H3C SecPath Series, Operation Manual

Page 1: ...ging PPP Link Efficiency Mechanism 1 16 1 4 Typical PPP Configuration Example 1 17 1 4 1 PAP Authentication 1 17 1 4 2 CHAP Authentication 1 18 1 5 Troubleshooting PPP 1 19 Chapter 2 PPPoE Server Configuration 2 1 2 1 Introduction to PPPoE 2 1 2 2 PPPoE Server Configuration 2 1 2 2 1 Creating a Virtual Template 2 1 2 2 2 Enabling Disabling PPPoE Server 2 2 2 2 3 Configuring PPPoE Server Parameters...

Page 2: ...ts Table of Contents ii 3 4 2 Connecting a LAN to the Internet Through an ADSL Modem 3 7 Chapter 4 VLAN Configuration 4 1 4 1 Introduction to VLAN 4 1 4 2 Basic VLAN Configuration 4 3 4 3 Displaying and Debugging VLAN 4 3 4 4 Typical VLAN Configuration Example 4 4 ...

Page 3: ...word to the authenticating party z The authenticator will check if the username and password are correct according to local user list and then return different responses Acknowledge or Not Acknowledge 2 CHAP authentication CHAP Challenge Handshake Authentication Protocol is a 3 way handshake authentication protocol and the password is sent encrypted The process of CHAP authentication is as follows...

Page 4: ...red it enters the Authenticate phase and starts the CHAP PAP authentication 4 If the authentication fails it will enter the Terminate phase to remove the link and the LCP will go down If the authentication succeeds it will proceed to start the network negotiation NCP In this case the LCP state is still Opened while the state of IP control protocol IPCP is changed from Initial to Request 5 NCP nego...

Page 5: ...w Table 1 1 Configure PPP encapsulation on the interface Operation Command Configure PPP encapsulation on the interface link protocol ppp The link layer protocol encapsulated on the dialer and virtual template interfaces defaults to PPP 1 2 2 Configuring the Polling Interval Data link protocols such as PPP FR and HDLC use a timer to monitor the status of the link periodically The polling interval ...

Page 6: ...ter the corresponding view in system view local user username Configure the password for the local user in local user view password simple cipher password Cancel the password of the local user in local user view undo password Set the callback and caller number attributes of the PPP user in local user view service type ppp callback nocheck callback number callback number call number call number sub...

Page 7: ...em view local user username Configure the password for the local user in local user view password simple cipher password Cancel the password of the local user in local user view undo password Set the callback and caller number attributes of the PPP user in local user view service type ppp callback nocheck callback number callback number call number call number subcall number Restore the default ca...

Page 8: ...l firewall are null IV Configuring the local to be authenticated by the peer using CHAP Table 1 6 Configure the local to be authenticated by the peer with the CHAP approach Operation Command Create a local user and enter the local user view system view local user username Set a password for the local user in local user view password simple cipher password Cancel the password for the local user in ...

Page 9: ...ameters of NCP such as the configuration of local IP address and the IP address assigned to the peer refer to the Network Protocol Configuration part in this manual For example the ip address ppp negotiate command can be used to ask the peer to assign IP address for the local while the remote address command can be used to designate the local to assign IP address for the peer Perform the following...

Page 10: ...on the interface When PPP is disabled the negotiated IP address will be deleted z If the interface has an IP address the original IP address is deleted after you configure the interface to negotiate IP addresses z After you configure the interface to negotiate IP addresses you are not allowed to assign an IP address for the interface The negotiation can generate an IP address z After you configure...

Page 11: ...igh ip address Remove the configuration undo ip pool pool number Use the global address pool to assign an IP address for the PPP user remote address pool pool number Remove the configuration undo remote address By default if the remote address pool command and the domain address pool are not configured the IP address is not assigned for the peer When you configure the remote address pool command b...

Page 12: ...ered IP address is used z If the server delivers an IP address pool instead of an IP address the system searches for the IP address pool in turn in domain view and assigns an IP address for the PPP user z If the system assigns no IP address using the above two methods or the local authentication is adopted the system searches for the address pool in turn in domain view and assigns an IP address fo...

Page 13: ...ialup for example the firewall should allocate a DNS server address to the PC so that the PC can use its domain name to access the Internet When connected using PPP to the network access server NAS of the service provider the firewall should be able to request the NAS for a DNS server address or accept the unsolicited DNS server address for revolving domain names Perform the following configuratio...

Page 14: ...terface the PPP interface sends link quality reports LQRs instead for monitoring the link When the quality of the link is normal the system calculates link quality based on each LQR and shuts down the link if the results of two consecutive calculations are below the forbidden percentage After shutting down the link the system calculates link quality every ten LQRs and brings the link up again if t...

Page 15: ...nd link fragmentation and interleaving LFI I IP header compression IPHC is a host to host protocol that applies to transmit multimedia services such as voice and video over IP networks To decrease the bandwidth consumed by headers you may enable IP header compression on PP links to compress RTP including IP UDP and RTP headers or TCP headers The following describes how compression operates taking ...

