Copyright 2008-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors
Preface
This document is the Web-based configuration guide for the H3C MSR series routers, and describes
how to visually manage and maintain the H3C MSR series routers through a Web-based interface.
This preface includes:
Audience
Conventions
Obtaining documentation
Technical support
Documentation feedback
These configuration guides apply to the following models of the H3C MSR series routers (grouped by series):
MSR 900 series: MSR 900, MSR 920
MSR 930 series: MSR 930, MSR 930-GU, MSR 930-GT, MSR 930-DG, MSR 930-SA
MSR 20 series: MSR 20-10, MSR 20-1X, MSR 20-10E, MSR 20-11, MSR 20-12, MSR 20-15, MSR 20-20, MSR 20-21, MSR 20-40
MSR 30 series: MSR 30-10, MSR 30-11, MSR 30-11E, MSR 30-11F, MSR 30-16, MSR 30-20, MSR 30-40, MSR 30-60
MSR 50 series: MSR 50-40, MSR 50-60
Audience
This documentation is intended for:
Network planners
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention
Description
Boldface
Bold text represents commands and keywords that you enter literally as shown.
Italic
Italic text represents arguments that you replace with actual values.
[]
Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which
you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from
which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by vertical
bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by vertical
bars, from which you select one choice, multiple choices, or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can
be entered 1 to n times.
GUI conventions
Convention
Description
Boldface
Window names, button names, field names, and menu items are in Boldface. For
example, the New User window appears; click OK.
>
Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
WARNING: An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT, NOTE, TIP: Alerts of lower severity that mark supplementary information, points to keep in mind, or helpful hints.
The H3C MSR documentation set covers hardware specifications and installation, software configuration, and operations and maintenance. Documents in the set include marketing brochures, card datasheets, and the installation guide.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with the
software version.
Technical support
service@h3c.com
http://www.h3c.com
Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents
Web overview 1
Logging in to the Web interface 1
Logging out of the Web interface 2
Introduction to the Web interface 2
User level 5
Introduction to the Web-based NM functions 5
Common Web interface elements 19
Managing Web-based NM through CLI 23
Enabling/disabling Web-based NM 23
Managing the current Web user 23
Configuration guidelines 23
Troubleshooting Web browser 24
Cannot access the device through the Web interface 24
Displaying device information 28
Displaying device information 30
Displaying broadband connection information 30
Displaying 3G wireless card state 30
Displaying LAN information 32
Displaying WLAN information 32
Displaying service information 33
Displaying recent system logs 33
Managing integrated services 33
Basic services configuration 34
Configuring basic services 34
Entering the homepage of basic configuration wizard 34
Setting WAN interface parameters 34
Setting LAN interface parameters 43
Setting WLAN interface parameters 44
Validating the basic services configuration 45
Configuring WAN interfaces 47
Configuring an Ethernet interface or subinterface 47
Overview 47
Configuring an Ethernet interface 47
Configuring an SA interface 50
SA interface overview 50
Configuration procedure 50
Configuring an ADSL/G.SHDSL interface 52
ADSL/G.SHDSL interface overview 52
Configuration procedure 52
Configuring a CE1/PRI interface 55
CE1/PRI interface overview 55
Configuration procedure 56
Configuring a CT1/PRI interface 58
CT1/PRI interface overview 58
Configuration procedure 58
Configuring a cellular interface 59
Overview 59
Configuration procedure 59
Viewing the general information and statistics of an interface 61
Configuring VLANs 62
Overview 62
Configuring a VLAN and its VLAN interface 62
Recommended configuration procedures 62
Creating a VLAN and its VLAN interface 63
Configuring VLAN member ports 64
Configuring parameters for a VLAN interface 64
Configuration guidelines 66
Wireless configuration overview 67
Overview 67
Configuration task list 67
Configuring wireless services 68
Configuring wireless access service 68
Creating a wireless access service 68
Configuring clear type wireless service 69
Configuring crypto type wireless service 77
Binding an AP radio to a wireless service 82
Security parameter dependencies 83
Displaying wireless access service 84
Displaying wireless service 84
Displaying client 86
Displaying RF ping information 90
Wireless access service configuration examples 91
Wireless service configuration example 91
Access service-based VLAN configuration example 92
PSK authentication configuration example 94
Local MAC authentication configuration example 96
Remote MAC authentication configuration example 98
Remote 802.1X authentication configuration example 104
802.11n configuration example 109
Client mode 111
Enabling the client mode 111
Connecting the wireless service 112
Displaying statistics 113
Client mode configuration example 114
Configuring radios 116
Configuring data transmit rates 120
Configuring 802.11a/802.11b/802.11g rates 120
Configuring 802.11n MCS 121
Displaying radio 122
Displaying WLAN services bound to a radio 122
Displaying detailed radio information 122
Configuring WLAN security 125
Blacklist and white list 125
Configuring the blacklist and white list functions 125
Configuring dynamic blacklist 125
Configuring static blacklist 126
Configuring white list 127
Configuring user isolation 127
Index 848
Web overview
The device provides Web-based configuration interfaces for visual device management and
maintenance.
Figure 1 Web-based network management operating environment
The PC in Figure 1 is the one where you configure the device, but not necessarily the Web-based
network management terminal. The Web-based network management terminal is a PC (or another
terminal) used to log in to the Web interface and is required to be reachable to the device.
If you click the verification code displayed on the Web login page, you can get a new verification
code.
Up to 24 users can concurrently log in to the device through the Web interface.
You can also log in to the Web interface through HTTPS, but you must enable HTTPS on the device,
and the address you enter in the address bar must start with https://. For more information, see
"Configuring service management." Prefer HTTPS for management: plain HTTP carries the username,
password, and session in cleartext, so anyone on the path between the management PC and the device
can read or replay them.
If you have configured the auto authentication mode for an HTTPS login user by using the web
https-authorization mode command, the user is automatically authenticated by the PKI certificate,
without entering any username and password. For more information, see Fundamentals
Configuration Guide.
You can use the following default settings to log in to the Web interface through HTTP:
Username: admin
Password: admin
These defaults are public knowledge. Change the admin password immediately after the first login,
before the device is connected to any untrusted network.
1. Connect the Ethernet interface Ethernet 0/0 of the device to the PC using a crossover Ethernet
cable.
2. Configure an IP address for the PC and make sure the PC and device can reach each other.
For example, assign the PC an IP address (for example, 192.168.1.2) within the network segment
192.168.1.0/24 (except for 192.168.1.1).
3.
Introduction to the Web interface
The Web interface is divided into three areas: the navigation area, the title area, and the body area.
Navigation area: Organizes the Web function menus in the form of a navigation tree, where you
can select function menus as needed. The result is displayed in the body area.
Title area: On the left, displays the path of the current configuration interface in the navigation
area; on the right, provides the Save button to quickly save the current configuration, the Help button
to display the Web related help information, and the Logout button to log out of the Web interface.
Body area: The area where you can configure and display a function.
User level
Web user levels, from low to high, are visitor, monitor, configure, and management. A
higher-level user has all rights of a lower-level user.
Visitor: Users of this level can perform the ping and traceroute operations, but can neither access
the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data from the device and configure the device, but they
cannot upgrade the host software, add/delete/modify users, or back up/restore the application
file.
Management: Users of this level can perform any operations for the device.
Give each administrator the lowest level that covers their tasks. Only management-level accounts
should be able to change user accounts, upgrade software, or restore a configuration, because each
of those operations can be used to take over the device or to persist on it.
Introduction to the Web-based NM functions
The Web interface groups its functions into the menus listed below. The original table also records,
for every menu item, the lowest user level that may open it; in this copy that column survives only
for the items noted in parentheses. The general rule follows from the user levels above: display
pages need at least the Monitor level, configuration pages need at least the Configure level, and the
items that create, modify, or remove users, back up or restore the configuration, or upgrade software
need the Management level.
Device Information: device, broadband connection, 3G, LAN, WLAN, service, and recent log
information (Monitor).
Wizard: basic services configuration wizard.
Interface Setup: WAN Interface Setup, LAN Interface Setup.
VLAN Setup: VLAN Interface Setup, Summary.
Wireless Configuration: Access Service (displays configuration information about an access
service), Radio, Security (displays configuration information of blacklist, whitelist, and user
isolation), Wireless QoS, Country Code (displays configuration information of the country code).
3G: 3G Information (displays 3G modem information, UIM card information, and 3G network
information), PIN Code Management.
NAT Configuration: Dynamic NAT, DMZ Host, Internal Server (displays configurations of the
internal server), ALG (displays configurations of the application layer protocol check function),
connection limit (displays configuration information about the number of connections).
Security Setup / Access: URL Filter, Blacklist, Attack Defend, Intrusion Detection.
Application Control: Application Control, Load Application, Custom Application, Redirection.
Advanced: Route Setup (Summary, Create, Remove), DNS Setup (DNS Configuration, DDNS
Configuration), DHCP Setup (DHCP Enable), User-based-sharing Config, Traffic Ordering.
QoS: ACL IPv4 (Summary, Add, Basic Config, Advanced Config, Link Config, Remove), Classifier
(Summary, Create, Setup, Remove), Behavior (Summary, Create, Setup, Remove), Policy (Summary,
Create, Setup, Remove), Port Policy (Summary, Setup, Remove), Subnet Limit, Advanced Limit,
Advanced Queue.
SNMP (supported on the MSR-20, MSR-30, and MSR-50): Setup, Community, Group, User, Trap,
View.
Bridge: Global Config, Config Interface.
UserGroup: Group, User.
WAN Synchronization.
Connection Control, Security, Application Control, Bandwidth (displays bandwidth management
configuration), Packet Filter.
MSTP: Region, Port, Global.
RADIUS, Access.
ARP Management: ARP Table (displays information of the ARP table), Gratuitous ARP, Dynamic
Entry. ARP Anti-Attack: Scan, Fix.
VPN: IPsec VPN (IPsec Connection, Monitoring Information), L2TP (L2TP Configuration, Tunnel
Info), GRE.
Certificate Management: Entity, Domain, Certificate, CRL (displays CRLs).
System Management: Save Configuration; Backup and Restore (Initialize: Configure; Backup
Configuration: Management; Restore Configuration: Management); Reboot; Service Management
(displays related configuration of system services); Users (User Summary: Monitor; Super Password:
Management; Create User: Management; Modify User: Management; Remove User: Management;
Switch To Management: Visitor); SNMP (displays SNMP configuration information); System Time
(System Time, Time Zone); TR-069 (displays TR-069 configurations); Software Upgrade; Syslog
(Loglist: displays detailed information of system logs; Loghost: displays configurations of the
specified loghost; Logset); Diagnostic Tools (Ping: Visitor; Trace Route: Visitor); Other.
WiNet Management: WiNet Setup, User Management, Configuration Wizard (displays configuration
information about the configuration wizard).
Voice Management: Local Number, Call Route, Dial Plan, Number Match, Number Substitution, SIP
Connection, Call Connection (displays connection properties, session properties, advanced settings,
and call release cause code mappings), Line Management, Advanced Configuration (Global
Configuration, Batch Configuration), Statistics (Call Statistics, Connection Status).
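The level hierarchy described above, as an added Python example that is not part of the H3C guide. Levels are ordered and a higher level inherits the rights of the lower ones; the operation-to-level table is an assumption built from the level descriptions and the Users, Backup and Restore, and Diagnostic Tools entries of the menu list, not the device's own access-control data. Unknown operations are denied rather than allowed, which is the failure mode a privilege check should have.

```python
"""Hierarchical Web user levels (added illustration, not device code).

visitor < monitor < configure < management; a higher level inherits
every right of the levels below it.
"""
from enum import IntEnum


class Level(IntEnum):
    VISITOR = 0
    MONITOR = 1
    CONFIGURE = 2
    MANAGEMENT = 3


# Minimum level required for each operation (assumed mapping, derived from
# the level descriptions and the menu list; not the device's own table).
MIN_LEVEL = {
    "ping": Level.VISITOR,
    "traceroute": Level.VISITOR,
    "switch_to_management": Level.VISITOR,   # the Users item open to every level
    "view_device_info": Level.MONITOR,
    "view_arp_table": Level.MONITOR,
    "configure_interface": Level.CONFIGURE,
    "initialize": Level.CONFIGURE,
    "upgrade_software": Level.MANAGEMENT,
    "create_user": Level.MANAGEMENT,
    "modify_user": Level.MANAGEMENT,
    "remove_user": Level.MANAGEMENT,
    "backup_configuration": Level.MANAGEMENT,
    "restore_configuration": Level.MANAGEMENT,
}


def parse_level(name):
    """Map a level name as written in the menu table to a Level; reject unknown names."""
    try:
        return Level[name.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown Web user level: {name!r}")


def is_permitted(user_level, operation):
    """True if a user at user_level may perform operation.

    Operations that are not in the table are denied: deny-by-default is the
    safe failure mode for an authorization check.
    """
    required = MIN_LEVEL.get(operation)
    if required is None:
        return False
    return parse_level(user_level) >= required


def rights_of(user_level):
    """Every operation a user at the given level may perform (inherited rights included)."""
    lvl = parse_level(user_level)
    return sorted(op for op, req in MIN_LEVEL.items() if lvl >= req)


if __name__ == "__main__":
    for level in ("visitor", "monitor", "configure", "management"):
        print(f"{level:11s} -> {rights_of(level)}")
```

Because the check compares ordered levels rather than looking up a per-level list, adding a new operation only requires one entry in the table, and a typo in a level name raises instead of silently granting or denying access.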
Common Web interface elements
The following buttons and icons appear throughout the Web interface (the icon images are not
reproduced here):
Apply: Brings the configuration on the current page into effect.
Cancel: Cancels the configuration on the current page, and goes to the corresponding display page
or device information page.
Refresh: Refreshes the information on the current page.
Clear: Clears all statistics or items in a list.
Add: Enters the page for adding an entry.
Remove: Deletes the selected entries on a list.
Select all: Selects all the entries on a list or all ports on a device panel.
Select none: Clears the selection of all the entries on a list or all ports on a device panel.
Modify icon: Typically located in the Operation column of a display page, it enters the modify
page of the corresponding entry so that you can display or modify the configuration of the entry.
Delete icon: Typically located in the Operation column of a display page, it removes an entry.
Searching function
The Web interface provides basic and advanced searching functions to display only the entries that
match specific searching criteria.
Basic search: As shown in Figure 4, enter the keyword in the text box above the list, select a search
item from the drop-down list, and click the Search button to display the entries that match the
criteria. Figure 5 shows an example of searching for entries with VLAN ID 2.
Advanced search: As shown in Figure 4, click the Advanced Search link to open the advanced search
page, as shown in Figure 6. Specify the search criteria and click Apply to display the entries that
match the criteria. All criteria you specify must match at the same time.
Take the ARP table shown in Figure 4 as an example. To search for the ARP entries with interface
Ethernet 0/4 and IP address in the range 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 7, and click Apply. The ARP entries with interface Ethernet 0/4 are displayed.
2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 8, and click Apply. The ARP entries with interface Ethernet 0/4 and IP address in the
range 192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 9.
Sorting function
The Web interface provides a basic sorting function to display entries in a chosen order.
On a list page, click the blue heading of a column to sort the entries by that column. After you click,
the heading is displayed with an arrow beside it, as shown in Figure 10. An upward arrow indicates
ascending order, and a downward arrow indicates descending order.
Figure 10 Basic sorting function example (based on IP address in the descending order)
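The ARP-table search and sort described above, as an added Python example that is not code from the H3C guide. The ARP entries are constructed sample data. The advanced search requires every criterion to hold at once, and the IP range is compared as addresses rather than as strings, so that 192.168.1.9 (which sorts after 192.168.1.59 as text) is handled correctly.

```python
"""Basic search, advanced search, and column sort over an ARP table (added example)."""
import ipaddress

# Constructed sample ARP table; not output captured from a device.
ARP_TABLE = [
    {"interface": "Ethernet 0/4", "ip": "192.168.1.9",  "mac": "000f-e200-0001", "type": "Dynamic"},
    {"interface": "Ethernet 0/4", "ip": "192.168.1.50", "mac": "000f-e200-0002", "type": "Dynamic"},
    {"interface": "Ethernet 0/4", "ip": "192.168.1.55", "mac": "000f-e200-0003", "type": "Static"},
    {"interface": "Ethernet 0/4", "ip": "192.168.1.60", "mac": "000f-e200-0004", "type": "Dynamic"},
    {"interface": "Ethernet 0/1", "ip": "192.168.1.52", "mac": "000f-e200-0005", "type": "Dynamic"},
]


def basic_search(entries, field, keyword):
    """Basic search: entries whose chosen field contains the keyword (case-insensitive)."""
    kw = keyword.lower()
    return [e for e in entries if kw in str(e[field]).lower()]


def advanced_search(entries, interface=None, ip_from=None, ip_to=None, **exact):
    """Advanced search: every given criterion must match.

    interface       exact interface name
    ip_from, ip_to  inclusive IPv4 range; either bound may be omitted
    **exact         any other field that must match exactly, e.g. type="Static"
    """
    lo = ipaddress.IPv4Address(ip_from) if ip_from else None
    hi = ipaddress.IPv4Address(ip_to) if ip_to else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError("ip_from must not be greater than ip_to")
    matches = []
    for e in entries:
        if interface is not None and e["interface"] != interface:
            continue
        addr = ipaddress.IPv4Address(e["ip"])      # numeric comparison, not string order
        if lo is not None and addr < lo:
            continue
        if hi is not None and addr > hi:
            continue
        if any(e.get(k) != v for k, v in exact.items()):
            continue
        matches.append(e)
    return matches


def sort_entries(entries, field, descending=False):
    """Column sort as in the sorting function; IP addresses sort numerically."""
    if field == "ip":
        key = lambda e: int(ipaddress.IPv4Address(e["ip"]))
    else:
        key = lambda e: e[field]
    return sorted(entries, key=key, reverse=descending)


if __name__ == "__main__":
    step1 = advanced_search(ARP_TABLE, interface="Ethernet 0/4")
    step2 = advanced_search(ARP_TABLE, interface="Ethernet 0/4",
                            ip_from="192.168.1.50", ip_to="192.168.1.59")
    print("step 1:", [e["ip"] for e in step1])
    print("step 2:", [e["ip"] for e in step2])
    print("sorted desc:", [e["ip"] for e in sort_entries(ARP_TABLE, "ip", descending=True)])
```

The two calls in the usage section reproduce the two steps of the ARP example: the first narrows by interface only, the second adds the address range.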
Managing Web-based NM through CLI
Enabling/disabling Web-based NM
Web-based network management is enabled with the ip http enable command in system view and
disabled with its undo form, undo ip http enable. Disable the HTTP service on devices that are
managed only through HTTPS or the CLI, and keep the Web service reachable only from the
management network.
Managing the current Web user
Use the CLI to display the users currently logged in through the Web interface and to force a user
out; for the commands, see Fundamentals Configuration Guide.
Configuration guidelines
The Web-based configuration interface supports the operating systems Windows XP, Windows
2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition,
Windows Vista, Windows 7, Linux, and Mac OS.
The Web-based configuration interface supports the browsers Microsoft Internet Explorer 6.0
SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.
The Web-based configuration interface does not support the Back, Next, and Refresh buttons provided
by the browser. Using these buttons may result in abnormal display of Web pages.
The Windows firewall limits the number of TCP connections, so when you use IE to log in to the Web
interface you may occasionally be unable to open it. The vendor's workaround is to turn off the
Windows firewall before login; if you do so, re-enable it as soon as you have logged in, and only do
this on a management PC that is not exposed to untrusted networks.
If the software version of the device changes, clear the cache data on the browser before logging
in to the device through the Web interface; otherwise, the Web page content may not be displayed
correctly.
Pages that display content in pages can display at most 20,000 entries.
Troubleshooting Web browser
Cannot access the device through the Web interface
Analysis
If you use Microsoft Internet Explorer, you can access the Web interface only when the following
functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for
scripting, and Active scripting.
If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.
Solution
Internet Explorer:
1. Open Internet Explorer, and then select Tools > Internet Options.
2. Click the Security tab, and then select the Web content zone whose security settings you want to
change, as shown in Figure 11. Add the device's management address to the Trusted sites zone and
relax the settings for that zone only, rather than enabling ActiveX for the Internet zone, which
would apply to every site you visit.
3. As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX
controls marked safe for scripting, and Active scripting.
Firefox:
1. Open the Firefox Web browser, and then select Tools > Options.
2. Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure
13.
Displaying device information
If you select a specific refresh period, the system periodically refreshes the Device Info page.
Device information fields:
Device Model: Device name.
Software Version, Firmware Version, Hardware Version, Running Time, CPU Usage, Memory Usage.
Displaying broadband connection information
Interface: Interface name.
Session Type, Network-Side Connection State, IP Address/Mask, DNS Server.
Outgoing rate: Average rate in the outgoing direction on the interface in the recent 300 seconds.
Incoming rate: Average rate in the incoming direction on the interface in the recent 300 seconds.
Work Mode.
Displaying 3G wireless card state
3G modem information fields: 3G Modem State, Model, Manufacturer, CMII ID, Serial Number,
Hardware Version, Firmware Version, PRL Version.
UIM card information fields:
UIM card state: State of the UIM card, which can be:
Absent.
Being initialized.
Fault.
Destructed.
Personal identification number (PIN) code protection is disabled.
PIN code protection is enabled. Enter the PIN code for authentication.
PIN code protection is enabled, and the PIN code has passed authentication.
The PIN code has been blocked. Enter the PIN unlocking key (PUK) code to unblock it. Obtain the
PUK from the carrier rather than guessing it: repeated wrong PUK entries permanently disable the
card.
IMSI, Voltage.
3G network information fields:
Mobile Network.
Network Type: one of No Service, CDMA, HDR, CDMA/HDR HYBRID, or Unknown.
RSSI.
Displaying LAN information
Interface: Interface name.
Link State, Work Mode.
Displaying service information
Fields: Service, Status, Description.
Displaying recent system logs
Fields: Time, Level, Description.
Managing integrated services
Properly set the URL address of the card, and then connect the card to the LAN to which the
administrator belongs. On the page shown in Figure 16, click the Manage button; a page linked to
the specified URL address pops up, and you can then log in to the Web interface of the card to
manage it.
Ethernet interface
Figure 19 Setting Ethernet interface parameters
Items for the Auto connection mode (the interface obtains an IP address automatically):
WAN Interface: The interface being configured.
MAC Address: Specify the MAC address of the Ethernet interface in either of two ways:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which
is displayed in the brackets.
Use the customized MAC address: Assign the MAC address entered in the field to the Ethernet
interface.
Items for the Manual connection mode:
WAN Interface, TCP-MSS, MTU, IP Address, Subnet Mask, Gateway Address.
DNS1, DNS2: Specify DNS server IP addresses for the interface. DNS server 1 is used before DNS
server 2. To configure the global DNS server, select Advanced > DNS Setup > DNS Configuration.
The global DNS server has priority over the DNS servers of the interfaces: the DNS query is sent to
the global DNS server first, and if that query fails, it is sent to the DNS servers of the interfaces one
by one until the query succeeds.
MAC Address: As described for the Auto mode.
Items for the PPPoE connection mode:
WAN Interface.
User Name, Password, New Password: In PPPoE mode, the username and password are provided by
the local Internet Service Provider (ISP). When the device connects to the ISP server, the ISP server
initiates PPPoE authentication. When the device passes the authentication, the ISP server sends the
IP address, subnet mask, gateway IP address, and DNS server IP addresses to the device.
User Name: Enter the username for identity authentication.
Password: Displays whether a password has been specified for identity authentication. An empty
field indicates that no password is configured.
New Password: Enter a new password for identity authentication.
TCP-MSS, MTU.
Idle Timeout: When Online according to the Idle Timeout value is selected, the device disconnects
from the server if no data exchange occurs between it and the server within the specified time, and
automatically re-establishes the connection upon receiving a request for accessing the Internet from
the LAN. Specify an idle timeout value.
MAC Address: As described for the Auto mode.
SA interface
Figure 20 Setting SA parameters
Items: WAN Interface, User Name, Password, New Password, TCP-MSS, MTU, IP Address, Subnet
Mask.
ADSL/G.SHDSL interface
Figure 21 Setting ADSL/G.SHDSL parameters
Items for the IP-based encapsulation modes (IPoA, IPoEoA): WAN Interface, PVC, TCP-MSS, MTU, IP
Address, Subnet Mask, and, for IPoA only, Map IP.
Items for the PPP-based encapsulation modes (PPPoA, PPPoEoA): WAN Interface, PVC, User Name,
Password, New Password, TCP-MSS, MTU.
Idle Timeout: When Online according to the Idle Timeout value is selected, the device disconnects
from the server if no data exchange occurs between it and the server within the specified time, and
automatically re-establishes the connection upon receiving a request for accessing the Internet from
the LAN. Specify an idle timeout value.
CE1/PRI interface
The CE1/PRI interface operates in two modes: E1 mode and CE1 mode.
1. In E1 mode
Items: WAN Interface; Work Mode: E1; User Name; Password; New Password; TCP-MSS; MTU.
2. In CE1 mode
Items: WAN Interface; Operation (Create: binds timeslots; Remove: unbinds timeslots); Serial;
Timeslot-List; User Name; Password; New Password; TCP-MSS; MTU.
CT1/PRI interface
Figure 24 Setting CT1/PRI parameters
Items: WAN Interface; Work Mode: T1; Operation (Create: binds timeslots; Remove: unbinds
timeslots); Serial; Timeslot-List; User Name; Password; New Password; TCP-MSS; MTU.
Cellular interface
Figure 25 Setting Cellular parameters
Items: WAN Interface, User Name, Password, New Password, TCP-MSS, MTU, Dialer Number.
Idle Timeout: When Online according to the Idle Timeout value is selected, the device disconnects
from the server if no data exchange occurs between it and the server within the specified time, and
automatically re-establishes the connection upon receiving a request for accessing the Internet from
the LAN. Specify an idle timeout value.
Setting LAN interface parameters
VLAN Interface: Displays the ID of the VLAN interface to be configured.
IMPORTANT: By default, the VLAN interface on the device that has the smallest number is displayed.
If no VLAN interface is available on the device, the system automatically creates an interface
numbered 1 and displays it.
IP Address, Subnet Mask: Specify the IP address and subnet mask for the VLAN interface.
DHCP Server: Select whether to enable the DHCP server. If you enable the DHCP server, the
configuration items of the DHCP server are displayed.
Start IP Address, End IP Address: Specify the IP address range for dynamic allocation in an extended
address pool.
IMPORTANT: If the extended address pool is configured on an interface, when a DHCP client's request
arrives at the interface, the server assigns an IP address from this extended address pool only. The
client cannot obtain an IP address if no IP address is available in the extended address pool. Size
the range for the number of clients expected on the VLAN; an exhausted pool denies addresses to
every new client.
Gateway IP Address: Specify a gateway IP address in the DHCP address pool for DHCP clients. When
accessing a server or host that is not in its network segment, a DHCP client needs the gateway to
forward data for it. When you specify a gateway IP address in the address pool, the DHCP server
sends the gateway IP address along with the IP address to a requesting client.
DNS Server 1, DNS Server 2: Specify DNS server IP addresses in the DHCP address pool for DHCP
clients. DNS server 1 is used before DNS server 2. To allow DHCP clients to access the Internet
through domain names, the DHCP server needs to send a DNS server IP address along with the IP
address to clients.
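The extended-pool behaviour described in the IMPORTANT note, as an added Python example that is not code from the H3C guide or the device. It models a pool bound to a VLAN interface: every client arriving on that interface is served only from the pool, the gateway address is never handed out, a client that renews keeps its address, and once the range is exhausted a new client gets nothing. The pool and gateway are also checked against the interface subnet so that what is offered is reachable. Class and field names are assumptions chosen for the illustration; the addresses are constructed.

```python
"""DHCP extended address pool on a VLAN interface (added example, not device code)."""
import ipaddress


class ExtendedPool:
    """One extended address pool bound to one interface."""

    def __init__(self, interface_ip, mask, start, end, gateway, dns1, dns2=None):
        self.network = ipaddress.IPv4Interface(f"{interface_ip}/{mask}").network
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.dns = [ipaddress.IPv4Address(d) for d in (dns1, dns2) if d]
        if self.start > self.end:
            raise ValueError("start address is above end address")
        for addr in (self.start, self.end, self.gateway):
            if addr not in self.network:          # unreachable offers are a misconfiguration
                raise ValueError(f"{addr} is outside the interface subnet {self.network}")
        self.leases = {}                          # client MAC -> IPv4Address

    def free_addresses(self):
        """Addresses in the range that are neither leased nor the gateway, lowest first."""
        used = set(self.leases.values())
        cur = self.start
        while cur <= self.end:
            if cur != self.gateway and cur not in used:
                yield cur
            cur += 1

    def request(self, mac):
        """Serve a client request from this pool only.

        Returns the offer (address plus the gateway and DNS options the server
        sends with it), or None when the extended pool is exhausted.
        """
        if mac in self.leases:
            addr = self.leases[mac]               # renewal keeps the same address
        else:
            addr = next(self.free_addresses(), None)
            if addr is None:
                return None                       # pool exhausted: client gets no address
            self.leases[mac] = addr
        return {
            "ip": str(addr),
            "mask": str(self.network.netmask),
            "gateway": str(self.gateway),
            "dns": [str(d) for d in self.dns],
        }

    def release(self, mac):
        """Return a client's address to the pool (lease expiry or DHCP release)."""
        self.leases.pop(mac, None)


if __name__ == "__main__":
    pool = ExtendedPool("192.168.1.1", "255.255.255.0",
                        "192.168.1.1", "192.168.1.3", "192.168.1.1", "192.168.1.1")
    for mac in ("00-1a", "00-1b", "00-1c"):       # third client finds the pool exhausted
        print(mac, pool.request(mac))
```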
Setting WLAN interface parameters
WLAN Setting items:
Network Name (SSID), Network Hide, Radio Unit.
Enable Encrypt: With data encryption enabled, data transmission between the wireless client and the
wireless device can be secured.
Encrypt Act, Key Mode: When you select WEP40, the key is a 5-character string or a 10-digit
hexadecimal number. When you select WEP104, the key is a 13-character string or a 26-digit
hexadecimal number.
Key Seed: You can either use a key seed to generate keys or enter keys manually. Then choose one of
the configured keys.
Key 1 to Key 4: When you select WEP40 and ASCII, the generated or entered key is a 5-character
string. When you select WEP40 and HEX, the generated or entered key is a 10-digit hexadecimal
number. When you select WEP104 and ASCII, the generated or entered key is a 13-character string.
When you select WEP104 and HEX, the generated or entered key is a 26-digit hexadecimal number.
WEP is cryptographically broken at either key length: the key can be recovered from passively
captured traffic in minutes, and a short or guessable key seed makes the derived keys guessable as
well. Use this wizard setting only for legacy clients that support nothing else; otherwise configure a
crypto type wireless service with PSK or 802.1X authentication (see "Configuring crypto type wireless
service").
Configuring WAN interfaces
Configuring an Ethernet interface or subinterface
Overview
An Ethernet WAN interface uses one of the following connection modes:
Auto: The interface obtains an IP address automatically.
Manual: The IP address and subnet mask are configured manually for the interface.
PPPoE: The interface acts as a PPPoE client. PPPoE provides access to the Internet for hosts in an
Ethernet through remote access devices. It also implements access control and accounting on a
per-host basis. Because it is cost-effective, PPPoE is popular in various applications, such as
residential networks.
Configuring an Ethernet interface
Select Interface Setup > WAN Interface Setup from the navigation tree, and click the modify icon for
an Ethernet interface to enter the page for configuring the Ethernet interface.
Items common to all connection modes:
WAN Interface: The interface being configured.
Interface Status: Not connected indicates that the current interface is up but not connected; click
Disable to shut down the interface.
MAC Address: Set the MAC address of the Ethernet interface using one of these options:
Use the MAC address of the device: Use the default MAC address of the Ethernet interface, which is
displayed in the brackets.
Use the customized MAC address: Manually set the MAC address of the Ethernet interface. When you
select this option, you must enter a MAC address in the field below.
Auto mode: Select Auto as the connection mode. The interface obtains an IP address automatically.
Manual mode: Select Manual as the connection mode. In this mode, you must manually assign an IP
address and subnet mask to the interface. Items: TCP-MSS, MTU, IP Address, IP Mask, Gateway IP
Address, DNS1, DNS2.
DNS1, DNS2: Assign the IP addresses of the DNS servers. DNS1 has a higher precedence than DNS2.
To configure a global DNS server, select Advanced > DNS Setup > DNS Configuration from the
navigation tree. The global DNS server has a higher precedence than all the DNS servers configured
on the interfaces: an interface first sends a query to the global DNS server and, if it receives no
response, sends queries to the DNS servers configured on the interfaces one by one.
PPPoE mode: Items: User Name; Password (displays whether a password is configured for
authentication; null means no password is configured); New Password; TCP-MSS; MTU; MAC
Address.
Configuring an SA interface
SA interface overview
The synchronous/asynchronous serial (SA) interface supports PPP as its link layer protocol.
PPP is a link layer protocol that carries packets over point-to-point links. It is widely used because
it provides user authentication, is easy to extend, and supports both synchronous and asynchronous
communication.
PPP is a family of protocols that includes the Link Control Protocol (LCP), the Network Control
Protocols (NCPs), and authentication protocols such as PAP and CHAP. Among these protocols:
The LCP establishes, tears down, and monitors the data link.
The NCPs negotiate the network layer protocol (for example, IP) carried over the link and its parameters.
Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for the SA interface you want to configure to enter the SA interface
configuration page.
Description
WAN Interface
Not connected: the interface is up but not connected. Click
Disable to shut down the interface.
New Password
TCP-MSS
MTU
IP Address
IP Mask
IPoA
IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data
link layer over which IP hosts on the same network communicate, and IP packets must be adapted
(segmented into ATM cells) to traverse the ATM network.
IPoA makes full use of the advantages of ATM, including high-speed point-to-point connections, which
improve the bandwidth performance of an IP network, and mature QoS services.
IPoEoA
IPoEoA adopts a three-layer architecture: IP at the top, Ethernet (IPoE) in the middle, and ATM
(IPoEoA) at the bottom.
IPoEoA is suitable where Ethernet packets are to be forwarded through an ATM interface. For example,
it applies when a network device forwards traffic from an Ethernet across an ATM PVC to a network access
server.
PPPoA
PPPoA enables ATM to carry PPP protocol packets. With PPPoA, PPP packets, in which IP packets or other
protocols' packets can be encapsulated, are encapsulated in ATM cells. In this case, ATM can be simply
viewed as the carrier of PPP packets. As the communication process of PPPoA is managed by PPP, PPPoA
inherits the flexibility and comprehensive applications of PPP.
PPPoEoA
PPPoEoA enables ATM to carry PPPoE packets. With PPPoEoA, Ethernet frames are
encapsulated in ATM cells, so a PVC can provide all the functions of an Ethernet link. To
allow ATM to carry Ethernet frames, the interface management module provides the VE interface. The VE
interface has Ethernet characteristics and can be created dynamically through configuration commands.
The VE interface uses the following protocol stack:
Protocols the same as those for a common Ethernet interface at the network layer and upper layers
Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for the ADSL/G.SHDSL interface you want to configure to enter
the ADSL/G.SHDSL interface configuration page, as shown in Figure 32.
Description
WAN Interface
PVC
TCP-MSS
MTU
IP Address
IP Mask
Map IP
Description
WAN Interface
Item
Description
Display and set the interface status:
PVC
TCP-MSS
MTU
IP Address
IP Mask
Description
WAN Interface
PVC
User Name
Password
New Password
TCP-MSS
MTU
Description
WAN Interface
Item
Description
Display and set the interface status:
PVC
User Name
Password
New Password
TCP-MSS
MTU
Idle timeout
If you select Online according to the Idle Timeout value, you must set the Idle
timeout value.
A CE1/PRI interface in E1 mode is a single interface with 2048 kbps of data bandwidth, on which no
timeslots are divided. Its logical features are the same as those of a synchronous serial interface. It
supports link layer protocols such as PPP, FR, LAPB and X.25 and network protocols such as IP and
IPX.
A CE1/PRI interface in CE1 mode is physically divided into 32 timeslots numbered 0 to 31. Among
them, timeslot 0 carries synchronization information. All the timeslots except timeslot
0 can be bundled arbitrarily into multiple channel sets, and each set can be used as a separate interface
after timeslot bundling. Its logical features are the same as those of a synchronous serial interface.
It supports link layer protocols such as PPP, HDLC, FR, LAPB and X.25, and network protocols such
as IP.
Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for the CE1/PRI interface you want to configure to enter the
CE1/PRI interface configuration page, which varies with the operating mode of the CE1/PRI interface.
Description
WAN Interface
User Name
Password
New Password
TCP-MSS
MTU
Description
WAN Interface
Not connected: the interface is up but not connected. Click
Disable to shut down the interface.
Operation
Serial
Timeslot-List
User Name
Password
New Password
Item
Description
TCP-MSS
MTU
Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for a CT1/PRI interface. The page for configuring the interface
appears.
Figure 35 Configuring a CT1/PRI interface
Description
WAN Interface
Not connected: the interface is up but not connected. Click
Disable to shut down the interface.
Operation
Serial
Timeslot-List
User Name
Password
New Password
TCP-MSS
MTU
Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for a cellular interface. The page for configuring the cellular
interface appears.
Description
WAN Interface
Not connected: the interface is up but not connected. Click
Disable to shut down the interface.
User Name
Password
New Password
TCP-MSS
MTU
Dialer Number
Item
Description
Set the idle timeout time for a connection:
Idle Timeout
If you select Online according to the Idle Timeout value, you must set the Idle timeout
value.
Configuring VLANs
You can configure the following port-based VLAN and VLAN interface functions through the Web
interface:
Overview
Ethernet is a network technology based on the CSMA/CD mechanism. Because the medium is shared,
collisions and excessive broadcasts are common on Ethernet networks. To address this, virtual LAN
(VLAN) technology was introduced to partition a LAN into separate VLANs. VLANs are isolated from each other
at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it.
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3
forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for
Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For
each VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at
the network layer.
For more information about VLANs and VLAN interfaces, see H3C MSR Series Routers (V5) Layer 2 - LAN
Switching Configuration Guide.
Port-based VLAN configuration task list (table flattened by extraction):
1. Required.
2. Required.
VLAN interface configuration task list:
1. Creating a VLAN and its VLAN interface. Required.
2. Optional.
Description
VLAN IDs
Enter the ID of the VLAN (or VLAN interface) to be created or removed. You can
create or remove multiple VLANs at a time.
Item
Description
Description
VLAN ID
Select the ID of the VLAN that you want to assign ports to or remove ports from.
Port list
Add
Remove
Description
VLAN ID
IP Address
Subnet Mask
Item
Description
MAC Address
Set the MAC address of the VLAN interface:
Use the MAC address of the device: use the default MAC address of the VLAN
interface.
Use the customized MAC address: manually set the MAC address of the VLAN
interface. When you select this option, you must enter a MAC address in the text
box below.
Select whether the VLAN interface operates in DHCP server mode.
DHCP Server
If you select to enable DHCP server on the interface, you can continue to configure
related DHCP server parameters.
Set an extended DHCP address pool used for dynamic IP address allocation. The IP
address range is defined by a start IP address and an end IP address.
Start IP Address
End IP Address
If an extended address pool is configured on the port that receives the DHCP request
packet, the server allocates an IP address in the extended address pool to the client,
regardless of whether a common address pool (static binding or dynamic allocation)
is also configured on the port. If no IP address is available in the pool, the server will
not be able to allocate an IP address to the client.
Set the gateway IP address allocated to the DHCP clients from the DHCP address
pool.
Gateway IP Address
DNS Server 1
DNS Server 2
When DHCP clients access servers or hosts on other network segments, their data
needs to be forwarded through the gateway. After specifying a gateway IP address,
the server sends the gateway IP address to the clients along with the IP addresses
allocated to them.
Specify the IP address of the DNS server that the DHCP server hands to DHCP
clients on the local network segment. DNS Server 1 has a higher preference than DNS
Server 2.
For DHCP clients to reach hosts on the Internet by domain name, the DHCP
server must supply the local DNS server's IP address when it assigns IP addresses
to these clients.
Set the IP addresses that are not to be automatically assigned in the DHCP address
pool.
Reserved IP Address
Do not let an IP address that is already in use (the gateway IP address or an FTP server
IP address, for example) be assigned to another client. Otherwise, an IP address conflict will occur,
so reserve such addresses explicitly. An IP address configured in a static binding and marked as not
to be auto-assigned can still be assigned to the client in that static binding.
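The allocation rules described above (reserved addresses are skipped, a static binding still receives its address even when it is reserved, and the pool simply runs out when nothing is free) are easy to get wrong when implemented by hand. The following is an added example, not code from the router or from H3C, that models those rules for a single extended pool as the VLAN interface form describes it. The static-binding table, the MAC address keys and the warning checks are assumptions made for the example; the address and DNS values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpPool:
    """Address pool as configured on the VLAN interface page (values constructed by the caller)."""
    start: str                                  # Start IP Address
    end: str                                    # End IP Address
    gateway: str                                # Gateway IP Address sent to clients
    dns: tuple                                  # (DNS Server 1, DNS Server 2), in preference order
    reserved: set = field(default_factory=set)  # Reserved IP Address: never auto-assigned
    static: dict = field(default_factory=dict)  # assumed static bindings: client MAC -> IP

    def addresses(self):
        lo = int(ipaddress.IPv4Address(self.start))
        hi = int(ipaddress.IPv4Address(self.end))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

    def warnings(self):
        """Checks the guidelines imply but the form does not enforce (assumed, not a device feature)."""
        out = []
        if self.gateway in self.addresses() and self.gateway not in self.reserved:
            out.append(f"gateway {self.gateway} lies inside the pool but is not reserved")
        for mac, ip in self.static.items():
            if ip not in self.addresses():
                out.append(f"static binding {mac} -> {ip} is outside the pool")
        return out


class DhcpServer:
    def __init__(self, pool):
        self.pool = pool
        self.leases = {}  # client MAC -> assigned IP

    def allocate(self, mac):
        """Return the offer (ip, gateway, dns) for a client, or None when the pool is exhausted."""
        p = self.pool
        if mac in self.leases:
            ip = self.leases[mac]                      # renewing client keeps its address
        elif mac in p.static:
            ip = p.static[mac]                         # a static binding wins even if reserved
        else:
            # Reserved addresses, addresses promised to other clients by static binding,
            # and addresses already leased are never handed out dynamically.
            blocked = p.reserved | set(p.static.values()) | set(self.leases.values())
            free = [ip for ip in p.addresses() if ip not in blocked]
            if not free:
                return None                            # no address available: no offer
            ip = free[0]
        self.leases[mac] = ip
        return {"ip": ip, "gateway": p.gateway, "dns": list(p.dns)}


if __name__ == "__main__":
    pool = DhcpPool("192.168.2.1", "192.168.2.6", "192.168.2.1", ("10.0.0.53", "10.0.0.54"),
                    reserved={"192.168.2.1", "192.168.2.3"},
                    static={"00-14-6c-8a-43-ff": "192.168.2.3"})
    print(pool.warnings())
    srv = DhcpServer(pool)
    for mac in ("00-40-96-b3-8a-77", "00-14-6c-8a-43-ff", "aa-aa", "bb-bb", "cc-cc", "dd-dd"):
        print(mac, srv.allocate(mac))
```

The gateway is deliberately not excluded automatically, mirroring the page: the operator must reserve it, and `warnings()` flags the case where that was forgotten.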
Configuration guidelines
When you configure VLANs, follow these guidelines:
VLAN 1 is the default VLAN, which can neither be created nor removed manually.
Some VLANs are reserved for special purposes. You can neither create nor remove them manually.
You cannot directly remove protocol-reserved VLANs, voice VLANs, management VLANs, or
dynamically learned VLANs. To remove them, you must remove relevant configurations first.
Client mode
Displaying radio
After these configurations, you can build an integrated, stable, secure, effective wireless network.
Overview
Wireless Local Area Network (WLAN) is popular nowadays. Compared with wired LANs, WLANs are
easier and cheaper to implement because only one or several access points (APs) can provide wireless
access for an entire building or area. A WLAN does not necessarily mean that everything is wireless. The
servers and backbones still reside on wired networks. WLANs mainly provide the following services:
Wireless access and mobility to free users from the restrictions of wires and cables.
Remarks
Required.
Client mode
Task
Remarks
Optional.
Description
Radio Unit
Radio ID, 1 or 2.
Mode
Description
Wireless Service
VLAN (Untagged)
Default VLAN
Delete VLAN
By default, the default VLAN of all ports is VLAN 1. After you set
a new default VLAN, packets of that VLAN are sent untagged.
Remove the IDs of the VLANs whose packets are to be sent
untagged or tagged.
IMPORTANT:
Description
Maximum number of clients of an SSID to be associated with the same
radio of the AP.
IMPORTANT:
When the number of clients of an SSID to be associated with the same radio
of the AP reaches the maximum, the SSID is automatically hidden.
Web interface management right of online clients.
Management Right
clients.
Description
Authentication
Type
Item
Description
mac-authentication: Performs MAC address authentication on users.
mac-else-userlogin-secure: This mode combines the mac-authentication and
userlogin-secure modes, with MAC authentication having a higher priority. Upon
receiving a non-802.1X frame, a port in this mode performs only MAC authentication;
upon receiving an 802.1X frame, the port performs MAC authentication and then, if
MAC authentication fails, 802.1X authentication.
mac-else-userlogin-secure-ext: Same as the mac-else-userlogin-secure mode, except that it
supports multiple 802.1X and MAC authentication users on the port.
userlogin-secure: Performs port-based 802.1X authentication. In this mode,
multiple 802.1X authenticated users can access the port, but only one user can be online.
userlogin-secure-or-mac: The authentication mode before Or and that after Or have the same priority. The device
determines the authentication mode according to the protocol type of the packets to be
authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
Max User
1.
Maximum number of users that can be connected to the network through a specific port.
Description
Port Mode
Max User
Control the maximum number of users allowed to access the network through the port.
MAC Authentication
Domain
The selected domain name applies to only the current wireless service, and all
clients accessing the wireless service use this domain for authentication,
authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the wireless
service will be logged out.
2.
Configure userlogin-secure/userlogin-secure-ext:
Description
Port Mode
userlogin-secure: Perform port-based 802.1X authentication for access
users. In this mode, multiple 802.1X authenticated users can access the
port, but only one user can be online.
Max User
Control the maximum number of users allowed to access the network through
the port.
Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication >
AAA from the navigation tree, click the Domain Setup tab, and type a new
domain name in the Domain Name combo box.
Mandatory Domain
The selected domain name applies to only the current wireless service,
and all clients accessing the wireless service use this domain for
authentication, authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the
wireless service will be logged out.
Authentication Method
names rather than passwords over the network. Therefore this method is
safer.
Item
Description
EnableEnable the multicast trigger function of 802.1X to send multicast
trigger messages to the clients periodically for initiating authentication. By
default, the multicast trigger function is enabled.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can
discover users and trigger authentication. Therefore, the ports do not need to
send 802.1X multicast trigger messages periodically for initiating
authentication. H3C recommends that you disable the multicast trigger function
in a WLAN because the multicast trigger messages consume bandwidth.
3.
Figure 46 Configuring port security for the other four security modes (mac-else-userlogin-secure is
taken for example)
Description
mac-else-userlogin-secure: This mode combines the
mac-authentication and userlogin-secure modes, with MAC authentication
having a higher priority. Upon receiving a non-802.1X frame, a port in this mode
performs only MAC authentication. Upon receiving an 802.1X frame, the port
performs MAC authentication and then, if MAC authentication fails, 802.1X
authentication.
Max User
Mandatory Domain
Control the maximum number of users allowed to access the network through the
port.
Select an existing domain from the list. After a mandatory domain is configured, all
802.1X users accessing the port are forced to use the mandatory domain for
authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from
the navigation tree, click the Domain Setup tab, and type a new domain name in the
Domain Name field.
Authentication Method
user information in the EAP attributes of RADIUS packets and sends the packets
to the RADIUS server for authentication. It does not need to repackage the EAP
packets into standard RADIUS packets for authentication.
IMPORTANT:
For a WLAN, the clients can actively initiate authentication, or the AP can discover
users and trigger authentication. Therefore, the ports do not need to send 802.1X
multicast trigger messages periodically for initiating authentication. H3C
recommends that you disable the multicast trigger function in a WLAN because the
multicast trigger messages consume bandwidth.
MAC Authentication
Item
Description
Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from
the navigation tree, click the Domain Setup tab, and type a new domain name in the
Domain Name field.
Domain
The selected domain name applies to only the current wireless service, and all
clients accessing the wireless service use this domain for authentication,
authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the
wireless service are logged out.
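The port security modes described in the two mode tables above (mac-authentication, mac-else-userlogin-secure and its -ext variant, userlogin-secure, userlogin-secure-or-mac, psk and mac-and-psk) differ only in which checks run, in what order, and what triggers the fallback. The following is an added example, not code from the router or from H3C, that encodes that decision logic together with the Max User limit. The outcome of each real check (RADIUS MAC authentication, 802.1X, the PSK handshake) is passed in as a constructed verdict so the example runs offline; the `Port` class and its method names are assumptions made for the example.

```python
from enum import Enum


class PortMode(str, Enum):
    MAC = "mac-authentication"
    DOT1X = "userlogin-secure"
    DOT1X_EXT = "userlogin-secure-ext"
    MAC_ELSE_DOT1X = "mac-else-userlogin-secure"
    MAC_ELSE_DOT1X_EXT = "mac-else-userlogin-secure-ext"
    DOT1X_OR_MAC = "userlogin-secure-or-mac"
    DOT1X_OR_MAC_EXT = "userlogin-secure-or-mac-ext"
    PSK = "psk"
    MAC_AND_PSK = "mac-and-psk"


class Port:
    def __init__(self, mode, max_user):
        self.mode = PortMode(mode)
        self.max_user = max_user      # Max User item on the page
        self.online = set()           # clients currently online through this port

    def admit(self, client, is_eapol, verdicts):
        """Decide whether a client is allowed on the port.

        is_eapol: True when the frame that triggered authentication is an 802.1X (EAPOL) frame.
        verdicts: constructed outcome of each real check, e.g. {"mac": False, "dot1x": True};
                  a method missing from the dict counts as failed.
        Returns (allowed, trace); trace lists the methods that actually ran, in order.
        """
        trace = []

        def run(method):
            ok = bool(verdicts.get(method, False))
            trace.append((method, ok))
            return ok

        if client not in self.online and len(self.online) >= self.max_user:
            return False, [("max-user", False)]

        m = self.mode
        if m is PortMode.MAC:
            ok = run("mac")
        elif m in (PortMode.DOT1X, PortMode.DOT1X_EXT):
            ok = run("dot1x") if is_eapol else False          # non-EAPOL frames never authenticate
        elif m in (PortMode.MAC_ELSE_DOT1X, PortMode.MAC_ELSE_DOT1X_EXT):
            # MAC authentication first; 802.1X only as a fallback, and only for EAPOL frames.
            ok = run("mac") or (is_eapol and run("dot1x"))
        elif m in (PortMode.DOT1X_OR_MAC, PortMode.DOT1X_OR_MAC_EXT):
            # Equal priority: the frame's protocol type selects the single method that runs.
            ok = run("dot1x") if is_eapol else run("mac")
        elif m is PortMode.PSK:
            ok = run("psk")
        else:  # MAC_AND_PSK: MAC authentication must succeed before the PSK negotiation starts
            ok = run("mac") and run("psk")

        if ok:
            self.online.add(client)
        return ok, trace


if __name__ == "__main__":
    port = Port("mac-else-userlogin-secure", max_user=2)
    print(port.admit("client-1", True, {"mac": False, "dot1x": True}))
    print(port.admit("client-2", False, {"mac": False, "dot1x": True}))
```

The trace is what you would compare against the device's authentication logs when a client is rejected unexpectedly: in mac-else mode a client that only speaks MAC authentication never reaches 802.1X, whereas in or-mac mode the frame type alone decides.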
See Table 41 for the configuration items of basic configuration of crypto type wireless service.
Description
Maximum number of clients of an SSID to be associated with the same radio of
the AP.
IMPORTANT:
When the number of clients of an SSID to be associated with the same radio of the
AP reaches the maximum, the SSID is automatically hidden.
TKIP CM Time
The message integrity check (MIC) uses the Michael algorithm to detect tampering
with TKIP frames. Michael is a lightweight integrity code rather than a strong MAC,
so TKIP pairs it with a countermeasure policy: MIC failures indicate that data may
have been tampered with and that the system may be under attack. With the
countermeasure policy enabled, if repeated MIC failures occur within the specified
time (IEEE 802.11i triggers on the second failure within 60 seconds), TKIP
disassociates all connected wireless clients and allows no new associations for the
TKIP countermeasure time. TKIP is deprecated; use CCMP wherever the clients support it.
Web interface management right of online clients:
Management Right
By default, the GTK rekeying method is time-based, and the interval is 86400
seconds.
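The countermeasure behaviour described under TKIP CM Time above is a small state machine: count MIC failures within a window, and on the trigger disassociate every client and refuse new associations until the countermeasure time expires. The following is an added example, not code from the router or from H3C, that models it. The window and threshold defaults are taken from IEEE 802.11i; whether the router counts failures exactly this way is an assumption, so both are parameters. Timestamps are plain seconds supplied by the caller so the example runs offline.

```python
class TkipCountermeasures:
    """Track Michael MIC failures and apply TKIP countermeasures.

    Defaults follow IEEE 802.11i: a second MIC failure within 60 s triggers
    countermeasures, which disassociate every client and block new associations
    for cm_time seconds (the page's "TKIP CM Time").
    """

    def __init__(self, cm_time=60, window=60, threshold=2):
        self.cm_time = cm_time
        self.window = window
        self.threshold = threshold
        self.failures = []          # timestamps of recent MIC failures
        self.clients = set()        # currently associated clients
        self.blocked_until = None   # end of the current countermeasure period, if any

    def in_countermeasures(self, now):
        return self.blocked_until is not None and now < self.blocked_until

    def associate(self, client, now):
        """Admit a client unless a countermeasure period is running."""
        if self.in_countermeasures(now):
            return False
        self.clients.add(client)
        return True

    def mic_failure(self, now):
        """Record a MIC failure; return True if countermeasures were triggered by it."""
        # Keep only failures that are still inside the detection window.
        self.failures = [t for t in self.failures if now - t < self.window]
        self.failures.append(now)
        if len(self.failures) < self.threshold:
            return False
        self.clients.clear()                   # disassociate all connected clients
        self.blocked_until = now + self.cm_time
        self.failures = []                     # counting starts afresh after the period
        return True


if __name__ == "__main__":
    cm = TkipCountermeasures(cm_time=60)
    cm.associate("0014-6c8a-43ff", now=0)
    print(cm.mic_failure(now=10), cm.mic_failure(now=30), sorted(cm.clients))
    print(cm.associate("0040-96b3-8a77", now=50), cm.associate("0040-96b3-8a77", now=95))
```

Because a single forged frame with a bad MIC is enough to start the count, a nearby attacker can use this mechanism to knock every client off a TKIP network; that denial of service is a second reason to prefer CCMP over TKIP.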
Item
Description
Description
Link authentication method, which can be:
Shared-Key: both parties must have the same shared key configured for this
authentication mode. You can select this option only when WEP encryption is
used. Shared-key authentication exposes a WEP keystream to anyone who captures the
challenge and response, and WEP itself is broken, so use it only for legacy clients that support nothing else.
CCMP and TKIP: you can select both CCMP and TKIP encryption.
Wireless service type (IE information carried in the beacon or probe response frame):
Security IE
Item
Description
WEP
Key ID
1: key index 1.
2: key index 2.
3: key index 3.
4: key index 4.
WEP has 4 static keys, so the key index can be 1, 2, 3 or 4. The key corresponding
to the specified key index is used for encrypting and decrypting broadcast and
multicast frames.
Key length.
Key Length
WEP Key
MAC-based authentication succeeds, an access user has to use the pre-configured PSK
to negotiate with the device. Access to the port is allowed only after the negotiation
succeeds.
pskAn access user must use the pre-shared key (PSK) that is pre-configured to
negotiate with the device. The access to the port is allowed only after the negotiation
succeeds.
Description
Port Mode
mac and psk: MAC-based authentication must be performed on access users first.
If MAC-based authentication succeeds, an access user has to use the
pre-configured PSK to negotiate with the device. Access to the port is allowed
only after the negotiation succeeds.
Max User
Control the maximum number of users allowed to access the network through the
port.
MAC Authentication
Domain
The selected domain name applies to only the current wireless service, and all
clients accessing the wireless service use this domain for authentication,
authorization, and accounting.
Do not delete a domain name in use. Otherwise, the clients that access the
wireless service will be logged out.
2.
Configure psk:
Description
Port Mode
psk: An access user must use the pre-shared key (PSK) that is pre-configured
to negotiate with the device. The access to the port is allowed only after the
negotiation succeeds.
Max User
Control the maximum number of users allowed to access the network through
the port.
3.
Configure userlogin-secure-ext:
Perform the configurations as shown in Configure userlogin-secure/userlogin-secure-ext.
1.
Select Interface Setup > Wireless > Access Service from the navigation tree.
2.
Click the icon for the target wireless service to enter the page as shown in Figure 52.
3.
4.
Click Bind.
Table: port modes available for each combination of authentication mode, encryption type, Security IE and WEP settings (columns flattened by extraction; headings: Authentication mode, Encryption type, Security IE, WEP encryption/key ID, Port mode).
Clear type: authentication mode Open-System; encryption type, Security IE and WEP encryption unavailable; port modes mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext.
Crypto type (cell values in reading order; the row boundaries were lost in extraction): Selected; Required; Open-System; Unselected; Shared-Key; Unavailable; Selected; Unavailable; Unavailable; Required; Open-System and Shared-Key; Unselected; Unavailable; WEP encryption is available, the key ID can be 1, 2, 3 or 4; userlogin-secure-ext; WEP encryption is required, the key ID can be 1, 2, 3 or 4; WEP encryption is required, the key ID can be 1, 2, 3 or 4; psk; mac-authentication; mac-authentication; WEP encryption is required, the key ID can be 2, 3 or 4; userlogin-secure-ext; WEP encryption is required, the key ID can be 1, 2, 3 or 4; psk; mac-authentication.
Description
SSID
Authentication Method
SSID-hide
The detailed information about WLAN service (crypto type) is as shown in Figure 54. For the description
of the fields in the detailed information, see Table 53.
Description
SSID
Security IE
Authentication Method
SSID-hide
Cipher Suite
GTK Rekey
Displaying client
Displaying client detailed information
Select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab to enter
the Client page. Then click the Detail Information tab on the page, and click the name of the specified
client to view the detailed information of the client.
The detailed information about a client is as shown in Figure 57. For the description of the fields in the
client detailed information, see Table 55.
Description
Indicates that 0 < RSSI <= 20.
Indicates that 20 < RSSI <= 30.
Client RSSI
Description
MAC address
AID
User Name
Radio Interface
SSID
BSSID
Port
VLAN
Field
Description
State
Wireless Mode
QoS Mode
RSSI
SNR
Rx/Tx Rate
Client Type
Authentication Method
AKM Method
Encryption Cipher
Roam Status
Up Time
Time for which the client has been associated with the
device.
Description
Refresh
Add to Blacklist
Add the selected client to the static blacklist, which you can
display by selecting Security > Filter from the navigation
tree.
Reset Statistic
Disconnect
Description
AP Name
Radio Id
Radio ID.
SSID
BSSID
MAC Address
RSSI
Transmitted Frames
Background (Frames/Bytes)
Best Effort(Frames/Bytes)
Video(Frames/Bytes)
Voice(Frames/Bytes)
Received Frames
Discarded Frames
Description
No./MCS
Rate (Mbps)
TxCnt
RxCnt
Number of wireless ping frames that the radio interface received from the client.
RSSI
Received signal strength indication. This value indicates the client signal strength
detected by the AP.
Retries
RTT(ms)
The device provides a clear-type (unencrypted) wireless access service with SSID service1,
using 802.11g.
Figure: network diagram (Router, Client; SSID service1).
Configuration procedure
1.
Click Apply.
2.
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
wireless service, as shown in Figure 62:
Click Enable.
3.
Enable 802.11g radio. (By default, 802.11g radio is enabled, so this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page,
as shown in Figure 63. Make sure 802.11g radio is enabled.
Figure 63 Enabling 802.11g radio
Configuration guidelines
Follow these guidelines when you configure a wireless service:
Set up a wireless access service named research, and configure it to use PSK authentication.
Clients that access this wireless network are in VLAN 2.
Set up a wireless access service named office as a clear-type (unauthenticated, unencrypted) service.
Clients that access this wireless network are in VLAN 3.
Figure: network diagram. The router connects to the IP network; SSID research is in VLAN 2 with client 0040-96b3-8a77, and SSID office is in VLAN 3 with client 0014-6c8a-43ff.
Configuration procedure
1.
Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can perform the VLAN settings (before this operation, select Network > VLAN and create
VLAN 2 first).
Figure 65 Setting the VLANs
For PSK-related configuration, see "PSK authentication configuration example." You can strictly follow the
configuration example to configure the PSK configuration.
2.
Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can configure the VLANs (first select Network > VLAN from the navigation tree, and create
VLAN 3).
Figure 66 Setting the VLANs
Click Apply.
3.
Configuration procedure
1.
Click Apply.
2.
After you create a wireless service, you will enter the wireless service configuration page. You need to
perform security setup when configuring PSK authentication, as shown in Figure 69:
Figure 69 Configuring security settings
Select the Cipher Suite option, select CCMP and TKIP (select the encryption type as needed), and
then select WPA from the Security IE list.
Select the Port Set option, and select psk from the Port Mode list.
Select pass-phrase from the Preshared Key list, and type the pass-phrase 12345678. This value is only
an example: an 8-digit numeric pass-phrase can be recovered by an offline dictionary attack on a
captured WPA handshake, so use a long random pass-phrase in production.
Click Apply.
3.
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 70:
Click Enable.
4.
Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional. )
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make
sure 802.11g radio is enabled.
The same PSK pre-shared key is configured on the client. The client can successfully associate with
the device and can access the WLAN network.
If you select Interface Setup > Wireless > Access Service from the navigation tree, and then click the
Client tab, you can view the online clients.
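The pass-phrase entered in the PSK example above is turned into the pairwise master key (PMK) by PBKDF2-HMAC-SHA1 over the SSID, so anyone who captures a client's 4-way handshake can test candidate pass-phrases offline. The following is an added example, not code from the router or from H3C, that derives the PMK exactly as IEEE 802.11i specifies and then runs a small dictionary search against it. A real attack verifies each candidate against the handshake MIC; to keep this example offline, the target PMK is constructed from the same derivation, which is an assumption the lead-in makes explicit. The `passphrase_issues` and `guess_bits` checks are assumed policy helpers, not device features.

```python
import hashlib
import hmac
import math


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def recover_passphrase(target_pmk: bytes, ssid: str, candidates):
    """Offline dictionary attack: derive each candidate and compare with the target PMK."""
    for cand in candidates:
        if hmac.compare_digest(wpa_pmk(cand, ssid), target_pmk):
            return cand
    return None


def guess_bits(passphrase: str) -> float:
    """Rough keyspace estimate in bits: length * log2(size of the character classes used)."""
    alphabet = 0
    if any(c.isdigit() for c in passphrase):
        alphabet += 10
    if any(c.islower() for c in passphrase):
        alphabet += 26
    if any(c.isupper() for c in passphrase):
        alphabet += 26
    if any(not c.isalnum() for c in passphrase):
        alphabet += 33          # printable ASCII punctuation
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def passphrase_issues(passphrase: str):
    """Assumed policy: 802.11i length/charset rules plus a minimum size and no digit-only values."""
    issues = []
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        issues.append("must be 8 to 63 printable ASCII characters")
    if passphrase.isdigit():
        issues.append("digits only")
    if len(passphrase) < 16:
        issues.append("shorter than 16 characters")
    return issues


if __name__ == "__main__":
    ssid = "research"
    captured_pmk = wpa_pmk("12345678", ssid)       # constructed stand-in for a captured handshake
    wordlist = ["password", "letmein1", "12345678", "qwertyui"]   # constructed
    print("recovered:", recover_passphrase(captured_pmk, ssid, wordlist))
    print("keyspace bits for 12345678:", round(guess_bits("12345678"), 1))
    print("issues:", passphrase_issues("12345678"))
```

Eight digits give under 27 bits of keyspace; at the PBKDF2 rates of ordinary GPUs that is minutes of work, which is why the example's value must not be reused.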
Configuration procedure
1.
Click Apply.
2.
After you create a wireless service, you enter the wireless service configuration page. You must perform
security setup when configuring MAC authentication, as shown in Figure 73:
Figure 73 Configuring security settings
Select the Port Set option, and select mac-authentication from the Port Mode list.
Select the MAC Authentication option, and select system from the Domain list.
Click Apply.
3.
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 74:
Figure 74 Enabling the wireless service
Click Enable.
4.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click MAC
Authentication List to enter the page for configuring a MAC authentication list, as shown in Figure 75:
Figure 75 Adding a MAC authentication list
Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example. MAC
authentication identifies a client only by its MAC address, which any client can change, so do not
rely on it as the sole access control for a network that carries sensitive traffic.
Click Add.
5.
Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional. )
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
802.11g is enabled.
Configuration procedure
1.
Click Apply.
2.
Select the Port Set option, and select mac-authentication from the Port Mode list.
Select the MAC Authentication option, and select system from the Domain list.
Click Apply.
3.
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page as shown
in the following figure.
Figure 79 Enabling the wireless service
Click Enable.
4.
Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
802.11g is enabled.
5.
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to
illustrate the basic configuration of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select Access Service > Access Device from the navigation
tree to enter the access device configuration page. Click Add on the page to enter the configuration
page as shown in Figure 80:
Set Authentication Port to 1812 and Accounting Port to 1813.
Select or manually add the access device with the IP address 10.18.1.1.
# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page. Set the
service name as mac, and keep the default values for other parameters.
Figure 81 Adding service
# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 82.
6.
The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to
illustrate the basic configurations of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select User Access Manager > Access Device
Management > Access Device from the navigation tree to enter the access device configuration page.
Click Add on the page to enter the configuration page as shown in Figure 83:
Enter 12345678 as the Shared Key and keep the default values for the other parameters. The same key must be configured on the router; it authenticates RADIUS packets and hides User-Password attributes, so a production key should be long and random rather than this example value.
Select or manually add the access device with the IP address 10.18.1.1.
# Add service.
Select the Service tab, and then select User Access Manager > Service Configuration from the navigation
tree to enter the add service page. Then click Add on the page to enter the following configuration page.
Set the service name as mac, and keep the default values for other parameters.
Figure 84 Adding service
# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 85.
Configuration procedure
1.
Click Apply.
2.
After you create a wireless service, the wireless service configuration page appears. Then you can
configure 802.1X authentication on the Security Setup area, as shown in Figure 88:
Select the Cipher Suite option, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
Select the Port Set option, and select userlogin-secure-ext from the Port Mode list.
Click Apply.
3.
Select Interface Setup > Wireless > Access Service from the navigation tree.
Click Enable.
4.
Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
802.11g is enabled.
5.
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to
illustrate the basic configuration of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select Access Service > Access Device from the navigation
tree to enter the access device configuration page. Click Add on the page to enter the configuration
page as shown in Figure 89:
Set Authentication Port to 1812 and Accounting Port to 1813.
Select or manually add the access device with the IP address 10.18.1.1.
# Add a service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page.
Set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN.
# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page shown in Figure 91.
6.
The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to
illustrate the basic configurations of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select User Access Manager > Access Device
Management from the navigation tree to enter the access device configuration page. Click Add on the
page to enter the configuration page as shown in Figure 92:
Input 12345678 as the Shared Key. keep the default values for other parameters.
Select or manually add the access device with the IP address 10.18.1.1.
# Add service.
Select the Service tab, and then select User Access Manager > Service Configuration from the navigation
tree to enter the add service page. Then click Add on the page to enter the following configuration page.
Set the service name as dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN
as the Certificate Sub-Type.
Figure 93 Adding service
108
# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 94.
After you enter username user and password dot1x in the popup dialog box, the client can
associate with the device and access the WLAN.
You can view the online clients by selecting Interface Setup > Wireless > Summary from the
navigation tree, and then clicking the Client tab.
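What the router (the NAS at 10.18.1.1) and IMC (the RADIUS server on UDP port 1812) exchange once the access device and shared key above are configured, as an added Python example that is not code from this guide or from H3C or IMC: it builds an Access-Request carrying an EAP-Message, protects it with the Message-Authenticator attribute (HMAC-MD5 keyed with the shared key, RFC 3579), and checks both the Response Authenticator (RFC 2865) and the Message-Authenticator of the reply. The shared key 12345678, the NAS address and the username user come from the page; the EAP payloads, the packet identifier and the fixed Request Authenticator are constructed for the example, and nothing is sent on the network.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes (RFC 2865) and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def _attr(atype, value):
    """Encode one attribute as type(1) length(1, header included) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one TLV")
    return bytes([atype, len(value) + 2]) + value


def _find_attr(attrs, atype):
    """Return (offset of the value, value) of the first attribute of type atype, or None."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return None  # malformed TLV chain
        if t == atype:
            return i + 2, attrs[i + 2:i + length]
        i += length
    return None


def _message_authenticator(secret, code, identifier, length, authenticator, attrs):
    """Return (value carried in the packet, expected HMAC-MD5), or None if the attribute is absent.

    RFC 3579: HMAC-MD5 keyed with the shared secret over Code, Identifier, Length,
    the Request Authenticator and all attributes with Message-Authenticator zeroed.
    """
    found = _find_attr(attrs, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return None
    offset, carried = found
    zeroed = attrs[:offset] + bytes(16) + attrs[offset + 16:]
    header = struct.pack("!BBH", code, identifier, length)
    return carried, hmac.new(secret, header + authenticator + zeroed, hashlib.md5).digest()


def build_access_request(secret, identifier, username, nas_ip, eap_message, request_authenticator=None):
    """Access-Request as the NAS (the router at nas_ip) sends it to the RADIUS server."""
    ra = os.urandom(16) if request_authenticator is None else request_authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_EAP_MESSAGE, eap_message)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, filled below
    length = 20 + len(attrs)
    _, mac = _message_authenticator(secret, ACCESS_REQUEST, identifier, length, ra, attrs)
    attrs = attrs[:-16] + mac  # Message-Authenticator is the last attribute
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + ra + attrs


def build_response(secret, request_authenticator, code, identifier, eap_message):
    """Access-Challenge/Accept/Reject as the server builds it in reply to a request."""
    attrs = _attr(ATTR_EAP_MESSAGE, eap_message) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs)
    _, mac = _message_authenticator(secret, code, identifier, length, request_authenticator, attrs)
    attrs = attrs[:-16] + mac
    header = struct.pack("!BBH", code, identifier, length)
    # Response Authenticator (RFC 2865): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def verify_request(secret, request):
    """Server-side check of an Access-Request: Message-Authenticator under the packet's own authenticator."""
    if len(request) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return False
    check = _message_authenticator(secret, code, identifier, length, request[4:20], request[20:])
    return check is not None and hmac.compare_digest(check[0], check[1])


def verify_response(secret, request_authenticator, response):
    """NAS-side check of a reply: both the Response Authenticator and the Message-Authenticator."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    attrs = response[20:]
    expected = hashlib.md5(response[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return False
    check = _message_authenticator(secret, code, identifier, length, request_authenticator, attrs)
    # RFC 3579 requires Message-Authenticator on every reply that carries EAP-Message
    return check is not None and hmac.compare_digest(check[0], check[1])


def response_code(response):
    return response[0]
```

Anyone who learns the shared key can forge an Access-Accept towards the router or decode User-Password attributes of PAP exchanges, which is why the key should be long and random and why the MS-CHAPv2 credentials travel inside PEAP's TLS tunnel rather than in a plain RADIUS attribute.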
[Network diagram: IP network, Router, Client]
Configuration procedure
1.
Click Apply.
2. Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling a wireless service, as shown in Figure 97:
Figure 97 Enabling the wireless service
Click Enable.
3. Enable the 802.11n (2.4 GHz) radio. (By default, the 802.11n (2.4 GHz) radio is enabled, so this step is optional.)
Configuration guidelines
When you configure 802.11n, follow these guidelines:
Select Interface Setup > Wireless > Radio from the navigation tree, select the radio unit to be configured, and click the corresponding icon to enter the radio configuration page, where you can modify the 802.11n-related parameters, including Bandwidth Mode, A-MSDU, A-MPDU, Short GI, and Client 802.11n Only (permitting only 802.11n clients to access the wireless network).
Select Interface Setup > Wireless > Radio from the navigation tree to modify the 802.11n rate.
Client mode
In client mode, the router accesses a wireless network as a client. Multiple hosts or printers on the wired network can then access the wireless network through the router.
Figure 98 Client mode
NOTE:
Support for radio mode types depends on your device model.
You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the radio, and change the radio mode in the Radio Mode option.
If the 802.11 (2.4 GHz) client mode is used, the client can scan 802.11 (2.4 GHz) wireless services.
With the client mode enabled, you can check the existing wireless services in the wireless service list.
Figure 100 Checking the wireless service list
Method 1
Click the Connect icon of the wireless service in the wireless service list, and a SET CODE dialog box shown in Figure 101 appears.
Figure 101 Setting a code
Item: Description
AuthMode: Specify the network authentication mode, which can be Open System, Shared key, or RSN + PSK (PSK authentication).
CipherSuite: Set the data encryption mode, which can be Clear (no encryption), WEP (WEP encryption), or TKIP/CCMP (TKIP or CCMP encryption).
Password
KeyID: There are four static keys in WEP, with key indexes 1, 2, 3, and 4. The key corresponding to the specified key index is used for encrypting and decrypting frames.
Shared key authentication and WEP are cryptographically broken, and TKIP is deprecated; connect with RSN + PSK and CCMP whenever the target wireless service offers it.
Method 2
You can also enter a wireless service to specify the wireless service to be connected on the page
displayed after clicking the Connect icon of the wireless service.
Figure 102 Associating the specified wireless service
Enter the specified wireless service in the Wireless Service Name field, and click Connect. Then the
dialog box in Figure 101 appears. Set the options on the dialog box according to the specified wireless
service type.
Displaying statistics
Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Statistic
Information to enter the page shown in Figure 103.
Figure 103 Displaying statistics
The AP accesses the wired LAN, and the router accesses the AP as a client.
The router accesses the wireless service psk by passing the RSN(CCMP)+PSK authentication.
The client with MAC address 0014-6c8a-43ff also accesses the wireless service psk.
[Network diagram: Gateway; AP providing wireless service psk; a Client; the Router in client mode with a PC and a Printer on its wired side]
Configuration procedure
1.
Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Connect Setup
to enter the page shown in Figure 105.
Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can
check the existing wireless services in the wireless service list.
Figure 106 Checking the wireless service list
2.
Click the Connect icon of the wireless service psk in the wireless service list, and a SET CODE dialog box
shown in Figure 107 appears.
Figure 107 Setting a code
Click Apply.
You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address
000f-e2333-5510 have been successfully associated with the AP.
The wired devices on the right (such as printers and PCs) can access the wireless network through
the router.
Configuration guidelines
As shown in Figure 109, if the router uses two radio interfaces at the same time, a client connecting to radio 2 can access the AP through the router.
Figure 109 Network diagram (Client; Radio 1 and Radio 2 of the router; AP; Gateway; Internet)
Configuring radios
802.11b/g operates in 2.4 GHz band, 802.11a in 5 GHz band, and 802.11n in both 2.4 GHz and 5
GHz bands. Each band can be divided into multiple channels for wireless communication. You can
configure and adjust the channels to achieve optimal performance.
To configure a radio, select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page, select the desired AP, and click the corresponding icon to enter the AP radio setup page, as shown in Figure 110:
Item: Description
Radio Unit: Selected radios.
Radio Mode
Transmit Power: Maximum radio transmission power, which varies with country codes, channels, radio modes, and antenna types. If you adopt the 802.11n mode, the maximum transmit power of the radio also depends on the bandwidth mode.
Channel: Specify the working channel of the radio, which varies with radio types and country codes. auto: The working channel is automatically selected. In this mode, the AP checks the channel quality in the WLAN and selects the channel of the best quality as its working channel. If you modify the working channel configuration, the transmit power is automatically adjusted.
802.11n bandwidth mode: IMPORTANT: This option is available only when the device supports 802.11n. 802.11n can bond two adjacent 20-MHz channels together to form a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, with one acting as the primary channel and the other as the secondary channel, or work together as a 40-MHz channel. This provides a simple way of doubling the data rate. By default, the channel bandwidth of the 802.11n radio (5 GHz) is 40 MHz, and that of the 802.11n radio (2.4 GHz) is 20 MHz. IMPORTANT: If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz channel is used as the working channel. If no 40 MHz channel is available, a 20 MHz channel is used. For the specifications, see IEEE P802.11n D2.00. If you modify the bandwidth mode configuration, the transmit power is automatically adjusted.
client dot11n-only: If you select the client dot11n-only option, non-802.11n clients are prohibited from access. If you want to provide access for all 802.11a/b/g clients, disable this function.
Item: Description
A-MSDU: Selecting the A-MSDU option enables A-MSDU. Multiple MSDUs can be aggregated into a single A-MSDU. This reduces the MAC header overhead, improving MAC layer forwarding efficiency.
A-MPDU: 802.11n introduces the A-MPDU frame format. By using only one PHY header, each A-MPDU can accommodate multiple MAC Protocol Data Units (MPDUs) which have their PHY headers removed. This reduces the overhead in transmission and the number of ACK frames to be used, and thus improves network throughput.
IMPORTANT: When 802.11n radios are used in a mesh WLAN, make sure that they have the same A-MSDU configuration.
short GI: Selecting the short GI option enables short GI. Delays may occur when receiving radio signals due to factors like multipath reception, so a subsequently sent frame may interfere with a previously sent frame. The guard interval (GI) is used to avoid such interference. Short GI shortens the guard interval and can increase throughput by about 10 percent. The short GI function is independent of bandwidth and thus supports both 20 MHz and 40 MHz bandwidths.
Item: Description
Preamble: A preamble is a pattern of bits at the beginning of a frame so that the receiver can sync up and be ready for the real data. There are two different kinds of preambles:
point and some legacy client devices. Therefore, you can select this option to make legacy client devices support short preamble.
ANI: Adaptive Noise Immunity (ANI). After the ANI function is enabled, the device automatically adjusts the noise immunity level according to the surrounding signal environment to eliminate RF interference. Enable: Enables ANI. Disable: Disables ANI.
Fragment Threshold: Maximum length of frames that can be transmitted without fragmentation. When the length of a frame exceeds the specified fragment threshold value, it is fragmented. In a wireless network where the error rate is high, you can decrease the
Beacon Interval: Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network. Beacon frames are used by a client to identify nearby APs or network control devices.
RTS Threshold: Request to send (RTS) threshold length. If a frame is larger than this value, the RTS mechanism is used. RTS is used to avoid data collisions in a WLAN. A smaller RTS threshold causes RTS packets to be sent more often, thus consuming more available bandwidth. However, the more often RTS packets are sent, the quicker the system can recover from interference or collisions. In a high-density WLAN, you can decrease the RTS threshold by a reasonable amount to reduce collisions in the network. IMPORTANT: The RTS mechanism occupies bandwidth. Therefore, this mechanism applies only to data frames larger than the RTS threshold.
DTIM Period
Item: Description
Number of retransmission attempts for unicast frames larger than the RTS threshold.
Number of retransmission attempts for unicast frames smaller than the RTS threshold if no acknowledgment is received.
Interval for which a frame received by the device can stay in the buffer memory.
Item: Description
802.11a: Configure rates (in Mbps) for 802.11a. By default:
802.11b: Configure rates (in Mbps) for 802.11b. By default:
Item: Description
Set the maximum MCS index for 802.11n mandatory rates. IMPORTANT: If you select the client dot11n-only option, you must configure the mandatory maximum MCS.
Multicast MCS: Set the multicast MCS for 802.11n. The multicast MCS is adopted only when all the clients use 802.11n. If a non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS data rate. IMPORTANT: When the multicast MCS takes effect, the corresponding data rates defined for 20 MHz are adopted no matter whether the 802.11n radio operates in 40 MHz mode or in 20 MHz mode.
For more information about MCS, see WLAN Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).
Make the MCS configuration the same on all APs in mesh configuration.
Displaying radio
Displaying WLAN services bound to a radio
Select Interface Setup > Wireless > Summary from the navigation tree, click the Radio tab, click the
specified radio unit, and select the Wireless Service tab to view the WLAN services bound to the radio.
Figure 114 Displaying WLAN services bound to the radio
The Noise Floor item in the table indicates various random electromagnetic waves during the wireless
communication. For the environment with a high noise floor, you can improve the signal-to-noise ratio
(SNR) by increasing the transmit power or reducing the noise floor.
The radio display includes the Hardware Address, Radio-type (for example, dot11a), channel, and power (dBm) of the radio, followed by its input packet statistics (fragmented, discarded with a byte count, duplicates, FCS errors, and decryption errors; a sample radio shows 0 fragmented, 414 discarded for 26629 bytes, 0 duplicates, 3785 FCS errors and 0 decryption errors) and the output packet statistics of the interface.
White list: Contains the MAC addresses of all clients allowed to access the WLAN. If the white list is used, only the listed clients can access the WLAN, and all frames from other clients are discarded.
Static blacklist: Contains the MAC addresses of clients forbidden to access the WLAN. This list is configured manually.
Dynamic blacklist: Contains the MAC addresses of clients whose frames are dropped. A client is added to the list dynamically when it is judged to be sending attack frames, and stays in the list until the timer of its entry expires.
When the device receives an 802.11 frame, it checks the source MAC address of the frame and processes the frame as follows:
1. If white list entries exist and the source MAC address does not match any of them, the frame is dropped. If there is a match, the frame is considered valid and is processed further.
2. If no white list entries exist, the static and dynamic blacklists are searched. If the source MAC address matches an entry in either list, the frame is dropped. If there is no match, or no blacklist entries exist, the frame is considered valid and is processed further.
Item: Description
Dynamic Blacklist: Enable: Enables the dynamic blacklist. Disable: Disables the dynamic blacklist. IMPORTANT: Before enabling the dynamic blacklist function, select the Flood Attack Detect option on the WIDS Setup page.
Lifetime: Configure the lifetime of the entries in the blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.
At present, these attacks can be detected and handled through the dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood, and NullData-Flood.
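The frame-processing order described above and the dynamic blacklist with its Lifetime, as an added Python example that is not the router's implementation: the white list is consulted first, then the static and dynamic blacklists, with flood detection reduced to counting management frames of one type from one source MAC inside a sliding window. The threshold, the window size and every MAC address except 0014-6c8a-43ff (which the page uses) are constructed for the example, and timestamps are passed in explicitly so that entry expiry can be checked without waiting.

```python
import time
from collections import defaultdict, deque

# Frame types the page lists as detectable floods for the dynamic blacklist
FLOOD_FRAME_TYPES = {"assoc", "reassoc", "disassoc", "probe-req", "action", "auth", "deauth", "null-data"}


def _norm(mac):
    """Normalise an H3C-style MAC (0014-6c8a-43ff) or colon form to lower-case hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


class WlanFrameFilter:
    """Applies the white list, static blacklist and dynamic blacklist in the page's order."""

    def __init__(self, whitelist=(), static_blacklist=(), dynamic_enabled=True,
                 lifetime=300, flood_threshold=20, flood_window=1.0):
        self.whitelist = {_norm(m) for m in whitelist}
        self.static_blacklist = {_norm(m) for m in static_blacklist}
        self.dynamic_enabled = dynamic_enabled
        self.dynamic_blacklist = {}             # mac -> time at which the entry expires
        self.lifetime = lifetime                # seconds, the Lifetime item on the page
        self.flood_threshold = flood_threshold  # frames of one type per window (assumed value)
        self.flood_window = flood_window        # seconds (assumed value)
        self._recent = defaultdict(deque)       # (mac, frame type) -> timestamps inside the window

    def _expire(self, now):
        for mac, expires in list(self.dynamic_blacklist.items()):
            if expires <= now:
                del self.dynamic_blacklist[mac]

    def _flood_check(self, mac, frame_type, now):
        """Flood Attack Detect (simplified): too many frames of one management type from one source."""
        if not self.dynamic_enabled or frame_type not in FLOOD_FRAME_TYPES:
            return
        window = self._recent[(mac, frame_type)]
        window.append(now)
        while window and now - window[0] > self.flood_window:
            window.popleft()
        if len(window) > self.flood_threshold:
            self.dynamic_blacklist[mac] = now + self.lifetime
            window.clear()

    def process(self, src_mac, frame_type, now=None):
        """Return 'accept' or 'drop' for one received 802.11 frame."""
        now = time.time() if now is None else now
        mac = _norm(src_mac)
        self._expire(now)
        self._flood_check(mac, frame_type, now)
        # 1. With a white list present, only listed MACs pass; the blacklists are not consulted.
        if self.whitelist:
            return "accept" if mac in self.whitelist else "drop"
        # 2. No white list: a match in either blacklist drops the frame.
        if mac in self.static_blacklist or mac in self.dynamic_blacklist:
            return "drop"
        return "accept"

    def dynamic_entries(self, now=None):
        """Current dynamic blacklist entries with their remaining lifetime in seconds."""
        now = time.time() if now is None else now
        self._expire(now)
        return {mac: expires - now for mac, expires in self.dynamic_blacklist.items()}
```

Once a white list exists the blacklists are never consulted, exactly as the page describes, so a white-listed station that floods the AP is not stopped by the dynamic blacklist; and because a source MAC is trivially spoofed, both lists are access-control conveniences rather than authentication, which is why the flood detection matters more than the static entries.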
Item: Description
MAC Address: Select the MAC Address option, and then add a MAC address to the static blacklist.
If you select the option, the table below lists the currently existing clients. Select the boxes of the clients to add their MAC addresses to the static blacklist.
Item: Description
MAC Address: Select the MAC Address option, and then add a MAC address to the white list.
If you select the option, the table below lists the currently existing clients. Select the boxes of the clients to add their MAC addresses to the white list.
Item: Description
User Isolate: Enable: Enables user isolation on the AP to isolate the clients associated with it at Layer 2.
Select the box in front of the radio unit to be configured, and click Enable. By default, wireless QoS is
enabled.
The WMM protocol is the foundation of the 802.11n protocol. Therefore, when the radio operates in
802.11n (5 GHz) or 802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated
802.11n clients may fail to communicate.
Item: Description
Radio: Selected radio.
SVP Mapping: Select the SVP Mapping option, and then select the AC to which the SVP service is mapped: AC-VO, AC-VI, AC-BE, or AC-BK.
Item: Description
Client Number
Channel Utilization
Item: Description
Radio: Selected radio.
Priority type: Priority type.
AIFSN
TXOP Limit
ECWmin
ECWmax
No ACK
Values shown in the default table (column headers lost in extraction): AC-BK 10; AC-BE; AC-VI 94; AC-VO 47.
Item: Description
Radio: Selected radio.
Priority type: Priority type.
AIFSN
TXOP Limit
ECWmin
ECWmax
CAC: Enable: Enables CAC. Disable: Disables CAC. AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC.
Values shown in the default table (column headers lost in extraction): AC-BK 10; AC-BE 10; AC-VI 94; AC-VO 47.
Item: Description
Radio interface
QoS mode
Client accepted
Threshold
Field: Description
Response policy adopted for CAC-disabled ACs: Discard: Drops frames. Downgrade: Decreases the priority of frames. Disassociate: Disassociates the client.
ECWmin
ECWmax
AIFSN
TXOPLimit
Ack Policy
CAC
Item: Description
MAC address
SSID
QoS Mode
Max SP length
AC: Access category.
State: APSD attribute of an AC, which can be: T: The AC is trigger-enabled. D: The AC is delivery-enabled. T | D: The AC is both trigger-enabled and delivery-enabled. L: The AC has legacy attributes.
Assoc State: APSD attribute of the four ACs when a client accesses the AP.
Downgrade packets
Downgrade bytes
Discard packets
Discard bytes
Configure the total bandwidth shared by all clients in the same BSS. This is called dynamic mode. The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
Configure the maximum bandwidth that can be used by each client in the BSS. This is called static mode. For example, if the configured rate is 1 Mbps, the rate limit of each online client is 1 Mbps. When the configured rate limit multiplied by the number of access clients exceeds the bandwidth available on the device, no client gets the guaranteed bandwidth.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left, select the Client Rate Limit tab, and click Add to enter the page for setting rate limiting, as shown in Figure 129.
Figure 129 Setting rate limiting
Item: Description
Wireless Service
Direction
Mode: Dynamic mode or Static mode.
Rate: Set the rate of the clients. If you select the static mode, static rate is displayed, and the rate is the bandwidth of each client. If you select the dynamic mode, share rate is displayed, and the rate is the total bandwidth of all clients.
Configuration procedure
1.
2.
# Select the radio unit to be configured in the list and click the corresponding icon in the Operation column to enter the page for configuring wireless QoS. In the Client EDCA list, select the priority type (AC_VO is taken for example here) to be modified, and click the corresponding icon in the Operation column to enter the page for setting client EDCA parameters.
Figure 132 Enabling CAC
Click Apply.
Click Apply.
Configuration procedure
1.
2.
Click Apply.
Client 1 and Client 2 access the WLAN through an SSID named service1.
Check that traffic from Client 1 is rate limited to around 128 kbps, and so is traffic from Client 2.
Configuration procedure
1.
2.
Click Apply.
When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
as high as 8000 kbps.
When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.
Item: Description
District Code: Select a district code. If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is locked. It cannot be changed. Support for district code depends on your device model.
Click the icon of a target AP to enter the channel busy testing page, as shown in Figure 140.
Item: Description
Radio Unit
Radio Mode
Managing 3G
You can connect a router to a 3G modem via the USB interface on the MPU of the router. After being connected to an external UIM card, the 3G modem can access the wireless network provided by China Telecom and carry out 3G wireless communications.
The router supports 3G modems provided by different vendors. As a peripheral, the 3G modem is not part of the router. However, you can maintain and manage the 3G modem through the Web interface of the router.
Item: Description
3G Modem State: State of the 3G modem:
Model
Manufacturer
CMII ID
Serial Number
Hardware Version
Firmware Version
PRL Version
Item: Description
UIM Card State: State of the UIM card: Absent; Being initialized; Fault; Destructed; PIN code protection is disabled; PIN code protection is enabled, enter the PIN code for authentication; PIN code protection is enabled, and the PIN code has passed the authentication; The PIN code has been blocked, enter the PUK code to unblock it.
IMSI
Voltage
Item: Description
Mobile Network
Network Type: No Service; CDMA; HDR; CDMA/HDR HYBRID; Unknown.
RSSI
CAUTION:
If the PIN code is entered incorrectly more times than the device allows, the PIN code is blocked. To unblock the PIN code, you must enter the correct PUK code.
If the PUK code is entered incorrectly more times than the device allows, the UIM card is destructed and becomes permanently unusable. Be cautious when entering the PUK code.
Select 3G > PIN Code Management from the navigation tree to enter the PIN code management page.
The PIN code allows you to perform different operations depending on the UIM card status.
When the PIN code protection is disabled for the UIM card
Figure 143 shows the PIN code management page when the PIN code protection for the UIM card is
disabled. To enable the PIN code protection, enter the PIN code and click Apply. A PIN code contains
4 to 8 digits.
Figure 143 PIN code management page II
When the UIM card has passed the PIN code authentication
Figure 145 shows the PIN code management page in the case that the UIM card has passed the PIN
code authentication. You can do the following operations:
In the Disable PIN Code Protection field, correctly enter the PIN code and click Apply to disable the
PIN code protection for the UIM card.
In the PIN Code Modification field, correctly enter the current PIN code and the new PIN code twice,
and then click Apply to modify the current PIN code.
When the PUK code needs to be entered to unblock the PIN code of the UIM card
Figure 146 shows the PIN code management page in the case that the PIN code of the UIM card has
been locked and the PUK code needs to be entered.
To unblock the PIN code of the UIM card and set a new PIN code, enter the PUK code correctly and the
new PIN code twice, and then click Apply.
Figure 146 PIN code management page V
Configuring NAT
Overview
Network Address Translation (NAT) provides a way of translating the IP address of a packet to another IP address. In practice, NAT is primarily used to allow private hosts to access public networks. With NAT, a few public IP addresses are used to translate a large number of internal IP addresses, which effectively mitigates the IP address depletion problem.
For more information about NAT, see the Layer 3 - IP Services Configuration Guide in H3C MSR Series Routers Configuration Guides (V5).
Task: Remarks
Use either approach. Required.
Configuring an internal server: Optional.
Limit the number of connections from a source IP address.
Item: Description
Interface
Translation Mode: Interface Address: In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address. You do not need to configure any address pool for this mode. PAT: In this mode, both IP addresses and port numbers of packets are translated. You need to configure an address pool for this mode. No-PAT: In this mode, only IP addresses of packets are translated. You need to configure an address pool for this mode.
Start IP Address / End IP Address: Specify the start and the end IP addresses for the NAT address pool. The start IP address must be lower than the end IP address. If the end IP address and the start IP address are the same, you specify only one IP address. IMPORTANT: Only one translation mode can be selected for the same address pool. The maximum number of IP addresses contained in an address pool depends on the device model. On some device models, NAT address pools cannot overlap the addresses used by other address translation policies, the IP addresses of interfaces with Easy IP enabled, or the external IP addresses of internal servers.
From the navigation tree, select NAT Configuration > NAT Configuration.
2.
Item: Description
Host IP Address
Global IP Address
One icon indicates that DMZ host is disabled on the corresponding interface. Click the Enable link next to the interface to enable DMZ host on the interface.
The other icon indicates that DMZ host is enabled on the corresponding interface. Click the Disable link next to the interface to disable DMZ host on the interface.
A DMZ host receives every inbound connection to the interface's public address that no other NAT mapping claims, on every port, so enable it only for a host that has been hardened to be fully exposed to the Internet.
From the navigation tree, select NAT Configuration > NAT Configuration.
2.
Item: Description
Interface
Protocol: Specify the type of the protocol carried by IP, which can be TCP or UDP.
Global IP Address
Global Port: Select Other and then enter a port number. If you enter 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is established. Select a service and the corresponding port number is provided. You cannot modify the port number displayed.
Host IP Address
Host Port: Specify the internal port number for the internal server. From the list, you can: Select Other and then enter a port number. If you enter 0, all types of services are provided. That is, only a static binding between the external IP address and the internal IP address is created. Select a service and the corresponding port number is provided. You cannot modify the port number displayed.
A port of 0 exposes every listening service on the internal host to the Internet; publish a single port per service unless the host is meant to be fully reachable.
From the navigation tree, select NAT Configuration > NAT Configuration.
2.
Item: Description
Protocol Type: Enable or disable checking of the specified application layer protocols, including DNS, FTP, PPTP, NBT, ILS, H.323, and SIP. IMPORTANT: Support for the protocol types depends on the device model.
From the navigation tree, select NAT Configuration > NAT Configuration.
2.
Item: Description
Max Connections: Set the maximum number of connections that can be initiated from a source IP address.
The internal users can access the Internet by using public addresses 202.38.1.2 and 202.38.1.3.
Configure the upper limit of connections as 1000 based on the source IP address.
2.
Click Apply.
3.
in Figure 155.
b. Select Enable connection limit.
c.
d. Click Apply.
202.38.1.1 is used as the public IP address for the internal servers and port number 8080 is used
for Web server 2.
Server tab to enter the internal server configuration page, as shown in Figure 157.
b. Select Ethernet0/2 from the Interface list.
c.
d. Select the option next to the Global IP Address field, and then enter 202.38.1.1.
e. Select ftp from the Global Port list.
f.
2.
Select the option next to the Global IP Address field, and then enter 202.38.1.1.
g. Click Apply.
3.
d. Select the option next to the Global IP Address field, and then enter 202.38.1.1.
e. Enter 8080 in the Global Port field.
f.
Configuration procedure
Select Security Setup > Access from the navigation tree, and then click the Access Control tab.
Figure 160 Access control
Item: Description
Begin-End Time / Week: IMPORTANT: Set both types of time range or set neither of them. To set neither of them, make sure the Begin-End Time is 00:00 - 00:00 and no days of the week are selected. Setting neither of them means the policy takes effect all the time.
Protocol: Control access based on the protocol used for data transmission.
Source IP Address: Configure the IP address range of the computers. To control a single IP address, enter the address in both fields.
Destination Port: Set the port range to be filtered. For example, to control Telnet access, enter 23 in both fields.
Operation: Action to be taken for matching packets. The action is Deny, which means all packets matching the access control policies are not allowed to pass.
Service / Protocol / Port number:
FTP: TCP 21
Telnet: TCP 23
TFTP: UDP 69
Web: TCP 80
Host A to Host C cannot access the Internet from 09:00 to 18:00 every Monday to Friday. They can
access the Internet at all other times.
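The Deny policy semantics of the Access Control page, including the rule that Begin-End Time and Week are set either both or neither, as an added Python example that is not H3C code, applied to the scenario above. Host A to Host C are assumed to be 192.168.1.2 through 192.168.1.4 (the page gives no addresses), "cannot access the Internet" is modelled as an assumed protocol value any over ports 1 to 65535, and an end time of 00:00 with a non-zero begin time is assumed to mean "until midnight"; the dates are constructed.

```python
from datetime import datetime, time
from ipaddress import ip_address

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
# Well-known services from the page's port table
SERVICE_PORTS = {"ftp": ("tcp", 21), "telnet": ("tcp", 23), "tftp": ("udp", 69), "web": ("tcp", 80)}


class AccessControlPolicy:
    """One Deny entry: optional time range, protocol, source IP range, destination port range.
    The protocol value "any" (all IP traffic) is an assumption; the page lists no such value."""

    def __init__(self, protocol, src_start, src_end, port_start, port_end,
                 begin="00:00", end="00:00", days=()):
        self.protocol = protocol.lower()
        self.src_start, self.src_end = ip_address(src_start), ip_address(src_end)
        if self.src_start > self.src_end:
            raise ValueError("source range start must not exceed its end")
        if not (0 <= port_start <= port_end <= 65535):
            raise ValueError("bad destination port range")
        self.port_start, self.port_end = port_start, port_end
        self.begin, self.end = time.fromisoformat(begin), time.fromisoformat(end)
        self.days = {WEEKDAYS[d.lower()[:3]] for d in days}
        # Page rule: set both Begin-End Time and Week, or neither (00:00 - 00:00 and no days = always)
        time_set = (self.begin, self.end) != (time(0, 0), time(0, 0))
        if time_set != bool(self.days):
            raise ValueError("set both Begin-End Time and Week, or neither")
        self.always = not time_set

    def in_time_range(self, when):
        if self.always:
            return True
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.end == time(0, 0):      # assumption: 00:00 as an end time means "until midnight"
            return t >= self.begin
        return self.begin <= t < self.end

    def matches(self, protocol, src_ip, dst_port, when):
        if self.protocol != "any" and protocol.lower() != self.protocol:
            return False
        if not (self.src_start <= ip_address(src_ip) <= self.src_end):
            return False
        if not (self.port_start <= dst_port <= self.port_end):
            return False
        return self.in_time_range(when)


def decide(policies, protocol, src_ip, dst_port, when):
    """'deny' if any policy matches (the page's only action), else 'permit'. when: datetime or ISO string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return "deny" if any(p.matches(protocol, src_ip, dst_port, when) for p in policies) else "permit"
```

The time comparison runs against the router's own clock, so an unsynchronised clock silently shifts the deny window; the source-address match is by IP only, so a host that changes its address leaves the policy.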
Configuration procedure
# Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work
time.
Click Apply.
Configuration procedure
Select Security Setup > URL Filter from the navigation tree to enter the page as shown in Figure 163. Then,
click Add to enter the URL filtering configuration page, as shown in Figure 164.
Figure 163 URL filtering entries
Item: Description
URL
Keyword
IMPORTANT: The URL and keyword are in OR relation. When both are configured, the system generates two URL filtering conditions.
Import filter list file: If the Import filter list file box is selected, you can import filtering rules from a file.
File Name: Specify the name and path of the file on the local host from which the filter list is imported. For a description of the content format of filter list files, see Figure 164.
Configuration procedure
# Configure the URL filtering function.
Select Security Setup > URL Filter from the navigation tree. Click Add and then perform the
following configurations, as shown in Figure 166.
Select the box before URL and then enter www.webflt.com in the field.
Click Apply.
Item: Description
MAC address filtering type: Select a MAC address filtering type: Permit access to the Internet: Enables MAC address filtering to permit only the hosts whose MAC addresses are on the MAC address list below to access the network through the device. Deny access to the Internet: Enables MAC address filtering to deny the hosts whose MAC addresses are on the MAC address list below from accessing the network through the device. IMPORTANT: A MAC address list appears at the lower part of the page after you select Permit access to the Internet or Deny access to the Internet.
Item: Description
MAC Address: Enter the MAC addresses to be filtered or select them from the learned MAC addresses list.
If you select Permit access to the Internet or Deny access to the Internet as the filtering type, the selected filtering type takes effect as soon as you add MAC addresses for that type, whether or not you click Apply in the filtering type configuration area on the MAC Address Filtering page.
MAC addresses are easily spoofed, so MAC address filtering is a convenience control, not a substitute for authentication.
[Network diagram: the router's Eth0/1 connects two hosts, 000d-88f8-0dd7 (192.168.1.17) and 000d-88f7-b8d6 (192.168.1.18)]
Configuration procedure
# Configure the MAC address filtering function.
Select Security Setup > MAC Address Filtering from the navigation tree and then perform the
following configurations, as shown in Figure 171.
Click Add and then perform the following configurations, as shown in Figure 172.
Figure 172 Specifying the MAC addresses to be denied access to the Internet
Select 000d-88f8-0dd7 and 000d-88f7-b8d6 from the Learned MAC Addresses list, and then click
the << button to add them to the Selected MAC Addresses list.
Click Apply.
Overview
Attack protection is an important network security feature. It can determine whether received packets are attack packets according to the packet contents and behaviors and, if it detects an attack, take measures to deal with the attack. Protection measures include logging the event, dropping packets, updating the session status, and blacklisting the source IP address.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared with ACL packet filtering, blacklist filtering matches packets more simply, so it filters packets at a higher speed. Blacklist filtering is very effective in filtering packets from specific IP addresses.
One outstanding benefit of the blacklist function is that it allows the device to add and delete blacklist entries dynamically, in conjunction with the scanning attack protection function. When the device detects a scanning attack from the packet behavior, it adds the IP address of the attacker to the blacklist, so that packets from that IP address are filtered. Dynamically added blacklist entries age out after a specific period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Manually added entries can be permanent or non-permanent. A permanent entry stays in the blacklist until you delete it manually. For a non-permanent entry you configure an aging time; after the timer expires, the device automatically deletes the entry, allowing packets from the corresponding IP address to pass.
Single-packet attacks take one of two forms:
The attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system so that the target system malfunctions or crashes when processing such packets.
The attacker sends large quantities of such packets to the network to use up the network bandwidth.
Table 93 lists the types of single-packet attacks that can be prevented by the device.
Description
Fraggle
A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port
number of 7) or Chargen packets (with the UDP port number of 19) to a subnet
broadcast address. This will cause a large quantity of responses in the network, using
up the network bandwidth of the subnet or crashing the target host.
LAND
A LAND attacker forges large amounts of TCP SYN packets with both the source
address and destination address being the IP address of the target, causing the target
to send SYN ACK messages to itself and establish half-open connections as a result.
In this way, the attacker may deplete the half-open connection resources of the target,
making it unable to work normally.
WinNuke
A WinNuke attacker sends Out-of-Band (OOB) data packets to the NetBIOS port
(139) of a target running a Windows system. The pointer fields of these attack packets
are overlapped, resulting in NetBIOS fragment overlaps. This will cause the target
host that has established TCP connections with other hosts to crash when it processes
these NetBIOS fragments.
TCP Flag
Different operating systems process abnormal TCP flags differently. The attacker
sends TCP packets with abnormal TCP flags to the target host to probe its operating
system. If the operating system cannot process such packets properly, the host will
crash.
ICMP Unreachable
Upon receiving an ICMP unreachable packet, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the
destination. By sending ICMP unreachable packets, an attacker can cut off the
connection between the target host and the network.
ICMP Redirect
Tracert
The Tracert program usually sends UDP packets with a large destination port number
and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when
the packet passes each router. Upon receiving a packet with a TTL of 0, a router sends
an ICMP time exceeded message back to the source IP address of the packet. A
Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf
A Smurf attacker sends ICMP echo requests to the broadcast address of the target
network. As a result, all hosts on the target network reply to the requests, congesting
the network and leaving the hosts on the target network unable to provide services.
Source Route
A Source Route attacker probes the network structure through the Source Route option
in IP packets.
Route Record
A Route Record attacker probes the network structure through the Record Route option
in IP packets.
Large ICMP
For some hosts and devices, large ICMP packets cause memory allocation errors and
thus crash the protocol stack. An attacker can crash a target by sending large ICMP
packets to it.
The single-packet attack protection function takes effect only on incoming packets. It analyzes the
characteristics of incoming packets to determine whether they are offensive and, if they are, logs the
events and discards the packets. For example, if the length of an ICMP packet reaches or exceeds
4000 bytes, the device considers the packet a large ICMP attack packet, outputs a warning log, and
discards the packet.
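As an added example (not H3C code), the following Python classifier applies the stateless entries of Table 93 to constructed packet records and shows the log-and-discard handling described above. The packet fields, the use of the TCP URG flag to represent WinNuke's out-of-band data, and the treatment of SYN with FIN or RST as an abnormal flag combination are assumptions; ICMP Unreachable, ICMP Redirect and Tracert are left out because they cannot be judged from a single packet's contents.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example (not H3C code): a packet classifier for the stateless,
# signature-style entries of Table 93. Packet is a constructed record, not a
# parsed frame; the field names are assumptions.
LARGE_ICMP_BYTES = 4000  # threshold stated in the text


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                           # "tcp", "udp" or "icmp"
    length: int = 64                     # total IP packet length in bytes
    flags: FrozenSet[str] = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None      # 8 = echo request
    dst_is_broadcast: bool = False       # destination is a subnet broadcast address
    ip_options: Tuple[str, ...] = ()     # IP options present: "LSRR", "SSRR", "RR"


def abnormal_tcp_flags(flags: FrozenSet[str]) -> bool:
    """Flag combinations no normal stack sends: none at all, or SYN with FIN/RST."""
    return not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags


def classify(pkt: Packet) -> Optional[str]:
    """Return the Table 93 attack name the packet matches, or None."""
    if pkt.proto == "tcp":
        if "SYN" in pkt.flags and pkt.src == pkt.dst:
            return "LAND"
        if pkt.dst_port == 139 and "URG" in pkt.flags:   # OOB data = URG flag set
            return "WinNuke"
        if abnormal_tcp_flags(pkt.flags):
            return "TCP Flag"
    if pkt.proto == "udp" and pkt.dst_is_broadcast and pkt.dst_port in (7, 19):
        return "Fraggle"
    if pkt.proto == "icmp":
        if pkt.length >= LARGE_ICMP_BYTES:
            return "Large ICMP"
        if pkt.icmp_type == 8 and pkt.dst_is_broadcast:
            return "Smurf"
    if any(opt in ("LSRR", "SSRR") for opt in pkt.ip_options):
        return "Source Route"
    if "RR" in pkt.ip_options:
        return "Route Record"
    return None


def inspect_incoming(packets: List[Packet]) -> Tuple[List[Packet], List[str]]:
    """Single-packet attack protection on the inbound direction: matching
    packets are logged and discarded, all others are forwarded."""
    forwarded, log = [], []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict is None:
            forwarded.append(pkt)
        else:
            log.append(f"WARNING: {verdict} attack packet from {pkt.src} to {pkt.dst} dropped")
    return forwarded, log
```

The order of the checks matters: a LAND packet also carries a SYN flag, so the source-equals-destination test runs before the generic flag test, and the Large ICMP size check runs before the Smurf check so that an oversized echo request to a broadcast address is reported under the rule that triggers the drop first.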
Because of the limited resources, the TCP/IP stack permits only a limited number of TCP
connections. A SYN flood attacker sends a great quantity of SYN packets to a target server, using
a forged address as the source address. After receiving the SYN packets, the server replies with
SYN ACK packets. As the destination address of the SYN ACK packets is unreachable, the server
can never receive the expected ACK packets, resulting in large amounts of half-open connections.
In this way, the attacker exhausts the system resources, making the server unable to service normal
clients.
ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time, for
example by using the ping program, leaving the target too busy to process normal services.
UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that
the target gets too busy to process normal services.
The flood attack protection function takes effect only on outgoing packets. It is mainly used to
protect servers. It monitors the connection establishment rate and the number of half-open
connections of a server. If the rate reaches or exceeds 1000 connections per second, or the number
of half-open connections reaches or exceeds 10000 (only SYN flood attack protection supports
restriction of half-open connections), it logs the event and discards subsequent connection requests
to the server.
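As an added example (not H3C code), the following Python applies the two thresholds stated above to connection requests heading towards a protected server: a sliding one-second window for the request rate, which applies to SYN, ICMP and UDP floods alike, and a half-open connection count that applies only to TCP. The one-second window, the opaque client identifiers and the timestamps are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set

# Added example (not H3C code): the two thresholds from the text, applied to
# requests sent towards a protected server. Timestamps are seconds from any
# monotonic clock; client identifiers are opaque strings.
RATE_THRESHOLD = 1000        # connection requests per second
HALF_OPEN_THRESHOLD = 10000  # half-open TCP connections (SYN flood only)
WINDOW_SECONDS = 1.0         # assumed length of the rate window


class FloodMonitor:
    def __init__(self, rate_threshold: int = RATE_THRESHOLD,
                 half_open_threshold: int = HALF_OPEN_THRESHOLD) -> None:
        self.rate_threshold = rate_threshold
        self.half_open_threshold = half_open_threshold
        # server -> arrival times of requests inside the sliding window
        self.request_times: Dict[str, Deque[float]] = defaultdict(deque)
        # server -> clients whose SYN was answered but not yet acknowledged
        self.half_open: Dict[str, Set[str]] = defaultdict(set)
        self.log: List[str] = []

    def on_request(self, server: str, client: str, now: float, proto: str = "tcp") -> str:
        """Handle a SYN (tcp), echo request (icmp) or datagram (udp) sent to
        the server. Returns "accept" or "drop"."""
        times = self.request_times[server]
        times.append(now)
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()
        if len(times) >= self.rate_threshold:
            self.log.append(f"{proto.upper()} flood: {len(times)} requests/s to {server}; dropping {client}")
            return "drop"
        if proto == "tcp":
            pending = self.half_open[server]
            if len(pending) >= self.half_open_threshold:
                self.log.append(f"SYN flood: {len(pending)} half-open connections to {server}; dropping {client}")
                return "drop"
            pending.add(client)   # server answers with SYN ACK and waits for the ACK
        return "accept"

    def on_ack(self, server: str, client: str) -> None:
        """Third handshake step: the connection is no longer half-open."""
        self.half_open[server].discard(client)
```

Dropped requests still count towards the rate window, because they did arrive; they do not create half-open state, so a flood cannot push the half-open count further once requests are being discarded.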
Remarks
1.
2.
Required.
By default, the blacklist function is disabled.
Required.
Perform at least one of the two tasks.
Step
Remarks
3.
You can add blacklist entries manually, or enable the blacklist function
globally, configure the scanning attack protection function, and
enable the blacklist function for scanning attack protection to allow the
device to add the IP addresses of detected scanning attackers to the
blacklist automatically. For configuration of scanning attack
protection, see "Configuring intrusion detection."
Optional.
Description
IP Address
Hold Time
Configure the entry as a non-permanent entry and specify the hold time of the
blacklist entry.
Permanence
Description
IP Address
Manual: The entry was added manually or has been modified after being
added automatically.
Add Method
Start Time
Hold Time
Duration for which the blacklist entry will be held in the blacklist.
Dropped Count
Number of packets matching the blacklist entry and therefore dropped by the
device.
policy and then select the specific attack protection functions to be enabled. Then, click Apply to finish the
configuration.
Figure 175 Intrusion detection configuration page
Router denies packets from Host C for 50 minutes for temporary access control of Host C.
Router provides scanning attack protection and automatically adds detected attackers to the
blacklist.
Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable the blacklist function.
Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 179.
Click Apply.
Click Add and then perform the following configurations, as shown in Figure 180:
Click Apply.
Click Add and then perform the following configurations, as shown in Figure 181:
Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
Click Apply.
# Configure intrusion detection: Enable scanning attack protection, and enable blacklist function for it;
enable Land attack protection and Smurf attack protection.
Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree and then
perform the following configurations, as shown in Figure 182.
Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other options.
Click Apply.
Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
Router drops all packets from Host D unless you remove Host D from the blacklist.
Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.
Upon detecting the scanning attack, Router outputs an alarm log and adds the IP address of the
attacker to the blacklist. You can view the added blacklist entry by selecting Security Setup > Attack
Defend > Blacklist.
Upon detecting the Land or Smurf attack, Router outputs an alarm log and drops the attack packet.
Router denies packets from Host C for 50 minutes for temporary access control of Host C.
Router provides scanning attack protection and automatically adds detected attackers to the
blacklist on interface Ethernet 0/2, the interface connecting the Internet.
Router provides Land attack protection and Smurf attack protection on Ethernet 0/2.
Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable the blacklist function.
Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 184.
Click Apply.
Click Add and then perform the following configurations, as shown in Figure 185:
Click Apply.
Click Add and then perform the following configurations, as shown in Figure 186:
Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
Click Apply.
# Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist
function for it; enable Land attack protection and Smurf attack protection.
Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree. Click Add and
then perform the following configurations, as shown in Figure 187.
Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other options.
Click Apply.
Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
Router drops all packets from Host D unless you remove Host D from the blacklist.
Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.
Upon detecting the scanning attack on Ethernet 0/2, Router outputs an alarm log and adds the IP
address of the attacker to the blacklist. You can view the added blacklist entry by selecting Security
Setup > Attack Defend > Blacklist.
Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops
the attack packet.
Remarks
Optional.
1.
Loading applications
Load the signature file that contains the application control rules to the
device.
IMPORTANT:
If you perform this configuration multiple times, only the last file
loaded to the device takes effect.
2.
3.
Optional.
Add a custom application and configure the match rules.
Required.
Enable application control for specified applications or protocols
globally.
Loading applications
Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab to enter the page for loading applications, as shown in Figure 188.
To load an application control file from the device, select From Device, select the application control
file, and then click Apply.
To load an application control file from the local host to the device, select From Local, click Browse
to find the file, and then click Apply.
After the file is loaded to the device successfully, all the loaded applications will be displayed at the
lower part of the page.
Description
Application Name
Protocol
Specify the protocol to be used for transferring packets, including TCP, UDP, and All.
All means all IP carried protocols.
IP Address
Match Rule
Start Port
Port
If you do not want to limit port numbers, do not select any option for the match rule.
In this case, you do not need to enter the start port and end port.
End Port
If you want to limit a range of ports, select Range for the match rule, and then enter
the start port and end port to specify the port range.
If you select other options of the match rule, you just need to enter the start port.
Configuration procedure
# Load the application control file (assume that signature file p2p_default.mtd, which can block the use
of MSN, is stored on the device).
Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab and perform the following configurations, as shown in Figure 193.
Select the From Device option, and select file p2p_default from the list.
Click the Application Control tab and then perform the following configurations, as shown in Figure
195.
Click Apply.
Description
Interface
Redirection URL
Type the address of the web page to be displayed, that is, the URL to which the web
access request is redirected. For example, http://192.0.0.1.
Interval
Configuring routes
The term "router" in this chapter refers to both routers and Layer 3 switches. This chapter mainly describes
IPv4 route configuration.
You can perform the following route configurations through the Web interface:
Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host.
Routing provides the path information that guides the forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
You can manually configure routes. Such routes are called static routes.
For more information about the routing table and static routes, see Layer 3 - IP Routing Configuration
Guide in H3C MSR Series Routers Configuration Guide (V5).
Configuring routes
Creating an IPv4 static route
1.
2.
3.
Description
Destination IP Address
Enter the destination IP address of the static route, in dotted decimal notation.
Mask
Preference
For example, specifying the same preference for multiple static routes to the
same destination enables load sharing on the routes, while specifying different
preferences enables route backup.
Next Hop
Enter the next hop IP address of the static route, in dotted decimal notation.
Interface
Description
Destination IP Address
Mask
Protocol
Routing protocol that discovered the route, including static route, direct
route, and various dynamic routing protocols.
Preference
Next Hop
Interface
Output interface of the route. Packets destined for the destination IP address
are forwarded out of the interface.
Configuration considerations
1.
2.
On Router B, configure one static route with Router A as the next hop and the other with Router C
as the next hop.
3.
Configuration procedure
1.
2.
Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.4.2 for Next Hop.
d. Click Apply.
The newly created static route is listed at the lower part of the page.
3.
Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
c.
d. Click Apply.
e. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop.
Click Apply.
f.
The newly created static route is listed at the lower part of the page.
4.
Enter 0.0.0.0 for Destination IP Address and 0 for Mask.
c.
d. Click Apply.
The newly created static route is listed at the lower part of the page.
5.
Configure the IP addresses of the hosts and configure the default gateways of Host A, Host B, and
Host C as 1.1.2.3, 1.1.6.1, and 1.1.3.1. (Details not shown.)
6.
   <1 ms    <1 ms    <1 ms  1.1.6.1
   <1 ms    <1 ms    <1 ms  1.1.4.1
    1 ms    <1 ms    <1 ms  1.1.2.2
Trace complete.
Configuration guidelines
When you configure a static route, follow these guidelines:
If you do not specify the preference, the default preference is used. Reconfiguration of the default
preference applies only to newly created static routes. The Web interface does not support
configuration of the default preference.
If you specify the next hop address first and then configure it as the IP address of a local interface,
such as an Ethernet interface and VLAN interface, the static route does not take effect.
Overview
A routing protocol can have multiple equal-cost routes to the same destination. These routes have the
same preference, and are all used to accomplish load sharing if no route with a higher preference is
available.
The device supports user-based load sharing based on the user information (source IP addresses) of
packets.
2.
Click the icon of an interface.
3.
Description
Interface
Status of user-based sharing
Bandwidth
The load ratio of each interface is calculated based on the bandwidth of each
interface. For example, if the bandwidth of Ethernet 0/0 is set to 200 kbps, and that
of Ethernet 0/1 is set to 100 kbps, then the load ratio is 2:1.
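As an added example (not H3C code and not the device's forwarding code), the following Python ties together the static route fields described above and the load-sharing behaviour in this section: longest-prefix match, selection by preference (equal preferences share the load, a higher preference value acts as a backup), and user-based sharing that keeps every source address on one equal-cost route while spreading sources over the routes in proportion to interface bandwidth (200 kbps to 100 kbps gives 2:1). The default static route preference of 60, the addresses and the interface names in the sample table are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not H3C code): route selection with the four fields of the
# static route table, plus user-based (source address) load sharing weighted
# by interface bandwidth. The default preference of 60 for static routes and
# the addresses in sample_table() are assumptions.
DEFAULT_STATIC_PREFERENCE = 60


@dataclass(frozen=True)
class StaticRoute:
    destination: str            # "1.1.2.0/24"; "0.0.0.0/0" is the default route
    next_hop: str
    interface: str
    preference: int = DEFAULT_STATIC_PREFERENCE
    bandwidth_kbps: int = 100   # interface bandwidth used for the load ratio

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination)


class RoutingTable:
    def __init__(self, routes: List[StaticRoute]) -> None:
        self.routes = list(routes)

    def lookup(self, dst: str) -> List[StaticRoute]:
        """Longest-prefix match, then keep only the best (lowest) preference.
        One result means a single path (the others are backups); several
        results are equal-cost routes that share the load."""
        dst_ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst_ip in r.network]
        if not matches:
            return []
        longest = max(r.network.prefixlen for r in matches)
        matches = [r for r in matches if r.network.prefixlen == longest]
        best = min(r.preference for r in matches)
        return [r for r in matches if r.preference == best]

    def select(self, src: str, dst: str) -> Optional[StaticRoute]:
        """User-based sharing: every packet from one source address takes the
        same equal-cost route; sources are spread over the routes in
        proportion to interface bandwidth (200 kbps : 100 kbps gives 2:1)."""
        candidates = self.lookup(dst)
        if not candidates:
            return None
        total = sum(r.bandwidth_kbps for r in candidates)
        slot = int(ipaddress.ip_address(src)) % total
        for route in candidates:
            if slot < route.bandwidth_kbps:
                return route
            slot -= route.bandwidth_kbps
        return candidates[-1]   # unreachable: slot is always below total


def sample_table() -> RoutingTable:
    """Constructed table: two equal-cost routes to 1.1.2.0/24 with a 2:1
    bandwidth ratio, a primary and a backup route to 1.1.3.0/24, and a
    default route."""
    return RoutingTable([
        StaticRoute("0.0.0.0/0", "1.1.4.2", "Ethernet0/0"),
        StaticRoute("1.1.2.0/24", "1.1.4.1", "Ethernet0/0", bandwidth_kbps=200),
        StaticRoute("1.1.2.0/24", "1.1.5.6", "Ethernet0/1", bandwidth_kbps=100),
        StaticRoute("1.1.3.0/24", "1.1.5.6", "Ethernet0/1"),
        StaticRoute("1.1.3.0/24", "1.1.4.1", "Ethernet0/0", preference=70),
    ])
```

The backup behaviour follows from lookup alone: while both routes to 1.1.3.0/24 exist only the preference-60 route is returned, and removing it makes the preference-70 route the best remaining match.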
Overview
When multiple packet flows (classified by their source addresses) are received or sent by a device, you
can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound
direction, and then rank the statistics. The network administrator can use the traffic ordering statistics to
analyze the network usage for network management.
You can specify an interface as an external or internal interface to collect traffic statistics:
An internal interface collects both inbound and outbound traffic statistics, including the following:
Remarks
Setting the traffic ordering interval.
Optional.
The default traffic ordering interval is 10 seconds.
Required.
2.
3.
4.
Optional.
You can view the traffic ordering statistics of internal or
external interfaces.
Click Internal interface to set the interfaces as the internal interfaces to collect traffic statistics.
Click External interface to set the interfaces as the external interfaces to collect traffic statistics.
Click Disable statistics collecting to disable the interfaces from collecting traffic statistics.
Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and
then click Refresh to display the list as needed.
Figure 205 Internal interface traffic ordering statistics page
Configuring DNS
Overview
Domain Name System (DNS) is a distributed database that provides TCP/IP applications with the
mappings between host names and IP addresses. With DNS, you can use easy-to-remember host names
in some applications and let the DNS server translate them into correct IP addresses.
For more information about DNS, see Layer 3 - IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).
DNS provides the following functions:
DNS proxy: Forwards DNS requests and replies between the DNS client and DNS server.
Remarks
Required.
Remarks
Required.
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2.
3.
Click Apply.
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2.
3.
Click Apply.
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2.
3.
Click Apply.
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2.
3.
4.
Click Apply.
Description
From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2.
Click Add Suffix to enter the configuration page as shown in Figure 209.
3.
4.
Click Apply.
Figure 210 (network diagram; only its labels survive): Host (domain name host.com), Router A acting as DNS proxy, an IP network, and the DNS server; interface addresses shown in the figure are 4.1.1.1/24, 2.1.1.1/24, 2.1.1.2/24, 1.1.1.1/24, and 3.1.1.1/24.
Before performing the following configuration, make sure the device and the host are routable to each
other, and the IP addresses of the interfaces are configured as shown in Figure 210.
This configuration may vary with different DNS servers. The following configuration is performed on a PC
running Windows 2000 Server.
2.
3.
Click Apply.
Click Apply.
Click Apply.
Click Apply.
Click Apply.
Configuring DDNS
Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the
static mappings between domain names and IP addresses. When you use the domain name to access
a node whose IP address has changed, your access fails because DNS leads you to the IP address that
is no longer where the node resides.
Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names
and IP addresses for DNS servers to direct you to the latest IP address corresponding to a domain name.
DDNS can only dynamically update the mappings between domain names and IPv4 addresses but not
IPv6 addresses.
Figure 219 DDNS networking application
As shown in Figure 219, DDNS works on the client-server model comprising the DDNS client and the
DDNS server.
DDNS client: A device that needs to dynamically update the mapping between its domain name and IP
address on a DNS server. An Internet user usually uses the domain name to access an application
layer server such as an HTTP or FTP server. When its IP address changes, the application layer
server runs as a DDNS client and sends a request to the DDNS server to update the mapping
between the domain name and the IP address.
DDNS server: Informs the DNS server of the latest mappings. When receiving a mapping update
request from a DDNS client, the DDNS server tells the DNS server to update the mapping between
the domain name and IP address of the DDNS client. Therefore, Internet users can use the same
domain name to access the DDNS client even if its IP address has changed.
The DDNS update process does not have a unified standard and depends on the DDNS server that the
DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn
(also known as the PeanutHull server), and www.dyndns.com.
The device can act as a DDNS client to dynamically update the latest mapping between its domain name
and IP address on the DNS server through a DDNS server such as www.3322.org or www.oray.cn.
Configuration prerequisites
Visit the website of a DDNS service provider, register an account, and apply for a domain name for
the DDNS client.
Specify the primary IP address of the interface and make sure the DDNS server and the interface
can reach each other.
Configure static or dynamic domain name resolution to translate the domain name of the DDNS
server into its IP address.
Configuration procedure
1.
From the navigation tree, select Advanced > DNS Setup > DDNS Configuration to enter the DDNS
page, as shown in Figure 220.
2.
Click Add.
3.
Description
Domain Name
Specify the DDNS entry name, which is the unique identifier of the DDNS entry.
Item
Description
Server Provider
Server Name
Server
Settings
After the server provider is selected, the DDNS server name appears
automatically. For example, if the server provider is 3322.org, the server name is
members.3322.org. If the server provider is PeanutHull, the server name is
phservice2.oray.net. Use the default server name for the server provider
3322.org. The server provider PeanutHull can use phservice2.oray.net,
phddns60.oray.net, client.oray.net, or ph031.oray.net as the server name.
Specify the interval for sending DDNS update requests after DDNS update is
enabled.
IMPORTANT:
address of the interface changes or the link state of the interface changes
from down to up, no matter whether the interval is reached.
If you specify the interval as 0, your device does not periodically initiate any
DDNS update request, but initiates a DDNS update request when the
primary IP address of the interface is changed or the link state of the interface
changes from down to up.
Account
Settings
Username
Password
Associated
Interface
The IP address in the host name-to-IP address mapping for update is the primary
IP address of the interface.
IMPORTANT:
You can bind up to four DDNS entries to an interface.
Other
Settings
Specify the Fully Qualified Domain Name (FQDN) in the IP-to-FQDN mapping
for update.
If no FQDN is specified, the DDNS server updates all the domain names of the DDNS
client account. If an FQDN is specified, the DDNS server updates only the
specified IP-to-FQDN mapping.
Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1.
(Details not shown.)
2.
Configure DDNS:
a. From the navigation tree, select Advanced > DNS Setup > DDNS Configuration.
b. Click Add to enter the page.
c.
Enter nevets in Password and select Ethernet0/1 from the Associated Interface list.
h. Click Apply.
After the preceding configuration is completed, Router notifies the DNS server of its new domain
name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its
IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.
Configuring DHCP
Introduction to DHCP
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 224 shows a typical DHCP application.
Figure 224 A typical DHCP application
A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent, as shown in Figure 225.
Figure 225 A typical DHCP relay agent application
For more information about DHCP, see Layer 3 - IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).
Remarks
Required.
Enabling DHCP
IMPORTANT:
The DHCP server configuration is supported only on a Layer 3 Ethernet
interface (or subinterface), virtual Ethernet interface, VLAN interface,
Layer 3 aggregate interface, serial interface, ATM interface,
MP-group interface, or loopback interface.
Required.
An address pool can be either static or dynamic, but not both.
IMPORTANT:
Remarks
Required.
Enabling DHCP
Task
Remarks
Required.
IMPORTANT:
Remarks
Required.
For detailed configuration, see "Configuring DHCP interface
setup."
Enabling DHCP
Select Advanced > DHCP Setup from the navigation tree to enter the default DHCP Enable page as shown
in Figure 226.
Description
DHCP
2.
3.
4.
Click Apply.
Description
Interface
Type
Item
Description
Correlate the relay agent interface with a DHCP server group.
You can correlate a DHCP server group with multiple interfaces. Make sure that
you have already added DHCP server groups for selection.
2.
Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3.
Select the Server option in the Type field and expand the Assignable IP Addresses node.
4.
Select Static Binding option in the Address Allocation Mode field to expand the static address pool
setup configuration section.
Figure 228 Static address pool setup for the DHCP server
5.
Configure the static address pool for the DHCP server as described in Table 106.
6.
Click Apply.
Description
Pool Name
Address Allocation
Mode: Static Binding
Specify the static address allocation mode for the DHCP address pool.
Item
Description
IP Address
IP address and its subnet mask of the static binding. A natural mask is adopted if no
subnet mask is specified.
IMPORTANT:
Subnet Mask
It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts
may occur, and the client cannot obtain the IP address.
MAC Address
Domain Name
After specifying a domain name in the address pool, the DHCP server assigns the
domain name along with an IP address to a client.
Specify a gateway for the DHCP client.
Gateway IP Address
DHCP clients that want to access hosts outside the local subnet need a gateway to
forward data. After specifying a gateway in the address pool, the DHCP server
assigns the gateway address along with an IP address to a client.
Specify a primary DNS server for the DHCP client.
In order for clients to access the Internet using a domain name, the DHCP server
assigns the specified DNS server address along with an IP address to a client.
2.
Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3.
Select the Server option in the Type field, and then expand the Assignable IP Addresses node.
4.
Select the Dynamic Allocation option in the Address Allocation Mode field to expand the dynamic
address pool setup configuration section.
Figure 229 Dynamic address pool setup for the DHCP server
5.
Configure the dynamic address pool for the DHCP server as described in Table 107.
6.
Click Apply.
Description
Pool Name
Specify the dynamic address allocation mode for the DHCP address pool.
IP Address
Item
Description
IMPORTANT:
Subnet Mask
Make sure the IP address is on the same network segment as the IP address of
the DHCP server interface or the DHCP relay agent interface to avoid wrong IP
address allocation.
Specify the lease for IP addresses to be assigned.
NOTE:
Lease Duration
If the lease has an end time specified later than the year 2106, the system
considers it an expired lease.
After specifying a domain name in the address pool, the DHCP server assigns
the domain name along with an IP address to a client.
Specify a gateway for the DHCP client.
Gateway IP Address
DHCP clients that want to access hosts outside the local subnet need a
gateway to forward data. After specifying a gateway in the address pool, the
DHCP server assigns the gateway address along with an IP address to a
client.
Specify a primary DNS server for the DHCP client.
In order for clients to access the Internet using a domain name, the DHCP
server assigns the specified DNS server address along with an IP address to
a client.
2.
Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3.
4.
5.
6.
Click Apply.
Description
Start IP Address
End IP Address
The end IP address must not be lower than the start IP address. A higher end IP
address and a lower start IP address specify an IP address range while two identical
IP addresses specify a single IP address.
2.
Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3.
4.
Select the Relay option in the Type field, and then expand the Add DHCP Server Group node.
5.
6.
Click Apply.
Description
DHCP server group ID.
You can create at most 20 DHCP server groups.
Specifies the DHCP server IP addresses for the DHCP server group.
Server IP Address
IMPORTANT:
The IP address of a DHCP server cannot be on the same network segment as that of the
DHCP relay agent interface. Otherwise, DHCP clients may fail to obtain IP addresses.
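As an added example (not H3C code and not the device's DHCP implementation), the following Python models a DHCP server that enforces the IMPORTANT and NOTE rules from the tables above: a static binding may not use the server interface address, a dynamic pool must lie on the server interface's segment, a lease ending after 2106 counts as expired, a forbidden range's end address may not be lower than its start, and a relay server group may hold at most 20 groups with servers off the relay interface's segment. The server interface address 10.1.1.1/24 and the client MAC addresses are assumptions; the bound address, pool and forbidden addresses follow the configuration example in this chapter.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Added example (not H3C code): a DHCP server model that enforces the
# IMPORTANT/NOTE rules from the tables above. The server interface address
# 10.1.1.1/24 and the client MAC addresses used with it are assumptions.
YEAR_2106 = datetime(2106, 1, 1)
MAX_SERVER_GROUPS = 20

IPv4 = ipaddress.IPv4Address


class ConfigError(ValueError):
    """Raised for a setting the tables above say the device rejects."""


def forbidden_range(start: str, end: str) -> Tuple[IPv4, IPv4]:
    """A Forbidden IP Addresses entry: the end address must not be lower than
    the start; two identical addresses exclude a single address."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if e < s:
        raise ConfigError("end IP address must not be lower than start IP address")
    return s, e


def lease_is_valid(start: datetime, days: int = 1, hours: int = 0, minutes: int = 0) -> bool:
    """The device treats a lease whose end time falls later than 2106 as expired."""
    return start + timedelta(days=days, hours=hours, minutes=minutes) < YEAR_2106


class DhcpServer:
    def __init__(self, interface: str) -> None:
        self.iface = ipaddress.ip_interface(interface)   # e.g. "10.1.1.1/24"
        self.static: Dict[str, IPv4] = {}                # MAC -> bound address
        self.leases: Dict[str, IPv4] = {}                # MAC -> dynamic address
        self.forbidden: List[Tuple[IPv4, IPv4]] = []
        self.pool: Optional[ipaddress.IPv4Network] = None

    def add_static_binding(self, mac: str, ip: str) -> None:
        addr = ipaddress.ip_address(ip)
        if addr == self.iface.ip:
            raise ConfigError("static binding cannot use the DHCP server interface address")
        self.static[mac] = addr

    def add_dynamic_pool(self, network: str) -> None:
        # Only the server-interface case is checked here; a relay agent interface
        # would be checked the same way.
        net = ipaddress.ip_network(network)
        if self.iface.ip not in net:
            raise ConfigError("pool must be on the same segment as the server interface")
        self.pool = net

    def add_forbidden(self, start: str, end: str) -> None:
        self.forbidden.append(forbidden_range(start, end))

    def _is_forbidden(self, ip: IPv4) -> bool:
        return any(s <= ip <= e for s, e in self.forbidden)

    def allocate(self, mac: str) -> Optional[IPv4]:
        """Static binding first, then an existing lease, then the lowest free pool
        address that is not the server's own, statically bound or forbidden."""
        if mac in self.static:
            return self.static[mac]
        if mac in self.leases:
            return self.leases[mac]
        if self.pool is None:
            return None
        taken = set(self.static.values()) | set(self.leases.values()) | {self.iface.ip}
        for ip in self.pool.hosts():
            if ip in taken or self._is_forbidden(ip):
                continue
            self.leases[mac] = ip
            return ip
        return None


def relay_server_group(group_id: int, relay_interface: str, server_ips: List[str],
                       existing_groups: int = 0) -> Dict[str, object]:
    """Validate a DHCP server group for a relay agent interface."""
    if existing_groups >= MAX_SERVER_GROUPS:
        raise ConfigError("at most 20 DHCP server groups can be created")
    relay = ipaddress.ip_interface(relay_interface)
    for server in server_ips:
        if ipaddress.ip_address(server) in relay.network:
            raise ConfigError("DHCP server must not be on the relay agent interface's segment")
    return {"id": group_id, "servers": list(server_ips)}
```

With the example's pool 10.1.1.0/24, the binding 10.1.1.5 for MAC 000f-e200-0002, and 10.1.1.2, 10.1.1.126 and 10.1.1.254 excluded, the first dynamic client receives 10.1.1.3: 10.1.1.1 is the server's own address and 10.1.1.2 is forbidden, which is exactly why the example excludes the DNS server and gateway addresses before clients start requesting leases.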
The DHCP server and clients are on the same subnet and directly exchange DHCP messages.
The DHCP server and clients are not on the same subnet and communicate with each other through
a DHCP relay agent.
The DHCP server configuration for the two types is the same.
2.
Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree to enter the default DHCP Enable
page.
Click Apply.
3.
Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on
interface Ethernet 0/1. Details not shown.)
4.
Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B:
a. Click the DHCP Interface Setup tab.
b. Select the Server option in the Type field and expand the Assignable IP Addresses node.
c.
Enter pool-static in the Pool Name field and select the Static Binding option in the Address
Allocation Mode field.
d. Enter 10.1.1.5 in the IP Address field and select the Subnet Mask box, and then enter
255.255.255.128.
e. Enter 000f-e200-0002 in the MAC Address field and select the Gateway IP Address box, and
Select the Primary DNS Server box, and then enter 10.1.1.2.
g. Click Apply.
5.
Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS
server address):
Enter 10.1.1.0 in the IP Address field and select the Subnet Mask box, and then enter
255.255.255.0.
Click Apply.
Configure DHCP address pool 1 (including the address range, lease duration, and gateway
address):
g. Click Apply.
7.
Configure DHCP address pool 2 (including the address range, lease duration and gateway IP
address):
g. Click Apply.
8. Exclude IP addresses from dynamic allocation (DNS server and gateway addresses):
a. Expand the Forbidden IP Addresses node.
b. Enter 10.1.1.2 in the Start IP Address field, enter 10.1.1.2 in the End IP Address field, click Apply, enter 10.1.1.126 in the Start IP Address field, as shown in Figure 238, enter 10.1.1.126 in the End IP Address field, click Apply, enter 10.1.1.254 in the Start IP Address field, as shown in Figure 238, and enter 10.1.1.254 in the End IP Address field.
c. Click Apply.
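To make the static binding and forbidden-address behaviour configured in steps 4 to 8 concrete, here is an added Python model (example code written for this guide, not H3C software) of a pool with a static binding and excluded addresses, plus a check for the IMPORTANT note above that a DHCP server must not sit on the relay interface's subnet. The pool 10.1.1.0/24, the binding of 000f-e200-0002 to 10.1.1.5 and the excluded addresses 10.1.1.2, 10.1.1.126 and 10.1.1.254 are taken from the procedure; lowest-free-address allocation, the class and function names are assumptions of the model, not documented device behaviour.

```python
import ipaddress

# Constructed example values (mirroring the procedure above, not read from a device).
POOL_NETWORK = "10.1.1.0/24"
FORBIDDEN = ("10.1.1.2", "10.1.1.126", "10.1.1.254")   # DNS server and gateway addresses
STATIC_BINDINGS = {"000f-e200-0002": "10.1.1.5"}         # Router B's MAC -> fixed address


class DhcpPool:
    """Simplified model of a DHCP address pool with static bindings and
    forbidden (excluded) addresses. Allocation order is lowest-free-first,
    which is an assumption of this model, not documented device behaviour."""

    def __init__(self, network, forbidden=(), static=None):
        self.network = ipaddress.ip_network(network)
        self.forbidden = {ipaddress.ip_address(a) for a in forbidden}
        self.static = {mac: ipaddress.ip_address(ip) for mac, ip in (static or {}).items()}
        self.leases = {}  # client MAC -> leased address

    def allocate(self, mac):
        """Return the address leased to `mac`, or None if the pool is exhausted."""
        if mac in self.leases:                 # a renewing client keeps its address
            return str(self.leases[mac])
        if mac in self.static:                 # a static binding wins over dynamic allocation
            self.leases[mac] = self.static[mac]
            return str(self.static[mac])
        reserved = set(self.leases.values()) | self.forbidden | set(self.static.values())
        for host in self.network.hosts():      # forbidden addresses are never handed out
            if host not in reserved:
                self.leases[mac] = host
                return str(host)
        return None


def relay_placement_ok(relay_interface, server_ip):
    """Check the IMPORTANT note: the DHCP server's address must not lie on the subnet
    of the relay agent interface (given as address/prefix, e.g. "10.1.1.1/24")."""
    iface = ipaddress.ip_interface(relay_interface)
    return ipaddress.ip_address(server_ip) not in iface.network


def demo():
    """Router B gets its static address; two dynamic clients skip the forbidden 10.1.1.2;
    a renewing client keeps its lease."""
    pool = DhcpPool(POOL_NETWORK, FORBIDDEN, STATIC_BINDINGS)
    clients = ("000f-e200-0002", "0011-2233-0001", "0011-2233-0002", "0011-2233-0001")
    return [pool.allocate(mac) for mac in clients]
```

Running demo() yields 10.1.1.5 for Router B, then 10.1.1.1 and 10.1.1.3 for the dynamic clients (10.1.1.2 is excluded), and 10.1.1.1 again for the renewing client.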
Setup tab.
d. Click Apply.
2. Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree of Router A.
b. Enter the default DHCP Enable tab.
c.
d. Click Apply.
3.
g. Click Apply.
4.
Figure 243 The page for enabling the DHCP relay agent on interface Ethernet 0/1
2. Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree of Router B.
b. Enter the default DHCP Enable tab, as shown in Figure 244.
c.
d. Click Apply.
3. Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on Ethernet 0/1. Details are not shown.)
4.
b. Select the Server option in the Type field and expand the Assignable IP Addresses node.
c. Enter pool1 in the Pool Name field and select the Dynamic Allocation option in the Address Allocation Mode field.
d. Enter 10.10.1.0 in the IP Address field, select the Subnet Mask box, and then enter 255.255.255.0.
e. Set the Lease Duration to 7 days, 0 hours, and 0 minutes.
f. Click Apply.
5. Exclude IP addresses from dynamic allocation (DNS server and gateway addresses):
a. Expand the Forbidden IP Addresses node, as shown in Figure 246.
d. Click Apply.
e. Enter 10.1.1.126 in the Start IP Address field, as shown in Figure 246.
f.
g. Click Apply.
Configuration guidelines
1. If multiple VLAN interfaces sharing one MAC address request IP addresses using DHCP, the DHCP server cannot be a Windows 2000 server or a Windows 2003 server.
2. To remove a DHCP server group that is associated with multiple interfaces, cancel the associations first.
Configuring ACLs
The Web interface provides the following ACL configuration functions:
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules (for example, QoS
and IP routing) for traffic identification.
IPv4 ACLs fall into the following categories, as shown in Table 110.
Table 110 IPv4 ACL categories
Category                     ACL number     Match criteria
Basic ACLs                   2000 to 2999   Source IPv4 address
Advanced ACLs                3000 to 3999   Source and destination IPv4 addresses, protocol, TCP/UDP port numbers, ICMP type and code, precedence, DSCP, TOS
Ethernet frame header ACLs   4000 to 4999   Source and destination MAC addresses, 802.1p priority, LSAP type, protocol type
For more information about IPv4 ACL, see H3C MSR Series Routers (V5) ACL and QoS Configuration
Guide.
Remarks
Required.
1.
2.
3.
4.
Required.
Complete one of these tasks according to the ACL category.
ACL Number: Set the number of the IPv4 ACL you want to configure. The value range for the ACL number is 2000 to 2999.
Match Order: Set the match order of the ACL:
Config: Packets are compared against ACL rules in ascending ACL rule ID order.
Auto: Packets are compared against ACL rules in depth-first match order, which makes sure that a rule describing a subset of another rule's traffic is always matched before that rule.
ACL: Select the basic IPv4 ACL for which you want to configure rules. ACLs available for selection are basic IPv4 ACLs.
Rule ID: Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action: Select the action to be taken on the IPv4 packets matching the rule:
Check Fragment
Check Logging: A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
Source IP Address: Select the Source IP Address box, and enter a source IPv4 address and source
Source Wildcard
Time Range: The time ranges available for selection must have been created at the CLI on the router.
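The match order and the basic ACL rule items above can be exercised with this added Python model (example code, not part of the H3C guide or the device software). It implements wildcard matching for basic ACL rules and the Config versus Auto ordering, and keeps the per-rule matched-packet count that the log entry reports. The ACL 2000 rules, the names used and the assumption that packets matching no rule are permitted are constructed for the example; ranking rules by the number of wildcard bits is a simplification of the device's depth-first rule.

```python
import ipaddress
from dataclasses import dataclass


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass
class BasicRule:
    """One basic IPv4 ACL rule: a source address plus a wildcard mask. In the wildcard,
    0 bits must match exactly and 1 bits are ignored (0.0.0.255 covers a /24)."""
    rule_id: int
    action: str                # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"  # default: match this exact host
    hits: int = 0              # matched-packet counter, as reported in the log entry

    def matches(self, src_ip):
        care = ~_ip(self.wildcard) & 0xFFFFFFFF
        return (_ip(src_ip) & care) == (_ip(self.source) & care)


def ordered(rules, match_order):
    """Order rules as the Match Order item describes.
    config: ascending rule ID.
    auto:   depth-first. This model ranks a rule by how many source bits it cares about
            (fewer wildcard 1 bits = more specific) and breaks ties by rule ID; the
            device's exact tie-breaking is an assumption here."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (bin(_ip(r.wildcard)).count("1"), r.rule_id))
    raise ValueError(f"unknown match order {match_order!r}")


def filter_packet(rules, match_order, src_ip, default_action="permit"):
    """Return (action, rule_id) of the first matching rule in match order.
    The action for packets matching no rule depends on where the ACL is applied,
    so it is a parameter; "permit" is an assumption of this model."""
    for rule in ordered(rules, match_order):
        if rule.matches(src_ip):
            rule.hits += 1
            return rule.action, rule.rule_id
    return default_action, None


def acl_2000():
    """Constructed ACL 2000: rule 0 permits all of 10.1.0.0/16, rule 5 denies the
    10.1.1.0/24 subset of it. Rule 5 describes a subset of rule 0's traffic, so the
    match order decides which one a packet from 10.1.1.x hits."""
    return [
        BasicRule(0, "permit", "10.1.0.0", "0.0.255.255"),
        BasicRule(5, "deny", "10.1.1.0", "0.0.0.255"),
    ]
```

With Config order a packet from 10.1.1.7 hits rule 0 first and is permitted; with Auto order the more specific rule 5 is checked first and the packet is denied, which is the subset-before-superset property the Match Order item describes.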
ACL: Select the advanced IPv4 ACL for which you want to configure rules. You can use the command line interface to create advanced IPv4 ACLs. For more information, see H3C MSR Series Routers (V5) ACL and QoS Configuration Guide. Also, when you configure advanced bandwidth limit and advanced bandwidth guarantee, the system automatically creates advanced IPv4 ACLs. For more information, see "Configuring QoS."
Rule ID: Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
Action
Check Fragment: If you do not select this box, the rule applies to all fragments and non-fragments.
Logging: Select this box to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
IP Address Filter: Source IP Address, Source Wildcard, Destination IP Address, Destination Wildcard
Protocol
ICMP Message, ICMP Type, ICMP Code: These items are available only when you select 1 ICMP from the Protocol list. If you select Other from the ICMP Message list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields take the default values, which cannot be changed.
TCP Connection Established: Select this box to make the rule match packets used for establishing and maintaining TCP connections. This item is available only when you select 6 TCP from the Protocol list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
TCP/UDP Port Filter (Source, Destination): Select the operators and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol list.
Precedence Filter: DSCP, TOS, Precedence
Time Range
Figure 251 The page for configuring a rule for an Ethernet frame header ACL
ACL: Select the Ethernet frame header IPv4 ACL for which you want to configure rules. You can use the command line interface to create Ethernet frame header IPv4 ACLs. For more information, see H3C MSR Series Routers (V5) ACL and QoS Configuration Guide.
Rule ID: Select the Rule ID box, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically. If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action: Select the action to be performed for IPv4 packets matching the rule:
MAC Address Filter:
Source MAC Address, Source Mask: Select the Source MAC Address box, and enter a source MAC address and wildcard.
Destination MAC Address, Destination Mask: Select the Destination MAC Address box, and enter a destination MAC address and wildcard.
COS (802.1p priority): Specify the 802.1p priority for the rule.
Type Filter:
LSAP Type, LSAP Mask: Select the LSAP Type box, and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
Protocol Type, Protocol Mask
Time Range: Select the time range during which the rule takes effect.
Configuration guidelines
When you configure an ACL, follow these guidelines:
You cannot create a rule with or modify a rule to have the same permit/deny statement as an
existing rule in the ACL.
You can only modify the existing rules of an ACL that uses the match order of config. When you
modify a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.
Configuring QoS
The Web interface provides the following QoS configuration functions:
Overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS focuses on improving services under certain conditions rather than
grading services precisely.
In an IP network, QoS evaluates the ability of the network to forward packets of different services. You can
base the evaluation on different criteria because the network may provide various services. Generally,
QoS refers to the ability to provide improved service by solving the core issues such as delay, jitter, and
packet loss ratio in the packet forwarding process.
Through the Web interface, you can configure the following QoS features:
Subnet limit
Advanced limit
Advanced queue
Subnet limit
Subnet limit enables you to regulate the specification of traffic entering or leaving a device based on
source/destination IP address. Packets conforming to the specification can pass through, and packets
exceeding the specification are dropped. In this way, the network resources are protected.
Advanced limit
Similar to subnet limit, advanced limit also implements traffic policing at the IP layer. They differ in that:
Advanced limit can classify traffic based on time range, packet precedence, protocol type, and
port number, and provide more granular services.
In addition to permitting traffic conforming to the specification to pass through, advanced limit can
also set IP precedence, differentiated service code point (DSCP) value, and 802.1p priority for
packets as required.
For more information about IP precedence, DSCP values, and 802.1p priority, see "Appendix Packet
priorities."
Advanced queue
Advanced queue offers the following functions:
Interface bandwidth limit: Uses token buckets for traffic control and limits the rate of transmitting packets (including critical packets) on an interface. When limiting the rate of all packets on an interface, interface bandwidth limit is a better approach than subnet limit and advanced limit, because the latter two work at the IP layer and do not take effect on packets not processed by the IP layer.
Set the address range of the subnet where rate limit is to be performed.
Interface
CIR
Type:
Share: Limits the total rate of traffic for all IP addresses on the subnet, and dynamically allocates bandwidth to an IP address based on traffic size.
Per IP: Individually limits the rate of traffic of each IP address on the subnet to the configured rate.
destination IP addresses.
Upload: Limits the rate of outgoing packets of the interface based on their source IP addresses.
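The Share and Per IP types, and the token-bucket policing the overview mentions, can be illustrated with this added Python model (example code, not from the guide or the device). It simulates a 64 kbps subnet limit on 10.1.1.0/24 in both modes against a constructed packet trace. The CIR, bucket size, addresses, the class names and the assumption that traffic from outside the subnet is not limited are all constructed for the example.

```python
import ipaddress


class TokenBucket:
    """Single-rate token bucket. Tokens (bytes) accrue at the CIR and are capped at
    the bucket size; a packet conforms only if enough tokens are present."""

    def __init__(self, cir_kbps, bucket_bytes):
        self.rate = cir_kbps * 1000 / 8.0   # bytes per second
        self.capacity = bucket_bytes
        self.tokens = float(bucket_bytes)   # the bucket starts full
        self.last = 0.0                     # timestamp of the last update, in seconds

    def conform(self, nbytes, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class SubnetLimiter:
    """Subnet limit in the two Type modes described above.
    share:  one bucket for the whole subnet, so active hosts compete for the CIR.
    per-ip: one bucket per host address, each limited to the CIR on its own.
    Traffic from outside the subnet is not subject to this limiter (assumption)."""

    def __init__(self, subnet, cir_kbps, bucket_bytes, mode):
        if mode not in ("share", "per-ip"):
            raise ValueError(mode)
        self.subnet = ipaddress.ip_network(subnet)
        self.cir_kbps, self.bucket_bytes, self.mode = cir_kbps, bucket_bytes, mode
        self.shared = TokenBucket(cir_kbps, bucket_bytes)
        self.per_ip = {}

    def admit(self, ip, nbytes, now):
        """True if the packet conforms and passes, False if it exceeds the specification and is dropped."""
        addr = ipaddress.ip_address(ip)
        if addr not in self.subnet:
            return True
        if self.mode == "share":
            bucket = self.shared
        else:
            bucket = self.per_ip.setdefault(addr, TokenBucket(self.cir_kbps, self.bucket_bytes))
        return bucket.conform(nbytes, now)


# Constructed trace: (time in seconds, source address, packet size in bytes).
TRACE = [
    (0.0, "10.1.1.10", 1500),
    (0.0, "10.1.1.11", 1500),
    (0.1, "10.1.1.10", 1500),
    (1.0, "10.1.1.10", 1500),
    (1.0, "192.0.2.5", 1500),   # outside the limited subnet
]


def run(mode, cir_kbps=64, bucket_bytes=1500):
    """Replay TRACE through a 64 kbps limiter on 10.1.1.0/24 and return the pass/drop verdicts."""
    limiter = SubnetLimiter("10.1.1.0/24", cir_kbps, bucket_bytes, mode)
    return [limiter.admit(ip, size, t) for t, ip, size in TRACE]
```

In share mode the second host's packet at t=0 is dropped because the first host emptied the common bucket; in per-ip mode both pass, since each host has its own 64 kbps allowance. In both modes the 0.1 s follow-up packet is dropped (only 800 bytes have accrued) and the packet one second later passes.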
Description: Configure a description for the advanced limit policy for management purposes.
Interface
Direction: When you specify the direction Download, the source IP address of packets is matched. When you specify the direction Upload, the destination IP address of packets is matched.
CIR
Remark Type
IP Precedence: You can configure up to eight IP precedence values for an advanced limit policy, and the relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically.
DSCP: Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for an advanced limit policy, and the relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. The defined DSCP values are displayed in ascending order automatically.
Inbound Interface
Time Range: Set the time range when the advanced limit policy takes effect. You must set the begin-end time and the days of the week.
Protocol Name: Define a rule to match packets based on their protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree and click Load Application.
Custom Type (Source Port, Destination Port): Select the transport layer protocol type and set the source service port range and destination service port range.
Interface Name
Interface Bandwidth: Set the average traffic rate allowed for the interface. H3C recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link.
If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ enqueues packets is 1000000 kbps. If you have not specified the interface bandwidth, the maximum interface bandwidth varies by interface type following these rules:
If the interface is a virtual interface of any other type, a tunnel interface for example, 0 kbps applies.
Description: Configure a description for the bandwidth guarantee policy for management purposes.
Set the service class queue type:
the EF service so as to ensure low delay for real-time data traffic. At the same time, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
Interface
Bandwidth
IP Address/Mask: You can add multiple IP addresses/masks. Click the Add or Delete button to add or delete IP addresses/masks to/from the field.
IP Precedence: Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for a bandwidth guarantee policy, and the relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically.
DSCP: Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for a bandwidth guarantee policy, and the relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. After each configuration, the defined DSCP values are displayed in ascending order automatically.
Inbound Interface
Time Range: Set the time range when the bandwidth guarantee policy takes effect. You must set the begin-end time and the days of the week.
Protocol Name: Define a rule to match packets based on protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree and click Load Application.
Custom Type (Source Port, Destination Port): Select the transport layer protocol type and set the service source port range and destination port range.
Configuration procedure
# Configure the bandwidth limit settings for the network segment.
Select Advance > QoS Setup > Subnet Limit from the navigation tree, and click Add on the
displayed page.
Click Apply.
Perform AF for traffic with the DSCP fields AF11 and AF22 (DSCP values 10 and 18), and set the
minimum bandwidth to 40 kbps.
Perform EF for traffic with the DSCP field EF (DSCP value 46), and set the maximum bandwidth to
240 kbps.
The route from Router C to Router D through Router A and Router B is reachable.
The DSCP fields have been set for the traffic before the traffic enters Router A.
Configuration procedure
1. Configure Router A:
Select Advance > QoS Setup > Advanced Queue from the navigation tree, and click Add on the displayed page.
Click Apply.
Select Advance > QoS Setup > Advanced Queue from the navigation tree, and click Add on the displayed page.
Click Apply.
After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in the network.
As shown in Figure 263, the ToS field of the IP header contains eight bits: the first three bits (0 to 2)
represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined
as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is
represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and 7) are
reserved.
Table 119 Description on IP precedence
IP precedence (decimal)   IP precedence (binary)   Keyword
0                         000                      routine
1                         001                      priority
2                         010                      immediate
3                         011                      flash
4                         100                      flash-override
5                         101                      critical
6                         110                      internet
7                         111                      network
DSCP (decimal)   DSCP (binary)   Keyword
46               101110          ef
10               001010          af11
12               001100          af12
14               001110          af13
18               010010          af21
20               010100          af22
22               010110          af23
26               011010          af31
28               011100          af32
30               011110          af33
34               100010          af41
36               100100          af42
38               100110          af43
8                001000          cs1
16               010000          cs2
24               011000          cs3
32               100000          cs4
40               101000          cs5
48               110000          cs6
56               111000          cs7
0                000000          be (default)
802.1p priority
802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header
analysis is not needed and QoS must be assured at Layer 2.
Figure 264 An Ethernet frame with an 802.1q tag header
As shown in Figure 264, the 4-byte 802.1q tag header consists of the TPID (two bytes in length), whose
value is 0x8100, and the TCI (two bytes in length). Figure 265 shows the format of the 802.1q tag header.
The priority in the 802.1q tag header is called "802.1p priority," because its use is defined in IEEE
802.1p.
Figure 265 802.1q tag header
802.1p priority (decimal)   802.1p priority (binary)   Keyword
0                           000                        best-effort
1                           001                        background
2                           010                        spare
3                           011                        excellent-effort
4                           100                        controlled-load
5                           101                        video
6                           110                        voice
7                           111                        network-management
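To tie the ToS, DSCP and 802.1p tables above together, here is an added Python example (not from the guide) that decodes the three priority fields from a constructed tagged IPv4 frame: the 802.1p priority from the 802.1q TCI, and IP precedence and DSCP from the ToS byte, mapping each to the keywords in the tables. The frame builder, the MAC addresses and the function names are constructed for the example; the AF and CS decoding generalizes the table entries from the DSCP bit layout rather than looking them up one by one.

```python
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]
PCP_NAMES = ["best-effort", "background", "spare", "excellent-effort",
             "controlled-load", "video", "voice", "network-management"]


def tos_fields(tos):
    """Split the 8-bit ToS byte: IP precedence = bits 0-2 (the three high-order bits),
    DSCP = bits 0-5 (the six high-order bits), bits 6-7 reserved."""
    return {"precedence": tos >> 5, "dscp": tos >> 2, "reserved": tos & 0x3}


def dscp_keyword(dscp):
    """Map a DSCP value to its keyword (ef, afXY, csX, be), or None if it is not a
    standard code point. AF classes are decoded from the bit layout: class = the
    three high bits, drop precedence = the next two bits, and the low bit is 0."""
    if dscp == 46:
        return "ef"
    if dscp == 0:
        return "be"
    cls, drop, low = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if (dscp & 0x7) == 0 and 1 <= cls <= 7:
        return f"cs{cls}"
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low == 0:
        return f"af{cls}{drop}"
    return None


def parse_dot1q(frame):
    """Parse the 802.1q tag of an Ethernet frame: TPID 0x8100 at bytes 12-13, then the
    TCI: 3-bit priority (802.1p), 1-bit CFI, 12-bit VLAN ID. Returns None if untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1q header")
    if int.from_bytes(frame[12:14], "big") != 0x8100:
        return None
    tci = int.from_bytes(frame[14:16], "big")
    pcp = tci >> 13
    return {"pcp": pcp, "pcp_name": PCP_NAMES[pcp], "cfi": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": int.from_bytes(frame[16:18], "big")}


def classify(frame):
    """Layer 2 and Layer 3 priorities of a frame, as a QoS classifier would read them."""
    tag = parse_dot1q(frame)
    result = {"dot1p": tag["pcp"] if tag else None}
    l3 = 18 if tag else 14
    ethertype = tag["ethertype"] if tag else int.from_bytes(frame[12:14], "big")
    if ethertype == 0x0800:
        fields = tos_fields(frame[l3 + 1])          # ToS is the second byte of the IPv4 header
        result["precedence"] = PRECEDENCE_NAMES[fields["precedence"]]
        result["dscp"] = dscp_keyword(fields["dscp"])
    return result


def build_frame(pcp, vid, tos):
    """Constructed sample: tagged IPv4 frame with the given 802.1p priority, VLAN and ToS byte."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    eth = (bytes.fromhex("000f e200 0001 000f e200 0002")   # constructed dst/src MACs
           + b"\x81\x00" + tci.to_bytes(2, "big") + b"\x08\x00")
    ipv4 = bytes([0x45, tos]) + bytes(18)           # minimal 20-byte IPv4 header, only ToS set
    return eth + ipv4
```

For a frame tagged with priority 5 in VLAN 100 carrying a ToS byte of 0xB8, classify() reports 802.1p video, IP precedence critical and DSCP ef, which matches the rows of the three tables (ef is 101110, whose first three bits are 101).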
Configuring SNMP
This chapter is only applicable to the MSR 20/30/50/930 series routers.
For information about configuring SNMP from the Web interface for the MSR 900/20-1X series routers,
see "Configuring SNMP (lite version)."
Overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a
management station to access and operate the devices on a network, regardless of their vendors,
physical characteristics and interconnect technologies.
The SNMP framework comprises the following elements:
SNMP manager: Works on an NMS to monitor and manage the SNMP-capable devices in the network.
SNMP agent: Works on a managed device to receive and handle requests from the NMS, and send traps to the NMS when some events, such as interface state change, occur.
H3C supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
SNMPv1: Uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agent. If the community name used by the NMS is different from the community name set on the agent, the NMS cannot establish an SNMP session to access the agent or receive traps and notifications from the agent.
SNMPv2c: Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but supports more operation modes, data types, and error codes.
SNMPv3: Uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.
For more information about SNMP, see H3C MSR Series Routers Network Management and Monitoring
Configuration Guide.
Task
Remarks
Required.
The SNMP agent function is disabled by default.
IMPORTANT:
If the SNMP agent function is disabled, all SNMP agent-related configurations are removed.
Optional.
After creating SNMP views, you can specify an SNMP view for
an SNMP group to limit the MIB objects that can be accessed by
the SNMP group.
Required.
Optional.
Allows you to enable the agent to send SNMP traps to the NMS, and to configure the target hosts of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.
Optional.
Configuring SNMPv3
Task
Remarks
Required.
The SNMP agent function is disabled by default.
IMPORTANT:
If the SNMP agent function is disabled, all SNMP agent-related
configurations are removed.
Optional.
After creating SNMP views, you can specify an SNMP view for
an SNMP group to limit the MIB objects that can be accessed by
the SNMP group.
Required.
After creating an SNMP group, you can add SNMP users to the group when creating the users, so that the users in a group can be managed centrally through the group.
Required.
Allows you to enable the agent to send SNMP traps to the NMS, and to configure the target hosts of the SNMP traps.
By default, an agent is allowed to send SNMP traps to the NMS.
Optional.
Select Advanced > SNMP from the navigation tree to enter the SNMP configuration page, as
shown in Figure 266.
On the upper part of the page, you can select to enable or disable the SNMP agent function and
configure parameters such as SNMP version.
On the lower part of the page, you can view the SNMP statistics, which helps you understand the
running status of the SNMP after your configuration.
2.
SNMP
Local Engine ID: The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size: Configure the maximum size of an SNMP packet that the agent can receive or send.
Contact: Set a character string to describe the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information for the device.
Location
SNMP Version
Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters
of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules,
click Apply to create an SNMP view. The view will not be created if you click Cancel.
Table 123 Configuration items
View Name
Rule
MIB Subtree OID: The MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.
Subtree Mask: Set the subtree mask. If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.
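As an added illustration of mask-OID matching (example code, not H3C's implementation), the following Python functions evaluate a view built from subtree and mask rules. The mask semantics (1 bits must match, 0 bits are wildcards, missing bits count as 1 so the default all-Fs mask requires every position to match, and the rule with the longest subtree wins) follow the RFC 3415 view family definition, which this example assumes the device follows; the sample view, which exposes the whole mib-2 subtree but only interface 3's row of ifTable, is constructed.

```python
def parse_oid(text):
    """'1.3.6.1.2.1' -> [1, 3, 6, 1, 2, 1] (a leading dot is tolerated)."""
    return [int(part) for part in text.strip(".").split(".")]


def mask_bits(mask_hex, length):
    """Expand a hex subtree mask to one bit per sub-identifier of the subtree OID.
    Bit 1 = that position must match exactly, bit 0 = wildcard. Positions beyond the
    end of the mask are treated as 1, so an empty mask (the default, "all Fs")
    means every position must match. Assumed to model the device's mask-OID matching."""
    bits = []
    for digit in (mask_hex or ""):
        value = int(digit, 16)
        bits.extend(((value >> 3) & 1, (value >> 2) & 1, (value >> 1) & 1, value & 1))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def in_subtree(subtree, mask_hex, oid):
    """True if `oid` lies under the (possibly wildcarded) subtree."""
    sub, target = parse_oid(subtree), parse_oid(oid)
    if len(target) < len(sub):
        return False
    return all(bit == 0 or s == t
               for s, t, bit in zip(sub, target, mask_bits(mask_hex, len(sub))))


def view_allows(rules, oid):
    """Evaluate a view made of (rule type, subtree, mask) entries. When several rules
    cover the OID, the one with the longest subtree decides; an OID covered by no
    rule is outside the view. Tie-breaking between equal-length subtrees is omitted."""
    best = None
    for rule_type, subtree, mask in rules:
        if in_subtree(subtree, mask, oid):
            depth = len(parse_oid(subtree))
            if best is None or depth > best[0]:
                best = (depth, rule_type)
    return best is not None and best[1] == "included"


# Constructed view: all of mib-2 is readable, the whole ifTable is hidden, except that
# the row for interface index 3 is exposed again. The subtree 1.3.6.1.2.1.2.2.1.1.3
# has 11 sub-identifiers; mask FFA = 1111 1111 101(0) wildcards position 9 (the
# ifEntry column) and keeps position 10 (the ifIndex value) fixed at 3.
VIEW_RULES = [
    ("included", "1.3.6.1.2.1", None),
    ("excluded", "1.3.6.1.2.1.2.2.1", None),        # hide ifEntry (every interface) ...
    ("included", "1.3.6.1.2.1.2.2.1.1.3", "FFA"),    # ... except interface 3's row
]
```

With this view, sysDescr.0 (1.3.6.1.2.1.1.1.0) and ifDescr.3 (1.3.6.1.2.1.2.2.1.2.3) are visible, while ifDescr.4 stays hidden and anything outside mib-2 is not in the view at all.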
Select Advanced > SNMP from the navigation tree, then click the Community tab to enter the page
as shown in Figure 271.
2.
3.
Description
Community Name
Access Right
ACL
1.
2.
Group Name
Security Level
Read View
Write View: If no write view is configured, the NMS cannot perform write operations on any MIB objects on the device.
Notify View: Select the notify view of the SNMP group, that is, the view that can send trap messages. If no notify view is configured, the agent does not send traps to the NMS.
ACL: Associate a basic ACL with the group to restrict the source IP address of SNMP packets. That is, you can allow or prohibit SNMP packets with a specific source IP address, so as to restrict the intercommunication between the NMS and the agent.
1.
Click Add to enter the Add SNMP User page, as shown in Figure 276.
2.
User Name
Security Level
Group Name: Select an SNMP group to which the user belongs:
Authentication Mode
Authentication Password
Privacy Mode
Privacy Password: The confirm privacy password must be the same as the privacy password.
ACL: Associate a basic ACL with the user to restrict the source IP address of SNMP packets. That is, you can allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified NMS to access the agent by using this user name.
Select Advanced > SNMP from the navigation tree, and click the Trap tab to enter the page as
shown in Figure 277.
On the upper part of the page, you can select to enable the SNMP trap function.
On the lower part of the page, you can configure target hosts of the SNMP traps.
2.
Click Add to enter the Add Trap Target Host page, as shown in Figure 278.
3.
Destination IP Address: Set the destination IP address. Select the IP address type: IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field according to the IP address type.
Security Name: Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 username.
UDP Port: Set the UDP port number.
IMPORTANT:
The default port number is 162, which is the SNMP-specified port used for receiving traps on the NMS. Generally (for example, when IMC or MIB Browser is the NMS), you can use the default port number. If you change this parameter to another value, make sure the configuration is the same as that on the NMS.
Security Model: Select the security model, that is, the SNMP version.
IMPORTANT:
The security model must be the same as that running on the NMS. Otherwise, the NMS cannot receive any trap.
Security Level: Set the authentication and privacy mode for SNMP traps when the security model is v3. The available security levels are no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the security level can only be no authentication no privacy, and cannot be modified.
Enable SNMP:
a. Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform
d. Click Apply.
2.
in Figure 282.
Click Apply.
d. Click the Community tab and then click Add. Perform the following configuration as shown
in Figure 283.
Figure 283 Configuring SNMP community named private
f.
Click Apply.
285.
Figure 285 Adding target hosts of SNMP traps
Click Apply.
2.
3.
For more information about configuring the NMS, see the NMS manual.
After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding
trap.
Enable SNMP:
a. Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform
d. Click Apply.
2.
288.
Figure 288 Setting the name of the view to be created
Click Apply and enter the page of view1. Perform the following configuration as shown
in Figure 289.
Click Add.
g. Click Apply. A configuration progress dialog box appears, as shown in Figure 290.
291.
Click Apply.
292.
Figure 292 Configuring an SNMP user
c.
Type authkey in the Authentication Password and Confirm Authentication Password fields.
Click Apply.
Click Apply.
294.
g. Click Apply.
2.
3.
4.
5.
Set the authentication key to authkey and the privacy key to prikey.
For more information about configuring the NMS, see the NMS manual.
After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding
trap.
Configuring bridging
Through the Web interface, you can configure the following transparent bridging functions:
Overview
Bridging overview
A bridge is a store-and-forward device that connects and transfers traffic between LAN segments at the
data-link layer. In some small-sized networks, especially those with dispersed distribution of users, the use
of bridges can reduce the network maintenance costs without requiring the end users to perform special
configurations on the devices.
Four major bridging technologies are in use: transparent bridging, source-route bridging (SRB), translational bridging, and source-route translational bridging (SR/TLB). The devices support only transparent bridging.
Transparent bridging bridges LAN segments of the same physical media type, primarily in Ethernet environments. A transparent bridging device keeps a bridge table, which contains mappings between destination MAC addresses and outbound interfaces.
For more information about transparent bridging, see Layer 2 - WAN Configuration Guide in H3C MSR Series Routers Configuration Guides (V5).
[Figure: Host A (source address 00e0.fcaa.aaaa) on LAN segment 1 sends a frame to Host B (destination address 00e0.fcbb.bbbb). LAN segment 1 is attached to bridge interface 1; LAN segment 2, with Host C and Host D, is attached to bridge interface 2.]
As the bridge receives the Ethernet frame on bridging interface 1, it determines that Host A is attached
to bridging interface 1 and creates a mapping between the MAC address of Host A and bridging
interface 1 in its bridge table, as shown in Figure 296.
Figure 296 The bridge determines that Host A is attached to interface 1
When Host B responds to Host A, the bridge also hears the Ethernet frame from Host B. As the frame is
received on bridging interface 1, the bridge determines that Host B is also attached to bridging interface
1, and creates a mapping between the MAC address of Host B and bridging interface 1 in its bridge
table, as shown in Figure 297.
Figure 297 The bridge determines that Host B is also attached to interface 1
[Figure: Host B (MAC address 00e0.fcbb.bbbb) sends a frame with source address 00e0.fcbb.bbbb on LAN segment 1. Bridge table: 00e0.fcaa.aaaa on interface 1, 00e0.fcbb.bbbb on interface 1. LAN segment 2 holds Host C and Host D (MAC address 00e0.fcdd.dddd).]
Finally, the bridge obtains all the MAC-interface mappings (assume that all hosts are in use), as shown
in Figure 298.
Figure 298 The final bridge table
[Figure: bridge table with 00e0.fcaa.aaaa (Host A) and 00e0.fcbb.bbbb (Host B) on interface 1, and 00e0.fccc.cccc (Host C) and 00e0.fcdd.dddd (Host D) on interface 2.]
When Host A sends an Ethernet frame to Host C, the bridge searches its bridge table and finds out
that Host C is attached to bridging interface 2, and forwards the Ethernet frame out of bridging
interface 2, as shown in Figure 299.
[Figure: Host A (source address 00e0.fcaa.aaaa) sends a frame to Host C (destination address 00e0.fccc.cccc). The bridge table maps 00e0.fcaa.aaaa and 00e0.fcbb.bbbb to interface 1 and 00e0.fccc.cccc and 00e0.fcdd.dddd to interface 2, so the frame is forwarded out of bridge interface 2. Host D's MAC address is 00e0.fcdd.dddd.]
When Host A sends an Ethernet frame to Host B, as Host B is on the same LAN segment as Host A, the bridge filters the Ethernet frame instead of forwarding it, as shown in Figure 300.
When Host A sends an Ethernet frame to Host C, if the bridge does not find a MAC-to-interface mapping for Host C in its bridge table, the bridge forwards the Ethernet frame to all interfaces except the interface on which the frame was received, as shown in Figure 301.
Figure 301 The proper MAC-to-interface mapping is not found in the bridge table
When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than
the receiving interface.
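The learning, forwarding, filtering and flooding behaviour described above, as an added Python model (example code, not from the guide or the device software). It replays the Host A to Host D scenario with the MAC addresses from the figures; the interface numbering, the replayed frame sequence and the class name are constructed, and table aging is left out.

```python
BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


class TransparentBridge:
    """Store-and-forward bridge as described above: learn the source MAC on the
    receiving interface, forward to the interface the destination is known on,
    filter if that is the receiving interface, and flood unknown unicast,
    broadcast and multicast frames out of every other interface."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}   # MAC address -> bridge interface

    def receive(self, in_if, src, dst):
        """Return (action, outbound interfaces) for one received frame."""
        self.table[src] = in_if                   # learning; a moved host is re-learned
        if is_group_address(dst) or dst not in self.table:
            return "flood", [i for i in self.interfaces if i != in_if]
        out_if = self.table[dst]
        if out_if == in_if:                       # destination is on the receiving segment
            return "filter", []
        return "forward", [out_if]


# Constructed replay of the scenario above: Hosts A and B on LAN segment 1 (bridge
# interface 1), Hosts C and D on LAN segment 2 (bridge interface 2).
HOST_A, HOST_B = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb"
HOST_C, HOST_D = "00e0.fccc.cccc", "00e0.fcdd.dddd"


def replay():
    """Feed the frames from the figures through an empty bridge; return the per-frame
    decisions and the resulting bridge table."""
    bridge = TransparentBridge([1, 2])
    frames = [
        (1, HOST_A, HOST_B),      # A -> B: B unknown, flooded out of interface 2
        (1, HOST_B, HOST_A),      # B -> A: both on interface 1, filtered
        (2, HOST_C, HOST_A),      # C -> A: A known on interface 1, forwarded
        (2, HOST_D, HOST_C),      # D -> C: same segment, filtered
        (1, HOST_A, HOST_C),      # A -> C: C known on interface 2, forwarded
        (1, HOST_A, BROADCAST),   # broadcast: flooded
    ]
    decisions = [bridge.receive(*frame) for frame in frames]
    return decisions, dict(bridge.table)
```

After the replay the table holds the four mappings of Figure 298, and the decision list shows the flood, filter and forward cases in the order the text describes them.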
VLAN transparency
VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN
tags. If your device does not support VLAN tags, enable VLAN transparency on any interfaces that may
receive VLAN-tagged packets to avoid dropping of VLAN tags.
Configuring bridging
Recommended basic bridging configuration procedure
Step 1: Enabling a bridge set. Required. No bridge set is enabled by default.
Step 2: Adding an interface to a bridge set. Required. An interface is not in any bridge set by default.
Bridge Group id
Interface
Bridge Group: Set the ID of the bridge set to which you want to add the interface.
VLAN Transmit: Enable or disable VLAN transparency on the interface.
[Figure: network diagram with Switch A, Switch B, Router A, and Router B connected through interfaces Eth1/1 and Eth1/2 over trunk links, and office area B.]
Configuration procedure
1. Configure Router A:
# Enable bridge set 2.
a. Select Advanced > Bridge from the navigation tree to enter the Global config page.
Figure 306 Assigning Ethernet 1/1 to bridge set 2 and enabling VLAN transparency
2. Configure Router B:
Configure Router B in the same way as you configured Router A.
Access control: Allows you to deny access from hosts during specific time ranges. All data packets matching these criteria are denied access to the Internet.
Bandwidth control: Allows you to control bandwidth consumption per user group. It evaluates traffic with token buckets and drops packets that exceed the configured rate.
Packet filtering: Allows you to filter packets that match specific criteria, such as the protocol, destination IP address, source port, and destination port, on a per-user-group basis.
Step / Remarks
1. Configuring a user group: Required. By default, no user groups are configured.
2. Configuring a user: Required.
3. Configuring a service for the user group (access control, application control, bandwidth control, or packet filtering): Required. Use at least one of the approaches. By default, a user group has no service configured.
4. Synchronizing the user group configuration to WAN interfaces: Optional.
Set the name of the group to be added. The group name is a character string beginning with a letter and cannot contain a question mark (?) or a space.
Configuring a user
Select Advanced > Security > Usergroup from the navigation tree, and then select the User tab to enter the page shown in Figure 309.
Add Mode:
Static: In this mode, type the username and IP address manually in the following fields.
Dynamic: The system displays all devices connected to the device for you to select.
IP Address
Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups.
Set the time range in which access to the Internet is denied.
Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups.
Please select applications to deny: Select the applications and protocols to be controlled. There are three types of applications for you to select:
Set the user group for bandwidth control. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.
CIR: Set the committed information rate (CIR), that is, the permitted average rate of traffic.
CBS: Set the committed burst size (CBS). The CBS is the token bucket capacity, that is, the maximum amount of traffic permitted in each burst. The CBS value must be greater than the maximum packet size.
IMPORTANT:
By default, the CBS is the number of bytes transmitted in 500 ms at the CIR. If that number falls outside the value range, the allowed maximum or minimum value is adopted.
Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.
Protocol: Select a protocol.
Destination IP Address
Destination Wildcard
Source Port:
Operator and Port: If you select NotCheck as the operator, port numbers are not checked and no ports need to be specified. If you select Range as the operator, you must specify both a start port (Port) and an end port (ToPort). If you select any other option as the operator, only a start port needs to be specified.
Destination Port:
Operator
configurable.
Port: If you select NotCheck as the operator, port numbers are not checked and no ports need to be specified. If you select Range as the operator, you must specify both a start port (Port) and an end port (ToPort). If you select any other option as the operator, only a start port needs to be specified.
1. Select Advanced > Security > Usergroup from the navigation tree, and then select the WAN Synchronization tab to enter the page shown in Figure 314.
2. Click the Sync button to synchronize the user group configuration for WAN interfaces.
Configure access control so that access from common users to the Internet during work time (9:00
to 18:00 from Monday through Friday) is denied while access from the manager is allowed.
Configure application control so that access from common users to MSN application is denied
while access from the manager is allowed.
Configure the maximum average rate of Internet access as 8 kbps for common users and 54 kbps
for the manager.
Configure packet filtering so that access to the server at the address 2.2.2.1 from common users is
denied.
Creating user groups staff (for common users) and manager (for the manager)
1. Select Advanced > Security > Usergroup to enter the group configuration page. Perform the configurations as shown in Figure 316.
3. Click Apply.
5. Click Apply.
Select Advanced > Security > Usergroup, and then select the User tab.
Click Apply.
A configuration progress dialog box appears, as shown in Figure 318.
Click Apply.
A configuration progress dialog box appears.
Loading the application control file (assume the signature file is stored on the device)
1.
Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab.
3. Click Apply.
MSN then appears among the loaded applications in the lower part of the page.
Select Advanced > Security > Application Control from the navigation tree, and perform the
configurations as shown in Figure 322.
4. Click Apply.
A configuration progress dialog box appears.
Select Advanced > Security > Band Width, and then perform the configurations as shown in Figure 323.
Figure 323 Configuring bandwidth control for user groups staff and manager
4. Click Apply.
A configuration progress dialog box appears.
8. Click Apply.
A configuration progress dialog box appears.
Select Advanced > Security > Packet Filter, and then perform the configurations as shown in Figure
324.
Configuring MSTP
Only MSR 20/30/50/930 routers support this feature.
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by
selectively blocking redundant links in a network, and allows for link redundancy.
Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid
Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). This chapter describes
the characteristics of STP, RSTP, and MSTP.
Introduction to STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a
LAN. Devices running this protocol detect loops in the network by exchanging information with one
another and eliminate loops by selectively blocking certain ports to prune the loop structure into a
loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in a loop
network and prevents decreased performance of network devices caused by duplicate packets received.
In the narrow sense, STP refers to the IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d
STP and various improved spanning tree protocols derived from that protocol.
Configuration BPDUs: Used for calculating a spanning tree and maintaining the spanning tree topology.
Topology change notification (TCN) BPDUs: Used for notifying the concerned devices of network topology changes, if any.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for
communication with the root bridge. Each non-root bridge has one and only one root port. The root
bridge has no root port.
Designated bridge and designated port
A designated bridge and a designated port are defined for a device and for a LAN. As shown in Figure 325, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device B, and Device C, respectively.
For a device: If Device A forwards BPDUs to Device B through AP1, the designated bridge for Device B is Device A, and the designated port of Device B is port AP1 on Device A.
For a LAN: Two devices are connected to the LAN: Device B and Device C. If Device B forwards BPDUs to the LAN, the designated bridge for the LAN is Device B, and the designated port for the LAN is port BP2 on Device B.
Path cost
Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively
robust links and blocks redundant links, and finally prunes the network into a loop-free tree.
Root bridge ID: Consisting of the priority and MAC address of the root bridge.
Designated bridge ID: Consisting of the priority and MAC address of the designated bridge.
Forward delay: Delay used by STP bridges to transit the state of the root and designated ports to forwarding.
For simplicity, the descriptions and examples in this document involve only the following fields in the
configuration BPDUs:
Root path cost (related to the rate of the link connecting the port)
Actions
Upon receiving a configuration BPDU on a port, the device performs the following:
If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU and does not process the configuration BPDU of this port.
If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.
The device compares the configuration BPDUs of all the ports and chooses the optimum
configuration BPDU.
The configuration BPDU that has the lowest root bridge ID has the highest priority.
If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. For
example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The
configuration BPDU with the smallest S value has the highest priority.
If all configuration BPDUs have the same S value, their designated bridge IDs, designated port IDs,
and the IDs of the receiving ports are compared in sequence. The configuration BPDU containing
a smaller ID wins out.
A non-root device regards the port on which it received the optimum configuration BPDU as
the root port.
Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the rest ports.
The root bridge ID is replaced with that of the configuration BPDU of the root port.
The root path cost is replaced with that of the configuration BPDU of the root port plus the
path cost of the root port.
If the calculated configuration BPDU is superior, the device considers this port as the designated port, and replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically.
If the configuration BPDU on the port is superior, the device blocks this port without
updating its configuration BPDU. The blocked port can receive BPDUs but cannot send
BPDUs or forward data.
When the network topology is stable, only the root port and designated ports forward traffic; all other ports are in the blocked state: they receive BPDUs but do not forward BPDUs or user traffic.
A tree-shape topology forms upon successful election of the root bridge, the root port on each non-root
bridge and the designated ports.
1. Initial state of each device (port name, BPDU of port):
Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}
Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}
Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}
2.
Comparison process
Device A:
Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.
Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}. Device A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
Device A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are itself, so it assumes itself to be the root bridge. It does not make any change to the configuration BPDU of each port, and starts sending out configuration BPDUs periodically.
Device B:
Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
After comparison:
Device C:
After comparison:
Because the root path cost of CP2 (9) (root path cost of the
After the comparison processes described in Table 141, a spanning tree with Device A as the root bridge
is established as shown in Figure 327.
Figure 327 The final calculated spanning tree
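The election steps above, replayed on the three-device example as an added Python model (not the guide's or H3C's code): the link path costs 5 (AP1-BP1), 10 (AP2-CP1) and 4 (BP2-CP2) are assumptions chosen so that CP2's root path cost comes out as the 9 quoted on the page, bridge IDs are the numbers 0, 1, 2 from the BPDU tuples, and port IDs are compared as strings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A configuration BPDU reduced to the fields the chapter uses:
# {root bridge ID, root path cost, designated bridge ID, designated port ID}.
# Lower wins on every field, so Python tuple ordering is the priority order.
BPDU = Tuple[int, int, int, str]


@dataclass
class Port:
    name: str
    cost: int        # path cost of the link attached to this port (assumed values)
    peer: str        # port at the far end of the link
    bpdu: BPDU       # configuration BPDU currently held on (and sent from) the port
    role: str = "designated"


@dataclass
class Device:
    bid: int         # bridge ID (priority and MAC collapsed into one number)
    ports: Dict[str, Port]


def build_topology(links: List[Tuple[str, str, int]]) -> Dict[str, Device]:
    """Devices are named by the first letter of their ports; each starts as its own root."""
    devices: Dict[str, Device] = {}
    for a, b, cost in links:
        for near, far in ((a, b), (b, a)):
            dev = devices.setdefault(near[0], Device(ord(near[0]) - ord("A"), {}))
            dev.ports[near] = Port(near, cost, far, (dev.bid, 0, dev.bid, near))
    return devices


def stp_round(devices: Dict[str, Device]) -> bool:
    """One synchronous BPDU exchange; returns True if any port's BPDU changed."""
    ports = {p.name: p for d in devices.values() for p in d.ports.values()}
    # Only designated ports send BPDUs; snapshot them before anyone updates.
    incoming: Dict[str, Optional[BPDU]] = {
        n: (ports[p.peer].bpdu if ports[p.peer].role == "designated" else None)
        for n, p in ports.items()}
    changed = False
    for dev in devices.values():
        # 1. A port adopts the received BPDU only if it is superior to the one it holds.
        for p in dev.ports.values():
            rx = incoming[p.name]
            if rx is not None and rx < p.bpdu:
                p.bpdu, changed = rx, True
        # 2. Pick the optimum among received BPDUs: compare S = root path cost + port cost,
        #    then designated bridge ID, designated port ID and the receiving port ID.
        received = [p for p in dev.ports.values() if p.bpdu[2] != dev.bid]
        root_port: Optional[Port] = None
        if received:
            root_port = min(received, key=lambda p: (p.bpdu[0], p.bpdu[1] + p.cost,
                                                     p.bpdu[2], p.bpdu[3], p.name))
            root_port.role = "root"
            root, rpc = root_port.bpdu[0], root_port.bpdu[1] + root_port.cost
        else:  # every port still holds its own BPDU: this device is the root bridge
            root, rpc = dev.bid, 0
        # 3. Every other port is designated if its calculated BPDU wins, otherwise blocked.
        for p in dev.ports.values():
            if p is root_port:
                continue
            calc: BPDU = (root, rpc, dev.bid, p.name)
            if p.bpdu[2] == dev.bid or calc < p.bpdu:
                if p.bpdu != calc:
                    p.bpdu, changed = calc, True
                p.role = "designated"
            else:
                p.role = "blocked"  # the held BPDU is superior: receive only
    return changed


def run_page_example() -> Tuple[Dict[str, str], Dict[str, int]]:
    """Run the exchange to convergence; returns (port -> role, device -> root path cost)."""
    devices = build_topology([("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)])
    for _ in range(50):
        if not stp_round(devices):
            break
    roles = {p.name: p.role for d in devices.values() for p in d.ports.values()}
    costs: Dict[str, int] = {}
    for name, dev in devices.items():
        rp = next((p for p in dev.ports.values() if p.role == "root"), None)
        costs[name] = rp.bpdu[1] + rp.cost if rp else 0
    return roles, costs
```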
Upon network initiation, every device regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
If it is the root port that received a configuration BPDU and the received configuration BPDU is
superior to the configuration BPDU of the port, the device increases the message age carried in the
configuration BPDU following a certain rule and starts a timer to time the configuration BPDU while
sending this configuration BPDU out of the designated port.
If the configuration BPDU received on a designated port has a lower priority than the configuration
BPDU of the local port, the port immediately sends out its own configuration BPDU in response.
If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs
and the old configuration BPDUs will be discarded due to timeout. The device will generate
configuration BPDUs with itself as the root. This triggers a new spanning tree calculation process to
establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU will not be propagated throughout the network
immediately, so the old root ports and designated ports that have not detected the topology change
continue forwarding data along the old path. If the new root ports and designated ports begin to
forward data as soon as they are elected, a temporary loop may occur.
STP timers
STP calculation involves the following timers:
Forward delay: The delay time for device state transition. A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change. However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If the newly elected root ports and designated ports start to forward data right away, a temporary loop is likely to occur. For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to make sure the new configuration BPDU has propagated throughout the network.
Hello time: The time interval at which a device sends hello packets to the surrounding devices to make sure the paths are fault free.
Max age: A parameter used to determine whether a configuration BPDU held by the device has expired. A configuration BPDU beyond the max age will be discarded.
Introduction to RSTP
Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid
network convergence by allowing a newly elected root port or designated port to enter the forwarding
state much quicker under certain conditions than in STP.
In RSTP, a newly elected root port can enter the forwarding state rapidly if this condition is met: the old
root port on the device has stopped forwarding data and the upstream designated port has started
forwarding data.
In RSTP, a newly elected designated port can enter the forwarding state rapidly if this condition is met:
the designated port is an edge port or a port connected to a point-to-point link. If the designated port is
an edge port, it can enter the forwarding state directly. If the designated port is connected to a
point-to-point link, it can enter the forwarding state immediately after the device undergoes handshake
with the downstream device and gets a response.
Introduction to MSTP
Why MSTP
STP and RSTP limitations
STP does not support rapid state transition of ports. A newly elected root port or designated port must
wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a
point-to-point link or an edge port, which directly connects to a user terminal rather than to another
device or a shared LAN segment.
Although RSTP supports rapid network convergence, it has the same drawback as STP: all bridges within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the packets of all VLANs are forwarded along the same spanning tree.
Features of MSTP
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP and RSTP. In addition to the
support for rapid network convergence, it also allows data flows of different VLANs to be forwarded
along separate paths, providing a better load sharing mechanism for redundant links.
MSTP includes the following features:
MSTP divides a switched network into multiple regions, each containing multiple spanning trees
that are independent of one another.
MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of
packets in a loop network. In addition, it provides multiple redundant paths for data forwarding,
supporting load balancing of VLAN data.
Assume that all devices in Figure 328 are running MSTP. This section explains some basic concepts of
MSTP.
MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. These devices have the following characteristics:
The same MST region configuration. For example, all the devices in region A0 in Figure 328 have the same MST region configuration.
The same VLAN-to-instance mapping configuration (VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to the common and internal spanning tree, CIST or MSTI 0).
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST
region.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region.
ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal
spanning tree (CIST) of the entire network. An IST is a section of the CIST in an MST region.
In Figure 328, for example, the CIST has a section in each MST region, and this section is the IST in the
respective MST region.
CST
The CST is a single spanning tree that connects all MST regions in a switched network. If you regard each
MST region as a "device," the CST is a spanning tree calculated by these devices through STP or RSTP.
CSTs are indicated by red lines in Figure 328.
CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all devices in a
switched network.
In Figure 328, for example, the ISTs in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
MSTI
Multiple spanning trees can be generated in an MST region through MSTP, one spanning tree being
independent of another. Each spanning tree is called a multiple spanning tree instance (MSTI).
In Figure 328, for example, multiple MSTIs can exist in each MST region, each MSTI corresponding to the
specified VLANs.
Boundary port
A boundary port is a port that connects an MST region to another MST region, or to a single
spanning-tree region running STP, or to a single spanning-tree region running RSTP. It is at the boundary
of an MST region.
During MSTP calculation, the role of a boundary port in an MSTI must be consistent with its role in the
CIST. However, this is not true with master ports. A master port on MSTIs is a root port on the CIST. For
example, in Figure 328, if a device in region A0 is interconnected to the first port of a device in region
D0 and the common root bridge of the entire switched network is located in region A0, the first port of
that device in region D0 is the boundary port of region D0.
Roles of ports
MSTP calculation involves the following port roles: root port, designated port, master port, boundary port,
alternate port, and backup port.
Designated port: Port responsible for forwarding data to the downstream network segment or device.
Master port: Port on the shortest path from the current region to the common root bridge, connecting the MST region to the common root bridge. If the region is seen as a node, the master port is the root port of the region on the CST. The master port is a root port on the IST/CIST and still a master port on the other MSTIs.
Alternate port: Standby port for the root port and the master port. When the root port or master port is blocked, the alternate port becomes the new root port or master port.
Backup port: Backup port of a designated port. When the designated port is blocked, the backup port becomes a new designated port and starts forwarding data without delay. A loop occurs when two ports of the same MSTP device are interconnected. The device will block either of the two ports, and the backup port is the port to be blocked.
Figure 329 (port roles in an MST region): device A has port 1 and port 2 (master port and alternate port) toward the common root bridge; device C has port 5 and port 6 forming a loop (backup port); device D has port 3 and port 4 (designated ports) toward the other MST regions.
In Figure 329, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are
connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port
4 of Device D are connected downstream to the other MST regions.
Port states
In MSTP, a port may be in one of the following states:
Learning: The port learns MAC addresses but does not forward user traffic.
Discarding: The port neither learns MAC addresses nor forwards user traffic.
A port can have different port states in different MSTIs. A port state is not exclusively associated with a port role. Table 142 lists the port states supported by each port role.
Table 142 Port states supported by different port roles. Port roles: root port/master port, designated port, boundary port, alternate port, backup port. Port states: forwarding, learning, discarding.
CIST calculation
The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process,
the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within
each MST region through calculation, and, at the same time, MSTP regards each MST region as a single
device and generates a CST among these MST regions through calculation. The CST and ISTs constitute
the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. MSTP performs a separate calculation process, which is similar to spanning
tree calculation in STP/RSTP, for each spanning tree. For more information, see "How STP works."
In MSTP, a VLAN packet is forwarded along the following paths:
Within an MST region, the packet is forwarded along the corresponding MSTI.
Between two MST regions, the packet is forwarded along the CST.
MSTP provides the following protection functions:
Root guard
BPDU guard
Loop guard
TC-BPDU guard
Recommended MSTP configuration procedure (Step / Remarks):
Optional.
1. Configuring an MST region.
2. Configuring MSTP globally.
3. Configuring MSTP on a port.
Click Modify to enter the MSTP region configuration page, as shown in Figure 331.
Figure 331 Modifying an MST region
MST region name. The MST region name is the bridge MAC address of the device by default.
Revision Level
Modulo: With the modulo value set, each VLAN is mapped to the MSTI whose ID is (VLAN ID - 1) % modulo + 1, where (VLAN ID - 1) % modulo is the modulo operation on (VLAN ID - 1). If the modulo value is 15, for example, VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, VLAN 15 to MSTI 15, VLAN 16 to MSTI 1, and so on.
Activate: Validate the VLAN-to-instance mappings, the region name, and the revision level.
Description
Enable or disable STP globally:
BPDU Protection
Set the STP operating mode:
that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
MSTP: All ports of the device send out MSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
Max Hops: Set the maximum number of hops in an MST region to restrict the region size. The setting can take effect only when it is configured on the regional root bridge.
Path Cost Standard: Specify the standard for path cost calculation. It can be Legacy, IEEE 802.1D-1998, or IEEE 802.1T.
Bridge Diameter: Any two stations in a switched network are interconnected through a specific path composed of a series of devices. The bridge diameter (or the network diameter) is the number of devices on the path composed of the most devices. When you configure the bridge diameter, follow these guidelines:
The network diameter applies only to the CIST. It takes effect only after you configure it on the root bridge. Each MST region is regarded as a device.
After you set the network diameter, you cannot set the timers. Instead, the device automatically calculates the forward delay, hello time, and max age.
Timers: Set the timers:
Forward Delay: Set the delay for the root and designated ports to transit to the forwarding state. The length of the forward delay time is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay setting is too small, temporary redundant paths may be introduced. If the forward delay setting is too big, it may take a long time for the network to converge. H3C recommends that you use the default setting.
Hello Time: Set the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault-free. An appropriate hello time setting enables the device to detect link failures on the network in a timely manner without using excessive network resources. If the hello time is set too long, the device will take packet loss as a link failure and trigger a new spanning tree calculation process. If the hello time is set too short, the device will send repeated configuration BPDUs frequently. This adds to the device burden and wastes network resources. H3C recommends that you use the default setting.
Max Age: Set the maximum length of time a configuration BPDU can be held by the device. If the max age setting is too small, the network devices will frequently launch spanning tree calculations and may take network congestion as a link failure. If the max age setting is too large, the network may fail to detect link failures and launch spanning tree calculations in a timely manner, reducing the auto-sensing capability of the network. H3C recommends that you use the default setting.
The settings of hello time, forward delay, and max age must meet a certain formula. Otherwise, the network topology will not be stable. H3C recommends that you set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age.
Bridge Priority: Set the bridge priority of the device, which is one of the factors determining whether the device can be elected as the root bridge. After specifying the current device as the primary root bridge or a secondary root bridge, you cannot change the priority of the device.
TC Protection: Select whether to enable TC-BPDU guard. When receiving topology change (TC) BPDUs, the device flushes its forwarding address entries. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time and frequently flush its forwarding address entries. This affects network stability. The TC-BPDU guard function prevents frequent flushing of forwarding address entries. H3C does not recommend disabling this function.
TC Protection Threshold: Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.
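A constructed model of TC-BPDU guard, added here as a Python example (not H3C's implementation): the threshold of 6 immediate flushes per 10-second period and the single deferred flush when the period ends are assumptions, and the TC-BPDU arrival times are constructed to contrast a forged burst with genuine topology changes.

```python
from typing import List, Optional


class TcBpduGuard:
    """Model of TC-BPDU guard: at most `threshold` immediate forwarding-table flushes
    per `period` seconds after the first TC-BPDU, instead of one flush per TC-BPDU."""

    def __init__(self, threshold: int = 6, period: float = 10.0, enabled: bool = True) -> None:
        self.threshold = threshold       # assumed default: 6 immediate flushes
        self.period = period             # assumed default: 10 s window
        self.enabled = enabled
        self.window_start: Optional[float] = None
        self.immediate = 0               # immediate flushes done in the current window
        self.deferred = False            # excess TC-BPDUs seen, one flush owed at window end
        self.flushes: List[float] = []   # times at which the forwarding table was flushed

    def expire(self, now: float) -> None:
        """Close the window once the period has elapsed. Assumed behaviour: all excess
        TC-BPDUs received during the window collapse into a single flush at its end."""
        if self.window_start is not None and now - self.window_start >= self.period:
            if self.deferred:
                self.flushes.append(self.window_start + self.period)
            self.window_start, self.immediate, self.deferred = None, 0, False

    def on_tc_bpdu(self, now: float) -> bool:
        """Handle one received TC-BPDU; returns True if the table is flushed immediately."""
        if not self.enabled:
            self.flushes.append(now)     # guard off: every TC-BPDU flushes the table
            return True
        self.expire(now)
        if self.window_start is None:
            self.window_start = now      # the first TC-BPDU opens the window
        if self.immediate < self.threshold:
            self.immediate += 1
            self.flushes.append(now)
            return True
        self.deferred = True             # over the threshold: no immediate flush
        return False


def flushes_for(arrivals: List[float], enabled: bool,
                threshold: int = 6, period: float = 10.0) -> List[float]:
    """Feed TC-BPDU arrival times through the guard and return the flush times."""
    guard = TcBpduGuard(threshold, period, enabled)
    for t in arrivals:
        guard.on_tc_bpdu(t)
    guard.expire(arrivals[-1] + period)  # let the last window run out
    return guard.flushes


# Constructed inputs: a forged burst of 20 TC-BPDUs within 2 s, and three genuine
# topology changes a minute apart.
FORGED_BURST = [round(i * 0.1, 1) for i in range(20)]
GENUINE_CHANGES = [0.0, 60.0, 120.0]
```

With the guard disabled the burst causes 20 flushes; with it enabled the same burst causes 6 immediate flushes plus one at the end of the window, while the genuine changes are still flushed immediately.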
Click the icon for a port to enter the MSTP Port Configuration page of the port, as shown in Figure 334.
Description
Port Number
STP Status
Protection Type: Set the type of protection enabled on the port (see Table 146).
Point to Point
Transmit Limit: The larger the transmit limit is, the more network resources will be occupied. H3C recommends that you use the default value.
mCheck: In a switched network, if a port on an MSTP device connects to an STP device, this port automatically migrates to the STP-compatible mode. However, after the STP device is removed, whether the port on the MSTP device can migrate automatically back to the MSTP mode depends on which of the following parameters is selected:
Enable: Performs mCheck. The port automatically migrates back to the MSTP mode.
Disable: Does not perform mCheck. The port does not automatically migrate back to the MSTP mode.
Instance
Path Cost: Select to calculate the path cost automatically or set the path cost manually.
Table 146 Protection types
Protection type / Description
Edged Port: Configure the port as an edge port. Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports. H3C recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.
Root Protection: Enable the root guard function. Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and the network topology to change. The root guard function is used to address such a problem.
Loop Protection: Enable the loop guard function. By continuously receiving BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. These BPDUs may get lost because of network congestion or unidirectional link failures. The device will then re-elect a root port, and blocked ports may transit to the forwarding state, causing loops in the network. The loop guard function is used to address such a problem.
"Permit:" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass
this link.
Configuration procedure
1. Configure Router A:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0:
a. Log in to Router A. Select Advanced > MSTP > Region from the navigation tree, click Modify,
and then make the following configurations on the page shown in Figure 336.
g. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the
# Enable MSTP globally and configure the current device as the root bridge of MSTI 1:
j.
Select Advanced > MSTP > Global from the navigation tree, and make the following
configurations on the page shown in Figure 337.
Configure Router B:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. The
procedure here is the same as that of configuring an MST region on Router A.
# Enable MSTP globally and configure the current device as the root bridge of MSTI 3:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
Configure Router C:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. The
procedure here is the same as that of configuring an MST region on Router A.
# Enable MSTP globally and configure the current device as the root bridge of MSTI 4:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
5. Configure Router D:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. The
procedure here is the same as that of configuring an MST region on Router A.
# Enable MSTP globally:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
Port         Role   STP State    Protection
Ethernet0/1  ALTE   DISCARDING   NONE
Ethernet0/2  DESI   FORWARDING   NONE
Ethernet0/3  ROOT   FORWARDING   NONE
Ethernet0/1  DESI   FORWARDING   NONE
Ethernet0/3  DESI   FORWARDING   NONE
Ethernet0/2  DESI   FORWARDING   NONE
Ethernet0/3  ROOT   FORWARDING   NONE
Port         Role   STP State    Protection
Ethernet0/1  DESI   FORWARDING   NONE
Ethernet0/2  DESI   FORWARDING   NONE
Ethernet0/3  DESI   FORWARDING   NONE
Ethernet0/2  DESI   FORWARDING   NONE
Ethernet0/3  ROOT   FORWARDING   NONE
Ethernet0/1  DESI   FORWARDING   NONE
Ethernet0/3  DESI   FORWARDING   NONE
MSTID
Port         Role   STP State    Protection
Ethernet0/1  DESI   FORWARDING   NONE
Ethernet0/2  ROOT   FORWARDING   NONE
Ethernet0/3  DESI   FORWARDING   NONE
Ethernet0/1  ROOT   FORWARDING   NONE
Ethernet0/2  ALTE   DISCARDING   NONE
Ethernet0/3  DESI   FORWARDING   NONE
Port         Role   STP State    Protection
Ethernet0/1  ROOT   FORWARDING   NONE
Ethernet0/2  ALTE   DISCARDING   NONE
Ethernet0/3  ALTE   DISCARDING   NONE
Ethernet0/1  ROOT   FORWARDING   NONE
Ethernet0/2  ALTE   DISCARDING   NONE
Ethernet0/3  ROOT   FORWARDING   NONE
Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 338.
Figure 338 MSTIs corresponding to different VLANs
Configuration guidelines
Follow these guidelines when you configure MSTP:
Two or more MSTP-enabled devices belong to the same MST region only if they are configured with
the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance
mapping entries in the MST region, and MST region revision level, and they are interconnected
through physical links.
After specifying the current device as the root bridge or a secondary root bridge, you cannot
change the priority of the device.
If two or more devices with the same bridge priority have been designated to be root bridges of the
same spanning tree instance, MSTP will select the device with the lowest MAC address as the root
bridge.
The values of forward delay, hello time, and max age are interdependent. Inappropriate settings of
these values may cause network flapping. H3C recommends that you set the network diameter and
let the device automatically set an optimal hello time, forward delay, and max age. The settings of
hello time, forward delay, and max age must satisfy the following formulae:
2 × (forward delay − 1 second) ≥ max age
Max age ≥ 2 × (hello time + 1 second)
If the device is not enabled with BPDU guard, when an edge port receives a BPDU from another port,
it transits into a non-edge port. To restore its port role as an edge port, you must restart the port.
Configure ports that are directly connected to terminals as edge ports and enable BPDU guard for
them. In this way, these ports can rapidly transit to the forwarding state, and network security can
be ensured.
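As an added example that is not part of the guide, the following Python script applies the region membership rule and the timer formulae from the guidelines above to a constructed set of device configurations; a device that ends up alone in its region, or whose timers violate the formulae, is reported. The device data is constructed, and physical interconnection between the devices is assumed.

```python
"""Added example (not from the H3C guide): apply the MST region membership rule
and the STP timer formulae from the guidelines above to a constructed set of
device configurations.  A device alone in its region, or with timers that
violate the formulae, is reported.  Physical interconnection is assumed."""
from collections import defaultdict

# Constructed configurations mirroring the example topology in the guide:
# region "example", revision 0, VLAN 10/30/40 mapped to MSTI 1/3/4.
DEVICES = {
    "RouterA": {"region": "example", "revision": 0,
                "vlan_to_msti": {10: 1, 30: 3, 40: 4},
                "hello": 2, "forward_delay": 15, "max_age": 20},
    "RouterB": {"region": "example", "revision": 0,
                "vlan_to_msti": {10: 1, 30: 3, 40: 4},
                "hello": 2, "forward_delay": 15, "max_age": 20},
    # RouterC maps VLAN 30 to MSTI 4 by mistake, so it forms a region of its own.
    "RouterC": {"region": "example", "revision": 0,
                "vlan_to_msti": {10: 1, 30: 4, 40: 4},
                "hello": 2, "forward_delay": 15, "max_age": 20},
    # RouterD has a forward delay that is too small for its max age.
    "RouterD": {"region": "example", "revision": 0,
                "vlan_to_msti": {10: 1, 30: 3, 40: 4},
                "hello": 2, "forward_delay": 4, "max_age": 20},
}

FORMAT_SELECTOR = 0  # fixed, not configurable


def region_key(cfg):
    """What makes two devices members of the same MST region: format selector,
    region name, revision level and the complete VLAN-to-instance mapping."""
    mapping = tuple(sorted(cfg["vlan_to_msti"].items()))
    return (FORMAT_SELECTOR, cfg["region"], cfg["revision"], mapping)


def group_regions(devices):
    """Group device names by the region they would form."""
    groups = defaultdict(list)
    for name, cfg in devices.items():
        groups[region_key(cfg)].append(name)
    return {key: sorted(names) for key, names in groups.items()}


def timer_violations(cfg):
    """Check 2 x (forward delay - 1 s) >= max age and max age >= 2 x (hello time + 1 s)."""
    problems = []
    if 2 * (cfg["forward_delay"] - 1) < cfg["max_age"]:
        problems.append("2 x (forward delay - 1) < max age")
    if cfg["max_age"] < 2 * (cfg["hello"] + 1):
        problems.append("max age < 2 x (hello time + 1)")
    return problems


def audit(devices):
    """Map device name -> list of findings (an empty dict means all consistent)."""
    findings = defaultdict(list)
    for key, names in group_regions(devices).items():
        if len(names) == 1:
            findings[names[0]].append(
                "alone in region %r: check name, revision and VLAN mapping" % key[1])
    for name, cfg in devices.items():
        for problem in timer_violations(cfg):
            findings[name].append("timers: " + problem)
    return dict(findings)


if __name__ == "__main__":
    for device, issues in sorted(audit(DEVICES).items()):
        print(device, issues)
```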
Configuring RADIUS
You can configure RADIUS through the Web interface.
Overview
Remote Authentication Dial-In User Service (RADIUS) protocol is a distributed information interaction
protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user access.
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, including Ethernet and ADSL.
RADIUS provides access authentication, authorization, and accounting services. The accounting function
collects and records network resource usage information.
For more information about RADIUS and AAA, see H3C MSR Series Routers Configuration Guides (V5).
2. Click Add.
3.
4. Click Apply.
Description
Scheme Name
Common Configuration
Configure the common parameters for the RADIUS scheme, including the server
type, the username format, and the shared keys for authentication and accounting
packets. For more information about common configuration, see "Configuring
common parameters."
RADIUS Server Configuration
Click the expand button before Advanced in the Common Configuration area to expand the
advanced configuration area.
2.
Description
Select the type of the RADIUS servers supported by the device, which can be:
Item
Description
Username Format
Select the format of usernames to be sent to the RADIUS server, including Original format, With domain name, and Without domain name.
Authentication Key
Confirm Authentication Key
Accounting Key
Confirm Accounting Key
The RADIUS client and the RADIUS server use MD5 to encrypt RADIUS
packets. They verify packets through the specified shared key. The client and
the server can receive and respond to packets from each other only when
they use the same shared key.
IMPORTANT:
The shared keys configured in the common configuration part are used only
when no corresponding shared keys are configured in the RADIUS server
configuration part.
Quiet Time
Set the time to wait before the device restores an unreachable RADIUS server to the active state.
Item
Description
Specify the unit for data flows sent to the RADIUS server, which can be byte,
kilo-byte, mega-byte, or giga-byte.
Specify the unit for data packets sent to the RADIUS server, which can be
one-packet, kilo-packet, mega-packet, or giga-packet.
VPN
Specify the VPN to which the RADIUS scheme belongs.
Stop-Accounting Attempts
Send accounting-on packets
Accounting-On Interval
Accounting-On Attempts
Enable or disable the accounting-on feature, and set the interval and the maximum number of attempts for sending accounting-on packets.
IMPORTANT:
When enabling the accounting-on feature on a device for the first time, you
must save the configuration so that the feature takes effect after the device
reboots.
Attribute Interpretation
Enable or disable the device to interpret the RADIUS class attribute as CAR parameters.
2.
3. Click Apply.
You can repeat the above steps to configure multiple RADIUS servers for the RADIUS scheme.
Table 149 Configuration items
Item
Description
Server Type
Select the type of the RADIUS server to be configured. Possible values include
primary authentication server, primary accounting server, secondary
authentication server, and secondary accounting server.
IP Address
Specify the IPv4 or IPv6 address of the RADIUS server.
The IP addresses of the primary and secondary servers for a scheme must be
different. Otherwise, the configuration fails.
RADIUS server addresses in the same scheme must use the same IP version.
Port
Key
Confirm Key
If no shared key is specified, the shared key specified in the common configuration part is used.
VPN
Specify the VPN to which the RADIUS server belongs.
If no VPN is specified, the VPN specified in the common configuration part is used.
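As an added example that is not H3C's code, the following Python shows what the shared key described above actually does on the wire (RFC 2865): the client hides User-Password with MD5 keyed by the shared secret and the Request Authenticator, and the server proves it holds the same secret through the Response Authenticator, so a mismatched key shows up as a reply that fails verification. The username hello@bbb, password abc, key expert and addresses come from the example in this chapter; the fixed Request Authenticator and attribute values are constructed.

```python
"""Added example (not H3C's code): RADIUS shared-key use per RFC 2865.
The RADIUS client hides User-Password with MD5(secret + Request Authenticator)
and the server proves it holds the same shared key through the Response
Authenticator; a mismatched key therefore yields an unverifiable reply."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then
    c_i = p_i XOR MD5(secret + c_(i-1)) with c_0 = Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; only a server with the same secret recovers the text."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return bytes([type_, len(value) + 2]) + value


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(secret, username, password, nas_ip, ident, request_auth):
    """Access-Request as the router (RADIUS client) sends it to the server."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + request_auth + attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check of a reply: False for a wrong shared key or a tampered packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


if __name__ == "__main__":
    secret, ra = b"expert", os.urandom(16)  # shared key from the example above
    req = build_access_request(secret, "hello@bbb", "abc", "10.1.1.2", 7, ra)
    attrs = dict(parse_attrs(req[20:]))
    print("server recovers password:", reveal_password(attrs[USER_PASSWORD], secret, ra))
    accept = build_response(ACCESS_ACCEPT, 7, ra, attr(SERVICE_TYPE, b"\x00\x00\x00\x06"), secret)
    print("accept verifies with right key:", verify_response(accept, ra, secret))
    print("accept verifies with wrong key:", verify_response(accept, ra, b"wrong"))
```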
As shown in Figure 343, connect the Telnet user to the router and the router to the RADIUS server.
Run the RADIUS server on CAMS or IMC to provide authentication, authorization, and accounting
services for Telnet users. The IP address of the RADIUS server is 10.1.1.1/24.
Set the shared key for AAA packets exchanged between the router and the RADIUS server to expert,
and specify the ports for authentication/authorization and accounting as 1812 and 1813,
respectively.
Configure the router to send the RADIUS server usernames that carry domain names.
Add an account on the RADIUS server, with the username and password being hello@bbb and abc.
If the user passes authentication, it is assigned a privilege level of 3.
Log in to CAMS.
g. Select System Management > System Configuration from the navigation tree.
h. In the System Configuration page, click Modify for Access Device.
i. Click Add.
j.
k. Set both the shared key for authentication and accounting to expert.
l.
m. Specify the ports for authentication and accounting as 1812 and 1813, respectively.
n. Select Extensible Protocol as the protocol type.
o. Select Standard as the RADIUS packet type.
p. Click OK.
2.
a. Select User Management > User for Device Management from the navigation tree.
b. Click Add in the right pane.
c.
g. Enter 192.168.1.0 for the start IP address of the hosts and 192.168.1.255 as the end IP
Click OK.
Select Access Service > Service Configuration from the navigation tree.
d. Click Add.
e. Enter expert as the shared key for authentication and accounting.
f.
Enter 1812 and 1813 as the ports for authentication and accounting, respectively.
Select the access device from the device list, or manually add the device with the IP address of
10.1.1.2.
The IP address of the access device must be the same as the source IP address of the RADIUS
packets sent from the router. By default, the source IP address of a RADIUS packet is the IP
address of the sending interface.
j. Click OK.
2. Select Access User View > All Access Users from the navigation tree.
d. Click Add.
e. Enter hello@bbb as the username.
f.
This value identifies the privilege level of the Telnet user after login, which is 0 by default.
i. Click Add under IP Address List of Managed Devices, and then enter 10.1.1.0 as the start IP
address and 10.1.1.255 as the end IP address for the IP address range. The IP address range
of the hosts to be managed must contain the IP address of the access device added.
j. Click OK.
2.
To add a RADIUS scheme, enter system as the scheme name, select Extended as the server
type, select Without domain name for the username format.
d. To add the primary authentication server, click Add in the RADIUS Server Configuration area,
select Primary Authentication as the server type, enter 10.1.1.1 as the IP address, enter 1812
as the port, enter expert as the key, enter expert to confirm the key, and click Apply.
e. To add the primary accounting server, click Add again in the RADIUS Server Configuration
area, select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter
1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply.
The RADIUS scheme configuration page refreshes and the added servers appear in the server
list.
Figure 349 RADIUS accounting server configuration page
f. Click Apply.
3.
4.
5. Use either approach to configure the AAA methods for domain bbb:
Approach 1.
Because RADIUS authorization information is sent by the RADIUS server to the RADIUS client
in the authentication response message, reference the same scheme for authentication and
authorization.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit
Approach 2.
Configure default AAA methods for all types of users in domain bbb.
[Router] domain bbb
[Router-isp-bbb] authentication default radius-scheme system
[Router-isp-bbb] authorization default radius-scheme system
[Router-isp-bbb] accounting default radius-scheme system
Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
If you remove the accounting server used for online users, the router cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.
The status of RADIUS servers, blocked or active, determines which servers the device will
communicate with or turn to when the current servers are not available. In practice, you can specify
one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers
that function as the backup of the primary servers. Generally, the device chooses servers based on
these rules:
When the primary server is in the active state, the device communicates with the primary server.
If the primary server fails, the device changes the state of the primary server to blocked, starts
a quiet timer for the server, and turns to a secondary server in the active state (a secondary
server configured earlier has a higher priority). If the secondary server is unreachable, the
device changes the state of the secondary server to blocked, starts a quiet timer for the server,
and continues to check the next secondary server in the active state. This search process
continues until the device finds an available secondary server or has checked all secondary
servers in the active state. If the quiet timer of a server expires or an authentication or
accounting response is received from the server, the status of the server changes back to active
automatically, but the device does not check the server again during the authentication or
accounting process. If no server is found reachable during one search process, the device
considers the authentication or accounting attempt a failure.
Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove
the accounting server, real-time accounting requests and stop-accounting requests for the user
cannot be delivered to the server any more.
If you remove an authentication or accounting server in use, the communication of the device
with the server will soon time out, and the device will look for a server in the active state by
checking any primary server first and then the secondary servers in the order they are
configured.
When the primary server and secondary servers are all in the blocked state, the device
communicates with the primary server. If the primary server is available, its status changes to
active. Otherwise, its status remains blocked.
If one server is in the active state but all the others are in the blocked state, the device only tries
to communicate with the server in the active state, even if the server is unavailable.
After receiving an authentication/accounting response from a server, the device changes the
status of the server identified by the source IP address of the response to active if the current
status of the server is blocked.
1 to 99
100 to 499
500 to 999
12
1000
15
Configuration procedure
1.
2. To add a login control rule, configure the rule as described in Table 151 and click Apply.
3. To delete a login control rule, select the rule from the rule list and click Delete.
Description
Login Type
User IP Address
Wildcard
Exclude the management IP segment from login control. Otherwise, you cannot log
in to the device.
Do not set the wildcard to 255.255.255.255. Otherwise, no user can log in to the
device.
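As an added example that is not part of the guide, the following Python evaluates login control rules of the form described in the table above (login type, user IP address, wildcard) against login attempts, and flags the two lock-out mistakes the table warns about before a rule is applied. Treating each rule as a deny rule for matching sources, the rule set, the management host address and all other addresses are constructed assumptions.

```python
"""Added example (not from the H3C guide): evaluate login control rules with
wildcard masks and flag the lock-out mistakes the guide warns about.  Each rule
is treated as a deny rule for the sources it matches (assumption); all rules,
hosts and addresses below are constructed."""
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(source_ip, rule_ip, wildcard):
    """Wildcard bits set to 1 are don't-care bits (the inverse of a subnet mask),
    so 0.0.0.0 matches exactly one host and 255.255.255.255 matches every host."""
    w = to_int(wildcard)
    return (to_int(source_ip) | w) == (to_int(rule_ip) | w)


def login_denied(rules, login_type, source_ip):
    """A login is blocked when any rule of its type (Telnet, Web, ...) matches its source."""
    return any(r["login_type"] == login_type
               and wildcard_match(source_ip, r["user_ip"], r["wildcard"])
               for r in rules)


def lockout_warnings(rules, management_hosts):
    """Warn before applying: a 255.255.255.255 wildcard blocks every user of that
    login type, and a rule matching a management host blocks the administrator."""
    warnings = []
    for r in rules:
        label = "%s rule %s/%s" % (r["login_type"], r["user_ip"], r["wildcard"])
        if r["wildcard"] == "255.255.255.255":
            warnings.append(label + " blocks all users")
            continue
        for host in management_hosts:
            if wildcard_match(host, r["user_ip"], r["wildcard"]):
                warnings.append(label + " matches management host " + host)
    return warnings


# Constructed rules: hosts in 10.1.1.0/24 cannot Telnet, host 10.1.2.20 cannot use the Web.
RULES = [
    {"login_type": "Telnet", "user_ip": "10.1.1.0", "wildcard": "0.0.0.255"},
    {"login_type": "Web", "user_ip": "10.1.2.20", "wildcard": "0.0.0.0"},
]
MANAGEMENT_HOSTS = ["192.168.1.5"]  # constructed management segment host

if __name__ == "__main__":
    for login_type, src in [("Telnet", "10.1.1.100"), ("Web", "10.1.1.100"),
                            ("Web", "10.1.2.20"), ("Telnet", "192.168.1.5")]:
        print(login_type, src, "denied" if login_denied(RULES, login_type, src) else "permitted")
    bad = RULES + [{"login_type": "Web", "user_ip": "0.0.0.0", "wildcard": "255.255.255.255"}]
    print(lockout_warnings(bad, MANAGEMENT_HOSTS))
```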
Select Advanced > Access from the navigation tree to enter the login control configuration page.
Figure 353 Configuring a login control rule so Host A cannot Telnet to Router
2.
3.
4.
5. Click Apply.
A dialog box appears, asking you whether you want to continue your operation.
6. Click OK.
A configuration progress dialog box appears, as shown in Figure 354.
7. From the navigation tree, select Advanced > Access to enter the page for configuring login control rules.
2.
3.
4. Click Apply.
A dialog box appears, asking you whether you want to continue your operation.
5. Click OK.
6.
Figure 355 Configuring a login control rule so Host B cannot access Router through the Web
Configuring ARP
Overview
The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address, such as
an Ethernet MAC address.
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see Layer 3 IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).
Gratuitous ARP
Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device, the sender MAC address is the MAC address of the sending device, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
Determine whether its IP address is already used by another device. If the IP address is already used,
the device is informed of the conflict by an ARP reply.
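As an added example that is not H3C's code, the following Python builds and parses ARP packets using the gratuitous ARP field layout described above (sender IP equal to target IP, sender MAC the device's own, target MAC ff:ff:ff:ff:ff:ff) and shows how the conflict case is recognised: an ARP reply that carries the device's own IP address with a foreign sender MAC. All MAC and IP addresses are constructed.

```python
"""Added example (not H3C's code): build and inspect ARP packets using the
gratuitous ARP layout described above: sender IP == target IP == own IP,
sender MAC = own MAC, target MAC = ff:ff:ff:ff:ff:ff.  Addresses are constructed."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """28-byte Ethernet/IPv4 ARP payload (RFC 826): HTYPE 1, PTYPE 0x0800, HLEN 6, PLEN 4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def gratuitous_arp(own_mac, own_ip):
    """The packet a device sends to announce its address and probe for a conflict."""
    return build_arp(ARP_REQUEST, own_mac, own_ip, BROADCAST_MAC, own_ip)


def parse_arp(data):
    if len(data) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": fmt_mac(data[8:14]), "sender_ip": fmt_ip(data[14:18]),
            "target_mac": fmt_mac(data[18:24]), "target_ip": fmt_ip(data[24:28])}


def is_gratuitous(pkt):
    """Gratuitous per the definition above: the sender asks about its own address
    and addresses the packet to everyone."""
    return pkt["sender_ip"] == pkt["target_ip"] and pkt["target_mac"] == BROADCAST_MAC


def conflicting_macs(own_ip, own_mac, packets):
    """MAC addresses of other devices that answered for our IP address: an ARP
    reply carrying our IP as sender IP but a foreign sender MAC signals a conflict."""
    found = set()
    for data in packets:
        try:
            p = parse_arp(data)
        except ValueError:
            continue  # ignore malformed or non-IPv4 ARP packets
        if p["op"] == ARP_REPLY and p["sender_ip"] == own_ip and p["sender_mac"] != own_mac:
            found.add(p["sender_mac"])
    return found


if __name__ == "__main__":
    own_mac, own_ip = "00:11:22:33:44:55", "192.168.1.10"  # constructed
    probe = gratuitous_arp(own_mac, own_ip)
    print("gratuitous:", is_gratuitous(parse_arp(probe)))
    answer = build_arp(ARP_REPLY, "66:77:88:99:aa:bb", own_ip, own_mac, own_ip)
    print("conflicting MACs:", conflicting_macs(own_ip, own_mac, [probe, answer]))
```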
From the navigation tree, select Advanced > ARP Management > ARP Table.
The ARP Table configuration page as shown in Figure 356 appears.
2. Click Add.
The New Static ARP Entry page appears.
Description
IP Address
MAC Address
VLAN ID
Advanced Options
Enter a VLAN ID and specify a port for the static ARP entry.
Port
IMPORTANT:
The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to the VLAN. The corresponding VLAN interface must have been created.
VPN Instance
Enter the name of the VPN instance to which the static ARP entry belongs.
To remove specific ARP entries, select the boxes in front of them, and click Del Selected.
To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
To disable all the listed interfaces from learning dynamic ARP entries, click Disable all.
To disable specific interfaces from learning dynamic ARP entries, select target interfaces and click
Disable selected.
To allow all the listed interfaces to learn dynamic ARP entries, click Enable all.
To allow specific interfaces to learn dynamic ARP entries, select target interfaces and click Enable
selected.
Click the icon of an interface to enter the configuration page as shown in Figure 359, and specify the maximum number of dynamic ARP entries that this interface can learn.
If you enter 0, the interface is disabled from learning dynamic ARP entries.
If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the
number of dynamic ARP entries that the interface can learn restores the default.
Description
Setup page.
b. Select the Create option, as shown in Figure 362.
c.
2. Click Add to bring up the configuration progress dialog box, as shown in Figure 364.
3.
4.
g. Click Apply.
5. Click Search.
You can view the static ARP entries of Router A, as shown in Figure 367.
Prevent the virtual IP address of a VRRP group from being used by a host
Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors
on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries.
The ARP automatic scanning and fixed ARP features effectively prevent ARP entries from being modified
by attackers. Use the two functions in a small-sized network with a stable environment, such as a cybercafé.
Description
Sending Interface
Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent.
To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list box and click <<. To disable an interface from periodic sending of gratuitous ARP packets, select the interface from the Sending Interface list box and click >>.
IMPORTANT:
You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
This feature takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.
If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.
The frequency of sending gratuitous ARP packets may be much lower than is
Description
Interface
Start IP Address
End IP Address
To reduce the scanning time, you can specify the address range for scanning.
If no IP address range is specified, the device only scans the network where the primary IP address of the interface resides for neighbors, and sends ARP requests in which the sender IP address is the primary IP address of the interface.
IMPORTANT:
You must specify both the start IP address and the end IP address. Otherwise,
Start and end IP addresses must be on the same network segment as the
After the preceding configuration is complete, click Scan to start an ARP automatic scan.
To stop an ongoing scan, click Interrupt.
After the scanning is complete, a prompt Scanning is complete appears. You can view the generated
dynamic ARP entries by selecting Advanced > ARP Anti-Attack > Fixed ARP from the navigation tree.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static
ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries
into static.
Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S.
When the dynamic ARP entries are changed into static, new dynamic ARP entries may be created
(suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number
is N). After the process is complete, the number of static ARP entries is D + S + M − N.
From the navigation tree, select Advanced > ARP Anti-Attack > Fix to enter the page shown in Figure 370.
The page displays all dynamic ARP entries and static ARP entries (including manually configured and
changed by the fixed ARP feature).
Figure 370 Fixed ARP configuration page
To change all dynamic ARP entries into static, click Fix All. This operation does not affect existing
static ARP entries.
To remove all static ARP entries, click Del All Fixed. This operation does not affect dynamic ARP
entries.
To change a specific dynamic ARP entry into static, select the ARP entry and click Fix. This operation
does not take effect if you select a static ARP entry.
To remove a specific static ARP entry, select the ARP entry and click Del Fixed. This operation does
not take effect if you select a dynamic ARP entry.
Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer
3 VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec provides the following security services in insecure network environments:
Confidentiality: The sender encrypts packets before transmitting them over the Internet, protecting
the packets from being eavesdropped en route.
Data integrity: The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.
Anti-replay: The receiver examines packets and drops outdated and duplicate packets.
Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec SA setup and maintenance.
Good compatibility. You can apply IPsec to all IP-based application systems and services without
modifying them.
Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility
and greatly enhances IP security.
IKE is built on a framework defined by ISAKMP. It provides automatic key negotiation and SA
establishment services for IPsec, simplifying the application, management, configuration and
maintenance of IPsec dramatically.
Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them,
and calculate shared keys respectively. Even if a third party captures all exchanged data for calculating
the keys, it cannot calculate the keys.
For more information about IPsec and IKE, see Security Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).
Step
Remarks
Configuring an IPsec connection
Required.
Optional.
2. Select VPN > IPsec VPN from the navigation tree to enter the IPsec connection management page.
2.
3.
Description
Interface
Network Type
Remote
Gateway
Address/Hostname
The IP address can be a host IP address or an IP address range. If the local end is the
initiator of IKE negotiation, it can have only one remote IP address and its remote IP
address must match the local IP address configured on its peer. If the local end is the
responder of IKE negotiation, it can have more than one remote IP address and one
of its remote IP addresses must match the local IP address configured on its peer.
The remote host name uniquely identifies the remote gateway in the network, and
can be resolved into an IP address by the DNS server. The local end can be the
initiator of IKE negotiation when the host name is specified.
Enter the IP address of the local gateway.
By default, it is the primary IP address of the interface where the IPsec connection is
set up.
IMPORTANT:
Configure this item when you want to specify a special address (a loopback interface
address, for example) for the local gateway. The name or IP address of the remote
gateway is required for an initiator so that the initiator can find the remote peer in
negotiation.
Select the authentication method to be used by the IKE negotiation. Options include:
the key in the Key field and enter the same key in the Confirm Key field.
Remote ID Type
IP Address: Uses an IP address as the ID in IKE negotiation.
IMPORTANT:
Item
Description
configured here is identical to the local gateway ID configured on its peer.
IP Address: Uses an IP address as the ID in IKE negotiation.
Selector
Source Address/Wildcard
IMPORTANT:
To make sure SAs can be set up, configure the source address/wildcard on one
Destination Address/Wildcard
If the data range is designated by the remote gateway, the local peer cannot
initiate a negotiation.
Reverse Route Injection
Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer private network. You do not have to manually configure the static route.
IMPORTANT:
If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by the remote gateway.
IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the IPsec SAs are deleted.
To view the static routes created by IPsec RRI, select Advanced > Route Setup [Summary] from the navigation tree.
If you do not specify any next hop, the remote tunnel endpoint's address learned during IPsec SA negotiation is used.
Item
Description
Priority
Change the preference of the static routes.
4.
Change the route preference for equal-cost multipath (ECMP) routing or route
backup. If multiple routes to the same destination have the same preference, traffic is
balanced among them. If multiple routes to the same destination have different
preference values, the route with the highest preference forwards traffic and all other
routes are backup routes.
5.
6. Click Apply.
Description
Phase 1
Item
Description
Exchange Mode
Select the IKE negotiation mode in phase 1, which can be main or aggressive.
IMPORTANT:
If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE
negotiation mode must be aggressive. In this case, SAs can be established as long
as the username and password are correct.
An IKE peer uses its configured IKE negotiation mode when it is the negotiation
initiator. A negotiation responder uses the IKE negotiation mode of the initiator.
Authentication Algorithm
SHA1: Uses HMAC-SHA1.
MD5: Uses HMAC-MD5.
Encryption Algorithm
Select the encryption algorithm to be used in IKE negotiation. Options include:
IMPORTANT:
Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in
IKE negotiation takes time, especially on low-end devices. Set the lifetime greater than 10
minutes to prevent the SA update from influencing normal communication.
Phase 2
Security Protocol
Select the security protocols to be used. Options include:
AH Authentication Algorithm
ESP Authentication Algorithm
You can select MD5 or SHA1, or select NULL so that ESP performs no authentication.
IMPORTANT:
The ESP authentication algorithm and ESP encryption algorithm cannot be null at the
same time.
Item
Description
ESP Encryption Algorithm
Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security Protocol. Options include:
Higher security means more complex implementation and lower speed. DES is
enough to meet general requirements. Use 3DES when high confidentiality and
security are required.
The ESP authentication algorithm and ESP encryption algorithm cannot be null at
the same time.
PFS
None: Disables PFS.
Diffie-Hellman Group1: Enables PFS and uses the 768-bit Diffie-Hellman group.
Diffie-Hellman Group2: Enables PFS and uses the 1024-bit Diffie-Hellman group.
Diffie-Hellman Group5: Enables PFS and uses the 1536-bit Diffie-Hellman group.
Diffie-Hellman Group14: Enables PFS and uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
When IPsec uses an IPsec connection with PFS configured to initiate negotiation, an
additional key exchange is performed in phase 2 for higher security.
Two peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.
SA Lifetime
Enter the IPsec SA lifetime, which can be time-based or traffic-based.
IMPORTANT:
When negotiating to set up IPsec SAs, IKE uses the smaller one between the lifetime set
locally and the lifetime proposed by the peer.
DPD
Enables or disables IKE DPD.
DPD Query Triggering Interval
DPD irregularly detects dead IKE peers. When the local end sends an IPsec packet,
DPD checks the time the last IPsec packet was received from the peer. If the time
exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no
DPD acknowledgement within the DPD packet retransmission interval, it retransmits the
DPD hello. If the local end still receives no DPD acknowledgement after having made
the maximum number of retransmission attempts (two by default), it considers the peer
already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
Enter the interval after which DPD is triggered if no IPsec-protected packet is received from the peer.
Item
Description
DPD Packet Retransmission Interval
Enter the interval after which DPD packet retransmission occurs if no DPD response is received.
2. Click the Monitoring Information tab to enter the page that displays the IPsec connection configuration and status information.
3.
4. To delete all ISAKMP SAs of all IPsec connections, click Delete ISAKMP SA. To delete IPsec tunnels that use the configuration of an IPsec connection, select the IPsec connection, and click Delete Selected Connection's Tunnels.
Description
Connection Status
Status of an IPsec connection. Possible values include:
Connected.
Disconnected.
Unconfigured: The IPsec connection is disabled.
Field
Description
The most recent error, if any. Possible values include:
Description
Characteristics of Traffic
SPI
Configuring Router A
1.
2.
Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields.
j. Click Apply.
Configuring Router B
1.
2.
f. Click Apply.
3.
Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields.
Click Apply.
Configuration guidelines
When you configure IPsec, follow these guidelines:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50 respectively. Make sure flows of these protocols are not denied on the interfaces with IKE or
IPsec configured.
If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different
queues by QoS, causing some packets to be sent out of order. Because IPsec performs anti-replay
checking, packets that arrive outside the anti-replay window in the inbound direction may be discarded,
resulting in packet loss. When using IPsec together with QoS, make sure the traffic characteristics
used by IPsec match the traffic classification used by QoS.
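To make the QoS guideline concrete, here is an added example (not H3C code) of an ESP-style anti-replay sliding window; the 64-entry window size is an assumption and the arrival orders fed to it are constructed.

```python
"""ESP anti-replay sliding window, added to illustrate the QoS guideline
(example code, not H3C code). The 64-entry window size is an assumption;
the sequence numbers fed to it are constructed.
"""
from typing import List


class AntiReplayWindow:
    """Bitmap window as used for ESP: tracks the highest accepted sequence number
    and which of the `size` numbers below it have already been seen."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set means (highest - i) has been accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if acceptable; False for replays or stale packets."""
        if seq == 0:
            return False       # ESP never uses sequence number 0
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False       # fell behind the window: dropped even though legitimate
        if self.bitmap & (1 << offset):
            return False       # genuine replay: already accepted once
        self.bitmap |= 1 << offset
        return True


def deliver(arrival_order: List[int], size: int = 64) -> List[int]:
    """Feed packets in the given arrival order; return the sequence numbers accepted."""
    window = AntiReplayWindow(size)
    return [seq for seq in arrival_order if window.check_and_update(seq)]


if __name__ == "__main__":
    # Mild reordering (two QoS queues swapping neighbours) is harmless.
    print(deliver([1, 2, 4, 3, 5]))
    # A packet held in a low-priority queue behind 70 newer ones is lost at size 64.
    print(1 in deliver(list(range(2, 72)) + [1]))
```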
Configuring L2TP
A VPDN is a VPN that utilizes the dial-up function of public networks such as ISDN or PSTN networks to
provide access services for enterprises, small ISPs, and telecommuters. VPDN provides an economical
and effective, point-to-point way for remote users to connect to their private LANs.
Layer 2 Tunneling Protocol (L2TP) is the most widely-used VPDN tunneling protocol. Figure 378 shows a
typical VPDN built by using L2TP.
Figure 378 VPDN built by using L2TP
Remote system
A remote system is usually a remote user's host or a remote branch's routing device that needs to
access the VPDN network.
LAC
An L2TP access concentrator (LAC) is a device that has PPP and L2TP capabilities. An LAC is
usually a Network Access Server (NAS) located at a local ISP, which provides access services
mainly for PPP users.
An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It
encapsulates packets received from a remote system using L2TP and then sends the resulting
packets to the LNS. It de-encapsulates packets received from the LNS and then sends the resulting
packets to the intended remote system.
Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used
in a VPDN application.
LNS
An L2TP network server (LNS) functions as both the L2TP server and the PPP end system. It is usually
an edge device on an enterprise network.
An LNS is the other endpoint of an L2TP tunnel and is a peer to the LAC. It is the logical termination
point of a PPP session tunneled by the LAC. L2TP logically extends the termination point of a PPP session
from a NAS to an LNS.
For more information about L2TP, see Layer 2 - WAN Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).
Enabling L2TP
1.
Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as
shown in Figure 379.
2.
On the upper part of the page, select the box before Enable L2TP.
3.
Click Apply.
Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as
shown in Figure 379.
2.
On the lower part of the page, click Add to add an L2TP group.
3.
4.
Click Apply.
Description
Item
Description
Tunnel Authentication
Authentication Password
tearing down the tunnel. Otherwise, your change does not take
effect.
Authentication
Method
Select the authentication method for PPP users on the local end.
You can select PAP or CHAP. If you do not select an authentication
method, no authentication will be performed.
Specify the ISP domain for PPP user authentication. You can:
PPP
Authentication
Configuration
Select an ISP domain and click Modify to enter the ISP domain
modification page. For information about the configuration
items, see Table 161.
ISP Domain
Select an ISP domain and click Delete to delete the ISP domain.
If you specify an ISP domain, the specified domain is used for
authentication, and IP addresses must be assigned from the
address pool configured in the specified domain.
If you do not specify any ISP domain, the system checks whether
the domain information is carried in a username. If yes, the
domain is used for authentication; otherwise, the default domain
(system by default) is used for authentication.
PPP Address
Item
Description
Assign Address
Forcibly
Hello Interval
Advanced
Configuration
With L2TP, some parameters are transferred as AVP data. You can
configure an LAC to transfer AVP data in hidden mode, namely,
encrypt AVP data before transmission, for higher security.
This configuration does not take effect on an LNS.
Specify whether to enable flow control for the L2TP tunnel.
Flow Control
The L2TP tunnel flow control function is for control of data packets
in transmission. The flow control function helps in buffering and
adjusting the received out-of-order data packets.
Item
Description
Configure user authentication on an LNS.
Mandatory CHAP
Description
ISP Domain
Primary
Local: Local authentication.
None: No authentication. All users are trusted and no authentication is
performed.
Authentication
Methods
Backup
Primary
Authorization
Methods
Local: Local authorization.
None: No authorization. The access device does not perform
authorization for PPP users. After passing authentication, PPP users can
directly access the network.
method of the ISP domain will be used. The default is local authorization.
Backup
Item
Description
Specify whether to enable the accounting optional function.
Accounting
Optional
Accounting
Methods
scheme system.
Primary
Local: Local accounting.
None: No accounting. The system does not perform accounting for the
users.
method of the ISP domain will be used. The default is local accounting.
Backup
Description
ISP Domain
If you set the IP address pool number to 1, the name of the IP address pool is
pool1.
Item
Description
Start IP
Specify the start IP address and end IP address of the IP address pool.
End IP
The number of addresses between the start IP address and end IP address
must not exceed 1024. If you specify only the start IP address, the IP address
pool will contain only one IP address, namely, the start IP address.
Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page.
2.
Description
Local Tunnel ID
Peer Tunnel ID
Peer Tunnel IP
Session Count
The user first connects to the Internet, and then initiates a tunneling request to the LNS directly.
2.
After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the
VPN user.
3.
The VPN user communicates with the headquarters over the tunnel.
Set the Internet interface address of the security gateway as the IP address of the LNS. In this
example, the Ethernet interface on the LNS, the interface for the tunnel, has an IP address of 1.1.2.2.
Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to customized
and the authentication mode to CHAP.
2.
Enable L2TP:
a. Select VPN > L2TP > L2TP Config from the navigation tree.
Click Apply.
3.
4.
Click Apply to finish the IP address pool configuration and return to the L2TP group
configuration page.
5.
On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address
(192.168.0.2) and will be able to ping the private address of the LNS (192.168.0.1).
2.
On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the
established L2TP tunnel should appear, as shown in Figure 390.
Configuring GRE
You can configure GRE over IPv4 tunnels through the Web interface.
Overview
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets
of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example,
IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol.
A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are
encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 391 depicts the
encapsulation and de-encapsulation processes.
Figure 391 X protocol networks interconnected through the GRE tunnel
For more information about GRE, see Layer 3 - IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guides (V5).
Remarks
Creating a GRE tunnel.
Required.
Create a tunnel interface and configure GRE tunnel related parameters.
Optional.
2.
Each end of the tunnel must have a route (static or dynamic) through the
tunnel to the other end, so that GRE encapsulated packets can be forwarded
normally.
For more information about route configuration, see "Configuring routes."
Select VPN > GRE from the navigation tree to enter the GRE tunnel configuration page, as shown
in Figure 392.
2.
Description
Tunnel Interface
IP/Mask
IMPORTANT:
When configuring a static route on the tunnel interface, note that the destination IP
address of the static route must not be in the subnet of the tunnel interface.
Tunnel Source
IP/Interface
Specify the source IP address and destination IP address for the tunnel interface.
For the tunnel source address, you can input an IP address or select an interface. In
the latter case, the primary IP address of the interface will be used as the tunnel
source address.
IMPORTANT:
Tunnel Destination IP
The source address and destination address of a tunnel uniquely identify a path. They
must be configured at both ends of the tunnel and the source address at one end must
be the destination address at the other end and vice versa.
Item
Description
GRE Key
Specify the key for the GRE tunnel interface. This configuration prevents the
tunnel ends from processing or accepting packets that come from other places.
IMPORTANT:
The two ends of a tunnel must have the same key or have no key at the same time.
Keepalive
With the GRE keepalive function enabled on a tunnel interface, the device sends
GRE keepalive packets from the tunnel interface periodically. If no response is
received from the peer within the specified interval, the device retransmits the
keepalive packet. If the device still receives no response from the peer after sending
the keepalive packet for the maximum number of attempts, the local tunnel interface
goes down and stays down until it receives a keepalive acknowledgement packet
from the peer.
Keepalive Interval
Specify the interval between sending the keepalive packets and the maximum
number of transmission attempts.
Number of Retries
The two configuration items are available when you select Enable for the GRE
keepalive function.
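An added example (not H3C code) that parses a GRE header and enforces the rule from the GRE Key item above: a packet is accepted only if its key presence and value match the local tunnel's configuration. The header layout follows RFC 2784/2890; the key and payload values are constructed, and note that a GRE key is a tunnel identifier, not a cryptographic protection.

```python
"""GRE header parsing with the key-match rule from the GRE Key item (added
example, not H3C code). Header layout per RFC 2784/2890; key and payload
bytes below are constructed.
"""
import struct
from typing import Dict, Optional, Tuple

GRE_FLAG_C = 0x8000   # checksum (and reserved1) present
GRE_FLAG_K = 0x2000   # key present
GRE_FLAG_S = 0x1000   # sequence number present
ETHERTYPE_IPV4 = 0x0800


def parse_gre(packet: bytes) -> Tuple[Dict[str, Optional[int]], bytes]:
    """Return (header fields, payload); raise ValueError on a malformed header."""
    if len(packet) < 4:
        raise ValueError("GRE header truncated")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    if flags_ver & 0x7:
        raise ValueError("unsupported GRE version")
    # Work out the full header length before touching any optional field.
    need = 4
    for flag in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S):
        if flags_ver & flag:
            need += 4          # checksum+reserved1, key and sequence are 4 bytes each
    if len(packet) < need:
        raise ValueError("GRE header truncated")
    fields: Dict[str, Optional[int]] = {"protocol": proto, "checksum": None,
                                        "key": None, "seq": None}
    pos = 4
    if flags_ver & GRE_FLAG_C:
        fields["checksum"] = struct.unpack("!H", packet[pos:pos + 2])[0]
        pos += 4
    if flags_ver & GRE_FLAG_K:
        fields["key"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags_ver & GRE_FLAG_S:
        fields["seq"] = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    return fields, packet[pos:]


def build_gre(proto: int, payload: bytes, key: Optional[int] = None,
              seq: Optional[int] = None) -> bytes:
    """Encapsulate payload in a GRE header with optional key and sequence number."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        optional += struct.pack("!I", seq)
    return struct.pack("!HH", flags, proto) + optional + payload


def accept_on_tunnel(packet: bytes, configured_key: Optional[int]) -> bool:
    """Apply the rule from the text: both ends have the same key, or neither has one.
    configured_key=None models a tunnel interface configured without a GRE key."""
    try:
        fields, _ = parse_gre(packet)
    except ValueError:
        return False           # malformed headers are dropped, never guessed at
    return fields["key"] == configured_key


if __name__ == "__main__":
    # Constructed packet: GRE with key 0xBEEF carrying a stub IPv4 header.
    pkt = build_gre(ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18, key=0xBEEF)
    print(parse_gre(pkt)[0])
    print(accept_on_tunnel(pkt, 0xBEEF), accept_on_tunnel(pkt, None))
```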
Before the configuration, make sure Router A and Router B can reach each other.
Configuring Router A
1.
The WAN parameter configuration page for the interface appears, as shown in Figure 395.
c.
Click Apply.
2.
Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel:
a. Click the
3.
Enter the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B.
g. Click Apply.
4.
Click Apply.
Figure 398 Adding a static route from Router A through interface Tunnel 0 to Group 2
Configuring Router B
1.
icon for interface Ethernet 0/0 and then perform the configurations shown
in Figure 399.
c.
Click Confirm.
2.
Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel:
a. Click the icon for interface Ethernet 0/1 and then perform the configurations shown
in Figure 400.
3.
Enter the destination end IP address 1.1.1.1, the IP address of Ethernet 0/1 on Router A.
g. Click Apply.
4.
Click Apply.
Figure 402 Adding a static route from Router B through interface Tunnel 0 to Group 1
d. Click Start.
e. View the result of the ping operation in the Summary area.
The administrator logs in to the Web interface of the SSL VPN gateway, and then creates resources
to represent resources on the internal servers.
2.
A remote user establishes an HTTPS connection to the SSL VPN gateway. The SSL VPN gateway
and the remote user authenticate each other by using the certificate-based authentication function
provided by SSL.
3.
After establishing the HTTPS connection, the user can log in to the Web interface of the SSL VPN
gateway by entering the username and password and selecting the authentication method
(RADIUS authentication, for example). The SSL VPN gateway verifies the user information.
4.
After logging in to the Web interface, the user finds the resources of interest on the Web interface
and then the user client sends an access request to the SSL VPN gateway through an SSL
connection.
5.
The SSL VPN gateway resolves the request, interacts with the corresponding server, and then
forwards the server's reply to the user.
Web proxy server resources: Web-based access enables users to establish HTTPS connections to
the SSL VPN gateway through a browser and thereby access the Web proxy server resources of the
servers.
TCP application resources: TCP-based access allows users to use their applications to access the
open service ports of the server securely. Such resources include remote access services, desktop
sharing services, email services, and common application service resources.
IP network resources: IP-based access allows user hosts to communicate with servers at Layer 3
securely, supporting all IP-based applications to communicate with the servers.
Simple deployment
SSL has been integrated into most browsers, such as IE. Almost every PC installed with a browser
supports SSL. To access Web-based resources, users only need to launch a browser that supports SSL.
When a user tries to access TCP-based or IP-based resources, the SSL VPN client software runs
automatically, without requiring any manual intervention.
Local authentication
RADIUS authentication
LDAP authentication
AD authentication
Remarks
Required.
1.
2.
3.
4.
Enable SSL VPN, and configure the port number for the SSL
VPN service and the PKI domain to be used.
Configure at least one type of resources.
By default, no resources are configured.
Required.
5.
8.
9.
Step
Remarks
Optional.
Optional.
Customize service interfaces for SSL VPN users.
Select VPN > SSL VPN > Service Management from the navigation tree to enter the service
management page.
2.
3.
Click Apply.
Description
Select the box before this item to enable the SSL VPN service.
Port
Specify the port for providing the SSL VPN service. The default port number is
443.
PKI Domain
Select VPN > SSL VPN > Resource Management > Web Proxy from the navigation tree. A page
that lists the Web proxy server resources appears.
2.
Click Add to enter the page for adding a Web proxy server resource.
3.
Description
Enter a name for the Web proxy server resource.
Resource Name
The resource name must be unique in the SSL VPN system. Resources are
uniquely identified by their names.
Item
Description
Specify the Website address for providing Web services. It must start with http://
and end with /, for example, http://www.domain.com/web1/.
Website Address
Default Page
Assume that you have specified a website address in the Website Address field.
To allow access to specific webpages provided at the website, for example, the
webpages www.domain1.com, www.domain2.com, www.domain2.org, and
www.domain2.edu, you can specify www.domain1.com|www.domain2.* as
the matching patterns.
Select this box to enable page protection.
With page protection enabled, a logged-in user cannot capture screenshots, save
pages, or print pages.
4.
5.
Click Apply.
Description
Select this box to allow IP access to the resource.
If you select this item, you must configure an IP network resource for a website
and associate the IP network resource with the relevant users. When such a user
accesses the website from the SSL VPN Web interface, the system logs the user in
automatically to the website through the IP network resource.
Use IP network
If you do not select this item, users access the resource through the Web proxy
server.
When you select the IP network mode, this item specifies the path that the
system submits during single login. If you leave this field blank, the system uses
the address that is specified in the Website Address field.
When the IP network mode is not selected, this item specifies the relative path
of the Web proxy website. If you leave this field blank, the SSL VPN system
uses the default page specified in the Default Page field.
Username Parameter
Name
Specify the username parameter name that the system submits during automatic
login.
Specify the password parameter name that the system submits during automatic
login.
Specify the other parameters for the system to submit during automatic login.
Other parameters
To add a parameter other than the username and password, click Add, enter the
parameter name and parameter value on the popup page and click Apply.
Click the icon of a resource on the Web proxy server resource list, as shown in Figure 406.
7.
Enter a username and a password (the password must be different from the username) on the
popup page, and click Apply.
The login page for the website in the resource pops up.
8.
During this process, the system automatically gets the username parameter name and the password
parameter name. When the website login page requires parameters other than the username and
password, you cannot configure single login in this method.
Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
The Remote Access Service page appears.
2.
Click Add to enter the page for adding a remote access service.
3.
4.
Click Apply.
Description
Enter a name for the remote access service resource.
The resource name must be unique in the SSL VPN system. Resources are uniquely
identified by their names.
Resource Name
IMPORTANT:
If you do not configure the command for Command, H3C recommends including the
resource type, local address, and local port in the resource name so that users can view
the desired information after they log in to the SSL VPN system.
Remote Host
Specify the host name or IP address of the remote host that provides the remote access
service.
Item
Description
Remote Port
Specify the port number that the remote host uses for the remote access service.
Local Host
Local Port
Specify the port number that the local host uses for the remote access service. H3C
recommends using a port number greater than 1024 that is rarely used.
Configure the Windows command for the resource.
Command
After you configure the command, users can start the related application to access the
remote server by clicking the resource name on the SSL VPN service interface.
For example, you can configure the command for a Telnet service in the format telnet
<local address> <local port>, such as telnet 127.0.0.1 2300. If you specified the
default port number of the remote access service as the local port number, you can omit
the local port in the command.
Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2.
Click the Desktop Sharing Service tab to view existing desktop sharing services.
3.
Click Add to enter the page for adding a desktop sharing service.
4.
5.
Click Apply.
Description
Enter a name for the desktop sharing service resource.
The resource name must be unique in the SSL VPN system. Resources are uniquely
identified by their names.
Resource Name
IMPORTANT:
If you do not configure the command for Command, H3C recommends including the
resource type, local address, and local port in the resource name so that users can view
the desired information after they log in to the SSL VPN system.
Remote Host
Specify the host name or IP address of the remote host that provides the desktop sharing
service.
Remote Port
Specify the port number that the remote host uses for the desktop sharing service.
Local Host
Local Port
Specify the port number that the local host uses for the remote access service. H3C
recommends using a port number greater than 1024 that is rarely used.
Configure the Windows command for the resource.
Command
For example, you can configure the command for a Windows desktop sharing service
in the format mstsc /v <local address> <local port>, such as mstsc /v 127.0.0.2
20000. If you specified the default port number of the desktop sharing service as the
local port number, you can omit the local port in the command.
Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2.
3.
4.
5.
Click Apply.
Description
Enter a name for the email service resource.
The resource name must be unique in the SSL VPN system. Resources are uniquely
identified by their names.
Resource Name
IMPORTANT:
If you do not configure the command for Command, H3C recommends including the
resource type, local address, and local port in the resource name so that users can view
the desired information after they log in to the SSL VPN system.
Service Type
Remote Host
Remote Port
Local Address
Local Port
Enter the local port number. It must be the default port number for the email service of
the specified type.
Configure the Windows command for the resource.
Command
Users must manually start the email service application. You do not need to configure
this item.
Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2.
3.
4.
5.
Click Apply.
Description
Enter a name for the Notes service resource.
The resource name must be unique in the SSL VPN system. Resources are uniquely
identified by their names.
Resource Name
IMPORTANT:
If you do not configure the command for Command, H3C recommends including the
resource type, local address, and local port in the resource name so that users can view
the desired information after they log in to the SSL VPN system.
Remote Host
Remote Port
Local Host
IMPORTANT:
The local host character string must be the same as the mail server name in the Notes
application. Otherwise, the Notes service resource cannot be used normally.
Local Port
Enter the local port number. It must be the default port number of the Notes service.
Configure the command for the resource.
Command
Users must manually start the Notes service application. You do not need to configure
this item.
Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2.
3.
Click Add to enter the page for adding a common TCP service.
4.
5.
Click Apply.
Description
Enter a name for the common TCP service resource.
The resource name must be unique in the SSL VPN system. Resources are uniquely
identified by their names.
Resource Name
IMPORTANT:
If you do not configure the command for Command, H3C recommends including the
resource type, local address, and local port in the resource name so that users can view
the desired information after they log in to the SSL VPN system.
Item
Description
Service Type
Remote Host
Enter the host name or IP address of the remote host that provides the common TCP
service.
Remote Port
Enter the port number that the remote host uses for the common TCP service.
Local Host
Local Port
Enter the port number that the local host uses for the common TCP service.
Command
Remarks
1.
Configuring global
parameters
2.
Required.
Configure global parameters, such as the address pool, gateway address,
timeout time, WINS server, and DNS server, for IP network resources.
Required.
Configure the host resources that users can access from the IP networks list
of the SSL VPN interface.
Optional.
3.
Configuring a user-IP
binding
4.
Configuring a predefined
domain name
Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global
Configuration tab appears.
2.
3.
Click Apply.
Description
Start IP
End IP
Specify the IP address pool from which the gateway assigns IP addresses for clients'
virtual network adapters.
Subnet Mask
Gateway IP
Timeout
Set an idle timeout for client connections. If the gateway does not receive any packet
from a client during this period, the gateway disconnects the client.
WINS Server IP
Enter the WINS server IP addresses to be assigned to clients' virtual network adapters.
DNS Server IP
Enter the DNS server IP addresses to be assigned to clients' virtual network adapters.
Allow clients to
intercommunicate
Select this item to allow online users to access only the VPN.
If you do not select this item, online users can access both the VPN and the Internet.
Specify how to display network services for online users.
Show Network
Services by
Description: Shows the description information of the network services that host
resources allow users to access.
IP address: Shows the destination address, subnet mask, and protocol type of the
network services that host resources allow users to access.
Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
2.
3.
4.
5.
Click the Add button under the network services list to enter the page for adding a network service.
6.
Add a network service that the host resource provides for users, as described in Table 174.
Description
Destination IP
Subnet Mask
Protocol
Specify the protocol type of the network service, which can be IP, TCP, or UDP.
Enter a description for the network service.
IMPORTANT:
Description
If you have configured the system to show network services by description, H3C
recommends that you include the network services' network information (subnet IP/mask)
in the description so that users can view desired information after they log in to the SSL
VPN system.
7.
Click Apply to add the network service to the network service list.
8.
9.
Click the Add button under the shortcuts list to enter the page for adding a network service shortcut.
10.
Enter a name for the shortcut and specify the Windows command of the shortcut.
11.
12.
13.
Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
2.
3.
4.
5.
Click Apply.
Description
Username
Specify the username to be bound with an IP address. The username must contain the
domain name. For example, aaa@local.
Specify the IP address to be bound with the username.
IP Address
The specified IP address must be in the same network segment as the global IP address
pool and must not be the gateway address or any address in the global IP pool.
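An added example (not H3C code) that applies the rules in this table to a proposed user-IP binding before it is committed; the pool range, mask, gateway and usernames are constructed values.

```python
"""Validation of an SSL VPN user-IP binding against the rules in the table
(added example, not H3C code). Pool range, mask, gateway and usernames are
constructed values.
"""
import ipaddress
from typing import Optional


def check_binding(username: str, ip: str, pool_start: str, pool_end: str,
                  subnet_mask: str, gateway_ip: str) -> Optional[str]:
    """Return None if the binding is valid, otherwise the reason it must be rejected."""
    # Rule 1: the username must carry the domain name (for example aaa@local).
    user, sep, domain = username.rpartition("@")
    if not sep or not user or not domain:
        return "username must include the domain name, for example aaa@local"
    try:
        addr = ipaddress.IPv4Address(ip)
        gateway = ipaddress.IPv4Address(gateway_ip)
        start = ipaddress.IPv4Address(pool_start)
        end = ipaddress.IPv4Address(pool_end)
        # Network segment of the global pool, derived from the gateway and mask.
        segment = ipaddress.IPv4Network((gateway_ip, subnet_mask), strict=False)
    except ValueError as exc:
        return f"invalid address: {exc}"
    # Rule 2: same network segment as the global address pool.
    if addr not in segment:
        return f"{addr} is not in the global pool segment {segment}"
    # Rule 3: never the gateway address.
    if addr == gateway:
        return f"{addr} is the gateway address"
    # Rule 4: never an address the pool could hand out dynamically.
    if start <= addr <= end:
        return f"{addr} lies inside the global IP pool {start}-{end}"
    return None


if __name__ == "__main__":
    pool = dict(pool_start="10.10.10.10", pool_end="10.10.10.100",
                subnet_mask="255.255.255.0", gateway_ip="10.10.10.1")
    for user, ip in [("aaa@local", "10.10.10.200"), ("aaa", "10.10.10.200"),
                     ("bbb@local", "10.10.10.1"), ("ccc@local", "10.10.10.50")]:
        print(user, ip, "->", check_binding(user, ip, **pool) or "ok")
```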
Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
2.
Click the Predefined Domain Name tab to view existing predefined domain names.
3.
Click Add to enter the page for adding a predefined domain name.
4.
5.
Click Apply.
Description
Domain Name
IP Setting Method
Dynamic: To use this method, you also need to navigate to page Advanced > DNS
Setup > DNS Configuration to configure domain name resolution. The gateway will
first resolve the domain name to get an IP address and then issue the IP address to
clients.
Static: To use this method, you must specify an IP address in the next field. The
gateway will issue the domain name-IP address mapping to clients.
IP
Specify an IP address for the domain name when the IP setting method is Static.
When the IP setting method is Dynamic, this IP setting does not take effect.
Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree. The
Resource Group page appears.
2.
3.
4.
Click Apply.
Description
Selected Resources
Available Resources
Configure local users one by one in the SSL VPN system. In this method, you can configure all
parameters for a user at the same time, including the user name, password, the certificate and MAC
addresses to be bound, public account settings, user status, and user groups.
Write the information of the users into a text file, and then import the users to the SSL VPN system.
Users imported in this method only contain the username and password information, with the user
status being Permitted. You can configure more parameters for an imported user by modifying the
user's information.
Select VPN > SSL VPN > User Management > Local User from the navigation tree. The local user
list appears.
2.
3.
4.
Click Apply.
Description
Username
Description
Password
Specify a password for the local user and enter the password again to confirm the
password.
Confirm Password
Certificate SN
Specify a certificate sequence number for the local user. The certificate number will be
used for identity authentication of the local user.
Item
Enable public
account
Description
Select this item to set the local user account as a public account. A public account can
be concurrently used by multiple users to log in to the SSL VPN system.
If you do not select this item, only one user can use the local user account to log in to the
SSL VPN system at a time.
Max Number of
Users
Set the maximum number of concurrent users that can log in to the SSL VPN system by
using the public account.
User Status
Select a user status, which can be Permitted, Permitted When Valid, and Denied.
Expiry Date
Set the expiry date for the user when the user status is set to Permitted When Valid.
MAC Address
Enable MAC
address learning
Selected User
Groups
Available User
Groups
IMPORTANT:
To implement the two functions, you must also enable the MAC address binding function in the
domain policy (see "Configuring the domain policy").
Select VPN > SSL VPN > User Management > Batch Import from the navigation tree.
The batch import page appears.
2.
Click Browse to locate the local file that saves the user information.
3.
Set whether to directly overwrite the file with the same name on the device.
4.
Click Apply to import local users from the file into the SSL VPN.
Select VPN > SSL VPN > User Management > User Group from the navigation tree.
The user group list page appears.
2.
3.
4.
Click Apply.
Description
Select resource groups for the user group. Users in the user group will be able to
access the resources in the selected resource groups.
Available Resources
Selected Local Users
Available Local Users
Select VPN > SSL VPN > User Management > User Information from the navigation tree.
The Online Users tab appears, displaying the information of the current online users.
2.
Description
Login Time
Username
IP Address
Select VPN > SSL VPN > User Management > User Information from the navigation tree. The
Online Users tab appears, as shown in Figure 435.
2.
3.
4.
Select VPN > SSL VPN > User Management > User Information from the navigation tree.
2.
Domain policy: Defines the common parameters and functions for the SSL VPN domain.
Caching policy: Specifies which cached contents to clear from user hosts when users log out from
the SSL VPN system.
Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The
Domain Policy tab appears.
2.
3.
Click Apply.
Description
Select this item to enable security check.
With security check enabled, the SSL VPN system checks a user host based on the
security policy and determines whether to allow the user to access resources according
to the check result.
IMPORTANT:
To implement user host security check, you must also configure the security policy. See
"Configuring a security policy."
Select this item to use verification codes.
After you select this item, users must enter the correct verification codes to log in to the
SSL VPN system.
Select this item to enable the separate client function.
Enable separate
client
After a user logs in to SSL VPN, the SSL VPN client automatically runs. With separate
client enabled, the system automatically closes the SSL VPN Web interface, leaving the
client software running alone.
Select this item to enable MAC address binding.
With MAC address binding enabled, the SSL VPN system obtains the MAC address of
a user when the user logs in, for user identity authentication or MAC address learning.
Enable automatic login
Select this item to enable automatic login.
With automatic login enabled, when a user enters the SSL VPN login page, the system will automatically log the user in by using the guest account or the certificate account, depending on the authentication mode specified in the default authentication method.
When the authentication mode is password, the system uses the guest account for automatic login.
When the authentication mode is certificate, the system uses the username carried in the client certificate for automatic login.
When the authentication mode is password+certificate, the system uses the guest account for automatic login and requires that the user have the client certificate for the guest account.
If a login user does not perform any operation during this period, the system logs out
the user.
Default Authentication Method
Select the default authentication method used on the SSL VPN login page.
IMPORTANT:
To specify an authentication method other than local authentication as the default authentication method, you must also enable the authentication method (see "Configuring authentication policies").
Certificate's Username Field
Select the certificate field to be used as the username when the authentication mode is certificate. Options include the Common-Name field and the Email-Address field.
Set a timeout for the verification code displayed on the SSL VPN login page. If a user
does not enter the displayed verification code in this period, the verification code
becomes invalid. The user can refresh the login page to get a new verification code.
Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
2.
Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 438.
3.
Select the operations to be done on a user host when the user logs out, including:
Clear cached webpages.
Clear cookies.
Clear downloaded programs. Downloaded programs refer to the SSL VPN client software that
was automatically downloaded and run when the users logged in to the SSL VPN system.
Clear configuration files. Configuration files refer to the configuration file that was
automatically saved when a user changed the settings of the SSL VPN client software, if any.
4.
Click Apply.
Configuring a bulletin
1.
Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
2.
3.
4.
5.
Click Apply.
Description
Title
Content
RADIUS authentication supports only two authentication policies: password and password+certificate.
Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
The Local Authentication tab appears.
2.
3.
Click Apply.
Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2.
Click the RADIUS Authentication tab to enter the RADIUS authentication configuration page.
3.
4.
Click Apply.
Description
Enable RADIUS authentication
Authentication Mode
Enable RADIUS accounting
Upload virtual address
With this item selected, the system uploads the IP address of the client's virtual network adapter to the RADIUS server after RADIUS accounting succeeds.
Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2.
Click the LDAP Authentication tab. The LDAP authentication configuration page appears.
3.
4.
Click Apply.
Description
Enable LDAP authentication
LDAP Server IP
Server Port
Version
Authentication Mode
Specify the name of the user group attribute configured on the LDAP server.
Specify conditions to query user DN
Select this option to query user DN by specified conditions, including the administrator DN, password, search base DN, and search template.
Admin DN
Enter a user DN that has the administrator rights, which include the right to view the
login user information.
Password
Confirm Password
Enter the password of the user DN that has the administrator rights, and enter the password again to confirm it.
Search Base DN
Search Template
Use a template to query user DN
User DN template
Configuring AD authentication
Active Directory (AD) is a directory service provided by Windows 2000 Server and later versions. It
saves information of objects on a network and allows administrators and users to query the information.
AD uses structured data storage, which is the basis of the directory information logical structure. The SSL
VPN system can cooperate with the existing AD server of an enterprise seamlessly to provide AD
authentication for users in the enterprise.
For successful AD authentication of a user, you must also configure the user information on the AD
authentication server, create user groups, and add the user to the user groups. Make sure that the user
groups configured on the authentication server exist on the SSL VPN gateway. Otherwise, the user cannot
log in. The number of user groups that the gateway supports for a user has a limit. Make sure the number
of user groups specified for a user on the authentication server is equal to or less than the limit.
1.
Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2.
Click the AD Authentication tab. The AD authentication configuration page appears.
3.
4.
Click Apply.
Description
Enable AD authentication
AD Domain Name
AD Server IP
You can specify four AD servers at most. When one server fails, the system uses another
server to authenticate users. The system selects the specified servers in the configuration
order of the servers. The first configured server has the highest priority.
Authentication Mode
Set the interval at which the system checks whether the failed AD server recovers.
Admin Username
Set an administrator account. It must be a user account that has the directory search
right in the User directory in the AD domain.
Password
Set a password for the administrator account, and enter the password again to confirm
the password.
Confirm Password
Username Format
Set the username format used to log in to the AD server. Options include Without the
AD domain name, With the AD domain name, and Login name.
Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2.
Click the Combined Authentication tab. The combined authentication configuration page appears.
3.
4.
Click Apply.
Description
Enable combined authentication
First-Time Authentication Method
Second-Time Authentication Method
With this item selected, the system provides the login page and asks a user
for a password again after the user passes the first authentication. If you do
not select this item, the system automatically uses the password for the first
authentication for the second authentication.
IMPORTANT:
This function takes effect only when you enable full customization of the user
interface and the customized user interface can provide a login page twice.
Select VPN > SSL VPN > Domain Management > Security Policy from the navigation tree. The
security policy list page appears.
2.
3.
4.
Click Apply.
Description
Name
Level
Description
Policy Configuration
To pass the check of a category, a host needs to satisfy at least one rule of the category.
To pass the check of a security policy, a host must satisfy all categories of the policy.
Click the expansion button before a category to view the rule information. Click the
Add button to add a rule for the category. For more information about rule
configuration, see Table 188.
Resource Configuration
Specify the resources that can be accessed by user hosts that satisfy the security policy.
You can select All Web Proxies, All TCP Applications, and All IP Networks. To select specific Web proxies, TCP applications, or IP networks, click the corresponding expansion button.
Description
Operating System
Rule Name
Type
Specify the operating system type. A user host must run the specified type of operating system to pass security check.
Version
Specify the operating system version. The operating system of a user host must satisfy the version requirement to pass security check.
Patch
Specify the operating system patches. The operating system of a user host must have the specified patches installed to pass security check.
Browser
Rule Name
Type
Specify the browser type. A user host must use the specified type of browser to pass security check.
Operator
Set an operator for the browser version check.
>=: A user host must use the specified version or a later version.
>: A user host must use a version later than the specified version.
=: A user host must use the specified version.
<=: A user host must use the specified version or an earlier version.
<: A user host must use a version earlier than the specified version.
Version
An IE browser version must be a floating point number with up to two digits after
the radix point.
Patch
Specify the browser patches. The browser of a user host must have the
specified patches installed to pass security check.
Antivirus Software
Rule Name
Type
Specify the antivirus software type. A user host must use the specified type of antivirus software to pass security check.
Operator
Set an operator for antivirus software version check and virus definitions version check.
>=: The antivirus software and its virus definitions must be of the specified version or a later version.
>: The antivirus software and its virus definitions must have a version later than the specified version.
=: The antivirus software and its virus definitions must be of the specified version.
<=: The antivirus software and its virus definitions must be of the specified version or an earlier version.
<: The antivirus software and its virus definitions must have a version earlier than the specified version.
Version
Virus Definitions Version
Firewall
Rule Name
Type
Specify the firewall type. A user host must use the specified type of firewall to pass security check.
Operator
Set an operator for firewall version check.
>=: A user host must use the specified version or a later version.
>: A user host must use a version later than the specified version.
=: A user host must use the specified version.
<=: A user host must use the specified version or an earlier version.
<: A user host must use a version earlier than the specified version.
Version
Certificate
Rule Name
Issuer
Specify the certificate issuer. A user host must have a client certificate issued by the specified issuer to pass security check.
File
Rule Name
File Name
Specify the files. A user host must have the specified files to pass security check.
Process
Rule Name
Process Name
Specify the processes. A user host must have the specified processes to pass security check.
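The pass rules for a security policy (a host satisfies at least one rule per category and every category of the policy) and the version operators of the rule tables, as an added Python example. This is not the gateway's code: the rule constructors, the host report layout and the sample policy are assumptions made here.

```python
"""Host security-policy evaluator modelled on the SSL VPN host check above.
Added example, not the gateway's own code: the host report format, rule
constructors and sample policy are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Operators exactly as listed for the browser, antivirus and firewall checks.
OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    ">=": lambda have, want: have >= want,
    ">": lambda have, want: have > want,
    "=": lambda have, want: have == want,
    "<=": lambda have, want: have <= want,
    "<": lambda have, want: have < want,
}
# The guide requires an IE version to be a floating point number with up to
# two digits after the radix point; this example applies that format to all
# version strings (an assumption beyond the IE case).
_VERSION_RE = re.compile(r"^\d+(\.\d{1,2})?$")


def is_valid_version(text: str) -> bool:
    return _VERSION_RE.match(text) is not None


def parse_version(text: str) -> float:
    if not is_valid_version(text):
        raise ValueError(f"bad version {text!r}: expected N or N.dd")
    return float(text)


def version_ok(op: str, have: str, want: str) -> bool:
    return OPERATORS[op](parse_version(have), parse_version(want))


@dataclass
class Rule:
    category: str  # Operating System, Browser, Antivirus Software, Firewall, ...
    name: str
    check: Callable[[dict], bool]


# Keys of the constructed host report consulted by each rule category.
_SOFTWARE_KEYS = {"Browser": "browser", "Antivirus Software": "antivirus", "Firewall": "firewall"}
_PRESENCE_KEYS = {"File": "files", "Process": "processes"}


def software_rule(category: str, name: str, stype: str, op: str = ">=", version: str = "0",
                  patches=(), definitions: Optional[str] = None) -> Rule:
    """Type must match, the version must satisfy the operator, required patches must be
    installed; an antivirus rule applies the same operator to the virus definitions."""
    key = _SOFTWARE_KEYS[category]

    def check(host: dict) -> bool:
        sw = host.get(key)
        if sw is None or sw["type"] != stype:
            return False
        if not version_ok(op, sw["version"], version):
            return False
        if definitions is not None and not version_ok(op, sw.get("definitions", "0"), definitions):
            return False
        return set(patches) <= set(sw.get("patches", ()))
    return Rule(category, name, check)


def os_rule(name: str, ostype: str, version: Optional[str] = None, patches=()) -> Rule:
    """OS rules have no operator in the guide; exact version match is assumed here."""
    def check(host: dict) -> bool:
        os_ = host.get("os")
        return (os_ is not None and os_["type"] == ostype
                and (version is None or os_["version"] == version)
                and set(patches) <= set(os_.get("patches", ())))
    return Rule("Operating System", name, check)


def certificate_rule(name: str, issuer: str) -> Rule:
    return Rule("Certificate", name, lambda h: h.get("cert_issuer") == issuer)


def presence_rule(category: str, name: str, required) -> Rule:
    key = _PRESENCE_KEYS[category]
    return Rule(category, name, lambda h: set(required) <= set(h.get(key, ())))


def evaluate_policy(rules: List[Rule], host: dict) -> Tuple[bool, Dict[str, bool]]:
    """OR across the rules of one category, AND across the categories of the policy."""
    grouped: Dict[str, List[Rule]] = {}
    for rule in rules:
        grouped.setdefault(rule.category, []).append(rule)
    per_category = {cat: any(r.check(host) for r in rs) for cat, rs in grouped.items()}
    return all(per_category.values()), per_category


# Constructed sample policy: two alternative browser rules, one antivirus rule, one process rule.
SAMPLE_POLICY = [
    software_rule("Browser", "ie8", "IE", ">=", "8.0"),
    software_rule("Browser", "ff", "Firefox", ">", "3.5"),
    software_rule("Antivirus Software", "av", "ExampleAV", ">=", "5", definitions="2013.01"),
    presence_rule("Process", "agent", ["hostagent.exe"]),
]
COMPLIANT_HOST = {  # constructed host report
    "browser": {"type": "IE", "version": "9.0"},
    "antivirus": {"type": "ExampleAV", "version": "5.2", "definitions": "2013.03"},
    "processes": ["hostagent.exe", "explorer.exe"],
}
STALE_AV_HOST = dict(COMPLIANT_HOST,
                     antivirus={"type": "ExampleAV", "version": "5.2", "definitions": "2012.12"})
```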
Partial customization: You can use the webpage files provided by the system and edit some contents in the files as needed, including the login page title, login page welcome information, login page logo, service page banner information, service page logo, and service page background. For the locations of the information items, see the red boxes in Figure 448 and Figure 449.
Full customization: You can edit a webpage file of your own to provide a fully customized user access interface.
Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. The
Text Information tab appears, as shown in Figure 450.
2.
Configure the service page banner information, login page welcome information, and login page
title on the page.
3.
Click Apply.
Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
2.
Click the Login Page Logo tab to enter the page shown in Figure 451.
3.
4.
Set whether to directly overwrite the file with the same name on the device.
5.
Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the
login page.
Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
2.
Click the Service Page Logo tab to enter the page shown in Figure 452.
3.
4.
Set whether to directly overwrite the file with the same name on the device.
5.
Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the
service page.
Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
2.
Click the Service Page Background tab to enter the page shown in Figure 453.
3.
4.
Set whether to directly overwrite the file with the same name on the device.
5.
Click Apply to upload the picture file to the SSL VPN system and use it as the service page
background picture.
Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full
customization page appears.
2.
3.
Click Apply.
Description
Directory
Enter the directory where the customized page files are saved on the SSL
VPN gateway.
Page File
2.
Enter https://192.168.1.1:44300/svpn/ in the address bar of the browser to enter the SSL VPN
login page, as shown in Figure 455. 192.168.1.1 and 44300 are the SSL VPN gateway's host
address and service port number. The service port number can be omitted when it is 443, the
default value.
3.
On the login page, enter the username and password, and select an authentication method.
4.
Click Login to enter the SSL VPN service interface, as shown in Figure 456. If you have specified
TCP applications or IP network resources for the user, the system automatically runs the SSL VPN
client software for the user, as shown in Figure 457.
IMPORTANT:
If you have enabled verification code authentication, the login page also provides the verification code, and the user must enter the correct verification code to log in.
For a TCP application resource, the user can click the resource name to run the command you configured for the resource (if any), or perform configurations according to the information provided by the resource name and then access the resource. For example, a user can configure the Outlook email receiving and sending servers according to the email resource name, log in by using the username and password, and then use the email service.
For an IP network resource, the user can access any host in any accessible network segment and
can click a shortcut name to execute the corresponding command of the shortcut.
Click the Configure button in the upper right corner of the SSL VPN service interface to enter the
page shown in Figure 459.
2.
3.
Click Apply.
When the user logs in again, the user must enter the new password.
Figure 459 Changing login password
In this example, the CA runs the Windows Server and the SCEP plugin is required on the CA.
The IP address of the SSL VPN gateway is 10.1.1.1/24. The IP address of the CA is 10.2.1.1/24, and
the name of the CA is CA server. The CA is used to issue certificates to the SSL VPN gateway and
remote users.
Perform RADIUS authentication for SSL VPN users. The IP address of the RADIUS server (a
CAMS/IMC server) is 10.153.10.131/24. After passing authentication, an SSL VPN user can access
the internal technology website whose IP address is 10.153.1.223, all hosts on subnet
10.153.2.0/24, and the security server whose IP address is 10.153.2.25 through the FTP shortcut.
Configure a public account named usera. Specify that only one user can use the public account to
log in at a time. Configure local authentication for the public account and authorize a user who logs
in by using the public account to access the shared desktop provided by internal host
10.153.70.120.
Specify the default authentication method as RADIUS for the SSL VPN domain and enable
verification code authentication.
Network diagram: Host (remote user) - Internet - Device (SSL VPN gateway, 10.1.1.1/24) - Internal servers; CA (10.2.1.1/24).
Configuration prerequisites
The SSL VPN gateway, the CA, and the hosts used by remote users can reach each other.
The CA is enabled with the CA service and can issue certificates to the SSL VPN gateway and the
hosts.
The RADIUS server is properly configured to provide normal authentication function for users. In this
example, you need to configure the shared key as expert, configure the user account and user
group information, and add users to user group user_gr2.
Configuration procedure
Configuring the SSL VPN service
1.
2.
On the page that appears, as shown in Figure 462, enter the PKI domain name sslvpn, enter
the CA identifier CA server, select en as the local entity, select RA as the registration authority,
enter the certificate requesting URL http://10.2.1.1/certsrv/mscep/mscep.dll, select Manual
as the certificate request mode, and click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
d. Click OK to continue.
3.
d. Click Apply.
4.
page.
The Retrieve Certificate page appears, as shown in Figure 464.
b. Select sslvpn as the PKI domain.
c.
d. Click Apply.
5.
management page.
b. Select sslvpn as the PKI domain.
c.
Click Apply.
The system displays "Certificate request has been submitted."
You can view the retrieved CA certificate and the local certificate on the certificate management page.
6.
Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service:
a. Select VPN > SSL VPN > Service Management from the navigation tree.
b. Select the box before Enable SSL VPN.
c.
Configure a Web proxy resource named tech for the internal technology website 10.153.1.223:
a. Select VPN > SSL VPN > Resource Management > Web Proxy from the navigation tree.
b. Click Add.
The Web proxy server resource configuration page appears, as shown in Figure 468.
c.
2.
Configure a resource named desktop for the desktop sharing service provided by host
10.153.70.120:
a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
b. Click the Desktop Sharing Service tab.
c.
Click Add.
The desktop sharing service configuration page appears, as shown in Figure 469.
d. Enter the resource name desktop, enter the remote host address 10.153.70.120, set the remote
port for the server to 3389, enter the local host address 127.0.0.2, set the local port for the
service to 20000, and enter the command line mstsc /v 127.0.0.2:20000.
e. Click Apply.
3.
Click Apply.
4.
Configure a host resource named sec_srv for hosts in subnet 10.153.2.0/24 in IP network mode:
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
b. Click the Host Configuration tab.
c.
On the page that appears, as shown in Figure 471, enter the destination IP address
10.153.2.0, enter the subnet mask 24, select IP as the protocol type, specify the description
information as 10.153.2.0/24, and click Apply.
The network service is added to the host resource.
Click Apply.
5.
d. Select desktop on the Available Resources list and click the << button to add it to the Selected
Resources list.
e. Click Apply.
6.
Configure resource group res_gr2, and add resources tech and sec_srv to it:
a. On the resource group list page, click Add.
Select resources tech and sec_srv on the Available Resources list and click the << button to add
them to the Selected Resources list.
d. Click Apply.
Enter the username usera, enter the password passworda, confirm the password, select the
box before Enable public account, set the maximum number of users for the public account to
1, and select Permitted as the user status.
d. Click Apply.
2.
Configure user group user_gr1, assign resource group res_gr1 to the user group and add local
user usera to the user group:
a. Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the
d. Select res_gr1 on the Available Resource Groups list and click << to add it to the Selected Resource Groups list.
f.
Click Apply.
3.
Configure user group user_gr2, and assign resource group res_gr2 to the user group:
a. On the user group list page, click Add.
b. Enter the user group name user_gr2.
c.
Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected
Resource Groups list.
d. Click Apply.
Configure the default authentication method for the SSL VPN domain as RADIUS and enable
verification code authentication:
a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
d. Click Apply.
2.
d. In the Common Configuration area, select Extended as the supported RADIUS server type, and
On the page that appears, as shown in Figure 480, select Primary Authentication Server as
the server type, select IPv4 and enter IP address 10.153.10.131, enter port number 1812,
enter the key expert, enter expert again to confirm the key, and click Apply.
The RADIUS server is then added to the RADIUS server list of the RADIUS scheme. Now, the
RADIUS scheme configuration page is shown as Figure 481.
f.
Click Apply.
3.
tree.
b. Click the RADIUS Authentication tab.
c.
d. Click Apply.
Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource
desktop, as shown in Figure 484. Clicking the resource name, you can access the shared desktop of the
specified host, as shown in Figure 485.
Figure 484 Resource that the public account usera can access
Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server.
Use this user account and the default authentication method RADIUS to log in. You can see website tech,
subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 486. Click tech
to access the technology website. Click shortcut ftp_security-server to access the security server through
FTP, as shown in Figure 487.
Managing certificates
Overview
Public Key Infrastructure (PKI) offers an infrastructure for securing network services. PKI, also called
asymmetric key infrastructure, uses a pair of keys (one private and one public) for data encryption and
decryption. Data encrypted with the public key can be decrypted only with the private key, and vice
versa.
PKI uses digital certificates to distribute and employ public keys, and provides network communication
and e-commerce with security services such as user authentication, data confidentiality, and data
integrity.
H3C's PKI system provides certificate management for IPsec, SSL, and WAPI.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
VPN: A VPN is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.
Web security: For Web security, two peers can establish an SSL connection first for transparent and secure communications at the application layer. With PKI, SSL enables encrypted communications between a browser and a server. Both the communication parties can verify the identity of each other through digital certificates. For more information about PKI, see Security Configuration Guide.
Manual: In manual mode, you need to manually retrieve a CA certificate, generate a local RSA key pair, and submit a local certificate request for an entity.
Auto: In auto mode, an entity automatically requests a certificate through the SCEP when it has no local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.
Step
Remarks
Required.
Create a PKI entity and configure the identity information.
1.
2.
3.
Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
4.
Retrieving the CA certificate
Step
Remarks
Required.
When requesting a certificate, an entity introduces itself to the CA by
providing its identity information and public key, which will be the major
components of the certificate.
A certificate request can be submitted to a CA in online mode or offline
mode.
5.
Requesting a local certificate
IMPORTANT:
If a local certificate already exists, you cannot perform the local certificate
retrieval operation. This restriction avoids inconsistency between the certificate
and the registration information due to configuration changes. To retrieve a
new local certificate, you must remove the CA certificate and local certificate
first.
Optional.
6.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, you cannot retrieve the certificate.
Destroying the existing RSA key pair also destroys the corresponding local
certificate.
Required if you request a certificate in offline mode.
Retrieve an existing certificate and display its contents.
7.
IMPORTANT:
8.
Optional.
Retrieve a CRL and display its contents.
Remarks
Required.
Create a PKI entity and configure the identity information.
1.
Task
Remarks
Required.
Create a PKI domain, setting the certificate request mode to Auto.
2.
3.
If the certificate to be retrieved contains an RSA key pair, you must destroy
the existing RSA key pair. Otherwise, the certificate cannot be retrieved.
Destroying the existing RSA key pair also destroys the corresponding local
certificate.
Optional.
Retrieve an existing certificate and display its contents.
IMPORTANT:
4.
5.
Optional.
Retrieve a CRL and display its contents.
2.
Click Add.
3.
4.
Click Apply.
Description
Entity Name
Common Name
IP Address
FQDN
An FQDN is a unique identifier of an entity on the network. It consists of a host name and
a domain name and can be resolved to an IP address. For example, www.whatever.com
is an FQDN, where www indicates the host name and whatever.com the domain name.
Country/Region
Code
State
Locality
Organization
Organization Unit
2.
Click Add.
3.
4.
Click Apply.
Description
Domain Name
CA Identifier
IMPORTANT:
In offline mode, this item is optional. In other modes, this item is required.
The CA identifier is used only when you retrieve a CA certificate. It is not used when
you retrieve a local certificate.
Select the local PKI entity.
Entity Name
When submitting a certificate request to a CA, an entity needs to show its identity
information.
Available PKI entities are those that have been configured.
Select the authority for certificate request.
Requesting URL
In offline mode, this item is optional. In other modes, this item is required.
IMPORTANT:
In offline mode, this item is optional. In other modes, this item is required.
This item does not support domain name resolution.
LDAP IP
Port
Version
Enter the IP address, port number, and version of the LDAP server.
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you must configure the IP address of the LDAP server.
Request Mode
Select the online certificate request mode, which can be auto or manual.
Password
Confirm Password
The two boxes are available only when the certificate request mode is set to Auto.
Fingerprint Hash
Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the root certificate, namely, the hash value of the root certificate content. This hash value is unique to every certificate. If the fingerprint of the root certificate does not match the one configured for the PKI domain, the entity will reject the root certificate.
Fingerprint
If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of 32 characters in hexadecimal notation.
If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string of 40 characters in hexadecimal notation.
If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will not verify the CA root certificate, and you yourself must make sure the CA server is trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you
specify the certificate request mode as Manual, you can leave the fingerprint settings null. If
you do not configure the fingerprint, the entity will not verify the CA root certificate and you
yourself must make sure the CA server is trusted.
Polling Count
Polling Interval
Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if it verifies the certificate request in manual mode. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.
Enable CRL Checking
Select this box to specify that CRL checking is required during certificate verification.
Enter the CRL update period, that is, the interval at which the PKI entity downloads the latest CRLs.
This item is available after you click the Enable CRL Checking box.
By default, the CRL update period depends on the next update field in the CRL file.
IMPORTANT:
The manually configured CRL update period takes precedence over that specified in the CRL file.
CRL URL
Enter the URL of the CRL distribution point. The URL can be an IP address or a domain name.
This item is available after you click the Enable CRL Checking box.
When the URL of the CRL distribution point is not set, you should acquire the CA
certificate and a local certificate, and then acquire a CRL through SCEP.
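The fingerprint rules from the PKI domain table above (32 hexadecimal characters for MD5, 40 for SHA1, no validation when no fingerprint hash is configured, fingerprint mandatory in Auto mode), as an added Python example. This is not the router's own code; the certificate bytes and the function names are constructed for this example.

```python
"""Root-certificate fingerprint validation for a PKI domain, modelled on the
Fingerprint Hash / Fingerprint items and their IMPORTANT note. Added example,
not the router's code: SAMPLE_ROOT_CERT is a constructed stand-in, not DER."""
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Fingerprint length per hash algorithm, as given in the guide.
FINGERPRINT_LENGTH = {"MD5": 32, "SHA1": 40}

# Constructed stand-in for a received CA root certificate (not a real DER file).
SAMPLE_ROOT_CERT = b"constructed sample bytes standing in for a DER-encoded CA root certificate"


def fingerprint_of(cert_der: bytes, algorithm: str) -> str:
    """Fingerprint = hash of the certificate content, as lower-case hex."""
    return hashlib.new(algorithm.lower(), cert_der).hexdigest()


def setting_problem(algorithm: Optional[str], fingerprint: str,
                    request_mode: str = "Manual") -> Optional[str]:
    """Describe what is wrong with the domain's fingerprint settings, or None if
    they are acceptable for the given certificate request mode."""
    if algorithm is None:
        if fingerprint:
            return "do not enter a fingerprint when no fingerprint hash is specified"
        if request_mode == "Auto":
            return "the fingerprint must be configured when the request mode is Auto"
        return None
    length = FINGERPRINT_LENGTH.get(algorithm)
    if length is None:
        return f"unsupported fingerprint hash {algorithm!r}"
    if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, fingerprint):
        return f"{algorithm} fingerprint must be {length} hexadecimal characters"
    return None


def verify_root_certificate(cert_der: bytes, algorithm: Optional[str], fingerprint: str,
                            request_mode: str = "Manual") -> Tuple[bool, str]:
    """Decide whether the entity accepts a received CA root certificate."""
    problem = setting_problem(algorithm, fingerprint, request_mode)
    if problem is not None:
        raise ValueError(problem)
    if algorithm is None:
        # Allowed in Manual mode only: the operator must trust the CA server by other means.
        return True, "no fingerprint configured: root certificate accepted without validation"
    actual = fingerprint_of(cert_der, algorithm)
    # Constant-time comparison of the computed and configured fingerprints.
    if hmac.compare_digest(actual, fingerprint.lower()):
        return True, f"{algorithm} fingerprint matches"
    return False, f"{algorithm} fingerprint mismatch: root certificate rejected"
```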
2.
3.
4.
Click Apply.
2.
3.
Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
2.
3.
4.
Click Apply.
Description
Domain Name
Certificate Type
Enable Offline Mode
Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means
like FTP, disk, or email).
Specify the path and name of the certificate file to import if you enable offline mode:
If the certificate file is saved on the device, select Get File From Device and then specify
the path and name of the file on the device. If no file is specified, the system, by
default, gets the file domain-name_ca.cer (for the CA certificate) or
domain-name_local.cer (for the local certificate) under the root directory of the device.
If the certificate file is saved on a local PC, select Get File From PC and then specify the path and name of the file and specify the partition that saves the file.
Password
If offline mode is enabled, enter the password for protecting the private key, which was
specified when the certificate was exported.
After retrieving a certificate, click View Cert for the certificate from the PKI certificates list to display the
contents of the certificate.
Figure 496 Displaying certificate information
2.
3.
Description
Domain Name
Password
Enable Offline Mode
4.
If you cannot request a certificate from the CA through the SCEP protocol, you can enable
the offline mode. In this case, after clicking Apply, the offline certificate request
information page appears, as shown in Figure 498. Submit the information to the CA to
request a local certificate.
Click Apply.
If you request the certificate in online mode, the system displays "Certificate request has been
submitted." Click OK to confirm. If you request the certificate in offline mode, the system displays
the offline certificate request information. You can submit the information to the CA by an
out-of-band means.
2.
3.
Click View CRL for the domain to display the contents of the CRL.
The router submits a local certificate request to the CA server, which runs Windows Server 2003.
3.
If the CA server and SCEP add-on have been installed successfully, there should be two
certificates issued by the CA to the RA.
b. Right-click CA server and select Properties from the shortcut menu.
c.
In the CA server Properties dialog box, click the Policy Module tab.
d. Click Follow the settings in the certificate template, if applicable. Otherwise, automatically
(IIS) Manager.
b. From the navigation tree, select Web Sites.
c.
services, change the TCP port number to an unused one on the Web Site tab.
After the configuration, make sure the system clock of the router and that of the CA are synchronized, so that the router can request a certificate correctly.
c.
Enter aaa as the PKI entity name, enter router as the common name, and click Apply.
2.
In the upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA
identifier, select aaa as the local entity, select RA as the authority for certificate request, enter
http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must
be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port are the
host address and port number of the CA server), and select Manual as the certificate request
mode.
d. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
e. Click OK to confirm.
4. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
5.
c. Select torsa as the PKI domain, select Password and then enter "challenge-word" as the password, and click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm.
The router submits a local certificate request to the CA server, which runs the RSA Keon software.
Enter aaa as the PKI entity name, enter router as the common name, and click Apply.
2.
In the upper area of the page, enter torsa as the PKI domain name, enter myca as the CA
identifier, select aaa as the local entity, select CA as the authority for certificate request, enter
http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,
where Issuing Jurisdiction ID is the hexadecimal string generated on the CA), and select
Manual as the certificate request mode.
d. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
e. In the advanced configuration area, click the Enable CRL Checking box, and enter
f. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
g. Click OK to confirm.
4. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
5. Select torsa as the PKI domain, select Password, enter "challenge-word" as the password, and click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm.
6.
a. After retrieving a local certificate, select Certificate Management > CRL from the navigation tree.
Configuring Router A
1. Enter en as the PKI entity name, enter router-a as the common name, enter 2.2.2.1 as the IP address of the entity, and click Apply.
2. Enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example. Configure the RA URL as required), enter 1.1.1.102 as the IP address of the LDAP server and 389 as the port number, select 2 as the version number, and select Manual as the certificate request mode.
d. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
e. In the advanced configuration area, click the Enable CRL Checking box, and enter
f. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
g. Click OK to confirm.
4. Select 1 as the PKI domain, select CA as the certificate type, and click Apply.
5.
d. Click OK to confirm.
6. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 3.3.3.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-a for the certificate, select Characteristics of Traffic as the selector type, enter 11.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 10.1.1.0/0.0.0.255 as the destination IP address/wildcard.
d. Click Apply.
Configuring Router B
The configuration pages for Router B are similar to those of Router A. (Details not shown)
1. Enter en as the PKI entity name, enter router-b as the common name, and enter 3.3.3.1 as the IP address of the entity.
d. Click Apply.
2. In the upper area of the page, enter 1 as the PKI domain name, enter CA2 as the CA identifier, select en as the local entity, select RA as the authority for certificate request, enter http://2.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given here is just an example. Configure the RA URL as required), enter 2.1.1.102 as the IP address of the LDAP server and 389 as the port number, select 2 as the version number, and select Manual as the certificate request mode.
d. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
e. In the advanced configuration area, click the Enable CRL Checking box and enter
f. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
g. Click OK to confirm.
4. Select 1 as the PKI domain, select CA as the certificate type, and click Apply.
5.
d. Click OK to confirm.
6. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter 2.2.2.1 as the remote gateway IP address, select Certificate as the authentication method, select CN=router-b for the certificate, select Characteristics of Traffic as the selector type, enter 10.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 11.1.1.0/0.0.0.255 as the destination IP address/wildcard.
d. Click Apply.
Configuration guidelines
When you configure PKI, follow these guidelines:
Make sure the clocks of the entities and the CA are synchronized. Otherwise, the validity period of certificates will be abnormal.
The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA
as the authority for certificate request when you configure the PKI domain.
The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case,
specify CA as the authority for certificate request when you configure the PKI domain.
Saving the current configuration to the configuration file to be used at the next startup (including the .cfg and .xml files).
Saving the current configuration as the factory default configuration. The name of the configuration file is init.cfg.
Besides the following methods, the Web management interface allows you to click the button on the right of the title area to fast save the configuration.
2. To save the current configuration to both the configuration file to be used at the next startup and the factory default configuration file, click Save As Factory-Default Settings.
Backing up configuration
Configuration file backup allows you to:
View the configuration file for next startup (including .cfg and .xml files).
Back up the configuration file for next startup (including .cfg and .xml files) to the PC of the current
user.
When you click the upper Backup button in this figure, a file download dialog box appears.
You can select to view the .cfg file or to save the file locally.
When you click the lower Backup button in this figure, a file download dialog box appears.
You can select to view the .xml file or to save the file locally.
Restoring configuration
Configuration restoration allows you to:
Upload the .cfg file on the host of the current user to the device for the next startup.
Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup.
4. Click Apply.
Fast backup: Backs up files on the device to the destination device through a universal serial bus (USB) port.
Fast restoration: Transfers files from the device where the files are backed up to the local device through a USB port. In addition, the system allows you to choose whether to specify the startup file or configuration file to be restored as the main startup file or configuration file of the device.
The storage medium of a device has many types, such as flash cards, CF cards, and so on. The storage
medium type used by the device depends on the device model.
To back up and restore device files through the USB port:
Figure 525 Backing up and restoring device files through the USB port
At a time, you can restore multiple files, but only one startup file or configuration file can be included in
these files for restoration.
2. Click Apply.
Managing services
This module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. Disabling unneeded services improves the performance and security of the system, so that the device can be managed securely.
This module also provides the function to modify HTTP and HTTPS port numbers, and the function to associate the FTP, HTTP, or HTTPS service with an ACL, reducing attacks by unauthorized users on these services.
The description of the services is as follows:
FTP service: Transfers files between server and client over a TCP/IP network.
Telnet service: Provides remote login and virtual terminal functions on the network.
SFTP service: Uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer. SFTP is a new feature in SSH2.0.
To manage services:
3. Click Apply.
FTP: Enable FTP service.
FTP ACL
Telnet: Enable Telnet service.
SSH: Enable SSH service.
SFTP: Enable SFTP service.
HTTP: Enable HTTP service.
HTTP Port Number: You can view this configuration item by clicking the expanding button in front of HTTP. IMPORTANT: When you modify a port, ensure that the port is not used by another service.
HTTP ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
HTTPS: Enable HTTPS service. Specify whether to enable the HTTPS service. The HTTPS service is disabled by default.
HTTPS Certificate: Configure the local certificate for the HTTPS service. The list displays the certificate subjects. The optional certificates are configured on the VPN > Certificate Management page. For more information, see "Managing certificates." IMPORTANT: If no certificate is specified, HTTPS generates a self-signed certificate.
HTTPS Port Number: You can view this configuration item by clicking the expanding button in front of HTTPS. IMPORTANT: When you modify a port, make sure the port is not used by another service.
HTTPS ACL: Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS.
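As an added example for the ACL association described above (not code from H3C or the router; written for this guide), the following Python reproduces the decision an ACL-filtered management service makes for a client address. It uses the network/wildcard notation this guide uses elsewhere (for example 11.1.1.0/0.0.0.255), evaluates rules first-match, treats a client that matches no rule as not permitted, and leaves a service with no ACL reachable from anywhere. The sample rules, addresses and function names are constructed for the example and are not the device's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A rule is (action, network, wildcard) in the notation this guide uses for
# address selectors, e.g. 11.1.1.0/0.0.0.255. Wildcard bits set to 1 are
# "don't care" bits; bits set to 0 must match the network address exactly.
Rule = Tuple[str, str, str]


def _to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Return True if addr matches network under the given wildcard mask.

    Unlike a prefix length, a wildcard mask may be non-contiguous, so the
    comparison is done bit-wise: only the bits that are 0 in the wildcard
    have to agree.
    """
    care_bits = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care_bits) == (_to_int(network) & care_bits)


def evaluate_acl(client: str, rules: List[Rule]) -> Tuple[bool, Optional[Rule]]:
    """First-match evaluation of an ACL.

    Returns (permitted, matching_rule). A client that matches no rule is not
    permitted, which is what "only the clients that pass the ACL filtering
    are permitted to use the service" amounts to.
    """
    for rule in rules:
        action, network, wildcard = rule
        if wildcard_match(client, network, wildcard):
            return action == "permit", rule
    return False, None


def service_allows(service: str, client: str,
                   acl_by_service: Dict[str, List[Rule]]) -> bool:
    """Decide whether a management client may reach a service.

    A service with no ACL associated stays reachable from any address, which
    is the state before an ACL is applied on the Service Management page.
    """
    rules = acl_by_service.get(service)
    if rules is None:
        return True
    permitted, _ = evaluate_acl(client, rules)
    return permitted


# Constructed sample policy (hypothetical addresses, not from the guide):
# HTTPS is reachable from one management subnet and one jump host, HTTP is
# limited to the jump host, and FTP has no ACL at all.
MGMT_ACL: Dict[str, List[Rule]] = {
    "HTTPS": [
        ("deny", "10.1.1.200", "0.0.0.0"),       # one host excluded explicitly
        ("permit", "10.1.1.0", "0.0.0.255"),     # management subnet
        ("permit", "192.168.100.7", "0.0.0.0"),  # jump host
    ],
    "HTTP": [
        ("permit", "192.168.100.7", "0.0.0.0"),
    ],
}


def audit(client: str) -> Dict[str, bool]:
    """Summarise which of the three ACL-capable services a client could reach."""
    return {svc: service_allows(svc, client, MGMT_ACL)
            for svc in ("FTP", "HTTP", "HTTPS")}


if __name__ == "__main__":
    for addr in ("10.1.1.25", "10.1.1.200", "192.168.100.7", "203.0.113.9"):
        print(addr, audit(addr))
```

The audit function is the check worth running before applying an ACL to the HTTPS service: if the address you manage the router from does not come back as permitted, applying the ACL locks you out of the Web interface.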
Managing users
This module provides the following functions:
Create a local user, and set the password, access level, and service type for the user.
Set the super password for switching the current Web user access level to the management level.
Switch the current Web user access level to the management level.
Creating a user
4. Click Apply.
Username
Access Level:
Visitor: Users of this level can use the network diagnostic tools ping and trace route. They can neither access the device data nor configure the device.
Monitor: Users of this level can only access the device data but cannot configure the device.
Configure: Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete users, modify users, or backup/restore the application file.
Management: Users of this level can perform any operations for the device.
IMPORTANT: Only the Web, FTP, and Telnet users support the access level setting.
Password
Confirm Password: Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
Service: Set the service type, including Web, FTP, Telnet, Terminal (users logging in to the device through the console port, AUX port, and Asyn port) and PPP services. You must select at least one of them.
4. Click Apply.
Set the operation type: Create/Remove.
Password
Confirm Password: Enter the same password again. Otherwise, the system prompts that the two passwords entered are not consistent when you apply the configuration.
The access level switchover of a user is valid for the current login only. The access level configured for the user is not changed. When the user logs in to the Web interface again, the access level of the user is still the original level.
To switch the user access level to the management level:
4. Click Login.
1. Select System Management > System Time from the navigation tree.
The System Time page appears. On the upper part of the interface, the current system time is displayed.
3. Click Apply.
NTP Server 1 / NTP Server 2: The system synchronizes its time with the NTP server. If the synchronization fails, the system uses the manually configured time. After the synchronization recovers, the system uses the synchronized time.
If the system time of the NTP server is ahead of the system time of the device, and the difference between them exceeds the Web idle time specified on the device, all online Web users are logged out because of timeout.
You can type the system date and time in the box, or select the date and time in the calendar, as shown in Figure 532.
Click Today. The date in the calendar becomes the local date, and the time in the calendar does not change.
Select the year, month, date, and time, and then click OK.
1. Select System Management > System Time from the navigation tree.
4. Click Apply.
Time Zone
Adjust clock for daylight saving time changes: Adjust the system clock for daylight saving time changes, which means adding one hour to the current system time. Click Adjust clock for daylight saving time changes to expand the option, as shown in Figure 534. You can configure the daylight saving time changes in the following ways:
Specify that the daylight saving time starts on a specific date and ends on a specific date. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on August 1st, 2006 at 06:00:00 a.m., and end on September 1st, 2006 at 06:00:00 a.m.
Specify that the daylight saving time starts and ends on the corresponding specified days every year. The time range must be greater than one day and smaller than one year. For example, configure the daylight saving time to start on the first Monday in August at 06:00:00 a.m., and end on the last Sunday in September at 06:00:00 a.m.
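The two daylight saving methods above can be checked with a short calculation. The following Python is an added example written for this guide, not code from H3C or the router. It computes the start and end of the window either from two fixed dates or from a yearly rule such as "first Monday in August" and "last Sunday in September", enforces the guide's rule that the range must be greater than one day and smaller than one year, and applies the one-hour adjustment. The (month, weekday, n) rule encoding and the function names are assumptions made here; the 2006 dates are the guide's own examples.

```python
from datetime import date, datetime, time, timedelta
import calendar

ONE_HOUR = timedelta(hours=1)


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """Date of the n-th given weekday in a month (Monday=0 ... Sunday=6).

    n = 1 is the first such weekday, n = 2 the second, and n = -1 the last.
    """
    if n == 0:
        raise ValueError("n must be non-zero")
    if n > 0:
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        result = first + timedelta(days=offset + 7 * (n - 1))
    else:
        last = date(year, month, calendar.monthrange(year, month)[1])
        offset = (last.weekday() - weekday) % 7
        result = last - timedelta(days=offset + 7 * (-n - 1))
    if result.month != month:
        raise ValueError("month has no such weekday occurrence")
    return result


def validate_window(start: datetime, end: datetime) -> None:
    """Enforce the guide's rule: greater than one day and smaller than one year."""
    if end - start <= timedelta(days=1):
        raise ValueError("daylight saving range must be greater than one day")
    try:
        one_year_later = start.replace(year=start.year + 1)
    except ValueError:  # start on 29 February: next year has no such date
        one_year_later = start + timedelta(days=365)
    if end >= one_year_later:
        raise ValueError("daylight saving range must be smaller than one year")


def fixed_window(start: datetime, end: datetime) -> tuple:
    """Window given as two specific dates (first method in the guide)."""
    validate_window(start, end)
    return start, end


def recurring_window(year: int, start_rule: tuple, end_rule: tuple,
                     at_time: time) -> tuple:
    """Window that repeats every year (second method in the guide).

    start_rule and end_rule are (month, weekday, n) as for nth_weekday;
    at_time is the clock time at which the start and the end take effect.
    Both rules are assumed to fall in the same calendar year.
    """
    s_month, s_wd, s_n = start_rule
    e_month, e_wd, e_n = end_rule
    start = datetime.combine(nth_weekday(year, s_month, s_wd, s_n), at_time)
    end = datetime.combine(nth_weekday(year, e_month, e_wd, e_n), at_time)
    validate_window(start, end)
    return start, end


def apply_dst(t: datetime, window: tuple) -> datetime:
    """Displayed clock time: the configured time plus one hour inside the window."""
    start, end = window
    return t + ONE_HOUR if start <= t < end else t


if __name__ == "__main__":
    # The guide's recurring example for 2006: first Monday in August to
    # last Sunday in September, both at 06:00:00.
    window = recurring_window(2006, (8, 0, 1), (9, 6, -1), time(6, 0, 0))
    print("DST window:", window[0], "->", window[1])
    print("15 Aug 2006 12:00 is shown as", apply_dst(datetime(2006, 8, 15, 12, 0), window))
```

Timestamps in logs and certificate validity checks both depend on this offset, so a DST rule entered with the wrong month or weekday shows up as an hour of drift against the NTP server and the CA; the window calculation above is a quick way to confirm the rule before committing it.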
Configuring TR-069
The TR-069 protocol is a technical specification initiated and developed by the DSL Forum. It defines the general framework, message format, management method, and data model for the management and configuration of home network devices in the next-generation network.
TR-069 is mainly applied to DSL access networks. In a DSL access network, user devices are large in number and deployed separately, usually on the customer premises, so device management and maintenance are hard to perform. TR-069 is designed to solve this problem through remote central management of the Customer Premises Equipment (CPE) by an Auto-Configuration Server (ACS).
DNS server: Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to identify and access each other. DNS is used to resolve the URLs.
DHCP server: Dynamic Host Configuration Protocol server, which assigns an IP address to an ACS and a CPE, and uses the options field in the DHCP packet to provide configuration parameters to the CPE.
The MSR router is a CPE and uses TR-069 to communicate with an ACS.
CPE startup: After startup, a CPE finds the corresponding ACS according to the acquired URL and initiates a connection to the ACS.
A CPE is configured to send Inform messages periodically. The CPE automatically sends an Inform
message at the configured interval (1 hour for example) to establish connections.
A CPE is configured to send Inform messages at a specific time. The CPE automatically sends an
Inform message at the configured time to establish a connection.
The current session is not finished but interrupted abnormally. In this case, if the number of CPE
auto-connection retries does not reach the limit, the CPE automatically establishes a connection.
An ACS can initiate a Connect Request to a CPE at any time, and can establish a connection with the
CPE after passing the CPE authentication.
Auto-configuration
When a CPE logs in to an ACS, the ACS can automatically apply some configurations to the CPE to
perform auto configuration of the CPE. Auto-configurable parameters supported by the device include,
but are not limited to the following:
Up time (UpTime)
Configuration file
ACS address
ACS username
ACS password
PeriodicInformEnable
PeriodicInformInterval
PeriodicInformTime
CPE address
CPE username
CPE password
For the TR-069 mechanism, see Network Management and Monitoring Configuration Guide in H3C
MSR Series Routers Configuration Guide (V5).
Configuration procedure
The TR-069 parameters of CPE can be configured automatically through ACS remote management, and
also can be configured manually through Web, which is described in detail in this section.
To configure TR-069 manually:
3. Click Apply.
TR-069: Enable or disable TR-069. TR-069 configurations can take effect only after you enable TR-069.
ACS URL
ACS Username
CPE Username: Configure the username used by the CPE to authenticate the connection sent from the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same.
CPE Password: Configure the password used by the CPE to authenticate the connection sent from the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same.
Sending Inform
Interval
CPE Interface: Set the CPE connection interface. The CPE sends Inform packets carrying the IP address of this interface to make the ACS establish a connection with the CPE using this IP address.
Configuration guidelines
TR-069 configuration through the ACS has a higher priority than configuration through the Web. You cannot use a configuration mode with a lower priority to modify parameters configured through a configuration mode with a higher priority.
To remove the configuration of a parameter, select the parameter, clear the value you entered, and click
Apply.
Upgrading software
CAUTION:
Software upgrade takes a period of time. During software upgrade, do not perform any operation on the
Web interface. Otherwise, software upgrade may be interrupted.
A system software image, also known as the "boot file", is an application file used to boot the device. A
main system software image is used to boot a device and a backup system software image is used to
boot a device only when the main system software image is unavailable.
Software upgrade allows you to get a target application file from the current host and set the file as the system software image (or as the main or backup system software image on devices that support main/backup system software images) to be used at the next boot.
1. Select System Management > Software Upgrade from the navigation tree.
The software upgrade configuration page appears.
3. Click Apply.
File: Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. IMPORTANT: The filename is main.bin when the file is saved on the device.
Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.
1. Select System Management > Software Upgrade from the navigation tree.
The software upgrade configuration page appears.
3. Click Apply.
File: Specify the filename of the local application file, which must be suffixed with the .app or .bin extension.
File Type: Specify the type of the system software image for the next boot: Main or Backup.
Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded.
If you do not select the option, when a file with the same name exists, the system prompts "The file has existed.", and you cannot perform the upgrade operation.
Overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a
management station to access and operate the devices on a network, regardless of their vendors,
physical characteristics and interconnect technologies.
The SNMP framework comprises the following elements:
SNMP manager: Works on a network management system (NMS) to monitor and manage the SNMP-capable devices in the network.
SNMP agent: Works on a managed device to receive and handle requests from the NMS, and send traps to the NMS when some events, such as interface state change, occur.
H3C supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
SNMPv1: Uses community names for authentication. To access an SNMP agent, an NMS must use the same community name as set on the SNMP agent. If the community name used by the NMS is different from the community name set on the agent, the NMS cannot establish an SNMP session to access the agent or receive traps and notifications from the agent.
SNMPv2c: Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but supports more operation modes, data types, and error codes.
SNMPv3: Uses a user-based security model (USM) to secure SNMP communication. You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity, authenticity, and confidentiality.
For more information about the SNMP protocol, see H3C MSR Series Routers Network Management and
Monitoring Configuration Guide.
1. Select System Management > SNMP from the navigation tree to enter the page as shown in Figure 539.
SNMP: Specify to enable or disable the SNMP agent. IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations will be removed.
SNMP Version: Set the SNMP version run by the system.
Contact: If the device is faulty, the maintainer can contact the manufacturer according to the contact information of the device.
Sysname: Set the system name of the device. The configured system name is displayed on the top of the navigation tree.
Device Location: Set a character string to describe the physical location of the device.
Security Username: Set the SNMP security username when you select the SNMP version SNMPv3. The security name on the agent must be the same as that on the NMS.
Authentication Password: Set the authentication password when you select the SNMP version SNMPv3. The authentication password on the agent must be the same as that on the NMS. The authentication mode on the agent is MD5, and the authentication mode on the NMS must be MD5.
Privacy Password: Set the privacy password when the SNMP version is selected as SNMPv3. The privacy password on the agent must be the same as that on the NMS. The privacy mode on the agent is DES56, and the privacy mode on the NMS must be DES56.
Read Password: When the SNMP version is SNMPv1 & v2, set the read-only password with which the NMS can perform only read operations on the agent. The read password on the agent must be the same as that on the NMS.
Read & Write Password: When the SNMP version is SNMPv1 & v2, set the read and write password with which the NMS can perform both read and write operations on the agent. The read and write password on the agent must be the same as that on the NMS.
Trap Password: When the SNMP version is SNMPv1 & v2, set the authentication password with which the agent can send traps to the NMS. The trap password on the agent must be the same as that on the NMS. The trap password is usually the same as either the read password or the read & write password. The trap password defaults to the security username and is not configurable when the SNMP version is SNMPv3.
Trusted Host: If the trusted host is specified, only the NMS with the specified source IP address can access the agent.
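The following added Python example (not H3C code; written for this guide) shows what the SNMPv3 authentication and privacy passwords in the table above become on the agent. RFC 3414 derives a key from each password and then localizes it with the agent's engine ID, which is why the NMS must hold the same password and use the same MD5 and DES56 modes. The RFC's own "maplesyrup" sample is used to check the derivation; the agent engine IDs are hypothetical, and reusing the passwords authkey and prikey from this guide's configuration example is an assumption.

```python
import hashlib

# Stretch length fixed by RFC 3414 A.2: the password is repeated to 1 MiB
# before hashing, which makes guessing the password from a key costlier.
STRETCH_BYTES = 1024 * 1024


def password_to_key_md5(password: str) -> bytes:
    """Ku = MD5 over the password repeated cyclically to exactly 1 MiB."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    repeats = STRETCH_BYTES // len(pw) + 1
    stretched = (pw * repeats)[:STRETCH_BYTES]
    return hashlib.md5(stretched).digest()


def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """Kul = MD5(Ku || snmpEngineID || Ku), RFC 3414 section 2.6.

    The same password yields a different localized key on every agent
    because each agent has its own engine ID, so a key recovered from one
    agent does not directly give the key used on another.
    """
    return hashlib.md5(ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes) -> dict:
    """Derive the MD5 authentication key and the DES56 privacy key material.

    For DES (RFC 3414 section 8.1.1.1) the first 8 octets of the localized
    privacy key are the DES key and the last 8 octets are the pre-IV.
    """
    auth_kul = localize_key_md5(password_to_key_md5(auth_password), engine_id)
    priv_kul = localize_key_md5(password_to_key_md5(priv_password), engine_id)
    return {
        "auth_key": auth_kul,
        "des_key": priv_kul[:8],
        "des_pre_iv": priv_kul[8:],
    }


# Engine ID from the RFC 3414 A.3.1 sample; the two agent IDs are constructed.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
AGENT_A = bytes.fromhex("8000000003001122334455")  # hypothetical engine ID
AGENT_B = bytes.fromhex("8000000003aabbccddeeff")  # hypothetical engine ID


if __name__ == "__main__":
    # Passwords taken from this guide's SNMPv3 example (authkey / prikey).
    for name, eid in (("agent-a", AGENT_A), ("agent-b", AGENT_B)):
        keys = usm_keys("authkey", "prikey", eid)
        print(name, "auth:", keys["auth_key"].hex(), "des:", keys["des_key"].hex())
```

Because the localized key depends on the engine ID, two agents configured with the same password hold different keys, and the NMS recomputes the key for each agent after learning its engine ID during discovery. MD5 authentication and DES56 privacy are the only modes this Web page offers; HMAC-SHA authentication (also defined in RFC 3414) and AES privacy (RFC 3826) are the stronger choices where both sides support them.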
1. Select System Management > SNMP from the navigation tree, and then perform configuration as shown in Figure 541.
8. Click Apply.
2. Create a read-only community public and set the read-only password to readonly.
3. Create a read and write community and set the read and write password to readwrite.
For more information about configuring the NMS, see the NMS manual.
After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.
1. Select System Management > SNMP from the navigation tree, and then perform the following configurations, as shown in Figure 543.
9. Click Apply.
5. Set the authentication key to authkey and the privacy key to prikey.
For more information about configuring the NMS, see the NMS manual.
After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.
Configuring syslogs
System logs record network and device information, including running status and configuration changes.
With system log information, network administrators can find network or security problems, and take
corresponding actions against them.
The system sends system logs to the following destinations:
Console
Monitor terminal, a terminal that has logged in to the device through the AUX, VTY, or TTY user
interface
Log buffer
Log host
Web interface
Displaying syslogs
Time/Date
Source
Level: Displays the severity level of the system log. The information is classified into eight levels by severity:
Digest
Description
2. Click the Loghost tab to enter the log host configuration page, as shown in Figure 545.
4. Click Apply.
Set the IPv4 address or domain name of the log host.
4. Click Apply.
Buffer Capacity: Set the number of logs that can be stored in the log buffer.
Refresh Interval: Set the refresh interval of log information. You can select manual refresh or automatic refresh:
Traceroute
By using the traceroute facility, you can trace Layer 3 devices involved in delivering a packet from source
to destination.
You can traceroute the IP address or the host name of a device. If the target host name cannot be resolved,
a prompt appears.
A traceroute operation involves the following steps:
1. The source device sends a packet with a Time to Live (TTL) value of 1 to the destination device.
2. The first hop device responds with an ICMP TTL-expired message to the source. In this way, the source device can get the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4.
5. The above process continues until the ultimate destination device is reached. The destination device responds with an ICMP port-unreachable message because the packet from the source has an unreachable port number. In this way, the source device can get the addresses of all Layer 3 devices on the path.
Ping
You can ping the IP address or the host name of a device.
If the host name cannot be resolved, a prompt appears. If the source device does not receive an ICMP
echo reply within the timeout time, it displays a prompt and ping statistics. If the source device receives
ICMP echo replies within the timeout time, it displays the number of bytes for each echo reply, the
message sequence number, Time to Live (TTL), the response time, and ping statistics. Ping statistics
include number of packets sent, number of echo reply messages received, percentage of messages not
received, and the minimum, average, and maximum response time.
A ping operation involves the following steps:
1. The source device sends ICMP echo requests to the destination device.
2. The destination device responds by sending ICMP echo replies to the source device after receiving the ICMP echo requests.
3. The source device displays related statistics after receiving the replies.
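To make the TTL-driven traceroute steps and the ping statistics concrete, here is an added Python example (not code from the guide or the router) that simulates a constructed path of three Layer 3 devices and a destination. It also shows what the operator sees when intermediate devices do not send ICMP timeout packets or the destination does not send ICMP destination unreachable packets, which is why the Traceroute operation section below says to enable both. All addresses, RTT values and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology (hypothetical addresses): the Layer 3 devices between
# the source and the destination, in order, and the destination itself.
PATH: List[str] = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]
DEST = "10.0.3.9"


@dataclass
class Reply:
    kind: str           # "ttl-expired", "port-unreachable", "echo-reply" or "timeout"
    src: Optional[str]  # address the reply came from (None on timeout)


def forward(ttl: int, path: List[str], dest: str, probe: str,
            ttl_expires: bool = True, unreachables: bool = True) -> Reply:
    """Simulate one probe travelling along the path with the given TTL.

    Each Layer 3 device decrements the TTL; the device that takes it to zero
    answers with ICMP TTL-expired if sending those is enabled (the
    'ip ttl-expires enable' note in this guide). A UDP probe that reaches the
    destination is answered with ICMP port-unreachable if enabled (the
    'ip unreachables enable' note); an ICMP echo request gets an echo reply.
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return Reply("ttl-expired", hop) if ttl_expires else Reply("timeout", None)
    if probe == "udp":
        return Reply("port-unreachable", dest) if unreachables else Reply("timeout", None)
    return Reply("echo-reply", dest)


def traceroute(path: List[str], dest: str, max_hops: int = 30,
               **opts) -> List[Tuple[int, Optional[str]]]:
    """Raise the TTL one hop at a time until the destination answers.

    Each entry is (ttl, responding address); None is the '*' of a timed-out
    probe. Without port-unreachable replies the run only stops at max_hops.
    """
    hops: List[Tuple[int, Optional[str]]] = []
    for ttl in range(1, max_hops + 1):
        reply = forward(ttl, path, dest, "udp", **opts)
        hops.append((ttl, reply.src))
        if reply.kind == "port-unreachable":
            break
    return hops


def ping_stats(rtts_ms: List[Optional[float]]) -> Dict[str, float]:
    """Summarise echo replies as the ping output does.

    Each list entry is the round-trip time of one echo request in
    milliseconds, or None for a request whose reply did not arrive within
    the timeout.
    """
    received = [r for r in rtts_ms if r is not None]
    sent = len(rtts_ms)
    stats: Dict[str, float] = {
        "sent": sent,
        "received": len(received),
        "loss_percent": round(100.0 * (sent - len(received)) / sent, 1) if sent else 0.0,
    }
    if received:
        stats["min_ms"] = min(received)
        stats["max_ms"] = max(received)
        stats["avg_ms"] = round(sum(received) / len(received), 3)
    return stats


if __name__ == "__main__":
    print("traceroute:", traceroute(PATH, DEST))
    print("no ICMP timeouts on the path:", traceroute(PATH, DEST, ttl_expires=False))
    print("no unreachables at the destination:",
          traceroute(PATH, DEST, max_hops=6, unreachables=False))
    print("ping:", ping_stats([2.0, None, 1.0, 3.0]))  # constructed RTTs
```

The second and third traceroute runs are the two failure modes worth recognising in the Summary box: a row of timeouts for every intermediate hop followed by a normal final hop means the path devices are not sending ICMP timeout packets, while correct hops followed by timeouts until the hop limit means the destination is not sending ICMP destination unreachable packets.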
Traceroute operation
The Web interface does not support IPv6 traceroute.
Before executing a traceroute operation, execute the ip ttl-expires enable command on intermediate
devices to enable the sending of ICMP timeout packets, and execute the ip unreachables enable
command on the destination device to enable the sending of ICMP destination unreachable packets.
1. Log in to the Web interface, and select Other > Diagnostic Tools from the navigation tree to enter the traceroute operation page, as shown in Figure 547.
3. Click Start.
You can see the result in the Summary box.
Ping operation
The Web interface does not support IPv6 ping.
To perform a ping operation:
4. Click Start.
You can see the result in the Summary box.
Configuring WiNet
The Wisdom Network (WiNet) technology helps you centrally manage a large number of scattered
network devices by using a small number of public IP addresses.
WiNet has the following benefits:
Easy to deploy: To build a WiNet, you only need to select a management device to complete network configurations.
Plug-and-play: A device is displayed in the network topology once it is connected to the network, and you can perform corresponding operations on it.
Easy and quick deployment of security authentication: Allows you to configure a RADIUS server on the administrator device through simple Web configuration and to configure interfaces of member devices for security authentication through the administrator device.
Administrator: Refers to the device serving as the WiNet management device. In a WiNet, only the administrator is configured with a public IP address. You only need to specify one administrator in each WiNet to configure, manage, and monitor the other devices. The administrator collects information to discover and add candidates.
Candidate: Refers to a WiNet-capable device that has not been added to the WiNet but whose topology information has been collected by the administrator.
Configuring WiNet
Enabling WiNet
To build a WiNet, configure a candidate as the administrator and configure WiNet on it.
WiNet Name
Management VLAN
Enter an IP address and select a network mask for the administrator. After that, each WiNet member is assigned an IP address on the same subnet as the administrator.
After a WiNet is built, you cannot configure items on the Setup page, and the Build WiNet button
changes to Close WiNet. To delete the WiNet, click the Close WiNet button.
To customize the background image, click Browse, locate the image you want to use, and click Upload.
To remove the customized background image, click Clear.
Managing WiNet
To manage WiNet members, make sure the port that connects your host to the administrator permits
packets of the management VLAN. Select WiNet from the navigation tree to enter the default WiNet
Management page.
Figure 551 WiNet management page
1. Set the refresh period for automatic refreshing of the WiNet topology diagram. Or you can select Manual for Refresh Period and click Refresh to display the latest WiNet topology diagram.
3. Click Network Snapshot to save the current WiNet topology as the baseline topology. The baseline topology is used to show changes in network topology at different time points.
4. Click Initialize Topology to clear the stored baseline topology and cookies.
5. Click Open AuthN Center to configure a RADIUS server for security authentication on the administrator device. The administrator device automatically generates a guest user guest and its password and updates the user and password at 24:00.
6. After the authentication center starts up, the Open AuthN Center button changes to Close AuthN Center. Click Close AuthN Center to remove the RADIUS server and the guest user.
7. Drag the icon of a specific device in the WiNet topology and place it at a position as needed. If the browser is configured to accept cookies, the latest position information of each device is stored after you click Network Snapshot.
8. Double-click a device on the WiNet topology map to show details about the device, including the hostname, MAC address, device model, IP address, version, number of hops, and WiNet information, as shown in Figure 552.
9. View the WiNet topology information, including the role of each device and the connection status between devices. The connection status can be:
Normal link: Indicates a connection existing in both the baseline topology and the current topology.
New link: Indicates a connection not existing in the baseline topology but existing in the current topology.
Blocked loops: Indicate connections blocked by STP. If a normal link is blocked, it is displayed as a black broken line; if a new link is blocked, it is displayed as a blue broken line.
Down link: Indicates a connection existing in the baseline topology but not in the current topology.
10. Click a device in the topology diagram to view its panel diagram. You can manage the device as follows:
NOTE:
Support for displaying of the device panel, device renaming, and Layer 2 portal authentication on
interfaces depends on the device model.
a. Click Rename Device and enter a new system name for the device.
526
b. Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click
If a member is selected, click Manage Device to log in to the Web interface for configuring the
member. You can configure and manage the member through the Web interface. The
username and password are required before you can log in to the member. If the current user
and password are consistent with those of the member, you can directly log in to the member.
d. If a member is selected, click Initialize to restore the configuration to factory defaults and restart
the member.
e. If a member is selected, click Reboot to restart the member.
Select WiNet from the navigation tree, and click the User Management tab to enter the page as
shown in Figure 554.
Username
Password
Confirm Password
VLAN:
IMPORTANT: If the access device does not support authorized VLANs, users with the authorized VLAN ID specified cannot pass authentication.
ACL: Enter an authorized ACL number for the user.
IMPORTANT: If the access device does not support authorized ACL properties, users with the authorized ACL specified cannot pass authentication.
Expire Time: Set the time when the user becomes invalid, in the format HH:MM:SS-YYYY/MM/DD. A user whose system time is later than the preset expire time cannot pass authentication.
Description: Enter the user information.
User-type: Select a user type, which can be a common user or a guest administrator. The guest administrator can obtain the passwords of guest users. For more information, see "How the guest administrator obtains the guest password."
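As an added example (not code from the H3C guide), the following Python applies the user rules above: it parses the Expire Time format HH:MM:SS-YYYY/MM/DD and rejects a user whose authorized VLAN or ACL the access device cannot apply, failing closed on a malformed time. The UserEntry, DeviceCaps and check_user_auth names are this example's own assumptions.

```python
"""Added example, not code from the H3C guide: apply the WiNet RADIUS user
rules described above to a user entry. UserEntry, DeviceCaps and
check_user_auth are illustrative names assumed by this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Expire Time format used by the guide: HH:MM:SS-YYYY/MM/DD
EXPIRE_TIME_FORMAT = "%H:%M:%S-%Y/%m/%d"


@dataclass(frozen=True)
class UserEntry:
    username: str
    vlan: Optional[int] = None          # authorized VLAN ID, if specified
    acl: Optional[int] = None           # authorized ACL number, if specified
    expire_time: Optional[str] = None   # in EXPIRE_TIME_FORMAT; None = no expiry


@dataclass(frozen=True)
class DeviceCaps:
    """What the access device can enforce (assumed capability flags)."""
    supports_authorized_vlan: bool
    supports_authorized_acl: bool


def parse_expire_time(text: str) -> datetime:
    """Parse the guide's Expire Time string; raises ValueError on any other shape."""
    return datetime.strptime(text, EXPIRE_TIME_FORMAT)


def check_user_auth(user: UserEntry, dev: DeviceCaps,
                    now: datetime) -> Tuple[bool, str]:
    """Return (passes, reason). The decision fails closed: an authorization
    attribute the device cannot apply, a malformed expire time, or a current
    time later than the expire time all reject the user."""
    if user.vlan is not None and not dev.supports_authorized_vlan:
        return False, "authorized VLAN specified but not supported by the access device"
    if user.acl is not None and not dev.supports_authorized_acl:
        return False, "authorized ACL specified but not supported by the access device"
    if user.expire_time is not None:
        try:
            expires = parse_expire_time(user.expire_time)
        except ValueError:
            return False, "expire time is not in HH:MM:SS-YYYY/MM/DD format"
        if now > expires:
            return False, "user expired at " + user.expire_time
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: device without authorized-ACL support, clock at mid-2013.
    caps = DeviceCaps(supports_authorized_vlan=True, supports_authorized_acl=False)
    clock = parse_expire_time("12:00:00-2013/06/01")
    for entry in (UserEntry("alice", vlan=10, expire_time="23:59:59-2013/12/31"),
                  UserEntry("bob", acl=3000),
                  UserEntry("carol", expire_time="00:00:00-2013/01/01")):
        print(entry.username, check_user_auth(entry, caps, clock))
```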
1. Click Export, and click Save in the dialog box that appears.
2. Set the local path and file name for saving the exported files.
3. Click Save to export all the RADIUS user information in the files to the local host.
4. Click Import. The page for importing files appears.
6. Click Apply to import the user information in the files to the device.
Because the guest password is automatically updated at 24:00 every day, the guest administrator must
re-obtain the password.
To customize a portal authentication page on a member, reference the variable szPTGuestPWD (for
saving guest password) in pt_private.js in the authentication passed page, and use the JS mode to
The administrator is connected to the external network through Ethernet 0/1, and is connected to
the members through Ethernet 0/2 and Ethernet 0/3.
Configuration procedure
2. Configure Device B:
# Create VLAN 10 and VLAN-interface 10.
a. Select Interface Setup > LAN Interface Setup from the navigation tree to enter the default VLAN
Setup page.
d. Click Apply.
# Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10.
Figure 560 Assigning interfaces to VLAN 10
Click Add.
The configuration progress dialog box appears.
# Enable WiNet.
g. Click OK.
Configuration procedure
1. Establish a WiNet. See "WiNet establishment configuration example."
d. Click Add.
e. Enter client for Username, client_password for Password, and client_password for Confirm Password.
f. Click Apply.
Configuration wizard
Overview
The configuration wizard helps you establish a basic call, and configure local numbers and connection
properties.
Selecting a country
In the wizard homepage, click Start to access the country selection page, as shown in Figure 570.
Configure the device to play the call progress tones of a specified country or region.
Items: Line, Number, Username, Password.
Basic settings
To implement a basic voice call, complete local number and call route configurations.
Local number configuration includes setting a local telephone number and authentication
information used for registration.
Call route configuration includes setting a destination telephone number and call route type. You
can select either SIP routing or trunk routing as the call route type. SIP routing includes proxy server
mode, IP routing mode, and binding server group mode.
For more information about basic settings of local number and call route, see Basic settings.
Call services
Call services add functions on top of basic voice calls to meet the application requirements of VoIP users.
For more information about call services configuration, see Call services.
Some call services require the involvement of a voice server. For how to configure the voice server, see
"Configuring SIP connections."
Advanced settings
The advanced settings include the following parts:
Coding parameters: This part includes the configuration of codec priorities and packet assembly intervals. The voice codec affects the voice bandwidth and voice quality, so select a codec that suits the actual network. The packet assembly interval depends on the network bandwidth and network architecture, and affects the codec delay.
Others: This part includes the configuration of number selection priority, dial prefix, called number sending mode, DTMF transmission mode, DSCP field value, and so on.
Basic settings
This section provides information about configuring basic settings.
Call route
Call route configuration includes setting a destination telephone number and call route type. The call
route type can be either SIP routing or trunk routing.
SIP routing
SIP routing includes proxy server mode, IP routing mode, and binding server group mode. If you select
IP routing, the called parties can be found through static IP addresses or domain names. Figure 573
shows the network diagram for IP routing mode.
Figure 573 Network diagram for IP routing mode
Figure 574 shows the network diagram for proxy server and binding server group modes, which require
the involvement of a SIP server.
Figure 574 Network diagram for proxy server and binding server group modes
Trunk routing
You can connect devices to the PBX on the PSTN through FXO, E&M, VE1, VT1, and BSV trunk lines. VE1 and VT1 trunk routing provides more voice communication channels per device, which greatly increases device utilization and broadens the service range.
See Configuring trunking mode calling for a configuration example that uses trunk routing as the call route type.
Basic settings
Configuring a local number
Select Voice Management > Local Number from the navigation tree, and click Add to access the page for
creating a local number, as shown in Figure 575.
Figure 575 Local number configuration page
Number ID
Number
Bound Line: This list displays all FXS voice subscriber lines. Select a voice subscriber line to be bound with the local number.
Description
Register Function: Enable. After you select the Enable option, you can configure the authentication related options. Disable.
Register Username
Register Password
Cnonce Name: Specify the authentication information used for handshake authentication between the registrar and the SIP UA.
Realm Name: Specify the realm name used for handshake authentication between the registrar and the SIP UA.
IMPORTANT: If you configure a realm name on the SIP UA, make sure it is the same as that configured on the registrar. Otherwise, the SIP UA fails authentication because of the mismatch. If no realm name is configured on a SIP UA, the SIP UA performs no realm name match and trusts the realm name configured on the registrar.
Status: Enable or disable the local number.
IMPORTANT: If you need to configure authentication information for a local number, the same authentication information is recommended for the same telephone number. After the register function is enabled, do not modify the authentication information, because doing so may cause registration update failures.
Call Route ID
Destination Number
Route Description
Call Route Type: SIP (IP Routing or Binding Server Group; one approach is required) or Trunk.
Transport Layer Protocol for Call Route: Select one of the following transport layer protocols: UDP, TCP, or TLS. By default, UDP is selected.
Register Function: Enable. After you select the Enable option, you can configure the authentication related options. Disable.
IMPORTANT: The trunk routing mode supports the register function. The authentication related options and their meanings are the same as those of a local number and therefore are not repeated here.
Status
Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to access the
page for creating a local number.
5. Click Apply.
8. Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address.
9. Click Apply.
Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
6. Click Apply.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.
10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
11. Click Apply.
After the previous configuration, you can use telephone 1111 to call telephone 2222, or use
telephone 2222 to call telephone 1111.
Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.
Configuring direct calling for SIP UAs through the SIP protocol
(configuring domain name)
Network requirements
As shown in Figure 582, acting as SIP UAs, Router A and Router B can first query destination addresses
through a DNS server and then make calls using the SIP protocol.
Figure 582 Network diagram
IMPORTANT:
Before the following configurations, you need to configure domain name resolution. For more information
about DNS, see "Configuring DNS."
Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to access the
page for creating a local number.
Figure 583 Creating local number 1111
5. Click Apply.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.
9. Select IP Routing for SIP Routing, and type cc.news.com for Destination Address.
10. Click Apply.
Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
6. Click Apply.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.
10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
11. Click Apply.
After the previous configuration, you can use telephone 1111 to call telephone 2222 by using the
DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111
by querying the static IP address of the called party.
Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.
Configuring Router A
# Create a local number.
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
6. Click Apply.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.
12. Click Apply.
Select Voice Management > Call Connection > SIP Connection from the navigation tree to access
the connection properties configuration page.
18. Click Apply.
Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
6. Click Apply.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.
12. Click Apply.
Select Voice Management > Call Connection > SIP Connection from the navigation tree to access
the connection properties configuration page.
18. Click Apply.
After the local numbers of the two sides are registered on the registrar successfully, telephone 1111
and telephone 2222 can call each other through the proxy server.
Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.
Select Voice Management > States and Statistics > Connection Status from the navigation tree, and
then click the Register Status tab to view the SIP register status.
Configuring Router A
# Create a local number.
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
6. Click Apply.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.
12. Click Apply.
Select Voice Management > Call Route from the navigation tree, and click the icon of the number to be configured to access the advanced settings page.
14. Select Send All Digits of a Called Number for Called Number Sending Mode.
15. Click Apply.
Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access the page for creating a local number.
6. Click Apply.
Telephone 1111 can call telephone 2222 over the trunk line.
Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.
T.30: The T.30 protocol covers file and fax transmission over the PSTN. It describes and regulates the communication traffic of G3 fax machines over ordinary telephone networks, including the signal format, control signaling, and error correction.
T.4: The T.4 protocol is a standard for file transmission between G3 fax terminals. It standardizes, for G3 fax terminals, the image encoding/decoding scheme, signal modulation and speed, transmission duration, error correction, and file transmission mode.
T.38: The T.38 protocol covers real-time G3 fax over IP networks. It describes and regulates the communication mode, packet format, error correction, and some communication flows of real-time G3 fax over IP networks.
Fax flow
In FoIP, the call setup, handshake, rate training, packet transfer, and call release are always in real time.
From the perspective of users, FoIP has no difference from faxing over PSTN.
Signals that a G3 fax machine receives and sends are modulated analog signals. Therefore, the router processes fax signals differently from the way it processes telephone signals. The router needs to perform A/D or D/A conversion for fax signals (that is, the router demodulates analog signals from the PSTN into digital signals, or modulates digital signals from the IP network into analog signals), but does not need to compress fax signals.
A real-time fax process consists of five phases:
1. Fax call setup phase. This phase is similar to the setup of a telephone call. The difference is that the fax tones identifying the sending/receiving terminals are included.
2. Pre-messaging phase. During this phase, fax faculty negotiation and training are performed.
3. Messaging phase. During this phase, fax packets are transmitted in accordance with the T.4 procedure, and packet transmission is controlled (including packet synchronization, error detection and correction, and line monitoring).
4. Post-messaging phase. During this phase, control operations such as packet authentication, messaging completion, and multi-page continuous transmission are performed.
5. Fax call release phase. During this phase, the fax call is released.
Pass-through fax
The fax pass-through technology was developed primarily for the purpose of compressing and
transmitting T.30 fax packets that cannot be demodulated through packet switched networks. With this
technology, the devices on two sides can directly communicate over a transparent IP link, and the voice
gateways do not distinguish fax calls from voice calls. After detecting a fax tone in an established VoIP
call, the voice gateway checks whether the voice codec protocol is G.711. If not, the voice gateway
switches the codec to G.711. Then fax data is transmitted as voice data in the pass-through mode.
In the pass-through mode, fax information is carried as uncompressed G.711 codes encapsulated in RTP packets between the gateways, and a fixed bandwidth of 64 kbps is occupied. Although the packet redundancy mechanism can reduce the packet loss ratio, the pass-through mode is subject to factors such as packet loss ratio, jitter, and delay. Therefore, the clocks on both sides must be synchronized. Fax pass-through is called voice band data (VBD) by the ITU-T. That is, fax or modem signals are transmitted over a voice channel using a proper coding method. So far, the only supported codecs are G.711 A-law and G.711 μ-law. In addition, when the fax pass-through function is enabled, the voice activity detection (VAD) function must be disabled to avoid fax failures.
You can implement the fax pass-through function on the voice gateway in two ways:
Negotiate the codec as G.711 and disable fax forwarding. Then, disable the VAD function to avoid
fax failures. This method is used for the voice gateway to interwork with other devices in the
pass-through mode.
pass-through function, which can help remote PSTN users to log in to internal network devices through
dialup.
Fax Function: Enable. The fax parameters can be configured only when the fax function is enabled. Disable.
Protocol: Configure the protocol used for fax communication with other devices. G.711 A-law. G.711 μ-law. The pass-through mode is subject to such factors as packet loss, jitter, and delay, so the clocks on both communication sides must be kept synchronized. Only G.711 A-law and G.711 μ-law are supported, and the VAD function should be disabled.
Number of Redundant Low-speed T.38 Packets
Number of Redundant High-speed T.38 Packets
IMPORTANT: Increasing the number of redundant packets improves the reliability of network transmission and reduces the packet loss ratio. A large number of redundant packets, however, can greatly increase bandwidth consumption and thereby, in the case of low bandwidth, seriously affect the fax quality. Therefore, select the number of redundant packets according to the network bandwidth.
Maximum fax transmission rate: By default, the Allowed Max Voice Speed of the Codec Protocol option is adopted.
If G.711 is adopted, the maximum fax transmission rate is 14,400 bps and the fax protocol is V.17.
If G.723.1 Annex A is adopted, the maximum fax transmission rate is 4800 bps and the fax protocol is V.27.
If G.726 is adopted, the maximum fax transmission rate is 14,400 bps and the fax protocol is V.17.
If G.729 is adopted, the maximum fax transmission rate is 7200 bps and the fax protocol is V.29.
IMPORTANT: If an option other than the default option is adopted, the maximum rate is negotiated first in accordance with the corresponding fax protocol.
Fax Training Mode: Specify the fax training mode, which can be:
Local: Indicates that the gateways participate in the rate training between fax terminals. In the local training mode, rate training is performed between the fax terminals and the gateways, respectively, and then the receiving gateway sends the training result of the receiving fax terminal to the transmitting gateway. The transmitting gateway finalizes the packet transmission rate by comparing the received training result with its own training result.
Point-to-point: Indicates that rate training is performed between the two fax terminals and is transparent to the gateways.
When rate training is carried out between fax terminals, the transmitting terminal transmits "zero-filled" TCF data (the filling time per packet is 1.5 seconds ±10%) to the receiving fax terminal, and the receiving fax terminal decides whether the current rate is acceptable according to the received TCF data.
Local Training Threshold in Percentage: When the percentage of all-ones or all-zeros TCF data to the total amount of TCF data is less than the local training threshold, the current rate training succeeds. Otherwise, the current rate training fails and you must drop the rate for another local training operation. By default, the threshold is 10.
IMPORTANT: When the local training mode is adopted, use this option to configure the threshold in percentage. When the point-to-point training mode is adopted, the gateway does not participate in rate training and the local training threshold is not applicable.
Signal Transmission Mode of Fax Faculty: In common fax applications, the participating fax terminals negotiate with the standard faculty (such as the V.17 and V.29 rates) by default, which means that they do not send each other non-standard facilities (NSF) message frames. In some cases, such as encrypted fax, both fax terminals adopt a nonstandard faculty (NSF) to negotiate. At the start of negotiation, both terminals first exchange NSF message frames, and then negotiate the subsequent fax faculty for communication. NSF messages are standard T.30 messages and carry private information.
To use a nonstandard faculty for negotiation, the following conditions must be satisfied:
The transmission mode must be set to a nonstandard mode in the POTS and VoIP entities for both fax terminals.
Transmit Energy Level of a Gateway Carrier: Usually, the default transmit energy level of the gateway carrier is acceptable. If the fax still cannot be set up although the other configurations are correct, you can try to adjust the transmit energy level of the gateway carrier (that is, the transmit energy level attenuation). A greater level indicates greater energy. A smaller level indicates greater attenuation. By default, the transmit energy level of the gateway carrier is 15 dBm.
ECM Fax: As defined by the ITU-T, ECM is required for half-duplex fax message transmission using the half-duplex and half-modulation system of the ITU-T V.34 protocol. Besides, G3 fax terminals working in full-duplex mode are required to support the half-duplex mode, that is, ECM. Fax machines using ECM can correct errors, provide the automatic repeat request (ARQ) function, and transmit fax packets in the format of HDLC frames. Fax machines not using ECM cannot correct errors, and they transmit fax packets in the format of binary strings.
CNG Fax Switchover Function: CNG fax switchover is mainly used to implement the fax mailbox service through communication with the VCX. When the local fax machine A originates a fax call to the peer fax machine B and B is busy or unattended, A can send the originated fax to the fax mailbox of the VCX. With CNG fax switchover enabled, the voice gateway can switch to the fax mode once it receives a CNG from A. Enable. Disable. The function is disabled by default.
Codec Type and Switching Mode for SIP Modem Pass-through: Configure the codec type and switching mode for the SIP modem pass-through function.
Standard G.711 A-law: Adopt G.711 A-law as the codec type and use Re-Invite switching for SIP modem pass-through.
Standard G.711 μ-law: Adopt G.711 μ-law as the codec type and use Re-Invite switching for SIP modem pass-through.
NTE Compatible G.711 A-law: Adopt G.711 A-law as the codec type and use NTE-compatible switching for SIP modem pass-through.
NTE Compatible G.711 μ-law: Adopt G.711 μ-law as the codec type and use NTE-compatible switching for SIP modem pass-through.
NTE Payload Type Field: Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected from the Codec Type and Switching Mode for SIP Modem Pass-through list. By default, the value of the NTE payload type is 100.
For call route fax and modem configuration items, see Table 213 for details.
Call services
More and more VoIP-based services are demanded as voice application environments expand. On the basis of basic calls, new features are implemented to meet the different application requirements of VoIP subscribers.
Call waiting
When subscriber C calls subscriber A, who is already engaged in a call with subscriber B, the call is not rejected if call waiting is enabled. Just like a normal call, subscriber C hears ringback tones, while subscriber A hears call waiting tones that indicate that a call is waiting on the line.
Subscriber A can answer the new call by pressing the flash hook or hanging up to end the call with
subscriber B. In the former case, subscriber B is held. In the latter case, subscriber A is immediately
alerted and can pick up the phone to answer the call originated by subscriber C (the waiting call).
Call hold
If subscriber A, in a conversation with subscriber B, presses the flash hook, the media session with subscriber B is temporarily interrupted and subscriber B is held (in the silent state or listening to the waiting tones). The system plays silent tones or dial tones to subscriber A, depending on the configuration. (The system first plays dial tones and waits for the subscriber to dial. If the subscriber fails to dial within a period of time, the system stops playing dial tones and the line stays on hold.) Subscriber A can resume the call with subscriber B by pressing the flash hook again.
After pressing the flash hook, subscriber A hears dial tones and can initiate a new call. The setup flow for the new call is exactly the same as the one for ordinary calls.
Call forwarding
After receiving a session request, the called party cannot answer the call for some reason. In this case,
the called party notifies in a response the calling party of the forwarded-to number so that the calling
party can re-initiate a session request to the new destination. This is call forwarding.
The system supports four different types of call forwarding:
Call forwarding unconditional: With this feature enabled on a voice subscriber line, incoming calls are forwarded to the predetermined destination, no matter whether the voice subscriber line is available.
Call forwarding busy: With this feature enabled on a voice subscriber line, an incoming call is forwarded to the predetermined destination when the voice subscriber line is busy.
Call forwarding no reply: With this feature enabled on a voice subscriber line, an incoming call is forwarded to the predetermined destination when the voice subscriber line is not answered within a period of time, which is configured by specifying Max Duration of Playing Ringback Tones on the FXS, FXS or E&M line configuration page and defaults to 60 seconds.
Call forwarding unavailable: With this feature enabled on a voice subscriber line, an incoming call is forwarded to the predetermined destination when the voice subscriber line is shut down.
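The four forwarding types above, as an added example that is not part of the guide: a decision function for one incoming call, plus a bounded resolver that follows forwarding across local lines and refuses a forwarding loop. The names (LineState, ForwardingConfig, forward_target, resolve_forwarding), the evaluation order among the types, and the hop bound are assumptions of this example.

```python
"""Added example, not from the H3C guide: call-forwarding decision for the
four types described above, plus a bounded chain resolver. Names, the
evaluation order and the hop bound are this example's own assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class LineState(Enum):
    IDLE = "idle"          # line available and not in a call
    BUSY = "busy"          # line already engaged in a call
    SHUTDOWN = "shutdown"  # line shut down, i.e. unavailable


@dataclass(frozen=True)
class ForwardingConfig:
    unconditional: Optional[str] = None  # call forwarding unconditional
    busy: Optional[str] = None           # call forwarding busy
    no_reply: Optional[str] = None       # call forwarding no reply
    unavailable: Optional[str] = None    # call forwarding unavailable
    # "Max Duration of Playing Ringback Tones"; the guide's default is 60 s
    max_ringback_seconds: int = 60


def forward_target(cfg: ForwardingConfig, state: LineState,
                   ringing_seconds: int = 0) -> Optional[str]:
    """Return the forwarded-to number for an incoming call, or None when the
    call is delivered to (or keeps ringing at) the line itself.
    Evaluation order (assumed): unconditional, unavailable, busy, no reply."""
    if cfg.unconditional:
        return cfg.unconditional          # regardless of line availability
    if state is LineState.SHUTDOWN:
        return cfg.unavailable            # may be None: no forwarding set
    if state is LineState.BUSY:
        return cfg.busy
    if ringing_seconds >= cfg.max_ringback_seconds:
        return cfg.no_reply
    return None


def resolve_forwarding(lines: Dict[str, ForwardingConfig],
                       states: Dict[str, LineState],
                       dialed: str, ringing_seconds: int = 0,
                       max_hops: int = 5) -> List[str]:
    """Follow forwarding from the dialed number over the local lines and
    return the hop list. A number that is not a local line ends the chain
    (it is left to the call route). A repeated number (forwarding loop) or
    a chain longer than max_hops raises ValueError; this guard is the
    example's own, the guide does not describe loop handling."""
    path = [dialed]
    current = dialed
    while True:
        cfg = lines.get(current)
        if cfg is None:
            return path
        nxt = forward_target(cfg, states.get(current, LineState.IDLE),
                             ringing_seconds)
        if nxt is None:
            return path
        if nxt in path:
            raise ValueError("forwarding loop: " + " -> ".join(path + [nxt]))
        path.append(nxt)
        if len(path) - 1 > max_hops:
            raise ValueError("forwarding chain longer than %d hops: %s"
                             % (max_hops, " -> ".join(path)))
        current = nxt


if __name__ == "__main__":
    # Constructed sample: 1000 forwards unconditionally to 2000, which is busy
    # and forwards busy calls to 3000 (not a local line).
    local = {"1000": ForwardingConfig(unconditional="2000"),
             "2000": ForwardingConfig(busy="3000")}
    state = {"1000": LineState.IDLE, "2000": LineState.BUSY}
    print(resolve_forwarding(local, state, "1000"))  # ['1000', '2000', '3000']
```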
Call transfer
Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the
flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber
C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is
established. This is call transfer.
To complement the call transfer feature, the device supports call recovery after a call transfer fails: if subscriber C in the previous example is in a conversation with another subscriber and cannot establish a conversation with subscriber B, the call between subscriber A and subscriber B is recovered.
Call backup
After initiating a call to the called party, the calling party is unable to receive a response. In this case, if
there is another link (PSTN link or VoIP link) to the called party, the calling party re-initiates a call to the
called party over the new route. This is call backup.
The system supports two types of call backup:
Hunt group
Multiple voice subscriber lines are configured with the same called number to form a hunt group. If the
voice subscriber line with the first priority is unavailable when a call setup request to the called party is
received, the call is still established through another voice subscriber line in the hunt group.
Call barring
Call barring includes incoming call barring and outgoing call barring.
Incoming call barring usually refers to the DND service. When incoming call barring is enabled on a voice subscriber line, calls originated to the attached phone fail.
When outgoing call barring is enabled on a voice subscriber line, calls originated from the attached phone fail as well.
Three-party conference
When subscriber A has a call with subscriber B and holds a call with subscriber C, A can make C join
the current conversation to implement a three-party conference.
During a three-party conference, a passive participant can initiate a new call to create another
conversation. In this way, conference chaining is implemented, and each conference initiator serves as
a conference bridge.
If the entered password is correct (the password matches the door opening control password
configured for the voice subscriber line), the door control relay opens the door. After a predefined
door open duration, the door control relay locks the door automatically.
Date and time when the voice call occurs (MM DD hh:mm)
Two Ps for the calling number and the calling name, respectively, if CID is disabled on the device
O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end does not send it)
O if the terminating PBX fails to obtain the calling name (for example, the originating PBX end does not send it)
The FXS voice subscriber line sends the calling identity information to the called telephone. The calling identity information is sent to the called telephone by frequency shift keying (FSK) modulation between the first and second rings. Therefore, the called user must pick up the telephone only after the second ring to be sure that the calling identity information has been sent and received correctly. Otherwise, the calling identity information may fail to be displayed.
Item | Description
--- | ---
Call Forwarding | Set the forwarded-to numbers: The Forwarded-to Number for Call Forwarding No Reply, The Forwarded-to Number for Call Forwarding Busy, the forwarded-to number for Call Forwarding Unconditional, and The Forwarded-to Number for Call Forwarding Unavailable.
Call Waiting | After call waiting is enabled, configure its parameters according to your needs.
Call Hold | 
Call Transfer | After call transfer is enabled, you can set the Call Transfer Start Delay parameter according to your needs.
Three-Party Conference | The three-party conference function depends on the call hold function. Therefore, you must enable call hold before configuring three-party conference.
Item | Description
--- | ---
Calling Name | Set the calling name, a case-sensitive string of digits 0 through 9, letters A through Z or a through z, underscores (_), hyphens (-), dots (.), exclamation points (!), percent signs (%), asterisks (*), plus signs (+), grave accents (`), single quotation marks ('), and tildes (~). By default, no calling name is configured. The calling name in the calling identity information can only be transmitted in MDMF format. Therefore, if calling information delivery is enabled, you must select the Complex Delivery option in the Calling Information Delivery area.
Calling Information Delivery | Configure the format of calling information.
Call Identity Delivery | Enable or Disable. The calling identity is delivered by default.
Item | Description
--- | ---
Incoming Call Barring | Enable or Disable. By default, incoming call barring is disabled.
Password for Outgoing Call Barring | Set a password to lock your telephone when you do not want others to use it.
Door Opening Password, Door Open Duration | Enable the door opening control service, and set a password for opening the door and the door open duration after which the door control relay locks the door again. By default, the door opening service is disabled. IMPORTANT: Install a SIC audio card on the device on which the FXS voice subscriber line with door opening control enabled resides.
Feature Service | Enable or Disable. By default, feature service is disabled.
Hunt Group | Enable or Disable.
Message Waiting Indicator | Enable or Disable. By default, MWI is disabled. After MWI is enabled, you can configure the Duration of Playing the Message Waiting Tone parameter according to your needs. IMPORTANT: Generally, the voice gateway sends a SUBSCRIBE to the server, receives a NOTIFY from the server if the subscription is successful, and then gets the status of the voice mailbox.
Hotline Numbers | Configure the private line auto ring-down (PLAR) function. The number is the E.164 telephone number of the terminating end.
On-hook Delay Time of the Called Party | Enable calling party control and set the on-hook delay time of the called party. A delay time of 0 means that calling party control is disabled. By default, calling party control is disabled, that is, the on-hook delay of the called party is 0.
Processing Priority When the Line is Busy | Specify the processing sequence of services when the line is busy.
Item | Description
--- | ---
Call Waiting | After call waiting is enabled, configure its parameters according to your needs.
Incoming Call Barring | Enable or Disable. By default, incoming call barring is disabled.
Password for Outgoing Call Barring | Set a password to lock your telephone when you do not want others to use it.
Item | Description
--- | ---
Hunt Group | Enable or Disable.
Hotline Numbers | Configure the private line auto ring-down (PLAR) function. The number is an E.164 telephone number of the terminating end.
[Figure: network diagram. Telephone A (number 1000), Telephone B (number 2000), Telephone C (number 3000); Router B and Router C; interfaces Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24.]
Configuration procedure
Before performing the following configuration, make sure Router A, Router B, and Router C are reachable to each other.
1. Complete basic voice call configurations on Router A, Router B, and Router C.
2. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 1000 in the local number list to access the call services configuration page.
Operation 1: When the subscriber at Telephone C dials 1000 to call Telephone A, which is already engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones, while the subscriber at Telephone A hears call waiting tones indicating that a call is waiting on the line. If the subscriber at Telephone A then hangs up, Telephone A rings, and the subscriber at Telephone A can pick up the phone to start a conversation with Telephone C.
Operation 2: When the subscriber at Telephone C dials 1000 to call Telephone A, which is already engaged in a call with Telephone B, the subscriber at Telephone A can press the flash hook to start a conversation with Telephone C; Telephone B is then held. The subscriber at Telephone A can press the flash hook again to continue the talk with Telephone B; Telephone C is then held. In this case, the call hold function must be enabled on the voice subscriber line connected to Telephone A.
[Figure: network diagram. Telephone A (number 1000), Telephone B (number 2000), Telephone C (number 3000); Router B and Router C; interfaces Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24.]
Configuration procedure
Before performing the following configuration, make sure Router A, Router B, and Router C are reachable to each other.
1. Complete basic voice call configurations on Router A, Router B, and Router C.
2. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 2000 in the local number list to access the call services configuration page.
   b. Enter 3000 for The Forwarded-to Number for Call Forwarding Busy.
   c. Click Apply.
1. Call Telephone B from Telephone A; Telephone A and Telephone B are then in a conversation.
4. Hang up Telephone A.
[Figure: network diagram. Telephone A (number 1000), Telephone B (number 2000), Telephone C (number 3000); Router B and Router C; interfaces Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.2/24, Eth1/1 20.1.1.1/24.]
Configuration procedure
Before performing the following configuration, make sure that Router A, Router B, and Router C are reachable to each other.
1. Complete basic voice call configurations on Router A, Router B, and Router C.
2. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 1000 in the local number list to access the call services configuration page.
   d. Click Apply.
1. Call Telephone B from Telephone A; Telephone A and Telephone B are then in a conversation.
4. Hang up Telephone A.
Configuration procedure
Before performing the following configuration, make sure that Router A, Router B, and Router C are routable to each other.
1. Complete basic voice call configurations on Router A, Router B, and Router C.
2. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 1000 in the local number list to access the advanced settings configuration page.
Select Voice Management > Local Number from the navigation tree, and click the icon of local number 1000 of Telephone A1 in the local number list to access the call services configuration page.
Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure is not included here.
[Figure: network diagram. Telephone A (number 1000), Telephone B (number 2000), Telephone C (number 3000); Router B and Router C; interfaces Eth1/0 10.1.1.1/24, Eth1/0 10.1.1.2/24, Eth1/0 20.1.1.2/24, Eth1/1 20.1.1.1/24.]
Configuration procedure
Before performing the following configuration, make sure that Router A, Router B, and Router C are routable to each other.
1. Complete basic voice call configurations on Router A, Router B, and Router C.
2. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 2000 in the local number list to access the call services configuration page.
   c. Click Apply.
Configure silent monitor for Telephone C to monitor the conversation between Telephone A and Telephone B. After the configuration, when Telephone A and Telephone B are in a conversation, dialing the feature code *425*<number of Telephone A># at Telephone C monitors the conversation between Telephone A and Telephone B.
Configure barge in for Telephone C to join the conversation between Telephone A and Telephone B. After the configuration, dialing the feature code *428# at Telephone C joins the conversation between Telephone A and Telephone B.
1. Click Features of number 1000 to access the feature configuration page, and then click Edit Feature of the Silent Monitor and Barge In feature to access the page shown in Figure 619.
Figure 619 Silent monitor and barge in feature configuration page (1)
2. Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000. After this configuration, the page shown in Figure 620 appears.
Figure 620 Silent monitor and barge in feature configuration page (2)
After the previous configuration, Telephone C (number 3000) can monitor and barge in on the conversations of Telephone A (number 1000).
Configure Router A
# Configure a local number and call routes.
1. Configure a local number: specify the local number ID as 1000 and the number as 1000, and bind the number to line 1/0 on the local number configuration page.
2. Configure the call route to Router B: specify the call route ID as 2000, the destination number as 2000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
3. Configure the call route to Router C: specify the call route ID as 3000, the destination number as 3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
4. Configure SIP registration: enable registration with the server on the connection properties configuration page. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page, and configure the IP addresses of both the main registrar and the proxy server as 100.1.1.101.
# Enable the feature service and the silent-monitor and barge-in function.
5. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 1000 to access the call services page shown in Figure 621.
Figure 621 Enabling the feature service and the silent monitor and barge in function
8. Click Apply.
Configure Router B
# Configure a local number and call routes.
1. Configure a local number: specify the local number ID as 2000 and the number as 2000, and bind the number to line 1/0 on the local number configuration page.
2. Configure the call route to Router A: specify the call route ID as 1000, the destination number as 1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
3. Configure the call route to Router C: specify the call route ID as 3000, the destination number as 3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
4. Configure SIP registration: enable registration with the server on the connection properties configuration page. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page, and configure the IP addresses of both the main registrar and the proxy server as 100.1.1.101.
Configure Router C
# Configure a local number and call routes.
1. Configure a local number: specify the local number ID as 3000 and the number as 3000, and bind the number to line 1/0 on the local number configuration page.
2. Configure the call route to Router A: specify the call route ID as 1000, the destination number as 1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
3. Configure the call route to Router B: specify the call route ID as 2000, the destination number as 2000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route configuration page.
4. Configure SIP registration: enable registration with the server on the connection properties configuration page. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the connection properties configuration page, and configure the IP addresses of both the main registrar and the proxy server as 100.1.1.101.
5. Select Voice Management > Call Route from the navigation tree, and click the icon of call route 1000 to access the advanced settings page shown in Figure 622.
7. Click Apply.
8. Select Voice Management > Local Number from the navigation tree, and click the icon of local number 3000 to access the call services page shown in Figure 623.
10. Click Apply.
Advanced settings
This section provides information on configuring various advanced settings.
g711alaw and g711ulaw provide high-quality voice transmission but require greater bandwidth.
g723r53 and g723r63 provide silence suppression and comfort noise generation. The higher-rate output (6.3 kbps) is based on multi-pulse maximum likelihood quantization (MP-MLQ) and provides relatively higher voice quality. The lower-rate output (5.3 kbps) is based on algebraic code-excited linear prediction (ACELP) and provides greater flexibility for applications.
g729r8 and g729a provide voice quality similar to that of 32 kbps adaptive differential pulse code modulation (ADPCM), that is, toll quality, with low bandwidth, low delay, and medium processing complexity. They therefore have a wide field of application.

Codec | Bandwidth | Voice quality
--- | --- | ---
G.711 | 64 kbps | Best
G.726 | 16, 24, 32, or 40 kbps | Good
G.729 | 8 kbps | Good
G.723 r63 | 6.3 kbps | Fair
G.723 r53 | 5.3 kbps | Fair

Actual network bandwidth depends on the packet assembly interval and the network structure. The longer the packet assembly interval, the closer the network bandwidth is to the media stream bandwidth, because fewer headers are sent per unit of voice; more headers consume more bandwidth. A longer packet assembly interval, however, also results in a longer fixed coding latency.
The following tables list the packet assembly parameters without IPHC (packet assembly interval, bytes coded in a time unit, packet length, network bandwidth, and coding latency), so that you can choose a suitable codec according to the load on the line and the network conditions.
G.711 algorithm (A-law and µ-law): media stream bandwidth 64 kbps, minimum packet assembly interval 10 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
10 ms | 80 | 120 | 96 kbps | 126 | 100.8 kbps | 10 ms
20 ms | 160 | 200 | 80 kbps | 206 | 82.4 kbps | 20 ms
30 ms | 240 | 280 | 74.7 kbps | 286 | 76.3 kbps | 30 ms
G.723 r63 algorithm: media stream bandwidth 6.3 kbps, minimum packet assembly interval 30 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
30 ms | 24 | 64 | 16.8 kbps | 70 | 18.4 kbps | 30 ms
60 ms | 48 | 88 | 11.6 kbps | 94 | 12.3 kbps | 60 ms
90 ms | 72 | 112 | 9.8 kbps | 118 | 10.3 kbps | 90 ms
120 ms | 96 | 136 | 9.1 kbps | 142 | 9.5 kbps | 120 ms
150 ms | 120 | 160 | 8.5 kbps | 166 | 8.9 kbps | 150 ms
180 ms | 144 | 184 | 8.2 kbps | 190 | 8.4 kbps | 180 ms
G.723 r53 algorithm: media stream bandwidth 5.3 kbps, minimum packet assembly interval 30 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
30 ms | 20 | 60 | 15.9 kbps | 66 | 17.5 kbps | 30 ms
60 ms | 40 | 80 | 10.6 kbps | 86 | 11.4 kbps | 60 ms
90 ms | 60 | 100 | 8.8 kbps | 106 | 9.3 kbps | 90 ms
120 ms | 80 | 120 | 8 kbps | 126 | 8.4 kbps | 120 ms
150 ms | 100 | 140 | 7.5 kbps | 146 | 7.8 kbps | 150 ms
180 ms | 120 | 160 | 7.1 kbps | 166 | 7.4 kbps | 180 ms
G.726 r16 algorithm: media stream bandwidth 16 kbps, minimum packet assembly interval 10 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
10 ms | 20 | 60 | 48 kbps | 66 | 52.8 kbps | 10 ms
20 ms | 40 | 80 | 32 kbps | 86 | 34.4 kbps | 20 ms
30 ms | 60 | 100 | 26.7 kbps | 106 | 28.3 kbps | 30 ms
40 ms | 80 | 120 | 24 kbps | 126 | 25.2 kbps | 40 ms
50 ms | 100 | 140 | 22.4 kbps | 146 | 23.4 kbps | 50 ms
60 ms | 120 | 160 | 21.3 kbps | 166 | 22.1 kbps | 60 ms
70 ms | 140 | 180 | 20.6 kbps | 186 | 21.3 kbps | 70 ms
80 ms | 160 | 200 | 20 kbps | 206 | 20.6 kbps | 80 ms
90 ms | 180 | 220 | 19.5 kbps | 226 | 20.1 kbps | 90 ms
100 ms | 200 | 240 | 19.2 kbps | 246 | 19.7 kbps | 100 ms
110 ms | 220 | 260 | 18.9 kbps | 266 | 19.3 kbps | 110 ms
G.726 r24 algorithm: media stream bandwidth 24 kbps, minimum packet assembly interval 10 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
10 ms | 30 | 70 | 56 kbps | 76 | 60.8 kbps | 10 ms
20 ms | 60 | 100 | 40 kbps | 106 | 42.4 kbps | 20 ms
30 ms | 90 | 130 | 34.7 kbps | 136 | 36.3 kbps | 30 ms
40 ms | 120 | 160 | 32 kbps | 166 | 33.2 kbps | 40 ms
50 ms | 150 | 190 | 30.4 kbps | 196 | 31.4 kbps | 50 ms
60 ms | 180 | 220 | 29.3 kbps | 226 | 30.1 kbps | 60 ms
70 ms | 210 | 250 | 28.6 kbps | 256 | 29.3 kbps | 70 ms
G.726 r32 algorithm: media stream bandwidth 32 kbps, minimum packet assembly interval 10 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
10 ms | 40 | 80 | 64 kbps | 86 | 68.8 kbps | 10 ms
20 ms | 80 | 120 | 48 kbps | 126 | 50.4 kbps | 20 ms
30 ms | 120 | 160 | 42.7 kbps | 166 | 44.3 kbps | 30 ms
40 ms | 160 | 200 | 40 kbps | 206 | 41.2 kbps | 40 ms
50 ms | 200 | 240 | 38.4 kbps | 246 | 39.4 kbps | 50 ms
G.726 r40 algorithm: media stream bandwidth 40 kbps, minimum packet assembly interval 10 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
10 ms | 50 | 90 | 72 kbps | 96 | 76.8 kbps | 10 ms
20 ms | 100 | 140 | 56 kbps | 146 | 58.4 kbps | 20 ms
30 ms | 150 | 190 | 50.7 kbps | 196 | 52.3 kbps | 30 ms
40 ms | 200 | 240 | 48 kbps | 246 | 49.2 kbps | 40 ms
G.729 algorithm: media stream bandwidth 8 kbps, minimum packet assembly interval 10 ms.

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
--- | --- | --- | --- | --- | --- | ---
10 ms | 10 | 50 | 40 kbps | 56 | 44.8 kbps | 10 ms
20 ms | 20 | 60 | 24 kbps | 66 | 26.4 kbps | 20 ms
30 ms | 30 | 70 | 18.7 kbps | 76 | 20.3 kbps | 30 ms
40 ms | 40 | 80 | 16 kbps | 86 | 17.2 kbps | 40 ms
50 ms | 50 | 90 | 14.4 kbps | 96 | 15.4 kbps | 50 ms
60 ms | 60 | 100 | 13.3 kbps | 106 | 14.1 kbps | 60 ms
70 ms | 70 | 110 | 12.6 kbps | 116 | 13.3 kbps | 70 ms
80 ms | 80 | 120 | 12 kbps | 126 | 12.6 kbps | 80 ms
90 ms | 90 | 130 | 11.6 kbps | 136 | 12.1 kbps | 90 ms
100 ms | 100 | 140 | 11.2 kbps | 146 | 11.7 kbps | 100 ms
110 ms | 110 | 150 | 10.9 kbps | 156 | 11.3 kbps | 110 ms
120 ms | 120 | 160 | 10.7 kbps | 166 | 11.1 kbps | 120 ms
130 ms | 130 | 170 | 10.5 kbps | 176 | 10.8 kbps | 130 ms
140 ms | 140 | 180 | 10.3 kbps | 186 | 10.6 kbps | 140 ms
150 ms | 150 | 190 | 10.1 kbps | 196 | 10.5 kbps | 150 ms
160 ms | 160 | 200 | 10 kbps | 206 | 10.3 kbps | 160 ms
170 ms | 170 | 210 | 9.9 kbps | 216 | 10.2 kbps | 170 ms
180 ms | 180 | 220 | 9.8 kbps | 226 | 10 kbps | 180 ms
NOTE:
The packet assembly interval is the duration of voice that is encapsulated into one voice packet.
Bytes coded in a time unit = packet assembly interval × media stream bandwidth ÷ 8 (for example, 10 ms × 64 kbps ÷ 8 = 80 bytes).
Packet length (IP) = IP header + UDP header + RTP header + voice information length = 20 + 8 + 12 + data.
Packet length (IP+PPP) = PPP header + IP header + UDP header + RTP header + voice information length = 6 + 20 + 8 + 12 + data.
Network bandwidth = media stream bandwidth × packet length ÷ bytes coded in a time unit.
Because IPHC compression is affected significantly by network stability, it cannot achieve high efficiency unless the line is of high quality, the network is very stable, and packet loss does not occur or seldom occurs. When the network is unstable, IPHC efficiency drops drastically. With the best IPHC performance, the IP/UDP/RTP headers can be compressed to 2 bytes. If the PPP header is compressed at the same time, a great deal of media stream bandwidth can be saved. The following table shows the best IPHC compression efficiency of the codec algorithms with a packet assembly interval of 30 milliseconds.
Table 226 Compression efficiency of IPHC+PPP header (packet assembly interval 30 ms)

Codec | Bytes coded in a time unit | Before compression: packet length (IP+PPP) (bytes) | Before compression: network bandwidth (IP+PPP) | After compression: packet length (IP+PPP) (bytes) | After compression: network bandwidth (IP+PPP)
--- | --- | --- | --- | --- | ---
G.729 | 30 | 76 | 20.3 kbps | 34 | 9.1 kbps
G.723r63 | 24 | 70 | 18.4 kbps | 28 | 7.4 kbps
G.723r53 | 20 | 66 | 17.5 kbps | 24 | 6.4 kbps
G.726r16 | 60 | 106 | 28.3 kbps | 64 | 17.1 kbps
G.726r24 | 90 | 136 | 36.3 kbps | 94 | 25.1 kbps
G.726r32 | 120 | 166 | 44.3 kbps | 124 | 33.1 kbps
G.726r40 | 150 | 196 | 52.3 kbps | 154 | 41.1 kbps
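The tables above are all instances of the formulas in the NOTE. The following Python script is an added example, not code from the H3C guide or the router; it reproduces any row of the packet assembly tables and of Table 226 from those formulas, and uses them to size a link. Its assumptions: codec frames are whole multiples of the minimum packet assembly interval (which is how the G.723 rows come out as 24 and 20 bytes per 30 ms), bandwidths are rounded half up to one decimal, and the best-case IPHC plus compressed PPP overhead is 4 bytes per packet, which is what reproduces the "after compression" column of Table 226.

```python
from fractions import Fraction
from math import floor
from typing import NamedTuple

IP_HDR, UDP_HDR, RTP_HDR, PPP_HDR = 20, 8, 12, 6
# Assumption: with best-case IPHC the IP/UDP/RTP headers shrink to 2 bytes and the
# PPP header to 2 bytes; 4 bytes of overhead reproduces the "after" column of Table 226.
IPHC_PPP_HDR = 4

# Media stream bandwidth in tenths of a kbps (exact integer arithmetic) and the
# minimum packet assembly interval in ms, taken from the table captions above.
CODECS = {
    "g711alaw": (640, 10), "g711ulaw": (640, 10),
    "g723r63": (63, 30), "g723r53": (53, 30),
    "g726r16": (160, 10), "g726r24": (240, 10),
    "g726r32": (320, 10), "g726r40": (400, 10),
    "g729r8": (80, 10), "g729a": (80, 10),
}


class Row(NamedTuple):
    interval_ms: int
    payload_bytes: int
    ip_len: int
    ip_kbps: float
    ip_ppp_len: int
    ip_ppp_kbps: float
    iphc_len: int
    iphc_kbps: float


def _round_half_up(x: Fraction, digits: int = 1) -> float:
    scale = 10 ** digits
    return floor(x * scale + Fraction(1, 2)) / scale


def payload_bytes(codec: str, interval_ms: int) -> int:
    """Bytes coded in a time unit: whole codec frames of min_iv ms each."""
    bw10, min_iv = CODECS[codec]
    if interval_ms < min_iv or interval_ms % min_iv:
        raise ValueError(f"{codec}: interval must be a multiple of {min_iv} ms")
    frame = floor(Fraction(bw10 * min_iv, 80) + Fraction(1, 2))  # bits -> bytes, rounded
    return frame * (interval_ms // min_iv)


def row(codec: str, interval_ms: int) -> Row:
    """One table row: network bandwidth = media bandwidth * packet length / payload."""
    bw10, _ = CODECS[codec]
    data = payload_bytes(codec, interval_ms)

    def kbps(packet_len: int) -> float:
        return _round_half_up(Fraction(bw10 * packet_len, 10 * data))

    ip_len = IP_HDR + UDP_HDR + RTP_HDR + data
    ppp_len = PPP_HDR + ip_len
    iphc_len = IPHC_PPP_HDR + data
    return Row(interval_ms, data, ip_len, kbps(ip_len), ppp_len, kbps(ppp_len),
               iphc_len, kbps(iphc_len))


def table(codec: str, max_interval_ms: int) -> list:
    """All rows from the minimum interval up to max_interval_ms, as in the tables above."""
    _, min_iv = CODECS[codec]
    return [row(codec, iv) for iv in range(min_iv, max_interval_ms + 1, min_iv)]


def calls_that_fit(codec: str, interval_ms: int, link_kbps: float,
                   ppp: bool = True, iphc: bool = False) -> int:
    """Concurrent calls a link carries at this codec and interval.  Only count on the
    IPHC figure for a stable, loss-free line, as the NOTE above warns."""
    r = row(codec, interval_ms)
    per_call = r.iphc_kbps if iphc else (r.ip_ppp_kbps if ppp else r.ip_kbps)
    return int(link_kbps // per_call)


if __name__ == "__main__":
    for r in table("g729r8", 60):
        print(r)
    print(calls_that_fit("g729r8", 20, 128), "G.729 calls on a 128 kbps PPP link")
```

Changing the packet assembly interval trades bandwidth for coding latency, so a sizing based on these rows should be checked against the delay budget of the call path as well as the link rate.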
Other parameters
Other parameters are some optional parameters, such as number selection priority, dial prefix, called
number sending mode, and DTMF transmission mode. For the description of these parameters,
see Configuring other parameters of a local number and Configuring other parameters for a call route.
Coding parameters: specify up to four codecs in priority order (first, second, third, and lowest priority), and specify the packet assembly interval for the g711alaw and g711ulaw codecs, for the g723r53 and g723r63 codecs, and for the g729r8, g729br8, and g729a codecs.
Two communication parties can communicate only if they share at least one coding/decoding algorithm. If the codecs configured on two connected devices are inconsistent, or the two devices share no common codec, the call fails.
Item | Description
--- | ---
Priority | Set the priority of the local number. The smaller the value, the higher the priority.
Dial Prefix | Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out.
Item | Description
--- | ---
Called Number Sending Mode | Send a Truncated Called Number, or Send Certain Number of Digits: send a certain number of digits (extracted from the end of the called number). The specified value must not be greater than the total number of digits of the called number.
DTMF Transmission Mode | In-band Transmission, Out-of-band Transmission, or RFC2833.
DSCP | Pre-defined or Customized: set the DSCP value in the ToS field of the IP packets that carry the RTP stream.
VAD | Enable or Disable. By default, VAD is disabled.
For the coding parameter configuration items of a call route, see Table 228.
For the other parameter configuration items of a call route, see Table 228 and Table 229.
Table 229 Configuration items

Item | Description
--- | ---
Priority | Set the priority of the call route. The smaller the value, the higher the priority.
Local ringback tone | Enable or Disable. By default, the remote end instead of the local end plays ringback tones.
Configuration procedure
2. Click Apply.
# Configure out-of-band DTMF transmission mode on Router B for the local number.
a. Select Voice Management > Local Number from the navigation tree, and find local number 2222.
Click Apply.
SIP-to-SIP connections
Configuring media parameters for SIP-to-SIP connections
1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured.

Item | Description
--- | ---
Codec Transparent | If the SIP trunk device does not support the codec capability sets supported by the calling and called parties, select Enable to enable codec transparent transfer on the SIP trunk device. The SIP trunk device then transparently transfers the codec capability sets between the two parties, and the calling and called parties complete the codec negotiation themselves. By default, Disable is selected.
Item | Description
--- | ---
Codec Transcoding | When the SIP trunk device controls the result of media capability negotiation and cannot find a common codec for the two parties, the call fails. In this case, select Enable to enable codec transcoding on the SIP trunk device. With this function enabled, the SIP trunk device uses its own codec capability set to negotiate with the calling party and the called party separately. If the codecs negotiated with the two parties do not match, the SIP trunk device transcodes the media flows passing through it. By default, Disable is selected. IMPORTANT: The codec transcoding feature does not take effect in any of the following cases:
Relay | Specify that the SIP trunk device acts as the RTP trunk proxy and forwards the media packets.
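The three modes in the table above differ only in whose capability set is used on each leg of the call. The following Python script is an added example, not code from the H3C guide or the router: it parses the codec list from a constructed SDP offer such as a SIP phone would send in an INVITE, and then applies the transparent, trunk-controlled, and transcoding rules to pick the codec on each leg. The static payload type numbers are the RFC 3551 assignments; the SDP body, the capability lists, and the function names are assumptions made for the example, and the trunk's own codec set and the callee's answer are given as plain lists rather than negotiated over SIP.

```python
# RFC 3551 static RTP payload types; anything else must be named by an a=rtpmap line.
STATIC_PT = {0: "PCMU", 8: "PCMA", 4: "G723", 18: "G729", 2: "G726-32"}


class CodecMismatch(Exception):
    """No codec in common on one leg of the call."""


def codecs_from_sdp(sdp):
    """Codec names in offer order from the audio m= line of an SDP body.  telephone-event
    (RFC 2833 DTMF) is signalling rather than voice and is left out of the list."""
    pts, rtpmap = [], {}
    for line in sdp.strip().splitlines():
        line = line.strip()
        if line.startswith("m=audio"):
            pts = [int(p) for p in line.split()[3:]]      # m=audio <port> <proto> <fmt list>
        elif line.startswith("a=rtpmap:"):
            pt, encoding = line[len("a=rtpmap:"):].split(None, 1)
            rtpmap[int(pt)] = encoding.split("/")[0].upper()
    names = []
    for pt in pts:
        name = rtpmap.get(pt, STATIC_PT.get(pt))
        if name and name != "TELEPHONE-EVENT" and name not in names:
            names.append(name)
    return names


def negotiate(offer, answerer):
    """Offer/answer: the first codec in the offerer's preference order the answerer supports."""
    for codec in offer:
        if codec in answerer:
            return codec
    raise CodecMismatch(f"no common codec: offered {offer}, supported {list(answerer)}")


def trunk_negotiate(caller_sdp, callee_caps, trunk_caps, transparent=False, transcoding=False):
    """Codec chosen on the caller leg and on the callee leg, plus whether the trunk has
    to transcode between them, for the three modes described in the table above."""
    offer = codecs_from_sdp(caller_sdp)
    if transparent:
        # Codec Transparent: the trunk forwards the capability sets untouched, so the
        # endpoints negotiate end to end and the trunk never has to understand the codec.
        codec = negotiate(offer, callee_caps)
        return codec, codec, False
    # Trunk-controlled negotiation: only codecs the trunk itself supports are offered on.
    trunk_offer = [c for c in offer if c in trunk_caps]
    common = [c for c in trunk_offer if c in callee_caps]
    if common:
        return common[0], common[0], False
    if not transcoding:
        raise CodecMismatch(f"trunk found no common codec between {offer} and {list(callee_caps)}")
    # Codec Transcoding: each leg is negotiated against the trunk's own capability set,
    # and the trunk transcodes if the two legs end up on different codecs.
    caller_codec = negotiate(offer, trunk_caps)
    callee_codec = negotiate(trunk_caps, callee_caps)
    return caller_codec, callee_codec, caller_codec != callee_codec


def call_succeeds(*args, **kwargs):
    try:
        trunk_negotiate(*args, **kwargs)
        return True
    except CodecMismatch:
        return False


# Constructed sample offer, modelled on the SDP body a SIP phone sends in an INVITE.
CALLER_SDP = """\
v=0
o=phoneA 2890844526 2890844526 IN IP4 10.1.1.10
s=-
c=IN IP4 10.1.1.10
t=0 0
m=audio 49170 RTP/AVP 8 18 101
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:18 annexb=no
"""
TRUNK_CAPS = ["PCMA", "PCMU", "G729", "G723"]   # assumed capability set of the SIP trunk device

if __name__ == "__main__":
    print(codecs_from_sdp(CALLER_SDP))
    print(trunk_negotiate(CALLER_SDP, ["G729", "PCMU"], TRUNK_CAPS, transparent=True))
    print(trunk_negotiate(CALLER_SDP, ["G723", "PCMU"], TRUNK_CAPS, transcoding=True))
```

Note that in transparent mode the trunk relays whatever the endpoints agree on, including codecs it could not decode itself, whereas in the transcoding case it terminates both media legs and so sees the voice in the clear; that is the trade-off to weigh when deciding which mode a trunk toward an untrusted peer should run in.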
1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured.
3. Configure the signaling parameters:

Item | Description
--- | ---
Call-forwarding Signal | Remote process: The SIP trunk device transparently transfers the
Mid-call Signal | 
Session Timer | the calling party, and the called party also supports this mechanism, you can select this option to enable the called party to process the session update information. Otherwise, the session timer mechanism only works between the calling party and the SIP trunk device. The interval for sending session update requests is negotiated by the endpoints. For more information, see RFC 4028.
1. The voice gateway on the calling side replaces the calling and called numbers according to the number substitution rule on the receiving line.
3. The gateway selects proper local numbers or call routes based on the local number or call route selection priority rules and replaces the calling and called numbers.
4. The gateway initiates a call to the called side and sends the calling and called numbers.
1.
After receiving a voice call (the called number), the voice gateway on the called side performs
global calling/called number substitution.
2.
The voice gateway on the called side selects proper local numbers or call routes based on the local
number or call route selection priority rules. Number substitution may also be involved during the
local number or call route selection. If the called party is a local number, the gateway directly
connects the line. If the called party is a PSTN subscriber, the gateway initiates a call and sends the
calling and called numbers to the PSTN. The PBX in the PSTN connects the call.
Regular expression
You will use regular expressions frequently when you configure number substitution rules. Regular expressions are a powerful and flexible tool for pattern matching and substitution. They are not restricted to a language or system, and have been widely accepted.
When using a regular expression, you construct a matching pattern according to certain rules, and then compare the matching pattern with the target object. The simplest regular expressions contain no meta-characters. For example, the regular expression hello matches only the string hello.
To help you construct matching patterns flexibly, regular expressions support some special characters, called meta-characters, which define the way other characters appear in the target object.
Table 232 Meta-characters

Meta-character | Meaning
--- | ---
0-9 | Digits 0 through 9.
# and * | Valid digits.
. | Wildcard, which can match any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional digits.
- | Hyphen (connecting element), used inside brackets to connect two digits (the smaller before the larger) to indicate a range, for example, 1-9 inclusive.
[] | Delimits a range for matching. It can be used together with signs such as !, %, and +. For example, [235-9] indicates one digit of 2, 3, and 5 through 9.
() | Indicates a sub-expression. For example, (086) indicates the character string 086. It is usually used together with signs such as !, %, and +. For example, (086)!010 can match the two character strings 010 and 086010.
! | A control character, indicating that the sub-expression before it appears once or does not appear. For example, (010)!12345678 can match 12345678 and 01012345678.
+ | A control character, indicating that the sub-expression before it appears one or more times. However, if a calling number starts with the plus sign, the sign itself has no special meaning and only indicates that what follows is a valid, E.164-compliant number. For example, 9876(54)+ can match 987654, 98765454, 9876545454, and so on, and +110022 is an E.164-compliant number.
% | A control character, indicating that the sub-expression before it appears multiple times or does not appear. For example, 9876(54)% can match 9876, 987654, 98765454, 9876545454, and so on.

The sub-expression (one digit or digit string) before a control character such as !, +, or % can appear the number of times indicated by the control character. For example, (100)+ can match 100, 100100, 100100100, and so on. Once any of them is matched, the match is considered an exact match. In the longest match mode, the voice gateway ignores subsequent digits dialed by the subscriber after an exact match.
For the case in which the gateway needs to wait for the subscriber to continue dialing after an exact match, see the T mode.
The characters \ and | have a special meaning in regular expressions and cannot be used as common characters. The character \ is an escape character. If you want a control character to represent itself, add the escape character \ before it. For example, (\+) represents the character + itself, because + is a control character in regular expressions. The character | means that the current character (string) is the character (string) on either its left or its right. For example, 0860108888|T means that the current character string is either 0860108888 or T.
T mode: If the character T is in the number set in a local number or call route, the voice gateway waits for more digits until the number exceeds the maximum length or the dial timer expires.
If a number starts with the plus sign (+), be aware of what happens when you use it on a trunk: E&M, R2, and LGS signaling use DTMF, and because the plus sign (+) has no corresponding tone, the number cannot be transmitted to the called side successfully. With DSS1 signaling over ISDN, this problem does not exist. Therefore, avoid using a number that the signaling itself cannot convey. Otherwise, the call fails.
Maximum number of local numbers or call routes found before a search process stops
This function enables you to define the maximum number of qualified local numbers or call routes to be
found before a search process stops. Even if the number of local numbers or call routes meeting call
requirements is greater than the defined maximum number, the system matches against the local numbers
or call routes that are found in the search according to the configured maximum number.
For example, assume that two entries are configured, one with the number 0106688 and one with the
number 01066880011, and that a subscriber dials 01066880011:
If the device is configured to use the shortest match mode, the dialed number matches 0106688 as soon
as those seven digits have been dialed. That is, the device establishes a call connection to 0106688 at
the remote end and does not process the last four digits 0011.
If the device is configured to use the longest match mode, the dialed number matches 01066880011.
That is, the device establishes a call connection to 01066880011 at the remote end.
Now assume that the subscriber dials only 0106688:
If the device is configured to use the shortest match mode, it matches 0106688.
If the device is configured to use the longest match mode, it waits for further digits because
01066880011 could still be matched. After the dial timer expires, the device ignores the configured
longest match mode and falls back to shortest match mode, establishing the call connection to 0106688.
When a subscriber dials 0106688# with the longest match mode and a dial terminator of a pound sign (#)
configured, the device ignores the configured longest match mode and uses shortest match mode to
establish the call connection immediately.
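The matching rules described above (digits, the dot wildcard, the ^ and $ anchors, the + marker, the backslash escape, | alternation, T mode, shortest/longest match and the dial terminator) are easier to reason about in code. The following is an added example written for this page, not the router's own code. It assumes that matching always starts at the first dialed digit (^ only makes that explicit), that a bare + consumes no dialed digit, and that a pattern without $ matches any longer number as a prefix; the entries and dialed strings are constructed from the examples in this section.

```python
"""Model of the number-matching rules above: digits, '.' (any one digit), '^', '$',
'+', backslash escapes, '|' alternation and T (wait for the dial timer), plus the
shortest/longest match modes and the dial terminator.  Added example, not router code."""

RANK = {"none": 0, "partial": 1, "wait": 2, "full": 3}


def split_alternatives(pattern):
    """Split on unescaped '|', so 0860108888|T yields two alternatives."""
    alts, cur, i = [], "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):   # keep escape pairs intact
            cur += pattern[i:i + 2]
            i += 2
        elif pattern[i] == "|":
            alts.append(cur)
            cur = ""
            i += 1
        else:
            cur += pattern[i]
            i += 1
    alts.append(cur)
    return alts


def compile_alternative(alt):
    """Return (tokens, anchored_end); tokens are ('lit', c), ('any',) or ('T',)."""
    tokens, anchored_end, i = [], False, 0
    body = alt[1:] if alt.startswith("^") else alt  # assumption: matching starts at digit 1 either way
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):          # \+ : the escaped character is literal
            tokens.append(("lit", body[i + 1]))
            i += 2
            continue
        if ch == "$" and i == len(body) - 1:
            anchored_end = True
        elif ch == ".":
            tokens.append(("any",))
        elif ch == "T":
            tokens.append(("T",))
        elif ch != "+":                                # assumption: bare '+' is only the E.164 marker
            tokens.append(("lit", ch))
        i += 1
    return tokens, anchored_end


def match_state(pattern, dialed):
    """Return (state, digits_consumed). full: usable now; partial: needs more digits;
    wait: a T was reached, so the dial timer/terminator decides; none: mismatch."""
    best = ("none", 0)
    for alt in split_alternatives(pattern):
        tokens, anchored_end = compile_alternative(alt)
        state, i = "full", 0
        for tok in tokens:
            if tok[0] == "T":
                state = "wait"
                break
            if i >= len(dialed):
                state = "partial"
                break
            if tok[0] == "lit" and tok[1] != dialed[i]:
                state, i = "none", 0
                break
            i += 1
        if state == "full" and anchored_end and i < len(dialed):
            state, i = "none", 0                        # '$' forbids trailing digits
        if (RANK[state], i) > (RANK[best[0]], best[1]):
            best = (state, i)
    return best


def _usable(entries, collected, final):
    """IDs of entries that can be used now; on timer expiry/terminator, T entries count too.
    Among them keep those that consumed the most digits (ties go to the selection rules)."""
    states = {eid: match_state(p, collected) for eid, p in entries.items()}
    ok = {"full", "wait"} if final else {"full"}
    ids = [eid for eid, s in states.items() if s[0] in ok]
    if not ids:
        return []
    top = max(states[eid][1] for eid in ids)
    return sorted(eid for eid in ids if states[eid][1] == top)


def route_call(entries, dialed, mode="shortest", terminator=None, timer_expires=False):
    """Collect digits one at a time. Returns (entry_ids, digits_used); an empty list
    with all digits used means the gateway is still waiting for more digits."""
    collected = ""
    for ch in dialed:
        # a leading '#'/'*' counts as a digit when some entry begins with it (see Dial Terminator)
        first_is_digit = not collected and any(p.lstrip("^").startswith(ch) for p in entries.values())
        if ch == terminator and not first_is_digit:
            return _usable(entries, collected, final=True), len(collected)
        collected += ch
        states = [match_state(p, collected)[0] for p in entries.values()]
        if all(s == "none" for s in states):
            return [], len(collected)                   # nothing can match: the call fails
        pending = any(s in ("partial", "wait") for s in states)
        usable = _usable(entries, collected, final=False)
        if usable and (mode == "shortest" or not pending):
            return usable, len(collected)
    if timer_expires:                                   # longest match falls back to shortest match
        return _usable(entries, collected, final=True), len(collected)
    return [], len(collected)
```

`route_call({"0106688": "0106688", "01066880011": "01066880011"}, "01066880011", "longest")` returns the 11-digit entry, while the same call in shortest mode stops after seven digits, which is the behaviour the text describes; the remaining cases (timer expiry, the # terminator, T mode) follow the same path.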
If multiple rules are configured, the system first selects a local number or call route according to the
first rule. If the first rule cannot decide which local number or call route should be selected, the system
applies the second rule, and if the second rule still cannot decide, the third rule.
If none of the rules can decide which local number or call route should be selected, the system selects
the local number or call route with the smallest ID.
The random selection rule always produces a single result, so nothing is left to decide once it has been
applied. Therefore, random selection can only be the last rule in a sequence or the only rule.
Call control
Call authority control
To configure call authority control, assign subscriber numbers to a number group, and then bind the
group, with its permit or deny authority, to a local number or call route.
When a subscriber originates a call that matches a local number or call route that is bound to a
number group, the system compares the calling number with each number in the number group. If a
match is found, the call is permitted. Otherwise, the system moves on to the next matching local number
or call route until the call is permitted or denied. For the related configuration, see Configuring a
number group.
Maximum-call-connection set
You can limit the total call connections for local numbers or call routes according to the network scale to
control communication traffic. You can bind a local number or call route to a maximum-call-connection
set. After that, the number of call connections of the local number or call route is restricted.
Number substitution
A number substitution rule list defines some number substitution methods. It can be used wherever
number substitution is necessary. There is no limitation on where and how many times it is used. Therefore,
a number substitution rule list may be bound globally and bound to different local numbers/call routes
and lines.
The characteristics of global calling/called number substitution and of calling/called number
substitution on local numbers/call routes and lines are as follows:
Global number substitution: The voice gateway substitutes the calling and called numbers of all
incoming and outgoing calls according to the number substitution rules configured in dial program
view. Multiple number substitution rule lists can be bound for global calling and called number
substitution of incoming and outgoing calls. If there is no match in the first number substitution rule
list, the voice gateway matches against the other number substitution rule lists.
Number substitution on local numbers or call routes: The voice gateway substitutes the calling and
called numbers based on the number substitution rule lists bound to local numbers or call routes.
Number substitution on a specific line: The voice gateway substitutes the calling and called
numbers of incoming calls based on the number substitution rules configured on the receiving line.
Item                Description
Dial Terminator     Configure a special character as the dial terminator for length-variable
                    telephone numbers.
                    If you set the argument character to # or *, and the first character of a
                    configured local number or call route is the same character (# or *), the device
                    takes that first character as a common number digit rather than as a dial
                    terminator.
                    By default, no dial terminator is configured.
Maximum number of local numbers or call routes found before a search process stops
                    Set the maximum number of local numbers or call routes found before a
                    search process stops.
Item                 Description
Selection Sequence   Select the Enable option; the order of the voice entities in the Selection
                     Sequence box then determines the match order. Click the Up and Down
                     buttons to move a voice entity.
Match Order          You can select one to three rules to form a sequence. The voice gateway first
                     selects a number according to the first rule. If it cannot decide which number
                     to select according to the first rule, it applies the second rule, and so on.
                     The rules are:
                     Exact match: The more digits of a digit string that are matched from left to
                     right, the higher the precision. The system stops using this rule once a digit
                     cannot be matched uniquely.
                     Priority: 0 to 10. The smaller the value, the higher the priority; level 0 has
                     the highest priority.
                     Longest idle time: The longer a voice entity has been idle, the higher its
                     priority.
                     By default, the match order of the number selection rules is exact match ->
                     priority -> random selection.
b. Click Add.
d. Click Apply.
Item         Description
Group ID
Description
Add          Enter the subscriber numbers to be added to the group in the field. You can add a
             number by clicking Add.
Item           Description
Binding Mode   A local number can be bound to multiple number groups only in the same binding
               mode; that is, a local number either permits or denies the calls from all of its
               bound number groups.
c. Click Add to access the Max-Call-Connection Set Configuration page as shown in Figure 3.
Item                Description
Connection Set ID
e. Click the box in front of the ID column, and then click Apply to complete local number binding.
The configuration of IVR number binding is similar to that of local number binding and is therefore
not repeated here.
Item            Description
Rule ID
Input Number    The input number can contain the following special characters:
                ^ (caret): The match begins with the first character of the number string. That is,
                the device starts matching the user number from the first character of the match
                string.
                + (plus sign): The sign itself has no special meaning. It only indicates that the
                following string is a valid, E.164-compliant number.
                $ (dollar sign): The last character of the match string must be matched. That is,
                the last digit of the user number must match the last character of the match string.
                Dots (.) in the input number mark the digits that can be reserved for the output
                number. Which of those digits are reserved is decided by one of the following modes:
                End-Only: Reserve the digits to which the ending dots (.) in the input number
                correspond.
                Left-to-Right: Reserve, from left to right, the digits to which the dots in the input
                number correspond.
                Right-to-Left: Reserve, from right to left, the digits to which the dots in the input
                number correspond.
Preferred rule  In a voice call, the system first uses the preferred number substitution rule. If this
                rule does not apply or is not configured, it tries all other rules in order until one
                applies or none does.
                A number substitution process may involve multiple rules, but only one of them can
                be set as the preferred one; the latest configuration overwrites the previous one.
                By default, this function is disabled.
Add a Rule
3. Bind a number substitution list globally or to local numbers, call routes, or lines: click Not Bound
in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column to access the
corresponding binding page.
The configuration of these bindings is similar to that of local number binding in call control and is
therefore not repeated here.
Configuration procedure
1. Default (shortest) match mode:
a. Configure Router A:
# Add a local number: specify the number ID as 1000, the number as 10001234$, and the
bound line as line 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$,
and the destination address as 1.1.1.2 on the call route configuration page.
# Add a call route: specify the call route ID as 2001, the destination number as
200012341234$, and the destination address as 1.1.1.2 on the call route configuration page.
b. Configure Router B:
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the
bound line as 1/0 on the local number configuration page.
# Add a local number: specify the number ID as 2001, the number as 200012341234$, and
the bound line as 1/1 on the local number configuration page.
When you dial 20001234 at Telephone A, the number matches call route 2000 and Telephone B is
alerted, because the device uses the shortest match mode by default.
2. Longest match mode:
a. Configure Router A: select Voice Management > Dial Plan > Number Match from the
navigation tree to access the number match configuration page, as shown in Figure 639, and
configure the longest match mode.
Figure 639 Number match mode configuration page
After you dial 20001234 at Telephone A and wait for some time (during this period, you can
continue dialing), the dialed number 20001234 matches call route 2000 and Telephone B is
alerted.
If you continue to dial 1234 during that period, the dialed number 200012341234 matches call
route 2001 and Telephone C is alerted.
3. Dial terminator:
a. Configure Router A: select Voice Management > Dial Plan > Number Match from the
navigation tree to access the dial terminator configuration page, as shown in Figure 640.
b. Type # for Dial Terminator.
c. Click Apply.
After you dial 20001234# at Telephone A, the number immediately matches call route 2000 and
Telephone B is alerted.
Configuring Router A
3. b. Find the call route with the ID of 2000 in the list, and click its corresponding icon to access
its configuration page.
d. Click Apply.
5. b. Find the call route with the ID of 2001 in the list, and click its corresponding icon to access
its configuration page.
d. Click Apply.
6. Specify the call route ID as 2002, the destination number as 2000....$, and the destination
address as 1.1.1.2 on the call route configuration page.
Configuring Router B
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.
1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
page for configuring the match order of number selection rules, as shown in Figure 644.
2. Select Exact Match from the First Rule in the Match Order list.
3. Select Priority from the Second Rule in the Match Order list.
4. Select Random Selection from the Third Rule in the Match Order list.
5. Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 2000.
1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
page for configuring the match order of number selection rules.
2. Select Priority from the First Rule in the Match Order list.
3. Select Exact Match from the Second Rule in the Match Order list.
4. Select Random Selection from the Third Rule in the Match Order list.
5. Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 2002.
1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
page for configuring the match order of number selection rules.
2. Select Random Selection from the First Rule in the Match Order list.
3. Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 2000, 2001, or 2002
at random.
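The three match-order sequences above can be reproduced with a small selector that applies the rules in order and falls back to the smallest ID. This is an added example written for this page, not the router's own code. The candidate list and the priority values are assumptions: the page does not show the priorities it configured on call routes 2000 and 2002, and call route 2001 is left out because its 12-digit pattern is not matched by 20001234 and the page does not show how it was changed for the random case.

```python
import random


def exact_digits(pattern):
    """Digits that an entry matches literally (not '.', T or the ^ $ + markers)."""
    return sum(ch.isdigit() for ch in pattern)


def select_entry(candidates, rules, rng=random):
    """Apply the match-order rules in sequence to entries that already match the dialed
    number. candidates: dicts with id, pattern, priority (0-10, 0 highest), idle (seconds)."""
    if "random" in rules and rules.index("random") != len(rules) - 1:
        raise ValueError("random selection always decides, so it can only be the last rule")
    pool = list(candidates)
    for rule in rules:
        if len(pool) == 1:
            break
        if rule == "exact_match":          # keep the entries with the most literal digits
            best = max(exact_digits(c["pattern"]) for c in pool)
            pool = [c for c in pool if exact_digits(c["pattern"]) == best]
        elif rule == "priority":           # smaller value wins
            best = min(c["priority"] for c in pool)
            pool = [c for c in pool if c["priority"] == best]
        elif rule == "longest_idle":       # the entity idle for longest wins
            best = max(c["idle"] for c in pool)
            pool = [c for c in pool if c["idle"] == best]
        elif rule == "random":             # always decides
            return rng.choice(pool)
        else:
            raise ValueError(f"unknown rule {rule}")
    return min(pool, key=lambda c: c["id"])   # still tied: smallest ID


# Constructed candidates for dialed number 20001234; priorities are assumed (not on the page)
ROUTES = [
    {"id": 2000, "pattern": "20001234$", "priority": 5, "idle": 30},
    {"id": 2002, "pattern": "2000....$", "priority": 0, "idle": 300},
]
```

With exact match first, 20001234$ beats 2000....$ because it matches eight literal digits instead of four; with priority first, 2002 wins on the assumed priority 0.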
Configuring Router A
1. Select Voice Management > Digital Link Management from the navigation tree to access the digital
link list page.
2. Find the digital link VE1 5/0 in the list, and click its corresponding icon to access the E1
parameters configuration page.
4. Select Internal for TDM Clock Source. (Internal is the default setting.)
6. Click Apply.
# Add a local number: specify the number ID as 1000, the number as 10001234$, and the
bound line as 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 1001, the destination number as 20001234$, and
the trunk route line as 5/0:15 on the call route configuration page. In addition, select the Send
All Digits of a Called Number option in the Called Number Sending Mode area when you configure
the advanced settings of this call route.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and
the destination address as 1.1.1.2 on the call route configuration page.
Configuring Router B
Select Voice Management > Digital Link Management from the navigation tree to access the digital link
list page. Find the digital link VE1 5/0 in the list, and click its corresponding icon to access the E1
parameters configuration page.
Figure 649 E1 parameters configuration page
Select User Side Mode for ISDN Working Mode. (User Side Mode is the default setting.)
Click Apply.
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.
Figure 650 Entity type selection priority rule configuration page (1)
Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the second
is POTS, the third is VoFR, and the last is IVR.
Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 2000 (VoIP entity).
Configure the order of the voice entities in the Selection Sequence box: the first is POTS, the second
is VoIP, the third is VoFR, and the last is IVR.
Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 1001 (POTS entity).
Figure (network diagram, image not reproduced): Place A has PBX subscribers 110000 to 110099
(pattern 1100..) and 120000 to 120099 (pattern 1200..) behind Router A, which reaches Router B and
Router C over the IP network, where the SIP server is located. Place B has Router B, a PBX (numbers
2100 and 2200 shown), and a PSTN central office. Place C has Router C, a PBX (numbers 3100 and
3200 shown), and a PSTN central office.
Configuring Router A
# Configure two number groups.
Configure Router A. Select Voice Management > Dial Plan > Call Authority Control from the navigation
tree, and then click Add to access the number group configuration page.
Figure 653 Number group configuration page
Click Apply.
Enter the number group configuration page again to add another number group, and click Apply.
# Add a call route for place B: specify the call route ID as 2000, the destination number as 2..., and use
a proxy server for SIP routing on the call route configuration page.
# Create a call route for place C: specify the call route ID as 3000, the destination number as 3..., and
use a proxy server for SIP routing on the call route configuration page.
# Add a call route for place B: specify the call route ID as 2100, the destination number as 2, and the
trunk route line as 5/0:15 on the call route configuration page. In addition, select the Send All Digits
of a Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
# Add a call route for place C: specify the call route ID as 3100, the destination number as 3..., and
the trunk route line as 5/1:15 on the call route configuration page. In addition, select the Send All
Digits of a Called Number option in the Called Number Sending Mode area when you configure the
advanced settings of this call route.
# Bind call routes to number group 1 so that subscribers at place A whose telephone numbers begin
with 1100 can originate calls to place B.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to access the
page as shown in Figure 654.
Figure 654 Binding call route configuration page (1)
Click Not Bound in the Call Routes Bound column to access the call route binding page of number group
1.
Select Permit the calls from the number group for Binding Mode.
Click Apply.
# Bind call routes to number group 2 so that subscribers whose telephone numbers begin with 1200
can originate calls to both place B and place C.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to access the
page as shown in Figure 656.
Figure 656 Binding call route configuration page (2)
Click Not Bound in the Call Routes Bound column to access the call route binding page of number group
2.
Select Permit the calls from the number group for Binding Mode.
Click Apply.
Configuring Router B
Add a call route:
1. Specify the call route ID as 2100, the destination number as 2, and the trunk route line as
1/0:15 on the call route configuration page.
2. Select the Send All Digits of a Called Number option in the Called Number Sending Mode area
when you configure the advanced settings of this call route.
Configuring Router C
Add a call route:
1. Specify the call route ID as 3100, the destination number as 3..., and the trunk route line as
1/0:15 on the call route configuration page.
2. Select the Send All Digits of a Called Number option in the Called Number Sending Mode area
when you configure the advanced settings of this call route.
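The permit logic that the call authority control section describes (compare the calling number with every number in the groups bound to each matching entry, and move on to the next matching entry on a miss) is shown below for the place A configuration above. This is an added example written for this page, not the router's own code. The group-to-route bindings, the handling of entries with no binding, and the deny-mode behaviour are assumptions stated in the comments; the page only says that a permit-mode match permits the call and that the search continues otherwise.

```python
def digits_match(pattern, number, exact=True):
    """'.' matches any one digit. exact=True: the whole number must match (number-group
    entries); exact=False: prefix match (call route destination numbers without '$')."""
    if exact and len(pattern) != len(number):
        return False
    if len(number) < len(pattern):
        return False
    return all(p == "." or p == d for p, d in zip(pattern, number))


def matching_routes(routes, called):
    """Route IDs whose destination number matches the called number, in ID order
    (the selection rules of the previous section would refine this order)."""
    return [rid for rid, pat in sorted(routes.items()) if digits_match(pat, called, exact=False)]


def authorize(calling, called, routes, bindings, groups):
    """bindings: {route_id: ('permit'|'deny', [group_id, ...])}. Returns (route_id, reason).
    Assumptions: an entry with no binding accepts any caller; a deny-bound entry accepts
    callers that are in none of its groups; if no matching entry accepts the caller, the
    call is denied."""
    for rid in matching_routes(routes, called):
        if rid not in bindings:
            return rid, "no number group bound"
        mode, group_ids = bindings[rid]      # all groups on one entry share one binding mode
        hit = any(digits_match(p, calling) for gid in group_ids for p in groups[gid])
        if mode == "permit" and hit:
            return rid, "calling number is in a permitted number group"
        if mode == "deny" and not hit:
            return rid, "calling number is in no denied number group"
        # otherwise this entry rejects the caller: try the next matching entry
    return None, "denied: no matching local number or call route permits this caller"


# Constructed configuration for Router A at place A; which routes each group is bound to is assumed
GROUPS = {1: ["1100.."], 2: ["1200.."]}
ROUTES = {2000: "2...", 2100: "2", 3000: "3...", 3100: "3..."}
BINDINGS = {
    2000: ("permit", [1, 2]), 2100: ("permit", [1, 2]),   # place B: both groups
    3000: ("permit", [2]), 3100: ("permit", [2]),         # place C: group 2 only
}
```

A 1100xx subscriber calling 2100 is routed through call route 2000, the same subscriber calling 3100 is denied, and a 1200xx subscriber reaches both places, which is the intent stated for the two bindings above.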
Two local telephony networks communicate through two voice gateways. Subscribers in one PBX
network can make ordinary calls to remote subscribers in the other PBX network over a VoIP network.
Configure two FXO trunk lines between each router and its PBX, and enable hunt group so that the
trunk lines back each other up.
There are a financial department, a market department, and a sales department at both place A (area
code 010) and place B (area code 021). A department at place A only needs to know the telephone
numbers of the local departments and the area code of place B when calling a department at place B.
For example, the financial department at place B dials 3366 to call the local market department, and
dials 0103366 to call the market department at place A. The caller ID displayed on the terminal at
place A is then 0211234, that is, the area code of place B followed by the telephone number (1234) of
the financial department at place B.
Figure 658 Network diagram (image not reproduced): at place B, a PBX is connected to Router B
(Eth2/1, 2.2.2.2/24); Router B and Router A are connected over the WAN; at place A, Router A (Eth2/1,
1.1.1.1/24) is connected to a PBX.
Configuration considerations
The PBX (calling side) at place B changes the called number to an intermediate number.
The PBX (called side) at place A changes the received intermediate number to a local number before
initiating the call.
The following configuration supports dial plan-based calls from place B to place A only.
Configuring Router B
# Set the IP address of the Ethernet interface to 2.2.2.2.
# Add a call route for place A: specify the call route ID as 10, the destination number as 010., the call
route type as SIP, the SIP routing as IP routing, and the destination address as 1.1.1.1 on the call route
configuration page.
# Add a call route: specify the call route ID as 100, the destination number as ...., and the trunk route
line as 1/0 on the call route configuration page. In addition, you need to select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route; you also need to select the Enable option in the Hunt Group area when you
configure the call services of this call route.
# Add a call route: specify the call route ID as 101, the destination number as ...., and the trunk route
line as 1/1 on the call route configuration page. In addition, you need to select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route; you also need to select the Enable option in the Hunt Group area when you
configure the call services of this call route.
# Add a number substitution rule list for called numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to
access the number substitution configuration page.
Click Apply.
# Add another number substitution rule list for calling numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to
access the number substitution configuration page.
Click Apply.
# Enter the call route binding page of number substitution list 21101.
Figure 661 Call routing binding page of number substitution list 21101
Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.
Click Apply.
# Enter the call route binding page of number substitution list 21102.
Figure 662 Call routing binding page of number substitution list 21102
Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode.
Click Apply.
Configuring Router A
# Set the IP address of the Ethernet interface to 1.1.1.1.
# Add a call route: specify the call route ID as 1010, the destination number as ., and the trunk route
line as FXO line 1/0 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number option in the Called Number Sending Mode area when you configure the
advanced settings of this call route; you also need to select the Enable option in the Hunt Group area
when you configure the call services of this call route.
# Add a call route: specify the call route ID as 2010, the destination number as ...., and to the trunk route
line as FXO line 1/1 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number option in the Called Number Sending Mode area when you configure the
advanced settings of this call route; you also need to select the Enable option in the Hunt Group area
when you configure the call services of this call route.
# Add number substitution rule list 101 for called numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and click Add to
access the number substitution configuration page.
Click Apply.
# Add another number substitution rule list for calling numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to
access the number substitution configuration page.
Click Apply.
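The number substitution rules of this scenario and the Input Number table earlier in this section (the ^ and $ anchors, dots as reserved digits, the End-Only, Left-to-Right and Right-to-Left modes, and the preferred rule) can be modelled as follows. This is an added example written for this page, not the router's own code. The rule contents used on Router A and Router B are assumptions that reproduce the outcome stated above (called number 0103366 becomes 3366 on Router A; calling number 1234 is sent as 0211234 by Router B), since the page's own rule lists are in figures that are not reproduced; the treatment of an input number without ^ as matching at any position is also an assumption.

```python
def match_input(input_number, number):
    """Match an input number (digits, '.', optional leading '^' and trailing '$') against a
    user number. Returns (body, dot_digits) or None; dot_digits are the digits, in order,
    that the dots matched. Assumption: without '^' the body may match at any position."""
    anchored_start = input_number.startswith("^")
    anchored_end = input_number.endswith("$")
    body = input_number.strip("^$")
    starts = [0] if anchored_start else range(len(number) - len(body) + 1)
    for start in starts:
        seg = number[start:start + len(body)]
        if len(seg) != len(body) or (anchored_end and start + len(body) != len(number)):
            continue
        if all(p == "." or p == d for p, d in zip(body, seg)):
            return body, [d for p, d in zip(body, seg) if p == "."]
    return None


def apply_rule(rule, number):
    """Apply one rule {input, output, mode}; return the new number or None if it does not apply.
    Dots in the output are filled with reserved digits: End-Only keeps only the digits matched
    by the trailing run of dots, Left-to-Right takes the first digits, Right-to-Left the last."""
    matched = match_input(rule["input"], number)
    if matched is None:
        return None
    body, digits = matched
    if rule["mode"] == "end-only":
        trailing = len(body) - len(body.rstrip("."))
        digits = digits[len(digits) - trailing:] if trailing else []
    needed = rule["output"].count(".")
    if len(digits) < needed:
        return None                                      # not enough reserved digits
    chosen = digits[len(digits) - needed:] if rule["mode"] == "right-to-left" else digits[:needed]
    chosen_iter = iter(chosen)
    return "".join(next(chosen_iter) if ch == "." else ch for ch in rule["output"])


def substitute(rule_list, number):
    """Try the preferred rule first, then the others by rule ID. Returns (number, rule_id)."""
    ordered = sorted(rule_list, key=lambda r: (not r.get("preferred", False), r["id"]))
    for rule in ordered:
        out = apply_rule(rule, number)
        if out is not None:
            return out, rule["id"]
    return number, None                                  # no rule applies: number unchanged


# Constructed rules for the place A/place B scenario (assumed; the page's lists are not shown)
ROUTER_B_CALLING_OUT = [{"id": 1, "input": "^....$", "output": "021....", "mode": "left-to-right"}]
ROUTER_A_CALLED_IN = [{"id": 1, "input": "^010....$", "output": "....", "mode": "end-only"}]
```

The three modes differ only when the input number has dots in more than one place: for input ^..1....$ and number 8813366, Left-to-Right fills an output of four dots with 8833, while Right-to-Left and End-Only both give 3366.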
Call connection
Introduction to SIP
The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify,
and terminate multimedia sessions such as IP phone calls and multimedia conferences. It is the core
component of the IETF multimedia data and control architecture (RFC 3261).
SIP is responsible for signaling control in IP networks and for communication with softswitch platforms.
The intent is to build a next generation value-added service platform that delivers better value-added
services to telecom carriers, banks, and financial organizations.
SIP is used for initiating sessions. It sets up and terminates a multimedia session involving a group of
participants, and dynamically adjusts and modifies session characteristics such as the required session
bandwidth, media type (voice, video, or data), media encoding/decoding format, and multicast/unicast
delivery. SIP is text-encoded and is modeled on the mature HTTP protocol. Easy to extend and
implement, it is suitable for building Internet-based multimedia conference systems.
Terminology
Multimedia session
According to RFC 2327, a multimedia session is a set of multimedia sen ders and receivers and the data
streams flowing from senders to receivers. A multimedia conference is an example of a multimedia
session.
A session is identified by the combination of username, session ID, network type, address type, and
address.
User agent
A user agent (UA), or a SIP endpoint, is a SIP-enabled multimedia session endpoint. Usually, a
SIP-enabled router serves as a SIP UA.
There are two types of UAs: user agent client (UAC) and user agent server (UAS). To make a call, a SIP
endpoint needs to process the SIP request as a UAS and initiate the SIP request as a UAC.
A UAC is a device that initiates a session request. It can be a calling SIP endpoint or a proxy server
forwarding a request to a called endpoint for example.
A UAS is a device that generates a response to a SIP request. It can be a called SIP endpoint or a proxy
server receiving a request from a calling endpoint for example.
Proxy server
A proxy server is a device that forwards session requests to a called UA on behalf of a calling UA (a SIP
endpoint), and responds to the calling UA on behalf of the called UA.
When the proxy server receives a request from a calling UA, it first requests its location server for
information on called UA location and call policies of calling UA and called UA. If the location
information of the called UA is available and the calling UA is allowed to make the call, the proxy server
then forwards the request to the called UA.
643
Redirect server
A redirect server sends a new connection address to a requesting client.
For example, when it receives a request from a calling UA, the redirect server searches for the location
information of the called UA and returns the location information to the UA. This location can be that of
the called UA or another proxy server, to which the UA can initiate the session request again. The
subsequent procedure is the same as that for calling a called UA directly or for calling a proxy server.
Location server
A location server provides UA information to proxy and redirect servers. It retains the UA information
received by a registrar. The location server and the registrar can reside on the same device as two
logical components or on different devices.
Registrar
A registrar receives UAs' registrations. The registration information (for example, the local telephone
number) is usually stored on the location server for future retrieval. The location server and the
registrar are both logical components and are usually co-located.
SIP provides the following functions:
Locating called SIP endpoints: The most powerful function of SIP. For this purpose, SIP can use the
registration information of SIP endpoints on the registrar. In addition, it can improve its user location
service by using other location services provided by DNS and LDAP.
Determining user availability: Makes sure whether a called endpoint can participate in a session.
SIP supports multiple address descriptions and addressing styles: SIP-URI (for example, SIP:
123456@172.18.24.11), Tel-URL (for example, Tel: +1312000), and SIPS-URI (SIPS:
123456@172.18.24.11). Therefore, a SIP caller can identify from the callee's address whether the
callee is attached to a PSTN network, and then initiate and set up the call to the callee through the
gateway connected to the PSTN.
Determining user capabilities: Determines the media type and media parameters of a called
endpoint. In a message exchange process, each SIP endpoint sends such information in messages
so that all other participants can learn about its capabilities.
Setting up a session, or session parameters, at both the callee and caller sides: The two parties
select the appropriate capabilities for session setup by negotiating the media type and media
parameters to be used.
Features
SIP delivers the following features:
Open standards. It can accommodate new functions, products, and services introduced by different
service providers.
Flexible configuration. It accommodates a wide range of dialup, wired, and wireless devices, allows
highly flexible configurations, and can work with other systems.
Support for remote users. With SIP, an enterprise network can extend to all its users, wherever they
are.
Quick launch. The system can be updated quickly to accommodate new branches and personnel,
and changes resulting from job rotation or relocation.
Easy to install and maintain. Nonprofessional individuals can install and maintain SIP systems.
SIP messages
SIP messages, which fall into SIP request messages and SIP response messages, are text-encoded.
RFC 3261 defines the following six request messages: INVITE, ACK, OPTIONS, BYE, CANCEL, and
REGISTER.
SIP response messages, used to respond to SIP requests, indicate the status of a call or registration,
succeeded or failed. Response messages are distinguished by status codes. Each status code is a 3-digit
integer, where the first digit defines the class of the response and the last two digits describe the
response in more detail.
Table 235 Status codes of response messages
Code      Class
100-199   Provisional
200-299   Success
300-399   Redirection
400-499   Client error
500-599   Server error
600-699   Global error
SIP fundamentals
Registration
In a complete SIP system, all SIP endpoints working as UAs should register with SIP registrars, providing
information such as location, session capabilities, and call policy.
Typically, a SIP UA sends its registrar a REGISTER request at startup or in response to an administrative
registration operation, carrying all the information that must be recorded. Upon receipt of the request,
the registrar sends back a response acknowledging the request, and a 200 OK (SUCCESS) message if
the registration is accepted. The following figure shows the message exchange.
645
Call setup
SIP operates in client/server mode and sets up calls through communication between UAs and a proxy
server.
Figure 668 Network diagram
In the previous figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP
endpoints (UAs).
The following is the procedure for connecting a call from Telephone A to Telephone B:
1. Telephone A dials the number of Telephone B, and Router A receives the call.
2. Upon receipt of the call, Router A sends a session request (INVITE) to the proxy server.
3. The proxy server consults its database for information corresponding to the number of Telephone
B. If such information is available, it forwards the request to Router B.
4. Router B, after receiving the request, responds to the proxy server and makes Telephone B ring if
Telephone B is available.
5. The proxy server forwards the response to Router A. The response discussed here comprises two
provisional responses (100 Trying and 180 Ringing) and one success response (200 OK).
This is a simplified scenario in which only one proxy server is involved and no registrar is present.
However, a complex scenario may involve multiple proxy servers and registrars.
Call redirection
When a SIP redirect server receives a session request, it sends back a response indicating the address of
the called SIP endpoint instead of forwarding the request. The calling and called endpoints therefore can
send request and response to each other directly. See Figure 670.
Figure 670 Call redirection (message sequence, image not reproduced): the calling user agent sends
INVITE to the redirect server; the redirect server answers 100 Trying and then 302 Moved Temporarily;
the user agent sends ACK to the redirect server and a new INVITE to the address carried in the 302;
the called side answers 100 Trying and 200 OK; the user agent sends ACK.
This is a common application. Fundamentally, a redirect server can respond with the address of a proxy
server as well. The subsequent call procedures are the same as the call procedures involving proxy
servers.
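The proxy and redirect flows above, and the status-code classes of Table 235, are exercised by the following added example, which is not the router's or any SIP stack's code. It builds and parses minimal SIP messages, drives the calling side of an INVITE (provisional responses are ignored, every final response is ACKed, a 3xx is followed to its Contact, a 2xx ends as established), and uses a constructed in-memory stand-in for the network; the URIs sip:2000@redirect.example and sip:2000@1.1.1.2 and the local address sip:1000@1.1.1.1 are assumptions chosen to mirror the figures.

```python
import itertools

STATUS_CLASSES = {1: "Provisional", 2: "Success", 3: "Redirection",
                  4: "Client error", 5: "Server error", 6: "Global error"}
_cseq = itertools.count(1)


def status_class(code):
    """Class of a 3-digit status code (Table 235): the first digit decides."""
    return STATUS_CLASSES[code // 100]


def build_request(method, uri, headers, body=""):
    lines = [f"{method} {uri} SIP/2.0"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines + [f"Content-Length: {len(body)}", "", body])


def build_response(code, reason, request, extra=()):
    """Responses copy Via, From, To, Call-ID and CSeq from the request (RFC 3261)."""
    copied = [(h, v) for h in ("Via", "From", "To", "Call-ID", "CSeq")
              for v in request["headers"].get(h.lower(), [])]
    lines = [f"SIP/2.0 {code} {reason}"] + [f"{k}: {v}" for k, v in copied + list(extra)]
    return "\r\n".join(lines + ["Content-Length: 0", "", ""])


def parse_message(text):
    """Parse a SIP request or response into a dict; header names are lower-cased."""
    head, _, body = text.partition("\r\n\r\n")
    first, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    parts = first.split(" ", 2)
    if parts[0] == "SIP/2.0":
        return {"type": "response", "code": int(parts[1]), "reason": parts[2],
                "headers": headers, "body": body}
    return {"type": "request", "method": parts[0], "uri": parts[1],
            "headers": headers, "body": body}


def place_call(target_uri, send, local="sip:1000@1.1.1.1", max_redirects=3):
    """UAC side of an INVITE. send(request_text) -> list of response texts stands in for
    the network. Returns (state, [status codes seen])."""
    uri, seen = target_uri, []
    for _ in range(max_redirects + 1):
        num = next(_cseq)
        common = [("Via", f"SIP/2.0/UDP 1.1.1.1:5060;branch=z9hG4bK-{num}"),
                  ("From", f"<{local}>;tag=a{num}"), ("To", f"<{uri}>"),
                  ("Call-ID", f"call{num}@1.1.1.1"), ("Max-Forwards", "70")]
        invite = build_request("INVITE", uri, common + [("CSeq", f"{num} INVITE")])
        final = None
        for resp in (parse_message(r) for r in send(invite)):
            seen.append(resp["code"])
            if status_class(resp["code"]) != "Provisional":   # 100/180: keep waiting
                final = resp
                break
        if final is None:
            return "failed", seen                              # no final response
        # ACK completes the INVITE transaction (for a 2xx it would go end-to-end; this
        # model sends it back the same way)
        send(build_request("ACK", uri, common + [("CSeq", f"{num} ACK")]))
        cls = status_class(final["code"])
        if cls == "Success":
            return "established", seen
        if cls != "Redirection" or not final["headers"].get("contact"):
            return "failed", seen                              # 4xx, 5xx, 6xx or bad 3xx
        uri = final["headers"]["contact"][0].strip("<>")       # retry toward the new address
    return "failed", seen                                      # too many redirects


def constructed_network(request_text):
    """Constructed stand-in for the servers in the figures (not a real SIP stack): a redirect
    server at redirect.example and the called gateway Router B at 1.1.1.2."""
    req = parse_message(request_text)
    if req["method"] == "ACK":
        return []
    if req["uri"] == "sip:2000@redirect.example":
        return [build_response(100, "Trying", req),
                build_response(302, "Moved Temporarily", req, [("Contact", "<sip:2000@1.1.1.2>")])]
    if req["uri"] == "sip:2000@1.1.1.2":
        return [build_response(100, "Trying", req), build_response(180, "Ringing", req),
                build_response(200, "OK", req)]
    return [build_response(404, "Not Found", req)]
```

Calling the redirect server yields the sequence 100, 302, 100, 180, 200 from the figure above; calling Router B directly yields 100, 180, 200, and an unknown number ends with a 404 client error.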
SIP can run over the following transport layer protocols:
UDP: UDP is a connectionless protocol and does not provide reliability. Therefore, SIP connections
established over UDP are unreliable.
TCP: Ensures transmission reliability for SIP messages. TCP provides connection-oriented and
reliable transmission for SIP-based VoIP communications. Using TCP, SIP need not handle packet
loss and retransmission itself.
Transport layer security (TLS): Ensures transmission security for SIP messages. For more information,
see Signaling encryption.
The three transport layer protocols have their own benefits, and you can select a protocol based on
your network environment. The system does not support transport layer protocol switchover during
communication.
SIP security
This section provides information on signaling encryption, media flow encryption, and TLS-SRTP
combinations.
648
Signaling encryption
TLS runs over TCP and provides a complete set of authentication and encryption mechanisms for
application layer protocols. When you establish a TLS connection, both sides must authenticate each
other by using their own digital certificates, and they can communicate with each other only after
passing authentication. SIP messages are encrypted during SIP over TLS transmission, which prevents
your data from being sniffed and increases the security of voice communications.
Field: Remarks
Tag: Required.
Crypto-Suite: Required.
Key Parameters: Required.
Session Parameters: Optional. Not supported at present.
When you use SRTP to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and
authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and
authenticates RTP/RTCP packets. For more information about the encryption engine, see Security
Configuration Guide in H3C MSR Series Routers Configuration Guides (V5).
SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about SIP trunk,
see "Configuring SIP trunk."
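As an added example (not H3C code), the following Python parses the four fields listed in the table above from the SDP a=crypto lines that an SRTP offer carries, rejects offers that use session parameters (marked as not supported) or carry a malformed inline key, and returns None where the page says negotiation fails and RTP is used instead. The crypto suite names and key lengths come from RFC 4568, and the sample offer and test key are constructed; none of them are from this guide.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Master key || salt length per crypto suite (RFC 4568: AES_CM_128 uses a 16-byte key and a
# 14-byte salt, 30 bytes in all). Assumed suite set; the guide does not list suites.
SUITE_KEY_SALT_BYTES = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
}

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>...]
CRYPTO_LINE_RE = re.compile(r"a=crypto:(\d{1,9})\s+(\S+)\s+(\S+)((?:\s+\S+)*)\s*")


class CryptoParseError(ValueError):
    pass


@dataclass
class CryptoAttribute:
    tag: int
    crypto_suite: str
    key_params: List[str]
    session_params: List[str] = field(default_factory=list)


def parse_crypto_attribute(line: str) -> CryptoAttribute:
    """Split one a=crypto SDP line into Tag, Crypto-Suite, Key Parameters and Session Parameters."""
    m = CRYPTO_LINE_RE.fullmatch(line)
    if not m:
        raise CryptoParseError(f"malformed crypto attribute: {line!r}")
    suite = m.group(2)
    if suite not in SUITE_KEY_SALT_BYTES:
        raise CryptoParseError(f"unsupported crypto suite {suite}")
    return CryptoAttribute(int(m.group(1)), suite, m.group(3).split(";"), m.group(4).split())


def check_inline_key(key_param: str, suite: str) -> bytes:
    """Validate an inline key parameter ('inline:' base64 key||salt [|lifetime] [|MKI:length])
    and return the decoded master key and salt."""
    if not key_param.startswith("inline:"):
        raise CryptoParseError("only the inline key method is handled here")
    fields = key_param[len("inline:"):].split("|")
    try:
        key_salt = base64.b64decode(fields[0], validate=True)
    except ValueError as exc:
        raise CryptoParseError(f"bad base64 key: {exc}") from exc
    expected = SUITE_KEY_SALT_BYTES[suite]
    if len(key_salt) != expected:
        raise CryptoParseError(f"{suite} needs {expected} key||salt bytes, got {len(key_salt)}")
    return key_salt


def select_crypto(offer_lines: List[str]) -> Tuple[Optional[CryptoAttribute], List[Tuple[str, str]]]:
    """Walk the offered crypto lines in order and return the first acceptable one together with
    the reasons the earlier ones were rejected. None means SRTP negotiation failed."""
    rejected: List[Tuple[str, str]] = []
    for line in offer_lines:
        if not line.startswith("a=crypto:"):
            continue                          # other SDP lines are not examined here
        try:
            attr = parse_crypto_attribute(line)
            if attr.session_params:
                # Session parameters are optional in SDP but not supported per the table above.
                raise CryptoParseError("session parameters are not supported")
            check_inline_key(attr.key_params[0], attr.crypto_suite)
        except CryptoParseError as exc:
            rejected.append((line, str(exc)))
            continue
        return attr, rejected
    return None, rejected


# Constructed sample offer with a 30-byte test key (a fixed key must never be used in real signaling).
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = [
    "m=audio 16384 RTP/SAVP 0 8",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20|1:4 KDR=1",  # has a session param
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{SAMPLE_KEY}|2^20",
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY[:-4]}",            # key too short
]
```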
TLS-SRTP combinations
TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them
separately or together. The following table shows the four combinations of TLS and SRTP.
Table 237 TLS-SRTP combinations
TLS / SRTP / Description
Signaling packets are secured. Personal information is protected.
On / On
Off / On
On / Off
Off / Off
Strict SIP routing is supported. In a complex network environment where a request from a SIP UAC to a
SIP UAS must pass through multiple proxy servers, SIP uses the Route header field and the Record-Route
header field to make sure that requests in the dialog are routed through these proxy servers.
The UPDATE method defined in RFC 3311 is supported. It is mainly used to update session parameters
before the session is established, such as switching codecs, switching the voice to the media server,
and muting, and has no impact on normal call procedures.
Main Registrar Transport Layer Protocol:
UDP: Apply the UDP transport layer protocol when the device registers with the main registrar.
TCP: Apply the TCP transport layer protocol when the device registers with the main registrar.
TLS: Apply the TLS transport layer protocol when the device registers with the main registrar.
Main Registrar URL Scheme:
SIP: Apply the SIP scheme as the URL scheme when the device registers with the main registrar.
SIPS: Apply the SIPS scheme as the URL scheme when the device registers with the main registrar.
Backup Registrar Transport Layer Protocol:
UDP: Apply the UDP transport layer protocol when the device registers with the backup registrar.
TCP: Apply the TCP transport layer protocol when the device registers with the backup registrar.
TLS: Apply the TLS transport layer protocol when the device registers with the backup registrar.
Backup Registrar URL Scheme:
SIP: Apply the SIP scheme as the URL scheme when the device registers with the backup registrar.
SIPS: Apply the SIPS scheme as the URL scheme when the device registers with the backup registrar.
Username
Password
Authentication Information Field for Handshake Authentication: Specify the domain name used for
handshake authentication between the registrar and the SIP UA.
Select a server group from the list as the proxy server. You can add a server group on the page that is
accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the
navigation tree.
Transport Layer Protocol:
UDP: Apply the UDP transport layer protocol when the device initiates a call.
TCP: Apply the TCP transport layer protocol when the device initiates a call.
TLS: Apply the TLS transport layer protocol when the device initiates a call.
By default, UDP is applied.
URL Scheme
Static IPv4 address binding: The source IP address specified for SIP calls is the bound IP address.
Source address interface binding: In a large network, an interface obtains its IP address from a DHCP
or PPPoE server. In this scenario, you can configure an interface as the source of SIP signaling and
media streams to avoid manual IP address configuration and simplify network management.
Source IP address binding is supported on Layer 3 Ethernet interfaces, GigabitEthernet interfaces, and
dialer interfaces.
For information about DHCP, see Layer 3 - IP Services Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).
Configure the media stream binding mode or disable media stream binding.
If you select IPv4 Address Binding as the media stream binding mode, you must enter the IPv4 address
to be bound in this field.
If you select Interface Binding as the media stream binding mode, you must specify the interface to be
bound from the list. Only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are supported.
Configure the signaling stream binding mode or disable signaling stream binding.
If you select IPv4 Address Binding as the signaling stream binding mode, you must enter the IPv4
address to be bound in this field.
If you select Interface Binding as the signaling stream binding mode, you must specify the interface to
be bound from the list. Only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are
supported.
Table 241 Application of the source address binding settings in different states
Settings made when / Result
For SIP media streams, the source IP address binding settings does
The source IP address binding settings do not take effect, and the original sending mode of the
signaling streams or media streams is restored. After the interface comes up, the source IP address
binding settings take effect immediately.
Cancels the source IP address binding settings. They are restored the next time the interface is
connected.
The source IP address binding settings never take effect, and the gateway automatically obtains an IP
address to send packets.
SIP listening transport layer protocol:
UDP: Specify UDP as the transport layer protocol for incoming SIP calls and enable UDP listening port
5060.
TCP: Specify TCP as the transport layer protocol for incoming SIP calls and enable TCP listening port
5060.
TLS: Specify TLS as the transport layer protocol for incoming SIP calls and enable TLS listening port
5061. If you select this option, you must select a certificate from the Certificate list.
By default, both the UDP and TCP listening ports are enabled, and the TLS listening port is disabled.
Configure this item in either of the following scenarios:
If the device is the call receiver, you must enable the listening port of the transport layer protocol
used by the incoming calls.
If TCP or TLS is selected as the transport layer protocol when the device initiates a call, you must
also specify it as the SIP listening transport layer protocol in this item. Otherwise, no register
request can be initiated.
Resetting this item deletes the currently established connections.
RTP: Specify the Real-time Transport Protocol (RTP) as the media flow protocol for SIP calls.
SRTP: Specify the Secure Real-time Transport Protocol (SRTP) as the media flow protocol for SIP calls.
When both RTP and SRTP are specified as the media flow protocols for SIP calls:
If the device is the call initiator, both media flow protocols are carried in the INVITE message for
the receiver to select from.
If the device is the call receiver, SRTP is tried first for media flow negotiation. If the negotiation
fails, RTP is used.
The Privacy header field indicates whether caller identity presentation is enabled, and the
P-Asserted-Identity header field contains the caller's number.
The default setting is None, that is, caller identity presentation is enabled.
When the P-Preferred-Identity or P-Asserted-Identity header field is added, the Privacy header field is
also added. When the Privacy header field is set to none, caller identity presentation is allowed.
When the Privacy header field is set to id, caller identity presentation is restricted.
Remote-Party-ID header field: privacy=off indicates caller identity presentation and privacy=full
indicates caller identity screening. The calling information can be transparently transmitted by
adding the Remote-Party-ID header field.
The Remote-Party-ID header field can be used together with the P-Preferred-Identity header field or
the P-Asserted-Identity header field. In that case, the Remote-Party-ID header field takes precedence
over the P-Preferred-Identity or P-Asserted-Identity header field.
Session-Expires: Conveys the maximum session duration. If no refresh request is received during this
time, the session is considered ended.
Min-SE: Conveys the minimum session duration, which is used to prevent frequent refresh requests from
occupying network bandwidth.
Session Expiration
Enable: Enable SIP session refresh.
Disable: Disable SIP session refresh.
You can configure Session Expiration and Min Session Refresh Interval only after the SIP session
refresh function is enabled.
Session Expiration and Min Session Refresh Interval: Maximum and minimum session durations of SIP
sessions.
By default,
The periodic refresh of SIP sessions is not enabled automatically. That is, if periodic refresh of SIP
sessions is disabled on the called party but enabled on the calling party, the called party enables
periodic refresh of SIP sessions after negotiation.
Configuring compatibility
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the compatibility configuration page as shown in Figure 678.
The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices,
you must configure the SIP compatibility options.
Use the address in the To header field as the address in the From header field:
Enable: Configure the device to use the address (IP address or DNS domain name) in the To header field
as the address in the From header field when sending a SIP request.
Disable: Do not use the address in the To header field as the address in the From header field. That
is, the From header field contains the source address and the To header field contains the destination
address.
header field.
When the device initiates a fax pass-through operation, the a=X-fax field is carried in the re-INVITE
request. When the device initiates a modem pass-through operation, the a=X-modem field is carried in
the re-INVITE request.
Compatible with T.38 fax: the device can recognize T.38-specific description
Select Voice Management > Call Connection > SIP Connection from the navigation tree.
Address hiding
The address hiding function enables the SIP trunk device to replace the endpoints' addresses carried in
SIP messages with the addresses of the corresponding egress interfaces.
Select Voice Management > Call Connection > SIP Connection from the navigation tree.
Specify the proxy server used for outbound calls as described in Table 248.
Address
Port
Re-registration Interval: Set the interval at which the local number or SIP trunk account re-registers
with the registrar after a registration failure.
Registration Expiration Time: Set the registration expiration time. A local number or SIP trunk account
expires after it has been registered with the registrar for the specified period, which is the
registration expiration interval.
Registration Percentage: When the time is reached, the local number or SIP trunk account re-registers
with the registrar.
Time is the registration expiration interval minus the lead time before expiration. When the time is
reached, the local number or SIP trunk account re-registers with the registrar.
You can configure both timers. In this case, the actual re-registration time is decided by the timer
that expires first. In other words, the local number or SIP trunk account tries to re-register with the
registrar when either of the two timers expires.
Redundancy Mode:
Parking: The SIP trunk device sends OPTIONS or REGISTER messages to the current server. When the
current server becomes unavailable, the SIP trunk device selects the member server with the second
highest priority in the SIP server group as the current server, and keeps using it even if the original
current server recovers. Before the parking mode is applied, you must set OPTIONS or REGISTER as the
keep-alive mode on the page that is accessed by selecting Voice Management > Call Connection > SIP
Server Group Management from the navigation tree.
Homing: The SIP trunk device sends OPTIONS messages to both the current server and the member server
with the second highest priority in the SIP server group. When the current server becomes unavailable,
the SIP trunk device selects the member server with the second highest priority as the current server.
Once the original current server recovers, or a server with a higher priority than the current server
becomes available in the SIP server group, the SIP trunk device selects the original current server or
the server with the highest priority as the current server. Before the homing mode is applied, you must
set OPTIONS as the keep-alive mode on the page that is accessed by selecting Voice Management > Call
Connection > SIP Server Group Management from the navigation tree.
contain the dt parameter. This option is used when the device communicates with a VCX device.
By default, the Contact header fields of the REGISTER messages do not contain the dt parameter.
Fuzzy telephone number registration refers to the use of a wildcard (including the dot . and the
character T), rather than a standard E.164 number, in the match template of a POTS entity.
After fuzzy telephone number registration is enabled, the voice gateway (router) retains dots and
substitutes asterisks (*) for Ts when sending REGISTER messages.
UDP: Specify UDP as the transport layer protocol to be used during the subscription.
subscription.
Server Address: Specify the voice mailbox server address, which can be either an IP address or a domain
name.
Port Number
Re-subscription Time
Binding Mode
Binding Mode: The MWI function is bound to the voice mailbox, and the voice mailbox server has set up
subscription information for the UA. Therefore, the UA can receive NOTIFY messages without sending
SUBSCRIBE requests to the voice mailbox server.
Generally, the voice gateway sends a SUBSCRIBE to the server, receives a NOTIFY from the server if the
subscription succeeds, and then obtains the status of the voice mailbox.
TCP Connection Aging Time: Set the aging time for TCP connections. If the idle time of an established
TCP connection reaches the specified aging time, the connection is closed.
TLS Connection Aging Time: Set the aging time for TLS connections. If the idle time of an established
TLS connection reaches the specified aging time, the connection is closed.
You can enter the SIP status code in the corresponding SIP Status Code (400-699) field. Because PSTN
release cause code 16 corresponds to a SIP request message rather than a SIP status code, you can
configure no SIP status code for 16.
Click Load Default Value to restore the default mappings between PSTN release cause codes and SIP
status codes.
You can select the values in the PSTN Release Cause Code fields. You can also click Load Default Value
to restore the default mappings between PSTN release cause codes and SIP status codes.
Configuration procedure
1. Configure basic voice calls: configure a local number and the call route to Router B.
Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind the
number to line 1/0 on the local number configuration page.
Configure the call route to Router B: specify the call route ID as 2222, the destination number as
2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as
192.168.2.2 on the call route configuration page.
2. Click Apply.
Configuration procedure
1. Configure basic voice calls. See "Configure basic voice calls: configure a local number and the
call route to Router B."
Configuration procedure
1. Configure basic voice calls. See "Configure basic voice calls: configure a local number and the
call route to Router B."
2.
# Specify TCP as the transport layer protocol for incoming SIP calls. This is optional, because the
TCP listening port is enabled by default.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the transport layer protocol configuration page as shown in Figure 693.
Configuration procedure
The certification authority (CA) server runs RSA Keon in this configuration example.
CAUTION:
To make sure the certificate on the device can be used, be sure that the device system time falls
within the validity period of the certificate.
2. Configure basic voice calls. See "Configure basic voice calls: configure a local number and the
call route to Router B."
3.
# Specify TLS as the transport layer protocol for incoming SIP calls.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the transport layer protocol configuration page as shown in Figure 696.
Figure 696 Specifying listening transport layer protocol
Specify the transport layer protocol on Router B. The configuration procedure is the same as that on
Router A.
1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
2. Click Add.
The page for configuring a server group appears.
3.
Server Group ID: Specify the name of the SIP server group, which identifies the group. The domain name
of the carrier server is usually used as the name of a SIP server group. If the name of a SIP server
group is not configured, the host name specified on the account management page (accessed by selecting
Voice Management > SIP Trunk Management > Account Management from the navigation tree) is used to
identify the group, if any. Otherwise, the IP address or domain name of the current server in the SIP
server group is used to identify the group.
For more configuration examples of SIP server groups, see "Configuring SIP trunk."
1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
2. Click Add.
The page for configuring a server group appears.
3.
Real-Time Switching: Enable or disable the real-time switching function. When the real-time switching
function is enabled:
If the SIP trunk device receives response message 408 or 5XX (excluding 502, 504, 505, and 513) after
sending a registration request to the SIP server, it tries to connect to the member server with the
second highest priority in the SIP server group, and so on, until it successfully connects to a SIP
server or has tried all the servers in the group.
If the SIP trunk device receives response message 403, 408 or 5XX (excluding 502, 504, 505, and 513)
after initiating a call, it tries to connect to the member server with the second highest priority in
the SIP server group, and so on, until it successfully connects to a SIP server or has tried all the
servers in the group.
1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
2. Click Add.
The page for configuring a server group appears.
3.
The keep-alive function is used to detect whether the SIP servers in a SIP server group are reachable.
The SIP trunk device selects a server according to the detection result and the redundancy mode. If the
keep-alive function is disabled, the SIP trunk device always uses the server with the highest priority
in the SIP server group.
Keep-Alive Mode:
Register: The REGISTER message can be used to detect the SIP servers. If the SIP trunk device receives
response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP server after sending a
REGISTER message, it considers the SIP server unreachable.
Interval for Sending OPTIONS Messages: Set the interval for sending OPTIONS messages to the SIP servers
when the keep-alive mode is set to Options.
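As an added Python example (not H3C code), the following models the real-time switching and keep-alive rules above together with the parking and homing modes described under Redundancy Mode: the status-code test, the priority order by server ID, and which member becomes the current server after a failure, a recovery, or a failed request. The member addresses other than 10.1.1.2, the wrap-around order when every lower-priority member fails, and the constructed response map are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# 5XX codes the page excludes from the switch / unreachable rules.
SWITCH_EXCLUDED_5XX = {502, 504, 505, 513}


def triggers_switch(status: int, on_call: bool) -> bool:
    """Real-time switching rule: 408 or 5XX (excluding 502, 504, 505 and 513) after a
    registration request; 403 additionally counts after initiating a call."""
    if status == 408 or (500 <= status <= 599 and status not in SWITCH_EXCLUDED_5XX):
        return True
    return on_call and status == 403


def keepalive_unreachable(status: int) -> bool:
    """REGISTER keep-alive rule: the same codes as for registration mark a server unreachable."""
    return triggers_switch(status, on_call=False)


@dataclass
class Member:
    server_id: int          # smaller ID = higher priority
    address: str
    reachable: bool = True  # result of the last keep-alive probe


class ServerGroup:
    def __init__(self, members: List[Member], keepalive: bool = True):
        if not 1 <= len(members) <= 5:
            raise ValueError("a SIP server group holds 1 to 5 member servers")
        self.members = sorted(members, key=lambda m: m.server_id)
        self.keepalive = keepalive
        self.current = self.members[0]  # the highest-priority server to start with

    def _reachable(self) -> List[Member]:
        return [m for m in self.members if m.reachable]

    def select(self, mode: str) -> Member:
        """Apply the redundancy mode after a keep-alive round and return the current server."""
        reachable = self._reachable()
        if not self.keepalive:
            # With keep-alive disabled the highest-priority server is always used.
            self.current = self.members[0]
        elif not reachable:
            pass  # nothing better to switch to; keep the current server
        elif mode == "homing":
            # Homing: a recovered original or any higher-priority server takes over again,
            # so the highest-priority reachable member wins.
            self.current = reachable[0]
        elif mode == "parking":
            # Parking: stay on the current server while it answers; when it fails, step down
            # to the next reachable member and stay there even after the original recovers.
            if not self.current.reachable:
                lower = [m for m in reachable if m.server_id > self.current.server_id]
                self.current = (lower or reachable)[0]  # assumption: wrap to any reachable
        else:
            raise ValueError(f"unknown redundancy mode {mode!r}")
        return self.current

    def realtime_switch(self, responses: Dict[int, int], on_call: bool) -> Optional[Member]:
        """Starting at the current server, try members in priority order until one answers
        without a switch-triggering code, or return None after all have been tried.
        `responses` is a constructed map server_id -> status code standing in for real replies."""
        start = self.members.index(self.current)
        order = self.members[start:] + self.members[:start]  # wrap-around is an assumption
        for member in order:
            status = responses.get(member.server_id, 408)  # no answer is treated as a timeout
            if not triggers_switch(status, on_call):
                self.current = member
                return member
        return None
```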
1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
2. Click Add.
The page for configuring a server group appears.
3.
Configure the source address binding mode for media streams.
If you select IPv4 Address Binding as the media stream binding mode, you must enter the IPv4 address
to be bound in this field.
If you select Interface Binding as the media stream binding mode, you must specify the interface to be
bound from the list. Only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are supported.
Configure the source address binding mode for signaling streams.
If you select IPv4 Address Binding as the signaling stream binding mode, you must enter the IPv4
address to be bound in this field.
If you select Interface Binding as the signaling stream binding mode, you must specify the interface to
be bound from the list. Only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are
supported.
The following table describes how source address binding works under different conditions:
Condition / Result
A new source address binding for media does not take effect
The source IP address binding becomes invalid and does not work until the interface comes up. During
the shutdown period, the gateway automatically obtains a source IP address for sent signaling or media
flows.
The source address binding does not take effect, and the gateway automatically obtains a source IP
address for packets.
1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
2. Click Add.
3.
4. Click Apply.
Server ID: Set the server ID. A SIP server group can be configured with up to five member servers. A
server ID represents the priority of the server in the SIP server group. The smaller the ID, the higher
the priority.
Transport Layer Protocol:
UDP: Specify UDP as the transport layer protocol for the connections between the SIP trunk device and
the SIP server.
TCP: Specify TCP as the transport layer protocol for the connections between the SIP trunk device and
the SIP server.
TLS: Specify TLS as the transport layer protocol for the connections between the SIP trunk device and
the SIP server.
Server Address
Port Number
With the development of IP technology, many enterprises deploy SIP-based IP-PBX networks as shown
in Figure 703. Internal calls of the enterprise are made by using the SIP protocol, and external calls are
still placed over a PSTN trunk. The problem is that the enterprises have to maintain both the SIP network
and PSTN trunk. This increases the difficulty of network management.
Figure 703 SIP+PSTN network
As more enterprise IP-PBX networks run SIP and more Internet Telephone Service Providers (ITSPs) use SIP
to provide basic voice communication infrastructure, enterprises urgently need a technology that uses
SIP to connect the enterprise IP-PBX network to the ITSP, so that the network can be entirely IP-based.
This technology is called SIP trunk. A typical SIP trunk network is shown in Figure 704.
The SIP trunk function can be embedded into the voice gateway or the firewall deployed at the edge of
an enterprise private network. The device providing the SIP trunk function is called the SIP trunk device,
or the SIP trunk gateway.
Figure 704 SIP trunk network (enterprise IP-PBX, SIP trunk router, and SIP servers)
Features
SIP trunk has the following features:
1. Only one secure, QoS-guaranteed SIP trunk link is required between a SIP trunk device and the ITSP.
The SIP trunk link can carry multiple concurrent calls, and the carrier authenticates only the link
instead of each SIP call carried on it.
2. The internal calls of the enterprise are placed by the enterprise IP-PBX. The outbound calls of the
enterprise are forwarded by the SIP trunk device to the ITSP, and are finally routed to the PSTN by the
device in the ITSP. Enterprises do not need to maintain a PSTN trunk and therefore save hardware and
maintenance costs.
3. By setting destination addresses, the enterprise can choose to connect to multiple ITSPs, make full
use of ITSPs all over the world, and save call costs.
4. With the SIP trunk device deployed, the entire network can use the SIP protocol to better support IP
communication services such as voice, conferencing, and instant messaging.
5. A SIP trunk device differs from a SIP proxy server. After receiving a call request from the user, the
SIP trunk device initiates a new call request to the ITSP on behalf of the user, and both the user and
the ITSP communicate only with the SIP trunk device. During the forwarding process, the SIP trunk device
forwards both signaling messages and RTP media messages.
Typical applications
The SIP trunk device is deployed between the enterprise IP-PBX and the ITSP. All internal calls are
placed by the enterprise IP-PBX. All outbound calls are forwarded by the SIP trunk device to the ITSP
through the SIP trunk link. Figure 705 shows a typical SIP trunk network.
RFC 3261
RFC 3515
Enable the SIP trunk function before you use other SIP trunk functions. H3C recommends that you do not
use a device with the SIP trunk function enabled as a SIP UA.
Enable.
Disable.
By default, the SIP trunk function is disabled.
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree. On
the server group configuration page that appears, configure the real-time switching and keep-alive
functions.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab, where you can specify the redundancy mode.
For more information about how to configure a SIP server group, real-time switching, and the keep-alive
function, see "Managing SIP server groups."
For more information about how to configure the redundancy function, see "Configuring SIP
connections."
Account ID
SIP Server Group for Registration: Select the SIP server group used by the SIP trunk account for
registration. SIP server groups can be configured in Voice Management > Call Connection > SIP Server
Group Management. By default, a SIP trunk account has no SIP server group specified for registration.
Registration Aging Time: Set the registration aging time. If you do not configure this item, the system
uses the registration aging time configured in Voice Management > Call Connection > SIP Connection.
Host Username: Enter the host username allocated by the ITSP to the SIP trunk account.
Host Name: Enter the host name allocated by the ITSP to the SIP trunk account.
Account Status: Enable. Disable.
Registration Function: Enable. Disable.
Authentication Username
Authentication Password
To perform registration, you must provide the host username or associate the account with a SIP server
group.
Call Route ID
Destination Number
Bound Account
Use a SIP proxy server to complete the call. If you select this option, you must configure the proxy
server beforehand in Voice Management > Call Connection > SIP Connection.
Transport Layer Protocol: Select one of the following transport layer protocols: UDP, TCP, or TLS. By
default, UDP is selected.
IP Routing
SIP URL Scheme
Destination Address
Port Number
Bind to server group.
Server Group: Select a server group. You can create a SIP server group in Voice Management > Call
Connection > SIP Server Management.
Status: Enable. Disable.
You can control call route selection by configuring the prefix of the source host name, the prefix of
the destination host name, or the source IP address as call match rules. If you select several call
match rules, only the calls that match all rules are permitted.
Specify the prefix of a source host name as a call match rule. The specified source host name prefix is
matched against the source host names of calls. If the INVITE message received by the SIP trunk device
carries the Remote-Party-ID header field, the source host name is extracted from this header field. If
the INVITE message carries the Privacy header field, the source host name is extracted from the
P-Asserted-Identity or P-Preferred-Identity header field. If the INVITE message carries none of the
three header fields, the host name in the From header field is used as the source host name.
The prefix of a source host name consists of 1 to 31 characters, which are not case-sensitive and can
include letters, digits, underscores (_), hyphens (-), asterisks (*), and dots (.). An asterisk
represents a character string of any length; for example, t*m matches the source host names tom, tim,
and so on.
Match a Destination Host Name Prefix: Specify the prefix of a destination host name as a call match
rule. The specified destination host name prefix is matched against the destination host names of
calls. The host name in the To header field of an INVITE message received by the SIP trunk device is
used as the destination host name.
Match a Source Address:
IPv4 address.
DNS.
Server Group.
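As an added Python example (not H3C code), the following applies the match rules above to a constructed INVITE: it takes the source host name from Remote-Party-ID, otherwise from P-Asserted-Identity or P-Preferred-Identity when a Privacy header is present, otherwise from From; matches a 1 to 31 character prefix with * as a wildcard of any length; and permits the call only when every configured rule matches. The header parser, the rule key names and the sample hosts and addresses are assumptions.

```python
import re
from typing import Dict, List, Optional

# Prefix rule from the page: 1 to 31 characters drawn from letters, digits, _, -, * and .
PREFIX_RE = re.compile(r"[A-Za-z0-9_\-*.]{1,31}")
# Host part of a SIP or SIPS URI inside a header value (user part optional).
URI_HOST_RE = re.compile(r"sips?:(?:[^@>\s]*@)?([^:;>\s]+)")


def parse_headers(message: str) -> Dict[str, List[str]]:
    """Minimal SIP header parser: lower-cased name -> values (no folding, no compact forms)."""
    headers: Dict[str, List[str]] = {}
    for line in message.split("\r\n")[1:]:   # skip the request line
        if not line:                          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def host_of(header_value: str) -> Optional[str]:
    """Host name of the URI in a value such as '"Tom" <sip:2000@tom.example>;tag=a1'."""
    m = URI_HOST_RE.search(header_value)
    return m.group(1) if m else None


def source_host_name(headers: Dict[str, List[str]]) -> Optional[str]:
    """Source host in the order the page gives: Remote-Party-ID; then, when Privacy is present,
    P-Asserted-Identity or P-Preferred-Identity; otherwise From."""
    if "remote-party-id" in headers:
        return host_of(headers["remote-party-id"][0])
    if "privacy" in headers:
        for name in ("p-asserted-identity", "p-preferred-identity"):
            if name in headers:
                return host_of(headers[name][0])
    return host_of(headers["from"][0]) if "from" in headers else None


def destination_host_name(headers: Dict[str, List[str]]) -> Optional[str]:
    """The page uses the host name in the To header field as the destination host name."""
    return host_of(headers["to"][0]) if "to" in headers else None


def prefix_matches(prefix: str, host: str) -> bool:
    """True when the host name starts with the prefix; '*' matches any run of characters."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid host name prefix {prefix!r}")
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in prefix)
    return re.match(pattern, host, re.IGNORECASE) is not None


def call_permitted(invite: str, source_ip: str, rules: Dict[str, str]) -> bool:
    """Apply the configured rules; the call passes only when it matches all of them.
    Recognised keys (constructed names): source_prefix, dest_prefix, source_ip."""
    headers = parse_headers(invite)
    checks: List[bool] = []
    if "source_prefix" in rules:
        host = source_host_name(headers)
        checks.append(host is not None and prefix_matches(rules["source_prefix"], host))
    if "dest_prefix" in rules:
        host = destination_host_name(headers)
        checks.append(host is not None and prefix_matches(rules["dest_prefix"], host))
    if "source_ip" in rules:
        checks.append(source_ip == rules["source_ip"])
    return all(checks)


# Constructed INVITE: no Remote-Party-ID, but Privacy is present, so the source host comes
# from P-Asserted-Identity rather than From.
SAMPLE_INVITE = (
    "INVITE sip:1000@itsp.example SIP/2.0\r\n"
    "From: <sip:2000@tom.example>;tag=a1\r\n"
    "To: <sip:1000@itsp.example>\r\n"
    "Privacy: id\r\n"
    "P-Asserted-Identity: <sip:2000@tim.example>\r\n"
    "Call-ID: c1@tom.example\r\n"
    "\r\n"
)
```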
1. Select Voice Management > Call Route from the navigation tree.
2. Click the
3.
Codec Transparent: If the SIP trunk device does not support the codec capability sets supported by the
calling and called parties, you can select the Enable option to enable codec transparent transfer on
the SIP trunk device. The SIP trunk device transparently transfers codec capability sets between the
two parties, and the calling and called parties complete the codec negotiation. By default, the
Disable option is selected.
Codec Transcoding: In the scenario where the SIP trunk device controls the results of media capability
negotiation, if the SIP trunk device cannot find a common codec for the two parties during negotiation,
the two parties fail to establish a call. In this case, you can select the Enable option to enable codec
transcoding on the SIP trunk device. With this function enabled, the SIP trunk device uses its own codec
capability set to negotiate with the calling and called parties respectively. If the negotiated codecs
with the two parties do not match, the SIP trunk device transcodes the media flows passing through it.
By default, the Disable option is selected.
IMPORTANT:
The codec transcoding feature does not take effect in any of the following cases:
Relay: Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets.
1. Select Voice Management > Call Route from the navigation tree.
2. Click the
3.
Remote process: The SIP trunk device transparently transfers the
Call-forwarding Signal
Mid-call Signal
the calling party, and the called party also supports this mechanism, you can select this option to
enable the called party to process the session update information. Otherwise, the session timer
mechanism only works between the calling party and the SIP trunk device. The interval for sending
session update requests is negotiated by the endpoints. For more information, see RFC 4028.
Configuring Router A
# Configure a local call number.
1.
Select Voice Management > Local Number from the navigation tree and click Add.
689
2.
3.
4.
5.
Click Apply.
Select Voice Management > Call Route from the navigation tree and click Add.
7.
8.
9.
10.
11.
Click Apply.
Select Voice Management > SIP Trunk Management > Service Configuration from the navigation
tree.
2.
3.
Click Apply.
# Create SIP server group 1. Add a SIP server into the server group: the ID and the IPv4 address of the
server are 1 and 10.1.1.2 respectively.
4. Select Voice Management > Call Connection > SIP Server Group Management from the
navigation tree and click Add.
9. Click Apply.
# Create SIP trunk account 1 with the host username 2000, and associate the account with SIP server
group 1.
10. Select Voice Management > SIP Trunk Management > Account Management from the navigation
tree, and click Add.
12. Select server-group-1 from the SIP Server Group for Registration list.
15. Click Apply.
# Configure the call route for the outbound calls from private network user 2000 to public network user
1000 by binding SIP server group 1 to the VoIP voice entity.
16. Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and
click Add.
Figure 718 Configuring a call route for the SIP trunk account
22. Click Apply.
# Configure the call route for the inbound calls from public network user 1000 to private network user
2000. Configure the IP address of the peer end as 1.1.1.1, which is the address of the interface on Router
A.
23. Select Voice Management > Call Route from the navigation tree and click Add.
28. Click Apply.
Configuring Router B
# Configure a local call number.
1. Select Voice Management > Local Number from the navigation tree and click Add.
5. Click Apply.
Select Voice Management > Call Route from the navigation tree and click Add.
11. Click Apply.
# Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar.
12. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click
the Connection Properties tab.
15. Click Apply.
2. All calls between the private network and public network are made through the SIP trunk device.
On the SIP trunk device, you can see in Voice Management > States and Statistics > Call Statistics
that all calls between the private network and public network are made through the SIP trunk
device.
3. On the SIP server of the carrier, you can view only the interface address of the SIP trunk device,
which means that the SIP trunk device hides the addresses of the enterprise private network
users from the carrier.
[Network diagram: user 2000 on Router A, IP network, SIP trunk device (2.1.1.2/24), user 1000 on Router B, SIP server (10.1.1.2/24)]
Configuration procedure
# Enable the SIP trunk function. (Details not shown.)
# Create SIP server group 1. Add two SIP servers into the server group: the IP addresses are 10.1.1.2 and
10.1.1.3, and the server with the address 10.1.1.2 has a higher priority value. Enable the real-time
switching function of SIP server group 1. Set the keep-alive mode for SIP server group 1 to Options.
1. Select Voice Management > Call Connection > SIP Server Group Management from the
navigation tree and click Add.
11. Click Apply.
# Set the redundancy mode for SIP server group 1 to parking. (Optional. The redundancy mode for a SIP
server group is parking by default.)
12. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click
the Advanced Settings tab.
14. Click Apply.
Other configurations on the SIP trunk device and on other devices are the same as those described in
"Configuring Router A," "Configuring the SIP trunk device," and "Configuring Router B."
When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes
over communications between the private network and the public network. After that, the
communications recover.
2. When the SIP server with IP address 10.1.1.2 recovers, it does not take over call processing and
the SIP server with IP address 10.1.1.3 keeps working.
Users connected to Router A2 are not allowed to call public network users.
All calls between the private network and public network are made through the SIP trunk device.
Configuration procedure
# Configurations on the SIP trunk device and on other devices are the same as those described in
"Configuring Router A," "Configuring the SIP trunk device," and "Configuring Router B."
# Configure Router A2: Configure a local number 2001 and a call route to Router B. For the
configuration procedure, see "Configuring Router A."
# Configure Router B: Configure a call route to Router A2. For the configuration procedure, see "Configuring
Router B."
# Configure the SIP trunk device: Select Voice Management > Call Route from the navigation tree and
click Add to configure the call route for calls from the number 1000 to 2001. Enter 3.3.3.1 (the IP
address of the interface on Router A2) as the Destination Number.
# Configure call match rules on the SIP trunk device: specify that calls with source IP address 1.1.1.1 are
permitted.
1. Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and
click the icon of the call route to be configured to access the advanced settings configuration
page.
4. Click Apply.
Private network users connected to Router A1 can call public network users, but private network
users connected to Router A2 cannot call public network users.
Overview
Introduction to E1 and T1
Plesiochronous digital hierarchy (PDH) includes two major communications systems: the ITU-T E1 system and
the ANSI T1 system. The E1 system is dominant in European and some non-European countries. The T1 system
is dominant in the USA, Canada and Japan.
E1 and T1 use the same sampling frequency (8 kHz), PCM frame length (125 μs), bits per code word (8 bits)
and timeslot bit rate (64 kbps). They differ in these aspects:
Each PCM primary frame of E1 contains 32 timeslots but that of T1 contains 24 timeslots. Each
PCM primary frame of E1 contains 256 bits but that of T1 contains 193 bits. Therefore, E1 provides
2.048 Mbps bandwidth and T1 provides 1.544 Mbps bandwidth.
E1/T1 voice transmission allows a router to provide more channels of voice communication, greatly
improving router utilization and broadening the service range.
E1 and T1 interfaces
E1 interface
An E1 interface is logically divided into timeslots (TSs) with TS16 being a signaling channel.
On E1 interfaces, you may create PRI groups or TS sets.
You may use an E1 interface as an ISDN PRI or CE1 interface:
1. As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling. Because TS0 is used to
transfer synchronization information and TS16 is used as a D channel to transfer signaling, you
may bundle any timeslots other than TS0 and TS16 into a logical interface, which is
equivalent to an ISDN PRI interface.
2. As a CE1 interface with a signaling channel, the E1 interface can adopt R2 signaling, digital E&M
signaling, or digital LGS signaling.
When R2 signaling is adopted, every 32 timeslots form a primary frame (PCM30, for example),
where TS0 is used for frame synchronization, TS16 for digital line signaling, and the other 30 timeslots
for voice transmission. Every 16 primary frames form one multiframe. In each multiframe, TS0 in
even primary frames conveys the frame alignment signal (FAS) and TS0 in odd primary frames conveys
the non-FAS (NFAS), which carries link status information. NFAS provides control signaling for primary rate
multiplexing. In the first primary frame, frame 0, the high-order four bits in TS16 convey the multiframe
FAS (MFAS) and the low-order four bits convey the non-multiframe FAS (NMFAS). TS16 in each of the
other 15 primary frames conveys line status information for two timeslots. For example, TS16 in
frame 1 conveys the digital line signaling status of TS1 and TS17 while that in frame 2 conveys the
digital line signaling status of TS2 and TS18, and so on.
When digital E&M signaling is adopted, the E1 interface functions as a digital E&M interface. On
the interface, timeslot division and functions are the same as those with R2 signaling.
When digital LGS signaling is adopted, the E1 interface functions as a digital FXO or FXS interface.
On the interface, timeslot division and functions are the same as those with R2 signaling.
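The frame arithmetic from "Introduction to E1 and T1" and the TS0/TS16 multiframe layout described for R2, digital E&M and digital LGS signaling above, worked through as an added Python example (this is not code from the H3C guide). It uses only the figures stated in the text: 8 kHz sampling, 8 bits per timeslot, 32 or 24 timeslots per frame, the one extra framing bit that makes a T1 frame 193 bits, and the 16-frame E1 multiframe; the function and constant names are the example's own.

```python
# Added example (not from the H3C guide): E1/T1 PCM frame arithmetic and the
# E1 channel-associated-signaling (CAS) multiframe layout described in the text.
SAMPLE_RATE_HZ = 8000        # one frame every 125 us
BITS_PER_SAMPLE = 8
E1_TIMESLOTS = 32
T1_TIMESLOTS = 24
T1_FRAMING_BITS = 1          # the single F bit that makes a T1 frame 193 bits
E1_MULTIFRAME_FRAMES = 16


def frame_bits(timeslots, extra_bits=0):
    """Bits per PCM primary frame: one 8-bit sample per timeslot plus framing bits."""
    return timeslots * BITS_PER_SAMPLE + extra_bits


def line_rate_bps(timeslots, extra_bits=0):
    """Line rate in bit/s: frames are sent at the 8 kHz sampling rate."""
    return frame_bits(timeslots, extra_bits) * SAMPLE_RATE_HZ


def e1_ts0_role(frame):
    """E1 TS0 carries FAS in even frames and NFAS (link status) in odd frames."""
    if not 0 <= frame < E1_MULTIFRAME_FRAMES:
        raise ValueError("frame must be 0..15 within one multiframe")
    return "FAS" if frame % 2 == 0 else "NFAS"


def e1_ts16_role(frame):
    """E1 TS16 in a CAS multiframe: frame 0 carries MFAS (high nibble) and
    NMFAS (low nibble); frame n (1..15) carries the ABCD line-signaling bits
    of voice timeslots n and n+16, as the text's TS1/TS17, TS2/TS18 examples show."""
    if not 0 <= frame < E1_MULTIFRAME_FRAMES:
        raise ValueError("frame must be 0..15 within one multiframe")
    if frame == 0:
        return {"high_nibble": "MFAS", "low_nibble": "NMFAS"}
    return {"high_nibble": f"ABCD of TS{frame}", "low_nibble": f"ABCD of TS{frame + 16}"}


def e1_voice_timeslots():
    """Timeslots available for voice on a CAS E1 (PCM30): all but TS0 and TS16."""
    return [ts for ts in range(E1_TIMESLOTS) if ts not in (0, 16)]


def cas_signaling_frame_for_timeslot(ts):
    """Which multiframe frame carries the line signaling of voice timeslot ts."""
    if ts in (0, 16) or not 0 < ts < E1_TIMESLOTS:
        raise ValueError("TS0 and TS16 carry no voice; ts must be 1..31 excluding 16")
    return ts if ts < 16 else ts - 16


if __name__ == "__main__":
    print("E1:", frame_bits(E1_TIMESLOTS), "bits/frame,", line_rate_bps(E1_TIMESLOTS), "bit/s")
    print("T1:", frame_bits(T1_TIMESLOTS, T1_FRAMING_BITS), "bits/frame,",
          line_rate_bps(T1_TIMESLOTS, T1_FRAMING_BITS), "bit/s")
    for f in (0, 1, 2, 15):
        print(f"frame {f}: TS0={e1_ts0_role(f)}, TS16={e1_ts16_role(f)}")
```

Running the module prints the 256-bit/2.048 Mbps and 193-bit/1.544 Mbps figures from the text and the TS0/TS16 contents of a few frames; `cas_signaling_frame_for_timeslot` is the inverse lookup a troubleshooter needs when a single channel's ABCD bits look wrong on a trace.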
After you create a TS set and configure signaling on an E1 voice interface card, the system can
automatically create the voice subscriber line for the TS set.
After TSs of an E1 interface are bound to form a PRI group, the system will automatically generate the
corresponding voice subscriber line.
The Web interface supports only PRI trunk signaling.
T1 interface
A T1 interface can be physically divided into 24 timeslots numbered TS1 through TS24.
You may use a T1 interface as an ISDN PRI interface. The interface adopts DSS1 or QSIG signaling. On
the interface, except for TS24, which is used as the D channel for signaling, you may arbitrarily bundle the other timeslots
into an interface logically equivalent to an ISDN PRI interface.
In addition to DSS1 and QSIG signaling, T1 interfaces support R2 signaling, digital E&M signaling, and
LGS signaling. Configured with digital E&M signaling, a T1 interface is used as a digital E&M interface.
With digital LGS signaling, it is used as a digital FXO or FXS interface.
Like E1 voice interface cards, T1 voice interface cards also have the features of voice subscriber lines.
The Web interface supports only PRI trunk signaling.
Features of E1 and T1
E1 and T1 are characterized by the following:
Signaling modes
Fax function
Signaling modes
E1/T1 interfaces support these types of signaling:
DSS1/QSIG user signaling, adopted on the D channel at the ISDN user-network interface
(UNI). It has a data link layer protocol and a Layer 3 protocol used for basic call control.
ITU-T R2 signaling, which falls into digital line signaling and interregister signaling. Digital line
signaling is transmitted in TS16 (ABCD bits) of an E1 trunk. It conveys status information about E1
trunks to describe whether the trunks are occupied, released, or blocked. Interregister signaling
conveys information about the address, language and discriminating digits for internal calls, echo
suppressor, caller properties and callee properties in each timeslot, using the multi-frequency compelled
approach (forward and backward).
Digital E&M signaling, similar to R2 signaling. It transmits E (rEceive) and M (transMit) call control
signals similar to analog E&M signaling in TS16, alignment signals in TS0, and voice signals in the
other timeslots. In digital E&M signaling, when an E1 trunk detects and sends connection signaling,
it looks at the signal in TS16. Digital E&M signaling provides three start modes, immediate, wink,
and delay, to adapt to different devices for a more reliable connection.
Digital LGS. Digital loop start signaling is used between telephones and switches to identify the
off-hook/on-hook state, while ground-start signaling is used between switches. They differ in that
the two parties in conversation must check the grounding state before closing the line in the ground-start
approach.
Fax function
The fax function is available on E1/T1 voice interfaces to set up fax channels and transmit/receive fax
data.
Item                  E1 voice          T1 voice
Framing format        CRC4, non-CRC4    SF, ESF
Line coding format    HDB3, AMI         B8ZS, AMI
Generally, a BSV interface is used to connect an ISDN digital telephone. It can also be used as a trunk
interface connecting to a PBX digital trunk. Working together with an FXS or FXO interface, a BSV interface
can realize flexible routing policies for voice calls.
Bound Timeslot Number
Line Coding
Item
Description
Internal: Set the internal crystal oscillator time division multiplexing (TDM) clock
as the TDM clock source on the E1 interface. After that, the E1 interface obtains the
clock from the crystal oscillator on the main board. If it fails to do that, the
interface obtains the clock from the crystal oscillator on its E1 card. Because SIC
cards have no crystal oscillator clock, E1 interfaces on SIC cards
can only obtain the clock from the main board. The internal clock source is also called
master clock mode in some features.
Line: Set the line TDM clock as the TDM clock source on the E1 interface. After
that, the E1 interface obtains the clock from the remote device through the line. The
line clock source is also called slave clock mode in some features.
Line primary: Set the E1 interface to preferably use the line TDM clock as the
TDM clock source. After that, the E1 interface always attempts to use the line TDM
clock before any other clock sources.
By default, the TDM clock source for an E1 interface is the internal clock.
TDM Clock Source
If the line keyword is specified for all interfaces, the clock on the interface with the
lowest number is adopted. If that interface goes down, the clock on the
interface with the second lowest number is adopted.
If line primary is specified for interface X and line or internal is specified for the other
interfaces, the clock on interface X is adopted.
If line is specified for interface X and internal is specified for the other interfaces, the
clock on interface X is adopted.
Normally, do not set the clock source of all interfaces in a system to internal;
this prevents frame slips and bit errors. You can do this, however, if the remote E1
interfaces adopt the line clock source.
When there is no VCPM on the main board, the configuration of each MIM/FIC is
independent, but only one interface can be set as line primary.
Status
If you select the PRI Trunk Signaling option, the page as shown in Figure 730 appears.
You are not allowed to configure the following parameters on an ISDN interface if there is still a call on
it:
ISDN Overlap-Sending
These parameters take effect only if they are configured when there is no call on the interface.
Alternatively, you can manually disable the ISDN interface, configure the parameters, and then enable
the interface again. These operations, however, disconnect the calls existing on the
interface.
Table 265 Configuration items
Item
Description
Set the ISDN protocol to be run on an ISDN interface, including DSS1, QSIG,
and ETSI.
By default, an ISDN interface runs DSS1.
Set the ISDN working mode, which can be network side mode or user side
mode.
By default, an ISDN interface operates in user side mode.
Configure local ISDN B channel management.
By default, local ISDN B channel management is disabled, and the B channels are
managed by the ISDN switch.
It is very important to put appropriate control on the B channels used for calls
in progress, especially in PRI mode. Proper channel management can improve
call efficiency and reduce call loss.
Typically, the centralized B channel management provided by exchanges
works well. For this reason, you should adopt the management function
provided by exchanges in most cases, although the ISDN module can
provide the channel management function as well.
Set a B channel selection method:
ISDN Overlap-Sending
mode. In this mode, the digits of each called number are sent separately
and the maximum number of digits sent each time can be set.
By default, the ISDN interface sends the called number in full-sending mode.
Enable for outgoing direction: Configure the ISDN protocol to switch to
the ACTIVE state after receiving a Connect message without having to
send a Connect-Ack message.
the ACTIVE state to start data and voice service communications after
sending a Connect message without having to wait for a Connect-Ack
message.
Connect-Ack messages, that is, the ISDN protocol must wait for the
Connect-Ack message in response to the Connect message before it can
switch to the ACTIVE state to start data and voice service communications.
By default, in the event that the device is communicating with an ISDN switch:
The ISDN protocol must wait for the Connect-Ack message in response to
the Connect message before it can switch to the ACTIVE state to start data
and voice service communications.
When the device is communicating with an ISDN switch, its
settings must be the same as those on the switch.
You are not allowed to configure this list on an ISDN interface if there is still
a call on it. The configuration of this list takes effect only if it is made
when there is no call on the interface. Alternatively, you can manually
disable the interface, configure this list, and then enable the interface.
However, these operations disconnect the calls existing on
the interface.
Enable for outgoing direction: Configure the ISDN protocol to send Setup
messages without the Sending-Complete Information Element when
placing a call.
When the device receives a call from a remote device, it can automatically
identify the length of the call reference. However, some devices on the
network do not have this capability. In the event that the device is required to
place calls to such a device connected to it, you must configure the device to
use the same call reference length configured on the connected device.
Bound Timeslot Number
Line Coding
Line: Set the line TDM clock as the TDM clock source on the T1 interface. After
that, the T1 interface obtains the clock from the remote device through the line. The
line clock source is also called slave clock mode in some features.
Line primary: Set the T1 interface to preferably use the line TDM clock as the
TDM clock source. After that, the T1 interface always attempts to use the line TDM
clock before any other clock sources.
By default, the TDM clock source for a T1 interface is the internal clock.
TDM Clock Source
If the line keyword is specified for all interfaces, the clock on the interface with the
lowest number is adopted. If that interface goes down, the clock on the
interface with the second lowest number is adopted.
If line primary is specified for interface X and line or internal is specified for the other
interfaces, the clock on interface X is adopted.
If line is specified for interface X and internal is specified for the other interfaces, the
clock on interface X is adopted.
Normally, do not set the clock source of all interfaces in a system to internal;
this prevents frame slips and bit errors. You can do this, however, if the remote T1
interfaces adopt the line clock source.
When there is no VCPM on the main board, the configuration of each MIM/FIC is
independent, but only one interface can be set as line primary.
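The TDM clock-source election rules are stated twice, once for E1 interfaces and once, identically, for T1 interfaces above. The added Python example below (not code from the H3C guide) turns both passages' rules into one selection function with the failover the text describes: a single line primary interface wins, otherwise the lowest-numbered up interface set to line, and the next-lowest takes over when it goes down. Interface names, numbers and up/down states are constructed sample data; the assumption that a down line primary interface falls back to the plain line rule is the example's own, since the guide does not say what happens in that case.

```python
# Added example (not from the H3C guide): TDM clock-source election for E1/T1
# interfaces with the failover behaviour described in the text.
INTERNAL, LINE, LINE_PRIMARY = "internal", "line", "line primary"


def _lowest_up_line(interfaces):
    """Rule for "line": the lowest-numbered up interface supplies the clock; when it
    goes down the next lowest takes over. No up line interface -> internal clock."""
    candidates = sorted((i for i in interfaces if i["mode"] == LINE and i["up"]),
                        key=lambda i: i["number"])
    return candidates[0]["name"] if candidates else INTERNAL


def elect_tdm_clock(interfaces):
    """Name of the interface whose received line clock drives the TDM bus, or
    "internal" when no line clock is available.

    interfaces: list of dicts {"name": str, "number": int, "mode": str, "up": bool}
    """
    primaries = [i for i in interfaces if i["mode"] == LINE_PRIMARY]
    if len(primaries) > 1:
        # The guide allows only one interface per MIM/FIC to be line primary.
        raise ValueError("only one interface can be set as line primary")
    if primaries and primaries[0]["up"]:
        return primaries[0]["name"]
    # Assumption (not stated in the guide): a down line-primary interface falls
    # through to the ordinary "line" rule.
    return _lowest_up_line(interfaces)


def all_internal_warning(interfaces, remote_uses_line_clock=False):
    """The guide warns against every interface using the internal clock (frame
    slips, bit errors) unless the remote E1/T1 interfaces take the line clock."""
    if all(i["mode"] == INTERNAL for i in interfaces) and not remote_uses_line_clock:
        return "all interfaces use the internal clock: expect frame slips and bit errors"
    return None


def failover_sequence(interfaces):
    """Elect once, take the elected interface down, elect again."""
    first = elect_tdm_clock(interfaces)
    downed = [dict(i, up=i["up"] and i["name"] != first) for i in interfaces]
    return first, elect_tdm_clock(downed)


# Constructed sample data: three E1 ports on one card.
SAMPLE = [
    {"name": "E1 1/0", "number": 0, "mode": LINE, "up": True},
    {"name": "E1 1/1", "number": 1, "mode": LINE, "up": True},
    {"name": "E1 1/2", "number": 2, "mode": INTERNAL, "up": True},
]
WITH_PRIMARY = [dict(i, mode=LINE_PRIMARY) if i["name"] == "E1 1/2" else i for i in SAMPLE]
ALL_INTERNAL = [dict(i, mode=INTERNAL) for i in SAMPLE]

if __name__ == "__main__":
    print("line rule:", failover_sequence(SAMPLE))
    print("line primary:", elect_tdm_clock(WITH_PRIMARY))
    print("warning:", all_internal_warning(ALL_INTERNAL))
```

The `failover_sequence` call is the check worth running before a change window: it shows which port will source the clock today and which one takes over if that port's line fails, so a trunk outage does not silently move the whole card onto the internal oscillator.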
Status
If you select the PRI Trunk Signaling option, the page as shown in Figure 732 appears.
ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table
265 describes the ISDN parameters configuration items.
Set the ISDN protocol to be run on an ISDN interface, including DSS1, ANSI,
NI, NTT, and ETSI.
By default, an ISDN interface runs DSS1.
Set the ISDN working mode, which can be network side mode or user side
mode.
By default, an ISDN interface operates in user side mode.
Configure local ISDN B channel management.
By default, local ISDN B channel management is disabled, and the B channels are
managed by the ISDN switch.
It is very important to put appropriate control on the B channels used for calls
in progress, especially in PRI mode. Proper channel management can improve
call efficiency and reduce call loss. Normally, the centralized B channel
management provided by exchanges works well. For this reason, it is
recommended that you adopt the management function provided by exchanges in
most cases, although the ISDN module can provide the channel
management function as well.
Set a B channel selection method:
ISDN Overlap-Sending
mode. In this mode, the digits of each called number are sent separately
and the maximum number of digits sent each time can be set.
By default, the ISDN interface sends the called number in full-sending mode.
Enable for outgoing direction: Configure the ISDN protocol to switch to
the ACTIVE state after receiving a Connect message without having to send
a Connect-Ack message.
the ACTIVE state to start data and voice service communications after
sending a Connect message without having to wait for a Connect-Ack
message.
Connect-Ack messages, that is, the ISDN protocol must wait for the
Connect-Ack message in response to the Connect message before it can
switch to the ACTIVE state to start data and voice service communications.
By default, in the event that the device is communicating with an ISDN switch:
The ISDN protocol must wait for the Connect-Ack message in response to
the Connect message before it can switch to the ACTIVE state to start data
and voice service communications.
When the device is communicating with an ISDN switch, its
settings must be the same as those on the switch.
You are not allowed to configure this list on an ISDN interface if there is still
a call on it. The configuration of this list takes effect only if it is made
when there is no call on the interface. Alternatively, you can manually
disable the interface, configure this list, and then enable the interface.
However, these operations disconnect the calls existing on
the interface.
Enable for outgoing direction: Configure the ISDN protocol to send Setup
messages without the Sending-Complete Information Element when
placing a call.
and maintains the connection even when no calls are received from the
network layer. If the two-tei mode is also enabled on the interface, two
such connections are present.
Disable: The BRI interfaces operating on the network side are not in the
permanent active state at the physical layer.
This parameter is available only when the Network Side Mode option in the
ISDN Working Mode area is selected.
Set the length of the call reference used when a call is placed on an ISDN
interface.
Status
The call reference is the sequence number that the protocol assigns to
each call. It is one or two bytes in length and can be reused cyclically.
When the device receives a call from a remote device, it can automatically
identify the length of the call reference. However, some devices on the
network do not have this capability. If the device is required to
place calls to such a device connected to it, you must configure the device to
use the same call reference length configured on the connected device.
Enable: Enable the BSV interface.
Disable: Disable the BSV interface.
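The call reference length item above says a receiver can detect the length automatically while a sender must be configured to match a peer that cannot. The added Python example below (not code from the H3C guide) makes that concrete by building and parsing the start of a Q.931 message; the octet layout is taken from ITU-T Q.931 (protocol discriminator, a length octet whose low nibble gives the call reference length, the call reference value with a flag bit in its first octet, then the message type), not from the guide, and the function names and the sample values are the example's own.

```python
# Added example (not from the H3C guide): Q.931 call reference encoding and
# decoding, showing why the length is self-describing on receipt but must be
# configured to match the peer when sending.
PROTOCOL_DISCRIMINATOR = 0x08   # Q.931 call control messages

MESSAGE_TYPES = {
    0x05: "SETUP", 0x07: "CONNECT", 0x0F: "CONNECT ACKNOWLEDGE",
    0x45: "DISCONNECT", 0x4D: "RELEASE", 0x5A: "RELEASE COMPLETE",
}


def _max_call_ref(cr_len):
    """Largest value that fits once one bit of the first octet is used as the flag."""
    if cr_len not in (1, 2):
        raise ValueError("call reference length must be 1 or 2 octets")
    return (1 << (8 * cr_len - 1)) - 1


def encode_header(call_ref, cr_len, from_originator, msg_type):
    """Return the Q.931 header bytes for a message about call reference call_ref.

    cr_len is the configured call reference length (1 or 2 octets). The flag bit
    is 0 in messages sent by the side that allocated the reference and 1 in
    messages sent toward it, so both ends know whose numbering is meant.
    """
    max_value = _max_call_ref(cr_len)
    if not 1 <= call_ref <= max_value:
        raise ValueError(f"call reference must be 1..{max_value} for {cr_len}-octet references")
    value = call_ref.to_bytes(cr_len, "big")
    first = value[0] | (0x00 if from_originator else 0x80)
    return bytes([PROTOCOL_DISCRIMINATOR, cr_len, first]) + value[1:] + bytes([msg_type])


def decode_header(data):
    """Parse a Q.931 header. The length is read from the message itself, which is
    why a receiver accepts either reference length without being configured."""
    if len(data) < 3 or data[0] != PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a Q.931 call control message")
    cr_len = data[1] & 0x0F
    if cr_len not in (1, 2) or len(data) < 3 + cr_len:
        raise ValueError("unsupported or truncated call reference")
    cr_bytes = bytearray(data[2:2 + cr_len])
    from_originator = (cr_bytes[0] & 0x80) == 0
    cr_bytes[0] &= 0x7F                      # strip the flag bit
    msg_type = data[2 + cr_len] & 0x7F
    return {
        "cr_len": cr_len,
        "call_ref": int.from_bytes(cr_bytes, "big"),
        "from_originator": from_originator,
        "msg_type": MESSAGE_TYPES.get(msg_type, f"0x{msg_type:02X}"),
    }


def next_call_ref(current, cr_len):
    """Cyclic allocation of the next reference value, as the text describes,
    skipping 0 (reserved in Q.931 as the global call reference)."""
    return 1 if current >= _max_call_ref(cr_len) else current + 1


if __name__ == "__main__":
    # Constructed sample: a SETUP with a 1-octet reference and a CONNECT coming
    # back with a 2-octet reference from a peer configured differently.
    setup = encode_header(0x12, 1, True, 0x05)
    connect = encode_header(0x123, 2, False, 0x07)
    print(setup.hex(), decode_header(setup))
    print(connect.hex(), decode_header(connect))
```

Decoding the two constructed messages shows the receive side coping with both lengths, while `encode_header` has to be told the length up front: a device that always sends one-octet references to a peer expecting two will have its references misparsed by that peer, which is the mismatch the configuration item exists to avoid.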
Router A is connected to a PBX through an E1 voice subscriber line, and to the telephone at
0101003 through an FXS voice subscriber line.
The two routers communicate with their respective PBX by exchanging DSS1 user signaling through an
ISDN interface. The one-stage dialing mode is configured on the two routers.
Configuration procedure
1. Configure Router A:
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of E1 1/1 to access the E1 parameters configuration page.
a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.
c. Configure a local number in the local number configuration page: The number ID is 1003, the
number is 0101003, and the bound line is 3/0.
d. Configure a call route in the call route configuration page: The call route ID is 1001, the
destination number is 0101001, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
e. Configure a call route in the call route configuration page: The call route ID is 1002, the
destination number is 0101002, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
f. Configure a call route in the call route configuration page: The call route ID is 0755, the
destination number is 0755...., the call route type is SIP, the SIP routing type is IP routing,
and the destination address is 2.2.2.2.
2. Configure Router B:
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of E1 1/1 to access the E1 parameters configuration page.
a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.
c. Configure a call route in the call route configuration page: The call route ID is 2001, the
destination number is 07552001, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
d. Configure a call route in the call route configuration page: The call route ID is 2002, the
destination number is 07552002, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
e. Configure a call route in the call route configuration page: The call route ID is 010, the
destination number is 010...., the call route type is SIP, the SIP routing mode is IP routing, and
the destination address is 1.1.1.1.
Select Voice Management > Statistics > Call Statistics from the navigation tree to access the Active
Call Summary page, where you can view the statistics of active calls.
Select Voice Management > Digital Link Management from the navigation tree, and then click the
name of the target digital link line 1/1:15 to access the page displaying the link state.
Managing lines
This section provides information on managing and configuring various types of subscriber lines.
Immediate start: In this mode, the caller picks up the phone, and after a brief period, the dialed
number is sent to the called side. During this period, whether the called side is ready to
receive the called number is not checked. After the called number is received, the callee can
pick up the phone to answer the call.
[Figure: E&M start-mode signal flow between the calling side (E/M) and the called side (M/E); labels on the figure: Conversation, Hang up]
Delay start: In this mode, the caller first picks up the phone to seize the trunk line, and the called
side (such as the peer PBX) also enters the off-hook state in response to the off-hook action of the
caller. The called side (PBX) stays in the off-hook state until it is ready to receive the address
information. When it is ready, it enters the on-hook state; this interval is the so-called dial
delay. The calling side then sends the address information, and the called side (PBX) connects the call to
the callee. The two parties can then begin communicating.
Wink start: In this mode, the caller first picks up the phone to seize the trunk line, and the called
side (such as the peer PBX) stays in the on-hook state until it receives a connection signal from the calling
side. The called side then sends a wink signal as an acknowledgement and enters the
ready state. Upon receiving the wink signal, the calling side begins to send the address information
and the called side connects the call to the callee. The two parties can then begin communicating.
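The three start modes differ only in when the calling side decides the far end is ready for digits. The added Python example below (not code from the H3C guide) simulates the handshakes as timelines so the failure mode of immediate start, digits sent before a slow PBX is listening, is visible next to the delay and wink acknowledgements. The timer values and the readiness delay are constructed for illustration and are not the router's defaults.

```python
# Added example (not from the H3C guide): timeline simulation of the digital
# E&M immediate, delay and wink start modes described in the text.

def em_handshake(start_mode, called_ready_after_ms, immediate_wait_ms=150, wink_ms=200):
    """Return the seizure handshake timeline and whether the address digits
    were sent only once the called side was ready to take them.

    start_mode: "immediate", "delay" or "wink".
    called_ready_after_ms: time the called PBX needs before it can accept digits.
    immediate_wait_ms: the fixed "brief period" of immediate start (assumed value).
    wink_ms: length of the wink pulse (assumed value).
    """
    events = [(0, "calling", "off-hook: seize trunk")]
    if start_mode == "immediate":
        # Digits go out after a fixed pause; far-end readiness is never checked.
        digits_at = immediate_wait_ms
    elif start_mode == "delay":
        # Called side goes off-hook at once and returns on-hook when ready;
        # that off-hook interval is the dial delay.
        events.append((0, "called", "off-hook: not ready"))
        events.append((called_ready_after_ms, "called", "on-hook: ready for digits"))
        digits_at = called_ready_after_ms
    elif start_mode == "wink":
        # Called side stays on-hook, then acknowledges with a short off-hook pulse.
        events.append((called_ready_after_ms, "called", "off-hook: wink start"))
        events.append((called_ready_after_ms + wink_ms, "called", "on-hook: wink end"))
        digits_at = called_ready_after_ms + wink_ms
    else:
        raise ValueError(f"unknown start mode {start_mode!r}")
    events.append((digits_at, "calling", "send address digits"))
    events.sort(key=lambda e: e[0])          # stable: called-side events keep their order
    return {
        "mode": start_mode,
        "events": events,
        "digits_sent_at_ms": digits_at,
        "digits_received": digits_at >= called_ready_after_ms,
    }


def compare_modes(called_ready_after_ms):
    """Which modes deliver the digits to a PBX that needs the given time to get ready."""
    return {mode: em_handshake(mode, called_ready_after_ms)["digits_received"]
            for mode in ("immediate", "delay", "wink")}


if __name__ == "__main__":
    # Constructed scenario: a PBX that needs 500 ms before it can take digits.
    for mode in ("immediate", "delay", "wink"):
        result = em_handshake(mode, 500)
        print(mode, "digits received:", result["digits_received"])
        for t, side, what in result["events"]:
            print(f"  {t:4d} ms  {side:8s} {what}")
```

With a 500 ms readiness delay, `compare_modes(500)` reports that only delay and wink start deliver the digits, which is the practical reason the text calls the two acknowledged modes more reliable across dissimilar equipment; with a fast PBX all three succeed.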
Dedicated FXO voice subscriber lines: The dedicated FXO voice subscriber lines can be used only
by the bound FXS voice subscriber lines, and PSTN-originated calls received over dedicated FXO
voice subscriber lines are directly connected to the bound FXS voice subscriber lines.
Consistent state between bound FXS and FXO voice subscriber lines: The on-hook/off-hook state
of the bound FXS and FXO voice subscriber lines is consistent. If an FXO subscriber line receives a
PSTN-originated call when the corresponding FXS voice subscriber line is off-hook, the calling
party hears a busy tone.
[Table headers: Reason, Adjustment method, Parameters adjusted, Effect]
[Table headers: Symptom, Parameters adjusted, Effect]
Basic Configurations
This timer restarts each time the user dials a digit and works in this way until
all the digits of the number are dialed. If the timer expires before the dialing is
completed, the user is prompted to hang up and the call is terminated.
Specify the maximum interval in seconds between off-hook and dialing the first
digit.
Upon the expiration of the timer, the user is prompted to hang up and the call
is terminated.
Specify the maximum duration in seconds of playing ringback tones.
Status
Enable.
Disable.
Advanced Settings
Dial Delay Time
Specify the time range for the duration of an on-hook condition that is
detected as a hookflash. That is, an on-hook condition that lasts for a period
that falls within the hookflash duration range (longer than the
lower limit and shorter than the upper limit) is considered a hookflash.
Electrical Impedance
Comfortable Noise
Function
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If
necessary, do it with the guidance of technical personnel.
Enable.
Disable.
By default, the comfortable noise function is enabled.
Enable.
Disable.
Echo Duration
After you enable this function, set the echo duration, that is, the time that elapses
from when a user speaks to when the user hears the echo.
Enable.
Disable.
Set the DTMF detection sensitivity level.
Low: In this mode, the reliability is high, but DTMF tones may fail to be
detected.
Medium: In this mode, the reliability is medium. If you select this option, you
can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity
Level. The greater the value, the higher the probability of false detection.
Support for this option varies with installed cards.
High: In this mode, the reliability is low and detection errors may occur.
Basic Configurations
Item
Description
Specify the maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until
all the digits of the number are dialed. If the timer expires before the dialing is
completed, the user is prompted to hang up and the call is terminated.
Specify the maximum interval in seconds between off-hook and dialing the first
digit.
Upon the expiration of the timer, the user is prompted to hang up and the
call is terminated.
Status
Enable.
Disable.
Advanced Settings
Off-hook Mode
number, which the system uses to connect the call to the callee automatically.
The communication can be performed over the FXO subscriber line only after
the callee picks up the telephone.
Immediate off-hook: In this mode, when a call arrives, the FXO interface
goes off-hook immediately and then the caller performs the second stage
dialing.
Bind an FXS voice subscriber line to the FXO voice subscriber line. This list is
available only when you select the Delay Off-hook option in the Off-hook Mode
area.
Binding FXS Line
To keep the consistent off-hook/on-hook state between the bound FXS and FXO
lines, the specified FXS line must be the one to which the dedicated line number
points. In addition, only the bound FXS line is allowed to originate calls to the
FXO line by restricting incoming calls.
Delay Ring.
Immediate Ring.
Ring Mode
You can select the Delay Ring option to speed up ring synchronization
between the FXO voice subscriber line and its bound FXS voice subscriber line.
However, on a telephone that supports calling identification display, the calling
number is displayed only after the second ring.
In some countries, PBXs do not play busy tones, or the busy tones they play
only last for a short period of time. When noise is present on a
transmission link, configuring the silence threshold and silence duration for
automatic on-hook cannot solve the problem that the FXO
interface resource is not released. In this case, you can specify the duration before a
forced on-hook to solve the problem.
No duration is configured by default.
IMPORTANT:
Once the duration before a forced on-hook is configured, the call is automatically disconnected
when the duration expires, even if the call is still in progress.
Set the silence threshold.
VAD Threshold
In the delay off-hook mode, the on-hook/off-hook state of the FXS and FXO lines is
consistent. When an FXS line goes off-hook, the FXO line to which the FXS line
is bound goes off-hook, too. When the FXS line in the off-hook state needs to
connect to the FXO line to originate a call over the PSTN, the FXO line must first
perform an on-hook operation, and then perform an off-hook operation to send
the called number. This item sets the interval between the on-hook and
off-hook operations.
Electrical Impedance
IMPORTANT:
Gain adjustment may lead to call
failures. H3C recommends that you
do not adjust the gain. If necessary,
do it with the guidance of technical
personnel.
By default, CID check is performed
between the first and the second
rings, and the FXO line goes
off-hook as soon as the check
completes.
Enable.
Disable.
Generates comfort noise to fill the silent intervals in a conversation. Without comfort noise, the dead silence in these intervals is unsettling to both parties.
By default, the comfort noise function is enabled.
Enable.
Disable.
With the busy-tone sending function enabled, you can set the duration of busy
tones.
Echo Duration
Enable.
Disable.
After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when the user hears the echo.
Enable.
Disable.
Set the DTMF detection sensitivity level.
Low: Reliability is high, but some DTMF tones may fail to be detected.
Medium: Reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with the installed cards.
High: Reliability is low, and detection errors (false detections) may occur.
Basic Configurations
Description
Cable Type
When you configure the cable type, make sure it is the same as that of the peer device. Otherwise, voice is carried in one direction only.
The configuration is applied to all E&M interfaces on the card.
Signal Type
Specify the signal type of the analog E&M subscriber line. Types 1, 2, 3, and 5 (that is, types I, II, III, and V) are the four supported signal types.
When you configure the signal type, make sure it is the same as that of the peer device.
This timer restarts each time the user dials a digit, until all digits of the number have been dialed. If the timer expires before dialing is complete, the user is prompted to hang up and the call is terminated.
Specify the maximum time the system waits for the first digit of a number.
Status
Enable.
Disable.
Advanced Settings
Start Mode
Immediate Start.
Delay Start.
Wink Start.
Delay Time before the Calling Party Sends DTMF Signals in Immediate Start Mode
Specify the delay time before the calling party sends DTMF signals in the immediate start mode.
Delay Signal Duration in Delay Start Mode
Delay Time before the Called Party Sends a Delay Signal in Delay Start Mode
Specify the delay time from when the called party detects a seizure signal to when it sends a delay signal in the delay start mode.
Delay Time before the Called Party Sends a Wink Signal in Wink Start Mode
Specify the delay time from when the called party receives a seizure signal to when it sends a wink signal in the wink start mode.
Duration of a Wink Signal Sent by the Called Party in Wink Start Mode
Specify the duration for which the called party sends the wink signal in the wink start mode.
Specify the maximum amount of time the calling party waits for a
wink signal after sending a seizure signal in the wink start mode.
Input Gain on the Voice Interface
When the voice signals on the line are strongly attenuated, increase the voice input gain value.
When the voice signal power on the output line is too low, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Configure the output gain of the SLIC chip. The bottom layer tunes
the signal gain through the SLIC chip.
By default, the output gain of the SLIC chip is 0.8 dB.
Enable.
Disable.
By default, the comfort noise function is enabled.
Echo Duration
Enable.
Disable.
After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when the user hears the echo.
Enable.
Disable.
Enable.
Disable.
By default, the comfort noise function is enabled.
Echo Duration
Enable.
Disable.
After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when the user hears the echo.
Enable.
Disable.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Set the DTMF detection sensitivity level.
Low: Reliability is high, but some DTMF tones may fail to be detected.
High: Reliability is low, and detection errors (false detections) may occur.
Enable.
Disable.
Status
Line Description
When the voice signal power on the output line is too low, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Enable.
Disable.
Silent Mode
Set the audio input gain, in the range of -24.0 to 12.0 with a step of 1.
When the voice signal power on the output line is too low, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Line Description
When the voice signal power on the output line is too low, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Enable.
Disable.
Silent Mode
Set the audio input gain, in the range of -19.5 to 41.5 with a step of 2.
When the voice signal power on the output line is too low, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Configuring Router A
# Create a call route and a local number.
1. Configure a call route in the call route configuration page: The call route ID is 0755, the destination number is 0755...., and the destination address is 2.2.2.2.
2. Create a local number in the local number configuration page: The number ID is 1001, the number is 0101001, and the bound line is 1/0.
Configuring Router B
# Create call routes.
1. Create a call route in the call route configuration page: The call route ID is 010, the destination number is 010.., and the destination address is 1.1.1.1.
2. Create a call route in the call route configuration page: The call route ID is 2001, the destination number is 07552001, the call route type is Trunk, and the trunk route line is 1/0. In addition, select the Send All Digits of a Called Number option in the Called Number Sending Mode area when you configure the advanced settings of this call route.
3. Select Voice Management > Call Route from the navigation tree, and then click the icon of call route 2001 to access the call services configuration page.
4.
5. Click Apply.
Router A and Router B are connected over an IP network and a PSTN. Telephone A attached to
Router A can make calls to Telephone B attached to Router B over the IP network or the PSTN.
Usually, Telephone A makes calls to Telephone B over the IP network. In the case that the IP network
is unavailable, Router A sends calls from Telephone A through the bound FXO interface to
Telephone B over PSTN.
Configuration considerations
Configure one-to-one binding between FXS and FXO voice subscriber lines.
When the IP network is available, the VoIP entity is preferably used to make calls over the IP
network.
When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO
voice subscriber line over the PSTN.
Configuration procedure
Router A and Router B are routable to each other. The configuration of interface IP addresses is not shown.
1. Configure Router A:
# Configure a local number and two call routes.
Configure a call route in the call route configuration page: The call route ID is 210, the destination number is 210., and the destination address is 192.168.0.76.
Configure a local number in the local number configuration page: The number ID is 0101001, the number is 0101001, and the bound line is 3/0.
Configure the backup call route 211 for the FXO line in the call route configuration page: The destination number is .T, the call route type is Trunk, and the trunk route line is 4/0. In addition, select the Send All Digits of a Called Number option in the Called Number Sending Mode area when you configure the advanced settings of this call route.
# Configure call authority control.
a. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Add to access the permitted call number group configuration page.
Click Apply.
d. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 752 Call route binding page
a. Select the Permit the calls from the number group option.
b. Select call route 211.
c. Click Apply.
Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO line 4/0 to access the FXO line configuration page.
Click Apply.
Click Apply.
Configure Router B:
# Configure a local number and two call routes.
a. Configure a call route in the call route configuration page: The call route ID is 10, the
Configure the backup call route 211 for the FXO line in the call route configuration page: The destination number is .T, the call route type is Trunk, and the trunk route line is 4/0. In addition, select the Send All Digits of a Called Number option in the Called Number Sending Mode area when you configure the advanced settings of this call route.
then click Add to access the permitted call number group configuration page.
Click Apply.
d. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 757 Call route binding page
a. Select the Permit the calls from the number group option.
b. Select call route 211.
c. Click Apply.
Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO line 4/0 to access the FXO line configuration page.
Click Apply.
Click Apply.
[Network diagram: Branch A, Branch B, and Branch C connect to the headquarters voice server over the WAN, and each branch also connects to the PSTN]
1. When the WAN link from a branch to the headquarters is normal, all IP phones at the branch are registered with the headquarters voice server, and the headquarters voice server processes calls originated by branch IP phones.
2. When the WAN link to the headquarters or the primary server fails:
The branch voice router can accept registrations from its attached IP phones.
The branch voice router ensures normal call services between its IP phones, between its IP phones and FXS interfaces, and between its FXS interfaces.
IP phone users at the branch can place or receive PSTN calls through FXO interfaces on the voice router.
3. When the WAN link or the primary server recovers, the branch voice router rejects registrations from IP phones, and the headquarters voice server takes over call processing.
Enter the IP address of the local server, which can be a local interface's IP address,
or a loopback address such as 127.0.0.1. The IP address of a local interface is
recommended because a loopback address cannot accept registrations from
remote users.
When the local SIP server is enabled, the IP address of the local server must be
provided.
Alone: The local SIP server in alone mode acts as a small standalone voice server.
Alive: The local SIP server in alive mode supports the local survival feature. That is, when communication with the remote server fails, the local SIP server accepts registrations and calls; when communication resumes, the remote server accepts registrations and calls again and the local SIP server rejects them. In alive mode, OPTIONS messages are sent to the remote server periodically to detect whether it is reachable.
When the alive mode is selected, the IP address of the remote SIP server must be provided.
Specify the interval for sending Options messages to the remote SIP server.
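The following Python script is added here as an illustration and is not part of the H3C configuration guide. It models the alone and alive modes described in this table: the branch server records the result of each periodic OPTIONS probe, accepts registrations only while the remote server is unreachable in alive mode, and hands back (dropping its survival registrations) once the remote answers again. The failover threshold of three consecutive failed probes, the SIP status codes returned to a REGISTER, and the IP addresses are assumptions; the page only says that OPTIONS is sent periodically and that registrations are accepted or rejected.

```python
"""Local-survival behaviour of a branch SIP server (alone / alive modes).

Added example, not H3C code. Assumptions: the remote server is declared
down after MAX_MISSES consecutive OPTIONS probes without a 200 OK, and a
REGISTER that the local server will not serve is answered with 403."""
from dataclasses import dataclass, field
from typing import Optional, Set

MAX_MISSES = 3          # assumption: consecutive failed OPTIONS before failover


@dataclass
class LocalSipServer:
    mode: str                          # "alone" or "alive"
    local_ip: str                      # required whenever the local server is enabled
    remote_ip: Optional[str] = None    # required in alive mode
    options_interval: int = 60         # seconds between OPTIONS probes
    misses: int = 0
    remote_alive: bool = True
    registrations: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.mode not in ("alone", "alive"):
            raise ValueError("mode must be 'alone' or 'alive'")
        if not self.local_ip:
            raise ValueError("the local server IP address must be provided")
        if self.mode == "alive" and not self.remote_ip:
            raise ValueError("alive mode needs the remote SIP server IP address")

    def reachable_by_remote_phones(self) -> bool:
        # A loopback address serves the router itself but cannot receive
        # registrations from phones on the LAN, hence the page's advice to
        # use an interface address instead.
        return not self.local_ip.startswith("127.")

    def accepting(self) -> bool:
        """Alone mode always serves; alive mode serves only while the remote is down."""
        return self.mode == "alone" or not self.remote_alive

    def on_options_result(self, got_200_ok: bool) -> bool:
        """Feed the outcome of one periodic OPTIONS probe; return the new accepting state."""
        if self.mode != "alive":
            return True
        if got_200_ok:
            if not self.remote_alive:
                # Remote recovered: hand back, phones must re-register with it.
                self.registrations.clear()
            self.misses = 0
            self.remote_alive = True
        else:
            self.misses += 1
            if self.misses >= MAX_MISSES:
                self.remote_alive = False
        return self.accepting()

    def register(self, user: str, credentials_ok: bool) -> int:
        """SIP status code the local server answers a REGISTER with (codes are assumptions)."""
        if not self.accepting():
            return 403          # remote server is serving; local survival stays passive
        if not credentials_ok:
            return 401          # Authentication Username/Password did not match
        self.registrations.add(user)
        return 200


def simulate(probe_results):
    """Run constructed OPTIONS outcomes through an alive-mode server (addresses
    are constructed) and return the accepting state after each probe."""
    srv = LocalSipServer(mode="alive", local_ip="2.1.1.2", remote_ip="3.1.1.2")
    return [srv.on_options_result(ok) for ok in probe_results]


if __name__ == "__main__":
    print(simulate([True, False, False, False, True]))   # [False, False, False, True, False]
```

Because the local server answers REGISTER only after the probes have failed, a phone whose backup registrar points at the branch router will be refused until the WAN outage has lasted at least MAX_MISSES probe intervals; size the OPTIONS interval with that delay in mind.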
User management
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to access the page as shown in Figure 763.
Figure 763 Configuring user
User ID
Telephone Number
Authentication Username
Authentication Password
Trusted nodes
Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the
page as shown in Figure 764.
Figure 764 Configuring a trusted node
By default, no trusted node is configured.
Port
Call-out route
The local SIP server uses a static routing table to forward outgoing calls. If the called number of a call
matches a static route, the local SIP server forwards the call to the specified destination. The called
number does not need to register on the local SIP server. For example, as an external number, 5552000
does not need to register on the local SIP server. Configure a static route entry with the area prefix of 333
and called number of 5552000 on the local SIP server. Upon receiving a call from local number 1000
to external number 5552000, the local SIP server adds the area prefix 333 to the calling number, and
forwards the call to the destination specified in the static route entry.
Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add
to access the page as shown in Figure 765.
ID
Destination Number
Prefix
Enter the destination number prefix and length. Suppose the destination number
prefix is 4100, and the number length is 6. This configuration matches destination
numbers that are 6-digit long and start with 4100.
Number length
A dot after a number matches any single digit. No other wildcard characters are supported.
Destination IP address
Port Number
Area Prefix
Area prefix
When the local SIP server is connected to the extranet, external users can originate calls to internal users registered with the local SIP server. For calls from external users to internal users, the local SIP server removes the configured area prefix from each called number to convert it to an internal short number. For example, if an external user dials 01050009999, the local SIP server checks whether any area prefix matches the called number. If the area prefix 0105000 is configured, the local SIP server removes the prefix 0105000 from the called number and sends the call to 9999.
Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to access the page
as shown in Figure 766.
Figure 766 Configuring a call-in number prefix
You can configure up to eight call-in number prefixes. The local SIP server adopts longest match to deal
with a called number.
Description
Rule Set ID
Rule
Rule ID
Call Direction
Call Authority
Number Pattern
A dot after a number matches any single digit. No other wildcard characters are supported.
Rule Set ID
Applied Globally
In the Register users bound to the rule set field, select registered users and
click >> to unbind them.
Users in the Available register users field are added in User management.
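The call-out route, area prefix, and call authority pages above all reduce to one number-matching problem, which also covers the call route patterns used earlier on this page (0755...., 010.., .T). The Python script below is an added example, not H3C code. Its assumptions: a dot matches exactly one digit, a trailing T matches any number of further digits, the longest configured area prefix wins on incoming calls, the rules of a set are evaluated in rule ID order with the first matching rule deciding, and a call matched by no rule is permitted. Evaluation order and the default are assumptions; the prefix/length matching and the 8-prefix limit are as described on the page.

```python
"""Dial-plan matching for the local SIP server: call-out routes, area
prefixes and call authority rule sets.  Added example, not H3C code.
Assumed pattern semantics: '.' = one digit, trailing 'T' = any further digits."""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_AREA_PREFIXES = 8      # page: up to eight call-in number prefixes


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a dial-plan pattern; only digits, '.', '#', '*' and a final 'T' are allowed."""
    body, anchor = pattern, "$"
    if body.endswith("T"):
        body, anchor = body[:-1], r"[0-9]*$"
    if not re.fullmatch(r"[0-9#*.]*", body):
        raise ValueError(f"unsupported character in pattern {pattern!r}")
    return re.compile("^" + "".join("[0-9]" if c == "." else re.escape(c) for c in body) + anchor)


def matches(pattern: str, number: str) -> bool:
    return pattern_to_regex(pattern).match(number) is not None


@dataclass
class CallOutRoute:
    route_id: int
    prefix: str            # Destination Number Prefix
    length: int            # Number Length (total digits of the called number)
    dest_ip: str
    port: int = 5060
    area_prefix: str = ""  # prepended to the calling number on the way out


def match_call_out(routes: List[CallOutRoute], called: str) -> Optional[CallOutRoute]:
    """Static call-out routing: the called number need not be registered locally."""
    for r in routes:
        if len(called) == r.length and called.startswith(r.prefix):
            return r
    return None


def outbound_calling_number(route: CallOutRoute, calling: str) -> str:
    return route.area_prefix + calling


def strip_area_prefix(area_prefixes: List[str], called: str) -> str:
    """Call-in direction: remove the longest matching area prefix to get the short number."""
    if len(area_prefixes) > MAX_AREA_PREFIXES:
        raise ValueError("at most eight area prefixes are supported")
    hits = [p for p in area_prefixes if called.startswith(p) and len(p) < len(called)]
    if not hits:
        return called
    return called[len(max(hits, key=len)):]


@dataclass
class Rule:
    rule_id: int
    direction: str       # "in" or "out"
    authority: str       # "permit" or "deny"
    number_pattern: str


def authorize(rules: List[Rule], direction: str, number: str) -> bool:
    """First matching rule (by rule ID) decides; assumption: no match means permit."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.direction == direction and matches(r.number_pattern, number):
            return r.authority == "permit"
    return True


if __name__ == "__main__":
    # Constructed data mirroring the page's examples (prefix 55665000, area prefix 8899).
    routes = [CallOutRoute(0, "55665000", 8, "2.1.1.2", area_prefix="8899")]
    hit = match_call_out(routes, "55665000")
    print(hit.dest_ip, outbound_calling_number(hit, "1000"))      # 2.1.1.2 88991000
    print(strip_area_prefix(["0105000", "8899"], "01050009999"))  # 9999
```

A deny rule for ".T" bound to a user is the rule-set equivalent of the permitted-number-group binding used for the FXO backup route earlier: it keeps phones that should never reach the PSTN trunk from using it, which is the usual control against toll fraud on a trunk that accepts any called number.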
Configuring Router C
# Configure the router to operate in the alone mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page.
2.
3.
4.
5. Click Apply.
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
7.
8.
9.
10.
11. Click Apply.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line 2/0, the username is 1000, and the password is 1000.
2. Configure a call route to Router B in the call route configuration page: The ID is 5000, the destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 2.1.1.2.
Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is 5000, the bound line is line 2/0, the username is 5000, and the password is 5000.
2. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 2.1.1.2.
Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that numbers 1000 and 5000 have been registered with the local SIP
server on Router C.
Phones 1000 and 5000 can call each other through the local SIP server.
Configuring Router A
# Configure the IP address of Ethernet 1/1 as 1.1.1.2, and the IP address of the sub interface as 2.1.1.2.
(Details not shown.)
# Configure the local SIP server to operate in alive mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to access the following page.
2.
3.
4.
5.
6. Click Apply.
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
8.
9.
10. Click Apply.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, and the bound line is line 2/0.
2. Configure a call route to Router B in the call route configuration page: The ID is 5000, the destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 3.1.1.2 and the backup registrar's IP address as 2.1.1.2.
Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is 5000, and the bound line is line 2/0.
2. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 3.1.1.2 and the backup registrar's IP address as 2.1.1.2.
When the VCX fails, the local SIP server on Router A starts to accept registrations from phones,
which then can call each other through Router A. Select Voice Management > States and Statistics >
Local Survival Service States from the navigation tree. You can find that numbers 1000 and 5000
have been registered with the local SIP server on Router A.
When the VCX recovers, Router A disables the local SIP server, and the phones register with the
VCX again.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the following page.
2.
3.
4.
5. Click Apply.
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
7.
8.
9.
10.
11. Click Apply.
# Configure users with phone numbers 1111, 5000, and 5555 in the similar way.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree,
and click Add to access the following page.
13.
14.
15. Click Apply.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 0 to access the following page.
17.
18. Click Apply.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree,
and click Add to access the following page.
20.
21.
22. Click Apply.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and click the icon of call rule set 2 to access the following page.
24.
Click 5000 in Available register users, and then click << to add it to Register users bound to the
rule set.
25. Click Apply.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line 2/0, the user name is 1000, and the password is 1000.
2. Configure a local number in the local number configuration page: The ID is 1111, the number is 1111, the bound line is line 2/1, the user name is 1111, and the password is 1111.
3. Configure a call route to Router B in the call route configuration page: The ID is 5000, the destination number is 5, the routing type is SIP, and the SIP routing method is proxy server.
4. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 2.1.1.2.
Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is 5000, the bound line is line 2/0, the user name is 5000, and the password is 5000.
2. Configure a local number in the local number configuration page: The ID is 5555, the number is 5555, the bound line is line 2/1, the user name is 5555, and the password is 5555.
3. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1, the routing type is SIP, and the SIP routing method is proxy server.
4. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 2.1.1.2.
Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree. You can find that numbers 1000, 1111, 5000, and 5555 have been registered with the local SIP server on Router C.
The four phones cannot call external numbers, and phone 5000 cannot call phone 1000.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the following page.
2.
3.
4.
5. Click Apply.
Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access
the following page.
7.
8. Click Apply.
Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to access the
following page.
10.
11.
12. Click Apply.
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
14.
15.
16.
17.
18. Click Apply.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 55661000, the number is 55661000, and the bound line is line 2/0.
2. Configure a call route to Router B in the call route configuration page: The ID is 88995000, the destination number is 88995000, the routing type is SIP, and the destination address is 2.1.1.2.
Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is 5000, the bound line is line 2/0, the user name is 5000, and the password is 5000.
2. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 2.1.1.2.
Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that number 5000 has been registered with the local SIP server on
Router C.
Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes
the area prefix 8899 from the called number, and alerts internal phone 5000. Pick up phone 5000.
The call is established.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the page for configuring services.
2.
3.
4.
5. Click Apply.
Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click
Add to access the following page.
7.
8.
Enter 55665000 for Destination Number Prefix, and 8 for Number Length.
9.
10.
11. Click Apply.
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
13.
14.
15.
16.
17. Click Apply.
Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is 1000, the bound line is line 2/0, the user name is 1000, and the password is 1000.
2. Configure a call route to Router B in the call route configuration page: The ID is 55665000, the destination number is 55665000, the routing type is SIP, and the routing method is proxy server.
Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 55665000, the number is 55665000, and the bound line is line 2/0.
2. Configure a call route to Router A in the call route configuration page: The ID is 1000, the destination number is 1000, the routing type is SIP, and the routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration, and configure the main registrar's IP address as 2.1.1.2.
Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that number 1000 has been registered with the local SIP server on
Router C.
Place a call from phone 1000 to phone 55665000. The local SIP server on Router C adds prefix
8899 before the calling number, and sends the call to phone 55665000. Pick up phone
55665000. The call is established.
Configuring IVR
Overview
Interactive voice response (IVR) is used in voice communications. With the IVR system you can customize interactive operations and make other services easier to use. When a subscriber dials an IVR access number, the IVR system plays prerecorded voice prompts telling the subscriber what to do, for example, to dial a number.
Advantages
A conventional interactive voice system uses fixed audio files and operations. IVR enables you to
customize your own interactive system by adding, modifying, and removing audio files. IVR has the
following advantages.
Various codecs
The IVR system supports four codecs for voice prompts: G.711alaw, G.711ulaw, G.723r53, and G.729r8. Each codec has its advantages and disadvantages: G.711alaw and G.711ulaw provide high voice quality but require more memory space; G.723r53 and G.729r8 provide relatively low voice quality but require less memory space.
Service node: Executes various operations, such as executing an immediate secondary call, auto jumping, terminating a call, and playing an audio file.
Customizable process
You can customize the interactive process easily. For example, configure custom IVR access numbers,
voice prompts, and combinations of keys and voice prompts.
Successive jumping
The IVR process can jump from node to node at most eight times in succession.
Immediate secondary call: The subscriber makes an immediate secondary call without dialing the number of the called party. Immediate secondary calls are executed by service nodes.
Normal secondary call: The subscriber makes a normal secondary call by dialing the number of the called party. Normal secondary calls are executed by call nodes. You can configure a call node to match on the length of the number, on a terminator, or on the number itself.
Extension secondary call: The subscriber makes an extension secondary call by dialing the extension number of the called party. Extension secondary calls are executed by call nodes.
Configuring IVR
Uploading media resource files
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
access the following page.
Figure 791 Media file list
Media Resource ID
Upload media resource files for g729r8, g711alaw, g711ulaw, and g723r53.
Description
Enable.
Disable.
Not enabled by default.
Voice Prompts
Select a voice prompt file. You can configure voice prompt files in Voice
Management > IVR Services > Media Resources Management.
Timeout Time
Enable.
Disable.
Not enabled by default.
Voice Prompts
Select a voice prompt file. You can configure voice prompt files in Voice
Management > IVR Services > Media Resources Management.
Several nodes form a loop, so the subscriber has no option other than jumping around these nodes.
The IVR process jumps from node to node more than eight times.
Node ID
Description
Enable.
Disable.
Disabled by default.
The following options are available for playing voice prompts:
Mandatory play: The subscriber's key presses take effect only after the voice prompt has finished playing.
Specify A Node
Specify the node to which the subscriber is directed when the number of input
errors reaches the maximum.
Enable.
Disable.
Not enabled by default.
Voice Prompts
Select a voice prompt file. Voice prompt files can be configured in Voice
Management > IVR Services > Media Resources Management.
Play Count
Specify A Node
Specify the node to which the subscriber is directed when the number of input
timeouts reaches the maximum.
Timeout Time
Enable.
Disable.
Not enabled by default.
Voice Prompts
Select a voice prompt file. You can configure voice prompt files in Voice
Management > IVR Services > Media Resources Management.
Play Count
Secondary-Call
Length of Numbers
Terminator
Extension Secondary-Call
Extension Number
Corresponding Number
Associate the extension number with the corresponding number. You can click
Add a Rule to configure a rule for executing the secondary call.
By default, no extension secondary call is configured.
Node ID
Description
Key mapping
Node ID
Description
Operation Configuration
Execution Order
Description
Number ID
Item
Description
Number
Bind to Menu
Bind a node in the list to the access number. You can configure the nodes in Voice
Management > IVR Services > Advanced Settings.
selected.
Disable.
Register Username
Register Password
Cnonce Name
Realm Name
Status
IMPORTANT:
The realm name must match the realm configured on the server. Otherwise, authentication fails. If no realm name is configured, the device trusts whatever realm name the server sends in its challenge.
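The Register Username, Register Password, Cnonce Name, and Realm Name items feed SIP digest authentication: the registrar challenges the REGISTER with a realm and nonce, and the device answers with an MD5 digest over the credentials and the challenge (SIP, RFC 3261, reuses the HTTP Digest scheme of RFC 2617, with MD5 as the default algorithm). The Python script below is an added example, not H3C code. It computes the digest both ways, applies the realm check from the IMPORTANT note, and shows what the "trust the server's realm" fallback does. The challenge header, the credentials and the SIP URI are constructed, and how the router maps the Cnonce Name item onto the cnonce parameter is an assumption.

```python
"""SIP REGISTER digest authentication with a pinned realm.

Added example, not H3C code.  The challenge and credentials are constructed."""
import hashlib
import hmac
import re
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_www_authenticate(header: str) -> Dict[str, str]:
    """Parse the parameters of a 'Digest ...' WWW-Authenticate header value."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are supported")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, cnonce: str = "",
                    nc: str = "00000001") -> str:
    """RFC 2617 response: qop=auth form, or the legacy form when the server sent no qop."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def answer_challenge(cfg: Dict[str, str], header: str, uri: str,
                     method: str = "REGISTER") -> Optional[Dict[str, str]]:
    """Device side.  cfg holds register_username, register_password, cnonce_name and,
    optionally, realm_name.  Returns the Authorization parameters, or None when the
    pinned realm differs from the server's (the page: authentication then fails)."""
    ch = parse_www_authenticate(header)
    if cfg.get("realm_name") and ch["realm"] != cfg["realm_name"]:
        return None
    realm = ch["realm"]                     # no realm configured: trust the server's
    qop = "auth" if "auth" in ch.get("qop", "").split(",") else None
    cnonce = cfg.get("cnonce_name", "") if qop else ""
    resp = digest_response(cfg["register_username"], realm, cfg["register_password"],
                           method, uri, ch["nonce"], qop, cnonce)
    auth = {"username": cfg["register_username"], "realm": realm, "nonce": ch["nonce"],
            "uri": uri, "response": resp}
    if qop:
        auth.update(qop="auth", cnonce=cnonce, nc="00000001")
    return auth


def server_verify(password: str, auth: Dict[str, str], method: str = "REGISTER") -> bool:
    """Registrar side: recompute the response from the stored password and compare
    in constant time."""
    expected = digest_response(auth["username"], auth["realm"], password, method,
                               auth["uri"], auth["nonce"], auth.get("qop"),
                               auth.get("cnonce", ""), auth.get("nc", "00000001"))
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    # Constructed challenge, as a registrar would send it in a 401 to REGISTER.
    challenge = 'Digest realm="h3c.example", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth"'
    cfg = {"register_username": "1000", "register_password": "1000",
           "realm_name": "h3c.example", "cnonce_name": "0a4f113b"}
    auth = answer_challenge(cfg, challenge, "sip:2.1.1.2")
    print(auth["response"], server_verify("1000", auth))
```

Leaving Realm Name empty means any host that can answer the device's REGISTER can choose the realm, and with it the HA1 the device computes; pinning the realm makes the device refuse such challenges. Either way the response is an MD5 digest that can be brute-forced offline from a captured exchange, so the password strength and the protection of the signaling path matter more than the realm check.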
After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav.
The subscriber dials 50# at Telephone A to originate a secondary call and then Telephone B1 rings.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
[Network diagram: Telephone A (number 100) attaches to Router A (Eth1/1, 1.1.1.1/24); Telephone B1 (number 50) and Telephone B2 (number 500) attach to Router B (Eth1/1, 1.1.1.2/24); Router A and Router B are connected over IP]
Configuring Router A
# Configure a local number and a call route.
1. Configure a local number in the local number configuration page: The number ID is 100, the number is 100, and the bound line is line 1/0.
2. Configure a route to Router B in the call route configuration page: The route ID is 300, the destination number is 300, the SIP routing method is IP routing, the destination IP address is 1.1.1.2, and the DTMF transmission mode is out-of-band.
Configuring Router B
# Configure local numbers in the local number configuration page:
Local number 500: The number ID is 500, the number is 500, and the bound line is line 1/0.
Local number 50: The number ID is 50, the number is 50, and the bound line is line 1/1.
1.
2.
3.
Click the Browse button of g729r8 codec to select the target file.
4.
Click Apply.
Use the same method to upload other g729r8 media resource files timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file timeout.wav.
If the number of timeouts reaches four, Router B terminates the call.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav. If the number of input errors reaches three, Router B terminates the call.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and select the
Global Key Policy tab.
5.
Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice
Prompts list.
6.
Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice
Prompts for Input Timeout; select timeout from the Voice Prompts list.
7.
Click Apply.
The subscriber dials the number 300 at Telephone A, and hears the voice prompts of audio file
welcome.wav. After that, the subscriber dials 50# at Telephone A, and Telephone B1 rings.
9.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.
10.
11.
12.
Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
13.
Select Match the terminator of the numbers from the Number Match Mode list; type # for
Terminator.
14.
Click Apply.
15.
16.
17.
18.
Click Apply.
2.
After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure the number match length as 3, so that when the subscriber dials 500
(a three-digit number matching that length), Telephone B2 rings.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure: network diagram for this example. Telephone A (number 100) is connected to Router A (Eth1/1, 1.1.1.1/24). Router B (Eth1/1, 1.1.1.2/24) serves Telephone B1 (number 50) and Telephone B2 (number 500).
Configuration procedure
1.
2.
Configure Router B:
# Configure the call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.
Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the length of the numbers from the Number Match Mode list; type 3 for Length of
Numbers.
e. Click Apply.
2.
Dial 500.
Telephone B2 rings.
After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure number match so that when the subscriber dials 50, Telephone B1
rings.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure: network diagram for this example. Telephone A (number 100) is connected to Router A (Eth1/1, 1.1.1.1/24). Router B (Eth1/1, 1.1.1.2/24) serves Telephone B1 (number 50) and Telephone B2 (number 500).
Configuration procedure
1.
2.
Configure Router B:
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.
Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the local number and route from the Number Match Mode list.
e. Click Apply.
2.
Dial 50.
Telephone B1 rings.
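As an added example (not code from the H3C guide or the router's own implementation), the following Python simulation shows how a call node collects DTMF digits under the three Number Match Mode settings used in the examples above (match the terminator of the numbers, match the length of the numbers, match the local number and route), together with the global key policy counters configured above (Max Count of Input Timeouts 4, three input errors, Timeout Time 5 seconds). The route list, the event sequences, the treatment of an unmatched number as an input error, and the choice to play the prompt only for timeouts and errors before the final one are assumptions made for the illustration.

```python
"""Added example, not H3C code: an IVR call node collecting digits under the
three number match modes, with the global timeout/error counters."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

DTMF_KEYS = set("0123456789*#")


class MatchMode(Enum):
    TERMINATOR = "terminator"  # number is complete when the terminator key arrives
    LENGTH = "length"          # number is complete after a fixed digit count
    ROUTE = "route"            # number is complete as soon as it equals a local number/route


@dataclass
class GlobalKeyPolicy:
    max_timeouts: int = 4          # "If the number of timeouts reaches four, terminate"
    max_errors: int = 3            # "If the number of input errors reaches three, terminate"
    timeout_seconds: int = 5       # Timeout Time; timeouts arrive here as explicit events
    timeout_prompt: str = "timeout.wav"
    error_prompt: str = "input_error.wav"


@dataclass
class CallNode:
    mode: MatchMode
    routes: List[str]              # configured local numbers and call-route destinations
    terminator: str = "#"
    length: int = 0                # digit count used in LENGTH mode


@dataclass
class Result:
    outcome: str                   # "call", "terminated" or "pending"
    number: Optional[str] = None
    prompts: List[str] = field(default_factory=list)
    timeouts: int = 0
    errors: int = 0


def run_call_node(node: CallNode, policy: GlobalKeyPolicy, events: List[str]) -> Result:
    """Feed events ('timeout' or one DTMF key) to the node and return the outcome.

    The first decisive outcome wins: a call to a matched number, or termination
    once a counter reaches its maximum. 'pending' means digits are still being
    collected when the events run out.
    """
    res = Result("pending")
    buffer = ""

    def input_error() -> bool:
        """Count an input error; return True when the call must be terminated."""
        nonlocal buffer
        res.errors += 1
        buffer = ""
        if res.errors >= policy.max_errors:
            res.outcome = "terminated"
            return True
        res.prompts.append(policy.error_prompt)   # assumption: prompt before the limit
        return False

    for ev in events:
        if ev == "timeout":
            res.timeouts += 1
            if res.timeouts >= policy.max_timeouts:
                res.outcome = "terminated"
                return res
            res.prompts.append(policy.timeout_prompt)
            continue
        if ev not in DTMF_KEYS:                    # assumption: non-DTMF input is an error
            if input_error():
                return res
            continue

        complete = False
        if node.mode is MatchMode.TERMINATOR:
            if ev == node.terminator:
                complete = True
            else:
                buffer += ev
        elif node.mode is MatchMode.LENGTH:
            buffer += ev
            complete = len(buffer) >= node.length
        else:                                      # MatchMode.ROUTE
            buffer += ev
            if buffer in node.routes:
                complete = True
            elif not any(r.startswith(buffer) for r in node.routes):
                if input_error():                  # no configured number reachable any more
                    return res
                continue

        if complete:
            if buffer in node.routes:
                res.outcome, res.number = "call", buffer
                return res
            if input_error():                      # complete but unknown number
                return res

    res.number = buffer or None
    return res


if __name__ == "__main__":
    routes = ["50", "500"]                         # Telephone B1 and Telephone B2
    print(run_call_node(CallNode(MatchMode.TERMINATOR, routes), GlobalKeyPolicy(), ["5", "0", "#"]))
    print(run_call_node(CallNode(MatchMode.LENGTH, routes, length=3), GlobalKeyPolicy(), ["5", "0", "0"]))
    print(run_call_node(CallNode(MatchMode.ROUTE, routes), GlobalKeyPolicy(), ["5", "0", "0"]))
```

Feeding 5, 0, 0 to a node in route mode connects to 50 after the second digit, because 50 is an exact match and 500 can then never be reached; that overlap is why the examples above reach 500 through the length mode and 50 through the route or terminator mode. Once a counter reaches its limit the node terminates regardless of what is in the digit buffer, so a caller cannot keep a node open indefinitely by alternating wrong digits and silence.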
After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then the subscriber dials 0, and Router B makes an extension secondary call so
that Telephone B rings.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Configuration procedure
1.
2.
Configure Router B:
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.
Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
f.
Click Apply.
2.
Dial 0.
Telephone B rings.
After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then if the subscriber dials #, Router B terminates the call.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Configuration procedure
1.
2.
Configure Router B:
# Configure a jump node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Jump Node tab, and click Add to access the following page.
Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
2.
Dial #.
The call is terminated.
After the subscriber dials 300 (the IVR access number) from Telephone A, Telephone B rings.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Configuration procedure
1.
2.
Configure Router B:
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to access the following page.
d. Click Apply.
d. Click Apply.
After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file bye.wav, and then terminates the call.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Configuration procedure
1.
2.
Configure Router B:
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to access the following page.
d. Click Apply.
d. Click Apply.
If the subscriber presses the * key at Telephone A, the call jumps to the service node and the
subscriber hears voice prompts of the audio file bye.wav. After that, the service node releases the
call.
If the subscriber presses the # key at Telephone A, the call jumps to the call node and the subscriber
hears the voice prompts of the audio file call.wav. After that, if the subscriber dials 1, Telephone B
rings.
Configuration procedure
1.
2.
Configure Router B:
# Configure a local number in the local number configuration page.
The number ID is 500, the number is 500, and the bound line is line 1/0.
# Upload a g729r8 media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation
tree to access the following page.
Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.
Use the same method to upload other g729r8 media resource files timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav. If the number of timeouts reaches four, Router B terminates the call.
If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav. If the number of input errors reaches three, Router B terminates the call.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and select
the Global Key Policy tab.
Figure 822 Configuring the global key policy
a. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice
Prompts list.
b. Enter 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice
Prompts for Input Timeout; select timeout from the Voice Prompts list.
c.
Click Apply.
Select Enable for Play Voice Prompts, select Enable for Mandatory Play, and select call from
the Voice Prompts list.
d. Enter 1 for Extension Number, Enter 500 for Corresponding Number, and click Add a Rule.
e. Click Apply.
d. Click Apply.
c.
Select Enable for both Play Voice Prompts and Mandatory Play.
Select Jump to a specified node from the Key# list, and play-all from its Specify a node list.
g. Click Apply.
d. Click Apply.
If you press the * key at Telephone A, the call jumps to service node 20 and you hear the voice prompts
of the audio file bye.wav. After that, the service node releases the call.
If you press the # key at Telephone A, the call jumps to call node 10 and you hear the voice
prompts of the audio file call.wav. After that, if you dial 1, Telephone B rings.
Create a menu
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and click Add to create a menu. The following describes settings for different types of menus, including
jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and
secondary call.
Description
Menu Node ID
Menu Name
Item
Menu Type
Play Voice Prompts
When the User Enters
the Menu
Description
Select Jump.
By default, Jump is selected.
Select an audio file.
No audio file is selected by default.
Select one of the following methods:
Specify A Menu
Input Error Prompts
Input Timeout
Processing Method
Specify A Menu
Timeout Prompts
Key Mapping
Description
Menu Node ID
Menu Name
Menu Type
Play Voice Prompts When the User Enters
the Menu
Description
Menu Node ID
Menu Name
Menu Type
Play Voice Prompts When the User Enters the
Menu
Item
Description
Description
Menu Node ID
Menu Name
Menu Type
Play Voice Prompts When the User
Enters the Menu
Description
Menu Node ID
Menu Name
Menu Type
Call immediately
Description
Menu Node ID
Menu Name
Menu Type
Play Voice Prompts
When the User Enters the
Menu
Select Secondary-call.
By default, Jump is selected.
Select an audio file.
No audio file is selected by default.
Select one of the following methods.
Specify A Menu
Input Error Prompts
Specify A Menu
Timeout Prompts
Normal Secondary-Call
Number Matching Policy
Match Number
Terminator
Enter an extension number and the corresponding number, and click Add to
associate them.
By default, no extension secondary call is configured.
Select the box of the target access number, and click Apply.
Add a submenu
Select Add A New Node from the Jump to submenu list of Key 0. Click OK on the popup dialog box to
access the following page.
Figure 835 Adding a submenu
You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the
previous menu, dial immediately, or secondary-call. For information about the menu configuration,
see Create a menu.
NOTE:
If new settings are made on the page, click Apply to save them first before you select Add a new menu.
Otherwise, the new settings may get lost.
Delete a menu
Enter the Customize IVR Services page, click the target menu, and click Delete the menu. On the popup
page, click OK.
If you delete a menu that is referenced by another menu, the operation deletes the reference relation in
the menu but not the menu.
If you delete a menu that is referenced within itself, the delete operation deletes both the reference
relation and the menu.
When a user dials the access number 300, the system plays the audio file Hello.wav. Then, the
following events occur:
If the user dials 0, the system jumps to the marketing and sales department menu.
If the user dials 1, the system jumps to the telecom product sales department menu.
If the user dials 2, the system jumps to the government product sales department menu. If the
user dials #, the system terminates the call.
2.
3.
4.
Configuration procedure
1.
Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.
Use the same method to upload other g729r8 media resource files. You can see these uploaded
files in Voice Management > IVR Services > Media Resources Management, as shown in Figure 837.
Figure 837 Media file list
2.
Select Voice Management > IVR Services > Access Number Management from the navigation tree,
and click Add to access the following page.
Figure 838 Configuring an access number
d. Click Apply.
# Create a menu.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation
tree, and click Add to create a menu.
Figure 839 Configuring a menu
Select Jump from the Menu Type list, and Hello from the Play Voice Prompts When the User
Enters the Menu list.
d. Click Next.
Select the box of the access number 300, and click Apply.
3.
# Add submenus for the marketing and sales department, telecom product sales department, and
government product sales department.
Select the voice menu system of Company A from the navigation tree to access the following page.
Figure 843 Voice menu system of Company A
a. Select Add A New Node from the Jump to submenu list of key 0.
b. Click OK on the popup dialog box to access the following page.
Figure 844 Creating a submenu for the marketing and sales department
Select Jump from the Menu Type list, and welcome1 from the Play Voice Prompts When the
User Enters the Menu list.
d. Click Apply.
Configure submenus for the telecom product department and government product department as
per Figure 845 and Figure 846.
Figure 845 Adding a submenu for the telecom product sales department
Figure 846 Adding a submenu for the government product sales department
a. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list for
key 0.
b. Click OK on the popup dialog box to access the following page.
Select Dial immediately from the Menu Type list, and type 500 for Call immediately.
d. Click Apply.
Use the same method to add submenus for the major financial customer department, carrier
customer department, and SMB department.
a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.
After the configuration, the marketing and sales department submenu is as shown in Figure 850
4.
a. Select Jump from the Operation list, and Attendant from the Jump to submenu list of key 0.
b. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of
key 1.
c.
Select Return to the previous node from the Menu Type list, and ProductA from the Play Voice
Prompts When the User Enters the Menu list.
d. Click Apply.
Use the same method to add submenus for introductions to Products B and C. After that, return to
the Customize IVR Services page.
Figure 853 Telecom product sales department submenu
a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.
After the configuration, the telecom product sales department submenu is as shown in Figure 853.
5.
After all the configuration, the Customize IVR Services page is as shown in Figure 854.
Advanced configuration
This section provides global configuration and batch configuration.
Global configuration
Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to
access the global configuration page, as shown in Figure 855.
Figure 855 Global configuration page
Description
Silent: The calling party does not play any tones to the called party during call hold.
Playing music: The calling party plays the specified tones to the called party during call hold.
Select the media resource if you select the Playing Music option. You can upload
media resource files in Voice Management > IVR Services > Media Resources
Management.
Configure the device to play the call progress tones of a specified country or region.
By default, the call progress tones of China are specified.
Item
Description
Backup Rule
Specify the backup rule:
Strict: One of the following three conditions will trigger strict call backup:
The device does not receive any reply from the peer after sending out a call request.
The device fails to initiate a call to the IP network side.
conditions or the following condition happens: the device receives a reject reply
(with a response code from 3xx to 6xx except 300, 301, 302, 305, 401, 407, and 422)
after sending a call request.
Specify the time duration in seconds for switching from the current VoIP link to
another VoIP link or a PSTN link (that is, the call backup switching time) in case of a
VoIP call failure.
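The reject-reply condition above is easy to get wrong in an implementation, so here is an added example (not code from the H3C guide or the router) that classifies a SIP response the way the backup rule describes. Under the strict rule only "no reply" and "failed to initiate the call" trigger backup; under the non-strict rule (the page does not name it, so it is called `loose` here as an assumption) a reject reply with a 3xx to 6xx code also triggers backup, except 300, 301, 302, 305, 401, 407 and 422, which the SIP dialog resolves itself (redirection, authentication challenge, session-timer renegotiation) and therefore do not mean the peer is unreachable. The sample responses are constructed, not captured from a device.

```python
"""Added example, not H3C code: deciding whether a call outcome triggers call backup."""
import re
from typing import Optional

# 3xx-6xx codes that the backup rule explicitly does NOT treat as a failure.
NON_FAILURE_CODES = frozenset({300, 301, 302, 305, 401, 407, 422})
_STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.+)$")


def parse_status_code(response: str) -> int:
    """Return the status code from the status line of a SIP response message."""
    first_line = response.replace("\r\n", "\n").split("\n", 1)[0]
    match = _STATUS_LINE.match(first_line)
    if not match:
        raise ValueError("not a SIP response status line: %r" % first_line)
    return int(match.group(1))


def reject_triggers_backup(code: int) -> bool:
    """True if a final response code counts as a reject reply for backup purposes."""
    return 300 <= code <= 699 and code not in NON_FAILURE_CODES


def should_switch_to_backup(rule: str, event: str, response: Optional[str] = None) -> bool:
    """Decide whether the outcome of a call attempt switches to the backup link.

    rule:  'strict', or 'loose' (the latter name is an assumption, see above).
    event: 'no_reply'        - no reply from the peer after the call request
           'initiate_failed' - the device failed to initiate the call to the IP side
           'response'        - a SIP response was received; pass its text in `response`
    """
    if event in ("no_reply", "initiate_failed"):
        return True                       # both rules switch on these two conditions
    if event != "response":
        raise ValueError("unknown event: %r" % event)
    if rule == "strict":
        return False                      # strict never switches on a reject reply
    if rule != "loose":
        raise ValueError("unknown rule: %r" % rule)
    return reject_triggers_backup(parse_status_code(response or ""))


# Constructed sample responses for the demonstration (not device captures).
SAMPLE_503 = "SIP/2.0 503 Service Unavailable\r\nVia: SIP/2.0/UDP 1.1.1.1:5060\r\n\r\n"
SAMPLE_401 = 'SIP/2.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="example"\r\n\r\n'
SAMPLE_302 = "SIP/2.0 302 Moved Temporarily\r\nContact: <sip:500@1.1.1.2>\r\n\r\n"
SAMPLE_200 = "SIP/2.0 200 OK\r\n\r\n"

if __name__ == "__main__":
    for name, msg in (("503", SAMPLE_503), ("401", SAMPLE_401), ("302", SAMPLE_302), ("200", SAMPLE_200)):
        print(name, "strict:", should_switch_to_backup("strict", "response", msg),
              "loose:", should_switch_to_backup("loose", "response", msg))
```

Treating 401 or 407 as a failure would send every call that the SIP server challenges for credentials straight to the backup link, which is the kind of misclassification the exception list prevents; keep the list in one place so that the backup decision and any monitoring that counts "failed" calls agree.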
Set the maximum number of call history records that can be stored.
Related Time
Parameters of DTMF
Set the DSCP value in the ToS field in the IP packets that carry the RTP stream
globally.
Set the DSCP value in the ToS field in the IP packets that carry the voice signaling
globally.
Batch configuration
Local number
Creating numbers in batch
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Create Numbers in Batch link in the Local Number area to access the page for creating
numbers in batch, as shown in Figure 856.
Description
Start Number
Specify the start number. A series of consecutive numbers starting with the start number
is bound to the selected voice subscriber lines. For example, if you specify the start
number as 3000 and select lines 3/0 and 3/1, line 3/0 is bound to number 3000 and line
3/1 is bound to number 3001.
Set the register username and password in one of the following ways:
Register Mode
Register Username
Register Password
Select an FXS voice subscriber line in the Selected FXS Lines box, and click > to remove the
line from the box.
Click << to add all FXS voice subscriber lines in the Available FXS Lines box into the
Selected FXS Lines box, and then click >> to remove all FXS voice subscriber lines from
the Selected FXS Lines box.
Description
Configure the protocol used for fax communication with other devices.
T.38: Use the T.38 fax protocol. With this protocol, a fax connection can be set up
quickly.
Standard T.38: Use the standard T.38 protocol of H.323 or SIP. The fax negotiation
mode depends on the protocol used (H.323 or SIP).
Fax Protocol
G.711 A-law.
G.711 μ-law.
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the
clocks on both communication sides must be kept synchronized. At present, only
G.711 A-law and G.711 μ-law are supported, and the VAD function should be
disabled.
Enable ECM fax. As defined in ITU-T, the ECM is required by the half-duplex and
half-modulation system running ITU-T V.34 protocol for fax message transmission.
Besides, the G3 fax terminals working in full duplex mode are required to support
half-duplex mode, that is, ECM.
ECM Fax
The fax machines using ECM can correct errors, provide the ARQ function, and
transmit fax packets in the format of HDLC frames. On the contrary, the fax machines
using non-ECM cannot correct errors and they transmit fax packets in the format of
binary strings.
Enable: Enable ECM.
Disable: Disable ECM.
By default, ECM is disabled.
To use ECM, fax machines on both sides and the gateway must support ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the
fax sender and receiver in the ECM mode.
Item
Description
Enable CNG fax switchover function. The CNG fax switchover is used to implement the
fax mailbox service through communication with the VCX. When the local fax machine
A originates a fax call to the peer fax machine B, if B is busy or is unattended, A can
send the fax call to the fax mailbox of the VCX. With CNG fax switchover enabled, the
voice gateway can switch to the fax mode once it receives a CNG from A.
Enable.
Disable.
The function is disabled by default.
Codec Type and Switching mode for SIP Modem Pass-through
Configure the codec type and switching mode for the SIP Modem pass-through function.
Standard G.711 A-law: Adopt the G.711 A-law codec type and Re-Invite switching mode.
Standard G.711 μ-law: Adopt the G.711 μ-law codec type and Re-Invite switching mode.
NTE Compatible G.711 A-law: Adopt the G.711 A-law codec type and NTE-compatible
switching mode.
NTE Compatible G.711 μ-law: Adopt the G.711 μ-law codec type and NTE-compatible
switching mode.
Configure the value of NTE payload type for the NTE-compatible switching mode.
NET Payload Type
Field
This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible
G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem
Pass-through list.
By default, the value of the NTE payload type is 100.
Select the checkboxes of specific local numbers and then click the Apply to Selected
Number(s) button to apply the above fax and Modem settings to the selected local
numbers.
Call services
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Call Services link in the Local Number area to access the local number call services
configuration page, as shown in Figure 858.
Description
Configure call forwarding:
Enable.
Disable.
By default, call forwarding is disabled.
After you enable a call forwarding, enter the corresponding forwarded-to number:
Call Forwarding
Item
Description
Configure call hold:
Enable.
Disable.
By default, call hold is disabled.
Call Hold
After call hold is enabled, set the Max Time Length the Held Party Can Wait parameter
as needed.
IMPORTANT:
The Max Time Length the Held Party Can Wait is only applied to the held party of a call,
that is, the receiver of call hold.
Configure call transfer:
Enable.
Disable.
Call Transfer
Three-Party
Conference
Enable.
Disable.
By default, three-party conference is disabled.
The three-party conference function depends on the call hold function. Therefore, you
must enable the call hold function before configuring three-party conference.
Configure call waiting:
Enable.
Disable.
By default, call waiting is disabled.
Call Waiting
Hunt Group
Enable.
Disable.
By default, hunt group is disabled.
Configure Feature service:
Feature Service
Enable.
Disable.
By default, Feature service is disabled.
Item
Description
Configure MWI:
Enable.
Disable.
Message Waiting
Indicator
Processing Priority
When the Line is
Busy
Select the boxes of desired local numbers, and then click the Apply to Selected
Number(s) button to apply the above call services settings to the selected local numbers.
Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Advanced Settings link in the Local Number area to access the local number advanced
settings page, as shown in Figure 859.
Figure 859 Local number advanced settings page
Description
Codec with the First Priority.
DTMF Transmission
Mode
In-band Transmission.
Out-of-band Transmission.
RFC2833: Adopt the DTMF named telephone event (NTE) transmission mode. When
you adopt this transmission mode, you can configure the payload type field in RTP
packets.
Number Selection
Priority
Set the priority of the local number. The smaller the value, the higher the priority.
Configure a dial prefix for the local number. For a trunk type call route, the dial prefix
is added to the called number to be sent out.
Dial Prefix
Enable.
Disable: Remove the configured dial prefix.
If you select to enable the function, you must enter the dial prefix.
VAD
Configure VAD. VAD discriminates between silence and speech on a voice
connection according to their energy levels. VAD reduces the bandwidth requirements of a
voice connection by not generating traffic during periods of silence in an active voice
connection; speech signals are generated and transmitted only when an active voice
segment is detected. Research shows that VAD can save 50% of the transmission
bandwidth.
Enable.
Disable.
By default, VAD is disabled.
Select the Number(s)
Select the boxes of desired local numbers, and then click the Apply to Selected
Number(s) button to apply the above advanced settings to the selected local numbers.
Call route
Fax and Modem
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Fax and Modem link in the Call Route area to access the call route fax and modem
configuration page, as shown in Figure 860.
Description
Specify the protocol used for fax communication with other devices.
T.38: Use the T.38 fax protocol. With this protocol, a fax connection can be set up
quickly.
Standard T.38: Use the standard T.38 protocol of H.323 or SIP. The fax negotiation
mode depends on the protocol used (H.323 or SIP).
Fax Protocol
G.711 A-law.
G.711 μ-law.
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the
clocks on both communication sides must be kept synchronized. At present, only
G.711 A-law and G.711 μ-law are supported, and the VAD function should be
disabled.
As defined in ITU-T, the error correction mode (ECM) is required by the half-duplex and
half-modulation system running ITU-T V.34 protocol for fax message transmission.
Besides, the G3 fax terminals working in full duplex mode are required to support
half-duplex mode, namely, ECM.
ECM Fax
The fax machines using ECM can correct errors, provide the automatic repeat request
(ARQ) function, and transmit fax packets in the format of HDLC frames. On the
contrary, the fax machines using non-ECM cannot correct errors and they transmit fax
packets in the format of binary strings.
Item
Description
CNG fax switchover is used to implement the fax mailbox service through
communication with the VCX. When the local fax machine A originates a fax call to the
peer fax machine B, if B is busy or is unattended, A can send fax call to the fax mailbox
of the VCX. With CNG fax switchover enabled, the voice gateway can switch to the fax
mode once it receives a CNG from A.
Enable.
Disable.
The function is disabled by default.
Codec Type and Switching mode for SIP Modem Pass-through
Configure the codec type and switching mode for the SIP Modem pass-through function.
Standard G.711 A-law: Adopt the G.711 A-law codec type and Re-Invite switching
mode.
Standard G.711 μ-law: Adopt the G.711 μ-law codec type and Re-Invite switching
mode.
NTE Compatible G.711 A-law: Adopt the G.711 A-law codec type and
NTE-compatible switching mode.
NTE Compatible G.711 μ-law: Adopt the G.711 μ-law codec type and
NTE-compatible switching mode.
Configure the value of the NTE payload type for the NTE-compatible switching mode.
NET Payload Type
Field
This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible
G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem
Pass-through list.
By default, the value of the NTE payload type is 100.
Select the boxes of call routes, and then click the Apply to Selected Route(s) button to
apply the above fax and Modem settings to the selected call routes.
Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Advanced Settings link in the Call Route area to access the call route advanced settings
page, as shown in Figure 861.
Figure 861 Call route advanced settings page
Description
Codec with the First Priority.
DTMF Transmission
Mode
In-band Transmission.
Out-of-band Transmission.
RFC2833: Adopt DTMF named telephone event (NTE) transmission mode. When
you adopt this transmission mode, you can configure the payload type field in RTP
packets.
VAD
Set the priority of the call route. The smaller the value, the higher the priority.
VAD discriminates between silence and speech on a voice connection according
to their energy levels. VAD reduces the bandwidth requirements of a voice connection by
not generating traffic during periods of silence in an active voice connection; speech
signals are generated and transmitted only when an active voice segment is detected.
Research shows that VAD can save 50% of the transmission bandwidth.
Enable.
Disable.
By default, VAD is disabled.
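Both VAD descriptions on this page (the local number and the call route advanced settings) state the same idea: frames are classified as speech or silence by energy, and silent frames are not transmitted. The following added example (not code from the H3C guide or the router's DSP) runs that decision over a constructed 16-bit PCM signal at the 8 kHz telephony rate in 10 ms frames and reports the resulting bandwidth saving. The energy threshold, the hangover of two frames, and the synthetic tone-plus-noise signal are assumptions for illustration, not the device's algorithm.

```python
"""Added example, not H3C code: energy-based VAD over constructed PCM audio."""
import math
import random
from typing import List, Tuple

SAMPLE_RATE = 8000                           # narrowband telephony rate
FRAME_MS = 10                                # G.729 frame length
FRAME_LEN = SAMPLE_RATE * FRAME_MS // 1000   # 80 samples per frame
FULL_SCALE = 32767.0                         # 16-bit PCM full scale


def frame_energy_db(frame: List[int]) -> float:
    """RMS energy of one PCM frame in dB relative to full scale (dBFS)."""
    rms = math.sqrt(sum(s * s for s in frame) / len(frame))
    return 20.0 * math.log10(max(rms, 1e-9) / FULL_SCALE)   # guard against log(0)


def classify_frames(samples: List[int], threshold_db: float = -40.0,
                    hangover: int = 2) -> List[bool]:
    """Return one flag per frame: True = speech (transmit), False = silence (drop).

    A frame above the energy threshold is speech. After speech ends, `hangover`
    further frames are still transmitted so short dips inside a word are not cut.
    """
    flags: List[bool] = []
    remaining = 0
    for start in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN):
        if frame_energy_db(samples[start:start + FRAME_LEN]) > threshold_db:
            remaining = hangover
            flags.append(True)
        elif remaining > 0:
            remaining -= 1
            flags.append(True)
        else:
            flags.append(False)
    return flags


def bandwidth_saving(flags: List[bool]) -> float:
    """Fraction of frames not transmitted, i.e. the bandwidth saved."""
    return 1.0 - sum(flags) / len(flags)


def synth_signal(segments: List[Tuple[bool, int]], seed: int = 1) -> List[int]:
    """Construct test audio from (is_speech, duration_ms) segments: speech is a
    1 kHz tone at about -12 dBFS over faint line noise, silence is the noise alone."""
    rng = random.Random(seed)
    amplitude = FULL_SCALE * 10 ** (-12 / 20) * math.sqrt(2)   # -12 dBFS RMS sine
    samples: List[int] = []
    n = 0
    for is_speech, ms in segments:
        for _ in range(SAMPLE_RATE * ms // 1000):
            noise = rng.uniform(-30, 30)                        # roughly -65 dBFS
            tone = amplitude * math.sin(2 * math.pi * 1000 * n / SAMPLE_RATE) if is_speech else 0.0
            samples.append(int(round(tone + noise)))
            n += 1
    return samples


# Constructed 2-second fragment: 300 ms silence, 500 ms speech, 200 ms pause,
# 400 ms speech, 600 ms silence.
SAMPLE_SEGMENTS = [(False, 300), (True, 500), (False, 200), (True, 400), (False, 600)]


def demo() -> Tuple[int, int, float]:
    """Total frames, frames transmitted, and the saving for the constructed fragment."""
    flags = classify_frames(synth_signal(SAMPLE_SEGMENTS))
    return len(flags), sum(flags), bandwidth_saving(flags)


if __name__ == "__main__":
    total, sent, saving = demo()
    print(f"{total} frames, {sent} transmitted, {saving:.0%} of bandwidth saved")
```

The saving depends entirely on how much of the call is silence, which is why the figure quoted on this page is a typical value rather than a guarantee. The same mechanism is the reason the fax and modem pass-through notes above require VAD to be disabled: a modem carrier or fax tone that dips under the threshold for a few frames is dropped as silence, and the far end sees a broken signal.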
Select the Route(s)
Select the boxes of desired call routes, and then click the Apply to Selected Route(s)
button to apply the above advanced settings to the selected call routes.
Line management
FXS line configuration
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the FXS Line Configuration link in the Line Management area to access the FXS line
configuration page, as shown in Figure 862.
Description
Specify the maximum interval for the user to dial the next digit.
This timer will restart each time the user dials a digit and will work in this way until all
the digits of the number are dialed. If the timer expires before the dialing is completed,
the user will be prompted to hang up and the call is terminated.
Specify the maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user will be prompted to hang up and the call is
terminated.
Configure dial delay time.
By default, the dial delay time is 1 second.
IMPORTANT:
Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If it is
necessary, do so under the guidance of technical personnel.
Low: In this mode, the reliability is high, but DTMF tones may fail to be detected.
Medium: In this mode, the reliability is medium. If you select this option, you can
specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The
greater the value, the higher the probability of false detection. Support for this
option varies with installed cards.
High: In this mode, the reliability is low and detection errors may occur.
Item
Description
Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to
apply the above settings to the selected FXS lines.
Description
Specify the maximum interval for the user to dial the next digit.
This timer will restart each time the user dials a digit and will work in this way until all
the digits of the number are dialed. If the timer expires before the dialing is completed,
the user will be prompted to hang up and the call is terminated.
Specify the maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user will be prompted to hang up and the call is
terminated.
Configure dial delay time.
By default, the dial delay time is 1 second.
Item
Description
IMPORTANT:
Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If it is
necessary, do so under the guidance of technical personnel.
Low: In this mode, the reliability is high, but DTMF tones may fail to be detected.
Medium: In this mode, the reliability is medium. If you select this option, you can
specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The
greater the value, the higher the probability of false detection. Support for this
option varies with installed cards.
High: In this mode, the reliability is low and detection errors may occur.
Select the Line(s)
Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to
apply the above settings to the selected FXO lines.
Description
Specify the maximum interval for the user to dial the next digit.
The timer restarts each time the user dials a digit, until all digits of the number have
been dialed. If the timer expires before dialing is complete, the user is prompted to hang
up and the call is terminated.
Item
Description
Select the boxes of the desired lines, and then click the Apply to Selected Line(s) button to
apply the above settings to the selected E&M lines.
IMPORTANT:
Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If
necessary, do it under the guidance of technical personnel.
Description
Select the boxes of the desired lines, and then click the Apply to Selected Line(s) button to
apply the above settings to the selected ISDN lines.
IMPORTANT:
Gain adjustment may lead to call failures. Adjusting the gain is not recommended. If
necessary, do it under the guidance of technical personnel.
Description
Start Number
Authentication
Username
Authentication
Password
Line states
Use this page to view information about all voice subscriber lines.
Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State
Information page appears.
Figure 867 Line state information page
Description
Name
Type
Description
BRI.
PRI.
FXS.
FXO.
EM.
PAGE.
MOH.
ISDN PRI.
ISDN BRI.
Field
Description
Physical Down: Voice subscriber line is physically down, possibly because no
Click a timeslot (TS) link to view the details about the TS.
Figure 870 Timeslot details
Call statistics
The following pages display call statistics.
Description
Call type.
Only Speech and Fax are supported.
Call status:
Status
SIP UA states
The following pages show SIP UA states:
TCP Connection Information page: Displays information about all TCP-based call connections.
TLS Connection Information page: Displays information about all TLS-based call connections.
Number Register Status page: Displays number register information when you use SIP servers to
manage SIP calls.
Number Subscriber Status page: Displays the subscription status information of MWI when MWI
is in use.
Description
Connection ID
Local Address
Local Port
Remote Address
Remote Port
Connection State
Idle.
Connecting.
Established.
Connection status
Displaying number register status
Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the
Number Register Status tab.
Figure 875 Number register status
Description
Number
Registrar
Address of the registrar, in the format of IP address plus port number or domain
name.
Remaining aging time of the number, that is, the remaining time before the next
registration.
Status of the number, which can be one of the following:
Status
offline: Not registered.
online: Registered.
login: Being registered.
logout: Being deregistered.
dnsin: DNS query is being performed before registration.
dnsout: DNS query is being performed before the number is deregistered.
Description
Number
Phone number.
Subscription Server
MWI server address, in the format of IP address plus port number or domain
name.
Remaining aging time of the subscription, that is, the remaining time before
the next subscription.
Subscription status, which can be one of the following:
Status
offline: Not subscribed.
online: Subscribed.
login: The subscription is being proposed.
logout: The subscription is being canceled.
Description
Server operation mode:
Alone.
Alive.
Server running state:
Server Status
Enabled.
Disabled.
User ID
User ID.
Phone Number
Online: User is online.
Offline: User is offline.
State
Description
Aging Time
Status
Disabled: Not in use.
Offline: Not registered.
Online: Registered.
Login: Being registered.
Logout: Being deregistered.
Dnsin: DNS query is being performed before registration.
Dnsout: DNS query is being performed before deregistration.
Description
Telephone number, which could be one of the following types:
Number
Contact Address
Remaining
Aging Time
(Sec)
Type
This page shows the configuration information of group servers. For how to configure group servers, see
"Managing SIP server groups."
IVR information
The following pages show IVR information:
Description
State
Idle: Node is idle.
Playing a media file.
Waiting for input: Node is waiting for the input of the subscriber.
Calling: Node is calling a number.
Description
Play Count
Play State
Playing.
Not playing.
Play Type
Index
ABCDEFGHILMNOPQRSTUVW
Configuration guidelines, 348
Configuration guidelines, 490
Configuration guidelines, 247
Configuration prerequisites, 447
Configuration prerequisites, 210
Configuration procedure, 350
Advanced settings, 542
Configuration procedure, 160
Configuration procedure, 163
Advantages, 766
Configuration procedure, 448
Configuration procedure, 210
Basic settings, 542
Basic settings, 544
Batch configuration, 821
Call services, 542
Call statistics, 839
Configuration guidelines, 238
Configuration guidelines, 376
Configuration guidelines, 66
Configuration guidelines, 195
Configuration guidelines, 334
Configuration guidelines, 23
Configuring an SA interface, 50
Configuring TR-069, 503
Configuring bridging, 289
Configuring WiNet, 523
Connection status, 842
Configuring IVR, 767
Configuring routes, 190
Displaying radio, 122
Displaying recent system logs, 33
Displaying syslogs, 516
Enabling DHCP, 216
Managing services, 495
Enabling L2TP, 378
Managing users, 497
Network requirements, 447
Overview, 766
Overview, 465
Overview, 209
Overview, 285
Overview, 264
Overview, 239
Overview, 362
Overview, 248
Overview, 148
Overview, 201
Introduction to DHCP, 214
Overview, 190
Introduction to MSTP, 317
Overview, 196
Introduction to RSTP, 317
Overview, 354
Introduction to SIP, 643
Overview, 198
Introduction to STP, 310
Overview, 390
Overview, 170
Overview, 336
Overview, 366
Overview, 188
IVR information, 846
Overview, 701
Overview, 510
Overview, 62
Overview, 67
Line states, 837
Overview, 539
SIP security, 648
SIP trunk account states, 844
SIP trunk configuration examples, 689
Ping, 520
SIP UA states, 841
Ping operation, 521
Traceroute, 520
Traceroute operation, 520
Upgrading software, 507
Regular expression, 611
User level, 5