send negotiation in EXEC mode:
router#debug init ike connection-id {pending|phase1}
Syntax Description
connection-id Designates the IKE send negotiation connection
number. This number can be seen through the
command show crypto isakmp connection.
pending Designates an entire IKE negotiation and builds IPsec
SA.
phase1 Designates that the first stage of IKE negotiation
should be finished.
11.7.3 Configuration Examples
128.255.0.0 Network segment 121.255.0.0 Network segment
Router A Router B
Security
tunnel s
128.255.254.201 f0 s2 2 f0 121.255.254.202
2.2.2.2 2.2.2.3
Notes About The Preceeding Diagram:

1. Router A connects with Network Segment 128 through Ethernet port f0. The IP address of f0 is 128.255.254.201.
2. Router B connects with Network Segment 121 through Ethernet port f0. The IP address of f0 is 121.255.254.202.
3. Router A connects with B through WAN port s2 via PPP encapsulation, synchronization and 64,000 clock rate.
The S2 address of Router A is 2.2.2.2 and the S2 address of Router B is 2.2.2.3.
4. Protects the WAN segmant data by encryption.
The corresponding IPsec configuration must be performed in order for IKE to be used. For the purposes of illustrating the
preceding example, suppose the corresponding configuration hadn’t been performed. Router A would have to be configured
first.
Router A:
Command Task
IPsec Configuration:
Configure an encryption transform set:
routera(config)#cr ips tr t0 esp-3des ah-sha-hmac
routera(cfg-crypto-trans)#ex
routera(config)#cr ips tr t1 esp-des esp-md5-hmac
routera(cfg-crypto-trans)#ex
Configure an access list:
routera(config)#acc 1001 permit ip 128.255.0.0
0.0.255.255 121.255.0.0 0.0.255.255
Configure the encryption map:
routera(config)#cr map map1 1 IPsec-i
routera(cfg-crypto-map)#set tr t0 t1
routera(cfg-crypto-map)#set peer 2.2.2.3
routera(cfg-crypto-map)#match addr 1001
routera(cfg-crypto-map)#set pfs group2
routera(cfg-crypto-map)#set secur life sec 2000
routera(cfg-crypto-map)#set secur life kilo 3800000
Apply the encryption map:
routera(config)#int s2
routera(config-if-serial2)#ip addr 2.2.2.2 255.255.0.0
routera(config-if-serial2)#encap ppp
routera(config-if-serial2)#phy syn
routera(config-if-serial2)#clock rate 64000
routera(config-if-serial2)#no ip route-c
routera(config-if-serial2)#cr map map1
routera(config-if-serial2)#ex
IKE Configuration:
Configure IKE security policy:
routera(config)#cr isa pol 100
routera(config-isakmp)#auth rsa-sig
routera(config-isakmp)#enc 3des
routera(config-isakmp)#hash md5
routera(config-isakmp)#group 2
routera(config-isakmp)#life 4000
routera(config-isakmp)#ex
Configure ISAKMP identity, hostname and address
mapping:
routera(config)#cr isa id host R-A The local ISAKMP identity is R-A, and it is
independent of the hostname configured by the
hostname command in global configuration
mode.
routera(config)#ip host R-B 2.2.2.3 121.255.254.202 Configures ISAKMP identity with the remote-
end’s corresponding IP address of R-B.
Because the authentication method rsa-sig has
been configured in the policy, the RSA signature
pair must be generated on the local host. If
pre-shared has been adopted, then the following
operation to generate and configure the remote
terminal’s key needn’t be performed, but the
pre-shared key must be configured.
Generate RSA signature key: Generats the RSA public key
routera(config)#cr key gen rsa
The name for the keys will be: R-A
Choose the size of the key modulus in the
range of 512 to 2,048 for your Signature Keys.
Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus [512]?
Generating RSA key (modulous is 512
bits)............ Done.
# RSA 512 bits, R-A, FRI MAY 25 00:10:28 2001
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00
c75ac94b 6750dc3e 80b3e27b
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00
c75ac94b 6750dc3e 80b3e27b
123abcd1 34
routera(config)#cr key pub rsa Configures the remote-end public key that is
routera(cfg-pubkey-chain)#named R-B generated from R-B.
routera(cfg-pubkey-key)#key-str
Input public key (Ctrl+E to exit):
010358e7 99f1a220 574aea3e f6d99e7f 355d7210
ec027aab 81b7bb1b 480aed6e
1c39f8de 7e4d8031 9978442f 3db86a53 c6da6046
f43a2950 8ce131ff 61a23eaf
f6571234 22
ê
routera(cfg-pubkey-key)#ex
routera(cfg-pubkey-chain)#ex
If the pre-shared key in IKE policy is the

authentication method, then the signature key
needn’t be generated and the remote-end public
key needn’t be configured. The pre-shared key
needs be configured, though.
routera(config)#cr isa key Configures the pre-shared key shared with R-B.
123456781234567812345678 hostn R-B
Configure routing: (Optional)
reoutera(config)#ip route 0.0.0.0 0.0.0.0 s2
Make the configuration take effect:
routera #clear cry sa
Router B:
The similar configuring procedure is performed on Router B:
Command Task
routerb(config)#cr ips tr t1 esp-3des ah-sha-hmac
routerb(cfg-crypto-trans)#ex
routerb(config)#cr ips tr t2 esp-des esp-md5-hmac
routerb(cfg-crypto-trans)#ex
routerb(config)#acc 1001 permit ip 121.255.0.0 0.0.255.255

128.255.0.0 0.0.255.255
routerb(config)#cr map map2 1 IPsec-i

routerb(cfg-crypto-map)#set tr t1 t2
routerb(cfg-crypto-map)#set peer 2.2.2.2
routerb(cfg-crypto-map)#match addr 1001
routerb(cfg-crypto-map)#set pfs group2
routerb(cfg-crypto-map)#set security life sec 2000
routerb(cfg-crypto-map)#set security life kilo 3800000
routerb(cfg-crypto-map)#ex
routerb(config)#int s2
routerb(config-if-serial2)#ip addr 2.2.2.3 255.255.0.0
routerb(config-if-serial2)#encap ppp
routerb(config-if-serial2)#phy syn
routerb(config-if-serial2)#no ip route-c
routerb(config-if-serial2)#cr map map2
routerb(config-if-serial2)#ex
routerb(config)#cr isa po 100
routerb(config-isakmp)#auth rsa-sig
routerb(config-isakmp)#enc 3des
routerb(config-isakmp)#hash md5
routerb(config-isakmp)#group 2
routerb(config-isakmp)#lifet 4000
routerb(config-isakmp)#ex
router(config)#cr is id host R-B
router(config)#cr k g r
The name for the keys will be: R-B

Choose the size of the key modulus in the range of 512
to 2,048 for your Signature Keys.
Choosing a key modulus greater than 512 may take a
few minutes.
How many bits in the modulus [512]?
Generating RSA key (modulous is 512 bits)
........... Done.
# RSA 512 bits, R-B, FRI MAY 25 00:18:00 2001
010358e7 99f1a220 574aea3e f6d99e7f 355d7210 ec027aab
81b7bb1b 480aed6e
1c39f8de 7e4d8031 9978442f 3db86a53 c6da6046 f43a2950
8ce131ff 61a23eaf
f6571234 22
routerb(config)#cr key pub rsa
routerb(cfg-pubkey-chain)#named R-A
routerb(cfg-pubkey-key)#key
Input public key (Ctrl+E to exit):
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b
6750dc3e 80b3e27b
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b
6750dc3e 80b3e27b
123abcd1 34
ê
routerb(cfg-pubkey-key)#ex
routerb(cfg-pubkey-chain)#ex
If the pre-shared key for the

authentication method has been specified
in the policy, then configure the pre-
shared key.
routerb(config)#cr isa key 123456781234567812345678 host R-
A
routerb(config)#ip route 0.0.0.0 0.0.0.0 s2
routerb#clear cr sa
Note:
1. If the RSA signature authentication method is chosen, then the RSA public key must be configured with each other.
2. You can now perform communication to make IKE work. There two kinds of methods you can use to test this:
You can ping messages from one Ethernet segment to another Ethernet segment. This will activate IKE to start
negotiation and build an IPsec SA.
The debug init ike 1 pend command can also be used in EXE mode to make IKE start negotiation.
The display command is used to show the following information:
Examining IKE policy

routera#sh cr isa po
Protection suite priority 100
encryption algorithm: 3DES - Treble Data Encryption Standard
hash algorithm: MD5 - Message Digital 5
authentication method: RSA Signature - Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bits Diffie-Hellman group)
lifetime: 4000 seconds
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: SHA - Secure Hash Standard
authentication method: Pre-shared key
Diffie-Hellman group: #1 (768 bits Diffie-Hellman group)
lifetime: 86400 seconds
Examining IKE SA
routera#sh cr isa sa
localaddr peeraddr state sa-id
2.2.2.2 2.2.2.3 OAK_QM_IDLE : MAIN_R3 1
Examining IPsec SA
routera#sh cr ips sa
================ Security Association Information ================
Interface: serial2
Crypto map tag: map1, entry seq-num: 1 , local addr: 2.2.2.2
Local ident(addr/mask):(2.2.2.2/255.255.255.255)
Remote ident(addr/mask):(2.2.2.3/255.255.255.255)
local crypto endpt: 2.2.2.2, remote crypto endpt: 2.2.2.3
inbound esp sas:
spi:0X71ac1d29 (1907105065)
transform: esp-3des,
Current input 31680 bytes
Replay detection support: Y
outbound esp sas:
spi:0X18eb1a47 (418060871)
transform: esp-3des,
group sa's SPI: 0X18eb1a48 (418060872)
sa timing: remaining key lifetime(k/sec):(3799969/1902)
Current output 31680 bytes
Permitted flows:
Flow:Protocol: any
Source addr: 128.255.0.0/255.255.0.0
Sport: any
Dport: any
inbound ah sas:
spi:0X71ac1d28 (1907105064)
transform: ah-sha-hmac
in use settings = {Transport}
Current input 32160 bytes
outbound ah sas:
spi:0X18eb1a48 (418060872)
transform: ah-sha-hmac
in use settings = {Transport}
group sa's SPI: 0X18eb1a47 (418060871)
Current output 32160 bytes
Examining RSA local terminal public key

routera#sh cr key mypu rsa
Key name: R-A
Usage: RSA Signature Key
Key Data:(0x):
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b 6750dc3e 80b3e27b
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b 6750dc3e 80b3e27b
123abcd1 34
Examining RSA remote terminal public key

routera#sh cr key pub rsa
Codes: M - Manually Configured,
C - Extract from certificate
Code Usage ip address Name
M Signature R-B
Examining the detailed RSA public key data of the appointed remote terminal
routera#sh cr key pub rsa name R-B
Key name: R-B
Key address: (null)
Usage: RSA Signature Key
Source: Manual
Data:(0x):
010358e7 99f1a220 574aea3e f6d99e7f 355d7210 ec027aab 81b7bb1b 480aed6e
1c39f8de 7e4d8031 9978442f 3db86a53 c6da6046 f43a2950 8ce131ff 61a23eaf
f6571234 22
Examining the local ISAKMP identity

routera#sh cr isa id l
Local ISAKMP identity: R-A
Examining the remote ISAKMP identity

routera#sh cr isa id r
Remote ISAKMP identity: R-B
with addrlist: 2.2.2.3 121.255.254.202
11. 8 Configure Virtual Private Dial-up Network (VPDN)

This section mainly describes all commands that are necessary to configure virtual private dial-up network (VPDN). Its
primary contents are as follows:
Global VPDN configuration
Special LAC configuration
Special LNC configuration
VPDN tunnel configuration
Virtual template interface configuration
VPN configuration example
VPDN monitoring and debugging
Noticeö
ö
Presently, VPDN only supports PPP dial-up, and the tunneling protocol only supports L2TP.
11.8.1 Global VPDN Configuration

Enable/Disable VPDN
To configure any VPDN, we should enable it firstly. Only after VPDN is enabled, can some commands, which are used to
configure LAC/LNS for L2TP dialin, be employed by users.
vpdn enable
It is very simple to enable VPDN. To enable VPDN, use the following global configuration command:
vpdn enable
£Configuration mode¤ Global configuration
no vpdn enable
Stop using VPDN. To disable VPDN, use the following global configuration command:
no vpdn enable
Create/ Delete a VPDN Group

The VPDN group is a mechanism, permitting us to organize all VPDN commands relative with devices (such as VPDN
etc.) into an independent group. This mechanism can specify whether Maipu router is one of four L2TP (Layer 2 Tunneling
Protocol, L2TP) devices (LAC (L2TP Access Concentrator, LAC) dialin, LAC dial-out, LNS (L2TP Network Server, LNS)
accept-dialin and LNS accept-dial-out). Once the VPDN group is configured as a L2TP device (LAC or LNS), then it can’t
be changed any longer. By means of utilizing multiple VPDN groups, we can make a router become a LAC or LNS.
vpdn-group
Employ the following configuration commands to create a VPDN group:
vpdn-group vpdn-group-number
Syntax Descriptions
vpdn-group-number It is the name of the VPDN group, and
its type is NUMBER.
no vpdn-group
Employ the following configuration commands to delete a specified VPDN group:
no vpdn-group vpdn-group-number
Syntax Descriptions
vpdn-group-number It is the name of the VPDN group, and
its type is NUMBER.
VPDN Configuration Keywords

The purpose of each keyword is to describe the activities executed by L2TP devices. When a user is performing the LAC
dialin, LAC must request the dialin service from LNS and LNS need accept the dialin service. And when a user is performing
the LNS dialout, LNS must request the dialout service from LAC and LAC need accept the dialin service.
Multiple VPDN groups can be used to configure Maipu router so that it can serve as one of four devices (LAC dialin, LAC
dialout, LNS accept-dialin and LNS accept-dial-out).
The following commands can be employed to specify which keyword each L2TP can use and enter the corresponding
device configuration.
Syntax Descriptions
request-dialin Configure VPDN request-dialin.
request-dialout Configure VPDN request-dialout.
accept-dialin Configure VPDN request-dialin group.
accept-dialout Configure VPDN request-dialout group.
£Configuration mode¤ the VPDN group configuration mode
Notice:
Presently, LAC request-dialin and LNS request-dialout have been realized.
11.8.2 Special LAC configuration
Enter the special LAC configuration mode when the VPDN group selects the keyword request-dialin for the L2TP device.
Specify the IP Address of the corresponding LNS

To make LAC find LNS according to VPDN group configuration information, employ the following command to specify
the IP address:
initiate-to ip ip-address
Syntax Descriptions
ip-address It is the IP address of LNS and its type
is regular IP address.
£Configuration mode¤ the LAC request-dialin configuration mode
Identify LAC
To establish a tunnel, LAC and LNS need be identified by each other. According to LAC identification, LNS can find the
corresponding VPDN-GROUP from its configuration and send back its own identification so that LAC can apply the
identification to the command show. For LAC, the identification, which LNS adopts during the course of establishing a
tunnel, isn’t important, but LAC must correctly identified itself, or else, LNS has no way to find the VPDN group related
with LAC.
Employ the following command to configure the identification:
local name lac-host-name
Syntax Descriptions
lac-host-name It is the name LAC uses to identify himself to LNS,
and its type is STRING.
Specify VPDN Protocol for a VPDN Group

After a VPDN-GROUP is created, the VPDN protocol need be specified for it. Presently, L2TP (Lay 2 transport
protocol) is a practical protocol.
Employ the following command to specify the protocol for a VPDN-GROUP:
protocol vpdn-protocol
Syntax Descriptions
vpdn-protocol The VPDN group employs the L2TP protocol.
Presently, only the protocol can be used.
Specify a Method for LAC to Identify L2TP Users

When a user dials in a LAC, LAC needs a method to identify his domain name. The L2TP user can add one domain name
to the username (for example, maipu.com is the domain name of jmj@maipu.com) so that the mapping between the user and
LNS can be established.
domain domain-name
Syntax Descriptions
domain-name It is the domain name employed to relate the user
with LNS, and its type is STRING.
£Configuration mode ¤ the LAC request-dialin configuration mode
11.8.3 Special LNS Configuration

Enter the special LNS configuration mode when the VPDN group selects the keyword accept-dialin for the L2TP device.
Specify the Name to Identify LNS

To establish a tunnel, LAC and LNS need be identified by each other. According to LAC identification, LNS can find the
corresponding VPDN-GROUP from its configuration and send back its own identification so that LAC can apply the
identification to the command show. For LAC, the identification, which LNS adopts during the course of establishing a
tunnel, isn’t important, but LAC must correctly identified itself, or else, LNS has no way to find the VPDN group related
with LAC.
local name lns-host-name
lns-host-name It is the name of LNS provides to LAC, and its type
is STRING.
£Configuration mode ¤the LNS accept-dialin configuration mode.
Specify the Name to identify LAC:
When LAC need establish a LNS tunnel, LAC sends its identification to LNS, then, LNS finds the corresponding VPDN
group to perform the identification.
Employ the following command to configure the identification of LAC:
terminate-from hostname lac-host-name
lac-host-name It is the name of LAC provides to LNS, and its type
is STRING.
£Configuration mode ¤ the LNS accept-dialin configuration mode
Specify the Virtual Template Interface
TO stop the existing L2TP session, there must be an interface to stop the session.
In fact, a L2TP packet is a PPP packet with an additional data header. Once the header is removed, the PPP packet can
work. To make the PPP packet take effective, a virtual access interface that can understand the data of PPP packet head is
dynamically established by a virtual template interface specified in VPDN-GROUP. Once a virtual template interface is
specified, the virtual access interface should be generated and configured correctly so that it can understand the data of PPP
packet.
Employ the following command to specify which virtual template interface in VPDN-GROUP is used to create a virtual
access interface in VPDN-GROUP during the course of session establishment:
virtual-template virtual-template-number
virtual-template-number Specify the virtual template number that is used during
the course of session establishment, and its range is from <1-
25>.
Specify the VPDN Protocol in a VPDN Group

After a VPDN-GROUP is created, the VPDN protocol to be used can be configured. Presently, only L2TP (Layer 2
Tunneling protocol) is the practical protocol that has been realized.
Employ the following command:

protocol vpdn-protocol
vpdn-protocol The VPDN group employs the L2TP protocol. Presently,
only the protocol can be used.
11.8.4 Configure VPDN Tunnel

Specify the Share Password of Tunnel
To establish a tunnel successfully, LAC and LNS must employ the share password to identify each other. The share
password is configured in the corresponding VPDN-GROUP. You can employ the following VPDN-GROUP configuration
command to configure the share password that is employed during the course of identifying the tunnel.
Use the following command to specify the share password:
l2tp tunnel password password
password It is the share password of a tunnel, and its type is
STRING.
Specify the receive-window-size of a tunnel

The receive-window-size of a tunnel can be specified through the following command in the VPDN group configuration:
l2tp tunnel receive-window receive-window-size
receive-window-size It is the receive-window-size, and its range is <4-
300>.
11.8.5 Configure the Virtual Template Interface

Once the virtual template interface number is specified on LNS, its corresponding virtual template need be created on LNS
so that the virtual template interface can clone a virtual access interface dynamically during the course of establishing a
tunnel and a session.
A virtual template interface is a logical entity----the configuration of a serial-port, instead of being related with a physical
interface. This logical entity can be dynamically applied on demand. A virtual access interface is a virtual interface, can be
dynamically created and configured.
Creating a Virtual Template Interface

To create a virtual template interface and enter the interface configuration mode, use the following command in the global
configuration mode:
interface virtual-template virtual-template-number
Virtual-template-number It is the virtual template number and its range is <0-
255>.
£Configuration mode¤ the Global configuration mode
Configure Other Relative Properties

A virtual template configuration can be added through PPP configuration commands, such as, encapsulation pppØppp
authentication chap, and so on. The concrete configuration can refer to “WAN Protocol Configuration Manual”.
Besides commands shutdown and dialer, all other commands that can be acceptable for the serial interface can also be used
for the virtual template interface.
£Configuration mode¤ the Interface configuration mode
Noticeö
ö
Be sure to perform the configuration strictly according to the configuration manual.
11.8.6 Example of VPDN Configuration

The example is shown as the following figure:
PPP dial-up
ISP, L2TP LAC L2TP LNS
Figure 10-15
Illustrationöö
Shown as the figure above, the PC dials in LAC through the remote dial-up, and the middle network is between LAC and
LNS.
LAC is configured as follows:
Router(config)# vpdn enable Enable VPDN.
router(config)# vpdn-group 1 Create a VPDN group
router(config-vpdn)#request-dialin Permit the request-dialin of the VPDN
group.
router(config-vpdn-req-in)# protocol l2tp Specify the L2TP protocol for the VPDN
group.
router(config-vpdn-req-in)#domain mp-2.com Specify the domain name to relate a user
with a VPDN group.
router(config-vpdn)#initiate-to ip 192.168.10.2 Specify the IP address of LNS.
router(config-vpdn)# local name r3 Specify the name for LAC to identify itself
on LNS.
router(config-vpdn)# l2tp tunnel password 7 a Specify the share password for
identification.
router(config-if-serial0/0)#physical-layer sync Configure the serial-port as the
synchronous mode.
router(config-if-serial0/0)#encapsulation ppp Encapsulate the protocol.
router(config-if-serial0/0)#ppp authentication pap Configure the interface to employ the PAP
authentication.
router(config-if-serial1/0)#physical-layer async Configure the serial-port as the
asynchronous mode.
router(config-if-serial1/0)#encapsulation ppp Encapsulate the protocol.
router(config-if-serial1/0)#ip address 129.255.14.66 Configure the IP address and subnet mask
255.255.255.0 of the interface s1/0.
router(config-if-serial1/0)#dialer in-band Enable DDR on the interface.
router(config-if-serial1/0)#dialer-group 1 Configure the interface to be subject to
some dialer-group.
router(config-if-serial1/0)# modem outer Use the outer modem.
Configure on LNS as follows:
router(config)# vpdn enable Enable VPDN.
router(config)# vpdn-group 2 Create a VPDN group.
router(config-vpdn)# accept-dialin Permit the accept-dialin of the VPDN
group.
router(config-vpdn-acc-in)# protocol l2tp Specify the L2TP protocol in the VPDN
group.
router(config-vpdn-acc-in)#virtual-template 1 Specify the virtual template interface.
router(config-vpdn)#terminate-from hostname r3 LAC provides the name of LNS.
router(config-vpdn)# local name r2 LNS provides its name to LAC.
router(config-vpdn)# l2tp tunnel password 7 a Specify the share password for
authentication.
router(config)#int virtual-template1 Create a virtual template interface.
router(config-if-virtual-template1)# encapsulation ppp Encapsulate the protocol.
router(config-if-virtual-template1)# ppp authentication pap Adopt the PAP as the authentication
protocol.
router(config-if-virtual-template1)#ip unnumber loopback1 Enable the IP un-number on the interface.
router(config-if-virtual-template1)# peer default ip address Specify the opposite-end IP address of the
pool vpdn-pool interface.
router(config)# user mp-5@mp-2.com password 0 a Configure the username and password for the
dialin user.
router(config)# ip local pool vpdn-pool 172.16.20.10 Configure the address pool.
172.16.20.100
router(config-if-loopback1)# ip address 172.16.20.1 Configure the IP address of L1.
255.255.255.0
router(config-if-serial2/0)#physical-layer sync Configure the serial interface as the
synchronous mode.
router(config-if-serial2/0)#clock rate 9600 Configure the clock.
router(config-if-serial2/0)# encapsulation ppp Encapsulate the protocol.
router(config-if-serial2/0)# ip address 192.168.10.2 Configure the IP address.
255.255.255.0
11.8.7 VPDN Monitoring and Debugging

show vpdn
Display the configuration of Tunnel.
£Command mode¤the privilege user mode.
debug l2tp data
Trace the information related with messages.
no debug l2tp data
debug l2tp event
Trace the sending and receiving of messages.
no debug l2tp event
debug l2tp detail
Trace the relative detail.
no debug l2tp detail
11.9 Configure GRE
GREÔshort for Generic Routing EncapsulationÕ can encapsulate the datagram of some network layer protocols (for
example, IP) so that the encapsulated datagram can be transported over other network layer protocols (for example, IP). GRE
adopts a tunnel technology between protocol layers. Tunnel is a virtual point-point interface that provides one channel over
which the encapsulated datagram can be transported and encapsulates/decapsulates the datagram on both sides of the Tunnel
interface.
Main contents of this section are described as follows:
Relative command to configure GRE;
Example of GRE configuration;
GRE checking and debugging
11.9.1 Relative Commands to Configure GRE

interface tunnel
Use the Description following command to create a virtual Tunnel interface and enter the tunnel configuration mode. The
form no of the command is used to delete a specified tunnel.
interface tunnel tunnel-number
no interface tunnel tunnel-number
Syntax Descriptions
tunnel-number Specify the tunnel-number, and its range is
0-65535.
£Default¤No Tunnel interface is created.
£Command Mode¤the Global configuration mode
tunnel checksum
Configure two sides of the tunnel to perform the checksum verification so as to check the correctness of messages. The
form no of the command is used to disable the checksum checking of the Tunnel interface.
tunnel checksum
no tunnel checksum
£Default¤Perform no checksum verification.
£Command¤the Tunnel interface configuration mode.
Noticeö ö
Different verification can be configured on two sides of the Tunnel interface, which has no effect on its connectivity.
tunnel destination
Configure the IP address of the opposite end of the Tunnel interface. The form no of the command is used to delete the IP
address of the opposite end of the Tunnel interface.
tunnel destination ip-address
no tunnel destination ip-address
Syntax Descriptions
ip-address Specify that the opposite end employs the IP address of the
factual physical port of the Tunnel interface.
£Default¤Specify no IP address of the opposite end of the Tunnel interface.
£Command mode¤the Tunnel interface configuration mode.
Noteö ö
1) Ip-address must be consistent with the physical port of the opposite end and assure the port is reachable.
2) The destination address of local Tunnel interface must keep consistent with the source address of the opposite-end
Tunnel interface.
tunnel key
Specify the identification key-number of the tunnel. And the form no of the command is used to cancel the identification
key of the tunnel.
tunnel key key-number
no tunnel key key-number
Syntax Descriptions
key-number Specify the identification key-number of the tunnel. And its
value range is 0-4294967295.
£Default¤Specify no identification key-number of the tunnel.
£Command mode¤the Tunnel interface configuration mode.
Noteö ö
Key-numbers of both sides of the tunnel must be consistent.
tunnel sequence-datagrams
Configure two sides of the tunnel to verify the sequence-number of datagrams. This configuration can be used to discard
disordered datagrams. The form no of the command is employed to disable the verification of the sequence-number of
datagrams.
tunnel sequence-datagrams
no tunnel sequence-datagrams
£Default¤Don’t verify the sequence-number of datagrams.
£Command Mode¤the Tunnel interface configuration mode.
Noteö ö
Different verification can be configured on the tunnel interface, without any effect on its connectivity.
tunnel source
Configure the local address of the tunnel interface. The form no of the command is used to delete the local port of the
tunnel interface.
tunnel source {ip-address|interface-name}
no tunnel source {ip-address|interface-name}
Syntax Descriptions
ip-address Specify that the local end uses the IP address of the
factual physical port of the tunnel interface.
interface-name Specify that the local end uses the regular name of the
factual physical port of the tunnel interface.
£Default¤Specify no the local port of the tunnel interface.
£Command mode¤the tunnel interface configuration mode.
11.9.2 Example of GRE Configuration

