Dax Router Guide PDF

&200210$18$/
)25
';035287(56
5HYLVLRQ 'DWHG
G

1
1RY

9HUVLRQ
Q

'DWH
H1RY

Dear Dax User,

Congratulations!! You are now a proud owner of this DAX DXMP ROUTER.
We are sure you will be delighted with the features and performance of your new
product. And, the Dax support, if you need it.
This DAX DXMP ROUTER has unique user-friendly features and benefits. And, is
designed to increase the reliability and efficiency of your network.
We at Dax have offered the highest level of pre/post sales support in India for 15
years and are committed to providing you with International quality, Indian market
savvy products. This DAX DXMP ROUTER is a reflection of that commitment.
It is with this confidence that we promise you a 3 Years Carry-in warranty of which
Instant Replacement Anywhere is provided during the first year of warranty.
Please contact me (or any Dax Office) if and when you need us, we will endeavor
to win your confidence too.
Happy Daxing
Sujit
Country Manager - Dax
)&&:DUQLQJ

This equipment has been tested and found to comply with the limits of a Class B
computing device, pursuant to Part 15 of the FCC rules. These limits are designed
to provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instructions, may cause
harmful interference to radio communications.
If you suspect this product is causing interference, turn your computer ON and OFF
while your radio or TV is showing interference. If the interference disappears when
you turn the computer OFF and reappears when you turn the computer ON, then
something in the computer is causing interference.
You can try to correct the interference by one or more of the following measures:
1.
Reorient/Relocate the receiving antenna.
2.
Increase the separation between the equipment and receiver.
3.
Connect the equipment into an outlet on a circuit difference from that
to which the receiver is connected.
4.
Ensure that all expansion slots (on the back or side of the computer) are
covered. Also ensure that all metal retaining brackets are tightly attached to the
computer.
CE Marking Warning
This is a Class A product. In a domestic environment this product may cause radio
interference in which case the user may be required to take adequate measures.
MP Series Router Manual

Configuration Guide &
Technical Manual
CONTENTS
CHAPTER 1 SYSTEM BASIS ------------------------------------------------------- 15
1.1 Router Configuration Mode ---------------------------------------------------------------------------------------15
1.2 Command line Mode -------------------------------------------------------------------------------------------------15
1.3 Constructing the Configuration Environment-------------------------------------------------------------------19
1.3.1
Configuring a Router through the configuration interface (Console) ----------------------------------- 19
1.3.2
Making configuration through the LINE port of the 56/336modem module--------------------------- 19
1.3.3 Configuring a Router through Telnet -------------------------------------------------------------------------------- 19
1.4 Command Line Interface--------------------------------------------------------------------------------------------24
1.4.1 Command Line On-Line Help---------------------------------------------------------------------------------------- 24
1.4.2 Error Message of Command Line------------------------------------------------------------------------------------ 30
1.4.3 History Command------------------------------------------------------------------------------------------------------ 30
1.4.4 Editing Features -------------------------------------------------------------------------------------------------------- 30
1.4.5 Display Features-------------------------------------------------------------------------------------------------------- 31
CHAPTER 2 SYSTEM CONFIGURATION AND MANAGEMENT --------- 31

2.1 System Configuration -------------------------------------------------------------------------------------------------32
2.1. 1 Configuring the System Name--------------------------------------------------------------------------------------- 32
2.1.2 Configuring the System Calendar------------------------------------------------------------------------------------ 33
2.1.3 Configuring System Users -------------------------------------------------------------------------------------------- 33
2.1.4 Enable Password and Timeout value -------------------------------------------------------------------------------- 33
2.2 System Management ------------------------------------------------------------------------------------------------34
2.2.1 Storage Medium and File Types Supported by Maipu Routers -------------------------------------------------- 34
2.2. 2 Management of the Router File System ---------------------------------------------------------------------------- 35
2.2.1 Displaying the file device information ------------------------------------------------------------------------------ 35
2.2.2 File Management------------------------------------------------------------------------------------------------------- 36
2.2.3 Directory management ------------------------------------------------------------------------------------------------ 38
s
2.2.5 Management of Router Configuration Files ------------------------------------------------------------------------ 38
2. 3 System tools------------------------------------------------------------------------------------------------------------41
2.3.1 The command show---------------------------------------------------------------------------------------------------- 41
2.3.2 Protocol Debugging---------------------------------------------------------------------------------------------------- 42
2.3.3 Network Troubleshooting tools -------------------------------------------------------------------------------------- 43
2.3.4 SysLog (system logging) function ----------------------------------------------------------------------------------- 43
2.3.5 Spy cpu to check cpu utilization rate ------------------------------------------------------------------------------ 44
2.3.6 Examining the Utilization of CPU ----------------------------------------------------------------------------------- 45
2.4 System software update ---------------------------------------------------------------------------------------------45
CHAPTER 3 NETWORK PROTOCOL -------------------------------------------- 55

3.1 IP Address Configuration --------------------------------------------------------------------------------------------56
3.1.1 Introduction to IP Addressing ---------------------------------------------------------------------------------------- 56
3.1.2 Allocating an IP address to an Interface ---------------------------------------------------------------------------- 57
3.1.3 Enabling IP Unnumbered on a Serial Port -------------------------------------------------------------------------- 58
3.1.4 Setting the IP Address Negotiation property on an Interface----------------------------------------------------- 59
3.1.5 Displaying IP Address Configurations ------------------------------------------------------------------------------ 59
3. 2 Address Resolution---------------------------------------------------------------------------------------------------59
3.2.1 Establishing an Address Resolution Protocol (ARP)-------------------------------------------------------------- 59
3.2.2 Defining a Static ARP Cache----------------------------------------------------------------------------------------- 59
3..3 Displaying the ARP cache ------------------------------------------------------------------------------------------60

3.3.1 Domain Name System (DNS) ------------------------------------------------------------------------------------------- 60
3.3.2 Mapping IP addresses to Host Name ----------------------------------------------------------------------------------- 60
3.3.3 Designating a Domain Name -------------------------------------------------------------------------------------------- 61
3.3.4 Designating a Domain Name Server ----------------------------------------------------------------------------------- 61
3.3.5 Designating a Domain Name Service Order--------------------------------------------------------------------------- 61
3.4 IP Protocol --------------------------------------------------------------------------------------------------------------61
3.4.1 Enabling/Disabling IP Route Forwarding------------------------------------------------------------------------------ 61
3.4.2 Permitting/Prohibiting IP to Accept Redirection Messages --------------------------------------------------------- 61
3.4.3 Permitting/Prohibiting IP Receiving Redirection Message---------------------------------------------------------- 62
3.4.4 IP Fast Transmission------------------------------------------------------------------------------------------------------ 62
3.4.5 Configuring IP Protocol Attributes ------------------------------------------------------------------------------------- 62
3.5 ICMP protocol----------------------------------------------------------------------------------------------------------64
3.5.1 Configuring ICMP Options ------------------------------------------------------------------------------------------- 64
3.5.2 Displaying ICMP Statistics ------------------------------------------------------------------------------------------- 64
3.6 IGMP protocol ----------------------------------------------------------------------------------------------------------64
3.7TCP protocol -------------------------------------------------------------------------------------------------------------65
3.7.1 Configuring TCP properties ------------------------------------------------------------------------------------------ 65
3.7.2 Displaying TCP Statistics --------------------------------------------------------------------------------------------- 65
3.8 UDP Protocol -----------------------------------------------------------------------------------------------------------66
3.8.1 Configuring UDP Protocol Attributes ------------------------------------------------------------------------------- 67
3.8.2 Observing UDP Statistic Information ------------------------------------------------------------------------------- 68
3. 9 The Socket Interface -------------------------------------------------------------------------------------------------68
3. 10 Proxy ARP ------------------------------------------------------------------------------------------------------------68
CHAPTER 4 DISCRIPTION OF THE INTERFACE CABLE SIGNALS ----- 68

CHAPTER 5 WAN PROTOCOLS CONFIGURATION ------------------------- 88
5. 1 PPP Protocol -----------------------------------------------------------------------------------------------------------88
5.1.1
Brief Introduction of PPP ------------------------------------------------------------------------------------- 88
5.1.2
Description of basic PPP instructions ----------------------------------------------------------------------- 89
5.1.3
Examples of PPP configuration ------------------------------------------------------------------------------ 90
5.1.4
Configuring PPP Authentication----------------------------------------------------------------------------- 91
5.1.5
Monitoring and Debugging PPP information -------------------------------------------------------------- 92
5.1.6
PPP Address Pool---------------------------------------------------------------------------------------------- 93
5.1.7
PPP Multilink--------------------------------------------------------------------------------------------------- 94
5.1.8 PPP Data Compression ------------------------------------------------------------------------------------------------ 97
5.1.9 PPP BACP (Bandwidth Allocation Control Protocol) and PPP BAP ------------------------------------------- 98
5.1.10 BACP Configuration Commands -------------------------------------------------------------------------------- 98
5.1.11 A PPP BACP Configuration Example --------------------------------------------------------------------------- 101
5.1.12 Monitoring and Debugging PPP BACP ------------------------------------------------------------------------- 103
5.1.13 MPLS Over PPP-------------------------------------------------------------------------------------------------- 103
5.1.14 AAA authorization Over PPP----------------------------------------------------------------------------------- 105
5.1.15 PPP encryption --------------------------------------------------------------------------------------------------- 105
5.1.16 PPP CALLBACK ------------------------------------------------------------------------------------------------ 106
5.1.17 negotiate DNS and WINS over PPP --------------------------------------------------------------------------- 106
5.1.18 Negotiate IP Address over PPP from dialer-map--------------------------------------------------------------- 107
5.1.19 PPP Bridge -------------------------------------------------------------------------------------------------------- 107
5.1.20 Null username CHAP authentication Over PPP ---------------------------------------------------------------- 108
5.2 HDLC protocol -------------------------------------------------------------------------------------------------------- 109
5.2.1
Brief Introduction of Protocol------------------------------------------------------------------------------ 109
5.2.2
The relevant commands of HDLC: ------------------------------------------------------------------------ 109
5.2.3
HDLC Debug Information---------------------------------------------------------------------------------- 110
5.2.4
Configuring HDLC Bridge-connection Mode ----------------------------------------------------------- 110
5.2.5 HDL bridge ----------------------------------------------------------------------------------------------------------- 112
5.3 SLIP protocol---------------------------------------------------------------------------------------------------------- 112
5.3.1
Brief Introduction -------------------------------------------------------------------------------------------- 112
5.3.2
An example of configuration ------------------------------------------------------------------------------- 112
5.4 TCP/IP Packet Header Compression------------------------------------------------------------------------- 113
5.5 X.25 Protocol--------------------------------------------------------------------------------------------------------- 114
5.5.1 Brief Introduction of X.25 ------------------------------------------------------------------------------------------ 115
5.5.2 Description of basic X.25 configuration -------------------------------------------------------------------------- 115
5.5.3 An example of a typical X.25 configuration---------------------------------------------------------------------- 115
5.5.4 Debugging/Monitoring X.25 --------------------------------------------------------------------------------------- 116
5.5.5
The X.25 subinterface --------------------------------------------------------------------------------------- 117
5.5.6
An example of X.25 subinterface configuration --------------------------------------------------------- 118
5.5.7
The switching function of X.25 ---------------------------------------------------------------------------- 119
5.5.8
The PAD function of X.25 ---------------------------------------------------------------------------------- 124
5. 6 Frame Relay Protocol---------------------------------------------------------------------------------------------- 125
5.6.1 Description of basic instructions to configure frame relay ----------------------------------------------------- 129
5.6.2
The typical configuration example of frame relay------------------------------------------------------- 129
5.6.3
The debugging/monitoring of frame relay---------------------------------------------------------------- 130
5.6.4
Frame Relay Reverse Address Resolution Protocol----------------------------------------------------- 131
5.6.5
Frame relay sub-interface ----------------------------------------------------------------------------------- 132
5.6.6
An example of frame relay subinterface configuration ------------------------------------------------- 133
5.6.7
Frame Relay Switch ----------------------------------------------------------------------------------------- 134
5.6.8 Frame-Relay PVC Compression ----------------------------------------------------------------------------------- 137
5.6.9 DE bit support on Frame-Relay ------------------------------------------------------------------------------------ 139
5.6.10 Frame-Relay Fragment -------------------------------------------------------------------------------------------- 140
CHAPTER 6 DDR AND INTERFACE BACKUP ------------------------------ 146

6.1 Dialer Backup --------------------------------------------------------------------------------------------------------- 147
6.1.1 The Configuration of a Built-in Frequency-band MODEM ---------------------------------------------------- 147
6.1.2 Dialer Script ---------------------------------------------------------------------------------------------------------- 150
6.1.3 The Configuration of Dial Backup--------------------------------------------------------------------------------- 152
6.1.4 The Typical Example of Dialer Backup--------------------------------------------------------------------------- 153
6.1.5 Configure Backup load ---------------------------------------------------------------------------------------------- 155
6.2 DDR Dialer Configurations ---------------------------------------------------------------------------------------- 158
6.2.1 Configuring DDR (Dial-On-Demand Routing) ------------------------------------------------------------------ 158
6.2.2 Dialer Callback ------------------------------------------------------------------------------------------------------- 165
6.3 Dialup Prototype (Profile) ------------------------------------------------------------------------------------------ 171
6.3.1 Dialer Interface ------------------------------------------------------------------------------------------------------- 171
6.3.2 Dialer Map-class ----------------------------------------------------------------------------------------------------- 172
6.3.3 Dialer Pool ------------------------------------------------------------------------------------------------------------ 172
6.3.4 Physical Interface ---------------------------------------------------------------------------------------------------- 173
6.3.5 A Sample Configuration -------------------------------------------------------------------------------------------- 173
CHAPTER 7 ROUTING CONFIGURATION ----------------------------------- 175

7. 1 A Brief Introduction to Routing----------------------------------------------------------------------------------- 175
7.2 Configuring Static Routes/Default Routes -------------------------------------------------------------------- 176
2.1
Configuring static route ------------------------------------------------------------------------------------- 176
2.2
Configuring the default route------------------------------------------------------------------------------- 176
7.3 Configuring RIP Dynamic Routing------------------------------------------------------------------------------ 177
7.3.1
The Description of Relevant Commands to Configure RIP -------------------------------------------- 178
7.3.2
An Example of RIP Configuration ------------------------------------------------------------------------ 179
7.3.3
Debugging RIP ----------------------------------------------------------------------------------------------- 180
7.4 Configuring OSPF Dynamic Routing---------------------------------------------------------------------------- 181
7.4.1
Description of Relevant Commands Configuring OSPF ----------------------------------------------- 181
distribute-list <1_1000> --------------------------------------------------------------------------------------------------- 181
hello-interval ---------------------------------------------------------------------------------------------------------------- 182
7.4.2
An Example of OSPF Configuration ---------------------------------------------------------------------- 189
7.4.3
Debugging/Monitoring OSPF ------------------------------------------------------------------------------ 186
7.5 Configuring IRMP Dynamic Route------------------------------------------------------------------------------- 194
7.5.1 Description of relevant commands configuring IRMP---------------------------------------------------------- 194
7.5.2
An Example of an IRMP Configuration ------------------------------------------------------------------ 196
7.5.3
Debugging/monitoring IRMP ---------------------------------------------------------------------------- 197
7.6 Configuring SNSP Route --------------------------------------------------------------------------------------- 198
7.6.1
Description of Relevant Commands for Configuring SNSP ----------------------------------------- 198
7.6.2
An Example of SNSP Configuration-------------------------------------------------------------------- 198
7.7 Configuring VBRP --------------------------------------------------------------------------------------------------- 199
7.7.1 Related VBRP Configuration Commands ------------------------------------------------------------------------ 200
7.7.2 An Example of VBRP Configuration ----------------------------------------------------------------------------- 203
7.7.3 Monitoring and Debugging VBRP -------------------------------------------------------------------------------- 203
7.8 Configuring VRRP --------------------------------------------------------------------------------------------------- 204
7.8.1 Related VRRP Configuration Commands ------------------------------------------------------------------------ 204
7.8.2 An Example of VRRP Configuration ----------------------------------------------------------------------------- 206
7.8.3 Monitoring and Debugging VRRP -------------------------------------------------------------------------------- 207
7. 9 Configuring Snapshot Routing----------------------------------------------------------------------------------- 207
7. 9.1 Related Descriptions of Snapshot Routing Configuration Commands --------------------------------------- 208
7. 9.2 An Example of Snapshot Routing--------------------------------------------------------------------------------- 209
7. 9.3 Monitoring and Debugging Snapshot Routing ------------------------------------------------------------------ 210
7. 10 Configuring Policy Route ---------------------------------------------------------------------------------------- 211
7.10.1 Related Descriptions of Policy Route Configuration Commands -------------------------------------------- 211
7.10.2 An example of policy route configuration----------------------------------------------------------------------- 212
7.10.3 Monitoring and Debugging of Policy Route -------------------------------------------------------------------- 214
7.11 Configuring M-VRF ------------------------------------------------------------------------------------------------ 215
7.11.1 Related Descriptions of M-VRF Configuration Commands -------------------------------------------------- 215
7.11.2 An Example of M-VRF Configuration -------------------------------------------------------------------------- 217
7.11.3 Monitoring and Debugging M-VRF ----------------------------------------------------------------------------- 220
7.12 Load Balance-------------------------------------------------------------------------------------------------------- 221
7.12.1
Description Of Relevant Commands Supporting Load Balance--------------------------------------- 221
7.12.2
An Example Load Balance Configuration---------------------------------------------------------------- 222
7.12.3
Monitoring and Debugging Load Balance---------------------------------------------------------------- 223
7.13 Configuring BGP Dynamic Routing Protocol ---------------------------------------------------------------- 223
7.13.1 Related Descriptions of BGP Configuration Commands--------------------------------------------------------- 223
7.13.2 Examples of BGP Configuration ------------------------------------------------------------------------------------ 234
7.13.3 BGP Monitoring and Debugging ------------------------------------------------------------------------------------ 243
CHAPTER 8 CONFIGURING SNA----------------------------------------------- 251

8. 1 Data Link SwitchingDLSw------------------------------------------------------------------------------------- 251
8.1.1 Configuring the Commands Relevant to DLSw ----------------------------------------------------------------- 252
8.1.2
Debugging and Monitoring --------------------------------------------------------------------------------- 254
8.2 Synchronous Data Link Control (SDLC) --------------------------------------------------------------------------- 256
8.2.1 The Relevant Configuring Commands of SDLC ---------------------------------------------------------------- 257
8.2.2 Configuring the Relevant Operations of SDLC on an Interface ----------------------------------------------- 259
8.2.3 The Debugging Information of SDLC ---------------------------------------------------------------------------- 259
8.2.4 Typical Network Construction Mode of SNA Application ----------------------------------------------------- 261
8.2.5 The typical SNA configuration of Maipu Router ---------------------------------------------------------------- 261
8. 3 LLC2 -------------------------------------------------------------------------------------------------------------------- 265
8.4 QLLC -------------------------------------------------------------------------------------------------------------------- 267
8.4.1 QLLC Configuring Commands ------------------------------------------------------------------------------------ 267
8.4.2 Typical QLLC Configuration--------------------------------------------------------------------------------------- 269
8.4.3 QLLC Debugging/Monitoring ------------------------------------------------------------------------------------- 270
CHAPTER 9 IP TELEPHONE CONFIGURATION -------------------------- 276

9.1 Configure Voice Card Interface -------------------------------------------------------------------------------------- 276
9.1.1 Relevant Commands------------------------------------------------------------------------------------------------- 276

9.1.2
A Simple Example of Configuration ---------------------------------------------------------------------- 278
9. 2 Configuring VoIP ------------------------------------------------------------------------------------------------------ 278
9.2.1 Relevant Commands------------------------------------------------------------------------------------------------- 279
9.2.2 The Usage of the Basic Commands-------------------------------------------------------------------------------- 281
9.2.3 The Usage of the Extended Configuration------------------------------------------------------------------------ 281
9.2.4 Configuration Example---------------------------------------------------------------------------------------------- 281
9.3 Configuring the Maipu Router as a H.323 Voice Gateway ------------------------------------------------------- 286
9.3.1 Basic Concepts ------------------------------------------------------------------------------------------------------- 287
9.3.2 Configuring H.323 Voice Gateway -------------------------------------------------------------------------------- 287
9. 4 IP Telephone Debugging Switch ------------------------------------------------------------------------------------ 287
CHAPTER 10 TERMINAL CONFIGURATION-------------------------------- 290

10.1 Terminal Protocol--------------------------------------------------------------------------------------------------- 291
10.1.1 Configuring the Terminal Protocol ---------------------------------------------------------------------------------- 291
10.1.1.1 Creating/Configuring Terminal Template --------------------------------------------------------------------- 291
10.1.1.2 The Interface Encapsulation Terminal Link Protocol-------------------------------------------------------- 293
10.1.1.3 Applying the Terminal Module to a Terminal Protocol Interface ------------------------------------------ 295
10.1.2 An Example of Terminal Protocol Configuration ----------------------------------------------------------------- 294
10.1.3 Related Terminal Debugging Commands -------------------------------------------------------------------------- 295
10.2 MPDLC Protocol---------------------------------------------------------------------------------------------------- 296
10.2.1 Configuring MPDLC Protocol--------------------------------------------------------------------------------------- 297
10.2.1.1 Creating/Configuring Terminal Template --------------------------------------------------------------------- 297
10.2.1.2 Encapsulating Interface with MPDLC Link Protocol ------------------------------------------------------- 297
10.2.1.3 Applying the Terminal Template to a MPDLC Interface --------------------------------------------------- 298
10.2.2 An Example of MPDLC Configuration ---------------------------------------------------------------------------- 298
10.2.3 Related MPDLC Debugging Commands--------------------------------------------------------------------------- 298
10.3 X.3 PAD Terminal -------------------------------------------------------------------------------------------------- 298
10.3.1 Configuring the X.3 PAD Terminal --------------------------------------------------------------------------------- 299
10.3.1.1 Creating/Configuring a Terminal Template ------------------------------------------------------------------- 299
10.3.1.2 Configuring X.25 Link-layer Protocol------------------------------------------------------------------------- 299
10.3.1.3 Applying a Terminal Template to X.3 PAD------------------------------------------------------------------- 299
10.3.1.4 An Example of X.3 PAD Terminal Configuration ----------------------------------------------------------- 299
10.3.1.5 The Related Debugging Commands of the X.3 PAD Terminal -------------------------------------------- 301
10.3.2 Configuring UNIX Server -------------------------------------------------------------------------------------------- 301
10.3.2.1 Configuring Itest Parameters ----------------------------------------------------------------------------------- 301
10.3.2.2 Configuring SCO UNIX----------------------------------------------------------------------------------------- 304
10.3.2.3 Configuring AIX UNIX ----------------------------------------------------------------------------------------- 306
10.3.2.4 Configuring SUN UNIX ---------------------------------------------------------------------------------------- 307
10.3.2.5 Configuring HP UNIX------------------------------------------------------------------------------------------- 309
10.3.2.6 Adjusting UNIX Kernel Parameters --------------------------------------------------------------------------- 311
10.3.2.7 TELNET Fix-terminal ------------------------------------------------------------------------------------------- 312
10.3.2.8 Itest Terminal Management ------------------------------------------------------------------------------------- 312
10.4 Comparison of New/ Old Version of IOS Configuration--------------------------------------------------- 312
10.4.1 The Comparison of Terminal Number Distribution --------------------------------------------------------------- 312
10.4.2 The Comparison of Interface Configuration ----------------------------------------------------------------------- 314
10.4.3 The Configuration of Itest.conf Adopting Encryption and Compression -------------------------------------- 314
10.4.4 Examples of New/Old Configuration of Maipu Router ---------------------------------------------------------- 314
CHAPTER 11 SECURITY CONFIGURATION--------------------------------- 316

11.1 Firewall Configuration --------------------------------------------------------------------------------------------- 316
11.1.1 Access Lists --------------------------------------------------------------------------------------------------------- 316
11.1.2 Correlative Firewall Configuration------------------------------------------------------------------------------- 321
11.1.3 Applying Access Lists To An Interface-------------------------------------------------------------------------- 322
11.1.4 Monitoring And Maintaining Your Firewall -------------------------------------------------------------------- 323
11.1.5 Configuring An Access Channel --------------------------------------------------------------------------------- 323

11.1.6 Time Limit Packet Filtering --------------------------------------------------------------------------------------- 325
11.1.7 Media Access Control (MAC) Address Packet Filtering ------------------------------------------------------ 327
11.1.8 A Few Points About Firewall Configuration-------------------------------------------------------------------- 328
11.1.9 Examples------------------------------------------------------------------------------------------------------------- 329
11.2 Network Address Translation (NAT) Configuration--------------------------------------------------------- 334
11.2.1 NAT Confirgation Points To Keep In Mind --------------------------------------------------------------------- 335
11.2.2 NAT Configuration Commands----------------------------------------------------------------------------------- 335
11.2.3 Interior Source Address Translation------------------------------------------------------------------------------ 337
11.2.4 Interior Destination Address Translation ------------------------------------------------------------------------ 339
11.2.5 Timeout Alteration ------------------------------------------------------------------------------------------------- 340
11.2.6 NAT Monitoring And Maintenance ------------------------------------------------------------------------------ 340
11.3 Easy IP Configuration ------------------------------------------------------------------------------------------- 343
11.3.1 Configuring Easy IP------------------------------------------------------------------------------------------------ 343
11.3.2 Easy IP Configuration Case --------------------------------------------------------------------------------------- 343
11. 4 Access Control List (ACL) User Group Control Configurations ---------------------------------------- 344
11.4.1 Subnet Isolation ----------------------------------------------------------------------------------------------------- 344
11.4.2
User Rights Management ----------------------------------------------------------------------------------- 344
11. 5 IPsec Network Security Configuration------------------------------------------------------------------------ 352
11.5.1 Configuring IPsec--------------------------------------------------------------------------------------------------- 352
11.5.2 Monitoring and Debugging IPsec -------------------------------------------------------------------------------- 367
11.5.3 IPsec Configuration Case ------------------------------------------------------------------------------------------ 369
11. 6 Encryption Module Usage --------------------------------------------------------------------------------------- 374
11.6.1 Features -------------------------------------------------------------------------------------------------------------- 374
11.6.2
Encryption Module Application --------------------------------------------------------------------------- 374
11.7 Configuring IKE ----------------------------------------------------------------------------------------------------- 375
11.7.1 Configuring IKE ---------------------------------------------------------------------------------------------------- 376
11.7.2 Monitoring And Debugging IKE --------------------------------------------------------------------------------- 381
11.7.3 Configuration Examples ------------------------------------------------------------------------------------------- 383
11. 8 Configure Virtual Private Dial-up Network (VPDN)-------------------------------------------------------- 388
11.8.1 Global VPDN Configuration ----------------------------------------------------------------------------------------- 388
11.8.2 Special LAC configuration ------------------------------------------------------------------------------------------- 389
11.8.3 Special LNS Configuration------------------------------------------------------------------------------------------- 390
11.8.4 Configure VPDN Tunnel --------------------------------------------------------------------------------------------- 391
11.8.5 Configure the Virtual Template Interface--------------------------------------------------------------------------- 391
11.8.6 Example of VPDN Configuration ----------------------------------------------------------------------------------- 392
11.8.7 VPDN Monitoring and Debugging---------------------------------------------------------------------------------- 393
11.9 Configure GRE------------------------------------------------------------------------------------------------------ 394
11.9.1 Relative Commands to Configure GRE ---------------------------------------------------------------------------- 394
11.9.2 Example of GRE Configuration ------------------------------------------------------------------------------------- 395
10.9.3 GRE Checking and Debugging -------------------------------------------------------------------------------------- 395
11.10 Configuration of Digital Certificate ---------------------------------------------------------------------------- 398
11.10.1 Parsing of Terminologies Relative with Digital Certificate----------------------------------------------------- 398
11.10.2 Introduction to digital certificate ----------------------------------------------------------------------------------- 399
11.10.3 Configuration of Certificate----------------------------------------------------------------------------------------- 399
CHAPTER 12 QUALITY OF SERVICE (QOS) CONFIGURATION ------- 407

12. 1 First In First Out (FIFO) ------------------------------------------------------------------------------------------ 408
12. 2 Priority Queuing (PQ) -------------------------------------------------------------------------------------------- 408
12. 2.1 Distribute The Packet Queue and Priority Class--------------------------------------------------------------- 408
12. 2.2 Configure Priority Queuing -------------------------------------------------------------------------------------- 408
12. 2.3 Adjust The Priority Queue Size ---------------------------------------------------------------------------------- 409
12. 2.4 Choose Packet Drop-type Algorithm---------------------------------------------------------------------------- 410
12. 2.5 Configure A RED Group ----------------------------------------------------------------------------------------- 410
12. 2.6 Example ------------------------------------------------------------------------------------------------------------- 410
12. 3 Weighted Fair Queue (WFQ) ----------------------------------------------------------------------------------- 413
12. 4 Customer Queuing (CQ)----------------------------------------------------------------------------------------- 414

12. 4.1 Assign A Queue In CQ Mode ------------------------------------------------------------------------------------ 414
12. 4.2 Configure CQ ------------------------------------------------------------------------------------------------------ 414
12. 4.3 Adjust CQ User Attributes---------------------------------------------------------------------------------------- 416
12. 4.4 Choose Packet Drop-type Algorithm---------------------------------------------------------------------------- 416
12. 4.5 Debugging ---------------------------------------------------------------------------------------------------------- 417
12. 4.6 An example --------------------------------------------------------------------------------------------------------- 417
12. 5 Weighted Random Early Detect Queue (WREDQ) ------------------------------------------------------- 418
12. 6 Class-Based Weighted Fair Queue(CBWFQ)-------------------------------------------------------------- 418
12. 6.1 Define A Match Class --------------------------------------------------------------------------------------------- 419
12. 6.2 Define A CBWFQ Policy----------------------------------------------------------------------------------------- 419
12. 6.3 Apply The Defined CBWFQ Policy To An Interface --------------------------------------------------------- 420
12. 6.4 Debugging ---------------------------------------------------------------------------------------------------------- 421
12. 6.5 Example ------------------------------------------------------------------------------------------------------------- 421
12. 7 Bandwidth Management----------------------------------------------------------------------------------------- 422
12. 8 Traffic Shaping ----------------------------------------------------------------------------------------------------- 423
12. 9 RSVP (Resource Reservation Protocol)--------------------------------------------------------------------- 423
CHAPTER 13 802.1Q SPECIFICATIONS-------------------------------------- 427

13.1 802.1Q Configuring Principles ---------------------------------------------------------------------------------- 427
13.1.1 VLAN Functions --------------------------------------------------------------------------------------------------- 427
13.1.2 One-Armed Routing------------------------------------------------------------------------------------------------ 427
13.1.3 Subnet Isolation----------------------------------------------------------------------------------------------------- 427
13.2 802.1Q Configuring Commands-------------------------------------------------------------------------------- 428
13.2.1 Configuring 802.1Q Commands---------------------------------------------------------------------------------- 428
13.2.2 A Typical One-Armed Router Application---------------------------------------------------------------------- 428
13.2.3 A Typical Subnet Isolation Application ------------------------------------------------------------------------- 431
13.2.4 Displaying Configuration Statistics ------------------------------------------------------------------------------ 431
CHAPTER 14 DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

CONFIGURATION ------------------------------------------------------------------ 434
14. 1 Introduction of DHCP--------------------------------------------------------------------------------------------- 434
14. 2 Configuration of DHCP------------------------------------------------------------------------------------------- 434
14. 2.1 DHCP Configuration Task List ---------------------------------------------------------------------------------- 434
14. 2.2 The Relative Commands ------------------------------------------------------------------------------------------ 434
14. 2.3 Configure DHCP--------------------------------------------------------------------------------------------------- 434
14. 3 DHCP Configuration Case -------------------------------------------------------------------------------------- 435
14. 4 Examine the Status and the Debug--------------------------------------------------------------------------- 436
CHAPTER 15 NDSP PROTOCOL CONFIGURATION ----------------------- 437

15.1 Commands----------------------------------------------------------------------------------------------------------- 437
15.2 Examples------------------------------------------------------------------------------------------------------------- 437
CHAPTER 16 SNMP CONFIGURATION --------------------------------------- 439

16.1 SNMP Instruction Set --------------------------------------------------------------------------------------------- 439
16.2 Simple Network Management Protocol (SNMP) Configuration----------------------------------------- 439
16.3 Remote Network Monitoring (RMON) ------------------------------------------------------------------------- 452
16.3 Remote Network Monitoring (RMON) ------------------------------------------------------------------------- 452
CHAPTER 17 NETWORK TEST AND TROUBLESHOOTING ----------- 460

17.1 Network Test Tools------------------------------------------------------------------------------------------------- 460
17.1.1
Ping ------------------------------------------------------------------------------------------------------------ 460
17.1.2 Traceroute ----------------------------------------------------------------------------------------------------------- 461
17.1.3 Netstat---------------------------------------------------------------------------------------------------------------- 461
17.1.4 Show ----------------------------------------------------------------------------------------------------------------- 462

17.2 How To Diagnose A Network Failure -------------------------------------------------------------------------- 462
17.2.1 Diagnosing LAN Port Failures ----------------------------------------------------------------------------------- 462
17.2.2 Diagnosing WAN Port Failures ----------------------------------------------------------------------------------- 501
CHAPTER 18 SOFTWARE UPGRADE ---------------------------------------- 463

18.1 The Upgrade of ROOT-------------------------------------------------------------------------------------------- 463
18.1.1 Upgrade the Hex File of the ROOT program through the Console Interface------------------------------- 463
18.2 The Upgrade of an Application (IOS) ------------------------------------------------------------------------- 466
18.2.1 Upgrade the Bin File of an Application through TFTP/FTP-------------------------------------------------- 466
18.2.2 Upgrade the Bin File of an Application through the Console Interface ------------------------------------- 468
18.2.3 Upgrade the Hex File of an Application through the Console Interface ------------------------------------ 470
CHAPTER 19 SNTP CONFIGURATION -------------------------------------- 475

19.1 Relevant commands to configure SNTP --------------------------------------------------------------------- 475
19.2 An Example of SNTP Configuration --------------------------------------------------------------------------- 475
19.3
Checking and Debugging SNTP ----------------------------------------------------------------- 482
19.4
Configuring the Time Zone ------------------------------------------------------------------------ 482
19.5 An Example of Time Zone Configuration --------------------------------------------------------------------- 483
CHAPTER 20 MULTICAST ROUTE CONFIGURATION ------------------ 484

20.1
20.1.1
20.1.2
20.1.3
20.2
20.2.1
20.2.2
20.2.3
Configure IGMP -------------------------------------------------------------------------------------- 484

Descriptions of commands to configure IGMP ---------------------------------------------------------- 484
An Example of IGMP Configuration---------------------------------------------------------------------- 484
Monitoring and Debugging IGMP------------------------------------------------------------------------- 484
Configure PIM-SM ----------------------------------------------------------------------------------- 484
Descriptions of Commands to Configure PIM-SM------------------------------------------------------ 485
An PIM-SM Configuration Example---------------------------------------------------------------------- 487
Monitoring and Debugging PIM-SM --------------------------------------------------------------------- 488
CHAPTER 21 AAA CONFIGURATION----------------------------------------- 492

21.1
Descriptions of Command Relevant with AAA------------------------------------------------ 492
21.2 An Example of AAA Configuration ----------------------------------------------------------------------------- 492
21.3 Checking and Debugging AAA ---------------------------------------------------------------------------------- 495
CHAPTER 22 MPLS CONFIGURATION -------------------------------------- 497

22.1 Brief Introduction to MPLS --------------------------------------------------------------------------------------- 492
22.2
Descriptions of commands to configure MPLS ----------------------------------------------- 492
22.3 An Example of MPLS\VPN Configuration -------------------------------------------------------------------- 495
CHAPTER 23 INTERFACE CONFIGURATION------------------------------- 506

23.1 Interface Types ----------------------------------------------------------------------------------------------------- 506
23.1.1 Interface Types Presently Supported by Maipu Routers---------------------------------------------------------- 506
23.1.2 Configuring Interfaces ------------------------------------------------------------------------------------------------ 506
23.2 Configuring an Ethernet Port ------------------------------------------------------------------------------------ 506
23.2.1 The Protocols Supported by Maipu Series Router ---------------------------------------------------------------- 506
23.2.2 Configuring Network Address ----------------------------------------------------------------------------------------- 06
23.2.3 Configuring an Vlan Interface --------------------------------------------------------------------------------------- 506
23.2.4 Establishing Address Resolution (ARP)---------------------------------------------------------------------------- 506
23.2.4.1 Defining a Static ARP Buffer----------------------------------------------------------------------------------- 506
23.2.4.2 Examining ARP Buffer ------------------------------------------------------------------------------------------ 506
23.2.5 Proxy ARP-------------------------------------------------------------------------------------------------------------- 506
23.2.6 Monitoring and Maintenance ---------------------------------------------------------------------------------------- 506
23.3Configuring High-speed Serial Interface ---------------------------------------------------------------------- 506
23.3.1 Configuring an Asynchronous Serial Interface ---------------------------------------------------------------------- 74

23.3.2 Configuring a Synchronous Serial Interface ------------------------------------------------------------------------- 75
23.3.2.1 Configuring the Operation Mode of a Synchronous Serial Interface ---------------------------------------- 75
23.3.3 Monitoring and Maintenance ------------------------------------------------------------------------------------------ 75
23.4 Configuring a 16-asyn-serial-interface module ---------------------------------------------------------------76
23.5 Configuring a CE1 Module-----------------------------------------------------------------------------------------77
23.5.1 Configuring a CE1 interface ------------------------------------------------------------------------------------------- 77
23.5.2 Monitoring a CE1 Module --------------------------------------------------------------------------------------------- 79
23.6 Configuring an E1 module -----------------------------------------------------------------------------------------79
23.6.1 Configuring an E1 Interface-------------------------------------------------------------------------------------------- 79
23.6.2 Monitoring an E1 Interface--------------------------------------------------------------------------------------------- 81
23.7 Configuring an 8-port Synchronous Module -------------------------------------------------------------------81
23.7.1 Configuring an 8S Interface -------------------------------------------------------------------------------------------- 81
23.7.2 Monitoring an 8s Interface --------------------------------------------------------------------------------------------- 83
23.8 Configuring a Built-in Base-band Modem ----------------------------------------------------------------------83
23.8.1 Configuring a Single-port 128 Modem Module --------------------------------------------------------------------- 83
23.8.2 Configuring an 8-port 128 Modem Module-------------------------------------------------------------------------- 83
23.9 Configuring a Built-in MODEM Module -------------------------------------------------------------------------84
23.9.1 Configuring a Built-in MODEM Module ---------------------------------------------------------------------------- 84
23.9.2 Built-in MODEM Debugging------------------------------------------------------------------------------------------ 85
23.10 Configuring an ISDN Module --------------------------------------------- Error! Bookmark not defined.
Chapter 1
System Basis
This chapter mainly describes the basic concepts of the InfoExpress IOS system in Maipus Router Series. Included in this
chapter are relevant concepts, such as the InfoExpress system mode, the preparation of the configuration environment, the
command line interface and so on.
The main contents of this chapter are as follows:
o
o
o
o
1.1
Router Configuration mode

Command run mode
Constructing the configuration environment
Command line interface
Router Configuration Mode
Maipu routers provides users with four typical configuration modes:

o
o
o
o
Use the command shell to configure through the console interface;

Configuration through LINE interface of 56/336 modem module;
Configuration through Telnet remote log in a router;
Configuration through SNMP network management system.
The last configuration mode provides users with the interface of the English version, which is mainly used for users to
monitor the working status of a network and to collect statistical information of the system.
This manual describes the configuration mode of the router through the interface console. The other two modes, which
configure the router through the interface LINE in 56/336modem and Telnet remote login, are similar to the former. The
detail of the last mode that configures the router through SNMP can refer to the router network managing system
specifications.
1.2
Command line Mode
InfoExpress IOS of Maipus MP Router series provides a special subsystem dealing with commands for management and
execution of system commands, which is called shell. The main functions of shell are as follows:
o
o
o
o
Registration of system commands

User edit of system configuration commands
Syntax parsing of commands inputted by users (through interface console or Telnet link )
Execution of system command
When a user configures a router through the command shell, the system provides many kinds of run modes for the execution
of the command. Each command mode respectively supports the special InfoExpress IOS configuring command. Accordingly
this attains the aim of hierarchy protection of the system, and ensures against unauthorized access to the system.
The Shell subsystem presently provides the following modes for running the configuring commands, and each different mode
is corresponding with a different system prompt that is employed to tell users in which mode he/she is presently operating.
These modes are:
o
o
o
o
o
o
o
o
o
o
Common user mode

(User EXEC)
Privileged user mode
(Privileged EXEC)
Global configuration mode
(Global configuration)
Interface configuration mode (Interface configuration)
Route configuration mode
(route configuration)
File system configuration mode
(file system configuration)
Access list configuration mode
(access list configuration)
Voice-port configuration mode
(voice-port configuration)
Dial-peer configuration mode
(dial-peer configuring)
Encryption transform configuration mode (crypto transform-set configuration)
o
o
o
o
o
Encryption mapping configuration mode

(crypto map configuration)
IKE policy configuration mode
(isakmp configuration)
Pub key chain configuration mode (pubkey-chain configuration)
Pub key configuration mode
(pubkey-key configuration)
DHCP configuration mode(dhcp configuration)
Other configuration modes will be introduced in relevant chapters.

Table 1-1 describes methods of entering different command modes and how to switch between different modes.
Table 1-1 the InfoExpress system modes and the switch methods between modes
Mode name
Method of
Entering mode
System prompt
Exiting method
The common
user mode
Login
router>
Execute the command exit

to exit.
The
Privileged
user mode
Execute the
command enable
in the common
user mode.
The global
configura-tion
mode
Execute the
command
configure in
privileged user
mode and specify
the corresponding
keyword at the
same time.
Interface
Configuration mode
Execute the
command
interface in global
configuration
mode (and
designate the
corresponding
interface at the
same time)
router#
Execute the command

disable to come back to the
user mode.
Execute the command
configure to enter the
global configuration mode
Router(config)#
router(config-ifxxx[number])#

to come back to the
privileged user mode.
Execute the command
interface to enter the
interface configuration
mode.

to come back to the
privileged user mode.
Function
description
Alters the terminal
configuration.
Executes the basic
testing.
Displays the system
information.
Configures the
executing
parameters of the
router.
Configures the
global parameters
needed for the
router running.
Configures the
interface of the
router in the mode,
including:
Configures the
Ethernet interface;
Configures the
serial interface;
Configures the
interface ISDN;
Configures the
interface IP phone;
Configures the
interface E1.
The routing
configura-tion
mode
Execute the
corresponding
route configuring
command in
global
configuration
mode.
Configures IP
routing protocol in
the mode, including:
router(config-static)#
router(configrip)#
router(config-ospf)#
router(config-irmp)#

to return to the privileged
user mode.
Static routing
RIP dynamic routing
The IRMP
configuration mode
File system
configura-tion
mode
The access
list
configuration
mode
The voiceport
configura-tion
mode
The dial-peer
configura-tion
mode
The
encryption
transform
In global
configuration
mode, a user
enters this mode
through the
command
filesystem.
In global
configuration
mode, a user
enters the mode
through the
command ip
access-list, and
designates the
corresponding
keys and
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
through the
command voiceport, and
designates the
corresponding
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
through the
command dialpeer, and
designates the
corresponding
keys and
parameters
simultaneously.
In global
configuration
mode, a user
router (config-fs)#
router(config-std-nacl)#
router(config-ext-nacl)#

to return to the privileged
user mode.

to return to the global
configuration mode.
Finishes the file

system management
of the router.
Upgrades the router
software.
Configures the
access list of the
firewall, including:
Configures of the
standard access list.
Configures the
extended access list.
router(config-voice-port)#

to come back to the global
configuration mode.
router(config-dial-peer)#
Execute the command

exit to come back to the
global configuration mode.
router(cfg-crypto-trans)#

configuration mode.
Configures the
voice-port.
Configures VoIP.
Configures POTS.
Configures the
encryption transform
set.
configuration mode
The
encryption
mapping
configuration mode
The IKE
policy
Configuration mode
The public
key chain
configuration mode
Public key
configuration mode
The DHCP
Configuration mode
enters the mode

through the
command crypto
ipsec transformset, and designates
the corresponding
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
through the
command crypto
map, and
designates the
corresponding
keys and
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
through the
command crypto
isakmp, and
designates the
corresponding
keys and
parameters
simultaneously.
In global
configuration
mode, a user
enters the mode
through the
command crypto
key pubkeychain rsa.
In config-pubkeychain mode, a user
enters the mode
through the
command namedkey or
addressed-key
and designates the
corresponding
keys and
parameters
simultaneously.
In the global
configuration
mode, a user
enters the mode
through the
command
router(cfg-crypto-map)#

configuration mode.
router(config-isakmp)#

configuration mode.
router(config-pubkeychain)#

configuration mode.
router(config-pubkey-key)#
router(dhcp-config)#

to return to the configpubkey-chain mode.

configuration mode.
Configures the
encryption mapping
items.
Configures the IKE

policy.
Configures the RSA

public key to be
used.
Configures the
public key.
Configures DHCP.
router(config)#ip
dhcp pool, and
designates
thecorresponding
key words and
parameters
simultaneously.
Note
The word router is the default system name of a router when it leaves the factory. Users can rename the system name by
executing the command hostname in the global configuration mode, and the alteration can go into effect instantly.
1.3
Constructing the Configuration Environment
Users can use the command line provided by a router in four different ways. These approaches are introduced respectively as
follows:
1.3.1
Configuring a Router through the configuration interface (Console)
The following steps are used to connect with a terminal and configure the router through the port Console:
Choosing a terminal:
The terminal can be a standard one with RS-232 serial port or a common PC and the later is used more frequently. If making
configuration from the remote end, you will need two more modems.
After affirming that at either the router or the terminal is shutdown, please connect the RS-232 serial port of the terminal with
the Console port of the router. The connection relationship is shown in figure 1-2:
Constructing local
configuration environment
MAIPUROUTER
PC for
configuration
Configuring
port
Serial of PC
Cable of
configuring prot
Figure 1-2 connection sketch map of local configuring the router
Figure 1-3 Creating a Connection
Creating a
connection:(Figure
Power up the terminal, configuring the communication parameters of the terminal: 9600bps
Baud rate, 8 data1-3)
bits, no parity,
1 stop bit, and no flow control, choose VT100 as the type of terminal.
Choose a name for the

connection
Maipu
If the PC is running Win95/98/2000/NT operating system, you can use the Hyper Terminal
program,
and set the serial port
parameters of HyperTerminal program according to above parameters.
(Or choose any other

The following example shows the HyperTerminal program running in Windows NT:name)
Choosing serial communication

port (Figure 1-4)
Choosing a windows
icon for the created
connection
This example shows the

configuration communication
parameters of HyperTerminal
program:
Choose COM1 or COM2
according to the serial port
connected
(Figure 1-4) Choosing serial communication port
Configuring the parameters of

the serial communication port
(Figure 1-5)
Baud ratio (Bits per second) -- 9600bps
Data bits --- 8
Parity ---no
Stop bit----1
Flow control---None
Figure 1-5 Configuring the parameters of the serial communication port
Power on the router, and press Enter the key on the terminal, then a prompt router>will be displayed on the
terminal and the router can be configured. (Where the word router is the actual name of the router.)
1.3.2
Making configuration through the LINE port of the 56/336modem module
If the 56/336modem module has been configured in the router, the DIP dial-up switch of the module can be used to configure
the working mode of the port LINE .The usage of the switch DIP can be shown in the table 1-2:
Choosing mode
1. 56/336MODEM mode
Configuring the DIP switch

1
OFF
OFF
Interpretation
LINE port is used as the

interface of the inside
56/336MODEM.
2. Console port mode
ON
OFF
The LINE port is used as a
CONSOLE port, and the router
can be configured through the
remote dial-up login.
Table 1-2 Usages of DIP dial-up switch in the 56/336modem module
1.3.3 Configuring a Router through Telnet

If the IP address of each interface on the router has been configured correctly, then Telnet can be used to log in the router
through LAN or WAN and the router can be configured.
1) Configuring through a LAN
3& I RU FRQI L JXU DW L RQ
3&
3&
W KH U RXW HU W R FRQI L JXU H

6HU YHU
- Connect the network interface of computer with the Ethernet port of the router on the LAN.
- Run the Telnet client application program on a computer in the LAN.
- Configure the default mode (preference) of the Telnet terminal.
The contents of the configuration should be set as: terminal ->default mode -> simulation option select VT100/ANSI.
Note:
During the configuration of the Telnet client program, the option local response (each display) must be canceled.
Otherwise it will repeatedly display the contents inputted by the user which will adversely effect the normal employment of
the command edit function of the shell subsystem.
Type in the IP address of the router, and establishing Telnet connection to the router.
Set the Host Name as having the IP address of the router: 128.255.255.1
Configure the port as Telnet (23);
Configure the terminal type as TCP/IP (Winsock);
(The other operations are the same as the configuration through the console interface.)
2) Configuration through the WAN:

Connect the configured computer to the remote router through LAN router
Run the Telnet client program application program on the locally configured computer
The following steps are the same as that of configuration through LAN
&RQI L JXU L QJ W KH U HPRW H U RXW HU

W KU RXJK 3& I RU FRQI L JXU DW L RQ L Q /$1
3& I RU
FRQI L JXU DW L RQ
3&
3&
3&
:$1
/$1
/RFDO
U RXW HU
6\QFKU RQRXV
DV\QFKU RQRXV SRU W
6\QFKU RQRXV
DV\QFKU RQRXV SRU W
5RXW HU ZDL W L QJ I RU

FRQI L JXU DW L RQ
/$1 6HU YHU
3) Configuring a remote router through a local router
Run the Telnet client program on the local router, and configure a remote-end router by logging on to its network. The
method is the same as the one of configuring a router through Telnet on network. The connection figuration is as follows:
&RQI L JXU L QJ U HPRW H HQG U RXW HU W KU RXJK O RFDO U RXW HU

3&
3& I RU
FRQI L JXU DW L RQ
3& VHU L DO
6\QFKU RQRXV
$V\QFKU RQRXV
&RQI L JXU L QJ /RFDO

U RXW HU
SRU W
3&
3&
:$1
/$1
6\QFKU RQRXV
$V\QFKU RQRXV
&DEO H RI
FRQI L JXU L QJ SRU W
5RXW HU ZDL W L QJ
I RU FRQI L JXU DW L RQ
/$1 6HU YHU
Note:
When configuring the router through Telnet, do not alter the IP address of the WAN interface hastily. Only when make
sure that the other parameters are configured correctly can you alter the IP address. After the address is altered, Telnet would
disconnect and reestablish the connection. So the connection must be established again after the new IP address is inputted to
the host.
If users log into a Maipu router from a Linux system, the configuration should be made as follows:
First, input the users name and password into the Linux system;
Run Telnet client program in shell environment of Linux system to log in the router, using the following command:
telnet 128.255.255.1
After the command is executed, the output is as follows:
Connected to 128.255.255.1 ...done
Display the system prompt of the router:
router>
Press the keys
^ and ] simultaneously to return to the prompt of telnet program:
telnet>
Execute the command to cancel the local binary mode:
telnet> unset binary
Already in network ASCII mode with remote host.
router>
After the above operations are completed, the command editing environment in shell system can work normally.
IF users log in the router through another type of Telnet client program, and the command edit environment works
abnormally, please configure the Telnet client program according to the above mentioned specifications.
1.4
Command Line Interface
The Command Line interface is an interactive interface provided by the shell subsystem for users to configure and use a
router. Users can perform the corresponding configuration tasks through the command line interface. At the same time, users
can also examine the system information and see the running status of the system through the interface.
The Command Line interface provides users with the following functions:
System help information management;
Inputting and editing of system commands;
Interface history commands management;
Terminal displaying system management.
1.4.1 Command Line On-Line Help

The Command Line provides the following kinds of on-line helps:
help
full help
partial help
By means of the above help methods, users can get various kinds of help information, illustrated respectively as follows:
1) In any command mode, type help to obtain simple descriptions about the help system:
router>help
Help may be requested at any point in a command by typing a question mark: '?'. If nothing matches, the help list will be
empty and you must backup until entering a '?' shows the
available options.
Two types of help are provided:
1. Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered and you want to know which arguments match
the input (e.g. 'show pr?'.)
2) In any command mode, type in a question mark ? to view all possible commands and their simple descriptions in this
mode. The following command lists all commands that can be executed in the privileged user mode:
router#?
Command
Description
bootparams
Print/Modify system boot parameters
bridge
Transparent bridge two scc interfaces
Clear
reset function
Clock
Config the system clock information
Configure
Turn on configuration commands mode
console-speed
Set console speed
Copy
Copy a file to another
Debug
Debugging functions, see also undebug
Disable
Turn off privileged commands
display
Show something for debug purpose
exit
Exit from current EXEC mode
filesystem
Turn on file system management commands
mode
help
Description of the interactive help system
language
Set help information language
logout
Exit from EXEC shell
memdump
Dump memory image
more
Format showing output
mrt
Mrouted
netstat
Show active connections for Internet protocol

socket
no
Negate a command or set its defaults
pad
Open a X.29 PAD connection
phonerxgain
Voip card receive gain adjust
phonetxgain
Voip card transmit gain adjust
ping
Send echo messages
quickping
Send echo messages
reload
Halt and perform a cold restart
reset
Set something of runing system
rlogin
Open a rlogin connection
sendtrap
Send a trap to a specified host or all the host in

the trap host list
set
Set something of runing system
show
Show running system information
spy
Control collecting task activity data
sysupdate
Update system software
telnet
Open a telnet connection
terminal
Set terminal line parameters
trace
Show a task stack frame
traceroute
Trace route to destination
undebug
Disable debugging functions, see also debug
wdogDisable
Disable the system watchdog
wdogEnable
Enable the system watchdog
who
Show who is logged on
Whoami
Who am i?
write
Write current running configuration to a

destination
x3
Set X.3 parameters on PAD
3) Type in a command followed by one question mark (?) separated by a blank, if there is to be a keyword in the place, all
keywords and their simple descriptions will be listed. The following list shows all the key words that can follow the
command show in the privileged user mode:
router#show ?
about
access-lists
Print the copyright information

List access lists
accounting
Accounting data for active sessions
adsl
Adsl
arp
Print entries in the system ARP table
bridge
Bridge Forwarding/Filtering Database [verbose]
card_list
cbwfq
Show information of hardware modules

Show CBWFQ status
clock
Print system clock information
compress
PPP protocol
console
Print console interface information
controllers
Controllers
cpu
Show CPU use per process
cq
Show CQ status
debugging
State of each debugging option
debuglist
device
dhcp
Debug register list

Print the system devices information
Dynamic Host Configuration Protocol status
dialer
Dialer parameters and statistics
dip-switch
Print system DIP switch
dot1Q
Dot1Q
dynamic-command
Show module name of dynamic register
enable
Print enable information
file
Print file system information
filesystem
Print file system information of device
flux
Show flux information
forward
Forward
frame-relay
Frame-Relay protocol
gre
Gre protocol
hosts
Print current host tables information
if-list
Print ifnet list
ifx-list
Print ifnet_ext list
interface
Print detailed information of interface
ip
Print Internet protocol status information
keyflow
Keyflow informations
language
What language you use
ld
LLC2 device
llc2
Show LLC2 status
logging
Show system logging information
mbuf
Print detailed statistics of mbuf
memory
Print the system memory usage information
modem
Modem
mpdlc
Show MPDLC infomation
mpls
Mpls
name-server
Print DNS Resolver configuration
ndsp
NDSP information
netDev
Print net device list
netjob
Print netJob information
nia
NIA information
pool
Show all mbuf pool
ppp
Point-to-Point protocol
pq
Show PQ status
process
Active process statistics
queueing
Show queueing configuration
rmon
route-map
Remote monitoring
Show route map information
running-config
Print system running configuration information
scriptList
Print system script list
semaphore
Print the semaphore information
snapshot
Snapshot parameters and statistics
snmp-server
Show current statics of SNMP Agent
snsp
Stub Network Search Protocol(SNSP)
sntp
Print sntp client information
spd
Show spd status
spy
Show spy switch status
stack
Print the Process stack utilization information
standby
Virtual Backup Router Protocol (VBRP) information
startup-config
Print system startup configuration information
strt-list
Static route hash table
sysadmin
Show tasks cared
sysjob
Print sysJob information
systimertask
Print all tasks scheduled on the systimer list
tacacs
Shows tacacs server statistics
tcp
Status of TCP connections
tech-support
Show system information for Tech-Support
terminal
Show terminal
time-range
Show time range
tunnel-chain
Tunnel chain
ura
User resource authorization information
users
Print the system user login information
version
Print system hardware and software status
vpdn
VPDN information
wfq
Show WFQ status
wred
Show WRED status
x25
X.25 information
4) Type in a command followed by one question mark ? separated by a blank, if there is a parameter in this place, the
related descriptions of the relevant parameters will be listed:
router(config)#interface ?
group
fastethernet
loopback
Interface group
Fast Ethernet network interface
loopback interface
dialer
Dialer interface
tunnel
Tunnel interface
multilink
virtual-template
serial
Multilink interface
Virtual Template interface
serial network interface
5) Type in a character string closely followed by one question mark ? and all keywords which begin with the same
character string and their descriptions will be listed.
router#d?
display
Show something for debug purpose
disable
Turn off privileged commands
debug
Debugging functions,see also undebug
6) Type in a command followed by a character string closely with one question mark ? and all keywords which begin with
the character string and their descriptions will be listed.
router#show h?
Command
Hosts
Description
Print current host tables information
1.4.2 Error Message of Command Line

When users type in any and all commands, the syntax of the commands will be examined. If the syntax is correct, then the
commands will be executed correctly, otherwise error messages will be reported to users. Common error messages are shown
in table 1-3:
Table 1-3
Error prompt messages of Command Line
Error message
Reason for Error
% Invalid input detected at '^' marker.

Unknown
Cannot find the command.

Cannot find keywords.
Parameter type of is wrong.
The parameter value is beyond the range.
Type *** ? for a list of subcommands
The input command is not integrate.
Note: The string *** represents the uncompleted command-string the user has inputted.
1.4.3 History Command
The command line interface provides the function similar to DosKey, and the system will automatically save
commands inputted by the user into the history command buffer. Users can transfer history commands saved by the
command line interface at any time and can execute them repeatedly so as to reduce the users unnecessary repetition
of inputting commands. The command line interface can store up to 10 commands for each user connecting to a router,
the most recent commands take priority over the oldest command.
Accessing the history commands:
Table 1-4 Accessing the History Commands of the Command Line Interface
Operation
The key pressed
Function
Accessing the last history

command
Up-cursor key or Ctrl+p
If there are some earlier history

commands, then they are taken out; or
else the system alarms.
Accessing the next history

command
Down-cursor key or Ctrl+n
If there are some later history

commands, then they are taken out; or
else, the system clears the command
line and alarms.
Note:
When the cursor key is used to access the history commands and telnet runs in Windows98/NT system to log in the
router, the option terminal->premier option->simulation option should be configured as type VT-100/ANSI.
1.4.4 Editing Features
The command line interface provides basic command editing functions supporting multi-line editing; with a maximum of 256
characters for each command line. Table 1-5 lists the basic editing functions provided by the subsystem shell.
Table 1-5 a table of basic edit functions

Key Pressed
Common key
Function
If the edit buffer is not full, then the key is inserted at the
location of the cursor and the cursor shifts right;
Key Pressed
Function
otherwise the system alarms with a bell.
Deletes the character before the cursor location. If the
cursor has arrived at the beginning of the command, the
system alarms with a bell.
Backspace key
Deletes the character on the cursor location. If the cursor

has arrived at the end of the command, the system alarms
with a bell.
Delete key
Left cursor key
8 A%
Left shifts the cursor one character location. If the cursor

has arrived at the beginning of the command, the system
alarms with a bell.
Right cursor key
:A)
Right shifts the cursor one character location. If the

cursor has arrived at the end of the command, the system
alarms with a bell.
Up or down cursor key
9 ;
Displays the history commands.
Â
Shifts the cursor to the beginning of the command line
Ê
Shifts the cursor to the end of the command line
Û
Deletes all the characters on the left of the cursor until

the cursor arrives at the beginning of the command line.
^K
Deletes all the characters on the right of the cursor until

the cursor arrives at the end of the command line.
1.4.5 Display Features

The command line interface provides the following display features:
When the information needed can not be displayed on one screen, the system offers the pause function, and displays a prompt
(--MORE--) at the bottom left corner of the screen. Here are some available choices for users:
Type in the Space key or the key 9RU&WUO-F to continue displaying the next screen of messages.
Enter the ;NH\RU&WUO-B to display the previous screen of messages.
Type the ENTER or the key + or :WRVFUROOGRZQRQHOLQHRIWKHGisplayed message on the
screen.
Type in the key - or 8WRVFUROOXSRQHOLQHRIWKHGLVSOD\HGPHVVDJHRQWKHVFUHHQ
Typing in any other keystroke, the system displays the system prompt directly.
The features described above are shown in table 1-6:

Table 1-6
Display features
Key pressed
Function
Key;RU&WUO-B
Displays the information of the previous screen.
Space key (Space) or key 9 RU&WUO-F
Goes on displaying the information of the next screen.
Key -or
The information displayed on the screen rolls down one

row.
Carriage return key (Enter) or key

+or:
Goes on displaying the information of the next row.
Other keys
Chapter 2
Exits from the display.
System Configuration and Management
This chapter describes the basic configuration and management of Maipu routers, including system configuration commands,
user and password management, configuration of environment parameters, file management and examination of system
information etc.
The main contents of this chapter are:

-
System configuration
System management
System tools
2.1 System Configuration

In a Maipu router, the main tasks of system configuration are:
-
Configuring the system name
Configuring the system clock which includes:
Configuring the system users
Table 2-1 shows all commands by which the configuration tasks described above will be completed:
Table 2-1 List of System Configuration Commands
Configuration
task
Command
Command
function
Running mode
Typical example
Configuring a
name
hostname
Changing the
router name
Configuration
mode
router(config)#hostname router
Configuring a
calendar
clock
Configuring the
system calendar
Privileged user
mode
router#clock 2001 11 15 9 25 10
Configuring
system users
user
Adding system
users
Configuration
mode
router(config)#user Maipuxf
password 0 Maipu 1
2.1. 1 Configuring the System Name

When the router leaves the factory, its default system name is router. Users can change the system name at any time
according to their needs. This change takes effect immediately; the new system name will appear in the next system prompt.
The following example will change the system name from router to router_1:
The operating steps are as follows:
Command
Task
router#configure terminal
Executes the command #configure terminal in

the Privileged user mode to enter the global
configuration mode.
router(config)#hostname router_1
Executes the command hostname with the
parameter router_1 in the global configuration

mode to change the system name.
router_1(config)#
The new system command begins to come into

effect in the next display of the system prompt.
2.1.2 Configuring the System Calendar

There is an independent clock system is installed in each Maipu router to record the current system time which includes
information includes year, month, date, hour, minute, second and week. When the system starts, the system time rests at
00:00:00 January 1,1970. Through the execution of the command clock, the calendar system of the router can be set to the
current time as shown in the following example:
router#clock 2001 11 15 9 36 10
The function of the executed command in the privileged user mode is

to set the time of the system calendar as 09:36:10, November 15 , 2001.
router#show clock
Displays the current time of the

system.
UTC:THU NOV 15 09:36:15 2001
The current time is 09:36, November 15, 2001,default

timezone is UTC.
Note: The command show clock can be executed either in the common user mode
or in the privileged user mode, and the function is just the same in both the modes.
Note: Because there is no real time system (i.e.the system clock is still running after it is powered off), the system clock
will return to 00:00:00 January 1,1970 each time the router is turned on.
2.1.3 Configuring System Users
To enhance the system security, the router only permits the users that have been configured in the system to access it through
a terminal, TELNET and etc, and denies the other users access.
Adding a system users:

router#configure
terminal
Enter the global configuration mode

.
router(config)#user Maipu password 0 Maipu

corresponding password Maipu
Add a user Maipu to the system with its
router(config)#user Maipuxf password 0 Maipu

Maipu.
The user is Maipuxf and its corresponding password is
After the commands are executed, the users Maipu and Maipuxf will be permitted to access the router.
Configuring the superuser
router#configure
terminal
router(config)#user root password 0 root
Enter the global configuration mode

Add a user root to the system with its corresponding password
root
The system prescribes that the name of the super user is root
examining the information of system users
router#show user
After the above command is executed in the privileged user mode, you can examine the registered users
Deleting the system user:

router(config)#no user Maipu
Delete the system user
Maipu
After the command is executed, the router will deny the access of the user Maipu to the router.
Note: The passwords and the relevant cipher showed in the Maipu router can be configured in the global
configuration mode. The parameters no service password-encrypt and service password-encrypt decide whether the
encryption is needed. For example, if there is the configuration of service password-encrypt, then the user name and
the corresponding passwords are shown as follows:
user Maipuxf password 7 \XPXXXOYTYO
Any option related to the password should carefully considered during configuration.
use. Please do not use this option in your configuration!
Option 7 is defined for special
2.1.4 Enable Password and Timeout value

In the global configuration mode, these can be set through the command enable password and enable timeout.
Command
Description
router(config)#enable password password
Configure the password of the super user.
router(config)#enable timeout <0_0x7FFFFFFF>
Configure the time out value
Note:
The default value of time out is 300 seconds, or 5 minutes. If the value is set as 0, then there will never be a time out.
2.2
System Management
2.2.1 Storage Medium and File Types Supported by Maipu Routers

The Maipu router has three kinds of storage media, and its functions are as follows:
o
DRAM: used as operating space for router application programs;
FLASH: Stores router application programs, configuration files, BootROM programs etc.
EEPROM: Stores users information and variable system configuration files.
There are four types of the files managed by the Maipu router:
o Router application program files ----used for route forwarding, files management, system management, etc.
o Configuration files ----Store the system parameters configured by users
o BootROM files ---- Store system initialized data
o Other files ---- for example, the dial tone memory file of second dial-up
o
2.2. 2 Management of the Router File System
Each Maipu router constructs a file system based on DOS in the system flash to store the information that rarely needs to be
changed, such as a router application program (protocol software, device program, drivers, etc.) and BootROM program etc.
The file system is called TFFS (True Flash File System). In the file system configuration mode, the system provides a set of
commands to manage the file system, which are showed in the table 2-2:
Table 2-2 the command list of the file system management

Name of the
command
Function of the
command
Running mode of
the command
Example
Copy
Copies a file
File system
configuration mode
Router(config-fs)#copy flash:file1
flash:file2
Delete
Deleting a file
File system
configuration mode
Router(config-fs)#delete file1
Type
Displays a files
contents
File system
configuration mode
Router(config-fs)#type startup
Dir
Displays a
directory or a file
File system
configuration mode
Router(config-fs)#dir
cd
Changing the
current path
File system
configuration mode
Router(config-fs)#cd dir1
Pwd
Displays current
path
File system
configuration mode
Router(config-fs)#pwd
Mkdir
Creates a directory
File system
configuration mode
Router(config-fs)#mkdir dir1
Rmdir
Deletes an existing
directory
File system
configuration mode
Router(config-fs)#rmdir dir1
Volume
Displays file device

information
File system
configuration mode
Router(config-fs)#volume
Show
Displays file device

information
The privileged user

mode
Router#show filesytem
The file system management of the router is composed of two parts: they are file management and directory management.
Because TFFS is based on DOS file system, long file names are not supported. Each directory name can be a maximum of 8
characters in length. Each file name follows the 8.3-naming standard.
2.2.1 Displaying the file device information
The file system of a Maipu router is based on the physical device flash. Use the following commands to display TFFS
information:
Execute the command volume in the file system configuration mode.
router(config-fs)#volume
device name:
/flash
total number of sectors:

bytes per sector:
media byte:
# of sectors per cluster:
# of reserved sectors:
# of FAT tables:
# of sectors per FAT:
max # of root dir entries:
5687
512
0xf8
4
1
2
5
240
# of hidden sectors:
removable medium:
disk change w/out warning:
auto-sync mode:
1
not enabled
not enabled
The name of the device is /flash.

There are 5687 sectors all together in the file system.
Each sector has 512 bytes;
Type of medium: 0xf8;
Each cluster has 4 sectors;
One reserved sector;
Two FAT tables;
Each FAT table occupies 5 sectors.
The root directory can contain at most
240 files or directories;
One hidden sector;
false (This device cant be removable;
The file system doesnt warn about modification;
Auto synchronization of the auto file
system isnt supported;

long file names:
not enabled
Long file name isnt supported;
exportable file system:
not enabled
The file system cant be replaced;
lowercase-only filenames:
not enabled File name does not differentiate the uppercase or the lowercase.
volume mode:
O_RDWR (read/write) The file system is read and written;
available space:
2893824 bytes
The current useable space of the
system is 2893824 bytes;
max avail. config space: 2893824 bytes
The maximum useable space of the system is 2893824 bytes.
Or execute the command show file in the privileged user mode:
The meaning is the same as volume.
2.2.2 File Management

The file management commands in the file system configuration mode, allow users to operate all files in TFFS including:
o
List files (directories);
Copying a file;
Deleting a file;
Displaying a file.
The following are some examples of using file management commands:

(1) Listing files (directories)
router#filesystem
router(config-fs)#dir
size
-------4
1713
512
date
time
name
-----------------JAN-01-1980 00:00:00
RANDOM
JAN-01-1980 00:00:00
STARTUP
JAN-01-1980 00:00:00
MaipuXF
<DIR>
Aftering executing the command filesystem to enter the file system configuration mode, execute the command dir in
this mode and all files and subdirectories will be listed out in the current directory.
(2) Copying files

router(config-fs)#copy startup-config flash/Maipuxf/newstart
Copies the file startup, renames it as newstart and puts it into the directory Maipuxf.
size
-------4
1713
512
date
time
name
-----------------JAN-01-1980 00:00:00
RANDOM
JAN-01-1980 00:00:00
STARTUP
JAN-01-1980 00:00:00
MaipuXF
<DIR>
router(config-fs)#cd Maipuxf
size
-------512
512
1713
date
time
name
-----------------JAN-01-1980 00:00:00
.
JAN-01-1980 00:00:00
..
JAN-01-1980 00:00:00
NEWSTART
<DIR>
<DIR>
( 3 ) Deleting files
router(config-fs)#delete startup
Deletes the file startup.
The Data of this file will be lost! if OS is deleted, the system will hangup!
Please confirm to continue(Yes/No)y
After Y(Yes) is confirmed, the file will be deleted, otherwise

N(No) represents that the operation will be canceled.
size
-------4
512
date
-----JAN-01-1980
JAN-01-1980
time
00:00:00
00:00:00
name
-----RANDOM
MaipuXF
-------<DIR>
(4) Displaying the contents of files

router(confgi-fs)#type startup
The content of file startup
interface fastethernet0
exit
interface serial0
physical-layer sync
encapsulation PPP
exit
Displays the content of the file startup.
2.2.3 Directory management

Directory management of each file system includes the following:
o
Display the current path of the system;
Change the current path;
Create a directory;
The followings are some examples of using directory management commands:

(1) Displaying the current path of the system;
router#filesystem
router(config-fs)#pwd
/flash
router(config-fs)#
The above information indicates that the system is presently located in the directory /flash.
(2 ) Change the current path of the system:
router(config-fs)#cd Maipuxf
router(config-fs)#pwd
/flash/Maipuxf
router(config-fs)#
The above information indicates that the system is currently located in the directory /flash/Maipuxf.
(3) Creating a directory
router(config-fs)#mkdir MProuter1
size
date
time
------------------------512
JAN-01-1980
00:00:00
512
JAN-01-1980
00:00:00
512
JAN-01-1980
00:00:00
name
--------.
..
MPROUTER1
<DIR>
<DIR>
<DIR>
2.2.4 Deleting a directory

router(config-fs)#rmdir MProuter1
size
date
time
-----------------------512
JAN-01-1980
00:00:00
512
JAN-01-1980
00:00:00
name
---------.
..
<DIR>
<DIR>
2.2.5 Management of Router Configuration Files

1) Contents and Formats of the Configuration Files
The configuration file exists in the file system in the form of text. Its format is as follows:
Existing in the format of configuring commands;
In order to save the memory space of the device flash, only those commands in the configuration modes (including
the global configuration mode, the interface configuration mode, the access list configuration mode and the routing
protocol configuration mode etc.) are saved.
The organization of commands regards the command mode as standard, and all commands in the same mode are
organized together to form a paragraph.
Paragraphs are arranged in a certain order: the global configuration mode, the interface configuration mode and the
routing configuration mode etc..
Sort the commands according to the relation among them, all related commands are grouped together and a blank
line is used to separate groups.
The following is an example of the configuration file of Maipu router: (The details relating to the meaning of this information
will be introduced in following chapters)
router#sh run
Building Configuration...done
Current configuration:
version 4.2.7(YD)-2(integrity)
hostname router
enable password [WOWWWNXSX encrypt
enable timeout 0
no service password-encrypt
no service enhanced-secure
line 0 15 mode terminal
interface loopback0
exit
ip address 192.168.0.83 255.255.255.0
exit
interface ethernet0
exit
interface serial3
Physical-layer sync
encapsulation ppp
ip address 1.1.1.2 255.255.255.0
exit
line 0 15 flowctl soft
terminal 0 15 local 192.168.0.83
terminal 0 15 remote 0 zfy 192.168.0.80 fix-terminal
terminal 0 15 enable
2) Loading of the configuration file
The configuration file of Maipu routers can be edited in a text editor (for example, wordpad) according to the format
prescribed in the above section, and then it can be downloaded to router through FTP or TFTP. This operation can be used
by terminal users or through Telnet.
The following example is given to explain how to download the router configuration file through FTP:
Step 1: Edit the configuration file named config on a computer;
Step 2: Starting the FTP SERVER on the computer;
Step 3: Executing the command ftpcopy in the file configuration mode of the router to download from the computer.
It can be shown as follows:

router(config-fs)#ftpcopy A.B.C.D
router
router1
j:\
config startup
Computers IP address user name password directory file name local file name
The aim of the above command is to download the configuration file config from the root directory of disk J of the computer
whose address is A.B.C.D to a router, and write it into the current directory of the router TFFS with the name startup.
Executing the command dir, you can see that a new file startup has been added into the current directory.
size
date
time
name
------------------------------ --------512
JAN-01-1980
00:00:00
MPROUTER
580
JAN-01-1980
00:00:00
STARTUP
630
JAN-02-1980 00:00:00 CONFIG
<DIR>
Downloading configuration files via TFTP is very similar to downloading via FTP, the only difference between them is that
the computer needs to run TFTP SERVER.
Step 4: Restart the router and execute the configuration file ---- startup, and modify the
system configurations successfully.
3) Saving the Current System Configurations
After validating that the modified system configurations are error free, users can save the current configurations to be treated
as configuration parameters for the next startup.
The following command can be executed to save the current running configuration into the startup configuration file
(STARTUP):
router#copy running-config startup-config
Or use another command:
router#write startup-config
The following command can be executed to save the current running configuration into the remote host through TFTP:
r o u t e r # c o p y r u n n i n g - c o n f i g t f t p A . B . C . D WORD
The address of the remote host
The following command can be executed to save the startup configuration file into the remote host through TFTP:
r o u t e r # c o p y s t a r t u p - c o n f i g t f t p A . B . C . D WORD
The following command can be executed to save the configuration files of the remote host into the startup configuration file
(STARTUP) of the router through TFTP:
router#copy tftp A.B.C.D WORD startup-config
4) Displaying the Current Configuration of the Running Routers
router#show running-config
2.3 Management of system authentication and command hierarchical-authorization command
In order to enhancing capability of MP routers security, they provide lots of authentication management systems
(including AAA, detailed in the part of AAA configuration) when users log on or enter privilege mode by operating enble
command and only those who have right authority can log on or operate successfully.
Different level of users have different level of authorized executable command set. Command authority therefore is
ranged from level 0 to level 15, in which level 0 represents the lowest authority while level 15 represents the highest.
2.3.1 enable command
Task: All user authority levels (from 0 to 15) can be accessible by operating enble command. For example, if you have
some level of authority (that means you have right user name and password), you will successfully pass the enable
authentication and get right user authority level.
Router>
or
router#
Command
Task
enable 0~15 | CR
0~15 means user authority level. If nothing is given behind enable,
default is level 15.
If present user authority level is higher, it is without any authentication when
entering lower level. Otherwise, possible authentication decided by present
configuration is needed when entering higher one.
Note:
1 Given password is set by enable password level command, authentication without AAA or with AAA by means of
enable authentication in the enable method list will be realized by this password.
2 If no enable password level command is operated, however authentication will be realized by means of enable
authentication in the enable method list, there are two possible situations as follows:
a If users log on by TELNET, authentication will fail to pass with % No password set prompt without AAA
configuration or with % Error in authentication prompt with AAA.
bIf users log on by CONSOLE, authentication with AAA configuration will first try the password set in enable
password level command and then pass with default by means of none if finding no enable password level command is
operated. While authentication without AAA configuration will fail to pass with % No password set prompt.
3) Passing enable authentication successful, present user will get right user authentication level which can be showed by
show privilege command.
4) If it is configured by aaa authentication enable default method command, the following authentication methods can be
used to meet users needs.
a) If it is configured by aaa authentication enable default none commandauthentication will be realized without any
password.
b) If it is configured by aaa authentication enable default line command authentication will be realized with
password set in line command, or it will fail to pass with % Error in authentication prompt.
c) If it is configured by aaa authentication enable default radius commandplease note authentication user name (that
is $enab+level$, in which level is represented authentication level by the number from 1 to 15 meaning ) needed by the
command is invariable. Given user name denoted in fixed rules by means of radius, only password (no user name anymore) is
necessary in the process of authentication. If a user is already set its password in radius server, authentication will be realized
successfully by the password otherwise unsuccessfully. For example, given enable 10 command has been done, the fixed
user name is $enab10$ which has already existed in radius server, and authentication will be passed successfully only by
its password.
d) If it is configured by aaa authentication enable default tacacs commanduser name and password is necessary. If
user name and password are already in tacacs server and enable authentication of tacacs has been set beforehand
(note: tacacs server has to set right password of enable authentication to users )authentication will be realized
successfully otherwise unsuccessfully.
5) The above methods can be in combinative use detailed in charter 15 (AAA Configuration).
2.3.2 privilege command
Task: Every command has its default level. privilege command can modify its default level.
Present user can only modify commands with equal or lower level than itself. For example, user with level 12 can only
modify commands with level from 0 to 12.
Router(config)#
Command
Task
privilege MODE level 0*15 all | command LINE
Note:
1) In which MODE represents working mode of commands to be set and can be all systems modes.
2) In which parameter 0*15 represents a level set to commands.
3) If key word all is used in the command, all commands in present mode will be set to a given level.
4) If key word command is used in the command, command can be input by the first several key parts so that all subcommands with the same key parts will be set to the same level. For example: If running privilege CONF level 2 command
interface commandall sub-commands starting with interface will be set to level 2 ,in present IOS version including subcommands group and interface. If running privilege CONF level 2 command interface group commandonly subcommands starting with interface group will be set to level 2 while sub-command interface interface wont be set
5) If there is no command in the given MODE matching input character string, configuration is not set successfully with
%Invalid command string "xxx" prompts.
6) Input command character string follows the rule of match most, which means string that you input can be only found
among all commands. While in the footprint, the string will be completed to match the whole command.
7) no command will set authority levels of right command set back to their default levels, in which
a) no privilege MODE CR command will set all commands in MODE back to their default levels.
b) no privilege MODE level level CR command will set the command configured to level in MODE back to its default
level.
a) rules
After configuring the command, command level will take effect at once, which can be testified in the following 2
aspects.
i.
Whether present user has the given authority level or not is decided by this configuration when user runs
commands.
ii.
Whether present user has authority level of a footprint configuration command or not is decided by this
configuration when running show run or show startup command.
2.3.3 Enable Password Command

Task: Set local enabled passward for entering router with any user level
router(config)#
Command
enable password level 1*15
enable password
0|7
string
[0 | 7 ] string
Task
default level is 15 if it doesnt be designated
0 means password is decryption; 7 means password is
encryption. Default is 0
Note:
1) The keyword 7 normally wont be used for password. If its needed, the encryption is created by certain maipu router.
2) Use the corresponding NO command to cancel enabled password of some level.
3) When show run, the displayed password is cryptograph, i.e. the keyword is 7.
4) Now therere two kinds of encryption methods,theyre new/old encrypted methods, using service new-encrypt and the
corresponding NO command to shift new and old methods.
2.3.4 User Command
Task: Set the local user database for local authentication.
router(config)#
Command
Task
user string password 0 LINE
Set user password
user string privilege 0-15
Set privilege level of user
user string autocommand <LINE>
Set authorized auto-executed command of user
user string autocommand-option

nohangup|delay <0_120>
Set options of auto-executed command. The command

nohangup indicates that the connection wont be
disconnected after auto-executed command finished. The
command delay indicates the time that is used to execute
the
auto-executed command.
Set the callback number of user
user string callback-dialstring string
Note:
1) Use the corresponding NO commands of above to cancel configuration.
2) If authentication and authorization locally, please use the local user databases which is configured with above commands.
2.3.5 Line Command
Task: Set attributes of line user, includes password, user level, idle timeout, authentication mode, and so on.
Command
Task&Description
Enter line config mode
router(config)# line con 0
router(config)#line vty 0~15 0~15
router(config-line)#absolute-timeout
<0_10000>
router(config-line)#privilege level
<0_15>
router(config-line)#access-list
<1_1000>
access list
router(config-line)#autocommand
<LINE>
router(config-line)#autocommand-option
nohangup | delay <0_120>
router(config-line)#exec-timeout
<0_35791> <0_2147483>
Set the total time that permit user to telnet and operate. Note:
the default 0 means no limited time. Before the expired
time 5 seconds , router will give a prompt about the
timeout. * Line timeout expired
Set privilege level for telnet user, default level is 1
Access-list name(only support standard access-list)
Set auto-command after user succeeds to telnet under

privilege mode; default is no auto-executed command.
Set options of auto-command. Nohangup indicates that the
connection wont be disconnected after auto-command
finished(default: connection will disconnect after finished).
Delay indicates the time that is used to execute the autocommand(default is 0, i.e. no delay).
After deploying autocommand, delay can be in effect.
Set idle timeout. if the time is 0, the user wont exit for ever
when its idle. Default idle timeoutis 5 minutes.
router(config-line)#password 0|7 LINE

router(config-line)#login
authentication
CR | local |
Configure line password

Configure the authentication method for telnet.
CR means using line password to authenticate;
local indicates using local user database to authenticate;
authentication indicates using AAA method to
authenticate.
Default is no login, i.e. user can telnet without
authentication, only when theres no any AAA configuration.
Set the timeout of waiting user to enter username and
password. Default is 30seconds
router(config-line)#timeout login
respond <0_300>
Note:
1) Use the corresponding NO commands of above to resume the default configuration.
2) User use line authorized attribute to telnet in default. But if the authorized method is set as local, then local authorized
attribute has precedence over line one. Only when user has no other attribute, line attribute can be in effect. Also, other
attributes is the same, such as tacacs, radius.
Relevant example:
Configuration:
aaa new-model
aaa authentication login default line
aaa authorization exec default if-authenticated
line vty 0 2
exec-timeout 5 0
absolute-timeout 2
timeout login respond 60
privilege level 14
autocommand show mem
autocommand-option delay 5 nohangup
password 0 vty
after telnet, user should be authorized these line attributes:
debug information as followed (open debug author exec command to see
AUTHOR/EXEC/LINE (6): processing AV priv-lvl=14
AUTHOR/EXEC/LINE (6): processing AV autocmd=show mem
AUTHOR/EXEC/LINE (6): processing AV nohangup=TRUE
AUTHOR/EXEC/LINE (6): processing AV timeout=120
2.3.6 show privilege command
Task: Display the level of current user.
router>
or
router#
Command
show privilege
user string privilege 0-15
Task
Default level is 1. So in default, user with 0 level can not
execute this command
Set privilege level of user
user string autocommand <LINE>
Set authorized auto-executed command of user
user string autocommand-option

nohangup|delay <0_120>
Set options of auto-executed command. The command

nohangup indicates that the connection wont be
disconnected after auto-executed command finished. The
command delay indicates the time that is used to execute
the auto-executed command.
Set the callback number of user
user string callback-dialstring string

Relevant example:
router#show privilege
current privilege level is 15
2. 4 System tools
2.4.1 The command show
The information displayed by the system command show can be categorized in the following ways:
Table 2-4
System software and hardware resources information
System statistic information
System configuration information
Basic system information
Keywords of the System Command show
Command
Stack
Description
Displays the usage information of each task stack of
the system.
Memory
Displays the system memory information.
Mbuf
Displays the system buffer information.
Process
Displays the system task/process information.
Device
Displays the system physical and logical device

information.
Interface
Displays the system network interface information
Host
Displays the system interior host table information.
Arp
Displays the system ARP table information.
Ip
Displays the statistic information of IP layer

(including TCP and UDP).
Bootparams
Displays the system startup parameters.
Startup-config
Displays the contents of the system startup

configuration file.
About
Displays the system copyright information.
Version
Displays the system hardware/software version

information.
(1) Displaying the system stack

router#show stack
NAME
ENTRY
TID
SIZE
CUR HIGH
MARGIN
--------------------------------------------------tExcTask
0x000004b4fc
fe1488
7984
224
464
7520
tLogTask
0x0000051850 fdeb00
4984
216 1072
3912
tMPLog
0x00000f7f34
8a90e8
5112
208 1024
4088
tSccTx0
0x0000240358
8de848
3992
160
224
3768
tSccTx1
0x0000240358
8d3848
3992
160
420
3572
tSccTx2
0x0000240358
8ca848
3992
160
420
3572
tSccTx3
0x0000240358
8c1848
3992
160
420
3572
tEsccRx0
0x000013c0d8
d2ec30
3984
168
1124
2860
tPPP
0x00001d1ae8
d25d28
9320
184
1056
8264
tNetTask
0x00000d0ca0 a1c0a8
9984
192
1120
8864
tFecRxTx
0x000013c710
a0dd88
10224 152
644
9580
tEthTx
tEthRx
tSccRx0
tSccRx1
tSccRx2
tSccRx3
tRtMsg
tModDet0
tModDet1
tModDet2
tModDet3
tSdlcTask
tLapbTimer
tShell1
tActive
tRadius
tTacacs+
tPkTimer
tBridge
tLLC2
tDLSwPeer
tDLSwCore
tEsccDet0
tInfoGuide
tFecDetect
tEnetDet
tTffsPTask
tQLLC
tTelnetd
tExcTrace
INTERRUPT
0x0000129754
0x000012997c
8e8f40
0x00002402dc
8dfde8
0x00002402dc
8d4de8
0x00002402dc
8cbde8
0x00002402dc
8c2de8
0x00001e7714
a19780
0x0000237c10
8dd690
0x0000237c10
8d2690
0x0000237c10
8c9690
0x0000237c10
8c0690
0x00002057a4
84d328
0x00002fc640
864de8
0x0000025810
82cae8
0x00001e99d0
89fe40
0x000010e33c
8a64b0
0x0000116dd4
8a51e0
0x000022a4dc
85fde8
0x000011c1c0
894858
0x000017f550
88f640
0x0000200918
89d108
0x0000200bd8
898ef0
0x000013c1e4
d2fde8
0x00003a4bd8
83bde8
0x000013c4fc9
370e8
0x000012a93c
8e5d28
0x0000259b3c
fdaeb8
0x00002076d4 85ec30
0x0000101134
8a1058
0x0000011258
89ec88
8ec158
12280 168
12280 160
308
4992
152
4992
152
748
4992
152
524
4992
152
748
5368 1368
2216
3984
176
304
3984
176
304
3984
176
308
3984
176
436
9456
168
1244
3984
128
384
19800 10040
13128
3992
256
512
4088
168
232
2032
160
224
3984
120
408
20472 144
404
20472 192
428
16368 144 1044
16368 464 1720
3984
256
880
40272 568 2056
4984
152
944
7152
136
264
2032
136
396
8184
136
1212
4080
392
616
3056
296
528
5000
0
1052
3
(2) Displaying information about system memory

router#show memory
SUMMARY:
status
------
bytes
---------
blocks
avg block
-------- ----------
max block
----------
current
free
35241056
16
2202566
26850984
alloc
21077416
20082
1049
21571048
25563
842
cumulative
alloc
code
232 12048
11972
216
4244
4468
4244
3152
3680
3680
3676
3548
8212
3600
6672
3480
3856
1808
3576
20068
20044
15324
14648
3104
38216
4040
6888
1636
6972
3464
2528
948
4776
code
10785360
STATISTICS:
Available bytes
35241056
Used bytes
21077416
Total
56318472
bytes
Used bytes percent
37%
(3) Displaying the usage information of the system buffer

router#show mbuf
Statistics for the network stack mbuf
type
number
---------
--------
FREE
7998
DATA
HEADER
SOCKET
PCB
RTABLE
HTABLE
ATABLE
SONAME
ZOMBIE
SOOPTS
FTABLE
RIGHTS
IFADDR :
CONTROL :
OOBDATA :
IPMOPTS :
IPMADDR :
IFMADDR :
MRTABLE :
TOTAL
8000
number of mbufs: 8000

number of times failed to find space: 0
number of times waited for space: 0
number of times drained protocols for space: 0
CLUSTER POOL TABLE

size
clusters
free
usage
---------------------------------------------------64
800
798
10114
128
200
200
1060
256
200
200
46
512
100
100
1024
80
80
2048
50
50
----------------------------------------------------
(4) Displaying system devices information

router#show device
drv name
0 /null
1 /tyCo/0
1 /tyCo/1
4 serial3
2 /pipe/temp
3 /logging
3 /more
3 /config
5 WEBDEV
3 /flash
7 /pty/00.S
8 /pty/00.M
7 /pty/01.S
8 /pty/01.M
(5) Displaying the status information of about all of the system interfaces
router#show interface
loopback (unit number 0):
Flags: (0x8069) UP LOOPBACK MULTICAST ARP RUNNING
Type: SOFTWARE_LOOPBACK
Internet address: 127.0.0.1
Netmask 0xff000000 Subnetmask 0xff000000
Metric: 0, MTU: 32768, BW: 8000000Kbps
0 packets received; 0 packets sent
0 multicast packets received
0 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
fastethernet (unit number 0):
Flags: (0x8063) UP BROADCAST MULTICAST ARP RUNNING
Type: ETHERNET_CSMACD
Subnetmask 0xffffff00
Broadcast address: 192.168.0.255
Ethernet address is 00:01:7a:00:39:be
Rate:
100Mbit/s
Duplex: full duplex
Babbling recvive 0, babbling transmit 0, heartbeat fail 0

Tx late collision 0, Tx retransmit limit 0, Tx underrun 0
Tx carrier sense 0, Rx length violation 0
Rx not aligned 0, Rx CRC error 0, Rx overrun 894
Rx trunc frame 0, Rx too small 0, Rx alloc mbuf fail 212682
ethernet (unit number 0):
Flags: (0x8062) DOWN BROADCAST MULTICAST ARP RUNNING
Ethernet address is 00:01:7a:08:39:be
serial (unit number 3):
Flags: (0x8070) DOWN POINT-TO-POINT MULTICAST ARP RUNNING
Type: PPP
Subnetmask 0xffffff00
Destination Internet address: 0.0.0.0

(6) Displaying the system version information
router#show version
MP3600 Router Version Information
System ID
: 3601000000f3
Monitor Version : 2.40/1
Software Version : 4.2.7(YD)-2(integrity)
System image file: rpm-g-4.2.7(YD)-2.bin
Compiled
: May 29 2004, 17:27:05 by CVS
Board Name
: MP3600 (MPC8240 with 64 MBytes sdram, 8 MBytes flash)
Board Version
: 04 (0x4)
MP3600 system uptime is 1 hour 23 minute 12 second
(7) Displaying the system copyright information
router#show about
The MP2600 series modular architecture offers users a branch office and center office
that provides the versatility needed to adapt to changes in network technology, as new
services and applications become available. With full support of the InfoExpressIOS
software, MP2600 modular architecture will provides the power to support the following
applications:
General Internet/intranet access
LAN-to-LAN Internetwork
Secure Internet/intranet access
Multiservice voice/data integration
Analog and digital dial access services
Virtual Private Network (VPN) access
LAN Internetwork
Interconnecting with IBM SNA Network
MP2600 modular architecture includes the following optional modules:
1 Port V.24 Serial Sync/Async Module
1 Port V.35 Serial Sync/Async Module
33.6K/56K Async/Sync Analog MODEM Module
128K CSU/DSU S/T Module
128K CSU/DSU U Module
16 Async Port & 2 Sync Port Serial Module
IP Telephone POTS Module
IP Telephone PBX Module
ISDN BRI Module
ISDN PRI Module
Copyright 1998-2000 by Maipu Networks
2.4.2 Protocol Debugging

Presently, the system provides debugging switches of many protocols including IP, PPP, HDLC, OSPF, FR, and X25 etc.
The following example provides a simple introduction as to how to turn on/off a debugging switch:
Turning on a protocol-debugging switch
Turning on the debugging switch of IP protocol access-list datagram
router#debug ip packet access-list
Turning on the debugging switch of RIP protocol

router#debug ip rip events
Turning on the PPP protocol debugging switch (on the interface s0)
router#debug ppp negotiation s0
Turning on the HDLC protocol debugging switch

router#debug hdlc s0
FR has many protocol debugging switches, including

Debug frame-relay lmi [interface/cr]
Debug frame-relay log [interface/cr]
Debug frame-relay packet [interface/cr] etc.
The protocol-debugging switches will be explained in detail in the relevant chapters.
Turning off a protocol-debugging switch
In order to turn off a protocol-debugging switch, users need only to add a command word no before the
corresponding command that turns on the switch.
2.4.3 Network Troubleshooting tools
This will be explained in detail in chapter 17 Network Debugging and Fault Diagnosis.
2.4.4 SysLog (system logging) function
1)SysLog can record every level system information and save those in flash file. In general, sysLog only record information
which level is emergencies(level 0), alerts( level 1), critical(level 2), errors(level 3) or warnings(level 4), of course, you can
change this by sysLog configuration command.
The corresponding command is:
router(config)#logging trap level <CR>
<0_7>
Logging severity level
alerts
Immediate action needed
(severity=1)
critical
Critical conditions
(severity=2)
debugging
Debugging messages
(severity=7)
emergencies
System is unusable
(severity=0)
errors
Error conditions
(severity=3)
informational
Informational messages
(severity=6)
notifications
Normal but significant conditions
(severity=5)
warnings
Warning conditions[default]
(severity=4)
Table 2-5 sysLog severity level
severity level
key-word
description
emergencies
System is unusable
alerts
critical
Critical conditions
errors
Error conditions
warnings
Warning conditions
notifications
informational
debugging
Debugging messages
After configure some severity level for sysLog, all levels more severer than this level will be recorded in flash logging file.
For example, if you configure logging trap notifications, then those logging information from level 0 to level 5 could be
record.
2) show the logging
In the privileged user mode, executing command show logging can show all recorded logging information. For example:
router#show logging
The Context of syslog file:
%SYS-5-CONFIG-I:Configured from console by console
3) clear the logging
In the privileged user mode, command clear logging can clear the contents of logging file.
4) configure sysLog informaiton option
You can add timestamps and task name for sysLog informaiton. In global configuration mode, its command are:
router(config)#service taskname log
router(config)#service timestamps log datetime
&
Note:
The timestamps get from the time system of current router.
3.4 System Logging

1) The system logging can record each level of prompts information. By default, the logging records nothing but the
information about the system unusable. To make the logging record other information, the following operations are necessary.
Enable the logging in the global configuration:
router(config)#logging trap level <CR>
<0_7>
Logging severity level
alerts
(severity=1)
critical
Critical conditions
(severity=2)
debugging
Debugging messages
(severity=7)
emergencies
System is unusable
(severity=0)
errors
Error conditions
(severity=3)
informational
(severity=6)
notifications
(severity=5)
warnings
Warning conditions
(severity=4
The information levels are defined as follows:

Level
Keyword
Description
emergencies
The system is unusable.
alerts
Some actions must be taken at

once.
critical
The critical status.
errors
The error status.
warnings
The warning status
notifications
The normal
status.
informational
The informational message.
debugging
The debugging information
but
noticeable
After a level is defined, the level or lower level of information will be recorded into the logging file. For example, if level 5 is
defined, then level 0~5 of information will be recorded.
2) Examine the logging:
router#show logging
3) clear the logging
router#clear logging
router(config)#service
4)OptionalEnable the message timestamp in the global configuration mode.
timestamps log datetime
&
Notice:
The command above is used to add the timestamp to any logging information according to the date and time set by the
router.
2.4.5 Spy cpu to check cpu utilization rate

(1)Maipu routers provide tools to check cpu utilization rate, when trun on the switch of spying cpu, every running taskss cpu
utilization can be checked.
(2)There are two set of commands which are provided to trun on/off the switch of spying cpu. One is spy cpu/no spy cpu in
the privileged user mode; the other is check cpu enable/check cpu disable in the global configuration mode which can be
saved in configuration file.
The following table is the comment of check cpu command in the global configuration mode:
Table 2-6 a table of check cpu command
Description
Command
router(config)#check cpu enable
turn on the switch of spying cpu , system begins to collect

the data of cpu utilization for every running task
router(config)#check cpu disable
turn off the switch of spying cpu, system stop collecting

the data
of cpu utilization for every running task
router(config)#check cpu timeinterval <1_3600>

router(config)#check
[simple|_CR_]
parameter
cpu
set time-interval value of updating cpu current

utilization, default is 2 seconds
view
set stype of showing cpu, parameter simple indicates that

only display running tasks cpu utilization.
cpu
check some parameters and status, such as switch status

of spying cpu.
(3)In the privileged user mode, command show cpu display current cpu utilization rate for every task, the following is a
example of show cpu:
router#show cpu
NAME
-------tCheckCpu
tShell1
tFwdTask
tNetTask
KERNEL
INTERRUPT
IDLE
TID PRI
total% (
----- ----------------37640824
30
0%(
37840344 20
35%(
41410224 45
15%(
41420760 50
5%(
0
0
4%(
0
0
0%(
0
0
38%(
ticks)
delta% (
ticks)
current%
-------------------80)
0%(
2)
0%
5868)
0%(
0)
0%
2478)
0%(
0)
0%
918)
0%(
0)
0%
780)
0%(
0)
0%
12)
0%(
0)
0%
6260)
99%(
398)
99%
Average cpu utilization rate is 59% in timeslice 00:01:22 (16396 ticks)

Current cpu utilization rate is 0% in timeslice 00:00:02 (400 ticks)
&
note
Because task tCheckCpu will go on to collect cpu utilization data at interval of some time(default is 2 seconds),
some cpu resource will be used. Suggest not trun on the switch of spying cpu if checking cpu utilization is not needed.
2.4.6 Examining the Utilization of CPU

1) Provide the tools to examine the utilization of CPU. After enabling the switch monitoring CPU, the CPU utilization of
each task in a period can be examined.
2) Provide 2 groups of commands to enable/disable the switch monitoring the CPU utilization: spy cpu/no spy cpu in the
privileged user mode and check cpu enable/chech cpu disable in the global configuration mode. The command check cpu
enable can be saved in the configuration file.
The related commands in the global configuration mode are described as follows:
Command
Description
router(config)#check cpu enable
Enable the switch monitoring the CPU and start to collect the
data of the CPU utilization.
router(config)#check cpu disable
Disable the switch monitoring the CPU and stop collecting the
data of the CPU utilization. The default status is disable.
interval <1_3600>
cpu
time-
Set the interval of refreshing the CPU utilization. The defaut

interval is 2 seconds.
[simple|_CR_]
cpu
view
Whether to display in the simple mode. Namely that only the

CPU task is disaplayed. The simple mode is disabled by default.
router(config)#check cpu parameter
Examine some current parameters and status of check cpu, for

example, whether to enable the monitoring switch.
In the privileged user mode, use the command show cpu to display the CPU utilization.
For example:
router#show cpu
NAME
TID
--------
-----
tCheckCpu
37640824
tShell1
---
37840344
tFwdTask
30
ticks)
35%(
45
delta% (
---------------
0%(
20
80)
5868)
15%(
2478)
ticks)
current%
-----0%(
0%(
0%(
2)
0)
0)
0%
0%
0%
41420760
50
5%(
918)
0%(
0)
0%
KERNEL
4%(
780)
0%(
0)
0%
INTERRUPT
0%(
12)
0%(
0)
0%
IDLE
38%(
6260)
99%(
398)
99%
Average cpu utilization rate is 59%

Current cpu utilization rate is 0%
&
total% (
---------------
41410224
tNetTask
PRI
in timeslice 00:01:22 (16396 ticks)

in timeslice 00:00:02 (400 ticks)
Note:
When the switch monitoring the CPU is enabled, the task tCheckCpu can not stop collecting the CPU data, which will
occupy some CPU source. So, if it is unnecessary to diagnose the CUP utilization of each task, you had better not enable the
switch.
2.5 System software update
This will be explained in detail in chapter 18 Software Update.
Chapter 3
Network Protocol
Maipu's MP Series routers supports Internet network protocols. The Internet Protocol is the protocol based on packets and is
used to exchange data through a computer network. IP is the foundation of all other protocols in the Internet protocol stack.
IP deals with addressing, fragmenting, reassembling and disassembling of the protocol information; datagrams. As the
network layer protocol, IP processes address routing and controls the transmission of data packets. As network layer
protocols, Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are established on the IP layer. TCP is a
connection-based protocol, which provides the reliable data transmission service while UDP is connectionless protocol,
which provides unreliable data transmission service. MP series routers support all the demands prescribed in the RFC of
Internet Protocol (IP), which includes the services such as IP, ICMP, IGMP, TCP, and UDP etc.
The chapter includes the following contents:
IP address configuration
IP protocol configuration
ICMP protocol configuration
IGMP protocol configuration
TCP protocol configuration
UDP protocol configuration
3.1 IP Address Configuration

3.1.1 Introduction to IP Addressing
An IP address is a 32-bit number assigned to every device which runs the IP protocol and connects to the Internet. IP
addresses are used to designate a network connection IP addresses are divided into five classes for convenience, and each
IP addresses is divided into two parts:
Network number: Designates the network to which each device belongs.

Host number:
Designates the host number of each device on its network
Table 3-1 lists the classes and ranges of IP Addresses

Table 3-1 Classes and Ranges of IP Addresses
Address type
Valid Ranges of
IP address
0.0.0.0-127.255.255.255
Explanation
The network number 127 is used for
loopback interface.
128.0.0.0-191,255,255,255
A host number, whose bits are all 1,

is used for a broadcast over its
network.
192.0.0.0-223.255.255.255
A host number, whose bits are all 1,

is used for a broadcast over its
network.
224.0.0.0-239.255.255.255
Class D addresses are used for

Multicast
240.0.0.0-247.255.355.255
Class E addresses are reserved for

later use.
Usually, IP addresses of different classes are intended for use in different network systems. For large-scale network systems,
Class A addresses are used, while Class B and Class C IP addresses would most likely be used for medium and small scale
network systems. Class D and E addresses are reserved for special use.
With the development of the Internet, the IP addresses become limited and class address distribution can lead to the wasting
of IP addresses. To solve this problem the concept of "subnet" has emerged. A "subnet" uses several bits of a host bits of a
net address as the subnet, so the same network address can span mutliple physical networks.
Maipus MP Series routers support the following IP address features:
Supports the feature of network address with classes

Supports subnetting properties of network addresses
Supports CIDR properties of classless routing
Allocates several IP addresses to a network interface in a broadcast network (for example, Ethernet)
Permits the use of unnumbered IP addresses on a serial-port interface to save addresses.
Supports EASY IP and NAT
3.1.2 Allocating an IP address to an Interface

An interface often has a primary IP address. The following tasks should be done in the interface configuration mode to
allocate a primary IP address and network mask to a network interface.
Command
Ip adderss <ip-address> <mask>
Task
Set master IP address for the interface
A subnet mask is used to identify the network number of an IP address. When a mask is used to determine a subnet in a
network, the mask is regarded as a subnet mask.
Note: Maipu MP series routers only support network masks which are composed of several continuous 1 bits with left
alignment.
In addition, Maipu MP series routers supports the assigning of many IP addresses to a broadcasting/multicasting network
interface.
So you can assign some unlimited secondary addresses, which can be used in various occasions. The most
popular applications are shown in the following descriptions:
There may not be enough host addresses for a given network section. For instance, your subnet allows up to 254
host addresses for a logical subnet, however, your physical subnet has 300 actual host addresses. Two logical
subnets on the physical subnet can exist after introducing secondary IP addresses to a router or an access server.
In the past, many networks used Layer-2 bridges, instead of subnets. The use of the secondary addresses can help
covert the network into a subnet, which is a network based on routers. A bridge router in an old network can easily
establish several subnets in this network segment.
Two subnets in a single network can be separated by another network under other conditions. You can establish a
network from subnets, so that these subnets can be separated physically by another network by use of secondary
addresses. Note that a subnet can not appear at several active interfaces at the same time.
Note: If any router in the network segment uses a secondary address, all the other routers in the same segment must use the
secondary addresses in the same network or subnet.
Table 3-2 Management of Interface IP addresses
Command
Description
ip address 128.255.255.1 255.255.0.0 [secondary]
no ip address 128.255.255.1 255.255.0.0 [secondary]
Allocate a primary (secondary) IP address to an interface.
Disable an existing primary (secondary) IP address.
The following example shows how to assign a primary IP address and two secondary IP addresses to the interface
Fastethernet0:
router#configure
terminal
router(config)#interface Fastethernet0
router(config-if-fastethernet0)#ip address 128.255.255.1 255.255.0.0
router(config-if-fastethernet0)#ip address 128.254.255.1 255.255.0.0 secondary
router(config-if-fastethernet0)#ip address 128.253.255.1 255.255.0.0 secondary
router(config-if)#exit
router(config)#
& Note:
Those secondary IP addresses configured for the same interface have priority according to their configuration time. At
the same time, these IP addresses are not required in the same net section thereby allowing routers to forward datagrams
quickly.
3.1.3 Enabling IP Unnumbered on a Serial Port
The IP unnumbered process is a method to saving IP addresses on the Internet network. You can enable IP unnumbered on a
serial-interface, instead of assigning a visible IP address to the interface. Whenever an unnumbered interface produces a
packet (for example, when updating a routing list), it will use the interface address designated by you as the source address of
IP packet. It will also that designated interface address to determine which route process is sending the updated content to
this unnumbered interface. There are some limitations. They are:
A serial-port presently only supports Point-to-Point Protocol (PPP). The High-Level Data Link Control (HDLC),
Link Access Process Balance (LAPB), Serial Line Internet Protocol (SLIP) and Channel interface will be supported
in the future.
The command ping EXEC cannot be used to test and connect the interface since it has no IP address. But the Simple
Network Management Protocol (SNMP) can be used to remotely monitor the status of the interface.
Do not boot network image through unnumbered serial ports.
Do not support IP security options on a unnumbered interface.
For details, please refer to RFC 1195; It is not necessary to assign an IP address to
each port.
& Note:
Be sure to use an unnumbered serial line among different main networks. At each end, if there are different main
networks are assigned to your unnumbered any routing protocol running through serial lines will be configured not to
announce subnet information.
To enable an IP process on an unnumbered serial port, the following task should be finished in the interface configuration
mode:
Table 3-3
Command
Description
Ip unnumbered <reference interface>
Enable IP unnumbered on a serial interface, and don't

distribute an obvious IP address to the interface.
The specified interface, not another unnumbered one, must be another interface in the router with at least one IP address. The
designated interface must also be valid.
3.1.4 Setting the IP Address Negotiation property on an Interface
With regard to the point-to-point protocols on the data link layer supporting IP address negotiation, you can enable IP address
negotiation on an interface with no IP address. Typically, PPP running over serial lines is used to access Internet via an ISP.
IP address negotiation of the serial port is enabled by the commands (listed in the table 3-4), which allows the local interfaces
to receive the IP address assigned by the interface of the opposite terminals.
Table 3-4
Command
Description
Ip address negotiated
Enable IP address negotiation of an interface.
No ip address negotiated
Disable IP address negotiation of an interface
3.1.5 Displaying IP Address Configurations

Use the command show interface to display IP address configurations after you have completed the interface IP address
configurations.
3. 2 Address Resolution
Maipu MP series routers permit you to designate IP addresses through address resolution and naming service.
3.2.1 Establishing an Address Resolution Protocol (ARP)
A device may have a data link (MAC) address (which uniquely identifies an interface on a LAN), and it can also has a
network address (which identifies the network and the host number in which the device is located). In order to communicate
with a device on an Ethernet network, for example, a Maipu MP series router must first decide the 48 bits MAC address of
that device. The process used to determine the MAC address from an IP address is called address resolution. The process
used to determine an IP address from a MAC address is called reverse address resolution (RAR).
Maipu routers support the Address Resolution Protocol (ARP). ARP is used to associate an IP address with a MAC address.
Taking an IP address as input, ARP can determine its MAC address. Once a MAC address is determined, the IP
address/MAC address association is kept in the ARP cache for high-speed searches. Then IP datagrams are encapsulated into
frames to be sent out onto the network.
3.2.2 Defining a Static ARP Cache

ARP provides a dynamic mapping from an IP address to a MAC address. Because most hosts support dynamic address
resolution, it is not usually necessary to add a static entry into the Address Resolution Protocol (ARP) cache. You can
define one globally ---- write a permanent entry into the ARP cache, if the entry is defined for necessity.
MP router
software will translate the 32-bit IP address into a 48-bit MAC address by that entry.
Execute the following commands in the Global configuration mode:
arp <ip-address> <ethernet-address>
Used to define a static ARP cache
no arp <ip-address> <ethernet-address>
Used to delete a static ARP cache
3..3 Displaying the ARP cache

In order to display the cache being used by the system, users can examine the contents of the ARP cache by typing the
command show arp EXEC. In order to remove all dynamic entries from the ARP cache, users can type the privileged EXEC
command clear arp.
3.3.1 Domain Name System (DNS)
Each IP address has its related host name. Maipu Router software holds a cache that maps a host name to an IP address,
which is supported by telnet, ping and the relevant remote login. The cache accelerates the procedure translating the host
name into an address.
IP provides a naming method to enable a device to be identified by its location in IP. This is a hierarchical naming method
provided for domains. To trace a domain name, IP defines the conception of name server, which is used to keep a cache (or
database) that holds the mapping information from a domain name to an IP addresses. To map a domain name into an IP
address, you must first identify a host name, and then specify a domain name server to enable the Domain Naming System,
which is a global naming method to uniquely identify a network device on an internetwork.
3.3.2 Mapping IP addresses to Host Name

Maipu routers holds a table that saves host names and their corresponding IP addresses. The table is also called the host
name-to-address mapping table. High-level protocols, such as the remote logon, use host names to identify network devices
(hosts). IP addresses or routers and other network devices should be associated mutually by static or dynamic tools.
When the dynamic mapping cannot be used, addresses can be distributed to host names manually.
To specify a domain name or a host name to an address, users can execute the following commands in the global
configuration mode:
host <host_name> <Ip_Address>
Defining a mapping of host names and IP addresses
no host <host_name> <Ip_Address>
Deleting a mapping of host names and IP addresses
3.3.3 Designating a Domain Name

You can designate a default domain name for a router. The domain name will be used by the system to finish the domain
name request. You can designate either a single domain name or a series of domain names. Any IP host name without a
domain name will have a specified domain name before it is added to the host table.
Execute any following task in global configuration mode in order to designate a domain name:
ip domain-name <name>
no ip domain-name <name>
Defines a default domain name.

Deletes a default domain name.
3.3.4 Designating a Domain Name Server

Execute the following commands in the global configuration mode to specify one or hosts (up to 6) as domain name servers
to provide name information service for DNS:
ip name-server server-address
Defines a domain name server
no ip name-server server-address
Deletes a domain name server.
3.3.5 Designating a Domain Name Service Order

When resolving a name by use of the name service, the system will first use the default local name Cache, and then it uses
DNS service to complete name resolution. Users can also designate that the system only use the DNS service (so you need
not map an IP address into a host name manually) or first use the DNS service, and then use the local name CACHE to
achieve name resolution.
Executing the following command in the global configuration mode:
ip name-order {dns-first|dns-only|local-first}
3.3.5.1 Debug commands

command
Task
Display the debugging information in duration of get ip address
from dns server
Debug name-server
3.4
IP Protocol
3.4.1 Enabling/Disabling IP Route Forwarding

Each Maipu router enables IP route forwarding by default. But it can be disabled under certain conditions, which can be
realized under the following operations:
In the global configuration mode, users can disable IP routing forwarding by typing the command no ip routing.
In the global configuration mode, users can enable IP routing forwarding by typing the command ip routing.
3.4.2 Permitting/Prohibiting IP to Accept Redirection Messages
Each Maipu router enables the acceptance of IP redirection by default. But in under certain conditions, IP redirection can be
disabled. This can be accomplished by the following commands (in the global configuration mode):
ip redirect
no ip redirect
Enables IP to accept IP redirection

Disables IP to accept IP redirection
The default setting is to permit IP redirection.

Executing the following commands in the interface configuration mode:
ip redirects
no ip redirects
Enables the sending of ICMP Redirect messages

Disables the sending ICMP Redirect messages
The default setting is to permit the redirecting of an ICMP Message.

