
HP A-MSR Router Series

Web-Based Configuration Guide

Abstract
This document describes the software features for the HP A Series products and guides you through the
software configuration procedures. These configuration guides also provide configuration examples to
help you apply software features to different network scenarios.

This documentation is intended for network planners, field technical support and servicing engineers, and
network administrators working with the HP A Series products.

Part number: 5998-2054
Software version: CMW520-R2207P02
Document version: 6PW100-20110810

Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Web overview

Logging in to the web interface
Logging out of the web interface
Introduction to the web interface
User level
Introduction to web-based NM functions
Common web interface elements
Common buttons and icons
Content display by pages
Searching function
Sorting function
Managing web-based NM through CLI
Enabling or disabling web-based NM
Managing the current web user
Configuration guidelines
Troubleshooting web browser
Failure to access the device through the web interface

Configuring device information

Displaying device information
Device information
Broadband connection information
3G wireless card state
LAN information
WLAN information
Service information
Recent system logs
Integrated service management

Configuring web interface basic services

Starting the basic configuration wizard
Setting WAN interface parameters
Setting LAN interface parameters
Setting WLAN interface parameters
Validating basic services configuration

Configuring WAN interfaces

Configuring an Ethernet interface
Configuring an SA interface
Configuration procedure
Configuring an ADSL/G.SHDSL interface
Configuration procedure
Configuring a CE1/PRI interface
Configuration procedure
Configuring a CT1/PRI interface
Configuration procedure
Viewing the general information and statistics of an interface

Configuring VLAN

Configuring a VLAN and its VLAN interface
Configuration task lists
Creating a VLAN and its VLAN interface
Configuring VLAN member ports
Configuring parameters for a VLAN interface
Configuration guidelines

Configuring wireless services

Configuration task list
Wireless service configuration
Configuring wireless access service
Creating a wireless access service
Configuring clear type wireless service
Configuring crypto type wireless service
Security parameter dependencies
Displaying wireless access service information
Displaying wireless service information
Displaying client information
Displaying RF ping information
Wireless access configuration examples
Wireless service configuration example
Access service-based VLAN configuration example
PSK authentication configuration example
Local MAC authentication configuration example
Remote MAC authentication configuration example
Remote 802.1x authentication configuration example
802.11n configuration example

Configuring client mode

Enabling the client mode
Connecting the wireless service
Displaying statistics
Client mode configuration example

Configuring radios

Configuring data transmit rates
Configuring 802.11b/802.11g rates
Configuring 802.11n MCS
Displaying radio
Displaying wireless services bound to a radio
Displaying detailed radio information

Configuring WLAN security

Blacklist and whitelist
Configuring the blacklist and whitelist functions
Configuring dynamic blacklist
Configuring static blacklist
Configuring whitelist
User isolation
Configuring user isolation

Configuring WLAN QoS

Configuring wireless QoS
Enabling wireless QoS
Setting the SVP service
Setting CAC admission policy
Setting radio EDCA parameters for APs
Setting EDCA parameters for wireless clients
Display radio statistics
Displaying client statistics
Setting rate limiting
Wireless QoS configuration example
CAC service configuration example
Static rate limiting configuration example
Dynamic rate limiting configuration example

Configuring advanced WLAN settings

District code
Setting a district code
Channel busy test
Configuring a channel busy test

Configuring 3G management

Managing the 3G modem
Displaying the 3G information
Managing the pin code

Configuring NAT

Recommended configuration procedure
Configuring dynamic NAT
Configuring a DMZ host
Configuring an internal server
Enabling application layer protocol check
Configuring connection limit
NAT configuration examples
Private hosts to access public network configuration example
Internal server configuration example

Configuring access control

Access control configuration example

Configuring URL filtering

URL filtering configuration example

Configuring MAC address filtering

Configuring the MAC address filtering type
Configuring the MAC addresses to be filtered
MAC address filtering configuration example

Configuring attack protection

Blacklist function
Intrusion detection function
Configuring the blacklist function
Recommended configuration procedure
Enabling the blacklist function
Adding a blacklist entry manually
Viewing blacklist entries
Configuring intrusion detection
Attack protection configuration examples
Attack protection configuration example for the A-MSR900/20-1X series routers
Attack protection configuration example for the A-MSR20/30/50 series routers

Configuring application control

Configuring application control
Recommended configuration procedure
Loading applications
Configuring a custom application
Enabling application control ······························································································································ 191 
Application control configuration example ··············································································································· 192 

Configuring webpage redirection ························································································································· 195 


Configuring routes ·················································································································································· 197 
Route configuration ······················································································································································ 197 
Creating an IPv4 static route ······························································································································ 197 
Displaying the active route table ······················································································································· 199 
IPv4 static route configuration example····················································································································· 200 
Configuration guidelines ············································································································································· 202 

Configuring user-based load sharing ···················································································································· 204 


Configuring traffic ordering ··································································································································· 205 
Recommended configuration procedure ··········································································································· 205 
Setting the traffic ordering interval ···················································································································· 206 
Specifying the traffic ordering mode················································································································· 206 
Displaying internal interface traffic ordering statistics ···················································································· 206 
Displaying external interface traffic ordering statistics···················································································· 207 

Configuring DNS ···················································································································································· 208 


Configuring dynamic domain name resolution ································································································ 208 
Enabling DNS proxy ··········································································································································· 209 
Enabling dynamic domain name resolution ····································································································· 210 
Enabling DNS proxy ··········································································································································· 210 
Clearing the dynamic domain name cache ····································································································· 210 
Specifying a DNS server ···································································································································· 210 
Configuring a domain name suffix ···················································································································· 211 
Domain name resolution configuration example ······································································································ 211 

Configuring DDNS ·················································································································································· 217 


Configuration prerequisites ········································································································································· 218 
Configuration procedure ············································································································································· 218 
DDNS configuration example····································································································································· 219 

Configuring DHCP ·················································································································································· 222 


Configuring the DHCP server ····························································································································· 223 
Configuring the DHCP relay agent ··················································································································· 224 
Configuring the DHCP client ······························································································································ 224 
Enabling DHCP ···················································································································································· 225 
Configuring DHCP interface setup ···················································································································· 225 
Configuring a static address pool for the DHCP server ·················································································· 226 
Configuring a dynamic address pool for the DHCP server ············································································ 228 
Configuring IP addresses excluded from dynamic allocation ········································································ 230 
Configuring a DHCP server group ···················································································································· 231 
DHCP configuration examples···································································································································· 232 
DHCP configuration example without DHCP relay agent ··············································································· 233 
DHCP relay agent configuration example ········································································································ 240 
Configuration guidelines ············································································································································· 246 

Configuring ACL ····················································································································································· 247 


Configuring an ACL ····················································································································································· 247 
Configuration task list ········································································································································· 247 
Creating an IPv4 ACL ········································································································································· 248 
Configuring a rule for a basic IPv4 ACL··········································································································· 249 
Configuring a rule for an advanced IPv4 ACL································································································· 250 
Configuring a rule for an Ethernet frame header ACL ···················································································· 253 

Configuration guidelines ············································································································································· 255 

Configuring QoS ····················································································································································· 256 


Subnet limit··························································································································································· 257 
Advanced limit ····················································································································································· 257 
Advanced queue ················································································································································· 258 
Configuring QoS ·························································································································································· 258 
Configuring subnet limit······································································································································ 258 
Configuring advanced limit································································································································ 260 
Configuring advanced queue ···························································································································· 263 
QoS configuration examples ······································································································································ 267 
Subnet limit configuration example ··················································································································· 267 
Advanced queue configuration example·········································································································· 269 
Appendix packet priorities ·········································································································································· 272 

Configuring SNMP·················································································································································· 275 


SNMP agent configuration ········································································································································· 275 
Configuration task list ········································································································································· 275 
Enabling the SNMP agent function ··················································································································· 277 
Configuring an SNMP view ······························································································································· 278 
Configuring an SNMP community ····················································································································· 280 
Configuring an SNMP group ····························································································································· 281 
Configuring an SNMP user ································································································································ 283 
Configuring SNMP trap function ······················································································································· 285 
Displaying SNMP packet statistics ···················································································································· 287 
SNMP configuration example ···································································································································· 288 
SNMPv1 or SNMPv2c configuration example ································································································ 288 
SNMPv3 configuration example ······················································································································· 292 

Configuring bridging ·············································································································································· 299 


Configuring bridging ··················································································································································· 299 
Configuration task list ········································································································································· 299 
Enabling a bridge set ········································································································································· 299 
Adding an interface to a bridge set ·················································································································· 300 
Bridging configuration example ································································································································· 301 

Configuring user groups ········································································································································· 305 


Configuration task list ········································································································································· 305 
Configuring a user group ··································································································································· 306 
Configuring a user ·············································································································································· 306 
Configuring access control ································································································································· 307 
Configuring application control ························································································································· 308 
Configuring bandwidth control ·························································································································· 309 
Configuring packet filtering ······························································································································· 310 
Synchronizing user group configuration for WAN interfaces········································································ 312 
User group configuration example ···························································································································· 312 

Configuring MSTP ··················································································································································· 320 


Introduction to RSTP ············································································································································ 327 
Introduction to MSTP ··········································································································································· 327 
Protocols and standards ····································································································································· 332 
Configuring MSTP ························································································································································ 333 
Configuration task list ········································································································································· 333 
Configuring an MSTP region ····························································································································· 333 
Configuring MSTP globally ································································································································ 334 
Configuring MSTP on a port ······························································································································ 337 
MSTP configuration example ······································································································································ 339 

Configuration guidelines ············································································································································· 344 

Configuring RADIUS ··············································································································································· 346 


Configuring a RADIUS scheme··································································································································· 346 
RADIUS configuration example ·································································································································· 351 
Configuration guidelines ············································································································································· 357 

Configuring login control ······································································································································· 359 


Login control configuration example·························································································································· 360 

Configuring ARP······················································································································································ 362 


Gratuitous ARP ····························································································································································· 362 
Displaying ARP entries ················································································································································ 362 
Creating a static ARP entry ········································································································································· 363 
Removing ARP entries ·················································································································································· 363 
Enabling learning of dynamic ARP entries ················································································································ 364 
Configuring gratuitous ARP ········································································································································· 365 
Static ARP configuration example ······························································································································ 365 

Configuring ARP attack protection························································································································· 371 


Configuring periodic sending of gratuitous ARP packets ························································································ 371 
Configuring ARP automatic scanning ························································································································ 372 
Configuring fixed ARP ················································································································································· 374 

Configuring IPsec VPN ··········································································································································· 375 


Configuring IPsec VPN ················································································································································ 375 
Configuration task list ········································································································································· 375 
Configuring an IPsec connection ······················································································································· 376 
Displaying IPsec VPN monitoring information ································································································· 383 
IPsec VPN configuration example ······························································································································ 384 
Configuration guidelines ············································································································································· 386 

Configuring L2TP ····················································································································································· 388 


Configuring L2TP ·························································································································································· 389 
Recommended configuration procedure ··········································································································· 389 
Enabling L2TP ······················································································································································ 389 
Adding an L2TP group········································································································································ 390 
Displaying L2TP tunnel information ··················································································································· 396 
L2TP configuration example ········································································································································ 396 
Client-initiated VPN configuration example ····································································································· 396 

Configuring GRE ····················································································································································· 402 


Configuring a GRE over IPv4 tunnel ·························································································································· 402 
Configuration prerequisites ································································································································ 402 
Recommended configuration procedure ··········································································································· 402 
Creating a GRE tunnel ········································································································································ 402 
GRE over IPv4 tunnel configuration example············································································································ 404 

Configuring certificate management ····················································································································· 412 


PKI operation ······················································································································································· 412 
Configuring PKI ···························································································································································· 413 
Configuration task list ········································································································································· 413 
Creating a PKI entity ··········································································································································· 415 
Creating a PKI domain ······································································································································· 416 
Generating an RSA key pair ······························································································································ 419 
Destroying the RSA key pair ······························································································································ 420 
Retrieving and displaying a certificate ············································································································· 420 
Requesting a local certificate ····························································································································· 421 

Retrieving and displaying a CRL ······················································································································· 422 
PKI configuration examples········································································································································· 423 
Configuring a PKI entity to request a certificate from a CA (method I) ························································· 423 
Configuring a PKI entity to request a certificate from a CA (method II) ························································ 427 
Applying RSA digital signature in IKE negotiation ·························································································· 432 
Configuration guidelines ············································································································································· 438 

Configuring system management··························································································································· 439 


Configuration management ········································································································································ 439 
Save configuration ·············································································································································· 439 
Initialize configuration ········································································································································ 440 
Backing up configuration ··································································································································· 440 
Restoring configuration ······································································································································· 441 
Backing up and restoring device files through the USB port ·········································································· 442 
Rebooting device ························································································································································· 443 
Service management ··················································································································································· 443 
Configuring service management ······················································································································ 444 
User management ························································································································································ 446 
Creating a user ···················································································································································· 446 
Setting the super password for switching to the management level ······························································ 447 
Switching the user access level to the management level ··············································································· 448 
System time ··································································································································································· 448 
Setting the system time ········································································································································ 449 
Setting the system time zone ······························································································································ 450 
TR-069 configuration ··················································································································································· 450 
TR-069 network framework ································································································································ 451 
Basic functions of TR-069 ··································································································································· 451 
TR-069 configuration ·········································································································································· 452 
Configuration guidelines ···································································································································· 453 
Software upgrade (for the A-MSR900/A-MSR20-1X series) ··················································································· 454 
Upgrading software ············································································································································ 454 
Software upgrade (for the A-MSR20/30/50 series) ······························································································· 454 
Upgrading software ············································································································································ 455 

Configuring SNMP lite············································································································································ 456 


SNMP agent configuration ········································································································································· 456 
SNMP configuration example ···································································································································· 458 
SNMPv1 or SNMPv2c configuration example ································································································ 458 
SNMPv3 configuration example ······················································································································· 459 

Configuring syslog ·················································································································································· 462 


Displaying syslogs ··············································································································································· 462 
Setting the loghost ··············································································································································· 463 
Setting buffer capacity and refresh interval······································································································ 464 

Configuring diagnostic tools ·································································································································· 466 


Trace route ··························································································································································· 466 
Ping ······································································································································································· 466 
Tools operations ··························································································································································· 467 
Trace route operation ········································································································································· 467 
Ping operation ····················································································································································· 467 

Configuring WiNet ················································································································································· 469 


Configuring WiNet ······················································································································································ 470 
Enabling WiNet ·················································································································································· 470 
Setting the background image for the WiNet topology diagram ·································································· 471 
Managing WiNet················································································································································ 471 

Configuring a RADIUS user································································································································ 473 
WiNet configuration example ···································································································································· 474 
WiNet establishment configuration example ··································································································· 474 
WiNet-based RADIUS authentication configuration example ········································································ 480 

Configuring VoIP basic service ······························································································································ 484 


Basic service setup ······················································································································································· 484 
Displaying the configuration wizard homepage ····························································································· 484 
Selecting a country ·············································································································································· 484 
Configuring local numbers ································································································································· 485 
Configuring connection properties ···················································································································· 485 
Finishing configuration wizard ·························································································································· 486 

Local number and call route overview··················································································································· 487 


Basic settings ································································································································································ 487 
Fax and modem ··························································································································································· 487 
Call services·································································································································································· 487 
Advanced settings ························································································································································ 487 

Configuring local number and call route ·············································································································· 488 


Local number························································································································································ 488 
Call route ······························································································································································ 488 
Basic settings ································································································································································ 489 
Configuring a local number ······························································································································· 489 
Configuring a call route ····································································································································· 490 
Configuration examples of local number and call route ························································································· 492 
Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address) ················ 492 
Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name) ···················· 495 
Configuring proxy server involved calling for SIP UAs ··················································································· 499 
Configuring trunk mode calling ························································································································· 506 

Configuring fax and modem ·································································································································· 510 


FoIP ················································································································································································ 510 
Protocols and standards for FoIP ······················································································································· 510 
Fax flow ································································································································································ 511 
Introduction to fax methods ································································································································ 511 
SIP Modem pass-through function ······························································································································ 512 
Configuring fax and modem ······································································································································ 512 
Configuring fax and modem parameters of a local number ·········································································· 512 
Configuring fax and modem parameters of a call route ················································································ 515 

Configuring call services ········································································································································ 517 


Call waiting ························································································································································· 517 
Call hold ······························································································································································· 517 
Call forwarding ··················································································································································· 517 
Call transfer·························································································································································· 518 
Call backup·························································································································································· 518 
Hunt group ··························································································································································· 518 
Call barring·························································································································································· 518 
Message waiting indication ······························································································································· 518 
Three-party conference ······································································································································· 518 
Silent monitor and barge in services ················································································································· 519 
Calling party control ··········································································································································· 519 
Door opening control ·········································································································································· 519 
CID on the FXS voice subscriber line ················································································································ 519 
CID on the FXO voice subscriber line ··············································································································· 520 
Support for SIP voice service of the VCX ·········································································································· 520 

Configuring call services of a local number ············································································································· 520 
Configuring call forwarding, call waiting, call hold, call transfer, and three-party conference ················ 520 
Configuring other voice functions ······················································································································ 522 
Configuring call services of a call route ···················································································································· 524 
Call services configuration examples ························································································································ 525 
Configuring call waiting ····································································································································· 525 
Configuring call forwarding ······························································································································· 526 
Configuring call transfer ····································································································································· 528 
Configuring hunt group ······································································································································ 529 
Configuring three-party conference ··················································································································· 532 
Configuring silent monitor and barge in service ····························································································· 534 

Configuring advanced settings for local numbers and call routes ······································································ 541 
Coding parameters ············································································································································· 541 
Other parameters ················································································································································ 545 
Configuring advanced settings for a local number ·································································································· 545 
Configuring coding parameters for a local number ························································································ 545 
Configuring other parameters for a local number ··························································································· 547 
Configuring advanced settings for a call route ········································································································ 548 
Configuring coding parameters for a call route ······························································································ 548 
Configuring other parameters for a call route ································································································· 549 
Advanced settings configuration example ················································································································ 550 
Configuring out-of-band DTMF transmission mode for SIP ············································································· 550 

Configuring SIP-to-SIP call settings ························································································································· 552 


Configuring codec transparent transmission ············································································································· 552 

Configuring dial plans ············································································································································ 553 


Dial plan process ················································································································································ 553 
Regular expression ·············································································································································· 554 
Introduction to dial plan functions ······························································································································ 556 
Number match ····················································································································································· 556 
Call control ··························································································································································· 557 
Number substitution ············································································································································ 557 
Configuring dial plan ·················································································································································· 558 
Configuring number match ································································································································ 558 
Configuring call control ······································································································································ 559 
Configuring number substitution ························································································································ 563 
Dial plan configuration examples ······························································································································ 565 
Configuring number match mode ······················································································································ 565 
Configuring the match order of number selection rules ·················································································· 567 
Configuring entity type selection priority rules ································································································· 570 
Configuring call authority control ······················································································································ 574 
Configuring number substitution ························································································································ 577 

Configuring call connections·································································································································· 585 


Introduction to SIP ························································································································································ 585 
Terminology ························································································································································· 585 
Functions and features of SIP ····························································································································· 586 
SIP messages························································································································································ 587 
SIP fundamentals ················································································································································· 587 
Support for transport layer protocols ························································································································· 590 
SIP security ···································································································································································· 590 
Signaling encryption ··········································································································································· 590 
Media flow encryption········································································································································ 591 
TLS-SRTP combinations ········································································································································ 591 
Support for SIP extensions ··········································································································································· 592 
Configuring SIP connections ·································································································································· 593 
Configuring connection properties ····························································································································· 593 
Configuring registrar··········································································································································· 593 
Configuring proxy server···································································································································· 595 
Configuring session properties ··································································································································· 595 
Configuring source address binding ················································································································· 596 
Configuring SIP listening ···································································································································· 597 
Configuring media security ································································································································ 598 
Configuring caller identity and privacy ············································································································ 598 
Configuring SIP session refresh·························································································································· 599 
Configuring compatibility ··································································································································· 600 
Configuring advanced settings ··································································································································· 602 
Configuring registration parameters ················································································································· 602 
Configuring voice mailbox server ····················································································································· 604 
Configuring signaling security ··························································································································· 605 
Configuring call release cause code mapping ········································································································· 606 
Configuring PSTN call release cause code mappings ···················································································· 606 
Configuring SIP status code mappings ············································································································· 607 
SIP connection configuration examples ····················································································································· 608 
Configuring basic SIP calling features ·············································································································· 608 
Configuring caller ID blocking ··························································································································· 608 
Configuring SRTP for SIP calls···························································································································· 610 
Configuring TCP to carry outgoing SIP calls ···································································································· 611 
Configuring TLS to carry outgoing SIP calls ····································································································· 612 

Configuring SIP server group management ·········································································································· 614 


Configuring a SIP server group ·································································································································· 614 

Configuring SIP trunk ·············································································································································· 617 


Background ·························································································································································· 617 
Features ································································································································································ 618 
Typical applications ············································································································································ 618 
Protocols and standards ····································································································································· 619 
Configuring SIP trunk ··················································································································································· 619 
Configuration task list ········································································································································· 619 
Enabling the SIP trunk function ·························································································································· 620 
Configuring a SIP server group ························································································································· 620 
Configuring a SIP trunk account ························································································································ 621 
Configuring a call route for outbound calls ·············································································································· 622 
Configuring a call route for a SIP trunk account ······························································································ 622 
Configuring fax and modem parameters of the call route of a SIP trunk account ······································· 624 
Configuring advanced settings of the call route of a SIP trunk account ························································ 624 
Configuring codec transparent transmission ···································································································· 626 
Configuring a call route for inbound calls ················································································································ 626 
SIP trunk configuration examples ······························································································································· 627 
Configuring a SIP server group with only one member server ······································································· 627 
Configuring a SIP server group with multiple member servers ······································································· 635 
Configuring call match rules ······························································································································ 637 

Configuring data link management ······················································································································· 640 


Introduction to E1 and T1 ··········································································································································· 640 
E1 and T1 voice functions ··········································································································································· 640 
E1 and T1 interfaces ··········································································································································· 640 
Features of E1 and T1 ········································································································································ 641 
Introduction to BSV interface ······························································································································ 642 
Configuring digital link management ························································································································ 643 

Configuring VE1 line ·········································································································································· 643 
Configuring VT1 line ··········································································································································· 648 
Configuring BSV line··········································································································································· 651 
Displaying ISDN link state ·································································································································· 656 
E1 and T1 voice configuration example ··················································································································· 657 
Configuring E1 voice DSS1 signaling ·············································································································· 657 

Configuring line management································································································································ 660 


FXS voice subscriber line ···································································································································· 660 
FXO voice subscriber line ··································································································································· 660 
E&M subscriber line ············································································································································ 660 
One-to-one binding between FXS and FXO voice subscriber lines ································································ 662 
Echo adjustment function ············································································································································· 662 
Adjusting echo duration ····································································································································· 662 
Adjusting echo cancellation parameters ··········································································································· 663 
Enabling the nonlinear function of echo cancellation ····················································································· 663 
Line management configuration ································································································································· 663 
Configuring an FXS voice subscriber line ········································································································· 663 
Configuring an FXO voice subscriber line ······································································································· 666 
Configuring an E&M subscriber line ················································································································· 669 
Configuring an ISDN line ··································································································································· 672 
Line management configuration examples ················································································································ 674 
Configuring an FXO voice subscriber line ······································································································· 674 
Configuring one-to-one binding between FXS and FXO ················································································· 675 

Configuring SIP local survival ································································································································ 683 


Configuring SIP local survival ····································································································································· 684 
Service configuration ·········································································································································· 684 
User management ··············································································································································· 685 
Trusted nodes ······················································································································································· 686 
Call-out route························································································································································ 686 
Area prefix ··························································································································································· 687 
Call authority control··········································································································································· 688 
SIP local survival configuration examples ················································································································· 689 
Configuring local SIP server to operate in alone mode ·················································································· 689 
Configuring local SIP server to operate in alive mode···················································································· 692 
Configuring call authority control ······················································································································ 694 
Configuring an area prefix ································································································································ 699 
Configuring a call-out route ······························································································································· 702 

Configuring IVR ······················································································································································· 705 


Advantages ··································································································································································· 705 
Customizable voice prompts ······························································································································ 705 
Various codecs ···················································································································································· 705 
Flexible node configuration································································································································ 705 
Customizable process ········································································································································· 705 
Successive jumping ············································································································································· 706 
Error processing methods ··································································································································· 706 
Timeout processing methods ······························································································································ 706 
Various types of secondary calls ······················································································································· 706 
Configuring IVR ···························································································································································· 706 
Uploading media resource files ························································································································· 706 
Configuring the global key policy ······························································································································ 707 
Configuring IVR nodes ················································································································································ 709 
Configuring a call node ····································································································································· 709 
Configuring a jump node ··································································································································· 712 

Configure a service node ··································································································································· 714 
Configuring access number management ················································································································· 715 
Configuring an access number ·························································································································· 715 
Configuring advanced settings for an access number ···················································································· 716 
IVR configuration examples ········································································································································ 717 
Configure a secondary call on a call node (match the terminator of numbers) ··········································· 717 
Configure a secondary call on a call node (match the number length) ························································ 721 
Configure a secondary call on a call node (match a number) ······································································ 724 
Configure an extension secondary call on a call node ·················································································· 726 
Configuring a jump node ··································································································································· 728 
Configure an immediate secondary call on a service node
Configure a secondary call on a service node
Configure a call node, jump node, and service node
Customizing IVR services
Creating a menu
Binding an access number
Customizing IVR services
Custom IVR service configuration examples

Advanced IVR configuration

Global configuration
Batch configuration
Local number
Call route
Line management
SIP local survival services

Displaying states and statistics

Displaying line states
Displaying detailed information about analog voice subscriber lines
Displaying detailed information about digital voice subscriber lines
Displaying call statistics
Displaying active call summary
Displaying history call summary
Displaying SIP UA states
Displaying TCP connection information
Displaying TLS connection information
Displaying number register status
Displaying number subscription status
Displaying local survival service states
Displaying SIP trunk account states
Displaying server group information
Displaying IVR information
Displaying IVR call states
Displaying IVR play states

Support and other resources

Contacting HP
Subscription service
Related information
Documents
Websites
Conventions

Index

Web overview

The device provides web-based configuration interfaces for visual device management and maintenance.
Figure 1 Web-based network management operating environment

Logging in to the web interface


Use the following default settings to log in to the web interface through HTTP:
• Username—admin
• Password—admin
• IP address of the device—192.168.1.1.
To log in to the web interface of the device from a PC:
1. Connect the Ethernet port of the device to the PC with a crossover Ethernet cable.
2. Configure an IP address for the PC, and make sure that the PC and the device can reach each other.
For example, assign the PC an IP address such as 192.168.1.2 within the network segment
192.168.1.0/24 (any address except 192.168.1.1).
3. Open the browser and enter the login information:
a. Enter the IP address http://192.168.1.1 in the address bar, and press Enter.
The login page of the web interface appears (see Figure 2).
b. Enter the username admin, the password admin, and the verification code. Select the language (English and
Chinese are supported), and click Login.
Figure 2 Login page of the web interface

NOTE:
• The PC in Figure 1 is the one where you configure the device, but it is not necessarily the web-based network
management terminal. The web-based network management terminal is a PC (or another terminal) used to log in
to the web interface, and it must be reachable by the device.
• After logging in to the web interface, you can create a new user and configure the IP address of the interface
connecting the user to the device.
• If you click the verification code displayed on the web login page, you can get a new verification code.
• Up to 24 users can concurrently log in to the device through the web interface.

Logging out of the web interface


Click Logout in the upper-right corner of the web interface to quit web-based network management.
The system does not automatically save the current configuration before you log out of the web interface,
so remember to save the current configuration before logout.

NOTE:
Closing the browser does not automatically log out a logged-in user.

Introduction to the web interface


The web-based interface is composed of three parts: navigation area, title area, and body area, as
shown in Figure 3.

Figure 3 Initial page of the web interface

(1) Navigation area (2) Title area (3) Body area

• Navigation area—Organizes the web function menus in the form of a navigation tree, where you
can select function menus as needed. The result is displayed in the body area.

• Title area—On the left, displays the path of the current configuration interface in the navigation
area. On the right, provides the Save button to quickly save the current configuration, the Help
button to display the web related help, and the Logout button to log out of the web interface.
• Body area—The area where you can configure and display a function.

User level
Web user levels, ranging from low to high, are visitor, monitor, configure, and management.
• Visitor—Users of this level can perform the ping and trace route operations, but cannot access the
device data or configure the device.
• Monitor—Users of this level can access the device data but cannot configure the device.
• Configure—Users of this level can access data from the device and configure the device, but they
cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform all operations for the device.

Introduction to web-based NM functions


The User level column in Table 1 gives the lowest level that can perform each operation: users of that
level or of a higher level can perform it. See Table 1.
Table 1 Description of web-based NM functions

Function menu Description User level


View and refresh device
information, broadband
connection information, 3G
wireless card state, LAN
Device Information Monitor
information, WLAN
information, services
information, and recent system
Device Information
logs.

View the URL address of a


Monitor
card.
Integrated Service
Management Change the URL address of a
card, and log in to the web Configure
interface of the card.

Perform basic service


Wizard Basic Configuration Wizard Configure
configuration of routers.

View configuration information


of a WAN interface, and Monitor
WAN interface statistics.
WAN Interface Setup
Interface Setup Modify WAN interface
Interface configuration, and clear the Configure
Setup statistics of a WAN interface.

View configuration information


LAN Interface Monitor
VLAN Setup of a VLAN.
Setup
Configure a VLAN. Configure

View configuration information
Monitor
VLAN Interface Setup of a VLAN interface.

Configure a VLAN interface. Configure

View wireless service, radio


Monitor
and client information.

View wireless service, radio


Summary and client information; clear
radio statistics; clear client
Configure
statistics, disconnect a
connection, and add a client
to a blacklist.

View configuration information


Monitor
about an access service.
Access Service
Create and configure an
Configure
access service.

View radio parameters and


Monitor
radio rate settings.
Radio Set radio parameters,
Wireless 802.11a/b/g rates, and Configure
Configuration 802.11n MCS.

View configuration information


for blacklist, whitelist, and user Monitor
Security isolation.

Configure blacklist, whitelist,


Configure
and user isolation.

View wireless QoS and rate


limiting settings, and radio Monitor
and client information.
Wireless QoS
Configure wireless QoS and
rate limiting, and clear radio Configure
and client information.

View configuration information


Monitor
Country Code of the country code.

Set the country code. Configure

View 3G modem information,


3G Information UIM card information, and 3G Monitor
network information.
3G
View UIM card status. Monitor
PIN Code Management
Manage PIN codes. Configure

View information about NAT


Monitor
Dynamic NAT configurations.
NAT NAT
Configuration Configuration Configure NAT. Configure

DMZ HOST Create a DMZ host. Monitor

Enable DMZ host on an
Configure
interface.

View configurations of the


Monitor
NAT Server Setup internal server.

Configure the internal server. Configure

View configurations of the


application layer protocol Monitor
ALG check function.

Configure the application


Configure
layer protocol check function.

View configuration information


about the number of Monitor
Nat Outbound Setup connections displayed.

Configure connection limit. Configure

View access control


Monitor
Access configuration information.

Configure access control. Configure

View information about URL


Monitor
filtering conditions.
URL Filter
Add or delete URL filtering
Configure
conditions.

View information about MAC


Monitor
address filtering conditions.
MAC Address Filtering Set MAC address filtering
types, add or delete MAC Configure
addresses to be filtered.

View and refresh the blacklist


information and whether Monitor
blacklist filtering is enabled.
Security Blacklist
Setup Add, modify, delete and clear
Attack Defend blacklist entries, and enable or Configure
disable blacklist filtering.

View intrusion detection


Monitor
Intrusion Detection configuration information.

Configure intrusion detection. Configure

View application control


Monitor
Application Control configuration information.

Configure application control. Configure

Load an application and view


Application Load Application Configure
the loaded application.
Control
View custom application
Monitor
information.
Custom Application
Add, modify, and delete a
Configure
custom application.

View the configuration
Monitor
information of redirection.
Redirection Add, modify, or remove the
redirection configuration on an Configure
interface.

View IPv4 route summary


Summary Monitor
information.
Route Setup
Create Create IPv4 static routes. Configure

Remove Delete IPv4 static routes. Configure

View the IP address, mask,


and load sharing information Monitor
of an interface.
User-based-sharing
Modify the load sharing status
and shared bandwidth of an Configure
interface.

View IP addresses, traffic


ordering mode and traffic Monitor
Config ordering interval for interfaces.

Configure traffic ordering


Configure
mode and interval.
Traffic
Ordering Statistics of Inbound View inbound interface traffic
Monitor
Interfaces ordering statistics.
Advance

Statistics of Outbound View outbound interface traffic


Monitor
Interfaces ordering statistics.

View DNS configurations. Monitor


DNS Configuration
Configure DNS. Configure
DNS Setup View DDNS configurations. Monitor
DDNS Configuration Add, modify, and delete a
Configure
DDNS entry.

View whether DHCP is


Monitor
DHCP Enable globally enabled or disabled.

Enable or disable DHCP. Configure

DHCP Setup View DHCP server, relay, or


client configurations on an Monitor
DHCP Interface Setup interface.

Enable the DHCP server, relay,


Configure
or client on an interface.

View summary IPv4 ACL


Summary Monitor
information.
QoS ACL
Create Create an IPv4 ACL. Configure
Setup IPv4
Configure a basic rule for an
Basic Config Configure
IPv4 ACL.

Configure an advanced rule
Advanced Config Configure
for an IPv4 ACL.

Configure a link layer rule for


Link Config Configure
an IPv4 ACL.

Remove Remove an IPv4 ACL. Configure

View subnet limit configuration


Monitor
information.
Subnet Limit
Add, modify or delete subnet
Configure
limit rules.

View advanced limit


Monitor
configuration information.
Advanced Limit
Add, modify, or delete
Configure
advanced limit rules.

View advanced queue


Monitor
configuration information.

Advanced Queue Configure interface


bandwidth, add, modify, or
Configure
delete bandwidth guarantee
policies.

Summary View classifier information. Monitor

Create Create a classifier. Configure


Classifier Configure classification rules
Setup Configure
for a classifier.

Remove Remove a classifier. Configure

Summary View behavior information. Monitor

Create Create a behavior. Configure


Behavior Configure actions for a
Setup Configure
behavior.

Remove Remove a behavior. Configure

Summary View QoS policy information. Monitor

Create Create a QoS policy. Configure


Policy Configure classifier-behavior
Setup Configure
associations.

Remove Remove a QoS policy. Configure

View QoS policy application


Summary Monitor
information of a port.
Port
Setup Apply a QoS policy to a port. Configure
Policy
Remove a QoS policy from a
Remove Configure
port.

SNMP (supported View and refresh SNMP


on the A-MSR20, Setup configuration information and Monitor
A-MSR30, and statistics.

A-MSR50) Configure SNMP. Configure

View brief information about


Monitor
SNMP communities.
Community
Create, modify and remove an
Configure
SNMP community.

View brief information about


Monitor
SNMP groups.
Group
Create, modify, and remove
Configure
an SNMP group.

View brief information about


Monitor
SNMP users.
User
Create, modify, and remove
Configure
an SNMP user.

View the status (enabled or


disabled) of the SNMP trap
Monitor
function and target host
Trap information.

Enable or disable the SNMP


trap function; create, modify, Configure
and remove a target host.

View brief information of


Monitor
SNMP views.
View
Create, modify, and remove
Configure
an SNMP view.

View and set global bridging


Global Config Configure
information.
Bridge
View and set interface
Config Interface Configure
bridging information.

View user group configuration. Monitor


Group
Configure user groups. Configure

View user configuration. Monitor


User User
Group View users. Configure

WAN Synchronize the user group


Synchroni configuration to a WAN Configure
Security zation interface.

View access control


Monitor
configuration.
Connection Control
Configure time range-based
Configure
access control.

View custom application


Application Control Monitor
configuration.


Customize applications. Configure

View bandwidth management


Monitor
Bandwidth configuration.

Configure bandwidth control. Configure

View packet filtering rules. Monitor


Packet Filter Configure packet filtering
Configure
rules.

Configure the MST


region-related parameters and Monitor
VLAN-to-MSTI mappings.
Region
Modify the MST region-related
parameters and VLAN-to-MSTI Configure
mappings.
MSTP
View MSTP port parameters. Monitor
Port
Modify MSTP port parameters. Configure

View MSTP parameters


Global Configure
globally.

RADIUS View and add, modify, and delete a RADIUS scheme. Management

View login control rules. Monitor


Access Add and delete a login control
Configure
rule.

View an ARP table. Monitor


ARP Table Add, modify, and delete ARP
Configure
entries.

View gratuitous ARP


Monitor
Gratuitous ARP configuration information.

Configure gratuitous ARP. Configure


ARP View the number of dynamic
Management ARP entries that an interface Monitor
can learn.

Enable or disable an interface


Dynamic Entry to or from learning dynamic
ARP entries, and change the
Configure
number of dynamic ARP
entries that an interface can
learn.

Specify the interface


ARP
Scan performing ARP automatic Monitor
Anti-Attack
scanning.

Start or stop ARP scanning. Configure

View all static and dynamic


Monitor
ARP entries.
Fix Convert all dynamic ARP
entries to static ones or delete Configure
all static ARP entries.

View IPsec connection


Monitor
configuration.
IPsec Connection Add, modify, delete, enable,
or disable an IPsec Configure
connection.

View configuration, status,


IPsec VPN and tunnel information of IPsec Monitor
connections.

Monitoring Information Delete tunnels that are set up


with configuration of an IPsec
connection, and delete all Configure
ISAKMP SAs of an IPsec
VPN
connection.

View L2TP status and L2TP


group configuration Monitor
information.
L2TP Configuration
L2TP Configure L2TP status, add,
modify or delete an L2TP Configure
group.

Tunnel Info View L2TP tunnel information. Monitor

View GRE tunnel information. Monitor


GRE Add, modify, or delete a GRE
Configure
tunnel.

View PKI entity information. Monitor


Entity Add, change, and delete PKI
Configure
entities.

View PKI domain information. Monitor


Domain Add, change, and delete PKI
Configure
domains.
Certificate View PKI certificates and
Management Monitor
details of the certificate.

Certificate Create keys, retrieve


certificates, apply for
Configure
certificates, and delete
certificates.

View CRLs. Monitor


CRL
Retrieve CRLs. Configure

Save the current configuration
to the configuration file to be Configure
used at the next startup.
Save
Save the current configuration as the factory default configuration. Management

Restore all configurations on


Initialize the device to the factory Configure
default configuration.

Backup Configuration Upload the current startup configuration file of the device to the TFTP server for backup. Management
Configuration

Restore Configuration Download the configuration file saved on the TFTP server to the current configuration file of the device. Management

View device files. Monitor

Back up files on the device to


the destination device through
Backup and Restore a USB port; transfer files from
Configure
the device where the files are
backed up to the local device
through a USB port.
System
Management Reboot Reboot device. Configure

View related configuration of


Configure
system services.
Service Management Set whether to enable different services and set related parameters. Management

View brief information of


User Summary Monitor
users.

Super Password Set the super password for switching to management level. Management

Create User Create a user. Management
Users

Modify User Modify user account. Management

Remove User Remove a user. Management

Switch user access level to the


Switch To Management Visitor
management level.

View SNMP configuration


SNMP (supported on the A-MSR900 series Monitor
information.
and MSR20-1X series)
Configure SNMP. Configure

View current system time and
Monitor
System Time System Time its configurations.

Set system time. Configure

View TR-069 configurations. Monitor


TR-069
Set TR-069. Configure

Software Upgrade Upgrade software of the device. Management

View detailed system logs. Monitor


Loglist
Clear log buffer. Configure

View configurations of the


Monitor
specified loghost.
Loghost
Set the IP address of the
Configure
loghost.
Syslog
View the number of logs that
can be stored in the log buffer;
Other set the refresh period on the Monitor
Logset log information displayed on
the web interface.

Set the number of logs that can


Configure
be stored in the log buffer.

Execute ping and view the


Ping Visitor
Diagnostic result.
Tools Execute trace route and view
Trace Route Visitor
the result.

View and refresh the WiNet


topology diagram and view Monitor
detailed device information.

Manually trigger the collection


WiNet Management of topology information, save
the current WiNet topology as
the baseline topology, restore Configure
the configuration to factory
WiNet
defaults, and restart the
member.

Setup Configure WiNet. Configure

View RADIUS user


Monitor
information.
User Management
Add, modify, and delete a
Configure
RADIUS user.

View configuration information


about the configuration Monitor
Voice wizard.
Configuration Wizard
Management Configure voice basic
parameters through the Configure
configuration wizard.

View local number
Monitor
configuration information.
Local Number
Create, set, and delete a local
Configure
number.

View call route configuration


Monitor
information.
Call Route
Create, set, and delete a call
Configure
route.

View number match


Monitor
configuration information.
Number Match
Configure number match
Configure
parameters.

View call number groups, and


the maximum number of call Monitor
connections in a set.
Dial Plan
Call Authority Control Configure a call number
group, and the maximum
Configure
number of call connections in
a set.

View number substitution


Monitor
Number Substitution configuration information.

Configure number substitution. Configure

View connection properties,


session properties, advanced
Monitor
settings, and call release cause
code mappings.
SIP Connection
Configure connection
properties, session properties,
Call Configure
advanced settings, and call
Connection release cause code mappings.

View SIP server group


Monitor
configuration.
SIP Server Group
Management
Configure a SIP server group. Configure

View VE1, VT1, and BSV line


Monitor
configuration, and line state.
Digital Link Management
View and configure a VE1,
Configure
VT1, and BSV line.

View FXS, FXO, E&M, and


ISDN configuration Monitor
information and state.
Line Management
Configure an FXS, FXO, E&M,
and ISDN line, and query their Configure
state.

SIP Trunk Service Configuration View SIP trunk status. Monitor

Management Enable the SIP trunk function. Configure

View SIP account


Monitor
configuration.
Account Management
Add, modify, and delete a SIP
Configure
account.

View call route configuration. Monitor


Call Route Add, modify, and delete a call
Configure
route.

View SIP local survival


Monitor
Service Configuration configuration.

Configure SIP local survival. Configure

View registered user


Monitor
configuration.
User Management
Add, modify, and delete a
Configure
registered user.

View trust node configuration. Monitor


Trust Nodes Add, modify, and delete a
Configure
trust node.

SIP Local View call-out route


Monitor
Survival configuration.
Call-Out Route
Add, modify, and delete a
Configure
call-out route.

View area prefix


Monitor
configuration.
Area Prefix
Add and delete an area
Configure
prefix.

View call authority control


Monitor
configuration and application.
Call Authority Control Add and delete a call rule set,
and apply the call rule set Configure
globally or to registered users.

View media resources


Monitor
configuration.
Media Resources
Management Upload media resource files or
configure an MOH audio input Configure
port.

IVR Services View access number


Monitor
Access Number configuration.
Management Add, modify, and delete an
Configure
access number.

Processing Methods View processing methods


Monitor
Customization customization configuration.

Configure processing methods
Configure
customization configuration.

View service node and global


Monitor
key policy configuration.
Advanced Settings Configure service node and
global key policy Configure
configuration.

View global configuration


Monitor
Global Configuration information.

Perform global configurations. Configure

Advanced View batch configuration


Monitor
Configuration information.

Batch Configuration Create local numbers, call


routes, manage lines, and
Configure
configure SIP local survival in
batches.

View information about all


Line States Monitor
voice subscriber lines.

View and refresh active and


Monitor
history call statistics.
Call Statistics View and refresh active and
history call statistics, and clear Configure
history call statistics.

View information about all


TCP-based call connections,
TLS-based call connections,
Monitor
States and number register information,
Statistics and subscription status
information.

SIP UA States View information about all


TCP-based call connections,
TLS-based call connections,
number register information,
Configure
and subscription status
information, and terminate
specified TCP and TLS
connections.

Local Survival Service View and refresh registration


Monitor
States and subscription status.

Common web interface elements
Common buttons and icons
Table 2 Common buttons and icons

Button and icon Description


Validates the configuration.

Cancels the configuration, and goes to the corresponding display page or device information page.

Refreshes the current page.

Clears all statistics or items in a list.

Adds an item.

Deletes entries on a list.

Selects all entries on a list or all ports on a device panel.

Clears all selected entries on a list or all ports on a device panel.

Typically located on the Operation column of a display page, it launches the modify page of a corresponding entry to display or modify the configurations of the entry.

Typically located on the Operation column of a display page, it removes an entry.

Content display by pages


The web interface can display contents by pages, as shown in Figure 4. You can set the number of entries
displayed per page and view the contents on the first, previous, next, and last pages, or go to any page
that you want to check.

Figure 4 Content display by pages

Searching function
The web interface provides basic and advanced search functions, which display entries matching the
specified search criteria.
• Basic search—As shown in Figure 4, enter the keyword in the text box above the list, select a search
item from the dropdown list, and click the Search button to display the entries that match your
criteria. Figure 5 shows an example of searching for entries with VLAN ID equal to 2.
Figure 5 Basic search function example

• Advanced search—As shown in Figure 4, you can click the Advanced Search link to open the
advanced search page illustrated in Figure 6. Specify the search criteria, and click Apply to display
the entries that match your criteria.

Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. To search for the ARP entries with interface Ethernet
0/4, and IP address range from 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 7, and click Apply. The ARP entries with interface Ethernet 0/4 are displayed.
Figure 7 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 8, and click Apply. The ARP entries with interface Ethernet 0/4 and IP address range from
192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 9.
Figure 8 Advanced searching function example (II)

Figure 9 Advanced searching function example (III)

Sorting function
The web interface provides you with a basic sorting function to sort entries by column.
Basic sorting function: On a list page, click the blue heading item of each column to sort the entries based
on the heading item you selected. After you click, the heading item is displayed with an arrow beside it,
as shown in Figure 10. The upward arrow indicates ascending order, and the downward arrow indicates
descending order.
Figure 10 Basic sorting function example (based on IP address in descending order)

Managing web-based NM through CLI
Enabling or disabling web-based NM
Table 3 Enable/disable the web-based NM service

Task                                   Command
Enable the web-based NM service.       ip http enable
Disable the web-based NM service.      undo ip http enable

Managing the current web user


Table 4 Manage the current web user

Task                                      Command
Display currently logged in users.        display web users
Log out a specified user or all users.    free web-users { all | user-id userid | user-name username }

Configuration guidelines
• The web-based configuration interface supports the following:
  ◦ Operating systems: Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition,
    Windows Server 2003 Standard Edition, Windows Vista, Linux and MAC OS.
  ◦ Browsers: Microsoft Internet Explorer 6.0 SP2 and later, Mozilla Firefox 3.0 and later, and
    Google Chrome 2.0.174.0 and later.
• The web-based configuration interface does not support the Back, Next, and Refresh buttons provided by
the browser. Using these buttons may result in abnormal display of webpages.
• The Windows firewall limits the number of TCP connections. When you use IE to log in to the web
interface, you may be unable to open the web interface. To avoid this problem, turn off the
Windows firewall before logging in.
• If the software version of the device changes, clear the cache data on the browser before logging in
to the device through the web interface. Otherwise, the webpage content may not be displayed
correctly.
• You can display at most 20,000 entries that support content display by pages.

Troubleshooting web browser


Failure to access the device through the web interface
Symptom
You can ping the device successfully and log in to the device through telnet. HTTP is enabled, and the
operating system and browser version meet the web interface requirements. However, you cannot access
the web interface of the device.

Analysis
• If you use Microsoft Internet Explorer, you can access the web interface only when the following
functions are enabled: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for
scripting, and active scripting.
• If you use Mozilla Firefox, you can access the web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings


1. Open Internet Explorer, and select Tools > Internet Options.
2. Click the Security tab, and then select a web content zone to specify its security settings. See Figure
11.
Figure 11 Internet Explorer setting (I)

3. Click Custom Level, and the Security Settings dialog box appears.
4. Enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for
scripting, and Active scripting. See Figure 12.

Figure 12 Internet Explorer Setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox web browser settings
1. Open the Firefox web browser, and select Tools > Options.
2. Click the Content tab, select Enable JavaScript, and click OK. See Figure 13.
Figure 13 Firefox web browser setting

Configuring device information

Displaying device information


You can view the following information on the Device Info menu:
• Device information
• Broadband connection information
• 3G wireless card state
• LAN information
• WLAN information
• Services information
• Recent system logs (The five most recent system logs are displayed)
After logging in to the web interface, the Device Info page appears, as shown in Figure 14.

NOTE:
The Device Info page contains five parts, which correspond to the five tabs below the figure on the page
(except the Service Information and Recent System Logs tabs). When you point to a part of the figure, the
system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking
this part.

Figure 14 Device information

Select the refresh mode in Refresh Period.
• If you select a specific period, the system automatically refreshes the Device Info page.
• If you select Manual, click Refresh to refresh the page.

Device information
Table 5 Field description

Field Description
Device Model Device name

Device ID Device ID

Software Version Software version of the device

Firmware Version Firmware version of the device

Hardware Version Hardware version of the device

Running Time Running time since the device was rebooted

CPU Usage Real-time CPU usage

Memory Usage Real-time memory usage

Broadband connection information


Table 6 Field description

Field Description
Interface Interface name

Session Type Connection type of the interface

Network-Side Connection State Connection state at the network side of the interface

IP Address/Mask IP address and mask of the interface

DNS Server IP address of the DNS server

Uplink Rate (Kbits/Second) Average rate of outgoing data for the last 300 seconds

Downlink Rate (Kbits/Second) Average rate of incoming data for the last 300 seconds

Work Mode Rate and duplex mode of the interface

3G wireless card state
To display detailed information about the 3G wireless card state, click the More link in the 3G Wireless
Card State area. This displays information about the 3G modem, UIM card, and 3G network.
Figure 15 3G wireless card state

Table 7 Field description

Field Description
3G Modem Information Connection state of the 3G network.

3G Modem State State of the 3G modem:
• Normal—A 3G modem is connected to the router.
• Absent or unrecognized modem—No 3G modem is connected to the
router, or the modem cannot be recognized.

Model Model of the 3G modem.

Manufacturer Manufacturer of the 3G modem.

CMII ID CMII ID of the 3G modem.

Serial Number Serial number of the 3G modem.

Hardware Version Hardware version of the 3G modem.

Firmware Version Firmware version of the 3G modem.

PRL Version PRL version of the 3G modem.

UIM Card State State of the UIM card:
• Absent.
• Being initialized.
• Fault.
• Destructed.
• PIN code protection is disabled.
• PIN code protection is enabled. Enter the PIN code for authentication.
• PIN code protection is enabled, and the PIN code has passed the
authentication.
• The PIN code has been blocked. Enter the PUK code to unblock it.

IMSI IMSI of the UIM card.

Voltage Power voltage of the UIM card.

Mobile Network 3G network where the UIM card resides.

Network Type State of the 3G network where the UIM card resides:
• No Service
• CDMA
• HDR
• CDMA/HDR HYBRID
• Unknown

RSSI RSSI of the 3G network.

LAN information
Table 8 Field description

Field Description
Interface Interface name

Link State Link state of the interface

Work Mode Rate and duplex mode of the interface

WLAN information
Table 9 Field description

Field Description
SSID (WLAN Name) Name of the WLAN service

Service Status Whether the service is enabled or disabled

Number of PCs Connected Number of PCs connected to the WLAN service

Service information
Table 10 Field description

Field Description
Service Name of the service

Status Status of the service

Recent system logs


Table 11 Field description

Field Description
Time Time when system logs were generated

Level Level of system logs

Description Contents of system logs

Integrated service management


For devices with a card installed, if the card provides the web interface access function, after specifying
the URL address of the card on the integrated service management page, you can log in to the web
interface of the card to manage the card.
After logging in to the web interface of the device, the Device Info page appears by default. Click the
Integrated Service Management tab to display the page to view card information of the device.
Figure 16 Integrated service management

• To change the URL address of the card, click the icon of the target card, as shown in Figure 16.
Enter the URL address in the box (see Figure 17), and click the corresponding icon to apply the
configuration or to cancel the modification.
• Set the URL address of the card, and then connect the card to the LAN to which the administrator
belongs. On the page shown in Figure 16, click Manage. A page linked to the specified URL
address appears where you can log in to the web interface of this card to manage it.
Figure 17 Change card URL address

Configuring web interface basic services

You can configure the following basic services on the web interface:
• Setting WAN interface parameters
• Setting LAN interface parameters
• Setting WLAN interface parameters
This document guides you through quick configuration of basic services of routers, including configuring
WAN, LAN, and WLAN interface parameters.

NOTE:
• For more information about WAN interfaces, see "Configuring WAN interfaces."
• For more information about LAN interfaces, see "Configuring VLAN."
• For more information about WLAN interfaces, see "Configuring wireless services."

Starting the basic configuration wizard


From the navigation tree, select Wizard > Basic Configuration Wizard to display the basic configuration
wizard page, as shown in Figure 18.
Figure 18 Basic configuration wizard

Setting WAN interface parameters


On the basic configuration wizard page, click Next to display the page for configuring WAN interface
parameters.

The page for configuring WAN interface parameters varies with the interface type. You can set
Ethernet, SA, ADSL/G.SHDSL, CE1/PRI, and CT1/PRI interface parameters.

Ethernet interface
Figure 19 Set Ethernet interface parameters

Table 12 Configuration of Ethernet interface parameters (in auto mode)

Item Description
WAN Interface Select the Ethernet interface to configure.

Connect Mode: Auto Select Auto connect mode to automatically obtain an IP address.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the
Ethernet interface, which is displayed in brackets.
• Use a customized MAC address—Assign a MAC address to the Ethernet
interface.

Table 13 Configuration of Ethernet interface parameters (in manual mode)

Item Description
WAN Interface Select the Ethernet interface to configure.

Connect Mode: Manual Use Manual connect mode to configure an IP address.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the Ethernet interface.

Subnet Mask Select a subnet mask for the Ethernet interface.

Gateway Address Configure the next hop of a static route.

DNS1, DNS2 Specify a DNS server IP address for the interface. DNS server 1 is used before
DNS server 2.
To configure the global DNS server, select Advanced > DNS Setup > DNS Configuration.
The global DNS server is queried prior to the DNS servers of the interfaces. In other
words, the DNS query is sent to the global DNS server first. If the query fails, the DNS
query is sent to the next DNS server until the query succeeds.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the
Ethernet interface, which is displayed in brackets.
• Use the customized MAC address—Assign a MAC address to the Ethernet
interface.

Table 14 Configuration of Ethernet interface parameters (in PPPoE mode)

Item Description
WAN Interface Select the Ethernet interface to configure.

Connect Mode: PPPoE Select the PPPoE connect mode.
In PPPoE mode, a user name and password should be provided by the local ISP.
When the device connects to the ISP server, the ISP server initiates PPPoE
authentication. When the device passes authentication, the ISP server sends the
IP address, subnet mask, gateway IP address, and DNS server IP address to the
device.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Online for all time / Online according to the Idle Timeout value Select an idle timeout interval:
• Online for all time—The device is always online.
• Online according to the idle timeout value—The device disconnects from the
server if no data exchange occurs between it and the server within the
specified time. Then it automatically establishes the connection upon
receiving a request for access.

Idle timeout When Online according to the Idle Timeout value is enabled, specify an idle
timeout value.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the
Ethernet interface, which is displayed in brackets.
• Use the customized MAC address—Assign a MAC address to the Ethernet
interface.

SA interface
Figure 20 Set SA parameters

Table 15 Configuration of SA interface parameters

Item Description
WAN Interface Select the SA interface to configure.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the SA interface.

Subnet Mask Select a subnet mask for the SA interface.

ADSL/G.SHDSL interface
Figure 21 Set ADSL/G.SHDSL parameters

Table 16 Configuration of ADSL/G.SHDSL interface parameters (in IPoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: IPoA Select the IPoA connect mode.

PVC Specify the VPI/VCI value for PVC.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the ADSL/G.SHDSL interface.

Subnet Mask Select a subnet mask for the ADSL/G.SHDSL interface.

Map IP Specify the peer destination IP address of the mapped PVC.

Table 17 Configuration of ADSL/G.SHDSL interface parameters (in IPoEoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: IPoEoA Select the IPoEoA connect mode.

PVC Specify the VPI/VCI value for PVC.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the ADSL/G.SHDSL interface.

Subnet Mask Select a subnet mask for the ADSL/G.SHDSL interface.

Table 18 Configuration of ADSL/G.SHDSL interface parameters (in PPPoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: PPPoA Select the PPPoA connect mode.

PVC Specify the VPI/VCI value for PVC.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Table 19 Configuration of ADSL/G.SHDSL interface parameters (in PPPoEoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: PPPoEoA Select the PPPoEoA connect mode.

PVC Specify the VPI/VCI value for PVC.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Online for all time / Online according to the Idle Timeout value Select an idle timeout value:
• Online for all time—The device is always online.
• Online according to the idle timeout value—The device disconnects from the
server if no data exchange occurs between it and the server within the
specified time. After that, it automatically establishes the connection upon
receiving a request.

Idle timeout When Online according to the Idle Timeout value is enabled, specify an idle
timeout value.

CE1/PRI interface
The CE1/PRI interface works in two modes: E1 mode and CE1 mode.
1. In E1 mode:
Figure 22 Set CE1/PRI interface parameters (in E1 mode)

Table 20 Configuration of CE1/PRI interface parameters (in E1 mode)

Item Description
WAN Interface Select the CE1/PRI interface to configure.

Work Mode: E1 Select the E1 work mode.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

2. In CE1 mode:

Figure 23 Set CE1/PRI interface parameters (in CE1 mode)

Table 21 Configuration of CE1/PRI interface parameters (in CE1 mode)

Item Description
WAN Interface Select the CE1/PRI interface to configure.

Work Mode: CE1 Select the CE1 work mode.

Operation Select one of the following operation actions:
• Create—Binds timeslots.
• Remove—Unbinds timeslots.

Serial Select a number for the created Serial interface.

Timeslot-List Specify the timeslots to be bound or unbound.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

CT1/PRI interface
Figure 24 Set CT1/PRI parameters

Table 22 Configuration of CT1/PRI interface parameters

Item Description
WAN Interface Select the CT1/PRI interface to configure.

Work Mode: E1 Select the CT1 work mode.

Operation Select one of the following operation actions:
• Create—Binds timeslots.
• Remove—Unbinds timeslots.

Serial Select the number for the created serial interface.

Timeslot-List Specify the timeslots to be bound or unbound.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Setting LAN interface parameters


After finishing the previous configuration, click Next to display the page for configuring LAN interface
parameters, as shown in Figure 25.

Figure 25 Set LAN parameters

Table 23 Configuration of LAN interface parameters

Item Description
VLAN Interface Displays the ID of the VLAN interface to configure.
IMPORTANT:
By default, the VLAN interface on the device that has the smallest number is displayed. If no
VLAN interface is available on the device, the system automatically creates an interface
numbered 1 and displays it.

IP Address, Subnet Mask Specify the IP address and a subnet mask for the VLAN interface.

DHCP Server Select whether to enable DHCP server.
If you enable DHCP server, the DHCP server configuration is displayed.

Start IP Address, End IP Address Specify the IP address range for dynamic allocation in an
extended address pool.
IMPORTANT:
If the extended address pool is configured on an interface, when a DHCP client's request
arrives at the interface, the server assigns an IP address from this extended address pool
only. Therefore, the client cannot obtain an IP address if no IP address is available in the
extended address pool.

Gateway IP Address Specify a gateway IP address in the DHCP address pool for DHCP clients.
When accessing a server or host that is not in its network segment, a DHCP client
needs the gateway to forward data for it. When you specify a gateway IP address in
the address pool, the DHCP server sends an IP address and the gateway IP address to
a requesting client.


DNS Server 1, DNS Server 2 Specify a DNS server IP address in the DHCP address pool for DHCP
clients. DNS server 1 is used before DNS server 2.
To allow DHCP clients to access the Internet through domain names, the DHCP server
sends an IP address and a DNS server IP address to clients.

Setting WLAN interface parameters


After finishing the previous configuration, click Next to display the page for configuring WLAN interface
parameters, as shown in Figure 26.
Figure 26 Set WLAN parameters

Table 24 Configuration of WLAN parameters

Item Description
WLAN Setting Select whether to make WLAN settings.

Network Name (SSID) Specify a wireless network name.

Network Hide Select whether to hide the network name.

Radio Unit Select a radio unit supported by the AP: 1 or 2.
Which value is supported varies with device models.

Enable Encrypt Select whether to enable data encryption.
With data encryption enabled, data transmission between wireless client and wireless
device can be securely encrypted.

Encrypt Act Select an encryption mode for the wireless network: WEP40 or WEP104.

Key Mode Select a key format.
• When you select WEP40, the key can be a 5-character string or 10-digit
hexadecimal number.
• When you select WEP104, the key can be a 13-character string or a 26-digit
hexadecimal number.

Key Seed, Key 1, Key 2, Key 3, Key 4 You can either use a key seed to generate keys or type
keys manually. Then, you can choose one of the configured keys.
• When you select WEP40 and ASCII, the generated or input key is a 5-character
string.
• When you select WEP40 and HEX, the generated or input key is a 10-digit
hexadecimal number.
• When you select WEP104 and ASCII, the generated or input key is a 13-character
string.
• When you select WEP104 and HEX, the generated or input key is a 26-digit
hexadecimal number.
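
The key-length rules in Table 24, as an added example that is not part of the HP guide: a Python check that a typed key matches the selected Encrypt Act and Key Mode and decodes to 5 raw bytes (WEP40) or 13 raw bytes (WEP104). Function names and sample keys are constructed, the printable-ASCII restriction is an assumption, and key-seed generation is not modelled because the guide does not describe it.

```python
"""Check WEP key entries against the length rules in Table 24 (added example)."""
import string

# (Encrypt Act, Key Mode) -> required number of characters, as listed in Table 24.
KEY_LENGTHS = {
    ("WEP40", "ASCII"): 5,
    ("WEP40", "HEX"): 10,
    ("WEP104", "ASCII"): 13,
    ("WEP104", "HEX"): 26,
}


class WepKeyError(ValueError):
    """Raised when a key does not match the selected encryption mode and format."""


def parse_wep_key(encrypt_act, key_mode, key):
    """Return the raw key bytes, or raise WepKeyError if the entry is malformed."""
    mode = (encrypt_act.upper(), key_mode.upper())
    if mode not in KEY_LENGTHS:
        raise WepKeyError(f"unsupported combination: {encrypt_act}/{key_mode}")
    expected = KEY_LENGTHS[mode]
    if len(key) != expected:
        raise WepKeyError(
            f"{mode[0]} {mode[1]} key needs {expected} characters, got {len(key)}"
        )
    if mode[1] == "HEX":
        if any(c not in string.hexdigits for c in key):
            raise WepKeyError("HEX key contains a non-hexadecimal digit")
        # Two hexadecimal digits encode one byte: 10 digits -> 5 bytes, 26 -> 13.
        return bytes.fromhex(key)
    # Assumption (not stated in the guide): ASCII keys are printable 7-bit characters.
    if any(not (0x20 <= ord(c) <= 0x7E) for c in key):
        raise WepKeyError("ASCII key contains a non-printable or non-ASCII character")
    return key.encode("ascii")


def audit_key_slots(encrypt_act, key_mode, keys, selected_slot):
    """Check the Key 1..Key 4 entries and the chosen slot.

    keys maps a slot number to the typed string. Returns a list of findings,
    empty when every entry is well formed and the selected slot is usable.
    """
    findings = []
    valid_slots = set()
    for slot in sorted(keys):
        if slot not in (1, 2, 3, 4):
            findings.append(f"Key {slot}: the page offers only Key 1 to Key 4")
            continue
        try:
            parse_wep_key(encrypt_act, key_mode, keys[slot])
        except WepKeyError as exc:
            findings.append(f"Key {slot}: {exc}")
        else:
            valid_slots.add(slot)
    if selected_slot not in keys:
        findings.append(f"selected Key {selected_slot} is not configured")
    elif selected_slot not in valid_slots:
        findings.append(f"selected Key {selected_slot} is malformed")
    return findings


if __name__ == "__main__":
    # Constructed sample entries, not taken from any device.
    sample = {1: "0123456789", 2: "12345", 3: "01234567zz"}
    for line in audit_key_slots("WEP40", "HEX", sample, selected_slot=4):
        print(line)
    raw = parse_wep_key("WEP104", "HEX", "00112233445566778899aabbcc")
    print(len(raw) * 8, "key bits")
```
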

Validating basic services configuration


After finishing basic services configuration, click Next to display the page shown in Figure 27 to validate
your configuration.

Figure 27 Check the basic service configuration

This page shows the configurations that you have made through the previous steps. Check the
configurations, and click Finish to validate them. To make any modification, click Back to go to previous
pages and edit the settings.
The page also provides an option Save Current Configuration to save the configurations to the
configuration file (either a .cfg file or an .xml file) to be used at the next startup of the device. If this option
is selected, the configurations you make persist through a device reboot.

Configuring WAN interfaces

The WAN interfaces that can be configured on the web interface include Ethernet interfaces, SA
interfaces, ADSL/G.SHDSL interfaces, CE1/PRI interfaces, and CT1/PRI interfaces.

Configuring an Ethernet interface


An Ethernet interface supports the following connection modes:
• Auto—The interface acts as a DHCP client to obtain an IP address through DHCP.
• Manual—The IP address and subnet mask are configured manually for the interface.
• PPPoE—The interface acts as a PPPoE client. PPPoE provides access to the Internet for hosts in an
Ethernet through remote access devices. It also implements access control and accounting on a
per-host basis. Because it is cost-effective, PPPoE is popular for various applications, such as
residential networks.
To configure an Ethernet interface:
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page, which displays the name, connection type, IP address, mask, status, and operation
icon of each interface, as shown in Figure 28.
Figure 28 WAN Interface Setup

Click the icon corresponding to an Ethernet interface to display the page for configuring that Ethernet
interface, as shown in Figure 29.

Figure 29 Configure an Ethernet interface

Table 25 Configuration (auto mode)

Item Description
WAN Interface Displays the name of the Ethernet interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable
button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the
Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

Connect Mode: Auto Select Auto as the connection mode. The interface automatically obtains an IP
address.

MAC Address Set the MAC address of the Ethernet interface:
• Use MAC address of the device—Use the default MAC address of the Ethernet
interface, which is displayed in the following brackets.
• Use customized MAC address—Manually set the MAC address of the Ethernet
interface. When this option is selected, you must enter a MAC address in the
field below.

Table 26 Configuration (manual mode)

Item Description
WAN Interface Displays the name of the Ethernet interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable
button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the
Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

Connect Mode: Manual Select Manual as the connection mode. In this mode, you must assign an IP
address and subnet mask for the interface manually.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure an IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Gateway IP Address Configure the next hop for the static route.

DNS1, DNS2 Assign an IP address to the DNS servers. DNS1 has a higher precedence than
DNS2.
To configure a global DNS server, select Advanced > DNS Setup > DNS
Configuration from the navigation tree. The global DNS server has a higher
precedence than all DNS servers configured on the interfaces. An interface first
sends a query request to the global DNS server. If it fails to receive a response, it
sends query requests to the DNS servers configured on the interfaces one by one.

MAC Address Set the MAC address of the Ethernet interface:
• Use the MAC address of the device—Use the default MAC address of the
Ethernet interface, which is displayed in the following brackets.
• Use the customized MAC address—Manually set the MAC address of the
Ethernet interface. When this option is selected, you must enter a MAC
address in the field below.

Table 27 Configuration (PPPoE mode)

Item Description
WAN Interface Displays the name of the Ethernet interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable
button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the
Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

Connect Mode: PPPoE Select PPPoE as the connection mode.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Online for all time / Online according to the Idle Timeout value Set the idle timeout value for a
connection.
• Online for all time—The connection is maintained until manually disconnected
or upon an anomaly.
• Online according to the Idle Timeout value—The connection is automatically
disconnected if no traffic is transmitted or received on the link for a period of
time. The connection is reestablished when an access to the Internet request is
received.

Idle timeout If the Online according to the Idle Timeout value is selected, the Idle timeout value
must be specified.

MAC Address Set the MAC address of the Ethernet interface:
• Use the MAC address of the device—Use the default MAC address of the
Ethernet interface, which is displayed in brackets.
• Use the customized MAC address—Manually set the MAC address of the
Ethernet interface. When this option is selected, you must enter a MAC
address in the field.

Configuring an SA interface
The synchronous/asynchronous serial (SA) interface supports PPP connection mode.
PPP is a link layer protocol that carries packets over point-to-point links. It provides user authentication
and allows for easy extension while supporting synchronous/asynchronous communication.
PPP contains a set of protocols, including an LCP, an NCP, and authentication protocols such as PAP and
CHAP. Among these protocols:
• LCP is responsible for establishing, tearing down, and monitoring data links.
• NCP negotiates the packet format and type of data links.
• PAP and CHAP provide network security.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the SA interface you want to configure to display
the SA interface configuration page, as shown in Figure 30.

Figure 30 Configure an SA interface

Table 28 Configuration

Item Description
WAN Interface Displays the name of the interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to
shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable
button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure the IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Configuring an ADSL/G.SHDSL interface


The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA.

IPoA
IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data
link layer for the IP hosts on the same network to communicate with one another, and IP packets must be
adapted to traverse the ATM network.

IPoA makes full use of the advantages of ATM, including high speed point-to-point connections (which
help improve the bandwidth performance of an IP network), excellent network performance, and
complete, mature QoS services.

IPoEoA
IPoEoA adopts a three-layer architecture, with IP encapsulation at the uppermost layer, IPoE in the middle,
and IPoEoA at the bottom.
IPoEoA is suitable where Ethernet packets are forwarded through an ATM interface, for example, when a
network device forwards traffic from an Ethernet across an ATM PVC to a network access server.

PPPoA
PPPoA enables ATM to carry PPP protocol packets. With PPPoA, PPP packets are encapsulated in ATM
cells. In this case, ATM can be viewed as the carrier of PPP packets. Because the communication process
of PPPoA is managed by PPP, PPPoA inherits the flexibility and comprehensive applications of PPP.

PPPoEoA
PPPoEoA enables ATM to carry PPPoE protocol packets. With PPPoEoA, Ethernet packets are
encapsulated in ATM cells, through which you can use a PVC to simulate all the functions of Ethernet. To
allow ATM to carry Ethernet frames, the interface management module provides the VE interface. The VE
interface has Ethernet characteristics and can be dynamically created through configuration commands.
The following is the protocol stack adopted by the VE interface.
• ATM PVC at the bottom layer
• Ethernet at the link layer
• Protocols the same as those for a common Ethernet interface at the network layer and upper layers

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the ADSL/G.SHDSL interface you want to
configure to display the ADSL/G.SHDSL interface configuration page, as shown in Figure 31.

Figure 31 Configure an ADSL/G.SHDSL interface

Table 29 Configuration (IPoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable
button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the
Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

Connect Mode: IPoA Select IPoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure the IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Map IP Set the remote IP address for the IPoA mapping.

Table 30 Configuration (IPoEoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable
button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the
Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

Connect Mode: IPoEoA Select IPoEoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure the IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Table 31 Configuration (PPPoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable
button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the
Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network
administrator. Click the Enable button to bring up the interface.

Connect Mode: PPPoA Select PPPoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Table 32 Configuration (PPPoEoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: PPPoEoA Select PPPoEoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Online for all time / Online according to the Idle Timeout value / Idle timeout
Set the idle timeout value for a connection.
• Online for all time—The connection is maintained until being disconnected manually or upon an anomaly.
• Online according to the Idle Timeout value—The connection is disconnected automatically if no traffic is transmitted or received on the link for a period of time. The connection is re-established when a request to access the Internet is received.
If the Online according to the Idle Timeout value is selected, specify the Idle timeout value.

Configuring a CE1/PRI interface


The CE1/PRI interface supports PPP connection mode. For details about PPP, see "Configuring an SA
interface."
The CE1/PRI interface can work in either E1 mode (non-channelized mode) or CE1 mode (channelized
mode).
• A CE1/PRI interface in E1 mode equals an interface of 2048 Mbps data bandwidth, on which no
timeslots are divided. Its logical features are the same as those of a synchronous serial interface. It
supports link layer protocols such as PPP, FR, LAPB and X.25, and network protocols such as IP and
IPX.
• A CE1/PRI interface in CE1 mode is physically divided into 32 timeslots, numbered 0 to 31. Among
them, timeslot 0 is used for transmitting synchronization information. All timeslots except timeslot 0
can be randomly bundled into multiple channel sets and used as an interface. Its logical features are
the same as those of a synchronous serial interface. It supports link layer protocols such as PPP,
HDLC, FR, LAPB and X.25, and network protocols such as IP.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the CE1/PRI interface to configure to display the
CE1/PRI interface configuration page. The appearance and features of this page vary with the operating
mode of the CE1/PRI interface.

Configuring a CE1/PRI interface in E1 mode
Figure 32 Configure a CE1/PRI interface in E1 mode

Table 33 Configuration (in E1 mode)

Item Description
WAN Interface Displays the name of the CE1/PRI interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Work Mode: E1 Select E1 as the work mode.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Configuring a CE1/PRI interface in CE1 mode
Figure 33 Configure a CE1/PRI interface in CE1 mode

Table 34 Configuration (in CE1 mode)

Item Description
WAN Interface Displays the name of the CE1/PRI interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Work Mode: CE1 Select CE1 as the work mode.

Operation Select to add or remove timeslots.
• Create—Adds timeslots to form a channel set.
• Delete—Removes timeslots from a channel set.

Serial Specify the serial interface number of the channel set.

Timeslot-List Set the timeslots to add or remove.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Configuring a CT1/PRI interface
The CT1/PRI interface supports PPP connection mode. For details about PPP, see "Configuring an SA
interface."
When it is working as a CT1 interface, all timeslots (numbered 1 to 24) can be randomly divided into
groups. Each of these groups can form one channel set for which the system automatically creates an
interface that is logically equivalent to a synchronous serial interface. This interface supports link layer
protocols such as PPP, HDLC, FR, LAPB, and X.25, and network protocols such as IP and IPX.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the CT1/PRI interface to configure to display the
CT1/PRI interface configuration page, as shown in Figure 34.
Figure 34 Configure a CT1/PRI interface

Table 35 Configuration

Item Description
WAN Interface Displays the name of the CT1/PRI interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Work Mode: CT1 Select CT1 as the work mode.

Operation Select to add or remove timeslots.
• Create—Adds timeslots to form a channel set.
• Delete—Removes timeslots from a channel set.

Serial Specify the serial interface number of the channel set.

Timeslot-List Set the timeslots to add or remove.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Viewing the general information and statistics of an interface
On the WAN Interface Setup page as shown in Figure 28, you can view the name, connection type, IP
address, mask, and status of each interface. To view the statistics of an interface, click the interface name
to display the page shown in Figure 35.

Figure 35 Statistics of an interface

Configuring VLAN

You can configure the following port-based VLAN and VLAN interface functions through the web
interface:
• Create or delete VLANs.
• Add/remove member ports to/from a VLAN.
• Create or delete VLAN interfaces.
• Configure VLAN interface parameters.
Ethernet is a network technology based on the CSMA/CD mechanism. Because the medium is shared,
collisions and excessive broadcasts are common on Ethernet networks. To address the issue, VLAN was
introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A
VLAN is a bridging domain, and all broadcast traffic is contained within it.
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3
forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for
Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For
each VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at
the network layer.

NOTE:
For more information about VLANs and VLAN interfaces, see HP A-MSR Router Series Layer 2—LAN
Switching Configuration Guide.

Configuring a VLAN and its VLAN interface


Configuration task lists
Configuring a VLAN
Table 36 VLAN configuration task list

Task Remarks
Creating a VLAN and its VLAN interface Required

Configuring VLAN member ports Required

Configuring a VLAN interface


Table 37 VLAN interface configuration task list

Task Remarks
Creating a VLAN and its VLAN interface Required.

Configuring parameters for a VLAN interface Optional.
Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP server function for a VLAN interface. If you enable it, configure related parameters.
You can also configure the DHCP server function in Advanced > DHCP Setup. For more information, see "Configuring DHCP." This chapter only describes the DHCP server configuration in the LAN Setup module.

Creating a VLAN and its VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
VLAN Setup page, as shown in Figure 36.
Figure 36 VLAN Setup page

Table 38 Configuration

Item Description
VLAN Create And Remove Set the operation type to Create or Remove.

VLAN IDs Enter the ID of the VLAN (or VLAN interface) to be created or removed. You can create or remove multiple VLANs at a time.

Create VLAN Interface You can create a VLAN interface when a VLAN is created.

Only Remove VLAN Interface You can remove the VLAN interface of a VLAN without removing the VLAN.

Return to "VLAN configuration task list."


Return to "VLAN interface configuration task list."

Configuring VLAN member ports


The ports that you assign to a VLAN in the web interface can only be set to the untagged type.
The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged
member ports.
You can configure a VLAN by assigning ports to it or removing ports from it.
Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
VLAN Setup page, as shown in Table 39.
Table 39 Configuration

Item Description
VLAN ID Select the ID of the VLAN to assign ports to or remove ports from.

Port list Select the ports to add or remove.

Add Click Add to assign the selected ports to the VLAN.

Remove Click Remove to remove the selected ports from the VLAN.

Return to "VLAN configuration task list."

Configuring parameters for a VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree, and then click the VLAN Interface
Setup tab to display the page for configuring parameters for VLAN interfaces, as shown in Figure 37.

Figure 37 VLAN Interface Setup page

Table 40 Configuration

Item Description
VLAN ID Select the ID of the VLAN interface to configure.

IP Address / Subnet Mask
Set the VLAN interface's IP address and subnet mask.

MAC Address Set the MAC address of the VLAN interface:
• Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in brackets.
• Use the customized MAC address—Manually set the MAC address of the VLAN interface. When this option is selected, you must enter a MAC address in the field below.

DHCP Server Select whether the VLAN interface operates in DHCP server mode.
If you enable DHCP server on the interface, you can continue to configure related DHCP server parameters.

Start IP Address / End IP Address
Set an extended DHCP address pool used for dynamic IP address allocation. The IP address range is defined by a start IP address and an end IP address.
NOTE:
If an extended address pool is configured on the port that receives the DHCP request packet, the server allocates an IP address from the extended address pool to the client, regardless of whether a common address pool (static binding or dynamic allocation) is also configured on the port. If no IP address is available in the pool, the server is not able to allocate an IP address to the client.

Gateway IP Address Set the gateway IP address allocated to the DHCP clients from the DHCP address pool.
When DHCP clients access servers or hosts on other network segments, their data is forwarded through the gateway. After specifying a gateway IP address, the server sends the gateway IP address to the clients along with the IP addresses allocated to them.

DNS Server 1 / DNS Server 2
Assign an IP address from the address pool for the DNS server allocated to the DHCP clients on the local network segment. DNS Server 1 has a higher preference than DNS Server 2.
To enable DHCP clients to access hosts on the Internet by domain names, the DHCP server should specify the local DNS server's IP address when assigning IP addresses to these DHCP clients.

Reserved IP Address Set the IP addresses that are not to be auto assigned in the DHCP address pool.
An IP address that is already assigned (gateway IP address or FTP server IP address for example) should not be assigned to another client. Otherwise, IP address conflicts occur.
When you specify an IP address configured in a static binding as not to be auto assigned, this address can still be assigned to the client in the static binding.

Return to "VLAN interface configuration task list."
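The Start IP Address, End IP Address, Gateway IP Address, DNS Server and Reserved IP Address rules in Table 40 can be checked before the values are entered in the web interface. The Python below is an added example, not HP code or a device API: the function name is hypothetical, the sample addresses are constructed, and it assumes the VLAN interface's own address is treated like any other address that is already in use.

```python
"""Lint for the DHCP settings of a VLAN interface (Table 40), added example.

Names are hypothetical, not device APIs. Assumption: the VLAN interface's own
address is treated like any other address that is already in use.
"""
import ipaddress
from typing import Dict, Iterable, List


def lint_dhcp_pool(if_ip: str, mask: str, start: str, end: str, gateway: str,
                   dns: Iterable[str] = (),
                   reserved: Iterable[str] = ()) -> Dict:
    """Return the number of assignable addresses and a list of findings."""
    net = ipaddress.ip_network(f"{if_ip}/{mask}", strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    findings: List[str] = []
    if lo > hi:
        return {"assignable": 0,
                "findings": ["start IP address is higher than end IP address"]}
    for label, addr in (("start", lo), ("end", hi),
                        ("gateway", ipaddress.ip_address(gateway))):
        if addr not in net:
            findings.append(f"{label} IP address {addr} is outside {net}")

    # Addresses that are already in use and must not be handed to a client.
    in_use: Dict = {}
    roles = [("VLAN interface", if_ip), ("gateway", gateway)]
    roles += [(f"DNS server {i}", d) for i, d in enumerate(dns, 1)]
    for role, addr in roles:
        in_use.setdefault(ipaddress.ip_address(addr), []).append(role)

    # An in-use address inside the pool range conflicts unless it is reserved.
    reserved_set = {ipaddress.ip_address(r) for r in reserved}
    for addr in sorted(in_use):
        if lo <= addr <= hi and addr not in reserved_set:
            findings.append(f"{addr} ({', '.join(in_use[addr])}) is inside "
                            "the pool but not reserved")

    pool_size = int(hi) - int(lo) + 1
    assignable = pool_size - sum(1 for r in reserved_set if lo <= r <= hi)
    if assignable <= 0:
        findings.append("no IP address is available in the pool")
    return {"assignable": assignable, "findings": findings}


# Constructed sample settings: the pool starts at the gateway address.
WEAK = dict(if_ip="192.168.1.1", mask="255.255.255.0",
            start="192.168.1.1", end="192.168.1.100",
            gateway="192.168.1.1", dns=["192.168.1.10"],
            reserved=["192.168.1.10"])
# Same settings with the gateway address added to Reserved IP Address.
FIXED = dict(WEAK, reserved=["192.168.1.1", "192.168.1.10"])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, lint_dhcp_pool(**cfg))
```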

Configuration guidelines
When you configure VLANs, follow these guidelines:
• As the default VLAN, VLAN 1 cannot be created or manually removed.
• You cannot manually create or remove VLANs reserved for special purposes.
• You cannot directly remove protocol-reserved VLANs, voice VLANs, management VLANs, or
dynamically learned VLANs. To remove them, you must first remove relevant configurations.

Configuring wireless services

The device allows you to perform the following configurations in the web interface:
• Configuring wireless access service
• Displaying wireless access service
• Configuring data transmit rates
• Displaying radio
• Configuring the blacklist and whitelist functions
• Configuring user isolation
• Configuring wireless QoS
• Setting a district code

With these configurations, you can build an integrated, stable, secure, effective wireless network.
WLAN is popular nowadays. Compared with wired LANs, WLANs are easier and cheaper to implement
because several APs can provide wireless access for an entire building or area. A WLAN does not
necessarily mean that everything is wireless. The servers and backbones still reside on wired networks.
WLANs mainly provide the following services:
• Authentication and encryption to secure wireless access
• Wireless access and mobility to free users from the restrictions of wires and cables

Configuration task list


Perform the tasks in Table 41 to configure wireless services.
Table 41 Wireless configuration task list

Task Remarks
Wireless service configuration Required.
Allows you to create a wireless service and configure its attributes.

Configuring radio Optional.
Allows you to configure radio rates to adjust the capabilities of wireless devices.

Configuring WLAN security Optional.
Allows you to control client access to enhance wireless security.

Configuring WLAN QoS Optional.
Allows you to configure WLAN QoS to make full use of wireless resources.

Configuring advanced WLAN Optional.
Allows you to configure district codes as needed to meet country-specific regulations.

Wireless service configuration


For more information about WLAN user access, see HP A-MSR Router Series WLAN Configuration
Guide.

Configuring wireless access service


Creating a wireless access service
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
configuring access service.
Figure 38 Configure access service

Click Add to display the page for creating a wireless access service.
Figure 39 Create a wireless service

Table 42 Configuration

Item Description
Radio Unit Radio ID: 1 or 2. The actual value range depends on your device model.

Mode Display the radio mode, which depends on your device model.

Wireless Service Name Set the SSID.
An SSID should be as unique as possible. For security, the company name should not be contained in the SSID. HP recommends that you do not use a long random string as the SSID because it only adds to the Beacon frame length and usage complexity, without any improvement to wireless security.

Wireless Service Type Select the wireless service type:
• clear—The SSID is not encrypted.
• crypto—The SSID is encrypted.
Configuring clear type wireless service


Configuring basic settings for the clear type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target clear type wireless service to display the page for configuring wireless service.
Figure 40 Configure clear type wireless service

Table 43 Configuration

Item Description
Wireless Service Display the selected SSID.

VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged.
VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

Default VLAN Set the default VLAN of a port.
By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1 is the ID of the VLAN whose packets are to be sent untagged.

Delete VLAN Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

SSID HIDE
• Enable—Disables the advertisement of the SSID in beacon frames.
• Disable—Enables the advertisement of the SSID in beacon frames.
By default, the SSID in beacon frames is advertised.
NOTE:
• If the advertising of the SSID in beacon frames is disabled, the SSID must be configured for the clients to associate with the device.
• Disabling the advertising of the SSID in beacon frames does little to improve wireless security. Allowing the advertising of the SSID in beacon frames enables a client to discover an AP more easily.

Configuring advanced settings for the clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target clear type wireless service to display the page for advanced configuration.
Figure 41 Advanced settings for the clear type wireless service

Table 44 Configuration

Item Description
Client Max Users Maximum number of clients of an SSID to be associated with the same radio of the AP.
NOTE:
When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

Management Right Web interface management right of online clients:
• Disable—Disables the web interface management right of online clients.
• Enable—Enables the web interface management right of online clients.

Security settings for the clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target wireless service to display the page for configuring security settings for the clear type wireless
service.
Table 45 Configuration

Item Description
Authentication Type For the clear type wireless service, you can select Open-System only.

Port Mode
• mac-authentication—Performs MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1X frame, the port performs MAC authentication. If MAC authentication fails, the port then performs 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—In this mode, port-based 802.1X authentication is performed for users. Multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in macbased mode and supports multiple 802.1X users.
NOTE:
There are multiple security modes. To remember them easily, follow these rules to understand part of the port security modes:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If the authentication fails, the authentication after Else may be used, depending on the protocol type of the packets to be authenticated.
• The authentication mode before Or and the one after Or have the same priority. The device determines the authentication mode according to the protocol type of the packets to be authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A security mode with Ext allows multiple 802.1X users to pass the authentication. A security mode without Ext allows only one 802.1X user to pass the authentication.

Max User Maximum number of users that can be connected to the network through a specific port.

1. Configure MAC authentication.

Figure 42 MAC authentication configuration

Table 46 Configuration

Item Description
Port Mode mac-authentication—MAC-based authentication is performed on access users.

Max User Control the maximum number of users allowed to access the network through the port.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service are logged out.

2. Configure userlogin-secure/userlogin-secure-ext.

Figure 43 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is used
for example)

Table 47 Configuration

Item Description
Port Mode
• userlogin-secure—Perform port-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

Max User Control the maximum number of users allowed to access the network through the port.

Mandatory Domain Select an existing domain from the Mandatory Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service are logged out.

Authentication Method
• EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use CHAP. By default, CHAP is used. CHAP transmits only user names rather than passwords over the network. Therefore, this method is safer.
• PAP—Use PAP. PAP transmits passwords in plain text.

Handshake
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
NOTE:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

3. Configure the other four port security modes.


Figure 44 Port security configuration page for the other four security modes (mac-else-userlogin-secure is
used for example)

Table 48 Configuration

Item Description
Port Mode
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1X frame, the port performs MAC authentication. If MAC authentication fails, the port performs 802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.

Max User Control the maximum number of users allowed to access the network through the port.

Mandatory Domain Select an existing domain from the Mandatory Domain list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.

Authentication Method
• EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for authentication. It does not need to repackage the EAP packets into standard RADIUS packets for authentication.
• CHAP—Use CHAP. By default, CHAP is used. CHAP transmits only usernames but not passwords over the network. Therefore, this method is safer.
• PAP—Use PAP. PAP transmits passwords in plain text.

Handshake
• Enable—Enable the online user handshake function so that the device can periodically send handshake messages to a user to check whether the user is online. By default, the function is enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to the clients periodically for initiating authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
NOTE:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger messages periodically for initiating authentication. HP recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service are logged out.
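The Port Mode rules in Tables 45, 47 and 48 can be written as a small decision model that shows, for each mode, which authentication methods a client meets and in what order. The Python below is an added example, not HP code or a device API: all function names are hypothetical, it encodes only what the tables state, and for the userlogin-secure-or-mac modes it assumes the wireless-user order (802.1X first) for every frame.

```python
"""Model of the port security modes described in Tables 45, 47 and 48.

Added example: names are hypothetical, not device APIs. The rules come only
from the table text.
"""
from typing import Dict, List, Optional, Tuple

MAC, DOT1X = "MAC", "802.1X"

MODES = (
    "mac-authentication",
    "userlogin-secure",
    "userlogin-secure-ext",
    "mac-else-userlogin-secure",
    "mac-else-userlogin-secure-ext",
    "userlogin-secure-or-mac",
    "userlogin-secure-or-mac-ext",
)


def base_mode(mode: str) -> str:
    """Strip the -ext suffix, which only changes how many users may pass."""
    if mode not in MODES:
        raise ValueError(f"unknown port mode: {mode}")
    return mode[:-len("-ext")] if mode.endswith("-ext") else mode


def auth_sequence(mode: str, frame_is_8021x: bool) -> List[str]:
    """Methods the port applies to a wireless client, in order."""
    base = base_mode(mode)
    if base == "mac-authentication":
        return [MAC]
    if base == "userlogin-secure":
        return [DOT1X]
    if base == "mac-else-userlogin-secure":
        # MAC first; 802.1X is a fallback only when the frame is 802.1X.
        return [MAC, DOT1X] if frame_is_8021x else [MAC]
    # userlogin-secure-or-mac: for a wireless user 802.1X is tried first,
    # then MAC. Assumption: the same order is used for every frame type.
    return [DOT1X, MAC]


def admit(mode: str, frame_is_8021x: bool, mac_ok: bool,
          dot1x_ok: bool) -> Tuple[bool, Optional[str]]:
    """Return (admitted, method that admitted the client)."""
    for method in auth_sequence(mode, frame_is_8021x):
        if mac_ok if method == MAC else dot1x_ok:
            return True, method
    return False, None


def single_8021x_user(mode: str) -> bool:
    """True if the mode lets only one 802.1X user pass (no -ext suffix)."""
    return DOT1X in auth_sequence(mode, True) and not mode.endswith("-ext")


def mac_alone_admits(mode: str) -> bool:
    """True if a client without valid 802.1X credentials can still be
    admitted because its MAC address passes MAC authentication."""
    return any(admit(mode, frame, mac_ok=True, dot1x_ok=False)[0]
               for frame in (True, False))


def review(modes=MODES) -> Dict[str, Dict[str, object]]:
    """Summarize each mode for a configuration review."""
    return {
        m: {
            "8021x_frame": auth_sequence(m, True),
            "other_frame": auth_sequence(m, False),
            "single_8021x_user": single_8021x_user(m),
            "mac_alone_admits": mac_alone_admits(m),
        }
        for m in modes
    }


if __name__ == "__main__":
    for mode, row in review().items():
        print(f"{mode:32} {row}")
```

In this model only userlogin-secure and userlogin-secure-ext require every client to pass 802.1X; in the other modes a successful MAC authentication is sufficient for access.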

Configuring crypto type wireless service


Configuring basic settings for the crypto type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target crypto type wireless service to display the page for configuring wireless service.

Figure 45 Crypto type wireless service

See Table 43 for the basic configuration of crypto type wireless service.

Advanced settings for the crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target crypto type wireless service to display the page for configuring wireless service.
Figure 46 Advanced settings for the crypto type wireless service

Table 49 Configuration

Item | Description

Client Max Users | Maximum number of clients of an SSID to be associated with the same radio of the AP.
NOTE: When the number of clients of an SSID to be associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

PTK Life Time | Set the PTK lifetime. A PTK is generated through a four-way handshake.

TKIP CM Time | Set the TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds (the TKIP countermeasure policy is disabled).
If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is enabled.
The MIC is designed to prevent tampering by attackers. It uses the Michael algorithm and is extremely secure. When MIC failures occur, the data may have been tampered with, and the system may be under attack. In this case, TKIP enables the countermeasure policy to block the attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, TKIP disassociates all connected wireless clients, and no new associations are allowed within the TKIP countermeasure time.

Management Right | Web interface management right of online clients:
• Disable—Disables the web interface management right of online clients.
• Enable—Enables the web interface management right of online clients.

GTK Rekey Method | An AC generates a GTK and sends the GTK to a client during the authentication process between an AP and the client through group key handshake/the 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets.
• Time—The GTK is refreshed after a specified period of time.
• Packet—The GTK is refreshed after a specified number of packets are transmitted.
By default, the GTK re-keying method is time-based, and the interval is 86,400 seconds.

GTK User Down Status | Enable refreshing the GTK when some client goes offline.
By default, the GTK is not refreshed when a client goes offline.
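The TKIP CM Time behaviour described above, as an added Python model (not code from HP or from the device). It follows this guide's wording, so the lockout starts when more than two MIC failures fall within the countermeasure time; the class, the function names and the event timeline are constructed for illustration.

```python
from collections import deque
from typing import Deque, List, Optional, Set, Tuple

Event = Tuple[int, str, str]  # (time in seconds, "assoc" or "mic_fail", client MAC)


class TkipCountermeasure:
    """Sliding-window model of the TKIP countermeasure policy."""

    def __init__(self, cm_time: int, threshold: int = 2) -> None:
        self.cm_time = cm_time        # TKIP CM Time in seconds; 0 disables the policy
        self.threshold = threshold    # the guide says "more than two" failures
        self.failures: Deque[int] = deque()
        self.blocked_until: Optional[int] = None
        self.clients: Set[str] = set()

    def associate(self, now: int, mac: str) -> bool:
        """Return True if the association is accepted at time `now`."""
        if self.blocked_until is not None and now < self.blocked_until:
            return False              # inside the countermeasure time
        self.clients.add(mac)
        return True

    def mic_failure(self, now: int) -> List[str]:
        """Record one MIC failure and return the clients that get disassociated."""
        if self.cm_time == 0:
            return []                 # policy disabled: failures are not acted on
        self.failures.append(now)
        # Forget failures that are older than the countermeasure time.
        while now - self.failures[0] > self.cm_time:
            self.failures.popleft()
        if len(self.failures) <= self.threshold:
            return []
        dropped = sorted(self.clients)
        self.clients.clear()          # all connected clients are disassociated
        self.failures.clear()
        self.blocked_until = now + self.cm_time
        return dropped


def replay(events: List[Event], cm_time: int) -> List[Tuple[int, str, str]]:
    """Run a timeline through the policy and return what the AP did."""
    policy = TkipCountermeasure(cm_time)
    log = []
    for now, kind, mac in events:
        if kind == "assoc":
            accepted = policy.associate(now, mac)
            log.append((now, "accepted" if accepted else "refused", mac))
        elif kind == "mic_fail":
            dropped = policy.mic_failure(now)
            if dropped:
                log.append((now, "disassociated", ",".join(dropped)))
    return log


# Constructed timeline: two clients associate, three MIC failures arrive within
# 15 seconds, a third client tries to join during and after the lockout.
TIMELINE: List[Event] = [
    (0, "assoc", "0014-6c8a-43ff"),
    (1, "assoc", "0040-96b3-8a77"),
    (10, "mic_fail", "0040-96b3-8a77"),
    (20, "mic_fail", "0040-96b3-8a77"),
    (25, "mic_fail", "0040-96b3-8a77"),
    (30, "assoc", "001e-c144-473a"),
    (90, "assoc", "001e-c144-473a"),
]

if __name__ == "__main__":
    for cm_time in (0, 60):
        print(f"TKIP CM Time = {cm_time}")
        for entry in replay(TIMELINE, cm_time):
            print("  ", entry)
```
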

Security settings for the crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target crypto type wireless service to display the page for configuring crypto type wireless service.

Figure 47 Security settings for the crypto type wireless service

Table 50 Configuration

Item | Description

Authentication Type | Link authentication method:
• Open-System—No authentication. With this authentication mode enabled, all clients pass authentication.
• Shared-Key—The two parties need to have the same shared key configured for this authentication mode. You can select this option only when WEP encryption mode is used.
• Open-System and Shared-Key—It indicates that you can select both open-system and shared-key authentication.

Cipher Suite | Encryption mechanisms supported by the wireless service:
• CCMP—Encryption mechanism based on the AES encryption algorithm.
• TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key management.
• CCMP and TKIP—Indicates that you can select both CCMP and TKIP encryption.

Security IE | Wireless service type (IE information carried in the beacon or probe response frame):
• WPA—Wi-Fi Protected Access, a security mechanism before the 802.11i protocol.
• WPA2—Security mechanism defined in 802.11i (also known as the "RSN security mechanism") which is more secure than WEP and WPA.
• WPA and WPA2—Indicates that you can select both WPA and WPA2.

Encryption: WEP |
• wep40—Indicates the WEP40 key option.
• wep104—Indicates the WEP104 key option.
• wep128—Indicates the WEP128 key option.

Key ID | Configure the key index:
• 1—Key index 1.
• 2—Key index 2.
• 3—Key index 3.
• 4—Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the specified key index is used for encrypting and decrypting broadcast and multicast frames.

Key Length | Key length.
• For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal number.
• For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
• For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

WEP Key | Configure the WEP key.

Port Security | See Table 45.
Parameters such as authentication type and encryption type determine the port mode. For more information, see Table 53.
After you select the Cipher Suite option, the following four port security modes are added:
• mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
• psk—An access user must use the PSK that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

1. Configure mac and psk.

Figure 48 mac and psk port security configuration page

Table 51 Configuration

Item | Description

Port Mode | mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Max User | Control the maximum number of users allowed to access the network through the port.

MAC Authentication | Select the MAC Authentication option.

Domain | Select an existing domain from the Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service are logged out.

Preshared Key |
• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and consists of 8 to 63 characters.
• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

2. Configure psk.
Figure 49 psk port security configuration page

Table 52 Configuration

Item | Description

Port Mode | psk—An access user must use the PSK that is pre-configured to negotiate with the device. The access to the port is allowed only after the negotiation succeeds.

Max User | Control the maximum number of users allowed to access the network through the port.

Preshared Key |
• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be displayed and consists of 8 to 63 characters.
• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal number.

3. Configure userlogin-secure-ext.
Perform the configurations as shown in "Configure userlogin-secure/userlogin-secure-ext."

Security parameter dependencies
In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are
described in Table 53.
Table 53 Security parameter dependencies

Service type | Authentication mode | Encryption type | Security IE | WEP encryption/key ID | Port mode

Clear | Open-System | Unavailable | Unavailable | Unavailable | mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

Crypto | Open-System | Selected | Required | WEP encryption is available. The key ID can be 1, 2, 3, or 4. | mac and psk, psk, userlogin-secure-ext

Crypto | Open-System | Unselected | Unavailable | WEP encryption is required. The key ID can be 1, 2, 3 or 4. | mac-authentication

Crypto | Shared-Key | Unavailable | Unavailable | WEP encryption is required. The key ID can be 1, 2, 3 or 4. | mac-authentication

Crypto | Open-System and Shared-Key | Selected | Required | WEP encryption is required. The key ID can be 2, 3 or 4. | mac and psk, psk, userlogin-secure-ext

Crypto | Open-System and Shared-Key | Unselected | Unavailable | WEP encryption is required. The key ID can be 1, 2, 3 or 4. | mac-authentication
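One way to check a planned wireless service against Table 53 before entering it in the web interface, as an added Python example (not HP code). The ServiceConfig fields and the lower-case value names are assumptions made for this sketch; the first three sample services mirror the configuration examples in this guide and the last one is a constructed mistake.

```python
from dataclasses import dataclass
from typing import List, Optional

CLEAR_MODES = frozenset({
    "mac-authentication", "mac-else-userlogin-secure",
    "mac-else-userlogin-secure-ext", "userlogin-secure",
    "userlogin-secure-ext", "userlogin-secure-or-mac",
    "userlogin-secure-or-mac-ext",
})
PSK_MODES = frozenset({"mac and psk", "psk", "userlogin-secure-ext"})
MAC_ONLY = frozenset({"mac-authentication"})
ALL_KEY_IDS = (1, 2, 3, 4)

# One entry per row of Table 53. Key: (service type, authentication mode,
# Cipher Suite selected?), where None means the option is unavailable.
# Value: (Security IE, WEP encryption, allowed key IDs, allowed port modes).
TABLE_53 = {
    ("clear", "open-system", None):
        ("unavailable", "unavailable", (), CLEAR_MODES),
    ("crypto", "open-system", True):
        ("required", "available", ALL_KEY_IDS, PSK_MODES),
    ("crypto", "open-system", False):
        ("unavailable", "required", ALL_KEY_IDS, MAC_ONLY),
    ("crypto", "shared-key", None):
        ("unavailable", "required", ALL_KEY_IDS, MAC_ONLY),
    ("crypto", "open-system and shared-key", True):
        ("required", "required", (2, 3, 4), PSK_MODES),
    ("crypto", "open-system and shared-key", False):
        ("unavailable", "required", ALL_KEY_IDS, MAC_ONLY),
}


@dataclass
class ServiceConfig:
    name: str
    service_type: str                  # "clear" or "crypto"
    auth_mode: str                     # "open-system", "shared-key", or both
    port_mode: str
    cipher_suite: bool = False         # Cipher Suite option selected
    security_ie: Optional[str] = None  # "wpa", "wpa2", "wpa and wpa2"
    wep_key_id: Optional[int] = None   # None when no WEP key is configured


def check(cfg: ServiceConfig) -> List[str]:
    """Return the Table 53 dependencies that the configuration violates."""
    problems: List[str] = []
    base = (cfg.service_type, cfg.auth_mode)
    row = TABLE_53.get(base + (cfg.cipher_suite,))
    if row is None:
        # Rows where the Cipher Suite option is not offered at all.
        row = TABLE_53.get(base + (None,))
        if row is None:
            return [f"{cfg.auth_mode} is not offered for a {cfg.service_type} service"]
        if cfg.cipher_suite:
            problems.append("Cipher Suite is unavailable for this combination")
    security_ie, wep, key_ids, port_modes = row
    if security_ie == "required" and not cfg.security_ie:
        problems.append("Security IE is required")
    if security_ie == "unavailable" and cfg.security_ie:
        problems.append("Security IE is unavailable for this combination")
    if wep == "unavailable" and cfg.wep_key_id is not None:
        problems.append("WEP encryption is unavailable for this combination")
    if wep == "required" and cfg.wep_key_id is None:
        problems.append("WEP encryption is required")
    if wep != "unavailable" and cfg.wep_key_id is not None \
            and cfg.wep_key_id not in key_ids:
        problems.append(f"key ID {cfg.wep_key_id} is not allowed, use one of {key_ids}")
    if cfg.port_mode not in port_modes:
        problems.append(f"port mode {cfg.port_mode} is not allowed")
    return problems


SAMPLES = [
    ServiceConfig("psk", "crypto", "open-system", "psk", True, "wpa"),
    ServiceConfig("mac-auth", "clear", "open-system", "mac-authentication"),
    ServiceConfig("dot1x", "crypto", "open-system", "userlogin-secure-ext", True, "wpa2"),
    # Constructed mistake: WPA settings combined with Shared-Key authentication.
    ServiceConfig("bad-wep", "crypto", "shared-key", "psk", True, "wpa"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.name, check(sample) or "consistent with Table 53")
```
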

Displaying wireless access service information
Displaying wireless service information
Select Interface Setup > Wireless > Summary from the navigation tree and click the name of the specified
wireless service to view the detailed information, statistics, or connection history.

Displaying detailed information about wireless service


Figure 50 Display detailed information of wireless service (clear type)

Table 54 Field description

Field | Description

Service Template Number | Current service template number.

SSID | SSID for the ESS.

Service Template Type | Service template type.

Authentication Method | Type of authentication used. Wireless service of the clear type only uses open system authentication.

SSID-hide |
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Service Template Status | Status of service template:
• Enable—Enables wireless service.
• Disable—Disables wireless service.

Maximum clients per BSS | Maximum number of associated clients per BSS.

Figure 51 Display detailed information of wireless service (crypto type)

Table 55 Field description

Field | Description

Service Template Number | Current service template number.

SSID | SSID for the ESS.

Service Template Type | Service template type.

Security IE | Security IE: WPA or RSN.

Authentication Method | Authentication method: open system or shared key.

SSID-hide |
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Cipher Suite | Cipher suite—CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s) | TKIP countermeasure time in seconds.

PTK Life Time(s) | PTK lifetime in seconds.

GTK Rekey | GTK rekey configured.

GTK Rekey Method | GTK rekey method configured: packet based or time based.

GTK Rekey Time(s) | Time for GTK rekey in seconds:
• Time—The GTK is refreshed after a specified period of time.
• Packet—The GTK is refreshed after a specified number of packets are transmitted.

Service Template Status | Status of service template:
• Enable—Enables wireless service.
• Disable—Disables wireless service.

Maximum clients per BSS | Maximum number of associated clients per BSS.

Displaying statistics of wireless service
Figure 52 Display wireless service statistics

Displaying connection history information of wireless service


Figure 53 Display the connection history information of wireless service

Displaying client information


Displaying client detailed information
Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab to
display the Client page. Then click the Detail Information tab on the page, and click the name of the
specified client to view the detailed information of the client.

Figure 54 Display client

Table 56 Client RSSI

Field | Description

Client RSSI |
• [icon]: The RSSI is no greater than 20.
• [icon]: The RSSI is between 20 and 30 (inclusive).
• [icon]: The RSSI is between 30 and 35 (inclusive).
• [icon]: The RSSI is between 35 and 40 (inclusive).
• [icon]: The RSSI is greater than 40.

Table 57 Field description

Field | Description

MAC address | MAC address of the client.

AID | Association ID of the client.

User Name | Username of the client:
• The field is displayed as -NA- if the client adopts plain-text authentication or cipher-text authentication with no username.
• The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.

Radio Interface | WLAN radio interface.

SSID | SSID of the device.

BSSID | MAC address of the device.

Port | WLAN-DBSS interface associated with the client.

VLAN | Number of the VLAN interface to which the client belongs.

State | State of the client, such as running.

Power Save Mode | Client's power save mode: active or sleep.

Wireless Mode | Wireless mode, such as 802.11b, 802.11g, or 802.11gn.

QoS Mode | Whether the device supports the WMM function.

Listen Interval (Beacon Interval) | Number of times the client has been activated to listen to beacon frames.

RSSI | Received signal strength indication. This value indicates the client signal strength detected by the AP.

SNR | Signal to Noise Ratio.

Rx/Tx Rate | Represents the reception/transmission rate of the last frame.

Client Type | Client type, such as RSN, WPA, or Pre-RSN.

Authentication Method | Authentication method, such as open system or shared key.

AKM Method | AKM suite used, such as Dot1X or PSK.

4-Way Handshake State | Displays the 4-way handshake state:
• IDLE—Displayed in initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.

Group Key State | Displays the group key state:
• IDLE—Displayed in initial state.
• REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
• REKEYESTABLISHED—Displayed when re-keying is successful.

Encryption Cipher | Encryption cipher: clear or crypto.

Roam Status | Displays the roam status: Normal or Fast Roaming.

Up Time | Time for which the client has been associated with the device.

Table 58 Field description

Field | Description

Refresh | Refresh the current page.

Add to Blacklist | Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.

Reset Statistic | Delete all items in the list, or clear all statistics.

Disconnect | Log off the selected client.

Displaying client statistics


Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab to
display the Client page. Click the Statistic Information tab on the page, and click the name of the
specified client to view the statistics of the client.
Figure 55 Display client statistics

Table 59 Field description

Field | Description

AP Name | Name of the associated access point.

Radio Id | Radio ID.

SSID | SSID of the device.

BSSID | MAC address of the device.

MAC Address | MAC address of the client.

RSSI | Received signal strength indication. This value indicates the client signal strength detected by the device.

Transmitted Frames | Number of transmitted frames.

Back Ground(Frames/Bytes) | Statistics of background traffic, in frames or in bytes.

Best Effort(Frames/Bytes) | Statistics of best effort traffic, in frames or in bytes.

Video(Frames/Bytes) | Statistics of video traffic, in frames or in bytes.

Voice(Frames/Bytes) | Statistics of voice traffic, in frames or in bytes.

Received Frames | Number of received frames.

Discarded Frames | Number of discarded frames.

Displaying RF ping information


RF ping is a ping function performed on wireless links. This function enables you to get the connection
information between the AP and its associated clients, such as signal strength, packet re-transmission
attempts, and RTT.
Select Summary > Client from the navigation tree to display the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client.
Figure 56 View link test information

Table 60 Field description

Field | Description

No./MCS |
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.

Rate(Mbps) | Rate at which the radio interface sends wireless ping frames.

TxCnt | Number of wireless ping frames that the radio interface sent.

RxCnt | Number of wireless ping frames that the radio interface received from the client.

RSSI | Received signal strength indication. This value indicates the client signal strength detected by the AP.

Retries | Total number of retransmitted ping frames.

RTT(ms) | Round-trip time.

Wireless access configuration examples
Wireless service configuration example
Network requirements
As shown in Figure 57, enable the wireless function on the device to enable the client to access the
internal network resources at any time. The device provides plain-text wireless access service with SSID
service1. 802.11g is adopted.
Figure 57 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 58 Create a wireless service

a. Select the radio unit 1.
b. Set the service name to service1.
c. Select the wireless service type clear.
d. Click Apply.
2. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling wireless service.

Figure 59 Enable the wireless service

a. Select the service1 option.
b. Click Enable.
3. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Access Service from the navigation tree to display the Radio Setup
page. Make sure that 802.11g radio is enabled.
Figure 60 Enable 802.11g radio

Verifying the configuration


To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree, and then
click the Client tab.

Configuration guidelines
Follow these guidelines when you configure a wireless service:
• Select a correct district code.
• Make sure that the radio unit is enabled.

Access service-based VLAN configuration example


Network requirements
An AP can provide multiple wireless access services. Different wireless access services can use different
wireless security policies and can be bound to different VLANs to implement wireless access user
isolation.
As shown in Figure 61, configure wireless VLANs to satisfy the following requirements:
• Set up a wireless access service named research, and configure it to use the PSK authentication.
Clients that access the wireless network are in VLAN 2.
• Set up a wireless access service named office, and configure it to use the clear text authentication.
Clients that access the wireless network are in VLAN 3.

Figure 61 Network diagram (the router connects to the IP network and serves SSID research in VLAN 2 with client 0040-96b3-8a77, and SSID office in VLAN 3 with client 0014-6c8a-43ff)

Configuration procedure
1. Configure a wireless service named research.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to display the
page for creating a wireless service.
a. Configure the name of the wireless service as research.
b. Select the wireless service type crypto.
c. Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can perform the VLAN settings (before this operation, select Network > VLAN and create
VLAN 2 first).
Figure 62 Set the VLANs

a. Enter 2 in the VLAN (Untagged) field.
b. Enter 2 in the Default VLAN field.
c. Enter 1 in the Delete VLAN field.

NOTE:
For PSK-related configuration, see "PSK authentication configuration example." Follow that example to complete the PSK configuration.

2. Configure a wireless service named office.
# Create a wireless service.

Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to display the
page for creating a wireless service.
a. Configure the wireless service name as office.
b. Select the wireless service type clear.
c. Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can configure the VLANs (first select Network > VLAN from the navigation tree, and create
VLAN 3).
Figure 63 Set the VLANs

a. Enter 3 in the VLAN (Untagged) field.
b. Enter 3 in the Default VLAN field.
c. Enter 1 in the Delete VLAN field.
d. Click Apply.
3. Verify the configuration.
To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree, and then
click the Client tab.
On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3,
while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two
clients are in different VLANs, they cannot access each other.

PSK authentication configuration example


Network requirements
As shown in Figure 64, the client accesses the wireless network by passing PSK authentication. The PSK
key configuration on the client is the same as that on the AP (12345678).
Figure 64 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.

Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 65 Create a wireless service

a. Set the service name to psk.
b. Select the wireless service type crypto.
c. Click Apply.
2. Configure PSK authentication.
After you create a wireless service, the wireless service configuration page is displayed. Perform security
setup when configuring PSK authentication.
Figure 66 Security setup

a. Select Open-System from the Authentication Type list.
b. Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and
then select WPA from the Security IE list.
c. Select the Port Set option, and select psk from the Port Mode list.
d. Select pass-phrase from the Preshared Key list, and enter the key 12345678.
e. Click Apply.

3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling a wireless service.
Figure 67 Enable the wireless service

a. Select the psk option.
b. Click Enable.
4. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g radio is enabled.
5. Configure the client.
Launch the client, and refresh the network list. Select the configured service in Choose a wireless network
(PSK, in this example), and click Connect. In the dialog box that appears, enter the key (12345678, in
this example), and then click Connect.

Figure 68 Configure the client

The client has the same pre-shared key as the AP, so the client can associate with the AP.

Figure 69 The client is associated with the AP

Verifying the configuration


• The same pre-shared key is configured on the client. The client can successfully associate with
the device and can access the WLAN network.
• To view the online clients, select Interface Setup > Wireless > Access Service from the navigation
tree, and then click the Client tab.
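The pass-phrase option of the Preshared Key item (Tables 51 and 52) and the PSK example above, as an added Python example that is not part of the HP guide: it checks a pass-phrase against the 8 to 63 displayable-character rule and derives the 256-bit key with the standard WPA/WPA2 mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). MIN_RECOMMENDED_LEN and the audit rules are assumed local policy, and the second service entry is constructed.

```python
import hashlib
from typing import Dict, List

# Printable ASCII (codes 32 to 126): the characters a pass-phrase may contain.
PRINTABLE = frozenset(chr(c) for c in range(32, 127))
MIN_RECOMMENDED_LEN = 14  # assumed local policy threshold, not from the guide


def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError if the string is not acceptable as a pass-phrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pass-phrase must consist of 8 to 63 characters")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("pass-phrase must contain only displayable characters")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit PSK as 64 hexadecimal digits."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    # The SSID is the salt, so the same pass-phrase yields a different key
    # on every wireless service name.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def audit_passphrase(passphrase: str, ssid: str) -> List[str]:
    """Return policy findings for a pass-phrase (empty list: nothing found)."""
    validate_passphrase(passphrase)
    findings: List[str] = []
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append(f"shorter than {MIN_RECOMMENDED_LEN} characters")
    classes = [
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ]
    if sum(classes) == 1:
        findings.append("uses a single character class")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings


# SSID -> pass-phrase. The first entry is the example in this guide; the
# second is constructed for comparison.
SERVICES: Dict[str, str] = {
    "psk": "12345678",
    "research": "constructed-Example-passphrase-2011",
}


def report(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every service and return the findings per SSID."""
    return {ssid: audit_passphrase(p, ssid) for ssid, p in services.items()}


if __name__ == "__main__":
    for ssid, findings in report(SERVICES).items():
        print(ssid, derive_psk(SERVICES[ssid], ssid)[:8] + "...", findings or "ok")
```
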

Local MAC authentication configuration example


Network requirements
As shown in Figure 70, perform MAC authentication on the client.
Figure 70 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.

Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 71 Create a wireless service

a. Select the radio unit 1.
b. Set the service name to mac-auth.
c. Select the wireless service type clear.
d. Click Apply.
2. Configure local MAC address authentication.
After you have created a wireless service, the wireless service configuration page is displayed. Perform
security setup when configuring MAC authentication.
Figure 72 Security setup

a. Select Open-System from the Authentication Type list.
b. Select the Port Set option, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication option, and select system from the Domain list.

d. Click Apply.
3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling a wireless service.
Figure 73 Enable the wireless service

a. Select the mac-auth option.
b. Click Enable.
4. Configure a MAC authentication list.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click MAC
Authentication List to display the page for configuring a MAC authentication list.
Figure 74 Add a MAC authentication list

a. Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example.
b. Click Add.
5. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g is enabled.
6. Configure the client.
Launch the client, and refresh the network list. Select the configured service in Choose a wireless network
(mac-auth, in this example), and click Connect. If the MAC address of the client is in the MAC address list,
the client can pass MAC authentication and access the wireless network.

Figure 75 Configure the client

Verifying the configuration


If the MAC address of the client is in the MAC authentication list, the client can pass authentication and
access the WLAN network. Select Interface Setup > Wireless > Access Service from the navigation tree
and then click the Client tab to view the online clients.

Remote MAC authentication configuration example


Network requirements
Perform remote MAC authentication on the client.
• Use the iMC as the RADIUS server for AAA. On the RADIUS server, configure the client's username
and password as the MAC address of the client and the shared key as expert. The IP address of the
RADIUS server is 10.18.1.88.

• The IP address of the device is 10.18.1.1. On the device, configure the shared key for
communication with the RADIUS server as expert, and configure the device to remove the domain
name of a username before sending it to the RADIUS server.
Figure 76 Network diagram (the client joins SSID mac-auth on the router at 10.18.1.1, which reaches the RADIUS server at 10.18.1.88 through a switch and the IP network)

Configuration procedure
1. Configure wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Create to
display the page for creating a wireless service.
Figure 77 Create a wireless service

a. Select radio unit 1.
b. Set the wireless service name as mac-auth.
c. Select the wireless service type clear.
d. Click Apply.
2. Configure MAC authentication.
After you create a wireless service, the wireless service configuration page is displayed. Then you can
configure MAC authentication on the Security Setup area.

Figure 78 Security setup

a. Select Open-System from the Authentication Type list.
b. Select the Port Set option, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication option, and select system from the Domain list.
d. Click Apply.
3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page shown in
the following figure.
Figure 79 Enable the wireless service

a. Select the mac-auth option.
b. Click Enable.
4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g is enabled.
5. Configure the RADIUS server (iMC v5).
The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic
configuration of the RADIUS server.
# Add an access device.

Log in to the iMC management platform. Select the Service tab, and select User Access Manager > Access
Device Management from the navigation tree to display the access device configuration page. Click Add
on the page to display the configuration page shown in Figure 80:
a. Enter the shared key 12345678. Keep the default values for other parameters.
b. Select or manually add the access device with the IP address 10.18.1.1.

Figure 80 Add access device

# Add a service.
Select the Service tab, and select User Access Manager > Service Configuration from the navigation tree to
display the page for adding a service. Then click Add on the page to display the following configuration
page. Set the service name to mac, and keep the default values for other parameters.
Figure 81 Add service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to display the user
page. Then, click Add on the page to display the page as shown in Figure 82.
a. Enter username 00-14-6c-8a-43-ff.
b. Set the account name and password both to 00-14-6c-8a-43-ff.
c. Select the service mac.

Figure 82 Add account

Verifying the configuration


During authentication, the user does not need to enter the username or password. After passing MAC
authentication, the client can associate with the device and access the WLAN. View the online clients by
selecting Interface Setup > Wireless > Summary from the navigation tree and then clicking the Client tab.

Remote 802.1X authentication configuration example


Network requirements
Perform remote 802.1X authentication on the client.
• Use the iMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as
user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.
• On the device, configure the shared key as expert, and configure the device to remove the domain
name of a username before sending it to the RADIUS server. The IP address of the device is
10.18.1.1.

Figure 83 Network diagram

Configuration procedure
1. Configure wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 84 Create a wireless service

a. Select radio unit 1.
b. Set the service name as dot1x.
c. Select the wireless service type crypto.
d. Click Apply.
2. Configure 802.1X authentication.
After you create a wireless service, the wireless service configuration page is displayed. Then you can
configure 802.1X authentication on the Security Setup area.

Figure 85 Security setup

a. Select Open-System from the Authentication Type list.
b. Select the Cipher Suite option, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
c. Select the Port Set option, and select userlogin-secure-ext from the Port Mode list.
d. Select system from the Mandatory Domain list.
e. Select EAP from the Authentication Method list.
f. Disable Handshake and Multicast Trigger (recommended).
g. Click Apply.
3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree.
a. Select the dot1x option.
b. Click Enable.
4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g is enabled.
5. Configure the RADIUS server (iMC v5).
The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic
configuration of the RADIUS server.
# Add an access device.
Log in to the iMC management platform. Select the Service tab, and then select User Access Manager >
Access Device Management from the navigation tree to display the access device configuration page.
Click Add on the page to display the configuration page shown in Figure 86:
a. Enter the shared key 12345678. Keep the default values for other parameters.
b. Select or manually add the access device with the IP address 10.18.1.1.

Figure 86 Add access device

# Add a service.
Select the Service tab, and then select User Access Manager > Service Configuration from the navigation
tree to display the Add Service Configuration page. Then click Add on the page to display the following
configuration page.
a. Set the service name to dot1x.
b. Set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN.

Figure 87 Add a service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to display the user
page. Then, click Add on the page to display the page shown in Figure 88.
a. Enter username user.
b. Set the account name to user and password to dot1x.
c. Select the service dot1x.

Figure 88 Add account

6. Configure the wireless card.

a. Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection
Status window appears.
b. Click the Properties button in the General tab. The Wireless Network Connection Properties window
appears.
c. In the Wireless Networks tab, select the wireless network with the SSID dot1x, and then click
Properties. The dot1x Properties window appears.
d. In the Authentication tab, select Protected EAP (PEAP) from the EAP type list, and click Properties.
e. In the window that appears, clear Validate server certificate, and click Configure.
f. In the dialog box that appears, clear Automatically use my Windows logon name and password (and
domain if any).
The configuration procedure is as shown in Figure 89 through Figure 91.

Figure 89 Configure the wireless card (I)

Figure 90 Configure the wireless card (II)

Figure 91 Configure the wireless card (III)

Verifying the configuration


• After you enter username user and password dot1x in the dialog box that appears, the client can
associate with the device and access the WLAN.
• To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree,
and then click the Client tab.

802.11n configuration example


Network requirements
As shown in Figure 92, configure the 802.11n-capable AP to allow the 802.11n client to access the
wireless network at a high rate.
Figure 92 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 93 Create a wireless service

a. Select the radio unit 1.
b. Set the service name to 11nservice.
c. Select the wireless service type clear.
d. Click Apply.
2. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling a wireless service.
Figure 94 Enable the wireless service

a. Select the 11nservice option.
b. Click Enable.
3. Enable the 802.11n(2.4GHZ) radio. (By default, the 802.11n(2.4GHZ) radio is enabled. Therefore, this
step is optional.)

Verifying the configuration


• To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree,
and then click the Client tab.
• Among these online clients, 0014-6c8a-43ff is an 802.11g client, and 001e-c144-473a is an
802.11n client. In this example, client types are not restricted. Therefore, both 802.11g and
802.11n clients can access the wireless network. If Client 802.11n Only is configured, only
001e-c144-473a can access the wireless network.

Configuration guidelines
When you configure 802.11n, follow these guidelines:
• Select Interface Setup > Wireless > Radio from the navigation tree, select the radio unit to configure,
and click the corresponding icon to display the radio configuration page. On that page, you
can modify the 802.11n-related parameters, including Bandwidth Mode, A-MSDU, A-MPDU, Short
GI, and Client 802.11n Only (permitting only 802.11n users to access the wireless network).
• Make sure that 802.11n(2.4GHZ) is enabled.
• Select Interface Setup > Wireless > Radio from the navigation tree to modify the 802.11n rate.

Configuring client mode

In client mode, a router accesses the wireless network as a client. Multiple hosts or printers in the wired
network can access the wireless network through the router.
Figure 95 Client mode

Enabling the client mode


Select Interface Setup > Wireless Service > Client Mode from the navigation tree, and then click Connect
Setup.
Figure 96 Enable the client mode

Select the radio unit to enable, and then click Enable.

NOTE:
• Support for radio mode types depends on your device model.
• You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
• To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target radio, and
change the radio mode using the Radio Mode option.
• If the 802.11(2.4GHz) client mode is used, the client can scan 802.11(2.4GHz) wireless services.

With the client mode enabled, you can check the existing wireless services in the wireless service list.
Figure 97 Check the wireless service list

Connecting the wireless service


1. Method 1:
Click the Connect icon of the wireless service in the wireless service list, and a SET CODE dialog box
appears, as shown in Figure 98.
Figure 98 Set a code

The following authentication modes are supported:
• Open System
• Shared key
• RSN + PSK

Table 61 Configuration

Item            Description
AuthMode        Specify the network authentication mode:
                • Open System—Open system authentication (no authentication).
                • Shared Key—Shared key authentication, which requires the client and the
                  device to be configured with the same shared key.
                • RSN+PSK—PSK authentication.
CipherSuite     Set the data encryption mode:
                • Clear—No encryption.
                • WEP—WEP encryption.
                • TKIP/CCMP—TKIP/CCMP encryption.
Password        Configure the WEP key.
KeyID           There are four static keys in WEP. Their key indexes are 1, 2, 3, and 4. The key
                corresponding to the specified key index is used for encrypting and decrypting
                frames.

2. Method 2:
You can also specify the wireless service to connect to by entering its name on the page that is
displayed after you click the Connect icon of the wireless service.
Figure 99 Associate the specified wireless service

Enter the specified wireless service in the Wireless Service Name field, and click Connect. Then the dialog
box in Figure 98 appears. Set the options on the dialog box according to the specified wireless service
type.

Displaying statistics
Select Interface Setup > Wireless Service > Client Mode from the navigation tree, and click Statistic
Information to display the page shown in Figure 100.

Figure 100 Display statistics

Client mode configuration example


Network requirements
As shown in Figure 101, the router accesses the wireless network as a client. The Ethernet interface of the
router connects to multiple hosts or printers in the wired network, and the wired network is connected to
the wireless network through the router.
• The AP accesses the wired LAN, and the router accesses the AP as a client.
• The router accesses the wireless service psk by passing the RSN(CCMP)+PSK authentication.
• Client with MAC address 0014-6c8a-43ff also accesses the wireless service psk.
Figure 101 Network diagram

Configuration procedure
1. Enable the client mode.
Select Interface Setup > Wireless Service > Client Mode from the navigation tree, and click Connect Setup
to display the page shown in Figure 102.
Figure 102 Enable the client mode

Select the option corresponding to 802.11g, and click Enable. With the client mode enabled, you can
check the existing wireless services in the wireless service list.
Figure 103 Check the wireless service list

2. Connect the wireless service.


Click the Connect icon of the wireless service psk in the wireless service list, and a SET CODE dialog box
appears, as shown in Figure 104.
Figure 104 Set a code

a. Specify the AuthMode as RSN+PSK.
b. Specify the CipherSuite as CCMP/AES.
c. Set the Password to that on the AP, 12345678.
d. Click Apply.

Verifying the configuration


On the AP shown in Figure 101, select Interface Setup > Wireless Service > Summary > Client from the
navigation tree to display the page shown in Figure 105, where you can check whether the router is
online.
Figure 105 Check that the workgroup bridge is online

• You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address
000f-e2333-5510 have been successfully associated with the AP.
• The wired devices on the right (such as printers and PCs) can access the wireless network through
the router.

Configuration guidelines
As shown in Figure 106, if the router uses two radio interfaces at the same time, the client connecting to
radio 2 can access the AP through the router.
Figure 106 Network diagram

Configuring radios

802.11b/g/n operates in the 2.4 GHz band. Each band can be divided into multiple channels for wireless
communication. You can configure and adjust the channels to achieve optimal performance.
To configure a radio, select Interface Setup > Wireless > Radio from the navigation tree to display the
Radio page, select the AP you want, and then click the icon to display the AP radio setup page.
Figure 107 Radio setup

Table 62 Configuration

Item                  Description
Radio Unit            Display the selected radios.
Radio Mode            Display the selected radio mode.
Transmit Power        Maximum radio transmission power, which varies with country codes, channels,
                      radio modes, and antenna types. If you adopt the 802.11n mode, the maximum
                      transmit power of the radio also depends on the bandwidth mode.
Channel               Specify the working channel of the radio, which varies with radio types and
                      country codes.
                      auto—The working channel is automatically selected. If you select this mode,
                      the AP checks the channel quality in the WLAN network and selects the channel
                      of the best quality as its working channel.
                      If you modify the working channel configuration, the transmit power is
                      automatically adjusted.
802.11n               The option is available only when the device supports 802.11n.
bandwidth mode        802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz
                      channel. During data forwarding, the two 20-MHz channels can work separately
                      with one acting as the primary channel and the other acting as the secondary
                      channel, or they can work together as a 40-MHz channel. This provides a simple
                      way of doubling the data rate.
                      By default, the channel bandwidth of the 802.11n radio (2.4GHz) is 20 MHz.
                      NOTE:
                      • If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is
                        used as the working channel. If no 40 MHz channel is available, a 20 MHz
                        channel is used. For the specifications, see IEEE P802.11n D2.00.
                      • If you modify the bandwidth mode configuration, the transmit power is
                        automatically adjusted.
client dot11n-only    If you select the client dot11n-only option, non-802.11n clients are prohibited
                      from access. To provide access for all 802.11b/g clients, disable this function.
A-MSDU                Selecting the A-MSDU option enables A-MSDU.
                      Multiple MSDUs can be aggregated into a single A-MSDU. This reduces the MAC
                      header overhead and improves MAC layer forwarding efficiency.
                      Only A-MSDUs can be received.
                      NOTE:
                      When 802.11n radios are used in a mesh WLAN, make sure that they have the same
                      A-MSDU configuration.
A-MPDU                Selecting the A-MPDU option enables A-MPDU.
                      802.11n introduces the A-MPDU frame format. By using only one PHY header, each
                      A-MPDU can accommodate multiple MPDUs, which have their PHY headers removed.
                      This reduces the overhead in transmission and the number of ACK frames to be
                      used, improving network throughput.
                      NOTE:
                      When 802.11n radios are used in a mesh WLAN, make sure that they have the same
                      A-MSDU configuration.
short GI              Selecting the short GI option enables short GI.
                      Delays may occur during receiving radio signals due to factors like multi-path
                      reception. Therefore, a subsequently sent frame may interfere with a previously
                      sent frame. The GI function is used to avoid such interference. It increases
                      the throughput by 10 percent.
                      The short GI function is independent of bandwidth and supports both 20MHz and
                      40MHz bandwidths.

Figure 108 Radio setup (advanced setup)

Table 63 Configuration

Item                     Description
Preamble                 Preamble is a pattern of bits at the beginning of a frame so that the receiver
                         can sync up and be ready for the real data. There are two different kinds of
                         preambles:
                         • Short preamble—A short preamble improves network performance. Therefore,
                           this option is always selected.
                         • Long preamble—A long preamble ensures compatibility between access point
                           and some legacy client devices. Therefore, you can select this option to
                           make legacy client devices support short preamble.
Transmit Distance        Maximum coverage of a radio.
ANI                      After the ANI function is enabled, the device automatically adjusts the noise
                         immunity level according to the surrounding signal environment to eliminate
                         RF interference.
                         • Enable—Enables ANI.
                         • Disable—Disables ANI.
Client Max Count         Maximum number of clients that can be associated with one radio.
Fragment Threshold       Specify the maximum length of frames that can be transmitted without
                         fragmentation. When the length of a frame exceeds the specified fragment
                         threshold value, it is fragmented.
                         • In a wireless network where error rate is high, you can decrease the
                           fragment threshold by a rational value. In this way, when a fragment of a
                           frame is not received, only this fragment has to be retransmitted rather
                           than the whole frame. Therefore, the throughput of the wireless network is
                           improved.
                         • In a wireless network where no collision occurs, you can increase the
                           fragment threshold by a rational value to decrease acknowledgement
                           packets, increasing network throughput.
Beacon Interval          Interval for sending beacon frames. Beacon frames are transmitted at a regular
                         interval to allow mobile clients to join the network. Beacon frames are used
                         for a client to identify nearby APs or network control devices.
RTS Threshold            RTS threshold length. If a frame is larger than this value, the RTS mechanism
                         is used.
                         RTS is used to avoid data collisions in a WLAN.
                         A smaller RTS threshold causes RTS packets to be sent more often, consuming
                         more available bandwidth. However, the more often RTS packets are sent, the
                         quicker the system can recover from interference or collisions.
                         In a high-density WLAN, you can decrease the RTS threshold by a rational value
                         to reduce collisions in the network.
                         NOTE:
                         The RTS mechanism occupies bandwidth. Therefore, this mechanism applies only
                         to data frames larger than the RTS threshold.
DTIM Period              Number of beacon intervals between DTIM transmissions. The device sends
                         buffered broadcast/multicast frames when the DTIM counter reaches 0.
Long Retry Threshold     Number of retransmission attempts for unicast frames larger than the RTS
                         threshold.
Short Retry Threshold    Number of retransmission attempts for unicast frames smaller than the RTS
                         threshold if no acknowledgment is received for it.
Max Receive Duration     Interval for which a frame received by a device can stay in the buffer memory.

Configuring data transmit rates
Configuring 802.11b/802.11g rates
Select Interface Setup > Wireless > Radio from the navigation tree, and then click the Rate tab to display
the page shown in Figure 109.
Figure 109 Set 802.11a/802.11b/802.11g rates

Table 64 Configuration

Item        Description
802.11b     Configure rates (in Mbps) for 802.11b.
            By default:
            • Mandatory rates—1 and 2.
            • Supported rates—5.5 and 11.
            • Multicast rate—Automatically selected from the mandatory rates. The transmission
              rate of multicasts in a BSS is selected from the mandatory rates supported by all
              clients.
802.11g     Configure rates (in Mbps) for 802.11g.
            By default:
            • Mandatory rates—1, 2, 5.5, and 11.
            • Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.
            • Multicast rate—Automatically selected from the mandatory rates. The transmission
              rate of multicasts in a BSS is selected from the mandatory rates supported by all
              clients.

Configuring 802.11n MCS
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum MCS
index.
Select Interface Setup > Wireless > Radio from the navigation tree, and then click the Rate tab to display
the page shown in Figure 110.
Figure 110 Set 802.11n rate

Table 65 Configuration

Item                     Description
Mandatory Maximum MCS    Set the maximum MCS index for 802.11n mandatory rates.
                         NOTE:
                         If you select the client dot11n-only option, you must configure the mandatory
                         maximum MCS.
Multicast MCS            Set the multicast MCS for 802.11n.
                         The multicast MCS is adopted only when all clients use 802.11n. If a
                         non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS
                         data rate.
                         NOTE:
                         When the multicast MCS takes effect, the corresponding data rates defined for
                         20 MHz are adopted regardless of whether the 802.11n radio operates in 40 MHz
                         mode or in 20 MHz mode.
Supported Maximum MCS    Set the maximum MCS index for 802.11n supported rates.

NOTE:
For more information about MCS, see HP A-MSR Router Series WLAN Configuration Guide.

Displaying radio
Displaying wireless services bound to a radio
Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Radio tab. Click
the specified radio unit, and then click the Wireless Service tab to view the wireless services bound to the
radio.
Figure 111 Display wireless services bound to the radio

NOTE:
The Noise Floor item in the table indicates various random electromagnetic waves during the wireless
communication. For the environment with a high noise floor, you can improve the SNR by increasing the
transmit power or by reducing the noise floor.

Displaying detailed radio information


Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Radio tab. Click
the specified radio unit, and then click the Detail Info tab to view the corresponding detailed information.

Figure 112 Display detailed radio information

Table 66 Field description

Field                                                      Description
WLAN-Radio1/0 current state: UP                            State of the radio interface.
IP Packet Frame Type                                       Output frame encapsulation type.
Hardware Address                                           MAC address of the radio interface.
Radio-type dot11g                                          WLAN protocol type used by the interface.
channel                                                    Channel used by the interface. The keyword auto means that the
                                                           channel is automatically selected. If the channel is manually
                                                           configured, the field is displayed in the format of channel
                                                           configured-channel.
power(dBm)                                                 Transmit power of the interface (in dBm).
Received: 2 authentication frames, 2 association frames    Number of authentication and association frames received.
Sent out: 2 authentication frames, 2 association frames    Number of authentication and association frames sent.
Stations: 0 associating, 2 associated                      Number of stations being associated and stations having been
                                                           associated.
                                                           Input packet statistics of the interface:
Input : 70686 packets, 6528920 bytes                       • Number of packets, number of bytes
      : 255 unicasts, 34440 bytes                          • Number of unicast packets, number of bytes of unicast packets
      : 70461 multicasts/broadcasts, 6494480 bytes         • Number of multicasts/broadcast packets, number of bytes of
                                                             multicasts/broadcast packets
      : 0 fragmented                                       • Number of fragmented packets
      : 414 discarded, 26629 bytes                         • Number of discarded packets, number of discarded bytes
      : 0 duplicates, 3785 FCS errors                      • Number of duplicate frames, number of FCS errors
      : 0 decryption errors                                • Number of decryption errors
                                                           Output packet statistics of the interface:
Output: 3436 packets, 492500 bytes                         • Number of packets, number of bytes
      : 3116 unicasts, 449506 bytes                        • Number of unicast packets, number of bytes of unicast packets
      : 320 multicasts/broadcasts, 42994 bytes             • Number of multicasts/broadcast packets, number of bytes of
                                                             multicasts/broadcast packets
      : 0 fragmented                                       • Number of fragmented packets
      : 948 discarded, 100690 bytes                        • Number of discarded packets, number of discarded bytes
      : 0 failed RTS, 1331 failed ACK                      • Number of failed RTS packets, number of failed ACK packets
      : 4394 transmit retries, 1107 multiple transmit      • Number of retransmitted frames, number of transmission retries
        retries

Configuring WLAN security

When it comes to security, a WLAN is inherently weaker than a wired LAN because all wireless devices
use the air as the transmission medium. This means that the data transmitted by one device can be received
by any other device within the coverage of the WLAN. To enhance WLAN security, you can use
whitelists, blacklists, and user isolation to control user access and behavior.

Blacklist and whitelist


You can configure the blacklist and whitelist functions to filter frames from WLAN clients, thereby
implementing client access control.
The WLAN client access control is accomplished through the following types of lists:
• Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist is
used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.
• Dynamic blacklist—Contains MAC addresses of clients whose frames are to be dropped. A client is
dynamically added to the list if it is considered to be sending attack frames, and it stays in the list
until the timer of the entry expires.
When a device receives an 802.11 frame, it checks the source MAC address of the frame and processes
the frame as follows:
1. If whitelist entries exist and the source MAC address does not match any of them, the frame is
dropped. If there is a match, the frame is considered valid and is further processed.
2. If no whitelist entries exist, the static and dynamic blacklists are searched.
If the source MAC address matches an entry in either of the two lists, the frame is dropped.
If there is no match or if no blacklist entries exist, the frame is considered valid and is further
processed.
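
The frame-processing order described above, as an added example (not HP's code): a small Python model of the whitelist and blacklist check. The class and method names and the 60-second entry lifetime are assumptions made for illustration; the two MAC addresses are the sample clients used elsewhere in this guide.

```python
"""Model of the WLAN client access-control order described in this section.

Added illustration, not device code: the names and the lifetime value are
assumptions made for the example.
"""

HEX_DIGITS = set("0123456789abcdef")


def normalize_mac(mac):
    """Return a MAC address as 12 lowercase hex digits (accepts -, : and . separators)."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or not set(digits) <= HEX_DIGITS:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


class ClientAccessControl:
    def __init__(self, lifetime=60):
        self.lifetime = lifetime          # seconds a dynamic entry lives (assumed value)
        self.whitelist = set()
        self.static_blacklist = set()
        self.dynamic_blacklist = {}       # MAC -> time at which the entry expires

    def add_whitelist(self, mac):
        self.whitelist.add(normalize_mac(mac))

    def add_static(self, mac):
        self.static_blacklist.add(normalize_mac(mac))

    def add_dynamic(self, mac, now):
        """Record a client flagged by flood detection; the entry ages out after `lifetime`."""
        self.dynamic_blacklist[normalize_mac(mac)] = now + self.lifetime

    def _expire(self, now):
        # Drop dynamic entries whose timer has run out.
        self.dynamic_blacklist = {
            mac: expiry for mac, expiry in self.dynamic_blacklist.items() if expiry > now
        }

    def check(self, src_mac, now):
        """Return (accepted, reason) for a frame with the given source MAC address."""
        mac = normalize_mac(src_mac)
        self._expire(now)
        # Step 1: when whitelist entries exist, the whitelist alone decides.
        if self.whitelist:
            if mac in self.whitelist:
                return True, "whitelist match"
            return False, "not in whitelist"
        # Step 2: no whitelist entries, so search the static and dynamic blacklists.
        if mac in self.static_blacklist:
            return False, "static blacklist match"
        if mac in self.dynamic_blacklist:
            return False, "dynamic blacklist match"
        return True, "no list matched"


def demo():
    """Walk two constructed clients through each stage and return the decisions."""
    acl = ClientAccessControl(lifetime=60)
    g_client, n_client = "0014-6c8a-43ff", "001e-c144-473a"
    results = []
    results.append(("no lists", acl.check(g_client, now=0)))
    acl.add_static(g_client)
    results.append(("static entry", acl.check(g_client, now=1)))
    acl.add_dynamic(n_client, now=10)
    results.append(("dynamic entry, live", acl.check(n_client, now=69)))
    results.append(("dynamic entry, expired", acl.check(n_client, now=70)))
    acl.add_whitelist(g_client)   # the whitelist now decides; blacklists are not searched
    results.append(("whitelisted and static-blacklisted", acl.check(g_client, now=71)))
    results.append(("not whitelisted", acl.check(n_client, now=71)))
    return results


if __name__ == "__main__":
    for label, (accepted, reason) in demo():
        print("%-36s %-7s %s" % (label, "accept" if accepted else "drop", reason))
```

The case to notice is a client that is on both lists: as the procedure is written, a whitelist match accepts the frame without the blacklists being consulted. The check keys on the source MAC address carried in the frame, so it supplements the authentication modes configured for the wireless service rather than replacing them.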

Configuring the blacklist and whitelist functions


Configuring dynamic blacklist
Select Interface Setup > Wireless > Security from the navigation tree, and then click the Blacklist tab to
display the dynamic blacklist configuration page.

Figure 113 Dynamic blacklist configuration page

Table 67 Configuration

Item                 Description
Dynamic Blacklist    • Enable—Enables dynamic blacklist.
                     • Disable—Disables dynamic blacklist.
                     NOTE:
                     Before enabling the dynamic blacklist function, select the Flood Attack Detect
                     option in the WIDS Setup page.
Lifetime             Configure the lifetime of the entries in the blacklist. When the lifetime of an
                     entry expires, the entry is removed from the blacklist.

NOTE:
These attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood,
ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.

Configuring static blacklist
On the blacklist configuration page shown in Figure 113, click the Static tab to display the static blacklist
configuration page shown in Figure 114. Click Add Static to display the static blacklist configuration
page.
Figure 114 Static blacklist configuration

Table 68 Configuration

Item                             Description
MAC Address                      If you select this option, add a MAC address to the static blacklist.
Select Current Connect Client    If you select this option, the table below it lists the current existing
                                 clients. Select the options of the clients to add their MAC addresses to
                                 the static blacklist.

Configuring whitelist
Select Interface Setup > Wireless > Security from the navigation tree, and then click the Whitelist tab.
Click Add to display the whitelist configuration page.
Figure 115 Whitelist configuration

Table 69 Configuration

Item                             Description
MAC Address                      If you select this option, add a MAC address to the whitelist.
Select Current Connect Client    If you select this option, the table below it lists the current existing
                                 clients. Select the checkboxes for the clients to add their MAC addresses
                                 to the whitelist.

User isolation
If a device has the user isolation feature enabled, clients associated with it are isolated at Layer 2.
As shown in Figure 116, after user isolation is enabled on the device, no clients can ping each other or
learn each other's MAC or IP addresses, because they cannot exchange Layer 2 packets.
Figure 116 Network diagram

Configuring user isolation
Select Interface Setup > Wireless > Security from the navigation tree, and then click the User Isolate tab to
display the page shown in Figure 117.
Figure 117 User isolation configuration

Table 70 Configuration item

Item            Description
User Isolate    • Enable—Enables user isolation on the AP to isolate the clients associated with
                  it at Layer 2.
                • Disable—Disables the user isolation.
                By default, wireless user isolation is disabled.

Configuring WLAN QoS

An 802.11 network offers wireless access based on the CSMA/CA channel contention. All clients
accessing the WLAN have equal channel contention opportunities, and all applications carried on the
WLAN use the same channel contention parameters. A live WLAN, however, is required to provide
differentiated access services to address diversified requirements of applications for bandwidth, delay,
and jitter.
To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN
architecture.
While IEEE 802.11e was being standardized, Wi-Fi Alliance defined the WMM standard to allow QoS
provision devices of different vendors to interoperate. WMM makes a WLAN network capable of
providing QoS services.

NOTE:
For introduction to the WLAN QoS terminology and the WMM protocol, see HP A-MSR Router Series
WLAN Configuration Guide.

Configuring wireless QoS


Enabling wireless QoS
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and click the QoS Service tab
to display the wireless QoS page.
Figure 118 Wireless QoS

Select the radio unit to configure, and click Enable. By default, wireless QoS is enabled.

NOTE:
The WMM protocol is the foundation of the 802.11n protocol. Therefore, when the radio works in
802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients may
fail to communicate.

Setting the SVP service
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then select QoS Service to display the page for displaying wireless QoS.
Figure 119 Wireless QoS

Find the radio you want in the AP list, and then click the icon in the Operation column to display the
page for setting SVP mapping.
Figure 120 Set the SVP mapping AC

Table 71 Configuration

Item           Description
Radio          Display the selected radio.
SVP Mapping    Select the SVP Mapping option, and then select the mapping AC to be used by the
               SVP service:
               • AC-VO
               • AC-VI
               • AC-BE
               • AC-BK

NOTE:
SVP mapping applies only to non-WMM client access.

Setting CAC admission policy
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then click the QoS Service tab. Click the corresponding icon of the radio you want in the Operation
column to display the page for setting CAC admission policy.
Figure 121 Set CAC admission policy

Table 72 Configuration

Item                   Description
Client Number          Users-based admission policy (maximum number of clients allowed to be
                       connected). A client is counted only once, even if it is using both AC-VO and
                       AC-VI.
                       By default, the users-based admission policy applies, with the maximum number
                       of users being 20.
Channel Utilization    Channel utilization-based admission policy (the rate of the medium time of the
                       accepted AC-VO and AC-VI traffic to the valid time during the unit time). The
                       valid time is the total time during which data is transmitted.

Setting radio EDCA parameters for APs


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then click the QoS Service tab. Click the corresponding icon of the radio you want in the Operation
column to display the page for configuring wireless QoS. Then click the corresponding icon of the priority
type (AC_BK is used as an example here) to be modified in the Operation column to display the page for
setting radio EDCA parameters.
Figure 122 Set radio EDCA parameters

Table 73 Configuration

Item             Description
Radio            Display the selected radio.
Priority type    Display the priority type.
AIFSN            Arbitration inter-frame spacing number used by the device.
TXOP Limit       Transmission opportunity limit used by the device.
ECWmin           Exponent form of CWmin used by the device.
ECWmax           Exponent form of CWmax used by the device.
No ACK           If you select the No ACK checkbox, the No ACK policy is used by the device.
                 By default, the normal ACK policy is used by the device.

Table 74 Default radio EDCA parameters

AC       TXOP Limit    AIFSN    ECWmin    ECWmax
AC-BK    0             7        4         10
AC-BE    0             3        4         6
AC-VI    94            1        3         4
AC-VO    47            1        2         3

NOTE:
• ECWmin cannot be greater than ECWmax.
• On a device operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188, and 102
for AC-BK, AC-BE, AC-VI, and AC-VO, respectively.

Setting EDCA parameters for wireless clients


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then click the QoS Service tab. Click the corresponding icon of the radio you want in the Operation
column to display the page for setting wireless QoS. In the Client EDCA list, find the priority type (AC_BK
is used in this example) to be modified, and then click the corresponding icon in the Operation column to
display the page for setting client EDCA parameters.
Figure 123 Set client EDCA parameters

Table 75 Configuration

Item             Description
Radio            Display the selected radio.
Priority type    Display the priority type.
AIFSN            Arbitration inter-frame spacing number used by clients.
TXOP Limit       Transmission opportunity limit used by clients.
ECWmin           Exponent form of CWmin used by clients.
ECWmax           Exponent form of CWmax used by clients.
CAC              • Enable—Enables CAC.
                 • Disable—Disables CAC.
                 AC-VO and AC-VI support CAC, which is disabled by default. This item is not
                 available for AC-BE or AC-BK because they do not support CAC.

Table 76 Default EDCA parameters for clients

AC       TXOP Limit    AIFSN    ECWmin    ECWmax
AC-BK    0             7        4         10
AC-BE    0             3        4         10
AC-VI    94            2        3         4
AC-VO    47            2        2         3

NOTE:
• ECWmin cannot be greater than ECWmax.
• If all clients operate in 802.11b radio mode, HP recommends that you set TXOPLimit to 188 and 102 for AC-VI and
AC-VO, respectively.
• If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, the
TXOPLimit parameters in Table 76 are recommended.
• Once you enable CAC for an AC, it is enabled automatically for all ACs with higher priority. For example, if you
enable CAC for AC-VI, CAC is also enabled for AC-VO. However, enabling CAC for AC-VO does not enable CAC
for AC-VI.

Displaying radio statistics
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and then click the Radio
Statistics tab to display the page that displays radio statistics. Click a radio to see its details.
Figure 124 Display radio statistics

Table 77 Field description

Field                                          Description
Radio interface                                WLAN radio interface.
Client EDCA update count                       Number of client EDCA parameter updates.
QoS mode                                       • WMM—Indicates that QoS mode is enabled.
                                               • None—Indicates that QoS mode is not enabled.
Radio chip QoS mode                            Radio chip's support for the QoS mode.
Radio chip max AIFSN                           Maximum AIFSN allowed by the radio chip.
Radio chip max ECWmin                          Maximum ECWmin allowed by the radio chip.
Radio chip max TXOPLimit                       Maximum TXOPLimit allowed by the radio chip.
Radio chip max ECWmax                          Maximum ECWmax allowed by the radio chip.
Client accepted                                Number of clients that have been admitted to access the radio,
                                               including the number of clients that have been admitted to access
                                               the AC-VO and the AC-VI.
Total request mediumtime(us)                   Total requested medium time, including that of the AC-VO and the
                                               AC-VI.
Calls rejected due to insufficient resource    Number of requests rejected due to insufficient resources.
Calls rejected due to invalid parameters       Number of requests rejected due to invalid parameters.
Calls rejected due to invalid mediumtime       Number of requests rejected due to invalid medium time.
Calls rejected due to invalid delaybound       Number of requests rejected due to invalid delay bound.
Admission Control Policy                       Admission control policy.
Threshold                                      Threshold used by the admission control policy.
CAC-Free's AC Request Policy                   Response policy adopted for CAC-disabled ACs.
                                               Response Success indicates that the response is successful.
CAC Unauthed Frame Policy                      Policy of processing frames unauthorized by CAC:
                                               • Discard—Drops frames.
                                               • Downgrade—Decreases the priority of frames.
                                               • Disassociate—Disassociates with the client.
CAC Medium Time Limitation(us)                 Maximum medium time allowed by the CAC policy (in microseconds).
CAC AC-VO's Max Delay(us)                      Maximum voice traffic delay allowed by the CAC policy (in
                                               microseconds).
CAC AC-VI's Max Delay(us)                      Maximum video traffic delay allowed by the CAC policy (in
                                               microseconds).
SVP packet mapped AC number                    Number of the AC to which SVP packets are mapped.
ECWmin                                         ––
ECWmax                                         ––
AIFSN                                          ––
TXOPLimit                                      ––
Ack Policy                                     ACK policy adopted by an AC.
CAC                                            • Disabled—Indicates that the AC is not controlled by CAC.
                                               • Enable—Indicates that the AC is controlled by CAC.

Displaying client statistics
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and then click the Client
Statistics tab to display client statistics. Click a client name to see its details.
Figure 125 Display client statistics

Table 78 Field description

Field Description
MAC address MAC address of the client.

SSID SSID.

QoS Mode QoS mode:
• WMM—Indicates that the client is a QoS client.
• None—Indicates that the client is a non-QoS client.
Max SP length Maximum service period.

AC Access category.

State APSD attribute of an AC:
• T—The AC is trigger-enabled.
• D—The AC is delivery-enabled.
• T | D—The AC is both trigger-enabled and delivery-enabled.
• L—The AC is of legacy attributes.

Assoc State APSD attribute of the four ACs when a client accesses the AP.

Uplink CAC packets Number of uplink CAC packets.

Uplink CAC bytes Number of uplink CAC bytes.

Downlink CAC packets Number of downlink CAC packets.

Downlink CAC bytes Number of downlink CAC bytes.

Downgrade packets Number of downgraded packets.

Downgrade bytes Number of downgraded bytes.

Discard packets Number of dropped packets.

Discard bytes Number of dropped bytes.

Setting rate limiting


The WLAN provides limited bandwidth for each device. Because the bandwidth is shared by wireless
clients attached to the device, aggressive use of bandwidth by a client affects other clients. To ensure fair
use of bandwidth, you can rate limit traffic of clients using either of the following approaches:
• Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode."
The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the
configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
• Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static
mode." For example, if the configured rate is 1 Mbps, the rate limit of each user online is 1 Mbps.
When the set rate limit multiplied by the number of access clients exceeds the available bandwidth
provided by the device, no clients can get the guaranteed bandwidth.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left, click the Client Rate
Limit tab, and then click Add to display the page for setting rate limiting.
Figure 126 Set rate limiting

Table 79 Configuration

Item Description
Wireless Service Display an existing wireless service.
Direction
• Inbound—From clients to the device.
• Outbound—From the device to clients.
• Both—Includes inbound (from clients to the device) and outbound (from the device to clients).

Mode Rate limiting mode:
• Dynamic
• Static

Rate Set the rate of the clients:
• If you select the static mode, static rate is displayed, and the rate is the bandwidth of each client.
• If you select the dynamic mode, share rate is displayed, and the rate is the total bandwidth of all clients.

Wireless QoS configuration example


CAC service configuration example
Network requirements
As shown in Figure 127, an AP with WMM enabled accesses the Ethernet. Enable CAC for the AC-VO
and AC-VI queues of the clients of the fat AP. Use the user number-based admission policy to limit the
number of access users to 10, so that the clients using high-priority queues (including the AC-VO and
AC-VI queues) can be guaranteed enough bandwidth.
Figure 127 Network diagram

Configuration procedure
1. Configure the access service.
For related configurations, see "Wireless access configuration examples." You can strictly follow the steps
in the related configuration example to configure the wireless service.
2. Configure wireless QoS.
# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and then click the QoS
Service tab to display the page shown in Figure 128. Make sure that WMM is enabled.
Figure 128 Wireless QoS configuration page

# Select the radio unit to configure in the list, and then click the corresponding icon in the Operation
column to display the page for configuring wireless QoS. In the Client EDCA list, select the priority type
(AC_VO is used in this example) to be modified, and then click the corresponding icon in the
Operation column to display the page for setting client EDCA parameters.

Figure 129 Enable CAC

a. Select Enable from the CAC list.


b. Click Apply.

# Enable CAC for AC_VI in the same way.


# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click the QoS Service tab,
and then click the icon of the target radio unit in the Operation column to display the page for
configuring wireless QoS.
Figure 130 The page for setting CAC client number

a. Select the Client Number option, and then enter 10.


b. Click Apply.

Verifying the configuration


If the number of existing clients in the high-priority ACs plus the number of clients requesting access is
smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs (which is
10, in this example), the request is allowed. Otherwise, the request is rejected.

Static rate limiting configuration example
Network requirements
As shown in Figure 131, two clients access the WLAN through an SSID named service1. Limit the
maximum bandwidth per client to 128 kbps on the device.
Figure 131 Network diagram

Configuration procedure
1. Configure the access service.
For the configuration procedure, see "Wireless access configuration examples." You can strictly follow
the related configuration example to configure the wireless service.
2. Configure static rate limiting.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit, and then
click Add to display the page for configuring rate limit settings for clients.
Figure 132 Configure static rate limiting

a. Select service1 from the Wireless Service list.


b. Select inbound from the direction list.
c. Select static from the mode list.
d. Enter 128000 in the static rate field.
e. Click Apply.

Verifying the configuration
• Client 1 and Client 2 access the WLAN through an SSID named service1.
• Check that traffic from Client 1 is rate limited to around 128 kbps and so is traffic from Client 2.

Dynamic rate limiting configuration example


Network requirements
As shown in Figure 133, clients access the WLAN through an SSID named service2. Configure all clients
to share 8000 kbps of bandwidth in any direction.
Figure 133 Network diagram

Configuration procedure
1. Configure the wireless service.
For the configuration procedure, see "Wireless access configuration examples." You can strictly follow
the related configuration example to configure the wireless service.
2. Configure dynamic rate limiting.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit, and then
click Add to display the page for configuring rate limit settings for clients.
Figure 134 Configure dynamic rate limiting

a. Select service2 from the Wireless Service list.


b. Select both from the direction list.
c. Select dynamic from the mode list.

d. Enter 8000 in the share rate field.
e. Click Apply.

Verifying the configuration


1. When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
as high as 8000 kbps.
2. When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.

Configuring advanced WLAN settings

District code
Radio frequencies for countries and regions vary based on country regulations. A district code determines
characteristics such as frequency range, channel, and transmit power level. Configure the valid country
code or area code for a WLAN device to meet the specific country regulations.

Setting a district code


Select Interface Setup > Wireless > District Code from the navigation tree to display the page for setting a
district code.
Figure 135 Set a district code

Table 80 Configuration item

Item Description
District Code Select a district code. Configure the valid district code for a WLAN device to meet the country regulations.

NOTE:
• If the list is not available, the setting is preconfigured to meet the requirements of the target market and is locked. It
cannot be changed.
• Support for district code depends on your device model.

Channel busy test


A channel busy test is a tool to test how busy a channel is. It tests channels supported by the district code
one by one, and it provides a busy rate for each channel. This avoids the situation in which some
channels are heavily loaded and some are idle.
During a channel busy test, routers do not provide any WLAN services. All connected clients are
disconnected, and WLAN packets are discarded.

Configuring a channel busy test
Select Interface Setup > Wireless Service > Advanced > Channel Busy Test from the navigation tree to
display the channel busy test configuration page.
Figure 136 Channel busy test configuration page

Click the icon of a target AP to display the channel busy testing page, as shown in Figure 137.
Figure 137 Test busy rate of channels

Click Start to start the testing.

Table 81 Configuration

Item Description
Radio Unit Display the radio unit, which takes the value of 1 or 2.

Radio Mode Display the radio mode of the router.

Test time per channel Set a time period in seconds within which a channel is tested. Defaults to 3 seconds.

Configuring 3G management

You can connect a router to a 3G modem through the USB interface on the main board of the router.
After it is connected to an external UIM card, the 3G modem can access a wireless network and carry out
3G wireless communications.
The router supports 3G modems provided by different vendors. As a peripheral, the 3G modem is not a
part of the router. However, you can maintain and manage the 3G modem through the web interface of
the router.

Managing the 3G modem


Displaying the 3G information
Select 3G > 3G Information from the navigation tree to display the configuration page shown in Figure
138. The status information of the 3G modem, UIM card, and 3G network is displayed on the page.
Figure 138 3G information

Table 82, Table 83, and Table 84 describe the 3G modem information, UIM card information, and 3G
network information, respectively.

Table 82 3G modem information

Item Description
3G Modem State State of the 3G modem:
• Normal—A 3G modem is connected to the router.
• Absent or unrecognized modem—No 3G modem is connected to the router, or the modem cannot be recognized.

Model Model of the 3G modem.

Manufacturer Manufacturer of the 3G modem.

CMII ID CMII ID of the 3G modem.

Serial Number Serial number of the 3G modem.

Hardware Version Hardware version of the 3G modem.

Firmware Version Firmware version of the 3G modem.

PRL Version PRL version of the 3G modem.

Table 83 UIM card information

Item Description
UIM Card State State of the UIM card:
• Absent.
• Being initialized.
• Fault.
• Destructed.
• PIN code protection is disabled.
• PIN code protection is enabled. Enter the PIN code for authentication.
• PIN code protection is enabled, and the PIN code has passed the authentication.
• The PIN code has been blocked. Enter the PUK code to unblock it.

IMSI IMSI of the UIM card.

Voltage Power voltage of the UIM card.

Table 84 3G network information

Item Description
Mobile Network 3G network where the UIM card resides

Network Type State of the 3G network where the UIM card resides:
• No Service
• CDMA
• HDR
• CDMA/HDR HYBRID
• Unknown

RSSI RSSI of the 3G network

Managing the PIN code
NOTE:
• If the PIN code is entered incorrectly a number of times that exceeds the maximum attempts allowed by the device,
the PIN code is blocked. To unblock the PIN code, you must enter the correct PUK code.
• If the PUK code is entered incorrectly a number of times that exceeds the maximum attempts allowed by the device,
the UIM card is destructed. Be cautious when entering the PUK code.

Select 3G > PIN Code Management from the navigation tree to display the PIN code management page.
The PIN code allows you to perform different operations, depending on the UIM card status.

When the UIM card is abnormal


Figure 139 shows the PIN code management page in the situation where the UIM card is absent, being
initialized, faulty, or destructed. In such cases, you cannot manage the PIN code.
Figure 139 PIN code management page I

When the PIN code protection is disabled for the UIM card
Figure 140 shows the PIN code management page in the situation where the PIN code protection for the
UIM card is disabled. To enable the PIN code protection, enter the PIN code correctly, and then click
Apply. A PIN code comprises four to eight digits.
Figure 140 PIN code management page II

When the PIN code must be entered for authentication


Figure 141 shows the PIN code management page in the situation where the PIN code protection has
been enabled for the UIM card and the PIN code must be entered for authentication. To unblock the PIN
code protection, enter the PIN code correctly, and click Apply.
Figure 141 PIN code management page III

When the UIM card has passed the PIN code authentication
Figure 142 shows the PIN code management page in the situation where the UIM card has passed the
PIN code authentication. You can perform the following operations:
• In the Disable PIN Code Protection field, enter the PIN code correctly, and then click Apply to disable
the PIN code protection for the UIM card.
• In the PIN Code Modification field, enter the current PIN code correctly and the new PIN code twice,
and then click Apply to modify the current PIN code.
Figure 142 PIN code management page IV

When the PUK code must be entered to unblock the PIN code of the UIM card
Figure 143 shows the PIN code management page in the situation where the PIN code of the UIM card
has been locked and the PUK code must be entered. To unblock the PIN code of the UIM card and set a
new PIN code, enter the PUK code correctly and the new PIN code twice, and then click Apply.
Figure 143 PIN code management page V

Configuring NAT

You can do the following to configure NAT on the web interface:


• Configure dynamic NAT.
• Configure one-to-one static NAT.
• Configure an internal server.
• Enable application layer protocol check.
• Configure connection limit.
NAT provides a way of translating an IP address to another IP address for a packet. In practice, NAT is
primarily used to allow private hosts to access public networks. With NAT, a few public IP addresses are
used to translate a large number of internal IP addresses, effectively solving the IP address depletion
problem.

NOTE:
For more information about NAT, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

Recommended configuration procedure


Step Remarks
Configuring dynamic NAT / Configuring a DMZ host Use either approach:
• Dynamic NAT—A dynamic NAT entry is generated dynamically. Dynamic NAT applies to the network environment where a large number of internal users need to access the Internet.
• Static NAT—Mappings between external and internal network addresses are manually configured. Static NAT enables a few users to use fixed IP addresses to access the Internet.

Configuring an internal server Required. You can configure an internal server by mapping a public IP address and port number to the private IP address and port number of the internal server.

Enabling application layer protocol check Optional. Enable NAT to check specified application layer protocols. By default, all application layer protocols are checked by NAT.

Configuring connection limit Optional. Limit the number of connections from a source IP address.

Configuring dynamic NAT


Select NAT Configuration > NAT Configuration from the navigation tree to display the default Dynamic
NAT page shown in Figure 144.

Figure 144 Dynamic NAT Configuration

Table 85 Configuration

Item Description
Interface Specify an interface on which to enable the NAT policy.

Translation Mode Select an address translation mode:
• Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address. You do not need to configure any address pool for this mode.
• PAT—In this mode, both IP addresses and port numbers of packets are translated. Configure an address pool for this mode.
• No-PAT—In this mode, only IP addresses of packets are translated. Configure an address pool for this mode.

Start IP Address / End IP Address Specify the start and the end IP addresses for the NAT address pool. The start IP address must be lower than the end IP address. If the end IP address and the start IP address are the same, you are specifying only one IP address.
NOTE:
• Only one translation mode can be selected for the same address pool.
• NAT address pools used by some device models cannot be those used by other address translation policies, IP addresses of interfaces with Easy IP enabled, or external IP addresses of internal servers.

Configuring a DMZ host
1. Create a DMZ host.
Select NAT Configuration > NAT Configuration from the navigation tree, and then click the DMZ HOST tab
to display the page shown in Figure 145.
Figure 145 Create a DMZ host

Table 86 Configuration

Item Description
Host IP Address Specify the internal IP address in a one-to-one static NAT mapping.

Global IP Address Specify the external IP address in a one-to-one static NAT mapping.

2. Enable the DMZ host on an interface.


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the DMZ HOST tab
to display the page shown in Figure 146. You can enable or disable the DMZ host on interfaces.
• The icon indicates that the DMZ host is disabled on the corresponding interface. Click the Enable
link next to the interface to enable DMZ host on the interface.
• The icon indicates that DMZ host is enabled on the corresponding interface. Click the Disable link
next to the interface to disable the DMZ host on the interface.

Figure 146 Enable the DMZ host on interfaces

Configuring an internal server


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the NAT Server
Setup tab to display the internal server configuration page shown in Figure 147.

Figure 147 Internal server configuration page

Table 87 Configuration

Item Description
Interface Specify an interface on which the NAT policy is to be enabled.

Protocol Type of protocol carried by IP: TCP or UDP.

Global IP Address Public IP address for the internal server. You can use the IP address of the current interface or manually specify an IP address.

Global Port Global port number for the internal server.
• Select Other and then enter a port number. If you enter 0, all types of services are provided (only a static binding between the external IP address and the internal IP address is established).
• Select a service, and the corresponding port number is provided. You cannot modify the port number displayed.

Host IP Address Internal IP address for the internal server.

Host Port Internal port number for the internal server.
• Select Other and then enter a port number. If you enter 0, all types of services are provided (only a static binding between the external IP address and the internal IP address is created).
• Select a service, and the corresponding port number is provided. You cannot modify the port number displayed.

Enabling application layer protocol check
Select NAT Configuration > NAT Configuration from the navigation tree, and then click the ALG tab to
display the application layer protocol check configuration page shown in Figure 148.
Figure 148 Application layer protocol check

Table 88 Configuration

Item Description
Protocol Type Enable/disable checking the specified application layer protocols, including DNS, FTP, PPTP, NBT, ILS, H.323, and SIP.

Configuring connection limit


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the Nat Outbound
Setup tab to display the connection limit configuration page shown in Figure 149.
Figure 149 Connection limit

Table 89 Configuration

Item Description
Enable connection limit Enable/disable connection limit.

Max Connections Set the maximum number of connections that can be initiated from a source IP address.

NAT configuration examples
Private hosts to access public network configuration example
Network requirements
As shown in Figure 150, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and the internal network address is 10.110.0.0/16. Specifically, the company has the
following requirements:
• The internal users can access the Internet by using public addresses 202.38.1.2 and 202.38.1.3.
• Configure the upper limit of connections as 1000 based on the source IP address.
Figure 150 Network diagram

Configuration procedure
1. Configure the IP address of each interface. (Details not shown)
# Configure dynamic NAT on Ethernet 0/2.
• Select NAT Configuration > NAT Configuration to display the dynamic NAT configuration page
shown in Figure 151.

Figure 151 Configure dynamic NAT

a. Select Ethernet0/2 from the Interface list.


b. Select PAT from the Translation Mode list.
c. Enter 202.38.1.2 in the Start IP Address field.
d. Enter 202.38.1.3 in the End IP Address field.
e. Click Apply.

# Configure the connection limit.


• Click the Connection Limit tab to display the connection limit configuration page shown in Figure
152.
Figure 152 Configure connection limit

a. Select Enable connection limit.


b. Enter 1000 in Max Connections.
c. Click Apply.

Internal server configuration example
Network requirements
A company provides one FTP server and two web servers for external users to access. The internal
network address is 10.110.0.0/16. The internal network address for the FTP server is 10.110.10.3/16,
and that for web server 1 is 10.110.10.1/16. For web server 2, it is 10.110.10.2/16. The company has
three public IP addresses ranging from 202.38.1.1/24 to 202.38.1.3/24. Specifically, the company
has the following requirements:
• External hosts can access the company internal servers.
• 202.38.1.1 is used as the public IP address for the internal servers, and port number 8080 is used
for web server 2.
Figure 153 Network diagram
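(Diagram: Web server 1 at 10.110.10.1/16, Web server 2 at 10.110.10.2/16, and the FTP server at 10.110.10.3/16 connect to Router interface Eth0/1, 10.110.10.10/16. Router interface Eth0/2, 202.38.1.1/24, connects to the Internet, where the external Host resides.)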

Configuration procedure
# Configure the FTP server.
• Select NAT Configuration > NAT Configuration from the navigation tree, and then click the Internal
Server tab to display the internal server configuration page shown in Figure 154.

Figure 154 Configure the FTP server

a. Select Ethernet0/2 from the Interface list.


b. Select the TCP option for Protocol.
c. Select an option for Global IP Address, and then enter 202.38.1.1 in the field.
d. Select ftp from the Global Port list.
e. Enter 10.110.10.3 in the Host IP Address field.
f. Select ftp from the Host Port list.
g. Click Apply.

# Configure web server 1.

Figure 155 Configure web server 1

a. As shown in Figure 155, select Ethernet0/2 from the Interface list.


b. Select the TCP option for Protocol.
c. Select an option for Global IP Address, and enter 202.38.1.1 in the field.
d. Select http from the Global Port list.
e. Enter 10.110.10.1 in the Host IP Address field.
f. Select http from the Host Port list.
g. Click Apply.

# Configure web server 2.


• Click Add in the internal server configuration page.

Figure 156 Configure web server 2

a. As shown in Figure 156, select Ethernet0/2 from the Interface list.


b. Select the TCP option for Protocol.
c. Select an option for Global IP Address, and enter 202.38.1.1 in the field.
d. Enter 8080 in the Global Port field.
e. Enter 10.110.10.2 in the Host IP Address field.
f. Enter 8080 in the Host Port field.
g. Click Apply.
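
A pre-change check for internal server entries such as the three configured above, written as an added example (it is not HP code). It flags entries that use port 0, which the configuration table says provides all types of services, entries whose host address is outside the internal network, and entries that claim the same global endpoint. The name field, the finding labels, and the collision rule are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Ports behind the service names selected in the steps above (FTP 21, web 80).
SERVICE_PORTS = {"ftp": 21, "http": 80}


@dataclass(frozen=True)
class ServerMapping:
    name: str          # label used in findings only (hypothetical field)
    interface: str
    protocol: str      # TCP or UDP, as offered on the page
    global_ip: str
    global_port: int   # 0 = all types of services
    host_ip: str
    host_port: int     # 0 = all types of services


def port(value):
    """Accept a service name from the list, or a number typed under Other."""
    if isinstance(value, str):
        return SERVICE_PORTS[value.lower()]
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def audit(mappings, internal_net):
    """Return a sorted list of (finding, mapping names) tuples."""
    net = IPv4Network(internal_net)
    findings = []
    by_global = defaultdict(list)
    for m in mappings:
        if m.protocol not in ("TCP", "UDP"):
            findings.append(("bad-protocol", (m.name,)))
        if IPv4Address(m.host_ip) not in net:
            findings.append(("host-outside-internal-network", (m.name,)))
        if m.global_port == 0 or m.host_port == 0:
            # Port 0 binds address to address: every service on the host
            # becomes reachable from outside, not just the intended one.
            findings.append(("all-services-exposed", (m.name,)))
        by_global[(m.interface, m.protocol, m.global_ip)].append(m)
    for group in by_global.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                # Assumed rule: entries collide when they share a global port,
                # or when either one claims every port with 0.
                if a.global_port == b.global_port or 0 in (a.global_port, b.global_port):
                    findings.append(("global-endpoint-conflict", (a.name, b.name)))
    return sorted(findings)


# The three entries from the configuration procedure above.
PAGE_MAPPINGS = [
    ServerMapping("ftp", "Ethernet0/2", "TCP", "202.38.1.1", port("ftp"), "10.110.10.3", port("ftp")),
    ServerMapping("web1", "Ethernet0/2", "TCP", "202.38.1.1", port("http"), "10.110.10.1", port("http")),
    ServerMapping("web2", "Ethernet0/2", "TCP", "202.38.1.1", 8080, "10.110.10.2", 8080),
]

# Constructed entries that show what the audit reports.
RISKY_MAPPINGS = PAGE_MAPPINGS + [
    ServerMapping("any", "Ethernet0/2", "TCP", "202.38.1.1", 0, "10.110.10.9", 0),
    ServerMapping("typo", "Ethernet0/2", "UDP", "202.38.1.1", 69, "0.110.10.1", 69),
]

if __name__ == "__main__":
    print("page entries:", audit(PAGE_MAPPINGS, "10.110.0.0/16"))
    for finding, names in audit(RISKY_MAPPINGS, "10.110.0.0/16"):
        print(finding, ", ".join(names))
```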

Configuring access control

Access control allows you to control access to the Internet from the LAN by setting the time range, IP
addresses of computers in the LAN, port range, and protocol type. All data packets matching these
criteria are denied access to the Internet.
Up to 10 access control policies can be configured, and they are matched in ascending order of
sequence number. The comparison stops immediately after one match is found.

NOTE:
• The 10 access control policies correspond to ACL 3980 through 3989, respectively, in ascending order of sequence
number. Modifying these ACLs may impact the corresponding access control policies.
• Access control is effective only in the outgoing direction of WAN interfaces.

To configure access control:


Select Security Setup > Access from the navigation tree, and then click the Access Control tab to display
the page shown in Figure 157.
Figure 157 Access control

Table 90 Configuration

Item Description
Begin-End Time Set the time range of a day for the rule to take effect. The start time must be earlier than the end time.

Week Select the days of a week for the rule to take effect.

IMPORTANT:
Set both types of time ranges, or set neither of them. To set neither of them, make sure the Begin-End Time is 00:00 - 00:00 and that no days of a week are selected. Setting neither of them means that the rule takes effect all the time.

Protocol Specify to control accesses based on the protocol used for data transmission. These options are available: TCP, UDP, and IP. For information about which services use which protocols, see Table 91.

Source IP Address Configure the IP address range of computers. To control a single IP address, enter the address in the two fields.

Destination Port Set the port range to be filtered. For example, to control Telnet access, enter 23 in the two fields.

Operation Action to be taken for matching packets. The action is Deny, which means that all packets matching the access control policies are not allowed to pass.

Table 91 Commonly used services and their ports

Service Transport layer protocol Port number

FTP TCP 21

Telnet TCP 23

TFTP UDP 69

web TCP 80

Access control configuration example


Network requirements
As shown in Figure 158, internal users of a company, Host A to Host D, access the Internet through the
router. Configure an access control policy as follows:
• Host A to Host C cannot access the Internet from 09:00 to 18:00 every Monday to Friday and can
access the Internet the rest of time.
• Host D can access the Internet all the time.

Figure 158 Network diagram

(Diagram: Host A at 10.1.1.1, Host B at 10.1.1.2, Host C at 10.1.1.3, and Host D at 10.1.1.4 connect to Router, which reaches the Internet through interface Eth0/1.)

Configuration procedure
# Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work
time.
• Select Security Setup > Access from the navigation tree, and then perform the configurations shown
in Figure 159.
Figure 159 Configure an access control policy

a. Set the Begin-End Time to 09:00 - 18:00.


b. Select the checkboxes for Monday to Friday.
c. Select the protocol IP.
d. Enter source IP address range 10.1.1.1 - 10.1.1.3.
e. Click Apply.
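
To check what a set of access control policies will deny before applying it, the matching rules described in this chapter can be modeled offline. The following is an added example, not HP code: policy 1 is the one configured above, policy 2 is constructed for illustration, and the inclusive begin and exclusive end of the time range, plus the treatment of protocol IP as covering every protocol and port, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional

MAX_POLICIES = 10                      # limit stated in this chapter
ALWAYS = (time(0, 0), time(0, 0))      # 00:00 - 00:00 with no days selected


@dataclass(frozen=True)
class Policy:
    seq: int                           # sequence number; lower is matched first
    src_start: str
    src_end: str
    protocol: str = "IP"               # TCP, UDP or IP
    begin: time = time(0, 0)
    end: time = time(0, 0)
    days: frozenset = frozenset()      # 0 = Monday ... 6 = Sunday
    port_start: Optional[int] = None   # destination port range (TCP/UDP)
    port_end: Optional[int] = None

    def always_on(self) -> bool:
        return (self.begin, self.end) == ALWAYS and not self.days

    def validate(self) -> None:
        if self.protocol not in ("TCP", "UDP", "IP"):
            raise ValueError(f"policy {self.seq}: unknown protocol")
        if IPv4Address(self.src_start) > IPv4Address(self.src_end):
            raise ValueError(f"policy {self.seq}: source range reversed")
        if self.always_on():
            return
        # Both kinds of time range must be set, or neither.
        if not self.days or (self.begin, self.end) == ALWAYS:
            raise ValueError(f"policy {self.seq}: set both time and days, or neither")
        if self.begin >= self.end:
            raise ValueError(f"policy {self.seq}: begin must be earlier than end")

    def matches(self, when: datetime, src: str, protocol: str, dport: int) -> bool:
        if not self.always_on():
            if when.weekday() not in self.days:
                return False
            # Assumption: begin is inclusive and end is exclusive.
            if not (self.begin <= when.time() < self.end):
                return False
        if not (IPv4Address(self.src_start) <= IPv4Address(src) <= IPv4Address(self.src_end)):
            return False
        if self.protocol == "IP":
            return True                # assumption: IP covers all protocols and ports
        if self.protocol != protocol:
            return False
        if self.port_start is None:
            return True
        return self.port_start <= dport <= self.port_end


def evaluate(policies, when, src, protocol, dport):
    """Return the sequence number of the policy that denies the packet, or None."""
    if len(policies) > MAX_POLICIES:
        raise ValueError("at most 10 access control policies")
    for p in sorted(policies, key=lambda p: p.seq):
        p.validate()
        if p.matches(when, src, protocol, dport):
            return p.seq               # comparison stops at the first match; action is Deny
    return None


WORKDAYS = frozenset(range(5))         # Monday to Friday
POLICIES = [
    # Constructed: deny Telnet from Host D at all times.
    Policy(2, "10.1.1.4", "10.1.1.4", "TCP", port_start=23, port_end=23),
    # From the example above: Host A to Host C, 09:00 - 18:00, Monday to Friday.
    Policy(1, "10.1.1.1", "10.1.1.3", "IP", time(9, 0), time(18, 0), WORKDAYS),
]

if __name__ == "__main__":
    monday = datetime(2024, 1, 1, 10, 30)      # constructed timestamps
    saturday = datetime(2024, 1, 6, 10, 30)
    cases = [
        ("Host A, Monday 10:30, TCP/80", monday, "10.1.1.1", "TCP", 80),
        ("Host A, Saturday 10:30, TCP/80", saturday, "10.1.1.1", "TCP", 80),
        ("Host D, Monday 10:30, TCP/80", monday, "10.1.1.4", "TCP", 80),
        ("Host D, Saturday 10:30, TCP/23", saturday, "10.1.1.4", "TCP", 23),
    ]
    for label, when, src, proto, dport in cases:
        hit = evaluate(POLICIES, when, src, proto, dport)
        print(f"{label}: {'denied by policy %d' % hit if hit else 'permitted'}")
```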

Configuring URL filtering

The URL filtering function allows you to deny access to certain Internet webpages from the LAN by setting
keywords and URL addresses.

NOTE:
The URL filtering function applies only to the outbound direction of WAN interfaces.

To configure URL filtering:


Select Security Setup > URL Filter from the navigation tree to display the page shown in Figure 160. Then,
click Add to display the URL filtering configuration page shown in Figure 161.
Figure 160 URL filtering entries

Figure 161 URL filtering configuration page

Table 92 Configuration

Item Description
URL Set the URL addresses to be filtered. You can enter a regular expression.

Keyword Set the keywords to be filtered. You can enter a regular expression.

NOTE:
The URL and keyword are in OR relation. When both are configured, the system generates two URL filtering conditions.

Import filter list file If the Import filter list file checkbox is selected, you can import filtering rules from a file.

File Name Specify the name and path of the file in the local host from which you obtain the file. For a description of the content format of filter list files, see Figure 161.

URL filtering configuration example
Network requirements
As shown in Figure 162, internal users access the Internet through Router. Configure the URL filtering
function to disallow access of all internal users to Internet website www.webflt.com.
Figure 162 Network diagram

(Diagram: Router connects to the Internet through interface Eth0/1.)

Configuration procedure
# Configure the URL filtering function.
• Select Security Setup > URL Filter from the navigation tree. Click Add and then perform the following
configurations, as shown in Figure 163.

Figure 163 Configure the URL filtering function

a. Select the URL checkbox, and then enter www.webflt.com in the URL field.
b. Click Apply.

Configuring MAC address filtering

MAC address filtering is used to match MAC addresses of hosts accessing the network through the device
and to deny or permit hosts with matched MAC addresses to access the network through the device.

NOTE:
MAC address filtering applies only to the outgoing direction of Layer 3 Ethernet interfaces and dialer
interfaces.

Configuring the MAC address filtering type


Select Security Setup > MAC Address Filtering from the navigation tree to display the MAC address
filtering configuration page shown in Figure 164.
Figure 164 MAC address filtering

Table 93 Configuration item

Item Description
filtering type Select a MAC address filtering type:
• Disable MAC address filtering
• Permit access to the Internet—Enables MAC address filtering to permit only the hosts whose MAC addresses are on the MAC address list below to access the network through the device.
• Deny access to the Internet—Enables MAC address filtering to deny the hosts whose MAC addresses are on the MAC address list below from accessing the network through the device.
A MAC address list is displayed in the lower part of the page after you select Permit access to the Internet or Deny access to the Internet.

Configuring the MAC addresses to be filtered
Select Security Setup > MAC Address Filtering from the navigation tree to display the MAC address
filtering configuration page shown in Figure 164. Select Permit access to the Internet or Deny access to the
Internet, and the permitted or denied MAC addresses are listed in the lower part of the page, as shown
in Figure 165. Click Add to display the Add MAC Address page, as shown in Figure 166.
Figure 165 MAC address filtering (permit access to the Internet)

Figure 166 Add MAC addresses

Table 94 Configuration

Item Description
Use the customized MAC address / Use the learned MAC addresses Enter the MAC addresses to be filtered, or select them from the learned MAC addresses list.

NOTE:
If you select Permit access to the Internet or Deny access to the Internet as the filtering type, the selected
filtering type takes effect as long as you add the MAC addresses for this type, regardless of whether you
click Apply at the filtering type configuration area on the MAC Address Filtering page.

MAC address filtering configuration example


Network requirements
As shown in Figure 167, internal users access the Internet through Router. Configure the MAC address
filtering function to deny users whose MAC addresses are 000d-88f8-0dd7 and 000d-88f7-b8d6 from
accessing the Internet.
Figure 167 Network diagram

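(Diagram: the hosts with MAC address 000d-88f8-0dd7, IP address 192.168.1.17, and MAC address 000d-88f7-b8d6, IP address 192.168.1.18, connect to Router, which reaches the Internet through interface Eth0/1.)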

Configuration procedure
# Configure the MAC address filtering function.
• Select Security Setup > MAC Address Filtering from the navigation tree, and then perform the
following configurations, as shown in Figure 168.

Figure 168 Select MAC address filtering type

a. Select Deny access to the Internet as the filtering type.


b. Click Add.

Then perform the following configurations, as shown in Figure 169.


Figure 169 Specify the MAC addresses to be denied access to the Internet

a. Select Use the learned MAC addresses.


b. Select 000d-88f8-0dd7 and 000d-88f7-b8d6 from the Learned MAC Addresses list, and then
click the << button to add them to the Selected MAC Addresses list.
c. Click Apply.

Configuring attack protection

Complete the following tasks to configure attack protection functions in the web interface:
• Enable the blacklist function.
• Add a blacklist entry manually.
• View blacklist entries.
• Configure intrusion detection.
Attack protection is an important network security feature. It can determine whether received packets are
attack packets according to the packet contents and behaviors and, if detecting an attack, take measures
to deal with the attack. Protection measures include logging the event, dropping packets, updating the
session status, and blacklisting the source IP address.

Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with ACL packet filtering, blacklist filtering is simpler in matching packets and can, therefore, filter
packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
One outstanding benefit of the blacklist function is that it allows the device to add and delete blacklist
entries dynamically. This is done by working in conjunction with the scanning attack protection function.
When the device detects a scanning attack according to the packet behavior, it adds the IP address of
the attacker to the blacklist, so packets from the IP address are filtered. Blacklist entries added
dynamically are aged in a specified period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Blacklist entries added
manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always
exists in the blacklist unless you delete it manually. You can configure the aging time of a non-permanent
entry. After the timer expires, the device automatically deletes the blacklist entry, allowing packets from
the corresponding IP address to pass.

Intrusion detection function


The device can defend against two categories of network attacks: single-packet attacks and abnormal
traffic. Abnormal traffic falls into two sub-categories: scanning attacks and flood attacks, according to
attack characteristics.

Protection against single-packet attacks


A single-packet attack is also called a "malformed packet attack." Such an attack is formed when:
• The attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal
TCP flags, to a target system so that the target system malfunctions or crashes when processing such
packets.
• The attacker sends large quantities of such packets to the network to use up the network bandwidth.
Table 95 lists the types of single-packet attacks that can be prevented by the device.

Table 95 Types of single-packet attacks

Single-packet attack | Description
Fraggle | A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address. This causes a large quantity of responses in the network, using up the network bandwidth of the subnet or crashing the target host.
LAND | A LAND attacker forges large amounts of TCP SYN packets with both the source address and destination address being the IP address of the target, causing the target to send SYN ACK messages to itself and establish half-open connections as a result. In this way, the attacker may deplete the half-open connection resources of the target, making it unable to work normally.
WinNuke | A WinNuke attacker sends OOB data packets to the NetBIOS port (139) of a target running a Windows system. The pointer fields of these attack packets are overlapped, resulting in NetBIOS fragment overlaps. This causes the target host that has established TCP connections with other hosts to crash when it processes these NetBIOS fragments.
TCP Flag | Different operating systems process abnormal TCP flags differently. The attacker sends TCP packets with abnormal TCP flags to the target host to probe its operating system. If the operating system cannot process such packets properly, the host crashes.
ICMP Unreachable | Upon receiving an ICMP unreachable packet, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network.
ICMP Redirect | An ICMP Redirect attacker sends ICMP redirect messages to hosts on a subnet to request the hosts to change their routing tables, interfering with the normal forwarding of IP packets.
Tracert | The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a router sends an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf | A Smurf attacker sends ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, causing network congestion and causing hosts on the target network to be unable to provide services.
Source Route | A Source Route attacker probes the network structure through the Source Route option in IP packets.
Route Record | A Route Record attacker probes the network structure through the Record Route option in IP packets.
Large ICMP | For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. An attacker can make a target crash by sending large ICMP packets to it.

The single-packet attack protection function takes effect only on incoming packets. It analyzes the
characteristics of incoming packets to determine whether they are attack packets and, if they are,
logs the events and discards the packets. For example, if the length of an ICMP packet reaches
or exceeds 4000 bytes, the device considers the packet a large ICMP attack packet, outputs a warning
log, and discards the packet.
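The checks described in Table 95 can be expressed as per-packet predicates. The following is an added example, not the router's implementation: the Packet fields, the sample packets, and the list of illegal TCP flag combinations are assumptions, and the Tracert row is not modelled.

```python
"""Added example: classify parsed packet summaries against Table 95.
Not the router's implementation; field names and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LARGE_ICMP_BYTES = 4000                  # threshold stated in the guide
IPOPT_RECORD_ROUTE = 7                   # IPv4 option type: Record Route
IPOPT_SOURCE_ROUTE = (131, 137)          # IPv4 option types: loose / strict source route
ICMP_UNREACHABLE, ICMP_REDIRECT, ICMP_ECHO_REQUEST = 3, 5, 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    length: int = 60                     # total packet length in bytes
    dport: int = 0
    tcp_flags: frozenset = frozenset()
    icmp_type: int = -1
    ip_options: tuple = ()               # IPv4 option type numbers present


def has_illegal_flags(flags):
    """Assumption: the guide does not list the illegal combinations. These three
    (no flags, SYN+FIN, SYN+RST) never occur in a conforming TCP exchange."""
    return not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags


def is_broadcast(dst, networks):
    """True for the limited broadcast or the broadcast address of a protected subnet."""
    addr = IPv4Address(dst)
    if addr == IPv4Address("255.255.255.255"):
        return True
    return any(addr in net and addr == net.broadcast_address for net in networks)


def classify(pkt, protected_networks):
    """Return the Table 95 attack names that an incoming packet matches."""
    nets = [IPv4Network(n) for n in protected_networks]
    to_broadcast = is_broadcast(pkt.dst, nets)
    hits = []
    if pkt.proto == "udp" and pkt.dport in (7, 19) and to_broadcast:
        hits.append("Fraggle")           # echo/chargen aimed at a broadcast address
    if pkt.proto == "tcp":
        if "SYN" in pkt.tcp_flags and pkt.src == pkt.dst:
            hits.append("LAND")          # SYN whose source equals its destination
        if pkt.dport == 139 and "URG" in pkt.tcp_flags:
            hits.append("WinNuke")       # OOB (urgent) data to the NetBIOS port
        if has_illegal_flags(pkt.tcp_flags):
            hits.append("TCP Flag")
    if pkt.proto == "icmp":
        if pkt.icmp_type == ICMP_UNREACHABLE:
            hits.append("ICMP Unreachable")
        if pkt.icmp_type == ICMP_REDIRECT:
            hits.append("ICMP Redirect")
        if pkt.icmp_type == ICMP_ECHO_REQUEST and to_broadcast:
            hits.append("Smurf")
        if pkt.length >= LARGE_ICMP_BYTES:   # "reaches or exceeds 4000 bytes"
            hits.append("Large ICMP")
    if any(opt in IPOPT_SOURCE_ROUTE for opt in pkt.ip_options):
        hits.append("Source Route")
    if IPOPT_RECORD_ROUTE in pkt.ip_options:
        hits.append("Route Record")
    return hits


# Constructed sample traffic for a protected LAN assumed to be 192.168.1.0/24.
SAMPLES = [
    Packet("203.0.113.9", "192.168.1.255", "udp", dport=19),
    Packet("192.168.1.17", "192.168.1.17", "tcp", dport=80, tcp_flags=frozenset({"SYN"})),
    Packet("203.0.113.9", "192.168.1.255", "icmp", length=4000, icmp_type=8),
    Packet("203.0.113.9", "192.168.1.17", "icmp", length=3999, icmp_type=8),
]


def demo():
    return [(p.src, p.dst, classify(p, ["192.168.1.0/24"])) for p in SAMPLES]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The ICMP Unreachable and ICMP Redirect checks are plain type matches, so enabling them also discards legitimate messages of those types.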

Protection against scanning attacks


Scanning attackers usually use some scanning tools to scan host addresses and ports in a network. By
doing this, they find possible targets and services enabled on the targets and figure out the network
topology, preparing for further attacks to the target hosts.
The scanning attack protection function takes effect only on incoming packets. It monitors the rate at
which an IP address initiates connections to destination systems. If the rate reaches or exceeds 4000
connections per second, it logs the event, adds the IP address to the blacklist, and discards subsequent
packets from the IP address.
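The interaction between the blacklist (manual, permanent, and aged entries) and scanning attack protection can be modelled as follows. This is an added example, not the router's code: the class names, the one-second sliding window, and the hold time for automatically added entries are assumptions (the guide only says such entries are aged after a specified period).

```python
"""Added example: blacklist with aging plus rate-based scan detection.
Not the router's code; class names and the automatic hold time are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

SCAN_RATE_THRESHOLD = 4000      # connections per second, from the guide
AUTO_HOLD_SECONDS = 600         # assumption: the guide gives no aging value


@dataclass
class Entry:
    add_method: str                 # "Manual" or "Automatic"
    start_time: float
    hold_seconds: Optional[float]   # None means a permanent entry
    dropped: int = 0


class Blacklist:
    def __init__(self, enabled=False):      # disabled by default, as in the guide
        self.enabled = enabled
        self.entries = {}

    def add_manual(self, ip, now, hold_minutes=None):
        """Add or modify by hand. Modifying an Automatic entry makes it Manual."""
        hold = None if hold_minutes is None else hold_minutes * 60
        self.entries[ip] = Entry("Manual", now, hold)

    def add_automatic(self, ip, now):
        """Called by scan detection; an existing entry is left untouched."""
        self.entries.setdefault(ip, Entry("Automatic", now, AUTO_HOLD_SECONDS))

    def should_drop(self, ip, now):
        entry = self.entries.get(ip) if self.enabled else None
        if entry is None:
            return False
        if entry.hold_seconds is not None and now - entry.start_time >= entry.hold_seconds:
            del self.entries[ip]            # aged out: packets pass again
            return False
        entry.dropped += 1                  # the "Dropped Count" column
        return True


class ScanDetector:
    """Counts connections initiated by each source IP over the last second."""

    def __init__(self, blacklist, threshold=SCAN_RATE_THRESHOLD, add_to_blacklist=True):
        self.blacklist = blacklist
        self.threshold = threshold
        self.add_to_blacklist = add_to_blacklist
        self.recent = defaultdict(deque)    # source IP -> initiation timestamps

    def on_connection(self, src, now):
        if self.blacklist.should_drop(src, now):
            return "drop"
        window = self.recent[src]
        window.append(now)
        while now - window[0] >= 1.0:       # keep only the last second
            window.popleft()
        if len(window) >= self.threshold:   # "reaches or exceeds" the threshold
            del self.recent[src]
            if self.add_to_blacklist:
                self.blacklist.add_automatic(src, now)
            return "scan-detected"
        return "forward"


def demo():
    """Constructed traffic: 198.51.100.7 opens 4000 connections in under a second."""
    blacklist = Blacklist(enabled=True)
    detector = ScanDetector(blacklist)
    verdicts = [detector.on_connection("198.51.100.7", i * 0.0002) for i in range(4000)]
    after = detector.on_connection("198.51.100.7", 0.9)
    return verdicts[-1], after, blacklist.entries["198.51.100.7"].add_method


if __name__ == "__main__":
    print(demo())
```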

Protection against flood attacks


Flood attackers send a large number of forged requests to the targets in a short time, so that the target
systems become too busy to provide services for legitimate users, resulting in denial of service.
The device can defend against these types of flood attacks:
SYN flood attack
Because of the limited resources, the TCP/IP stack permits only a limited number of TCP connections. A
SYN flood attacker sends a great quantity of SYN packets to a target server, using a forged address as
the source address. After receiving the SYN packets, the server replies with SYN ACK packets. Because
the destination address of the SYN ACK packets is unreachable, the server can never receive the
expected ACK packets, resulting in large amounts of half-open connections. In this way, the attacker
exhausts the system resources, making the server unable to service normal clients.
ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time by, for
example, using the ping program, causing the target to become too busy to process normal services.
UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that the
target becomes too busy to process normal services.
The flood attack protection function takes effect only on outgoing packets. It is mainly used to protect
servers. It monitors the connection establishment rate and number of half-open connections of a server. If
the rate reaches or exceeds 1000 connections per second or if the number of half-open connections
reaches or exceeds 10,000 (only SYN flood attack protection supports restriction of half-open
connections), it logs the event and discards subsequent connection requests to the server.
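The two SYN flood thresholds above can be tracked per server as shown below. This is an added example, not the router's code: the class and method names, the per-second counting buckets, and the sample addresses are assumptions, and half-open aging timers are not modelled.

```python
"""Added example: per-server SYN flood thresholds with half-open tracking.
Not the router's code; class and method names are assumptions."""
from collections import defaultdict

RATE_THRESHOLD = 1000           # new connections per second to one server (guide)
HALF_OPEN_THRESHOLD = 10_000    # half-open connections to one server (guide)


class SynFloodGuard:
    def __init__(self, rate_limit=RATE_THRESHOLD, half_open_limit=HALF_OPEN_THRESHOLD):
        self.rate_limit = rate_limit
        self.half_open_limit = half_open_limit
        self.half_open = defaultdict(set)   # server -> {(client, sport)} awaiting final ACK
        self.per_second = {}                # server -> (second, SYNs forwarded in it)
        self.alarms = []                    # (time, server, reason) log records

    def _drop(self, server, now, reason):
        self.alarms.append((now, server, reason))
        return "drop"

    def on_syn(self, server, client, sport, now):
        """Decide whether a connection request toward a protected server passes."""
        second, count = self.per_second.get(server, (int(now), 0))
        if second != int(now):              # a new one-second bucket starts
            second, count = int(now), 0
        pending = self.half_open[server]
        if count >= self.rate_limit:        # rate has reached the threshold
            return self._drop(server, now, "rate")
        if len(pending) >= self.half_open_limit:
            return self._drop(server, now, "half-open")
        self.per_second[server] = (second, count + 1)
        pending.add((client, sport))        # SYN seen, handshake not yet complete
        return "forward"

    def on_handshake_end(self, server, client, sport):
        """Final ACK, RST or timeout: the connection is no longer half-open."""
        self.half_open[server].discard((client, sport))


def demo():
    """Constructed traffic: 10,001 SYNs at 500 per second that are never ACKed."""
    guard = SynFloodGuard()
    verdicts = []
    for i in range(10_001):
        client = "203.0.113.%d" % (i % 250)
        verdicts.append(guard.on_syn("192.168.1.80", client, 1024 + i, i / 500))
    return verdicts.count("forward"), verdicts[-1], guard.alarms[-1][2]


if __name__ == "__main__":
    print(demo())
```

Only SYN flood protection uses the half-open limit; for ICMP and UDP flood protection the rate check alone applies.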

Configuring the blacklist function
Recommended configuration procedure
Step | Remarks
Enabling the blacklist function | Required. By default, the blacklist function is disabled.
Adding blacklist entries (Configuring the scanning attack protection function to add blacklist entries automatically, or Adding a blacklist entry manually) | Required. Use either approach. You can add blacklist entries manually or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically. For configuration of scanning attack protection, see "Configuring intrusion detection." By default, no blacklist entry exists. NOTE: Modifying an automatically added entry changes the type of the entry to Manual.
Viewing blacklist entries | Optional.

Enabling the blacklist function


From the navigation tree, select Security Setup > Attack Defend > Blacklist to display the page shown
in Figure 170, where all manually configured or automatically generated blacklist entries are listed.
Select the Enable Blacklist checkbox, and then click Apply to enable the blacklist filtering function.
Figure 170 Blacklist page

Adding a blacklist entry manually
On the blacklist page shown in Figure 170, click Add to configure a blacklist entry, as shown in Figure
171.
Figure 171 Add a blacklist entry

Table 96 Configuration

Item | Description
IP Address | Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8.
Hold Time | Configure the entry as a non-permanent entry, and specify the hold time of the blacklist entry.
Permanence | Configure the entry as a permanent entry.

Viewing blacklist entries


Select Security Setup > Attack Defend > Blacklist from the navigation tree to view blacklist entries.
Table 97 Field description

Field | Description
IP Address | IP address of the blacklist entry.
Add Method | The way in which the blacklist entry was added, Manual or Automatic. Manual: The entry was added manually or has been modified after being added automatically. Automatic: The entry was added automatically by the scanning attack protection function. NOTE: Modifying an automatically added entry changes the type of the entry to Manual.
Start Time | The time when the blacklist entry was added.
Hold Time | Duration for which the blacklist entry is held in the blacklist.
Dropped Count | Number of packets matching the blacklist entry and dropped by the device.

Configuring intrusion detection
On the A-MSR900/20-1X series routers
Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree to display the
intrusion detection configuration page, as shown in Figure 172. Select the Enable attack defense policy
checkbox, and then select the specific attack protection functions to be enabled. Click Apply to finish the
configuration.
Figure 172 Intrusion detection configuration page

On the A-MSR20/30/50 series routers


Select Security Setup > Attack Defend > Intrusion Detection to display the page shown in Figure 173.
Click Add to display the page for adding a new intrusion detection policy shown in Figure 174. Select an
interface, select the attack protection functions to be enabled, and then click Apply. The selected attack
protection functions are enabled on the selected interface.

Figure 173 Intrusion detection policy list

Figure 174 Add an intrusion detection policy

Attack protection configuration examples
Attack protection configuration example for the A-MSR900/20-1X series routers
Network requirements
As shown in Figure 175, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:
• Router always drops packets from Host D, an attacker.
• Router denies packets from Host C for 50 minutes for temporary access control of Host C.
• Router provides scanning attack protection and automatically adds detected attackers to the
blacklist.
• Router provides Land attack protection and Smurf attack protection.
Figure 175 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 176.

Figure 176 Enable the blacklist function

a. Select the Enable Blacklist checkbox.


b. Click Apply.

# Add blacklist entries manually.


• Click Add and then perform the following configurations, as shown in Figure 177.
Figure 177 Add a blacklist entry for Host D

a. Enter IP address 5.5.5.5, the IP address of Host D.


b. Select Permanence for this blacklist entry.
c. Click Apply.
d. Click Add and then perform the following configurations, as shown in Figure 178.

Figure 178 Add a blacklist entry for Host C

a. Enter IP address 192.168.1.5, the IP address of Host C.


b. Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
c. Click Apply.
# Configure intrusion detection: Enable scanning attack protection, and enable blacklist function for it.
Enable Land attack protection and Smurf attack protection.
• Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree, and then
perform the following configurations, as shown in Figure 179.

Figure 179 Configure intrusion detection

a. Select Enable Attack Defense Policy.


b. Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other checkboxes.
c. Click Apply.

Verifying the configuration


• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
• Router drops all packets from Host D unless you remove Host D from the blacklist.
• Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.
• Upon detecting the scanning attack, Router outputs an alarm log and adds the IP address of the
attacker to the blacklist. You can view the added blacklist entry by selecting Security Setup > Attack
Defend > Blacklist.
• Upon detecting the Land or Smurf attack, Router outputs an alarm log and drops the attack packet.

Attack protection configuration example for the A-MSR20/30/50 series routers
Network requirements
As shown in Figure 180, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:

• Router always drops packets from Host D, an attacker.
• Router denies packets from Host C for 50 minutes for temporary access control of Host C.
• Router provides scanning attack protection and automatically adds detected attackers to the blacklist
on interface Ethernet 0/2, the interface connecting the Internet.
• Router provides Land attack protection and Smurf attack protection on Ethernet 0/2.
Figure 180 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 181.
Figure 181 Enable the blacklist function

a. Select the Enable Blacklist checkbox.


b. Click Apply.

# Add blacklist entries manually.


• Click Add and then perform the following configurations, as shown in Figure 182.

Figure 182 Add a blacklist entry for Host D

a. Enter IP address 5.5.5.5, the IP address of Host D.


b. Select Permanence for this blacklist entry.
c. Click Apply.
d. Click Add and then perform the following configurations, as shown in Figure 183.

Figure 183 Add a blacklist entry for Host C

a. Enter IP address 192.168.1.5, the IP address of Host C.


b. Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
c. Click Apply.
# Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist
function for it. Enable Land attack protection and Smurf attack protection.
• Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree. Click Add and
then perform the following configurations, as shown in Figure 184.

Figure 184 Configure intrusion detection

a. Select interface Ethernet0/2.


b. Select Enable Attack Defense Policy.
c. Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other checkboxes.
d. Click Apply.

Verifying the configuration


• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
• Router drops all packets from Host D unless you remove Host D from the blacklist.
• Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.
• Upon detecting the scanning attack on Ethernet 0/2, Router outputs an alarm log and adds the IP
address of the attacker to the blacklist. You can view the added blacklist entry by selecting Security
Setup > Attack Defend > Blacklist.
• Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops the
attack packet.

Configuring application control

Complete the following tasks to configure application control in the web interface:
• Load applications.
• Configure a custom application.
• Enable application control.
Application control allows you to control which applications and protocols users can access on the
Internet by specifying the destination IP address, protocol, operation type, and port. Application control
can be based on a group of users or all users in a LAN. This chapter describes the application control
based on all users. For application control based on user group, see "Configuring SIP server group
management."

NOTE:
The application control function applies only to the outbound direction of WAN interfaces.

Configuring application control


Recommended configuration procedure
Step | Remarks
Loading applications | Optional. Load the signature file that contains the application control rules to the device. NOTE: If you perform this configuration multiple times, only the last file loaded to the device takes effect.
Configuring a custom application | Optional. Add a custom application, and configure the match rules.
Enabling application control | Required. Enable application control for specified applications or protocols globally.

Loading applications
Select Security Setup > Application Control from the navigation tree, and then click the Load Application
tab to display the page for loading applications shown in Figure 185.
• To load an application control file from the device, select From Device, select the application control
file, and then click Apply.
• To load an application control file from the local host to the device, select From Local, click Browse
to find the file, and then click Apply.

After the file is loaded to the device successfully, all the loaded applications are displayed in the lower
part of the page.
Figure 185 Load applications

Configuring a custom application


Select Security Setup > Application Control from the navigation tree, and then click the Custom
Application tab to display the custom application list page shown in Figure 186. Click Add to display the
page for configuring a custom application shown in Figure 187.
Figure 186 Custom applications

Figure 187 Add a custom application

Table 98 Configuration

Item | Description
Application Name | Specify the name for the custom application.
Protocol | Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP-carried protocols.
IP Address | Specify the IP address of the server of the applications to be controlled.
Port (Match Rule, Start Port, End Port) | Specify the port numbers of the applications to be controlled. When you select TCP or UDP for the Protocol parameter, the port configuration is available.
• If you do not want to limit port numbers, do not select a match rule. In this case, you do not need to enter the start port and end port.
• If you want to limit a range of ports, select Range for the match rule, and then enter the start port and end port to specify the port range.
• If you select other options of the match rule, you only need to enter the start port.

Enabling application control


Select Security Setup > Application Control from the navigation tree. The Application Control tab appears,
as shown in Figure 188. Select the applications and protocols to be controlled from the Loaded
Applications, Predefined Applications, and Custom Applications areas as needed, and then click Apply.

Figure 188 Application Control

Application control configuration example


Network requirements
As shown in Figure 189, internal users access the Internet through Router. Configure application control
on Router, so that no user can use MSN.
Figure 189 Network diagram (Internet, Eth0/1, Router)

Configuration procedure
# Load the application control file. (Assume that signature file p2p_default.mtd, which can prevent users
from using MSN, is stored on the device).
• Select Security Setup > Application Control from the navigation tree, and then click the Load
Application tab and perform the following configurations, as shown in Figure 190.

Figure 190 Load the application signature file

a. Select the From Device option, and then select file p2p_default.
b. Click Apply. Figure 191 shows the loaded applications.

Figure 191 Loaded applications

# Enable application control.


• Click the Application Control tab, and then perform the following configurations, as shown in Figure
192.

Figure 192 Configure application control

a. Select MSN from the Loaded Applications area.


b. Click Apply.

Configuring webpage redirection

With webpage redirection configured on an interface, a user accessing a webpage through the interface
for the first time is forcibly led to a specified webpage (the web access request of the user is redirected to
the specified URL). After that, the user can access network resources normally. If the user sends a web
access request after a specified time interval, the specified webpage is displayed again.
This feature applies to scenarios where a hotel or carrier wants to periodically push an advertisement
webpage to users.

NOTE:
Webpage redirection is ineffective on the interface with the portal function enabled. Do not configure both
functions on an interface.

To configure webpage redirection:


Select Advanced > Redirection from the navigation tree to display the page shown in Figure 193. The
webpage redirection configuration information is displayed on the page. Click Add to display the
configuration page shown in Figure 194.
Figure 193 Redirection page

Figure 194 Redirection URL configuration page

Table 99 describes the redirection URL configuration.
Table 99 Configuration

Item | Description
Interface | Select an interface on which to enable webpage redirection.
Redirection URL | Enter the address of the webpage to be displayed (the URL to which the web access request is redirected). For example, http://192.0.0.1.
Interval | Enter the time interval at which webpage redirection is triggered.

Configuring routes

The term "router" in this document refers to both routers and Layer 3 switches.
This chapter mainly describes IPv4 route configuration.
You can perform the following route configurations through the web interface:
• Creating a static route
• Displaying the active route table
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host.
Routing provides the path information that guides the forwarding of packets.
A router selects optimal routes from the routing table and sends them to the FIB table to guide packet
forwarding. Each router maintains a routing table and a FIB table.
You can manually configure routes. Such routes are called "static routes."

NOTE:
For more information about the routing table and static routes, see HP A-MSR Router Series Layer 3—IP
Routing Configuration Guide.

Route configuration
Creating an IPv4 static route
Select Advanced > Route Setup from the navigation tree, and then click the Create tab to display the static
route configuration page, as shown in Figure 195.

Figure 195 Static route configuration page

Table 100 Configuration

Item | Description
Destination IP Address | Enter the destination IP address of the static route, in dotted decimal notation.
Mask | Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
Preference | Enter a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop | Enter the next hop IP address of the static route, in dotted decimal notation.
Interface | Select the outgoing interface of the static route. If you select Null 0, the destination IP address is unreachable.

Displaying the active route table


Select Advanced > Route Setup from the navigation tree to display the Summary tab, as shown in Figure
196.
Figure 196 Active route table

Table 101 Field description

Field | Description
Destination IP Address | Destination IP address of the route.
Mask | Mask of the destination IP address.
Protocol | Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols.
Preference | Preference for the route.
Next Hop | Next hop address of the route.
Interface | Output interface of the route. Packets destined for the destination IP address are forwarded out the interface.

IPv4 static route configuration example
Network requirements
The routers' interfaces and the hosts' IP addresses and masks are shown in Figure 197. Configure static
routes on the routers for any two hosts to communicate with each other.
Figure 197 Network diagram

Configuration considerations
1. Configure a default route with Router B as the next hop on Router A.
2. On Router B, configure one static route with Router A as the next hop and the other with Router C as
the next hop.
3. Configure a default route with Router B as the next hop on Router C.

Configuration procedure
1. Configure the IP addresses of the interfaces. (Details not shown)
2. Configure static routes on the routers.
# Configure a default route on Router A.
• Select Advanced > Route Setup from the navigation tree of Router A, and then click the Create tab to
perform the following settings on the page shown in Figure 198.
a. Enter 0.0.0.0 for Destination IP Address.
b. Enter 0 for Mask.
c. Enter 1.1.4.2 for Next Hop.
d. Click Apply.

Figure 198 Configure a default route on Router A

The newly created static route is listed in the lower part of the page.
# Configure two static routes on Router B.
a. Select Advanced > Route Setup from the navigation tree of Router B, and then click the Create
tab to perform the following settings on the page shown in Figure 198.
b. Enter 1.1.2.0 for Destination IP Address.
c. Enter 24 for Mask.
d. Enter 1.1.4.1 for Next Hop.
e. Click Apply.
f. Enter 1.1.3.0 for Destination IP Address.
g. Enter 24 for Mask.
h. Enter 1.1.5.6 for Next Hop.
i. Click Apply.
The newly created static route is listed in the lower part of the page.
# Configure a default route on Router C.
a. Select Advanced > Route Setup from the navigation tree of Router C, and then click the Create
tab to perform the following settings on the page shown in Figure 198.
b. Enter 0.0.0.0 for Destination IP Address.
c. Enter 0 for Mask.
d. Enter 1.1.5.5 for Next Hop.
e. Click Apply.

The newly created static route is listed in the lower part of the page.
3. Configure the IP addresses and default gateways of hosts.
As shown in Figure 197, configure the IP addresses of the hosts, and configure the default gateways of
Host A, B, and C as 1.1.2.3, 1.1.6.1, and 1.1.3.1, respectively. The detailed configuration steps are not
shown.

Verifying the configuration
# Display the active route table.
From the navigation trees of Router A, Router B, and Router C, select Advanced > Route Setup to display
the Summary tab. Verify that the newly created static routes are displayed in the active route table.
# Ping Host A from Host B (assuming both hosts run Windows XP).
C:\Documents and Settings\Administrator>ping 1.1.2.2

Pinging 1.1.2.2 with 32 bytes of data:

Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Use the tracert command on Host B to check the reachability to Host A.
C:\Documents and Settings\Administrator>tracert 1.1.2.2

Tracing route to 1.1.2.2 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 1.1.6.1
2 <1 ms <1 ms <1 ms 1.1.4.1
3 1 ms <1 ms <1 ms 1.1.2.2

Trace complete.
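The forwarding decisions behind the tracert output above, together with the Preference semantics from Table 100, can be reproduced with a small route-selection model. This is an added example, not the router's code: it applies standard longest-prefix matching to the static routes entered in the procedure, and the default preference value, the second next hop 1.1.4.9, and the 203.0.113.0/24 Null 0 route are constructed for illustration.

```python
"""Added example: route selection over the static routes configured above.
Not the router's code; longest-prefix match is standard IP forwarding behaviour."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

DEFAULT_PREFERENCE = 60     # assumption: the guide does not state the default value


@dataclass(frozen=True)
class StaticRoute:
    destination: str
    mask: object                        # mask length or dotted decimal, as in the web form
    next_hop: Optional[str] = None
    interface: Optional[str] = None
    preference: int = DEFAULT_PREFERENCE

    @property
    def network(self):
        return IPv4Network(f"{self.destination}/{self.mask}")


# Static routes exactly as entered in the configuration procedure.
ROUTER_A = [StaticRoute("0.0.0.0", 0, "1.1.4.2")]
ROUTER_B = [StaticRoute("1.1.2.0", 24, "1.1.4.1"),
            StaticRoute("1.1.3.0", 24, "1.1.5.6")]
ROUTER_C = [StaticRoute("0.0.0.0", 0, "1.1.5.5")]

# Constructed variations (1.1.4.9 is a hypothetical second next hop).
BACKUP = ROUTER_B + [StaticRoute("1.1.2.0", 24, "1.1.4.9", preference=80)]
SHARING = ROUTER_B + [StaticRoute("1.1.2.0", "255.255.255.0", "1.1.4.9")]
BLACKHOLE = ROUTER_A + [StaticRoute("203.0.113.0", 24, interface="Null 0")]


def select(routes, dst):
    """Longest matching prefix first, then the smallest preference value.
    More than one result means the routes share the load."""
    addr = IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return []
    longest = max(r.network.prefixlen for r in matches)
    best = [r for r in matches if r.network.prefixlen == longest]
    preferred = min(r.preference for r in best)
    return [r for r in best if r.preference == preferred]


def forward(routes, dst):
    """Return the next hops (or output interface names) used for dst."""
    return sorted(r.next_hop or r.interface for r in select(routes, dst))


if __name__ == "__main__":
    print("Router B ->", forward(ROUTER_B, "1.1.2.2"))       # hop 2 of the tracert
    print("Router A ->", forward(ROUTER_A, "1.1.6.1"))       # default route
    print("backup   ->", forward(BACKUP, "1.1.2.2"))
    print("sharing  ->", forward(SHARING, "1.1.2.2"))
    print("Null 0   ->", forward(BLACKHOLE, "203.0.113.5"))
```

A destination that matches no static route on Router B returns an empty list, because Router B has no default route in this example.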

Configuration guidelines
When you configure a static route, follow these guidelines:
1. If you do not specify the preference when you configure a static route, the default preference is
used. Reconfiguration of the default preference applies only to newly created static routes. The web
interface does not support configuration of the default preference.
2. When you configure a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet interface
and VLAN interface.
3. When specifying the output interface:
• If Null 0 or a loopback interface is specified as the output interface, there is no need to configure
the next hop.
• If a point-to-point interface is specified as the output interface, you do not need to specify the
next hop, and there is no need to change the configuration after the peer address has changed.
For example, a PPP interface obtains the peer's IP address through PPP negotiation. Therefore,
you only need to specify it as the output interface.
• If the output interface is an NBMA or P2MP interface (which supports point-to-multipoint
networks), the IP address-to-link layer address mapping must be established. HP recommends
specifying the next hop when you configure it as the output interface.
• If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
VLAN interface) as the output interface (which can have multiple next hops), you must specify the
next hop at the same time.

Configuring user-based load sharing

You can configure user-based load sharing in the web interface.


A routing protocol can have multiple equal-cost routes to the same destination. These routes have the
same preference and are all used to accomplish load sharing if no route with a higher preference is
available.
The device supports user-based load sharing based on the user information (source IP addresses) of
packets.
To configure user-based load sharing:
Select Advanced > User-based-sharing from the navigation tree to display the page shown in Figure 199,
where interface configuration is displayed. Click the icon to display the Modify configuration page
shown in Figure 200.
Figure 199 User-based load sharing

Figure 200 Modify configuration

Table 102 Configuration

| Item | Description |
|---|---|
| Interface | Name of the interface for which to configure user-based load sharing. |
| Status of user-based-sharing | Set whether to enable user-based load sharing on the interface. |
| Bandwidth | Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface. For example, if the bandwidth of Ethernet 0/0 is set to 200 kbps and that of Ethernet 0/1 is set to 100 kbps, the load ratio is 2:1. |

Configuring traffic ordering

You can do the following to configure traffic ordering on the web interface:
• Setting the traffic ordering interval
• Specifying the traffic ordering mode
• Displaying internal interface traffic ordering statistics
• Displaying external interface traffic ordering statistics
When multiple packet flows (classified by their source addresses) are received or sent by a device, you
can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound
direction and then rank the statistics. The network administrator can use the traffic ordering statistics to
analyze the network usage for network management.
An interface can be specified as an external or internal interface to collect traffic statistics:
• An internal interface collects both inbound and outbound traffic statistics, including total traffic
statistics, total inbound/outbound traffic statistics, inbound/outbound TCP packet statistics,
inbound/outbound UDP packet statistics, and inbound/outbound ICMP packet statistics.
• An external interface collects only the total inbound traffic statistics.

Recommended configuration procedure


| Step | Remarks |
|---|---|
| Setting the traffic ordering interval | Optional. The default traffic ordering interval is 10 seconds. |
| Specifying the traffic ordering mode | Required. Specify an interface as an internal or external interface to collect traffic statistics. By default, an interface does not collect traffic statistics. |
| Displaying internal interface traffic ordering statistics / Displaying external interface traffic ordering statistics | Optional. You can view the traffic ordering statistics of internal or external interfaces. |

Setting the traffic ordering interval
Select Advanced > Traffic Ordering from the navigation tree to display the default configuration page
shown in Figure 201. You can set the interval for collecting traffic statistics in the lower part of the page.
Figure 201 Traffic ordering configuration page

Specifying the traffic ordering mode


Select Advanced > Traffic Ordering from the navigation tree to display the page shown in Figure 201.
You can view and configure the interface for collecting traffic statistics in the upper part of the page.
Select one or more options for the interfaces in the list:
• Click Internal interface to set the interfaces as the internal interfaces to collect traffic statistics.
• Click External interface to set the interfaces as the external interfaces to collect traffic statistics.
• Click Disable statistics collecting to disable the interfaces from collecting traffic statistics.

Displaying internal interface traffic ordering statistics


Select Advanced > Traffic Ordering from the navigation tree, and click the Statistics of Internal Interfaces
tab to display the page shown in Figure 202.
By default, the system arranges the entries in descending order of the total traffic statistics and displays
the top five entries. Select one item from the Arrange in list, enter a number in the Number of entries
displayed field, and then click Refresh to display the list as needed.

Figure 202 Internal interface traffic ordering statistics page

Displaying external interface traffic ordering statistics


Select Advanced > Traffic Ordering from the navigation tree, and click the Statistics of External Interfaces
tab to display the page shown in Figure 203.
By default, the system arranges the entries in descending order of the total inbound traffic statistics and
displays the top five entries. Select one item from the Arrange in list, enter a number in the Number of
entries displayed field, and then click Refresh to display the list as needed.
Figure 203 External interface traffic ordering statistics page

Configuring DNS

You can do the following to configure DNS on the web interface:


• Enabling dynamic domain name resolution
• Enabling DNS proxy
• Clearing the dynamic domain name cache
• Specifying a DNS server
• Configuring a domain name suffix
DNS is a distributed database that provides TCP/IP applications with the mappings between host names
and IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the
DNS server translate them into correct IP addresses.

NOTE:
For more information about DNS, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

DNS provides the following functions:


• Dynamic domain name resolution—Implemented by querying the DNS server.
• DNS proxy—Forwards DNS requests and replies between the DNS client and DNS server.

Configuring dynamic domain name resolution


Recommended configuration procedure

| Step | Remarks |
|---|---|
| Enabling dynamic domain name resolution | Required. Enable dynamic domain name resolution. Disabled by default. |
| Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers. |
| Configuring a domain name suffix | Optional. A suffix is used when the name to be resolved is incomplete. The system can supply the missing part. For example, a user can configure com as the suffix for aabbcc.com. The user only has to enter aabbcc to obtain the IP address of aabbcc.com because the system adds the suffix and delimiter before passing the name to the DNS server. Not configured by default. You can configure up to 10 DNS suffixes. |
| Clearing the dynamic domain name cache | Optional. Clear the dynamic IPv4 domain name cache. The DNS client stores latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client searches the cache for a repeated query rather than sending a request to the DNS server. The mappings are aged out from the cache after a certain time. You can also manually clear the cache. |

Enabling DNS proxy


Recommended configuration procedure

| Step | Remarks |
|---|---|
| Enabling DNS proxy | Required. Enable DNS proxy on the device. Disabled by default. |
| Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers. |

Enabling dynamic domain name resolution
Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Select Enable for Dynamic DNS and click Apply.
Figure 204 Dynamic domain name resolution configuration

Enabling DNS proxy


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Select Enable for DNS Proxy and click Apply.

Clearing the dynamic domain name cache


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Select the Clear Dynamic DNS cache checkbox, and click Apply.

Specifying a DNS server


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Click Add IP to display the page shown in Figure 205.

Figure 205 Add a DNS server address

Table 103 Configuration

| Item | Description |
|---|---|
| DNS Server IP Address | Enter the IP address of a DNS server. |

Configuring a domain name suffix


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Click Add Suffix to display the configuration page shown in Figure 206.
Figure 206 Add a domain name suffix

Table 104 Configuration

| Item | Description |
|---|---|
| DNS Domain Name Suffix | Configure a domain name suffix. |

Domain name resolution configuration example


Network requirements
• As shown in Figure 207, Router B serves as a DNS client, and Router A is specified as a DNS
server. Dynamic domain name resolution and the domain name suffix are configured on Router B.
Therefore, Router B can use domain name host to access the host with the domain name host.com
and the IP address 3.1.1.1/24.
• Router A serves as the DNS proxy. The IP address of the actual DNS server is 4.1.1.1/24.
• Router B performs domain name resolution via Router A.

Figure 207 Network diagram

(Diagram labels: Router B, DNS client; Router A, DNS proxy; DNS server, 4.1.1.1/24; Host, host.com,
3.1.1.1/24; IP network; interface addresses 2.1.1.1/24, 2.1.1.2/24, and 1.1.1.1/24.)

NOTE:
• Before performing the following configuration, make sure that the device and the host are routable to each other
and that the IP addresses of the interfaces are configured as shown in Figure 207.
• This configuration may vary with different DNS servers. The following configuration is performed on a PC running
Windows Server 2000.

Configuration procedure
1. Configure the DNS server.
# Enter the DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
As shown in Figure 208, right-click Forward Lookup Zones, select New zone, and then follow the
instructions to create a new zone named com.
Figure 208 Create a zone

# Create a mapping between the host name and the IP address.
Figure 209 Add a host

In Figure 209, right-click zone com and then select New host to display the dialog box shown in Figure
210. Enter host name host and IP address 3.1.1.1.
Figure 210 Add a mapping between domain name and IP address

2. Configure the DNS proxy (Router A).


# Enable DNS proxy on Router A.
• Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the
configuration page shown in Figure 211.
Figure 211 Enable DNS proxy on Router A

a. Select Enable for DNS Proxy.


b. Click Apply.

# Specify the DNS server address.

• Click Add IP to display the page shown in Figure 212.
Figure 212 Specify a DNS server address

a. Enter 4.1.1.1 for DNS Server IP Address.


b. Click Apply.
3. Configure the DNS client (Router B).
# Enable dynamic domain name resolution.
• Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the
configuration page shown in Figure 213.
Figure 213 Enable dynamic domain name resolution

a. Select Enable for Dynamic DNS.


b. Click Apply.

# Specify the DNS server address.


• Click Add IP to display the page shown in Figure 214.

Figure 214 Specify the DNS server address

a. Enter 2.1.1.2 for DNS Server IP Address.


b. Click Apply.

# Configure the domain name suffix.


• Click Add suffix to display the page shown in Figure 215.
Figure 215 Configure DNS domain name suffix

a. Enter com for DNS Domain Name Suffix.


b. Click Apply.

Verifying the configuration


Select Other > Diagnostic Tools from the navigation tree, and click the Ping tab. Use the ping host
command to verify that the communication between Router B and the host is normal and that the
corresponding destination IP address is 3.1.1.1.

Configuring DDNS

Although DNS allows you to access nodes in networks using their domain names, it provides only the
static mappings between domain names and IP addresses. When you use the domain name to access a
node whose IP address has changed, your access fails because DNS leads you to the IP address that is
no longer where the node resides.
DDNS can dynamically update the mappings between domain names and IP addresses for DNS servers
to direct you to the latest IP address corresponding to a domain name.
Figure 216 DDNS networking application

As shown in Figure 216, DDNS works on the client-server model comprising the DDNS client and the
DDNS server.
• DDNS client—A device that has to update the mapping between the domain name and the IP
address dynamically. An Internet user usually uses the domain name to access an application layer
server such as an HTTP and FTP server. When its IP address changes, the application layer server
runs as a DDNS client that sends a request to the DDNS server for updating the mapping between
the domain name and the IP address.
• DDNS server—Informs the DNS server of latest mappings. When receiving the mapping update
request from a DDNS client, the DDNS server tells the DNS server to re-map between the domain
name and IP address of the DDNS client. Therefore, Internet users can use the same domain name to
access the DDNS client even if the IP address of the DDNS client has changed.

NOTE:
• The DDNS update process does not have a unified standard and depends on the DDNS server that the DDNS client
contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn (also known as the
"PeanutHull server"), and www.dyndns.com.
• With the DDNS client configured, a device can dynamically update the latest mapping between its domain name
and IP address on the DNS server through a DDNS server at www.3322.org or www.oray.cn, for example.

Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for
the DDNS client.
• Specify the primary IP address of the interface, and make sure that the DDNS server and the
interface can reach each other.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS
server into its IP address.

Configuration procedure
Select Advanced > DNS Setup > DDNS Configuration from the navigation tree to display the DDNS page
shown in Figure 217. Click Add to configure a DDNS entry, as shown in Figure 218.
Figure 217 DDNS configuration page

Figure 218 Create a DDNS entry

Table 105 Configuration

| Item | Description |
|---|---|
| Domain Name | Specify the DDNS entry name, which is the only identifier of the DDNS entry. |
| Server Settings: Server Provider | Select the DDNS server provider: 3322.org or PeanutHull. |
| Server Settings: Server Name | Specify the server name of the DDNS server for domain name resolution. NOTE: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org; if the server provider is PeanutHull, the server name is phservice2.oray.net. HP recommends that you do not change the server name of server provider 3322.org, but you can use the server name, such as phservice2.oray.net, phddns60.oray.net, client.oray.net, or ph031.orat.net for server provider PeanutHull. |
| Server Settings: Interval | Specify the interval for sending DDNS update requests after DDNS update is enabled. NOTE: A DDNS update request is immediately initiated when the primary IP address of the interface changes or when the link state of the interface changes from down to up, regardless of whether the interval is reached. If you specify the interval as 0, your device does not periodically initiate any DDNS update request, but it will initiate a DDNS update request when the primary IP address of the interface is changed or when the link state of the interface changes from down to up. |
| Account Settings: Username | Specify the username used for logging in to the DDNS server. |
| Account Settings: Password | Specify the password used for logging in to the DDNS server. |
| Other Settings: Associated Interface | Select an interface to which the DDNS policy is applied. The IP address in the host name-to-IP address mapping for update is the primary IP address of the interface. You can bind up to four DDNS entries to an interface. |
| Other Settings: FQDN | Specify the FQDN in the IP-to-FQDN mapping for update. If the DDNS service is provided by www.3322.org, the FQDN must be specified. Otherwise, DDNS update may fail. If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server updates all corresponding domain names of the DDNS client account. If an FQDN is specified, the DDNS server updates only the specified IP-to-FQDN mapping. |

DDNS configuration example


Network requirements
• As shown in Figure 219, Router is a web server with the domain name whatever.3322.org.
• Router acquires an IP address through DHCP. Through DDNS service provided by www.3322.org,
Router informs the DNS server of the latest mapping between its domain name and IP address.
• The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.3322.org
into the corresponding IP address.

Figure 219 Network diagram

NOTE:
Before configuring DDNS on Router, register at http://www.3322.org/ (username Steven and
password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and
make sure that the devices are reachable to each other.

Configuration procedure
# Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1. (Details
not shown)
# Configure DDNS.
• Select Advanced > DNS Setup > DDNS Configuration from the navigation tree, and then click Add to
display the page shown in Figure 220.
Figure 220 Configure DDNS

a. Enter 3322 for Domain Name.


b. Select 3322.org from the Server Provider list.
c. Enter steven for Username.

d. Enter nevets for Password.
e. Select Ethernet0/1 from the Associated Interface list.
f. Enter whatever.3322.org for FQDN.
g. Click Apply.

After the preceding configuration is completed, Router notifies the DNS server of its new domain
name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP
address changes. Therefore, Router can always provide web service at whatever.3322.org.

Configuring DHCP

You can do the following to configure DHCP on the web interface:


• Enabling DHCP
• Configuring DHCP interface setup
• Configuring a static address pool for the DHCP server
• Configuring a dynamic address pool for the DHCP server
• Configuring IP addresses excluded from dynamic allocation
• Configuring a DHCP server group
DHCP provides a framework to assign configuration information to network devices.
DHCP uses the client/server model. Figure 221 shows a typical DHCP application.
Figure 221 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet via a DHCP relay agent, as shown in Figure 222.
Figure 222 A typical DHCP relay agent application
(Diagram labels: DHCP clients, DHCP relay agent, IP network, DHCP server.)

NOTE:
For more information about DHCP, see HP A-MSR Router Series Layer 3—IP Services Configuration
Guide.

Configuring the DHCP server


Recommended configuration procedure

| Step | Remarks |
|---|---|
| Enabling DHCP | Required. Enable DHCP globally. Disabled by default. |
| Configuring the DHCP server on an interface | Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default. NOTE: The DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface. |
| Configuring a static address pool for the DHCP server / Configuring a dynamic address pool for the DHCP server | Required. An address pool can be either static or dynamic, but not both. NOTE: When a DHCP client tries to obtain an IP address through a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured. Otherwise, the DHCP client fails to obtain an IP address. |
| Configuring IP addresses excluded from dynamic allocation | Optional. Exclude IP addresses from automatic allocation in the DHCP address pool. To avoid address conflicts, the DHCP server excludes IP addresses used by the gateway or FTP server from dynamic allocation. By default, all IP addresses in the address pool, except the IP address of the DHCP server, can be assigned automatically. NOTE: If a static bound IP address is excluded from automatic allocation, it is still assignable to the bound user. |

Configuring the DHCP relay agent
Recommended configuration procedure

| Step | Remarks |
|---|---|
| Enabling DHCP | Required. Enable DHCP globally. Disabled by default. |
| Configuring a DHCP server group | Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all DHCP servers of the group. |
| Configure the DHCP relay agent on the current interface and correlate it with the DHCP server group. | Required. For the detailed configuration, see "Configuring DHCP interface setup." By default, the interface works as a DHCP server. NOTE: The DHCP relay agent configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, or serial interface. If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag, and the VLAN tag must be consistent with the VLAN ID of the subinterface. Otherwise, the packet is discarded. |

Configuring the DHCP client


Recommended configuration procedure

| Step | Remarks |
|---|---|
| Configure the DHCP client on an interface | Required. For detailed configuration, see "Configuring DHCP interface setup." By default, the interface does not obtain an IP address through DHCP. NOTE: The DHCP client configuration is supported only on a Layer 3 interface (or subinterface), VLAN interface, or Layer 3 aggregate interface. You cannot configure an interface of an aggregation group as a DHCP client. |

Enabling DHCP
Select Advanced > DHCP Setup from the navigation tree to display the default DHCP Enable page shown
in Figure 223.
Figure 223 DHCP Enable

Table 106 DHCP global configuration

| Item | Description |
|---|---|
| DHCP | Enable or disable DHCP globally. |

Configuring DHCP interface setup


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Figure 224 DHCP interface setup

Table 107 DHCP interface setup configuration

| Item | Description |
|---|---|
| Interface | Select an interface to configure. |
| Type | Select a type for the interface. None—Upon receiving a DHCP request, the interface does not assign an IP address to the requesting client nor serve as a DHCP relay agent to forward the request. Server—Upon receiving a DHCP request, the interface assigns the requesting client an IP address from the address pool. Relay—Upon receiving a DHCP request, the interface forwards the request to an external DHCP server, which assigns an IP address for the requesting client. Client—The interface uses DHCP to obtain an IP address. |
| DHCP server group | Correlate the relay agent interface with a DHCP server group. You can correlate a DHCP server group with multiple interfaces and make sure that you already added DHCP server groups for selection. |

Configuring a static address pool for the DHCP server


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select the Server option in the Type field, and then expand the Assignable IP Addresses node. Select the
Static Binding option in the Address Allocation Mode field to expand the static address pool setup
configuration section, as shown in Figure 225.

Figure 225 Static address pool setup for the DHCP server

Table 108 Configuration

| Item | Description |
|---|---|
| Pool Name | Name of the static DHCP address pool. |
| Address Allocation Mode: Static Binding | Specify the static address allocation mode for the DHCP address pool. |
| IP Address / Subnet Mask | IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified. NOTE: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts may occur, and the client cannot obtain the IP address. |
| MAC Address | A client's MAC address of the static binding. |
| Domain Name | Specify a domain name suffix for the DHCP client. After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client. |
| Gateway IP Address | Specify a gateway for the DHCP client. DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client. |
| Primary DNS Server | Specify a primary DNS server for the DHCP client. In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client. |
| Standby DNS Server | Specify a standby DNS server for the DHCP client. |

Configuring a dynamic address pool for the DHCP server


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select the Server option in the Type field, and then expand the Assignable IP Addresses node. Select the
Dynamic Allocation option in the Address Allocation Mode field to expand the dynamic address pool
setup configuration section, as shown in Figure 226.

Figure 226 Dynamic address pool setup for the DHCP server

Table 109 Configuration

| Item | Description |
|---|---|
| Pool Name | Name of the dynamic DHCP address pool. |
| Address Allocation Mode: Dynamic Allocation | Specify the dynamic address allocation mode for the DHCP address pool. |
| IP Address / Subnet Mask | Specify an IP address for dynamic address allocation. A natural mask is adopted if no subnet mask is specified. NOTE: Make sure that the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation. |
| Lease Duration | Specify the lease for IP addresses to be assigned. NOTE: If the lease has an end time specified later than the year 2106, the system considers it an expired lease. The lease duration does not have the inherit attribute. |
| Domain Name | Specify a domain name suffix for the DHCP client. After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client. |
| Gateway IP Address | Specify a gateway for the DHCP client. DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client. |
| Primary DNS Server | Specify a primary DNS server for the DHCP client. In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client. |
| Standby DNS Server | Specify a standby DNS server for the DHCP client. |

Configuring IP addresses excluded from dynamic allocation


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select the Server option in the Type field, and then expand the Forbidden IP Addresses node, as shown
in Figure 227.

Figure 227 IP address excluded from dynamic allocation setup

Table 110 Configuration to exclude IP addresses from dynamic allocation

| Item | Description |
|---|---|
| Start IP Address | Specify the lowest IP address excluded from dynamic allocation. |
| End IP Address | Specify the highest IP address excluded from dynamic allocation. The end IP address must not be lower than the start IP address. A higher end IP address and a lower start IP address specify an IP address range. Two identical IP addresses specify a single IP address. |

Configuring a DHCP server group


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select an interface that supports DHCP relay agent, select the Relay option in the Type field, and then
expand the Add DHCP Server Group node, as shown in Figure 228.

Figure 228 DHCP server group setup

Table 111 Configuration

| Item | Description |
|---|---|
| Group ID | DHCP server group ID. You can create up to 20 DHCP server groups. |
| Server IP Address | Specifies the DHCP server IP addresses for the DHCP server group. The IP address of a DHCP server cannot be on the same network segment as that of the DHCP relay agent interface. Otherwise, DHCP clients may fail to obtain IP addresses. |

DHCP configuration examples


There are two typical DHCP network types:
• The DHCP server and clients are on the same subnet and directly exchange DHCP messages.
• The DHCP server and clients are not on the same subnet and communicate with each other via a
DHCP relay agent.
The DHCP server configuration for both types is the same.

DHCP configuration example without DHCP relay agent
Network requirements
• The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is
subnetted into 10.1.1.0/25 and 10.1.1.128/25.
• The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and
10.1.1.129/25, respectively.
• In subnet 10.1.1.0/25, the lease is ten days and twelve hours, the domain name suffix is
aabbcc.com, the DNS server address is 10.1.1.2/25, and the gateway address is
10.1.1.126/25.
• In subnet 10.1.1.128/25, the lease is five days, the domain name suffix is aabbcc.com, the DNS
server address is 10.1.1.2/25, and the gateway address is 10.1.1.254/25.
• Subnets 10.1.1.0/25 and 10.1.1.128/25 have the same domain name suffix and DNS server
address. Therefore, the domain name suffix and DNS server address need to be configured only for
subnet 10.1.1.0/24. Subnet 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of
subnet 10.1.1.0/24.
• Router B (DHCP client) obtains a static IP address, DNS server address, and gateway address from
Router A (DHCP server).
Figure 229 Network diagram
(Diagram labels: Router A, DHCP server, with Eth0/1 10.1.1.1/25 and Eth0/2 10.1.1.129/25; Gateway A
10.1.1.126/25; Gateway B 10.1.1.254/25; DNS server 10.1.1.2/25; Router B, Eth0/1; clients, one of
them labeled 10.1.1.4/25.)
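
The address plan above, together with the pool rules stated in Tables 108 through 111, can be checked before it is entered in the web interface. The following Python code is an added example, not HP's code or the router's implementation: it validates a plan against those rules and resolves which options a client receives when a /25 pool inherits from the enclosing /24 pool. The Pool class, the function names, the lease strings, and the reading of "no inherit attribute" as "the lease is taken only from the matching pool" are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pool:
    """One address pool as entered on the DHCP Interface Setup tab (hypothetical model)."""
    name: str
    ip: str
    mask: Optional[str] = None     # None: the natural (classful) mask applies
    mac: Optional[str] = None      # set only for a static binding
    lease: Optional[str] = None
    domain: Optional[str] = None
    gateway: Optional[str] = None
    dns: Optional[str] = None

    @property
    def network(self) -> ipaddress.IPv4Network:
        if self.mask:
            return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)
        first = int(self.ip.split(".")[0])
        if first >= 224:
            raise ValueError(f"{self.ip} has no natural mask")
        prefix = 8 if first < 128 else 16 if first < 192 else 24
        return ipaddress.ip_network(f"{self.ip}/{prefix}", strict=False)


# Address plan constructed from the configuration example on this page.
SERVER_IFACES = {"Ethernet0/1": "10.1.1.1/25", "Ethernet0/2": "10.1.1.129/25"}
POOLS = [
    Pool("pool-static", "10.1.1.5", "255.255.255.128", mac="000f-e200-0002",
         gateway="10.1.1.126", dns="10.1.1.2"),
    Pool("pool0", "10.1.1.0", "255.255.255.0", domain="aabbcc.com", dns="10.1.1.2"),
    Pool("pool1", "10.1.1.0", "255.255.255.128", lease="10d12h", gateway="10.1.1.126"),
    Pool("pool2", "10.1.1.128", "255.255.255.128", lease="5d", gateway="10.1.1.254"),
]


def validate(pools, ifaces, excluded=(), relay_iface=None, relay_servers=()):
    """Return a list of findings; an empty list means the plan passes every rule."""
    findings = []
    iface_ips = {n: ipaddress.ip_interface(v).ip for n, v in ifaces.items()}
    for p in pools:
        if p.mac:
            # A static binding must not reuse the server interface address.
            for name, ip in iface_ips.items():
                if ipaddress.ip_address(p.ip) == ip:
                    findings.append(f"{p.name}: static binding {p.ip} is the address of {name}")
        elif not any(ip in p.network for ip in iface_ips.values()):
            # A dynamic pool must share a segment with a server or relay interface.
            findings.append(f"{p.name}: {p.network} contains no server or relay interface")
    for start, end in excluded:
        if ipaddress.ip_address(end) < ipaddress.ip_address(start):
            findings.append(f"excluded range {start}-{end}: end is lower than start")
    if relay_iface:
        # Servers in a relay server group must sit off the relay interface segment.
        relay_net = ipaddress.ip_interface(relay_iface).network
        for srv in relay_servers:
            if ipaddress.ip_address(srv) in relay_net:
                findings.append(f"relay server {srv} is inside relay segment {relay_net}")
    return findings


def effective_options(pools, client_ip):
    """Options for a dynamic client: most specific pool first, parents fill the gaps."""
    addr = ipaddress.ip_address(client_ip)
    chain = sorted((p for p in pools if not p.mac and addr in p.network),
                   key=lambda p: p.network.prefixlen, reverse=True)
    if not chain:
        return None
    # Assumption: the lease comes only from the matching pool, never from a parent.
    opts = {"pool": chain[0].name, "lease": chain[0].lease}
    for key in ("domain", "gateway", "dns"):
        opts[key] = next((getattr(p, key) for p in chain if getattr(p, key)), None)
    return opts


if __name__ == "__main__":
    print(validate(POOLS, SERVER_IFACES) or "plan passes")
    for ip in ("10.1.1.50", "10.1.1.200"):
        print(ip, effective_options(POOLS, ip))
```
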

Configuration procedure
1. Configure the DHCP server (Router A).
# Specify IP addresses for interfaces. (Details not shown)
# Enable DHCP.
• Select Advanced > DHCP Setup from the navigation tree of Router A to display the default DHCP
Enable page and perform the following operations, as shown in Figure 230.

Figure 230 Enable DHCP

a. Select the Enable option in the DHCP field.


b. Click Apply.

# Enable the DHCP server on interface Ethernet 0/1. By default, the DHCP server is enabled on interface
Ethernet 0/1. (Details not shown)
# Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B.
• Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 231.

Figure 231 DHCP static address pool configuration

a. Select the Server option in the Type field.


b. Expand the Assignable IP Addresses node.
c. Enter pool-static in the Pool Name field.
d. Select the Static Binding option in the Address Allocation Mode field.
e. Enter 10.1.1.5 in the IP Address field.
f. Select the Subnet Mask checkbox, and then enter 255.255.255.128.
g. Enter 000f-e200-0002 in the MAC Address field.
h. Select the Gateway IP Address checkbox, and then enter 10.1.1.126.
i. Select the Primary DNS Server checkbox, and then enter 10.1.1.2.
j. Click Apply.
# Configure DHCP address pool 0 (including the address range, client domain name suffix, and DNS
server address).

Figure 232 DHCP address pool 0 configuration

a. Enter pool0 in the Pool Name field, as shown in Figure 232.


b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field.
d. Select the Subnet Mask checkbox, and then enter 255.255.255.0.
e. Select the Domain Name checkbox, and then enter aabbcc.com.
f. Select the Primary DNS Server checkbox, and then enter 10.1.1.2.
g. Click Apply.

# Configure DHCP address pool 1 (including the address range, lease duration, and gateway address).

Figure 233 DHCP address pool 1 configuration

a. Enter pool1 in the Pool Name field, as shown in Figure 233.


b. Select Dynamic Allocation in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field.
d. Select the Subnet Mask checkbox, and then enter 255.255.255.128.
e. Set the Lease Duration to 10 days, 12 hours, and 0 minutes.
f. Select the Gateway IP Address checkbox, and then enter 10.1.1.126.
g. Click Apply.

# Configure DHCP address pool 2 (including the address range, lease duration, and gateway IP
address).

Figure 234 DHCP address pool 2 configuration

a. Enter pool2 in the Pool Name field, as shown in Figure 234.


b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c. Enter 10.1.1.128 in the IP Address field.
d. Select the Subnet Mask checkbox, and then enter 255.255.255.128.
e. Set the Lease Duration to 5 days, 0 hours, and 0 minutes.
f. Select the Gateway IP Address checkbox, and then enter 10.1.1.254.
g. Click Apply.

# Exclude IP addresses from dynamic allocation (DNS server and gateway addresses).
• Expand the Forbidden IP Addresses node and perform the following operations, as shown in Figure
235.

Figure 235 Exclude IP addresses from dynamic allocation

a. Enter 10.1.1.2 in the Start IP Address field.


b. Enter 10.1.1.2 in the End IP Address field.
c. Click Apply.
d. Enter 10.1.1.126 in the Start IP Address field, as shown in Figure 235.
e. Enter 10.1.1.126 in the End IP Address field.
f. Click Apply.
g. Enter 10.1.1.254 in the Start IP Address field, as shown in Figure 235.
h. Enter 10.1.1.254 in the End IP Address field.
i. Click Apply.
2. Configure the DHCP client (Router B).
# Enable the DHCP client on interface Ethernet 0/1.
• Select Advanced > DHCP Setup from the navigation tree of Router B, and then click the DHCP
Interface Setup tab and perform the following operations, as shown in Figure 236.

Figure 236 Enable the DHCP client on interface Ethernet 0/1

a. Select Ethernet0/1 from the Interface dropdown list.


b. Select the Client option in the Type field.
c. Click Apply.
3. Configure the DHCP client (Router C).
# Enable the DHCP client on interface Ethernet 0/1.
a. Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab, as shown in Figure 236.
b. Select Ethernet0/1 from the Interface dropdown list.
c. Select the Client option in the Type field.
d. Click Apply.
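
The pool plan in this example can be checked offline before it is entered in the web interface. The following Python sketch is an added example, not HP code: it resolves the options a client receives when pool1 and pool2 inherit from pool0, and confirms that every gateway and DNS address is excluded from dynamic allocation. It assumes that the most specific pool containing an address is selected and that unset options come from the enclosing pool; the function names are hypothetical.

```python
import ipaddress
from datetime import timedelta

# Values taken from the static allocation example on this page.
POOLS = {
    "pool0": {"network": "10.1.1.0/24", "domain": "aabbcc.com", "dns": "10.1.1.2"},
    "pool1": {"network": "10.1.1.0/25", "lease": timedelta(days=10, hours=12),
              "gateway": "10.1.1.126"},
    "pool2": {"network": "10.1.1.128/25", "lease": timedelta(days=5),
              "gateway": "10.1.1.254"},
}
STATIC_BINDINGS = {
    "pool-static": {"ip": "10.1.1.5", "mask": "255.255.255.128",
                    "mac": "000f-e200-0002", "gateway": "10.1.1.126",
                    "dns": "10.1.1.2"},
}
FORBIDDEN = [("10.1.1.2", "10.1.1.2"), ("10.1.1.126", "10.1.1.126"),
             ("10.1.1.254", "10.1.1.254")]
OPTION_KEYS = ("lease", "gateway", "domain", "dns")


def effective_options(pools, address):
    """Merge options along the chain of pools that contain the address.

    Assumption: the most specific pool wins and unset options are taken
    from the enclosing (parent) pool, as the requirements describe.
    """
    addr = ipaddress.ip_address(address)
    chain = sorted(
        (name for name, pool in pools.items()
         if addr in ipaddress.ip_network(pool["network"])),
        key=lambda name: ipaddress.ip_network(pools[name]["network"]).prefixlen,
        reverse=True)
    if not chain:
        return None
    result = {"chain": chain}
    for key in OPTION_KEYS:
        result[key] = next((pools[n][key] for n in chain if key in pools[n]), None)
    return result


def is_forbidden(address, forbidden):
    """True if the address falls inside any excluded start-end range."""
    addr = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in forbidden)


def unprotected_infrastructure(pools, forbidden):
    """Gateway and DNS addresses that sit inside a pool but are not excluded.

    Any address returned here could be leased to a client and then
    conflict with the real gateway or DNS server.
    """
    infra = {pool[k] for pool in pools.values()
             for k in ("gateway", "dns") if k in pool}
    nets = [ipaddress.ip_network(pool["network"]) for pool in pools.values()]
    return sorted(
        (a for a in infra
         if any(ipaddress.ip_address(a) in n for n in nets)
         and not is_forbidden(a, forbidden)),
        key=ipaddress.ip_address)


def normalize_mac(mac):
    """Reduce 000f-e200-0002, 00:0f:e2:00:00:02 and similar to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def lookup_static(bindings, mac):
    """Return (pool name, binding) for a client MAC, or None."""
    wanted = normalize_mac(mac)
    for name, binding in bindings.items():
        if normalize_mac(binding["mac"]) == wanted:
            return name, binding
    return None


if __name__ == "__main__":
    for probe in ("10.1.1.4", "10.1.1.129"):
        print(probe, effective_options(POOLS, probe))
    print("unprotected:", unprotected_infrastructure(POOLS, FORBIDDEN))
    print("Router B:", lookup_static(STATIC_BINDINGS, "00:0f:e2:00:00:02"))
```
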

DHCP relay agent configuration example


Network requirements
• Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients
reside and has IP address 10.10.1.1/24. Ethernet 0/2 on Router A has IP address 10.1.1.2/24
and connects to the DHCP server (Router B) at 10.1.1.1/24.
• Router A forwards DHCP messages so that the DHCP clients on the network segment 10.10.1.0/24
can obtain IP addresses, DNS server address, and gateway address from the DHCP server. The IP
address lease is seven days, the domain name suffix is aabbcc.com, the DNS server address is
10.10.1.2/24, and the gateway address is 10.10.1.126/24.

Figure 237 Network diagram

Configuration procedure
1. Configure the DHCP relay agent (Router A).
# Specify IP addresses for interfaces. (Details not shown)
# Enable DHCP.
• Select Advanced > DHCP Setup from the navigation tree of Router A to display the default DHCP
Enable tab and perform the following operations, as shown in Figure 238.
Figure 238 DHCP enable

a. Select the Enable option in the DHCP field.


b. Click Apply.

# Create a DHCP server group.


• Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 239.

Figure 239 DHCP server group creating

a. Select Ethernet0/1 from the Interface dropdown list.


b. Select the Relay option in the Type field.
c. Expand the Add DHCP Server Group node.
d. Enter 1 in the Group ID field.
e. Enter 10.1.1.1 in the Server IP Address field.
f. Click Apply.
# Enable the DHCP relay agent on interface Ethernet 0/1.
Figure 240 The page for enabling the DHCP relay agent on interface Ethernet 0/1

a. Select 1 from the DHCP Server Group dropdown list.


b. Click Apply.
2. Configure the DHCP server (Router B).

# Specify addresses for interfaces. (Details not shown)
# Enable DHCP.
• Select Advanced > DHCP Setup from the navigation tree of Router B to display the default DHCP
Enable tab, as shown in Figure 241.
Figure 241 Enable DHCP

a. Select the Enable option in the DHCP field.


b. Click Apply.

# Enable the DHCP server on interface Ethernet 0/1. By default, the DHCP server is enabled on Ethernet
0/1. (Details not shown)
# Configure a dynamic DHCP address pool.
• Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 242.

Figure 242 Dynamic DHCP address pool configuration

a. Select the Server option in the Type field.


b. Expand the Assignable IP Addresses node.
c. Enter pool1 in the Pool Name field.
d. Select the Dynamic Allocation option in the Address Allocation Mode field.
e. Enter 10.10.1.0 in the IP Address field.
f. Select the Subnet Mask checkbox, and then enter 255.255.255.0.
g. Set the Lease Duration to 7 days, 0 hours, and 0 minutes.
h. Select the Domain Name checkbox, and then enter aabbcc.com.
i. Select the Gateway IP Address checkbox, and then enter 10.10.1.126.
j. Select the Primary DNS Server checkbox, and then enter 10.10.1.2.
k. Click Apply.

# Exclude IP addresses from dynamic allocation (DNS server and gateway addresses).
• Expand the Forbidden IP Addresses node, as shown in Figure 243.

Figure 243 IP address excluded from dynamic allocation configuration

a. Enter 10.1.1.2 in the Start IP Address field.


b. Enter 10.1.1.2 in the End IP Address field.
c. Click Apply.
d. Enter 10.1.1.126 in the Start IP Address field, as shown in Figure 243.
e. Enter 10.1.1.126 in the End IP Address field.
f. Click Apply.
3. Configure the DHCP client (Router C).
# Enable the DHCP client on interface Ethernet 0/1.
• Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab and perform the following operations, as shown in Figure 244.

Figure 244 Enable the DHCP client on interface Ethernet 0/1

a. Select Ethernet0/1 in the Interface field.


b. Select the Client option in the Type field.
c. Click Apply.

Configuration guidelines
1. If multiple VLAN interfaces sharing one MAC address request IP addresses using DHCP, the DHCP
server cannot be a Windows 2000 server or a Windows 2003 server.
2. To remove a DHCP server group that is associated with multiple interfaces, first cancel the
associations.

Configuring ACL

The web interface provides the following ACL configuration functions:


• Configuring an IPv4 ACL
• Configuring a rule for a basic IPv4 ACL
• Configuring a rule for an advanced IPv4 ACL
• Configuring a rule for an Ethernet frame header ACL
An ACL is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as
source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules (for example, QoS
and IP routing) for traffic identification.
IPv4 ACLs fall into the following categories.
Table 112 IPv4 ACL categories

Category | ACL number | Match criteria
Basic ACLs | 2000 to 2999 | Source IPv4 address
Advanced ACLs | 3000 to 3999 | Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs | 4000 to 4999 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type

NOTE:
For more information about IPv4 ACL, see HP A-MSR Router Series ACL and QoS Configuration Guide.

Configuring an ACL
Configuration task list
Table 113 IPv4 ACL configuration task list

Task | Remarks
Creating an IPv4 ACL | Required. The category of the created ACL depends on the ACL number that you specify.
Configuring a rule for a basic IPv4 ACL | Required. Complete one of these tasks according to the ACL category.
Configuring a rule for an advanced IPv4 ACL | Required. Complete one of these tasks according to the ACL category.
Configuring a rule for an Ethernet frame header ACL | Required. Complete one of these tasks according to the ACL category.

Creating an IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Add tab to display
the IPv4 ACL configuration page, as shown in Figure 245.
Figure 245 The page for creating an IPv4 ACL

Table 114 Configuration

Item | Description
ACL Number | Set the number of the IPv4 ACL, which ranges from 2000 to 2999. NOTE: You can create only basic ACLs (numbered from 2000 to 2999) in the web interface. However, the web interface can display the advanced ACLs and Ethernet frame header ACLs, and you can configure rules for these ACLs.
Match Order | Set the match order of the ACL. The following match orders are available: • Config—Packets are compared against ACL rules in the ascending ACL rule ID order. • Auto—Packets are compared against ACL rules in the depth-first match order, which ensures that any subset of a rule is always matched before the rule.
Description | Set the description for the ACL.

Return to "IPv4 ACL configuration task list."

Configuring a rule for a basic IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Basic Config tab to
display the rule configuration page for a basic IPv4 ACL, as shown in Figure 246.
Figure 246 The page for configuring a basic IPv4 ACL

Table 115 Configuration

Item | Description
ACL | Select the basic IPv4 ACL for which you want to configure rules. ACLs available for selection are basic IPv4 ACLs.
Rule ID | Select the Rule ID option, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action | Select the action to be taken on the IPv4 packets matching the rule: • Permit—Allows matched packets to pass. • Deny—Drops matched packets.
Check Fragment | Select this option to apply the rule only to non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Check Logging | Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
Source IP Address / Source Wildcard | Select the Source IP Address option, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
Time Range | Select the time range during which the rule takes effect. The time ranges available for selection must be created in the CLI.

Return to "IPv4 ACL configuration task list."
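
The Match Order setting in Table 114 and the rule fields in Table 115 interact: under Config, a broad permit with a low rule ID hides a narrower deny that follows it, while Auto evaluates the narrower rule first. The following Python sketch is an added example, not HP code, and its rules are constructed sample values. It assumes that, for a basic ACL, depth-first order means the rule with the smaller source range comes first, with ties broken by rule ID; the default action for unmatched packets is not modelled.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id action source wildcard")
MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def matches(rule, src):
    """Wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    care = ~to_int(rule.wildcard) & MASK32
    return ((to_int(src) ^ to_int(rule.source)) & care) == 0


def ordered(rules, match_order):
    """Return the rules in the order in which packets are compared."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        # Assumption: fewer wildcard 1-bits means a narrower source range,
        # which is compared first; equal ranges fall back to rule ID.
        return sorted(rules, key=lambda r: (bin(to_int(r.wildcard)).count("1"),
                                            r.rule_id))
    raise ValueError("match_order must be 'config' or 'auto'")


def evaluate(rules, match_order, src):
    """Return (rule_id, action) of the first matching rule, or None."""
    for rule in ordered(rules, match_order):
        if matches(rule, src):
            return rule.rule_id, rule.action
    return None


def covers(outer, inner):
    """True if every source address matched by inner is matched by outer."""
    wo, wi = to_int(outer.wildcard), to_int(inner.wildcard)
    same_on_care_bits = ((to_int(outer.source) ^ to_int(inner.source))
                         & ~wo & MASK32) == 0
    return (wo | wi) == wo and same_on_care_bits


def shadowed(rules, match_order):
    """List (hidden_rule_id, hiding_rule_id) pairs.

    A rule is hidden when an earlier rule with the opposite action already
    matches every address it could match, so it never takes effect.
    """
    seq = ordered(rules, match_order)
    hits = []
    for i, later in enumerate(seq):
        for earlier in seq[:i]:
            if earlier.action != later.action and covers(earlier, later):
                hits.append((later.rule_id, earlier.rule_id))
                break
    return hits


# Constructed sample ACL: permit a subnet, deny one host in it, deny the rest.
RULES = [
    Rule(0, "permit", "10.1.1.0", "0.0.0.255"),
    Rule(5, "deny", "10.1.1.5", "0.0.0.0"),
    Rule(10, "deny", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, "10.1.1.5 ->", evaluate(RULES, order, "10.1.1.5"),
              "shadowed:", shadowed(RULES, order))
```
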

Configuring a rule for an advanced IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Advanced Config
tab to display the rule configuration page for an advanced IPv4 ACL, as shown in Figure 247.

Figure 247 The page for configuring an advanced IPv4 ACL

Table 116 Configuration

Item | Description
ACL | Select the advanced IPv4 ACL for which you want to configure rules. You can create advanced IPv4 ACLs only in the CLI. For more information, see HP A-MSR Router Series ACL and QoS Configuration Guide. In addition, the system automatically generates advanced IPv4 ACLs when you configure advanced bandwidth limit and advanced bandwidth guarantee. For more information, see "Configuring QoS."
Rule ID | Select the Rule ID option, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action | Select the action to be performed for IPv4 packets matching the rule: • Permit—Allows matched packets to pass. • Deny—Drops matched packets.
Non-First Fragments Only | Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Logging | Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
IP Address Filter: Source IP Address / Source Wildcard | Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.
IP Address Filter: Destination IP Address / Destination Wildcard | Select the Source IP Address option and enter a source IP address and source wildcard, in dotted decimal notation.
Protocol | Select the protocol to be carried by IP. If you select 1 ICMP, you can configure the ICMP message type and code. If you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMP Type: ICMP Message / ICMP Type / ICMP Code | Specify the ICMP message type and code. These items are available only when you select 1 ICMP from the Protocol dropdown list. If you select Other from the ICMP Message dropdown list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields take the default values, which cannot be changed.
TCP Connection Established | Select this option to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol dropdown list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
TCP/UDP Port: Source / Destination | Select the operators, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol dropdown list. Different operators have different configuration requirements for the port number fields: • Not Check—The following port number fields cannot be configured. • Range—The following port number fields must be configured to define a port range. • Other values—The first port number field must be configured and the second must not.
Precedence Filter: DSCP | Specify the DSCP priority.
Precedence Filter: TOS | Specify the ToS preference.
Precedence Filter: Precedence | Specify the IP precedence.
Time Range | Select the time range during which the rule takes effect.

Return to "IPv4 ACL configuration task list."

Configuring a rule for an Ethernet frame header ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Link Config tab to
display the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 248.

Figure 248 The page for configuring a rule for an Ethernet frame header ACL

Table 117 Configuration

Item | Description
ACL | Select the Ethernet frame header IPv4 ACL for which you want to configure rules. You can create Ethernet frame header IPv4 ACLs only in the CLI. For more information, see HP A-MSR Router Series ACL and QoS Configuration Guide.
Rule ID | Select the Rule ID option, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action | Select the action to be performed for IPv4 packets matching the rule. • Permit—Allows matched packets to pass. • Deny—Drops matched packets.
MAC Address Filter: Source MAC Address / Source Mask | Select the Source MAC Address option, and enter a source MAC address and wildcard.
MAC Address Filter: Destination MAC Address / Destination Mask | Select the Destination MAC Address option, and enter a destination MAC address and wildcard.
COS(802.1p priority) | Specify the 802.1p priority for the rule.
Type Filter: LSAP Type / LSAP Mask | Select the LSAP Type option, and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items: • LSAP Type—Indicates the frame encapsulation format. • LSAP Mask—Indicates the LSAP wildcard.
Type Filter: Protocol Type / Protocol Mask | Select the Protocol Type option, and specify the link layer protocol type by configuring the following items: • Protocol Type—Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames. • Protocol Mask—Indicates the wildcard.
Time Range | Select the time range during which the rule takes effect.

Return to "IPv4 ACL configuration task list."

Configuration guidelines
When you configure an ACL, follow these guidelines:
1. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
2. You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.

Configuring QoS

The web interface provides the following QoS configuration functions:


• Configuring subnet limit
• Configuring advanced limit
• Configuring advanced queue
QoS is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
Generally, QoS focuses on improving services under certain conditions rather than grading services
precisely.
QoS evaluates the ability of the network to forward packets of different services. The evaluation can be
based on different criteria because the network may provide various services. Generally, QoS refers to
the ability to provide improved service by solving the core issues such as delay, jitter, and packet loss
ratio in the packet forwarding process.
Through the web interface, you can configure the following QoS features:
• Subnet limit
• Advanced limit

• Advanced queue

Subnet limit
Subnet limit enables you to regulate the specification of traffic entering or leaving a device based on
source/destination IP address. Packets conforming to the specification can pass through, and packets
exceeding the specification are dropped. In this way, the network resources are protected.

Advanced limit
Similar to subnet limit, advanced limit also implements traffic policing at the IP layer. They differ in that:
• Advanced limit can classify traffic based on time range, packet precedence, protocol type, and port
number, and it can provide more granular services.
• In addition to permitting traffic conforming to the specification to pass through, advanced limit can
also set IP precedence, DSCP value, and 802.1p priority for packets as required.

NOTE:
For more information about IP precedence, DSCP values, and 802.1p priority, see "Appendix packet
priorities."

Advanced queue
Advanced queue offers the following functions:
• Interface bandwidth limit—Uses token buckets for traffic control and limits the rate of transmitting
packets (including critical packets) on an interface. When limiting the rate of all packets on an
interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This is
because, working at the IP layer, the latter two functions do not take effect on packets not processed
by the IP layer.
• Bandwidth guarantee—When congestion occurs on a port, CBQ classifies packets into different
classes according to user-defined match criteria and assigns these classes to their queues. Before
assigning packets to a queue, CBQ performs bandwidth restriction check. When being dequeued,
packets are scheduled by WFQ.
Advanced queue applies only to outgoing packets of interfaces.

Configuring QoS
Configuring subnet limit
Select Advance > QoS Setup > Subnet Limit from the navigation tree to display the page shown in Figure
249. Click Add to display the Subnet Limit Setting page, as shown in Figure 250.
Figure 249 Subnet limit

Figure 250 Subnet limit setting

Table 118 Configuration

Item | Description
Start Address / End Address | Set the address range of the subnet where rate limit is to be performed.
Interface | Specify the interface to which the subnet limit is to be applied.
CIR | Set the average traffic rate allowed.
Type | Set the rate limit method: • Share—Limits the total rate of traffic for all IP addresses on the subnet and dynamically allocates bandwidth to an IP address based on traffic size. • Per IP—Individually limits the rate of traffic of each IP address on the subnet to the configured rate.
Direction | Set the direction where the rate limit applies: • Download—Limits the rate of incoming packets of the interface based on their destination IP addresses. • Upload—Limits the rate of outgoing packets of the interface based on their source IP addresses.

Configuring advanced limit
Select Advance > QoS Setup > Advanced Limit from the navigation tree to display the page shown
in Figure 251. Click Add to display the Advanced Limit Setting page, as shown in Figure 252.
Figure 251 Advanced limit

Figure 252 Advanced limit setting

Table 119 Configuration

Item | Description
Description | Configure a description for the advanced limit policy for management.
Interface | Specify the interface to which the advanced limit is to be applied.
Direction | Set the direction where the rate limit applies: • Download—Limits the rate of incoming packets of the interface. • Upload—Limits the rate of outgoing packets of the interface.
CIR | Set the average traffic rate allowed.
Remark Type | Specify the type of priority to be re-marked for packets conforming to the specification and allowed to pass through: • None—Does not re-mark any priority of packets. • 802.1p—Re-marks the 802.1p priority of packets and specifies the 802.1p priority value. • IP—Re-marks the IP precedence of packets and specifies the IP precedence value. • DSCP—Re-marks the DSCP of packets and specifies the DSCP value.
IP Address/Mask | Define a rule to match packets based on their IP addresses. Add multiple IP addresses/masks to the list box. Click Add or Delete to add or delete IP addresses/masks to/from the list box. • When the direction Download is specified, the source IP address of packets is matched. • When the direction Upload is specified, the destination IP address of packets is matched.
IP Precedence | Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for an advanced limit policy. The relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically.
DSCP | Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for an advanced limit policy. The relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. The defined DSCP values are displayed in ascending order automatically.
Inbound Interface | Define a rule to match packets received on the specified interface.
Time Range | Set the time range when the advanced limit policy takes effect. You must set the begin-end time and the days of the week.
Protocol Name | Define a rule to match packets based on their protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree, and click Load Application.
Custom Type: Source Port / Destination Port | Define a rule to match packets based on self-defined protocol types. You should select the transport layer protocol type and set the source service port range and destination service port range.

Configuring advanced queue


To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with
PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for
these interfaces.

Configuring interface bandwidth


Select Advance > QoS Setup > Advanced Queue from the navigation tree to display the Advanced Queue
page shown in Figure 253. Select an interface from the Interface Name list, and then configure and view
the CIR of the interface.
Figure 253 Advanced queue

Table 120 Configuration

Item | Description
Interface Name | Select the interface to configure.
Interface Bandwidth | Set the average traffic rate allowed for the interface. HP recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link. NOTE: If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ queues packets is 1,000,000 kbps. If you have not specified the interface bandwidth, the maximum interface bandwidth varies by interface type according to these rules: • If the interface is a physical one, the actual baud rate or rate applies. • If the interface is T1/E1, MFR, or any other type of logical serial interface formed by timeslots or multiple links, the total bandwidth of all member channels/links applies. • If the interface is a template interface, such as a VT interface, dialer interface, BRI interface, or PRI interface, 1,000,000 kbps applies. • If the interface is a virtual interface of any other type (for example, a tunnel interface), 0 kbps applies.

Configure bandwidth guarantee


Select Advance > QoS Setup > Advanced Queue from the navigation tree to display the Advanced Queue
page shown in Figure 253. In the Application Bandwidth area, all bandwidth guarantee policies are
displayed. Click Add to display the page for creating a bandwidth guarantee policy, as shown in Figure
254.

Figure 254 Create a bandwidth guarantee policy

Table 121 Configuration

Item | Description
Description | Configure a description for the bandwidth guarantee policy for management.
Queue Type | Set the service class queue type: • EF—Provides absolutely preferential queue scheduling for the EF service to ensure low delay for real-time data traffic. In the meantime, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced. • AF—Provides a highly precise bandwidth guarantee and queue scheduling on the basis of AF service weights for various AF services.
Interface | Specify the interface to which bandwidth guarantee is to be applied.
Bandwidth | Set the bandwidth guarantee for the queue: • For the EF queue, the set bandwidth is the maximum bandwidth. • For the AF queue, the set bandwidth is the minimum guaranteed bandwidth. NOTE: The sum of the bandwidth specified in the bandwidth guarantee policies applied to an interface must be no greater than the available bandwidth of the interface.
IP Address/Mask | Define a rule to match packets based on their IP addresses. You can add multiple IP addresses/masks. Click Add or Delete to add or delete IP addresses/masks to/from the list box.
IP Precedence | Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for a bandwidth guarantee policy. The relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically.
DSCP | Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for a bandwidth guarantee policy. The relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. After each configuration, the defined DSCP values are displayed in ascending order automatically.
Inbound Interface | Define a rule to match packets received on the specified interface.
Time Range | Set the time range when the bandwidth guarantee policy takes effect. You must set the begin-end time and the days of the week.
Protocol Name | Define a rule to match packets based on protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree, and click Load Application.
Custom Type: Source Port / Destination Port | Define a rule to match packets based on self-defined protocol types. You should select the transport layer protocol type and set the service source port range and destination port range.

QoS configuration examples


Subnet limit configuration example
Network requirements
As shown in Figure 255, limit the rate of packets leaving Ethernet 1/1 of Router.
Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which use addresses
2.1.1.1 through 2.1.1.100, with a per-IP limit of 5 kbps.

Figure 255 Network diagram
(Diagram labels: Router with interfaces Eth1/1 and Eth1/2; Internet; Host A 2.1.1.1/8 through Host Z 2.1.1.100/8.)

Configuration procedure
# Configure the bandwidth limit settings for the network segment.
• Select Advance > QoS Setup > Subnet Limit from the navigation tree, click Add on the displayed
page, and perform the following configurations as shown in Figure 256.
Figure 256 Configure subnet limit

a. Enter 2.1.1.1 in the Start Address field.


b. Enter 2.1.1.100 in the End Address field.
c. Select interface Ethernet 1/1.
d. Enter 5 in the CIR field.
e. Select Per IP for the Type field.
f. Select Upload for the Direction field.
g. Click Apply.

Advanced queue configuration example
Network requirements
As shown in Figure 257, the data traffic from Router C is classified into three classes based on DSCP
fields of IP packets.
Configure advanced queue to perform the following actions:
• Perform AF for traffic with the DSCP fields AF11 and AF22 (DSCP values 10 and 18), and set the
minimum bandwidth to 40 kbps.
• Perform EF for traffic with the DSCP field EF (DSCP value 46), and set the maximum bandwidth to
240 kbps.
Before performing the configuration, make sure of the following:
• The route from Router C to Router D through Router A and Router B is reachable.
• The DSCP fields have been set for the traffic before the traffic enters Router A.
Figure 257 Network diagram

Configuration procedure
1. Configure Router A.
# Perform AF for traffic with DSCP fields AF11 and AF21.
• Select Advance > QoS Setup > Advanced Queue from the navigation tree, click Add on the
displayed page, and perform the following configurations shown in Figure 258.

Figure 258 Configure assured forwarding

a. Enter the description test-af.


b. Select AF (Assured Forwarding) in the Queue Type list.
c. Select interface Ethernet 0/0.
d. Enter 40 in the Bandwidth field.
e. Enter 10, 18 in the DSCP field.
f. Click Apply.
# Perform EF for traffic with DSCP field EF.

• Select Advance > QoS Setup > Advanced Queue from the navigation tree, click Add on the
displayed page, and perform the following configurations shown in Figure 259.
Figure 259 Configure expedited forwarding

a. Enter the description test-ef.


b. Select EF (Expedited Forwarding) in the Queue Type list.
c. Select interface Ethernet 0/0.
d. Enter 240 in the Bandwidth field.
e. Enter 46 in the DSCP field.
f. Click Apply.
After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in
the network.

Appendix packet priorities
IP precedence and DSCP values
Figure 260 DS field and ToS bytes

As shown in Figure 260, the ToS field of the IP header contains eight bits. The first three bits (0 to 2)
represent IP precedence from 0 to 7, and the subsequent four bits (3 to 6) represent a ToS value from 0 to
15. According to RFC 2474, the ToS field of the IP header is redefined as the DS field, where a DSCP
value is represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and
7) are reserved.
Table 122 Description of IP precedence

IP precedence (decimal) | IP precedence (binary) | Keyword
0 | 000 | routine
1 | 001 | priority
2 | 010 | immediate
3 | 011 | flash
4 | 100 | flash-override
5 | 101 | critical
6 | 110 | internet
7 | 111 | network

In a network that uses the DiffServ model, traffic is assigned to the following classes, and packets are
processed according to their DSCP values.
• EF class—The switch forwards the packets of this class without considering whether the link is shared
by other traffic. The class is suitable for preferential services requiring low delay, low packet loss,
low jitter, and high bandwidth.
• AF class—This class is divided into four subclasses (AF 1 to AF 4), each containing three drop
priorities for more granular classification. The QoS level of the AF class is lower than that of the EF
class.
• CS class—This class is derived from the IP ToS field and includes eight subclasses.
• BE class—This class is a special CS class that does not provide any assurance. AF traffic exceeding
the limit is degraded to the BE class. All IP network traffic belongs to this class by default.

Table 123 Description of DSCP values

DSCP value (decimal) | DSCP value (binary) | Keyword
46 | 101110 | ef
10 | 001010 | af11
12 | 001100 | af12
14 | 001110 | af13
18 | 010010 | af21
20 | 010100 | af22
22 | 010110 | af23
26 | 011010 | af31
28 | 011100 | af32
30 | 011110 | af33
34 | 100010 | af41
36 | 100100 | af42
38 | 100110 | af43
8 | 001000 | cs1
16 | 010000 | cs2
24 | 011000 | cs3
32 | 100000 | cs4
40 | 101000 | cs5
48 | 110000 | cs6
56 | 111000 | cs7
0 | 000000 | be (default)

802.1p priority
802.1p priority lies in the Layer 2 packet header and applies to situations where Layer 3 header analysis
is not needed and QoS must be assured at Layer 2.
Figure 261 An Ethernet frame with an 802.1q tag header

As shown in Figure 261, the 4-byte 802.1q tag header consists of the tag protocol identifier (TPID, two
bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure
262 shows the format of the 802.1q tag header.

Figure 262 802.1q tag header

Table 124 Description of 802.1p priority

802.1p priority (decimal) | 802.1p priority (binary) | Keyword
0 | 000 | best-effort
1 | 001 | background
2 | 010 | spare
3 | 011 | excellent-effort
4 | 100 | controlled-load
5 | 101 | video
6 | 110 | voice
7 | 111 | network-management

The priority in the 802.1q tag header is called "802.1p priority" because its use is defined in IEEE
802.1p.
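
The three priority fields described in this appendix can be read out of a raw frame as follows. This is an added example, not taken from the HP guide: the frame is constructed, and the TCI layout (3-bit priority, 1-bit CFI, 12-bit VLAN ID) is assumed from IEEE 802.1Q because the content of Figure 262 is not reproduced here.

```python
"""Added example: extract 802.1p priority, IP precedence and DSCP from a frame."""
import struct

IP_PRECEDENCE = ("routine", "priority", "immediate", "flash",
                 "flash-override", "critical", "internet", "network")   # Table 122
DOT1P = ("best-effort", "background", "spare", "excellent-effort",
         "controlled-load", "video", "voice", "network-management")     # Table 124


def dscp_keyword(dscp):
    """Keyword from Table 123 for a 6-bit DSCP value, or None if not listed."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if dscp == 46:
        return "ef"
    if dscp == 0:
        return "be"
    cls, drop = dscp >> 3, (dscp >> 1) & 0b11
    if dscp & 0b111 == 0:
        return f"cs{cls}"            # class selector: only the top three bits set
    if 1 <= cls <= 4 and dscp & 1 == 0:
        return f"af{cls}{drop}"      # AF class 1-4 with drop priority 1-3
    return None


def parse_priorities(frame):
    """Return the priority fields of an Ethernet frame that carries IPv4."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    fields = {"dot1p": None, "vlan": None}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == 0x8100:                      # TPID: an 802.1q tag header follows
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag header")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        fields["dot1p"] = DOT1P[tci >> 13]       # priority: top 3 bits of the TCI
        fields["vlan"] = tci & 0x0FFF            # VLAN ID: low 12 bits (assumed layout)
        offset = 18
    if ethertype != 0x0800 or len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("no complete IPv4 header")
    ds = frame[offset + 1]                       # ToS byte, redefined as the DS field
    fields["precedence"] = IP_PRECEDENCE[ds >> 5]    # bits 0 to 2
    fields["tos"] = (ds >> 1) & 0x0F                 # bits 3 to 6
    fields["dscp"] = ds >> 2                         # bits 0 to 5
    fields["keyword"] = dscp_keyword(ds >> 2)
    return fields


def build_frame(dscp, dot1p=None, vlan=1):
    """Constructed test frame: optional 802.1q tag plus a bare IPv4 header."""
    header = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if dot1p is not None:
        header += struct.pack("!HH", 0x8100, (dot1p << 13) | vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([2, 1, 1, 1]), bytes([1, 1, 1, 2]))
    return header + struct.pack("!H", 0x0800) + ip


if __name__ == "__main__":
    print(parse_priorities(build_frame(46, dot1p=6, vlan=100)))
    print(parse_priorities(build_frame(18)))
```

The same DS byte yields both the older IP precedence reading and the DSCP reading, which is why an EF packet (DSCP 46) also reads as IP precedence 5.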

Configuring SNMP

Only the A-MSR20/30/50 series routers support this function.


For the A-MSR900/20-1X series routers, see "Configuring SNMP (lite version)."
SNMP is an Internet standard protocol widely used for an NMS to access and operate the devices
(SNMP agents) on a network, regardless of their vendors, physical characteristics, and interconnect
technologies.
SNMP enables network administrators to read and set the variables on managed devices to monitor their
operating and health state, diagnose network problems, and collect statistics for management purposes.
HP SNMP agents support these SNMP versions:
• SNMPv1—Uses password authentication to control access to SNMP agents. SNMPv1 passwords fall
into the categories of read-only passwords and read-and-write passwords.
A read-only password enables reading data from an SNMP agent.
A read-and-write password enables reading data and setting variables on an SNMP agent.
• SNMPv2c—Also uses password authentication for SNMP agent access control. It is compatible with
SNMPv1, but supports more operation modes, data types, and error codes.
• SNMPv3—Uses a USM to secure SNMP communication. You can configure authentication and
privacy mechanisms to authenticate access and encrypt SNMP packets for integrity, authenticity,
and confidentiality.
An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
For more information about SNMP, see HP A-MSR Router Series Network Management and Monitoring
Configuration Guide.

SNMP agent configuration


Configuration task list
Because configurations for SNMPv3 differ substantially from those for SNMPv1 and SNMPv2c, their
SNMP functionalities are introduced separately as follows.

Configuring SNMPv1 or SNMPv2c


Table 125 SNMPv1 or SNMPv2c configuration task list

Task | Remarks
Enabling the SNMP agent function | Required. The SNMP agent function is disabled by default. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view | Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP community | Required.
Configuring SNMP trap function | Optional. Allows you to configure that the agent can send SNMP traps to the NMS and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics | Optional.

Configuring SNMPv3
Table 126 SNMPv3 configuration task list

Task | Remarks
Enabling the SNMP agent function | Required. The SNMP agent function is disabled by default. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view | Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP group | Required. After creating an SNMP group, you can add SNMP users to the group when creating the users. Therefore, you can realize centralized management of users in the group through the management of the group.
Configuring an SNMP user | Required. Before creating an SNMP user, create the SNMP group to which the user belongs.
Configuring SNMP trap function | Optional. Allows you to configure that the agent can send SNMP traps to the NMS and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics | Optional.

Enabling the SNMP agent function
Select Advanced > SNMP from the navigation tree to display the SNMP configuration page shown
in Figure 263. On the upper part of the page, you can select to enable or disable the SNMP agent
function and configure parameters such as SNMP version. On the lower part of the page, you can view
the SNMP statistics, which help you understand the running status of the SNMP after your configuration.
Figure 263 Set up

Table 127 Configuration

Item | Description
SNMP | Specify to enable or disable the SNMP agent function.
Local Engine ID | Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size | Configure the maximum size of an SNMP packet that the agent can receive/send.
Contact | Set a character string to describe the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device.
Location | Set a character string to describe the physical location of the device.
SNMP Version | Set the SNMP version run by the system.

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

Configuring an SNMP view


Select Advanced > SNMP from the navigation tree, and then click the View tab to display the page shown
in Figure 264.
Figure 264 View page

Creating an SNMP view


Click Add, and the Add View window appears, as shown in Figure 265. Enter the view name, and click
Apply to display the page shown in Figure 266.

Figure 265 Create an SNMP view (1)

Figure 266 Create an SNMP view (2)

Table 128 describes the configuration for creating an SNMP view. After configuring the parameters of a
rule, click Add to add the rule to the list box in the lower part of the page. After configuring all rules, click
Apply to create an SNMP view. The view is not created if you click Cancel.
Table 128 Configuration

Item | Description
View Name | Set the SNMP view name.
Rule | Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
MIB Subtree OID | Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.
Subtree Mask | Set the subtree mask. If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.
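
How a view built from Rule, MIB Subtree OID and Subtree Mask entries decides whether an object is visible can be modelled as follows. This is an added example, not code from the HP guide or the device: it assumes the view matching rules of RFC 3415 (mask bits read most significant first, a 0 bit is a wildcard, the most specific covering rule wins), and the sample rules other than the interfaces subtree are constructed.

```python
"""Added example: evaluate SNMP view rules (Rule, MIB Subtree OID, Subtree Mask).

Assumption: matching follows the view-tree-family rules of RFC 3415; the
device's own implementation is not shown on this page.
"""


def parse_oid(text):
    """'1.3.6.1.2.1.2' -> (1, 3, 6, 1, 2, 1, 2)"""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first.

    1 = the sub-identifier must match, 0 = wildcard. With no mask, or past
    the end of a short mask, every bit is 1 (the "all Fs" default).
    """
    bits = []
    for byte in bytes.fromhex(mask_hex or ""):
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return (bits + [1] * length)[:length]


class Rule:
    def __init__(self, action, subtree, mask=None):
        if action not in ("Included", "Excluded"):
            raise ValueError("action must be Included or Excluded")
        self.included = action == "Included"
        self.subtree = parse_oid(subtree)
        self.bits = mask_bits(mask, len(self.subtree))

    def covers(self, oid):
        """True when oid lies in the subtree family selected by OID and mask."""
        if len(oid) < len(self.subtree):
            return False
        return all(bit == 0 or have == want
                   for bit, have, want in zip(self.bits, oid, self.subtree))


def in_view(rules, oid_text):
    """Apply the most specific covering rule; no covering rule means no access."""
    oid = parse_oid(oid_text)
    covering = [rule for rule in rules if rule.covers(oid)]
    if not covering:
        return False
    best = max(covering, key=lambda rule: (len(rule.subtree), rule.subtree))
    return best.included


# Constructed sample view. The first rule is the numeric form of the
# "interfaces" subtree; the other two rules are added for illustration.
VIEW1 = [
    Rule("Included", "1.3.6.1.2.1.2"),                  # interfaces subtree
    Rule("Excluded", "1.3.6.1.2.1.2.2.1.6"),            # ifPhysAddress column
    Rule("Included", "1.3.6.1.2.1.2.2.1.0.2", "FFA0"),  # every column of ifIndex 2
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.1.0", "1.3.6.1.2.1.2.2.1.6.1",
                "1.3.6.1.2.1.2.2.1.6.2", "1.3.6.1.2.1.1.1.0"):
        print(oid, "visible" if in_view(VIEW1, oid) else "hidden")
```

Under these assumptions the masked rule for row 2 overrides the column exclusion, so ifPhysAddress.2 stays visible while ifPhysAddress.1 is hidden; a masked Included rule can widen a view further than its OID alone suggests.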

Adding rules to an SNMP view

Click the icon corresponding to the specified view on the page, as shown in Figure 264. The Add rule
for the view ViewDefault window appears, as shown in Figure 267. After configuring the parameters,
click Apply to add the rule for the view. Table 128 describes the configuration for creating an SNMP
view.
Figure 267 Add rules to an SNMP view

NOTE:
You can also click the icon corresponding to the specified view on the page shown in Figure 264, and
then you can display the page to modify the view.

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

Configuring an SNMP community


Select Advanced > SNMP from the navigation tree, then click the Community tab to display the page
shown in Figure 268. Click Add to display the Add SNMP Community page, as shown in Figure 269.
Figure 268 Configure an SNMP community

Figure 269 Create an SNMP Community

Table 129 Configuration

Item | Description
Community Name | Set the SNMP community name.
Access Right | Configure SNMP NMS access right: • Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent. • Read and write—The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent.
View | Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS.
ACL | Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP address.

Return to "SNMPv1 or SNMPv2c configuration task list."

Configuring an SNMP group


Select Advanced > SNMP from the navigation tree, then click the Group tab to display the page shown
in Figure 270. Click Add to display the Add SNMP Group page, as shown in Figure 271.

Figure 270 SNMP group

Figure 271 Create an SNMP group

Table 130 Configuration

Item | Description
Group Name | Set the SNMP group name.
Security Level | Select the security level for the SNMP group: • NoAuth/NoPriv—No authentication no privacy. • Auth/NoPriv—Authentication without privacy. • Auth/Priv—Authentication and privacy. NOTE: The security level for an existing SNMP group cannot be modified.
Read View | Select the read view of the SNMP group.
Write View | Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform the write operations to all MIB objects on the device.
Notify View | Select the notify view of the SNMP group (the view that can send trap messages). If no notify view is configured, the agent does not send traps to the NMS.
ACL | Associate a basic ACL with the group to restrict the source IP address of SNMP packets. You can configure to allow or prohibit SNMP packets with a specific source IP address in order to restrict the intercommunication between the NMS and the agent.

Return to "SNMPv3 configuration task list."

Configuring an SNMP user


Select Advanced > SNMP from the navigation tree, and then click the User tab to display the page shown
in Figure 272. Click Add to display the Add SNMP User page, as shown in Figure 273.
Figure 272 SNMP user

Figure 273 Create an SNMP user

Table 131 Configuration

Item | Description
User Name | Set the SNMP user name.
Security Level | Select the security level for the SNMP group: • NoAuth/NoPriv—No authentication no privacy. • Auth/NoPriv—Authentication without privacy. • Auth/Priv—Authentication and privacy.
Group Name | Select an SNMP group to which the user belongs. • When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication/no privacy. • When the security level is Auth/NoPriv, you can select an SNMP group with no authentication/no privacy or authentication without privacy. • When the security level is Auth/Priv, you can select an SNMP group of any security level.
Authentication Mode | Select an authentication mode (including MD5 and SHA) when the security level is Auth/NoPriv or Auth/Priv.
Authentication Password | Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.
Confirm Authentication Password | The confirm authentication password must be the same as the authentication password.
Privacy Mode | Select a privacy mode (including DES56, AES128, and 3DES) when the security level is Auth/Priv.
Privacy Password | Set the privacy password when the security level is Auth/Priv.
Confirm Privacy Password | The confirm privacy password must be the same as the privacy password.
ACL | Associate a basic ACL with the user to restrict the source IP address of SNMP packets. You can configure to allow or prohibit SNMP packets with a specific source IP address in order to allow or prohibit the specified NMS to access the agent by using this user name.

Return to "SNMPv3 configuration task list."

Configuring SNMP trap function


Select Advanced > SNMP from the navigation tree, and then click the Trap tab to display the page shown
in Figure 274. On the upper part of the page, you can select to enable the SNMP trap function. On the
lower part of the page, you can configure target hosts of the SNMP traps. Click Add to display the Add
Trap Target Host page, as shown in Figure 275.
Figure 274 Traps configuration

Figure 275 Add a target host of SNMP traps

Table 132 Configuration

Item | Description
Destination IP Address | Set the destination IP address. Select the IP address type: IPv4/domain name, or IPv6, and then enter the corresponding IP address in the field according to the IP address type.
Security Name | Set the security name: • An SNMPv1 community name • An SNMPv2c community name • An SNMPv3 user name
UDP Port | Set UDP port number. NOTE: The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (such as when using iMC or MIB Browser as the NMS), you can use the default port number. To change this parameter to another value, make sure that the configuration is the same as that on the NMS.
Security Model | Select the security model (the SNMP version). NOTE: The security model must be the same as that running on the NMS. Otherwise, the NMS cannot receive any traps.
Security Level | Set the authentication and privacy mode for SNMP traps when the security model is selected as v3. The available security levels are: no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the Security Level can only be no authentication no privacy, and it cannot be modified.

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

Displaying SNMP packet statistics


Select Advanced > SNMP from the navigation tree to display the Setup tab page. On the lower part of the
page, you can view the SNMP statistics, as shown in Figure 276.
Figure 276 SNMP statistics

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

SNMP configuration example
SNMPv1 or SNMPv2c configuration example
Network requirements
As shown in Figure 277, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the SNMP
agent at 1.1.1.1/24, and the agent automatically sends traps to report events to the NMS.
Figure 277 Network diagram

Configuring the agent


# Enable SNMP.
• Select Advanced > SNMP from the navigation tree to display the Setup page. Perform the following
configurations, as shown in Figure 278.

Figure 278 Enable SNMP

a. Select the Enable option.


b. Set the SNMP version to both v1 and v2c.
c. Click Apply.
# Configure an SNMP community.
• Click the Community tab, and then click Add. Perform the following configurations, as shown
in Figure 279.

Figure 279 Configure SNMP community named public

a. Enter public in the field of Community Name.


b. Select Read only from the Access Right list.
c. Click Apply.
d. Click the Community tab, and then click Add. Perform the following configurations, as shown
in Figure 280.
Figure 280 Configure SNMP community named private

a. Enter private in the field of Community Name.


b. Select Read and write from the Access Right list.
c. Click Apply.

# Enable Agent to send SNMP traps.
• Click the Trap tab, and perform the following configurations, as shown in Figure 281.
Figure 281 Enable Agent to send SNMP traps

a. Select the Enable SNMP Trap checkbox.


b. Click Apply.

# Add target hosts of SNMP traps.


• On the Trap tab page, click Add, and perform the following configurations, as shown in Figure 282.
Figure 282 Add target hosts of SNMP traps

a. Select IPv4/Domain for Destination IP address type.


b. Enter the destination address 1.1.1.2.

c. Enter the security username public.
d. Select v1 from the Security Model list. (This configuration must be the same as that running on the
NMS. Otherwise, the NMS cannot receive any traps.)
e. Click Apply.

Configuring the NMS


The configuration on NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
With SNMPv1 or SNMPv2c, set both read password and read-and-write password on the NMS. Also,
configure the aging time and retry times. You can inquire about and configure the device through the
NMS. For more information about NMS configuration, see the manual provided for NMS.

Verifying the configuration


• After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can obtain and configure the values of some parameters on the agent through MIB nodes.
• Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding trap.

SNMPv3 configuration example


Network requirements
As shown in Figure 283, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface
status of the agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS.
The NMS and the agent perform authentication when they set up an SNMP session. The authentication
algorithm is MD5, and the authentication key is authkey. The NMS and the agent also encrypt the SNMP
packets between them by using the DES algorithm and the privacy key prikey.
Figure 283 Network diagram (Agent 1.1.1.1/24, NMS 1.1.1.2/24)

Configure the agent


# Enable SNMP.
• Select Advanced > SNMP from the navigation tree to display the Setup page. Perform the following
configurations, as shown in Figure 284.

Figure 284 Enable SNMP

a. Select the Enable option.


b. Set the SNMP version to v3.
c. Click Apply.
# Configure an SNMP view.
• Click the View tab, and then click Add. Perform the following configurations, as shown in Figure
285.

Figure 285 Set the name of the view to be created

• Enter view1 in the View Name field.


• Click Apply to display the page for view1. Perform the following configurations, as shown in Figure
286.
Figure 286 Add a view named view1

a. Select the Included option.


b. Enter the MIB subtree OID interfaces.
c. Click Add.
d. Click Apply. A configuration progress dialog box appears, as shown in Figure 287.

Figure 287 Configuration progress dialog box

• After the configuration process is complete, click Close.


# Configure an SNMP group.
• Click the Group tab, and then click Add. Perform the following configurations, as shown in Figure
288.
Figure 288 Configure an SNMP group

a. Enter group1 in the Group Name field.


b. Select NoAuth/NoPri from the Security Level list.
c. Select view1 from the Read View list.
d. Select v3 from the Security Level list.
e. Click Apply.

# Configure an SNMP user.

• Click the User tab, and then click Add. Perform the following configurations, as shown in Figure
289.
Figure 289 Configure an SNMP user

a. Enter user1 in the User Name field.


b. Select NoAuth/NoPri from the Security Level list.
c. Select group1 (NoAuth/NoPri) from the Group Name list.
d. Click Apply.

# Enable Agent to send SNMP traps.


• Click the Trap tab, and perform the following configurations, as shown in Figure 290.

Figure 290 Add target hosts of SNMP traps

a. Select the Enable SNMP Trap checkbox.


b. Click Apply.

# Add target hosts of SNMP traps.


• On the Trap tab page, click Add and perform the following configurations, as shown in Figure 291.
Figure 291 Add target hosts of SNMP traps

a. Select the destination IP address type as IPv4/Domain.


b. Enter the destination address 1.1.1.2.
c. Enter the user name user1.
d. Select v3 from the Security Model list.

e. Click Apply.

Configure the NMS


The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
SNMPv3 adopts a security mechanism of authentication and privacy. Configure username and security
level. According to the configured security level, configure the related authentication mode,
authentication password, privacy mode, privacy password, and so on.
Also, configure the aging time and retry times. After the above configurations, you can configure the
device as needed through the NMS. For more information about NMS configuration, see the manual
provided for NMS.

Verifying the configuration


• After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can obtain and configure the values of some parameters on the agent through MIB nodes.
• Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding trap.
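
The settings entered in the two configuration examples above can be reviewed mechanically before they are applied. The following is an added example, not part of the HP guide: the dictionary keys mirror the field names in Tables 129 and 131 (with the security level spelled as in those tables), and the second set of values (names, view assignment, ACL number 2000) is constructed for comparison.

```python
"""Added example: review SNMP settings keyed by the field names in Tables 129 and 131."""

WELL_KNOWN = {"public", "private"}
RANK = {"NoAuth/NoPriv": 0, "Auth/NoPriv": 1, "Auth/Priv": 2}


def audit_communities(communities):
    """Return (community, finding) pairs for SNMPv1/v2c communities."""
    findings = []
    for entry in communities:
        name = entry["Community Name"]
        if name.lower() in WELL_KNOWN:
            findings.append((name, "well-known community name"))
        if entry.get("Access Right") == "Read and write":
            findings.append((name, "write access granted by a cleartext community"))
        if not entry.get("View"):
            findings.append((name, "no view limits the accessible MIB objects"))
        if not entry.get("ACL"):
            findings.append((name, "no ACL limits the NMS source address"))
    return findings


def audit_users(groups, users):
    """Return (user, finding) pairs for SNMPv3 users and their groups."""
    levels = {g["Group Name"]: g["Security Level"] for g in groups}
    findings = []
    for user in users:
        name, level = user["User Name"], user["Security Level"]
        group_level = levels.get(user["Group Name"])
        if group_level is None:
            findings.append((name, "group does not exist"))
        elif RANK[group_level] > RANK[level]:
            # Table 131: a user may only join a group at or below its own level.
            findings.append((name, "group requires a higher security level"))
        if level == "NoAuth/NoPriv":
            findings.append((name, "no authentication and no privacy"))
        elif level == "Auth/NoPriv":
            findings.append((name, "packets are authenticated but not encrypted"))
        if level != "NoAuth/NoPriv" and user.get("Authentication Mode") == "MD5":
            findings.append((name, "MD5 selected although SHA is offered"))
        if level == "Auth/Priv" and user.get("Privacy Mode") == "DES56":
            findings.append((name, "DES56 selected although AES128 is offered"))
        if not user.get("ACL"):
            findings.append((name, "no ACL limits the NMS source address"))
    return findings


# Settings as entered in the page's two configuration examples.
PAGE_COMMUNITIES = [
    {"Community Name": "public", "Access Right": "Read only"},
    {"Community Name": "private", "Access Right": "Read and write"},
]
PAGE_GROUPS = [{"Group Name": "group1", "Security Level": "NoAuth/NoPriv"}]
PAGE_USERS = [{"User Name": "user1", "Security Level": "NoAuth/NoPriv",
               "Group Name": "group1"}]

# Constructed alternative: names, view assignment and ACL number are illustrative only.
TIGHT_COMMUNITIES = [{"Community Name": "example-ro-7f3a", "Access Right": "Read only",
                      "View": "view1", "ACL": "2000"}]
TIGHT_GROUPS = [{"Group Name": "group2", "Security Level": "Auth/Priv"}]
TIGHT_USERS = [{"User Name": "user2", "Security Level": "Auth/Priv",
                "Group Name": "group2", "Authentication Mode": "SHA",
                "Privacy Mode": "AES128", "ACL": "2000"}]

if __name__ == "__main__":
    page = audit_communities(PAGE_COMMUNITIES) + audit_users(PAGE_GROUPS, PAGE_USERS)
    for who, what in page:
        print(f"{who}: {what}")
```

The SNMPv3 procedure above creates user1 at NoAuth/NoPriv although the network requirements call for MD5 authentication and DES privacy, so the check reports user1 as unauthenticated rather than reporting the MD5 and DES choices.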

Configuring bridging

Through the web interface, you can configure the following transparent bridging functions:
• Enabling a bridge set
• Adding an interface to a bridge set
A bridge is a store-and-forward device that connects and transfers traffic between LAN segments at the
data-link layer. In some small-sized networks