The example is shown as the following figure:
IP
Figure 10-16
Illustrationö ö
Shown as the figure above, two tunnels are established between Router 1 and Router 2 through the IP network so that
different services can use different logical channels.
router(config)# interface fastethernet0 Enter the configuration status of the
port f0.
router(config-if-fastethernet0)#ip address 129.255.20.188 Configure the IP address of the
255.255.255.0 subnet mask of the port f0.
router(config-if-ethernet0)#ip address 129.255.14.66 255.255.255.0 Configure the IP address of the
subnet mask of the port e0.
router(config-if-serial1/0)#physical-layer sync Configure the serial-port as the
synchronous mode.
router(config-if-serial1/0)# clock rate 9600
router(config-if-serial1/0)# encapsulation ppp
router(config-if-serial1/0)# ip address 20.1.1.1 255.255.255.0 Configure the IP address of the
subnet mask of the port s1/0.
router(config-if-serial1/0)# ip address 20.1.2.1 255.255.255.0 Distribute a secondary address to the
secondary s1/0.
router(config-if-serial1/0)#intface tunnel1
router(config-if-tunnel1)# ip address 1.1.1.1 255.255.255.0 Configure the IP address of the
subnet mask of the tunnel1.
router(config-if-tunnel1)#tunnel source 20.1.1.1 The local end uses the IP address of
the factual physical port of the tunnel
interface.
router(config-if-tunnel1)#tunnel destination 30.1.1.2 The opposite end uses the IP address
of the factual physical port of the tunnel
interface.
router(config-if-tunnel1)#ip route peer-address 1.1.1.2 Specify the IP address of opposite
end of the tunnel 1 in the dynamic route.
router(config-if-tunnel1)#intface tunnel2
router(config-if-tunnel2)#ip address 2.1.1.1 255.255.255.0 Configure the IP address of the
subnet mask of the port tunnel2.
router(config-if-tunnel2)# tunnel source 20.1.2.1 The local end uses the IP address of
the factual physical port of the tunnel
interface.
router(config-if-tunnel2)#tunnel destination 30.1.2.2 The opposite end uses the IP address
of the factual physical port of the tunnel
interface.
router(config-if-tunnel2)#ip route peer-address 2.1.1.2 Specify the IP address of opposite
end of the tunnel 2 in the dynamic route.
router(config-ospf)#network 129.255.20.0 0.0.0.255 area 0 Configure the relative dynamic
routing protocol.
router(config-ospf)#network 1.1.1.0 0.0.0.255 area 0
router(config)# ip route 30.1.1.0 255.255.255.0 20.1.1.2 Configure the relative static routing
protocol for the middle channel.
router(config)# ip route.30.1.2.0 255.255.255.0 20.1.2.2
Route2 is configured as follows:
router(config)# interface fastethernet0 Enter the configuration status of the port f0.
router(config-if-fastethernet0)#ip address 192.168.2.254 255.255.255.0 Configure the IP address of the subnet mask of
the port f0.
router(config-if-ethernet0)#ip address 192.168.1.254 255.255.255.0 Configure the IP address of the subnet mask of
the port e0.
router(config-if-serial1/0)# physical-layer sync Configure the serial-port as the synchronous
mode.
router(config-if-serial1/0)# clock rate 9600 Configure the clock
router(config-if-serial1/0)# encapsulation ppp Encapsulate the protocol
router(config-if-serial1/0)# ip address 30.1.1.2 255.255.255.0 Configure the IP address of the subnet mask of
the port s1/0.
router(config-if-serial1/0)# ip address 30.1.2.2 255.255.255.0 secondary Distribute a secondary address to the s1/0.
router(config-if-serial1/0)#intface tunnel1
router(config-if-tunnel1)# ip address 1.1.1.2 255.255.255.0 Configure the IP address of the subnet mask of
the tunnel1.
router(config-if-tunnel1)#tunnel source 30.1.1.2 The local end uses the IP address of the factual
physical port of the tunnel interface.
router(config-if-tunnel1)#tunnel destination 20.1.1.1 The opposite end uses the IP address of the
factual physical port of the tunnel
interface.
router(config-if-tunnel1)#ip route peer-address 1.1.1.1 Specify the IP address of opposite end of the
tunnel 1 in the dynamic route.
router(config-if-tunnel1)#intface tunnel2
router(config-if-tunnel2)#ip address 2.1.1.2 255.255.255.0 Configure the IP address of the subnet mask of
the port tunnel2.
router(config-if-tunnel2)#tunnel source 30.1.2.2 The local end uses the IP address of the factual
physical port of the tunnel interface.
router(config-if-tunnel2)#tunnel destination 20.1.2.1 The opposite-end uses the IP address of the
factual physical port of the tunnel
interface.
router(config-if-tunnel2)#ip route peer-address 2.1.1.1 Specify the IP address of opposite end of the
tunnel 2 in the dynamic route.
router(config-ospf)#network 192.168.1.0 0.0.0.255 area 0 Configure the relative dynamic routing
protocol.
router(config-ospf)# network 2.1.1.0 0.0.0.255 area 1
router(config-ospf)# network 192.168.2.0 0.0.0.255 area 1
router(config)#ip route 20.1.1.0 255.255.255.0 30.1.1.1 Configure the relative static route of the
middle physical line.
router(config)# ip route 20.1.2.0 255.255.255.0 30.1.2.1
Notice:
This is an application of the network isolation. And usually, it can work in with NIA/URA to realize the isolation of user
authentication.
10.9.3 GRE Checking and Debugging
show tunnel-chain
Display all Tunnel configurations.
show tunnel-chain
ûCommand modeüthe privilege user mode.
show gre statistics
Display the gre statistics.
show gre statistics
debug tunnel data
Enable the information debugging switch. The form no of the command is used to disable the tunnel debugging switch.
debug tunnel data
no debug tunnel data
11.10 Configuration of Digital Certificate
In this section, we mainly narrate the terminologies, principles and characteristics of Digital Certificate as well as relative
debugging commands and information.
Main contents are as followsÖ
Terminologies involved in Digital Certificate;
Introduction to Digital Certificate;
Debugging commands and debugging information.
11.10.1 Parsing of Terminologies Relative with Digital Certificate
Asymmetric CryptographyæIn Asymmetric Cryptography systems, there exists a certain relation between cipher key
and decryption key, but they are entirely different, that one of them can be made public and never mind that someone can
calculate or deduce the other. So, the asymmetric key is also called public key.
CertificateæA certificate, as a special form of digital marking sentence, provides a mechanism to confirm the relationship
between public key and entities that hold private key, signed and delivered by the certificate authority (holding other pair of
private key and public key). Generally, a certificate also contains other information relating to subject public key, such as the
identification information of an entity that has the right to use private key. So when a certificate is delivered, the certificate
authority should prove the correctness of the binding between the subject public key and the subject identification
information.
CA----Certification AuthorityæSimply speaking, it is an entity or service that delivers certificates. CA acts as the role of
a guarantor that is bound between the subject public key and the subject identification information that are all included in the
delivered certificate. IKE needs the support from CA Certification Center when negotiating by certificate.
11.10.2 Introduction to digital certificate

Both PKI and digital certificate technology bind the identification of individual or entity with a public key, and certificates
are delivered uniformly by a certification delivery organization to ensure the validity and security of the certificate entity.
In IPSec, the certificate authentication mode adopted by IKE can provide the following benefits:
1) To avoid the complications of manual configuration of IKE pre-share key or RSA key;
2) To increase the security of IKE negotiation;
3) To prevent the security problems as a result of the leak of cipher key through Certificate Revocation List;
4) To achieve the restriction of validity period and prevention of the overdue usage of key;
5) To refresh certificates automatically;
6) To achieve the unified control of trusted domain by certificates;
7) To backup and restore keys;
8) To locate the person responsible easily when leak of key or unauthorized access arises.
11.10.3 Configuration of Certificate

Configure a CA Trusted Point and Set Trust Policy
A CA trusted point represents a set of CA trusted domains, by which one can set local certificate trust policy and
management policies. Every CA trusted point’s configuration parameters and configuration policies include:
1) The URL address of a certificate Server
2) The CRL verification policies
3) The CRL automatic update policies
4) The CRL default update period
5) The time verification policies
A CA trusted point is configured through the following steps:

(1) Use this command, in configuration mode to enter the CA trusted point (ca-identity) mode.
Commands Descriptions
router(config)#crypto ca identity name Enter a CA trusted point configuration; define the trusted
point’s name <name>.
router(config)#no crypto ca identity name Delete a CA trusted point, including all its configurations
and certificates.
(2) Configure the type of certificate server.

router(ca-identity)#ca type [mpcms | ctca | There are three types of CAs, including MPCMS,
windows] CTCA (telecom CA) and Windows and you can
select one according to the type of CA server. The
default type is MPCMS.
(3) Configure the address information of a certificate server (optional configuration) under the CA trusted point
configuration (ca-identity) mode.
router(ca-identity)#enrollment url address Configure the URL address of CA (or RA) Server for
online application and query.
router(ca-identity)#no enrollment url address Delete the URL address of CA (or RA) Server.
(4) Configure certificate revocation verification policy (optional configuration) under the CA trusted point configuration
(ca-identity) mode
router(ca-identity)#revoke check off Loose verification certificate revocation (default).
router(ca-identity)#revoke check on Strict verification certificate revocation.
Noteö ö
1) The option Revoke check represents the policy when verification the certificate validity through CRL.
2) If configured with the loose verification is or adopting the default configuration, then a router accepts the user certificate
of the opposite entity when it can not find the right CRL.
3) If configured with the strict verification and cannot find the right CRL, then the router doesn’t accept the user certificate
of the opposite entity.
4) The default configuration is the loose verification.
(5) Configure the certificate validity period policy (optional) under CA trusted point configuration (ca-identity) mode
router(ca-identity)#time check off Validate the certificate validity period (default).
router(ca-identity)#time check on Do not validate the certificate validity period.
Noteö ö
1) The option time check represents the policy that is employed when CRL verifies the certificate validity.
2) If configured not to verify the certificate period, then the router accepts the user certificate of the opposite entity when it
has no way to get the standard time correctly and fails to adopt the local time to validate the certificate.
3) If configured not to verification verify the certificate period or adopting the default configuration, then the router refuse
to accept the user certificate of the opposite entity when it has no way to get the standard time correctly and fails to adopt the
local time to validate the certificate.
4) If the device clock is inaccurate, and both device clock and CA don’t support time query, it is suggested to enable this
option, otherwise it will cause the failure of certificate verification or the certificate unavailable.
(6) Configure the automatic update policies (optional) under the CA trusted point configuration (ca-identity) mode.
router(ca-identity)#crl autorenew peroid hours Set the CRL automatic update period, and the unit
is hour.
Noteö ö
1) Starting up the CRL automatic update and setting the little update period may enhance the system security, but if CRL is
larger, it may increase system load.
2) The CRL automatic update time represents that even if the next update time specified by CRL doesn’t expire, it will still
try to refresh CRL. And this may avoid the impact of delivering certificate ahead of schedule by CRL when the certificate is
revoked.
3) If the option time optional is already set, then there is no way to confirm the next update time specified by CRL. So it
refreshes CRL by the default automatic update time.
4) The default CRL update cannot be automatically refreshed.
Online Certificate Application

The Maipu device certificate supports both online and offline manners to acquire certificate. You can select one of the
modes according to the CA system; here we describe the online manner to acquire certificate and CRL.
(1) Use this command, under configuration mode, to download and authenticate the CA self-signature certificate
router(config)#crypto ca authenticate name Download and authenticate a root CA certificate of
a certificate trusted point.
For exampleæ
router(config)#crypto ca authenticate mpca Download and authenticate the root
% The Root CA Certificate has the following attributes: CA certificate of certificate trusted
Serial Number: 60090000BE23A33D0100 point mpca.
Subject: CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN Print this CA certificate fingerprint,
Issuer : CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN and require the user to authenticate
Validity it.
Start date: Oct 8 18:28:14 GMT 2002
End date: Oct 8 18:28:14 GMT 2007
Usage: Sign
Fingerprint(md5) :b096fbdd e32a00ff fb612386 80a34e44
Fingerprint(sha1):d618596e 56648262 2727ee6f 97538f9a
e2472acc
% Do you accept this certificate[yes]/[no]:y
% CA Certificate authenticate success.
Noteö ö
1) Before using the online certificate query or application, please configure the URL address of the CA trusted point.
2) The fingerprint of root CA is acquired from the CA center when a user enrolls, or is acquired by other out-of-band
manner.
(2) Use this command, under the configuration mode, to apply for a user certificate on line.
router(config)#crypto ca enroll name Apply to the CA center for a user certificate.
For examplesæ
router(config)#cry ca enroll mpca Apply to the CA trusted point mpca for a user
% Start certificate enrollment .. certificate.
Password: ****
% Request certificate now?[yes]/[no]:y
% User Certificate enroll success.
Input the user password (sometimes you may
input no password according to the demand of
CA,) and
Does the certificate username include IP
address?
Noteö ö
1) Please configure the URL address of the CA trusted point before performing online certificate query and application.
2) When a user applies the user certificate, the CA certificate must have been authenticated and the corresponding key pair
has been generated locally. If double key pairs need be generated, please employ the application signature to encrypt two
certificates.
(3) Get back the user certificate enrolled successfully.
If the administrator does not authorize the application immediately, please contact with the administrator for the certificate.
Use the following command to get back the certificate after the administrator authorizes the application.
router(config)#crypto ca retrive name Get back the certificate in the enrolled-currently
state.
After the enroll command crypto ca enroll name is executed, if the state of local certificate is requesting, it represents that
the certificate is waiting for authorization.
(4) Use this command, under configuration mode, to perform the online CRL update.
router(config)#crypto ca crl request name Perform the online CRL update immediately.
Noteö
ö
1) Please configure the URL address of CA trusted point before using the online certificate query and application.
2) Before a user performs the online application of CRL, the CA certificate must be authenticated firstly and the
corresponding user certificate has been applied.
3) If the system time is incorrect, it may make the CA certificate or the user certificate unavailable. Here, the user can
firstly configure the option time optional of the CA trusted point.
Offline certificate application

The offline certificate application supports two manners: the direct user input (through a standard input device) and the
introduction from the IC card.
(1) Use this command, under the configuration mode, to enter the certificate chain configuration (config-cert-chain) mode.
router(config)#crypto ca certificate chain name Enter the certificate chain configuration mode.
(2) Use this command, under certificate chain configuration mode, to introduce the certificate through the IC card.
router(config-cert-chain)#ic certificate input Introduce the certificate from IC cards.
(3) Use this command, under certificate chain configuration mode, to input the CA certificate from the screen.
router(config-cert-chain)#certificate ca input Introduce the CA certificate from the screen, and
[pem | der] the keywords pem and der represent the format of
the certificate.
For exampleö
router(config-cert-chain)# certificate ca input pem Require inputting or pasting the
% Input the CA certificate data: certificate in pem format (use two
-----BEGIN CERTIFICATE----- continuous carriage returns to end
MIICATCCAaugAwIBAgIKYAkAAL4joz0BADANBgkqhkiG9w the input).
0BAQ
UFADBSMQ4wDAYDVQQDEwVjYTE3NzEMMAoGA1UECx Require the user to authenticate CA,
MDc2VjMQswCQYDVQQKEwJtcDELMAkGA1UECBMCc2Mx as the same of the online application.
CzAJBgNVBAcTAmNkMQswCQYDVQQGEwJDTjAeFw0wMj
EwMDgxODI4MTRaFw0wNzEwMDgxODI4MTRaMFIxDjAMB
gNVBAMTBWNhMTc3MQwwCgYDVQQLEwNzZWMxCzAJB
gNVBAoTAm1wMQswCQYDVQQIEwJzYzELMAkGA1UEBx
MCY2QxCzAJBgNVBAYTAkNOMFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBANtHec+d3wUkoCr3YdYhC2wttVSORSgbqN
DQATt9dRijskQy9wpbVrSHJGgD71CoL794CFQPOxdB/t1bcPm3
zwcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBg
NVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFxZwmjXOtDf
7vnCbOk2uvC8rMyFMB8GA1UdIwQYMBaAFFxZwmjXOtDf7v
nCbOk2uvC8rMyFMA0GCSqGSIb3DQEBBQUAA0EAjGtnVb/Ji
N+IsJsrYX6w5z53GCAZN8xregMQK/6t1qM/s/9JMZE+AQbPkqf
d7um0t3qhc8xGr5aUNMIimpmzRg==
-----END CERTIFICATE-----
% The Root CA Certificate has the following attributes:

Serial Number: 60090000BE23A33D0100
Subject: CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN
Issuer : CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN
Validity
Start date: Oct 8 18:28:14 GMT 2002
End date: Oct 8 18:28:14 GMT 2007
Usage: Sign
Fingerprint(md5) :b096fbdd e32a00ff fb612386 80a34e44

Fingerprint(sha1):d618596e 56648262 2727ee6f 97538f9a
e2472acc
% Do you accept this certificate[yes]/[no]:y
% CA cert import success!
Noteö ö
1) Any mistake in format input or data input can result in no way to introduce.
2) You can use the editor to open the pem format of certificate, paste its contents on the screen, and then introduce it from
the screen.
3) The certificate in der format (binary file purely) can not be pasted directly, it can only be opened by the hex editor and
then be input as ASCII character.
4) Certificates can be converted between PEM format and der format by other tools.
(4)Use this command, under certificate chain configuration mode, to input CRL from the screen
router(config-cert-chain)#crl input [pem | der] Introduce CRL from the screen, and the keywords
pem and der represent its format.
For exampleö
Command descriptions
router(config-cert-chain)#crl input der
30 81 e9 30 81 94 02 01 01 30 0d 06 09 2a 86 48
86 f7 0d 01 01 05 05 00 30 52 31 0e 30 0c 06 03
55 04 03 13 05 63 61 31 37 37 31 0c 30 0a 06 03
55 04 0b 13 03 73 65 63 31 0b 30 09 06 03 55 04
0a 13 02 6d 70 31 0b 30 09 06 03 55 04 08 13 02
73 63 31 0b 30 09 06 03 55 04 07 13 02 63 64 31
0b 30 09 06 03 55 04 06 13 02 43 4e 17 0d 30 32
31 31 31 38 30 33 35 30 31 33 5a 17 0d 30 32 31
31 32 31 30 33 35 30 31 33 5a a0 0e 30 0c 30 0a
06 03 55 1d 14 04 03 02 01 01 30 0d 06 09 2a 86
48 86 f7 0d 01 01 05 05 00 03 41 00 7d 5a 52 28
71 86 e0 3a 88 91 96 87 5e 07 5b 1f c7 db 86 ff
0e a7 35 4a 6f 95 32 48 53 f2 59 c8 bf 2c d1 ac
66 9b 7b d3 d2 d9 3c b2 88 28 88 66 02 61 9d 35
f7 ad bd 7e cf 80 0c 48 dd a3 30 2d
% Input crl success.

Debug Certificate Module
(1) Use this command, under privilege mode, to configure the debugging information switch.
router#debug crypto ca [server | message] Open the certificate debugging switch.
If no keyword is specified, it means turning on all
switches.
The keyword server represents turning on the
certificate service debugging switch.
The keyword message represents turning on the
certificate message debugging switch.
router#no debug crypto ca [server | message] Turn off all certificate debugging switches.
If no keyword is specified, it means turning off all
switches.
The keyword server represents turning off the
certificate service debugging switch.
The keyword message represents turning off the
certificate message debugging switch.
(2) Use this command, under the privilege user mode, to display the information about the CA trusted point configured.
router#show crypto ca identity Display the configuration about CA trusted point.
(3) Use this command, under the privilege user mode, to display the information about the configured certificate.
router#show crypto ca certificates [pem | der] Display the information about the configured
certificate.
The keywords pem and der specify the format of
the certificate. If no keyword is specified, it is
displayed in the general format.
For exampleæ
router# show cry ca certificates pem
CA Certificate: Before here on is the key
Issuer : CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN information about the certificate.
Serial Number: 60090000BE23A33D0100
PEM data:
-----BEGIN CERTIFICATE----- From here on is the certificate data
MIICATCCAaugAwIBAgIKYAkAAL4joz0BADANBgkqhkiG9w in the pem format.
0BAQ
UFADBSMQ4wDAYDVQQDEwVjYTE3NzEMMAoGA1UECx
MDc2VjMQswCQYDVQQKEwJtcDELMAkGA1UECBMCc2Mx
CzAJBgNVBAcTAmNkMQswCQYDVQQGEwJDTjAeFw0wMj
EwMDgxODI4MTRaFw0wNzEwMDgxODI4MTRaMFIxDjAMB
gNVBAMTBWNhMTc3MQwwCgYDVQQLEwNzZWMxCzAJB
gNVBAoTAm1wMQswCQYDVQQIEwJzYzELMAkGA1UEBx
MCY2QxCzAJBgNVBAYTAkNOMFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBANtHec+d3wUkoCr3YdYhC2wttVSORSgbqN
DQATt9dRijskQy9wpbVrSHJGgD71CoL794CFQPOxdB/t1bcPm3
zwcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBg
NVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFxZwmjXOtDf
7vnCbOk2uvC8rMyFMB8GA1UdIwQYMBaAFFxZwmjXOtDf7v
nCbOk2uvC8rMyFMA0GCSqGSIb3DQEBBQUAA0EAjGtnVb/Ji
N+IsJsrYX6w5z53GCAZN8xregMQK/6t1qM/s/9JMZE+AQbPkqf
d7um0t3qhc8xGr5aUNMIimpmzRg==
-----END CERTIFICATE-----
(4) Use this command, under the privilege user mode, to display the CRL information configured.
router#show crypto ca crls [pem | der] Display the CRL information configured.
The keywords pem and der specify the format of
the certificate. If no keyword is specified, it is
displayed in the general format.
11.11 Configuring Login-Secure

This section mainly describes fundamental mechanism, configuration commands and configuration examples of login-secure.
11.11.1 Login-secure Mechanism
The goal of login-secure is to enhance the security of router login. An attacker can, through illegal means (such as exhaustion
algorithm), acquire login username, the corresponding password or enable password, which are configured on a router. Once
the login-secure is added, the illegal login will become very difficult.
The design of login-secure must meet the requirement that infinite attempts to enter username and the corresponding
password is denied when a telnet user is logging in. Login-secure can take effect on the following cases: (1) It is required to
enter username and password when logging in. And the maximal times of attempts to log in are 5 when something is wrong
with username or corresponding password (By default, there are three times of attempts, and the times of attempts can be
changed through related commands). If the user logs in unsuccessfully after 5 times of attempts, the system will record the IP
address of the client and enable a timers. In a period of time (10 minutes by default, can be configured), the user is prohibited
from logging in. (2) Only login password need be entered, and the related procedure is similar to (1). (3) Enter the enable
password and 5 attempts are permitted. If the user enters the password unsuccessfully after 5 attempts, the system will enable
a timer. And in a period of time, the executed enable command is a null command, namely password input is denied. If
exiting the STD mode, the user with the same client address is still prohibited from executing the enable command in the
configured period. If login is also limited, then the login is not allowed.
Additionally, a new encryption algorithm is realized because the previous encryption algorithm is too simple. To
ensure the compatibility with the previous encryption algorithm, two commands are provided. The default
configuration command is no service new-encrypt. The command adopts the previous encryption algorithm. If the
command service new-encrypt is configured, then the new encryption algorithm is adopted.
11.11.2Configuration Commands of Login-secure
1) Configuration commands of new encryption algorithm
service new-encrypt
After the command above is configured, the new encryption algorithm is adopted.
no service new-encrypt
After the command above is configured, the previous encryption algorithm is adopted.
ÏCommand modeÐthe global configuration mode.Ä
Note:
1) If the old version (adopting the previous encryption algorithm) has been upgraded to the new version (adopting
the new encryption algorithm ), the previous encryption algorithm can be compatible because no service new-encrypt
is configured by default.
2) If the new encryption algorithm has been realized and the previous encryption algorithm has been downloaded,
no service new-encrypt must be configured for the system to be compatible with the previous encryption algorithm.
2) Basic Configuration Commands of Login-secure
Enable login-secure
service login-secure
The command above is used to enable the login-secure service.
no service login-secure
e command above is used to disable the login-secure service.
ÏCommand modeÐthe global configuration mode.
Configure Login-secure parameters

login-secure max-try-time [1-20]
Use the command above to set the maximal times of login attempts. The default times of attempts are 5. if logging in
unsuccessfully after 5 attempts, the user is prohibited from executing login or the enable operation.
login-secure forbid-time [10-12400]
Use the command above to set the forbid-time of login. The default time is 10 minutes. After the user is prohibited,
neither login nor enable operation is allowed.
login-secure check-record-interval [30-14400]
Use the command above to set the period of checking and clearing aging records that meet the conditions. The default
period is 240 minutes. To preventing the user from using multiple addresses to log in, which will result in that multiple
records are occupied and other users can not log in successfully, it is necessary to clear the aging records periodically.
login-secure record-aging-time [15-1440]
Use the command above to set the aging-time of a record. The default aging-time is 30 minutes. If an address record is
not upgraded in the period (for example, there exists no attempt to log in or perform the enable operation in the period), then
the address is regarded as aging and will be deleted.
Note:
1) The login-secure service is enabled by default.
2) If the login-secure service is enabled(through executing the command service login-secure), other related
commands of the login-secure can be executed; If the login-secure service is disabled(through executing the command
no service login-secure), the other commands are invisible.
3) Displaying the login-secure information
show login-secure information
Use the command above to display the information about user login, including the following items:
router#show login-secure information
forbidden login address:
client address try-time forbid-time wd-id type number record-time
-------------- -------- ----------- ------ ------ ------ -----------
128.255.1.230 3 00:28:32 0x2ff20c0 enable 0 00:01:30
11.11.3 An Example of Login-Secure Configuration
Configuring Login-secure as follows:
Syntax Descriptions
router(config)#service login-secure Enable the login-secure service.
router(config)#login-secure max-try-time 3 Set the permitted maximal-try-time as 3.
router(config)#login-secure forbid-time 30 Set the login forbid-time as 30 minutes.
The result of configuring login-secure are listed as follows:

The Enable operation over Telnet:
router>en
password:
password:
password
% Bad passwords
router>en
password:
password:
password:
% Bad passwords
router>en
password:
password:
password:
% Bad passwords
//After three times, the Enable operation is denied; execute the command show login-secure information can display
the following record information including try-time and forbid-time.
router>
router>en
%enable operation is locked by login-secure service
router>
router>en
%enable operation is locked by login-secure service
router>
Chapter 12 Quality of Service (QoS) Configuration
This chapter describes basic Quality of Service (QoS) principles and corresponding configuration methods.
12. 1 First In First Out (FIFO)

The default queuing function of your Maipu router is First In First out (FIFO), which is shown in the following Figure 1.
Simply put, the router will filter data packets in the same order they enter, which is a very effective way of providing a large-
scale service among a group of similar users with the fewest possible delays. The downside, however, is that FIFO doesn’t
provide multiple Quality of Service levels for different kinds of users. For instance, a Telnet packet might be dropped by
the system after receiving many FTP packets, which will delay the start of a Telnet session. If this happens often, users
trying to login via Telnet might start to complain about the delays on your network. For that reason, you may want to
consider using the alternative queuing methods that are discussed in the remaining sections.
queuin Packets leaving the interface
Packets that must be De-queuing

sent through the h d li
Figure 1 FIFO Queue Map
12. 2 Priority Queuing (PQ)
With priority queuing, the router will send out a packet with the highest priority level before sending a packet with a lower
priority. When the outbound interface is very congested, the packets will be queued from highest to lowest priority. If the
interface isn’t congested, then the router will send all of the packets forward at the same level of priority.
This section talks about:

Distributing The Packet Queue And Priority Class
Configuring Priority Queuing
Adjusting The Priority Queue Size
Application Cases
12. 2.1 Distribute The Packet Queue and Priority Class
In priority queuing, each interface has four queues:

High
Medium
Normal
Low
queuin
high Packets leaving from the
mediu i f
Packets that must be normal
sent through the Dequeuing scheduling
low
Figure 2 Priority Queue Sketch Map
Normal is usually the default queue setting. A packet that isn’t already classified or distributed to a specified queue in any
router can be put into a queue.
12. 2.2 Configure Priority Queuing
You can configure the router so that it can classify packets by:
TCP or UDP port numbers.
Packet size.
The arriving packet’s interface.
Any item described in a standard or extended access list.
IP fragments.
You can also choose to use the default scattered packet mode.
When you start PQ configuration, you must:

A. Define a priority list
B. Apply the defined priority list to an interface
To define a priority list, input:
Router config priority-list <list-number>
Note: Define the priority list number between 1 and 16.
Command Description
interface <interface > <high / medium / normal / low> interface <interface >:
Distributes the interface priority when the packet
arrives.
high / medium / normal / low:
Defines the queue priority of queue.
default <high / medium / normal / low> Default:
Distributes a priority to any packet that doesn’t
match the appointed standard.
protocol ip <high /medium /normal / low> protocol IP: Assigns the data packet using IP
<fragments/ gt /lt /list /tcp/ udp> protocol.
fragments: Assigns a priority by whether or not the
data packet is fragmented.
gt/lt: Assigns a priority by packet size.
list: Assigns a priority by data according to the
access list.
tcp/udp: Assigns a priority by outbound tcp/udp
port number.
To apply the defined priority list to an interface, input:
router config-if-xxx
Command Description
priority-group <list-number> Assigns a priority list to an interface and activates

the priority queuing.
no priority-group Cancels the priority queue.
Note:
1) The same priority list can be applied to many interfaces.
2) Different priority policies can also apply to different interfaces.
3) You can only use one priority list for each interface.
12. 2.3 Adjust The Priority Queue Size
The priority queue default depth of a Maipu router, from high priority to low priority, is 15000, 30000, 45000 and 65535.
This value can be changed when you input the following commands while configuring the router’s priority queue size:

Note: Defines the priority list number between 1 and 16
Command Description
queue-limit <0-15000> <0-32767> <0- queue-limit <high-limit> <medium-limit>

45000> <0-65535> <normal-limit> <low-limit>: Defines the depth of
the four queues (high, medium, etc.).
<0-15000>: The adjusted depth scope of high-priority
queue is from 0 to 15,000 packets.
<0-32767>: The adjusted depth scope of medium-
priority queue is from 0 to 32,767 packets.
<0-45000>: The adjusted depth scope of normal-
priority queue is from 0 to 45,000 packets.
<0-65535>: The adjusted depth scope of low-priority
queue is from 0 to 65,535 packets.
12. 2.4 Monitor and debugging
use in the privilege mode

Command Description
show pq Displays the router’s relative PQ interface
information.
show pq interface <interface> Displays the specified interface’s relative PQ
information.
debug pq debug the router’s relative PQ interface
information.
debug pq interface <interface> debug the specified interface’s relative PQ
information.
12. 2.5 Choose Packet Drop-type Algorithm
When a priority queue is full, packets will be tailed-dropped normally. But you can choose RED algorithm as packet drop-
type:
Note: Defines the priority list number between 1 and 16
Command Description
drop-type random-detect <RED group name> Chooses RED algorithm as packet drop-type.
<RED group name>: name of the RED group. The
following will describe how to configure a RED
group.
drop-type tailed-dropped Chooses default tailed-dropped algorithm as packet
drop-type.
12. 2.6 Configure A RED Group
Following describes how to configure a RED group:

Router config random-detect-group <RED group name>
Note: Defines some parameters of the RED group

RED group config :
Command Description
exponential-weighting-constant <1-12> Defines exponential weight factor.