3.4.3 Permitting/Prohibiting IP Receiving Redirection Message
The redirection packet of icmp can result in the update of the routing table. The default setting of a Maipu Router is not to
update route after the router receives the redirection icmp packet. But users can select the route update.
Executing the following commands in global configuration mode:
icmp redirect-route
Enables the addition of an icmp redirect route
no icmp redirect-route
Disables the addition of an icmp redirect route
The default setting is to prohibit the routing update.
3.4.4 IP Fast Transmission
The IP fast transmission is realized through route cache mechanism. The purpose of the route cache is to reduce the repeated
searching of a routing table and to accelerate the packets sending speed through using previous cache searching results. But
under certain circumstances, users can choose to enable/disable the following two places to process route cache.
1) Fast transmitting route cache. Before sent to IP layer to deal, some packets received by interface can be transferred
directly if they match the route that stored in the cache.
Executing the following commands in the interface configuration mode:
ip route-cache
no ip route-cache
Enables fast-switching cache for outgoing packets

Disables fast-switching cache for outgoing packets
The default setting is to permit cache for outgoing packets.

2) When there are packets sent down from the user layer, if the destination is the same each time and the route is UP, the
route in the cache can be used without searching the routing table. Only one route, which is the result of recently searching
the routing table, is stored in cache.
Execute the following commands in the global configuration mode:
ip upper-cache
no ip upper-cache
Enables the use of upper route cache

Disables the use of upper route cache
The default setting is to permit the use of upper route cache.
3.4.5 Configuring IP Protocol Attributes

Maipu routers can configure the following IP attributes to UDP:
Configure input queue of the IP protocol

Configure the default Time-To-Live (TTL) of sending datagrams
Configure the default Time-To-Live (TTL) of sending IP datagrams
Enable IP recv-checksum
Enable IP send-checksum
The Table 3-5 lists the commands to configure the UDP properties:
Table 3-5 UDP properties configuration
Table 3-5
Command
ip option default-ttl [1-255]
ip option fragment-ttl [1-255]
Description
Configure the Time-To-Live of the IP protocol
Configure the Time-To-Live of IP fragment
ip option queue-length [300-600]
Configuring the queue length of the IP receive-buffer
ip option recv-checksum
Enable IP recv-checksum
Ip option send-checksum
Enable IP send-checksum
Displaying IP Statistics
router#show ip
statistics
Statistics for the
IP protocol
total 1356
---The number of the total received/sent packets
Badsum
---The number of the packets that have bad checksums
Tooshort
---The number of the packets that are too short
Toosmall
---The number of the packets that are too small
Badhlen
---The number of the packets that have bad header
lengths
badlen
---The number of the packets that have bad lengths
infragments
---The number of the received fragment packets
fragdropped
---The number of packets discarded when fragment
fragtimeout
---The number of packets when fragmented overtime
forward
---The number of packets forwarded
cantforward
1312
---The number of packets that can not be forwarded
redirectsent
---The number of redirected transmissions
unknownprotocol
16
---The number of packets with unknown protocols
nobuffers
---The number of packets having no buffers
reassembled
---The number of datagram reassembly
outfragments
---The number of fragmented packets transmitted
noroute
---The times of without routing
3.5
ICMP protocol
In the Internet Protocol stack, the Internet Control Message Protocol (ICMP) provides services such as controls, error reports
and network tests, etc. for other protocols in the Internet stack. The Maipu router supports RFC792, RFC950 and RFC1122.
3.5.1 Configuring ICMP Options

ICMP supports the request and reply options of subnet masks by default. But users can sometimes disable these options.
No Ip mask-reply
Ip mask-reply
to disable request and replay options of subnet masks.

to enable request and reply options of subnet masks.
3.5.2 Displaying ICMP Statistics

router#sh ip icmp
Statistics for ICMP protocol
16 calls to icmp error
---The times for system to call ICMP to send error

messages
0 error not generated because

old message was icmp
--- The number of ICMP errors generated due to

timeout
Output histogram:
---output information
destination unreachable: 16
---The times of the unreachable destination
0 message with bad code fields
---The number of packets with bad code field
0 message < minimum length>

0 bad checksum
---The numbers of packets with bad checksum
0 message with bad length
---The numbers of packets with bad length
Input histogram:
---The input information
Destination unreachable: 16
---The times of unreachable destination
0 message response generated
---The number of the response messages
3.6 IGMP protocol

The Internet Group Management Protocol (IGMP) assists IP to provide other applications with multicast service in the
Internet Protocol stack. Maipu routers support RFC1122.
Display IGMP statistics by the command show ip igmp stat.
router#show ip igmp stat
Statistics for the IGMP protocol
0 invalid queries received
----The number of invalid membership queries
0 invalid reports received
---- The number of invalid membership reports
0 bad checksums received
----The number of bad checksums received.
0 reports for local groups received
----The number of reports for local groups received
0 membership queries received
----The number of membership queries received
0 membership reports received
----The number of membership reports received
0 short packets received
----The number of short packets received
0 total messages received
----The number of total messages received
2 membership reports sent
----The number of membership reports sent
3.7TCP protocol
The Transmission Control Protocol (TCP) provides a highly reliable datagrams transmission service between application
programs. Maipu Routers support RFC793, RFC813, RFC879, RFC896 and RFC1122.
3.7.1 Configuring TCP properties
Maipu routers can configure the following TCP attributes:
Configure the size of TCP receiving-buffer (recvbuffers)

Configure the size of TCP sending-buffer
Configure TCP retransmit threshold
Configure TCP default size of maximum segment
Configure TCP default round trip time
Configuration commands of the TCP attributes are shown in Table 3-6

Table 3-6 the TCP Attribute Configurations
Command
ip tcp recvbuffers [1024-65536](default: 4096)
ip tcp sendbuffers [1024-65536](default: 4096)
ip tcp retransmits [1-100](default: 3)
Description
Set the TCP receive buffer size
Sets the send buffer size
Sets the retransmit threshold
ip tcp segment-size [256-4028](default: 512)
Configures the size of the maximum TCP segment
ip tcp round-trip [1-100](defult: 3)
Configure the maximum TCP round trip time
ip tcp idle-timeout[3-144000](default: 14400)
Configure the idle time of the connection that is before the

first testing of keeping alive
ip tcp init-timeout[2-30000](default: 150)
Configure the value of the connection establishment
ip tcp keep-count[3-20](default: 8)
Configure the maximum keeping alive times when the

opposite terminal has no response
ip tcp selective-ack
Configure TCP selective acknowledgement options as per

RFC2018
3.7.2 Displaying TCP Statistics

The command show Ip tcp provides the detailed TCP statistics.
routerr#show ip tcp
Statistics for the TCP protocol:
0 packet sent
---The total number of sending packets
0 data packet (0 byte)
---The packets number (byte number)
0 data packet (0 byte) retransmitted
---The resent packets number (byte number)
0 ack-only packet (0 delayed)
---The acknowledge packets number (the

delayed acknowledge number)
0 URG only packet
---The urgent packets number
0 window probe packet
---The window probe packets number
0 window update packet
---The window update packets number
0 control packet
---The control packets number
0 packet received
---The total received packets number
0 ack (for 0 byte)
---The acknowledge packets number (byte).
0 duplicate ack
---The duplicate-acknowledge packets number
0 ack for unsent data
---The number of the packets asked not to be sent
0 packet (0 byte) received in-sequence
---The number of the packets received in

sequence (byte)
0 completely duplicate packet (0 byte)
---The completely duplicate packet number (byte)
0 packet with some dup. Data

(0 byte duped)
---The partial duplicate packet number (byte)
0 out-of-order packet (0 byte)
---The out-of-order packets number (byte)
0 packet (0 byte) of data after window
---The number of the packets outside of the

window (byte)
0 window probe
---The window probe packets number
0 window update packet
---The window update packets number
0 packet received after close
---The number of the received packets after

closing connection.
0 discarded for bad checksum
---The number of the packets discarded because

of bad checksum
0 discarded for bad header offset field

of bad header offset field
0 discarded because packet too short

of too short
0 connection request
----The number of the local TCP connection

requests
0 connection accept
----The number of connections received by the

local TCP
0 connection established
(including accepts).
----The established TCP connections number
0 connection closed (including 0 drop)
----The closed TCP connections number
0 embryonic connection dropped
----The discarded connections number
0 segment updated rtt (of 0 attempt)
----No packet used to update round trip time
0 retransmit timeout
----The times of retransmission for timeout
0 connection dropped by reXmit timeout
---The number of discarded connections for

timeout resending
0 persist timeout
---The persist timer don't timeout
0 keepalive timeout
---The number of keepalive timeouts.
0 keepalive probe sent
---The number of keepalive probes sent.
0 connection dropped by keepalive
---The number of connections dropped by

keepalive
0 pcb cache lookup failed
---The times of examining protocol control

module failure
3.8 UDP Protocol

The User Datagram Protocol (UDP) provides the basic service of data transmission between application programs. Maipu
MP series routers support RFC768.
3.8.1 Configuring UDP Protocol Attributes
Maipu routers can configure the following UDP attributes:
Configure the default Time-to-Time Live for sending UDP packets.
Set UDP recvbuffers size
Set UDP sendbuffers size
Enable UDP recv-checksum
Enable UDP send-checksum
Table 3-7 lists configuration commands of UDP attributes.

Table 3-7 UDP Attribute Configurations
Command
Description
ip udp default-ttl [1-255]
Set Time-To-Live of UDP packets
ip udp recvbuffers [1024-65536]
Set UDP receiving buffer size
ip udp sendbuffers [1024-65536]
Set UDP sending buffer size
ip udp recv-checksum
Enable UDP receiving checksum
ip udp send-checksum
Enable UDP sending checksum
3.8.2 Observing UDP Statistic Information

The command show Ip udp displays detailed UDP statistics
router# show
ip
udp
Statistics for the UDP protocol:

32 total packets
---The total number of input and output packets.
16 input packets
---The total number of input packets.
16 output packets
---The total number of output packets.
0 incomplete header
---The number of the packets with incomplete

UDP headers
0 bad data length field
---The number of the packets with bad UDP data

length field
0 bad checksum
---The number of the packets with bad UDP

checksum
0 broadcasts received with no ports
---The number of the broadcast packets received

with no ports
0 full socket
---The number of broadcast packets received

with full socket.
16 pcb cache lookups failed
---The number of PCB Cache lookups failed
16 pcb hash lookups failed
---The number of PCB Hash lookups failed
3. 9 The Socket Interface

A socket is a mechanism that network application programs use to access lower layer network resources. Maipu MP series
routers supports the standard socket interface mechanism and a series of socket applications. The command Show Ip Sockets
can be used to display the usage situation of the TCP/UDP connection used by the current system, and can helpful to
troubleshoot.
router#show ip sockets
Active Internet connections (including servers)
PCB
--------
Proto
-----
Recv-Q
------
Send-Q
------
Local Address
------------------
Foreign Address
(state)
-------------------------
990320 TCP
ESTABLISHED
128.255.1.8.23
128.255.111.100.10
99029c TCP
ESTABLISHED
128.255.1.8.23
128.255.1.6.1057
0.0.0.0.23
0.0.0.0.0
0.0.0.0.0
0.0.0.0.0
98ff84
LISTEN
9903a4
TCP
UDP
98fdf8
UDP
0.0.0.0.0
98ff00
UDP
0.0.0.0.1024
0.0.0.0.0
0.0.0.0.0
Each line represents one TCP/UDP connection.

Explanation of Abbreviations in the Chart:
PCB -- indicates the address of the Protocol Control Block
Proto -- indicates the protocol used by the current connection: TCP or UDP
Recev-Q -- indicates the data received over the current connection
Send-Q -- indicates the data sent over the current connection
Local Address -- indicated the local address and port number of the current connection
Foreign Address remote address and port number of the current connection
For TCP connection, (State) indicates the current TCP state.
Chapter 4 Interface Configuration

This chapter mainly describes the interfaces supplied by Maipu series routers and how to configure them. And the main
contents of this chapter are listed as follows:
z Interface type supported by Maipu series routers
z
Configuring Ethernet interfaces
Configuring high-speed serial interfaces
Configuring a 16-asyn-port/printing module
Configuring a CE1 module
Configuring an 8-syn-port module
Configuring a built-in base-band modem module
Configuring a built-in frequency-band modem module
Configuring an ISDN module
4.1 Interface Types

This section mainly describes the interface types supported by Maipu series routers and how to configure them.
4.1.1 Interface Types Presently Supported by Maipu Routers
z Ethernet port
Configuring port
High-speed serial-port
Asynchronous serial-port
Synchronous serial-port
Synchronous/Asynchronous serial-port
Built-in 56K/33.6K frequency-band MODEM
Built-in 128K base-band MODEM
ISDN S/T interface module
ISDN U interface module
Unchannelized E1
Channelized E1
PRI Interface
IP telephone interface
4.1.2 Configuring Interfaces

Before configuring interfaces, you should know of the follow points at least:
1) The connection situation of physical interfaces, physical operational modes and related operational parameters;
2)
For a WAN interface, the link-layer encapsulation protocol and operational parameters should be appointed
between the WAN interface and the opposite-end interface connected with the WAN interface.
3)
The network-layer IP address of the interface should be configured correctly.
4)
Correctly configuring the static route of the destination network that can be reached through the interface, or
configuring the operational parameters of the dynamic routing protocol on the interface.
5)
If the interface supports the dialup mode, the dialup mapping and MODEM management need be configured more.
6)
If a firewall need be configured on the interface, it is necessary for you to configure the related packet filtering and
NAT parameters.
4.2 Configuring an Ethernet Port

The main contents of this section are listed as follows:
z The protocols supported by Maipu series routers
z
Configuring the network address
Configuring a vlan Interface
Establishing the address resolution (ARP)
Proxy ARP
Monitoring and maintenance
4.2.1 The Protocols Supported by Maipu Series Router

The Ethernet port of maipu router can support the following two frame formats:
1) Ethernet_II (ARPA)
2) Ethernet_SNAP
The foregoing frame formats are used to encapsulate the network-layer IP protocol. When receiving data, the Ethernet port
can automatically recognize frame formats. But when transmitting data, the port can do nothing but make encapsulation
according to the specified frame format.
4.2.2 Configuring Network Address
Currently, MPROUTER can support noting but IP protocol on the network layer. And the network/host address and sub-net
mask need be configured by means of the following command:
Command
Descriptions
The user enters the global configuration

mode from the privileged user mode.
router(config)# interface fastethernet0
Enter the configuration status of the

interface f0.
router(config-if-fastethernet0)#ip
mask
router(config-if-fastethernet0)#ip
mask secondary
address
address
A.B.C.D
Configure the IP address and sub-net mask

of the interface f0.
A.B.C.D
Configure the secondary address of the

interface f0.
Note:
A.B.C.D is the IP address of the interface, and mask is the sub-net mask of the interface.
Notice:
Sixty-four secondary addresses can be configured at best on the Ethernet interface. And there is no limit of the
secondary addresses for the master interface.
4.2.3 Configuring an Vlan Interface
About the detailed information about configuring a vlan interface, refer to chapter 12 802.1Q Configuration of Router
Configuration Manual.
4.2.4 Establishing Address Resolution (ARP)
Maipu series routers can supports Ethernet address resolution protocol (ARP), which is used to establish the relation between
an IP address and a MAC address. After an IP address is input, the ARP can determine a MAC address related with the IP
address. Once the MAC address is determined, the relation of the IP address/MAC address will be saved into the ARP highspeed buffer so as to realize the high-speed search. After that, an IP datagraph is encapsulated into a link-layer frame and
transmitted in the network.
4.2.4.1 Defining a Static ARP Buffer
ARP provides a dynamic mapping between an IP address and a MAC address. Most hosts can support the dynamic address
solution, so no static ARP buffer need be specified generally. If it is necessary to define the ARP buffer, you can define it in
the global configuration modenamely load a permanent item into the ARP buffer. And MPROUTER software uses it to
translate a 32-bit IP address into a 48-bit hardware address.
Execute the following commands in the global configuration mode:
Command
Descriptions
router(config)#arp
A.B.C.D
H.H.H
router(config)#no arp A.B.C.D H.H.H
Define a static ARP buffer;

Delete a static ARP buffer;
Note:
A.B.C.D is a host name or IP address and H.H.H is a MAC address. H means a hexadecimal number between 0 and FFF.
4.2.4.2 Examining ARP Buffer
To display the contents of the ARP cache used by the system, you can use the command show arp to examine the cache.
router#show arp
LINK LEVEL ARP TABLE
destination
gateway
flags Refcnt Use
----------------------------------------------------------------------129.255.117.5
0050.ba27.e285
405
2
32455
129.255.150.1
0050.ba27.d0f5
405
2
1011270
---------------------------------------------------------------------- Note
Interface
fastethernet0
fastethernet0
1 Destination: the destination IP address

2 Gateway: the MAC address of the destination IP address
3 Flags: flag bit (405the dynamic ARP, Co5the static ARP);
4 Refcnt: the times of using the ARP;
5 Use: the number of frames transmitted to the IP address;
6 Interface: the interface connecting with the IP address
To refresh the ARP item, you can use the privileged EXEC command clear arp to do it.
router#clear arp
4.2.5 Proxy ARP
If an ARP request is transmitted from a host in a network to a host in another network, the router connecting the two
networks can answer the request. The foregoing procedure is called Proxy ARP. This way can make the end sending the ARP
request mistake that the router is the destination host. In fact, the destination host is on another side of the router. In this way,
the router, whose function is equivalent to the proxy of the destination host, can transmit packets to the destination host.
RFC1027
Maipu router supports the proxy ARP.
Execute the following command in the interface configuration mode:
Command
Descriptions
router(config-if-fastethernet0)#ip proxy-arp
Enable the proxy ARP.
router(config-if-fastethernet0)#no ip proxy-arp
Disable the proxy ARP.
Note:
The proxy ARP is enabled by default.
The following example is about the typical ARP application and configuration:

035287(5
3&e
|

5287(5
3&e
|
Note
1) 136.1.0.0 is a 16-bit mask of the network segment in which PC1 is located.

2) 136.1.2.0 is a 24-bit mask of the network segment in which PC2 is located.
3) No gateway is configured for PC1. And for PC2, however, 136.1.2.88 need be set its gateway or there exists a route to
PC1the IP address of the next hop is 136.1.2.88
If ARP proxy is disabled on the Ethernet of MPROUTER, PC1 fails to ping 136.1.2.55 successfully. This is because:
For packets in the same network, PC1 firstly broadcasts the ARP request so as to acquire the MAC address of the destination
host. After getting the address, PC1 transmits the packet to the destination. In the foregoing example, both the destination
host and PC1 on the same network (which can be known according to the mask of PC1), but they are not located in the same
network physically. If there is no response after PC1 sends the ARP request, then PC1 pings unsuccessfully. Here, if
MPROUTER enables ARP proxy, MPROUTER can use its MAC address to answer the request sent by PC1, and PC1 can
ping successfully. The ARP proxy of MPROUTER is mainly applied to this case.
4.2.6 Monitoring and Maintenance

When finishing the configuration of the Ethernet interface, you can enter the privileged user mode and execute the command
show interface to display the diverse configuration parameters and current operational status of the Ethernet interface.
Routershow interface fastethernet0
fastethernet (unit number 0):
Flags: (0x8063) UP BROADCAST MULTICAST ARP RUNNING
Protocol signal UP
Interface type: CSMA/CDIEEE802.3
Port address129.255.117.22
Netmask 0xffff0000 Subnetmask 0xffff0000
Network mask255.255.0.0 Sub-net mask255.255.0.0
Broadcast address: 129.255.255.255
Broadcast address129.255.255.255
Metric: 0, MTU: 1500, BW: 100000Kbps, DLY: 100 usec
Maximal transmitting unit1500bandwidth100MDelay100 microseconds
Ethernet address is 0001.7a00.0016
MAC address:0001.7a00.0016
Duplex: full duplex
Rate: 100Mbit/s
Rate100M Operational modefull duplex mode
Babbling recvive 0, babbling transmit 0, heartbeat fail 0
Tx late collision 0, Tx retransmit limit 0, Tx underrun 98
Tx carrier sense 0, Rx length violation 0
Rx not aligned 4, Rx CRC error 13, Rx overrun 68
In the received frames, there are 4 un-aligned ones, 13 CRC errors ones and 68 overrun ones.
Rx trunc frame 0, Rx too small 0, Rx alloc mbuf fail 0
5 minute input rate 19000 bits/sec ,12 packets/sec
The input rate is 19000 bits/sec, namely 12 packets/sec, in the late 5 minutes.
5 minute output rate 6000 bits/sec ,2 packets/sec
The output rate is 6000 bits/sec , namely 2 packets/sec, in the late 5 minutes.
63200024 packets are receivedand 9128013 packets are sent
57157487 multicast packets are received
1045 multicast packets are sent.
There are 37 input errors and 0 output error.
There is 0 collision; and 24166659 packets are discarded.
4.3Configuring High-speed Serial Interface
Maipu router can provides two kinds of high-speed serial interfaces: one can support both synchronous and asynchronous
operation mode, called a synchronous/asynchronous serial interface; another can operate only in the asynchronous operation
mode, such as a configuration interface. The configuration interface Console is used to connect with user terminals and
serves as the configuration and monitoring interface of the router. Generally, you need not configure the configuration
interface, and it is not also recommended for you to do it.
The serial interface of Maipu router supports the following applications:
1) Connecting with the external Modem, and serving as a dialup interface or a backup interface;
2) Operating in the V.24/V.35 interface mode ( a high-speed synchronous/asynchronous WAN interface)
3) Supporting link-layer protocols, such as PPP, SLIP, FR, X25 and HDLC;
4) The extended synchronous/asynchronous serial interface or asynchronous serial interface can support link-layer
protocols, such as PPP, SLIP, X25, HDLC and FRbut the asynchronous serial interface can not support FR.
CONFIGURING AN ASYNCHRONOUS SERIAL INTERFACE

CONFIGURING A SYNCHRONOUS SERIAL INTERFACE
MONITORING AND MAINTENANCE
4.3.1 Configuring an Asynchronous Serial Interface
Without any configuration, an asynchronous serial interface can work in the asynchronous operation mode. And to make the
synchronous/asynchronous serial interface work in the asynchronous operation mode, you can execute the following
commands. For example, you can execute the following commands to configure the serial interface 0 and make it work in
the asynchronous operation mode:
Routerconfig-if-serial0
Command
Descriptions
physical-layer async
Configure the asynchronous operation mode for the serial interface

0serial0.
speed
Configure the bund rate 9600 for the asynchronous serial interface.
And the baud rate can be select from 1200bps/2400bps/4800bps/
9600bps/ 19200bps/38400bps/57600bps/115200bps.
9600
databits 8
Configure the databits of the asynchronous serial interface: 8. And

the value can be selected from 5/6/7/8.
stopbits 1
Configure the stopbits of the asynchronous serial interface: 1. And

the value can be selected from 1/2.
parity none
Configure the parity of the asynchronous serial interface: none.

And the value can be selected from even/none/odd/space/mark.
flow-control none
Configure the flow-control of the asynchronous serial interface:

none.
And the value can be hardware flow-control (none) or software
flow-control.
maxinum-rx-unit 128
Configuring the maximal unit-receivable of the asynchronous

serial-interface; the scope of the maximal unit-receivable supported
by the serial interface is between 128 and 4096.
Tx-on dcddsr
Set the sending condition of the serial interface. And the default
condition is dcddsr.
Notice
When the asynchronous serial interface connects with the external Modem, the baud rate is applied to the
communication between the serial interface and the Modem. So their baud rate can be set differently. The line rate can be
determined after the Modem makes negotiation with the serial interface. And when two serial interfaces connect together
directly, they need be configured with the same baud rate.
When working in the hardware flow-control mode, the asynchronous serial interface can, by means of detecting the CTS
signal, determine whether to send data; and when working in the software flow-control mode, the asynchronous serial
interface can, by means of judging the flow-control character XON/XOFF, determine whether to send data.
4.3.2 Configuring a Synchronous Serial Interface

Without any configuration, a synchronous serial interface can work in the synchronous operation mode. The synchronous
serial interface can work in the DTE/DCE mode. When working in the DTE mode, the external DCE equipment (such as the
external synchronous Modem) connecting with the interface provides the clock source; and when working in the DCE mode,
the router connecting with the interface provides the clock source.
The synchronous serial-interface can provide a V.24/V.35 interface. By means of internal jumper, the router can provide
different types of interfaces.
For example, you can execute the following command to configure the serial interface 0 serial0and make it work in the
synchronous operation mode:
Routerconfig-if-serial0physical-layer sync
4.3.2.1 Configuring the Operation Mode of a Synchronous Serial Interface
By default, a synchronous serial interface works in the DTE mode. And you can make the interface work in the DCE mode
through configuring DCE clock rate and adopting the DCE cable.
The different operation modes of the synchronous serial interface are corresponding with the different clock options:
1) If the synchronous serial interface works in the DTE mode, the serial interface receives the clock provided by the
external DCE equipment. Here, the DTE serial interface can not only select the receiving /sending clock of the
DCE equipment as itself receiving/sending clock, but also regard the sending clock of the DCE device as itself
receiving/sending clock. For example, you can use the following command to set the sending clock of the DCE
device as itself receiving/sending clock:
Routerconfig-if-serial0)#clock multiplex
Configuring the DTE clock multiplex.
When the interface works in the DTE mode, to eliminate the half clock cycle of the line some time, you can invert the
receiving clock of the DTE.
Routerconfig-if-serial0clock invert
Configuring the DTE clock invert.
Note
The clock is not inverted by default.

2) If the synchronous serial interface works in the DCE mode, the serial interface need provide the clock for the
external equipments. For example, you can use the following command to set the DCE clock rate:
Routerconfig-if-serial0# clock rate 128000
Configuring the DCE clock rate as 128000.
Note
In the synchronous operation mode, the serial interface can support a very wide clock rate scope. The lowest clock rate
is 1200bps, and the highest rate is related with the operation mode of the interface.
The highest clock rates supported by the interfaces in the different interface modes are different:
In the V.24 mode, the highest clock rate can reach 200kbps
In the V.35 mode, the highest clock rate in the DTE mode can reach 8Mbps and that in the DCE mode can reach
2Mbps.
Note
The basic configuration of an 8 syn/asyn expansion interface is the same as that of the high-speed WAN interface. And
the different between them is that the rate supported by the former is relatively lower.
4.3.3 Monitoring and Maintenance
When finishing the configuration of the interface, you can enter the privileged user mode and execute the command show
interface to display the diverse configuration parameters and current operational status of the interface.
Routershow interface serial0

Flags: (0x8071) UP POINT-TO-POINT MULTICAST ARP RUNNING
(Protocol signal : UP)
Type: PPP
(Interface typePPP)
(Port address10.1.1.1)
Netmask 0xff000000 Subnetmask 0xffffff00
(Network mask255.0.0.0 Sub-net mask255.255.255.0)
(The IP address of the opposite end10.1.1.2)
Metric: 0, MTU: 1500, BW: 128Kbps, DLY: 20000 usec
(Maximal transmitting unit1500bandwidth128KDelay20 microseconds)
5 minute input rate 790000 bits/sec ,14 packets/sec
The input rate is 790000 bits/sec, namely 14 packets/sec, in the late 5 minutes
5 minute output rate 788000 bits/sec, 12 packets/sec
The output rate is 788000 bits/sec, namely 12 packets/sec, in the late 5 minutes
(1761641 packets are received; and 1827994 packets are sent.)
(0 multicast packet is received.)
(0 multicast packet is sent.)
(There are 148 input errors 146 output errors)
(There is 0 collision; and 9 packets are discarded)
lcp:OPENED, ipcp:OPENED, cdpcp:OPENED
rxFrames: 2296829, rxChars 1694564374
the number of the received frames is 2296829, and total bytes of the received frames are 1694564374.
txFrames: 2275846, txChars 1714594630
The number of the sent frames is
2275846, and total bytes of the sent frames are 1714594630.
rxNoOctet 17, rxAbtErrs 6, rxCrcErrs 0

In the received frames, there are 17 un-aligned ones. Six received frames are discarded and there exists no CRC
errors frame.
rxOverrun 0, rxLenErrs 0, txUnderrun 0
there exists
0 rxOverrun frame, 0 rxLenErr frame and 0 txUnderrun frame.
rate=2000000 bps
(The line rate is 2M)
DCD=up DSR=up DTR=up RTS=up CTS=up Txc=up
4.4 Configuring a 16-asyn-serial-interface module
Maipu router contains a 16-asyn-serial-interface module. The module adopts the interface standardRS-232, uses DB25
(M)/DB25 (F) connectors and RJ45 socket, supports 9600bps-115200bps baud scope, operates in the DTE or DCE mode.
Additionally, the module can support the following services:
z Connecting with a terminal (with the function of terminal-number fixing)
z
Connecting with ATM (automated teller machine)
Connecting with a PC station
Connecting with a router
Connecting with a frequency-band/base-band Modem
Supporting PC/router dialup access
Other serial equipment.
The concrete configuration is the same as that of the asynchronous serial-interface.

4.5 Configuring a CE1 Module
Brief introduction to a CE1 interface:
z A CE1 interface can be physically divided into 32 time-slots whose number is from 0 to 31 correspondingly.
Time-slot 0 can not be used to transmit data.
z
Each frame of the CE1 circuit is composed of 32 time-slots and the transmission rate of each time-slot is 64K.
When a CE1 interface is used, the total time-slots (1~31) can be optionally divided into several groups. After
bounded together, each group of time-slots can serve as an logical interface (use the command channelgroupshell to realize it), supporting link-layer protocols such as PPP, X.25, HDLC and FR etc.

z Configuring a CE1 interface
z
Monitoring a CE1 interface
4.5.1 Configuring a CE1 interface

The tasks of CE1 configuration are listed as follows:
1) Configuring the physical-layer operation parameters of the CE1 interface, including frame check mode and line
encoding format etc.
2) Configuring the channel-group operation parameters
3) Configuring an interface.
Perform the following configuration in the global configuration mode:
Command
Descriptions
router(config)#controller e1 0/0
Use the slot-number and unit-number to determine

the location (0/0) of the controller and enter the E1
configuration mode.
Notice
For the low-end routers including MP1700, MP2500 and MP2600 etc, only the slot S0 can support the CE1 module.
Configuring the physical-layer operation parameters of the CE1 interface
Command
Descriptions
router(configcontroller)#framing
crc4
Use the configuration command of a framing controller to select a frame

type for the E1 data line. And the following types can be selected:
crc4: Specify the CRC4 check mode for the E1 interface to receive/transmit
data;
no-crc4:
Specify the E1 interface not to adopt the CRC4 check mode
for receiving/transmitting data;
Default:
Set the default type (CRC4 check is valid only for data
transmission) .
router(configcontroller)#linecode
hdb3
Use the configuration command of a linecode controller to select a line

encoding type for the E1 line. And the following types can be selected:
Ami:
Set the AMI (alternate mark inversion) as the line encoding type.
E1 is invalid by default.
router(configcontroller)# clock source
internal
Use the configuration command of a clock source controller to select a line

clock for the E1 line. And the following types can be selected.:
Internal:
Line:
router(configcontroller)#pri-group
The CE1 interface provides clock source by itself;

Extract the clock from the line. The type is valid by default.
The CE1 interface is configured as the PRI mode. After that, an interface
similar to S0/0:15 can be generated.
Configuring the channel-group operation parameters:

Command
Descriptions
Set the time-slots occupied by each channel.
router(config-controller)#channel-group
number timeslots range
Note
1) Number: The channel-group number. When an E1 data line is configured, the scope of the channel-group number is
from 0 to 30.
2) Range: The value scope to which one or more time-slots in a channel-group belong. The first time-slot number is 1,
and its range is from 1 to 31.
Notice:
1) When a time-slot is configured, the time-slot-number of the start-time-slot must be more than that of the stop-timeslot, or else, the time-slot-number is invalid.
2) If two channels are configured with the repeating time-slot, the configuration is invalid and no interface can be
generated.
3) When a time-slot is configured, the scope of the time-slot must match with a channel-group-number. And it is the
service provider that defines time-slots including a channel-group.
The following example defines three channel-groups: channel-group 0 includes a single time-slot, channel-group 2 includes
three time-slots and channel-group 7 includes a single time-slot.
Command
Descriptions
router(config)#controller e1 0/0
Use the slot-number and unit-number to

determine the location (0/0) of the controller and
enter the E1 configuration mode.
timeslots 1
Configure time-slot 1 for channel-group 0.
timeslots 3-5
Configure 3~5 time-slots for channel-group 2.

(That is to say that the rate of the channel-group 2
is 192K)
timeslots 6
Configure time-slot 7 for channel-group 7.
router(config-controller)#framing crc4
Enable CRC4
router(config-controller)#linecode hdb3
Configure the line code as HDB3.
After finishing the configuration above, you can perform the interface configuration. The interface form is s0:0 s0:2 s0:7.
Command
Descriptions
router(config)#interface s0/0:0
Enter the channel-group 0.
router(config-if-serial0/0:0)# encapsulation ppp

router(config-if-serial0/0:0)#ip
255.0.0.0
add
1.1.1.1
Encapsulate the link-layer protocol as PPP.

Configure the IP address 1.1.1.1 and subnet mask
255.0.0.0.
router(config-if)#exit
router(config)#interface s0/0:2
Enter the channel-group 2.
router(config-if-serial0/0:2)# encapsulation hdlc
Encapsulate the link-layer protocol as HDLC.
router(config-if-serial0/0:2)#ip
255.0.0.0
add
2.2.2.1
Configure the IP address 2.2.2.1 and subnet mask

255.0.0.0.
router(config-if)#end
Notice
When multiple time-slots are configured, - is used between the start-slot and the stop-slot.
4.5.2 Monitoring a CE1 Module
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show
interface to display the parameter configuration and current operation status of the channel-group. Each parameter is the
same as that of the serial interface.
When the interface information is examined, the massive error frames can be discovered from the E1 statistics information,
the link-layer negotiation is slow, and there exists packet loss during the PING course.
The possible causes:
7KH&(PRGXOHFDQVXSSRUWWZRNLQGVRIFRQQHFWLRQFDEOHVRQHLV QRQ-EDODQFHFRD[LDOFDEOHDQGWKHRWKHULV
balance twisted-pair cable. When equipment connection is performed, the impedance may be unmatched.
4.6 Configuring an E1 module
By default, an E1 interface follows G.703 and the total bandwidth 2.048Mbit/ is used for data transmission. When the E1
interface is used for the frame structure, the interface can be used for G.704 no-channel associated signaling and G.704
channel associated signaling structure: the sixteenth time-slot of the former structure can be used to transmit data, and the
sixteen time-slot of the latter structure can be used to transmit signalings except data; and time-slot 0 of the foregoing two
structures can not be used to transmit data.
When the E1 interface is employed, the total time-slots can be optionally bound together to serve as an logical interface that
has the same logic as that of the synchronous serial-interface and can support PPP, X.25 and HDLC protocols.
z Configuring an E1 interface
z
Monitoring an E1 interface
4.6.1 Configuring an E1 Interface

The configuration tasks of an E1 interface are listed as follows:
z Configuring the physical-layer operation parameters of an E1 interface
z
Configuring the link-layer operation parameters of an E1 interface
Configuring the physical-layer operation parameters of an E1 interface

Routerconfig-if-serial0/0 ?
Command
Descriptions
Router
config-if
serial0/0 #timeslot
<start-slot - stop-slot>
Use the time-slot interface configuration command to enable the framed

serial interface of the G.703E1 port adapter. And using the negation form
of the command or setting the stat-slot as 0 can restore the default.
start-slot:
The first sub-frame of the master frame, the scope of the
parameter value is between 0 and 31, and the parameter value must be
less than or equal to stop slot.
stop slot:
The last sub-frame of the master frame, the scope of the
parameter value is between 0 and 31, and the parameter value must be
more than or equal to start slot.

Router
config-ifserial0/0#ts16
The E1 module operates in the CCS mode. The command can take effect
only in the framing mode.
Router
config-ifserial0/0#no timeslot
The E1 mode adopts G.703 protocol and 2M mode.
Router
config-ifserial0/0#no ts16
The E1 module operates in the CAS mode.
Router
config-if
serial0/0
#crc4
{rcrc4|tcrc4|(CR)}
Configure the check mode of the E1 data line as crc4. The follow types
can be selected:
crc4: Specify the E1 interface to adopt the CRC4 check mode for
receiving/transmitting data;
no-crc4:
Specify the E1 interface not to adopt the CRC4 check mode
for receiving/transmitting data;
Router
config-ifserial0/0# clock source
<line|internal>
rcrc4:
The receiving CRC4 is valid.
tcrc4:
The transmitting CRC4 is valid.
Set the clock mode of the interface:

Line:
Set the operation clock mode as the line clock.
Internal:
Set the operation clock mode as the internal clock.
Notice
1) By default, G.703 is configured as the transparent 2M mode, and the clock as the line clock.
2) Nothing but the serial-interface 0 of low-end routersincluding MP1700, MP2500 and MP2600can support the E1
module.
3) The E1 interface can only operate in the synchronism mode.
Configuring the link-layer operation parameters of an E1 interface
Command
Descriptions
Router config-if-serial0 # encapsulation <
Configure encapsulation protocol>
Configure the link-layer protocol used on the E1

interface.
Router config-if-serial0
#ip
<unicast address> < network mask>
Configure the IP address and corresponding subnet

mask of the E1 interface.
address
Notice
1) The link-layer protocols of the E1 interface can be configured as nothing but the synchronism mode;
2) By default, the link-layer protocol configured for the E1 interface is HDLC.
The following example defines an E1 interface: 1-31 time-slot, CCS mode, line clock, no CRC4, PPP link-layer
protocol, IP address 1.1.1.1 and 8-bit mask.
Command
Descriptions
router(config)#interface serial0/0
Enter the E1 interface.
router(config-if-serial0/0)#timeslots 1-31
Set the E1 interface to use 1-31 time-slot.
Router(config-if-serial0/0)#ts16
Set the operation mode of the E1 interface as CCS.
Router(config-if-serial0/0)#no crc4
Set the E1 interface to perform no CRC4 check for

the received data and fill no CRC4 checksum in the
transmitted data.
Router(config-if-serial0/0)# encapsulation ppp
Configure the link-layer protocol as PPP.
Router(config-if-serial0/0)#ip address 1.1.1.1

255.0.0.0
Configure the IP address 1.1.1.1 and 8-bit mask of

the E1 interface.
Notice
When multiple time-slots are configured, - is used between the start-slot and the stop-slot. And when a single time-slot
is configured, the time-slot can be directly filled in. when the E1 interface is configured as the CAS mode, the sixteenth timeslot is only used to transmit signalings
4.6.2 Monitoring an E1 Interface
interface to display the parameter configuration and current operation status of the E1 interface. Each parameter is the same
as that of the serial interface.
When the interface information is examined, the massive error frames can be discovered from the E1 statistics information,
the link-layer negotiation is slow, and there exists packet loss during the PING course.
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show run
interface to display the time-slots occupied by the E1 interface.
The possible causes:
7KH(LQWHUIDFHVXSSRUWVWZRNLQGVRIFRQQHFWLRQFDEOHVRQHLV QRQ-EDODQFHFRD[LDOFDEOHDQGWKHRWKHULV
balance twisted-SDLUFDEOH:KHQD HTXLSPHQWLVFRQQHFWHGWKHLPSHGDQFHPD\EHXQPDWFKHG6RWKH FDEOHLV
often used. When the E1 cable connects with other equipments, pay attention to whether the parameters (such as CRC4,
CCS/CAS, clock mode and time-slot) of the equipment match with those of the other equipments.
4.7 Configuring an 8-port Synchronous Module
An 8s module is an 8-port high-speed synchronous serial-interface module. The 8S module can be used to avoid the nonsynchronous rate between the serial-interface clock based on the bus clock and the factual clock of the V.35 interface. The 8S
module shares 32 time-slots with other TDM bus modules (expect the E1 module), can only operate in the synchronism mode
and support 64K/128K. When an 8S module is inserted into Maipu router, eight interfaces sync0~sync7, which support PPP,
X.25 and HDLC protocols, will be added.
The main contents of this section are listed as follows;
z Configuring an 8S interface
z
Monitoring an 8s Interface
4.7.1 Configuring an 8S Interface

The configuration tasks of an 8S interface are listed as follows:
z Configuring the physical-layer operation parameters of an 8s interface
z
Configuring the link-layer operation parameters of an 8s interface
Configuring the physical-layer operation parameters of an 8s interface

Routerconfig-if-sync0 ?
Command
Descriptions
Routerconfig-if-sync0# nrzi-encoding
Set the line encoding mode of the interface as the

NRZI-encoding
(Non-Return-To-Zero-Invertedencoding). The negation form of the command is used
to cancel the NRZI-encoding.
Router config-if-sync0 #no

encoding
nrzi-
Set the line encoding mode of the interface as NRZencoding (Non-Return-To-Zero) (the default mode is
the NRZ-encoding.)
txphase/
Set the transmitting/receiving phase of the interface as

the rising edge or falling edge.
Router config-if-sync0 #
rxphase
txphase
txup : representing that
sends data at the rising edge.
txdown: representing that
the channel
the channel sends data at
the falling edge.

rxphase
rxup : representing that
receives data at the rising edge.
rxdown: representing that
the falling edge.
Router config-if-sync0 #clock
<64000/128000>
the channel
the channel receives data at
rate
Set the clock rate of the interface and configure a bit

rate receivable for the interface processor. The negation
form of the command is used to cancel the
configuration.
Router config-if-sync0 #clock <rx/tx>

<in/out>
Set the receiving/transmitting clock of the interface as

the interval/external clock.
Notice:
1) The default configuration is: the NRZ-encoding mode, transmitting data at the falling edge and receiving data at the
rising edge, adopting the interval clock as the clock source for transmitting/receiving data.
2) Configure the receiving/transmitting phase, which, generally, need be reconfigured.
3) NRZI is mainly applied to the EIA/TIA-232 connection in the IBM environment.
4) When the clock frequency of the interface is configured, the effect of 0 is equal to that of the command no clock
rate, which means that the interface occupies no time-slot of the TDM bus.
Configuring the link-layer operation parameters of an 8s interface
Command
Descriptions
Router config-if-sync0 # encapsulation <
Configure encapsulation protocol>
Configure the protocol that is used on the link layer

of the 8S interface.
Routerconfig-if-sync0 #ip address <unicast

address> < network mask>
Configure the IP address and subnet mask of the 8S

interface.
Notice:
1) The link-layer protocol configured on the 8S interface can but be synchronous;
2) The default link-layer protocol of the 8S interface is HDLC.
The following example defines an 8S interface (for example interface sync0 ): the NRZ-encoding mode, sending data at the
falling edge and receiving data at the rising edge, the clock frequency 128000, adopting the interval clock as the clock source
for transmitting/receiving data, PPP link-layer protocol, IP address 1.1.1.1 and 8-bit mask.
Command
Descriptions
router(config)#interface sync0
Enter the 8s interface sync0.
router(config-if-sync0)#clock rate 128000
Set the clock rate of the interface as 128000.
Router(config-if-sync0)# txphase txdown
Set that the data is transmitted at the falling edge of

the interface.
Router(config-if-sync0)# rxphase rxup
Set that the data is received at the rising edge of the

interface.
Router(config-if-sync0)# clock rx in
Set the receiving clock as the external clock.
Router(config-if-sync0)# clock tx in
Set the transmitting clock as the external clock.
Router(config-if-sync0)# encapsulation ppp
Set the link-layer protocol as PPP.
Router(config-if-sync0)#ip
255.0.0.0
address
1.1.1.1
Configure the E1 interface: the IP address1.1.1.1,

the mask8-bit.
notice
1) By default: no clock rate is configured;

2) If the clock source of multiple 8S interfaces is simultaneously configured as an external clock and
transmitting/receiving data depends on the external clock, the external equipment is required to provide the standard clock.
4.7.2 Monitoring an 8s Interface
interface sync0 to display the parameter configuration and current operation status of the 8S interface.
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show qmc
timeslots to display the system TDM bus time-slots occupied by the 8S interface
After finishing the interface configuration, the user can enter the privileged user mode and execute the command show csm
to display which interface supports the current clock source of the system TDM bus.
The possible cause resulting in high bit-error rate of data transmission is that:
When an external clock is configured for the 8S interface, the peripheral equipment is required to provide a standard clock, or
else, packets will be lost badly and bit error rate will be high.
4.8 Configuring a Built-in Base-band Modem
Maipu router supports many kinds of built-in base-band modem module and the interface name is bm0/0. For an 8-port 128
built-in modem module, the interface name adopts the format of ebmx/y: x represents 4 or 5, and y represents 0~7; and each
interface can operate either in the LT mode or in the NT mode. (Note: ebm is the interface of MP2600 series router 8-port
baseband modem moduleBM is interface of MP3600 series routers baseband modem module)
z Configuring the interface bm0/0 of a 128 module
z
Configuring the interface ebm4/0 of an 8-port 128 module
4.8.1 Configuring a Single-port 128 Modem Module

Only the slot S0 on the low-end router can support a single-port 128 module.
Routerconfig
Command
Descriptions
Router(config)#interface bm0/0
Enter the configuration mode of the interface

bm0/0.
router(config-if-bm0/0)#line mode nt
Operate in the NT mode.
router(config-if-bm0/0)#enca hdlc
Encapsulate the HDLC protocol.
router(config-if-bm0/0)#ip
255.0.0.0
address
2.2.2.2
router(config-if-bm0/0)#clock rate 64000
The IP address of the port is 2.2.2.2 and the

corresponding mask is 255.0.0.0.
The clock rate is 64K.
Note
The single-port 128 module supports the 64k/128k synchronous communication mode.
4.8.2 Configuring an 8-port 128 Modem Module
An 8-port base-band modem module can be inserted in the upper or lower layer of the expended slot or both.
1Supporting the link-layer protocols including HDLC, PPP, Frame Relay and X.25 etc.
2Supporting the network-layer protocols such as IP and IPX;
The configuration tasks of the 8-port 128 modem module are listed as follows:
1) Configuring the baud rate;
2) Configuring the line mode;
3) Configuring the operation parameters of the link-layer protocols;
4) Configuring the IP address.
Configuring the clock of the synchronous interface:
Routerconfig
Command
Descriptions
router(config)#interface ebm4/0
Configure the interface ebm4/0 of the 8-port baseband 128 modem module.
rate
router(config-if-ebm0)#clock
64000|128000
router(config-if-ebm0)#line mode lt|nt
router (config-if-ebm0)#ip
255.0.0.0
address
router (config-if-ebm0)#enca
ppp
Configure the clock rate: 64Kbps/128kbps. (The

default value is 64Kbps)
Set the line mode: LT/NT(The default mode is
NT ).
1.1.1.1
The IP address of the port is 1.1.1.1, and the

corresponding subnet mask is 255.0.0.0.
Encapsulate the PPP protocol.
router(config)#interface ebm4/1
Configure the interface ebm4/1 of the built-in 128

module.
router(config-if-ebm1)#line mode lt|nt
Same as above.
router(config-if-ebm1)#enca ppp
Same as above.
router(config-if-ebm1)#ip
255.0.0.0
router(config-if-ebm1)#clock
address
2.2.2.1
rate 64000
Same as above.
Same as above.
.
Note
1) Eight interfaces can support nothing but the synchronism operation mode;
2) Because the base-band MODEM adopts two B channels and the line baud rate need be the integer times of B, namely
the integer times of 64K, the baud rate can be configured only as 64K and 128K.;
3) For the base-band Modem on the other end, its configuration except the operation mode and address must be the same
as that of the modem on this end.
Notice:
1) If the DIP switch of the module is ON, then the bi-direction loop is enabled on the module.
2) When more than 2 ports of the 8-port 128 module operate simultaneously in the NT mode, the data transmission
clock source of the LT equipment connecting with the two ports must be consistent, like a MP9400 128 card in DDN network.
4.9 Configuring a Built-in MODEM Module
Maipu router supports many kinds of built-in frequency-band MODEM modules, such as single-port 1M56/1M336 Modem
module and four-port 4M336/4M56 Modem module. Each kind of interface can operate in the synchronism/asynchronism
mode. For these interfaces, their configuration mode is the same as that of the other serial interfaces, and the difference is that
they support the leased line or dialup line mode, the clock mode in the synchronism mode (internal clock, external clock and
slave clock).
z Configuring a built-in Modem;
z
Debugging a built-in Modem.
4.9.1 Configuring a Built-in MODEM Module

The configuration of a single-port MODEM module is the same as that of a multi-port one.
Routerconfig
Command
Descriptions
Router(config)#interface serial0
Enter the configuration mode of the interface

serial0.
router(config-if-serial0)#physical-layer
sync/async
Configure the synchronism/asynchronism operation

mode.
router(config-if-serial0)#enca ppp
router(config-if-serial0)#ip
255.0.0.0
address
router(config-if-serial0)#modem
33600
2.2.2.2
The IP address of the port is 2.2.2.2, and the

corresponding mask is 255.0.0.0.
clock-rate
Configure the Modem line rate in the synchronism

modem.
router(config-if-serial0)#speed 115200
router(config-if-serial0)#mode
external/internal/slave
Configure the Modem line rate in the asynchronism

modem.
clock-mode
router(config-if)#modem
answer/originate
party
Configure the Modem clock mode (the external

clock, the internal clock and slave clock) in the
synchronism modem.
Configure the Modem answer/origination.
router(config-if-serial0)#mode line leased
Configure the leased line mode for Modem.
router(config-if-serial0)#dialer string 5148295
Configure the phone number for the Modem to dial

up in the dialup mode.
router(config-if-serial0)#mode enable/disable
Enable/disable the Modem configuration.
Note
1) The line rate and clock type need be configured in the synchronism mode. And in the dialup mode, a phone number
of the answer party need be configured on the call origination;
2) When in the synchronism/asynchronism mode, the highest line rate is 33600bps/115200bps.
3) Both sides of modems need select consistent modulation protocol, line rate, synchronism/asynchronism mode, error
control protocol and compression protocol in the asynchronism mode. And when in the synchronism mode, both sides need
select the Modem synchronous clock.
4) Call/Answer configuration: the MODEM to originate the relation is called call origination, and the other party is
called answer.
4.9.2 Built-in MODEM Debugging
Open the MODEM debugging switch and observe its dialup status and related information:
mp2600#debug modem interface-number
Close the MODEM debugging switch:
mp2600#no debug modem interface-number
The following example describes how to use the default system scripts to dial out:
maipu2#debug modem serial0
serial0: Config modem for dialing out
serial0: AT configurating command:
AAT&FE0Q0W1S95=44S36=5S25=0X0
AAT&D2&Q5
AATM1L1
serial0: Success to send the 0th group configuring command
serial0: Success to send the 1st group configuring command
serial0: success to configure modem
serial0: Start dialing automatically
serial0: Dialing timeout is set as 45s(DL-mode)
serial0: Dialing 81...
serial0: modem connected.
Line protocol on Interface serial0, changed state to up
4.10 Configuring an ISDN Module
PRI is configured as follows: (A CE1 module must be inserted in the router.)
Syntax
Descriptions
router(config)#controller
e1 0/0
Enter the E1 configuration mode through the

controller location (0) that is defined with the unit
number.
router(config-controller)#pri-group timeslot 1-31
Configure multiple time-slots to create a PRI

interface.
Only one pri-group can be configured for one
CE1. However, as long as there exists no time-slot
overlapping between pri-group and channel-group,
both can be simultaneously configured for one
CE1.
router(config-controller)#exit
Exit from the E1 configuration mode.
router(config-if-serial0/0:15)#isdn
primary-net5
BRI is configured as follows:
Syntax
switch-type
router(config-if-bri0/0)#isdn switch-type basicnet3
Configure the switch-type of an ISDN PRI

interface.
Descriptions
Configure the switch-type of an ISDN BRI
interface.
By default, ISDN supports nothing but DDR dialup mode. And about the other configuration, refer to DDR Dialup
Configuration. At present, PRI does not serve as the dialing party.
4.11Configuring an Interface-group
Bind multiple interfaces together as an interface-group. Once interface commands are configured in the interface-group, all
interfaces in the interface-group will automatically generate those commands. This can reduce the repeat of configuring the
same commands on each interface.
Basic interface-group configuration commands
z
z
An example of interface-group configuration
Configuration and statistics information of an interface-group
4.11.1 Basic Interface-group Configuration Commands
Create an interface-group:
router(config)#interface group <0-255> ?

Syntax
Enum
Range
Display
Descriptions
Adopt the enumeration mode to specify some
interfaces for the generation of an interface-group.
Set the interface range of the interface-group through
specifying the start interface and end interface.
Display all interfaces contained by the interfacegroup.
Note:
1) The type of each interface in an interface-group should be the same. (such as asynchronous interface.)2) The
above are the basic commands to create an interface-group. If no interface-group is created, the system will display the
inexistence of the command (such as the command show if-group) related with the interface-group. The commands
related with the configuration and statistics information of the interface-group do not exist until at least one interfacegroup is created.
4.11.2 An example of interface-group configuration
Configure interface-group parameters:

Syntax
router(config)#interface group 2 range async1/0

async1/15
Descriptions
Set interface-group 2 containing 16
asynchronous interfaces (from interface async1/0
to async1/15).
router(config-if-group2)#encapsulation
terminal
router(config-if-group2)#speed 9600
router(config-if-group2)#flow-control software
65535
Encapsulate the terminal protocol on the

interface-group.
Configure the rate on the interface-group.
Configure the flow-control on the interface.
Configuration result
router#show running-config
...
interface group 2 range async1/0 async1/15
(Configure an asynchronous interface-group.)
....
interface async1/0
(Configure the asynchronous interface contained by the interface-group to be
automatically generated on the interface-group.)
speed 9600
databits 8
stopbits 1
parity none
flow-control software 65535
tx-on dsr
encapsulation terminal
exit
interface async1/1
speed 9600
databits 8
stopbits 1
parity none
tx-on dsr
exit
.... (The following configuration is omitted)
4.11.3Configuration and Statistics Information of an Interface-group
show interface group _0_255_
Use the command above to display the detailed interface information of all interfaces contained by the specified
interface-group.
Command modethe privileged user configuration mode.
show if-group
Use the command above to display all interface information of each interface-group.
show running-config interface group _0_255_
Use the command above to display the configuration information of all interfaces contained by the specified interfacegroup.
Chapter 5 WAN Protocols Configuration

Maipu routers supports the following familiar WAN protocols: PPP, HDLC, X.25, LAPB, X.25, frame relay, SLIP, ISDN
and dial-up connection. This chapter describes how to configure Maipus MP series routers to connect with a WAN (for
ISDN and dial-up connection information please refer to Chapter 6).
The main topics addressed in this chapter are:
o
o
o
o
o
o
PPP protocol
HDLC protocol
SLIP protocol
TCP/IP header compression
X.25 protocol
Frame Relay protocol
5. 1 PPP Protocol
The topics addressed in this section are as follows:
o Brief Introduction of PPP
o Description of basic PPP instructions
o PPP configuration examples
o Configuring PPP authentication
o Monitor and debug PPP information
o PPP address pool
o PPP multilink
o PPP data compression
5.1.1
Brief Introduction of PPP
The PPP protocol is a kind of data link layer protocol used to transmit network layer packets on the connection from point to
point. PPP includes Link Control Protocol (LCP), Network Control Protocol (NCP), Authentication Protocol (PAP and
CHAP), and it can support synchronous/asynchronous line. PPP can be applied to serial systems with different properties to
transmit many kinds of network layer protocol data. PPP is a universal method of connecting various kinds of hosts, bridges
and routers.
PPP is composed of the following three components:
1. A method which encapsulates many kinds of network protocol datagrams;
2. The Link Control Protocol (LCP) used to establish, configure and test the data link connection;
3. A group of Network Control Protocols (NCP) used to establish and configure different network layer protocols.
5.1.2
Description of basic PPP instructions
1) Interface commands:
router1(config-if-XXX)#ppp ?
Command
Description
ppp ac
ppp accounting
ppp authentication
PPP frame address and compression of control field

Configures the accounting method of PPP connection.
Configures the authentication method (CHAP/PAP) of
PPP connection.
Configures the callback operation.
Configures it as the receiving side.
Configureds it as the originate side.
Configures CHAP authentiction parameters.
Configures the multilink binding of interface.
PPP compression protocol (predictor/stacker)
Configures PAP authentiction parameters.
Protocol field compression of PPP frame
ppp callback
------ppp callback accept
------ppp callback request
ppp chap hostname
ppp multilink
ppp compression
ppp pap
ppp pc
Ppp timeout
------ppp timeout authentication
------ppp timeout ipcp
------ppp timeout retry
The maximum waiting time to authenticate again

The maximum waiting time to configure network
protocols again
The maximum waiting time to connect link again
2) PPP interface address negotiation

In many network modes, IP addresses are distributed in the direction of upper-end to lower-end, so at the lower-end address
negotiation is used to negotiate the address of opposite terminal. For the point-to-point link layer protocol, it supports IP
address negotiation, so it can configure IP address negotiation properties of an interface without an IP address. There are
some typical examples, such as running PPP protocol in serial line to access the Internet through an ISP, configuring the IP
address negotiation of local serial interface, permitting the local interface to receive the address distributed by the opposite
terminal. The relevant configuration commands are as follows:
router (config-if- XXX)#
5.1.3
Command
Description
peer defaut ip address A.B.C.D
Distributes an IP address to the opposite terminal.
no peer defaut ip address A.B.C.D
Cancels an IP address distributed to opposite terminal
Accepts the IP address distributed by the opposite

terminal.
no Ip address negotiated
Does not accept the IP address distributed by the opposite

terminal.
Examples of PPP configuration
1) Synchronous PPP protocol

V
U RXW HU

''1

V
U RXW HU

1.
Illustration:
The port S0 (3.3.3.1) of local router connects with the port S0 (3.3.3.2) of the opposite router.
A. The configuration of router1

Command
router(config)#interface s0
router(config-if-serial0)# physical-layer sync
router(config-if-serial0)#encapsulation ppp
router(config-if-serial0)# ip address 3.3.3.1
router(config-if-serial0)#exit

255.255.255.
Task
Enters global configuration mode
Enters S0 interface
Configures physical layer works in
synchronization mode.
Encapsulates PPP protocol.
Configures IP address.
Exits from the interface s0
Note:
1. Configuration of router2 and router1 are only different in host name, IP address and
clock. In all other respects they are the same.
2.
Only encapsulation of the data link layer PPP protocol is discussed in this example. Other configurations of the
physical layer and the network layers can refer to the relevant chapters.
2) The address negotiation

As shown in the figure above, local IP addresses can now be obtained through address negotiation.
A. The configuration of router1:
Command
Router#configure terminal
router(config-if-serial0)#physical-layer sync
router(config-if-serial0)#clock rate 64000
router(config-if-serial0)#ip add ress 3.3.3.1 25 5.255.255.0
router(config-if-serial0)#peer defaut ip address
3.3.3.2
B. The configuration of router2:

Command
Task
Enters the global configuration mode.
Enters the interface S0.
The physical layer works in synchronous mode.
Configures the clock rate.
Encapsulates the link layer protocol PPP.
Configures the network layer IP address.
Designates an IP address of the opposite terminal.
Task
router(config-if-serial0)#physical-layer sync

The physical layer works in synchronous mode.
router(config-if-serial0)#ip address negotiated
Encapsulates the link layer protocol PPP.

Permits to accept the address distributed by the
opposite terminal.
5.1.4
Configuring PPP Authentication
The PPP authentication between a local router and remote router supports PAP and CHAP, and it can be bidirectional
1.
An example of configuring the PAP authentication
V
URXWHU
''1

V
URXWHU

Command
Router1#configure terminal
Router1(config)#user goat pass 0 Maipu
Task
Configures the user name as goat and
passord as Maipu.
The physical layer works in synchronous
mode.
Encapsulates PPP as link layer protocol
Configures pap authentication.
Provides clock.
Router1(config)#interface s0
Router1(config-if-serial)#physical-layer sync
Router1(config-if-serial)#encapsulation ppp
Router1(config-if-serial)#ppp authentication pap
Router1(config-if-serial)#ip address 3.3.3.1 255.255.255.0
Router1(config-if-serial)#clock rate 128000
Router1(config-if-serial)#exit
B. The configuration of router2

Command
Router2(config-if-serial0)#physical-layer sync
Router2(config-if-serial0)#encapsulation ppp
Router2(config-if-serial0)#ip address 3.3.3.2 255.255.255.0
Router2(config-if-serial0)#ppp pap sent-username goat password
Maipu
Router2(config-if-serial0)#exit
Task
The physical layer works in
synchronous mode. (Corresponding to
the partner)
Configures an IP address.
Configures the negotiated user name
and the corresponding password.
2. An example of configuring CHAP authentication

V
URXWHU

''1

V
URXWHU
Note:
1.
Because the CHAP authentication needs to check user names, the command hostname is needed to determine the
names of two sides.
A.The configuration of router1:

Command
Router1(config)# user mp2 password 0 Maipu
Router1(config)# interface serial0
Router1(config-if-serial0)# physical-layer sync
Router1(config-if-serial0)# clock rate 128000
Router1(config-if-serial0)# encapsulation ppp
Router1(config-if-serial0)# ppp authentication chap
Task
Configures as chap authentication.
Router1(config-if-serial0)# ppp chap hostname mp1
Configures the authentications

name.
Router1(config-if-serial0)# ip address 100.0.0.2 255.0.0.0

Router1(config-if-serial0)# exit
Command
Router1(config)#user mp1 password 0 Maipu
Router1(config)#interface serial0
Router1(config-if-serial0)#encapsulation ppp
Router1(config-if-serial0)#ppp chap hostname mp2
Task
Configures the authentication

name.

5.1.5
Monitoring and Debugging PPP information
Command
Description
show ppp information
serial2
LCP Stats
(Display PPP information)
LCP phase
ESTABLISH
LCP state
REQUEST
SENT
lcp echo timer
OFF
IPCP Stats
IPCP state
INITIAL
NDSPCP Stats
NDSPCP state
INITIAL
PAP Stats
client PAP state
INITIAL
server PAP state
INITIAL
CHAP Stats
client CHAP state
INITIAL
server CHAP state
INITIAL
Router#show ppp multilink
Displays PPP multilink status information
Router#show ppp version
Displays PPP version information
Router#debug ppp negotiation
Opens debugging PPP negotiation information and use this command to
[serial serial-number]
see the compression information such as tcp ,rtp ,predictor and stacker
Router#debug ppp header serial
Opens debugging header information of packets when PPP is
serial-number
negotiated
Router#debug ppp packer
Opens debugging PPP receiving/sending messages information
serial serial-number
Router#show compress XXX
Displays compressed information.
5.1.6
PPP Address Pool
When an up-end server needs to distribute IP address uniformly to its lower-end network equipments, you can choose the
address pool function in PPP.
1. The relevant configuration commands are as follows:
routerconfig#
Command
Description
In the global configuration mode:
Ip local pool default A.B.C.D
E.F.G.H
Defines a default address pool with the start address of
A.B.C.C and the end address of E.F.G.H.
IP local pool pool-name A.B.C.D

ip address-pool local
In the interface mode:
peer default ip address
Defines an address pool called pool-name and with the

start address of A.B.C.D and end address of E.F.G.H.
Enables the default address pool on all interfaces
E.F.G.H
A.B.C.D
Distributes a fixed IP address A.B.C.D to the opposite

terminal.
Enables the default address pool. (Default)
Enables an address pool called pool-name.
Enables address negotiation on the opposite terminal.
peer default ip address pool

peer default ip address pool pool-name
2. An example configuration:
V
U RXW HU

''1

V
U RXW HU
Illustration:
1.
As is shown in the figure abovethe routers router1 and router2 connect with each other through S0, encapsulate
the PPP protocol, and an address pool is configured in router1 (Users can also configure a default address pool). In
router2 the address negotiation is configured to learn the IP address distributed by the opposite router.
A.The configuration of router1:

Command
Router(config)#ip local pool goat 10.0.0.2 10.0.0.10
Router(config-if-serial0)#physical-layer sync
Router(config-if-serial0)#clock rate 128000
Router(config-if-serial0)#encapsulation ppp
Router(config-if-serial0)#peer default ip address pool goat
Router(config-if-serial0)#ip address 10.0.0.11 255.0.0.0

Router(config-if-serial0)#exit
Task
Defines an address pool called goat with
network addresses from 10.0.0.2 to 10.0.0.10.
Configures it as the synchronous mode.
Configures the clock rate.
Encapsulates the PPP protocol.
Designates the opposite terminal to use the
addresses in address pool goat (distribute
addresses from big to small).
Configures the IP address.
B.The configuration of router2:

Command
Router(config-if-serial0)#physical-layer sync
Router(config-if-serial0)#encapsulation ppp
Router(config-if-serial0)#ip address negotiated
Task
Enters the relevant interface.
Uses address negotiation to negotiate IP
addresses distributed by the opposite terminal.
Router(config-if-serial0)#end
Notice:
1.
If you want to use a default address pool, you must first configure the default address pool, then enable it. After ip
add negotiated is configured on the opposite router, it will work. If ip address-pool local is configured in the
global configuration mode, then all the interfaces will use the default address pool, and then it is unnecessary to
configure peer default ip address pool.
2.
5.1.7
If you want to use a given address pool, you must first configure the given address pool, and then configure peer
default ip address pool-name on the given interface.
PPP Multilink
PPP multilink binding can be used to provide load balance for dialup lines (PSTN/ISDN) or synchronous lines, enhance line
throughput and reduce the transmission delay among systems. By means of the PPP multilink binding, a packet can be
divided into multiple slices, which can be transmitted over the multiple parallel links simultaneously and then can be restored
to the original packet orderly.
The PPP multilink supports three binding modes: multilink, dialer and BRI. Dialer and logical interface multilink modes are
applied to the binding of physical interfaces, and the BRI mode is applied to the binding of B channels (MP router can also
support the binding of two ISDN B channels.). The three binding modes support the corresponding network modes
respectively.
The multilink binding mode: the mode is generally applied to synchronous line binding (such as DDN and SDH) instead of
dialup line binding (such as PSTN and ISDN).
The dialer binding mode: the mode is generally applied to the PSTN dialup line binding instead of the ISDN dialup line
binding. Besides that, the mode can also be applied to the synchronous line binding, but it is not recommended.
The BRI binding mode: when the multilink is adopted, the mode can be applied to nothing but the binding of two B channels
of ISDN dialup line.
The following three examples are given respectively for the foregoing three kinds of multilink binding modes.
1
The multilink binding mode
PXO W L O L QN

6
6
U RXW HU
PXO W L O L QN

6
6
U RXW HU
Illustration:
As shown in the figure above, two private lines are adopted for the connection of Router1 and Router2. To use PPP
multilink, you should firstly establish a multilink interface respectively for Router1 and Router2 and bind the physical
interfaces to the multilink interface.
1) The multilink interface of router1 is configured as follows:(the related configuration of router2 is similar to that of
router1)
Syntax
Descriptions
router1#configure terminal
Enter the global configuration mode.
router1(config)#int multilink1
Create a multilink logical interface multilink1.
router1(config-if-multilink1)#ip
add
2.0.0.1
Configure the IP address.
255.0.0.0
router1(config-if- multilink1)#encapsulation ppp
Enable the PPP protocol.
router1(config-if- multilink1)#ppp multilink
Enable the PPP multilink.
2) The physical interface of router1 is configured as follows:(the related configuration of router2 is similar to that of
router1)
Syntax
Descriptions
router1(config)#int s1/0
Enter an interface.
router1(config-if-serial1/0)# encapsulation ppp
router1(config-if-serial1/0)#multilink-group 1
Relate the physical interface with the multilink
interface.
router1(config-if-serial1/0)#physical-layer sync
Configure the synchronous mode.
router1(config-if-serial2/0)#multilink-group 1
Enter an interface.
Relate the physical interface with the multilink
interface.
2
The dialer binding mode

GL DO HU
GL DO HU

6
6
3671
6
U RXW HU
6
U RXW HU
Illustration:
As shown in the figure above, two physical interfaces (frequency-band modem interface or serial interface adopts the
external modem mode) are adopted for the connection of Router1 and Router2. To use PPP multilink, you should firstly
establish a dialer interface respectively for Router1 and Router2 and bind the physical interfaces to the dialer interface.
1) The dialer interface of Router1 is configured as follows. (The configuration of the dialer interface on Router2 is
similar to that of Router1.)
Syntax
Descriptions
router1(config)#dialer-list 1 protocol ip permit
Define a dialer-list.
router1(config)#int dialer1
Create a dialer interface dialer1.
router1(config-if-dialer1)#ip add 2.0.0.1 255.0.0.0
router1(config-if-dialer1)#encapsulation ppp
router1(config-if-dialer1)#dialer in-band
Enable DDR of the interface.
router1(config-if-dialer1)#dialer-group 1
Define an access group for access control.
router1(config-if-dialer1)#ppp multilink
router1(config-if-dialer1)#dialer string
Configure the phone number for dialer (two
phone numbers need be configured for two lines)
router1(config-if-dialer1)#dialer load-threshold
Specify the load-threshold (such as 1) for the
dialer.
2) The physical interface of Router1 is configured as follows. (The configuration of the physical interface on Router2 is
similar to that of Router1)
Syntax
Descriptions
Enter an interface.
router1(config-if-serial1/0)#dialer rotary-group 1
Relate the physical interface with the dialer
interface.
router1(config-if-serial1/0)#physical-layer async
Configure the asynchronous mode (Generally,
PSTN adopts the asynchronous modes)
Enter an interface.
router1(config-if-serial2/0)#dialer rotary-group 1
Relate the physical interface with the dialer
interface.
Configure the asynchronous mode (Generally,
PSTN adopts the asynchronous modes)

The above is the basic configuration of the modem. If the interface adopts the external modem mode,
modem out need still be configured on the serial-interface more.
3
The BRI binding mode
bri0/0
bri0/0
2.0.0.1/8
2.0.0.2/8
B channel 0
B channel 0
ISDN
B channel
1
router1
B channel
1
router2
Illustration:
As shown in the figure above, one ISDN line is employed for Router1 and Router2 to access ISDN. Two B channels of
the line are bound together for a PPP multilink. By default, two B channels are bound with the BRI interface. Thereby, the
BRI binding mode needs no manual configuration of the binding of two B channels and the BRI interface.
1) The BRI interface of Router1 is configured as follows. (The configuration of the BRI interface on Router2 is similar
to that of Router1)
Syntax
router1(config)#dialer-list 1 protocol ip permit
router1(config)#int bri0/0
router1(config-if- bri0/0)#ip add 2.0.0.1 255.0.0.0
router1(config-if- bri0/0)#encapsulation ppp
router1(config-if- bri0/0)#dialer in-band
router1(config-if- bri0/0)#dialer-group 1
router1(config-if- bri0/0)#ppp multilink
router1(config-if- bri0/0)#dialer string
router1(config-if- bri0/0)#dialer load-threshold
Descriptions
Define a dialer-list.
Enter the BRI interface.
Enable the interface DDR.
Define an access group for access control.
Configure an ISDN number for dialup
Specify the load-threshold (such as 1) for the
dialer.
5.1.8 PPP Data Compression

Maipu routers can use compression to optimize its performance and then can provide higher data throughput capacity.
The compression modes supported by Maipu routers are as follows:
Predictor----uses the index method to forecast the next character sequence of the data stream according to the compression
dictionary; it can first judge whether the data is compressed. If the data has been compressed, it will be sent out at once and
the system does not waste time to compress the data that has been compressed.
Stacker---- is a compression method based on Lempel-Ziv(LZ). It sends each kind of data only one time, and then only sends
the information about each kind of data that is located in the data stream. The receiver can assemble the data stream again int
understandable information.
TCP/IP Header Compression----is employed to compress the length of TCP/IP header
RTP Compression----is employed to compress the real-time voice data.
1.
The relevant configuring commands:
router(config-if- XXX)#
Command
ppp Compress predictor
ppp Compress stacker
ip tcp header-compression
ip rtp header-compression
Description
Configures predictor compression.
Configures stacker compression.
Configures TCP header compression.
Configures RTP compression.
Note 1:
1. Predicor is an algorithm that lays on dense memory and little usage of CPU;
2. Stacker is an algorithm that lays on dense CPU and little usage of memory.
3. display this compression information to refer to debug ppp commands
Note 2:
1. For all the functions achieved by PPP (for example, compression and reliable-link etc.), Users need to configure it
from both sides. If only one side configures a function while the other one does not, the function will not work.
2.
PPP Compression Example
An example of compression configuration
Illustration:
The predictor compression is adopted for the connection of the port S1/0(3.3.3.1) of the local router router1 and the
port S1/0 (3.3.3.2) of the opposite router router2.
A) Router1 is configured as follows.
Syntax
router1(config)#interface s1/0
router1(config-if-serial1/0)#encapsulation ppp
router1(config-if-serial1/0)#ppp compress predictor
router1(config-if-serial1/0)#ip address 3.3.3.1 255.0.0.0
router1(config-if-serial1/0)#clock rate 128000
router1(config-if-serial1/0)#exit
B) Router2 is configured as follows.
Syntax
router1(config-if-serial1/0)#ppp compress predictor
Descriptions
Enter the interface S1/0.
The physical layer operates in the
synchronous mode.
Encapsulate the link-layer protocol
PPP.
Configure the predictor compression.
Provide the clock rate.
Descriptions
synchronous
mode.(Corresponding
with the opposite end)
Configure the predictor compression.

5.1.9 PPP BACP (Bandwidth Allocation Control Protocol) and PPP BAP
5.1.10 BACP Configuration Commands
This section mainly describes the BACP (bandwidth allocation control protocol) configuration commands that are used to
configure the router PPP (point-to-point protocol) for the dialup solution.
ppp bap call
Use the Command to enable PPP BACP CALL. To configure the PPP BACP call parameters, use the interface
configuration command ppp bap call. To deny the processing of the specified type, use the negation of the command to
disable it.
ppp bap call { accept | request | timer seconds }
no ppp bap call { accept | request | timer }
Syntax
Description
Accept
Allow the opposite end to initiate link addition. (By default)
Request
Allow the local end to initiate link addition.
Timer seconds
The time to wait between sending call requests in seconds. And

its range is from 2s to 120s. (No default is configured).
By defaultaccept -------- The opposite end can initiate link addition.
Command modethe interface configuration mode The opposite end can initiate link addition
ppp bap callback
Use the Command to enable the parameter of PPP BAP CALLBACK. To configure the PPP BACP callback and set
callback parameters, use the interface configuration command ppp bap callback. To delete the configuration of PPP BACP
callback, use the negation of the command to disable it.
ppp bap callback { accept | request | timer seconds }
no ppp bap callback { accept | request | timer }
Syntax
Description
Accept
Request
Timer seconds
Initiate link addition upon peer notification.

Request that a peer initiate link addition.
The time to wait between sending callback requests in seconds.
And its range is from 2s to 120s. (The default is disabled).
By defaultThe callback is disable.

Command modethe inteface configuration mode
ppp bap drop
Use the Command to enable the delete opertion of multilink bundle. To configure the parameter that is used to delete a
link from a bound links, use the interface configuration command ppp bap drop. To deny the processing of the specified
type, use the negation of the command to disable it.
ppp bap drop { accept | after-retries | request | timer seconds }
no ppp bap drop { accept | after-retries |request | timer }
Syntax
Description
Accept
Request
Timer seconds
after-retries
Allow a peer to initiate link removal (By default).

Remove the link after no response to drop requests.
Initiate the removal of a link (No default value is configured).

The time to wait between sending link drop requests in seconds.
Without any BACP negotiation, the local router can delete the
link directly when receiving no interrupt request response sent by the
opposite end.
By defaultaccept request-------the opposite end and the local router are permitted to enable link delete.
ppp bap link types

Use the Command to define the link type of multilink bundle.
To define the link type contained in specified multilink bundle, use the interface configuration command ppp bap link
types. To delete an interfac type that is permitted to be added previously, use the negation of the command to disable it.
ppp bap link types [ isdn ] [ analog ]
no ppp bap link types [ isdn ] [ analog ]
Syntax
Description
Isdn
Analog
ISDN interface
ISDN link can be added into a multilink bundle.
Synchronous or asynchronous interfaces.
An asynchronous serial link can be added into the multilink bundle.
By defaultdisabled
ppp bap max
Use the Command to define the parameter of BAP rety.
To set the larger PPP BACP retry-times, use the interface configuration command ppp bap max. To delete any retrytimes, use the negation of the command to disable it.
ppp bap max { dial-attempts number | ind-retries number | req-retries number | dialers number }
no ppp bap max { dial-attempts | ind-retries | req-retries | dialers }
Syntax
Description
dial-attempts number
ind-retries number
req-retries number
dialers number
Maximum number of dial attempts for a phone number to any destination.

Its value range is from 1 to 3, and the default value is 1.
Maximum number of retries of a call status indication (3 default). Its value
range is from 1 to 10, and the default value is 3.
Maximum number of retries for a particular request . Its value range is from
1 to 5, and the default value is 3.
Maximum number of idle dialers permitted to log in. Its value range is from
1 to 10.
By default
dial-attempts number =1 one time of dial-attempt
ind-retries number =5 5 times of dial-attemptss
req-retries number =3 3 times of dial-attempts
ppp bap number
Use the Command to define the number for peers Call.
To specify a local phone number so that the opposite end can establish a multilink bundle by means of the dialup mode,
use the interface configuration command ppp bap number. To delete a configured number , use the negation of the
commaand to disable it.
ppp bap number { default phone-number | secondary phone-number }
no ppp bap number { default | secondary }
Syntax
Description
default phone-number
A base phone number which can be used to dial in.
Secondary phone-number
A secondary phone number which can be applied to the BRI interface.
By defaultNo phone number is provided.
ppp bap monitor load
Use the Command to monitor the payload of multilink bundle.
To acknowledge the link delete/add request of the opposite end for the threshold value of the current multilink load and
the defined dialer load, use the interface configuration command ppp bap monitor load. To make the ingress link add
request have no relation with the threshold of the multilink load, use the negation of the commaand to disable it.
ppp bap monitor load
no ppp bap monitor load
By defaulteabled
Command modeinterface configuration mode.
ppp bap timeout
To set the non-default timeout of PPP BACP suspension and response, use the interface configuration command ppp
bap timeoutTo restore the default timeout of the response or delete a suspension timeout completely, use the negation of
the commaand to disable it.
ppp bap timeout { pending seconds | response seconds }
no ppp bap timeout { pending | response }
Syntax
Description
Pending seconds
Pending action timeout in seconds. Its value range is from 2s to 180s, and
the default is 20.
Response seconds
Response timeout in seconds Its value range is from 2s to 120s, and the
default is 3.
By defaultaccept ---------The oppositing end can enable the link addition.
ppp multilink
To enable the multilink PPP on an interface and dynamic bandwidth allocation, use the interface configuration
command ppp multilink. To disable the multilink PPP or dynamic bandwidth allocation, use the negation of the commaand
to disable it.
ppp multilink [ bap ]
no ppp multilink [ bap ]
Syntax
Description
Bap
Enable BACP/BAP bandwidth allocation negotiation(optional).
By defaultdisabled.
5.1.11 A PPP BACP Configuration Example
Figure 4-7 an example of PPP BACP configuration

Illustration
1) Router1 and router2 are connected together through two PSTN lines, and DDR dialup is configured for them. There
are two phone numbers 602 and 603 on the side of router1, and there are two phone numbers 605 and 606 on the side of
router2.
2) The aim of the example is that the second dialup line will be activated when the traffic of the first dialup line arrives
at some specified value.
BAP is configured on the BRI interface:
A) Router1 is configured as follows:
Command
Task
router1# configure terminal

router1(config)# user router2 password 0 maipu
router1(config)# dialer-list 1 protocol ip permit
router1(config)# interface bri0/0
router1(config-if-bri0/0)#ip address
255.0.0.0
12.1.1.2
router1(config-if-bri0/0)# dialer in-band

router1(config-if-bri0/0)# dialer idle-timeout 20
router1(config-if-bri0/0)# dialer fast-idle 2000
router1(config-if-bri0/0)# dialer enable-timeout
Activate the DDR dialup K DDR.
20
router1(config-if-bri0/0)# dialer map ip 12.1.1.1
name router2 broadcast 605
router1(config-if-bri0/0)# dialer load-threshold
14 outbound
Set the link load threshold as 14/255 so that the

second link will be activated when the link load
exceeds the threshold.
router1(config-if-bri0/0)# dialer-group 1
router1(config-if-bri0/0)# encapsulation ppp
router1(config-if-bri0/0)# ppp multilink bap
Negotiate BACP and BAP on the multilink.
router1(config-if-bri0/0)# ppp authentication

chap
router1(config-if-bri0/0)# ppp chap hostname
router1
router1(config-if-bri0/0)# ppp bap call request
router1(config-if-bri0/0)# ppp bap link types
Sent the BAP call request when some links need be

added.
Set the type of the current multilink as ISDN.
isdn
router1(config-if-bri0/0)# ppp bap number
default 602
secondary 603
router1(config-if-bri0/0)# ppp bap drop afterretries
B) Router1 2s configured as follows:

Command
Set the default dialup string (the local number, used

for the dialup of the opposite end)
Set the secondary dialup string ( configured only on
the BRI interface and applied to the opposite end )
Directly delete the link instead of sending BAP
distconnection request. (directly send LCP
interrupt request)
Task

router2(config)# interface bri0/0
router2(config-if-bri0/0)#ip address 12.1.1.1
255.0.0.0
router2(config-if-bri0/0)# dialer in-band
router2(config-if-bri0/0)# dialer idle-timeout 20
router2(config-if-bri0/0)# dialer fast-idle 2000
router2(config-if-bri0/0)# dialer enable-timeout
20
router2(config-if-bri0/0)# dialer map ip 12.1.1.2
name router1 broadcast 602
router2(config-if-bri0/0)# dialer load-threshold 14
outbound
router2(config-if-bri0/0)# dialer-group 1
router2(config-if-bri0/0)# encapsulation ppp
router2(config-if-bri0/0)# ppp multilink bap
router2(config-if-bri0/0)# ppp authentication chap
router2(config-if-bri0/0)# ppp chap hostname
router2
Active the DDR dialup.
Configure the link load.
router2(config-if-bri0/0)# ppp bap call accept
Receive the BAP call of the opposite end.

(it is the default configuration and can be omitted.)
router2(config-if-bri0/0)# ppp bap link types isdn

router2(config-if-bri0/0)# ppp bap number default
605
secondary 606
router2(config-if-bri0/0)# ppp bap drop afterretries
BAP is configured on the serial interface:
Command
Task

router1(config)# interface dialer0
router1(config-if-dialer0)# ip address 12.1.1.2
255.0.0.0
router1(config-if-dialer0)# dialer idle-timeout 20
router1(config-if-dialer0)# dialer fast-idle 2000
router1(config-if-dialer0)# dialer enable-timeout 20
router1(config-if-dialer0)# dialer in-band
router1(config-if-dialer0)# Dialer string 605
router1(config-if-dialer0)# dialer load-threshold 14
outbound
router1(config-if-dialer0)# dialer-group 1
router1(config-if-dialer0)# encapsulation ppp
router1(config-if-dialer0)# ppp multilink bap
router1(config-if-dialer0)# ppp authentication chap
router1(config-if-dialer0)# ppp chap hostname router1
router1(config-if-dialer0)# ppp bap callback request
router1(config-if-dialer0)# ppp bap link types analog
router1(config-if-dialer0)# ppp bap drop after-retries
router1(config-if-dialer0)# interface s1/0
Create a logical dialer interface.
The opposite-end number used to activate

the first link.
Sent the BAP callback request when a link

need be added.
Set the type of the current multilink as
analog.
Directly delete the link instead of sending
BAP distconnection request. (directly send
LCP interrupt request)
Enterht the configuration mode of the
physical interface.
router1(config-if-Serial1/0)# physical-layer async

router1(config-if-Serial1/0)# encapsulation ppp
router1(config-if-Serial1/0)# dialer rotary-group 0
Subject to the logical interface dialer0.
router1(config-if-Serial1/0)# ppp bap number default
The dialup string provided for the opposite

end.
602
router1(config-if-Serial1/0)# interface s2/0
router1(config-if-Serial2/0)# dialer-rotary-group 0
router1(config-if-Serial2/0)# ppp bap number default
The dialup string provided for the opposite
603
end.
B) Router 2 is configured as follows:

Command
Task

router2(config)# interface dialer0
router2(config-if- dialer0)# ip address 12.1.1.2 255.0.0.0
router2(config-if-dialer0)# dialer idle-timeout 20
router2(config-if-dialer0)# dialer fast-idle 2000
router2(config-if-dialer0)# dialer enable-timeout 20
router2(config-if-dialer0)# dialer in-band
router2(config-if-dialer0)# Dialer string 602
router2(config-if-dialer0)# dialer load-threshold
outbound
router2(config-if-dialer0)# dialer-group 1
router2(config-if-dialer0)# encapsulation ppp
14
router2(config-if-dialer0)# ppp multilink bap
The opposite-end number used to

activate the first link.
Negotiate BACP and BAP on the

multilink.
router2(config-if-dialer0)# ppp authentication chap

router2(config-if-dialer0)# ppp chap hostname router2
router2(config-if-dialer0)# ppp bap callback accept
router2(config-if-dialer0)# ppp bap link types analog
Receive the BAP callback request. (By

default)
Set the type of the current multilink as
analog.
router2(config-if-dialer0)# ppp bap drop after-retries

router2(config-if-dialer0)# interface s1/0
router2(config-if-Serial1/0)# dialer rotary-group 0
router2(config-if-Serial1/0)# ppp bap number default 605
The dialup string provided for the

opposite end.
router2(config-if-Serial1/0)# interface s2/0

router2(config-if-Serial2/0)# dialer-rotary-group 0
router2(config-if-Serial2/0)#ppp bap number default 606

5.1.12 Monitoring PPP BACP
show ppp bap group
To display the configuration and operation status of a multilink bundle, use the command show ppp bap group.
show ppp bap group
Syntax
Description
Group
Display BAP group information.
Command modethe privileged configuration mode

show ppp multilink
To display the information about multilink PPP bundle, use the command show ppp multilink.
Command modethe privileged configuration mode

5.1.13 MPLS Over PPP
ppp mpls
To transport MPLS packets over PPP, use the command ppp mpls, or else, use the negation of the command to disable
it.
By defaultdisabled
Command modethe interface configuration mode
Configuration Example
Illustration:
Router1 and router2 are connected directly in the MPLS core network.
Syntax
router1(config-if-serial1/0)#ppp mpls
router1(config-if-serial1/0)#mpls ip
Syntax
router1(config-if-serial1/0)#ppp mpls
router1(config-if-serial1/0)#mpls ip
Descriptions
synchronous mode.
PPP.
Configure PPP to support MPLS.
Configure an interface to support
MPLS.
Provide clock rate.
Descriptions
synchronous
mode.(Corresponding
Configure PPP to support MPLS.
Configure an interface to support
MPLS.
5.1.14 AAA authorization Over PPP

ppp authorization string
In order to use AAA authorization on PPP link, configure the command PPP authorization, or else, use the negation of
the command to disable it.

By defaultdisabled
configuration exampleplease refer to AAA configuration
5.1.15 PPP encryption

ppp encrypt des encrypt-key
In order to use encryption on PPP link, configure DES encryption, or else,
it.
By defaultdisabled
use the negation of the command to disable
Illustration:
The DES encryption is adopted for the connection of the port S1/0(3.3.3.1) of the local router router1 and the port
S1/0 (3.3.3.2) of the opposite router router2.
Syntax
router1(config-if-serial1/0)#ppp encrypt des 123

Syntax
router1(config-if-serial1/0)#ppp encrypt des 123
Descriptions
synchronous mode.
PPP.
Configure the DES encryption key
(must be consistent with that of the
opposite end)
Provide the clock rate.
Descriptions
synchronous
mode.(Corresponding
Configure the DES encryption key
(must be consistent with that of the
opposite end)
5.1.16 PPP CALLBACK

ppp callback accept | initiate | request
In order to use CallBack function on PPP link, confige PPP Callback command, or else, use the negation of the
command to disable it.
By defaultdisabled
Command modethe interface configuration mode.
Notice
When the option of Callback is not configured, use PPP Callback Initiate to callback.(eg: the callback negotiation
between the router and Linux OS). When a callback is performed between the router and Windows OS serving as the dialup
server, it is recommended that the command ppp callback accept is configured on the router.
5.1.17 negotiate DNS and WINS over PPP
ppp ipcp dns ip-address1 [ip-address2]
ppp ipcp wins ip-address1 [ip-address2]
In order to negotiate DNS and WINS ip address, use PPP ipcp dns Command, or else use the negation of the command
to disable it.
Syntax
Description
Dns
Specify DNS negotiation options
Wins
Specify WINS negotiation options
ip-address1
Primary DNS/WINS IP address
ip-address2
Secondary DNS/WINS IP address
By defaultdisabled
Command modeinterface configuration mode.
Notice
The Command uses to dial for Windows.
Configuration Examplethe interface configuration mode.
U RXW HU
3&
6

03
03

3671

Illustration:
PC connects to the router through the PSTN dialer, and the router allocates DNS, WINS address and an IP address
to PC.
The router is configured as follows.
Syntax
Descriptions
asynchronous mode.
router1(config-if-serial1/0)#modem out
router1(config-if-serial1/0)# peer default ip address 3.3.3.2
router1(config-if-serial1/0)#ppp ipcp dns 1.1.1.1 1.1.1.2
router1(config-if-serial1/0)#ppp ipcp wins 2.1.1.1 2.1.1.2

PPP.
Set the external MODEM mode.
Allocate an IP address to PC.
Allocate DNS address to PC.
Allocate WINS address to PC.
5.1.18 Negotiate IP Address over PPP from dialer-map

ppp ignore-map
In order to negotiate IP address from dialer-map of peer, use ppp ignore-map Command, or else, use the negation of the
By defaultenabled
Notice:
The command no ppp ignore-map and dialer map used together. no ppp ignore-map and the command dialer map
are used together.
Configuration exampleplease refer to chapter 6
5.1.19 PPP Bridge
ppp bridge ip
Use PPP Bridge IP Command to enable Bridge datas over PPP link, or else use the negation of the command to disable
it.
By defaultdisabled
Command modethe interface configure mode
Notice
The command ppp bridge ip and bridge-group used together. ppp bridge ip and the command bridge-group are
used together.
5.1.20 Null username CHAP authentication Over PPP
ppp chap password [string]
Use the command ppp chap password [string] to set the password for null username authentication; otherwise, use the
negation of the command to cancel the existing configuration.
The parameter string is the password whose length can not be more than 80 (characters) and there exists no default value
of the password.
By defaultNothing is defined.
ppp chap hostname [string]
Use the command ppp chap hostname [string] to set the chap authentication username; otherwise, use the negation of
the command to cancel the existing configuration and use the hostname.
The parameter string is the username whose length can not be more than 80 (characters). By default, the router
hostname is adopted.
By defaultThe router hostname is adopted.
ppp chap send-hostname
Use the command ppp chap send-hostname to enable the switch of sending the concrete username for chap
authentication; otherwise, use the negation of the command to disable the switch and send null username.
By defaultNothing is defined.
Notice
By default, PPP protocol can be used to deal with the authentication information of null name sent by the
opposite end. The null name of ms-chap authentication is also supported, and the configuration is the same.
ro u ter
D ia lu p a c c e s s s y s t e m
S 1 /0
163
M P336
PSTN
605
Illustration:
When a dialup access system (or PPPOE access system) is performing the chap authentication, the null name is
sent to the lower-end equipment. Thereby, the downlink equipments can not search the related password from the user
base according to the username of the upper-end equipment. Hare, it is necessary to configure the chap authentication
of null username for MP router.
The router is configured as follows.
Syntax
router1(config-if-serial1/0)#modem out
router1(config-if-serial1/0)#ppp chap hostname abc
router1(config-if-serial1/0)#ppp chap password 123
router1(config-if-serial1/0)#dialer string 163
router1(config-if-serial1/0)# modem party originate
router1(config-if-serial1/0)# modem enable
Descriptions
asynchronous mode.
PPP.
Configure the external MODEM
mode.
Configure the username allocated by
the access system.
Configure the password allocated by
the access system.
Set the called number 163 of the
access system.
Set MODEM as the call origination.
Enable the modem.
5.2 HDLC protocol

5.2.1
Brief Introduction of Protocol
HDLC is a bit-oriented synchronous communication procedure developed by the International Standards Organization
(ISO)(bit-oriented means that any combination of bits can be transmitted). From the point of link access, HDLC has several
main subsets, such as LAP (Link Access Protocol), LAPB(Link Access Procedure Balanced)and LAPD(Link Access
Procedure for D channel).
5.2.2
The relevant commands of HDLC:
router(config-if- XXX)#
Command
Description
encapsulation hdlc
Link layer protocol encapsulates HDLC.
keeplive
Sends the period of the keeplive frame

32767].
period
[0-
An Example of HDLC Configuration

V
U RXW HU

''1

V
U RXW HU
Illustration:
As shown in the figure above, router1 and router2 connects to each other through serial port s0 and use HDLC
protocol.
2. The port S0 (3.3.3.1) of local router router1 connects to the port S0 (3.3.3.2) of the opposite router router2.
1.
1. The configuration of router1:

Command
router1(config)#int s1
router1(config-if-serial1)#ip add 1.0.0.1 255.0.0.0
router1(config-if-serial1)#phy sync
router1(config-if-serial1)#clock rate 128000
router1(config-if-serial1)#encapsulation hdlc
Task
Enters the interface configuration mode.
Configures it as the synchronization mode.
Configures clock.
Configures the HDLC protocol.

Command
Router2(config)#int s1
router2(config-if-serial1)#encapsulation hdlc
Router2(config-if-serial1)#phy sync
Router2(config-if-serial1)#ip add 1.0.0.2 255.0.0.0
Task
Encapsulates the HDLC protocol.
5.2.3
HDLC Debug Information
There are two main debug switches for HDLC, which can analyze the working situation of HDLC by comparing the relevant
information in DEBUG with the frame format of HDLC.
Turn on the debugging switch of the interface that encapsulates HDLC:
Router#
Command
Description
debug hdlc serial-number all
Display all the received/sending frames and the

contents of a whole frame on the interface that
encapsulates HDLC.
debug hdlc serial-number head
Display all the received/sending frames and the

contents of the frame headers on the interface that
encapsulates HDLC.
5.2.4
Configuring HDLC Bridge-connection Mode
Maipu routers can be configured to work in HDLC bridge mode. In this mode the equipment connected together at the two
ends of the bridge can transmit data transparently through the TCP/IP network. From the viewpoint of users, the equipment at
two ends of bridge was connected to each other through a pair of MODEMs would be connected to each otherwhile the
intermediate TCP/IP network looks like a direct-cable.
1) Configuring instructions
router(config-if-XXX)#
Command
encapsulation hdlc
bridge ip <A.B.C.D> <bridge prot number>
<client / server>
Description
Configures the local IP address (equipment as
server)/peer IP address(equipment as client) and the
bridge-connection port.
2) A sample configuration
(TXL SPHQW $

5RXW HU $
(TXL SPHQW %
,3
1HW ZRU N

5RXW HU %
Illustration:
Through the configuration showed in the above figure, the user PCs Equipment A and B connect on the both sides of the
bridges to routerA and routerB which can transmit data transparently across the TCP/IP network
The relevant configurations are as follows:

1. The configuration of routerA:
Command
routerA(config)#interface serial2
routerA(config-if-serial2)#physical-layer sync
routerA(config-if-serial2)#encapsulation ppp
routerA(config-if-serial2)#ip address 6.1.1.2 255.255.255.252
routerA(config-if-serial2)#exit
routerA(config-if-serial3)#clock rate 128000
routerA(config-if-serial3)#encapsulation hdlc
routerA(config-if-serial3)#bridge ip 6.1.1.1 5000 client
Task
Enters the interface s2.
Configures it as synchronization mode
Returns to the global configuration mode.
Encapsulates the synchronization mode.
Configures the clock as 128K.
Encapsulates HDLC protocol.
The IP of the bridge-connection server, the
port number 5000, the client end
Finishes the configuration.
2. The configuration of routerB

Command
Task
routerB(config)#interface serial2
routerB(config-if-serial2)# physical-layer sync
routerB(config-if-serial2)#clock rate 128000
routerB(config-if-serial2)#encapsulation ppp
routerB(config-if-serial2)#ip address 6.1.1.1 255.255.255.252
routerB(config-if-serial2)#exit
routerB(config)#interface serial0
routerB(config-if-serial0)#physical-layer sync
routerB(config-if-serial0)#encapsulation hdlc
routerB(config-if-serial0)#bridge ip 6.1.1.1 5000 server
routerB(config-if-serial0)#exit

Configures the clock as 128K.
Exits from interface mode.
Enters the port s0 mode.
Configures it as synchronization mode.
Configures HDLC encapsulation.
Configures the server with a port 5000.
Finishes the configuration.
Note:
In the above configuration, the routerA is used as the client end while the routerB is used as the server end; both of the bridge
port numbers are set as 5000. The s2 port of MprouterA and the s2 port of MprouterB connect to the TCP/IP network
respectively. The port s3 and port s0 are used as the interface of the bridge-connection to connect user equipment, and then
they enable the user equipment to transmit data transparently through the TCP/IP network.
3) Displaying Information
The command show interface allows users to examine the current connection status of the bridge.
For example:
routerA#show interface serial3
Flags: (0x80f0) DOWN POINT-TO-POINT MULTICAST RUNNING
Type: HDLC
Metric is 0
Maximum Transfer Unit size is 1500
hdlc version: v1.27
hdlc bridge client: 6.1.1.1,5000, connect
The bridge is at the status of connected.
rxFrames 1744, rxChars 74436
txFrames 1738, txChars 74410
DCD=up DSR=up DTR=up RTS=up CTS=up TxC=up
rate=128000 bps
5.2.5 HDLC Compression and debugging
compress stac
To enable STAC compression over the HDLC link protocol, use the command Compress Stac, or else, use the negation
of the command to disable it.
By defaultdisabled
Notice
HDLC STAC uses LZS algorithm to compress the network-layer data. About the related information, refer to the
instruction to PPP data compression.
Debug interface number
By defaultdisabled
Command modethe privilege configuration mode
5.3 SLIP protocol
5.3.1
Brief Introduction
SLIP is a kind of protocol widely used at present to transmit IP datagrams on a serial line. While it is a very p ractical
standard while not an Internet standard. It is only a protocol used to encapsulate IP datagrams, and only defines the sequence
of the characters in the IP datagram that is encapsulated in the link layer frame format and is sent over a serial line, without
providing the functions such as dynamical IP address distribution, datagram type identity, error checking/correction and data
compression etc.
5.3.2
An example of configuration
SLIP configuration is simple, which generally includes about several procedures: configuring the physical layer as
asynchronous, the link layer encapsulating SLIP and peer IP address. In addition, properly asynchronous configuration is
must.
V
U RXW HU

''1

V
U RXW HU
Illustration:
1. As shown in the above figure, router1 and router2 connect to each other through serial port s0 and both run the
SLIP protocol.
The configuration is as follows:
Command
router1(config-if-serial0)#phy async
router1(config-if-serial0)#enc slip
router1(config-if-serial0)#ip address 3.3.3.1 255.255.255.0
router1(config-if-serial0)#peer ip address 3.3.3.2
router1(config-if-serial0)#speed 9600
router1(config-if-serial0)#databit 8
router1(config-if-serial0)#stopbit 1
router1(config-if-serial0)#parity none
router1(config-if-serial0)#flowctrl none

Command
Router2(config-if-serial0)#phy async
Router2(config-if-serial0)#enc slip
Router2(config-if-serial0)#speed 9600
Router2(config-if-serial0)#stopbit 1
Router2(config-if-serial0)#databit 8
Router2(config-if-serial0)#peer ip address 3.3.3.1
Router2(config-if-serial0)#parity none
Router2(config-if-serial0)#flowctrl none
Task
The physical layer works in the
asynchronous mode.
Encapsulates SLIP.
Local IP address
Designates the IP address of the opposite
terminal.
Speed is 9600.
8 Data bits
1 stop bit
Parity none
Without flow control
Task
Enters the interface mode.
Configures the working mode as
asynchronous.
Encapsulates SLIP protocol.
Speed is 9600.
1 stop bit
8 data bits
Designates the IP address of the opposite
terminal.
Parity none
Without flow control
Note:
1. Peer ip add A.B.C.D is used to designate the IP address of the opposite side.
5.4 TCP/IP Packet Header Compression
TCP packet header compression uses the van Jacobson algorithm, which is defined in the RFC 1144. It is suitable for the
TCP/IP data stream with small packets (for example, the telnet session packet). TCP/IP packet header compression reduces
additional costs because of transferring the big TCP/IP packet headers in WAN.
TCP/IP packet header compression is geared toward protocols and it only compresses TCP/IP packet headers. So the frame
header of the second layer will not be changed. The data frame whose TCP/IP packet header has been compressed will be
transmitted on the WAN link.
In other words, TCP/IP packet header compression is more useful with the minitype packets that only have several bytes
(such as a telnet packet). The packet header compression protocols supported by Maipu routers are: X25 protocol, Frame-
relay protocol, PPP protocol and HDLC protocol. This kind of packet can also be applied to the dial-up WAN link protocol.
Because data compression wll bring additional process, packet header compression is usually used on the low-speed link, for
example, the 64Kb/S link.
The configuration commands are as follows:
router (config-if-XXX)#
Command
Description
enc ppp
Encapsulate ppp. (ROUTER supports the TCP packet-header

compression of x25.frame-relay.hdlc.ppp)
Encapsulates TCP packet header compression
The function of the keyword passive is that the TCP packets
will be compressed if received packets of the interface are
compressed. If the parameter passive is not designated, the
router will compress all the data streams.
ip tcp header-compression
Ip tcp header-compression passive
5.5
X.25 Protocol
This section introduces how to configure X.25 protocol on a Maipu router and how to run various X.25 parameters so as to
achieve the seamless intgegration of a Maipu router in a X.25 network.
The main topics discussed in this section are:
Brief introduction of X.25
Description of basic X.25 configuration
The typical examples of X.25 configurations
Debugging/monitoring X.25
The X.25 sub-interface
Examples of X.25 sub-interface configurations
5.5.1 Brief Introduction of X.25
When the MP2600 router is used to connect with X.25 network or another router encapsulating X.25 through a leased line,
the X.25 protocol and LAPB protocol need to be configured on the WAN port of the router.
5.5.2 Description of basic X.25 configuration
A. The configuring commands of X.25
router(config-if-XXX)#x25 ?
Command
Description
Address <X.121 address>
Configure the X.121 address of the interface.
Dce
Work in X.25 DCE mode
Dte
Work in X.25 DTE mode
hold-queue <number>
Configures the hold-queue length of virtual circuit

group.
htc <Virtual Circuit number>
Configures the highest bidirectional virtual circuit.
idle <Minutes>
Configures the idle time of encapsulated virtual

circuit.
ips < bytes (power of 2)>
Configures the size of the maximum input group.
ltc <virtual circuit number>
Configures the lowest-bidirectional virtual circuit.
map ip/ compressedtcp <A.B.C.D> <X.121 Addr><

broadcast/ negotiate-disable/ <CR> >
Establishes the mapping from IP address to X.121

address.
B.
modulo <128/8>
Configures modulo value (numbering mode).
nvc < SVCs>
Configures the permitted number of virtual

circuits. The maximum of the number is 8.
ops <bytes (power of 2)>
Configures the size of the maximum output group.
pvc <circuit number> ip/compressedtcp

<A.B.C.D><X.121 address><broadcast/ <CR> >
Creates a permanent virtual circuit.
t20 <seconds>
Configures the delay value of the DTE/DCErestart timer.
t21 <seconds>
Configures the delay value of DTE/DCE call

regulation timer.
t22 <seconds>
Configures the delay value of DTE/DCE recover

regulation timer.
t23 <seconds>
Configures the delay value of DTE/DCE clear

regulation timer.
win <packets>
Configures the size of input window.
wout <packets>
Configures the size of output window.
The configuration command of LAPB
The second layer of X.25 or namely LAPB corresponds with the data link layer of the OSI reference mode. LAPB prescribes
the format (called frame) to exchange data on the physical link, to check losing sequence and losing frame, to perform frame
retransmission and frame acknowledge
router(config-if-XXX)#lapb ?
Command
Description
dce
The lapb dce working mode
dte
K <LAPB k parameter (frames)>
The lapb dte working mode

Configures the LAPB window parameter K.
modulo <128/8>
Configures the numbering mode (also called

moulus) of LAPB frame.
N1 <LAPB N1 parameter (bytes)>
The maximum byte number of the frame expected

to be received.
N2 <LAPB N2 parameter (transmit count)>
The maximum try times to send a frame.
T1 <LAPB T1 parameter (seconds)>
Resend timer
Receiving timer
Configure the LAPB system timers T1, T2, T4.
5.5.3 An example of a typical X.25 configuration

V
URXWHU

V
;

URXWHU

Command
Router1(config-if-serial0)#encapsulation
Task
x25
Router1(config-if-serial0) x25 dte

Router1(config-if-serial0)x25 address 200
Router1(config-if-serial0)x25 map ip 3.3.3.2 100
Router1(config-if-serial0)#ip address 3.3.3.1
Router1(config-if-serial0)#end
255.255.255.

Command
Router2(config-if-serial0)#encapsulation x25
Router2(config-if-serial0) x25 dce
Router2(config-if-serial0)x25 address 100
Router2(config-if-serial0)x25 map ip 3.3.3.1 200
255.255.255.
5.5.4 Debugging/Monitoring X.25

Displays the status information of an interface of local router:
show interface serial <serial-number>

Flags: (0x80e1) UP MULTICAST RUNNING
Type: RFC877_X25
Netmask 0xff000000 Subnetmask 0xffffff00
Metric is 0
X.25 DTE,address 100, state R1, modulo 8, timer 0
Defaults: idle VC timeout 1 Minutes
ietf encapsulation
input/output window sizes 2/2, packet sizes 128/128
Timers: T20 10, T21 10, T22 10, T23 10
Enters port S0.

The physical layer works in the synchronous
mode.
Encapsulates the data link layer protocol
X.25.
Configures X.25 as DTE mode.
The X.121 address is 200
Establishes the map between the IP address
of the opposite terminal and the X.121
address.
Configures the IP address of port S0.
Task
Configures X.25 as DCE mode.

The X.121 address is 100.
Establishes the map between the IP address
of the opposite terminal and the X.121
address.
Configures the IP address of the port S0.
Channels: PVC none, SVC 1-1024

RESTARTs 0/1 CALLs 1+0/0+1 DIAGs 0/0
LAPB DTE, state CONNECT modulo 8, k 7, N1 1550, N2 10
T1 3s, T2 1s, interfaceoutage (partial T3) 9s, T4 15s
vs:5, vr:4, txNr:4, rxNr:5, retxCnt:0, retxqIn:5, retxqOut:5
IFRAMEs 13/12 RNRs 0/0 REJs 0/0 SABM/Es 36/1 FRMRs 0/0 DISCs 0/0
txQueue: priority 0: cnt=0 max=20 sMax=1
rxFrames 995, rxChars 12377
txFrames 748, txChars 11693
B. Displays the virtual circuit status information of an interface of local router
show x25 vc
serial3:
vc No.1024: R1-P4-D1 SVC calling FRI FEB 20 20:25:37 1970
local X.121 address: 1124
remote X.121 address: 1125 (112.255.4.5)
flow-state: ready (D1), sWin:2, rWin:2
sMaxPktSize:128, rMaxPktSize:128
vr:4, vs:0, nr:3, ns:0, lastNr:0, noRspDataCnt:0
stxQueue: priority 0: cnt=0
max=32
sMax=2
qw=3
qwMax=10
txQueue: priority 0: cnt=0
max=300 sMax=8
qw=4
qwMax=10
C. Other debugging/monitoring commands
Command
show x25 map
show x25 vc
debug x25 serial-number all
debug x25 serial-number head
debug x25 serial-number vc
debug lapb serial-number all
debug lapb serial-number head
5.5.5
Description
Displays the address mapping table from protocol
address to X.121 address.
Displays the detail of the appointed virtual circuit that
has been established.
Displays all the received/sent packets and the contents
of whole packet on the interface.
Displays the received/sent all groups and the contents
of the group header.
Displays the received/sent groups and the contents of
the group header on the interface with the VC number
Displays all the received/sent frames and the contents
of hole frame on the interface.
Displays all the received/sent frames and the contents
of the frame header on the interface
The X.25 subinterface
A subinterface is a virtual interface that is capable of connecting to some networks through a physical interface. For the
routing protocol using the split-horizon rule, subinterface is needed to decide which host needs routing updates. In a WAN
environment, if sub-interface (X.25) is used, other routers that are connected through the same physical interface may not
receive the route update information. Compared with the routers connected through the different physical interfaces, the
subinterface can be used and it can be regarded as a separate interface. Then the host can be connected to different
subinterfaces of the same physical interface. The route process regards each subinterface as an independent route update
source; so all the subinterfaces can be fit for receiving route update information.
A subinterface has two types: point to point and point to multipoint. The default is point to multipoint. At the current time,
X.25 of Maipu routers only support the point-to-multipoint subinterface.
Configuring a X.25 subinterface
Note:
1.
When the subinterface is configured, X.25 must be configured on the master-interface. And the x25 address x121address also needs to be configured (if the subinterface uses the map mapping) or x25 ltc ltc-nunber is configured
(if the subinterface uses the pvc mapping), and the ip-address is configured on the master interface.
2.
If a sub-interface wants to be up, the master-interface must be up first. If the master-interface is shutdown, it is
natural that the subinterface will be down.
5.5.6
An example of X.25 subinterface configuration

U RXW HU
U RXW HU

V
V

V

;

V
U RXW HU
Illustration:
The above figure represents how to configure a subinterface on router1 so as to connect the whole X.25 network. Router2
corresponds with the master interface of router1 while router3 corresponds with the subinterface of router1.
Command
Router1(config-if-serial2)#clock rate 64000
Router1(config-if-serial2)#x25 address 11625541
Router1(config-if-serial2)#x25 map ip 116.255.4.2 11625542
Router1(config-if-serial2)#x25 dte
Router1(config)interface serial2.1
Router1(config-sub-if-serial2.1)#x25 map ip 117.255.4.2 11725542
Router1(config-sub-if-serial2.1)#ip address 117.255.4.1
255.255.255.0
Router1(config-sub-if-serial2.1)#exit
A. The configuration of router2 (router3)
Command
Task
Enters the serial port 2
Physical layer synchronous
Speed 64K
Encapsulates the X.25 protocol on the
data link layer.
X121 address
The map of opposite IP address and
opposite X121 address
The IP address of the local main
interface
The working mode of X.25 is DTE.
Enters the subinterface S2.1.
The map of opposite IP address and
opposite X121 address
The IP address of the local
subinterface
Task
The tasks are the same as the one of
router1.
Router2(config-if-serial2)#x25 address 11625542
Router2(config-if-serial2)#x25 map ip 116.255.4.1 11625541
5.5.7
The switching function of X.25
The switching function of X.25 much more perfects the functions of X.25. We can configure the router to be a Transmission
Control Protocol (TCP) connection to switching X.25 data streams. In many modes, main network is generally composed of
the routers that are used to switching IP datagram. But we can use several X.25 equipments to connect each other through the
routing type of IP main network. The switching of X.25 has two kinds: PVC and SVC.
Note:
1.
1.
The router can be used as a local or a remote switch, and it can switch X.25 data streams through TCP. Which is
called XOT (X.25 Over TCP) usually.
SVC switching
A. The configuring commands

In order to enable the switching function of X.25, we can input the command X25 routring in the global configuration
mode.
router(config)#
Command
router (config)#x25 routing
Task
Configures it as an X.25 switch.
X.25 data streams can be routed between local serial ports. In this situation, the static routing command is needed to map
X.121 address to the serial port. The router permits the X.25 interface connected to different ports to perform Switched
Virtual Circuit (SVC) connection, and this is called local X.25 connection.
Remote X.25 switching enables the X.25 interface connected with different routers to establish the switched virtual circuit
(SVC) and permanent virtual circuit (PVC). Remote X.25 switching is achieved through using tunnel technology for all X.25
calls and data streams between routers on the TCP connection. In order to enable remote switching, users can use the
command X25 router:
router (config)#x25 route X.121 address interface type number
Syntax
Description
X.121 address
X.121 address of the destination
Type number
Type and number of the interface to the destination
B. An example of X.25 switching function
U RXW HU
6
[
U RXW HU
6
U RXW HU
[
Illustration:
As shown in the figure above, we premise that router3 is used as the X.25 switch, and that router2 and router4 perform
communication between them through the X.25 switching function of router3. The X.121 address of the serial-port s2 of
router2 is 200 while the X.121 address of the serial-port s3 of router4 is 100. We also need to configure the IP addresses of
router2 and router4 by manually.
The configuration of router2:
Command
Task
router2(config-if-serial2/0)#encapsulation x25
router2(config-if-serial2/0)#x25 dte

Encapsulates it as the synchronous mode.
Encapsulates the X.25 protocol.
Configures the X.25 as DTE mode
(default).
Configures X.121 address.
Configures map mapping.
router2(config-if-serial2/0)#x25 address 200

router2(config-if-serial2/0)#x25 map ip 10.0.0.2 100
broadcast
Configuration has been finished.

Command
router3(config)#x25 routing
router3(config)#x25 route 100 interface serial 3/0
router3(config)#x25 route 200 interface serial 2/0
router3(config-if-serial2/0)#x25 dce
router3(config-if-serial2/0)#int s3/0
router3(config-if-serial3/0)#x25 dce
Task
Configures it as an X.25 switch.
Configures the corresponding X.121 address to
which data stream is transmitted and the
corresponding port.
Configures the corresponding X.121 address to
which data stream is transmitted and the
corresponding port.
Enters the interface s2 mode.
Configures the clock.
Encapsulates X.25 protocol.
Configures X.25 as the DCE mode.
Configures it as the synchronization mode
Configures X.25 protocol.
Configures X.25 as the DCE mode.

