3Com Network Router 10014303 User Manual

3Com Router  
Configuration Guide for V1.20  
Part No. 10014303  
Published January 2004  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Chapter 1 Configuring Class-Based Queuing  
As an extension of WFQ, class based queuing (CBQ) provides users with class  
definition support. CBQ assigns individual FIFO reservation queues to the classes  
defined by each user to buffer data of the same class. When there is network  
congestion, CBQ matches outbound packets according to the classification rule  
defined by users to make them enter relevant queues. Before queue entry of packets,  
the congestion avoidance mechanism (tail-drop or weighted random early detection  
[WRED]) and bandwidth limit must first be checked. When packets leave the queues,  
weighted fair scheduling of packets in the queues corresponding to each class should  
be performed.  
LLQ  
BQ1  
BQ2  
Outgoing first  
Scheduling  
Sent packets  
IP Packets  
Classifying  
Sent queue  
¡- ¡-  
BQ64  
Figure 1-1 CBQ diagram  
If CBQ performs weighted fair treatment to queues of all classes, voice packets, the  
delay-sensitive data flow may not be sent out in time. Therefore, PQ is introduced to  
CBQ to create low latency queuing (LLQ), which provides strictly preferred sending  
service for such delay-sensitive data flow as voice packets.  
LLQ strictly combines PQ with CBQ. When a user defines a class, he can specify it to  
accept strict priority service. The class of this type is called priority class. All packets  
of the priority class enter the same priority queue. Before they enter a queue, the  
bandwidth limit of each class of packets should be checked. When packets go out of  
the queues, the packets in the priority queue are forwarded before packets in the  
queues corresponding to other classes. But if the maximum reservation bandwidth  
configured for LLQ is exceeded, the packets in other queue are sent. Weighted fair  
scheduling will be performed to the packets in other queues when they are forwarded.  
In order to avoid long time delay of packets in other queues, the maximum available  
bandwidth can be specified for each priority class during LLQ application for traffic  
3
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
policing upon congestion. If no congestion occurs, the priority class is permitted to  
use bandwidth exceeding the assigned value. In case of congestion, packets  
exceeding the assigned bandwidth of the priority class will be discarded. Burst size is  
also configurable under LLQ.  
When the system matches packets with rules, it matches priority classes before other  
classes. If there are multiple priority classes, they are matched one by one according  
to configuration sequence. The same procedure is used to match packets and rules in  
other classes. If there are multiple rules in a class, they are also matched one by one  
according to the configuration sequence.  
1.2 CBQ Configuration Tasks  
CBQ (Class Based Queuing) configuration includes:  
Define a class and enter the class view  
Configure matching rules of a class  
Define the policy and enter the policy view  
Configure class in policy and enter policy-class view  
Configure features of a class  
Apply a policy to an interface  
1.2.1 Define a Class and Enter the Class View  
Defines a class and enters class view.  
Perform the following configurations in the system view.  
Table 1-1 Define a class and enter the class view  
Operation  
Command  
Define a Class and Enter the Class  
View  
qos class [ logic-and | logic-or ] class-name  
Delete a class and enter class view  
undo qos class [ logic-and | logic-or ] class-name  
By default, a class named default-class is defined in the system. The class name  
defined by the user “class-name” cannot be default-class.  
By default, the defined class is logic-and and the interrelationship between matching  
rules in the class view is logical AND.  
1.2.2 Configure Matching Rules of a Class  
1) Define the rule for matching all packets  
Perform the following configurations in class view.  
4
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 1-2 Define/delete the rule matching all packets  
Operation  
Command  
Define the rule matching all packets  
Delete the rule matching all packets  
if-match [logic-not ] any  
undo if-match [logic- not ] any  
2) Define the class matching rule  
Perform the following configurations in class view.  
Table 1-3 Define/delete the class matching rule  
Operation  
Command  
Define the class matching rule  
Delete the class matching rule  
if-match [ logic-not ] class class-name  
undo if-match [ logic-not ] class class-name  
Note:  
This command cannot be used circularly. For example, qos class A defines the rules to match qos class  
B, while qos class B cannot define a rule matching qos class A directly or indirectly.  
3) Define the ACL matching rule  
Perform the following configurations in class view.  
Table 1-4 Define/delete ACL matching rule  
Operation  
Command  
if-match [ logic-not ] acl acl-number  
undo if-match [ logic-not ] acl acl-number  
Define ACL matching rule  
Delete ACL matching rule  
4) Define the MAC address matching rule  
Perform the following configurations in class view.  
Table 1-5 Define/delete the matching rule of a MAC address  
Operation  
Command  
Define MAC address matching rule  
if-match [ logic-not ] { destination-mac | source-mac } mac-address  
undo if-match [logic-not ] { destination-mac | source-mac }  
Delete MAC address matching rule  
mac-address  
Note:  
The matching rules of the destination MAC address are only meaningful for the policies in outbound  
direction and the interface of Ethernet type.  
5
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
The matching rules of the source MAC address are only meaningful for the policies in inbound direction  
and the interface of Ethernet type.  