<1-12>:Integer in 1..12 used in weighted average to
mean 2^number.
precedence <0-7> <0-65535> <0-65535> <1-99> Defines IP precedence, minimum threshold, maximum
threshold and probability denominator parameters.
<0-7>: Defines IP precedence parameter, first 3 bits of
TOS field in IP header.
<0-65535>:Defines minimum threshold(bytes) of the
queue.
<0-65535>:Defines maximum threshold(bytes) of the
queue.
<1-99>: Defines probability denominator.
12. 2.7 Example
Unix host
ip:192.168.255.253/24
ip:192.168.255.30/24
Router2
S1/2
PPP
Router1 S0
ip:128.255.254.1/24
terminal ip:128.255.254.24/24
terminal Business host
Figure 3 PQ Configuration Map Sketch

Notes:
1) In the preceding figure (Figure 3), the Maipu router (Router1) connects with a terminal. The router’s interface
serial0 connects with the interface serial1/2 of the Cisco router (Router2) on the opposite end. The link has terminal
service data, FTP data and other data. The terminal data is to be set to the highest priority, FTP is to be set to the
lowest priority and other data is to be set to normal.
2) The IP address of the remote UNIX host is 192.168.255.253. The process itest should be run on port 3051. FTP
runs on TCP ports 20 and 21.
3) Router2 provides a 64K clock.

The following two methods can achieve this goal:
Method one: Directly configure the priority list.

Command Task
router(config)# priority-list 1 protocol ip low tcp 21 In list 1, the packet going to port number TCP21
is put in the low priority queue.
router(config)# priority-list 1 protocol ip low tcp 20 In list 1, the packet going to port number TCP20
is put in the low priority queue.
router(config)# priority-list 1 protocol ip high tcp In list 1, the packet going to port number
3051 TCP3051 is put in the high priority queue.
router(config)# interface serial0
router(config-if-serial0)# priority-group 1 Applies the priority list1 to the interface.
Method two: Configure an access list:

Command Task
router(config)# access-list 1001 permit tcp any Access list 1001 permits packets with any
192.168.255.253 0.0.255.255 eq 3051 source address, the destination address named
192.168.0.0 and the TCP port number named
3051 to pass through.
router(config)# access-list 1001 permit ip any Access list 1001 permits any IP packet to pass
any through.
router(config)#access-list 1002 permit tcp any Access list 1002 permits packets with any
192.168.0.0 and the TCP port number named 20
to pass through.
router(config)# access-list 1002 permit tcp any Access list 1001 permits packets with any
192.168.0.0 and the TCP port number named 21,
to pass through.
router(config)# access-list 1002 permit ip any Access list 1002 permits any IP packet to pass
any through.
router(config)#priority-list 1 protocol ip low list Packets according access list 1002’s rules are
1002 put in the low priority queue.
router(config)#priority-list 1 protocol ip high list Packets according to access list 1001’s rules are
1001 put in the high priority queue.
router(config)#interface serial0
router(config-if-serial0)#priority-group 1 Applies priority list 1 to the interface.
Note: Although the queue depth can be adjusted, you should generally try to avoid changing it from the default depth –
especially when priority queuing is not meeting current system demands.
12. 3 Weighted Fair Queue (WFQ)
A Weight Fair Queue (WFQ) will sort packet information to ensure that many users with different needs can share bandwidth
at one time when the network is busy. It also ensures that all messages are transmitted in real time when there is little
traffic. In fact, a high-bandwidth message will not become lost in the system if the network is congested – it will be allowed
to pass through. A message with low-bandwidth needs will continuously re-queue until there is less traffic to let the high-
bandwidth message go through the network.
A WFQ saves packet information. When a packet comes into the system, the system sorts the packet into its corresponding
queue. If there a queue for the packet doesn’t exist, a new queue will be created for the packet.
While WFQ is a complex procedure, it conversely needs very little configuration.
queue
Queue1 Packets leaving from the
Sor Queue i f
Packets that must be Queue Dequeuing scheduling

sent
Figurethrough Queue
the Fair Queue Sketch
4 Weighted Map n
12.3.1 Configuration in the interface mode
center(config-if-xxx)
Command Description
Applies a weighted fair queue to the interface.

fair-queue <16-256> <16-256>:Defines WFQ queue nums.
no fair-queue Cancels a weighted fair queue.
Show wfq interface type number See the wfq information in a certain interface
applied wfq
Show wfq See the wfq information in all of the interface
applied wfq
ra#debug wfq interface type number debug the wfq information in a certain intface
Debug wfq debug the wfq information in all of the interface

applied wfq
12.3.2monitor and debugging
in the privilege mode

Command Description
no fair-queue Cancels a weighted fair queue.
Show wfq interface type number See the wfq information in a certain interface
applied wfq
Show wfq See the wfq information in all of the interface
applied wfq
ra#debug wfq interface type number debug the wfq information in a certain intface
Debug wfq debug the wfq information in all of the interface

applied wfq
12. 4 Customer Queuing (CQ)
This system assigns a queue to each user session based on the amount of information that user needs access to. Like WFQ,
these queues save the passing packets as they enter the router. The system will sort and queue a packet.
When the system de-queues, the system will start polling user information. According to the different configurations that
each queue possesses, the corresponding total number of bytes taken from each user’s queue will be different. The user who
needs access to the greatest number of bytes will have the highest priority. (If the sorting rule allowing this to happen isn’t
configured, then the packet will enter the default queue.)
This section covers the following information:

Assign A Queue In CQ Mode
Configure CQ
Adjust CQ Queue Attributes
Debugging
Examples
12. 4.1 Assign A Queue In CQ Mode
Sixteen queues can be defined for each interface here. Each queue is titled and simply identified with a number between 1
and 16. (The number doesn’t have anything to do with queuing priority.)
Configure the router so it can sort packets according to the following standards:
Protocols (ICMP, IGMP, TCP and UDP) and TCP and UDP port numbers,
Packet size.
The arriving packet’s interface.
Any item described by a standard or an extended access list.
IP fragments.
A packet’s source address and destination address.
You can also choose to use the default scattered packet mode.
Queue
Priority Packets leaving from the
Queue1 10%
Sor Queue i f
10%
sent through the Queue 16 30%
Figure 5 Customer Queuing Sketch Map
Note: The queue with serial number 16 is often considered the default queue. A packet neither sorted nor assigned to an
appointed queue will be put in the default queue.
12. 4.2 Configure CQ
Configuring a CQ mainly involves three steps:

1) Defining a CQ list.
2) Defining each queue’s byte number.
3) Applying the defined list to an interface.
Configuration:
a. To define a customer queuing list, input:
Router config custom-queue-list <list-number>
Define a user-defined customer queuing list using a number between 1 and 16.
Command Description
fragments <0-16,Min queue number> <0- Fragments: Sets the queuing rule according to
16,Max queue number> whether the packet is fragmented or not.
<Min queue number>: Sets the minimal queue
number that packet can enter.
<Max queue number>: Sets the maximal queue
number that packet can enter.
gt/lt/et <1-1500> <0-16,Min queue number> <0- gt/lt/et: Sets the queuing rule according to the
16,Max queue number> packet size. It can be more than, less than or
equal to the size of the appointed packet.
<1-1500>:Defines the packet size.
icmp/igmp/tcp/udp <0-16,Min queue number> icmp/igmp/tcp/udp: Sets queuing rule according to
<0-16,Max queue number> different protocol type.
tcp/udp <0-16,Min queue number> <0- keyword-value: Includes the source/destination

16,Max queue number> keyword-value address or the network segment, address netmask
and the source/destination port number.
Sets the queuing rule according to these contents.

ip <0-16,Min queue number> <0-16,Max queue keyword-value: Includes the source/destination
number> keyword-value address of an IP packet or network segment and
address netmask.

list <1-2000, ip access list-name> <0-16,Min list <ip access list-name>: The applied access list
queue number> <0-16,Max queue number> number.

interface <interface > <0-16,Min queue number> interface <interface >: Sets the queuing rule
<0-16,Max queue number> according to the interface where the packet arrives.
default <queue-number> Default: All packets that don’t accord with the
above rules will be put in the default queue.
b. To define the byte number of each queue
Router config custom-queue-list <list-number>

Command Description
queue <0-16,Min queue number> <0-16,Max queue
number> byte-count <byte-count> queue <0-16,Min queue number> <0-16,Max
queue number>: Specify queue size in bytes in
the appointed scope. This parameter is used to
decide the weight of each queue.
c. To apply the defined list to the interface
Command Description
custom-list <list-number> Applies the defined list to the interface.
no custom-list Cancels the user-defined customer queue.
12. 4.3 Adjust CQ User Attributes
The default buffer size of the Maipu router user-defined queue interface is 65,535 bytes. The default buffer size of each
queue from 0 to 16 is 65,535 bytes. The value of the parameter can be altered through the following command:
router config custom-queue-list <list-number>
Command Description
custom-queue-list <list-number> Set the buffer size of each queue from 0 to 16.
queue <0-16,Min queue number> <0-16,Max queue
number> limit <size>
12. 4.4 Choose Packet Drop-type Algorithm
When a customer queue is full, packets will be tailed-dropped normally. But you can choose RED algorithm as packet drop-
type:
router config custom-queue-list <list-number>
Note: Defines the custom-list number between 1 and 16
Command Description
drop-type random-detect <RED group name> Chooses RED algorithm as packet drop-type.
<RED group name>: name of the RED group. Section
2.5 describes how to configure a RED group.
drop-type tailed-dropped Chooses default tailed-dropped algorithm as packet
drop-type.
12. 4.5 Monitor and Debugging
After CQ has been configured, the following debugging command can be used to verify and check the action. The detailed
commands are as follows:
center
Command Description
show cq Displays the router’s relative CQ interface
information.
show cq interface <interface> Displays the specified interface’s relative CQ
information.
debug cq debug the router’s relative CQ interface
information.
debug cq interface <interface> debug the specified interface’s relative CQ
information.
12. 4.6 An example
Unix host
ip:192.168.255.253/24
ip:130.255.78.1/30
Router2
ip:130.255.78.1/30 S1/2
PPP
ip:130.255.78.2/30
Router1 S0
ip:128.255.254.1/24
Terminal ip:128.255.254.24/24
Terminal Business host
Figure 6 CQ Configuration Sketch Map

Notes:
1) In the preceding figure, Maipu Router1 is connected to the terminals. The serial0 interface of Router 1 connects
with serial 1/2 interface of the peer-end Cisco Router2. There are terminal services, FTP and other data on the line.
The terminal data packet is to be put into Queue 1, the FTP data packet goes into Queue 2 and other data packets go
into the default queue.
2) The IP address of the remote UNIX host is 192.168.255.253. The process itest will run on TCP port 3051 and the
FTP will run on the TCP port 20 and 21.
3) Router2 provides the 64K clock
Command Task
center(config)#custom-queue-list 1 tcp 1 1 130.255.78.2 Puts the ftp data packets of TCP port 3051
255.255.255.255 any any any 3051 into queue 1.
Puts the ftp data packets of TCP port 20 into
center(config)# custom-queue-list 1 tcp 2 2 queue 2.
128.255.254.24 255.255.255.255 any any any 20
center(config)# custom-queue-list 1 tcp 2 2 Puts the ftp data packets of TCP port 21 into
128.255.254.24 255.255.255.255 any any any 21 queue 2.
center(config)# custom-queue-list 1 queue 1 1 byte-count Defines the de-queuing byte numbers into
6000 queue 1 of each circle.
center(config)# custom-queue-list 1 queue 2 2 byte-count Define the de-queuing byte numbers in the
1500 queue 2 of each circle.
router(config)#interface serial0
router(config-if-serial0)# custom-list 1 Applies list 1 to the interface.
12. 5 Weighted Random Early Detect Queue (WREDQ)
A Weighted Random Early Detect Queue (WREDQ) is just like FIFOQ except packet drop algorithm and the number of
queues(10 queues). It selects RED as packet drop algorithm. It classifies packets according to IP priority (namely the first 3
bits of TOS field in IP header).
While WRED queuing is a complex procedure, but it needs little configuration.
queue
Queue0 Packets leaving from the interface
Classi Queue12
fy
Packets that must be sent Queue … Dequeuing scheduling
through the interface Queue 9
Figure 4 Weighted Fair
Queue Sketch Map
Configuration:
center(config-if-xxx)
Command Description
exponential-weighting-constant <1-12> Defines exponential weight factor.

<1-12>:Integer in 1..12 used in weighted average to
mean 2^number.
precedence <0-7> <0-65535> <0-65535> <1-100> Defines IP precedence, minimum threshold, maximum
threshold and probability denominator parameters.
queue.
queue.
12. 6 Class-Based Weighted Fair Queue(CBWFQ)
CBWFQ assigns a weight to different classes of IP packets. The bandwidth of the interface configured with CBWFQ will be
allocated according to the weight.
CBWFQ configuration is a complex procedure, configuring a CBWFQ mainly involves three steps:
1) Defining a match class.
2) Defining a CBWFQ policy.
3) Applying the defined CBWFQ policy to an interface.
This section covers the following information:

Define a match class
Define a CBWFQ policy
Apply the defined CBWFQ policy to an interface
Debugging
Example
queue
Queue0 Packets leaving from the
Sor Queue i f

sent
Figurethrough Queue
the Fair Queue Sketch
4 Weighted Map 9
12. 6.1 Define A Match Class

Before defining a CBWFQ policy, a match class should be defined.
Configuration:
To define a match class, input:
router config class-map <class-map name>
class map config :

Command Description
match access-group <1-2000> Defines match class according to a access group.

<1-2000>: Defines access group number
match input-interface <interface> Defines match class according to the inbound
interface.
<interface>: Defines the inbound interface.
match ip precedence <0-7> Defines match class according to the IP precedence.
<0-7>: Defines IP precedence.
match ip dscp <0-63> Defines match class according to the IP dscp field.
<0-63>: Defines IP dscp field.
match mpls experimental <0-7> Defines match class according to MPLS experimental
field.
<0-7>: Defines MPLS experimental field.
12. 6.2 Define A CBWFQ Policy

After defined a match class, a CBWFQ policy can be defined.
Configuration:
To define a CBWFQ policy, input:
router config policy-map <policy-map name>
Then, select match class defined, input:
router policy-map config class <class-map name>
Now configure CBWFQ policy:
CBWFQ policy config:

Command Description
priority <1_100000> Defines packets of this match class enter LLQ queue,
and bandwidth for LLQ(Least Latency Queue)
<1-100000>: Defines LLQ bandwidth, kbits/s
bandwidth percent <1-75> Defines bandwidth percentage for packets of this
match class.
<1-75>: Defines the percentage of bandwidth.
bandwidth <1-100000,bandwidth> <1- Defines bandwidth for packets of this match class.
100000,total bandwidth of this interface>
set ip precedence <0-7> Sets IP precedence for packets of this match class.
<0-7>: Defines IP precedence value being set.
set ip dscp <0-63> Sets IP dscp field for packets of this match class.
<0-63>: Defines IP dscp field value being set..
set mpls experimental imposition <0-7> Set MPLS experimental value at tag imposition for
packets of this match class.
<0-7>: Defines MPLS experimental value at tag
imposition.
set mpls experimental topmost <0-7> Set MPLS experimental value on topmost label for
packets of this match class.
<0-7>: Defines MPLS experimental value on topmost
label.
Random-detect can be configured as packet-drop type, default is tailed-dropped.

Configure RED as packet-drop algorithm, issue:
router CBWFQ policy config random-detect
CBWFQ policy config:
Command Description
random-detect exponential-weighting-constant <1- Defines exponential weight factor.

12> <1-12>:Integer in 1..12 used in weighted average to
mean 2^number.
random-detect precedence <0-7> <0-65535> <0- Defines IP precedence, minimum threshold, maximum
65535> <1-100> threshold and probability denominator parameters.
queue.
queue.
12. 6.3 Apply The Defined CBWFQ Policy To An Interface

After defined a CBWFQ policy, the CBWFQ policy can be applied to an interface.
Command Description
service-policy output <policy-name> Configures CBWFQ on the interface.
Applies the defined CBWFQ policy to the
output packets of the interface.
service-policy input <policy-name> Applies the defined CBWFQ policy to the
input packets of the interface, but only set-
rules in this policy will be effective.
no service-policy output Cancels CBWFQ queues used on the interface.
no service-policy input Cancels CBWFQ policy used on input packets

of the interface.
service-policy queue-limit <1-255> <2000-65536> Configures queue length limits of the specified
queue.
<1-255>: Specifies the queue.
<2000-65536>: Defines queue length limit in
bytes
12. 6.4 Monitor and debugging
After CBWFQ has been configured, the following debugging command can be used to verify and check the action. The
detailed commands are as follows:
center
Command Description
show cbwfq Displays the router’s relative CBWFQ interface
information.
show cbwfq interface <interface> Displays the specified interface’s relative CBWFQ
information.
<interface>: Specifies the interface.
Debug wfq This command can display CBWFQ informaion
12. 6.5 Example
Notes:
1) One 2M private line is adopted between two network nodes. The private line is used to bear the transmission of
voice data, terminal services and data.
2) Supposing the FTP operates on TCP port 20 and 21.
In order to guarantee IP-voice quality and bandwidth of the telnet data packets, we can use CBWFQ.
Configurations of router1:
Command Task
Router1#conf t
router1(config)#access-list 1001 permit ip host 192.168.1.6 IP-voice data packets
host 192.168.1.5
router1(config)#access-list 1002 permit tcp host Telnet data packets
192.168.2.100 host 192.168.0.100 eq 23
router1(config)#access-list 1003 permit tcp host FTP management packets
192.168.2.101 host 192.168.0.101 eq 21
router1(config)#access-list 1003 permit tcp host FTP application data packets
192.168.2.101 host 192.168.0.101 eq 20
router1(config)#class-map voip Defines VOIP match class
router1(config-cmap)#match access-group 1001 Defines match rules for VOIP match class
router1(config)#class-map telnet Defines TELNET match class
router1(config-cmap)#match access-group 1002 Defines match rules for TELNET match class
router1(config)#class-map ftp Defines FTP match class
router1(config-cmap)#match access-group 1003 Defines match rules for FTP match class
router1(config)#policy-map one Defines CBWFQ policy ONE
router1(config-pmap)#class voip Enter configuration-mode of VOIP class
router1(config-pmap-c)#bandwidth percent 50 Assigns 50% bandwidth for VOIP class
router1(config-pmap)#class telnet Enter configuration-mode of TELNET class
router1(config-pmap-c)#bandwidth percent 20 Assighs 20% bandwidth for TELNET class
router1(config-pmap)#class ftp Enter configuration-mode of FTP class
router1(config-pmap-c)#bandwidth percent 5 Assighs 5% bandwidth for FTP class
router1(config)#interface serial 0/0
router1(config-if-serial0/0)#service-policy output one Applies policy ONE on the s0/0 interface
12. 7 Bandwidth Management
MAIPU router uses Committed Access Rate(CAR) as the algorithm of bandwidth management. CAR algorithm allocates
bandwidth to IP data-packet flows according to rate-limit rules.
The detailed configuration are as follows(issuing rate-limit command under router config-if-xxx mode):
rate-limit { input | output } [access-group <access-list-No>] <CIR> <conform-burst> <exceed-burst> conform-action

{<actions> [<action val>] } exceed-action { <actions> [<action val>] }
Syntax Description
{input | output} Apply the rule to ingress/egress packets
access-list-No Specify an access-list no to match packets. If its default configuration is adopted,
all ingress/egress packets of the interface must be matched. The value range is from 1
to 2000.
CIR Define committed Information rate(bit/s), a value in 8000-100000000
Conform burst Define conform burst rate, the depth of conform bucket(byte), a value in
1500-50000000
Exceed burst Define exceed burst rate, the depth of exceed bucket(byte), a value in 0-
100000000
actions [action val] Define actions of conform /exceed burst:
continue : do nothing but continue matching next rule
drop : drop this packet
transmit : forward this packet
set-prec-continue : set the precedence of a packet as <action val> and
continue matching next rule
set-prec-transmit : set the precedence of a packet as <action val> and forward
this packet
set-dscp-continue : set DSCP of a packet as <action val> and continue
matching next rule
set-dscp-transmit : set DSCP of a packet as <action val> and forward this
packet
12. 8 Traffic Shaping

Traffic shaing is used to send packets at an average rate and smooth the egress flow when there exists data congestion.
Configuring Traffic-Shape
traffic-shape command
traffic-shape rate conform-rate permit burst
Syntax Description
conform-rate Maximal bandwidth of the interface. Its value range is from 480 to 1000000000
bits/sec
permit burst Burst bytes permitted in 1/60 second. Its value range is from 1600 to 5000000
bytes
12. 9 RSVP (Resource Reservation Protocol)

RSVP (Resource Reservation Protocol), as a standard signaling protocol, is used to ensure the point-to-point network
bandwidth for the IP network. It adopts basic route allocation protocols to determine where to transmit the reserved request.
When the route allocation changes paths to accommodate to the change of the topology structure, RSVP can make its
reserved request accommodate to the new paths. This working mode doesn’t incommode other route allocation services.
RSVP provides transparent operations through supporting no RSVP router nodes, cooperating with the current queuing
mechanism instead of replacing it. RSVP applies for a specific queuing mechanism, but only a specific interface queuing
mechanism can realize the reservation function.
ip rsvp
ip rsvp bandwidth reservable-bandwidth largest-reservable-flow
ip rsvp {burst burst-factor}| {delay time-value}| {neighbor access-list}| signaling {conform | exceed} {dscp value |
precedence value }| {udp-multicasts multicast-address}
Syntax Descriptions
reservable-bandwidth This is the reservable-bandwidth, and its value range is
between 1 and 10000000 kbps
largest-reservable-flow This is the largest reservable bandwidth of each flow,
and its value range is between 1 and 10000000kbps.
burst burst-factor Set the maximum burst percentage of the reserved flow,
and the value range of burst-factor is between 100 and 1000.
And the default value is 500(%).
delay time-value It is the delay time (millisecond) used to update Adspec
in Guaranteed services, and its value range is between 1 and
5000, 90 (ms) by default.
neighbor access-list Utilize the access list to limit the communication of
RSVP neighbors. Its value range of access-list is between 1
and 1000.
signaling {conform | exceed} {dscp value | Tag the flows that succeed in being reserved, meet or go
precedence value } beyond the bandwidth. When value is corresponding with
DSCP, its value range is between 0 and 63, while
corresponding with precedence, between 0 and 7.
udp-multicasts multicast-address Enable and listen in the multicast address when some
intermediate routers can’t support the original sockets or
default multicast addresses.
The value range of multicast-address is of multicast
group address, and its default is 224.0.0.14.
£Default¤ RSVP is not running.
£Command mode¤The interface configuration mode.
Note:
The maximum reservable bandwidth cannot exceed 75% of the interface maximum bandwidth.
An Example of RSVP (Resource Reservation Protocol) Configuration

Illustration:
Through the Ethernet, PC1 and PC2 connect with ROUTER1 and ROUTER2 respectively. ROUTER1 ROUTER2 adopt
the PPP protocol to connect each other by means of one 2M private line over which all communication between two LANs
respectively connected with PC1 and PC2. And network applications between PC1 and PC2 require a stable 40K bandwidth.
Configure ROUTER1 as follows:
route1#conf t
router1(config)#interface s0/0
router1(config-if-serial0/0)# fair-queue Enable WFQ.
router1(config-if-serial3/0)#bandwidth 2000 Designate the interface bandwidth to
be 2M.
router1(config-if-serial0/0)#ip rsvp bandwidth 64 64 Enable the RSVP resource reservation
function.
router1(config-if-serial0/0)#encapsulation ppp
255.255.255.252
Configure ROUTER2 as follows:
Route2#conf t
Router2(config)#interface s0/0
Router2(config-if-serial0/0)# fair-queue Enable WFQ.
router2(config-if-serial3/0)#bandwidth 2000 Designate the interface bandwidth to
be 2M.
Router2(config-if-serial0/0)#ip rsvp bandwidth 64 64 Enable the RSVP.
Router2(config-if-serial0/0)#encapsulation ppp
Router2(config-if-serial0/0)#ip address 192.168.0.6
255.255.255.252
Configure RSVP Proxy

The proxy configuration is used to replace a node that cannot send RSVP messages to send RSVP messages, so that other
nodes can realize the RSVP reservation through receiving the RSVP proxy message that the router creates.
ip rsvp
ip rsvp { sender | sender-host | reservation | reservation-host }
Syntax Descriptions
Sender Configure the PATH message proxy, of which the followed parameters are as
follows:
the destination address reservable-flow, the resource address of reservable-
flow, IP protocol number of reservable-flow, the destination port of reservable-
flow, the source port of reservable-flow, the previous hop address of PATH
message, the supposed receiving interface of PATH message, the reservable-flow
bandwidth, the reservable-flow burst-size.
sender-host Configure the PATH message proxy for the local application. And no receiving
interface and previous hop addresses need be configured.
reservation Configure the RESV message proxy, of which the followed parameters are as
follows:
the destination address a reservable-flow, the source address of a reservable-
flow, IP protocol number of a reservable-flow, the destination port of a reservable-
flow, the source port of a reservable-flow, the previous hop address of a RESV
message, the supposed receiving interface of RESV message, the reservable
share-style, the service that the reservable-flow applies for, the reservable-flow
bandwidth, the reservable-flow burst-factor.
reservation-host Configure the RESV message proxy for the local application. No receiving
interface and the previous hop address need be configured.
Monitoring and Debugging RSVP (Resource Reservation Protocol)
show ip rsvp installed
This command is used to display the information about the flows that succeeds in RSVP reserving currently.
show ip rsvp installed
£Command mode¤The privilege user mode.
show ip rsvp neighbour
This command is used to display the RSVP neighbor list that switches the RSVP signaling with the local router.
show ip rsvp neighbour
show ip rsvp sender
This command is used to display the list (PSB) of the PATH messages that the local router received.
show ip rsvp sender
show ip rsvp reservation
This command is used to display the list (RSB) of the RESV messages that the local router received.
show ip rsvp reservation
show ip rsvp blockade-state-block
This command is used to display the list (BSB) of the RESV messages that are denied by the previous hop and are received
by the local router.
show ip rsvp blockade-state-block
show ip rsvp timer
This command is used to display the list of the timers relevant with each RSVP in the local router.
show ip rsvp timer
debug ip rsvp
This command is used to display the process that creates the RSVP reservation.
debug ip rsvp
Chapter 13 802.1Q Specifications
This chapter describes how to configure your MP2600 router so it can connect to a Virtual LAN (VLAN) and an exterior
network.
13.1 802.1Q Configuring Principles