Command
Task

Encapsulates it as the synchronization
mode.
Configures X.25 as DTE mode (default).
Configures the X.121 address.
Configures the map mapping.
router2(config-if-serial3/0)#x25 dte
router2(config-if-serial3/0)#x25 address 100
router2(config-if-serial3/0)#x25 map ip 10.0.0.1 200
broadcast

Configuration hase been finished.
2. PVC switching function

A.
The specification of configuration
There are two kinds of PVC switching functions: one is the local PVC switching and the other is the XOT switching that is
used to connect two lines of PVC through TCP/IP network.
The commands of X.25 PVC:

router (config-if-serial3)#x25 pvc Circuit number interface type number pvc number1
The configuring commands: (in interface configuration mode):
Command
Description
Circuit number
The PVC number that will be applied to the

local interface.
Designates the keywords needed by an interface.
The type of the remote interface
The remote interface number
The keywords needed to configure switching
PVC.
The PVC number that will be used for the
remote side
Interface
Type
Number
PVC
Number1
The configuring commands of XOT:

router (config-if-serial3)#x25 pvc Circuit number xot address interface type string pvc number
The configuring commands: (in the interface configuration mode):
Command
Description
Circuit number
Xot
The PVC number used to connect equipment

Indicates that two PVCs will be connected
through a TCP/IP LAN that uses XOT.
The IP address of the connected equipment.
Indicates that the interface is a serial port.
The definition of serial interface, which can be a
number or a character string.
Designates a line of PVC.
Designates the PVC number of the destination
address.
Address
Interface serial
String
PVC
Number
B.Example
U RXW HU
V
[
U RXW HU
V
U RXW HU
[
Illustration:
As shown in the above figure, the PVC between router2 and router3 is 1, while the PVC between router4 and router3 is 2.
Router3 is used as a PVC X.25 switch. The usage of the interface can be seen from the above figure.
Relevant configuration:
Command
router2(config-if-seral2)#physical-layer sync
router2(config-if-serial2)#encapsulation x25
router2(config-if-serial2)#x25 dte
router2(config-if-serial2)#x25 ltc 16
Task
Enters the interfacemode.
Configures it as X.25 DTE mode.
Configures the parameter 1tc (Notice: PVC
router2(config-if-serial2)#x25 pvc 1 ip 10.0.0.2

number must be less than the value of 1tc.) and

make it to be the same as the value of the up-end
switch.
Map the local PVC number to the IP address of
opposite terminal.

Command
Task
router3(config-if-serial2)#physical-layer sync
router3(config-if-serial2)#x25 dce
router3(config-if-serial2)#x25 pvc 1 interface serial 3 pvc
Configures it as X.25 switch.

Enters the interface s2 mode.
Configure it as the synchronization mode.
Encapsulates X.25 as DCE mode.
Configures the value of 1tc.
Configures the switching PVC.
2
router3(config-if-serial2)#lapb dce
router3(config-if-serial2)#int s3
router3(config-if-serial3)#x25 dce
router3(config-if-serial3)#lapb dce
router3(config-if-serial3)#x25 pvc 2 interface serial 2 pvc
Encapsulates LAPB as DEC mode.

Encapsulates X.25 as DCE mode.
Encapsulates LAPB as the DEC mode.
Configures switching PVC.
1
router3(config-if-serial3)#exit
Command
Router4(config-if-serial3)#x25 ltc 16
Router4(config-if-serial3)#x25 pvc 2 ip 10.0.0.1

An example of XOT mode:
Task
Configures the parameter 1tc (Notice PVC
number must be less than the value of 1tc) and
switch.
Maps the local PVC number to the IP address of
opposite terminal.
U RXW HU
39&
6
333
V
39&
U RXW HU
U RXW HU
V
6
U RXW HU
Illustration:
1.
As shown in the above figure, X.25 protocol runs between router1 and router2, and it also runs between router3
and router4. However, the PPP protocol runs between router2 and router3. The PVC value and the situation of the
corresponding interface connection can be derived from the above figure.

Command
Router1(config-if-serial3)# encapsulation x25
Router1(config-if-serial3)# x25 dte
Router1(config-if-serial3)# x25 ltc 16
Router1(config-if-serial3)# x25 pvc 1 ip 1.0.0.21

Task
Configures the parameter ltc (Notice: PVC
switch.
opposite terminal.

Command
router2(config-if-serial2)# physical-layer sync
router2(config-if-serial2)# encapsulation ppp
router2(config-if-serial2)# ip address 10.0.0.2 255.0.0.0
router2(config-if-serial2)#int s3
router2(config-if-serial3)# physical-layer sync
router2(config-if-serial3)# clock rate 128000
router2(config-if-serial3)# encapsulation x25
router2(config-if-serial3)# x25 dce
router2(config-if-serial3)# x25 ltc 16
Router2(config-if-serial3)#25 pvc 1 xot 10.0.0.1
interface serial 3 pvc2
route r2(config-if-serial3)# lapb dce
router2(config-if-serial3)#end
Task
Configures it as frame-relay switch.
Enters the interface s2 to configure TCP/IP
network interface.
Configures the map of X.25 to TCP/IP.
Configures LAPB as DCE mode.

Command
Router3(config)#x25 routing
Task
Configures it as a frame-relay switch.
Enters the interface s2 to configure TCP/IP
network interface.
Router3(config-if-serial2)# encapsulation ppp

Router3(config-if-serial2)# Clock rate 128000
Router3(config-if-serial2)#int s3
Router3(config-if-serial3)# clock rate 128000
Router3(config-if-serial3)# x25 dce
Router3(config-if-serial3)#25 pvc 2 xot 10.0.0.2 interface
serial 3 pvc1
Router3(config-if-serial3)# lapb dce

Configures clock.
Configures the mapping of X.25 and TCP/IP.
Configures LAPB as DCE mode.

Command
Router4(config-if-serial3)# x25 dte
Router4(config-if-serial3)# x25 pvc 2 ip 1.0.0.1

Task
Configures the parameter ltc (Notice: PVC
make it to be the same as the value of the switch.
opposite terminal.
5.5.8
The PAD function of X.25
The PAD is a telnet-like function, which is used to login a remote X.25 host. The destination address is a X.121 address
instead of IP address.
1. Configuring instructions
Command
Task
Router# pad x.121 address
Login a remote X.25 host
2. An example`
Legend
Router1 and router2 is connected directly throuth X.25
A Configuration of router1
Command
Router1(config)#interface s1/0
Router1(config-if-serial1/0)#encapsulation
x25
Router1(config-if-serial1/0) x25 dte
Router1(config-if-serial1/0)x25 address 100
B Configureation of router2
Task
Enters the interface mode
Configures X.25 as DTE mode
Configure X.121 address as 200
Command
Router2(config-if-serial1/0)#clock rate 128000
Router2(config-if-serial1/0)#encapsulation
Task
Configure the clock rate
x25
Router2(config-if-serial1/0)x25 dce
Router2(config-if-serial1/0)x25 address 200
Router2(config-if-serial1/0)#end
Router2#pad 100
Router1>
Configure X.121 address to 200

PAD to peer
Login
5.5.9 Annex G(X.25 over Frame-Relay)

Related Configuration Commands
1) x.25 profile
Use the command x.25 profile to create a X.25 Profile; otherwise, use the negation of the command to cancel the
corresponding X.25 Profile.
x25 profile name [ dte | dce ]
Syntax
Descriptions
profile
Specify the keyword of the x25 profile.
name
The name of the x25 profile
dte
(Optional)The x25 profile serves as
DTE.
dce
(Optional)The x25 profile serves as
DCE.
By defaultThere exists no name, the x.25 profile serves as DTE.
Command modethe global configuration mode.
2) Enter the X.25 configuration mode after creating the X.25 Profile. In the mode, use the following configuration
commands to configure X.25 parameters of the X.25profile. The usage and meaning of these configuration commands are the
same as that of those commands that are used to encapsulate X.25 interface and configure X.25 parameters.
Syntax
Descriptions
x25 address
Configure the X.121 address.
x25 modulo
Configure the window mode.
x25 hic
Configure the maximal one-way ingress virtual circuit
number.
x25 hoc
Configure the maximal one-way egress virtual circuit
number.
x25 htc
Configure the maximal two-way virtual circuit number.
x25 ltc
Configure the minimal two-way virtual circuit number.
x25 t20
Configure the value of the retransmission timer that is
used to restart request packets.
x25 t21
Configure the value of the call request timer.
x25 t22
used to reset request packets.
x25 t23
used to clear request packets.
x25 hold-queue
Configure the maximal number of packets a virtual
circuit can save before transmitting data.
x25 idle
Configure the idle period of clearing a SVC.
x25 nvc
Configure the maximal number of protocol virtual
circuits that along with the host are enabled
simultaneously.
x25 ips
Configure the maximal length of an ingress packet.
x25 ops
x25 win
x25 wout
Configure the maximal length of an egress packet.

Configure the value of the in-window.
Configure the value of the out-window.
3) Enter the X.25 configuration mode after creating the X.25 Profile. In the mode, use the following configuration
commands to configure LAPB parameters of the X.25profile. The usage and meaning of these configuration commands are
the same as that of those commands that are used to encapsulate X.25 interface and configure LAPB parameters.
Syntax
lapb k
lapb modulo
lapb N1
lapb N2
lapb T1
lapb T2
lapb T4
Descriptions
Configure the maximal number of uncertained frames,
namely window size.
Configure LAPB basic (mode 8)/extended (mode16)
protocol mode.
Configure the maximal number of bits contained in a
frame.
Configure the maximal times of data packet
retransmission.
Configure the value of the retransmission timer.
Configure the value of the acknowledgement timer.
Configure the value of the idle timer.
4) x.25-profile
Use the command x.25-profile to relate a X.25 Profile with some frame-relay PVC on a frame-relay interface;
otherwise, use the negation of the command to cancel the relation.
frame-relay interface-dlci number
x25-profile name
no x25-profile name
Syntax
Number
Descriptions
The DLCI number of the frame-relay PVC related
with X.25 profile
The name of X.25 profile related with PVC
Name
By defaultThere exists no relation.
Command modethe frame-relay DLCI configuration mode.
5) Use the following command to send out a X.25 call through the frame-relay network:
x25 route address interface serial-interface dlci number
Syntax
Descriptions
Address
The X.121 destination address.
serial-interface
Route the selected call to the specified frame-relay
serial interface.
The frame-relay DLCI number used to transmit the
Number
call.
An Example of Configuring X.25 over Frame-relay Network
Frame relay
Figure 4-15 an example of configuring X.25 over the frame-relay network

Illustration:
As shown in figure above, a connection between RouterA and RouterB is established through a X.25 packet switching
network; the interconnection between RouterB and RouterC is realized through a frame-relay switching network; and the
connection between RouterC and RouterD is established through a X.25 packet switching network. By means of Annex.G,
X.25 packets between RouterA and RouterD are transmitting over the frame-relay network.
1) RouterA is configured as follows.
Syntax
Descriptions
RouterA#configure terminal
RouterA(config)# interface serial1/0
Enter the interface S1/0configuration

mode.
RouterA(config-if-serial1/0)# physical-layer sync

RouterA(config-if-serial1/0)# clock rate 64000
RouterA(config-if-serial1/0)# encapsulation x25
Configure the clock rate.

Encapsulate X.25 on the interface.
RouterA(config-if-serial1/0)# x25 address 70

RouterA(config-if-serial1/0)# x25 map ip 192.168.1.2 71
Configure the X.25 address.

Configure the X.25 address map.
RouterA(config-if-serial1/0)#
ip
255.255.255.0
RouterA(config-if-serial1/0)#exit
address
192.168.1.1
2) RouterB is configured as follows.

Syntax
Descriptions
RouterB# configure terminal

RouterB(config)# x25 routing
RouterB(config)# x25 profile name1 dce
RouterB(config-x25)#exit
RouterB(config)# interface serial1/0
Enter the interface S1/0 configuration mode.
RouterB(config-if-serial1/0)# physical-layer sync

RouterB(config-if-serial1/0)# encapsulation x25 dce
RouterB(config-if-serial1/0)# interface serial2/0

RouterB(config-if-serial2/0)# encapsulation frame-relay
RouterB(config-if-serial2/0)# frame-relay lmi-type ansi
RouterB(config-if-serial2/0)# frame-relay interface-dlci
100
RouterB(config-fr-dlci)# x25-profile name1
RouterB(config-fr-dlci)# exit
RouterB(config-if-serial2/0)#exit
RouterB(config)# x25 route 71 interface serial2/0 dlci
100
RouterB(config)# x25 route 70 interface serial1/0
Create a X.25 Profile and set it as DCE.
Encapsulate frame-relay on the interface.

Configure frame-relay LMI type.
Configure the DLCI number
Relate X.25 Profile (name1) to the specified
PVC.
Exit the DLCI configuration mode.
Transmit a X.25 call over the specified
frame-relay PVC.
Transmit a X.25 packet.
3) RouterC is configured as follows.

Syntax
Descriptions
RouterC# configure terminal

RouterC(config)# x25 routing
RouterC(config)# x25 profile name2 dte
RouterC(config-x25)#exit
RouterC(config)# interface serial2/0
Create a X.25 Profile and set it as DTE.

Enter the interface S2/0 configuration
mode.
RouterC(config-if-serial2/0)# physical-layer sync

RouterC(config-if-serial2/0)# encapsulation x25 dce
RouterC(config-if-serial2/0)# interface serial1/0

mode.

RouterC(config-if-serial1/0)# encapsulation frame-relay
Encapsulate frame-relay on the interface.
RouterC(config-if-serial1/0)# frame-relay lmi-type ansi
Configure frame-relay LMI type.
RouterC(config-if-serial1/0)# frame-relay interface-dlci 200
Configure the DLCI number
RouterB(config-fr-dlci)# x25-profile name2
Relate X.25 Profile (name1) to

specified PVC.
RouterB(config-fr-dlci)# exit
the
RouterC(config-if-serial1/0)#exit
RouterC(config)# x25 route 70 interface serial1/0 dlci 200
RouterC(config)# x25 route 71 interface serial2/0
Transmit a X.25 call over the specified

frame-relay PVC.
Transmit a X.25 packet.
4) RouterD is configured as follows.

Syntax
RouterD# configure terminal
RouterD(config)# interface serial2/0
Descriptions
Enter
the
interface
configuration mode.
S2/0
RouterD(config-if-serial2/0)# physical-layer sync

RouterD(config-if-serial2/0)# clock rate 64000
RouterD(config-if-serial2/0)# encapsulation x25

RouterD(config-if-serial2/0)# x25 address 71

RouterD(config-if-serial2/0)# x25 map ip 192.168.1.1 70
Configure the X25 address.

Configure the X25 address map.
RouterD(config-if-serial2/0)# ip address 192.168.1.2 255.255.255.0
RouterD(config-if-serial2/0)#exit
5.5.10 Wildcard Route
The wildcard route becomes effective when the command x25 route address is used to configure route. All calls whose
called addresses start with address are transmitted over the specified route interface.
For example:
x25 route 123 int s1/0
All calls whose called addresses start with 123 are transmitted over the interface s1/0.
5. 6 Frame Relay Protocol

Frame relay is a protocol standardized by ANSI and CCITT, and it can provide remarkable performance/price ratio to busting
out traffic (for example, LAN inter-connection and SNA). Frame relay is a kind of interface protocol between the Customer
Premise Equipment (CPE), such as a router or Front End Processor, and a WAN sending data to remote CPE.
The main topics addressed in this section are as follows:
o
Description of the basic instructions necessary to configure frame relay
o
o
o
o
o
A typical configuration example of frame relay

Debugging/monitoring frame relay
Reverse Address Resolution Protocol of frame relay
Frame relay sub-interface
Configuration examples of frame relay sub-interface
5.6.1 Description of basic instructions to configure frame relay

routerconfig-if-XXX# frame-relay
Command
Description
interface-dlci
<NUMBER>
Intf-type dce/dte/nni
ip rtp header-compression
The identity number of frame relay data link

Configures the working mode of frame relay.
The header compression of Realtime
Transmission Protocol
The default value of the counter to PVC request
status is 6, and its value range is from 1 to 255.
The default of error threshold is 3, and value
range is from 1 to 10.
Event counter.
The default value is 4, and value range is from 1
to 10.
Configures the type of LMI protocol.
Configures the map mapping (permit the frame
relay to be encapsulated with mutlticast/ cisco/
Internet Engineering Task Force (IETF))
format).
lmi-n391
dte <NUMBER>
lmi-n392
dte
lmi-n393
dte <NUMBER>
<NUMBER>
lmi-type ansi/lmi/q9332a
map ip A.B.C.D <NUMBER> broadcast/ Cisco/ itef
5.6.2
The typical configuration example of frame relay
The working flow of frame relay is shown as follows:
Encapsulating
frame relay
V
U RXW HU
Designating
DLCI
Designating LMI

)U DPH
U HO D\
Establishing address
mapping
V

U RXW HU
Illustration:
The S0 port (3.3.3.1) of local router router1 connects to the S0 port (3.3.3.2) of the opposite router router2.
Command
Router1(config-if-serial0)#intf-type dte
Router1(config-if-serial0)#encapsulation frame-relay
Router1(config-if-serial0)#frame-relay lmi-type ansi
Router1(config-if-serial0)#frame-relay interface-dlci 18
Router1(config-if-serial0)#frame-relay map ip 3.3.3.2 18
broadcast
Task
Enters the S0 port.
Configures the working mode of physical
layer as the synchronization mode.
Works in frame relay DTE mode.
Encapsulates frame relay of link layer
protocol.
Designates the frame relay type lmi: it
should be same with the switch in telcom.
The local dlci number: it is provided by
telecommunication office.
Frame relay mapping, the opposite terminal
IP address and the local dlci number
255.255.255.

Command
The IP address of the port S0
Task
Configures the working mode of physical

layer as the synchronization mode.
Encapsulates frame relay of link layer
protocol.
Designates the frame relay type lmi: it
should be same with the switch in telecom.
Work in the frame relay DTE mode.
The local-end number dlci: it is provided by
telecommunication office.
Frame relay mapping, the opposite terminal
broadcast
IP address, the dlci number of local end
Router2(config-if-serial0)#ip address 3.3.3.2 255.255.255. The IP address of the S0 port
5.6.3
The debugging/monitoring of frame relay
Users can examine the PVC status of frame relay, and ACTIVE indicates that the PVC is in usable status. Users can also
examine all the frame relay interfaces or a given one to determine the given PVC status and the statistic number of
received/sent packets.
A. Displaying all status information of virtual link (of interface) on the local router
show frame-relay pvc [interface serial number]
PVC statistics for interface serial0 (Frame Relay DTE)
DLCI = 17, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = serial0
input pkts 10
output pkts 10
in bytes 1040
out bytes 1040
dropped pkts 0
in FECN pkts 0
in BECN pkts 0
out FECN pkts 0
out BECN pkts 0
in DE pkts 0
out DE pkts 0
B. Displaying the information of frame relay mapping
show frame-relay map
Serial2(up):ip 10.1.2.66 dlci 65,static,broadcast,
IETF, status ACTIVE
B. Other debugging/monitoring commands

Command
Description
show frame-relay lmi [interface serial number]
Displays LMI statistic of frame relay.
show frame-relay inarp [interface serial number]
Displays INARP information.
show frame-relay
inarp ip rtp header-compression
debug frame-relay lmi [interface serial number]
Displays LMI running data of frame

relay.
debug frame-relay packet [interface serial number]
Displays data operation beared by frame

relay.
debug frame-relay log [interface serial number]
Displays frame relay events and error

indication.
Notice:
5.6.4
The physical layer must be in synchronous mode.
The IP addresses of the ports of two connected routers must be in the same network segment.
When show int s n shows that the interface is UPand show frame map shows that status isACTIVE, it is
indicated that frame relay has connected with the WAN port and can begin to transmit data.
Frame Relay Reverse Address Resolution Protocol
Brief Introduction of the Frame Relay Protocol

The main function of Reverse Address Resolution Protocol is to resolve the protocol address of the opposite equipment
connected with each virtual circuit, which includes the IP address, IPX address etc. (At the present time Maipu routers only
support IP addresses). If the protocol address of the opposite equipment connected to the virtual circuit is known, the
mapping between the opposite terminal protocol address and DLCI can be created locally, and then the manual configuration
can be avoided.
The contents of this section are as follow:
o
o
o
Description of the basic instructions of frame relay Reverse Address Resolution Protocol
A typical configuration example of frame relay Rdverse Address Resolution Protocol
Debugging/monitoring of frame relay Reverse Address Resolution Protocol
A.
Description of the basic instructions of frame relay Reverse Address Resolution Protocol
router(config-if)#
Command
Description
frame-relay inverse-arp
Permits the sending of RARP (Inverse

Address Resolution Protocol) request (the
default).
Configures the time interval of sending
RARP (Inverse Address Resolution
Protocol) request (the default value is 60
seconds).
Permits the sending of RARP (Inverse
Address Resolution Protocol) request on a
virtual circuit.
Updates the dynamic mapping periodically.
frame-relay inverse-arp interval
frame-relay inverse-arp ip <DLCI NUMBER>
frame-relay inverse-arp update
B. The diagram below shows a typical configuration example of frame relay Reverse Address Resolution Protocol
V
U RXW HU

)U DPH
U HO D\
V

U RXW HU
Illustration:
1.
The port S0 (3.3.3.1) of the local router router1 connects to the port S0 (3.3.3.2) of the opposite router router2.
The configuration of router1

Router1(config-if-serial0)# encapsulation frame-relay
Router1(config-if-serial0)# frame-relay lmi-type ansi

Router1(config-if-serial0)# frame-relay inverse-arp
Router1(config-if-serial0)#frame-relay inverse-arp update
Router2(config-if-serial0)# encapsulation frame-relay
Router2(config-if-serial0)# frame-relay lmi-type ansi
Router2(config-if)# frame-relay inverse-arp
Router2(config-if-serial0)#frame-relay inverse-arp update
The type of LMI

Permits the sending frame relay RARP (the
default).
Local-end IP address.
Configures the DLCI number.
The type LMI.

Permits the sending of the frame relay RARP
(the default)
Local IP address.
Configures the DLCI number.
C. Debugging/monitoring of frame relay Reverse Address Resolution Protocol (RARP)

Displaying packets receiving/sending status of frame relay Reverse Address Resolution Protocol
show frame-relay inarp
Frame Relay Inarp statistics for interface serial2:
InARP requests sent 5,
InARP replies sent 0
InARP request recvd 0,
InARP replies recvd 4
Displaying the information of frame relay mapping
show frame-relay map
serial0 (up): ip 3.3.3.2, dlci 16, dynamic,
IETF, status ACTIVE
Note:
1. The word dynamic among the above information indicates that the mapping is established dynamically through the
Reverse Address Resolution Protocol (RARP).
5.6.5
Frame relay sub-interface
The configuration process of a frame relay sub-interface:
Frame relay is
encapsulated on
the
masterinterface.
Designate the type of subinterface: Point-toPoint/Point-to-multipoint.
Frame relay is
configured on the
subinterface.
configures
A subinterface inherits the properties of a masterinterface, so before the subinterface is configured, the frame relay must be
encapsulated on the main interface. [LMI]
A. The configuration of frame relay point-to-point interface
router(config)#
Command
Description
interface Serial <serialnumber.subnumber> point-to-point
Configure the subinterface as the point-topoint mode.

Configure the number of the data link
connection identifier (DLCI).
Configure frame relay using RTP header
compression (optional).
Designate IP address of the opposite

frame-relay
ip
rtp header-compression
ip route peer-address A.B.C.D
terminal (It is used in dynamic routing

interaction).
B. The configuration of frame relay point-to-multipoint sub-interface
router(config)#
Command
Description
interface Serial <serialnumber.subnumber> point-to-multipoint
Configure the subinterface as the point-tomultipoint mode.

Configure the number of the data link
connection identifier (DLCI).
Configure frame relay using RTP header
compression (optional).
Configure the frame relay MAP mapping.

frame-relay
ip
frame-relay
map ip
5.6.6
rtp header-compression
ip_address
dlci [broadcast|cisco|ietf]
An example of frame relay subinterface configuration

U RXW HU

V
U RXW HU
V

)U DPH U HO D\
V

V
U RXW HU
Illustration:
1.
The above example explains how to configure the subinterface on the router A so as that the whole frame relay
network can be connected. The router router2 connects to the main interface of router1 while the router router3
connects to the subinterface of router1.

Command
Router1(config-if-serial2)#frame-relay lmi-type q933a
Router1(config-if-serial2)#frame-relay intf-type dte
broadcast
Router1(config)#interface serial2.1 multipoint
Router1(config-sub-if-serial2.1)#frame-relay interface-dlci 202
Router1(config-sub-if-serial2.1)#frame-relay map ip 117.255.4.2 202

broadcast
Router1(config-sub-if-serial2.1)#ip address 117.255.4.1 255.255.255.0
Task
Synchronization
Clock
Works in DTE mode of frame
relay.
Designates LMI type as q933a.
The DLCI number
Configures frame relay mapping.
Local-end IP address
The mode of the subinterface is
point-to-multipoint.
DLCI number is 202, which is
provided by telecommunication
office.
Configures the frame relay
mapping of the subinterface.
IP address of the subinterface.
Router1(config-sub-if)#end
B. The configuration of router2 (router3)

Command
Task
Router2# con t
Router2(config )#interface serial2
Encapsulates frame relay.
Router2(config-if-serial2)#frame-relay lmi-type q933a
Designates LMI type as q933a.
The DLCI number is 101.
Configures the frame relay mapping.
broadcast
IP address
5.6.7
Frame Relay Switch
1. Brief introduction of commands
Maipu routers supports the function of frame relay switching. Frame relay switches makes the router able to encapsulate the
data frame of frame relay into IP datagrams.
router(config)#frame-relay switching
A. Configuring it as a frame relay switch
router(config)#
Command
Description
Frame-relay swithig
Configures it as a frame relay switch.
Configure the router, through the commmand frame-relay switching, to execute the switch function in frame relay network.
When the router runs as a Router(config)#frame-relay switching switch, data stream can be exchanged between two serial
ports of the router through the command frame-relay. The router executes PVC data exchange between two serial ports.
router(config-if-XXX)#frame-relay route in-dlci out-interface out-dlci
B. The command frame-relay switching
Router(config-if-XXX)#
Command
Description
In-dlci
The DLCI number of packets received by the

interface
The interface used by the router to transmit
packets
The DLCI number used by the router to
transmit packets through the designated
outward interface
Out-interface
Out-dlci
The interface configuration can be applied to frame relay switch through the command frame-relay intf-type. The type of
frame relay switch is decided by the functions of the router in frame relay network.
router(config-if-XXX)#frame-relay intf-type [dte |dce |nni]
C.
The command Frame-relay intf-type
Router(config-if-XXX)#
Command
Description
Dte
The interface of the router is used to connect a

frame relay network.
The interface of the router connectes with a
router, and the local router is used as a frame
relay switch.
The router is used as a switch. The interface is
connected with another switch and supports
the network-to-network interface (NNI).
Dce
Nni
An example of frame relay serving as switch

'/&,
5RXW HU
6
6
'/&,
5RXW HU
6
6
'/&,
5RXW HU
6
6
5RXW HU
Illustration:
1. As shown in the above figure, router2 and router3 serve as frame relay switches while router1 and router4 serve as
DTE interfaces. When the data stream from router1 arrives at the port s3 of router2, the data stream with DLCI
number 40 will be handed to the output port s2; at the same time, DLCI number 50 will be used in the source
identifier. Data stream is transmitted to the port s2of router3. Similarly, the data stream with DLCI number 50 is
handed to the output port s3 again, so the data stream arrives at router4. The data from router4 can arrive at the
destination router1 according to the same principle, too.
The relevant configuration:
Command
Task
router1(config-if-serial3)#encapsulation frame-relay
router1(config-if-serial3)#frame-relay lmi-type ansi
router1(config-if-serial3)#frame-relay interface-dlci 40
router1(config-if-serial3)#frame-relay map ip 1.0.0.2 40
broadcast
Router(config-if-serial2)#

Encapsulates the protocol frame-relay.
Configures LMI type.
Configures DLCI number.
Configures MAP mapping.
Command
Task
Configuration of the interface S3

router2(config)#frame-relay switching
Configures it as the frame relay switch mode.
router2(config-if-serial3)#frame-relay intf-type dce

Encapsulates the protocol frame-relay .
Configures the LMI mode.
Configures it as a frame relay switch to
connect with another router.
Configures the direction for switch to transmit
data.
router2(config-if-serial3)#frame-relay route 40 interface

serial2 50
The configuration of the interface S2:
router2(config-if-serial2)#frame-relay intf-type nni
router2(config-if-serial2)#frame-relay route 50 interface
serial3 40
Configuration of router3:
Router(config-if-serial2)#
Command

Configures LMI mode.
Configures it as the switch mode (NNI) to
connect with another switch.
data.
Task
Configuration of the interface S3

Router3(config)#frame-relay switching
Router3(config-if-serial3)#frame-relay intf-type dce
Router3(config-if-serial3)#frame-relay route 60 interface
serial2 50
The configuration of the interface S2:
Router3(config-if-serial2)#frame-relay intf-type nni
Router3(config-if-serial2)#frame-relay route 50 interface
serial3 60
Router3(config-if-serial2)#Clock rate 128000
Configures it as the frame relay exchange

mode.
Configures clock.
Configures it as a frame relay switch to
connect with another router.
data.
Configures it as the switch mode (NNI) to
connect with another switch.
data.
Configures clock.
Command
Task
Configures LMI type.
router1(config-if-serial3)#frame-relay interface-dlci 60
Configures DLCI number.
router1(config-if-serial3)#frame-relay map ip 1.0.0.1 60
Configures MAP mapping.
roadcast
Configuration has been finished
Note:
1. The DLCI numbers between switches do not need to be configured in ports.
2. In fact, different LMI types can be configured on different ports and the same LMI type is unnecessary. But the
LMI between two routers must be the same.
3. Examine whether the function of switch works well through the command show frame-relay route. If S2 and S3
are showed as active, this indicates that the function of switch works well.
5.6.8 Frame-Relay PVC Compression

1) TCP/IP Header Compression over Frame-Relay PVC
A command to configure TCP/IP Header Compression over Frame-Relay PVC
frame-relay map ip A.B.C.D dlci tcp header-compress
To enalbe TCP/IP header compression on frame-relay PVC, use the command frame-relay map ip A.B.C.D dlci tcp
header-compress, or else, use the negation of the command to disable it.
frame-relay map ip a.b.c.d dlci nocompress
To disable the compression (including TCP/IP and RTP compression) on the special PVC, use the command framerelay map ip a.b.c.d dlci nocompress.
frame-relay map ip ip-address dlci tcp header-compress [passive]
Syntax
Description
Ip-address
The IP address of the opposite end
Dlci
The DLCI number of the DLCI interface.
Passive
Passive compression
By defaultdisabled
Command modethe point-multipoint interface configuration mode
frame-relay ip tcp header-compress [passive]
To enable TCP/IP header compression on all of frame-relay PVC, use the command frame-relay ip tcp headercompress [passive], or else, use the negation of the command to disable it.
By defaultdisabled.
An example of TCP/IP Compression over frame-relay PVC.
Frame-relay
Router1 is configured as follows :

Command
RouterA# configure terminal
RouterA(config-if-serial0/0)# encapsulation frame-relay
RouterA(config-if-serial0/0)# frame-relay lmi-type ansi
RouterA(config-if-serial0/0)# frame-relay interface-dlci
Task
Enter the interface Serial0/0 configuration
mode.
Enable frame-relay encapsulation for the
interface S0/0.
Set the type as LMI.
Configure the local DLCI number.
100
RouterA(config-if-serial0/0)# frame-relay map ip 3.3.3.2
100 tcp header-compress
ip
address
3.3.3.1
255.0.0.0
Command
RouterB(config)#interface serial0/0
RouterB(config-if-serial0/0)# clock rate 128000
Configure the TCP/IP header compression

on DLCI=100 PVC.
Configure the interface IP address.
Task
Enter the interface S0/0 configurationo
mode.
Enable the frame-relay encapsulatin

for the interface s0/0.
100
RouterB(config-if-serial0/0)# frame-relay map ip 3.3.3.1
100 tcp header-compress
RouterB(config-if-serial0/0)#
ip
address
3.3.3.2
255.0.0.0
Configure
the
TCP/IP
header
compression on DLCI=100 PVC.
Monitor the TCP/IP header compression over Frame-Relay PVC.

Use the command show frame-relay ip tcp header-compress to show TCP/IP compression information about whether
the tranmitted data is compressed and related compression statistics.
2) RTP Compression over Frame-Relay PVC
A command to configure RTP compression over frame-relay PVC.
frame-relay map ip A.B.C.D dlci rtp header-compress
To enable RTP compression over frame-relay PVC, use the command frame-relay map ip A.B.C.D dlci rtp headercompress, otherwise, use the negation of the command to disable it.
Use the command to enable RTP compression over special frame-relay PVC, and use the negation of the command to
disable it.
frame-relay map ip ip-address dlci rtp header-compress [passive]
Syntax
Description
Ip-address
The IP address of the opposite end.
Dlci
The DLCI number of the DLCI interface.
Passive
Passive compression.
By defaultdisabled
Command modethe point-to-multipoint interface configuration mode
frame-relay ip rtp header-compress [passive]
To enable RTP compression over all frame-relay PVCs, use the command frame-relay ip rtp header-compress
[passive], or else, use the negation of the command to distable it.
By defaultdisabled
An example of RTP compression over frame-relay PVC
Frame-relay
Router1 is configured as follows:

Command
RouterA(config-if-serial0/0)# frame-relay interface-dlci
Task
mode.
interface S0/0.
100
RouterA(config-if-serial0/0)# frame-relay map ip 3.3.3.2
100 rtp header-compress
ip
address
3.3.3.1
255.0.0.0
Command

on DLCI=100 PVC.
Task
mode.

RouterB(config-if-serial0/0)# clock rate 128000

interface S0/0.
100
RouterB(config-if-serial0/0)# frame-relay map ip 3.3.3.1
100 rtp header-compress
RouterB(config-if-serial0/0)#
ip
address
3.3.3.2
255.0.0.0

on DLCI=100 PVC.
3) Monitoring of RTP Compression over Frame-Relay PVC

Use the command show frame-relay ip rtp header-compress to show RTP compression information about whether the
tranmitted data is compressed and related compression statistics.
Notice:
The command frame-relay ip tcp header-compress/ frame-relay ip rtp header-compres is valid to all PVCs (except
the PVCs for which the RTP compression has bee configured singly ).
It can be examined by the command show frame-relay ip tcp header-comress / show frame-relay ip rtp headercompress that the RTP compression has been configured on PVC and its type is inherited.
For a single PVC on which the RTP has been configured, it can be known by the command that its compression type is
enabled.
5.6.9 DE bit support on Frame-Relay
1) Configuration command
frame-relay de-list
To enable the DE bit list in the frame-relay network, use the command frame-relay de-list, or else, use the negation of
the command to disable it.
frame-relay de-list list-number protocol ip {fragments | gt size| list access-list-number
| lt size| tcp port| udp port}
Syntax
Description
List-number
DE list number
Size
Packet size
Access-list-number
Access list
Port
The port number of the destination address.
number
By defaultdisabled
Command modethe globe configuration mode.
frame-relay de-group
To eable DE bit discarding rule on DLCI, use the command frame-relay de-group, or else, use the negation of the
Frame-relay de-goup de-list-number dlci
Syntax
Description
De-list-number
DE list number
Dlci
DLCI number
By defaultdisabled
frame-relay congestion-management
To enable the DE rule on an interface, use the command frame-relay congestion-management, or else, use the
negation of the command to disable it.
By defaultdisabled.
2) Configuration examples
An example of the configuration command DE-list
frame-relay de-list
define DE list 1 for IP fragment packets

/ Set DE bit for packets of the IP fragment.
frame-relay de-list 1 protocol ip fragment
define DE list 2 for port 500 of UDP packets / Set DE bit for UDP packets whose port number is 500.
frame-relay de-list 2 protocol ip udp 500
An example of the configuration command de-group frame-relay de-group
Enable DE list 1 on PVC 100
/Enable the rule de-list 3 on DLCI-number=100 PVC for setting DE bit.
frame-relay de-group 1 100
Notice:
Only one kind of rule can be set in each DE-list.
Multiple de-lists canbe enabled on each PVC, and one de-list can also be used in different PVCs simultaneously.
To enable DE, it is necessary to configure the command frame-relay congestion-management on the interface.
De can not take effect until traffic-shapping is configured.
3) Monitoring DE bit over Frame-Relay
Use the command show frame-relay PVC to show the statistics of received/transmitted packets for which DE bit has
been configured.
5.6.10 Frame-Relay Fragment
frame-relay fragment
To enable frame-relay fragment function, use the command frame-relay fragment number, or else, use the negation of
the command to disable it. Abour related details, refer to FRF.12.
frame-relay fragment number
Syntax
Description
Number
Fragment sizeBy byte
By defaultdisabled
Command modethe map-class configuration mode .
frame-relay fragment must-encap-mulproto
After the frame fragment function is configured, to perform the multilink encapsulation for network-layer packet whose
size is less than the frame fragment, use the command frame-relay fragment must-encap-mulproto, or else, use the
negation of the command to disable it.
By defaultdisabled
Command modethe map-class configuration mode
Notice:
Usually, it is unnecessary to configure the command. The command need be enabled only when opposite equipment
performs the multilink encapsulation for network-layer packet whose size is less than the frame fragment or implements the
strict order-limit to network-layer data.
The frame fragment function can not take effect until the traffic-shapping is enabled.
5.6.11Frame-relay Traffic Shaping
5.6.11.1 Traffic Shaping Configuration Commands
map-class frame-relay
Use the command map-class frame-relay to specify a map type for some PVC to define Quality of Service (QoS);
otherwise, use the negation of the command to delete the corresponding map type.
map-class frame-relay map-class-name
no map-class frame-relay map-class-name
Syntax
Descriptions
frame-relay
The keyword of the specified map
type.
map-class-name
The name of the map type.
By defaultThe command is disabled. And no default name is defined.
Command modeThe global configuration mode.
frame-relay traffic-rate
Use the command frame-relay traffic-rate to specify the egress flow rate for the PVC related with some map type;
otherwise, use the negation of the command to restore the default flow rate.
frame-relay traffic-rate average [ peak ]
no frame-relay traffic-rate average [ peak ]
Syntax
Descriptions
Average
The average rate (by bit per second), equivalent to the
specified CIR.
Peak
(Optional )the peak rate (by bit per second), equivalent
to.
CIR + Be/Tc = CIR(1 + Be/Bc) = CIR + EIR
By defaultIf the peak rate is omitted, the adopted default value is the line rate.
Command modethe map type configuration mode.
frame-relay adaptive-shaping
Use the command frame-relay adaptive-shaping to specify the rate adjust mode for the PVC related with some map
type; otherwise, use the negation of the command to deny the rate adjust.
frame-relay adaptive-shaping { becn | foresight}
no frame-relay adaptive-shaping
Syntax
Descriptions
Becn
Perform the rate adjust according to BECN message.
Foresight
Perform the rate adjust according to foresight message.
By defaultThe command is disabled.
frame-relay custom-queue-list
Use the command frame-relay custom-queue-list to specify the custom-queue for the PVC related with some map
type; otherwise, use the negation of the command to restore the default value of the PVC queue.
frame-relay custom-queue-list list-number
no frame-relay custom-queue-list list-number
Syntax
Descriptions
list-number
The list-number of the queue.
By defaultThe default queue is FCFS (First Come First Service).
frame-relay priority-group
Use the command frame-relay priority-group to specify the priority queue for the PVC related with some map type;
otherwise, use the negation of the command to restore the default value of the PVC queue.
frame-relay priority-group list-number
no frame-relay priority-group list-number
Syntax
Descriptions
list-number
The list-number of the queue.
By defaultThe default queue is FCFS.
frame-relay traffic-shaping
Use the command frame-relay traffic-shaping to make traffic shaping effective for all PVC of a frame-relay interface;
otherwise, use the negation of the command to disable the function of traffic shaping.
frame-relay traffic-shaping
no frame-relay traffic-shaping
By defaultThe command is disabled.
frame-relay class
Use the command frame-relay class to relate a map type with an interface or a sub-interface; otherwise, use the
negation of the command to cancel the relation.
frame-relay class name
no frame-relay class name

Syntax
name
Descriptions
The name of the map class related with the
interface/sub-interface.

class
Use the command to relate a map type to some PVC; otherwise, use the negation of the command to cancel the relation.
class name
no class name
Syntax
Descriptions
Name
The name of the map class related with the PVC.
Command modethe DLCI configuration mode.
5.6.11.2 An example of traffic shaping configuration
Frame relay
Figure 4-23 the frame-relay traffic shaping configuration

Illustration:
As shown in figure above, an interconnection between RouterA (the port s0/0 192.168.2.1) and RouterB (the port s1/0
192.168.2.2) is established through a frame-relay network. The frame-relay traffic shaping policy is adopted to limit data
transmission rate over the specified PVC between RouterA and RouterB and provide high priority service for Telnet data
transmission between RouterA and RouterB.
1RouterA is configured as follows.
Syntax
RouterA(config)# priority-list 1 protocol ip high tcp
23
RouterA(config)# map-class frame-relay name
RouterA(config-map-class)# frame-relay trafficrate 9600 128000
RouterA(config-map-class)# frame-relay prioritygroup 1
RouterA(config-map-class)# exit
RouterA(config-if-serial0/0)# encapsulation framerelay
RouterA(config-if-serial0/0)# frame-relay lmi-type
ansi
RouterA(config-if-serial0/0)# frame-relay trafficshaping
RouterA(config-if-serial0/0)# frame-relay interfacedlci 100
RouterA(config-fr-dlci)# class name
Descriptions
Configure a priority queue and set QoS of Telnet
as high.
Establish a map for PVC.
Specify the egress flow rate and peak rate for the
PVC related with the map type.
Specify the priority queue for the PVC related
with the map type.
Perform the frame-relay encapsulation.
Configure the LMI type .
Make traffic shaping effective on the frame-relay
interface.
Relate the map type with the specified PVC.
RouterA(config-fr-dlci)#exit
RouterA(config-if-serial0/0)# frame-relay map ip
192.168.2.2 100
RouterA(config-if-serial0/0)# ip address 192.168.2.1
255.255.255.0
RouterA(config-if-serial0/0)# priority-group 2

Configure the frame-relay address map.
Enable the PQ queue on the interface (the serialnumber is not consistent with the defined one.)
RouterA(config-if-serial0/0)# end
2) The simple frame-relay configuration is performed on RouterB.
5.6.12 Frame-relay Bridging VLAN
5.6.12.1 Frame-relay VLAN Configuration Commands
vlan-bridge
Use the command vlan-bridge to make the frame-relay network bridge VLAN; otherwise, use the negation of the
command to deny bridging VLAN.
Vlan-bridge vlan-interface
Syntax
Descriptions
vlan-interface
The VLAN interface to be bridged.
By defaultThe command is denied.
Command modeThe point-to-point sub-interface configuration mode.
5.6.12.2 An Example of Frame-relay VLAN Configuration
Frame
relay
Figure 4-24 the frame-relay bridging VLAN

Illustration:
As shown in figure above, in the one-point-to-multi-point frame-relay network, all routers are required to adopt the
point-to-point sub-interface configuration mode. The interface f0 of RouterA has three sub-interfaces that belong to three
different VLANs respectively. And the interface S0/0 also has three sub-interfaces that are related with three different
VLANs respectively; the interface f0.1 of RouterB belongs to Vlan1 and the interface s1/0.1 is related with Vlan1; the
interface f0.1 of RouterC belongs to Vlan2 and the interface s2/0.1 is related with Vlan2; the interface f0.1 of RouterD
belongs to Vlan3 and the interface s3/0.1 is related with Vlan3.

1) RouterA is configured as follows.
Syntax
RouterA(config)# interface fastethernet0.1
Descriptions
RouterA(config-if-fastethernet0.1)# encapsulation dot1q 1

RouterA(config-if-fastethernet0.1)#
interface
fastethernet0.2
Enter the sub-interface f0.1 configuration

mode.
Encapsulate the sub-interface to Vlan1.
mode.
RouterA(config-if-fastethernet0.2)#
interface
fastethernet0.3

mode.
RouterA(config-if-fastethernet0.3)# interface serial0/0
Enter the interface s0/0 configuration

mode.

RouterA(config-if-serial0/0)# interface serial0/0.1 point-topoint
RouterA(config-if-serial0/0.1)# frame-relay interface-dlci
100
vlan-bridge
RouterA(config-if-serial0/0.1)#
fastethernet0.1
RouterA(config-if-serial0/0.1)# interface serial0/0.2 pointto-point
200
RouterA(config-if-serial0/0.2)#vlan-bridge fastethernet0.2
RouterA(config-if-serial0/0.2)# interface serial0/0.3 pointto-point
300
RouterA(config-if-serial0/0.3)#vlan-bridge fastethernet0.3
2) RouterB is configured as follows.
Syntax
RouterB(config)# interface fastethernet0.1
RouterB(config-if-fastethernet0.1)# encapsulation dot1q 1
RouterB(config-if-fastethernet0.1)# interface serial1/0
Perform the frame-relay encapsulation for

the interface S0/0.
Set the LMI type.
Enter
the
sub-interface
s0/0.1
configuration mode.
Make S0/0.1 relate with F0.1 and bridge
the corresponding VLAN.
Enter
the
sub-interface
s0/0.2
configuration mode.
Enter
the
sub-interface
s0/0.3
configuration mode.
Descriptions
mode.
mode.
the interface s1/0.
Set the LMI type.
RouterB(config-if-serial1/0)# interface serial1/0.1 point-topoint

RouterB(config-if-serial1/0.1)# frame-relay interface-dlci
101
RouterB(config-if-serial1/0.1)# vlan-bridge fastethernet0.1
Enter
the
sub-interface
S1/0.1
configuration mode.
RouterB(config-if-serial1/0.1)# end
3) RouterC is configured as follows.
Syntax
RouterC# configure terminal
RouterC(config)# interface fastethernet0.1
RouterC(config-if-fastethernet0.1)# encapsulation dot1q 2
RouterC(config-if-fastethernet0.1)# interface serial2/0
RouterC(config-if-serial2/0)# encapsulation frame-relay
RouterC(config-if-serial2/0)# frame-relay lmi-type ansi
RouterC(config-if-serial2/0)# interface serial2/0.1 point-topoint
RouterC(config-if-serial2/0.1)# frame-relay interface-dlci
201
RouterC(config-if-serial2/0.1)# vlan-bridge fastethernet0.1
Descriptions
mode.
mode.
the interface S2/0.
Set the LMI type.
Enter
the
sub-interface
S2/0.1
configuration mode.
Make S2/0.1 relate with f0.1 and bridge
RouterC(config-if-serial2/0.1)# end
4) RouterD is configured as follows.
Syntax
RouterD# configure terminal
RouterD(config)# interface fastethernet0.1
RouterD(config-if-fastethernet0.1)# encapsulation dot1q 3
RouterD(config-if-fastethernet0.1)# interface serial3/0
Descriptions
mode.
mode.
RouterD(config-if-serial3/0)# physical-layer sync

RouterD(config-if-serial3/0)# encapsulation frame-relay
RouterD(config-if-serial3/0)# frame-relay lmi-type ansi
RouterD(config-if-serial3/0)# interface serial3/0.1 point-topoint
RouterD(config-if-serial3/0.1)# frame-relay interface-dlci
301
vlan-bridge
RouterD(config-if-serial3/0.1)#
fastethernet0.1
RouterD(config-if-serial3/0.1)# end

the interface s3/0.
Set the LMI type.
Enter
the
sub-interface
S3/0.1
configuration mode.
Notice
Vlan-bridge is required to adopt the point-to-point sub-interface configuration mode.
Chapter 6
DDR and Interface Backup
This chapter mainly describes how to configure a Maipu Router to perform the remote dialer access through PSTN and ISDN
(Integrated Services Digital Network).
Dialer backup
The configuration of DDR dialer
Dialer prototype
6.1 Dialer Backup

6.1.1 The Configuration of a Built-in Frequency-band MODEM
A built-in frequency-band modem in a Maipu router supports several dialer modes, such as synchronism, asynchronism,
dialer line, and leased line etc. This section describes how to configure the built-in frequency-band modem in a Maipu router
to perform the remote dialer function.
1)
The relevant commands
A. Configuring modem parameters

router(config-if-XXX)#modem ?
Command
Description
async-mode
Configures it in the asynchronous mode, including buffer asynchronism,

direct asynchronism and error asynchronism. (If you add a ? behind the
command modem async-mode, you can see the prompt of the next step.
Of course, you can get help of all the configuration through using ?)
clock-mode
In the synchronous mode, internal clock, external clock and slave clock
can be configured. In the asynchronous mode, it is unnecessary to
configure the clock.
clock-rate
In the synchronous mode, modem circuitry rate is configured. (In the

asynchronous mode, the command speed is used to configure interface
rate)
outer
The command is used to configure an outer modem, while it isnt used to

configure a built-in modem.
party
The command is used to configure modem as originator or answer.
Disable
Disable modem.
Enable
Enable modem.
Line
Configure modem as the leased line mode
v25bis enable
Forbidden AT command, active v.25bits command
Note:
1. The above commands can be used similarly when MP336/56MODEM is connected externally
B. Configuring the telephone number of a called user
Router (config-if-XXX) #dialer string phone number
Command
Description
dialer string <number>
Configures the telephone number of the called side. The number can only
be composed of Arabic numerals (When the exterior line of the built-in
modem is a dialer line, the number needs to be configured; when the
exterior line of the modem is a leased line, the number does not need to be
configured.)
Note:
1.
Many called numbers can be configured. After this, when the router dials a number, it will adopt the polling dialer
(Namely, the first number is dialed; if it is busy, then the second number is dialed in turn, and so on)
2) Examples of usage of configuring commands
A.
A leased line mode

5RXHU
6
6
5RXHU
Illustration:
1. The built-in frequency-band MODEM is configured on the interface interface serial2 of router1 and router2. And
the leased line mode is configured.
3. router1 is a caller that uses the internal clock, while router2 is the answer that uses the slave clock. The line speed
is 9600.
The configuration of router1 is as follows:

Command
router1(config)#interface serial2/0
router1(config-if-serial2/0)#ip address 1.1.1.1
255.255.255.0
router1(config-if-serial2/0)# encapsulation PPP
router1(config-if-serial2/0)#modem clock-mode internal
router1(config-if-serial2/0)#modem clock-rate 9600

router1(config-if-serial2/0)#modem line leased
router1(config-if-serial2/0)#modem party originate
router1(config-if-serial2/0)#modem enable
Task
Enters the interface configuration mode with
built-in frequency-band MODEM.
Configures the MODEM clock as the
internal, synchronous mode : internal clock
(internal); external clock (external); slave
clock (slave).
Configures the line speed as 9600.
Configures MODEM as the leased line mode.
Configures MODEM as a caller.
Enables the MODEM configuration to
become effective
Command
255.255.255.0
Task

router2(config-if-serial2/0)#modem clock-mode slave

router2(config-if-serial2/0)#modem line leased
router2(config-if-serial2/0)#modem party answer
Router2(config-if-serial2/0)#modem enable
Router2(config-if-serial2/0)#exit
Configures it as the slave clock mode
Configures MODEM as an answer.
B. The dialer mode:

The above are the configuration of the built-in modem with a leased line mode and its simple explanation. Then, we will
simply explain the configuration of the dialer mode as follows:

6

5RXHU
6
3671
5RXHU
Illustration:
1. The built-in frequency-band MODEM is configured on the interface serial2/0 of router1 and router2. And the dialer
mode is configured.
2. Router1 is a caller and router2 is an answer.
The relevant configuration (synchronous mode)
Command
Task


255.255.255.0
router1(config-if-serial2/0)#modem clock-mode internal
Configures it as the internal clock mode.
Configures MODEM speed.
router1(config-if-serial2/0)#modem party originate
Configures MODEM as a caller.
router1(config-if-serial2/0)#
dialer string 7722107
dialer string 7721679
router1(config-if-serial2/0)#
modem enable
Configures the telephone number of the

opposite terminal.
Enables the MODEM.
router2
Command
Task
255.255.255.0
Enters the relevant interface.

router2config-if-serial2/0)#physical-layer sync
router2(config-if-serial2/0)#encapsulation PPP
router2(config-if-serial2/0)#modem party answer
router2config-if-serial2/0)#modem clock-rate 33600
router2(config-if-serial2/0)#modem enable

Configures it as an answer.
Configures MODEM ratio.
Enables the MODEM.
The configuration of the asynchronous mode is as follows:

The configuration of Router1
The configuration of Router2
interface serial3
interface serial3
speed 115200
speed 115200
databits 8
databits 8
stopbits 1
stopbits 1
parity none
parity none
flow-control none
flow-control none
encapsulation ppp
encapsulation ppp
ip address 10.0.0.1 255.0.0.0
ip address 10.0.0.2 255.0.0.0
dialer string 8005
modem party originate
modem party answer
modem enable
modem enable
Exit
Exit
Note:
1.
2.
When using the leased line mode, MODEM keeps on calling (or answering) until it is connected.
If it is an outer modem, modem outer needs to be configured.
6.1.2 Dialer Script

There are many types of modems for sale in todays market. Although they all support the AT instructions set, there are some
differences with regards to their implementation. To provide more flexibility, a dialer language, called dialer scripts, can be
established. The script language has the following features:
o The script is composed of some ordered set of some defined keywords, sent strings and expected strings.
o Strings can be separated by a blank.
o A script command doesnt match upper/lower case. It begins with at or AT and represents that what will be sent is
an AT command.
o The AT instructions set of different companies may be different, so they should be configured by referring to their
accessory specifications.
Editing script
router (config)#chat-script
script-name
script name
script
script content
For example, configuring the following script:

router (config)#chat-script Maipu at&f&k3%c3 atm1
In this example, the script name is Maipu and the script contents are at&f&k3%c3 and atm1.
Using the command no to delete the script:
router (config)# no chat-script script-name
Configure the Modem script that is executed when a connection needs to be established:
router(config-if- XXX)# script connection script-name
Script-name is configured in the global configuration mode: chat-script script-name, which is the script-name in the script.
Its purpose is to connect the AT command with the corresponding interface.
When the router needs the modem to call out, it will send the script designated by script-name to the modem first, and then it
will initialize configuration of the modem. When all of the modem scripts have been executed successfully, the initialization
finishes. After this, the router sends the dialer string to the modem to call the opposing party.
Similarly, when the modem is configured as modem party answer, and when the opposite terminal sends call and the localend receives a bell-shaking signal, the router will also sends the modem initialization script to configure the modem. When
all configuration succeeds, the modem will negotiate with the opposite modem, and the router will enter the status
Answering incoming call to wait for the connection of modem. When the modem has succeeded in connecting, it will enter
the phase of the link layer negotiation.
Use no script connection to cancel the feature.

router(config-if-serial2/0)#no script connection
Note:
1.
If no script is configured for the modem, then the modem will start the default script set by the system. Because the
AT scripts supported by various companies have some differences, it is recommended that users configure the
script for a modem through referring to the modem usage manual of its company so that the modems of different
companies and types can work in better harmony with the router.
2.
You can use the debug commands (for example, debug modem s2) to examine the default script.
Appendix: the scripts in common use MP336 series
THE AT
COMMANDS IN
COMMON USE
&QnDn (the default is D2)
Functions of all kinds of
compressions triggered
respectively when DTR hops from
ON to OFF. Notice that D0 can be
only useful to the Q1 mode, while
D1, D2 and D3 are useful to all the
compression modes.
&Qn
(The default is &Q5)
&QnCn
(controled by DCD)
The relevant explanation
&D0 : simple hangup of the modem;

&D1 : changing from the data mode to the command mode;
&D2 : the modem hangs up and closes the auto-answer;
&D3 : the modem reset
&Q0: Using the direct asynchronous mode

&Q1: Using the synchronous connection mode (the command mode
being of asynchronism)
&Q5: Using the error asynchronous mode
&Q0: Using the common asynchronous mode (with the function of rate
buffer)
Result coden=0-6OK other valueERROR
&C0: DCD being ON all the time;
&C1: DCD indicating the status of the carrier wave;
(The default is &C1)

&Kn
(the flow control modes between
DCE and DTE)
e default is &K3)
&Ln
Functions of the leased (special)
line
%Cn
(Limit to the error control mode)
(The default is &C3)
%En
Controlling and monitoring line
quality
(The default is &E0)
Result code: n=0,1, OK;
other values, ERROR.
&K0: no flow control mode

&K3: the RTS/CTS flow control mode (the default)
&K4: the XON/XOFF flow control mode
&K5: transparent XON/XOFF flow control mode
&K6: the XON/XOFF and RTS/CTS simultaneous control mode
The result code: n=0,3 to 6, OK; other values, ERROR
&L0: the command mode;
&L2: the auto leased line mode
&L3: the auto dialer line mode
&L5: the dialer backup working mode
&C0: No compression
&C1: Enable the MNP5 compression mode
&C2: Enable the V.42bis compression mode
&C3: Enable the V.42bsi compression and the MNP5 compression
mode
Result code: n=0 to 3, OK; other values, ERROR
Notice: & and % are different.
&E0: without monitoring line quality, using auto retraining
&E1: monitoring line quality, performing auto retraining
&E2: monitoring line quality, automatically promoting/depressing
speed according to the quality status
Automatically promote/depress speed that is chosen in the
V.32bis/V.32 modulation speed. When speed is lower than 4800bps, it
cant be promoted/depressed, instead, it can auto retrain only. (This is
used in dialer line only)
The result code: n=0 to 2, OK; other values, ERROR
The modem loads the factory default configuration.
&F
Note:
1.
When the command AT is configured, it should be done according to the instructions of the corresponding
company.
2.
When different modulation protocols are chosen, the appropriate one should be done according to the different line
status. For example, both V.34 protocol and V.22bis support the speed 2400. But in fact, the same speed using
different modulation protocols will have different effect because of the line status.
6.1.3 The Configuration of Dial Backup

Command
Task
router(config-if- XXX)#backup delay
Configures the time should elapsed before the

secondary line status changes after a primary
line status has changed
router(config-if-XXX)#backup interface
Configures an interface as a secondary or dail

backup
For example:
router(config-if- XXX)# backup interface s3/0
Set the interaface s3/0 as the backup line

router(config-if- XXX)# backup delay 5 5
Set a 5-second delay on activating the secondary line and set a 5-second delay on deactivating the
secondary line
6.1.4 The Typical Example of Dialer Backup

The example of modem dialer backup configuration:
5RXW HU e o$
6

6

&DO O
0RGHP
:$1
6

6

3671

5RXW HU e o%
$QVZHU
Explanation: The serial 2 of the router router-A connects to an outer modem, chooses the asynchronous mode, encapsulates
PPP protocol , is used as a backup line of serial 0 and a caller uses the manual configuration of modem script; The detailed
configuration is as follows:
The configuration of router-A:

Command
Task
router-A(config)#int s0
router-A(config-if-serial0)# encapsulation ppp
router-A(config-if-serial0)# physical-layer sync
router-A(config-if-serial0)# backup interface serial2
router-A(config-if-serial0)#
backup delay 5 5
Configures the S2 as a backup

interface.
Set a 5-second delay on activating
the secondary line after the primary
line goes down and set a 5-second
delay on deactivating the secondary
line after the primary line comes up
router-A(config-if-serial0)#ip add 128.255.1.1 255.255.0.0

router-A(config-if-serial0)#exit
router-A(config)#
chat-script modem-configure
at&f%c3&k3&c1
Establishes a MODEM script:

The script name: modem-configure
The script contents:
at&f%c3&k3&c1
router-A(config)#int
s2
router-A(config-if-serial2)# physical-layer async

router-A(config-if-serial2)#speed 38400
router-A(config-if-serial2)# modem outer
Configures the outer MODEM.
router-A(config-if-serial2)# dialer string 5566030
Configures the called number as

5566030.
router-A(config-if-serial2)#modem party originate
Configures MODEM as the caller.
router-A(config-if-serial2)#script connection modem-configure
Specify the modem script that

should be executed
router-A(config-if-serial2)#ip address 192.255.255.1 255.255.255.0
Note:
Analyzing the above script: &f is to used to load the factory default configuration%c3&k3&c is used to modify the
corresponding parameters of the script. Of course, if you want to configure the parameters by yourself, you need not use the
script of &f.
The serial 2 of the router router-B connects to an outer modem, chooses the asynchronous mode, encapsulates PPP protocol,
is used as a backup line of serial 0 and an answer uses the default script of the modem;
The detailed configuration is as follows:
router-B(config)#int s0
router-B(config-if-serial0)#
ip add 128.255.1.12 255.255.0.0
router-B(config-if-serial0)# encapsulation ppp
router-B(config-if-serial0)# physical-layer sync
router-B(config-if-serial0)#exit
router-B(config)#
chat-script modem-configure
Configures the dialer script.

at&f%c3&k3&c1
router-B(config-if-serial2)# physical-layer async
router-B(config-if-serial2)# enc ppp
router-B(config-if-serial2)# flow-control software
ip address 192.255.255.2 255.255.255.0
router-B(config-if-serial2)# modem outer
Starts the outer MODEM.
router-B(config-if-serial2)# modem party answer
Configures MODEM as the answer.
router-B(config-if-serial2)#speed 38400
router-B(config-if-serial2)#exit`
6.1.5 Configure Backup load
You can configure the backup load to activate or deactivate the secondary line based on the traffic load on the primary and
sencondary line.When the load on the primary line is greater than the value, the secondary line is enabled.When the load on
the primary line plus the load on the secondary line is less than the value, the secondary line is disabled.
Load diapup uses the traffic load to activate/disconnect backup line. When the traffic of the primary line reach some
threshold (the percentage of maximal traffice, the same as the below.), the backup line is activated; when the total traffic of
the primary and backup line is less than some threshold, the backup line is disconnected.
1)
Backup load
Set a traffic load threthold for dial backup service
Backup load {enable-threshold|never} {disable-load|never}
no backup load
Syntax
Description
Enable-threshold
Percentage of the primary lines available bandwidth that the

traffic load must exceed to enable dail backup
never
Sets the secondary line never to be activated due to traffic

load
disable-load
Percentaget of the primary lines available bandwidth that

the traffic load must be less than to disable dial backup
never
Sets the secondary line never to be deactivated due to traffic

load
Note:
1. You shoud configure backup interface first before configure load dialup.
2. The traffic statistics of the line is the traffic statistics every 5 minutes.
2)
Examples of usage of configuring commands
Illustration;
1) Two lines are employed between Router1 and router2: one is the primary line, connecting with the interface s2/0, and
the other is the backup line, connecting with. The phone number corresponding router1 is 601 and that corresponding to
router2 is 611.
2) The purpose of the example above is that when the traffic load reaches the value assigned to the line, the secondary
line is activated although the primary line is still enabled.
About the detailed DDR configuration, refer to Section 5.2 DDR Dialup Configuration.
command
Task
Router1# configure terminal

Router1(config)# dialer-list 1 protocol ip permit
Router1(config-if-serial1)#
255.0.0.0
ip
address
22.1.1.1
Router1(config-if-serial1)# backup interface serail2

backup load 90 10
Assign interface s 2 to be the backup

interface
sets the traffic load threshold to 90 percent of
the primary line serial 0.
When The load is exceeded, the secondary
line is activated, and will not be deactivated
until the combined
load is less than 10 percent of the primary
bandwidth.
Router1(config-if-serial1)# interface serial2

Router1(config-if-serial2)# physical-layer async
Router1(config-if-serial2)# dialer in-band
Specify DDR (Dial-On-Demand Routing) to

be supported
Router1(config-if-serial2)# dialer-group 1
Router1(config-if-serial2)# dialer string 611
Router1(config-if-serial2)# modem outer
Router1(config-if-serial2)# ip addr 21.1.1.1 255.0.0.0
Router1(config-if-serial2)# interface loopback0
Router1(config-if-loopback0)#
255.0.0.0
ip
addr
20.1.1.1
Router1(config-if-loopback0)# exit
Router1(config)# ip route 20.1.1.2 255.255.255.255
21.1.1.2
Router1(config)#ip route 20.1.1.2 255.255.255.255
22.1.1.2
Command
Task
Router1# configure terminal

Router1(config)# dialer-list 1 protocol ip permit
255.0.0.0
ip
Configure main interface

address
Router1(config-if-serial1)# interface serial2

Router1(config-if-serial2)# physical-layer async
22.1.1.2
Configure backup interface
Router1(config-if-serial2)# modem outer

Router1(config-if-serial2)# ip addr 21.1.1.2 255.0.0.0
Router1(config-if-serial2)# interface loopback0
Router1(config-if-loopback0)#
255.0.0.0
ip
addr
20.1.1.2
Router1(config-if-loopback0)# exit
21.1.1.1
22.1.1.1
3)
Debug commands
show interface
Display the 5-minute traffic load of an interface
z Debug backup
Display the debugging information in the course of load dialup.
The Debugging of Modem

To examine its dialer status and the relative information, use the debug modem command:
router#debug modem interface
This command displays the debugging information of a given interface
The following is the debugging information with default parameters:
pppdown1#debug modem s3
pppdown1(config)#1d2h: [tMdmDelay]serial3: Config modem for dialing out
1d2h: [tMdmDelay]serial3: AT configurating command:
AAT&FE0Q0W1S95=44S36=5S25=0X0
AAT&D2&Q5
AATM1L1
1d2h: [tSccRx3]serial3: Success to send the 0th group configuring command
1d2h: [tSccRx3]serial3: Success to send the 1th group configuring command
1d2h: [tSccRx3]serial3: success to configure modem
1d2h: [tSccRx3]serial3: Start dialing automatically
1d2h: [tNetTask]serial3: Dialing timeout is set as 45s(DL-mode)
1d2h: [tNetTask]serial3: Dialing 8005...
Closing the modem debugging switch
router#no debug modem interface
Note:
1. If modem does not dial up, it should be examined whether cables are connected correctly, and make sure that the
modem has been turned on and configured as the receiving AT commands mode and reliably connected to the
correct interface.
2. When users try to turn on the dialer connection but the modem doesnt respond to the access request, users should
examine whether the remote modem is configured as the auto-answer or the AT command mode. They should make
sure that the remote modem has connected with the router or other equipments. If necessary, the dialer sound on the
telephone line can be examined.
3. If the modem can not receive answers or send calls correctly, users can also examine whether the modem script is
configured correctly through the command debug modem interface.
4. When the modem connects with Cisco products, users should notice whether the modem DTR lamp is normal. If it is
abnormal, users should clear the line through the command clear line ***.
6.2 DDR Dialer Configurations
Preparing to configure DDR (Dial-On-Demand Routing)
For a network needing to use DDR, users can perform configuration according to the following series of operations:
o
Decide which routers use DDR, select what kind of transmission medium will be used, which interfaces of the outer
use DDR, which kind of DDR topology structure an interface adopts, whether an interfaces sends call, or accepts
call, or both.
Decide the interface type (asynchronous serial port or ISDN interface).
Configure the interface encapsulation, the default is PPP.
Configure the routing protocol (RIP, OSPF or static routing etc) employed on the DDR port.
6.2.1 Configuring DDR (Dial-On-Demand Routing)

1) The relevant commands
Defining the Interesting Traffic
The global configuring command is: dialer-list (also called dialer list). In order to control the condition for a DDR call to take
place, users can use the command dialer-list to configure the packet condition. Only those packets that meet the packets
prescribed by dialer-list can initiate DDR to dial up. The simple format of the command can prescribe a set of protocols that are
both permitted to trigger a call/prohibited from triggering a call. The complex format of the command can cite an access control
list so as to define interesting data in detail.
router(config)#dialer-list dialer group number protocol ip { permit | deny | list access-list-number }
Dialer group number is the sequence number <1_10> of dialer-list, corresponding with the dialer-group groupnumber of DDR interface configuration.
Access-list-number is the sequence number of the access list access-list corresponding with dialer-list
Ip is a protocol name, and the protocol supported presently is ip protocol.
Permit indicates packets corresponding with the protocol are permitted.
Deny indicates packets corresponding with the protocol are denied.
Note:
1. When configuring the access list, you should do it orderly. In addition, the multicasting packet of the routers from
some companies can trigger the dialer. For example, for the multicasting packet of OSPF 224.0.0.5, it is best to
deny it; or else, the telephone company will give you the telephone bill. Or you can use debug dialer packer to
examine whether there is the multicasting packet, whether it is necessary to configure an access list for the triggered
dialer
router(config-if-serial1)#dialer ?
The relevant configuration is as follows:
Command
Description
callback-secure
Turns on the callback security switch; hang up the

call without correct configuration of reverse
callback.
enable-timeout
Set the length of time an interface stays down after
a call has conmpleted or failed and before it is
fast-idle
hold-queue
idle-timeout
in-band
load-threshold
map
pool
pool-member
Priority
remote-name
rotary-group
Rotor
String
wait-for-callback-time
wait-for-carrier-time
available to dial again

Configures fast idle time, for which the line will
stay before it is disconnected and the competing
call is placed, if there exists competition on the line.
Configures the number of outgoing packets to be
queued.
Specify the idle time before the line is disconnected
Specify DDR (Dial-On-Demand Routing) to be
supported.
.Interface load beyond which the dialer will initiate
another call to the destionation
Associates the IP address of the opposite terminal
with the phonenumber or the called user name so as
to call one or more sites.
Associates the dialer interface with the dialer pool
(taking effect in the dialer interface).
Configure the physical interface.to be a member of
a dialing pool.
Configures the priority of physical interface in the
dialer pool.
Configures the name of the remote system.
Adds an interface into the dialer rotary group.
Designates the method used by DDR to call the
outward line.
Configures the telephone number to be dialed up.
Configures the time waiting for the callback.
Configures the longest time for DDR to wait for
call establishment.
Distributing the dialer list dialer-list to a port

After defining a dialer-list, you need to associate it with the interface answering for originating/accepting call. The
corresponding command is as follows:
router(config-if-serial1) # dialer-group group-number
group number
dialer-group: The command configures an interface as a member of a special dialer group. The group points to a dialer list.
group-number: It is the number of the dialer group the interface belongs to. The group is defined through the command
dialer-list, which defines the interesting traffic of DDR. The value that can be accepted is an integer from 1 to 10.
dialer-group
The command configures an interface to belong to a given dialer-group, which points to a dialer-list.
group-number
This is the number of the dialer access group to which the interface belongs. The dialer access group is defined by the
command dialer-list, which defines the trigger data stream originating DDR. The acceptable values are the integer within 1
to 10.
Defining the relevant parameters of the destination
After defining the structure of the interesting traffic, you should provide the interface answering for originating call/answer
with all necessary parameters that arriving at the destination needs. Here, dialer map or dialer string indicates the routing
information, such as the telephone number to dial, etc.
The command dialer map:
router(config-if-serial1)#dialer map ip A.B.C.D name hostname dialer-string

ip
representing protocol
A.B.C.D
representing the name of the remote system
dial-string
representing the dialed telephone number to arrive at the remote-end destination
The command dialer string:
pppdown1(config-if-XXX)#dialer string <STRING>
<STRING>
Dialer string
The telephone number of the opposite terminal
Note:
1. When it is only used to send call, the command dialer map and the telephone number string dialer-string are
necessary; the keyword name is optional.
2. If the keyword name is employed, PPP authentication must be configured. The name should be the same as the
hostname sent from the remote end.
3. If the dynamic routing is configured, the option broadcast must be added behind name hostname.
4. The command dialer map and dialer string cant be used simultaneously.
5. The command dialer map and the keyword name are needed in the dialer callback.
2)
Illustration of the command usage

6

5RXW HU e o

0RGHP
3671
6
5RXW HU e o

5RXW HU e
o

6

Illustration:
1. Router-1, Router-2 and Router-3 connects with each other through the outer MODEM and PSTN dialer.
The configuration of router1 s1 and the DDR relevant configuration are as follows:
User name and dialer-list:
Command
Task
route1#configure terminal
route1(config)#dialer-list 1 protocol ip list 1001
route1(config)#user route2
route1(config)#user route3
password 0 Maipu
password 0 Maipu
route1(config)#ip access-list extended 1001

route1(config-ext-nacl)#deny ip any 224.0.0.0
0.255.255.255
route1(config-ext-nacl)#permit ip any any
Permits the dialer access group1 to spur DDR

dialer.
Configures user name and password. You can
configure several user names, which has no
affect on the configuration of name in dialer
map. As long as the user name corresponds
with the name in dialer map, it is ok.
Establishes an access list 1001.
The access rule is configured mainly for that
some multicasting packets that can trigger
DDR dialer.
The configuration of the interface:

Command
Task
route1(config)#interface serial1
route1(config-if-serial1)#physical-layer async
route1(config-if-serial1)#speed 115200
route1(config-if-serial1)#databits 8
route1(config-if-serial1)#stopbits 1
route1(config-if-serial1)#parity none

Configures it as the asynchronous mode
Speed is 115200.
8 data bits
1 stop bit
The parity bit is NULL.
route1(config-if-serial1)#flow-control none
route1(config-if-serial1)#encapsulation ppp
route1(config-if-serial1)#ip address 10.170.0.1 255.0.0.0
route1(config-if-serial1)#modem outer
route1(config-if-serial1)#dialer in-band
route1(config-if-serial1)#
dialer idle-timeout 100
dialer fast-idle 30
dialer map ip 10.170.0.2 name route2 4081240
dialer map ip 10.170.0.3 name route3 4081150
route1(config-if-serial1)#dialer-group 1
route1(config-if-serial1)#ppp authentication chap

route1(config-if-serial1)#ppp chap hostname route1
Configures the flow control as NULL.

Enables the outer MODEM to be effective.
be supported
DDR hangs up link when no data stream
passes through the link within 100 seconds
after a call is created.
After the current call has been idle for 30
seconds, the call gives place to another one
that is waiting.
Sends the call with telephone number
4031240 to router2 with the address
10.170.0.2.
Sends the call with telephone number
4081150 to router3 with the address
10.170.0.3.
The interface s1 belongs to the dialer access
group 1 (Dial up only when the data stream
according with the dialer-group1 is triggered.)
Configures chap authentication, Configure the
command as the chap originator.
Configures the authenticated name
corresponding with the name in the opposite
terminal dialer map.
route1(config-if-serial1)#exit
Configuring dialer triggering route :

route1(config)#ip route 192.168.3.0 255.255.255.0 10.170.0.3
route1(config)#ip route 192.168.1.0 255.255.255.0 10.170.0.2
Note:
1.The above two routes are used to trigger the different telephone numbers that the
different directions of data stream trigger.
2.During the course, after the route1 dials on the outer modem of the route2 and constructs an access to the
route2, if there is no data sent through the s1 within 100 seconds (namely exceeding the value of idletimeout), the router1 will trigger modem1 to automatically disconnect the connection with the modem2 of the
route2. Within the idle time, if the route1 receives the data stream to trigger calling the route3, the timer fastidle will start. Within the 30 seconds the timer fast-idle times, if there is no data sent to the route2 through the
s1, the route1 will disconnect the connection with the route2 and call the route3.
3.For the answer, it should be configured as the authentication originator. At the moment of callback, two same
names can not be configured in dialer map on the side of callbacker. Besides the above, of course, the same user
name with that on a Cisco router can not also be configured at the time of authentication.
3)
The example of DDR (Dial-On-Demand Routing) dialer configuration
The serial 2 of the router router-A connects to an outer modem, chooses the asynchronous mode, encapsulates the
PPP protocol (using chap authentication), is used as a backup interface and a caller and start the script of the modem:
at&f&k3%c3&c1. The serial port 0 is used as the master interface, encapsulates the HDLC protocol. The dialer adopts
the dialer map mode.
The serial 2 of the router router-B connects to an outer modem, chooses the asynchronous mode, encapsulates PPP
protocol, is used as a backup line to the serial 0 and a answer uses the script of the modem: at&f&k3%c3&c1. And the
static routing is adopted between routers.

5RXW HU e o$
6

6

&DO O
0RGHP
:$1
3671
6

6
5RXW HU e o%

$FNQRZO HGJH

Illustration:
Router-A and Router-B connect with each other through their own s0, while their own s2 connects the outer modem,
which serves as a backup line to the interface s0.
The configuration of a caller:

Command
Task
router-A#con t
router-A(config)#
user answer pass 0 Maipu
router-A(config)#
dialer-list 1 protocol ip permit
router-A(config)#
chat-script m-con at&f&k3%c3&c1
Configures the opposite terminal as a local

user and configure its password, which must
be the same as the user password configured
by the opposite terminal (namely the chap
authentication password sent by the opposite
terminal).
Configures the packets triggering dialer.
Establishes the MODEM dialer script.
The script name: m-con;
The script contents: at&f&k3%c3&c1
router-A(config)# int f0
router-A(config-if-fastethernet0)# ip address 195.168.1.3
255.255.255.0
router-A(config-if-fastethernet0)#exit
router-A(config-if-serial0)#phy sync
router-A(config-if-serial0)# encapsulation hdlc
ip address 128.255.1.1 255.255.0.0
backup interface serial2
backup delay 5 20
Uses the serial S2 as the backup line to the

interface s0.
Set a 5-second delay on activating the
secondary line after the primary line goes
down and set a 20-second delay on
deactivating the secondary line after the
primary line comes up
router-A(config-if-serial2)# physical-layer async
ppp authentication chap
ppp chap hostname caller
router-A(config-if-serial2)# ip address 192.255.255.1
255.255.255.0
modem outer
dialer in-band
dialer map ip 192.255.255.2
Configures the outer modem.
name answer 5148120
script connection m-con
dialer-group 1
router-A(config)# ip route 193.168.0.0 255.255.0.0 serial0
router-A(config)# ip route 193.168.0.0 255.255.0.0 serial2
200
Command

be supported
Configures a dialer association. IP address of
the opposite terminal is 192.255.255.2, the
authentication user name is answer and the
telephone number to dial is 5148120. If the
dynamic routing is employed, dont forget to
add a word broadcast behind the telephone
number.
Configures the MODEM script.
Defined the interesting traffic that triggers
DDR.
Adds the static route.
Task
router-B# configure terminal

router-B(config)#user caller password 0 Maipu
router-B(config)#dialer-list 1 protocol ip permit

router-B(config)#
chat-script m-con at&f&k3%c3&c1
router-Bconfig# int f0
router-B(config-if-fastethernet0)#
ip address 193.168.2.3 255.255.255.0
Configures the opposite terminal as a

local user and configure its password,
which must be the same as the user
password configured by the opposite
terminal (namely the chap authentication
password sent by the opposite terminal).
Configures the packets triggering dialer.
Establishes MODEM dialer script;
The script name: m-con
The script contents: at&f&k3%c3&c1
router-B(config-if-fastethernet0)#exit
router-B(config-if-serial0)#phy sync
router-B(config-if-serial0)#encapsulation hdlc
router-B(config-if-serial0)#clock rate 64000
router-B(config-if-serial0)#ip address 128.255.1.2 255.255.0.0
router-B(config-if-serial2)# physical-layer async
router-B(config-if-serial2)# encapsulation ppp
router-B(config-if-serial2)# ppp authentication chap
Configures chap authentication.
router-B(config-if-serial2)# ppp chap hostname answer
Configures the name of chap

authentication.
Of course, if this side serves only as an
answer, it will be not necessary to
configure the telephone number to dial.
router-B(config-if-serial2)# dialer map ip 192.255.255.1 name

caller( 5148343)
router-B(config-if-serial2)# ip address 192.255.255.1
255.255.255.0
router-B(config-if-serial2)#modem outer
Configures the outer modem.
dialer in-band
router-B(config-if-serial2)#script connection m-con
Specify DDR (Dial-On-Demand Routing)

to be supported
Configures MODEM script.
router-B(config-if-serial2)#dialer-group 1
Defines the interesting traffic that triggers

DDR.
router-B(config)#ip route 195.168.0.0 255.255.0.0 serial0
router-B(config)#ip route 195.168.0.0 255.255.0.0 serial2
Adds the static route
Noticeable points:
z If the modem does not dial up, users should examine whether cables are connected correctly, should make sure that
the modem has been turned on, it has been configured as the mode the modem can accept the AT commands and
that it has connected reliably with the correct interface.
z When users try to open the dialer connection but the modem has no response to the access request, users should
examine whether the remote modem is configured as auto-answer or the AT command mode. They should make
sure that the remote modem has been connected to the router or to other equipment. When necessary, they can also
examine whether there is a dialer sound on the telephone line.
z If a modem can not accept an answer or send call correctly, users can also examine whether the modem script is
configured correctly through the command debug modem interface.
z When the dialer backup interface does not dial up, then dcd is down, but its flag Flags is often in the status of up
(spoofing). However, at the moment, the interface is not up really. Only when the primary line goes down and
there is data to trigger, then the dialer backup interface can dial. When it is connected correctly, the flags will be in
the status of up.
6.2.2 Dialer Callback

PPP reverse callback provides a kind of client/server relation between the two ends connected in terms of the point-to-point
mode. The function of PPP reverse callback permits the router to ask the opposite terminal router connected by dialer to call
back. The feature can be used to control access and save the charge of the remote call between routers.
Operation and procedure of reverse callback:
1.
The reverse callback client originates a call. In the LCP negotiation phase of PPP, a client can use the reverse
callback option to request the reverse callback.
2.
3.
4.
5.
6.
The reverse callback server determines the reverse callback request and examines the configuration of itself to validate
whether the reverse callback is employed.
The reverse callback client and server process the authentication through CHAP or PAP. A user name is used to
distinguish the dialer string used by the callback.
After the success of the first authentication, the router used as the reverse callback server will distinguish the dialer
string used by the reverse callback. The reverse callback server compares user names with the host names in the dialermapping list.
If dialer callback-secure is not started, the reverse callback server will maintain the initial call when the reverse
callback isnt configured for the authenticated user name; or else, the reverse callback server will hang up the initial call.
The reverse callback server uses a dialer string to originate a reverse callback. If it fails, it will not try to call again.
During the course of returning a call back, the reverse callback does not process LCP negotiation of PPP.
7.
8.
Process to call.
Keep on connecting.
Note:
If the caller requests to process reverse callback but the server is not be configured to accept a reverse callback, then the
answer router will maintain the initial call originated by the caller.
The relevant commands of reverse callback in the global configuration mode:
Command
Username username password password
map-class dialer string
Dialer callback-server
Dialer enable-timeout
Dialer fast-idle
Dialer idle-timeout
Dialer wait-for-carrier-time
Description
Creates a local authentication database based
on user names.
Creates a callback mapping class.
Starts the callback server.
Configures the waiting time of a callback
Configures the fast idle time when there exists
competition.
Configures the idle time of before hangup
Changes the value of the fast call rerouting
timer into twice the value of start pause timer.
The configuring commands in the interface mode:

Command
Description
Dialer callback-secure
Starts a secure callback (dialing up an

abnormal call).
Callback requestapplied to a client
Callback acceptation
PPP callback request

PPP callback accept
The configuration example of dialer callback:
'L DO XS

5RXW HU e o$

3671
&DO O EDFN
5RXW HU e o%
Illustration:
1. The routers Router-A and Router-B connect with each other through PSTN network. The Router-A is a dialer
requester the Router-B is a callbacker. The telephone number of the Router-A is 8001 and the number of the
Router-B is 8002.
2. The router Router-B is used as the dialer server in this example.
The configuration is as following:
Router1A
router1A (config)#user Maipu password 0 Maipu
router1A (config)#dialer-list 1 protocol ip permit
router1A (config)#int s2
router1A (config-if-serial2)#ip address 100.0.0.1 255.0.0.0
router1A (config-if-serial2)#enc ppp
router1A (config-if-serial2)#phy async
router1A (config-if-serial2)#dialer in-band
router1A (config-if-serial2)#dialer-group 1
router1A (config-if-serial2)#dialer map ip 100.0.0.2 name Maipu broadcast 8002
router1A (config-if-serial2)#ppp callback request
router1A (config-if-serial2)#ppp authentication chap
router1A (config-if-serial2)#ppp chap hostname goat
Router2B
router2B (config)#user goat password 0 Maipu
router2B (config)#dialer-list 1 protocol ip permit
router2B (config)#map-class dialer goat
router2B (config-map-class)#dialer callback-server
router2B (config)#int s2
router2B (config-if-serial2)#ip address 100.0.0.2 255.0.0.0
router2B (config-if-serial2)#enc ppp
router2B (config-if-serial2)#phy async
router2B (config-if-serial2)#dialer in-band
router2B (config-if-serial2)#dialer-group 1
router2B (config-if-serial2)#dialer map ip 100.0.0.1 name goat class goat broadcast 8001
router2B (config-if-serial2)#dialer callback-secure
router2B (config-if-serial2)#ppp callback accept
router2B (config-if-serial2)#ppp authentication chap
router2B (config-if-serial2)#ppp chap hostname Maipu
Note:
1. The callbacker must be configured as the chap originator.
2. Two same names cant be configured in the dialer map of the callbacker because a callback decides its callback
object according to name and the same names will lead that the numbers needed to call back cant be identified.
3. The function of broadcast in dialer map is to let the dynamic routing pass.
2.3 Configuring ISDN
ISDN access interface is a physical connection between users and ISDN service providers. Presently, two different kinds of
access interfaces are defined by ISDN suggestions of ITU-T, which are respectively called Basic Rate Interface (BRI) and
Primary Rate Interface (PRI). Because the establishment of ISDN needs a dialer environment, the Maipu router adopts DDR
(Dial-on-Demand Routing) technology. So, only when relevant packets arrive, the remote-end router of will be dialed. This
technology can save charges for its users.
When the router is configured with the ISDN module, the command show run can be used to see the interface bri0
interface. In order that DDR of ISDN is achieved, the basic configuration of some routers is necessary. The following
example, will explain how to use ISDN on a Maipu router.
1)
The example of ISDN BRI configuring DDR:
The following figure shows the structure of a network where one router connects to another one via ISDN. The following
example shows how to combine commands to establish ISDN and DDR. In the example, the commands dialer map and
chap authentication are used.
%5,

5RXW HU e o$
17

%5,

, 6'1 &DO O
17
, 6'1

5RXW HU e o%
The following is the configuration of the router-A, which adopts the dialer map and ppp chap authentication.
The configuration of router-A:
Command
Task
Router-A(config)#hostname router-A
When the user name of ppp chap hostname is

not configured, the chap authentication will
send the hostname configured here to the
opposing party.
router-A(config)#user router-2 password 0 Maipu
Configures the opposite terminal as a local user;

configure the password (it is the same with the
user password of the caller). The user is
registered when the machine starts.
router-A(config)#dialer-list 1 protocol ip permit

router-A(config)#interface fastethernet0
router-A(config-if-fastethernet0)#ip address 128.255.252.2
255.255.255.0
router-A(config)#exit
Defines the interesting traffic.
router-A(config)#interface bri0
router-A(config-if-bri0)#
encapsulation ppp
Enters the bri0 configuration mode.
router-A(config-if-bri0)#ppp chap hostname router-A
Configures the user name used for chap

authentication.
Configures the interface f0.
Encapsulates PPP protocol and configure CHAP

authentication.
ip address 192.168.1.1 255.255.255.252
router-A(config-if-bri0)#dialer idle-timeout 60
Idle timeout
router-A(config-if-bri0)#dialer enable-timeout 5
The interval of next calls
router-A(config-if-bri0)#dialer map ip 192.168.1.2 name
Defines the relevant parameters of the
router-2 51481279
destination.
router-A(config-if-bri0)#dialer-group 1
The port belongs to the dialer-group1.
router-A(config-if-bri0)#exit
router-A(config)#
ip route 130.255.252.0 255.255.255.0 192.168.1.2
Configures the trigger dialer routing (it is also a

static routing).

The configuration of router-2:
Command
Task
router(config)#hostname router-B
router-B(config)#user router-A password 0 Maipu
router-B(config)#dialer-list 1 protocol ip permit
Configures a dialer-group.
router-B(config)#interface fastethernet0
router-B(config-if-fastethernet0)#
ip address 130.255.252.10 255.255.255.0
router-B(config)#exit
router-B(config)#interface bri0
router-B(config-if-bri0)#encapsulation ppp
router-B(config-if-bri0)#ppp authentication chap
Configures CHAP authentication.
router-B(config-if-bri0)#ppp chap hostname router-B
Configures the name of CHAP authentication.
router-B(config-if-bri0)#
ip address 192.168.1.2 255.255.255.252
router-B(config-if-bri0)#dialer idle-timeout 60
Configures idle time.
router-B(config-if-bri0)#dialer enable-timeout 5
router-B(config-if-bri0)#
dialer map ip 192.168.1.2 name router-A
router-B(config-if-bri0)#dialer-group 1
Configures the mapping of dialer.

Configures the trigger dialer-group1.
router-B(config-if-bri0)#exit
router-B(config)#ip route 128.255.252.0 255.255.255.0
192.168.1.1
Note:
1. The static routing commands of the router-A defines the IP routing of the 130.255.252.0 network connecting to
the LAN interface inter f0 of the router router-2.
2. Interesting packet can be defined as any IP packet, and they can originate the calls to router-B.
3. Router-B is defined to accept calls through the command dialer map. There is the static routing to LAN of the
router router-A on it.
2)
Debugging and monitoring
Monitoring an interface
Display the information of the ISDN BRI interface. The used command is as follows:
router#sh int bri0
Displaying the information of the ISDN BRI interface
bri (unit number 0):
Flags: (0x8071) UP(spoofing) POINT-TO-POINT MULTICAST ARP RUNNING
Type: PPP
False up
status

Netmask 0xffffff00 Subnetmask 0xfffffffc
Metric is 0
rxFrames: 0, rxChars 0
txFrames: 0, txChars 0
DCD=down DSR=down DTR=up RTS=up CTS=down Txc=up
Here, although it can be seen that the DCD signal and DSR signal of the physical layer are DOWN, the interface is still UP.
The reason is that the technique called false UP (namely spoofing) is adopted in DDR. This word indicates that the line need
not be UP but a dialer port still forces it to be false UP. In this way, the interface can dial on demand to route its packets. All
dialer interfaces have this feature.
Display the information about some channel status of ISDN, the second layer and the third layer. The command is as follows:
router#sh isdn status
Displays the information about ISDN status
ISDN BRI0 interface
Layer 1 Status:
F7
Layer 2 Status:
TEI = 67
Ces = 01
SAPI = 00
Status = ST_MULTIFR
I-Frame: 0/0
RR: 5/5
RNR: 0/0
REJ: 0/0
SABME:
1/0
DM: 0/0
DISC: 0/0
UA: 0/1
FRMR:
0/0
TEI: 59/1
B1 channel:
Tx Frames = 0 Tx Bytes = 0, Tx Errors = 0
Rx Frames = 0 Rx Bytes = 0
B2 channel:
Tx Frames = 0 Tx Bytes = 0, Tx Errors = 0
Rx Frames = 0 Rx Bytes = 0
In this common situation, as long as the ISDN module of the router connects with the ISDN switch correctly, the command
show isdn status can be used to see that the second layer is of ST_MULTIFR status, which indicates that the D channel is
active.
The following are some other commands to examine ISDN status:
Examining the current active ISDN data channel
router#show isdn active
Examining the situation of the ISDN calls that have been used
router#show isdn history
The ISDN Debugging Commands

The following debugging commands are very useful to detect ISDN errors. The two main ISDN commands are debug isdn
q921 and debug isdn q931.
To display the access procedure that happens on the data link layer of the access server ISDN interface D channel use:
router#debug isdn q921
To display the establishment and backup of call on the network connection layer (the third layer) between the local router
(client) and the ISDN network use:
router#debug isdn q931
To display the contents of ISDN i430 protocol
router#debug isdn i430
To display the contents of the information of ISDN packets
router#debug isdn trace
The following table displays different debugging commands and their relation to the OSI
model.
The OSI layer
ISDN
DDR dialer
The third layer
Debug isdn q931
Debug dialer events

Debug dialer packets
The second layer
Debug isdn q921

Debug isdn i430
Debug isdn trace
Debug isdn events
Debug ppp negotiation
Noticeable points:
When ISDN can not achieve the connection with the opposite terminal, please check the following details:
1) Whether ISDN of the router is in ST_MULTIFR status.
2) Whether the B channel to be used by ISDN of the router is being used by other ISDN equipment.
3) Whether the called side is being used.
4) Besides these, the above debugging commands are used to examine whether the configuration is correct.
6.3 Dialup Prototype (Profile)
The dialer prototype separates logical interfaces from the ones answering for sending and accepting calls. In the dialer
prototype, a physical interface and a logical interface are bound together according to each call, so that the different
parameters of the physical interface can be chosen dynamically. The prototype separates the logical part of DDR, such as
network layers, encapsulation, and the parameters relative to dialer, from the physical interfaces answering for sending and
accepting calls.
z
z
Outline of the dialer protocol:

The dialer interface is a logical entity that uses the dialer prototype aimed at the destination.
The physical interface of the dialer prototype can be subject to many different dialer pools.
The included elements of a dialer interface:

z Dialer interface
z Dialer map-class
z Dialer pool
z Physical interface
6.3.1 Dialer Interface

A dialer interface is a logical entity that uses the dialer prototype aimed at the destination. The whole configuration directly
relevant to the destination will enter the configuration of the dialer interface and several dialer mappings can be designated
for a single dialer interface. One dialer mapping can be associated with parameters aimed at different calls and these
parameters are defined by respective mapping sets.
The following parameters are used to configure a dialer interface:
z
z
z
z
z
z
z
The IP address of the destination network

Encapsulating protocol
The remote dialer name (applied to PPP CHAP)
Dialer string or dialer mapping
Dialer pool number
Dialer group number
Dialer list number
The diagram below establishes a relation between the parameters of the dialer prototype. The necessary configuring
commands are listed below the diagram as well:
Dialer string
Dial-up interface Dialer pool
Mapping class
Optional
Dialer pool-member
Physical interface
Dialer pool
The configuring commands of the dialer prototype:

Command
Description
Ip address address mask

Dialer remote-name name

Designates the remote router name that will be used
in CHAP authentication.
Defines the telephone number of the destination
router and support the optional mapping class.
Interface load beyond which the dialer will initiate
another call to the destionation
Configures the number of outgoing packets to be
queued
Associates the dialer interface with the dialer pool.
Creates a dialer control list and define the trigger
packets triggering DDR call.
Designates that the dialer interface can employ the
PPP multilink binding. The command used on the
physical interface can be applied to the inward call;
the command used in the dialer prototype can be
applied to the outward call. If it can be applied either
to the inward call or to the outward one, it should be
simultaneously used on both the dialer interface and
the physical interface.
Dialer string string class map-class-name

Dialer load-threshold load
Dialer hold-queue
number-of-packets
Dialer pool number number

Dialer-group guoup-number
Ppp multilink
6.3.2 Dialer Map-class

Dialer map-class is an arbitrary element in the dialer prototype, and it can define a concrete call feature for the call to the
destination designated by a dialer string.
The relevant commands:
Command
Description
Dialer idle-time seconds
Prescribes the clock value of the idle timeout used

by dialer, and the default is 120s.
Prescribes all the clock value of the fast idle
timeout, and the default is 20s.
Prescribes the time used to wait for carrier waver.
If no carrier waver is examined, the call will be
discard.
Dialer fast-idle seconds

Dialer wait-for-carrier-time seconds
6.3.3 Dialer Pool

Each dialer interface can refer to a dialer pool, which is a group of one or more physical interfaces associated with the dialer
prototype.
A physical interface can belong to several dialer pools, and priority (Optional) can be configured for the physical interfaces
included in the dialer pool to decide the sequence for choosing the interfaces.
6.3.4 Physical Interface
A physical interface is a real interface, and it is the command dialer pool-member that is used to associate a physical
interface with a dialer pool, (of course, a physical interface can be associated with many dialer pools).
The relevant commands on the physical interface:
Command
Description
Dialer pool-member number
The parameter number is the number of the dialer

pool and is a decimal number within the range from
1 to 255.
Configures the priority of the physical interfaces in
the dialer pool. Choosing the interface with high
priority to dial.
Configures authentication.
Prilrity priority
Note:
1. Authentication needs to be configured on the physical interface;
2. The interface dialer of the dialer prototype supports PPP protocol presently.
6.3.5 A Sample Configuration

0RGHP
MP2600 - 1
0Se o

3671
0RGHP

0Se o
Illustration:
0Se o
0RGHP
MP2600 - 2
MP2600 - 3
1.
In this figure, the router MP2600-1 connects with MP2600-2 and the MP2600-3 through a physical interface. You
can use two dialer map of DDR to configure it. Of course, you can also choose our flexible DDR (dialer prototype) to
achieve this function. In such a small network, you may not feel the flexibility of the dialer prototype. But you will feel it in a
large one because you can configure different parameters on different dialer interfaces so as to achieve different dialer aims
without dialing circularly.
The configuration is as follows:
The configuration of router-1:
Command
Task
user goat password 7 [WOWWWNXSX

user Maipu password 7 [WOWWWNXSX
user cisco password 7 [WOWWWNXSX
ip access-list extended 1001
deny ip any 224.0.0.0 0.255.255.255
permit ip any any
exit
dialer-list 1 protocol ip list 1001
Configures the user name.
interface dialer1
ip address 10.0.0.2 255.0.0.0
dialer remote-name Maipu
dialer pool 1
dialer-group 1
encapsulation ppp
dialer string 8005
exit
interface dialer2
ip address 20.0.0.2 255.0.0.0
dialer remote-name cisco
dialer pool 2
dialer-group 1
encapsulation ppp
dialer string 8001
exit
Defines a dialer interface: the remote-end

authentication name is Maipu; the dialer pool is 1,
and the dialed telephone number of the opposite end
is 8005.
interface serial3
speed 115200
databits 8
stopbits 1
parity none
flow-control none
dialer pool-member 1
ecapsulation ppp
ppp chap hostname goat
modem outer
exit
Defines a dialer access list and rules of it, only the

data stream answering for the corresponding rule can
dial.
Defines a dialer interface: the remote-end

authentication name is cisco; the dialer pool is 2, and
the dialed telephone number of the opposite end is
8001.
Defines a physical interface that is associated with

two dialer pools. The parameters of dialer pool 1 or 2
can be called, namely calling the parameters of
dialer1 port or dialer2 port that are associated with
the dialer pools.
The configuration of MAIPU ROUTER-2 and MAIPU ROUTER-3:

MAIPU ROUTER-2
Maipu router-3

deny ip any 224.0.0.0 0.255.255.255
permit ip any any
exit
Defines a dialer interface
interface dialer1
ip address 10.0.0.1 255.0.0.0
dialer remote-name goat
dialer pool 1
dialer-group 1
encapsulation ppp
dialer string 8006
exit
Associating the physical interface with the dialer
interface
interface serial3
speed 115200
databits 8
stopbits 1
parity none
flow-control none
encapsulation ppp
ppp chap hostname Maipu
modem outer
exit

deny ip any 224.0.0.0 0.255.255.255
permit ip any any
exit
Defines a dialer interface.
interface dialer1
ip address 20.0.0.1 255.0.0.0
dialer remote-name goat
dialer pool 1
dialer-group 1
encapsulation ppp
dialer string 8006
exit
Associating the physical interface with the dialer
interface
interface serial3
speed 115200
databits 8
stopbits 1
parity none
flow-control none
encapsulation ppp
ppp chap hostname cisco
modem outer
exit
Note:
1. In a large dialer network, you can use the dialer prototype to configure many dialer interfaces (dialer interface).
2. The ISDN network also supports the dialer prototype, and it can employ PPP multilink to bind many ISDN
interfaces.
Chapter 7
Routing Configuration
This chapter introduces routing mechanisms and how to apply many kinds of mainstream routing protocols, such as Routing
Information Protocol (RIP), Internal Routing Message PrococolIRMP,Open Shortest Path First (OSPF), to configure a
Maipu router to achieve a network interconnection.
o
o
o
o
o
o
o
o
o
o
o
o
o
o
A Brief Introduction to Routing

Configuring static routes/default routes
Configuring RIP dynamic routes
Configuring OSPF dynamic routes
Configuring IRMP dynamic routes
Configuring SNSP routes
Load balancing
Configuring VRRP routes
Configuring VBRP routes
Configuring snapshot routes
Configuring policy routes
Configuring M-VRF routes
Configuring routing map
Configuring BGP dynamic routes
7. 1 A Brief Introduction to Routing

Internet protocol is a routable network protocol, in which a router executes the route addressing function.
Each router has a routing table, which plays a key role in transmitting packets. A routing table is created manually by network
administrators or dynamically by exchanging routing information with other routers. A router locates an optimal route to a given
destination from the routing table, then transmits packets following this route. The routing table includes network addresses,
network masks, routing selective metrics, interfaces to be used and the next hop IP address on the way to the destination (if
needed).
A route is divided into two kinds due to different destinations:
o
o
Network route, whose destination is a network

Host route, whose destination is a host
A route further divided into another two kinds depending on whether a router is connected to a destination directly or not.
o
o
Direct route, The destination network is connected directly to the router

Indirect route, The destination is connected indirectly to the router
A route is also divided into two kinds according to how the routes are generated
o
o
Static routing, which is configured manually

Dynamic routing, which is generated automatically by various dynamic routing protocols
Very often there are several routes to the same destination. A router uses a set of rules to select the optimal route. The rules
used by a router to select an optimal route to share the network accessibility and state with other routers is called a routing
protocol. A routing protocol contains at the following four parts:
o
o
o
o
Transmittable network information reachable by other routers

Receivable network information reachable by other routers
The mechanism of selecting the optimal route based on the previous reachable information and to record this route to
the routing table.
Responses to the changes of network topology and notification of the changes.
Maipu MP series routers supports many kinds of routing methods, which will be introduced one by one in the following
sections: the configuration and usage method of dynamic route/default route, RIPv1/v2 dynamic route, OSPF dynamic route,
and IRMP dynamic route.
7.2
Configuring Static Routes/Default Routes
The static route is the route defined by the user, and it can enable the transmission between the source and the destination to
adopt the path designated by the user.
This section describes how to configure the static route protocol of a Maipu router to interconnect networks.
The main contents of this section are as follows:
o
o
7.2.1
Configuration of the static route

Configuration the dynamic route
Configuring static route
The configuration of the static route includes:

a. Adding/deleting configuration of the static route
b. Configuration of the static route administrative distance
The detailed configuring commands are:
A. The relevant commands to configure static route
Routerconfigip route
Command
Description
A.B.C.D
[distance]
A.B.C.D
The network address of the destination
Mask
The network address mask of the destination
a.b.c.d/interface The IP address of the next hop/the network
interface to transmit to
[distance]
The value scope of the administrative
distance is from 1 to 255
mask
a.b.c.d/interface
Note:
1. Using the command no ip route to delete a static route
mask a.b.c.d/interface
router(config)#no ip route A.B.C.D
2. In practical applications, the configuration of the static route had better adopt the IP address of the next hop. In
a point-to-multipoint network (for example, X.25 and FR), the configuration must adopt the IP address of the next hop.
The network interface configured to transmit can be only fit for the point-to-point link (for example, HDLC).
B. The following methods can also be used to configure the administrative distance of the static route.
router(config)#
Command
Description
router static
Enters the static route configuration mode.
distance number
Configures the administrative distance, of which number is a number within the

range from 1 to 255. The form no distance can be used to delete the configured
administrative distance.
C. An example of configuring a static route

Adding a static route to the interface fasterthenet0 to reach the network 199.199.199.0
Command
Task
router1#con t
Configures the static route from the interface

fastethernet0 to the network section
199.199.199.0/24.
router1(config)# ip route 199.199.199.0 255.255.255.0 fastethernet0
To display the routing table of the router and checking the configuration results
router#show ip route
Codes: C - connected,
S - static,
R - RIP,
O - OSPF, M - Management
D - Redirect, E IRMP
Gateway of last resort is not set
R 129.255.0.0/16 [120/2] via 172.25.144.1, 00:12:49, fastethernet0
R 192.168.11.0/24[120/2] via 192.168.8.1, 00:02:08,fastethernet0
S 199.199.199.0/24 [1/10] is directly connected, 00:00:03, fastethernet0
Note:
1.The form of this command no is used to delete a static route
2.The route record labeled by an underline is the configured static route
7.2.2
Configuring the default route
Command
Description
router(config)#ip route 0.0.0.0 0.0.0.0 A.B.C.D
A.B.C.DIndicating the default gateway IP address
Note:
1.
The default route configuration of the router is to permit IP route transmission. But in some special
situations, users can prohibit the routing function, which can be achieved in the global configuration mode
through the following command to prohibit IP route transmission:
router(config)#no ip routing
In the global configuration mode, the following command can be used to permit IP route transmission:
router(config)#ip routing
The no form of this command is used to delete a default route
7.2.3 Debugging Static routing
static routing debugging commands
Command
Description
debug ip routing
Traces the cource to add or delete static routing
7.3
Configuring RIP Dynamic Routing
Overview
Routing Information Protocol (RIP) exchanges routing updates through broadcasting UDP packets. A router sends out
routing updates every 30 seconds, which is called a notification. If a router does not receive any routing updates from
another router within 180 seconds or more, the routing signal related to that router is disabled. If the router does not receive
any routing updates within 240 seconds after this, the router will delete all routes related tho that route from its routing table.
RIP provides a metric, which is called a hop count, to scale different routing distances. Hop count is the number of routers
passing through a route. The hop count of a directed network is 0, while the hop count of an unreachable network is 16.
If a router has a default route, RIP will notify the route from the router to a virtual network 0.0.0.0 which does not exist.
RIP takes 0.0.0.0 as a network to deal with the default route.
RIP sends routing updates to the interface of the specified network interfaces.
network, no RIP updating information will be sent out.
If the interfaces are not specified to a
RIP (Routing Information Protocol) is a kind of distance vector routing protocol serving as the routing of the mini, simple
network. This section mainly describes how to configure Maipu Router RIP to interconnect networks.
Description of relevant commands to configure RIP
An example of RIP configuration
Debugging and monitoring RIP
The Description of Relevant Commands to Configure RIP
o
o
o
7.3.1
Configuring RIP involves these three aspects:

a. Constructing the RIP process and designating a RIP interface
b. RIP route configuration mode
c. RIP interface configuration mode
A. Configuring RIP process and designating a RIP interface

router(config)#
Command
Description
router rip
Enters the RIP route configuration mode.
network
A.B.C.D
Configures the RIP process and designates a RIP interface.
B. Configure RIP status parameters

Router(config-rip)#?
Command
Description
auto-summary
Makes Route Summarization valid.
default
Configures the default instruction.
default-information originate [routemap routemap-name]
Configures it as the default gateway.
default-metric metric
Set the default metric that RIP uses to introduce other routing
protocols.
neighbor ip-address
Define a neighbor router exchanging route information
network network-number
Associates the network with the RIP routing process.
passive-interface interface-name
Restrains route update of the interface, so that this interface can

only accept the route update information sent from the other
routers but cant send any route update information.
redistribute protocol-name [{asnum|process-id}] [metric metric]
Configures the route redistribution (you can choose: direct

connection, IRMP, ospf, static route).
timers basic update invalid holddown

flush
Adjusts the timer.
version
Designates the version of RIP.
{1|2}
address-family ipv4 vrf vrf-name
Ebabke VRF in RIP.
distance distance
Set RIP management distance.
distribute-list access-list-name in/out

[interface]
Configure RIP route filtering.
Maximum-paths number-paths
Configure RTP load balance.
offset-list access-list-name in/out

offset [interface]
Add offset to RIP metrics.
Note:
1.
Similarly, the command no can be used to prohibit the usage of the above commands.
2.
3.
The default mode of the version 1 is auto-summary and belongs to the generic routing protocol.
The default mode of the version 2 is no auto-summary and supports subnet partition.
C. Relevant commands to configure RIP of an interface

router(config-if-xxx)#
Command
ip rip authentication key {0|7}
string
ip rip authentication mode
{text|md5}
Description
Configures authentication key for RIP v2 packets
Configures the verification mode used by the interface (MD5 or simple
text authentication can be selected).
ip rip receive version {1|2|12}
Accept sthe designated version on an interface.
ip rip send version {1|2|12}
Sends the designated version on an interface.
7.3.2
An Example of RIP Configuration
You can use the RIP routing protocol of version 2 in the network 192.168.9.0/24, and respectively configure the router timers.
During the course of configuring the RIP dynamic routing protocol for the Maipu router to connect, the following tasks
should be finished mainly:
a. Creating the RIP process;
b. Configuring RIP interface parameters.
A. Creating the RIP process
Commmand
router(config)#router rip
Task
Activates RIP.
router(config-rip)#network 192.168.9.0
Creates RIP process and designate the

corresponding interface.
Defines the RIP route protocol of version 2.
Configures the value of the router timers.
router(config-rip)#version 2
router(config-rip)#timers basic 30 80 60 200
router(config-rip)#exit
B. Configuration of the RIP interface parameters
Command
router(config)#int s0
Task
router(config-if-serial0)#ip rip authentication mode text
Configures the simple text authentication of

RIP on the interface 0.
router(config-if-serial0)#ip rip authentication key 0

Maipu
Configures RIP authentication cipher.
router(config-if-serial0)#ip rip send version 1
Sends the version 1.
router(confgi-if-serial0)#exit
7.3.3
Configuring RIP Authentication
Illustration:
See the figure above, the RIP authentication is configured only between RouterA and RouterB. And other configurations
are omitted.
A) RouterA is configured as follows.
Syntax
Descriptions
RouterA(config)#interface s1/0

mode.
RouterA(config-if-serial1/0)#ip rip authentication mode text
Configure the authentication mode.
RouterA(config-if-serial1/0)#ip rip authentication key 0 maipu
Configure the authentication key.
B) RouterB is configured as follows.

Syntax
Descriptions
RouterB#configure terminal
RouterB(config)#interface s1/0

mode.
RouterB(config-if-serial1/0)#ip rip authentication mode text
Configure the authentication mode.
RouterB(config-if-serial1/0)#ip rip authentication key 0 maipu
Configure the authentication key.
3) Configure version transmitting/receiving

Note:
1) The goal of configuring version transmitting/receiving is to realize the interaction of route information among
different versions of RIP.

2) As shown in figure above, there exists no change of the configuration of RouterA; RouterB and RouterC run RIP
(Version 1). And the other configuration except the following configuration is the same for RouterB and RouterC.
A) RouterB is configured as follows.
Syntax
Descriptions
RouterB(config)#router rip
Enter the RIP configuration mode.
RouterB(config-rip)#version 1
Configure the RIP version.
RouterB(config-rip)#interface s1/0
Enter the interface configuration mode.
RouterB(config-if-serial1/0)#ip rip send version 2
Transmit RIP V2 on the interface s1/0.
RouterB(config-if-serial1/0)#ip rip receive version 2
Receive RIP V2 on the interface s1/0.
Exit.
B) RouterC is configured as follows.

Syntax
Descriptions
RouterC#configure terminal
RouterC(config)#router rip
RouterC(config-rip)#version 1
Configure the RIP version.
7.3.4 RIP monitoring/debugging

Command
Description
debug ip
Traces RIP events and messages.
rip event
show ip route rip
Show the routing information of RIP has learned
7.4 Configuring OSPF Dynamic Routing

Open Shortest Path First (OSPF) is an internal gateway protocol (IGP) used to determine a route in a single Autonomous
System (AS). It is more complex, powerful, widely used anmd efficient than RIP. This section describes how to configure
OSPF dynamic route protocol for a Maipu router to interconnect networks.
The main topics covered in this section are as follows:
o
o
o
7.4.1
Description of relevant commands configuring OSPF

An example of OSPF configuration
Debugging and monitoring OSPF
Description of Relevant Commands Configuring OSPF
Configuration of OSPF is comprised of three sections mainly:

A. Creating OSPF processes and designating OSPF interfaces;
B. OSPF route configuration mode;
C. Configuring status of OSPF for an interface.
The detailed configuring commands are as follows:
A. Configuring the OSPF process and designating an OSPF interface
router(config)#
Command
Description
router ospf <1_65535>[ vrf vrfname]
Enters configuring OSPF mode.
network
area_num
A.B.C.D
a.b.c.d area
Configures the OSPF process and designate the OSPF interface.

A.B.C.D Use the network number of OSPF process.
inverse-mask
a.b.c.d
area_num area number
Note:
1. After the OSPF process is created, the process does not know which interface or network it enters; however, it can
solve this problem through the command network. This command can designate an interface to a given area
simultaneously. The following command can be used to designate the match interface to the area 0:
router (config-ospf)#network 128.255.0.0
0.0.255.255
area
In the command network, all the interfaces capable of matching the pair of the addresses and the inverse mask will be
placed into a given area. 0 represents the placeholder, and 1 represents an arbitrary match.
2. The command network has the function of auto-route summary.
3. When the command network can match at least one interface address, the OSPF process runs. When the last
command network is canceled (by running the command no network), the OSPF process will be deleted.
B. Configuring OSPF status parameters
router(config-ospf)#?
Command
Description
area
< area_id > stub
area
< area_id > nssa
Configures the OSPF stub area (choosing in the parameter range

from 0 to 4294967295).
Configures the OSPF stub area (choosing in the parameter range
from 0 to 4294967295).
area transit_area_id virtual-link

address
area <area_id> range <address
mask>
summary-address
[tag tag-value]
cost
address
Define a virtual link and its parameters

Configures summarize routes matching address/mask (border
routers only)
mask
Configures OSPF IP summary address
reference-bandwidth
<1_4294967>
Configures the bandwidth value to count charge (choosing in the

parameter range from 1 to 4294967).
default
Configures the default instruction.