Page 16: ... long each The information in some fields of these headers however is unchanged through the lifetime of the connection and needs sending only once while the information in some other fields changes but regularly and within a definite range Based on this idea VJ TCP header compression may compress a 40 byte TCP IP header to 3 to 5 bytes It can significantly improve the transmission speed of some ap...

Page 17: ...s sion enabled TCP connections ppp compression iphc tcp connections number Restore the default undo ppp compression iphc tcp connections The parameter number indicates the maximum connection number from 3 to 256 of TCP compression mode on the interface It is 16 by default III Configuring maximum number of compression enabled RTP connections You can configure maximum number of compression enabled R...

Page 18: ...pression on the PPP interface ip tcp vjcompress Disable VJ TCP header compression on the PPP interface undo ip tcp vjcompress By default VJ TCP header compression is disabled on the PPP interface 1 3 4 Displaying and Debugging PPP Link Efficiency Mechanism Table 1 21 Display and debug PPP link efficiency mechanism Operation Command Display statistics about TCP header compression display ppp compre...

Page 19: ...h the PAP approach II Network diagram SecPath1 SecPath 2 Ethernet1 0 0 Ethernet1 0 0 Figure 1 3 Network diagram of PAP and CHAP authentication III Configuration procedure 1 Configure SecPath1 Add a PPPoE user H3C local user secpath2 H3C luser secpath2 password simple pwd H3C luser secpath2 service type ppp Configure virtual template parameters on SecPath1 H3C interface virtual template 1 H3C Virtu...

Page 20: ...a PPPoE user H3C local user secpath2 H3C luser secpath2 password simple pwd Configure virtual template parameters on SecPath1 H3C interface virtual template 1 H3C Virtual Template1 ppp authentication mode chap H3C Virtual Template1 ppp chap user secpath1 H3C Virtual Template1 ip address 1 1 1 1 255 0 0 0 H3C Virtual Template1 remote address 1 1 1 2 Configure the PPPoE parameter on SecPath1 H3C int...

Page 21: ... up state Problem solving This problem may arise from the PPP authentication failure due to the incorrect configuration of PPP authentication parameters Enable the debugging of PPP and you will see the information describing that LCP went up with a successful LCP negotiation but went down after the PAP or CHAP negotiation Fault 2 The physical link fails to go up Problem solving Execute the display...

Page 22: ...PPPoE This is the very purpose of the Discovery phase After entering the Session phase of PPPoE the system can encapsulate the PPP packet as the payload of PPPoE frame into an Ethernet frame and then send the Ethernet frame to the peer In the frame the SESSION ID must be the one determined at the Discovery phase MAC address must be the address of the peer and the PPP packet section begins with the...

Page 23: ...erface view The commands in the following table concern Ethernet interfaces and are only valid for corresponding Ethernet interfaces More specifically While PPPoE is enabled on an Ethernet interface it is not accordingly enabled on other Ethernet interfaces Likewise when PPPoE is disabled on an Ethernet interface it is not necessarily disabled on other Ethernet interfaces Note Before beginning the...

Page 24: ...current system is allowed to set up pppoe server max sessions total number Restore the default maximum number of PPPoE sessions that the current system is allowed to set up undo pppoe server max sessions total 2 2 4 Enabling Disabling the PPPoE Server to Output PPP Related Log To avoid decreased device performance due to excessive log output you can disable the PPPoE server to output log informati...

Page 25: ...Configuration Example I Network requirements In Figure 2 1 the hosts access the Internet through the firewall SecPath by making use of PPPoE II Network diagram Firewall SecPath is connected to the Ethernet through the interface Ethernet 1 0 0 and the Internet through Serial3 0 0 Internet Host Host SecPath Ethernet 1 0 0 Ethernet 3 0 0 Figure 2 1 PPPoE network diagram III Configuration procedure Ad...

Page 26: ...ain to use the local authentication scheme H3C domain system H3C isp system scheme local Add a local IP address pool containing nine IP addresses H3C isp system ip pool 1 1 1 1 2 1 1 1 10 When installed with PPPoE client software and configured with user name and password every host on the Ethernet can access the Internet through the firewall with PPPoE If radius scheme or hwtacacs scheme is confi...

Page 27: ...eate a PPPoE Session ID Whereas PPP establishes a peer correlation PPPoE however establishes a client server correlation in the Discovery phase During the Discovery phase a host client can discover an access concentrator server After the Discovery phase the host and the concentrator can establish PPPoE session via the MAC address and session ID z PPP Session phase At the beginning of the PPP Sessi...

Page 28: ...nally installing PPPoE client dialing software by the user 3 2 Configuring the PPPoE Client Fundamental PPPoE configuration tasks include z Configure a dialer interface z Configure a PPPoE session Advanced PPP configuration task includes z Terminate a PPPoE session 3 2 1 Configuring a Dialer Interface Before configuring PPPoE session you should first configure a dialer interface and configure a di...

