
HP A-MSR Router Series

Web-Based Configuration Guide

Abstract
This document describes the software features for the HP A Series products and guides you through the
software configuration procedures. These configuration guides also provide configuration examples to
help you apply software features to different network scenarios.

This documentation is intended for network planners, field technical support and servicing engineers, and
network administrators working with the HP A Series products.

Part number: 5998-2054


Software version: CMW520-R2207P02
Document version: 6PW100-20110810
Legal and notice information
© Copyright 2011 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or use
of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents

Web overview ······························································································································································ 1 


Logging in to the web interface ······································································································································· 1 
Logging out of the web interface····································································································································· 2 
Introduction to the web interface ····································································································································· 2 
User level ··········································································································································································· 4 
Introduction to web-based NM functions························································································································ 4 
Common web interface elements ································································································································· 17 
Common buttons and icons ·································································································································· 17 
Content display by pages ···································································································································· 17 
Searching function ················································································································································ 18 
Sorting function······················································································································································ 20 
Managing web-based NM through CLI ······················································································································ 21 
Enabling or disabling web-based NM················································································································ 21 
Managing the current web user ·························································································································· 21 
Configuration guidelines ··············································································································································· 21 
Troubleshooting web browser ······································································································································ 21 
Failure to access the device through the web interface ···················································································· 21 

Configuring device information ································································································································ 25 


Displaying device information ······································································································································ 25 
Device information ················································································································································ 27 
Broadband connection information ····················································································································· 27 
3G wireless card state ·········································································································································· 28 
LAN information ···················································································································································· 29 
WLAN information ················································································································································ 29 
Service information ··············································································································································· 30 
Recent system logs················································································································································· 30 
Integrated service management ··································································································································· 30 

Configuring web interface basic services ················································································································ 31 


Starting the basic configuration wizard·············································································································· 31 
Setting WAN interface parameters ····················································································································· 31 
Setting LAN interface parameters························································································································ 38 
Setting WLAN interface parameters ··················································································································· 40 
Validating basic services configuration ·············································································································· 41 

Configuring WAN interfaces ···································································································································· 43 


Configuring an Ethernet interface ································································································································ 43 
Configuring an SA interface ········································································································································· 46 
Configuration procedure ······································································································································ 46 
Configuring an ADSL/G.SHDSL interface ··················································································································· 47 
Configuration procedure ······································································································································ 48 
Configuring a CE1/PRI interface ································································································································· 51 
Configuration procedure ······································································································································ 51 
Configuring a CT1/PRI interface·································································································································· 54 
Configuration procedure ······································································································································ 54 
Viewing the general information and statistics of an interface ················································································· 55 

Configuring VLAN······················································································································································ 57 


Configuring a VLAN and its VLAN interface ·············································································································· 57 
Configuration task lists ·········································································································································· 57 

Creating a VLAN and its VLAN interface ··········································································································· 58 
Configuring VLAN member ports ························································································································ 59 
Configuring parameters for a VLAN interface ··································································································· 59 
Configuration guidelines ··············································································································································· 61 

Configuring wireless services ···································································································································· 62 


Configuration task list ···················································································································································· 62 
Wireless service configuration ····································································································································· 63 
Configuring wireless access service ···························································································································· 63 
Creating a wireless access service ······················································································································ 63 
Configuring clear type wireless service ·············································································································· 64 
Configuring crypto type wireless service ············································································································ 72 
Security parameter dependencies ······················································································································· 79 
Displaying wireless access service information ·········································································································· 80 
Displaying wireless service information ·············································································································· 80 
Displaying client information ······························································································································· 82 
Displaying RF ping information ··························································································································· 86 
Wireless access configuration examples····················································································································· 87 
Wireless service configuration example ············································································································· 87 
Access service-based VLAN configuration example ························································································· 88 
PSK authentication configuration example ········································································································· 90 
Local MAC authentication configuration example ···························································································· 94 
Remote MAC authentication configuration example ························································································· 97 
Remote 802.1x authentication configuration example ··················································································· 101 
802.11n configuration example ······················································································································· 108 

Configuring client mode ········································································································································· 111 


Enabling the client mode ············································································································································· 111 
Connecting the wireless service ························································································································· 112 
Displaying statistics ············································································································································· 113 
Client mode configuration example ··························································································································· 114 

Configuring radios ·················································································································································· 117 


Configuring data transmit rates ·································································································································· 121 
Configuring 802.11b/802.11g rates ·············································································································· 121 
Configuring 802.11n MCS ······························································································································· 122 
Displaying radio··························································································································································· 123 
Displaying wireless services bound to a radio ································································································ 123 
Displaying detailed radio information ·············································································································· 123 

Configuring WLAN security ··································································································································· 126 


Blacklist and whitelist ··················································································································································· 126 
Configuring the blacklist and whitelist functions ······································································································· 126 
Configuring dynamic blacklist ··························································································································· 126 
Configuring static blacklist ································································································································· 128 
Configuring whitelist ··········································································································································· 128 
User isolation ································································································································································ 129 
Configuring user isolation ··········································································································································· 130 

Configuring WLAN QoS ········································································································································ 131 


Configuring wireless QoS ··········································································································································· 131 
Enabling wireless QoS ······································································································································· 131 
Setting the SVP service········································································································································ 132 
Setting CAC admission policy ··························································································································· 133 
Setting radio EDCA parameters for APs ··········································································································· 133 
Setting EDCA parameters for wireless clients ·································································································· 134 
Display radio statistics ········································································································································ 136 

Displaying client statistics ··································································································································· 138 
Setting rate limiting ············································································································································· 139 
Wireless QoS configuration example························································································································ 140 
CAC service configuration example ················································································································· 140 
Static rate limiting configuration example ········································································································ 142 
Dynamic rate limiting configuration example ·································································································· 143 

Configuring advanced WLAN settings ················································································································· 145 


District code ·································································································································································· 145 
Setting a district code ·················································································································································· 145 
Channel busy test ························································································································································· 145 
Configuring a channel busy test ························································································································ 146 

Configuring 3G management ································································································································ 148 


Managing the 3G modem ·········································································································································· 148 
Displaying the 3G information ·························································································································· 148 
Managing the pin code ······································································································································ 150 

Configuring NAT····················································································································································· 152 


Recommended configuration procedure ··········································································································· 152 
Configuring dynamic NAT ································································································································· 152 
Configuring a DMZ host ····································································································································· 154 
Configuring an internal server ··························································································································· 155 
Enabling application layer protocol check ······································································································· 157 
Configuring connection limit ······························································································································ 157 
NAT configuration examples ······································································································································ 158 
Private hosts to access public network configuration example ······································································ 158 
Internal server configuration example ··············································································································· 160 

Configuring access control ····································································································································· 164 


Access control configuration example ······················································································································· 165 

Configuring URL filtering ········································································································································ 167 


URL filtering configuration example ··························································································································· 169 

Configuring MAC address filtering ······················································································································· 171 


Configuring the MAC address filtering type ···································································································· 171 
Configuring the MAC addresses to be filtered ································································································ 172 
MAC address filtering configuration example ································································································· 173 

Configuring attack protection ································································································································ 175 


Blacklist function ·················································································································································· 175 
Intrusion detection function ································································································································· 175 
Configuring the blacklist function ······························································································································· 178 
Recommended configuration procedure ··········································································································· 178 
Enabling the blacklist function ··························································································································· 178 
Adding a blacklist entry manually ····················································································································· 179 
Viewing blacklist entries ····································································································································· 179 
Configuring intrusion detection ·································································································································· 180 
Attack protection configuration examples ················································································································· 182 
Attack protection configuration example for the A-MSR900/20-1X series routers ····································· 182 
Attack protection configuration example for the A-MSR20/30/50 series routers ······································ 185 

Configuring application control ····························································································································· 189 


Configuring application control ································································································································· 189 
Recommended configuration procedure ··········································································································· 189 
Loading applications··········································································································································· 189 
Configuring a custom application ····················································································································· 190 

Enabling application control ······························································································································ 191 
Application control configuration example ··············································································································· 192 

Configuring webpage redirection ························································································································· 195 


Configuring routes ·················································································································································· 197 
Route configuration ······················································································································································ 197 
Creating an IPv4 static route ······························································································································ 197 
Displaying the active route table ······················································································································· 199 
IPv4 static route configuration example····················································································································· 200 
Configuration guidelines ············································································································································· 202 

Configuring user-based load sharing ···················································································································· 204 


Configuring traffic ordering ··································································································································· 205 
Recommended configuration procedure ··········································································································· 205 
Setting the traffic ordering interval ···················································································································· 206 
Specifying the traffic ordering mode················································································································· 206 
Displaying internal interface traffic ordering statistics ···················································································· 206 
Displaying external interface traffic ordering statistics···················································································· 207 

Configuring DNS ···················································································································································· 208 


Configuring dynamic domain name resolution ································································································ 208 
Enabling DNS proxy ··········································································································································· 209 
Enabling dynamic domain name resolution ····································································································· 210 
Enabling DNS proxy ··········································································································································· 210 
Clearing the dynamic domain name cache ····································································································· 210 
Specifying a DNS server ···································································································································· 210 
Configuring a domain name suffix ···················································································································· 211 
Domain name resolution configuration example ······································································································ 211 

Configuring DDNS ·················································································································································· 217 


Configuration prerequisites ········································································································································· 218 
Configuration procedure ············································································································································· 218 
DDNS configuration example····································································································································· 219 

Configuring DHCP ·················································································································································· 222 


Configuring the DHCP server ····························································································································· 223 
Configuring the DHCP relay agent ··················································································································· 224 
Configuring the DHCP client ······························································································································ 224 
Enabling DHCP ···················································································································································· 225 
Configuring DHCP interface setup ···················································································································· 225 
Configuring a static address pool for the DHCP server ·················································································· 226 
Configuring a dynamic address pool for the DHCP server ············································································ 228 
Configuring IP addresses excluded from dynamic allocation ········································································ 230 
Configuring a DHCP server group ···················································································································· 231 
DHCP configuration examples···································································································································· 232 
DHCP configuration example without DHCP relay agent ··············································································· 233 
DHCP relay agent configuration example ········································································································ 240 
Configuration guidelines ············································································································································· 246 

Configuring ACL ····················································································································································· 247 


Configuring an ACL ····················································································································································· 247 
Configuration task list ········································································································································· 247 
Creating an IPv4 ACL ········································································································································· 248 
Configuring a rule for a basic IPv4 ACL··········································································································· 249 
Configuring a rule for an advanced IPv4 ACL································································································· 250 
Configuring a rule for an Ethernet frame header ACL ···················································································· 253 

Configuration guidelines ············································································································································· 255 

Configuring QoS ····················································································································································· 256 


Subnet limit··························································································································································· 257 
Advanced limit ····················································································································································· 257 
Advanced queue ················································································································································· 258 
Configuring QoS ·························································································································································· 258 
Configuring subnet limit······································································································································ 258 
Configuring advanced limit································································································································ 260 
Configuring advanced queue ···························································································································· 263 
QoS configuration examples ······································································································································ 267 
Subnet limit configuration example ··················································································································· 267 
Advanced queue configuration example·········································································································· 269 
Appendix packet priorities ·········································································································································· 272 

Configuring SNMP·················································································································································· 275 


SNMP agent configuration ········································································································································· 275 
Configuration task list ········································································································································· 275 
Enabling the SNMP agent function ··················································································································· 277 
Configuring an SNMP view ······························································································································· 278 
Configuring an SNMP community ····················································································································· 280 
Configuring an SNMP group ····························································································································· 281 
Configuring an SNMP user ································································································································ 283 
Configuring SNMP trap function ······················································································································· 285 
Displaying SNMP packet statistics ···················································································································· 287 
SNMP configuration example ···································································································································· 288 
SNMPv1 or SNMPv2c configuration example ································································································ 288 
SNMPv3 configuration example ······················································································································· 292 

Configuring bridging ·············································································································································· 299 


Configuring bridging ··················································································································································· 299 
Configuration task list ········································································································································· 299 
Enabling a bridge set ········································································································································· 299 
Adding an interface to a bridge set ·················································································································· 300 
Bridging configuration example ································································································································· 301 

Configuring user groups ········································································································································· 305 


Configuration task list ········································································································································· 305 
Configuring a user group ··································································································································· 306 
Configuring a user ·············································································································································· 306 
Configuring access control ································································································································· 307 
Configuring application control ························································································································· 308 
Configuring bandwidth control ·························································································································· 309 
Configuring packet filtering ······························································································································· 310 
Synchronizing user group configuration for WAN interfaces········································································ 312 
User group configuration example ···························································································································· 312 

Configuring MSTP ··················································································································································· 320 


Introduction to RSTP ············································································································································ 327 
Introduction to MSTP ··········································································································································· 327 
Protocols and standards ····································································································································· 332 
Configuring MSTP ························································································································································ 333 
Configuration task list ········································································································································· 333 
Configuring an MSTP region ····························································································································· 333 
Configuring MSTP globally ································································································································ 334 
Configuring MSTP on a port ······························································································································ 337 
MSTP configuration example ······································································································································ 339 

Configuration guidelines ············································································································································· 344 

Configuring RADIUS ··············································································································································· 346 


Configuring a RADIUS scheme··································································································································· 346 
RADIUS configuration example ·································································································································· 351 
Configuration guidelines ············································································································································· 357 

Configuring login control ······································································································································· 359 


Login control configuration example·························································································································· 360 

Configuring ARP······················································································································································ 362 


Gratuitous ARP ····························································································································································· 362 
Displaying ARP entries ················································································································································ 362 
Creating a static ARP entry ········································································································································· 363 
Removing ARP entries ·················································································································································· 363 
Enabling learning of dynamic ARP entries ················································································································ 364 
Configuring gratuitous ARP ········································································································································· 365 
Static ARP configuration example ······························································································································ 365 

Configuring ARP attack protection························································································································· 371 


Configuring periodic sending of gratuitous ARP packets ························································································ 371 
Configuring ARP automatic scanning ························································································································ 372 
Configuring fixed ARP ················································································································································· 374 

Configuring IPsec VPN ··········································································································································· 375 


Configuring IPsec VPN ················································································································································ 375 
Configuration task list ········································································································································· 375 
Configuring an IPsec connection ······················································································································· 376 
Displaying IPsec VPN monitoring information ································································································· 383 
IPsec VPN configuration example ······························································································································ 384 
Configuration guidelines ············································································································································· 386 

Configuring L2TP ····················································································································································· 388 


Configuring L2TP ·························································································································································· 389 
Recommended configuration procedure ··········································································································· 389 
Enabling L2TP ······················································································································································ 389 
Adding an L2TP group········································································································································ 390 
Displaying L2TP tunnel information ··················································································································· 396 
L2TP configuration example ········································································································································ 396 
Client-initiated VPN configuration example ····································································································· 396 

Configuring GRE ····················································································································································· 402 


Configuring a GRE over IPv4 tunnel ·························································································································· 402 
Configuration prerequisites ································································································································ 402 
Recommended configuration procedure ··········································································································· 402 
Creating a GRE tunnel ········································································································································ 402 
GRE over IPv4 tunnel configuration example············································································································ 404 

Configuring certificate management ····················································································································· 412 


PKI operation ······················································································································································· 412 
Configuring PKI ···························································································································································· 413 
Configuration task list ········································································································································· 413 
Creating a PKI entity ··········································································································································· 415 
Creating a PKI domain ······································································································································· 416 
Generating an RSA key pair ······························································································································ 419 
Destroying the RSA key pair ······························································································································ 420 
Retrieving and displaying a certificate ············································································································· 420 
Requesting a local certificate ····························································································································· 421 

Retrieving and displaying a CRL ······················································································································· 422 
PKI configuration examples········································································································································· 423 
Configuring a PKI entity to request a certificate from a CA (method I) ························································· 423 
Configuring a PKI entity to request a certificate from a CA (method II) ························································ 427 
Applying RSA digital signature in IKE negotiation ·························································································· 432 
Configuration guidelines ············································································································································· 438 

Configuring system management··························································································································· 439 


Configuration management ········································································································································ 439 
Save configuration ·············································································································································· 439 
Initialize configuration ········································································································································ 440 
Backing up configuration ··································································································································· 440 
Restoring configuration ······································································································································· 441 
Backing up and restoring device files through the USB port ·········································································· 442 
Rebooting device ························································································································································· 443 
Service management ··················································································································································· 443 
Configuring service management ······················································································································ 444 
User management ························································································································································ 446 
Creating a user ···················································································································································· 446 
Setting the super password for switching to the management level ······························································ 447 
Switching the user access level to the management level ··············································································· 448 
System time ··································································································································································· 448 
Setting the system time ········································································································································ 449 
Setting the system time zone ······························································································································ 450 
TR-069 configuration ··················································································································································· 450 
TR-069 network framework ································································································································ 451 
Basic functions of TR-069 ··································································································································· 451 
TR-069 configuration ·········································································································································· 452 
Configuration guidelines ···································································································································· 453 
Software upgrade (for the A-MSR900/A-MSR20-1X series) ··················································································· 454 
Upgrading software ············································································································································ 454 
Software upgrade (for the A-MSR20/30/50 series) ······························································································· 454 
Upgrading software ············································································································································ 455 

Configuring SNMP lite············································································································································ 456 


SNMP agent configuration ········································································································································· 456 
SNMP configuration example ···································································································································· 458 
SNMPv1 or SNMPv2c configuration example ································································································ 458 
SNMPv3 configuration example ······················································································································· 459 

Configuring syslog ·················································································································································· 462 


Displaying syslogs ··············································································································································· 462 
Setting the loghost ··············································································································································· 463 
Setting buffer capacity and refresh interval······································································································ 464 

Configuring diagnostic tools ·································································································································· 466 


Trace route ··························································································································································· 466 
Ping ······································································································································································· 466 
Tools operations ··························································································································································· 467 
Trace route operation ········································································································································· 467 
Ping operation ····················································································································································· 467 

Configuring WiNet ················································································································································· 469 


Configuring WiNet ······················································································································································ 470 
Enabling WiNet ·················································································································································· 470 
Setting the background image for the WiNet topology diagram ·································································· 471 
Managing WiNet················································································································································ 471 

Configuring a RADIUS user································································································································ 473 
WiNet configuration example ···································································································································· 474 
WiNet establishment configuration example ··································································································· 474 
WiNet-based RADIUS authentication configuration example ········································································ 480 

Configuring VoIP basic service ······························································································································ 484 


Basic service setup ······················································································································································· 484 
Displaying the configuration wizard homepage ····························································································· 484 
Selecting a country ·············································································································································· 484 
Configuring local numbers ································································································································· 485 
Configuring connection properties ···················································································································· 485 
Finishing configuration wizard ·························································································································· 486 

Local number and call route overview··················································································································· 487 


Basic settings ································································································································································ 487 
Fax and modem ··························································································································································· 487 
Call services·································································································································································· 487 
Advanced settings ························································································································································ 487 

Configuring local number and call route ·············································································································· 488 


Local number························································································································································ 488 
Call route ······························································································································································ 488 
Basic settings ································································································································································ 489 
Configuring a local number ······························································································································· 489 
Configuring a call route ····································································································································· 490 
Configuration examples of local number and call route ························································································· 492 
Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address) ················ 492 
Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name) ···················· 495 
Configuring proxy server involved calling for SIP UAs ··················································································· 499 
Configuring trunk mode calling ························································································································· 506 

Configuring fax and modem ·································································································································· 510 


FoIP ················································································································································································ 510 
Protocols and standards for FoIP ······················································································································· 510 
Fax flow ································································································································································ 511 
Introduction to fax methods ································································································································ 511 
SIP Modem pass-through function ······························································································································ 512 
Configuring fax and modem ······································································································································ 512 
Configuring fax and modem parameters of a local number ·········································································· 512 
Configuring fax and modem parameters of a call route ················································································ 515 

Configuring call services ········································································································································ 517 


Call waiting ························································································································································· 517 
Call hold ······························································································································································· 517 
Call forwarding ··················································································································································· 517 
Call transfer·························································································································································· 518 
Call backup·························································································································································· 518 
Hunt group ··························································································································································· 518 
Call barring·························································································································································· 518 
Message waiting indication ······························································································································· 518 
Three-party conference ······································································································································· 518 
Silent monitor and barge in services ················································································································· 519 
Calling party control ··········································································································································· 519 
Door opening control ·········································································································································· 519 
CID on the FXS voice subscriber line ················································································································ 519 
CID on the FXO voice subscriber line ··············································································································· 520 
Support for SIP voice service of the VCX ·········································································································· 520 

Configuring call services of a local number ············································································································· 520 
Configuring call forwarding, call waiting, call hold, call transfer, and three-party conference ················ 520 
Configuring other voice functions ······················································································································ 522 
Configuring call services of a call route ···················································································································· 524 
Call services configuration examples ························································································································ 525 
Configuring call waiting ····································································································································· 525 
Configuring call forwarding ······························································································································· 526 
Configuring call transfer ····································································································································· 528 
Configuring hunt group ······································································································································ 529 
Configuring three-party conference ··················································································································· 532 
Configuring silent monitor and barge in service ····························································································· 534 

Configuring advanced settings for local numbers and call routes ······································································ 541 
Coding parameters ············································································································································· 541 
Other parameters ················································································································································ 545 
Configuring advanced settings for a local number ·································································································· 545 
Configuring coding parameters for a local number ························································································ 545 
Configuring other parameters for a local number ··························································································· 547 
Configuring advanced settings for a call route ········································································································ 548 
Configuring coding parameters for a call route ······························································································ 548 
Configuring other parameters for a call route ································································································· 549 
Advanced settings configuration example ················································································································ 550 
Configuring out-of-band DTMF transmission mode for SIP ············································································· 550 

Configuring SIP-to-SIP call settings ························································································································· 552 


Configuring codec transparent transmission ············································································································· 552 

Configuring dial plans ············································································································································ 553 


Dial plan process ················································································································································ 553 
Regular expression ·············································································································································· 554 
Introduction to dial plan functions ······························································································································ 556 
Number match ····················································································································································· 556 
Call control ··························································································································································· 557 
Number substitution ············································································································································ 557 
Configuring dial plan ·················································································································································· 558 
Configuring number match ································································································································ 558 
Configuring call control ······································································································································ 559 
Configuring number substitution ························································································································ 563 
Dial plan configuration examples ······························································································································ 565 
Configuring number match mode ······················································································································ 565 
Configuring the match order of number selection rules ·················································································· 567 
Configuring entity type selection priority rules ································································································· 570 
Configuring call authority control ······················································································································ 574 
Configuring number substitution ························································································································ 577 

Configuring call connections·································································································································· 585 


Introduction to SIP ························································································································································ 585 
Terminology ························································································································································· 585 
Functions and features of SIP ····························································································································· 586 
SIP messages························································································································································ 587 
SIP fundamentals ················································································································································· 587 
Support for transport layer protocols ························································································································· 590 
SIP security ···································································································································································· 590 
Signaling encryption ··········································································································································· 590 
Media flow encryption········································································································································ 591 
TLS-SRTP combinations ········································································································································ 591 
Support for SIP extensions ··········································································································································· 592 
Configuring SIP connections ·································································································································· 593 
Configuring connection properties ····························································································································· 593 
Configuring registrar··········································································································································· 593 
Configuring proxy server···································································································································· 595 
Configuring session properties ··································································································································· 595 
Configuring source address binding ················································································································· 596 
Configuring SIP listening ···································································································································· 597 
Configuring media security ································································································································ 598 
Configuring caller identity and privacy ············································································································ 598 
Configuring SIP session refresh·························································································································· 599 
Configuring compatibility ··································································································································· 600 
Configuring advanced settings ··································································································································· 602 
Configuring registration parameters ················································································································· 602 
Configuring voice mailbox server ····················································································································· 604 
Configuring signaling security ··························································································································· 605 
Configuring call release cause code mapping ········································································································· 606 
Configuring PSTN call release cause code mappings ···················································································· 606 
Configuring SIP status code mappings ············································································································· 607 
SIP connection configuration examples ····················································································································· 608 
Configuring basic SIP calling features ·············································································································· 608 
Configuring caller ID blocking ··························································································································· 608 
Configuring SRTP for SIP calls···························································································································· 610 
Configuring TCP to carry outgoing SIP calls ···································································································· 611 
Configuring TLS to carry outgoing SIP calls ····································································································· 612 

Configuring SIP server group management ·········································································································· 614 


Configuring a SIP server group ·································································································································· 614 

Configuring SIP trunk ·············································································································································· 617 


Background ·························································································································································· 617 
Features ································································································································································ 618 
Typical applications ············································································································································ 618 
Protocols and standards ····································································································································· 619 
Configuring SIP trunk ··················································································································································· 619 
Configuration task list ········································································································································· 619 
Enabling the SIP trunk function ·························································································································· 620 
Configuring a SIP server group ························································································································· 620 
Configuring a SIP trunk account ························································································································ 621 
Configuring a call route for outbound calls ·············································································································· 622 
Configuring a call route for a SIP trunk account ······························································································ 622 
Configuring fax and modem parameters of the call route of a SIP trunk account ······································· 624 
Configuring advanced settings of the call route of a SIP trunk account ························································ 624 
Configuring codec transparent transmission ···································································································· 626 
Configuring a call route for inbound calls ················································································································ 626 
SIP trunk configuration examples ······························································································································· 627 
Configuring a SIP server group with only one member server ······································································· 627 
Configuring a SIP server group with multiple member servers ······································································· 635 
Configuring call match rules ······························································································································ 637 

Configuring data link management ······················································································································· 640 


Introduction to E1 and T1 ··········································································································································· 640 
E1 and T1 voice functions ··········································································································································· 640 
E1 and T1 interfaces ··········································································································································· 640 
Features of E1 and T1 ········································································································································ 641 
Introduction to BSV interface ······························································································································ 642 
Configuring digital link management ························································································································ 643 

Configuring VE1 line ·········································································································································· 643 
Configuring VT1 line ··········································································································································· 648 
Configuring BSV line··········································································································································· 651 
Displaying ISDN link state ·································································································································· 656 
E1 and T1 voice configuration example ··················································································································· 657 
Configuring E1 voice DSS1 signaling ·············································································································· 657 

Configuring line management································································································································ 660 


FXS voice subscriber line ···································································································································· 660 
FXO voice subscriber line ··································································································································· 660 
E&M subscriber line ············································································································································ 660 
One-to-one binding between FXS and FXO voice subscriber lines ································································ 662 
Echo adjustment function ············································································································································· 662 
Adjusting echo duration ····································································································································· 662 
Adjusting echo cancellation parameters ··········································································································· 663 
Enabling the nonlinear function of echo cancellation ····················································································· 663 
Line management configuration ································································································································· 663 
Configuring an FXS voice subscriber line ········································································································· 663 
Configuring an FXO voice subscriber line ······································································································· 666 
Configuring an E&M subscriber line ················································································································· 669 
Configuring an ISDN line ··································································································································· 672 
Line management configuration examples ················································································································ 674 
Configuring an FXO voice subscriber line ······································································································· 674 
Configuring one-to-one binding between FXS and FXO ················································································· 675 

Configuring SIP local survival ································································································································ 683 


Configuring SIP local survival ····································································································································· 684 
Service configuration ·········································································································································· 684 
User management ··············································································································································· 685 
Trusted nodes ······················································································································································· 686 
Call-out route························································································································································ 686 
Area prefix ··························································································································································· 687 
Call authority control··········································································································································· 688 
SIP local survival configuration examples ················································································································· 689 
Configuring local SIP server to operate in alone mode ·················································································· 689 
Configuring local SIP server to operate in alive mode···················································································· 692 
Configuring call authority control ······················································································································ 694 
Configuring an area prefix ································································································································ 699 
Configuring a call-out route ······························································································································· 702 

Configuring IVR ······················································································································································· 705 


Advantages ··································································································································································· 705 
Customizable voice prompts ······························································································································ 705 
Various codecs ···················································································································································· 705 
Flexible node configuration································································································································ 705 
Customizable process ········································································································································· 705 
Successive jumping ············································································································································· 706 
Error processing methods ··································································································································· 706 
Timeout processing methods ······························································································································ 706 
Various types of secondary calls ······················································································································· 706 
Configuring IVR ···························································································································································· 706 
Uploading media resource files ························································································································· 706 
Configuring the global key policy ······························································································································ 707 
Configuring IVR nodes ················································································································································ 709 
Configuring a call node ····································································································································· 709 
Configuring a jump node ··································································································································· 712 

Configure a service node ··································································································································· 714 
Configuring access number management ················································································································· 715 
Configuring an access number ·························································································································· 715 
Configuring advanced settings for an access number ···················································································· 716 
IVR configuration examples ········································································································································ 717 
Configure a secondary call on a call node (match the terminator of numbers) ··········································· 717 
Configure a secondary call on a call node (match the number length) ························································ 721 
Configure a secondary call on a call node (match a number) ······································································ 724 
Configure an extension secondary call on a call node ·················································································· 726 
Configuring a jump node ··································································································································· 728 
Configure an immediate secondary call on a service node ··········································································· 730 
Configure a secondary call on a service node ································································································ 732 
Configure a call node, jump node, and service node ···················································································· 734 
Customizing IVR services············································································································································· 740 
Creating a menu·················································································································································· 741 
Binding an access number ································································································································· 747 
Customizing IVR services ···································································································································· 747 
Custom IVR service configuration examples ····································································································· 749 

Advanced IVR configuration ·································································································································· 760 


Global configuration ··················································································································································· 760 
Batch configuration ······················································································································································ 761 
Local number························································································································································ 761 
Call route ······························································································································································ 768 
Line management ················································································································································ 772 
SIP local survival services ··································································································································· 776 

Displaying states and statistics ······························································································································· 777 


Displaying line states ··················································································································································· 777 
Displaying detailed information about analog voice subscriber lines ·························································· 778 
Displaying detailed information about digital voice subscriber lines ···························································· 778 
Displaying call statistics ··············································································································································· 779 
Displaying active call summary ························································································································· 780 
Displaying history call summary ························································································································ 780 
Displaying SIP UA states ············································································································································· 781 
Displaying TCP connection information ············································································································ 781 
Displaying TLS connection information ············································································································· 782 
Displaying number register status ······················································································································ 782 
Displaying number subscription status ·············································································································· 783 
Displaying local survival service states ······················································································································ 783 
Displaying SIP trunk account states ···························································································································· 784 
Displaying server group information·························································································································· 785 
Displaying IVR information·········································································································································· 785 
Displaying IVR call states···································································································································· 785 
Displaying IVR play states ·································································································································· 786 

Support and other resources ·································································································································· 787 


Contacting HP ······························································································································································ 787 
Subscription service ············································································································································ 787 
Related information ······················································································································································ 787 
Documents ···························································································································································· 787 
Websites ······························································································································································ 787 
Conventions ·································································································································································· 788 

Index ········································································································································································ 790 

Web overview

The device provides web-based configuration interfaces for visual device management and maintenance.
Figure 1 Web-based network management operating environment

Logging in to the web interface


Use the following default settings to log in to the web interface through HTTP:
• Username—admin
• Password—admin
• IP address of the device—192.168.1.1.
To log in to the web interface of the device from a PC:
1. Connect the Ethernet port of the device to the PC with a crossover Ethernet cable.
2. Configure an IP address for the PC, and make sure that the PC and the device can reach each other.
For example, assign the PC an IP address such as 192.168.1.2 within the network segment
192.168.1.0/24 (any address except 192.168.1.1).
3. Open the browser and enter the login information:
a. Enter the IP address http://192.168.1.1 in the address bar, and press Enter.
The login page of the web interface appears (see Figure 2).
b. Enter the username admin, the password admin, and the verification code. Select the language (English and
Chinese are supported), and click Login.
Figure 2 Login page of the web interface

NOTE:
• The PC in Figure 1 is the one where you configure the device, but it is not necessarily the web-based network
management terminal. The web-based network management terminal is a PC (or another terminal) used to log in
to the web interface, and it must be reachable by the device.
• After logging in to the web interface, you can create a new user and configure the IP address of the interface
connecting the user to the device.
• If you click the verification code displayed on the web login page, you can get a new verification code.
• Up to 24 users can concurrently log in to the device through the web interface.

Logging out of the web interface


Click Logout in the upper-right corner of the web interface to quit web-based network management.
The system does not automatically save the current configuration before you log out of the web interface,
so remember to save the current configuration before logout.

NOTE:
Closing the browser does not automatically log out a logged-in user.

Introduction to the web interface


The web-based interface is composed of three parts: navigation area, title area, and body area, as
shown in Figure 3.

Figure 3 Initial page of the web interface

(1) Navigation area (2) Title area (3) Body area

• Navigation area—Organizes the web function menus in the form of a navigation tree, where you
can select function menus as needed. The result is displayed in the body area.
• Title area—On the left, displays the path of the current configuration interface in the navigation
area. On the right, provides the Save button to quickly save the current configuration, the Help
button to display the web related help, and the Logout button to log out of the web interface.
• Body area—The area where you can configure and display a function.

User level
Web user levels, ranging from low to high, are visitor, monitor, configure, and management.
• Visitor—Users of this level can perform the ping and trace route operations, but cannot access the
device data or configure the device.
• Monitor—Users of this level can access the device data but cannot configure the device.
• Configure—Users of this level can access data from the device and configure the device, but they
cannot upgrade the host software, add/delete/modify users, or back up/restore the application file.
• Management—Users of this level can perform all operations for the device.
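The level model above lends itself to a least-privilege review of web accounts. The following is an added example, not code from HP or from this guide: it encodes the four levels in the order given here together with a few operations and the minimum levels that Table 1 of this chapter lists for them. The shortened operation labels, account names, and duty lists are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Web user levels in the order the guide gives them, low to high."""
    VISITOR = 0
    MONITOR = 1
    CONFIGURE = 2
    MANAGEMENT = 3


# Minimum level per operation, taken from rows of Table 1 in this guide.
# The dictionary keys are shortened labels chosen for this example.
REQUIRED_LEVEL = {
    "ping": Level.VISITOR,
    "trace route": Level.VISITOR,
    "view ARP table": Level.MONITOR,
    "view system logs": Level.MONITOR,
    "configure packet filtering rules": Level.CONFIGURE,
    "clear log buffer": Level.CONFIGURE,
    "reboot device": Level.CONFIGURE,
    "save as factory default": Level.MANAGEMENT,
    "restore configuration from TFTP": Level.MANAGEMENT,
    "create user": Level.MANAGEMENT,
    "upgrade software": Level.MANAGEMENT,
}


def can_perform(level, operation):
    """A user can perform an operation at its listed level or any higher one."""
    return level >= REQUIRED_LEVEL[operation]


def least_privilege(operations):
    """Lowest level that still covers every operation in the duty list."""
    return max((REQUIRED_LEVEL[op] for op in operations), default=Level.VISITOR)


def audit(accounts):
    """Compare each account's assigned level with what its duties require.

    accounts maps a user name to (assigned level, list of operations).
    Returns (user, finding, needed level) tuples for every mismatch.
    """
    findings = []
    for user, (assigned, duties) in sorted(accounts.items()):
        unknown = [op for op in duties if op not in REQUIRED_LEVEL]
        if unknown:
            findings.append((user, "unknown operation: " + ", ".join(unknown), None))
            continue
        needed = least_privilege(duties)
        if assigned > needed:
            findings.append((user, "over-privileged", needed))
        elif assigned < needed:
            findings.append((user, "under-privileged", needed))
    return findings


# Constructed sample accounts (not from the guide).
SAMPLE_ACCOUNTS = {
    "noc-view": (Level.MONITOR, ["ping", "view ARP table", "view system logs"]),
    "helpdesk": (Level.MANAGEMENT, ["ping", "trace route", "view system logs"]),
    "fw-ops": (Level.CONFIGURE, ["configure packet filtering rules", "reboot device"]),
    "backup": (Level.CONFIGURE, ["restore configuration from TFTP"]),
}

if __name__ == "__main__":
    for user, finding, needed in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: {finding}, duties need {needed.name if needed else 'n/a'}")
```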

Introduction to web-based NM functions


In Table 1, the user level listed for an operation means that users of this level or of a higher level can
perform the operation.
Table 1 Description of web-based NM functions

Function menu | Description | User level
Device Information > Device Information | View and refresh device information, broadband connection information, 3G wireless card state, LAN information, WLAN information, services information, and recent system logs. | Monitor
Device Information > Integrated Service Management | View the URL address of a card. | Monitor
Device Information > Integrated Service Management | Change the URL address of a card, and log in to the web interface of the card. | Configure
Wizard > Basic Configuration Wizard | Perform basic service configuration of routers. | Configure
Interface Setup > WAN Interface Setup | View configuration information of a WAN interface, and WAN interface statistics. | Monitor
Interface Setup > WAN Interface Setup | Modify WAN interface configuration, and clear the statistics of a WAN interface. | Configure
Interface Setup > LAN Interface Setup > VLAN Setup | View configuration information of a VLAN. | Monitor
Interface Setup > LAN Interface Setup > VLAN Setup | Configure a VLAN. | Configure
Interface Setup > LAN Interface Setup > VLAN Interface Setup | View configuration information of a VLAN interface. | Monitor
Interface Setup > LAN Interface Setup > VLAN Interface Setup | Configure a VLAN interface. | Configure
Wireless Configuration > Summary | View wireless service, radio and client information. | Monitor
Wireless Configuration > Summary | View wireless service, radio and client information; clear radio statistics; clear client statistics, disconnect a connection, and add a client to a blacklist. | Configure
Wireless Configuration > Access Service | View configuration information about an access service. | Monitor
Wireless Configuration > Access Service | Create and configure an access service. | Configure
Wireless Configuration > Radio | View radio parameters and radio rate settings. | Monitor
Wireless Configuration > Radio | Set radio parameters, 802.11a/b/g rates, and 802.11n MCS. | Configure
Wireless Configuration > Security | View configuration information for blacklist, whitelist, and user isolation. | Monitor
Wireless Configuration > Security | Configure blacklist, whitelist, and user isolation. | Configure
Wireless Configuration > Wireless QoS | View wireless QoS and rate limiting settings, and radio and client information. | Monitor
Wireless Configuration > Wireless QoS | Configure wireless QoS and rate limiting, and clear radio and client information. | Configure
Wireless Configuration > Country Code | View configuration information of the country code. | Monitor
Wireless Configuration > Country Code | Set the country code. | Configure
3G > 3G Information | View 3G modem information, UIM card information, and 3G network information. | Monitor
3G > PIN Code Management | View UIM card status. | Monitor
3G > PIN Code Management | Manage PIN codes. | Configure
NAT Configuration > NAT Configuration > Dynamic NAT | View information about NAT configurations. | Monitor
NAT Configuration > NAT Configuration > Dynamic NAT | Configure NAT. | Configure
NAT Configuration > NAT Configuration > DMZ HOST | Create a DMZ host. | Monitor
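NAT Configuration > NAT Configuration > DMZ HOST | Enable DMZ host on an interface. | Configure
NAT Configuration > NAT Configuration > NAT Server Setup | View configurations of the internal server. | Monitor
NAT Configuration > NAT Configuration > NAT Server Setup | Configure the internal server. | Configure
NAT Configuration > NAT Configuration > ALG | View configurations of the application layer protocol check function. | Monitor
NAT Configuration > NAT Configuration > ALG | Configure the application layer protocol check function. | Configure
NAT Configuration > NAT Configuration > Nat Outbound Setup | View configuration information about the number of connections displayed. | Monitor
NAT Configuration > NAT Configuration > Nat Outbound Setup | Configure connection limit. | Configure
Security Setup > Access | View access control configuration information. | Monitor
Security Setup > Access | Configure access control. | Configure
Security Setup > URL Filter | View information about URL filtering conditions. | Monitor
Security Setup > URL Filter | Add or delete URL filtering conditions. | Configure
Security Setup > MAC Address Filtering | View information about MAC address filtering conditions. | Monitor
Security Setup > MAC Address Filtering | Set MAC address filtering types, add or delete MAC addresses to be filtered. | Configure
Security Setup > Attack Defend > Blacklist | View and refresh the blacklist information and whether blacklist filtering is enabled. | Monitor
Security Setup > Attack Defend > Blacklist | Add, modify, delete and clear blacklist entries, and enable or disable blacklist filtering. | Configure
Security Setup > Attack Defend > Intrusion Detection | View intrusion detection configuration information. | Monitor
Security Setup > Attack Defend > Intrusion Detection | Configure intrusion detection. | Configure
Security Setup > Application Control > Application Control | View application control configuration information. | Monitor
Security Setup > Application Control > Application Control | Configure application control. | Configure
Security Setup > Application Control > Load Application | Load an application and view the loaded application. | Configure
Security Setup > Application Control > Custom Application | View custom application information. | Monitor
Security Setup > Application Control > Custom Application | Add, modify, and delete a custom application. | Configure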
Advance > Redirection | View the configuration information of redirection. | Monitor
Advance > Redirection | Add, modify, or remove the redirection configuration on an interface. | Configure
Advance > Route Setup > Summary | View IPv4 route summary information. | Monitor
Advance > Route Setup > Create | Create IPv4 static routes. | Configure
Advance > Route Setup > Remove | Delete IPv4 static routes. | Configure
Advance > User-based-sharing | View the IP address, mask, and load sharing information of an interface. | Monitor
Advance > User-based-sharing | Modify the load sharing status and shared bandwidth of an interface. | Configure
Advance > Traffic Ordering > Config | View IP addresses, traffic ordering mode and traffic ordering interval for interfaces. | Monitor
Advance > Traffic Ordering > Config | Configure traffic ordering mode and interval. | Configure
Advance > Traffic Ordering > Statistics of Inbound Interfaces | View inbound interface traffic ordering statistics. | Monitor
Advance > Traffic Ordering > Statistics of Outbound Interfaces | View outbound interface traffic ordering statistics. | Monitor
Advance > DNS Setup > DNS Configuration | View DNS configurations. | Monitor
Advance > DNS Setup > DNS Configuration | Configure DNS. | Configure
Advance > DNS Setup > DDNS Configuration | View DDNS configurations. | Monitor
Advance > DNS Setup > DDNS Configuration | Add, modify, and delete a DDNS entry. | Configure
Advance > DHCP Setup > DHCP Enable | View whether DHCP is globally enabled or disabled. | Monitor
Advance > DHCP Setup > DHCP Enable | Enable or disable DHCP. | Configure
Advance > DHCP Setup > DHCP Interface Setup | View DHCP server, relay, or client configurations on an interface. | Monitor
Advance > DHCP Setup > DHCP Interface Setup | Enable the DHCP server, relay, or client on an interface. | Configure
Advance > QoS Setup > ACL IPv4 > Summary | View summary IPv4 ACL information. | Monitor
Advance > QoS Setup > ACL IPv4 > Create | Create an IPv4 ACL. | Configure
Advance > QoS Setup > ACL IPv4 > Basic Config | Configure a basic rule for an IPv4 ACL. | Configure
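Advance > QoS Setup > ACL IPv4 > Advanced Config | Configure an advanced rule for an IPv4 ACL. | Configure
Advance > QoS Setup > ACL IPv4 > Link Config | Configure a link layer rule for an IPv4 ACL. | Configure
Advance > QoS Setup > ACL IPv4 > Remove | Remove an IPv4 ACL. | Configure
Advance > QoS Setup > Subnet Limit | View subnet limit configuration information. | Monitor
Advance > QoS Setup > Subnet Limit | Add, modify or delete subnet limit rules. | Configure
Advance > QoS Setup > Advanced Limit | View advanced limit configuration information. | Monitor
Advance > QoS Setup > Advanced Limit | Add, modify, or delete advanced limit rules. | Configure
Advance > QoS Setup > Advanced Queue | View advanced queue configuration information. | Monitor
Advance > QoS Setup > Advanced Queue | Configure interface bandwidth, add, modify, or delete bandwidth guarantee policies. | Configure
Advance > QoS Setup > Classifier > Summary | View classifier information. | Monitor
Advance > QoS Setup > Classifier > Create | Create a classifier. | Configure
Advance > QoS Setup > Classifier > Setup | Configure classification rules for a classifier. | Configure
Advance > QoS Setup > Classifier > Remove | Remove a classifier. | Configure
Advance > QoS Setup > Behavior > Summary | View behavior information. | Monitor
Advance > QoS Setup > Behavior > Create | Create a behavior. | Configure
Advance > QoS Setup > Behavior > Setup | Configure actions for a behavior. | Configure
Advance > QoS Setup > Behavior > Remove | Remove a behavior. | Configure
Advance > QoS Setup > Policy > Summary | View QoS policy information. | Monitor
Advance > QoS Setup > Policy > Create | Create a QoS policy. | Configure
Advance > QoS Setup > Policy > Setup | Configure classifier-behavior associations. | Configure
Advance > QoS Setup > Policy > Remove | Remove a QoS policy. | Configure
Advance > QoS Setup > Port Policy > Summary | View QoS policy application information of a port. | Monitor
Advance > QoS Setup > Port Policy > Setup | Apply a QoS policy to a port. | Configure
Advance > QoS Setup > Port Policy > Remove | Remove a QoS policy from a port. | Configure
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Setup | View and refresh SNMP configuration information and statistics. | Monitor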
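Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Setup | Configure SNMP. | Configure
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Community | View brief information about SNMP communities. | Monitor
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Community | Create, modify and remove an SNMP community. | Configure
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Group | View brief information about SNMP groups. | Monitor
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Group | Create, modify, and remove an SNMP group. | Configure
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > User | View brief information about SNMP users. | Monitor
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > User | Create, modify, and remove an SNMP user. | Configure
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Trap | View the status (enabled or disabled) of the SNMP trap function and target host information. | Monitor
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > Trap | Enable or disable the SNMP trap function; create, modify, and remove a target host. | Configure
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > View | View brief information of SNMP views. | Monitor
Advance > SNMP (supported on the A-MSR20, A-MSR30, and A-MSR50) > View | Create, modify, and remove an SNMP view. | Configure
Advance > Bridge > Global Config | View and set global bridging information. | Configure
Advance > Bridge > Config Interface | View and set interface bridging information. | Configure
Advance > Security > User Group > Group | View user group configuration. | Monitor
Advance > Security > User Group > Group | Configure user groups. | Configure
Advance > Security > User Group > User | View user configuration. | Monitor
Advance > Security > User Group > User | View users. | Configure
Advance > Security > User Group > WAN Synchronization | Synchronize the user group configuration to a WAN interface. | Configure
Advance > Security > Connection Control | View access control configuration. | Monitor
Advance > Security > Connection Control | Configure time range-based access control. | Configure
Advance > Security > Application Control | View custom application configuration. | Monitor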
Advance > Security > Application Control | Customize applications. | Configure
Advance > Security > Bandwidth | View bandwidth management configuration. | Monitor
Advance > Security > Bandwidth | Configure bandwidth control. | Configure
Advance > Security > Packet Filter | View packet filtering rules. | Monitor
Advance > Security > Packet Filter | Configure packet filtering rules. | Configure
Advance > MSTP > Region | Configure the MST region-related parameters and VLAN-to-MSTI mappings. | Monitor
Advance > MSTP > Region | Modify the MST region-related parameters and VLAN-to-MSTI mappings. | Configure
Advance > MSTP > Port | View MSTP port parameters. | Monitor
Advance > MSTP > Port | Modify MSTP port parameters. | Configure
Advance > MSTP > Global | View MSTP parameters globally. | Configure
Advance > RADIUS | View and add, modify, and delete a RADIUS scheme. | Management
Advance > Access | View login control rules. | Monitor
Advance > Access | Add and delete a login control rule. | Configure
Advance > ARP Management > ARP Table | View an ARP table. | Monitor
Advance > ARP Management > ARP Table | Add, modify, and delete ARP entries. | Configure
Advance > ARP Management > Gratuitous ARP | View gratuitous ARP configuration information. | Monitor
Advance > ARP Management > Gratuitous ARP | Configure gratuitous ARP. | Configure
Advance > ARP Management > Dynamic Entry | View the number of dynamic ARP entries that an interface can learn. | Monitor
Advance > ARP Management > Dynamic Entry | Enable or disable an interface to or from learning dynamic ARP entries, and change the number of dynamic ARP entries that an interface can learn. | Configure
Advance > ARP Anti-Attack > Scan | Specify the interface performing ARP automatic scanning. | Monitor
Advance > ARP Anti-Attack > Scan | Start or stop ARP scanning. | Configure
Advance > ARP Anti-Attack > Fix | View all static and dynamic ARP entries. | Monitor
Advance > ARP Anti-Attack > Fix | Convert all dynamic ARP entries to static ones or delete all static ARP entries. | Configure
VPN > IPsec VPN > IPsec Connection | View IPsec connection configuration. | Monitor
VPN > IPsec VPN > IPsec Connection | Add, modify, delete, enable, or disable an IPsec connection. | Configure
VPN > IPsec VPN > Monitoring Information | View configuration, status, and tunnel information of IPsec connections. | Monitor
VPN > IPsec VPN > Monitoring Information | Delete tunnels that are set up with configuration of an IPsec connection, and delete all ISAKMP SAs of an IPsec connection. | Configure
VPN > L2TP > L2TP Configuration | View L2TP status and L2TP group configuration information. | Monitor
VPN > L2TP > L2TP Configuration | Configure L2TP status, add, modify or delete an L2TP group. | Configure
VPN > L2TP > Tunnel Info | View L2TP tunnel information. | Monitor
VPN > GRE | View GRE tunnel information. | Monitor
VPN > GRE | Add, modify, or delete a GRE tunnel. | Configure
Certificate Management > Entity | View PKI entity information. | Monitor
Certificate Management > Entity | Add, change, and delete PKI entities. | Configure
Certificate Management > Domain | View PKI domain information. | Monitor
Certificate Management > Domain | Add, change, and delete PKI domains. | Configure
Certificate Management > Certificate | View PKI certificates and details of the certificate. | Monitor
Certificate Management > Certificate | Create keys, retrieve certificates, apply for certificates, and delete certificates. | Configure
Certificate Management > CRL | View CRLs. | Monitor
Certificate Management > CRL | Retrieve CRLs. | Configure
System Management > Configuration > Save | Save the current configuration to the configuration file to be used at the next startup. | Configure
System Management > Configuration > Save | Save the current configuration as the factory default configuration. | Management
System Management > Configuration > Initialize | Restore all configurations on the device to the factory default configuration. | Configure
System Management > Configuration > Backup Configuration | Upload the current startup configuration file of the device to the TFTP server for backup. | Management
System Management > Configuration > Restore Configuration | Download the configuration file saved on the TFTP server to the current configuration file of the device. | Management
System Management > Configuration > Backup and Restore | View device files. | Monitor
System Management > Configuration > Backup and Restore | Back up files on the device to the destination device through a USB port; transfer files from the device where the files are backed up to the local device through a USB port. | Configure
System Management > Reboot | Reboot device. | Configure
System Management > Service Management | View related configuration of system services. | Configure
System Management > Service Management | Set whether to enable different services and set related parameters. | Management
System Management > Users > User Summary | View brief information of users. | Monitor
System Management > Users > Super Password | Set the super password for switching to management level. | Management
System Management > Users > Create User | Create a user. | Management
System Management > Users > Modify User | Modify user account. | Management
System Management > Users > Remove User | Remove a user. | Management
System Management > Users > Switch To Management | Switch user access level to the management level. | Visitor
System Management > SNMP (supported on the A-MSR900 series and MSR20-1X series) | View SNMP configuration information. | Monitor
System Management > SNMP (supported on the A-MSR900 series and MSR20-1X series) | Configure SNMP. | Configure
System Management > System Time > System Time | View current system time and its configurations. | Monitor
System Management > System Time > System Time | Set system time. | Configure
System Management > TR-069 | View TR-069 configurations. | Monitor
System Management > TR-069 | Set TR-069. | Configure
System Management > Software Upgrade | Upgrade software of the device. | Management
Other > Syslog > Loglist | View detailed system logs. | Monitor
Other > Syslog > Loglist | Clear log buffer. | Configure
Other > Syslog > Loghost | View configurations of the specified loghost. | Monitor
Other > Syslog > Loghost | Set the IP address of the loghost. | Configure
Other > Syslog > Logset | View the number of logs that can be stored in the log buffer; set the refresh period on the log information displayed on the web interface. | Monitor
Other > Syslog > Logset | Set the number of logs that can be stored in the log buffer. | Configure
Other > Diagnostic Tools > Ping | Execute ping and view the result. | Visitor
Other > Diagnostic Tools > Trace Route | Execute trace route and view the result. | Visitor
Other > WiNet > WiNet Management | View and refresh the WiNet topology diagram and view detailed device information. | Monitor
Other > WiNet > WiNet Management | Manually trigger the collection of topology information, save the current WiNet topology as the baseline topology, restore the configuration to factory defaults, and restart the member. | Configure
Other > WiNet > Setup | Configure WiNet. | Configure
Other > WiNet > User Management | View RADIUS user information. | Monitor
Other > WiNet > User Management | Add, modify, and delete a RADIUS user. | Configure
Voice Management > Configuration Wizard | View configuration information about the configuration wizard. | Monitor
Voice Management > Configuration Wizard | Configure voice basic parameters through the configuration wizard. | Configure
Voice Management > Local Number | View local number configuration information. | Monitor
Voice Management > Local Number | Create, set, and delete a local number. | Configure
Voice Management > Call Route | View call route configuration information. | Monitor
Voice Management > Call Route | Create, set, and delete a call route. | Configure
Voice Management > Dial Plan > Number Match | View number match configuration information. | Monitor
Voice Management > Dial Plan > Number Match | Configure number match parameters. | Configure
Voice Management > Dial Plan > Call Authority Control | View call number groups, and the maximum number of call connections in a set. | Monitor
Voice Management > Dial Plan > Call Authority Control | Configure a call number group, and the maximum number of call connections in a set. | Configure
Voice Management > Dial Plan > Number Substitution | View number substitution configuration information. | Monitor
Voice Management > Dial Plan > Number Substitution | Configure number substitution. | Configure
Voice Management > Call Connection > SIP Connection | View connection properties, session properties, advanced settings, and call release cause code mappings. | Monitor
Voice Management > Call Connection > SIP Connection | Configure connection properties, session properties, advanced settings, and call release cause code mappings. | Configure
Voice Management > Call Connection > SIP Server Group Management | View SIP server group configuration. | Monitor
Voice Management > Call Connection > SIP Server Group Management | Configure a SIP server group. | Configure
Voice Management > Digital Link Management | View VE1, VT1, and BSV line configuration, and line state. | Monitor
Voice Management > Digital Link Management | View and configure a VE1, VT1, and BSV line. | Configure
Voice Management > Line Management | View FXS, FXO, E&M, and ISDN configuration information and state. | Monitor
Voice Management > Line Management | Configure an FXS, FXO, E&M, and ISDN line, and query their state. | Configure
Voice Management > SIP Trunk Management > Service Configuration | View SIP trunk status. | Monitor
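Voice Management > SIP Trunk Management > Service Configuration | Enable the SIP trunk function. | Configure
Voice Management > SIP Trunk Management > Account Management | View SIP account configuration. | Monitor
Voice Management > SIP Trunk Management > Account Management | Add, modify, and delete a SIP account. | Configure
Voice Management > SIP Trunk Management > Call Route | View call route configuration. | Monitor
Voice Management > SIP Trunk Management > Call Route | Add, modify, and delete a call route. | Configure
Voice Management > SIP Local Survival > Service Configuration | View SIP local survival configuration. | Monitor
Voice Management > SIP Local Survival > Service Configuration | Configure SIP local survival. | Configure
Voice Management > SIP Local Survival > User Management | View registered user configuration. | Monitor
Voice Management > SIP Local Survival > User Management | Add, modify, and delete a registered user. | Configure
Voice Management > SIP Local Survival > Trust Nodes | View trust node configuration. | Monitor
Voice Management > SIP Local Survival > Trust Nodes | Add, modify, and delete a trust node. | Configure
Voice Management > SIP Local Survival > Call-Out Route | View call-out route configuration. | Monitor
Voice Management > SIP Local Survival > Call-Out Route | Add, modify, and delete a call-out route. | Configure
Voice Management > SIP Local Survival > Area Prefix | View area prefix configuration. | Monitor
Voice Management > SIP Local Survival > Area Prefix | Add and delete an area prefix. | Configure
Voice Management > SIP Local Survival > Call Authority Control | View call authority control configuration and application. | Monitor
Voice Management > SIP Local Survival > Call Authority Control | Add and delete a call rule set, and apply the call rule set globally or to registered users. | Configure
Voice Management > IVR Services > Media Resources Management | View media resources configuration. | Monitor
Voice Management > IVR Services > Media Resources Management | Upload media resource files or configure an MOH audio input port. | Configure
Voice Management > IVR Services > Access Number Management | View access number configuration. | Monitor
Voice Management > IVR Services > Access Number Management | Add, modify, and delete an access number. | Configure
Voice Management > IVR Services > Processing Methods Customization | View processing methods customization configuration. | Monitor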
Voice Management > IVR Services > Processing Methods Customization | Configure processing methods customization configuration. | Configure
Voice Management > IVR Services > Advanced Settings | View service node and global key policy configuration. | Monitor
Voice Management > IVR Services > Advanced Settings | Configure service node and global key policy configuration. | Configure
Voice Management > Advanced Configuration > Global Configuration | View global configuration information. | Monitor
Voice Management > Advanced Configuration > Global Configuration | Perform global configurations. | Configure
Voice Management > Advanced Configuration > Batch Configuration | View batch configuration information. | Monitor
Voice Management > Advanced Configuration > Batch Configuration | Create local numbers, call routes, manage lines, and configure SIP local survival in batches. | Configure
Voice Management > States and Statistics > Line States | View information about all voice subscriber lines. | Monitor
Voice Management > States and Statistics > Call Statistics | View and refresh active and history call statistics. | Monitor
Voice Management > States and Statistics > Call Statistics | View and refresh active and history call statistics, and clear history call statistics. | Configure
Voice Management > States and Statistics > SIP UA States | View information about all TCP-based call connections, TLS-based call connections, number register information, and subscription status information. | Monitor
Voice Management > States and Statistics > SIP UA States | View information about all TCP-based call connections, TLS-based call connections, number register information, and subscription status information, and terminate specified TCP and TLS connections. | Configure
Voice Management > States and Statistics > Local Survival Service States | View and refresh registration and subscription status. | Monitor

Common web interface elements
Common buttons and icons
Table 2 Common buttons and icons

Button and icon Description

Validates the configuration.

Cancels the configuration, and goes to the corresponding display page or device information page.

Refreshes the current page.

Clears all statistics or items in a list.

Adds an item.

Deletes entries on a list.

Selects all entries on a list or all ports on a device panel.

Clears all selected entries on a list or all ports on a device panel.

Typically located on the Operation column of a display page, it launches the modify page of a corresponding entry to display or modify the configurations of the entry.

Typically located on the Operation column of a display page, it removes an entry.

Content display by pages


The web interface can display contents by pages, as shown in Figure 4. You can set the number of entries
displayed per page and view the contents on the first, previous, next, and last pages, or go to any page
that you want to check.

Figure 4 Content display by pages

Searching function
The web interface provides basic and advanced search functions, which display entries matching the
specified search criteria.
• Basic search—As shown in Figure 4, enter the keyword in the text box above the list, select a search
item from the dropdown list, and click the Search button to display the entries that match your
criteria. Figure 5 shows an example of searching for entries with VLAN ID equal to 2.
Figure 5 Basic search function example

• Advanced search—As shown in Figure 4, you can click the Advanced Search link to open the
advanced search page illustrated in Figure 6. Specify the search criteria, and click Apply to display
the entries that match your criteria.

Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. To search for the ARP entries with interface Ethernet
0/4, and IP address range from 192.168.1.50 to 192.168.1.59, follow these steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 7, and click Apply. The ARP entries with interface Ethernet 0/4 are displayed.
Figure 7 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 8, and click Apply. The ARP entries with interface Ethernet 0/4 and IP address range from
192.168.1.50 to 192.168.1.59 are displayed, as shown in Figure 9.
Figure 8 Advanced searching function example (II)

Figure 9 Advanced searching function example (III)

Sorting function
The web interface provides you with a basic sorting function to sort entries by column.
Basic sorting function: On a list page, click the blue heading item of each column to sort the entries based
on the heading item you selected. After you click, the heading item is displayed with an arrow beside it,
as shown in Figure 10. The upward arrow indicates ascending order, and the downward arrow indicates
descending order.
Figure 10 Basic sorting function example (based on IP address in descending order)

Managing web-based NM through CLI
Enabling or disabling web-based NM
Table 3 Enable/disable the web-based NM service

Task Command
Enable the web-based NM service. ip http enable

Disable the web-based NM service. undo ip http enable

Managing the current web user


Table 4 Manage the current web user

Task Command
Display currently logged in users. display web users

Log out a specified user or all users. free web-users { all | user-id userid | user-name username }

Configuration guidelines
• The web-based configuration interface supports the following:
Operating systems: Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition,
Windows Server 2003 Standard Edition, Windows Vista, Linux and MAC OS.
Browsers: Microsoft Internet Explorer 6.0 SP2 and later, Mozilla Firefox 3.0 and later, and
Google Chrome 2.0.174.0 and later.
• The web-based configuration interface does not support the Back, Next, Refresh buttons provided by
the browser. Using these buttons may result in abnormal display of webpages.
• The Windows firewall limits the number of TCP connections. When you use IE to log in to the web
interface, you may be unable to open the web interface. To avoid this problem, turn off the
Windows firewall before logging in.
• If the software version of the device changes, clear the cache data on the browser before logging in
to the device through the web interface. Otherwise, the webpage content may not be displayed
correctly.
• You can display at most 20,000 entries that support content display by pages.

Troubleshooting web browser


Failure to access the device through the web interface
Symptom
You can ping the device successfully and log in to the device through telnet. HTTP is enabled, and the
operating system and browser version meet the web interface requirements. However, you cannot access
the web interface of the device.

Analysis
• If you use Microsoft Internet Explorer, you can access the web interface only when the following
functions are enabled: Run ActiveX controls and plug-ins, script ActiveX controls marked safe for
scripting, and active scripting.
• If you use Mozilla Firefox, you can access the web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings


1. Open Internet Explorer, and select Tools > Internet Options.
2. Click the Security tab, and then select a web content zone to specify its security settings. See Figure
11.
Figure 11 Internet Explorer setting (I)

3. Click Custom Level, and the Security Settings dialog box appears.
4. Enable these functions: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for
scripting, and Active scripting. See Figure 12.

Figure 12 Internet Explorer Setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox web browser settings
1. Open the Firefox web browser, and select Tools > Options.
2. Click the Content tab, select Enable JavaScript, and click OK. See Figure 13.
Figure 13 Firefox web browser setting

Configuring device information

Displaying device information


You can view the following information on the Device Info menu:
• Device information
• Broadband connection information
• 3G wireless card state
• LAN information
• WLAN information
• Services information
• Recent system logs (The five most recent system logs are displayed)
After logging in to the web interface, the Device Info page appears, as shown in Figure 14.

NOTE:
The Device Info page contains five parts, which correspond to the five tabs below the figure on the page
(except the Service Information and Recent System Logs tabs). When you point to a part of the figure, the
system prompts you for the tab of the corresponding information, and you can jump to the tab by clicking
this part.

Figure 14 Device information

Select the refresh mode in Refresh Period.
• If you select a specific period, the system automatically refreshes the Device Info page.
• If you select Manual, click Refresh to refresh the page.

Device information
Table 5 Field description

Field Description
Device Model Device name

Device ID Device ID

Software Version Software version of the device

Firmware Version Firmware version of the device

Hardware Version Hardware version of the device

Running Time Running time since the device was rebooted

CPU Usage Real-time CPU usage

Memory Usage Real-time memory usage

Broadband connection information


Table 6 Field description

Field Description
Interface Interface name

Session Type Connection type of the interface

Network-Side Connection State Connection state at the network side of the interface

IP Address/Mask IP address and mask of the interface

DNS Server IP address of the DNS server

Uplink Rate (Kbits/Second) Average rate of outgoing data for the last 300 seconds

Downlink Rate (Kbits/Second) Average rate of incoming data for the last 300 seconds

Work Mode Rate and duplex mode of the interface

3G wireless card state
To display detailed information about the 3G wireless card state, click the More link in the 3G Wireless
Card State area. This displays information about the 3G modem, UIM card, and 3G network.
Figure 15 3G wireless card state

Table 7 Field description

Field Description
3G Modem Information Connection state of the 3G network.

3G Modem State State of the 3G modem:
• Normal—A 3G modem is connected to the router.
• Absent or unrecognized modem—No 3G modem is connected to the router, or the modem cannot be recognized.

Model Model of the 3G modem.

Manufacturer Manufacturer of the 3G modem.

CMII ID CMII ID of the 3G modem.

Serial Number Serial number of the 3G modem.

Hardware Version Hardware version of the 3G modem.

Firmware Version Firmware version of the 3G modem.

PRL Version PRL version of the 3G modem.

UIM Card State State of the UIM card:
• Absent.
• Being initialized.
• Fault.
• Destructed.
• PIN code protection is disabled.
• PIN code protection is enabled. Enter the PIN code for authentication.
• PIN code protection is enabled, and the PIN code has passed the authentication.
• The PIN code has been blocked. Enter the PUK code to unblock it.

IMSI IMSI of the UIM card.

Voltage Power voltage of the UIM card.

Mobile Network 3G network where the UIM card resides.

Network Type State of the 3G network where the UIM card resides:
• No Service
• CDMA
• HDR
• CDMA/HDR HYBRID
• Unknown

RSSI RSSI of the 3G network.

LAN information
Table 8 Field description

Field Description
Interface Interface name

Link State Link state of the interface

Work Mode Rate and duplex mode of the interface

WLAN information
Table 9 Field description

Field Description
SSID (WLAN Name) Name of the WLAN service

Service Status Whether the service is enabled or disabled

Number of PCs Connected Number of PCs connected to the WLAN service

Service information
Table 10 Field description

Field Description
Service Name of the service

Status Status of the service

Recent system logs


Table 11 Field description

Field Description
Time Time when system logs were generated

Level Level of system logs

Description Contents of system logs

Integrated service management


For devices with a card installed, if the card provides the web interface access function, after specifying
the URL address of the card on the integrated service management page, you can log in to the web
interface of the card to manage the card.
After logging in to the web interface of the device, the Device Info page appears by default. Click the
Integrated Service Management tab to display the page to view card information of the device.
Figure 16 Integrated service management

• To change the URL address of the card, click of the target card, as shown in Figure 16. Enter the
URL address in the box (see Figure 17) and click to apply the configuration or click to cancel
the modification.
• Set the URL address of the card, and then connect the card to the LAN to which the administrator
belongs. On the page shown in Figure 16, click Manage. A page linked to the specified URL
address appears where you can log in to the web interface of this card to manage it.
Figure 17 Change card URL address

Configuring web interface basic services

You can configure the following basic services on the web interface:
• Setting WAN interface parameters
• Setting LAN interface parameters
• Setting WLAN interface parameters
This document guides you through quick configuration of basic services of routers, including configuring
WAN, LAN, and WLAN interface parameters.

NOTE:
• For more information about WAN interfaces, see "Configuring WAN interfaces."
• For more information about LAN interfaces, see "Configuring VLAN."
• For more information about WLAN interfaces, see "Configuring wireless services."

Starting the basic configuration wizard


From the navigation tree, select Wizard > Basic Configuration Wizard to display the basic configuration
wizard page, as shown in Figure 18.
Figure 18 Basic configuration wizard

Setting WAN interface parameters


On the basic configuration wizard page, click Next to display the page for configuring WAN interface
parameters.

The page for configuring WAN interface parameters varies with the interface type. You are allowed to
set Ethernet, SA, ADSL/G.SHDSL, CE1/PR1, and CT1/PR1 interface parameters.

Ethernet interface
Figure 19 Set Ethernet interface parameters

Table 12 Configuration of Ethernet interface parameters (in auto mode)

Item Description
WAN Interface Select the Ethernet interface to configure.

Connect Mode: Auto Select Auto connect mode to automatically obtain an IP address.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in brackets.
• Use a customized MAC address—Assign a MAC address to the Ethernet interface.

Table 13 Configuration of Ethernet interface parameters (in manual mode)

Item Description
WAN Interface Select the Ethernet interface to configure.

Connect Mode: Manual Use Manual connect mode to configure an IP address.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the Ethernet interface.

Subnet Mask Select a subnet mask for the Ethernet interface.

Gateway Address Configure the next hop of a static route.

DNS1
DNS2
Specify a DNS server IP address for the interface. DNS server 1 is used before DNS server 2.
To configure the global DNS server on the page you enter, select Advanced > DNS Setup > DNS Configuration. The global DNS server is queried prior to the DNS servers of the interfaces. In other words, the DNS query is sent to the global DNS server first. If the query fails, the DNS query is sent to the next DNS server until the query succeeds.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in brackets.
• Use the customized MAC address—Assign a MAC address to the Ethernet interface.

Table 14 Configuration of Ethernet interface parameters (in PPPoE mode)

Item Description
WAN Interface Select the Ethernet interface to configure.

Connect Mode: PPPoE Select the PPPoE connect mode.
In PPPoE mode, a user name and password should be provided by the local ISP. When the device connects to the ISP server, the ISP server initiates PPPoE authentication. When the device passes authentication, the ISP server sends the IP address, subnet mask, gateway IP address, and DNS server IP address to the device.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Online for all time
Online according to the Idle Timeout value
Select an idle timeout interval:
• Online for all time—The device is always online.
• Online according to the idle timeout value—The device disconnects from the server if no data exchange occurs between it and the server within the specified time. Then it automatically establishes the connection upon receiving a request for access.

Idle timeout When Online according to the Idle Timeout value is enabled, specify an idle timeout value.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in brackets.
• Use the customized MAC address—Assign a MAC address to the Ethernet interface.

SA interface
Figure 20 Set SA parameters

Table 15 Configuration of SA interface parameters

Item Description
WAN Interface Select the SA interface to configure.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the SA interface.

Subnet Mask Select a subnet mask for the SA interface.

ADSL/G.SHDSL interface
Figure 21 Set ADSL/G.SHDSL parameters

Table 16 Configuration of ADSL/G.SHDSL interface parameters (in IPoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: IPoA Select the IPoA connect mode.

PVC Specify the VPI/VCI value for PVC.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the ADSL/G.SHDSL interface.

Subnet Mask Select a subnet mask for the ADSL/G.SHDSL interface.

Map IP Specify the peer destination IP address of the mapped PVC.

Table 17 Configuration of ADSL/G.SHDSL interface parameters (in IPoEoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: IPoEoA Select the IPoEoA connect mode.

PVC Specify the VPI/VCI value for PVC.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

IP Address Specify the IP address of the ADSL/G.SHDSL interface.

Subnet Mask Select a subnet mask for the ADSL/G.SHDSL interface.

Table 18 Configuration of ADSL/G.SHDSL interface parameters (in PPPoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: PPPoA Select the PPPoA connect mode.

PVC Specify the VPI/VCI value for PVC.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Table 19 Configuration of ADSL/G.SHDSL interface parameters (in PPPoEoA mode)

Item Description
WAN Interface Select the ADSL/G.SHDSL interface to configure.

Connect Mode: PPPoEoA Select the PPPoEoA connect mode.

PVC Specify the VPI/VCI value for PVC.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Online for all time
Online according to the Idle Timeout value
Select an idle timeout value:
• Online for all time—The device is always online.
• Online according to the idle timeout value—The device disconnects from the server if no data exchange occurs between it and the server within the specified time. After that, it automatically establishes the connection upon receiving a request.

Idle timeout When Online according to the Idle Timeout value is enabled, specify an idle timeout value.

CE1/PR1 interface
The CE1/PR1 interface works in two modes: E1 mode and CE1 mode.
1. In E1 mode:
Figure 22 Set CE1/PR1 interface parameters (in E1 mode)

Table 20 Configuration of CE1/PR1 interface parameters (in E1 mode)

Item Description
WAN Interface Select the CE1/PR1 interface to configure.

Work Mode: E1 Select the E1 work mode.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

2. In CE1 mode:

Figure 23 Set CE1/PR1 interface parameters (in CE1 mode)

Table 21 Configuration of CE1/PR1 interface parameters (in CE1 mode)

Item Description
WAN Interface Select the CE1/PR1 interface to configure.

Work Mode: CE1 Select the CE1 work mode.

Operation Select one of the following operation actions:
• Create—Binds timeslots.
• Remove—Unbinds timeslots.

Serial Select a number for the created Serial interface.

Timeslot-List Specify the timeslots to be bound or unbound.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

CT1/PR1 interface
Figure 24 Set CT1/PR1 parameters

Table 22 Configuration of CT1/PR1 interface parameters

Item Description
WAN Interface Select the CT1/PR1 interface to configure.

Work Mode: E1 Select the CT1 work mode.

Operation Select one of the following operation actions:
• Create—Binds timeslots.
• Remove—Unbinds timeslots.

Serial Select the number for the created serial interface.

Timeslot-List Specify the timeslots to be bound or unbound.

User Name Specify the user name for identity authentication.

Password Specify the password for identity authentication.

TCP-MSS Set the maximum TCP segment length of an interface.

MTU Set the MTU of an interface.

Setting LAN interface parameters


After finishing the previous configuration, click Next to display the page for configuring LAN interface
parameters, as shown in Figure 25.

Figure 25 Set LAN parameters

Table 23 Configuration of LAN interface parameters

Item Description
VLAN Interface Displays the ID of the VLAN interface to configure.
IMPORTANT:
By default, the VLAN interface on the device that has the smallest number is displayed. If no VLAN interface is available on the device, the system automatically creates an interface numbered 1 and displays it.

IP Address
Subnet Mask
Specify the IP address and a subnet mask for the VLAN interface.

DHCP Server Select whether to enable DHCP server.
If you enable DHCP server, the DHCP server configuration is displayed.

Start IP Address
End IP Address
Specify the IP address range for dynamic allocation in an extended address pool.
IMPORTANT:
If the extended address pool is configured on an interface, when a DHCP client's request arrives at the interface, the server assigns an IP address from this extended address pool only. Therefore, the client cannot obtain an IP address if no IP address is available in the extended address pool.

Gateway IP Address Specify a gateway IP address in the DHCP address pool for DHCP clients.
When accessing a server or host that is not in its network segment, a DHCP client needs the gateway to forward data for it. When you specify a gateway IP address in the address pool, the DHCP server sends an IP address and the gateway IP address to a requesting client.

DNS Server 1
DNS Server 2
Specify a DNS server IP address in the DHCP address pool for DHCP clients. DNS server 1 is used before DNS server 2.
To allow DHCP clients to access the Internet through domain names, the DHCP server sends an IP address and a DNS server IP address to clients.
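
Because clients are served from the extended address pool only, it helps to check the planned Table 23 values before entering them. The following Python sketch is an added example, not part of the HP guide or the device software; the function name, the expected_clients parameter, the rule that the interface, gateway, network and broadcast addresses are not available to clients, and all sample addresses are assumptions made for illustration.

```python
import ipaddress


def check_lan_plan(vlan_ip, subnet_mask, start_ip, end_ip, gateway_ip, expected_clients):
    """Sanity-check planned LAN wizard values (hypothetical helper).

    Returns the VLAN interface network, the size of the Start/End range,
    the number of addresses left for clients, and a list of problems.
    """
    iface = ipaddress.ip_interface(f"{vlan_ip}/{subnet_mask}")
    net = iface.network
    start = ipaddress.ip_address(start_ip)
    end = ipaddress.ip_address(end_ip)
    gateway = ipaddress.ip_address(gateway_ip)
    problems = []

    if start > end:
        problems.append("Start IP Address is higher than End IP Address")
    fields = (
        ("Start IP Address", start),
        ("End IP Address", end),
        ("Gateway IP Address", gateway),
    )
    for label, addr in fields:
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")

    pool_size = max(0, int(end) - int(start) + 1)
    # Assumption: these addresses should not be counted as available to
    # clients even when the Start/End range covers them.
    in_use = {iface.ip, gateway, net.network_address, net.broadcast_address}
    reserved = sorted(a for a in in_use if start <= a <= end)
    leasable = pool_size - len(reserved)

    # The pool is the only source of addresses, so a pool smaller than the
    # client population means some clients get no address at all.
    if leasable < expected_clients:
        problems.append(
            f"pool leaves {leasable} addresses for {expected_clients} expected clients"
        )
    return {
        "network": str(net),
        "pool_size": pool_size,
        "reserved_in_pool": [str(a) for a in reserved],
        "leasable": leasable,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample plan: the range starts on the interface's own address.
    plan = check_lan_plan(
        "192.168.1.1", "255.255.255.0",
        "192.168.1.1", "192.168.1.100",
        "192.168.1.1", expected_clients=120,
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```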

Setting WLAN interface parameters


After finishing the previous configuration, click Next to display the page for configuring WLAN interface
parameters, as shown in Figure 26.
Figure 26 Set WLAN parameters

Table 24 Configuration of WLAN parameters

Item Description
WLAN Setting Select whether to make WLAN settings.

Network Name (SSID) Specify a wireless network name.

Network Hide Select whether to hide the network name.

Radio Unit Select a radio unit supported by the AP: 1 or 2.
Which value is supported varies with device models.

Enable Encrypt Select whether to enable data encryption.
With data encryption enabled, data transmission between wireless client and wireless device can be securely encrypted.

Encrypt Act Select an encryption mode for the wireless network: WEP40 or WEP104.

Key Mode Select a key format.
• When you select WEP40, the key can be a 5-character string or 10-digit hexadecimal number.
• When you select WEP104, the key can be a 13-character string or a 26-digit hexadecimal number.

Key Seed
Key 1
Key 2
Key 3
Key 4
You can either use a key seed to generate keys or type keys manually. Then, you can choose one of the configured keys.
• When you select WEP40 and ASCII, the generated or input key is a 5-character string.
• When you select WEP40 and HEX, the generated or input key is a 10-digit hexadecimal number.
• When you select WEP104 and ASCII, the generated or input key is a 13-character string.
• When you select WEP104 and HEX, the generated or input key is a 26-digit hexadecimal number.
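
The ASCII and HEX key formats in Table 24 are two spellings of the same secret: 5 characters or 10 hexadecimal digits both give 40 key bits, and 13 characters or 26 digits give 104. The following Python sketch is an added example, not part of the HP guide or the device software; it checks manually typed keys against those lengths before they are entered, and the function names and sample keys are constructed for illustration.

```python
import string

# (Encrypt Act, Key Mode) -> key length in characters, as listed in Table 24.
KEY_LENGTHS = {
    ("WEP40", "ASCII"): 5,
    ("WEP40", "HEX"): 10,
    ("WEP104", "ASCII"): 13,
    ("WEP104", "HEX"): 26,
}


def parse_wep_key(encrypt_act, key_mode, key):
    """Return the raw secret bytes for a typed key (hypothetical helper).

    Raises ValueError when the key does not fit the selected mode and format.
    """
    try:
        required = KEY_LENGTHS[(encrypt_act, key_mode)]
    except KeyError:
        raise ValueError(f"unsupported combination {encrypt_act}/{key_mode}")
    if len(key) != required:
        raise ValueError(
            f"{encrypt_act} {key_mode} key needs {required} characters, got {len(key)}"
        )
    if key_mode == "HEX":
        if any(c not in string.hexdigits for c in key):
            raise ValueError("HEX key contains a non-hexadecimal character")
        return bytes.fromhex(key)
    if not (key.isascii() and key.isprintable()):
        raise ValueError("ASCII key contains a non-printable or non-ASCII character")
    return key.encode("ascii")


def check_key_slots(encrypt_act, key_mode, slots):
    """Check the Key 1 to Key 4 fields; `slots` maps a field name to the typed key.

    Empty fields are skipped. Two fields that decode to the same secret are
    reported, because the second one adds nothing to choose from.
    """
    report = {}
    seen = {}
    for slot, key in slots.items():
        if not key:
            continue
        try:
            raw = parse_wep_key(encrypt_act, key_mode, key)
        except ValueError as exc:
            report[slot] = f"rejected: {exc}"
            continue
        if raw in seen:
            report[slot] = f"duplicate of {seen[raw]}"
        else:
            seen[raw] = slot
            report[slot] = f"ok ({len(raw) * 8}-bit key)"
    return report


if __name__ == "__main__":
    # Constructed sample input: one valid key, one too short, one with bad digits.
    typed = {"Key 1": "6162636465", "Key 2": "61626364", "Key 3": "61626364zz", "Key 4": ""}
    for slot, verdict in check_key_slots("WEP40", "HEX", typed).items():
        print(slot, "->", verdict)
```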

Validating basic services configuration


After finishing basic services configuration, click Next to display the page shown in Figure 27 to validate
your configuration.

Figure 27 Check the basic service configuration

This page shows the configurations that you have made through the previous steps. Check the
configurations, and click Finish to validate them. To make any modification, click Back to go to previous
pages and edit the settings.
The page also provides an option Save Current Configuration to save the configurations to the
configuration file (either a .cfg file or an .xml file) to be used at the next startup of the device. If this option
is selected, the configurations you make persist through a device reboot.

Configuring WAN interfaces

The WAN interfaces that can be configured on the web interface include Ethernet interfaces, SA
interfaces, ADSL/G.SHDSL interfaces, CE1/PRI interfaces, and CT1/PRI interfaces.

Configuring an Ethernet interface


An Ethernet interface supports the following connection modes:
• Auto—The interface acts as a DHCP client to obtain an IP address through DHCP.
• Manual—The IP address and subnet mask are configured manually for the interface.
• PPPoE—The interface acts as a PPPoE client. PPPoE provides access to the Internet for hosts in an
Ethernet through remote access devices. It also implements access control and accounting on a
per-host basis. Because it is cost-effective, PPPoE is popular for various applications, such as
residential networks.
To configure an Ethernet interface:
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page, which displays the name, connection type, IP address, mask, status, and operation
icon of each interface, as shown in Figure 28.
Figure 28 WAN Interface Setup

Click the icon corresponding to an Ethernet interface to display the page for configuring that Ethernet
interface, as shown in Figure 29.

Figure 29 Configure an Ethernet interface

Table 25 Configuration (auto mode)

Item Description
WAN Interface Displays the name of the Ethernet interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: Auto Select Auto as the connection mode. The interface automatically obtains an IP address.

MAC Address Set the MAC address of the Ethernet interface:
• Use MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the following brackets.
• Use customized MAC address—Manually set the MAC address of the Ethernet interface. When this option is selected, you must enter a MAC address in the field below.

Table 26 Configuration (manual mode)

Item Description
WAN Interface Displays the name of the Ethernet interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: Manual Select Manual as the connection mode. In this mode, you must assign an IP address and subnet mask for the interface manually.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure an IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Gateway IP Address Configure the next hop for the static route.

DNS1
DNS2
Assign an IP address to the DNS servers. DNS1 has a higher precedence than DNS2.
To configure a global DNS server, select Advanced > DNS Setup > DNS Configuration from the navigation tree. The global DNS server has a higher precedence than all DNS servers configured on the interfaces. An interface first sends a query request to the global DNS server. If it fails to receive a response, it sends query requests to the DNS servers configured on the interfaces one by one.

MAC Address Set the MAC address of the Ethernet interface:
• Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the following brackets.
• Use the customized MAC address—Manually set the MAC address of the Ethernet interface. When this option is selected, you must enter a MAC address in the field below.

Table 27 Configuration (PPPoE mode)

Item Description
WAN Interface Displays the name of the Ethernet interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: PPPoE Select PPPoE as the connection mode.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Online for all time
Online according to the Idle Timeout value
Set the idle timeout value for a connection.
• Online for all time—The connection is maintained until manually disconnected or upon an anomaly.
• Online according to the Idle Timeout value—The connection is automatically disconnected if no traffic is transmitted or received on the link for a period of time. The connection is reestablished when a request for Internet access is received.

Idle timeout If Online according to the Idle Timeout value is selected, the Idle timeout value must be specified.

MAC Address Set the MAC address of the Ethernet interface:
• Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in brackets.
• Use the customized MAC address—Manually set the MAC address of the Ethernet interface. When this option is selected, you must enter a MAC address in the field.

Configuring an SA interface
The synchronous/asynchronous serial (SA) interface supports PPP connection mode.
PPP is a link layer protocol that carries packets over point-to-point links. It provides user authentication
and allows for easy extension while supporting synchronous/asynchronous communication.
PPP contains a set of protocols, including an LCP, an NCP, and authentication protocols such as PAP and
CHAP. Among these protocols:
• LCP is responsible for establishing, tearing down, and monitoring data links.
• NCP negotiates the packet format and type of data links.
• PAP and CHAP provide network security.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the SA interface you want to configure to display
the SA interface configuration page, as shown in Figure 30.

Figure 30 Configure an SA interface

Table 28 Configuration

Item Description
WAN Interface Displays the name of the interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure the IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Configuring an ADSL/G.SHDSL interface


The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA.

IPoA
IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data
link layer for the IP hosts on the same network to communicate with one another, and IP packets must be
adapted to traverse the ATM network.

IPoA makes full use of the advantages of ATM, including high speed point-to-point connections (which
help improve the bandwidth performance of an IP network), excellent network performance, and
complete, mature QoS services.

IPoEoA
IPoEoA adopts a three-layer architecture, with IP encapsulation at the uppermost layer, IPoE in the middle,
and IPoEoA at the bottom.
IPoEoA is suitable where Ethernet packets are forwarded through an ATM interface, for example, when a
network device forwards traffic from an Ethernet across an ATM PVC to a network access server.

PPPoA
PPPoA enables ATM to carry PPP protocol packets. With PPPoA, PPP packets are encapsulated in ATM
cells. In this case, ATM can be viewed as the carrier of PPP packets. Because the communication process
of PPPoA is managed by PPP, PPPoA inherits the flexibility and comprehensive applications of PPP.

PPPoEoA
PPPoEoA enables ATM to carry PPPoE protocol packets. With PPPoEoA, Ethernet packets are
encapsulated in ATM cells, through which you can use a PVC to simulate all the functions of Ethernet. To
allow ATM to carry Ethernet frames, the interface management module provides the VE interface. The VE
interface has Ethernet characteristics and can be dynamically created through configuration commands.
The following is the protocol stack adopted by the VE interface.
• ATM PVC at the bottom layer
• Ethernet at the link layer
• Protocols the same as those for a common Ethernet interface at the network layer and upper layers

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the ADSL/G.SHDSL interface you want to
configure to display the ADSL/G.SHDSL interface configuration page, as shown in Figure 31.

Figure 31 Configure an ADSL/G.SHDSL interface

Table 29 Configuration (IPoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: IPoA Select IPoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure the IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Map IP Set the remote IP address for the IPoA mapping.

Table 30 Configuration (IPoEoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: IPoEoA Select IPoEoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

IP Address Configure the IP address for the interface.

IP Mask Configure the subnet mask for the interface.

Table 31 Configuration (PPPoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click the Enable button to bring up the interface.

Connect Mode: PPPoA Select PPPoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Table 32 Configuration (PPPoEoA)

Item Description
WAN Interface Displays the name of the ADSL/G.SHDSL interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down
the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut
down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click
the Enable button to bring up the interface.

Connect Mode: PPPoEoA Select PPPoEoA as the connection mode.

PVC Set the VPI/VCI value for the PVC.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Online for all time / Online according to the Idle Timeout value / Idle timeout Set the idle
timeout value for a connection.
• Online for all time—The connection is maintained until it is disconnected manually or upon an
anomaly.
• Online according to the Idle Timeout value—The connection is disconnected automatically if no
traffic is transmitted or received on the link for a period of time. The connection is set up
again when a request to access the Internet is received.
If Online according to the Idle Timeout value is selected, specify the Idle timeout value.

Configuring a CE1/PRI interface


The CE1/PRI interface supports PPP connection mode. For details about PPP, see "Configuring an SA
interface."
The CE1/PRI interface can work in either E1 mode (non-channelized mode) or CE1 mode (channelized
mode).
• A CE1/PRI interface in E1 mode equals an interface of 2048 Mbps data bandwidth, on which no
timeslots are divided. Its logical features are the same as those of a synchronous serial interface. It
supports link layer protocols such as PPP, FR, LAPB and X.25, and network protocols such as IP and
IPX.
• A CE1/PRI interface in CE1 mode is physically divided into 32 timeslots, numbered 0 to 31. Among
them, timeslot 0 is used for transmitting synchronization information. All timeslots except timeslot 0
can be randomly bundled into multiple channel sets and used as an interface. Its logical features are
the same as those of a synchronous serial interface. It supports link layer protocols such as PPP,
HDLC, FR, LAPB and X.25, and network protocols such as IP.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the CE1/PRI interface to configure to display the
CE1/PRI interface configuration page. The appearance and features of this page vary with the operating
mode of the CE1/PRI interface.

Configuring a CE1/PRI interface in E1 mode
Figure 32 Configure a CE1/PRI interface in E1 mode

Table 33 Configuration (in E1 mode)

Item Description
WAN Interface Displays the name of the CE1/PRI interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down
the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut
down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click
the Enable button to bring up the interface.

Work Mode: E1 Select E1 as the work mode.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Configuring a CE1/PRI interface in CE1 mode
Figure 33 Configure a CE1/PRI interface in CE1 mode

Table 34 Configuration (in CE1 mode)

Item Description
WAN Interface Displays the name of the CE1/PRI interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down
the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut
down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click
the Enable button to bring up the interface.

Work Mode: CE1 Select CE1 as the work mode.

Operation Select to add or remove timeslots.
• Create—Adds timeslots to form a channel set.
• Delete—Removes timeslots from a channel set.

Serial Specify the serial interface number of the channel set.

Timeslot-List Set the timeslots to add or remove.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Configuring a CT1/PRI interface
The CT1/PRI interface supports PPP connection mode. For details about PPP, see "Configuring an SA
interface."
When it is working as a CT1 interface, all timeslots (numbered 1 to 24) can be randomly divided into
groups. Each of these groups can form one channel set for which the system automatically creates an
interface that is logically equivalent to a synchronous serial interface. This interface supports link layer
protocols such as PPP, HDLC, FR, LAPB, and X.25, and network protocols such as IP and IPX.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to display the WAN interface
configuration page. Click the icon corresponding to the CT1/PRI interface to configure to display the
CT1/PRI interface configuration page, as shown in Figure 34.
Figure 34 Configure a CT1/PRI interface

Table 35 Configuration

Item Description
WAN Interface Displays the name of the CT1/PRI interface to configure.

Interface Status Display and set the interface status:
• Connected—The current interface is up and connected. Click the Disable button to shut down
the interface.
• Not connected—The current interface is up but not connected. Click the Disable button to shut
down the interface.
• Administratively Down—The current interface is shut down by a network administrator. Click
the Enable button to bring up the interface.

Work Mode: CT1 Select CT1 as the work mode.

Operation Select to add or remove timeslots.
• Create—Adds timeslots to form a channel set.
• Delete—Removes timeslots from a channel set.

Serial Specify the serial interface number of the channel set.

Timeslot-List Set the timeslots to add or remove.

User Name Configure the user name for authentication.

Password Configure the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Viewing the general information and statistics of an interface

On the WAN Interface Setup page as shown in Figure 28, you can view the name, connection type, IP
address, mask, and status of each interface. To view the statistics of an interface, click the interface name
to display the page shown in Figure 35.

Figure 35 Statistics of an interface

Configuring VLAN

You can configure the following port-based VLAN and VLAN interface functions through the web
interface:
• Create or delete VLANs.
• Add/remove member ports to/from a VLAN.
• Create or delete VLAN interfaces.
• Configure VLAN interface parameters.
Ethernet is a network technology based on the CSMA/CD mechanism. Because the medium is shared,
collisions and excessive broadcasts are common on Ethernet networks. To address the issue, VLAN was
introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A
VLAN is a bridging domain, and all broadcast traffic is contained within it.
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3
forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for
Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For
each VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at
the network layer.

NOTE:
For more information about VLANs and VLAN interfaces, see HP A-MSR Router Series Layer 2—LAN
Switching Configuration Guide.

Configuring a VLAN and its VLAN interface


Configuration task lists
Configuring a VLAN
Table 36 VLAN configuration task list

Task Remarks
Creating a VLAN and its VLAN interface Required

Configuring VLAN member ports Required

Configuring a VLAN interface


Table 37 VLAN interface configuration task list

Task Remarks
Creating a VLAN and its VLAN interface Required.

Configuring parameters for a VLAN interface Optional.
Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP
server function for a VLAN interface. If you enable it, configure related parameters.
You can also configure the DHCP server function in Advanced > DHCP Setup. For more information,
see "Configuring DHCP." This chapter only describes the DHCP server configuration in the LAN
Setup module.

Creating a VLAN and its VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
VLAN Setup page, as shown in Figure 36.
Figure 36 VLAN Setup page

Table 38 Configuration

Item Description
VLAN Create And Remove Set the operation type to Create or Remove.

VLAN IDs Enter the ID of the VLAN (or VLAN interface) to be created or removed. You can create
or remove multiple VLANs at a time.

Create VLAN Interface You can create a VLAN interface when a VLAN is created.

Only Remove VLAN Interface You can remove the VLAN interface of a VLAN without removing the
VLAN.

Return to "VLAN configuration task list."


Return to "VLAN interface configuration task list."

Configuring VLAN member ports


The ports that you assign to a VLAN in the web interface can only be set to the untagged type.
The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged
member ports.
You can configure a VLAN by assigning ports to it or removing ports from it.
Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
VLAN Setup page, as shown in Table 39.
Table 39 Configuration

Item Description
VLAN ID Select the ID of the VLAN to assign ports to or remove ports from.

Port list Select the ports to add or remove.

Add Click Add to assign the selected ports to the VLAN.

Remove Click Remove to remove the selected ports from the VLAN.

Return to "VLAN configuration task list."

Configuring parameters for a VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree, and then click the VLAN Interface
Setup tab to display the page for configuring parameters for VLAN interfaces, as shown in Figure 37.

Figure 37 VLAN Interface Setup page

Table 40 Configuration

Item Description
VLAN ID Select the ID of the VLAN interface to configure.

IP Address / Subnet Mask Set the VLAN interface's IP address and subnet mask.

MAC Address Set the MAC address of the VLAN interface:
• Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is
displayed in brackets.
• Use the customized MAC address—Manually set the MAC address of the VLAN interface. When this
option is selected, you must enter a MAC address in the field below.

DHCP Server Select whether the VLAN interface operates in DHCP server mode.
If you enable DHCP server on the interface, you can continue to configure related DHCP server
parameters.

Start IP Address / End IP Address Set an extended DHCP address pool used for dynamic IP address
allocation. The IP address range is defined by a start IP address and an end IP address.
NOTE:
If an extended address pool is configured on the port that receives the DHCP request packet, the
server allocates an IP address from the extended address pool to the client, regardless of
whether a common address pool (static binding or dynamic allocation) is also configured on the
port. If no IP address is available in the pool, the server is not able to allocate an IP
address to the client.

Gateway IP Address Set the gateway IP address allocated to the DHCP clients from the DHCP
address pool.
When DHCP clients access servers or hosts on other network segments, their data is forwarded
through the gateway. After specifying a gateway IP address, the server sends the gateway IP
address to the clients along with the IP addresses allocated to them.

DNS Server 1 / DNS Server 2 Assign an IP address from the address pool for the DNS server
allocated to the DHCP clients on the local network segment. DNS Server 1 has a higher preference
than DNS Server 2.
To enable DHCP clients to access hosts on the Internet by domain names, the DHCP server should
specify the local DNS server's IP address when assigning IP addresses to these DHCP clients.

Reserved IP Address Set the IP addresses that are not to be auto assigned in the DHCP address
pool.
An IP address that is already assigned (gateway IP address or FTP server IP address for example)
should not be assigned to another client. Otherwise, IP address conflicts occur.
When you specify an IP address configured in a static binding as not to be auto assigned, this
address can still be assigned to the client in the static binding.

Return to "VLAN interface configuration task list."
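The address fields in Table 40 depend on one another, so it helps to check a planned set of values before entering them. The following Python check is an added example, not HP code: the function name and sample values are constructed, and the rule that an interface, gateway or DNS server address lying inside the Start/End range needs a Reserved IP Address entry is this example's reading of the Reserved IP Address guidance (the page does not say whether the device excludes its own interface address automatically).

```python
import ipaddress


def audit_dhcp_pool(if_addr, mask, start, end, gateway, dns=(), reserved=()):
    """Return (leasable_count, findings) for one VLAN interface's DHCP settings."""
    ip = ipaddress.ip_address
    net = ipaddress.ip_network(f"{if_addr}/{mask}", strict=False)
    first, last = ip(start), ip(end)
    if first > last:
        return 0, ["Start IP Address is higher than End IP Address"]

    findings = []
    for label, addr in (("Start IP Address", first), ("End IP Address", last)):
        if addr not in net:
            findings.append(f"{label} {addr} is outside the interface subnet {net}")
    if ip(gateway) not in net:
        findings.append(f"Gateway IP Address {gateway} is outside the interface subnet {net}")

    # Addresses already in use on the segment, grouped so that one address
    # serving two roles (interface and gateway) is reported once.
    in_use = {}
    in_use.setdefault(ip(if_addr), []).append("VLAN interface")
    in_use.setdefault(ip(gateway), []).append("gateway")
    for n, server in enumerate(dns, 1):
        in_use.setdefault(ip(server), []).append(f"DNS Server {n}")

    reserved_set = {ip(r) for r in reserved}
    for addr, roles in in_use.items():
        if first <= addr <= last and addr not in reserved_set:
            findings.append(f"{addr} ({'/'.join(roles)}) is inside the pool but not reserved")

    # Reserved addresses inside the range are never auto assigned.
    pool_size = int(last) - int(first) + 1
    reserved_in_pool = sum(1 for r in reserved_set if first <= r <= last)
    return pool_size - reserved_in_pool, findings


# Constructed sample plan for one VLAN interface (not taken from the guide).
SAMPLE_PLAN = dict(
    if_addr="192.168.10.1", mask="255.255.255.0",
    start="192.168.10.1", end="192.168.10.100",
    gateway="192.168.10.1", dns=("192.168.10.5",),
    reserved=("192.168.10.5",),
)

if __name__ == "__main__":
    count, problems = audit_dhcp_pool(**SAMPLE_PLAN)
    print(f"leasable addresses: {count}")
    for line in problems:
        print("finding:", line)
```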

Configuration guidelines
When you configure VLANs, follow these guidelines:
• As the default VLAN, VLAN 1 cannot be created or manually removed.
• You cannot manually create or remove VLANs reserved for special purposes.
• You cannot directly remove protocol-reserved VLANs, voice VLANs, management VLANs, or
dynamically learned VLANs. To remove them, you must first remove relevant configurations.

Configuring wireless services

The device allows you to perform the following configurations in the web interface:
• Configuring wireless access service
• Displaying wireless access service
• Configuring data transmit rates
• Displaying radio
• Configuring the blacklist and whitelist functions
• Configuring user isolation
• Configuring wireless QoS
• Setting a district code

With these configurations, you can build an integrated, stable, secure, effective wireless network.
WLAN is popular nowadays. Compared with wired LANs, WLANs are easier and cheaper to implement
because several APs can provide wireless access for an entire building or area. A WLAN does not
necessarily mean that everything is wireless. The servers and backbones still reside on wired networks.
WLANs mainly provide the following services:
• Authentication and encryption to secure wireless access
• Wireless access and mobility to free users from the restrictions of wires and cables

Configuration task list


Perform the tasks in Table 41 to perform wireless configuration.
Table 41 Wireless configuration task list

Task Remarks
Wireless service configuration Required.
Allows you to create a wireless service and configure its attributes.

Configuring radio Optional.
Allows you to configure radio rates to adjust the capabilities of wireless devices.

Configuring WLAN security Optional.
Allows you to control client access to enhance wireless security.

Configuring WLAN QoS Optional.
Allows you to configure WLAN QoS to make full use of wireless resources.

Configuring advanced WLAN Optional.
Allows you to configure district codes as needed to meet country-specific regulations.

Wireless service configuration


For more information about WLAN user access, see HP A-MSR Router Series WLAN Configuration
Guide.

Configuring wireless access service


Creating a wireless access service
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
configuring access service.
Figure 38 Configure access service

Click Add to display the page for creating a wireless access service.
Figure 39 Create a wireless service

Table 42 Configuration

Item Description
Radio Unit Radio ID: 1 or 2. The actual value range depends on your device model.

Mode Display the radio mode, which depends on your device model.

Wireless Service Name Set the SSID.
An SSID should be as unique as possible. For security, the company name should not be contained
in the SSID. HP recommends that you do not use a long random string as the SSID because it only
adds to the Beacon frame length and usage complexity, without any improvement to wireless
security.

Wireless Service Type Select the wireless service type:
• clear—The SSID is not encrypted.
• crypto—The SSID is encrypted.

Configuring clear type wireless service


Configuring basic settings for the clear type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target clear type wireless service to display the page for configuring wireless service.
Figure 40 Configure clear type wireless service

Table 43 Configuration

Item Description
Wireless Service Display the selected SSID.

VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged.
VLAN (Untagged) indicates that the port sends the traffic of the VLAN with the VLAN tag removed.

Default VLAN Set the default VLAN of a port.
By default, the default VLAN of all ports is VLAN 1. After you set the new default VLAN, VLAN 1
is the ID of the VLAN whose packets are to be sent untagged.

Delete VLAN Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

SSID HIDE
• Enable—Disables the advertisement of the SSID in beacon frames.
• Disable—Enables the advertisement of the SSID in beacon frames.
By default, the SSID in beacon frames is advertised.
NOTE:
• If the advertising of the SSID in beacon frames is disabled, the SSID must be configured for
the clients to associate with the device.
• Disabling the advertising of the SSID in beacon frames does little to improve wireless
security. Allowing the advertising of the SSID in beacon frames enables a client to discover an
AP more easily.

Configuring advanced settings for the clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target clear type wireless service to display the page for advanced configuration.
Figure 41 Advanced settings for the clear type wireless service

Table 44 Configuration

Item Description
Client Max Users Maximum number of clients of an SSID to be associated with the same radio of
the AP.
NOTE:
When the number of clients of an SSID to be associated with the same radio of the AP reaches the
maximum, the SSID is automatically hidden.

Management Right Web interface management right of online clients:
• Disable—Disables the web interface management right of online clients.
• Enable—Enables the web interface management right of online clients.

Security settings for the clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target wireless service to display the page for configuring security settings for the clear type wireless
service.
Table 45 Configuration

Item Description
Authentication Type For the clear type wireless service, you can select Open-System only.

Port Mode
• mac-authentication—Performs MAC address authentication on users.
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and
userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a
non-802.1X frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1X
frame, the port performs MAC authentication. If MAC authentication fails, the port then performs
802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode,
except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—In this mode, port-based 802.1X authentication is performed for users.
Multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and
mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless
user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC
authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except
that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—In this mode, a port performs 802.1X authentication on users in
MAC-based mode and supports multiple 802.1X users.
NOTE:
There are multiple security modes. To remember them easily, follow these rules to understand
part of the port security modes:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is used preferentially. If the authentication fails, the
authentication after Else may be used, depending on the protocol type of the packets to be
authenticated.
• The authentication mode before Or and the one after Or have the same priority. The device
determines the authentication mode according to the protocol type of the packets to be
authenticated. For wireless users, the 802.1X authentication mode is used preferentially.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A security mode with Ext allows multiple 802.1X users to pass the authentication. A security
mode without Ext allows only one 802.1X user to pass the authentication.

Max User Maximum number of users that can be connected to the network through a specific port.

1. Configure MAC authentication.

Figure 42 MAC authentication configuration

Table 46 Configuration

Item Description
Port Mode mac-authentication—MAC-based authentication is performed on access users.

Max User Control the maximum number of users allowed to access the network through the port.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the
navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name
field.
• The selected domain name applies to only the current wireless service, and all clients
accessing the wireless service use this domain for authentication, authorization, and
accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service
are logged out.

2. Configure userlogin-secure/userlogin-secure-ext.

Figure 43 userlogin-secure/userlogin-secure-ext port security configuration page (userlogin-secure is used
for example)

Table 47 Configuration

Item Description
Port Mode
• userlogin-secure—Perform port-based 802.1X authentication for access users. In this mode,
multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode,
the port supports multiple 802.1X users.

Max User Control the maximum number of users allowed to access the network through the port.

Mandatory Domain Select an existing domain from the Mandatory Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the
navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name
field.
• The selected domain name applies to only the current wireless service, and all clients
accessing the wireless service use this domain for authentication, authorization, and
accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service
are logged out.

Authentication Method
• EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information
in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for
authentication. It does not need to repackage the EAP packets into standard RADIUS packets for
authentication.
• CHAP—Use CHAP. By default, CHAP is used. CHAP transmits only user names rather than passwords
over the network. Therefore, this method is safer.
• PAP—Use PAP. PAP transmits passwords in plain text.

Handshake
• Enable—Enable the online user handshake function so that the device can periodically send
handshake messages to a user to check whether the user is online. By default, the function is
enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to
the clients periodically for initiating authentication. By default, the multicast trigger
function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
NOTE:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and
trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger
messages periodically for initiating authentication. HP recommends that you disable the
multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

3. Configure the other four port security modes.


Figure 44 Port security configuration page for the other four security modes (mac-else-userlogin-secure is
used for example)

Table 48 Configuration

Item Description
Port Mode
• mac-else-userlogin-secure—This mode is the combination of the mac-authentication and
userlogin-secure modes, with MAC authentication having a higher priority. Upon receiving a
non-802.1X frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1X
frame, the port performs MAC authentication. If MAC authentication fails, the port performs
802.1X authentication.
• mac-else-userlogin-secure-ext—This mode is similar to the mac-else-userlogin-secure mode,
except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-or-mac—This mode is the combination of the userlogin-secure and
mac-authentication modes, with 802.1X authentication having a higher priority. For a wireless
user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC
authentication is performed.
• userlogin-secure-or-mac-ext—This mode is similar to the userlogin-secure-or-mac mode, except
that it supports multiple 802.1X and MAC authentication users on the port.

Max User Control the maximum number of users allowed to access the network through the port.

Mandatory Domain Select an existing domain from the Mandatory Domain list. After a mandatory
domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain
for authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from the
navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name
field.

Authentication Method
• EAP—Use EAP. With EAP authentication, the authenticator encapsulates 802.1X user information
in the EAP attributes of RADIUS packets and sends the packets to the RADIUS server for
authentication. It does not need to repackage the EAP packets into standard RADIUS packets for
authentication.
• CHAP—Use CHAP. By default, CHAP is used. CHAP transmits only usernames but not passwords over
the network. Therefore, this method is safer.
• PAP—Use PAP. PAP transmits passwords in plain text.

Handshake
• Enable—Enable the online user handshake function so that the device can periodically send
handshake messages to a user to check whether the user is online. By default, the function is
enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger
• Enable—Enable the multicast trigger function of 802.1X to send multicast trigger messages to
the clients periodically for initiating authentication. By default, the multicast trigger
function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
NOTE:
For a WLAN, the clients can actively initiate authentication, or the AP can discover users and
trigger authentication. Therefore, the ports do not need to send 802.1X multicast trigger
messages periodically for initiating authentication. HP recommends that you disable the
multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the
navigation tree, click the Domain Setup tab, and enter a new domain name in the Domain Name
field.
• The selected domain name applies to only the current wireless service, and all clients
accessing the wireless service use this domain for authentication, authorization, and
accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service
are logged out.
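The Port Mode descriptions in Table 45 and Table 48 can be read as a decision procedure: which authentication methods a port tries, in what order, for a given frame. The following Python model is an added example, not device code; the function names are hypothetical, it covers wireless clients only, and for the 802.1X-only modes it reports 802.1X as the single method because the page does not describe how they treat non-802.1X frames.

```python
MAC, DOT1X = "MAC", "802.1X"

# Port Mode names in the order Table 45 lists them.
ALL_MODES = [
    "mac-authentication",
    "mac-else-userlogin-secure",
    "mac-else-userlogin-secure-ext",
    "userlogin-secure",
    "userlogin-secure-or-mac",
    "userlogin-secure-or-mac-ext",
    "userlogin-secure-ext",
]

# Base mode name -> (methods in priority order, joining keyword)
_BASE_MODES = {
    "mac-authentication": ((MAC,), None),
    "userlogin-secure": ((DOT1X,), None),
    "mac-else-userlogin-secure": ((MAC, DOT1X), "else"),
    "userlogin-secure-or-mac": ((DOT1X, MAC), "or"),
}


def decode_mode(mode):
    """Split a Port Mode name into its methods, joining rule and Ext flag."""
    ext = mode.endswith("-ext")
    base = mode[:-len("-ext")] if ext else mode
    if base not in _BASE_MODES or (ext and base == "mac-authentication"):
        raise ValueError(f"unknown port mode: {mode}")
    methods, rule = _BASE_MODES[base]
    return {"methods": methods, "rule": rule, "multiple_802_1x_users": ext}


def attempts(mode, frame_is_dot1x):
    """Methods the port tries, in order, for one frame from a wireless client."""
    info = decode_mode(mode)
    if info["rule"] == "else" and not frame_is_dot1x:
        # Non-802.1X frame in an Else mode: only MAC authentication is performed.
        return [MAC]
    # Else mode with an 802.1X frame: MAC first, then 802.1X if MAC fails.
    # Or mode, wireless user: 802.1X first, then MAC if 802.1X fails.
    return list(info["methods"])


def authenticate(mode, frame_is_dot1x, mac_ok, dot1x_ok):
    """Return the method that admits the client, or None if every attempt fails."""
    outcome = {MAC: mac_ok, DOT1X: dot1x_ok}
    for method in attempts(mode, frame_is_dot1x):
        if outcome[method]:
            return method
    return None


def modes_admitting_on_mac_alone(modes=ALL_MODES):
    """Modes that admit a client which passes MAC authentication but fails 802.1X."""
    return [
        m for m in modes
        if any(authenticate(m, frame, mac_ok=True, dot1x_ok=False) == MAC
               for frame in (True, False))
    ]


if __name__ == "__main__":
    for mode in ALL_MODES:
        print(f"{mode:32} 802.1X frame: {attempts(mode, True)}  "
              f"other frame: {attempts(mode, False)}")
    print("MAC authentication alone is sufficient in:", modes_admitting_on_mac_alone())
```

When reviewing a wireless service, the last function lists the modes in which access control rests on the MAC authentication result even though 802.1X is also configured.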

Configuring crypto type wireless service


Configuring basic settings for the crypto type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target crypto type wireless service to display the page for configuring wireless service.

Figure 45 Crypto type wireless service

See Table 43 for the basic configuration of crypto type wireless service.

Advanced settings for the crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target crypto type wireless service to display the page for configuring wireless service.
Figure 46 Advanced settings for the crypto type wireless service

Table 49 Configuration

Item Description
Client Max Users Maximum number of clients of an SSID to be associated with the same radio of the AP.
NOTE:
When the number of clients of an SSID to be associated with the same radio of the AP reaches the
maximum, the SSID is automatically hidden.

PTK Life Time Set the PTK lifetime. A PTK is generated through a four-way handshake.

TKIP CM Time Set the TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds (the TKIP countermeasure policy is disabled).
If the TKIP countermeasure time is set to a value other than 0, the TKIP countermeasure policy is
enabled.
MIC is designed to avoid hacker tampering. It uses the Michael algorithm and is extremely secure.
When MIC failures occur, the data may have been tampered with, and the system may be under attack.
In this case, TKIP enables the countermeasure policy to prevent hackers from attacking. With the
countermeasure policy enabled, if more than two MIC failures occur within the specified time, TKIP
disassociates all connected wireless clients, and no new associations are allowed within the TKIP
countermeasure time.

Management Right Web interface management right of online clients:
• Disable—Disables the web interface management right of online clients.
• Enable—Enables the web interface management right of online clients.

GTK Rekey Method An AC generates a GTK and sends the GTK to a client during the authentication
process between an AP and the client through group key handshake/the 4-way handshake. The client uses
the GTK to decrypt broadcast and multicast packets.
• Time—The GTK is refreshed after a specified period of time.
• Packet—The GTK is refreshed after a specified number of packets are transmitted.
By default, the GTK re-keying method is time-based, and the interval is 86,400 seconds.

GTK User Down Status Enable refreshing the GTK when a client goes offline.
By default, the GTK is not refreshed when a client goes offline.
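
The TKIP CM Time behaviour described in Table 49, modelled as an added example (not HP's code): more than two MIC failures inside the configured time disassociate every client and refuse new associations for the same time. The sliding window, the counter reset after a trigger, the class and function names, and the event log are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class TkipCountermeasure:
    """Model of the TKIP CM Time policy as Table 49 words it."""
    cm_time: float                                   # TKIP CM Time in seconds; 0 disables the policy
    clients: set = field(default_factory=set)        # currently associated client MACs
    failures: list = field(default_factory=list)     # timestamps of recent MIC failures
    blocked_until: float = float("-inf")             # end of the no-association window

    def associate(self, now, mac):
        """Return True if an association request at time `now` is accepted."""
        if now < self.blocked_until:
            return False
        self.clients.add(mac)
        return True

    def mic_failure(self, now):
        """Record one MIC failure. Return None, or the list of clients dropped by a trigger."""
        if self.cm_time == 0:
            return None                              # policy disabled: nothing is acted on
        # Keep only the failures that fall inside the window ending at `now`.
        self.failures = [t for t in self.failures if now - t < self.cm_time]
        self.failures.append(now)
        if len(self.failures) <= 2:                  # the page's threshold is "more than two"
            return None
        dropped = sorted(self.clients)
        self.clients.clear()                         # all connected clients are disassociated
        self.failures.clear()                        # assumption: counting restarts after a trigger
        self.blocked_until = now + self.cm_time      # no new associations until this time
        return dropped


def replay(cm_time, events):
    """Run (time, kind, mac) events through the model; return one outcome string per event."""
    ap = TkipCountermeasure(cm_time)
    outcomes = []
    for now, kind, mac in events:
        if kind == "assoc":
            outcomes.append("accepted" if ap.associate(now, mac) else "refused")
        elif kind == "mic_fail":
            dropped = ap.mic_failure(now)
            if dropped is None:
                outcomes.append("counted")
            else:
                outcomes.append("countermeasure: dropped " + ",".join(dropped))
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return outcomes


# Constructed event log (seconds since start, event, client MAC); not captured from a device.
SAMPLE_EVENTS = [
    (0,   "assoc",    "0014-6c8a-43ff"),
    (5,   "assoc",    "0040-96b3-8a77"),
    (10,  "mic_fail", "0014-6c8a-43ff"),
    (30,  "mic_fail", "0014-6c8a-43ff"),
    (50,  "mic_fail", "0040-96b3-8a77"),   # third failure inside 60 s
    (70,  "assoc",    "0014-6c8a-43ff"),   # inside the countermeasure window
    (115, "assoc",    "0014-6c8a-43ff"),   # window (50 s + 60 s) has ended
]

if __name__ == "__main__":
    for cm_time in (60, 0):
        print(f"TKIP CM Time = {cm_time} s")
        for event, outcome in zip(SAMPLE_EVENTS, replay(cm_time, SAMPLE_EVENTS)):
            print("  ", event, "->", outcome)
```

With a non-zero TKIP CM Time, the third failure removes both clients, including the one that reported no failure, which is the availability cost to weigh when choosing the value.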

Security settings for the crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, and then click the icon of
the target crypto type wireless service to display the page for configuring crypto type wireless service.

Figure 47 Security settings for the crypto type wireless service

Table 50 Configuration

Item Description
Authentication Type Link authentication method:
• Open-System—No authentication. With this authentication mode enabled, all clients pass
authentication.
• Shared-Key—The two parties need to have the same shared key configured for this authentication
mode. You can select this option only when WEP encryption mode is used.
• Open-System and Shared-Key—It indicates that you can select both open-system and shared-key
authentication.

Cipher Suite Encryption mechanisms supported by the wireless service:
• CCMP—Encryption mechanism based on the AES encryption algorithm.
• TKIP—Encryption mechanism based on the RC4 algorithm and dynamic key management.
• CCMP and TKIP—Indicates that you can select both CCMP and TKIP encryption.

Security IE Wireless service type (IE information carried in the beacon or probe response frame):
• WPA—Wi-Fi Protected Access, a security mechanism before the 802.11i protocol.
• WPA2—Security mechanism defined in 802.11i (also known as the "RSN security mechanism") which is
more secure than WEP and WPA.
• WPA and WPA2—Indicates that you can select both WPA and WPA2.

Encryption
WEP
• wep40—Indicates the WEP40 key option.
• wep104—Indicates the WEP104 key option.
• wep128—Indicates the WEP128 key option.

Key ID Configure the key index:
• 1—Key index 1.
• 2—Key index 2.
• 3—Key index 3.
• 4—Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding to the
specified key index is used for encrypting and decrypting broadcast and multicast frames.

Key Length Key length.
• For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal number.
• For wep104, the key is a string of 13 alphanumeric characters or a 26-digit hexadecimal number.
• For wep128, the key is a string of 16 alphanumeric characters or a 32-digit hexadecimal number.

WEP Key Configure the WEP key.

Port Security See Table 45.
Parameters such as authentication type and encryption type determine the port mode. For more
information, see Table 53.
After you select the Cipher Suite option, the following four port security modes are added:
• mac and psk—MAC-based authentication must be performed on access users first. If MAC-based
authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the
device. Access to the port is allowed only after the negotiation succeeds.
• psk—An access user must use the PSK that is pre-configured to negotiate with the device. The access
to the port is allowed only after the negotiation succeeds.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the
port supports multiple 802.1X users.

1. Configure mac and psk.

Figure 48 mac and psk port security configuration page

Table 51 Configuration

Item Description
Port Mode mac and psk—MAC-based authentication must be performed on access users first. If MAC-based
authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the
device. Access to the port is allowed only after the negotiation succeeds.

Max User Control the maximum number of users allowed to access the network through the port.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the Domain list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation
tree, click the Domain Setup tab, and enter a new domain name in the Domain Name field.
• The selected domain name applies to only the current wireless service, and all clients accessing
the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain name in use. Otherwise, the clients that access the wireless service are
logged out.

Preshared Key
• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be
displayed and is of 8 to 63 characters.
• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal
number.

2. Configure psk.
Figure 49 psk port security configuration page

Table 52 Configuration

Item Description
Port Mode psk—An access user must use the PSK that is pre-configured to negotiate with the device. The
access to the port is allowed only after the negotiation succeeds.

Max User Control the maximum number of users allowed to access the network through the port.

Preshared Key
• pass-phrase—Enter a PSK in the form of a character string. You must enter a string that can be
displayed and consists of 8 to 63 characters.
• raw-key—Enter a PSK in the form of a hexadecimal number. You must enter a valid 64-bit hexadecimal
number.

3. Configure userlogin-secure-ext.
Perform the configurations as shown in "Configure userlogin-secure/userlogin-secure-ext."
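
An added example (not HP's code) for the Preshared Key field in Tables 51 and 52: it checks both entry forms and applies the standard WPA-PSK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) that turns a pass-phrase into the key. It assumes the raw-key form is that 256-bit key written as 64 hexadecimal digits and that "can be displayed" means printable ASCII; the function names and sample entries are constructed.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)


def check_pass_phrase(pass_phrase):
    """Return the problems with a pass-phrase entry (an empty list means it is acceptable)."""
    problems = []
    if not 8 <= len(pass_phrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not (0x20 <= ord(ch) <= 0x7E) for ch in pass_phrase):
        problems.append("only displayable (printable ASCII) characters are allowed")
    return problems


def check_raw_key(raw_key):
    """Return the problems with a raw-key entry under the 64-hex-digit assumption."""
    problems = []
    if len(raw_key) != 64:
        problems.append("raw key must be 64 hexadecimal digits")
    if any(ch not in HEX_DIGITS for ch in raw_key):
        problems.append("raw key must contain only hexadecimal digits")
    return problems


def derive_raw_key(pass_phrase, ssid):
    """Map a pass-phrase to the 256-bit PSK for one SSID, returned as 64 hex digits."""
    problems = check_pass_phrase(pass_phrase)
    if problems:
        raise ValueError("; ".join(problems))
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", pass_phrase.encode("ascii"), ssid_bytes, 4096, 32)
    return key.hex()


def review_preshared_key(kind, value, ssid):
    """Validate one Preshared Key entry and report the key it would configure."""
    if kind == "pass-phrase":
        problems = check_pass_phrase(value)
        raw_key = derive_raw_key(value, ssid) if not problems else None
    elif kind == "raw-key":
        problems = check_raw_key(value)
        raw_key = value.lower() if not problems else None
    else:
        problems, raw_key = [f"unknown key type: {kind}"], None
    return {"ok": not problems, "problems": problems, "raw_key": raw_key}


# Constructed sample entries (SSID, key type, value). The pass-phrase 12345678 and the SSIDs
# research and office appear in this guide's examples; the remaining values are made up.
SAMPLE_ENTRIES = [
    ("research", "pass-phrase", "12345678"),
    ("office",   "pass-phrase", "12345678"),   # same pass-phrase, different SSID
    ("research", "pass-phrase", "1234567"),    # one character too short
    ("research", "raw-key",     "0f" * 32),    # 64 hex digits
    ("research", "raw-key",     "0f" * 8),     # 16 hex digits: rejected under the assumption
]

if __name__ == "__main__":
    for ssid, kind, value in SAMPLE_ENTRIES:
        print(ssid, kind, review_preshared_key(kind, value, ssid))
```

Because the SSID is the salt, the same pass-phrase yields a different key on each wireless service, so a raw-key value is tied to the SSID it was derived for.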

Security parameter dependencies
In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are
described in Table 53.
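Table 53 Security parameter dependencies

Service type: Clear
Authentication mode: Open-System
Encryption type: Unavailable
Security IE: Unavailable
WEP encryption/key ID: Unavailable
Port mode: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext,
userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

Service type: Crypto
Authentication mode: Open-System
Encryption type: Selected
Security IE: Required
WEP encryption/key ID: WEP encryption is available. The key ID can be 1, 2, 3, or 4
Port mode: mac and psk, psk, userlogin-secure-ext

Service type: Crypto
Authentication mode: Open-System
Encryption type: Unselected
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4
Port mode: mac-authentication

Service type: Crypto
Authentication mode: Shared-Key
Encryption type: Unavailable
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4
Port mode: mac-authentication

Service type: Crypto
Authentication mode: Open-System and Shared-Key
Encryption type: Selected
Security IE: Required
WEP encryption/key ID: WEP encryption is required. The key ID can be 2, 3 or 4
Port mode: mac and psk, psk, userlogin-secure-ext

Service type: Crypto
Authentication mode: Open-System and Shared-Key
Encryption type: Unselected
Security IE: Unavailable
WEP encryption/key ID: WEP encryption is required. The key ID can be 1, 2, 3 or 4
Port mode: mac-authentication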

Displaying wireless access service information
Displaying wireless service information
Select Interface Setup > Wireless > Summary from the navigation tree and click the name of the specified
wireless service to view the detailed information, statistics, or connection history.

Displaying detailed information about wireless service


Figure 50 Display detailed information of wireless service (clear type)

Table 54 Field description

Field Description
Service Template Number Current service template number.

SSID SSID for the ESS.

Service Template Type Service template type.

Authentication Method Type of authentication used. Wireless service of the clear type only uses open
system authentication.

SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Service Template Status Status of service template:
• Enable—Enables wireless service.
• Disable—Disables wireless service.

Maximum clients per BSS Maximum number of associated clients per BSS.

Figure 51 Display detailed information of wireless service (crypto type)

Table 55 Field description

Field Description
Service Template Number Current service template number.

SSID SSID for the ESS.

Service Template Type Service template type.

Security IE Security IE: WPA or RSN.

Authentication Method Authentication method: open system or shared key.


SSID-hide
• Disable—The SSID is advertised in beacon frames.
• Enable—Disables the advertisement of the SSID in beacon frames.

Cipher Suite Cipher suite—CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s) TKIP countermeasure time in seconds.

PTK Life Time(s) PTK lifetime in seconds.

GTK Rekey GTK rekey configured.

GTK Rekey Method GTK rekey method configured: packet based or time based.

GTK Rekey Time(s) Time for GTK rekey in seconds:
• Time—The GTK is refreshed after a specified period of time.
• Packet—The GTK is refreshed after a specified number of packets are transmitted.

Service Template Status Status of service template:
• Enable—Enables wireless service.
• Disable—Disables wireless service.

Maximum clients per BSS Maximum number of associated clients per BSS.

Displaying statistics of wireless service
Figure 52 Display wireless service statistics

Displaying connection history information of wireless service


Figure 53 Display the connection history information of wireless service

Displaying client information


Displaying client detailed information
Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab to
display the Client page. Then click the Detail Information tab on the page, and click the name of the
specified client to view the detailed information of the client.

Figure 54 Display client

Table 56 Client RSSI

Field Description
Client RSSI
: The RSSI is no greater than 20.
: The RSSI is between 20 and 30 (inclusive).
: The RSSI is between 30 and 35 (inclusive).
: The RSSI is between 35 and 40 (inclusive).
: The RSSI is greater than 40.

Table 57 Field description

Field Description
MAC address MAC address of the client.

AID Association ID of the client.

User Name Username of the client:
• The field is displayed as -NA- if the client adopts plain-text authentication or cipher-text
authentication with no username.
• The field is irrelevant to the portal authentication method. If the client uses the portal
authentication method, the field does not display the portal username of the client.

Radio Interface WLAN radio interface.

SSID SSID of the device.

BSSID MAC address of the device.

Port WLAN-DBSS interface associated with the client.

VLAN Number of the VLAN interface to which the client belongs.

State State of the client, such as running.

Power Save Mode Client's power save mode: active or sleep.

Wireless Mode Wireless mode, such as 802.11b, 802.11g, or 802.11gn.

QoS Mode Whether the device supports the WMM function.

Listen Interval (Beacon Interval) Number of times the client has been activated to listen to beacon
frames.

RSSI Received signal strength indication. This value indicates the client signal strength detected by
the AP.

SNR Signal to Noise Ratio.

Rx/Tx Rate Represents the reception/transmission rate of the last frame.

Client Type Client type, such as RSN, WPA, or Pre-RSN.

Authentication Method Authentication method, such as open system or shared key.

AKM Method AKM suite used, such as Dot1X or PSK.

4-Way Handshake State Displays the 4-way handshake state:
• IDLE—Displayed in initial state.
• PTKSTART—Displayed when the 4-way handshake is initialized.
• PTKNEGOTIATING—Displayed after valid message 3 was sent.
• PTKINITDONE—Displayed when the 4-way handshake is successful.

Group Key State Displays the group key state:
• IDLE—Displayed in initial state.
• REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
• REKEYESTABLISHED—Displayed when re-keying is successful.

Encryption Cipher Encryption cipher: clear or crypto.

Roam Status Displays the roam status: Normal or Fast Roaming.

Up Time Time for which the client has been associated with the device.

Table 58 Field description

Field Description
Refresh Refresh the current page.

Add to Blacklist Add the selected client to the static blacklist, which you can display by selecting
Security > Filter from the navigation tree.

Reset Statistic Delete all items in the list, or clear all statistics.

Disconnect Log off the selected client.

Displaying client statistics


Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab to
display the Client page. Click the Statistic Information tab on the page, and click the name of the
specified client to view the statistics of the client.
Figure 55 Display client statistics

Table 59 Field description

Field Description
AP Name Name of the associated access point.

Radio Id Radio ID.

SSID SSID of the device.

BSSID MAC address of the device.

MAC Address MAC address of the client.

RSSI Received signal strength indication. This value indicates the client signal strength detected by
the device.

Transmitted Frames Number of transmitted frames.

Back Ground(Frames/Bytes) Statistics of background traffic, in frames or in bytes.

Best Effort(Frames/Bytes) Statistics of best effort traffic, in frames or in bytes.

Video(Frames/Bytes) Statistics of video traffic, in frames or in bytes.

Voice(Frames/Bytes) Statistics of voice traffic, in frames or in bytes.

Received Frames Number of received frames.

Discarded Frames Number of discarded frames.

Displaying RF ping information


RF ping is a ping function performed on wireless links. This function enables you to get the connection
information between the AP and its associated clients, such as signal strength, packet re-transmission
attempts, and RTT.
Select Summary > Client from the navigation tree to display the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client.
Figure 56 View link test information

Table 60 Field description

Field Description
No./MCS
• Rate number for a non-802.11n client.
• MCS value for an 802.11n client.
Rate(Mbps) Rate at which the radio interface sends wireless ping frames.

TxCnt Number of wireless ping frames that the radio interface sent.

RxCnt Number of wireless ping frames that the radio interface received from the client.

RSSI Received signal strength indication. This value indicates the client signal strength detected by
the AP.

Retries Total number of retransmitted ping frames.

RTT(ms) Round-trip time.

Wireless access configuration examples
Wireless service configuration example
Network requirements
As shown in Figure 57, enable the wireless function on the device to enable the client to access the
internal network resources at any time. The device provides plain-text wireless access service with SSID
service1. 802.11g is adopted.
Figure 57 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 58 Create a wireless service

a. Select the radio unit 1.


b. Set the service name to service1.
c. Select the wireless service type clear.
d. Click Apply.
2. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling wireless service.

Figure 59 Enable the wireless service

a. Set the service1 option.


b. Click Enable.
3. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Access Service from the navigation tree to display the Radio Setup
page. Make sure that 802.11g radio is enabled.
Figure 60 Enable 802.11g radio

Verifying the configuration


To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree, and then
click the Client tab.

Configuration guidelines
Follow these guidelines when you configure a wireless service:
• Select a correct district code.
• Make sure that the radio unit is enabled.

Access service-based VLAN configuration example


Network requirements
An AP can provide multiple wireless access services. Different wireless access services can use different
wireless security policies and can be bound to different VLANs to implement wireless access user
isolation.
As shown in Figure 61, configure wireless VLANs to satisfy the following requirements:
• Set up a wireless access service named research, and configure it to use the PSK authentication.
Clients that access the wireless network are in VLAN 2.
• Set up a wireless access service named office, and configure it to use the clear text authentication.
Clients that access the wireless network are in VLAN 3.

Figure 61 Network diagram

(Diagram elements: IP network; router; SSID research, VLAN 2, client 0040-96b3-8a77; SSID office,
VLAN 3, client 0014-6c8a-43ff.)

Configuration procedure
1. Configure a wireless service named research.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to display the
page for creating a wireless service.
a. Configure the name of the wireless service as research.
b. Select the wireless service type crypto.
c. Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can perform the VLAN settings (before this operation, select Network > VLAN and create
VLAN 2 first).
Figure 62 Set the VLANs

a. Enter 2 in the VLAN (Untagged) field.


b. Enter 2 in the Default VLAN field.
c. Enter 1 in the Delete VLAN field.

NOTE:
For PSK-related configuration, see "PSK authentication configuration example." You can strictly follow
the configuration example to configure the PSK configuration.

2. Configure a wireless service named office.


# Create a wireless service.

Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to display the
page for creating a wireless service.
a. Configure the wireless service name as office.
b. Select the wireless service type clear.
c. Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can configure the VLANs (first select Network > VLAN from the navigation tree, and create
VLAN 3).
Figure 63 Set the VLANs

a. Enter 3 in the VLAN (Untagged) field.


b. Enter 3 in the Default VLAN field.
c. Enter 1 in the Delete VLAN field.
d. Click Apply.
3. Verify the configuration.
To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree, and then
click the Client tab.
On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in VLAN 3,
while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2. Because the two
clients are in different VLANs, they cannot access each other.

PSK authentication configuration example


Network requirements
As shown in Figure 64, the client accesses the wireless network by passing PSK authentication. The PSK
key configuration on the client is the same as that on the AP (12345678).
Figure 64 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.

Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 65 Create a wireless service

a. Set the service name to psk.


b. Select the wireless service type crypto.
c. Click Apply.
2. Configure PSK authentication.
After you create a wireless service, the wireless service configuration page is displayed. Perform security
setup when configuring PSK authentication.
Figure 66 Security setup

a. Select Open-System from the Authentication Type list.


b. Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and
then select WPA from the Security IE list.
c. Select the Port Set option, and select psk from the Port Mode list.
d. Select pass-phrase from the Preshared Key list, and enter the key 12345678.
e. Click Apply.

3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling a wireless service.
Figure 67 Enable the wireless service

a. Select the psk option.


b. Click Enable.
4. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g radio is enabled.
5. Configure the client.
Launch the client, and refresh the network list. Select the configured service in Choose a wireless network
(PSK, in this example), and click Connect. In the dialog box that appears, enter the key (12345678, in
this example), and then click Connect.

Figure 68 Configure the client

The client has the same preshared key as the AP, so the client can associate with the AP.

Figure 69 The client is associated with the AP

Verifying the configuration


• The same preshared key is configured on the client. The client can successfully associate with
the device and can access the WLAN.
• To view the online clients, select Interface Setup > Wireless > Access Service from the navigation
tree, and then click the Client tab.

Local MAC authentication configuration example


Network requirements
As shown in Figure 70, perform MAC authentication on the client.
Figure 70 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.

Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 71 Create a wireless service

a. Select the radio unit 1.


b. Set the service name to mac-auth.
c. Select the wireless service type clear.
d. Click Apply.
2. Configure local MAC address authentication.
After you have created a wireless service, the wireless service configuration page is displayed. Perform
security setup when configuring MAC authentication.
Figure 72 Security setup

a. Select Open-System from the Authentication Type list.


b. Select the Port Set option, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication option, and select system from the Domain list.

d. Click Apply.
3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling a wireless service.
Figure 73 Enable the wireless service

a. Select the mac-auth option.


b. Click Enable.
4. Configure a MAC authentication list.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click MAC
Authentication List to display the page for configuring a MAC authentication list.
Figure 74 Add a MAC authentication list

a. Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example.
b. Click Add.
5. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g is enabled.
6. Configure the client.
Launch the client, and refresh the network list. Select the configured service in Choose a wireless network
(mac-auth, in this example), and click Connect. If the MAC address of the client is in the MAC address list,
the client can pass MAC authentication and access the wireless network.

Figure 75 Configure the client

Verifying the configuration


If the MAC address of the client is in the MAC authentication list, the client can pass authentication and
access the WLAN network. Select Interface Setup > Wireless > Access Service from the navigation tree
and then click the Client tab to view the online clients.

Remote MAC authentication configuration example


Network requirements
Perform remote MAC authentication on the client.
• Use the iMC as the RADIUS server for AAA. On the RADIUS server, configure the client's username
and password as the MAC address of the client and the shared key as expert. The IP address of the
RADIUS server is 10.18.1.88.

• The IP address of the device is 10.18.1.1. On the device, configure the shared key for
communication with the RADIUS server as expert, and configure the device to remove the domain
name of a username before sending it to the RADIUS server.
Figure 76 Network diagram
(Diagram elements: RADIUS server 10.18.1.88; switch; IP network; router 10.18.1.1; client on SSID
mac-auth.)

Configuration procedure
1. Configure wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Create to
display the page for creating a wireless service.
Figure 77 Create a wireless service

a. Select radio unit 1.


b. Set the wireless service name as mac-auth.
c. Select the wireless service type clear.
d. Click Apply.
2. Configure MAC authentication.
After you create a wireless service, the wireless service configuration page is displayed. Then you can
configure MAC authentication on the Security Setup area.

Figure 78 Security setup

a. Select Open-System from the Authentication Type list.


b. Select the Port Set option, and select mac-authentication from the Port Mode list.
c. Select the MAC Authentication option, and select system from the Domain list.
d. Click Apply.
3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page shown in
the following figure.
Figure 79 Enable the wireless service

a. Select the mac-auth option.


b. Click Enable.
4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g is enabled.
5. Configure the RADIUS server (iMC v5).
The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic
configuration of the RADIUS server.
# Add an access device.

Log in to the iMC management platform. Select the Service tab, and select User Access Manager > Access
Device Management from the navigation tree to display the access device configuration page. Click Add
on the page to display the configuration page shown in Figure 80:
a. Enter the shared key 12345678. Keep the default values for other parameters.
b. Select or manually add the access device with the IP address 10.18.1.1.

Figure 80 Add access device

# Add a service.
Select the Service tab, and select User Access Manager > Service Configuration from the navigation tree to
display the page for adding a service. Then click Add on the page to display the following configuration
page. Set the service name to mac, and keep the default values for other parameters.
Figure 81 Add service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to display the user
page. Then, click Add on the page to display the page as shown in Figure 82.
a. Enter username 00-14-6c-8a-43-ff.
b. Set the account name and password both to 00-14-6c-8a-43-ff.
c. Select the service mac.

Figure 82 Add account

Verifying the configuration


During authentication, the user does not need to enter the username or password. After passing MAC
authentication, the client can associate with the device and access the WLAN. View the online clients by
selecting Interface Setup > Wireless > Summary from the navigation tree and then clicking the Client tab.

Remote 802.1x authentication configuration example


Network requirements
Perform remote 802.1X authentication on the client.
• Use the iMC as a RADIUS server for AAA. On the RADIUS server, configure the client's username as
user, password as dot1x, and shared key as expert. The IP address of the RADIUS server is
10.18.1.88.
• On the device, configure the shared key as expert, and configure the device to remove the domain
name of a username before sending it to the RADIUS server. The IP address of the device is
10.18.1.1.

Figure 83 Network diagram

Configuration procedure
1. Configure wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 84 Create a wireless service

a. Select radio unit 1.


b. Set the service name as dot1x.
c. Select the wireless service type crypto.
d. Click Apply.
2. Configure 802.1X authentication.
After you create a wireless service, the wireless service configuration page is displayed. Then you can
configure 802.1X authentication on the Security Setup area.

Figure 85 Security setup

a. Select Open-System from the Authentication Type list.


b. Select the Cipher Suite option, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
c. Select the Port Set option, and select userlogin-secure-ext from the Port Mode list.
d. Select system from the Mandatory Domain list.
e. Select EAP from the Authentication Method list.
f. Disable Handshake and Multicast Trigger (recommended).
g. Click Apply.
3. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree.
a. Select the dot1x option.
b. Click Enable.
4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to display the Radio page. Make sure
that 802.11g is enabled.
5. Configure the RADIUS server (iMC v5).
The following takes the iMC (iMC PLAT 5.0 and iMC UAM 5.0) as an example to illustrate the basic
configuration of the RADIUS server.
# Add an access device.
Log in to the iMC management platform. Select the Service tab, and then select User Access Manager >
Access Device Management from the navigation tree to display the access device configuration page.
Click Add on the page to display the configuration page shown in Figure 86:
a. Enter the shared key 12345678. Keep the default values for other parameters.
b. Select or manually add the access device with the IP address 10.18.1.1.

Figure 86 Add access device

# Add a service.
Select the Service tab, and then select User Access Manager > Service Configuration from the navigation
tree to display the Add Service Configuration page. Then click Add on the page to display the following
configuration page.
a. Set the service name to dot1x.
b. Set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN.

Figure 87 Add a service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to display the user
page. Then, click Add on the page to display the page shown in Figure 88.
a. Enter username user.
b. Set the account name to user and password to dot1x.
c. Select the service dot1x.

Figure 88 Add account

6. Configure the wireless card.

Double-click the icon at the bottom right corner of your desktop. The Wireless Network Connection
Status window appears. Click the Properties button on the General tab. The Wireless Network Connection
Properties window appears. On the Wireless Networks tab, select the wireless network with the SSID
dot1x, and then click Properties. The dot1x Properties window appears. Then, on the Authentication
tab, select Protected EAP (PEAP) from the EAP type list, and click Properties. In the window that
appears, clear Validate server certificate, and click Configure. In the dialog box that appears, clear
Automatically use my Windows logon name and password (and domain if any). With Validate server
certificate cleared, the client does not verify the identity of the RADIUS server during PEAP. The
configuration procedure is shown in Figure 89 through Figure 91.

Figure 89 Configure the wireless card (I)

Figure 90 Configure the wireless card (II)

Figure 91 Configure the wireless card (III)

Verifying the configuration


• After you enter username user and password dot1x in the dialog box that appears, the client can
associate with the device and access the WLAN.
• To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree,
and then click the Client tab.

802.11n configuration example


Network requirements
As shown in Figure 92, configure the 802.11n-capable AP to allow the 802.11n client to access the
wireless network at a high rate.
Figure 92 Network diagram

Configuration procedure
1. Configure a wireless service.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and then click Add to display
the page for creating a wireless service.
Figure 93 Create a wireless service

a. Select the radio unit 1.


b. Set the service name to 11nservice.
c. Select the wireless service type clear.
d. Click Apply.
2. Enable the wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree to display the page for
enabling a wireless service.
Figure 94 Enable the wireless service

a. Select the 11nservice option.


b. Click Enable.
3. Enable 802.11n(2.4GHZ) radio. (By default, 802.11n(2.4GHZ) radio is enabled. Therefore, this
step is optional.)

Verifying the configuration


• To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree,
and then click the Client tab.
• Among these online clients, 0014-6c8a-43ff is an 802.11g client, and 001e-c144-473a is an
802.11n client. In this example, client types are not restricted. Therefore, both 802.11g and
802.11n clients can access the wireless network. If Client 802.11n Only is configured, only
001e-c144-473a can access the wireless network.

Configuration guidelines
When you configure 802.11n, follow these guidelines:
• Select Interface Setup > Wireless > Radio from the navigation tree, select the radio unit to configure,
and click the corresponding icon to display the radio configuration page. On that page, you
can modify the 802.11n-related parameters, including Bandwidth Mode, A-MSDU, A-MPDU, Short
GI, and Client 802.11n Only (permitting only 802.11n users to access the wireless network).
• Make sure that 802.11n(2.4GHZ) is enabled.
• Select Interface Setup > Wireless > Radio from the navigation tree to modify the 802.11n rate.

Configuring client mode

In client mode, a router accesses the wireless network as a client. Multiple hosts or printers in the wired
network can access the wireless network through the router.
Figure 95 Client mode

Enabling the client mode


Select Interface Setup > Wireless Service > Client Mode from the navigation tree, and then click Connect
Setup.
Figure 96 Enable the client mode

Select the radio unit to enable, and then click Enable.

NOTE:
• Support for radio mode types depends on your device model.
• You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
• To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target radio, and
change the radio mode using the Radio Mode option.
• If the 802.11(2.4GHz) client mode is used, the client can scan 802.11(2.4GHz) wireless services.

With the client mode enabled, you can check the existing wireless services in the wireless service list.
Figure 97 Check the wireless service list

Connecting the wireless service


1. Method 1:
Click the Connect icon of the wireless service in the wireless service list, and a SET CODE dialog box
appears, as shown in Figure 98.
Figure 98 Set a code

The following authentication modes are supported:
• Open System
• Shared key
• RSN + PSK
Table 61 Configuration

Item Description
AuthMode Specify the network authentication mode:
• Open System—Open system authentication (no authentication).
• Shared Key—Shared key authentication, which requires the client and the device to be
configured with the same shared key.
• RSN+PSK—PSK authentication.

CipherSuite Set the data encryption mode:
• Clear—No encryption.
• WEP—WEP encryption.
• TKIP/CCMP—TKIP/CCMP encryption.

Password Configure the WEP key.

KeyID There are four static keys in WEP. Their key indexes are 1, 2, 3, and 4. The key
corresponding to the specified key index is used for encrypting and decrypting frames.

2. Method 2:
You can also specify the wireless service to connect to by entering its name on the page that is
displayed after you click the Connect icon of the wireless service.
Figure 99 Associate the specified wireless service

Enter the specified wireless service in the Wireless Service Name field, and click Connect. Then the dialog
box in Figure 98 appears. Set the options on the dialog box according to the specified wireless service
type.

Displaying statistics
Select Interface Setup > Wireless Service > Client Mode from the navigation tree, and click Statistic
Information to display the page shown in Figure 100.

Figure 100 Display statistics

Client mode configuration example


Network requirements
As shown in Figure 101, the router accesses the wireless network as a client. The Ethernet interface of the
router connects to multiple hosts or printers in the wired network, and the wired network is connected to
the wireless network through the router.
• The AP accesses the wired LAN, and the router accesses the AP as a client.
• The router accesses the wireless service psk by passing the RSN(CCMP)+PSK authentication.
• The client with MAC address 0014-6c8a-43ff also accesses the wireless service psk.
Figure 101 Network diagram

(Diagram labels: Internet, Gateway, AP, Router, Client, PC, Printer; the wireless links are labeled PSK.)

Configuration procedure
1. Enable the client mode.
Select Interface Setup > Wireless Service > Client Mode from the navigation tree, and click Connect Setup
to display the page shown in Figure 102.
Figure 102 Enable the client mode

Select the option corresponding to 802.11g, and click Enable. With the client mode enabled, you can
check the existing wireless services in the wireless service list.
Figure 103 Check the wireless service list

2. Connect the wireless service.


Click the Connect icon of the wireless service psk in the wireless service list, and a SET CODE dialog box
appears, as shown in Figure 104.
Figure 104 Set a code

a. Specify the AuthMode as RSN+PSK.

b. Specify the CipherSuite as CCMP/AES.
c. Set the Password to that on the AP, 12345678.
d. Click Apply.

Verifying the configuration


On the AP shown in Figure 101, select Interface Setup > Wireless Service > Summary > Client from the
navigation tree to display the page shown in Figure 105, where you can check whether the router is
online.
Figure 105 Check that the workgroup bridge is online

• You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address
000f-e2333-5510 have been successfully associated with the AP.
• The wired devices on the right (such as printers and PCs) can access the wireless network through
the router.

Configuration guidelines
As shown in Figure 106, if the router uses two radio interfaces at the same time, the client connecting to
radio 2 can access the AP through the router.
Figure 106 Network diagram

Configuring radios

802.11b/g/n operate in the 2.4 GHz band. Each band can be divided into multiple channels for wireless
communication. You can configure and adjust the channels to achieve optimal performance.
To configure a radio, select Interface Setup > Wireless > Radio from the navigation tree to display the
Radio page, select the AP you want, and then click the icon to display the AP radio setup
page.
Figure 107 Radio setup

Table 62 Configuration

Item Description
Radio Unit Display the selected radios.

Radio Mode Display the selected radio mode.

Transmit Power Maximum radio transmission power, which varies with country codes,
channels, radio modes, and antenna types. If you adopt the 802.11n mode,
the maximum transmit power of the radio also depends on the bandwidth
mode.

Channel Specify the working channel of the radio, which varies with radio types and
country codes.
auto—The working channel is automatically selected. If you select this mode,
the AP checks the channel quality in the WLAN network and selects the
channel of the best quality as its working channel.
If you modify the working channel configuration, the transmit power is
automatically adjusted.

802.11n The option is available only when the device supports 802.11n.

bandwidth mode 802.11n can bond two adjacent 20-MHz channels together to form a
40-MHz channel. During data forwarding, the two 20-MHz channels can
work separately with one acting as the primary channel and the other acting
as the secondary channel, or they can work together as a 40-MHz channel.
This provides a simple way of doubling the data rate.
By default, the channel bandwidth of the 802.11n radio (2.4GHz) is 20
MHz.
NOTE:
• If the channel bandwidth of the radio is set to 40 MHz, a 40 MHz
channel is used as the working channel. If no 40 MHz channel is
available, a 20 MHz channel is used. For the specifications, see IEEE
P802.11n D2.00.
• If you modify the bandwidth mode configuration, the transmit power is
automatically adjusted.

client dot11n-only If you select the client dot11n-only option, non-802.11n clients are
prohibited from access. To provide access for all 802.11b/g clients, disable
this function.

A-MSDU Selecting the A-MSDU option enables A-MSDU.
Multiple MSDUs can be aggregated into a single A-MSDU. This reduces the
MAC header overhead and improves MAC layer forwarding efficiency.
Only A-MSDUs can be received.
NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the
same A-MSDU configuration.

A-MPDU Selecting the A-MPDU option enables A-MPDU.
802.11n introduces the A-MPDU frame format. By using only one PHY
header, each A-MPDU can accommodate multiple MPDUs, which have their
PHY headers removed. This reduces the overhead in transmission and the
number of ACK frames to be used, improving network throughput.
NOTE:
When 802.11n radios are used in a mesh WLAN, make sure that they have the
same A-MSDU configuration.

short GI Selecting the short GI option enables short GI.
Delays may occur during receiving radio signals due to factors like multi-path
reception. Therefore, a subsequently sent frame may interfere with a
previously sent frame. The GI function is used to avoid such interference. It
increases the throughput by 10 percent.
The short GI function is independent of bandwidth and supports both 20MHz
and 40MHz bandwidths.

Figure 108 Radio setup (advanced setup)

Table 63 Configuration

Item Description
Preamble Preamble is a pattern of bits at the beginning of a frame so that the receiver
can sync up and be ready for the real data. There are two different kinds of
preambles:
• Short preamble—A short preamble improves network performance.
Therefore, this option is always selected.
• Long preamble—A long preamble ensures compatibility between access
point and some legacy client devices. Therefore, you can select this
option to make legacy client devices support short preamble.

Transmit Distance Maximum coverage of a radio.

ANI After the ANI function is enabled, the device automatically adjusts the noise
immunity level according to the surrounding signal environment to eliminate
RF interference.
• Enable—Enables ANI.
• Disable—Disables ANI.

Client Max Count Maximum number of clients that can be associated with one radio.

Fragment Threshold Specify the maximum length of frames that can be transmitted without
fragmentation. When the length of a frame exceeds the specified fragment
threshold value, it is fragmented.
• In a wireless network where error rate is high, you can decrease the
fragment threshold by a rational value. In this way, when a fragment of a
frame is not received, only this fragment has to be retransmitted rather
than the whole frame. Therefore, the throughput of the wireless network is
improved.
• In a wireless network where no collision occurs, you can increase the
fragment threshold by a rational value to decrease acknowledgement
packets, increasing network throughput.

Beacon Interval Interval for sending beacon frames. Beacon frames are transmitted at a
regular interval to allow mobile clients to join the network. Beacon frames
are used for a client to identify nearby APs or network control devices.

RTS Threshold RTS threshold length. If a frame is larger than this value, the RTS mechanism
is used.
RTS is used to avoid data collisions in a WLAN.
A smaller RTS threshold causes RTS packets to be sent more often, consuming
more available bandwidth. However, the more often RTS packets are sent,
the quicker the system can recover from interference or collisions.
In a high-density WLAN, you can decrease the RTS threshold by a rational
value to reduce collisions in the network.
NOTE:
The RTS mechanism occupies bandwidth. Therefore, this mechanism applies only
to data frames larger than the RTS threshold.

DTIM Period Number of beacon intervals between DTIM transmissions. The device sends
buffered broadcast/multicast frames when the DTIM counter reaches 0.

Long Retry Threshold Number of retransmission attempts for unicast frames larger than the RTS
threshold.

Short Retry Threshold Number of retransmission attempts for unicast frames smaller than the RTS
threshold if no acknowledgment is received for it.

Max Receive Duration Interval for which a frame received by a device can stay in the buffer
memory.

Configuring data transmit rates
Configuring 802.11b/802.11g rates
Select Interface Setup > Wireless > Radio from the navigation tree, and then click the Rate tab to display
the page shown in Figure 109.
Figure 109 Set 802.11a/802.11b/802.11g rates

Table 64 Configuration

Item Description
802.11b Configure rates (in Mbps) for 802.11b.
By default:
• Mandatory rates—1 and 2.
• Supported rates—5.5 and 11.
• Multicast rate—Automatically selected from the mandatory rates. The
transmission rate of multicasts in a BSS is selected from the mandatory
rates supported by all clients.

802.11g Configure rates (in Mbps) for 802.11g.
By default:
• Mandatory rates—1, 2, 5.5, and 11.
• Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.
• Multicast rate—Automatically selected from the mandatory rates. The
transmission rate of multicasts in a BSS is selected from the mandatory
rates supported by all clients.

Configuring 802.11n MCS
Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum MCS
index.
Select Interface Setup > Wireless > Radio from the navigation tree, and then click the Rate tab to display
the page shown in Figure 110.
Figure 110 Set 802.11n rate

Table 65 Configuration

Item Description
Mandatory Maximum MCS Set the maximum MCS index for 802.11n mandatory rates.
NOTE:
If you select the client dot11n-only option, you must configure the mandatory
maximum MCS.

Multicast MCS Set the multicast MCS for 802.11n.
The multicast MCS is adopted only when all clients use 802.11n. If a
non-802.11n client exists, multicast traffic is transmitted at a mandatory MCS
data rate.
NOTE:
When the multicast MCS takes effect, the corresponding data rates defined for
20 MHz are adopted regardless of whether the 802.11n radio operates in 40
MHz mode or in 20 MHz mode.

Supported Maximum MCS Set the maximum MCS index for 802.11n supported rates.

NOTE:
For more information about MCS, see HP A-MSR Router Series WLAN Configuration Guide.

Displaying radio
Displaying wireless services bound to a radio
Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Radio tab. Click
the specified radio unit, and then click the Wireless Service tab to view the wireless services bound to the
radio.
Figure 111 Display wireless services bound to the radio

NOTE:
The Noise Floor item in the table indicates various random electromagnetic waves during the wireless
communication. For the environment with a high noise floor, you can improve the SNR by increasing the
transmit power or by reducing the noise floor.

Displaying detailed radio information


Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Radio tab. Click
the specified radio unit, and then click the Detail Info tab to view the corresponding detailed information.

Figure 112 Display detailed radio information

Table 66 Field description

Field Description
WLAN-Radio1/0 current state: UP State of the radio interface.

IP Packet Frame Type Output frame encapsulation type.

Hardware Address MAC address of the radio interface.

Radio-type dot11g WLAN protocol type used by the interface.

channel Channel used by the interface. The keyword auto
means that the channel is automatically selected.
If the channel is manually configured, the field is
displayed in the format of channel
configured-channel.

power(dBm) Transmit power of the interface (in dBm).

Received: 2 authentication frames, 2 association frames
Number of authentication and association frames received.

Sent out: 2 authentication frames, 2 association frames
Number of authentication and association frames sent.

Stations: 0 associating, 2 associated
Number of stations being associated and stations having been associated.

Input : 70686 packets, 6528920 bytes
: 255 unicasts, 34440 bytes
: 70461 multicasts/broadcasts, 6494480 bytes
: 0 fragmented
: 414 discarded, 26629 bytes
: 0 duplicates, 3785 FCS errors
: 0 decryption errors
Input packet statistics of the interface:
• Number of packets, number of bytes
• Number of unicast packets, number of bytes of unicast packets
• Number of multicasts/broadcast packets, number of bytes of multicasts/broadcast packets
• Number of fragmented packets
• Number of discarded packets, number of discarded bytes
• Number of duplicate frames, number of FCS errors
• Number of encryption errors

Output: 3436 packets, 492500 bytes
: 3116 unicasts, 449506 bytes
: 320 multicasts/broadcasts, 42994 bytes
: 0 fragmented
: 948 discarded, 100690 bytes
: 0 failed RTS, 1331 failed ACK
: 4394 transmit retries, 1107 multiple transmit retries
Output packet statistics of the interface:
• Number of packets, number of bytes
• Number of unicast packets, number of bytes of unicast packets
• Number of multicasts/broadcast packets, number of bytes of multicasts/broadcast packets
• Number of fragmented packets
• Number of discarded packets, number of discarded bytes
• Number of failed RTS packets, number of failed ACK packets
• Number of retransmitted frames, number of transmission retries

Configuring WLAN security

When it comes to security, a WLAN is inherently weaker than a wired LAN because all wireless devices
use the air as the transmission medium. This means that the data transmitted by one device can be received
by any other device within the coverage of the WLAN. To enhance WLAN security, you can use
whitelists, blacklists, and user isolation to control user access and behavior.

Blacklist and whitelist


You can configure the blacklist and whitelist functions to filter frames from WLAN clients, thereby
implementing client access control.
The WLAN client access control is accomplished through the following types of lists:
• Whitelist—Contains the MAC addresses of all clients allowed to access the WLAN. If the whitelist is
used, only permitted clients can access the WLAN, and all frames from other clients are discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
manually configured.
• Dynamic blacklist—Contains MAC addresses of clients whose frames are to be dropped. A client is
dynamically added to the list if it is considered to be sending attacking frames, and it remains on
the list until the timer of the entry expires.
When a device receives an 802.11 frame, it checks the source MAC address of the frame and processes
the frame as follows:
1. If the whitelist is used and the source MAC address does not match any entry in it, the frame is
dropped. If there is a match, the frame is considered valid and is further processed.
2. If no whitelist entries exist, the static and dynamic blacklists are searched.
• If the source MAC address matches an entry in either of the two lists, the frame is dropped.
• If there is no match or if no blacklist entries exist, the frame is considered valid and is further
processed.
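
The lookup order described above, written out as an added Python example (not HP's implementation and not code from this guide). The class and method names, the 300-second lifetime, and dropping frames with a malformed source address are assumptions; the two MAC addresses are the ones used in the examples earlier in this guide, and the flood detector that feeds the dynamic blacklist is not modelled.

```python
import re
from dataclasses import dataclass, field

_MAC_RE = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Reduce 0014-6c8a-43ff, 00:14:6c:8a:43:ff or 00-14-6C-8A-43-FF to 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not _MAC_RE.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class ClientFilter:
    """Hypothetical model of the whitelist / static blacklist / dynamic blacklist check."""
    lifetime: float = 300.0           # assumed lifetime of a dynamic entry, in seconds
    dynamic_enabled: bool = False     # models the Dynamic Blacklist Enable/Disable option
    whitelist: set = field(default_factory=set)
    static_blacklist: set = field(default_factory=set)
    dynamic_blacklist: dict = field(default_factory=dict)   # MAC -> expiry time

    def allow(self, mac: str) -> None:
        self.whitelist.add(normalize_mac(mac))

    def block(self, mac: str) -> None:
        self.static_blacklist.add(normalize_mac(mac))

    def report_attacker(self, mac: str, now: float) -> None:
        """Hook for a flood detector (not modelled here) to add a dynamic entry."""
        if self.dynamic_enabled:
            self.dynamic_blacklist[normalize_mac(mac)] = now + self.lifetime

    def _expire(self, now: float) -> None:
        # Remove dynamic entries whose timer has run out.
        for mac in [m for m, t in self.dynamic_blacklist.items() if t <= now]:
            del self.dynamic_blacklist[mac]

    def decide(self, src_mac: str, now: float) -> tuple:
        """Return (verdict, reason) for a frame with the given source MAC."""
        try:
            mac = normalize_mac(src_mac)
        except ValueError:
            return ("drop", "malformed source MAC")   # assumption: fail closed
        self._expire(now)
        # Step 1: if any whitelist entry exists, only the whitelist decides.
        if self.whitelist:
            if mac in self.whitelist:
                return ("accept", "whitelist match")
            return ("drop", "not in whitelist")
        # Step 2: no whitelist entries, so both blacklists are searched.
        if mac in self.static_blacklist:
            return ("drop", "static blacklist")
        if mac in self.dynamic_blacklist:
            return ("drop", "dynamic blacklist")
        return ("accept", "no list matched")


def demo() -> list:
    """Run constructed frames through the filter and return the verdicts."""
    f = ClientFilter(dynamic_enabled=True)
    f.block("0014-6c8a-43ff")
    f.report_attacker("001e-c144-473a", now=0.0)
    out = [
        f.decide("00:14:6C:8A:43:FF", now=10.0),   # same client, different notation
        f.decide("001e-c144-473a", now=299.0),     # dynamic entry still live
        f.decide("001e-c144-473a", now=300.0),     # lifetime expired, entry removed
    ]
    # Once a whitelist entry exists, the blacklists are no longer searched, so a
    # MAC that is on both lists is accepted under the order described in the text.
    f.allow("001e-c144-473a")
    f.block("001e-c144-473a")
    out.append(f.decide("001e-c144-473a", now=400.0))
    out.append(f.decide("0014-6c8a-43ff", now=400.0))
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth verdict shows a consequence of the stated order that is easy to miss when auditing a configuration: adding a single whitelist entry takes both blacklists out of the decision.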

Configuring the blacklist and whitelist functions


Configuring dynamic blacklist
Select Interface Setup > Wireless > Security from the navigation tree, and then click the Blacklist tab to
display the dynamic blacklist configuration page.

Figure 113 Dynamic blacklist configuration page

Table 67 Configuration

Item Description
Dynamic Blacklist • Enable—Enables dynamic blacklist.
• Disable—Disables dynamic blacklist.
NOTE:
Before enabling the dynamic blacklist function, select the Flood Attack Detect option
in the WIDS Setup page.

Lifetime Configure the lifetime of the entries in the blacklist. When the lifetime of an entry
expires, the entry is removed from the blacklist.

NOTE:
These attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood, Disassoc-Flood,
ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.

Configuring static blacklist
On the blacklist configuration page shown in Figure 113, click the Static tab to display the static blacklist
configuration page shown in Figure 114. Click Add Static to display the static blacklist configuration
page.
Figure 114 Static blacklist configuration

Table 68 Configuration

Item Description
MAC Address If you select this option, add a MAC address to the static blacklist.

Select Current Connect Client If you select this option, the table below it lists the current existing clients. Select
the options of the clients to add their MAC addresses to the static blacklist.

Configuring whitelist
Select Interface Setup > Wireless > Security from the navigation tree, and then click the Whitelist tab.
Click Add to display the whitelist configuration page.
Figure 115 Whitelist configuration

Table 69 Configuration

Item Description
MAC Address If you select this option, add a MAC address to the whitelist.

Select Current Connect Client If you select this option, the table below it lists the current existing clients. Select
the checkboxes for the clients to add their MAC addresses to the whitelist.

User isolation
If a device has the user isolation feature enabled, clients associated with it are isolated at Layer 2.
As shown in Figure 116, after user isolation is enabled on the device, no clients can ping each other or
learn each other's MAC or IP addresses, because they cannot exchange Layer 2 packets.
Figure 116 Network diagram

Configuring user isolation
Select Interface Setup > Wireless > Security from the navigation tree, and then click the User Isolate tab to
display the page shown in Figure 117.
Figure 117 User isolation configuration

Table 70 Configuration item

Item Description
User Isolate • Enable—Enables user isolation on the AP to isolate the clients associated with
it at Layer 2.
• Disable—Disables the user isolation.
By default, wireless user isolation is disabled.

Configuring WLAN QoS

An 802.11 network offers wireless access based on the CSMA/CA channel contention. All clients
accessing the WLAN have equal channel contention opportunities, and all applications carried on the
WLAN use the same channel contention parameters. A live WLAN, however, is required to provide
differentiated access services to address diversified requirements of applications for bandwidth, delay,
and jitter.
To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN
architecture.
While IEEE 802.11e was being standardized, Wi-Fi Alliance defined the WMM standard to allow QoS
provision devices of different vendors to interoperate. WMM makes a WLAN network capable of
providing QoS services.

NOTE:
For introduction to the WLAN QoS terminology and the WMM protocol, see HP A-MSR Router Series
WLAN Configuration Guide.

Configuring wireless QoS


Enabling wireless QoS
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and click the QoS Service tab
to display the wireless QoS page.
Figure 118 Wireless QoS

Select the radio unit to configure, and click Enable. By default, wireless QoS is enabled.

NOTE:
The WMM protocol is the foundation of the 802.11n protocol. Therefore, when the radio works in
802.11n (2.4 GHz) radio mode, you must enable WMM. Otherwise, the associated 802.11n clients may
fail to communicate.

Setting the SVP service
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then select QoS Service to display the page for displaying wireless QoS.
Figure 119 Wireless QoS

Find the radio you want in the AP list, and then click the icon in the Operation column to display the
page for setting SVP mapping.
Figure 120 Set the SVP mapping AC

Table 71 Configuration

Item Description
Radio Display the selected radio.

SVP Mapping Select the SVP Mapping option, and then select the mapping AC to be used
by the SVP service:
• AC-VO
• AC-VI
• AC-BE
• AC-BK

NOTE:
SVP mapping applies only to non-WMM client access.

Setting CAC admission policy
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then click the QoS Service tab. Click the corresponding icon of the radio you want in the Operation
column to display the page for setting CAC admission policy.
Figure 121 Set CAC admission policy

Table 72 Configuration

Item Description
Client Number Users-based admission policy (maximum number of clients allowed to be
connected). A client is counted only once, even if it is using both AC-VO and
AC-VI.
By default, the users-based admission policy applies, with the maximum
number of users being 20.

Channel Utilization Channel utilization-based admission policy (the rate of the medium time of
the accepted AC-VO and AC-VI traffic to the valid time during the unit time).
The valid time is the total time during which data is transmitted.

Setting radio EDCA parameters for APs


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then click the QoS Service tab. Click the corresponding icon of the radio you want in the Operation
column to display the page for configuring wireless QoS. Then click the corresponding icon of the priority
type (AC_BK is used as an example here) to be modified in the Operation column to display the page for
setting radio EDCA parameters.
Figure 122 Set radio EDCA parameters

Table 73 Configuration

Item Description
Radio Display the selected radio.

Priority type Display the priority type.

AIFSN Arbitration inter-frame spacing number used by the device.

TXOP Limit Transmission opportunity limit used by the device.

ECWmin Exponent form of CWmin used by the device.

ECWmax Exponent form of CWmax used by the device.

No ACK If you select the No ACK checkbox, the No ACK policy is used by the device.
By default, the normal ACK policy is used by the device.

Table 74 Default radio EDCA parameters

AC TXOP Limit AIFSN ECWmin ECWmax


AC-BK 0 7 4 10

AC-BE 0 3 4 6

AC-VI 94 1 3 4

AC-VO 47 1 2 3

NOTE:
• ECWmin cannot be greater than ECWmax.
• On a device operating in 802.11b radio mode, HP recommends that you set the TXOP-Limit to 0, 0, 188, and 102
for AC-BK, AC-BE, AC-VI, and AC-VO, respectively.

Setting EDCA parameters for wireless clients


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then click the QoS Service tab. Click the corresponding icon of the radio you want in the Operation
column to display the page for setting wireless QoS. In the Client EDCA list, find the priority type (AC_BK
is used in this example) to be modified, and then click the corresponding icon in the Operation column to
display the page for setting client EDCA parameters.
Figure 123 Set client EDCA parameters

Table 75 Configuration

Item Description
Radio Display the selected radio.

Priority type Display the priority type.

AIFSN Arbitration inter-frame spacing number used by clients.

TXOP Limit Transmission opportunity limit used by clients.

ECWmin Exponent form of CWmin used by clients.

ECWmax Exponent form of CWmax used by clients.


CAC • Enable—Enables CAC.
• Disable—Disables CAC.
AC-VO and AC-VI support CAC, which is disabled by default. This item is
not available for AC-BE or AC-BK because they do not support CAC.

Table 76 Default EDCA parameters for clients

AC TXOP Limit AIFSN ECWmin ECWmax


AC-BK 0 7 4 10

AC-BE 0 3 4 10

AC-VI 94 2 3 4

AC-VO 47 2 2 3

NOTE:
• ECWmin cannot be greater than ECWmax.
• If all clients operate in 802.11b radio mode, HP recommends that you set TXOPLimit to 188 and 102 for AC-VI and
AC-VO, respectively.
• If some clients operate in 802.11b radio mode and some clients operate in 802.11g radio mode in the network, the
TXOPLimit parameters in Table 76 are recommended.
• Once you enable CAC for an AC, it is enabled automatically for all ACs with higher priority. For example, if you
enable CAC for AC-VI, CAC is also enabled for AC-VO. However, enabling CAC for AC-VO does not enable CAC
for AC-VI.

Display radio statistics
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and then click the Radio
Statistics tab to display the page that displays radio statistics. Click a radio to see its details.
Figure 124 Display radio statistics

Table 77 Field description

Field Description
Radio interface WLAN radio interface.

Client EDCA update count Number of client EDCA parameter updates.

QoS mode • WMM—Indicates that QoS mode is enabled.
• None—Indicates that QoS mode is not enabled.

Radio chip QoS mode Radio chip's support for the QoS mode.

Radio chip max AIFSN Maximum AIFSN allowed by the radio chip.

Radio chip max ECWmin Maximum ECWmin allowed by the radio chip.

Radio chip max TXOPLimit Maximum TXOPLimit allowed by the radio chip.

Radio chip max ECWmax Maximum ECWmax allowed by the radio chip.

Client accepted Number of clients that have been admitted to access
the radio, including the number of clients that have
been admitted to access the AC-VO and the AC-VI.

Total request mediumtime(us) Total requested medium time, including that of the
AC-VO and the AC-VI.

Calls rejected due to insufficient resource Number of requests rejected due to insufficient
resources.

Calls rejected due to invalid parameters Number of requests rejected due to invalid
parameters.

Calls rejected due to invalid mediumtime Number of requests rejected due to invalid medium
time.

Calls rejected due to invalid delaybound Number of requests rejected due to invalid delay
bound.

Admission Control Policy Admission control policy.

Threshold Threshold used by the admission control policy.

CAC-Free's AC Request Policy Response policy adopted for CAC-disabled ACs.
Response Success indicates that the response is
successful.

CAC Unauthed Frame Policy Policy of processing frames unauthorized by CAC:
• Discard—Drops frames.
• Downgrade—Decreases the priority of frames.
• Disassociate—Disassociates with the client.

CAC Medium Time Limitation(us) Maximum medium time allowed by the CAC policy
(in microseconds).

CAC AC-VO's Max Delay(us) Maximum voice traffic delay allowed by the CAC
policy (in microseconds).

CAC AC-VI's Max Delay(us) Maximum video traffic delay allowed by the CAC
policy (in microseconds).

SVP packet mapped AC number Number of the AC to which SVP packets are
mapped.

ECWmin ––

ECWmax ––

AIFSN ––

TXOPLimit ––

Ack Policy ACK policy adopted by an AC.

CAC • Disabled—Indicates that the AC is not controlled
by CAC.
• Enable—Indicates that the AC is controlled by
CAC.

Displaying client statistics
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and then click the Client
Statistics tab to display the page that displays client statistics. Click a client name to see its details.
Figure 125 Display client statistics

Table 78 Field description

Field Description
MAC address MAC address of the client.

SSID SSID.

QoS Mode QoS mode:
• WMM—Indicates that the client is a QoS client.
• None—Indicates that the client is a non-QoS client.
Max SP length Maximum service period.

AC Access category.

State APSD attribute of an AC:
• T—The AC is trigger-enabled.
• D—The AC is delivery-enabled.
• T | D—The AC is both trigger-enabled and delivery-enabled.
• L—The AC is of legacy attributes.

Assoc State APSD attribute of the four ACs when a client accesses the AP.

Uplink CAC packets Number of uplink CAC packets.

Uplink CAC bytes Number of uplink CAC bytes.

Downlink CAC packets Number of downlink CAC packets.

Downlink CAC bytes Number of downlink CAC bytes.

Downgrade packets Number of downgraded packets.

Downgrade bytes Number of downgraded bytes.

Discard packets Number of dropped packets.

Discard bytes Number of dropped bytes.

Setting rate limiting


The WLAN provides limited bandwidth for each device. Because the bandwidth is shared by wireless
clients attached to the device, aggressive use of bandwidth by a client affects other clients. To ensure fair
use of bandwidth, you can rate limit traffic of clients using either of the following approaches:
• Configure the total bandwidth shared by all clients in the same BSS. This is called "dynamic mode."
The rate limit of a client is the configured total rate divided by the number of online clients. For example, if the
configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
• Configure the maximum bandwidth that can be used by each client in the BSS. This is called "static
mode." For example, if the configured rate is 1 Mbps, the rate limit of each user online is 1 Mbps.
When the set rate limit multiplied by the number of access clients exceeds the available bandwidth
provided by the device, no clients can get the guaranteed bandwidth.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left, click the Client Rate
Limit tab, and then click Add to display the page for setting rate limiting.
Figure 126 Set rate limiting

Table 79 Configuration

Item Description
Wireless Service Display an existing wireless service.
Direction
• Inbound—From clients to the device.
• Outbound—From the device to clients.
• Both—Includes inbound (from clients to the device) and outbound (from the device to clients).

Mode Rate limiting mode:
• Dynamic
• Static

Rate Set the rate of the clients:
• If you select the static mode, static rate is displayed, and the rate is the bandwidth of each client.
• If you select the dynamic mode, share rate is displayed, and the rate is the total bandwidth of all clients.

Wireless QoS configuration example


CAC service configuration example
Network requirements
As shown in Figure 127, an AP with WMM enabled accesses the Ethernet. Enable CAC for the AC-VO
and AC-VI queues of the clients of the fat AP. Use the user number-based admission policy to limit the
number of access users to 10, so that the clients using high-priority queues (including the AC-VO and
AC-VI queues) can be guaranteed enough bandwidth.
Figure 127 Network diagram

Configuration procedure
1. Configure the access service.
For related configurations, see "Wireless access configuration examples." You can strictly follow the steps
in the related configuration example to configure the wireless service.
2. Configure wireless QoS.
# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and then click the QoS
Service tab to display the page shown in Figure 128. Make sure that WMM is enabled.
Figure 128 Wireless QoS configuration page

# Select the radio unit to configure in the list, and then click the corresponding icon in the Operation
column to display the page for configuring wireless QoS. In the Client EDCA list, select the priority type
(AC_VO is used in this example) to be modified, and then click the corresponding icon in the
Operation column to display the page for setting client EDCA parameters.

Figure 129 Enable CAC

a. Select Enable from the CAC list.


b. Click Apply.

# Enable CAC for AC_VI in the same way.


# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click the QoS Service tab,
and then click the icon of the target radio unit in the Operation column to display the page for
configuring wireless QoS.
Figure 130 The page for setting CAC client number

a. Select the Client Number option, and then enter 10.


b. Click Apply.

Verifying the configuration


If the number of existing clients in the high-priority ACs plus the number of clients requesting access is
smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs (which is
10, in this example), the request is allowed. Otherwise, the request is rejected.

Static rate limiting configuration example
Network requirements
As shown in Figure 131, two clients access the WLAN through an SSID named service1. Limit the
maximum bandwidth per client to 128 kbps on the device.
Figure 131 Network diagram

Configuration procedure
1. Configure the access service.
For the configuration procedure, see "Wireless access configuration examples." You can strictly follow
the related configuration example to configure the wireless service.
2. Configure static rate limiting.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit, and then
click Add to display the page for configuring rate limit settings for clients.
Figure 132 Configure static rate limiting

a. Select service1 from the Wireless Service list.


b. Select inbound from the direction list.
c. Select static from the mode list.
d. Enter 128000 in the static rate field.
e. Click Apply.

Verifying the configuration
• Client 1 and Client 2 access the WLAN through an SSID named service1.
• Check that traffic from Client 1 is rate limited to around 128 kbps and so is traffic from Client 2.

Dynamic rate limiting configuration example


Network requirements
As shown in Figure 133, clients access the WLAN through an SSID named service2. Configure all clients
to share 8000 kbps of bandwidth in any direction.
Figure 133 Network diagram

Configuration procedure
1. Configure the wireless service.
For the configuration procedure, see "Wireless access configuration examples." You can strictly follow
the related configuration example to configure the wireless service.
2. Configure dynamic rate limiting.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit, and then
click Add to display the page for configuring rate limit settings for clients.
Figure 134 Configure dynamic rate limiting

a. Select service2 from the Wireless Service list.


b. Select both from the direction list.
c. Select dynamic from the mode list.

d. Enter 8000 in the share rate field.
e. Click Apply.

Verifying the configuration


1. When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
as high as 8000 kbps.
2. When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.

Configuring advanced WLAN settings

District code
Radio frequencies for countries and regions vary based on country regulations. A district code determines
characteristics such as frequency range, channel, and transmit power level. Configure the valid country
code or area code for a WLAN device to meet the specific country regulations.

Setting a district code


Select Interface Setup > Wireless > District Code from the navigation tree to display the page for setting a
district code.
Figure 135 Set a district code

Table 80 Configuration item

Item Description
District Code Select a district code. Configure the valid district code for a WLAN device to meet the country regulations.

NOTE:
• If the list is not available, the setting is preconfigured to meet the requirements of the target market and is locked. It
cannot be changed.
• Support for district code depends on your device model.

Channel busy test


A channel busy test is a tool to test how busy a channel is. It tests channels supported by the district code
one by one, and it provides a busy rate for each channel. This avoids the situation in which some
channels are heavily loaded and some are idle.
During a channel busy test, routers do not provide any WLAN services. All connected clients are
disconnected, and WLAN packets are discarded.

Configuring a channel busy test
Select Interface Setup > Wireless Service > Advanced > Channel Busy Test from the navigation tree to
display the channel busy test configuration page.
Figure 136 Channel busy test configuration page

Click the icon of a target AP to display the channel busy testing page, as shown in Figure 137.
Figure 137 Test busy rate of channels

Click Start to start the testing.

Table 81 Configuration

Item Description
Radio Unit Display the radio unit, which takes the value of 1 or 2.

Radio Mode Display the radio mode of the router.

Test time per channel Set a time period in seconds within which a channel is tested. Defaults to 3 seconds.

Configuring 3G management

You can connect a router to a 3G modem through the USB interface on the main board of the router.
After it is connected to an external UIM card, the 3G modem can access a wireless network and carry out
3G wireless communications.
The router supports 3G modems provided by different vendors. As a peripheral, the 3G modem is not a
part of the router. However, you can maintain and manage the 3G modem through the web interface of
the router.

Managing the 3G modem


Displaying the 3G information
Select 3G > 3G Information from the navigation tree to display the configuration page shown in Figure
138. The status information of the 3G modem, UIM card, and 3G network is displayed on the page.
Figure 138 3G information

Table 82, Table 83, and Table 84 describe the 3G modem information, UIM card information, and 3G
network information, respectively.

Table 82 3G modem information

Item Description
3G Modem State State of the 3G modem:
• Normal—A 3G modem is connected to the router.
• Absent or unrecognized modem—No 3G modem is connected to the router, or the modem cannot be recognized.

Model Model of the 3G modem.

Manufacturer Manufacturer of the 3G modem.

CMII ID CMII ID of the 3G modem.

Serial Number Serial number of the 3G modem.

Hardware Version Hardware version of the 3G modem.

Firmware Version Firmware version of the 3G modem.

PRL Version PRL version of the 3G modem.

Table 83 UIM card information

Item Description
UIM Card State State of the UIM card:
• Absent.
• Being initialized.
• Fault.
• Destructed.
• PIN code protection is disabled.
• PIN code protection is enabled. Enter the PIN code for authentication.
• PIN code protection is enabled, and the PIN code has passed the authentication.
• The PIN code has been blocked. Enter the PUK code to unblock it.

IMSI IMSI of the UIM card.

Voltage Power voltage of the UIM card.

Table 84 3G network information

Item Description
Mobile Network 3G network where the UIM card resides

Network Type State of the 3G network where the UIM card resides:
• No Service
• CDMA
• HDR
• CDMA/HDR HYBRID
• Unknown

RSSI RSSI of the 3G network

Managing the PIN code
NOTE:
• If the PIN code is entered incorrectly a number of times that exceeds the maximum attempts allowed by the device,
the PIN code is blocked. To unblock the PIN code, you must enter the correct PUK code.
• If the PUK code is entered incorrectly a number of times that exceeds the maximum attempts allowed by the device,
the UIM card is destructed. Be cautious when entering the PUK code.

Select 3G > PIN Code Management from the navigation tree to display the PIN code management page.
The PIN code allows you to perform different operations, depending on the UIM card status.

When the UIM card is abnormal


Figure 139 shows the PIN code management page in the situation where the UIM card is absent, being
initialized, faulty, or destructed. In such cases, you cannot manage the PIN code.
Figure 139 PIN code management page I

When the PIN code protection is disabled for the UIM card
Figure 140 shows the PIN code management page in the situation where the PIN code protection for the
UIM card is disabled. To enable the PIN code protection, enter the PIN code correctly, and then click
Apply. A PIN code comprises four to eight digits.
Figure 140 PIN code management page II

When the PIN code must be entered for authentication


Figure 141 shows the PIN code management page in the situation where the PIN code protection has
been enabled for the UIM card and the PIN code must be entered for authentication. To unblock the PIN
code protection, enter the PIN code correctly, and click Apply.
Figure 141 PIN code management page III

When the UIM card has passed the PIN code authentication
Figure 142 shows the PIN code management page in the situation where the UIM card has passed the
PIN code authentication. You can perform the following operations:
• In the Disable PIN Code Protection field, enter the PIN code correctly, and then click Apply to disable
the PIN code protection for the UIM card.
• In the PIN Code Modification field, enter the current PIN code correctly and the new PIN code twice,
and then click Apply to modify the current PIN code.
Figure 142 PIN code management page IV

When the PUK code must be entered to unblock the PIN code of the UIM card
Figure 143 shows the PIN code management page in the situation where the PIN code of the UIM card
has been locked and the PUK code must be entered. To unblock the PIN code of the UIM card and set a
new PIN code, enter the PUK code correctly and the new PIN code twice, and then click Apply.
Figure 143 PIN code management page V

Configuring NAT

You can do the following to configure NAT on the web interface:


• Configure dynamic NAT.
• Configure one-to-one static NAT.
• Configure an internal server.
• Enable application layer protocol check.
• Configure connection limit.
NAT provides a way of translating an IP address to another IP address for a packet. In practice, NAT is
primarily used to allow private hosts to access public networks. With NAT, a few public IP addresses are
used to translate a large number of internal IP addresses, effectively solving the IP address depletion
problem.

NOTE:
For more information about NAT, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

Recommended configuration procedure


Step Remarks
Configuring dynamic NAT
Configuring a DMZ host
Use either approach:
• Dynamic NAT—A dynamic NAT entry is generated dynamically. Dynamic NAT applies to the network environment where a large number of internal users need to access the Internet.
• Static NAT—Mappings between external and internal network addresses are manually configured. Static NAT enables a few users to use fixed IP addresses to access the Internet.

Configuring an internal server Required. You can configure an internal server by mapping a public IP address and port number to the private IP address and port number of the internal server.

Enabling application layer protocol check Optional. Enable NAT to check specified application layer protocols. By default, all application layer protocols are checked by NAT.

Configuring connection limit Optional. Limit the number of connections from a source IP address.

Configuring dynamic NAT


Select NAT Configuration > NAT Configuration from the navigation tree to display the default Dynamic
NAT page shown in Figure 144.

Figure 144 Dynamic NAT Configuration

Table 85 Configuration

Item Description
Interface Specify an interface on which to enable the NAT policy.

Translation Mode Select an address translation mode:
• Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address. You do not need to configure any address pool for this mode.
• PAT—In this mode, both IP addresses and port numbers of packets are translated. Configure an address pool for this mode.
• No-PAT—In this mode, only IP addresses of packets are translated. Configure an address pool for this mode.

Start IP Address
End IP Address
Specify the start and the end IP addresses for the NAT address pool.
The start IP address must be lower than the end IP address. If the end IP address and the start IP address are the same, you are specifying only one IP address.
NOTE:
• Only one translation mode can be selected for the same address pool.
• NAT address pools used by some device models cannot be those used by other address translation policies, IP addresses of interfaces with Easy IP enabled, or external IP addresses of internal servers.

Configuring a DMZ host
1. Create a DMZ host.
Select NAT Configuration > NAT Configuration from the navigation tree, and then click the DMZ HOST tab
to display the page shown in Figure 145.
Figure 145 Create a DMZ host

Table 86 Configuration

Item Description
Host IP Address Specify the internal IP address in a one-to-one static NAT mapping.

Global IP Address Specify the external IP address in a one-to-one static NAT mapping.

2. Enable the DMZ host on an interface.


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the DMZ HOST tab
to display the page shown in Figure 146. You can enable or disable the DMZ host on interfaces.
• The icon indicates that the DMZ host is disabled on the corresponding interface. Click the Enable
link next to the interface to enable DMZ host on the interface.
• The icon indicates that DMZ host is enabled on the corresponding interface. Click the Disable link
next to the interface to disable the DMZ host on the interface.

Figure 146 Enable the DMZ host on interfaces

Configuring an internal server


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the NAT Server
Setup tab to display the internal server configuration page shown in Figure 147.

Figure 147 Internal server configuration page

Table 87 Configuration

Item Description
Interface Specify an interface on which the NAT policy is to be enabled.

Protocol Type of protocol carried by IP: TCP or UDP.

Global IP Address Public IP address for the internal server. You can use the IP address of the current interface or manually specify an IP address.

Global Port Global port number for the internal server.
• Select Other and then enter a port number. If you enter 0, all types of services are provided (only a static binding between the external IP address and the internal IP address is established).
• Select a service, and the corresponding port number is provided. You cannot modify the port number displayed.

Host IP Address Internal IP address for the internal server.

Host Port Internal port number for the internal server.
• Select Other and then enter a port number. If you enter 0, all types of services are provided (only a static binding between the external IP address and the internal IP address is created).
• Select a service, and the corresponding port number is provided. You cannot modify the port number displayed.

Enabling application layer protocol check
Select NAT Configuration > NAT Configuration from the navigation tree, and then click the ALG tab to
display the application layer protocol check configuration page shown in Figure 148.
Figure 148 Application layer protocol check

Table 88 Configuration

Item Description
Protocol Type Enable/disable checking the specified application layer protocols, including DNS, FTP, PPTP, NBT, ILS, H.323, and SIP.

Configuring connection limit


Select NAT Configuration > NAT Configuration from the navigation tree, and then click the Nat Outbound
Setup tab to display the connection limit configuration page shown in Figure 149.
Figure 149 Connection limit

Table 89 Configuration

Item Description
Enable connection limit Enable/disable connection limit.

Max Connections Set the maximum number of connections that can be initiated from a source IP address.

NAT configuration examples
Private hosts to access public network configuration example
Network requirements
As shown in Figure 150, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.3/24, and the internal network address is 10.110.0.0/16. Specifically, the company has the
following requirements:
• The internal users can access the Internet by using public addresses 202.38.1.2 and 202.38.1.3.
• Configure the upper limit of connections as 1000 based on the source IP address.
Figure 150 Network diagram

Configuration procedure
1. Configure the IP address of each interface. (Details not shown)
# Configure dynamic NAT on Ethernet 0/2.
• Select NAT Configuration > NAT Configuration to display the dynamic NAT configuration page
shown in Figure 151.

Figure 151 Configure dynamic NAT

a. Select Ethernet0/2 from the Interface list.


b. Select PAT from the Translation Mode list.
c. Enter 202.38.1.2 in the Start IP Address field.
d. Enter 202.38.1.3 in the End IP Address field.
e. Click Apply.

# Configure the connection limit.


• Click the Connection Limit tab to display the connection limit configuration page shown in Figure
152.
Figure 152 Configure connection limit

a. Select Enable connection limit.


b. Enter 1000 in Max Connections.
c. Click Apply.

Internal server configuration example
Network requirements
A company provides one FTP server and two web servers for external users to access. The internal
network address is 10.110.0.0/16. The internal network address for the FTP server is 10.110.10.3/16,
that for web server 1 is 10.110.10.1/16, and that for web server 2 is 10.110.10.2/16. The company has
three public IP addresses ranging from 202.38.1.1/24 to 202.38.1.3/24. Specifically, the company
has the following requirements:
• External hosts can access the company internal servers.
• 202.38.1.1 is used as the public IP address for the internal servers, and port number 8080 is used
for web server 2.
Figure 153 Network diagram
[Diagram labels: Web server 1 10.110.10.1/16; Web server 2 10.110.10.2/16; FTP server 10.110.10.3/16; Router Eth0/1 10.110.10.10/16 and Eth0/2 202.38.1.1/24; Internet; Host]

Configuration procedure
# Configure the FTP server.
• Select NAT Configuration > NAT Configuration from the navigation tree, and then click the Internal
Server tab to display the internal server configuration page shown in Figure 154.

Figure 154 Configure the FTP server

a. Select Ethernet0/2 from the Interface list.


b. Select the TCP option for Protocol.
c. Select an option for Global IP Address, and then enter 202.38.1.1 in the field.
d. Select ftp from the Global Port list.
e. Enter 10.110.10.3 in the Host IP Address field.
f. Select ftp from the Host Port list.
g. Click Apply.

# Configure web server 1.

Figure 155 Configure web server 1

a. As shown in Figure 155, select Ethernet0/2 from the Interface list.


b. Select the TCP option for Protocol.
c. Select an option for Global IP Address, and enter 202.38.1.1 in the field.
d. Select http from the Global Port list.
e. Enter 10.110.10.1 in the Host IP Address field.
f. Select http from the Host Port list.
g. Click Apply.

# Configure web server 2.


• Click Add in the internal server configuration page.

Figure 156 Configure web server 2

a. As shown in Figure 156, select Ethernet0/2 from the Interface list.


b. Select the TCP option for Protocol.
c. Select an option for Global IP Address, and enter 202.38.1.1 in the field.
d. Enter 8080 in the Global Port field.
e. Enter 10.110.10.2 in the Host IP Address field.
f. Enter 8080 in the Host Port field.
g. Click Apply.
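
The three internal server entries configured above can be checked offline before they are entered on the page. The following Python model is an added example, not HP code: the class and function names are hypothetical, and preferring an exact global port over a port-0 entry is an assumption of this model, not documented device behavior.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = 0  # Table 87: entering 0 binds the addresses only, so all services are provided


@dataclass(frozen=True)
class InternalServer:
    """One row of the internal server page (hypothetical model, not a device API)."""
    interface: str
    protocol: str      # "TCP" or "UDP"
    global_ip: str
    global_port: int
    host_ip: str
    host_port: int


# Entries from the configuration example above (ftp = 21, http = 80).
EXAMPLE_ENTRIES = [
    InternalServer("Ethernet0/2", "TCP", "202.38.1.1", 21, "10.110.10.3", 21),
    InternalServer("Ethernet0/2", "TCP", "202.38.1.1", 80, "10.110.10.1", 80),
    InternalServer("Ethernet0/2", "TCP", "202.38.1.1", 8080, "10.110.10.2", 8080),
]


def translate(entries: List[InternalServer], interface: str, protocol: str,
              dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the (host IP, host port) an inbound packet reaches, or None."""
    dst = IPv4Address(dst_ip)
    address_only = None
    for e in entries:
        if e.interface != interface or e.protocol != protocol:
            continue
        if IPv4Address(e.global_ip) != dst:
            continue
        if e.global_port == dst_port:
            return (e.host_ip, e.host_port)
        if e.global_port == ANY_PORT and address_only is None:
            address_only = e
    if address_only is not None:
        # Address-only binding: the destination port passes through unchanged.
        return (address_only.host_ip, dst_port)
    return None


def audit(entries: List[InternalServer], internal_net: str = "10.110.0.0/16") -> List[str]:
    """Return review findings for a planned internal server table."""
    findings = []
    seen = {}
    net = ip_network(internal_net)
    for e in entries:
        label = f"{e.protocol} {e.global_ip}:{e.global_port} -> {e.host_ip}:{e.host_port}"
        if e.protocol not in ("TCP", "UDP"):
            findings.append(f"{label}: protocol must be TCP or UDP")
        if not all(0 <= p <= 65535 for p in (e.global_port, e.host_port)):
            findings.append(f"{label}: port outside 0-65535")
        if ANY_PORT in (e.global_port, e.host_port):
            findings.append(f"{label}: port 0 publishes every service on the host")
        if IPv4Address(e.host_ip) not in net:
            findings.append(f"{label}: host is outside {internal_net}")
        key = (e.interface, e.protocol, IPv4Address(e.global_ip), e.global_port)
        if key in seen:
            findings.append(f"{label}: same global endpoint as {seen[key]}")
        else:
            seen[key] = label
    return findings


if __name__ == "__main__":
    for port in (21, 80, 8080, 23):
        print(port, translate(EXAMPLE_ENTRIES, "Ethernet0/2", "TCP", "202.38.1.1", port))
    print(audit(EXAMPLE_ENTRIES) or "no findings")
```

Only ports 21, 80 and 8080 on 202.38.1.1 reach an internal host with the example entries; adding an entry with port 0 makes every TCP port on that address reachable, which is why the audit flags it.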

Configuring access control

Access control allows you to control access to the Internet from the LAN by setting the time range, IP
addresses of computers in the LAN, port range, and protocol type. All data packets matching these
criteria are denied access to the Internet.
Up to 10 access control policies can be configured, and they are matched in ascending order of
sequence number. The comparison stops immediately after one match is found.

NOTE:
• The 10 access control policies correspond to ACL 3980 through 3989, respectively, in ascending order of sequence
number. Modifying these ACLs may impact the corresponding access control policies.
• Access control is effective only in the outgoing direction of WAN interfaces.

To configure access control:


Select Security Setup > Access from the navigation tree, and then click the Access Control tab to display
the page shown in Figure 157.
Figure 157 Access control

Table 90 Configuration

Item Description
Begin-End Time Set the time range of a day for the rule to take effect. The start time must be earlier than the end time.

Week Select the days of a week for the rule to take effect.

IMPORTANT:
Set both types of time ranges, or set neither of them. To set neither of them, make sure the Begin-End Time is 00:00 - 00:00 and that no days of a week are selected. Setting neither of them means that the rule takes effect all the time.

Protocol Specify to control accesses based on the protocol used for data transmission. These options are available: TCP, UDP, and IP. For information about which services use which protocols, see Table 91.

Source IP Address Configure the IP address range of computers. To control a single IP address, enter the address in the two fields.

Destination Port Set the port range to be filtered. For example, to control Telnet access, enter 23 in the two fields.

Operation Action to be taken for matching packets. The action is Deny, which means that all packets matching the access control policies are not allowed to pass.

Table 91 Commonly used services and their ports

Service Transport layer protocol Port number

FTP TCP 21

Telnet TCP 23

TFTP UDP 69

web TCP 80

Access control configuration example


Network requirements
As shown in Figure 158, internal users of a company, Host A to Host D, access the Internet through the
router. Configure an access control policy as follows:
• Host A to Host C cannot access the Internet from 09:00 to 18:00 every Monday to Friday and can
access the Internet the rest of time.
• Host D can access the Internet all the time.

Figure 158 Network diagram
[Diagram labels: Internet; Router Eth0/1; Host A 10.1.1.1; Host B 10.1.1.2; Host C 10.1.1.3; Host D 10.1.1.4]

Configuration procedure
# Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work
time.
• Select Security Setup > Access from the navigation tree, and then perform the configurations shown
in Figure 159.
Figure 159 Configure an access control policy

a. Set the Begin-End Time to 09:00 - 18:00.


b. Select the checkboxes for Monday to Friday.
c. Select the protocol IP.
d. Enter source IP address range 10.1.1.1 - 10.1.1.3.
e. Click Apply.
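
To check a planned policy set against its requirements before applying it, the matching rules described in this chapter (ascending sequence number, stop at the first match, Deny as the only action, and the "both time ranges or neither" rule) can be modeled offline. The following Python evaluator is an added example, not HP code: the names are hypothetical, the sequence numbers and the Telnet policy are constructed, and treating the end time as exclusive is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional, Tuple

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order
MIDNIGHT = time(0, 0)


@dataclass(frozen=True)
class Policy:
    seq: int                       # lower sequence numbers are compared first
    begin: time
    end: time
    days: FrozenSet[str]
    protocol: str                  # "TCP", "UDP" or "IP"
    src_first: str
    src_last: str
    dport_first: Optional[int] = None
    dport_last: Optional[int] = None

    def validate(self) -> None:
        clock_unset = self.begin == MIDNIGHT and self.end == MIDNIGHT
        if clock_unset != (not self.days):
            raise ValueError("set both Begin-End Time and Week, or neither")
        if not clock_unset and self.begin >= self.end:
            raise ValueError("start time must be earlier than end time")
        if self.protocol not in ("TCP", "UDP", "IP"):
            raise ValueError("protocol must be TCP, UDP or IP")

    def active(self, when: datetime) -> bool:
        if not self.days:          # neither range set: in effect all the time
            return True
        # Assumption: the end time itself is not part of the range.
        return DAYS[when.weekday()] in self.days and self.begin <= when.time() < self.end

    def matches(self, proto: str, src: str, dport: Optional[int], when: datetime) -> bool:
        if not self.active(when):
            return False
        if self.protocol != "IP" and self.protocol != proto:
            return False
        if not IPv4Address(self.src_first) <= IPv4Address(src) <= IPv4Address(self.src_last):
            return False
        if self.dport_first is not None:
            return dport is not None and self.dport_first <= dport <= self.dport_last
        return True


def is_valid(policy: Policy) -> bool:
    try:
        policy.validate()
        return True
    except ValueError:
        return False


def decide(policies: List[Policy], proto: str, src: str, dport: Optional[int],
           when: datetime) -> Tuple[str, Optional[int]]:
    """Return ("deny", seq) for the first matching policy, else ("permit", None)."""
    if len(policies) > 10:
        raise ValueError("up to 10 access control policies can be configured")
    for p in sorted(policies, key=lambda p: p.seq):
        p.validate()
        if p.matches(proto, src, dport, when):
            return ("deny", p.seq)
    return ("permit", None)


# Policy from the configuration example above; the sequence number is constructed.
WORK_HOURS = Policy(1, time(9, 0), time(18, 0), frozenset(DAYS[:5]), "IP",
                    "10.1.1.1", "10.1.1.3")
# Constructed second policy (not in the guide) to show first-match ordering.
TELNET_BLOCK = Policy(2, MIDNIGHT, MIDNIGHT, frozenset(), "TCP",
                      "10.1.1.1", "10.1.1.4", 23, 23)

if __name__ == "__main__":
    wednesday = datetime(2011, 8, 10, 10, 30)
    for host in ("10.1.1.1", "10.1.1.4"):
        print(host, decide([WORK_HOURS], "TCP", host, 80, wednesday))
```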

Configuring URL filtering

The URL filtering function allows you to deny access to certain Internet webpages from the LAN by setting
keywords and URL addresses.

NOTE:
The URL filtering function applies only to the outbound direction of WAN interfaces.

To configure URL filtering:


Select Security Setup > URL Filter from the navigation tree to display the page shown in Figure 160. Then,
click Add to display the URL filtering configuration page shown in Figure 161.
Figure 160 URL filtering entries

Figure 161 URL filtering configuration page

Table 92 Configuration

Item Description
URL Set the URL addresses to be filtered. You can enter a regular expression.

Keyword Set the keywords to be filtered. You can enter a regular expression.

NOTE:
The URL and keyword are in OR relation. When both are configured, the system generates two URL filtering conditions.

Import filter list file If the Import filter list file checkbox is selected, you can import filtering rules from a file.
File Name Specify the name and path of the file in the local host from which you obtain the file. For a description of the content format of filter list files, see Figure 161.

URL filtering configuration example
Network requirements
As shown in Figure 162, internal users access the Internet through Router. Configure the URL filtering
function to disallow access of all internal users to Internet website www.webflt.com.
Figure 162 Network diagram
[Diagram labels: Internet; Router Eth0/1]

Configuration procedure
# Configure the URL filtering function.
• Select Security Setup > URL Filter from the navigation tree. Click Add and then perform the following
configurations, as shown in Figure 163.

Figure 163 Configure the URL filtering function

a. Select the URL checkbox, and then enter www.webflt.com in the URL field.
b. Click Apply.

Configuring MAC address filtering

MAC address filtering is used to match MAC addresses of hosts accessing the network through the device
and to deny or permit hosts with matched MAC addresses to access the network through the device.

NOTE:
MAC address filtering applies only to the outgoing direction of Layer 3 Ethernet interfaces and dialer
interfaces.

Configuring the MAC address filtering type


Select Security Setup > MAC Address Filtering from the navigation tree to display the MAC address
filtering configuration page shown in Figure 164.
Figure 164 MAC address filtering

Table 93 Configuration item

Item Description
filtering type Select a MAC address filtering type:
• Disable MAC address filtering
• Permit access to the Internet—Enables MAC address filtering to permit only the hosts whose MAC addresses are on the MAC address list below to access the network through the device.
• Deny access to the Internet—Enables MAC address filtering to deny the hosts whose MAC addresses are on the MAC address list below from accessing the network through the device.
A MAC address list is displayed in the lower part of the page after you select Permit access to the Internet or Deny access to the Internet.

Configuring the MAC addresses to be filtered
Select Security Setup > MAC Address Filtering from the navigation tree to display the MAC address
filtering configuration page shown in Figure 164. Select Permit access to the Internet or Deny access to the
Internet, and the permitted or denied MAC addresses are listed in the lower part of the page, as shown
in Figure 165. Click Add to display the Add MAC Address page, as shown in Figure 166.
Figure 165 MAC address filtering (permit access to the Internet)

Figure 166 Add MAC addresses

Table 94 Configuration

Item Description
Use the customized MAC address
Use the learned MAC addresses
Enter the MAC addresses to be filtered, or select them from the learned MAC addresses list.

NOTE:
If you select Permit access to the Internet or Deny access to the Internet as the filtering type, the selected
filtering type takes effect as long as you add the MAC addresses for this type, regardless of whether you
click Apply at the filtering type configuration area on the MAC Address Filtering page.

MAC address filtering configuration example


Network requirements
As shown in Figure 167, internal users access the Internet through Router. Configure the MAC address
filtering function to deny users whose MAC addresses are 000d-88f8-0dd7 and 000d-88f7-b8d6 from
accessing the Internet.
Figure 167 Network diagram
[Diagram labels: Internet; Router Eth0/1; host 000d-88f8-0dd7 192.168.1.17; host 000d-88f7-b8d6 192.168.1.18]

Configuration procedure
# Configure the MAC address filtering function.
• Select Security Setup > MAC Address Filtering from the navigation tree, and then perform the
following configurations, as shown in Figure 168.

Figure 168 Select MAC address filtering type

a. Select Deny access to the Internet as the filtering type.


b. Click Add.

Then perform the following configurations, as shown in Figure 169.


Figure 169 Specify the MAC addresses to be denied access to the Internet

a. Select Use the learned MAC addresses.


b. Select 000d-88f8-0dd7 and 000d-88f7-b8d6 from the Learned MAC Addresses list, and then
click the << button to add them to the Selected MAC Addresses list.
c. Click Apply.

Configuring attack protection

Complete the following tasks to configure attack protection functions in the web interface:
• Enable the blacklist function.
• Add a blacklist entry manually.
• View blacklist entries.
• Configure intrusion detection.
Attack protection is an important network security feature. It can determine whether received packets are
attack packets according to the packet contents and behaviors and, if detecting an attack, take measures
to deal with the attack. Protection measures include logging the event, dropping packets, updating the
session status, and blacklisting the source IP address.

Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with ACL packet filtering, blacklist filtering is simpler in matching packets and can, therefore, filter
packets at a high speed. Blacklist filtering is very effective in filtering packets from certain IP addresses.
One outstanding benefit of the blacklist function is that it allows the device to add and delete blacklist
entries dynamically. This is done by working in conjunction with the scanning attack protection function.
When the device detects a scanning attack according to the packet behavior, it adds the IP address of
the attacker to the blacklist, so packets from the IP address are filtered. Blacklist entries added
dynamically are aged in a specified period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Blacklist entries added
manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry always
exists in the blacklist unless you delete it manually. You can configure the aging time of a non-permanent
entry. After the timer expires, the device automatically deletes the blacklist entry, allowing packets from
the corresponding IP address to pass.

Intrusion detection function


The device can defend against two categories of network attacks: single-packet attacks and abnormal
traffic. Abnormal traffic falls into two sub-categories: scanning attacks and flood attacks, according to
attack characteristics.

Protection against single-packet attacks


A single-packet attack is also called a "malformed packet attack." Such an attack is formed when:
• The attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal
TCP flags, to a target system so that the target system malfunctions or crashes when processing such
packets.
• The attacker sends large quantities of such packets to the network to use up the network bandwidth.
Table 95 lists the types of single-packet attacks that can be prevented by the device.

Table 95 Types of single-packet attacks

Single-packet attack | Description
Fraggle | A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address. This causes a large quantity of responses in the network, using up the network bandwidth of the subnet or crashing the target host.
LAND | A LAND attacker forges large amounts of TCP SYN packets with both the source address and destination address being the IP address of the target, causing the target to send SYN ACK messages to itself and establish half-open connections as a result. In this way, the attacker may deplete the half-open connection resources of the target, making it unable to work normally.
WinNuke | A WinNuke attacker sends OOB data packets to the NetBIOS port (139) of a target running a Windows system. The pointer fields of these attack packets are overlapped, resulting in NetBIOS fragment overlaps. This causes the target host that has established TCP connections with other hosts to crash when it processes these NetBIOS fragments.
TCP Flag | Different operating systems process abnormal TCP flags differently. The attacker sends TCP packets with abnormal TCP flags to the target host to probe its operating system. If the operating system cannot process such packets properly, the host crashes.
ICMP Unreachable | Upon receiving an ICMP unreachable packet, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network.
ICMP Redirect | An ICMP Redirect attacker sends ICMP redirect messages to hosts on a subnet to request the hosts to change their routing tables, interfering with the normal forwarding of IP packets.
Tracert | The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a router sends an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
Smurf | A Smurf attacker sends ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, causing network congestion and causing hosts on the target network to be unable to provide services.
Source Route | A Source Route attacker probes the network structure through the Source Route option in IP packets.
Route Record | A Route Record attacker probes the network structure through the Record Route option in IP packets.
Large ICMP | For some hosts and devices, large ICMP packets cause memory allocation errors and crash the protocol stack. An attacker can make a target crash by sending large ICMP packets to it.

The single-packet attack protection function takes effect only on incoming packets. It analyzes the
characteristics of incoming packets to determine whether the packets are offensive and, if they are
offensive, logs the events and discards the packets. For example, if the length of an ICMP packet reaches
or exceeds 4000 bytes, the device considers the packet a large ICMP attack packet, outputs a warning
log, and discards the packet.
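The checks that Table 95 describes can be expressed as header tests on each incoming packet. The following added example (not HP's implementation and not part of the original guide) classifies constructed IPv4 packets for a subset of the table. The function names, the local_nets parameter, the use of the IP total length for the 4000-byte test, and the reduction of WinNuke to URG data aimed at port 139 are assumptions of this sketch.

```python
import ipaddress
import struct

LARGE_ICMP_BYTES = 4000                    # threshold stated in the guide
ICMP, TCP, UDP = 1, 6, 17                  # IP protocol numbers
SYN, URG = 0x02, 0x20                      # TCP flag bits
RECORD_ROUTE, LOOSE_SRC, STRICT_SRC = 7, 131, 137   # IPv4 option types

def option_types(options):
    """Return the option type bytes present in an IPv4 options area."""
    found, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # malformed option length: stop
        found.append(kind)
        i += options[i + 1]
    return found

def classify(packet, local_nets):
    """Return the Table 95 attack names matched by one incoming IPv4 packet.

    local_nets: subnets whose broadcast addresses count as "subnet broadcast"
    (an assumption; the guide does not say how the device determines this).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []                          # not IPv4: nothing to classify
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return []
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    l4 = packet[ihl:]
    to_broadcast = (dst == ipaddress.IPv4Address("255.255.255.255")
                    or any(dst == net.broadcast_address for net in local_nets))
    hits = []
    opts = option_types(packet[20:ihl])
    if LOOSE_SRC in opts or STRICT_SRC in opts:
        hits.append("Source Route")
    if RECORD_ROUTE in opts:
        hits.append("Route Record")
    if proto == TCP and len(l4) >= 20:
        dport, flags = struct.unpack("!H", l4[2:4])[0], l4[13]
        if flags & SYN and src == dst:
            hits.append("LAND")
        if dport == 139 and flags & URG:   # TCP marks OOB data with URG
            hits.append("WinNuke")
    elif proto == UDP and len(l4) >= 8:
        dport = struct.unpack("!H", l4[2:4])[0]
        if dport in (7, 19) and to_broadcast:      # echo / chargen
            hits.append("Fraggle")
    elif proto == ICMP and l4:
        if l4[0] == 8 and to_broadcast:            # echo request
            hits.append("Smurf")
        if total_len >= LARGE_ICMP_BYTES:          # "reaches or exceeds"
            hits.append("Large ICMP")
    return hits

# --- Constructed sample packets: built in memory only, never sent ---
def ipv4(src, dst, proto, payload, options=b""):
    options += b"\x00" * (-len(options) % 4)       # pad to 32-bit words
    words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | words, 0,
                         words * 4 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload

def tcp(dport, flags):
    return struct.pack("!HHIIBBHHH", 1025, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp(dport):
    return struct.pack("!HHHH", 1025, dport, 8, 0)

def icmp_echo(size):
    """ICMP echo request whose ICMP message is `size` bytes long."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * (size - 8)

LAN = [ipaddress.IPv4Network("192.168.1.0/24")]
SAMPLES = {
    "land": ipv4("192.168.1.17", "192.168.1.17", TCP, tcp(80, SYN)),
    "smurf": ipv4("203.0.113.9", "192.168.1.255", ICMP, icmp_echo(64)),
    "fraggle": ipv4("203.0.113.9", "192.168.1.255", UDP, udp(7)),
    "large_icmp": ipv4("203.0.113.9", "192.168.1.17", ICMP, icmp_echo(3980)),
    "record_route": ipv4("203.0.113.9", "192.168.1.17", UDP, udp(53),
                         options=bytes([RECORD_ROUTE, 7, 4, 0, 0, 0, 0])),
    "winnuke": ipv4("203.0.113.9", "192.168.1.17", TCP, tcp(139, URG)),
    "normal": ipv4("203.0.113.9", "192.168.1.17", TCP, tcp(443, SYN)),
}
```

The large_icmp sample is exactly 4000 bytes (20-byte IP header plus a 3980-byte ICMP message), so it sits on the "reaches or exceeds" boundary; one byte less is not flagged.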

Protection against scanning attacks


Scanning attackers usually use scanning tools to scan host addresses and ports in a network. By
doing this, they find possible targets and services enabled on the targets and figure out the network
topology, preparing for further attacks on the target hosts.
The scanning attack protection function takes effect only on incoming packets. It monitors the rate at
which an IP address initiates connections to destination systems. If the rate reaches or exceeds 4000
connections per second, it logs the event, adds the IP address to the blacklist, and discards subsequent
packets from the IP address.
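An added model (not the device's code) of the blacklist behaviour described under "Blacklist function" and of the scanning threshold above: permanent and aged entries, automatic entries created at 4000 connections per second, and the Automatic-to-Manual change on modification. The class and method names, the one-second sliding window, and the 600-second aging time for automatic entries are assumptions; the guide gives no value for that aging time.

```python
import ipaddress
from collections import deque

SCAN_RATE_THRESHOLD = 4000          # connections per second, from the guide
# Addresses the guide says cannot be blacklisted. 240.0.0.0/4 (class E) also
# covers 255.0.0.0/8 and the limited broadcast 255.255.255.255; subnet
# broadcasts are not checked here because that needs the interface masks.
FORBIDDEN = [ipaddress.IPv4Network(n)
             for n in ("224.0.0.0/4", "240.0.0.0/4", "127.0.0.0/8")]


class Blacklist:
    def __init__(self):
        self.enabled = False        # the guide: disabled by default
        self.entries = {}           # IPv4Address -> fields shown on the blacklist page

    def add(self, ip, now, hold=None, method="Manual"):
        """Create an entry. hold=None is permanent, otherwise seconds."""
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in FORBIDDEN):
            raise ValueError(f"{addr} cannot be added to the blacklist")
        self.entries[addr] = {"method": method, "start": now,
                              "hold": hold, "dropped": 0}

    def modify(self, ip, hold):
        """Change the hold time; any modification makes the entry Manual."""
        entry = self.entries[ipaddress.IPv4Address(ip)]
        entry["hold"], entry["method"] = hold, "Manual"

    def drops(self, src, now):
        """True if a packet from src is dropped at time now (seconds)."""
        addr = ipaddress.IPv4Address(src)
        entry = self.entries.get(addr)
        if not self.enabled or entry is None:
            return False
        if entry["hold"] is not None and now >= entry["start"] + entry["hold"]:
            del self.entries[addr]  # aged out: packets pass again
            return False
        entry["dropped"] += 1       # the "Dropped Count" field
        return True


class ScanDetector:
    """Flags a source that opens >= 4000 connections within one second."""

    def __init__(self, blacklist, add_to_blacklist=True, auto_hold=600):
        self.blacklist = blacklist
        self.add_to_blacklist = add_to_blacklist  # blacklist enabled for scanning protection
        self.auto_hold = auto_hold  # aging time of automatic entries (assumed value)
        self.recent = {}            # source -> timestamps inside the window

    def on_connection(self, src, now):
        if self.blacklist.drops(src, now):
            return "dropped"
        window = self.recent.setdefault(src, deque())
        window.append(now)
        while now - window[0] >= 1.0:
            window.popleft()
        if len(window) < SCAN_RATE_THRESHOLD:
            return "forwarded"
        window.clear()
        if self.add_to_blacklist and self.blacklist.enabled:
            self.blacklist.add(src, now, hold=self.auto_hold, method="Automatic")
        return "scan-detected"      # the device logs the event at this point


def configuration_example():
    """The guide's example: Host D permanent, Host C held for 50 minutes."""
    blacklist = Blacklist()
    blacklist.enabled = True
    blacklist.add("5.5.5.5", now=0)                     # Host D
    blacklist.add("192.168.1.5", now=0, hold=50 * 60)   # Host C
    return blacklist, ScanDetector(blacklist)
```

Because automatic entries only appear when the blacklist is enabled both globally and for scanning protection, a detector created with add_to_blacklist=False reports the scan but never blocks the source.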

Protection against flood attacks


Flood attackers send a large number of forged requests to the targets in a short time, so that the target
systems become too busy to provide services for legitimate users, resulting in denial of service.
The device can defend against these types of flood attacks:
SYN flood attack
Because of the limited resources, the TCP/IP stack permits only a limited number of TCP connections. A
SYN flood attacker sends a great quantity of SYN packets to a target server, using a forged address as
the source address. After receiving the SYN packets, the server replies with SYN ACK packets. Because
the destination address of the SYN ACK packets is unreachable, the server can never receive the
expected ACK packets, resulting in large amounts of half-open connections. In this way, the attacker
exhausts the system resources, making the server unable to service normal clients.
ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time by, for
example, using the ping program, causing the target to become too busy to process normal services.
UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that the
target becomes too busy to process normal services.
The flood attack protection function takes effect only on outgoing packets. It is mainly used to protect
servers. It monitors the connection establishment rate and number of half-open connections of a server. If
the rate reaches or exceeds 1000 connections per second or if the number of half-open connections
reaches or exceeds 10,000 (only SYN flood attack protection supports restriction of half-open
connections), it logs the event and discards subsequent connection requests to the server.

Configuring the blacklist function
Recommended configuration procedure
Step | Remarks
Enabling the blacklist function | Required. By default, the blacklist function is disabled.
Adding blacklist entries (either Configuring the scanning attack protection function to add blacklist entries automatically, or Adding a blacklist entry manually) | Required. Use either approach. You can add blacklist entries manually or enable the blacklist function globally, configure the scanning attack protection function, and enable the blacklist function for scanning attack protection to allow the device to add the IP addresses of detected scanning attackers to the blacklist automatically. For configuration of scanning attack protection, see "Configuring intrusion detection." By default, no blacklist entry exists. NOTE: Modifying an automatically added entry changes the type of the entry to Manual.
Viewing blacklist entries | Optional.

Enabling the blacklist function


From the navigation tree, select Security Setup > Attack Defend > Blacklist to display the page shown
in Figure 170, where all manually configured or automatically generated blacklist entries are listed.
Select the Enable Blacklist checkbox, and then click Apply to enable the blacklist filtering function.
Figure 170 Blacklist page

Adding a blacklist entry manually
On the blacklist page shown in Figure 170, click Add to configure a blacklist entry, as shown in Figure
171.
Figure 171 Add a blacklist entry

Table 96 Configuration

Item | Description
IP Address | Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast address, a class D address, a class E address, 127.0.0.0/8, or 255.0.0.0/8.
Hold Time | Configure the entry as a non-permanent entry, and specify the hold time of the blacklist entry.
Permanence | Configure the entry as a permanent entry.

Viewing blacklist entries


Select Security Setup > Attack Defend > Blacklist from the navigation tree to view blacklist entries.
Table 97 Field description

Field | Description
IP Address | IP address of the blacklist entry.
Add Method | The way in which the blacklist entry was added, Manual or Automatic. Manual: The entry was added manually or has been modified after being added automatically. Automatic: The entry was added automatically by the scanning attack protection function. NOTE: Modifying an automatically added entry changes the type of the entry to Manual.
Start Time | The time when the blacklist entry was added.
Hold Time | Duration for which the blacklist entry is held in the blacklist.
Dropped Count | Number of packets matching the blacklist entry and dropped by the device.

Configuring intrusion detection
On the A-MSR900/20-1X series routers
Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree to display the
intrusion detection configuration page, as shown in Figure 172. Select the Enable attack defense policy
checkbox, and then select the specific attack protection functions to be enabled. Click Apply to finish the
configuration.
Figure 172 Intrusion detection configuration page

On the A-MSR20/30/50 series routers


Select Security Setup > Attack Defend > Intrusion Detection to display the page shown in Figure 173.
Click Add to display the page for adding a new intrusion detection policy shown in Figure 174. Select an
interface, select the attack protection functions to be enabled, and then click Apply. The selected attack
protection functions are enabled on the selected interface.

Figure 173 Intrusion detection policy list

Figure 174 Add an intrusion detection policy

Attack protection configuration examples
Attack protection configuration example for the A-MSR900/20-1X series routers
Network requirements
As shown in Figure 175, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:
• Router always drops packets from Host D, an attacker.
• Router denies packets from Host C for 50 minutes for temporary access control of Host C.
• Router provides scanning attack protection and automatically adds detected attackers to the
blacklist.
• Router provides Land attack protection and Smurf attack protection.
Figure 175 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 176.

Figure 176 Enable the blacklist function

a. Select the Enable Blacklist checkbox.


b. Click Apply.

# Add blacklist entries manually.


• Click Add and then perform the following configurations, as shown in Figure 177.
Figure 177 Add a blacklist entry for Host D

a. Enter IP address 5.5.5.5, the IP address of Host D.


b. Select Permanence for this blacklist entry.
c. Click Apply.
d. Click Add and then perform the following configurations, as shown in Figure 178.

Figure 178 Add a blacklist entry for Host C

a. Enter IP address 192.168.1.5, the IP address of Host C.


b. Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
c. Click Apply.
# Configure intrusion detection: Enable scanning attack protection, and enable blacklist function for it.
Enable Land attack protection and Smurf attack protection.
• Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree, and then
perform the following configurations, as shown in Figure 179.

Figure 179 Configure intrusion detection

a. Select Enable Attack Defense Policy.


b. Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other checkboxes.
c. Click Apply.

Verifying the configuration


• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
• Router drops all packets from Host D unless you remove Host D from the blacklist.
• Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.
• Upon detecting the scanning attack, Router outputs an alarm log and adds the IP address of the
attacker to the blacklist. You can view the added blacklist entry by selecting Security Setup > Attack
Defend > Blacklist.
• Upon detecting the Land or Smurf attack, Router outputs an alarm log and drops the attack packet.

Attack protection configuration example for the A-MSR20/30/50 series routers
Network requirements
As shown in Figure 180, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:

• Router always drops packets from Host D, an attacker.
• Router denies packets from Host C for 50 minutes for temporary access control of Host C.
• Router provides scanning attack protection and automatically adds detected attackers to the blacklist
on interface Ethernet 0/2, the interface connecting the Internet.
• Router provides Land attack protection and Smurf attack protection on Ethernet 0/2.
Figure 180 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 181.
Figure 181 Enable the blacklist function

a. Select the Enable Blacklist checkbox.


b. Click Apply.

# Add blacklist entries manually.


• Click Add and then perform the following configurations, as shown in Figure 182.

Figure 182 Add a blacklist entry for Host D

a. Enter IP address 5.5.5.5, the IP address of Host D.


b. Select Permanence for this blacklist entry.
c. Click Apply.
d. Click Add and then perform the following configurations, as shown in Figure 183.

Figure 183 Add a blacklist entry for Host C

a. Enter IP address 192.168.1.5, the IP address of Host C.


b. Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
c. Click Apply.
# Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist
function for it. Enable Land attack protection and Smurf attack protection.
• Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree. Click Add and
then perform the following configurations, as shown in Figure 184.

Figure 184 Configure intrusion detection

a. Select interface Ethernet0/2.


b. Select Enable Attack Defense Policy.
c. Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other checkboxes.
d. Click Apply.

Verifying the configuration


• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
• Router drops all packets from Host D unless you remove Host D from the blacklist.
• Router drops packets from Host C within 50 minutes. Then, Router forwards packets from Host C
normally.
• Upon detecting the scanning attack on Ethernet 0/2, Router outputs an alarm log and adds the IP
address of the attacker to the blacklist. You can view the added blacklist entry by selecting Security
Setup > Attack Defend > Blacklist.
• Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops the
attack packet.

Configuring application control

Complete the following tasks to configure application control in the web interface:
• Load applications.
• Configure a custom application.
• Enable application control.
Application control allows you to control which applications and protocols users can access on the
Internet by specifying the destination IP address, protocol, operation type, and port. Application control
can be based on a group of users or all users in a LAN. This chapter describes the application control
based on all users. For application control based on user group, see "Configuring SIP server group
management."

NOTE:
The application control function applies only to the outbound direction of WAN interfaces.

Configuring application control


Recommended configuration procedure
Step | Remarks
Loading applications | Optional. Load the signature file that contains the application control rules to the device. NOTE: If you perform this configuration multiple times, only the last file loaded to the device takes effect.
Configuring a custom application | Optional. Add a custom application, and configure the match rules.
Enabling application control | Required. Enable application control for specified applications or protocols globally.

Loading applications
Select Security Setup > Application Control from the navigation tree, and then click the Load Application
tab to display the page for loading applications shown in Figure 185.
• To load an application control file from the device, select From Device, select the application control
file, and then click Apply.
• To load an application control file from the local host to the device, select From Local, click Browse
to find the file, and then click Apply.

After the file is loaded to the device successfully, all the loaded applications are displayed in the lower
part of the page.
Figure 185 Load applications

Configuring a custom application


Select Security Setup > Application Control from the navigation tree, and then click the Custom
Application tab to display the custom application list page shown in Figure 186. Click Add to display the
page for configuring a custom application shown in Figure 187.
Figure 186 Custom applications

Figure 187 Add a custom application

Table 98 Configuration

Item | Description
Application Name | Specify the name for the custom application.
Protocol | Specify the protocol to be used for transferring packets, including TCP, UDP, and All. All means all IP-carried protocols.
IP Address | Specify the IP address of the server of the applications to be controlled.
Port (Match Rule, Start Port, End Port) | Specify the port numbers of the applications to be controlled. When you select TCP or UDP for the Protocol parameter, the port configuration is available. If you do not want to limit port numbers, do not select a match rule. In this case, you do not need to enter the start port and end port. If you want to limit a range of ports, select Range for the match rule, and then enter the start port and end port to specify the port range. If you select other options of the match rule, you only need to enter the start port.

Enabling application control


Select Security Setup > Application Control from the navigation tree. The Application Control tab appears,
as shown in Figure 188. Select the applications and protocols to be controlled from the Loaded
Applications, Predefined Applications, and Custom Applications areas as needed, and then click Apply.

Figure 188 Application Control

Application control configuration example


Network requirements
As shown in Figure 189, internal users access the Internet through Router. Configure application control
on Router, so that no user can use MSN.
Figure 189 Network diagram
[Diagram labels: Internet; Eth0/1; Router]

Configuration procedure
# Load the application control file. (Assume that signature file p2p_default.mtd, which can prevent users
from using MSN, is stored on the device).
• Select Security Setup > Application Control from the navigation tree, and then click the Load
Application tab and perform the following configurations, as shown in Figure 190.

Figure 190 Load the application signature file

a. Select the From Device option, and then select file p2p_default.
b. Click Apply. Figure 191 shows the loaded applications.

Figure 191 Loaded applications

# Enable application control.


• Click the Application Control tab, and then perform the following configurations, as shown in Figure
192.

Figure 192 Configure application control

a. Select MSN from the Loaded Applications area.


b. Click Apply.

Configuring webpage redirection

With webpage redirection configured on an interface, a user accessing a webpage through the interface
for the first time is forcibly led to a specified webpage (the web access request of the user is redirected to
the specified URL). After that, the user can access network resources normally. If the user sends a web
access request after a specified time interval, the specified webpage is displayed again.
This feature applies to scenarios where a hotel or carrier wants to periodically push an advertisement
webpage to users.

NOTE:
Webpage redirection is ineffective on the interface with the portal function enabled. Do not configure both
functions on an interface.

To configure webpage redirection:


Select Advanced > Redirection from the navigation tree to display the page shown in Figure 193. The
webpage redirection configuration information is displayed on the page. Click Add to display the
configuration page shown in Figure 194.
Figure 193 Redirection page

Figure 194 Redirection URL configuration page

Table 99 describes the redirection URL configuration.
Table 99 Configuration

Item | Description
Interface | Select an interface on which to enable webpage redirection.
Redirection URL | Enter the address of the webpage to be displayed (the URL to which the web access request is redirected). For example, http://192.0.0.1.
Interval | Enter the time interval at which webpage redirection is triggered.

Configuring routes

The term "router" in this document refers to both routers and Layer 3 switches.
This chapter mainly describes IPv4 route configuration.
You can perform the following route configurations through the web interface:
• Creating a static route
• Displaying the active route table
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host.
Routing provides the path information that guides the forwarding of packets.
A router selects optimal routes from the routing table and sends them to the FIB table to guide packet
forwarding. Each router maintains a routing table and a FIB table.
You can manually configure routes. Such routes are called "static routes."

NOTE:
For more information about the routing table and static routes, see HP A-MSR Router Series Layer 3—IP
Routing Configuration Guide.

Route configuration
Creating an IPv4 static route
Select Advanced > Route Setup from the navigation tree, and then click the Create tab to display the static
route configuration page, as shown in Figure 195.

Figure 195 Static route configuration page

Table 100 Configuration

Item | Description
Destination IP Address | Enter the destination IP address of the static route, in dotted decimal notation.
Mask | Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted decimal notation.
Preference | Enter a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop | Enter the next hop IP address of the static route, in dotted decimal notation.
Interface | Select the outgoing interface of the static route. If you select Null 0, the destination IP address is unreachable.

Displaying the active route table


Select Advanced > Route Setup from the navigation tree to display the Summary tab, as shown in Figure
196.
Figure 196 Active route table

Table 101 Field description

Field | Description
Destination IP Address | Destination IP address of the route.
Mask | Mask of the destination IP address.
Protocol | Routing protocol that discovered the route, including static route, direct route, and various dynamic routing protocols.
Preference | Preference for the route.
Next Hop | Next hop address of the route.
Interface | Output interface of the route. Packets destined for the destination IP address are forwarded out the interface.

IPv4 static route configuration example
Network requirements
The routers' interfaces and the hosts' IP addresses and masks are shown in Figure 197. Configure static
routes on the routers for any two hosts to communicate with each other.
Figure 197 Network diagram

Configuration considerations
1. Configure a default route with Router B as the next hop on Router A.
2. On Router B, configure one static route with Router A as the next hop and the other with Router C as
the next hop.
3. Configure a default route with Router B as the next hop on Router C.

Configuration procedure
1. Configure the IP addresses of the interfaces. (Details not shown)
2. Configure static routes on the routers.
# Configure a default route on Router A.
• Select Advanced > Route Setup from the navigation tree of Router A, and then click the Create tab to
perform the following settings on the page shown in Figure 198.
a. Enter 0.0.0.0 for Destination IP Address.
b. Enter 0 for Mask.
c. Enter 1.1.4.2 for Next Hop.
d. Click Apply.

Figure 198 Configure a default route on Router A

The newly created static route is listed in the lower part of the page.
# Configure two static routes on Router B.
a. Select Advanced > Route Setup from the navigation tree of Router B, and then click the Create
tab to perform the following settings on the page shown in Figure 198.
b. Enter 1.1.2.0 for Destination IP Address.
c. Enter 24 for Mask.
d. Enter 1.1.4.1 for Next Hop.
e. Click Apply.
f. Enter 1.1.3.0 for Destination IP Address.
g. Enter 24 for Mask.
h. Enter 1.1.5.6 for Next Hop.
i. Click Apply.
The newly created static routes are listed in the lower part of the page.
# Configure a default route on Router C.
a. Select Advanced > Route Setup from the navigation tree of Router C, and then click the Create
tab to perform the following settings on the page shown in Figure 198.
b. Enter 0.0.0.0 for Destination IP Address.
c. Enter 0 for Mask.
d. Enter 1.1.5.5 for Next Hop.
e. Click Apply.

The newly created static route is listed in the lower part of the page.
3. Configure the IP addresses and default gateways of hosts.
As shown in Figure 197, configure the IP addresses of the hosts, and configure the default gateways of
Host A, B, and C as 1.1.2.3, 1.1.6.1, and 1.1.3.1, respectively. The detailed configuration steps are not
shown.

Verifying the configuration
# Display the active route table.
From the navigation trees of Router A, Router B, and Router C, select Advanced > Route Setup to display
the Summary tab. Verify that the newly created static routes are displayed in the active route table.
# Ping Host A from Host B (assuming both hosts run Windows XP).
C:\Documents and Settings\Administrator>ping 1.1.2.2

Pinging 1.1.2.2 with 32 bytes of data:

Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Use the tracert command on Host B to check the reachability to Host A.


C:\Documents and Settings\Administrator>tracert 1.1.2.2

Tracing route to 1.1.2.2 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 1.1.6.1
2 <1 ms <1 ms <1 ms 1.1.4.1
3 1 ms <1 ms <1 ms 1.1.2.2

Trace complete.

Configuration guidelines
When you configure a static route, follow these guidelines:
1. If you do not specify the preference when you configure a static route, the default preference is
used. Reconfiguration of the default preference applies only to newly created static routes. The web
interface does not support configuration of the default preference.
2. When you configure a static route, the static route does not take effect if you specify the next hop
address first and then configure it as the IP address of a local interface, such as an Ethernet interface
or a VLAN interface.
3. When specifying the output interface:
• If Null 0 or a loopback interface is specified as the output interface, there is no need to configure
the next hop.
• If a point-to-point interface is specified as the output interface, you do not need to specify the
next hop, and there is no need to change the configuration after the peer address has changed.
For example, a PPP interface obtains the peer's IP address through PPP negotiation. Therefore,
you only need to specify it as the output interface.
• If the output interface is an NBMA or P2MP interface (which supports point-to-multipoint
networks), the IP address-to-link layer address mapping must be established. HP recommends
specifying the next hop when you configure it as the output interface.
• If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
VLAN interface) as the output interface (which can have multiple next hops), you must specify the
next hop at the same time.

Configuring user-based load sharing

You can configure user-based load sharing in the web interface.


A routing protocol can have multiple equal-cost routes to the same destination. These routes have the
same preference and are all used to accomplish load sharing if no route with a higher preference is
available.
The device supports user-based load sharing based on the user information (source IP addresses) of
packets.
To configure user-based load sharing:
Select Advanced > User-based-sharing from the navigation tree to display the page shown in Figure 199,
where interface configuration is displayed. Click the icon to display the Modify configuration page
shown in Figure 200.
Figure 199 User-based load sharing

Figure 200 Modify configuration

Table 102 Configuration

Item | Description
Interface | Name of the interface for which to configure user-based load sharing.
Status of user-based-sharing | Set whether to enable user-based load sharing on the interface.
Bandwidth | Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface. For example, if the bandwidth of Ethernet 0/0 is set to 200 kbps and that of Ethernet 0/1 is set to 100 kbps, the load ratio is 2:1.

Configuring traffic ordering

You can do the following to configure traffic ordering on the web interface:
• Setting the traffic ordering interval
• Specifying the traffic ordering mode
• Displaying internal interface traffic ordering statistics
• Displaying external interface traffic ordering statistics
When multiple packet flows (classified by their source addresses) are received or sent by a device, you
can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound
direction and then rank the statistics. The network administrator can use the traffic ordering statistics to
analyze the network usage for network management.
An interface can be specified as an external or internal interface to collect traffic statistics:
• An internal interface collects both inbound and outbound traffic statistics, including total traffic
statistics, total inbound/outbound traffic statistics, inbound/outbound TCP packet statistics,
inbound/outbound UDP packet statistics, and inbound/outbound ICMP packet statistics.
• An external interface collects only the total inbound traffic statistics.

Recommended configuration procedure


Step | Remarks
Setting the traffic ordering interval | Optional. The default traffic ordering interval is 10 seconds.
Specifying the traffic ordering mode | Required. Specify an interface as an internal or external interface to collect traffic statistics. By default, an interface does not collect traffic statistics.
Displaying internal interface traffic ordering statistics; Displaying external interface traffic ordering statistics | Optional. You can view the traffic ordering statistics of internal or external interfaces.

Setting the traffic ordering interval
Select Advanced > Traffic Ordering from the navigation tree to display the default configuration page
shown in Figure 201. You can set the interval for collecting traffic statistics in the lower part of the page.
Figure 201 Traffic ordering configuration page

Specifying the traffic ordering mode


Select Advanced > Traffic Ordering from the navigation tree to display the page shown in Figure 201.
You can view and configure the interface for collecting traffic statistics in the upper part of the page.
Select one or more options for the interfaces in the list:
• Click Internal interface to set the interfaces as the internal interfaces to collect traffic statistics.
• Click External interface to set the interfaces as the external interfaces to collect traffic statistics.
• Click Disable statistics collecting to disable the interfaces from collecting traffic statistics.

Displaying internal interface traffic ordering statistics


Select Advanced > Traffic Ordering from the navigation tree, and click the Statistics of Internal Interfaces
tab to display the page shown in Figure 202.
By default, the system arranges the entries in descending order of the total traffic statistics and displays
the top five entries. Select one item from the Arrange in list, enter a number in the Number of entries
displayed field, and then click Refresh to display the list as needed.

Figure 202 Internal interface traffic ordering statistics page

Displaying external interface traffic ordering statistics


Select Advanced > Traffic Ordering from the navigation tree, and click the Statistics of External Interfaces
tab to display the page shown in Figure 203.
By default, the system arranges the entries in descending order of the total inbound traffic statistics and
displays the top five entries. Select one item from the Arrange in list, enter a number in the Number of
entries displayed field, and then click Refresh to display the list as needed.
Figure 203 External interface traffic ordering statistics page

Configuring DNS

You can do the following to configure DNS on the web interface:


• Enabling dynamic domain name resolution
• Enabling DNS proxy
• Clearing the dynamic domain name cache
• Specifying a DNS server
• Configuring a domain name suffix
DNS is a distributed database that provides TCP/IP applications with the mappings between host names
and IP addresses. With DNS, you can use easy-to-remember host names in some applications and let the
DNS server translate them into correct IP addresses.

NOTE:
For more information about DNS, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

DNS provides the following functions:


• Dynamic domain name resolution—Implemented by querying the DNS server.
• DNS proxy—Forwards DNS requests and replies between the DNS client and DNS server.

Configuring dynamic domain name resolution


Recommended configuration procedure

Step | Remarks
Enabling dynamic domain name resolution | Required. Enable dynamic domain name resolution. Disabled by default.
Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers.
Configuring a domain name suffix | Optional. A suffix is used when the name to be resolved is incomplete. The system can supply the missing part. For example, a user can configure com as the suffix for aabbcc.com. The user only has to enter aabbcc to obtain the IP address of aabbcc.com because the system adds the suffix and delimiter before passing the name to the DNS server. Not configured by default. You can configure up to 10 DNS suffixes.
Clearing the dynamic domain name cache | Optional. Clear the dynamic IPv4 domain name cache. The DNS client stores latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client searches the cache for a repeated query rather than sending a request to the DNS server. The mappings are aged out from the cache after a certain time. You can also manually clear the cache.

Enabling DNS proxy


Recommended configuration procedure

Step | Remarks
Enabling DNS proxy | Required. Enable DNS proxy on the device. Disabled by default.
Specifying a DNS server | Required. Not specified by default. You can specify up to six DNS servers.

Enabling dynamic domain name resolution
Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Select Enable for Dynamic DNS and click Apply.
Figure 204 Dynamic domain name resolution configuration

Enabling DNS proxy


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Select Enable for DNS Proxy and click Apply.

Clearing the dynamic domain name cache


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Select the Clear Dynamic DNS cache checkbox, and click Apply.

Specifying a DNS server


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Click Add IP to display the page shown in Figure 205.

Figure 205 Add a DNS server address

Table 103 Configuration

Item | Description
DNS Server IP Address | Enter the IP address of a DNS server.

Configuring a domain name suffix


Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the configuration
page shown in Figure 204.
Click Add Suffix to display the configuration page shown in Figure 206.
Figure 206 Add a domain name suffix

Table 104 Configuration

Item | Description
DNS Domain Name Suffix | Configure a domain name suffix.

Domain name resolution configuration example


Network requirements
• As shown in Figure 207, Router B serves as a DNS client, and Router A is specified as a DNS
server. Dynamic domain name resolution and the domain name suffix are configured on Router B.
Therefore, Router B can use domain name host to access the host with the domain name host.com
and the IP address 3.1.1.1/24.
• Router A serves as the DNS proxy. The IP address of the actual DNS server is 4.1.1.1/24.
• Router B performs domain name resolution via Router A.

Figure 207 Network diagram (devices shown: Router B, DNS client, 2.1.1.1/24; Router A, DNS proxy,
2.1.1.2/24 and 1.1.1.1/24; DNS server, 4.1.1.1/24; Host host.com, 3.1.1.1/24; IP network)

NOTE:
• Before performing the following configuration, make sure that the device and the host are routable to each other
and that the IP addresses of the interfaces are configured as shown in Figure 207.
• This configuration may vary with different DNS servers. The following configuration is performed on a PC running
Windows Server 2000.

Configuration procedure
1. Configure the DNS server.
# Enter the DNS server configuration page.
Select Start > Programs > Administrative Tools > DNS.
# Create zone com.
As shown in Figure 208, right click Forward Lookup Zones, select New zone, and then follow the
instructions to create a new zone named com.
Figure 208 Create a zone

# Create a mapping between the host name and the IP address.
Figure 209 Add a host

In Figure 209, right click zone com and then select New host to display the dialog box shown in Figure
210. Enter host name host and IP address 3.1.1.1.
Figure 210 Add a mapping between domain name and IP address

2. Configure the DNS proxy (Router A).


# Enable DNS proxy on Router A.
• Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the
configuration page shown in Figure 211.
Figure 211 Enable DNS proxy on Router A

a. Select Enable for DNS Proxy.


b. Click Apply.

# Specify the DNS server address.

• Click Add IP to display the page shown in Figure 212.
Figure 212 Specify a DNS server address

a. Enter 4.1.1.1 for DNS Server IP Address.


b. Click Apply.
3. Configure the DNS client (Router B).
# Enable dynamic domain name resolution.
• Select Advanced > DNS Setup > DNS Configuration from the navigation tree to display the
configuration page shown in Figure 213.
Figure 213 Enable dynamic domain name resolution

a. Select Enable for Dynamic DNS.


b. Click Apply.

# Specify the DNS server address.


• Click Add IP to display the page shown in Figure 214.

Figure 214 Specify the DNS server address

a. Enter 2.1.1.2 for DNS Server IP Address.


b. Click Apply.

# Configure the domain name suffix.


• Click Add suffix to display the page shown in Figure 215.
Figure 215 Configure DNS domain name suffix

a. Enter com for DNS Domain Name Suffix.


b. Click Apply.

Verifying the configuration


Select Other > Diagnostic Tools from the navigation tree, and click the Ping tab. Use the ping host
command to verify that the communication between Router B and the host is normal and that the
corresponding destination IP address is 3.1.1.1.
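
The following Python model of this example's resolution path (Router B as client, Router A as proxy, the DNS server behind it) is an added illustration, not HP code; it shows how suffix completion and the dynamic cache decide what reaches the server. The class names, the 60-second aging time, the rule that a name without a dot counts as incomplete, and the changed address 3.1.1.9 are assumptions.

```python
import time

MAX_SERVERS, MAX_SUFFIXES = 6, 10      # limits stated in this guide


class DnsServer:
    """Stand-in for the real DNS server (4.1.1.1) holding the zone data."""

    def __init__(self, records):
        self.records = dict(records)
        self.queries = []              # every name this server was asked for

    def query(self, fqdn):
        self.queries.append(fqdn)
        return self.records.get(fqdn)


class DnsProxy:
    """Router A: relays requests and replies between client and server."""

    def __init__(self, upstream):
        self.upstream = upstream

    def query(self, fqdn):
        return self.upstream.query(fqdn)


class DnsClient:
    """Router B: dynamic resolution with suffix completion and a cache."""

    def __init__(self, servers, suffixes=(), aging_seconds=60, clock=time.monotonic):
        if not 1 <= len(servers) <= MAX_SERVERS:
            raise ValueError("specify one to six DNS servers")
        if len(suffixes) > MAX_SUFFIXES:
            raise ValueError("at most 10 DNS suffixes")
        self.servers, self.suffixes = list(servers), list(suffixes)
        self.aging, self.clock = aging_seconds, clock   # aging value is assumed
        self.cache = {}                                 # fqdn -> (ip, expiry)

    def candidates(self, name):
        # Assumption: a name without a dot is incomplete, so each suffix is
        # appended with the "." delimiter before the bare name is tried.
        if "." in name:
            return [name]
        return [f"{name}.{suffix}" for suffix in self.suffixes] + [name]

    def resolve(self, name):
        """Return (fqdn, ip, source) or None; source is 'cache' or 'server'."""
        for fqdn in self.candidates(name):
            cached = self.cache.get(fqdn)
            if cached and cached[1] > self.clock():
                return fqdn, cached[0], "cache"
            for server in self.servers:
                ip = server.query(fqdn)
                if ip:
                    self.cache[fqdn] = (ip, self.clock() + self.aging)
                    return fqdn, ip, "server"
        return None

    def clear_cache(self):
        self.cache.clear()


def demo():
    now = [0.0]                                        # fake clock for the demo
    server = DnsServer({"host.com": "3.1.1.1"})
    router_b = DnsClient([DnsProxy(server)], ["com"], clock=lambda: now[0])
    first = router_b.resolve("host")                   # proxy -> server
    repeat = router_b.resolve("host")                  # served from the cache
    server.records["host.com"] = "3.1.1.9"             # constructed change
    stale = router_b.resolve("host")                   # cache hides the change
    router_b.clear_cache()
    fresh = router_b.resolve("host")                   # re-queried after clear
    now[0] = 61.0                                      # past the aging time
    server.records["host.com"] = "3.1.1.1"
    aged = router_b.resolve("host")                    # entry aged out
    return first, repeat, stale, fresh, aged, list(server.queries)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The stale result is the case the Clear Dynamic DNS cache checkbox addresses: until the entry ages out or is cleared, the client keeps answering with the old address without contacting the server.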

Configuring DDNS

Although DNS allows you to access nodes in networks using their domain names, it provides only the
static mappings between domain names and IP addresses. When you use the domain name to access a
node whose IP address has changed, your access fails because DNS leads you to the IP address that is
no longer where the node resides.
DDNS can dynamically update the mappings between domain names and IP addresses for DNS servers
to direct you to the latest IP address corresponding to a domain name.
Figure 216 DDNS networking application

As shown in Figure 216, DDNS works on the client-server model comprising the DDNS client and the
DDNS server.
• DDNS client—A device that has to update the mapping between the domain name and the IP
address dynamically. An Internet user usually uses the domain name to access an application layer
server such as an HTTP or FTP server. When its IP address changes, the application layer server
runs as a DDNS client that sends a request to the DDNS server for updating the mapping between
the domain name and the IP address.
• DDNS server—Informs the DNS server of latest mappings. When receiving the mapping update
request from a DDNS client, the DDNS server tells the DNS server to re-map between the domain
name and IP address of the DDNS client. Therefore, Internet users can use the same domain name to
access the DDNS client even if the IP address of the DDNS client has changed.

NOTE:
• The DDNS update process does not have a unified standard and depends on the DDNS server that the DDNS client
contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn (also known as the
"PeanutHull server"), and www.dyndns.com.
• With the DDNS client configured, a device can dynamically update the latest mapping between its domain name
and IP address on the DNS server through a DDNS server at www.3322.org or www.oray.cn, for example.

Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for
the DDNS client.
• Specify the primary IP address of the interface, and make sure that the DDNS server and the
interface can reach each other.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS
server into its IP address.

Configuration procedure
Select Advanced > DNS Setup > DDNS Configuration from the navigation tree to display the DDNS page
shown in Figure 217. Click Add to configure a DDNS entry, as shown in Figure 218.
Figure 217 DDNS configuration page

Figure 218 Create a DDNS entry

Table 105 Configuration

Item | Description
Domain Name | Specify the DDNS entry name, which is the only identifier of the DDNS entry.
Server Settings: Server Provider | Select the DDNS server provider: 3322.org or PeanutHull.
Server Settings: Server Name | Specify the server name of the DDNS server for domain name resolution. NOTE: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org; if the server provider is PeanutHull, the server name is phservice2.oray.net. HP recommends that you do not change the server name of server provider 3322.org, but you can use the server name, such as phservice2.oray.net, phddns60.oray.net, client.oray.net, or ph031.orat.net for server provider PeanutHull.
Server Settings: Interval | Specify the interval for sending DDNS update requests after DDNS update is enabled. NOTE: • A DDNS update request is immediately initiated when the primary IP address of the interface changes or when the link state of the interface changes from down to up, regardless of whether the interval is reached. • If you specify the interval as 0, your device does not periodically initiate any DDNS update request, but it will initiate a DDNS update request when the primary IP address of the interface is changed or when the link state of the interface changes from down to up.
Account Settings: Username | Specify the username used for logging in to the DDNS server.
Account Settings: Password | Specify the password used for logging in to the DDNS server.
Other Settings: Associated Interface | Select an interface to which the DDNS policy is applied. The IP address in the host name-to-IP address mapping for update is the primary IP address of the interface. You can bind up to four DDNS entries to an interface.
Other Settings: FQDN | Specify the FQDN in the IP-to-FQDN mapping for update. • If the DDNS service is provided by www.3322.org, the FQDN must be specified. Otherwise, DDNS update may fail. • If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server updates all corresponding domain names of the DDNS client account. If an FQDN is specified, the DDNS server updates only the specified IP-to-FQDN mapping.

DDNS configuration example


Network requirements
• As shown in Figure 219, Router is a web server with the domain name whatever.3322.org.
• Router acquires an IP address through DHCP. Through DDNS service provided by www.3322.org,
Router informs the DNS server of the latest mapping between its domain name and IP address.
• The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.3322.org
into the corresponding IP address.

Figure 219 Network diagram

NOTE:
Before configuring DDNS on Router, register at http://www.3322.org/ (username Steven and
password nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and
make sure that the devices are reachable to each other.

Configuration procedure
# Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1. (Details
not shown)
# Configure DDNS.
• Select Advanced > DNS Setup > DDNS Configuration from the navigation tree, and then click Add to
display the page shown in Figure 220.
Figure 220 Configure DDNS

a. Enter 3322 for Domain Name.


b. Select 3322.org from the Server Provider list.
c. Enter steven for Username.

d. Enter nevets for Password.
e. Select Ethernet0/1 from the Associated Interface list.
f. Enter whatever.3322.org for FQDN.
g. Click Apply.

After the preceding configuration is completed, Router notifies the DNS server of its new domain
name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP
address changes. Therefore, Router can always provide web service at whatever.3322.org.

Configuring DHCP

You can do the following to configure DHCP on the web interface:


• Enabling DHCP
• Configuring DHCP interface setup
• Configuring a static address pool for the DHCP server
• Configuring a dynamic address pool for the DHCP server
• Configuring IP addresses excluded from dynamic allocation
• Configuring a DHCP server group
DHCP provides a framework to assign configuration information to network devices.
DHCP uses the client/server model. Figure 221 shows a typical DHCP application.
Figure 221 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet via a DHCP relay agent, as shown in Figure 222.
Figure 222 A typical DHCP relay agent application (diagram labels: DHCP clients, DHCP relay agent,
IP network, DHCP server)

NOTE:
For more information about DHCP, see HP A-MSR Router Series Layer 3—IP Services Configuration
Guide.

Configuring the DHCP server


Recommended configuration procedure

Step | Remarks
Enabling DHCP | Required. Enable DHCP globally. Disabled by default.
Configuring the DHCP server on an interface | Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default. NOTE: The DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface.
Configuring a static address pool for the DHCP server; Configuring a dynamic address pool for the DHCP server | Required. An address pool can be either static or dynamic, but not both. NOTE: When a DHCP client tries to obtain an IP address through a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured. Otherwise, the DHCP client fails to obtain an IP address.
Configuring IP addresses excluded from dynamic allocation | Optional. Exclude IP addresses from automatic allocation in the DHCP address pool. To avoid address conflicts, the DHCP server excludes IP addresses used by the gateway or FTP server from dynamic allocation. By default, all IP addresses in the address pool, except the IP address of the DHCP server, can be assigned automatically. NOTE: If a static bound IP address is excluded from automatic allocation, it is still assignable to the bound user.

Configuring the DHCP relay agent
Recommended configuration procedure

Step | Remarks
Enabling DHCP | Required. Enable DHCP globally. Disabled by default.
Configuring a DHCP server group | Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all DHCP servers of the group.
Configure the DHCP relay agent on the current interface and correlate it with the DHCP server group. | Required. For the detailed configuration, see "Configuring DHCP interface setup." By default, the interface works as a DHCP server. NOTE: • The DHCP relay agent configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, or serial interface. • If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag, and the VLAN tag must be consistent with the VLAN ID of the subinterface. Otherwise, the packet is discarded.

Configuring the DHCP client


Recommended configuration procedure

Step | Remarks
Configure the DHCP client on an interface | Required. For detailed configuration, see "Configuring DHCP interface setup." By default, the interface does not obtain an IP address through DHCP. NOTE: The DHCP client configuration is supported only on a Layer 3 interface (or subinterface), VLAN interface, or Layer 3 aggregate interface. You cannot configure an interface of an aggregation group as a DHCP client.

Enabling DHCP
Select Advanced > DHCP Setup from the navigation tree to display the default DHCP Enable page shown
in Figure 223.
Figure 223 DHCP Enable

Table 106 DHCP global configuration

Item | Description
DHCP | Enable or disable DHCP globally.

Configuring DHCP interface setup


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Figure 224 DHCP interface setup

Table 107 DHCP interface setup configuration

Item | Description
Interface | Select an interface to configure.
Type | Select a type for the interface: • None—Upon receiving a DHCP request, the interface does not assign an IP address to the requesting client nor serve as a DHCP relay agent to forward the request. • Server—Upon receiving a DHCP request, the interface assigns the requesting client an IP address from the address pool. • Relay—Upon receiving a DHCP request, the interface forwards the request to an external DHCP server, which assigns an IP address for the requesting client. • Client—The interface uses DHCP to obtain an IP address.
DHCP server group | Correlate the relay agent interface with a DHCP server group. You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection.

Configuring a static address pool for the DHCP server


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select the Server option in the Type field, and then expand the Assignable IP Addresses node. Select the
Static Binding option in the Address Allocation Mode field to expand the static address pool setup
configuration section, as shown in Figure 225.

Figure 225 Static address pool setup for the DHCP server

Table 108 Configuration

Item | Description
Pool Name | Name of the static DHCP address pool.
Address Allocation Mode: Static Binding | Specify the static address allocation mode for the DHCP address pool.
IP Address; Subnet Mask | IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified. NOTE: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts may occur, and the client cannot obtain the IP address.
MAC Address | A client's MAC address of the static binding.
Domain Name | Specify a domain name suffix for the DHCP client. After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client.
Gateway IP Address | Specify a gateway for the DHCP client. DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client.
Primary DNS Server | Specify a primary DNS server for the DHCP client. In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client.
Standby DNS Server | Specify a standby DNS server for the DHCP client.

Configuring a dynamic address pool for the DHCP server


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select the Server option in the Type field, and then expand the Assignable IP Addresses node. Select the
Dynamic Allocation option in the Address Allocation Mode field to expand the dynamic address pool
setup configuration section, as shown in Figure 226.

Figure 226 Dynamic address pool setup for the DHCP server

Table 109 Configuration

Item | Description
Pool Name | Name of the dynamic DHCP address pool.
Address Allocation Mode: Dynamic Allocation | Specify the dynamic address allocation mode for the DHCP address pool.
IP Address; Subnet Mask | Specify an IP address for dynamic address allocation. A natural mask is adopted if no subnet mask is specified. NOTE: Make sure that the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation.
Lease Duration | Specify the lease for IP addresses to be assigned. NOTE: • If the lease has an end time specified later than the year 2106, the system considers it an expired lease. • The lease duration does not have the inherit attribute.
Domain Name | Specify a domain name suffix for the DHCP client. After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client.
Gateway IP Address | Specify a gateway for the DHCP client. DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client.
Primary DNS Server | Specify a primary DNS server for the DHCP client. In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client.
Standby DNS Server | Specify a standby DNS server for the DHCP client.

Configuring IP addresses excluded from dynamic allocation


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select the Server option in the Type field, and then expand the Forbidden IP Addresses node, as shown
in Figure 227.

Figure 227 IP address excluded from dynamic allocation setup

Table 110 Configuration to exclude IP addresses from dynamic allocation

Item | Description
Start IP Address | Specify the lowest IP address excluded from dynamic allocation.
End IP Address | Specify the highest IP address excluded from dynamic allocation. The end IP address must not be lower than the start IP address. A higher end IP address and a lower start IP address specify an IP address range. Two identical IP addresses specify a single IP address.

Configuring a DHCP server group


Select Advanced > DHCP Setup in the navigation tree, and then click the DHCP Interface Setup tab to
display the DHCP interface setup configuration page shown in Figure 224.
Select an interface that supports DHCP relay agent, select the Relay option in the Type field, and then
expand the Add DHCP Server Group node, as shown in Figure 228.

Figure 228 DHCP server group setup

Table 111 Configuration

Item | Description
Group ID | DHCP server group ID. You can create up to 20 DHCP server groups.
Server IP Address | Specifies the DHCP server IP addresses for the DHCP server group. The IP address of a DHCP server cannot be on the same network segment as that of the DHCP relay agent interface. Otherwise, DHCP clients may fail to obtain IP addresses.

DHCP configuration examples


There are two typical DHCP network types:
• The DHCP server and clients are on the same subnet and directly exchange DHCP messages.
• The DHCP server and clients are not on the same subnet and communicate with each other via a
DHCP relay agent.
The DHCP server configuration for both types is the same.

DHCP configuration example without DHCP relay agent
Network requirements
• The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is
subnetted into 10.1.1.0/25 and 10.1.1.128/25.
• The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and
10.1.1.129/25, respectively.
• In subnet 10.1.1.0/25, the lease is ten days and twelve hours, the domain name suffix is
aabbcc.com, the DNS server address is 10.1.1.2/25, and the gateway address is
10.1.1.126/25.
• In subnet 10.1.1.128/25, the lease is five days, the domain name suffix is aabbcc.com, the DNS
server address is 10.1.1.2/25, and the gateway address is 10.1.1.254/25.
• Subnets 10.1.1.0/25 and 10.1.1.128/25 have the same domain name suffix and DNS server
address. Therefore, the domain name suffix and DNS server address need to be configured only for
subnet 10.1.1.0/24. Subnet 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of
subnet 10.1.1.0/24.
• Router B (DHCP client) obtains a static IP address, DNS server address, and gateway address from
Router A (DHCP server).
Figure 229 Network diagram (diagram labels: Router A, DHCP server, Eth0/1 10.1.1.1/25 and Eth0/2
10.1.1.129/25; Gateway A 10.1.1.126/25; Gateway B 10.1.1.254/25; DNS server 10.1.1.2/25; Router B,
Eth0/1; clients; 10.1.1.4/25)
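
The plan in these network requirements can be checked before it is entered in the web interface. The following Python is an added example, not HP code: it resolves what each pool hands out after inheritance and applies the constraints stated in the configuration tables above. The parent-pool rule (smallest enclosing network), the function names, and the exclusion list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

LEASE_LIMIT_YEAR = 2106          # leases ending later are treated as expired


@dataclass
class Pool:
    name: str
    network: str
    lease: Optional[timedelta] = None   # does not have the inherit attribute
    domain: Optional[str] = None        # inherited from the enclosing pool
    dns: Optional[str] = None           # inherited from the enclosing pool
    gateway: Optional[str] = None


# Values from the network requirements of this example.
POOLS = [
    Pool("pool0", "10.1.1.0/24", domain="aabbcc.com", dns="10.1.1.2"),
    Pool("pool1", "10.1.1.0/25", lease=timedelta(days=10, hours=12),
         gateway="10.1.1.126"),
    Pool("pool2", "10.1.1.128/25", lease=timedelta(days=5),
         gateway="10.1.1.254"),
]
SERVER_IFACES = {"Ethernet0/1": "10.1.1.1/25", "Ethernet0/2": "10.1.1.129/25"}
STATIC_BINDING = "10.1.1.5/25"   # Router B
# Constructed exclusion list covering the fixed-address hosts in the plan.
EXCLUSIONS = [("10.1.1.2", "10.1.1.2"), ("10.1.1.126", "10.1.1.126"),
              ("10.1.1.254", "10.1.1.254")]


def parent_of(pool, pools):
    """Assumed rule: the parent is the smallest pool that encloses this one."""
    net = ip_network(pool.network)
    outer = [p for p in pools
             if ip_network(p.network).prefixlen < net.prefixlen
             and net.subnet_of(ip_network(p.network))]
    return max(outer, key=lambda p: ip_network(p.network).prefixlen, default=None)


def effective(pool, pools):
    """Settings a client of this pool receives after inheritance."""
    out = {"lease": pool.lease, "gateway": pool.gateway,
           "domain": pool.domain, "dns": pool.dns}
    parent = parent_of(pool, pools)
    while parent and (out["domain"] is None or out["dns"] is None):
        out["domain"] = out["domain"] or parent.domain
        out["dns"] = out["dns"] or parent.dns
        parent = parent_of(parent, pools)
    return out


def is_excluded(addr, excluded):
    return any(ip_address(lo) <= ip_address(addr) <= ip_address(hi)
               for lo, hi in excluded)


def check_plan(pools, ifaces, static_binding, excluded=(), now=None):
    """Return a list of findings; an empty list means the plan passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    iface_ips = [ip_interface(addr).ip for addr in ifaces.values()]
    if ip_interface(static_binding).ip in iface_ips:
        findings.append(f"static binding {static_binding} is a DHCP server "
                        "interface address")
    for lo, hi in excluded:
        if ip_address(hi) < ip_address(lo):
            findings.append(f"excluded range {lo}-{hi}: end is lower than start")
    for pool in pools:
        net, eff = ip_network(pool.network), effective(pool, pools)
        # No relay agent in this example, so only server interfaces count.
        if not any(ip in net for ip in iface_ips):
            findings.append(f"{pool.name}: no DHCP server interface in {net}")
        if pool.gateway and ip_address(pool.gateway) not in net:
            findings.append(f"{pool.name}: gateway {pool.gateway} outside {net}")
        if pool.lease and (now + pool.lease).year > LEASE_LIMIT_YEAR:
            findings.append(f"{pool.name}: lease ends after {LEASE_LIMIT_YEAR}")
        if any(parent_of(p, pools) is pool for p in pools):
            continue     # parent pool: checked through its child pools (assumption)
        for role, addr in (("gateway", eff["gateway"]), ("DNS server", eff["dns"])):
            if addr and ip_address(addr) in net and not is_excluded(addr, excluded):
                findings.append(f"{pool.name}: {role} {addr} is assignable; "
                                "exclude it from dynamic allocation")
    return findings


if __name__ == "__main__":
    for pool in POOLS:
        print(pool.name, effective(pool, POOLS))
    for finding in check_plan(POOLS, SERVER_IFACES, STATIC_BINDING):
        print("FINDING:", finding)
```

Run without an exclusion list, the check reports the gateway and DNS server addresses that fall inside pool1 and pool2, which are the addresses the Forbidden IP Addresses setting is meant to protect.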

Configuration procedure
1. Configure the DHCP server (Router A).
# Specify IP addresses for interfaces. (Details not shown)
# Enable DHCP.
• Select Advanced > DHCP Setup from the navigation tree of Router A to display the default DHCP
Enable page and perform the following operations, as shown in Figure 230.

Figure 230 Enable DHCP

a. Select the Enable option in the DHCP field.


b. Click Apply.

# Enable the DHCP server on interface Ethernet 0/1. By default, the DHCP server is enabled on interface
Ethernet 0/1. (Details not shown)
# Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B.
• Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 231.

Figure 231 DHCP static address pool configuration

a. Select the Server option in the Type field.


b. Expand the Assignable IP Addresses node.
c. Enter pool-static in the Pool Name field.
d. Select the Static Binding option in the Address Allocation Mode field.
e. Enter 10.1.1.5 in the IP Address field.
f. Select the Subnet Mask checkbox, and then enter 255.255.255.128.
g. Enter 000f-e200-0002 in the MAC Address field.
h. Select the Gateway IP Address checkbox, and then enter 10.1.1.126.
i. Select the Primary DNS Server checkbox, and then enter 10.1.1.2.
j. Click Apply.
# Configure DHCP address pool 0 (including the address range, client domain name suffix, and DNS
server address).

Figure 232 DHCP address pool 0 configuration

a. Enter pool0 in the Pool Name field, as shown in Figure 232.


b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field.
d. Select the Subnet Mask checkbox, and then enter 255.255.255.0.
e. Select the Domain Name checkbox, and then enter aabbcc.com.
f. Select the Primary DNS Server checkbox, and then enter 10.1.1.2.
g. Click Apply.

# Configure DHCP address pool 1 (including the address range, lease duration, and gateway address).

Figure 233 DHCP address pool 1 configuration

a. Enter pool1 in the Pool Name field, as shown in Figure 233.


b. Select Dynamic Allocation in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field.
d. Select the Subnet Mask checkbox, and then enter 255.255.255.128.
e. Set the Lease Duration to 10 days, 12 hours, and 0 minutes.
f. Select the Gateway IP Address checkbox, and then enter 10.1.1.126.
g. Click Apply.

# Configure DHCP address pool 2 (including the address range, lease duration, and gateway IP
address).

Figure 234 DHCP address pool 2 configuration

a. Enter pool2 in the Pool Name field, as shown in Figure 234.


b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c. Enter 10.1.1.128 in the IP Address field.
d. Select the Subnet Mask checkbox, and then enter 255.255.255.128.
e. Set the Lease Duration to 5 days, 0 hours, and 0 minutes.
f. Select the Gateway IP Address checkbox, and then enter 10.1.1.254.
g. Click Apply.

# Exclude IP addresses from dynamic allocation (DNS server and gateway addresses).
• Expand the Forbidden IP Addresses node and perform the following operations, as shown in Figure
235.

Figure 235 Exclude IP addresses from dynamic allocation

a. Enter 10.1.1.2 in the Start IP Address field.


b. Enter 10.1.1.2 in the End IP Address field.
c. Click Apply.
d. Enter 10.1.1.126 in the Start IP Address field, as shown in Figure 235.
e. Enter 10.1.1.126 in the End IP Address field.
f. Click Apply.
g. Enter 10.1.1.254 in the Start IP Address field, as shown in Figure 235.
h. Enter 10.1.1.254 in the End IP Address field.
i. Click Apply.
2. Configure the DHCP client (Router B).
# Enable the DHCP client on interface Ethernet 0/1.
• Select Advanced > DHCP Setup from the navigation tree of Router B, and then click the DHCP
Interface Setup tab and perform the following operations, as shown in Figure 236.

Figure 236 Enable the DHCP client on interface Ethernet 0/1

a. Select Ethernet0/1 from the Interface dropdown list.


b. Select the Client option in the Type field.
c. Click Apply.
3. Configure the DHCP client (Router C).
# Enable the DHCP client on interface Ethernet 0/1.
a. Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab, as shown in Figure 236.
b. Select Ethernet0/1 from the Interface dropdown list.
c. Select the Client option in the Type field.
d. Click Apply.

DHCP relay agent configuration example


Network requirements
• Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where DHCP clients
reside. The IP address of Ethernet 0/1 is 10.10.1.1/24. Ethernet 0/2, whose IP address is
10.1.1.2/24, connects to the DHCP server 10.1.1.1/24 (Router B).
• Router A forwards DHCP messages so that the DHCP clients on the network segment 10.10.1.0/24
can obtain IP addresses, DNS server address, and gateway address from the DHCP server. The IP
address lease is seven days, the domain name suffix is aabbcc.com, the DNS server address is
10.10.1.2/24, and the gateway address is 10.10.1.126/24.

Figure 237 Network diagram

Configuration procedure
1. Configure the DHCP relay agent (Router A).
# Specify IP addresses for interfaces. (Details not shown)
# Enable DHCP.
• Select Advanced > DHCP Setup from the navigation tree of Router A to display the default DHCP
Enable tab and perform the following operations, as shown in Figure 238.
Figure 238 DHCP enable

a. Select the Enable option in the DHCP field.


b. Click Apply.

# Create a DHCP server group.


• Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 239.

Figure 239 DHCP server group creating

a. Select Ethernet0/1 from the Interface dropdown list.


b. Select the Relay option in the Type field.
c. Expand the Add DHCP Server Group node.
d. Enter 1 in the Group ID field.
e. Enter 10.1.1.1 in the Server IP Address field.
f. Click Apply.
# Enable the DHCP relay agent on interface Ethernet 0/1.
Figure 240 The page for enabling the DHCP relay agent on interface Ethernet 0/1

a. Select 1 from the DHCP Server Group dropdown list.


b. Click Apply.
2. Configure the DHCP server (Router B).

# Specify addresses for interfaces. (Details not shown)
# Enable DHCP.
• Select Advanced > DHCP Setup from the navigation tree of Router B to display the default DHCP
Enable tab, as shown in Figure 241.
Figure 241 Enable DHCP

a. Select the Enable option in the DHCP field.


b. Click Apply.

# Enable the DHCP server on interface Ethernet 0/1. By default, the DHCP server is enabled on Ethernet
0/1. (Details not shown)
# Configure a dynamic DHCP address pool.
• Click the DHCP Interface Setup tab and perform the following operations, as shown in Figure 242.

Figure 242 Dynamic DHCP address pool configuration

a. Select the Server option in the Type field.


b. Expand the Assignable IP Addresses node.
c. Enter pool1 in the Pool Name field.
d. Select the Dynamic Allocation option in the Address Allocation Mode field.
e. Enter 10.10.1.0 in the IP Address field.
f. Select the Subnet Mask checkbox, and then enter 255.255.255.0.
g. Set the Lease Duration to 7 days, 0 hours, and 0 minutes.
h. Select the Domain Name checkbox, and then enter aabbcc.com.
i. Select the Gateway IP Address checkbox, and then enter 10.10.1.126.
j. Select the Primary DNS Server checkbox, and then enter 10.10.1.2.
k. Click Apply.

# Exclude IP addresses from dynamic allocation (DNS server and gateway addresses).
• Expand the Forbidden IP Addresses node, as shown in Figure 243.

Figure 243 IP address excluded from dynamic allocation configuration

a. Enter 10.1.1.2 in the Start IP Address field.


b. Enter 10.1.1.2 in the End IP Address field.
c. Click Apply.
d. Enter 10.1.1.126 in the Start IP Address field, as shown in Figure 243.
e. Enter 10.1.1.126 in the End IP Address field.
f. Click Apply.
3. Configure the DHCP client (Router C).
# Enable the DHCP client on interface Ethernet 0/1.
• Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab and perform the following operations, as shown in Figure 244.

Figure 244 Enable the DHCP client on interface Ethernet 0/1

a. Select Ethernet0/1 in the Interface field.


b. Select the Client option in the Type field.
c. Click Apply.

Configuration guidelines
1. If multiple VLAN interfaces sharing one MAC address request IP addresses using DHCP, the DHCP
server cannot be a Windows 2000 server or a Windows 2003 server.
2. To remove a DHCP server group that is associated with multiple interfaces, first cancel the
associations.
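
The following added example (not HP's code and not part of the original guide) resolves the options a client receives from the parent and child pools of the DHCP server example, and checks the Forbidden IP Addresses entries of both examples against the pools they are meant to protect. The function names are hypothetical, and letting a child pool's own value take priority over an inherited one is an assumption.

```python
import ipaddress
from datetime import timedelta

# Values entered in the DHCP server example (Router A).
SERVER_POOLS = {
    "pool0": {"network": "10.1.1.0/24", "domain": "aabbcc.com", "dns": "10.1.1.2"},
    "pool1": {"network": "10.1.1.0/25", "lease": timedelta(days=10, hours=12),
              "gateway": "10.1.1.126"},
    "pool2": {"network": "10.1.1.128/25", "lease": timedelta(days=5),
              "gateway": "10.1.1.254"},
}
SERVER_FORBIDDEN = [("10.1.1.2", "10.1.1.2"), ("10.1.1.126", "10.1.1.126"),
                    ("10.1.1.254", "10.1.1.254")]

# Values entered in the DHCP relay agent example (DHCP server Router B).
RELAY_POOLS = {
    "pool1": {"network": "10.10.1.0/24", "lease": timedelta(days=7),
              "domain": "aabbcc.com", "gateway": "10.10.1.126",
              "dns": "10.10.1.2"},
}
RELAY_FORBIDDEN = [("10.1.1.2", "10.1.1.2"), ("10.1.1.126", "10.1.1.126")]


def effective_options(pools, addr):
    """Merge the options of every pool containing addr.

    Assumption: the most specific pool wins and wider pools only fill in
    options the narrower pool does not set (the inheritance described above).
    """
    ip = ipaddress.ip_address(addr)
    chain = []
    for name, pool in pools.items():
        net = ipaddress.ip_network(pool["network"])
        if ip in net:
            chain.append((net.prefixlen, name, pool))
    if not chain:
        return None
    chain.sort(key=lambda item: item[0], reverse=True)  # longest prefix first
    merged = {"pool": chain[0][1]}
    for _prefixlen, _name, pool in chain:
        for key, value in pool.items():
            if key != "network":
                merged.setdefault(key, value)
    return merged


def audit_exclusions(pools, forbidden):
    """Return (still_assignable, unused_exclusions).

    still_assignable: gateway/DNS addresses that lie inside a pool but are
    not covered by any forbidden range, so they could be leased to a client.
    unused_exclusions: forbidden ranges that overlap no configured pool.
    """
    nets = [ipaddress.ip_network(p["network"]) for p in pools.values()]
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
              for a, b in forbidden]

    in_use = set()
    for pool in pools.values():
        for key in ("gateway", "dns"):
            if key in pool:
                in_use.add(ipaddress.ip_address(pool[key]))

    still_assignable = [
        str(ip) for ip in sorted(in_use)
        if any(ip in net for net in nets)
        and not any(lo <= ip <= hi for lo, hi in ranges)
    ]
    unused = []
    for (start, end), (lo, hi) in zip(forbidden, ranges):
        blocks = ipaddress.summarize_address_range(lo, hi)
        if not any(block.overlaps(net) for block in blocks for net in nets):
            unused.append((start, end))
    return still_assignable, unused


if __name__ == "__main__":
    for address in ("10.1.1.4", "10.1.1.200"):
        print(address, effective_options(SERVER_POOLS, address))
    print("server example:", audit_exclusions(SERVER_POOLS, SERVER_FORBIDDEN))
    print("relay example: ", audit_exclusions(RELAY_POOLS, RELAY_FORBIDDEN))
```

An address reported as still assignable is a gateway or DNS server address that the pool could lease to a client, which would cause an address conflict with that service.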

Configuring ACL

The web interface provides the following ACL configuration functions:


• Configuring an IPv4 ACL
• Configuring a rule for a basic IPv4 ACL
• Configuring a rule for an advanced IPv4 ACL
• Configuring a rule for an Ethernet frame header ACL
An ACL is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as
source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules (for example, QoS
and IP routing) for traffic identification.
IPv4 ACLs fall into the following categories.
Table 112 IPv4 ACL categories

Category | ACL number | Match criteria
Basic ACLs | 2000 to 2999 | Source IPv4 address
Advanced ACLs | 3000 to 3999 | Source/destination IPv4 address, protocols over IPv4, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs | 4000 to 4999 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type

NOTE:
For more information about IPv4 ACL, see HP A-MSR Router Series ACL and QoS Configuration Guide.

Configuring an ACL
Configuration task list
Table 113 IPv4 ACL configuration task list

Task | Remarks
Creating an IPv4 ACL | Required. The category of the created ACL depends on the ACL number that you specify.
Configuring a rule for a basic IPv4 ACL | Required. Complete one of these tasks according to the ACL category.
Configuring a rule for an advanced IPv4 ACL | Required. Complete one of these tasks according to the ACL category.
Configuring a rule for an Ethernet frame header ACL | Required. Complete one of these tasks according to the ACL category.

Creating an IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Add tab to display
the IPv4 ACL configuration page, as shown in Figure 245.
Figure 245 The page for creating an IPv4 ACL

Table 114 Configuration

Item | Description
ACL Number | Set the number of the IPv4 ACL, which ranges from 2000 to 2999.
NOTE: You can create only basic ACLs (numbered from 2000 to 2999) in the web interface. However, the web interface can display the advanced ACLs and Ethernet frame header ACLs, and you can configure rules for these ACLs.
Match Order | Set the match order of the ACL. The following match orders are available:
• Config—Packets are compared against ACL rules in the ascending ACL rule ID order.
• Auto—Packets are compared against ACL rules in the depth-first match order, which ensures that any subset of a rule is always matched before the rule.
Description | Set the description for the ACL.

Return to "IPv4 ACL configuration task list."

Configuring a rule for a basic IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Basic Config tab to
display the rule configuration page for a basic IPv4 ACL, as shown in Figure 246.
Figure 246 The page for configuring a basic IPv4 ACL

Table 115 Configuration

Item | Description
ACL | Select the basic IPv4 ACL for which you want to configure rules. ACLs available for selection are basic IPv4 ACLs.
Rule ID | Select the Rule ID option, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action | Select the action to be taken on the IPv4 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Check Fragment | Select this option to apply the rule only to non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Check Logging | Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, action on the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
Source IP Address, Source Wildcard | Select the Source IP Address option, and enter a source IPv4 address and source wildcard, in dotted decimal notation.
Time Range | Select the time range during which the rule takes effect. The time ranges available for selection must be created in the CLI.

Return to "IPv4 ACL configuration task list."

Configuring a rule for an advanced IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Advanced Config
tab to display the rule configuration page for an advanced IPv4 ACL, as shown in Figure 247.

Figure 247 The page for configuring an advanced IPv4 ACL

Table 116 Configuration

Item | Description
ACL | Select the advanced IPv4 ACL for which you want to configure rules. You can create advanced IPv4 ACLs only in the CLI. For more information, see HP A-MSR Router Series ACL and QoS Configuration Guide. In addition, the system automatically generates advanced IPv4 ACLs when you configure advanced bandwidth limit and advanced bandwidth guarantee. For more information, see "Configuring QoS."
Rule ID | Select the Rule ID option, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action | Select the action to be performed for IPv4 packets matching the rule:
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
Non-First Fragments Only | Select this option to apply the rule to only non-first fragments. If you do not select this option, the rule applies to all fragments and non-fragments.
Logging | Select this option to keep a log of matched IPv4 packets. A log entry contains the ACL rule number, operation for the matched packets, protocol that IP carries, source/destination address, source/destination port number, and number of matched packets.
IP Address Filter: Source IP Address, Source Wildcard | Select the Source IP Address option and enter a source IPv4 address and source wildcard, in dotted decimal notation.
IP Address Filter: Destination IP Address, Destination Wildcard | Select the Source IP Address option and enter a source IP address and source wildcard, in dotted decimal notation.
Protocol | Select the protocol to be carried by IP. If you select 1 ICMP, you can configure the ICMP message type and code. If you select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.
ICMP Type: ICMP Message, ICMP Type, ICMP Code | Specify the ICMP message type and code. These items are available only when you select 1 ICMP from the Protocol dropdown list. If you select Other from the ICMP Message dropdown list, you must enter values in the ICMP Type and ICMP Code fields. Otherwise, the two fields take the default values, which cannot be changed.
TCP Connection Established | Select this option to make the rule match packets used for establishing and maintaining TCP connections. These items are available only when you select 6 TCP from the Protocol dropdown list. A rule with this item configured matches TCP connection packets with the ACK or RST flag.
TCP/UDP Port: Source, Destination | Select the operators, and enter the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol dropdown list. Different operators have different configuration requirements for the port number fields:
• Not Check—The following port number fields cannot be configured.
• Range—The following port number fields must be configured to define a port range.
• Other values—The first port number field must be configured and the second must not.
Precedence Filter: DSCP | Specify the DSCP priority.
Precedence Filter: TOS | Specify the ToS preference.
Precedence Filter: Precedence | Specify the IP precedence.
Time Range | Select the time range during which the rule takes effect.

Return to "IPv4 ACL configuration task list."

Configuring a rule for an Ethernet frame header ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree, and then click the Link Config tab to
display the rule configuration page for an Ethernet frame header IPv4 ACL, as shown in Figure 248.

Figure 248 The page for configuring a rule for an Ethernet frame header ACL

Table 117 Configuration

Item | Description
ACL | Select the Ethernet frame header IPv4 ACL for which you want to configure rules. You can create Ethernet frame header IPv4 ACLs only in the CLI. For more information, see HP A-MSR Router Series ACL and QoS Configuration Guide.
Rule ID | Select the Rule ID option, and enter a number for the rule. If you do not specify the rule number, the system assigns one automatically.
NOTE: If the rule number you specify already exists, the following operations modify the configuration of the rule.
Action | Select the action to be performed for IPv4 packets matching the rule.
• Permit—Allows matched packets to pass.
• Deny—Drops matched packets.
MAC Address Filter: Source MAC Address, Source Mask | Select the Source MAC Address option, and enter a source MAC address and wildcard.
MAC Address Filter: Destination MAC Address, Destination Mask | Select the Destination MAC Address option, and enter a destination MAC address and wildcard.
COS(802.1p priority) | Specify the 802.1p priority for the rule.
Type Filter: LSAP Type, LSAP Mask | Select the LSAP Type option, and specify the DSAP and SSAP fields in the LLC encapsulation by configuring the following items:
• LSAP Type—Indicates the frame encapsulation format.
• LSAP Mask—Indicates the LSAP wildcard.
Type Filter: Protocol Type, Protocol Mask | Select the Protocol Type option, and specify the link layer protocol type by configuring the following items:
• Protocol Type—Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
• Protocol Mask—Indicates the wildcard.
Time Range | Select the time range during which the rule takes effect.

Return to "IPv4 ACL configuration task list."

Configuration guidelines
When you configure an ACL, follow these guidelines:
1. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
2. You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.
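
The following added example (not HP's code and not part of the original guide) evaluates a basic IPv4 ACL under both match orders and lists rules that can never match because an earlier rule covers them. The rules are constructed sample values and the function names are hypothetical. A wildcard bit of 0 means the address bit must match, and the auto order is modeled on the assumption that the rule with fewer wildcard 1 bits comes first, with the rule ID as tie-breaker.

```python
import ipaddress


def _u32(dotted):
    """Dotted decimal notation to an unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


# Constructed rules for a basic ACL: (rule ID, action, source, source wildcard).
ACL_2000 = [
    (0, "permit", "192.168.0.0", "0.0.255.255"),
    (5, "deny", "192.168.1.0", "0.0.0.255"),
    (10, "permit", "192.168.1.10", "0.0.0.0"),
]


def rule_matches(rule, src):
    """Compare only the bits where the wildcard is 0."""
    _rule_id, _action, source, wildcard = rule
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(src) & care) == (_u32(source) & care)


def ordered(rules, match_order):
    """Return the rules in the order in which packets are compared."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r[0])            # ascending rule ID
    if match_order == "auto":
        # Assumption: narrower source range (fewer wildcard 1 bits) first.
        return sorted(rules, key=lambda r: (bin(_u32(r[3])).count("1"), r[0]))
    raise ValueError("match_order must be 'config' or 'auto'")


def evaluate(rules, match_order, src):
    """Return (rule ID, action) of the first matching rule, or None."""
    for rule in ordered(rules, match_order):
        if rule_matches(rule, src):
            return rule[0], rule[1]
    return None


def covers(outer, inner):
    """True if every source address matched by inner is matched by outer."""
    outer_care = ~_u32(outer[3]) & 0xFFFFFFFF
    same_bits = (_u32(inner[2]) & outer_care) == (_u32(outer[2]) & outer_care)
    return (_u32(inner[3]) & outer_care) == 0 and same_bits


def shadowed(rules, match_order):
    """List (rule ID, ID of the earlier rule that hides it)."""
    sequence = ordered(rules, match_order)
    found = []
    for index, rule in enumerate(sequence):
        for earlier in sequence[:index]:
            if covers(earlier, rule):
                found.append((rule[0], earlier[0]))
                break
    return found


if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, evaluate(ACL_2000, order, "192.168.1.20"),
              "shadowed:", shadowed(ACL_2000, order))
```

With these rules, the config order lets 192.168.1.20 through on rule 0 and never reaches the deny in rule 5, while the auto order applies the deny.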

Configuring QoS

The web interface provides the following QoS configuration functions:


• Configuring subnet limit
• Configuring advanced limit
• Configuring advanced queue
QoS is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
Generally, QoS focuses on improving services under certain conditions rather than grading services
precisely.
QoS evaluates the ability of the network to forward packets of different services. The evaluation can be
based on different criteria because the network may provide various services. Generally, QoS refers to
the ability to provide improved service by solving the core issues such as delay, jitter, and packet loss
ratio in the packet forwarding process.
Through the web interface, you can configure the following QoS features:
• Subnet limit
• Advanced limit
• Advanced queue

Subnet limit
Subnet limit enables you to regulate the specification of traffic entering or leaving a device based on
source/destination IP address. Packets conforming to the specification can pass through, and packets
exceeding the specification are dropped. In this way, the network resources are protected.

Advanced limit
Similar to subnet limit, advanced limit also implements traffic policing at the IP layer. They differ in that:
• Advanced limit can classify traffic based on time range, packet precedence, protocol type, and port
number, and it can provide more granular services.
• In addition to permitting traffic conforming to the specification to pass through, advanced limit can
also set IP precedence, DSCP value, and 802.1p priority for packets as required.

NOTE:
For more information about IP precedence, DSCP values, and 802.1p priority, see "Appendix packet
priorities."

Advanced queue
Advanced queue offers the following functions:
• Interface bandwidth limit—Uses token buckets for traffic control and limits the rate of transmitting
packets (including critical packets) on an interface. When limiting the rate of all packets on an
interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This is
because, working at the IP layer, the latter two functions do not take effect on packets not processed
by the IP layer.
• Bandwidth guarantee—When congestion occurs on a port, CBQ classifies packets into different
classes according to user-defined match criteria and assigns these classes to their queues. Before
assigning packets to a queue, CBQ performs bandwidth restriction check. When being dequeued,
packets are scheduled by WFQ.
Advanced queue applies only to outgoing packets of interfaces.

Configuring QoS
Configuring subnet limit
Select Advanced > QoS Setup > Subnet Limit from the navigation tree to display the page shown in Figure
249. Click Add to display the Subnet Limit Setting page, as shown in Figure 250.
Figure 249 Subnet limit

Figure 250 Subnet limit setting

Table 118 Configuration

Item | Description
Start Address, End Address | Set the address range of the subnet where rate limit is to be performed.
Interface | Specify the interface to which the subnet limit is to be applied.
CIR | Set the average traffic rate allowed.
Type | Set the rate limit method:
• Share—Limits the total rate of traffic for all IP addresses on the subnet and dynamically allocates bandwidth to an IP address based on traffic size.
• Per IP—Individually limits the rate of traffic of each IP address on the subnet to the configured rate.
Direction | Set the direction where the rate limit applies:
• Download—Limits the rate of incoming packets of the interface based on their destination IP addresses.
• Upload—Limits the rate of outgoing packets of the interface based on their source IP addresses.

Configuring advanced limit
Select Advanced > QoS Setup > Advanced Limit from the navigation tree to display the page shown
in Figure 251. Click Add to display the Advanced Limit Setting page, as shown in Figure 252.
Figure 251 Advanced limit

Figure 252 Advanced limit setting

Table 119 Configuration

Item | Description
Description | Configure a description for the advanced limit policy for management.
Interface | Specify the interface to which the advanced limit is to be applied.
Direction | Set the direction where the rate limit applies:
• Download—Limits the rate of incoming packets of the interface.
• Upload—Limits the rate of outgoing packets of the interface.
CIR | Set the average traffic rate allowed.
Remark Type | Specify the type of priority to be re-marked for packets conforming to the specification and allowed to pass through:
• None—Does not re-mark any priority of packets.
• 802.1p—Re-marks the 802.1p priority of packets and specifies the 802.1p priority value.
• IP—Re-marks the IP precedence of packets and specifies the IP precedence value.
• DSCP—Re-marks the DSCP of packets and specifies the DSCP value.
IP Address/Mask | Define a rule to match packets based on their IP addresses. Add multiple IP addresses/masks to the list box. Click Add or Delete to add or delete IP addresses/masks to/from the list box.
• When the direction Download is specified, the source IP address of packets is matched.
• When the direction Upload is specified, the destination IP address of packets is matched.
IP Precedence | Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for an advanced limit policy. The relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically.
DSCP | Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for an advanced limit policy. The relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. The defined DSCP values are displayed in ascending order automatically.
Inbound Interface | Define a rule to match packets received on the specified interface.
Time Range | Set the time range when the advanced limit policy takes effect. The begin-end time and days of the week are required to set.
Protocol Name | Define a rule to match packets based on their protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree, and click Load Application.
Custom Type (Source Port, Destination Port) | Define a rule to match packets based on self-defined protocol types. You should select the transport layer protocol type and set the source service port range and destination service port range.

Configuring advanced queue


To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with
PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for
these interfaces.

Configuring interface bandwidth


Select Advanced > QoS Setup > Advanced Queue from the navigation tree to display the Advanced Queue
page shown in Figure 253. Select an interface from the Interface Name list, and then configure and view
the CIR of the interface.
Figure 253 Advanced queue

Table 120 Configuration

Item | Description
Interface Name | Select the interface to configure.
Interface Bandwidth | Set the average traffic rate allowed for the interface. HP recommends that you configure the interface bandwidth to be smaller than the actual available bandwidth of a physical interface or logical link.
NOTE: If you have specified the interface bandwidth, the maximum interface bandwidth used for bandwidth check when CBQ queues packets is 1,000,000 kbps. If you have not specified the interface bandwidth, the maximum interface bandwidth varies by interface type according to these rules:
• If the interface is a physical one, the actual baud rate or rate applies.
• If the interface is T1/E1, MFR, or any other type of logical serial interface formed by timeslots or multiple links, the total bandwidth of all member channels/links applies.
• If the interface is a template interface, such as a VT interface, dialer interface, BRI interface, or PRI interface, 1,000,000 kbps applies.
• If the interface is a virtual interface of any other type (for example, a tunnel interface), 0 kbps applies.

Configure bandwidth guarantee


Select Advanced > QoS Setup > Advanced Queue from the navigation tree to display the Advanced Queue
page shown in Figure 253. In the Application Bandwidth area, all bandwidth guarantee policies are
displayed. Click Add to display the page for creating a bandwidth guarantee policy, as shown in Figure
254.

Figure 254 Create a bandwidth guarantee policy

Table 121 Configuration

Item | Description
Description | Configure a description for the bandwidth guarantee policy for management.
Queue Type | Set the service class queue type:
• EF—Provides absolutely preferential queue scheduling for the EF service to ensure low delay for real-time data traffic. In the meantime, by restricting bandwidth for high-priority traffic, it can overcome the disadvantage that some low-priority queues are not serviced.
• AF—Provides a highly precise bandwidth guarantee and queue scheduling on the basis of AF service weights for various AF services.
Interface | Specify the interface to which bandwidth guarantee is to be applied.
Bandwidth | Set the bandwidth guarantee for the queue:
• For the EF queue, the set bandwidth is the maximum bandwidth.
• For the AF queue, the set bandwidth is the minimum guaranteed bandwidth.
NOTE: The sum of the bandwidth specified in the bandwidth guarantee policies applied to an interface must be no greater than the available bandwidth of the interface.
IP Address/Mask | Define a rule to match packets based on their IP addresses. You can add multiple IP addresses/masks. Click Add or Delete to add or delete IP addresses/masks to/from the list box.
IP Precedence | Define a rule to match packets based on their IP precedence values. You can configure up to eight IP precedence values for a bandwidth guarantee policy. The relationship between the IP precedence values is OR. If the same IP precedence value is specified multiple times, the system considers them as one. The defined IP precedence values are displayed in ascending order automatically.
DSCP | Define a rule to match packets based on their DSCP values. You can configure up to eight DSCP values for a bandwidth guarantee policy. The relationship between the DSCP values is OR. If the same DSCP value is specified multiple times, the system considers them as one. After each configuration, the defined DSCP values are displayed in ascending order automatically.
Inbound Interface | Define a rule to match packets received on the specified interface.
Time Range | Set the time range when the bandwidth guarantee policy takes effect. The begin-end time and days of the week are required to set.
Protocol Name | Define a rule to match packets based on protocol types. The protocol types available for selection include the system-defined protocols and the protocols loaded through the P2P signature file. To load a P2P signature file, select Security Setup > Application Control from the navigation tree, and click Load Application.
Custom Type (Source Port, Destination Port) | Define a rule to match packets based on self-defined protocol types. You should select the transport layer protocol type and set the service source port range and destination port range.

QoS configuration examples


Subnet limit configuration example
Network requirements
As shown in Figure 255, limit the rate of packets leaving Ethernet 1/1 of Router.
Perform per-IP rate limiting for traffic sourced from Host A through Host Z, which are on the network
segments 2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.

Figure 255 Network diagram
[Diagram labels: Router with interfaces Eth1/1 and Eth1/2; Internet; Host A 2.1.1.1/8 through Host Z 2.1.1.100/8.]

Configuration procedure
# Configure the bandwidth limit settings for the network segment.
• Select Advanced > QoS Setup > Subnet Limit from the navigation tree, click Add on the displayed
page, and perform the following configurations as shown in Figure 256.
Figure 256 Configure subnet limit

a. Enter 2.1.1.1 in the Start Address field.


b. Enter 2.1.1.100 in the End Address field.
c. Select interface Ethernet 1/1.
d. Enter 5 in the CIR field.
e. Select Per IP for the Type field.
f. Select Upload for the Direction field.
g. Click Apply.
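
The following added example (not HP's code and not part of the original guide) models the subnet limit configured above to show how the Per IP and Share types differ for the same traffic. It assumes a token-bucket policer, 1 kbps = 1000 bit/s, and a burst size equal to one second of CIR. Share is modeled as a single bucket for the whole address range, which is a simplification. The traffic is constructed and the class and function names are hypothetical.

```python
import ipaddress


class TokenBucket:
    """Integer token bucket; tokens are kept in units of 1/1000 byte."""

    def __init__(self, cir_kbps, burst_bytes, now_ms):
        # Bytes per second, which equals 1/1000-byte units per millisecond.
        self.rate = cir_kbps * 1000 // 8
        self.burst = burst_bytes * 1000
        self.tokens = self.burst          # a new bucket starts full
        self.last_ms = now_ms

    def allow(self, now_ms, size_bytes):
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        cost = size_bytes * 1000
        if cost > self.tokens:
            return False                  # exceeds the specification: drop
        self.tokens -= cost
        return True


class SubnetLimit:
    """Upload direction: packets are matched on their source IP address."""

    def __init__(self, start, end, cir_kbps, mode, burst_bytes=None):
        self.lo = ipaddress.IPv4Address(start)
        self.hi = ipaddress.IPv4Address(end)
        self.cir_kbps = cir_kbps
        self.mode = mode                  # "per_ip" or "share"
        # Assumption: burst defaults to one second of traffic at CIR.
        self.burst = burst_bytes if burst_bytes is not None else cir_kbps * 1000 // 8
        self.buckets = {}

    def police(self, now_ms, src, size_bytes):
        ip = ipaddress.IPv4Address(src)
        if not self.lo <= ip <= self.hi:
            return True                   # outside the range: not limited here
        key = ip if self.mode == "per_ip" else "subnet"
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = TokenBucket(self.cir_kbps, self.burst, now_ms)
            self.buckets[key] = bucket
        return bucket.allow(now_ms, size_bytes)


def constructed_traffic():
    """(time in ms, source, size in bytes); sample values, not captured data."""
    packets = [(t, "2.1.1.1", 500) for t in range(0, 2000, 200)]   # busy host
    packets += [(100, "2.1.1.2", 500), (1100, "2.1.1.2", 500)]     # quiet host
    return sorted(packets)


def simulate(mode):
    """Return the number of packets passed per source address."""
    limit = SubnetLimit("2.1.1.1", "2.1.1.100", 5, mode)
    passed = {}
    for now_ms, src, size in constructed_traffic():
        passed.setdefault(src, 0)
        if limit.police(now_ms, src, size):
            passed[src] += 1
    return passed


if __name__ == "__main__":
    print("Per IP:", simulate("per_ip"))
    print("Share: ", simulate("share"))
```

In this model the quiet host keeps its own 5 kbps under Per IP, while under a single shared bucket the busy host consumes the tokens and the quiet host's packets are dropped.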

Advanced queue configuration example
Network requirements
As shown in Figure 257, the data traffic from Router C is classified into three classes based on DSCP
fields of IP packets.
Configure advanced queue to perform the following actions:
• Perform AF for traffic with the DSCP fields AF11 and AF22 (DSCP values 10 and 18), and set the
minimum bandwidth to 40 kbps.
• Perform EF for traffic with the DSCP field EF (DSCP value 46), and set the maximum bandwidth to
240 kbps.
Before performing the configuration, make sure of the following:
• The route from Router C to Router D through Router A and Router B is reachable.
• The DSCP fields have been set for the traffic before the traffic enters Router A.
Figure 257 Network diagram

Configuration procedure
1. Configure Router A.
# Perform AF for traffic with DSCP fields AF11 and AF21.
• Select Advanced > QoS Setup > Advanced Queue from the navigation tree, click Add on the
displayed page, and perform the following configurations shown in Figure 258.

Figure 258 Configure assured forwarding

a. Enter the description test-af.


b. Select AF (Assured Forwarding) in the Queue Type list.
c. Select interface Ethernet 0/0.
d. Enter 40 in the Bandwidth field.
e. Enter 10, 18 in the DSCP field.
f. Click Apply.
# Perform EF for traffic with DSCP field EF.

• Select Advance > QoS Setup > Advanced Queue from the navigation tree, click Add on the
displayed page, and perform the following configurations shown in Figure 259.
Figure 259 Configure expedited forwarding

a. Enter the description test-ef.


b. Select EF (Expedited Forwarding) in the Queue Type list.
c. Select interface Ethernet 0/0.
d. Enter 240 in the Bandwidth field.
e. Enter 46 in the DSCP field.
f. Click Apply.
After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in
the network.

Appendix packet priorities
IP precedence and DSCP values
Figure 260 DS field and ToS bytes

As shown in Figure 260, the ToS field of the IP header contains eight bits. The first three bits (0 to 2)
represent IP precedence from 0 to 7, and the subsequent four bits (3 to 6) represent a ToS value from 0 to
15. According to RFC 2474, the ToS field of the IP header is redefined as the DS field, where a DSCP
value is represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and
7) are reserved.
Table 122 Description of IP precedence

IP precedence (decimal) IP precedence (binary) Keyword


0 000 routine

1 001 priority

2 010 immediate

3 011 flash

4 100 flash-override

5 101 critical

6 110 internet

7 111 network

In a network that uses the Diff-Serv model, traffic is assigned to the following classes, and packets
are processed according to their DSCP values.
• EF class—The switch forwards the packets of this class without considering whether the link is shared
by other traffic. The class is suitable for preferential services requiring low delay, low packet loss,
low jitter, and high bandwidth.
• AF class—This class is divided into four subclasses (AF 1 to AF 4), each containing three drop
priorities for more granular classification. The QoS level of the AF class is lower than that of the EF
class.
• CS class—This class is derived from the IP ToS field and includes eight subclasses.
• BE class—This class is a special CS class that does not provide any assurance. AF traffic exceeding
the limit is degraded to the BE class. All IP network traffic belongs to this class by default.

Table 123 Description of DSCP values

DSCP value (decimal) DSCP value (binary) Keyword


46 101110 ef

10 001010 af11

12 001100 af12

14 001110 af13

18 010010 af21

20 010100 af22

22 010110 af23

26 011010 af31

28 011100 af32

30 011110 af33

34 100010 af41

36 100100 af42

38 100110 af43

8 001000 cs1

16 010000 cs2

24 011000 cs3

32 100000 cs4

40 101000 cs5

48 110000 cs6

56 111000 cs7

0 000000 be(default)

802.1p priority
802.1p priority lies in the Layer 2 packet header and applies to situations where Layer 3 header analysis
is not needed and QoS must be assured at Layer 2.
Figure 261 An Ethernet frame with an 802.1q tag header

As shown in Figure 261, the 4-byte 802.1q tag header consists of the tag protocol identifier (TPID, two
bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure
262 shows the format of the 802.1q tag header.

Figure 262 802.1q tag header

Table 124 Description of 802.1p priority

802.1p priority (decimal) 802.1p priority (binary) Keyword


0 000 best-effort

1 001 background

2 010 spare

3 011 excellent-effort

4 100 controlled-load

5 101 video

6 110 voice

7 111 network-management

The priority in the 802.1q tag header is called "802.1p priority" because its use is defined in IEEE
802.1p.
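
The bit layouts described in this appendix, as an added example (not part of the HP guide): a Python parser that reads the 802.1p priority from the 802.1q TCI and the IP precedence and DSCP from the ToS/DS byte, and derives the Table 123 keywords from the bit pattern. The frame bytes are constructed, and the split of the TCI into a 3-bit priority and a 12-bit VLAN ID follows IEEE 802.1Q, which the text above does not spell out.

```python
import struct

# Keywords from Table 122 (IP precedence) and Table 124 (802.1p priority).
PRECEDENCE = ["routine", "priority", "immediate", "flash",
              "flash-override", "critical", "internet", "network"]
DOT1P = ["best-effort", "background", "spare", "excellent-effort",
         "controlled-load", "video", "voice", "network-management"]


def dscp_keyword(dscp):
    """Derive the Table 123 keyword from a 6-bit DSCP value, or None."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0 to 63)")
    if dscp == 46:
        return "ef"
    if dscp == 0:
        return "be"
    cls, low = dscp >> 3, dscp & 0b111      # class bits, remaining three bits
    if low == 0:
        return f"cs{cls}"                   # csN = 8 * N
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"af{cls}{low >> 1}"         # afXY = 8 * X + 2 * Y
    return None                             # value not listed in Table 123


def classify_frame(frame):
    """Return the Layer 2 and Layer 3 priority markings of an Ethernet/IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    marks = {"dot1p": None, "dot1p_keyword": None, "vlan": None}
    if ethertype == 0x8100:                 # TPID of an 802.1q tag header
        if len(frame) < 18:
            raise ValueError("truncated 802.1q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        marks["dot1p"] = tci >> 13          # top 3 bits of the TCI
        marks["dot1p_keyword"] = DOT1P[tci >> 13]
        marks["vlan"] = tci & 0x0FFF        # low 12 bits of the TCI
        offset = 18
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 packet")
    if len(frame) < offset + 20:
        raise ValueError("truncated IPv4 header")
    tos = frame[offset + 1]                 # second byte of the IPv4 header
    marks["precedence"] = tos >> 5          # bits 0 to 2
    marks["precedence_keyword"] = PRECEDENCE[tos >> 5]
    marks["dscp"] = tos >> 2                # bits 0 to 5
    marks["dscp_keyword"] = dscp_keyword(tos >> 2)
    return marks


def build_sample_frame(dot1p, vlan, dscp):
    """Constructed test frame: zeroed MAC addresses, 802.1q tag, minimal IPv4 header."""
    tag = struct.pack("!HH", 0x8100, (dot1p << 13) | vlan)
    ipv4 = bytes([0x45, dscp << 2]) + bytes(18)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ipv4


if __name__ == "__main__":
    # Constructed marking: 802.1p priority 5, VLAN 100, DSCP 46 (EF).
    print(classify_frame(build_sample_frame(5, 100, 46)))
    # The two AF values entered in the advanced queue example (10 and 18).
    print(dscp_keyword(10), dscp_keyword(18))
```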

Configuring SNMP

Only the A-MSR20/30/50 series routers support this function.


For the A-MSR900/20-1X series routers, see "Configuring SNMP (lite version)."
SNMP is an Internet standard protocol widely used for an NMS to access and operate the devices
(SNMP agents) on a network, regardless of their vendors, physical characteristics, and interconnect
technologies.
SNMP enables network administrators to read and set the variables on managed devices to monitor their
operating and health state, diagnose network problems, and collect statistics for management purposes.
HP SNMP agents support these SNMP versions:
• SNMPv1—Uses password authentication to control access to SNMP agents. SNMPv1 passwords fall
into the categories of read-only passwords and read-and-write passwords.
A read-only password enables reading data from an SNMP agent.
A read-and-write password enables reading data and setting variables on an SNMP agent.
• SNMPv2c—Also uses password authentication for SNMP agent access control. It is compatible with
SNMPv1, but supports more operation modes, data types, and error codes.
• SNMPv3—Uses a USM to secure SNMP communication. You can configure authentication and
privacy mechanisms to authenticate access and encrypt SNMP packets for integrity, authenticity,
and confidentiality.
An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
For more information about SNMP, see HP A-MSR Router Series Network Management and Monitoring
Configuration Guide.

SNMP agent configuration


Configuration task list
Because configurations for SNMPv3 differ substantially from those for SNMPv1 and SNMPv2c, their
SNMP functionalities are introduced separately as follows.

Configuring SNMPv1 or SNMPv2c


Table 125 SNMPv1 or SNMPv2c configuration task list

Task Remarks
Enabling the SNMP agent function Required. The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations are
removed.

Configuring an SNMP view Optional. After creating SNMP views, you can specify an SNMP view for an
SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP community Required.

Configuring SNMP trap function Optional. Allows you to configure that the agent can send SNMP
traps to the NMS and configure information about the target host of the SNMP traps. By default,
an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics Optional.

Configuring SNMPv3
Table 126 SNMPv3 configuration task list

Task Remarks
Enabling the SNMP agent function Required. The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations are
removed.

Configuring an SNMP view Optional. After creating SNMP views, you can specify an SNMP view for an
SNMP group to limit the MIB objects that can be accessed by the SNMP group.

Configuring an SNMP group Required. After creating an SNMP group, you can add SNMP users to the
group when creating the users. Therefore, you can realize centralized management of users in the
group through the management of the group.

Configuring an SNMP user Required. Before creating an SNMP user, create the SNMP group to which
the user belongs.

Configuring SNMP trap function Optional. Allows you to configure that the agent can send SNMP
traps to the NMS and configure information about the target host of the SNMP traps. By default,
an agent is allowed to send SNMP traps to the NMS.

Displaying SNMP packet statistics Optional.

Enabling the SNMP agent function
Select Advanced > SNMP from the navigation tree to display the SNMP configuration page shown
in Figure 263. On the upper part of the page, you can select to enable or disable the SNMP agent
function and configure parameters such as SNMP version. On the lower part of the page, you can view
the SNMP statistics, which help you understand the running status of the SNMP after your configuration.
Figure 263 Set up

Table 127 Configuration

Item Description
SNMP Specify to enable or disable the SNMP agent function.

Local Engine ID Configure the local engine ID. The validity of a user after it is created depends
on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to
the current engine ID, the user is invalid.

Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive/send.

Contact Set a character string to describe the contact information for system maintenance. If the
device is faulty, the maintainer can contact the manufacturer according to the contact
information of the device.

Location Set a character string to describe the physical location of the device.

SNMP Version Set the SNMP version run by the system.
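
The Local Engine ID behaviour is consistent with how the SNMPv3 USM derives per-agent keys in RFC 3414: the key hashed from a user's password is hashed again together with the engine ID, so a key localized under one engine ID does not verify under another. The Python below is an added illustration, not HP's code; it assumes the agent stores standard localized keys, borrows the authkey password from this guide's SNMPv3 example, and uses constructed engine ID values.

```python
import hashlib
import hmac

# Constructed engine IDs (not taken from any device).
ENGINE_AT_CREATION = bytes.fromhex("8000000001aabbccdd01")
ENGINE_AFTER_CHANGE = bytes.fromhex("8000000001aabbccdd02")


def password_to_key(password, algo="md5"):
    """RFC 3414 A.2: hash the first 1,048,576 bytes of the repeated password (Ku)."""
    if not password:
        raise ValueError("empty password")
    reps, rest = divmod(1048576, len(password))
    return hashlib.new(algo, password * reps + password[:rest]).digest()


def localized_key(password, engine_id, algo="md5"):
    """RFC 3414 2.6: bind Ku to one agent, Kul = H(Ku || engineID || Ku)."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(key, message, algo="md5"):
    """HMAC-MD5-96 or HMAC-SHA-96: the first 12 bytes of the HMAC over the message."""
    return hmac.new(key, message, algo).digest()[:12]


def user_valid(password, engine_at_creation, current_engine, algo="md5"):
    """True if a message authenticated by the NMS verifies against the stored key.

    The agent keeps the key localized when the user was created; the NMS
    localizes the same password with the engine ID the agent reports now.
    """
    stored_key = localized_key(password, engine_at_creation, algo)
    nms_key = localized_key(password, current_engine, algo)
    message = b"constructed SNMPv3 message bytes"
    return hmac.compare_digest(auth_tag(stored_key, message, algo),
                               auth_tag(nms_key, message, algo))


if __name__ == "__main__":
    for algo in ("md5", "sha1"):            # the MD5 and SHA authentication modes
        same = user_valid(b"authkey", ENGINE_AT_CREATION, ENGINE_AT_CREATION, algo)
        changed = user_valid(b"authkey", ENGINE_AT_CREATION, ENGINE_AFTER_CHANGE, algo)
        print(algo, "engine ID unchanged:", same, "engine ID changed:", changed)
```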

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

Configuring an SNMP view


Select Advanced > SNMP from the navigation tree, and then click the View tab to display the page shown
in Figure 264.
Figure 264 View page

Creating an SNMP view


Click Add, and the Add View window appears, as shown in Figure 265. Enter the view name, and click
Apply to display the page shown in Figure 266.

Figure 265 Create an SNMP view (1)

Figure 266 Create an SNMP view (2)

Table 128 describes the configuration for creating an SNMP view. After configuring the parameters of a
rule, click Add to add the rule to the list box in the lower part of the page. After configuring all rules, click
Apply to create an SNMP view. The view is not created if you click Cancel.
Table 128 Configuration

Item Description
View Name Set the SNMP view name.

Rule Select to exclude or include the objects in the view range determined by the MIB subtree OID
and subtree mask.

MIB Subtree OID Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). MIB subtree
OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.

Subtree Mask Set the subtree mask. If no subtree mask is specified, the default subtree mask (all
Fs) is used for mask-OID matching.
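
How the Rule, MIB Subtree OID and Subtree Mask fields combine to decide whether an object is in a view, as an added Python example (not HP's code). It implements the view matching defined in RFC 3415 and assumes the device follows that standard and takes the mask as a hex string; the rule sets are constructed, using the standard interfaces (1.3.6.1.2.1.2) and system (1.3.6.1.2.1.1) subtrees.

```python
from collections import namedtuple

# One rule of a view: the Rule, MIB Subtree OID and Subtree Mask fields of Table 128.
ViewRule = namedtuple("ViewRule", "included subtree mask")


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """Expand a hex mask to one bit per sub-identifier; missing bits count as 1."""
    bits = []
    if mask_hex:
        for byte in bytes.fromhex(mask_hex):
            bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return (bits + [1] * length)[:length]


def rule_matches(rule, oid):
    """An OID falls under a rule if every sub-identifier with mask bit 1 is equal."""
    subtree = parse_oid(rule.subtree)
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(rule.mask, len(subtree))
    return all(bit == 0 or got == want
               for got, want, bit in zip(oid, subtree, bits))


def in_view(rules, oid_text):
    """Apply the most specific matching rule; an OID matching no rule is not in the view."""
    oid = parse_oid(oid_text)
    matching = [rule for rule in rules if rule_matches(rule, oid)]
    if not matching:
        return False
    # Longest subtree wins; ties go to the lexicographically greater subtree.
    best = max(matching,
               key=lambda r: (len(parse_oid(r.subtree)), parse_oid(r.subtree)))
    return best.included


# Constructed views.
VIEW_IF = [ViewRule(True, "1.3.6.1.2.1.2", None)]                 # whole interfaces subtree
VIEW_IF_NO_ADMIN = VIEW_IF + [
    ViewRule(False, "1.3.6.1.2.1.2.2.1.7", None)]                 # minus the ifAdminStatus column
# Mask FFA0 = 11111111 101...: the 10th sub-identifier (the column) is a wildcard,
# the 11th (ifIndex 2) must match, so the view holds every column of one row.
VIEW_ROW_2 = [ViewRule(True, "1.3.6.1.2.1.2.2.1.0.2", "FFA0")]

if __name__ == "__main__":
    checks = [
        (VIEW_IF, "1.3.6.1.2.1.2.2.1.2.1"),            # ifDescr.1
        (VIEW_IF, "1.3.6.1.2.1.1.1.0"),                # sysDescr.0
        (VIEW_IF_NO_ADMIN, "1.3.6.1.2.1.2.2.1.7.1"),   # ifAdminStatus.1
        (VIEW_ROW_2, "1.3.6.1.2.1.2.2.1.8.2"),         # ifOperStatus.2
        (VIEW_ROW_2, "1.3.6.1.2.1.2.2.1.8.3"),         # ifOperStatus.3
    ]
    for rules, oid in checks:
        print(oid, "in view" if in_view(rules, oid) else "not in view")
```

The same check applies whichever way the view is bound: to a community, or as the read, write or notify view of a group.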

Adding rules to an SNMP view

Click the icon corresponding to the specified view on the page, as shown in Figure 264. The Add rule
for the view ViewDefault window appears, as shown in Figure 267. After configuring the parameters,
click Apply to add the rule for the view. Table 128 describes the configuration for creating an SNMP
view.
Figure 267 Add rules to an SNMP view

NOTE:
You can also click the icon corresponding to the specified view on the page shown in Figure 264, and
then you can display the page to modify the view.

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

Configuring an SNMP community


Select Advanced > SNMP from the navigation tree, then click the Community tab to display the page
shown in Figure 268. Click Add to display the Add SNMP Community page, as shown in Figure 269.
Figure 268 Configure an SNMP community

Figure 269 Create an SNMP Community

Table 129 Configuration

Item Description
Community Name Set the SNMP community name.

Access Right Configure SNMP NMS access right:
• Read only—The NMS can perform read-only operations to the MIB objects when it uses this
community name to access the agent.
• Read and write—The NMS can perform both read and write operations to the MIB objects when it
uses this community name to access the agent.

View Specify the view associated with the community to limit the MIB objects that can be accessed
by the NMS.

ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the
NMS with the specified source IP address.

Return to "SNMPv1 or SNMPv2c configuration task list."

Configuring an SNMP group


Select Advanced > SNMP from the navigation tree, then click the Group tab to display the page shown
in Figure 270. Click Add to display the Add SNMP Group page, as shown in Figure 271.

Figure 270 SNMP group

Figure 271 Create an SNMP group

Table 130 Configuration

Item Description
Group Name Set the SNMP group name.

Security Level Select the security level for the SNMP group:
• NoAuth/NoPriv—No authentication no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
NOTE: The security level for an existing SNMP group cannot be modified.

Read View Select the read view of the SNMP group.

Write View Select the write view of the SNMP group. If no write view is configured, the NMS cannot
perform the write operations to all MIB objects on the device.

Notify View Select the notify view of the SNMP group (the view that can send trap messages). If no
notify view is configured, the agent does not send traps to the NMS.

ACL Associate a basic ACL with the group to restrict the source IP address of SNMP packets. You
can configure to allow or prohibit SNMP packets with a specific source IP address in order to
restrict the intercommunication between the NMS and the agent.

Return to "SNMPv3 configuration task list."

Configuring an SNMP user


Select Advanced > SNMP from the navigation tree, and then click the User tab to display the page shown
in Figure 272. Click Add to display the Add SNMP User page, as shown in Figure 273.
Figure 272 SNMP user

Figure 273 Create an SNMP user

Table 131 Configuration

Item Description
User Name Set the SNMP user name.

Security Level Select the security level for the SNMP group:
• NoAuth/NoPriv—No authentication no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.

Group Name Select an SNMP group to which the user belongs.
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no
authentication/no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no
authentication/no privacy or authentication without privacy.
• When the security level is Auth/Priv, you can select an SNMP group of any security level.

Authentication Mode Select an authentication mode (including MD5 and SHA) when the security level
is Auth/NoPriv or Auth/Priv.

Authentication Password Set the authentication password when the security level is Auth/NoPriv or
Auth/Priv.

Confirm Authentication Password The confirm authentication password must be the same as the
authentication password.

Privacy Mode Select a privacy mode (including DES56, AES128, and 3DES) when the security level is
Auth/Priv.

Privacy Password Set the privacy password when the security level is Auth/Priv.

Confirm Privacy Password The confirm privacy password must be the same as the privacy password.

ACL Associate a basic ACL with the user to restrict the source IP address of SNMP packets. You can
configure to allow or prohibit SNMP packets with a specific source IP address in order to allow
or prohibit the specified NMS to access the agent by using this user name.

Return to "SNMPv3 configuration task list."

Configuring SNMP trap function


Select Advanced > SNMP from the navigation tree, and then click the Trap tab to display the page shown
in Figure 274. On the upper part of the page, you can select to enable the SNMP trap function. On the
lower part of the page, you can configure target hosts of the SNMP traps. Click Add to display the Add
Trap Target Host page, as shown in Figure 275.
Figure 274 Traps configuration

Figure 275 Add a target host of SNMP traps

Table 132 Configuration

Item Description

Destination IP Address Set the destination IP address. Select the IP address type: IPv4/domain
name, or IPv6, and then enter the corresponding IP address in the field according to the IP
address type.

Security Name Set the security name:
• An SNMPv1 community name
• An SNMPv2c community name
• An SNMPv3 user name

UDP Port Set UDP port number.
NOTE: The default port number is 162, which is the SNMP-specified port used for receiving traps on
the NMS. Generally (such as when using iMC or MIB Browser as the NMS), you can use the default
port number. To change this parameter to another value, make sure that the configuration is the
same as that on the NMS.

Security Model Select the security model (the SNMP version).
NOTE: The security model must be the same as that running on the NMS. Otherwise, the NMS cannot
receive any traps.

Security Level Set the authentication and privacy mode for SNMP traps when the security model is
selected as v3. The available security levels are: no authentication no privacy, authentication
but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model
list, the Security Level can only be no authentication no privacy, and it cannot be modified.

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

Displaying SNMP packet statistics


Select Advanced > SNMP from the navigation tree to display the Setup tab page. On the lower part of the
page, you can view the SNMP statistics, as shown in Figure 276.
Figure 276 SNMP statistics

Return to "SNMPv1 or SNMPv2c configuration task list" or "SNMPv3 configuration task list."

SNMP configuration example
SNMPv1 or SNMPv2c configuration example
Network requirements
As shown in Figure 277, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the SNMP
agent at 1.1.1.1/24, and the agent automatically sends traps to report events to the NMS.
Figure 277 Network diagram

Configuring the agent


# Enable SNMP.
• Select Advanced > SNMP from the navigation tree to display the Setup page. Perform the following
configurations, as shown in Figure 278.

Figure 278 Enable SNMP

a. Select the Enable option.


b. Set the SNMP version to both v1 and v2c.
c. Click Apply.
# Configure an SNMP community.
• Click the Community tab, and then click Add. Perform the following configurations, as shown
in Figure 279.

Figure 279 Configure SNMP community named public

a. Enter public in the field of Community Name.


b. Select Read only from the Access Right list.
c. Click Apply.
• Click the Community tab, and then click Add. Perform the following configurations, as shown
in Figure 280.
Figure 280 Configure SNMP community named private

a. Enter private in the field of Community Name.


b. Select Read and write from the Access Right list.
c. Click Apply.

# Enable Agent to send SNMP traps.
• Click the Trap tab, and perform the following configurations, as shown in Figure 281.
Figure 281 Enable Agent to send SNMP traps

a. Select the Enable SNMP Trap checkbox.


b. Click Apply.

# Add target hosts of SNMP traps.


• On the Trap tab page, click Add, and perform the following configurations, as shown in Figure 282.
Figure 282 Add target hosts of SNMP traps

a. Select IPv4/Domain for Destination IP address type.


b. Enter the destination address 1.1.1.2.

c. Enter the security username public.
d. Select v1 from the Security Model list. (This configuration must be the same as that running on the
NMS. Otherwise, the NMS cannot receive any traps.)
e. Click Apply.

Configuring the NMS


The configuration on NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
With SNMPv1 or SNMPv2c, set both the read password and the read-and-write password on the NMS. Also,
configure the aging time and retry times. You can inquire about and configure the device through the
NMS. For more information about NMS configuration, see the manual provided for NMS.

Verifying the configuration


• After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can obtain and configure the values of some parameters on the agent through MIB nodes.
• Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding trap.

SNMPv3 configuration example


Network requirements
As shown in Figure 283, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface
status of the agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS.
The NMS and the agent perform authentication when they set up an SNMP session. The authentication
algorithm is MD5, and the authentication key is authkey. The NMS and the agent also encrypt the SNMP
packets between them by using the DES algorithm and the privacy key prikey.
Figure 283 Network diagram (labels: Agent 1.1.1.1/24, NMS 1.1.1.2/24)

Configure the agent


# Enable SNMP.
• Select Advanced > SNMP from the navigation tree to display the Setup page. Perform the following
configurations, as shown in Figure 284.

Figure 284 Enable SNMP

a. Select the Enable option.


b. Set the SNMP version to v3.
c. Click Apply.
# Configure an SNMP view.
• Click the View tab, and then click Add. Perform the following configurations, as shown in Figure
285.

Figure 285 Set the name of the view to be created

• Enter view1 in the View Name field.


• Click Apply to display the page for view1. Perform the following configurations, as shown in Figure
286.
Figure 286 Add a view named view1

a. Select the Included option.


b. Enter the MIB subtree OID interfaces.
c. Click Add.
d. Click Apply. A configuration progress dialog box appears, as shown in Figure 287.

Figure 287 Configuration progress dialog box

• After the configuration process is complete, click Close.


# Configure an SNMP group.
• Click the Group tab, and then click Add. Perform the following configurations, as shown in Figure
288.
Figure 288 Configure an SNMP group

a. Enter group1 in the Group Name field.


b. Select NoAuth/NoPri from the Security Level list.
c. Select view1 from the Read View list.
d. Select v3 from the Security Level list.
e. Click Apply.

# Configure an SNMP user.

• Click the User tab, and then click Add. Perform the following configurations, as shown in Figure
289.
Figure 289 Configure an SNMP user

a. Enter user1 in the User Name field.


b. Select NoAuth/NoPri from the Security Level list.
c. Select group1 (NoAuth/NoPri) from the Group Name list.
d. Click Apply.

# Enable Agent to send SNMP traps.


• Click the Trap tab, and perform the following configurations, as shown in Figure 290.

Figure 290 Add target hosts of SNMP traps

a. Select the Enable SNMP Trap checkbox.


b. Click Apply.

# Add target hosts of SNMP traps.


• On the Trap tab page, click Add and perform the following configurations, as shown in Figure 291.
Figure 291 Add target hosts of SNMP traps

a. Select the destination IP address type as IPv4/Domain.


b. Enter the destination address 1.1.1.2.
c. Enter the user name user1.
d. Select v3 from the Security Model list.

e. Click Apply.

Configure the NMS


The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
SNMPv3 adopts a security mechanism of authentication and privacy. Configure username and security
level. According to the configured security level, configure the related authentication mode,
authentication password, privacy mode, privacy password, and so on.
Also, configure the aging time and retry times. After the above configurations, you can configure the
device as needed through the NMS. For more information about NMS configuration, see the manual
provided for NMS.

Verifying the configuration


• After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can obtain and configure the values of some parameters on the agent through MIB nodes.
• Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding trap.

Configuring bridging

Through the web interface, you can configure the following transparent bridging functions:
• Enabling a bridge set
• Adding an interface to a bridge set
A bridge is a store-and-forward device that connects and transfers traffic between LAN segments at the
data-link layer. In some small-sized networks, especially those with dispersed distribution of users, the use
of bridges can reduce the network maintenance costs, without requiring the end users to perform special
configurations on the devices.
In applications, the following major kinds of bridging technologies apply: transparent bridging, SRB,
translational bridging, and SR/TLB. The devices support only transparent bridging.
Transparent bridging bridges LAN segments of the same physical media type, primarily in Ethernet
environments. A transparent bridging device keeps a bridge table, which contains mappings between
destination MAC addresses and outbound interfaces.

NOTE:
For more information about transparent bridging, see HP A-MSR Router Series Layer 2—WAN
Configuration Guide.

Configuring bridging
Configuration task list
Table 133 Basic bridging configuration task list

Task Remarks
Enabling a bridge set Required. No bridge set is enabled by default.

Adding an interface to a bridge set Required. An interface is not in any bridge set by default.

Enabling a bridge set


Select Advanced > Bridge from the navigation tree to display the Global config page, as shown in Figure
292.

Figure 292 Global config

Table 134 Configuration

Item Remarks
Bridge Group id Set the ID of the bridge set to enable.

Return to "Basic bridging configuration task list."

Adding an interface to a bridge set


Select Advanced > Bridge from the navigation tree, and then click the Config interface tab to display the
page shown in Figure 293.

Figure 293 Configure interface

Table 135 Configuration

Item Remarks
Interface Select the interface to configure.

Bridge Group Set the ID of the bridge set to add the interface to.

VLAN Transmit Enable or disable VLAN transparency on the interface.
NOTE:
• HP recommends that you do not enable this function on a subinterface.
• A VLAN interface does not support this function.

Return to "Basic bridging configuration task list."

Bridging configuration example


Network requirements
As shown in Figure 294, the trunk ports of Switch A and of Switch B are assigned to the same VLAN.
Enable VLAN transparency on Ethernet interfaces of the two routers, so that the two office areas can
communicate within the same VLAN.

Figure 294 Network diagram

Configuration procedure
1. Configure Router A.
# Enable bridge set 2.
• Select Advanced > Bridge from the navigation tree to display the Global config page. Perform
configurations on the page, as shown in Figure 295.
Figure 295 Enable bridge set 2

a. Enter 2 as the bridge group ID.


b. Click Apply.

# Assign Ethernet 1/1 to bridge set 2, and enable VLAN transparency.


• Click the Config interface tab, and perform configurations on the page, as shown in Figure 296.

Figure 296 Assign Ethernet 1/1 to bridge set 2 and enable VLAN transparency

a. Select Ethernet1/1 from the Interface list.


b. Select 2 from the Bridge Group list.
c. Select Enable from the VLAN Transmit list.
d. Click Apply.

# Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency.


Figure 297 Assign Ethernet 1/2 to bridge set 2 and enable VLAN transparency

a. As shown in Figure 297, select Ethernet1/2 from the Interface list.


b. Select 2 from the Bridge Group list.

c. Select Enable from the VLAN Transmit list.
d. Click Apply.
2. Configure Router B.
Configure Router B in the same way that you configured Router A.

Configuring user groups

You can define the hosts to be managed in the LAN as users and then add them to a user group, so that
you can perform access control, application control, bandwidth control, and packet filtering on a per user
group basis.
• Access control—Allows you to deny access from hosts during specific time ranges. All data packets
matching these criteria are denied access to the Internet.
• Application control—Allows you to restrict access to a specific application or protocol (such as
Telnet, DNS, SIP, HTTP, and so on) in the Internet from users in a user group. You can perform
application control based on a user group or all users. For more information about application
control, see "Configuring application control."
• Bandwidth control—Allows you to control the bandwidth consumption based on user group. It
evaluates traffic with token buckets and drops the unqualified packets, controlling bandwidth
utilization.
• Packet filtering—Allows you to filter packets that match specific criteria, such as the protocol,
destination IP address, source port, and destination port on a per user group basis.

Configuration task list


Table 136 User group configuration task list

Task Remarks
Configuring a user group Required. By default, no user groups are configured.

Configuring a user Required. Add users to the user group. By default, a user group has no users.

Configuring access control
Configuring application control
Configuring bandwidth control
Configuring packet filtering
Required. Use at least one of the approaches. By default, a user group has no service configured.

Synchronizing user group configuration for WAN interfaces Optional. If a WAN interface is added or
a non-WAN interface becomes a WAN interface after the user or user group is configured,
synchronize the user group configuration to the WAN interface.
NOTE: Make sure that at least one user group is in the system before synchronization.

Configuring a user group
Select Advanced > Security > Usergroup from the navigation tree. The group configuration page appears,
as shown in Figure 298.
Figure 298 User group configuration

Table 137 Configuration item

Item Description
User Group Name Set the name of the group to be added. The group name is a character string
beginning with letters. The string cannot contain a question mark (?) or a space.

Return to "User group configuration task list."

Configuring a user
Select Advanced > Security > Usergroup from the navigation tree, and then click the User tab to display
the page for configuring users, as shown in Figure 299.

Figure 299 User configuration

Table 138 Configuration

Item Description
Please select a user group Select the group to add users to.

Add Mode Set the mode in which the users are added:
• Static—In this mode, enter the username and IP address manually in the following fields.
• Dynamic—The system displays all devices connected with the device for you to select.

Username Set the username.
• In static add mode, specify the username manually.
• In dynamic add mode, the system automatically generates a username.

IP Address Set the IP address.
• In static add mode, specify the IP address manually.
• In dynamic add mode, the system automatically obtains the IP addresses and MAC addresses of the
devices connecting to the device for you to select.

Return to "User group configuration task list."

Configuring access control


Select Advanced > Security > Connect Control from the navigation tree to display the configuration page
shown in Figure 300.

Figure 300 Access control configuration

Table 139 Configuration

Item Description
Please select a user group Select a user group for access control. When there is more than one
user group, the option all is available. Selecting all means that the access control
configuration applies to all user groups.

Days, Time Set the time range in which access to the Internet is denied.

Return to "User group configuration task list."

Configuring application control


Select Advanced > Security > Application Control from the navigation tree to display the page shown
in Figure 301.

Figure 301 Application control

Table 140 Configuration

Item Description
Please select a user group Select a user group for application control. When there is more than
one user group, the option all is available. Selecting all means that the application control
configuration applies to all user groups.

Please select applications to deny Select the applications and protocols to be controlled:
• Loaded applications—Applications contained in the loaded signature file. To load a signature
file, select Security > Application Control.
• Predefined applications
• Custom applications—To customize applications, select Security > Application Control.

Return to "User group configuration task list."

Configuring bandwidth control


After logging into the web interface, select Advanced > Security > Band Width from the navigation tree to
display the bandwidth control configuration page, as shown in Figure 302.

Figure 302 Bandwidth control configuration

Table 141 Configuration

Item: Description

Please select a user group: Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all user groups.

CIR: Set the CIR (the permitted average rate of traffic).

CBS: Set the CBS. CBS is the capacity of the token bucket (the maximum traffic size that is permitted in each burst). The CBS value must be greater than the maximum packet size.
NOTE:
By default, the CBS is the number of bytes transmitted in 500 ms at the rate of CIR. If the number exceeds the value range, the allowed maximum or minimum value is adopted.
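The relationship between CIR and CBS, as an added example that is not HP code: a single token bucket that refills at the CIR and holds at most CBS bytes, which shows why the CBS must exceed the maximum packet size. It assumes the CIR is entered in kbps (as in the configuration example in this chapter) and that non-conforming packets are dropped; the function and class names and the sample traffic are constructed for illustration.

```python
"""Single token bucket policer: the CIR refills the bucket, the CBS caps it."""


def default_cbs_bytes(cir_kbps):
    """Bytes transmitted in 500 ms at the CIR (the default described above).

    Clamping to the device's allowed value range is not modeled here,
    because the range itself is not given.
    """
    return cir_kbps * 1000 // 8 // 2


class TokenBucket:
    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8   # refill rate in bytes per second
        self.cbs = cbs_bytes              # bucket capacity in bytes
        self.tokens = float(cbs_bytes)    # the bucket starts full
        self.last = 0.0                   # time of the previous packet

    def conforms(self, now, size):
        """Refill for the elapsed time, then admit the packet if tokens suffice."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                      # assumption: excess traffic is dropped


def police(cir_kbps, cbs_bytes, arrivals):
    """arrivals: list of (time in seconds, packet size in bytes), in time order."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    return [bucket.conforms(t, size) for t, size in arrivals]


if __name__ == "__main__":
    # Constructed traffic: 1500-byte packets against the 8 kbps staff rate.
    cbs = default_cbs_bytes(8)            # 500 bytes
    # A bucket that can never hold 1500 bytes rejects every full-size packet,
    # however long the sender waits between them.
    print(cbs, police(8, cbs, [(0.0, 1500), (60.0, 1500)]))
    # With a CBS above the packet size, a burst passes and then the CIR governs.
    print(police(8, 3000, [(0.0, 1500), (0.0, 1500), (0.0, 1500), (1.5, 1500)]))
```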

Return to "User group configuration task list."

Configuring packet filtering


Select Advanced > Security > Packet Filter from the navigation tree to display the Packet Filter page, as
shown in Figure 303.

Figure 303 Packet filtering configuration

Table 142 Configuration

Item: Description

Please select a user group: Select a user group that the packet filtering is to be applied to. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all user groups.

Protocol: Select a protocol carried by IP.

Destination IP Address, Destination Wildcard: Set the destination IP address and wildcard mask.

Source Port (Operator, Port, ToPort): Configure the source port for TCP/UDP packets. When you select 6 TCP or 17 UDP as the protocol, these parameters are configurable.
• If you select NotCheck as the operator, port numbers are not checked, and no ports need to be specified.
• If you select Range as the operator, specify both start and end ports to define a port range.
• If you select another option as the operator, only a start port must be specified.

Destination Port (Operator, Port, ToPort): Configure the destination port of TCP/UDP packets. When you select 6 TCP or 17 UDP as the protocol, these parameters are configurable.
• If you select NotCheck as the operator, port numbers are not checked, and no ports need to be specified.
• If you select Range as the operator, specify both start and end ports to define a port range.
• If you select another option as the operator, only a start port must be specified.

Return to "User group configuration task list."

Synchronizing user group configuration for WAN interfaces


Select Advanced > Security > Usergroup from the navigation tree, and then click the WAN
Synchronization tab to display the page for user group configuration synchronization, as shown in Figure
304.
Click the Sync button to synchronize the user group configuration for WAN interfaces.
Figure 304 User group configuration synchronization

Return to "User group configuration task list."

User group configuration example


Network requirements
As shown in Figure 305, the Router connects the intranet to the Internet. Host A is used by the Manager.
Host B, Host C, and Host D are used by common users. On Router, do the following:
• Configure access control so that access from common users to the Internet during work time (9:00 to
18:00 from Monday through Friday) is denied, while access from the Manager is allowed.
• Configure application control so that access from common users to MSN application is denied,
while access from the Manager is allowed.
• Configure the maximum average rate of Internet access as 8 kbps for common users and 54 kbps
for the Manager.
• Configure packet filtering so that access to the server at the address 2.2.2.1 from common users is
denied.

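Figure 305 Network diagram
(Diagram labels: Router interface Eth1/0, 192.168.1.1/24, with the Router also connected to the Internet; Host A, used by the Manager, IP 192.168.1.11/24; Host B, IP 192.168.1.12/24; Host C, 192.168.1.13/24; Host D, 192.168.1.14/24. The diagram also carries the label MAC: 0015-e9ac-2def in the Host A and Host B area.)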

Configuration procedure
# Create user groups staff (for common users) and manager (for the Manager).
• Select Advanced > Security > Usergroup to display the group configuration page. Perform the
configurations shown in Figure 306.
Figure 306 Create user groups staff and manager

a. Enter staff as a user group name.


b. Click Apply.
c. Enter manager as a user group name.
d. Click Apply.

# Add users to user groups.


• Select Advanced > Security > Usergroup, and then click the User tab. Perform the configurations
shown in Figure 307.

Figure 307 Add users to user group staff

a. Select staff from the user group list.


b. Select Dynamic as the add mode. The following area then displays the IP addresses and MAC
addresses of all hosts in the intranet that connects to the Router.
c. Select the entries of Host B, Host C, and Host D.
d. Click Apply. A configuration progress dialog box appears, as shown in Figure 308.

Figure 308 Configuration progress dialog box

• After the configuration process is complete, click Close.
Figure 309 Add users to user group manager

a. Select manager from the user group list.


b. Select Static for Add Mode.
c. Enter hosta as the username.
d. Enter 192.168.1.11 as the IP address.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.
# Configure access control for user group staff.
• Select Advanced > Security > Connect Control, and perform the configurations shown in Figure 310.

Figure 310 Configure access control for user group staff

a. Select staff from the user group list.


b. Select the checkboxes for Monday through Friday.
c. Specify 09:00 as the start time.
d. Specify 18:00 as the end time.
e. Click Apply. A configuration progress dialog box appears.
f. After the configuration process is complete, click Close.
# Load the application control file (assume the signature file is stored on the device).
• Select Security Setup > Application Control from the navigation tree, and then click the Load
Application tab. Perform the configurations shown in Figure 311.

Figure 311 Load the application control file

a. Select the From Device option, and select file p2p_default.


b. Click Apply. MSN then appears in the loaded applications list on the lower part of the
page.
# Configure application control for user group staff.
• Select Advanced > Security > Application Control from the navigation tree, and perform the
configurations shown in Figure 312.
Figure 312 Configure application control to user group staff

a. Select staff from the user group list.


b. Select MSN from the Loaded Applications area.
c. Click Apply. A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.

# Configure bandwidth control for user groups staff and manager.


• Select Advanced > Security > Band Width, and then perform the configurations shown in Figure
313.

Figure 313 Configure bandwidth control to user groups staff and manager

a. Select the staff user group.


b. Enter 8 for the CIR.
c. Click Apply. A configuration progress dialog box appears.
d. After the configuration process is complete, click Close.
e. Select the manager user group.
f. Enter 54 for the CIR.
g. Click Apply. A configuration progress dialog box appears.
h. After the configuration process is complete, click Close.

# Configure packet filtering for user group staff.


• Select Advanced > Security > Packet Filter, and then perform the configurations shown in Figure
314.

Figure 314 Configure packet filtering for user group staff

a. Select staff from the user group list.


b. Select IP as the protocol.
c. Select the Destination IP Address checkbox.
d. Enter 2.2.2.1 as the destination IP address.
e. Enter 0.0.0.0 as the destination wildcard.
f. Click Apply. A configuration progress dialog box appears.
g. After the configuration process is complete, click Close.

Configuring MSTP

This feature is available only on the A-MSR20/30/50 routers.


As a Layer 2 management protocol, STP eliminates Layer 2 loops by selectively blocking redundant links
in a network, while still allowing for link redundancy.
Like many other protocols, STP evolves as the network grows. The later versions of STP are RSTP and
MSTP. This chapter describes the characteristics of STP, RSTP, and MSTP.
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a
LAN. Devices running this protocol detect loops in the network by exchanging information with one
another, and they eliminate loops by selectively blocking certain ports to prune the loop structure into a
loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in a loop
network and prevents decreased performance of network devices caused by duplicate packets received.
In the narrow sense, STP refers to the IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

Protocol Packets of STP


STP uses BPDUs (also known as "configuration messages") as its protocol packets.
STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the network devices to complete spanning tree calculation.
In STP, BPDUs have the following types:
• Configuration BPDUs—Used for calculating a spanning tree and maintaining the spanning tree
topology.
• TCN BPDUs—Used for notifying the concerned devices of network topology changes, if any.

Basic Concepts in STP


Root bridge
A tree network must have a root bridge.
There is only one root bridge in the entire network. The root bridge is not fixed, but can change along
with changes of the network topology.
Upon initialization of a network, each device generates and sends out BPDUs periodically with itself as
the root bridge. After network convergence, only the root bridge generates and sends out configuration
BPDUs at a certain interval, and the other devices just forward BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for
communication with the root bridge. Each non-root bridge has one and only one root port. The root
bridge has no root port.
Designated bridge and designated port

Table 143 Description of designated bridges and designated ports

For a device
• Designated bridge: A device directly connected to the local device and responsible for forwarding BPDUs to the local device.
• Designated port: The port through which the designated bridge forwards BPDUs to the local device.

For a LAN
• Designated bridge: The device responsible for forwarding BPDUs to this LAN segment.
• Designated port: The port through which the designated bridge forwards BPDUs to this LAN segment.

As shown in Figure 315, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device
B, and Device C, respectively.
• If Device A forwards BPDUs to Device B through AP1, the designated bridge for Device B is Device
A, and the designated port of Device B is port AP1 on Device A.
• Two devices are connected to the LAN: Device B and Device C. If Device B forwards BPDUs to the
LAN, the designated bridge for the LAN is Device B, and the designated port for the LAN is the port
BP2 on Device B.
Figure 315 A schematic diagram of designated bridges and designated ports

NOTE:
All ports on the root bridge are designated ports.

Path cost
Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively
robust links and blocks redundant links, and finally prunes the network into a loop-free tree.

How STP works


The devices on a network exchange BPDUs to identify the network topology. Configuration BPDUs
contain sufficient information for the network devices to complete spanning tree calculation. A
configuration BPDU includes the following important fields:
• Root bridge ID—Consisting of the priority and MAC address of the root bridge.
• Root path cost—The cost of the shortest path to the root bridge.
• Designated bridge ID—Consisting of the priority and MAC address of the designated bridge.

• Designated port ID—Designated port priority plus port name.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age of the configuration BPDU that can be maintained on a device.
• Hello time—Configuration BPDU interval.
• Forward delay—The delay used by STP bridges to transit the state of the root and designated ports
to forwarding.

NOTE:
For simplicity, the descriptions and examples in this document involve only the following fields in the
configuration BPDUs:
• Root bridge ID (represented by device priority)
• Root path cost (related to the rate of the link connecting the port)
• Designated bridge ID (represented by device priority)
• Designated port ID (represented by port name)

Calculation process of the STP algorithm


• Initial state
Upon initialization of a device, each port generates a BPDU with itself as the root bridge, in which the
root path cost is 0, designated bridge ID is the device ID, and the designated port is the local port.
• Selection of the optimum configuration BPDU
Each device sends out its configuration BPDU and receives configuration BPDUs from other devices.
Table 144 Selection of the optimum configuration BPDU

Step: Actions

Step 1: Upon receiving a configuration BPDU on a port, the device performs the following:
• If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU and does not process the configuration BPDU of this port.
• If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.

Step 2: The device compares the configuration BPDUs of all ports and selects the optimum configuration BPDU.

NOTE:
Configuration BPDU comparison uses the following principles:
• The configuration BPDU that has the lowest root bridge ID has the highest priority.
• If all configuration BPDUs have the same root bridge ID, their root path costs are compared. For example, the root
path cost in a configuration BPDU plus the path cost of a receiving port is S. The configuration BPDU with the
smallest S value has the highest priority.
• If all configuration BPDUs have the same S value, their designated bridge IDs, designated port IDs, and the IDs of
the receiving ports are compared in sequence. The configuration BPDU containing a smaller ID wins out.

• Selection of the root bridge

Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge
ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge
IDs to elect the device with the smallest root bridge ID as the root bridge.
• Selection of the root port and designated ports on a non-root device
Table 145 Selection of the root port and designated ports

Step: Description

Step 1: A non-root device regards the port on which it received the optimum configuration BPDU as the root port.

Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
• The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.

Step 3: The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be defined, and acts depending on the comparison result:
• If the calculated configuration BPDU is superior, the device considers this port as the designated port, and it replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically.
• If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU. The blocked port can receive BPDUs but cannot send BPDUs or forward data.

NOTE:
When the network topology is stable, only the root port and designated ports forward traffic. Other ports
are all in the blocked state; they receive BPDUs but do not forward BPDUs or user traffic.

A tree-shape topology forms upon successful election of the root bridge, the root port on each non-root
bridge, and the designated ports.
The following is an example of how the STP algorithm works. As shown in Figure 316, the priority of
Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the path costs of these links
are 5, 10, and 4, respectively.

Figure 316 Network diagram for the STP algorithm

• Initial state of each device


Table 146 Initial state of each device

Device      Port name   BPDU of port
Device A    AP1         {0, 0, 0, AP1}
Device A    AP2         {0, 0, 0, AP2}
Device B    BP1         {1, 0, 1, BP1}
Device B    BP2         {1, 0, 1, BP2}
Device C    CP1         {2, 0, 2, CP1}
Device C    CP2         {2, 0, 2, CP2}

• Comparison process and result on each device


Table 147 Comparison process and result on each device

Device A
Comparison process:
• Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU and discards the received configuration BPDU.
• Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}. Device A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU and discards the received configuration BPDU.
• Device A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are itself, so it assumes itself to be the root bridge. It does not make any change to the configuration BPDU of each port, and it starts sending out configuration BPDUs periodically.
BPDU of port after comparison:
AP1: {0, 0, 0, AP1}
AP2: {0, 0, 0, AP2}

Device B
Comparison process:
• Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1} and updates the configuration BPDU of BP1.
• Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}. Device B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU and discards the received configuration BPDU.
BPDU of port after comparison:
BP1: {0, 0, 0, AP1}
BP2: {1, 0, 1, BP2}

Comparison process:
• Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDUs of which are not changed.
• Based on the configuration BPDU of BP1 and the path cost of the root port (5), Device B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
• Device B compares the calculated configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the calculated BPDU is superior, BP2 acts as the designated port, and the configuration BPDU on this port is replaced with the calculated configuration BPDU, which will be sent out periodically.
BPDU of port after comparison:
Root port BP1: {0, 0, 0, AP1}
Designated port BP2: {0, 5, 1, BP2}

Device C
Comparison process:
• Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1} and updates the configuration BPDU of CP1.
• Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2} before the configuration BPDU is updated. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2} and updates the configuration BPDU of CP2.
BPDU of port after comparison:
CP1: {0, 0, 0, AP2}
CP2: {1, 0, 1, BP2}

Comparison process:
After comparison:
• The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDUs of which are not changed.
• Device C compares the calculated designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the designated port, and the configuration BPDU of this port is replaced with the calculated configuration BPDU.
BPDU of port after comparison:
Root port CP1: {0, 0, 0, AP2}
Designated port CP2: {0, 10, 2, CP2}

Comparison process:
• Then, port CP2 receives the updated configuration BPDU of Device B {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its own configuration BPDU, Device C launches a BPDU update process.
• At the same time, port CP1 receives periodic configuration BPDUs from Device A. Device C does not launch an update process after comparison.
BPDU of port after comparison:
CP1: {0, 0, 0, AP2}
CP2: {0, 5, 1, BP2}

Comparison process:
After comparison:
• Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which are not changed.
• After comparison between the configuration BPDU of CP1 and the calculated designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port unchanged, and the port does not receive data from Device A until a spanning tree calculation process is triggered by a new event (for example, the link from Device B to Device C going down).
BPDU of port after comparison:
Blocked port CP1: {0, 0, 0, AP2}
Root port CP2: {0, 5, 1, BP2}

After the comparison processes described in Table 147, a spanning tree with Device A as the root bridge
is established, as shown in Figure 317.
Figure 317 The final calculated spanning tree

NOTE:
The spanning tree calculation process in this example is only a simplified process.
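The calculation walked through in Tables 144 to 147, as an added example that is not HP code: it runs the simplified comparison and port-role rules on the three-device topology and arrives at the same final roles and BPDUs. The link layout (AP1 to BP1 at cost 5, AP2 to CP1 at cost 10, BP2 to CP2 at cost 4) is read from the path costs quoted in Table 147; the function names and the synchronous-round exchange are assumptions made for the illustration, and timers and message age are not modeled.

```python
"""Simplified STP calculation on the Figure 316 example.

A BPDU is the 4-tuple used in the tables:
(root bridge ID, root path cost, designated bridge ID, designated port ID).
Python compares tuples field by field, so a smaller tuple is a superior BPDU.
"""

# Constructed from the worked example: device priorities and link path costs.
PRIORITY = {"A": 0, "B": 1, "C": 2}
LINKS = [("AP1", "BP1", 5), ("AP2", "CP1", 10), ("BP2", "CP2", 4)]


def owner(port):
    return port[0]  # "AP1" belongs to Device A


def build_state():
    """Initial state: every port advertises its own device as the root."""
    cost, peer, bpdu = {}, {}, {}
    for p, q, c in LINKS:
        cost[p] = cost[q] = c
        peer[p], peer[q] = q, p
    for port in cost:
        prio = PRIORITY[owner(port)]
        bpdu[port] = (prio, 0, prio, port)
    return cost, peer, bpdu


def is_designated(port, bpdu):
    """True when the BPDU held on the port was generated by the port itself."""
    return bpdu[port][2] == PRIORITY[owner(port)] and bpdu[port][3] == port


def assign_roles(dev, cost, bpdu):
    ports = sorted(p for p in bpdu if owner(p) == dev)
    me = PRIORITY[dev]
    # Root bridge: root and designated bridge of every port BPDU are this device.
    if all(bpdu[p][0] == me and bpdu[p][2] == me for p in ports):
        return {p: "designated" for p in ports}

    def key(p):
        # Root ID, then S = root path cost + receiving port cost, then the IDs.
        root, path, bridge, dport = bpdu[p]
        return (root, path + cost[p], bridge, dport, p)

    received = [p for p in ports if not is_designated(p, bpdu)]
    root_port = min(received, key=key)
    root, path, _, _ = bpdu[root_port]
    roles = {root_port: "root"}
    for p in ports:
        if p == root_port:
            continue
        calc = (root, path + cost[root_port], me, p)
        # A port already holding its own BPDU is refreshed; a port holding a
        # received BPDU becomes designated only if the calculated one is superior.
        if is_designated(p, bpdu) or calc < bpdu[p]:
            bpdu[p] = calc
            roles[p] = "designated"
        else:
            roles[p] = "blocked"
    return roles


def run(max_rounds=10):
    cost, peer, bpdu = build_state()
    roles = {}
    for _ in range(max_rounds):
        before = dict(bpdu)
        # Only designated ports transmit; snapshot first so a round is synchronous.
        sent = {peer[p]: bpdu[p] for p in bpdu if is_designated(p, bpdu)}
        for rx_port, msg in sent.items():
            if msg < bpdu[rx_port]:      # superior BPDU replaces the stored one
                bpdu[rx_port] = msg
        roles = {}
        for dev in PRIORITY:
            roles.update(assign_roles(dev, cost, bpdu))
        if bpdu == before:               # nothing changed: the tree is stable
            break
    return roles, bpdu


if __name__ == "__main__":
    final_roles, final_bpdu = run()
    for port in sorted(final_roles):
        print(port, final_roles[port], final_bpdu[port])
```

Because the lowest root bridge ID always wins the comparison, the same code shows how any device that advertises a lower ID than Device A would take over as root; change a value in PRIORITY to see the roles move.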

The BPDU forwarding mechanism in STP


• Upon network initiation, every device regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
• If the root port receives a configuration BPDU that is superior to the configuration BPDU of the
port, the device increases the message age carried in the configuration BPDU following a certain
rule and starts a timer to time the configuration BPDU while sending out this configuration BPDU
through the designated port.
• If the configuration BPDU received on a designated port has a lower priority than the configuration
BPDU of the local port, the port immediately sends out its own configuration BPDU in response.

• If a path becomes faulty, the root port on this path no longer receives new configuration BPDUs, and
the old configuration BPDUs are discarded due to timeout. The device generates configuration
BPDUs with itself as the root. This triggers a new spanning tree calculation process to establish a
new path to restore the network connectivity.
However, the newly calculated configuration BPDU is not propagated throughout the network
immediately, so the old root ports and designated ports that have not detected the topology change
continue forwarding data along the old path. If the new root ports and designated ports begin to forward
data as soon as they are elected, a temporary loop may occur.
STP timers
STP calculation involves the following timers: forward delay, hello time, and max age.
• Forward delay is the delay time for device state transition.
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change.
However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If
the newly elected root ports and designated ports start to forward data right away, a temporary loop is
likely to occur.
For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated
ports require twice the forward delay time before transiting to the forwarding state to make sure that the
new configuration BPDU has propagated throughout the network.
• Hello time—The time interval at which a device sends hello packets to the surrounding devices to
make sure that the paths are fault-free.
• Max age—Parameter used to determine whether a configuration BPDU held by the device has
expired. A configuration BPDU beyond the max age is discarded.

Introduction to RSTP
Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid
network convergence by allowing a newly elected root port or designated port to enter the forwarding
state much quicker under certain conditions than in STP.

NOTE:
• In RSTP, a newly elected root port can enter the forwarding state rapidly if this condition is met: the old root port on
the device has stopped forwarding data, and the upstream designated port has started forwarding data.
• In RSTP, a newly elected designated port can enter the forwarding state rapidly if this condition is met: the
designated port is an edge port or a port connected to a point-to-point link. If the designated port is an edge port,
it can enter the forwarding state directly. If the designated port is connected to a point-to-point link, it can enter the
forwarding state immediately after the device undergoes handshake with the downstream device and receives a
response.

Introduction to MSTP
Why MSTP
STP and RSTP limitations
STP does not support rapid state transition of ports. A newly elected root port or designated port must
wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a
point-to-point link or an edge port, which directly connects to a user terminal rather than to another device
or to a shared LAN segment.

Although RSTP supports rapid network convergence, it has the same drawback as STP: all bridges within
a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the
packets of all VLANs are forwarded along the same spanning tree.
Features of MSTP
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP and RSTP. In addition to the
support for rapid network convergence, it also allows data flows of different VLANs to be forwarded
along separate paths, providing a better load sharing mechanism for redundant links.
MSTP includes the following features:
• MSTP supports mapping VLANs to MSTIs by means of a VLAN-to-instance mapping table. MSTP can
reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI.
• MSTP divides a switched network into multiple regions, each containing multiple spanning trees that
are independent of one another.
• MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of
packets in a loop network. In addition, it provides multiple redundant paths for data forwarding,
supporting load balancing of VLAN data.
• MSTP is compatible with STP and RSTP.

Basic concepts in MSTP


Figure 318 Basic concepts in MSTP

Assume that all devices in Figure 318 are running MSTP. This section explains some basic concepts of
MSTP.
MST region
An MST region consists of multiple devices in a switched network and the network segments among them.
These devices have the following characteristics:
• All are MSTP-enabled.
• They have the same region name.
• They have the same VLAN-to-instance mapping configuration.
• They have the same MSTP revision level configuration.
• They are physically linked with one another.
For example, all devices in region A0 in Figure 318 have the same MST region configuration.
• They have the same region name.
• They have the same VLAN-to-instance mapping configuration (VLAN 1 is mapped to MSTI 1, VLAN
2 to MSTI 2, and the rest to the common and internal spanning tree (CIST or MSTI 0)).
• They have the same MSTP revision level (not shown in the figure).
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST
region.
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs. In Figure 318, for example, the VLAN-to-instance mapping
table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP
achieves load balancing by means of the VLAN-to-instance mapping table.
IST
An IST is a spanning tree that runs in an MST region.
ISTs in all MST regions and the CST jointly constitute the CIST of the entire network. An IST is a section of
the CIST in an MST region.
In Figure 318, for example, the CIST has a section in each MST region, and this section is the IST in the
respective MST region.
CST
The CST is a single spanning tree that connects all MST regions in a switched network. If you regard each
MST region as a device, the CST is a spanning tree calculated by these devices through STP or RSTP.
CSTs are indicated by red lines in Figure 318.
CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all devices in a
switched network.
In Figure 318, for example, the ISTs in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
MSTI
Multiple spanning trees can be generated in an MST region through MSTP, each spanning tree being
independent of the others. Each spanning tree is referred to as an "MSTI."

In Figure 318, for example, multiple MSTIs can exist in each MST region, each MSTI corresponding to
the specified VLANs.
Regional root bridge
The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or the
MSTI. Based on the topology, different spanning trees in an MST region may have different regional
roots.
For example, in region D0 in Figure 318, the regional root of MSTI 1 is device B, and that of MSTI 2 is
device C.
Common root bridge
The common root bridge is the root bridge of the CIST.
In Figure 318, for example, the common root bridge is a device in region A0.
Boundary port
A boundary port is a port that connects an MST region to another MST region, or to a single
spanning-tree region running STP, or to a single spanning-tree region running RSTP. It is at the boundary
of an MST region.
During MSTP calculation, the role of a boundary port in an MSTI must be consistent with its role in the
CIST. But this is not true with master ports. A master port on MSTIs is a root port on the CIST. For example,
in Figure 318, if a device in region A0 is interconnected to the first port of a device in region D0 and the
common root bridge of the entire switched network is located in region A0, the first port of that device in
region D0 is the boundary port of region D0.
Roles of ports
MSTP calculation involves the following port roles: root port, designated port, master port, boundary port,
alternate port, and backup port.
• Root port—A port responsible for forwarding data to the root bridge.
• Designated port—A port responsible for forwarding data to the downstream network segment or
device.
• Master port—A port on the shortest path from the current region to the common root bridge,
connecting the MST region to the common root bridge. If the region is seen as a node, the master
port is the root port of the region on the CST. The master port is a root port on IST/CIST and still a
master port on the other MSTIs.
• Alternate port—The standby port for the root port and the master port. When the root port or master
port is blocked, the alternate port becomes the new root port or master port.
• Backup port—The backup port of a designated port. When the designated port is blocked, the
backup port becomes a new designated port and starts forwarding data without delay. A loop
occurs when two ports of the same MSTP device are interconnected. The device blocks either of the
two ports, and the backup port is the port that is blocked.
A port can play different roles in different MSTIs.

Figure 319 Port roles

In Figure 319, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are
connected to the common root bridge. Port 5 and port 6 of device C form a loop. Port 3 and port 4 of
Device D are connected downstream to the other MST regions.
Port states
In MSTP, a port may be in one of the following states:
• Forwarding—The port learns MAC addresses and forwards user traffic.
• Learning—The port learns MAC addresses but does not forward user traffic.
• Discarding—The port does not learn MAC addresses or forward user traffic.

NOTE:
A port can have different port states in different MSTIs.

A port state is not exclusively associated with a port role. Table 148 lists the port states supported by
each port role. ("√" indicates that the port state is available for the corresponding port role, and "—"
indicates that the port state is not available for the corresponding port role.)
Table 148 Port states supported by different port roles

| Port state | Root port/master port | Designated port | Boundary port | Alternate port | Backup port |
| --- | --- | --- | --- | --- | --- |
| Forwarding | √ | √ | √ | — | — |
| Learning | √ | √ | √ | — | — |
| Discarding | √ | √ | √ | √ | √ |

How MSTP works


MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a
calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI
(among these MSTIs, MSTI 0 is called the "CIST"). Similar to RSTP, MSTP uses configuration BPDUs to
calculate spanning trees. The only difference between the two protocols is that an MSTP BPDU carries the
MSTP configuration on the device from which this BPDU is sent.
CIST calculation
The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process,
the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within
each MST region through calculation. At the same time, MSTP regards each MST region as a single
device and generates a CST among these MST regions through calculation. The CST and ISTs constitute
the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. MSTP performs a separate calculation process, which is similar to spanning
tree calculation in STP/RSTP, for each spanning tree. For more information, see "How STP works."
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.

Implementation of MSTP on devices


MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices
running MSTP and used for spanning tree calculation.
In addition to basic MSTP functions, the device provides the following functions for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Support for hot swapping of interface cards and active/standby changeover

Protocols and standards


• IEEE 802.1d, Spanning Tree Protocol
• IEEE 802.1w, Rapid Spanning Tree Protocol

• IEEE 802.1s, Multiple Spanning Tree Protocol

Configuring MSTP
Configuration task list
Before configuring MSTP, determine the role of each device in each MSTI: root bridge or leaf node. In
each MSTI, only one device acts as the root bridge, and all others act as leaf nodes.
Table 149 MSTP configuration task list

| Task | Remarks |
| --- | --- |
| Configuring an MSTP region | Optional. Configure the MST region-related parameters and VLAN-to-instance mappings. By default, the MST region-related parameters adopt the default values, and all VLANs in an MST region are mapped to MSTI 0. |
| Configuring MSTP globally | Required. Enable MSTP globally, and configure MSTP parameters. By default, MSTP is globally disabled, and all MSTP parameters adopt the default values. |
| Configuring MSTP on a port | Optional. Enable MSTP on a port, and configure MSTP parameters. By default, MSTP is enabled on ports, and all MSTP parameters adopt the default values. |

Configuring an MSTP region


Select Advanced > MSTP > Region from the navigation tree to display the page shown in Figure 320.
Figure 320 MST region

Click Modify to display the MSTP region configuration page, as shown in Figure 321.

Figure 321 Modify an MST region

Table 150 Configuration

| Item | Description |
| --- | --- |
| Region Name | MST region name. The MST region name is the bridge MAC address of the device by default. |
| Revision Level | Revision level of the MST region. |
| Manual (Instance ID, VLAN ID, Apply) | Manually add VLAN-to-instance mappings. Click Apply to add a VLAN-to-instance mapping entry to the list. |
| Modulo | Set the modulo value based on which 4094 VLANs are automatically mapped to the corresponding MSTIs. With the modulo value set, each VLAN is mapped to the MSTI whose ID is (VLAN ID – 1) % modulo + 1, where (VLAN ID – 1) % modulo is the modulo operation for (VLAN ID – 1). If the modulo value is 15, for example, VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, VLAN 15 to MSTI 15, VLAN 16 to MSTI 1, and so on. |
| Activate | Validate the VLAN-to-instance mappings, the region name, and the revision level. |

Return to "MSTP configuration task list."

Configuring MSTP globally


Select Advanced > MSTP > Global from the navigation tree to display the Global MSTP Configuration
page, as shown in Figure 322.

Figure 322 Configure MSTP globally

Table 151 Configuration

| Item | Description |
| --- | --- |
| Enable STP Globally | Enable or disable STP globally: • Enable—Enable STP globally. • Disable—Disable STP globally. Other MSTP configurations take effect only after you enable STP globally. |
| BPDU Protection | Enable or disable BPDU guard globally: • Enable—Enable BPDU guard globally. • Disable—Disable BPDU guard globally. BPDU guard can protect the device from malicious BPDU attacks, keeping the network topology stable. |
| Mode | Set the STP operating mode: • STP mode—All ports of the device send out STP BPDUs. • RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device automatically migrates to STP-compatible mode. • MSTP—All ports of the device send out MSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device automatically migrates to STP-compatible mode. |
| Max Hops | Set the maximum number of hops in an MST region to restrict the region size. The setting can take effect only when it is configured on the regional root bridge. |
| Path Cost Standard | Specify the standard for path cost calculation. It can be Legacy, IEEE 802.1D-1998, or IEEE 802.1T. |
| Bridge Diameter | Any two stations in a switched network are interconnected through a specific path composed of a series of devices. The bridge diameter (or the network diameter) is the number of devices on the path composed of the most devices. After you set the network diameter, you cannot set the timers. Instead, the device automatically calculates the forward delay, hello time, and max age. NOTE: • The network diameter applies to only the CIST. It takes effect only after you configure it on the root bridge. Each MST region is regarded as a device. • After you set the network diameter, you cannot set the timers. Instead, the device calculates the forward delay, hello time, and max age automatically. |
| Timers: Forward Delay | Set the delay for the root and designated ports to transit to the forwarding state. The length of the forward delay time is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay setting is too small, temporary redundant paths may be introduced. If the forward delay setting is too big, it may take a long time for the network to converge. HP recommends that you use the default setting. |
| Timers: Hello Time | Set the interval at which the device sends hello packets to the surrounding devices to make sure that the paths are fault-free. An appropriate hello time setting enables the device to detect link failures on the network promptly without using excessive network resources. If the hello time is set too long, the device takes packet loss as a link failure and triggers a new spanning tree calculation process. If the hello time is set too short, the device sends repeated configuration BPDUs frequently, which adds to the device burden and wastes network resources. HP recommends that you use the default setting. |
| Timers: Max Age | Set the maximum length of time a configuration BPDU can be held by the device. If the max age setting is too small, the network devices frequently launch spanning tree calculations and may take network congestion as a link failure. If the max age setting is too large, the network may fail to detect link failures and launch spanning tree calculations in time, reducing the auto-sensing capability of the network. HP recommends that you use the default setting. |
| Timers | TIP: • The settings of hello time, forward delay and max age must meet a certain formula. Otherwise, the network topology will not be stable. HP recommends that you set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age. • The bridge diameter cannot be configured together with the timers. |
| Instance: Instance ID | ID of the MSTI to configure. |
| Instance: Root Type | Role of the device in the MSTI: • Not Set—The device role is not configured. • Primary—Configure the device as the root bridge. • Secondary—Configure the device as a secondary root bridge. After specifying the current device as the primary root bridge or a secondary root bridge, you cannot change the priority of the device. |
| Instance: Bridge Priority | Set the bridge priority of the device, which is one of the factors determining whether the device can be elected as the root bridge. |
| TC Protection | Select whether to enable TC-BPDU guard. When receiving TC-BPDUs, the device flushes its forwarding address entries. If someone forges TC-BPDUs to attack the device, the device receives a large number of TC-BPDUs within a short time and frequently flushes its forwarding address entries. This affects network stability. With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. HP recommends that you do not disable this function. |
| TC Protection Threshold | Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU. |

Return to "MSTP configuration task list."

Configuring MSTP on a port


Select Advanced > MSTP > Port from the navigation tree to display the MSTP Port Configuration page, as
shown in Figure 323.
Figure 323 MSTP configuration of a port (1)

Click the icon corresponding to a port to display the MSTP Port Configuration page of the port, as
shown in Figure 324.
Figure 324 MSTP configuration of a port (2)

Table 152 Configuration

| Item | Description |
| --- | --- |
| Port Number | Select the port to configure. |
| STP Status | Enable or disable STP on the port: • Enable—Enable STP on the port. • Disable—Disable STP on the port. |
| Protection Type | Set the type of protection enabled on the port: • Not Set—No protection is enabled on the port. • Edged Port, Root Protection, Loop Protection—For more information, see Table 153. |
| Point to Point | Specify whether the port is connected to a point-to-point link: • Auto—Automatically detects whether the link type of the port is point-to-point. • Force False—Specifies that the link type for the port is not point-to-point link. • Force True—Specifies that the link type for the port is point-to-point link. |
| Transmit Limit | Configure the maximum number of MSTP packets that can be sent during each Hello interval. The larger the transmit limit is, the more network resources are occupied. HP recommends that you use the default value. |
| mCheck | In a switched network, if a port on an MSTP device connects to an STP device, this port automatically migrates to the STP-compatible mode. However, after the STP device is removed, whether the port on the MSTP device can migrate automatically to the MSTP mode depends on which of the following parameters is selected: • Enable—Performs mCheck. The port automatically migrates back to the MSTP mode. • Disable—Does not perform mCheck. The port does not automatically migrate back to the MSTP mode. |
| Instance: Instance ID | Set the MSTI ID. |
| Instance: Port Priority | Set the priority of the port in the current MSTI. The priority of a port is an important factor in determining whether the port can be elected as the root port. |
| Instance: Path Cost | Select to calculate the path cost automatically or set the path cost manually. |

Table 153 Protection types

| Protection type | Description |
| --- | --- |
| Edged Port | Configure the port as an edge port. Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports. HP recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs. |
| Root Protection | Enable the root guard function. Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology changes to occur. The root guard function is used to address such a problem. |
| Loop Protection | Enable the loop guard function. By continuing to receive BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. These BPDUs may get lost because of network congestion or unidirectional link failures. The device then re-elects a root port, and blocked ports may transit to the forwarding state, causing loops in the network. The loop guard function is used to address such a problem. |

Return to "MSTP configuration task list."

MSTP configuration example


Network requirements
As shown in Figure 325, all routers on the network are in the same MST region. Router A and Router B
work on the distribution layer. Router C and Router D work on the access layer.

Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of
VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of
VLAN 20 along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer routers, and VLAN 40 is terminated on
the access layer routers, so the root bridges of MSTI 1 and MSTI 3 are Router A and Router B,
respectively, and the root bridge of MSTI 4 is Router C.
Figure 325 Network diagram

NOTE:
"Permit:" next to a link in the figure is followed by the VLANs whose packets are permitted to pass this link.

Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown)
Create VLAN 10, VLAN 20, and VLAN 30 on Router A and Router B, respectively. Create VLAN 10,
VLAN 20, and VLAN 40 on Router C. Create VLAN 20, VLAN 30, and VLAN 40 on Router D. Configure
the ports on these routers as hybrid ports, and assign them to related VLANs. Configure the security zones
to which the combinations of these ports and their permitted VLANs belong.
2. Configure Router A.
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4, respectively, and configure the revision level of the MST region as 0.
• Log in to Router A. Select Advanced > MSTP > Region from the navigation tree, click Modify, and
perform the following configurations on the page shown in Figure 326.

Figure 326 Configure an MST region on Router A

a. Configure the region name as example.


b. Set the revision level to 0.
c. Select the Manual option.
d. Select 1 in the Instance list.
e. Set the VLAN ID to 10.
f. Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-instance mapping entry to the
VLAN-to-instance mapping list.
g. Repeat the preceding steps to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4 and add the
VLAN-to-instance mapping entries to the VLAN-to-instance mapping list.
h. Click Activate to end the operation.

# Enable MSTP globally, and configure the current device as the root bridge of MSTI 1.
• Select Advanced > MSTP > Global from the navigation tree, and perform the following
configurations on the page shown in Figure 327.

Figure 327 Configure global MSTP parameters on Router A

a. Select Enable in the Enable STP Globally list.


b. Select MSTP in the Mode list.
c. Select the Instance checkbox.
d. Set the Instance ID field to 1.
e. Set the Root Type field to Primary.
f. Click Apply to submit the settings.
3. Configure Router B.
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure here is
the same as that of configuring an MST region on Router A.)
# Enable MSTP globally, and configure the current device as the root bridge of MSTI 3.
a. Select Advanced > MSTP > Global from the navigation tree, and perform the following
configurations on the page similar to that shown in Figure 327.
b. Select Enable in the Enable STP Globally list.
c. Select MSTP in the Mode list.
d. Select the Instance checkbox.
e. Set the Instance ID field to 3.
f. Set the Root Type field to Primary.
g. Click Apply to submit the settings.
4. Configure Router C.

# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure here is
the same as that of configuring an MST region on Router A.)
# Enable MSTP globally, and configure the current device as the root bridge of MSTI 4.
a. Select Advanced > MSTP > Global from the navigation tree, and perform the following
configurations on the page similar to that shown in Figure 327.
b. Select Enable in the Enable STP Globally list.
c. Select MSTP in the Mode list.
d. Select the Instance checkbox.
e. Set the Instance ID field to 4.
f. Set the Root Type field to Primary.
g. Click Apply to submit the settings.
5. Configure Router D.
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3,
and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure here is
the same as that of configuring an MST region on Router A.)
# Enable MSTP globally.
a. Select Advanced > MSTP > Global from the navigation tree, and perform the following
configurations on the page similar to that shown in Figure 327.
b. Select Enable in the Enable STP Globally list.
c. Select MSTP in the Mode list.
d. Click Apply to submit the settings.

Verifying the configurations


You can use the display stp brief command to display brief spanning tree information on each device
after the network converges.
# Display brief spanning tree information on Router A.
[RouterA] display stp brief
MSTID  Port         Role  STP State   Protection
0      Ethernet0/1  ALTE  DISCARDING  NONE
0      Ethernet0/2  DESI  FORWARDING  NONE
0      Ethernet0/3  ROOT  FORWARDING  NONE
1      Ethernet0/1  DESI  FORWARDING  NONE
1      Ethernet0/3  DESI  FORWARDING  NONE
3      Ethernet0/2  DESI  FORWARDING  NONE
3      Ethernet0/3  ROOT  FORWARDING  NONE

# Display brief spanning tree information on Router B.


[RouterB] display stp brief
MSTID  Port         Role  STP State   Protection
0      Ethernet0/1  DESI  FORWARDING  NONE
0      Ethernet0/2  DESI  FORWARDING  NONE
0      Ethernet0/3  DESI  FORWARDING  NONE
1      Ethernet0/2  DESI  FORWARDING  NONE
1      Ethernet0/3  ROOT  FORWARDING  NONE
3      Ethernet0/1  DESI  FORWARDING  NONE
3      Ethernet0/3  DESI  FORWARDING  NONE

# Display brief spanning tree information on Router C.


[RouterC] display stp brief
MSTID  Port         Role  STP State   Protection
0      Ethernet0/1  DESI  FORWARDING  NONE
0      Ethernet0/2  ROOT  FORWARDING  NONE
0      Ethernet0/3  DESI  FORWARDING  NONE
1      Ethernet0/1  ROOT  FORWARDING  NONE
1      Ethernet0/2  ALTE  DISCARDING  NONE
4      Ethernet0/3  DESI  FORWARDING  NONE

# Display brief spanning tree information on Router D.


[RouterD] display stp brief
MSTID  Port         Role  STP State   Protection
0      Ethernet0/1  ROOT  FORWARDING  NONE
0      Ethernet0/2  ALTE  DISCARDING  NONE
0      Ethernet0/3  ALTE  DISCARDING  NONE
3      Ethernet0/1  ROOT  FORWARDING  NONE
3      Ethernet0/2  ALTE  DISCARDING  NONE
4      Ethernet0/3  ROOT  FORWARDING  NONE

Based on the above information, you can draw the MSTI corresponding to each VLAN, as shown
in Figure 328.
Figure 328 MSTIs corresponding to different VLANs
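The verification step above can be automated. The following Python script is an added example, not part of the HP guide or of the device software: it parses the four display stp brief outputs shown above, infers the root bridge of each MSTI, compares it with the roots this example intends, and checks each role/state pair against Table 148. The inference rule (a bridge that has ports in an MSTI but no root or master port there is that MSTI's root) and the role abbreviations MAST and BACK are assumptions of the example, and the rule holds only when every captured device is in the same MST region, as in this example.

```python
from collections import defaultdict

# "display stp brief" output as printed in this guide for the four routers.
CAPTURES = {
    "RouterA": """MSTID Port Role STP State Protection
0 Ethernet0/1 ALTE DISCARDING NONE
0 Ethernet0/2 DESI FORWARDING NONE
0 Ethernet0/3 ROOT FORWARDING NONE
1 Ethernet0/1 DESI FORWARDING NONE
1 Ethernet0/3 DESI FORWARDING NONE
3 Ethernet0/2 DESI FORWARDING NONE
3 Ethernet0/3 ROOT FORWARDING NONE""",
    "RouterB": """MSTID Port Role STP State Protection
0 Ethernet0/1 DESI FORWARDING NONE
0 Ethernet0/2 DESI FORWARDING NONE
0 Ethernet0/3 DESI FORWARDING NONE
1 Ethernet0/2 DESI FORWARDING NONE
1 Ethernet0/3 ROOT FORWARDING NONE
3 Ethernet0/1 DESI FORWARDING NONE
3 Ethernet0/3 DESI FORWARDING NONE""",
    "RouterC": """MSTID Port Role STP State Protection
0 Ethernet0/1 DESI FORWARDING NONE
0 Ethernet0/2 ROOT FORWARDING NONE
0 Ethernet0/3 DESI FORWARDING NONE
1 Ethernet0/1 ROOT FORWARDING NONE
1 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 DESI FORWARDING NONE""",
    "RouterD": """MSTID Port Role STP State Protection
0 Ethernet0/1 ROOT FORWARDING NONE
0 Ethernet0/2 ALTE DISCARDING NONE
0 Ethernet0/3 ALTE DISCARDING NONE
3 Ethernet0/1 ROOT FORWARDING NONE
3 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 ROOT FORWARDING NONE""",
}

# Root bridges the configuration example intends (MSTI -> device).
INTENDED_ROOTS = {1: "RouterA", 3: "RouterB", 4: "RouterC"}
ANY = {"FORWARDING", "LEARNING", "DISCARDING"}
# Port states each role may hold (Table 148). MAST and BACK are assumed
# abbreviations; the guide's sample output shows only ROOT, DESI and ALTE.
ALLOWED = {"ROOT": ANY, "MAST": ANY, "DESI": ANY,
           "ALTE": {"DISCARDING"}, "BACK": {"DISCARDING"}}


def parse_brief(text):
    """Return (mstid, port, role, state, protection) tuples; skip other lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit():
            rows.append((int(fields[0]), *fields[1:]))
    return rows


def infer_roots(captures):
    """A bridge with ports in an MSTI but no ROOT/MAST port there is its root."""
    members = defaultdict(set)    # mstid -> devices with any port in the MSTI
    upstream = defaultdict(set)   # mstid -> devices that have a root/master port
    for dev, text in captures.items():
        for mstid, _port, role, _state, _prot in parse_brief(text):
            members[mstid].add(dev)
            if role in ("ROOT", "MAST"):
                upstream[mstid].add(dev)
    return {m: sorted(members[m] - upstream[m]) for m in sorted(members)}


def audit(captures, intended=INTENDED_ROOTS):
    """Findings: MSTIs whose root moved, and role/state pairs outside Table 148."""
    findings = []
    roots = infer_roots(captures)
    for mstid, want in sorted(intended.items()):
        got = roots.get(mstid, [])
        if got != [want]:
            seen = ", ".join(got) or "not among the captured devices"
            findings.append(f"MSTI {mstid}: root is {seen}, expected {want}")
    for dev in sorted(captures):
        for mstid, port, role, state, _prot in parse_brief(captures[dev]):
            if state not in ALLOWED.get(role, set()):
                findings.append(f"{dev} {port} MSTI {mstid}: {role} port is {state}")
    return findings


# Constructed capture: Router A reports a root port in MSTI 1, as it would if
# a bridge with a higher priority appeared (the case root guard addresses).
TAMPERED = dict(CAPTURES, RouterA=CAPTURES["RouterA"].replace(
    "1 Ethernet0/1 DESI FORWARDING", "1 Ethernet0/1 ROOT FORWARDING"))


if __name__ == "__main__":
    print("inferred roots:", infer_roots(CAPTURES))
    print("findings (guide output):", audit(CAPTURES))
    print("findings (constructed):", audit(TAMPERED))
```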

Configuration guidelines
Follow these guidelines when you configure MSTP:

1. Two or more MSTP-enabled devices belong to the same MST region only if they are configured with
the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance
mapping entries in the MST region, and MST region revision level, and they are interconnected
through physical links.
2. After specifying the current device as the root bridge or a secondary root bridge, you cannot
change the priority of the device.
3. If two or more devices with the same bridge priority have been designated to be root bridges of the
same spanning tree instance, MSTP selects the device with the lowest MAC address as the root
bridge.
4. The values of forward delay, hello time, and max age are interdependent. Inappropriate settings of
these values may cause network flapping. HP recommends that you set the network diameter and let
the device automatically set an optimal hello time, forward delay, and max age. The settings of hello
time, forward delay and max age must meet the following formulas:
2 × (forward delay – 1 second) ≥ max age
Max age ≥ 2 × (hello time + 1 second)
5. If the device is not enabled with BPDU guard, when an edge port receives a BPDU from another
port, it transits into a non-edge port. To restore its port role as an edge port, restart the port.
6. Configure ports that are directly connected to terminals as edge ports, and enable BPDU guard for
them. In this way, these ports can rapidly transit to the forwarding state, and network security can be
ensured.

Configuring RADIUS

You can configure RADIUS through the web interface.


The RADIUS protocol implements AAA.
RADIUS uses the client/server model. It can protect networks against unauthorized access and is often
used in network environments where both high security and remote user access are required. RADIUS
defines the packet format and message transfer mechanism, and it uses UDP as the transport layer
protocol for encapsulating RADIUS packets. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods (for example, Ethernet and ADSL).
RADIUS provides access authentication and authorization services, and its accounting function collects
and records network resource usage information.

NOTE:
For more information about RADIUS and AAA, see HP A-MSR Router Series Security Configuration
Guide.

Configuring a RADIUS scheme


A RADIUS scheme defines a set of parameters that the device uses to exchange information with the
RADIUS servers. There might be authentication servers and accounting servers, or primary servers and
secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and
the RADIUS server type. By default, no RADIUS scheme exists.
Select Advanced > RADIUS from the navigation tree to display the RADIUS scheme list page, as shown
in Figure 329. Click Add to display the RADIUS scheme configuration page, as shown in Figure 330.
Figure 329 RADIUS scheme list

Figure 330 RADIUS scheme configuration page

Table 154 RADIUS scheme configuration

| Item | Description |
| --- | --- |
| Scheme Name | Enter a name for the RADIUS scheme. |
| Common Configuration | Configure the common parameters for the RADIUS scheme, including the server type, username format, and shared keys for authentication and accounting packets. For more information about common configuration, see "Common configuration." |
| RADIUS Server Configuration | Configure the parameters of the RADIUS authentication servers and accounting servers. For more information about RADIUS server configuration, see "RADIUS server configuration." |

Common configuration
Click the expand button before Advanced in the Common Configuration area to expand the advanced
configuration area, as shown in Figure 331.

Figure 331 Common configuration

Table 155 Common configuration

| Item | Description |
| --- | --- |
| Server Type | Select the type of the RADIUS servers supported by the device: • Standard—Configures the RADIUS client to communicate with the RADIUS server by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later. • Extended—Configures the RADIUS client to communicate with the RADIUS server (usually an iMC server) by using the proprietary RADIUS protocol and packet format. |
| Username Format | Select the format of usernames to be sent to the RADIUS server, including Original format, With domain name, and Without domain name. A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS server. |
| Authentication Key, Confirm Authentication Key, Accounting Key, Confirm Accounting Key | Set the shared key for authenticating RADIUS authentication packets and that for authenticating RADIUS accounting packets. The RADIUS client and the RADIUS server use MD5 to encrypt RADIUS packets and use the shared key to authenticate the packets exchanged between them. The client and the server receive and respond to packets from each other only if their shared keys are the same. NOTE: The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part. |
| Quiet Time | Set the time to wait before the device restores an unreachable RADIUS server to active state. If the primary server is unreachable because of a temporary interruption on the network interface or because the server is busy, you can set the quiet time to 0 so that authentication and accounting requests for other users are still sent to the primary server for processing. When the quiet time is 0, if the server being used is unreachable, the device keeps the server in active state, and sends the request to the next server in active state. In this way, subsequent authentication or accounting requests may still be sent to the server. |
| Server Response Timeout Time | Set the RADIUS server response timeout time. If the device sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps improve system performance. |
| Request Transmission Attempts | Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still receives no response from the RADIUS server, the device considers the request a failure. |
| Server Response Timeout Time and Request Transmission Attempts | NOTE: The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75. |
| Realtime Accounting Interval | Set the interval for sending real-time accounting information to the RADIUS accounting server. The interval must be a multiple of 3. Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when a large number of users (1000 or more) exist. For more information about the recommended real-time accounting intervals, see "Configuration guidelines." |
| Realtime Accounting Attempts | Set the maximum number of attempts for sending a real-time accounting request. |
| Unit for Data Flows | Specify the unit for data flows sent to the RADIUS server: byte, kilo-byte, mega-byte, or giga-byte. |
| Unit for Packets | Specify the unit for data packets sent to the RADIUS server: one-packet, kilo-packet, mega-packet, or giga-packet. |
| VPN | Specify the VPN to which the RADIUS scheme belongs. This setting applies to all RADIUS authentication servers and accounting servers configured in the RADIUS scheme, but the VPN individually specified for a RADIUS authentication or accounting server takes priority. |
| Security Policy Server | Specify the IP address of the security policy server. |
| RADIUS Packet Source IP | Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server. HP recommends that you use a loopback interface address instead of a physical interface address as the source IP address, so that when the physical interface is down, the response packets from the server can still reach the device. |
| Buffer stop-accounting packets, Stop-Accounting Attempts | Enable or disable buffering of stop-accounting requests for which no responses are received, and set the maximum number of attempts for sending stop-accounting requests. |
| Send accounting-on packets, Accounting-On Interval, Accounting-On Attempts | Enable or disable the accounting-on feature, and set the interval and the maximum number of attempts for sending accounting-on packets. The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcibly log out users who logged in through the device before the reboot. NOTE: When enabling the accounting-on feature on a device for the first time, you must save the configuration so that the feature takes effect after the device reboots. |
| Attribute Interpretation | Enable or disable the device to interpret the RADIUS class attribute as CAR parameters. |

RADIUS server configuration


In the RADIUS Server Configuration area, click Add to display the RADIUS server configuration page, as
shown in Figure 332. You can configure RADIUS servers for the RADIUS scheme.

Figure 332 RADIUS server configuration

Table 156 RADIUS server configuration

| Item | Description |
| --- | --- |
| Server Type | Select the type of the RADIUS server to configure. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server. |
| IP Address | Specify the IP address of the RADIUS server. |
| Port | Specify the UDP port of the RADIUS server. |
| Key, Confirm Key | Specify the shared key for communication with the RADIUS server. If no shared key is specified here, the shared key specified in the common configuration part is used. |
| VPN | Specify the VPN to which the RADIUS server belongs. If no VPN is specified here, the VPN specified in the common configuration part is used. Support for this configuration item depends on your device model. |

RADIUS configuration example


Network requirements
• As shown in Figure 333, connect the Telnet user to the router and the router to the RADIUS server.
• Run the iMC server on the RADIUS server to provide authentication, authorization, and accounting
services for Telnet users. The IP address of the RADIUS server is 10.1.1.1/24.
• Set the shared keys for authentication, authorization, and accounting packets exchanged between
the router and the RADIUS server to expert and specify the ports for authentication/authorization
and accounting as 1812 and 1813, respectively.
• Specify that a username sent to the RADIUS server carries the domain name.
• Add an account on the RADIUS server, with the username and password being hello@bbb and abc.
If the user passes authentication, it is assigned a privilege level of 3.

Figure 333 Network diagram

NOTE:
The example below assumes that the RADIUS server runs iMC (iMC PLAT 5.0 and iMC UAM 5.0).

Configuration procedure
1. Configure the RADIUS server.
When the RADIUS server runs iMC:
# Add an access device.
Log in to the iMC management platform, click the Service tab, and select User Service Manager > Access
Device from the navigation tree to display the Access Device page. Then, click Add to display the Add
Access Device page, and perform the following configurations, as shown in Figure 334:
a. Set the shared keys for authentication and accounting packets to expert.
b. Specify the ports for authentication and accounting as 1812 and 1813, respectively.
c. Select Device Management Service as the service type.
d. Select HP as the access device type.
e. Select the access device from the device list, or manually add the device with the IP address of
10.1.1.2.
f. Click OK to finish the operation.

NOTE:
The IP address of the access device specified above must be the same as the source IP address of the
RADIUS packets sent from the device, which is the IP address of the outbound interface for RADIUS packets
(the default), or the IP address specified with the nas-ip or radius nas-ip command.

Figure 334 Add an access device

# Add a user for device management.


Log in to the iMC management platform, click the User tab, and select Device Management User from the
navigation tree to display the Device Management User page. Then, click Add to display the Add Device
Management User page, and perform the following configurations, as shown in Figure 335:
a. Add a user named hello@bbb and specify the password.
b. Select Telnet as the service type.
c. Set the EXEC privilege level to 3. This value identifies the privilege level of the Telnet user after
login, which is 0 by default.
d. Specify the IP address range of the hosts to be managed as 10.1.1.0 to 10.1.1.255, and click
OK to finish the operation.

NOTE:
The IP address range of the hosts to be managed must contain the IP address of the access device added.

Figure 335 Add a user for device management

2. Configure the router.


# Configure the IP address of each interface. (Details not shown)
a. Select Advanced > RADIUS from the navigation tree to display the RADIUS scheme list page.
Click Add and perform the following configurations:
b. Enter system as the scheme name.
c. Select Extended as the server type.
d. Select Without domain name for the username format.
e. In the RADIUS Server Configuration area, click Add to display the RADIUS server configuration
page, and perform the configurations shown in Figure 336.

Figure 336 RADIUS authentication server configuration page

a. Select Primary Authentication as the server type.
b. Enter 10.1.1.1 as the IP address of the primary authentication server.
c. Enter 1812 as the port.
d. Enter expert as the key.
e. Enter expert to confirm the key.
f. Click Apply to finish the configuration.
g. In the RADIUS Server Configuration area, click Add again to add a RADIUS accounting server,
as shown in Figure 337.
Figure 337 RADIUS accounting server configuration page

a. Select Primary Accounting as the server type.
b. Enter 10.1.1.1 as the IP address of the primary accounting server.
c. Enter 1813 as the port.
d. Enter expert as the key.
e. Enter expert to confirm the key.
f. Click Apply. The RADIUS scheme configuration page refreshes and the added servers appear in
the server list, as shown in Figure 338. Click Apply to finish the scheme configuration.

Figure 338 RADIUS scheme configuration page

# Enable the Telnet service on the router.


[Router] telnet server enable

# Configure the router to use AAA for Telnet users.


[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] quit

# Configure the AAA methods for domain bbb. Because RADIUS authorization information is sent by the
RADIUS server to the RADIUS client in the authentication response message, be sure to reference the
same scheme for authentication and authorization.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit

# You can achieve the same result by configuring default AAA methods for all types of users in domain
bbb. (You can use either approach as needed.)
[Router] domain bbb
[Router-isp-bbb] authentication default radius-scheme system
[Router-isp-bbb] authorization default radius-scheme system
[Router-isp-bbb] accounting default radius-scheme system

Verification
After the configuration, the Telnet user should be able to telnet to the router and use the configured
account (username hello@bbb and password abc) to enter the user interface of the router and access all
commands of level 0 through level 3.

Configuration guidelines
When you configure the RADIUS client, note the following guidelines:
1. Accounting for FTP users is not supported.
2. If you remove the accounting server used for online users, the router cannot send real-time
accounting requests and stop-accounting messages for the users to the server, and the
stop-accounting messages are not buffered locally.
3. The status of RADIUS servers (blocked or active) determines which servers the device
communicates with or turns to when the current servers are not available. In practice, you can
specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary
servers functioning as backups of the primary server. Generally, the device chooses servers based
on these rules:
• When the primary server is in active state, the device communicates with the primary server. If
the primary server fails, the device changes the state of the primary server to blocked, starts a
quiet timer for the server, and turns to a secondary server in active state (a secondary server
configured earlier has a higher priority). If the secondary server is unreachable, the device
changes the state of the secondary server to blocked, starts a quiet timer for the server, and
continues to check the next secondary server in active state. This search process continues until
the device finds an available secondary server or has checked all secondary servers in active
state. If the quiet timer of a server expires or an authentication or accounting response is
received from the server, the status of the server changes back to active automatically, but the
device does not check the server again during the authentication or accounting process. If no
server is found reachable during one search process, the device considers the authentication or
accounting attempt a failure.
• Once the accounting process of a user starts, the device keeps sending the user's real-time
accounting requests and stop-accounting requests to the same accounting server. If you remove
the accounting server, real-time accounting requests and stop-accounting requests for the user
can no longer be delivered to the server.
• If you remove an authentication or accounting server in use, the communication of the device
with the server soon times out, and the device looks for a server in active state from scratch. It
checks the primary server (if any) first and then the secondary servers in the order they are
configured.
• When the primary server and secondary servers are all in the blocked state, the device
communicates with the primary server. If the primary server is available, its status changes to
active. Otherwise, its status remains as blocked.
• If one server is in the active state but all others are in the blocked state, the device only tries to
communicate with the server in the active state, even if the server is unavailable.
• After receiving an authentication/accounting response from a server, the device changes the
status of the server identified by the source IP address of the response to active if the current
status of the server is blocked.

4. Table 157 lists the recommended real-time accounting intervals.
Table 157 Recommended real-time accounting intervals

Number of users    Real-time accounting interval (in minutes)
1 to 99            3
100 to 499         6
500 to 999         12
1000 or more       ≥15
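
The server-selection rules in guideline 3 can be traced with a small state machine. This is an added example, not HP's implementation: the class and function names, the 300-second quiet timer, and the reachability flags are assumptions made for the simulation.

```python
from dataclasses import dataclass

ACTIVE, BLOCKED = "active", "blocked"


@dataclass
class Server:
    name: str
    reachable: bool = True      # simulated network condition (constructed input)
    state: str = ACTIVE
    quiet_until: float = 0.0    # time at which the quiet timer expires


class RadiusScheme:
    """Hypothetical model of the selection rules listed in guideline 3."""

    def __init__(self, primary, secondaries, quiet_seconds=300):
        self.primary = primary
        # Primary first, then secondaries in the order they were configured.
        self.servers = [primary] + list(secondaries)
        self.quiet_seconds = quiet_seconds  # assumed value, not taken from the guide

    def _expire_quiet_timers(self, now):
        for srv in self.servers:
            if srv.state == BLOCKED and now >= srv.quiet_until:
                srv.state = ACTIVE

    def attempt(self, now):
        """Run one search process. Returns (answering server or None, servers tried)."""
        self._expire_quiet_timers(now)
        tried = []
        # Snapshot: a server that turns active mid-search is not checked again.
        candidates = [s for s in self.servers if s.state == ACTIVE]
        if not candidates:
            # Every server is blocked: only the primary is contacted.
            tried.append(self.primary.name)
            if self.primary.reachable:
                self.primary.state = ACTIVE     # a response re-activates it
                return self.primary.name, tried
            return None, tried
        for srv in candidates:
            tried.append(srv.name)
            if srv.reachable:
                return srv.name, tried
            srv.state = BLOCKED                 # no response: block, start quiet timer
            srv.quiet_until = now + self.quiet_seconds
        return None, tried


def demo():
    primary = Server("primary", reachable=False)
    sec1 = Server("sec1", reachable=False)
    sec2 = Server("sec2")
    scheme = RadiusScheme(primary, [sec1, sec2])
    log = [scheme.attempt(0)]        # primary and sec1 fail and are blocked, sec2 answers
    sec1.reachable = True            # sec1 recovers but its quiet timer is still running
    sec2.reachable = False
    log.append(scheme.attempt(20))   # only sec2 is active, so only sec2 is tried
    log.append(scheme.attempt(30))   # all blocked: only the primary is tried
    log.append(scheme.attempt(300))  # quiet timers of primary and sec1 have expired
    return log


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The attempts at t=20 and t=30 fail although sec1 is reachable again, because a blocked server is skipped until its quiet timer expires or it answers a request.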

Configuring login control

The login control feature allows you to control web or Telnet logins of specified users based on IP address
and login type.
To configure login control:
From the navigation tree, select Advanced > Access to display the login control configuration page. The
upper part of the page allows you to configure login control rules, and the lower part displays existing
login control rules. You can also delete the rules.
Figure 339 Login control configuration

Table 158 Configuration

Item Description
Login Type
Select the login type to be restricted: Telnet, web, or both.

User IP Address, Wildcard
Enter an IP address and wildcard to specify the users.
IMPORTANT:
• Exclude the management IP segment from login control. Otherwise, you cannot
log in to the device.
• Do not set the wildcard to 255.255.255.255. Otherwise, no users can log in to
the device.

Login control configuration example
Network requirements
As shown in Figure 340, configure login control rules so that Host A cannot telnet to Router, and Host B
cannot access Router through the web.
Figure 340 Network diagram

Configuration procedure
# Configure a login control rule so that Host A cannot telnet to Router.
• Select Advanced > Access from the navigation tree to display the page for configuring login control
rules. Perform the configurations shown in Figure 341.
Figure 341 Configure a login control rule so that Host A cannot telnet to Router

a. Select Telnet as the login type to be restricted.
b. Enter 10.0.0.1 as the user IP address.
c. Enter 0.0.0.0 as the wildcard.
d. Click Apply. A dialog box appears, asking whether to continue your operation.

e. Click OK. A configuration progress dialog box appears, as shown in Figure 342.
f. After completing the settings, click Close.
Figure 342 Configuration progress dialog box

# Configure a login control rule so that Host B cannot access Router through the web.
• Select Advanced > Access from the navigation tree to display the page for configuring login control
rules.
Figure 343 Configure a login control rule so that Host B cannot access Router through the web

a. Select web as the login type to be restricted.
b. Enter 10.1.1.2 as the user IP address.
c. Enter 0.0.0.0 as the wildcard.
d. Click Apply. A dialog box appears, asking whether to continue your operation.
e. Click OK. A configuration progress dialog box that is similar to Figure 342 appears.
f. After completing the settings, click Close.
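
Before applying login control rules, you can check them against the hosts you manage the router from, which is the lockout risk the IMPORTANT note in Table 158 warns about. The following is an added example, not part of the HP guide: it assumes the wildcard is an inverse mask (bits set to 1 are ignored), which is consistent with the 0.0.0.0 and 255.255.255.255 values mentioned above, and the function names, the third rule, and the management hosts are constructed.

```python
import ipaddress

LOGIN_TYPES = {"telnet": {"telnet"}, "web": {"web"}, "both": {"telnet", "web"}}


def _u32(addr):
    return int(ipaddress.IPv4Address(addr))


def rule_matches(rule_ip, wildcard, host):
    """Compare only the bits the wildcard leaves at 0 (assumed inverse-mask semantics)."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(rule_ip) & care) == (_u32(host) & care)


def preflight(rules, mgmt_hosts):
    """rules: (login_type, user_ip, wildcard) tuples as entered on the page.

    Returns (denied, match_all): denied maps each management host to the login
    types the rules would take away from it; match_all lists the indexes of
    rules whose wildcard is 255.255.255.255.
    """
    denied = {host: set() for host in mgmt_hosts}
    match_all = []
    for index, (login_type, user_ip, wildcard) in enumerate(rules):
        if _u32(wildcard) == 0xFFFFFFFF:
            match_all.append(index)
        for host in mgmt_hosts:
            if rule_matches(user_ip, wildcard, host):
                denied[host] |= LOGIN_TYPES[login_type]
    return {host: sorted(types) for host, types in denied.items()}, match_all


# The two rules from the example above, plus one constructed rule that is too broad.
RULES = [
    ("telnet", "10.0.0.1", "0.0.0.0"),
    ("web", "10.1.1.2", "0.0.0.0"),
    ("web", "10.1.1.0", "0.0.0.255"),      # constructed: covers 10.1.1.0 to 10.1.1.255
]
MGMT_HOSTS = ["10.0.0.50", "10.1.1.20"]    # constructed management stations

if __name__ == "__main__":
    print(preflight(RULES, MGMT_HOSTS))
```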

Configuring ARP

You can do the following to configure ARP on the web interface:


• Displaying ARP entries
• Creating a static ARP entry
• Removing ARP entries
• Enabling learning of dynamic ARP entries
• Configuring gratuitous ARP
ARP is used to resolve an IP address into a physical address (Ethernet MAC address, for example).
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.

NOTE:
For more information about ARP, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

Gratuitous ARP
Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device. The sender MAC address is the MAC address of the sending device. The target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• To determine whether its IP address is already used by another device. If the IP address is already
used, the device is informed of the conflict by an ARP reply.
• To inform other devices of the change of its MAC address.

Enabling learning of gratuitous ARP packets


With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the device uses received gratuitous ARP packets to update existing ARP entries,
but not to create new ARP entries.

Displaying ARP entries


Select Advanced > ARP Management > ARP Table from the navigation tree to display the page shown
in Figure 344. All ARP entries are displayed on the page.

Figure 344 ARP Table configuration page

Creating a static ARP entry


Select Advanced > ARP Management > ARP Table from the navigation tree to display the page shown
in Figure 344. Click Add to display the New Static ARP Entry page, as shown in Figure 345.
Figure 345 Add a static ARP entry

Table 159 Configuration

Item Description
IP Address
Enter an IP address for the static ARP entry.

MAC Address
Enter a MAC address for the static ARP entry.

Advanced Options: VLAN ID, Port
Enter a VLAN ID and specify a port for the static ARP entry.
NOTE:
The VLAN ID must be the ID of the VLAN that has already been created, and the port
must belong to the VLAN. The corresponding VLAN interface must have been
created.

Advanced Options: VPN Instance
Enter the name of the VPN instance to which the static ARP entry belongs.

Removing ARP entries


Select Advanced > ARP Management > ARP Table from the navigation tree to display the page shown
in Figure 344.

• To remove specific ARP entries, select the checkboxes for target ARP entries, and click Del Selected.
• To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
• To remove all static ARP entries, click Delete Static.
• To remove all dynamic ARP entries, click Delete Dynamic.

Enabling learning of dynamic ARP entries


Select Advanced > ARP Management > Dynamic Entry from the navigation tree to display the
configuration page shown in Figure 346.
Figure 346 Dynamic entry management

• To disable all listed interfaces from learning dynamic ARP entries, click Disable all.
• To disable specific interfaces from learning dynamic ARP entries, select target interfaces and click
Disable selected.
• To allow all listed interfaces to learn dynamic ARP entries, click Enable all.
• To allow specific interfaces to learn dynamic ARP entries, select target interfaces and click Enable
selected.
• Click the icon of an interface to display the configuration page as shown in Figure 347, and
specify the maximum number of dynamic ARP entries that this interface can learn. If you enter 0, the
interface is disabled from learning dynamic ARP entries.

Figure 347 Modify an interface

NOTE:
If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the
number of dynamic ARP entries that the interface can learn restores the default.

Configuring gratuitous ARP


Select Advanced > ARP Management > Gratuitous ARP from the navigation tree to display the page
shown in Figure 348.
Figure 348 Configuring gratuitous ARP

Table 160 Configuration

Item Description
Disable gratuitous ARP packets learning function
Disable learning of ARP entries according to gratuitous ARP packets.

Send gratuitous ARP packets when receiving ARP requests from another network segment
Enable the device to send gratuitous ARP packets upon receiving ARP requests from another
network segment.

Static ARP configuration example


Network Requirements
As shown in Figure 349, hosts are connected to Router A, which is connected to Router B through
Ethernet 0/1 belonging to VLAN 10. The IP address of Router B is 192.168.1.1/24. The MAC address
of Router B is 00e0-fc01-0000.
To enhance communication security between Router A and Router B, a static ARP entry for Router B must
be configured on Router A.

Figure 349 Network diagram

Configuration procedure
# Create VLAN 10 and VLAN-interface 10.
• Select Interface Setup > LAN Interface Setup from the navigation tree to display the default VLAN
Setup page. Perform the following configurations, as shown in Figure 350.
Figure 350 Create VLAN 10 and VLAN-interface10

a. Select the Create option.
b. Enter 10 for VLAN IDs.
c. Select the Create VLAN Interface checkbox.
d. Click Apply.

# Add Ethernet 0/1 to VLAN 10.

Figure 351 Add Ethernet 0/1 to VLAN 10

a. As shown in Figure 351, on the VLAN Setup page, select 10 in the VLAN Config field.
b. Select Ethernet0/1 from the list.
c. Click Add. A configuration progress dialog box is displayed, as shown in Figure 352.
d. After the configuration process is complete, click Close.

Figure 352 The configuration progress dialog box

# Configure the IP address of VLAN-interface 10.


• Click the VLAN Interface Setup tab. Perform the following configurations, as shown in Figure 353.

Figure 353 Configure the IP address of VLAN-interface 10

a. Select 10 for Select a VLAN.
b. Enter 192.168.1.2 for IP Address.
c. Enter 255.255.255.0 for Subnet Mask.
d. Click Apply.

# Create a static ARP entry.


• Select Advanced > ARP Management > ARP Table from the navigation tree, and then click Add.
Perform the following configurations, as shown in Figure 354.

Figure 354 Create a static ARP entry

a. Enter 192.168.1.1 for IP Address.
b. Enter 00e0-fc01-0000 for MAC Address.
c. Select the Advanced Options checkbox.
d. Enter 10 for VLAN ID.
e. Select Ethernet0/1 for Port.
f. Click Apply.
# View information about static ARP entries.
g. After the above configuration is complete, the page returns to display ARP entries. Select Type
for Search.
h. Enter Static.
i. Click Search. Then you can view the static ARP entries of Router A, as shown in Figure 355.

Figure 355 Display information about static ARP entries page

Configuring ARP attack protection

You can do the following to configure ARP attack defense on the web interface:
• Configure periodic sending of gratuitous ARP packets
• Configure ARP automatic scanning
• Configure fixed ARP
Although ARP is easy to implement, it provides no security mechanism and is prone to network attacks.
ARP attacks and viruses threaten LAN security. The router can provide the following features to detect and
prevent such attacks.

Periodic sending of gratuitous ARP packets


Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries in time. This feature can be used to do the following:
• Prevent gateway spoofing
• Prevent ARP entries from being aged out
• Prevent the virtual IP address of a VRRP group from being used by a host
• Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured

Configuring ARP automatic scanning and fixed ARP


ARP automatic scanning is usually used together with the fixed ARP feature.
• With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on
the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
• Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries.
The ARP automatic scanning and fixed ARP features effectively prevent ARP entries from being modified by
attackers. Use the two functions in a small network with a stable environment, such as a cybercafé.
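
The gratuitous ARP packet layout and learning behavior described under "Gratuitous ARP", together with the fixed ARP behavior described here, can be modelled as follows. This is an added example, not code from the HP guide: the function and class names and the event labels are assumptions, the frames are constructed in memory and never sent, and the model treats static entries as unchangeable by received packets, following the page's statement that fixed ARP prevents entries from being modified.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP payload: 28 bytes


def build_gratuitous(ip, mac):
    """Construct a sample gratuitous ARP payload laid out as the page describes it."""
    hw = bytes.fromhex(mac.replace("-", ""))
    addr = socket.inet_aton(ip)
    # Sender IP and target IP are both the sender's address; target MAC is broadcast.
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, hw, addr, b"\xff" * 6, addr)


def parse_arp(payload):
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    h = sha.hex()
    return {
        "sender_ip": socket.inet_ntoa(spa),
        "sender_mac": f"{h[0:4]}-{h[4:8]}-{h[8:12]}",
        "gratuitous": spa == tpa,      # this model keys on the IP fields only
    }


class ArpTable:
    """Hypothetical ARP table following the learning rules stated on the page."""

    def __init__(self, learn_gratuitous=True):
        self.learn_gratuitous = learn_gratuitous
        self.entries = {}              # ip -> [mac, "static" or "dynamic"]

    def fix_all(self):
        """Model of Fix All: every dynamic entry becomes static."""
        for entry in self.entries.values():
            entry[1] = "static"

    def receive(self, payload):
        pkt = parse_arp(payload)
        if not pkt["gratuitous"]:
            return "not-gratuitous"
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        entry = self.entries.get(ip)
        if entry is None:
            if not self.learn_gratuitous:
                return "ignored"       # learning disabled: no new entry is created
            self.entries[ip] = [mac, "dynamic"]
            return "learned"
        if entry[0] == mac:
            return "unchanged"
        if entry[1] == "static":
            return "static-conflict"   # entry kept; worth logging as a conflicting claim
        entry[0] = mac                 # existing dynamic entries are always updated
        return "rebound"


def demo():
    real = build_gratuitous("192.168.1.1", "00e0-fc01-0000")    # Router B from the example
    spoof = build_gratuitous("192.168.1.1", "0200-0000-0099")   # constructed conflicting claim
    other = build_gratuitous("192.168.1.77", "0200-0000-0077")  # constructed unknown host

    dynamic = ArpTable(learn_gratuitous=True)
    events = [dynamic.receive(real), dynamic.receive(spoof)]

    fixed = ArpTable(learn_gratuitous=False)
    fixed.entries["192.168.1.1"] = ["00e0-fc01-0000", "dynamic"]  # e.g. found by a scan
    fixed.fix_all()
    events += [fixed.receive(spoof), fixed.receive(other)]
    return events, dynamic.entries, fixed.entries


if __name__ == "__main__":
    print(demo())
```

With learning enabled and only dynamic entries, the second packet silently rebinds the gateway address to the new MAC; with the entry fixed, the same packet leaves the table unchanged and is reported as a conflict.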

Configuring periodic sending of gratuitous ARP packets

Select Advanced > ARP Anti-Attack > Send Gratuitous ARP from the navigation tree to display the page
shown in Figure 356.

Figure 356 Send Gratuitous ARP configuration page

Table 161 Configuration

Item Description
Sending Interface
Select one or more interfaces on which gratuitous ARP packets will be sent out
periodically, and set the interval at which gratuitous ARP packets are sent.
To enable an interface to send out gratuitous ARP packets periodically, select the
interface from the Standby Interface list box, and click <<. To disable an interface
from periodic sending of gratuitous ARP packets, select the interface from the Sending
Interface list box, and click >>.
NOTE:
• You can enable periodic sending of gratuitous ARP packets on a maximum of
1024 interfaces.
• This feature takes effect only when the link of the enabled interface goes up and
an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is
effective at the next sending interval.
• The frequency of sending gratuitous ARP packets may be much lower than is
expected if this function is enabled on multiple interfaces, or if each interface is
configured with multiple secondary IP addresses, or if a small sending interval is
configured in the preceding cases.
• Do not configure this feature on an interface belonging to a VRRP group.

Configuring ARP automatic scanning


Do not perform other operations during an ARP automatic scan.
ARP automatic scanning may take some time. To stop an ongoing scan, click the Interrupt button.
Select Advanced > ARP Anti-Attack > Scan from the navigation tree to display the page shown in Figure
357.

Figure 357 ARP Scan configuration page

Table 162 Configuration

Item Description
Interface
Specify the interface on which to perform ARP automatic scanning.

Start IP Address, End IP Address
Enter the address range for ARP automatic scanning.
• To reduce the scanning time, you can specify the address range for
scanning. If the specified address range covers multiple network segments
of the interface's addresses, the sender IP address in the ARP request is the
interface's address on the smallest network segment.
• If no IP address range is specified, the device only scans the network where
the primary IP address of the interface resides for neighbors and sends ARP
requests in which the sender IP address is the primary IP address of the
interface.
NOTE:
• You must specify both the start IP address and the end IP address.
Otherwise, specify neither of them.
• Start and end IP addresses must be on the same network segment as the
primary IP address or a specific manually configured secondary IP address
of the interface. The end IP address must be higher than or equal to the start
IP address.

Also scan IP addresses of dynamic ARP entries
Select to scan IP addresses already existing in ARP entries.

After the preceding configuration is complete, click Scan to start an ARP automatic scan. To stop an
ongoing scan, click Interrupt. After the scanning is complete, a prompt Scanning is complete appears.
You can view the generated dynamic ARP entries by selecting Advanced > ARP Anti-Attack > Fixed ARP
from the navigation tree.

Configuring fixed ARP
NOTE:
• The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP entries manually
configured.
• The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries
that the device supports. As a result, the device may fail to change all dynamic ARP entries into static ARP entries.
• Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the
dynamic ARP entries are changed into static, new dynamic ARP entries may be created (suppose the number is M)
and some of the dynamic ARP entries may be aged out (suppose the number is N). After the process is complete,
the number of static ARP entries is D + S + M – N.

Select Advanced > ARP Anti-Attack > Fix from the navigation tree to display the page shown in Figure
358. The page displays all dynamic ARP entries and static ARP entries (including those manually
configured and changed by the fixed ARP feature).
Figure 358 Fixed ARP configuration page

• To change all dynamic ARP entries into static, click Fix All. This operation does not affect existing
static ARP entries.
• To remove all static ARP entries, click Del All Fixed. This operation does not affect dynamic ARP
entries.
• To change a specific dynamic ARP entry into a static ARP entry, select the ARP entry, and click Fix.
This operation does not take effect if you select a static ARP entry.
• To remove a specific static ARP entry, select the ARP entry, and click Del Fixed. This operation does
not take effect if you select a dynamic ARP entry.

Configuring IPsec VPN

You can perform the following IPsec VPN configurations in the web interface:
• Configuring an IPsec connection
• Displaying IPsec VPN monitoring information
IPsec is a security framework defined by the IETF for securing IP communications. It is a Layer 3 VPN
technology that transmits data in a secure tunnel established between two endpoints.
IPsec provides the following security services in insecure network environments:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting
the packets from being eavesdropped en route.
• Data integrity—The receiver verifies the packets received from the sender to make sure they are not
tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
IPsec delivers these benefits:
• Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol. IKE
provides automatic key negotiation and automatic IPsec SA setup and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services without
modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility and
greatly enhances IP security.
IKE is built on a framework defined by ISAKMP. It provides automatic key negotiation and SA
establishment services for IPsec, dramatically simplifying the application, management, configuration and
maintenance of IPsec.
Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them
and calculate shared keys. Even if a third party captures all exchanged data for calculating the keys, it
cannot calculate the keys.

NOTE:
For more information about IPsec and IKE, see HP A-MSR Router Series Security Configuration Guide.

Configuring IPsec VPN


Configuration task list
Table 163 IPsec VPN configuration task list

Task Remarks
Configuring an IPsec connection
Required.

Displaying IPsec VPN monitoring information
Optional.
Displays configuration and status information of IPsec connections and
information of IPsec tunnels.
Allows you to delete tunnels that are set up with configuration of an
IPsec connection and delete all ISAKMP SAs of all IPsec connections.

Configuring an IPsec connection


1. Select VPN > IPsec VPN from the navigation tree to display the IPsec connection management page.
Figure 359 IPsec connection management page

2. Click Add.
3. Configure basic parameters, as described in Table 164.

Figure 360 Add an IPsec connection

Table 164 Basic configuration

Item Description
IPsec Connection Name
Enter a name for the IPsec connection.

Interface
Select an interface where IPsec is performed.

Network Type
Select a network type: site-to-site or PC-to-site.

Remote Gateway Address/Hostname
Enter the address of the remote gateway: an IP address or a host name.
The IP address can be a host IP address or an IP address range. If the local end is
the initiator of IKE negotiation, it can have only one remote IP address, and its
remote IP address must match the local IP address configured on its peer. If the
local end is the responder of IKE negotiation, it can have more than one remote IP
address, and one of its remote IP addresses must match the local IP address
configured on its peer.
The remote host name uniquely identifies the remote gateway in the network and
can be resolved into an IP address by the DNS server. The local end can be the
initiator of IKE negotiation when the host name is specified.

Local Gateway Address
Enter the IP address of the local gateway.
By default, it is the primary IP address of the interface where the IPsec connection is
set up.
NOTE:
Configure this item when you want to specify a special address (a loopback interface
address, for example) for the local gateway. The name or IP address of the remote
gateway is required for an initiator so that the initiator can find the remote peer in
negotiation.

Authentication Method
Select the authentication method to be used by the IKE negotiation:
• Pre-Shared-Key—Uses the pre-shared key method. If this option is selected,
enter the key in the field.
• Certificate—Uses the digital signature method. If this option is selected, select a
certificate from the list. Available certificates are configured in the certificate
management.

Remote ID Type
Select the remote ID type for IKE negotiation phase 1:
• IP Address—Uses an IP address as the ID in IKE negotiation.
• FQDN—Uses an FQDN type of gateway name as the ID in IKE negotiation. If this
option is selected, the remote gateway ID is required.

Local ID Type
Select the local ID type for IKE negotiation phase 1:
• IP Address—Uses an IP address as the ID in IKE negotiation.
• FQDN—Uses an FQDN type as the ID in IKE negotiation. If this option is selected,
enter a name without any at sign (@) for the local security gateway (for example,
foo.bar.com).
• User FQDN—Uses a user FQDN type as the ID in IKE negotiation. If this option is
selected, enter a name string with an at sign (@) for the local security gateway (for
example, test@foo.bar.com).

NOTE:
• If the IKE negotiation initiator uses the FQDN or user FQDN ID type of the
security gateway as the ID for IKE negotiation, it sends its gateway ID to the peer,
and the peer uses the locally configured remote gateway ID to authenticate the
initiator. Make sure that the remote gateway ID configured here is identical to the
local gateway ID configured on its peer.
• In main mode, only the ID type of IP address can be used in IKE negotiation
and SA establishment.

Selector, Source Address/Wildcard, Destination Address/Wildcard
Select a method to identify the traffic to be protected by IPsec:
• Characteristics of Traffic—Identifies traffic to be protected based on the source
address/wildcard and destination address/wildcard specified.
• Designated by Remote Gateway—The data to be protected is determined by
the remote gateway.
NOTE:
• To make sure that SAs can be set up, configure the source address/wildcard
on one peer as the destination address/wildcard on the other, and the
destination address/wildcard on one peer as the source address/wildcard on
the other. If you do not configure the parameters this way, SAs can be set up
only when the IP addresses configured on one peer are subsets of those
configured on the other and the peer with the narrower address range initiates
SA negotiation.
• If the data range is designated by the remote gateway, the local peer cannot
initiate a negotiation.

Reverse Route Injection
Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop
and change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route
to the peer private network. You do not have to manually configure the static route.
NOTE:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must
be initiated by the remote gateway.
• IPsec RRI creates static routes when IPsec SAs are set up and deletes the static routes
when the IPsec SAs are deleted.
• To view the static routes created by IPsec RRI, select Advanced > Route Setup
[Summary] from the navigation tree.

Next Hop
Specify a next hop for the static routes.
If you do not specify any next hop, the remote tunnel endpoint's address learned
during IPsec SA negotiation is used.

Priority
Change the preference of the static routes.
Change the route preference for ECMP routing or route backup. If multiple routes
to the same destination have the same preference, traffic is balanced among them.
If multiple routes to the same destination have different preference values, the route
with the highest preference forwards traffic and all other routes are backup routes.

4. Click Advanced Configuration to expand the advanced configuration area.


5. Configure advanced parameters as described in Table 165.
6. Click Apply.

Figure 361 Advanced configuration

Table 165 Advanced configuration

Item Description
Phase 1

Exchange Mode
Select the IKE negotiation mode in phase 1: main or aggressive.
NOTE:
• If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE
negotiation mode must be aggressive. In this case, SAs can be established as long as
the username and password are correct.
• An IKE peer uses its configured IKE negotiation mode when it is the negotiation
initiator. A negotiation responder uses the IKE negotiation mode of the initiator.

Authentication Algorithm
Select the authentication algorithm to be used in IKE negotiation:
• SHA1—Uses HMAC-SHA1.
• MD5—Uses HMAC-MD5.

Encryption Algorithm
Select the encryption algorithm to be used in IKE negotiation:
• DES-CBC—Uses the DES algorithm in CBC mode and 56-bit key.
• 3DES-CBC—Uses the 3DES algorithm in CBC mode and 168-bit key.
• AES-128—Uses the AES algorithm in CBC mode and 128-bit key.
• AES-192—Uses the AES algorithm in CBC mode and 192-bit key.
• AES-256—Uses the AES algorithm in CBC mode and 256-bit key.

DH
Select the DH group to be used in key negotiation phase 1:
• Diffie-Hellman Group1—Uses the 768-bit Diffie-Hellman group.
• Diffie-Hellman Group2—Uses the 1024-bit Diffie-Hellman group.
• Diffie-Hellman Group5—Uses the 1536-bit Diffie-Hellman group.
• Diffie-Hellman Group14—Uses the 2048-bit Diffie-Hellman group.

SA Lifetime
Enter the ISAKMP SA lifetime in IKE negotiation.
Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it
takes effect immediately, and the old one is cleared automatically when it expires.
NOTE:
Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in
IKE negotiation takes time, especially on low-end devices. Set the lifetime to greater than
10 minutes to prevent the SA update from influencing normal communication.

Phase 2

Security Protocol
Select the security protocols to be used:
• ESP—Uses the ESP protocol.
• AH—Uses the AH protocol.
• AH-ESP—Uses ESP first and then AH.

AH Authentication Algorithm
Select the authentication algorithm for AH when you select AH or AH-ESP for
Security Protocol.
Available authentication algorithms include MD5 and SHA1.

ESP Authentication Algorithm
Select the authentication algorithm for ESP when you select ESP or AH-ESP for
Security Protocol.
You can select MD5 or SHA1, or select NULL so that ESP performs no authentication.
The ESP authentication algorithm and ESP encryption algorithm cannot be null at the
same time.

ESP Encryption Algorithm
Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security
Protocol:
• 3DES—Uses the 3DES algorithm and 168-bit key for encryption.
• DES—Uses the DES algorithm and 56-bit key for encryption.
• AES128—Uses the AES algorithm and 128-bit key for encryption.
• AES192—Uses the AES algorithm and 192-bit key for encryption.
• AES256—Uses the AES algorithm and 256-bit key for encryption.
• NULL—Performs no encryption.
NOTE:
• Higher security means more complex implementation and lower speed. DES is enough
to meet general requirements. Use 3DES when high confidentiality and security are
required.
• The ESP authentication algorithm and ESP encryption algorithm cannot be null at the
same time.

Encapsulation Mode
Select the IP packet encapsulation mode:
• Tunnel—Uses the tunnel mode.
• Transport—Uses the transport mode.

PFS
Enable and configure the PFS feature or disable the feature:
• None—Disables PFS.
• Diffie-Hellman Group1—Enables PFS and uses the 768-bit Diffie-Hellman group.
• Diffie-Hellman Group2—Enables PFS and uses the 1024-bit Diffie-Hellman group.
• Diffie-Hellman Group5—Enables PFS and uses the 1536-bit Diffie-Hellman group.
• Diffie-Hellman Group14—Enables PFS and uses the 2048-bit Diffie-Hellman group.
NOTE:
• DH Group14, DH Group5, DH Group2, and DH Group1 are in the descending order
of security and calculation time.
• When IPsec uses an IPsec connection with PFS configured to initiate negotiation, an
additional key exchange is performed in phase 2 for higher security.
• Two peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.

SA Lifetime
Enter the IPsec SA lifetime: time-based or traffic-based.
When negotiating to set up IPsec SAs, IKE uses the smaller one between the lifetime
set locally and the lifetime proposed by the peer.

DPD
Enable or disable IKE DPD.
DPD irregularly detects dead IKE peers. When the local end sends an IPsec packet,
DPD checks the time the last IPsec packet was received from the peer. If the time
exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives
no DPD acknowledgement within the DPD packet retransmission interval, it
retransmits the DPD hello. If the local end still receives no DPD acknowledgement
after having made the maximum number of retransmission attempts (two by default),
it considers the peer already dead, and it clears the IKE SA and the IPsec SAs based
on the IKE SA.

DPD Query Triggering Interval
Enter the interval after which DPD is triggered if no IPsec protected packet is
received from the peer.

DPD Packet Retransmission Interval
Enter the interval after which DPD packet retransmission occurs if no DPD response is
received.

Displaying IPsec VPN monitoring information


Select VPN > IPsec VPN from the navigation tree, and then click the Monitoring Information tab to display
the IPsec connection configuration and status information, as shown in Figure 362.
Select an IPsec connection. The lower part of the page shows the information of the IPsec tunnel that was
set up with the selected IPsec connection configuration.
To delete all ISAKMP SAs of all IPsec connections, click Delete ISAKMP SA. To delete IPsec tunnels that use
the configuration of an IPsec connection, select the IPsec connection, and then click Delete Selected
Connection's Tunnels.
Figure 362 Monitoring information

Table 166 IPsec connection list field

Field Description
Connection Status
Status of an IPsec connection:
• Connected
• Disconnected
• Unconfigured—The IPsec connection is disabled.

Last Connection Error
The most recent error, if any:
• ERROR_NONE—No error occurred.
• ERROR_QM_FSM_ERROR—State machine error.
• ERROR_PHASEI_FAIL—Error occurred in phase 1.
• ERROR_PHASEI_PROPOSAL_UNMATCHED—No matching security proposal in
phase 1.
• ERROR_PHASEII_PROPOSAL_UNMATCHED—No matching security proposal in
phase 2.
• ERROR_NAT_TRAVERSAL_ERROR—NAT traversal error.
• ERROR_PHASEII_FAIL—Error occurred in phase 2.
• ERROR_INVALID_SPI—SPI error.
• ERROR_UNKNOWN—Unknown error.

Table 167 IPsec tunnel list field

Field Description
Characteristics of Traffic
Characteristics of the IPsec protected traffic, including the source
address/wildcard, destination address/wildcard, protocol, source port, and
destination port.

SPI
The inbound and outbound SPIs and the security protocols used.

IPsec VPN configuration example


Network requirements
As shown in Figure 363, configure an IPsec tunnel between Router A and Router B to protect traffic
between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Enable IPsec RRI on Router A, and specify the
next hop as 2.2.2.2.
Figure 363 Network diagram

Configuring Router A
# Assign IP addresses to the interfaces. (Details not shown)
# Configure an IPsec connection.

Select VPN > IPsec VPN from the navigation tree, and then click Add. The IPsec connection configuration
page appears, as shown in Figure 364.
Figure 364 Add an IPsec connection

Perform the following operations on the page:


a. Enter map1 as the IPsec connection name.
b. Select interface Ethernet0/1.
c. Enter 2.2.3.1 as the remote gateway IP address.
d. Select Pre-Shared-Key, and enter abcde in the field.
e. In the Selector area, select Characteristics of Traffic as the selector type.
f. Specify 10.1.1.0/0.0.0.255 as the source address/wildcard.
g. Specify 10.1.2.0/0.0.0.255 as the destination address/wildcard.
h. Select Enable for RRI.
i. Enter 2.2.2.2 as the next hop.
j. Click Apply.

Configuring Router B
# Assign IP addresses to the interfaces. (Details not shown)
# Configure a static route to Host A.
Select Advanced > Route Setup from the navigation tree, and then click the Create tab.

Figure 365 Configure a static route to Host A

Perform the following operations on the page:


a. Enter 10.1.1.0 as the destination IP address.
b. Enter 24 as the mask.
c. Select the Interface checkbox, and then select Ethernet0/1 as the interface.
d. Click Apply.

# Configure an IPsec connection.


Select VPN > IPsec VPN from the navigation tree, and then click Add to display the IPsec connection
configuration page (see Figure 364). Perform the following configurations on the page:
a. Enter map1 as the IPsec connection name.
b. Select interface Ethernet0/1.
c. Enter 2.2.2.1 as the remote gateway IP address.
d. Select Pre-Shared-Key, and enter abcde in the field.
e. In the Selector area, select Characteristics of Traffic as the selector type.
f. Specify 10.1.2.0/0.0.0.255 as the source address/wildcard.
g. Specify 10.1.1.0/0.0.0.255 as the destination address/wildcard.
h. Click Apply.

Verifying the configuration


After you complete the configuration, packets to be exchanged between subnet 10.1.1.0/24 and subnet
10.1.2.0/24 trigger the negotiation of SAs by IKE. After IKE negotiation succeeds and the IPsec SAs are
established, a static route to subnet 10.1.2.0/24 via 2.2.2.2 is added to the routing table on Device A,
and traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec.
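
The selector rule from the connection settings, checked against the Router A and Router B values above, as an added example (not HP's code and not router output). The function names, the contiguous-wildcard assumption and the constructed variants of Router B's settings are this example's own.

```python
import ipaddress


def to_network(selector):
    """Turn 'address/wildcard' (for example '10.1.1.0/0.0.0.255') into a network.

    Assumption of this example: the wildcard is a contiguous inverse mask.
    """
    addr, wildcard = selector.split("/")
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                      # low bits must be one unbroken run of 1s
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    prefix_len = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefix_len), strict=False)


def negotiation_outcome(peer_a, peer_b):
    """Apply the selector rule to two peers.

    Each peer is (source, destination) as 'address/wildcard' strings, or None
    when its selector is 'Designated by Remote Gateway'.
    Returns (verdict, tuple of peers that can initiate SA negotiation).
    """
    if peer_a is None and peer_b is None:
        return "no-initiator", ()          # neither side can start a negotiation
    if peer_a is None:
        return "designated-by-remote", ("B",)
    if peer_b is None:
        return "designated-by-remote", ("A",)

    a_src, a_dst = map(to_network, peer_a)
    b_src, b_dst = map(to_network, peer_b)

    # Recommended setup: each side's source is the other side's destination.
    if a_src == b_dst and a_dst == b_src:
        return "mirrored", ("A", "B")
    # Otherwise SAs come up only if one side's ranges are subsets of the
    # other's, and only when the narrower side initiates.
    if a_src.subnet_of(b_dst) and a_dst.subnet_of(b_src):
        return "subset", ("A",)
    if b_src.subnet_of(a_dst) and b_dst.subnet_of(a_src):
        return "subset", ("B",)
    return "mismatch", ()


# Values from the configuration example above.
ROUTER_A = ("10.1.1.0/0.0.0.255", "10.1.2.0/0.0.0.255")
ROUTER_B = ("10.1.2.0/0.0.0.255", "10.1.1.0/0.0.0.255")
# Constructed variants of Router B's settings, for illustration only.
WIDER_B = ("10.1.0.0/0.0.255.255", "10.1.1.0/0.0.0.255")      # source widened to /16
UNSWAPPED_B = ("10.1.1.0/0.0.0.255", "10.1.2.0/0.0.0.255")    # copied from A, not mirrored

if __name__ == "__main__":
    cases = [("as configured", ROUTER_B), ("wider source on B", WIDER_B),
             ("copied without swapping", UNSWAPPED_B), ("designated by remote", None)]
    for label, peer_b in cases:
        verdict, initiators = negotiation_outcome(ROUTER_A, peer_b)
        print(f"{label:26} {verdict:22} initiators: {', '.join(initiators) or 'none'}")
```
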

Configuration guidelines
When you configure IPsec, follow these guidelines:

• Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51
and 50, respectively. Make sure that flows of these protocols are not denied on the interfaces with
IKE or IPsec configured.
• If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different
queues by QoS, causing some packets to be sent out of order. As IPsec performs anti-replay
operation, packets outside the anti-replay window in the inbound direction may be discarded,
resulting in packet loss. When using IPsec together with QoS, make sure that the classification of
traffic in IPsec is the same as the classification of traffic in QoS.
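
The second guideline, shown as an added example that is not part of the HP guide: a receiver-side anti-replay window in the style of RFC 4303, fed a constructed arrival order in which QoS holds back part of one SA's packets. The 64-packet window, the two-queue delay model and all names are assumptions; the guide does not state the router's window size.

```python
from collections import Counter


class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers."""

    def __init__(self, size=64):             # window size is an assumption
        self.size = size
        self.top = 0                          # highest sequence number accepted
        self.bitmap = 0                       # bit i set: (top - i) was accepted

    def check(self, seq):
        """Classify one packet whose integrity check is assumed to have passed."""
        if seq < 1:
            return "drop:invalid"
        if seq > self.top:                    # new right edge: slide the window
            shifted = (self.bitmap << (seq - self.top)) | 1
            self.bitmap = shifted & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:               # fell off the left edge
            return "drop:outside-window"
        if self.bitmap & (1 << offset):       # already seen
            return "drop:replay"
        self.bitmap |= 1 << offset
        return "accept"


def qos_reorder(seqs, low_priority, delay):
    """Constructed two-queue model: packets classified as low priority are
    held until `delay` later packets of the same SA have been handled."""
    arrival, held = [], []                    # held: (release index, seq)
    for i, seq in enumerate(seqs):
        while held and held[0][0] <= i:
            arrival.append(held.pop(0)[1])
        if low_priority(seq):
            held.append((i + delay, seq))
        else:
            arrival.append(seq)
    arrival.extend(seq for _, seq in held)    # flush what is still queued
    return arrival


def receive(arrival, size=64):
    """Run an arrival order through a fresh window and count the verdicts."""
    window = AntiReplayWindow(size)
    return dict(Counter(window.check(seq) for seq in arrival))


SENT = range(1, 401)                          # one SA, 400 packets (constructed)


def every_fourth(seq):
    """QoS classification that splits the SA: every 4th packet is low priority."""
    return seq % 4 == 0


def same_class(seq):
    """QoS classification that matches IPsec: the whole SA stays in one queue."""
    return False


if __name__ == "__main__":
    print("same class           ", receive(qos_reorder(SENT, same_class, 100)))
    print("split, delay 32 pkts ", receive(qos_reorder(SENT, every_fourth, 32)))
    print("split, delay 100 pkts", receive(qos_reorder(SENT, every_fourth, 100)))
```

Reordering that stays inside the window costs nothing; once the delay exceeds the window, the held-back packets are discarded even though none of them is a replay.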

Configuring L2TP

You can enable L2TP, configure an L2TP group, and display L2TP tunnel information in the web interface
of the LNS.
A VPDN is a VPN that utilizes the dial-up function of public networks such as ISDN or PSTN networks to
provide access services for enterprises, small ISPs, and telecommuters. VPDN provides an economical
and effective, point-to-point way for remote users to connect to their private LANs.
The VPDN technology uses a tunneling protocol to build secure VPNs across public networks for
enterprises. Branches away from the headquarters and staff on business trips can remotely access the
Intranet resources in the headquarters through a virtual tunnel over public networks, while other users on
the public networks cannot.
There are primarily three VPDN tunneling protocols:
• PPTP
• L2F
• L2TP
L2TP is the most widely-used VPDN tunneling protocol. Figure 366 shows a typical VPDN built by using
L2TP.
Figure 366 VPDN built by using L2TP

A VPDN built by using L2TP comprises three components: remote system, LAC, and LNS.
Remote system
A remote system is usually a remote user's host or a remote branch's routing device that has to access the
VPDN network.
LAC
An LAC is a device that has PPP and L2TP capabilities. An LAC is usually a NAS located at a local ISP,
which provides access services mainly for PPP users.
An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It encapsulates
packets received from a remote system using L2TP and then sends the resulting packets to the LNS. It
de-encapsulates packets received from the LNS and then sends the resulting packets to the intended
remote system.
Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used in a
VPDN application.
LNS
An LNS functions as both the L2TP server and the PPP end system. It is usually an edge device on an
enterprise network.
An LNS is the other endpoint of an L2TP tunnel and is a peer to the LAC. It is the logical termination point
of a PPP session tunneled by the LAC. L2TP logically extends the termination point of a PPP session from
a NAS to an LNS.

NOTE:
For more information about L2TP, see HP A-MSR Router Series Layer 2—WAN Configuration Guide.

Configuring L2TP
Recommended configuration procedure
Step Remarks
Enabling L2TP
Required.
By default, L2TP is disabled.

Adding an L2TP group
Required.
Create an L2TP group, and configure L2TP group related parameters.
By default, no L2TP group exists.

Displaying L2TP tunnel information
Optional.
View the L2TP tunnel information.

Enabling L2TP
Select VPN > L2TP > L2TP Config from the navigation tree to display the L2TP configuration page, as
shown in Figure 367. On the upper part of the page, you can enable or disable L2TP.

Figure 367 L2TP configuration page

Table 168 Configuration item for enabling L2TP

Item Description
Enable L2TP Specify whether to enable L2TP globally.

Adding an L2TP group


Select VPN > L2TP > L2TP Config from the navigation tree to display the L2TP configuration page, as
shown in Figure 367. On the lower part of the page, you can view and configure L2TP groups. Click Add
to add an L2TP group, as shown in Figure 368.
Figure 368 Add an L2TP group

Table 169 Configuration for adding an L2TP group

Item Description
L2TP Group Name Specify the name of the L2TP group.

Peer Tunnel Name Specify the peer name of the tunnel.

Local Tunnel Name Specify the local name of the tunnel.

Tunnel Authentication
Authentication Password
Enable or disable L2TP tunnel authentication in the group. If you
enable tunnel authentication, set the authentication password.
Either the LAC or LNS end can initiate a tunnel authentication
request. If tunnel authentication is enabled on one end, the tunnel
can be established successfully only if the other end is also
enabled with tunnel authentication and the two ends are
configured with the same authentication passwords. If tunnel
authentication is disabled on both ends, authentication
passwords do not take effect.
NOTE:
• Normally, you must enable tunnel authentication on both
ends of the tunnel for security. You can disable tunnel
authentication to test the network connectivity or to let the
local end receive connections initiated by unknown peers.
• To change the tunnel authentication password, do so after
tearing down the tunnel. Otherwise, your change does not
take effect.

PPP Authentication Configuration

Authentication Method
Select the authentication method for PPP users on the local end.
You can select PAP or CHAP. If you do not select an
authentication method, no authentication is performed.

ISP Domain
Specify the ISP domain for PPP user authentication. You can:
• Click Add to display the page for adding an ISP domain, as
shown in Figure 369. See Table 170 for configuration
details.
• Select an ISP domain and click Modify to display the ISP
domain modification page. See Table 170 for configuration
details.
• Select an ISP domain and click Delete to delete the ISP
domain.
NOTE:
• If you specify an ISP domain, the specified domain is used for
authentication, and IP addresses must be assigned from the
address pool configured in the specified domain. See the
description of the User Address parameter for details.
• If you do not specify any ISP domain, the system checks
whether domain information is carried in a username. If it is,
the domain is used for authentication (if the domain does not
exist, the authentication fails). Otherwise, the default domain
(system by default) is used for authentication.

PPP Address

PPP Server IP/Mask
Specify the IP address and mask of the local end.

User Address
Specify the address pool for assigning IP addresses to users on
the peer end, or assign an IP address to a user directly.
If you have specified an ISP domain in PPP authentication
configuration, the address pools in the ISP domain are listed in
the User Address list. You can:
• Click Add to add an address pool, as shown in Figure 370.
See Table 171 for configuration details.
• Select an address pool and click Modify to display the
address pool modification page. See Table 171 for
configuration details.
• Select an address pool and click Delete to delete the address
pool.

Assign Address Forcibly
Specify whether to force the peer end to use the IP address
assigned by the local end. If you enable this function, the peer
end is not allowed to use its locally configured IP address.

Advanced Configuration

Hello Interval
Specify the interval between sending hello packets.
To check the connectivity of a tunnel, the LAC and LNS regularly
send hello packets to each other. Upon receipt of a hello packet,
the LAC or LNS returns a response packet. If the LAC or LNS
receives no hello response packet from the peer within a
specified period of time, it retransmits the hello packet. If it
receives no response packet from the peer after transmitting the
hello packet three times, it considers that the L2TP tunnel is down
and tries to re-establish a tunnel with the peer.
The intervals on the LAC and LNS ends of a tunnel can be
different.

AVP Hidden
Specify whether to transfer AVP data in hidden mode.
With L2TP, some parameters are transferred as AVP data. You
can configure an LAC to transfer AVP data in hidden mode
(encrypt AVP data before transmission, for higher security).
This configuration does not take effect on the LNS.

Flow Control
Specify whether to enable flow control for the L2TP tunnel.
The L2TP tunnel flow control function is for control of data packets
in transmission. The flow control function helps in buffering and
adjusting the received out-of-order data packets.

Mandatory CHAP
Mandatory LCP
Configure user authentication on an LNS.
An LNS may be configured to authenticate a user who has
passed authentication on the LAC to increase security. In this
case, an L2TP tunnel can be set up only when both of the
authentications succeed. An LNS can authenticate users in three
ways: mandatory CHAP authentication, LCP re-negotiation, and
proxy authentication.
• Mandatory CHAP authentication—With mandatory CHAP
authentication configured, a VPN user who depends on a
NAS to initiate tunneling requests is authenticated twice:
once when accessing the NAS and once on the LNS by using
CHAP.
• LCP re-negotiation—For a PPP user who depends on a NAS
to initiate tunneling requests, the user first performs PPP
negotiation with the NAS. If the negotiation succeeds, the
NAS initiates an L2TP tunneling request and sends the user
authentication information to the LNS. The LNS then
determines whether the user is valid according to the user
authentication information received. Under some
circumstances (when authentication and accounting are
required on the LNS for example), another round of LCP
negotiation is required between the LNS and the user. In this
case, the user authentication information from the NAS is
neglected.
• Proxy authentication—If neither LCP re-negotiation nor
mandatory CHAP authentication is configured, an LNS
performs proxy authentication of users. In this case, the LAC
sends to the LNS all authentication information from users as
well as the authentication mode configured on the LAC itself.
NOTE:
• Among these three authentication methods, LCP
re-negotiation has the highest priority. If both LCP
re-negotiation and mandatory CHAP authentication are
configured, the LNS uses LCP re-negotiation and the PPP
authentication method configured in the L2TP group.
• With LCP re-negotiation, if no PPP authentication method is
configured in the L2TP group, the LNS does not
re-authenticate users. It assigns public addresses to the PPP
users immediately. In other words, the users are
authenticated only once at the LAC end.
• Some PPP clients may not support re-authentication, in which
case, LNS side CHAP authentication fails.
• When the LNS uses proxy authentication and the user
authentication information received from the LAC is valid: if
the authentication method configured in the L2TP group is
PAP, the proxy authentication succeeds and a session can be
established for the user. If the authentication method
configured in the L2TP group is CHAP but that configured on
the LAC is PAP, the proxy authentication fails, and no session
can be set up. This is because the level of CHAP
authentication, which is required by the LNS, is higher than
that of PAP authentication, which the LAC provides.
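
The LNS authentication priority rules and the tunnel authentication rule from this table, written out as an added example (not HP code). Field and function names are this example's own, the groups are constructed, and the outcome for CHAP on both the LAC and the LNS is an assumption because the guide states only the failing PAP case.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class L2tpGroup:
    """LNS-side L2TP group settings; field names are this example's own."""
    name: str
    tunnel_auth: bool
    ppp_auth_method: Optional[str] = None    # "PAP", "CHAP" or None (not selected)
    mandatory_chap: bool = False
    mandatory_lcp: bool = False


def tunnel_comes_up(local_enabled, local_pw, peer_enabled, peer_pw):
    """Tunnel authentication: enabled on both ends with one password, or on neither."""
    if local_enabled or peer_enabled:
        return local_enabled and peer_enabled and local_pw == peer_pw
    return True                               # disabled on both ends: passwords unused


def lns_user_auth(group, lac_method, client_can_reauth=True):
    """Return (mode, session_ok, checked_by_lns) for a NAS-initiated session.

    lac_method is the method the LAC used ("PAP" or "CHAP"); the user
    information forwarded by the LAC is taken to be valid.
    """
    if group.mandatory_lcp:                   # highest priority of the three
        # Without a PPP method in the group the LNS does not re-authenticate.
        return "lcp-renegotiation", True, group.ppp_auth_method is not None
    if group.mandatory_chap:
        # Clients that cannot re-authenticate fail the LNS-side CHAP.
        return "mandatory-chap", client_can_reauth, client_can_reauth
    if group.ppp_auth_method is None:
        return "proxy", True, False           # no method selected: no authentication
    if group.ppp_auth_method == "CHAP" and lac_method == "PAP":
        return "proxy", False, False          # LNS requires CHAP, LAC supplies PAP
    # PAP in the group succeeds per the guide; CHAP on both ends is assumed to.
    return "proxy", True, True


def audit(group):
    """List the settings of a group that weaken or bypass authentication."""
    findings = []
    if not group.tunnel_auth:
        findings.append("tunnel authentication disabled: unknown peers can connect")
    if group.mandatory_lcp and group.mandatory_chap:
        findings.append("mandatory CHAP has no effect: LCP re-negotiation takes priority")
    if group.ppp_auth_method is None:
        if group.mandatory_lcp:
            findings.append("LCP re-negotiation without a PPP method: "
                            "users are authenticated only at the LAC")
        elif not group.mandatory_chap:
            findings.append("no PPP authentication method: LNS performs no user authentication")
    return findings


# Constructed groups. "test" uses the tunnel authentication and PPP method
# values of this guide's client-initiated VPN example.
GROUPS = [
    L2tpGroup("test", tunnel_auth=False, ppp_auth_method="CHAP"),
    L2tpGroup("branch", tunnel_auth=True, mandatory_lcp=True),
    L2tpGroup("partner", tunnel_auth=True, ppp_auth_method="CHAP",
              mandatory_chap=True, mandatory_lcp=True),
    L2tpGroup("hq", tunnel_auth=True, ppp_auth_method="CHAP"),
]

if __name__ == "__main__":
    for g in GROUPS:
        for lac in ("PAP", "CHAP"):
            print(g.name, "LAC uses", lac, "->", lns_user_auth(g, lac))
        for finding in audit(g):
            print("   !", finding)
```
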

Figure 369 Add an ISP domain

Table 170 Configuration for adding an ISP

Item Description
ISP Domain Specify the name of the ISP domain.

Authentication Methods

Primary
Select the primary authentication method for PPP users:
• HWTACACS—HWTACACS authentication, which uses the HWTACACS
scheme system.
• Local—Local authentication.
• None—No authentication. If you select None, all users are trusted, and
no authentication is performed.
• RADIUS—RADIUS authentication, which uses the RADIUS scheme
system.
• If you do not select any authentication method, the default
authentication method of the ISP domain is used, which is Local by
default.

Backup
Specify whether to use local authentication as the backup authentication
method. This item is available only when you select HWTACACS or
RADIUS as the primary authentication method.

Authorization Methods

Primary
Select the primary authorization method for PPP users:
• HWTACACS—HWTACACS authorization, which uses the HWTACACS
scheme system.
• Local—Local authorization.
• None—No authorization. If you select None, the access device does not
perform authorization for PPP users. After passing authentication, PPP
users can directly access the network.
• RADIUS—RADIUS authorization, which uses the RADIUS scheme
system.
• If you do not select any authorization method, the default authorization
method of the ISP domain is used, which is Local by default.

Backup
Specify whether to use local authorization as the backup authorization
method. This item is available only when you select HWTACACS or
RADIUS as the primary authorization method.

Accounting Optional
Specify whether to enable the accounting optional function.
For an online user, with the accounting optional function disabled, if no
accounting server is available or if communication with the current
accounting server fails, the user is disconnected. However, with the
accounting optional function enabled, the user can still use the network
resources in such case, but the system does not send the accounting
information of the user to the accounting server.

Accounting Methods

Primary
Select the primary accounting method for PPP users:
• HWTACACS—HWTACACS accounting, which uses the HWTACACS
scheme system.
• Local—Local accounting.
• None—No accounting. If you select None, the system does not perform
accounting for the users.
• RADIUS—RADIUS accounting, which uses the RADIUS scheme system.
• If you do not select any accounting method, the default accounting
method of the ISP domain is used, which is Local by default.

Backup
Specify whether to use local accounting as the backup accounting method.
This item is available only when you select HWTACACS or RADIUS as the
primary accounting method.

Max. Number of Users
Specify the maximum number of users the ISP domain can accommodate. If
you do not specify the maximum number, the system does not limit the
number of users of the ISP domain.
Because users may compete for resources, setting a proper limit on the
number of users of an ISP domain helps guarantee performance for the
users of the ISP domain.

Figure 370 Add an address pool

Table 171 Configuration for adding an IP address pool

Item Description
ISP Domain
Select the ISP domain for the IP address pool to be created.

IP Address Pool Number
Specify the number of the IP address pool.
If you set the IP address pool number to 1, the name of the IP address pool
is pool1.

Start IP
End IP
Specify the start IP address and end IP address of the IP address pool.
The number of addresses between the start IP address and end IP address
must not exceed 1024. If you specify only the start IP address, the IP
address pool contains only one IP address (the start IP address).

Displaying L2TP tunnel information


Select VPN > L2TP > Tunnel Info from the navigation tree to display the L2TP tunnel information page, as
shown in Figure 371.
Figure 371 L2TP tunnel information

Table 172 L2TP tunnel information

Item Description
Local Tunnel ID Local ID of the tunnel

Peer Tunnel ID Peer ID of the tunnel

Peer Tunnel Port Peer port of the tunnel

Peer Tunnel IP Peer IP address of the tunnel

Session Count Number of sessions on the tunnel

Peer Tunnel Name Peer name of the tunnel

L2TP configuration example


Client-initiated VPN configuration example
Network requirements
As shown in Figure 372, a VPN user accesses the corporate headquarters as follows:
1. The user first connects to the Internet, and then initiates a tunneling request to the LNS directly.
2. After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the VPN
user.
3. The VPN user communicates with the headquarters over the tunnel.
Figure 372 Network diagram

Configuration procedure
1. Configure the VPN user.
Assign an IP address (2.1.1.1, in this example) to the user host, configure a route to ensure the
reachability of the LNS (1.1.2.2), and create a virtual private network connection using the Windows
operating system, or install L2TP client software such as WinVPN Client and connect to the Internet in
dial-up mode. Then, perform the following configurations (the configuration order may vary with the client
software):
a. Specify the VPN username as vpdnuser and the password as Hello.
b. Set the Internet interface address of the security gateway as the IP address of the LNS. In this
example, the Ethernet interface on the LNS, the interface for the tunnel, has an IP address of
1.1.2.2.
c. Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to
customized and the authentication mode to CHAP.
2. Configure the LNS.
# Configure IP addresses for interfaces. (Details not shown)
# Configure a route to ensure the reachability of the user host.
# Create a local user named vpdnuser, and set the password to Hello and the service type to PPP.
a. Select System Management > Users from the navigation tree, and then click the Create User tab
and perform the configurations shown in Figure 373.

Figure 373 Add a local user

b. Enter vpdnuser as the username.


c. Select access level Configure.
d. Enter the password Hello.
e. Enter Hello to confirm the password.
f. Select PPP Service as the service type.
g. Click Apply.

# Enable L2TP.
• Select VPN > L2TP > L2TP Config from the navigation tree, and then perform the configurations
shown in Figure 374.
Figure 374 Enable L2TP

a. Select the Enable L2TP checkbox.


b. Click Apply.

# Add an L2TP group.


a. On the L2TP configuration page, click Add, and then perform the following configurations.

b. Enter the L2TP group name test.
c. Enter the peer tunnel name vpdnuser.
d. Enter the local tunnel name LNS.
e. Select Disable for Tunnel Authentication.
f. Select CHAP as the PPP authentication method.
g. Select ISP domain system (the default ISP domain).
h. Click the Modify button of the ISP domain to perform the configurations shown in Figure 375.

Figure 375 Select local authentication for VPN users

a. Select the server type Local as the PPP authentication method.


b. Click Apply to return to the L2TP group configuration page.
c. Enter 192.168.0.1/255.255.255.0 as the PPP server IP address/mask.
d. Click the Add button of the User Address parameter, and then perform the configurations shown
in Figure 376.
Figure 376 Add an IP address pool

a. Select domain system.


b. Enter 1 as the IP address pool number.
c. Enter the start IP address 192.168.0.2.

d. Enter the end IP address 192.168.0.100.
e. Click Apply to finish the IP address pool configuration and return to the L2TP group configuration
page.
f. Select pool1 from the User Address list.
g. Select Enable from the Assign Address Forcibly list. Figure 377 shows the L2TP group
configuration page after the above configurations.
h. Click Apply.

Figure 377 L2TP group configurations

Verifying the configuration


# On the user host, initiate an L2TP connection to the LNS. The host obtains an IP address (192.168.0.2)
and is able to ping the private address of the LNS (192.168.0.1).
# On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the established
L2TP tunnel should appear, as shown in Figure 378.

Figure 378 L2TP tunnel information

Configuring GRE

You can configure GRE over IPv4 tunnels in the web interface.
GRE is a protocol designed for encapsulating and carrying the packets of one network layer protocol (for
example, IP or IPX) over another network layer protocol (for example, IP). GRE is a tunneling technology
and serves as a Layer 3 tunneling protocol.
A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are
encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 379 depicts the
encapsulation and de-encapsulation processes.
Figure 379 X protocol networks interconnected through the GRE tunnel

NOTE:
For more information about GRE, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

Configuring a GRE over IPv4 tunnel


Configuration prerequisites
Interfaces on a device, such as VLAN interfaces, Ethernet interfaces, and loopback interfaces, are
configured with IPv4 addresses and can communicate. Such an interface can be used as the source of a
virtual tunnel interface to ensure the reachability of the tunnel destination address.

Recommended configuration procedure


Step Remarks
Creating a GRE tunnel
Required.
Create a tunnel interface, and configure GRE tunnel related parameters.

Configuring a route through the tunnel
Optional.
Each end of the tunnel must have a route (static or dynamic) through the
tunnel to the other end, so that GRE encapsulated packets can be
forwarded normally.
For more configuration information, see "Configuring routes."

Creating a GRE tunnel


Select VPN > GRE from the navigation tree to display the GRE tunnel configuration page, as shown
in Figure 380. Then, click Add to add a GRE tunnel, as shown in Figure 381.

Figure 380 GRE tunnel configuration page

Figure 381 Add a GRE tunnel

Table 173 GRE tunnel configuration

Item Description

Tunnel Interface: Specify the number of the tunnel interface.

IP/Mask: Specify the IP address and subnet mask of the tunnel interface.
NOTE:
When configuring a static route on the tunnel interface, the destination IP address of the static route
must not be in the subnet of the tunnel interface.

Tunnel Source IP/Interface, Tunnel Destination IP: Specify the source IP address and destination IP
address for the tunnel interface.
For the tunnel source address, you can enter an IP address or select an interface. In the latter case, the
primary IP address of the interface is used as the tunnel source address.
NOTE:
The source address and destination address of a tunnel uniquely identify a path. They must be configured
at both ends of the tunnel, and the source address at one end must be the destination address at the
other end and vice versa.

GRE Key: Specify the key for the GRE tunnel interface. This configuration is to prevent the tunnel ends
from servicing or receiving packets from other places.
NOTE:
The two ends of a tunnel must have the same key or have no key at the same time.

GRE Packet Checksum: Enable or disable the GRE packet checksum function.

Keepalive: Enable or disable the GRE keepalive function.
With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive packets
from the tunnel interface periodically. If no response is received from the peer within the specified
interval, the device retransmits the keepalive packet. If the device still receives no response from the
peer after sending the keepalive packet for the maximum number of attempts, the local tunnel interface
goes down and stays down until it receives a keepalive acknowledgement packet from the peer.

Keepalive Interval, Number of Retries: Specify the interval between sending the keepalive packets and the
maximum number of transmission attempts.
These two configuration items are available when you select Enable for the GRE keepalive function.

GRE over IPv4 tunnel configuration example


Network requirements
As shown in Figure 382, Router A and Router B are interconnected through the Internet. Two private IP
subnets, Group 1 and Group 2, are interconnected through a GRE tunnel between Router A and Router
B.
Figure 382 Network diagram for a GRE over IPv4 tunnel

NOTE:
Before performing the configuration, make sure that Router A and Router B can reach each other.

Configuration procedure
1. Configure Router A.
# Configure an IPv4 address for interface Ethernet 0/0.
Select Interface Setup > WAN Interface Setup from the navigation tree of Router A. Click the icon of
interface Ethernet 0/0, and then perform the configurations shown in Figure 383:

Figure 383 Configure interface Ethernet 0/0

a. Select Manual for Connect Mode.


b. Enter IP address 10.1.1.1.
c. Select IP mask 24 (255.255.255.0).
d. Click Apply.

# Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel.
Click the icon of interface Ethernet 0/1, and then perform the configurations shown in Figure 384.

Figure 384 Configure interface Ethernet 0/1

a. Select Manual for Connect Mode.


b. Enter IP address 1.1.1.1.
c. Select IP mask 24 (255.255.255.0).
d. Click Apply.

# Create a GRE tunnel.


Select VPN > GRE from the navigation tree. Click Add, and then perform the configurations shown
in Figure 385:

Figure 385 Set up a GRE tunnel

a. Enter 0 in the Tunnel Interface field.


b. Enter IP address/mask 10.1.2.1/24.
c. Enter the source end IP address 1.1.1.1, the IP address of Ethernet 0/1.
d. Enter the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B.
e. Click Apply.

# Configure a static route from Router A through interface Tunnel 0 to Group 2.


Select Advanced > Route Setup from the navigation tree. Click the Create tab, and then perform the
configurations shown in Figure 386.
Figure 386 Add a static route from Router A through interface Tunnel 0 to Group 2

a. Enter 10.1.3.0 as the destination IP address.


b. Enter mask 24.
c. Select the Interface checkbox, and then select egress interface Tunnel0.
d. Click Apply.

2. Configure Router B.
# Configure an IPv4 address for interface Ethernet 0/0.
Select Interface Setup > WAN Interface Setup from the navigation tree. Click the icon of interface
Ethernet 0/0, and then perform the configurations shown in Figure 387.
Figure 387 Configure interface Ethernet 0/0

a. Select Manual for Connect Mode.


b. Enter IP address 10.1.3.1.
c. Select IP mask 24 (255.255.255.0).
d. Click Confirm.

# Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel.
Click the icon of interface Ethernet 0/1, and then perform the configurations shown in Figure 388.

Figure 388 Configure interface Ethernet 0/1

a. Select Manual for Connect Mode.


b. Enter IP address 2.2.2.2.
c. Select IP mask 24 (255.255.255.0).
d. Click Confirm.

# Create a GRE tunnel.


Select VPN > GRE from the navigation tree. Click Add, and then perform the configurations shown
in Figure 389:
Figure 389 Set up a GRE tunnel

a. Enter 0 in the Tunnel Interface field.
b. Enter IP address/mask 10.1.2.2/24.
c. Enter the source end IP address 2.2.2.2, the IP address of Ethernet 0/1.
d. Enter the destination end IP address 1.1.1.1, the IP address of Ethernet 0/1 on Router A.
e. Click Apply.

# Configure a static route from Router B through interface Tunnel 0 to Group 1.


Select Advanced > Route Setup from the navigation tree. Click the Create tab, and then perform the
configurations shown in Figure 390.
Figure 390 Add a static route from Router B through interface Tunnel 0 to Group 1

a. Enter 10.1.1.0 as the destination IP address.


b. Enter mask 24.
c. Select the Interface checkbox, and then select egress interface Tunnel0.
d. Click Apply.
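The settings of both tunnel ends can be checked against the rules in Table 173 before they are entered. The following is an added example, not part of the HP guide: the GreEnd class and check_tunnel function are hypothetical names, the tunnel source is assumed to be given as an IP address rather than an interface, and BROKEN_B is a constructed misconfiguration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GreEnd:
    """Settings of one tunnel end, as entered on the Add GRE tunnel page."""
    name: str
    tunnel_ip: str                 # IP/Mask of the tunnel interface
    source: str                    # Tunnel Source IP (an address, not an interface name)
    destination: str               # Tunnel Destination IP
    key: Optional[int] = None      # GRE Key; None means no key is configured
    routes: List[str] = field(default_factory=list)  # static routes through the tunnel


def check_tunnel(a: GreEnd, b: GreEnd) -> List[str]:
    """Return one message per Table 173 rule that the pair of tunnel ends violates."""
    problems = []
    ip = ipaddress.ip_address

    # The source address at one end must be the destination at the other, and vice versa.
    if ip(a.source) != ip(b.destination):
        problems.append(
            f"{a.name} source {a.source} is not {b.name} destination {b.destination}")
    if ip(b.source) != ip(a.destination):
        problems.append(
            f"{b.name} source {b.source} is not {a.name} destination {a.destination}")

    # Both ends must carry the same key, or neither end carries one.
    if a.key != b.key:
        problems.append(f"GRE key mismatch: {a.name}={a.key}, {b.name}={b.key}")

    # The destination of a static route on the tunnel interface must not be
    # in the subnet of the tunnel interface itself.
    for end in (a, b):
        tunnel_net = ipaddress.ip_interface(end.tunnel_ip).network
        for route in end.routes:
            if ipaddress.ip_network(route).subnet_of(tunnel_net):
                problems.append(
                    f"{end.name} route {route} lies inside tunnel subnet {tunnel_net}")
    return problems


# Values taken from the configuration example above.
ROUTER_A = GreEnd("Router A", "10.1.2.1/24", "1.1.1.1", "2.2.2.2",
                  routes=["10.1.3.0/24"])
ROUTER_B = GreEnd("Router B", "10.1.2.2/24", "2.2.2.2", "1.1.1.1",
                  routes=["10.1.1.0/24"])

# Constructed misconfiguration: wrong peer address, a key on one end only,
# and a static route whose destination is the tunnel subnet itself.
BROKEN_B = GreEnd("Router B", "10.1.2.2/24", "2.2.2.2", "1.1.1.10", key=42,
                  routes=["10.1.2.0/24"])

if __name__ == "__main__":
    for peer in (ROUTER_B, BROKEN_B):
        result = check_tunnel(ROUTER_A, peer)
        print("OK" if not result else "\n".join(result))
```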

Verifying the configuration


# On Router B, ping the IP address of Ethernet 0/0 of Router A.
a. Select Other > Diagnostic Tools from the navigation tree of Router B, and then click the Ping tab.
b. Enter the destination IP address 10.1.1.1.
c. Click Start.
d. View the result of the ping operation in the Summary area, as shown in Figure 391.

Figure 391 Verify the configuration

Configuring certificate management

You can do the following to configure certificate management on the web interface:
• Creating a PKI entity
• Creating a PKI domain
• Generating an RSA key pair
• Destroying the RSA key pair
• Retrieving and displaying a certificate
• Requesting a local certificate
• Retrieving and displaying a CRL
PKI is a general security infrastructure for providing information security through public key technologies,
and it is the most widely applied encryption mechanism. HP's PKI system provides certificate management
for IPsec, SSL, and WAPI.
PKI, also called "asymmetric key infrastructure," uses a key pair to encrypt and decrypt data. The key
pair consists of a private key and a public key. The private key must be kept secret, but the public key
must be distributed. Data encrypted by one of the two keys can only be decrypted by the other.
A key problem of PKI is how to manage the public keys. PKI employs the digital certificate mechanism to
solve this problem. The digital certificate mechanism binds public keys to their owners, helping to
distribute public keys in large networks securely.
With digital certificates, the PKI system provides network communication and e-commerce with security
services such as user authentication, data non-repudiation, data confidentiality, and data integrity.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
• VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for instance, IPsec) in
conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can
address these needs. The secure email protocol that is developing rapidly is S/MIME, which is
based on PKI and allows for transfer of encrypted mails with signature.
• Web security—For web security, two peers can establish an SSL connection first for transparent and
secure communications at the application layer. With PKI, SSL enables encrypted communications
between a browser and a server. Both the communication parties can verify the identity of each
other through digital certificates.

PKI operation
In a PKI-enabled network, an entity can request a local certificate from the CA, and the device can check
the validity of the certificate. This is how it works:
1. An entity submits a certificate request to the CA.
2. The RA verifies the identity of the entity and then sends the identity information and the public key
with a digital signature to the CA.

3. The CA verifies the digital signature, approves the application, and issues a certificate.
4. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory
navigation service, and notifies the entity that the certificate is successfully issued.
5. The entity retrieves the certificate. With the certificate, the entity can communicate with other entities
safely through encryption and digital signature.
6. The entity makes a request to the CA when it must revoke its certificate. The CA approves the
request, updates the CRLs, and publishes the CRLs on the LDAP server.

Configuring PKI
Configuration task list
The system supports the following PKI certificate request modes:
• Manual—In manual mode, you must retrieve a CA certificate, generate a local RSA key pair, and
submit a local certificate request for an entity.
• Auto—In auto mode, an entity automatically requests a certificate through SCEP (a dedicated
protocol for an entity to communicate with a CA) when it has no local certificate or when the present
certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.

Requesting a certificate manually


Table 174 Configuration task list for requesting a certificate manually

Task Remarks

Creating a PKI entity: Required.
Create a PKI entity, and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity
information is identified by an entity DN. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the
certificate request might be rejected.

Creating a PKI domain: Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity must be configured with some enrollment information, which
is referred to as a "PKI domain."
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and it
has only local significance.

Generating an RSA key pair: Required.
Generate a local RSA key pair.
By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key
and a private key. The private key is kept by the user, and the public key is transferred to the CA along
with some other information.
NOTE:
If a local certificate already exists, you must remove the certificate before generating a new key pair to
keep the consistency between the key pair and the local certificate.

Retrieving the CA certificate: Required.
Certificate retrieval serves the following purposes:
• Locally stores the certificates associated with the local security domain for improved query efficiency
and reduced query count.
• Prepares for certificate verification.
NOTE:
If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This
avoids possible mismatch between certificates and registration information resulting from relevant
changes. To retrieve the CA certificate, first remove the CA certificate and local certificate.

Requesting a local certificate: Required.
When requesting a certificate, an entity introduces itself to the CA by providing its identity information
and public key, which are the major components of the certificate.
A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate is retrieved to the local system
automatically.
• In offline mode, you must retrieve the local certificate by an out-of-band method.
NOTE:
If a local certificate already exists, you cannot perform the local certificate retrieval operation. This
avoids possible mismatch between the local certificate and registration information resulting from
relevant changes. To retrieve a new local certificate, first remove the CA certificate and local
certificate.

Destroying the RSA key pair: Optional.
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair.
Otherwise, the retrieving operation fails.

Retrieving and displaying a certificate: Optional.
Retrieve an existing certificate and display its contents.
NOTE:
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

Retrieving and displaying a CRL: Optional.
Retrieve a CRL and display its contents.

Requesting a certificate automatically
Table 175 Configuration task list for requesting a certificate automatically

Task Remarks

Creating a PKI entity: Required.
Create a PKI entity, and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the identity
information is identified by an entity DN. A CA identifies a certificate applicant by entity.
The identity settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the
certificate request might be rejected.

Creating a PKI domain: Required.
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity must be configured with some enrollment information, which
is referred to as a "PKI domain."
A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and it
has only local significance.

Destroying the RSA key pair: Optional.
Destroy the existing RSA key pair and the corresponding local certificate.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair.
Otherwise, the retrieving operation fails.

Retrieving and displaying a certificate: Optional.
Retrieve an existing certificate and display its contents.
NOTE:
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This
restriction avoids inconsistency between the certificate and registration information due to related
configuration changes. To retrieve a new CA certificate, delete the existing CA certificate and local
certificate first.

Retrieving and displaying a CRL: Optional.
Retrieve a CRL and display its contents.

Creating a PKI entity


Select Certificate Management > Entity from the navigation tree to display the page that displays existing
PKI entities, as shown in Figure 392. Then, click Add to display the PKI entity configuration page, as
shown in Figure 393.
Figure 392 PKI entities

Figure 393 Create a PKI entity

Table 176 PKI entity configuration

Item Description

Entity Name: Enter the name for the PKI entity.

Common Name: Enter the common name for the entity.

IP Address: Enter the IP address of the entity.

FQDN: Enter the FQDN for the entity.
An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name
and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the
host name and whatever.com the domain name.

Country/Region Code: Enter the country or region code for the entity.

State: Enter the state or province for the entity.

Locality: Enter the locality for the entity.

Organization: Enter the organization name for the entity.

Organization Unit: Enter the unit name for the entity.

Return to "Configuration task list for requesting a certificate manually."


Return to "Configuration task list for requesting a certificate automatically."

Creating a PKI domain


Select Certificate Management > Domain from the navigation tree to display the page that displays
existing PKI domains, as shown in Figure 394. Then, click Add to display the PKI domain configuration
page, as shown in Figure 395.

Figure 394 PKI domains

Figure 395 Create a PKI domain

Table 177 PKI domain configuration

Item Description

Domain Name: Enter the name for the PKI domain.

CA Identifier: Enter the identifier of the trusted CA.
An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility of certificate
registration, distribution, revocation, and query.
NOTE:
• In offline mode, this item is optional. In other modes, this item is required.
• The CA identifier is used only when you retrieve a CA certificate. It is not used when you retrieve a
local certificate.

Entity Name: Select the local PKI entity.
When submitting a certificate request to a CA, an entity must show its identity information.
Available PKI entities are those that have been configured.

Institution: Select the authority for certificate request:
• CA—Indicates that the entity requests a certificate from a CA.
• RA—Indicates that the entity requests a certificate from an RA.
Generally, an independent RA is in charge of certificate request management. It receives the registration
request from an entity, checks its qualification, and determines whether to ask the CA to sign a digital
certificate. The RA only checks the application qualification of an entity; it does not issue any
certificate. Sometimes, the registration management function is provided by the CA, in which case no
independent RA is required. HP recommends that you deploy an independent RA.

Requesting URL: Enter the URL of the RA.
The entity submits the certificate request to the server at this URL through the SCEP protocol. The SCEP
protocol is intended for communication between an entity and an authentication authority.
NOTE:
• In offline mode, this item is optional. In other modes, this item is required.
• This item does not support domain name resolution.

LDAP IP, Port, Version: Enter the IP address, port number, and version of the LDAP server.
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, configure the IP
address of the LDAP server.

Request Mode: Select the online certificate request mode: auto or manual.

Password, Encrypt Password: Enter the password for certificate revocation and specify whether to display
the password in cipher text when the certificate request mode is set to Auto.

Fingerprint Hash, Fingerprint: Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity must verify the fingerprint of the root
certificate (the hash value of the root certificate content). This hash value is unique to every
certificate. If the fingerprint of the root certificate does not match the one configured for the PKI
domain, the entity rejects the root certificate.
• If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint must be a string of
32 characters in hexadecimal notation.
• If you specify SHA1 as the hash algorithm, enter an SHA1 fingerprint. The fingerprint must be a string
of 40 characters in hexadecimal notation.
• If you do not specify the fingerprint hash, do not enter any fingerprint. The entity does not verify the
CA root certificate, and you yourself must make sure that the CA server is trusted.
NOTE:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you specify the
certificate request mode as Manual, you can leave the fingerprint settings null. If you do not configure
the fingerprint, the entity does not verify the CA root certificate, and you yourself must make sure that
the CA server is trusted.

Polling Count, Polling Interval: Set the polling interval and attempt limit for querying the certificate
request status.
After an entity makes a certificate request, the CA might need a long period of time if it verifies the
certificate request in manual mode. During this period, the applicant must query the status of the request
periodically to get the certificate as soon as possible after the certificate is signed.

Enable CRL Checking: Select this checkbox to specify that CRL checking is required during certificate
verification.

CRL Update Period: Enter the CRL update period (the interval at which the PKI entity downloads the latest
CRLs).
This item is available when the Enable CRL Checking checkbox is selected.
By default, the CRL update period depends on the next update field in the CRL file.
The manually configured CRL update period takes precedence over that specified in the CRL file.

CRL URL: Enter the URL of the CRL distribution point.
This item is available when the Enable CRL Checking checkbox is selected.
When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local
certificate, and then acquire a CRL through SCEP.
This item does not support domain name resolution.
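The field rules and the root certificate fingerprint check described in Table 177, as an added example that is not part of the HP guide: it lints a PKI domain's settings and reproduces the accept or reject decision for a retrieved root certificate. The dictionary keys and function names are hypothetical, the certificate bytes are a constructed stand-in, and hashing the DER encoding of the certificate is an assumption about how the fingerprint is computed.

```python
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digits the Fingerprint field expects for each Fingerprint Hash choice.
FINGERPRINT_LEN = {"MD5": 32, "SHA1": 40}
_HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def _well_formed(hash_name: str, fingerprint: str) -> bool:
    """True when the fingerprint is exactly the required number of hex digits."""
    pattern = r"[0-9a-f]{%d}" % FINGERPRINT_LEN[hash_name]
    return re.fullmatch(pattern, fingerprint.lower()) is not None


def fingerprint_of(cert_der: bytes, hash_name: str) -> str:
    """Hex fingerprint of a certificate (assumption: hash over its DER encoding)."""
    return _HASHERS[hash_name](cert_der).hexdigest()


def root_cert_accepted(cert_der: bytes, hash_name: str, configured: str) -> bool:
    """Accept the root certificate only when it matches the configured fingerprint."""
    if not _well_formed(hash_name, configured):
        return False
    return hmac.compare_digest(fingerprint_of(cert_der, hash_name), configured.lower())


def check_domain(cfg: dict) -> list:
    """Return 'error: ...' and 'warning: ...' findings for one PKI domain."""
    findings = []
    if not cfg.get("offline", False):
        # CA identifier and requesting URL are optional only in offline mode.
        if not cfg.get("ca_identifier"):
            findings.append("error: CA identifier is required outside offline mode")
        host = urlsplit(cfg.get("request_url", "")).hostname
        if host is None:
            findings.append("error: requesting URL is missing or has no host")
        else:
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(
                    f"error: requesting URL host '{host}' is a name; "
                    "the field does not support domain name resolution")

    hash_name = cfg.get("fingerprint_hash")
    fingerprint = cfg.get("fingerprint", "")
    if hash_name is None:
        if fingerprint:
            findings.append("error: fingerprint entered without a fingerprint hash")
        elif cfg.get("request_mode") == "Auto":
            findings.append("error: Auto request mode requires a fingerprint")
        else:
            findings.append("warning: no fingerprint, so the CA root certificate "
                            "is not verified on retrieval")
    elif hash_name not in FINGERPRINT_LEN:
        findings.append(f"error: unsupported fingerprint hash '{hash_name}'")
    elif not _well_formed(hash_name, fingerprint):
        findings.append(f"error: {hash_name} fingerprint must be "
                        f"{FINGERPRINT_LEN[hash_name]} hexadecimal characters")
    return findings


# PKI domain "torsa" with the values used in this guide's method I example.
PAGE_EXAMPLE = {
    "domain": "torsa",
    "ca_identifier": "CA server",
    "entity": "aaa",
    "institution": "RA",
    "request_url": "http://4.4.4.1:8080/certsrv/mscep/mscep.dll",
    "request_mode": "Manual",
}

# Constructed stand-in for certificate bytes; not a real certificate.
SAMPLE_ROOT_DER = b"constructed stand-in for a DER-encoded CA root certificate"

if __name__ == "__main__":
    print(check_domain(PAGE_EXAMPLE))
    pinned = fingerprint_of(SAMPLE_ROOT_DER, "SHA1")
    print(root_cert_accepted(SAMPLE_ROOT_DER, "SHA1", pinned))
    print(root_cert_accepted(SAMPLE_ROOT_DER + b"tampered", "SHA1", pinned))
```

Obtain the fingerprint to configure from the CA administrator through a separate channel, not from the certificate that the device has just retrieved. Of the two hash choices the page lists, SHA1 is the stronger one.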

Return to "Configuration task list for requesting a certificate manually."


Return to "Configuration task list for requesting a certificate automatically."

Generating an RSA key pair


Select Certificate Management > Certificate from the navigation tree to display the page that displays
existing PKI certificates, as shown in Figure 396. Then, click Create Key to display the RSA key pair
configuration page, as shown in Figure 397.
Figure 396 PKI certificates

Figure 397 Generate an RSA key pair

Table 178 Configuration for generating an RSA key pair

Item Description

Key Length: Enter the length of the RSA keys.

Return to "Configuration task list for requesting a certificate manually."

Destroying the RSA key pair


Select Certificate Management > Certificate from the navigation tree to display the page that displays
existing PKI certificates, as shown in Figure 396.
Click Destroy Key to enter the RSA key pair destruction page, as shown in Figure 398. Then, click Apply to
destroy the existing RSA key pair and the corresponding local certificate.
Figure 398 Destroy an RSA key pair

Return to "Configuration task list for requesting a certificate manually."


Return to "Configuration task list for requesting a certificate automatically."

Retrieving and displaying a certificate


You can download an existing CA certificate or local certificate from the CA server and save it locally. To
do so, you can use offline mode or online mode. In offline mode, you must retrieve a certificate by an
out-of-band method such as FTP, disk, or email, and then import it into the local PKI system.
Select Certificate Management > Certificate from the navigation tree to display the page that displays
existing PKI certificates, as shown in Figure 396. Then click Retrieve Cert to display the PKI certificate
retrieval page, as shown in Figure 399.
Figure 399 Retrieve a certificate

Table 179 Configuration for retrieving a PKI certificate

Item Description

Domain Name: Select the PKI domain for the certificate.

Certificate Type: Select the type of the certificate to be retrieved: CA or local.

Enable Offline Mode: Select this checkbox to retrieve a certificate in offline mode (by an out-of-band
method such as FTP, disk, or email), and then import the certificate into the local PKI system.

Get File From Device, Get File From PC: Specify the path and name of the certificate file.
• If the certificate file is saved on the device, select Get File From Device and then specify the path of
the file on the device.
• If the certificate file is saved on a local PC, select Get File From PC and then specify the path to the
file, and select the partition of the device for saving the file.

Password: Enter the password for protecting the private key, which was specified when the certificate was
exported.

After retrieving a certificate, you can click View Cert corresponding to the certificate from the PKI
certificates list to display the contents of the certificate, as shown in Figure 400.
Figure 400 Display certificate information

Return to "Configuration task list for requesting a certificate manually."


Return to "Configuration task list for requesting a certificate automatically."

Requesting a local certificate


Select Certificate Management > Certificate from the navigation tree to display the page that displays
existing PKI certificates, as shown in Figure 396. Then click Request Cert to display the local certificate
request page, as shown in Figure 401.

Figure 401 Request a certificate

Table 180 Configuration for requesting a local certificate

Item Description

Domain Name: Select the PKI domain for the certificate.

Password: Enter the password for certificate revocation.

Enable Offline Mode: Select this option to request a certificate in offline mode (by an out-of-band method
such as FTP, disk, or email).
If you cannot request a certificate from the CA through the SCEP protocol, you can enable the offline
mode. In this case, after clicking Apply, the offline certificate request information page appears, as
shown in Figure 402. Submit the information to the CA to request a local certificate.

Figure 402 Offline certificate request information

Return to "Configuration task list for requesting a certificate manually."

Retrieving and displaying a CRL


Select Certificate Management > CRL from the navigation tree to display the page that displays CRLs, as
shown in Figure 403.
Figure 403 CRLs

a. Click Retrieve CRL to retrieve the CRL of a domain.

b. Then, click View CRL for the domain to display the contents of the CRL.

Figure 404 Display CRL information

Return to "Configuration task list for requesting a certificate manually."


Return to "Configuration task list for requesting a certificate automatically."

PKI configuration examples


Configuring a PKI entity to request a certificate from a CA (method I)
Network requirements
As shown in Figure 405, configure the router to work as the PKI entity, so that:
• The router submits a local certificate request to the CA server, which runs Windows Server 2003.
• The router acquires CRLs for certificate verification.

Figure 405 Network diagram

Configuration procedure
1. Configure the CA server.
# Install the CA server component.
From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove
Windows Components. In the dialog box that appears, select Certificate Services and click Next to begin
the installation.
# Install the SCEP add-on.
Because a CA server running the Windows Server 2003 operating system does not support SCEP by default,
be sure to install the SCEP add-on to provide the router with automatic certificate registration and retrieval.
After the add-on is installed, a prompt dialog box appears, displaying the URL of the registration server
configured on the router.
# Modify the certificate service properties.
From the start menu, select Control Panel > Administrative Tools > Certificate Authority. If the CA server
and SCEP add-on have been installed successfully, there should be two certificates issued by the CA to
the RA. Right-click CA server and select Properties from the shortcut menu, and select the Policy Module
tab in the CA server Properties dialog box. Select the option of Follow the settings in the certificate
template, if applicable. Otherwise, automatically issue the certificate. Then click OK.
# Modify the IIS attributes.
From the start menu, select Control Panel > Administrative Tools > Internet Information Services (IIS)
Manager and then select Web Sites from the navigation tree. Right-click Default Web Site and select
Properties. Then select the Home Directory tab. Specify the path for certificate service in the Local path
field. To avoid conflicts with existing services, change the TCP port number to an unused one on the Web
Site tab.
After the configuration, you must also make sure that the system clock of the router and that of the CA are
synchronized, so that the router can request a certificate correctly.
2. Configure the router.
# Create a PKI entity.
• Select Certificate Management > Entity from the navigation tree, and then click Add to perform the
configurations shown in Figure 406.

Figure 406 Add a PKI entity

a. Enter aaa as the PKI entity name.


b. Enter router as the common name.
c. Click Apply.
# Create a PKI domain.
• Select Certificate Management > Domain from the navigation tree, and then click Add to perform the
configurations shown in Figure 407.
Figure 407 Add a PKI domain

a. Enter torsa as the PKI domain name.


b. Enter CA server as the CA identifier.
c. Select aaa as the local entity.
d. Select RA as the authority for certificate request.
e. Enter http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request. The URL
must be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port are the
host address and port number of the CA server.

f. Select Manual as the certificate request mode.
g. Click Apply. When the system displays the following message, click OK to confirm:
Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?
# Generate an RSA key pair.
• Select Certificate Management > Certificate from the navigation tree, and then click Create Key to
perform the configurations shown in Figure 408.
Figure 408 Generate an RSA key pair

• Click Apply to generate an RSA key pair.


# Retrieve the CA certificate.
• Select Certificate Management > Certificate from the navigation tree, and then click Retrieve Cert to
perform the configurations shown in Figure 409.
Figure 409 Retrieve the CA certificate

a. Select torsa as the PKI domain.


b. Select CA as the certificate type.

c. Click Apply.
# Request a local certificate.
• Select Certificate Management > Certificate from the navigation tree, and then click Request Cert to
perform the configurations shown in Figure 410.
Figure 410 Request a certificate

a. Select torsa as the PKI domain.


b. Select Password, and then enter challenge-word as the password.
c. Click Apply. When the system displays the following message, click OK to confirm:
Certificate request has been submitted.

Verify the configuration


After the configuration, select Certificate Management > Certificate from the navigation tree, and then
click View Cert corresponding to the certificate of PKI domain torsa to view the certificate information.
You can also click View Cert corresponding to the CA certificate of PKI domain torsa to view the CA
certificate information.

Configuring a PKI entity to request a certificate from a CA (method II)
Network requirements
Configure the router working as the PKI entity, so that:
• The router submits a local certificate request to the CA server, which runs the RSA Keon software.
• The router acquires CRLs for certificate verification.
Figure 411 Diagram for configuring a PKI entity to request a certificate from a CA

Configuration procedure
1. Configure the CA server.
# Create a CA server named myca.
In this example, configure the basic attributes of Nickname and Subject DN on the CA server first:
• Nickname—Name of the trusted CA
• Subject DN—DN information of the CA, including the CN, OU, O, and C
The other attributes can use the default values.
# Configure extended attributes.
After configuring the basic attributes, perform configuration on the Jurisdiction Configuration page of the
CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function,
and adding the IP address list for SCEP autovetting.
# Configure the CRL publishing behavior.
After completing the configuration, perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP, and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the configuration, make sure that the system clock of the router is synchronized with that of the CA,
so that the router can request certificates and retrieve CRLs properly.
2. Configure the router.
# Create a PKI entity.
• Select Certificate Management > Entity from the navigation tree, and then click Add to perform the
configurations shown in Figure 412.
Figure 412 Add a PKI entity

a. Enter aaa as the PKI entity name.


b. Enter router as the common name.

c. Click Apply.
# Create a PKI domain.
• Select Certificate Management > Domain from the navigation tree, and then click Add to perform the
configurations shown in Figure 413.
Figure 413 Add a PKI domain

a. Enter torsa as the PKI domain name.


b. Enter myca as the CA identifier.
c. Select aaa as the local entity.
d. Select CA as the authority for certificate request.
e. Enter http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request. The URL must be in the format of http://host:port/Issuing Jurisdiction ID,
where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
f. Select Manual as the certificate request mode.
g. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
h. Select the Enable CRL Checking checkbox.
i. Enter http://4.4.4.133:447/myca.crl as the CRL URL.
j. Click Apply. When the system displays the following message, click OK to confirm:
Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?
# Generate an RSA key pair.
• Select Certificate Management > Certificate from the navigation tree, and then click Create Key to
perform the configurations shown in Figure 414.

Figure 414 Generate an RSA key pair

• Click Apply to generate an RSA key pair.


# Retrieve the CA certificate.
• Select Certificate Management > Certificate from the navigation tree, and then click Retrieve Cert to
perform the configurations shown in Figure 415.

Figure 415 Retrieve the CA certificate

a. Select torsa as the PKI domain.


b. Select CA as the certificate type.
c. Click Apply.
# Request a local certificate.
• Select Certificate Management > Certificate from the navigation tree, and then click Request Cert to
perform the configurations shown in Figure 416.

Figure 416 Request a certificate

a. Select torsa as the PKI domain.


b. Select Password, and then enter challenge-word as the password.
c. Click Apply. When the system displays the following message, click OK to confirm:
Certificate request has been submitted.
# Retrieve the CRL.
• After retrieving a local certificate, select Certificate Management > CRL from the navigation tree.
Figure 417 Retrieve CRL

• Click Retrieve CRL of the PKI domain of torsa.

Verify the configuration


After the configuration, select Certificate Management > Certificate from the navigation tree to view
detailed information about the retrieved CA certificate and local certificate, or select Certificate
Management > CRL from the navigation tree to view detailed information about the retrieved CRL.

Applying RSA digital signature in IKE negotiation
Network requirements
• An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on
subnet 10.1.1.0/24 and Host B on subnet 11.1.1.0/24.
• Router A and Router B use IKE for IPsec tunnel negotiation and RSA digital signature of a PKI
certificate system for identity authentication.
• As shown in Figure 418, Router A and Router B use different CAs. They can also use the same CA
as required.
Figure 418 Diagram for applying RSA digital signature in IKE negotiation

Configuration procedure
1. Configure Router A.
# Create a PKI entity.
• Select Certificate Management > Entity from the navigation tree, and then click Add to perform the
configurations shown in Figure 419.

Figure 419 Add a PKI entity

a. Enter en as the PKI entity name.


b. Enter router-a as the common name.
c. Enter 2.2.2.1 as the IP address of the entity.
d. Click Apply.

# Create a PKI domain. (The RA URL given here is just an example. Configure the RA URL as required.)
• Select Certificate Management > Domain from the navigation tree, and then click Add to perform the
configurations shown in Figure 420.
Figure 420 Add a PKI domain

a. Enter 1 as the PKI domain name.


b. Enter CA1 as the CA identifier.
c. Select en as the local entity.

d. Select RA as the authority for certificate request.
e. Enter http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request. (The RA URL
given here is just an example. Configure the RA URL as required.)
f. Enter 1.1.1.102 as the IP address of the LDAP server, 389 as the port number, and select 2 as
the version number.
g. Select Manual as the certificate request mode.
h. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
i. Select the Enable CRL Checking checkbox.
j. Enter ldap://1.1.1.102 as the URL for CRLs.
k. Click Apply. When the system displays the following message, click OK to confirm:
Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?
# Generate an RSA key pair.
• Select Certificate Management > Certificate from the navigation tree, and then click Create Key to
perform the configurations shown in Figure 421.
Figure 421 Generate an RSA key pair

• Click Apply to generate an RSA key pair.


# Retrieve the CA certificate.
• Select Certificate Management > Certificate from the navigation tree, and then click Retrieve Cert to
perform the configurations shown in Figure 422.

Figure 422 Retrieve the CA certificate

a. Select 1 as the PKI domain.


b. Select CA as the certificate type.
c. Click Apply.
# Request a local certificate.
• Select Certificate Management > Certificate from the navigation tree, and then click Request Cert to
perform the configurations shown in Figure 423.
Figure 423 Request a certificate

a. Select 1 as the PKI domain.


b. Click Apply. When the system displays the following message, click OK to confirm:
Certificate request has been submitted.
# Add an IPsec connection.
• Select VPN > IPsec VPN from the navigation tree, and then click Add to perform the configurations
shown in Figure 424.

Figure 424 Add an IPsec connection

a. Enter con as the IPsec connection name.


b. Select Ethernet0/2 as the gateway interface.
c. Enter 3.3.3.1 as the remote gateway IP address.
d. Select Certificate as the authentication method, and select CN=router-a for the certificate.
e. Select Characteristics of Traffic as the selector type.
f. Enter 11.1.1.0/0.0.0.255 as the source IP address/wildcard.
g. Enter 10.1.1.0/0.0.0.255 as the destination IP address/wildcard.
h. Click Apply.
2. Configure Router B. (The configuration pages for Router B are similar to those of Router A, so they
are not shown here.)
# Create a PKI entity.
a. Select Certificate Management > Entity from the navigation tree, and then click Add.
b. Enter en as the PKI entity name.
c. Enter router-b as the common name.
d. Enter 3.3.3.1 as the IP address of the entity.
e. Click Apply.

# Create a PKI domain.


• Select Certificate Management > Domain from the navigation tree, and then click Add.

a. Enter 1 as the PKI domain name.
b. Enter CA2 as the CA identifier.
c. Select en as the local entity.
d. Select RA as the authority for certificate request.
e. Enter http://2.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request. (The RA URL
given here is just an example. Configure the RA URL as required.)
f. Enter 2.1.1.102 as the IP address of the LDAP server, 389 as the port number, and select 2 as
the version number.
g. Select Manual as the certificate request mode.
h. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
i. Select the Enable CRL Checking checkbox.
j. Enter ldap://2.1.1.102 as the URL for CRLs.
k. Click Apply. When the system displays the following message, click OK to confirm:
Fingerprint of the root certificate not specified. No root certificate validation will occur. Continue?
# Generate an RSA key pair.
a. Select Certificate Management > Certificate from the navigation tree, and then click Create Key.
b. Click Apply to generate an RSA key pair.

# Retrieve the CA certificate.


a. Select Certificate Management > Certificate from the navigation tree, and then click Retrieve
Cert.
b. Select 1 as the PKI domain.
c. Select CA as the certificate type.
d. Click Apply.

# Request a local certificate.


a. Select Certificate Management > Certificate from the navigation tree, and then click Request Cert.
b. Select 1 as the PKI domain.
c. Click Apply. When the system displays the following message, click OK to confirm:
Certificate request has been submitted.
# Add an IPsec connection.
a. Select VPN > IPsec VPN from the navigation tree, and then click Add.
b. Enter con as the IPsec connection name.
c. Select Ethernet0/2 as the gateway interface.
d. Enter 2.2.2.1 as the remote gateway IP address.
e. Select Certificate as the authentication method, and select CN=router-b for the certificate.
f. Select Characteristics of Traffic as the selector type.
g. Enter 10.1.1.0/0.0.0.255 as the source IP address/wildcard.
h. Enter 11.1.1.0/0.0.0.255 as the destination IP address/wildcard.
i. Click Apply.
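The following check is an added example, not part of the HP guide. It takes the values entered for Router A and Router B above and verifies that the two ends agree (remote gateway against the peer's entity address, certificate subject, mirrored traffic selectors), and it reports the unvalidated root certificate that the confirmation message describes. The dictionary keys and function names are assumptions of the example, as is treating the entity IP address as the address the peer uses for its remote gateway.

```python
import ipaddress


def selector_to_network(selector):
    """Convert 'address/wildcard' as entered on the IPsec page to a network."""
    addr_text, wildcard_text = selector.split("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    wildcard = int(ipaddress.IPv4Address(wildcard_text))
    # A wildcard that maps to a prefix is a run of low-order 1 bits (2**n - 1).
    if wildcard & (wildcard + 1):
        raise ValueError(f"non-contiguous wildcard in {selector!r}")
    if addr & wildcard:
        raise ValueError(f"host bits set in {selector!r}")
    return ipaddress.IPv4Network((addr, 32 - wildcard.bit_length()))


# Values transcribed from the Router A and Router B steps of this example.
# The dictionary keys are hypothetical names chosen for this sketch.
ROUTER_A = {
    "name": "Router A", "entity_cn": "router-a", "entity_ip": "2.2.2.1",
    "remote_gateway": "3.3.3.1", "auth": "Certificate",
    "certificate": "CN=router-a",
    "source": "11.1.1.0/0.0.0.255", "destination": "10.1.1.0/0.0.0.255",
    "crl_checking": True,
    "root_fingerprint": None,  # the procedure leaves the fingerprint unspecified
}
ROUTER_B = {
    "name": "Router B", "entity_cn": "router-b", "entity_ip": "3.3.3.1",
    "remote_gateway": "2.2.2.1", "auth": "Certificate",
    "certificate": "CN=router-b",
    "source": "10.1.1.0/0.0.0.255", "destination": "11.1.1.0/0.0.0.255",
    "crl_checking": True,
    "root_fingerprint": None,
}


def check_peers(a, b):
    """Return a list of (severity, message) findings for two IPsec peers."""
    findings = []
    for local, peer in ((a, b), (b, a)):
        name = local["name"]
        if local["remote_gateway"] != peer["entity_ip"]:
            findings.append(("error", f"{name}: remote gateway "
                             f"{local['remote_gateway']} does not match the "
                             f"peer entity address {peer['entity_ip']}"))
        if local["auth"] != "Certificate":
            findings.append(("error", f"{name}: authentication method is "
                             "not Certificate"))
        elif local["certificate"] != "CN=" + local["entity_cn"]:
            findings.append(("error", f"{name}: selected certificate is not "
                             "the local entity's certificate"))
        src = selector_to_network(local["source"])
        dst = selector_to_network(local["destination"])
        if src.overlaps(dst):
            findings.append(("error", f"{name}: source {src} overlaps "
                             f"destination {dst}"))
        if not local["crl_checking"]:
            findings.append(("warning", f"{name}: CRL checking is disabled"))
        if local["root_fingerprint"] is None:
            findings.append(("warning", f"{name}: root certificate "
                             "fingerprint not specified, so the CA "
                             "certificate is accepted without validation"))
    # Each end's source must be the other end's destination, and vice versa.
    a_pair = (selector_to_network(a["source"]),
              selector_to_network(a["destination"]))
    b_pair = (selector_to_network(b["destination"]),
              selector_to_network(b["source"]))
    if a_pair != b_pair:
        findings.append(("error", "traffic selectors of the two peers do "
                         "not mirror each other"))
    return findings


if __name__ == "__main__":
    for severity, message in check_peers(ROUTER_A, ROUTER_B):
        print(f"{severity}: {message}")
```

With the values from this example the only findings are the two fingerprint warnings, one per router.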

Configuration guidelines
When you configure PKI, note the following guidelines:
1. Make sure the clocks of the entities and the CA are synchronized. Otherwise, the validity period of
certificates is abnormal.
2. The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server does not
respond to the certificate request.
3. The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA
as the authority for certificate request when configuring the PKI domain.
4. The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case,
specify CA as the authority for certificate request when configuring the PKI domain.

Configuring system management

System management allows you to perform the following operations:


• Configuration management
• Reboot
• Service management
• User management
• System time
• TR-069 configuration
• Software upgrade (for the A-MSR900/A-MSR20-1X series)
• Software upgrade (for the A-MSR20/30/50 series)

Configuration management
Save configuration
The save configuration module provides the following functions:
• Saving the current configuration to the configuration file to be used at the next startup (including the
.cfg and .xml files).
• Saving the current configuration as the factory default configuration, and the name of the
configuration file is init.cfg.

NOTE:

• Besides the following methods, the web management interface allows you to click the button on the right of
the title area to quickly save the configuration.
• Saving the configuration takes a period of time.
• The system does not support configuration saving by two or more consecutive users. If this occurs, the
system prompts the later users to try again later.
• When you save the current configuration on a distributed device, the SMB does not save the .xml configuration file.
To ensure the synchronization between the AMB and the SMB, copy this file to the SMB.

Select System Management > Configuration from the navigation tree to display the save configuration
page.

Figure 425 Save configuration page

• To save the current configuration to the configuration file to be used at the next startup, click Save
Current Settings.
• To save the current configuration to both the configuration file to be used at the next startup and the
factory default configuration file, click Save As Factory-Default Settings.

Initialize configuration
Initializing clears the current configuration file and then restarts the device with the factory default
configuration.
Select System Management > Configuration from the navigation tree, and then click the Initialize tab to
display the initialize configuration page.
Figure 426 Initialize

To restore the factory defaults, click Restore Factory-Default Settings.

Backing up configuration
Configuration file backup allows you to do the following:
• View the configuration file for next startup (including .cfg and .xml files).
• Back up the configuration file for next startup (including .cfg and .xml files) to the PC of the current
user.

Select System > Maintenance > Backup from the navigation tree, and click Backup to display the
configuration file backup configuration page.
Figure 427 Configuration file backup page

• When you click the upper Backup button, a file download dialog box appears. You can select to
view the .cfg file or to save the file locally.
• When you click the lower Backup button, a file download dialog box appears. You can select to
view the .xml file or to save the file locally.

Restoring configuration
Configuration restoration allows you to do the following:
• Upload the .cfg file on the host of the current user to the device for the next startup.
• Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup.
Select System > Maintenance > Restore from the navigation tree, and click Restore to display the restoring
configuration file page.
Figure 428 Restoring configuration file page

• When you click the upper Browse button, the file upload dialog box appears. You can select the
.cfg file to be uploaded, and then click Apply.
• When you click the lower Browse button, the file upload dialog box appears. You can select the
.xml file to be uploaded, and then click Apply.

Backing up and restoring device files through the USB port
The files that the device needs to run, such as startup files and configuration files, are stored in the
storage medium of the device. To facilitate management of these files, the device provides a fast
backup and restoration function.
• Fast backup—Allows you to back up files on the device to the destination device through a USB port.
• Fast restoration—Allows you to transfer files from the device where the files are backed up to the
local device through a USB port. The system also allows you to choose whether to specify the startup
file or configuration file to be restored as the main startup file or configuration file of the device.

NOTE:
Devices use different types of storage media, such as flash cards and CF cards. The storage
medium type used by the device depends on the device model.

Select System Management > Configuration from the navigation tree, and then click the Backup and
Restore tab to display the fast backup and restoration page.
Figure 429 Back up and restore device files through the USB port

• In the Device File(s) area, select the files to be backed up, and then click Backup to back up the
selected files to the destination device.
• In the USB File(s) area, select the files to be restored, and click Restore to transfer the selected files to
the device through the USB port.

NOTE:
You can restore multiple files at once, but only one startup file or configuration file can be included in
these files for restoration.

Rebooting device
Before rebooting the device, save the configuration. Otherwise, all unsaved configurations are lost after
reboot. After the device reboots, re-log in to the web interface.
Select System Management > Reboot from the navigation tree to display the device reboot configuration
page. Click Apply to reboot the device.
Figure 430 Device reboot page

You can choose to check whether the current configuration has been saved to the configuration file to be
used at the next startup as needed.
• If you select the Check whether the current configuration is saved in the next startup configuration file
option, the system checks the configuration before rebooting the device. If the check succeeds, the
system reboots the device. If the check fails, the system displays a dialog box to tell you that the
current configuration and the saved configuration are inconsistent, and it does not reboot the
device. In this case, you must save the current configuration manually before you can reboot the
device.
• If you do not select the option, the system reboots the device directly.

Service management
The service management module provides these types of services: FTP, Telnet, SSH, SFTP, HTTP, and
HTTPS. You can enable or disable the services as needed. Enabling only the services you need improves
the performance and security of the system and allows secure management of the device.
The service management module also lets you modify the HTTP and HTTPS port numbers and associate
the FTP, HTTP, or HTTPS service with an ACL, which reduces attacks from unauthorized users of
these services.

FTP service
FTP is an application layer protocol for sharing files between a server and client over a TCP/IP network.

Telnet service
The Telnet protocol is an application layer protocol that provides remote login and virtual terminal
functions on the network.

SSH service
SSH offers an approach to securely logging in to a remote device. Through encryption and strong
authentication, it protects devices against attacks such as IP spoofing and plain text password
interception.

SFTP service
SFTP is a new feature in SSH2.0. SFTP uses the SSH connection to provide secure data transfer. The
device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file
management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the
device to a remote device for secure file transfer.

HTTP service
HTTP is used for transferring webpage information across the Internet. It is an application-layer protocol in
the TCP/IP protocol suite.
With the HTTP service enabled, you can log in to the device over HTTP and access and control the
device through web-based network management.

HTTPS service
HTTPS refers to the HTTP protocol that supports the SSL protocol.
The SSL protocol of HTTPS enhances the security of the device in the following ways:
• Uses the SSL protocol to ensure that legitimate clients can access the device securely and to block
unauthorized clients.
• Encrypts the data exchanged between the HTTPS client and the device to ensure data security and
integrity, providing secure management of the device.
• Defines a certificate attribute-based access control policy for the device to control the access rights of
clients, further protecting against attacks from unauthorized clients.

Configuring service management


Select System Management > Service Management from the navigation tree to display the service
management configuration page.

Figure 431 Service management

Table 181 Configuration

| Item | Description |
|---|---|
| FTP: Enable FTP service | Specify whether to enable the FTP service. The FTP service is disabled by default. |
| FTP: ACL | Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the FTP service. You can view this configuration item by clicking the expanding button in front of FTP. |
| Telnet: Enable Telnet service | Specify whether to enable the Telnet service. The Telnet service is disabled by default. |
| SSH: Enable SSH service | Specify whether to enable the SSH service. The SSH service is disabled by default. |
| SFTP: Enable SFTP service | Specify whether to enable the SFTP service. The SFTP service is disabled by default. NOTE: When you enable the SFTP service, the SSH service must be enabled. |
| HTTP: Enable HTTP service | Specify whether to enable the HTTP service. The HTTP service is disabled by default. |
| HTTP: Port Number | Set the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. NOTE: When you modify a port, make sure that the port is not used by other services. |
| HTTP: ACL | Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. |
| HTTPS: Enable HTTPS service | Specify whether to enable the HTTPS service. The HTTPS service is disabled by default. |
| HTTPS: Port Number | Set the port number for the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS. NOTE: When you modify a port, make sure that the port is not used by other services. |
| HTTPS: ACL | Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are permitted to use the HTTPS service. You can view this configuration item by clicking the expanding button in front of HTTPS. |
| HTTPS: Certificate | Set the local certificate for the HTTPS service. What is displayed in the list is the subject of the certificate. You can configure the available certificates by selecting Certificate Management from the navigation tree. For more information, see "Configuring certificate management." |

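An added example, not part of the HP guide: a check over a snapshot of the Table 181 settings that flags enabled cleartext services, FTP/HTTP/HTTPS services with no ACL, SFTP enabled without SSH, and an HTTP/HTTPS port collision. The snapshot layout, the ACL number 2000, the port values, and the policy of flagging FTP, Telnet, and HTTP as cleartext are assumptions of the example.

```python
# Cleartext service -> encrypted counterpart offered on the same page.
CLEARTEXT = {"FTP": "SFTP", "Telnet": "SSH", "HTTP": "HTTPS"}
# Services that Table 181 lets you associate with an ACL.
ACL_CAPABLE = ("FTP", "HTTP", "HTTPS")

# Constructed snapshots of the Service Management page (not real device output).
WEAK = {
    "FTP": {"enabled": True, "acl": None},
    "Telnet": {"enabled": True},
    "SSH": {"enabled": False},
    "SFTP": {"enabled": True},
    "HTTP": {"enabled": True, "port": 8080, "acl": None},
    "HTTPS": {"enabled": True, "port": 8080, "acl": None},
}
HARDENED = {
    "FTP": {"enabled": False, "acl": None},
    "Telnet": {"enabled": False},
    "SSH": {"enabled": True},
    "SFTP": {"enabled": True},
    "HTTP": {"enabled": False, "port": 80, "acl": None},
    "HTTPS": {"enabled": True, "port": 443, "acl": 2000},
}


def audit_services(settings):
    """Return sorted (service, issue) findings for a settings snapshot."""
    findings = set()
    enabled = {name for name, cfg in settings.items() if cfg.get("enabled")}
    for name in enabled:
        if name in CLEARTEXT:
            findings.add((name, "cleartext service enabled; prefer "
                          + CLEARTEXT[name]))
        if name in ACL_CAPABLE and not settings[name].get("acl"):
            findings.add((name, "no ACL associated"))
    # Table 181: the SSH service must be enabled when SFTP is enabled.
    if "SFTP" in enabled and "SSH" not in enabled:
        findings.add(("SFTP", "requires the SSH service to be enabled"))
    # Table 181: a modified port must not be used by another service.
    http = settings.get("HTTP", {})
    https = settings.get("HTTPS", {})
    if {"HTTP", "HTTPS"} <= enabled and http.get("port") == https.get("port"):
        findings.add(("HTTPS", "port already used by HTTP"))
    return sorted(findings)


if __name__ == "__main__":
    for label, snapshot in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for service, issue in audit_services(snapshot) or [("-", "no findings")]:
            print(f"  {service}: {issue}")
```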
User management
The user management module provides these functions:
• Creates a local user, and sets the password, access level, and service type for the user.
• Sets the super password for switching the current web user access level to the management level.
• Switches the current web user access level to the management level.

Creating a user
Select System Management > Users from the navigation tree, and then click the Create User tab to display
the page for creating local users.
Figure 432 Create a user

Table 182 Configuration

| Item | Description |
|---|---|
| Username | Set the username for a user. |
| Access Level | Set the access level for a user. Users of different levels can perform different operations. Ranging from low to high, web user levels are as follows: • Visitor—Users of this level can use the network diagnostic tools ping and trace route. They can neither access the device data nor configure the device. • Monitor—Users of this level can only access the device data but cannot configure the device. • Configure—Users of this level can access data from the device and configure the device, but they cannot upgrade the host software, add/delete users, modify users, or back up/restore the application file. • Management—Users of this level can perform any operations for the device. Only the web, FTP, and Telnet users support the access level setting. |
| Password | Set the password for a user. |
| Confirm Password | Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration. |
| Service | Set the service type, including web, FTP, Telnet, and PPP services. You must select at least one of them. |

Setting the super password for switching to the management level
In this part, users of the management level can specify the password for a lower-level user to switch from
the current access level to the management level. If no such password is configured, the switchover fails.
Select System Management > Users from the navigation tree, and then click the Super Password tab to
display the super password configuration page.
Figure 433 Super password configuration page

Table 183 Configuration

| Item | Description |
|---|---|
| Create/Remove | Set the operation type: • Create—Configure or modify the super password. • Remove—Remove the current super password. |
| Password | Set the password for a user to switch to the management level. |
| Confirm Password | Enter the same password again. Otherwise, the system prompts that the two passwords are not consistent when you apply the configuration. |

Switching the user access level to the management level


This function is provided for a user to switch the current user level to the management level. Note the
following:
• Before switching, make sure that the super password is already configured. A user cannot switch to
the management level without a super password.
• The access level switchover of a user is valid for the current login only. The access level configured
for the user is not changed. When the user re-logs in to the web interface, the access level of the
user is still the original level.
Log in to the web interface, and then select System Management > Users from the navigation tree. Click
the Switch to Management tab to display the access level switching page. Then, enter the super password,
and click Login.
Figure 434 Access level switching page

System time
You must configure a correct system time so that the device can work with other devices properly.
The device supports setting system time through manual configuration and automatic synchronization of
NTP server time.
An administrator cannot keep time synchronized among all devices within a network by changing the
system clock on each device, because doing so involves a huge workload and cannot guarantee clock
precision. NTP, however, allows quick clock synchronization within the entire network and ensures high
clock precision.
Defined in RFC 1305, NTP synchronizes timekeeping among distributed time servers and clients. NTP
runs over UDP, using UDP port 123.
The purpose of using NTP is to keep consistent timekeeping among all clock-dependent devices within the
network so that the devices can provide diverse applications based on the consistent time.

Setting the system time
Select System Management > System Time from the navigation tree, and the System Time tab is displayed.
On the upper part of the interface, the current system time is displayed. On the lower part of the interface,
you can set the system time.
Figure 435 System time configuration page

Table 184 Configuration

| Item | Description |
|---|---|
| Automatic Synchronization: NTP Server 1, NTP Server 2 | Enable clock automatic synchronization with an NTP server. You can specify two NTP servers by entering their IP addresses. NTP Server 1 is the primary server and NTP Server 2 is the secondary server. NOTE: With automatic synchronization configured, the device periodically synchronizes its time with the NTP server. If the synchronization fails, the system uses the manually configured time. After the synchronization recovers, the system uses the synchronized time. The IP address of an NTP server is a host address and cannot be a broadcast or a multicast address, or the IP address of the local clock. |
| Manual Setup | Set the system time manually. You can enter the system date and time in the field or select the date and time in the calendar as follows: • Click Today. The date in the calendar becomes the local date, and the time in the calendar does not change. • Select the year, month, date, and time, and then click OK. |

Figure 436 Calendar page

Setting the system time zone


Select System Management > System Time from the navigation tree, and then click the Time Zone tab to
enter the page shown in Figure 437 to set the time zone of the system.
Figure 437 Time zone

TR-069 configuration
TR-069 is a technical specification initiated and developed by the DSL Forum. It defines the
general framework, message format, management method, and data model for the management and
configuration of home network devices in the next-generation network.
TR-069 is mainly applied to DSL access networks. In a DSL access network, user devices are large in
number and are usually deployed separately at customer premises, so device management and
maintenance are hard to perform. TR-069 solves the problem through remote, centralized
management of CPEs by an ACS.

TR-069 network framework
Figure 438 Network diagram

The basic network elements of TR-069 are as follows:


• ACS—The management device in the network.
• CPE—The managed device in the network.
• DNS server—TR-069 defines that an ACS and a CPE use URLs to identify and access each other.
DNS is used to resolve the URLs.
• DHCP server—Assigns an IP address to an ACS and a CPE and uses the options field in the DHCP
packet to provide configuration parameters to the CPE.
The device is a CPE and uses TR-069 to communicate with an ACS.

Basic functions of TR-069


Auto connection between ACS and CPE
A CPE can connect to an ACS automatically by sending an Inform message. The following conditions
may trigger an auto connection:
• CPE startup. A CPE finds the corresponding ACS according to the acquired URL and initiates a
connection to the ACS.
• A CPE is configured to send Inform messages periodically. The CPE automatically sends an Inform
message at the configured interval (1 hour, for example) to establish connections.
• A CPE is configured to send Inform messages at a specific time. The CPE automatically sends an
Inform message at the configured time to establish a connection.
• The current session is not finished but interrupted abnormally. In this case, if the number of CPE
auto-connection retries does not reach the limit, the CPE automatically establishes a connection.
An ACS can initiate a Connect Request to a CPE at any time and can establish a connection with the CPE
after passing the CPE authentication.

Auto-configuration
When a CPE logs in to an ACS, the ACS can automatically apply some configurations to the CPE to
perform auto-configuration of the CPE. Auto-configurable parameters supported by the device include
(but are not limited to) the following:
• Configuration file (ConfigFile)
• ACS address (URL)
• ACS username (Username)
• ACS password (Password)
• Inform message auto sending flag (PeriodicInformEnable)
• Inform message auto sending interval (PeriodicInformInterval)
• Inform message auto sending time (PeriodicInformTime)
• CPE username (ConnectionRequestUsername)
• CPE password (ConnectionRequestPassword)

CPE system boot file and configuration file management


The administrator can store important files such as the system boot file and configuration file on an ACS.
If the ACS finds that a file is updated, it notifies the CPE to download the file by sending a request. After
the CPE receives the request, it can automatically download the file from the specified file server
according to the filename and download address provided in the ACS request. After the CPE downloads
the file, it checks the file validity and then reports the download result (succeeded or failed) to the ACS.
The device does not support file download using digital signature.
The device supports downloading the following types of files: system boot file and configuration file.
To back up important data, a CPE can upload the current configuration file to the specified server
according to the requirement of an ACS. The device only supports uploading the vendor configuration file
and log file.

CPE status and performance monitoring


An ACS can monitor the parameters of the CPEs connected to it. Different CPEs differ in
performance and functionality. Therefore, the ACS must be able to identify each CPE and monitor the
current configuration and the configuration changes of each CPE. TR-069 also allows the administrator to
define monitor parameters and get the parameters through an ACS in order to obtain the CPE status and
statistics information.
The status and performance that can be monitored by an ACS include: manufacturer name (Manufacturer),
manufacturer identification (ManufacturerOUI), serial number (SerialNumber), hardware version
(HardwareVersion), software version (SoftwareVersion), device status (DeviceStatus), up time (UpTime),
configuration file, ACS address, ACS username, ACS password, PeriodicInformEnable,
PeriodicInformInterval, PeriodicInformTime, CPE address, CPE username, and CPE password.
For the TR-069 mechanism, see HP A-MSR Router Series Network Management and Monitoring
Configuration Guide.

TR-069 configuration
The TR-069 parameters of a CPE can be configured automatically through ACS remote management. They can
also be configured manually through the web interface, which is described in detail in this section.
Select System Management > TR-069 from the navigation tree to display the TR-069 configuration page.

Figure 439 TR-069 configuration page

Table 185 Configuration

| Item | Description |
|---|---|
| TR-069 | Enable or disable TR-069. TR-069 configurations can take effect only after you enable TR-069. |
| ACS: URL | Configure the URL used by a CPE to initiate a connection to the ACS. |
| ACS: Username | Configure the username used by a CPE to initiate a connection to the ACS. |
| ACS: Password | Configure the password used by a CPE to initiate a connection to the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same. |
| CPE: Username | Configure the username used by the CPE to authenticate the connection sent from the ACS. |
| CPE: Password | Configure the password used by the CPE to authenticate the connection sent from the ACS. You can specify a username without a password that is used in the authentication. If so, the configuration on the ACS and that on the CPE must be the same. |
| CPE: Sending Inform | Enable or disable CPE's periodical sending of Inform messages. |
| CPE: Interval | Configure the interval between sending the Inform messages. |
| CPE Interface | Set the CPE connection interface. The CPE sends inform packets carrying the IP address of this interface to make the ACS establish a connection with the CPE using this IP address. |

Configuration guidelines
• TR-069 configuration through ACS is of higher priority than that through web. You cannot use a
configuration mode to modify parameters configured through a configuration mode with a higher
priority.

• To remove the configuration of a parameter, select the checkbox for the parameter, clear the value
that was entered, and then click Apply.

Software upgrade (for the A-MSR900/A-MSR20-1X series)
A boot file, also known as the "system software" or "device software," is an application file used to boot
the device. Software upgrade allows you to obtain a target application file from the current host and set
the file as the boot file to be used at the next boot. In addition, you can choose to reboot the device
immediately after the above operations to make the upgraded software effective.

Upgrading software
NOTE:
Software upgrade takes some time. During software upgrade, do not perform any operation on the web
interface. Otherwise, software upgrade may be interrupted.

Select System Management > Software Upgrade from the navigation tree to display the software upgrade
configuration page.
Figure 440 Software upgrade configuration page

Table 186 Configuration

| Item | Description |
|---|---|
| File | Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. The filename is main.bin when the file is saved on the device. |
| Reboot after the upgrading finished | Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded. |

Software upgrade (for the A-MSR20/30/50 series)


Software upgrade allows you to obtain a target application file from the current host and set the file as
the main boot file or backup boot file to be used at the next boot.

A boot file, also known as the "system software" or "device software," is an application file used to boot
the device. A main boot file is used to boot a device, and a backup boot file is used to boot a device only
when the main boot file is unavailable.

Upgrading software
NOTE:
Software upgrade takes some time. During software upgrade, do not perform any operation on the web
interface. Otherwise, software upgrade may be interrupted.

Select System Management > Software Upgrade from the navigation tree to display the software upgrade
configuration page.
Figure 441 Software upgrade configuration page

Table 187 Configuration

| Item | Description |
|---|---|
| File | Specify the filename of the local application file, which must be suffixed with the .app or .bin extension. |
| File Type | Specify the type of the boot file for the next boot: • Main • Backup |
| If a file with same name already exists, overwrite it without any prompt | Specify whether to overwrite the file with the same name. If you do not select the option, when a file with the same name exists, the system displays the message "The file has existed," and you cannot perform the upgrade operation. |
| Reboot after the upgrading finished | Specify whether to reboot the device to make the upgraded software take effect after the application file is uploaded. |

Configuring SNMP lite

Only the A-MSR900/20-1X series routers support this function.


For the A-MSR20/30/50 series routers, see "Configuring SNMP."
You can configure the SNMP agent function on the web interface.
SNMP is an Internet standard protocol widely used for an NMS to access and operate the devices
(SNMP agents) on a network, regardless of their vendors, physical characteristics, and interconnect
technologies.
SNMP enables network administrators to read and set the variables on managed devices to monitor their
operating and health state, diagnose network problems, and collect statistics for management purposes.
HP SNMP agents support three SNMP versions: SNMPv1, SNMPv2c, and SNMPv3.
• SNMPv1 uses password authentication to control access to SNMP agents. SNMPv1 passwords fall
into the categories of read-only passwords and read-and-write passwords.
A read password enables reading data from an SNMP agent.
A read-and-write password enables reading data and setting variables on an SNMP agent.
• SNMPv2c also uses password authentication for SNMP agent access control. It is compatible with
SNMPv1, but it supports more operation modes, data types, and error codes.
• SNMPv3 uses a USM to secure SNMP communication. You can configure authentication and
privacy mechanisms to authenticate access and encrypt SNMP packets for integrity, authenticity,
and confidentiality.
An NMS and an SNMP agent must use the same SNMP version to communicate with each other.
For more information about SNMP, see HP A-MSR Router Series Network Management and Monitoring
Configuration Guide.

SNMP agent configuration


Select System Management > SNMP from the navigation tree to access the SNMP configuration page.

Figure 442 SNMP configuration page

Table 188 Configuration

| Item | Description |
|---|---|
| SNMP | Enable or disable the SNMP agent. When you disable the SNMP agent, all SNMP agent settings are removed. |
| SNMP Version | Select the SNMP version run by the system. Set the same SNMP version as on the NMS. |
| Contact Information | Enter contact information for the device. |
| Sysname | Set the system name of the device. The configured system name appears at the top of the navigation tree. |
| Device Location | Enter the physical location of the device. |
| Security Username | Set the SNMP security username when SNMPv3 is used. Set the same security username on the NMS. |
| Authentication Password | Set the authentication password when the SNMP version is selected as SNMPv3. Set the same authentication password on the NMS. The authentication protocol on the agent is MD5. Set MD5 as the authentication protocol on the NMS. |
| Privacy Password | Set the privacy password when the SNMP version is selected as SNMPv3. Set the same privacy password on the NMS. The privacy protocol on the agent is DES56. Set DES56 as the privacy protocol on the NMS. |
| Read Password | When the SNMP version is SNMPv1 & v2, set the read-only password with which the NMS can perform only read operations to the agent. Set the same read password on the NMS. |
| Read & Write Password | When the SNMP version is SNMPv1 & v2, set the read-and-write password with which the NMS can perform both read and write operations to the agent. Set the same read-and-write password on the NMS. |
| Trap Password | When the SNMP version is SNMPv1 & v2, set the authentication password with which the agent can send traps to the NMS. The trap password must be the same as either the read password or the read-and-write password. The trap password defaults to the security username and is not configurable when the SNMP version is SNMPv3. |
| Trusted Host | Set the trusted IP address of the agent. • If the trusted host is specified, only the NMS with the specified source IP address can access the agent. • If no trusted host is specified, there is no IP-address-based access control to the NMS. |
| Trap Target Host | Set the IP address of the target host of SNMP traps. |

SNMP configuration example


SNMPv1 or SNMPv2c configuration example
Network requirements
The SNMP agent (1.1.1.1/24) connects to an NMS (1.1.1.2/24) over Ethernet, as shown in Figure 443.
The NMS uses SNMPv1 or SNMPv2c to monitor and manage the SNMP agent, and the SNMP agent
reports errors and failures to the NMS.
Figure 443 Network diagram: Agent (1.1.1.1/24) connected to NMS (1.1.1.2/24)

Configuration procedure
1. Configure the SNMP agent.
a. Select System Management > SNMP from the navigation tree, and configure SNMP as shown
in Figure 444.

Figure 444 Configure the SNMP agent

b. Select the Enable option for SNMP.


c. Select the SNMPv1 & v2 option for SNMP Version.
d. Enter a read password, a read-and-write password, and a trap password.
e. Enter the IP address of the trap destination (1.1.1.2 in this example) in the Trap Target Host
Address/Domain field.
f. Click Apply.
2. Configure the SNMP NMS.

NOTE:
The SNMP settings on the NMS and the agent must match.

Set the same SNMP version, read password, and read-and-write password as on the SNMP agent.

Configuration verification
• Check that the NMS and the SNMP agent can set up SNMP sessions and that the NMS can query
and set MIB variables on the SNMP agent.
• Execute the shutdown and undo shutdown commands on an idle interface on the SNMP agent, and
check that the NMS can receive linkUp and linkDown traps.

SNMPv3 configuration example


Network requirements
The SNMP agent (1.1.1.1/24) connects to an NMS (1.1.1.2/24) over Ethernet, as shown in Figure 445.
The NMS uses SNMPv3 to monitor and manage the interface status of the SNMP agent. The SNMP agent
reports errors and failures to the NMS, and the NMS uses UDP port 5000 for SNMP traps.

The NMS and the SNMP agent perform authentication when they set up an SNMP session and encrypt
SNMP packets between them. The authentication key is authkey, and the privacy key is prikey.
Figure 445 Network diagram: Agent (1.1.1.1/24) connected to NMS (1.1.1.2/24)

Configuring the SNMP agent


• Select System Management > SNMP from the navigation tree, and configure SNMP settings as
shown in Figure 446.
Figure 446 Configure the SNMP agent.

a. Select the Enable option for SNMP.


b. Select the SNMPv3 option for SNMP Version.
c. Enter a username in the Security Username field.
d. Enter authkey in the Authentication Password field.
e. Enter prikey in the Privacy Password field.
f. Enter 1.1.1.2 in the Trusted Host field.
g. Enter 1.1.1.2 in the Trap Target Host field.
h. Click Apply.

Configuring the SNMP NMS
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
SNMPv3 adopts a security mechanism of authentication and privacy. Configure security username,
authentication protocol, authentication password, privacy protocol, privacy password, and so on.
Also, configure the aging time and retry times. After the above configurations, you can configure the
device as needed through the NMS. For more information about NMS configuration, see the manual
provided for NMS.

Verifying the configuration


• After the above configuration, an SNMP connection is established between the NMS and the agent.
The NMS can obtain and configure the values of some parameters on the agent through MIB nodes.
• Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.
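
How the Authentication Password entered on the agent and on the NMS becomes the key that signs each SNMPv3 message, as an added Python example (not HP code): it follows the RFC 3414 password-to-key and HMAC-MD5-96 procedure for the MD5 protocol named in Table 188. The engine ID and message bytes are constructed stand-ins, and the function names are this example's own.

```python
import hashlib
import hmac

MIN_USM_PASSWORD_LEN = 8  # RFC 3414 section 11.2: minimum password length
TAG_LEN = 12              # HMAC-MD5-96 keeps the first 96 bits of the MAC


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rest = divmod(1048576, len(password))
    return hashlib.md5(password * reps + password[:rest]).digest()


def localized_auth_key(password: str, engine_id: bytes) -> bytes:
    """Kul = MD5(Ku || snmpEngineID || Ku): one password, a different key per agent."""
    ku = password_to_key_md5(password.encode())
    return hashlib.md5(ku + engine_id + ku).digest()


def sign(message: bytes, tag_offset: int, kul: bytes) -> bytes:
    """Fill the 12-byte authentication field, which is zeroed while the MAC is computed."""
    end = tag_offset + TAG_LEN
    zeroed = message[:tag_offset] + bytes(TAG_LEN) + message[end:]
    tag = hmac.new(kul, zeroed, hashlib.md5).digest()[:TAG_LEN]
    return message[:tag_offset] + tag + message[end:]


def verify(message: bytes, tag_offset: int, kul: bytes) -> bool:
    """Receiver side: recompute the tag with its own key and compare in constant time."""
    end = tag_offset + TAG_LEN
    expected = sign(message, tag_offset, kul)[tag_offset:end]
    return hmac.compare_digest(message[tag_offset:end], expected)


def meets_usm_minimum(password: str) -> bool:
    """True when the password satisfies the RFC 3414 length requirement."""
    return len(password) >= MIN_USM_PASSWORD_LEN


# Constructed values for the demonstration (not taken from a real device).
ENGINE_ID = bytes.fromhex("800000000102030405")  # assumed agent snmpEngineID
HEADER = b"constructed-v3-header:"                # stand-in bytes, not real BER
MESSAGE = HEADER + bytes(TAG_LEN) + b":constructed-scoped-pdu"
TAG_OFFSET = len(HEADER)

if __name__ == "__main__":
    agent_key = localized_auth_key("authkey", ENGINE_ID)
    signed = sign(MESSAGE, TAG_OFFSET, agent_key)
    for nms_password in ("authkey", "Authkey"):
        nms_key = localized_auth_key(nms_password, ENGINE_ID)
        print(nms_password, "verifies:", verify(signed, TAG_OFFSET, nms_key))
    print("authkey meets the 8-character minimum:", meets_usm_minimum("authkey"))
```

A different password, authentication protocol or engine ID produces a different key, so the message is rejected. RFC 3414 sets an 8-character minimum for USM passwords; the sample value authkey has 7 characters.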

Configuring syslog

System logs contain a large amount of network and device information, including running status and
configuration changes. System logs are an important way for network administrators to monitor network
and device running status. With system log information, network administrators can find network or
security problems and take corresponding actions against them.
The system supports these information output destinations: the console, monitor terminal (terminal of users
logged in through the AUX, VTY, or TTY user interface), log buffer, log host, and web interface.

Displaying syslogs
The web interface provides rich search and sorting functions, and you can easily view system logs
through the web interface. Select Other > Syslog from the navigation tree to display the syslog display
page, as shown in Figure 447.
Figure 447 Syslog display page

TIP:
To clear all system logs in the log cache of the web interface, click Reset.
To refresh the system logs displayed on the webpage, click Refresh.
To make the syslog display page refresh automatically, set the refresh interval on the syslog configuration page. For
more information, see "Setting buffer capacity and refresh interval."

Table 189 Field description

| Field | Description |
|---|---|
| Time/Date | Displays the time/date when system logs are generated. |
| Source | Displays the module that generates system logs. |
| Level | Displays the severity level of system logs. System logs are classified into eight levels by severity. The severity levels in descending order are emergency, alert, critical, error, warning, notification, informational, and debugging. • Emergency—The system is unavailable. • Alert—Information that requires prompt reaction. • Critical—Critical information. • Error—Error information. • Warning—Warnings. • Notification—Normal information that must be noticed. • Informational—Informational information to be recorded. • Debugging—Information generated during the debugging. |
| Digest | Displays the summary of system logs. |
| Description | Displays the contents of system logs. |

Setting the loghost


To send system logs to the specified loghost, set the loghost information on the web interface. You can
specify up to four loghosts.
Select Other > Syslog from the navigation tree, and then click the Loghost tab to display the loghost
configuration page, as shown in Figure 448.

Figure 448 Loghost configuration page

Table 190 Configuration

| Item | Description |
|---|---|
| IPv4/Domain: Loghost IP/Domain | Set the IPv4 address or domain name of the loghost. |
| IPv6: Loghost IP | Set the IPv6 address of the loghost. |

Setting buffer capacity and refresh interval


Select Other > Syslog from the navigation tree, and then click the Log Setup tab to display the syslog
configuration page, as shown in Figure 449.

Figure 449 Log setup

Table 191 Configuration

| Item | Description |
|---|---|
| Buffer Capacity | Set the number of logs that can be stored in the log buffer of the web interface. |
| Refresh Interval | Set the refresh interval of the log information displayed on the web interface: • Manual—You must click Refresh to refresh the web interface when displaying log information. • Automatic—You can select to refresh the web interface every 1 minute, 5 minutes, or 10 minutes. |

Configuring diagnostic tools

Trace route
By using the trace route command, you can display the Layer 3 devices involved in delivering a packet
from source to destination. This function is useful for identification of failed nodes in the event of a
network failure.
A trace route operation involves the following steps:
1. The source device sends a packet with a TTL value of 1 to the destination device.
2. The first hop (the Layer 3 device that first receives the packet) responds with a TTL-expired ICMP
message to the source. In this way, the source device can obtain the address of the first Layer 3
device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with a TTL-expired ICMP message, which gives the source device the
address of the second Layer 3 device.
5. The above process continues until the ultimate destination device is reached. In this way, the source
device can trace the addresses of all Layer 3 devices involved to get to the destination device.
You can trace a route to an IP address or a host name. If the host name cannot be resolved, prompt
information is displayed on the source device.

Ping
You can use the ping function to check whether a device with a specified address is reachable, and to
examine network connectivity.
A successful execution of the ping command involves the following steps:
1. The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2. The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device
after receiving the ICMP echo request.
3. The source device displays related statistics after receiving the reply.
Output of the ping command is as follows:
• You can use the ping command to ping an IP address or a host name. If the host name is unknown,
the prompt information is displayed on the source device.
• If the source device does not receive an ICMP echo reply within the timeout time, it displays the
prompt information and the statistics during the ping operation. If the source device receives an
ICMP echo reply within the timeout time, it displays the number of bytes of the echo reply, the
message sequence number, TTL, response time, and statistics during the ping operation.
Statistics during the ping operation include number of packets sent, number of echo reply messages
received, percentage of messages not received, and the minimum, average, and maximum response
time.

Tools operations
Trace route operation
NOTE:
• The trace route function of the web interface does not support IPv6 addresses.
• Before executing a trace route operation, execute the ip ttl-expires enable command on the intermediate device to
enable the sending of ICMP timeout packets, and execute the ip unreachables enable command on the destination
device to enable the sending of ICMP destination unreachable packets.

Log in to the web interface, and then select Other > Diagnostic Tools from the navigation tree to display
the trace route configuration page, as shown in Figure 450.
Figure 450 Trace route configuration page

Enter the destination IP address or host name, and click Start to execute the trace route command. You
see the result in the Summary box.
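
The trace route steps and the NOTE above, worked through with real packet bytes in an added Python example (not the device's code): UDP probes with increasing TTL cross a constructed three-hop path in which one hop has TTL-expired messages disabled. The UDP probe type, the port numbers, the addresses and the function names are assumptions of this example.

```python
import socket
import struct

ICMP_DEST_UNREACHABLE, ICMP_TIME_EXCEEDED = 3, 11
PROTO_ICMP, PROTO_UDP = 1, 17
BASE_PORT = 33434  # assumed first probe port; each probe uses the next one


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; gives 0 over data that carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum, plus payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload


def udp_probe(src: str, dst: str, ttl: int, dport: int) -> bytes:
    """Steps 1 and 3: a probe to a port nobody listens on (UDP checksum 0 = unused)."""
    return ipv4(src, dst, ttl, PROTO_UDP, struct.pack("!HHHH", 40000, dport, 12, 0) + b"test")


def icmp_error(sender: str, original: bytes, icmp_type: int, code: int) -> bytes:
    """ICMP error to the probe's source, quoting its IP header and first 8 payload bytes."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4(sender, socket.inet_ntoa(original[12:16]), 255, PROTO_ICMP, body)


def intermediate_hop(packet: bytes, hop_ip: str, ttl_expires_enabled: bool):
    """A Layer 3 hop: forward with TTL-1, or answer/drop when the TTL runs out."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if packet[8] > 1:
        return "forward", ipv4(src, dst, packet[8] - 1, packet[9], packet[20:])
    if ttl_expires_enabled:  # the page's "ip ttl-expires enable"
        return "reply", icmp_error(hop_ip, packet, ICMP_TIME_EXCEEDED, 0)
    return "drop", None


def destination(packet: bytes, unreachables_enabled: bool):
    """Nothing listens on the probe port: port unreachable (type 3, code 3) if allowed."""
    if not unreachables_enabled:  # "ip unreachables enable" not configured
        return None
    return icmp_error(socket.inet_ntoa(packet[16:20]), packet, ICMP_DEST_UNREACHABLE, 3)


def classify_reply(reply, dport: int):
    """Source side: check both checksums, then match the quoted UDP header to the probe."""
    if reply is None or checksum(reply[:20]) or checksum(reply[20:]):
        return None
    quoted_proto = reply[28 + 9]                      # protocol field of the quoted header
    quoted_dport = struct.unpack("!H", reply[50:52])[0]
    if quoted_proto != PROTO_UDP or quoted_dport != dport:
        return None
    return socket.inet_ntoa(reply[12:16]), reply[20]  # (responder address, ICMP type)


def trace(src: str, dst: str, hops, dst_unreachables: bool = True, max_ttl: int = 30):
    """The TTL loop from the steps above; hops = [(address, ttl_expires_enabled), ...]."""
    route = []
    for ttl in range(1, max_ttl + 1):
        dport = BASE_PORT + ttl - 1
        packet = udp_probe(src, dst, ttl, dport)
        for hop_ip, enabled in hops:
            action, result = intermediate_hop(packet, hop_ip, enabled)
            if action != "forward":
                reply = result
                break
            packet = result
        else:  # the probe survived every hop and reached the destination
            reply = destination(packet, dst_unreachables)
        hit = classify_reply(reply, dport)
        route.append((ttl, hit[0] if hit else "*"))
        if hit and hit[1] == ICMP_DEST_UNREACHABLE:
            break
    return route


# Constructed topology (documentation address ranges), not from a real network.
SRC, DST = "192.0.2.10", "203.0.113.9"
HOPS = [("192.0.2.1", True), ("198.51.100.1", False), ("203.0.113.1", True)]

if __name__ == "__main__":
    for ttl, hop in trace(SRC, DST, HOPS):
        print(ttl, hop)
```

The silent second hop still forwards traffic and only its own address is missing from the result. With destination-unreachable messages disabled on the destination, the trace never sees a final answer and runs to the maximum TTL.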

Ping operation
NOTE:
The ping function of the web interface does not support IPv6 addresses.

Select Other > Diagnostic Tools from the navigation tree, and then click the Ping tab to display the ping
configuration page, as shown in Figure 451.

Figure 451 Ping configuration page

Enter the destination IP address or host name, and click Start to execute the ping command. You see the
result in the Summary box.

Configuring WiNet

As networks expand, more access devices are deployed at network edges. Managing these devices is a
tedious and complicated job. In addition, although IP address resources are becoming scarce, a large
number of public IP addresses are required because each device must be configured with an IP address.
WiNet technology helps you manage a large number of scattered network devices centrally.
WiNet has the following benefits:
• Saving public IP addresses.
• Integration—WiNet is integrated in network devices as a function, and requires no special network
management device.
• Easy to deploy—To build a WiNet, you only need to select a management device and complete
simple configurations through webpages on the management device.
• Low cost—No additional software is needed.
• User-friendly interface—WiNet provides the web interface for interaction, which facilitates
operations and management and requires no special network management staff.
• Plug-and-play—Based on an HP proprietary technology, WiNet displays the device in the network
topology once it is connected to the network through an Ethernet interface, and it allows you to
perform corresponding operations.
• Easy and quick deployment of security authentication—WiNet allows you to configure a RADIUS
server on an administrator device through simple web configuration and to configure interfaces of
member devices for security authentication through the administrator device.
According to the status and functions, devices are classified into three roles in WiNet:
• Administrator—Refers to the device serving as the WiNet management device. In a WiNet, only the
administrator is configured with a public IP address. You must specify only one administrator in each
WiNet to configure, manage, and monitor other devices. The administrator collects information to
discover and add candidates.
• Member—Refers to a device managed by the administrator in the WiNet.
• Candidate—Refers to a WiNet-capable device that has not yet been added to the WiNet. However,
the topology information of the candidate is already collected by the administrator.
Figure 452 Network diagram

Configuring WiNet
Enabling WiNet
To build a WiNet, configure a candidate as the administrator, and configure WiNet on it.
Select WiNet from the navigation tree. When WiNet is disabled, the "Only the WiNet administrator
supports the function" dialog box appears. Click OK to display the Setup page, as shown in Figure 453.
You can build or close WiNet on the page.
Figure 453 WiNet setup page

Table 192 WiNet setup configuration

| Item | Description |
|---|---|
| WiNet Name | Enter a WiNet name. |
| Management VLAN | Enter a management VLAN ID in the WiNet. You can enter an existing static VLAN only. The management VLAN is used by WiNet packets for communication. It actually defines the WiNet management range and delivers the following functions: • Isolates WiNet management packets from other packets, so that security is enhanced. • Enables internal communication between the administrator, members, and candidates. WiNet management requires that the management VLAN traffic be permitted on the administrator's ports (including cascade ports, if any) connected to members, candidates, and the external network. |
| IP Pool (Administrator IP), Mask of IP Pool | Enter an IP address, and select a network mask for the administrator. After that, each WiNet member is assigned an IP address on the same subnet as the administrator. |

NOTE:
After a WiNet is built, you cannot configure items on the Setup page, and the Build WiNet button changes
to Close WiNet. To delete the WiNet, click the Close WiNet button.

Setting the background image for the WiNet topology diagram
The WiNet topology diagram is displayed in the WiNet Management page and uses a white background
by default. You can customize the background image by uploading a .jpg or .bmp image (which is less
than 0.5 MB).
Select WiNet from the navigation tree, and then click the Setup tab to display the configuration page, as
shown in Figure 453.
To customize the background image, click Browse, locate the image you want to use, and then click
Upload.
To remove the customized background image, click Clear.

Managing WiNet
To manage WiNet members, make sure the port that connects your host to the administrator permits
packets of the management VLAN. Select WiNet from the navigation tree to display the default WiNet
Management page, as shown in Figure 454.
Figure 454 WiNet management page

On the WiNet Management page, you can perform these operations:


1. Set the refresh period for automatic refreshing of the WiNet topology diagram. Or, you can select
Manual for Refresh Period and click Refresh to display the latest WiNet topology diagram.

2. Click Collect Topology. After that, the administrator starts to collect topology information. In addition
to manual topology collection, the system automatically collects topology information every minute.
3. Click Network Snapshot to save the current WiNet topology as the baseline topology. The baseline
topology is used to show changes in network topology at different time points.
4. Click Initialize Topology to clear the stored baseline topology and cookies.
5. Click Open AuthN Center to configure a RADIUS server for security authentication on the
administrator device. Then this button changes to Close AuthN Center, and you can click the button
to remove the RADIUS server.
6. Drag the icon of a specific device in the WiNet topology, and place it to a position as needed. If the
browser is configured to accept cookies, the latest position information of each device is stored after
you click Network Snapshot.
7. Double-click a device on the WiNet topology map to show details about the device, including the
hostname, MAC address, device model, IP address, version, number of hops, and WiNet
information, as shown in Figure 455.
Figure 455 Device details

8. View the WiNet topology information, including the role of each device and connection status
between devices. The connection status can be:
   • Normal link—Indicates a connection existing in the baseline topology and the current topology.
   • New link—Indicates a connection not existing in the baseline topology but in the current
     topology.
   • Blocked loops—Indicate connections blocked by STP. If a normal link is blocked, it is displayed
     as a black broken line. If a new link is blocked, it is displayed as a blue broken line.
   • Down link—Indicates a connection existing in the baseline topology but not in the current
     topology.
9. Click a device in the topology diagram to view its panel diagram. You can manage the device as
follows:

NOTE:
Only A-MSR30 routers installed with MIM-FSW modules, A-MSR30-11E routers, and A-MSR30-11F
routers support displaying of the device panel, device renaming, and Layer 2 Portal authentication on
interfaces.

a. Click Rename Device and enter a new system name for the device, as shown in Figure 456.

Figure 456 Rename a device

b. Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click
Port Guard to enable Layer 2 Portal authentication on the interfaces.

NOTE:
You cannot enable Layer 2 Portal authentication on an interface that connects the management device to
a member/candidate device, connects the management device to an external network, or connects the
administrator to the management device.

c. If a member is selected, click Manage Device to log in to the webpage of the member. You can
configure and manage the member through the webpage. The username and password are
required before you can log in to the member. If the current user and password are consistent
with those of the member, you can directly log in to the member.
d. If a member is selected, click Initialize to restore the configuration to factory defaults and restart
the member.
e. If a member is selected, click Reboot to restart the member.

Configuring a RADIUS user


Select WiNet from the navigation tree, and then click the User Management tab to display the page
shown in Figure 457. Click Add to display the page shown in Figure 458.
Figure 457 User management page

Figure 458 Add a user

Table 193 Configuration for a RADIUS user

| Item | Description |
|---|---|
| Username | Enter the name of the user. |
| Password, Confirm Password | Set a user password and confirm it. The leading spaces (if any) of a password are omitted. |
| VLAN | Enter an authorized VLAN ID for the user. NOTE: If the access device does not support authorized VLANs, users with the authorized VLAN ID specified cannot pass authentication. |
| ACL | Enter an authorized ACL number for the user. NOTE: If the access device does not support authorized ACL properties, users with the authorized ACL specified cannot pass authentication. |
| Expire Time | Set the time when the user becomes invalid, in the format of HH:MM:SS-YYYY/MM/DD. A user whose system time is later than the preset expire time cannot pass authentication. |
| Description | Enter the user information. |

WiNet configuration example


WiNet establishment configuration example
Network requirements
As shown in Figure 459, a WiNet comprises an administrator and two members.

• The administrator is connected to the external network through Ethernet 0/1 and is connected to the
members through Ethernet 0/2 and Ethernet 0/3, respectively.
• The WiNet management VLAN is VLAN 10.
• The network interface of the administrator is VLAN-interface 10 with IP address 163.172.55.1/24.
Figure 459 Network diagram

Configuration procedure
1. Configure Device A and Device C.
# Configure Ethernet 0/1 on each device to permit VLAN 10 traffic. (Details not shown)
2. Configure Device B.
# Create VLAN 10 and VLAN-interface 10.
• Select Interface Setup > LAN Interface Setup from the navigation tree to display the default VLAN
Setup page, as shown in Figure 460.

Figure 460 Create VLAN 10 and VLAN-interface 10

a. Select the Create option.


b. Enter 10 for VLAN IDs.
c. Select the Create VLAN Interface checkbox.
d. Click Apply.

# Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10.
Figure 461 Assign interfaces to VLAN 10

a. On the VLAN Setup page, select 10 in the VLAN Config field, as shown in Figure 461.
b. Select Ethernet0/1, Ethernet0/2, and Ethernet0/3 from the list.
c. Click Add. The configuration progress dialog box appears, as shown in Figure 462.
Figure 462 Configuration progress dialog box

d. After the configuration is complete, click Close.

# Configure the IP address of VLAN-interface 10.


• Click the VLAN Interface Setup tab to display the page shown in Figure 463.

Figure 463 Specify an IP address for VLAN-interface 10

a. Select 10 for VLAN ID.


b. Enter 163.172.55.1 for IP Address.
c. Enter 255.255.255.0 for Subnet Mask.
d. Click Apply.

# Enable WiNet.
• Select WiNet from the navigation tree. When WiNet is disabled, the "Only the WiNet administrator
supports the function" dialog box appears. Click OK to display the Setup page, as shown in
Figure 464.

Figure 464 Enable WiNet

a. Enter WiNet for WiNet Name.


b. Click Advance Options.
c. Enter 10 for Management VLAN.
d. Enter 192.168.0.1 for IP Pool (Administrator IP).
e. Select 255.255.255.0 for Mask of IP Pool.
f. Click Build WiNet.

Verification
After the preceding configuration is complete, log in to Device B via Ethernet 0/1, and select WiNet from
the navigation tree to display the WiNet Management page. You can view a WiNet topology diagram
comprising an administrator (Device B) and two members (Device A and Device C) and manage the
devices, as shown in Figure 465.

Figure 465 WiNet topology diagram

WiNet-based RADIUS authentication configuration example


Network requirements
As shown in Figure 466, a WiNet comprises an administrator (Device B) and two members (Device A
and Device C). Client connects to Device A through Ethernet 0/2.
Deploy security authentication in the WiNet so that the client can access external networks after passing
authentication on Device B.

Figure 466 Network diagram

Configuration procedure
1. Establish a WiNet.
See "WiNet establishment configuration example" for detailed configuration.
2. Configure WiNet-based RADIUS authentication.
# Specify a RADIUS user.
• Log in to Device B through Ethernet 0/1. Select WiNet from the navigation tree on Device B, click
the User Management tab, and then click Add to display the page shown in Figure 467.
Figure 467 Configure WiNet-based RADIUS authentication

a. Enter client for Username.


b. Enter client_password for Password.
c. Enter client_password for Confirm Password.
d. Click Apply.

# Set up a RADIUS server.

Figure 468 Set up a RADIUS server

a. As shown in Figure 468, click the WiNet Management tab.


b. Click Open AuthN Center.

# Enable Layer 2 Portal authentication on Ethernet 0/2 of Device A.

Figure 469 Enable Layer 2 Portal authentication on Ethernet 0/2 of Device A

a. As shown in Figure 469, click Device A on the topology diagram.


b. Click Ethernet 0/2 on the panel diagram.
c. Click Port Guard.

Configuring VoIP basic service

The configuration wizard guides you to establish a basic call and to configure local numbers and
connection properties.

Basic service setup


Displaying the configuration wizard homepage
From the navigation tree, select Voice Management > Configuration Wizard to display the configuration
wizard homepage, as shown in Figure 470.
Figure 470 Configuration wizard homepage

Selecting a country
In the wizard homepage, click Start to display the country selection page, as shown in Figure 471.
Figure 471 Country selection page

Table 194 Configuration item

| Item | Description |
|---|---|
| Call Progress Tone Country Mode | Configure the device to play the call progress tones of a specified country or region. |

Configuring local numbers


In the country tone configuration page, click Next to display the local number configuration page, as
shown in Figure 472.
Figure 472 Local number configuration page

Table 195 Configuration

| Item | Description |
|---|---|
| Line | FXS voice subscriber lines |
| Number | Local telephone numbers |
| Username | Username used for registration authentication |
| Password | Password used for registration authentication |

Configuring connection properties


After finishing the local number configuration, click Next to display the connection property configuration
page, as shown in Figure 473.

Figure 473 Connection property configuration page

Table 196 Configuration

| Item | Description |
|---|---|
| Main Registrar Address | Address of the main registrar. It can be an IP address or a domain name. |
| Main Registrar Port Number | Port number of the main registrar. |
| Backup Registrar Address | Address of the backup registrar. It can be an IP address or a domain name. |
| Backup Registrar Port Number | Port number of the backup registrar. |
| Proxy Server Address | Address of the proxy server. It can be an IP address or a domain name. |
| Proxy Server Port Number | Port number of the proxy server. |

Finishing configuration wizard


After finishing the connection property configuration, click Finish to complete your configuration. The
page then jumps to the local number list, where you can view the configured local numbers and modify their
settings.

Local number and call route overview

The local number and call route parts contain basic settings, fax and modem, call services, and advanced
settings pages.

Basic settings
To implement a basic voice call, complete local number and call route configurations.
• Local number configuration includes setting a local telephone number and authentication
information used for registration.
• Call route configuration includes setting a destination telephone number and call route type. You
can select either SIP routing or trunk routing as the call route type. SIP routing includes proxy server
mode, IP routing mode, and server group binding mode.
For more information about basic settings of local number and call route, see "Configuring ."

Fax and modem


After completing the VoIP configurations (the basic settings of local number and call route), you can make
IP calls. Generally, if you connect the device to a fax machine or a modem, you can send and receive
faxes with the default settings. In the fax and modem configuration page, you can adjust some
parameters according to your needs.
For more information about fax and modem configuration, see "Configuring fax and modem."

Call services
Call services provide various new functions on top of basic voice calls to meet the application
requirements of VoIP users.
For more information about call services configuration, see "Configuring call services."
Some call services require the involvement of a voice server. For the configuration of the voice server, see
"Configuring call connections."

Advanced settings
The advanced settings include the following parts:
• Coding parameters—This part includes the configuration of codec priorities and packet assembly
intervals. The voice codec affects the voice bandwidth and voice quality, and you must select a
proper codec according to the actual network. The packet assembly interval depends on the
network bandwidth and network architecture and affects codec delay time.
• Others—This part includes the configuration of number selection priority, dial prefix, called number
sending mode, DTMF transmission mode, DSCP field value, and so on.

Configuring local number and call route

Local number
Local number configuration includes setting a local telephone number and authentication information
used for registration.

Call route
Call route configuration includes setting a destination telephone number and call route type. The call
route type can be either SIP routing or trunk routing.

SIP routing
SIP routing includes proxy server mode, IP routing mode, and server group binding mode. If you select IP
routing, the called parties can be found through static IP addresses or domain names. The network
diagram for IP routing mode is shown in Figure 474.
Figure 474 Network diagram for IP routing

Proxy server mode and server group binding mode need the SIP server to complete routing, as shown
in Figure 475.
Figure 475 Network diagram for proxy server/server group binding modes
[Diagram labels: SIP server, IP network, Router A, Router B]

Trunk routing
You can connect devices to the PBX on the PSTN network through FXO, E&M, VE1, VT1, and BSV trunk
lines. Among them, VE1 and VT1 trunk routing enables the device to provide more voice communication
channels, greatly increasing device utilization and broadening the service range.

[Diagram labels: PBX, trunk line, Router A, IP, Router B, trunk line, PBX]

See "Configuring trunk mode calling" for the configuration example of using the trunk routing as the call
route type.

Basic settings
Configuring a local number
Select Voice Management > Local Number from the navigation tree, and see "Configuring trunk mode
calling." Click Add to display the page for creating a local number, as shown in Figure 476.
Figure 476 Local number configuration page

Table 197 Configuration

| Item | Description |
|---|---|
| Number ID | Local number ID (1 to 9999). |
| Number | Local number. |
| Bound Line | This list displays all FXS voice subscriber lines. Select a voice subscriber line to be bound with the local number. |
| Description | Description of the number. |
| Register Function | • Enable. After the Enable option is selected, the authentication related options can be configured. • Disable. |
| Register Username | Username used for registration authentication. |
| Register Password | Password used for registration authentication. |
| Cnonce Name | Authentication information used for handshake authentication between the registrar and the SIP UA. |
| Realm Name | Realm name used for handshake authentication between the registrar and SIP UA. NOTE: If a realm name is configured on the SIP UA, make sure that it is the same as that configured on the registrar. Otherwise, the SIP UA fails the authentication due to mismatch. If no realm name is configured on a SIP UA, the SIP UA performs no realm name match and considers that the realm name configured on the registrar is trusted. |
| Status | Enable or disable the local number. |

NOTE:
• If it is necessary to configure authentication information for a local number, the same authentication information is
recommended for the same telephone number.
• In the case of authentication, you cannot modify the authentication information after the register function is enabled
because this operation may result in registration update failures.
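
The Realm Name rule in Table 197, worked through as an added example (not HP's code and not taken from the device). It assumes the registrar challenges REGISTER with SIP digest authentication (RFC 2617 MD5 with qop=auth), which this guide does not state; the function names are hypothetical, and the challenge, realm, nonce and cnonce values are constructed.

```python
import hashlib
import re
from typing import Dict, Optional


class RealmMismatch(Exception):
    """Realm in the registrar's challenge differs from the realm set on the UA."""


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest_challenge(header_value: str) -> Dict[str, str]:
    """Parse the value of a WWW-Authenticate header carrying a Digest challenge."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    fields: Dict[str, str] = {}
    # Parameters look like key="quoted value" or key=token, comma separated.
    for key, quoted, token in re.findall(
            r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params):
        fields[key.lower()] = quoted if quoted else token
    for required in ("realm", "nonce"):
        if required not in fields:
            raise ValueError("challenge lacks " + required)
    if fields.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only MD5 is handled in this example")
    return fields


def answer_register_challenge(challenge: str, username: str, password: str,
                              request_uri: str, cnonce: str,
                              configured_realm: Optional[str] = None,
                              nonce_count: int = 1) -> Dict[str, str]:
    """Build the Authorization parameters a UA sends back for REGISTER.

    configured_realm models the Realm Name field: when it is set, a
    challenge for any other realm is refused; when it is None, the realm
    supplied by the registrar is used as-is.
    """
    fields = parse_digest_challenge(challenge)
    realm, nonce = fields["realm"], fields["nonce"]
    if configured_realm is not None and configured_realm != realm:
        raise RealmMismatch(
            "challenge realm %r != configured realm %r" % (realm, configured_realm))

    # The realm is hashed together with the credentials, so both ends must
    # use the same realm string for the responses to match.
    ha1 = _md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = _md5_hex("REGISTER:%s" % request_uri)
    answer = {"username": username, "realm": realm,
              "nonce": nonce, "uri": request_uri}
    qop_options = [q.strip() for q in fields.get("qop", "").split(",") if q.strip()]
    if "auth" in qop_options:
        nc = "%08x" % nonce_count
        answer.update(qop="auth", nc=nc, cnonce=cnonce)
        answer["response"] = _md5_hex(
            "%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))
    else:
        # Challenge without qop: the cnonce is not part of the hash.
        answer["response"] = _md5_hex("%s:%s:%s" % (ha1, nonce, ha2))
    return answer


# Constructed challenge; realm and nonce are sample values, not device output.
SAMPLE_CHALLENGE = ('Digest realm="voice.example", nonce="4f2a9c1e7b", '
                    'algorithm=MD5, qop="auth"')

if __name__ == "__main__":
    # Username, password and registrar address reuse this guide's example values.
    common = dict(username="Router A", password="abc",
                  request_uri="sip:192.168.2.3", cnonce="0a4f113b")
    print(answer_register_challenge(SAMPLE_CHALLENGE, **common))
    try:
        answer_register_challenge(SAMPLE_CHALLENGE,
                                  configured_realm="pbx.example", **common)
    except RealmMismatch as exc:
        print("refused:", exc)
```

Because the realm is part of the hashed credentials, a UA with no Realm Name set answers whatever realm the challenger supplies, while a UA with the realm configured refuses an unexpected one.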

Configuring a call route


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route, as shown in Figure 477.
Figure 477 Call route configuration page

Table 198 Configuration

| Item | Description |
|---|---|
| Call Route ID | Enter a call route ID (10000 to 19999). |
| Destination Number | Enter the called telephone number. |
| Description | Enter the description of the call route. |
| Call Route Type | Required to use one approach. |
| Call Route Type: SIP, Proxy Server | Use a SIP proxy server to complete calling. |
| Call Route Type: SIP, IP Routing | Use the SIP protocol to perform direct calling. If you select this option, provide the destination address and port number. |
| Call Route Type: SIP, Binding Server Group | Select a server group from the Server Group list. You can add SIP server groups into the list in Voice Management > Call Connection > SIP Server Group Management. |
| Call Route Type: Trunk, Trunk Route Line | Select a trunk routing line from the list that displays all available voice subscriber lines. |
| Transport Layer Protocol for Call Route | Select one of the following transport layer protocols: • UDP • TCP • TLS. By default, UDP is selected. |
| URL Scheme for Call Route | • SIP—Specifies the SIP scheme. • SIPS—Specifies the SIPS scheme. By default, the SIP scheme is selected. |
| Register Function | • Enable—After the Enable option is selected, the authentication related options can be configured. • Disable. NOTE: The trunk routing mode supports the register function. Authentication-related options and their meanings are the same as those of local number, so they are not shown here. |
| Status | Enable or disable the call route. |

Configuration examples of local number and call
route
Configuring direct calling for SIP UAs through the SIP protocol
(configuring static IP address)
Network requirements
As shown in Figure 478, Router A and Router B can directly call each other as SIP UAs using the SIP
protocol (configuring static IP addresses).
Figure 478 Network diagram
[Diagram: Router A (Eth2/1, 192.168.2.1/24) and Router B (Eth2/1, 192.168.2.2/24) connected across the Internet; Telephone A (1111) on FXS 8/0 of Router A; Telephone B (2222) on FXS 8/0 of Router B]

Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 479 Create local number 1111

a. Enter 1 for Number ID.
b. Enter 1111 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone A for Description.
e. Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 480 Create call route 2222

a. Enter 10000 for Call Route ID.


b. Enter 2222 for Destination Number.
c. Select IP Routing for SIP Routing, and enter 192.168.2.2 for Destination Address.
d. Click Apply.

Configuring Router B
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 481 Create local number 2222

a. Enter 1 for Number ID.
b. Enter 2222 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone B for Description.
e. Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 482 Create call route 1111

a. Enter 10000 for Call Route ID.
b. Enter 1111 for Destination Number.
c. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
d. Click Apply.

Verifying the configuration


• After the above configuration, you can use telephone 1111 to call telephone 2222, or use
telephone 2222 to call telephone 1111.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to display
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring direct calling for SIP UAs through the SIP protocol
(configuring domain name)
Network requirements
As shown in Figure 483, acting as SIP UAs, Router A and Router B can first query destination addresses
through a DNS server and then make calls using the SIP protocol.
Figure 483 Network diagram

NOTE:
Before performing the following configurations, configure domain name resolution. For more information
about DNS, see "Configuring DNS."

Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 484 Create local number 1111

a. Enter 1 for Number ID.


b. Enter 1111 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone A for Description.
e. Click Apply.

# Create a call route.

Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 485 Create call route 2222

a. Enter 10000 for Call Route ID.


b. Enter 2222 for Destination Number.
c. Select IP Routing for SIP Routing, and enter cc.news.com for Destination Address.
d. Click Apply.

Configuring Router B
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 486 Create local number 2222

a. Enter 1 for Number ID.
b. Enter 2222 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone B for Description.
e. Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 487 Create call route 1111

a. Enter 10000 for Call Route ID.
b. Enter 1111 for Destination Number.
c. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
d. Click Apply.

Verifying the configuration


• After the above configuration, you can use telephone 1111 to call telephone 2222 by using the
DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111
by querying the static IP address of the called party.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to display
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring proxy server involved calling for SIP UAs


Network requirements
As shown in Figure 488, Router A and Router B act as SIP UAs, and SIP calls are made through a SIP
proxy server.
Figure 488 Network diagram

[Diagram: Router A (Eth2/1, 192.168.2.1/24), Router B (Eth2/1, 192.168.2.2/24) and the SIP server (Eth2/1, 192.168.2.3/24) connected across the Internet; Telephone A (1111) on FXS 8/0 of Router A; Telephone B (2222) on FXS 8/0 of Router B]

Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 489 Create local number 1111

a. Enter 1 for Number ID.


b. Enter 1111 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone A for Description.
e. Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 490 Create call route 2222

a. Enter 10000 for Call Route ID.
b. Enter 2222 for Destination Number.
c. Select SIP Routing for Call Route Type.
d. Select Proxy Server for SIP Routing.
e. Click Apply.

# Configure the registrar and the proxy server.


Select Voice Management > Call Connection > SIP Connection from the navigation tree to display the
connection properties configuration page.
Figure 491 Configure registration information

a. Select Enable for Register State.
b. Enter 192.168.2.3 for Main Registrar Address.
c. Enter Router A for Username and abc for Password.
d. In the Proxy Server area, enter 192.168.2.3 for Server Address.
e. Click Apply.

Configuring Router B
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 492 Create local number 2222

a. Enter 1 for Number ID.
b. Enter 2222 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone B for Description.
e. Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 493 Create call route 1111

a. Enter 10000 for Call Route ID.
b. Enter 1111 for Destination Number.
c. Select SIP for Call Route Type.
d. Select Proxy Server for SIP Routing.
e. Click Apply.

# Configure the registrar and the proxy server.


Select Voice Management > Call Connection > SIP Connection from the navigation tree to display the
connection properties configuration page.
Figure 494 Configure registration information

a. Select Enable for Register State.
b. Enter 192.168.2.3 for Main Registrar Address.
c. In the Proxy Server area, enter 192.168.2.3 for Server Address.
d. Enter Router A for Username and abc for Password.
e. Click Apply.

Verifying the configuration


• After the local numbers of the two sides are registered on the registrar successfully, telephone 1111
and telephone 2222 can call each other through the proxy server.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to display
the Active Call Summary page, which displays the statistics of ongoing calls.
• Select Voice Management > States and Statistics > Connection Status from the navigation tree, and
then click the Register Status tab to view the SIP register status.

Configuring trunk mode calling
Network requirements
As shown in Figure 495, Router A and Router B are connected through an FXO trunk line. It is required
that Telephone 1111 can call Telephone 2222.
Figure 495 Network diagram

Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 496 Create local number 1111

a. Enter 1 for Number ID.


b. Enter 1111 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone A for Description.
e. Click Apply.

# Create a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add to display the page
for creating a call route.
Figure 497 Create call route 2222

a. Enter 10000 for Call Route ID.
b. Enter 2222 for Destination Number.
c. Select Trunk for Call Route Type.
d. Select subscriber-line 1/0 from the Trunk Route Line list.
e. Click Apply.

# Configure number sending mode.


Select Voice Management > Call Route from the navigation tree, and then click the icon of the target
route to display the advanced settings page.
Figure 498 Configure number sending mode

a. Select Send All Digits of a Called Number for Called Number Sending Mode.
b. Click Apply.

Configuring Router B
Select Voice Management > Local Number from the navigation tree, and then click Add to display the
page for creating a local number.
Figure 499 Create local number 2222

a. Enter 1 for Number ID.


b. Enter 2222 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Enter Telephone B for Description.
e. Click Apply.

Verifying the configuration
• Telephone 1111 can call telephone 2222 over the trunk line.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to display
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring fax and modem

FoIP
Traditional fax machines transmit and receive faxes over PSTN. Over time, fax has become widely
used owing to advantages such as support for various kinds of information, high transmission speed,
and simple operation. So far, G3 fax machines are dominant in fax communications. A G3 fax machine
uses signal digitizing technology: image signals are digitized and compressed internally, then converted
into analog signals through a modem, and finally transmitted into the PSTN switch through common
subscriber lines.
FoIP is for sending and receiving faxes over the Internet. Devices can provide the FoIP function after the
FoIP feature is added on the basis of the VoIP function. Because FoIP is the Internet-based fax service, it
costs users less to send national and international faxes.
The network diagram for FoIP is similar to that for VoIP. You just replace the IP phone with a fax machine
to implement the fax function. As long as you can use IP phones, you can use the fax function. Therefore,
the fax function is very simple. The following figure illustrates an FoIP system structure.
Figure 500 FoIP system structure

Protocols and standards for FoIP


IP real-time fax complies with the ITU-T T.30 and T.4 protocols on the PSTN side and T.38 protocols on
the IP network side.
• T.30 protocol is about file and fax transmission over PSTN. It describes and regulates the
communication traffic of G3 fax machines over common telephone networks, signal format, control
signaling, and error correction to the full extent.
• T.4 protocol is a standard protocol involving the G3 fax terminals for file transmission. It provides a
standard regulation for the G3 fax terminals on image encoding/decoding scheme, signal
modulation and speed, transmission duration, error correction, and file transmission mode.
• T.38 protocol is about the real-time G3 fax over IP networks. It describes and regulates the
communication mode, packet format, error correction and some communication flows of real-time
G3 fax over IP networks.

Fax flow
In FoIP, the call setup, handshake, rate training, packet transfer, and call release are always real-time.
From the perspective of users, FoIP has no difference from faxing over PSTN.
Signals that a G3 fax machine receives and sends are modulated analog signals. Therefore, the router
processes fax signals in a different way than it processes telephone signals. The router must perform A/D
or D/A conversion for fax signals (the router demodulates analog signals from PSTN into digital signals
or modulates digital signals from the IP network into analog signals), but it does not need to compress fax
signals.
A real-time fax process consists of five phases:
1. Fax call setup phase—This phase is similar to the process of a telephone call setup. The difference is
that the fax tones identifying the sending/receiving terminals are included.
2. Prior-messaging phase—During this phase, fax faculty negotiation and training are performed.
3. Messaging phase—During this phase, fax packets are transmitted in accordance with the T.4
procedure, and packet transmission is controlled (including packets synchronization, error detection
and correction, and line monitoring).
4. Post-messaging phase—During this phase, control operations such as packet authentication,
messaging completion, and multi-page continuous transmission are performed.
5. Fax call release phase—During this phase, the fax call is released.

Introduction to fax methods


T.38 fax
The device supports two fax protocols: T.38 protocol and standard T.38 protocol. The standard T.38
protocol should be selected for interworking with leading fax terminals in the industry. Since most leading
fax terminals in the industry do not support the local training mode, the end-to-end training mode must be
selected for interworking with them.

Pass-through fax
The fax pass-through technology was developed primarily for the purpose of compressing and
transmitting T.30 fax packets that cannot be demodulated through packet switched networks. With this
technology, the devices on two sides can directly communicate over a transparent IP link, and the voice
gateways do not distinguish fax calls from voice calls. After detecting a fax tone in an established VoIP
call, the voice gateway checks whether the voice codec protocol is G.711. If it is not, the voice gateway
switches the codec to G.711. Then fax data is transmitted as voice data in the pass-through mode.
In the pass-through mode, fax information is in the format of uncompressed G.711 codes and is
encapsulated in RTP packets between gateways, and a fixed bandwidth of 64 Kbps is occupied.
Although the packet redundancy mechanism can reduce the packet loss ratio, the pass-through mode is
subject to factors such as packet loss ratio, jitter, and delay. Therefore, it is necessary to ensure
synchronization of the clocks on both sides. Fax pass-through is called VBD by ITU-T. Fax or modem
signals are transmitted over a voice channel using a proper coding method. The only codecs supported
are G.711 A-law and G.711 μ-law. In addition, when the fax pass-through function is enabled, the VAD
function must be disabled to avoid fax failures.
You can implement the fax pass-through function on the voice gateway in either of the following ways:
• Configure the fax to work in the pass-through mode on both sides.
• Negotiate the codec as G.711 and disable fax forwarding. Then, disable the VAD function to avoid
fax failures. This method is used for the voice gateway to interwork with other devices in the
pass-through mode.

SIP Modem pass-through function


The SIP Modem pass-through function is mainly used for remote device management. Since the VoIP
network has replaced part of the traditional PSTN, VoIP devices are required to support the modem
pass-through function, which can help remote PSTN users to log in to internal network devices through
dialup.

Configuring fax and modem


Before configuring fax and modem, configure local numbers and call routes. See "Configuring " for
details.

Configuring fax and modem parameters of a local number


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to display the local number Fax and Modem configuration page, as shown
in Figure 501.
Figure 501 Local number Fax and Modem configuration page

Table 199 Configuration

Item Description
• Enable—The fax parameters can be configured only when the fax function
Fax Function is enabled.
• Disable

512
Item Description
Configure the protocol used for fax communication with other devices:
• T.38—With this protocol, a fax connection can be set up quickly.
• Standard T.38—Supports SIP.

Configure the fax pass-through mode:


Fax Protocol • G.711 A-law
• G.711 μ-law
The pass-through mode is subject to such factors as loss of packet, jitter, and
delay, so the clocks on both communication sides must be kept synchronized.
Only G.711 A-law and G.711 μ-law are supported, and the VAD function
should be disabled.

Low-speed data refers to the V.21 NOTE:


command data. Increasing the number of redundant
Number of Redundant
Low-speed T.38 Packets This option is configurable when T.38 packets improves reliability of network
or standard T.38 is selected as the fax transmission and reduces packet loss
protocol. ratio. A great amount of redundant
packets, however, can increase
bandwidth consumption to a great
High-speed data refers to the TCF and
extent and thereby, in the case of low
image data.
Number of Redundant bandwidth, affect the fax quality
High-speed T.38 Packets This option is configurable when T.38 seriously. Therefore, the number of
or standard T.38 is selected as the fax redundant packets should be selected
protocol. properly according to the network
bandwidth.
Specifies the maximum fax transmission rate:
• 24000 bps—Set the maximum transmission rate to 2400 bps.
• 4800 bps—Negotiate the baud rate first in accordance with the V.27 fax
protocol. The maximum transmission rate is 4800 bps.
• 9600 bps—Negotiate the baud rate first in accordance with the V.29 fax
protocol. The maximum transmission rate is 9600 bps.
• 14400 bps—Negotiate the baud rate first in accordance with the V.17 fax
protocol. The maximum transmission rate is 14,400 bps.
• Allowed Max Voice Speed of the Codec Protocol—Determines the maximum
fax rate depending on the codec protocol.
By default, the Allowed Max Voice Speed of the Codec Protocol option is
Max Transmission Rate of
adopted.
Fax
NOTE:
• If G.711 is adopted, the maximum fax transmission rate is 14,400 bps,
and the fax protocol is V.17.
• If G.723.1 Annex A is adopted, the maximum fax transmission rate is
4,800 bps, and the fax protocol is V.27.
• If G.726 is adopted, the maximum fax transmission rate is 14,400 bps,
and the fax protocol is V.17.
• If G.729 is adopted, the maximum fax transmission rate is 7,200 bps, and
the fax protocol is V.29.
If an option other than the default option is adopted, the maximum rate is
negotiated first in accordance with the corresponding fax protocol.

513
Item Description
Specify the fax training mode:
• Local—Indicates that the gateways participate in the rate training between
fax terminals. In the local training mode, rate training is performed
between fax terminals and gateways, and then the receiving gateway
sends the training result of the receiving fax terminal to the transmitting
Fax Training Mode
gateway. The transmitting gateway finalizes the packet transmission rate
by comparing the received training result with its own training result.
• Point-to-Point—Indicates that the gateways do not participate in the rate
training between two fax terminals. In this mode, rate training is performed
between two fax terminals and is transparent to the gateways.

When rate training is carried on between fax terminals, the transmitting


terminal transmits "zero-filled" TCF data (the filling time per packet is 1.5±10%
seconds) to the receiving fax terminal, and the receiving fax terminal decides
whether the current rate is acceptable according to the received TCF data.
When the percentage of all-ones or all-zeros TCF data to the total number of
TCP data is less than the local training threshold, the current rate training
Local Training Threshold in succeeds. Otherwise, the current rate training fails and you must drop the rate
Percentage for a local training operation again.
By default, the threshold is 10.
NOTE:
When the local training mode is adopted, use this option to configure the threshold
in percentage. When the Point-to-Point training mode is adopted, the gateway
does not participate in rate training, and the threshold of local training does not
apply.
In common fax applications, the participating fax terminals negotiate with the
standard faculty (such as V.17 and V.29 rate) by default. It means that they do
not send each other NSF message frames. In some cases, such as encrypted
fax, both fax terminals adopt a nonstandard faculty (NSF) to negotiate.
At the start of negotiation, both terminals first exchange NSF message frames,
and then they negotiate the subsequent fax faculty for communication. NSF
Signal Transmission Mode messages are standard T.30 messages and carry private information.
of Fax Faculty
To use a nonstandard faculty for negotiation, the following conditions must be
satisfied:
1. Fax terminals must support nonstandard transmission mode.
2. The transmission mode must be set to a nonstandard mode in the POTS
and VoIP entities for both fax terminals.
By default, a standard faculty mode is adopted for fax faculty transmission.

Usually, the default transmit energy level of the gateway carrier is acceptable.
If the fax cannot be set up yet on the premise that other configurations are
Transmit Energy Level of a correct, you can attempt to adjust the transmit energy level of the gateway
Gateway Carrier carrier (transmit energy level attenuation). A greater level indicates greater
energy. A smaller level indicates greater attenuation.
By default, the transmit energy level of the gateway carrier is –15 dBm.

514
Item Description
ECM Fax:
As defined in ITU-T, the ECM is required for a half-duplex and fax message
transmission using the half-duplex and half-modulation system of ITU-T V.34
protocol. The G3 fax terminals working in full-duplex mode are required to
support half-duplex mode (ECM).
The fax machines using ECM can correct errors, provide the ARQ function, and
transmit fax packets in the format of HDLC frames. The fax machines using
non-ECM cannot correct errors, and they transmit fax packets in the format of
binary strings.
• Enable—Enable ECM for fax.
• Disable—Disable ECM for fax.
By default, ECM is disabled.
ECM can be adopted only if fax machines on both sides support ECM and the
gateways are configured with ECM.
You must enable ECM mode for the local numbers and call routes
corresponding to the fax sender and receiver in the ECM mode.

CNG Fax Switchover Function:
The CNG fax switchover is mainly used to implement the fax mailbox service
through communication with the VCX. When the local fax machine A
originates a fax call to the peer fax machine B, if B is busy or is unattended, A
can send the originated fax to the fax mailbox of the VCX. With CNG fax
switchover enabled, the voice gateway can switch to the fax mode once it
receives a CNG from A.
• Enable
• Disable
The function is disabled by default.

Codec Type and Switching Mode for SIP Modem Pass-through:
Configure the codec type and switching mode for SIP Modem pass-through
function:
• Standard G.711 A-law—Adopt G.711 A-law as the codec type and use
Re-Invite switching for SIP Modem pass-through.
• Standard G.711 μ-law—Adopt G.711 μ-law as the codec type and use
Re-Invite switching for SIP Modem pass-through.
• NTE Compatible G.711 A-law—Adopt G.711 A-law as the codec type and
use NTE-compatible switching for SIP Modem pass-through.
• NTE Compatible G.711 μ-law—Adopt G.711 μ-law as the codec type and
use NTE-compatible switching for SIP Modem pass-through.

NTE Payload Type Field:
Configure the value of NTE payload type for the NTE-compatible switching
mode.
This option is configurable only when NTE Compatible G.711 A-law or NTE
Compatible G.711 μ-law is selected from the Codec Type and Switching Mode
for SIP Modem Pass-through list.
By default, the value of the NTE payload type is 100.

Configuring fax and modem parameters of a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to display the call route Fax and Modem configuration page.

Figure 502 Call route Fax and Modem configuration page

For call route fax and modem configuration items, see Table 199 for details.

Configuring call services

More and more VoIP-based services are demanded as voice application environments expand. On the
basis of basic calls, new features are implemented to meet different application requirements of VoIP
subscribers.

Call waiting
When subscriber C calls subscriber A who is already engaged in a call with subscriber B, the call is not
rejected if call waiting is enabled. Just like a normal call, subscriber C hears ringback tones, while
subscriber A hears call waiting tones as a reminder that a call is waiting on the line.
Subscriber A can answer the new call by pressing the flash hook or by hanging up to end the call with
subscriber B. In the former case, subscriber B is held. In the latter case, subscriber A is immediately
alerted and can pick up the phone to answer the call originated by subscriber C (the waiting call).

Call hold
If subscriber A in a conversation with subscriber B presses the flash hook, the media session of subscriber
B is temporarily cut through and is held (in the silent state or listening to the waiting tones). The system
plays silent tones or dial tones to subscriber A, depending on the configuration. (The system first plays
dial tones and waits for the subscriber to dial. If the subscriber fails to dial within a period of time, the
system stops playing dial tones and the line stays on hold.) Subscriber A can resume the call with
subscriber B by pressing the flash hook again.
After pressing the flash hook, subscriber A hears dial tones and can initiate a new call. The setup flow for
the new call is completely the same as the one for ordinary calls.

Call forwarding
After receiving a session request, the called party cannot answer the call for some reason. In this case,
the called party notifies in a response the calling party of the forwarded-to number so that the calling
party can re-initiate a session request to the new destination. This is call forwarding.
The system supports these types of call forwarding:
• Call forwarding unconditional—With this feature enabled on a voice subscriber line, incoming calls
are forwarded to the predetermined destination, no matter whether the voice subscriber line is
available.
• Call forwarding busy—With this feature enabled on a voice subscriber line, an incoming call is
forwarded to the predetermined destination when the voice subscriber line is busy.
• Call forwarding no reply—With this feature enabled on a voice subscriber line, an incoming call is
forwarded to the predetermined destination when the voice subscriber line is not answered within a
period of time, which is configured by specifying Max Duration of Playing Ringback Tones on the
FXS, FXO, or E&M line configuration page. It defaults to 60 seconds.
• Call forwarding unavailable—With this feature enabled on a voice subscriber line, an incoming call
is forwarded to the predetermined destination when the voice subscriber line is shut down.

Call transfer
Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the
flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber
C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is
established. This is call transfer.
To complement the call transfer feature, the device supports call recovery after a call transfer fails.
If subscriber C in the above example is in a conversation with another subscriber and cannot establish a
conversation with subscriber B, the call between subscriber A and subscriber B is recovered.

Call backup
After initiating a call to the called party, the calling party is unable to receive a response. In this case, if
there is another link (PSTN link or VoIP link) to the called party, the calling party re-initiates a call to the
called party over the new route. This is call backup.
The system supports these types of call backup:
• A PSTN link or VoIP link backs up a PSTN link.
• A PSTN link backs up a VoIP link.

Hunt group
Multiple voice subscriber lines are configured with the same called number to form a hunt group. If the
voice subscriber line with the first priority is unavailable when a call setup request to the called party is
received, the call is still established through another voice subscriber line in the hunt group.

Call barring
Call barring includes incoming call barring and outgoing call barring.
Incoming call barring usually refers to the DND service. When incoming call barring is enabled on a
voice subscriber line, calls originated to the attached phone fail.
When outgoing call barring is enabled on a voice subscriber line, calls originated from the attached
phone fail, too.

Message waiting indication


The MWI feature allows a voice gateway to notify a subscriber of messages received from a voice
mailbox server. For example, when a call destined to subscriber A is forwarded to the voice mailbox
server, the server notifies the voice gateway of the state change. When subscriber A picks up the phone,
subscriber A hears the message waiting tone without needing to query the mailbox.

Three-party conference
When subscriber A has a call with subscriber B and holds a call with subscriber C, A can make C join
the current conversation to implement a three-party conference.
During a three-party conference, a passive participant can initiate a new call to create another
conversation. In this way, conference chaining is implemented, and each conference initiator serves as a
conference bridge.

Silent monitor and barge in services
"Silent monitor service" allows a supervisor to monitor active calls without being heard.
"Barge in service" allows a supervisor to participate in a monitored call to implement three-party
conference. For example, suppose subscribers A and B are in a conversation and subscriber C is the
supervisor. If C wants to join the conversation, it sends a request to A. If A permits it, the three-party
conference can be held. In this example, C is the active participant of the conference, A is the voice mixer,
and B is the original participant of the conversation.
Silent monitor and barge in services can be considered as the extensions of three-party conference. To
distinguish them from traditional three-party conference, these two services are called three-party
conference in active participation mode.

Calling party control


The calling party control service allows the called party to resume the conversation with the calling party
by picking up the phone within the specified time. For example, subscriber A is the calling party, and
subscriber B is the called party. The on-hook delay is set to m seconds on the voice subscriber line of
subscriber B. After the call between A and B is established, if the calling party A hangs up first, the call
ends. If the called party B hangs up first, it can resume the call with A by picking up the phone within
m seconds. After that, no matter how many times B hangs up within m seconds, it can resume the call with
A by picking up the phone.
In this example, after B hangs up for the first time, A hears silent tones from the headphone within m
seconds. If subscriber C dials subscriber B during this time, the telephone of B does not ring, and C hears
busy tones.

Door opening control


The door opening control service allows a user to open a door remotely. The process is as follows: user A
who wants to enter a door calls user B. After the session is established, user B enters a password starting
with an asterisk (*) and ending with a pound sign (#) on the phone.
• If the entered password is correct (the password matches the door opening control password
configured for the voice subscriber line), the door control relay opens the door. After a predefined
door open duration, the door control relay locks the door automatically.
• If the entered password is incorrect, the door cannot be opened.

CID on the FXS voice subscriber line


With the CID service, calling identity information such as the calling number, calling name, date, and
time is displayed on the called terminal.
With the CID function, calling numbers and calling time in single-data-message format (SDMF) can be
transmitted or received in an on-hook state. When the CID function is combined with services such as
CFU and CFB, calling identity information can also be transmitted if required. A message in SDMF
contains the following information:
• Date and time when the voice call occurs (MM DD hh:mm)
• Calling number if CID is enabled on the device
• P if CID is disabled on the device
• O if the terminating private branch exchange (PBX) fails to obtain the calling number (for example,
the originating PBX end does not send it)
A message in multiple-data-message format (MDMF) contains the following information:
• Date and time when the voice call occurs (MM DD hh:mm)
• Calling number and calling name if CID is enabled on the device
• Two Ps for the calling number and the calling name if CID is disabled on the device
• O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end
does not send it)
• O if the terminating PBX fails to obtain the calling name (for example, the originating PBX end does
not send it)
The FXS voice subscriber line sends the calling identity information to the called telephone. The calling
identity information is sent to the called telephone through FSK modulation between first and second rings.
Therefore, the called user must pick up the telephone after the second ring to make sure that the calling
identity information is sent and received correctly. Otherwise, the calling identity information may fail to
be displayed.

CID on the FXO voice subscriber line


The FXO voice subscriber line receives the calling identity information from the PBX. By default, the FXO
interface receives the modulation information of the calling identity information from the PBX between
the first and second rings. You can change this by configuring the Time for CID Check on the FXO line
configuration page. The calling identity information then undergoes FSK demodulation and parity check.
After the parity check succeeds, the device checks whether the function of sending calling identity
information is enabled. If the function is enabled, the calling identity information (indicating that the
calling identity information is received) is sent. Otherwise, the character P or O is sent.
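
An added example, not from the HP guide or the device firmware: a receive-side parser for the SDMF and MDMF messages described above that checks the frame before any field is displayed or logged. The byte layout (type codes 0x04 and 0x80, parameter codes, modulo-256 checksum in place of the check the guide calls a parity check), the length limits, and the sample frames are assumptions of this example; the guide itself only lists the fields and the P and O markers.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed layout (Bellcore/Telcordia GR-30 style; the guide gives no byte layout):
#   [type][length][payload ...][checksum], with all bytes summing to 0 modulo 256.
SDMF, MDMF = 0x04, 0x80
P_DATETIME, P_NUMBER, P_NO_NUMBER, P_NAME, P_NO_NAME = 0x01, 0x02, 0x04, 0x07, 0x08
ABSENCE_CODES = (b"P", b"O")  # P: CID disabled; O: not obtained by the terminating PBX

class CidError(ValueError):
    """A frame that must not be displayed, logged as caller data, or acted on."""

@dataclass
class CallerId:
    fmt: str
    when: Optional[str] = None           # "MM DD hh:mm"
    number: Optional[str] = None
    name: Optional[str] = None
    number_absent: Optional[str] = None  # "P" or "O"
    name_absent: Optional[str] = None    # "P" or "O"

def build_frame(msg_type: int, payload: bytes) -> bytes:
    """Build a frame with a correct length and checksum (used for the samples)."""
    body = bytes([msg_type, len(payload)]) + payload
    return body + bytes([(-sum(body)) & 0xFF])

def _when(raw: bytes) -> str:
    if len(raw) != 8 or not raw.isdigit():
        raise CidError("date/time must be 8 ASCII digits (MMDDhhmm)")
    mm, dd, hh, mi = (int(raw[i:i + 2]) for i in range(0, 8, 2))
    if not (1 <= mm <= 12 and 1 <= dd <= 31 and hh <= 23 and mi <= 59):
        raise CidError("date/time out of range")
    return f"{mm:02d} {dd:02d} {hh:02d}:{mi:02d}"

def _number(raw: bytes) -> str:
    # The 20-digit limit is a bound chosen for this example.
    if not 1 <= len(raw) <= 20 or not raw.isdigit():
        raise CidError("calling number must be 1 to 20 ASCII digits")
    return raw.decode("ascii")

def _name(raw: bytes) -> str:
    # The name is remote-controlled text: accept printable ASCII only, so control
    # or escape bytes never reach a display or a log line. 15 is an example bound.
    if not 1 <= len(raw) <= 15 or any(b < 0x20 or b > 0x7E for b in raw):
        raise CidError("calling name must be 1 to 15 printable ASCII characters")
    return raw.decode("ascii")

def _absence(raw: bytes) -> str:
    if raw not in ABSENCE_CODES:
        raise CidError("absence reason must be P or O")
    return raw.decode("ascii")

# MDMF parameter code -> (CallerId attribute, validating decoder)
FIELDS = {P_DATETIME: ("when", _when), P_NUMBER: ("number", _number),
          P_NO_NUMBER: ("number_absent", _absence), P_NAME: ("name", _name),
          P_NO_NAME: ("name_absent", _absence)}

def parse_frame(frame: bytes) -> CallerId:
    """Validate length and checksum first, then decode SDMF or MDMF fields."""
    if len(frame) < 3 or len(frame) != frame[1] + 3:
        raise CidError("length field does not match frame size")
    if sum(frame) & 0xFF:
        raise CidError("checksum mismatch")
    msg_type, payload = frame[0], frame[2:-1]
    if msg_type == SDMF:
        cid, rest = CallerId("SDMF", when=_when(payload[:8])), payload[8:]
        if rest in ABSENCE_CODES:
            cid.number_absent = rest.decode("ascii")
        else:
            cid.number = _number(rest)
        return cid
    if msg_type != MDMF:
        raise CidError(f"unsupported message type 0x{msg_type:02x}")
    cid, pos = CallerId("MDMF"), 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise CidError("truncated parameter header")
        code, plen = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + plen]
        if len(value) != plen:
            raise CidError("parameter length runs past the end of the message")
        if code in FIELDS:  # unknown parameter codes are skipped, never interpreted
            attr, decode = FIELDS[code]
            setattr(cid, attr, decode(value))
        pos += 2 + plen
    return cid

# Constructed sample frames (built here, not captured from a device).
STAMP = b"08101530"  # MM DD hh mm
SDMF_SAMPLE = build_frame(SDMF, STAMP + b"1000")
SDMF_PRIVATE = build_frame(SDMF, STAMP + b"P")
MDMF_SAMPLE = build_frame(MDMF, bytes([P_DATETIME, 8]) + STAMP
                          + bytes([P_NUMBER, 4]) + b"1000"
                          + bytes([P_NAME, 5]) + b"Alice")

if __name__ == "__main__":
    for sample in (SDMF_SAMPLE, SDMF_PRIVATE, MDMF_SAMPLE):
        print(parse_frame(sample))
```

A frame that passes these checks is well formed, not authenticated: the number and name are whatever the sending side chose to put in the message.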

Support for SIP voice service of the VCX


Together with a server, the VCX implements the application of multiple voice features such as Silent
Monitor, Camp On, and FwdMail Toggle by using the 3Com proprietary SIP Feature messages.

Configuring call services of a local number


Configuring call forwarding, call waiting, call hold, call transfer,
and three-party conference
Select Voice Management > Local Number from the navigation tree, and then click the icon of the local
number to be configured to display the call services configuration page shown in Figure 503.

Figure 503 Call services configuration page

Table 200 Configuration

Item Description
Call Forwarding:
The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to
number for call forwarding no reply.
The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number
for call forwarding busy.
Call Forwarding Unconditional—Enter the forwarded-to number for forwarding
unconditional.
The Forwarded-to Number for Call Forwarding Unavailable—Enter the forwarded-to
number for call forwarding unavailable.

Call Waiting:
After call waiting is enabled, you can configure the following parameters according to
your needs:
• Number of Call Waiting Tone Play Times
• Number of Tones Played at One Time
• Interval for Playing Call Waiting Tones
By default, two call waiting tones are played once, and if the value of Number of Tones
in a Call Waiting Tone is greater than 1, the Interval for Playing Call Waiting Tones is 15
seconds.

Call Hold:
Enable or disable the call hold function.

Call Transfer:
Call hold must be enabled before call transfer.
After call transfer is enabled, you can set the Call Transfer Start Delay parameter
according to your needs.

Three-Party Conference:
The three-party conference function depends on the call hold function. Therefore,
enable the call hold function before configuring three-party conference.

Monitor and Barge In:
Enable or disable the silent-monitor and barge in services.

Configuring other voice functions


Select Voice Management > Local Number from the navigation tree, and then click the icon of the local
number to be configured to display the call services configuration page shown in Figure 504.
Figure 504 Call services configuration page

Table 201 Configuration

Item Description
Calling Name:
Set the calling name, a string of case-sensitive characters including numbers 0 through
9, letters A through Z or a through z, underlines (_), hyphens (-), dots (.), exclamation
point (!), percent sign (%), asterisk (*), plus sign (+), grave accent (`), single quotation
mark ('), and tilde (~).
By default, no calling name is configured.
The calling name in the calling identity information can only be transmitted in MDMF
format. Therefore, if the calling information delivery is enabled, select the Complex
Delivery option in the Calling Information Delivery area.

Calling Information Delivery:
Configure the format of calling information:
• Complex Delivery—Calling identity information is transmitted in complex format.
• Simple Delivery—Calling identity information is transmitted in simple format.
• Do Not Deliver—Do not deliver the calling identity information.
By default, the complex delivery is adopted.
If the remote end supports one format only, you must use the same message format at
the local end.

Call Identity Delivery:
• Enable
• Disable
The calling identity is delivered by default.

Incoming Call Barring:
• Enable
• Disable
By default, incoming call barring is disabled.

Password for Outgoing Call Barring:
Set a password to lock your telephone when you do not want others to use your
telephone.

Feature Service:
• Enable
• Disable
By default, feature service is disabled.

Hunt Group:
• Enable
• Disable
By default, the hunt group function is disabled.
NOTE:
To use the hunt group feature, select the Enable option of all local numbers involved in this
service.

Message Waiting Indicator:
• Enable
• Disable
By default, MWI is disabled.
After MWI is enabled, you can configure the Duration of Playing the Message Waiting
Tone parameter according to your needs.
NOTE:
Generally, the voice gateway sends a SUBSCRIBE to the server, receives a NOTIFY from the
server if the subscription is successful, and obtains the status of the voice mailbox
afterwards.

Hotline Numbers:
Configure the PLAR function. The number is the E.164 telephone number of the
terminating end.

On-hook Delay Time of the Called Party:
Enable calling party control and set the on-hook delay time of the called party. If the
delay time is set to 0, this indicates that calling party control is disabled.
By default, calling party control is disabled (the on-hook delay of the called party is set
to 0).

Processing Priority When the Line is Busy:
Specify the processing sequence of services when the line is busy.

Configuring call services of a call route
Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to display the call route call services configuration page shown in Figure 505.

NOTE:
• After completing the trunk configuration of a call route, you can configure the call services of the call route. The SIP
call route does not support call services configuration.
• Support for options provided on the call services page of a call route depends on the selected trunk route line. Only
the FXO trunks support the Calling Number Delivery and Calling Identity Delivery functions.

Figure 505 Call services configuration page

Table 202 Configuration

Item Description
Call Waiting:
After call waiting is enabled, you can configure the following parameters according to
your needs:
• Number of Call Waiting Tone Play Times
• Number of Tones Played at One Time
• Interval for Playing Call Waiting Tones
By default, the number of call waiting tone play times is one, and the number of call
wait tones played at one time is 2, and if the value of Number of Tones Played at One
Time is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Incoming Call Barring:
• Enable
• Disable
By default, incoming call barring is disabled.

Password for Outgoing Call Barring:
Set a password to lock your telephone when you do not want others to use your
telephone.

Hunt Group:
• Enable
• Disable
By default, hunt group function is disabled.
NOTE:
To use the hunt group feature, select the Enable option of all call routes involved in this
service.

Hotline Numbers:
Configure the PLAR function. The number is an E.164 telephone number of the
terminating end.

Call services configuration examples


Configuring call waiting
Network requirements
As shown in Figure 506, place a call from Telephone C to Telephone A, which is already engaged in a
call with Telephone B, and the call is not rejected. Just like a normal call, the subscriber at Telephone C
hears ringback tones, while the subscriber at Telephone A hears call waiting tones as a reminder that
another call is waiting on the line.
Figure 506 Network diagram
[Diagram: Telephone A (1000) on Router A, Telephone B (2000) on Router B, Telephone C (3000) on
Router C. Interface labels in the figure: Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.1/24,
Eth1/1 20.1.1.2/24.]

NOTE:
Before performing the following configuration, make sure that Router A, Router B, and Router C can
reach one another.

Completing basic voice call configurations


Complete basic voice call configurations on Router A, Router B, and Router C.

Configuring call waiting


Configure call waiting on Router A.
Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 1000 in the local number list to display the call services configuration page.
Figure 507 Configure call waiting

a. Select Enable for Call Waiting.
b. Click Apply.

Verifying the configuration


Verify the two call waiting operation modes:
• Operation 1—When the subscriber at Telephone C dials 1000 to call Telephone A which is already
engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones, while the
subscriber at Telephone A hears call waiting tones as a reminder that a call is waiting on the line. If
the subscriber at Telephone A then hangs up, the telephone rings, and the subscriber at Telephone A
can pick up the phone to start a conversation with Telephone C.
• Operation 2—When the subscriber at Telephone C dials 1000 to call Telephone A, which is already
engaged in a call with Telephone B, the subscriber at Telephone A can press the flash hook to start
a conversation with Telephone C, so Telephone B is held. The subscriber at Telephone A can press
the flash hook again to continue the talk with Telephone B, and then Telephone C is held. The call
hold function must be enabled on the voice subscriber line connected to Telephone A.

Configuring call forwarding


Network requirements
As shown in Figure 508, place a call from Telephone A to Telephone B. Router B forwards the call to
Telephone C when Telephone B is busy. Finally, Telephone A and Telephone C start a conversation.
Figure 508 Network diagram

[Diagram: Telephone A (1000) on Router A, Telephone B (2000) on Router B, Telephone C (3000) on
Router C. Interface labels in the figure: Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.1/24,
Eth1/1 20.1.1.2/24.]

NOTE:
Before performing the following configuration, make sure that Router A, Router B, and Router C can
reach one another.

Completing basic voice call configurations


Complete basic voice call configurations on Router A, Router B, and Router C.

Configuring call forwarding


Configure call forwarding on Router B.
Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 2000 in the local number list to display the call services configuration page.
Figure 509 Configure call forwarding

a. Enter 3000 for the forwarded-to number for Call Forwarding Busy.
b. Click Apply.

Verifying the configuration
Place a call from Telephone A to Telephone B. Router B forwards the call to Telephone C when Telephone
B is busy. Finally, Telephone A and Telephone C start a conversation.

Configuring call transfer


Network requirements
As shown in Figure 510, call transfer enables Telephone A to transfer Telephone B to Telephone C. After
the call transfer is completed, Telephone B and Telephone C are in a conversation.
The whole process is as follows:
1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.
2. Perform a hookflash at Telephone A to put the call with Telephone B on hold.
3. Call Telephone C (3000) from Telephone A after hearing dial tones.
4. Hang up Telephone A.
5. Telephone B and Telephone C are in a conversation, and call transfer is completed.
Figure 510 Network diagram
[Diagram: Telephone A (1000) on Router A, Telephone B (2000) on Router B, Telephone C (3000) on
Router C. Interface labels in the figure: Eth1/1 10.1.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.1/24,
Eth1/1 20.1.1.2/24.]

NOTE:
Before performing the following configuration, make sure that Router A, Router B, and Router C can
reach one another.

Completing basic voice call configurations


Complete basic voice call configurations on Router A, Router B, and Router C.

Configuring call transfer


# Configure call hold and call transfer on Router A.
Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 1000 in the local number list to display the call services configuration page.
Figure 511 Configure call transfer

a. Select Enable for Call Hold.
b. Select Enable for Call Transfer.
c. Click Apply.

Verifying the configuration


The whole process is as follows:
1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.
2. Perform a hookflash at Telephone A to put the call with Telephone B on hold.
3. Call Telephone C (3000) from Telephone A after hearing dial tones.
4. Hang up Telephone A.
5. Telephone B and Telephone C are in a conversation, and call transfer is completed.

Configuring hunt group


Network requirements
As shown in Figure 512, hunt group applies to the situation where multiple subscriber lines correspond to
the same number. When the voice subscriber line with the highest priority is in use, the device can
automatically connect an incoming call to the voice subscriber line with the second highest priority.
Telephone A1 (1000) and Telephone A2 (1000) are both connected to Router A, and Telephone A1 has
a higher priority. Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher
priority, Telephone B is connected to Telephone A1. If number 1000 is dialed from Telephone C (3000)
when Telephone A1 and Telephone B are in a conversation, hunt group enables Telephone C to have a
conversation with Telephone A2.
Figure 512 Network diagram

[Diagram: Telephone A1 (1000) and Telephone A2 (1000) on Router A, Telephone B (2000) on Router B,
Telephone C (3000) on Router C. Interface labels in the figure: Eth1/1 10.1.1.2/24, Eth1/1 10.1.1.1/24,
Eth1/2 20.1.1.1/24, Eth1/1 20.1.1.2/24.]

NOTE:
Before performing the following configuration, make sure that Router A, Router B, and Router C can
reach one another.

Completing basic voice call configurations


Complete basic voice call configurations on Router A, Router B, and Router C.

Configuring hunt group


# Configure a number selection priority for Telephone A2 on Router A. Keep the default priority 0 (the
highest priority) for Telephone A1.
Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 1000 in the local number list to display the advanced settings configuration page.
Figure 513 Configure number selection priority of Telephone A2

a. Select 4 from the Number Selection Priority list.
b. Click Apply.

# Configure hunt group on Router A.


Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 1000 of Telephone A1 in the local number list to display the call services configuration page.
Figure 514 Configure hunt group

a. Select Enable for Hunt Group.
b. Click Apply.

Perform the same configuration for the local number 1000 of Telephone A2. (Details not shown.)

Verifying the configuration


Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B
is connected to Telephone A1. If you dial number 1000 from Telephone C (3000) when Telephone A1
and Telephone B are in a conversation, hunt group enables Telephone C to have a conversation with
Telephone A2.

Configuring three-party conference


Network requirements
As shown in Figure 515, place a call from Telephone A to Telephone B, and after the call is established,
hold the call on Telephone B. Then, place a call from Telephone B to Telephone C. After success, press
the hook flash on Telephone B, and press 3. Then a three-party conference can be established among
Telephones A, B, and C.
Figure 515 Network diagram

[Diagram: Telephone A (1000) on Router A, Telephone B (2000) on Router B, Telephone C (3000) on
Router C. Interface labels in the figure: Eth1/0 10.1.1.1/24, Eth1/0 10.1.1.2/24, Eth1/1 20.1.1.1/24,
Eth1/0 20.1.1.2/24.]

NOTE:
Before performing the following configuration, make sure that Router A, Router B, and Router C can
reach one another.

Completing basic voice call configurations


Complete basic voice call configurations on Router A, Router B, and Router C.

Configuring three-party conference


# Enable call hold on Router A and Router C.
Select Voice Management > Local Number from the navigation tree, and then click the icon of the local
number to be configured to display the call services configuration page.
Figure 516 Configure call hold

a. Select Enable for Call Hold.


b. Click Apply.

# Enable call hold and three-party conference on Router B.

Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 2000 in the local number list to display the call services configuration page.
Figure 517 Configure call hold

a. Select Enable for Call Hold.


b. Select Enable for Three-Party Conference.
c. Click Apply.

Verifying the configuration


Now Telephone B, as the conference initiator, can establish a three-party conference with participants
Telephone A and Telephone C.
If you also enable three-party conference on the FXS lines of Telephone A and Telephone C on Router A
and Router C, during the conference, a new call can be initiated from Telephone A or Telephone C to
invite another passive participant. In this way, conference chaining is implemented.

Configuring silent monitor and barge in service


Network requirements
• Configure silent monitor for Telephone C to monitor the conversation between Telephone A and
Telephone B. After configuration, when Telephone A and Telephone B are in a conversation, dial
the feature code *425*Number of Telephone A# at Telephone C to monitor the conversation between
Telephone A and Telephone B.
• Configure barge in for Telephone C to participate in the conversation between Telephone A and
Telephone B. After configuration, dial the feature code *428# at Telephone C to participate in the
conversation between Telephone A and Telephone B.

Figure 518 Network diagram

Configuring the VCX


Open the web interface of the VCX, and select Central Management Console. Configure the information
of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example.
Figure 519 Telephone configuration page

# Configure the silent-monitor authority.


Click Features of number 1000 to display the feature configuration page, and then click Edit Feature of
the Silent Monitor and Barge In feature to display the page shown in Figure 520.

Figure 520 Silent monitor and barge in feature configuration page (I)

Click Assign External Phones to specify that number 3000 has the authority to monitor number 1000.
After this configuration, the page shown in Figure 521 appears.
Figure 521 Silent monitor and barge in feature configuration page (II)

After the above configuration, Telephone C with the number 3000 can monitor and barge in the
conversations of Telephone A with the number 1000.

Configuring Router A
# Configure a local number and call routes.
• Configure a local number—Specify the local number ID as 1000 and the number as 1000, and bind
the number to line line 1/0 on the local number configuration page.
• Configure the call route to Router B—Specify the call route ID as 10000, the destination number as
3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
• Configure the call route to Router C—Specify the call route ID as 10001, the destination number as
3000, and the call route type as SIP, and use a proxy server to complete calls on the call route
configuration page.
• Configure SIP registration—Enable register function of the server on the connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to display the connection properties configuration page, and configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.
# Enable the feature service and the silent-monitor and barge-in function.

Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 1000 to display the call services page shown in Figure 522.
Figure 522 Enable the feature service and the silent monitor and barge in function

a. Select Enable for Monitor and Barge In.


b. Select Enable for Feature Service.
c. Click Apply.

Configuring Router B
# Configure a local number and call routes.
• Configure a local number—Specify the local number ID as 2000 and the number as 2000, and bind
the number to line 1/0 on the local number configuration page.
• Configure the call route to Router A—Specify the call route ID as 10000, the destination number as
1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
• Configure the call route to Router C—Specify the call route ID as 10001, the destination number as
3000, and the call route type as SIP, and use a proxy server to complete calls on the call route
configuration page.
• Configure SIP registration—Enable the register function of the server on the connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to display the connection properties configuration page, then configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.

Configuring Router C
# Configure a local number and call routes.
• Configure a local number—Specify the local number ID as 3000 and the number as 3000, and bind
the number to line 1/0 on the local number configuration page.
• Configure the call route to Router A—Specify the call route ID as 10000, the destination number as
1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
• Configure the call route to Router B—Specify the call route ID as 10001, the destination number as
2000, and the call route type as SIP, and use a proxy server to complete calls on the call route
configuration page.
• Configure SIP registration—Enable the register function of the server on the connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to display the connection properties configuration page, then configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.
# Configure the DTMF transmission mode as NTE out-of-band transmission.
Select Voice Management > Call Route from the navigation tree, and then click the icon of call route
1000 to display the advanced settings page shown in Figure 523.

Figure 523 Configure DTMF transmission mode

a. Select RFC2833 for DTMF Transmission Mode.


b. Click Apply.

# Enable the feature service.


Select Voice Management > Local Number from the navigation tree, and then click the icon of local
number 3000 to display the call services page shown in Figure 524.
Figure 524 Enable the feature service

a. Select Enable for Feature Service.

b. Click Apply.

Verifying the configuration


After the above configuration, dial feature code *425*1000# at Telephone C, and you can monitor the
conversation between Telephone A and Telephone C. If you want to participate in the conversation, dial
*428# at Telephone C.

Configuring advanced settings for local numbers and call routes

Coding parameters
The configuration of coding parameters includes specifying codec priorities and packet assembly
intervals.
The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32,
g726r40, g729a, g729br8, and g729r8.
Following are the characteristics of different codecs:
• g711alaw and g711ulaw provide high-quality voice transmission, while requiring greater
bandwidth.
• g723r53 and g723r63 provide silence suppression technology and comfort noise. The
relatively higher speed output is based on multi-pulse multi-quantitative level technology and
provides relatively higher voice quality. The relatively lower speed output is based on the
Algebraic-Code-Excited Linear-Prediction technology and provides greater flexibility for application.
• The voice quality provided by g729r8 and g729a is similar to that of 32 kbps ADPCM, which is
toll quality. These codecs also feature low bandwidth, low delay, and medium processing
complexity, so they are widely applicable.
Table 203 Relationship between algorithms and bandwidth

| Codec | Bandwidth | Voice quality |
|---|---|---|
| G.711 (A-law and μ-law) | 64 kbps (without compression) | Best |
| G.726 | 16, 24, 32, 40 kbps | Good |
| G.729 | 8 kbps | Good |
| G.723 r63 | 6.3 kbps | Fair |
| G.723 r53 | 5.3 kbps | Fair |

Actual network bandwidth is related to packet assembly interval and network structure. The longer the
packet assembly interval is, the closer the network bandwidth is to the media stream bandwidth. More
headers consume more bandwidth. A longer packet assembly interval results in a longer fixed coding
latency.
The following tables show the relevant packet assembly parameters without IPHC, including packet
assembly interval, bytes coded in a time unit, and network bandwidth. Use them to choose a suitable
codec algorithm according to how busy the line is and the network conditions.

Table 204 G.711 algorithm (A-law and μ-law)

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 80 | 120 | 96 kbps | 126 | 100.8 kbps | 10 ms |
| 20 ms | 160 | 200 | 80 kbps | 206 | 82.4 kbps | 20 ms |
| 30 ms | 240 | 280 | 74.7 kbps | 286 | 76.3 kbps | 30 ms |

G.711 algorithm (A-law and μ-law): media stream bandwidth 64 kbps, minimum packet assembly interval 10 ms.

Table 205 G.723 r63 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 30 ms | 24 | 64 | 16.8 kbps | 70 | 18.4 kbps | 30 ms |
| 60 ms | 48 | 88 | 11.6 kbps | 94 | 12.3 kbps | 60 ms |
| 90 ms | 72 | 112 | 9.8 kbps | 118 | 10.3 kbps | 90 ms |
| 120 ms | 96 | 136 | 9.1 kbps | 142 | 9.5 kbps | 120 ms |
| 150 ms | 120 | 160 | 8.5 kbps | 166 | 8.9 kbps | 150 ms |
| 180 ms | 144 | 184 | 8.2 kbps | 190 | 8.4 kbps | 180 ms |

G.723 r63 algorithm: media stream bandwidth 6.3 kbps, minimum packet assembly interval 30 ms.

Table 206 G.723 r53 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 30 ms | 20 | 60 | 15.9 kbps | 66 | 17.5 kbps | 30 ms |
| 60 ms | 40 | 80 | 10.6 kbps | 86 | 11.4 kbps | 60 ms |
| 90 ms | 60 | 100 | 8.8 kbps | 106 | 9.3 kbps | 90 ms |
| 120 ms | 80 | 120 | 8 kbps | 126 | 8.4 kbps | 120 ms |
| 150 ms | 100 | 140 | 7.5 kbps | 146 | 7.8 kbps | 150 ms |
| 180 ms | 120 | 160 | 7.1 kbps | 166 | 7.4 kbps | 180 ms |

G.723 r53 algorithm: media stream bandwidth 5.3 kbps, minimum packet assembly interval 30 ms.

Table 207 G.726 r16 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 20 | 60 | 48 kbps | 66 | 52.8 kbps | 10 ms |
| 20 ms | 40 | 80 | 32 kbps | 86 | 34.4 kbps | 20 ms |
| 30 ms | 60 | 100 | 26.7 kbps | 106 | 28.3 kbps | 30 ms |
| 40 ms | 80 | 120 | 24 kbps | 126 | 22.1 kbps | 40 ms |
| 50 ms | 100 | 140 | 22.4 kbps | 146 | 23.4 kbps | 50 ms |
| 60 ms | 120 | 160 | 21.3 kbps | 166 | 11.4 kbps | 60 ms |
| 70 ms | 140 | 180 | 20.6 kbps | 186 | 21.3 kbps | 70 ms |
| 80 ms | 160 | 200 | 20 kbps | 206 | 20.6 kbps | 80 ms |
| 90 ms | 180 | 220 | 19.5 kbps | 226 | 20.1 kbps | 90 ms |
| 100 ms | 200 | 240 | 19.2 kbps | 246 | 19.7 kbps | 100 ms |
| 110 ms | 220 | 260 | 18.9 kbps | 266 | 19.3 kbps | 110 ms |

G.726 r16 algorithm: media stream bandwidth 16 kbps, minimum packet assembly interval 10 ms.

Table 208 G.726 r24 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 30 | 70 | 56 kbps | 76 | 60.8 kbps | 10 ms |
| 20 ms | 60 | 100 | 40 kbps | 106 | 42.4 kbps | 20 ms |
| 30 ms | 90 | 130 | 34.7 kbps | 136 | 36.3 kbps | 30 ms |
| 40 ms | 120 | 160 | 32 kbps | 166 | 33.2 kbps | 40 ms |
| 50 ms | 150 | 190 | 30.4 kbps | 196 | 31.2 kbps | 50 ms |
| 60 ms | 180 | 220 | 29.3 kbps | 226 | 30.1 kbps | 60 ms |
| 70 ms | 210 | 250 | 28.6 kbps | 256 | 29.3 kbps | 70 ms |

G.726 r24 algorithm: media stream bandwidth 24 kbps, minimum packet assembly interval 10 ms.

Table 209 G.726 r32 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 40 | 80 | 64 kbps | 86 | 68.8 kbps | 10 ms |
| 20 ms | 80 | 120 | 48 kbps | 126 | 50.4 kbps | 20 ms |
| 30 ms | 120 | 160 | 42.7 kbps | 166 | 44.3 kbps | 30 ms |
| 40 ms | 160 | 200 | 40 kbps | 206 | 41.2 kbps | 40 ms |
| 50 ms | 200 | 240 | 38.4 kbps | 246 | 39.4 kbps | 50 ms |

G.726 r32 algorithm: media stream bandwidth 32 kbps, minimum packet assembly interval 10 ms.

Table 210 G.726 r40 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 50 | 90 | 72 kbps | 96 | 76.8 kbps | 10 ms |
| 20 ms | 100 | 140 | 56 kbps | 146 | 58.4 kbps | 20 ms |
| 30 ms | 150 | 190 | 50.7 kbps | 196 | 52.3 kbps | 30 ms |
| 40 ms | 200 | 240 | 48 kbps | 246 | 49.2 kbps | 40 ms |

G.726 r40 algorithm: media stream bandwidth 40 kbps, minimum packet assembly interval 10 ms.

Table 211 G.729 algorithm

| Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency |
|---|---|---|---|---|---|---|
| 10 ms | 10 | 50 | 40 kbps | 56 | 44.8 kbps | 10 ms |
| 20 ms | 20 | 60 | 24 kbps | 66 | 26.4 kbps | 20 ms |
| 30 ms | 30 | 70 | 18.7 kbps | 76 | 20.3 kbps | 30 ms |
| 40 ms | 40 | 80 | 16 kbps | 86 | 17.2 kbps | 40 ms |
| 50 ms | 50 | 90 | 14.4 kbps | 96 | 15.4 kbps | 50 ms |
| 60 ms | 60 | 100 | 13.3 kbps | 106 | 14.1 kbps | 60 ms |
| 70 ms | 70 | 110 | 12.6 kbps | 116 | 13.3 kbps | 70 ms |
| 80 ms | 80 | 120 | 12 kbps | 126 | 12.6 kbps | 80 ms |
| 90 ms | 90 | 130 | 11.6 kbps | 136 | 12.1 kbps | 90 ms |
| 100 ms | 100 | 140 | 11.2 kbps | 146 | 11.7 kbps | 100 ms |
| 110 ms | 110 | 150 | 10.9 kbps | 156 | 11.3 kbps | 110 ms |
| 120 ms | 120 | 160 | 10.7 kbps | 166 | 11.1 kbps | 120 ms |
| 130 ms | 130 | 170 | 10.5 kbps | 176 | 10.8 kbps | 130 ms |
| 140 ms | 140 | 180 | 10.3 kbps | 186 | 10.6 kbps | 140 ms |
| 150 ms | 150 | 190 | 10.1 kbps | 196 | 10.5 kbps | 150 ms |
| 160 ms | 160 | 200 | 10 kbps | 206 | 10.3 kbps | 160 ms |
| 170 ms | 170 | 210 | 9.9 kbps | 216 | 10.2 kbps | 170 ms |
| 180 ms | 180 | 220 | 9.8 kbps | 226 | 10 kbps | 180 ms |

G.729 algorithm: media stream bandwidth 8 kbps, minimum packet assembly interval 10 ms.

NOTE:
• The packet assembly interval is the duration to encapsulate information into a voice packet.
• Bytes coded in a time unit = packet assembly interval × media stream bandwidth.
• Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data.
• Packet length (IP+PPP) = PPP header + IP header + RTP header + UDP header + voice information length =
6+20+12+8+data.
• Network bandwidth = Bandwidth of the media stream × packet length/bytes coded in a time unit.

Because IPHC compression is affected significantly by network stability, it cannot achieve high efficiency
unless the line is of high quality, the network is very stable, and packet loss does not occur or seldom
occurs. When the network is unstable, IPHC efficiency drops drastically. With best IPHC performance, the
IP (RTP) header can be compressed to 2 bytes. If the PPP header is compressed at the same time, a great
deal of media stream bandwidth can be saved. The following table shows the best IPHC compression
efficiency of codec algorithms with a packet assembly interval of 30 milliseconds.
Table 212 Compression efficiency of IPHC+PPP header

| Codec | Bytes coded in a time unit | Before compression: packet length (IP+PPP) (bytes) | Before compression: network bandwidth (IP+PPP) | After IPHC+PPP compression: packet length (IP+PPP) (bytes) | After IPHC+PPP compression: network bandwidth (IP+PPP) |
|---|---|---|---|---|---|
| G.729 | 30 | 76 | 20.3 kbps | 34 | 9.1 kbps |
| G.723r63 | 24 | 70 | 18.4 kbps | 28 | 7.4 kbps |
| G.723r53 | 20 | 66 | 17.5 kbps | 24 | 6.4 kbps |
| G.726r16 | 60 | 106 | 28.3 kbps | 64 | 17.1 kbps |
| G.726r24 | 90 | 136 | 17.5 kbps | 94 | 25.1 kbps |
| G.726r32 | 120 | 166 | 44.3 kbps | 124 | 33.1 kbps |
| G.726r40 | 150 | 196 | 52.3 kbps | 154 | 41.1 kbps |
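The formulas in the NOTE above can be applied directly to any codec and packet assembly interval. The following Python sketch is an added example, not part of the HP guide; the function names are hypothetical, the per-codec frame sizes are taken from the first row of each table, and the 4-byte best-case IPHC+PPP overhead is inferred from Table 212 (34 bytes on the wire for 30 bytes of G.729 payload).

```python
# Added example: network bandwidth per call from the NOTE's formulas.
IP_RTP_UDP = 20 + 12 + 8   # IP + RTP + UDP header bytes (from the NOTE)
PPP = 6                    # PPP header bytes (from the NOTE)
IPHC_BEST = 4              # assumption: best-case IPHC+PPP overhead implied by Table 212

# codec -> (media stream kbps, minimum packet assembly interval in ms,
#           bytes coded per minimum interval), as listed in Tables 204-211
CODECS = {
    "g711":    (64.0, 10, 80),
    "g723r63": (6.3, 30, 24),
    "g723r53": (5.3, 30, 20),
    "g726r16": (16.0, 10, 20),
    "g726r24": (24.0, 10, 30),
    "g726r32": (32.0, 10, 40),
    "g726r40": (40.0, 10, 50),
    "g729":    (8.0, 10, 10),
}

OVERHEAD = {"ip": IP_RTP_UDP, "ppp": IP_RTP_UDP + PPP, "iphc": IPHC_BEST}


def row(codec, interval_ms, link="ip"):
    """Return (bytes coded, packet length in bytes, network bandwidth in kbps)."""
    kbps, min_ms, frame_bytes = CODECS[codec]
    if interval_ms < min_ms or interval_ms % min_ms:
        raise ValueError(f"{codec}: interval must be a multiple of {min_ms} ms")
    payload = frame_bytes * (interval_ms // min_ms)
    length = payload + OVERHEAD[link]
    # Network bandwidth = media stream bandwidth x packet length / bytes coded
    return payload, length, round(kbps * length / payload, 1)


def header_share(codec, interval_ms, link="ip"):
    """Percentage of each packet that is header rather than voice data."""
    payload, length, _ = row(codec, interval_ms, link)
    return round(100.0 * (length - payload) / length, 1)


if __name__ == "__main__":
    for codec in ("g711", "g729"):
        for ms in (10, 20, 30):
            print(codec, ms, row(codec, ms, "ppp"), header_share(codec, ms, "ppp"))
```

The header share shows why short packet assembly intervals are expensive for low-rate codecs: at 10 ms, a G.729 packet over plain IP is 80% header.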

Other parameters
Other parameters are optional parameters such as number selection priority, dial prefix, called
number sending mode, and DTMF transmission mode. For descriptions of these parameters, see
"Configuring other parameters for a local number" and "Configuring other parameters for a call route."

Configuring advanced settings for a local number


Configuring coding parameters for a local number
Select Voice Management > Local Number from the navigation tree, and then click the icon of the local
number to be configured to display the advanced settings configuration page.

Figure 525 Configure coding parameters of the local number

Table 213 Configuration

| Item | Description |
|---|---|
| Codec with the First Priority | Specify a codec with the first priority. |
| Codec with the Second Priority | Specify a codec with the second priority. |
| Codec with the Third Priority | Specify a codec with the third priority. |
| Codec with the Lowest Priority | Specify a codec with the lowest priority. |
| Packet Assembly Interval of G711 | Packet assembly interval for g711alaw and g711ulaw codecs. |
| Packet Assembly Interval of G723 | Packet assembly interval for g723r53 and g723r63 codecs. |
| Packet Assembly Interval of G726r16 | Packet assembly interval for g726r16 codec. |
| Packet Assembly Interval of G726r24 | Packet assembly interval for g726r24 codec. |
| Packet Assembly Interval of G726r32 | Packet assembly interval for g726r32 codec. |
| Packet Assembly Interval of G726r40 | Packet assembly interval for g726r40 codec. |
| Packet Assembly Interval of G729 | Packet assembly interval for g729r8, g729br8, and g729a codecs. |

Specify the codecs and their priority levels:
• g711alaw—G.711 A-law codec (defining the pulse code modulation technology), requiring a bandwidth of 64 kbps, usually adopted in Europe.
• g711ulaw—G.711 μ-law codec, requiring a bandwidth of 64 kbps, usually adopted in North America and Japan.
• g723r53—G.723.1 Annex A codec, requiring a bandwidth of 5.3 kbps.
• g723r63—G.723.1 Annex A codec, requiring a bandwidth of 6.3 kbps.
• g726r16—G.726 Annex A codec. It uses the ADPCM technology, requiring a bandwidth of 16 kbps.
• g726r24—G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 24 kbps.
• g726r32—G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 32 kbps.
• g726r40—G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 40 kbps.
• g729a—G.729 Annex A codec (a simplified version of G.729), requiring a bandwidth of 8 kbps.
• g729br8—G.729 Annex B (the voice compression technology using conjugate algebraic-code-excited linear-prediction), requiring a bandwidth of 8 kbps.
• g729r8—G.729 (the voice compression technology using conjugate algebraic-code-excited linear-prediction), requiring a bandwidth of 8 kbps.

NOTE:
Two communication parties can communicate normally only if they share some identical
coding/decoding algorithms. If the codec algorithm between two connected devices is inconsistent, or if
the two devices share no common coding/decoding algorithms, the call fails.

Configuring other parameters for a local number


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to display the advanced settings configuration page.
Figure 526 Configure other parameters of the local number

Table 214 Configuration

| Item | Option | Description |
|---|---|---|
| Number Selection Priority | | Set the priority of the local number. The smaller the value, the higher the priority. |
| Dial Prefix | | Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out. |
| Called Number Sending Mode | Send a Truncated Called Number | Send a truncated called number. |
| | Send All Digits of a Called Number | Send all digits of a called number. |
| | Send Certain Number of Digits | Send a certain number of digits (extracted from the end of the number) of a called number. The specified value should not be greater than the total number of digits of the called number. |
| DTMF Transmission Mode | In-band Transmission | Specify the in-band SIP DTMF transmission mode. |
| | Out-of-band Transmission | Specify the out-of-band SIP DTMF transmission mode. |
| | RFC2833 | Adopt DTMF NTE transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets. |
| DSCP Field Value | Pre-defined | Set the DSCP value in the ToS field in the IP packets that carry the RTP stream. |
| | Customized | Enter the customized DSCP value in the Customized field. |
| VAD | | The VAD discriminates between silence and speech on a voice connection according to signal energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can reduce the transmission bandwidth by 50%. Options: Enable, Disable. By default, VAD is disabled. |

Configuring advanced settings for a call route


Configuring coding parameters for a call route
Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to display the advanced settings configuration page.

Figure 527 Configure coding parameters of the call route

For coding parameters configuration items of the call route, see Table 214.

Configuring other parameters for a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to display the advanced settings configuration page.
Figure 528 Configure other parameters of the call route

For the configuration items of other parameters of the call route, see Table 214 and Table 215.
Table 215 Configuration

| Item | Description |
|---|---|
| Call Route Selection Priority | Set the priority of the call route. The smaller the value, the higher the priority. |
| The Local End Plays Ringback Tone | Options: Enable, Disable. By default, the remote end instead of the local end plays ringback tones. |

Advanced settings configuration example


Configuring out-of-band DTMF transmission mode for SIP
Network requirements
Two routers work as SIP UAs. After establishing a call connection, the calling and called parties adopt
DTMF SIP out-of-band transmission to make the transmission of DTMF digits more reliable.
Figure 529 Network diagram

Configuring voice basic calling settings


For detailed configuration, see "Configuring direct calling for SIP UAs through the SIP protocol
(configuring static IP address)."

Configuring out-of-band DTMF transmission mode for SIP


# Configure the out-of-band DTMF transmission mode on Router A for the call route.
Select Voice Management > Call Route from the navigation tree, find call route 2222 in the list, and then
click its icon to enter its advanced settings page.
Figure 530 Configure out-of-band DTMF transmission mode

a. Select Out-of-band Transmission for DTMF Transmission Mode.
b. Click Apply.

# Configure out-of-band DTMF transmission mode on Router B for the local number.
Select Voice Management > Local Number from the navigation tree, find local number 2222 in the list,
and then click its icon to display the advanced settings page.
Figure 531 Configure out-of-band DTMF transmission mode

a. Select Out-of-band Transmission for DTMF Transmission Mode.


b. Click Apply.

Verifying the configuration


After a call connection is established, if one side presses the telephone keys, the DTMF digits are
transmitted to the other side using out-of-band signaling, and the other side hears short DTMF tones from
the handset.

Configuring SIP-to-SIP call settings

Configuring codec transparent transmission


Select Voice Management > Call Route from the navigation tree, and then click the icon of the target
route to display the following page.
Figure 532 SIP-to-SIP Connections

Table 216 Configuration item

| Item | Description |
|---|---|
| Codec Transparent | Enable or disable codec transparent transmission. If the SIP trunk device does not support the codecs supported by the calling and called parties, you can enable codec transparent transmission so that the SIP trunk device transparently transmits codec capability sets between the two parties to complete codec negotiation. By default, codec transparent transmission is disabled, and the SIP trunk device participates in media negotiation between two parties. |

NOTE:
This option takes effect only for public-to-private call routes. To enable this
function for private-to-public call routes, perform the configuration in Voice
Management > SIP Trunk Management > Call Route. For related
configuration information, see "Configuring SIP trunk."

Configuring dial plans

More requirements on dial plans arise with the wide application of VoIP. A dial plan should be flexible,
reasonable, and operable, and should be able to help a voice gateway to manage numbers in a unified
way, making number management more convenient and reasonable.
The dial plan process on the calling side differs from that on the called side. The following discusses these
two dial plan processes.

Dial plan process


On the calling side
Figure 533 shows the dial plan operation process on the calling side.
Figure 533 Flow chart for dial plan operation process on the calling side

1. The voice gateway on the calling side replaces the calling and called numbers according to the
number substitution rule on the receiving line.
2. The voice gateway performs global number substitution.
3. The gateway selects proper numbers based on the local number or call route selection priority rules
and replaces the calling and called numbers.
4. The gateway initiates a call to the called side and sends the calling and called numbers.

On the called side
Figure 534 shows the dial plan operation process on the called side.
Figure 534 Flow chart for dial plan operation process on the called side

1. After receiving a voice call (the called number), the voice gateway on the called side performs
global calling/called number substitution.
2. The voice gateway on the called side selects proper local numbers or call routes based on the local
number or call route selection priority rules. (Number substitution may also be involved during the
local number or call route selection.) If the called party is a local number, the gateway directly
connects the line. If the called party is a PSTN subscriber, the gateway initiates a call and sends the
calling and called numbers to the PSTN. The PBX in the PSTN connects the call.

Regular expression
You frequently use some regular expressions when you configure number substitution rules. Regular
expressions are a powerful and flexible tool for pattern matching and substitution. They are not restricted
to a language or system and have been widely accepted.
When using a regular expression, construct a matching pattern according to certain rules, and then
compare the matching pattern with the target object. The simplest regular expressions do not contain any
meta-character. For example, you can specify a regular expression hello, which only matches the string
hello.
To help you construct matching patterns flexibly, regular expressions support some special characters,
called meta-characters, which define the way other characters appear in the target object.
Table 217 Meta-characters

| Meta-character | Meaning |
|---|---|
| 0-9 | Digits 0 through 9. |
| # and * | Each indicates a valid digit. |
| . | Wildcard, which can match any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional characters. |
| - | Hyphen (connecting element), used to connect two numbers (the smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive. |
| [] | Delimits a range for matching. It can be used together with signs such as !, %, and +. For example, [235-9] indicates one number of 2, 3, and 5 through 9. |
| () | Indicates a sub-expression. For example, (086) indicates the character string 086. It is usually used together with signs such as !, %, and +. For example, (086)!010 can match two character strings 010 and 086010. |
| ! | A control character, indicating that the sub-expression before it appears once or does not appear. For example, (010)!12345678 can match 12345678 and 01012345678. |
| + | A control character, indicating that the sub-expression before it appears one or more times. However, if a calling number starts with the plus sign, the sign itself does not have special meanings and only indicates that the following is an effective number and the whole number is E.164-compliant. For example, 9876(54)+ can match 987654, 98765454, 9876545454, and so on, and +110022 is an E.164-compliant number. |
| % | A control character, indicating that the sub-expression before it appears multiple times or does not appear. For example, 9876(54)% can match 9876, 987654, 98765454, 9876545454, and so on. |

NOTE:
• The sub-expression (one digit or digit string) before a control character such as !, +, and % can appear the number
of times indicated by the control character. For example, (100)+ can match 100, 100100, 100100100, and so on.
After any number of them are matched, the match is considered an exact match. In the longest match mode, the
voice gateway ignores subsequent digits dialed by the subscriber after an exact match. (For the situation where the
gateway must wait for subscribers to continue dialing after an exact match, refer to the T mode.)
• The characters (\) and (|) are mainly used in regular expressions and cannot be used as common characters. The
character (\) is an escape character. If you want a control character to represent itself, add the escape character (\)
before it. For example, (\+) represents the character (+) itself because (+) is a control character in regular
expressions. The character (|) means that the current character (string) is the character (string) on either the left or
the right. For example, 0860108888|T means that the current character string is either 0860108888 or T.
• T mode: If the character T is in the number set in a local number or call route, it means that the voice gateway should
wait for more digits until the number exceeds the maximum length or the dial timer expires.
• If a number starts with the plus sign (+), note the following when you use it on a trunk: E&M, R2, and LGS
signaling use DTMF, and because the plus sign (+) has no corresponding audio tone, the number cannot be
transmitted to the called side successfully. DSS1 signaling uses ISDN, so this problem does not exist.
Therefore, avoid using a number that cannot be identified by the signaling itself. Otherwise, the call
fails.

Introduction to dial plan functions
Number match
Dial terminator
In areas where variable-length numbers are used, you can specify a character as the dial terminator so
that the voice gateway can dial out the number before the dialing interval expires. The dial terminator
identifies the end of a dialing process, and a call connection is established based on the received digits
when the dial terminator is received. The voice gateway does not wait for further digits, even if the
longest match mode has been globally configured.

Maximum number of local numbers or call routes found before a search process stops
This function enables you to define the maximum number of qualified local numbers or call routes to be
found before a search process stops. Even if the number of local numbers or call routes meeting call
requirements is greater than the defined maximum number, the system matches against the local numbers
or call routes that are found in the search according to the configured maximum number.

Number match mode


You can specify a match mode, either longest match or shortest match.
For example, you have configured two destination numbers, 0106688 and 01066880011, on the
device.
When a subscriber dials 01066880011:
• If the device is configured to use the shortest match mode, the dialed number matches 0106688. In
other words, the device establishes a call connection to 0106688 at the remote end, without
processing the last four digits (0011).
• If the device is configured to use the longest match mode, the dialed number matches
01066880011. In other words, the device establishes a call connection to 01066880011 at the
remote end.
When a subscriber dials 0106688:
• If the device is configured to use shortest match mode, it matches 0106688.
• If the device is configured to use longest match mode, it waits for further digits. After the dial timer
expires, the device ignores the configured longest match mode and automatically uses shortest
match mode to establish a call connection.
When a subscriber dials 0106688#, if you configure longest match mode and a dial terminator of "#"
on the device, the device also ignores the configured longest match mode and uses shortest match mode
to establish a call connection.
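To check a dial plan offline before applying it, the meta-characters of Table 217 and the match modes described above can be modelled in a few lines. The following Python sketch is an added example, not code from the HP guide or the router software; the function names are hypothetical, the T mode is deliberately rejected because it depends on the dial timer, and timer expiry in longest match mode is modelled as "no more digits arrive".

```python
import re

VALID_DIGIT = "[0-9#*]"                       # 0-9, # and * are the valid digits
QUANTIFIER = {"!": "?", "+": "+", "%": "*"}   # control character -> regex quantifier


def translate(pattern):
    """Translate a dial-plan pattern (Table 217 meta-characters) to Python regex source."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                        # escape: next character stands for itself
            if i + 1 == len(pattern):
                raise ValueError("escape character at end of pattern")
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "+" and i == 0:              # leading + marks an E.164 number
            out.append(r"\+")
        elif ch in QUANTIFIER:
            if not out or out[-1] in ("(?:", "|", "?", "+", "*"):
                raise ValueError(f"{ch!r} has no sub-expression before it")
            out.append(QUANTIFIER[ch])
        elif ch == ".":
            out.append(VALID_DIGIT)
        elif ch == "[":
            end = pattern.find("]", i)
            body = pattern[i + 1:end] if end > i else ""
            if not re.fullmatch(r"[0-9#*-]+", body):
                raise ValueError("malformed [] range")
            out.append("[" + body + "]")
            i = end + 1
            continue
        elif ch == "(":
            out.append("(?:")
        elif ch in ")|":
            out.append(ch)
        elif ch in "0123456789#*":
            out.append(re.escape(ch))         # * and # are digits here, not operators
        else:
            raise ValueError(f"unsupported character {ch!r}")  # includes T (timer-driven)
        i += 1
    return "".join(out)


def matches(pattern, number):
    """True if the whole number is an exact match for the dial-plan pattern."""
    return re.fullmatch(translate(pattern), number) is not None


def select(dialed, destinations, mode="longest", terminator=None):
    """Return the destination number pattern chosen for the dialed digits, or None."""
    if terminator and dialed.endswith(terminator):
        # A dial terminator ends digit collection; the page says shortest match then applies.
        dialed, mode = dialed[:-len(terminator)], "shortest"
    hits = []
    for n in range(1, len(dialed) + 1):       # digits arrive one at a time
        for dest in destinations:
            if matches(dest, dialed[:n]):
                hits.append(dest)
                break
    if not hits:
        return None
    return hits[0] if mode == "shortest" else hits[-1]


if __name__ == "__main__":
    dests = ["0106688", "01066880011"]        # destination numbers from the page's example
    for mode in ("shortest", "longest"):
        print(mode, select("01066880011", dests, mode))
```

Because `*` and `#` are ordinary digits in this dialect while `!` and `%` are repeat operators, copying a dial-plan pattern straight into a general-purpose regex engine gives wrong results; the translation step is what makes an offline review trustworthy.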

Number match policy


A number match policy can be in either service-first mode or number-first mode.
If the number-first mode is applied, a dialed number matches first against numbers and then local service
numbers or service feature codes (when the service feature switch is enabled). For example, if a local
service feature number is *40*1234 and the number *40 is configured for a local number or call route,
*40*1234 dialed by a subscriber first matches the number *40 (*40 is dialed out as the called number),
and the local service corresponding to the local service code *40*1234 is not triggered.

Entity type selection priority rules
You can configure the priorities for different types of entities. When multiple local numbers or call routes
are qualified for a call connection, the system selects a suitable local number or call route whose entity
type has the highest priority.

Match order of number selection rules


You can configure the match order of local number or call route selection rules. The system selects a local
number or call route according to the configured rules, which include exact match, priority, random
selection, and longest idle time.
The match order of rules determines the application sequence of the rules as follows:
• If there are multiple rules, the system first selects a local number or call route according to the first
rule.
• If the first rule cannot decide which local number or call route should be selected, the system applies
the second rule. If the second rule still cannot decide on a local number or call route, the system
applies the third rule.
• If none of the rules can decide which local number or call route should be selected, the system selects
the local number or call route with the smallest ID.
• After the random selection rule is applied, there is no local number or call route selection conflict.
Therefore, the random selection rule can only serve as a rule with the lowest priority or serve as a
unique rule separately.

Call control
Call authority control
To configure call authority control, you can assign subscriber numbers to a number group, and then bind
the group, which has authorities configured, to a local number or call route.
When a subscriber originates a call that matches a local number or call route that is bound to a
number group, the system compares the calling number with each number in the number group. If a
match is found, the call is permitted. Otherwise, the system finds the next matching local number or
call route until the call is permitted or denied. For related configuration of this function, see
"Configuring a number group."

Maximum-call-connection set
You can limit the total call connections for local numbers or call routes according to the network scale to
control communication traffic. You can bind a local number or call route to a maximum-call-connection set.
After that, the number of call connections of the local number or call route is restricted.

Number substitution
A number substitution rule list defines some number substitution methods. It can be used wherever number
substitution is necessary. There is no limitation on where and how many times it is used. Therefore, a
number substitution rule list may be bound globally and bound to different local numbers/call routes and
lines.
The characteristics of global calling/called number substitution or calling/called number substitution on
local numbers/call routes and lines are as follows:
• Global number substitution—The voice gateway substitutes calling and called numbers of all
incoming and outgoing calls according to the number substitution rules configured in dial program
view. Multiple number substitution rule lists can be bound for global calling and called number
substitution of incoming and outgoing calls. If there is no match in the first number substitution rule
list, the voice gateway matches against other number substitution rule lists.
• Number substitution on local numbers or call routes—The voice gateway substitutes the calling and
called numbers based on the number substitution rule lists bound to local numbers or call routes.
• Number substitution on a specific line—The voice gateway substitutes the calling and called numbers
of incoming calls based on the number substitution rules configured on the receiving line.

Configuring dial plan


Configuring number match
Select Voice Management > Dial Plan > Number Match from the navigation tree to display the number
match configuration page shown in Figure 535.
Figure 535 Number match configuration page

Table 218 Configuration

Item: Description

Dial Terminator: Configure a special character as the dial terminator for length-variable telephone
numbers. If you set the argument character to # or *, and if the first character of the configured
local number or call route is the same as the argument character (# or *), the device takes this first
character as a common number rather than a dial terminator. By default, no dial terminator is
configured.

Max Count of Numbers Found before Search Stops: Set the maximum number of local numbers or call
routes found before a search process stops.

Number Match Mode:
• Longest Number Match—Matches the longest number.
• Shortest Number Match—Matches the shortest number.
By default, the shortest-number match mode is adopted.

Number Match Policy:
• Service first
• Number first

Select Based on Voice Entity Type, Selection Sequence: Select the Enable option. The sequence of the
voice entities in the Selection Sequence list determines the match order, and you can click the Up and
Down buttons to move a voice entity. By default, entities are not selected by type. The web interface
does not support the configuration of VoFR entities.

First Rule in the Match Order, Second Rule in the Match Order, Third Rule in the Match Order:
• Exact match—The more digits of a digit string are matched from left to right, the higher the
precision is. The system stops using the rule once a digit cannot be matched uniquely.
• Priority—Number priorities are divided into 11 levels numbered from 0 to 10. The smaller the value
is, the higher the priority is. That means level 0 has the highest priority.
• Random selection—The system selects at random a number from a set of qualified numbers. After the
random selection rule is applied, there is no number selection conflict. The random selection rule can
only serve as a rule with the lowest priority or serve as a unique rule separately.
• Longest idle time—The longer the voice entity is idle, the higher the priority is.
You can select one to three rules to form a sequence. The voice gateway first selects a number
according to the first rule. If the voice gateway fails to decide which number should be selected
according to the first rule, it applies the second rule, and so on.
By default, the match order of rules for the number selection is exact match-> priority-> random
selection.

Configuring call control


Configuring a number group
Follow these steps to configure call control:
Step 1: Configure a number group and numbers in the group.
Step 2: Bind the local numbers, call routes, or IVR numbers to the number group.
1. Add a number group.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to display the
number group page shown in Figure 536.

Figure 536 Number group page

Click Add to display the number group configuration page shown in Figure 537.
Figure 537 Number group configuration page

Table 219 Configuration

Item: Description

Group ID: ID of the number group.

Description: Description of the number group.

Numbers in the Group, Add: Enter subscriber numbers to be added into the group in the field. You can
add a number by clicking Add.

2. Bind local numbers to the call number group.


Click Not Bound in the Local Numbers Bound column to display the local call number binding page shown
in Figure 538.

Figure 538 Local number binding page

Table 220 Configuration

Item: Description

Binding Mode:
• Permit the calls from the number group
• Deny the calls from the number group

Select the checkbox in front of the ID column, and then click Apply to complete local number binding.

NOTE:
A local number can be bound to multiple number groups in the same binding mode (a local number can
either permit or deny the calls from bound number groups).

3. Bind call routes to the call number group.


Click Not Bound in the Call Routes Bound column to display the call route binding page.
The configuration of call route binding is similar to that of local number binding, so it is not shown here.

NOTE:
A call route can be bound to multiple number groups in the same binding mode (a call route can either
permit or deny the calls from bound number groups).

4. Bind IVR numbers to the call number group.


Click Not Bound in the IVR Numbers Bound column to display the IVR number binding page.
The configuration of IVR number binding is similar to that of local number binding, so it is not shown here.

Configuring a max-call-connection set


Follow these steps to configure a max-call-connection set:
Step 1: Configure a max-call-connection set, and specify the maximum number of call connections in this
set.
Step 2: Bind the local numbers, call routes, or IVR numbers to the max-call-connection set.
1. Add a max-call-connection set.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click the
Max-Call-Connection Set tab to display the max-call-connection set configuration page shown in Figure
539.

Figure 539 Max-call-connection set page

Click Add to display the Max-Call-Connection Set Configuration page shown in Figure 540.
Figure 540 Max-call-connection set configuration page

Table 221 Configuration

Item: Description

Connection Set ID: ID of the max-call-connection set

Max Number of Call Connections in the Set: Maximum number of call connections in the
max-call-connection set

2. Bind local numbers to a max-call-connection set.


Click Not Bound in the Local Numbers Bound column to display the local call number binding page shown
in Figure 541.
Figure 541 Local number binding page

Select the checkbox in front of the ID column, and then click Apply to complete local number binding.
3. Bind call routes to a max-call-connection set.
Click Not Bound in the Call Routes Bound column to display the call route binding page.
The configuration of call route binding is similar to that of local number binding, so it is not shown here.
4. Bind IVR numbers to a max-call-connection set.

Click Not Bound in the IVR Numbers Bound column to display the IVR number binding page.
The configuration of IVR number binding is similar to that of local number binding, so it is not shown here.

Configuring number substitution


Follow these steps to configure number substitution:
Step 1: Add a number substitution list.
Step 2: Bind a number substitution list to global, local numbers, call routes, or lines.
1. Add a number substitution list.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree to display the
number substitution list page shown in Figure 542.
Figure 542 Number substitution list page

Click Add to display the number substitution configuration page.


Figure 543 Number substitution configuration page

Table 222 Configuration

Item: Description

Number Substitution Rule List ID: ID of the number substitution rule list.

Dot Match Rule:
• End-Only—Reserves the digits to which all ending dots (.) in the input number correspond.
• Left-to-Right—Reserves from left to right the digits to which the dots in the input number
correspond.
• Right-to-Left—Reserves from right to left the digits to which the dots in the input number
correspond.
By default, the dot match rule is End-Only.
The dots here are virtual match digits. Virtual match digits refer to those matching the variable part
such as ., +, %, !, and [] in a regular expression. For example, when 1255 is matched with the regular
expression 1[234]55, the virtual match digit is 2; when matched with the regular expression 125+, the
virtual match digit is 5; and when matched with the regular expression 1..5, the virtual match digits
are 25.

Rule ID: ID of the number substitution rule.

Input Number: Input number involved in number substitution, in the format of [ ^ ] [ + ] input number
[ $ ], up to 31 characters. The signs are explained as follows:
• ^—Caret. The match begins with the first character of a number string (the device begins with the
first character of the match string to match a user number).
• +—Plus sign. The sign itself does not have special meanings. It only indicates that the following
string is an effective number and the number is E.164-compliant.
• $—Dollar sign. It indicates that the last character of the match string must be matched (the last
digit of a user number must match the last character of the match string).
• string—String consisting of characters such as 0 to 9, #, *, ., !, and %.

Output Number: Output involved in number substitution, in the format of ^(+)![0-9#*.]+$.

Input Number Type, Output Number Type: Types of the input number and output number involved in number
substitution.

Input Numbering Plan, Output Numbering Plan: Input and output numbering plans involved in number
substitution.

Applied First (only one rule can be applied first): Set the preferred number substitution rule of the
current number substitution rule list. In a voice call, the system first uses the preferred number
substitution rule for number substitution. If this rule fails to be applied or is not configured, the
system tries to apply all other rules in order until one or none of them is applied.
During a number substitution process, there may be multiple rules, but only one of them can be set as
the preferred one. Moreover, the latest configuration overwrites the previous one.
By default, this function is disabled.

Add a Rule: Click this button to save the configured rule.

2. Bind a number substitution list to global, local numbers, call routes, or lines.

Click Not Bound in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column to
display the corresponding binding page. The configurations of these bindings are similar to those of local
number binding in call control, so they are not shown here.

Dial plan configuration examples


Configuring number match mode
Network requirements
As shown in Figure 544, configure different number match modes for calls from Telephone A to
Telephone B and Telephone C.
Figure 544 Network diagram

(Diagram port labels: FXS 1/0, FXS 1/1)

Configuration procedure
1. Shortest number match:
• Configure Router A.
# Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line
as line 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the
destination address as 1.1.1.2 on the call route configuration page.
# Add a call route: specify the call route ID as 2001, the destination number as 200012341234$, and
the destination address as 1.1.1.2 on the call route configuration page.
• Configure Router B.
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.
# Add a local number: specify the number ID as 2001, the number as 200012341234$, and the bound
line as 1/1 on the local number configuration page.
When you dial number 20001234 at Telephone A, the number 20001234 matches call route 2000,
and Telephone B is alerted because the device adopts the shortest match mode by default.
2. Longest number match:

# Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the number match configuration page shown in Figure 545.
Figure 545 Number match mode configuration page

a. Select Longest Number Match for Number Match Mode.


b. Click Apply.

After you dial number 20001234 at Telephone A and wait for some time (during this period, you can
continue dialing), the dialed number 20001234 matches call route 2000, and Telephone B is alerted.
If you continue to dial 1234 during that period, the dialed number 200012341234 matches call route
2001, and Telephone C is alerted.
3. Dial terminator:
# Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the dial terminator configuration page shown in Figure 546.
Figure 546 Dial terminator configuration page

a. Enter # for Dial Terminator.

b. Click Apply.

After you dial 20001234# at Telephone A, the number immediately matches call route 2000, and
Telephone B is alerted.

Configuring the match order of number selection rules


Network requirements
As shown in Figure 547, configure different number selection rule match orders for calls from Telephone
A to Telephone B.
Figure 547 Network diagram

Configuring Router A
# Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line
as 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the
destination address as 1.1.1.2 on the call route configuration page.
# Configure call route selection priority.
Select Voice Management > Call Route from the navigation tree to display the call route list page. Find the
call route with the ID of 2000 in the list, and then click its corresponding icon to display the advanced
setting page.
Figure 548 Call route selection priority configuration page

a. Select 10 from the Call Route Selection Priority list.


b. Click Apply.

# Add a call route: specify the call route ID as 2001, the destination number as 2000123.$, and the
destination address as 1.1.1.2 on the call route configuration page.
Select Voice Management > Call Route from the navigation tree to display the call route list page. Find the
call route with the ID of 2001 in the list, and then click its corresponding icon to display the advanced
setting page.
Figure 549 Call route selection priority configuration page

a. Select 5 from the Call Route Selection Priority list.


b. Click Apply.

# Add a call route: specify the call route ID as 2002, the destination number as 2000....$, and the
destination address as 1.1.1.2 on the call route configuration page.

Configuring Router B
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.

Configuring the match order of number selection rules: the first rule is exact match, the second rule is
priority, and the third rule is random selection
Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the page for configuring the match order of number selection rules, as shown in Figure 550.

Figure 550 Match order of number selection rules configuration page

a. Select Exact Match from the First Rule in the Match Order list.
b. Select Priority from the Second Rule in the Match Order list.
c. Select Random Selection from the Third Rule in the Match Order list.
d. Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2000.

Configuring the match order of number selection rules as follows: the first rule is priority, the second rule is
exact match, and the third rule is random selection
Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the page for configuring the match order of number selection rules.
Figure 551 Match order of number selection rules configuration page

a. Select Priority from the First Rule in the Match Order list.
b. Select Exact Match from the Second Rule in the Match Order list.
c. Select Random Selection from the Third Rule in the Match Order list.

d. Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2002.

Configuring the number selection rule as random selection


Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the page for configuring the match order of number selection rules.
Figure 552 Match order of number selection rules configuration page

a. Select Random Selection from the First Rule in the Match Order list.
b. Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2000, 2001, or 2002
at random.
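
The rule chain configured above can be modeled in a few lines. This is an added example, not HP's implementation: the rule names, function names, and the priority of route 2002 are assumptions (the page does not set a priority for route 2002; its stated result implies a level higher than 5, so 0 is used here).

```python
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRoute:
    route_id: int
    pattern: str           # destination number as entered in the web UI
    priority: int = 0      # 0 is highest, 10 lowest; the default of 0 is an assumption
    idle_seconds: int = 0  # only used by the longest-idle-time rule


# Call routes from the Router A example above. The page sets priority 10 on
# route 2000 and 5 on route 2001; route 2002 keeps the assumed default.
ROUTES = [
    CallRoute(2000, "20001234$", priority=10),
    CallRoute(2001, "2000123.$", priority=5),
    CallRoute(2002, "2000....$"),
]


def matches(route, dialed):
    """True if the dialed digits satisfy the route's destination pattern."""
    body = route.pattern.rstrip("$")
    regex = "".join("[0-9#*]" if ch == "." else re.escape(ch) for ch in body)
    if route.pattern.endswith("$"):
        return re.fullmatch(regex, dialed) is not None
    return re.match(regex, dialed) is not None


def exact_digits(route, dialed):
    """Digits matched literally from the left before the first wildcard."""
    count = 0
    for pat_ch, digit in zip(route.pattern.rstrip("$"), dialed):
        if pat_ch != digit:
            break
        count += 1
    return count


def keep_best(candidates, score):
    """Keep the candidates that share the highest score."""
    best = max(score(r) for r in candidates)
    return [r for r in candidates if score(r) == best]


RULES = {
    "exact": lambda c, dialed, rng: keep_best(c, lambda r: exact_digits(r, dialed)),
    "priority": lambda c, dialed, rng: keep_best(c, lambda r: -r.priority),
    "idle": lambda c, dialed, rng: keep_best(c, lambda r: r.idle_seconds),
    "random": lambda c, dialed, rng: [rng.choice(c)],
}


def select_route(routes, dialed, order, rng=None):
    """Apply one to three rules in order; fall back to the smallest ID."""
    if not 1 <= len(order) <= 3 or len(set(order)) != len(order):
        raise ValueError("choose one to three distinct rules")
    if any(name not in RULES for name in order):
        raise ValueError("unknown rule")
    if "random" in order and order[-1] != "random":
        # Random selection always leaves one candidate, so nothing may follow it.
        raise ValueError("random selection must be the last or the only rule")
    rng = rng or random.Random()
    candidates = [r for r in routes if matches(r, dialed)]
    if not candidates:
        return None
    for name in order:
        candidates = RULES[name](candidates, dialed, rng)
        if len(candidates) == 1:
            break
    return min(candidates, key=lambda r: r.route_id).route_id


if __name__ == "__main__":
    for order in (["exact", "priority", "random"],
                  ["priority", "exact", "random"],
                  ["random"]):
        print(order, "->", select_route(ROUTES, "20001234", order))
```

Swapping the first two rules changes which route carries the call, so review the match order together with the per-route priorities whenever either is changed.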

Configuring entity type selection priority rules


Network requirements
As shown in Figure 553, there are an IP connection and a PRI connection between Router A and Router B.
Configure different entity type selection priority rules for calls from Telephone A to Telephone B.
Figure 553 Network diagram

Configuring Router A
Select Voice Management > Digital Link Management from the navigation tree to display the digital link
list page. Find the digital link VE1 5/0 in the list, and then click its corresponding icon to display the
E1 parameters configuration page.

Figure 554 E1 parameters configuration page

a. Select PRI Trunk Signaling for Working Mode.


b. Select Internal for TDM Clock Source. (Internal is the default setting.)
c. Select the Network Side Mode for ISDN Working Mode.
d. Click Apply.

# Add a local number: specify the number ID as 1000, the number as 10001234$, and the bound line
as 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 1001, the destination number as 20001234$, and the
trunk route line as 5/0:15 on the call route configuration page. In addition, select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and the
destination address as 1.1.1.2 on the call route configuration page.

Configuring Router B
Select Voice Management > Digital Link Management from the navigation tree to display the digital link
list page. Find the digital link VE1 5/0 in the list, and then click its corresponding icon to display the
E1 parameters configuration page.
Figure 555 E1 parameters configuration page

a. Select PRI Trunk Signaling for Working Mode.


b. Select User Side Mode for ISDN Working Mode. (User Side Mode is the default setting.)
c. Select Line for TDM Clock Source.
d. Click Apply.

# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.

Configuring the system to first select VoIP entity


Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the number match configuration page.

Figure 556 Entity type selection priority rule configuration page (I)

a. Configure the order of the voice entities in the Selection Sequence list: the first is VOIP, the
second is POTS, the third is VoFR, and the last is IVR.
b. Click Apply.

After you dial 20001234 at Telephone A, the number matches call route 2000 (VoIP entity).

Configuring the system to first select POTS entity


Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
display the number match configuration page.
Figure 557 Entity type selection priority rule configuration page (II)

a. Configure the order of the voice entities in the Selection Sequence list: the first is POTS, the
second is VOIP, the third is VoFR, and the last is IVR.
b. Click Apply.

After you dial 20001234 at Telephone A, the number matches call route 1001 (POTS entity).

Configuring call authority control
Network requirements
As shown in Figure 558, Router A, Router B, and Router C are located at place A, place B, and place C,
respectively, and they are all connected to the SIP server to allow subscribers to make SIP calls. When
VoIP links fail for some reason, PSTN links that provide backup for VoIP links can be automatically
brought up. It is required that subscribers at place A whose telephone numbers begin with 1100 can
originate calls to place B, while subscribers whose telephone numbers begin with 1200 can originate
calls to both place B and place C.
Figure 558 Network diagram

(Diagram labels: Place A (Router A, PBX, 110000, 1100.., 110099, 120000, 1200.., 120099), Place B
(Router B, PBX, 2100, 2200), Place C (Router C, PBX, 3100, 3200), SIP server, IP, PSTN's central
office)

Configuring Router A
# Configure two number groups.
Configure Router A. Select Voice Management > Dial Plan > Call Authority Control from the navigation
tree, and then click Add to display the number group configuration page.
Figure 559 Number group configuration page

a. Enter 1 for Group ID.
b. Enter 1100.. for Numbers in the Group.
c. Click Add to add numbers into the group.
d. Click Apply.

Display the number group configuration page again to add another number group:
a. Enter 2 for Group ID.
b. Enter 1200.. for Numbers in the Group.
c. Click Add to add numbers into the group.
d. Click Apply.

# Add a call route for place B: specify the call route ID as 2000, the destination number as 2..., and use
a proxy server for SIP routing on the call route configuration page.
# Create a call route for place C: specify the call route ID as 3000, the destination number as 3..., and
use a proxy server for SIP routing on the call route configuration page.
# Add a call route for place B: specify the call route ID as 2100, the destination number as 2..., and the
trunk route line as 5/0:15 on the call route configuration page. In addition, select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
# Add a call route for place C: specify the call route ID as 3100, the destination number as 3..., and
the trunk route line as 5/1:15 on the call route configuration page. In addition, select the Send All Digits
of a Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
# Bind a call route to number group 1 to allow subscribers at place A whose telephone numbers begin
with 1100 to originate calls to place B.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to display the page
shown in Figure 560.
Figure 560 Binding call route configuration page (I)

Click Not Bound in the Call Routes Bound column to display the call route binding page of number group
1.

Figure 561 Call route binding page (I)

a. Select Permit the calls from the number group for Binding Mode.
b. Select the checkbox for call route 2100.
c. Click Apply.
# Bind call routes to number group 2 to allow subscribers whose telephone numbers begin with
1200 to originate calls to both place B and place C.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to display the page
shown in Figure 562.
Figure 562 Binding call route configuration page (II)

Click Not Bound in the Call Routes Bound column to display the call route binding page of number group
2.

Figure 563 Call route binding page (II)

a. Select Permit the calls from the number group for Binding Mode.
b. Select the checkboxes for call routes 2100 and 3100.
c. Click Apply.

Configuring Router B
# Add a call route: specify the call route ID as 2100, the destination number as 2..., and the trunk route
line as 1/0:15 on the call route configuration page. In addition, select the Send All Digits of a Called
Number option in the Called Number Sending Mode area when you configure the advanced settings of
this call route.

Configuring Router C
# Add a call route: specify its call route ID as 3100, the destination number as 3..., and the trunk route
line as 1/0:15 on the call route configuration page. In addition, select the Send All Digits of a Called
Number option in the Called Number Sending Mode area when you configure the advanced settings of
this call route.
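
To check a call authority configuration like the one above before applying it, the bindings can be evaluated offline. This is an added example, not the device's own logic: the function names and the whole-number matching of group entries are assumptions, and routes with no number group bound are reported as "unbound" because the page does not state how such routes treat callers.

```python
import re
from dataclasses import dataclass, field


def pattern_matches(pattern, number):
    """'.' stands for any single digit; the whole number must match (assumption)."""
    return re.fullmatch(pattern.replace(".", "[0-9]"), number) is not None


@dataclass
class CallRoute:
    route_id: int
    destination: str
    binding_mode: str = ""                      # "permit", "deny", or "" when unbound
    groups: list = field(default_factory=list)  # IDs of the bound number groups


# Number groups from the Router A example above.
NUMBER_GROUPS = {1: ["1100.."], 2: ["1200.."]}


def bind(route, group_id, mode):
    """Bind a number group to a route; all bindings on a route share one mode."""
    if mode not in ("permit", "deny"):
        raise ValueError("binding mode must be permit or deny")
    if route.groups and route.binding_mode != mode:
        raise ValueError("a route cannot mix permit and deny bindings")
    route.binding_mode = mode
    route.groups.append(group_id)


def build_router_a():
    """Call routes and bindings as configured on Router A in the example above."""
    routes = {
        2000: CallRoute(2000, "2..."),  # SIP via proxy server, place B
        3000: CallRoute(3000, "3..."),  # SIP via proxy server, place C
        2100: CallRoute(2100, "2..."),  # PSTN trunk 5/0:15, place B
        3100: CallRoute(3100, "3..."),  # PSTN trunk 5/1:15, place C
    }
    bind(routes[2100], 1, "permit")     # number group 1: call route 2100
    bind(routes[2100], 2, "permit")     # number group 2: call routes 2100 and 3100
    bind(routes[3100], 2, "permit")
    return list(routes.values())


def route_decision(route, caller):
    """Return 'permit', 'deny', or 'unbound' for one caller on one route."""
    if not route.groups:
        return "unbound"
    listed = any(pattern_matches(p, caller)
                 for gid in route.groups for p in NUMBER_GROUPS[gid])
    if route.binding_mode == "permit":
        return "permit" if listed else "deny"
    return "deny" if listed else "permit"


def evaluate_call(routes, caller, called):
    """Decision per route whose destination number matches the called number."""
    return {r.route_id: route_decision(r, caller)
            for r in routes if pattern_matches(r.destination, called)}


def unbound_routes(routes):
    """Routes that no number group is bound to, for review."""
    return sorted(r.route_id for r in routes if not r.groups)


if __name__ == "__main__":
    router_a = build_router_a()
    for caller, called in (("110042", "2100"), ("110042", "3100"), ("120007", "3200")):
        print(caller, "->", called, evaluate_call(router_a, caller, called))
    print("routes without a number group:", unbound_routes(router_a))
```

The list returned by `unbound_routes` shows which call routes the caller restrictions do not cover, which is worth confirming against the intended policy.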

Configuring number substitution


Network requirements
As shown in Figure 564, a PBX forms a local telephony network at each of place A and place B. The
following requirements should be met:
• These two local telephony networks communicate through two voice gateways. Subscribers in one
PBX network can make ordinary calls to remote subscribers in the other PBX network over a VoIP
network.
• Configure two FXO trunk lines between each router and its PBX and enable hunt group to realize
trunk line backup.
• There are a financial department, market department, and sales department at both place A (area
code 021) and place B (area code 010). A department at place A only has to know the telephone
numbers of the local departments and the area code of place B when calling a department at place
B. For example, the financial department at place B can dial 3366 to call the local market
department. The financial department at place B can dial 0103366 to call the market department at
place A, and the caller ID displayed on the terminal at place A is 0211234 (area code of place B +
telephone number of the financial department at place B).

Figure 564 Network diagram

Configuration considerations
The PBX (calling side) at place B changes the called number to an intermediate number.
The PBX (called side) at place A changes the received intermediate number to a local number before
initiating the call.

NOTE:
The following configuration supports dial plan–based calls from place B to place A only.

Configuring Router B
# Set the IP address of the Ethernet interface to 2.2.2.2.
# Add a call route for place A: specify the call route ID as 10, the destination number as 010...., the call
route type as SIP, the SIP routing as IP routing, and the destination address as 1.1.1.1 on the call route
configuration page.
# Add a call route: specify the call route ID as 100, the destination number as ...., and the trunk route line
as 1/0 on the call route configuration page. In addition, select the Send All Digits of a Called Number
option in the Called Number Sending Mode area when you configure the advanced settings of this call
route. Also, select the Enable option in the Hunt Group area when you configure the call services of this
call route.
# Add a call route: specify the call route ID as 101, the destination number as ...., and the trunk route
line as 1/1 on the call route configuration page. In addition, select the Send All Digits of a Called Number
option in the Called Number Sending Mode area when you configure the advanced settings of this call
route. Also, select the Enable option in the Hunt Group area when you configure the call services of this
call route.
# Add a number substitution rule list for called numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and then click Add
to display the number substitution configuration page.

Figure 565 Number substitution configuration page (I)

a. Enter 21101 for Number Substitution Rule List ID.


b. Add three number substitution rules, as shown in Figure 565.
c. Click Apply.
# Add another number substitution rule list for calling numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and then click Add
to display the number substitution configuration page.

Figure 566 Number substitution configuration page (II)

a. Enter 21102 for Number Substitution Rule List ID.


b. Add three number substitution rules, as shown in Figure 566.
c. Click Apply.
# Enter the call route binding page of number substitution list 21101.
Figure 567 Call routing binding page of number substitution list 21101

• Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.
• Select call route 10.
• Click Apply.
# Enter the call route binding page of number substitution list 21102.

Figure 568 Call routing binding page of number substitution list 21102

a. Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode.
b. Select call route 10.
c. Click Apply.

Configuring Router A
# Set the IP address of the Ethernet interface to 1.1.1.1.
# Add a call route: specify the call route ID as 1010, the destination number as ...., and the trunk route
line as FXO line 1/0 on the call route configuration page. In addition, select the Send All Digits of a Called
Number option in the Called Number Sending Mode area when you configure the advanced settings of
this call route. Also, select the Enable option in the Hunt Group area when you configure the call services
of this call route.
# Add a call route: specify the call route ID as 2010, the destination number as ...., and the trunk route
line as FXO line 1/1 on the call route configuration page. In addition, select the Send All Digits of a Called
Number option in the Called Number Sending Mode area when you configure the advanced settings of
this call route. Also, select the Enable option in the Hunt Group area when you configure the call services
of this call route.
# Add number substitution rule list 101 for called numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and then click Add
to display the number substitution configuration page.

Figure 569 Number substitution configuration page (III)

a. Enter 101 for Number Substitution Rule List ID.


b. Add three number substitution rules, as shown in Figure 569.
c. Click Apply.
# Add another number substitution rule list for calling numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and then click Add
to display the number substitution configuration page.

Figure 570 Number substitution configuration page (IV)

a. Enter 102 for Number Substitution Rule List ID.


b. Add three number substitution rules, as shown in Figure 570.
c. Click Apply.
# Enter the global binding page of number substitution list 101.
Figure 571 Global binding page of number substitution list 101

a. Select Incoming Calling for Incoming Binding Type.


b. Click Apply.

# Enter the global binding page of number substitution list 102.

Figure 572 Global binding page of number substitution list 102

a. Select Incoming Called for Incoming Binding Type.


b. Click Apply.

Configuring call connections

Introduction to SIP
SIP is an application layer control protocol that can establish, modify, and terminate multimedia sessions
such as IP phone calls, multimedia sessions, and multimedia conferences. It is the core component in the
multimedia data and control architecture of the IETF (RFC 3261).
SIP is responsible for signaling control in IP networks and communication with soft switch platforms,
intending to build a next generation value-added service platform to deliver better value-added services to
telecom carriers, banks, and financial organizations.
SIP is used for initiating sessions. It sets up and terminates a multimedia session involving a group of
participants and dynamically adjusts and modifies session characteristics such as required session
bandwidth, media type (voice, video, or data), media encoding/decoding format, and multicast/unicast.
SIP is based on text encoding and constructed by taking HTTP, a quite mature protocol, as a model. Easy
to extend and implement, it is suitable for implementing Internet-based multimedia conference systems.

Terminology
Multimedia session
According to RFC 2327, a multimedia session is a set of multimedia senders and receivers and the data
streams flowing from senders to receivers. A multimedia conference is an example of a multimedia
session.
A session is identified by the combination of username, session ID, network type, address type, and address.

User agent
A UA, or a SIP endpoint, is a SIP-enabled multimedia session endpoint. Usually, a SIP-enabled router
serves as a SIP UA.
There are two types of UAs: UAC and UAS. To make a call, a SIP endpoint must process the SIP request
as a UAS and initiate the SIP request as a UAC.
A UAC is a device that initiates a session request. It can be a calling SIP endpoint or a proxy server
forwarding a request to a called endpoint, for example.
A UAS is a device that generates a response to a SIP request. It can be a called SIP endpoint or a proxy
server receiving a request from a calling endpoint, for example.

Proxy server
A proxy server is a device that forwards session requests to a called UA on behalf of a calling UA (a SIP
endpoint) and responds to the calling UA on behalf of the called UA.
When the proxy server receives a request from a calling UA, it checks for the called UA location and for
the call policies of the calling UA and called UA. If the called UA location information is available, and if
the calling UA is allowed to make the call, the proxy server forwards the request to the called UA.

Redirect server
A redirect server sends a new connection address to a requesting client.

For example, when receiving a request from a calling UA, the redirect server searches for the location
information of the called UA and returns the location information to the UA. The location can be that of
the called UA or another proxy server, to which the UA can initiate the session request again. The
subsequent procedure is the same as that for calling a called UA directly or for calling a proxy server.

Location server
A location server is a device that provides UA information to proxy and redirect servers. It retains UA
information received by a registrar. The location server and registrar can be located on the same server
as two logical components or on different devices.

Registrar
A registrar receives UAs' registrations. The registration information (for example, the local telephone
number) is usually stored on the location server for future retrieval. The location server and the registrar
are both logical components and are usually co-located.

Functions and features of SIP


Functions
SIP supports five basic functions:
• Locating called SIP endpoints, the most powerful function of SIP. For this purpose, SIP can use the
registration information of SIP endpoints on the registrar. In addition, it can enhance its user location
service by using other location services provided by the DNS and LDAP.
• Determining user availability, making sure whether a called endpoint can participate in a session.
SIP supports multiple address description and addressing styles, SIP-URI (for example, SIP:
123456@172.18.24.11), Tel-URL (for example, Tel: +1312000), and SIPS-URI (for example, SIPS:
123456@172.18.24.11). Therefore, a SIP caller can identify whether a callee is attached to a
PSTN network by the callee's address and then initiate and set up the call to the callee through the
gateway connected to the PSTN.
• Determining user capabilities (the media type and media parameters of a called endpoint). In a
message exchange process, each SIP endpoint sends such information in messages so that all other
participants can learn about its capabilities.
• Setting up a session, or session parameters, at both the callee and caller sides. Two parties can
select the appropriate capabilities for session setup through negotiation about media type and
media parameters to be used.
• Managing sessions by modifying session parameters or terminating sessions.

Features
SIP delivers the following features:
• Open standards—It can accommodate new functions, products, and services introduced by different
service providers.
• Flexible configuration—It accommodates a wide range of dialup, wire, and wireless devices, allows
highly flexible configurations, and can work with other systems.
• Scalable system—The system allows expansion as enterprises grow.
• Support for remote users—With SIP, an enterprise network can extend to all its users, wherever they
are.
• Consistent communication method—Management becomes easier as the result of consistency in
dialup mode and system access method used by branches, SOHOs, and traveling personnel.

• Quick launch—The system can be updated quickly to accommodate new branches and personnel,
as well as changes resulting from job rotation or relocation.
• Easy to install and maintain—Even non-professional individuals can install and maintain SIP systems.

SIP messages
SIP messages, which fall into the categories of SIP request messages and SIP response messages, are
encoded in text mode.
SIP request messages include INVITE, ACK, OPTIONS, BYE, CANCEL, and REGISTER. RFC 3261 defines
the request messages:
• INVITE—Used to invite a user to join a call.
• ACK—Used to acknowledge the response to a request.
• OPTIONS—Used to query for the capabilities.
• BYE—Used to release an established call.
• CANCEL—Used to give up a call attempt.
• REGISTER—Used to register with the SIP registrar.
SIP response messages, used to respond to SIP requests, indicate the status of a call or registration:
succeeded or failed. Response messages are distinguished by status codes. Each status code is a 3-digit
integer, where the first digit defines the class of a response, and the last two digits describe the response
message in more detail.
Table 223 Status codes of response messages

Code | Description | Class
100 – 199 | The request is received and is being processed. | Provisional
200 – 299 | The request is successfully received, understood, and accepted. | Success
300 – 399 | A further action must be taken to process the request. | Redirection
400 – 499 | The request contains bad syntax and cannot be processed. | Client error
500 – 599 | The request cannot be processed due to UAS or server error. | Server error
600 – 699 | The request cannot be processed by any UAS or server. | Global error

SIP fundamentals
Registration
In a complete SIP system, all SIP endpoints working as UAs should register with SIP registrars, providing
information such as location, session capabilities, and call policy.
Normally, a SIP UA sends its registrar a REGISTER request at startup or in response to an administrative
registration operation, carrying all the information that must be recorded. Upon receipt of the request, the
registrar sends back a response notifying receipt of the request and a 200 OK (SUCCESS) message if the
registration is accepted. See the following figure.
Figure 573 Message exchange for a UA to register with a Registrar

Call setup
SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy
server.
Figure 574 Network diagram for call setup involving a proxy server

In the above figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP
endpoints (UAs).
The procedure for connecting a call from Telephone A to Telephone B is as follows:
1. Telephone A sends the number of Telephone B.
2. Upon receipt of the call, Router A sends a session request (INVITE) to the proxy server.
3. The proxy server consults its database for information corresponding to the number of Telephone B.
If such information is available, it forwards the request to Router B.
4. Router B, after receiving the request, responds to the proxy server and makes Telephone B ring if
Telephone B is available.
5. The proxy server forwards the response to Router A. The response discussed here includes two
provisional response messages (100 Trying and 180 Ringing) and one success response (200 OK).
Figure 575 illustrates the complete call setup procedure.
Figure 575 Call setup procedures involving a proxy server

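[Figure 575: message sequence among the calling side, the proxy server, and the called side, in order: INVITE and 100 Trying between the calling side and the proxy server; INVITE and 100 Trying between the proxy server and the called side; 180 Ringing, 200 OK, and ACK for 200 on each leg; RTP/RTCP media; BYE and 200 for BYE on each leg.]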

This is a simplified scenario where only one proxy server is involved and no registrar is present. A
complex scenario, however, may involve multiple proxy servers and registrars.

Call redirection
When a SIP redirect server receives a session request, it sends back a response indicating the address of
the called SIP endpoint instead of forwarding the request. The calling and called endpoints can send
requests and responses to each other directly. See Figure 576.
Figure 576 Call redirection procedure for UAs

This is a common application. Fundamentally, a redirect server can respond with the address of a proxy
server as well. The subsequent call procedures are the same as the call procedures involving proxy
servers.

Support for transport layer protocols


As an application layer protocol, SIP supports the following transport layer protocols:
• UDP—UDP is a connectionless protocol and does not provide reliability. Therefore, SIP connections
established over UDP are unreliable.
• TCP—Ensures transmission reliability for SIP messages. TCP provides connection-oriented and
reliable transmission for SIP-based VoIP communications. Using TCP, SIP does not need to consider
packet loss and retransmission issues.
• TLS—Ensures transmission security for SIP messages. For more information, see "Signaling
encryption."
These transport layer protocols have their own benefits, and you can select a protocol based on your
network environment. The system does not support transport layer protocol switchover during
communication.

SIP security
Signaling encryption
TLS runs over TCP and provides a complete set of authentication and encryption solutions for application
layer protocols. When establishing a TLS connection, both sides need to authenticate each other by using
their own digital certificates and can communicate with each other only after passing authentication. SIP
messages are encrypted during SIP over TLS transmissions to prevent data from being sniffed and to
increase the security of voice communications.

Media flow encryption


RTP and RTCP are supported media flow protocols. RTP provides end-to-end real-time transmission for
real-time data such as audio and video data. RTCP monitors data transmission in real time and performs
congestion and traffic control in time. RTP and RTCP can work together to optimize the transmission
efficiency by providing efficient replies and minimizing overheads.
Media flows are transmitted in plain text. To ensure transmission security, SRTP was introduced.
SRTP provides for encryption of the RTP/RTCP packet payload, for authentication of the entire RTP/RTCP
packet, and for packet replay protection.
The first step of SRTP encryption is to negotiate encryption information, which can only be carried in the
crypto header field of the SDP. The initiator sends its encryption information to the receiver for negotiation.
If the negotiation is successful, the receiver returns corresponding encryption information. After a session
is established, each end uses its own key to encrypt sent RTP/RTCP packets and uses the key of the peer
to decrypt received RTP/RTCP packets.
SDP negotiation includes the following cryptographic attributes.
Table 224 Cryptographic attributes

Attribute | Description | Remarks
Tag | The tag attribute is an identifier for a particular cryptographic attribute to determine which of the several offered cryptographic attributes was chosen by the receiver. | Required.
Crypto-Suite | The crypto-suite attribute defines the encryption and authentication algorithm. The device supports suites AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. | Required.
Key Parameters | The key parameters attribute defines key information, including the key generation algorithm and the key value. | Required.
Session Parameters | The session parameters attribute defines session parameters, such as key generation rate, UNENCRYPTED_SRTP, UNENCRYPTED_SRTCP, UNAUTHENTICATED_SRTP, and FEC. | Optional. Not supported.

When SRTP is used to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and
authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and authenticates
RTP/RTCP packets. For more information about the encryption engine, see HP A-MSR Router Series
Security Configuration Guide.

NOTE:
SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about SIP trunk,
see "Configuring SIP trunk management."
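The answerer's side of the crypto negotiation described above, as an added Python example (not HP's implementation and not code from this guide). It accepts only the two suites Table 224 lists, skips offers that carry session parameters because the guide marks them as not supported, and checks the inline key length; the `a=crypto` line syntax follows the SDP security descriptions format, and the sample offer and keys are constructed.

```python
import base64
import re
import secrets

# Suites the guide lists as supported by the device (Table 224).
SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
KEY_SALT_LEN = 30  # AES-CM-128: 16-byte master key + 14-byte master salt

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:(\d{1,9}) (\S+) (\S+)(?: (.+))?$")


def parse_crypto(line):
    """Split one a=crypto line into tag, suite, key lengths, session params."""
    match = CRYPTO_RE.match(line.strip())
    if match is None:
        raise ValueError("malformed crypto attribute")
    tag, suite, key_params, session_params = match.groups()
    key_lengths = []
    for param in key_params.split(";"):
        method, _, info = param.partition(":")
        if method != "inline":
            raise ValueError("unsupported key method")
        key_b64 = info.split("|")[0]  # drop optional lifetime and MKI fields
        # binascii.Error raised here is a ValueError subclass.
        key_lengths.append(len(base64.b64decode(key_b64, validate=True)))
    return {"tag": int(tag), "suite": suite, "key_lengths": key_lengths,
            "session_params": session_params.split() if session_params else []}


def reject_reason(attr):
    """Return why an offered attribute is unusable, or None if acceptable."""
    if attr["suite"] not in SUPPORTED_SUITES:
        return "unsupported crypto-suite"
    if attr["session_params"]:
        return "session parameters not supported"
    if any(n != KEY_SALT_LEN for n in attr["key_lengths"]):
        return "key||salt is not 30 bytes"
    return None


def negotiate(offer_sdp):
    """Pick the first acceptable crypto attribute in an SDP offer.

    Returns (answer_line, log). answer_line echoes the chosen tag and suite
    with a freshly generated key for this side, or is None if nothing in the
    offer is acceptable. log holds one (tag, verdict) pair per attribute seen.
    """
    log, secure_media = [], False
    for line in offer_sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line.split()
            secure_media = len(fields) >= 3 and fields[2] == "RTP/SAVP"
        elif line.startswith("a=crypto:"):
            if not secure_media:
                log.append((None, "crypto attribute outside RTP/SAVP media"))
                continue
            try:
                attr = parse_crypto(line)
            except ValueError as exc:
                log.append((None, str(exc)))
                continue
            reason = reject_reason(attr)
            log.append((attr["tag"], reason or "accepted"))
            if reason is None:
                own_key = base64.b64encode(
                    secrets.token_bytes(KEY_SALT_LEN)).decode()
                answer = "a=crypto:%d %s inline:%s" % (
                    attr["tag"], attr["suite"], own_key)
                return answer, log
    return None, log


# Constructed key material and offer, for illustration only.
K30 = base64.b64encode(bytes(range(30))).decode()
K46 = base64.b64encode(bytes(range(46))).decode()
K16 = base64.b64encode(bytes(range(16))).decode()
SAMPLE_OFFER = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0 8",
    "a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:" + K46,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + K30 + " UNENCRYPTED_SRTP",
    "a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:" + K16,
    "a=crypto:4 AES_CM_128_HMAC_SHA1_80 inline:" + K30 + "|2^20|1:4",
]) + "\r\n"

if __name__ == "__main__":
    chosen, verdicts = negotiate(SAMPLE_OFFER)
    for tag, verdict in verdicts:
        print(tag, verdict)
    print(chosen)
```

Because the inline key travels in the SDP body of the SIP message, it is readable on the wire unless signaling also runs over TLS, which is the On/On row of Table 225.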

TLS-SRTP combinations
TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them
separately or together. The following table shows four combinations of TLS and SRTP.
Table 225 TLS-SRTP combinations

TLS | SRTP | Description
On | On | Signaling packets are secured. Personal information is protected. Media packets are secured. Call conversations are protected. Recommended.
Off | On | Signaling packets are not secured. Personal information is not protected. Media packets are secured. Call conversations are protected.
On | Off | Signaling packets are secured. Personal information is protected. Media packets are not secured. Call conversations are not protected.
Off | Off | Signaling packets are not secured. Personal information is not protected. Media packets are not secured. Call conversations are not protected.

Support for SIP extensions


• Strict SIP routing is supported. In a complicated network environment where a request from SIP UAC
to SIP UAS must pass through multiple proxy servers, SIP uses the Route header field and the
Record-Route header field to make sure that requests in the dialog can be routed through these
proxy servers.
• The UPDATE method for SIP defined in RFC 3311 is supported. It is mainly used to update
parameters of a session, such as switching codecs, switching the voice to the media server, and
muting before the session is established, and it has no impact on normal call procedures.

Configuring SIP connections

Configuring connection properties


Configuring registrar
Select Voice Management > Call Connection > SIP Connection from the navigation tree to display the
connection properties configuration page shown in Figure 577.
Figure 577 Registrar configuration page

Table 226 Configuration

Item | Description
Registrar State | • Enable—Select to enable the SIP registrar.
 | • Disable—Select to disable the SIP registrar.
Main Registrar Transport Layer Protocol | • UDP—Applies the UDP transport layer protocol when the device registers to the main registrar.
 | • TCP—Applies the TCP transport layer protocol when the device registers to the main registrar.
 | • TLS—Applies the TLS transport layer protocol when the device registers to the main registrar.
 | By default, the UDP protocol is applied.
Main Registrar URL Scheme | • SIP—Specifies the SIP scheme as the URL scheme when the device registers to the main registrar.
 | • SIPS—Specifies the SIPS scheme as the URL scheme when the device registers to the main registrar.
 | By default, the SIP scheme is applied.
Main Registrar Address | IP address or domain name of the main registrar.
Main Registrar Port Number | Port number of the main registrar.
Aging Time for the Main Registrar | Registration aging time for the main registrar.
Backup Registrar Transport Layer Protocol | • UDP—Applies the UDP transport layer protocol when the device registers to the backup registrar.
 | • TCP—Applies the TCP transport layer protocol when the device registers to the backup registrar.
 | • TLS—Applies the TLS transport layer protocol when the device registers to the backup registrar.
 | By default, the UDP protocol is applied.
Backup Registrar URL Scheme | • SIP—Specifies the SIP scheme as the URL scheme when the device registers to the backup registrar.
 | • SIPS—Specifies the SIPS scheme as the URL scheme when the device registers to the backup registrar.
 | By default, the SIP scheme is applied.
Backup Registrar Address | IP address or domain name of the backup registrar.
Backup Registrar Port Number | Port number of the backup registrar.
Aging Time for the Backup Registrar | Registration aging time for the backup registrar.
Username | Username used for authentication.
Password | Password used for authentication.
Authentication Information Field for Handshake Authentication | Authentication information field used for handshake authentication between the registrar and the SIP UA.
Domain Name for Handshake Authentication | Domain name used for handshake authentication between the registrar and the SIP UA.

Configuring proxy server
Select Voice Management > Call Connection > SIP Connection from the navigation tree to display the
proxy server configuration page shown in Figure 578.
Figure 578 Proxy server configuration page

Table 227 Configuration

Item | Description
Use Server Group | Select the checkbox, and select a server group from the list as the proxy server. You can add a server group on the page that can be accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
Transport Layer Protocol for SIP Calls | • UDP—Applies the UDP transport layer protocol when the device initiates a call.
 | • TCP—Applies the TCP transport layer protocol when the device initiates a call.
 | • TLS—Applies the TLS transport layer protocol when the device initiates a call.
 | By default, the UDP protocol is applied.
URL Scheme | • SIP—Specifies the SIP scheme as the URL scheme.
 | • SIPS—Specifies the SIPS scheme as the URL scheme.
 | By default, the SIP scheme is applied.
Proxy Server Address | IP address or a domain name of the proxy server.
Proxy Server Port Number | Port number of the proxy server.

Configuring session properties


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the session properties configuration page.

Configuring source address binding
Introduction to SIP support for source IP address binding
With this function, you can specify a source IP address for SIP signaling or media streams that go out of
the gateway. SIP support for source IP address binding is implemented by binding a static IP address or
the primary IP address of an interface.
• Static IPv4 address binding—The source IP address specified for SIP calls is the bound IP address.
• Source address interface binding—In a large network, an interface obtains its IP address from a
DHCP or PPPoE server. In this scenario, you can use this function to configure an interface as the
source of SIP signaling and media streams to avoid manual IP address configuration, facilitating
network management.
Source IP address binding is supported on the Layer 3 Ethernet interface, GigabitEthernet interface, or
dialer interface.

NOTE:
For information about DHCP, see HP A-MSR Router Series Layer 3—IP Services Configuration Guide.

Configuring source address binding


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the session properties configuration page shown in Figure 579.
Figure 579 Source address binding configuration page

Table 228 Configuration

Item | Description
Media Stream Binding Mode | Configure media stream binding mode or disable media stream binding:
 | • None—Disables media stream binding.
 | • IPv4 Address Binding—Binds the media stream to a static IPv4 address.
 | • Interface Binding—Binds the media stream to an interface.
IPv4 Address Bound with the Media Stream | If IPv4 Address Binding is selected as the media stream binding mode, enter the IPv4 address to be bound in this field.
Interface Bound with the Media Stream | If Interface Binding is selected as the media stream binding mode, specify the interface to be bound from the list. Only the Layer 3 Ethernet interface, GE interface, and dialer interface are supported.
Signaling Stream Binding Mode | Configure the signaling stream binding mode or disable signaling stream binding:
 | • None—Disables signaling stream binding.
 | • IPv4 Address Binding—Binds the signaling stream to an IPv4 address.
 | • Interface Binding—Binds the signaling stream to an interface.
IPv4 Address Bound with the Signaling Stream | If IPv4 Address Binding is selected as the signaling stream binding mode, enter the IPv4 address to be bound in this field.
Interface Bound with the Signaling Stream | If Interface Binding is selected as the signaling stream binding mode, specify the interface to be bound from the list. Only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are supported.

Table 229 Application of the source address binding settings in different states

Settings made when… | Result
The call is active | • For SIP media streams, the source IP address binding settings do not take effect until the next SIP call.
 | • For SIP signaling streams, the source IP address binding settings take effect immediately.
The bound interface or the interface whose IP address is bound has been shut down | The source IP address binding settings do not take effect, and the original sending mode of the signaling streams or media streams is restored. After the interface is up, the source IP address binding settings take effect immediately.
The bound static IP address has been removed or modified, or the bound interface has been removed | The source IP address binding settings are removed.
The bound hot-swappable interface has been disconnected | The source IP address binding settings are cancelled and are restored the next time the interface is connected.
The physical layer or link layer of the corresponding interface is down | The source IP address binding settings never take effect, and the gateway automatically gets an IP address to send packets.
The DHCP lease duration expires and the interface dynamically obtains a new IP address from the DHCP server | The new IP address is used as the source IP address.
The SIP registrar is enabled | The subsequent registration update messages use the source IP address newly bound to signaling streams to initiate registration.

Configuring SIP listening


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the page shown in Figure 580.
Figure 580 Configure SIP listening

Table 230 Configuration

Item | Description
SIP Listening Transport Layer Protocol | • UDP—Specifies UDP as the transport layer protocol for incoming SIP calls and enables UDP listening port 5060.
 | • TCP—Specifies TCP as the transport layer protocol for incoming SIP calls and enables TCP listening port 5060.
 | • TLS—Specifies TLS as the transport layer protocol for incoming SIP calls and enables TLS listening port 5061. If you select this option, you must select a certificate from the Certificate list.
 | By default, both the UDP and TCP listening ports are enabled, and the TLS listening port is disabled.
 | Configure this item in either of the following scenarios:
 | • If the device is the call receiver, enable the listening port of the transport layer protocol used by the incoming calls.
 | • If TCP or TLS is selected as the transport layer protocol when the device initiates a call, you must specify it as the SIP listening transport layer protocol in this item. Otherwise, no register request can be initiated.
 | Resetting the setting for this item deletes the currently established connections.

Configuring media security


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the page shown in Figure 581.
Figure 581 Configure media security

Table 231 Configuration item

Item | Description
Media Protocol | • RTP—Specifies RTP as the media flow protocol for SIP calls.
 | • SRTP—Specifies SRTP as the media flow protocol for SIP calls.
 | By default, the RTP protocol is applied.
 | When both the RTP and SRTP protocols are specified as the media flow protocols for SIP calls:
 | • If the device is the call initiator, both media flow protocols are carried in the INVITE message for the receiver to select.
 | • If the device is the call receiver, the SRTP protocol is first used for media flow negotiation. If the negotiation fails, the RTP protocol is used.

Configuring caller identity and privacy


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the caller identity and privacy configuration page shown in Figure 582.

Figure 582 Caller identity and privacy configuration page

Table 232 Configuration

Item | Description
Caller Identity Presentation Restriction Mode | • None—Neither the P-Preferred-Identity header field nor the P-Asserted-Identity header field is added.
 | • P-Asserted-Identity—Adds the P-Asserted-Identity header field. The Privacy header field indicates whether caller identity presentation is enabled, and the P-Asserted-Identity header field contains the caller's number.
 | • P-Preferred-Identity—Adds the P-Preferred-Identity header field. The Privacy header field indicates whether caller identity presentation is enabled, and the P-Asserted-Identity header field contains the caller's number.
 | The default setting is None (caller identity presentation is enabled).
Add the Remote-Party-ID Header Field | • Enable—Adds the Remote-Party-ID header field.
 | • Disable—Removes the Remote-Party-ID header field.
 | By default, the Remote-Party-ID header field is not added.

Caller ID presentation can be disabled by adding the P-Preferred-Identity, P-Asserted-Identity, or Remote-Party-ID header field.
• When the P-Preferred-Identity or P-Asserted-Identity header field is added, the Privacy header field is added. When the Privacy header field is set to none, caller identity presentation is allowed. When the Privacy header field is set to id, caller identity presentation is restricted.
• Remote-Party-ID header field: privacy=off indicates caller identity presentation and privacy=full indicates caller identity screening. The calling information can be transparently transmitted by adding the Remote-Party-ID header field.
The Remote-Party-ID header field can be used together with the P-Preferred-Identity header field or P-Asserted-Identity header field. If so, the Remote-Party-ID header field takes precedence over the P-Preferred-Identity header field or the P-Asserted-Identity header field.

Configuring SIP session refresh


Introduction to SIP Session Refresh
In a high-volume traffic environment, if a BYE message gets lost for a session, the call proxy server does
not know that the session has ended and still maintains the state information for the call, which wastes
resources of the server. To solve this problem, RFC 4082 defines a session timer mechanism for SIP
sessions: the UA sends periodic re-INVITE or UPDATE requests (referred to as "session refresh requests")
to notify the proxy server about the current state of the session. The interval for sending session refresh
requests is determined through the negotiation of both sides.
The following new header fields are added to the session refresh requests:
• Session-Expires—Conveys the maximum session duration. If no refresh request is received during
this time, the session is considered ended.
• Min-SE—Conveys the minimum session duration, which is used to avoid frequent refresh requests
from occupying network bandwidth.
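How the two header fields interact during negotiation, as an added Python example (not HP's implementation and not code from this guide). The 422 "Session Interval Too Small" rejection, the refresh at half the interval, and the margin before the non-refreshing side sends BYE come from the SIP session timer specification rather than from this guide; the default refresher of uas when none is requested is an assumption of this example, and the sample INVITE is constructed.

```python
ABSOLUTE_MIN_SE = 90                      # the guide's minimum session duration (s)
COMPACT_FORMS = {"x": "session-expires"}  # compact header name for Session-Expires


def parse_headers(message):
    """Map lower-cased header names to values (first occurrence wins)."""
    head = message.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.setdefault(COMPACT_FORMS.get(key, key), value.strip())
    return headers


def parse_interval(value):
    """Split '1800;refresher=uac' into (1800, {'refresher': 'uac'})."""
    parts = [p.strip() for p in value.split(";")]
    if not (parts[0].isascii() and parts[0].isdigit()):
        raise ValueError("interval is not delta-seconds: %r" % value)
    params = dict(p.lower().split("=", 1) for p in parts[1:] if "=" in p)
    return int(parts[0]), params


def uas_decide(request, local_min_se=ABSOLUTE_MIN_SE):
    """Decide how the called side answers the timer headers of a request."""
    headers = parse_headers(request)
    if "session-expires" not in headers:
        return {"status": 200, "headers": {}, "timer": None}
    try:
        interval, params = parse_interval(headers["session-expires"])
    except ValueError:
        return {"status": 400, "headers": {}, "timer": None}
    refresher = params.get("refresher", "uas")   # assumption: default to uas
    if refresher not in ("uac", "uas"):
        return {"status": 400, "headers": {}, "timer": None}
    floor = max(local_min_se, ABSOLUTE_MIN_SE)
    if interval < floor:
        # Too short: reject and tell the caller the smallest usable interval.
        return {"status": 422, "headers": {"Min-SE": str(floor)}, "timer": None}
    return {
        "status": 200,
        "headers": {"Session-Expires": "%d;refresher=%s" % (interval, refresher)},
        "timer": {
            "interval": interval,
            "refresher": refresher,
            "refresh_at": interval // 2,                     # refresher re-sends here
            "bye_at": interval - min(32, interval // 3),     # other side gives up here
        },
    }


def uac_retry_headers(request, response_headers):
    """Timer headers for the retried request after a 422 response."""
    min_se, _ = parse_interval(response_headers["Min-SE"])
    interval, params = parse_interval(parse_headers(request)["session-expires"])
    value = str(max(interval, min_se))
    if "refresher" in params:
        value += ";refresher=" + params["refresher"]
    return {"Session-Expires": value, "Min-SE": str(min_se)}


def build_invite(session_expires, min_se=None, compact=False):
    """Constructed sample INVITE; addresses are documentation values."""
    lines = [
        "INVITE sip:2000@192.0.2.20 SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
        "From: <sip:1000@192.0.2.10>;tag=1",
        "To: <sip:2000@192.0.2.20>",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Supported: timer",
        "%s: %s" % ("x" if compact else "Session-Expires", session_expires),
    ]
    if min_se is not None:
        lines.append("Min-SE: %s" % min_se)
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    first = build_invite("60;refresher=uac", compact=True)
    rejected = uas_decide(first)
    print(rejected)
    retry = uac_retry_headers(first, rejected["headers"])
    print(uas_decide(build_invite(retry["Session-Expires"], retry["Min-SE"])))
```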

Configuring SIP session refresh


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the SIP session refresh configuration page shown in Figure 583.
Figure 583 SIP session refresh configuration page

Table 233 Configuration

Item | Description
SIP Session Refresh | • Enable—Enables SIP session refresh.
 | • Disable—Disables SIP session refresh.
 | You can configure Session Expiration and Min Session Refresh Interval only after the SIP session refresh function is enabled.
Session Expiration, Min Session Refresh Interval | Maximum and minimum session durations of SIP sessions.
 | By default:
 | • The periodic refresh of SIP sessions is not enabled automatically. If periodic refresh of SIP sessions is disabled on the called party but enabled on the calling party, the called party enables periodic refresh of SIP sessions after negotiation.
 | • The minimum session duration is 90 seconds.

Configuring compatibility
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the compatibility configuration page shown in Figure 584.

Figure 584 Compatibility configuration page

Table 234 Configuration

Item Description
The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices,
configure the SIP compatibility options.
• Enable—Configures the device to use the address (IP address or DNS
domain name) in the To header field as the address in the From header field
Use the address in the To when sending a SIP request.
header field as the
• Disable—Does not use the address in the To header field as the address in
address in the From
the From header field. The From header field contains the source address,
header field
and the To header field contains the destination address.
By default, the SIP compatibility function is disabled.

Configure the source of the called number:


• Request-Line Header Field—Obtains the called number from the Request-Line
Source of the Called field.
Number • To Header Field—Obtains the called number from the To header field.
By default, the called number is obtained from the request-line, which is the start
line in an SIP request message.
• Carry the x-param compatibility option:
If the device receives a re-INVITE request with the a=X-modem field, it
replies with a 200 OK response carrying the a=X-modem field in the SDP
field.
If the device receives a re-INVITE request with the a=X-fax field, it replies
with a 200 OK response carrying the a=X-fax field.
When the device initiates a fax pass-through operation, the a=X-fax field
SIP Fax and Modem
is carried in the re-INVITE request. When the device initiates a modem
Pass-through
pass-through operation, the a=X-modem field is carried in the re-INVITE
request.
• Compatible with T.38 fax—The device can recognize T.38-specific
description fields, and fax parameters T38FaxTranscodingJBIG,
T38FaxTranscodingMMR, and T38FaxFillBitRemoval, which are in the SDP
fields of the re-INVITE requests and 200 OK responses, do not contain :0.
By default, the compatibility options are not carried in re-INVITE requests.

UAC Product Name Product name of the UAC.

UAC Product Version Product version of the UAC.

UAS Product Name Product name of the UAS.

UAS Product Version Product version of the UAS.

Configuring advanced settings


NOTE:
Registration timers are available to SIP trunk accounts. For information about SIP trunk, see "Configuring
SIP trunk management."

Configuring registration parameters


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Advanced Settings tab to display the configuration page shown in Figure 585.
Figure 585 Configure advanced settings

Table 235 Configuration

Item Description
Re-registration Interval
Set the interval for the local number or SIP trunk account to re-register with the registrar after a
registration failure.

Registration Expiration Time
Set the registration expiration time. A local number or a SIP trunk account expires after it has registered
with the registrar for a specified period of time, which is the registration expiration interval.

Registration Percentage
Lead Time Before Registration
To ensure the validity of registration information of a local number or a SIP trunk account on the
registrar, the local number or SIP trunk account must re-register with the registrar at a specified time
before the registration expiration interval is reached. You can set the registration percentage or lead time
before registration to set the time when the local number or SIP trunk account re-registers with the
registrar.
• When the time, which is registration expiration interval multiplied by expiration percentage, is
reached, the local number or SIP trunk account re-registers with the registrar.
• When the time, which is registration expiration interval minus lead time before expiration, is reached,
the local number or SIP trunk account re-registers with the registrar.
You can configure both timers. In this case, the actual re-registration time is decided by the timer that
expires first. In other words, the local number or SIP trunk account tries to re-register with the registrar
when any one of the two timers expires.

Redundancy Mode
• Parking—The SIP trunk device sends the OPTIONS or REGISTER message to the current server. When
the current server is not available, the SIP trunk device selects the member server with the second highest
priority in the SIP server group as the current server even if the original current server recovers. Before
the parking mode is applied, set OPTIONS or REGISTER as the keep-alive mode on the page that can be
accessed by selecting Voice Management > Call Connection > SIP Server Group Management from the
navigation tree.
• Homing—The SIP trunk device sends the OPTIONS messages to both the current server and the member
server with the second highest priority in the SIP server group. When the current server is not available,
the SIP trunk device selects the member server with the second highest priority as the current server.
Once the original current server recovers or a server with a higher priority than the current server is
available in the SIP server group, the SIP trunk device selects the original current server or the server
with the highest priority as the current server. Before the homing mode is applied, set OPTIONS as the
keep-alive mode on the page that can be accessed by selecting Voice Management > Call Connection >
SIP Server Group Management from the navigation tree.
By default, parking mode is applied.

Carry VCX Authentication Information
• Enable—Configures the Contact header fields of the REGISTER messages to contain the dt parameter.
This option is used when the device communicates with a VCX device.
• Disable—Configures the Contact header fields of the REGISTER messages not to contain the dt
parameter.
By default, the Contact header fields of the REGISTER messages do not contain the dt parameter.

Fuzzy Telephone Number Registration
Fuzzy telephone number registration refers to the use of a wildcard (including the dot (.) and the
character T), rather than a standard E.164 number in the match template of a POTS entity.
After enabling fuzzy telephone number registration, the voice gateway (router) retains dots and
substitutes asterisks (*) for Ts when sending REGISTER messages.
• Enable—Enables fuzzy telephone number registration.
• Disable—Disables fuzzy telephone number registration.
By default, the function is disabled.
NOTE:
To use the fuzzy telephone number registration function, make sure that the registrar and the location
server also support the function.

Configuring voice mailbox server


Introduction to MWI
The MWI feature allows a voice gateway to notify a subscriber of messages received from a voice
mailbox server. For example, when a call destined to subscriber A is forwarded to the voice mailbox
server, the server notifies the state change to the voice gateway. If there is any new message or voice
mail, when subscriber A picks up the phone, subscriber A hears the message waiting tone without
needing to query the mailbox.
Follow these steps to configure MWI:
Step 1: Configure the voice mailbox server.
Step 2: Enable MWI for local numbers.

Configuring voice mailbox server


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Advanced Settings tab to display the voice mailbox server configuration page shown in Figure 586.
Figure 586 Voice mailbox server configuration page

Table 236 Configuration

Item Description
Transport Layer Protocol
• UDP—Specifies UDP as the transport layer protocol to be used during the subscription.
• TCP—Specifies TCP as the transport layer protocol to be used during the subscription.
• TLS—Specifies TLS as the transport layer protocol to be used during the subscription.
By default, UDP is adopted.

URL Scheme
• SIP—Specifies SIP as the URL scheme to be used during subscription.
• SIPS—Specifies SIPS as the URL scheme to be used during subscription.
By default, SIP is adopted.

Server Address The voice mailbox server address: an IP address or a domain name.

Port Number Port number of the voice mailbox server.

Subscription Valid Time Effective time of the subscription.

Re-subscription Time Subscription retry interval.

Voice Mailbox Number Set the voice mailbox number.


Binding Mode
• Binding Mode—Indicates that the MWI function is bound with the voice mailbox and the voice mailbox
server has set up subscription information for the UA. Therefore, the UA can receive NOTIFY messages
without sending SUBSCRIBEs to the voice mailbox server.
• Non-binding Mode—Indicates that the voice mailbox server does not set up subscription information
for the UA automatically, so the UA has to send a SUBSCRIBE to the server and after that it can get
NOTIFY messages from the server. Non-binding mode falls into two categories:
  • Loose Match—Indicates that strict consistency check is not needed, so the call ID that the NOTIFY is
  sent to can be different from the call ID that proposed the subscription.
  • Strict Match—Indicates that strict consistency check is needed, so the call ID that the NOTIFY is sent
  to must be the same as the call ID that proposed the subscription.

NOTE:
Generally, the voice gateway sends a SUBSCRIBE to the server, and it receives a NOTIFY from the server
if the subscription is successful. It obtains the status of the voice mailbox afterwards.
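
The acceptance rule for each binding mode in Table 236, modeled as an added example (not HP code). The function names and the sample NOTIFY are constructed; the Event and Messages-Waiting fields follow RFC 3842.

```python
"""Model of the MWI binding modes from Table 236 (added example).

Function names and the sample message are constructed for illustration;
this is a reading of the guide's text, not device firmware.
"""


def parse_sip(text):
    """Split a SIP message into (start_line, headers, body)."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def accept_notify(mode, subscribe_call_ids, notify_text):
    """Decide whether a NOTIFY is accepted under the configured mode.

    mode               -- "binding", "loose" or "strict"
    subscribe_call_ids -- set of Call-IDs of SUBSCRIBEs this UA has sent
    Returns (accepted, messages_waiting); messages_waiting is None
    when the NOTIFY is rejected or carries no Messages-Waiting line.
    """
    if mode not in ("binding", "loose", "strict"):
        raise ValueError(f"unknown mode: {mode!r}")
    start, headers, body = parse_sip(notify_text)
    if not start.startswith("NOTIFY "):
        return False, None
    # RFC 3842 message-waiting event package; ignore any parameters
    event = headers.get("event", "").split(";")[0].strip().lower()
    if event != "message-summary":
        return False, None

    call_id = headers.get("call-id")
    if mode == "binding":
        # The server already holds the subscription: no SUBSCRIBE needed.
        accepted = True
    elif mode == "loose":
        # A SUBSCRIBE must have been sent, but the Call-ID may differ.
        accepted = bool(subscribe_call_ids)
    else:
        # Strict: the NOTIFY must carry the Call-ID of the SUBSCRIBE.
        accepted = call_id in subscribe_call_ids
    if not accepted:
        return False, None

    waiting = None
    for line in body.split("\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "messages-waiting":
            waiting = value.strip().lower() == "yes"
    return True, waiting


# Constructed NOTIFY whose Call-ID differs from the SUBSCRIBE sent below.
SAMPLE_NOTIFY = "\r\n".join([
    "NOTIFY sip:1111@gw.example.net SIP/2.0",
    "Call-ID: sub-0002@vm.example.net",
    "Event: message-summary",
    "Content-Type: application/simple-message-summary",
    "",
    "Messages-Waiting: yes",
    "Voice-Message: 2/8 (0/2)",
    "",
])

if __name__ == "__main__":
    sent = {"sub-0001@gw.example.net"}
    for mode in ("binding", "loose", "strict"):
        print(mode, accept_notify(mode, sent, SAMPLE_NOTIFY))
```

With the same NOTIFY, binding and loose match accept it while strict match rejects it, because the Call-ID does not belong to a SUBSCRIBE the gateway sent.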

Configuring signaling security


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Advanced Settings tab to display the configuration page shown in Figure 587.

Figure 587 Configure signaling security

Table 237 Configuration

Item Description
TCP Connection Aging Time
Sets the aging time for TCP connections. If the idle time of an established TCP connection reaches the
specified aging time, the connection is closed.

TLS Connection Aging Time
Sets the aging time for TLS connections. If the idle time of an established TLS connection reaches the
specified aging time, the connection is closed.

Configuring call release cause code mapping


Regardless of whether a voice call is cleared normally or abnormally, a message with the call release
cause code is sent. The default SIP status code to PSTN release cause code mappings and PSTN release
cause code to SIP status mappings are used for communication between a SIP network and a PSTN. To
adapt to more complex network applications, you can change the default mappings.

Configuring PSTN call release cause code mappings


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
PSTN Release Cause Code Mapping tab to display the configuration page shown in Figure 588.

Figure 588 PSTN release cause code mapping configuration page

You can enter the SIP status code into the corresponding SIP Status Code (400-699) field. Because the
PSTN release cause code 16 corresponds to a SIP request message, instead of a SIP status code, no SIP
status code can be configured for 16. You can click Load Default Value to restore the default mappings
between PSTN release cause codes and SIP status codes.

Configuring SIP status code mappings


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
SIP Status Code Mapping tab to display the page shown in Figure 589.

Figure 589 SIP status code mapping configuration page

You can select the values in the PSTN Release Cause Code fields. You can also click Load Default Value to
restore the default mappings between PSTN release cause codes and SIP status codes.

SIP connection configuration examples


Configuring basic SIP calling features
See "Configuring " for information about how to do the following:
• Implement direct SIP calling through static IP addressing
• Configure domain name involved SIP calling
• Configure proxy server involved SIP calling

Configuring caller ID blocking


Network requirements
Router A and Router B work as SIP UAs. Use Telephone 1111 to call telephone 2222. Block calling
number 1111.
Figure 590 Network diagram

Configuring basic voice calls
# Configure a local number and the call route to Router B.
• Configure a local number: specify the local number ID as 1111 and the number as 1111, and bind
the number to line 1/0 on the local number configuration page.
• Configure the call route to Router B: specify the call route ID as 2222, the destination number as
2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as
192.168.2.2 on the call route configuration page.

Configuring caller identity and privacy


# Disable the sending of calling information on Router A.
Select Voice Management > Local Number from the navigation tree, and then click the corresponding icon
to display the call services configuration page shown in Figure 591.
Figure 591 Configure call services of the calling party

a. Select Do Not Deliver for Calling Information Delivery.


b. Click Apply.

# Configure the P-Asserted-Identity header field.


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the session properties configuration page shown in Figure 592.

Figure 592 Configure caller identity presentation restriction mode

a. Select P-Asserted-Identity for Caller Identity Presentation Restriction Mode.


b. Click Apply.

Verifying the configuration


After the above configuration, when you use telephone 1111 to call telephone 2222, the calling number
1111 is not displayed on telephone 2222.

Configuring SRTP for SIP calls


Network requirements
Two routers, Router A and Router B, work as SIP UAs. SIP calls use the SRTP protocol to protect call
conversations.
Figure 593 Network diagram

Configuring basic voice calls


For detailed configuration, see "Configuring basic voice calls."

Specifying SRTP as the media flow protocol for SIP calls


# Specify SRTP as the media flow protocol for SIP calls on Router A and Router B.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the media security configuration page shown in Figure 594.
Figure 594 Configure media security

a. Select SRTP for Media Protocol.


b. Click Apply.

Verifying the configuration


SIP calls use the SRTP protocol to encrypt and authenticate media flows, and call conversations are well
protected.

Configuring TCP to carry outgoing SIP calls
Network requirements
Two routers, Router A and Router B, work as SIP UAs. SIP calls between the two parties are carried over
TCP.
Figure 595 Network diagram

Configuring basic voice calls


For detailed configuration, see "Configuring basic voice calls."

Specifying the transport layer protocol


# Specify TCP as the transport layer protocol for outgoing calls on Router A.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the transport layer protocol configuration page shown in Figure 596.
Figure 596 Specify transport layer protocol for outgoing calls

a. Select TCP for Transport Layer Protocol for SIP Calls.


b. Click Apply.

# Specify TCP as the transport layer protocol for incoming SIP calls. (Optional, because the TCP listening
port is enabled by default.)
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the transport layer protocol configuration page shown in Figure 597.
Figure 597 Specify listening transport layer protocol

a. Select TCP for SIP Listening Transport Layer Protocol.

b. Click Apply.

Verifying the configuration


SIP calls from telephone 1111 to telephone 2222 are carried over TCP. You can view information about
TCP connections on the TCP Connection Information tab page by selecting Voice Management > States
and Statistics > SIP UA States from the navigation tree and then clicking the TCP Connection Information
tab.

Configuring TLS to carry outgoing SIP calls


Network requirements
Two routers, Router A and Router B, work as SIP UAs. The SIP calls between the two parties are carried
over TLS.
Figure 598 Network diagram

NOTE:
• The CA server runs RSA Keon in this configuration example.
• To make sure that the certificate on the device can be used, be sure that the device system time falls within the
validity time of the certificate.

Retrieving the CA certificate from the certificate issuing server


For more information about how to retrieve the CA certificate from the certificate issuing server, see
"Configuring certificate management."

Configuring basic voice calls


For detailed configuration, see "Configuring basic voice calls."

Specifying the transport layer protocol on Router A


# Specify TLS as the transport layer protocol for outgoing calls on Router A.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the transport layer protocol configuration page shown in Figure 599.

Figure 599 Specify transport layer protocol for outgoing calls

a. Select TLS for Transport Layer Protocol for SIP Calls.


b. Click Apply.

# Specify TLS as the transport layer protocol for incoming SIP calls.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Session Properties tab to display the transport layer protocol configuration page shown in Figure 600.
Figure 600 Specify listening transport layer protocol

a. Select TLS for SIP Listening Transport Layer Protocol.


b. Click Apply.

Specifying the transport layer protocol on Router B


The configuration procedure is the same as that on Router A.

Verifying the configuration


SIP calls from telephone 1111 to telephone 2222 are carried over TLS. You can view information about
TLS connections on the TLS Connection Information tab page by selecting Voice Management > States and
Statistics > SIP UA States from the navigation tree and then clicking the TLS Connection Information tab.

Configuring SIP server group management

A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured
with up to five member servers. An index represents the priority of a member server in the SIP server
group. The smaller the index value, the higher the priority. The currently used SIP server is called the
current server. Each server in the SIP server group can be the current server, but there is only one current
server at a time.

Configuring a SIP server group


Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree to
display the server group configuration page shown in Figure 601.
Figure 601 Configure a SIP server group

Table 238 Configuration

Item Description
Server Group ID ID of the SIP server group.

Server Group Name
The name of a SIP server group identifies the SIP server group. The domain name of the carrier server is
usually used as the name of a SIP server group. If the name of a SIP server group is not configured, the
host name specified on the account management page (which can be accessed by selecting Voice
Management > SIP Trunk Management > Account Management from the navigation tree) is used to
identify the group, if any. Otherwise, the IP address or domain name of the current server in the SIP
server group is used to identify the group.

Description Description of the SIP server group.

Real-Time Switching
Enable or disable the real-time switching function.
• With the real-time switching function enabled, if the SIP trunk device receives no response message or
receives response message 408 or 5XX (excluding 502, 504, 505, and 513) after sending registration
requests to the SIP server, the SIP trunk device tries to connect to the member server with the second
highest priority value in the SIP server group, and so on, until it successfully connects to a SIP server or
has tried all servers in the group.
• With the real-time switching function enabled, if the SIP trunk device receives no response message or
receives response message 403, 408 or 5XX (excluding 502, 504, 505, and 513) after initiating a call,
the SIP trunk device tries to connect to the member server with the second highest priority value in the
SIP server group, and so on, until it successfully connects to a SIP server or has tried all servers in the
group.

Keep-Alive Mode
The keep-alive function is used to detect whether the SIP servers in a SIP server group are reachable. The
SIP trunk device selects the current server according to the detection result and the redundancy mode. If
the keep-alive function is disabled, the current server is always the one with the highest priority in the
SIP server group.
• Disabled—Disable the keep-alive function.
• Options—The SIP trunk device periodically sends OPTIONS messages to detect the servers. If the SIP
trunk device receives response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP
server after sending an OPTIONS message, it considers the SIP server unreachable.
• Register—The REGISTER message can be used to detect the SIP servers. If the SIP trunk device receives
response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP server after sending a
REGISTER message, it considers the SIP server unreachable.

Interval for Sending OPTIONS Messages
Set the interval for sending OPTIONS messages to the SIP servers when the keep-alive mode is set to
Options.

Server ID
Set server ID. A SIP server group can be configured with up to five member servers. An index represents
the priority of a member server in the SIP server group. The smaller the index value, the higher the
priority.

Transport Layer Protocol
• UDP—Specify UDP as the transport layer protocol for the connection between the SIP trunk device and
the SIP server.
• TCP—Specify TCP as the transport layer protocol for the connection between the SIP trunk device and
the SIP server.
• TLS—Specify TLS as the transport layer protocol for the connection between the SIP trunk device and
the SIP server.
By default, the UDP protocol is adopted.

URL Scheme
• SIP—Specify the SIP scheme as the URL scheme.
• SIPS—Specify the SIPS scheme as the URL scheme.
By default, the SIP URL scheme is adopted.

Server Address IPv4 address or domain name of the SIP server.

Port Number Specify a port number of the SIP server.

NOTE:
For more configuration examples of SIP server groups, see "Configuring SIP trunk management."
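
The failure codes listed in Table 238 and the parking and homing redundancy modes from the advanced settings, modeled as an added example (not device code). Names and server addresses are hypothetical; treating an unanswered keep-alive probe as a failure, consulting every member in homing mode, and wrapping past the last member in parking mode are assumptions.

```python
"""Model of SIP server-group failover as this guide describes it.

Added illustration: names are hypothetical and the logic is a simplified
reading of the guide's text, not device firmware.
"""

# 5XX codes the guide excludes from triggering a switch
EXCLUDED_5XX = {502, 504, 505, 513}


def is_failure(status, context):
    """Return True if a reply makes the server count as failed.

    status  -- SIP status code (int), or None when no response arrived
    context -- "register", "call" or "keepalive"
    """
    if context not in ("register", "call", "keepalive"):
        raise ValueError(f"unknown context: {context!r}")
    if status is None:
        # Stated in the guide for registration and calls; treating a silent
        # keep-alive probe the same way is an assumption of this example.
        return True
    if status == 408:
        return True
    if status == 403:
        return context == "call"   # 403 only switches servers for calls
    return 500 <= status <= 599 and status not in EXCLUDED_5XX


def real_time_switch(servers, send, context):
    """Try servers in priority order; return the first that does not fail."""
    for address in servers:
        if not is_failure(send(address), context):
            return address
    return None                    # every member server was tried


class ServerGroup:
    """Tracks the current server under parking or homing redundancy."""

    def __init__(self, members, mode="parking"):
        # members: {index: address}; smaller index means higher priority
        if not 1 <= len(members) <= 5:
            raise ValueError("a SIP server group holds one to five members")
        if mode not in ("parking", "homing"):
            raise ValueError(f"unknown mode: {mode!r}")
        self.servers = [members[i] for i in sorted(members)]
        self.mode = mode
        self.current = self.servers[0]

    def keepalive_round(self, replies):
        """Apply one round of keep-alive replies ({address: status})."""
        def down(address):
            return is_failure(replies.get(address), "keepalive")

        if self.mode == "homing":
            # Homing: go back to the highest-priority reachable server.
            for address in self.servers:
                if not down(address):
                    self.current = address
                    break
        elif down(self.current):
            # Parking: only the current server is probed; on failure move
            # to the next member and stay there even if the old one recovers.
            nxt = (self.servers.index(self.current) + 1) % len(self.servers)
            self.current = self.servers[nxt]
        return self.current


def replay(mode, rounds):
    """Run constructed keep-alive rounds and list the current server."""
    members = {1: "sip1.example.net", 2: "sip2.example.net",
               3: "sip3.example.net"}
    group = ServerGroup(members, mode)
    return [group.keepalive_round(r) for r in rounds]


# Constructed history: sip1 fails in round 2 and recovers in round 3.
ROUNDS = [
    {"sip1.example.net": 200, "sip2.example.net": 200},
    {"sip1.example.net": 503, "sip2.example.net": 200},
    {"sip1.example.net": 200, "sip2.example.net": 200},
]

if __name__ == "__main__":
    for mode in ("parking", "homing"):
        print(mode, replay(mode, ROUNDS))
```

After sip1 recovers in the third round, parking stays on sip2 while homing returns to sip1.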

Configuring SIP trunk

Background
As shown in Figure 602, on a typical telephone network, internal calls of the enterprise are made through
the internal PBX, and external calls are placed over a PSTN trunk.
Figure 602 Typical telephone network

With the development of IP technology, many enterprises have deployed SIP-based IP-PBX networks, as
shown in Figure 603. Internal calls of the enterprise are made by using the SIP protocol, and external
calls are still placed over a PSTN trunk. The problem is that the enterprises have to maintain both the SIP
network and PSTN trunk, which increases the difficulty of network management.
Figure 603 SIP+PSTN network

As more enterprise IP-PBX networks run SIP and more ITSPs use SIP to provide basic voice communication
structures, enterprises urgently need a technology that uses SIP to connect the enterprise IP-PBX network to
the ITSP to realize an all IP-based network. This technology is called "SIP trunk." A typical SIP trunk
network is shown in Figure 604.
The SIP trunk function can be embedded into the voice gateway or the firewall deployed at the edge of
an enterprise private network. The device providing the SIP trunk function is called the "SIP trunk device"
or the "SIP trunk gateway."

Figure 604 All IP-based network

Features
SIP trunk has the following features:
1. Only one secure and QoS-guaranteed SIP trunk link is required between a SIP trunk device and the
ITSP. The SIP trunk link can carry multiple concurrent calls, and the carrier only authenticates the link
instead of each SIP call carried on this link.
2. The internal calls of the enterprise are placed by the enterprise IP-PBX. The outbound calls of the
enterprise are forwarded by the SIP trunk device to the ITSP and are finally routed to the PSTN by
the device in the ITSP. Enterprises do not need to maintain the PSTN trunk, thereby saving the costs
of hardware and maintenance.
3. By setting destination addresses, the enterprise can select to connect to multiple ITSPs, to make full
use of the ITSPs all over the world and to save call costs.
4. With the SIP trunk device deployed, the entire network can use the SIP protocol to better support IP
communication services, such as voice, conference, and instant messaging.
5. A SIP trunk device differs from a SIP proxy server. The SIP trunk device initiates a new call request to
the ITSP on behalf of the user after receiving a call request from the user, and both the user and the
ITSP communicate only with the SIP trunk device. During the forwarding process, the SIP trunk device
forwards both signaling messages and RTP media messages.

Typical applications
The SIP trunk device is deployed between the enterprise IP-PBX and the ITSP. All internal calls are placed
by the enterprise IP-PBX. All outbound calls are forwarded by the SIP trunk device to the ITSP through the
SIP trunk link. Figure 605 shows a typical SIP trunk network.

Figure 605 SIP trunk network diagram

Protocols and standards


SIP trunk-related protocols and standards are as follows:
• RFC 3261
• RFC 3515
• SIPconnect Technical Recommendation v1.1

Configuring SIP trunk


Configuration task list
Table 239 SIP trunk configuration task list

Task Remarks
Enabling the SIP trunk function (Required)
Configuring a SIP server group
• Creating a SIP server group (Required)
• Enabling the real-time switching, keep-alive, and redundancy functions (Required if there are multiple
servers in a SIP server group)
Configuring a SIP trunk account
• Configuring a SIP trunk account (Required)
• Configuring registration parameters for a SIP trunk account (Optional)
Configuring a call route for outbound calls
• Configuring a call route for a SIP trunk account (Required)
• Configuring fax and modem parameters of the call route of a SIP trunk account (Optional)
• Configuring advanced settings of the call route of a SIP trunk account (Optional)
Configuring a call route for inbound calls (Required)

Enabling the SIP trunk function


Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree.
Figure 606 Configure services

Table 240 Configuration

Item Description
SIP Trunk Function
Enable the SIP trunk function before you can use other SIP trunk functions. HP recommends that you do
not use a device enabled with the SIP trunk function as a SIP UA.
• Enable
• Disable
By default, the SIP trunk function is disabled.

Configuring a SIP server group


Creating a SIP server group
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
On the server group configuration page that appears, create a SIP server group.

Enabling the real-time switching, keep-alive, and redundancy functions


• Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree. On the server group configuration page that appears, configure the real-time switching and
keep-alive functions.
• Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then
click the Advanced Settings tab, where you can specify the redundancy mode.
For more information about how to configure a SIP server group, real-time switching, and the keep-alive
function, see "Configuring SIP server group management."
For more information about how to configure the redundancy function, see "Configuring SIP
connections."

Configuring a SIP trunk account
Configuring a SIP trunk account
A SIP trunk account contains information allocated to users by the carrier, including authentication
username, authentication password, host name, host user name, and the associated SIP server group.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and
then click Add. The following page appears.
Figure 607 Configure a SIP trunk account

Table 241 Configuration

Item Description
Account ID Enter a SIP trunk account ID.

SIP Server Group for Registration
Select the SIP server group used by the SIP trunk account for registration. SIP server groups can be
configured in Voice Management > Call Connection > SIP Server Group Management.
By default, a SIP trunk account has no SIP server group specified for registration.

Registration Aging Time
Set the registration aging time. If you do not configure this item, the system uses the registration aging
time configured in Voice Management > Call Connection > SIP Connection.

Host Username Enter the host username allocated by the ITSP to the SIP trunk account.

Host Name Enter the host name allocated by the ITSP to the SIP trunk account.

Account Status
• Enable
• Disable
By default, the SIP trunk account is enabled.
Disabling a SIP trunk account that is already involved in a connection does not delete the connection. In
other words, the disable configuration takes effect on the next call that uses this account.

Registration Function
• Enable
• Disable
By default, the registration function of the SIP trunk account is disabled.
To perform registration, provide the host username or associate the account with a SIP server group.

Authentication Username
Enter the authentication username for the SIP trunk account.

Authentication Password
Enter the authentication password for the SIP trunk account.

Configuring registration parameters for a SIP trunk account


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Advanced Settings tab to configure registration parameters for a SIP trunk account. For more information
about registration parameter configuration, see "Configuring SIP connections."

Configuring a call route for outbound calls


Configuring a call route for a SIP trunk account
To use a SIP trunk account to call an external user, first bind the SIP trunk account to a call route, and then
configure the call route by using one of the following methods:
• Bind a SIP server group.
• Specify IP routing.
• Specify the proxy server used for outbound calls.
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and then click
Add.

Figure 608 Configure a call route

Table 242 Configuration

Item Description
Call Route ID Enter a call route ID.

Destination Number Enter the called telephone number.

Bound Account Select a SIP trunk account to be bound to the voice entity.

Description Enter a description for the call route.

SIP Trunk Routing > Proxy Server
Use a SIP proxy server to complete calling. If you select this option, configure the proxy server
beforehand in Voice Management > Call Connection > SIP Connection.

SIP Trunk Routing > IP Routing > Transport Layer Protocol
Select one of the following transport layer protocols:
• UDP
• TCP
• TLS
By default, UDP is selected.

SIP Trunk Routing > IP Routing > SIP URL Scheme
• SIP—Specifies the SIP scheme.
• SIPS—Specifies the SIPS scheme.
By default, the SIP scheme is selected.

SIP Trunk Routing > IP Routing > Destination Address, Port Number
Enter the destination address and port number of the called party.

SIP Trunk Routing > Bind to server group > Server Group
Select a server group. You can create a SIP server group in Voice Management > Call Connection > SIP
Server Group Management.

Status
• Enable
• Disable

Configuring fax and modem parameters of the call route of a SIP trunk account
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and then click
the icon of the call route to be configured to display the call route fax and modem configuration
page.
The fax and modem parameters of the call route of a SIP trunk account are the same as those of a call
route. For more information about fax and modem parameters, see "Configuring fax and modem."

Configuring advanced settings of the call route of a SIP trunk account
Configuring call match rules
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and then click
the icon of the call route to be configured to display the advanced settings configuration page.
Figure 609 Advanced settings

Table 243 Configuration

You can control call route selection by configuring the prefix of source host name, prefix of destination host
name, or the source IP address as the call match rules. If you select several call match rules, only the calls that
match all rules are permitted.

Item: Match a Source Host Name Prefix
Description:
• Specify the prefix of a source host name as a call match rule. The specified source host name prefix is
used to match against the source host names of calls. If the INVITE message received by the SIP trunk
device carries the Remote-Party-ID header, the source host name is extracted from this header field. If the
INVITE message received by the SIP trunk device carries the Privacy header, the source host name is
extracted from the P-Asserted-Identity or P-Preferred-Identity header field. If the INVITE message received
by the SIP trunk device does not carry any of the above mentioned three header fields, the host name in
the From header field of the INVITE message is used as the source host name.
• The prefix of a source host name consists of 1 to 31 characters, which are not case-sensitive and can
include letters, digits, underscores (_), hyphens (-), asterisks (*), and dots (.). An asterisk represents a
character string of any length. For example, t*m can match the source host names tom, tim, and so on.

Item: Match a Destination Host Name Prefix
Description:
• Specify the prefix of a destination host name as a call match rule. The specified destination host name
prefix is used to match against the destination host names of calls. The host name in the To header field
of an INVITE message received by the SIP trunk device is used as the destination host name.
• The prefix of a destination host name consists of 1 to 31 characters, which are not case-sensitive and can
include letters, digits, underscores (_), hyphens (-), asterisks (*), and dots (.). An asterisk represents a
character string of any length. For example, b*y can match the destination host names boy, boundary,
and so on.

Item: Match a Source Address > IPv4 address
Description: Specify a source IP address as a call match rule. The value must be in dotted notation and can
include dots (.), multiplication signs (x), asterisks (*), and digits, where x represents any number between 0
and 9, * represents any number between 0 and 255, and x and * can appear multiple times in one source IP
address. Fuzzy matching is supported. For example, 100.1.x.3 indicates any IP address between 100.1.0.3
and 100.1.9.3, and 192.*.*.* indicates any IP address between 192.0.0.1 and 192.255.255.255.

Item: Match a Source Address > DNS
Description: Specify a domain name as a call match rule. A domain name is not case-sensitive and can
include letters, digits, hyphens (-), underscores (_), asterisks (*), and dots (.), with a maximum length of 255
characters. If you provide this parameter, the specified domain name is used to match against the source
addresses of calls, and a whole-word match is considered a match. For example, if the domain name is
configured as sohu, sohu.com is not a match. However, fuzzy matching is supported. An asterisk represents
a character string of any length. For example, i*n can match the source addresses ilison, iverson, inn, and
so on.

Item: Match a Source Address > Server Group
Description: Specify the index of a SIP server group as a call match rule.

Configuring coding parameters


The coding parameters of the call route of a SIP trunk account are the same as those of a call route. For
more information about coding parameters, see "Configuring advanced settings for local numbers and
call routes."
Configuring other parameters
Other parameters of the call route of a SIP trunk account are the same as those of a call route. For more
information about other parameters, see "Configuring advanced settings for local numbers and call
routes."

Configuring codec transparent transmission


Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and then click
the icon of the target call route to display the SIP-to-SIP Connections configuration page.
Figure 610 SIP-to-SIP Connections

Table 244 Configuration

Item: Codec Transparent
Description: Enable or disable codec transparent transmission.
If the SIP trunk device does not support the codecs supported by the calling and called parties, you can
enable codec transparent transmission so that the SIP trunk device transparently transmits codec capability
sets between the two parties to complete codec negotiation.
By default, codec transparent transmission is disabled, and the SIP trunk device participates in media
negotiation between two parties.
NOTE:
This option takes effect only for private-to-public call routes. To enable this function for public-to-private call
routes, perform the configuration in Voice Management > Call Route. For related configuration information,
see "Configuring the local number and call route."

Configuring a call route for inbound calls


Select Voice Management > Call Route from the navigation tree, and then click Add to display the call
route configuration page. Specify the call route type as SIP.
For more information about call routes, see "Configuring the local number and call route" and
"Configuring ."

SIP trunk configuration examples
Configuring a SIP server group with only one member server
Network requirements
The enterprise private network has a SIP trunk device. Router A is a private network device, and Router B
is a public network device. Configure a SIP server group with only one member server so that all calls
between the enterprise private network and public network are made through the SIP trunk device.
Figure 611 Network diagram

Configuring Router A
# Configure a local call number.
Select Voice Management > Local Number from the navigation tree, and then click Add.

Figure 612 Configure a local number

a. Enter 2000 for Number ID.


b. Enter 2000 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Click Apply.

# Configure a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add.
Figure 613 Configure a call route

a. Enter 10000 for Call Route ID.


b. Enter 1000 for Destination Number.
c. Select SIP for Call Route Type.

d. Enter 1.1.1.2 for Destination Address.
e. Click Apply.

Configuring the SIP trunk device


# Enable the SIP trunk function.
Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree.
Figure 614 Configure services

a. Select Enable for SIP Trunk Function.


b. Click Apply.

# Create SIP server group 1. Add a SIP server into the server group: the ID and the IPv4 address of the
server are 1 and 10.1.1.2, respectively.
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree,
and then click Add.

Figure 615 Configure server group

a. Enter 1 for Server Group ID.


b. Enter 1 for Server ID.
c. Enter 10.1.1.2 for Server Address.
d. Click Add the Server.
e. Click Apply.

# Create SIP trunk account 1 with the host user name 2000, and associate the account with SIP server
group 1.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree, and
then click Add.

Figure 616 Configure a SIP trunk account

a. Enter 1 for Account ID.


b. Select server-group-1 from the SIP Server Group for Registration list.
c. Enter 2000 for Host Username.
d. Select Enable for Registration Function.
e. Click Apply.

# Configure the call route for the outbound calls from private network user 2000 to public network user
1000 by binding SIP server group 1 to the VoIP voice entity.
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and then click
Add.

Figure 617 Configure a call route for the SIP trunk account

a. Enter 20000 for Call Route ID.


b. Enter 1000 for Destination Number.
c. Select account1 from the Bound Account list.
d. Select Bind to Server Group for SIP Trunk Routing.
e. Select server-group-1 from the Server Group list.
f. Click Apply.
# Configure the call route for the inbound calls from public network user 1000 to private network user
2000. Configure the IP address of the peer end as 1.1.1.1, which is the address of the interface on
Router A.
Select Voice Management > Call Route from the navigation tree, and then click Add.
Figure 618 Configure a call route

a. Enter 10000 for Call Route ID.
b. Enter 2000 for Destination Number.
c. Select IP Routing for SIP Route Type.
d. Enter 1.1.1.1 for Destination Address.
e. Click Apply.

Configuring Router B
# Configure a local call number.
Select Voice Management > Local Number from the navigation tree, and then click Add.
Figure 619 Configure a local number

a. Enter 1000 for Number ID.


b. Enter 1000 for Number.
c. Select subscriber-line 8/0 from the Bound Line list.
d. Click Apply.

# Configure a call route.


Select Voice Management > Call Route from the navigation tree, and then click Add.

Figure 620 Configure a call route

a. Enter 10000 for Call Route ID.


b. Enter 2000 for Destination Number.
c. Select SIP for Call Route Type.
d. Select Proxy Server for SIP Routing.
e. Click Apply.

# Configure the IPv4 address of the registrar as 10.1.1.2, and enable the registrar.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Connection Properties tab.
Figure 621 Configure connection properties

a. Select Enable for Register State.


b. Enter 10.1.1.2 for Main Registrar Address.
c. Click Apply.

Verifying the configuration


1. On the SIP trunk device, display SIP trunk account information.
Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree. You
can see that the private network account 2000 has registered with the server at 10.1.1.2.
2. All calls between the private network and public network are made through the SIP trunk device.
On the SIP trunk device, you can see in Voice Management > States and Statistics > Call Statistics that all
calls between the private network and public network are made through the SIP trunk device.
3. On the SIP server of the carrier, you can view only the interface address of the SIP trunk device,
which means that the SIP trunk device can filter the information of the enterprise private network
users.

Configuring a SIP server group with multiple member servers
Network requirements
The enterprise private network has a SIP trunk device. Router A is a private network device, and Router B
is a public network device. Configure a SIP server group with multiple member servers so that all calls
between the enterprise private network and public network are made through the SIP trunk device. The
carrier is required to provide multiple servers to ensure call reliability.
Figure 622 Network diagram

(Diagram labels: ITSP-A; SIP servers 10.1.1.2/24 and 10.1.1.3/24; enterprise private network; public
network; Router A with telephone 2000; SIP trunk device; Router B with telephone 1000; interface
addresses 1.1.1.1/24, 1.1.1.2/24, 2.1.1.1/24, and 2.1.1.2/24.)

Configuration procedure
# Enable the SIP trunk function. (Details not shown)
# Create SIP server group 1. Add two SIP servers into the server group: the IP addresses are 10.1.1.2
and 10.1.1.3, and the server with the address 10.1.1.2 has a higher priority. Enable the real-time
switching function of SIP server group 1. Set the keep-alive mode for SIP server group 1 to Options.
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree,
and then click Add.

Figure 623 Configure server group

a. Enter 1 for Server Group ID.


b. Select Enable for Real-Time Switching.
c. Select Options for Keep-Alive Mode.
d. Enter 1 for Server ID.
e. Enter 10.1.1.2 for Server Address.
f. Click Add the Server.
g. Enter 3 for Server ID.
h. Enter 10.1.1.3 for Server Address.
i. Click Add the Server.
j. Click Apply.
# Set the redundancy mode for SIP server group 1 to parking. (Optional. The redundancy mode for a SIP
server group is parking by default.)
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then click the
Advanced Settings tab.

Figure 624 Advanced settings

a. Select Parking for Redundancy Mode.


b. Click Apply.

Other configurations on the SIP trunk device and on other devices are the same as those described in
"Configuring a SIP server group with only one member server."

Verifying the configuration


1. When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes
over communications between the enterprise private network and public network. After that, the
communications recover.
2. When the SIP server with IP address 10.1.1.2 recovers, it does not take over call processing, and
the SIP server with IP address 10.1.1.3 keeps working.

Configuring call match rules


Network requirements
The enterprise private network has a SIP trunk device. Router A1 and Router A2 are private network
devices, and Router B is a public network device.
• Users connected to Router A2 are not allowed to call public network users.
• All calls between the enterprise private network and public network are made through the SIP trunk
device.

Figure 625 Network diagram

Configuration procedure
# Configurations on the SIP trunk device and on other devices are the same as those described in
"Configuring Router A" and "Configuring Router B."
# Configure Router A2: Configure a local number 2001 and a call route to Router B. For the
configuration procedure, see "Configuring Router A."
# Configure Router B: Configure a call route to Router A2. For the configuration procedure, see
"Configuring Router B."
# Configure the SIP trunk device: Select Voice Management > Call Route from the navigation tree, and
then click Add to configure the call route for calls from the number 1000 to 2001. Enter 3.3.3.1 (the IP
address of the interface on Router A2) as the Destination Number.
# Configure call match rules on the SIP trunk device: specify that calls with source IP address 1.1.1.1 are
permitted.
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and then click
the icon of the call route to be configured to display the advanced settings configuration page.

Figure 626 Advanced settings

a. Select IPv4 Address from the Match a Source Address list.


b. Enter 1.1.1.1 for IPv4 Address.
c. Click Apply.

Verifying the configuration


1. Enterprise private network users connected to Router A1 can call public network users, but private
network users connected to Router A2 cannot call public network users.
2. Public network users can call any private network user.
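
The matching behaviour described in Table 243 and the source-address rule configured in this example, sketched as an added Python example (it is not HP's implementation and not code from this guide). The function names, the dictionary layout, the order in which identity headers are tried, and the choice to anchor host name patterns at both ends are assumptions; the sample calls are constructed.

```python
import re
from typing import Optional

NAME_RULE_CHARS = re.compile(r"[A-Za-z0-9_\-*.]+")  # character set allowed by Table 243


def name_rule_matches(pattern: str, name: str, max_len: int) -> bool:
    """Case-insensitive match; '*' stands for a character string of any length."""
    if not 1 <= len(pattern) <= max_len or not NAME_RULE_CHARS.fullmatch(pattern):
        return False  # reject a rule the table would not accept
    # Assumption: the match is anchored at both ends, as in the guide's
    # "sohu does not match sohu.com" example.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def ipv4_rule_matches(pattern: str, addr: str) -> bool:
    """'x' is one digit 0-9 and '*' is one whole octet 0-255."""
    p_octets, a_octets = pattern.lower().split("."), addr.split(".")
    if len(p_octets) != 4 or len(a_octets) != 4:
        return False
    for p, a in zip(p_octets, a_octets):
        if not re.fullmatch(r"[0-9]{1,3}", a) or int(a) > 255:
            return False  # not a valid IPv4 octet
        if p == "*":
            continue
        if not re.fullmatch(r"[0-9x]{1,3}", p):
            return False  # malformed rule octet
        # Simplification: 192.*.*.* also accepts 192.0.0.0 here, although the
        # guide gives the range as starting at 192.0.0.1.
        if not re.fullmatch(p.replace("x", "[0-9]"), a):
            return False
    return True


def source_host_name(headers: dict) -> Optional[str]:
    """Pick the header that supplies the source host name, in the table's order."""
    h = {k.lower(): v for k, v in headers.items()}
    if "remote-party-id" in h:
        return h["remote-party-id"]
    if "privacy" in h:
        # Assumption: P-Asserted-Identity is tried before P-Preferred-Identity.
        for field in ("p-asserted-identity", "p-preferred-identity"):
            if field in h:
                return h[field]
    return h.get("from")


def call_permitted(rules: dict, call: dict) -> bool:
    """A call passes only if it matches every configured rule (logical AND)."""
    headers = {k.lower(): v for k, v in call["headers"].items()}
    results = []
    if "src_host_prefix" in rules:
        name = source_host_name(headers)
        results.append(name is not None
                       and name_rule_matches(rules["src_host_prefix"], name, 31))
    if "dst_host_prefix" in rules:
        results.append(name_rule_matches(rules["dst_host_prefix"], headers.get("to", ""), 31))
    if "src_ipv4" in rules:
        results.append(ipv4_rule_matches(rules["src_ipv4"], call["src_ip"]))
    if "src_dns" in rules:
        results.append(name_rule_matches(rules["src_dns"], call.get("src_domain", ""), 255))
    return all(results)  # assumption: with no rule configured, nothing is filtered


# Constructed sample calls modelled on the example's topology: Router A1 at 1.1.1.1,
# Router A2 at 3.3.3.1. Header values are the names already extracted from each header.
CALL_FROM_A1 = {"src_ip": "1.1.1.1", "headers": {"From": "2000", "To": "1000"}}
CALL_FROM_A2 = {"src_ip": "3.3.3.1", "headers": {"From": "2001", "To": "1000"}}
EXAMPLE_RULES = {"src_ipv4": "1.1.1.1"}  # the rule configured in the example

if __name__ == "__main__":
    for label, call in (("A1", CALL_FROM_A1), ("A2", CALL_FROM_A2)):
        print(label, "permitted" if call_permitted(EXAMPLE_RULES, call) else "rejected")
```

The host name rules evaluate header values set by the sender of the INVITE, while the source-address rule evaluates the address the message arrived from; combining them narrows the set of permitted calls because all configured rules must match.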

Configuring data link management

Introduction to E1 and T1
PDH includes two major communications systems: ITU-T E1 system and ANSI T1 system. The E1 system is
dominant in Europe and some non-European countries. The T1 system is dominant in the USA, Canada,
and Japan.
E1 and T1 use the same sampling frequency (8 kHz), PCM frame length (125 μs), bits per code (8 bits)
and timeslot bit rate (64 kbps). They differ in these aspects:
• E1 adopts 13-segment A-law coding/decoding, whereas T1 adopts 15-segment μ-law
coding/decoding.
• Each PCM primary frame of E1 contains 32 timeslots but that of T1 contains 24 timeslots. Each PCM
primary frame of E1 contains 256 bits but that of T1 contains 193 bits. Therefore, E1 provides
2.048 Mbps bandwidth, and T1 provides 1.544 Mbps bandwidth.

E1 and T1 voice functions


E1 and T1 mainly provide voice and signaling trunks to the PSTN. To realize this function, the router must
have E1 and T1 voice interfaces and must be configured with functions required for transmitting voice
over E1 and T1 lines.
The E1 and T1 voice physical interfaces are the VE1 and VT1 interfaces, respectively.
PSTN and routers are connected through E1/T1 trunks, as shown in Figure 627.
Figure 627 Network diagram for an E1/T1 voice system

E1/T1 voice transmission allows a router to provide more channels of voice communication, greatly
improving router utilization and broadening service range.

E1 and T1 interfaces
E1 interface
An E1 interface is logically divided into TSs with TS16 being a signaling channel.
On E1 interfaces, you may create PRI groups or TS sets.

You may use an E1 interface as an ISDN PRI or CE1 interface as follows:
1. As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling. Because TS0 is used to
transfer synchronization information and TS16 is used as a D channel to transfer signaling, you may
arbitrarily bind any timeslots other than TS0 and TS16 as a logical interface, which is equivalent to
an ISDN PRI interface.
2. As a CE1 interface with a signaling channel, the E1 interface can adopt R2 signaling, digital E&M
signaling, or digital LGS signaling.
• When R2 signaling is adopted, every 32 timeslots form a primary frame (PCM30, for example),
where TS0 is used for frame synchronization, TS16 for digital line signaling, and the other 30
timeslots for voice transmission. Every 16 primary frames form one multiframe. In each multiframe,
TS0 in even primary frames conveys FAS, and TS0 in odd primary frames conveys NFAS about link
status information. NFAS provides control signaling for primary rate multiplexing. In the first primary
frame, frame 0, the high-order four bits in TS16 convey MFAS, and the lower-order four bits convey
NMFAS. TS16 in each of other 15 primary frames conveys line status information for two timeslots.
For example, TS16 in frame 1 conveys the digital line signaling status of TS1 and TS17, while that
in frame 2 conveys the digital line signaling status of TS2 and TS18, and so on.
• When digital E&M signaling is adopted, the E1 interface functions as a digital E&M interface. On
the interface, timeslot division and functions are the same as those with R2 signaling.
• When digital LGS signaling is adopted, the E1 interface functions as a digital FXO or FXS interface.
On the interface, timeslot division and functions are the same as those with R2 signaling.

NOTE:
• After you create a TS set and configure signaling on an E1 voice interface card, the system can automatically create
the voice subscriber line for the TS set.
• After TSs of an E1 interface are bound to form a PRI group, the system automatically generates the corresponding
voice subscriber line.
• The web interface supports only the PRI trunk signaling.

T1 interface
A T1 interface can be physically divided into 24 timeslots numbered TS1 through TS24.
You may use a T1 interface as an ISDN PRI interface. The interface adopts DSS1 or QSIG signaling. On
the interface, except for TS24 used as D channel for signaling, you may arbitrarily bundle other timeslots
into an interface logically equivalent to an ISDN PRI interface.
In addition to DSS1 and QSIG signaling, T1 interfaces support R2 signaling, digital E&M signaling, and
LGS signaling. Configured with digital E&M signaling, a T1 interface is used as a digital E&M interface;
with digital LGS signaling, a digital FXO or FXS interface.

NOTE:
• Like E1 voice interface cards, T1 voice interface cards also have the features of voice subscriber lines.
• The web interface supports only the PRI trunk signaling.

Features of E1 and T1
E1 and T1 are characterized by the following:
• Signaling modes
• Fax function
• Protocols and standards

Signaling modes
E1/T1 interfaces support these types of signaling:
• DSS1/QSIG user signaling, adopted on the D channel between ISDN user and network interface
(UNI). It comprises a data link layer protocol and a Layer 3 protocol used for basic call control.
• ITU-T R2 signaling, which falls into the categories of digital line signaling and interregister signaling.
Digital line signaling is transmitted in TS16 (ABCD bits) of E1 trunk. It conveys status information
about E1 trunks to describe whether the trunks are occupied, released, or blocked. Interregister
signaling conveys information about address, language, and discriminating digits for internal calls,
echo suppressor, caller properties, and callee properties in multi-frequency compelled approach
(forward and backward) in each timeslot.
• Digital E&M signaling, similar to R2 signaling. It transmits E (recEive) and M (transMit) call control
signals similar to analog E&M signaling in TS16, alignment signals in TS0, and voice signals in
other timeslots. In digital E&M signaling, when an E1 trunk detects and sends connection signaling,
it looks at the signal in TS16. Digital E&M signaling provides three start modes (immediate, wink,
and delay) to adapt to different devices for more reliable connection.
• Digital LGS. Digital loop start signaling is used between telephones and switches to identify the
off-hook/on-hook state, while ground-start signaling is used between switches. They differ in that the
two parties in conversation must check grounding state before closing the line in the ground-start
approach.

Fax function
The fax function is available on E1/T1 voice interfaces to set up fax channels and transmit/receive fax
data.

Protocols and standards


E1/T1 voice supports SIP, and G.711, G.729, and G.723.1 Annex A (5.3 K and 6.3 K) in ITU
standards.
Table 245 Protocols supported by E1/T1

Item                 E1 Voice          T1 Voice
Framing format       CRC4, non-CRC4    SF, ESF
Line coding format   HDB3, AMI         B8ZS, AMI

Introduction to BSV interface


The BSV interface supports simultaneous transmission of voice and data. It can receive, send, compress,
and decompress digital PCM voice traffic, and it provides the VoIP function through other WAN interfaces
of the router.
Generally, a BSV interface is used to connect an ISDN digital telephone. It can also be used as a trunk
interface connecting to a PBX digital trunk. If it cooperates with an FXS or FXO interface, a BSV interface
can realize flexible routing policies for voice calls.

Configuring digital link management
You can click the link of a digital link name to display the page that displays the link state. For details, see
"Displaying ISDN link state."

Configuring VE1 line


Select Voice Management > Digital Link Management from the navigation tree, and then click the icon
of the VE1 line to be configured to display the E1 parameters configuration page.
Figure 628 E1 parameters configuration page (I)

Table 246 Configuration

Physical Parameters Configuration

Item: Working Mode
Description: Configure the working mode of the E1 interface:
• None—Remove the existing bundle.
• PRI trunk signaling—Bundle timeslots on an E1 interface into a PRI group.
By default, no PRI group is created.

Item: Bound Timeslot Number
Description: Specify the timeslots to be bundled.

Item: Frame Check Mode
Description:
• CRC4—Perform CRC.
• NO_CRC4—Do not perform CRC.

Item: Line Coding
Description:
• HDB—The line coding format is HDB3.
• AM—The line coding format is AMI.

Item: TDM Clock Source
Description:
• Internal—Set the internal crystal oscillator TDM clock as the TDM clock source on the E1 interface. After
that, the E1 interface obtains clock from the crystal oscillator on the main board. If it fails to do that, the
interface obtains clock from the crystal oscillator on its E1 card. Because SIC cards are not available with
crystal oscillator clocks, E1 interfaces on SIC cards can only obtain clock from the main board. The
internal clock source is also referred to as "master clock mode" in some features.
• Line—Set the line TDM clock as the TDM clock source on the E1 interface. After that, the E1 interface
obtains clock from the remote device through the line. The line clock source is also referred to as "slave
clock mode" in some features.
• Line primary—Set the E1 interface to preferably use the line TDM clock as the TDM clock source. After
that, the E1 interface always attempts to use the line TDM clock prior to any other clock sources.
By default, the TDM clock source for an E1 interface is the internal clock.
When digital voice E1 interfaces perform TDM timeslot interchange, it is important for them to achieve
clock synchronization to prevent frame slips and bit errors.
Depending on your configurations on E1 interfaces at the CLI, the system adopts different clocking
approaches. When there is a subcard VCPM on the main board, the clock distribution principle is as
follows:
• If the line keyword is specified for all interfaces, the clock on the interface with the lowest number is
adopted. In case the interface goes down, the clock on the interface with the second lowest number is
adopted.
• If line primary is specified for interface X and line or internal is specified for other interfaces, the clock on
interface X is adopted.
• If line is specified for interface X and internal is specified for other interfaces, the clock on interface X is
adopted.
• Normally, you cannot set the clock source for all interfaces in a system as internal to prevent frame slips
and bit errors. You can do this, however, if the remote E1 interfaces adopt the line clock source.
When there is no VCPM on the main board, the configuration of each MIM/FIC is independent, but only
one interface can be set as line primary.

Item: Status
Description:
• Enable—Enable the E1 interface.
• Disable—Disable the E1 interface.

If you select the PRI Trunk Signaling option, the page shown in Figure 629 appears.

Figure 629 E1 parameters configuration page (II)

NOTE:
You are not allowed to configure the following parameters on an ISDN interface if there is still a call on it:
ISDN Overlap-Sending, Switch to ACTIVE State Without Receiving a Connect-Ack Message, Carry High
Layer Compatibility Information, Carry Low Layer Compatibility Information, or ISDN Call Reference
Length. These parameters can take effect only if they are configured when there is no call on the interface.
Alternatively, you can manually disable the ISDN interface, configure the parameters, and then enable the
interface again. The operations, however, lead to the disconnection of calls existing on the interface.

Table 247 Configuration

ISDN Parameters Configuration

Item: ISDN Protocol Type
Description: Set the ISDN protocol to be run on an ISDN interface, including DSS1, QSIG, and ETSI.
By default, an ISDN interface runs DSS1.

Item: ISDN Working Mode
Description: Set the ISDN working mode: network side mode or user side mode.
By default, an ISDN interface operates in user side mode.

Item: ISDN Timeslot Management
Description: Configure local ISDN B channel management:
• Disable—Local ISDN B channel management is disabled and is in the charge of ISDN switch.
• Common management—The device operates in local B channel management mode to select available
B channels for calls. However, the ISDN switch still has a higher priority in B channel selection. If a locally
selected B channel is different from that selected by the ISDN switch, the one indicated by the ISDN switch
is used for communication.
• Forced management—The device operates in forced local B channel management mode. In this mode,
the device indicates in the Channel ID information element of a call Setup message that the local B
channel is mandatory and unchangeable. If the ISDN switch indicates a B channel different from the local
one, the call fails.
By default, the local ISDN B channel management is not enabled and is in the charge of ISDN switch.
It is very important to put appropriate control on the B channels used for calls in process, especially in PRI
mode. Proper channel management can improve call efficiency and reduce call loss. Normally, the
centralized B channel management provided by exchanges can work well. For this reason, HP
recommends that you adopt the management function provided by exchanges in most cases, despite the
fact that the ISDN module can provide the channel management function as well.

Item: ISDN Timeslot Order
Description: Set a B channel selection method:
• Ascending order—Select B channels in ascending order.
• Descending order—Select B channels in descending order.
When operating in B channel local management mode, the device selects B channels in ascending order
by default.
When the exchange manages B channels, these options have no effect. If you select the Disable option in
the ISDN Timeslot Management area, these options have no effect.

Item: ISDN Overlap-Sending / Max Number of Digits that Can Be Sent Each Time
Description:
• Enable—Set the ISDN interface to send the called number in overlap mode. In this mode, the digits of
each called number are sent separately, and the maximum number of the digits sent each time can be set.
• Disable—Set the ISDN interface to send the called number in full-sending mode. In this mode, all digits
of each called number are collected and sent at a time.
By default, the ISDN interface sends the called number in full-sending mode.

Item: Progress-to-Alerting Conversion
Description:
• Enable—Enable the ISDN interface to convert received Progress messages into Alerting messages.
• Disable—Disable the progress-to-alerting conversion function.
This option takes effect only on messages received on an ISDN interface.

Item: Switch to ACTIVE State Without Receiving or Sending a Connect-Ack Message
Description:
• Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving
a Connect message without having to send a Connect-Ack message.
• Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start
Connect and voice service communications after sending a Connect message without having to wait for a
Connect-Ack message.
• Enable for bidirectional directions—Configure the ISDN protocol to switch to the ACTIVE state after
receiving or sending a Connect message without having to wait for or send a Connect-Ack message.
• Disable (default)—Configure the ISDN protocol not to ignore the Connect-Ack messages. The ISDN
protocol must wait for the Connect-Ack message in response to the Connect message before it can switch
to the ACTIVE state to start data and voice service communications.
By default, in the event that the device is communicating with an ISDN switch:
• The ISDN protocol must wait for the Connect-Ack message in response to the Connect message before it
can switch to the ACTIVE state to start data and voice service communications.
• After the ISDN protocol receives a Connect message, it must send a Connect-Ack message in response.
NOTE:
• In the event that the device is communicating with an ISDN switch, its settings must be the same as those
on the switch.
• You are not allowed to configure this list on an ISDN interface if there is still a call on it. Configuration of
this list can take effect only if it is configured when there is no call on the interface. Alternatively, you can
manually disable the interface, configure this list, and then enable the interface. The operations, however,
lead to the disconnection of the calls existing on the interface.

Item: Carry High Layer Compatibility Information
Description:
• Enable—Configure ISDN to carry the HLC information element in Setup messages when placing voice
calls.
• Disable—Disable ISDN from carrying the HLC information element in the Setup messages when placing
voice calls.
By default, the HLC information element is carried in Setup messages when ISDN places voice calls.

Item: Carry Low Layer Compatibility Information
Description:
• Enable—Configure ISDN to carry the LLC information element in Setup messages when placing voice
calls.
• Disable—Disable ISDN from carrying the LLC information element in the Setup messages when placing
voice calls.
By default, the LLC information element is carried in Setup messages when ISDN places voice calls.

Item: Ignore the Sending-Complete Information Element in Setup Messages
Description:
• Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the
Sending-Complete Information Element when placing a call.
• Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete
Information Element in Setup messages when receiving a call.
• Enable for bidirectional directions—Configure the ISDN protocol to ignore the Sending-Complete
Information Element in Setup messages when receiving a call and to send Setup messages without the
Sending-Complete Information Element when placing a call.
• Disable (default)—Configure ISDN not to ignore the Sending-Complete Information Element in Setup
messages. During data exchange between the device and an ISDN switch, for an incoming call, if a Setup
message does not contain the Sending-Complete Information Element, the number is not received
completely. For an outgoing call, a Setup message containing the Sending-Complete Information Element
indicates that the number is sent completely.

Item: ISDN Sliding Window Size
Description: Set the sliding window size on an ISDN BRI interface.

Item: ISDN T302 Timer Duration
Description: Configure the duration of the ISDN protocol Layer 3 timer T302.

Item: ISDN Call Reference Length
Description: Set the length of the call reference used when a call is placed on an ISDN interface.
The call reference is equal to the sequence number that the protocol assigns to each call. It is one or two
bytes in length and can be used cyclically.
When the device receives a call from a remote device, it can automatically identify the length of the call
reference. However, some devices on the network do not have this capability. In the event that the device
is required to place calls to such a device connected to it, you must configure the device to use the same
call reference length configured on the connected device.

Configuring VT1 line


Select Voice Management > Digital Link Management from the navigation tree, and then click the icon
of the VT1 line to be configured to display the T1 parameters configuration page.

Figure 630 T1 parameters configuration page (I)

Table 248 Configuration

Item Description
Physical Parameters Configuration

Working Mode
Configure the working mode of the T1 interface:
• None—Remove the existing bundle.
• PRI Trunk Signaling—Bundle timeslots on a T1 interface into a PRI group.
By default, no PRI group is created.

Bound Timeslot Number
Specify the timeslots to be bundled.

Frame Check Mode
• ESF—Perform ESF.
• SF—Perform SF.

Line Coding
• B8ZS—The line coding format is B8ZS.
• AMI—The line coding format is AMI.

TDM Clock Source
• Internal—Set the internal crystal oscillator TDM clock as the TDM clock source
on the T1 interface. After that, the T1 interface obtains clock from the crystal
oscillator on the main board. If it fails to do that, the interface obtains clock
from the crystal oscillator on its T1 card. Because SIC cards have no crystal
oscillator clock, T1 interfaces on SIC cards can only obtain clock from the main
board. The internal clock source is also referred to as "master clock mode" in
some features.
• Line—Set the line TDM clock as the TDM clock source on the T1 interface. After
that, the T1 interface obtains clock from the remote device through the line. The
line clock source is also referred to as "slave clock mode" in some features.
• Line primary—Set the T1 interface to preferably use the line TDM clock as the
TDM clock source. After that, the T1 interface always attempts to use the line
TDM clock prior to any other clock sources.
By default, the TDM clock source for a T1 interface is the internal clock.
When digital voice T1 interfaces perform TDM timeslot interchange, it is important
for them to achieve clock synchronization to prevent frame slips and bit errors.
Depending on your configurations on T1 interfaces at the CLI, the system adopts
different clocking approaches. When there is a subcard VCPM on the main board,
the clock distribution principle is as follows:
• If the line keyword is specified for all interfaces, the clock on the interface with
the lowest number is adopted. If that interface goes down, the clock on the
interface with the next lowest number is adopted.
• If line primary is specified for interface X and line or internal is specified for
other interfaces, the clock on interface X is adopted.
• If line is specified for interface X and internal is specified for other interfaces,
the clock on interface X is adopted.
• Normally, to prevent frame slips and bit errors, you cannot set the clock source
for all interfaces in a system to internal. You can do this, however, if the
remote T1 interfaces adopt the line clock source.
When there is no VCPM on the main board, the configuration of each MIM/FIC is
independent, but only one interface can be set as line primary.

Status
• Enable—Enable the T1 interface.
• Disable—Disable the T1 interface.
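
The clock distribution rules in the TDM Clock Source item can be checked against a planned set of T1 interfaces before the configuration is applied. The following Python sketch is an added example, not HP code; the T1Interface model, the function names, and the handling of cases the rules do not spell out (a line primary interface that is down, several line interfaces mixed with internal ones) are assumptions.

```python
from dataclasses import dataclass, replace

INTERNAL, LINE, LINE_PRIMARY = "internal", "line", "line primary"


@dataclass(frozen=True)
class T1Interface:
    number: int      # interface number; the lowest number wins among equals
    clock: str       # INTERNAL, LINE or LINE_PRIMARY
    up: bool = True  # a down interface cannot supply a line clock


def elect_clock(interfaces):
    """Return the number of the interface whose line clock is adopted,
    or None when only the internal crystal oscillator is left."""
    usable = sorted((i for i in interfaces if i.up), key=lambda i: i.number)
    # Rule: a line primary interface is adopted over line and internal ones.
    for i in usable:
        if i.clock == LINE_PRIMARY:
            return i.number
    # Rule: otherwise the lowest-numbered line interface is adopted.
    # Assumption: the same rule applies when the line primary interface is
    # down and when line interfaces are mixed with internal ones.
    for i in usable:
        if i.clock == LINE:
            return i.number
    return None


def failover_order(interfaces):
    """Interface numbers in the order their line clock would be adopted
    as each previously adopted interface goes down."""
    remaining = list(interfaces)
    order = []
    while True:
        winner = elect_clock(remaining)
        if winner is None:
            return order
        order.append(winner)
        remaining = [replace(i, up=False) if i.number == winner else i
                     for i in remaining]


def audit(interfaces):
    """Return findings for configurations the guide warns about."""
    findings = []
    primaries = [i.number for i in interfaces if i.clock == LINE_PRIMARY]
    if len(primaries) > 1:
        findings.append(f"more than one line primary interface: {primaries}")
    if interfaces and all(i.clock == INTERNAL for i in interfaces):
        findings.append("all interfaces use the internal clock: acceptable "
                        "only if the remote T1 interfaces use the line clock")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration, not taken from the guide.
    plan = [T1Interface(1, LINE), T1Interface(2, LINE_PRIMARY),
            T1Interface(3, LINE), T1Interface(4, INTERNAL)]
    print("adopted clock:", elect_clock(plan))
    print("failover order:", failover_order(plan))
    print("findings:", audit(plan))
```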

If you select the PRI Trunk Signaling option, the page shown in Figure 631 appears.

Figure 631 T1 parameters configuration page (II)

ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table
247 describes the ISDN parameters configuration items.

Configuring BSV line


Select Voice Management > Digital Link Management from the navigation tree, and then click the icon
of the BSV line to be configured to display the BSV parameters configuration page.

Figure 632 BSV parameters configuration page

Table 249 Configuration

Item Description
ISDN Protocol Type
Set the ISDN protocol to be run on an ISDN interface, including DSS1,
ANSI, NI, NTT, and ETSI.
By default, an ISDN interface runs DSS1.

ISDN Working Mode
Set the ISDN working mode: network side mode or user side mode.
By default, an ISDN interface operates in user side mode.

ISDN Timeslot Management
Configure local ISDN B channel management:
• Disable—Local ISDN B channel management is disabled, and the ISDN
switch is in charge of B channel management.
• Common management—The device operates in local B channel
management mode to select available B channels for calls. However, the
ISDN switch still has a higher priority in B channel selection. If a locally
selected B channel is different from that selected by the ISDN switch, the
one indicated by the ISDN switch is used for communication.
• Forced management—The device operates in forced local B channel
management mode. In this mode, the device indicates in the Channel ID
information element of a call Setup message that the local B channel is
mandatory and unchangeable. If the ISDN switch indicates a B channel
different from the local one, the call fails.
By default, local ISDN B channel management is not enabled, and the ISDN
switch is in charge of B channel management.
It is very important to put appropriate control on the B channels used for
calls in progress, especially in PRI mode. Proper channel management can
improve call efficiency and reduce call loss. Normally, the centralized B
channel management provided by exchanges can work well. For this
reason, HP recommends that you adopt the management function provided
by exchanges in most cases, despite the fact that the ISDN module can
provide the channel management function as well.

ISDN Timeslot Order
Set a B channel selection method:
• Ascending order—Select B channels in ascending order.
• Descending order—Select B channels in descending order.
When operating in B channel local management mode, the device selects B
channels in ascending order by default.
When the exchange manages B channels, these options have no effect. If
you select the Disable option in the ISDN Timeslot Management area, these
options have no effect.

ISDN Overlap-Sending / Max Number of Digits that Can Be sent Each Time
• Enable—Set the ISDN interface to send the called number in overlap
mode. In this mode, the digits of each called number are sent
separately, and the maximum number of the digits sent each time can be
set.
• Disable—Set the ISDN interface to send the called number in full-sending
mode. In this mode, all digits of each called number are collected and
sent at a time.
By default, the ISDN interface sends the called number in full-sending mode.

Progress-to-Alerting Conversion
• Enable—Enable the ISDN interface to convert received Progress
messages into Alerting messages.
• Disable—Disable the progress-to-alerting conversion function.
This option takes effect only on messages received on an ISDN interface.

Switch to ACTIVE State Without Receiving a Connect-Ack Message
• Enable for outgoing direction—Configure the ISDN protocol to switch to
the ACTIVE state after receiving a Connect message without having to
send a Connect-Ack message.
• Enable for incoming direction—Configure the ISDN protocol to switch to
the ACTIVE state to start data and voice service communications
after sending a Connect message without having to wait for a
Connect-Ack message.
• Enable for bidirectional directions—Configure the ISDN protocol to
switch to the ACTIVE state after receiving or sending a Connect message
without having to wait for or send a Connect-Ack message.
• Disable (default)—Configure the ISDN protocol not to ignore the
Connect-Ack messages. The ISDN protocol must wait for the
Connect-Ack message in response to the Connect message before it can
switch to the ACTIVE state to start data and voice service
communications.
By default, in the event that the device is communicating with an ISDN
switch:
• The ISDN protocol must wait for the Connect-Ack message in response
to the Connect message before it can switch to the ACTIVE state to start
data and voice service communications.
• After the ISDN protocol receives a Connect message, it must send a
Connect-Ack message in response.
NOTE:
• In the event that the device is communicating with an ISDN switch, its
settings must be the same as those on the switch.
• You are not allowed to configure this list on an ISDN interface if there is
still a call on it. Configuration of this list can take effect only if it is
configured when there is no call on the interface. Alternatively, you can
manually disable the interface, configure this list, and then enable the
interface. The operations, however, lead to the disconnection of the call
existing on the interface.

Carry High Layer Compatibility Information
• Enable—Configure ISDN to carry the HLC information element in Setup
messages when placing voice calls.
• Disable—Disable ISDN from carrying the HLC information element in the
Setup messages when placing voice calls.
By default, the HLC information element is carried in Setup messages when
ISDN places voice calls.

Carry Low Layer Compatibility Information
• Enable—Configure ISDN to carry the LLC information element in Setup
messages when placing voice calls.
• Disable—Disable ISDN from carrying the LLC information element in the
Setup messages when placing voice calls.
By default, the LLC information element is carried in Setup messages when
ISDN places voice calls.

Ignore the Sending-Complete Information Element in Setup Messages
• Enable for outgoing direction—Configure the ISDN protocol to send
Setup messages without the Sending-Complete Information Element
when placing a call.
• Enable for incoming direction—Configure the ISDN protocol to ignore
the Sending-Complete Information Element in Setup messages when
receiving a call.
• Enable for bidirectional directions—Configure the ISDN protocol to
ignore the Sending-Complete Information Element in Setup messages
when receiving a call and to send Setup messages without the
Sending-Complete Information Element when placing a call.
• Disable (default)—Configure ISDN not to ignore the
Sending-Complete Information Element in Setup messages. When
data exchange is performed between the device and an ISDN switch,
for an incoming call, the device checks the received Setup messages for
the Sending-Complete Information Element to determine whether or not
the number is received completely. If a Setup message does not contain the
Sending-Complete Information Element, the number is not received
completely. For outgoing calls, a Setup message containing the
Sending-Complete Information Element indicates that the number is sent
completely.

Q.921 Permanent Link
Configure the Q.921 permanent link function:
• Enable—The BRI interface sets up a data link connection automatically
and maintains the connection even when no calls are received from the
network layer. If the two-tei mode is also enabled on the interface, two
such connections are present.
• Disable—Disable the Q.921 permanent link function on the BRI
interface.
This parameter is available only when the User Side Mode option in the
ISDN Working Mode area is selected.

ISDN two-tei
• Enable—Each call on the BRI interface uses a different TEI.
• Disable—All calls on all B channels on the BRI interface use one TEI
value.

ISDN Link Mode
• Point-to-Multipoint—A BRI interface operating on the network side can
have multiple end devices attached to it.
• Point-to-Point—Configure the BRI interface to operate in point-to-point
mode.

BSV Permanent Active State at the Physical Layer
• Enable—Specify an ISDN BRI interface to be in the permanent active
state at the physical layer.
• Disable—The BRI interfaces operating on the network side are not in the
permanent active state at the physical layer.
This parameter is available only when the Network Side Mode option in the
ISDN Working Mode area is selected.

BSV Remote Powering
• Enable—Enable remote powering on an ISDN BRI interface.
• Disable—Disable remote powering on an ISDN BRI interface.
This parameter is available only when the Network Side Mode option in the
ISDN Working Mode area is selected.

ISDN Sliding Window Size
Set the sliding window size on an ISDN BRI interface.

ISDN T302 Timer Duration
Configure the duration of the ISDN protocol Layer 3 timer T302.

ISDN Call Reference Length
Set the length of the call reference used when a call is placed on an ISDN
interface.
The call reference is equal to the sequence number that the protocol assigns
to each call. It is one or two bytes in length and can be used cyclically.
When the device receives a call from a remote device, it can automatically
identify the length of the call reference. However, some devices on the
network do not have this capability. In the event that the device is required
to place calls to such a device connected to it, you must configure the device
to use the same call reference length configured on the connected device.

Status
• Enable—Enable the BSV interface.
• Disable—Disable the BSV interface.
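
The three ISDN Timeslot Management modes differ only in what happens when the device and the ISDN switch pick different B channels. The following Python sketch is an added example, not HP code: it models that decision and runs a short burst of calls on a BRI interface with two B channels. The function names, outcome labels, and the switch's own selection order are assumptions made for illustration.

```python
DISABLE, COMMON, FORCED = "disable", "common", "forced"
ASCENDING, DESCENDING = "ascending", "descending"


def local_pick(free_channels, order=ASCENDING):
    """B channel selected under the given ISDN Timeslot Order,
    or None when every channel is busy."""
    if not free_channels:
        return None
    return min(free_channels) if order == ASCENDING else max(free_channels)


def negotiate(mode, free_channels, switch_choice, order=ASCENDING):
    """Return (channel_used, outcome) for one call.

    switch_choice is the B channel indicated by the ISDN switch
    (constructed input; a real switch applies its own policy).
    """
    if mode == DISABLE:
        # The switch manages B channels; the timeslot order has no effect.
        return switch_choice, "switch-selected"
    proposed = local_pick(free_channels, order)
    if proposed is None:
        return None, "no-free-channel"
    if switch_choice == proposed:
        return proposed, "agreed"
    if mode == COMMON:
        # The switch has the higher priority; its channel is used.
        return switch_choice, "switch-override"
    # FORCED: the Channel ID element marked the local channel as mandatory
    # and unchangeable, so a different indication fails the call.
    return None, "call-failed"


def simulate(mode, order, switch_order, calls, channels=(1, 2)):
    """Place `calls` calls without releasing any; return (connected, failed).

    Assumption: the switch selects from the same free set, using switch_order.
    """
    free = set(channels)
    connected = failed = 0
    for _ in range(calls):
        if not free:
            failed += 1
            continue
        switch_choice = local_pick(free, switch_order)
        used, _outcome = negotiate(mode, free, switch_choice, order)
        if used is None:
            failed += 1
        else:
            free.discard(used)
            connected += 1
    return connected, failed


if __name__ == "__main__":
    for mode in (DISABLE, COMMON, FORCED):
        result = simulate(mode, ASCENDING, DESCENDING, calls=2)
        print(f"{mode:8s} device ascending, switch descending -> {result}")
```

With mismatched selection orders, forced management loses every call in this model, while common management and switch-side management connect both.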

Displaying ISDN link state


Select Voice Management > Digital Link Management from the navigation tree, and then click the name of
the target digital link (taking a VE1 digital link as an example) to display the page that displays the link
state, as shown in Figure 633.
Figure 633 Displaying ISDN link state

E1 and T1 voice configuration example
Configuring E1 voice DSS1 signaling
Network requirements
As shown in Figure 634, telephones in City A and City B communicate with each other through Router A
and Router B over an IP network.
• Router A is connected to a PBX through an E1 voice subscriber line and to the telephone at
0101003 through an FXS voice subscriber line.
• Router B is connected only to a PBX through an E1 voice subscriber line.
The two routers communicate with their respective PBX by exchanging DSS1 user signaling through an
ISDN interface. The one-stage dialing mode is configured on the two routers.
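Figure 634 Network diagram
(Router A: Eth2/1 1.1.1.1/24; FXS line 3/0 to telephone 010-1003; E1 line 1/1:15 to the PBX serving
010-1001 and 010-1002. Router B: Eth2/1 2.2.2.2/24; E1 line 1/1:15 to the PBX serving 0755-2001 and
0755-2002. The two routers are connected across the WAN.)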

Configure Router A
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the icon
of E1 1/1 to display the E1 parameters configuration page.
Figure 635 E1 parameters configuration page

a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.

# Configure local numbers and call routes.


• Configure a local number in the local number configuration page: The number ID is 1003, the
number is 0101003, and the bound line is 3/0.
• Configure a call route in the call route configuration page: The call route ID is 1001, the destination
number is 0101001, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
• Configure a call route in the call route configuration page: The call route ID is 1002, the destination
number is 0101002, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
• Configure a call route in the call route configuration page: The call route ID is 0755, the destination
number is 0755...., the call route type is SIP, the SIP routing type is IP routing, and the
destination address is 2.2.2.2.

Configure Router B
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the icon
of E1 1/1 to display the E1 parameters configuration page.
Figure 636 E1 parameters configuration page

a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.

# Configure call routes.


• Configure a call route in the call route configuration page: The call route ID is 2001, the destination
number is 07552001, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
• Configure a call route in the call route configuration page: The call route ID is 2002, the destination
number is 07552002, and the trunk route line is 1/1:15. In addition, select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route.
• Configure a call route in the call route configuration page: The call route ID is 010, the destination
number is 010...., the call route type is SIP, the SIP routing mode is IP routing, and the destination
address is 1.1.1.1.

Verifying the configuration


• Telephones in City A and City B can communicate with each other.
• Select Voice Management > Statistics > Call Statistics from the navigation tree to display the Active
Call Summary page, and you can view the statistics of active calls.
• Select Voice Management > Digital Link Management from the navigation tree, and then click the
name of the target digital link line 1/1:15 to display the page that displays the link state.

Configuring line management

FXS voice subscriber line


An FXS interface uses a standard RJ-11 connector and a telephone cable to directly connect with an
ordinary telephone or a fax machine. An FXS interface accomplishes signaling exchange based on the
level changes on the Tip/Ring line and provides ring, voltage, and dial tone.

FXO voice subscriber line


An FXO interface uses an RJ-11 connector and a telephone cable to connect local calls to a PSTN or PBX.
Like an FXS interface, an FXO interface accomplishes signaling exchange based on the level changes on
the Tip/Ring line. An FXO interface can be connected only to an FXS interface.

E&M subscriber line


E&M introduction
An E&M interface uses an RJ-48 telephone cable to connect to a PBX. The PBX sends signals on the M (M
represents mouth) line and receives signals on the E (E represents ear) line. The voice router receives M
signals from the PBX and sends E signals to the PBX. An E&M interface can only be connected to another
E&M interface.
When E&M is applied in voice communication, two or four voice wires can be used. In addition, there
are two or four signaling wires. Therefore, 4-wire analog E&M actually has at least six wires. The 2-wire
mode provides full-duplex voice transmission, and voice is transmitted in two directions on the two wires.
The 4-wire mode is equivalent to the simplex mode, and every two wires are responsible for the voice
transmission in one direction.

E&M start mode


An E&M interface supports E&M signaling and divides each voice connection into trunk circuit side and
signaling unit side (similar to DCE and DTE).
An E&M interface provides on-hook/off-hook signals and minimizes the interference. Because an E&M
interface does not provide any dial tone, one of the following three signaling technologies is used to start
dialing:
• Immediate start—In this mode, the caller picks up the phone, and some time later, the dialed number
is sent to the called side. During this period, whether the called side has been ready for receiving
the called number is not checked. After the called information is received, the callee can pick up the
phone to answer the call.
Figure 637 Immediate start mode

• Delay start—In this mode, the caller first picks up the phone to seize the trunk line, and the called
side (such as the peer PBX) also enters the off-hook state in response to the off-hook action of the
caller. The called side (PBX) is in the off-hook state until it is ready for receiving the address
information. After it is ready, it enters the on-hook state, and this interval is the so-called "dial
delay." The calling side sends the address information, and the called side (PBX) connects the call to
the callee. The two parties can then begin the communication.
Figure 638 Delay start mode

• Wink start—In this mode, the caller first picks up the phone to seize the trunk line, and the called
side (such as the peer PBX) is in the on-hook state until receiving a connection signal from the calling
side. Then, the called side sends a wink signal to make an acknowledgement and enter the ready
state. Upon receiving the wink signal, the calling side begins to send the address information, and
the called side connects the call to the callee. The two parties can then begin the communication.
Figure 639 Wink start mode

One-to-one binding between FXS and FXO voice subscriber lines
The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines enhances the
reliability of voice solutions. For industry-specific users, highly reliable communication over FXS voice
subscriber lines is required. Dedicated FXO voice subscriber lines can be used for communication over
PSTN when the IP network is unavailable. The one-to-one binding between FXS voice subscriber lines and
FXO voice subscriber lines can meet this requirement.
The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines provides the
following functions:
• Dedicated FXO voice subscriber lines—The dedicated FXO voice subscriber lines can be used only
for the bound FXS voice subscriber lines. PSTN-originated calls received over dedicated FXO voice
subscriber lines are directly connected to the bound FXS voice subscriber lines.
• Consistent state between bound FXS and FXO voice subscriber lines—The on-hook/off-hook state of
the bound FXS and FXO voice subscriber lines is consistent. If an FXO subscriber line receives a
PSTN-originated call when the corresponding FXS voice subscriber line goes off-hook, the calling
party hears busy tones.

Echo adjustment function


Echo is when the user hears his/her own voice in the telephone receiver while he/she is talking. This is
because analog signals leak into the receiving path of the user. The echo adjustment function provided by
the VoIP gateway can cancel echoes to some extent.
You can cancel echoes in the following ways:
• Adjusting echo duration
• Adjusting echo cancellation parameter
• Enabling the nonlinearity function of echo cancellation

Adjusting echo duration


Table 250 Adjust echo duration

Symptom: A user hears his/her own voice in conversation.
• Reason: The echo duration is so long that the convergence time of echo cancellation on the
network becomes longer. Adjustment method: Shorten echo duration.
• Reason: The echo duration is so short that long-duration echoes are not completely
cancelled. Adjustment method: Prolong echo duration.

Adjusting echo cancellation parameters
Table 251 Adjust echo cancellation parameters

Symptom: A user hears his/her own voice or loud background noises from the peer when speaking.
Parameters adjusted: Speed up the convergence of comfortable noise amplitudes.
Effect: Too fast convergence may make noises uncomfortable.

Symptom: There are loud environment noises.
Parameters adjusted: Increase the maximum amplitude of comfortable noises.
Effect: Too large amplitude may make noises uncomfortable.

Symptom: A user hears his/her voice when speaking.
Parameters adjusted: Enlarge the control factor of mixed proportion of noises.
Effect: Too high a control factor leads to audio discontinuity.

Symptom: There are echoes when both parties speak at the same time.
Parameters adjusted: Enlarge the judgment threshold for bidirectional conversation.
Effect: Too high a judgment threshold slows down the convergence of the filter factor.

Enabling the nonlinear function of echo cancellation


The nonlinear function of echo cancellation, also known as "residual echo suppression," is the removal of
residual echoes after echo cancellation when the user at the local end does not speak.

Line management configuration


Select Voice Management > Line Management from the navigation tree to display the line list page shown
in Figure 640.
Figure 640 Line list page

Configuring an FXS voice subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
FXS line to be configured to display the FXS line configuration page shown in Figure 641.

Figure 641 FXS line configuration page

Table 252 Configuration

Item Description
Basic Configurations

Description
Description of the FXS line.

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until
all digits of the number are dialed. If the timer expires before the dialing is
completed, the user is prompted to hang up, and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up, and the
call is terminated.

Max Duration of Playing Ringback Tones
Maximum duration in seconds of playing ringback tones.

Status
• Enable
• Disable

Advanced Settings

Dial Delay Time
Dial delay in seconds.

Lower Limit for Hookflash Detection / Upper Limit for Hookflash Detection
The time range for the duration of an on-hook condition that is detected as a
hookflash. An on-hook condition is considered to be a hookflash if it lasts for
a period that falls within the hookflash duration range (the period is longer
than the lower limit and shorter than the upper limit).

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent,
increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line,
increase the voice output gain value.

IMPORTANT (applies to both gain settings):
Gain adjustment may lead to call failures. HP recommends that you do
not adjust the gain. If necessary, do it with the guidance of technical
personnel.

Electrical Impedance
Each country corresponds to an impedance value, so you can specify an
impedance value by specifying a country. By default, the electrical
impedance on the FXO or FXS voice subscriber line is the impedance value
corresponding to China.

Packet Loss Compensation Mode
You can specify either of the following packet loss compensation algorithms:
• Specific algorithm of the device
• Universal frame erasure algorithm

Comfortable Noise Function
You can use this function to generate some comfortable background noise to
replace the toneless intervals during a conversation. If no comfortable noise
is generated, the toneless intervals make both parties in conversation feel
uncomfortable.
• Enable
• Disable
By default, the comfortable noise function is enabled.

Echo Cancellation Function
• Enable
• Disable

Echo Duration
After enabling this function, you can set the echo duration (the time that
elapses from when a user speaks to when he/she hears the echo).

Nonlinear Function of Echo Cancellation
• Enable
• Disable

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level:
• Low—In this mode, the reliability is high, but DTMF tones may fail to be
detected.
• Medium—In this mode, the reliability is medium. If you select this option,
you can specify the Frequency Tolerance of Medium DTMF Detection
Sensitivity Level. The greater the value, the higher the probability of false
detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low, and detection errors may
occur.

Configuring an FXO voice subscriber line
Select Voice Management > Line Management from the navigation tree, and then click the icon of the
FXO line to be configured to display the FXO line configuration page shown in Figure 642.
Figure 642 FXO line configuration page

Table 253 Configuration

Item Description
Basic Configurations

Description
Description of the FXO line.

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all
digits of the number are dialed. If the timer expires before the dialing is completed,
the user is prompted to hang up, and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up, and the call is
terminated.

Max Duration of Playing Ringback Tones
Maximum duration in seconds of playing ringback tones.

Status
• Enable
• Disable

Advanced Settings

Off-hook Mode
• Delay off-hook—In this mode, configure a dedicated line number, which the
system uses to connect the call to the callee automatically. The communication
can be performed over the FXO subscriber line only after the callee picks up
the telephone.
• Immediate off-hook—In this mode, when a call arrives, the FXO interface goes
off-hook immediately, and then the caller performs the second stage dialing.

Binding FXS Line
Bind an FXS voice subscriber line to the FXO voice subscriber line. This list is
available only when you select the Delay Off-hook option in the Off-hook Mode
area.
To keep the consistent off-hook/on-hook state between the bound FXS and FXO
lines, the specified FXS line must be the one to which the dedicated line number
points. In addition, only the bound FXS line is allowed to originate calls to the FXO
line by restricting incoming calls.

Ring Mode
• Delay Ring
• Immediate Ring
You can select the Delay Ring option to quicken ringing synchronization between
the FXO voice subscriber line and its bound FXS voice subscriber line. However,
for the telephone supporting calling identification display, the calling number is
displayed after the second ringing tone.

Duration before a Forced On-hook
In some countries, PBXs do not play busy tones, or the busy tones played by them
only last for a short period of time. When noise is present on a transmission link,
the configuration of silence threshold and silence duration for automatic on-hook
cannot solve the problem where the resource of the FXO interface cannot be
released. In this case, you can specify the duration before a forced on-hook to
solve the problem.
No duration is configured by default.
NOTE:
After the duration before a forced on-hook is configured, the call is automatically
disconnected when the duration expires, even if the call is currently going on.

Dial Delay Time
Configure the dial delay time.
By default, the dial delay is 1 second.
VAD Threshold
Set the silence threshold.
If the amplitude of voice signals from the switch is smaller than this value, the system
regards the voice signals as silence.
Normally, the signal amplitude on the links without traffic ranges from 2 to 5.
By default, the silence threshold is 20.

On-hook Duration for VAD
Set the silence duration for automatic on-hook.
Upon expiration of this duration, the system performs on-hook automatically.
By default, the silence duration for automatic on-hook is 7,200 seconds (2 hours).

(Applies to both VAD Threshold and On-hook Duration for VAD:)
Silence detection-based automatic on-hook prevents the situation where the resource
of the FXO interface cannot be released due to busy tone detection failure when the
busy tone parameters provided by the connected PBX are special.
When the signal values of two successive sampling points are less than the silence
detection threshold, the system considers that the line goes into the silent state. If the
line stays in the silent state longer than the silence duration for automatic on-hook,
the system automatically disconnects the call.

Interval between On-hook and Off-hook
Configure the interval between on-hook and off-hook.
By default, the interval between on-hook and off-hook is 500 milliseconds.
In the delay off-hook mode, the on-hook/off-hook state of FXS and FXO lines is
consistent. When an FXS line goes off-hook, the FXO line to which the FXS line is
bound goes off-hook, too. When the FXS line in the off-hook state has to connect
the FXO line to originate a call over PSTN, the FXO line must first perform an
on-hook operation and then perform an off-hook operation to send the called
number. This task is to set the interval between the on-hook and off-hook
operations.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the
input gain value.

Output gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the
voice output gain value.

IMPORTANT (applies to both gain settings):
Gain adjustment may lead to call failures. HP recommends that you do not adjust the
gain. If necessary, do it with the guidance of technical personnel.

Time for CID Check
Configure the time for CID check.

Number of Rings after CID Check to Off-hook
Set the number of rings after CID check to off-hook. The greater the value, the later the
FXO line goes off-hook.

(Applies to both CID check settings:)
By default, CID check is performed between the first and the second rings, and the FXO
line goes off-hook as soon as the check completes.

Electrical Impedance
Each country corresponds to an impedance value, so you can specify an
impedance value by specifying a country. By default, the electrical impedance on
the FXO or FXS voice subscriber line is the impedance value corresponding to
China.

Packet Loss Compensation Mode
You can specify either of the following packet loss compensation algorithms:
• Specific algorithm of the device
• Universal frame erasure algorithm
Comfortable Noise Function: You can use this function to generate some comfortable
background noise to replace the toneless intervals during a conversation. If no
comfortable noise is generated, the toneless intervals make both parties in conversation
feel uncomfortable.
• Enable
• Disable
By default, the comfortable noise function is enabled.

Busy Tone Sending:
• Enable
• Disable

Duration of Busy Tone: With the busy-tone sending function enabled, you can set the
duration of busy tones.

Echo Cancellation Function:
• Enable
• Disable

Echo Duration: After enabling this function, you can set the echo duration (the time
that elapses from when a user speaks to when he/she hears the echo).

Nonlinear Function of Echo Cancellation:
• Enable
• Disable

DTMF Detection Sensitivity Level: Set the DTMF detection sensitivity level:
• Low—In this mode, the reliability is high, but DTMF tones may fail to be
detected.
• Medium—In this mode, the reliability is medium. If you select this option, you
can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level.
The greater the value, the higher the probability of false detection. Support for
this option varies with installed cards.
• High—In this mode, the reliability is low, and detection errors may occur.

Configuring an E&M subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
E&M line to be configured to display the E&M line configuration page shown in Figure 643.

Figure 643 E&M line configuration page

Table 254 Configuration

Item Description
Basic Configurations

Description: Description of the E&M line.

Cable Type: Select the E&M interface cable type: 4-wire or 2-wire.
By default, the cable type is 4-wire.
When you configure the cable type, make sure that the cable type
is the same as that of the peer device. Otherwise, only
unidirectional voice service is available.
The configuration is applied to all E&M interfaces of the card.

Signal Type: Types 1, 2, 3, and 5 are the four signal types (types I, II, III, and V)
of the analog E&M subscriber line.
When you configure the signal type, make sure that the signal type
is the same as that of the peer device.
The configuration is applied to all analog E&M lines in the
corresponding slot.

Max Interval for Dialing the Next Digit: Maximum interval for the user to dial the
next digit. This timer restarts each time the user dials a digit and works in this
way until all digits of the number are dialed. If the timer expires
before the dialing is completed, the user is prompted to hang up,
and the call is terminated.

Max Duration the System Waits for the First Digit: Maximum duration for the system to
wait for the first digit of a number.

Max Duration of Playing Ringback Tones: Maximum duration in seconds of playing
ringback tones.

Status:
• Enable
• Disable

Advanced Settings

Immediate Start

Delay Time before the Calling Party Sends DTMF Signals in Immediate Start Mode: Delay
time before the calling party sends DTMF signals in the immediate start mode.

Delay Start Mode

Delay Signal Duration in Delay Start Mode: Delay signal duration in the delay start
mode.

Delay Time before the Called Party Sends a Delay Signal in Delay Start Mode: Delay time
from when the called party detects a seizure signal to when it sends a delay signal in
the delay start mode.

Wink Start

Delay Time before the Called Party Sends a Wink Signal in Wink Start Mode: Delay time
from when the called party receives a seizure signal to when it sends a wink signal in
the wink start mode.

Duration of a Wink Signal Send by the Called Party in Wink Start Mode: Time duration in
which the called party sends wink signals in the wink start mode.
Max Time the Calling Party Waits for a Wink Signal in Wink Start Mode: The maximum
amount of time the calling party waits for a wink signal after sending a seizure signal
in the wink start mode.

Input Gain on the Voice Interface: When the voice signals on the line attenuate to a
relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface: When a relatively small voice signal power is
needed on the output line, increase the voice output gain value.

IMPORTANT (input and output gain):
Gain adjustment may lead to a call failure. HP recommends that you do not adjust the
gain. If necessary, do it with the guidance of technical personnel.

SLIC Chip Output Gain: Configure the output gain of the SLIC chip. The bottom layer
tunes the signal gain through the SLIC chip.
By default, the output gain of the SLIC chip is 0.8 dB.

Comfortable Noise Function: You can use this function to generate some comfortable
background noise to replace the toneless intervals during a
conversation. If no comfortable noise is generated, the toneless
intervals make both parties in conversation feel uncomfortable.
• Enable
• Disable
By default, the comfortable noise function is enabled.

Echo Cancellation Function:
• Enable
• Disable

Echo Duration: After enabling this function, you can set the echo duration (the time
that elapses from when a user speaks to when he/she hears the
echo).

Nonlinear Function of Echo Cancellation:
• Enable
• Disable

Configuring an ISDN line


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
ISDN line to be configured to display the ISDN line configuration page shown in Figure 644.

NOTE:
ISDN lines include BSV interfaces (for information about the BSV interface, see "Configuring data link
management") and ISDN lines generated by binding timeslots of digital E1 interfaces or T1 interfaces into
PRI sets. For the latter, before configuring the ISDN line, perform the following configuration: select Voice
Management > Line Management from the navigation tree, and then click the icon of the line to be
configured to display the corresponding parameters configuration page. In the Working Mode area,
select the PRI Trunk Signaling option to create the ISDN line.

Figure 644 ISDN line configuration page

Table 255 Configuration

Item Description
Description: Description of the ISDN line.

Comfortable Noise Function: You can use this function to generate some comfortable
background noise to replace the toneless intervals during a conversation. If no
comfortable noise is generated, the toneless intervals make both parties in conversation
feel uncomfortable.
• Enable
• Disable
By default, the comfortable noise function is enabled.

Echo Cancellation Function:
• Enable
• Disable

Echo Duration: After enabling this function, you can set the echo duration (the time that
elapses from when a user speaks to when he/she hears the echo).

Nonlinear Function of Echo Cancellation:
• Enable
• Disable

Input Gain on the Voice Interface: When the voice signals on the line
attenuate to a relatively great extent, increase the input gain value.

Output Gain on the Voice Interface: When a relatively small voice signal
power is needed on the output line, increase the voice output gain value.

IMPORTANT (input and output gain):
Gain adjustment may lead to call failures. HP recommends that you do not adjust the
gain. If necessary, do it with the guidance of technical personnel.

Companding Law: Configure a companding law used for quantizing signals.
• A-law, used in China, Europe, Africa, and South America.
• μ-law, used in USA.
NOTE:
A BRI interface does not support this configuration item.

DTMF Detection Sensitivity Level: Set the DTMF detection sensitivity level:
• Low—In this mode, the reliability is high, but DTMF tones may fail to be
detected.
• High—In this mode, the reliability is low, and detection errors may
occur.

Status:
• Enable
• Disable

Line management configuration examples


Configuring an FXO voice subscriber line
Network requirements
As shown in Figure 645, the FXO voice subscriber line connected to Router B works in PLAR mode, and
the default remote phone number is 010-1001.
Dialing the number 0755-2003 on phone 0755-2001 connects to Router B. Since Router B works in the
private-line mode (the hotline mode), it requests connection to the preset remote number 010-1001 at
Router A.
Figure 645 Network diagram

Configuring Router A
# Create a call route and local number.
• Configure a call route in the call route configuration page: The call route ID is 10000, the
destination number is 0755...., and the destination address is 2.2.2.2.
• Create a local number in the local number configuration page: The number ID is 1001, the number
is 0101001, and the bound line is 1/0.

Configuring Router B
# Create call routes.
• Create a call route in the call route configuration page: The call route ID is 10000, the destination
number is 010….., and the destination address is 1.1.1.1.
• Create a call route in the call route configuration page: The call route ID is 10001, the destination
number is 07552001, the call route type is Trunk, and the trunk route line is 1/0. In addition, select
the Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Configure the hotline number.
Select Voice Management > Call Route from the navigation tree, and then click the icon of call route
10001 to display the call services configuration page.
Figure 646 Hotline number configuration page

a. Enter 0101001 in the Hotline Numbers field.


b. Click Apply.

Verifying the configuration


If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number
010-1001 at Router A.

Configuring one-to-one binding between FXS and FXO


Network requirements
• Router A and Router B are connected over an IP network and a PSTN. Telephone A attached to
Router A can make calls to Telephone B attached to Router B over the IP network or the PSTN.

• Usually, Telephone A makes calls to Telephone B over the IP network. In the situation where the IP
network is unavailable, Router A sends calls from Telephone A through the bound FXO interface to
Telephone B over PSTN.
Figure 647 Network diagram

Configuration considerations
• Configure one-to-one binding between FXS and FXO voice subscriber lines.
• When the IP network is available, the VoIP entity is preferably used to make calls over the IP
network.
• When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO
voice subscriber line over the PSTN.

NOTE:
• Router A and Router B are routable to each other.
• The configuration of interface IP addresses is not shown here.

Configuring Router A
# Configure a local number and two call routes.
• Configure a call route in the call route configuration page: The call route ID is 10000, the
destination number is 210…., and the destination address is 192.168.0.76.
• Configure a local number in the local number configuration page: The number ID is 0101001, the
number is 0101001, and the bound line is 3/0.
• Configure the backup call route 10001 for the FXO line in the call route configuration page: The
destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition, select
the Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Configure call authority control.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
Add to display the permitted call number group configuration page.

Figure 648 Permitted call number group configuration page

a. Enter 1 in the Group ID field.


b. Enter 0101001 in the Numbers in the Group field, and then click Add.
c. Click Apply.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not
Bound to display the call route binding page of permitted call number group 1.
Figure 649 Call route binding page

a. Select the Permit the calls from the number group option.
b. Select call route 10001.
c. Click Apply.
# Configure the hotline number.
Select Voice Management > Call Route from the navigation tree, and then click the icon of call route
10001 to display the call services configuration page.

Figure 650 Hotline number configuration page

a. Enter 0101001 in the Hotline Numbers field.


b. Click Apply.

# Configure the delay off-hook binding for the FXO line.


Select Voice Management > Line Management from the navigation tree, and then click the icon of FXO
line 4/0 to display the FXO line configuration page.
Figure 651 FXO line delay off-hook binding configuration page

a. Select the Delay Off-hook option.


b. Select subscriber-line 3/0 from the Binding FXS Line list.
c. Click Apply.
# Configure the system to first select VoIP entity.

Select Voice Management > Dial Plan > Number Match from the navigation tree to display the number
match configuration page.
Figure 652 Entity type selection sequence configuration page

a. Select Enable in the Select Based on Voice Entity Type area.


b. Configure the order of the voice entities in the Selection Sequence list: the first is VoIP, the
second is POTS, the third is VoFR, and the last is IVR.
c. Click Apply.

Configuring Router B
# Configure a local number and two call routes.
• Configure a call route in the call route configuration page: The call route ID is 10000, the
destination number is 010…., and the destination address is 192.168.0.71.
• Configure a local number in the local number configuration page: The number ID is 2101002, the
number is 2101002, and the bound line is 3/0.
• Configure the backup call route 10001 for the FXO line in the call route configuration page: The
destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition, select
the Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Configure call authority control.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click
Add to display the permitted call number group configuration page.

Figure 653 Permitted call number group configuration page

a. Enter 1 in the Group ID field.


b. Enter 2101002 in the Numbers in the Group field, and then click Add.
c. Click Apply.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and then click Not
Bound to display the call route binding page of permitted call number group 1.
Figure 654 Call route binding page

a. Select the Permit the calls from the number group option.
b. Select call route 10001.
c. Click Apply.
# Configure the hotline number.
Select Voice Management > Call Route from the navigation tree, and then click the icon of call route
10001 to display the call services configuration page.

Figure 655 Hotline number configuration page

a. Enter 2101002 in the Hotline Numbers field.


b. Click Apply.

# Configure the delay off-hook binding for the FXO line.


Select Voice Management > Line Management from the navigation tree, and then click the icon of the
FXO line 4/0 to display the FXO line configuration page.
Figure 656 FXO line delay off-hook binding configuration page

a. Select the Delay Off-hook option.


b. Select subscriber-line 3/0 from the Binding FXS Line list.
c. Click Apply.
# Configure the system to first select VoIP entity.

Select Voice Management > Dial Plan > Number Match from the navigation tree to display the number
match configuration page.
Figure 657 Entity type selection sequence configuration page

a. Select Enable in the Select Based on Voice Entity Type area.


b. Configure the order of the voice entities in the Selection Sequence list: the first is VoIP, the second
is POTS, the third is VoFR, and the last is IVR.
c. Click Apply.

Verifying the configuration


In the situation where the IP network is unavailable, calls can be made over PSTN.

Configuring SIP local survival

IP phones have been deployed throughout the headquarters and branches of many enterprises and
organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP
phones at branches.
The local survival feature enables the voice router at a branch to automatically detect the reachability of
the headquarters voice server and to process calls originated by attached IP phones when the
headquarters voice server is unreachable. The headquarters voice server takes over call services from the
branch voice router when the failure is removed.
Figure 658 shows a typical network diagram for the local survival feature.
Figure 658 Network diagram for the local survival feature

The local survival feature works as follows:


1. When the WAN link from a branch to the headquarters is normal, all IP phones at the branch are
registered with the headquarters voice server, and the headquarters voice server processes calls
originated by branch IP phones.
2. When the WAN link to the headquarters or the primary server fails:
   • The branch voice router can accept registrations from its attached IP phones.
   • The branch voice router ensures normal call services between its IP phones, between its IP
     phones and FXS interfaces, and between its FXS interfaces.
   • IP phone users at the branch can place or receive PSTN calls through FXS interfaces on the
     voice router.
3. When the WAN link or the primary server recovers, the branch voice router rejects registrations
from IP phones, and the headquarters voice server takes over call processing.

Configuring SIP local survival
Service configuration
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to display
the page shown in Figure 659.
Figure 659 Configure service

Table 256 Configuration

Item Description
Server Running State:
• Enable—Enables the local SIP server.
• Disable—Disables the local SIP server.
By default, the local SIP server is disabled.

IP Address Bound to the Server: Enter the IP address of the local server: a local
interface's IP address or a loopback address, such as 127.0.0.1. The IP address of a
local interface is recommended because a loopback address cannot accept registrations
from remote users.
When the local SIP server is enabled, the IP address of the local server must be
provided.

Port Bound to the Server: Enter the port number of the local SIP server.

Registration Aging Time of the Client: Enter the maximum registration interval of clients.

Server Operation Mode:
• Alone—The local SIP server in alone mode acts as a small voice server.
• Alive—The local SIP server in alive mode supports the local survival feature.
When the communication with the remote server fails, the local SIP server
accepts registrations and calls. When the communication resumes, the
remote server accepts registrations and calls again, and the local SIP server
rejects registrations and calls. In the alive mode, Options messages are
periodically sent to the remote server.
By default, the local SIP server operates in alone mode.

Remote Server IP address: Enter the IP address of the remote SIP server.
When the alive mode is selected, the IP address of the remote SIP server must be
provided.

Remote Server Port: Enter the port number of the remote SIP server.

Interval for Sending Probe Packets: Interval for sending Options messages to the remote
SIP server.

User management
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and then
click Add to display the page shown in Figure 660.
Figure 660 Configure user

Table 257 Configuration

Item Description
User ID: Enter the ID of a user to be registered.

Telephone Number: Enter the telephone number of the user.

Authentication Username: Enter the name of the user for authentication.

Authentication Password: Enter the password of the user for authentication.

Registration Aging Time: Enter the maximum registration interval of the user.
By default, the maximum registration interval of clients set in "Service
configuration" is used.

Trusted nodes
Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to display the
page shown in Figure 661.
Figure 661 Configure a trusted node

Table 258 Configuration

Item Description
IP address: Enter the IP address of the trusted node.
By default, no trusted node is configured.

Port: Enter the port number of the trusted node.

IP address and Port (both items): A trusted node can directly originate calls without
being authenticated by the local SIP server. You do not need to configure user
information for the number of the trusted node.
Up to eight trusted nodes can be configured. Whether a trusted node is reachable is
determined by its IP address rather than its port number.

Call-out route
The local SIP server uses a static routing table to forward outgoing calls. If the called number of a call
matches a static route, the local SIP server forwards the call to the specified destination. The called
number does not need to register on the local SIP server. For example, as an external number, 5552000
does not need to register on the local SIP server. Configure a static route entry with the area prefix of 333
and called number of 5552000 on the local SIP server. Upon receiving a call from local number 1000 to
external number 5552000, the local SIP server adds the area prefix 333 to the calling number and
forwards the call to the destination specified in the static route entry.
Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and then click
Add to display the page shown in Figure 662.

Figure 662 Configure a call-out route

Table 259 Configuration

Item Description
ID: Enter the ID of the call-out route.

Destination Number Prefix and Number length: Enter the destination number prefix and
length. Suppose the destination number prefix is 4100, and the number length is 6. This
configuration matches destination numbers that are 6 digits long and start with 4100.
A dot can be used after a number to represent a character. This configuration does not
support other characters.

Destination IP address and Port Number: Enter the destination IP address and port number.

Area Prefix: Enter the area prefix added before the calling numbers of outgoing calls.

Area prefix
When the local SIP server is connected to the extranet, external users can originate calls to internal users
registered with the local SIP server. For calls from external users to internal users, the local SIP server
removes the configured area prefix from each called number to convert it to an internal short number. For
example, if an external user dials number 01050009999, the local SIP server checks whether any area
prefix matches the called number. If the area prefix 0105000 is available, the local SIP server removes
the prefix 0105000 from the called number and sends the call to 9999.
Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to display the page
shown in Figure 663.
Figure 663 Configure a call-in number prefix

• Enter the call-in number prefix, and then click Add a Prefix.

Up to eight call-in number prefixes can be configured. The local SIP server adopts longest match to deal
with a called number.
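
The number handling described under "Call-out route" and "Area prefix", as an added Python example that is not HP's implementation or code from this guide. The class and function names, the destination 192.0.2.10:5060, the lowest-ID-first choice when several routes match, and leaving a number unchanged when no prefix matches are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_CALL_IN_PREFIXES = 8                # limit stated in the guide
PREFIX_SYNTAX = re.compile(r"\d+\.*")   # digits, then optional dots (one dot = one character)


@dataclass(frozen=True)
class CallOutRoute:
    """Hypothetical model of one call-out route (the items of Table 259)."""
    route_id: int
    prefix: str        # destination number prefix, e.g. "4100" or "41.."
    length: int        # total length of the destination number
    dest_ip: str
    dest_port: int
    area_prefix: str   # added before the calling number of outgoing calls


def pattern_matches(prefix: str, length: int, number: str) -> bool:
    """True if number is exactly `length` digits long and starts with prefix."""
    if not PREFIX_SYNTAX.fullmatch(prefix):
        raise ValueError(f"unsupported prefix syntax: {prefix!r}")
    if not number.isdigit() or len(number) != length or len(prefix) > length:
        return False
    # zip() stops at the end of the prefix, so only the leading digits are compared.
    return all(p in (".", d) for p, d in zip(prefix, number))


def route_outgoing(routes: Iterable[CallOutRoute], calling: str,
                   called: str) -> Optional[Tuple[str, int, str, str]]:
    """Return (dest_ip, dest_port, new_calling, called) or None if no route matches.

    Assumption: when several routes match, the one with the lowest ID wins.
    """
    for route in sorted(routes, key=lambda r: r.route_id):
        if pattern_matches(route.prefix, route.length, called):
            return route.dest_ip, route.dest_port, route.area_prefix + calling, called
    return None


def strip_area_prefix(prefixes: Iterable[str], called: str) -> str:
    """Convert an external called number to an internal short number.

    The longest configured call-in prefix that matches is removed. A prefix
    that would consume the whole number is ignored (assumption).
    """
    prefixes = list(prefixes)
    if len(prefixes) > MAX_CALL_IN_PREFIXES:
        raise ValueError("at most eight call-in number prefixes can be configured")
    candidates = [p for p in prefixes if called.startswith(p) and len(called) > len(p)]
    if not candidates:
        return called
    return called[len(max(candidates, key=len)):]


if __name__ == "__main__":
    # Constructed sample data based on the numbers used in the text.
    routes = [CallOutRoute(1, "5552000", 7, "192.0.2.10", 5060, "333")]
    print(route_outgoing(routes, "1000", "5552000"))
    print(strip_area_prefix(["010", "0105000"], "01050009999"))
```
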

Call authority control


Configure a call rule set
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and then
click Add to display the page shown in Figure 664.
Figure 664 Configure a call rule set

Table 260 Configuration

Item Description
Rule Set ID: Enter the ID of the call rule set.

Rule

Rule ID: Enter the rule ID.

Call Direction:
• Outgoing—Applies the rule to outgoing calls.
• Incoming—Applies the rule to incoming calls.

Call Authority:
• Permit—Permits the matching calls.
• Deny—Denies the matching calls.

Number Pattern: Enter the number match pattern.
A dot can be used after a number to represent a character. This configuration
does not support other characters.

Apply the call rule set


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and then
click the icon of the call rule set to display the page shown in Figure 665.

Figure 665 Apply the call rule set

Table 261 Configuration

Item Description
Rule Set ID: Displays the call rule set ID.

Applied Globally:
• Enable—Applies the call rule set to all registered users.
• Disable—Specifies that the call rule set does not apply to any registered
users.

Register users bound to the rule set:
• In the Available register users field, select registered users, and click << to
add them to Register users bound to the rule set.
• In the Register users bound to the rule set field, select registered users, and
click >> to unbind them.
Users in the Available register users field are added in "User management."

SIP local survival configuration examples


Configuring local SIP server to operate in alone mode
Network requirements
Configure the local SIP server on Router C to operate in alone mode, so that the phones register with the
local SIP server and they can make and receive calls through the local SIP server.

Figure 666 Network diagram

Configuring Router C
# Configure the router to operate in the alone mode.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to display
the following page.
Figure 667 Configure alone mode

a. Select Enable for Server Running State.


b. Enter 2.1.1.2 for IP Address Bound to the Server.
c. Select Alone for Server Operation Mode.
d. Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and then
click Add to display the following page.

Figure 668 Configure a user

a. Enter 1000 for User ID.


b. Enter 1000 for Telephone Number.
c. Enter 1000 for Authentication Username.
d. Enter 1000 for Authentication Password.
e. Click Apply.

# Configure user 5000 in the same way.

Configuring Router A
• Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
• Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Configuring Router B
• Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.
• Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable registration, and
configure the main registrar's IP address as 2.1.1.2.

Verifying the configuration


• Select Voice Management > States and Statistics > Local Survival Service States from the navigation
tree. You can see that numbers 1000 and 5000 have been registered with the local SIP server on
Router C.
• Phones 1000 and 5000 can call each other through the local SIP server.

Configuring local SIP server to operate in alive mode
Network requirements
Router A and Router B carry out call services through the remote voice server VCX. Configure the local SIP
server on Router A to operate in alive mode, so that calls can be originated or received through Router A
when the VCX fails. When the VCX recovers, it takes over call services again.
Figure 669 Network diagram

Configuring Router A
# Configure the IP address of Ethernet 1/1 as 1.1.1.2 and the IP address of the sub interface as 2.1.1.2.
(Details not shown)
# Configure the local SIP server to operate in alive mode.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to display
the following page.
Figure 670 Configure alive mode

a. Select Enable for Server Running State.


b. Enter 2.1.1.2 for IP Address Bound to the Server.
c. Select Alive for Server Operation Mode.

d. Enter 3.1.1.1 for Remote Server IP Address.
e. Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and then
click Add to display the following page.
Figure 671 Configure a user

a. Enter 1000 for User ID.


b. Enter 1000 for Telephone Number.
c. Click Apply.
# Configure user 5000 in the same way.

Configuring Router A
• Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, and the bound line is line2/0.
• Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 3.1.1.2 and the backup registrar's IP address as
2.1.1.2.

Configuring Router B
• Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, and the bound line is line2/0.
• Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 3.1.1.2 and the backup registrar's IP address as
2.1.1.2.

Verifying the configuration


• When the VCX fails, the local SIP server on Router A starts to accept registrations from phones,
which can then call each other through Router A. Select Voice Management > States and Statistics >
Local Survival Service States from the navigation tree. You can see that numbers 1000 and 5000
have been registered with the local SIP server on Router A.

• When the VCX recovers, Router A disables the local SIP server, and the phones register with the
VCX again.
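
A review check for the settings used in the two examples above, as an added Python example that is not part of the guide or of the router software. The dictionary layout keyed by the web field labels, the function name, and the severity labels are assumptions; the sample values are the ones entered in the examples.

```python
import ipaddress

MAX_TRUSTED_NODES = 8  # limit stated in the guide


def audit_local_survival(service, users, trusted_nodes):
    """Return a list of (severity, subject, message) findings.

    service, users and trusted_nodes are a hypothetical transcription of the
    Service Configuration, User Management and Trusted Nodes pages.
    """
    findings = []

    if service.get("Server Running State") == "Enable":
        bound = service.get("IP Address Bound to the Server", "")
        if not bound:
            findings.append(("error", "service",
                             "server enabled without a bound IP address"))
        else:
            try:
                if ipaddress.ip_address(bound).is_loopback:
                    findings.append(("warn", "service",
                                     "bound to a loopback address; remote users cannot register"))
            except ValueError:
                findings.append(("error", "service", f"invalid bound IP address {bound!r}"))
        if (service.get("Server Operation Mode") == "Alive"
                and not service.get("Remote Server IP address")):
            findings.append(("error", "service",
                             "alive mode requires the remote server IP address"))

    if len(trusted_nodes) > MAX_TRUSTED_NODES:
        findings.append(("error", "trusted nodes",
                         "more than eight trusted nodes listed"))
    for node in trusted_nodes:
        # Per the guide, a trusted node originates calls without authentication.
        findings.append(("info", f"trusted node {node}",
                         "calls from this IP address are not authenticated"))

    for user in users:
        uid = user["User ID"]
        name = user.get("Authentication Username", "")
        password = user.get("Authentication Password", "")
        if not name or not password:
            findings.append(("warn", f"user {uid}",
                             "no authentication username/password entered"))
        elif password in (uid, name, user.get("Telephone Number")):
            findings.append(("warn", f"user {uid}",
                             "password equals the user ID, username or telephone number"))
    return findings


# Values entered in the alone-mode example (Router C).
ALONE_SERVICE = {"Server Running State": "Enable",
                 "IP Address Bound to the Server": "2.1.1.2",
                 "Server Operation Mode": "Alone"}
ALONE_USERS = [{"User ID": n, "Telephone Number": n,
                "Authentication Username": n, "Authentication Password": n}
               for n in ("1000", "5000")]

# Values entered in the alive-mode example (Router A).
ALIVE_SERVICE = {"Server Running State": "Enable",
                 "IP Address Bound to the Server": "2.1.1.2",
                 "Server Operation Mode": "Alive",
                 "Remote Server IP address": "3.1.1.1"}
ALIVE_USERS = [{"User ID": n, "Telephone Number": n} for n in ("1000", "5000")]

if __name__ == "__main__":
    for label, svc, usr in (("alone", ALONE_SERVICE, ALONE_USERS),
                            ("alive", ALIVE_SERVICE, ALIVE_USERS)):
        for finding in audit_local_survival(svc, usr, []):
            print(label, *finding, sep=" | ")
```
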

Configuring call authority control


Network requirements
The numbers for Department A in a company are in the range of 1000 to 1999, while those for
Department B are in the range of 5000 to 5999. Implement the following restrictions:
• Phones in Department A and Department B cannot originate external calls.
• Phone 5000 is not allowed to call phone 1000.
Figure 672 Network diagram (Router A Eth1/1 1.1.1.1/24; Router C Eth1/1 1.1.1.2/24 and Eth1/2 2.1.1.2/24; Router B Eth1/1 2.1.1.1/24; phones 1000 and 1111 attach to Router A, phones 5000 and 5555 attach to Router B)

Configuring the local SIP server on Router C


# Configure the local SIP server to operate in alone mode.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to display
the following page.
Figure 673 Configure alone mode

a. Select Enable for Server Running State.

b. Enter 2.1.1.2 for IP Address Bound to the Server.
c. Select Alone for Server Operation Mode.
d. Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and then
click Add to display the following page.
Figure 674 Configure a user

a. Enter 1000 for User ID.


b. Enter 1000 for Telephone Number.
c. Enter 1000 for Authentication Username.
d. Enter 1000 for Authentication Password.
e. Click Apply.

# Configure users with phone numbers 1111, 5000, and 5555 in the same way.
# Configure call rule set 0.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and then
click Add to display the following page.

Figure 675 Configure call rule set 0

a. Enter 0 for Rule Set ID.


b. Add three rules, as shown in Figure 675.
c. Click Apply.
# Apply call rule set 0.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and then
click the icon of call rule set 0 to display the following page.

Figure 676 Apply call rule set 0

a. Select Enable for Applied Globally.


b. Click Apply.

# Configure call rule set 2.


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and then
click Add to display the following page.
Figure 677 Configure call rule set 2

a. Enter 2 for Rule Set ID.
b. Add a rule, as shown in Figure 677.
c. Click Apply.
# Apply call rule set 2.
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and then
click the icon of call rule set 2 to display the following page.
Figure 678 Apply call rule set 2

a. Click 5000 in Available register users, and then click << to add it to Register users bound to the
rule set.
b. Click Apply.

Configuring Router A
• Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
• Configure a local number in the local number configuration page: The ID is 1111, the number is
1111, the bound line is line2/1, the user name is 1111, and the password is 1111.
• Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5…, the routing type is SIP, and the SIP routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Configuring Router B
• Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.
• Configure a local number in the local number configuration page: The ID is 5555, the number is
5555, the bound line is line2/1, the user name is 5555, and the password is 5555.
• Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1…, the routing type is SIP, and the SIP routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Verifying the configuration


• Select Voice Management > States and Statistics > Local Survival Service States from the navigation
tree. You can see that numbers 1000, 1111, 5000, and 5555 have been registered with the local
SIP server on Router C.
• The four phones cannot call external numbers, and phone 5000 cannot call phone 1000.

Configuring an area prefix


Network requirements
The internal numbers of a company are four digits long, and the area prefix is 8899. An external user
has to dial the area prefix 8899 before an internal number. The local SIP server on Router C removes the
area prefix from the dialed number and calls the four-digit internal number. The external phone attached
to Router A is not registered with Router C. The internal phone attached to Router B is registered with
Router C.
Figure 679 Network diagram

Configuring the local SIP server on Router C


# Configure the local SIP server to operate in alone mode.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to display
the following page.

Figure 680 Configure alone mode

a. Select Enable for Server Running State.


b. Enter 2.1.1.2 for IP Address Bound to the Server.
c. Select Alone for Server Operation Mode.
d. Click Apply.

# Configure Router A as a trusted node.


Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to display the
following page.
Figure 681 Configure a trusted node

a. Enter 1.1.1.1 for IP Address.


b. Click Apply.

# Configure area prefix 8899.


Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to display the
following page.

Figure 682 Configure an area prefix

a. Enter 8899 for Area Prefix.


b. Click Add a Prefix.
c. Click Apply.
# Configure user 5000.
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and then
click Add to display the following page.
Figure 683 Configure user 5000

a. Enter 5000 for User ID.


b. Enter 5000 for Telephone Number.
c. Enter 5000 for Authentication Username.
d. Enter 5000 for Authentication Password.
e. Click Apply.

Configuring Router A
• Configure a local number in the local number configuration page: The ID is 55661000, the number
is 55661000, and the bound line is line2/0.
• Configure a call route to Router B in the call route configuration page: The ID is 88995000, the
destination number is 88995000, the routing type is SIP, and the destination address is 2.1.1.2.

Configuring Router B
• Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Verifying the configuration
• Select Voice Management > States and Statistics > Local Survival Service States from the navigation
tree. You can see that number 5000 has been registered with the local SIP server on Router C.
• Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes
the area prefix 8899 from the called number and alerts internal phone 5000. Pick up phone 5000.
The call is established.

Configuring a call-out route


Network requirements
The internal numbers of a company are four digits long, and the area prefix is 8899. External phone
55665000 attached to Router B is not registered with the local SIP server on Router C. Internal phone
1000 attached to Router A is already registered with Router C. When a user in the company dials the
external number, the local SIP server routes the call according to the configured call-out route and adds
area prefix 8899 to the calling number.
Figure 684 Network diagram

Configuring the local SIP server on Router C


# Configure the local SIP server to operate in alone mode.
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to display
the following page.
Figure 685 Configure alone mode

a. Select Enable for Server Running State.


b. Enter 2.1.1.2 for IP Address Bound to the Server.

c. Select Alone for Server Operation Mode.
d. Click Apply.

# Configure a call-out route.


Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and then click
Add to display the following page.
Figure 686 Configure a call-out route

a. Enter 0 for ID.


b. Enter 55665000 for Destination Number Prefix, and 8 for Number Length.
c. Enter 2.1.1.1 for Destination IP Address.
d. Enter 8899 for Area Prefix.
e. Click Apply.

# Configure user 1000.


Select Voice Management > SIP Local Survival > User Management from the navigation tree, and then
click Add to display the following page.
Figure 687 Configure user 1000

a. Enter 1000 for User ID.


b. Enter 1000 for Telephone Number.
c. Enter 1000 for Authentication Username.
d. Enter 1000 for Authentication Password.
e. Click Apply.

Configuring Router A
• Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
• Configure a call route to Router B in the call route configuration page: The ID is 55665000, the
destination number is 55665000, the routing type is SIP, and the routing method is proxy server.

Configuring Router B
• Configure a local number in the local number configuration page: The ID is 55665000, the number
is 55665000, and the bound line is line2/0.
• Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the routing method is proxy server.
• Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar's IP address as 2.1.1.2.

Verifying the configuration


• Select Voice Management > States and Statistics > Local Survival Service States from the navigation
tree. You can see that number 1000 has been registered with the local SIP server on Router C.
• Place a call from phone 1000 to phone 55665000. The local SIP server on Router C adds prefix
8899 before the calling number and sends the call to phone 55665000. Pick up phone
55665000. The call is established.
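
The number handling in the area prefix and call-out route examples above can be traced with the following added sketch, which is not HP's code. It assumes that the server accepts a call only from a registered user or a trusted node and that Number Length means the full length of the dialed number; the 192.0.2.x addresses and the dictionary layout are constructed for illustration.

```python
"""Simplified model of how the local SIP server rewrites numbers (not the device's code)."""

# Area prefix scenario: external phone 55661000 behind trusted Router A dials 88995000.
AREA_PREFIX_CFG = {
    "trusted_nodes": {"1.1.1.1"},
    "area_prefixes": ["8899"],
    "registered": {"5000": "192.0.2.20"},    # number -> contact IP (constructed)
    "call_out_routes": [],
}

# Call-out scenario: registered phone 1000 dials unregistered external phone 55665000.
CALL_OUT_CFG = {
    "trusted_nodes": set(),
    "area_prefixes": [],
    "registered": {"1000": "192.0.2.10"},    # contact IP is constructed
    "call_out_routes": [
        {"id": 0, "prefix": "55665000", "length": 8,
         "dest_ip": "2.1.1.1", "area_prefix": "8899"},
    ],
}


def route_call(cfg, src_ip, calling, called):
    """Return (decision, calling_number, called_number, next_hop)."""
    # Assumption: the caller must be a registered user or arrive from a trusted node.
    if calling not in cfg["registered"] and src_ip not in cfg["trusted_nodes"]:
        return ("reject", calling, called, None)

    # Inbound: remove a configured area prefix when the rest is a registered number.
    for prefix in cfg["area_prefixes"]:
        if called.startswith(prefix):
            rest = called[len(prefix):]
            if rest in cfg["registered"]:
                return ("deliver", calling, rest, cfg["registered"][rest])

    # Internal call between registered numbers: no rewriting.
    if called in cfg["registered"]:
        return ("deliver", calling, called, cfg["registered"][called])

    # Outbound: match destination prefix and number length, then add the
    # route's area prefix in front of the calling number.
    matches = [r for r in cfg["call_out_routes"]
               if called.startswith(r["prefix"]) and len(called) == r["length"]]
    if matches:
        route = max(matches, key=lambda r: len(r["prefix"]))
        return ("call-out", route["area_prefix"] + calling, called, route["dest_ip"])

    return ("reject", calling, called, None)


if __name__ == "__main__":
    print(route_call(AREA_PREFIX_CFG, "1.1.1.1", "55661000", "88995000"))
    print(route_call(AREA_PREFIX_CFG, "192.0.2.99", "55661000", "88995000"))
    print(route_call(CALL_OUT_CFG, "192.0.2.10", "1000", "55665000"))
```

In this model, the second call is rejected because its source is neither registered nor listed under Trusted Nodes, which is the role the trusted node entry for 1.1.1.1 plays in the area prefix example.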

Configuring IVR

IVR is extensively used in voice communications. You can use the IVR system to customize interactive
operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays
the prerecorded voice prompts to direct the subscriber about how to proceed (for example, to dial a
number).

Advantages
A conventional interactive voice system uses fixed audio files and operations. IVR enables you to
customize your own interactive system by adding, modifying, and removing audio files. IVR has the
following advantages.

Customizable voice prompts


Voice prompts can be saved as audio files on voice devices and played to subscribers. You can record
personalized voice prompts, convert the format of the audio files by using the converter provided by HP,
and then upload the converted files to the voice devices. The adding, modifying, and removing
operations in the IVR system are simple and easy to use, and the configurations take effect instantly.

Various codecs
The IVR system supports four codecs for voice prompts: G.711alaw, G.711ulaw, G.723r53, and
G.729r8. The converter provided by HP can transcode among these four codecs. Each codec has
its advantages and disadvantages: G.711alaw and G.711ulaw provide high voice quality but
require more memory space. G.723r53 and G.729r8 provide relatively low voice quality but
require less memory space.

Flexible node configuration


To simplify configuration, the IVR system uses nodes as basic units for configuration. You can define three
types of nodes: call node, jump node, and service node. Each node type has a single function, and you
can combine them to realize complex functions.
• Call node—Executes a secondary call.
• Jump node—Jumps to another node according to the input of the subscriber.
• Service node—Executes various operations, such as executing an immediate secondary call, auto
jumping, terminating a call, and playing an audio file.

Customizable process
You can customize the interactive process easily. For example, configure custom IVR access numbers,
voice prompts, and combinations of keys and voice prompts.

Successive jumping
The IVR process can jump from node to node up to eight times in succession.

Error processing methods


The IVR system provides three error processing methods: terminate the call, jump to a specified node, and
return to the previous node. You can select an error processing method for a call node, a jump node, or
globally to handle errors.

Timeout processing methods


The IVR system provides three timeout processing methods: terminate the call, jump to a specified node,
and return to the previous node. You can select a timeout processing method for a call node, a jump
node, or globally to handle the keypress timeout event.

Various types of secondary calls


The IVR system supports immediate secondary call, normal secondary call, and extension secondary call:
• A subscriber makes an immediate secondary call without having to dial the number of the called
party. Immediate secondary calls are executed by service nodes.
• A subscriber makes a normal secondary call by dialing the number of the called party. Normal
secondary calls are executed by call nodes. You can configure a node to match the length of a
number, the terminator, or the number.
• A subscriber makes an extension secondary call by dialing the extension number of the called party.
Extension secondary calls are executed by call nodes.

Configuring IVR
Uploading media resource files
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
display the following page.
Figure 688 Media file list

You can click to save the media resource file to a specified directory.

Click Add. The following page appears.
Figure 689 Configure media resource

Table 262 Configuration

Item | Description
Media Resource ID | Set a media resource ID.
Rename Media Resource | Enter a name for the media resource file.
Upload Media Resource | Upload media resource files for g729r8, g711alaw, g711ulaw, and g723r53.

Configuring the global key policy


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and then click the
Global Key Policy tab.

Figure 690 Global key policy

Table 263 Configuration

Item | Description
Input Error Processing Method |
Max Count of Input Errors | Enter the maximum number of input errors.
Play Voice Prompts for Input Errors | Enable or Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count | Set the number of voice prompts.
Input Timeout Processing Method |
Max Count of Input Timeouts | Set the maximum number of input timeouts.
Timeout Time | Set the timeout time.
Play Voice Prompts for Input Timeout | Enable or Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count | Set the number of voice prompts.

Configuring IVR nodes


You can configure three types of IVR nodes: call node, jump node, and service node.
Avoid the following misconfigurations:
• No operation is configured for a node.
• Several nodes form a loop. The subscriber has no other options except jumping around these nodes.
• The IVR process jumps from node to node more than eight times.
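
The three misconfigurations listed above can be checked offline before a node plan is entered in the web interface. The following is an added sketch, not HP's code: the plan format (node ID mapped to a list of operations) and the sample plan are constructed for illustration.

```python
"""Static checks for an IVR node plan, mirroring the guide's three misconfigurations."""

MAX_JUMPS = 8                      # the guide's limit on successive node-to-node jumps
EXIT_ACTIONS = {"terminate", "call"}

# Constructed sample plan (hypothetical format): node ID -> list of operations.
# Each operation is (action, argument); actions used here are
# "play", "jump", "terminate", "return" and "call" (a secondary call).
SAMPLE_PLAN = {
    10: [("play", "welcome"), ("jump", 20), ("jump", 30)],
    20: [("call", "match-terminator #")],
    30: [("jump", 31)],
    31: [("play", "menu"), ("jump", 30)],
    40: [],
}


def jump_targets(plan, node_id):
    """Node IDs that node_id can jump to (targets missing from the plan are ignored)."""
    return [arg for action, arg in plan.get(node_id, [])
            if action == "jump" and arg in plan]


def nodes_without_operation(plan):
    """Nodes for which no operation is configured."""
    return sorted(nid for nid, ops in plan.items() if not ops)


def trapped_nodes(plan):
    """Nodes that offer jumps but can never reach a terminate or call operation."""
    can_exit = {nid for nid, ops in plan.items()
                if any(action in EXIT_ACTIONS for action, _ in ops)}
    changed = True
    while changed:                 # propagate "can exit" backwards along jump edges
        changed = False
        for nid in plan:
            if nid not in can_exit and any(
                    t in can_exit for t in jump_targets(plan, nid)):
                can_exit.add(nid)
                changed = True
    return sorted(nid for nid in plan
                  if nid not in can_exit and jump_targets(plan, nid))


def longest_jump_chain(plan, entry):
    """Jumps on the longest loop-free path from entry; stops once MAX_JUMPS is exceeded."""
    best = 0
    stack = [(entry, frozenset([entry]), 0)]
    while stack:
        nid, seen, depth = stack.pop()
        best = max(best, depth)
        if best > MAX_JUMPS:
            break
        for target in jump_targets(plan, nid):
            if target not in seen:
                stack.append((target, seen | {target}, depth + 1))
    return best


def audit(plan, entry):
    """Return (node ID, problem) pairs for the plan bound to the access number at entry."""
    findings = [(nid, "no operation configured")
                for nid in nodes_without_operation(plan)]
    findings += [(nid, "loop with no terminate or call option")
                 for nid in trapped_nodes(plan)]
    if longest_jump_chain(plan, entry) > MAX_JUMPS:
        findings.append((entry, "more than %d successive jumps are possible" % MAX_JUMPS))
    return findings


if __name__ == "__main__":
    for node_id, problem in audit(SAMPLE_PLAN, entry=10):
        print("node %d: %s" % (node_id, problem))
```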

Configuring a call node


Use call nodes to configure the secondary call function. You can configure two kinds of dial plans for a
call node: normal secondary call and extension secondary call. If you configure both dial plans for a call
node, the extension secondary call plan takes precedence over the normal secondary call plan.
To handle input errors and input timeouts, configure error processing and timeout processing methods for
a node. If you do not configure the methods, global processing methods apply.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Call
Node List tab, and then click Add to display the following page.

Figure 691 Configure a call node

Table 264 Configuration

Item | Description
Node ID | Enter a node ID.
Description | Enter a description for the node.
Play Voice Prompts | Enable or Disable. Disabled by default. The following options are available for playing voice prompts. Mandatory play: The subscriber can press keys effectively only after the voice prompts end. Voice prompts: Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management. Play count: Number of play times. By default, mandatory play is disabled, and the play count is 1.
Input Method |
Input Error Processing Method | Terminate the call, Jump to a specified node, or Return to the previous node. By default, the node uses the input error processing method configured in the global key policy.
Specify A Node | Specify the node to which the subscriber is directed when the number of input errors reaches the maximum.
Max Count of Input Errors | Maximum number of input errors.
Play Voice Prompts for Input Errors | Enable or Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.
Play Count | Number of play times.
Input Timeout Processing Method | Terminate the call, Jump to a specified node, or Return to the previous node. By default, the node uses the input timeout processing method configured in the global key policy.
Specify A Node | Specify the node to which the subscriber is directed when the number of input timeouts reaches the maximum.
Max Count of Input Timeouts | Maximum number of input timeouts.
Timeout Time | Timeout time.
Play Voice Prompts for Input Timeout | Enable or Disable. Not enabled by default.
Voice Prompts | Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Play Count | Number of play times.
Secondary-Call |
Number Match Mode | Match the terminator of the numbers, Match the length of the numbers, or Match the local number and route. At least one of the number match mode and the extension secondary call must be configured.
Length of Numbers | Enter the number length.
Terminator | Enter the terminator.
Extension Secondary-Call |
Extension Number, Corresponding Number | Associate the extension number with the corresponding number. You can click Add a Rule to configure a rule for executing the secondary call. By default, no extension secondary call is configured.

Configuring a jump node


You can configure the following functions for a jump node: playing audio files, jumping to another node,
and terminating a call. You can also configure error processing and timeout processing methods for the
jump node. If you do not configure these methods, the jump node uses the global methods.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Jump
Node List tab, and then click Add to display the following page.

Figure 692 Configure a jump node

Table 265 Configuration

Item | Description
Node ID | Enter a node ID.
Description | Enter a description for the node.
Key mapping | Map actions with keys: Terminate the call; Jump to a specified node (if this option is selected, select the target node from the Specify a node list); Return to the previous node. No key mapping is configured by default.

See Table 264 for descriptions about other items.

Configure a service node


The functions of a service node include playing audio files, jumping to another node, executing
immediate secondary call, and terminating a call.
You can configure at most three functions for a service node. If an executed function is to jump to another
node or to terminate a call, the remaining functions are not executed.
Because a service node has no need to wait for subscriber input, the error processing and timeout
processing methods are unavailable for a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Service
Node List tab, and then click Add to display the following page.
Figure 693 Configure a service node

Table 266 Configuration

Item | Description
Node ID | Enter a node ID.
Description | Enter a description for the node.
Operation Configuration | Terminate the call. Jump to a specified node: If this operation is selected, you must select a node from the Specify A Node list. Return to the previous node. Play voice prompts: If this operation is selected, you must select a voice prompt file from the Voice Prompt File list. Immediate secondary-call: If this operation is selected, you must enter the secondary call number in the Secondary-call Number field.
Execution Order | Select the execution order.

Configuring access number management


Configuring an access number
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click Add to display the following page.
Figure 694 Configure an access number

Table 267 Configuration

Item | Description
Number ID | Enter a number ID (30000 to 39999).
Number | Enter the access number.
Bind to Menu | Bind a node in the list to the access number. You can configure the nodes in Voice Management > IVR Services > Advanced Settings.
Description | Enter a description for the access number.
Register Function | Enable: The following registration parameters are configurable when Enable is selected. Disable.
Register Username | Enter the user name for registration.
Register Password | Enter the password for registration.
Cnonce Name | Enter the cnonce name for handshake authentication.
Realm Name | Enter the realm name for handshake authentication. NOTE: The realm name must be consistent with that configured on the server. Otherwise, authentication fails. If no realm name is configured, the device trusts the realm name from the server.
Status | Enable: Enables the access number. Disable: Disables the access number.

Configuring advanced settings for an access number


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click the icon of the configured access number to display the following page.
Figure 695 Configure advanced settings

For information about advanced settings, see "Configuring advanced settings for local numbers and call
routes."

IVR configuration examples
Configure a secondary call on a call node (match the terminator of numbers)
Network requirements
As shown in Figure 696, configure an IVR access number and call node functions on Router B to meet the
following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav.
• The subscriber dials 50# at Telephone A to originate a secondary call, and then Telephone B1 rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 696 Network diagram

Configuring Router A
# Configure a local number and call route.
• Configure a local number in the local number configuration page: The number ID is 100; the
number is 100; the bound line is line 1/0.
• Configure a route to Router B in the call route configuration page: The route ID is 300; the
destination number is 300; the SIP routing method is IP routing; the destination IP address is
1.1.1.2; the DTMF transmission mode is out-of-band.

Configuring Router B
# Configure local numbers in the local number configuration page.
• Local number 500: The number ID is 500; the number is 500; the bound line is line 1/0.
• Local number 50: The number ID is 50; the number is 50; the bound line is line 1/1.
# Upload g729r8 media resource files.
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
display the following page.

Figure 697 Upload a media resource file

a. Enter 10001 for Media Resource ID.


b. Enter welcome for Rename Media Resource.
c. Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.

Use the same method to upload the other g729r8 media resource files: timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
• If no number is dialed at Telephone A within the timeout time, Router B plays audio file timeout.wav.
If the number of timeouts reaches four, Router B terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav. If the number of input errors reaches three, Router B terminates the call.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and then click the
Global Key Policy tab.

Figure 698 Configure the global key policy

a. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice
Prompts list.
b. Enter 4 for Max Count of Input Timeouts and 5 for Timeout Time.
c. Select Enable for Play Voice Prompts for Input Timeout.
d. Select timeout from the Voice Prompts list.
e. Click Apply.

# Configure the call node to achieve the following purpose:


• The subscriber dials the number 300 at Telephone A and hears the voice prompts of audio file
welcome.wav. After that, the subscriber dials 50# at Telephone A, and Telephone B1 rings.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Call Node tab, and then click Add to display the following page.

Figure 699 Configure a call node

a. Enter 10 for Node ID.


b. Enter play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the terminator of the numbers from the Number Match Mode list; type # for
Terminator.
e. Click Apply.

# Configure the access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click Add to display the following page.

Figure 700 Configure an access number

a. Enter 30000 for Number ID.


b. Enter 300 for Number.
c. Select play-welcome from the Bind to Menu list.
d. Click Apply.

Verifying the configuration


Dial the number 300 at Telephone A, and the call node plays audio file welcome.wav. Then, dial 50# at
Telephone A, and Telephone B1 rings.

Configure a secondary call on a call node (match the number length)
Network requirements
As shown in Figure 701, configure an IVR access number and call node functions on Router B to meet the
following requirements:
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure the number match length as 3 (when the subscriber dials 500 that
matches number length 3, Telephone B2 rings).
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 701 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure the call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Call Node tab, and then click Add to display the following page.

Figure 702 Configure the call node

a. Enter 10 for Node ID.


b. Enter play-welcome for Description.
c. Select Enable for Play Voice Prompts, and select welcome from the Voice Prompts list.
d. Select Match the length of the numbers from the Number Match Mode list, and enter 3 for Length
of Numbers.
e. Click Apply.

For other settings, see "Configuring Router B."

Verifying the configuration


Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial 500, and Telephone
B2 rings.

Configure a secondary call on a call node (match a number)
Network requirements
As shown in Figure 703, configure an IVR access number and call node functions on Router B to meet the
following requirements:
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure number match so that when the subscriber dials 50, Telephone B1
rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 703 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Call Node tab, and then click Add to display the following page.

Figure 704 Configure a call node

a. Enter 10 for Node ID.


b. Enter play-welcome for Description.
c. Select Enable for Play Voice Prompts, and select welcome from the Voice Prompts list.
d. Select Match the local number and route from the Number Match Mode list.
e. Click Apply.

For other settings, see "Configuring Router B."

Verifying the configuration


Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial 50, and Telephone
B1 rings.

Configure an extension secondary call on a call node
Network requirements
As shown in Figure 705, configure an IVR access number and call node functions on Router B to meet the
following requirements:
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then the subscriber dials 0, and Router B makes an extension secondary call so
that Telephone B rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 705 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Call Node tab, and then click Add to display the following page.

Figure 706 Configure a call node

a. Enter 10 for Node ID.


b. Enter play-welcome for Description.
c. Select Enable for Play Voice Prompts, and select welcome from the Voice Prompts list.
d. Select 0 for Extension Number.

e. Select 500 for Corresponding Number.
f. Click Apply.
For other settings, see "Configuring Router B."

Verifying the configuration


Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial 0, and Telephone B
rings.
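
The four call node examples above (terminator, number length, number match, and extension) can be compared side by side with the following added sketch, which is a simplified model and not the router's implementation. It assumes that the key buffer is cleared after each input error or timeout, that a completed number not among Router B's local numbers counts as an input error, and that the processing method is to terminate the call; the dictionary layout is constructed for illustration.

```python
"""Simplified model of call-node key collection (not the device's implementation)."""

TIMEOUT = "TIMEOUT"
GLOBAL_POLICY = {"max_errors": 3, "max_timeouts": 4}   # counts from the guide's example
LOCAL_NUMBERS = {"50", "500"}                          # Router B's local numbers

# The four call-node variants from the examples (hypothetical representation).
TERMINATOR_NODE = {"mode": "terminator", "terminator": "#"}
LENGTH_NODE = {"mode": "length", "length": 3}
NUMBER_NODE = {"mode": "number"}
EXTENSION_NODE = {"extensions": {"0": "500"}}


def complete_number(node, buffer, local_numbers):
    """Return the number to call, "" if more keys are needed, or None for an input error."""
    extensions = node.get("extensions", {})
    if buffer in extensions:                   # the extension plan takes precedence
        return extensions[buffer]
    mode = node.get("mode")
    if mode == "terminator":
        if not buffer.endswith(node["terminator"]):
            return ""
        number = buffer[:-len(node["terminator"])]
    elif mode == "length":
        if len(buffer) < node["length"]:
            return ""
        number = buffer
    elif mode == "number":
        if buffer in local_numbers:
            return buffer                      # first exact match wins in this model
        return "" if any(n.startswith(buffer) for n in local_numbers) else None
    else:                                      # only extension rules are configured
        return "" if any(e.startswith(buffer) for e in extensions) else None
    return number if number in local_numbers else None


def run_call_node(node, events, policy=GLOBAL_POLICY, local_numbers=LOCAL_NUMBERS):
    """Feed key presses (or TIMEOUT) to a call node and return the outcome."""
    errors = timeouts = 0
    buffer = ""
    for event in events:
        if event == TIMEOUT:
            timeouts += 1
            buffer = ""
            if timeouts >= policy["max_timeouts"]:
                return ("terminate", "input timeouts")
            continue
        buffer += event
        result = complete_number(node, buffer, local_numbers)
        if result is None:
            errors += 1
            buffer = ""
            if errors >= policy["max_errors"]:
                return ("terminate", "input errors")
        elif result:
            return ("call", result)
    return ("waiting", buffer)


if __name__ == "__main__":
    print(run_call_node(TERMINATOR_NODE, list("50#")))        # Telephone B1
    print(run_call_node(LENGTH_NODE, list("500")))            # Telephone B2
    print(run_call_node(NUMBER_NODE, list("50")))
    print(run_call_node(EXTENSION_NODE, ["0"]))
    print(run_call_node(TERMINATOR_NODE, list("99#98#97#")))  # three input errors
```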

Configuring a jump node


Network requirements
As shown in Figure 707, configure an IVR access number and jump node functions on Router B to meet
the following requirements:
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then if the subscriber dials #, Router B terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 707 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure a jump node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Jump Node tab, and then click Add to display the following page.

Figure 708 Configure a jump node

a. Enter 10 for Node ID.
b. Enter play-welcome for Description.
c. Select Enable for Play Voice Prompts, and select welcome from the Voice Prompts list.
d. Select Terminate the call for Key#.
e. Click Apply.

For other settings, see "Configuring Router B."

Verifying the configuration


Dial 300 at Telephone A, and Router B plays the audio file welcome.wav. Then dial #, and the call is
terminated.

Configure an immediate secondary call on a service node


Network requirements
As shown in Figure 709, configure an IVR access number and service node functions on Router B to meet
the following requirements:
• After the subscriber dials 300 (the IVR access number) from Telephone A, Telephone B rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 709 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Service Node tab, and then click Add to display the following page.

Figure 710 Configure a service node

a. Enter 10 for Node ID.


b. Enter play-welcome for Description.
c. Add two operations, as shown in Figure 710.
d. Click Apply.

# Configure an access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click Add to display the following page.

Figure 711 Configure an access number

a. Enter 30000 for Number ID.


b. Enter 300 for Number.
c. Select call500 from the Bind to Menu list.
d. Click Apply.

For other settings, see "Configuring Router B."

Verifying the configuration


Dial 300 at Telephone A. Telephone B rings.

Configure a secondary call on a service node


Network requirements
As shown in Figure 712, configure an IVR access number and service node functions on Router B to meet
the following requirements:
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file bye.wav and then terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 712 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Service Node tab, and then click Add to display the following page.
Figure 713 Configure a service node

a. Enter 10 for Node ID.


b. Enter reject-call for Description.
c. Add two operations, as shown in Figure 713.
d. Click Apply.

# Configure an access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click Add to display the following page.

Figure 714 Configure an access number

a. Enter 30000 for Number ID.


b. Enter 300 for Number.
c. Select reject-call from the Bind to Menu list.
d. Click Apply.

For other settings, see "Configuring Router B."

Verifying the configuration


Dial number 300 at Telephone A. Router B plays the audio file bye.wav and then terminates the call.

Configure a call node, jump node, and service node


Network requirements
As shown in Figure 715, configure an IVR access number and configure a call node, jump node, and
service node on Router B to meet the following requirements:
• After the subscriber dials 300 at Telephone A, Router B plays the audio file welcome.wav.
• If the subscriber presses the * key at Telephone A, the call jumps to the service node, and the
subscriber hears voice prompts of the audio file bye.wav. After that, the service node releases the
call.
• If the subscriber presses the # key at Telephone A, the call jumps to the call node, and the subscriber
hears the voice prompts of the audio file call.wav. After that, if the subscriber dials 1, Telephone B
rings.

Figure 715 Network diagram

Configuring Router A
See "Configuring Router A."

Configuring Router B
# Configure a local number in the local number configuration page.
The number ID is 500; the number is 500; the bound line is line 1/0.
# Upload a g729r8 media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
display the following page.
Figure 716 Upload a g729r8 media resource file

a. Enter 10001 for Media Resource ID.


b. Enter welcome for Rename Media Resource.
c. Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.

Use the same method to upload the other g729r8 media resource files: timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav. If the number of timeouts reaches four, Router B terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav. If the number of input errors reaches three, Router B terminates the call.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and then click the
Global Key Policy tab.
Figure 717 Configure the global key policy

a. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice
Prompts list.
b. Enter 4 for Max Count of Input Timeouts and 5 for Timeout Time.
c. Select Enable for Play Voice Prompts for Input Timeout.
d. Select timeout from the Voice Prompts list.
e. Click Apply.

# Configure a call node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Call Node tab, and then click Add to display the following page.

Figure 718 Configure a call node

a. Enter 10 for Node ID.
b. Enter play-call for Description.
c. Select Enable for Play Voice Prompts.
d. Select Enable for Mandatory Play.
e. Select call from the Voice Prompts list.
f. Enter 1 for Extension Number.
g. Enter 500 for Corresponding Number.
h. Click Add a Rule.
i. Click Apply.
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Service Node tab, and then click Add to display the following page.
Figure 719 Configure a service node

a. Enter 20 for Node ID.


b. Enter reject-call for Description.
c. Add two operations, as shown in Figure 719.
d. Click Apply.

# Configure a jump node.


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Configure
Jump Node tab, and then click Add to display the following page.

Figure 720 Configure a jump node

a. Enter 10 for Node ID.
b. Enter play-welcome for Description.
c. Select Enable for both Play Voice Prompts and Mandatory Play.
d. Select welcome from the Voice Prompts list.
e. Select Jump to a specified node from the Key* list, and reject-all from its Specify a node list.
f. Select Jump to a specified node from the Key# list, and play-all from its Specify a node list.
g. Click Apply.

# Configure an access number.


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click Add to display the following page.
Figure 721 Configure an access number

a. Enter 300 for Number ID.


b. Enter 300 for Number.
c. Select play-welcome from the Bind to Menu list.
d. Click Apply.

Verifying the configuration


Dial 300 at Telephone A. Router B plays the audio file welcome.wav. Then:
• If you press the * key at Telephone A, the call jumps to service node 20, and you hear voice prompts
of the audio file bye.wav. After that, the service node releases the call.
• If you press the # key at Telephone A, the call jumps to call node 10, and you hear the voice
prompts of the audio file call.wav. After that, if you dial 1, Telephone B rings.
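
The behavior verified above can be replayed offline before the configuration is applied. The following Python model is an added example, not HP's code or part of the original guide. It names the nodes by their Description fields and takes the jump targets from the verification steps (service node 20 and call node 10); the per-call counters, the prompt being played on the terminating attempt, and the service node's two operations (play bye.wav, then terminate) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Global key policy from the requirements above: the call is terminated when
# input timeouts reach 4 or input errors reach 3 (counted per call: assumption).
MAX_TIMEOUTS = 4
MAX_INPUT_ERRORS = 3
TIMEOUT_PROMPT = "timeout.wav"
ERROR_PROMPT = "input_error.wav"


@dataclass
class Node:
    kind: str                                        # "jump", "call" or "service"
    prompt: Optional[str] = None                     # audio file played on entry
    keys: dict = field(default_factory=dict)         # jump node: key -> target node name
    extensions: dict = field(default_factory=dict)   # call node: extension -> number
    operations: list = field(default_factory=list)   # service node: ordered operations


# Nodes named by their Description fields. Jump targets follow the verification
# steps (* -> service node 20, # -> call node 10). The service node's two
# operations are assumed to be "play bye.wav" and "terminate".
NODES = {
    "play-welcome": Node("jump", "welcome.wav",
                         keys={"*": "reject-call", "#": "play-call"}),
    "play-call": Node("call", "call.wav", extensions={"1": "500"}),
    "reject-call": Node("service",
                        operations=[("play", "bye.wav"), ("terminate", None)]),
}
ACCESS_NUMBERS = {"300": "play-welcome"}


def run_call(dialed, inputs):
    """Return the ordered actions Router B takes for one call.

    inputs is the caller's key presses in order. None stands for an input
    timeout, and running out of scripted input also counts as a timeout.
    """
    if dialed not in ACCESS_NUMBERS:
        return ["no IVR access number matched"]
    trace, timeouts, errors = [], 0, 0
    pending = iter(inputs)
    name = ACCESS_NUMBERS[dialed]
    while True:
        node = NODES[name]
        if node.prompt:
            trace.append(f"play {node.prompt}")
        if node.kind == "service":
            for op, arg in node.operations:
                if op == "play":
                    trace.append(f"play {arg}")
                elif op == "terminate":
                    break
            trace.append("terminate")     # in this model a service node always ends the call
            return trace
        while True:                       # collect input on a jump or call node
            key = next(pending, None)
            if key is None:
                timeouts += 1
                trace.append(f"play {TIMEOUT_PROMPT}")
                if timeouts >= MAX_TIMEOUTS:
                    trace.append("terminate")
                    return trace
            elif node.kind == "call" and key in node.extensions:
                trace.append(f"call {node.extensions[key]}")
                return trace
            elif node.kind == "jump" and key in node.keys:
                name = node.keys[key]
                break
            else:
                errors += 1
                trace.append(f"play {ERROR_PROMPT}")
                if errors >= MAX_INPUT_ERRORS:
                    trace.append("terminate")
                    return trace


if __name__ == "__main__":
    # Constructed key-press scripts; None is a timeout.
    for script in (["*"], ["#", "1"], ["#", "9", None, "1"], ["5", "5", "5"], []):
        print(script, "->", run_call("300", script))
```

Because the timeout and error counters are bounded, every script ends in either a placed call or a terminated call, which is the property the global key policy is there to guarantee.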

Customizing IVR services


You can customize your own IVR systems to automate services such as service query and to save costs.

Creating a menu
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and then click Add to create a menu. The following describes settings for different types of menus,
including jump, terminate the call, enter the next menu, return to the previous menu, dial immediately,
and secondary call.

Configure a Jump menu


Select Jump from the Menu Type list to display the following page.
Figure 722 Configure a jump menu

Table 268 Configuration

Item: Description

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Jump.
By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file.
No audio file is selected by default.

Input Error Processing Method: Select one of the following methods:
• Terminate the call
• Jump
• Return to the previous menu
By default, no method is set.

Specify A Menu: Specify the target menu.
This setting is available when the Input Error Processing Method is Jump to a menu.

Input Error Prompts: Select an audio file.
No audio file is selected by default.

Input Timeout Processing Method: Select one of the following methods:
• Terminate the call
• Jump to a specified node
• Return to the previous node
By default, no method is set.

Specify A Menu: Specify the target menu.
This setting is available when the Input Timeout Processing Method is Jump to a Menu.

Timeout Prompts: Select an audio file.
No audio file is selected by default.

Key Mapping: Map keys with operations:
• Terminate the call
• Jump to a menu
• Return to the previous menu
No key mapping is configured by default.
Jump to submenu is available when the operation is Jump to a menu.

Configure a Terminate the call menu


Select Terminate the call from the Menu Type list to display the following page.

Figure 723 Configure a Terminate the call menu

Table 269 Configuration

Item: Description

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Terminate the call.
By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file.
No audio file is selected by default.

Configure a menu of type Enter the next menu


Select Enter the next menu from the Menu Type list to display the following page.
Figure 724 Enter the next menu

Table 270 Configuration

Item: Description

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Enter the next menu.
By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file.
No audio file is selected by default.

Jump to the next menu: Select the target menu.

Configure a menu of type Return to the previous menu


Select Return to the previous menu from the Menu Type list to display the following page.
Figure 725 Return to the previous menu

Table 271 Configuration

Item: Description

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Return to the previous menu.
By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file.
No audio file is selected by default.

Configure a Dial immediately menu


Select Dial immediately from the Menu Type list to display the following page.
Figure 726 Dial immediately menu

Table 272 Configuration

Item: Description

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Dial immediately.
By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file.
No audio file is selected by default.

Call immediately: Enter the target number.

Configure a Secondary-call menu


Select Secondary-call from the Menu Type list to display the following page.
Figure 727 Secondary-call menu

Table 273 Configuration

Item: Description

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Secondary-call.
By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file.
No audio file is selected by default.

Input Error Processing Method: Select one of the following methods:
• Terminate the call
• Jump to a menu
• Return to the previous menu
By default, the menu uses the input error processing method configured in the global key policy.

Specify A Menu: Specify the target menu.
This setting is available when the Input Error Processing Method is Jump to a menu.

Input Error Prompts: Select an audio file. Voice prompt files can be configured in Voice Management >
IVR Services > Media Resources Management.

Input Timeout Processing Method: Select one of the following methods:
• Terminate the call
• Jump to a menu
• Return to the previous menu
By default, the menu uses the input timeout processing method configured in the global key policy.

Specify A Menu: Specify the target menu.
This setting is available when the Input Error Processing Method is Jump to a menu.

Timeout Prompts: Select an audio file. Voice prompt files can be configured in Voice Management >
IVR Services > Media Resources Management.

Normal Secondary-Call Number Matching Policy: Select one of the following policies:
• Match the terminator of the numbers
• Match the length of the numbers
• Match the local number and route
By default, no policy is configured.

Match Number Length: Enter the number length.

Match Number Terminator: Enter the number terminator.

Extension Secondary-Call Number Matching Policy

Extension number, Corresponding number: Enter an extension number and the corresponding number, and
then click Add to associate them.
By default, no extension secondary call is configured.

Binding an access number
After configuring a menu, click Next to display the following page.
Figure 728 Bind an access number

Select the checkbox for the target access number, and click Apply.

Customizing IVR services


Enter the Customize IVR Services interface
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and then click the icon of the target menu to display the Customize IVR Services page.

NOTE:
To perform any operation to the previous page, you must first close the Customize IVR Services page.
Otherwise, errors occur.

Figure 729 Customize IVR services

Add a submenu
Select Add A New Node from the Jump to submenu list of Key 0. Click OK in the dialog box that appears
to display the following page.
Figure 730 Add a submenu

You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the
previous menu, dial immediately, or secondary-call. For information about the menu configuration, see
"Creating a menu."

NOTE:
If new settings are made on the page, first click Apply to save them before you select Add a new menu.
Otherwise, the new settings may be lost.

Delete a menu
Enter the Customize IVR Services page, click the target menu, and click Delete the menu. Click OK in the
dialog box that appears.

NOTE:
• If you delete a menu that is referenced by another menu, the operation deletes the reference relation in the menu but
not the menu.
• If you delete a menu that is referenced within itself, the delete operation deletes both the reference relation and the
menu.

Custom IVR service configuration examples


Network requirements
Company A needs a custom IVR system to achieve the following purposes.
1. Voice menu system of Company A
When a user dials the access number 300, the system plays the audio file Hello.wav. Then:
If the user dials 0, the system jumps to the marketing and sales department menu.
If the user dials 1, the system jumps to the telecom product sales department menu.
If the user dials 2, the system jumps to the government product sales department menu.
If the user dials #, the system terminates the call.
2. Marketing and sales department menu
This menu plays the audio file Welcome1.wav. Then:
If the user dials 0, the system dials the number 500 to call the attendant.
If the user dials 1, the system jumps to the major financial customer department menu.
If the user dials 2, the system jumps to the carrier customer department menu.
If the user dials 3, the system jumps to the SME department menu.
If the user dials *, the system returns to the previous menu.
3. Telecom product sales department menu
This menu plays the audio file Welcome2.wav. Then:
If the user dials 0, the system dials the number 500 to call the attendant.
If the user dials 1, the system plays the audio file that introduces product A.
If the user dials 2, the system plays the audio file that introduces product B.
If the user dials 3, the system plays the audio file that introduces product C.
If the user dials *, the system returns to the previous menu.
4. Government product sales department
This menu plays the audio file Welcome3.wav. Then:
If the user dials 0, the system dials the number 500 to call the attendant.
If the user dials 1, the system plays the audio file that introduces product D.
If the user dials 2, the system plays the audio file that introduces product E.
If the user dials 3, the system plays the audio file that introduces product F.
If the user dials *, the system returns to the previous menu.

Configuration procedure
1. Upload media resource files.
# Upload a media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
display the following page.
Figure 731 Configure media resource

a. Enter 1000 for Media Resource ID.


b. Enter Hello for Rename Media Resource.
c. Click Browse for g729r8 codec to select the target file.
d. Click Apply.

Use the same method to upload other g729r8 media resource files. You can see these uploaded files in
Voice Management > IVR Services > Media Resources Management, as shown in Figure 732.

Figure 732 Media file list

2. Configure the access number.


# Configure the access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
then click Add to display the following page.
Figure 733 Configure an access number

a. Enter 30000 for Number ID.


b. Enter 300 for Number.
c. Enter Voice Menu Access Number for Description.
d. Click Apply.

# Create a menu.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and then click Add to create a menu.
Figure 734 Configure a menu

a. Enter 1 for Menu Node ID.


b. Enter Voice Menu System of Company A for Menu Name.
c. Select Jump from the Menu Type list and Hello from the Play Voice Prompts When the User Enters
the Menu list.
d. Click Next.

# Bind the access number.


Figure 735 Bind the access number

Select the checkbox for the access number 30000, and then click Apply.
3. Configure the voice menu system.
# Enter the Customize IVR Services page.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree to
display the page shown in Figure 736. Click the icon of the menu to display the Customize IVR
Services page shown in Figure 737.

Figure 736 Menu list

Figure 737 Customize IVR services

# Add submenus for the marketing and sales department, telecom product sales department, and
government product sales department.
Select the voice menu system of Company A from the navigation tree to display the following page.

Figure 738 Voice menu system of Company A

a. Select Add A New Node from the Jump to submenu list of key 0.
b. Click OK in the dialog box that appears to display the following page.

Figure 739 Create a submenu for the marketing and sales department

a. Enter 2 for Menu Node ID.


b. Enter Marketing and Sales Dept for Menu Description.
c. Select Jump from the Menu Type list and welcome1 from the Play Voice Prompts When the User
Enters the Menu list.
d. Click Apply.

Configure submenus for the telecom product department and government product department as shown
in Figure 740 and Figure 741.

Figure 740 Add a submenu for the telecom product sales department

Figure 741 Add a submenu for the government product sales department

Return to the Customize IVR Service page.


Figure 742 Voice menu system of Company A

a. Select Terminate the call from the Operation list of key #.


b. Click Apply.
4. Configure the marketing and sales department submenu.
Select Marketing and Sales Dept from the navigation tree.

Figure 743 Marketing and sales department submenu

a. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list for key
0.
b. Click OK in the dialog box that appears to display the following page.

Figure 744 Add a submenu

a. Enter 8 for Menu Node ID.


b. Enter Attendant for Menu Description.
c. Select Dial immediately from the Menu Type list, and enter 500 for Call immediately.
d. Click Apply.

Use the same method to add submenus for the major financial customer department, carrier customer
department, and SMB department.

Figure 745 Marketing and sales department submenu

a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.

After the configuration, the marketing and sales department submenu is as shown in Figure 745.
5. Configure the telecom product sales department submenu.
Select Telecom Product Sales Dept from the navigation tree.
Figure 746 Telecom product sales department submenu

a. Select Jump from the Operation list, and Attendant from the Jump to submenu list of key 0.
b. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of key
1.
c. Click OK in the dialog box that appears to display the following page.
Figure 747 Add a submenu

a. Enter 9 for Menu Node ID.


b. Enter Introduction to Product A for Menu Description.
c. Select Return to the previous node from the Menu Type list, and select ProductA from the Play
Voice Prompts When the User Enters the Menu list.
d. Click Apply.

Use the same method to add submenus for introductions to Products B and C. After that, return to the
Customize IVR Services page.
Figure 748 Telecom product sales department submenu

a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.

After the configuration, the telecom product sales department submenu is as shown in Figure 748.
6. Configure the government product sales department submenu.
Select Government Product Sales Dept from the navigation tree. Configure the submenu, as shown
in Figure 749. The configuration procedure is identical to that of the telecom product sales
department submenu.
Figure 749 Government product sales department submenu

After all configurations, the Customize IVR Services page is as shown in Figure 749.
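
The menu tree built in this example can be checked before it is put into service. The following Python audit is an added example, not part of the original guide or HP's software: it walks the tree from the root menu and reports jump targets that do not exist, menus that cannot be reached, Jump menus with no key that returns or terminates, and Dial immediately numbers missing from an approved list. The three customer department menu names and their menu type, the approved-number list, and the misconfigured copy are assumptions constructed for illustration.

```python
import copy
from collections import deque

ROOT = "Voice Menu System of Company A"


def sales_menu(products):
    """Jump menu shared by the two product sales departments: 0 = attendant,
    1-3 = product introductions, * = return to the previous menu."""
    keys = {"0": ("jump", "Attendant"), "*": ("return",)}
    for key, product in zip("123", products):
        keys[key] = ("jump", f"Introduction to Product {product}")
    return {"type": "jump", "keys": keys}


# Menu tree from the Company A requirements, keyed by menu name.
COMPANY_A = {
    ROOT: {"type": "jump", "keys": {
        "0": ("jump", "Marketing and Sales Dept"),
        "1": ("jump", "Telecom Product Sales Dept"),
        "2": ("jump", "Government Product Sales Dept"),
        "#": ("terminate",)}},
    "Marketing and Sales Dept": {"type": "jump", "keys": {
        "0": ("jump", "Attendant"),
        "1": ("jump", "Major Financial Customer Dept"),
        "2": ("jump", "Carrier Customer Dept"),
        "3": ("jump", "SME Dept"),
        "*": ("return",)}},
    "Telecom Product Sales Dept": sales_menu("ABC"),
    "Government Product Sales Dept": sales_menu("DEF"),
    "Attendant": {"type": "dial", "number": "500"},
}
# Product introductions use the Return to the previous menu type, as in step 5.
for product in "ABCDEF":
    COMPANY_A[f"Introduction to Product {product}"] = {"type": "return"}
# Assumption: the page does not state the type of these three department menus.
for dept in ("Major Financial Customer Dept", "Carrier Customer Dept", "SME Dept"):
    COMPANY_A[dept] = {"type": "return"}


def audit(menus, root, approved_numbers):
    """Walk the menu tree breadth-first from root and return a list of findings."""
    if root not in menus:
        return [f"{root}: root menu is not defined"]
    findings, seen, queue = [], {root}, deque([root])
    while queue:
        name = queue.popleft()
        menu = menus[name]
        if menu["type"] == "dial" and menu["number"] not in approved_numbers:
            findings.append(f"{name}: dials {menu['number']}, which is not on the approved list")
        if menu["type"] != "jump":
            continue
        if not any(action[0] in ("return", "terminate") for action in menu["keys"].values()):
            findings.append(f"{name}: no key returns or terminates the call")
        for key, action in sorted(menu["keys"].items()):
            if action[0] != "jump":
                continue
            target = action[1]
            if target not in menus:
                findings.append(f"{name}: key {key} jumps to undefined menu {target!r}")
            elif target not in seen:
                seen.add(target)
                queue.append(target)
    for name in sorted(set(menus) - seen):
        findings.append(f"{name}: unreachable from the root menu")
    return findings


def misconfigured_copy():
    """Constructed variant of the tree with three deliberate configuration mistakes."""
    menus = copy.deepcopy(COMPANY_A)
    menus["Marketing and Sales Dept"]["keys"]["1"] = ("jump", "Major Finance Dept")
    menus["Attendant"]["number"] = "9000"
    del menus["Telecom Product Sales Dept"]["keys"]["*"]
    return menus


if __name__ == "__main__":
    print(audit(COMPANY_A, ROOT, {"500"}))
    for finding in audit(misconfigured_copy(), ROOT, {"500"}):
        print(finding)
```

The misspelled jump target produces two findings: the undefined menu it points to and the real menu that is left unreachable.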

Advanced IVR configuration

Global configuration
Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to
display the global configuration page shown in Figure 750.
Figure 750 Global configuration page

Table 274 Configuration

Item: Description

Tone Playing Mode for Call Hold:
• Silent—The calling party does not play any tones to the called party during call hold.
• Playing music—The calling party plays the specified tones to the called party during call hold.
By default, the tone playing mode is the silent mode.

Media Resource: Select the media resource if you select the Playing Music option. You can upload
media resource files in Voice Management > IVR Services > Media Resources Management.

Call Progress Tones Country Mode: Configure the device to play the call progress tones of a specified
country or region.
By default, the call progress tones of China are specified.

Backup Rule: Backup rule:
• Strict—One of the following conditions triggers strict call backup:
  The device does not receive any reply from the peer after sending out a call request.
  The device fails to initiate a call to the IP network side.
  The device fails to register on the voice server.
• Loose—Loose call backup is triggered if any of the abovementioned conditions occur or if the
  following condition occurs:
  The device receives a reject reply (with a number from 3xx to 6xx except 300, 301, 302, 305, 401,
  407, and 422) after sending a call request.

Call Backup Switch Time: Specifies the time duration in seconds for switching from the current VoIP
link to another VoIP link or a PSTN link (the call backup switching time) in case of a VoIP call failure.

Number of Saved Call Records: Set the maximum number of call history records that can be stored.

Related Time Parameters of DTMF:
• Duration of Sending DTMF Digits
• Interval of Sending DTMF Tones

DSCP Value in the ToS Field of the IP Packets Carrying RTP Stream: Set the DSCP value in the ToS field
in the IP packets that carry the RTP stream globally.

DSCP Value in the ToS Field of the IP Packets Carrying Voice Signaling: Set the DSCP value in the ToS
field in the IP packets that carry the voice signaling globally.
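
The Strict and Loose conditions in the Backup Rule row can be written as a predicate over call outcomes. This Python function is an added example, not the router's implementation; it assumes the reject reply arrives as a SIP status line, and the event names and sample lines are constructed.

```python
import re

# Failure events that trigger call backup under both rules (the first three
# conditions in the Backup Rule row). The event names are constructed.
STRICT_EVENTS = {"no-reply", "ip-call-failed", "register-failed"}

# Reject codes that the Loose rule excludes. In SIP these are redirects (300,
# 301, 302, 305), authentication challenges (401, 407) and "Session Interval
# Too Small" (422), which the caller normally answers with a new request.
LOOSE_EXCEPTIONS = {300, 301, 302, 305, 401, 407, 422}

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3})(?: |$)")


def reject_code(event):
    """Return the status code of a SIP status line, or None for other events."""
    match = STATUS_LINE.match(event)
    return int(match.group(1)) if match else None


def backup_triggered(rule, event):
    """Decide whether one call outcome triggers call backup under the given rule."""
    if rule not in ("strict", "loose"):
        raise ValueError(f"unknown backup rule: {rule!r}")
    if event in STRICT_EVENTS:
        return True                     # these conditions trigger both rules
    if rule == "strict":
        return False                    # Strict ignores reject replies
    code = reject_code(event)
    return code is not None and 300 <= code <= 699 and code not in LOOSE_EXCEPTIONS


# Constructed sample of call outcomes.
SAMPLE_EVENTS = [
    "no-reply",
    "SIP/2.0 180 Ringing",
    "SIP/2.0 302 Moved Temporarily",
    "SIP/2.0 401 Unauthorized",
    "SIP/2.0 486 Busy Here",
    "SIP/2.0 422 Session Interval Too Small",
    "SIP/2.0 503 Service Unavailable",
    "register-failed",
]


def triggering_events(rule, events=SAMPLE_EVENTS):
    """Return the outcomes from events that would trigger call backup."""
    return [event for event in events if backup_triggered(rule, event)]


if __name__ == "__main__":
    for rule in ("strict", "loose"):
        print(rule, triggering_events(rule))
```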

Batch configuration
Local number
Creating numbers in batch
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Create Numbers in Batch link in the Local Number area to display the page for creating numbers
in batch, as shown in Figure 751.

Figure 751 Creating numbers in batch

Table 275 Configuration

Item: Description

Start Number: Specify the start number. Then a series of consecutive numbers starting with the start
number are bound to the selected voice subscriber lines. For example, if you specify the start number
as 3000 and select lines 3/0 and 3/1, line 3/0 is bound to number 3000, and line 3/1 is bound to
number 3001.

Register Mode: You can set the register username and password in one of the following ways:
• Username and Password are the Same as Number
• No Username and No Password
• Username and Password are Specified Uniformly—If you select this option, set the username and
  password.

Register Username: Username used for registration and authentication.

Register Password: Password used for registration and authentication.

FXS Lines:
• Selected FXS Lines
• Available FXS Lines
Select an FXS voice subscriber line in the Available FXS Lines box, and click < to add the line into
the Selected FXS Lines box.
Select an FXS voice subscriber line in the Selected FXS Lines box, and click > to remove the line from
the box.
Click << to add all FXS voice subscriber lines in the Available FXS Lines box to the Selected FXS Lines
box. Click >> to remove all FXS voice subscriber lines from the Selected FXS Lines box.

Fax and modem


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Fax and Modem link in the Local Number area to display the local number fax and modem
configuration page, as shown in Figure 752.

Figure 752 Local number Fax and Modem configuration page

Table 276 Configuration

Item: Description

Fax Protocol: Configure the protocol used for fax communication with other devices:
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
• Standard T.38—Use the standard T38 protocol of SIP. The fax negotiation mode depends on the
  protocol used (SIP).
Configure the fax pass-through mode:
• G.711 A-law
• G.711 μ-law
The pass-through mode is subject to such factors as packet loss, jitter, and delay, so the clocks on
both communication sides must be kept synchronized. Only G.711 A-law and G.711 μ-law are supported,
and the VAD function should be disabled.

ECM Fax: As defined in ITU-T, ECM is required by the half-duplex and half-modulation system running
ITU-T V.34 protocol for fax message transmission. Besides, the G3 fax terminals working in full-duplex
mode are required to support half-duplex mode (ECM).
The fax machines using ECM can correct errors, provide the ARQ function, and transmit fax packets in
the format of HDLC frames. The fax machines using non-ECM cannot correct errors, and they transmit
fax packets in the format of binary strings.
• Enable—Enable ECM.
• Disable—Disable ECM.
By default, ECM is disabled.
To use ECM, fax machines on both sides and the gateway must support ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the fax sender and
receiver in the ECM mode.

CNG Fax Switchover Function: The calling tone (CNG) fax switchover is used to implement the fax
mailbox service through communication with the VCX. When the local fax machine A originates a fax
call to the peer fax machine B, if B is busy or is unattended, A can send the fax call to the fax
mailbox of the VCX. With CNG fax switchover enabled, the voice gateway can switch to the fax mode
once it receives a CNG from A.
• Enable
• Disable
The function is disabled by default.

Codec Type and Switching mode for SIP Modem Pass-through: Configure the codec type and switching mode
for SIP Modem pass-through function:
• Standard G.711 A-law—Adopt the G.711 A-law codec type and Re-Invite switching mode.
• Standard G.711 μ-law—Adopt the G.711 μ-law codec type and Re-Invite switching mode.
• NTE Compatible G.711 A-law—Adopt the G.711 A-law codec type and NTE-compatible switching mode.
• NTE Compatible G.711 μ-law—Adopt the G.711 μ-law codec type and NTE-compatible switching mode.

NET Payload Type Field: Configure the value of NTE payload type for the NTE-compatible switching mode.
This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is
selected in the Codec Type and Switching Mode for SIP Modem Pass-through list.
By default, the value of the NTE payload type is 100.

Select the Number(s): Select the checkboxes for specific local numbers, and then click the Apply to
Selected Number(s) button to apply the above fax and modem settings to the selected local numbers.

Call services
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Call Services link in the Local Number area to display the local number call services configuration
page, as shown in Figure 753.

Figure 753 Call services configuration page

Table 277 Configuration

Item: Description

Call Forwarding: Configure call forwarding:
• Enable
• Disable
By default, call forwarding is disabled.
After a call forwarding function is enabled, you can enter the corresponding forwarded-to number:
• The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number.
• The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number.
• The Forwarding Unconditional—Enter the forwarded-to number.
• The Forwarded-to Number for Call Forwarding Unavailable—Enter the forwarded-to number.

Call Hold: Configure call hold:
• Enable
• Disable
By default, call hold is disabled.
After call hold is enabled, you can set the Max Time Length the Held Party Can Wait parameter as
needed.
NOTE:
The Max Time Length the Held Party Can Wait is only applied to the held party of a call (the receiver
of call hold).

Call Transfer: Configure call transfer:
• Enable
• Disable
By default, call transfer is disabled.
Call hold must be enabled before you can configure call transfer.
After call transfer is enabled, you can set the Call Transfer Start Delay parameter as needed.

Three-Party Conference: Configure three-party conference:
• Enable
• Disable
By default, three-party conference is disabled.
The three-party conference function depends on the call hold function. Therefore, enable the call hold
function before configuring three-party conference.

Call Waiting: Configure call waiting:
• Enable
• Disable
By default, call waiting is disabled.
After call waiting is enabled, you can configure the following parameters as needed:
• Number of Call Waiting Tone Play Times
• Number of Tones Played at One Time
• Interval for Playing Call Waiting Tones
By default, two call waiting tones are played once, and if the value of Number of Tones in a Call
Waiting Tone is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Hunt Group: Configure hunt group:
• Enable
• Disable
By default, hunt group is disabled.

Feature Service: Configure feature service:
• Enable
• Disable
By default, feature service is disabled.

Message Waiting Indicator: Configure MWI:
• Enable
• Disable
By default, MWI is disabled.
NOTE:
Generally, the voice gateway sends a SUBSCRIBE to the server, and it receives a NOTIFY from the server
if the subscription is successful. It obtains the status of the voice mailbox afterwards.

Processing Priority When the Line is Busy: Specify the processing sequence of services when the line
is busy.

Select the Number(s): Select the checkboxes for the local numbers you want, and then click the Apply to
Selected Number(s) button to apply the above call services settings to the selected local numbers.

Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Advanced Settings link in the Local Number area to display the local number advanced settings
page, as shown in Figure 754.
Figure 754 Local number advanced settings page

Table 278 Configuration

Item Description

Codecs and Priorities
Codec with the First Priority
Codec with the Second Priority
Codec with the Third Priority
Codec with the Lowest Priority

DTMF Transmission Mode
Specify DTMF transmission mode:
• In-band Transmission
• Out-of-band Transmission
• RFC2833—Adopt DTMF NTE transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.

Number Sending Mode
Specify number sending mode:
• Send a Truncated Called Number
• Send All Digits of a Called Number
• Send Certain Number of Digits—Send a certain number of digits (extracted from the end of the number) of a called number. The specified value should not be greater than the total number of digits of the called number.

Number Selection Priority
Set the priority of the local number. The smaller the value, the higher the priority.

Dial Prefix
Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out.
• Enable
• Disable—Remove the configured dial prefix.
If you enable the function, enter the dial prefix.

VAD
The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save transmission bandwidth by 50%.
• Enable
• Disable
By default, VAD is disabled.

Select the Number(s)
Select the checkboxes for the local numbers you want, and then click the Apply to Selected Number(s) button to apply the above advanced settings to the selected local numbers.

Call route
Fax and modem
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Fax and Modem link in the Call Route area to display the call route fax and modem configuration
page, as shown in Figure 755.

Figure 755 Call route Fax and Modem configuration page

Table 279 Configuration

Item Description

Fax Protocol
Specify the protocol used for fax communication with other devices:
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
• Standard T.38—Use the standard T.38 protocol of SIP. The fax negotiation mode depends on the protocol used (SIP).
Configure the fax pass-through mode:
• G.711 A-law
• G.711 μ-law
The pass-through mode is subject to such factors as packet loss, jitter, and delay, so the clocks on both communication sides must be kept synchronized. Only G.711 A-law and G.711 μ-law are supported, and the VAD function should be disabled.

ECM Fax
As defined in ITU-T, ECM is required by the half-duplex and half-modulation system running ITU-T V.34 protocol for fax message transmission. In addition, the G3 fax terminals working in full-duplex mode are required to support half-duplex mode (ECM).
The fax machines using ECM can correct errors, provide the ARQ function, and transmit fax packets in the format of HDLC frames. The fax machines using non-ECM cannot correct errors, and they transmit fax packets in the format of binary strings.
• Enable—Enable ECM for fax.
• Disable—Disable ECM for fax.
By default, ECM fax is disabled.
ECM can work only if fax machines on both sides support ECM and the gateway is configured with ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the fax sender and receiver in the ECM mode.

CNG Fax Switchover Function
The calling tone (CNG) fax switchover is used to implement the fax mailbox service through communication with the VCX. When the local fax machine A originates a fax call to the peer fax machine B, if B is busy or is unattended, A can send the fax call to the fax mailbox of the VCX. With CNG fax switchover enabled, the voice gateway can switch to the fax mode once it receives a CNG from A.
• Enable
• Disable
The function is disabled by default.

Codec Type and Switching Mode for SIP Modem Pass-through
Configure the codec type and switching mode for SIP Modem pass-through function:
• Standard G.711 A-law—Adopt the G.711 A-law codec type and Re-Invite switching mode.
• Standard G.711 μ-law—Adopt the G.711 μ-law codec type and Re-Invite switching mode.
• NTE Compatible G.711 A-law—Adopt the G.711 A-law codec type and NTE-compatible switching mode.
• NTE Compatible G.711 μ-law—Adopt the G.711 μ-law codec type and NTE-compatible switching mode.

NET Payload Type Field
Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list.
By default, the value of the NTE payload type is 100.

Select the Route(s)
Select the checkboxes for call routes, and then click the Apply to Selected Route(s) button to apply the above fax and modem settings to the selected call routes.

Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Advanced Settings link in the Call Route area to display the call route advanced settings page, as
shown in Figure 756.

Figure 756 Call route advanced settings page

Table 280 Configuration

Item Description

Codecs and Priorities
Codec with the First Priority
Codec with the Second Priority
Codec with the Third Priority
Codec with the Lowest Priority

DTMF Transmission Mode
Specify DTMF transmission mode:
• In-band Transmission
• Out-of-band Transmission
• RFC2833—Adopt DTMF NTE transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.
By default, the value of the NTE payload type field is 101.

Route Selection Priority
Set the priority of the call route. The smaller the value, the higher the priority.

VAD
The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save transmission bandwidth by 50%.
• Enable
• Disable
By default, VAD is disabled.

Select the Route(s)
Select the checkboxes for the call routes you want, and then click the Apply to Selected Route(s) button to apply the above advanced settings to the selected call routes.
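
In the RFC2833 DTMF transmission mode described above, each key press travels as a named telephone event (NTE) in RTP packets marked with the configured payload type (101 by default), so a receiver set to a different value sees no digits. The following Python parser is an added example, not part of the HP documentation or device software; the function names are illustrative and the packets are constructed sample data.

```python
import struct
from dataclasses import dataclass

DTMF_EVENTS = "0123456789*#ABCD"   # RFC 2833 event codes 0-15


@dataclass(frozen=True)
class NteEvent:
    digit: str
    end: bool        # E bit: set on the final packet(s) of a key press
    volume: int      # tone level, 0-63, expressed in -dBm0
    duration: int    # in RTP timestamp units
    timestamp: int   # RTP timestamp, identical for every packet of one key press
    seq: int


def parse_nte(packet: bytes, nte_payload_type: int = 101):
    """Decode one RTP packet.

    Returns an NteEvent for a DTMF event carried with the configured payload
    type, None for any other payload type or a non-DTMF event, and raises
    ValueError for a packet that is not well-formed RTP.
    """
    if len(packet) < 12:
        raise ValueError("shorter than the fixed 12-byte RTP header")
    b0, b1, seq, timestamp, _ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    if b1 & 0x7F != nte_payload_type:
        return None                      # audio, or an NTE numbered differently
    offset = 12 + 4 * (b0 & 0x0F)        # skip the CSRC list
    if b0 & 0x10:                        # skip an RTP header extension
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if len(payload) < 4:
        raise ValueError("telephone-event payload needs 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    if event >= len(DTMF_EVENTS):
        return None                      # e.g. hook flash or fax/modem tones
    return NteEvent(DTMF_EVENTS[event], bool(flags & 0x80), flags & 0x3F,
                    duration, timestamp, seq)


def collect_digits(packets, nte_payload_type: int = 101) -> str:
    """Return the dialed digits, counting each key press once.

    The end packet of an event is normally sent three times, so events are
    de-duplicated on the RTP timestamp.
    """
    digits, counted = [], set()
    for packet in packets:
        event = parse_nte(packet, nte_payload_type)
        if event is None or not event.end or event.timestamp in counted:
            continue
        counted.add(event.timestamp)
        digits.append(event.digit)
    return "".join(digits)


def build_packet(pt, seq, timestamp, payload, marker=False):
    """Build a minimal RTP packet (no CSRC, no extension) for the sample data."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt,
                       seq, timestamp, 0x1234ABCD) + payload


def sample_stream():
    """Constructed capture: keys 1, 5 and # sent with payload type 101,
    interleaved with G.711 A-law audio packets (payload type 8)."""
    packets, seq, timestamp = [], 1000, 16000
    for event in (1, 5, 11):
        for i, duration in enumerate((160, 320, 480)):       # interim packets
            body = struct.pack("!BBH", event, 10, duration)
            packets.append(build_packet(101, seq, timestamp, body, marker=(i == 0)))
            seq += 1
        for _ in range(3):                                    # end packet, sent 3 times
            body = struct.pack("!BBH", event, 0x80 | 10, 640)
            packets.append(build_packet(101, seq, timestamp, body))
            seq += 1
        packets.append(build_packet(8, seq, timestamp + 800, bytes(160)))
        seq += 1
        timestamp += 1600
    return packets


if __name__ == "__main__":
    stream = sample_stream()
    print("receiver expecting payload type 101:", repr(collect_digits(stream, 101)))
    print("receiver expecting payload type 100:", repr(collect_digits(stream, 100)))
```

When the two ends of a call route are configured with different NTE payload type values, the digits are silently dropped rather than rejected, which is the symptom to look for in a packet capture.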

Line management
FXS line configuration
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the FXS Line Configuration link in the Line Management area to display the FXS line configuration
page, as shown in Figure 757.
Figure 757 FXS line configuration page

Table 281 Configuration

Item Description

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up, and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up, and the call is terminated.

Dial Delay Time
Configure dial delay time.
By default, the dial delay time is 1 second.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT:
Gain adjustment may lead to call failures. HP recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level:
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low, and detection errors may occur.

Select the Line(s)
Select the checkboxes for the lines you want, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXS lines.

FXO line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the FXO Line Configuration link in the Line Management area to display the FXO line configuration
page, as shown in Figure 758.
Figure 758 FXO line configuration page

Table 282 Configuration

Item Description

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up, and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up, and the call is terminated.

Dial Delay Time
Configure dial delay time.
By default, the dial delay time is 1 second.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT:
Gain adjustment may lead to call failures. HP recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level:
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low, and detection errors may occur.

Select the Line(s)
Select the checkboxes for the lines you want, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXO lines.

E&M line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the E&M Line Configuration link in the Line Management area to display the E&M line configuration
page, as shown in Figure 759.
Figure 759 E&M line configuration page

Table 283 Configuration

Item Description

Max Interval for Dialing the Next Digit
Maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up, and the call is terminated.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT:
Gain adjustment may lead to call failures. HP recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.

Select the Line(s)
Select the checkboxes for the lines you want, and then click the Apply to Selected Line(s) button to apply the above settings to the selected E&M lines.

ISDN line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the ISDN Line Configuration link in the Line Management area to display the ISDN line configuration
page, as shown in Figure 760.
Figure 760 ISDN line configuration page

Table 284 Configuration

Item Description

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output attenuation value.

IMPORTANT:
Gain adjustment may lead to call failures. HP recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.

Select the Line(s)
Select the checkboxes for the lines you want, and then click the Apply to Selected Line(s) button to apply the above settings to the selected ISDN lines.

SIP local survival services
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree. Then
click the Create Users in Batches link in the SIP Local Survival Services area to display the page shown
in Figure 761.
Figure 761 Create users in batches

Table 285 Configuration

Item Description

Start Number
Specify the telephone number of the first user to be registered.

Register User Quantity
Number of users to be registered.
For example, if you specify the start number as 2000 and set the register user quantity to 5, the device automatically generates five registered users with telephone numbers from 2000 to 2004.

Registration Mode
Set the registration mode:
• No username and password
• Username and password are the same as the number
• Username and password are specified uniformly—If you select this option, specify the authentication username and authentication password.

Authentication Username
Enter the name of the user for authentication.

Authentication Password
Enter the password of the user for authentication.

Displaying states and statistics

Displaying line states


Use this page to view information about all voice subscriber lines.
Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State
Information page appears.
Figure 762 Line state information page

This page supports two types of voice subscriber lines:


• Analog voice subscriber lines—FXS, FXO, and E&M.
• Digital voice subscriber lines—BSV, VE1, and VT1.
Table 286 Field description

Field Description

Name
Voice subscriber line name.

Type
Voice subscriber line type:
• BRI
• PRI
• FXS
• FXO
• EM
• ISDN PRI
• ISDN BRI

Description
Voice subscriber line description.

Subscriber Line Status
• Physical Down—The voice subscriber line is physically down (possibly because no physical link is present or the link has failed).
• UP—The voice subscriber line is administratively down.
• Shutdown—The voice subscriber line is both administratively and physically up.

Displaying detailed information about analog voice subscriber lines
For analog voice subscriber lines FXS, FXO, and E&M, click the Details link to view details.
Figure 763 Paging line details

Displaying detailed information about digital voice subscriber lines
For digital voice subscriber lines BSV, VE1, and VT1, click the Details link to view details about the line.

Figure 764 ISDN line details

Click a TS link to view details about the TS.


Figure 765 Timeslot details

Displaying call statistics


The following pages display call statistics:
• Active Call Summary page—Displays statistics about ongoing calls.
• History Call Summary page—Displays statistics about ended calls.

Displaying active call summary
Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call
Summary page appears.
Figure 766 Active call summary page

Table 287 Field description

Field Description

Type
Call type.
Only Speech and Fax are supported.

Status
Call status:
• Unknown—The call status is unknown.
• Connecting—A connection attempt (outgoing call) is being made.
• Connected—A connection attempt (incoming call) is being made.
• Active—The call is active.

Displaying history call summary


Select Voice Management > States and Statistics > Call Statistics from the navigation tree, and then click
the History Call Summary tab.

Figure 767 History call summary page

Displaying SIP UA states


The following pages show SIP UA states:
• TCP Connection Information page—Displays information about all TCP-based call connections.
• TLS Connection Information page—Displays information about all TLS-based call connections.
• Number Register Status page—Displays number register information when you use SIP servers to
manage SIP calls.
• Number Subscriber Status page—Displays the subscription status information of MWI when MWI is in use.

Displaying TCP connection information


Select Voice Management > States and Statistics > SIP UA States from the navigation tree. The TCP
Connection Information page appears.
Figure 768 TCP connection information

Table 288 Field description

Field Description

Connection ID
Call connection ID, automatically generated by the system

Local Address
IP address of the calling party

Local Port
Port number of the calling party

Remote Address
IP address of the called party

Remote Port
Port number of the called party

Connection State
Connection state:
• Idle
• Connecting
• Established

Displaying TLS connection information


Select Voice Management > States and Statistics > SIP UA States from the navigation tree. The TLS
Connection Information page appears.
Figure 769 TLS connection information

For more information, see Table 288.

Displaying number register status


Select Voice Management > States and Statistics > SIP UA States from the navigation tree, and then click
the Number Register Status tab.
Figure 770 Number register status

Table 289 Field description

Field Description

Number
Registered phone number.

Registrar
Address of the registrar, in the format of IP address plus port number or domain name.

Remaining Aging Time (Sec)
Remaining aging time of a number (the remaining time before the next registration).

Status
Status of the number:
• offline—Not registered
• online—Registered
• login—Being registered
• logout—Being deregistered
• dnsin—DNS query is being performed before registration.
• dnsout—DNS query is being performed before deregistration.

Displaying number subscription status


Select Voice Management > States and Statistics > SIP UA States from the navigation tree, and then click
the Number Subscription Status tab.
Figure 771 Number subscription status

Table 290 Field description

Field Description

Number
Phone number.

Subscription Server
MWI server address, in the format of IP address plus port number or domain name.

Remaining Aging Time (Sec)
Remaining aging time of the subscription (the remaining time before the next subscription).

Status
Subscription status:
• offline—Not subscribed.
• online—Subscribed.
• login—The subscription is being proposed.
• logout—The subscription is being canceled.

Displaying local survival service states


Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree.
The Local Survival Service States page appears.

Figure 772 Local survival service states

Table 291 Field description

Field Description

Server Operation Mode
• Alone
• Alive

Server Status
• Enabled
• Disabled

User ID
User ID.

Phone Number
Registered phone number.

State
State of the registered user:
• Online—The user is online.
• Offline—The user is offline.

Displaying SIP trunk account states


Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree. The
SIP Trunk Account States page appears.
Figure 773 SIP trunk account states

Table 292 Field description

Field Description

Aging Time
Aging time.

Status
Registration status of the SIP trunk account:
• Disabled—Not in use.
• Offline—Not registered.
• Online—Registered.
• Login—Being registered.
• Logout—Being deregistered.
• Dnsin—DNS query is being performed before registration.
• Dnsout—DNS query is being performed before deregistration.

Displaying server group information


Select Voice Management > States and Statistics > Server Group Information from the navigation tree. The
Server Group Information page appears.
Figure 774 Server group information

This page displays the configuration information of server groups. For information about how to configure
server groups, see "Configuring SIP server group management."

Displaying IVR information


The following pages show IVR information:
• IVR Call States page—Displays information about ongoing IVR calls.
• IVR Play States page—Displays information about ongoing IVR playing.

Displaying IVR call states


Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Call
States page appears.

Figure 775 IVR call states

Table 293 Field description

Field Description

Corresponding Access Number
IVR access number corresponding to the called number.

Current Menu Node
Current menu node ID.

State
Current state:
• Idle—The node is idle.
• Playing a media file
• Waiting for input—The node is waiting for the input of the subscriber.
• Calling—The node is calling a number.

Displaying IVR play states


Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Play
States page appears.
Figure 776 IVR play states

Table 294 Field description

Field Description

Play Count
Play times of the media file.

Play State
• Playing
• Not playing

Play Type
• PSTN—The called party is from PSTN.
• IP—IP address of the peer media.

Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions

Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.

Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP A-Series Acronyms.

Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com

Conventions
This section describes the conventions used in this documentation set.

Command conventions

Convention Description

Boldface
Bold text represents commands and keywords that you enter literally as shown.

Italic
Italic text represents arguments that you replace with actual values.

[]
Square brackets enclose syntax choices (keywords or arguments) that are optional.

{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.

[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.

{ x | y | ... } *
Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.

[ x | y | ... ] *
Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.

&<1-n>
The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.

#
A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention Description

Boldface
Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.

>
Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description

WARNING
An alert that calls attention to important information that if not understood or followed can result in personal injury.

CAUTION
An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT
An alert that calls attention to essential information.

NOTE
An alert that contains additional or supplementary information.

TIP
An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.

Index

3G management configuring call route for SIP trunk account (SIP


trunk), 622
3G modem, 148
ACL
configuration, 148
configuration, 247
displaying 3G information, 148
configuration guidelines, 255
managing pin code, 150
configuring, 247
802.11b
configuring rule for Ethernet frame header ACL,
configuring rates, 121
253
802.11g
creating IPv4 ACL, 248
configuring rates, 121
creating rule for advanced IPv4 ACL, 250
802.11n
creating rule for basic IPv4 ACL, 249
configuration guidelines, 110
active call summary
configuring, 108
displaying (call statistics), 780
configuring MCS, 122
adding
802.1x
blacklist entry manually (attack protection), 179
configuring remote 802.1x authentication, 101
interface to bridge set, 300
access
L2TP group, 390
binding access number (IVR), 747
address
configuring private hosts to access public network
configuring dynamic address pool for DHCP server,
(NAT), 158
228
configuring wireless access service, 63
configuring IP addresses excluded from dynamic
creating wireless access service, 63 allocation (DHCP), 230
displaying wireless access service information, 80 configuring MAC address filtering, 173
switching user access level to management level, configuring MAC address filtering type, 171
448
configuring MAC addresses to be filtered, 172
access control
configuring source address binding (SIP
configuration, 164 connection), 596
configuring, 165 configuring static address pool for DHCP server,
configuring for user group, 307 226

account adjusting

configuring call route advanced settings for SIP echo adjustment function, 662
trunk account (SIP trunk), 624 echo cancellation parameters (line management),
663

790
echo duration (line management), 662 configuring gratuitous ARP, 365
ADSL/G.SHDSL configuring static ARP, 365
configuring interface (WAN), 47 creating static entry, 363
advanced limit (QoS), 257 displaying entries, 362
advanced queue (QoS), 258 enabling learning of dynamic ARP entries, 364
agent gratuitous ARP, 362
enabling SNMP agent function, 277 removing entries, 363
A-MSR20/30/50 series ARP attack protection
software upgrade (system management), 454 configuration, 371
upgrading software (system management), 455 configuring ARP automatic scanning, 372
A-MSR900/A-MSR20-1X series configuring fixed ARP (ARP attack protection), 374
software upgrade (system management), 439, 454 configuring periodic sending of gratuitous ARP
packets, 371
upgrading software (system management), 454
attack protection
analog voice subscriber lines
adding blacklist entry manually, 179
displaying detailed information (line states), 778
blacklist function, 175
appendix
configuration, 175
packet priorities (QoS), 272
configuring, 182
application
configuring blacklist function, 178
configuring application control for user group, 308
configuring detection, 180
enabling application layer protocol check (NAT),
157 configuring for A-MSR20/30/50 series routers,
185
typical applications (SIP trunk), 618
configuring for A-MSR900/20-1X series routers,
application control
182
configuration, 189
enabling blacklist function, 178
configuring, 189, 192
intrusion detection function, 175
configuring custom application, 190
viewing blacklist entries (attack protection), 179
configuring for user group, 308
authenticating
enabling, 191
configuring local MAC authentication, 94
loading applications, 189
configuring PSK authentication, 90
applying
configuring remote 802.1x authentication, 101
RSA digital signature in IKE negotiation (certificate
configuring remote MAC authentication, 97
management), 432
configuring WiNet-based RADIUS authentication,
area prefix
480
configuring (SIP local survival), 687
background
ARP
SIP trunk, 617
configuration, 362

791
background image introduction to BSV interface (data link
management), 642
setting background image for WiNet topology
diagram, 471 buffer capacity
backing up setting (syslog), 464
configuration (system management), 440 CAC
device files through USB port (system management), configuring CAC service (WLAN Qos), 140
442
setting CAC admission policy (WLAN QoS), 133
bandwidth control
cache
configuring for user group, 309
clearing dynamic domain name cache (DNS), 210
barge in service (call service), 519
call authority control
binding
configuring, 574
access number (IVR), 747
call backup (call service), 518
configuring source address binding (SIP
call barring (call service), 518
connection), 596
call connection
one-to-one binding between FXS and FXO voice
subscriber lines (line management), 662 configuration, 585

blacklist SIP, 585

adding blacklist entry manually (attack protection), SIP features, 586


179 SIP functions, 586
configuring blacklist function (attack protection), SIP fundamentals, 587
178
SIP media flow encryption, 591
configuring dynamic blacklist (WLAN security),
126 SIP messages, 587

configuring static blacklist (WLAN security), 128 SIP security, 590

enabling blacklist function (attack protection), 178 SIP signaling encryption, 590

function (attack protection), 175 SIP support for transport layer protocols, 590

viewing entries (attack protection), 179 SIP terminology, 585

blocking SIP TLS-SRTP combinations, 591

configuring caller ID blocking (SIP connection), support for SIP extensions, 592
608 call control (dial plan), 557
bridging call forwarding (call service), 517
adding interface to bridge set, 300 call hold (call service), 517
configuration, 299 call release
configuring, 299, 301 configuring call release cause code mapping (SIP
enabling bridge set, 299 connection), 606

BSV configuring PSTN call release cause code mapping


(SIP connection), 606
configuring BSV line (data link management), 651
call route, 488

advanced settings, 487 configuring call service, 525
basic settings, 487, 489 configuring call service of call route, 524
call services, 487 configuring call service of local number, 520
coding parameter, 541 configuring call transfer, 520, 528
configuration, 488 configuring call waiting, 520, 525
configuration (advanced settings), 541 configuring hunt group, 529
configuring (voice management), 490, 492 configuring silent monitor service, 534
configuring advanced settings, 548, 550 configuring three-party conference, 520, 532
configuring call route for inbound calls (SIP trunk), door opening control, 519
626
hunt group, 518
configuring call route for outbound calls (SIP trunk),
message waiting indication, 518
622
silent monitor service, 519
configuring call route for SIP trunk account (SIP
trunk), 622 support for SIP voice service of the VCX, 520

configuring coding parameters, 548 three-party conference, 518

configuring out-of-band DTMF transmission mode call services


for SIP, 550 configuration, 517
configuring parameters (other than coding call statistics
parameter), 549
displaying, 779
fax, 487
call transfer (call service), 518
modem, 487
call waiting (call service), 517
optional parameters, 545
caller
overview, 487
configuring caller ID blocking (SIP connection),
call service 608
barge in service, 519 configuring caller identity (SIP connection), 598
call backup, 518 configuring caller privacy (SIP connection), 598
call barring, 518 calling
call forwarding, 517 configuring trunk mode calling (voice
call hold, 517 management), 506

call transfer, 518 calling party control (call service), 519

call waiting, 517 call-out route

calling party control, 519 configuring (SIP local survival), 686

CID on FXO voice subscriber line, 520 CE1/PRI

CID on FXS voice subscriber line, 519 configuring interface (WAN), 51

configuring barge in service, 534 certificate management

configuring call forwarding, 520, 526 applying RSA digital signature in IKE negotiation,
432
configuring call hold, 520

configuration, 412 setting EDCA parameters for wireless clients
(WLAN QoS), 134
configuring PKI, 413, 423
client mode
configuring PKI entity to request certificate from CA
(method I), 423 configuration (wireless service), 111
configuring PKI entity to request certificate from CA configuration guidelines, 116
(method II), 427
code
creating PKI domain, 416
configuring call release cause code mapping (SIP
creating PKI entity, 415 connection), 606
destroying RSA key pair, 420 configuring PSTN call release cause code mapping
(SIP connection), 606
displaying certificate, 420
configuring SIP status code mapping (SIP
displaying CRL, 422
connection), 607
generating RSA key pair, 419
district code (WLAN), 145
PKI operation, 412
managing pin code (3G management), 150
requesting local certificate, 421
setting district code (WLAN), 145
retrieving certificate, 420
codecs
retrieving CRL, 422
IVR, 705
channel
coding parameter
channel busy test (WLAN), 145
call route, 541
checking
local number, 541
enabling application layer protocol check (NAT),
community
157
configuring SNMP community, 280
CID
conference
CID on FXO voice subscriber line (call service),
520 three-party conference (call service), 518
CID on FXS voice subscriber line (call service), 519 configuring
clear type 802.11b/802.11g rates (radio), 121
configuring clear type wireless service, 64 802.11n, 108
clearing 802.11n MCS (radio), 122
dynamic domain name cache (DNS), 210 access control, 165
client access number (IVR), 715
configuring client-initiated VPN (L2TP), 396 access number advanced settings (IVR), 716
configuring DHCP client, 224 access number management (IVR), 715
displaying client information (wireless service), 82 access service-based VLAN, 88
displaying client mode statistics (wireless service), ACL, 247
113
ADSL/G.SHDSL interface (WAN), 47
displaying statistics (WLAN QoS), 138
advanced limit (QoS), 260
enabling client mode (wireless service), 111

advanced queue (QoS), 263, 269 call route for outbound calls (SIP trunk), 622
advanced settings (SIP connection), 602 call route for SIP trunk account (SIP trunk), 622
application control, 189, 192 call route modem parameters for SIP trunk account
(SIP trunk), 624
area prefix (SIP local survival), 687, 699
call route parameters (fax), 515
ARP automatic scanning (ARP attack protection),
372 call route parameters (modem), 515
attack protection, 182 call service, 525
attack protection for A-MSR20/30/50 series call service of call route, 524
routers, 185
call service of local number, 520
attack protection for A-MSR900/20-1X series
call transfer, 528
routers, 182
call transfer (call service), 520
barge in service (call service), 534
call waiting, 525
basic SIP calling features (SIP connection), 608
call waiting (call service), 520
blacklist function (attack protection), 178
caller ID blocking (SIP connection), 608
blacklist function (WLAN security), 126
caller identity (SIP connection), 598
bridging, 299, 301
caller privacy (SIP connection), 598
BSV line (data link management), 651
call-out route (SIP local survival), 686, 702
CAC service (WLAN QoS), 140
CE1/PRI interface (WAN), 51
call authority control, 574
channel busy test (WLAN), 146
call authority control (SIP local survival), 688, 694
clear type wireless service, 64
call control (dial plan), 559
client mode (wireless service), 114
call forwarding, 526
client-initiated VPN (L2TP), 396
call forwarding (call service), 520
codec transparent transmission (SIP trunk), 626
call hold (call service), 520
codec transparent transmission (SIP-to-SIP call
call match rules (SIP trunk), 637
settings), 552
call node (IVR), 709
coding parameters for call route, 548
call node, jump node, and service node (IVR), 734
coding parameters for local number, 545
call release cause code mapping (SIP connection),
compatibility (SIP connection), 600
606
connection limit (NAT), 157
call route (advanced settings), 548, 550
connection properties (SIP connection), 593
call route (batch configuration) (IVR), 768
connection properties (VoIP), 485
call route (voice management), 490, 492
crypto type wireless service, 72
call route advanced settings for SIP trunk account
(SIP trunk), 624 CT1/PRI interface (WAN), 54

call route fax parameters for SIP trunk account (SIP custom application (application control), 190
trunk), 624 data transmit rates (radio), 121
call route for inbound calls (SIP trunk), 626 DDNS, 218, 219

DHCP, 232 hunt group (call service), 529
DHCP client, 224 immediate secondary call on a service node (IVR),
730
DHCP interface setup, 225
internal server (NAT), 155, 160
DHCP relay agent, 224, 240
IP addresses excluded from dynamic allocation
DHCP server, 223
(DHCP), 230
DHCP server group, 231
IPsec connection (IPsec VPN), 376
DHCP without relay agent, 233
IPsec VPN, 375, 384
dial plan, 558, 565
IPv4 static route, 200
digital link management (data link management),
ISDN line (line management), 672
643
IVR, 706, 717
direct calling for SIP UAs through SIP protocol
(configuring domain name) (voice management), IVR nodes, 709
495
jump node (IVR), 712, 728
direct calling for SIP UAs through SIP protocol
L2TP, 389, 396
(configuring static IP address) (voice
management), 492 line management, 663, 674

DMZ host (NAT), 154 line management (batch configuration) (IVR), 772

domain name resolution (DNS), 211 local MAC authentication, 94

domain name suffix, 211 local number (advanced settings), 545

dynamic address pool for DHCP server, 228 local number (batch configuration) (IVR), 761

dynamic blacklist (WLAN security), 126 local number (voice management), 489, 492

dynamic domain name resolution (DNS), 208 local number parameters (fax), 512

dynamic NAT, 152 local number parameters (modem), 512

dynamic rate limiting (WLAN QoS), 143 local numbers (VoIP), 485

E&M subscriber line (line management), 669 local SIP server to operate in alive mode (SIP local
survival), 692
entity type selection priority rules (dial plan), 570
local SIP server to operate in alone mode (SIP local
Ethernet interface (WAN), 43
survival), 689
extension secondary call on a call node (IVR), 726
login control, 360
fax, 512
MAC address filtering, 173
finishing configuration wizard (VoIP), 486
MAC address filtering type, 171
fixed ARP (ARP attack protection), 374
MAC addresses to be filtered, 172
FXO voice subscriber line (line management), 666,
match order of number selection rules (dial plan),
674
567
FXS voice subscriber line (line management), 663
media security (SIP connection), 598
global key policy (IVR), 707
modem, 512
gratuitous ARP, 365
MSTP, 333, 339
GRE over IPv4 tunnel, 402, 404
MSTP globally, 334

MSTP on port, 337 secondary call on a call node (match number
length) (IVR), 721
MSTP region, 333
secondary call on a call node (match number) (IVR),
NAT, 158
724
number match (dial plan), 558
secondary call on a call node (match terminator of
number match mode (dial plan), 565 numbers) (IVR), 717
number substitution (dial plan), 563, 577 secondary call on a service node (IVR), 732
out-of-band DTMF transmission mode for SIP (call service (SIP local survival), 684
route), 550
service management (system management), 444
parameters for call route (other than coding
service node (IVR), 714
parameter), 549
session properties (SIP connection), 595
parameters for local number (other than coding
parameter), 547 signaling security (SIP connection), 605
parameters for VLAN interface, 59 silent monitor service (call service), 534
periodic sending of gratuitous ARP packets (ARP SIP connection, 608
attack protection), 371
SIP listening (SIP connection), 597
PKI (certificate management), 413, 423
SIP local survival, 684, 689
PKI entity to request certificate from CA (method I)
SIP local survival services (batch configuration)
(certificate management), 423
(IVR), 776
PKI entity to request certificate from CA (method II)
SIP server group, 614
(certificate management), 427
SIP server group (SIP trunk), 620
private hosts to access public network (NAT), 158
SIP server group with multiple member servers (SIP
proxy server (SIP connection), 595
trunk), 635
proxy server involved calling for SIP UAs (voice
SIP server group with only one member server (SIP
management), 499
trunk), 627
PSK authentication, 90
SIP session refresh (SIP connection), 599
PSTN call release cause code mapping (SIP
SIP status code mapping (SIP connection), 607
connection), 606
SIP trunk, 619, 627
QoS, 258, 267
SIP trunk account, 621
RADIUS, 351
SNMP, 288
RADIUS scheme, 346
SNMP agent, 275
RADIUS user (WiNet), 473
SNMP agent (SNMP lite), 456
registrar (SIP connection), 593
SNMP community, 280
registration parameters (SIP connection), 602
SNMP group, 281
remote 802.1x authentication, 101
SNMP lite, 458
remote MAC authentication, 97
SNMP trap function, 285
route, 197
SNMP user, 283
rule for Ethernet frame header ACL, 253
SNMP view, 278
SA interface (WAN), 46

SNMPv1, 288 voice mailbox server (SIP connection), 604
SNMPv1 (SNMP lite), 458 VT1 line (data link management), 648
SNMPv2c, 288 whitelist (WLAN security), 128
SNMPv2c (SNMP lite), 458 whitelist function (WLAN security), 126
SNMPv3, 292 WiNet, 470, 474
SNMPv3 (SNMP lite), 459 WiNet establishment, 474
source address binding (SIP connection), 596 WiNet-based RADIUS authentication, 480
SRTP for SIP calls (SIP connection), 610 wireless access, 87
starting basic configuration wizard (web interface), wireless access service, 63
31
wireless QoS (WLAN QoS), 131, 140
static address pool for DHCP server, 226
wireless service, 87
static ARP, 365
connecting
static blacklist (WLAN security), 128
configuring connection limit (NAT), 157
static rate limiting (WLAN QoS), 142
configuring connection properties (VoIP), 485
subnet limit (QoS), 258, 267
configuring IPsec connection (IPsec VPN), 376
synchronizing user group configuration for WAN
displaying broadband connection information, 27
interfaces, 312
wireless service (client mode), 112
TCP to carry outgoing SIP calls (SIP connection),
611 contacting HP, 787

three-party conference (call service), 520, 532 content

TLS to carry outgoing SIP calls (SIP connection), displaying by pages (web interface), 17
612 controlling
TR-069 (system management), 450, 452 calling party control (call service), 519
trunk mode calling (voice management), 506 configuring call authority control, 574
trusted nodes (SIP local survival), 686 door opening control (call service), 519
URL filtering, 169 creating
user, 306 GRE tunnel, 402
user (SIP local survival), 685 IPv4 ACL, 248
user group, 306, 312 IPv4 static route, 197
user isolation (WLAN security), 130 menu (IVR), 741
user-based load sharing, 204 PKI domain (certificate management), 416
VE1 line (data link management), 643 PKI entity (certificate management), 415
VLAN, 57 rule for advanced IPv4 ACL, 250
VLAN interface, 57 rule for basic IPv4 ACL, 249
VLAN member port, 59 static ARP entry, 363
voice functions (call service), 522 user (system management), 446

VLAN, 58 intrusion detection function (attack protection), 175
VLAN interface, 58 device
wireless access service, 63 rebooting (system management), 443
crypto type device information
configuring crypto type wireless service, 72 broadband connection, 27
CT1/PRI configuration, 25
configuring interface (WAN), 54 displaying, 25
customizing displaying 3G wireless card state, 28
services (IVR), 740, 747, 749 displaying detailed information, 27
data link management displaying LAN information, 29
configuration, 640 displaying recent system logs, 30
configuring BSV line, 651 displaying service information, 30
configuring E1, 657 displaying WLAN information, 29
configuring E1 voice DSS1 signaling, 657 DHCP
configuring T1, 657 configuration, 222
configuring VE1 line, 643 configuring, 232
configuring VT1 line, 648 configuring client, 224
displaying ISDN link state, 656 configuring DHCP server group, 231
E1 features, 641 configuring dynamic address pool for DHCP server,
228
E1 interface, 640
configuring interface setup, 225
E1 voice functions, 640
configuring IP addresses excluded from dynamic
introduction to BSV interface, 642
allocation, 230
introduction to E1, 640
configuring relay agent, 224, 240
introduction to T1, 640
configuring server, 223
T1 features, 641
configuring static address pool for DHCP server,
T1 interface, 640 226
T1 voice functions, 640 configuring without relay agent, 233
DDNS enabling, 225
configuration, 217 DHCP relay agent
configuring, 218, 219 configuration guidelines, 246
destroying diagnostic tools
RSA key pair (certificate management), 420 configuration, 466
detecting ping, 466
configuring intrusion detection (attack protection), ping operation, 467
180
tools operations, 467

trace route, 466 active call summary (call statistics), 780
trace route operation, 467 active route table, 199
dial plan ARP entries, 362
call control, 557 broadband connection information, 27
configuration, 553 call statistics, 779
configuring, 558, 565 certificate (certificate management), 420
configuring call control, 559 client information (wireless service), 82
configuring entity type selection priority rules, 570 client mode statistics (wireless service), 113
configuring match order of number selection rules, client statistics (WLAN QoS), 138
567
configuration wizard homepage (VoIP), 484
configuring number match, 558
content by pages (web interface), 17
configuring number match mode, 565
CRL (certificate management), 422
configuring number substitution, 563, 577
detailed device information, 27
functions, 556
detailed information (radio), 123
number match, 556
detailed information about analog voice subscriber
number substitution, 557 lines (line states), 778
process, 553 detailed information about digital voice subscriber
lines (line states), 778
regular expression, 554
device information, 25
digital link management
external interface traffic ordering statistics, 207
configuring (data link management), 643
history call summary (call statistics), 780
digital signature
internal interface traffic ordering statistics, 206
applying RSA digital signature in IKE negotiation
(certificate management), 432 IPsec VPN monitoring information, 383
digital voice subscriber lines ISDN link state (data link management), 656
displaying detailed information (line states), 778 IVR call states, 785
direct calling IVR information, 785
configuring for SIP UAs through SIP protocol IVR play states, 786
(configuring domain name) (voice management),
L2TP tunnel information, 396
495
LAN information, 29
configuring for SIP UAs through SIP protocol
(configuring static IP address) (voice line states, 777
management), 492 local survival service states, 783
disabling number register status (SIP UA states), 782
web-based NM, 21 number subscription status (SIP UA states), 783
displaying radio information, 123
3G information (3G management), 148 radio statistics (WLAN QoS), 136
3G wireless card state information, 28 recent system logs, 30

RF ping information (wireless service), 86 domain name
server group information, 785 configuring domain name suffix (DNS), 211
service information, 30 door
SIP trunk account states, 784 door opening control (call service), 519
SIP UA states, 781 DTMF
SNMP packet statistics, 287 configuring out-of-band DTMF transmission mode
for SIP (call route), 550
states, 777
duration
statistics, 777
adjusting echo duration (line management), 662
syslog, 462
E&M
TCP connection information (SIP UA states), 781
configuring E&M subscriber line (line management),
TLS connection information (SIP UA states), 782
669
wireless access service information, 80
E&M subscriber line (line management), 660
wireless service information, 80
E1
wireless services bound to a radio, 123
configuring (data link management), 657
WLAN information, 29
configuring voice DSS1 signaling (data link
district management), 657
district code (WLAN), 145 features (data link management), 641
setting district code (WLAN), 145 interface (data link management), 640
DMZ introduction (data link management), 640
configuring DMZ host (NAT), 154 voice functions (data link management), 640
DNS echo
clearing dynamic domain name cache, 210 adjusting echo cancellation parameters (line
configuration, 208 management), 663

configuring domain name resolution, 211 adjusting echo duration (line management), 662

configuring domain name suffix, 211 enabling echo cancellation nonlinear function (line
management), 663
configuring dynamic domain name resolution, 208
echo adjustment function (line management), 662
enabling DNS proxy, 209, 210
EDCA
enabling dynamic domain name resolution, 210
setting EDCA parameters for wireless clients
specifying server, 210 (WLAN QoS), 134
documentation setting radio EDCA parameters for APs (WLAN
conventions used, 788 QoS), 133

website, 787 enabling

domain application control, 191

configuring PKI domain (certificate management), application layer protocol check (NAT), 157
416 blacklist function (attack protection), 178

bridge set, 299 call route, 487
client mode (wireless service), 111 configuration, 510
DHCP, 225 configuring, 512
DNS proxy, 209, 210 configuring call route fax parameters for SIP trunk
account (SIP trunk), 624
dynamic domain name resolution (DNS), 210
configuring call route parameters, 515
echo cancellation nonlinear function (line
management), 663 configuring local number parameters, 512
L2TP, 389 flow, 511
learning of dynamic ARP entries, 364 FoIP, 510
SIP trunk function, 620 local number, 487
SNMP agent function, 277 methods, 511
web-based NM, 21 features
WiNet, 470 SIP (call connection), 586
wireless QoS (WLAN QoS), 131 SIP trunk, 618
entity filtering
configuring entity type selection priority rules (dial configuring MAC address filtering, 173
plan), 570
configuring MAC address filtering type, 171
configuring PKI entity (certificate management),
configuring MAC addresses to be filtered, 172
415
finishing
configuring PKI entity to request certificate from CA
(method I) (certificate management), 423 configuration wizard (VoIP), 486

configuring PKI entity to request certificate from CA flow


(method II) (certificate management), 427 fax, 511
entry FoIP
creating static ARP entry, 363 fax, 510
displaying ARP entries, 362 protocol, 510
enabling learning of dynamic ARP entries, 364 standard, 510
removing ARP entries, 363 framework
error TR-069 network framework (system management),
error processing methods (IVR), 706 451

Ethernet function

configuring interface (WAN), 43 blacklist (attack protection), 175

configuring rule for Ethernet frame header ACL, configuring SNMP trap function, 285
253 configuring voice functions (call service), 522
extension dial plan, 556
support for SIP extensions (call connection), 592 echo adjustment function (line management), 662
fax

enabling echo cancellation nonlinear function (line configuring bandwidth control for user group, 309
management), 663
configuring packet filtering for user group, 310
enabling SNMP agent function, 277
configuring SNMP group, 281
intrusion detection (attack protection), 175
configuring user group, 306, 312
SIP (call connection), 586
hunt group (call service), 518
SIP Modem pass-through function, 512
history call summary
TR-069 basic functions (system management), 451
displaying (call statistics), 780
fundamentals
host
SIP (call connection), 587
configuring DMZ host (NAT), 154
FXO
configuring private hosts to access public network
configuring FXO voice subscriber line (line (NAT), 158
management), 666, 674
HP
configuring one-to-one binding between FXS and
customer support and resources, 787
FXO (line management), 675
document conventions, 788
FXO voice subscriber line (line management), 660
documents and manuals, 787
one-to-one binding between FXS and FXO voice
subscriber lines (line management), 662 icons used, 788

FXS subscription service, 787

CID on FXO voice subscriber line (call service), support contact information, 787
520 symbols used, 788
CID on FXS voice subscriber line (call service), 519 websites, 787
configuring FXS voice subscriber line (line hunt group (call service), 518
management), 663
icons, 788
configuring one-to-one binding between FXS and
FXO (line management), 675 identity

FXS voice subscriber line (line management), 660 configuring caller identity (SIP connection), 598

one-to-one binding between FXS and FXO voice IKE


subscriber lines (line management), 662 applying RSA digital signature in IKE negotiation
generating (certificate management), 432

RSA key pair (certificate management), 419 inbound call

GRE configuring call route for inbound calls (SIP trunk),


626
configuration, 402
indicating
configuring GRE over IPv4 tunnel, 402, 404
message waiting indication (call service), 518
creating GRE tunnel, 402
information
group
displaying (radio), 123
adding L2TP group, 390
displaying 3G information, 148
configuring access control for user group, 307
displaying detailed information (radio), 123
configuring application control for user group, 308

displaying IPsec VPN monitoring information, 383 creating IPv4 ACL, 248
displaying L2TP tunnel information, 396 creating IPv4 static route, 197
displaying wireless access service information, 80 creating rule for advanced IPv4 ACL, 250
displaying wireless service information, 80 creating rule for basic IPv4 ACL, 249
viewing general information of an interface (WAN), IPv4 static route
55
configuration guidelines, 202
initializing
ISDN
configuration (system management), 440
configuring ISDN line (line management), 672
initiating
displaying ISDN link state (data link management),
configuring client-initiated VPN (L2TP), 396 656
integrating isolating
service management, 30 user isolation (WLAN security), 129
interface IVR
adding interface to bridge set, 300 advantages, 705
displaying external interface traffic ordering batch configuration, 761
statistics, 207
binding access number, 747
displaying internal interface traffic ordering
codecs, 705
statistics, 206
configuration, 705
introduction to BSV interface (data link
management), 642 configuration (advanced), 760

synchronizing user group configuration for WAN configuring, 706, 717


interfaces, 312 configuring access number, 715
interval configuring access number advanced settings, 716
setting traffic ordering interval, 206 configuring access number management, 715
introduction configuring call node, 709
web interface, 2 configuring call node, jump node, and service
web-based network management functions, 4 node, 734

IPsec configuring call route (batch configuration), 768

configuration guidelines, 386 configuring extension secondary call on a call


node, 726
IPsec VPN
configuring global key policy, 707
configuration, 375
configuring immediate secondary call on a service
configuring, 375, 384
node, 730
configuring IPsec connection, 376
configuring jump node, 712, 728
displaying monitoring information, 383
configuring line management (batch configuration),
IPv4 772
configuring GRE over IPv4 tunnel, 402, 404 configuring local number (batch configuration),
761
configuring IPv4 static route, 200

configuring nodes, 709 enabling, 389
configuring secondary call on a call node (match LAN
number length), 721
displaying information, 29
configuring secondary call on a call node (match
setting interface parameters (web interface), 38
number), 724
layer
configuring secondary call on a call node (match
terminator of numbers), 717 enabling application layer protocol check (NAT),
157
configuring secondary call on a service node, 732
level
configuring service node, 714
setting super password for switching to
configuring SIP local survival services (batch
management level, 447
configuration), 776
switching user access level to management level,
creating menu, 741
448
customizable process, 705
limiting
customizable voice prompts, 705
configuring connection limit (NAT), 157
customizing services, 740, 747, 749
configuring dynamic rate limiting (WLAN QoS),
error processing methods, 706 143
flexible node configuration, 705 configuring static rate limiting (WLAN QoS), 142
global configuration, 760 setting rate limiting (WLAN QoS), 139
successive jumping, 706 line
timeout processing methods, 706 CID on FXO voice subscriber line (call service),
520
types of secondary calls, 706
CID on FXS voice subscriber line (call service), 519
uploading media resource files, 706
line management
IVR call states
adjusting echo cancellation parameters, 663
displaying, 785
adjusting echo duration, 662
IVR information
configuration, 660
displaying, 785
configuring, 663, 674
IVR play states
configuring E&M subscriber line, 669
displaying, 786
configuring FXO voice subscriber line, 666, 674
jumping
configuring FXS voice subscriber line, 663
successive (IVR), 706
configuring ISDN line, 672
L2TP
configuring one-to-one binding between FXS and
adding L2TP group, 390
FXO, 675
configuration, 388
E&M subscriber line, 660
configuring, 389, 396
echo adjustment function, 662
configuring client-initiated VPN, 396
enabling echo cancellation nonlinear function, 663
displaying L2TP tunnel information, 396
FXO voice subscriber line, 660

FXS voice subscriber line, 660 web interface, 1
one-to-one binding between FXS and FXO voice logging out
subscriber lines, 662
web interface, 2
line states
loghost
displaying, 777
setting (syslog), 463
listening
login control
configuring SIP listening (SIP connection), 597
configuration, 359
loading
configuring, 360
applications (application control), 189
MAC
local
configuring local MAC authentication, 94
configuring call service of local number, 520
configuring remote MAC authentication, 97
configuring local number (voice management),
MAC address filtering
489
configuration, 171
requesting local certificate (certificate
management), 421 configuring, 173

local number, 488 configuring addresses to be filtered, 172

advanced settings, 487 configuring type, 171

basic settings, 487, 489 mailbox

call services, 487 configuring voice mailbox server (SIP connection),


604
coding parameter, 541
managing
configuration, 488
3G modem, 148
configuration (advanced settings), 541
pin code (3G management), 150
configuring (voice management), 489, 492
service (system management), 443
configuring advanced settings, 545
users (system management), 446
configuring coding parameters, 545
WiNet, 471
configuring parameters (other than coding
parameter), 547 manuals, 787

fax, 487 mapping

modem, 487 configuring call release cause code mapping (SIP


connection), 606
optional parameters, 545
configuring PSTN call release cause code mapping
overview, 487
(SIP connection), 606
local survival service states
configuring SIP status code mapping (SIP
displaying, 783 connection), 607
logging matching
displaying recent system logs, 30 configuring call match rules (SIP trunk), 637
logging in configuring match order of number selection rules
(dial plan), 567

media introduction, 327
configuring media security (SIP connection), 598 protocol, 332
menu standard, 332
creating (IVR), 741 NAT
message configuration, 152
message waiting indication (call service), 518 configuring, 158
SIP (call connection), 587 configuring connection limit, 157
message waiting indication (call service), 518 configuring DMZ host, 154
method configuring dynamic NAT, 152
fax, 511 configuring internal server, 155, 160
mode configuring private hosts to access public network,
158
configuring out-of-band DTMF transmission mode
for SIP (call route), 550 enabling application layer protocol check, 157
configuring trunk mode calling (voice negotiating
management), 506
applying RSA digital signature in IKE negotiation
specifying traffic ordering mode, 206 (certificate management), 432
modem network
call route, 487 configuring private hosts to access public network
(NAT), 158
configuration, 510
TR-069 network framework (system management),
configuring, 512
451
configuring call route modem parameters for SIP
network management
trunk account (SIP trunk), 624
disabling web-based NM, 21
configuring call route parameters, 515
enabling web-based NM, 21
configuring local number parameters, 512
integrated service management, 30
local number, 487
introduction to web-based functions, 4
SIP Modem pass-through function, 512
managing web-based NM through CLI, 21
monitoring
web-based, 1
displaying IPsec VPN monitoring information, 383
node
silent monitor service (call service), 519
flexible node configuration (IVR), 705
MSTP
number
configuration, 320
configuring call service of local number, 520
configuration guidelines, 344
configuring match order of number selection rules
configuring, 333, 339
(dial plan), 567
configuring globally, 334
number match (dial plan), 556
configuring MSTP region, 333
number register status
configuring on port, 337
displaying (SIP UA states), 782

number subscription status pin
displaying (SIP UA states), 783 managing pin code (3G management), 150
number substitution (dial plan), 557 ping, 466
order operation (diagnostic tools), 467
configuring match order of number selection rules PKI
(dial plan), 567
configuration guidelines, 438
outbound call
configuring (certificate management), 413, 423
configuring call route for outbound calls (SIP trunk),
configuring PKI entity to request certificate from CA
622
(method I) (certificate management), 423
overview
configuring PKI entity to request certificate from CA
call route, 487 (method II) (certificate management), 427
local number, 487 creating PKI domain (certificate management), 416
web-based network management, 1 creating PKI entity (certificate management), 415
packet operation, 412
appendix packet priorities (QoS), 272 port
configuring packet filtering for user group, 310 backing up device files through USB port (system
management), 442
displaying SNMP packet statistics, 287
configuring MSTP on port, 337
parameter
configuring VLAN member port, 59
adjusting echo cancellation parameters (line
management), 663 restoring device files through USB port (system
management), 442
coding parameter (call route), 541
priority
coding parameter (local number), 541
configuring entity type selection priority rules (dial
configuring call route fax parameters for SIP trunk
plan), 570
account (SIP trunk), 624
privacy
configuring call route modem parameters for SIP
trunk account (SIP trunk), 624 configuring caller privacy (SIP connection), 598
configuring parameters for VLAN interface, 59 procedure
configuring registration parameters (SIP adding blacklist entry manually (attack protection),
connection), 602 179
optional parameters (call route), 545 adding interface to bridge set, 300
optional parameters (local number), 545 adding L2TP group, 390
party applying RSA digital signature in IKE negotiation
(certificate management), 432
calling party control (call service), 519
backing up device files through USB port (system
three-party conference (call service), 518
management), 442
password
binding access number (IVR), 747
setting super password for switching to
clearing dynamic domain name cache (DNS), 210
management level, 447
configuring 802.11b/802.11g rates (radio), 121

configuring 802.11n, 108 configuring call authority control (SIP local survival),
688, 694
configuring 802.11n MCS (radio), 122
configuring call control (dial plan), 559
configuring access control, 165
configuring call forwarding, 526
configuring access control for user group, 307
configuring call forwarding (call service), 520
configuring access number (IVR), 715
configuring call hold (call service), 520
configuring access number advanced settings (IVR),
716 configuring call match rules (SIP trunk), 637
configuring access number management (IVR), configuring call node (IVR), 709
715
configuring call node, jump node, and service
configuring access service-based VLAN, 88 node (IVR), 734
configuring ACL, 247 configuring call release cause code mapping (SIP
connection), 606
configuring ADSL/G.SHDSL interface (WAN), 47
configuring call route (advanced settings), 548,
configuring advanced limit (QoS), 260
550
configuring advanced queue (QoS), 263, 269
configuring call route (batch configuration) (IVR),
configuring advanced settings (SIP connection), 768
602
configuring call route (voice management), 490,
configuring application control, 189, 192 492
configuring application control for user group, 308 configuring call route advanced settings for SIP
configuring area prefix (SIP local survival), 687, trunk account (SIP trunk), 624
699 configuring call route fax parameters for SIP trunk
configuring ARP automatic scanning (ARP attack account (SIP trunk), 624
protection), 372 configuring call route for inbound calls (SIP trunk),
configuring attack protection, 182 626

configuring attack protection for A-MSR20/30/50 configuring call route for outbound calls (SIP trunk),
series routers, 185 622

configuring attack protection for A-MSR900/20-1X configuring call route for SIP trunk account (SIP
series routers, 182 trunk), 622

configuring bandwidth control for user group, 309 configuring call route modem parameters for SIP
trunk account (SIP trunk), 624
configuring barge in service (call service), 534
configuring call route parameters (fax), 515
configuring basic SIP calling features (SIP
connection), 608 configuring call route parameters (modem), 515

configuring blacklist function (attack protection), configuring call service, 525


178 configuring call service of call route, 524
configuring blacklist function (WLAN security), 126 configuring call service of local number, 520
configuring bridging, 299, 301 configuring call transfer, 528
configuring BSV line (data link management), 651 configuring call transfer (call service), 520
configuring CAC service (WLAN QoS), 140 configuring call waiting, 525
configuring call authority control, 574 configuring call waiting (call service), 520

configuring caller ID blocking (SIP connection), configuring digital link management (data link
608 management), 643
configuring caller identity (SIP connection), 598 configuring direct calling for SIP UAs through SIP
protocol (configuring domain name) (voice
configuring caller privacy (SIP connection), 598
management), 495
configuring call-out route (SIP local survival), 686,
configuring direct calling for SIP UAs through SIP
702
protocol (configuring static IP address) (voice
configuring CE1/PRI interface (WAN), 51 management), 492
configuring channel busy test (WLAN), 146 configuring DMZ host (NAT), 154
configuring clear type wireless service, 64 configuring domain name resolution (DNS), 211
configuring client mode (wireless service), 114 configuring domain name suffix (DNS), 211
configuring client-initiated VPN (L2TP), 396 configuring dynamic address pool for DHCP server,
configuring codec transparent transmission (SIP 228
trunk), 626 configuring dynamic blacklist (WLAN security),
configuring codec transparent transmission 126
(SIP-to-SIP call settings), 552 configuring dynamic domain name resolution
configuring coding parameters for call route, 548 (DNS), 208

configuring coding parameters for local number, configuring dynamic NAT, 152
545 configuring dynamic rate limiting (WLAN QoS),
configuring compatibility (SIP connection), 600 143

configuring connection limit (NAT), 157 configuring E&M subscriber line (line management),
669
configuring connection properties (SIP connection),
593 configuring E1 (data link management), 657

configuring connection properties (VoIP), 485 configuring E1 voice DSS1 signaling (data link
management), 657
configuring crypto type wireless service, 72
configuring entity type selection priority rules (dial
configuring CT1/PRI interface (WAN), 54 plan), 570
configuring custom application (application configuring Ethernet interface (WAN), 43
control), 190
configuring extension secondary call on a call
configuring data transmit rates (radio), 121 node (IVR), 726
configuring DDNS, 218, 219 configuring fax, 512
configuring DHCP, 232 configuring fixed ARP (ARP attack protection), 374
configuring DHCP client, 224 configuring FXO voice subscriber line (line
configuring DHCP interface setup, 225 management), 666, 674

configuring DHCP relay agent, 224, 240 configuring FXS voice subscriber line (line
management), 663
configuring DHCP server, 223
configuring global key policy (IVR), 707
configuring DHCP server group, 231
configuring gratuitous ARP, 365
configuring DHCP without relay agent, 233
configuring GRE over IPv4 tunnel, 402, 404
configuring dial plan, 558, 565
configuring hunt group (call service), 529

configuring immediate secondary call on a service configuring media security (SIP connection), 598
node (IVR), 730
configuring modem, 512
configuring internal server (NAT), 155, 160
configuring MSTP, 333, 339
configuring intrusion detection (attack protection),
configuring MSTP globally, 334
180
configuring MSTP on port, 337
configuring IP addresses excluded from dynamic
allocation (DHCP), 230 configuring MSTP region, 333

configuring IPsec connection (IPsec VPN), 376 configuring NAT, 158

configuring IPsec VPN, 375, 384 configuring number match (dial plan), 558

configuring IPv4 static route, 200 configuring number match mode (dial plan), 565

configuring ISDN line (line management), 672 configuring number substitution (dial plan), 563,
577
configuring IVR, 706, 717
configuring one-to-one binding between FXS and
configuring IVR nodes, 709
FXO (line management), 675
configuring jump node (IVR), 712, 728
configuring out-of-band DTMF transmission mode
configuring L2TP, 389, 396 for SIP (call route), 550
configuring line management, 663, 674 configuring packet filtering for user group, 310
configuring line management (batch configuration) configuring parameters for call route (other than
(IVR), 772 coding parameter), 549
configuring local MAC authentication, 94 configuring parameters for local number (other
than coding parameter), 547
configuring local number (advanced settings), 545
configuring parameters for VLAN interface, 59
configuring local number (batch configuration)
(IVR), 761 configuring periodic sending of gratuitous ARP
packets (ARP attack protection), 371
configuring local number (voice management),
489, 492 configuring PKI (certificate management), 413,
423
configuring local number parameters (fax), 512
configuring PKI domain (certificate management),
configuring local number parameters (modem),
416
512
configuring PKI entity (certificate management),
configuring local numbers (VoIP), 485
415
configuring local SIP server to operate in alive
configuring PKI entity to request certificate from CA
mode (SIP local survival), 692
(method I) (certificate management), 423
configuring local SIP server to operate in alone
configuring PKI entity to request certificate from CA
mode (SIP local survival), 689
(method II) (certificate management), 427
configuring login control, 360
configuring private hosts to access public network
configuring MAC address filtering, 173 (NAT), 158
configuring MAC address filtering type, 171 configuring proxy server (SIP connection), 595
configuring MAC addresses to be filtered, 172 configuring proxy server involved calling for SIP
configuring match order of number selection rules UAs (voice management), 499
(dial plan), 567 configuring PSK authentication, 90

configuring PSTN call release cause code mapping configuring SIP server group (SIP trunk), 620
(SIP connection), 606
configuring SIP server group with multiple member
configuring QoS, 258, 267 servers (SIP trunk), 635
configuring RADIUS, 351 configuring SIP server group with only one member
server (SIP trunk), 627
configuring RADIUS scheme, 346
configuring SIP session refresh (SIP connection),
configuring RADIUS user (WiNet), 473
599
configuring registrar (SIP connection), 593
configuring SIP status code mapping (SIP
configuring registration parameters (SIP connection), 607
connection), 602
configuring SIP trunk, 619, 627
configuring remote 802.1x authentication, 101
configuring SIP trunk account, 621
configuring remote MAC authentication, 97
configuring SNMP, 288
configuring route, 197
configuring SNMP agent, 275
configuring rule for Ethernet frame header ACL,
configuring SNMP agent (SNMP lite), 456
253
configuring SNMP community, 280
configuring SA interface (WAN), 46
configuring SNMP group, 281
configuring secondary call on a call node (match
number length) (IVR), 721 configuring SNMP lite, 458
configuring secondary call on a call node (match configuring SNMP trap function, 285
number) (IVR), 724
configuring SNMP user, 283
configuring secondary call on a call node (match
configuring SNMP view, 278
terminator of numbers) (IVR), 717
configuring SNMPv1, 288
configuring secondary call on a service node (IVR),
732 configuring SNMPv1 (SNMP lite), 458

configuring service (SIP local survival), 684 configuring SNMPv2c, 288

configuring service management (system configuring SNMPv2c (SNMP lite), 458


management), 444 configuring SNMPv3, 292
configuring service node (IVR), 714 configuring SNMPv3 (SNMP lite), 459
configuring session properties (SIP connection), configuring source address binding (SIP
595 connection), 596
configuring signaling security (SIP connection), configuring SRTP for SIP calls (SIP connection), 610
605
configuring static address pool for DHCP server,
configuring silent monitor service (call service), 226
534
configuring static ARP, 365
configuring SIP connection, 608
configuring static blacklist (WLAN security), 128
configuring SIP listening (SIP connection), 597
configuring static rate limiting (WLAN QoS), 142
configuring SIP local survival, 684, 689
configuring subnet limit (QoS), 258, 267
configuring SIP local survival services (batch
configuration) (IVR), 776 configuring T1 (data link management), 657

configuring SIP server group, 614

configuring TCP to carry outgoing SIP calls (SIP creating IPv4 ACL, 248
connection), 611
creating IPv4 static route, 197
configuring three-party conference (call service),
creating menu (IVR), 741
520, 532
creating rule for advanced IPv4 ACL, 250
configuring TLS to carry outgoing SIP calls (SIP
connection), 612 creating rule for basic IPv4 ACL, 249

configuring TR-069 (system management), 452 creating static ARP entry, 363

configuring trunk mode calling (voice creating user (system management), 446
management), 506 creating VLAN, 58
configuring trusted nodes (SIP local survival), 686 creating VLAN interface, 58
configuring URL filtering, 169 creating wireless access service, 63
configuring user, 306 destroying RSA key pair (certificate management),
configuring user (SIP local survival), 685 420

configuring user group, 306, 312 displaying 3G information, 148

configuring user isolation (WLAN security), 130 displaying 3G wireless card state information, 28

configuring user-based load sharing, 204 displaying active call summary (call statistics), 780

configuring VE1 line (data link management), 643 displaying active route table, 199

configuring VLAN, 57 displaying ARP entries, 362

configuring VLAN interface, 57 displaying broadband connection information, 27

configuring VLAN member port, 59 displaying call statistics, 779

configuring voice functions (call service), 522 displaying certificate (certificate management),
420
configuring voice mailbox server (SIP connection),
604 displaying client information (wireless service), 82

configuring VT1 line (data link management), 648 displaying client mode statistics (wireless service),
113
configuring whitelist (WLAN security), 128
displaying client statistics (WLAN QoS), 138
configuring whitelist function (WLAN security), 126
displaying configuration wizard homepage (VoIP),
configuring WiNet, 470, 474
484
configuring WiNet establishment, 474
displaying CRL (certificate management), 422
configuring WiNet-based RADIUS authentication,
displaying detailed device information, 27
480
displaying detailed information about analog voice
configuring wireless access, 87
subscriber lines (line states), 778
configuring wireless access service, 63
displaying detailed information about digital voice
configuring wireless QoS (WLAN QoS), 140 subscriber lines (line states), 778
configuring wireless QoS (WLAN QoS), 131 displaying device information, 25
configuring wireless service, 87 displaying external interface traffic ordering
statistics, 207
connecting wireless service (client mode), 112
displaying history call summary (call statistics), 780
creating GRE tunnel, 402

displaying internal interface traffic ordering enabling bridge set, 299
statistics, 206
enabling DHCP, 225
displaying IPsec VPN monitoring information, 383
enabling DNS proxy, 209, 210
displaying ISDN link state (data link management),
enabling dynamic domain name resolution (DNS),
656
210
displaying IVR call states, 785
enabling L2TP, 389
displaying IVR information, 785
enabling learning of dynamic ARP entries, 364
displaying IVR play states, 786
enabling SIP trunk function, 620
displaying L2TP tunnel information, 396
enabling SNMP agent function, 277
displaying LAN information, 29
enabling WiNet, 470
displaying line states, 777
enabling wireless QoS (WLAN QoS), 131
displaying local survival service states, 783
finishing configuration wizard (VoIP), 486
displaying number register status (SIP UA states),
generating RSA key pair (certificate management),
782
419
displaying number subscription status (SIP UA
loading applications (application control), 189
states), 783
logging in to web interface, 1
displaying radio statistics (WLAN QoS), 136
logging out of the web interface, 2
displaying recent system logs, 30
managing pin code (3G management), 150
displaying RF ping information (wireless service),
86 managing service (system management), 443

displaying server group information, 785 managing users (system management), 446

displaying service information, 30 managing WiNet, 471

displaying SIP trunk account states, 784 rebooting device (system management), 443

displaying SIP UA states, 781 removing ARP entries, 363

displaying SNMP packet statistics, 287 requesting local certificate (certificate


management), 421
displaying syslog, 462
restoring device files through USB port (system
displaying TCP connection information (SIP UA
management), 442
states), 781
retrieving certificate (certificate management), 420
displaying TLS connection information (SIP UA
states), 782 retrieving CRL (certificate management), 422

displaying wireless access service information, 80 selecting country (VoIP), 484

displaying wireless service information, 80 setting background image for WiNet topology
diagram, 471
displaying wireless services bound to a radio, 123
setting buffer capacity (syslog), 464
displaying WLAN information, 29
setting CAC admission policy (WLAN QoS), 133
enabling application control, 191
setting EDCA parameters for wireless clients
enabling application layer protocol check (NAT),
(WLAN QoS), 134
157
enabling blacklist function (attack protection), 178

setting LAN interface parameters (web interface), viewing blacklist entries (attack protection), 179
38
viewing general information of an interface (WAN),
setting loghost (syslog), 463 55
setting radio EDCA parameters for APs (WLAN process
QoS), 133
customizable (IVR), 705
setting rate limiting (WLAN QoS), 139
dial plan, 553
setting refresh interval (syslog), 464
property
setting super password for switching to
configuring connection properties (VoIP), 485
management level, 447
configuring session properties (SIP connection),
setting SVP service (WLAN QoS), 132
595
setting traffic ordering interval, 206
protocol
setting WAN interface parameters (web interface),
configuring direct calling for SIP UAs through SIP
31
protocol (configuring domain name) (voice
setting WAN interface parameters for management), 495
ADSL/G.SHDSL (web interface), 34
configuring direct calling for SIP UAs through SIP
setting WAN interface parameters for CE1/PR1 protocol (configuring static IP address) (voice
(web interface), 36 management), 492
setting WAN interface parameters for CT1/PR1 enabling application layer protocol check (NAT),
(web interface), 38 157
setting WAN interface parameters for Ethernet FoIP (fax), 510
(web interface), 32
MSTP, 332
setting WAN interface parameters for SA (web
SIP support for transport layer protocols (call
interface), 34
connection), 590
setting WLAN interface parameters (web interface),
SIP trunk, 619
40
proxy
specifying DNS server, 210
configuring proxy server (SIP connection), 595
specifying traffic ordering mode, 206
configuring proxy server involved calling for SIP
starting basic configuration wizard (web interface),
UAs (voice management), 499
31
enabling DNS proxy, 209, 210
switching user access level to management level,
448 PSK

synchronizing user group configuration for WAN configuring PSK authentication, 90


interfaces, 312 PSTN
upgrading software for A-MSR20/30/50 series configuring PSTN call release cause code mapping
(system management), 455 (SIP connection), 606
upgrading software for A-MSR900/A-MSR20-1X QoS
series (system management), 454
advanced limit, 257
uploading media resource files (IVR), 706
advanced queue, 258
validating basic services configuration (web
interface), 41 appendix packet priorities, 272

configuration, 256 device (system management), 443
configuring, 258, 267 refresh
configuring advanced limit, 260 configuring SIP session refresh (SIP connection),
599
configuring advanced queue, 263, 269
refresh interval
configuring subnet limit, 258, 267
setting (syslog), 464
configuring wireless QoS (WLAN QoS), 131
registering
enabling wireless QoS (WLAN QoS), 131
configuring registration parameters (SIP
subnet limit, 257
connection), 602
queue
regular expression (dial plan), 554
advanced queue (QoS), 258
relay agent
radio
configuring DHCP relay agent, 224
configuration, 117
removing
configuring 802.11b/802.11g rates, 121
ARP entries, 363
configuring 802.11n MCS, 122
requesting
configuring data transmit rates, 121
local certificate (certificate management), 421
displaying detailed information, 123
restoring
displaying information, 123
configuration (system management), 441
displaying statistics (WLAN QoS), 136
device files through USB port (system management),
displaying wireless services bound to a radio, 123 442
setting radio EDCA parameters for APs (WLAN retrieving
QoS), 133
certificate (certificate management), 420
RADIUS
CRL (certificate management), 422
configuration, 346
RF ping
configuring, 351
displaying RF ping information (wireless service),
configuring RADIUS user (WiNet), 473 86
configuring scheme, 346 route
configuring WiNet-based RADIUS authentication, configuration, 197
480
configuring, 197
RADIUS client
configuring call route (voice management), 490
configuration guidelines, 357
configuring call service of a call route, 524
rate
configuring IPv4 static route, 200
configuring dynamic rate limiting (WLAN QoS),
creating IPv4 static route, 197
143
displaying active route table, 199
configuring static rate limiting (WLAN QoS), 142
RSA
setting rate limiting (WLAN QoS), 139
applying RSA digital signature in IKE negotiation
rebooting
(certificate management), 432

destroying key pair (certificate management), 420 configuring match order of number selection rules
(dial plan), 567
generating key pair (certificate management), 419
country (VoIP), 484
RSTP
sending
introduction, 327
configuring periodic sending of gratuitous ARP
rule
packets (ARP attack protection), 371
configuring call match rules (SIP trunk), 637
server
configuring entity type selection priority rules (dial
configuring DHCP server, 223
plan), 570
configuring DHCP server group, 231
configuring match order of number selection rules
(dial plan), 567 configuring internal server (NAT), 155, 160
configuring rule for Ethernet frame header ACL, configuring proxy server (SIP connection), 595
253
configuring proxy server involved calling for SIP
creating rule for advanced IPv4 ACL, 250 UAs (voice management), 499
creating rule for basic IPv4 ACL, 249 configuring voice mailbox server (SIP connection),
604
SA
specifying DNS server, 210
configuring interface (WAN), 46
server group information
saving
displaying, 785
configuration (system management), 439
service
scanning
configuring (SIP local survival), 684
configuring ARP automatic scanning (ARP attack
protection), 372 configuring CAC service (WLAN QoS), 140
scheme customizing (IVR), 740, 747, 749
configuring RADIUS scheme, 346 displaying information, 30
searching displaying wireless access service information, 80
web interface, 18 displaying wireless service information, 80
security integrated management, 30
configuring media security (SIP connection), 598 support for SIP voice service of the VCX (call
service), 520
configuring signaling security (SIP connection),
605 validating basic services configuration (web
interface), 41
SIP (call connection), 590
session
SIP media flow encryption (call connection), 591
configuring session properties (SIP connection),
SIP signaling encryption (call connection), 590
595
SIP TLS-SRTP combinations (call connection), 591
configuring SIP session refresh (SIP connection),
selecting 599
configuring entity type selection priority rules (dial setting
plan), 570
background image for WiNet topology diagram,
471

buffer capacity (syslog), 464 configuring direct calling for SIP UAs through SIP
protocol (configuring static IP address) (voice
CAC admission policy (WLAN QoS), 133
management), 492
district code (WLAN), 145
configuring out-of-band DTMF transmission mode
EDCA parameters for wireless clients (WLAN QoS), for SIP (call route), 550
134
configuring proxy server involved calling for SIP
LAN interface parameters (web interface), 38 UAs (voice management), 499
loghost (syslog), 463 features (call connection), 586
radio EDCA parameters for APs (WLAN QoS), functions (call connection), 586
133
fundamentals (call connection), 587
rate limiting (WLAN QoS), 139
media flow encryption (call connection), 591
refresh interval (syslog), 464
messages (call connection), 587
super password for switching to management level,
security (call connection), 590
447
signaling encryption (call connection), 590
SVP service (WLAN QoS), 132
SIP Modem pass-through function, 512
system time (system management), 449
support for SIP extensions (call connection), 592
system time zone (system management), 450
support for SIP voice service of the VCX (call
traffic ordering interval, 206
service), 520
WAN interface parameters (web interface), 31
support for transport layer protocols (call
WAN interface parameters for ADSL/G.SHDSL connection), 590
(web interface), 34
terminology (call connection), 585
WAN interface parameters for CE1/PR1 (web
TLS-SRTP combinations (call connection), 591
interface), 36
SIP (call connection), 585
WAN interface parameters for CT1/PR1 (web
interface), 38 SIP connection
WAN interface parameters for Ethernet (web configuration, 593
interface), 32
configuring, 608
WAN interface parameters for SA (web interface),
configuring advanced settings, 602
34
configuring basic SIP calling features, 608
WLAN interface parameters (web interface), 40
configuring call release cause code mapping, 606
signaling
configuring caller ID blocking, 608
configuring E1 voice DSS1 signaling (data link
management), 657 configuring caller identity, 598

configuring signaling security (SIP connection), configuring caller privacy, 598


605 configuring compatibility, 600
silent monitor service (call service), 519 configuring connection properties, 593
SIP configuring media security, 598
configuring direct calling for SIP UAs through SIP configuring proxy server, 595
protocol (configuring domain name) (voice
management), 495

configuring PSTN call release cause code mapping, configuring call route advanced settings for SIP
606 trunk account, 624
configuring registrar, 593 configuring call route fax parameters for SIP trunk
account, 624
configuring registration parameters, 602
configuring call route for inbound calls, 626
configuring session properties, 595
configuring call route for outbound calls, 622
configuring signaling security, 605
configuring call route for SIP trunk account, 622
configuring SIP listening, 597
configuring call route modem parameters for SIP
configuring SIP session refresh, 599
trunk account, 624
configuring SIP status code mapping, 607
configuring codec transparent transmission, 626
configuring source address binding, 596
configuring SIP server group, 620
configuring SRTP for SIP calls, 610
configuring SIP server group with multiple member
configuring TCP to carry outgoing SIP calls, 611 servers, 635
configuring TLS to carry outgoing SIP calls, 612 configuring SIP server group with only one member
configuring voice mailbox server, 604 server, 627

SIP local survival configuring SIP trunk account, 621

configuration, 683 enabling SIP trunk function, 620

configuring, 684, 689 features, 618

configuring area prefix, 687, 699 protocol, 619

configuring call authority control, 688, 694 standard, 619

configuring call-out route, 686, 702 typical applications, 618

configuring local SIP server to operate in alive SIP trunk account states
mode, 692 displaying, 784
configuring local SIP server to operate in alone SIP UA states
mode, 689
displaying, 781
configuring service, 684
SIP-to-SIP call settings
configuring trusted nodes, 686
configuration, 552
configuring user, 685
configuring codec transparent transmission, 552
SIP server group management
SNMP
configuration, 614
configuration, 275
configuring SIP server group, 614
configuring, 288
SIP trunk
configuring community, 280
background, 617
configuring group, 281
configuration, 617
configuring SNMP agent, 275
configuring, 619, 627
configuring SNMPv1, 288
configuring call match rules, 637
configuring SNMPv2c, 288
configuring SNMPv3, 292

configuring trap function, 285 displaying, 777
configuring user, 283 displaying client statistics (WLAN QoS), 138
configuring view, 278 displaying external interface traffic ordering
statistics, 207
displaying SNMP packet statistics, 287
displaying internal interface traffic ordering
enabling SNMP agent function, 277
statistics, 206
SNMP lite
displaying radio statistics (WLAN QoS), 136
configuration, 456
displaying SNMP packet statistics, 287
configuring, 458
viewing statistics of an interface (WAN), 55
configuring SNMP agent, 456
status
configuring SNMPv1, 458
configuring SIP status code mapping (SIP
configuring SNMPv2c, 458 connection), 607
configuring SNMPv3, 459 subnet limit (QoS), 257
software upgrade subscriber
A-MSR20/30/50 series (system management), CID on FXO voice subscriber line (call service),
454 520
A-MSR900/A-MSR20-1X series (system CID on FXS voice subscriber line (call service), 519
management), 454
configuring E&M subscriber line (line management),
sorting 669
web interface, 20 configuring FXO voice subscriber line (line
source management), 666, 674

configuring source address binding (SIP configuring FXS voice subscriber line (line
connection), 596 management), 663

specifying E&M subscriber line (line management), 660

DNS server, 210 FXO voice subscriber line (line management), 660

traffic ordering mode, 206 FXS voice subscriber line (line management), 660

SRTP one-to-one binding between FXS and FXO voice


subscriber lines (line management), 662
configuring SRTP for SIP calls (SIP connection), 610
subscription service, 787
standard
suffix
FoIP (fax), 510
configuring domain name suffix (DNS), 211
MSTP, 332
support
SIP trunk, 619
support for SIP voice service of the VCX (call
starting service), 520
basic configuration wizard (web interface), 31 support and other resources, 787
states SVP
displaying, 777 setting SVP service (WLAN QoS), 132
statistics switching

setting super password for switching to management level, 447
user access level to management level, 448
symbols, 788
synchronizing
user group configuration for WAN interfaces, 312
syslog
configuration, 462
displaying, 462
setting buffer capacity, 464
setting loghost, 463
setting refresh interval, 464
system
displaying recent system logs, 30
system management
backing up configuration, 440
backing up device files through USB port, 442
configuration, 439
configuration management, 439
configuring service management, 444
configuring TR-069, 450, 452
creating user, 446
initialize configuration, 440
managing service, 443
managing users, 446
rebooting device, 443
restoring configuration, 441
restoring device files through USB port, 442
save configuration, 439
setting super password for switching to management level, 447
setting system time, 449
setting system time zone, 450
software upgrade for A-MSR20/30/50 series, 454
software upgrade for A-MSR900/A-MSR20-1X series, 454
switching user access level to management level, 448
system time, 448
TR-069 basic functions, 451
TR-069 network framework, 451
upgrading software for A-MSR20/30/50 series, 455
upgrading software for A-MSR900/A-MSR20-1X series, 454
system time
setting (system management), 449
system time (system management), 448
system time zone
setting (system management), 450
T1
configuring (data link management), 657
features (data link management), 641
interface (data link management), 640
introduction (data link management), 640
voice functions (data link management), 640
TCP
configuring TCP to carry outgoing SIP calls (SIP connection), 611
TCP connection information
displaying (SIP UA states), 781
testing
channel busy test (WLAN), 145
three-party conference (call service), 518
timeout
timeout processing methods (IVR), 706
TLS
configuring TLS to carry outgoing SIP calls (SIP connection), 612
TLS connection information
displaying (SIP UA states), 782

tools operations (diagnostic tools), 467
topology
setting background image for WiNet topology diagram, 471
TR-069
basic functions (system management), 451
configuring (system management), 450
network framework (system management), 451
TR-069 configuration
configuration guidelines, 453
trace route, 466
operation (diagnostic tools), 467
traffic ordering
configuration, 205
displaying external interface traffic ordering statistics, 207
displaying internal interface traffic ordering statistics, 206
setting interval, 206
specifying mode, 206
transmitting
configuring out-of-band DTMF transmission mode for SIP (call route), 550
trap
configuring SNMP trap function, 285
troubleshooting
failure to access device through web interface, 21
web browser, 21
trunk
configuring trunk mode calling (voice management), 506
trusted nodes
configuring (SIP local survival), 686
tunnel
configuring GRE over IPv4 tunnel, 402, 404
creating GRE tunnel, 402
displaying L2TP tunnel information, 396
upgrading
software for A-MSR20/30/50 series (system management), 455
software for A-MSR900/A-MSR20-1X series (system management), 454
uploading
media resource files (IVR), 706
URL filtering
configuration, 167
configuring, 169
USB
backing up device files through USB port (system management), 442
restoring device files through USB port (system management), 442
user
configuring, 306
configuring (SIP local survival), 685
configuring access control for user group, 307
configuring application control for user group, 308
configuring bandwidth control for user group, 309
configuring packet filtering for user group, 310
configuring RADIUS user (WiNet), 473
configuring SNMP user, 283
configuring user group, 306, 312
managing current web user, 21
switching user access level to management level, 448
user isolation (WLAN security), 129
web user level, 4
user group
configuration, 305
configuring, 306, 312
configuring access control, 307
configuring application control, 308
configuring bandwidth control, 309
configuring packet filtering, 310

synchronizing configuration for WAN interfaces, 312
user-based load sharing
configuration, 204
validating
basic services configuration (web interface), 41
VCX
support for SIP voice service of the VCX (call service), 520
VE1
configuring VE1 line (data link management), 643
viewing
blacklist entries (attack protection), 179
general information and statistics of an interface (WAN), 55
VLAN
configuration, 57
configuration guidelines, 61
configuring, 57
configuring access service-based VLAN, 88
configuring interface parameters, 59
configuring member port, 59
creating, 58
voice
CID on FXO voice subscriber line (call service), 520
CID on FXS voice subscriber line (call service), 519
codecs (IVR), 705
configuring E1 voice DSS1 signaling (data link management), 657
configuring FXO voice subscriber line (line management), 666, 674
configuring FXS voice subscriber line (line management), 663
configuring voice functions (call service), 522
configuring voice mailbox server (SIP connection), 604
customizable voice prompts (IVR), 705
FXO voice subscriber line (line management), 660
FXS voice subscriber line (line management), 660
one-to-one binding between FXS and FXO voice subscriber lines (line management), 662
support for SIP voice service of the VCX (call service), 520
voice management
basic settings, 489
configuration, 488
configuring call route, 490
configuring direct calling for SIP UAs through SIP protocol (configuring domain name), 495
configuring direct calling for SIP UAs through SIP protocol (configuring static IP address), 492
configuring local number, 489
configuring proxy server involved calling for SIP UAs, 499
configuring trunk mode calling, 506
VoIP
basic service configuration, 484
basic service setup, 484
configuration (basic service), 484
configuring connection properties, 485
configuring local numbers, 485
displaying configuration wizard homepage, 484
finishing configuration wizard, 486
selecting country, 484
VT1
configuring VT1 line (data link management), 648
waiting
message waiting indication (call service), 518
WAN
configuring ADSL/G.SHDSL interface, 47
configuring CE1/PRI interface, 51
configuring CT1/PRI interface, 54
configuring Ethernet interface, 43
configuring SA interface, 46

setting interface parameters (web interface), 31
setting interface parameters for ADSL/G.SHDSL (web interface), 34
setting interface parameters for CE1/PR1 (web interface), 36
setting interface parameters for CT1/PR1 (web interface), 38
setting interface parameters for Ethernet (web interface), 32
setting interface parameters for SA (web interface), 34
synchronizing user group configuration for WAN interfaces, 312
viewing general information and statistics of an interface, 55
WAN interface configuration, 43
web interface
common buttons and elements, 17
common elements, 17
configuration (basic services), 31
configuration guidelines, 21
displaying content by pages, 17
introduction, 2
logging in, 1
logging out, 2
managing current web user, 21
managing web-based NM through CLI, 21
search function, 18
setting LAN interface parameters, 38
setting WAN interface parameters, 31
setting WAN interface parameters for ADSL/G.SHDSL, 34
setting WAN interface parameters for CE1/PR1, 36
setting WAN interface parameters for CT1/PR1, 38
setting WAN interface parameters for Ethernet, 32
setting WAN interface parameters for SA, 34
setting WLAN interface parameters, 40
sorting function, 20
starting basic configuration wizard, 31
troubleshooting web browser, 21
user level, 4
validating basic services configuration, 41
webpage redirection
configuration, 195
websites, 787
whitelist
configuring whitelist (WLAN security), 128
WiNet
configuration, 469
configuring, 470, 474
configuring RADIUS user, 473
configuring WiNet establishment, 474
configuring WiNet-based RADIUS authentication, 480
enabling, 470
managing, 471
setting background image for WiNet topology diagram, 471
wireless access
configuring, 87
wireless card
displaying 3G wireless card state information, 28
wireless service
configuration, 62, 87
configuration guidelines, 88
configuring access service-based VLAN, 88
configuring clear type wireless service, 64
configuring client mode, 114
configuring crypto type wireless service, 72
configuring wireless access service, 63
connecting (client mode), 112
creating wireless access service, 63

displaying client information, 82
displaying client mode statistics, 113
displaying information, 80
displaying RF ping information, 86
displaying wireless access service information, 80
displaying wireless services bound to a radio, 123
enabling client mode, 111
security parameter dependencies (clear type wireless service), 79
security parameter dependencies (crypto type wireless service), 79
wizard
setting LAN interface parameters (web interface), 38
setting WAN interface parameters (web interface), 31
setting WAN interface parameters for ADSL/G.SHDSL (web interface), 34
setting WAN interface parameters for CE1/PR1 (web interface), 36
setting WAN interface parameters for CT1/PR1 (web interface), 38
setting WAN interface parameters for Ethernet (web interface), 32
setting WAN interface parameters for SA (web interface), 34
setting WLAN interface parameters (web interface), 40
starting basic configuration wizard (web interface), 31
WLAN
advanced configuration, 145
channel busy test, 145
configuring channel busy test, 146
displaying information, 29
district code, 145
setting district code, 145
setting interface parameters (web interface), 40
WLAN QoS
configuration, 131
configuring CAC service, 140
configuring wireless QoS, 131, 140
enabling wireless QoS, 131
setting CAC admission policy, 133
setting EDCA parameters for wireless clients, 134
setting radio EDCA parameters for APs, 133
setting SVP service, 132
WLAN security
blacklist, 126
configuration, 126
configuring blacklist function, 126
configuring dynamic blacklist (WLAN security), 126
configuring static blacklist (WLAN security), 128
configuring user isolation, 130
configuring whitelist (WLAN security), 128
configuring whitelist function, 126
user isolation, 129
whitelist, 126