Filters the route (the parameter is used to designate the number of
the standard access list to be filtered).
Configures the neighbor router (configuring neighbor at the time
of NBMA).
distribute-list <1_1000>
neighbor ip-address
passive-interface <interface number>
Restrains a port from OSPF addressing.
redistribute<bgp connected
rip snsp static>
Configures the route redistribution (you can choose: direct

connection, IRMP, RIP, static route).
irmp
router-id
Configures OSPF router-id in IP address format
summary-address
Configures IP address summaries
Note:
1. Similarly, the command NO can be used to prohibit the usage of the above command.
2. Configure the neighbor router:
In order that the OSPF router can be configured to interconnect to a no-broadcasting network, the command can be
used to configure a neighbor. In the neighboring address, ip-address is the IP address of the neighboring interface.
C. The relevant commands configuring OSPF for an interface
router(config-if-xxx)#ip ospf ?
Command
Description
authentication-key 0/7 password
Configures simple text authentication.
cost
Configures the OSPF cost of interface.
dead-interval
Configures the stagnation interval.
hello-interval
Configures the interval for interface to send

HELLO packet.
message-digest-key key_id
md5
0/7
password
Network broadcast/non-broadcast/point-topoint/point-to-multipoint
poll-interval
Configures MD5 authentication.

Configures OSPF network type (broadcasting
network/no-broadcasting network/point-to-point
network/point-to-multipoint network).
Configures time between retransmitting hello
packet to dead neighbor
priority
Configures the priority of the router.
retransmit-interval
Configures the declaration interval to retransmit

the lost connection status.
transmit-delay
Configures the transmission delay of connection

status.
demand-circuit
Configures OSPF demand circuit
Note:
1. On the protocol port of PPP and HDLC, the default type of OSPF network is point-to-point.
2. On the protocol port of frame relay and X25, the default type of OSPF network is non-broadcast.
D) Reset OSPF process
router#
Command
clear ip ospf process
Description
Reset OSPF process
Note
Should reset OSPF proces with Clear command to make router-id command become effective.
7.4.2
STUB/NSSA/Route-Summary/Virtual-Link/Demand-Circuit Configuration Commands
area stub
Use the router configuration command area stub to configure the OSPF stub-area; otherwise, use the command no area
stub to disable the function.
area area_id stub
no area area_id stub
Syntax
Descriptions
area_id
The area-number of the stub-area. Its value range is from 0 to

4294967295 or an IP address is used to identify the stub-area.
By defaultNo area is configured as the stub area.

Command modethe OSPF protocol configuration mode.
GuideNo category 5 LSA, namely the external LSA, can be received or transmitted in the stub area. The
neighborship among routers can not be established until the command is configured on all the routers in the stub area.
Note:
1) When a stub area is configured, the area number can not be the backbone area number. That is to say that the area
number can not be 0.
2) To cancel the stub area specified in the configuration, use the command no area area_id stub.
area nssa
An nssa area is similar to an OSPF stub area. Category 5 LSA can not be diffused from the backbone area to the nssa
area, but the external route of autonomous system can be introduced into the area by means of finite forms.
By means of redistributing category 7 AS route introduced into the nssa area, nssa can convert the category 7 external
LSA to category 5 external LSA, which will be flooded to other areas of the autonomous system through the border router in
the nssa area.
Use the command area nssa to configure an area as an nssa area (not-so-stubby area); otherwise, use the command no
area nssa to cancel the attribute nssa of the area.
area area_id nssa
no area area_id nssa
Syntax
Descriptions
area_id
The area-number of the nssa area. Its value range is from 0 to 4294967295
or an IP address is used to identify the nssa area.
By defaultNo area is configured as the nssa area.

GuideAn nssa area is similar to a stub area. Category 5 LSA can not be diffused from the backbone area to the nssa
area, but the external route of autonomous system can be introduced into the area by means of finite forms.
Note:
1) The backbone area can not be configured as the nssa area.
2) Any router in the same area must support nssa area, or else the neighborship among the routers can not be established.
3) If it is possible, try not to adopt the explicit redistribution on nssa abr because the packets converted by the router are
confused easily.
area range
Use the command area range to realize the route summary of areas; otherwise, use the command no area range to
disable it.
area area_id range address mask
no area area_id range address mask
Syntax
Descriptions
area_id
The OSPF area number. And its value range is from 0 to 4294967295.
address
The network IP address.
mask
The network IP address.mask
By defaultNo route summary area range is configured.

GuideRoute summary is a set of routes generated by the area border router and the AS border router and will be
announced to the neighbor routers. If network numbers in an area is successive, the area border router and the AS border
router can be configured to announce the route summary that specifies the range of network numbers. The route summary can
reduce the size of link-state database. The OSPF route summary can be classified into inter-area route summary and external
route summary. After configured with the command area range, the area border router summarizes the routes in the
configured network segment and generates a route profile summary net lsa, which is notified by the area border router to
other areas, and lsa in the network segment will not be notified any more.
Note:
1) The command area range can take effect on nothing but the area border router.
2) Use the command no area range to cancel the command route summary.
summary-address
Use the command summary-address to perform OSPF external route summary; otherwise, use the command no
summary-address to make the command out of work.
summary-address address mask [tag tag-value]
no summary-address address mask [tag tag-value]
Syntax
Descriptions
address
The network IP address.
mask
The network IP address mask
tag-value
The tag-value of the summarized ase lsa. And its value range is from 0 to
4294967295
By defaultNo the command summary-address is configured.

Command modethe OSPF protocol configuration mode
GuideWhen the route is redistributed from other protocols to OSPF, each route is singly announced in the external
link-status announcement. The command summary-address is used to summarize all redistributed routes covered by the
special network address and mask as one route. In this way, the size of OSPF link-state database can be reduced. Use the
command summary-address to summarize external routes. And the command is used to summarize all ase lsa in the
network segment and generate a summary ase lsa. Only the summary ase lsa is announced to other routers through ASBR.
Note:
1) The command can take effect on nothing but ASBR and summarize the external routes redistributed by OSPF.
2) Use the command no summary-address to cancel the summary command of the external route.
area virtual-link (Configuring a virtual link)
In OSPF, all areas must be connected directly to the backbone area. When performing network design, however, an area
may be out of the backbone area or the backbone area may be isolated. To resolve the problems above, a virtual link can be
adopted. The virtual link can be applied in the following two kinds of conditions: two isolated backbone area can be
connected together by means of configuring the virtual link; a third area, through an area (called transit area) connecting with
the backbone area, is connected to the backbone area.
area transit_area_id virtual-link address
no area transit_area_id virtual-link address
Syntax
Descriptions
transit_area_id
The area number of virtual-link transit area. Its value range is from 0 to
4294967295, or an IP address is used to identify the area.
Address
The router ID of the virtual-link opposite end (neighbor).
By defaultNo area is configured as virtual-link.

Guide
In OSPF, the backbone area must keep the full-connected state all along and all areas must be connected to the
backbone area. If the backbone area is divided into two or more parts, then some destinations are unreachable. To ensure the
prescriptions of OSPF network, a virtual-link can be employed for the isolated backbone areas and the areas that have not
been connected with the backbone area. Each virtual-link can be identified uniquely by means of the transit area and the
router ID of the virtual-link opposite end.
Configuring the demand-circuit
The demand-circuit is a network whose expenditure changes along with network usage. The expenditure can be based
on connection time and transmitted packet bits. The typical demand-circuit includes ISDN circuit, X.25SVC and dial-up
circuit. The data link need keep open for the previous OSPF. This will result in the needless expenses. After the demandcircuit is added, OSPF Hello message and route update information are restricted on the demand-circuit, and the data link is
allowed to be close when no data is transmitted.
router(config-if-serial0/0)#ip ospf demand-circuit
Syntax
Descriptions
demand-circuit
Enable the demand-circuit on the interface.
Note:
1) When the demand-circuit is enabled between routers, the demand-circuit can be configured on the interface of
one side or both sides.
2) The demand-circuit can take effect only in the point-to-point interface mode or in the one-point-to-multi-point
interface mode.
Note:
1) The router configured with the virtual-link should be an area border router.
2) The virtual-link is identified by router-id of the router on the other end.
3) The two end routers configured with the virtual-link must be located in the same public area that is called virtual-link
transit area.
4) The virtual-link can be regarded as one part of the backbone area or as unnumbered point-to-point network. Its cost is
the spending of the link and can not be configured.
5) Use the command no area virtual-link to cancel the link configuration command
6) The virtual-link can not be configured through the stub area. That is to say that the virtual-link transit area can not be
the stub area.
7.4.3
Examples of OSPF configuration
A: An Example of OSPF Configuration
U RXW HU

6
6

+'/&
333
6
6

U RXW HU

)U DPH
U HO D\
6
6

U RXW HU

(W KHU QHW
(W KHU QHW
Illustration:
1. In the above figure of configuration example, a PPP link runs between router-1 and the interface serial1 of router-2,
Frame Relay runs between the interface serial0 of router1 and the interface serial1 of router3, and HDLC link runs between
the router2 and the interface serial0 of router3.
2. During the course of configuring OSPF dynamic routing protocol for a Maipu router to connect, the following tasks
should be completed:
a) Establishing the OSPF process
b) Configuring OSPF interface parameters
The concrete configuration of Router1:
Command
router-1#configure terminal
router-1(config)#router ospf 2
router-1(config-ospf )#network 1.0.0.0 0.255.255.255 area 3
router-1(config-ospf)#network 3.0.0.0 0.255.255.255 area 3
router-1(config-ospf)#network 128.255.0.0 0.0.255.255 area
3
router-1(config-ospf)# neighbor 3.3.3.2
router-1(config-ospf)#exit
Task
Enters the status of configuring OSPF.
Establishes the OSPF process and
designates the corresponding OSPF
interface.
Configures 3.3.3.2 as a neighbor.
router-1(config)#int s0
router-1(config-if-serial0)# ip ospf network non-broadcast
router-1(config-if-serial0)#exit
The type of OSPF network is non-broadcast

(NBMA).
router-1(config-if-serial1)# ip ospf
The type of OSPF network is point-to-point.

network point-to-point
router-1(config)#int f0
router-1(config-if-fastethernet0)# ip ospf
broadcast
router-1(config-if-fastethernet0)# end
The type of OSPF network is broadcasting.

network
Command
Router-2#configure terminal
Task
Establishes an OSPF process and designate
the corresponding OSPF interface.

router-2(config-if-serial0)#ip ospf
router-2(config-if-serial1)#end

Command
Task
router-3#configure terminal
router-3(config-ospf)# neighbor 3.3.3.1
network non-broadcast
router-3(config)#int f0
router-3(config-if-fastethernet0)# ip ospf
router-3(config-if-fastethernet0)#end
network broadcast
Establishes an OSPF process

and designates the
corresponding OSPF
interface.
B: An Example to configurate the area virtual-link

U RXW HU

V
V
$5($
333
V

U RXW HU

+'/&
V
9L U W XDO O L QN
$5($

$5($

U RXW HU

(W KHU QHW
(W KHU QHW
Illustration:
1. In the above figure of configuration example, a PPP link runs between router-1 and the interface serial1 of router-2 ,and
HDLC link runs between the router2 and the interface serial0 of router3.s1 of router-1 and router-2 and s0 of router-3 are
belong to area 3,ethernet 1 of router-1 and ethernet2 of router-3 belong to are belong to backbone,but without physical link
between them. So we configuire virtual link for combine backbone.
2. During the course of configuring OSPF dynamic routing protocol for a Maipu router to connect, the following tasks
should be completed:
a) Establishing the OSPF process
b) Configuring OSPF virtual link
b) Configuring OSPF interface parameters
Command
router-1#con t
router-1(config-ospf )#network 1.0.0.0 0.255.255.255
area 3
router-1(config-ospf)#network 3.0.0.0 0.255.255.255
area 3
area 3
router-1(config-ospf)#router-id 1.1.1.2
router-1(config-ospf)#area 3 virtual-link 2.2.2.2
Task
Enters the status of configuring OSPF.
Establishes the OSPF process and
designates the corresponding OSPF
interface.
Configure ospf process id to 1.1.1.2

virtual link neighbor should configure
its router id by this
Configure ospf virutal link ,neighbor
router id:2.2.2.2 transit area id:3
point
network point-to-

Command
Router-2#con t
Task
router-2(config)#router ospf
Establishes an OSPF process and

designate the corresponding OSPF
interface.

area 3
area 3
router-2(config-if-serial0)#ip ospf network point-topoint
point
router-2(config-if-serial1)#end
network point-to-

Command
router-3#con t
router-3(config)#router ospf
Task
Establishes an OSPF process and
designate the corresponding OSPF
interface.

3
3
area 3
router-1(config-ospf)#router-id 2.2.2.2
Configure ospf process id to 2.2.2.2

virtual link neighbor should configure
its router id by this
router-1(config-ospf)#area 3 virtual-link 1.1.1.2
Configure ospf virutal link ,neighbor

router id:1.1.1.2 transit area id:3
point
network point-to-
7.4.4
Debugging/Monitoring OSPF
A. The monitoring information of OSPF
Command
Description
show ip ospf interface

(Displaying information of the
OSPF interface)
Interface: 44.1.1.1 (serial0)

Area 0
Cost: 1 State: BackupDR
Status: the Backup designated Router
Type: NBMA
Type: non-broadcast (NBMA)
Priority: 1
The priority of the interface: 1
Designated router:
44.1.1.2
Designated Router:44.1.1.2
Backup Designated router:
44.1.1.1
Backup designated Router:44.1.1.1
Authentication: none
Timers:
Hello: 30 Poll: 2:00
Dead: 2:00
Retrans: 5
Neighbors MprouterID:
111.2.2.2
Neighbor Count is 1
Neighbor number:1
Interface:142.255.255.1
(fastethernet0) Area 0
Cost: 1 State: DR
Type: Broadcast
Priority: 1
Designated router:
142.255.255.1
Timers:
Hello: 10 Poll: 0
Dead: 40 Retrans: 5
Neighbor Count is 0
show ip ospf interface name

(Monitoring the information of
an OSPF interface)
Interface: 44.1.1.1 (serial0)

Area 0
Cost: 1 State: BackupDR
Type: NBMA
Priority: 1
Designated router: 44.1.1.2
Backup Designated router: 44.1.1.1
Timers:
Hello: 30 Poll: 2:00 Dead: 2:00 Retrans: 5
Neighbors MprouterID: 111.2.2.2
Neighbor Count is 1
Neighbor ID
Pri
State
Dead Time Address serial
111.2.2.2
1
Full/Dr
120
44.1.1.2 serial0
show ip ospf neighbor

(Displaying OSPF neighbor)
show ip ospf database [processid][adv-router [self_originate|
A.B.C.D]]
(Displays lists of information
related to the OSPF database of
self_originated or special .)
sh ip os da adv-router 33.33.33.33
OSPF Router with ID (4.4.4.4) (Process ID 2)
ASE link states (AREA 0 )
Link ID
ADV router
Age
Seq#
CheckSum
111.1.1.1
33.33.33.33
661
80000002
1c8a
Router link states (AREA 113 )
Link ID
ADV router
Age
Seq#
CheckSum
Link Count
33.33.33.33
33.33.33.33
448
8000000d
ee8c
show ip ospf database

[process-id]
[router/network/summary/
asbr-summary/external/
nssa-external] [adv-router
[self_originate| A.B.C.D]]
(displays lists of detail
information related to the special
type OSPF database of
self_originated or special
advertising router.)
Net link states (AREA 113 )

Link ID
ADV router
Age
Seq#
CheckSum Link Count
128.255.43.5
33.33.33.33
448
80000003
640f
2
ASE link states (AREA 113 )
Link ID
ADV router
Age
Seq#
CheckSum
111.1.1.1
33.33.33.33
661
80000002
1c8a
sh ip os da adv-router self_originate
Link ID
ADV router
Age
Seq#
CheckSum
Link Count
4.4.4.4
4.4.4.4
1091
80000004
b4ba
1
SumNet link states (AREA 0 )
Link ID
ADV router
Age
Seq#
CheckSum
128.255.40
4.4.4.4
1096
80000002
128a
SumASB link states (AREA 0 )
Link ID
ADV router
Age
Seq#
CheckSum
33.33.33.33
4.4.4.4
1091
80000001
615c
Link ID
ADV router
Age
Seq#
CheckSum
Link Count
4.4.4.4
4.4.4.4
1091
80000008
7849
1
SumNet link states (AREA 113 )
Link ID
ADV router
Age
Seq#
CheckSum
138.255.43
4.4.4.4
1086
80000001
7f0e
show ip ospf database network
Net link states (AREA 113 )LS age : 997

options : <DC>
LS_TYPE : Net
Link State ID : 128.255.43.5
Advertising Router : 33.33.33.33
LS Seq Number : 0x80000003
CHECKSUM :0x640f
LS length : 32
Route : Canreach Time:0
Network Mask:255.255.252
Network:128.255.40
Show ip ospf routing

(displays lists of detail
information related to the routes
calculated by spf .)
Att_rtr number: 2
Attached Router: 33.33.33.33
Attached Router: 4.4.4.4
sh ip os routing
OSPF ROUTING IN VRF 0
OSPF PROCESS 2
Routes To Area Border:
AREA: 0
Router
Cost
AdvRouter
NextHop(s)
RTAB_REV
4.4.4.4
0
4.4.4.4
Myself
10
AREA: 113
Router
Cost
AdvRouter
NextHop(s)
RTAB_REV
4.4.4.4
0
4.4.4.4
Myself
11
Routes To AS Border:
AREA: 0
Router
Cost
AdvRouter
NextHop(s)
RTAB_REV
AREA: 113
Router
Cost
AdvRouter
NextHop(s)
RTAB_REV
33.33.33.33
1000
33.33.33.33
128.255.43.5
11
Inter AREA:
Router
Cost
AdvRouter
NextHop(s)
RTAB_REV
AS Intra Routes:
Dest
Mask
LSID
AdvRouter
Cost
Ptype NextHop(s)
Area
RTAB_REV
128.255.40
255.255.252
128.255.43.5
33.33.33.33
1000
2
128.255.43.4
0.0.0.113
11
138.255.43
255.255.255
138.255.43
4.4.4.4
1000
0
138.255.43.4
0.0.0.0
10
AS External Routes:
Dest
Mask
LSID
AdvRouter
Cost
Ptype
Etype
NextHop(s)
Area
RTAB_REV
111.1.1.1
255.255.255.255 111.1.1.1
33.33.33.33
20
5
1
128.255.43.5
0.0.0.113
11
B. OSPF debugging commands

Command
Description
debug ip ospf all
Displays all the debugging information.
debug ip ospf lsa
Traces the link status announces.
debug ip ospf events
Traces events and messages.

Traces the reception/sending of messages.
debug ip ospf packet hello / dd / lsr / lsu

/ ack / all
hello: HELLO message

dd:
database description message
lsr:
link status request message
lsu: link status update message
ack:
all:
acknowledge message on accepting link status update

the detailed contents of all the OSPF messages
debug ip ospf route
Traces the change of the routing table.
debug ip ospf
spf
Traces the shortest path tree algorithm.
debug ip ospf
state
Traces the state machine.
debug ip ospf task
Traces tasks.
debug ip ospf timer
Traces the timer.
7.5 Configuring IRMP Dynamic Route

IRMP (Internal Routing Message Protocol) is a kind of dynamic routing protocol based on link status. It overcomes the
shortcomings of the Distance Vector Routing Protocol (DVRP) and does not require the heavy overhead. IRMP supports
multiple Autonomous Systems (AS), which can run independently without disturbing each other, and be fit for more largescale networks, so presently it is a popular routing protocol. This chapter describes how to configure the dynamic routing
protocol IRMP on Maipu routers enabling it to interconnect networks.
o Description of relevant commands configuring IRMP
o An example of IRMP configuration
o Debugging and monitoring IRMP
7.5.1 Description of relevant commands configuring IRMP
Configuring IRMP routing involves these three main principles:
A. Establishing IRMP process and designating the IRMP interface;
B. Entering the IRMP route configuration mode;
C. Entering the interface IRMP configuration mode.
A. Configuring IRMP process and designating IRMP interface
Router(config)#?
Command
router irmp autonomous-system
network network-number [wild-mask]
Description
Enters the IRMP route configuration mode (Autonomous
System number)
Runs IRMP on an interface within the designated network
range.
Network number, inverse-mask
Note:
IRMP routing protocol supports many ASes (Autonomous system) and they can run independently without disturbing
each other. The interface running IRMP can send/accept IRMP messages; however, if the interface has not been designated,
then it can not send/accept IRMP messages, and its route can not be sent from any other interface.
B. Entering the IRMP route configuration mode
router(config-irmp)#?
Command
Description
auto-summary
Automatic summary. And only summarize direct

routes.
compatible oldversion
Advertise external routes as internal routes
default-metric bandwidth delay reliability mtu loading
Set the default parameters (bandwidth, delay,

realibility, mtu, load) for IRMP to introduce
other routing protocols.
distance irmp distance-for-internal distance-for- external
Define an administrative distance of the local

RIMP internal routes and external routes
Distribute-list access-list-name in/out [interface]
Filter the route information.
maximum-paths
Choose path number when load is balanced.
metric weights TOS k1 k2 k3 k4 k5

neighbor
ip-address interface
network
network-number [wild-mask]
passive-interface
interface
Redistribute protocol [route-map]

timers active-time
minutes
variance metric-variance-multiplier
Change the value of IRMP K.

TOS represents service type and only type 0 is
supported.
Define a neighbor router exchanging routing
information.
Designate the network interface running IRMP .
Prohibit the interface from sending/receiving
IRMP route information.
Configure routing redistribution.
Adjust active timers.
When the load is of balance, configure the load
balancing variance.
Note:
1. Similarly, the command NO can be used to prohibit the usage of the above commands.
2. Prohibiting an interface from receiving/sending IRMP messages
If you do not want IRMP to take effect on an interface, you can configure the command
passive-interface to inhibit IRMP from becoming effective on it. After the configuration,
IRMP will not receive/send IRMP message on the interface.
3. Configuring the routing filter
In some situations, it is likely required to ignore some IRMP routing information accepted or
to prohibit the neighbor router from getting some IRMP routing information. The IRMP
routing protocol can achieve it through referring to the access list.
4. Configuring routing redistribution
IRMP can share routing information of opposite parties by redistributing the routing
information of other routing protocols.
C. Relevant commands configuring IRMP of an interface
router(config-if-xxx)# ?
Command
Description
ip message-digest-key irmp autonomous-sytem

key_id md5 0/7 string
Configures authentication.
ip hello-interval irmp autonomous-system seconds
Configures the interval between

HELLO messages.
ip hold-time irmp autonomous-system seconds
Configures the neighbor hold-time.
no ip hello-interval irmp autonomous-system
Deletes the configured interval between

HELLO messages.
Cancels the configured neighbor holdtime.
no ip hold-time irmp autonomous-system

ip split-horizon irmp autonomous-system
Enables split-horizon.
no ip split-horizin irmp autonomous-sytem
Prohibits split-horizon.
ip summary-address irmp autonomous-system network-number

mask
no ip summary-address irmp autonomous-system network-number
mask
Perform address summarization on the

interface
Disable address summarization on the
interface.
Note:
1. When the IRMP MD5 authentication mode is configured, it must be authenticated, and the key_id of the two ends
must be congruous; 0 in the command indicates plaintext input while 7 indicates cryptograph input.
2. Configuring the interval between HELLO messages and the neighbor hold-time can be
described as follows:
The default IRMP sends HELLO messages at 5 second intervals on a broadcasting interface or a point-to-point
one, or at 60 second intervals on a NBMA interface. After accepting the HELLO messages, it will add the opposite
terminal router to the neighboring table of itself. If the neighbor already exists in the neighbor table, the neighboring
hold-timer will refresh. If the default IRMP , in the hold time, has not accepted any HELLO message sent by a
neighbor all along, it will think that the neighbor has be invalidated and it will be deleted from the neighbor table. The
default hold time will be 3 times the length of the hello time.
3. Prohibiting horizontal split
In the default situation, IRMP uses the split-horizon on an interface, and it is not recommended that split-horizon be
prohibited on a non-NBMA interface.
7.5.2
An Example of an IRMP Configuration
H

FL VFR
V
,3
1HW ZRU N
Mai
P
DL SX
V
I

Illustration:
1. In the configuration above, the router cisco in the above figure is a Cisco router while Maipu is
a Maipu Router. During the course of configuring the IRMP dynamic routing protocol on a
Maipu router and CISCO router to connect each other, the following tasks should be finished.
A) Establishing IRMP process
B) Routing filtering /routing redistribution
The concrete configuration of the CISCO router:
Command
cisco#configure terminal
Task
cisco(config)#router irmp 1
cisco(config-router)#network 128.255.0.0
cisco(config-router)#network 16.0.0.0
Starts IRMP .
Runs IRMP on Ethernet.
Runs IRMP on s1.
cisco(config-router)#end
The concrete configuration of the Maipu Router
Command
Maipu#configure terminal
Maipu(config)#router irmp 1
Maipu(config- irmp )#network 202.1.1.0
Maipu(config- irmp )#network 16.0.0.0
Maipu(config- irmp )#end
Filtering all routes on the Maipu router

Command
Maipu(config)#access-list 9 deny any
Maipu(config- irmp )#distribute-list 9 in
Redistributing static route
Command
Maipu(config- irmp )#redistribute static
Task
Starts IRMP .
Runs IRMP on Ethernet.
Runs IRMP on s1.
Task
Creates an access list (Rules can
defined according to requestion).
Applies the access list to IRMP .
Task
Redistributes static routing into

IRMP .
7.5.3
Debugging/monitoring IRMP
A. IRMP monitoring information
Command
Description
show ip irmp interface [interface]
Displays the interface information of current

IRMP .
show ip irmp neighbor [autonomous-system / detail /

interface]
show ip irmp topology [active / summary / network]
B. Debugging commands of
Command
debug ip irmp events
debug ip
irmp route
Displays the neighbor information of current

IRMP .
Displays the routing information of current
IRMP .
IRMP
Description
Displays the debug information of IRMP
events.
route.
debug ip
debug ip
irmp timer
irmp packets [hello / terse]
debug ip
irmp all
Displays the IRMP timer.

messages.
Displays the debug information of all the
IRMP .
Noticeable points:
o debug ip irmp packets terse displays the messages including the routing information except HELLO. debug
ip irmp packets terse detail displays the detailed information of each route.
7.6
Configuring
SNSP Route
SNSP (Stub Network Search Protocol) uses Neighbor Device Search Protocol (NDSP),a protocol used to discover other
devices on either broadcast or non-broadcast media, to propagate the connected IP prefix of a stub router. SNSP was
designed for customers who do not want to usr network bandwidth for routing protocol updates.Static routing is a good
choice,but there is too much overhead to manually maintain th static route.SNSP is not CPU-intensive and is used when IP
routes are propagated dynamically on Layer2. SNSP is a perfect solution for hub and spoke topology.
Description of relevant commands configuring
An example of SNSP configuration
o
o
SNSP
7.6.1
Description of Relevant Commands for Configuring SNSP
The commands used for configuring SNSP are very simple.
Just configure the router snsp command in the hub router and turn off any dynamic routing protocols in the spoke routers.
Spoke routers will automatically start advertising their subnets using NDSP. You do not need the router snsp command on
spoke
routers.
Router(config)#
Commmand
Description
router snsp
ndsp run
Activates SNSP .
Runs NDSP
Note:
1.
2.
3.
7.6.2
The command NO can be used to prohibit the application of the above command.
In the default situation, the router ignores the received SNSP information.
Use NDSP message to carry the SNSP routing message.
An Example of
SNSP Configuration

5
,3
1HW ZRU N

5
I
I

I
5
5
I
5
Illustration:
The router R2 serves as a hub router. It is configured with SNSP and IRMP routing protocols, and executes
NDSP.
1.
2.
The low-end routers, R3, R4 and R5 run

route.
3.
IRMP redistributes the
NDSP and are configured with the default route without the dynamic
SNSP route on the route R2.
A. The configuration of the Maipu Router R2:

Command
Task
R2#configure terminal
R2(config)#router snsp
R2(config)# ndsp run
R2(config)#router irmp 1
R2(config-irmp)#network 13.0.0.0
R2(config-irmp)#redistribute snsp
R2(config-irmp)#end
Runs SNSP .
Runs NDSP .
IRMP redistributes
SNSP.
B. The configuration of the Maipu router R3 (the configuration of R4 or R5 is the same as that of R3)
Command
Task
R3#configure terminal
R3(config)# ndsp run
R3(config)#ip route 0.0.0.0 0.0.0.0 fastethernet0
R3(config)#end
Runs NDSP.
Configures the default route.
7.7 Configuring VBRP

VBRPVirtual Backup Router Protocolprovide a network management backup.
Related VBRP configuration commands
An example of VBRP configuration
Monitoring and debugging VBRP
7.7.1 Related VBRP Configuration Commands

standby authentication
The command is used to specify an authentication password for a standby group.
standby [group-number] authentication string
no standby [group-number] authentication
Syntax
Description
group_number
Specify a VBRP group-number whose

value range is from 0 to 255.
string
Specify an authentication password whose

maximal length is 16 (by character).
By defaultThe authentication is supported and the default password is cisco.

Note
If no group_number is specified in the command, its default value is 0.

standby ip
The command is used to enable a standby group or configure a virtual IP address.
standby [group-number] ip [ip-address]
no standby [group-number] ip
Syntax
Description
group_number
Specify a VBRP group-number whose

ip-address
Specify a virtual IP address.
By defaultThe standby group is not enabled.

Note:
If no group_number is specified in the command, its default value is 0.
standby preempt
The command is used to specify whether the standby group enables VBRP preempt.
standby [group-number] preempt [delay time]
no standby [group-number] preempt
Syntax
Description
group_number
Specify a VBRP group_number whose

time
Specify the preempt delay time (by

second), and its value range is from 0 to
3600.
By defaultNon-preempt mode is enabled.

Note:
1) If no group_number is specified in the command, its default value is 0.
2) If no delay time is configured for preempt, the system will take preempt at once.
standby priority
The command is used to configure a priority for the standby group.
standby [group-number] priority priority

no standby [group-number] priority
Syntax
Description
group_number

priority
Specify a priority whose value range is

from 0 to 254.
By defaultpriority100.
Note:
standby timers
The command is used to specify Hello-time and Hold-time for the standby group.
standby [group-number] timers hello-time hold-time
no standby [group-number] timers
Syntax
Description
group_number

hello-time
Specify the period of sending Hello

packet, and its value range is from 0 to
254.
hold-time
Specify the hold-time of Hello packet (by

second), and its value range is from 4 to
255.
By defaulthello-time3 secondshold-time: 10 seconds

Note:
standby track
The command is used to specify a monitoring interface for the standby group.
standby [group-number] interface [decrement]
no standby [group-number] interface [decrement]
Syntax
Description
group_number

interface
Specify an interface for monitoring.
decrement
Specify the priority decrement, and its

By defaultNo interface is monitored.

Note:

no standby
The command is used to close the standby group.
no standby [group-number]
Syntax
group_number
Description
By defaultThe standby group is not enabled.

Note:
7.7.2 An Example of VBRP Configuration
, QW HU QHW
U RXW HU
U RXW U
I
I
3&
3&
Illustration:
As shown in figure above, pc1 and pc2 connect with Internet respectively through router1 and router2, and their default
gateways are respectively 129.255.123.100 and 129.255.123.16.
The basic VBRP configuration is listed as follows:
Command
Task
Enter the
mode.
global
configuration
router1(config)#interface fastethernet0
Enter an Ethernet interface.
router1(config-if-fastethernet0)#ip address 129.255.123.21 255.255.0.0
Configure an IP address.
router1(config-if-fastethernet0)#standby 1 ip 129.255.123.100
Configure VBRP group-number

and virtual IP address.
router1(config-if-fastethernet0)#standby 1 priority 110
Set the VBRP priority.
router1(config-if-fastethernet0)#standby 1 preempt delay 10
Set the preempt mode and set the

delay time as 10 seconds.
B) Router2 is configured as follows:

Command
Task
Enter the
mode.
global
configuration
route2(config)#interface fastethernet0
router2(config-if-fastethernet0)#standby 1 ip 129.255.123.100
Configure VBRP group-number

router2(config-if-fastethernet0)#standby 1 preempt delay 10
Set the preempt mode and set the

delay time as 10 seconds.
7.7.3 Monitoring and Debugging VBRP

show standby
The command is used to display all local VBRPs.
show standby [all]
Command modethe privileged user mode
Note
The command show standby can be only used to display the local configured VBRP groups. And the command show
standby all is used to display the local configured VBRP groups besides the groups learned from other routers.
debug standby errors
The command is used to display or close the information about VBRP operation error, such as unsuccessful
authentication and unauthorized version.
debug standby errors
no debug standby errors
debug standby events
The command is used to open the information debugging switch of VBRP event. And the negation of the command is
used to close the debugging switch.
debug standby events [{api|protocol|track}]
no debug standby events
Syntax
Description
api
Debug API information.
protocol
Debug protocol information.
track
Debug interface track information.

Note
The command debug standby events is used to open all information debugging.
debug standby packets
The command is used to open the information debugging switch of VBRP packet. the negation of the command is used
to close the function of VBRP packet debugging.
debug standby packets [{coup|detail|hello|resign|terse}]
no debug standby packets
Syntax
Description
coup
Debug coup packet.
detail
Display the detailed contents of a packet.
hello
Debug Hello packet.
resign
Debug Resign packet.
terse
Debug coup/resign packet.

Note:
The command debug standby packets is used to open information debugging of all packets.
7.8 Configuring VRRP

VRRPVirtual Router Redundancy Protocolcan provide a gateway backup.
Related VRRP configuration commands
An example of VRRP configuration
Monitoring and debugging VRRP
7.8.1 Related VRRP Configuration Commands
Vrrp enable/disable
The command is used to enable vrrp and specify a virtual IP address. The negation of the command is used to disable
vrrp.
Ip vrrp vrid ip ip-address
No ip vrrp vrid
Syntax
Description
vrid
Specify a vird number whose value range

is from 1 to 255.
ip-address
Specify a virtual IP address.
By defaultVrrp is disabled.
Note
A virtual IP address and a primary address of the interface must be in the same network segment.
Vrrp authentication
The command is used to enable/disable vrrp simple text authentication.
Ip vrrp vrid authentication text string
no ip vrrp vrid authentication
Syntax
Description
vrid

is from 1 to 255.
string
The authentication password.

maximal length is 16 (by character).
By defaultThe authentication is enabled.

Note
The
The command can not be configured until VRRP is enabled.

Vrrp preempt
The command is used to enable/disable vrrp preempt.
Ip vrrp vrid preempt
no ip vrrp vrid preempt
Syntax
vrid
Description
is from 1 to 255.
By defaultthe vrrp preempt is disabled.

Note

Vrrp priority
The command is used to configure vrrp priority.
Ip vrrp vrid priority priority
No ip vrrp vrid priority
Syntax
Description
vrid

is from 1 to 255.
priority
Specify a vird priority whose value range

is from 1 to 254.
By defaultpriority100
Note

Ip Vrrp timer
The command is used to configure the period of sending VRRP packets.
Ip vrrp vrid timer_advertise advertise-time
No ip vrrp vrid timers
Syntax
Description
vrid

is from 1 to 255.
advertise-time
Specify the period (by second) of sending

vrrp packets and its value range is from 1
to 255.
By defaultadvertise-time1
Note

Vrrp interface monitoring
The command is used to configure the interface vrrp monitors.
Ip vrrp vrid track interface [decrement]
no ip vrrp vrid track interface
Syntax
Description
vrid

is from 1 to 255.
interface
Specify an interface for monitoring.
decrement
Specify the priority decrement.
By defaultAn interface is not be monitored.

Note
1) The command can not be configured until VRRP is enabled.

2) if no decrement is specified, the default value of priority decrement is 10.
7.8.2 An Example of VRRP Configuration
, QW HU QHW
U RXW HU
U RXW U
I
I
3&
3&
Illustration:
As shown in figure above, pc1 and pc2 connect with Internet respectively through router1 and router2, and their default
gateways are respectively 129.255.123.100 and 129.255.123.16.
The basic configuration of VRRP is described as follows:
Command
Task
Enter the
mode.
global
configuration
router1(config)#interface fastethernet0
router1(config-if-fastethernet0)#ip vrrp 1 ip-address 129.255.123.100
Configure VRRP group-number

router1(config-if-fastethernet0)#ip vrrp 1 priority 110
Set the VRRP priority.
B) Router2 is configured as follows:

Command
Task
Enter the
mode.
global
configuration
route2(config)#interface fastethernet0
router2(config-if-fastethernet0)# ip vrrp 1 ip-address 129.255.123.100
Configure VRRP group-number

7.8.3 Monitoring and Debugging VRRP

show ip vrrp
The command is used to display all local VRRPs.
show ip vrrp
debug ip vrrp event
The command is used to display/close the event information about VRRP running.
debug ip vrrp event
no debug ip vrrp event
debug ip vrrp packet
The command is used to enable/disable the switch of VRRP packet debugging information.
debug ip vrrp packet
no debug ip vrrp packet
debug ip vrrp timer
The command is used to enable/disable the switch of VRRP timer debugging information.
debug ip vrrp timer
no debug ip vrrp timer
7. 9 Configuring Snapshot Routing

This chapter mainly describes how to configure snapshot routing on a router. Snapshot routing can be used to permit a single
router in the active-time to exchange route information with a remote node and forbid the router in the quiet-time to exchange
route information.
The main contents of this chapter are listed as follows:
Related descriptions of snapshot routing configuration commands
An example of snapshot routing configuration
Debugging snapshot routing
7. 9.1 Related Descriptions of Snapshot Routing Configuration Commands

clear snapshot quiet-time interface
The command can be used to end the quiet-time of the client router in two minutes.
Syntax
Description
interface
The interface name.
By defaultThe interface makes transformation according to the time of snapshot status.

Command modethe global configuration mode
dialer map snapshot sequence-number dial-string
no dialer map snapshot sequence-number dial-string

The command can be use to define a dialer mapping for the snapshot routing protocol of the client router connecting
with the DDR interface, use the command. And use the negation of the command to delete a defined snapshot routing dialer
mapping.
Syntax
Description
sequence-number
A number within 1 and 254, used to identify a

unique dialer mapping.
A phone number of a remote snapshot server.
Dial up the number in the active-time.
dial-string
By defaultNo map is configured.

snapshot client active-time quiet-time [suppress-statechange-updates] [dialer]
no snapshot client
Syntax
active-time
quiet-time
suppress-statechange-updates
dialer
Description
The active time for regularly exchanging route upgrade
between the client and server (by minute). Its value range is
from 5 to 1000, and no default value is configured. 5 minutes
is a used-usually value.
The quiet time there exists no route change. Its value
range is from 8 to 100000, and no default value is
configured. The minimal quiet time is active time+3.
Deny the exchange of route upgrade when line protocol
change from non-active to active or from dialer
pseudo to full-active.
If the client router must dialup to the remote router
when there exists no routine information flow.
By defaultThe snapshot routing is disabled.

snapshot server active-time
no snapshot server
the command is used to configure a service router for snapshot routing. The negation of the command is used to deny the
service router.
Syntax
active-time
Description
The active time for regularly exchanging route
upgrade between the client and server (by minute).
Its value range is from 5 to 1000, and no default
value is configured. 5 minutes is a used-usually
value.
Notice:
Snapshot is supported only in the DDR dialup mode.
7. 9.2 An Example of Snapshot Routing

5
6
C ISCOS YSTEMS
/

0RGHP
3671
6
5
CISCOS YSTEMS
0RGHP

/

As shown in figure above, the interface S1/0 of the router R1 connects with the interface of router R2 through PSTN. The
RIP routing protocol is enabled on the link, snapshot routing is used to realize that the route information can be exchanged
only in the active-time, and the RIP protocol is used to discover the route from the opposite end to the loopback interface L0.
R1 serves as the snapshot routing client, and R2 serves as the snapshot routing server. The related configuration is described
as follows:
R1 is configured as follows:
Command
Task
In the global mode

R1(config)#router rip
Configure the RIP protocol.
R1(config-rip)#network 1.0.0.0
R1(config-rip)#exit
R1(config)#ip access-list extended 1001
Define DDR triggering data flow, shield
R1(config-ext-nacl)# deny ip any host 255.255.255.255
broadcast and multicast packets so that
R1(config-ext-nacl)# deny ip any 224.0.0.0 0.255.255.255
they have no way to trigger DDR dialup.
R1(config-ext-nacl)# permit ip any any

R1(config-ext-nacl)# exit
R1(config)#dialer-list 1 protocol ip list 1001
In the interface configuration mode.
R1(config-if-serial1/0)#ip add 1.1.1.1 255.255.255.0
Configure related DDR operations, and
R1(config-if-serial1/0)#dialer in-band
set phone number and IP address.
R1(config-if-serial1/0)#dialer-group 1
R1(config-if-serial1/0)#dialer string 602
R1(config-if-serial1/0)#phy async
Configure the modem (The ISDN dialup
R1(config-if-serial1/0)#speed 115200
mode can also be adopted. About related
R1(config-if-serial1/0)#modem outer
configuration, refer to sections related

with interface configuration)
R1(config-if-serial1/0)#snapshot client 5 600 dialer
Enable the Snapshot client, set activetime and quiet-time respectively as 5

minutes and 8 minutes.
R2 is configured as follows:
Command
Task
In the global configuration mode.

Configure the RIP protocol.
R2(config)#router rip
R2(config-rip)#exit
R1(config)#ip access-list extended 1001
Define DDR triggering data flow, shield
R1(config-ext-nacl)# deny ip any host 255.255.255.255
broadcast and multicast packets so that
R1(config-ext-nacl)# deny ip any 224.0.0.0 0.255.255.255
they have no way to trigger DDR dialup.
R1(config-ext-nacl)# permit ip any any

R1(config-ext-nacl)# exit
R1(config)#dialer-list 1 protocol ip list 1001
In the interface configuration mode
R1(config-if-serial1/0)#ip add 1.1.1.2 255.255.255.0
Configure related DDR operations, and
R1(config-if-serial1/0)#dialer in-band
set phone number and IP address.
R1(config-if-serial1/0)#dialer-group 1
R1(config-if-serial1/0)#phy async
Configure the modem (The ISDN dialup
R1(config-if-serial1/0)#speed 115200
mode can also be adopted. About related
R1(config-if-serial1/0)#modem outer
configuration, refer to sections related

with interface configuration)
R2(config-if-serial1/0)#snapshot server 5
Enable the Snapshot server, set activetime as 5 minutes.
7. 9.3 Monitoring and Debugging Snapshot Routing

show snapshot
The command is used to display the configuration information and current status of Snapshot.
The following information will be displayed through the command:
serial4/2
Snapshot client
Options: Stay asleep on carrier up
Dialer support
Length of active period:5

Length of quiet period:200
Length of retry period:8
Current state: active, remaining time: 2 minutes
Explanations: The serial-interface s4/2 is the client and the snapshot status upgrade is denied when the interface is up. The
snapshot is permitted to trigger DDR dialup. The current status is the active time and remained time is 2 minutes.
debug snapshot
no debug snapshot
The command is used to enable/disable snapshot debugging information.

debug dialer
no debug dialer
The command is used to enable/disable DDR event debugging information.

debug dialer packet
no debug dialer packet
The command is used to enable/disable DDR packet debugging information.

debug dialer timer
no debug dialer timer
The command is used to enable/disable DDR timer debugging information.

7. 10 Configuring Policy Route

Policy route is a more flexible mechanism of routing messages than destination routing. It is a procedure that a packet is
transmitted by means of route mapping before a router routes a packet. The route mapping determines which next route the
packet will be routed to. When the shortest route path of a packet is uncertain, the policy route can be enabled to solve the
problem. And the policy route can perform routing according to source address, protocol and port-number.
Related descriptions of policy route configuration commands;
An example of policy route configuration;
Monitoring and debugging of policy route.
7.10.1 Related Descriptions of Policy Route Configuration Commands
To enable policy route, you should determine which route mapping is applied to policy route and establish a route mapping.
The route mapping is used to specify the match standard and the corresponding actions that can be taken when the match
conditions are met. There exist three aspects of policy route configuration commands: A) enabling policy routing for packet
forwarding; B) enabling rapid-switch policy routing; C) enabling local policy routing. And the configuration commands are
described in details as follows:
ip policy route-map
To enable the policy route of an interface in the interface configuration mode, execute the command ip policy routemap. The policy route controls all packets arriving at the interface. If the policy route fails to control them, packets will go on
finding a routing table. The negation of the command is used to disclose the policy route of the interface.
ip policy route-map route-map-name
no ip policy route-map route-map-name
Syntax
Description
route-map-name
Specify the name of the route mapping applied to the policy

route of packet forwarding
By defaultNothing

Notice:
The command is enabled to disabled the rapid forwarding of the interface.
ip route-cache policy
The rapid forwarding of the policy route can enhance the rate of forwarding a packet. To enable the function, execute
the command ip route-cache policy in the interface configuration mode. After the command is enabled, the forwarding packet
received on the local interface will first be controlled by rapid buffer memory the policy route. The negation of the command
is used to disable the rapid forwarding of the policy route.
ip route-cache policy
no ip route-cache policy
By defaultNothing
ip local policy route-map
To enable the local policy route for the packets generated from the router, execute the command ip local policy routemap in the global configuration mode so that which route mapping should be applied by the router. After the command is
enabled, the local policy route controls all packets from the router. If the policy route fails to do them, the packets will go on
finding a routing table.
ip local policy route-map route-map-name
no ip local policy route-map route-map-name
Syntax
route-map-name
Description
Specify the name of the route mapping applied to the local
policy route.
By defaultNothing.

7.10.2 An example of policy route configuration
The private line
Figure 6-10
Illustration:
1)RouterA connects with RouterB through two private lines.
2)RouterA connects with 3 PCs through the Ethernet.
3)Configure the loopback interface of RouterB as the testing point.

4) A static route is configured between RouterA and RouterB.
5)The goal of the example is to demonstrate the packet policy route based on the source IP address: RouterA sends all
data from 129.255.4.44 out of the interface S0/0 and sends all data from 129.255.4.33 out of the interface S1/0, and all other
data are routed according to the destination.
RouterA is configured as follows:
Command
Task
routerA(config-if-fastethernet0)#ip
255.255.0.0
address
129.255.4.11 Configure the Ethernet address.
routerA(config-if-fastethernet0)#ip policy route-map map1
Apply IP policy route map 1 to interface f0.
routerA(config-if-fastethernet0)#interface serial0/0
routerA(config-if-serial0/0)# physical-layer sync
Configure the physical-layer

synchronism mode.
routerA(config-if-serial0/0)# encapsulation ppp
Encapsulate PPP on the interface s0/0.
routerA(config-if-serial0/0)#ip
255.255.255.0
address
as
the
150.1.1.1
routerA(config-if- serial0/0)#interface serial1/0

routerA(config-if-serial1/0)#physical-layer sync
routerA(config-if-serial1/0)# clock rate 64000
routerA(config-if-serial1/0)# encapsulation ppp
routerA(config-if-serial1/0)#ip
255.255.255.0
address

151.1.1.1
routerA(config-if-serial1/0)#exit
routerA(config)# ip local policy route-map map1
Make the route use the policy map1 to route

the packets generated by itself.
routerA(config)# ip route 152.1.1.2 255.255.255.255 serial1/0
Configure the static route to the loopback

interface of RouterB.
routerA(config)#ip route 152.1.1.2 255.255.255.255 serial0/0
Configure the static route to the loopback

interface of RouterB.
routerA(config)# route-map map1 permit 10
Configure route map 1 and rule execution

number 10.
routerA(config-route-map)# match ip address 1
The match standard that adopts the policy

route for data packet to enter the Ethernet
port of the router accords with standard
access list 1.
routerA(config-route-map)#set interface serial0/0
Set the packet path: the packet is sent out of

the interface s0/0.
routerA(config-route-map)#exit
routerA(config)# route-map map1 permit 20
Configure route map 1 and rule execution

number 20.
routerA(config-route-map)# match ip address 2
The match standard that adopts the policy

route for data packet to enter the Ethernet
port of the router accords with standard
access list 2.
routerA(config-route-map)#set interface serial1/0
Set the packet path: the packet is sent out of

the interface s1/0.
routerA(config-route-map)#exit
routerA(config)#access-list 1 permit host 129.255.4.44
Set access list 1.
routerA(config)#access-list 2 permit host 129.255.4.33
Set access list 2.
RouterB is configured as follows:

Command
Task
routerB(config-if-loopback0)#ip
255.255.255.255
address
152.1.1.2 Configure the loopback interface as the

testing point.
routerB(config-if-serial0/0)# physical-layer sync

routerB(config-if-serial0/0)# encapsulation ppp
routerB(config-if-serial0/0)#
255.255.255.0
ip
address

151.1.1.2
routerB(config-if-serial0/0)#interface serial1/0
routerB(config-if-serial1/0)#physical-layer sync
routerB(config-if-serial1/0)# clock rate 64000
routerB(config-if-serial1/0)# encapsulation ppp
routerB(config-if-serial1/0)#ip
255.255.255.0
address

150.1.1.2
routerB(config-if-serial1/0)#exit
routerB(config)#ip route 129.255.0.0 255.255.0.0 serial1/0
Configure the static route to the interface f0

of Route A.
routerB(config)#ip route 129.255.0.0 255.255.0.0 serial0/0
Configure the static route to the interface f0

of Route A.
7.10.3 Monitoring and Debugging of Policy Route
show ip policy
The command is used to display the policy route configuration of an interface.

show ip policy
Command modethe privileged user mode.
Show ip cache policy
The command is used to display policy route buffer.

show ip cache policy
show ip cache policy detail
Show ip local policy
The command is used to display the configuration of the local policy route.
show ip local policy
debug ip policy
The command is used to trace the policy route control of a packet.

debug ip policy
no debug ip policy

7.11 Configuring M-VRF
M-VRF is a technology supporting VPN. There exist multiple VRFs on each router, and each kind of source on the router
(such as interface, IP address, protocol, control module and routing table) has its own VRF attribute. The mutual access
among the resources with different VRF is denied. M-VRF can be used to realize network isolation and address overlap.
This can realize the network security to a certain extent.
Related descriptions of M-VRF configuration commands
An example of configuring M-VRF
Monitoring and debugging M-VRF
7.11.1 Related Descriptions of M-VRF Configuration Commands
To enable M-VRF, it is necessary to generate a VRF firstly (there exists a global VRF in the system):
ip vrf
To generate a vrf, use the command ip vrf. And the negation of the command is used to delete a vrf.
ip vrf vrf-name
no ip vrf vrf-name
Syntax
Description
vrfname
Specify a name for generating a vrf.
By defaultNothing.
rd
The command rd is used to specify a RD (route description character) for a generated vrf. The generated VRF can not
take effect until the RD is specified.
rd as:nn
rd ip_addr:nn
Syntax
Description
as:nn
As: a value within 0 and 65535;

Nn: a value within 0 and 4294967295.
ip_adr:nn
Ip_addr: the value within 0.0.0.0 and 255.255.255.255

nn: the value within 0 and 65535.
By defaultNothing.
Command modethe vrf configuration.
Notice:
Once the RD is configured, it must be firstly deleted if it need be modified.
ip vrf forwarding
To related an interface with a valid vrf, use the command ip vrf forwarding. The negation of the command is used to
delete the relation between the interface and the vrf.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax
Description
vrfname
The vrf_name bound with the interface.
By defaultNothing
Notice:
1) After there exists a relation between an interface and an effective vrf, all configured IP addresses will be deleted.
2) An interface can establish a relation with only one vrf.
description
To describe the related vrf information, use the command description. And the negation of the command is used to
delete the description information about the vrf.
description line
no description line
Syntax
Description
line
The description of the interface.

ip
route
The command ip route is used to expand the static route and make it support vrf. The negation of the command is used
to delete the static route.
ip route vrf vrf_name xxxx xxxx
no ip route vrf vrf_name xxxx xxxx
Syntax
Description
vrfname
The vrf name of the static route.
By defaultNothing
arp
The command arp is used to expand a static arp and make it support vrf. The negation of the command is used to delete
the static arp.
arp vrf vrf_name xxxx xxxx
no arp vrf vrf_name xxxx xxxx
Syntax
Description
vrfname
The vrf name of the static arp.
By defaultNothing.
telnet
The command telnet is used to expand telnet and make it support vrf.
telnet vrf vrf_name xxxx
Syntax
Description
vrfname
Telnet the vrf_name of the server.
By defaultNothing
ping
The command ping is used to expand ping and make it support vrf.
ping vrf
vrf_name xxxx
Syntax
Description
vrfname
Ping the vrf_name of the opposite-end address.
By defaultNothing.
quickping
The command quickping is used to expand quickping and make it support vrf.
quickping vrf vrf_name xxxx
Syntax
Description
Quickping the vrf_name of the opposite-end address.
vrfname
By defaultNothing
clear
ip
route
The command clear ip route is used to expand clear ip route and make it support vrf.
clear ip route vrf vrf_name xxxx
Syntax
Description
vrf_name
The specified VRF_name.
By defaultNothing
traceroute
The command traceroute is used to expand traceroute and make it support vrf.
traceroute vrf
vrf_name
Syntax
Description
vrf_name
The specified VRF_name.
By defaultNothing
7.11.2 An Example of M-VRF Configuration
Figure 6-11
Illustration:
1) As shown in figure above, the interface s2/0 of RouterA connects with the interface s1/0 of RouterB. Interfaces s2/0.1,
s2/0.2, s1/0.1 and s1/0.2 are configured respectively. For RouterA, s2/0.1l1 belongs to vrf A, and s2/0.2l2 belongs to vrf
B; For RouterB, s1/0.1l1 belongs to vrf A, and s1/0.2l2 belongs to vrf B.
2) Enable the dynamic routing protocol RIP on RouterA and RouterB.
A) RouterA is configured as follows:

Command
Task
RouterA(config)#ip vrf a
Create vrf a.
RouterA(config-vrf)#rd 1:1
Specify a route description character.
RouterA(config-vrf)#exit
RouterA(config)#ip vrf b
Create vrf b
RouterA(config-vrf)#rd 2:2
Specify a route description character.
RouterA(config-vrf)#exit
RouterA(config)#interface loopback1
Create loopback interface 11.
RouterA(config-if-loopback1)# ip vrf forwarding a
Add the interface to vrf a.
RouterA(config-if-loopback1)#ip address 3.3.3.3 255.255.255.0
RouterA(config-if-loopback1)#interface loopback2
Create loopback interface 12.
RouterA(config-if-loopback2)# ip vrf forwarding b
Add the interface to vrf b.
RouterA(config-if-loopback2)# interface serial2/0
Enter the interface s2/0.
RouterA(config-if-serial2/0)#encapsulation frame-relay
Encapsulate the frame-relay.
RouterA(config-if-serial2/0)# clock rate 128000
RouterA(config-if-serial2/0)#frame-relay intf-type dte
Configure the dte mode.
RouterA(config-if-serial2/0)#interface serial2/0.1
Create sub-interface s2/0.1.
RouterA(config-if-serial2/0.1)#ip vrf forwarding a
Add the sub-interface to vrf a.
RouterA(config-if-serial2/0.1)#frame-relay interface-dlci 100
Assign a DLCI number 100.
RouterA(config-fr-dlci)#frame-relay map ip 193.1.1.1 100 Set a mapping between the opposite-end

broadcast
IP address and local-end DLCI number.
RouterA(config-if-serial2/0.1)#ip
255.255.255.0
address
193.1.1.2 Configure an IP address.
RouterA(config-if-serial2/0.1)#interface serial2/0.2
Create sub-interface s2/0.1.
RouterA(config-if-serial2/0.2)#ip vrf forwarding b
Add the sub-interface to vrf b.
RouterA(config-if-serial2/0.2)#frame-relay interface-dlci 200
Assign a DLCI number 200.
RouterA(config-fr-dlci)#frame-relay map ip 193.1.1.1 200 Set a mapping between the opposite-end

broadcast
IP address and local-end DLCI number.
RouterA(config-if-serial2/0.2)#ip
255.255.255.0
address
193.1.1.2 Configure an IP address.
RouterA(config-if-serial2/0.2)#exit
RouterA(config)#router rip
Enable RIP routing protocol.
RouterA(config-rip)#address-family ipv4 vrf a
Create a address-family vrf a.
RouterA(config-rip-af)#network 3.0.0.0
RouterA(config-rip-af)#exit
RouterA(config-rip)#address-family ipv4 vrf b
Create a address-family vrf b.
RouterA(config-rip-af)#end
The configuration ends.
B) RouterB is configured as follows:

Command
Task
RouterB(config)#ip vrf a
RouterB(config-vrf)#rd 1:1
RouterB(config-vrf)#exit
RouterB(config)#ip vrf b
RouterB(config-vrf)#rd 2:2
RouterB(config-vrf)#exit
RouterB(config)#interface loopback1
RouterB(config-if-loopback1)# ip vrf forwarding a
RouterB(config-if-loopback1)#ip address 1.1.1.1 255.255.255.0
RouterB(config-if-loopback1)#interface loopback2
RouterB(config-if-loopback2)# ip vrf forwarding b
RouterB(config-if-loopback2)#ip address 2.2.2.2 255.255.255.0
RouterB(config-if-loopback2)#exit
RouterB(config)#frame-relay switching
RouterB(config-if-serial1/0)#encapsulation frame-relay
RouterB(config-if-serial1/0)#frame-relay intf-type dce
RouterB(config-if-serial1/0)#interface serial1/0.1
RouterB(config-if-serial1/0.1)#ip vrf forwarding a
RouterB(config-if-serial1/0.1)#frame-relay interface-dlci 100
RouterB(config-fr-dlci)#frame-relay map ip 193.1.1.2 100
broadcast
RouterB(config-if-serial1/0.1)#ip
255.255.255.0
address
193.1.1.1
RouterB(config-if-serial1/0.1)#interface serial1/0.2
RouterB(config-if-serial1/0.2)#ip vrf forwarding b
RouterB(config-if-serial1/0.2)#frame-relay interface-dlci 200
RouterB(config-fr-dlci)#frame-relay map ip 193.1.1.2 200
broadcast
RouterB(config-if-serial1/0.2)#ip
255.255.255.0
address
193.1.1.1
RouterB(config-if-serial1/0.2)#exit
RouterB(config-rip)#address-family ipv4 vrf a
RouterB(config-rip-af)#network 1.0.0.0
RouterB(config-rip-af)#exit
RouterB(config-rip)#address-family ipv4 vrf b
RouterB(config-rip-af)#end
Note
1) Any vrf can not be added to Loopback0.

2) only one vrf can be added to an interface.
7.11.3 Monitoring and Debugging M-VRF
Show ip route
The command Show ip route is used to expand Show ip route and make it support vrf.
show ip route vrf vrf_name
Syntax
Description
vrfname
Specify a vrf name.
Show arp
The command Show arp is used to expand Show arp and make it support vrf.
show arp vrf vrf_name xxxx
Syntax
Description
vrfname
Specify a vrf name.
netstat r
The command netstat r is used to expand netstat r and make it support vrf.
netstat -r vrf vrf_name
Syntax
Description
vrfname
Specify a vrf name.
7.12 Load Balance

Maipu routers now supports the routing load balancing, namely, if there exist many routes to a destination, the router will add
these routes into the routing table. When the data is transferred, the data load can be transmitted through this interface link in
a certain proportion.
o
o
o
7.12.1
Description of relevant commands supporting load balancing

An example of load balance configuration
Monitoring and debugging load balancing
Description Of Relevant Commands Supporting Load Balance
When data is transferred, it needs to close two caches in order that the data load can pass through the interface link in a
certain proportion. The concrete configuring commands are as follows:
A.Router(config)#
Command
Description
no ip upper-cache
Closes the upper cache.
B.Router(config-if-xxx)#
7.12.2
Command
Description
no ip route-cache
Closes the route cache.
An Example Load Balance Configuration

GRZQ
U RXW HU
(
(
6
6
6
XS
6
A. The configuration of the Maipu router down:

Command
Task
Down#configure terminal
Down(config)#router ospf 1
Down(config-ospf)#network 1.0.0.0 0.255.255.255 area 0
Down(config-ospf)#end
B. The configuration of the Maipu router router:

Command
Router(config)#router ospf 1
Router(config-ospf)#network 1.0.0.0 0.255.255.255 area 0
Router(config-ospf)#end
Task
C. The configuration of the Maipu router up:

Command
Task
Up#configure terminal
Up(config)#router ospf 1
Up(config-ospf)#network 6.0.0.0 0.255.255.255 area 0
Up(config-ospf)#network 7.0.0.0 0.255.255.255 area 0
Up(config-ospf)#end
D. Executes the command show ip route on the Maipu Router up:
O 1.0.0.0/8 [110/2] via 6.6.6.2, 11:23:41, serial2
[110/2] via 7.7.7.2, 11:23:41, serial3
C 6.0.0.0/8 is directly connected, 11:24:27, serial2
O 6.6.6.1/32 [110/2] via 6.6.6.2, 11:23:41, serial2
[110/2] via 7.7.7.2, 11:23:41, serial3
O 7.7.7.1/32 [110/2] via 6.6.6.2, 11:23:41, serial2
[110/2] via 7.7.7.2, 11:23:41, serial3
C 11.11.11.11/32 is directly connected, 11:51:54, loopback0
7.12.3 Monitoring and Debugging Load Balance
When data is transferred, the extended ping can be used or the debug information of the interface is opened to observe the
load balance status.
Command
Description
up#ping
Target IP address: 1.1.1.2
Repeat count [5]:2
Datagram size [76]:
Timeout in seconds [2]:
Extended commands [no]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [abcd]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [9]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [no]:
Press key (ctrl + shift + 6) interrupt it.
Sending 5, 76-byte ICMP Echos to 32.16.3.1 , timeout is 2 seconds:
Packet has IP options: Total option bytes = 40 .
Record route number : 9
The interface that packets pass in or

out when the packet ping is
examined.
Reply to request 0 from 32.16.3.1, size = 76, time = 149 ms.

Received packet has options:
RR : 1.1.1.1
1.1.1.2
6.6.6.2
6.6.6.1
RR : 1.1.1.1
1.1.1.2
7.7.7.2
7.7.7.1
Success rate is 100% (2/2). Round-trip min/avg/max = 149/154/159 ms.
Displays the route table.
Show ip route
Net-r
Displays the times the router has

been used.
7.13 Configuring BGP Dynamic Routing Protocol

BGP (Border Gateway Protocol) is distance-vector-based path vector routing protocol. This protocol is used to transfer the
route information between autonomous systems. IGP can be used to determine the route in the autonomous system. BGP uses
TCP as the transfer protocol (port number 179). This not only ensures the reliability of all transmission, but also reduces the
resource occupied by the protocols. Presently, BGP is a factual standard of external routing. This section describes how to
configure BGP dynamic routing protocol of Maipu routers for network interconnection.
Related Descriptions of BGP Configuration Commands
Examples of BGP configuration
BGP monitoring and debugging.
7.13.1 Related Descriptions of BGP Configuration Commands
router bgp
Use the command router bgp to enable BGP and enter the BGP protocol configuration mode; otherwise, use the
negation of the command to disable BGP.
router bgp autonomous-system
no router bgp autonomous-system
Syntax
Descriptions
autonomous-system
Autonomous-system is the local autonomous-system number, and

its value range is from 1 to 65535.
By defaultBGP is disabled.
GuideThe command can be used to enable/disable BGP and specify the local autonomous system number.
neighbor remote-as
Use the command neighbor remote-as to specify the autonomous system number of BGP peer/peer group;
otherwise, use the negation of the command to delete the autonomous system number of BGP peer/peer group.
neighbor {neighbor-address | group-name } remote-as as-number
no neighbor { neighbor-address | group-name } remote-as as-number
Syntax
Descriptions
neighbor-address
The IP address of the peer.
group-name
The name of the peer group.
as-number
The autonomous-system number of the peer/peer group.
By defaultThere exists no BGP peer/peer group.

Command modethe BGP protocol configuration mode.
neighbor peer-group(Creating)
Use the command neighbor peer-group(Creating) toe create a peer group; otherwise, use the negation of the command
to delete a peer group.
neighbor group-name peer-group
no neighbor group-name peer-group
Syntax
Descriptions
group-name
By defaultThere exists no peer group.

neighbor peer-group(Assigning)
Use the command neighbor peer-group (Assigning) to add a peer to the specified peer group; otherwise, use the
negation of the command to delete a peer from the specified peer group.
neighbor neighbor-address peer-group group-name

no neighbor neighbor-address peer-group group-name
Syntax
Descriptions
neighbor-address
group-name
By defaultThe command is invalid.

neighbor next-hop-self
Use the command neighbor next-hop-self to cancel the action BGP takes for the next hop in the route that need be
announced to the peer/peer group; otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } next-hop-self
no neighbor {neighbor-address | group-name } next-hop-self
Syntax
Descriptions
neighbor-address
group-name

neighbor password
Use the command neighbor password to configure MD5 authentication of the TCP connection between two BGP
peers; otherwise, use the negation of the command to cancel the configuration.
neighbor {neighbor-address | group-name } password string
no neighbor {neighbor-address | group-name } password string
Syntax
Descriptions
neighbor-address
group-name
String
MD5 password.
By defaultThere exists no MD5 authentication.

neighbor advertisement-interval
Use the command neighbor advertisement-interval to configure the interval for the peer/peer group to send route
information; otherwise, use the negation of the command to restore the default interval for the peer/peer group
to send route information.
neighbor {neighbor-address | group-name } advertisement-interval seconds
no neighbor {neighbor-address | group-name } advertisement-interval seconds
Syntax
Descriptions
neighbor-address
group-name
seconds
The minimal interval of sending Update message. Its
value range is from 0 to 600 seconds.

neighbor route-map
Use the command neighbor route-map to configure the route-map of the peer/peer group; otherwise, use the negation
of the command to delete the route-map of the peer/peer group.
neighbor {neighbor-address | group-name } route-map map-name {in | out }
no neighbor {neighbor-address | group-name } route-map map-name {in | out }
Syntax
Descriptions
neighbor-address
group-name
map-name
The name of the route-map
in
Input the announcement.
out
Output the announcement.

neighbor route-reflector-client
Use the command neighbor route-reflector-client to configure the peer/peer group as the client of the route reflector;
otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } route-reflector-client
no neighbor {neighbor-address | group-name } route-reflector-client
Syntax
Descriptions
neighbor-address
group-name

neighbor send-community
Use the command neighbor send-community to send the community properties to the peer/peer group; otherwise, use
the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } send-community
no neighbor {neighbor-address | group-name } send-community
Syntax
Descriptions
neighbor-address
group-name
By defaultNo community property is sent.

neighbor timers
Use the command neighbor timers to configure the Holdtime of the specified peer/peer group; otherwise, use the
negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } timers holdtime-interval
no neighbor {neighbor-address | group-name } timers
Syntax
Descriptions
neighbor-address
group-name
holdtime-interval
The specified holdtime interval.
By default The default keepalive is 60 seconds and default holdtime interval is 180 seconds.
neighbor ebgp-multihop
Use the command neighbor ebgp-multihop to allow establishing the connection with the EBGP peer/peer group that
are not connected directly with the network; otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } ebgp-multihop ttl
no neighbor {neighbor-address | group-name } ebgp-multihop
Syntax
Descriptions
neighbor-address
group-name
ttl
The maximal number of hops. Its value range is

from 1 to 255.
neighbor update-source
Use the command neighbor update-source to allow internal BGP to use any operational TCP to connect with an
interface; otherwise, use the negation of the command to cancel the existing configuration.
neighbor {neighbor-address | group-name } update-source interface
no neighbor {neighbor-address | group-name } update-source interface
Syntax
Descriptions
neighbor-address
group-name
interface
Specify the interface for TCP connection.
By default The local interface.

neighbor distribute-list
Use the command neighbor distribute-list to configure the access list of the peer/peer group; otherwise, use the
negation of the command to cancel the configuration.
neighbor {neighbor-address | group-name } distribute-list access-list-number {in | out}
no neighbor {neighbor-address | group-name } distribute-list access-list-number {in | out}
Syntax
Descriptions
neighbor-address
group-name
access-list-name
The name of the access list. Its range is from 1 to

1000.
In
Out

neighbor filter-list
Use the command neighbor filter-list to configure the filtering list of the peer/peer group; otherwise, use the negation
of the command to cancel the configuration.
neighbor {neighbor-address | group-name } filter-list aspath-list-number {in | out}
no neighbor {neighbor-address | group-name } filter-list access-list-number {in | out}
Syntax
Descriptions
neighbor-address
group-name
aspath-list-name
AS regular expression list number. Its value

range is from 1 to 199.
In
Out

neighbor version
Use the command neighbor version to configure the special BGP version for receiving; otherwise, use the negation of
the command to use the default version.
neighbor {neighbor-address | group-name } version value
no neighbor {neighbor-address | group-name } version value
Syntax
Descriptions
neighbor-address
group-name
value
The BGP version number.
neighbor shutdown
Use the command neighbor shutdown to close the connection with the specified neighbor; otherwise, use the negation
of the command to open the connection with the specified neighbor.
neighbor {neighbor-address | peer_group-name } shutdown
no neighbor {neighbor-address | peer_group-name } shutdown
Syntax
Descriptions
neighbor-address
peer_group-name
neighbor soft-reconfiguration inbound
Use the command neighbor soft-reconfiguration inbound to save the received corrected value; otherwise, use the
negation of the command not to save the received corrected value.
neighbor {neighbor-address | peer_group-name } soft-reconfiguration inbound
no neighbor {neighbor-address | peer_group-name } soft-reconfiguration inbound
Syntax
Descriptions
neighbor-address
peer_group-name
bgp always-compare-med
Use the command bgp always-compare-med to allow comparing the MED value of route paths from different AS
neighbors; otherwise, use the negation of the command to forbid the comparison.
bgp always-compare-med
no bgp always-compare-med
By defaultThere exists no comparison.
bgp cluster-id
Use the command bgp cluster-id to configure the cluster ID of the route reflector; otherwise, use the negation of the
command to delete the cluster ID of the route reflector.
bgp cluster-id cluster-id
no bgp cluster-id cluster-id
Syntax
Descriptions
cluster-id
The router ID of a single route reflector in the

cluster.
bgp router-id
Use the command bgp router-id to configure the router-id of the router; otherwise, use the negation of the command to
disable the router-id of the router.
bgp router-id router-id

no bgp router-id router-id
Syntax
Descriptions
router-id
The router-id of the router.
bgp confederation identifier
Use the command bgp confederation identifier to configure the bgp confederation identifier; otherwise, use the
negation of the command to remove the bgp confederation identifier.
bgp confederation identifier as-number

no bgp confederation identifier as-number
Syntax
Descriptions
as-number
The autonomous system number.
bgp confederation peers
Use the command bgp confederation peers to configure the autonomous system belonging to the bgp confederation;
otherwise, use the negation of the command to remove the autonomous system from the bgp confederation.
bgp confederation peers as-number

no bgp confederation peers as-number
Syntax
Descriptions
as-number
The autonomous system number.
bgp default local-preference
Use the command bgp default local-preference to configure the local preference; otherwise, use the negation of the
command to restore the default value of the local preference.
bgp default local-preference value
no bgp default local-preference value
Syntax
Descriptions
value
The local preference. Its value range is from 0 to

4294967295.
By defaultThe default value of local preference is 100.

bgp dampening
Use the command bgp dampening to configure BGP route dampening and other parameters; otherwise, use the
negation of the command to cancel the route dampening.
bgp dampening [half-life reuse suppress max-suppress-time]
no bgp dampening [half-life reuse suppress max-suppress-time]
Syntax
Descriptions
half-life
The half-life of the BGP route dampening. Its

reuse
The route reuse limit. Its value range is from 1 to

20000.
suppress
The route suppression limit. Its value range is

from 1 to 20000.
max-suppress-time
The maximal suppression time. Its value range is

from 1 to 255.
By defaulthalf-life : 15 minutes; reuse :750; suppress: 2000; max-suppress-time: four times of half-life.
network
Use the command network to configure the network to which BGP is sent; otherwise, use the negation of the command
to cancel the existing configuration.
network network-number [mask network-mask] [route-map map-name]
no network network-number [mask network-mask] [route-map map-name]
Syntax
Descriptions
network-number
The network BGP need announce.
mask
The network mask.
network-mask
The network mask BGP need announce.
route-map
The route map.
map-name
The name of the route map.
By defaultBGP sends no route.

redistribute
Use the command redistribute to introduce the route information of other protocols; otherwise, use the negation of the
command to cancel the introduction of the route information of other protocols.
redistribute protocol [route-map map-name]
no redistribute protocol [route-map map-name]
Syntax
Descriptions
protocol
Specify the original route protocol that can be

introduced: connected, rip, irmp, ospf, snsp,
static.
route-map
The route map.
map-name
The name of the route map.
By defaultBGP does not introduces routes of other protocols.

synchronization
Use the command synchronization to configure the synchronization between BGP and IGP; otherwise, use the negation
of the command to disable the synchronization between BGP and IGP.
synchronization
no synchronization
By default BGP is synchronous with IGP.
maximum-paths
Use the command maximum-paths to configure BGP to support load balance; otherwise, use the negation of the
command to close BGP load balance
maximum-paths number-paths
no maximum-paths
Syntax
Descriptions
number-paths
The maximal number of the paths of load balance

supported by BGP. Its value range is from 1 to 6.
By defaultBGP does not support load balance.

distance bgp
Use the command distance bgp to configure the management distance of external BGP and internal BGP; otherwise,
use the negation of the command to restore the default management distance of external BGP and internal BGP distance bgp
external-distance internal-distance
no distance bgp
Syntax
Descriptions
external-distance
The management distance of BGP external route.

Its value range is from 1 to 255.
internal-distance
The management distance of BGP internal route.

By defaultThe management distance of BGP external route is 20, and the management distance of BGP internal
route is 200.
default-metric
Use the command default-metric to configure the MED value introduced into other protocols; otherwise, use the
default-metric number
no default-metric number
Syntax
Descriptions
number
The MED value. Its value range is from 1 to

65535.
aggregate-address
Use the command aggregate-address to create an aggregation address in the BGP routing table; otherwise, use the
negation of the command to make the command invalid.
aggregate-address address mask [as-set] [summary-only]
no aggregate-address address mask [as-set] [summary-only]
Syntax
Descriptions
address
The address of the aggregation route.
mask
The network mask of the aggregation route.
as-set
Generate a route of AS aggregation segment.
summary-only
Only aggregation routes are announced.

match as-path
Use the command match as-path to specify a matched path access list in the route map; otherwise, use the negation of
the command to cancel the configuration.
match as-path path-list-number
no match as-path path-list-number
Syntax
Descriptions
path-list-number
The path access list number. Its value range is

from 1 to 199.
Command modethe route map configuration mode.
match ip address
Use the command match ip address to specify the matched IP address range in the route map.
match ip address access-list-number
no match ip address access-list-number
Syntax
Descriptions
access-list-number
The access list number.
match ip next-hop
Use the command match ip next-hop to specify the next matched IP address in route map; otherwise, use the negation
of the command to cancel the configuration.
match ip next-hop access-list-name
no match ip next-hop access-list-name
Syntax
Descriptions
access-list-number
set as-path
Use the command set as-path to add an AS number before the original AS path in the route map; otherwise, use the
set as-path [prepend as-path-string]
no set as-path [prepend as-path-string]
Syntax
Descriptions
prepend
Add an AS number.
as-path-string
The AS number.
set community
Use the command set community to configure BGP community property in route map; otherwise, use the negation of
set community {additive | local-AS | no-advertise | no-export | none}
no set community {additive | local-AS | no-advertise | no-export | none}
Syntax
Descriptions
additive
Add the community property to the existing community.
local-AS
Do not send the matched route out of the autonomous

system.
no-advertise
Do not advertise the matched route to any peer/peer

group.
no-export
Do not advertise the route with the property to any

peer/peer group out of the autonomous system except
any peer/peer group in the autonomous system.
none
Delete the community property of the route.
set ip next-hop
Use the command set ip next-hop to specify the next hop for the alteration of the original route in the route map;
otherwise, use the negation of the command to cancel the configuration.
set ip next-hop ip-address
no set ip next-hop ip-address
Syntax
Descriptions
ipt-address
Set the IP address of the next hop.
set local-preference
Use the command set local-preference to change the local preference of the original route for the route map;
otherwise, use the negation of the command to cancel the configuration of the local preference of the original route.
set local-preference value
no set local-preference value
Syntax
Descriptions
value
Set the local preference.
set metric
Use the command set metric to change the property metric of the original route in the route map; otherwise, use the
set metric metric
no set metric metric
Syntax
Descriptions
metric
Set the property metric.
set origin
Use the command set origin to change the property origin of the original route in the route map; otherwise, use the
set origin {egp | igp | incomplete}
no set origin
Syntax
Descriptions
Egp, igp,incomplete
Set the property origin.
clear ip bgp
Use the command clear ip bgp to reset the BGP connection and make the configured-newly policy valid after the
configuration of route policy or BGP has been changed.
clear ip bgp {* | address | as-number}
Syntax
Descriptions
All peers.
address
The IP address of the specified peer.
as-number
Reset the BGP connection matching with the AS

number. The value range of AS number is from 1
to 65535.
Command modeThe privileged user configuration mode.
clear ip bgp dampening
Use the command clear ip bgp dampening to clear the information about route flap dampening and remove the
restraint of the restrained routes.
clear ip bgp dampening {address | mask }
Syntax
Descriptions
address
The network IP address used to clear the

dampening information.
mask
The network mask.
clear ip bgp peer-group
Use the command clear ip bgp peer-group to reset all BGP connections of the specified peer group.
clear ip bgp peer-group group-name
Syntax
Descriptions
Group-name

7.13.2 Examples of BGP Configuration
Example 1: Basic BGP configuration
Figure 8-6
Illustration:
1) The port S1/0192.1.1.1of RouterA connects to the port S1/0 (192.1.1.2) of RouterB; the port S2/0193.1.1.1
of RouterB connects to the port S2/0 (193.1.1.2) of RouterC;
2) The loopback addresses of three routers are respectively 1.1.1.1(RouterA), 2.2.2.2(RouterB) and 3.3.3.3(RouterC).
3) RouterA is located in AS 100, while RouterB and RouterC are located in AS 200.
A ) RouterA is configured as follows:
Command
Descriptions
Enter the loopback interface.
RouterA(config-if-loopback0)#ip
255.255.255.0
address
1.1.1.1 Configure the IP address.
RouterA(config-if-loopback0)#interface s1/0
RouterA(config-if-serial1/0)#encapsulation hdlc
Encapsulate the link-layer protocol HDLC.
RouterA(config-if-serial1/0)#ip
255.255.255.0
address
RouterA(config)#router bgp 100
Enter the BGP configuration mode.
RouterA(config-bgp)#neighbor 192.1.1.2 remote-as 200
Specify the AS number of the BGP peer.
RouterA(config-bgp)#network 1.1.1.0 mask 255.255.255.0
Configure the network to which the BGP is

sent.
RouterA(config-bgp)#exit
Command
Descriptions
RouterB(config-if-loopback0)#ip
255.255.255.255
Enter the loopback interface.

address
RouterB(config-if-loopback0)#interface s1/0
Enter the configuration interface s1/0.
RouterB(config-if-serial1/0)#encapsulation hdlc
RouterB(config-if-serial1/0)#ip
255.255.255.0
address
192.1.1.2
RouterB(config-if-serial1/0)#clock rate 9600
Configure clock rate.
RouterB(config-if-serial1/0)#interface s2/0
255.255.255.0
address

193.1.1.1

RouterB(config)#router bgp 200
RouterB(config-bgp)#neighbor 192.1.1.1 remote-as 100
The same as the above.
RouterB(config-bgp)#neighbor 193.1.1.2 next-hop-self
Regard its own address as the next hop.
RouterB(config-bgp)#exit
C) RouterC is configured as follows:
Command
Descriptions
RouterC(config)#interface loopback0
RouterC(config-if-loopback0)#ip
255.255.255.255
address
3.3.3.3
RouterC(config-if-loopback0)#interface s2/0
RouterC(config-if-serial2/0)#encapsulation hdlc
RouterC(config-if-serial2/0)#ip
255.255.255.0
address

193.1.1.2
RouterC(config)#router bgp 200
RouterC(config-bgp)#neighbor 193.1.1.1 remote-as 200
RouterC(config-bgp)#no synchronization
Set the asynchronism between BGP and IGP.
RouterC(config-bgp)#exit
Notice
The above mainly describes the dynamic routing protocol BGP. About the configuration mode of the physical layer and
link layer, refer to the related sections.

Example 2: Configuring BGP route reflector
Figure 8-7
Illustration:
1) As shown in the figure above, the configuration of RouterA, RouterB and RouterC is the same as that of example 1.
RouterD is an additional router, belonging to AS 200, its interface s1/0 connects with the interface s1/0 of RouterC, and
their corresponding addresses are 194.1.1.1(RouterC) and 194.1.1.2(RouterD).
2) In the example above, RouterC acts as a reflector and supports two clients: RouterB and RouterC.
3) RouterA is located in AS 100, while RouterB, RouterC and RouterD is located in AS 200.
Syntax
Descriptions
RouterA(config-if-serial1/0)#ip address 192.1.1.1 255.255.255.0

Specify the autonomous system number of

the BGP peer.
Configure the network to which the BGP

is sent.
Syntax
Descriptions
RouterB(config-if-loopback0)#ip
255.255.255.255
address
2.2.2.2
RouterB(config-if-loopback0)#interface s1/0
RouterB(config-if-serial1/0)#ip address 192.1.1.2 255.255.255.0

RouterB(config-if-serial2/0)#ip address 193.1.1.1 255.255.255.0

RouterB(config-rip)#network 193.1.1.0
RouterB(config-rip)#version 2
RouterB(config-rip)#exit

the BGP peer.
The same as above.
Syntax
Descriptions
RouterC(config)#interface loopback0
RouterC(config-if-loopback0)#ip
255.255.255.255
address
3.3.3.3
RouterC(config-if-loopback0)#interface s1/0
255.255.255.0
address

194.1.1.1
RouterC(config-if-serial1/0)#interface s2/0
255.255.255.0
address

193.1.1.2
RouterC(config)#router rip
RouterC(config-rip)#network 193.1.1.0
RouterC(config-rip)#network 194.1.1.0
RouterC(config-rip)#version 2
RouterC(config-rip)#exit

RouterC(config-bgp)#neighbor
client
193.1.1.1
route-reflector- Configure the peer as the client of the route

reflector.
client
194.1.1.2
route-reflector- Configure the peer as the client of the route

reflector.
RouterC(config-bgp)#no synchronization
D) RouterD is configured as follows:
Syntax
Descriptions
RouterD#configure terminal
RouterD(config)#interface s1/0
RouterD(config-if-serial1/0)#encapsulation hdlc
RouterD(config-if-serial1/0)#ip
255.255.255.0
address

194.1.1.2
RouterD(config-if-serial1/0)#clock rate 9600

RouterD(config)#router rip
RouterD(config-rip)#network 194.1.1.0
RouterD(config-rip)#version 2
RouterD(config-rip)#exit
RouterD(config)#router bgp 200
RouterD(config-bgp)#neighbor 194.1.1.1 remote-as 200

the BGP peer.
RouterD(config-bgp)#no synchronization
RouterD(config-bgp)#exit
Notice
Example 3: Configuring BGP Routing
Figure 8-9
Illustration:
1) RouterA, RouterB, RouterC and RouterD are connected as shown in the figure above. Configure the command routemap on RouterC and set the local-preference of the router so that the route information matching the access list (1.1.1.0/24)
can be transmitted over the path with higher local-preference.
2) RouterA is located in AS 100, while RouterB, RouterC and RouterD are located in AS 200.
Syntax
Descriptions
255.255.255.0
address
1.1.1.1
RouterA(config-if-loopback0)#interface loopback1
255.255.255.0
address
2.2.2.2
255.255.255.0
address
192.1.1.1
RouterA(config-if-serial1/0)#interface s2/0
255.255.255.0
address
193.1.1.1
Configure the network to which the BGP is
sent.
The same as above.

the BGP peer.
The same as above.
Syntax
Descriptions
255.255.255.0
address

192.1.1.2

255.255.255.0
address

194.1.1.2


the BGP peer.
The same as above.
The same as above.
Syntax
Descriptions
RouterC(config)#interface serial1/0
RouterC(config-if-serial1/0)#
255.255.255.0
ip
address
RouterC(config-if-serial1/0)#clock rate 9600

RouterC(config-if-serial1/0)#interface s2/0

195.1.1.2
255.255.255.0
address
193.1.1.2
RouterC(config-if-serial2/0)#clock rate 9600

RouterC(config)#ip access-list standard 1
Set the access list.
RouterC(config-std-nacl)#permit 1.1.1.0 0.0.0.255

RouterC(config-std-nacl)#exit
RouterC(config)# route-map localpref permit 10
Set the route map.
RouterC(config-route-map)# match ip address 1

RouterC(config-route-map)#set local-preference 200
RouterC(config-route-map)#exit
RouterC(config)# route-map localpref permit 20
Set the route map.
RouterC(config-route-map)#set local-preference 100
RouterC(config-route-map)#exit

the BGP peer.
The same as above.
The same as above.
RouterC(config-bgp)#neighbor 195.1.1.1 next-hop-self
localpref in
193.1.1.1
route-map Apply localpref to ingress traffic of the

neighbor 193.1.1.1.
D) RouterD is configured as follows:
Syntax
Descriptions
RouterD#configure terminal
RouterD(config)#interface loopback0
RouterD(config-if-loopback0)#ip
255.255.255.0
address
4.4.4.4
RouterD(config-if-loopback0)#interface s1/0
255.255.255.0
address

195.1.1.1
RouterD(config-if- serial1/0)#interface s2/0

255.255.255.0
address
194.1.1.1
RouterD(config)#router bgp 200

the BGP peer.
The same as above.
RouterD(config-bgp)#no synchronization
RouterD(config-bgp)#exit
Note:
7.13.3 BGP Monitoring and Debugging
show ip bgp
Use the command show ip bgp to display all BGP information.

show ip bgp [address] [mask]
Syntax
Descriptions
Address
Display the route of the specified IP address in the BGP

routing table.
Mask
The network mask.
Command modethe privileged user configuration mode
show ip bgp flap-statistics
Use the command show ip bgp flap-statistic to display the statistics information about route flap dampening.
show ip bgp flap-statistics [address ] [mask]
Syntax
Descriptions
Address
Display the statistics information about route flap

dampening of the specified IP address in the BGP routing
table.
Mask
The network mask
show ip bgp neighbor
Use the command show ip bgp neighbor to display the information about the peer.
show ip bgp neighbor [neighbor-address]
Syntax
Descriptions
neighbor-address
Display the information about the specified peer.
show ip bgp regexp
Use the command show ip bgp regexp to display the route information matching with the specified AS regular
expression.
show ip bgp regexp regular-expression
Syntax
Descriptions
regular-expression
Display the route information matching with the specified

AS regular expression.
show ip bgp summary
Use the command show ip bgp summary to display the information about the BGP summary.
show ip bgp summary
debug ip bgp
Use the command debug ip bgp to open the BGP message debugging information switch.
debug ip bgp [address]{all | event | keepalives | open | packets | route | state | task | timer | updates }
Syntax
Descriptions
Address
Open the message debugging information switch of the

specified BGP peer.
All
Open all debugging information switches of BGP messages.
Event
Open BGP event debugging information switch.
Keepalive
Open BGP keepalive debugging information switch.
Open
Open BGP open debugging information switch.
Packets
Open all debugging information switches of BGP messages.
Route
Open BGP route debugging information switch.
State
Open BGP status debugging information switch.
Task
Open BGP task debugging information switch.
Timer
Open BGP timer debugging information switch.
Updates
Open BGP update debugging information switch.

7.14 Configuring Route-map
7.14.1 Related Descriptions of Route-map Configuration Commands
The configuration commands of IP route-map include the following commands:
route-map
Use the command route-map to configure a route-map and enter the route-map configuration mode; otherwise, use the
negation of the command to delete a route-map.
route-map map-name [ { permit | deny} [ seq-number ] ]
no route-map map-name [ [ permit | deny ] [ seq-number ] ]
Syntax
Descriptions
Map-name
Identify a route-map uniquely.
permit
Set the match mode of the defined route-map sentence as

Permit. When satisfying all match sub-sentences of the
sentence, the route is permitted to pass the filter of the
sentence and execute the set sub-sentence of the sentence; or
else, the next sentence of the route-map will be tested.

deny
Set the match mode of the defined route-map sentence as

Deny. When satisfying all match sub-sentences of the
sentence, the route is prohibited from passing the filter of the
sentence and no test of the next sentence is performed.
Seq-number
A sentence used to identify a route-map. When the routemap is applied to match, the sentence seq-number is firstly
tested.

Note:
1) The route-map can be applied to route redistribution, policy route and BGP. One route-map is composed of several
sentences and each sentence is composed of some match sub-sentences and set sub-sentences. A match sub-sentence is used
to define the match rule of the sentence and a set sub-sentence is used to define the action that will be taken after the sentence
is matched successfully. The filtering relationship among the match sub-sentences of the sentence is And, that is to say that
all match sub-sentences of the sentence must be satisfied fully. The filtering relationship among the route-map sentences is
Or, that is to say that the route-map can be regarded as matched successfully as long as one sub-sentence of the sentence is
satisfied. If no sub-sentence of the sentence is satisfied, the route-map is matched unsuccessfully.
2) If the command parameter includes nothing but the route-map name and the match mode or sentence number is
omitted, a sentence (the sentence number is 10 and the match mode is Permit) is added by default. If the negation of the
command is adopted, then all sentences of the route-map will be deleted.
match as-path
Use the command match as-path to specify the matched path list for the route-map; otherwise, use the negation of the
command to cancel the configuration.
match as-path path-list-number
no match as-path path-list-number
Syntax
Descriptions
path-list-number
The path-list number. Its value range is from 1 to 199 and

multiple numbers can be input simultaneously.
Command modethe route-map configuration mode.
match community
Use the command match community to specify the matched BGP community; otherwise, use the negation of the
match community
community-list--number
no match community
Syntax
Descriptions
The BGP community number. Its value range is from 1 to

199 and multiple numbers can be input simultaneously.
match extcommunity
Use the command match extcommunity to specify the matched BGP/VPN extended-community; otherwise, use the
match extcommunity
extcommunity-list--number
no match extcommunity
Syntax
Descriptions
The BGP/VPN extended-community number. Its value range is

from 1 to 199 and multiple numbers can be input
simultaneously.
match interface
Use the command match interface to specify the matched interface; otherwise, use the negation of the command to
cancel the configuration.
match interface
interface-names
no match interface
interface-names
Syntax
Descriptions
interface-names
The name of the match interface.
match ip address
Use the command match ip address the IP address range for route-map match; otherwise, use the negation of the
match ip address
access-list
no match ip address
access-list
Syntax
Descriptions
Access-list
The serial-number or name of the matched access-list.

Multiple ones can be input successively.
match ip next-hop
Use the command match ip next-hop to specify the matched IP address of the next hop for route-map; otherwise, use
the negation of the command to cancel the configuration.
match ip next-hop std-access-list
no match ip next-hop std-access-list
Syntax
Descriptions
Std-access-list
The standard-access-list or name that will be matched by the

next hop.
match ip route-source
Use the command match ip route-source to specify the matched route-source address; otherwise, use the negation of
match ip route-source
std-access-list
no match ip route-source
std-access-list
Syntax
Descriptions
Std-access-list
The standard-access-list number or name that is matched by

the resource-route.
match length
Use the command match length to specify the length range of the matched message; otherwise, use the negation of the
match length
min-pkt-length max-pkt-length
no match length
min-pkt-length max-pkt-length
Syntax
Descriptions
min-pkt-length
The minimal packet length
max-pkt-length
The maximal packet length
match metric
Use the command match metric to specify the matched metric value; otherwise, use the negation of the command to
match metric metric-value
no match metric
metric-value
Syntax
Descriptions
Metric-value
The matched metric values.

Multiple ones can be input.
match route-type
Use the command match route-type to specify the matched route type; otherwise, use the negation of the command to
match route-type route-type
no match route-type route-type
Syntax
Descriptions
route-type
The matched route type: external, internal, level-1, level-2,

local or nssa-external
match tag
Use the command match tag to specify the matched tag-value of the route information; otherwise, use the negation of
match tag tag-value
[tag-value]
no match tag
Syntax
Descriptions
Tag-value
The matched tag value.

set as-path
Use the command set as-path to specify an AS number; otherwise, use the negation of the command to cancel the
configuration.
set as-path prepend as-path-number
no set as-path prepend as-path-number
Syntax
Descriptions
as-path-number
The AS number.
set community
Use the command set community to set the BGP community of the source-route in the route-map; otherwise, use the
set communtiy {additive | local-AS | no-advertise | no-export | none}
no set communtiy {additive | local-AS | no-advertise | no-export | none}
Syntax
Descriptions
additive
Add the community to the existing community.
local-AS
Do not send the matched route out of the autonomous

system.
no-advertise
Do not send the matched route to any peer/ any peer group.
no-export
Announce the route with the attribute to the peer/peer group

of the autonomous system except the peer/peer group out of
the autonomous system.
None
Delete the community of the route.
set ip next-hop
Use the command set ip next-hop to change the next hop of the source-route in the route-map; otherwise, use the
set ip next-hop ip-address
no set ip next-hop ip-address
Syntax
Descriptions
ip-address
Set the IP address of the next hop.
set local-preference
Use the command set local-preference to change the local preference of the source-route in the route-map;
otherwise, use the negation of the command to cancel the local preference of the source-route.
set local-preference value
no set local-preference value
Syntax
Descriptions
value
The local preference.
set metric
Use the command set metric to change the metric of the source-route in the route-map; otherwise, use the negation of
set metric metric
no set metric metric
Syntax
Descriptions
metric
Set the metric.
set origin
Use the command set origin to change the origin of the source-route in the route-map; otherwise, use the negation of
set origin {egp | igp | incomplete}
no set origin
Syntax
Descriptions
egp, igp,incomplete
Set the origin.
set automatic-tag
Use the command set automatic-tag to set the automatic-tag area; otherwise, use the negation of the command to
set automatic-tag
no set automatic-tag
set comm-list
Use the command set comm-list to adopt the community list to set the community; otherwise, use the negation of the
set comm-list std-comm-list | ext-comm-list
no set comm-list [ std-comm-list | ext-comm-list ]
Syntax
Descriptions
std-comm-list
The standard-community-list number (1-99).
ext-comm-list
The extended-community-list number(100-199).
set dampening
Use the command set dampening to set BGP route dampening (attenuation) parameter; otherwise, use the negation of
set dampening time
no set dampening [time]
Syntax
Descriptions
time
The time.
set default
Use the command set default to specify the default interface for transmitting packets; otherwise, use the negation of the
set default interface interface-names
no set default interface interface-name
Syntax
Descriptions
interface-name
The interface name.

Multiple interfaces can be supported simultaneously.
set interface
Use the command set interface to set the interface for transmitting packets; otherwise, use the negation of the command
to cancel the configuration.
set interface interface-names
no set interface interface-name
Syntax
Descriptions
Interface-name
The interface name.

Multiple interfaces can be supported simultaneously.
set ip default
Use the command set ip default to specify the next hop IP address to which the packet will be transmitted; otherwise,
use the negation of the command to cancel the configuration.
set ip default next-hop ip-address
no set ip default next-hop ip-address
Syntax
Descriptions
Ip-address
The next hop IP address (in the form of dotted decimal

notation)
set ip df
Use the command set ip df to set the slicing-flag of an IP message; otherwise, use the negation of the command to
set ip df bit-value
no set ip df [ bit-value ]
Syntax
Descriptions
bit-value
The value of the slicing-bit.(0 or 1).
set ip precedence
Use the command set ip precedence to specify the priority level of an IP message; otherwise, use the negation of the
set ip precedence number | critical | flash-override | immediate | internet | network | priority | routine
no set ip precedence [ number | critical | flash-override | immediate | internet | network | priority | routine ]
Syntax
Descriptions
number
Priority level(0-7).
routine
priority
immediate
flash
flash-override
critical
internet
network
set ip qos-group
Use the command set ip qos-group to set the QoS group of an IP packet; otherwise, use the negation of the command to
set ip qos-group qos-group-number
no set ip qos-group [ qos-group-number ]
Syntax
Descriptions
qos-group-number
QOS group-number(0-99).
set ip tos
Use the command set ip tos to set the IP TOS; otherwise, use the negation of the command to cancel the configuration.
set ip tos tos-value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal
no set ip tos [ tos-value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal ]
Syntax
Descriptions
tos-value
The value of TOS field(0-15).
max-reliability
The maximal reliability.
max-throughput
The maximal throughput.
min-delay
The minimal delay.
min-monetary-cost
The minimal costs
set tag
Use the command set tag to configure the tag value of the OSPF route information; otherwise, use the negation of the
command to delete the configuration.
set tag tag-value
no set tag [tag-value]
Syntax
Descriptions
Tag-value
The configured tag-value
set weight
Use the command set weight to set the attribute weight; otherwise, use the negation of the command to cancel the
configuration.
set weight weight-value
no set weight [weight-value]
Syntax
Descriptions
weight-value
The weight value.
show route-map
Use the command show route-map to display the contents of the route-map.
show route-map [ routemap-name ]
Syntax
Descriptions
routemap-name
The name of the route-map whose contents will be

displayed.

7.14.2 An Example of Configuring Route-Map
Please refer to the examples of configuring policy route and BGP route.
Chapter 8
Configuring SNA
IBMs SNA model is very similar to the OSI reference model. The traditional SNA physical entity adopts one of the four
forms: host computer, communication controller, establishment controller and terminal. An establishment controller is always
called a cluster controller and it controls the input/output operation of peripherals (for example, a terminal). The SNA data
link control layer supports multiform media including SDLC and X.25 etc.
z Data Link Switching (DLSw)
z Synchronous data link control protocol (SDLC)
z LLC2
z QLLC
8. 1 Data Link SwitchingDLSw

Data Link Switching (DLSw) describes peer connection establishment betwee routers, locating resources, transmitting data,
flow control and SSP (Switch-to-switch Protocol) for error correction. Data-link peer connection between routers must be
terminated according to RFC 1495, the data-link connection should be acknowledged locally. DLSw terminates transmission
of acknowledgement of the Data Link Layer and keepalive information over WAN by local acknowledgement of the local
data-link connection. Timeout of the Data Link Layer can not occur because of the local acknowledgement of data-link
connection. DLSw routers are to place multiple transmissions of data-link control to the corresponding pipelines of TCP
and send them out reliably over IP networks. If two terminal systems want to establish connection through DLSw, the
following tasks must first be completed:
Establish a peer connection
Exchange capabilities
Establishing circuit
Establishing peer connection
To exchange SNA transmission between two routers, a TCP connection should first be established.
Exchanging capabilities
After a TCP connection is established, the routers will exchange capabilities which include DLSw version number, initial
receiving window size, the value of SAPs, number of sessions supported by TCP etc. It will also transmit MAC address
tables. You can configure MAC address tables to avoid broadcasting. After exchanging capabilities DLSw partner is
ready to establish a SNA circuit.
Establishing circuit
Establishing a circuit by a group of terminal systems comprises a search for destination resources (based on MAC address)
and configurations of data-link connections of the system. An SNA device sends a probe frame (a test frame and/or a XID
frame) with destination MAC address to look for other SNA devices on the LAN. When a DLSw router receives the probe
frame, it will send a canreach frame to each reachable partner. If a DLSw partner can reach the specified MAC address, it
will send an icanreach reply frame.
A circuit is composed of three kinds of connections. The data-link connection and the TCP connection between DLSw
partners are specified by routers and local SNA. The circuit is identified by the circuit ID of the source and the destination
circuit. Each circuit ID is defined the source and destination MAC address, the source and destination LSAPs and a data link
control number. Once the circuit is established information frames can be transmitted.
The main topics discussed in this section are as follows:
o Configuring the commands relevant to DLSw
o Monitoring and examining DLSw
8.1.1 Configuring the Commands Relevant to DLSw
A. Configuring the local parameters of DLSw:
Router(config)#dlsw local-peer ?
Commmand
Description
init-pacing-window
Configures the size of the initial window.
peer-id ip_address <promiscuous>
Sets the IP address of the local router. The parameter

promiscuous is an optional command keyword, which is used
to designate that the local router can accept the DLSw TCP
connection request of the remote-end router without
configuration.
Note:
1.
Having configured the local parameters (for example, ip-address and promiscuous etc.) of the router, if you need to
alter them, you must configure them afresh only after having canceled the latest parameters through the
corresponding no command. At the same time, this no command must be executed before the other parameters of
DLSw are configured, or else other commands will be ignored.
B. Configuring the remote parameters of DLSw:

The indispensable parameters are as follows:
Router(config)#
Command
Description
dlsw remote-peer list-number
dlsw remote-peer list-number tcp

ip_address
The group number of token-ring

The default value of the group number is 0 (It represents that it
can establish a chain with any ring group of the opposite
terminal and can establish the peer relation).
ip-address is the local-peer address of the remote router. The
local router uses the IP address and the local-peer address of
itself to establish a kind of DLSw peer relation between two
routers.
The optional parameters:

Router(config)#dlsw remote-peer list-number tcp ip_address
Command
Description
backup-peer
Designates the remote-end router used as backup.
Cost
Designates the cost from the local router to the remote-end

router specified by ip_address. Its valid value scope is from 1
to 5 and the default value is 3. The larger the value gets, the
higher the cost of reaching the remote-end router is.
This is used for the remote-end router to configure the interval
to keep alive. And the value scope of the interval whose unit is
second is from 1 to 1200, the default value being 30. After the
parameter keepalive has been configured, DLSw will transmit
keepalive messages regularly on the TCP connection where no
data is transmitted.
Keepalive
Lf
This command is used for the local router to inform the remoteend router designated by ip_address about its maximum frame
length measured by byte so as to avoid segmenting the data
frame. The valid size is 516, 1470, 1500, 2052, 4472,
8144,11407, 11454 and 17800 bytes and the default size is 1500
bytes.
This command is used to indicate that the remote-end router is
passive because the local router will not send the DLSw
connection request to the opposite router initiatively, but wait
for the connection request sent by the opposite router.
Passive
Note: router (config)#dlsw remote-peer list-number tcp ip_address backup-peer

ip_address1
1.
Here, the remote-end router designated by ip_address is regarded as the backup entity of the remote router-end
designated by ip_address1, namely that the router designated by ip_address1 is primary peer while the router
designated by ip_address is backup peer. In addition, before configuring backup peer, you must configure
primary peer; while before deleting backup peer, you must delete backup peer. The same primary peer
permits having one backup peer at most.
B. Configuring the DLSw bridge group
The DLSw bridge group command can be used to connect DLSw TCP link to the Ethernet bridge group or interrupt the
connection between them. The command is as follows:
Router (config)#
Command
Description
Dlsw bridge-group group-number
Connects the DLSw link to the Ethernet bridge group.

The parameter group-number is used to designate the
number of the transparent bridge group that will be
connected with DLSw. The valid value ranges between 1
and 63.
Note:
The following command can be used to interrupt the link between the DLSw link and the designated Ethernet LAN
bridge group:
router (config)#no dlsw bridge-group group-number
However, this command can interrupt the SNA link relevant to the bridge group simultaneously.
D. Configuring the prohibition/activation of running DLSw:

Router (config)#
Command
Description
dlsw disable
Dlsw disable can be used to remove/ reconfigure DLSw,

which does not change the configuration; while the
command no dlsw disable can restart DLSw. In the default
situation, DLSw is in the active status. In a peculiar
situation, users may need to use the command dlsw disable
to reconfigure the DLSw protocol module.
E. Configuring the real time capabilities exchange of DLSw:

Router config
Command
Description
Dlsw icanreach saps
Configures the resource reachable for the local router.
Dlsw icannotreach saps
Configures the series of server access points unreachable

for the local router
8.1.2
Debugging and Monitoring
Router #
Command
Show dlsw capabilities local
Description
Displays all the capability information about DLSw
protocol relevant to the local router.
Displaying the result as follows:

DLSw: Capabilities for local peer
vendor id (OUI)
: '17A' (MP)
router is Maipu router)
version number
: 1
1)
release number
: 0
init pacing window
: 20
unsupported saps
num of tcp sessions
: none
: 1
The firm code 17A (the local

DLSw V1.0 (the version number is
The release number is 0
The size of the initial
transmission window connecting with
TCP by DLSw is 20
The TCP session number is 1
Command
Description
show dlsw capabilities <ip-address

ip-address>
Displays the DLSw capability information about the

opposite router. The IP address of the opposite can be
designated.
DLSw: Capabilities for peer 179.255.255.1(2065) The remote peer address is 179.255.255.1
vendor id (OUI)
: '00c'
The firm code is 00C; The remote
router is from Cisco.
version number
:2
Supporting DLSw V2.0 (the version
number is 2)
release number
:0
The release number is 0.
init pacing window
: 20
The size of the initial transmission window
connecting with TCP by DLSw is 20
unsupported saps
: none
num of tcp sessions
:1
The TCP session number is 1.
loop prevent support
: no
icanreach mac-exclusive : no
icanreach netbios-excl. : no
reachable mac addresses : none
priority configured
: no
reachable netbios names : none
version string
:
The version
information corresponding
to the DLSwThe version information of
version
string
:
the DLSw protocol software of Maipu Router
protocol software of Cisco router
Cisco Internetwork Operating System Maipu
Software
InfoExpress Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright
Copyright (c) 1986-1999 by cisco Systems,
Inc. (c) 1999-2010 by Maipu Networks
Compiled Tue 07-Dec-99 02:21 by phanguye
Compiled Mar 14 2002 18:43:56 by Maipuxz
The remote Router
Accepted Message
Peers:
state
pkts_rx
TCP 179.255.255.1
CONNECT
pkts_tx
20156
Sent Message
type
21402
drops
The time establishing connectio
ckts
conf
TCP
0
uptime
1
03:46:30
In the global configuration mode, the above command can be executed to display the DLSw capability information of the
opposite routers connecting with the local router, and the opposite routers can be all the ones or the partial ones designated by
IP addresses. This is shown as follows:
Command
show dlsw peers
Description
Displays all the status of all current DLSw TCP connections
of router.
In the global configuration mode, the above command can be executed to display all the current DLSw TCP connection
status information of the local router and observe the running information of the DLSw protocol. This is showed as follows:
The above information indicates that the current DLSw TCP connection exists as a SNA circuit.
Command
Description
show dlsw circuits <detail>
Displays all the current DLSw TCP connection status of

router; detail indicates displaying it in details.
In the global configuration mode, the above command can be executed to display all the current DLSw TCP connection
status information of the local router and to observe the running information of the DLSw protocol. This is showed as follows
Index
Local vmac address Remote vmac address

connection
(SAP address)
(SAP address)
Index
local addr(lsap)
9510608
2001.2654.5050(04)
Port:serial2
Connection status
remote addr(dsap)
state
2001.2611.0050(04)
CONNECTED
Time establishing
uptime
02:02:34
peer 179.255.255.1(2065)
Flow-Control-Tx CW:20, Permitted:29; Rx CW:20, Granted:28

RIF = --no rif-Bytes:
2788096/2788352
XID-frames:
2/1
Info-frames:
UInfo-frames:
10891/10892
0/0
Total number of circuits connected: 1
From the above status information, we can see that no more than 29 messages are permitted to be sent and no more than 28
messages are permitted to be received through the connection. Through this connection, 2788096 bytes have been sent while
2788352 have bytes received; 10891 information frames and 2 XID frames have been sent while 10892 information frames
and 1 XID frame received after the connection has been constructed. The low-end equipment connects with the interface
serial2 of the local router, and the remote IP address is 179.255.255.1 (the remote TCP port number is 2065).
Command
show dlsw
Description
reachability
Displays the reachable information of DLSw.
In the global configuration mode, the above command can be executed to observe the reachable information of DLSw. This
is showed as follows:
The command mac addr indicates the MAC address of the station being searched; Status indicates the result of the station
search; Loc indicates the station location; Peer/port indicates the entity/port number; rif displays the RIF in the buffer.
Command
Description
debug dlsw
Turns on the information-debugging switch

sending/receiving DLSw.
debug dlsw local-circuit
Turns on the local information-debugging switch of DLSw

circuit event.
Turns on the DLSw event message-debugging switch of the
designated remote end.
debug dlsw peers ip-addres <remote

peer ip address>
8.2 Synchronous Data Link Control (SDLC)

Synchronous Data Link Control (SDLC) was developed by IBM for System Network Architecture (SNA) environments, and
it is the first bit-oriented synchronous protocol among all link-layer protocols. SDLC defines two types of network nodes:
master node and secondary node. The master node controls other workstations (called secondary nodes) and polls the
secondaries in a predetermined order. If a secondary node has data to send, it can transmit them only when it is polled by the
master node. In working procedure, the master node will establish, terminate and manage links.
The main topics in this section are as follows:
o
o
o
o
o
The relevant configuring commands of SDLC

The relevant operations for configuring SDLC on an interface
Examining the debugging information of SDLC
The typical organizing network mode of SNA application
The typical SNA configuration of a Maipu router
8.2.1 The Relevant Configuring Commands of SDLC

Set the serial port protocol as the SDLC encapsulation mode.
Router(config-if-xxx)# encapsulation sdlc
The relevant commands on a serial port is as follows:
Router(config-if-xxx)#sdlc ?
Command
Description
address sdlc_address <xid-passthru |
xid-poll>
This command can be used to designate the physical

address of the equipment connected with the corresponding
interface of router. The router can, through this address,
establish a link layer connection with the lower-end
equipment.
The indispensable command parameters are as follows:
The parameter sdlc-address represents the address
assigned to the low-end physical equipment, and its valid
value is a hexadecimal numeral within the range from 01 to
FE.
The optional command words are as follows:
The command word xid-poll indicates that the type of the
physical equipment designated by sdlc_address is PU2.1;
It needs a given discovery frame to originate the link
connection procedure.
The command word xid-passthru indicates that router does
not process any accepted XID frames in the data
transmission procedure. This configuration is usually

applied to minicomputer whose up-end host computer is of
AS/400 class, while it is rarely applied to the down-end
router.
vmac vmac_address
The parameter vmac_address designates the VMAC

address of a given interface. It is a hexadecimal numeral
character string separated by .. Its format is like
XXXX.XXXX.XXXX, of which X represents any a
hexadecimal numeral within 0-F.
Executes the command to designate a VMAC address for
the current interface. This address is used to identify each
other when all equipment hanged by the interface
establishes communication link with the up-end SNA
equipment.
xid
sdlc_address xid
Executes this command to configure XID values for the

low-end equipment designated by sdlc_address. A XID
value is used for the up-end SNA equipment to identify the
low-end equipment.
The parameter sdlc_address represents the address of the
low-end equipment whose XID value need be designated.
The parameter xid represents the value that need be
designated. Its format is like XXXXXXXX, of which X
represents any a hexadecimal numeral within 0-F.
partner partners_mac_address
sdlc_address
Execute this command to configure MAC address of the

opposite terminal for the low-end equipment belonging to
the SDLC interface.
The parameter partners_mac_addres represents the
opposite terminal MAC address corresponding to the lowend equipment. Its format is the same as that of the VMAC
parameter.
The parameter sdlc_address represents the physical
address of the low-end equipment that needs to be
configured.
dlsw local_sdlc_address
A series of low-end equipment configured on the interface

can be associated with DLSw TCP connection through this
command. Without this association, the corresponding
equipment will not be used.
The parameter local_sdlc_addres designates a series of
low-end equipment addresses, which are separated by
blanks.
delay-response
Delays the response time.
Sets the size of the transmission window.
N2
Sets the retransmission times after timeout.
poll-pause-timer
Sets the polling interval.
sdlc-largest-frame
Configures the length parameter of the maximum

information frame permitted by the low-end equipment.
T1
Sets the waiting time for the latest frame.
Note:
1.
The command sdlc xid sdlc_address xid is useful only when the type of the low-end equipment is PU2.0. In the
situation that the command words xid-passthru and xid-poll have be configured in the command sdlc address,
configuring XID value will not take effect. In addition, before XID value is configured, the physical address of the
corresponding low-end equipment must first be configured, or else the corresponding XID value can not be
configured. When configuring XID value, users must ensure it is consistent with the configuration of the up-end
equipment, or else the SNA connection can not be established.
2.
When configuring the command sdlc partner partners_mac_address sdlc_address, users must configure the
physical address of the low-end equipment. At the same time users must ensure the opposite terminal MAC
address configured on the local router is consistent with the up-end VMAC address.
3.
Specify that the data encode mode on the interface is NRZI (the default mode is NRZ)
router(config-if-serial1)#nrzi-encoding
8.2.2 Configuring the Relevant Operations of SDLC on an Interface
The SDLC address of the equipment (PU) connected with the interface is c2, the up-end host computer is a minicomputer of
AS400 type. The virtual MAC address of the local interface serial1 is 4020.2654.0a00. The XID value of the connected
equipment is c2 0a238e33, the opposite terminal MAC address is 5600.7507.34c2, and the SDLC address is c2. The
following are designated: the size of the transmission window, whose data-coding mode on the interface is NRZI, is 5; the
polling interval is 20 seconds, and the local station should be polled 5 times before the next polling; the latest frame should
be held for 2 seconds.
Command
Description
router(config-if-serial1)#
encapsulation sdlc
router(config-if-serial1)#sdlc vmac
4020.2654.0a00
router(config-if-serial1)#sdlc address
c2 xid-passthru
router(config-if-serial1)#sdlc xid c2
0a238e33
router(config-if-serial1)#sdlc partner
5600.7507.34c2 c2
router(config-if-serial1)#nrziencoding
router(config-if-serial1)#sdlc k 5
Encapsulating SDLC
router(config-if-serial1)#sdlc pollpause-time 20
router(config-if-serial1)#sdlc n2 5
router(config-if-serial1)#sdlc t1 2
router(config-if-serial1)#sdlc dlsw c2
The virtual MAC address of the interface

The SDLC address up-end host of the equipment (PU),
which is connected with the interface, is of AS400 type.
The connected equipment XID
The MAC address and SDLC address of the port
Designates that the data coding mode of the interface is
NRZI.
The transmission window size is 5.
The poll interval is 20 seconds.
The local station is polled 5 times before the polling.
Sets waiting time as 2 seconds for the latest frame.
The local equipment address running on the SDLC link
8.2.3 The Debugging Information of SDLC

Command
Description
show int s1
Displays the interface information to observe the SDLC

working status.
router link station role: PRIMARY (DCE)
slow-poll 10 seconds
poll-pause-timer 500 milliseconds
k (windowsize) 7
modulo 8
sdlc vmac: 2001.2654.00-sdlc addr 20 state is CONNECTED
cls_state is IDLE
VS 0, VA 0, Remote VR 0, Current retransmit count 0
Hold queue: 0/1
IFRAMEs 5/7
TESTs 1/1
XIDs 1/2
RNRs 0/0
SNRMs 0/--
DMs 0/0
FRMRs 0/0
DISCs/RDs 0/0
REJs 0/0
UAs --/0
intf[][]:
32
00
00
00
00
00
00
00
Current serial1 index is: 0

12 packets input, 2314bytes
0 input errors, 0 CRC, 0 overrun, 0 noOctet, 0 abort, 0 lenErr
3 packets output, 3121 bytes, 0 underruns
DCD=up
DSR=up
DTR=up
RTS=up
CTS=up
TxC=up

Flags: (0xf1) UP POINT-TO-POINT RUNNING
Type: SDLC
Metric is 0
From the above information you can see that the terminal equipment hanged by router has connected with the mainframe, and
can transmit data.
The debugging command of DEBUG:
Command
Description
debug sdlc packets

debug sdlc
Turns on the debugging-switch sending/receiving the

SDLC frame.
8.2.4 Typical Network Construction Mode of SNA Application

A. Connect the ATM with the customer FEP directly through synchronous/asynchronous serial port. The network structure is
showed in the following figure:
ATM
S1
S0
SDLC
S0/0
WAN
S2
IBM mainframe
Maipu
Maipu Router
Router
CISCO Router
The frontmounted computer
Figure 8-1 The Typical Network Construction Mode1 of an SNA Application

Note: A Cisco router and a Maipu router can communicate through the serial interface by means of some link protocols,
such as PPP, HDLC, FR and X.25, or can communicate directly through the local Ethernet.
B. The synchronous/asynchronous serial port connects with ATM and the customer FEP through PSD, or connects with
IBM mainframe through Cisco router. It can be shown as follows:
PSD
S1
SDLC
IP
Network
IBM
mainframe
S2
ATM
Frontmounted computer
Figure 8-2 the SNA typical network construction mode2
8.2.5 The typical SNA configuration of Maipu Router
An example
S0/0: 19.1.1.1
S0: 19.1.1.2
S1
WAN
SDLC
IBM
Mainframe
S3
S2
ATM
Frontmounted
computer
Figure 8-3 the typical SNA configuration (A)

Illustration:
ATM and the customer FEP connect directly with the serial port of the Maipu router, and the Maipu router connects with the
Cisco router through PPP protocol running on the serial port.
The following tasks are finished mainly in the whole procedure:
A. Configure the relevant commands of DLSw in the global configuration mode.
B. Configure PPP protocol for the interface S0 to connect with the up-end router.
C. Configure the ATM machine with a SDLC address C1 for the interface S1
D. Configure the ATM machine with a SDLC address C2 for the interface S2
E. Configure the customer premise machine whose type is PU2.2 and whose address is C3 for the interface S3.
Configuring the relevant commands of DLSw in the global configuration mode:

Command
Task
router(config)#dlsw local-peer peer-id 199.1.1.2
The DLSw local-end address
router(config)#dlsw remote-peer 0 tcp 199.1.1.1
The DLSw remote-end address
Configuring PPP protocol for the interface S0 to connect with the up-end router:
Command
Task
router(config-if-serial0)#encap ppp
router(config-if-serial0)#ip address 199.1.1.2 255.255.255.0
Specifies that the DLSw local-end

address is the address of interface
S0.
Configures the ATM with a SDLC address C1 for the interface S1:
Command
Task
router(config-if-serial1)#encap sdlc
Encapsulating SDLC
router(config-if-serial1)#sdlc vmac 1111.1111.1100
The interface VMAC

address
The SDLC address of the
connected equipment
The XID of the
connected equipment
The VMAC address of
the opposite terminal
The address of the local
equipment
router(config-if-serial1)#sdlc address c1
router(config-if-serial1)#sdlc xid c1 05df0301
router(config-if-serial1)#sdlc partner 1111.2222.33c1 c1
Configures the ATM with a SDLC address C2 for the interface S2:
Command
router(config-if-serial2)#sdlc partner 1111.2222.3320 c2
Configures the customer premise machine whose type is PU2.1 and whose address is C3 for the interface S3:
Command
Task
router(config-if-serial3)#sdlc address c3 xid-poll
The PU2.1 type of

customer FPE that is a
low-end equipment of the
SDLC interface.
router(config-if-serial3)#sdlc partner 1111.2222.3323 c3

Note:
1.
For the low-end equipment of the SDLC interface, the two kinds of configurations,
PU2.1 and PU2.0, are
different because they are obviously different in the initial phase of establishing link.
The way for PU2.1 to resolve the problem that the mainframe circuit whose up-end is token-ring can not be established:
Configure sdlc address <sdlc_address> xid-poll echo in the interface configuration mode.
2. For the APPN modes, in the interface configuration mode, it usually needs to be
configured:
sdlc sdlc-largest <sdlc_address> 265or 521: maximum information frame length)
Example B:
S0:19.1.1.2
S0/0:19.1.1.1
WAN
S1
IBM mainframe
PSD
SDLC
ATM
ATM Frontmounted computer
Figure 8-4 the typical SNA configuration (B)

Illustration:
1. A Maipu router connects with various lower-end equipment on a serial interface through PSD and connects
upwards with the upper-end Cisco router through a WAN.
2.
The following tasks are completed mainly in the whole procedure:
A. Configure the relevant commands of DLSw in the global configuration mode.
B. Configure the interface S0 to connect with the upper-end router through the PPP protocol.
C. Configure the interface S1 to connect with two ATM machines whose addresses are C1 and C2 respectively,
and to connect with a customer premise machine whose type is PU2.1 and whose address is C3.
Configure the relevant commands of DLSw in the Global configuration mode:
Command
Configure the interface S0 to connect with the up-end router via PPP protocol.
Command
Configure the interface S1 to connect with two ATM machines whose addresses are C1 and C2 respectively, and to connect
with a customer premise machine whose type is PU2.1 and whose address is C3.
Command
router(config-if-serial1)#sdlc address c3 xid-poll
router(config-if-serial1)#sdlc dlsw c1 c2 c3
The above configuration indicates: the lower-end equipment of different types can connect with a same serial port through
PSD. At the same time, when PSD is used, the circuit clock is usually provided by PSD, and the router interface works in the
external clock mode.
Note:
The noticeable points in the SNA application are:
1. Whether the Maipu router and the Cisco router are consistent in the DLSw and
SDLC
2. Whether the status of the interface connecting with ATM, a customer FPE or PSD is up (through the command
show int <the interface name>).
3. According to the requisition, decide whether a static route should be configured on a Maipu router.
4. According to the requisition, decide whether DLSw remote-peer configuration should be added to the Cisco
router;
5. Examine whether the IP address designated by Cisco local-peer can be reached through the Maipu router (By the
command Ping).
6. Examine whether the XID frame needs to be configured.
7. Whether some peculiar options should be configured.
8. Examine whether the cable connects normally, and whether the physical signal is enough.
8. 3 LLC2
The router connects to the bridge group in LAN through the local Ethernet interface. The bridge group is related with the
DLSw TCP connection, and the local LAN interface runs LLC2 protocol.
8.3.1 LLC2 Configuration Commands
z
dlsw bridge-group
Use the command dlsw bridge-group to relate the DLSw TCP connection with the Ethernet bridge group in the global
configuration mode.
dlsw bridge-group group-number
Syntax
Descriptions
group-number
The bridge-group number that will be related with the DLSw TCP connection.
its value range is from 1 to 10.

z
bridge group
Use the command bridge group to connect the local Ethernet interface to the bridge group in the local LAN.
bridge group group-number
Syntax
Descriptions
group-number
The bridge-group number configured for the Ethernet interface.