A VLAN ID number is added to all network equipment through the 802.1Q protocol. All equipment with the same VLAN
ID number will be able to communicate with each other. Equipment in different VLAN groups won’t be able to
communicate with each other – unless they’re configured to the same VLAN ID number. The following section will tell
you how to set up your equipment to ensure proper communications.
13.1.1 VLAN Functions
An Ethernet supporting 802.1Q can be divided into many subnets, and each subnet will correspond to a certain VLAN (see
Figure 1). When a data packet passes through a switch, it is checked against 802.1Q standards. A VLAN tag will then
be added to describe which packet it belongs to. When the router’s Ethernet interface receives a data packet, the interface
will compare its own VLAN tag with the interface’s corresponding tag. If the receiving interface and data packet both
belong to the same VLAN, the interface will receive the incoming data. Otherwise, the packet will be discarded.
Similarly, when the router sends a data packet, the router also checks the tag. All equipment with the same VLAN tag will
be able to communicate with each other, but must pass through layer three routing.
13.1.2 One-Armed Routing
In order to accomplish one-armed routing, many links between a router and a switch are formed. Namely, the router’s
Ethernet interface connects with a switch’s port. The method is very simple, but it doesn’t make effective use of the
router’s interface so it isn’t an ideal method. The interface is used fully through one-armed routing. (One-armed routing is
illustrated in the following Figure 1.)
The switch is configured between two VLANs – VLAN1 and VLAN2. Port 1 is configured as a relay port belonging to
both VLAN 1 and VLAN 2. Two sub-interfaces are configured on a fast Ethernet router interface and are each assigned to
an independent IP subnet. Two corresponding VLAN IDs are named in each sub-interface.
Mp5124 Switch
vlan1
port1- 10
( market department)
vlan2
Port11- 20 f0.1 f0.2
( market department)
( vlan1)( vlan2)
Mp2600Router
Figure 1 One-Armed Routing
Thus, VLAN1 or VLAN 2’s data stream can get to router sub-interface f0.1/ f0.2 through relay port 1. The routing between
two VLANs is accomplished through the use of two sub-interfaces. Because the router only has one physical interface that
connects to a switch port, the router will have a one-armed router alias.
13.1.3 Subnet Isolation
As long as two sub-interfaces and their corresponding VLAN are configured in default mode, the two VLANs can
communicate with each other. But in some circumanstances, it isn’t what we expected.. To do this, you will have to
create a new access list based on the one-armed routing configuration to filter communications between the two VLANs.
The access list must be applied to the corresponding VLAN sub-interface.
13.2 802.1Q Configuring Commands
Only sub-interfaces 1 to 63 of the Ethernet interface can be named, per 802.1Q protocols. Each sub-interface can be
configured with any VLAN ID number from 1 to 4,094.
13.2.1 Configuring 802.1Q Commands
The 802.1Q protocol configuration involves the following three steps:
creating a sub-interface
naming 802.1Q protocol
setting up an IP layer
A. Create A Sub-Interface
Router config interface fastethernet0.
Syntax Description
[0-63] Sub-interface number
Notes:
1) Fastethernet0.0 is a master interface and can’t change 802.1Q protocol.
2) You can’t have more than 63 sub-interfaces.
B. Name 802.1Q Protocol
router(config-if-fastethernet0.1)#
Command Description
Names 802.1Q protocol on the interface and configures the

encapsulation dot1q <vlan id>
VLAN ID.
Shutdown
No shutdown
Notes:
1) The sub-interface can only encapsulate 802.1Q protocol. The protocol will only be named when a sub-interface has
been created.
2) Your VLAN ID number can only be from 1 to 4,094.
C. Set-up An IP Layer
router(config-if-fastethernet0.1)# ip ?
Command Description
Address <unicast address> < network mask> Configures the sub-interface IP address on the sub-
interface.
access-group <IP access list | Access-list Applies an access list to the sub-interface.
name> <in | out>
Notes:
1) The IP address configured on the sub-interface and the IP address of all the equipment on the same VLAN should be
contained in the same network segment.
2) If you want to use the one-armed routing function, communication between some equipment must be prohibited.
An access list must be applied to the interface.
13.2.2 A Typical One-Armed Router Application
) )

03
03
9/$1 9/$1
9/$1 , ' 9/$1 , '
(7+(51(7 (7+(51(7
3& 3& 3& 3& 3& 3&

Figure 2 One-Armed Routing Sketch Map

Notes About The Preceding Figure:
1) The fastethernet interface of Router MP2600 connects with the relay interface, MP5124. The two Ethernet sub-
interfaces have been configured as fastethernet0.1 and fastethernet0.2 respectively. The corresponding VLAN
IDs are 1 and 2.
2) Two VLANs have been set on MP5124. The VLAN ID 1 interface connects with the left three PCs and the
VLAN ID 2 interface connects with the right three PCs. The relay interface contains two VLAN groups.
3) The PCs named in VLAN ID 1 are in the network segment 1.1.1.0/24, while the PCs in VLAN ID 2 are in the
network segment 1.1.2.0/24.
This allows communication between two VLANs.
Configuration:
To configure fastethernet0.1:
Command Task
Creates the router’s fastethernet0.1 sub-

routeräconfigå#interface fastethernet0.1
interface.
router(config-if-fastethernet0.1)#encapsulation dot1q 1 Sets the VLAN ID of fastethernet0.1 as 1
router (config-if-fastethernet0.1)#ip address 1.1.1.4 Sets the IP address of fastethernet0.1 as

255.255.255.0 1.1.1.4, a subnet mark with 24 bits.
Command Task
routeräconfigå#interface fastethernet0.2 Creates the router’s fastethernet0.2 sub-

interface.
router(config-if-fastethernet0.2)#encapsulation dot1q 2 Set VLAN ID of fastethernet0.2 as 2

router (config-if-fastethernet0.2)#ip address 1.1.2.4 Set IP address of fastethernet0.2 as
255.255.255.0 1.1.2.4, a subnet mark with 24 bits.
Note: The VLAN 1 PC’s default gateway is set to IP address 1.1.1.4 in the MP200’s fastethernet0.1 interface. The
VLAN 2 PC’s default gateway is set to IP address 1.1.2.4 in the MP2600’s fastethernet0.2 interface.
Configuration Results:
router#show run
hostname router
interface loopback0
exit
exit
interface fastethernet0.1
ip address 1.1.1.4 255.255.255.0
encapsulation dot1q 1
exit
ip address 1.1.2.4 255.255.255.0
exit
13.2.3 A Typical Subnet Isolation Application
6HU YHU 6HU YHU

7&3 , 3
1HW ZRU N
03
) )
03
9/$1 9/$1
9/$1 , ' 9/$1 , '
(7+(51(7 (7+(51(7
3& 3& 3& 3& 3& 3&

Figure 3 Subnet Isolation Sketch Map
Notes About The Preceding Figure:

1) The router’s fastethernet interface connects with MP5124’s relay interface. Two Ethernet interfaces are
respectively configured to fastethernet0.1 and fastethernet0.2. The responding VLAN ID is set to 1 and 2
respectively.
2) The MP2600 uses a WAN interface to connect with server1 and server2 through a TCP/IP network.
3) MP2600 router adds two access lists to prohibit communications between VLAN1 and VLAN2. These VLANs
access their own business servers through the router’s WAN interface and aren’t permitted to communicate with
each other.
4) Two VLANs has been set on the MP5124. The VLAN ID 1 interface connects with the left three PCs, while the
VLAN ID 2 interface connects with the right three PCs. The relay interface contains two VLAN groups.
5) The PCs in the VLAN ID 1 group are in network segment 1.1.1.0/24. The PCs in VLAN ID 2 are in network
segment 1.1.2.0/24.
Parameter Configuration:
To configure an access list:
Command Task
Router config #ip access-list standard 1 Creates a standard access list 1 on the
router.
router (config-std-nacl)#deny 1.1.1.0 0.255.255.255 Sets the first access list 1 rule to prohibit
data from 1.1.1.0/24 from passing
through.
router (config-std-nacl)#permit any Sets the second access list 1 rule to

permit any data packet from passing
through.
Router config #ip access-list standard 2 Creates a standard access list 2 on the
router.
router (config-std-nacl)#deny 1.1.2.0 0.255.255.255 Sets the first access list 2 rule to prohibit
data from 1.1.2.0/24 from passing through.
router (config-std-nacl)#permit any Sets the second access list 2 rule to

permit any data packet from passing
through.
Command Task
Router config #interface fastethernet0.1 Creates sub-interface fastethernet0.1.
router (config-if-fastethernet0.1)#encapsulation dot1q 1 Sets the fastethernet0.1 VLAN ID as 1.
router (config-if-fastethernet0.1)#ip address 1.1.1.4 Sets the IP address of fastethernet0.1 as

255.255.255.0 1.1.1.4 and the subnet mask to 24 bits.
router (config-if-fastethernet0.1)#ip access-group 2 out the data sent from fastethernet0.1 is

limited by access list 2.
To configure fastethernet0.2
Command Task
config #interface fastethernet0.2 Creates sub-interface fastethernet0.2.
(config-if-fastethernet0.2)#encapsulation dot1q 2 Sets the fastethernet0.2 VLAN ID as 2
(config-if-fastethernet0.2)#ip address 1.1.2.4 255.255.255.0 Sets the IP address of fastethernet0.2 to

1.1.2.4 and the subnet mask as 24 bits.
(config-if-fastethernet0.2)#ip access-group 1 out The data sent from fastethernet0.2 is

limited by the access list 1.
Configuration Results:
router#show run
hostname router
ip access-list standard 1
deny 1.1.1.0.0.255.255.255
permit any
exit
ip access-list standard 2
deny 1.1.2.0 0.0.255.255.255
permit any
exit
interface loopback0
exit
exit
ip address 1.1.1.4 255.255.255.0
ip access-group 2 out
exit
ip address 1.1.2.4 255.255.255.0
ip access-group 1 out
exit
13.2.4 Displaying Configuration Statistics
A. Display Configuration Sub-Interface Results

router#show run
After inputting the preceding command, you can observe configuration data for each interface. The following is an
example of extracted configuration information:
ip address 2.2.2.2 255.255.0.0
exit
B. Display Sub-Interface Statistics
router#show dot1q interface f0.1
After inputting the above command, you can observe statistical information about a data packet sent or received by sub-
interface f0.1:
fastethernet0.(unit number 1):
0 untagged packets received
0 tagged packets received
91 untagged packets sent
2 tagged packets sent
Chapter 14 Dynamic Host Configuration Protocol (DHCP) Configuration
14. 1 Introduction of DHCP

When a network is too big to control directly by its builder, it is hard to control the network. The frequent problem in the
network where IP addresses are assigned manually is IP address conflict. The only method to resolve the problem is to
assign IP addresses to customers dynamically. Dynamic Host Configuration Protocol (DHCP) assigns an address from an
address pool to the host that requests an address. DHCP also provides other information, such as gateway IP and DNS
server. The purpose of designing DHCP is not to provide the diskless workstation with boot information, but to reduce
burden of assigning IP addresses manually for a manager. DHCP can accomplish the work of assigning addresses.
14. 2 Configuration of DHCP

14. 2.1 DHCP Configuration Task List
'HILQHDQDGGUHVVRIDQDGGUHVVSRROIRUWKHDVVLJQPHQWRIDGGUHVVHV
&RQILJXUHWKHRSWLRQDOSDUDPHWHUVDVVLJQHGWRDKRVW
14. 2.2 The Relative Commands
The following table describes commands of DHCP server, relay and client.
Table 14-1 DHCP commands
Command Description
In global configuration mode:

router(config)#iIp dhcp excluded-address Remove addresses from the address pool.
router(config)#iIp dhcp ping Use the parameter ping.
router(config)#iIp dhcp pool Define an address pool for assigning addresses.
router(config)#ip dhcp-server A.B.C.D Act as dhcp relay by appointing a dhcp server
ö
Create an HDCPö
router(config)#ip dhcp pool word Define an address pool and enter DHCP
configuration mode.
The name of the address pool is the value of word.
In DHCP configuration mode:
router(dhcp-config)# default-router Configure the default gateway of the host.
router(dhcp-config)# dns-server Configure DNS server address of the host.
router(dhcp-config)# domain-name Configure the server name of the host.
router(dhcp-config)# netbios-name-server Configure the address of the server netbios-name.
router(dhcp-config)# network Define the address assigned in the address pool.
router(dhcp-config)#exit Exit the interface mode.
In INTERFACE configuration mode:
router(config-if-fastethernet0)#ip address dhcp Act as dhcp client by requesting a address from some
DHCP server
14. 2.3 Configure DHCP
The first step: Define an address pool applied

The first step to star DHCP service is to define an address pool. The addresses in the address pool will be assigned
dynamically to these hosts that use DHCP to request addresses. The following configuration commands should be used on
the router:
Table 14-2 Create DHCP pool
Command Description
router(config)#ip dhcp pool word Define an address pool with the name of word.
router(dhcp-config)#network A.B.C.D Define an address pool for address assignment. And
netmask A.B.C.D are network ID and netmask is the network
mark.
router(config)#ip dhcp excluded-address low ip Remove the low ip address and high ip address from
address [high ip address] the address pool. Low ip address is the starting address
and high ip address is the ending address.
The second step: Configure the optional parameters passing to the host
DHCP can send more other information to the host in addition to assign addresses dynamically.
Table 14-3 configure DHCP address pool optional parameters
Command Description
router(dhcp-config)#default-router A.B.C.D Configure the default gateway of the host.
A, B, C and D are the default gateways.
router(dhcp-config)#dns-server A.B.C.D Configure DNS server addresses of the host. The

addresses are A.B.C.D.
router(dhcp-config)#domain-name word Configure DNS server name of the host
router(dhcp-config)#netbios-name-server A.B.C.D Configure the addresses of server netbios-name. The
addresses of the server netbios-name are A.B.C.D
14. 3 DHCP Configuration Case

U RXW HU
I

KRVW KRVW KRVW

Illustrationö ö
Many hosts connecting to the interface fastethernet0 of the router, through the following configuration, can get
addresses in the DHCP address pool dynamically.
The configuration as shown below:
Table 14-4 DHCP configuration example
Configuration Task
router#con t Enter the global mode.
router(config)#interface fastethernet0 Configure on the interface f0.
router(config-if -fastethernet0)# Configure IP address.
ip address 129.255.78.44 255.255.0.0
router(config-if -fastethernet0)#exit Exit from the interface f0.
router(config)#ip dhcp excluded-address Remove the address of the interface f0 of the router
129.255.78.44 from the address pool.
router(config)#ip dhcp pool goat maipu Define an address pool maipu.
router(dhcp-config)# Define the address for address assignment in the
network 129.255.0.0 255.255.0.0 address pool.
router(dhcp-config)#default-router Configure the default gateway of the host:
129.255.78.44 129.255.78.44.
router(dhcp-config)#dns-server 61.139.2.69 Configure DNS server address of the host
router(dhcp-config)#netbios-name-server Configure the address of the server netbios-name .
129.255.78.27
router(dhcp-config)#end The configuration finished.
Noteö ö
The host connecting with the interface fastethernet0 of the router, through the above configuration, can get the other
assigned addresses except 129.255.78.44äused by the interface fastethernet0 of the routeråof the network segment
129.255.0.0. And the host will be configured with the information on DNS server, the default gateway and the server
netbios-name.
14. 4 Examine the Status and the Debug

· Examine the host list that currently has been assigned IP address.
Exampleö
router#show ip dhcp binding
Hardware-Address IP-Address Lease Status
0050.ba14.9de5 129.255.0.1 85678 ACKED
0050.ba21.0e6c 129.255.78.2 84765 ACKED
It can be seen from the above information that the two addresses 129.255.0.1 and 129.255.78.2 are respectively assigned to
the two hosts with the corresponding MAC address 0050.ba14.9de5 and 0050.ba21.0e6c.
· Trace and debug DHCP information

router#debug ip dhcp packet
router#debug ip dhcp linkage
router#debug ip dhcp events
Chapter 15 NDSP Protocol Configuration
Neighbor Device Search Protocol(NDSP) discovers adjacent devices on the network and obtains protocol address of
neighboring devices and platform of those devices. NDSP is media- and protocol-independent,and run over the data link
layer only.
Each device configured for NDSP sends periodic messages, known as advertisements, to a multicast address. The
advertisements contain time-to-live, or holdtime, information, which indicates the length of time a receiving device should
hold NDSP information before discarding it. Each device also listens to the periodic NDSP messages sent by others in order
to learn about neighboring devices and determine when their interfaces to the media go up or down.
Currently, NDSP is supported by HDLC,PPP,Frame Relay protocol on WAN interface.
15.1 Commands
You can use the following three commands to configure NDSP in global configuration mode:
Command Description
ndsp run Enable NDSP . The no ndsp run command is used to
deactivate NDSP . The default mode leaves NDSP
turned off.
ndsp timer Specifies frequency of transmission of NDSP update. The
default interval is 60 seconds.
ndsp holdtime: Specfies the amount of time a receiving device should hold
the information sent by your device before discarding it.
The default interval is 180 seconds.
ndsp enable NDSP is enabled by default on all supported interfaces to
send and receiver NDSP information.
NDSP is enabled by default on all supported interfaces to send and receiver NDSP information. You can disable NDSP on an
interface supports NDSP by using the no ndsp enable command.
Command Description
ndsp enable Enabled NDSP on an interface.
Input these commands to display NDSP status:

Command Description
Show ndsp entry Displays information about a specific neighbor
Show ndsp neighbors Displays the type of device that has been discovered, the
name of the device, the number and type of the local
interface, the number of seconds the NDSP advertisement
is valid for the port ,the device type, the device product
number, and the port ID.
Show ndsp traffic Display s NDSP counters,including the number of packets
sent and received and checksum errors.
Show ndsp version Displays the current NDSP version.
15.2 Examples
If you want to run NDSP on your router, you would input:
router(config)# ndsp run
router(config)#exit
router#
If you don’t want to run NDSP on your router anymore, you would input:
router(config)#no ndsp run
router(config)#exit
router#
Chapter 16 SNMP Configuration
SNMP (Simple Network Management Protocol) is a standard protocol to manage the Internet. Its purpose is to assure that the
management information can be transmitted between the Network Management Station and the managed equipment——
agent. It is convenient for the system manager to manage the network system.
SNMP adopts the tree labeling method to number each managed element and insures the number is exclusive. About the
detailed information on SNMP protocol, refer to the TCP/IP data.
16.1 SNMP Instruction Set
z Router (config)#snmp-server ?
Command Description
snmp-server start Activate SNMP network management.
snmp-server community Set the SNMP community name.
snmp-server contact Set the contact mode of the device manager.
snmp-server host Set the host name or IP address of the network
management station receiving SNMP trap.
snmp-server location Set the location of the device.
snmp-server view Set the network management view.
snmp-server enable traps Enable to send specified type of traps
snmp-server AddressParam Set the address parameter.
snmp-server TargetAddress Set the related destination address parameter aaa.

snmp-server engineID Set the engine.
snmp-server group Set the group.
snmp-server notify Set notify-message.
snmp-server proxy Set the proxy for transmitting packet.

snmp-server user Set the user.
snmp-server keepalive Set the keepalive packet.
16.2 Simple Network Management Protocol (SNMP) Configuration

Configuring Community Name:
router(config)#snmp-server community community-name [view view-name [{ro|rw}] [access-list]]
Syntax Description
community community-name Set the community name.
view view-name Specify the view corresponding to the community name.
{ro|rw} Specify the operation right of the community name.
access-list Specify the access control list or name of the community name.
Note:
The parameter community-name is used to specify the community name that is added to the router. Usually, the
community name must be the same as that configured on the network management station, or else the network management
station has no way to perform any operation to the router.
The parameter { ro | rw} is used to set the network management station’s rights to operate the router. The parameter ro
means read-only and rw means reading/writing.
The parameter view is used to specify the view scope for the community. Maipu router can do without the configuration
of the parameter view (it can do with the default).
The parameter access-list is the access control list that is used to perform the access control of hosts in the community.
So, nothing but those hosts that are in the same community with the router and permitted by the router’s access control list
can access the router. (About the detailed information, refer to Maipu router access control module)
For example:
Add the community public to the router, and then set the reading/writing right to operate the router for the network
management station whose community name is public:
router(config) #snmp-server community public rw
Note:
After starting up the router, you must configure the community for it, or else, the network management station has no
way to manage the router by means of snmpv1/v2c;
If you want to perform writing operations on the router, such as upgrading a program, backing up the configuration file,
the parameter < ro/rw/view > must be set as rw(reading/writing).
Configuring the contact of the equipment’ manager and equipment location

Router(config)#snmp-server contact <line> Configuring the contact of the equipment’ manager;
Router(config)#snmp-server location <line> Configuring the equipment location;
Note:
The function of the foregoing commands is to make the network management station read the information about the
router manager and router location for router management. The default configuration is the full name and address of the
router manufacturer.
Deleting SNMP on a router: (Closing the network management proxy process)

The configuration to close SNMP on the router is described as follows:
Router (config)#no snmp-server start
Note:
After the command is executed, the network management proxy process on the router is closed, and the network
management software has no way to manage the router through SNMP.
Configuring the router to send traps message:

The configuration of sending traps message on the router is described as follows:
Router (config)#snmp-server host ip/name [traps] [community community-name] [version {1|2}]
Syntax Description
host ip/name Specify the IP address and name of the network management station.
traps Specify the sending type as traps.
community community-name Specify the community name.
version {1|2} Specify the version number of the trap message.
z
Note:
The parameter < ip/name > represents the destination name or IP address to which the traps message will be sent.
Usually, it is the IP address or name of the host on which the network management application has been installed. It is
noticeable that the trap message is the message the router forwardly sends to the host on which the network management
application has been installed.
If the parameters following host, such as traps, community-name and version, are not configured, the system will adopt
the default configuration: type—traps, community-name—public and version—2.
Enable to send specified traps
Router(config)#snmp-server enable traps [module-name [trap-type]]
module-name trap-type Description
bgp Enable SNMP BGP traps
backward-transition Enable BGP backward transition trap
established Enable BGP established trap
dlsw Enable SNMP DLSw traps
circuit-down Enable DLSw circuit down trap
circuit-up Enable DLSw circuit up trap
tconn-down Enable DLSw tconn down trap
tconn-partner-reject Enable DLSw tconn partner reject trap
tconn-prot-violation Enable DLSw tconn port violation trap
tconn-up Enable DLSw tconn up trap
frame-relay Enable SNMP frame-relay traps
dlci-status-change Enable frame-relay DLCI status change trap
pvc-connect-status- Enable frame-relay PVC connect status change trap
change
pvc-connect-status- Enable frame-relay PVC connect status notify trap
notify
isdn Enable SNMP isdn traps
call-information Enable isdn call information trap
ospf Enable SNMP OSPF traps
if-authen-failure Enable OSPF interface authentication failure trap
if-config-error Enable OSPF interface config error trap
if-rx-bad-packet Enable OSPF interface receive bad packet trap
if-state-change Enable OSPF interface state change trap
lsdb-approaching- Enable OSPF lsdb approaching overflow trap
overflow
lsdb-overflow Enable OSPF lsdb overflow trap
max-age-lsa Enable OSPF max age lsa trap
nbr-state-change Enable OSPF neighbor state change trap
originate-lsa Enable OSPF originate lsa trap
tx-retransmit Enable OSPF retransmit trap
virtif-authen-failure Enable OSPF virtual interface authentication failure trap
virtif-config-error Enable OSPF virtual interface config error trap
virtif-rx-bad-packet Enable OSPF virtual interface receive bad packet trap
virtif-state-change Enable OSPF virtual interface state change trap
virtif-tx-retransmit Enable OSPF virtual interface retransmit trap
virtnbr-state-change Enable OSPF virtual neighbor state change trap
pim Enable SNMP PIM traps
neighbor-loss Enable PIM neighbor loss trap
rsvp Enable SNMP RSVP traps
lost-flow Enable RSVP lost flow trap
new-flow Enable RSVP new flow trap
snmp Enable SNMP traps
authentication Enable authentication trap
coldstart Enable coldstart trap
enterprise Enable enterprise specific traps
linkdown Enable link dowm trap
linkup Enable link up trap
warmstart Enable warmstart trap
x.25 Enable SNMP x.25 traps
reset Enable SNMP x.25 traps
restart Enable SNMP x.25 traps
Some debugging commands of the network management proxy:

Router# show snmp-server
Note:
The command is used to display the current statistics information about the network management proxy of the router:
Router# show snmp-server
0 SNMP packets input:
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied

0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
2 SNMP packets output:
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
2 Trap PDUs
0 SNMPv3 Reports:
0 Unknown Security Models
0 Invalid Msgs
0 Unknown PDUHandlers
0 Unavailable Contexts
0 Unknown Contexts
0 Unsupported SecLevels
0 Not In TimeWindows
0 Unknown UserNames
0 Unknown EngineIDs
0 Wrong Digests
0 Decryption Errors
The foregoing information indicates that the router hasn’t received the SNMP message presently, but has sent two trap
SNMP messages that are trap messages. The information SNMPv3 Reports describes is the error statistics information that
appears when SNMPv3 messages are processed.
Router# show snmp-server community
Note:
The command is used to display the information about the community that the router has joined in. The execution result
of the command is displayed as follows:
Router#show snmp-server community
Community Name Relating View Index Access Right ACL-name
public 1 Read-Write
private 1 Read-Only
It indicates that the router has joined in two communities: public and private.
Router# show snmp-server host
Note:
The command is used to display the information of the destination address that has been configured on the router and to
which the traps message will be sent. The execution result of the command is displayed as follows:
Router# show snmp-server host
Trap destination Community Trap-Switch Informs-Switch Version
128.255.254.55 public ON OFF Ver 2
mp-12434 public ON OFF Ver 2
It indicates that the router has set the destinations to which the two traps messages will be respectively sent: 128.255.254.55
and mp-12434.
Router# show snmp-server oidAlias
Note:
The command is used to display the oid sequence’s alias that has been set on the router:
Router# show snmp-server oidAlias
the Alias of snmp oid list:
Oid Alias Oid Serial
MIB-II 1.3.6.1.2.1
ifEntry 1.3.6.1.2.1.2.2.1
MIB-II_system 1.3.6.1.2.1.2.1
It indicates that three oid aliases have been set on the router: the aliases of 1.3.6.1.2.1, 1.3.6.1.2.1.2.2.1 and 1.3.6.1.2.1.2.1 are
MIB-II, ifEntry and MIB-II_system (The three oid aliases are the default configuration of the SNMP proxy of the router.).
Router# show snmp-server view
Note:
The command is used to display the view that has been configured on the router:(Generally, a view is composed of
several sub-tree nodes) :
Router# show snmp-server view
SNMP View List:
View Name View index view operator subtree filter oids
default 1 include 1.3.6.1
It indicates that one view has been configured on the router: its name is default, and view index is 1, including all nodes
under the sub-tree 1.3.6.1. (The view is the default configuration of the SNMP proxy of the router).
Configuring SNMPv3 engine ID:

z router(config)#snmp-server engineID ?
Command Description
remote Configuring the remote engine ID.
local Configuring the local engine ID.
Note:
Each SNMPv3 entity includes an engine (also called local engine), and snmpEngineID is used to exclusively identify
an SNMPv3 entity in a management domain. Moreover, when sending an advertisement or forward a message, the SNMPv3
need know the engineID of the remote destination SNMP entity. So, the remote engineID need be configured, and the
destination IP address and UDP port number need be specified for the engineID.
z router(config)#snmp-server engineID local engineID
Command Description
engineID The value of the local engineID.
For example:
Use the following command to configure the local engineID as 12345678:
router(config)#snmp-server engineID local 12345678
z router(config)#snmp-server engineID remote ip-address port-num engineID [engineGroup]

Syntax Description
ip-address The IP address of the destination entity.
port-num The UDP port-number of the destination entity.
engineID The value of the remote engineID.
[engineGroup] The engine group name.
Note:
When configuring automatic proxy forwarding, you many know no IP address of the surrogated equipment. Here, you
do nothing but input 0.0.0.0 at the location of ip-address. Moreover, the automatic proxy forwarding can not work without the
keepalive mechanism.
For example:
Use the following command to configure the destination entity: IP address—1.1.1.1, port-number—162èengineID—
abcdef1234:
router(config)#snmp-server engineID remote 1.1.1.1 162 abcdef1234
z router(config)#snmp-server engineGroup groupname usrname {noauth |auth |priv}

Syntax Description
groupname The name the engine group.
usrname The user name.
{noauth |auth |priv} The security level of the username :no-authentication, authentication but
encryption, authentication and encryption.
Note:
The foregoing command is used to configure the automatic proxy forwarding. Before the command is configured, the
corresponding username need be configured in advance. The function of the command is to relate several engines (SNMPv3
entities) to an engine group. One user can be specified for each engine group. In this way, the username can be used to access
any engine of the engine group. The parameter {noauth |auth |priv} is used to describe the security level of the username,
and must be consistent with the username.
For example:
Use the following command to configure an engine group: group-name—group1, username—user1, security level—
auth:
router(config)#snmp-server engineGroup group1 user1
Configuring an SNMPv3 group:

z Router(config)#snmp-server group group-name v3 {noauth|authnopriv|authpriv} [notify notify-view] [read read-
view] [write write-view]
Syntax Description
group-name The group name.
v3 The security mode of the group is v3.
noauth The security level of the group is no-authentication no-encryption.
authnopriv The security level of the group is authentication no-encryption.
authpriv The security level of the group is authentication encryption.
notify notify-view Configure the notify-view of the group.
read read-view Configure the read-view of the group.
write write-view Configure the write-view of the group.
Note:
In the SNMPv3 group, map a group-name, security information and message type (read, write or notify) into a MIB
view. A given MIB view can determine whether a managed object does not permit of being accessed. At the same time,
several SNMPv3 users can be related to the group. The configuration of the group can strengthen the SNMPv3 access control.
For example:
Use the following command to configure a group: group name—group1, security level—authentication encryption,
notify-view—view3, read-view—view1, and write-view—view2.
Router(config)#snmp-server group group1 v3 authpriv read view1 write view2 notify view2
Configuring SNMPv3 user:

Router(config)Ïsnmp-server user user-name group-name [remote ip-address portnum] v3 [auth {md5|sha} password
[encrypt des password]]
Syntax Description
user-name The username.
group-name The name of the group the user belongs to.
remote ip-address portnum The IP address of and port-number of the remote user.
v3 The user security mode is v3.
auth {md5|sha} password Configure the user authentication protocol as MD5 or SHA, and specify
the password.
encrypt des password Configure the user encryption protocol as DES, and specify the password.
Note:
Configure an USM-based (User security mode) SNMPv3 user, and save the authentication and encryption information
of each user. Notice that the encryption protocol can not be configured until the authentication protocol is configured. For a
remote user (“Remote” is relative to the local SNMPv3 entity. If the local SNMPv3 entity wants to communicate with the
other entity, then the other entity is called “remote” SNMPv3 entity. This will be involved in Notify and Proxy. ), the IP
address and UDP port-number are still specified. When configuring the remote user, you must firstly configure the engineID
of the remote SNMP entity corresponding to the user. Moreover, each user must be corresponding to a group. Only in this
way can a security model and security name be mapped into a group name by means of the view-based control access í
For example:
Use the following command to configure a user: the user name—user1, corresponding group name-group1, security
level—authentication encryption, authentication protocol—MD5, password—123456, encryption protocol—DES,
password—234567.
Router (config)# snmp-server user user1 group1 v3 auth md5 123456 encrypt des 234567
Use the following command to configure a remote user: the user name—user2, IP address—1.1.1.1, port-number—162,
security level—authentication encryption, authentication protocol—SHA, password—123456, encryption protocol—DES,
password—123456.
router(config)#snmp-server user user2 group1 remote 1.1.1.1 162 v3 auth sha 123456 encrypt des 123456
Configuring SNMPv3 Address Parameter:

z router(config)#snmp-server AddressParam address-name v3 user-name {noauth | authnopriv | authpriv}
Syntax Description
address-name The address name.
v3 The message processing model v3 used for the generation of SNMP
messages.
user-name The user name corresponding to the address parameter.
noauth The security level is no-authentication no-encryption.
authnopriv The security level is authentication no-encryption.
authpriv The security level is authentication encryption.
Note:
Some MIB tables have been defined in SNMPv3 so as to configure the destination to which the notify-message is sent.
The address parameter table defines the SNMP parameters that should be used when a message (notification) is generated.
For example:
Use the following command to configure the address parameter: parameter name—addparam1, message processing
model—v3, the corresponding user name (also called security name)—user1, security level—authpriv.
router(config)#snmp-server AddressParam addparam1 v3 user1 authpriv
Configuring the destination address table:
z router(config)#snmp-server TargetAddress target-name ip-address port-num address-param taglist time-out retry-
num
Syntax Description
target-name The address name.
ip-address The destination address.
port-num The UDP port-number.
address-param The address parameter name.
taglist The tag list.
time-out The timeout.
retry-time The times of retransmission.
Note:
The destination address table is used to specify the destination that is used when the SNMP message is generated.
(Notice that TargetAddress and AddrssParam can not be configured until the local SNMPv3 entity accesses the other
(remote) SNMPv3 entity). What you need know is: address-param is the address parameter name that has been configured in
the address parameter table; taglist, which can be configured with multiple values spaced by commas, is used to identify the
notify-message and forward messages to the other destination address.
For example:
Use the following command to configure the destination address table: the addressname—target1, IP address—1.1.1.1,
UDP port-number—162, the corresponding address parameter name—addparam1, the tag-table—tag1 and tag2, timeout—2
seconds, try-time—2.
router(config)#snmp-server TargetAddress target1 1.1.1.1 162 addparam1 tag1,tag2 2 2
Configuring notification:
z Use the following command to perform the configuration of SNMPv3: configure the notification parameter table,
notification filtering table and notification configuration table.
z router(config)#snmp-server notify ?
Command Description
filter Configure the filtering table of the notification.
notify Configure the notification parameter table.
profile Configure the notification configuration table.
Thereinto:
z The notification parameter table is used to specify the destination address to which the notification message is sent.
Whether the notification message is sent to a destination address depends on whether the created filter contains the
destination address.
The notification filtering table has defined a filter that is used to determine whether the notification message is sent to the
destination address.
The notification configuration table is used to relate the foregoing address parameters to the notification parameter table.
About the detailed information about SNMPv3’s fundamentals and functions, refer to the related data about the SNMP
protocol.
z router(config)#snmp-server notify notify notify-name taglist inform
Syntax Description
notify-name The notification name, used to index the unique identification of the
notification table.
taglist The tag value, corresponding to the tag list configured in the address table.
inform Specify the type of the notification message as inform.
Note:
In SNMPv3, the destination address need be specified when a notification is sent. Whether the notification message can
be sent to a destination address depends on whether the created filter contains the destination address. About the detailed
information about SNMPv3 notification, refer to the related technical manuals.
For example:
Use the following command to configure a notification message: the name—notify1, the tag-value—tag1.
router(config)#snmp-server notify notify notify1 tag1 inform
z router(config)#snmp-server notify notify filter-name oid-subtree {exclude|include}
Syntax Description
filter-name The name of the notification filter
oid-subtree MIB sub-tree.
exclude The object under the MIB sub-tree can not send notification message.
include The object under the MIB sub-tree can send notification message.
Notice:
The notification filtering table has defined a filter that can determine whether a message can be sent to the destination
address.
For example:
Use the following command to configure a notification filter: the name—filter1, the MIB sub-tree—1.3.6.1, the type—
include.
router(config)#snmp-server notify filter filter1 1.3.6.1 include
z router(config)#snmp-server notify profile filter-name address-param

Syntax Description
filter-name The name of the notification filter
address-param The address parameter name.
notice:
The notification configuration table is used to relate the address parameter table to the notification filtering table. If both
a notification filtering table and a notification configuration table are defined simultaneously, the SNMP proxy can detect the
object OID when sending a notification message. If the object OID is contained in the defined MIB sub-tree, the notification
message will be sent, or else, the message can not be sent.
For example:
Use the following command to configure the notification configuration table: the name—filter1, the address parameter
name—addparam1.
router(config)#snmp-server notify profile filter1 addparam1
z router(config)#snmp-server proxy proxyname {inform | trap |read | write} engineId address-param target-addr
Syntax Description
proxyname The forwarding configuration name.
{inform | trap |read | write} The message property that need be matched.
engineId The engine ID that need be matched.
address-param The address parameter name that need be matched.
target-addr The destination address name for forwarding.
Note:
The goal of snmp proxy forwarding is to forward the SNMP request to other SNMP entity. To do it, it may be necessary
to convert one version to another version or convert one transmission domain to another transmission domain. Presently, the
SNMP on Maipu equipment can realize nothing but the v3-to-v3 forwarding, is mainly applied to the conversion from one
transmission domain to another transmission domain. Additionally, two message properties trap and inform in the table above
can not be supported.
For example:
Use the following command to configure a proxy forwarding item: the name—proxy1, the address parameter name—
param1, the destination address name—addr1, the engine—1111, message property—read.
router(config)#snmp-server proxy proxy1 read 1111 param1 addr1
z router(config)#snmp-server keepalive destination ip-addr

Syntax Description
ip-addr Configure the destination address of the sent keepalive message.
For example:
Use the following command to configure the destination addresses of two keepalive messages: 202.1.25.1 and
179.68.0.4:
router(config)#snmp-server keepalive destination 202.1.25.1
router(config)#snmp-server keepalive destination 179.68.0.4
z router(config)#snmp-server keepalive interface if-name

Syntax Description
if-name Configure the interface address carried by the sent keepalive message.
Note:
A keepalive message can carry only one interface address. If the interface address has not been configured, the address
of the interface fastethernet0 is carried by default. The keepalive message is used to maintain the SNMP proxy forwarding
table. For a configured proxy forwarding item, if no corresponding keepalive message is received in a period of time, the
proxy forwarding item will be discarded.
For example:
Use the following command to configure a keepalive message: carry the address of the interface ethernet0:
router(config)#snmp-server interface ethernet0
z router(config)#snmp-server keepalive interval { interval-time | default }

Syntax Description
interval-time Configuring the interval of sending a keepalive message.
Default Adopt the default interval of sending a keepalive message: 10 seconds.
For example:
Use the following command to configure the interval of sending a keepalive message as 6 minutes.
router(config)#snmp-server keepalive interval 360
z router(config)#snmp-server notify interface interface-name [with {hostname | saId | engineId}]

Syntax Description
interface-name Configure the interface address that is carried by the sent keepalive
message.
{hostname | said | engineId} Configure whether the host name, channel ID and engineID are carried by
the keepalive message.
Note:
The command is used to be compatible with the old version of keepalive messages that adopt the notify format. The
snmp-server keepalive series commands can be used to configure the new version of keepalive messages.
The command snmp-server host is used to determine the destination address of the keepalive message adopting the
notify format.
Said is the identification of the security alliance. About the detailed information about security alliance, refer to the
related IPSec technical documents.
For example:
Use the following command to configure a keepalive message: to carry the address of the interface ethernet0, engineID
and host name information.
router(config)#snmp-server notify interface ethernet0 with engineId hostname
z
z router(config)#snmp-server notify interval { interval-time | default }
Syntax Description
interval-time Configure the interval of sending a keepalive message.
Default Adopt the default interval of sending a keepalive message: 10 seconds.
Note:
The command is used to be compatible with the old version of keepalive messages. The snmp-server keepalive series
commands can be used to configure the new version of keepalive messages.
The interval is independent of the value of the command snmp-server keepalive interval, and there exist no mutual
influence between them.
For example:
Use the following command to configure the sending interval of a keepalive message as 3 minutes:
router(config)#snmp-server notify interval 180
router#show snmp-server engineID

Note:
The command is used to display the engineID (including both remote engineID and local engineID ) that has been
configured on the router:
router#show snmp-server engineID
Local engine ID: 12345678
IPAddress: 1.1.1.1.0.162 remote engine ID: abcdef1234
The information above indicates that two engineIDs have been configured on the router: one is the local engineID and
another is the remote engineID.
router#show snmp-server group

Note:
The command is used to display the SNMP user group that has been configured on the router:
router#show snmp-server group
GroupName: group1 SecModel:v3,SecLevel:authpriv
Read View: readview
Write View: writeview
Notify View: notifyview
A SNMP user group has been configured on the router, the group name—group1, the security model—v3, the security
level—authentication encryption, the read-view—readview, the write-view—writeview, and the notification view—
notifyview.
router#show snmp-server user

Note:
The command is used to display the users that have been configured on the router:
router#show snmp-server user
SNMP User List:
User Name SecLevel Status EngineID
===========================================================
user1 AuthPriv active 12345678
user2 AuthPriv active abcdef1234
z Two users have been configured on the router: the security level—authentication encryption, the corresponding
engine ID—12345678/ abcdef1234, which can indicate that the user1 is the local user and the user2 is the remote user.
z
z router#show snmp-server AddressParams
Note:
The command is used to display the address parameter table that has been configured on the router:
router#show snmp-server AddressParams
SNMP TargetAddressParam List:
ParamName User Name MP_model SecurityModel SecurityLevel
==================================================================
addparam1 user2 v3 USM authpriv
z Configure the address parameter on the router; the name—addparam1, the corresponding user—useer2, the message
processing mode—v3, the security model—USM, the security level—authentication encryption.
z
z router#show snmp-server TargetAddress
Note:
The command is used to display the destination address table that has been configured on the router:
z
z router#show snmp-server TargetAddress
TargetAddressList:
===================================================
Name: target1
Address: 1.1.1.1.0.162
ParamName: addparam1
TagList: tag1 tag2
TimeOut(sec) :2
RetryCount :2
===================================================
z A destination address item has been configured on the router: the name—target1, the destination address—1.1.1.1,
UDP port-number—162, the taglists—tag1 and tag2, the timeout—2 seconds, try-time—twice.
z
z router#show snmp-server notify notify
Note:
The command is used to display the notification table configured on the router.
router#show snmp-server notify notify

SNMP Notify List:
Name Tag Type
========================================================
notify1 tag1 inform
z A notification table has been configured on the router: the name—notify1, the corresponding tag—tag1, the message
type—inform
z router#show snmp-server notify filter
Note:
The command is used to display the notification filtering table configured on the router.
router#show snmp-server notify filter

SNMP Notify Filter List:
Name FilterSubtree Type
=============================================================
filter1 1.3.6.1 include
z A notification filter table filter1 has been configured on the router, including all nodes under the MIB sub-tree
1.3.6.1.
z router#show snmp-server notify profile
Note:
The command is used to display the notification configuration table configured on the router.
router#show snmp-server notify profile
SNMP Notify Profile List:

Name ParamName Status
=============================================================
filter1 addparam1 Active
z From the configuration above, you can know: the notification filter filter1 is related to the address parameter name
addparam1.
z router#show snmp-server engineGroup
Note:
The command is used to display the engine group configured on the router.
Snmp Debugging command :
Command Description
Debug snmp-server all Debug all snmp, excluding response
Debug snmp-server groupget Debug SCALAR variables GET
Debug snmp-server groupset Debug SCALAR variables SET
debug snmp-server response The response of last operation
Debug snmp-server tblgetnext Debug TABULAR variables GETNEXT
Debug snmp-server tblset Debug TABULAR variables SET
Debug snmp-server trap Debug TRAP

16.3 Remote Network Monitoring (RMON)
RMON instruction set is listed as follows:
Command Description
router(config)#rmon Activate the RMON
task.
router(config)#no rmon Cancel the RMON
task.
router(config)#rmon alarm <1-65536> <OID> <1-65536> absolute/delta risingthreshold Configure the RMON
<0-2147483647> <1-65536> fallingthreshold <0-2147483647> <1-65536> alarm.
router(config)#rmon event <1-65536> description word log <1-65536> owner <word> Configure the RMON
trap <word> event.
The procedure to configure the remote monitoring RMON on the MP router is described as follows:
Step 1: Start the remote monitoring RMON.
router (config)#rmon < CR >
Step 2: Configure relative alarms and objects that are remotely monitored.
router(config)#rmon alarm <1-65536> <OID> <1-65536> absolute/delta risingthreshold <0-2147483647> <1-65536>
fallingthreshold <0-2147483647> <1-65536>
Note:
The parameter <1-65536> behind rmon alarm is the serial number of the alarm;
The parameter <OID> is the object that is remotely monitored (an index need be added behind the object oid). The
object can be represented with an oid sequence or an oid alias, and the following parameter <1-65536> is the time interval to
sample the value of the parameter <OID>÷
The parameter absolute/delta indicates that the type of sampling is of the absolute/relative value÷
The parameter <0-2147483647> behind the parameter risingthreshold is the rising threshold value, and the parameter
<1-65536> indicates the serial number of the event that arises when the rising threshold value is triggered (the default value
is 1)÷
The parameter <0-2147483647> behind the parameter fallingthreshold is the falling threshold value, and the parameter
<1-65536> indicates the serial number of the event that arises when the falling threshold value is triggered (the default value
is 1);
At present, the rmon has only realized monitoring the 10th –21st objects in the interface table (ifTable) of the standard
MIB. The object alias ifEntry of the interface table has been generated automatically in the OID table when the system starts
up. About some information about supporting OID variable, refer to the command router# show rmon alarm
supportVariable.
Step 3: Configure the action that will be implemented proportionally when the remote monitoring RMON is triggered.
router(config)#rmon event <1-65536> description word log <1-65536> owner <word> trap <word>
Note:
The parameter <1-65536> behind rmon event is the serial number of the event ÷
The parameter word behind description is the description of the event. The parameter log <1-65536> and trap <word>
represents the event action. The parameter log indicates that the recording is implemented in the log; the parameter <1-
65536> represents the maximal number of records÷The parameter trap denotes the remote destination to which the trap
information is sent, and the parameter <word> denotes the community name.
The parameter owner <word> denotes the owner of the event.
An example of RMON Configuration
Remotely monitoring the OID object ifEntry.10 on the interface fastethernet0 of the router demands that the ifEntry.10
should be sampled one time every other 5 seconds (Suppose that the interface index of the interface f0 is 1, the object
instance is ifEntry.10). The rising threshold value and the falling threshold value are 5000 respectively. If the sampling result
triggers the threshold, then the trap message will be sent to the community public. At the same time, it will be recorded in
the log on the router (At most 100 records can be recorded.). The detailed configuration is described as follows:
router (config)#rmon
router (config)#rmon alarm 1 ifEntry.10.1 5 absolute risingthreshold 5000 1 fallingthreshold 5000 1
router (config)#rmon event 1 description Monitoring the number of bytes received on the interface f0
log 100 trap public
RMON debugging commands
The RMON command show is used to display the basic information:
Command Description
router# show rmon event Display the information about the rmon event that has
been configured.
router# show rmon alarm Display the information about the rmon alarm that has
been configured.
router# show rmon alarm supportVariable Examine the monitored objects that rmon supports
presently.
Note:
show rmon event—to display the information about the rmon event that has been set:
router# show rmon event
Output:
Event 1 is active, owned by config
Description : maipu
Event firing causes: log and trap, last fired at 00:25:17
Current log entries:
logIndex logTime Description
----------------------------------------------------------------
4 00:12:27 Rising threshold crossing

Description :
Event firing causes: log, last fired at 00:00:00
Description :
Event firing causes: trap, last fired at 00:00:00
Description :
Event firing causes: nothing, last fired at 00:00:00
After the command has been executed, the result output includes:
· The example has 4 rmon events that are identified with 1, 2, 5 and 6 respectively.
· The event 1 triggers the event log and the snmp trap. The last event 1 happens after the system has been started for 25
minutes and 17 seconds. The relative log table can display the log index, the time the event happened and simple description
of events.
· The event 2 and 5 trigger the event log and snmp trap respectively. At present, the two events haven’t happened.
· The event 6 triggers nothing. At present, the event hasn’t happened.
show rmon alarm——to display the information about rmon alarm that has been set:
router# show rmon alarm
Output:
Alarm 1 is active, owned by config
Monitoring variable: ifEntry.10.1 , Sample interval: 10 second(s)
Taking samples type: delta, last value was 6510

Rising threshold : 50, assigned to event: 1
Falling threshold : 40, assigned to event: 1

The example has configured 3 rmon alarms that are identified with 1, 2 and 4 respectively.
The alarm 1 monitors the object instance that is on the interface (whose the index is 1) and corresponding to the 10th object
of ifTable (The number of the total bytes received by the fast Ethernet interface, including the delimiter). The sampling
interval is 10 seconds and sampling type is the delta. The last sample value of the monitored object is 6510. When the sample
rises 50 or falls 40, the event 1 will be triggered (Setting it when configuring the rmon event).
The alarm 2 and alarm 4 respectively monitor the object instances that are on the interfaces (whose the indexes are 1 and 2)
and corresponding to the 10th and 16th objects of ifTable. And the corresponding sampling interval is 50 seconds and 30
seconds respectively. The corresponding triggered events are: alarm 2---- the rising event is the event 2 and the falling event
is the event 5, alarm 4----the rising event is the event 6 and the falling event is the event 1.
show rmon alarm supportVariable——To examine the information about the OID alias of the monitored
objects that are presently supported by rmon.
Output:
Currently support MIB object: (NOTE:be sure to add the index after OID)
ifEntry.[10-21] MIB-II interface table entry
At present, rmon has only realized monitoring the 10th –21st objects in the interface table of the standard MIB. The object
alias ifEntry of the interface table has been generated automatically in OID alias table when the system starts up.
16.3 Remote Network Monitoring (RMON)
RMON Instruction Set
Command Description
router(config)#rmon Activates the RMON task.
router(config)#no rmon Cancels the RMON task.
Configures the RMON alarm information.
router(config)#rmon alarm <1-65536> <OID> <1-65536>
absolute/delta risingthreshold <0-2147483647> <1-
65536> fallingthreshold <0-2147483647> <1-65536>
Configures the RMON event information.

router(config)#rmon event <1-65536> description word
log <1-65536> owner <word> trap <word>
Introducing the RMON router configuration:
Step One: Start RMON by inputting:

router (config)#rmon < CR >
Step Two: Configure the objects that must be remotely monitored by inputting:
router(config)#rmon alarm <1-65536> <OID> <1-65536> absolute/delta risingthreshold <0-2147483647> <1-65536>
fallingthreshold <0-2147483647> <1-65536>
Notes About Step Two:
1) The first <1-65536> parameter (after rmon alarm) is the serial number of the alarm.
2) The <OID> parameter is the object ID that is remotely monitored. The following <1-65536> value is the time
interval parameter that samples the <OID> parameter.
3) Absolute/delta indicates the absolute/relative value.
4) <0-2147483647> after the risingthreshold parameter refers to the rising threshold value, while <1-65536> indicates
the event’s serial number needed when the rising threshold value is triggered.
5) <0-2147483647> after the fallingthreshold parameter refers to the falling threshold value, while <1-65536>
indicates the event’s serial number needed when the falling threshold value is triggered.
Presently, rmon monitors the 10th to 21st objects in the standard MIB interface table. The object alias ifEntry will be
generated automatically in OID table when the system starts.
The following command can output information about the supported OID variable:
router# show rmon alarm supportVariable.
Step Three: Configure the operation when RMON remote monitoring is triggered. Input:
router(config)#rmon event <1-65536> description word log <1-65536> owner <word> trap <word>
Notes About Step Three:
1) The <1-65536> parameter (after rmon event) refers to the event’s serial number.
2) The parameter word after description describes the event. Log <1-65536> and trap <word> indicate the event’s
content: the former refers to the log record and the latter indicates the remote destination where the trap information
is being sent.
3) Owner <word> indicates the owner of the event.
RMON Configuration Example:
Remotely monitor the OID variable ifEntry.10 on the router by demanding that it should be sampled once every five
seconds. The rising and falling threshold values are both 5,000. If the sampled result triggers the threshold, then the trap
information will be sent to public. At the same time, this activity will be recorded in the router’s log.
To start the configuration, input:
router (config)#rmon <cr>
router (config)#rmon alarm 1 ifEntry.10 5 absolute risingthreshold 5000 1 fallingthreshold 5000 1 <cr>
router (config)#romon event 1 description monitoring the variable ifEntry log 1000 trap public
Debugging RMON Commands:
The RMON show command displays the basic information:
Command Description
router# show rmon event Displays configured rmon event data.
router# show rmon alarm Displays configured rmon alarm data.
router# show rmon alarm supportVariable Examines the OID alias data of RMON’s monitored objects.
To display information about the RMON event, input router # show rmon event.
Output:
Description: Maipu
Event firing causes: log and trap, last fired at 00:25:17
Current log entries:
logIndex logTime Description
----------------------------------------------------------------

Description:
Event firing causes: log, last fired at 00:00:00
Description:
Event firing causes: trap, last fired at 00:00:00

Description:
Event firing causes: nothing, last fired at 00:00:00
Notes:
1) The example has 4 rmon events, respectively identified by 1, 2, 5 and 6.
2) Event 1 triggers the log and the SNMP alarm. The relative log table can display the log index, the time the event
happened and a simple description of events. (The last Event 1 happened after the system had been active for 25
minutes and 17 seconds.)
3) Event 2 and 5 triggers the event log and SNMP alarm respectively. (In the example, these things haven’t been
triggered.)
4) Event 6 triggers nothing.
To display data about the set rmon alarm, input router# show rmon alarm
Output:
Monitoring variable: ifEntry.10.1, Sample interval: 10 second(s)
Rising threshold: 50, assigned to event: 1
Falling threshold: 40, assigned to event: 1

Notes:
1) The preceding example has configured 3 rmon alarms, respectively identified by 1, 2 and 4.
2) Alarm 1 monitors the 10th object whose interface table index is 1 (ie. the total amount of bytes received by the
Ethernet interface, including the delimiter). The sampling interval is 10 seconds and sampling type is delta. The
last sample value of the monitored object is 6,510. When the sample rises above 50 or falls below 40, event 1 will
be triggered (ie. the configuration of the RMON event).
3) Alarm 2 and Alarm 4 monitors interfaces 15 and 16, whose interface index is respectively 1 and 2. The
corresponding sampling interval is respectively 50 seconds and 30 seconds. The corresponding triggered events are:
Alarm 2 (ie. the rising event is Event 2 and the falling event is Event 5) and Alarm 4 (ie. the rising event is Event 6
and falling event is Event 1.)
To examine the OID alias data of the monitored objects presently supported by rmon, input:
show rmon alarm supportVariable
Output:
Currently support MIB object: (NOTE: be sure to add the index after OID)
ifEntry.[10-21] MIB-II interface table entry
Note: Rmon is only set up to monitor the 10th to 21st objects in the standard MIB interface table. The ifEntry interface
table object alias will generate automatically in the OID table when the system restarts.
Chapter 17 SNTP Configuration
Simple Network Time Protocol (SNTP) is a TCP/IP protocol that is used to distribute the exact time within the whole
network, and it mainly solves the problem to keep the clocks of all the routers within the network synchronous. All Maipu
routers have their own system clocks and can save the current date and time.
Relevant commands to configure SNTP
An example of SNTP configuration
Checking and debugging SNTP
Configuring the time zone
17.1 Relevant commands to configure SNTP
sntp server
This command can be used to configure the name or IP address of the used SNTP server, and the form no of this command
can be used to remove the configured SNTP server.
sntp server ip-address
no sntp server
Syntax Description
ip-address The IP address of the SNTP server that the client uses.
£Default¤No SNTP server is configured.

sntp broadcast
This command can be used to control whether the SNTP client receives NTP/SNTP broadcast packet.
sntp broadcast {enable|disable}
£Default¤The default is DISABLE.
sntp interval
This command can be used to control the interval between two SNTP requirement packets, and the form no of the command
can be used to reset the default value.
sntp interval time-value
Syntax Description
time-value The value of the interval between two SNTP request packets, and its value range is
between 60s and 3600s.
£Default¤The default value is 60 seconds.

sntp timeout
This command can be used to control the interval for the client-side to wait the server response after it sends a request, and
the form no of the command is used to reset the default value.
sntp timeout time-value
Syntax Description
The value of the interval for the client to wait the server response after it sends a
time-value
request, and its value range is between 300s and 600s.
£Default¤The default value is 300 seconds.

17.2 An Example of SNTP Configuration
As shown in the following figure, CISCO router serves as the NTP server.

Ethern
Configuring under the CONFIG mode of the Maipu router:
Command Task
Router(config)# sntp server 129.255.6.88 Configure the IP address of the NTP server with
129.255.6.88.
17.3 Checking and Debugging SNTP

debug sntp
This command is used to open the switch of SNTP debugging information. The form no of the command is used to close the
SNTP debugging function.
show sntp statu
This command is used to display the SNTP packets that update the system time.
show sntp status
show clock
This command is used to display the system time.
£Command mode¤The common user mode./ The privilege user mode
service timestamps debug datetime localtime msec show-timezone
In DEBUG information, this command is used to display the current time in the local time format and the
time zone information, accurate to an extent of the millisecond.
service timestamps log datetime localtime msec show-timezone
In the log, this command is used to display the current time in the local time format and the time zone
information, accurate to an extent of the millisecond.
17.4 Configuring the Time Zone
clock timezone
This command is used to switch the Universal Time Coordinated (UTC) in the displayed information into the time of the
configured time zone.
clock timezone timezone-name hour-offset minute-offset
Syntax Description
Timezone-name The time zone name.
Hour-offset The hour offset relative to UTC time, and its value range is
between –23 and 23.
minute-offset The minute offset relative to UTC time, and its value range
is between 0 and 59.
£Default¤The default value is the Universal Time Coordinated (UTC).