5) Define the inbound interface matching rule of a class  
Perform the following configurations in class view.  
Table 1-6 Define/delete the inbound interface matching rule of a class  
Operation  
Command  
Define the inbound interface  
matching rule of a class  
Delete the inbound interface  
matching rule of a class  
if-match [ logic-not ] inbound-interface type number }  
undo if-match [ logic-not ] inbound-interface type number  
6) Define the DSCP matching rule  
The differentiated services code point (DSCP) is a refined field from the 6 high bits of  
ToS bytes in IP header by IETF DiffServ workgroup.In the solution submitted by  
DiffServ, services are classified and traffic is controlled according to service  
requirements at the network ingress. Simultaneously, DSCP is set. Communication  
(including resource allocation, packet discard policy, etc.) is classified and served on  
the basis of the grouped DSCP values  
You can set classified matching rules according to DSCP values.  
Perform the following configurations in class view.  
Table 1-7 Define/delete DSCP matching rule  
Operation  
Define DSCP matching rule  
Delete DSCP matching rule  
Command  
if-match [ logic-not ] ip-dscp value [ value ] …  
undo if-match [ logic-not ] ip-dscp value [ value ] …  
7) Define the IP precedence matching rule  
Perform the following configurations in class view.  
Table 1-8 Define/delete ip precedence matching rule  
Operation  
Command  
Define IP precedence matching rule  
Delete IP precedence matching rule  
if-match [ logic-not ] ip-precedence value [ value ] …  
undo if-match [ logic-not ] ip-precedence …  
6
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Use the corresponding command to configure the value of ip precedence during the  
configuration; otherwise, the configuration of the if-match ip precedence command  
will overwrite the previous configurations.  
8) Define the RTP port matching rule  
Perform the following configurations in class view.  
Table 1-9 Define/delete RTP port matching rule  
Operation  
Command  
if-match [logic-not ] rtp start-port starting-port-number end-port  
end-port-number  
Define RTP port matching rule  
undo if-match [ logic-not ] rtp start-port starting-port-number  
end-port end-port-number  
Delete RTP port matching rule  
Because the RTP priority queue (RTPQ) has a higher priority than that of CBQ, only  
RTPQ will take effect if both RTPQ and the queue based on the class matching RTP  
are configured at the same time.  
9) Define the protocol matching rule  
Perform the following configurations in class view.  
Table 1-10 Define/delete IP matching rule  
Operation  
Command  
if-match [ logic-not ] protocol ip  
undo if-match [ logic-not ] protocol ip  
Define IP matching rule  
Delete IP matching rule  
10) Define the rule of all packets that do not satisfy the specified matching  
rule.  
Perform the following configurations in class view.  
Table 1-11 Define/delete the rule of all packets not satisfying the specified matching rule  
Operation  
Command  
if-match logic-not criteria  
undo if-match logic-not criteria  
Define the rule of all packets not satisfying specified  
matching rule  
Delete the rule of all packets not satisfying specified  
matching rule  
Match-criteria: Matching rule of the class, including acl, any, class, destination-mac,  
inbound-interface, ip-precedence, ip-dscp, protocol, rtp, source-mac.  
1.2.3 Define the Policy and Enter the Policy View  
Policy definition includes definition to the feature requirement for each class in the  
policy, such as queue scheduling, including EF, AF, WFQ, TP, TS, and WRED.  
7
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Perform the following configurations in the system view.  
Table 1-12 Define the policy and enter the policy view  
Operation  
Command  
Define the policy and enter the policy  
view  
Delete the specified policy  
qos policy policy-name  
undo qos policy policy-name  
If an interface applies this policy, this policy is not allowed to be deleted. You must  
remove the application of this policy on the interface and then delete the policy with  
the undo qos policy command.  
1.2.4 Configure Class in Policy and Enter Policy-Class View  
Perform the following configurations in the policy view.  
Table 1-13 Configure class in policy and enter policy-class view  
Operation  
Command  
Configure class in policy  
Remove the class configuration  
qos-class class-name  
undo qos-class class-name  
class-name: Name of a class, of a defined class.  
1.2.5 Configure Features of a Class in Policy  
1) Configure bandwidth  
CBQ can set bandwidth and queuing length for each class.  
Bandwidth is the minimum guarantee that the router can provide when congestion  
occurs. If there is no congestion, each class can use the bandwidth larger than the  
assigned one, but if there is congestion, for each class, all the packets exceeding the  
assigned bandwidth will be dropped.  
Queuing length is the maximum queue length of the class. When the queue is as long  
as the preset length, new packets that want to enter the queue will be dropped.  
Policy class configured with expedited-forwarding and bandwidth is a priority class  
and will enter low latency queuing (LLQ).  
Policy class configured with assured-forwarding and bandwidth is an ordinary class.  
The class that does not match any policy is called the default-class, and it can be  
configured with assured-forwarding and bandwidth. After the default-class is  
8
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
configured with a maximum bandwidth, the system will assign the class an individual  
queue, called the default queue.  