It must be consistent with group-number of the command dlsw bridge-group.

8.3.2 Protocol Filtering
When there is too much data in the LAN and LLC2 is bridged through Bridge, SAP access list can be configured on Bridge
and nothing but SNA data is allowed to be bridged so that it can be avoided that the data broadcasted in the local LAN is
bridged to LLC2 and transmitted to the upper-end router through DLSw. That is to say that the upper-end network congestion
can be avoided.
z
access-list
Use the command access-list to configure LSAP access list.

access-list list-number permit/deny lsap-addr [lsap-wildcard]
Syntax
Descriptions
list-number

permit/deny
Permit/Deny access.
lsap-addr
The permitted/denied <dsap,ssap>.
lsap-wildcard
The wildcard

z
bridge-group group-number
input-lsap-list <list-number>
Use the command bridge-group group-number input-lsap-list <list-number> to filter the SAP frames received by
the bridge group.
z
output-lsap-list <list-number>
Use the command bridge-group group-number output-lsap-list <list-number> to filter the SAP frames sent by the
bridge group.
z
input-type-list <list-number>
Use the command bridge-group group-number input-type-list <list-number> to filter the Ethernet frames received by
the bridge group.
z
output-type-list <list-number>
Use the command bridge-group group-number output-type-list <list-number> to filter the Ethernet frames sent by the
bridge group.
Note:
Generally, The SAP list is configured as follows:
access-list 4001 permit 0x0404 0x0000 or
access-list 4001 permit 0x0d0d 0x0000
Thereby, lsap(0x040x04)SNA needs is permitted to pass and other types of packets can be filtered out.
8.3.3 An example of typical LLC2 configuration
Server
Figure 22-1
Illustration:
Maipu router connects to the bridge group in LAN through the local Ethernet interface. And the bridge group is related
with the DLSw TCP connection.
A) Configure the related DLSw commands in the global configuration mode.
Syntax
Descriptions
dlsw local-peer peer-id 19.1.1.2
The DLSW address of the local end.
dlsw remote-peer 0 tcp 19.1.1.1
The DLSW address of the remote end.
dlsw bridge-group 1
The DLSw bridge-group number in the local LAN.
B) The interface S0/0 adopt the PPP protocol to connect to the upper-end router.
Syntax
Descriptions
encap ppp
ip address 19.1.1.2 255.255.255.0
Specify an IP address for the interface S0/0.
C) The interface F0 connects to the bridge-group in the local LAN.

Syntax
Descriptions
bridge-group 1
The bridge-group number.
D) Filter the SAP frames received by the bridge-group.

Syntax
Descriptions
access-list 4001 permit 0x0404 0x0000
The SNA packets are permitted to pass.
bridge-group 1 input-lsap-list 4001
The SNA packets received by the bridge-group from the station

are permitted to pass.
Note:
To relate the DLSw TCP connection with the bridge-group in the local LAN, configure the bridge-group number of DLSw in
the global configuration mode, and the same bridge-group number should simultaneously be configured on the Ethernet
interface so that the Ethernet bridge-group can be related with the DLSw bridge-group.
8.4 QLLC
Qualified Link Layer Control (QLLC) is a data link protocol defined by IBM and which allows SNA data to be transmitted in
the X.25 network. In the traditional SNA network, any equipment using the X.25 protocol on the SNA communication
channel, no matter which on terminal or intermediate system it resides in, needs to make use of the QLLC protocol.
The QLLC transform feature avoids the requisition for the local IBM equipment to install X.25 software. And QLLC only
demands that the low-end equipment can provide X.25 interface to connect with the lower-end equipment in the remote-end
X.25 network with the IBM mainframe through the router with QLLC transform feature. The router connects with the upperend equipment through DLSw TCP, so the intermediate equipment does not need the X.25 interface and the relevant
software.
o QLLC configuring commands
o Typical QLLC configuration
o QLLC debugging and monitoring
8.4.1 QLLC Configuring Commands
To run the QLLC protocol, you need a serial link interface configured using X.25 communication, and needs to configure the
opposite router as SRB or RSRB. For Maipu router to run QLLC protocols transform, some detailed configuring commands
are as follows:
A. PVC mode
Router(config-if-xxx)#
Command
Description
encapsulation x25
Executes the command to transform the

interface link layer protocol into X.25
protocol.
Maybe the relevant parameters of the X.25
protocol and the LAPB protocol need be
also configured.
x.25 pvc pvc qllc vmac_address
Associates the VC of the X.25 interface with

the QLLC protocol.
Pvc is used to designate the PVC number
and the valid range is from 1 to 4095 (But it
must be less than the value of ltc).
Vmac_address specifies the VMAC ID of
the corresponding low-end equipment.
Qllc dlsw pvc pvc partner partner_address
Associates the QLLC protocol with DLSw

TCP.
Pvc is used to designate the PVC number,
which must correspond with the PVC
number designated by the preceding
command.
Partner_address designates the VMAC ID
of the opposite equipment associated with
the corresponding low-end equipment.
B. SVC Mode
Router(config-if-xxx)#
Command
Description
encapsulation x25
Executes the command to transform the

interface link layer protocol into X.25
protocol.
Maybe the relevant parameters of the X.25
protocol and the LAPB protocol also need to
be configured.
x25 map qllc virtual-mac-addr x121-addr
Designates that X.25 SVC is adopted for the

router to communicate with the PU
equipment of the remote X.25 protocol.
virtual-mac-addr represents the virtual
MAC address, namely, the VMAC address
of the remote X.25 terminal connected by
router.
X121-addr represents the X.121 address of
the remote X.25 equipment connected with
this virtual MAC address.
Qllc dlsw vmacaddr virtual-mac-addr partner macaddr
Associates the QLLC protocol with DLSw

TCP.
virtual-mac-addr represents virtual MAC
address, namely, the VMAC address of the
remote X.25 terminal connected by the
router.
Mac-addr represents the address of the
upper-end mainframe designated to
communicate with the remote X.25
equipment.
If all addresses of the mainframes
corresponding to all the X.25 equipment
connected by this interface are mac-addr,
the command can be simplified as this one.
Qllc dlsw partner mac-addr
C. The commands in the global configuration mode

Router(config)#
Command
Description
Dlsw qllc local-window <10-100>
Set the local X.25 window size to control

the traffic between DLSw and X.25.
When the speed of the X.25 interface is
slow, the window size can properly be taken
in and DLSw is notified to reduce the data
transmission speed so as to avoid the
overflow of the data-sending queue. The
default value is 50.
8.4.2 Typical QLLC Configuration
035287(5
6HU YHU
333
V
)
6e
|
;
:RU NVW DW L RQ
Figure 8-6 the typical QLLC configuration scheme

Illustration:
Here the Maipu router connects with a X.25 network through a serial port, runs QLLC protocol, connects with the low-end
SNA equipment, and associates the DLSw TCP with the QLLC protocol.
The configuration of the down-end Maipu router is as follows:
Configuring the relevant commands of DLSw in the global configuration mode:
Command
Task
Configures DLSw.
The interface S0 connects with the upper-end router through PPP protocol:
Command
Task
Configures the PPP

protocol for the interface
to connect with the up-end
router.
The interface S1 connects with X.25 network, runs QLLC protocol, and connects with the low-end SNA equipment:
Command
Task
router(config-if-serial1)#encap x25
Encapsulates the X.25

protocol.
Configures it as the DCE
mode.
router(config-if-serial1)#x25 dce
router(config-if-serial1)#x25 ltc 10
router(config-if-serial1)#x25 pvc 1 qllc 1111.2222.3344
router(config-if-serial1)#qllc dlsw pvc 1 partner 2233.4455.6677
Associates VC of the X.25

interface with the QLLC
protocol;
1111.2222.3344 is the
VMAC address of the
low-end equipment.
Associates the QLLC
protocol with the DLSw
TCP connection.
router(config-if-serial1)#end
The QLLC protocol associates the low-end equipment with X.25 VC, and exclusively determines a low-end equipment
through the corresponding VMAC address and the partner address.
8.4.3 QLLC Debugging/Monitoring
Command
show qllc <interface>
Description
Employment of this command can examine
the current QLLC connection status
intuitively.
router#sh qllc int s1

Interface serial1
SVC
Circuit state CONNECTED, 1000.1000.1040 (04) -> 2000.2000.0040 (04)
The above information displays the current QLLC connection status.

Command
Description
Show qllc partner
Displays the relevant information of the qllc

partner configuration
Show qllc connection
Displays the QLLC connection information.
The command DEBUG:

Command
Description
debug qllc
Displays the relevant information when QLLC

establishes a connection or interrupts a
connection.
8.5 Mutildrop
Multi-VMAC-address can be configured for the local SDLC protocol not to relate to the SDLC address. The
configuration method is based on the original SDLC configuration, support the configuration multi-VMAC-address.
z
sdlc vmac
Use the command sdlc vmac to specify a VMAC address of the interface or specify a MAC address of the physical
equipment connected with the interface.
sdlc vmac mac-address sdlc-address
Syntax
Descriptions
mac-address
A MAC address of the interface/ a MAC address of the physical equipment

connected with the interface. Its format is XXXX.XXXX.XXXX, and X
represents any hexadecimal number (0-F). The MAC address instead of the
address whose last two bits are replaced with SDLC need be configured when
partner is configured on the opposite router.
sdlc-address
The parameter supports the different MAC addresses configured for the
different physical equipments on the same SDLC interface. The valid range of
the SDLC address is from 01 to FE (hexadecimal) .
The MAC address of each equipment connected with the interface is the MAC
address of the physical equipments specified by sdlc-address.
8.6 Time-based Filtering

On the router, the local MAC address based on DLSw Circuit can be used to realize time control.
1) Command: dlsw mac-address <HHHH.HHHH.HHHH> time-range <NAME>
of which: HHHH.HHHH.HHHH means the DLSw local address.
NAME: the name of time-range
Show dlsw time-rangeDisplay the status of DLSw time-range
2) After the command above is configured and no corresponding time-range is configured, the default is Deny.
3) In the factual environment, the command above often cooperates with the SNTP protocol so as to acquire the time
of the NTP server.
Mprouter is configured as follows: sntp server <ip-address>
The IP address is the address of the NTP server.
8.7 Typical SNA Network Construction Modes
1) Connect to ATM and the front end processor directly through the synchronous/asynchronous serial-interface:
6
6
6'/&
, %0
0DL QI U DPH
:$1
&, 6&2
5RXW HU
6
03
5RXW HU
6
$70
)U RQW (QG
3U RFHVVRU
Figure 22-3
Note:
The communication between the Cisco router and Maipu router can be realized by means of two modes: the serial
interface runs the link protocol (for example PPP, HDLC, FR or X.25) or the local Ethernet is adopted.
2) The synchronous/asynchronous serial-interface connects with ATM and the front end processor through PSD and
connects to the IBM mainframe through Cisco router.
IP network
IBM mainframe
MP router
Cisco router
Front end
processor
Figure 22-4
8.8 Typical SNA configuration of Maipu Router

8.8.1 Typical Configuration 1
WAN
IBM mainframe
MP router
Cisco router
Front
end
Figure 22-5
Illustration:
ATM and front end processor connect to the serial interface of Maipu router directly, and Maipu router connects to Cisco
router by means of running the PPP protocol on the serial interface.
1) The DLSw configuration commands in the global configuration mode are listed as follows:
Syntax
Descriptions
DLSW local-peer address.
DLSW remote-peer address.
2) The PPP is configured for the interface S0/0 to connect to the upper-end router:
Syntax
Descriptions
encap ppp
ip address 19.1.1.2 255.255.255.0
Specify an IP address for the interface S0/0.
3) Configure the ATM (the SDLC address is C1) on the interface S1/0:
Syntax
Descriptions
encap sdlc
Encapsulate SDLC.
sdlc vmac 1111.1111.1100
The interface vmac address
sdlc address c1
The SDLC address of the connected equipment
sdlc xid c1 05df0301
The xid of the connected equipment.
sdlc partner 1111.2222.33c1 c1
The vmac address of the opposite end.
sdlc dlsw c1
Relate SDLC to DLSW.
clock rate 9600
Clock rate.
4) Configure the ATM (the SDLC address is C2) on the interface S2/0:
Syntax
Descriptions
encap sdlc
Encapsulate SDLC.
sdlc vmac 2222.2222.2200
sdlc address c2
sdlc dlsw c2
clock rate 9600
Clock rate
5) Configure the ATM (the SDLC address is C3 and the type is PU2.1) on the interface S3/0:
Syntax
Descriptions
encap sdlc
Encapsulate SDLC.
sdlc vmac 3333.3333.3300
sdlc address c3 xid-poll
The downstream equipment of the SDLC interface is the

PU2.1 front end processor.
sdlc dlsw c3
clock rate 9600
Clock rate
Note:
For the downstream equipment of the SDLC interface, there exists some difference between PU2.1 and PU2.0.
8.8.2 Typical Configuration 2

MP router
WAN
IBM
mainframe
Cisco Router
MP router
Front end
processor
Figure 22-6
Illustration:
By means of PSD, one serial interface of Maipu router connects with multiple downstream equipments, and connects to
the upper-end Cisco router through WAN.
1) The DLSw configuration commands in the global configuration mode are listed as follows:
Syntax
Descriptions
DLSW local-peer address.
DLSW remote-peer address.
2) The configuration interface S0/0 connects to the upper-end router by means of PPP protocol.
Syntax
Descriptions
encap ppp
ip address 19.1.1.2 255.255.255.0
Specify an IP address for the interface s0/0.
3) The configuration interface S1/0 connects with two ATMs (whose SDLC addresses are respectively C1 and C2) and
the front end processor (the address: C3, type: PU2.1) through PSD.
Syntax
Descriptions
encap sdlc
Encapsulate SDLC.
sdlc vmac 1111.1111.1100
sdlc address c1
sdlc address c2

sdlc dlsw c1 c2 c3
4) If multigrain is enabled on the same interface, multiple VMAC addresses can be adopted.
Syntax
Descriptions
encap sdlc
Encapsulate SDLC.
sdlc address c1
sdlc vmac 1111.1111.1111
c1
The interface vmac address(the sdlc partner address of the

opposite router is 1111.1111.1111).
There exists no relation between the interface address and sdlc c1
address.
sdlc address c2
sdlc vmac 2222.2222.2222
c2
The interface vmac address(the sdlc partner address of the

opposite router is 2222.2222.2222)
There exists no relation between the interface address and sdlc c2
address.

sdlc vmac 3333.3333.3333 c3
sdlc dlsw c1 c2
clock rate 9600
Clock rate
The configuration above indicates that: different types of downstream equipments can connect to one serial interface through
PSD. At the same time, when PSD is adopted, the line clock is provided by PSD, and the interface of the router operates in
the external clock mode.
Note:
The following points should be noticed in the SNA applications:
1) Whether Maipu router and Cisco router are consistent on DLSw/SDLC configuration.
2) The status of the interface connecting with ATM, front end processor or PSD is UP.(by means of the command show
int <interface name>)
3) Determine whether the static route is configured on Maipu router according to the factual requirements.
4) Determine whether the configuration of DLSw remote-peer is added on Cisco router according to the factual
requirements.
5) Check whether the IP address specified by Cisco local-peer can be reachable through Maipu router( by means of
Ping)
6) Check whether the XID frame need be configured.
7) Check whether some special options need be configured.
8) Check whether cables are in order and physical signals are adequate.
Chapter 9
IP Telephone Configuration
IP telephone configuration generally refers to the system that processes voice communication on an IP network. An IP
telephone system has been integrated into Maipus MP series routers. Users can use the IP telephone module provided by the
router to process voice communication. Presently, Maipu routers support the H.323 protocol family, the mainstream protocol
of the IP telephone system. H.323 protocol family includes H.225-Call Control Protocol, H.245-Multimedia Control
Protocol, and RTP/RTCP --Realtime Transmission Protocol/Realtime Transmission Control Protocol.
This chapter describes how to configure the Maipu voice card, including how the FXS card accesses the PSTN/PBX through
the FXO card, how the FXS cards intercommunicate between them, how to configure a Maipu router as the H.323 voice
gateway, and some optional extended configurations.
Configuring the voice card interface
Configuring voip
Configuring the Maipu router as the H.323 voice gateway
The Debugging Switch of IP telephone
9.1 Configure Voice Card Interface

Maipus MP router series supports two kinds of voice cards:
FXS Foreign eXchange Station interface card
is used to connect general telephone or the exterior line of a mini PBX.
FXO Foreign eXchange Office interface card
is used to connect a PSTN telephone line or the interior line of a mini PBX.
The main topics discussed in this section are as follows:
Relevant commands
A simple configuration example
9.1.1 Relevant Commands

The command to enter the voice port in the global configuration mode is:
Routerconfigvoice-port
Command
<STRING>
Description
This is the voice card interface.
Note:
1.
If there is an IP telephone module of an old version router, the voice card interface is a single number, for example,
0, 1 etc.
2.
If there is an IP telephone module of new version router, the voice card interface is the format of x/y, of which x is
the WAN port number while y is the voice port number. For example, inserting the module in the WAN port s3 and using
channel 1, then the voice port number is 3/1.
3.
The number of a concrete interfaces can be examined through the command show run.
After entering the voice port:

Routerconfigvoice-port 0/0
Routerconfig-voice-port#
Command
Description
Codec <g723 / g729 / g711a>
[no] shutdown
This command is used to configure voice-coding type. There are

G.723, G.729 and G.711a, to be selected, which correspond to
different codings and compression algorithms. The typical ones
are G.729 and G.723. If a kind of voice coding is selected, the
router will negotiate voice coding first.
This number is the volume coefficient within the range 0-63.
The larger the coefficient, the higher the volume.
It is used only in the FXO card; string represents a telephone
number. After the configuration is finished, once a ringing is
detected on the FXO port, the telephone number is used as the
called number and a call is directly originated to the remote
terminal.
Configures opening/shutting down the voice port.
Jbuf
Sets voice dynamic jitter buffer
Volume
<Number>
connection-plar
<STRING>
<0_16>
9.1.2
A Simple Example of Configuration
Configuring the FXS card (supposing that a new version router is being used)
Command
Task
Router(config)#voice-port 0/0
Configures the voice port 0/0.
Router(config-voice-port)#volume 28
Configures the volume coefficient as 28.
Router(config-voice-port)#codec g729
Configures the voice coding type as g729
Router(config-voice-port)#no shutdown
Opens the voice port.
Note:
1. The default configuration of voice port is shutdown.
9. 2 Configuring VoIP
In the VoIP (Voice over IP) configuration, there is a conception dial-peer that is used to distinguish different types of session
segments. There are two kinds of dial-peers:
POTS A traditional telephone network peer, such as commonly used telephone interfaces,
PSTN telephone line interface (Z interface), etc.
VoIP IP network peers (passing through the IP network, corresponding with the remote
telephone segment.)
The main topics addressed in this section are:
Relevant commands
Usage of the basic commands
Usage of the extended configuration
A configuration example
Seeing the two kinds of dial-peers at the caller:
$QVZHU
&DO O HU

,3
1HW ZRU N

3671
6RXU FH
U RXW HU
'L DO SHHU 3276
7KH FRU U HVSRQGL QJ W HO HSKRQH RI
W KH W HU PL QDO
'HVW L QDW L RQ
'L DO SHHU 9R, 3 U RXW HU
7KH W HU PL QDO SDVVL QJ W KU RXJK , 3 QHW ZRU N
Figure 9-1 Dial peers seen from the perspective of the calling party
Seeing the two kinds of dial-peers at the answer:
5HFHL YHU
&DO O HU

6RXU FH
U RXW HU
9R, 3 'L DO SHHU
,3
1HW ZRU N

3671
'HVW L QDW L RQ
U RXW HU
3276 'L DO SHHU
Figure 9-2 Dial peers seen from the perspective of the called party
9.2.1 Relevant Commands

Router#conf t
Router(config)#
Command
Description
dial-peer <1_255> <pots/voip>
Configuring the pots end:

Router(config)#dial-peer 1 pots
Router(config-dial-peer)#
Command
destination-pattern
<STRING>
port <STRING>
Configures the dialing map; 1-255 is the number of the session

segment number; make configurations to the pots end or the
voip end.
Description
Configures E.164 telephone number.
Configures the voice port corresponding to the pots end.
Configuring of the voip end:

Router(config)#dial-peer 1 voip
Router(config-dial-peer)#
Command
destination-pattern
Description
<STRING>
Configures E.164 telephone number.
session-target
<STRING>
Configures IP address of the VoIP end.
dt
Configures the abbreviated dialing string or the extended dialing

string.
9.2.2 The Usage of the Basic Commands

Router(config)#
Command
Enters the local number configuration mode.
Dialpeer 1 pots
destination-pattern
Port
111
Configures the local number as 111.
0/0
Configures the number 111 to be corresponding with the voice

port 0/0.
Router(config)#
Command
Description
Configures the opposite H.323 gateway/terminal.
Dialpeer 1 voip
destination-pattern
Description
111
Configures the number of the opposite terminal as 111 (the

number to be called).
9.2.3 The Usage of the Extended Configuration

The explanations above describe the basic configuration of dialing an IP telephone, and the basic configuration used to
achieve the voice communication on the IP network. For further understanding, below we provide some optional
configurations. For example:
A.
Abbreviated number dialing/extended number dialing
Abbreviated number dialing

Extension dialing allows users to really dial a longer number. For example, user dials 111, he can dial on 5148111.
Extended number dialing

It can satisfy the requisition that the numbers the mini switch prescribes are comparatively short and users get
accustomed to dialing a certain format of number. For example, when users want to dial 5148222, they can simply dial
the extension 222. In this way, users will not notice the existence of the inner switch, instead, they will feel as though
they are connecting directly with the PSTN network.
Example:

,3
QHW ZRU N
5RXW HU
5RXW HU
Router2 uses the abbreviated number dialing:
Command

Description
Router(config)#dialpeer 1 voip
Router(config)#destination-pattern 1
Configures the number to be dialed as 1.

Router(config)#session-target 1.1.1.1
Configures the IP address of opposite terminal.
Router(config)#dt 111
Configures the number corresponding with the dialing1 as 1.
Note:
Router1 uses the extended number dialing:
Command
Description
Router(config)#dialpeer 1 voip
Router(config)#destination-pattern 5148222
Configures the number to be dialed as 5148222.
Router(config)#session-target 2.2.2.2
Configures the IP address of opposite terminal.
Router(config)#dt 222
Configures the number corresponding with the dialing

5148222 as 222.
Note:
1.
When a user dials the number 5148222, in fact he dials the telephone 222.
2.
When a user dials the number after destination-pattern, in fact they are dialing the number after dt.
B. Dial-up terminator
When dialing, users can select whether they need to have the dialing terminator # or *. If needed, they must dial an #
or * key to indicate the end of the dialing, otherwise, the router recognizes the dialing terminator automatically. If users do
not use the wildcard ., there will be little difference to have a dialing terminator or not. When the wildcard is used, the
advantage with a dialing terminator is that the configuration will be simple for users, at that time, to dial an uncertain length
number. Without the dialing terminator, when dialing, users will feel as if they are dialing from a common telephone;
however, when the lengths of the numbers to be dialed are different, the configuration will be much longer, and it will add
some matching terms to match the number with different lengths.
Router(config)#
Command
dialplan terminator <#/*/CR>
dialplan terminator time <1_10>
< Description >
C.
Description
Chooses/configures # or * as having the dialing
terminat
The dialup timeout. Its value range is from 1s to 10s.
Secondary dialing
Secondary dialing and direct extension dialing:

Secondary dialing is the dialing mode that occurs on the general telephone network, after a common telephone dials on the
FX0 port (can be regarded as the telephone exchange), it dials another extension. This mode is similar to that of a common
telephone PBX.
The other mode, apart from second dialing mode, is the direct extension mode, namely that after a general telephone in
common telephone network dials to the FX0 port, it need not dial the extension number further, instead, it directly dials on
some extension number according to the configuration.
Features of the secondary dialing:
After the telephone exchange is connected successfully, dialing any additional extension that can be connected can be dialed
according to the record prompt (if there is record).
The secondary dialing record:
The unique recording function of the Maipu IP telephone provides the recording time of 15 seconds. When the telephone
exchange is connected successfully and you hear the prompt tone di, please input *123*# (if the configuration is not being
used, you need not dial the last key #). If there is the dialing terminator, please configures it as ending with a #, then you
can begin to record when hearing a prompt tone, and press any key to terminate recording after finishing. So, when the
telephone exchange is dialed up successfully next time, you can hear the recorded sound. During the course of hearing the
sound, you can interrupt it at any time to dial the needed extension number.

,3
1HW ZRU N

3671
5RXW HU
5RXW HU

Illustration:
1.
Secondary dial: When the telephone 5148333 of the exterior PSTN network dials on 5148222, the prompt tone
can be heard, and then you dial 111or 111# further, namely, dial the extension 111.
2.
Direct extension dialing: the following commands need be added to the router2:
Command
Task
connection-plar 111
Configures 5148222. Once the connection is ok, then the call

with the number 111 will be sent automatically to the remote
terminal
Note:
1.
The default configuration of a Maipu IP telephone is the secondary dialing mode.
2.
Only the FXO (connecting with the switch card exteriorly) has the option of choosing the
secondary dialing (mode) or the direct connection extension.
9.2.4 Configuration Example

,3
1HW ZRU N
5RXW HU

5RXW HU
Illustration:
1.
In the above configuration, both Router 1 and Router 2 each contain built-in FXS modules.
Supposing they are the new version of routers and two IP telephone modules are inserted
into the interface S2 respectively and the channel 0 is employed.
2.
This example is about the interconnection between the two FXS modules, when they are
configured, the following tasks should be completed:
A.
B.
Configuring the pots end and the voip end

Configuring the voice interface

First configure the parameters of router1:
Command
Router#con t
Task
Router(config-dial-peer)#destination-pattern 111
Router(config-dial-peer)#port 2/0
Enters the local number configuration

mode.
Configures the number 111 to
correspond with the channel 2/0.
Router(config-dial-peer)#exit
Enters the voip configuration mode.
Configures the number to be dialed.
Router(config-dial-peer)#session-target 1.1.1.2
Configures the IP address of the end to be

dialed.
Second configuring the parameters of router2:

Command
Router#con t
Task
mode.
Configures the number 222to
Enters the voip configuration mode

dialed.
Configuring the Voice Interface

The configuration of router1 is the same as that of router2
Command
Task
Enters the corresponding voice port.

Configures the coding mode as g729.
Activates the voice port.
Illustration:
1.
In the above figure of configuration, both router1 and router2 have the built-in FXS modules,
while router3 has a built-in FXO module. Supposing they are the new version of routers, and
all the IP telephone modules are inserted in the port s2 and they use the channel 1.
2.
This is an example about the intercommunication between the FXS module and the FXO,
about the second dialing, and about the direct extension dial. When they are configured, the
following tasks should be finished:
B.
A.
3.
The appendix is about the usage of the extended configuration.
First, configure the parameters of router1
Command
Task
Router#con t

mode.

dialed.
Router(config-dial-peer)#destination-pattern
9.......
Configures the opposite telephone

number; the wildcard is used to match
any number string.
dialed.
Second, configure the parameters of router2:
Command
Task
Router#con t
Router(config- dial-peer)#port 2/1

mode.
Configures the number 222 to correspond
with the channel 2/1.
Router(config- dial-peer)#exit

dialed.
9.....
Configures the opposite telephone number;

the wildcard is used to match any number
string.
dialed.
To configure the parameters of router3:
Command
Router#con t
9.......
Task
mode.
Configures the local numbers as the
wildcard strings beginning with 9.
Configures the number 9.......to
Configures the number of the interior

extension to be dialed on.
dialed.
Configures the number of the interior

extension to be dialed on.
dialed.
The configuration of router1 is the same as that of router2
Command
Task

Configures the coding mode as g729.
The configuration of router3 is different depending on the modes of secondary dialing and direct extension dialing.
Command
Task

Configures the coding mode to be g729.
5RXWHUFRQILJ-voice-port)#connectionplar 111

5RXWHUFRQILJ-voice-port)#connectionplar 222
Once the exterior line dials up 5148333

successfully, the extension 111 will be
connected directly.
Once the exterior line dials up 5148333
successfully, the extension 222 will be
connected directly.
Router(config-voice-port)#exit
Note:
1.
If the command sentences are configured with ODEHOLWis in the direct connection mode.
The advantage of this mode is that it is easy for a user to operate, once the user successfully
dials 5148333, he can dial 111/222 directly. The disadvantage is that it is fixed to dial up only
2.
3.
one extension, namely that one voice interface only corresponds to only one
connection-plar.
If the command sentences are not configured with the ODEHOLWLVLQVHFRQGDU\GLDOLQJ
mode. After the exterior line successfully dials 5148333, he can choose the extension 111 or
the extension 222 according to the record prompt (if there is record)
All numbers configuration can use the wildcard.
Appendix: Usage of the extended configuration

The extended configuration of the router1 (using abbreviated number dialing/extended number dialing)
Command
Task
Router#con t

mode.
5148222
Configures IP address of the end to be

dialed.
Configures the number 222 that really
corresponds to the number 5148222
dialed by users.
Router(config-dial-peer)#dt 222
...
Router(config-dial-peer)#dt 95148...
Configures the telephone number of the

opposite end and use the wildcard to
match any number string.
dialed.
Configures addition of 9 to any 7 bit
number dialed by users.
Note:
1. After dt is configured, the number configured in destination is the ones dialed by users, the
number of dt is the ones transmitting really in the line.
2. The above configuration is used to achieve the following functions:
A)
If users dial the number 5148222they dial the extension 222 successfully.
B)
If users dial the number 123, they can dial the exterior line 5148123
successfully.
The extended configuration of the router2 (using the dialing terminator)
Command
Task
Router#con t

mode.
Configures IP address of the end to be

dialed.
9.............
Configures telephone number of the

opposite end and use the wildcard to
match any number string.
dialed.
Router(config)#voip_dial_terminator
Configures the termination as #.
Note:
1. When dialing 111, users must end it with #, only so can the number really be dialed out.
2. When dialing 95148123 or 913912345678, users end it with #, then the number will be sent
out. This can achieve that all the numbers with different lengths can use the same one voip
(the number of the wildcard point should be more than/equal to the longest number to be
dialed, so does the pots wildcard of the router3)
3. If there is no dialing terminator, when users want to match both dialing of 5148123 and
139123456789, different voips need be configured. For example, the wildcard beginning
with 8 matches the 7 bits numbers, while the wildcard beginning with 9 matches the 11 bits
numbers.
9.3 Configuring the Maipu Router as a H.323 Voice Gateway
A Maipu router can be used as the H.323 voice gateway, and can be used for the voice intercommunication between many IP
networks or between an IP network and a telecommunications network, such as PSTN network etc. Presently, Maipu routers
supports the RAS (Registration, Admission, Status) protocol, which is used to exchange information with the gatekeeper.
Other functions, such as security, charging and Supplementary Services, will be provided in the subsequent version.
The main topics addressed in this section are as follows:
Basic Concepts
Configuring H.323 voice gateway
An example of configuration
9.3.1 Basic Concepts

RAS protocol:
RAS (Registration, Admission, Status) protocol is a protocol that runs between the H.323 gateway and the gatekeeper, and is
used for call control and management, which includes address resolution, address mapping, bandwidth management, call
control, route management and security management.
9.3.2 Configuring H.323 Voice Gateway
A. Configuring the pots dial-peer
Router(config)#
Command
dial-peer <1_255> pots
Description
Enters pots
destination-pattern<string>
Identifies the gateway.
port 0
The number corresponds with the voice port 0.
B. Configure voip dialing-peer

Router(config)# dial-peer 1 voip
Command
Description
destination-pattern <string>
Configures the telephone number of the destination end.
supported-prefix <string>
Configures a prefix to identify the voice gateway at which the

destination telephone is. This prefix will be added to the front of
the telephone number dialed by users.
Designates the use of the RAS protocol to get the IP address of
the destination telephone.
session-target
ras
C. Configuring the voice gateway interface:

A network interface is configured as the RAS protocol interface of the voice gateway, only one network interface can be
configured as the voice interface. Configure the multicast mode on the network interface (for example, Ethernet interface)
supporting multicasting to search for the gatekeeper. On the network interface (for example, WAN port) which does not
support multicasting, only the designated gatekeeper IP address can be configured.
Router(config)#int s0
Command
h323-gateway voip interface
h323-gateway voip h323-id <STRING>
h323-gateway voip id <STRING> <ipaddr/
multicast> <STRING/CR>
h323-gateway voip supported-prefix
<STRING>
Description
Designates this interface as the RAS protocol interface of
the voice gateway.
Configures the gateway interface identifier that is used for
the gatekeeper to identify the gateway interface.
The first string is the gatekeeper ID, while the second string
is the IP address that is configured after the ipaddr mode is
chose.
Configures the gateway ID-prefix that is used for the
gateway to process the session route, namely that the
gatekeeper will route the telephone number beginning with
this prefix to the gateway.
Note:
1. The multicast mode is used to search the gatekeeper through the multicasting mode while
the ipaddr mode is used to designate the gatekeeper.
D. Starting the voice gateway

Router(config)#
Command
Gateway
3.3
Description
Starts the voice gateway.
Configuring a Maipu router

Command
Task
Configures the pots end.
Router(config-dial-peer)#destinationpattern 7# 5219609
Router(config-dial-peer)#port 0
Configures the local gateway identifier as 7# and the number

as 5219609.
The number is bound with the voice interface 0.
Configures the voice port of the opposite end.
Router(config-dial-peer)#destinationpattern 5213541
Router(config-dial-peer)#supportedprefix 8#
Router(config-dial-peer)#session-target
ras
The opposite telephone
Router(config)#int f0
Configures the voice gateway interface.
Router(config-if-fastethernet0)#ip address
128.255.255.244 255.255.0.0
Router(config-if-fastethernet0)#h323gateway voip h323-id mp
Router(config-if-fastethernet0)#h323gateway voip id gk multicast
The destination gateway prefix identification

Designates that the RSA protocol is used to get the IP address of
the destination telephone.
Configures the gateway interface identifier.

Designates that the multicasting mode is used to search the
gatekeeper.
Router(config-if-fastethernet0)#h323gateway voip supported-prefix 7#

Router(config-if-fastethernet0)#h323gateway voip interface
Router(config-if-fastethernet0)#no
shutdown
Router(config-if-fastethernet0)#exit
Configures the gateway identification prefix as 7#
Router(config)#gateway
Starts the voice gateway.
Designates that this interface is used as the RAS protocol

interface of the voice gateway.
9. 4 IP Telephone Debugging Switch

Notice:
Turning on the IP telephone debugging switch
Turning off the IP telephone debugging switch
The wire order of the new version Voip module
Turning on the IP telephone debugging switch:
Router(config)#
Command
debug voipdrv <STRING>
<all/busytone/events/resource/status>
Description
Turns on an interface debugging switch. <String> is the
voice interface to be monitored, the following words that
can chosen are busytone, event or status of the
monitoring interface, choosing all means turning on all
the voipdrv debugging information of the interface.
Note:
1. The voice interface monitored must be continuous up to a certain channel. For example, if there is a new version router, the
voice interface should be of the form 0/1; while if there is a old version router, then it should be of the form 0, 1 or
2 etc. The principle is that this voice interface form should be the same as that voice interface form seen by the command
show run.
Turning off the IP telephone debugging switch:
Router(config)#
Command
No debug all
Description
Closes all the debugging information.
The wire order of the new version IP telephone:

1) 2vop and 2vos: RJ45 line with 8 wires, line4 and lind5 corresponding to the channel 0; and line3 and lind6 corresponding
to the channel 1.
2) The IP telephone module with single port: RJ45 line with 8 pins of which the fourth and the fifth ones are used.
Chapter 10 Terminal Configuration

10.1 Terminal Protocol
UNIX
Ethernet
Figure 10-1 Terminal protocol operation modethe local mode

Illustration
The figure above is the topology of the local terminal operation mode: the local router accesses the Ethernet through the
Ethernet port and connects with the Unix server; the synchronous/asynchronous interface or asynchronous interface
encapsulates the terminal protocol and connects with the terminals.
UNIX
Local
Remo
Figure 10-2 Terminal protocol operation modethe remote mode
Illustration:
The figure above is the topology of the remote terminal operation mode: the remote router accesses the WAN through
the WAN interface and connects with the local router through which the remote router connects with the Unix server. On the
remote router, the synchronous/asynchronous interface or asynchronous interface encapsulates the terminal protocol and
connects with the terminals.
Compared with the previous terminal access mode of Maipu router, the terminal protocol has gotten much enhancement
at the aspects of function and flexibility and overcomes the limitation that nothing but the asynchronous interface module can
access the terminal. As long as the interface module supported by Maipu router can operate in the asynchronous mode (For
example: frequency-band MODEM interface, high-speed synchronous/asynchronous serial interface), the interface can
encapsulate the terminal protocol for terminal access.
Firstly, the terminal protocol can, according to the user configuration or terminal service, specify the service-port of the
upper-end service for the establishment of TCP connection. When the lower-end service data arrives, the router encapsulates
the terminal data into TCP/IP messages, and sends them to upper-end server through the TCP connection; at the same time,
the terminal protocol monitors the data the server send downwards, and the terminal protocol encapsulates the TCP/IP
message and sends the service data to the terminal when the router receives the data sent from the server. The terminal
protocol can establish multiple TCP connections simultaneously and realize the service switch of the terminal. Moreover, the
terminal protocol can assist Itest or other terminal-number fix program to realize the fix terminal-number access and data
encryption and compression transmission, which can enhance service security.
10.1.1 Configuring the Terminal Protocol
The following steps are necessary for you to configure an interface of the router to connect with a terminal.
Creating/configuring terminal template
The interface encapsulation terminal link protocol
Applying the terminal template to the terminal protocol interface.
10.1.1.1 Creating/Configuring Terminal Template

To make the router support the terminal access, it is necessary to configure terminal service parameters, such as the local IP
address, remote service IP address and TCP port-number, and save the configuration into the terminal template. After a
terminal template has been created, all protocols supporting the terminal access, such as TerminalMPDLC and X.25 PAD,
can apply the template simultaneously. And the modification of the template configuration can also update the status of the
protocols applying the template simultaneously.
Terminal template template-name

In the global configuration mode, use the command terminal template to create or enter a template. The parameter
template-name is the template name. When there exists no the template, the template will be created and the user can enter
the terminal template configuration modeconfig- terminal-template. And use the command no terminal template
template-name to delete the template.
Note:
The terminal name is case sensitive.
In the terminal template configuration mode, the parameters related with terminal services can be configured, and the
following commands can be supported.
Terminal local local-ip-address

Configure the local IP address of the template as the IP address of some interface of the router (generally the local IP
address is the IP address of the loopback interface). The terminal protocol can regard the IP address as the source address and
establish the TCP connection with the server.
Terminal remote
terminal remote host-number host-name host-ip-address domain name{fix-terminal | telnet | rlogin}

Syntax
Description
host-number
The remote service number, and its value scope is from 0 to 9.
host-name
The remote service name, displayed on the terminal selection interface.
host-ip-address
The IP address of the remote service.
domain name
The host domain name of the remote service.
fix-terminal
The remote service works in the fix-terminal mode (By default).
telnet
The remote service works in the telnet mode.
rlogin
The remote service works in the rlogin mode.
When working in the fix-terminal mode, the remote service can support the following options:
terminal remote host-number host-name host-ip-address fix-terminal { tcp-port | authentication | compress | encrypt
<string> | start-chars | negotiate-port | server}
Syntax
Description
tcp-port
The TCP port number of the remote fix-terminal itest service.
Its value range is from 1 to 65535 and the default port-number is 3051.
authentication
Router ID authentication (Namely the previous MAC address
authentication, and no authentication is configured by default.)
compress
Compress the data
encrypt
start-chars
negotiate-port
server
Encrypt the data in the fix-terminal mode. After that, the key is also
encrypted.
The Fix-terminal auto-screen-brush character.
It need be consistent with that the Itest configuration (nothing is
configured by default.)
Specify the negotiation port number for terminal connection in the fixterminal mode.
The router serves as the server of the TCP connection and waits for client
connection.
Note
1) When the function of the auto-screen-brush is employed, the parameters -r k a1:a2:a3 need be configured when Itest
starts. The parameter -r means enabling the screen memory. For k a1:a2:a3, a1, a2 and a3 are hexadecimal numbers, and
0xa1 0xa2 0xa3 is configured behind start-chars;
2) When the function of data compression is adopted, the option compress need be added into the Itest configuration file
(itest.conf), and its format is described as follows
/dev/ttyp53 196.72.167.4 com1 term2 compress
3) When the encryption function is adopted, the option key
x (x represents the key value) need be added into the Itest
configuration file (itest.conf), and its format is described as follows:
/dev/ttyp53 196.72.167.4 com1 term2 keya
4) In view of the security, the System ID corresponding to the router can be configured on Itest. In this way, only the
terminal connecting with the specified router can log in the Unix server. It is necessary to add a MAC address into the Itest
configuration file (itest.conf), and its format is described as follows
/dev/ttyp53 196.72.167.4 com1 term2 mac 00017a450312
5) The last item is the System ID of the router. It can be displayed by means of executing the command 'show version
on the router.
6) When the fix-terminal server is adopted, no remote address need be configured. The address used for TCP connection
monitoring is the terminal local address. The remote address can be filled with any format of valid IP address.
7) When the fix-terminal server is adopted, no switching of service host need be performed usually. It is recommended
that only one remote host need be configured.
When working in the Telnet mode, the remote service supports the following options:
terminal remote host-no host-name host-ip-address telnet { tcp-port | ANSI | VT100 | xenix }
Syntax
Description
tcp-port
The TCP port-number of the remote service. Its value range is from
1 to 65535 and the default value is 23.
ANSI
Telnet operates in the ANSI mode.
VT100
Telnet operates in the VT100 modeBy default.
Xenix
Telnet operates in the xenix mode.
When working in the rlogin mode, the remote service supports the following options:
terminal remote host-no host-name host-ip-address rlogin remote-user-name
Syntax
Description
Remote-user-name
The remote username of rlogin logon.
In the terminal template configuration mode, the related configuration commands are described as follows:
terminal {auto-linking <0*9> | hesc-chars | host <0*9> hesc-chars | print { on | off } | redraw {<0*9> |
console } <STRING> | retry-times <1*65535> | rx-delay | rbufsize <128*16384> | tbufsize <2048*16384> }
Syntax
Description
auto-linking
Automatically establishing a link (Disabled by default)
hesc-chars
host
print
redraw
retry-times
rx-delay
The terminal service switch character ( the default character is

Ctrl+G+D)
The hot key of terminal host switch.
Print the information about prompts and helps on the terminal
(permitted by default)
The terminal redraw (the field STRING is the terminal screenbrush key, and different terminals define different terminal screenbrush keys)
The retry times of establishing a link ( three times by default).
tbufsize
The receiving delay, applied to the situation of using a card reader

(no delay is configured by default).
The size of TCP transmitting buffer 8192 by default
rbufsize
The size of TCP receiving buffer2048 by default
10.1.1.2 The Interface Encapsulation Terminal Link Protocol

In the interface configuration mode, configure the command encapsulation terminal.
terminal noise-filter
The command is used to enable/disable the noise-filter of the interface. After the noise-filter is enabled, the noise
interference, which is on the floating line and results from closing the RX/TX/GND terminal connection, can be
avoided. The noise-filter is enabled by default.
terminal noise-filter { ENABLE | DISABLE }
Note
1) The terminal protocol must operate in the asynchronous mode. For the synchronous/asynchronous serial interface
mode, the configuration command physical async must be firstly used to convert the physical layer into the asynchronous
mode.
2) Neither IP address nor other IP property parameters can be configured;
3) After the terminal protocol is encapsulated, the default configuration tx-on dsr can be adjusted according to the
bottom-layer physical signals of the terminal interface, such as tx-on dcd-dsr or tx-on cts;
4) No flow-control is configured by default. Generally, a terminal can receive nothing but the receiving, transmitting and
GND signals, and support no hardware flow-control. The flow-control configuration can be modified according to the line
condition and terminal performance.
5) The command terminal noise-filter can be used to filter out the start-character 00 or ff. In some applications, the 00 or
ff character can be sent out in the beginning. Here, the noise-filter is disabled.
10.1.1.3 Applying the Terminal Module to a Terminal Protocol Interface
Adopt the command terminal apply template-name <interface1> <interface2> to apply the terminal template to the
Terminal protocol interface <interface1> and<interface2>.
Note
When a terminal template is applied to multiple interfaces, such as the two interfaces above, interface1 and interface2
must be two interfaces in the same slot.
10.1.2 An Example of Terminal Protocol Configuration
The local-end encapsulating the terminal protocol is configured as follows:Shown as figure 10-1
A) Configuring the interface parameters:
Command
Task
Router#config terminal
Router(config)#int f0
Enter the configuration mode of the
interface f0.
Router(config-if-fastethernet0)#ip
add
129.255.24.100
Configure the Ethernet address of the
255.255.0.0
router/ terminal server.
Router#(config)interface serial0/0
The configuration mode of the serialinterface s0/0.
Router(config-if-serial0/0)#physical-layer async
The serial-interface s0/0 is configured
as the asynchronous mode.
Router(config-if-serial0/0)#tx-on dcd
Configure the dcd signal to judge
physical signal up.
Router(config-if-serial0/0)#encapsulation terminal
Encapsulate the terminal protocol.
Router(config-if-serial0/0)#exit
The above is the configuration of encapsulating a high-speed serial interface as the terminal protocol, and the
configuration of 8/16SA is the same as that of the high-speed serial interface.
Command
Router(config-if-serial1/0)#modem party originate
Router(config-if-serial1/0)#modem line leased
Router(config-if-serial1/0)#modem async direct
Task
The configuration mode of the serial-interface
s1/0.
Configure the dcd signal to judge physical
signal up.
Configure the interface s1/0 (built-in modem)
to encapsulate the terminal protocol.
Configure the built-in modem as the
origination.
Configure the built-in modem as the automatic
leased line mode.
Configure the built-in modem as the direct
asynchronous mode.
Router(config-if-serial1/0)#modem enable
The above is the configuration of the automatic leased line mode in which the built-in modem encapsulates the
terminal protocol. The usage of this mode needs the cooperation with the mp56/336B external modem.
Command
Task
Configure the dcd signal to judge physical

signal up.
Router(config-if-serial1/0)#modem party originate
Set the built-in modem as call origination.
Router(config-if-serial1/0)#dialer string 123
Set the built-in modem as the dialup mode.
Router(config-if-serial1/0)#modem async error-correct
Set the built-in modem as error asynchronism.
The above is the configuration of the dialup mode in which the built-in modem encapsulates the terminal protocol.
The usage of this mode needs the cooperation with the mp56/336B external modem.
B) Configuring Template Parameters:
Command
Task
Router(config)#terminal template maipu
Establish a template whose name is maipu.
router(config-terminal-template)#terminal
local
Set the local IP address (the address of the
129.255.24.100
interface f0).
router(config-terminal-template)#terminal remote 0 fix
Set service 0 as the fix-terminal mode, the IP
129.255.100.101 fix-terminal
address as the IP of the Unix FEP (Front End
Processors).
router(config-terminal-template)#terminal remote 1
Set service 1 as the telnet mode.
telnet 129.255.100.101 telnet
Set service 2 as the rlogin mode.
rlogin 129.255.100.101 rlogin
Set service 3 as the echo mode. (Optional)
input 129.255.100.101 fix-terminal 7
router(config-terminal-template)#terminal remote 4 fixSet service 4 as 2nd fix-terminal mode. In the
mode,
2 129.255.100.101 fix-terminal 3052 negotiate-port
Two itests are configured for Unix: data port
3652
3052, and negotiation port3652.
router(config-terminal-template)#exit
C) Applying the template to an interface
Command
Router(config)# terminal apply maipu serial0/0
Task
Apply the template to the interface s0/0.
10.1.3 Related Terminal Debugging Commands

show terminal
debug terminal <interface>
terminal restart { all | <interface> }
show ip socket
10.2 MPDLC Protocol

The router can, through MPDLC (MP data link control protocol, Maipu private protocol), connect with MP multiplexer (such
as MP8000/8100/8200) so that one serial interface of the router can realize the access of at most 8 terminals. This can
enhance the routers ability of terminal access greatly.
UNIX FEP
Ethernet
Local
MP8100
multiplexer
Terminal
Figure 10-3
Terminal
Terminal
the MPDLC network mode chartthe local mode
Illustrations
The local router accesses the Ethernet through the Ethernet interface and connects with the Unix server. The
synchronous interface, synchronous/asynchronous interface or asynchronous interface encapsulates MPDLC protocol and
connects downwards with MP8100 multiplexer that connects with terminals through sub-interfaces (8 subinterfaces).
o
UNIX FEP
Ethernet
Local router
Remote
MP8100
multiplexer
Figure 10-4
network mode chart the
MPDLC
remote mode
Terminal
Terminal
Terminal
Illustration
The remote router accesses the WAN through the WAN interface and connects with the local router, then connects with
the Unix server through the local router. The synchronous interface, synchronous/asynchronous interface or asynchronous
interface of the remote router encapsulates MPDLC protocol and connects downwards with MP8100 multiplexer that
connects with terminals through sub-interfaces (8 subinterfaces) .
Note
In the MPDLC mode, the sub-interfaces of MP multiplexer can connect with terminals, prints and card-reader, and can
not support SDLC equipments (such as ATM).
10.2.1 Configuring MPDLC Protocol

To make the router adopt the MPDLC protocol to connect with MP multiplexer, the following steps are necessary:
Creating/configuring a terminal template;
Encapsulating an interface with MPDLC Link protocol
Applying the template to the MPDLC interface
10.2.1.1 Creating/Configuring Terminal Template

The terminal template used by MPDLC protocol is the same as that used by the terminal protocol. About how to create and
configure a terminal template, refer to section 10.1.1.
10.2.1.2 Encapsulating Interface with MPDLC Link Protocol
Configure the command encapsulation mpdlc in the interface configuration mode.
Configure the command mpdlc channel <start-chan> <end-chan> dtr-forced-on according to the physical
performance of the terminal connecting with the sub-interface of the multiplexer
Partial terminal can not provide DTR signal for the sub-interface of MP8000 series equipments and notify the multiplexer of
whether to connect with the terminal equipment. In this situation, it is necessary to configure the command mpdlc channel
<start-chan> <end-chan> dtr-forced-on to specify some sub-interfaces to connect with the terminal equipments. Thereinto,
start-chan and end-chan represent the start-channel number and the end-channel number respectively. And their value scope
is from 1 to 8.
Note:
1) The router parameters, such as line synchronism/asynchronism, clock, rate and flow-control, must be configured
according to the serial-interface parameters of MP multiplexer;
2) Neither IP address nor other IP parameters is configured on the MPDLC interface.
10.2.1.3 Applying the Terminal Template to a MPDLC Interface
Use the command terminal apply template-name <interface1> <interface2> to apply the terminal template template-name
to all channels of MPDLC interfaces <interface1> ~ <interface2>
Similarly, Use the command terminal apply template-name <interface> channel <start-chan> <end-chan> to apply the
terminal template template-name to the specified channels of the interface <interface>
Note
When the terminal template is applied to multiple interfaces, both and must be the two interfaces in the same slot; the
command terminal apply template-name <interface1> <interface2> can be used many times to apply the terminal template
to the interfaces of different slots. An interface can adopt only one terminal template.
10.2.2 An Example of MPDLC Configuration
The local configuration of encapsulating MPDLC: (shown as figure 3)
A) Configuring interface parameters:
Command
Task
Router(config) interface serial0/0
Configure the interface as the
asynchronous operation mode.
Router(config-if-serial0/0)#encapsulation mpdlc
Encapsulate the MPDLC protocol.
Router(config-if-serial0/0)#mpdlc channel 1 8 dtr-forceEnable channel 1-8, and set dtr signal as
on
up.
The above is the configuration of encapsulating MPDLC on the high-speed interface. And the configuration of
8/16SA is the same as that of the high-speed interface.
Command
Task
Router(config) #interface serial1/0

Router(config-if-serial1/0) # physical-layer async
Configure
the
interface
as
the
asynchronous operation mode.

Router(config-if-serial1/0)#encapsulation mpdlc
Router(config-if-serial1/0)#mpdlc channel 1 8 dtr-forceon
Router(config-if-serial1/0)#modem party answer
Router(config-if-serial1/0)#modem line leased
Router(config-if-serial1/0)#modem async direct

Enable channel 1-8, and set dtr signal as
up.
Set the built-in Modem as the answer
Set the built-in Modem as the private
line mode.
Set the built-in modem as the direct
asynchronism mode.
The above is the configuration of the automatic private line mode in which the built-in modem encapsulates the
terminal protocol. The usage of this mode needs the cooperation with the mp8100 multiplexer.
Command
Router(config-if- serial1/0)#physical-layer async
Router(config-if-serial1/0)#mpdlc channel 1 8 dtr-forceon
Router(config-if- serial1/0)#encapsulation mpdlc
Router(config-if- serial1/0)#modem party originate
Router(config-if- serial1/0)#dialer string 123
Router(config-if-serial1/0)#modem async error-correct
Task
Enable channel 1-8, and set dtr signal as

up.
Set the built-in Modem as the call
origination.
Set the phone number the built-in
modem dials.
Set the built-in Modem as the errorasynchronism.
Router(config-if- serial1/0)#modem enable

Router(config-if- serial1/0)#exit
The above is the configuration of the dialup mode in which the built-in modem encapsulates the MPDLC protocol.
And the usage of this mode needs the cooperation with the mp8100 multiplexer.
B) Configuring Template Parameters:
The configuration of a template is the same as that of encapsulating the terminal protocol. Only one template can be
defined, and each interface can adopt nothing but one template.
C) Applying the template to an interface
Command
Task
Router(config)# terminal apply maipu serial0/0
Apply the template to the interface s0/0.
10.2.3 Related MPDLC Debugging Commands
show mpdlc
debug mpdlc
10.3 X.3 PAD Terminal
Figure10-5
the X.3 PAD terminal network mode
UNIX FEP
Mp router
X.25 terminal
10.3.1 Configuring the X.3 PAD Terminal
To configure the X.3PAD terminal of the router, the following steps are necessary:
Creating/configuring a terminal template
Configuring X.25 link-layer protocol
Apply the terminal template to X.3 PAD.
10.3.1.1 Creating/Configuring a Terminal Template

The terminal template used by the X.3 PAD terminal is the same as the Terminal protocol. And about how to create and
configure a terminal template, refer to section 10.1.1.
10.3.1.2 Configuring X.25 Link-layer Protocol
Encapsulate X.25 link-layer protocol on the interface and configure the corresponding parameters.
10.3.1.3 Applying a Terminal Template to X.3 PAD
In the global configuration mode, configure the command terminal x.121-addr template-name COM TERM and apply the
terminal template template-name to X.PAD.
Syntax
Description
x.121-addr
The x.121 address of the remote PAD logon equipment.
template-name
The name of the applied terminal template.
COM
The COM number (user-defined) for using the function of fixterminal.

TERM
The TERM number (user-defined) for using the function of fixterminal.
10.3.1.4 An Example of X.3 PAD Terminal Configuration
The configuration of the router and related explanation are described as follows:
1) Encapsulating related X.25 parameters (including X.25 address, DCE/DTE operation mode and internal/external
clock) of a WAN interface;
2) The configuration commands of a terminal template are listed as follows:
Command
Description
terminal template <Temp-Name>
Create/configure a terminal template (the global
mode command).
terminal local <ip-address>
Configure the local IP address.
terminal remote <0-9> Host-Name
address>[telnet][rlogin][fix-term]
terminal hesc-chars
<ip-
Configure the remote services: ten different

services (09), telnet/rlogin/fix-term mode can be
supported.
Configure the switching character string. And the
default is Ctrl+G+D.
terminal rx-delay
terminal rbufsize <32-8192>
terminal tbufsize <32-8192>
terminal print
<on/off>
terminal retry-times <1-255>
Set the receiving delay mode. The default mode is

no delay.
Set the size of the TCP receiving buffer. The
default size is 2048 bytes.
Set the size of the TCP receiving buffer. The
default size is 8192 bytes.
Set terminal print as on: the prompts are printed on
the terminal. The default configuration is ON.
Set the maximal retry-times of establishing a link.
The default value is 3 (times).
3) The coincidence relations among the terminal X.25 source address, terminal template and port number are listed as
follows:
Command
Description
terminal <x121-addr> <Temp-name> <com>
<x121-addrs> : the X.121 address of the remote
<term>
x25 equipment
<termplate-name>:the name of the template used
by the terminal
<com> and <term>: the parameters used by the fixterminal. It must be consistent with the
configuration of the application itest.
A configuration example:
Command:
Task
Configure the Ethernet address of the
router.
Router#(config)#interface fastethernet0
Router(config-if-fastethernet0)#ip
address
255.0.0.0
Router(config)#interface serial0/0
Router(config-if-serial0/0)#physical-layer sync
Router(config-if-serial0/0)#clock rate 9600
10.1.1.1
Router(config-if-serial0/0)#encapsulation x25
Router(config-if-serial0/0)#x25 dte
Router(config-if-serial0/0)#x25 address 1234567
Router (config) #terminal template maipu
Router (config-terminal-template) #terminal local 10.1.1.1
Router (config-terminal-template) #terminal remote 1 fixterminal 10.1.2.1 fix-terminal
Router (config-terminal-template) #terminal remote 2
Telnet 10.1.3.1 telnet
Router (config-terminal-template) #terminal remote 3
Rlogin 10.1.4.1 rlogin
Router (config-terminal-template) #exit
Router (config) #terminal 7654321 maipu 1 1

Set the clock rate as 9600.
The interface is encapsulated with the
X.25 protocol.
Configure the X.25 dte mode.
Configure the X.121 address as
1234567.
Configure the template maipu.
The local address of the template is
10.1.1.1.
The remote address of the terminal
adopting the fix-terminal service is
10.1.2.1.
adopting the telnet service is 10.1. 3.1.
adopting the rlogin service is 10.1.4.1.
The x.121 address of the remote x.25

equipment is 7654321, and the name of
the template used by the terminal is
maipu, terminal com is 1 and terminal

ter is 1.
10.3.1.5 The Related Debugging Commands of the X.3 PAD Terminal
debug x25 pad {packet | event }
show terminal
10.3.2 Configuring UNIX Server

This section mainly describes how to configure the application Itest and UNIX configuration parameters to realize the fixterminal logon and other related functions. And its main contents are listed as follows:
Configuring Itest parameters
Configuring SCO UNIX
Configuring AIX UNIX
Configuring SUN UNIX
Configuring HP UNIX
Configuring UNIX kernel parameters
Configuring TELNET fix-terminal
Managing Itest terminal
10.3.2.1 Configuring Itest Parameters

When a terminal works in the fix-terminal mode, the UNIX server must be configured, so that the terminal can establish
the correct TCP connection with the UNIX server to achieve the service for the remote terminal. Like the terminal that adopts
the telnet mode to log in, the terminal that adopts the fix-terminal mode to log in the UNIX server occupies the UNIX virtual
equipment number (the number in the SCO system is ttypxx.). There exists the difference between them. The telnet daemon,
according to the logon precedence, distributes the idle ttypxx equipment numbers (from small to large) to these terminals,
simultaneously, sends them to the login interface. And the fix-terminal daemon, according to the configuration, distributes he
idle ttypxx equipment numbers to the terminals that logs in from the corresponding physical interfaces, so as to achieve the
fixation of the terminal numbers; besides this, when the terminals logs in, the system manager, by means of the configuration,
can decide whether to send the login interface to the terminals or send the application interface to the terminals.
The name of the fix-terminal service application is Itest (itest.sco, itest.aix, itest.sun and itest.hp are respectively in the
service of SCO,AIX, SUN and HP systems. Here the foregoing application are called by a joint name Itest).
To cooperate with Terminal and MPDLC, the version of the application itest must be V4.0 or higher. The format of enabling
the itest process is described as follows:
UNIXitest [ Parameter name] [Parameter name]
And the meaning of the related parameters can be examined by the command itest -h:
Parameter
Meaning
-c
confile
-n
max_term
-p
port
-m
mng_port
-g neg_port
-l
log_file
-x
exit_key
-w
discard_time
Set the configuration file of itest, and the default is /ect/itest.conf.

Set the maximum number of the login terminals that itest can accept, and the
default is 256.
Set the port number of the itest program service, and the default is 3051.
Set the port number of the itest program management port, and the default is
3055. Enter the itest managing interface through the access to the port.
Designate the itest log file, the default is /tmp/itest.log.
Define the exit_key for the terminal. For example, use itest x 1:1:1 when
starting itest, then after pressing CTRL-A-A-A on the terminal, the terminal will
exit.
The timeout the data read from the network is written towards the application
program (the default is 1 second). Discard it when the time expires.
Shut down the terminal regularly, and make the terminal become invalid within
the given time.
-T
time_file
-s
-N
Configure the identification authentication for the user to enter the management
interface, and there exists no identification authentication by default. The user
name and password used for the identification authentication is that of the
system.
Establish a new session after each time of connection. If the configuration in
/ect/inittab is respawn, this option should be selected; if the configuration is off,
then this option should not be selected.
Set the configuration file of itest, and the default is /ect/itest.conf.
Each time the terminal is connected or disconnected, the previous invalid
terminal process should be cleaned.
Send out the login interface automatically without the need to configure the table
initial.
-K
-o
-r
Open the screen redraw function.
-i
cr_lines
-k
redraw_key
After the screen redraw function is enabled, designate the terminal screen row
number, which generally is the default value the default value of vt100 is
24the default value of ansi is 25
After the screen redraw function is enabled, designate the redraw key, which is a
hexadecimal number and split by : (For example, 1b: 5b: 67:45), and whose
default value is 0x12 (^R). Recommend that at least 3 characters be used to
avoid the confliction with the data sent by the equipments, such as a POS
machine.
-M keymap_file
Transform the meanings of the character sent by the terminal.
-t
Examine some UNIX parameters relevant with the itest running.
-h
Examine the itest parameter information.
Note
1) It is recommended that the two parameters N and K be used simultaneously in the execution mode itest NK. Its
function is to clean the previous process when the terminal logs in again. These two parameters have a certain relation with
the application. And Industrial and Commercial Bank transaction system had better not employ the parameters.
2) The parameterr is used to enable the function of screen redraw. When the terminal switches among the different
services, the function can save the contents of the current screen before switching. To realize the function, the shared memory
of the Unix server should be at least 1.5M. If there appears "...shmget error:Invalid argument when itest-r is executed, the
following configuration is necessary: to execute admin--Hardware/Kernel managerKernel | Tune Parameters-- 16.Shared
data to modify the parameter SHMMAXthe shared memory and the value of 2000000(bytes) is recommended. After
configuring the parameter r, you can adopt ctrl + R to manually refresh the screen on the terminal.
3) Parameter TIn the view of system security, Itest can provide a function of regularly closing a terminal. In this way,
the terminal can be invalid in the specified time. The user need define a configuration file time.conf, whose format is
all 12:00 13:00 18:00 20:00
All terminals are invalid in 12:00-13:00 and 18:00-20:0. (Up to five time segments can be specified.)
ttyp11:ttyp12 12:00 13:00 The tow terminals ( ttyp11 and ttyp12) are invalid in 12:00-13:00.
When starting Itest, the parameter T need be specify the file time.conf.
itest T time.conf
4) Parameter M: Transform the characters sent by the terminal to other characters according to the corresponding
configuration. And you need define a configuration file keymap.conf , whose format is described as follows:
File format
Meanings
4f:50 1b:4f:50
Transform the character 4f:50 to 1b:4f:50.
4f:51 1b:4f:51
Transform the character 4f:51 to 1b:4f:51.
When starting Itest, the parameter M need be used to specify the file keymap.conf.
itest M keymap.conf
5) Parameters c
p m g: These parameters are respectively used to specify the configuration files and
program ports for starting itest. Different configuration files and program ports can be used to start multiple Itests.
Command
Times
Itest
The first time
Itest c /ect/itest.conf2 p 3052 m 3056 g 3652 l /tmp/itest.log2

The second time
Thereinto, when starting Itest for the first time, no parameter is specified and the default mode is employed:
Configuration file: /ect/itest.conf
Service port: 3051
Management port: 3055
Negotiation port: 3651
Log port: /tmp/itest.log
When starting Itest for the second time, the following mode is specified:
Configuration file:/ect/itest.conf2
Service port: 3052
Management port: 3056
Negotiation port: 3652
Log port: /tmp/itest.log2
The corresponding configuration files are listed as follows:
Configuration
File name
/dev/ttyp11
1.1.1.1 com1 term1
/ect/itest.conf
/dev/ttyp21
1.1.1.1 com1 term1
/ect/itest.conf2
The terminal configuration template of the terminal server are configured as follows:
terminal remote 0 fix1 129.255.24.100 fix-erminal
terminal remote 1 fix2 129.255.24.100 fix-terminal 3052 negotiate-port 3652
6) The usage of Itest timing.
In view of system security, Itest can also provide the powerful ability of time-control that can be used to limit the
working hours and non-working hours. To use the function, you firstly add the configuration of time-access list into the
configuration file itest.conf. And the basic format of the time-access list is listed as follows:
Keyword
ID
Actio
Starting/Ending
Starting/Ending
Starting/Ending
Number
n
day/month/year
day of week
minute/hour
access-list
1
permit
2004.xx.xx-2004.xx.xx
1-5
08:00-12:00
The meaning of each field is described as follows:
Field name
Meanings
Keyword
It indicates that this row is the configuration of the time-control access.
ID Number
The ID number of the time-control access list. The number must be more than 0. And
multiple access lists can use the same ID number. In this way, these access lists can
compose a access list-group and work together.
Action
The action can be either Permit or Deny, indicating that the terminal that uses the timecontrol list is permitted to go on working or disconnected in the time meeting the
configuration.
The starting/ending day/month/year is divided by .. X means any day/month/year.
For example, xxxx.5.1 represents 1st may of any year, and 2004.xx.1 represents the first
day of any month in 2004.
Starting/Ending day of
The starting day of week and the ending day of week is divided by -. X means any
week
day from Monday to Sunday. For example, 1-5 represents the days from Monday to
Friday.
Starting/Ending
The starting time and the ending time is divided by -. For example 08:00-12:00
minute/hour
represents the time from 8:00am to 12:00am, and 13:30-17:30 represents the time from
13:30pm to 17:30pm.
After the time access-control list is added into the configuration itest.conf, the time control of the terminal can be performed
as long as acl=xxx is added behind the configuration corresponding to the terminal to be controlled.
For a group ACL with the same ID, its configuration order is from up to down. The first item of the group takes the leading
effect. It the item matches unsuccessfully, the default action is Deny. So the item of stricter time control should be placed
at the front of the group. The terminal to which no ACL is specified can work any time.
The following example represents that the working time of the terminal ttyp5 is 8:00am~18:00pm of Monday ~ Friday,
9:00am~16:00pm of Saturday ~ Sunday, 9:00am~16:00pm in the 7-day holiday of Labor/National Day.
/dev/ttyp5 16.54.1.22
com1 term
acl=7
The configuration of other terminals are listed as follows:
access-list 7 deny xxxx.05.01-xxxx.05.07 x-x 00:00-09:00

access-list 7 deny xxxx.05.01-xxxx.05.07 x-x 17:00-23:59
access-list 7 deny xxxx.xx.xx -xxxx.xx.xx 6-7 00:00-09:00
access-list 7 deny xxxx.xx.xx -xxxx.xx.xx 6-7 17:00-23:59
acccess-list 7 permit xxxx.xx.xx-xxxx.xx.xx 1-5 08:00-18:00
Starting/Ending
day/month/year
10.3.2.2 Configuring SCO UNIX

The default number of SCO UNIX virtual terminals is 64. To increase the number, execute the command netconfig
to modify the SCO TCP/IP parameters:
Syntax
Description
The value is the maximum number of the UNIX system virtual

terminals, and it must be more than the number of the really
existing terminals.
Copy the fix-terminal service program itest.sco and place the copy into the directory /ect. If the copy is sent out
Pseudo ttys: 256
through ftp, it must adopt the binary mode.

Syntax
Description
chmod 744 itest.sco

Add the right to execute it to the user root.
Add the following sentences to the file /ect/rc.d/8/userdef. In this way, when starting, the system will start
itest.sco automatically.
Syntax
Description
echo MP-Router Itest starting
The prompt information at

the time of startup
Execute itest.sco.
/ect/itest.sco
route add net 128.255.130.0 netmask 255.255.255.0 16.28.3.4
The route added into the

router.
Note:
The italic sections of the command route add net are the addresses of the network segment, at which the router is
located, and the IP address of the up-end router connecting with the network fragment, and its aim is to add a route to the
router to the UNIX server. The factual configuration depends on your concrete network address and IP address.
Create and configure the table itest.conf, then place it at the directory /ect for itest to distribute the terminal
numbers. And its format is listed as follows:
/dev/ttyp11
128.255.130.254
com1
term1
/dev/ttyp18
128.255.130.254
com8
term1
/dev/ttyp21
128.255.130.254
com9
term1
/dev/ttyp28
128.255.130.254
com16
term1
Note
The meaning of each field in the table above is described as follows:
Fields
Meaning
/dev/ttyp11
128.255.130.254
com1
term1
It is the terminal equipment number distributed for the corresponding

physical port, and the number must exist in the directory /dev.
The IP address of the router connecting with the terminal (namely the local
address configured on the terminal server)
The serial-interface number (consistent with the value of COM that is
displayed by means of the command show terminal)
The terminal number (consistent with the value of TERM that is displayed
by means of the command show terminal)
Configure the table /ect/inittab so as to determine whether to send the login interface to the terminal.
p11:234:respawn:/ect/getty
p12:234:off:/ect/getty
/dev/ttyp11 m
/dev/ttyp12 m
Note:
Field
Meaning
p11
234
respawn/off
/ect/getty
/dev/ttyp11 m
The ID domain. It can be defined by users and serve as the parameter

following enable/disable. The manager can use the enable ID to
activate this terminal and send the login interface.
The operation level. It specifies that when running in system running
levels 2,3,4, the sentence is valid.
The action domain. When users adopt the login mode to log in, the
domain need be configured as respawn, and when users want to send
an application interface to the terminal, the domain need be
configured as off.
The command domain. It specifies some action executed for some
port-number. In this example, the login interface is sent to the
terminal ttyp11, and m indicates that the terminal speed is 9600.
Configure the table /ect/ttytype so as to provide the terminal type configuration for application programs. The
format is listed as follows:
Terminal type
Terminal number
Vt100
ttyp11
Ansi
ttyp21
10.3.2.3 Configuring AIX UNIX
Increase the number of the BSD-style pseudo terminals:
MeansUse the command smitDevicesPtyChange/show Characteristies to modify the number of the
BSD-style pseudo terminals more than the number of the really used terminals.
Copy the fix-terminal service program itest.aix and place the copy into the directory /ect. If the copy is sent out
Command
Description
chmod 744 itest. aix
Add the right to execute it to the user

root.
Add the following sentences to the file /ect/rc.tcpip. In this way, when starting, the system will start itest.aix
automatically.
Command
Description

/ect/itest.aix
route add net 128.255.130.0 netmask 255.255.255.0
16.28.3.4
The prompt information at the time of

startup
Execute itest.aix.
The route added to the router.
Note:
The italic sections of the command route add net are the address of the network fragment at which the router is
located and the IP address of the up-end router connecting with the network segment, and the aim of this section is to add a
route to the router to the UNIX server. And the factual configuration depends on your concrete network address and IP
address.
Create and configure the table itest.conf, then place it into the directory /ect for itest to distribute the terminal
numbers. Its format is as follows:
/dev/ttyq0
128.255.130.254
com1
term1
/dev/ttyq7
128.255.130.254
com8
term1
/dev/ttyq8
128.255.130.254
com9
term1
/dev/ttyqf
128.255.130.254
com16
term1
Note
Field
Meaning
/dev/ttyq0
128.255.130.254
com1
It is the terminal equipment number distributed to the corresponding

physical port, and it must exist in the directory /dev.
The IP address of the router connecting with the terminal (namely the local
address configured on the router)
term1
The terminal number (consistent with the value of TERM that is displayed
by means of the command show terminal)
Configure the table /ect/inittab so as to determine whether to send the login interface to the terminal:
Q1:234:respawn:/usr/sbin/getty
Q2:234:off:/usr/sbin/getty
/dev/ttyq1
/dev/ttyq2
Note
Field
Meaning
Q1
234
respawn/off
/usr/sbin/getty
/dev/ttypq1

following penable/pdisableThe manager can use the penable ID to
The operation level. It specifies that when running in system running levels
2,3,4, the sentence is valid.
The action domain. When users adopt the login mode to log in, the domain
need be configured as respawn, and when users want to send an application
interface to the terminal, the domain need be configured as off.
The command domain. It specifies some action executed for some portnumber. In this example, the login interface is sent to the terminal ttyp11.
Configure the table /ect/ttytype so as to provide the terminal type configuration for applications. The format is
Terminal type
Terminal number
Vt100
ttyq1
Ansi
ttyq2
10.3.2.4 Configuring SUN UNIX

Increase the number of the SUN system pseudo terminals. The default number of the SUN system pseudo
terminals is 48. To increase the number, you can do according to the following steps (in this example, increasing
the pseudo terminal number to 128):
A. Adding this line set npty=128 at the place of the file /ect/system where the core variable is
changed.
B. Edit the file /ect/iu.ap, and modify ptsl 0 47 ldterm ttcompat as ptsl 0 127 ldterm ttcompat.
C. Execute the command boot r to restart the system.
Copy the fix-terminal service program itest.sun and place the copy into the directory /ect. If the copy is sent out
Command
Description
chmod 744 itest.sun
Add a startup execution file Sitest (Noticing the capital letter S) into the directory of /ect/rc3.d, and add the right to
execute it so that the fix-terminal service program itest.sun can start when the system starts. The contents of the
file are described as follows:
Command
Description
The prompt information at the time of startup
/ect/itest.sun
Execute itest.sun.
Add the route to the router/terminal server.
route add net 128.255.130.0

netmask 255.255.255.0 16.28.3.4
Note
1) The italic sections of the command route add net are the address of the network fragment at which the router is
located and the IP address of the up-end router connecting with the network segment, and the aim of this section is to add a
route to the router to the UNIX server. And the factual configuration depends on your concrete network address and IP
address.
2) In the SUN system, when the types of machines are different, some files may well run abnormally. The corresponding
execution file need be regenerated according to its type. To do it, please communicate with the technical staff of our company.
numbers. Its format is listed as follows:
/dev/ttyq0
128.255.130.254
com1
term1
/dev/ttyq7
128.255.130.254
com8
term1
/dev/ttyq8
128.255.130.254
com9
term1
/dev/ttyqf
128.255.130.254
com16
term1
Note
Field
Meaning
/dev/ttyq0
128.255.130.254
com1
term1

The IP address of the router connecting with the terminal (namely the
local address configured on the terminal server)
The terminal number (consistent with the value of TERM that is
Q1:234:respawn:/usr/lib/saf/ttymon g h p ùname n`login: -T ansi d /dev/ttyq1

Q2:234:off:/usr/lib/saf/ttymon g h p ùname n`login: -T ansi d /dev/ttyq2
Note
Field
Meaning
Q1

234
respawn/off
/usr/lib/saf/ttymon g h p
ùname n`login: -T ansi
d /dev/ttyq1

an application interface to the terminal, the domain need be configured
as off.
port-number. In this example, the login interface is sent to the terminal
ttyp11. (` of ùname n` is not a single quotation marks but an
inverse single quotation marks)
Configure the table /ect/ttytype so as to provide the terminal type configuration for applications. The format is
Terminal type
Terminal number
Vt100
ttyq1
Ansi
ttyq2
10.3.2.5 Configuring HP UNIX
Increase the number of the HP system pseudo terminals. To increase the number of the system pseudo terminals,
you can do according to the following steps (in this example, increasing the pseudo terminal number to 128):
Use the command smitty and select Devices PtyChange/Show Characteristies, modify the number of the
BSD-style pseudo terminals as 128.
Copy the fix-terminal service program itest.hp and place the copy into the directory /ect. If the copy is sent out
Command
Description
chmod 744 itest.sun
Note
In the HP system, when the types of machines are different, some files may well run abnormally. The corresponding
execution file need be regenerated according to its type. To do it, please communicate with the technical staff of our company.
Add a sentence into startup execution file /sbin/rc so that the fix-terminal service program itest.hp can start when
the system starts. The added contents are described as follows:
Command
Description
The prompt information at the time of startup
/ect/itest.hp
Execute itest.hp.
numbers. Its format is listed as follows:
/dev/ttyq0
128.255.130.254
com1
term1
/dev/ttyq7
128.255.130.254
com8
term1
/dev/ttyq8
128.255.130.254
com9
term1
/dev/ttyqf
128.255.130.254
com16
term1
Note
Field
Meaning
/dev/ttyq0
128.255.130.254
com1
term1

The IP address of the router connecting with the terminal (namely the
local address configured on the terminal server)
The terminal number (consistent with the value of TERM that is
Q1:234:respawn:/usr/lib/saf/ttymon g h p ùname n`login: -T ansi d /dev/ttyq1
Q2:234:off:/usr/lib/saf/ttymon g h p ùname n`login: -T ansi d /dev/ttyq2
Note
Field
Meaning
Q1
234
respawn/off
/usr/lib/saf/ttymon g h p
ùname n`login: -T ansi
d /dev/ttyq1

an application interface to the terminal, the domain need be configured
as off.
port-number. In this example, the login interface is sent to the terminal
ttyp11. (` of ùname n` is not a single quotation marks but an
inverse single quotation marks)
Notice:
After some kernel parameters are changed in some Unix systems (such as the SCO system), the kernel parameters need
to be reconnected. Because each time the kernel is reconnected, the system will use /ect/conf/cf.d/init.base to conver
init.base automatically, and and the manual configuration of the table will be lost. Thereby, after finishing the configuration,
you should backup the table inittab. As long as you copy the table inittab to cover init.base, then the inittab configuration
will not be lost when the system reconnects
In the course t, after itest started up, the modification made in the table itest.conf can not take effect immediately unless
using the command refresh in the managing mode
Whenever the configuration of the table inittab has been modified, to make the modification take effect in the situation
UNIX doesnt restart, you must use the command init q to make the system scan the table again.
Once some Unix systems start up, they will occupy the pseudo terminals. So when the table itest.conf is configured, the
pseudo terminal number should start behind the pseudo terminal number occupied by the system. And it is recommended that
some numbers should be reserved.
10.3.2.6 Adjusting UNIX Kernel Parameters

When many terminals are connected with the UNIX server and there exist many services, it may occur that the default kernel
resource of the server isnt enough, which will result in various kinds of bugs. To ensure the system to run securely and
reliably, each kernel parameter of the UNIX server need be reconfigured and the distributed quantity of the relevant resource
should be increased.
Take how to adjust default kernel resource of the SCO UNIX 5 as an example:
Run netconfig and modify the two SCO parameters included by TCP/IP
Parameter
Meaning
The maximum connection number. In the version itest v3, each Itest
terminal occupies a TCP connection after login. Because other system
applications can also occupy TCP connections, so it is recommended that
the parameter value is configured as more than 1024.
The number of the system virtual terminals. It is recommended that the
Pseudo ttys 256
number is more than 256.
Run the command scoadmin-Hardware/Kernel Manager-Kernel|Tune Parameters to enter the menu of the core
TCP
1024
connections
parameters setting:
Select 7. Use the command User and group configuration to modify the following parameters:
Parameter
NOFILES
MAXUP
The maximum number of the files each process can open. For every
terminal in the version itest v3, after the terminal logs in, the number of
the files opened by the process itest increases 2. It is recommended that
the parameter should be 3 times of the number of terminals.
The maximum number of the processes. Because the system itself
occupies some processes, it is recommended that the parameter value
should be more than 800.
Select 12. Use the command Streams to modify the following parameters:
Parameter
NSTREAM
NSTRPAGES
STRSPLITFRAC
Meaning
Meaning
The number of the stream header structures. If there are more than 150
terminals to be configured, it is recommend that the parameter should be
configured as 6000.
The number of the pages. 4k per page. If there are more than 150
terminals to be configured, it is recommend that the parameter should be
configured as 3000.
If this value is too little, the stream buffer of the system will become
scraps soon. So it is recommend that the parameter should be configured
as 80.
Select 3. Use the command TTYs to modify the following parameters:
Parameter
Meaning
NCLIST
The number of the character table buffers. it is recommend that the

parameter should be configured as 2048.
Notice:
The command netstat m can be executed to examine the usage of the system stream resource. When some item occurs
FAIL, the values of the parameters NSTREAM and NSTRPAGES need be increased.
When there exists the prompt Too many open files in /tmp/itest.log, the value of the parameter NOFILES need be
increased.
10.3.2.7 TELNET Fix-terminal
To realize the fixation of terminal equipment-number for TELNET, use the function of TELNET fix-terminal. For example,
to fix the connection that adopts the telnet mode between 128.255.2.2 and the service port of Itest as ttyp21, add the
following row of configuration to the configuration file itest.conf:
/dev/ttyp21 128.255.2.2 comx termx
Notice that what following com and term must be x. and the other configuration (such as the configuration of the table
inittab) is the same as that in the fix-terminal mode.
To telnet the fix-terminal from the rotuer, add the option telnet into the template configuration of the router. And Itest service
port 3051 need also be added. For example:
terminal remote 5 tel 129.255.11.110 telnet 3051
To telnet the fix-terminal from a PC, execute the following command:
telnet 129.255.11.110 3051
multiple terminals can be distributed to one IP address. For example, use the following the command to distribute
ttyp21ttyp22 and ttyp30 to 128.255.8.8:
Note
When multiple telnet terminals are distributed to one IP address, it can be realized that only network terminal
equipments can be fixed.
10.3.2.8 Itest Terminal Management
Itest is a multi-process service program that brings some difficulties for process management, so the management control is
enhanced in the program. The management process of itest runs on the TCP interface 3055(Use the parameter -m to specify
other port) and enters the management mode.
Execute on the Unix:
telnet localhost 3055
telnet 127.0.0.1 3055
Execute on the remote terminal:
telnet ip-address 3055
Ip_addr is the IP address of the UNIX server.
By default, no username or password need be input for logging in the management port. To limit login,
In the default situation, a user can log in the managing port without inputting the user name and password. The command
itest s can be used to limit users logging in when itest starts. In this way, when a user wants to log in the management port,
he will be asked to input his user name and password. Different users have different management rights, while the user root
have all rights.
After the user enters the management mode, the prompt itest> is displayed; and the command help can be used to examine
the command format:
Command
Description
help
Display the command and the simple prompt.
task
Display the status of each task.
kill
Kill the terminal process (This command can be executed only
by the root user).
disable
Disable a certain terminal.
enable
Enable a certain terminal.
term
Display all the effective configuration read from the file
itest.conf.
pid
Display the process number corresponding to each terminal.
time
Display the configuration of shutting down a terminal
regularly.
Refresh the file itest.conf. The command of itest4.5 or higher

version can support adding/deleting/modifying the contents of
itest.conf. And the command of previous version can only
support adding the contents of itest.conf.
Monitor the terminal information.
Stop monitoring the terminal information.
Stop the itest service, namely killing all the itest processes
(This command can be executed only by the root user).
Exit from the management mode, but the service itest still
goes on operating.
refresh
debug
undebug
stop
exit
Note
1) The command
killkill
{pid | dev_name | A.B.C.D}
If the equipment number of some terminal is pty53 and the corresponding process number is 2045 (can be known by
means of using the command pid), the command kill p53 or kill 2045 can be used to kill the terminal process.
To kill all the terminal processes of some IP address (Assuming that the IP address is 196.77.8.2), the command kill
196.77.8.2 can be used to do it.
2) The command debugdebug ptypXX
Its debug information is written into the file /tmp/itest_dbg/ttypXX. This can be examined by the commands, such as
more, vi, cat, and etc.
10.4 Comparison of New/ Old Version of IOS Configuration
10.4.1 The Comparison of Terminal Number Distribution
For Maipu router, the distribution of COM/TERM number corresponding to V2.X.X or previous version of terminals is
different from that of V3.X.X or higher version. It is noticeable that the corresponding contents of the file itest.conf should be
configured according to the COM/TERM number distributed to each interface. For V.X.X or higher version of IOS, the
following two modes can be used to get the COM/TERM number distributed to an interface:
The fist mode: after the interface is encapsulated with the terminal protocol, the command show interface <> can be used to
examine the COM/TERM number:
For examplemp2600#show intface s1/0
serial1/0:
Flags: (0xd0) DOWN POINT-TO-POINT TRAILERS RUNNING
Type: TERMINAL
Queue strategy: FIFO , Output queue: 0/40 (current/max packets)
TERMINAL STATE: CLOSE, Flag = 0x0, COM 34, TERM 1

.
The second mode: after the interface is encapsulated with the terminal protocol and executes the terminal template, the
command show terminal <> can be used to examine the COM/TERM number:
mp2600#shos terminal
TermService version: 2.41
-------------------------------------------------------------------COM/TERM
Interface Type
State
Template
RH-State
[0123456789]
-------------------------------------------------------------------1/1
1: async4/0
T
WAITING
itest43
D DDDDDDD
2/1
2: async4/1
T
WAITING
itest43
D DDDDDDD
34/1
3: serial1/0
T
CLOSE
-------------------------------------------------------------------Type: T - Terminal, M - MPDLC
RH-State: D - DISCONNECT, C - CONNECTING, * - CONNECT
10.4.2 The Comparison of Interface Configuration

For the new version, after the interface is encapsulated with the terminal protocol, the command tx-on dsr will be added
automatically. And the command can be removed by means of using the command no tx-on dsr. Notice that when the
terminal interface is the modem interface or the interface connects with the external modem the command is tx-on dcd
instead of tx-on dsr.
10.4.3 The Configuration of Itest.conf Adopting Encryption and Compression
Itest4.2 or higher version of Itest can support data encryption and compression. The configuration of the router can refer to
section 1.1.1. For the configuration of itest.conf on the Unix server, the following configuration need be added (Be care of
case sensitive):
Data encryption: Add keyx behind comx termx of the file itest.conf. For example:
term1
keya
/dev/ttyp21
128.255.130.254
com9
Data compression: Add compress behind comx termx of the file itest.conf. For example:
/dev/ttyp18
128.255.130.254
com8
term1
compress
Data encryption and compression: Add both keyx and compress behind comx termx of the file itest.conf.(There
exists no requirement to the order of the added items) For example:
/dev/ttyp18
128.255.130.254
com8
term1
compress
Encryption compression and address authentication: Add both keyx, compress and mac behind comx termx
of the file itest.conf.(There exists no requirement to the order of the added items) For example:
/dev/ttyp11 128.255.130.254 com1
term1 compress keya mac 3601000004d9
An integrated example:
/dev/ttyp11 128.255.130.254 com1
term1
compress keya mac 00017a00a792
/dev/ttyp18
128.255.130.254 com8
term1
compress key=a
/dev/ttyp21
128.255.130.254 com9
term1
keya
/dev/ttyp28 128.255.130.254 com16 term1 compress

10.4.4 Examples of New/Old Configuration of Maipu Router
A configuration file in the old configuration mode:
mp2600# show running-config
.
line 0 15 mode terminal
.
line 0 15 flowctl soft 180
terminal 0 15 local 129.255.8.43
terminal 0 15 remote 0 unix-1 129.255.24.100 fix-terminal authentication
terminal 0 15 host 0 hesc-chars 8
terminal 0 15 hesc-chars 1
terminal 0 15 redraw console \E!9Q
terminal 0 15 redraw 0 \E!10Q
terminal 0 15 rbufsize 1024
terminal 0 15 tbufsize 2048
terminal 0 15 rx-delay on
terminal 0 15 print off
terminal 0 15 auto-linking 0
terminal 0 15 enable
A configuration file in the new configuration mode:
The interface is configured as follows:
mp2600#sho run int a4/0
Building Configuration...
Current configuration:
interface async4/0
speed 9600
databits 8
stopbits 1
parity none
tx-on dsr
exit
The terminal template is configured as follows:
terminal template itest43
terminal local 129.255.8.43
terminal remote 0 unix-1 129.255.24.100 fix-terminal authentication compress encrypt a
terminal remote 1 telnet-unix 129.255.24.100 telnet
terminal remote 2 rlogin-unix 129.255.24.100 rlogin
terminal hesc-chars 1
terminal host 0 hesc-char C
terminal host 1 hesc-char P
terminal host 2 hesc-char V
terminal redraw console \E!8Q
terminal redraw 0 \E!9Q
terminal redraw 1 \E!11Q
terminal rbufsize 4096
terminal tbufsize 10000
terminal retry-times 6
terminal rx-delay on
exit
Apply the template to the interface:
terminal apply itest43 async4/0 async4/15
Chapter 11
Security Configuration
This chapter will describe how to operate the security configuration of your MP2600 Router.
Maipu Networks Routers offer comprehensive network security features like:
1. PPP protocol supports (PAP and CHAP), which effectively prevents unauthorized connections.
2. Callback technology.
3. An IP protocol layer providing firewall protection, which filters unauthorized data packets.
4. Network Address Translation (NAT), which can hide your interior network and prevent exterior network attacks.
5. Access Control Lists (ACL), which can sort end users into up to 15 different classes depending on your needs. These
lists register a different series of commands available to individual users. They ensure that users with different rights will
only be able to access certain commands.
6. Encryption and key exchange technologies
11.1 Firewall Configuration
This section will look at:
Access Lists
Correlative Firewall Configuration
Applying Access Lists To An Interface
Monitoring And Maintaining Your Firewall
Access Channel Configuration
Time Limit Packet Filtering
Media Access Control (MAC) Address Packet Filtering
A Few Points About Firewall Configuration
Examples
11.1.1 Access Lists
A. How To Edit A Standard Access List
A standard access list can filter your network communications based on packet header source addresses. You can define a
standard access list with within the access-list command, and delete it at any time by placing the no command in front of the
command in global configuration mode.
router(config)#access-list ?
Command
Description
<1001_2000>
The number range used in an extended access list.
<1_1000>
The number range used in a standard access list.
router(config)#access-list 1 ?
Command
Description
Deny
Denies access.
Permit
Permits access.
router(config)#access-list 1 deny ?
Command
Description
A.B.C.D
The format of the source address
Any
The short form of the source address 0.0.0.0 and
the source address wildcard 255.255.255.255
Host
The short form of the source address 0.0.0.0.
router(config)#access-list 1 deny A.B.C.D ?
Command
Description
A.B.C.D
Wildcards applied to source address are
expressed with dotted decimal notation. This
masks rebel code. If a bit is marked 1, that
means that the bit is indifferent.
router(config)#access-list 1 deny A.B.C.D a.b.c.d ?
Command
Description
Log
Logs output to the console about the access list.
This is an optional function.
To define a standard access list:
router(config)#access-list access-list-number list number, number<1_1000> for a standard access list

Command
Description
{deny | permit} source [source-wildcard] [log]
Source: the source address.
Source-wildcard: the source addresss wildcard.
Deleting an access list:
Command
Description
router(config)#no access-list list-number
This deletes an access list.
List-number: the deleted access lists number.
You can define a standard access list named after a title or serial number with the following codes:
(You can delete this list by placing no in front of the command code part thats in bold type.)
router(config)#ip access-list ?
Command
Description
Extended
Designates an extended access list definition.
Standard
Designating a standard access list definition.
router(config)#ip access-list standard ?
Command
Description
<1_1000>
List number
WORD
List name
Command
Description
router(config)#ip access-list standard 1
Enters the access list configuration mode.
router(config-std-nacl)#?
Command
Deny
Description
Denies access, if the conditions in the access list
arent successfully met.
End
Exit
Help
No
Permit
router(config-std-nacl)#deny ?
Command
A.B.C.D
Any
Host
router(config-std-nacl)#deny A.B.C.D ?
Command
A.B.C.D
router(config-std-nacl)#deny A.B.C.D a.b.c.d ?
Command
Log
Permits access, if conditions in the access list are

successfully met.
Description
Source address.
Source address 0.0.0.0 255.255.255.255
Source address 0.0.0.0
Description
The wildcard applied to the source address.
Description
Logs output to the console about the access list.
This is an optional function.
Command
Description
router(config)#ip access-list standard {name |

access-list-number}
router(config-std-nacl)#{deny | permit} source
[source-wildcard] [log]
router(config-std-nacl)#no {deny | permit} source
Defines a standard access list in global

configuration mode.
Defines a rule in the list in access list
configuration mode.
Deletes a rule from the list
[source-wildcard] [log]
Example: Construct an access list named number 2 (see following table), then define three rule items and apply this list 2 to
Ethernet interface 0. Among the packets from Ethernet interface 0, those packets that come from the host 92.49.0.3 in the
subnet 92.49.0.0 will be allowed. All the packets from any host within the subnet 92.48.00 will be permitted, too. All
others will be denied.
Command
Task
router(config)# access-list 2 permit host 92.49.0.3

log
router(config)# access-list 2 permit 92.48.0.0
0.0.255.255
router(config)# access-list 2 deny any
Permits the packets from the host IP 92.49.0.3

in the subnet 92.49.0.0.
Permits all packets from any host in the subnet
92.48.0.0.
Denies other packets.
router(config)# interface ethernet 0

router(config-if-ethernet)# ip access-group 2 in
The following commands have the same effect:
Command
Applies list 2 to Ethernet interface 0.
Task
router(config)# ip access-list standard 2

router(config-std-nacl)# permit host 92.49.0.3 log
router(config-std-nacl)# permit 92.48.0.0
0.0.255.255
router(config-std-nacl)# deny any
Permits the packets from the host IP

92.49.0.3 in the subnet 92.49.0.0.
Permit all packets from any host in the subnet
92.48.0.0.
Denies other packets.
router(config-std-nacl)# exit
router(config-if-ethernet)# ip access-group 2 in
Applies list number 2 to Ethernet interface 0.
Use the following series of commands when only one rule is to be deleted:
Command
router(config)# ip access-list standard 2
router(config-std-nacl)# no permit host 92.49.0.3 log
router(config-std-nacl)# exit
B.
Task
How To Edit An Extended Access List
An extended access list can be used to filter IP communications not only according to the source address and the destination
address of the packet header, but also according to the fields included into the IP, UDP, TCP, ICMP and IGMP packet
headers.
The command router71(config)#access-list 1001 ? 1001-2000 indicates an extended access list.
Command
Deny
Permit
Description
Denies access.
Permits access.
router(config)#access-list 1001 deny ?

Command
Description
<0_255>
Number showing ALL kinds of protocols
ICMP
Internet Control Message Protocol (ICMP)
IGMP
IP
TCP
UDP
Internet Group Management Protocol (IGMP)

All Internet Protocols
Translation Control Protocol (TCP)
User Data Protocol (UDP)
You can define an extended access list on a number in extended access-list format.
You can delete the list with the no command in global configuration mode.
access-list access-list-number {deny | permit} protocol source source-wildcard [operator port [port]] ] destination
destination-wildcard [ICMP-type] [igMP-type] [operator port [port]] [ack / fin / established / psh / rst / syn / urg] [precedence
precedence] [tos tos] [log]
Syntax
Access list number
Protocol
Source
Source-wildcard
Destination
Destination-wildcard
Precedence
TOS
Log
ICMP-type
IGMP-type
Operator
Port
Port Number
Ack / fin / established / psh / rst / syn / urg
Description
List number
Protocol
Packet source address
Source address wildcard
Packet destination address
Destination address wildcard
Priority
Type of service
Record permit or deny packets in the logging at
several minutes interval
Message type of ICMP
Message type of IGMP
Port Comparison
Port
Port number
TCP flag bit
You can define an extended access list based on a name or a number according to the following steps.
whole list with the no command in global configuration mode.)
ip access-list extended {access-list-number/name}
Syntax
access-list-number
(You can delete the
Description
An access list number, always a decimal number
between 1001 to 2000
[no] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
Syntax
Deny
Permit
Protocol
Source
Source-wildcard
Description
Denies access.
Permits access.
The protocols name or number. It may be one
of the following keys: ICMP, IGMP, IP, TCP or
UDP. Or it is expressed with a decimal number
between 0 and 255. The IP keyword can match
any protocol.
The host or network that the packet is coming
from, namely the source address of the packet.
It can be expressed three ways: the first is through
dotted decimal notation. The second is through
the any keyword, which is the short form of the
source address 0.0.0.0 and the source address
wildcard 255.255.255. Thirdly, this can be
expressed as the host source, or the source address
with the 0.0.0.0 wildcard.
The wildcard applied to the source address. It
can be expressed three ways. The first is
through dotted decimal notation, or the network
Destination
Destination-wildcard
Precedence
TOS
LCMP-type
LCMP-code
IGMP-type
Operator
Range
ack, fin, psh, rst, syn, ur
Established
Name
mask rebel code. (The bit marked 1 means that

that bit is indifferent.) The second way this can be
expressed is through the any command, which is
the short form of noting the source address 0.0.0.0
and source address wildcard 255.255.255.255.
Thirdly, this can also refer to the host source,
which stands for the source address and the
source address with the 0.0.0.0 wildcard.
The destination network or a host, namely the
destinations address. It can be expressed three
different ways, like the source address above.
Please refer that definition.
The wildcard applied to the destination address. It
can be expressed three different ways, like the
source address wildcard above. Please refer to
that definition.
The packet priority. It can be ranked by in
number from 1 to 7, or the name of a priority.
(The titles within can include: critical, flash,
flash-override, immediate, internet, network,
priority and routine.). Optional function.
The packet service type. It can contain a number
from 0 to 15 or the name of a service type (The
titles within it can include: max-reliability, maxthroughput, min-delay, min-monetary-cost and
normal). Optional function.
The message type of an ICMP packet. It can be
expressed through a number from 0 and 255 or
the name of a message type. Optional function.
The code type of an ICMP packet message type,
which can be expressed with a number from 0 and
255. Optional function.
An IGMP packet message type that can be
expressed with a number from 0 and 255.
Optional function.
Used to compare a source port and a destination
port. There are five kinds of values that can be
compared between the two ports: less than, more
than, equal to, unequal to, and range. If the
operational character comes after the source
address and the source address wildcard, it is
applied to the source port. If the operational
character comes after the destination address and
the destination address wildcard, it is applied to
the destination port. Optional function.
Used to define when the operator demands two
port-numbers, and other operators demand one
port number.
Used to match the TCP flag bit, including:
Acknowledgement flag, finishing flag, promptly
sending flag, restoration flag, synchronization
flag, and urgency flag. Optional function.
Indicates successful connection. If the TCP packet
contains ACK or RST, the packet will be
matched. Only the packet for initial connection
isnt matched. Optional function.
Refers to the name of an access list. The name is
used to distinguish it from other lists. It cant
include any blank characters and the first
character must be a letter.

11.1.2 Correlative Firewall Configuration
To display the access list log:
Command
router# debug ip packet access-list
router# undebug ip packet access-list
Description
Permits access list display.
In the privileged used mode, the default permits
display.
Doesnt permit list display.
When the access list log switch is open, the number of items displayed by each rule in the global configuration mode by
default is, at best, 0. This means the number of displayed items isnt limited.
Command
Description
router(config)# firewall verbose-limit number
A number from 0 to 4,294,967,295.
Firewall Default Rules

To filter all record routing packets:
Command
Description
router(config)# firewall default-deny
Denies all packets. In the global configuration mode,

the default setting will automatically be set to deny
all packets.
router(config)# no firewall default-deny
Permits all packets.
Command
router(config)# ip record-route
router(config)# no ip record-route
To filter all source routing packets:
Command
router(config)# ip source-route
router(config)# no ip source-route
To filter a directional broadcast packet:
Command
router(config-if-xxx)# ip directed-broadcast
Description
Permits packets with a route recording option.
In the global configuration mode, the default
will permit the packet with an IP recording
route option (ie. recording routing or time
label).
Denies all packets with a recording route
option.
Description
Permits all packets with source routing.
In the global configuration mode, the default setting
will permit a packet that has an IP source route
option (ie. lose source routing or strict source
routing).
Denies packets with a source route option.
Description
Permits the interface to send a directional
broadcasting packet.
router(config-if-xxx)# no ip directed-broadcast
Denies the sending of a directional
broadcasting packet. In the interface
configuration mode, the default setting will
deny a directional broadcasting packet.
To permit an interface or a sub-interface to send a mask-reply ICMP packet:
Command
Description
Router(config-if-xxx)# ip mask-reply
Permits an interface to send an ICMP mask-
reply packet.
Denies the sending of an ICMP mask-reply
packet.
In the interface or sub-interface
configuration mode, the default setting will
refuse to send an ICMP mask-reply packet.
To permit an interface or a sub-interface to send an ICMP redirecting packet:
Command
Description
router(config-if-xxx)# ip redirects
Permits the interface to send an ICMP
redirecting packet.
In the interface or sub-interface configuration
mode, the default setting
permits the
interface to send an ICMP redirecting packet.
router(config-if-xxx)# no ip redirects
Doesnt allow the interface to send an ICMP
redirecting packet.
To permit an interface to send an ICMP unreachable packet:
Command
Description
router(config-if-xxx)# ip unreachables
Permits the interface to send an ICMP
unreachable-packet. In the interface or subinterface configuration mode, the default
setting will permit the interface to send an
ICMP unreachable-packet.
router(config-if-xxx)# no ip unreachables
Doesnt allow the interface to send an ICMP
unreachable-packet.
Router(config-if-xxx)# no ip mask-reply
11.1.3 Applying Access Lists To An Interface

After you construct an access list, it can be applied to a number of interfaces. The access list can be applied inward or
outward. In the interface configuration mode, use the command IP access-group to control the interface access. Use the
no command to remove the access list from the interface.
router(config-if-xxx)#[no] ip access-group {access-list-number | name} {in | out}
Syntax
Description
Access-list-number
A number from 1 to 2,000.
Name
The access list name.
In
Filters the inward packet.
Out
Filters the outward packet.
After a packet is received to the inward standard access list, the packet source address will be checked against the access list.
On an extended access list, the firewall will check fields such as the destination address and protocol other than the source
address. If the packet is permitted by the access list, the routing software will process it successively. If the packet isnt
permitted, the software will lose the packet and will send an ICMP unreachable-packet to the source address.
After the packet is received and routed to an interface, to the outward standard access list, the firewall software checks the
packet source address against the access list. To an extended access list, the firewall checks fields like destination address
and protocol (and so on) along with the source address. If the packet is permitted by the access list, the routing software
will transmit it. Otherwise, the software will discard the packet and will send an ICMP unreachable-packet to the source
address. Note: If you havent built an access list, all packets coming through the interface will be permitted.
For example, you can apply the extended access list 1,001 to the inward Ethernet interface 0 and the standard access list to
the Ethernet outward interface 0. Then exit the interface configuration mode.
Command
router(config-if-ethernet0)# ip access-group 1001 in
router(config-if-ethernet0)# ip access-group 10 out
router(config-if-ethernet0)# exit
Task
Applies the extended access list 1,001 to the
inward Ethernet interface 0.
Applies the standard access list to the outward
Ethernet interface 0.
11.1.4 Monitoring And Maintaining Your Firewall

To display the contents of an access list in the privileged user mode:
router# show access-lists [access-list-number / name]
Syntax
Description
access-list-number / name
The access list number or name.
If you dont input a name or number, all of your access lists will be displayed.
To show certain access lists, input:
router# show access-lists
Output result:
Extended ip access list: 1001
permit ICMP any any 8 0 log
4 matches
permit tcp any any syn log
1 matches
permit ICMP any any echo-reply log
4 matches
permit tcp any any established log
4 matches
Here, the matching times correspond to the filtered packet-matching rule.
To display the an access list application to the interfaces:
router#sh ip int list
Output result:
Interface fastethernet 0
Outgoing access list is 2
Inbound access list is 1
Interface serial 2
Outgoing access list is not set
Inbound access list is 1001
To clear the access list counter in the privileged user mode
router# clear access-list counters [access-list-number | name]
Without a name or number, all access list counters will be cleared. You can use the following command to clear access-list
counters:
router# clear access-list counters
To show access lists, input:
router# show access-lists
Output result:
permit ICMP any any 8 0 log
0 matches
permit tcp any any syn log
0 matches
permit ICMP any any echo-reply log
0 matches
permit tcp any any established log
0 matches
Note: Because the counter was set with a value of 0, the matching time is 0.
You can also monitor and maintain the firewall by examining an access list log. Log records include information such as
the source address, the destination address, the protocol type, the port number, and the sending and receiving interfaces, et
cetera. To access this function, input:
router#debug ip packet access-list
11.1.5 Configuring An Access Channel
Notes:
1) Many interface channel rules should be configured in a certain order based on priority.
2) Try to avoid simultaneously configuring a series of interfaces with channel rules. If a data packet passes through
two interfaces with channel rule configurations, the data wont be permitted through the system until it passes
examination by both sets of rules.
3) Please do not configure a firewall and an access channel on the router at the same time. This will cause a major
malfunction.
4) An access channel can only adapt to a simple set of conditions.

firewall based on an access list. (Please refer to Section 1.1).
To add an interface configuration mode rule:
router(config-if)#[no] access-tunnel destination
Syntax
For more complex rules, please configure a
dest-mask [directly]
Description
Destination
Dest-mask
Directly
Destination address
Mask
Used to mark the addresss direction. If it is set, the
direct connection will be located between the
destination address and the interface (ie. the host IP
address will be coming from the subnet connected
to the interface), or else the indirect connection
between them ie. a router is between them.
Optional function.
Deletes a rule.
No
Example of an access channel configuration (Figure 2):
router
f0
s0
Outer network
Subnet1
A network
e0
123.56.7.0/24
Subnet2
Host 1
123.45.6.7
Host 2
123.45.8.9
Example 1:
Please examine Figure 2. If you want all the machines in the interior subnet1 and subnet2 to have permission to access the
exterior host1 and host2, you would input the following configuration code:
Command
Task
router# config terminal
router(config)# interface serial 0
Configures the interface s0.
router(config-if-serial0)# access-tunnel 123.45.6.7
Accesses host1s access channel.
255.255.255.255 directly
router(config-if-serial0)# access-tunnel 123.45.8.9
255.255.255.255 directly
router(config-if-serial0)# exit
router(config)# exit
Because the direct orientation access channel is configured on the interface s0, that interface will check whether or not the
source address matches the channel address when s0 receives a data packet. When such a message is sent to the system, the
destination address will be checked and the unmatched address packet will be denied.
Example 2:
Please examine the following Figure 2. If you want subnet1 to access host 1, host 2 and the exterior network subnet
123.56.7.0/24 without restricting subnet 2s access, you would input the commands below. Note: In this example, the
access channel cant be set on the exterior interface s0 it should be set on the interface f0, which is connected to the subnet1.
Command
Task
router(config)# interface f0
router(config-if-fastethernet0)# acce 123.45.6.7
255.255.255.255
255.255.255.255
255.255.255.0
router(config-if-fastethernet0)# exit
Configures the interface f0.