17.5 An Example of Time Zone Configuration
As shown in the following figure, the Chengdu time zone is configured on the Maipu router that serves as the SNTP
CLIENT, and its hour offset relative to UTC standard time on the SNTP server is 9.
Ethernet
Command Task
Router(config)# clock timezone chengdu 9 Configure the hour offset relative to UTC standard time with
9.
Chapter 18 Multicast Route Configuration
This chapter mainly introduces the core multicast packet forwarding on a router, IGMP application and the selection of
multicast routes.
Main contents of this chapter are as follows:
Configuring IGMP
Configuring PIM-SM
18.1 Configure IGMP
IGMP (Internet Group Management Protocol) is one of the TCP/IP protocol family that answers for managing the IP
multicast members, and it is mainly used to create and maintain the multicast membership between an IP host and multicast
routers that connect with it directly.
Currently, the IGMP Version 2 is adopted popularly, and it specifies three types of packets: Membership Query packet,
Membership Report packet and Leave Group packet.
Membership-query packet:
According to the different addresses, Membership-query packets are divided into general-query packets (by which the
router can know what members there are in the direct network, with the destination group address being 224.0.0.1) and
group-specific-query packets (by which the router can knows whether there is a specific group member in the direct network,
with the destination group address being 0 or a valid multicast group address).
Membership-report packet:
When receiving a membership-query packet, the host identifies the group on the interface that sends this query packet, and
sets a Host Group Delay timer for each member group. When this timer expires, the host sends a membership-report packet
to this router. When this router receives the packet, it adds this group into the local group member list in the network at which
this group is located, and enables the Group Membership Interval timer. If the router still doesn’t receive any membership-
report packet when the maximal query response timer expires, then this indicates that there is no local group member in the
network, and the router needn’t forward the received multicast packets to the network with which it connects.
Leave-group packet:
IGMP Version 2 allows a host to send a leave-group packet (with the destination group address 224.0.0.2) to all routers
when it leaves a multicast group.
IGMP is unsymmetrical between the host and the router. For the host side, it needs to respond the IGMP query packet of
the multicast router with a membership-report packet; for the router side, it needs to send general-query packets periodically,
and then to determine what members there are in the network at which the router itself is located according to the received
response packets. Subsequently, when receiving the leave-group packet of the host, the router sends a specific-member-query
packet to determine whether there exists no member in a specific group.
Main contents of this chapter are as follows:
Descriptions of commands to configure IGMP
An example of IGMP configuration
Monitoring and debugging IGMP
18.1.1 Descriptions of commands to configure IGMP
ip igmp join-group
This command is used to configure the router interface to be a multicast group member. The form no of this command is
used to delete the router interface from the group membership.
ip igmp join-group groups-address
no ip igmp join-group groups-address
Syntax Description
groups-address Groups-address is the group address to be added into the
multicast group.
£Default¤Invalid.
ip igmp query-interval
This command is used to configure the interval for the router to send IGMP query packets. The form no of this command
is used to reset the default value of the interval for the router to send IGMP query packets.
ip igmp query-interval seconds
no ip igmp query-interval
Syntax Description
Seconds The interval to send IGMP query packets, and its value range is between 1
and 65535.
£Default¤The default value of the interval for the router to send IGMP query packets is 60 seconds.
ip multicast-routing
This command is used to enable the multicast routing. The form no of this command is used to disable the multicast
routing.
no ip multicast-routing
£Default¤Disables the multicast routing.
18.1.2 An Example of IGMP Configuration
The example is illustrated as the following figure:
Source (group 224.1.1.23)
Video camera
Video
terminal
Illustration:
The interface s0/1 Ô22.1.1.1Õof the local router router1 adopts the PPP protocol to connect with the interface s1/1Ô
22.1.1.2Õof the opposite-end router router2. The local serverÔ129.255.94.76Õserves as the source the multicast group
224.1.1.23, in which a member (namely a video terminal) connects with the opposite-end router. In fact, the opposite-end can
simultaneously serve as both a multicast source and a video terminal; similarly, the local-end can also serve as a video
terminal.
o The relevant configurations of router1 / router2 are as follows:
Command Task
router1(config)#ip multicastÉrouting Enable the multicast routing protocol.
router1(config-if-serial0/1)#physical-layer sync
router1(config-if-serial0/1)#clock rate 2000000
255.255.255.0
This command is used to configure the multicast
router1(config-if-serial0/1)#ip pim sparse-mode routing protocol, also used for all interfaces that forward
multicast.
This command is used to add the local router into
router1(config-if-serial0/1)#ip igmp join-group
the multicast group 224.1.1.23, but it is not necessary,
224.1.1.23
and usually used for debugging.
Modify the default IGMP query interval to be 30
router1(config-if-serial0/1)#ip igmp query-interval 30
seconds.
router1(config-if-serial0/1)# interface f0
router1(config-if-fastethernet0)#ip address
129.255.22.253 255.255.0.0
router1(config-if-fastethernet0)#ip pim sparse-mode routing protocol, and also used for all interfaces that
forward multicast.
router1(config-if-fastethernet0)#exit
router1(config)#ip pim rp-candidate s0/1 Configure multicast RP proxy.
router1(config)#ip pim bsr-candidate s0/1 Configure multicast BSP proxy.
router2#conf t
router2(config)#ip multicastÉrouting Enable the multicast routing.
router2(config-if-serial1/1)#physical-layer sync
255.255.255.0
router2(config-if-serial1/1)#ip pim sparse-mode routing protocol, and also used for all interfaces that
forward multicast.
router2(config-if-serial1/1)#interface f0
router2(config-if-fastethernet0)#ip address 130.255.1.1
255.255.0.0
router2(config-if-fastethernet0)#ip pim sparse-mode routing protocol, and also used for all interfaces that
forward multicast.
router2(config-if-fastethernet0)#exit
Notice:
Please implement the configuration strictly according to the Configuration Manual.
What is discussed here is about the command enable multicast routing and the relevant IGMP management configuration.
For the detailed configuration of the multicast communication, please go on referring to the following sections.
18.1.3 Monitoring and Debugging IGMP
show ip igmp groups
This command is used to display the state of multicast group members, which are gotten from the IGMP information, in
the direct network.
show ip igmp groups
show ip igmp interface
This command is used to display the IGMP interface information.
show ip igmp interface
show ip igmp stat
This command is used to display the status information of IGMP packets.
show ip igmp stat
debug ip igmp
This command is used to display the IGMP DEBUG information, including IGMP sending/receiving packets, and
adding/deleting group members.
debug ip igmp
18.2 Configure PIM-SM

PIM-SMÔProtocol Independent Multicast, Sparse ModeÕapplies to the following situations mainly:
Group members are relatively dispersive and their range is relatively broad.
The network bandwidth resource is relatively limited.
Being independent of any specific unicast routing protocol, PIM-SM supposes that all routers cannot send any multicast
packet to multicast groups unless there exist transmitted explicit requests. Through setting RP (Rendezvous Point) and
leading the router BSR (Bootstrap Router) to announce the multicast information to all PIM-SM routers, and through letting
routers be added into or leave a multicast group explicitly, PIM-SM reduces the network bandwidth occupied by data packets
and control packets. The PIM-SM constructs a sharing RPT (RP Path Tree) whose root is a RP, so that multicast packets can
be transmitted along the RPT. When a host is added into a multicast group, the router, which directly connects with the host,
sends a PIM-addition packet to the RP; while the first hop router of the sender registers the sender onto the RP; and the DR
(Specified Router) of the receiver adds the receiver into the sharing RPT. Using RPT with a RP serving as its root to forward
packets can not only reduce much protocol statuses that need be maintained by the router and the processing cost of the
router, and but also enhance the flexibility of protocols. The data can be switched from RPT to the resource-based SPT
(Shortest Path Tree), so as to reduce the network delay.
Descriptions of Commands to Configure PIM-SM
An Example of PIM-SM Configuration
Monitoring and Debugging PIM-SM
18.2.1 Descriptions of Commands to Configure PIM-SM
ip pim bsr-border
This command is used to configure the PIM area border. The form no of this command is used to delete the PIM area
border.
ip pim bsr-border
no ip pim bsr-border
£Default¤No PIM area border is configured.
£Usage guide¤When the PIM area border is configured, the PIM bootstrap message except other PIM messages can not
traverse the area border.
ip pim bsr-candidate
This command is used to configure an interface to be a candidate BSR. The form no of this command is used to cancel the
interface to be a candidate BSR.
ip pim bsr-candidate interface [hash-mask-length priority]
no ip pim bsr-candidate
Syntax Description
interface Configure the BSR interface name.
hash-mask-length This is the length of the match mask in HASH algorithm, and its value range is
between 0 and 32. The larger the length is, the littler the C-BSR discreteness is; the little
the length is, the larger the C-BSR discreteness is.
priority This is the priority of the candidate BSR, and its value range is between 0 and 255.
The candidate BSR with larger priority is selected as the final BSR; if having an equal
priority, the router with a larger IP address is selected as the final BSR.
£Default¤The hash-mask-length value is 0Øand the priority default value is 0.

Note:
In a PIM-SM area, there must exist a solitary BSR (Bootstrap Router), which answers for gathering and distributing RP
information. Through the bootstrap message, multiple candidate bootstrap routers vote and create a solitary acknowledged
BSR. Before getting this information, C-BSR considers itself as the BSR, and periodically sends the bootstrap message, which
contains the BSR address and corresponding priority, in the PIM-SM area with the multicast address 224.0.0.13. Depending
on the BSR address and BSR priority, the BSR can be voted. Generally, the candidate BSR with larger priority is selected as
the BSR; if having an equal priority, the router with a larger IP address is selected as the BSR.
ip pim query-interval
This command is used to configure the interval for the interface to send a PIM Hello packet. The form no of this command
is used to reset the default value of the interval for the interface to send a PIM Hello packet.
ip pim query-interval seconds
no ip pim query-interval
Syntax Description
seconds This is the interval for the interface to send PIM Hello packet, and its
value range is between 1s and 65535s.
£Default¤The interval is 30 seconds.

ip pim rp-candidate
This command is used to configure an interface to be a candidate RP. The form no of this command is used to cancel the
interface to be a candidate RP.
ip pim rp-candidate interface [group-list access-list-number]
no ip pim rp-candidate interface
Syntax Description
interface This is the interface that is configured as a candidate RP.
access-list-number This is the standard IP access list number, and its value range is between 1 and
1000. And the range is also the service range of the announced RP.
£Default¤If this command is not followed by the parameter group-list, then it indicates that this RP is the candidate RP
for all groups.
Note:
In PIM-SM protocol, the sharing RPT (RP Path Tree) that is created by the route multicast data contains one root (one
rendezvous point) and multiple leaves (multiple group members). The RP is voted through BSR selection. After the BSR is
generated, all C-RPs (Candidate RP) unicasts C-RP messages to the BSR periodically,, and then the BSR diffuse these
messages to the entire PIM area.
It is suggested that the C-RP of the corresponding multicast group should be as close to the corresponding multicast
source as possible when it is configured.
ip pim sparse-mode
This command is used to enable PIM-SM protocol on the interface, simultaneously, to enable IGMP protocol (of the router
version) on the interface if it is not enabled yet. The form no of this command is used to disable PIM-SM protocol on the
interface.
ip pim sparse-mode
no ip pim sparse-mode
£Default¤ PIM-SM is disabled on an interface.
18.2.2 An PIM-SM Configuration Example
The example is illustrated as the following figure:
Video terminal A
Source A (group 230.1.1.1)
Video camera A
Frame relay
Source B (group 224.1.1.2)
Video terminal B
Source C (group 224.2.2.3)
Video terminal C
Video camera C
Illustration:
The interface s2/0 Ô22.1.1.1Õof Router A adopts PPP protocol to connect with the interface s0/0Ô22.1.1.2Õof the
opposite-end Router. The interface s3/0 Ô22.2.2.1Õof the Router B adopts the frame-delay to connect with the interface
s0/0Ô22.2.2.2Õof the opposite-end Router C. The three routers connect respectively with different multicast group sources,
which serve as the receiving-ends simultaneously.
o The router A configuration is as follows:
Command Task
routerA#configure terminal
routerA(config)#ip multicastÉrouting Enable the multicast routing.
routerA(config)#interface s2/0
routerA(config-if-serial2/0)#physical-layer sync
routerA(config-if-serial2/0)#clock rate 1800000
routerA(config-if-serial2/0)#encapsulation ppp
routerA(config-if-serial2/0)#ip address 22.1.1.1 255.255.255.0
routerA(config-if-serial2/0)#ip pim sparse-mode This command is used to configure the
multicast routing protocol, and used for all
interfaces that forward multicasts.
routerA(config-if-serial2/0)#interface f0
routerA(config-if-fastethernet0)#ip address 80.255.22.253 255.255.0.0
routerA(config-if-fastethernet0)#ip pim sparse-mode This command is used to configure the
multicast routing protocol, and used for all
interfaces that forward multicasts.
routerA(config-if-fastethernet0)#exit
routerA(config)#ip access-list standard 1 Configure the standard access list.
routerA(config-std-nacl)#permit host 230.1.1.1 Configure the usage range of the access list.
routerA(config-std-nacl)#exit
routerA(config)#ip pim rp-candidate fastethernet0 group-list 1 Configure the RP proxy of the specified
group.
routerA(config)#ip pim bsr-candidate s2/0 Configure the multicast BSR proxy.
routerA(config)#router ospf 1
routerA(config-ospf)#network 22.1.1.0 0.0.0.255 area 5
routerA(config-ospf)#network 80.255.0 0.0.255.255 area 5
o The router B configuration is as follows:
Command Task
routerB(config)# configure terminal
routerB(config)#ip multicastÉrouting Enable the multicast routing.
routerB(config)#frame-relay switching
routerB(config)#interface s0/0
routerB(config-if-serial0/0)#physical-layer sync sync
routerB(config-if-serial0/0)#encapsulation ppp
255.255.255.0
routerB(config-if-serial0/0)#ip pim sparse-mode This command is used configure the multicast
routing protocol, and used for all interfaces that
forward multicasts.
routerB(config-if-serial0/0)#interface f0
routerB(config-if-fastethernet0)#ip address 129.255.22.253
255.255.0.0
routerB(config-if-fastethernet0)#ip pim sparse-mode This command is used to configure the multicast
forward multicasts.
routerB(config-if-fastethernet0)#interface serial3/0
routerB(config-if-serial3/0)#clock rate 2000000
255.255.255.0
routerB(config-if-serial3/0)#ip pim sparse-mode
routerB(config-if-serial3/0)#encapsulation frame-relay
routerB(config-if-serial3/0)#frame-relay intf-type dce
routerB(config-if-serial3/0)#frame-relay interface-dlci 100
routerB(config-if-serial3/0)#frame-relay map ip 22.2.2.2 100
broadcast
routerB(config-if-serial3/0)#exit
routerB(config)#ip access-list standard 1 Configure the standard access list.
routerB(config-std-nacl)#permit host 224.1.1.2 Configure the usage range of the access list.
routerB(config-std-nacl)#exit
routerB(config)#ip pim rp-candidate fastethernet0 group-list Configure the RP proxy of a specific group.
1
routerB(config)#router ospf 1
routerB(config-ospf)#network 22.0.0.0 0.255.255.255 area 5 Enable the OSFP on interfaces s0/0 and s3/0..
routerB(config-ospf)#network 129.255.0.0 0.0.255.255.255 Enable the OSFP on the interface f0.
area 5
o The Router C is configured as follows:
Command Task
routerC(config)# configure terminal
routerC(config)#ip multicast-routing Enable the multicast routing.
routerC(config)#int s0/0
routerC(config-if-serial0/0)#ip address 22.2.2.2
255.255.255.0
routerC(config-if-serial0/0)#ip pim sparse-mode This command is used to configure the multicast
forward multicasts.
routerC(config-if-serial0/0)#encapsulation frame-relay
routerC(config-if-serial0/0)#frame-relay intf-type dte
routerC(config-if-serial0/0)#frame-relay interface-dlci 100
routerC(config-if-serial0/0)#frame-relay map ip 22.2.2.1
100 broadcast
routerC(config-if-serial0/0)#interface f0
routerC(config-if-fastethernet0)#ip address 94.255.22.33
255.255.0.0
routerC(config-if-fastethernet0)#ip pim sparse-mode This command is used to configure the multicast
forward multicasts.
routerC(config-if-fastethernet0)#exit
routerC(config)#ip access-list standard 1
routerC(config-std-nacl)#permit host 224.2.2.3 Configure the usage range of the access list.
routerC(config-std-nacl)#exit
routerC(config)#ip pim rp-candidate f0 group-list 1 Configure the RP proxy of a specific group.
routerC(config)#router ospf 1
routerC(config-ospf)#network 22.2.2.0 0.0.0.255 area 5
routerC(config-ospf)#network 94.255.0.0 0.0.255.255 area 5
Note:
What is discussed here is the basic configuration specification for multicast communication. Multicast also supports other
link layer protocols and dynamic routing protocols. Their configurations aren’t described here.
18.2.3 Monitoring and Debugging PIM-SM
show ip mcache
This command is used to display the cache information of the core multicast route.
show ip mcache
show ip mroute
This command is used to display the information about a PIM multicast route list.
show ip mroute
show ip pim bsr
This command is used to display the information about the PIM bootstrap router.
show ip pim bsr
show ip pim interface
This command is used to display the information about the PIM interface.
show ip pim interface
show ip pim neighbor
This command is used to display the information about PIM neighbors.
show ip pim neighbor
show ip pim rp
This command is used to display the information about the PIM RP (Rendezvous Point).
show ip pim rp
18.3 Configuring DVMRP

Distance Vector Multicast Routing Protocol (DVMRP), the first multicast routing protocol applied popularly, is based on RIP
protocol and expands the functions supporting multicast. DVMRP protocol firstly sends probe messages to discover
neighbors, then, performs the unicast path search and determines the dependency relationship of upstream and downstream
by means of route exchange.
DVMRP adopts the reverse-path-multicast (RPM) algorithm for multicast forwarding. When sending multicast packets
firstly, the multicast source adopts the truncated RPM algorithm to forward multicast packets down along the source
multicast distribution tree. When a leaf router does not need the multicast data packet any more, the router sends the prune
message to the multicast source, and the multicast distribution tree is pruned so that the needless traffic can be removed.
After the upstream receives the prune message, the interface receiving the message is set as the prune status and data
forwarding is stopped, the prune status is related with the timeout timer. When the timer expires, the prune status will be
changed into the forwarding status and the multicast data packet will be distributed along these branches again. Additionally,
when there appears a multicast member in the prune area, in order to reduce the response time, the downstream forwardly
sends a graft packet, instead of waiting until the upstream prune status expires, so that the prune status can be changed into
the forwarding status. Obviously, DVMRP is a multicast route table that is established because of data triggering, the
procedure of establishing a route tree can be summarized with “Broadcast and Prune”, and the forwarding feature can also be
summarized as “passive receiving and initiative exist”.
Additionally, when there exist two or more multicast routers in the multi-access network, packets may be forwarded
repeatedly in the network. To avoid it, DVMRP selects a unique forwarding router for each source in the multi-access
network.
DVMRP has the following features:

Based on the establishment of distance vector;
Periodical route upgrade(per 60 seconds)
Upper limit=32 hops(16 hops for RIP)
Reserve restraint has special meaning
Untyped. The route upgrade includes the mask information.

Related descriptions of DVMRP configuration commands
An example of DVMRP configuration
DVMRP monitoring and debugging
18.3.1 Related Descriptions of DVMRP Configuration Commands
Use the command above to enable the multicast on a router.
no ip multicast-routing
£By default¤No multicast is enabled.
ip dvmrp
Use the command above to enable the DVMRP on an interface;
ip dvmrp
no ip dvmrp
£By default¤No DVMRP is disabled.
Note:
A router can enable nothing but one kind of multicast routing protocol. Before DVMRP protocol is enabled, the
configuration of other multicast protocols need be deleted.
18.3.2 An Example of DVMRP Configuration
The example is displayed as the following figure:
S1/0
Ethernet Ethernet
S2/1
Router1 Router2
Pc1 Pc2
Illustration:
As shown in figure above, the interface s1/0 of router1 connects to the interface s1/2 of router2 by means of PPP protocol. At
the same time, the Ethernet interfaces of the two routers connects with two PCs that can serve as the multicast source or
multicast receiving-end
Router1 is configured as follows.:
R
Syntax Descriptions
outer2
router1 (config)#ip multicastÉrouting Enable the multicast routing. is
router1 (config)# interface fastethernet0 config
router1 (config-if-fastethernet0)# ip address ured
131.255.127.3 255.255.0.0
router1 (config-if-fastethernet0)# ip dvmrp Configure the multicast routing protocol as
DVMRP. follow
The command can be applied to all
interfaces forwarding multicast packets. s.:
router1 (config-if-fastethernet0)# interface
serial1/0
router1 (config-if-serial1/0)# physical-layer sync
router1 (config-if-serial1/0)#encapsulation ppp
router1 (config-if-serial1/0)# ip address 8.0.0.1
255.0.0.0
router1 (config-if-serial1/0)# ip dvmrp Configure the multicast routing protocol
DVMRP.
The command can be applied to all
interfaces forwarding multicast packets.
router1 (config-if-serial1/0)# exit

Syntax Descriptions
Notice
Router2(config)#ip multicastÉrouting Enable the multicast routing. ö
Router2(config)# interface fastethernet0
T
Router2(config-if-fastethernet0)# ip address
151.255.127.6 255.255.0.0 he
Router2(config-if-fastethernet0)# ip dvmrp Configure the multicast routing protocol routin
DVMRP. g
protoc
The command can be applied to all interfaces
forwarding multicast packets. ol
need
Router2(config-if-fastethernet0)# interface
not be
serial2/1
config
Router2(config-if-serial2/1)# physical-layer sync
ured
Router2(config-if-serial2/1)#clock rate 2000000 for
Router2(config-if-serial2/1)#encapsulation ppp DVM
Router2(config-if-serial2/1)# ip address 8.0.0.26 RP.
255.0.0.0 H
Router2(config-if-serial2/1)# ip dvmrp Configure the multicast routing protocol ere is
DVMRP. the
The command can be applied to all interfaces basic
forwarding multicast packets. config
Router2(config-if-serial2/1)# exit uration
descri
ption of multicast communication. The multicast can also support other link-layer protocols, and corresponding
examples are not listed here.
18.3.3 DVMRP Monitoring and Debugging
show ip dvmrp interface
Use the command above to display the information about DVMRP interface.
show ip dvmrp interface
show ip dvmrp neighbor
Use the command above to display the information about DVMRP neighbors.
show ip dvmrp neighbor
show ip dvmrp route
Use the command above to display the information about DVMRP route.
show ip dvmrp route
debug ip dvmrp all
Use the command above to display all DEBUG information about DVMRP.
debug ip dvmrp all
debug ip dvmrp cache
Use the command above to display the DEBUG information about DVMRP core cache.
debug ip dvmrp cache
debug ip dvmrp member
Use the command above to display the DEBUG information about DVMRP member joining-in/leaving.
debug ip dvmrp member
debug ip dvmrp packet
Use the command above to display the DEBUG information about DVMRP packets.
debug ip dvmrp packet
debug ip dvmrp peer
Use the command above to display the DEBUG information about DVMRP neighbor event.
debug ip dvmrp peer
debug ip dvmrp prune
Use the command above to display the DEBUG information about DVMRP prune.
debug ip dvmrp prune
debug ip dvmrp route
Use the command above to display the DEBUG information about DVMRP route.
debug ip dvmrp route
Chapter 19 AAA Configuration
This chapter mainly describes how to configure AAA (Authentication, Authorization and Accounting) on the router. AAA
is the abbreviation of Authentication, Authorization and Accounting. As a client program that runs on the network access
server (NAS), it provides a consistent framework for you to configure the three security functions, Authentication,
Authorization and Accounting.
Command descriptions of configuring the relevant AAA;
An example of AAA configuration;
Debugging AAA
19.1 Descriptions of Command Relevant with AAA
aaa new-mode
This command is used to enable AAA on the router. The form no of the command is used to close AAA function.
aaa new-model
no aaa new-model
£Default¤Disable AAA.
aaa authentication banner
This command is used to modify the displayed welcome information when you login on a router. The form no of the
command is used to reset the default welcome information.
aaa authentication banner banner
no aaa authentication banner
Syntax Description
banner This is the welcome information displayed on the
screen when you log in the router.
£Default¤The default welcome information is “User Access Verification”.
aaa authentication fail-message
This command is used to modify the caution information when you fail to login on the router. The form no of the command
is used to reset the default caution information.
aaa authentication fail-message fail-message
no aaa authentication fail-message
Syntax Description
fail-message This is the caution information when you fail to login
on the router.
£Default¤The default caution information is “Access denied!”.
aaa authentication username-prompt
This command is used to modify the displayed text that is used to prompt you to input user name. The form no of this
command is used to reset the default-displayed text.
aaa authentication username-prompt username-prompt
no aaa authentication username-prompt
Syntax Description
username-prompt The displayed text when you are cautioned to input
your user name.
£Default¤The default displayed text is “login:”.
aaa authentication password-prompt
This command is used to modify the displayed text when you are cautioned to input your passport. The form no of this
command is used to reset the default-displayed text.
aaa authentication password-prompt password-prompt
no aaa authentication password-prompt
Syntax Description
password-prompt The displayed text when you are cautioned to input
your passport.
£Default¤The default displayed text is “passport:”.
aaa authentication login
This command is used to configure the login identity authentication method list. The form no of this command is used to
delete the method list.
aaa authentication login {default|list-name} method1[method2…]
no aaa authentication login {default|list-name}
Syntax Description
default Define the default method list.
list-name This is the method list name.
method Authentication methods:
None: Pass directly without authenticating the identity,.
Enable: Use the valid passport to authenticate the identity (the global
enable passport).
Local: Use the local user database to authenticate the identity.
Line: Use the line passport to authenticate the identity.
Radius: Use RADIUS to authenticate the identity.
Tacacs: Use TACACS to authenticate the identity.
£Default¤No authentication method list is defined.
Note:
Cooperating with the command login authentication in line mode, the method list can be used to authenticate the login
identities for some lines.
The default method list applies to all the interfaces and lines (except the interfaces or lines that are defined explicitly and
referred to) automatically.
aaa authentication enable
This command is used to configure the identity authentication method list for you to enter the privilege user mode. The form
no of this command is used to deletes the method list.
aaa authentication enable default method1[method2…]
no aaa authentication enable default
Syntax Description
default Define the default method list.
None: Pass directly without authenticating the identity,
Enable: Use the valid passport to authenticate the identity (the user enable passport or
the global enable passport).
Line: Use the line passport to authenticate the identity.
TacacsÖUse TACACS to authenticate the identity.
Note:
When using the radius authentication method, you should use the passport of the user $enab15$ (need to be set on the radius
server) as the authentication passport.
aaa authentication ppp
This command is used to configure a PPP identity authentication method list. The form no of this command is used to delete
the method list.
aaa authentication ppp list-name method1[method2…]
no aaa authentication ppp list-name
Syntax Description
None: Pass directly without authenticating the identity.
Local: Use the local user database to authenticate the identity.
Tacacs: Use TACACS to authenticate the identity.
£Usage specification¤This method needs to cooperate with the command ppp authentication to apply the method list to
the PPP authentication of an interface.
aaa authorization
This command is used to limit the user access authorization. The form no of the command is used to allow the access
authorization.
aaa authorization {exec|network} {default|list-name} method1[method2…]
no aaa authorization {exec|network} {default|list-name}
Syntax Description
exec Configure the EXEC authorization command method list.
network Configure the authorization method list of the network service.
default Define a default method list.
method Authorization methods:
if-authenticated : If a user passes the identity authentication, then he is authorized to
access the request function.
Local: Use the local database to authorize.
None: Operate no authorization.
Radius: Request the authorization information from RADIUS server.
Tacacs: Request the authorization information from TACACS server.
£Default¤No access authorization is limited (being equivalent to the keyword none).
Note:
1) When the EXEC authorization method list has been configured and you execute EXEC, NAS can implement the
authentication to you to determine whether you have the authorization to execute the EXEC shell program; if NAS fails to
authorize, then you can’t execute EXEC.
2) EXEC supports the authorization of Vendor-specific AV of ciscoSecureACS radius (Cisco), and AV is defined as
follows:
Define autocmd—auto-command, value is the command string, and its format is:
autocmd=STRING
Define nohangup—whether the connection is broken after the system executes the auto-command, and its format
is:
nohangup=FALSE/TRUE or 0/1
Define priv-lvl—the right level authorized to the login user, the range of value is from 0 to 15, and its format is:
priv-lvl=NUM
Define timeout—the entire connection time authorized to the login user, value is a number (by second), and its
format is:
timeout=NUM
aaa accounting
This command is used to configure the AAA accounting method list. The form no of this command is used to cancel the
method list.
aaa accounting {connection|exec|network} {default|list-name} {none|start-stop| stop-only| wait-start} method1[method2]
no aaa accounting {connection|exec|network} list-name
Syntax Description
connection Configure the accounting command that the user uses when he logins to other routers
through telnet or rlogin.
exec Configure the accounting command of enabling the EXEC session.
network Configure all accounting commands of the service requests that are relevant with the
network.
default Define a default method list.
none Don’t process accounting.
start-stop Send a start-accounting notice when a process starts, and send an end-accounting notice
when the process ends. Whether or not the server receives the start-accounting notice, all
requested user processes will start to execute.
stop-only Send an end-accounting notice when the requested user process ends.
wait-start Send a start-accounting notice and an end-accounting notice to the AAA accounting
server. The requested user service isn’t enabled until the notices above are acknowledged.
method accounting methods:
Radius: send the accounting information to the RADIUS server.
Tacacs: send the accounting information to the TACACS server.
ûDefaultüNo accounting method list is defined.
ûCommand modeüThe global configuration mode.
Note:
To execute the accounting work as little as possible, you can use the keyword stop-only to send a stop-record-accounting
notice when a requested user process ends.
To get more accounting information, you can use the keyword start-stop. In this way, RADIUS or TACACS can send a
start-accounting notice when the requested process starts, and can send an end-accounting notice when the process ends.
To obtain more control right to the accounting , you can use wait-start, which ensures that the process request of the user
can’t be authorized until the RADIUS or TACACS server receives the start-accounting notice.
aaa accounting suppress null-username
This command is used to forbid creating a accounting record for the user whose user name is null. The form no of this
command is used to allow creating a accounting record for the user whose user name is null.
aaa accounting suppress null-username
no aaa accounting suppress null-username
ûDefaultüAllow to create a accounting record for the user whose user name is null.
aaa accounting update

This command is used to send temporary accounting records to the server. The form no of this command is used to cancel
to send temporary accounting record.
aaa accounting update {newinfo|periodic number}
no aaa accounting update
Syntax Description
newinfo Send temporary accounting records to the server every time there is
new accounting information.
periodic Send temporary accounting records periodically.
number The interval period.
ûDefaultüNo temporary accounting record is sent.
tacacs-server host
This command is used to configure the Tacacs server. The form no of this command is used to delete the Tacacs server.
tacacs-server host address [key key] [port port] [timeout timeout]
no tacacs-server host address
Syntax Description
address The address of the Tacacs server.
key The key that is used for the communication between the router and the
Tacacs server.
port The TCP port number that is used to connect with the Tacacs
background program.
timeout Set the interval timer for waiting the response from the Tacacs server.
ûDefaultüThe port number is 49, and the timeout is 5 seconds.