Page 29: ...e refer to the chapter discussing DDD configurations in the Dial up part of this manual 3 2 2 Configuring a PPPoE Session PPPoE session can be configured on a physical Ethernet interface or a virtual Ethernet VE interface created on an ADSL interface When a firewall is to be linked to the Internet through an ADSL interface it is necessary to configure PPPoE session on the virtual Ethernet interfac...

Page 30: ... Only when there is data transmission requirement will the firewall initiate PPPoE call to create a PPPoE session If the free time of a PPPoE link exceeds the value set by user the firewall will automatically terminate the PPPoE session 3 2 3 Resetting Deleting a PPPoE Session Execute the reset pppoe client command and the reset pppoe server command in user view and the undo pppoe client command i...

Page 31: ...ure it 3 3 Displaying and Debugging the PPPoE Client Execute the display command in all views and the debugging command in user view Table 3 5 Displaying and Debugging the PPPoE client Operation Command Display the status and statistics of a PPPoE session display pppoe client session summary packet dial bundle number number Enable the PPPoE client debugging debugging pppoe client all data error ev...

Page 32: ...H3C Dialer1 dialer group 1 H3C Dialer1 dialer bundle 1 H3C Dialer1 ip address ppp negotiate H3C Dialer1 ppp pap local user secpath2 password simple pwd Configure a PPPoE session H3C interface ethernet 1 0 0 H3C Ethernet1 0 0 pppoe client dial bundle number 1 When CHAP authentication applies configure the firewalls as follows 1 Configure SecPath1 Add a PPPoE user H3C local user secpath2 H3C luser s...

Page 33: ...ber 1 3 4 2 Connecting a LAN to the Internet Through an ADSL Modem I Network requirements The PCs in the LAN access the Internet through SecPath A which connects to the DSLAM using an ADSL line in always on mode The ADSL account has a username of adsluser and a password of 123456 As the PPPoE server SecPath B connects to DSLAM through the Eth2 0 0 interface and provides RADIUS authentication and a...

Page 34: ...1 If the IP addresses of the PCs in the LAN are private addresses it is necessary to configure NAT Network Address Translation on the firewall The NAT configuration will not be elaborated here For details refer to the part about NAT configuration in the Security module of this manual 2 Configure SecPath B Add a PPPoE user H3C local user adsluser H3C luser adsluser password simple 123456 H3C luser ...

Page 35: ...e RADIUS scheme H3C radius scheme cams H3C radius cams primary authentication 10 110 91 146 1812 H3C radius cams primary accounting 10 110 91 146 1813 H3C radius cams key authentication expert H3C radius cams key accounting expert H3C radius cams server type extended H3C radius cams user name format with domain H3C radius cams quit See related materials for detailed configuration of RADIUS server ...

Page 36: ...AC addresses in the mapping table If it can find a match it will only send the frames to the corresponding ports if not it will forward them to all ports except for the receiving port In this way the collision domains are separated in their own ports and will not extend to other ports The switch as a kind of transparent device does not change the source and destination addresses of the Ethernet fr...

Page 37: ...d frames from one VLAN to another except that it is a layer 3 switch z It can enhance the security of LAN VLANs cannot directly communicate with one another that is the users in one VLAN cannot directly access those in other VLANs They need help of such layer 3 devices as routers or Layer 3 switches to fulfill the access z It provides virtual workgroups VLAN can be used to group different users to...

Page 38: ...figuration Operation Command Create an Ethernet subinterface and enter its view in system view interface subinterface type interface number Set the IP address of an Ethernet subinterface in interface view ip address ip address ip mask Set the encapsulation type of an Ethernet subinterface or a gigabit Ethernet subinterface and related VLAN ID in interface view vlan type dot1q vid vid Set the maxim...

Page 39: ... via subinterfaces As shown in the following figure the VLAN attributes of ports are specified on Switch 1 and Switch 2 thus the workstations A B C and D connected to these Switches belong to VLAN 10 or VLAN 20 The following is required z The addresses of subinterfaces Ethernet 3 0 0 1 Ethernet3 0 0 2 Ethernet4 0 0 1 and Ethernet4 0 0 2 are 1 0 0 1 2 0 0 1 3 0 0 1 and 4 0 0 1 respectively z Commun...

Page 40: ...P addresses Set the encapsulation type of each subinterface The encapsulation type of the Ethernet subinterface must keep consistent with what configured on the switch port and the associated VLAN ID Note After configuring the encapsulation type of the Ethernet subinterface the subinterface is set as permitted trunk H3C system view H3C interface ethernet 3 0 0 1 H3C Ethernet3 0 0 1 ip address 1 0 ...

Page 41: ... Security Products Chapter 4 VLAN Configuration 4 6 Set the maximum number of packets that VLAN10 can process into 100000 per second and that VLAN20 can process into 200000 per second H3C max packet process 100000 10 H3C max packet process 200000 20 ...