Accesses network 123.56.7.0s access code.
11.1.6 Time Limit Packet Filtering

You might want to set your networks up so that all of the machines within a network fragment can access a server at a certain
time, say the regular weekday business hours of your business. But, at the same time, you might want to permit exceptions
to that rule, by allowing users to access your system on a Saturday afternoon, for example.
All the time-based demands you might have can be met through defining a time range in the router and activating security
mechanisms to bind that time range to the packet filtering process.
Time Range
A time range is, simply, a set of time segments of your choosing that allows users to access the network. There are
two kinds of time segments: a relative time segment and an absolute time segment. The former refers to a weekly
segment. The latter refers to a segment covering a certain date (ie. x month, x day, x year).
To define a time range in the configuration or interface mode:
Command
Maipu26(config)# time-range
Maipu26(config)# no
time_range_name
time-range time_range_name
Task
This command will allow you to enter a
time range configuration mode. If a time
range doesnt already exist, a new one will
be created.
Deletes a time range through the command
no.
To define a relative time segment in the time segment configuration mode:

Command
Description
periodic [days-of-the-week] [hh:mm] to [days- This checks whether an equivalent structure has
of-the-week] [hh:mm]
existed before you add a new time segment. If the
time segment doesnt exist, a new one will be
created.
Note: You can delete a segment by imputing the
no command.
The date default is set daily.
0:00 and 24:00, respectively.
The time default is
To define [days-of-the-week] [hh:mm], you can input, for example:

Command
Task
periodic 8:00 to 17:30
Sets the relative time segment from 8:00 to 17:30
periodic weekday Saturday 8:00 to 17:00
Sets the relative time segment on weekdays
(Monday to Friday) and Saturday from 8:00 to
17:00.
periodic Friday 17:30 to Monday 8:00
Sets the relative time segment from 17:30 on a
Friday to 8:00 the following Monday.
To define an absolute time segment:
Command
Description
absolute
[start time date]
[end time date]
To define [start time date] [end time date]:

Command
absolute start 8:00 31 January 2004 end 8:00
15 February 2005
Note: You can omit the start and end clauses by

using the no command, which tells the system when
it can start or stop allowing access.
Task
Sets the absolute time segment to 8:00 on January
31, 2004, to 8:00 on February 15, 2005.
Time Range Applications

Displaying a time ranges status: Whether the time range works or not depends on its current status (ON or OFF),
regardless of the filtering rule or access list the time range might be bound to. That current status will also
correspond to its respective time segment status
Clearing or changing a time range status: A time range will be cleared within a minute in default mode. You may
have to wait up to 60 seconds before any of your changes are applied to the system.
Cisco Configuration Comparisons
A Cisco router permits an absolute time segment rule within a time range, while a Maipu router can allow many
absolute time segment rules within the system. The absolute time in Cisco systems is a genuine form of absolute time
and the date must be set according to a rigorous format: day, month and year. But Maipu router products tells time
in a kind of relative way, so the month and year in a date can be omitted.
Dealing With Time Judgment Issues
Binding Time Ranges To Packet Filtering
Packet filtering will work only when the time range status is ON.
setup. For example:
Command
Permit any log time-range t_r_name1
Access-list 1001 deny TCP any any time-range
t_r_name2
The command format is consistent with Ciscos
Task
Add the time range name at the bottom of your filtering rules. Its position comes after the log file, just like in Ciscos
router systems. Note: There isnt a special command that you can use to cancel the binding relationship. If you
want to cancel the command, you first have to delete the filtering rule and then resubmit the same rule without
imputing a time limit.
When the router compares a data packet against the filtering rules, the trange term will not participate in this
matching process. In fact, when a time range is bound to two filtering rules, the rules are considered to be the same
by the router. If there were two different filtering rules for the same task in an access list, then the time limit rule
would not work at all.
Filtering:
Whether a filtering rule thats bound to a time range will work or not is dependant on the time ranges current status.
When a data packet is filtered, each filtering rule in the access list youve applied will be matched against it one by
one. If a filtering rule is bound to the time range, and the time range status is OFF, then the rule will be skipped in
the system and the next filtering rule will be matched against it.
Note: If the current time-range status is set to OFF, all of the bound time ranges will not work. (Please refer to
Chapter 5, Environment Parameters.) All of the filtering rules, no matter whether they are bound to time ranges or
not, will participate in the filtering procedure.
Binding a time range to an access list
Binding a time range to an access list is considered the equivalent of binding a time range to each filtering rule within
the access list.
This operations command is:
ip time-range time-range-name access-list a-l-name| a-l-number
Your can remove the binding by using the command no. Note: When this type of access list filters a packet, the status of
the time range should be the first thing to be examined by the system. If the status of the bound time range is set to OFF, all
of the filtering rules will be ignored and this access list will be considered the equivalent of an empty list by the system.
1.
Configuring time range environment parameters
The timelive time inverse accumulated counter default frequency is set at one minute.
The configuring command is as follows:
Command
Set time-range frequency number
Description
Number refers to the time difference between
the two times being cleared by the system.
The time difference unit is 60 seconds, and is
stored at the
range-frequency global
variable.
The counter and system time difference is, by default, 100 seconds.
The configuring command is as follows:
Command
Set time-range max-offset number
2.
Description
Once the time difference is overstepped, the
status of every time range will be judged
again. Timelive will be computed and the
accumulated time of the counter will be
updated. The max difference time is stored at
the global variable: time_max_offset.
Time range enabling switch
When the default switch value is ON, every bound entity will have a time limit. If the status of the switch is set to
OFF, every bound time range will not work, and all clauses with the name time-range to will be ignored by the filter.
(To the access list, the binding relationship wont even exist.) The switchs status value is stored at the global
variable named trange_enable.
Command:
Command
Set time-range disable
Description
[OFF]: Once the switch is set to OFF, the time
range refreshing process thats running in the
background will be aborted.
Set time-range enable
[ON]
11.1.7 Media Access Control (MAC) Address Packet Filtering
The MAC address can filter the source address of a data packet at the interface level.
The main contents of this section are:
Setting An Access List
Adding Filter Rules
Binding An Interface.
A. Setting An Access List
An access list can be added in the configuring mode. There are two kinds of adding modes:
Command
Description
Mac access-list standard 2001-3000 | name
This mode can locate the special access list and
enter the configuration mode of the access list.
Access-list number permit deny
No mac access-list standard number|name

No access-list number
Adding Filter Rules:
Command
permit|deny any | host macaddress | macaddress
macmask
If the access list does not exist, a new access list

will be created. In the access list configuration
mode, you can configure an access lists filtering
rule.
This mode can add a filtering rule to a specified
access list directly in configuration mode. If the
access list doesnt exist, a new one will be created
and the mode wont change.
Deletes the access list.
Deletes the access list.
Description
This command can be executed in the access
list configuration mode. You can delete a
rule with the using the no command.
Note: The second mode listed in the preceeding table [Access-list number permit deny] can also be used to add a filtering
rule. (When using this command with a Cisco system, you can add an access list and a filtering rule. However, Cisco
only provides a command to delete an access list. It doesnt provide a corresponding command to delete a filtering rule.)
Command
router(config)#mac access-list standard 2002
router(config-std-mac-nacl)#permit host 1.1.1
router(config-std-mac-nacl)#permit 2.2.2 0.0.ffff
router(config-std-mac-nacl)#deny any
C.
Task
Binding An Interface:
A binding can be configured in the interface mode.
You can use the no command to remove it.
Command
mac access-group number|name in|out
Description
11.1.8 Reflect Access List

A reflect access list can be used to realize that: 1) the connection between network A and network B can be established
through a router; 2) Network A can forwardly access network B, however network B can not forwardly access network A.
The configuration commands of reflect access list are listed as follows:
Syntax
Descriptions
permit ip 129.255.0.0 0.0.255.255 128.255.0.0
0.0.255.255 reflect AtoB
Add a keyword reflect behinds the extended access

list, and name the reflect access list after AtoB.
exit
evaluate AtoB
exit
Create an additional access list, and configure an item

to refer to the reflect access list AtoB that has been
defined above.
The following case of simple configuration is used to describe the configuration and usage of the reflect access list.

)

3&B$
)

3&B%
To realize that PC_A can access PC_B and PC_B has no way to access PC_A, MP router should be configured as follows:
Syntax
Descriptions
router(config)# ip access-list extended 1001
Define the extended

access list 1001.
router(config-ext-nacl)# permit host 129.255.43.2 host 128.255.43.2 reflect

AtoB
Define the reflect access

list AtoB.
router(config-ext-nacl)# exit
router(config-ext-nacl)# evaluate AtoB
router(config-if- fastethernet1)# ip access-group 1001 in
router(config-if-ethernet)# exit
router(config-if- fastethernet0)# ip access-group 1002 in
router(config-if- fastethernet0)# exit
11.1.9 The Configuration and Usage of Security Accounting
Security Accounting is a special function of MP router cooperating with MP security accounting server, mainly applied
to user charge, user bandwidth control and user authentication control etc.
Generally, the topological structure is : the user of the network connecting with some interface of the router can not access
Ethernet until he passes the user authentication successfully. Generally, the interface can not support direct-connection users
except the direct-connection servers.
Related configuration:
1) Configure a direct-connection server:
If the user can not pass the user authentication successfully, all packets of the user are denied. But some connection
with some servers, such as DHCP server, DNS server and authentication server must be permitted. A system manager
can, through the router, perform the direct-connection configuration of those servers and packets communicating with the
servers are permitted to pass:
Use the following command to configure a server.
flux-control server [addr1 addr2.]
Use the following command to delete some direct-connection server:
no flux-control server [addr1 addr2.]
3) Configuring an internal interface:
An internal interface is a restricted interface, through the interface the internal user can connect to the router. And
Security and Accounting can take effect on nothing but the packets entering the internal interface.
fluc-control interface [interface1 interface2.]
Use the following command to cancel an internal interface.
no
fluc-control
interface [interface1 interface2.]
1) Configure the Web authentication server (Authentication interception):

To configure the transparent authentication, that is to say that the system can automatically send the authentication
page to the user when the user tries to connect to Ethernet, please use the following command to configure the Web
authentication server on the router.
flux-control web-server addr [port server-port ] [interface interface-name]
When the server is configured as the Web authentication server, the server can also serve as the direct-connection
server simultaneously.
Recommend: the interface parameter, which is used to connect the server and the router, had better follow the
command; otherwise, the system will, according to the route, automatically judge the network segment, at which the
router is located, and determine the connection interface. And if firewall configuration precedes route configuration,
some unexpected errors may happen and authentication interception will be unsuccessful.
Use the following command to delete the configuration:
no flux-control webserver
Authentication interception will be closed automatically and the direct-connection server with the same address
will be deleted.
1) Open Security accounting
flux-control on
Close Security accounting
flux-control off
if Security accounting is opened again after closed, the configuration will not be lost.
2) Display the related information:
Display the simple information:
show flux-control
The command above is used to display current basic configuration, status and user IP addresses of authenticated
users.
For example:
router#show flux-control
flux-control server 128.255.253.80 128.255.250.170
flux interface ethernet0
Web_server: 128.255.250.170:8000 connet interface: ethernet0 redirect flag :1
current flux-control state: ON
current login user IP:
128.255.251.89
128.255.252.61
Display the detailed information:
show flux-control detail
If the detailed information is displayed, the packet filtering rules of the user passing user authentication will also be
displayed.
For example:
router#show flux-control detail
flux-control server 128.255.253.80 128.255.250.170
flux interface ethernet0
Web_server: 128.255.250.170:8000 connet interface: ethernet0 redirect flag :1
current flux-control state: ON
current login user IP:
128.255.251.89
rule no:0 PERMIT dst range:0.0.0.0 - 255.255.255.255
Send: 417 / 417 bytes; Receive: 1389 / 1389 bytes.
128.255.252.61
rule no:0 PERMIT dst range:0.0.0.0 - 255.255.255.255
Send: 782 / 782 bytes;
Receive: 5628 / 5628 bytes.
3) Display the record of Web authentication address translation

show flux-control redirect
The system will display a record of address translation, of which, scr-ip and src-port are user source address and
user source port, dst-ip and dst-port are user destination address and user destination port, state represents the record
state (0 means that only one syn message of the user is received and 1 means that multiple messages have been received
or a connection has been established), age represents the aging time (by second) in which the connection is live.
If the user and server follow the same interface, termp-in and termp-port, which serve as frame-relay address and
port temporarily, will be displayed.
For example:
router#show flux-control redirect
src-ip
src-port dst-ip
dst-port
128.255.251.89 1035
192.168.1.200 80
128.255.251.89 1034
192.168.1.200 80
7) About bandwidth limit:
temp-ip
temp-port
128.255.251.88 54345
128.255.251.88 54089
state age
1
24
1
24
When the authentication server performs bandwidth limit for some user, the bandwidth limit is realized factually on
the router.
Its mechanism is that the flow limit is performed in unit time. When there exists the limit, the bi-directional flow in
the unit time can not exceed the bandwidth limit.
Notice: by default, the flow limit of a message is performed only for egress messages. This is because that: when
performing the flow limit, ISP mainly allows for the bandwidth of the egress line connecting with a router; since there
exist ingress user messages, which have consumed the bandwidth of the egress line in fact; it is unreasonable to deny the
ingress messages after the comprehensive consideration. So, when there exist some user ingress messages, whether the
used bandwidth has exceeded the bandwidth limit or not, these messages will be permitted
When the system adopts the default configuration, the factual flow permitted will be more than the bandwidth
control in a small degree if the quantity of user messages is by far more than its bandwidth limit. The deviation between
the factual flow and the bandwidth limit depends on network delay and the configured unit time.
To perform the bandwidth limit for ingress messages, use the following command.
flux-control band-in
use the following command to cancel the configuration.
no flux-control band-in
The unit time of bandwidth sampling is 3 seconds by default.
Use the following command to change the unit time:
flux-control cell-time number
11.1.10 A Few Points About Firewall Configuration
A. Preventing Messages From Dummy Addresses.
B. Applying An Access List.
C. Locating A Packet Filter.
A.
Preventing Messages From Dummy Addresses
The packet filter sifts through data in the packet coming in, coming out or coming through the network in both directions.
For reasons of efficiency, many packet filters only examine a data packet traveling in one direction.
6XEQHW PDVN

1HW ZRU N
, QW HU L RU
L QW HU I DFH
5RXW HU
, QW HU L RU
L QW HU I DFH
([W HU L RU
L QW HU I DFH
, QW HU QHW
Dummy packet coming from

source address
6XEQHW PDVN

1HW ZRU N
6RXU FH DGGU HVV
An exam ple ofdum m y address cheat
If the packet was filtered when it was sent out through a router, some information will be lost. This means that the interior
network can easily be attacked by a user with a fake (or dummy) address, as shown in the preceding figure.
In that figure, the network 135.12.0.0 is connected to the Internet through a router. That interior network has two subnets.
The network subnet masks to both subnet 10 and 11 have the following address: 255.255.255.0. A packet from the fake IP
address 135.12.10.201 is shown coming from an exterior TCP/IP host. It is then received by the routers exterior interface.
If the router is set to filter incoming data packets, the dummy packet will be quickly noticed and it will be prevented from
entering the network. Since the router knows that the network 135.12.10.0 is connected to a different (ie. interior) interface,
it knows the packet cant be coming from an exterior interface. But if the packet filter is only set to examine the outgoing
data packets, the router wont be able to check the exterior interface and the message from the dummy address will enter the
network.
In order to add more security to your network, you can add some anti-cheat rules to your incoming access list to bind the
filter to an exterior interface. The aim of this is to tell the router to refuse both interior network source addresses and invalid
source addresses. Invalid source addresses can include a non-registered address, a loop-back address and a broadcasting
address. Hackers often use these types of source addresses to prevent them from being tracked and discovered by a network
manager.
The following commands can be added to the inward access list that is applied to your exterior interfaces. They will prevent
some dummy IP addresses.
access-list 1001 deny ip 135.12.10.0 0.255.255.255 any (an interior network)
access-list 1001 deny ip 135.12.11.0 0.255.255.255 any (an interior network)
access-list 1001 deny ip 10.0.0.0 0.255.255.255 any (a reserved IP address)
These anti-cheat rules should be stored in your system before any other rules on the inward access list. This will ensure that
only packets containing a valid IP address will be checked against the remaining rules.
B.
Applying An Access List
The task of applying an access list should immediately follow its construction. If the access list doesnt have any rules
applied to an interface, any data valid or invalid can be permitted into your network.
Hint: You should not apply an access list without any interface definitions. You should remove an access list from the
interface before any changes are made to the system.
Each interface can have an inward access list and an outward access list, but you cant have two or more kinds of the same
list inward and outward rules must be on the same list. When more than one access list is applied to the router, only the
last access list youve added will work.
C.
Locating A Packet Filter
The security filter can often sift through data in an inward direction and drop distrustful-looking packets. This will prevent
dummy addresses from cheating the system before all of the packets are routed. But a packet filter works in the opposite
manner of a traffic filer, which examines information traveling out of the network and prevents needless packets from
occupying a special data link.
You should consider your CPU resources for processing an access list and routing activity. If most of your packets are
filtered out after theyve been routed through the system which is, of course, referred to as inward filtering you will
probably save some CPU space.
The standard access list should be placed as close to the source address as possible in order for your network to communicate
quickly with another host or network. That way, when a packet is denied, bandwidth and CPU space thats being occupied by
the packet wont be wasted.
Because an extended access list has the function of precisely identifying a packet, it should be used as close to a source address
as possible in order to prevent the denied packet from occupying the bandwidth and CPU. On the other hand, because of the
complexity of the extended list, you will be adding processing burdens to your bandwidth and CPU.
11.1.11 Examples
Example 1:
, QW HU L RU
QHW ZRU N
131.44.0.0
H
Router
131.44.1.1
V
([W HU L RU
QHW ZRU N
, QW HU QH
W
Note: The above example shows a network with the following security policies in place:
All interior network hosts (131.44.0.0) can access any TCP Internet service.
Exterior hosts can access the SMTP service in the mail gateway 131.44.1.1, but cant access the interior network
itself.
All ICMP messages will be blocked.
These policies can be configured on the router by imputing the following series of commands:
Command
router(config-ext-nacl)# permit TCP 131.44.0.0
0.0.255.255 any
router(config-ext-nacl)# permit ICMP any
131.44.0.0 0.0.255.255
router(config)# access-list 1002 permit TCP any
131.44.0.0 0.0.255.255 established
router(config)# access-list 1002 permit TCP any
host 131.44.1.1 eq 25
router(config-if-ethernet0)# ip access-group 1001 in
router(config-if-serial0)# ip access-group 1002 in
router(config)#
Example 2
Task
Defines an extended access list as 1,001.

U RXW HU
H
, QW HU L RU
QHW ZRU N
V
([W HU L RU
QHW ZRU N
, QW HU QHW

The above example shows a network with the following security policies:
The outer email and news servers can be permitted to access Interior Host 144.19.74.200 and Host 144.19.74.201.
DNS access in the gateway server 144.19.74.202 is permitted.
The interior hosts are permitted to access all TCP services in the exterior network, except Gopher and Web servers.
All above policies can be configured on the router as follows:
Command
Task
router(config)# ip access-list extended ether-in
router(config-ext-nacl)# deny TCP 144.19.0.0
0.0.255.255 any eq 70
router(config-ext-nacl)# deny TCP 144.19.0.0
0.0.255.255 any eq 80
router(config-ext-nacl)# permit TCP any
router(config)# ip access-list extended serial-in
router(config-ext-nacl)# permit TCP any 144.19.0.0
0.0.255.255 established
router(config-ext-nacl)# permit TCP any host
144.19.74.200 eq 25
router(config-ext-nacl)# permit UDP any host
144.19.74.200 eq 119
router(config-ext-nacl)# permit TCP any host
144.19.74.201 eq 25
144.19.74.201 eq 119
144.19.74.202 eq 53
router(config-if)# ip access-group ether-in in
router(config-if)# exit
router(config-if-serial0)# ip access-group serial-in in
router(config)#
11.2 Network Address Translation (NAT) Configuration

The following topics are dealt with in this section:
1. NAT Configuration Points To Keep In Mind
2. NAT Configuration Commands
3. Interior Source Address Translation
4. Interior Destination Address Translation
5. Timeout Alteration
6. NAT Mointoring And Maintenance
11.2.1 NAT Confirgation Points To Keep In Mind
1. You cant overlap a global IP address with a local one, and only three kinds of local addresses are recommended:
Kind
Task
A class10.0.0.0 / 8
1 A class IP address
B class 172.16.0.0 / 12
16 B class IP addresses
C class 192.168.0.0 / 16
256 C class IP addresses
2. You cant overlap a static address with the dynamic address pool.
3. As a solution for connectivity problems, NAT can be practically used when a number of internal IP hosts are trying
to communicate with the exterior network at the same time. In this case, you would have to translate only a few of
your address scope subsets to an exclusive external address. You can recycle these addresses later for another type
of use.
4. When an IP address or a port is embedded in an application program, NAT wont be transparent to users at the
opposite end. You wouldnt be able to use NAT in this case.
5. The router using NAT wont support IPsec because point-to-point security cant be guaranteed.
6. The router only broadcasts incoming data, never outgoing.
7. The static routing configuration between the NAT and your ISP router needs to be set.
8. The IP OPTION wont be supported normally.
9. You should use the same NAT list when many interfaces exist.
11.2.2 NAT Configuration Commands

router (config)#ip nat ?
Command
Description
Frequency
NAT Overtime Translation
inside
Interior Address Translation
pool
Defines An IP Address Pool
redirect-enable
Opens The NAT Redirection Function.
translation
Alters NAT Overtime Translation
To define an IP address pool, use the global configuring command ip nat pool.
To delete this pool, use the command format: no ip nat pool.
router(config)#ip nat pool name
[type rotary]
Syntax
Name
start-ip
End-ip
Netmask
prefix-length
type rotary
start-ip
end-ip
{netmask netmask | prefix-length prefix-length}
Description
The Address Pool Name
The Start Address
The End Address
Network Mask
The network mask digits signify which mask all
addresses in the pool belong to.
Indicates that the address pool scope has true
hosts addresses. A TCP load will be assigned
based to these hosts. (Optional function.) This

pool type is only applied to incoming address
NAT configuration.
Command
Description
router(config)#no ip nat pool name
Deletes the address pool.
Note: The same address pool cant be referred to by two different NAT configurations. If two NAT definitions must be
incorporated together, make sure you alter the corresponding access list rules. Also, the same IP address cannot be defined
in two different pools. You may cause the system to malfunction if you do.
To build an interior source address NAT, use the global configuring command ip nat inside source.
To delete a static or dynamic translation, use the command format no ip nat inside source.
Construct a basic static translation with the static key.
router(config)#ip nat inside source list {access-list-number | name} pool
name [overload]
Syntax
Description
access-list-number
The access list name or number
Name
The address pool name
Overload
Enables the router to use a global address in the

place of many local addresses. When the
overload parameter is configured, the TCP or
UDP port number of each interior host is used to
distinguish different sessions where the same
local IP address was used. (Optional function).
router(config)#ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port
Syntax
Description
local-ip
Interior local address
global-ip
Interior global address
tcp | udp
Protocol
local-port
Interior local port number
global-port
Interior global port number
To start using the incoming NAT, type in the global configuring command ip nat inside destination.
To delete a dynamic translation, input no ip nat inside destination.
When the incoming NAT is used to share the TCP load use:
router(config)#ip nat inside destination list {access-list-number | name} pool name
Syntax
Pool name
Description
The pool name. The pool contains a local address
assigned in dynamic translation. The pool type is
ROTARY, and the pool address is a true interior
local host address.
To designate an interior or exterior NAT interface, use the interface configuring command ip nat.
To remove this function, enter no ip nat.
Note: You cant use an interior and exterior interface at the same time.
router(config-if)#[no] ip nat {inside | outside}
Syntax
Inside
Description
Designates the interface to connect with the
interior network.
Outside
Designates the interface to connect with the

exterior network.
11.2.3 Interior Source Address Translation

When communicating with the router, you can use this feature to change your IP address into an exclusive global IP address
through static or dynamic translation. Static translation builds a one-to-one map between an interior local address and an
interior global address, which is helpful when a fixed address wants to access an interior host from the outer network.
Dynamic translation, on the other hand, maps an interior local address with a global address pool.
1)
Static Translation Configuration
The following example shows the steps you should take to configure a static translation. Note: You can configure many
interior and exterior interfaces through this method.
First, construct a static translation from 192.168.8.1 to 203.25.25.1.
interface. Configure the serial 0 to an exterior interface.
Command
router(config)#ip nat inside source static
192.168.8.1 203.25.25.1
router(config)#interface e0
router(config-if-ethernet0)#ip nat inside
Configure the Ethernet interface 0 to an interior
Task
Constructs a static translation from 192.168.8.1 to
203.25.25.1.
Designates the interface e0.
Connects the marked interface to an interior
network
router(config)#exit
router(config-if-serial0)#ip nat outside
Designates the interface s0

Connects the marked interface to an exterior
network
2) Configuring Dynamic Translation

NAT configuration:
([W HU L RU
, QW HU L RU
6$

V
H
6$

'$

, QW HU QHW
'$

+RVW %

je e
k 1$7

7DEO H
, QW HU L RU O RFDO , QW HU L RU JO REDO
, 3 DGGU HVV
, 3 DGGU HVV

1$7 , QW HU L RU VRXU FH DGGU HVV W U DQVO DW L RQ
In order to translate the interior source address on the router in the preceding example, it must be configured as follows:
Command
router(config)#ip nat pool pl-1 203.25.25.1 203.25.25.20
netmask 255.255.255.0
router(config)#access-list 1 permit 192.168.8.0
0.0.0.255
router(config)#ip nat inside source list 1 pool pl-1
router(config)#interface e0
router(config-if-ethernet0)#ip nat inside
router(config-if-ethernet0)#exit
router(config-if-serial0)#ip nat outside
Task
Constructs a global address pool with the name
pl-l. The pool includes 20 global addresses from
203.25.25.1 to 203.25.25.20.
Constructs an access list 1 and allows the
network segment addresses 192.168.8.0 and
0.0.0.255 to be translated.
Performs the address translation between list 1
and pool 1.
Designates the interface e0.
Connects the marked interface with the interior
network
Designates the interface s0.
Connects the marked interface with the exterior
network
router(config)#
In the preceding case, a global address pool pi-1 is first constructed. The pool includes 20 global addresses between
203.25.25.1 to 203.25.25.20. The access list 1 permits all hosts in the interior network to perform address translation.
Ethernet port 0 is configured as an interior interface and the serial is configured as an exterior interface.
Note: The access list must permit these addresses to be translated. An access list that permits too many addresses
translations could allow a security breach or other type of malfunction.
The
3)
Interior Global Address Overload
The router will be allowed to map many local addresses to a global address in order to save addresses in your interior global
address pool. When an overload has been configured, the router will maintain original data from higher layers for
example: the TCP or UDP port numbers to ensure that the global address will be translated into the right local addresses.
When many local addresses are mapped into a global address, the TCP/UDP port numbers of each interior host will be used
to differentiate between all of these different local addresses.
, QW HU L RU
6$

'$

([W HU L RU
H
V
6$

'$

+RVW %

, QW HU QHW
j e
e
k 1$7
7DEO H
, QW HU L RU JO REDO ([W HU L RU JO REDO
, 3 DGGU HVV 3RU W , 3 $GGU HVV 3RU W
, QW HU L RU O RFDO
3U RW
RFRO , 3 DGGU HVV 3RU W
+RVW &

7&3
7&3
NAT over loading interior globaladdresses
In order to overload global addresses on the router, as shown in the preceding figure, the router must be configured as
follows:
Command
Task
router(config)# ip nat pool pl-2 203.25.25.1 203.25.25.5
Builds a global address pool called pl-2. The
netmask 255.255.255.0
pool includes five global addresses between
203.25.25.1 and 203.25.25.5.
0.0.0.255
router(config)# ip nat inside source list 1 pool pl-2
overload
Permits access list 1 to perform the address

translation to all hosts in the interior network.
Allows the access list 1 and the address pool
pl-2 to build a dynamic source translation.
router(config)# interface e0
Designates the interface e0
router(config-if-ethernet0)# ip nat inside
Marks the above interface as an interior one
router(config-if-ethernet0)# exit
router(config)# interface s0
router(config-if-serial0)# ip nat outside
Designates the interface s0

Marks the above interface as exterior.
router(config)#
In this example, the global address pool pl-2 is built first. The pool includes five global addresses between 203.25.25.1 and
203.25.25.5. The access list 1 permits all hosts in the interior network to perform an address translation. The Ethernet
port 0 is configured as an interior interface, while serial 0 becomes an exterior interface. The router then allows many local
addresses to use a global address.
11.2.4 Interior Destination Address Translation
If many interior network hosts for example, Web servers provide the same access to many continuous interior IP
addresses, then you can configure the NAT translation of the interior destination address to obtain simple TCP load sharing.
That way, the router can process many outbound global addresses.
The steps to configuring an interior destination address translation in the global configuration mode are as follows:
A.
Define a rotary type of IP address pool that can be assigned as needed. The addresses in the pool are interior host
addresses, and will be used to share the TCP load.
router(config)#ip nat pool name
start-ip end-ip
{netmask netmask | prefix-length prefix-length} type rotary
Syntax
Description
Name
Pool name
Start-ip
Start address
end-ip
End address
netmask
Network mask
prefix-length
The masks bit number
type rotary
The true IP host
B.
Define an access list and permit addresses in this list to be translated.
router (config)#access-list access-list-number permit source source-wildcard access-list access-list-number permit protocol
source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
Note: Please consult the preceding section again and the section on firewall configuration (Section One) for a list of
definitions corresponding to each command.
This access list can generally be defined as an extension access list to limit the number of destination addresses from received
data packet. It will only be translated when the exterior interface receives the destination address of the data packet.
C.
Construct an interior destination translation based on the access list and the address pool you configured in the
above steps.
Command
Description
ip nat inside destination list access-list-number pool name
D.
Designate an interior interface.
Command
interface type number
Description
E.
Mark the interface to connect with the interior.
Command
ip nat inside
Description
F.
Designate an exterior interface.
Command
interface type number
Description
G.
Mark the interface to connect with the exterior.
Command
Description
ip nat outside
Note: If there is only one interior host being used, it isnt necessary to perform dynamic NAT configuration. If you want to
use NAT to hide the host IP address, then configure your router using static NAT. Because dynamic NAT only works for
TCP data packets, youd be better off using static NAT configuration especially if your host provides other protocol
services.
11.2.5 Timeout Alteration
You can alter NAT timeout with the global configuring command ip nat translation.
You can return to the default setting with the command no ip nat translation.
router(config)#ip nat translation ?
Command
Description
Dns-timeout
finrst-timeout
iMPs-error
ICMP-timeout
port-timeout
syn-timeout
tcp-timeout
Timeout
udp-timeout
Ends and resets the TCP packet translation

timeout. The default setting is 60 seconds.
The ICMP error packet translation timeout.
The default setting is 60 seconds.
The ICMP packet translation timeout. The
default setting is 300 seconds.
The initiative TCP packets translation timeout.
The default setting is 90 seconds.
The TCP port translation timeout. The default
setting is 1,800 seconds (30 minutes).
The simple dynamic translation timeout. The
default is 1,800 seconds (30 minutes).
The UPD port translation timeout. The default
is 600 seconds (10 minutes).
router(config)#ip nat translation timeout ?

Command
<1_2147483647>
Never
Description
Timeout
Never timesout
Example:
Command
router(config)#ip nat translation timeout 120
Task
Sets the timeout function to 120 seconds.
11.2.6 NAT Monitoring ,Maintenance and Debug

1.
Mornitoring and Maintenance Commands
1) The dynamic address translation item can be removed with the privileged user command clear ip nat translation
before you set a timeout.
Command
Task
router(config)#clear ip nat translation all
Clears all dynamic transmissions.
router(config)#clear ip nat translation inside
global-ip: Global address
global-ip local-ip
local-ip: Local address
Clears the simple dynamic translation item.
router(config)#clear ip nat translation {tcp |
global-ip: Global address
udp} inside global-ip global-port local-ip local- global-port: Global port
port
local-ip: Local IP address
local-port: Local port
Clears the extended dynamic translation item.
2) You can display the active translation list item with the privileged user command show ip nat translations.
Command
Task
router#show ip nat translations
The following are output examples of the preceding command:
You can use the global addresses 128.255.251.84 and 128.255.251.85 to communicate with some exterior hosts
without overloading.
router# show ip nat translations
Dir Pro Hv0 Hv1 Inside global
Inside local
Outside global
Age
out --- 426 982
128.255.251.85
192.168.0.2
128.255.251.90
1783
out --- 425 981
128.255.251.84
192.168.0.2
128.255.251.89
1761
Dir Pro
Inside global:Port
Inside local:Port
Outside global:Port Flags
in
---201.10.10.1
10 .0 .0 .90
228.255.255.99
in
---201.10.10.2
10 .0 .0 .97
129.55.9.3
You can use one global address to perform an address translation by overloading.
router# show ip nat translations
Dir Pro Hv0 Hv1 Inside global
Inside local
Outside global
Age
out ICMP 850 16 128.255.251.86:1027 192.168.0.2:44080 128.255.251.90:44080 295
out ICMP 849 15 128.255.251.86:1026 192.168.0.2:44080 128.255.251.89:44080 288
Note: Translate 192.168.0.2 into 128.255.251.86 to access the exterior address 128.255.251.90/89.
Dir Pro
in
---in
----
Inside global:Port
201.10.10.11026
201.10.10.11027
Inside local:Port
Outside global:Port Flags
10 .0 .0 .902347
228.255.255.9923
10 .0 .0 .973455
129.55.9.321
The preceeding fields are defined as follows:

Field
Dir
Pro
Hv0 Hv1
Inside global
Inside local
Outside global
Age
Description
Creates the translations packet direction.
Recognizes the overload translation protocol.
The NAT record location.
The interior global IP and its port
The interior local IP and its port
The exterior global IP and its port
The remaining lifetime of the NAT record, told in
seconds.
3) You can display the NAT statistics with the privileged user command show ip nat statistics.
typing clear ip nat statistics.
router# show ip nat statistics
Information
Description
NAT version: 5.6
Total translations: 0 static, 2 dynamic
No memory: 0, Execcess drop: 0, Age1: 0, Age2:
0, Age3: 0
Translation mode: NATNAPT
NAT redirect enable
Outside interfaces: fastethernet0
Exterior interface f0
Inside interfaces: serial2
Interior interface s2
Hits: 73 Misses: 7
Expired translations: 3
Dynamic mappings:
-- Inside Source
access-list 1 pool p1 refcount 2
pool p1: netmask 255.255.255.248
The address pool uses the defined rules from
access list 1.
start 128.255.251.83 end 128.255.251.86
type GENERIC, total addresses 4, allocated 1 ,
misses 0
flags: ipN_MAP ipN_OVERLOAD
Fragment statistics: Totals: 0 Had-existeds: 0 Nomemorys: 0
Hits: 0
Expireds: 0
News: 0
Ftp proxy session: Totals: 0 Hits: 0
Nomemorys: 0
The above displayed fields are described as follows:
Field
Description
Total translations
Shows the amount of active static translations and
dynamic translations in the system.
Outside interface
Refers to the list marked as an outside interface.
Inside interface
Refers to the list marked as an inside interface.
Hits
Indicates the number of times the translation list had
been examined and had its destination items found.
Misses
Indicates the number of times the translation list had
been examined and didnt have its destination items
found.
Expired translation
The expired translation that have happened since
system startup.
Dynamic mappings
Indicates dynamic mapping information.
Clear them by
Inside Source
Indicates interior source address translation

information.
Indicates the amount of times the access lists were
used in translation.
Indicates the address pool name used in translation.
Pool reference times.
The address pools first IP address.
The address pools final IP address.
The type of address pool used: generic or rotary.
The address pools total address number.
The amount of allocated addresses in the pool.
The number of times the missed packet didnt have an
IP address.
access-list
pool
Refcount
Netmask
End
Type
total addresses
allocated
misses
4) You can display all NAT address pools with the privileged user command show ip nat pool.
router# show ip nat pool
Information
Description
Address pool : p1
start
: 128.255.251.83
end
: 128.255.251.86
netmask : 255.255.255.248
type
: GENERIC
5) To turn off the NAT redirect switch:
Command
router(config)# no ip nat redirect
Task
Note: The redirect switch is specially set by the NAT for OICQ applications, and users between the interior and exterior
network wont be able to communicate with each other directly. The routers NAT provides the special switch function to
establish direct communication between users, based on its application. The problem can be overcome, though, by
transferring the OICQ server.
The default switch configuration will be set to ON. If you dont need this function, you can turn the switch off.
open the switch again with the following command:
Command
Task
router(config)# ip nat redirect
2.
You can
Debug Commands
command
Task
router#debug ip nat
To see all the informations of NAT
router#no debug ip nat
Close debug ip nat command
router#debug ip nat packets
Display the information in detail of IP packets before and after

translation
router#no debug ip nat packets
Close debug ip nat packet command
11.2.7 Considerations of Configuring NAT

1) The global addresses and the local addresses can not be overlapped. The following three classes of local addresses are
recommended:
Class
Descriptions
Class A10.0.0.0 / 8
One class A address.
Class B172.16.0.0 / 12
16 class B addresses.
Class C192.168.0.0 / 16
256 class C addresses.
2) The static addresses and the addresses in the dynamic address pool can not be overlapped.
3) As a solution to connection, only when a small amount of hosts simultaneously communicate with the external of the
area, can NAT be practical. In this case, only a small sub-set of IP addresses in the area must be translated into unique IP
addresses. And when these addresses are not applied any more, these addresses can be reused again.
4) When an IP address or a port is embedded into an application, NAT becomes non-transparent for end users. So, NAT
can neither be applied to the case.
5) The router that has realize the technology can not support IPSec because the end-to-end security can not be ensured.
6) The route information can be broadcasted to the internal instead of the external
7) It is necessary to configure the static route between NAT and ISP routers.
8) IP OPTION can not be supported normally.
9) When there exists multiple interfaces, the same NAT table must be adopted
11.3 Easy IP Configuration
The items talked about in this brief section are:
Configuring Easy IP
Easy IP Configuration Cases
11.3.1 Configuring Easy IP
In order to make sure the Easy IP function works normally, you will need to also configure the LAN to WAN routing.
To configure Easy IP, you must:
1. Define a NAT pool.
2. Configure the LAN interface.
3. Define the NAT for a LAN interface.
4. Configure the WAN interface
5. Finally, define the NAT for the WAN interface.
11.3.2 Easy IP Configuration Case
The following configuration command can make a number of interior network hosts use just one negotiated IP address to
access the Internet.
Command
Task

0.0.0.255
router(config)# ip nat inside source list 1
interface serial0 overload
router(config)# interface e0
Defines access list 1 and enables it to

permit the addresses in the network
segment to be translated.
Builds the dynamic source address
translation between list 1 and port s0.
Designated a LAN interface e0.
router(config-if-ethernet0)# ip address
192.168.12.1 255.255.255.0
router(config-if-ethernet0)# ip nat inside
Defines the NAT for a LAN interface.
router(config)# interface s0
Designates the WAN interface s0.
router(config-if-serial0)# physical-layer async

router(config-if-serial0)# speed 38400
router(config-if-serial0)# flow-control hardware
router(config-if-serial0)# encapsulation ppp
Encapsulates PPP.
router(config-if-serial0)# ip address negotiated
Starts PPP/IPCP address negotiation.
router(config-if-serial0)# ppp pap sent-username

xxx password xxx
router(config-if-serial0)# no keepalive
Starts PAP authentication.
router(config-if-serial0)# ip nat outside
Defines NAT for WAN interface.
router(config)#
11. 4 Access Control List (ACL) User Group Control Configurations
This section takes about two subjects related to ACL User Group Control Configurations:
Subnet Isolation
User Rights Management
11.4.1 Subnet Isolation
The main contents of this subsection are:
A. Principles Of Subnet Isolation
B. Configuration Commands
C. Examples Of Subnet Isolation
D. Other Applications
E. User access control: ACL.
A.
Principles Of Subnet Isolation
Subnet isolation allows an interface filter to partition different access areas. (Different access areas can be divided on a
network interface so they cant communicate with each other.) You can prevent attacks to your network by isolating data
packets that contain fake IP addresses. You can have different subnets isolated on the same physical link.
B.
Configuration Commands
Command
Description
router (config)#acl-group number

interface interface number
Number
<1 to 100>
Binds a service area by defining the access group and
the interface it can have access to.
Binds a user and a local area by defining an access
group user.
Sets the super user.
router (config)#acl-group number user

user names
routerA(config)#user root password 0
password
router (config)#user usernames password Sets the common user.
0 password
Note: The super user account is the root account.
z To open the user classification management function, input:

Command
Description
router (config)# service passwordOpens the password encryption service.
encryption
router (config)# service enhanced-secure
Opens the enhanced encryption service.
Note: After this command has been used, all passwords that have been configured previously will be encrypted.
remember the password of the super user root.
Be sure to
z To configure local login authentication

Command
Description
router (config)# aaa new-model

Opens the AAA function.
router (config)# aaa authentication login default
Sets up local authentication mode.
local
Note: After the above commands have been configured, the configured user name must be inputted before you can exit and
re-enter common user mode again. If the root user logs in, he or she can freely alter the router configuration. If a
common user logs in, she or he will be managed by their corresponding grade.
z To forbid a common user from logging in a second time:
Command
Task
router (config)#no enable acl telnet-twice

Note: After the command has been configured, the user will be forbidden from logging into a router.
z To grant a common user partial rights:
router (config)#acl username
Command
Description
acl_ifgrp
del_startup
Permits setting acl rights. Configures acl group and all

corresponding ports.
Permits setting acl rights. Configures acl group and all users in
the group.
Assigns the right to delete a configuration file.
interface
Assigns the right to operate ports.
line
Assigns the right to operate the asynchronous ports.
Reload
Assigns the right to reset.
sif_maker
Assigns the right to set sub-interface.
st_route
Assigns the right to set static routing.
Sysupdate
Assigns the right to upgrade system.
acl_usergrp
Note: Common users are prohibited from using the system until the above commands are used. Once youve added these
commands to the system, users will be able to read/write information to/from it (or just read or write information
individually).
C.
Examples of Subnet Isolation
The following figure illustrates a network with subnet isolation security policies in place:
Server A
Area A
Area B
S1
S1
routerB
Server B
routerC
X.25
lan switchA
S3
F
0
pc
net
A
S3.1
routerA
lan switchB
E0
Subnet isolation
pc
net
B
After the X25 firewall is configured between router B and router C, as shown in the preceding figure, we can accomplish the
following tasks:
1. User MaipuA cant access any interface and other equipment in access area B, such as server B.
2. User MaipuB cant access any interface and other equipment in access area A, such as the interface S1 in router C.
3. If user MaipuA tries to log in to a router from netB, he or she will be denied access.
4. Users, except the super user, cannot telnet again after they have already accessed a router by that method. This is
an optional function and it can prevent a second login.
The dataflow based on the port number or MAC address of a PC NIC (Network Interface Card) can be prohibited. For
example, if you first use arp to bind the MAC address of a PC network card to an IP address, you can then define the
dataflow of the IP address through an access list. This way, only one fixed PC can access the network segment, even if their
IP address has been modified.
Configuring routerA:
Command
Task
routerA#
routerA#con t
routerA(config-if-serial3)#encapsulation x25
routerA(config-if-serial3)#x25 dce
routerA(config-if-serial3)#x25 address 18
routerA(config-if-serial3)#x25 map ip 1.1.1.2 16
routerA(config-if-serial3)#clock rate 19200
routerA(config-if-serial3)#lapb dce
routerA(config-if-serial3)#ip address 1.1.1.1
255.255.255.0
routerA(config)#interface serial3.1
routerA(config-if-serial3.1)#x25 map ip 5.5.5.2 13
routerA(config-if-serial3.1)#ip address 5.5.5.1
255.255.255.0
routerA(config-if-serial3.1)#exit
Sets a sub-interface
routerA(config)#acl-group 1 interface fastethernet0

serial3
routerA(config)#acl-group 2 interface ethernet0
serial3.1
routerA(config)#acl-group 1 user MaipuA
Binds Server A to an area.
routerA(config)#acl-group 2 user MaipuB
Binds the local area to MaipuB.
Binds Server B to an area.

Binds the local area to MaipuA.
D.
Other Applications
Example 1: In the following figure, MP2600 connects to the other two routers through firewall X25. S1 is connected to
Router A and S2 is connected to Router B. Here, we want to separate the network into two isolated areas.
F0
E0
MP2600
S1
Area 1
S2
Area 2
X.25
Router A
Router B
After the X.25 firewall on each router is correctly configured, the subnet isolation function on the MP2600 router will be
successfully completed.
Command
MP2600(config)# acl-group 1 interface
fastethernet0 serial1
ethernet0 serial2
Task
Binds Area 1 and Access Group1.
Binds Area 2 and Access Group 2.
Example 2: As shown in the following figure, the network is to be separated into four unattached areas.
department include:
Marketing Dept.: sc1 sc2
Technical Support Dept.: js1 js2 js3
Product Development Dept.: kf1 kf2

Finance Dept.: cw1 cw2
det
Access area 2
Developing Dept
Market Dept
F0
E0
INTERNET
MP2600
Access area 1
S3
Technology support Dept
Users in each
Finance Dept
Access area 3
Case One: The Marketing Department and Technical Department can access each other.
each other.
No other department can access
Step One: Configure the access area.

Command
Task

fastethernet0 serial1
ethernet0
MP2600(config)# acl-group 3 interface serial2
Binds access area 1 and access group 1.

Binds access area 2 and the access group 2.
Binds access area 3 and the access group 3.
Step Two: Configure a user group and add a user.

Command
Task
MP2600(config)# acl-group 1 user sc1 sc2 js1

js2 js3
MP2600(config)# acl-group 2 user kf1 kf2
Binds access group 1 to marketing and technical

support.
Binds product development with access group 2.
MP2600(config)# acl-group 3 user cw1 cw2
Binds the finance department to the access group 3.
Case Two: After a period of time, the business depicted here gets an Internet connection, and its managers wants all
departments except Finance to get Internet access. This requirement can be met when interface S3, which connects directly
to the Internet, is added to the corresponding configured access area.
Command
Task

serial3
serial3
Binds interface serial 3 with access group 1.

Binds interface serial 3 to access group 2.
Access Area 1 and Access Area 2 can now formally connect to the Internet. However, the data packet from Access Area 3
is denied at the router because Interface S2 and S3 arent in the same access area. The Internet data packet, similarly, cant
get to Access Area 3 through Interface S2. Thus, simple isolation technology can ensure the information security of some
important departments.
Example 3: As shown in the following figure, an enterprise network is distributed throughout a series of different access
areas. But Areas 1 and 2 are separated from each other and they cant access each other. (The broken line in the following
figure shows that the access areas on the two routers are configured separately from each another.)
Step One: X.25 is re-configured on both routers using sub-interface S2.1.

Configuring router MP2600A:
Command
Task
MP2600A(config)#int s2
MP2600A(config-if-serial2)#enc x25
MP2600A(config-if-serial2)#x25 dce
MP2600A(config-if-serial2)#x25 addr 1110
MP2600A(config-if-serial2)#ip address 192.168.0.1
255.255.255.0
MP2600A(config-if-serial2)#exit
Encapsulates X.25 on interface S2, and sets up the

X.25 with an IP address.
MP2600A(config)#int s2.1
MP2600A(config-if-serial2.1)#ip address
192.168.1.1 255.255.255.0
MP2600A(config-if-serial2.1)#x25 map ip
192.168.1.2 2220
MP2600A(config-if-serial2.1)#exit
Sets up the IP address on Interface S2.1, and

designates an address for the opposite end.
MP2600A(config)#int s2.2
MP2600A(config-if-serial2.2)#ip address
192.168.2.1 255.255.255.0
MP2600A(config-if-serial2.2)#x25 map ip
192.168.2.2 2220
MP2600A(config-if-serial2.2)#exit
Sets up the IP address on the S2.2 interface and

designates the address at the opposite end.
Configuring router MP2600B:

Command
Task
MP2600B(config)#int s2
MP2600B(config-if-serial2)#enc x25
MP2600B(config-if-serial2)#x25 dce
MP2600B(config-if-serial2)#x25 addr 2220
MP2600B(config-if-serial2)#ip address 192.168.0.2
255.255.255.0
MP2600B(config-if-serial2)#exit
Encapsulates X.25 on the interface S2 and sets

X.25 and IP address.
MP2600B(config)#int s2.1
MP2600B(config-if-serial2.1)#ip address
192.168.1.2 255.255.255.0
MP2600B(config-if-serial2.1)#x25 map ip
192.168.1.1 1110
MP2600B(config-if-serial2.1)#exit
Sets up the IP address on interface S2.1 and

designates the IP address at the opposite end.
MP2600B(config)#int s2.2
MP2600B(config-if-serial2.2)#ip address
192.168.2.2 255.255.255.0
MP2600B(config-if-serial2.2)#x25 map ip
192.168.2.1 1110
MP2600B(config-if-serial2.2)#exit
Sets up the IP address on Interface S2.1 and

designates an IP address at the opposite end.
Step Two: Set up an access area:

Command
Task
MP2600A(config)# acl-group 1 interface

fastethernet0 serial2.1
MP2600A(config)# acl-group 2 interface
ethernet0 serial2.2
Binds area 1 with access group 1.
MP2600B(config)# acl-group 3 interface serial1

serial2.1
MP2600B(config)# acl-group 4 interface

fastethernet0 serial2.2
Step Three: Add a user to the user group in the corresponding access area.
As shown in the preceeding Example Two, you can add a user to the corresponding group. The users in Area 1 should be
added to Group 1 and Group 3, and users in Area 2 should be added to Group 2 and Group 4. Please refer to Case Two for
details on how to set up these users.
E.
ACL User Right Control
You can configure whether a user is permitted to execute Telnet twice on the router or not. The commands are as follows:
Command
Task
MP2600(config)# enable acl telnet-twice
Permits a user to execute Telnet twice
MP2600(config)# no enable acl telnet-twice
Doesnt permit a user to execute Telnet
The system default permits users to log in twice. This operation can be turned off except when subnet isolation has been
configured onto the system. The root user can also log in twice, no matter what.
11.4.2 User Rights Management

Different network managers can get different rights based on their roles through the setup of user management rights.
can ensure that the router runs normally and remains easy to maintain.
The graded rights corresponding setup are shown as follows:
Command
Task
router(config)user root password 0 router
Sets the super user. Its account can only be

named root.
router(config)exit
router#exit
router>exit
Login:root
Note: The password Maipu is not displayed
password:Maipu
router>en
router#config terminal
router(config)user Maipu password 0 Maipu
Adds a new user whose password is Maipu.
router(config)service password-encryption
router(config)service enhanced-secure
Opens the user grade management function
If the root user doesnt perform any operation, he or she can only examine the router configuration and perform other
operations that dont have an effect on the routers operation.
router(config)# acl Maipu:
Command
Description
acl_ifgrp
Assigns acl set up rights.
acl_usergrp
Assigns acl set up rights.
address_set
Assigns interface configuration rights.
del_startup
Assigns file configuration deletion rights.
reload
Assigns system file reloading rights.
sif_maker
Assigns sub-interface set-up rights.
This
st_route
Assigns static routing adding rights.
sysupdate
Assigns system upgrade rights.
telnet_twice
Assigns second login rights.
Example:
Command
Task
This command grants the user Maipu the

right to reset a router.
Note: Only root users can perform the acl operation and alter the configuration freely on the router. So please be sure to
change the root password from Maipu to something new as soon as possible.
router(config)#acl Maipu reload
11. 5 IPsec Network Security Configuration

The main topics in this section are:
Configuring IPsec
IPsec Monitoring And Debugging
IPsec Configuration Examples
11.5.1 Configuring IPsec
So far, IPsec can only used to work in Point-to-Point mode.
To manually configure IPsec, you need to also configure each IPsec peer that participates in communication. Note: In order
to ensure the access list is compatible with IPsec, both the IPsec ESP and AH protocol will use the numbers 50 and 51
respectively. (Please see B. Create An Encryption Access List.)
This is the order in which you must go about configuring IPsec:
A. Configure IPsec Control (optional)
B. Create An Encryption Access List
B. Define An Encryption Transformation Set
C. Configure The Global Lifetime (optional)
D. Create An Static Encryption Map
E. Apply The Encryption Map To An Interface
F. Delete And Rebuild IPsec Security Associations. (optional)
A.
Configure IPsec Control
router(config)#crypto ?
Command
Description
config-bynet
ike
Sets ways to perform remote configuration, such as

telnet.
Sets IKE parameters.
IPsec
Sets IPsec configuration command
isakmp
Sets security association key management.
Key
Sets security key.
Map
Configures encrypted map.
Dynamic-map
Configures an dynamic map.
router(config)#crypto IPsec ?
Command
Description
Enable
Opens the security association and enables it to

work.
Df-bit
security-association
Define means of processing df bit in an encapsulated

packet.
Sets security association attributes.
spd
Defines a security policy database.
Transform-set
Defines a set of encryption algorithms.
IPsec switch: Use the following commands in global configuration mode:

Command
Description
router(config)#crypto IPsec enable
Opens IPsec .
router(config)#no crpto IPsec enable
Closes IPsec .
Notes:
1.
2.
3.
The IPsec fuction wont work until the IPsec switch is open. The default setting leaves the switch open.
When IPsec is closed, all operations related to IPsec are invalid until the command open is used.
If the IPsec function running on one terminal is closed, then IPsec functions running on other terminals must be
closed in order to the network to formally communicate.
1.
How To Ignore IPsec SA
Use this command in global configuration mode:
Command
Task
router(config)#crypto IPsec spd ignore
Transmitts data packets even when the

corresponding SA has not been built.
router(config)#no crypto IPsec spd ignore
Discards data packets when there isnt a
corresponding SA processing them. This is also the
default status.
2.
How To Forbid Users To Acess Remote Telnet Configuration
Note: The following commands become effective simultaneously to both IPsec and IKE.
Command
Task
router(config)#crypto config-bynet permit
Permits remote configuration. (Default setting.)
router(config)#no crpto config-bynet permit
Forbid remote configuration.
B.
Create An Encryption Access List
An Encryption Access List is used to define which IP package should be encrypted, and which one shouldnt.
In global configuration mode, the following commands are used to create an Encryption Access List:
router(config)#access-list access-list-number { deny | permit } protocol source source-wildcard destination
wildcard [precedence precedence] [tos tos] [log]
Syntax
Description
access-list-number
Access list number
Protocol
Protocol
Source
Source address
source-wildcard
Source address wildcard
destination
Destination address
destination-wildcard
Destination address wildcard
Precedence
Priority
destination-
tos
Service type
log
Log
router(config)#ip access-list extended name

Syntax
Description
Name
The access list name
Note: Users facing a complex configuration stuation can refer to the following points:
1.
2.
3.
4.
5.
6.
7.
8.
We recommend configuring the mirror-map encryption access list to the IPsec function specified by each static
encryption map defined on the local peer. You should also define a new mirror-mapping encryption access list on
the remote-end peer at the same time.
The encryption access list isnt used to decide whether a message is permitted or not allowed to pass through your
interface. It only decides which communications coming through the interface should be examined for security
reasons and which ones shouldnt. Not until you apply the access list straight to the interface and construct the
corresponding security association will your decisions go into effect.
Avoid using the any command. For instance, using it with the permit command will cause all data entering the
router to be encapsulated by IPsec, and so some information unencapsulated, e.g. routing update information and
control information, may be discarded silently.
Use an IP access list specified by number or name. Remember: IPsec runs only on extended access lists.
The encryption access list that has had a permit function performed on it will allow all IP communication that
meets specified conditions to be protected by the corresponding encryption maps rules. On the other hand, the
deny command may prevent the communication from being encrypted.
Presently, the access lists port configuration number doesnt support scope configuration, so the port number must
be specified or be the default number.
After the corresponding encryption map is defined and applied to an interface, the specified encryption access list
will be applied to the interface. Different access lists must be applied to the different entry in the same encryption
map. These tasks will be discussed in the following section (Section 6). But the information coming in and out
of the system will be judged by the corresponding IPsec access list, so the access list perameters can be applied to
messages leaving or entering the router.
There should be at least one permit sentence in the IPsec access list. When the access list is used in translation
mode, there must be one permit sentence in the access list. The source address and destination address must be
consistent with the security peers corresponding addresses. The host address cant be a network address or
wildcard.
C. Configure An Encryption Translation Set

A translation set is a combination of different special security protocols and algorithms.
with the following commands:
1.
You can configure one of these sets
Defining And Deleting A Translation Set
Use the following commands in global configuration mode: (Note: executing these command will let you enter you into
encryption transform configuration mode.)
router(config)#[no] crypto IPsec transform-set
Syntax
transform-set-name
transform1 [transform2[transform3]]
No
transform-set-name transform1 [transform2[transform3]]

Description
Designates the transformation set that will be
created or altered.
Designates three transformation methods to define
IPsec security protocols and algorithms. The
encryption transformation set is shown in the
following Table 11-5-1.
Deletes the specified transformation set.
Table 11-5-1 An Encryption Transformation Table

Choose one of these in AH
transformation .
Choose one of these in ESP

transformation .
Transform
ah-md5-hmac
Transform
esp-des
Task
ESP encryption
algorithm with
56-bit-DES.
esp-3des
ESP encryption
algorithm with
3DES.
esp-blf
ESP encryption
algorithm with
BLF.
esp-ssp02
Special ESP
encryption
algorithm with
SSP02 (used
through a
special
encryption
chip).
ESP-Null
algorithm
ah-ha-ha
ah-rmd160hmac
Task
AH
authentication
algorithm with
MD5. HMAC
variable.
AH
authentication
algorithm with
SHA. HMAC
variable.
AH
authentication
algorithm with
RMD160.
HMAC
variable.
esp-null
Choose one of these in ESP

transformation, only when youve
chosen a function in column two
complied to rfc2406.
Transform
Task
esp-md5-hmac
ESP
authentication
algorithm with
MD5. HMAC
variable.
esp-rmd160ESP
hmac
authentication
algorithm with
RMD160.
HMAC variable.
esp-sha-hmac
ESP
authentication
algorithm with
SHA. HMAC
variable.
Note: Illegal combinations should be avoided when transformation sets are created.
1. Two or more transformation sets of the same class, such as esp-des and esp-blf, are illegal combinations. Two
transformations in the same column of the Table 11-5-1 arent permitted to be present.
2. The ESP authentication algorithm cant be applied alone. It must be applied with the ESP encryption algorithm
complied to rfc2406.
3. The ESP encryption algorithm complied to rfc2406 can be applied not only with the ESP authentication algorithm,
but also on its own. If the encryption algorithm esp-null command is chosen, then just one kind of ESP
authentication algorithm must be configured. The following are feasible translation combinations:
ah-sha-hmac
esp-des
esp-des and esp-md5-hmac
ah-sha-hmac and esp-des and esp-sha-hmac
Command
router(config)#cry ips tr mytrans1 ah-sha-hmac
esp-des esp-md5-hmac
router(cfg-crypto-trans)#exit
Task
Defines the transformation set mytrans1.
router(config)#cry ips tr mytrans2 esp-des esp-shahmac

Defines the transformation set mytrans2.
router(config)# no cry ips tr mytrans2
Deletes the transformation set mytrans2.
Two transformation sets have been configured: the transform set mytrans1 has three functions namely ah-sha-hmac, espdes and esp-md5-hmac and when that set is applied, both AH authentication and des encryption&MD5 hash of ESP can
be performed. The transformation set mytrans2 has two functions, namely esp-des and esp-sha-hma, and when the
transformation set is applied, ESP des encryption with sha hash can be performed. The last command deletes the transform
set mytrans2.
2.
Change The Transformation Set Mode
In the encryption transformation configuration mode, you can apply a transformation set mode:
Command
Description
router(cfg-crypto-trans)#mode [tunnel][transport]
Optional
[tunnel][transport] (Optional function). Designates

either a transform set mode, a tunnel mode or a
transport mode. The default setting is in tunnel
mode. Change the mode relative to the translation
set.
The mode configuration is useful only when a
messages source addresses and destination
addresses have been set to an IPsec peer address, and
it is invalid to all other communication. (All other
messages can be performed in the tunnel mode.)
To change back to default tunnel mode:

Command
router(cfg-crypto-trans)#no mode
Description
Returns the mode back to its default.
Notes:
1. The IPsec transport mode will not be used until the peer-to-peer security measure should be needed. In this case,
you should avoid using the tunnel mode in order to avoid adding unnecessary security protocol headers.
2. When the data packets final destination is not safe, the IPsec tunnel mode should be used.
3. When the router forwards data packets through a security service, it must use the tunnel mode.
4. In a situation where ehther of two modes can be used, the AH tunnel mode isnt commonly used because the data is
being protected as it would be in transpot mode.
5. If the translation mode is used, the host address, not the network address, should be configured. Also, the address
of the IPsec peer will correspond to addresses in the access list. The wildcard will not be allowed.
6. No more than one access list permit command can use translation mode. The source or destination address is also
the security tunnels source or destination.
Command
router(cfg-crypto-trans)#mode tran
D.
Description
Sets the transport mode.
Configure Global Lifetime
The global lifetime is applied when a new IPsec security association is negotiated.
association.
It can be used to build the IKE security
To set a IPsec global lifetime:

router(config)#[no] crypto IPsec security-association lifetime [seconds|kilobytes]
Syntax
Description
Kilobytes
Computes the lifetime by designating the IPsec SA to

expire after a certain amount of traffic (in kilobytes)
passes through the system.
Computes the lifetime by designating the IPsec SA to
expire after a certain number of seconds.
Sets the global lifetime to default mode.
Seconds
No
Notes:
1. The default settings of the IPsec SA global lifetime are 3,600 seconds and 4,608,000KB.
at 10Kbs for an hour.)
(This will transmit data
2.
The lifetime can be reset in different encryption maps.
3.
Changing the global lifetime wont effect existing security associations. It will, however, be applied to the
successive security association negotiation. (That is, the lifetime set in the security encryption map that is in use.)
E.
Configuring The Encryption Map
You can create an encryption map based on the following rules and operations:
Which communication do you want IPsec to protect? (Consider creating an Encryption Access List, as explained
in Section B.)
Where will the messages protected by IPsec be sent? Who will the remote-end IPsec peer? (Please see Section B
for more details.)
Which IPsec security policies should be applied to messages? Select one from a list of transformation sets.
There are two kinds of encryption map entry. They are either used to manually building an IPsec security association or by
IKE negotiation. Both types can exist in the same map set.
You can apply the encryption map to the interface so that they can judge all IP communication through the interface. In
order to make IPsec between its two peers a success operation, their encryption maps must contain configuring code thats
compatible between each other. When two peers try to build a security association, one peer must have an encryption map
thats compatible with the other. In order to be compatible, these maps should at least meet the following conditions:
They must contain compatible Encryption Access Lists, such as a mirror mapping access list.
They must preform the same transformation functions.
1.
Manually Create An SA Encryption Map
You can plan a manual seurity association between the local router and IPsec peer manager, so both will be able build the
security association manually whenever they want. The encryption map must be created in order to build the SA manually.
Use the following commands in global configuration mode:
To designate the encryption map that will be created or altered, use this command to enter the encryption-map configuration
in global configuration mode:
Command
router(config)#crypto map map-name
seq-num
IPsec-manual
Description
Map-name: the encryption map set name
seq-num: the map entry number
To have the encryption map build a messages security association manually, use this command:
Command
Description
Router(config)#cry map mymap 1 IPsec-m
This command creates an encryption map entry whose
number is 1. Add the item to the encryption map set
mymap. If the encryption map set doesnt exist, then
create a new one named mymap. Finish the
command and enter encryption mapping configuration
mode.
To designate an extended access list to an encryption map:
Command
Description
router(cfg-crypto-map)#match address
[access-list-id|name]
access-list-id|name: the list number/name
Note: An encryption map can only be appointed to one encryption access list, and vice-versa.
To remove an extended access list from an encryption map:

Command
Description
router(cfg-crypto-map)#no match address
access-list-id|name: the list number/name
{access-list-id|name}
Example: If the security access list 1234 is configured in advance (see the following table), then the first command applied
to the access list 1234 will result in the encryption maps configuration. The second command cancels this operation.
Command
router(cfg-crypto-map)#match addr 1234
router(cif-crypto-map)#no matc addr
To designate an encryption maps IPsec peer:
Command
router(cfg-crypto-map)#set peer ip-address
Task
Designates an extended access list.
Removes a chosen extended access list.
Description
ip-address: the peers IPsec address
The preceding command will designate a remote-end IPsec peer, too. The message protected by the IPsec will be sent to the
peer. (Only one peer must be specified in manual configuration mode.)
To remove an IPsec peer from an encryption map:
Command
router(cfg-crypto-map)#no set peer ip-address
Description
ip-address: the peers IPsec address
Example:
Command
router(cif-crypto-map)#set peer
192.255.125.60
router(cfg-crypto-map)#no set peer
Task
Sets the IPsec peer with the IP address 192.255.125.60 as
the opposite encryption peer.
Cancels and resets the above set.
To specify a translation set for the encryption map:

Command
Description
router(cfg-crypto-map)#set transform-set
transform-set-name: the transformation set name
transform-set-name
Note: Designate the proper transformation set in completing the preceeding task. The set must be the same as the one
appointed by the remote-end peer. (A transform set must be specified when it is configured manually.)
To remove a transformation set from the encryption map:
Command
Description
router(cfg-crypto-map)#no set transform-set
Removes the
Example:
Command
router(cfg-crypto-map)# set tran mytrans1
transformation set.
Task
Designates the encryption map to use the translation
set mytrans1.
To set the AH protocol session key:

router(cfg-crypto-map)#set session-key {inbound[outbound]} ah
spi
hex-key-string
Syntax
Description
Inbound
Inbound
Outbound
Outbound
Spi
The index value of the security parameter used to
identify a security association.
The same SPI can be given to a security association
that has packets following in two directions (in/out)
with two protocols (AH and ESP). However, some
peers cant freely assign SPI. An exclusive SPI
value must be applied to a combination of destination
addresses and protocols. If the packet is inbound,
the destination address is the router address. If it is
outbound, then the destination is the peer address.
Before the session key is configured, the
transformation set should be configured first.
Different transformation sets will have different key
length demands.
hex-key-string
Designates the session key with a string in
hexidecimal form: dont input char 0X. Other
characters are invalid.
Note: If the specified transformation set includes an AH protocol, then the command is used to set the AH security
parameter index (SPIs) and password for the protected in/outbound message. (This command specifies that the AH security
association will be used to protect the message.) The appropiate in or outbound configuration must be performed.
The following length of key data string MUST be at least double of the least key length needed, for example, when the least
length of key is 16 bytes, the length of key string you input must be at least 32 and even.
To delete the maps IPsec session key:

Command
Description
router(cfg-crypto-map)#no set session-key

Deletes an IPsec session key.
{inbound|outbound} ah
Example:
Command
Task
router(cfg-crypto-map)#set sess inb ah 300
When the AH hash algorithm is AH123456789012345678901234567890abcd
MD5-HMAC, the length of key is at
least 16 bytes.
When the AH hash algorithm is AHrouter(cfg-crypto-map)#set sess out ah 301
SHA-HMAC, the length of key is at
12345678901234567890abcdefabcdef1234567
least 32 bytes.
890
To delete the inbound key from the encryption map:
Command
router(cfg-crypto-map)#no set sess inb ah
Troubleshooting the key length limit:
Command
router(cfg-crypto-map)#set sess in ah 300 1
Description
Possible Reasons For Error Messages

The data key must be an even number of characters.
The key length must be even.
The data key bit length is too short. It needs to be
at least 16 bytes, when the AH hash algorithm is
AH-MD5-HMAC.
The data key bit length is too short. It needs to be
at least 20 bytes, when the AH hash algorithm is
AH-SHA-HMAC.
Warning: no translation set needs this key. It will
appear when the encryption transformation set
doesnt use the AH hash method.
To set an ESP protocol s IPsec session key:

router(cfg-crypto-map)#set session-key inbound[outbound] esp spi cipher hex-keystring[authenticator hex-key-string]
Syntax
Description
cipher
Indicates whether or not the key string will be used
together with ESP encryption transform.
authenticator
(Optional function.) Indicates whether the key
string will be used together with ESP authentication
transformation set or not. The parameter is needed
only when the encryption map uses the ESP
authentication algorithm.
Note: If the specified transformation set includes an ESP protocol, then the preceeding command is used in encryption
mapping configuration mode to set AH security parameter indexes (SPIs) and password for the protected in or outbound
message. If the transformation set includes ESP encryption algorithm, then the encryption key should also be provided.
If the transformation set includes an ESP authentication algorithm, then the authentication key should be provided. (The
command specifies that an ESP security association will be used to protect the message.)
To remove an IPsec session key from the encryption map:
Command
Description
router(cfg-crypto-map)#no set session-key
Removes the IPsec session key.
{inbound|outbound} esp
Examples:
Command
router(cfg-crypto-map)#set sess inb esp 2222 cipher
1234567890abcdef auth
12345678901234567890123456789012
router(cfg-crypto-map)#set sess out esp 2223 cipher
1234567890abcdef12 auth
Task
When the ESP hash algorithm is ESPMD5-HMAC.
When the ESP hash algorithm is ESPMD5-HMAC.
1234567890123456789012345678901234
router(cfg-crypto-map)#set sess inb esp 2222 cipher
1234567890abcdef auth
1234567890123456789012345678901234567890
router(cfg-crypto-map)#set sess out esp 2223 cipher
1234567890abcdef12 auth
1234567890123456789012345678901234567890
To remove the encryption maps ESP inbound key:

Command
router(cfg-crypto-map)#no set sess inb esp
Troubleshooting the key length limit:
Command
router(cfg-crypto-map)#set sess in esp
300 cipher 12
300 cipher 1
300 cipher 1234567890123456 au 1
300 cipher 1234567890123456 au 12
When the ESP hash algorithm is ESPSHA-HMAC.

When the ESP hash algorithm is ESPSHA-HMAC
Task
Removes the ESP inbound key.
Possible Reasons For Error Messages

The data key will be too short by at least eight bytes.
The DES method key length must be at least eight bytes.
The data key must have an even number of characters.
The key length must be even, too.
The data key must have an even number of characters.
The key length must be even.
The data key is too short by at least 16 bytes.
When
the ESP hash method is ESP-MD5-HMAC, the length
needed is at least 16 bytes.

300 cipher 1234567890123456 au 12
The data key is too short by at least 20 bytes. When the

ESP hash method is ESP-SHA-HMAC, the length must
be at least 20 bytes.

300 cipher 12
Warning: No

300 cipher 1234567890123456 au 12
transformation function needs this key.
This will prompt an error message, as the encryption

transformation set is using an improper encryption
algorithm.
Warning: No transformation function needs this key.
This will prompt an error message because the
encryption transform set isnt using the ESP hash
algorithm.
2.
Creating An IKE SA Encryption Map.
When IKE is used as a security association, new security association parameters (or uses) can be negotiated among IPsec
peers. Namely, the encryption map can be specified.
Creating an encryption map using an IKE SA:
Step One: Use the following command in global configuration mode to enter the security encryption map configuration:
Command
Description
map-name: name of the encryption map set
router(config)#crypto map
map-name
IPsec-isakmp
seq-num
seq-num: the entry number
IPsec-isakMP: IPsec-isakmp indicates this is a
security encryption map used by IKE.
Step Two: Designate an extended access list for the encryption map.
Command
Description
router(cfg-crypto-map)#match address access- access-list-id: the specified access list number.
list-id
This command performs the same function that

manually configuring the encryption map does.
Step Three: Designates an IPsec peer for an encryption map.
Command
Description
router(cfg-crypto-map)#set peer ip-address
The same manually configuring the encryption map.
Step Four: Designates a transform set for an encryption map.
Command
Description
router(cfg-crypto-map)#set transforl-set
transform-set-name: Designates the name of
transform-set-name1 [transform-set-name2
transformation set which can be used. Six sets can be
configured at most.
transform-set-name6]
Step Five: Designates the IPsec security association lifetime.
To designate IPsec SA to expire:
Command
router(cfg-crypto-map)#set securityassociation lifetime seconds seconds
router(cfg-crypto-map)#set securityassociation lifetime kilobytes kilobytes
To revert back to a global lifetime:

Command
router(cfg-crypto-map)#no set securityassociation lifetime [seconds|kilobytes]
Description
Seconds:
Designates the SA lifetime.
Seconds: Designates time in which a security
association can exist before expire.
Kilobytes:
Designates the lifetime shown in
bytes traffic.
Kilobytes: The amount of kilobyte traffic two IPsec
peers in the security association generates before the
SA expires.
Description
Reverts back to the global lifetime
Specific Notes For Step Five:

1.
2.
3.
4.
5.
IPsec uses shared keys. These keys and their corresponding security association will expire at the same time.
Time or traffic lifetimes will expire at the same time as their security association.
If the router follows a new security association and if its encryption map has been reconfigured with the new
lifetime its peer will follow the same encryption map lifetime, too. When the router begins negotiation, the new
lifetime will be applied to the router and its peer.
Changing lifetime data will have no effect on the existing security association. But, during the next negotiation, it
will bind a new security association to the data permitted by the encryption map. If you want the new setup to go
into effect as soon as possible, the command clear crypto sa can be used to clear part or whole parts of the security
association database.
When the encryption maps security association lifetime is canceled or isnt set, the global lifetime will be regarded
as the correct lifetime during negoiation.
Step Six: Designate whether the ideal transformation security mechanism or the IPsec peer should contain the PFS
requirement when IPsec applies the encryption maps SA.
Command
Description
group1: Designates that IPsec will use 758-bit Diffierouter(cfg-crypto-map)#set
pfs[group1|group2|group3]
Hellman groupware during a new Diffie-Hellman
exchange.
group2: Designates that IPsec will use 1024-bit
Diffie-Hellman groupware during a new DiffieHellman exchange.
group3: Designate that IPsec will use 1536-bit
Diffie-Hellman groupware during a new DiffieHellman exchange.
To be sure IPsec cannot perform the PFS application, please use this command:
Command
Description
router(cfg-crypto-map)#no set pfs
Specific Notes For Step Six
1. In default mode, the system wont require for the PFS. If you dosnt designate what groupware to use, the default
will automatically call it group1.
2. If the peer launches a negotiation when the local configuration has been appointed to use PFS, then the peer must
organize PFS exchange otherwise, the negotiation will fail. If the local configuration doesnt designate the
groupware, then the local router will use default group1. The peer party will be accepted no matter which
groupware is provided. If the configuration has specified group2 and group3, then the peer party must provide the
same groups.
3. PFS increases your networks security because, if a hacker decrypts a key, only the database using that key will be
threatened. If PFS isnt used, other keys with access to that database could be targeted.
4. Everytime that PFS is applied and a new SA is initiated, there will be a new Diffie-Hellman exchange.
Step Seven: configure

DPD (Detect Dead Peer) function for encryption item. In this way, the local end can detect whether
the peer has the function of fault-auto-restore. The command is described as follows:
Command
Description
delay-time: the maximal interval of sending
router(cfg-crypto-map)# set dpd delay-time retrynumber [hold|clear]
dbd detect message (by second). and the default value
is 10.
retry-number: the retry-timestimes of retransmitting
dpd detect packet. and the default value is 2.
hold: the action for pdd timeout, representing that the
connection will be reset and the negotiation will be
triggered again for the next time. The option is enabled
by default.
Clear: the action for DPD timeout, representing that
the connection is not reset and a new IKE negotiation
will be triggered for the next time.
To cancel the configuration, the following command should be used:

Command
Description
router(cfg-crypto-map)# no set dpd
Cancel DPD function
Step Eight: Exit from the encryption map configuration mode.

Command
Description
router(cfg-crypto-map)#exit
Exit
Repeat these steps if more encryption maps are required.
3.
Delete Encryption Map
Use the following command in global configuration mode to delete, in whole or in part, map items:
Command
Description
router(config)#no crypto map map-name
Map-name: The name of encryption map
[seq-num]
Seq-num: The number of encryption map
When the encryption map is deleted, the existing security association will stay in effect until the command clear crypto sa
unrebuild is used to delete the corresponding security association.
4. Configure dynamic encryption map
When the IPsec peer address is variable or has not been kown beforehand, the local can been configured as dynamic dynamic
map. Use the following command in global configuration mode to enter the dynamic encryption map configuration mode:
Command
Description
router(config)#crypto dynamic-map map-name
seq-num
map-name:
map set
the name of the dynamic encryption
the serial-number of the dynamic

seq-num:
encryption map entry
The other configuration is similar to that of the normal ISAKMP encryption map set (see section 2).
Notes:
1. Multiple peers can be set in a dynamic encryption map, but only one can be set in normal encryption map.
2. At least one transformation set must be set in a dynamic encryption map and the configuration of other attributes
is optional.
3. Only one dynamic encryption item can be set for one dynamic encryption map set currently. Different from the
common ISAKMP encryption map set, the dynamic encryption map set can not be directly applied to an interface, and it
can not take effect until it is mapped to an ISAKMP encryption map item.
4. The IPsec peer configured as the dynamic map set can not initiate IKE negotiation to build IPsec tunnel for
communication, it must wait and accept the IKE negotiation request from the peer (it must be configured as the
common ISAKMP encryption map set).
Use the following command in global configuration mode to generate a normal encryption map entry referring to a dynamic
map set beforehand defined.
Command
Description
seqrouter(config)#crypto map map-name
num ipsec-isakmp dynamic dynamic-mapname
map-name: the name of the dynamic encryption

map set
seq-num: the serial-number of dynamic encryption
map item
dynamic-map-name:
encryption map set
the name of dynamic
Use the following command in global configuration mode to delete the specified dynamic encryption map item or the whole
dynamic encrytion map set
Command
Description
router(config)#no crypto dynamic-map
name
[seq-num]
map-
map-name: the name of dynamic encryption map

set
seq-num: the serial-number of dynamic map item.
Notes:
To delete a dynamic encrytion map set or entry, be sure that it has not been used, that is to say that it has not been
mapped to a common ISAKMP encryption map item.
F.
Apply The Encryption Mapping Item To An Interface
1.
Applying An Encryption Map Interface
An encryption map should be configured for each interface that the IPsec communication will pass through. The encryption
map will be used to judge all communication through the interface and apply special rules to different messages that need
protection through a security association.
Use the following command in interface configuration mode to apply the encryption map to an interface:
Command
Description
map-name
router(config-if-xxx)#crypto map mapname of encryption map
[address ip-address]
name
ip-address ip address of the interface
Notes:
1.
Before the interface provides IPsec service, an encryption map must be assigned to the interface. If many
encryption maps have the same map-name but different seq-num, they will still be located in the same set and
applied to the same interface.
2. If Seq-num has a low number on the encryption map, it will carry a higher priority. An encryption map may
contain a combination of IPsec-ISAkMP and IPsec-manual.
To remove an encryption map from an interface:
Command
Description
router(config-if)#no crypto map map-name.
Removes the encryption map
Examples:
Command
router(config-if-xxx)#cry map mymap
router(config-if-xxx)#cry map mymap addr
128.255.125.12
3.
Task
Applies the encryption mapping list mymap to
the current interface.
Applies mymap to the current interface and
designates to use the address 128.255.125.12 of
the interface for the map set mymap
Designating The Encryption Maps ID Interface
Use the following command to designate an identified interface in global configuration mode:
Command
Description
router(config)#crypto map map-name localmap-name: the name of the encryption map
address {interface-id }
interface-id the identity of the interface
To delete the command from the configuration:
Command
router(config)#no crypto map map-name localaddress
Description
Deletes the identified interface of the map set
Notes:
When designate an identified interface to an encryption map set, the IP address of the interface will be used as the local
address for IPsec tunnel.
To use loop interface as an identified interface, imput:

Command
Task
router(config)#cry map mymap local f0
Designates the loopback0 as the identified interface.
This interfaces address is regarded as the source
address, used to send data and the destination
address, which is used to receive data.
G.
Delete And Rebuild IPsec Security Associations
Use the following command in the privileged user mode to delete and rebuild the SA, if conditions permit:
Command
router#clear crypto SA
Description
[unrebuild]
(Optional.) Chooses the parameter
to delete the specified security association. It
doesnt rebuild one.
[unrebuild]
To delete all IPsec associations and (if the parameter unrebuild hasnt been chosen) rebuild all security associations on the
current encryption map:
Command
Description
router#clear crypto sa peer ip-address
ip-address: The remote-end peer IP address that uses
[unrebuild]
the peer command to delete the IPsec assocation from
the specified peer.
router#clear crypto sa map map-name
map-name: The name of the encryption map set.
[unrebuild]
Use the map command to delete all security
associations created by the specified encryption map
set.
router#clear crypto sa entry destinationdestination-address: The local or remote-end peer IP
address
address
protocol
spi
[unrebuild]
protocol: The security protocol esp/ah
spi: spi number
Use the entry command to delete all security
associations that contains the specified address,
protocol and the SPI IPsec association.
Note:
1.
2.
3.
4.
When you finish clearing data, the IPsec association will be rebuilt, if allowed.
If a configuration changes that has litte effect on the security association, then the change doesnt have an effect on
the current security association and will have an effect on the coming security association. All security association
can be rebuilt through the command clear crypto sa. This way, these security associations can use this new
configuration. When the security association is built manually, if the configuration changes which usually has
little effect on security association then the command clear crypto sa must be used before the change becomes in
effect
When any security association is deleted, anything related to it will also be deleted. The inbound security
association and the outbound one are always built or deleted together.
In order to ensure the router processing the IPsec communication isnt affected, only clear the part security
associations contents.
Example:
Command
router#clear cry sa
router#clear cry sa map mymap
Task
Clears all security associations and rebuilds the
security association according to condition.
Clears all security associations created by the
encryption mapping mymap and rebuilds them.
H.
Configure parameters on IPsec NAT-Traversal
Configure IPSec-NAT traversal, and firstly probe whether there exists NAT in the network and perform the corresponding
processing of the existing NAT.
Specify NAT traversal for usage:
Syntax
Descriptions
router(config)# crypto nat-traversal enable
Specify no NAT traversal for usage:
Syntax
Enabled by default.
Descriptions
router(config)# no crypto nat-traversal enable

Specify the frequency of activating IPSec NAT:
Syntax
Descriptions
router(config)#
<1_550>
crypto
nat-traversal
keepalive
20 seconds by default.
When allocating an IP address to a host, the NAT equipment can ensure the useful-life (keepalive) of the new address, that is
to say that the address can still keep alive in the useful-life when there exists no flow. For example, the NAT equipment can
make an IP address, which is generated by the NAT equipment and has been unused for 20 seconds, invalid. So, IPSec
participator need send UDP packets periodically so that the NAT map can not be altered until the SA of phase 1 and phase 2
expires.
Note:
NAT equipment can provide corresponding session timeout interval according to different manufacturers and models. It is
very important to determine the timeout interval of the NAT equipment and set the activation frequency in the interval.
11.5.2 Monitoring and Debugging IPsec

The following commands are used in EXE mode to examine the IPsec configuration information:
To examine the tranformation set configuration:
Command
router#show crypto IPsec transform-set [tag
transform-set-name]
To examine the encryption mapping:

Command
router#show crypto map [interface
interface|tag map-name]
Description
tag transform-set-name (Optional.) This only displays
the translation set whose specified name is transformset-name. If the command name isnt used, all of the
sets on the router will be displayed.
Description
interface interface (Optional.) Only displays the specified
encryption map.
tag map-name (Optional) Only displays the
encryption map specified by map-name.
If the interface or tag command isnt used, all encryption
maps on the router will be displayed.
To examine the dynamic map set:

Command
router#show crypto dynamic-map
name]
Description
[tag] [map-
To examine the state information of IPsec NAT-Traversal:

Commad
router#show crypto nat-traversal
tag map-name: (Optional) the name of dynamic

map set.
Description
Examine the related staus information and whether
Ipsec has NAT-Traversal function.
Examine IPsec association information.

router#show crypto IPsec sa [map map-name|address ip-address |interface {interfacename|ip-address}|identity]
Syntax
Description
map map-name
(Optional.) Displays the existing security association
created by the encryption map map-name.
Address ip-addres
(Optional.) Displays the existing security association
whose address is specified.
Interface {interface-name|ip-address}
Displays the existing security associations appointed
to the interface. The interface IP address should
indicate the interface name. When it has been configured
with a specific identified interface, it should be displayed.

When the interface has many addresses, the addresses
should be displayed.
(Optional.) Displays dataflow only, notthe security
association information.
Identity
To display IPsec statistics:

router#show ip ?
Command
Ahstate
espstate
Description
Displays AH protocol stats
Displays ESP protocol stats
To clear IPsec statistics:

router#clear ip ?
Command
Ahstat
Espstat
Description
Clears AH protocol stats
Clears ESP protocol stats
Command
router#show crypto pfkeyv2 pfkeystate
router#clear crypto pfkeyv2 pfkeytate
router#show crypto IPSecout
router#clear
crypto
IPSecout
router#show
crypto
IPsec
router#show
crypto
spd
router#show
crypto
explist
To debug IPsec:
Command
router#debug IPsec
addr
state/version
{tx|rx|double}
router#no debug IPsec

{addr|all|tail|head}
router#debug esp
{tx|rx|double}
router#no debug
router#debug ah
rx|double}
router#no debug
esp
{addr|all|tail|head} {tx|
ah
Description
Displays statistic information about the pfkey socket.
Clears statistic information about the pfkey socket.
Displays the statistic value processed by the IPsec
input module.
Clears the statistic value processed by the IPsec input
module.
State: Displays IPsec state information.
Version: Displays IPsec version information.
Displays the dataflow information in the security
database of IPsec policies.
Displays the SAs overtime chain list.
Description
tx|rx|double: Input/output/bidirection
Observes the IP address and the data packet direction
entering the IPsec module.
Closes debugging.
addr|all|tail|head Address/datagram/the last 20
bytes20 / the start 20 bytes
tx|rx|double
Input/output/bidirection
Observes the IP address and direction of the datagram
that enters ESP module.
Closes debugging
Observea the IP address and the direction of the
specified data entering the AH module.
Closes debugging
11.5.3 IPsec Configuration Case
Network
segment
121.255.0.0
128.255.0.0 Network
segment
Router B
Router A
IPSec
121.255.255.162
f0
Tunn
el
s
2
s2
f0
128.255.255.161
1.1.1.1
1.1.1.2
Notes About The Preceeding Illustration:

1. Router A connects to Network Segment 121 through Ethernet interface f0. The address of f0 is 121.255.255.162.
2. Router B connects to Network Segment 128 through Ethernet interface f0. the address of f0 is 128.255.255.161.
3. Two routers connect through WAN to each other through the interface S2 and PPP protocol. They are set in
asynchronous mode. The S2 address in the router A is 1.1.1.2 and the S2 address in the router B is 1.1.1.1.
4. All protocols types will be processed in the dataflow from 121.255.0.0 to 128.255.0.0.
Router A Configuration:
Command
Task
router>en
router#conf
router(config)#int f0
router(config-if-fastethernet)#ip addr 121.255.255.162
255.255.0.0
router(config-if-fastethernet)#exit
Configures the IP address of the interface

and the link layer protocol. The link
layer protocol can be specified freely
when IPsec is used.
router(config-if-serial2)#phy asyn
router(config-if-serial2)#ip addr 1.1.1.2
255.255.255.255
router(config)#acc 1001 per ip 121.255.255.162
0.0.255.255 128.255.255.161 0.0.255.255
router(config)#cry ip tr test esp-des esp-md5-hmac
router(cfg-crypto-trans)#mo tu
Configures an access list used to

designate what dataflow the user wants
IPsec to process. The following
examples are all protocols. TCP/UDP
can be specified alone.
Configures how to protect the dataflow
securely. The encryption method is used
to encrypt data and protect the data cant
be recognized on the network. The
authentications (md5, sha1) are used to
assure data integrity and to guarantee the
data cannot be changed in
transportation.
Designates the tunnel mode to be used.
When the end address of the security
tunnel isnt equal to the end address of
the dataflow, the tunnel mode must be

applied. For users, the transport mode
isnt commonly used. The command is
optional and the default is the tunnel
mode.
router(config)#cry map map1 1 IPsec-m
Configures the encryption map 1.
router(cfg-crypto-map)#set peer 1.1.1.1
Designates the other ends peer address.
router(cfg-crypto-map)#set tr test
Designates the transformation set.
router(cfg-crypto-map)#match addr 1001
Designates the encryption access list.
router(cfg-crypto-map)#set ses i esp 1001 c

1234567812345678 a
1234567890123456789012345678901234
router(cfg-crypto-map)#set ses o esp 1001 c
1234567812345678 a
12345678901234567890123456789012
Sets the key and Security Parameter

Index (SPI) and it should respond to the
configuration of the end-to-end router.
The details refer to the corresponding
manual specifications.
router(config-if-serial2)#cry map map1
Applies the configuration to the S2

interface.
router#cle cry sa(no global configuration mode)
Makes configuration effective.
router(config)#ip route 0.0.0.0 0.0.0.0 s2
Configures default routing.
router(config)#exit
Now, configuration is complete. The following command is used to examine information:
router(config)#sh cr map
You can display the security encryption map as follows:
Crypto map: 'map1', 1,ipsec-manual
Peer = 1.1.1.1
Used on interface: serial2(1.1.1.2)
Extended ip access list 1001('1001')
access-list 1001('1001') permit any
source: addr = 121.255.255.162/255.255.0.0
dest: addr = 128.255.255.161/255.255.0.0
current peer 1.1.1.1
inbound esp spi: 1001
cipher key: ********
auth key:********
inbound ah spi: 0
key: (null)
outbound esp spi: 1001
cipher key: ********
auth key: ********
outbound ah spi: 0
key: (null)
router#sh cr ips sa
You can display the security association as follows:
================ Security Association Information ================
Interface: serial2
Local ident(addr/mask):(1.1.1.2/255.255.255.255)
Remote ident(addr/mask):(1.1.1.1/255.255.255.255)
Current peer: 1.1.1.1
Local crypto endpt:1.1.1.2, remote crypto endpt:1.1.1.1
inbound esp sas:
spi:0x3e9(1001), dstaddr: 1.1.1.1, sproto: ESP
transform: esp-des, esp-md5-hmac,
in use settings = {Tunnel}
IV size: 8 bytes
crypto map: 'map1',1
Replay detection support: N
outbound esp sas:
spi:0x3e9(1001), dstaddr: 1.1.1.2, sproto: ESP
transform: esp-des, esp-md5-hmac
IV size: 8 bytes
crypto map: 'map1',1
Replay detection support: N
Permitted flows:
Flow:Protocol: any
Source addr: 121.255.255.162/255.255.0.0
Destination addr: 128.255.255.161/255.255.0.0
Sport: any
Dport: any
router#sh cr ips sa id
You can display the dataflow information:
================ Flow Information ================
SA:Srcaddr:1.1.1.2
Dstaddr: 1.1.1.1
SPI: 1001
Security proto: 50(ESP)
Permitted flows:
Flow:Protocol: any
Source addr: 121.255.255.162/255.255.0.0
Sport: any
Dport: any
router#show cr spd
You can also display secure dataflow information:
--------------------------------------------------------------Flow - flow that uses this policy
Mask - flow mask
SA - SA to be used by this policy
--------------------------------------------------------------===================
flow :< src:
121.255.0.0 sport:any
>
< dst:
128.255.0.0 dport:any
proto:any
>
mask :< src:
255.255.0.0 sport:
0
>
< dst:
255.255.0.0 dport:
0 proto:
0>
SA
:< dst:
state:<UP refcount=
1.1.1.1
0>
spi: 1001 sproto:
50 >
router#show ip ip
To display statistics about communication packets:
Statistics for the ipip protocol:
0 total packets
0 total input packets
0 input packets drop by no buf
0 packets drop for error ip ver
0 packets dropped due to ip queue full
0 0 input byte
0 total output packets
0 output packets drop by no buf
0 0 output byte
router#show ip esp
To display statistics about IPsec encrypted packets:
router#sh ip esp
Statistics for the ESP protocol:
0 total packets
0 packet in esp_input() drop by no buf
0 packet drop for no SA
0 packet drop for no equal to SA
0 packet attempted to use an invalid SA
0 packet drop for no XFORM in SA
0 packet drop ip queue full
================ ESP NEW ==============
0 input ESP NEW proto packet
0 packet right
0 packet drop for no buf
0 packet drop for counter wrap
0 packet drop for too old
0 packet drop for replay
0 packet drop for err fill len
0 packet drop for bad packet len
0 packet drop for bad auth
0 packet drop for ssf error
0 input kbytes
0 output ESP NEW packet
0 packet right
0 packet drop for big than ip_MAXPACKET
0 packet drop for wrap
0 output kbytes
The hosts of Network Segment 121 will ping the hosts of Network Segment 128. After this command is finished, the router
statistics will indicate that packets been been encrypted. When the router senses the presence of a WAN line, the next IP
header protocol field is the esp protocol. The IP data packets passing through the system will be protected from outside
intrusion.
router#show ip ip
Statistics for the IPIP protocol:
8 total packets
4 total input packets
0 input packets drop by no buf
0 packets drop for error ip ver
0 packets dropped due to ip queue full
0 240 input byte
4 total output packets
0 output packets drop by no buf
0 240 output byte
router#sh ip esp
Statistics for the ESP protocol:
8 total packets
0 packet in esp_input() drop by no buf
0 packet drop for no SA
0 packet drop for no equal to SA
0 packet attempted to use an invalid SA
0 packet drop for no XFORM in SA
0 packet drop ip queue full
================ ESP NEW ==============
4 input ESP NEW proto packet
0 packet right
0 packet drop for counter wrap
0 packet drop for too old
0 packet drop for replay
0 packet drop for err fill len
0 packet drop for bad packet len
0 packet drop for bad auth
0 input kbytes
4 output ESP NEW packet
0 packet right
0 packet drop for big than ip_MAXPACKET
0 packet drop for wrap
0 output Kbytes
Use the same commands on router B to examine its configuration.
Router B Configuration:
Command
router>en
router#conf n
router(config)#int f0
router(config-if-fastethernet0)#ip addr 128.255.255.161
255.255.0.0
router(config-if-fastethernet0)#exit
router(config-if-serial2)#ip addr 1.1.1.1 255.255.255.255
router(config-if-serial2)#phy asyn
Task
router(config-if-serial2)#clo rate 64000

router(config)#acc 1001 per ip 128.255.255.161
0.0.255.255 121.255.255.162 0.0.255.255
router(config)#cry ip tr test esp-des esp-md5hmac
router(cfg-crypto-trans)#mo tu
Configures an access list

Configures how to protect the dataflow
securely.
Designates the tunnel mode that will be
used.
router(config)#cry map map1 1 IPsec-m
Configures the encryption map.
router(cfg-crypto-map)#set peer 1.1.1.2
Designates the other end address of the

tunnel.
Designates the transformation set that
will be used.
Designates the encryption access list.
router(cfg-crypto-map)#set tr test
router(cfg-crypto-map)#match ad 1001
router(cfg-crypto-map)#set ses i esp 1001 c
1234567812345678 a
12345678901234567890123456789012
router(cfg-crypto-map)#set ses o esp 1001 c 1234567812345678 a
1234567890123456789012345678901234
Sets the key and Security Parameter

Index (SPI).
router(config-if-serial2)#cry map map1
Applies the interface configuration, and

the operation will specifies the local end
address of the tunnel.
router#cle cry sa
Makes the configuration effective.
router(config)#ip route 0.0.0.0 0.0.0.0 s2
Configures the default routing.
11. 6 Encryption Module Usage

Features
Encryption Module Application
11.6.1 Features
High speed hardware encryption that is much faster than software encryption such as DES and 3DES etc.
128 bit encryption algorithms that allows for a high level of security index.
Hardware encryption that works without using up valuable CPU resources.
Applied IPsec and IKE that providing the esp-ssp02 encryption algorithm.
11.6.2 Encryption Module Application
The Maipu ENCRYPT hardware encryption module is installed in the security routers interior bus socket. which is invisible
from the outside or by the outside card in slot and so can provide the esp-ssp02 encryption algorithm, genius hardware
pseudo-random number and read/write interface used by Smart card, and can be used for IPsec and IKE to realize hardware
encryption
1)
Internet Protocol Security (IPsec) Encryption Mechanism Application
Command
router(config)#crypto IPsec transform-set
transform-set-name esp-ssp02
Description
After the encryption module has been installed, the
esp-ssp02 algorithm in IPsec configuration can be
applied when the transformation set is configured.
This method is similar to the one described in Section

5.
2) Internet Key Exchange (IKE) Encryption Mechanism Application

Command
router(config-isakmp)# encryption ssp02
Description
After the encryption module has been installed, the
IKE encryption algorithms in IISAKMP
policies
configuration mode can be specified
as esp-ssp02
encryption algorithms when the IKE policy is
created.
This method is very similar to the method described
in Section 7.
11.7 Configuring IKE

Configuring IKE
Monitor And Debugging IKE
Configuration Examples
11.7.1 Configuring IKE
A. IKE Switch
B. Create IKE Policies
C. Configure RSA Key Manually (Optional)
D. Configure The Shared Key In Advance (Optional)
E. Clear IKE Connection (Optional)
F. Configure IKE Aggressive Mode (Optional)
G. Configure IKE Autobuilding Tunnel for IPsec (Optional)
IKE Switch and Mode Choice
Command
router(config)#crypto isakmp enable
router(config)#no crypto isakmp enable
Description
Opens default mode.
Closes default
Note:
1. If a terminal closes IKE, then all IPsec terminals must close IKE.
2. When IKE is closed all operations, IKE remains invalid until it is opened once more.
When IKE is closed, IPsec only has manual configuration functions and doesnt support key lifetime and anti-replay
functions. IKE uses UDP port 500 or port 4500 (in NAT-Traversal) to assure that communications wont be blocked in the
IKE and IPsec interfaces.
Create IKE Policies
IKE policies describes which security parameters are applied to protect subsequent IKE negotiation. Each terminals
security association (SA) will identify the security parameters after both terminals agree on a policy. The SA is applied to
the subsequent IKE communication during negoiation.
Each IKE policy has the following parameters:
Encryption algorithm
Hash algorithm
Authenticating method
Diffie-Hellman groupware identification
Lifetime of IKE security association
The following commands are executed as the following steps to configure security policy:
Step One: Enter ISAKMP policy configuration (config-isakmp) mode commands in global configuration mode.
Command
Description
router(config)#crypto
isakmp policy priority
router(config)#no crypto
[priority]
isakmp policy
Example:
Command
router(config)# crypto isa po 123
Priority: 19999
IKE policy identity: Default10000 is the least.
Cancels an IKE policy.
Task
Creates an IKE policy with the priority 123 and enters
config-isakmp configuration mode.
Step Two: Designate IKE encryption methods in ISAKMP policy configuration mode.
Command
Description
router(config-isakmp )# encryption
Des: Designates use of the encryption algorithm des.
des|3des|blowfish|ssp02
3des: Designates use of the encryption algorithm
3des.
Blowfish: Designate use of the encryption algorithm
blowfish.
ssp02: Designates use of the encryption algorithm
ssp02 (using a hardware encryption module).
router(config-isakmp)# no encryption
Renews the IKE encryption algorithm back to the
default algorithm (des).
Example:
Command
router(config-isakmp)# encry 3des
router(config-isakmp)#no encry
Task
Designates use of the encryption algorithm 3des in
the policy.
Designates use of the default encryption algorithm
des in the policy.
Step Three: Designate IKE authentication method in ISAKMP policy configuration mode:
Command
Description
router(config-isakmp)# authentication{rsarsa-sig: Designates RSA signature
sig|pre-shared}
authentication to be used.
pre-shared: Designates the pre-shared key
authentication to be used.
router(config-isakmp)#no authentication
Designate the use of a default authentication
method pre-shared key.
Example:
Command
router(config-isakmp)#authen rsa-sig
router(config-isakmp)#no authe
Task
Designates the RSA signature authentication method
to be used in the policy.
Designates the default pre-shared key authentication
method to be used in the policy.
Step Four: Designate IKE hash method in ISAKMP policy configuration mode:
Command
Description
router(config-is)#hash sha|md5|rmd160
Sha: Designates use of the hash algorithm sha.
md5: Designates use of the hash algorithm md5.
rmd160: Designates use of the hash algorithm rmd160.
router(config-isakmp)#no hash
Renews the hash method to the default algorithm SHA
Example:
Command
router(config-isakmp)#hash md5
router(config-isakmp)#no hash
Task
Designates the hash algorithm md5 to be used in
the policy.
Designates the hash algorithm SHA to be used in the
policy.
Step Five: Designates the Diffie-Hellman groupware used by IKE in the ISAKMP policy configuration mode:
Command
Description
router(config-isakmp)#group 1|2|5
1 Designates the 768-bit Diffie-Hellman groupware
to be used.
to be used.
to be used.
router(config-isakmp)#no group
Resumes to the default 1768 bit Diffie-Hellman
groupware.
Example:
Command
router(config-isakmp)#group 2
Task
Designates the 1024-bit Diffie-Hellman groupware
to be used.
Step Six: Designates the IKESA lifetime in seconds in ISAKMP policy configuration mode
Command
Description
router(config-isakMP)#lifetime seconds
Seconds
router(config-isakMP)#no lifetime
Renews the lifetime to the default time: 86,400
seconds.
Note:
1.
2.
When IKE begins to negotiate, the first thing you should do is agree on the consistent parameters to be set for each
session. The SA on each terminal will refer to these parameters, and each terminal will reserve SA until its lifetime
expires. Before SA expires, the parameters can be reused by the subsequent IKE negotiation. This can save some
time when a new IPsec SA is set. Some of these parameters are negotiated before the SA expires.
When the local terminal begins to negotiate with the remote terminal, whichever terminals lifetime is the shortest
will be the one selected by the system.
Step seven: Return to global configuration mode:

Command
router(config-isakmp)#exit
Description
Returns you to global configuration mode.
C. Configure RSA Key Manually Based On IKE Parameters

1. Setting ISAKMP identity
Command
router(config)#crypto isakmp identity {address
|hostname }
router(config)#no crypto isakmp identity
Description
hostname: ip address/host name
Cancels ISAKMP identity.
Note:
1.When only one IP address exists, its used as the ISAKMP identity. When many interfaces are used to negotiate
IKE and the IP address is unknown, the hostname should be applied.
2. When the RSA key mode is configured manually for IKE negotiation, you should use the command crypto
isakmp rsa-sig-cert no-optional to keep it effective.
Example:
Command
router(config)#crypto isa identi host
router(config)#ip host hostname address1 [address2
address8]
router(config)#no ip host hostname address
Task
Defaults the ISAKMP identity of the local host as the
hostname router.
Configures all remote terminals, if the ISAKMP
identity is the hostname, then the terminal hostname is
mapped to the IP address on all remote terminals.
Cancels the mapping.
[address1 address2 address8]

If myrouter and yourrouter are a pair of terminals, then use the above commands on myrouter to configure ISAKMP
identity. At the same time, the remote hostname and address mapping need to be configured on yourrouter.
Command
Task
router(config)#ip host yourrouter.domain.com
Specifies IP addresses.
121.255.254.202 2.2.2.3
router(config)#no ip host yourrouter 121.255.254.202
Removes 121.255.254.202 from the address mapping.
If an IP address isnt specified, all host addresses will
be deleted.
2. Configure the RSA public-key exponent
Command
router(config)#crypto key public-exponent
{3|17|65537}
3. Generate RSA key.