Note:
The key configured on the router must be consistent with that on the Tacacs server.
Multiple Tacacs servers can be configured, and the system can select one of them for system authentication according to
the configuration sequence; when some server is unavailable, the system can select the next one automatically till the last one
fails.
tacacs-server key
This command is used to configure the encryption key of the Tacacs. The form no of this command is used to delete the
key.
tacacs-server key key
no tacacs-server key
ûDefaultüThere is no encryption key.
tacacs-server timeout
The command is used to configure the interval timer for waiting the Tacacs server response. The form no of this command is
used to reset the default value.
tacacs-server timeout timeout
no tacacs-server timeout
ûDefaultü5 seconds.
radius-server host
This command is used to configure the RADIUS server. The form no of this command is used to delete the RADIUS
server.
radius-server host address [acc-port acc-port] [auth-port auth-port]
no radius-server host address
Syntax Description
address The address of the RADIUS server.
acc-port The UDP destination port that is specified for the authentication
request.
auth-port The UDP destination port that is specified for the accounting
request.
ûDefaultü acc-port is 1645, and auth-port is 1646.

Note:
The key configured on the router must be consonant with that on the RADIUS server.
Multiple RADIUS servers can be configured, and the system can select one of them for system authentication according to
the configuration sequence; when some server is unavailable, the system can select the next one automatically till the last one
fails.
radius-server dead-time
This command is used to configure dead-time. The form no of this command is used to set dead-time to be 0.
radius-server dead-time dead-time
no radius-server dead-time
Syntax Description
dead-time This is the time length. During the time, no request is
sent to the RADIUS server
ûDefaultü dead-time is set to be 0.
ûUsage guideüAfter the command is used, the system labels the RADIUS severs that don’t respond to the authentication
requests as unusable, and don’t send requests to these servers during the dead-time period of time.
radius-server key
This command is used to configure the RADIUS encryption key. The form no of this command is used to delete the RADIUS
encryption key.
radius-server key key
no radius-server key
ûDefaultüThere is no encryption key.
radius-server timeout
This command is used to configure the interval timer for waiting the response from RADIUS server. The form no of this
command is used to reset the default value.
radius-server timeout timeout
no radius-server timeout
£Default¤5 seconds.
radius-server retransmit
This command is used to configure the maximum times of retransmitting a packet to the RADIUS server. The form no of
this command is used to reset the default value.
radius-server retransmit retries
no radius-server timeout
Syntax Description
retries The maximum times of retransmitting a packet.
£Default¤3 times.
ip {tacacs|radius} source-interface
This command is used to configure the interface address, which is specified for the router to switch packets with the
RADIUS or TACACS server. The form no of this command is used to reset the default value.
ip {tacacs|radius} source-interface interface-name
no ip {tacacs|radius} source-interface
Syntax Description
interface-name The interface name.
ûDefaultü Use the address of the interface.
19.2 An Example of AAA Configuration
Network access
User
Illustration:
In the configuration above, the PPP protocol is encapsulated between the user devices and the network access server
(NAS), and login authentication uses the default method list.
The relevant NAS configurations are as follows:
Command Task
NAS#configure terminal Enter the configuration mode.
NAS (config)# aaa new-model Enable AAA authentication.
NAS (config)# aaa authentication banner Configure the welcome words for a use to login.
^ Welcome ^
NAS (config)# aaa authentication fail- Configure the prompt information for a user to fail to login.
message ^ Sorry, Don’t come in ^
NAS (config)# aaa authentication login The authentication methods (radius, tacacs and none) are adopted for
default radius tacacs none identification authentication of the telnet or rlogin user. (One or more
authentication methods can be selected.)
NAS (config)# aaa authentication enable The authentication method radius enable is adopted for the telnet or
default radius enable rlogin user to enter the privilege use mode.
NAS (config)# aaa authentication ppp Configure the PPP authentication, and cooperate with the command ppp
auth-name radius tacacs local authentication on the interface s1/0.
NAS (config)# aaa authorization exec Configure that only users who are added into the RADIUS server can be
default radius authorized to execute the EXEC shell program; if the authorization fails, then
the users cannot execute EXEC.
NAS (config)# aaa accounting exec default Enable the accounting command of the exec session, and a stop-
stop-only radius accounting notice is sent to the RADIUS server when the requested user
process ends.
NAS (config)# aaa accounting connection Enable the accounting command connection, and implement the
default stop-only radius accounting when NAS logins on other router through telnet or rlogin.
NAS (config)# aaa accounting network list Enable the accounting command (list) that the PPP service requests.
stop-only radius (Because the PPP protocol is encapsulated between the user devices and the
NAS.)
NAS (config)# radius-server host Configure the address of the RADIUS server.
192.168.0.1
NAS (config)# radius-server key maipu Configure the key of the RADIUS server, and the key must be the same
as that of the NAS server on the RADIUS server.
NAS (config)# tacacs-server host Configure the address and key of the TACACS server, and the key must
192.168.0.2 key mp be the same as that of the NAS server on the RADIUS server.
NAS (config)#interface s1/0 Enter the interface mode.
NAS(config-if-serial1/0)#ppp accounting Enable the PPP authentication accounting on the interface. Its name is
list list, which is the same as that following aaa accounting network.
Note:
During the course of adopting the configured method list to authenticate a user, only when the previous method doesn’t
response can the router try the next method. If the identity authentication fails at any point of the period, namely, the security
server or the local user name database response in the form of denying the user to access, then the identity authentication
process will end and no other identity authentication method will be tried.
19.3 Checking and Debugging AAA
show accounting
This command is used to display the AAA accounting information.
show accounting
debug aaa authentication
This command is used to open the switch of AAA authentication debugging information. The form no of this command is
used to close the switch.
debug aaa authentication
no debug aaa authentication
debug aaa authorization
This command is used to open the switch of AAA authorization debugging information. The form no of this command is
used to close the switch.
debug aaa authorization
no debug aaa authorization
debug aaa accounting
This command is used to open the switch of AAA accounting debugging information. The form no of this command is used
to close the switch.
debug aaa accounting
no debug aaa accounting
debug tacacs
This command is used to open the switch of TACACS debugging information. The form no of this command is used to close
the switch.
debug tacacs
no debug tacacs
debug radius
This command is used to open the switch for RADIUS debugging information. The form no of this command is used to close
the switch of RADIUS debugging information.
debug radius [in-plain]
no debug radius
Syntax Description
in-plain Display the RADIUS packet information in the form of
plaintext.
Chapter 20 MPLS Configuration

MPLS (Multiprotocol Label Switching) is a label-based packet forwarding technology, with advantages of both the packet
forwarding technology of layer-2 switch and the routing technology of layer-3, simplifying segment-by-segment data
forwarding and enhancing the packet forwarding capacity.
z Brief introduction to MPLS
z Descriptions of commands to configure MPLS
z An example of MPLS configuration
20.1 Brief Introduction to MPLS

For the traditional IP packet forwarding, the router in each relay segment of the network analyses the destination IP
address independently and executes the network routing algorithm so as to make the independent forwarding decision and
determine the next hop for the packet. However, MPLS divides all packets that enter the network into different FECs
(Forwarding Equivalence Class) and assigns a label to each FEC, so each packet carries a short label with fixed length. The
routers in the network determine how to forward a packet according to its label. In the whole MPLS area, the packet
forwarding is operated according to the label, without operating anything to the IP header.
MPLS consists of two sections. One is the label packet forwarding, implementing the forwarding of the received IP
packets or label packets. Its main operations include:
1) If the received packet is an IP packet, then search the label forwarding list according to its destination address; if there
exists the output label (namely, the next hop supports the label forwarding) of the destination address, then insert this output
label into the IP header, subsequently, forward this packet to the next hop.
2) If the received packet is a label packet, then search the label forwarding list according to the input label on the label
stack top; if it succeeds in finding out the corresponding output label, then replace the input label with the output label,
subsequently, forward this packet; if it fails in finding out the corresponding output label, then pop the input label,
subsequently, forward this packet in the form of IP packet.
The other section is LDP (Label Distribution Protocol), used to switch the label binding information with the neighbor
routers. Through sending Hello packets periodically, LDP finds and maintains a LDP peer. When finding out a new LDP
neighbor, LDP creates a TCP connection with it. Then, through this TCP connection, it uses the information switch label that
LDP defines to bind the information, create and maintain a label-forwarding list.
20.2 Descriptions of commands to configure MPLS

mpls ip
To enable mpls on the router, you can do nothing but configure the command under the global configuration mode and the
interface configuration mode. The form no of this command is used to disable mpls.
mpls ip
no mpls ip
£Command mode¤The global configuration mode and the interface configuration mode.
Note:
To use mpls, you must simultaneously configure the command mpls ip under both the global configuration mode and the
interface configuration mode. Configuring the command mpls ip under the global configuration mode is used to enable mpls,
while configuring the command under the interface configuration mode is used to specify which interface to use mpls packet
forwarding. You can configure the command mpls ip on multiple interfaces.
If the link layer protocol is PPP, then it needs to configure the command ppp mpls on the interface.
mpls ldp router-id
When mpls is enabled, you need select a router-id (namely, an IP address) to serve as the ldp ID, which is used to identify
a specific LSR label space. The form no of this command is used to reset the default value of route id.
mpls ldp router-id A.B.C.D
no mpls ldp router-id
Syntax Description
A.B.C.D This is an IP address serving as the ldp ID.
£Default¤When mpls starts, it automatically selects an interface address to serve as router-id.

Note:
By default, mpls automatically selects an interface address to serve as router-id when starting. And it can select the
address of a loopback interface. Under the situation that no router-id is configured, if the selected interface address that
serves as the router-id is changed, all current ldp connections are deleted, and the ldp can update the router-id,
subsequently, a new connection is rebuilt.
mpls ldp label-distribution
This command is used to set the ldp label distribution mode. The form no of this command is used to reset the default
setting of the label distribution mode.
mpls ldp label-distribution <dod/du>
no mpls ldp label-distribution
Syntax Description
dod/du Label distribution is on demand or unsolicited for downstream.
£Default¤The DU (downstream unsolicited) label distribution mode.

Note:
When using the downstream-unsolicited label distribution mode, for a specific FEC, an LSR (label switched router) can
assign and distribute a label immediately without getting a label request message from the upstream; however, when using
the downstream-on-demand label distribution mode, for a specific FEC, only after receiving the upstream label request
message from the upstream can an LSR (label switched router) assign and distribute a label.
This command is configured under the interface mode, and different label distribution modes can be configured for
different interfaces.
mpls ldp label-control
This command is used to configure the ldp label control mode. The form no of this command is used to reset the default
setting of the ldp label control mode.
mpls ldp label-control <independent/ordered>
no mpls ldp label-control
Syntax Description
independent/ordered The independent control mode or the ordered control mode.
£Default¤The independent control mode.

Note:
When using the independent label control mode, each LSR can announce the label mapping to the LSR (label switch router)
that connects with it at any time; however, when using the ordered control mode, only after the LSR receives the FEC label
mapping message of the specific FEC net hop or when the LSR is the LSP out-bound node, can the LSR send label mapping
messages to the upstream.
mpls ldp label-retention
This command is used to set the ldp label retention mode. The form no of this command is used to reset the default setting
of the ldp label hold mode.
mpls ldp label-retention <conservative/liberal>
no mpls ldp label-control
Syntax Description
conservative/liberal The conservative hold mode or the liberal retention mode.
£Default¤The liberal retention mode.

Note:
For a specific FEC, suppose that the upstream has received the label binding that comes from the downstream, then, when
the downstream router is no longer the next hop of this FEC, if the upstream still preserves this binding, the mode used by the
upstream is called the liberal label retention mode; if the upstream discards this binding, then the mode used by the upstream
is called the conservative label retention mode.
There are various combinations between three label assignment parameters (label distribution mode, label control mode
and label retention mode). However, the default parameters are downstream-unsolicited distribution, independent control
and liberal retention.
mpls ldp hello-interval
This command is used to set the interval (by second) for LSR to send a Hello message periodically. The form no of this
command is used to reset the default setting of interval of the Hello message.
mpls ldp hello-interval <1-60>
no mpls hello-interval
Syntax Description
1-60 The interval to send a Hello message.
Note:
Through sending the Hello packet periodically, LSR finds or maintains a Hello neighbor.
mpls ldp hello-hold-interval
This command is used to set the hold time of ldp hello. The hold time specifies the maximum hold time (by second) for the
LSR to keep the previous Hello message before sending the next Hello message to its peer. LSRs can, through respectively
putting forward its own Hello hold time firstly, negotiate the Hello hold time with each other and then adopt the minimum
value of them. The form no of this command is used to reset the default value of the Hello hold time.
mpls ldp hello-hold-interval <1-60>
no mpls ldp hello-hold-interval
Syntax Description
1-60 Hello hold time.
Note:
LSR maintains a Hello hold timer for each Hello neighbor peer. When an LSR receives a Hello message from a specific
Hello neighbor, the corresponding Hello hold timer will be restarted. If the LSR hasn’t still received the next Hello message
from the specific Hello neighbor when the Hello hold timer expires, then LSR deletes this Hello neighbor, and sends the
corresponding announcement message; subsequently, closes the TCP connection and ends the LDP session.
Hello hold time being 0 indicates the default value. For a link Hello message (connecting with the neighbor directly), the
default value is 15s; while for a destination Hello message (not connecting with the neighbor directly), the default value is
45s.
mpls ldp keepalive-interval
This command is used to set the interval (by second) for LSR to send a Keepalive message periodically. The form no of
this command is used to reset the default setting of the Keepalive message.
mpls ldp keepalive-interval <1-60>
no mpls keepalive-interval
Syntax Description
1-60 The interval for LSR to send a Keepalive message periodically.
Note:
An LSR must ensure that the LDP peer can receive at least one LDP message (any LDP message is effective) in the
keepalive-interval. But if there is no other LDP message for LSR to send, then LSR must send a session hold message.
mpls ldp keepalive-hold-interval
This command is used to set the ldp session hold interval. LSRs can, through putting forward its own session hold interval
respectively, negotiate the session hold interval with each other, and then adopts the minimum value of them. The form no of
this command is used to reset the default value of the session hold interval.
mpls ldp keepalive-hold-interval
no mpls ldp keepalive-hold-interval
Syntax Description
1-60 The ldp session hold interval.
Note:
Through the LDP PDU received from the session transmission connection, an LDP checks the integrality of the LDP
session. The LSR maintains a session hold timer for each LDP session connection, and the corresponding session hold timer
can be restarted when the LSR receives the LDP PDU from a specific session connection. If the LSR hasn’t still received
LDP PDU from the LDP peer when the session hold timer expires, then LSR sends an announcement message, closes the
TCP connection and ends the LDP session.
mpls route-cache
The MPLS fast switching is realized through route cache mechanism. The purpose of the route cache is to reduce the
repeated searching of a routing table and to accelerate the packets sending speed through using previous cache searching
results. But under certain circumstances, users can choose to enable/disable the following two places to process route cache.
mpls route-cache
no mpls route-cache
Note:
The mpls fast switching is turned on by default, The form no of this command is used to disable this function.
20.3 An Example of MPLS\VPN Configuration
Illustration:
In the configuration figure above, router1 and router3 are PE devices, and router2 is a P device. P\PE devices construct
the MPLS backbone network, in which the IGP routing protocol OSFP is running. IBGP is running between two PE devices
that respectively connect with two different networks----VPNA\VPNB. Through BGP announcing the VRF table, the
network vrf_a in router1 interconnects with the network vrf_a in router3, and the network vrf_b in router1 interconnects with
the network vrf_b in router3. VPNs are realized through MPLS\BGP.
The concrete configuration of Router1 is as follows:
Command Task
Router1(config)# mpls ip Run MPLS.
Router1(config)# ip vrf vrf_a Create a vrfa
Router1(config -vrf)# rd 1:1 Configure the route descriptor.
Router1(config -vrf)# route-target export 1:1 Set properties of the destination VPN.
Router1(config -vrf)# route-target import 1:1 Set properties of the destination VPN.
Router1(config -vrf)#exit
Router1(config)# ip vrf vrf_b Create a vrfb.
Router1(config -vrf)# rd 2:2 Configure the route descriptor.
Router1(config -vrf)# route-target export 2:2 Set properties of the destination VPN.
Router1(config -vrf)# route-target import 2:2 Set properties of the destination VPN.
Router1(config -vrf)#exit
Router1(config)# interface loopback0 Configure the loopback address with 12.12.12.12.
Router1 (config-if-loopback0)# ip address 12.12.12.12
255.255.255.255
Router1 (config-if-loopback0)# interface fastethernet 1/0
Router1 (config-if-fastethernet1/0)# ip vrf forwarding vrf_a Add the interface into the vrfa.
Router1 (config-if-fastethernet1/0)# ip address 10.1.1.1 Configure the IP address.
255.255.0.0
Router1 (config-if- fastethernet1/0)# interface fastethernet 1/1
Router1 (config-if-fastethernet1/1)# ip vrf forwarding vrf_b Add the interface into the vrfb.
Router1 (config-if-fastethernet1/1)# ip address 10.2.1.1 Configure the IP address.
255.255.0.0
Router1 (config-if-fastethernet1/1)#interface serial0/1
Router1 (config -if-serial0/1)# encapsulation ppp Encapsulate PPP.
Router1 (config -if-serial0/1)# ppp mpls Use MPLS on the interface (when the link layer protocol
is PPP).
Router1 (config -if-serial0/1)# ip address 21.2.1.1 255.255.0.0
Router1 (config -if-serial0/1)# mpls ip Use MPLS on the interface.
Router1 (config -if-serial0/1)# exit
Router1 (config)# router ospf 1 Configure IGP (OSPF).
Router1 (config-ospf)# network 12.12.12.12 0.0.0.0 area 0
Router1 (config-ospf)#exit
Router1 (config)#router bgp 100 Configure BGP, and the AS number is 100.
Router1 (config -bgp)# no synchronization Set the asynchronous mode between BGP and IGP.
Router1 (config -bgp)# neighbor 14.14.14.14 remote-as 100 Specify the AS number of the BGP peer.
Router1 (config -bgp)# neighbor 14.14.14.14 update-source Specify TCP connection port.
loopback0
Router1 (config-bgp)# address-family ipv4 vrf vrf_a Configure the vrf_a address family.
Router1(config-bgp-af)# no synchronization Set the asynchronous mode between BGP and IGP
Router1 (config-bgp-af)# redistribute connected Redistribute direct routes.
Router1 (config-bgp-af)exit
Router1 (config –bgp)# address-family ipv4 vrf vrf_b Configure the vrf_b address family.
Router1 (config-bgp-af)# no synchronization Set the asynchronous mode between BGP and IGP.
Router1 (config-bgp-af)#exit
Router1 (config-bgp)# address-family vpnv4 Configure the VPN address family.
Router1 (config-bgp-af)# neighbor 14.14.14.14 activate
Router1 (config-bgp-af)# neighbor 14.14.14.14 next-hop-self
Router1 (config-bgp-af)# neighbor 14.14.14.14 send-community Send properties of the expanded community to the peer.
extended
Router1 (config-bgp-af)#exit
Router1 (config-bgp)#exit

Command Task
Router2 (config)#mpls ip Run MPLS
Router2 (config)#interface loopback 0 Configure the loopback address with 13.13.13.13.
Router2 (config-if-loopback0)# ip address 13.13.13.13
255.255.255.255
Router2 (config-if-loopback0)#exit
Router2 (config)#interface serial0/0
Router2 (config-if-serial0/0)#encapsulation ppp Encapsulate PPP.
Router2 (config-if-serial0/0)# ppp mpls Use MPLS on the interface (when the link layer protocol
is PPP).
Router2 (config-if-serial0/0)# ip address 21.1.1.2 255.255.0.0
Router2 (config-if-serial0/0)# mpls ip Use MPLS on the interface
Router2 (config-if-serial0/0)# exit
Router2 (config-if-serial0/1)# encapsulation ppp Encapsulate PPP.
Router2 (config-if-serial0/1)# ppp mpls Use MPLS on the interface (when the link layer protocol
is PPP).
Router2 (config-if-serial0/1)# ip address 21.2.1.2 255.255.0.0
Router2 (config-if-serial0/1)# mpls ip Use MPLS on the interface
Router2 (config)#router ospf 1 Configure IGP (OSPF).
Router2 (config-ospf)# exit

Command Task
Router3 (config)#mpls ip Run MPLS.
Router3 (config)#ip vrf vrf_a Create a vrfa.
Router3 (config-vrf)# rd 1:1 Configure the route descriptor.
Router3 (config-vrf)# route-target export 1:1 Set properties of the destination VPN.
Router3 (config-vrf)# route-target import 1:1 Set properties of the destination VPN.
Router3 (config-vrf)# exit
Router3 (config)#ip vrf vrf_b Create a vrfb.
Router3 (config-vrf)# rd 2:2 Configure the route descriptor.
Router3 (config-vrf)# route-target export 2:2 Set properties of the destination VPN..
Router3 (config-vrf)# route-target import 2:2 Set properties of the destination VPN.
Router3 (config-vrf)# exit
Router3 (config)#interface loopback0 Configure the loopback address with 14.14.14.14.
Router3 (config-if-loopback0)# ip address
14.14.14.14 255.255.255.255
Router3 (config-if-loopback0)# exit
Router3 (config)#interface fastethernet2/2
Router3 (config-if-fastethernet2/2)# ip vrf Add the interface into the vrfa.
forwarding vrf_a
Router3 (config-if-fastethernet2/2)# ip address Configure the IP address.
10.3.1.1 255.255.0.0
Router3 (config-if-fastethernet2/2)# exit
Router3 (config)#interface fastethernet2/3
Router3 (config-if-fastethernet2/3)# ip vrf Add the interface into the vrfb.
forwarding vrf_b
Router3 (config-if-fastethernet2/3)# ip address Configure the IP address.
10.3.1.1 255.255.0.0
Router3 (config-if-fastethernet2/3)# exit
Router3 (config-if-serial1/0)# encapsulation ppp Encapsulate PPP.
Router3 (config-if-serial1/0)# ppp mpls Use MPLS on the interface (when the link layer protocol is PPP).
Router3 (config-if-serial1/0)# ip address 21.1.1.1
255.255.0.0
Router3 (config-if-serial1/0)# mpls ip Use MPLS on the interface.
Router3 (config)#router ospf 1 Configure IGP (OSPF).
Router3 (config-ospf)# network 21.1.0.0 0.0.255.255
area 0
Router3 (config-ospf)# network 14.14.14.14 0.0.0.0
area 0
Router3 (config)#router ospf 2 vrf vrf_a Configure the dynamic routing protocol between PE (router3)
devices and CE (VPNA) devices.
Router3 (config-ospf)# network 10.0.0.0
0.255.255.255 area 0
Router3 (config-ospf)# redistribute bgp 100 Redistribute the BGP_100 route.
Router3 (config)#router bgp 100 Configure BGP, and the AS number is 100.
Router3 (config-bgp)# no synchronization Set the asynchronous mode between BGP and IGP.
Router3 (config-bgp)# neighbor 12.12.12.12 remote- Specify the AS number of the BGP peer.
as 100
Router3 (config-bgp)# neighbor 12.12.12.12 update- Specify aTCP connection port.
source loopback0
Router3 (config-bgp)# address-family ipv4 vrf vrf_a Configure the vrf_a address family.
Router3 (config-bgp-af)# redistribute ospf 2 vrf Redistribute the OSPF (vrf_a) route.
vrf_a
Router3 (config-bgp-af)# exit
Router3 (config-bgp)# address-family ipv4 vrf vrf_b Configure the vrf_b address family.
Router3 (config-bgp)# address-family vpnv4 Configure the vpn address family.
Router3 (config-bgp-af)# neighbor 12.12.12.12
activate
Router3 (config-bgp-af)# neighbor 12.12.12.12 next-
hop-self
Router3 (config-bgp-af)# neighbor 12.12.12.12 Send the properties of the expanded community to the peer.
send-community extended
Router3 (config-bgp)# exit
Chapter 21 Software Upgrade
The software upgrade of Maipu router includes two kinds of situations. One is the upgrade of the ROOT program (Namely
Monitor or the root program), and its main functions include the management and allocation of the flash space, with the low
upgrade-frequency; and the other is the upgrade of the program (IOS) in a router. When functions of the router need be
expanded, the program (IOS) need be upgraded.
21.1 The Upgrade of ROOT
21.1.1 Upgrade the Hex File of the ROOT program through the Console Interface
The function Hyper Terminal provided by Windows 95/98/NT is used to send the upgrading program to the router. The
following will, taking example for the Hyper Terminal application in Windows, describe the upgrade process.
Step 1: Set the Hyper Terminal.
Start the Hyper Terminal application and select the corresponding serial port (such as COM 1) and set its attributes: 9600
baud rate, the soft flow control, eight data bits, no parity and one stop bit.
Step 2: Enter the Monitor mode.
If some information similar to “Monitor version 2.02 is Booting (^c enter monitor mode) ...” is displayed on the screen
when the router starts up, you can press “CTRL+C” to enter the Monitor mode immediately. The prompt character of the
mode is “mpMonitor:>” or “Monitor:>”.
If no foregoing information is displayed on the screen when the router starts up, you need set the baud rate of the Hyper
Terminal as 115200, restart the router, and then press the key ENTER to enter the Monitor mode.
Step 3æReconfigure the speed of the Console interface and the Hyper Terminal to upgrade the hex file of the ROOT
program.
When the prompt character “mpMonitor:>” or “Monitor:>” appears, the command “mpMonitor:>s 115200” is used to set
the speed of the Console interface as 115200bps. At the same time, the speed of the Hyper Terminal is set as 115200bps
(attribute-configuration-baud rate). Stop the connection in the Hyper Terminal and start the connection again. Press “lr
<CR>” behind “mpMonitor:>” and select the option ‘Send text file’ in the menu ‘Transmit’. After the ROOT program (hex
file) that will be upgraded is selected, its transmission starts. After the upgrade ends, set the attributes of the Hyper Terminal
back to the initial setting, and restart it.
You can, according to the information “Monitor version xxx is Booting (^c enter monitor mode) ...”, judge whether the
ROOT program is upgraded successfully.
Noteö
ö
Different modesof Maipu router may adopt different ROOT program. Before the ROOT program is upgraded, please
affirm whether the ROOT program that need be upgraded is suit for the model of Maipu router lest the upgrading mistake
make the router unusable.
After the ROOT program of Maipu low-end router is upgraded from v1.xx to v2.xx or 3.xx, the MAC address of the router
may be changed. To keep the MAC address exclusive and avoid the address conflict that may result in the network fault,
please notice that one ROOT program can only be upgraded on one router.
To void the MAC address conflict resulting from upgrading ROOT as possible, the MAC address of the Ethernet interface
of the router isn’t changed after the ROOT program of Maipu low-end router is upgraded from v2.xx to v3.xx. If you want to
change the MAC address, please refer to step 3----use the command “lr filename r <CR>” to upgrade the ROOT program.
And the filename can be the combination of any letters.
21.2 The Upgrade of an Application (IOS)
Maipu router provides three kinds of methods for the software upgrade. These methods can ceaselessly extend functions of
the router. The following is to describe the three methods of the software upgrade.
21.2.1 Upgrade the Bin File of an Application through TFTP/FTP
Step 1: Run and configure the TFTP/FTP server.