Command
router(config)#crypto generate rsa [usage-keys]
Description
The RSA key index can be specified before the RSA
public key is generated. It can be 3,17 or 65537.
The default is 65537.
The router and its peer can use different public key
exponents. The new public-key exponent wont go
into effect until the new RSA key is generated again.
Public-key exponents of two ends can be different.
Description
Usage keys.
Designates the RSA signature key to be generated,
not the common key pair.
Default mode: the RSA key doesnt exist. A
common key pair is generated when there are no
usage-keys. (Note: Only the RSA signature pairs will
be generated at the present time.)
Note:
1. Ensure the routers host name or IP domain name has been configured.
2. If the RSA key exists, the new key will substitute the existing key that has the same name.
3. If a common purpose key needs to be generated, a pair of RSA keys will also be generated. These RSA keys will be
used together with the IKE policy to designate the RSA signature.
4. The size of the key modules must be set when the RSA key is generated. Its size should be not less than 512 bits.
5. The command can be used to generate the public key pair. The private key pair will remain invisible.
Example:
router(config)# cry key ger rsa us
The name for the keys will be: lincx
Choose the size of the key modulus in the range of 512 to 2048 for your General Purpose Keys.
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus(Ctrl+E to exit)[512]?
Generating RSA key (modulous is 512 bits)................................................................. Done.
# RSA 512 bits, myrouter.domain.com, THU JAN 01 00:02:08 2001
# RFC2537 format RSA Pubkey:
010368a9 73f587e9 8a8487ce a6fb676f b5ae6889 ed840cac c6e6104c 7c180e52
90d42e0b f787a7ef 83cf b1b0 6c2eef49 c1392ec9 85b989e5 8ed61a8 bdc3468e
21520798 55
Note: Each of the eight numbers are displayed in a segment for reading ease. The blank character is invalid.
4. Delete all RSA keys
Command
Description
router(config)#crypto key zeroize rsa
Permanently deletes all local RSA keys.
5.
Designate the RSA public keys for all the other terminals
Step One: If the RSA public key is used, then all remote-end RSA public keys must be configured locally:
Command
router(config)#crypto key pubkey-chain rsa
Description
Enters config-pubkey-chain mode
Step Two: Enter config-pubkey-key mode:

router(config-pubkey-chain)#[no][ named-key][ addressed-key] key-address [encryption|signature]
Syntax
Description
Key-name
Designates the RSAs remote terminal key name. It is
always the remote terminals whole valid domain
name.
Key-address
Designates the IP address of remote terminals RSA
key.
Encryption
Designates the encryption key when no keys are
used.
signature
Designates the signature key when no keys are used.
If the IPsec remote terminal generates the signature
key, the signature key is used with the command and
its key-string.
If the IPsec remote terminal generates the encryption
key, the encryption key is used with the command
and its key-string.
If the named-key command is used, then the public
key configuring command address is used to
designate the terminals IP address.
Example:
Command
router(config-pubkey-chain)#named-key
yourrouter.domain.com sig
Task
Step three: If the whole valid domain name is used in the second step to name the remote terminal (the command namedkey), then you can specify its IP address. The command can be used when only one router interface processes IPsec.
Example:
Command
Task
router(config-pubkey-key)#address 192.68.66.65
Step four: Start to input the encryption key-string data after the command key-string is executed in config-pubkey-key
mode:
Designate the remote terminals RSA public key.
routers previous RSA key.
Command
router(config-pubkey-key)#key-string [help]
The key can be seen when the remote terminals manager generates the
Description
Input the key in hexidecimal form. While inputting
this, the keyboards CTRL key can be pressed to
input data continuously.
Before the command is
used, the command addressed-key or named-key
must be used to identify the remote terminal.
Use the help function to display information about
public key operation.
Step Five: Quit (or Ctrl+E)

When the public key is inputted, press Ctrl+e or input enter and then quit to end the public key tasks and return to the
config-pubkey-key mode.
Step Six: Return to global configuration mode.
Command
router(config-pubkey-key)#exit
6.
Description
Returns to global configuration mode
Delete all RSA public keys.
In the public key configuration mode, the command no key-name or no key-address can be used to delete the terminal
peers public key. The following command can also be used to delete all public keys:
Command
Description
router(config)#crypto pubkey-chain zeroize
Clears all RSA public keys at the opposed end when
your terminal doesnt have a key.
Note: The command only clears the public key information in memory. You cant alter the information in the configuration
file without rewriting it.
D. Configure A Pre-Shared Key
If the authentication method specified in the IKE policy is a pre-shared key, then the pre-shared key must be configured.
Before the pre-shared key is configured, the ISAKMP identity of each terminal must be first setup.
Use the following commands to configure the pre-shared key in global configuration mode:
Command
Description
router(config)#crypto isakmp key keystring
Keystring: the pre-shared key
address peer-address
peer-address: IP address of the remote terminal
router(config)#crypto isakmp key keystring
peer-hostname: the remote terminals host name
hostname peer-hostname
keystring: designates the pre-shared key. It can be
any combination of numbers and characters.
router(config)#no crypto isakmp key address Cancels the pre-shared key
peer-address
Cancels the pre-shared key
router(config)#no crypto isakmp key
hostname peer-hostname
Note:
1.
2.
3.
4.
5.
No matter where a pre-shared key is specified in IKE policy, that key must be configured.
You must know the identity of the key you wish to configure. You can find out by inputting crypto
identity.
You must configure the pre-shared key on both terminals at the same time.
If the ISAKMP IP address has been set in the remote terminal, then the address key is used.
If the ISAKMP host has been set in the remote terminal, then the hostname key is used.
ISAKMP
When the hostname key word is used, the remote terminals hostname can also be mapped to all of its IP address interfaces
that may be used in the IKE negotiation. (The command ip-host completes this function.) You must do this mapping,
unless the hostname has been already been mapped to the IP address on the DNS server.
Example:
Command
router(config)#cryp isa key
123456789abcdefghijdlm hostname
yourrouter.domain.com
E. Clear IKE Connection
Command
router#clear crypto isakmp [connection-id]
Task
Description
connection-id: Clears the link. When optional
parameters arent used, all IKE links will be deleted.
F. Configure IKE Aggressive Mode

According to the factual need in application you can configure Aggressive Mode as the negotiation mode in the first phase of
IKE negotiation and it is normally set as Main Mode.
Use the following command in the global configuration mode to specify the peer adopting the Aggressive Mode:
Command
Description
router(config)#crypto
ipaddress
isakmp
peer
ip-address
Ipaddress: the IP address of the peer adopting

the Aggressive Mode.
Use the following command in global configuration mode to specify the peer adopting not the Aggressive Mode but Main
Mode:
Command
Description
router(config)#no crypto isakmp peer ip-address
ipaddress
Ipaddress: the IP address of the peer adopting

not the Aggressive Mode but Main Mode.
Note:
This configuration has effect on only one peer only when it will initiate the first phase IKE negotiation to the other end,
but it is not effective when accept the negotiation request from the remote.
G. Configure IKE Autobuilding Tunnel for IPsec
According to the factual need you can set whether the IKE auto-negotiation is enabled or not. After it is enabled and effective,
adopt the IKE to manage all encryption map sets of the key and immediately notify IKE of starting to auto-negotiate and
generate an IPsec security alliance, instead of using the data flow to trigger the negotiation.
Command
Description
router(config)#crypto ike auto-build
Adding the keyword no before the command

represents the configuration will be canceled.
Note:
The configuration takes effect globally, that is to say that it is valid for all ipsec-isakmp encryption map sets that
have applied to interfaces and have been configured completely. Howerver, the configuration takes no effect on a dynamic
encryption map set and an encryption map item (a template item) to which the dnynamic encryption set is mapped
11.7.2 Monitoring And Debugging IKE

1.
Monitoring IKE
The following series of commands can be executed to display relative IKE data in EXEC mode.
1. To display the ISAKMP policy:
Command
Description
router#show crypto isakmp policy
Priority: Priority level
[priority]
Displayed contents include: priority, encryption
algorithm, hash algorithm, authentication mode,
Diffie-Hellman group and lifetime.
2.
To display the IKE SA information
router#show crypto isakmp sa
Command
Description
<Number>
sa-id: Displays detailed information of the specified
SA.
phase1
Displays first stage SA information
Quick
3.
To display the local public key
Command
router#show crypto key mypubkey rsa
4.
To display the local public key exponent
Description
Displays the routers RSA public key
Displayed contents include: generation time,
name, purpose (signature, encryption) and key.
Command
router#show crypto key public-exponent
Description
5.
To display the hosts corresponding public key
Command
Description
router#show crypto key pubkey-chain
Displays the router terminals RSA public key. The
rsa[name key-name | address key-address]
key includes the RSA public key configured manually
on the router.
Use the name or address keys to store detailed RSA
router information.
The displayed contents include: generation manner
(manual), purpose (signature, common), IP address
and name.
When these key words (name or address) are used,
the displayed contents are: name, IP address, purpose,
generation manner and keys.
6.
To display the local ISAKMP identity, plus the remote hosts ISAKMP identity and address map:
Command
Description
router#show crypto isakmp identity local|remote
Local: Displays the ISAKMP identity of the local
host.
Remote: Displays the ISAKMP identity and address
map list of the remote-end host.
7. To display the IKE connection
Command
router#show isakmp connection
Description
8. To display the information about the identity of the peer adopting the IKE Aggressive Mode.
Command
Description
router#show crypto isakmp peer
2.
IKE Debugging
1. Use the following debugging commands to observe IKE procedure information in EXEC mode:
router#[no] debug crypto isakmp {normal|packet|serious}
Syntax
Description
Normal
Displays the procedure information. The default
status is close.
Packet
Displays the information of the message. The default
status is close.
Serious
When system errors occur, error information is
presented here. The default status is open.
No
Closes the debugging data display
2. Use the following command to activate the IKE send negotiation in EXEC mode:
router#debug init ike connection-id {pending|phase1}
Syntax
Description
connection-id
Designates the IKE send negotiation connection
number. This number can be seen through the
command show crypto isakmp connection.
pending
Designates an entire IKE negotiation and builds IPsec
SA.
phase1
Designates that the first stage of IKE negotiation
should be finished.
11.7.3 Configuration Examples
128.255.0.0 Network segment

Router
121.255.0.0 Network segment

Router B
A
Security
tunnel
128.255.254.201
f0
s
2
s2
f0
121.255.254.202
2.2.2.3
2.2.2.2
Notes About The Preceeding Diagram:

1. Router A connects with Network Segment 128 through Ethernet port f0. The IP address of f0 is 128.255.254.201.
2. Router B connects with Network Segment 121 through Ethernet port f0. The IP address of f0 is 121.255.254.202.
3. Router A connects with B through WAN port s2 via PPP encapsulation, synchronization and 64,000 clock rate.
The S2 address of Router A is 2.2.2.2 and the S2 address of Router B is 2.2.2.3.
4. Protects the WAN segmant data by encryption.
The corresponding IPsec configuration must be performed in order for IKE to be used. For the purposes of illustrating the
preceding example, suppose the corresponding configuration hadnt been performed. Router A would have to be configured
first.
Router A:
Command
IPsec Configuration:
Configure an encryption transform set:
routera(config)#cr ips tr t0 esp-3des ah-sha-hmac
routera(cfg-crypto-trans)#ex
routera(config)#cr ips tr t1 esp-des esp-md5-hmac
routera(cfg-crypto-trans)#ex
Configure an access list:
routera(config)#acc 1001 permit ip 128.255.0.0
0.0.255.255 121.255.0.0 0.0.255.255
Configure the encryption map:
routera(config)#cr map map1 1 IPsec-i
routera(cfg-crypto-map)#set tr t0 t1
routera(cfg-crypto-map)#set peer 2.2.2.3
routera(cfg-crypto-map)#match addr 1001
routera(cfg-crypto-map)#set pfs group2
routera(cfg-crypto-map)#set secur life sec 2000
routera(cfg-crypto-map)#set secur life kilo 3800000
Apply the encryption map:
routera(config)#int s2
routera(config-if-serial2)#ip addr 2.2.2.2 255.255.0.0
routera(config-if-serial2)#encap ppp
routera(config-if-serial2)#phy syn
routera(config-if-serial2)#clock rate 64000
routera(config-if-serial2)#no ip route-c
routera(config-if-serial2)#cr map map1
routera(config-if-serial2)#ex
IKE Configuration:
Configure IKE security policy:
Task
routera(config)#cr isa pol 100

routera(config-isakmp)#auth rsa-sig
routera(config-isakmp)#enc 3des
routera(config-isakmp)#hash md5
routera(config-isakmp)#group 2
routera(config-isakmp)#life 4000
routera(config-isakmp)#ex
Configure ISAKMP identity, hostname and address
mapping:
routera(config)#cr isa id host R-A
routera(config)#ip host R-B 2.2.2.3 121.255.254.202
Generate RSA signature key:

routera(config)#cr key gen rsa
The name for the keys will be: R-A
Choose the size of the key modulus in the
range of 512 to 2,048 for your Signature Keys.
Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus [512]?
Generating RSA key (modulous is 512
bits)............ Done.
# RSA 512 bits, R-A, FRI MAY 25 00:10:28 2001
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00
c75ac94b 6750dc3e 80b3e27b
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00
c75ac94b 6750dc3e 80b3e27b
123abcd1 34
routera(config)#cr key pub rsa
routera(cfg-pubkey-chain)#named R-B
routera(cfg-pubkey-key)#key-str
Input public key (Ctrl+E to exit):
010358e7 99f1a220 574aea3e f6d99e7f 355d7210
ec027aab 81b7bb1b 480aed6e
1c39f8de 7e4d8031 9978442f 3db86a53 c6da6046
f43a2950 8ce131ff 61a23eaf
f6571234 22
ê
routera(cfg-pubkey-key)#ex
routera(cfg-pubkey-chain)#ex
The local ISAKMP identity is R-A, and it is

independent of the hostname configured by the
hostname command in global configuration
mode.
Configures ISAKMP identity with the remoteends corresponding IP address of R-B.
Because the authentication method rsa-sig has
been configured in the policy, the RSA signature
pair must be generated on the local host. If
pre-shared has been adopted, then the following
operation to generate and configure the remote
terminals key neednt be performed, but the
pre-shared key must be configured.
Generats the RSA public key
Configures the remote-end public key that is

generated from R-B.
If the pre-shared key in IKE policy is the

authentication method, then the signature key
neednt be generated and the remote-end public
key neednt be configured. The pre-shared key
needs be configured, though.
routera(config)#cr isa key

Configures the pre-shared key shared with R-B.
123456781234567812345678 hostn R-B
Configure routing: (Optional)
reoutera(config)#ip route 0.0.0.0 0.0.0.0 s2
Make the configuration take effect:
routera #clear cry sa
Router B:
The similar configuring procedure is performed on Router B:
Command
Task
routerb(config)#cr ips tr t1 esp-3des ah-sha-hmac
routerb(cfg-crypto-trans)#ex
routerb(config)#cr ips tr t2 esp-des esp-md5-hmac
routerb(cfg-crypto-trans)#ex
routerb(config)#acc 1001 permit ip 121.255.0.0 0.0.255.255
128.255.0.0 0.0.255.255
routerb(config)#cr map map2 1 IPsec-i
routerb(cfg-crypto-map)#set tr t1 t2
routerb(cfg-crypto-map)#set peer 2.2.2.2
routerb(cfg-crypto-map)#match addr 1001
routerb(cfg-crypto-map)#set pfs group2
routerb(cfg-crypto-map)#set security life sec 2000
routerb(cfg-crypto-map)#set security life kilo 3800000
routerb(cfg-crypto-map)#ex
routerb(config)#int s2
routerb(config-if-serial2)#ip addr 2.2.2.3 255.255.0.0
routerb(config-if-serial2)#encap ppp
routerb(config-if-serial2)#phy syn
routerb(config-if-serial2)#no ip route-c
routerb(config-if-serial2)#cr map map2
routerb(config-if-serial2)#ex
routerb(config)#cr isa po 100
routerb(config-isakmp)#auth rsa-sig
routerb(config-isakmp)#enc 3des
routerb(config-isakmp)#hash md5
routerb(config-isakmp)#group 2
routerb(config-isakmp)#lifet 4000
routerb(config-isakmp)#ex
router(config)#cr is id host R-B
router(config)#cr k g r
The name for the keys will be: R-B
Choose the size of the key modulus in the range of 512
to 2,048 for your Signature Keys.
Choosing a key modulus greater than 512 may take a
few minutes.
How many bits in the modulus [512]?
Generating RSA key (modulous is 512 bits)
........... Done.
# RSA 512 bits, R-B, FRI MAY 25 00:18:00 2001
010358e7 99f1a220 574aea3e f6d99e7f 355d7210 ec027aab
81b7bb1b 480aed6e
1c39f8de 7e4d8031 9978442f 3db86a53 c6da6046 f43a2950
8ce131ff 61a23eaf
f6571234 22
routerb(config)#cr key pub rsa

routerb(cfg-pubkey-chain)#named R-A
routerb(cfg-pubkey-key)#key
Input public key (Ctrl+E to exit):
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b
6750dc3e 80b3e27b
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b
6750dc3e 80b3e27b
123abcd1 34
ê
routerb(cfg-pubkey-key)#ex
routerb(cfg-pubkey-chain)#ex
If the pre-shared key for the
authentication method has been specified
in the policy, then configure the preshared key.
routerb(config)#cr isa key 123456781234567812345678 host RA
routerb(config)#ip route 0.0.0.0 0.0.0.0 s2
routerb#clear cr sa
Note:
1.
2.
If the RSA signature authentication method is chosen, then the RSA public key must be configured with each other.
You can now perform communication to make IKE work. There two kinds of methods you can use to test this:
You can ping messages from one Ethernet segment to another Ethernet segment. This will activate IKE to start
negotiation and build an IPsec SA.
The debug init ike 1 pend command can also be used in EXE mode to make IKE start negotiation.
The display command is used to show the following information:

Examining IKE policy
routera#sh cr isa po
Protection suite priority 100
encryption algorithm: 3DES - Treble Data Encryption Standard
hash algorithm: MD5 - Message Digital 5
authentication method: RSA Signature - Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bits Diffie-Hellman group)
lifetime: 4000 seconds
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: SHA - Secure Hash Standard
authentication method: Pre-shared key
Diffie-Hellman group: #1 (768 bits Diffie-Hellman group)
lifetime: 86400 seconds
Examining IKE SA
routera#sh cr isa sa
localaddr
peeraddr
2.2.2.2
2.2.2.3
state
OAK_QM_IDLE
sa-id
: MAIN_R3
Examining IPsec SA
routera#sh cr ips sa
================ Security Association Information ================
Interface: serial2
Crypto map tag: map1, entry seq-num: 1 , local addr: 2.2.2.2
Local ident(addr/mask):(2.2.2.2/255.255.255.255)
Remote ident(addr/mask):(2.2.2.3/255.255.255.255)
local crypto endpt: 2.2.2.2, remote crypto endpt: 2.2.2.3
inbound esp sas:
spi:0X71ac1d29 (1907105065)
transform: esp-3des,
Current input 31680 bytes
Replay detection support: Y
outbound esp sas:
spi:0X18eb1a47 (418060871)
transform: esp-3des,
group sa's SPI: 0X18eb1a48 (418060872)
sa timing: remaining key lifetime(k/sec):(3799969/1902)
Current output 31680 bytes
Permitted flows:
Flow:Protocol: any
Source addr: 128.255.0.0/255.255.0.0
Sport: any
Dport: any
inbound ah sas:
spi:0X71ac1d28 (1907105064)
transform: ah-sha-hmac
in use settings = {Transport}
Current input 32160 bytes
outbound ah sas:
spi:0X18eb1a48 (418060872)
transform: ah-sha-hmac
in use settings = {Transport}
group sa's SPI: 0X18eb1a47 (418060871)
Current output 32160 bytes
Examining RSA local terminal public key
routera#sh cr key mypu rsa
Key name: R-A
Usage: RSA Signature Key
Key Data:(0x):
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b 6750dc3e 80b3e27b
7f3da22f f139e66a 8d37539b 14e7a57e 93948f00 c75ac94b 6750dc3e 80b3e27b
123abcd1 34
Examining RSA remote terminal public key
routera#sh cr key pub rsa
Codes: M - Manually Configured,
C - Extract from certificate
Code
Usage
ip address
M
Signature
Name
R-B
Examining the detailed RSA public key data of the appointed remote terminal
routera#sh cr key pub rsa name R-B
Key name: R-B
Key address: (null)
Usage: RSA Signature Key
Source: Manual
Data:(0x):
010358e7 99f1a220 574aea3e f6d99e7f 355d7210 ec027aab 81b7bb1b 480aed6e

1c39f8de 7e4d8031 9978442f 3db86a53 c6da6046 f43a2950 8ce131ff 61a23eaf
f6571234 22
Examining the local ISAKMP identity
routera#sh cr isa id l
Local ISAKMP identity: R-A
Examining the remote ISAKMP identity
routera#sh cr isa id r
Remote ISAKMP identity: R-B
with addrlist: 2.2.2.3 121.255.254.202
11. 8 Configure Virtual Private Dial-up Network (VPDN)

This section mainly describes all commands that are necessary to configure virtual private dial-up network (VPDN). Its
primary contents are as follows:
Global VPDN configuration
Special LAC configuration
Special LNC configuration
VPDN tunnel configuration
Virtual template interface configuration
VPN configuration example
VPDN monitoring and debugging
Notice
Presently, VPDN only supports PPP dial-up, and the tunneling protocol only supports L2TP.
11.8.1 Global VPDN Configuration
Enable/Disable VPDN
To configure any VPDN, we should enable it firstly. Only after VPDN is enabled, can some commands, which are used to
configure LAC/LNS for L2TP dialin, be employed by users.
vpdn enable
It is very simple to enable VPDN. To enable VPDN, use the following global configuration command:
vpdn enable
Configuration mode Global configuration
no vpdn enable
Stop using VPDN. To disable VPDN, use the following global configuration command:
no vpdn enable
Create/ Delete a VPDN Group
The VPDN group is a mechanism, permitting us to organize all VPDN commands relative with devices (such as VPDN
etc.) into an independent group. This mechanism can specify whether Maipu router is one of four L2TP (Layer 2 Tunneling
Protocol, L2TP) devices (LAC (L2TP Access Concentrator, LAC) dialin, LAC dial-out, LNS (L2TP Network Server, LNS)
accept-dialin and LNS accept-dial-out). Once the VPDN group is configured as a L2TP device (LAC or LNS), then it cant
be changed any longer. By means of utilizing multiple VPDN groups, we can make a router become a LAC or LNS.
vpdn-group
Employ the following configuration commands to create a VPDN group:
vpdn-group vpdn-group-number
Syntax
Descriptions
vpdn-group-number
It is the name of the VPDN group, and
its type is NUMBER.
no vpdn-group
Employ the following configuration commands to delete a specified VPDN group:
no vpdn-group vpdn-group-number
Syntax
vpdn-group-number
Descriptions
It is the name of the VPDN group, and
its type is NUMBER.

VPDN Configuration Keywords
The purpose of each keyword is to describe the activities executed by L2TP devices. When a user is performing the LAC
dialin, LAC must request the dialin service from LNS and LNS need accept the dialin service. And when a user is performing
the LNS dialout, LNS must request the dialout service from LAC and LAC need accept the dialin service.
Multiple VPDN groups can be used to configure Maipu router so that it can serve as one of four devices (LAC dialin, LAC
dialout, LNS accept-dialin and LNS accept-dial-out).
The following commands can be employed to specify which keyword each L2TP can use and enter the corresponding
device configuration.
Syntax
Descriptions
request-dialin
Configure VPDN request-dialin.
request-dialout
Configure VPDN request-dialout.
accept-dialin
Configure VPDN request-dialin group.
accept-dialout
Configure VPDN request-dialout group.
Configuration mode the VPDN group configuration mode
Notice:
Presently, LAC request-dialin and LNS request-dialout have been realized.
11.8.2 Special LAC configuration
Enter the special LAC configuration mode when the VPDN group selects the keyword request-dialin for the L2TP device.
Specify the IP Address of the corresponding LNS
To make LAC find LNS according to VPDN group configuration information, employ the following command to specify
the IP address:
initiate-to ip ip-address
Syntax
Descriptions
ip-address
It is the IP address of LNS and its type
is regular IP address.
Configuration mode the LAC request-dialin configuration mode
Identify LAC
To establish a tunnel, LAC and LNS need be identified by each other. According to LAC identification, LNS can find the
corresponding VPDN-GROUP from its configuration and send back its own identification so that LAC can apply the
identification to the command show. For LAC, the identification, which LNS adopts during the course of establishing a
tunnel, isnt important, but LAC must correctly identified itself, or else, LNS has no way to find the VPDN group related
with LAC.
Employ the following command to configure the identification:
local name lac-host-name
Syntax
Descriptions
lac-host-name
It is the name LAC uses to identify himself to LNS,
and its type is STRING.
Specify VPDN Protocol for a VPDN Group
After a VPDN-GROUP is created, the VPDN protocol need be specified for it. Presently, L2TP (Lay 2 transport
protocol) is a practical protocol.
Employ the following command to specify the protocol for a VPDN-GROUP:
protocol vpdn-protocol
Syntax
Descriptions
vpdn-protocol
The VPDN group employs the L2TP protocol.
Presently, only the protocol can be used.
Specify a Method for LAC to Identify L2TP Users
When a user dials in a LAC, LAC needs a method to identify his domain name. The L2TP user can add one domain name
to the username (for example, maipu.com is the domain name of jmj@maipu.com) so that the mapping between the user and
LNS can be established.
domain domain-name
Syntax
Descriptions
domain-name
It is the domain name employed to relate the user
with LNS, and its type is STRING.
11.8.3 Special LNS Configuration
Enter the special LNS configuration mode when the VPDN group selects the keyword accept-dialin for the L2TP device.
Specify the Name to Identify LNS
To establish a tunnel, LAC and LNS need be identified by each other. According to LAC identification, LNS can find the
corresponding VPDN-GROUP from its configuration and send back its own identification so that LAC can apply the
identification to the command show. For LAC, the identification, which LNS adopts during the course of establishing a
tunnel, isnt important, but LAC must correctly identified itself, or else, LNS has no way to find the VPDN group related
with LAC.
local name lns-host-name
Command
Descriptions
lns-host-name
It is the name of LNS provides to LAC, and its type
is STRING.
Configuration mode the LNS accept-dialin configuration mode.
Specify the Name to identify LAC:
When LAC need establish a LNS tunnel, LAC sends its identification to LNS, then, LNS finds the corresponding VPDN
group to perform the identification.
Employ the following command to configure the identification of LAC:
terminate-from hostname lac-host-name
Command
Descriptions
lac-host-name
It is the name of LAC provides to LNS, and its type
is STRING.
Configuration mode the LNS accept-dialin configuration mode
Specify the Virtual Template Interface
TO stop the existing L2TP session, there must be an interface to stop the session.
In fact, a L2TP packet is a PPP packet with an additional data header. Once the header is removed, the PPP packet can
work. To make the PPP packet take effective, a virtual access interface that can understand the data of PPP packet head is
dynamically established by a virtual template interface specified in VPDN-GROUP. Once a virtual template interface is
specified, the virtual access interface should be generated and configured correctly so that it can understand the data of PPP
packet.
Employ the following command to specify which virtual template interface in VPDN-GROUP is used to create a virtual
access interface in VPDN-GROUP during the course of session establishment:
virtual-template virtual-template-number
Command
Descriptions
virtual-template-number
Specify the virtual template number that is used during
the course of session establishment, and its range is from <125>.

Specify the VPDN Protocol in a VPDN Group
After a VPDN-GROUP is created, the VPDN protocol to be used can be configured. Presently, only L2TP (Layer 2
Tunneling protocol) is the practical protocol that has been realized.
Employ the following command:
protocol vpdn-protocol
Command
vpdn-protocol
Descriptions
The VPDN group employs the L2TP protocol. Presently,
only the protocol can be used.
11.8.4 Configure VPDN Tunnel

Specify the Share Password of Tunnel
To establish a tunnel successfully, LAC and LNS must employ the share password to identify each other. The share
password is configured in the corresponding VPDN-GROUP. You can employ the following VPDN-GROUP configuration
command to configure the share password that is employed during the course of identifying the tunnel.
Use the following command to specify the share password:
l2tp tunnel password password
Command
Descriptions
password
It is the share password of a tunnel, and its type is
STRING.
Specify the receive-window-size of a tunnel
The receive-window-size of a tunnel can be specified through the following command in the VPDN group configuration:
l2tp tunnel receive-window receive-window-size
Command
Descriptions
receive-window-size
It is the receive-window-size, and its range is <4300>.
11.8.5 Configure the Virtual Template Interface
Once the virtual template interface number is specified on LNS, its corresponding virtual template need be created on LNS
so that the virtual template interface can clone a virtual access interface dynamically during the course of establishing a
tunnel and a session.
A virtual template interface is a logical entity----the configuration of a serial-port, instead of being related with a physical
interface. This logical entity can be dynamically applied on demand. A virtual access interface is a virtual interface, can be
dynamically created and configured.
Creating a Virtual Template Interface
To create a virtual template interface and enter the interface configuration mode, use the following command in the global
configuration mode:
interface virtual-template virtual-template-number
Command
Descriptions
Virtual-template-number
It is the virtual template number and its range is <0255>.
Configuration mode the Global configuration mode
Configure Other Relative Properties
A virtual template configuration can be added through PPP configuration commands, such as, encapsulation pppppp
authentication chap, and so on. The concrete configuration can refer to WAN Protocol Configuration Manual.
Besides commands shutdown and dialer, all other commands that can be acceptable for the serial interface can also be used
for the virtual template interface.
Configuration mode the Interface configuration mode
Notice
Be sure to perform the configuration strictly according to the configuration manual.

11.8.6 Example of VPDN Configuration
The example is shown as the following figure:
PPP dial-up
ISP, L2TP LAC
L2TP LNS
Figure 10-15
Illustration
Shown as the figure above, the PC dials in LAC through the remote dial-up, and the middle network is between LAC and
LNS.
LAC is configured as follows:
Command
Descriptions
Router(config)# vpdn enable
Enable VPDN.
router(config)# vpdn-group 1
Create a VPDN group
router(config-vpdn)#request-dialin
Permit the request-dialin of the VPDN
group.
router(config-vpdn-req-in)# protocol l2tp
Specify the L2TP protocol for the VPDN
group.
router(config-vpdn-req-in)#domain mp-2.com
Specify the domain name to relate a user
with a VPDN group.
router(config-vpdn)#initiate-to ip 192.168.10.2
Specify the IP address of LNS.
router(config-vpdn)# local name r3
Specify the name for LAC to identify itself
on LNS.
router(config-vpdn)# l2tp tunnel password 7 a
Specify the share password for
identification.
router(config-if-serial0/0)#physical-layer sync
Configure the serial-port as the
synchronous mode.
router(config-if-serial0/0)#encapsulation ppp
Encapsulate the protocol.
router(config-if-serial0/0)#ppp authentication pap
Configure the interface to employ the PAP
authentication.
router(config-if-serial1/0)#physical-layer async
asynchronous mode.
router(config-if-serial1/0)#encapsulation ppp
router(config-if-serial1/0)#ip address 129.255.14.66
Configure the IP address and subnet mask
255.255.255.0
of the interface s1/0.
router(config-if-serial1/0)#dialer in-band
Enable DDR on the interface.
router(config-if-serial1/0)#dialer-group 1
Configure the interface to be subject to
router(config-if-serial1/0)# modem outer

Configure on LNS as follows:
Command
router(config)# vpdn enable
router(config)# vpdn-group 2
router(config-vpdn)# accept-dialin
router(config-vpdn-acc-in)# protocol l2tp
router(config-vpdn-acc-in)#virtual-template 1
router(config-vpdn)#terminate-from hostname r3
router(config-vpdn)# local name r2
router(config-vpdn)# l2tp tunnel password 7 a
router(config)#int virtual-template1
router(config-if-virtual-template1)# encapsulation ppp
router(config-if-virtual-template1)# ppp authentication pap
router(config-if-virtual-template1)#ip unnumber loopback1
router(config-if-virtual-template1)# peer default ip address
pool vpdn-pool
user mp-5@mp-2.com password 0 a
router(config)#
router(config)# ip local pool vpdn-pool 172.16.20.10
172.16.20.100
router(config-if-loopback1)# ip address 172.16.20.1
255.255.255.0
router(config-if-serial2/0)#clock rate 9600
router(config-if-serial2/0)# encapsulation ppp
router(config-if-serial2/0)# ip address 192.168.10.2
255.255.255.0
11.8.7 VPDN Monitoring and Debugging
show vpdn
Display the configuration of Tunnel.
Command modethe privilege user mode.
debug l2tp data
Trace the information related with messages.
no debug l2tp data
debug l2tp event
Trace the sending and receiving of messages.
no debug l2tp event
debug l2tp detail
Trace the relative detail.
no debug l2tp detail
some dialer-group.
Use the outer modem.
Descriptions
Enable VPDN.
Create a VPDN group.
Permit the accept-dialin of the VPDN
group.
Specify the L2TP protocol in the VPDN
group.
Specify the virtual template interface.
LAC provides the name of LNS.
LNS provides its name to LAC.
Specify the share password for
authentication.
Create a virtual template interface.
Adopt the PAP as the authentication
protocol.
Enable the IP un-number on the interface.
Specify the opposite-end IP address of the
interface.
Configure the username and password for the
dialin user.
Configure the address pool.
Configure the IP address of L1.
Configure the serial interface as the
synchronous mode.
Configure the clock.
11.9 Configure GRE

GREshort for Generic Routing Encapsulation can encapsulate the datagram of some network layer protocols (for
example, IP) so that the encapsulated datagram can be transported over other network layer protocols (for example, IP). GRE
adopts a tunnel technology between protocol layers. Tunnel is a virtual point-point interface that provides one channel over
which the encapsulated datagram can be transported and encapsulates/decapsulates the datagram on both sides of the Tunnel
interface.
Main contents of this section are described as follows:
Relative command to configure GRE;
Example of GRE configuration;
GRE checking and debugging
11.9.1 Relative Commands to Configure GRE
interface tunnel
Use the Description following command to create a virtual Tunnel interface and enter the tunnel configuration mode. The
form no of the command is used to delete a specified tunnel.
interface tunnel tunnel-number
no interface tunnel tunnel-number
Syntax
Descriptions
tunnel-number
Specify the tunnel-number, and its range is
0-65535.
DefaultNo Tunnel interface is created.
Command Modethe Global configuration mode
tunnel checksum
Configure two sides of the tunnel to perform the checksum verification so as to check the correctness of messages. The
form no of the command is used to disable the checksum checking of the Tunnel interface.
tunnel checksum
no tunnel checksum
DefaultPerform no checksum verification.
Commandthe Tunnel interface configuration mode.
Notice
Different verification can be configured on two sides of the Tunnel interface, which has no effect on its connectivity.
tunnel destination
Configure the IP address of the opposite end of the Tunnel interface. The form no of the command is used to delete the IP
address of the opposite end of the Tunnel interface.
tunnel destination ip-address
no tunnel destination ip-address
Syntax
Descriptions
ip-address
Specify that the opposite end employs the IP address of the
factual physical port of the Tunnel interface.
DefaultSpecify no IP address of the opposite end of the Tunnel interface.
Command modethe Tunnel interface configuration mode.
Note
1) Ip-address must be consistent with the physical port of the opposite end and assure the port is reachable.
2) The destination address of local Tunnel interface must keep consistent with the source address of the opposite-end
Tunnel interface.
tunnel key
Specify the identification key-number of the tunnel. And the form no of the command is used to cancel the identification
key of the tunnel.
tunnel key key-number
no tunnel key key-number
Syntax
Descriptions
key-number
Specify the identification key-number of the tunnel. And its
value range is 0-4294967295.

DefaultSpecify no identification key-number of the tunnel.
Command modethe Tunnel interface configuration mode.
Note
Key-numbers of both sides of the tunnel must be consistent.

tunnel sequence-datagrams
Configure two sides of the tunnel to verify the sequence-number of datagrams. This configuration can be used to discard
disordered datagrams. The form no of the command is employed to disable the verification of the sequence-number of
datagrams.
tunnel sequence-datagrams
no tunnel sequence-datagrams
DefaultDont verify the sequence-number of datagrams.
Command Modethe Tunnel interface configuration mode.
Note
Different verification can be configured on the tunnel interface, without any effect on its connectivity.
tunnel source
Configure the local address of the tunnel interface. The form no of the command is used to delete the local port of the
tunnel interface.
tunnel source {ip-address|interface-name}
no tunnel source {ip-address|interface-name}
Syntax
Descriptions
ip-address
Specify that the local end uses the IP address of the
factual physical port of the tunnel interface.
interface-name
Specify that the local end uses the regular name of the
factual physical port of the tunnel interface.
DefaultSpecify no the local port of the tunnel interface.
Command modethe tunnel interface configuration mode.
11.9.2 Example of GRE Configuration
The example is shown as the following figure:
IP
Figure 10-16
Illustration
Shown as the figure above, two tunnels are established between Router 1 and Router 2 through the IP network so that
different services can use different logical channels.
Command
Descriptions
Enter the configuration status of the
port f0.
router(config-if-fastethernet0)#ip address 129.255.20.188
Configure the IP address of the
255.255.255.0
subnet mask of the port f0.
router(config-if-ethernet0)#ip address 129.255.14.66 255.255.255.0
subnet mask of the port e0.
synchronous mode.
router(config-if-serial1/0)# clock rate 9600
router(config-if-serial1/0)# ip address 20.1.1.1 255.255.255.0
subnet mask of the port s1/0.
Distribute a secondary address to the
secondary
s1/0.
router(config-if-serial1/0)#intface tunnel1
router(config-if-tunnel1)# ip address 1.1.1.1 255.255.255.0
subnet mask of the tunnel1.
router(config-if-tunnel1)#tunnel source 20.1.1.1
The local end uses the IP address of
the factual physical port of the tunnel
interface.
router(config-if-tunnel1)#tunnel destination 30.1.1.2
The opposite end uses the IP address
router(config-if-tunnel1)#ip route peer-address 1.1.1.2

router(config-if-tunnel1)#intface tunnel2
router(config-if-tunnel2)#ip address 2.1.1.1 255.255.255.0
router(config-if-tunnel2)# tunnel source 20.1.2.1

router(config-ospf)#network 129.255.20.0 0.0.0.255 area 0
router(config)# ip route 30.1.1.0 255.255.255.0 20.1.1.2
of the factual physical port of the tunnel

interface.
Specify the IP address of opposite
end of the tunnel 1 in the dynamic route.
subnet mask of the port tunnel2.
The local end uses the IP address of
the factual physical port of the tunnel
interface.
The opposite end uses the IP address
of the factual physical port of the tunnel
interface.
Specify the IP address of opposite
end of the tunnel 2 in the dynamic route.
Configure the relative dynamic
routing protocol.
Configure the relative static routing

protocol for the middle channel.
router(config)# ip route.30.1.2.0 255.255.255.0 20.1.2.2

Route2 is configured as follows:
Command
Descriptions
Enter the configuration status of the port f0.
router(config-if-fastethernet0)#ip address 192.168.2.254 255.255.255.0 Configure the IP address of the subnet mask of
the port f0.
router(config-if-ethernet0)#ip address 192.168.1.254 255.255.255.0
Configure the IP address of the subnet mask of
the port e0.
router(config-if-serial1/0)# physical-layer sync
Configure the serial-port as the synchronous
mode.
router(config-if-serial1/0)# clock rate 9600
Configure the clock
Encapsulate the protocol
the port s1/0.
router(config-if-serial1/0)# ip address 30.1.2.2 255.255.255.0 secondary Distribute a secondary address to the s1/0.
router(config-if-serial1/0)#intface tunnel1
router(config-if-tunnel1)# ip address 1.1.1.2 255.255.255.0
the tunnel1.
The local end uses the IP address of the factual
physical port of the tunnel interface.
The opposite end uses the IP address of the
factual physical port of the tunnel
interface.
Specify the IP address of opposite end of the
tunnel 1 in the dynamic route.
router(config-if-tunnel1)#intface tunnel2
router(config-if-tunnel2)#ip address 2.1.1.2 255.255.255.0
the port tunnel2.
The local end uses the IP address of the factual

protocol.
router(config-ospf)# network 2.1.1.0 0.0.0.255 area 1
router(config-ospf)# network 192.168.2.0 0.0.0.255 area 1
router(config)#ip route 20.1.1.0 255.255.255.0 30.1.1.1
physical port of the tunnel interface.

The opposite-end uses the IP address of the
factual physical port of the tunnel
interface.
Specify the IP address of opposite end of the
tunnel 2 in the dynamic route.
Configure the relative dynamic routing
Configure the relative static route of the

middle physical line.
router(config)# ip route 20.1.2.0 255.255.255.0 30.1.2.1

Notice:
This is an application of the network isolation. And usually, it can work in with NIA/URA to realize the isolation of user
authentication.
10.9.3 GRE Checking and Debugging
show tunnel-chain
Display all Tunnel configurations.
show tunnel-chain
show gre statistics
Display the gre statistics.
show gre statistics
debug tunnel data
Enable the information debugging switch. The form no of the command is used to disable the tunnel debugging switch.
debug tunnel data
no debug tunnel data
11.10 Configuration of Digital Certificate
In this section, we mainly narrate the terminologies, principles and characteristics of Digital Certificate as well as relative
debugging commands and information.
Main contents are as follows
Terminologies involved in Digital Certificate;
Introduction to Digital Certificate;
Debugging commands and debugging information.
11.10.1 Parsing of Terminologies Relative with Digital Certificate
Asymmetric CryptographyIn Asymmetric Cryptography systems, there exists a certain relation between cipher key
and decryption key, but they are entirely different, that one of them can be made public and never mind that someone can
calculate or deduce the other. So, the asymmetric key is also called public key.
CertificateA certificate, as a special form of digital marking sentence, provides a mechanism to confirm the relationship
between public key and entities that hold private key, signed and delivered by the certificate authority (holding other pair of
private key and public key). Generally, a certificate also contains other information relating to subject public key, such as the
identification information of an entity that has the right to use private key. So when a certificate is delivered, the certificate
authority should prove the correctness of the binding between the subject public key and the subject identification
information.
CA----Certification AuthoritySimply speaking, it is an entity or service that delivers certificates. CA acts as the role of
a guarantor that is bound between the subject public key and the subject identification information that are all included in the
delivered certificate. IKE needs the support from CA Certification Center when negotiating by certificate.
11.10.2 Introduction to digital certificate
Both PKI and digital certificate technology bind the identification of individual or entity with a public key, and certificates
are delivered uniformly by a certification delivery organization to ensure the validity and security of the certificate entity.
In IPSec, the certificate authentication mode adopted by IKE can provide the following benefits:
1) To avoid the complications of manual configuration of IKE pre-share key or RSA key;
2) To increase the security of IKE negotiation;
3) To prevent the security problems as a result of the leak of cipher key through Certificate Revocation List;
4) To achieve the restriction of validity period and prevention of the overdue usage of key;
5) To refresh certificates automatically;
6) To achieve the unified control of trusted domain by certificates;
7) To backup and restore keys;
8) To locate the person responsible easily when leak of key or unauthorized access arises.
11.10.3 Configuration of Certificate
Configure a CA Trusted Point and Set Trust Policy
A CA trusted point represents a set of CA trusted domains, by which one can set local certificate trust policy and
management policies. Every CA trusted points configuration parameters and configuration policies include:
1) The URL address of a certificate Server
2) The CRL verification policies
3) The CRL automatic update policies
4) The CRL default update period
5) The time verification policies
A CA trusted point is configured through the following steps:
(1) Use this command, in configuration mode to enter the CA trusted point (ca-identity) mode.
Commands
Descriptions
router(config)#crypto ca identity name
router(config)#no crypto ca identity name
Enter a CA trusted point configuration; define the trusted

points name <name>.
Delete a CA trusted point, including all its configurations
and certificates.
(2) Configure the type of certificate server.

Command
router(ca-identity)#ca type [mpcms | ctca |
windows]
Descriptions
There are three types of CAs, including MPCMS,
CTCA (telecom CA) and Windows and you can
select one according to the type of CA server. The
default type is MPCMS.
(3) Configure the address information of a certificate server (optional configuration) under the CA trusted point
configuration (ca-identity) mode.
Command
Descriptions
router(ca-identity)#enrollment url address
router(ca-identity)#no enrollment url address
Configure the URL address of CA (or RA) Server for

online application and query.
Delete the URL address of CA (or RA) Server.
(4) Configure certificate revocation verification policy (optional configuration) under the CA trusted point configuration
(ca-identity) mode
Command
Descriptions
router(ca-identity)#revoke check off

router(ca-identity)#revoke check on
Loose verification certificate revocation (default).

Strict verification certificate revocation.
Note
1) The option Revoke check represents the policy when verification the certificate validity through CRL.
2) If configured with the loose verification is or adopting the default configuration, then a router accepts the user certificate
of the opposite entity when it can not find the right CRL.
3) If configured with the strict verification and cannot find the right CRL, then the router doesnt accept the user certificate
of the opposite entity.
4) The default configuration is the loose verification.
(5) Configure the certificate validity period policy (optional) under CA trusted point configuration (ca-identity) mode
Commands
Descriptions
router(ca-identity)#time check off
router(ca-identity)#time check on
Validate the certificate validity period (default).

Do not validate the certificate validity period.
Note
1) The option time check represents the policy that is employed when CRL verifies the certificate validity.
2) If configured not to verify the certificate period, then the router accepts the user certificate of the opposite entity when it
has no way to get the standard time correctly and fails to adopt the local time to validate the certificate.
3) If configured not to verification verify the certificate period or adopting the default configuration, then the router refuse
to accept the user certificate of the opposite entity when it has no way to get the standard time correctly and fails to adopt the
local time to validate the certificate.
4) If the device clock is inaccurate, and both device clock and CA dont support time query, it is suggested to enable this
option, otherwise it will cause the failure of certificate verification or the certificate unavailable.
(6) Configure the automatic update policies (optional) under the CA trusted point configuration (ca-identity) mode.
Command
Descriptions
router(ca-identity)#crl autorenew peroid hours
Set the CRL automatic update period, and the unit

is hour.
Note
1) Starting up the CRL automatic update and setting the little update period may enhance the system security, but if CRL is
larger, it may increase system load.
2) The CRL automatic update time represents that even if the next update time specified by CRL doesnt expire, it will still
try to refresh CRL. And this may avoid the impact of delivering certificate ahead of schedule by CRL when the certificate is
revoked.
3) If the option time optional is already set, then there is no way to confirm the next update time specified by CRL. So it
refreshes CRL by the default automatic update time.
4) The default CRL update cannot be automatically refreshed.
Online Certificate Application
The Maipu device certificate supports both online and offline manners to acquire certificate. You can select one of the
modes according to the CA system; here we describe the online manner to acquire certificate and CRL.
(1) Use this command, under configuration mode, to download and authenticate the CA self-signature certificate
Command
Descriptions
router(config)#crypto ca authenticate name
Download and authenticate a root CA certificate of

a certificate trusted point.
For example
Command
router(config)#crypto ca authenticate mpca
% The Root CA Certificate has the following attributes:
Descriptions
Download and authenticate the root
CA certificate of certificate trusted
Serial Number: 60090000BE23A33D0100

Subject: CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN
Issuer : CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN
Validity
Start date: Oct 8 18:28:14 GMT 2002
End
date: Oct 8 18:28:14 GMT 2007
Usage: Sign
Fingerprint(md5) :b096fbdd e32a00ff fb612386 80a34e44
Fingerprint(sha1):d618596e 56648262 2727ee6f 97538f9a
e2472acc
% Do you accept this certificate[yes]/[no]:y
% CA Certificate authenticate success.
point mpca.
Print this CA certificate fingerprint,
and require the user to authenticate
it.
Note
1) Before using the online certificate query or application, please configure the URL address of the CA trusted point.
2) The fingerprint of root CA is acquired from the CA center when a user enrolls, or is acquired by other out-of-band
manner.
(2) Use this command, under the configuration mode, to apply for a user certificate on line.
Command
Descriptions
router(config)#crypto ca enroll name
For examples
Commands
router(config)#cry ca enroll mpca
% Start certificate enrollment ..
Password: ****
% Request certificate now?[yes]/[no]:y
% User Certificate enroll success.
Apply to the CA center for a user certificate.

Descriptions
Apply to the CA trusted point mpca for a user
certificate.
Input the user password (sometimes you may

input no password according to the demand of
CA,) and
Does the certificate username include IP
address?
Note
1) Please configure the URL address of the CA trusted point before performing online certificate query and application.
2) When a user applies the user certificate, the CA certificate must have been authenticated and the corresponding key pair
has been generated locally. If double key pairs need be generated, please employ the application signature to encrypt two
certificates.
(3) Get back the user certificate enrolled successfully.
If the administrator does not authorize the application immediately, please contact with the administrator for the certificate.
Use the following command to get back the certificate after the administrator authorizes the application.
Command
Descriptions
router(config)#crypto ca retrive name
Get back the certificate in the enrolled-currently
state.
After the enroll command crypto ca enroll name is executed, if the state of local certificate is requesting, it represents that
the certificate is waiting for authorization.
(4) Use this command, under configuration mode, to perform the online CRL update.
Command
Descriptions
router(config)#crypto ca crl request name
Note
Perform the online CRL update immediately.
1) Please configure the URL address of CA trusted point before using the online certificate query and application.
2) Before a user performs the online application of CRL, the CA certificate must be authenticated firstly and the
corresponding user certificate has been applied.
3) If the system time is incorrect, it may make the CA certificate or the user certificate unavailable. Here, the user can
firstly configure the option time optional of the CA trusted point.
Offline certificate application
The offline certificate application supports two manners: the direct user input (through a standard input device) and the
introduction from the IC card.
(1) Use this command, under the configuration mode, to enter the certificate chain configuration (config-cert-chain) mode.
Command
Descriptions
router(config)#crypto ca certificate chain name
Enter the certificate chain configuration mode.
(2) Use this command, under certificate chain configuration mode, to introduce the certificate through the IC card.
Command
Descriptions
router(config-cert-chain)#ic certificate input
Introduce the certificate from IC cards.
(3) Use this command, under certificate chain configuration mode, to input the CA certificate from the screen.
Command
Descriptions
router(config-cert-chain)#certificate
[pem | der]
ca
input
Introduce the CA certificate from the screen, and

the keywords pem and der represent the format of
the certificate.
For example
Command
Descriptions
router(config-cert-chain)# certificate ca input pem

% Input the CA certificate data:
-----BEGIN CERTIFICATE----MIICATCCAaugAwIBAgIKYAkAAL4joz0BADANBgkqhkiG9w
0BAQ
UFADBSMQ4wDAYDVQQDEwVjYTE3NzEMMAoGA1UECx
MDc2VjMQswCQYDVQQKEwJtcDELMAkGA1UECBMCc2Mx
CzAJBgNVBAcTAmNkMQswCQYDVQQGEwJDTjAeFw0wMj
EwMDgxODI4MTRaFw0wNzEwMDgxODI4MTRaMFIxDjAMB
gNVBAMTBWNhMTc3MQwwCgYDVQQLEwNzZWMxCzAJB
gNVBAoTAm1wMQswCQYDVQQIEwJzYzELMAkGA1UEBx
MCY2QxCzAJBgNVBAYTAkNOMFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBANtHec+d3wUkoCr3YdYhC2wttVSORSgbqN
DQATt9dRijskQy9wpbVrSHJGgD71CoL794CFQPOxdB/t1bcPm3
zwcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBg
NVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFxZwmjXOtDf
7vnCbOk2uvC8rMyFMB8GA1UdIwQYMBaAFFxZwmjXOtDf7v
nCbOk2uvC8rMyFMA0GCSqGSIb3DQEBBQUAA0EAjGtnVb/Ji
N+IsJsrYX6w5z53GCAZN8xregMQK/6t1qM/s/9JMZE+AQbPkqf
d7um0t3qhc8xGr5aUNMIimpmzRg==
-----END CERTIFICATE-----
Require inputting or pasting the

certificate in pem format (use two
continuous carriage returns to end
the input).
% The Root CA Certificate has the following attributes:

Subject: CN=ca177, OU=sec, O=mp, ST=sc, L=cd, C=CN
Validity
Require the user to authenticate CA,

as the same of the online application.
Start date: Oct 8 18:28:14 GMT 2002

End
date: Oct 8 18:28:14 GMT 2007
Usage: Sign
Fingerprint(md5) :b096fbdd e32a00ff fb612386 80a34e44
Fingerprint(sha1):d618596e 56648262 2727ee6f 97538f9a
e2472acc
% Do you accept this certificate[yes]/[no]:y
% CA cert import success!
Note
1) Any mistake in format input or data input can result in no way to introduce.
2) You can use the editor to open the pem format of certificate, paste its contents on the screen, and then introduce it from
the screen.
3) The certificate in der format (binary file purely) can not be pasted directly, it can only be opened by the hex editor and
then be input as ASCII character.
4) Certificates can be converted between PEM format and der format by other tools.
(4)Use this command, under certificate chain configuration mode, to input CRL from the screen
Command
Descriptions
router(config-cert-chain)#crl input [pem | der]
Introduce CRL from the screen, and the keywords

pem and der represent its format.
For example
Command
descriptions
router(config-cert-chain)#crl input der

30 81 e9 30 81 94 02 01 01 30 0d 06 09 2a 86 48
86 f7 0d 01 01 05 05 00 30 52 31 0e 30 0c 06 03
55 04 03 13 05 63 61 31 37 37 31 0c 30 0a 06 03
55 04 0b 13 03 73 65 63 31 0b 30 09 06 03 55 04
0a 13 02 6d 70 31 0b 30 09 06 03 55 04 08 13 02
73 63 31 0b 30 09 06 03 55 04 07 13 02 63 64 31
0b 30 09 06 03 55 04 06 13 02 43 4e 17 0d 30 32
31 31 31 38 30 33 35 30 31 33 5a 17 0d 30 32 31
31 32 31 30 33 35 30 31 33 5a a0 0e 30 0c 30 0a
06 03 55 1d 14 04 03 02 01 01 30 0d 06 09 2a 86
48 86 f7 0d 01 01 05 05 00 03 41 00 7d 5a 52 28
71 86 e0 3a 88 91 96 87 5e 07 5b 1f c7 db 86 ff
0e a7 35 4a 6f 95 32 48 53 f2 59 c8 bf 2c d1 ac
66 9b 7b d3 d2 d9 3c b2 88 28 88 66 02 61 9d 35
f7 ad bd 7e cf 80 0c 48 dd a3 30 2d
% Input crl success.
Debug Certificate Module
(1) Use this command, under privilege mode, to configure the debugging information switch.
Command
Descriptions
router#debug crypto ca [server | message]
Open the certificate debugging switch.

If no keyword is specified, it means turning on all
switches.
The keyword server represents turning on the
certificate service debugging switch.
router#no debug crypto ca [server | message]
The keyword message represents turning on the

certificate message debugging switch.
Turn off all certificate debugging switches.
If no keyword is specified, it means turning off all
switches.
The keyword server represents turning off the
certificate service debugging switch.
The keyword message represents turning off the
certificate message debugging switch.
(2) Use this command, under the privilege user mode, to display the information about the CA trusted point configured.
Command
Descriptions
router#show crypto ca identity
Display the configuration about CA trusted point.
(3) Use this command, under the privilege user mode, to display the information about the configured certificate.
Command
Descriptions
router#show crypto ca certificates [pem | der]
Display the information about the configured

certificate.
The keywords pem and der specify the format of
the certificate. If no keyword is specified, it is
displayed in the general format.
For example
Command
router# show cry ca certificates pem
CA Certificate:
PEM data:
-----BEGIN CERTIFICATE----MIICATCCAaugAwIBAgIKYAkAAL4joz0BADANBgkqhkiG9w
0BAQ
UFADBSMQ4wDAYDVQQDEwVjYTE3NzEMMAoGA1UECx
MDc2VjMQswCQYDVQQKEwJtcDELMAkGA1UECBMCc2Mx
CzAJBgNVBAcTAmNkMQswCQYDVQQGEwJDTjAeFw0wMj
EwMDgxODI4MTRaFw0wNzEwMDgxODI4MTRaMFIxDjAMB
gNVBAMTBWNhMTc3MQwwCgYDVQQLEwNzZWMxCzAJB
gNVBAoTAm1wMQswCQYDVQQIEwJzYzELMAkGA1UEBx
MCY2QxCzAJBgNVBAYTAkNOMFwwDQYJKoZIhvcNAQEB
BQADSwAwSAJBANtHec+d3wUkoCr3YdYhC2wttVSORSgbqN
DQATt9dRijskQy9wpbVrSHJGgD71CoL794CFQPOxdB/t1bcPm3
zwcCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBg
NVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFFxZwmjXOtDf
7vnCbOk2uvC8rMyFMB8GA1UdIwQYMBaAFFxZwmjXOtDf7v
nCbOk2uvC8rMyFMA0GCSqGSIb3DQEBBQUAA0EAjGtnVb/Ji
N+IsJsrYX6w5z53GCAZN8xregMQK/6t1qM/s/9JMZE+AQbPkqf
d7um0t3qhc8xGr5aUNMIimpmzRg==
-----END CERTIFICATE-----
Descriptions
Before here on is the key
information about the certificate.
From here on is the certificate data

in the pem format.
(4) Use this command, under the privilege user mode, to display the CRL information configured.
Command
Descriptions
router#show crypto ca crls [pem | der]
Display the CRL information configured.

The keywords pem and der specify the format of
the certificate. If no keyword is specified, it is
displayed in the general format.
11.11 Configuring Login-Secure

This section mainly describes fundamental mechanism, configuration commands and configuration examples of login-secure.
11.11.1 Login-secure Mechanism
The goal of login-secure is to enhance the security of router login. An attacker can, through illegal means (such as exhaustion
algorithm), acquire login username, the corresponding password or enable password, which are configured on a router. Once
the login-secure is added, the illegal login will become very difficult.
The design of login-secure must meet the requirement that infinite attempts to enter username and the corresponding
password is denied when a telnet user is logging in. Login-secure can take effect on the following cases: (1) It is required to
enter username and password when logging in. And the maximal times of attempts to log in are 5 when something is wrong
with username or corresponding password (By default, there are three times of attempts, and the times of attempts can be
changed through related commands). If the user logs in unsuccessfully after 5 times of attempts, the system will record the IP
address of the client and enable a timers. In a period of time (10 minutes by default, can be configured), the user is prohibited
from logging in. (2) Only login password need be entered, and the related procedure is similar to (1). (3) Enter the enable
password and 5 attempts are permitted. If the user enters the password unsuccessfully after 5 attempts, the system will enable
a timer. And in a period of time, the executed enable command is a null command, namely password input is denied. If
exiting the STD mode, the user with the same client address is still prohibited from executing the enable command in the
configured period. If login is also limited, then the login is not allowed.
Additionally, a new encryption algorithm is realized because the previous encryption algorithm is too simple. To
ensure the compatibility with the previous encryption algorithm, two commands are provided. The default
configuration command is no service new-encrypt. The command adopts the previous encryption algorithm. If the
command service new-encrypt is configured, then the new encryption algorithm is adopted.
11.11.2Configuration Commands of Login-secure
1) Configuration commands of new encryption algorithm
service new-encrypt
After the command above is configured, the new encryption algorithm is adopted.
no service new-encrypt
After the command above is configured, the previous encryption algorithm is adopted.
Note:
1) If the old version (adopting the previous encryption algorithm) has been upgraded to the new version (adopting
the new encryption algorithm ), the previous encryption algorithm can be compatible because no service new-encrypt
is configured by default.
2) If the new encryption algorithm has been realized and the previous encryption algorithm has been downloaded,
no service new-encrypt must be configured for the system to be compatible with the previous encryption algorithm.
2) Basic Configuration Commands of Login-secure
Enable login-secure
service login-secure
The command above is used to enable the login-secure service.
no service login-secure
e command above is used to disable the login-secure service.
Configure Login-secure parameters
login-secure max-try-time [1-20]

Use the command above to set the maximal times of login attempts. The default times of attempts are 5. if logging in
unsuccessfully after 5 attempts, the user is prohibited from executing login or the enable operation.
login-secure forbid-time [10-12400]
Use the command above to set the forbid-time of login. The default time is 10 minutes. After the user is prohibited,
neither login nor enable operation is allowed.
login-secure check-record-interval [30-14400]

Use the command above to set the period of checking and clearing aging records that meet the conditions. The default
period is 240 minutes. To preventing the user from using multiple addresses to log in, which will result in that multiple
records are occupied and other users can not log in successfully, it is necessary to clear the aging records periodically.
login-secure record-aging-time [15-1440]
Use the command above to set the aging-time of a record. The default aging-time is 30 minutes. If an address record is
not upgraded in the period (for example, there exists no attempt to log in or perform the enable operation in the period), then
the address is regarded as aging and will be deleted.
Note:
1) The login-secure service is enabled by default.

2) If the login-secure service is enabled(through executing the command service login-secure), other related
commands of the login-secure can be executed; If the login-secure service is disabled(through executing the command
no service login-secure), the other commands are invisible.
3) Displaying the login-secure information
show login-secure information
Use the command above to display the information about user login, including the following items:
router#show login-secure information
forbidden login address:
client address try-time forbid-time
wd-id
type
number record-time
-------------- -------- -------------------------- ----------128.255.1.230
3
00:28:32
0x2ff20c0
enable
0
00:01:30
11.11.3 An Example of Login-Secure Configuration
Configuring Login-secure as follows:

Syntax
router(config)#service login-secure
router(config)#login-secure max-try-time 3
router(config)#login-secure forbid-time 30
Descriptions
Enable the login-secure service.
Set the permitted maximal-try-time as 3.
Set the login forbid-time as 30 minutes.
The result of configuring login-secure are listed as follows:

The Enable operation over Telnet:
router>en
password:
password:
password
% Bad passwords
router>en
password:
password:
password:
% Bad passwords
router>en
password:
password:
password:
% Bad passwords
//After three times, the Enable operation is denied; execute the command show login-secure information can display
the following record information including try-time and forbid-time.
router>
router>en
%enable operation is locked by login-secure service
router>
router>en
%enable operation is locked by login-secure service

router>
Chapter 12
Quality of Service (QoS) Configuration
This chapter describes basic Quality of Service (QoS) principles and corresponding configuration methods.
12. 1 First In First Out (FIFO)
The default queuing function of your Maipu router is First In First out (FIFO), which is shown in the following Figure 1.
Simply put, the router will filter data packets in the same order they enter, which is a very effective way of providing a largescale service among a group of similar users with the fewest possible delays. The downside, however, is that FIFO doesnt
provide multiple Quality of Service levels for different kinds of users. For instance, a Telnet packet might be dropped by
the system after receiving many FTP packets, which will delay the start of a Telnet session. If this happens often, users
trying to login via Telnet might start to complain about the delays on your network. For that reason, you may want to
consider using the alternative queuing methods that are discussed in the remaining sections.
queuin
Packets leaving the interface

De-queuing
h d li
Packets that must be

sent through the
Figure 1 FIFO Queue Map
12. 2 Priority Queuing (PQ)
With priority queuing, the router will send out a packet with the highest priority level before sending a packet with a lower
priority. When the outbound interface is very congested, the packets will be queued from highest to lowest priority. If the
interface isnt congested, then the router will send all of the packets forward at the same level of priority.
This section talks about:
Distributing The Packet Queue And Priority Class
Configuring Priority Queuing
Adjusting The Priority Queue Size
Application Cases
12. 2.1 Distribute The Packet Queue and Priority Class
In priority queuing, each interface has four queues:
High
Medium
Normal
Low

sent through the
queuin
high
mediu
normal
low
Packets leaving from the

i
f
Dequeuing scheduling
Figure 2 Priority Queue Sketch Map

Normal is usually the default queue setting.
router can be put into a queue.
A packet that isnt already classified or distributed to a specified queue in any
12. 2.2 Configure Priority Queuing

You can configure the router so that it can classify packets by:
TCP or UDP port numbers.
Packet size.
The arriving packets interface.
Any item described in a standard or extended access list.
IP fragments.
You can also choose to use the default scattered packet mode.
When you start PQ configuration, you must:
A. Define a priority list
B. Apply the defined priority list to an interface
To define a priority list, input:
Router config priority-list <list-number>
Note: Define the priority list number between 1 and 16.
Command
Description
interface <interface > <high / medium / normal / low>
interface <interface >:

Distributes the interface priority when the packet
arrives.
high / medium / normal / low:
Defines the queue priority of queue.
Default:
Distributes a priority to any packet that doesnt
match the appointed standard.
protocol IP: Assigns the data packet using IP
protocol.
fragments: Assigns a priority by whether or not the
data packet is fragmented.
gt/lt: Assigns a priority by packet size.
list: Assigns a priority by data according to the
access list.
tcp/udp: Assigns a priority by outbound tcp/udp
port number.
default
<high / medium / normal / low>
protocol ip <high /medium /normal / low>

<fragments/ gt /lt /list /tcp/ udp>
To apply the defined priority list to an interface, input:

router config-if-xxx
Command
Description
priority-group <list-number>
Assigns a priority list to an interface and activates

the priority queuing.
Cancels the priority queue.
no priority-group
Note:
1) The same priority list can be applied to many interfaces.
2) Different priority policies can also apply to different interfaces.
3) You can only use one priority list for each interface.
12. 2.3 Adjust The Priority Queue Size
The priority queue default depth of a Maipu router, from high priority to low priority, is 15000, 30000, 45000 and 65535.
This value can be changed when you input the following commands while configuring the routers priority queue size:
Note: Defines the priority list number between 1 and 16

Command
queue-limit <0-15000>
45000> <0-65535>
Description
<0-32767>
<0-
queue-limit <high-limit> <medium-limit>

<normal-limit> <low-limit>: Defines the depth of
the four queues (high, medium, etc.).
<0-15000>: The adjusted depth scope of high-priority
queue is from 0 to 15,000 packets.
<0-32767>: The adjusted depth scope of mediumpriority queue is from 0 to 32,767 packets.
<0-45000>: The adjusted depth scope of normalpriority queue is from 0 to 45,000 packets.
<0-65535>: The adjusted depth scope of low-priority
queue is from 0 to 65,535 packets.
12. 2.4 Monitor and debugging
use in the privilege mode

Command
Description
show pq
Displays the routers relative PQ interface

information.
Displays the specified interfaces relative PQ
information.
debug the routers relative PQ interface
information.
debug the specified interfaces relative PQ
information.
show pq interface <interface>

debug pq
debug pq interface <interface>
12. 2.5 Choose Packet Drop-type Algorithm

When a priority queue is full, packets will be tailed-dropped normally. But you can choose RED algorithm as packet droptype:
Note: Defines the priority list number between 1 and 16
Command
drop-type random-detect
Description
<RED group name>
drop-type tailed-dropped
Chooses RED algorithm as packet drop-type.

<RED group name>: name of the RED group. The
following will describe how to configure a RED
group.
Chooses default tailed-dropped algorithm as packet
drop-type.
12. 2.6 Configure A RED Group

Following describes how to configure a RED group:
Router config random-detect-group <RED group name>
Note: Defines some parameters of the RED group
RED group config :

Command
Description
exponential-weighting-constant <1-12>
precedence <0-7> <0-65535> <0-65535> <1-99>
Defines exponential weight factor.

<1-12>:Integer in 1..12 used in weighted average to
mean 2^number.
Defines IP precedence, minimum threshold, maximum
threshold and probability denominator parameters.
<0-7>: Defines IP precedence parameter, first 3 bits of
TOS field in IP header.
<0-65535>:Defines minimum threshold(bytes) of the
queue.
<0-65535>:Defines maximum threshold(bytes) of the
queue.
<1-99>: Defines probability denominator.
12. 2.7 Example
Unix host
ip:192.168.255.253/24
ip:192.168.255.30/24
Router2
S1/2
PPP
Router1
S0
ip:128.255.254.1/24
terminal
terminal
ip:128.255.254.24/24
Business host
Figure 3 PQ Configuration Map Sketch

Notes:
1) In the preceding figure (Figure 3), the Maipu router (Router1) connects with a terminal. The routers interface
serial0 connects with the interface serial1/2 of the Cisco router (Router2) on the opposite end. The link has terminal
service data, FTP data and other data. The terminal data is to be set to the highest priority, FTP is to be set to the
lowest priority and other data is to be set to normal.
2) The IP address of the remote UNIX host is 192.168.255.253. The process itest should be run on port 3051.
runs on TCP ports 20 and 21.
3) Router2 provides a 64K clock.
FTP
The following two methods can achieve this goal:

Method one: Directly configure the priority list.
Command
Task
router(config)# priority-list 1 protocol ip low tcp 21
router(config)# priority-list 1 protocol ip low tcp 20
router(config)# priority-list 1 protocol ip high tcp
3051
router(config)# interface serial0
router(config-if-serial0)# priority-group 1
Method two: Configure an access list:
Command
In list 1, the packet going to port number TCP21

is put in the low priority queue.
In list 1, the packet going to port number TCP20
is put in the low priority queue.
In list 1, the packet going to port number
TCP3051 is put in the high priority queue.
Applies the priority list1 to the interface.
Task
router(config)# access-list 1001 permit tcp any
192.168.255.253 0.0.255.255 eq 3051
router(config)# access-list
any
1001
permit ip any
router(config)#access-list 1002 permit tcp any

192.168.255.253 0.0.255.255 eq 20
router(config)# access-list 1002 permit tcp any

192.168.255.253 0.0.255.255 eq 21
router(config)# access-list 1002 permit ip any

any
router(config)#priority-list 1 protocol ip low list
1002
router(config)#priority-list 1 protocol ip high list
1001
router(config)#interface serial0
router(config-if-serial0)#priority-group 1
Access list 1001 permits packets with any

source address, the destination address named
192.168.0.0 and the TCP port number named
3051 to pass through.
Access list 1001 permits any IP packet to pass
through.
192.168.0.0 and the TCP port number named 20
to pass through.
192.168.0.0 and the TCP port number named 21,
to pass through.
Access list 1002 permits any IP packet to pass
through.
Packets according access list 1002s rules are
put in the low priority queue.
Packets according to access list 1001s rules are
put in the high priority queue.
Applies priority list 1 to the interface.
Note: Although the queue depth can be adjusted, you should generally try to avoid changing it from the default depth
especially when priority queuing is not meeting current system demands.
12. 3 Weighted Fair Queue (WFQ)
A Weight Fair Queue (WFQ) will sort packet information to ensure that many users with different needs can share bandwidth
at one time when the network is busy.
It also ensures that all messages are transmitted in real time when there is little
traffic. In fact, a high-bandwidth message will not become lost in the system if the network is congested it will be allowed
to pass through. A message with low-bandwidth needs will continuously re-queue until there is less traffic to let the highbandwidth message go through the network.
A WFQ saves packet information. When a packet comes into the system, the system sorts the packet into its corresponding
queue. If there a queue for the packet doesnt exist, a new queue will be created for the packet.
While WFQ is a complex procedure, it conversely needs very little configuration.
queue
Queue1
Sor
Queue
Queue
Queue
sent
the Fair Queue Sketch
Figurethrough
4 Weighted
Map n

i
f
12.3.1 Configuration in the interface mode

center(config-if-xxx)
Command
fair-queue <16-256>
no fair-queue
Show wfq interface type number
Show wfq
ra#debug wfq interface type number
Debug wfq
Description
Applies a weighted fair queue to the interface.
<16-256>:Defines WFQ queue nums.
Cancels a weighted fair queue.
See the wfq information in a certain interface
applied wfq
See the wfq information in all of the interface
applied wfq
debug the wfq information in a certain intface
debug the wfq information in all of the interface
applied wfq
12.3.2monitor and debugging

in the privilege mode
Command
no
fair-queue
Show wfq interface type number

Show wfq
ra#debug wfq interface type number
Debug wfq
Description
Cancels a weighted fair queue.

See the wfq information in a certain interface
applied wfq
See the wfq information in all of the interface
applied wfq
debug the wfq information in a certain intface
debug the wfq information in all of the interface
applied wfq
12. 4 Customer Queuing (CQ)

This system assigns a queue to each user session based on the amount of information that user needs access to.
these queues save the passing packets as they enter the router. The system will sort and queue a packet.
Like WFQ,
When the system de-queues, the system will start polling user information. According to the different configurations that
each queue possesses, the corresponding total number of bytes taken from each users queue will be different. The user who
needs access to the greatest number of bytes will have the highest priority. (If the sorting rule allowing this to happen isnt
configured, then the packet will enter the default queue.)
This section covers the following information:
Assign A Queue In CQ Mode
Configure CQ
Adjust CQ Queue Attributes
Debugging
Examples
12. 4.1 Assign A Queue In CQ Mode
Sixteen queues can be defined for each interface here. Each queue is titled and simply identified with a number between 1
and 16. (The number doesnt have anything to do with queuing priority.)
Configure the router so it can sort packets according to the following standards:
Protocols (ICMP, IGMP, TCP and UDP) and TCP and UDP port numbers,
Packet size.
The arriving packets interface.
Any item described by a standard or an extended access list.
IP fragments.
A packets source address and destination address.
You can also choose to use the default scattered packet mode.
Sor
sent through the
Queue
Queue1
Queue
Queue
Queue 16
Priority
10%
i
f
10%
30%
Figure 5 Customer Queuing Sketch Map

Note: The queue with serial number 16 is often considered the default queue.
appointed queue will be put in the default queue.
12. 4.2 Configure CQ
A packet neither sorted nor assigned to an
Configuring a CQ mainly involves three steps:

1) Defining a CQ list.
2) Defining each queues byte number.
3) Applying the defined list to an interface.
Configuration:
a.
To define a customer queuing list, input:
Router config custom-queue-list <list-number>

Define a user-defined customer queuing list using a number between 1 and 16.
Command
Description
fragments <0-16,Min queue number> <016,Max queue number>
Fragments: Sets the queuing rule according to

whether the packet is fragmented or not.
gt/lt/et <1-1500> <0-16,Min queue number> <016,Max queue number>
icmp/igmp/tcp/udp
<0-16,Min queue number>
<0-16,Max queue number>
tcp/udp
<0-16,Min queue number> <016,Max queue number> keyword-value
ip <0-16,Min queue number> <0-16,Max queue

number> keyword-value
<Min queue number>: Sets the minimal queue

number that packet can enter.
<Max queue number>: Sets the maximal queue
number that packet can enter.
gt/lt/et: Sets the queuing rule according to the
packet size. It can be more than, less than or
equal to the size of the appointed packet.
<1-1500>:Defines the packet size.
icmp/igmp/tcp/udp: Sets queuing rule according to
different protocol type.
keyword-value: Includes the source/destination
address or the network segment, address netmask
and the source/destination port number.
Sets the queuing rule according to these contents.
keyword-value: Includes the source/destination
address of an IP packet or network segment and
address netmask.
list
<1-2000, ip access list-name> <0-16,Min
queue number> <0-16,Max queue number>

list <ip access list-name>: The applied access list
number.
interface <interface > <0-16,Min queue number>

<0-16,Max queue number>

interface <interface >: Sets the queuing rule
according to the interface where the packet arrives.
default
b.
<queue-number>
Default: All packets that dont accord with the

above rules will be put in the default queue.
To define the byte number of each queue
Router config custom-queue-list <list-number>

Command
queue <0-16,Min queue number> <0-16,Max queue
number> byte-count
<byte-count>
c.
Description
queue <0-16,Min queue number> <0-16,Max
queue number>: Specify queue size in bytes in
the appointed scope. This parameter is used to
decide the weight of each queue.
To apply the defined list to the interface
Command
Description
custom-list <list-number>
Applies the defined list to the interface.
no custom-list
Cancels the user-defined customer queue.
12. 4.3 Adjust CQ User Attributes

The default buffer size of the Maipu router user-defined queue interface is 65,535 bytes. The default buffer size of each
queue from 0 to 16 is 65,535 bytes. The value of the parameter can be altered through the following command:
router config custom-queue-list
<list-number>
Command
Description
custom-queue-list <list-number>
queue <0-16,Min queue number> <0-16,Max queue
number> limit <size>
Set the buffer size of each queue from 0 to 16.
12. 4.4 Choose Packet Drop-type Algorithm

When a customer queue is full, packets will be tailed-dropped normally. But you can choose RED algorithm as packet droptype:
router config custom-queue-list <list-number>
Note: Defines the custom-list number between 1 and 16
Command
drop-type random-detect
Description
<RED group name>
drop-type tailed-dropped
Chooses RED algorithm as packet drop-type.

<RED group name>: name of the RED group. Section
2.5 describes how to configure a RED group.
Chooses default tailed-dropped algorithm as packet
drop-type.
12. 4.5 Monitor and Debugging

After CQ has been configured, the following debugging command can be used to verify and check the action. The detailed
commands are as follows:
center
Command
Description
show cq
Displays the routers relative CQ interface

information.
Displays the specified interfaces relative CQ
information.
debug the routers relative CQ interface
information.
debug the specified interfaces relative CQ
information.
show cq interface <interface>

debug cq
debug cq interface <interface>
12. 4.6 An example
Unix host
ip:192.168.255.253/24
ip:130.255.78.1/30
Router2
ip:130.255.78.1/30
S1/2
PPP
ip:130.255.78.2/30
Router1
S0
ip:128.255.254.1/24
ip:128.255.254.24/24
Terminal
Terminal
Business host
Figure 6 CQ Configuration Sketch Map

Notes:
1) In the preceding figure, Maipu Router1 is connected to the terminals. The serial0 interface of Router 1 connects
with serial 1/2 interface of the peer-end Cisco Router2. There are terminal services, FTP and other data on the line.
The terminal data packet is to be put into Queue 1, the FTP data packet goes into Queue 2 and other data packets go
into the default queue.
2) The IP address of the remote UNIX host is 192.168.255.253. The process itest will run on TCP port 3051 and the
FTP will run on the TCP port 20 and 21.
3) Router2 provides the 64K clock
Command
Task
center(config)#custom-queue-list 1 tcp 1 1 130.255.78.2

255.255.255.255 any any any 3051
Puts the ftp data packets of TCP port 3051

into queue 1.
Puts the ftp data packets of TCP port 20 into
queue 2.
center(config)# custom-queue-list 1 tcp 2 2

128.255.254.24 255.255.255.255 any any any 20
center(config)# custom-queue-list 1 tcp 2 2
128.255.254.24 255.255.255.255 any any any 21
center(config)# custom-queue-list 1 queue 1
6000
center(config)# custom-queue-list 1 queue 2
1500
router(config)#interface serial0
Puts the ftp data packets of TCP port 21 into

queue 2.
byte-count
byte-count
Defines the de-queuing byte numbers into

queue 1 of each circle.
Define the de-queuing byte numbers in the
queue 2 of each circle.
router(config-if-serial0)# custom-list 1
Applies list 1 to the interface.
12. 5 Weighted Random Early Detect Queue (WREDQ)

A Weighted Random Early Detect Queue (WREDQ) is just like FIFOQ except packet drop algorithm and the number of
queues(10 queues). It selects RED as packet drop algorithm. It classifies packets according to IP priority (namely the first 3
bits of TOS field in IP header).
While WRED queuing is a complex procedure, but it needs little configuration.
queue
Packets leaving from the interface
Queue0
Classi
fy
Packets that must be sent

through the interface
Figure 4
Weighted Fair
Queue12
Queue
Queue 9
Queue Sketch Map
Configuration:
center(config-if-xxx)
Command
Description
exponential-weighting-constant <1-12>

mean 2^number.
queue.
queue.
precedence <0-7> <0-65535> <0-65535> <1-100>
12. 6 Class-Based Weighted Fair Queue(CBWFQ)

CBWFQ assigns a weight to different classes of IP packets. The bandwidth of the interface configured with CBWFQ will be
allocated according to the weight.
CBWFQ configuration is a complex procedure, configuring a CBWFQ mainly involves three steps:
1) Defining a match class.
2) Defining a CBWFQ policy.
3) Applying the defined CBWFQ policy to an interface.
This section covers the following information:
Define a match class
Define a CBWFQ policy
Apply the defined CBWFQ policy to an interface
Debugging
Example
queue
Queue0
Sor
Queue
Queue
Queue
sent
the Fair Queue Sketch
Figurethrough
4 Weighted
Map 9

i
f
12. 6.1 Define A Match Class

Before defining a CBWFQ policy, a match class should be defined.
Configuration:
To define a match class, input:
router config class-map <class-map name>
class map config :

Command
match access-group <1-2000>
match input-interface <interface>
match ip precedence <0-7>

match ip dscp <0-63>
match mpls experimental <0-7>
Description
Defines match class according to a access group.
<1-2000>: Defines access group number
Defines match class according to the inbound
interface.
<interface>: Defines the inbound interface.
Defines match class according to the IP precedence.
<0-7>: Defines IP precedence.
Defines match class according to the IP dscp field.
<0-63>: Defines IP dscp field.
Defines match class according to MPLS experimental
field.
<0-7>: Defines MPLS experimental field.
12. 6.2 Define A CBWFQ Policy

After defined a match class, a CBWFQ policy can be defined.
Configuration:
To define a CBWFQ policy, input:
router config policy-map <policy-map name>
Then, select match class defined, input:
router policy-map config class <class-map name>
Now configure CBWFQ policy:
CBWFQ policy config:
Command
priority <1_100000>
bandwidth percent <1-75>
Description
Defines packets of this match class enter LLQ queue,
and bandwidth for LLQ(Least Latency Queue)
<1-100000>: Defines LLQ bandwidth, kbits/s
Defines bandwidth percentage for packets of this
match class.
<1-75>: Defines the percentage of bandwidth.

bandwidth <1-100000,bandwidth> <1100000,total bandwidth of this interface>
set ip precedence <0-7>
set ip dscp <0-63>
set mpls experimental imposition <0-7>
set mpls experimental topmost <0-7>
Defines bandwidth for packets of this match class.

Sets IP precedence for packets of this match class.
<0-7>: Defines IP precedence value being set.
Sets IP dscp field for packets of this match class.
<0-63>: Defines IP dscp field value being set..
Set MPLS experimental value at tag imposition for
packets of this match class.
<0-7>: Defines MPLS experimental value at tag
imposition.
Set MPLS experimental value on topmost label for
packets of this match class.
<0-7>: Defines MPLS experimental value on topmost
label.
Random-detect can be configured as packet-drop type, default is tailed-dropped.

Configure RED as packet-drop algorithm, issue:
router CBWFQ policy config random-detect
CBWFQ policy config:
Command
Description
random-detect exponential-weighting-constant <112>

mean 2^number.
queue.
queue.
random-detect precedence <0-7> <0-65535> <065535> <1-100>
12. 6.3 Apply The Defined CBWFQ Policy To An Interface

After defined a CBWFQ policy, the CBWFQ policy can be applied to an interface.
Command
Description
service-policy output <policy-name>
Configures CBWFQ on the interface.

Applies the defined CBWFQ policy to the
output packets of the interface.
Applies the defined CBWFQ policy to the
input packets of the interface, but only setrules in this policy will be effective.
Cancels CBWFQ queues used on the interface.
service-policy input <policy-name>
no service-policy output
no service-policy input
service-policy queue-limit <1-255> <2000-65536>
Cancels CBWFQ policy used on input packets

of the interface.
Configures queue length limits of the specified
queue.
<1-255>: Specifies the queue.

<2000-65536>: Defines queue length limit in
bytes
12. 6.4 Monitor and debugging

After CBWFQ has been configured, the following debugging command can be used to verify and check the action. The
detailed commands are as follows:
center
Command
Description
show cbwfq
Displays the routers relative CBWFQ interface

information.
Displays the specified interfaces relative CBWFQ
information.
<interface>: Specifies the interface.
This command can display CBWFQ informaion
show cbwfq interface <interface>
Debug wfq
12. 6.5 Example
Notes:
1) One 2M private line is adopted between two network nodes. The private line is used to bear the transmission of
voice data, terminal services and data.
2) Supposing the FTP operates on TCP port 20 and 21.
In order to guarantee IP-voice quality and bandwidth of the telnet data packets, we can use CBWFQ.
Configurations of router1:
Command
Router1#conf t
router1(config)#access-list 1001 permit ip host 192.168.1.6
host 192.168.1.5
router1(config)#access-list 1002 permit tcp host
192.168.2.100 host 192.168.0.100 eq 23
192.168.2.101 host 192.168.0.101 eq 21
192.168.2.101 host 192.168.0.101 eq 20
router1(config)#class-map voip
Task
IP-voice data packets

Telnet data packets
FTP management packets
FTP application data packets
Defines VOIP match class
router1(config-cmap)#match access-group 1001

router1(config)#class-map telnet
router1(config)#class-map ftp
router1(config)#policy-map one
router1(config-pmap)#class voip
router1(config-pmap-c)#bandwidth percent 50
router1(config-pmap)#class telnet
router1(config-pmap)#class ftp
router1(config)#interface serial 0/0
router1(config-if-serial0/0)#service-policy output one
Defines match rules for VOIP match class

Defines TELNET match class
Defines match rules for TELNET match class
Defines FTP match class
Defines match rules for FTP match class
Defines CBWFQ policy ONE
Enter configuration-mode of VOIP class
Assigns 50% bandwidth for VOIP class
Enter configuration-mode of TELNET class
Assighs 20% bandwidth for TELNET class
Enter configuration-mode of FTP class
Assighs 5% bandwidth for FTP class
Applies policy ONE on the s0/0 interface
12. 7 Bandwidth Management

MAIPU router uses Committed Access Rate(CAR) as the algorithm of bandwidth management. CAR algorithm allocates
bandwidth to IP data-packet flows according to rate-limit rules.
The detailed configuration are as follows(issuing rate-limit command under router config-if-xxx mode):
rate-limit { input | output } [access-group <access-list-No>] <CIR> <conform-burst>
{<actions> [<action val>] } exceed-action { <actions> [<action val>] }
Syntax
{input | output}
access-list-No
CIR
Conform burst
Exceed burst
actions [action val]
<exceed-burst> conform-action
Description
Apply the rule to ingress/egress packets
Specify an access-list no to match packets. If its default configuration is adopted,
all ingress/egress packets of the interface must be matched. The value range is from 1
to 2000.
Define committed Information rate(bit/s), a value in 8000-100000000
Define conform burst rate, the depth of conform bucket(byte), a value in

1500-50000000
Define exceed burst rate, the depth of exceed bucket(byte), a value in 0100000000
Define actions of conform /exceed burst:
continue : do nothing but continue matching next rule
drop : drop this packet
transmit : forward this packet
set-prec-continue : set the precedence of a packet as <action val> and
continue matching next rule
set-prec-transmit : set the precedence of a packet as <action val> and forward
this packet
set-dscp-continue : set DSCP of a packet as <action val> and continue
matching next rule
set-dscp-transmit : set DSCP of a packet as <action val> and forward this
packet
12. 8 Traffic Shaping

Traffic shaing is used to send packets at an average rate and smooth the egress flow when there exists data congestion.
Configuring Traffic-Shape
traffic-shape command
traffic-shape
rate conform-rate
Syntax
conform-rate
permit burst
Description
Maximal bandwidth of the interface. Its value range is from 480 to 1000000000
bits/sec
Burst bytes permitted in 1/60 second. Its value range is from 1600 to 5000000
bytes
permit burst
12. 9 RSVP (Resource Reservation Protocol)

RSVP (Resource Reservation Protocol), as a standard signaling protocol, is used to ensure the point-to-point network
bandwidth for the IP network. It adopts basic route allocation protocols to determine where to transmit the reserved request.
When the route allocation changes paths to accommodate to the change of the topology structure, RSVP can make its
reserved request accommodate to the new paths. This working mode doesnt incommode other route allocation services.
RSVP provides transparent operations through supporting no RSVP router nodes, cooperating with the current queuing
mechanism instead of replacing it. RSVP applies for a specific queuing mechanism, but only a specific interface queuing
mechanism can realize the reservation function.
ip rsvp
ip rsvp bandwidth reservable-bandwidth
largest-reservable-flow
ip rsvp {burst burst-factor}| {delay time-value}| {neighbor access-list}| signaling {conform | exceed} {dscp value |
precedence value }| {udp-multicasts multicast-address}
Syntax
reservable-bandwidth
largest-reservable-flow
burst burst-factor
delay time-value
neighbor access-list
signaling {conform | exceed} {dscp value |

precedence value }
udp-multicasts multicast-address
Descriptions
This is the reservable-bandwidth, and its value range is
between 1 and 10000000 kbps
This is the largest reservable bandwidth of each flow,
and its value range is between 1 and 10000000kbps.
Set the maximum burst percentage of the reserved flow,
and the value range of burst-factor is between 100 and 1000.
And the default value is 500(%).
It is the delay time (millisecond) used to update Adspec
in Guaranteed services, and its value range is between 1 and
5000, 90 (ms) by default.
Utilize the access list to limit the communication of
RSVP neighbors. Its value range of access-list is between 1
and 1000.
Tag the flows that succeed in being reserved, meet or go
beyond the bandwidth. When value is corresponding with
DSCP, its value range is between 0 and 63, while
corresponding with precedence, between 0 and 7.
Enable and listen in the multicast address when some
intermediate routers cant support the original sockets or
default multicast addresses.
The value range of multicast-address is of multicast
group address, and its default is 224.0.0.14.
Default RSVP is not running.

Command modeThe interface configuration mode.

Note:
The maximum reservable bandwidth cannot exceed 75% of the interface maximum bandwidth.
An Example of RSVP (Resource Reservation Protocol) Configuration
Illustration:
Through the Ethernet, PC1 and PC2 connect with ROUTER1 and ROUTER2 respectively. ROUTER1 ROUTER2 adopt
the PPP protocol to connect each other by means of one 2M private line over which all communication between two LANs
respectively connected with PC1 and PC2. And network applications between PC1 and PC2 require a stable 40K bandwidth.
Configure ROUTER1 as follows:
Command
route1#conf t
router1(config-if-serial0/0)# fair-queue
router1(config-if-serial3/0)#bandwidth 2000
router1(config-if-serial0/0)#ip rsvp bandwidth 64 64
Descriptions
Enable WFQ.
Designate the interface bandwidth to
be 2M.
Enable the RSVP resource reservation
function.
255.255.255.252
Configure ROUTER2 as follows:
Command
Route2#conf t
Router2(config-if-serial0/0)# fair-queue
router2(config-if-serial3/0)#bandwidth 2000
Router2(config-if-serial0/0)#ip rsvp bandwidth 64 64
Router2(config-if-serial0/0)#encapsulation ppp
Router2(config-if-serial0/0)#ip address 192.168.0.6
255.255.255.252
Descriptions
Enable WFQ.
Designate the interface bandwidth to
be 2M.
Enable the RSVP.
Configure RSVP Proxy

The proxy configuration is used to replace a node that cannot send RSVP messages to send RSVP messages, so that other
nodes can realize the RSVP reservation through receiving the RSVP proxy message that the router creates.
ip rsvp
ip rsvp { sender | sender-host | reservation | reservation-host }
Syntax
Sender
Descriptions
Configure the PATH message proxy, of which the followed parameters are as
follows:
the destination address reservable-flow, the resource address of reservableflow, IP protocol number of reservable-flow, the destination port of reservableflow, the source port of reservable-flow, the previous hop address of PATH
sender-host
reservation
reservation-host
message, the supposed receiving interface of PATH message, the reservable-flow

bandwidth, the reservable-flow burst-size.
Configure the PATH message proxy for the local application. And no receiving
interface and previous hop addresses need be configured.
Configure the RESV message proxy, of which the followed parameters are as
follows:
the destination address a reservable-flow, the source address of a reservableflow, IP protocol number of a reservable-flow, the destination port of a reservableflow, the source port of a reservable-flow, the previous hop address of a RESV
message, the supposed receiving interface of RESV message, the reservable
share-style, the service that the reservable-flow applies for, the reservable-flow
bandwidth, the reservable-flow burst-factor.
Configure the RESV message proxy for the local application. No receiving
interface and the previous hop address need be configured.
Monitoring and Debugging RSVP (Resource Reservation Protocol)

show ip rsvp installed
This command is used to display the information about the flows that succeeds in RSVP reserving currently.
show ip rsvp installed
Command modeThe privilege user mode.
show ip rsvp neighbour
This command is used to display the RSVP neighbor list that switches the RSVP signaling with the local router.
show ip rsvp neighbour
show ip rsvp sender
This command is used to display the list (PSB) of the PATH messages that the local router received.
show ip rsvp sender
show ip rsvp reservation
This command is used to display the list (RSB) of the RESV messages that the local router received.
show ip rsvp reservation
show ip rsvp blockade-state-block
This command is used to display the list (BSB) of the RESV messages that are denied by the previous hop and are received
by the local router.
show ip rsvp blockade-state-block
show ip rsvp timer
This command is used to display the list of the timers relevant with each RSVP in the local router.
show ip rsvp timer
debug ip rsvp
This command is used to display the process that creates the RSVP reservation.
debug ip rsvp
Chapter 13
802.1Q Specifications
This chapter describes how to configure your MP2600 router so it can connect to a Virtual LAN (VLAN) and an exterior
network.
13.1 802.1Q Configuring Principles
A VLAN ID number is added to all network equipment through the 802.1Q protocol. All equipment with the same VLAN
ID number will be able to communicate with each other. Equipment in different VLAN groups wont be able to
communicate with each other unless theyre configured to the same VLAN ID number. The following section will tell
you how to set up your equipment to ensure proper communications.
13.1.1 VLAN Functions
An Ethernet supporting 802.1Q can be divided into many subnets, and each subnet will correspond to a certain VLAN (see
Figure 1). When a data packet passes through a switch, it is checked against 802.1Q standards. A VLAN tag will then
be added to describe which packet it belongs to. When the routers Ethernet interface receives a data packet, the interface
will compare its own VLAN tag with the interfaces corresponding tag. If the receiving interface and data packet both
belong to the same VLAN, the interface will receive the incoming data. Otherwise, the packet will be discarded.
Similarly, when the router sends a data packet, the router also checks the tag. All equipment with the same VLAN tag will
be able to communicate with each other, but must pass through layer three routing.
13.1.2 One-Armed Routing
In order to accomplish one-armed routing, many links between a router and a switch are formed. Namely, the routers
Ethernet interface connects with a switchs port. The method is very simple, but it doesnt make effective use of the
routers interface so it isnt an ideal method. The interface is used fully through one-armed routing. (One-armed routing is
illustrated in the following Figure 1.)
The switch is configured between two VLANs VLAN1 and VLAN2. Port 1 is configured as a relay port belonging to
both VLAN 1 and VLAN 2. Two sub-interfaces are configured on a fast Ethernet router interface and are each assigned to
an independent IP subnet. Two corresponding VLAN IDs are named in each sub-interface.
Mp5124 Switch
vlan1
port1- 10
( market department)
vlan2
Port11- 20
f0.1
f0.2
( market department)
( vlan1)( vlan2)
Mp2600Router
Figure 1 One-Armed Routing
Thus, VLAN1 or VLAN 2s data stream can get to router sub-interface f0.1/ f0.2 through relay port 1. The routing between
two VLANs is accomplished through the use of two sub-interfaces. Because the router only has one physical interface that
connects to a switch port, the router will have a one-armed router alias.
13.1.3 Subnet Isolation
As long as two sub-interfaces and their corresponding VLAN are configured in default mode, the two VLANs can
communicate with each other. But in some circumanstances, it isnt what we expected.. To do this, you will have to
create a new access list based on the one-armed routing configuration to filter communications between the two VLANs.
The access list must be applied to the corresponding VLAN sub-interface.
13.2 802.1Q Configuring Commands

Only sub-interfaces 1 to 63 of the Ethernet interface can be named, per 802.1Q protocols.
configured with any VLAN ID number from 1 to 4,094.
Each sub-interface can be
13.2.1 Configuring 802.1Q Commands

The 802.1Q protocol configuration involves the following three steps:
creating a sub-interface
naming 802.1Q protocol
setting up an IP layer
A. Create A Sub-Interface
Router config interface fastethernet0.
Syntax
Description
[0-63]
Sub-interface number
Notes:
1) Fastethernet0.0 is a master interface and cant change 802.1Q protocol.
2) You cant have more than 63 sub-interfaces.
B. Name 802.1Q Protocol
router(config-if-fastethernet0.1)#
Command
encapsulation dot1q
Description
Names 802.1Q protocol on the interface and configures the
VLAN ID.
<vlan id>
Shutdown
No shutdown
Notes:
1) The sub-interface can only encapsulate 802.1Q protocol. The protocol will only be named when a sub-interface has
been created.
2) Your VLAN ID number can only be from 1 to 4,094.
C. Set-up An IP Layer
router(config-if-fastethernet0.1)# ip ?
Command
Description
Address <unicast address> < network mask>
Configures the sub-interface IP address on the subinterface.
access-group <IP access list |

name> <in | out>
Applies an access list to the sub-interface.
Access-list
Notes:
1) The IP address configured on the sub-interface and the IP address of all the equipment on the same VLAN should be
contained in the same network segment.
2) If you want to use the one-armed routing function, communication between some equipment must be prohibited.
An access list must be applied to the interface.
13.2.2 A Typical One-Armed Router Application

)

)

03
03
9/$1
9/$1 , '
9/$1
9/$1 , '
(7+(51(7
3&
3&
3&

(7+(51(7
3&
3&
3&

Figure 2 One-Armed Routing Sketch Map

Notes About The Preceding Figure:
1) The fastethernet interface of Router MP2600 connects with the relay interface, MP5124. The two Ethernet subinterfaces have been configured as fastethernet0.1 and fastethernet0.2 respectively. The corresponding VLAN
IDs are 1 and 2.
2) Two VLANs have been set on MP5124. The VLAN ID 1 interface connects with the left three PCs and the
VLAN ID 2 interface connects with the right three PCs. The relay interface contains two VLAN groups.
3) The PCs named in VLAN ID 1 are in the network segment 1.1.1.0/24, while the PCs in VLAN ID 2 are in the
network segment 1.1.2.0/24.
This allows communication between two VLANs.
Configuration:
To configure fastethernet0.1:
Command
Task
routerconfig#interface fastethernet0.1
Creates the routers fastethernet0.1 subinterface.
router(config-if-fastethernet0.1)#encapsulation dot1q 1
Sets the VLAN ID of fastethernet0.1 as 1
router (config-if-fastethernet0.1)#ip address 1.1.1.4

255.255.255.0
Sets the IP address of fastethernet0.1 as

1.1.1.4, a subnet mark with 24 bits.
Command
Task
routerconfig#interface fastethernet0.2
Creates the routers fastethernet0.2 subinterface.
router(config-if-fastethernet0.2)#encapsulation dot1q 2
Set VLAN ID of fastethernet0.2 as 2

255.255.255.0
Set IP address of fastethernet0.2 as

1.1.2.4, a subnet mark with 24 bits.
Note: The VLAN 1 PCs default gateway is set to IP address 1.1.1.4 in the MP200s fastethernet0.1 interface.
VLAN 2 PCs default gateway is set to IP address 1.1.2.4 in the MP2600s fastethernet0.2 interface.
Configuration Results:
router#show run
hostname router
interface loopback0
exit
exit
interface fastethernet0.1
ip address 1.1.1.4 255.255.255.0
encapsulation dot1q 1
exit
ip address 1.1.2.4 255.255.255.0
exit
The
13.2.3 A Typical Subnet Isolation Application
6HU YHU
6HU YHU
7&3 , 3
1HW ZRU N
03
)

03
)

9/$1
9/$1 , '
9/$1
9/$1 , '
(7+(51(7
3&
3&
3&

Figure 3
(7+(51(7
3&
3&
3&

Subnet Isolation Sketch Map
Notes About The Preceding Figure:

1) The routers fastethernet interface connects with MP5124s relay interface. Two Ethernet interfaces are
respectively configured to fastethernet0.1 and fastethernet0.2. The responding VLAN ID is set to 1 and 2
respectively.
2) The MP2600 uses a WAN interface to connect with server1 and server2 through a TCP/IP network.
3) MP2600 router adds two access lists to prohibit communications between VLAN1 and VLAN2. These VLANs
access their own business servers through the routers WAN interface and arent permitted to communicate with
each other.
4) Two VLANs has been set on the MP5124. The VLAN ID 1 interface connects with the left three PCs, while the
VLAN ID 2 interface connects with the right three PCs. The relay interface contains two VLAN groups.
5) The PCs in the VLAN ID 1 group are in network segment 1.1.1.0/24.
segment 1.1.2.0/24.
The PCs in VLAN ID 2 are in network
Parameter Configuration:
To configure an access list:
Command
Task
Router config #ip access-list standard 1
Creates a standard access list 1 on the

router.
router (config-std-nacl)#deny 1.1.1.0 0.255.255.255
Sets the first access list 1 rule to prohibit

data from 1.1.1.0/24 from passing
through.
router (config-std-nacl)#permit any
Sets the second access list 1 rule to

permit any data packet from passing
through.
Router config #ip access-list standard 2
Creates a standard access list 2 on the

router.
router (config-std-nacl)#deny 1.1.2.0 0.255.255.255
Sets the first access list 2 rule to prohibit

data from 1.1.2.0/24 from passing through.
router (config-std-nacl)#permit any
Sets the second access list 2 rule to

permit any data packet from passing
through.
Command
Task
Router config #interface fastethernet0.1
Creates sub-interface fastethernet0.1.
router (config-if-fastethernet0.1)#encapsulation dot1q 1
Sets the fastethernet0.1 VLAN ID as 1.

255.255.255.0
Sets the IP address of fastethernet0.1 as

1.1.1.4 and the subnet mask to 24 bits.
router (config-if-fastethernet0.1)#ip access-group 2 out
the data sent from fastethernet0.1 is

limited by access list 2.
To configure fastethernet0.2
Command
Task
config #interface fastethernet0.2
Creates sub-interface fastethernet0.2.
(config-if-fastethernet0.2)#encapsulation dot1q 2
Sets the fastethernet0.2 VLAN ID as 2
(config-if-fastethernet0.2)#ip address 1.1.2.4 255.255.255.0
Sets the IP address of fastethernet0.2 to

1.1.2.4 and the subnet mask as 24 bits.
(config-if-fastethernet0.2)#ip access-group 1 out
The data sent from fastethernet0.2 is

limited by the access list 1.
Configuration Results:
router#show run
hostname router
ip access-list standard 1
deny 1.1.1.0.0.255.255.255
permit any
exit
ip access-list standard 2
deny 1.1.2.0 0.0.255.255.255
permit any
exit
interface loopback0
exit
exit
ip address 1.1.1.4 255.255.255.0
ip access-group 2 out
exit
ip address 1.1.2.4 255.255.255.0
ip access-group 1 out
exit
13.2.4 Displaying Configuration Statistics
A.
Display Configuration Sub-Interface Results
router#show run
After inputting the preceding command, you can observe configuration data for each interface.
example of extracted configuration information:
The following is an
ip address 2.2.2.2 255.255.0.0
exit
B.
Display Sub-Interface Statistics
router#show dot1q interface f0.1

After inputting the above command, you can observe statistical information about a data packet sent or received by subinterface f0.1:
fastethernet0.(unit number 1):
0 untagged packets received
0 tagged packets received
91 untagged packets sent
2 tagged packets sent
Chapter 14 Dynamic Host Configuration Protocol (DHCP) Configuration

14. 1 Introduction of DHCP
When a network is too big to control directly by its builder, it is hard to control the network. The frequent problem in the
network where IP addresses are assigned manually is IP address conflict. The only method to resolve the problem is to
assign IP addresses to customers dynamically. Dynamic Host Configuration Protocol (DHCP) assigns an address from an
address pool to the host that requests an address. DHCP also provides other information, such as gateway IP and DNS
server. The purpose of designing DHCP is not to provide the diskless workstation with boot information, but to reduce
burden of assigning IP addresses manually for a manager. DHCP can accomplish the work of assigning addresses.
14. 2 Configuration of DHCP
14. 2.1 DHCP Configuration Task List
'HILQHDQDGGUHVVRIDQDGGUHVVSRROIRUWKHDVVLJQPHQWRIDGGUHVVHV
&RQILJXUHWKHRSWLRQDOSDUDPHWHUVDVVLJQHGWRDKRVW
14. 2.2 The Relative Commands
The following table describes commands of DHCP server, relay and client.
Table 14-1 DHCP commands
Command
Description
In global configuration mode:

router(config)#iIp dhcp excluded-address
router(config)#iIp dhcp ping
router(config)#iIp dhcp pool
router(config)#ip dhcp-server A.B.C.D
Remove addresses from the address pool.

Use the parameter ping.
Define an address pool for assigning addresses.
Act as dhcp relay by appointing a dhcp server
Create an HDCP
router(config)#ip dhcp pool word
In DHCP configuration mode:

router(dhcp-config)# default-router
router(dhcp-config)# dns-server
router(dhcp-config)# domain-name
router(dhcp-config)# netbios-name-server
router(dhcp-config)# network
router(dhcp-config)#exit
In INTERFACE configuration mode:
router(config-if-fastethernet0)#ip address dhcp
Define an address pool and enter DHCP

configuration mode.
The name of the address pool is the value of word.
Configure the default gateway of the host.
Configure DNS server address of the host.
Configure the server name of the host.
Configure the address of the server netbios-name.
Define the address assigned in the address pool.
Exit the interface mode.
Act as dhcp client by requesting a address from some
DHCP server
14. 2.3 Configure DHCP

The first step: Define an address pool applied
The first step to star DHCP service is to define an address pool. The addresses in the address pool will be assigned
dynamically to these hosts that use DHCP to request addresses. The following configuration commands should be used on
the router:
Table 14-2 Create DHCP pool
Command
Description
router(config)#ip dhcp pool
word
Define an address pool with the name of word.
router(dhcp-config)#network A.B.C.D
Define an address pool for address assignment. And
netmask
A.B.C.D are network ID and netmask is the network
mark.
router(config)#ip dhcp excluded-address low ip
Remove the low ip address and high ip address from
the address pool. Low ip address is the starting address

and high ip address is the ending address.
address [high ip address]
The second step: Configure the optional parameters passing to the host
DHCP can send more other information to the host in addition to assign addresses dynamically.
Table 14-3 configure DHCP address pool optional parameters
Command
Description
router(dhcp-config)#default-router A.B.C.D
Configure the default gateway of the host.
A, B, C and D are the default gateways.
router(dhcp-config)#dns-server
A.B.C.D
router(dhcp-config)#domain-name word
router(dhcp-config)#netbios-name-server A.B.C.D
Configure DNS server addresses of the host. The

addresses are A.B.C.D.
Configure DNS server name of the host
Configure the addresses of server netbios-name. The
addresses of the server netbios-name are A.B.C.D
14. 3 DHCP Configuration Case
U RXW HU
I
KRVW

KRVW
KRVW
Illustration
Many hosts connecting to the interface fastethernet0 of the router, through the following configuration, can get
addresses in the DHCP address pool dynamically.
The configuration as shown below:
Table 14-4 DHCP configuration example
Configuration
Task
router#con t
Enter the global mode.
router(config)#interface fastethernet0
Configure on the interface f0.
router(config-if -fastethernet0)#
Configure IP address.
ip address 129.255.78.44 255.255.0.0
router(config-if -fastethernet0)#exit
Exit from the interface f0.
router(config)#ip dhcp excluded-address
129.255.78.44
router(config)#ip dhcp pool goat maipu
router(dhcp-config)#
Remove the address of the interface f0 of the router

from the address pool.
Define an address pool maipu.
Define the address for address assignment in the
network 129.255.0.0 255.255.0.0

router(dhcp-config)#default-router
129.255.78.44
router(dhcp-config)#dns-server 61.139.2.69
router(dhcp-config)#netbios-name-server
129.255.78.27
router(dhcp-config)#end
address pool.
Configure the default gateway of the host:
129.255.78.44.
Configure DNS server address of the host
Configure the address of the server netbios-name .
The configuration finished.
Note
The host connecting with the interface fastethernet0 of the router, through the above configuration, can get the other
assigned addresses except 129.255.78.44used by the interface fastethernet0 of the routerof the network segment
129.255.0.0. And the host will be configured with the information on DNS server, the default gateway and the server
netbios-name.
14. 4 Examine the Status and the Debug
Examine the host list that currently has been assigned IP address.
Example
router#show ip dhcp binding
Hardware-Address
IP-Address
Lease
Status
0050.ba14.9de5
129.255.0.1
85678
ACKED
0050.ba21.0e6c
129.255.78.2
84765
ACKED
It can be seen from the above information that the two addresses 129.255.0.1 and 129.255.78.2 are respectively assigned to
the two hosts with the corresponding MAC address 0050.ba14.9de5 and 0050.ba21.0e6c.
Trace and debug DHCP information
router#debug ip dhcp packet
router#debug ip dhcp linkage
router#debug ip dhcp events
Chapter 15 NDSP Protocol Configuration

Neighbor Device Search Protocol(NDSP) discovers adjacent devices on the network and obtains protocol address of
neighboring devices and platform of those devices. NDSP is media- and protocol-independent,and run over the data link
layer only.
Each device configured for NDSP sends periodic messages, known as advertisements, to a multicast address. The
advertisements contain time-to-live, or holdtime, information, which indicates the length of time a receiving device should
hold NDSP information before discarding it. Each device also listens to the periodic NDSP messages sent by others in order
to learn about neighboring devices and determine when their interfaces to the media go up or down.
Currently, NDSP is supported by HDLC,PPP,Frame Relay protocol on WAN interface.
15.1 Commands
You can use the following three commands to configure NDSP in global configuration mode:
Command
Description
ndsp run
Enable NDSP . The no ndsp run command is used to
deactivate NDSP . The default mode leaves NDSP
turned off.
ndsp timer
Specifies frequency of transmission of NDSP update. The
default interval is 60 seconds.
ndsp holdtime:
Specfies the amount of time a receiving device should hold

the information sent by your device before discarding it.
The default interval is 180 seconds.
ndsp enable
NDSP is enabled by default on all supported interfaces to

send and receiver NDSP information.
NDSP is enabled by default on all supported interfaces to send and receiver NDSP information. You can disable NDSP on an
interface supports NDSP by using the no ndsp enable command.
Command
Description
ndsp enable
Enabled NDSP on an interface.
Input these commands to display NDSP

Command
Show ndsp entry
Show
ndsp neighbors
Show
ndsp traffic
Show
ndsp version
status:
Description
Displays information about a specific neighbor
Displays the type of device that has been discovered, the
name of the device, the number and type of the local
interface, the number of seconds the NDSP advertisement
is valid for the port ,the device type, the device product
number, and the port ID.
Display s NDSP counters,including the number of packets
sent and received and checksum errors.
Displays the current NDSP version.
15.2 Examples
If you want to run NDSP on your router, you would input:
router(config)# ndsp run
router(config)#exit
router#
If you dont want to run NDSP

router(config)#no ndsp run
router(config)#exit
router#
on your router anymore, you would input:
Chapter 16 SNMP Configuration

SNMP (Simple Network Management Protocol) is a standard protocol to manage the Internet. Its purpose is to assure that the
management information can be transmitted between the Network Management Station and the managed equipment
agent. It is convenient for the system manager to manage the network system.
SNMP adopts the tree labeling method to number each managed element and insures the number is exclusive. About the
detailed information on SNMP protocol, refer to the TCP/IP data.
16.1 SNMP Instruction Set
z Router (config)#snmp-server ?
Command
snmp-server start
snmp-server community
snmp-server contact
snmp-server host
Description
Activate SNMP network management.
Set the SNMP community name.
Set the contact mode of the device manager.
Set the host name or IP address of the network
management station receiving SNMP trap.
Set the location of the device.
Set the network management view.
Enable to send specified type of traps
Set the address parameter.
snmp-server location
snmp-server view
snmp-server enable traps
snmp-server AddressParam
snmp-server TargetAddress
snmp-server engineID
snmp-server group
Set the related destination address parameter aaa.

Set the engine.
Set the group.
snmp-server notify
Set notify-message.
snmp-server proxy
snmp-server user
snmp-server keepalive
Set the proxy for transmitting packet.

Set the user.
Set the keepalive packet.
16.2 Simple Network Management Protocol (SNMP) Configuration

Configuring Community Name:
router(config)#snmp-server community community-name [view view-name [{ro|rw}] [access-list]]
Syntax
Description
community community-name
view view-name
{ro|rw}
access-list
Set the community name.

Specify the view corresponding to the community name.
Specify the operation right of the community name.
Specify the access control list or name of the community name.
Note:
The parameter community-name is used to specify the community name that is added to the router. Usually, the
community name must be the same as that configured on the network management station, or else the network management
station has no way to perform any operation to the router.
The parameter { ro | rw} is used to set the network management stations rights to operate the router. The parameter ro
means read-only and rw means reading/writing.
The parameter view is used to specify the view scope for the community. Maipu router can do without the configuration
of the parameter view (it can do with the default).
The parameter access-list is the access control list that is used to perform the access control of hosts in the community.
So, nothing but those hosts that are in the same community with the router and permitted by the routers access control list
can access the router. (About the detailed information, refer to Maipu router access control module)
For example:
Add the community public to the router, and then set the reading/writing right to operate the router for the network
management station whose community name is public:
router(config) #snmp-server community public rw
Note:
After starting up the router, you must configure the community for it, or else, the network management station has no
way to manage the router by means of snmpv1/v2c;
If you want to perform writing operations on the router, such as upgrading a program, backing up the configuration file,
the parameter < ro/rw/view > must be set as rw(reading/writing).
Configuring the contact of the equipment manager and equipment location
Router(config)#snmp-server contact <line> Configuring the contact of the equipment manager;

Router(config)#snmp-server location <line> Configuring the equipment location;
Note:
The function of the foregoing commands is to make the network management station read the information about the
router manager and router location for router management. The default configuration is the full name and address of the
router manufacturer.
Deleting SNMP on a router: (Closing the network management proxy process)
The configuration to close SNMP on the router is described as follows:

Router (config)#no snmp-server start
Note:
After the command is executed, the network management proxy process on the router is closed, and the network
management software has no way to manage the router through SNMP.
Configuring the router to send traps message:
The configuration of sending traps message on the router is described as follows:

Router (config)#snmp-server host ip/name [traps] [community community-name] [version {1|2}]
Syntax
Description
host ip/name
traps
community community-name
version {1|2}
Specify the IP address and name of the network management station.

Specify the sending type as traps.
Specify the community name.
Specify the version number of the trap message.
Note:
The parameter < ip/name > represents the destination name or IP address to which the traps message will be sent.
Usually, it is the IP address or name of the host on which the network management application has been installed. It is
noticeable that the trap message is the message the router forwardly sends to the host on which the network management
application has been installed.
If the parameters following host, such as traps, community-name and version, are not configured, the system will adopt
the default configuration: typetraps, community-namepublic and version2.
Enable to send specified traps
Router(config)#snmp-server enable traps [module-name [trap-type]]
module-name
trap-type
bgp
backward-transition
established
dlsw
circuit-down
circuit-up
tconn-down
tconn-partner-reject
tconn-prot-violation
tconn-up
Description
Enable SNMP BGP traps
Enable BGP backward transition trap
Enable BGP established trap
Enable SNMP DLSw traps
Enable DLSw circuit down trap
Enable DLSw circuit up trap
Enable DLSw tconn down trap
Enable DLSw tconn partner reject trap
Enable DLSw tconn port violation trap
Enable DLSw tconn up trap
frame-relay
dlci-status-change
pvc-connect-statuschange
pvc-connect-statusnotify
isdn
Enable frame-relay PVC connect status notify trap
if-authen-failure
Enable SNMP isdn traps

Enable isdn call information trap
Enable SNMP OSPF traps
Enable OSPF interface authentication failure trap
if-config-error
if-rx-bad-packet
Enable OSPF interface config error trap

Enable OSPF interface receive bad packet trap
call-information
ospf
if-state-change
lsdb-approachingoverflow
Enable OSPF interface state change trap

Enable OSPF lsdb approaching overflow trap
lsdb-overflow
max-age-lsa
nbr-state-change
originate-lsa
tx-retransmit
Enable OSPF lsdb overflow trap

Enable OSPF max age lsa trap
Enable OSPF neighbor state change trap
Enable OSPF originate lsa trap
Enable OSPF retransmit trap
virtif-authen-failure
Enable OSPF virtual interface authentication failure trap
virtif-config-error
Enable OSPF virtual interface config error trap
virtif-rx-bad-packet
Enable OSPF virtual interface receive bad packet trap
virtif-state-change
virtif-tx-retransmit
Enable OSPF virtual interface state change trap

Enable OSPF virtual interface retransmit trap
virtnbr-state-change
Enable OSPF virtual neighbor state change trap
pim
neighbor-loss
rsvp
lost-flow
new-flow
snmp
authentication
coldstart
enterprise
linkdown
linkup
warmstart
x.25
reset
restart
Enable SNMP frame-relay traps

Enable frame-relay DLCI status change trap
Enable frame-relay PVC connect status change trap
Enable SNMP PIM traps

Enable PIM neighbor loss trap
Enable SNMP RSVP traps
Enable RSVP lost flow trap
Enable RSVP new flow trap
Enable SNMP traps
Enable authentication trap
Enable coldstart trap
Enable enterprise specific traps
Enable link dowm trap
Enable link up trap
Enable warmstart trap
Enable SNMP x.25 traps
Some debugging commands of the network management proxy:
Router# show snmp-server

Note:
The command is used to display the current statistics information about the network management proxy of the router:
Router# show snmp-server
0 SNMP packets input:
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
2 SNMP packets output:
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
2 Trap PDUs
0 SNMPv3 Reports:
0 Unknown Security Models
0 Invalid Msgs
0 Unknown PDUHandlers
0 Unavailable Contexts
0 Unknown Contexts
0 Unsupported SecLevels
0 Not In TimeWindows
0 Unknown UserNames
0 Unknown EngineIDs
0 Wrong Digests
0 Decryption Errors
The foregoing information indicates that the router hasnt received the SNMP message presently, but has sent two trap
SNMP messages that are trap messages. The information SNMPv3 Reports describes is the error statistics information that
appears when SNMPv3 messages are processed.
Router# show snmp-server community
Note:
The command is used to display the information about the community that the router has joined in. The execution result
of the command is displayed as follows:
Router#show snmp-server community
Community Name
Relating View Index
Access Right
public
1
Read-Write
private
1
Read-Only
It indicates that the router has joined in two communities: public and private.
Router# show snmp-server host
ACL-name
Note:
The command is used to display the information of the destination address that has been configured on the router and to
which the traps message will be sent. The execution result of the command is displayed as follows:
Router# show snmp-server host
Trap destination
Community
Trap-Switch
128.255.254.55
public
ON
mp-12434
public
Informs-Switch Version
OFF
ON
OFF
Ver 2
Ver 2
It indicates that the router has set the destinations to which the two traps messages will be respectively sent: 128.255.254.55
and mp-12434.
Router# show snmp-server oidAlias
Note:
The command is used to display the oid sequences alias that has been set on the router:
Router# show snmp-server oidAlias
the Alias of snmp oid list:
Oid Alias
Oid Serial
MIB-II
1.3.6.1.2.1
ifEntry
1.3.6.1.2.1.2.2.1
MIB-II_system
1.3.6.1.2.1.2.1
It indicates that three oid aliases have been set on the router: the aliases of 1.3.6.1.2.1, 1.3.6.1.2.1.2.2.1 and 1.3.6.1.2.1.2.1 are
MIB-II, ifEntry and MIB-II_system (The three oid aliases are the default configuration of the SNMP proxy of the router.).
Router# show snmp-server view
Note:
The command is used to display the view that has been configured on the router:(Generally, a view is composed of
several sub-tree nodes) :
Router# show snmp-server view
SNMP View List:
View Name
default
View index
1
view operator
include
subtree filter oids

1.3.6.1
It indicates that one view has been configured on the router: its name is default, and view index is 1, including all nodes
under the sub-tree 1.3.6.1. (The view is the default configuration of the SNMP proxy of the router).
Configuring SNMPv3 engine ID:
z router(config)#snmp-server engineID ?
Command
Description
remote
local
Configuring the remote engine ID.

Configuring the local engine ID.
Note:
Each SNMPv3 entity includes an engine (also called local engine), and snmpEngineID is used to exclusively identify
an SNMPv3 entity in a management domain. Moreover, when sending an advertisement or forward a message, the SNMPv3
need know the engineID of the remote destination SNMP entity. So, the remote engineID need be configured, and the
destination IP address and UDP port number need be specified for the engineID.
z router(config)#snmp-server engineID local engineID
Command
Description
engineID
The value of the local engineID.
For example:
Use the following command to configure the local engineID as 12345678:
router(config)#snmp-server engineID local 12345678
z router(config)#snmp-server engineID remote ip-address port-num engineID [engineGroup]
Syntax
Description
ip-address
port-num
engineID
[engineGroup]
The IP address of the destination entity.

The UDP port-number of the destination entity.
The value of the remote engineID.
The engine group name.
Note:
When configuring automatic proxy forwarding, you many know no IP address of the surrogated equipment. Here, you
do nothing but input 0.0.0.0 at the location of ip-address. Moreover, the automatic proxy forwarding can not work without the
keepalive mechanism.
For example:
Use the following command to configure the destination entity: IP address1.1.1.1, port-number162engineID
abcdef1234:
router(config)#snmp-server engineID remote 1.1.1.1 162 abcdef1234
z router(config)#snmp-server engineGroup groupname usrname {noauth |auth |priv}
Syntax
groupname
usrname
{noauth |auth |priv}
Description
The name the engine group.
The user name.
The security level of the username :no-authentication, authentication but
encryption, authentication and encryption.
Note:
The foregoing command is used to configure the automatic proxy forwarding. Before the command is configured, the
corresponding username need be configured in advance. The function of the command is to relate several engines (SNMPv3
entities) to an engine group. One user can be specified for each engine group. In this way, the username can be used to access
any engine of the engine group. The parameter {noauth |auth |priv} is used to describe the security level of the username,
and must be consistent with the username.
For example:
Use the following command to configure an engine group: group-namegroup1, usernameuser1, security level
auth:
router(config)#snmp-server engineGroup group1 user1
Configuring an SNMPv3 group:
z Router(config)#snmp-server group group-name v3 {noauth|authnopriv|authpriv} [notify notify-view] [read readview] [write write-view]
Syntax
Description
group-name
v3
noauth
authnopriv
authpriv
notify notify-view
read read-view
write write-view
The group name.