Either Maipu TFTP server, CISCO TFTP or other TFTP/FTP server can be used to upgrade the bin file of application. We
take example for Maipu TFTP server to describe the upgrade:
Open cisco TFTP server and click “TFTP server root-browse” to select directory of the IOS firmware.
Figure 21-1 the option setting of cisco TFTP server

Step 2: Make the TFTP server at the listening state.
Figure 19-2 Cisco TFTP server being at the listening state
Step 3: Connect the Network

Connect the PC serving as the TFTP server with the router through the Ethernet (or other manners) to assure both can ping
each other.
Step 4: Upgrade the application
Enter “sysupdate <the address of the TFTP server> <the name of the file to be upgraded>” in the privilege user mode of
the router. We take example for MP2692:
MP2692# sysupdate 128.255.32.10 mp2692.bin <CR>
Here, the router can prompt you: “Do you really update "mp2692.bin" ? (yes|no):”. You can either enter “n <CR>” to cancel
the operation or enter “y <CR>” to implement the operation to upgrade.
If you enter “y <CR>”, the router will prompt the following information:
“downloading "IOS" (2688708 Bytes): ################################################
###################################################################################
(Omitting the middle information)
OK
Download " mp2692.bin " (2707672 Bytes) succeeded
the flash is TE28F160C3T
erase flash ... success.
write flash ... success.

MP2692#
The information above indicates that IOS file is erased and written successfully. Now, you can reset the router.
21.2.2 Upgrade the Bin File of an Application through the Console Interface

Start the Hyper Terminal program and select the corresponding serial (such as COM 1) and set its attributes: 9600 baud
rate, the soft flow control, eight data bits, no parity and one stop bit.
Step 3 Erase the previous IOS.
Under the system prompt, use the commands “mpMonitor:>e p” or “mpMonitor:>e a” to erase the existing the IOS in the
flash. The difference of the foregoing two commands is that the former only erases IOS while the latter erases both IOS and
the configuration file. But, both don’t erase the ROOT program, which can only be upgraded and can’t be erased.
Step 4: Reconfigure the speed of the Console interface and the Hyper Terminal to upgrade the hex file of the application.
Use the command “mpMonitor:>s 115200” to set the speed of the Console interface of the router as 115200bps. At the
same time, the speed of the Hyper Terminal is set as 115200bps (attribute-configuration-baud rate). Stop the connection in
the Hyper Terminal and start the connection again. Press “lx <CR>” behind “mpMonitor:>” and select the option ‘Send
text file’ in the menu ‘Transmit’. Select ‘xModem protocol’ in the pop-up dialog box. After the IOS program (hex file) that
will be upgraded is selected, its transmission starts. After the upgrade ends, set the attributes of the Hyper Terminal back to
the initial setting, and restart it.
Noteö
ö
The purpose of setting the baud rate as 115200bps is only to improve the transmission speed and reduce the time of
upgrading the application.
21.2.3 Upgrade the Hex File of an Application through the Console Interface

Start the Hyper Terminal program and select the corresponding serial (such as COM 1) and set its attributes: 9600 baud
rate, the soft flow control, eight data bits, no parity and one stop bit.
Step 3: Erase the previous IOS.
Under the system prompt, use the commands “mpMonitor:>e p” or “mpMonitor:>e a” to erase the existing the IOS in the
flash. The difference of the foregoing two commands is that the former only erases IOS while the latter erases both the IOS
and the configuration file. But, both don’t erase the ROOT program, which can only be upgraded and can’t be erased.
Step 4: Reconfigure the speed of the Console interface and the Hyper Terminal to upgrade the hex file of the application.
Use the command “mpMonitor:>s 115200” to set the speed of the Console interface of the router as 115200bps. At the
same time, the speed of the Hyper Terminal is set as 115200bps (attribute-configuration-baud rate). Stop the connection in
the Hyper Terminal and start the connection again. Press “l <CR>” behind “mpMonitor:>” and select the option ‘Send
text file’ in the menu ‘Transmit’. After the IOS program (hex file) that will be upgraded is selected, its transmission starts.
After the upgrade ends, set the attributes of the Hyper Terminal back to the initial setting, and restart it.
Noteö ö
We can, from the aspect of the speed, compare the foregoing three methods of upgrading the ISO program: the first
method (upgrading the bin file of an application through TFTP/FTP) is of the fastest speed, while the third method is of the
lowest speed. And the speed of the second method (Upgrading the bin file of an application through the xModem protocol
under the Monitor mode) is between that of the first method and the third method. In the factual environment, the selection of
the upgrade method should depend on the factual situation.
The first method can also upgrade the mixed program (ROOT+IOS). So, this method can remotely control the upgrade of
the router whose ROOT program need be upgraded instead of on-the-spot upgrading it through the console interface, saving
much the upgrading time. But the method has more fatalness and its misoperation can result in the router being unusable. If
you want to use the method, please request the technology service center to provide the special upgrade program and the
corresponding documents of operation description.
Chapter 22 Network Test and Troubleshooting
This chapter discusses how you can use your Maipu router’s network test tools to diagnose problems with the system.
22.1 Network Test Tools

These four test tools are provided on the router:
Ping: Tests network connectivity
Traceroute: Tests the data packet’s route information
Netstat: Examines network interface status and offers detailed statistical data
Show: Examines the system’s statistical information
22.1.1 Ping
Ping is used to test network connectivity and test whether the router can access the host address. This tool only supports IP
protocol.
Ping runs in common user mode or privileged user mode:
Common User Mode:

Router >ping ?
Command Description
<hostname ipAddress > Pings the host name or destination address.
Privileged user mode:

Router #ping ?
Command Description
<hostname ipAddress <CR>> Pings the host name or destination address.
Notes:
You can stop the ping procedure by pressing Ctrl+Shift+6 on the keyboard at the same time.
After the ping command has been executed, you will see the following onscreen output:
! shows a successful action, while . shows a failed action.
If ping worked, you will statistical information about the number of sent/received data packets, the percentage of data
packets that responded and the minimum, average or maximum response time values.
After you execute the ping <CR> command in privileged user mode, you can input optional parameters. The following two
examples explain these parameters and their meanings.
Example 1: Here, the command ping doesn’t have any extended options:
router#ping
Option Task
Target IP address: 192.168.8.1 The destination address.

Repeat count [5]: 20 The ICMP number repeatedly requesting the data packet.
Data packet size [76]: 1000 Appoints the ICMP size (1,000 byte).
Timeout in seconds [2]: 1 Permits delay. (The delay is regarded as a lost packet
when it receives no acknowledgment of the packet’s
location.)
Extended commands [no]: n The extended command.
Sweep range of sizes [no]: n Whether the ICMP data packet is appointed or not.
Output:

Sending 20, 1000-byte ICMP Echos to 192.168.8.1 , timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!
Example 2: After you choose the extended command options, you can set such options as source route, record timestamp
and display detailed information, etc.:
router#ping
Option Task
Target IP address: 128.255.255.1
Repeat count [5]: 1930
Data packet size [76]: 1000
Timeout in seconds [2]: 1
Extended commands [no]: y
Source address or interface:
128.255.255.223
Type of service [0]: 1
Set DF bit in IP header? [no]: y Decides whether or not the IP layer will permit an ICMP data packet to
be segmented.
Validate reply data? [no]: y Decides whether or not the received ICMP data packet should be
examined.
Data pattern [abcd]: asdf Appoints ICMP data regarding requested data packets.
Loose, Strict, Record, Timestamp, Appoints loose/strict source route, record route and timestamp.
Verbose[none]: L
Source route: 128.255.255.223
128.255.255.1
Loose, Strict, Record, Timestamp,
Verbose[LV]: r
Number of hops [6]: 3 Appoints the hops number.
Loose, Strict, Record, Timestamp, Number of hops [2]: 2
Verbose[LVR]: t
Verbose[LVRT]:v
Verbose[LRT]:
Sweep range of sizes [no]: y Decides whether or not the ICMP size scope requesting the data packet
should be appointed.
Sweep min size [74]: Minimum
Sweep max size [65530]: 2000 Maximum
Sweep interval [1]: 10 Shows the increasing interval between two adjacent ICMP data packets
Output:
Sending 1930, [74..2000]-byte ICMP Echos to 128.255.255.1 , timeout is 1 seconds:
Loose source route: 128.255.255.223 128.255.255.1
Record route number : 3
Record timestamp number : 2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!........
22.1.2 Traceroute
The traceroute command is used to test gateways that the data packet has passed through en route to its destination. Its
main function is to test the network connection for dropped connections.
Traceroute shows records the source address of each ICMP TTL overtime message. It will show you the path of the
packet passing from the source to the destination.
You would operate Traceroute when you’ve sent a packet with a TTL of 1, yet received an ICMP error data packet message
indicating the packet can’t be sent, since TTL=0. (If the packet is sent again when the TTL is 2, the second hop router will
similarly send back an ICMP error data packet message, because TTL is 0 when the packet passes through the second
router.) This kind of procedure continues until the packet arrives at the destination.
Traceroute can run in both common user and privileged user modes:
Common User Mode:

Router >traceroute ?
Command Description
<hostname ipAddress > Sets the traceroute host name or destination
Privileged User Mode:

Router # traceroute ?
Command Description
<hostname ipAddress <CR>> Sets the traceroute host name or destination
Note:
You can stop the traceroute procedure by pressing Ctrl+Shift+6 on the keyboard at the same time.
After the command has been executed, you will see the following output:
The sent ICMP data packet information (TTL value, IP header, etc.)
A list of all the routers through which the ICMP data packet has passed through (ie. interface address, the average round
trip time or ICMP data packet error.
After you execute traceroute<CR> in privileged user mode, you can input optional parameters. The following two
examples explain the parameters and their meanings.
Example 1: Here, traceroute doesn’t have any extended options – just basic optional parameters:
MP2600#traceroute
Option Task
Target IP address: 192.168.8.254 The destination address

Source address or interface: 128.255.255.223 Appoints the source address/interface.
Timeout in seconds [2]: Permits delay.
Probe count [3]: Probes the data packet count that has the same TTL
value.
Minimum Time to Live [1]: The TTL default minimum value of the sent probed
data packet
Maximum Time to Live [30]: The TTL default maximum value of the probed sent
data packet
Port Number [33434]: The probed data’s destination UDP port number
Loose, Strict, Record, Timestamp, Verbose[none]: The route options of the source station: loose, strict,
record route and time stamp.
Output:
Type escape sequence to abort.
Tracing the route to 192.168.8.254 , min ttl = 1, max ttl = 30 .
1 2.1.1.1 16 ms * 33 ms * 16 ms *
2 192.168.8.254 16 ms * 33 ms * 16 ms *
Example 2: After you pick the extended command options, you can set some options such as the source route, record time
stamp and detailed information display:
router#traceroute
Option Task
Target IP address: 192.168.8.254

Source address or interface: 128.255.255.223
Timeout in seconds [2]: 1
Probe count [3]: Probes count of the probed data packet with the
same TTL value
Minimum Time to Live [1]: The TTL default minimum of the sent probed
data packet
Maximum Time to Live [30]: The TTL default maximum of the sent probed
data packet
Port Number [33434]: The probed data packet destination’s UDP port
number
Loose, Strict, Record, Timestamp, Verbose[none]: The route options of the source station: loose,
strict, record route and time stamp
Source route: 128.255.255.1 The source address
Loose, Strict, Record, Timestamp, Verbose[LV]: v
Loose, Strict, Record, Timestamp, Verbose[L]: t
Number of hops [7]: 7 Appoints the number of hops to record time.
Loose, Strict, Record, Timestamp, Verbose[LTV]: v
Loose, Strict, Record, Timestamp, Verbose[LT]:
Output:
Type escape sequence to abort.
Tracing the route to 192.168.8.254 , min ttl = 1, max ttl = 30 .
Loose source route: 128.255.255.1
Record timestamp number : 7
1 16 ms 0 ms 16 ms
2 0 ms 0 ms 16 ms
3 !S !S !S
Note: The Traceroute command shows error messages with the ICMP data packet’s help. Besides that, the command can
usually display the average round trip time.
Traceroute data can be expressed in the form of one of the following prompts:
!N: unreachable network
!H: unreachable host
!S: unreachable source route
!A: prohibiting access (ie. prohibited network access, prohibited host access and prohibited management access)
!F: unreachable data packet that needs to be fragmented
?: unknown data packet
22.1.3 Netstat
The netstat command can be used only in privileged user mode to display system tables (ie. the host table, the route table,
the ARP table and the multicast table), the interface status/configuration, protocol statistics and buffer information. These
optional command parameters are as follows:
router#netstat ?
Command Description Remark
-a Displays the system’s interior ARP table
-e Examines the status code This is followed with the hex format status code
-g Displays the interior system’s multi-
broadcast table
-h Displays the system’s host table
-I Displays the router’s interface status
-m Displays data buffers in the network stack.
-n Displays system buffers in the network
stack.
-p Displays special statistics Supports five protocols: IGMP, ICMP, IP, TCP
and UDP.
-r Displays routing table data
-s Displays IP protocol summary statistic
information (for all protocols)
<CR> Displays TCP and UDP port and protocol
connections
22.1.4 Show
In privileged user mode, the show command can be used to:
Display the system clock
Display system equipment and interfaces
Display system statistic information
Display system start-up parameters
Display system tasks
Display system stacks
Here are the various system sub-commands for Show:

router#show ?
Command Description Remark
clock Displays the current system clock. Also works in common

user mode
Device Prints system equipment data.
interface Prints system interface data. Also works in common
user mode
Version Prints system software and hardware data. Also works in common
user mode
ip Examines TCP/IP protocol data. Also works in common
user mode
bootparams Displays system start-up parameters
Process Displays system tasks/process data.
stack Displays system stacks data.
22.2 How To Diagnose A Network Failure

Router configuration is a complex process because of the various interfaces and protocols that are used. Failures often
occur after the router is configured and used for a period of time. Generally, routers placed on two sides of a WAN suffer
the most systems failures. When such a failure occurs, patience is a necessity in determining and fixing the problem.
22.2.1 Diagnosing LAN Port Failures

A 10/100Base-T port is provided in your Maipu router to connect with a LAN. Send the ping data packet from the PC that
needs to be tested to the router’s Ethernet port. If you don’t get a response, the fault is located in the Ethernet port. Use
the following steps to examine and fix this type of failure:
Make sure that the PC is connected with the router’s Ethernet port correctly.
If a Hub or LAN Switch is used to connect to the Ethernet, make sure the PC is connected with the Ethernet port of the router
correctly. The LED indicator on the Hub or LAN Switch will indicate if it is.
You can execute the ping command to test the link from the PC to the Ethernet’s port. When the hardware is connected
incorrectly, there will be no response or no change to the data packet input/output information when the PC pings the router.
Use either of the two following testing procedures to ping the router: (Note: 128.255.255.1 refers to the router’s Ethernet
port IP address.)
In DOS shell:
c:>ping 128.255.255.1
Pinging 128.255.255.1 with 32 bytes of data
Request timed out.
Request timed out.
Request timed out.
In common user mode:

router>ping 128.255.255.2
Sending 5, 76-byte ICMP Echos to 128.255.255.2, timeout is 2 seconds:
.....
Success rate is 0% (0/5).
The output ‘…’ indicates that there’s no response.
Check whether the software is working properly.
Make sure whether the PC’s configured IP addresses Ethernet port is set correctly. The network addresses must be the
same – only the host addresses can be different. If these conditions are met and you’re still getting no response from the
router, then the Ethernet port has been configured incorrectly.
Locate the failure.
Figure out whether protocols are being properly matched.
The Ethernet interface can support two types of IP protocol: Ethernet_II and Ethernet_SNAP. Maipu routers can receive
these different IP packet formats simultaneously. However, the end user must appoint the IP packet’s format. Please
ensure that the sent IP packet’s format is similar to the other equipment being used by the Ethernet protocol.
Check whether the Ethernet is working normally.
The Ethernet router ports can support two speeds: 10 and 100Mbps. It can also support two kinds of working modes: half
duplex and full duplex. These working modes and transmission rates can be easily fixed in the system through automatic
negotiation.
22.2.2 Diagnosing WAN Port Failures
After we know that the Ethernet port has been excluded as a possible problem, the router’s problem might be located in the
WAN port. Follow these steps to determine the problem:
Examine whether the physical interface has been connected correctly.
Your Maipu router supports many kinds of WAN interface cables – V24, V35 and so on. The WAN interface type should
be checked against these cables, and you should ensure the WAN interface is running in the proper
synchronous/asynchronous mode. If necessary, reconfigure the router’s synchronous/asynchronous serial interface.
If your interface runs in asynchronous mode, then examine whether it’s running at the correct speed. In asynchronous
mode, the WAN serial port will support a very broad scope of data transmission speeds. The lowest speed is 1,200 bps and
the highest is 115,200 bps.
The WAN interface can also run in two synchronous modes: DTE and DCE. If it runs in DCE mode, examine whether the
clock rate and the clock mode provided by the router are set correctly. If it works in DTE mode, then check the clock
provided by DSU/CSU.
When the hardware or connection parameters are set incorrectly, the PC won’t respond or won’t show packets moving
through the system when tested by the ping function.
Examine whether the link layer protocols are set correctly.
The router’s WAN interface supports many protocols, such as HDSL, X.25, FR, SLIP, PPP and CSLIP. The WAN routers on
both sides of the communication won‘t talk with each other until the same protocols have been set.
If you use Point-to-Point Protocol (PPP) and have adopted PAP or CHAP as the authentication protocol, please ensure
whether the two password configurations are consistent.
If you use the modem in asynchronous mode, please ensure whether the modem has been set correctly.
If the above configurations are incorrect, the interface won’t be able to connect with the protocols, event though the number
of output/input data packets on your system may appear to have increased.
Locate the failure.
If the link layer protocol is set to PPP in asynchronous dial-up mode, ensure whether the two ends of your dialer maps are set
correctly:
dialer map ip ipAddress telephoneNumb
The ipAddress command refers to the opposite terminal’s IP address and the telephoneNumber is the phone number
connected to this peer.
Routers on both sides of WAN must ensure that the network IP addresses are the same. If the IP address is set incorrectly,
the IP data packet route many have been sent to a wrong destination. When the WAN interface adopts the IP unnumbered
mode to borrow the IP address of the Ethernet interface, faults can occur much more easily.
Examine the route. MP routers presently support many routing methods, such as static routing, RIP v1/v2, OSPF, IRMP
dynamic routing and Dial-on-Demand Routing, etc. The router transmits a data packet in terms of its route information.
A data packet can be transmitted unsuccessfully because the route is incorrectly configured. Sometimes, the routers will
connect successfully with the hosts or other routers, but, sometimes, will disconnect to other network segment equipment.
In this case, if a static route has been adopted, you must manually set the route for the unreachable network segment.
However, if the router has adopted a RIP, OSPF and IRMP dynamic route, the router must configure the route protocols
correctly in order for the data to be successfully transmitted and for the local routing table to be updated.
Chapter 23 Discription Of the Interface Cable Signals
23.1 Ethernet Interface Cable (twisted-pair wire interface RJ45)
Pin 1 and Pin 2 are the sending ends, and Pin 3 and Pin 6 are the receiving ends. Like the interface of a PC Ethernet
Adapter , they can be connected to a HUB directly.
23.2 The Interface Cable of the Configuration Port

The interface of the configuration port provides the RJ45 socket and works in asynchronous DTE mode. A configuration port
cable is provided with each router and it can work in DTE or DCE mode.
23.3 Multiprotocol Serial-port Cable Wiring List

A Maipu MP2600 router provides four multiprotocol serial ports. Each serial port provides a 25-pin-socket. Each port can
work in the V.24 or V.35 mode and can be configured as a DTE or a DCE in either mode. Table 3-1 explains the general
wire list of the V.24/V.35 interface cable.
Table 4-1 the general wire list of the V.24/V.35 interface cable
ISO2110 ISO 2593

RS-232ÄV.24Å V.35
CONNECTOR CONNECTOR
PIN NOS Location DCE DTE Location DCE DTE PIN NOS
01 PG 101 A
02 TD 103 8 103a 8 P
03 RD 104 : 104a : R
04 RTS 105 8 105 8 C
05 CTS 106 : 106 : D
06 DSR 107 : 107 : E
07 SG 102 102 B
08 DCD 109 : 109 : F
09 115b : X
10
11 113b 8 W
12 114b : AA
13
14 103b 8 S
15 TC 114 : 114a : Y
16 104b : T
17 RC 115 : 115a : V
18
19
20 DTR 108 8 108 8 H
21
22
23
24 EXC 113 8 113a 8 U
25
WARRANTY POLICY
1.0 WARRANTY POLICY:
From the date of sale by Dax, all Qualified Dax Products (QDP) are covered by
maximum 3-years carry-in warranty, against manufacturing defects and workmanship
under normal use. The first year Instant Replacement Anywhere (IRA) warranty is
applicable within this 3-year outer limit.
2.0 WARRANTY:
Dax provides this extensive warranty to all QDP customers in order to establish
outstanding quality service to all Dax customers and give them a high return on the
investment in Dax products.
3.0 SCOPE & DURATION OF WARRANTY:

Dax warrants each QDP purchased hereunder against defects in material or
workmanship under normal use and service for a period of three years from date of sale
by Dax.
Dax at is option, will at no charge either repair or replace, any Unit during the carry-in
warranty period, provided it is returned in accordance with the terms of this warranty to
any Dax Authorised Distributor (DAD) or to any Dax Service Centre.
4.0 UNITS THAT ARE NOT QUALIFIED FOR THREE YEARS CARRY IN
WARRANTY:
The following Dax Units are not qualified for 3 years carry in warranty since
they only carry one year warranty:
a. Dax Internal modems
b. Dax Power supplies
5.0 UNITS RETURNED AFTER ONE YEAR FROM THE DATE OF

PURCHASE BUT WITHIN THREE YEARS OF WARRANTY:
Any QDP returned after 12 months but within 3 years, from the date of purchase
(Dax’s invoice date) can be handed over to any DAD for service warranty. The Unit will
be sent to the local AFL warehouse for forwarding to the Dax Service Center, Chennai.
The serviced Unit from Dax will be returned to the same DAD. The to-and-fro freight
charges will be borne by Dax. And, the time for return of serviced Units will be two plus
one working days (2 days for servicing + 1 day for testing) and the actual to and fro
transportation time.
6.0 SERVICES FOR UNITS OUT OF WARRANTY (OOW):

When a Dax Unit is used by a customer for a period beyond specified warranty terms,
the Unit automatically becomes an “Out of Warranty” Unit. Broadly “OOW” would
cover the following categories apart from beyond warranty terms:
a. Burnt Units
b. Units with non-manufacturing defects
c. Mishandled units
The DAD can send the OOW unit directly for repair to the Dax Service Center,
Chennai with freight prepaid. Dax will attempt to repair the Unit at a cost. Dax will
analyse the extent of damage and send the estimate for repair charges to the DAD. If the
DAD agrees to pay the charges, Dax will take up the Unit for repairs after receiving the
advance payment by DD from the customer. After repair, the Unit will be sent to the
customer directly from Dax on a freight to-pay basis. The DAD has to insure the Unit or
assume risk of loss or loss or damage during transit.
7.0 END-OF-LIFE (EOL):

If a Unit is declared as End-of-Life (EOL), or withdrawn due to technological
obsolescence, Dax will attempt to replace it with a functionally close equivalent. This
decision is absolutely at Dax’s discretion. In any case, no monetary benefit will be
rewarded or can be claimed by the customer.
8.0 WARRANTY DOES NOT COVER:

• Warranty is applicable only against manufacturing defects and workmanship under
normal use. Burnt components or PCBs are not categorized under manufacturing
defects. These are susceptible to burnouts due to high incoming voltage in
telephone lines or in power supplies and also improper Earthing.
• Defects or damages to the Units resulting from use of Units in an operating
environment other than as specified in the User Manual.
• Defects or damages resulting from accidents, misuse or neglect or any natural
calamities.
• Defects or damages from improper testing, operation, maintenance, installation,
alteration, modification or adjustments.
• Breakage or damage to the Unit caused due to mishandling.
• Units dismantled or attempted to repair.
• Units that have had their serial numbers removed or tampered with.
• Defects or damages due to spill of food or liquid.
• All outer surfaces and all other externally exposed parts that are scratched or
damaged due to customer’s abnormal use.
• Units if physically tampered with by unauthorized persons.
9.0 JURISDICTION :
Any dispute shall be subject to exclusive jurisdiction of the courts in
Chennai.
10.0 CONTACT DETAILS OF DAX NETWORKS LIMITED AND SERVICE

CENTRE:
Dax Networks Limited
79, Chamiers Road, Chennai 600 028
Ph. No.: 2432 3557 / 2432 3558 / 2432 3984
Fax No. 044 – 2435 7267
Service Centre
New No. 21(Old No.11), II Street,
R.K. Nagar, Mandaveli, Chennai – 28.
Ph. No.: 2462 0217 / 2462 0218
E-MAIL: service@daxnetworks.com
Contact: Manager – IRA
Co-ordinator – Service Centre
Please refer our website www.daxnetworks.com for the current updated address and
contact phone numbers.
WARRANTY CARD FOR DXMP ROUTER
This DXMP ROUTER has been manufactured under the most stringent quality standards by an ISO
9001 Certified Company and is guaranteed to perform. This DXMP ROUTER carry a comprehensive 3-
year warranty. In the unlikely event of the product malfunctioning due to any manufacturing defect, you
can get it exchanged instantly as per our IRA (Instant Replacement Anywhere) policy guidelines within
one year of purchase from date of sale by Dax or get it repaired / replaced at free of charge with in the
Carry-in warranty period. For replacement or repair, please walk-in with the product to your vendor or
any Dax authorized distributor. Just make sure that you produce this card and the serial number of your
product along with proof of date of purchase when you require replacement / repair. For any additional
support, please contact the Dax Technical Support Department at
Dax Networks Ltd.,

79, Chamiers Road, Chennai - 600 028. India
Ph.: 044 - 2432 3558 Fax : 044 - 2435 7267
Email: contact@daxnetworks.com
Website: www.daxnetworks.com
Note: Please refer our website for IRA / Support Centres & Dax Authorized Distributors.

Dax Router Guide

Uploaded by

Copyright:

Available Formats

Dax Router Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Dax Router Guide

Uploaded by

Copyright:

Available Formats

1. Reorient/Relocate the receiving antenna.

CHAPTER 1 SYSTEM BASIS ------------------------------------------------------- 15

1.3 Constructing the Configuration Environment-------------------------------------------------------------------19

CHAPTER 2 SYSTEM CONFIGURATION AND MANAGEMENT --------- 31

CHAPTER 3 NETWORK PROTOCOL -------------------------------------------- 55

CHAPTER 4 DISCRIPTION OF THE INTERFACE CABLE SIGNALS ----- 68

CHAPTER 6 DDR AND INTERFACE BACKUP ------------------------------ 146

CHAPTER 7 ROUTING CONFIGURATION ----------------------------------- 175

CHAPTER 8 CONFIGURING SNA----------------------------------------------- 251

CHAPTER 9 IP TELEPHONE CONFIGURATION -------------------------- 276

CHAPTER 10 TERMINAL CONFIGURATION-------------------------------- 290

CHAPTER 11 SECURITY CONFIGURATION--------------------------------- 316

CHAPTER 12 QUALITY OF SERVICE (QOS) CONFIGURATION ------- 407

CHAPTER 13 802.1Q SPECIFICATIONS-------------------------------------- 427

CHAPTER 14 DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

CHAPTER 15 NDSP PROTOCOL CONFIGURATION ----------------------- 437

CHAPTER 16 SNMP CONFIGURATION --------------------------------------- 439

CHAPTER 17 NETWORK TEST AND TROUBLESHOOTING ----------- 460

CHAPTER 18 SOFTWARE UPGRADE ---------------------------------------- 463

CHAPTER 19 SNTP CONFIGURATION -------------------------------------- 475

CHAPTER 20 MULTICAST ROUTE CONFIGURATION ------------------ 484

CHAPTER 21 AAA CONFIGURATION----------------------------------------- 492

CHAPTER 22 MPLS CONFIGURATION -------------------------------------- 497

CHAPTER 23 INTERFACE CONFIGURATION------------------------------- 506

The main contents of this chapter are as follows:

o Router Configuration mode

1.1 Router Configuration Mode

Maipu routers provides users with four typical configuration modes:

o Use the command shell to configure through the console interface;

1.2 Command line Mode

o Registration of system commands

o Common user mode (User EXEC)

Other configuration modes will be introduced in relevant chapters.

Method of Exiting method Function

Execute the command

1.3 Constructing the Configuration Environment

Choosing serial communication Choosing a windows

Choose COM1 or COM2

(Figure 1-4) Choosing serial communication port

Baud ratio (Bits per second) --

Data bits --- 8

Figure 1-5 Configuring the parameters of the serial communication port

Choosing mode Configuring the DIP switch Interpretation

1.3.3 Configuring a Router through Telnet

1) Configuring through a LAN

W KH U RXW HU W R FRQI L JXU H

Configure the port as Telnet (23);

2) Configuration through the WAN:

3& I RU &RQI L JXU L QJ W KH U HPRW H U RXW HU

/$1 6HU YHU

3) Configuring a remote router through a local router

1.4 Command Line Interface

1.4.1 Command Line On-Line Help

The Command Line provides the following kinds of on-line helps:

Two types of help are provided:

sysupdate Update system software

1.4.2 Error Message of Command Line

Error message Reason for Error

1.4.3 History Command

Operation The key pressed Function

Existing in the format of configuring commands;