The security mode of the group is v3.
The security level of the group is no-authentication no-encryption.
The security level of the group is authentication no-encryption.
The security level of the group is authentication encryption.
Configure the notify-view of the group.
Configure the read-view of the group.
Configure the write-view of the group.
Note:
In the SNMPv3 group, map a group-name, security information and message type (read, write or notify) into a MIB
view. A given MIB view can determine whether a managed object does not permit of being accessed. At the same time,
several SNMPv3 users can be related to the group. The configuration of the group can strengthen the SNMPv3 access control.
For example:
Use the following command to configure a group: group namegroup1, security levelauthentication encryption,
notify-viewview3, read-viewview1, and write-viewview2.
Router(config)#snmp-server group group1 v3 authpriv read view1 write view2 notify view2
Configuring SNMPv3 user:
Router(config)snmp-server user user-name group-name [remote ip-address portnum] v3 [auth {md5|sha} password
[encrypt des password]]
Syntax
user-name
group-name
remote ip-address portnum
v3
auth {md5|sha} password
encrypt des password
Description
The username.
The name of the group the user belongs to.
The IP address of and port-number of the remote user.
The user security mode is v3.
Configure the user authentication protocol as MD5 or SHA, and specify
the password.
Configure the user encryption protocol as DES, and specify the password.
Note:
Configure an USM-based (User security mode) SNMPv3 user, and save the authentication and encryption information
of each user. Notice that the encryption protocol can not be configured until the authentication protocol is configured. For a
remote user (Remote is relative to the local SNMPv3 entity. If the local SNMPv3 entity wants to communicate with the
other entity, then the other entity is called remote SNMPv3 entity. This will be involved in Notify and Proxy. ), the IP
address and UDP port-number are still specified. When configuring the remote user, you must firstly configure the engineID
of the remote SNMP entity corresponding to the user. Moreover, each user must be corresponding to a group. Only in this
way can a security model and security name be mapped into a group name by means of the view-based control access
For example:
Use the following command to configure a user: the user nameuser1, corresponding group name-group1, security
levelauthentication encryption, authentication protocolMD5, password123456, encryption protocolDES,
password234567.
Router (config)# snmp-server user user1 group1 v3 auth md5 123456 encrypt des 234567
Use the following command to configure a remote user: the user nameuser2, IP address1.1.1.1, port-number162,
security levelauthentication encryption, authentication protocolSHA, password123456, encryption protocolDES,
password123456.
router(config)#snmp-server user user2 group1 remote 1.1.1.1 162 v3 auth sha 123456 encrypt des 123456
Configuring SNMPv3 Address Parameter:
z router(config)#snmp-server AddressParam address-name v3 user-name {noauth | authnopriv | authpriv}

Syntax
address-name
v3
user-name
noauth
authnopriv
authpriv
Description
The address name.
The message processing model v3 used for the generation of SNMP
messages.
The user name corresponding to the address parameter.
The security level is no-authentication no-encryption.
The security level is authentication no-encryption.
The security level is authentication encryption.
Note:
Some MIB tables have been defined in SNMPv3 so as to configure the destination to which the notify-message is sent.
The address parameter table defines the SNMP parameters that should be used when a message (notification) is generated.
For example:
Use the following command to configure the address parameter: parameter nameaddparam1, message processing
modelv3, the corresponding user name (also called security name)user1, security levelauthpriv.
router(config)#snmp-server AddressParam addparam1 v3 user1 authpriv
Configuring the destination address table:
z router(config)#snmp-server TargetAddress target-name ip-address port-num address-param taglist time-out retrynum
Syntax
Description
target-name
ip-address
port-num
address-param
taglist
time-out
retry-time
The address name.

The destination address.
The UDP port-number.
The address parameter name.
The tag list.
The timeout.
The times of retransmission.
Note:
The destination address table is used to specify the destination that is used when the SNMP message is generated.
(Notice that TargetAddress and AddrssParam can not be configured until the local SNMPv3 entity accesses the other
(remote) SNMPv3 entity). What you need know is: address-param is the address parameter name that has been configured in
the address parameter table; taglist, which can be configured with multiple values spaced by commas, is used to identify the
notify-message and forward messages to the other destination address.
For example:
Use the following command to configure the destination address table: the addressnametarget1, IP address1.1.1.1,
UDP port-number162, the corresponding address parameter nameaddparam1, the tag-tabletag1 and tag2, timeout2
seconds, try-time2.
router(config)#snmp-server TargetAddress target1 1.1.1.1 162 addparam1 tag1,tag2 2 2
Configuring notification:
z Use the following command to perform the configuration of SNMPv3: configure the notification parameter table,
notification filtering table and notification configuration table.
z router(config)#snmp-server notify ?
Command
Description
filter
notify
profile
Configure the filtering table of the notification.

Configure the notification parameter table.
Configure the notification configuration table.
Thereinto:
The notification parameter table is used to specify the destination address to which the notification message is sent.
Whether the notification message is sent to a destination address depends on whether the created filter contains the
destination address.
The notification filtering table has defined a filter that is used to determine whether the notification message is sent to the
destination address.
The notification configuration table is used to relate the foregoing address parameters to the notification parameter table.
About the detailed information about SNMPv3s fundamentals and functions, refer to the related data about the SNMP
protocol.
z router(config)#snmp-server notify notify notify-name taglist inform
Syntax
notify-name
taglist
inform
Description
The notification name, used to index the unique identification of the
notification table.
The tag value, corresponding to the tag list configured in the address table.
Specify the type of the notification message as inform.
Note:
In SNMPv3, the destination address need be specified when a notification is sent. Whether the notification message can
be sent to a destination address depends on whether the created filter contains the destination address. About the detailed
information about SNMPv3 notification, refer to the related technical manuals.
For example:
Use the following command to configure a notification message: the namenotify1, the tag-valuetag1.
router(config)#snmp-server notify notify notify1 tag1 inform
z router(config)#snmp-server notify notify filter-name oid-subtree {exclude|include}
Syntax
Description
filter-name
oid-subtree
exclude
include
The name of the notification filter

MIB sub-tree.
The object under the MIB sub-tree can not send notification message.
The object under the MIB sub-tree can send notification message.
Notice:
The notification filtering table has defined a filter that can determine whether a message can be sent to the destination
address.
For example:
Use the following command to configure a notification filter: the namefilter1, the MIB sub-tree1.3.6.1, the type
include.
router(config)#snmp-server notify filter filter1 1.3.6.1 include
z router(config)#snmp-server notify profile filter-name address-param
Syntax
Description
filter-name
address-param
The name of the notification filter

The address parameter name.
notice:
The notification configuration table is used to relate the address parameter table to the notification filtering table. If both
a notification filtering table and a notification configuration table are defined simultaneously, the SNMP proxy can detect the
object OID when sending a notification message. If the object OID is contained in the defined MIB sub-tree, the notification
message will be sent, or else, the message can not be sent.
For example:
Use the following command to configure the notification configuration table: the namefilter1, the address parameter
nameaddparam1.
router(config)#snmp-server notify profile filter1 addparam1
z router(config)#snmp-server proxy proxyname {inform | trap |read | write} engineId address-param target-addr
Syntax
Description
proxyname
{inform | trap |read | write}
engineId
address-param
target-addr
The forwarding configuration name.

The message property that need be matched.
The engine ID that need be matched.
The address parameter name that need be matched.
The destination address name for forwarding.
Note:
The goal of snmp proxy forwarding is to forward the SNMP request to other SNMP entity. To do it, it may be necessary
to convert one version to another version or convert one transmission domain to another transmission domain. Presently, the
SNMP on Maipu equipment can realize nothing but the v3-to-v3 forwarding, is mainly applied to the conversion from one
transmission domain to another transmission domain. Additionally, two message properties trap and inform in the table above
can not be supported.
For example:
Use the following command to configure a proxy forwarding item: the nameproxy1, the address parameter name
param1, the destination address nameaddr1, the engine1111, message propertyread.
router(config)#snmp-server proxy proxy1 read 1111 param1 addr1
z router(config)#snmp-server keepalive destination ip-addr
Syntax
Description
ip-addr
Configure the destination address of the sent keepalive message.
For example:
Use the following command to configure the destination addresses of two keepalive messages: 202.1.25.1 and
179.68.0.4:
router(config)#snmp-server keepalive destination 202.1.25.1
router(config)#snmp-server keepalive destination 179.68.0.4
z router(config)#snmp-server keepalive interface if-name
Syntax
Description
if-name
Configure the interface address carried by the sent keepalive message.
Note:
A keepalive message can carry only one interface address. If the interface address has not been configured, the address
of the interface fastethernet0 is carried by default. The keepalive message is used to maintain the SNMP proxy forwarding
table. For a configured proxy forwarding item, if no corresponding keepalive message is received in a period of time, the
proxy forwarding item will be discarded.
For example:
Use the following command to configure a keepalive message: carry the address of the interface ethernet0:
router(config)#snmp-server interface ethernet0
z router(config)#snmp-server keepalive interval { interval-time | default }
Syntax
Description
interval-time
Default
Configuring the interval of sending a keepalive message.

Adopt the default interval of sending a keepalive message: 10 seconds.
For example:
Use the following command to configure the interval of sending a keepalive message as 6 minutes.
router(config)#snmp-server keepalive interval 360
z router(config)#snmp-server notify interface interface-name [with {hostname | saId | engineId}]
Syntax
interface-name
Description
Configure the interface address that is carried by the sent keepalive
message.
{hostname | said | engineId}
Configure whether the host name, channel ID and engineID are carried by
the keepalive message.
Note:
The command is used to be compatible with the old version of keepalive messages that adopt the notify format. The
snmp-server keepalive series commands can be used to configure the new version of keepalive messages.
The command snmp-server host is used to determine the destination address of the keepalive message adopting the
notify format.
Said is the identification of the security alliance. About the detailed information about security alliance, refer to the
related IPSec technical documents.
For example:
Use the following command to configure a keepalive message: to carry the address of the interface ethernet0, engineID
and host name information.
router(config)#snmp-server notify interface ethernet0 with engineId hostname
z
z router(config)#snmp-server notify interval { interval-time | default }
Syntax
Description
interval-time
Default
Configure the interval of sending a keepalive message.

Adopt the default interval of sending a keepalive message: 10 seconds.
Note:
The command is used to be compatible with the old version of keepalive messages. The snmp-server keepalive series
commands can be used to configure the new version of keepalive messages.
The interval is independent of the value of the command snmp-server keepalive interval, and there exist no mutual
influence between them.
For example:
Use the following command to configure the sending interval of a keepalive message as 3 minutes:
router(config)#snmp-server notify interval 180
router#show snmp-server engineID
Note:
The command is used to display the engineID (including both remote engineID and local engineID ) that has been
configured on the router:
router#show snmp-server engineID
Local engine ID: 12345678
IPAddress: 1.1.1.1.0.162 remote engine ID: abcdef1234
The information above indicates that two engineIDs have been configured on the router: one is the local engineID and
another is the remote engineID.
router#show snmp-server group
Note:
The command is used to display the SNMP user group that has been configured on the router:
router#show snmp-server group
GroupName: group1 SecModel:v3,SecLevel:authpriv
Read
View: readview
Write
View: writeview
Notify
View: notifyview
A SNMP user group has been configured on the router, the group namegroup1, the security modelv3, the security
levelauthentication encryption, the read-viewreadview, the write-viewwriteview, and the notification view
notifyview.
router#show snmp-server user
Note:
The command is used to display the users that have been configured on the router:
router#show snmp-server user
SNMP User List:
User Name
SecLevel
Status
EngineID
===========================================================
user1
AuthPriv
active
12345678
user2
AuthPriv
active
abcdef1234
z
Two users have been configured on the router: the security levelauthentication encryption, the corresponding
engine ID12345678/ abcdef1234, which can indicate that the user1 is the local user and the user2 is the remote user.
z
z router#show snmp-server AddressParams
Note:
The command is used to display the address parameter table that has been configured on the router:
router#show snmp-server AddressParams
SNMP TargetAddressParam List:
ParamName
User Name
MP_model
SecurityModel
SecurityLevel
==================================================================
addparam1
user2
v3
USM
authpriv
z
Configure the address parameter on the router; the nameaddparam1, the corresponding useruseer2, the message
processing modev3, the security modelUSM, the security levelauthentication encryption.
z
z router#show snmp-server TargetAddress
Note:
The command is used to display the destination address table that has been configured on the router:
z
z router#show snmp-server TargetAddress
TargetAddressList:
===================================================
Name:
target1
Address:
1.1.1.1.0.162
ParamName: addparam1
TagList: tag1 tag2
TimeOut(sec) :2
RetryCount
:2
===================================================
z
A destination address item has been configured on the router: the nametarget1, the destination address1.1.1.1,
UDP port-number162, the tagliststag1 and tag2, the timeout2 seconds, try-timetwice.
z
z router#show snmp-server notify notify
Note:
The command is used to display the notification table configured on the router.
router#show snmp-server notify notify
SNMP Notify List:
Name
Tag
Type
========================================================
notify1
tag1
inform
z A notification table has been configured on the router: the namenotify1, the corresponding tagtag1, the message
typeinform
z router#show snmp-server notify filter
Note:
The command is used to display the notification filtering table configured on the router.
router#show snmp-server notify filter
SNMP Notify Filter List:
Name
FilterSubtree
Type
=============================================================
filter1
1.3.6.1
include
z
A notification filter table filter1 has been configured on the router, including all nodes under the MIB sub-tree
1.3.6.1.
z router#show snmp-server notify profile
Note:
The command is used to display the notification configuration table configured on the router.
router#show snmp-server notify profile
SNMP Notify Profile List:
Name
ParamName
Status
=============================================================
filter1
addparam1
Active
z
From the configuration above, you can know: the notification filter filter1 is related to the address parameter name
addparam1.
z router#show snmp-server engineGroup
Note:
The command is used to display the engine group configured on the router.
Snmp Debugging command :
Command
Debug snmp-server
Description
all
Debug all snmp, excluding response
Debug snmp-server groupget
Debug SCALAR variables GET
Debug snmp-server groupset
Debug SCALAR variables
debug snmp-server response
The response of last operation
Debug snmp-server tblgetnext
Debug TABULAR variables GETNEXT
Debug snmp-server tblset
Debug TABULAR variables SET
Debug snmp-server trap
Debug TRAP
SET
16.3 Remote Network Monitoring (RMON)

RMON instruction set is listed as follows:
Command
router(config)#rmon
Description
Activate the RMON
task.
router(config)#no rmon
Cancel the RMON

task.
router(config)#rmon alarm <1-65536> <OID> <1-65536> absolute/delta risingthreshold

<0-2147483647> <1-65536> fallingthreshold <0-2147483647> <1-65536>
router(config)#rmon event <1-65536> description word log <1-65536> owner <word>
trap <word>
Configure the RMON

alarm.
Configure the RMON
event.
The procedure to configure the remote monitoring RMON on the MP router is described as follows:
Step 1: Start the remote monitoring RMON.

router (config)#rmon < CR >
Step 2: Configure relative alarms and objects that are remotely monitored.
router(config)#rmon alarm <1-65536> <OID> <1-65536> absolute/delta risingthreshold <0-2147483647> <1-65536>
fallingthreshold <0-2147483647> <1-65536>
Note:
The parameter <1-65536> behind rmon alarm is the serial number of the alarm;
The parameter <OID> is the object that is remotely monitored (an index need be added behind the object oid). The
object can be represented with an oid sequence or an oid alias, and the following parameter <1-65536> is the time interval to
sample the value of the parameter <OID>
The parameter absolute/delta indicates that the type of sampling is of the absolute/relative value
The parameter <0-2147483647> behind the parameter risingthreshold is the rising threshold value, and the parameter
<1-65536> indicates the serial number of the event that arises when the rising threshold value is triggered (the default value
is 1)
The parameter <0-2147483647> behind the parameter fallingthreshold is the falling threshold value, and the parameter
<1-65536> indicates the serial number of the event that arises when the falling threshold value is triggered (the default value
is 1);
At present, the rmon has only realized monitoring the 10th 21st objects in the interface table (ifTable) of the standard
MIB. The object alias ifEntry of the interface table has been generated automatically in the OID table when the system starts
up. About some information about supporting OID variable, refer to the command router# show rmon alarm
supportVariable.
Step 3: Configure the action that will be implemented proportionally when the remote monitoring RMON is triggered.
router(config)#rmon event <1-65536> description word log <1-65536> owner <word> trap <word>
Note:
The parameter <1-65536> behind rmon event is the serial number of the event
The parameter word behind description is the description of the event. The parameter log <1-65536> and trap <word>
represents the event action. The parameter log indicates that the recording is implemented in the log; the parameter <165536> represents the maximal number of recordsThe parameter trap denotes the remote destination to which the trap
information is sent, and the parameter <word> denotes the community name.
The parameter owner <word> denotes the owner of the event.
An example of RMON Configuration
Remotely monitoring the OID object ifEntry.10 on the interface fastethernet0 of the router demands that the ifEntry.10
should be sampled one time every other 5 seconds (Suppose that the interface index of the interface f0 is 1, the object
instance is ifEntry.10). The rising threshold value and the falling threshold value are 5000 respectively. If the sampling result
triggers the threshold, then the trap message will be sent to the community public. At the same time, it will be recorded in
the log on the router (At most 100 records can be recorded.). The detailed configuration is described as follows:
router (config)#rmon
router (config)#rmon alarm 1 ifEntry.10.1 5 absolute risingthreshold 5000 1 fallingthreshold 5000 1
router (config)#rmon event 1 description Monitoring the number of bytes received on the interface f0
log 100 trap public

RMON debugging commands
The RMON command show is used to display the basic information:

Command
Description
router# show rmon event

router# show rmon alarm
router# show rmon alarm supportVariable
Display the information about the rmon event that has

been configured.
Display the information about the rmon alarm that has
been configured.
Examine the monitored objects that rmon supports
presently.
Note:
show rmon eventto display the information about the rmon event that has been set:
Output:
Event 1 is active, owned by config
Description : maipu
Event firing causes: log and trap, last fired at 00:25:17
Current log entries:
logIndex
logTime
Description
---------------------------------------------------------------4
00:12:27
Rising threshold crossing
5
00:23:26
6
00:23:36
7
00:23:46
8
00:23:56
9
00:24:07
10
00:24:27
11
00:24:47
12
00:25:07
13
00:25:17
Description :
Event firing causes: log, last fired at 00:00:00
Description :
Event firing causes: trap, last fired at 00:00:00
Description :
Event firing causes: nothing, last fired at 00:00:00
After the command has been executed, the result output includes:
The example has 4 rmon events that are identified with 1, 2, 5 and 6 respectively.
The event 1 triggers the event log and the snmp trap. The last event 1 happens after the system has been started for 25
minutes and 17 seconds. The relative log table can display the log index, the time the event happened and simple description
of events.
The event 2 and 5 trigger the event log and snmp trap respectively. At present, the two events havent happened.
The event 6 triggers nothing. At present, the event hasnt happened.
show rmon alarmto display the information about rmon alarm that has been set:
Output:
Alarm 1 is active, owned by config
Monitoring variable: ifEntry.10.1 ,
Taking samples type: delta,
Sample interval: 10 second(s)
last value was 6510
Rising threshold :
50,
assigned to event: 1
Falling threshold :
40,
last value was 156
Rising threshold :
1500,
Falling threshold :
500,
last value was 0
Rising threshold :
300,
Falling threshold :
200,
The example has configured 3 rmon alarms that are identified with 1, 2 and 4 respectively.
The alarm 1 monitors the object instance that is on the interface (whose the index is 1) and corresponding to the 10th object
of ifTable (The number of the total bytes received by the fast Ethernet interface, including the delimiter). The sampling
interval is 10 seconds and sampling type is the delta. The last sample value of the monitored object is 6510. When the sample
rises 50 or falls 40, the event 1 will be triggered (Setting it when configuring the rmon event).
The alarm 2 and alarm 4 respectively monitor the object instances that are on the interfaces (whose the indexes are 1 and 2)
and corresponding to the 10th and 16th objects of ifTable. And the corresponding sampling interval is 50 seconds and 30
seconds respectively. The corresponding triggered events are: alarm 2---- the rising event is the event 2 and the falling event
is the event 5, alarm 4----the rising event is the event 6 and the falling event is the event 1.
show rmon alarm supportVariableTo examine the information about the OID alias of the monitored
objects that are presently supported by rmon.
Output:
Currently support MIB object:
ifEntry.[10-21]
(NOTE:be sure to add the index after OID)

MIB-II interface table entry
At present, rmon has only realized monitoring the 10th 21st objects in the interface table of the standard MIB. The object
alias ifEntry of the interface table has been generated automatically in OID alias table when the system starts up.
16.3 Remote Network Monitoring (RMON)

RMON Instruction Set
Command
router(config)#rmon
router(config)#no rmon
router(config)#rmon alarm <1-65536> <OID> <1-65536>
absolute/delta risingthreshold <0-2147483647> <165536> fallingthreshold <0-2147483647> <1-65536>
router(config)#rmon event <1-65536> description word
log <1-65536> owner <word> trap <word>
Description
Activates the RMON task.
Cancels the RMON task.
Configures the RMON alarm information.
Configures the RMON event information.
Introducing the RMON router configuration:

Step One: Start RMON by inputting:
router (config)#rmon < CR >
Step Two: Configure the objects that must be remotely monitored by inputting:
router(config)#rmon alarm <1-65536> <OID> <1-65536> absolute/delta risingthreshold <0-2147483647> <1-65536>
fallingthreshold <0-2147483647> <1-65536>
Notes About Step Two:
1) The first <1-65536> parameter (after rmon alarm) is the serial number of the alarm.
2) The <OID> parameter is the object ID that is remotely monitored.
interval parameter that samples the <OID> parameter.
The following <1-65536> value is the time
3) Absolute/delta indicates the absolute/relative value.

4) <0-2147483647> after the risingthreshold parameter refers to the rising threshold value, while <1-65536> indicates
the events serial number needed when the rising threshold value is triggered.
5) <0-2147483647> after the fallingthreshold parameter refers to the falling threshold value, while <1-65536>
indicates the events serial number needed when the falling threshold value is triggered.
Presently, rmon monitors the 10th to 21st objects in the standard MIB interface table. The object alias ifEntry will be
generated automatically in OID table when the system starts.
The following command can output information about the supported OID variable:
router# show rmon alarm supportVariable.
Step Three: Configure the operation when RMON remote monitoring is triggered.
Input:
router(config)#rmon event <1-65536> description word log <1-65536> owner <word> trap <word>
Notes About Step Three:
1) The <1-65536> parameter (after rmon event) refers to the events serial number.
2) The parameter word after description describes the event. Log <1-65536> and trap <word> indicate the events
content: the former refers to the log record and the latter indicates the remote destination where the trap information
is being sent.
3) Owner <word> indicates the owner of the event.
RMON Configuration Example:
Remotely monitor the OID variable ifEntry.10 on the router by demanding that it should be sampled once every five
seconds. The rising and falling threshold values are both 5,000. If the sampled result triggers the threshold, then the trap
information will be sent to public. At the same time, this activity will be recorded in the routers log.
To start the configuration, input:
router (config)#rmon <cr>
router (config)#rmon alarm 1 ifEntry.10 5 absolute risingthreshold 5000 1 fallingthreshold 5000 1 <cr>
router (config)#romon event 1 description monitoring the variable ifEntry log 1000 trap public
Debugging RMON Commands:
The RMON show command displays the basic information:
Command
Description
Displays configured rmon event data.
Displays configured rmon alarm data.
router# show rmon alarm supportVariable
Examines the OID alias data of RMONs monitored objects.
To display information about the RMON event, input router # show rmon event.
Output:
Description: Maipu
Event firing causes: log and trap, last fired at 00:25:17
Current log entries:
logIndex
logTime
Description
---------------------------------------------------------------4
00:12:27
00:23:26
00:23:36
00:23:46
00:23:56
00:24:07
10
00:24:27
11
00:24:47
12
00:25:07
13
00:25:17
Description:
Event firing causes: log, last fired at 00:00:00
Description:
Event firing causes: trap, last fired at 00:00:00
Description:
Event firing causes: nothing, last fired at 00:00:00
Notes:
1) The example has 4 rmon events, respectively identified by 1, 2, 5 and 6.
2) Event 1 triggers the log and the SNMP alarm. The relative log table can display the log index, the time the event
happened and a simple description of events. (The last Event 1 happened after the system had been active for 25
minutes and 17 seconds.)
3) Event 2 and 5 triggers the event log and SNMP alarm respectively.
triggered.)
4) Event 6 triggers nothing.
To display data about the set rmon alarm, input router# show rmon alarm
Output:
Monitoring variable: ifEntry.10.1, Sample interval: 10 second(s)
Taking samples type: delta, last value was 6510
Rising threshold: 50, assigned to event: 1
Falling threshold: 40, assigned to event: 1


(In the example, these things havent been

Notes:
1)
The preceding example has configured 3 rmon alarms, respectively identified by 1, 2 and 4.
2)
Alarm 1 monitors the 10th object whose interface table index is 1 (ie. the total amount of bytes received by the
Ethernet interface, including the delimiter). The sampling interval is 10 seconds and sampling type is delta. The
last sample value of the monitored object is 6,510. When the sample rises above 50 or falls below 40, event 1 will
be triggered (ie. the configuration of the RMON event).
3)
Alarm 2 and Alarm 4 monitors interfaces 15 and 16, whose interface index is respectively 1 and 2. The
corresponding sampling interval is respectively 50 seconds and 30 seconds. The corresponding triggered events are:
Alarm 2 (ie. the rising event is Event 2 and the falling event is Event 5) and Alarm 4 (ie. the rising event is Event 6
and falling event is Event 1.)
To examine the OID alias data of the monitored objects presently supported by rmon, input:
show rmon alarm supportVariable
Output:
Currently support MIB object:
ifEntry.[10-21]
(NOTE: be sure to add the index after OID)

MIB-II interface table entry
Note: Rmon is only set up to monitor the 10th to 21st objects in the standard MIB interface table.
table object alias will generate automatically in the OID table when the system restarts.
The ifEntry interface
Chapter 17 SNTP Configuration

Simple Network Time Protocol (SNTP) is a TCP/IP protocol that is used to distribute the exact time within the whole
network, and it mainly solves the problem to keep the clocks of all the routers within the network synchronous. All Maipu
routers have their own system clocks and can save the current date and time.
Relevant commands to configure SNTP
An example of SNTP configuration
Checking and debugging SNTP
Configuring the time zone
17.1 Relevant commands to configure SNTP
sntp server
This command can be used to configure the name or IP address of the used SNTP server, and the form no of this command
can be used to remove the configured SNTP server.
sntp server ip-address
no sntp server
Syntax
Description
ip-address
The IP address of the SNTP server that the client uses.
DefaultNo SNTP server is configured.

sntp broadcast
This command can be used to control whether the SNTP client receives NTP/SNTP broadcast packet.
sntp broadcast {enable|disable}
DefaultThe default is DISABLE.
sntp interval
This command can be used to control the interval between two SNTP requirement packets, and the form no of the command
can be used to reset the default value.
sntp interval time-value
Syntax
time-value
Description
The value of the interval between two SNTP request packets, and its value range is
between 60s and 3600s.
DefaultThe default value is 60 seconds.

sntp timeout
This command can be used to control the interval for the client-side to wait the server response after it sends a request, and
the form no of the command is used to reset the default value.
sntp timeout time-value
Syntax
time-value
Description
The value of the interval for the client to wait the server response after it sends a
request, and its value range is between 300s and 600s.
DefaultThe default value is 300 seconds.

17.2 An Example of SNTP Configuration
As shown in the following figure, CISCO router serves as the NTP server.
Ethern
Configuring under the CONFIG mode of the Maipu router:

Command
Router(config)# sntp server 129.255.6.88
17.3
Task
Configure the IP address of the NTP server with
129.255.6.88.
Checking and Debugging SNTP
debug sntp
This command is used to open the switch of SNTP debugging information. The form no of the command is used to close the
SNTP debugging function.
show sntp statu
This command is used to display the SNTP packets that update the system time.
show sntp status
show clock
This command is used to display the system time.
Command modeThe common user mode./ The privilege user mode
service timestamps debug datetime localtime msec show-timezone
In DEBUG information, this command is used to display the current time in the local time format and the
time zone information, accurate to an extent of the millisecond.
service timestamps log datetime localtime msec show-timezone
In the log, this command is used to display the current time in the local time format and the time zone
information, accurate to an extent of the millisecond.
17.4
Configuring the Time Zone
clock timezone
This command is used to switch the Universal Time Coordinated (UTC) in the displayed information into the time of the
configured time zone.
clock timezone timezone-name hour-offset minute-offset
Syntax
Timezone-name
Hour-offset
minute-offset
Description
The time zone name.
The hour offset relative to UTC time, and its value range is
between 23 and 23.
The minute offset relative to UTC time, and its value range
is between 0 and 59.
DefaultThe default value is the Universal Time Coordinated (UTC).

17.5
An Example of Time Zone Configuration
As shown in the following figure, the Chengdu time zone is configured on the Maipu router that serves as the SNTP
CLIENT, and its hour offset relative to UTC standard time on the SNTP server is 9.
Ethernet
Command
Router(config)# clock timezone chengdu 9
Task
Configure the hour offset relative to UTC standard time with
9.
Chapter 18
Multicast Route Configuration
This chapter mainly introduces the core multicast packet forwarding on a router, IGMP application and the selection of
multicast routes.
Main contents of this chapter are as follows:
Configuring IGMP
Configuring PIM-SM
18.1
Configure IGMP
IGMP (Internet Group Management Protocol) is one of the TCP/IP protocol family that answers for managing the IP
multicast members, and it is mainly used to create and maintain the multicast membership between an IP host and multicast
routers that connect with it directly.
Currently, the IGMP Version 2 is adopted popularly, and it specifies three types of packets: Membership Query packet,
Membership Report packet and Leave Group packet.
Membership-query packet:
According to the different addresses, Membership-query packets are divided into general-query packets (by which the
router can know what members there are in the direct network, with the destination group address being 224.0.0.1) and
group-specific-query packets (by which the router can knows whether there is a specific group member in the direct network,
with the destination group address being 0 or a valid multicast group address).
Membership-report packet:
When receiving a membership-query packet, the host identifies the group on the interface that sends this query packet, and
sets a Host Group Delay timer for each member group. When this timer expires, the host sends a membership-report packet
to this router. When this router receives the packet, it adds this group into the local group member list in the network at which
this group is located, and enables the Group Membership Interval timer. If the router still doesnt receive any membershipreport packet when the maximal query response timer expires, then this indicates that there is no local group member in the
network, and the router neednt forward the received multicast packets to the network with which it connects.
Leave-group packet:
IGMP Version 2 allows a host to send a leave-group packet (with the destination group address 224.0.0.2) to all routers
when it leaves a multicast group.
IGMP is unsymmetrical between the host and the router. For the host side, it needs to respond the IGMP query packet of
the multicast router with a membership-report packet; for the router side, it needs to send general-query packets periodically,
and then to determine what members there are in the network at which the router itself is located according to the received
response packets. Subsequently, when receiving the leave-group packet of the host, the router sends a specific-member-query
packet to determine whether there exists no member in a specific group.
Main contents of this chapter are as follows:
Descriptions of commands to configure IGMP
An example of IGMP configuration
Monitoring and debugging IGMP
18.1.1
Descriptions of commands to configure IGMP
ip igmp join-group
This command is used to configure the router interface to be a multicast group member. The form no of this command is
used to delete the router interface from the group membership.
ip igmp join-group groups-address
no ip igmp join-group groups-address
Syntax
groups-address
Description
Groups-address is the group address to be added into the
multicast group.
DefaultInvalid.
ip igmp query-interval
This command is used to configure the interval for the router to send IGMP query packets. The form no of this command
is used to reset the default value of the interval for the router to send IGMP query packets.
ip igmp query-interval seconds
no ip igmp query-interval
Syntax
Seconds
Description
The interval to send IGMP query packets, and its value range is between 1
and 65535.
DefaultThe default value of the interval for the router to send IGMP query packets is 60 seconds.
ip multicast-routing
This command is used to enable the multicast routing. The form no of this command is used to disable the multicast
routing.
no ip multicast-routing
DefaultDisables the multicast routing.
18.1.2
An Example of IGMP Configuration
The example is illustrated as the following figure:

Source (group 224.1.1.23)
Video camera
Video
terminal
Illustration:
The interface s0/1 22.1.1.1of the local router router1 adopts the PPP protocol to connect with the interface s1/1
22.1.1.2of the opposite-end router router2. The local server129.255.94.76serves as the source the multicast group
224.1.1.23, in which a member (namely a video terminal) connects with the opposite-end router. In fact, the opposite-end can
simultaneously serve as both a multicast source and a video terminal; similarly, the local-end can also serve as a video
terminal.
o
The relevant configurations of router1 / router2 are as follows:

Command
Task
router1(config)#ip multicastrouting
Enable the multicast routing protocol.
255.255.255.0
router1(config-if-serial0/1)#ip pim sparse-mode
router1(config-if-serial0/1)#ip igmp join-group
224.1.1.23
router1(config-if-serial0/1)#ip igmp query-interval 30
This command is used to configure the multicast

routing protocol, also used for all interfaces that forward
multicast.
This command is used to add the local router into
the multicast group 224.1.1.23, but it is not necessary,
and usually used for debugging.
Modify the default IGMP query interval to be 30
seconds.
router1(config-if-serial0/1)# interface f0
router1(config-if-fastethernet0)#ip address
129.255.22.253 255.255.0.0
router1(config-if-fastethernet0)#ip pim sparse-mode

routing protocol, and also used for all interfaces that
forward multicast.
router1(config-if-fastethernet0)#exit
router1(config)#ip pim rp-candidate s0/1
Configure multicast RP proxy.
router1(config)#ip pim bsr-candidate s0/1
Configure multicast BSP proxy.
router2#conf t
router2(config)#ip multicastrouting
Enable the multicast routing.
255.255.255.0
router2(config-if-serial1/1)#ip pim sparse-mode

forward multicast.
router2(config-if-serial1/1)#interface f0
router2(config-if-fastethernet0)#ip address 130.255.1.1
255.255.0.0
router2(config-if-fastethernet0)#ip pim sparse-mode

forward multicast.
router2(config-if-fastethernet0)#exit
Notice:
Please implement the configuration strictly according to the Configuration Manual.
What is discussed here is about the command enable multicast routing and the relevant IGMP management configuration.
For the detailed configuration of the multicast communication, please go on referring to the following sections.
18.1.3
Monitoring and Debugging IGMP
show ip igmp groups

This command is used to display the state of multicast group members, which are gotten from the IGMP information, in
the direct network.
show ip igmp groups
show ip igmp interface
This command is used to display the IGMP interface information.
show ip igmp interface
show ip igmp stat
This command is used to display the status information of IGMP packets.

show ip igmp stat
debug ip igmp
This command is used to display the IGMP DEBUG information, including IGMP sending/receiving packets, and
adding/deleting group members.
debug ip igmp
18.2
Configure PIM-SM
PIM-SMProtocol Independent Multicast, Sparse Modeapplies to the following situations mainly:

Group members are relatively dispersive and their range is relatively broad.
The network bandwidth resource is relatively limited.
Being independent of any specific unicast routing protocol, PIM-SM supposes that all routers cannot send any multicast
packet to multicast groups unless there exist transmitted explicit requests. Through setting RP (Rendezvous Point) and
leading the router BSR (Bootstrap Router) to announce the multicast information to all PIM-SM routers, and through letting
routers be added into or leave a multicast group explicitly, PIM-SM reduces the network bandwidth occupied by data packets
and control packets. The PIM-SM constructs a sharing RPT (RP Path Tree) whose root is a RP, so that multicast packets can
be transmitted along the RPT. When a host is added into a multicast group, the router, which directly connects with the host,
sends a PIM-addition packet to the RP; while the first hop router of the sender registers the sender onto the RP; and the DR
(Specified Router) of the receiver adds the receiver into the sharing RPT. Using RPT with a RP serving as its root to forward
packets can not only reduce much protocol statuses that need be maintained by the router and the processing cost of the
router, and but also enhance the flexibility of protocols. The data can be switched from RPT to the resource-based SPT
(Shortest Path Tree), so as to reduce the network delay.
Descriptions of Commands to Configure PIM-SM
An Example of PIM-SM Configuration
Monitoring and Debugging PIM-SM
18.2.1
Descriptions of Commands to Configure PIM-SM
ip pim bsr-border
This command is used to configure the PIM area border. The form no of this command is used to delete the PIM area
border.
ip pim bsr-border
no ip pim bsr-border
DefaultNo PIM area border is configured.
Usage guideWhen the PIM area border is configured, the PIM bootstrap message except other PIM messages can not
traverse the area border.
ip pim bsr-candidate
This command is used to configure an interface to be a candidate BSR. The form no of this command is used to cancel the
interface to be a candidate BSR.
ip pim bsr-candidate interface [hash-mask-length
no ip pim bsr-candidate
priority]
Syntax
Description
interface
Configure the BSR interface name.
hash-mask-length
This is the length of the match mask in HASH algorithm, and its value range is
between 0 and 32. The larger the length is, the littler the C-BSR discreteness is; the little
the length is, the larger the C-BSR discreteness is.
This is the priority of the candidate BSR, and its value range is between 0 and 255.
The candidate BSR with larger priority is selected as the final BSR; if having an equal
priority, the router with a larger IP address is selected as the final BSR.
priority
DefaultThe hash-mask-length value is 0and the priority default value is 0.


Note:
In a PIM-SM area, there must exist a solitary BSR (Bootstrap Router), which answers for gathering and distributing RP
information. Through the bootstrap message, multiple candidate bootstrap routers vote and create a solitary acknowledged
BSR. Before getting this information, C-BSR considers itself as the BSR, and periodically sends the bootstrap message, which
contains the BSR address and corresponding priority, in the PIM-SM area with the multicast address 224.0.0.13. Depending
on the BSR address and BSR priority, the BSR can be voted. Generally, the candidate BSR with larger priority is selected as
the BSR; if having an equal priority, the router with a larger IP address is selected as the BSR.
ip pim query-interval
This command is used to configure the interval for the interface to send a PIM Hello packet. The form no of this command
is used to reset the default value of the interval for the interface to send a PIM Hello packet.
ip pim query-interval seconds
no ip pim query-interval
Syntax
Description
seconds
This is the interval for the interface to send PIM Hello packet, and its
value range is between 1s and 65535s.
DefaultThe interval is 30 seconds.

ip pim rp-candidate
This command is used to configure an interface to be a candidate RP. The form no of this command is used to cancel the
interface to be a candidate RP.
ip pim rp-candidate
no ip pim rp-candidate
interface [group-list access-list-number]

interface
Syntax
Description
interface
This is the interface that is configured as a candidate RP.
access-list-number
This is the standard IP access list number, and its value range is between 1 and
1000. And the range is also the service range of the announced RP.
DefaultIf this command is not followed by the parameter group-list, then it indicates that this RP is the candidate RP
for all groups.

Note:
In PIM-SM protocol, the sharing RPT (RP Path Tree) that is created by the route multicast data contains one root (one
rendezvous point) and multiple leaves (multiple group members). The RP is voted through BSR selection. After the BSR is
generated, all C-RPs (Candidate RP) unicasts C-RP messages to the BSR periodically,, and then the BSR diffuse these
messages to the entire PIM area.
It is suggested that the C-RP of the corresponding multicast group should be as close to the corresponding multicast
source as possible when it is configured.
ip pim sparse-mode
This command is used to enable PIM-SM protocol on the interface, simultaneously, to enable IGMP protocol (of the router
version) on the interface if it is not enabled yet. The form no of this command is used to disable PIM-SM protocol on the
interface.
ip pim sparse-mode
no ip pim sparse-mode
Default PIM-SM is disabled on an interface.
18.2.2
An PIM-SM Configuration Example
The example is illustrated as the following figure:
Video terminal A
Source A (group 230.1.1.1)
Video camera A
Frame relay
Source B (group 224.1.1.2)
Video terminal B
Source C (group 224.2.2.3)

Video terminal C
Video camera C
Illustration:
The interface s2/0 22.1.1.1of Router A adopts PPP protocol to connect with the interface s0/022.1.1.2of the
opposite-end Router. The interface s3/0 22.2.2.1of the Router B adopts the frame-delay to connect with the interface
s0/022.2.2.2of the opposite-end Router C. The three routers connect respectively with different multicast group sources,
which serve as the receiving-ends simultaneously.
o The router A configuration is as follows:
Command
routerA#configure terminal
routerA(config)#ip multicastrouting
routerA(config)#interface s2/0
routerA(config-if-serial2/0)#physical-layer sync
routerA(config-if-serial2/0)#clock rate 1800000
routerA(config-if-serial2/0)#encapsulation ppp
routerA(config-if-serial2/0)#ip address 22.1.1.1 255.255.255.0
routerA(config-if-serial2/0)#ip pim sparse-mode
routerA(config-if-serial2/0)#interface f0
routerA(config-if-fastethernet0)#ip address 80.255.22.253 255.255.0.0
routerA(config-if-fastethernet0)#ip pim sparse-mode
Task
This command is used to configure the

multicast routing protocol, and used for all
interfaces that forward multicasts.
This command is used to configure the
multicast routing protocol, and used for all

interfaces that forward multicasts.
routerA(config-if-fastethernet0)#exit
routerA(config)#ip access-list standard 1
routerA(config-std-nacl)#permit host 230.1.1.1
routerA(config-std-nacl)#exit
routerA(config)#ip pim rp-candidate fastethernet0 group-list 1
routerA(config)#ip pim bsr-candidate s2/0
routerA(config)#router ospf 1
routerA(config-ospf)#network 22.1.1.0 0.0.0.255 area 5
routerA(config-ospf)#network 80.255.0 0.0.255.255 area 5
Configure the standard access list.

Configure the usage range of the access list.
Configure the RP proxy of the specified
group.
Configure the multicast BSR proxy.
o The router B configuration is as follows:

Command
routerB(config)# configure terminal
Task
routerB(config)#ip multicastrouting
routerB(config)#frame-relay switching
routerB(config)#interface s0/0
routerB(config-if-serial0/0)#physical-layer sync
sync
routerB(config-if-serial0/0)#encapsulation ppp
routerB(config-if-serial0/0)#ip address 22.1.1.2
255.255.255.0
routerB(config-if-serial0/0)#ip pim sparse-mode
This command is used configure the multicast

routing protocol, and used for all interfaces that
forward multicasts.
routerB(config-if-serial0/0)#interface f0
routerB(config-if-fastethernet0)#ip address 129.255.22.253
255.255.0.0
routerB(config-if-fastethernet0)#ip pim sparse-mode

forward multicasts.
routerB(config-if-fastethernet0)#interface serial3/0
routerB(config-if-serial3/0)#clock rate 2000000
routerB(config-if-serial3/0)#ip address 22.2.2.1
255.255.255.0
routerB(config-if-serial3/0)#ip pim sparse-mode
routerB(config-if-serial3/0)#encapsulation frame-relay
routerB(config-if-serial3/0)#frame-relay intf-type dce
routerB(config-if-serial3/0)#frame-relay interface-dlci 100
routerB(config-if-serial3/0)#frame-relay map ip 22.2.2.2 100
broadcast
routerB(config-if-serial3/0)#exit
routerB(config)#ip access-list standard 1
Configure the standard access list.
routerB(config-std-nacl)#permit host 224.1.1.2
routerB(config-std-nacl)#exit
routerB(config)#ip pim rp-candidate fastethernet0 group-list
Configure the RP proxy of a specific group.
1
routerB(config)#router ospf 1
routerB(config-ospf)#network 22.0.0.0 0.255.255.255 area 5
routerB(config-ospf)#network 129.255.0.0 0.0.255.255.255
area 5
o The Router C is configured as follows:
Enable the OSFP on interfaces s0/0 and s3/0..

Enable the OSFP on the interface f0.
Command
routerC(config)# configure terminal
Task
routerC(config)#ip multicast-routing
routerC(config)#int s0/0
routerC(config-if-serial0/0)#ip address 22.2.2.2
255.255.255.0
routerC(config-if-serial0/0)#ip pim sparse-mode

forward multicasts.
routerC(config-if-serial0/0)#encapsulation frame-relay
routerC(config-if-serial0/0)#frame-relay intf-type dte
routerC(config-if-serial0/0)#frame-relay interface-dlci 100
routerC(config-if-serial0/0)#frame-relay map ip 22.2.2.1
100 broadcast
routerC(config-if-serial0/0)#interface f0
routerC(config-if-fastethernet0)#ip address 94.255.22.33
255.255.0.0
routerC(config-if-fastethernet0)#ip pim sparse-mode

forward multicasts.
routerC(config-if-fastethernet0)#exit
routerC(config)#ip access-list standard 1
routerC(config-std-nacl)#permit host 224.2.2.3
routerC(config-std-nacl)#exit
routerC(config)#ip pim rp-candidate f0 group-list 1
Configure the RP proxy of a specific group.
routerC(config)#router ospf 1
routerC(config-ospf)#network 22.2.2.0 0.0.0.255 area 5
routerC(config-ospf)#network 94.255.0.0 0.0.255.255 area 5
Note:
What is discussed here is the basic configuration specification for multicast communication. Multicast also supports other
link layer protocols and dynamic routing protocols. Their configurations arent described here.
18.2.3
Monitoring and Debugging PIM-SM
show ip mcache
This command is used to display the cache information of the core multicast route.
show ip mcache
show ip mroute
This command is used to display the information about a PIM multicast route list.
show ip mroute
show ip pim bsr
This command is used to display the information about the PIM bootstrap router.
show ip pim bsr
show ip pim interface
This command is used to display the information about the PIM interface.
show ip pim interface
show ip pim neighbor
This command is used to display the information about PIM neighbors.
show ip pim neighbor
show ip pim rp
This command is used to display the information about the PIM RP (Rendezvous Point).
show ip pim rp
18.3 Configuring DVMRP

Distance Vector Multicast Routing Protocol (DVMRP), the first multicast routing protocol applied popularly, is based on RIP
protocol and expands the functions supporting multicast. DVMRP protocol firstly sends probe messages to discover
neighbors, then, performs the unicast path search and determines the dependency relationship of upstream and downstream
by means of route exchange.
DVMRP adopts the reverse-path-multicast (RPM) algorithm for multicast forwarding. When sending multicast packets
firstly, the multicast source adopts the truncated RPM algorithm to forward multicast packets down along the source
multicast distribution tree. When a leaf router does not need the multicast data packet any more, the router sends the prune
message to the multicast source, and the multicast distribution tree is pruned so that the needless traffic can be removed.
After the upstream receives the prune message, the interface receiving the message is set as the prune status and data
forwarding is stopped, the prune status is related with the timeout timer. When the timer expires, the prune status will be
changed into the forwarding status and the multicast data packet will be distributed along these branches again. Additionally,
when there appears a multicast member in the prune area, in order to reduce the response time, the downstream forwardly
sends a graft packet, instead of waiting until the upstream prune status expires, so that the prune status can be changed into
the forwarding status. Obviously, DVMRP is a multicast route table that is established because of data triggering, the
procedure of establishing a route tree can be summarized with Broadcast and Prune, and the forwarding feature can also be
summarized as passive receiving and initiative exist.
Additionally, when there exist two or more multicast routers in the multi-access network, packets may be forwarded
repeatedly in the network. To avoid it, DVMRP selects a unique forwarding router for each source in the multi-access
network.
DVMRP has the following features:
Based on the establishment of distance vector;
Periodical route upgrade(per 60 seconds)
Upper limit=32 hops(16 hops for RIP)
Reserve restraint has special meaning
Untyped. The route upgrade includes the mask information.

Related descriptions of DVMRP configuration commands
An example of DVMRP configuration
DVMRP monitoring and debugging
18.3.1 Related Descriptions of DVMRP Configuration Commands
Use the command above to enable the multicast on a router.
no ip multicast-routing
By defaultNo multicast is enabled.
ip dvmrp
Use the command above to enable the DVMRP on an interface;
ip dvmrp
no ip dvmrp
By defaultNo DVMRP is disabled.
Note:
A router can enable nothing but one kind of multicast routing protocol. Before DVMRP protocol is enabled, the
configuration of other multicast protocols need be deleted.
18.3.2 An Example of DVMRP Configuration
The example is displayed as the following figure:
S1/0
Ethernet
Ethernet
S2/1
Router1
Router2
Pc1
Pc2
Illustration:
As shown in figure above, the interface s1/0 of router1 connects to the interface s1/2 of router2 by means of PPP protocol. At
the same time, the Ethernet interfaces of the two routers connects with two PCs that can serve as the multicast source or
multicast receiving-end
Router1 is configured as follows.:
R
Syntax
router1 (config)#ip multicastrouting
router1 (config)# interface fastethernet0
router1 (config-if-fastethernet0)# ip address
131.255.127.3 255.255.0.0
router1 (config-if-fastethernet0)# ip dvmrp
router1 (config-if-fastethernet0)# interface

serial1/0
router1 (config-if-serial1/0)# physical-layer sync
router1 (config-if-serial1/0)#encapsulation ppp
router1 (config-if-serial1/0)# ip address 8.0.0.1
255.0.0.0
router1 (config-if-serial1/0)# ip dvmrp
router1 (config-if-serial1/0)# exit
Descriptions
outer2
is
config
ured
Configure the multicast routing protocol

DVMRP.
The command can be applied to all
interfaces forwarding multicast packets.

DVMRP.
The command can be applied to all
interfaces forwarding multicast packets.
as
follow
s.:
Syntax
Router2(config)#ip multicastrouting
Router2(config)# interface fastethernet0
Router2(config-if-fastethernet0)# ip address
151.255.127.6 255.255.0.0
Router2(config-if-fastethernet0)# ip dvmrp
Router2(config-if-fastethernet0)# interface
serial2/1
Router2(config-if-serial2/1)# physical-layer sync
Router2(config-if-serial2/1)#clock rate 2000000
Router2(config-if-serial2/1)#encapsulation ppp
Router2(config-if-serial2/1)# ip address 8.0.0.26
255.0.0.0
Router2(config-if-serial2/1)# ip dvmrp
Descriptions

DVMRP.
The command can be applied to all interfaces
forwarding multicast packets.

DVMRP.
The command can be applied to all interfaces
forwarding multicast packets.
Router2(config-if-serial2/1)# exit
ption of multicast communication. The multicast can also support other link-layer protocols, and corresponding
examples are not listed here.
18.3.3 DVMRP Monitoring and Debugging
show ip dvmrp interface
Use the command above to display the information about DVMRP interface.
show ip dvmrp interface
show ip dvmrp neighbor
Use the command above to display the information about DVMRP neighbors.
show ip dvmrp neighbor
show ip dvmrp route
Use the command above to display the information about DVMRP route.
show ip dvmrp route
debug ip dvmrp all
Use the command above to display all DEBUG information about DVMRP.
debug ip dvmrp all
debug ip dvmrp cache
Use the command above to display the DEBUG information about DVMRP core cache.
debug ip dvmrp cache
debug ip dvmrp member
Use the command above to display the DEBUG information about DVMRP member joining-in/leaving.
debug ip dvmrp member
debug ip dvmrp packet
Use the command above to display the DEBUG information about DVMRP packets.

Notice
T
he
routin
g
protoc
ol
need
not be
config
ured
for
DVM
RP.
H
ere is
the
basic
config
uration
descri
debug ip dvmrp packet

debug ip dvmrp peer
Use the command above to display the DEBUG information about DVMRP neighbor event.
debug ip dvmrp peer
debug ip dvmrp prune
Use the command above to display the DEBUG information about DVMRP prune.
debug ip dvmrp prune
debug ip dvmrp route
Use the command above to display the DEBUG information about DVMRP route.
debug ip dvmrp route
Chapter 19 AAA Configuration

This chapter mainly describes how to configure AAA (Authentication, Authorization and Accounting) on the router. AAA
is the abbreviation of Authentication, Authorization and Accounting. As a client program that runs on the network access
server (NAS), it provides a consistent framework for you to configure the three security functions, Authentication,
Authorization and Accounting.
Command descriptions of configuring the relevant AAA;
An example of AAA configuration;
Debugging AAA
19.1
Descriptions of Command Relevant with AAA
aaa new-mode
This command is used to enable AAA on the router. The form no of the command is used to close AAA function.
aaa new-model
no aaa new-model
DefaultDisable AAA.
aaa authentication banner
This command is used to modify the displayed welcome information when you login on a router. The form no of the
command is used to reset the default welcome information.
aaa authentication banner banner
no aaa authentication banner
Syntax
banner
Description
This is the welcome information displayed on the
screen when you log in the router.
DefaultThe default welcome information is User Access Verification.

aaa authentication fail-message
This command is used to modify the caution information when you fail to login on the router. The form no of the command
is used to reset the default caution information.
aaa authentication fail-message fail-message
no aaa authentication fail-message
Syntax
fail-message
Description
This is the caution information when you fail to login
on the router.
DefaultThe default caution information is Access denied!.

aaa authentication username-prompt
This command is used to modify the displayed text that is used to prompt you to input user name. The form no of this
command is used to reset the default-displayed text.
aaa authentication username-prompt username-prompt
no aaa authentication username-prompt
Syntax
username-prompt
Description
The displayed text when you are cautioned to input
your user name.
DefaultThe default displayed text is login:.

aaa authentication password-prompt
This command is used to modify the displayed text when you are cautioned to input your passport. The form no of this
command is used to reset the default-displayed text.
aaa authentication password-prompt password-prompt
no aaa authentication password-prompt

Syntax
Description
password-prompt
The displayed text when you are cautioned to input

your passport.
DefaultThe default displayed text is passport:.

aaa authentication login
This command is used to configure the login identity authentication method list. The form no of this command is used to
delete the method list.
aaa authentication login {default|list-name} method1[method2]
no aaa authentication login {default|list-name}
Syntax
Description
default
Define the default method list.
list-name
This is the method list name.
method
Authentication methods:
None: Pass directly without authenticating the identity,.
Enable: Use the valid passport to authenticate the identity (the global
enable passport).
Local: Use the local user database to authenticate the identity.
Line: Use the line passport to authenticate the identity.
Radius: Use RADIUS to authenticate the identity.
Tacacs: Use TACACS to authenticate the identity.
DefaultNo authentication method list is defined.


Note:
Cooperating with the command login authentication in line mode, the method list can be used to authenticate the login
identities for some lines.
The default method list applies to all the interfaces and lines (except the interfaces or lines that are defined explicitly and
referred to) automatically.
aaa authentication enable
This command is used to configure the identity authentication method list for you to enter the privilege user mode. The form
no of this command is used to deletes the method list.
aaa authentication enable default method1[method2]
no aaa authentication enable default
Syntax
Description
default
Define the default method list.
method
None: Pass directly without authenticating the identity,
Enable: Use the valid passport to authenticate the identity (the user enable passport or
the global enable passport).
Line: Use the line passport to authenticate the identity.
TacacsUse TACACS to authenticate the identity.


Note:
When using the radius authentication method, you should use the passport of the user $enab15$ (need to be set on the radius
server) as the authentication passport.
aaa authentication ppp
This command is used to configure a PPP identity authentication method list. The form no of this command is used to delete
the method list.
aaa authentication ppp list-name method1[method2]
no aaa authentication ppp list-name
Syntax
Description
list-name
method
None: Pass directly without authenticating the identity.
Local: Use the local user database to authenticate the identity.
Tacacs: Use TACACS to authenticate the identity.

Usage specificationThis method needs to cooperate with the command ppp authentication to apply the method list to
the PPP authentication of an interface.
aaa authorization
This command is used to limit the user access authorization. The form no of the command is used to allow the access
authorization.
aaa authorization {exec|network} {default|list-name} method1[method2]
no aaa authorization {exec|network} {default|list-name}
Syntax
Description
exec
Configure the EXEC authorization command method list.
network
Configure the authorization method list of the network service.
default
Define a default method list.
list-name
method
Authorization methods:
if-authenticated : If a user passes the identity authentication, then he is authorized to
access the request function.
Local: Use the local database to authorize.
None: Operate no authorization.
Radius: Request the authorization information from RADIUS server.
Tacacs: Request the authorization information from TACACS server.
DefaultNo access authorization is limited (being equivalent to the keyword none).

Note:
1) When the EXEC authorization method list has been configured and you execute EXEC, NAS can implement the
authentication to you to determine whether you have the authorization to execute the EXEC shell program; if NAS fails to
authorize, then you cant execute EXEC.
2) EXEC supports the authorization of Vendor-specific AV of ciscoSecureACS radius (Cisco), and AV is defined as
follows:
Define autocmdauto-command, value is the command string, and its format is:
autocmd=STRING
Define nohangupwhether the connection is broken after the system executes the auto-command, and its format
is:
nohangup=FALSE/TRUE or 0/1
Define priv-lvlthe right level authorized to the login user, the range of value is from 0 to 15, and its format is:
priv-lvl=NUM
Define timeoutthe entire connection time authorized to the login user, value is a number (by second), and its
format is:
timeout=NUM
aaa accounting
This command is used to configure the AAA
method list.
accounting method list. The form no of this command is used to cancel the
aaa accounting {connection|exec|network} {default|list-name} {none|start-stop| stop-only| wait-start} method1[method2]

no aaa accounting {connection|exec|network} list-name
Syntax
Description
connection
Configure the accounting command that the user uses when he logins to other routers
through telnet or rlogin.
Configure the accounting command of enabling the EXEC session.
exec
network
Configure all accounting commands of the service requests that are relevant with the
network.
Define a default method list.
default
list-name
none
Dont process
start-stop
Send a start-accounting notice when a process starts, and send an end-accounting notice
when the process ends. Whether or not the server receives the start-accounting notice, all
requested user processes will start to execute.
Send an end-accounting notice when the requested user process ends.
stop-only
wait-start
Send a start-accounting notice and an end-accounting notice to the AAA accounting

server. The requested user service isnt enabled until the notices above are acknowledged.
accounting methods:
Radius: send the accounting information to the RADIUS server.
Tacacs: send the accounting information to the TACACS server.
method
DefaultNo
accounting.
accounting method list is defined.

Note:
To execute the accounting work as little as possible, you can use the keyword stop-only to send a stop-record-accounting
notice when a requested user process ends.
To get more accounting information, you can use the keyword start-stop. In this way, RADIUS or TACACS can send a
start-accounting notice when the requested process starts, and can send an end-accounting notice when the process ends.
To obtain more control right to the accounting , you can use wait-start, which ensures that the process request of the user
cant be authorized until the RADIUS or TACACS server receives the start-accounting notice.
aaa accounting suppress null-username
This command is used to forbid creating a accounting record for the user whose user name is null. The form no of this
command is used to allow creating a accounting record for the user whose user name is null.
aaa accounting suppress null-username
no aaa accounting suppress null-username
DefaultAllow to create a
accounting record for the user whose user name is null.

aaa accounting update
This command is used to send temporary accounting records to the server. The form no of this command is used to cancel
to send temporary accounting record.
aaa accounting update {newinfo|periodic number}
no aaa accounting update
Syntax
Description
newinfo
periodic
Send temporary accounting records to the server every time there is

accounting information.
Send temporary accounting records periodically.
number
The interval period.
new
DefaultNo temporary
accounting record is sent.

tacacs-server host
This command is used to configure the Tacacs server. The form no of this command is used to delete the Tacacs server.
tacacs-server host address [key key] [port port] [timeout timeout]
no tacacs-server host address
Syntax
Description
address
The address of the Tacacs server.
key
The key that is used for the communication between the router and the
Tacacs server.
The TCP port number that is used to connect with the Tacacs
background program.
Set the interval timer for waiting the response from the Tacacs server.
port
timeout
DefaultThe port number is 49, and the timeout is 5 seconds.


Note:
The key configured on the router must be consistent with that on the Tacacs server.
Multiple Tacacs servers can be configured, and the system can select one of them for system authentication according to
the configuration sequence; when some server is unavailable, the system can select the next one automatically till the last one
fails.
tacacs-server key
This command is used to configure the encryption key of the Tacacs. The form no of this command is used to delete the
key.
tacacs-server key key
no tacacs-server key
DefaultThere is no encryption key.
tacacs-server timeout
The command is used to configure the interval timer for waiting the Tacacs server response. The form no of this command is
used to reset the default value.
tacacs-server timeout timeout
no tacacs-server timeout
Default5 seconds.
radius-server host
This command is used to configure the RADIUS server. The form no of this command is used to delete the RADIUS
server.
radius-server host address [acc-port acc-port]
no radius-server host address
Syntax
address
acc-port
auth-port
[auth-port auth-port]
Description
The address of the RADIUS server.
The UDP destination port that is specified for the authentication
request.
The UDP destination port that is specified for the accounting
request.
Default acc-port is 1645, and auth-port is 1646.

Note:
The key configured on the router must be consonant with that on the RADIUS server.
Multiple RADIUS servers can be configured, and the system can select one of them for system authentication according to
the configuration sequence; when some server is unavailable, the system can select the next one automatically till the last one
fails.
radius-server dead-time
This command is used to configure dead-time. The form no of this command is used to set dead-time to be 0.
radius-server dead-time dead-time
no radius-server dead-time
Syntax
dead-time
Description
This is the time length. During the time, no request is
sent to the RADIUS server
Default dead-time is set to be 0.

Usage guideAfter the command is used, the system labels the RADIUS severs that dont respond to the authentication
requests as unusable, and dont send requests to these servers during the dead-time period of time.
radius-server key
This command is used to configure the RADIUS encryption key. The form no of this command is used to delete the RADIUS
encryption key.
radius-server key key
no radius-server key
DefaultThere is no encryption key.
radius-server timeout
This command is used to configure the interval timer for waiting the response from RADIUS server. The form no of this
command is used to reset the default value.
radius-server timeout timeout
no radius-server timeout
Default5 seconds.
radius-server retransmit
This command is used to configure the maximum times of retransmitting a packet to the RADIUS server. The form no of
this command is used to reset the default value.
radius-server retransmit retries
no radius-server timeout
Syntax
Description
retries
The maximum times of retransmitting a packet.
Default3 times.
ip {tacacs|radius} source-interface
This command is used to configure the interface address, which is specified for the router to switch packets with the
RADIUS or TACACS server. The form no of this command is used to reset the default value.
ip {tacacs|radius} source-interface interface-name
no ip {tacacs|radius} source-interface
Syntax
Description
interface-name
The interface name.
Default Use the address of the interface.

19.2 An Example of AAA Configuration
Network access
User

Illustration:
In the configuration above, the PPP protocol is encapsulated between the user devices and the network access server
(NAS), and login authentication uses the default method list.
The relevant NAS configurations are as follows:
Command
Task
NAS#configure terminal
Enter the configuration mode.
NAS (config)# aaa new-model
Enable AAA authentication.
NAS (config)# aaa authentication banner

^ Welcome ^
NAS (config)# aaa authentication failmessage ^ Sorry, Dont come in ^
NAS (config)# aaa authentication login
default radius tacacs none
Configure the welcome words for a use to login.

Configure the prompt information for a user to fail to login.
The authentication methods (radius, tacacs and none) are adopted for
identification authentication of the telnet or rlogin user. (One or more
authentication methods can be selected.)
NAS (config)# aaa authentication enable
The authentication method radius enable is adopted for the telnet or
rlogin user to enter the privilege use mode.
default radius enable
NAS (config)# aaa authentication ppp
Configure the PPP authentication, and cooperate with the command ppp
authentication on the interface s1/0.
auth-name radius tacacs local
NAS (config)# aaa authorization exec
Configure that only users who are added into the RADIUS server can be
default radius
authorized to execute the EXEC shell program; if the authorization fails, then
the users cannot execute EXEC.
NAS (config)# aaa accounting exec default
Enable the accounting command of the exec session, and a stopstop-only radius
accounting notice is sent to the RADIUS server when the requested user
process ends.
NAS (config)# aaa accounting connection
Enable the accounting command connection, and implement the
default stop-only radius
accounting when NAS logins on other router through telnet or rlogin.
NAS (config)# aaa accounting network list
Enable the accounting command (list) that the PPP service requests.
stop-only
radius
NAS (config)# radius-server host

192.168.0.1
NAS (config)# radius-server key maipu
NAS (config)# tacacs-server host
192.168.0.2 key mp
NAS (config)#interface s1/0
NAS(config-if-serial1/0)#ppp accounting
list
(Because the PPP protocol is encapsulated between the user devices and the
NAS.)
Configure the address of the RADIUS server.
Configure the key of the RADIUS server, and the key must be the same
as that of the NAS server on the RADIUS server.
Configure the address and key of the TACACS server, and the key must
be the same as that of the NAS server on the RADIUS server.
Enter the interface mode.
Enable the PPP authentication accounting on the interface. Its name is
list, which is the same as that following aaa accounting network.
Note:

During the course of adopting the configured method list to authenticate a user, only when the previous method doesnt
response can the router try the next method. If the identity authentication fails at any point of the period, namely, the security
server or the local user name database response in the form of denying the user to access, then the identity authentication
process will end and no other identity authentication method will be tried.
19.3
Checking and Debugging AAA
show accounting
This command is used to display the AAA accounting information.
show accounting
debug aaa authentication
This command is used to open the switch of AAA authentication debugging information. The form no of this command is
used to close the switch.
debug aaa authentication
no debug aaa authentication
debug aaa authorization
This command is used to open the switch of AAA authorization debugging information. The form no of this command is
used to close the switch.
debug aaa authorization
no debug aaa authorization
debug aaa accounting
This command is used to open the switch of AAA
to close the switch.
debug aaa accounting
no debug aaa accounting
accounting debugging information. The form no of this command is used
debug tacacs
This command is used to open the switch of TACACS debugging information. The form no of this command is used to close
the switch.
debug tacacs
no debug tacacs
debug radius
This command is used to open the switch for RADIUS debugging information. The form no of this command is used to close
the switch of RADIUS debugging information.
debug radius [in-plain]
no debug radius
Syntax
Description
in-plain
Display the RADIUS packet information in the form of

plaintext.
Chapter 20
MPLS Configuration
MPLS (Multiprotocol Label Switching) is a label-based packet forwarding technology, with advantages of both the packet
forwarding technology of layer-2 switch and the routing technology of layer-3, simplifying segment-by-segment data
forwarding and enhancing the packet forwarding capacity.
z
Brief introduction to MPLS
Descriptions of commands to configure MPLS
An example of MPLS configuration
20.1 Brief Introduction to MPLS

For the traditional IP packet forwarding, the router in each relay segment of the network analyses the destination IP
address independently and executes the network routing algorithm so as to make the independent forwarding decision and
determine the next hop for the packet. However, MPLS divides all packets that enter the network into different FECs
(Forwarding Equivalence Class) and assigns a label to each FEC, so each packet carries a short label with fixed length. The
routers in the network determine how to forward a packet according to its label. In the whole MPLS area, the packet
forwarding is operated according to the label, without operating anything to the IP header.
MPLS consists of two sections. One is the label packet forwarding, implementing the forwarding of the received IP
packets or label packets. Its main operations include:
1) If the received packet is an IP packet, then search the label forwarding list according to its destination address; if there
exists the output label (namely, the next hop supports the label forwarding) of the destination address, then insert this output
label into the IP header, subsequently, forward this packet to the next hop.
2) If the received packet is a label packet, then search the label forwarding list according to the input label on the label
stack top; if it succeeds in finding out the corresponding output label, then replace the input label with the output label,
subsequently, forward this packet; if it fails in finding out the corresponding output label, then pop the input label,
subsequently, forward this packet in the form of IP packet.
The other section is LDP (Label Distribution Protocol), used to switch the label binding information with the neighbor
routers. Through sending Hello packets periodically, LDP finds and maintains a LDP peer. When finding out a new LDP
neighbor, LDP creates a TCP connection with it. Then, through this TCP connection, it uses the information switch label that
LDP defines to bind the information, create and maintain a label-forwarding list.
20.2
Descriptions of commands to configure MPLS

mpls ip
To enable mpls on the router, you can do nothing but configure the command under the global configuration mode and the
interface configuration mode. The form no of this command is used to disable mpls.
mpls ip
no mpls ip
Command modeThe global configuration mode and the interface configuration mode.

Note:
To use mpls, you must simultaneously configure the command mpls ip under both the global configuration mode and the
interface configuration mode. Configuring the command mpls ip under the global configuration mode is used to enable mpls,
while configuring the command under the interface configuration mode is used to specify which interface to use mpls packet
forwarding. You can configure the command mpls ip on multiple interfaces.
If the link layer protocol is PPP, then it needs to configure the command ppp mpls on the interface.
mpls ldp router-id
When mpls is enabled, you need select a router-id (namely, an IP address) to serve as the ldp ID, which is used to identify
a specific LSR label space. The form no of this command is used to reset the default value of route id.
mpls ldp router-id A.B.C.D
no mpls ldp router-id

Syntax
Description
A.B.C.D
This is an IP address serving as the ldp ID.
DefaultWhen mpls starts, it automatically selects an interface address to serve as router-id.


Note:
By default, mpls automatically selects an interface address to serve as router-id when starting. And it can select the
address of a loopback interface. Under the situation that no router-id is configured, if the selected interface address that
serves as the router-id is changed, all current ldp connections are deleted, and the ldp can update the router-id,
subsequently, a new connection is rebuilt.
mpls ldp label-distribution
This command is used to set the ldp label distribution mode. The form no of this command is used to reset the default
setting of the label distribution mode.
mpls ldp label-distribution <dod/du>
no mpls ldp label-distribution
Syntax
Description
dod/du
Label distribution is on demand or unsolicited for downstream.
DefaultThe DU (downstream unsolicited) label distribution mode.


Note:
When using the downstream-unsolicited label distribution mode, for a specific FEC, an LSR (label switched router) can
assign and distribute a label immediately without getting a label request message from the upstream; however, when using
the downstream-on-demand label distribution mode, for a specific FEC, only after receiving the upstream label request
message from the upstream can an LSR (label switched router) assign and distribute a label.
This command is configured under the interface mode, and different label distribution modes can be configured for
different interfaces.
mpls ldp label-control
This command is used to configure the ldp label control mode. The form no of this command is used to reset the default
setting of the ldp label control mode.
mpls ldp label-control <independent/ordered>
no mpls ldp label-control
Syntax
Description
independent/ordered
The independent control mode or the ordered control mode.
DefaultThe independent control mode.


Note:
When using the independent label control mode, each LSR can announce the label mapping to the LSR (label switch router)
that connects with it at any time; however, when using the ordered control mode, only after the LSR receives the FEC label
mapping message of the specific FEC net hop or when the LSR is the LSP out-bound node, can the LSR send label mapping
messages to the upstream.
mpls ldp label-retention
This command is used to set the ldp label retention mode. The form no of this command is used to reset the default setting
of the ldp label hold mode.
mpls ldp label-retention <conservative/liberal>

no mpls ldp label-control
Syntax
Description
conservative/liberal
The conservative hold mode or the liberal retention mode.
DefaultThe liberal retention mode.


Note:
For a specific FEC, suppose that the upstream has received the label binding that comes from the downstream, then, when
the downstream router is no longer the next hop of this FEC, if the upstream still preserves this binding, the mode used by the
upstream is called the liberal label retention mode; if the upstream discards this binding, then the mode used by the upstream
is called the conservative label retention mode.
There are various combinations between three label assignment parameters (label distribution mode, label control mode
and label retention mode). However, the default parameters are downstream-unsolicited distribution, independent control
and liberal retention.
mpls ldp hello-interval
This command is used to set the interval (by second) for LSR to send a Hello message periodically. The form no of this
command is used to reset the default setting of interval of the Hello message.
mpls ldp hello-interval
<1-60>
no mpls hello-interval
Syntax
Description
1-60
The interval to send a Hello message.
Default5 seconds.

Note:
Through sending the Hello packet periodically, LSR finds or maintains a Hello neighbor.
mpls ldp hello-hold-interval
This command is used to set the hold time of ldp hello. The hold time specifies the maximum hold time (by second) for the
LSR to keep the previous Hello message before sending the next Hello message to its peer. LSRs can, through respectively
putting forward its own Hello hold time firstly, negotiate the Hello hold time with each other and then adopt the minimum
value of them. The form no of this command is used to reset the default value of the Hello hold time.
mpls ldp hello-hold-interval <1-60>
no mpls ldp hello-hold-interval
Syntax
Description
1-60
Hello hold time.
Default15 seconds.

Note:
LSR maintains a Hello hold timer for each Hello neighbor peer. When an LSR receives a Hello message from a specific
Hello neighbor, the corresponding Hello hold timer will be restarted. If the LSR hasnt still received the next Hello message
from the specific Hello neighbor when the Hello hold timer expires, then LSR deletes this Hello neighbor, and sends the
corresponding announcement message; subsequently, closes the TCP connection and ends the LDP session.
Hello hold time being 0 indicates the default value. For a link Hello message (connecting with the neighbor directly), the
default value is 15s; while for a destination Hello message (not connecting with the neighbor directly), the default value is
45s.
mpls ldp keepalive-interval
This command is used to set the interval (by second) for LSR to send a Keepalive message periodically. The form no of
this command is used to reset the default setting of the Keepalive message.
mpls ldp keepalive-interval
<1-60>
no mpls keepalive-interval
Syntax
Description
1-60
The interval for LSR to send a Keepalive message periodically.
Default15 seconds.

Note:
An LSR must ensure that the LDP peer can receive at least one LDP message (any LDP message is effective) in the
keepalive-interval. But if there is no other LDP message for LSR to send, then LSR must send a session hold message.
mpls ldp keepalive-hold-interval
This command is used to set the ldp session hold interval. LSRs can, through putting forward its own session hold interval
respectively, negotiate the session hold interval with each other, and then adopts the minimum value of them. The form no of
this command is used to reset the default value of the session hold interval.
mpls ldp keepalive-hold-interval
no mpls ldp keepalive-hold-interval
Syntax
Description
1-60
The ldp session hold interval.
Default45 seconds.

Note:
Through the LDP PDU received from the session transmission connection, an LDP checks the integrality of the LDP
session. The LSR maintains a session hold timer for each LDP session connection, and the corresponding session hold timer
can be restarted when the LSR receives the LDP PDU from a specific session connection. If the LSR hasnt still received
LDP PDU from the LDP peer when the session hold timer expires, then LSR sends an announcement message, closes the
TCP connection and ends the LDP session.
mpls route-cache
The MPLS fast switching is realized through route cache mechanism. The purpose of the route cache is to reduce the
repeated searching of a routing table and to accelerate the packets sending speed through using previous cache searching
results. But under certain circumstances, users can choose to enable/disable the following two places to process route cache.
mpls route-cache
no mpls route-cache

Note:
The mpls fast switching is turned on by default, The form no of this command is used to disable this function.
20.3 An Example of MPLS\VPN Configuration
Illustration:
In the configuration figure above, router1 and router3 are PE devices, and router2 is a P device. P\PE devices construct
the MPLS backbone network, in which the IGP routing protocol OSFP is running. IBGP is running between two PE devices
that respectively connect with two different networks----VPNA\VPNB. Through BGP announcing the VRF table, the
network vrf_a in router1 interconnects with the network vrf_a in router3, and the network vrf_b in router1 interconnects with
the network vrf_b in router3. VPNs are realized through MPLS\BGP.
The concrete configuration of Router1 is as follows:
Command
Task
Router1(config)# mpls ip
Run MPLS.
Router1(config)# ip vrf vrf_a
Create a vrfa
Router1(config -vrf)# rd 1:1
Configure the route descriptor.
Router1(config -vrf)# route-target export 1:1
Set properties of the destination VPN.
Router1(config -vrf)# route-target import 1:1
Router1(config -vrf)#exit
Router1(config)# ip vrf vrf_b
Create a vrfb.
Router1(config -vrf)# rd 2:2
Router1(config -vrf)# route-target export 2:2
Router1(config -vrf)# route-target import 2:2
Router1(config -vrf)#exit
Router1(config)# interface loopback0
Configure the loopback address with 12.12.12.12.
Router1 (config-if-loopback0)# ip address 12.12.12.12

255.255.255.255
Router1 (config-if-loopback0)# interface fastethernet 1/0
Router1 (config-if-fastethernet1/0)# ip vrf forwarding vrf_a
Router1 (config-if-fastethernet1/0)# ip address 10.1.1.1
255.255.0.0
Add the interface into the vrfa.

Router1 (config-if- fastethernet1/0)# interface fastethernet 1/1

Router1 (config-if-fastethernet1/1)# ip vrf forwarding vrf_b
Router1 (config-if-fastethernet1/1)# ip address 10.2.1.1
255.255.0.0
Add the interface into the vrfb.

Router1 (config-if-fastethernet1/1)#interface serial0/1

Router1 (config -if-serial0/1)# encapsulation ppp
Encapsulate PPP.
Router1 (config -if-serial0/1)# ppp mpls
Use MPLS on the interface (when the link layer protocol
is PPP).
Router1 (config -if-serial0/1)# ip address 21.2.1.1 255.255.0.0
Router1 (config -if-serial0/1)# mpls ip
Use MPLS on the interface.
Router1 (config -if-serial0/1)# exit

Router1 (config)# router ospf 1
Configure IGP (OSPF).
Router1 (config-ospf)# network 12.12.12.12 0.0.0.0 area 0

Router1 (config-ospf)#exit
Router1 (config)#router bgp 100
Configure BGP, and the AS number is 100.
Router1 (config -bgp)# no synchronization
Set the asynchronous mode between BGP and IGP.
Router1 (config -bgp)# neighbor 14.14.14.14 remote-as 100
Router1 (config -bgp)# neighbor 14.14.14.14 update-source

loopback0
Specify TCP connection port.
Router1 (config-bgp)# address-family ipv4 vrf vrf_a
Configure the vrf_a address family.
Router1(config-bgp-af)# no synchronization
Set the asynchronous mode between BGP and IGP
Router1 (config-bgp-af)# redistribute connected
Redistribute direct routes.
Router1 (config-bgp-af)exit
Router1 (config bgp)# address-family ipv4 vrf vrf_b
Configure the vrf_b address family.
Router1 (config-bgp-af)# no synchronization
Router1 (config-bgp-af)#exit
Router1 (config-bgp)# address-family vpnv4
Configure the VPN address family.
Router1 (config-bgp-af)# neighbor 14.14.14.14 activate

Router1 (config-bgp-af)# neighbor 14.14.14.14 next-hop-self
Router1 (config-bgp-af)# neighbor 14.14.14.14 send-community
extended
Send properties of the expanded community to the peer.
Router1 (config-bgp-af)#exit
Router1 (config-bgp)#exit

Command
Task
Router2 (config)#mpls ip
Run MPLS
Router2 (config)#interface loopback 0
Router2 (config-if-loopback0)# ip address 13.13.13.13

255.255.255.255
Router2 (config-if-loopback0)#exit
Router2 (config)#interface serial0/0
Router2 (config-if-serial0/0)#encapsulation ppp
Router2 (config-if-serial0/0)# ppp mpls
Encapsulate PPP.
is PPP).
Router2 (config-if-serial0/0)# ip address 21.1.1.2 255.255.0.0

Router2 (config-if-serial0/0)# mpls ip
Router2 (config-if-serial0/0)# exit
Use MPLS on the interface
Router2 (config-if-serial0/1)# encapsulation ppp
Encapsulate PPP.

is PPP).
Router2 (config-if-serial0/1)# ip address 21.2.1.2 255.255.0.0

Use MPLS on the interface

Router2 (config)#router ospf 1

Router2 (config-ospf)# exit

Command
Router3 (config)#mpls ip
Router3 (config)#ip vrf vrf_a
Router3 (config-vrf)# rd 1:1
Router3 (config-vrf)# route-target export 1:1
Router3 (config-vrf)# route-target import 1:1
Router3 (config-vrf)# exit
Router3 (config)#ip vrf vrf_b
Router3 (config-vrf)# rd 2:2
Router3 (config-vrf)# route-target export 2:2
Router3 (config-vrf)# route-target import 2:2
Router3 (config-vrf)# exit
Router3 (config)#interface loopback0
Router3 (config-if-loopback0)# ip address
14.14.14.14 255.255.255.255
Router3 (config-if-loopback0)# exit
Router3 (config)#interface fastethernet2/2
Router3 (config-if-fastethernet2/2)# ip vrf
forwarding vrf_a
Router3 (config-if-fastethernet2/2)# ip address
10.3.1.1 255.255.0.0
Router3 (config-if-fastethernet2/2)# exit
Router3 (config)#interface fastethernet2/3
Router3 (config-if-fastethernet2/3)# ip vrf
forwarding vrf_b
Router3 (config-if-fastethernet2/3)# ip address
10.3.1.1 255.255.0.0
Router3 (config-if-fastethernet2/3)# exit
Router3 (config-if-serial1/0)# encapsulation ppp
Router3 (config-if-serial1/0)# ip address 21.1.1.1
255.255.0.0
Router3 (config)#router ospf 1
Router3 (config-ospf)# network 21.1.0.0 0.0.255.255
area 0
Router3 (config-ospf)# network 14.14.14.14 0.0.0.0
area 0
Router3 (config)#router ospf 2 vrf vrf_a
Router3 (config-ospf)# network 10.0.0.0
0.255.255.255 area 0
Task
Run MPLS.
Create a vrfa.
Create a vrfb.
Set properties of the destination VPN..
Add the interface into the vrfa.

Add the interface into the vrfb.

Encapsulate PPP.
Use MPLS on the interface (when the link layer protocol is PPP).
Use MPLS on the interface.

Configure the dynamic routing protocol between PE (router3)

devices and CE (VPNA) devices.
Router3 (config-ospf)# redistribute bgp 100

Router3 (config)#router bgp 100
Router3 (config-bgp)# no synchronization
Router3 (config-bgp)# neighbor 12.12.12.12 remoteas 100
Router3 (config-bgp)# neighbor 12.12.12.12 updatesource loopback0
Router3 (config-bgp)# address-family ipv4 vrf vrf_a
Router3 (config-bgp-af)# redistribute ospf 2 vrf
vrf_a
Router3 (config-bgp-af)# exit
Router3 (config-bgp)# address-family ipv4 vrf vrf_b
Router3 (config-bgp)# address-family vpnv4
Router3 (config-bgp-af)# neighbor 12.12.12.12
activate
Router3 (config-bgp-af)# neighbor 12.12.12.12 nexthop-self
Router3 (config-bgp-af)# neighbor 12.12.12.12
send-community extended
Router3 (config-bgp)# exit
Redistribute the BGP_100 route.

Configure BGP, and the AS number is 100.
Specify aTCP connection port.
Configure the vrf_a address family.
Redistribute the OSPF (vrf_a) route.
Configure the vrf_b address family.
Configure the vpn address family.
Send the properties of the expanded community to the peer.
Chapter 21
Software Upgrade
The software upgrade of Maipu router includes two kinds of situations. One is the upgrade of the ROOT program (Namely
Monitor or the root program), and its main functions include the management and allocation of the flash space, with the low
upgrade-frequency; and the other is the upgrade of the program (IOS) in a router. When functions of the router need be
expanded, the program (IOS) need be upgraded.
21.1 The Upgrade of ROOT
21.1.1 Upgrade the Hex File of the ROOT program through the Console Interface
The function Hyper Terminal provided by Windows 95/98/NT is used to send the upgrading program to the router. The
following will, taking example for the Hyper Terminal application in Windows, describe the upgrade process.
Step 1: Set the Hyper Terminal.
Start the Hyper Terminal application and select the corresponding serial port (such as COM 1) and set its attributes: 9600
baud rate, the soft flow control, eight data bits, no parity and one stop bit.
Step 2: Enter the Monitor mode.
If some information similar to Monitor version 2.02 is Booting (^c enter monitor mode) ... is displayed on the screen
when the router starts up, you can press CTRL+C to enter the Monitor mode immediately. The prompt character of the
mode is mpMonitor:> or Monitor:>.
If no foregoing information is displayed on the screen when the router starts up, you need set the baud rate of the Hyper
Terminal as 115200, restart the router, and then press the key ENTER to enter the Monitor mode.
Step 3Reconfigure the speed of the Console interface and the Hyper Terminal to upgrade the hex file of the ROOT
program.
When the prompt character mpMonitor:> or Monitor:> appears, the command mpMonitor:>s 115200 is used to set
the speed of the Console interface as 115200bps. At the same time, the speed of the Hyper Terminal is set as 115200bps
(attribute-configuration-baud rate). Stop the connection in the Hyper Terminal and start the connection again. Press lr
<CR> behind mpMonitor:> and select the option Send text file in the menu Transmit. After the ROOT program (hex
file) that will be upgraded is selected, its transmission starts. After the upgrade ends, set the attributes of the Hyper Terminal
back to the initial setting, and restart it.
You can, according to the information Monitor version xxx is Booting (^c enter monitor mode) ..., judge whether the
ROOT program is upgraded successfully.
Note
Different modesof Maipu router may adopt different ROOT program. Before the ROOT program is upgraded, please
affirm whether the ROOT program that need be upgraded is suit for the model of Maipu router lest the upgrading mistake
make the router unusable.
After the ROOT program of Maipu low-end router is upgraded from v1.xx to v2.xx or 3.xx, the MAC address of the router
may be changed. To keep the MAC address exclusive and avoid the address conflict that may result in the network fault,
please notice that one ROOT program can only be upgraded on one router.
To void the MAC address conflict resulting from upgrading ROOT as possible, the MAC address of the Ethernet interface
of the router isnt changed after the ROOT program of Maipu low-end router is upgraded from v2.xx to v3.xx. If you want to
change the MAC address, please refer to step 3----use the command lr filename r <CR> to upgrade the ROOT program.
And the filename can be the combination of any letters.
21.2 The Upgrade of an Application (IOS)

Maipu router provides three kinds of methods for the software upgrade. These methods can ceaselessly extend functions of
the router. The following is to describe the three methods of the software upgrade.
21.2.1 Upgrade the Bin File of an Application through TFTP/FTP

Step 1: Run and configure the TFTP/FTP server.
Either Maipu TFTP server, CISCO TFTP or other TFTP/FTP server can be used to upgrade the bin file of application. We
take example for Maipu TFTP server to describe the upgrade:
Open cisco TFTP server and click TFTP server root-browse to select directory of the IOS firmware.
Figure 21-1 the option setting of cisco TFTP server
Step 2: Make the TFTP server at the listening state.
Figure 19-2 Cisco TFTP server being at the listening state
Step 3: Connect the Network

Connect the PC serving as the TFTP server with the router through the Ethernet (or other manners) to assure both can ping
each other.
Step 4: Upgrade the application
Enter sysupdate <the address of the TFTP server> <the name of the file to be upgraded> in the privilege user mode of
the router. We take example for MP2692:
MP2692# sysupdate 128.255.32.10 mp2692.bin <CR>
Here, the router can prompt you: Do you really update "mp2692.bin" ? (yes|no):. You can either enter n <CR> to cancel
the operation or enter y <CR> to implement the operation to upgrade.
If you enter y <CR>, the router will prompt the following information:
downloading "IOS" (2688708 Bytes): ################################################
###################################################################################
(Omitting the middle information)
OK
Download " mp2692.bin " (2707672 Bytes) succeeded
the flash is TE28F160C3T
erase flash ... success.
write flash ... success.
MP2692#
The information above indicates that IOS file is erased and written successfully. Now, you can reset the router.
21.2.2 Upgrade the Bin File of an Application through the Console Interface
Start the Hyper Terminal program and select the corresponding serial (such as COM 1) and set its attributes: 9600 baud
rate, the soft flow control, eight data bits, no parity and one stop bit.
Step 3 Erase the previous IOS.
Under the system prompt, use the commands mpMonitor:>e p or mpMonitor:>e a to erase the existing the IOS in the
flash. The difference of the foregoing two commands is that the former only erases IOS while the latter erases both IOS and
the configuration file. But, both dont erase the ROOT program, which can only be upgraded and cant be erased.
Step 4: Reconfigure the speed of the Console interface and the Hyper Terminal to upgrade the hex file of the application.
Use the command mpMonitor:>s 115200 to set the speed of the Console interface of the router as 115200bps. At the
same time, the speed of the Hyper Terminal is set as 115200bps (attribute-configuration-baud rate). Stop the connection in
the Hyper Terminal and start the connection again. Press lx <CR> behind mpMonitor:> and select the option Send
text file in the menu Transmit. Select xModem protocol in the pop-up dialog box. After the IOS program (hex file) that
will be upgraded is selected, its transmission starts. After the upgrade ends, set the attributes of the Hyper Terminal back to
the initial setting, and restart it.
Note
The purpose of setting the baud rate as 115200bps is only to improve the transmission speed and reduce the time of
upgrading the application.
21.2.3 Upgrade the Hex File of an Application through the Console Interface
Start the Hyper Terminal program and select the corresponding serial (such as COM 1) and set its attributes: 9600 baud
rate, the soft flow control, eight data bits, no parity and one stop bit.
Step 3: Erase the previous IOS.
Under the system prompt, use the commands mpMonitor:>e p or mpMonitor:>e a to erase the existing the IOS in the
flash. The difference of the foregoing two commands is that the former only erases IOS while the latter erases both the IOS
and the configuration file. But, both dont erase the ROOT program, which can only be upgraded and cant be erased.
Step 4: Reconfigure the speed of the Console interface and the Hyper Terminal to upgrade the hex file of the application.
Use the command mpMonitor:>s 115200 to set the speed of the Console interface of the router as 115200bps. At the
same time, the speed of the Hyper Terminal is set as 115200bps (attribute-configuration-baud rate). Stop the connection in
the Hyper Terminal and start the connection again. Press l <CR> behind mpMonitor:> and select the option Send
text file in the menu Transmit. After the IOS program (hex file) that will be upgraded is selected, its transmission starts.
After the upgrade ends, set the attributes of the Hyper Terminal back to the initial setting, and restart it.
Note
We can, from the aspect of the speed, compare the foregoing three methods of upgrading the ISO program: the first
method (upgrading the bin file of an application through TFTP/FTP) is of the fastest speed, while the third method is of the
lowest speed. And the speed of the second method (Upgrading the bin file of an application through the xModem protocol
under the Monitor mode) is between that of the first method and the third method. In the factual environment, the selection of
the upgrade method should depend on the factual situation.
The first method can also upgrade the mixed program (ROOT+IOS). So, this method can remotely control the upgrade of
the router whose ROOT program need be upgraded instead of on-the-spot upgrading it through the console interface, saving
much the upgrading time. But the method has more fatalness and its misoperation can result in the router being unusable. If
you want to use the method, please request the technology service center to provide the special upgrade program and the
corresponding documents of operation description.
Chapter 22
Network Test and Troubleshooting
This chapter discusses how you can use your Maipu routers network test tools to diagnose problems with the system.
22.1 Network Test Tools
These four test tools are provided on the router:
Ping: Tests network connectivity
Traceroute: Tests the data packets route information
Netstat: Examines network interface status and offers detailed statistical data
Show: Examines the systems statistical information
22.1.1 Ping
Ping is used to test network connectivity and test whether the router can access the host address.
protocol.
This tool only supports IP
Ping runs in common user mode or privileged user mode:

Common User Mode:
Router >ping ?
Command
Description
<hostname ipAddress >
Pings the host name or destination address.
Privileged user mode:

Router #ping ?
Command
Description
<hostname ipAddress <CR>>
Pings the host name or destination address.
Notes:
You can stop the ping procedure by pressing Ctrl+Shift+6 on the keyboard at the same time.
After the ping command has been executed, you will see the following onscreen output:
! shows a successful action, while . shows a failed action.
If ping worked, you will statistical information about the number of sent/received data packets, the percentage of data
packets that responded and the minimum, average or maximum response time values.
After you execute the ping <CR> command in privileged user mode, you can input optional parameters.
examples explain these parameters and their meanings.
The following two
Example 1: Here, the command ping doesnt have any extended options:
router#ping
Option
Task

Repeat count [5]: 20
Data packet size [76]: 1000
The destination address.

The ICMP number repeatedly requesting the data packet.
Appoints the ICMP size (1,000 byte).
Timeout in seconds [2]: 1
Extended commands [no]: n

Sweep range of sizes [no]: n
Permits delay. (The delay is regarded as a lost packet

when it receives no acknowledgment of the packets
location.)
The extended command.
Whether the ICMP data packet is appointed or not.
Output:
Sending 20, 1000-byte ICMP Echos to 192.168.8.1 , timeout is 1 seconds:
!!!!!!!!!!!!!!!!!!!!
Example 2: After you choose the extended command options, you can set such options as source route, record timestamp
and display detailed information, etc.:
router#ping
Task
Option
Repeat count [5]: 1930
Data packet size [76]: 1000
Extended commands [no]: y
Source address or interface:
128.255.255.223
Type of service [0]: 1
Set DF bit in IP header? [no]: y
Validate reply data? [no]: y
Data pattern [abcd]: asdf
Loose, Strict, Record, Timestamp,
Verbose[none]: L
Source route: 128.255.255.223
128.255.255.1
Verbose[LV]: r
Number of hops [6]: 3
Verbose[LVR]: t
Verbose[LVRT]:v
Verbose[LRT]:
Sweep range of sizes [no]: y
Sweep min size [74]:
Sweep max size [65530]: 2000
Sweep interval [1]: 10
Decides whether or not the IP layer will permit an ICMP data packet to
be segmented.
Decides whether or not the received ICMP data packet should be
examined.
Appoints ICMP data regarding requested data packets.
Appoints loose/strict source route, record route and timestamp.
Appoints the hops number.

Decides whether or not the ICMP size scope requesting the data packet
should be appointed.
Minimum
Maximum
Shows the increasing interval between two adjacent ICMP data packets
Output:
Sending 1930, [74..2000]-byte ICMP Echos to 128.255.255.1 , timeout is 1 seconds:
Loose source route: 128.255.255.223 128.255.255.1
Record route number : 3
Record timestamp number : 2
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!........
22.1.2 Traceroute
The traceroute command is used to test gateways that the data packet has passed through en route to its destination.
main function is to test the network connection for dropped connections.
Traceroute shows records the source address of each ICMP TTL overtime message.
packet passing from the source to the destination.
Its
It will show you the path of the
You would operate Traceroute when youve sent a packet with a TTL of 1, yet received an ICMP error data packet message
indicating the packet cant be sent, since TTL=0. (If the packet is sent again when the TTL is 2, the second hop router will
similarly send back an ICMP error data packet message, because TTL is 0 when the packet passes through the second
router.) This kind of procedure continues until the packet arrives at the destination.
Traceroute can run in both common user and privileged user modes:
Common User Mode:
Router >traceroute ?
Command
Description
<hostname ipAddress >
Sets the traceroute host name or destination
Privileged User Mode:

Router # traceroute ?
Command
<hostname ipAddress <CR>>
Description
Sets the traceroute host name or destination
Note:
You can stop the traceroute procedure by pressing Ctrl+Shift+6 on the keyboard at the same time.
After the command has been executed, you will see the following output:
The sent ICMP data packet information (TTL value, IP header, etc.)
A list of all the routers through which the ICMP data packet has passed through (ie. interface address, the average round
trip time or ICMP data packet error.
After you execute traceroute<CR> in privileged user mode, you can input optional parameters.
examples explain the parameters and their meanings.
The following two
Example 1: Here, traceroute doesnt have any extended options just basic optional parameters:
MP2600#traceroute
Option
Task

Source address or interface: 128.255.255.223
Timeout in seconds [2]:
Probe count [3]:
The destination address

Appoints the source address/interface.
Permits delay.
Probes the data packet count that has the same TTL
value.
The TTL default minimum value of the sent probed
data packet
The TTL default maximum value of the probed sent
Minimum Time to Live [1]:

Maximum Time to Live [30]:
Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:
data packet
The probed datas destination UDP port number
The route options of the source station: loose, strict,
record route and time stamp.
Output:
Type escape sequence to abort.
Tracing the route to 192.168.8.254 , min ttl = 1, max ttl = 30 .
1 2.1.1.1
16 ms *
33 ms
*
16 ms
*
2 192.168.8.254
16 ms *
33 ms
*
16 ms
Example 2: After you pick the extended command options, you can set some options such as the source route, record time
stamp and detailed information display:
router#traceroute
Option
Task

Source address or interface: 128.255.255.223
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Source route: 128.255.255.1
Loose, Strict, Record, Timestamp, Verbose[LV]: v
Loose, Strict, Record, Timestamp, Verbose[L]: t
Loose, Strict, Record, Timestamp, Verbose[LTV]: v
Loose, Strict, Record, Timestamp, Verbose[LT]:
Probes count of the probed data packet with the

same TTL value
The TTL default minimum of the sent probed
data packet
The TTL default maximum of the sent probed
data packet
The probed data packet destinations UDP port
number
The route options of the source station: loose,
strict, record route and time stamp
The source address
Appoints the number of hops to record time.
Output:
Type escape sequence to abort.
Tracing the route to 192.168.8.254 , min ttl = 1, max ttl = 30 .
Loose source route: 128.255.255.1
Record timestamp number : 7
1
2
3
16 ms
0 ms
!S
0 ms
0 ms
!S
16 ms
16 ms
!S
Note: The Traceroute command shows error messages with the ICMP data packets help.
usually display the average round trip time.
Besides that, the command can
Traceroute data can be expressed in the form of one of the following prompts:
!N: unreachable network
!H: unreachable host
!S: unreachable source route
!A: prohibiting access (ie. prohibited network access, prohibited host access and prohibited management access)
!F: unreachable data packet that needs to be fragmented
?: unknown data packet
22.1.3 Netstat
The netstat command can be used only in privileged user mode to display system tables (ie. the host table, the route table,
the ARP table and the multicast table), the interface status/configuration, protocol statistics and buffer information. These
optional command parameters are as follows:
router#netstat ?
Command
Description
-a
-e
-g
Displays the systems interior ARP table

Examines the status code
Displays the interior systems multibroadcast table
Displays the systems host table
Displays the routers interface status
Displays data buffers in the network stack.
Displays system buffers in the network
stack.
Displays special statistics
-h
-I
-m
-n
-p
-r
-s
<CR>
Remark
This is followed with the hex format status code
Supports five protocols: IGMP, ICMP, IP, TCP

and UDP.
Displays routing table data

Displays IP protocol summary statistic
information (for all protocols)
Displays TCP and UDP port and protocol
connections
22.1.4 Show
In privileged user mode, the show command can be used to:
Display the system clock
Display system equipment and interfaces
Display system statistic information
Display system start-up parameters
Display system tasks
Display system stacks
Here are the various system sub-commands for Show:
router#show ?
Command
Description
Remark
clock
Displays the current system clock.
Also works in common

user mode
Device
interface
Prints system equipment data.

Prints system interface data.
Version
Prints system software and hardware data.

user mode
ip
Examines TCP/IP protocol data.
bootparams
Process
stack
Displays system start-up parameters

Displays system tasks/process data.
Displays system stacks data.
user mode
user mode
22.2 How To Diagnose A Network Failure

Router configuration is a complex process because of the various interfaces and protocols that are used. Failures often
occur after the router is configured and used for a period of time. Generally, routers placed on two sides of a WAN suffer
the most systems failures. When such a failure occurs, patience is a necessity in determining and fixing the problem.
22.2.1 Diagnosing LAN Port Failures
A 10/100Base-T port is provided in your Maipu router to connect with a LAN. Send the ping data packet from the PC that
needs to be tested to the routers Ethernet port. If you dont get a response, the fault is located in the Ethernet port. Use
the following steps to examine and fix this type of failure:
Make sure that the PC is connected with the routers Ethernet port correctly.
If a Hub or LAN Switch is used to connect to the Ethernet, make sure the PC is connected with the Ethernet port of the router
correctly. The LED indicator on the Hub or LAN Switch will indicate if it is.
You can execute the ping command to test the link from the PC to the Ethernets port. When the hardware is connected
incorrectly, there will be no response or no change to the data packet input/output information when the PC pings the router.
Use either of the two following testing procedures to ping the router: (Note: 128.255.255.1 refers to the routers Ethernet
port IP address.)
In DOS shell:
c:>ping 128.255.255.1
Pinging 128.255.255.1 with 32 bytes of data
Request timed out.
Request timed out.
Request timed out.
In common user mode:
router>ping 128.255.255.2
Sending 5, 76-byte ICMP Echos to 128.255.255.2, timeout is 2 seconds:
.....
Success rate is 0% (0/5).
The output indicates that theres no response.
Check whether the software is working properly.
Make sure whether the PCs configured IP addresses Ethernet port is set correctly. The network addresses must be the
same only the host addresses can be different. If these conditions are met and youre still getting no response from the
router, then the Ethernet port has been configured incorrectly.
Locate the failure.

Figure out whether protocols are being properly matched.
The Ethernet interface can support two types of IP protocol: Ethernet_II and Ethernet_SNAP. Maipu routers can receive
these different IP packet formats simultaneously. However, the end user must appoint the IP packets format. Please
ensure that the sent IP packets format is similar to the other equipment being used by the Ethernet protocol.
Check whether the Ethernet is working normally.
The Ethernet router ports can support two speeds: 10 and 100Mbps. It can also support two kinds of working modes: half
duplex and full duplex. These working modes and transmission rates can be easily fixed in the system through automatic
negotiation.
22.2.2 Diagnosing WAN Port Failures
After we know that the Ethernet port has been excluded as a possible problem, the routers problem might be located in the
WAN port. Follow these steps to determine the problem:
Examine whether the physical interface has been connected correctly.
Your Maipu router supports many kinds of WAN interface cables V24, V35 and so on. The WAN interface type should
be checked against these cables, and you should ensure the WAN interface is running in the proper
synchronous/asynchronous mode. If necessary, reconfigure the routers synchronous/asynchronous serial interface.
If your interface runs in asynchronous mode, then examine whether its running at the correct speed. In asynchronous
mode, the WAN serial port will support a very broad scope of data transmission speeds. The lowest speed is 1,200 bps and
the highest is 115,200 bps.
The WAN interface can also run in two synchronous modes: DTE and DCE. If it runs in DCE mode, examine whether the
clock rate and the clock mode provided by the router are set correctly. If it works in DTE mode, then check the clock
provided by DSU/CSU.
When the hardware or connection parameters are set incorrectly, the PC wont respond or wont show packets moving
through the system when tested by the ping function.
Examine whether the link layer protocols are set correctly.
The routers WAN interface supports many protocols, such as HDSL, X.25, FR, SLIP, PPP and CSLIP. The WAN routers on
both sides of the communication wont talk with each other until the same protocols have been set.
If you use Point-to-Point Protocol (PPP) and have adopted PAP or CHAP as the authentication protocol, please ensure
whether the two password configurations are consistent.
If you use the modem in asynchronous mode, please ensure whether the modem has been set correctly.
If the above configurations are incorrect, the interface wont be able to connect with the protocols, event though the number
of output/input data packets on your system may appear to have increased.
Locate the failure.
If the link layer protocol is set to PPP in asynchronous dial-up mode, ensure whether the two ends of your dialer maps are set
correctly:
dialer map ip ipAddress telephoneNumb

The ipAddress command refers to the opposite terminals IP address and the telephoneNumber is the phone number
connected to this peer.
Routers on both sides of WAN must ensure that the network IP addresses are the same. If the IP address is set incorrectly,
the IP data packet route many have been sent to a wrong destination. When the WAN interface adopts the IP unnumbered
mode to borrow the IP address of the Ethernet interface, faults can occur much more easily.
Examine the route. MP routers presently support many routing methods, such as static routing, RIP v1/v2, OSPF, IRMP
dynamic routing and Dial-on-Demand Routing, etc. The router transmits a data packet in terms of its route information.
A data packet can be transmitted unsuccessfully because the route is incorrectly configured. Sometimes, the routers will
connect successfully with the hosts or other routers, but, sometimes, will disconnect to other network segment equipment.
In this case, if a static route has been adopted, you must manually set the route for the unreachable network segment.
However, if the router has adopted a RIP, OSPF and IRMP dynamic route, the router must configure the route protocols
correctly in order for the data to be successfully transmitted and for the local routing table to be updated.
Chapter 23 Discription Of the Interface Cable Signals

23.1 Ethernet Interface Cable (twisted-pair wire interface RJ45)
Pin 1 and Pin 2 are the sending ends, and Pin 3 and Pin 6 are the receiving ends. Like the interface of a PC Ethernet
Adapter , they can be connected to a HUB directly.
23.2 The Interface Cable of the Configuration Port

The interface of the configuration port provides the RJ45 socket and works in asynchronous DTE mode. A configuration port
cable is provided with each router and it can work in DTE or DCE mode.
23.3 Multiprotocol Serial-port Cable Wiring List
A Maipu MP2600 router provides four multiprotocol serial ports. Each serial port provides a 25-pin-socket. Each port can
work in the V.24 or V.35 mode and can be configured as a DTE or a DCE in either mode. Table 3-1 explains the general
wire list of the V.24/V.35 interface cable.
Table 4-1 the general wire list of the V.24/V.35 interface cable
ISO2110
RS-232V.24
CONNECTOR
PIN NOS
Location
ISO 2593
V.35
DCE
DTE
Location
CONNECTOR
DCE
DTE
PIN
01
PG
101
02
TD
103
103a
03
RD
104
104a
04
RTS
105
105
05
CTS
106
106
06
DSR
107
107
07
SG
102
08
DCD
109
102
:
109
115b
11
113b
12
114b
AA
103b
114a
104b
09
10
13
14
15
TC
114
16
17
RC
115
115a
DTR
108
108
18
19
20
21
22
NOS
23
24
25
EXC
113
113a
WARRANTY POLICY
1.0 WARRANTY POLICY:
From the date of sale by Dax, all Qualified Dax Products (QDP) are covered by
maximum 3-years carry-in warranty, against manufacturing defects and workmanship
under normal use. The first year Instant Replacement Anywhere (IRA) warranty is
applicable within this 3-year outer limit.
2.0 WARRANTY:
Dax provides this extensive warranty to all QDP customers in order to establish
outstanding quality service to all Dax customers and give them a high return on the
investment in Dax products.
3.0 SCOPE & DURATION OF WARRANTY:
Dax warrants each QDP purchased hereunder against defects in material or
workmanship under normal use and service for a period of three years from date of sale
by Dax.
Dax at is option, will at no charge either repair or replace, any Unit during the carry-in
warranty period, provided it is returned in accordance with the terms of this warranty to
any Dax Authorised Distributor (DAD) or to any Dax Service Centre.
4.0 UNITS THAT ARE NOT QUALIFIED FOR THREE YEARS CARRY IN
WARRANTY:
The following Dax Units are not qualified for 3 years carry in warranty since
they only carry one year warranty:
a. Dax Internal modems
b. Dax Power supplies
5.0 UNITS RETURNED AFTER ONE YEAR FROM THE DATE OF
PURCHASE BUT WITHIN THREE YEARS OF WARRANTY:
Any QDP returned after 12 months but within 3 years, from the date of purchase
(Daxs invoice date) can be handed over to any DAD for service warranty. The Unit will
be sent to the local AFL warehouse for forwarding to the Dax Service Center, Chennai.
The serviced Unit from Dax will be returned to the same DAD. The to-and-fro freight
charges will be borne by Dax. And, the time for return of serviced Units will be two plus
one working days (2 days for servicing + 1 day for testing) and the actual to and fro
transportation time.
6.0 SERVICES FOR UNITS OUT OF WARRANTY (OOW):
When a Dax Unit is used by a customer for a period beyond specified warranty terms,
the Unit automatically becomes an Out of Warranty Unit. Broadly OOW would
cover the following categories apart from beyond warranty terms:
a. Burnt Units
b. Units with non-manufacturing defects
c. Mishandled units
The DAD can send the OOW unit directly for repair to the
Dax Service Center,
Chennai with freight prepaid. Dax will attempt to repair the Unit at a cost. Dax will
analyse the extent of damage and send the estimate for repair charges to the DAD. If the
DAD agrees to pay the charges, Dax will take up the Unit for repairs after receiving the
advance payment by DD from the customer. After repair, the Unit will be sent to the
customer directly from Dax on a freight to-pay basis. The DAD has to insure the Unit or
assume risk of loss or loss or damage during transit.
7.0 END-OF-LIFE (EOL):
If a Unit is declared as End-of-Life (EOL), or withdrawn due to technological
obsolescence, Dax will attempt to replace it with a functionally close equivalent. This
decision is absolutely at Daxs discretion. In any case, no monetary benefit will be
rewarded or can be claimed by the customer.
8.0 WARRANTY DOES NOT COVER:
Warranty is applicable only against manufacturing defects and workmanship under
normal use. Burnt components or PCBs are not categorized under manufacturing
defects. These are susceptible to burnouts due to high incoming voltage in
telephone lines or in power supplies and also improper Earthing.
Defects or damages to the Units resulting from use of Units in an operating
environment other than as specified in the User Manual.
Defects or damages resulting from accidents, misuse or neglect or any natural
calamities.
Defects or damages from improper testing, operation, maintenance, installation,
alteration, modification or adjustments.
Breakage or damage to the Unit caused due to mishandling.
Units dismantled or attempted to repair.
Units that have had their serial numbers removed or tampered with.
Defects or damages due to spill of food or liquid.
All outer surfaces and all other externally exposed parts that are scratched or
damaged due to customers abnormal use.
Units if physically tampered with by unauthorized persons.
9.0 JURISDICTION
Any dispute shall be subject to exclusive jurisdiction of the courts in
Chennai.
10.0 CONTACT DETAILS OF DAX NETWORKS LIMITED AND SERVICE
CENTRE:
Dax Networks Limited
79, Chamiers Road, Chennai 600 028
Ph. No.: 2432 3557 / 2432 3558 / 2432 3984
Fax No. 044 2435 7267
Service Centre
New No. 21(Old No.11), II Street,
R.K. Nagar, Mandaveli, Chennai 28.
Ph. No.: 2462 0217 / 2462 0218
E-MAIL: service@daxnetworks.com
Contact: Manager IRA
Co-ordinator Service Centre
Please refer our website www.daxnetworks.com for the current updated address and
contact phone numbers.
WARRANTY CARD FOR DXMP ROUTER

This DXMP ROUTER has been manufactured under the most stringent quality standards by an ISO
9001 Certified Company and is guaranteed to perform. This DXMP ROUTER carry a comprehensive 3year warranty. In the unlikely event of the product malfunctioning due to any manufacturing defect, you
can get it exchanged instantly as per our IRA (Instant Replacement Anywhere) policy guidelines within
one year of purchase from date of sale by Dax or get it repaired / replaced at free of charge with in the
Carry-in warranty period. For replacement or repair, please walk-in with the product to your vendor or
any Dax authorized distributor. Just make sure that you produce this card and the serial number of your
product along with proof of date of purchase when you require replacement / repair. For any additional
support, please contact the Dax Technical Support Department at
Dax Networks Ltd.,

79, Chamiers Road, Chennai - 600 028. India
Ph.: 044 - 2432 3558 Fax : 044 - 2435 7267
Email: contact@daxnetworks.com
Website: www.daxnetworks.com
Note: Please refer our website for IRA / Support Centres & Dax Authorized Distributors.

Dax Router Guide PDF

Uploaded by

Copyright:

Available Formats

Dax Router Guide PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Dax Router Guide PDF

Uploaded by

Copyright:

Available Formats

Dear Dax User,

MP Series Router Manual

CHAPTER 2 SYSTEM CONFIGURATION AND MANAGEMENT --------- 31

CHAPTER 3 NETWORK PROTOCOL -------------------------------------------- 55

3..3 Displaying the ARP cache ------------------------------------------------------------------------------------------60

CHAPTER 4 DISCRIPTION OF THE INTERFACE CABLE SIGNALS ----- 68

CHAPTER 6 DDR AND INTERFACE BACKUP ------------------------------ 146

CHAPTER 7 ROUTING CONFIGURATION ----------------------------------- 175

CHAPTER 8 CONFIGURING SNA----------------------------------------------- 251

CHAPTER 9 IP TELEPHONE CONFIGURATION -------------------------- 276

9.1.1 Relevant Commands------------------------------------------------------------------------------------------------- 276

CHAPTER 10 TERMINAL CONFIGURATION-------------------------------- 290

CHAPTER 11 SECURITY CONFIGURATION--------------------------------- 316

11.1.5 Configuring An Access Channel --------------------------------------------------------------------------------- 323

CHAPTER 12 QUALITY OF SERVICE (QOS) CONFIGURATION ------- 407

12. 4 Customer Queuing (CQ)----------------------------------------------------------------------------------------- 414

CHAPTER 13 802.1Q SPECIFICATIONS-------------------------------------- 427

CHAPTER 14 DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP)

CHAPTER 15 NDSP PROTOCOL CONFIGURATION ----------------------- 437

CHAPTER 16 SNMP CONFIGURATION --------------------------------------- 439

CHAPTER 17 NETWORK TEST AND TROUBLESHOOTING ----------- 460

17.1.4 Show ----------------------------------------------------------------------------------------------------------------- 462

CHAPTER 18 SOFTWARE UPGRADE ---------------------------------------- 463

CHAPTER 19 SNTP CONFIGURATION -------------------------------------- 475

CHAPTER 20 MULTICAST ROUTE CONFIGURATION ------------------ 484

Configure IGMP -------------------------------------------------------------------------------------- 484

CHAPTER 21 AAA CONFIGURATION----------------------------------------- 492

CHAPTER 22 MPLS CONFIGURATION -------------------------------------- 497

CHAPTER 23 INTERFACE CONFIGURATION------------------------------- 506

23.3.1 Configuring an Asynchronous Serial Interface ---------------------------------------------------------------------- 74

Router Configuration mode

Maipu routers provides users with four typical configuration modes:

Use the command shell to configure through the console interface;

Command line Mode

Registration of system commands

Common user mode

Encryption mapping configuration mode

Other configuration modes will be introduced in relevant chapters.

Execute the command exit

Execute the command

Execute the command exit

Execute the command exit

Execute the command exit

Execute the command exit

Execute the command exit

Finishes the file

Execute the command exit

Execute the command

Execute the command exit

enters the mode

Execute the command exit

Execute the command exit

Execute the command exit

Execute the command exit

Execute the command exit

Configures the IKE

Configures the RSA

Figure 1-2 connection sketch map of local configuring the router

Figure 1-3 Creating a Connection

&RQI L JXU L QJ U HPRW H HQG U RXW HU W KU RXJK O RFDO U RXW HU