Theoretically, each class can be configured with bandwidth of any size, but generally,  
the priority classes can occupy 70% of the total bandwidth, and other ordinary classes  
and the default class occupy less than 10%. It should be noted that the total  
bandwidth assigned to each class and the RTP priority queue should not be larger  
than the available bandwidth (the maximum bandwidth of the interface multiplied by  
the percentage of the reserved bandwidth).  
Please perform the following configurations in policy-class view.  
Table 1-14 Configure assured-forwarding and the minimum bandwidth  
Operation  
Command  
Configure assured-forwarding for an  
ordinary class or default class and  
configure the minimum bandwidth for them  
Delete the assured-forwarding  
af bandwidth { bandwidth | pct percentage }  
undo af  
Configure expedited-forwarding for priority  
class and configure the maximum  
bandwidth and CBS for it  
ef bandwidth bandwidth [ cbs size ]  
Delete expedited-forwarding  
undo ef  
This function can only be applied on the outbound direction.  
Note:  
Priority classes must be configured with absolute bandwidth, while ordinary classes and the default class  
can be configured with relative bandwidth (in percentage) or absolute bandwidth.  
2) Configure fair queue for the default class  
Perform the following configurations in the policy-class view.  
Table 1-15 Configure fair queue for the default class  
Operation  
Command  
Configure WFQ for the default class  
Remove the configured WFQ of the default  
class  
wfq [ queue-number total-queue-number ]  
undo wfq  
9
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
3) Configure the maximum queue length of the class  
Configure maximum queue length of the class and configure the drop type as tail  
drop.  
Perform the following configurations in the policy-class view.  
Table 1-16 Configure the maximum queue length of the class  
Operation  
Command  
queue-length queue-length  
undo queue-length  
Configure the maximum queue length of the  
class  
Delete the configuration of maximum queue  
length  
This command can be used only after the af command has been configured. Execute  
the undo af command then queue-length will be deleted as well.  
For the default-class, this command can be used only after the af has been  
configured.  
4) Configure the discarding mode of the class as random.  
Perform the following configurations in the policy-class view.  
Table 1-17 Configure the discarding mode of the class as random  
Operation  
Command  
Configure the discarding mode of the class  
as random  
wred [ ip-dscp value | ip-precedence value ]  
Restore the default setting  
undo wred [ ip-dscp value | ip-precedence value ]  
ip-dscp indicates that the DSCP value is used to calculate the drop probability of a  
packet.  
Ip-precedence: Indicate that the IP precedence value is used to calculate drop  
probability of a packet, which is the default setting.  
This command cannot be used until the af command has been configured. In the  
case of the default class, this command be used only after the af command has been  
configured. The wred and queue-length commands are mutually exclusive. Other  
configurations under the random drop will be deleted simultaneously when this  
command is deleted. When a QoS policy including WRED is applied on an interface,  
the original WRED configuration on the interface will be invalid.  
The default-class can only be configured with the random discard mode based on IP  
precedence.  
5) Configure exponential of average queue length calculated by WRED  
Perform the following configurations in the policy-class view.  
10  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 1-18 Configure exponential of average queue length calculated by WRED  
Operation  
Command  
Configure exponential of average queue  
length calculated by WRED  
wred weighting-constant exponent  
Delete the configuration of exponential of  
average queue length calculated by WRED  
undo wred weighting-constant  
This command can be used only after the af command has been configured and the  
wred command has been used to enable WRED discard mode.  
6) Configure DSCP lower-limit, upper-limit and discard probability of  
WRED  
Perform the following configurations in the policy-class view.  
Table 1-19 Configure DSCP lower-limit, upper-limit and discard probability of WRED  
Operation  
Command  
Configure DSCP lower-limit, upper-limit  
and discard probability of WRED  
Delete the configured DSCP lower-limit,  
upper-limit and discard probability of  
WRED  
wred ip dscp value low-limit low-limit hjgh-limit high-limit  
[ discard-probability discard-prob ]  
undo wred ip-dscp value  
value: DSCP value, in the range from 0 to 63, which can be any of the following  
keywords: ef, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43,  
cs1, cs2, cs3, cs4, cs5 or cs7.  
The discard mode based on WRED should have been enabled via the wred ip-dscp  
command.  
When the configuration of qos wred is deleted, the wred ip-dscp will also be  
deleted.  
When the af configuration is deleted, the configuration of discarding parameters will  
also be deleted.  
7) Configure lower-limit, upper-limit and discarding probability of WRED  
precedence  
Perform the following configurations in the policy-class view.  
Table 1-20 Configure lower-limit, upper-limit and discarding probability of WRED precedence  
Operation  
Command  
Configure lower-limit, upper-limit and  
discard probability of WRED precedence  
denominator  
wred ip-precedence value low-limit low-limit hjgh-limit high-limit  
[ discard-probability discard-prob ]  
Delete the configuration of lower-limit,  
upper-limit and discard probability of  
WRED precedence denominator  
undo wred ip-precedence value  
11  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
The discarding mode based on WRED must already have been enabled via the wred  
ip-precedence command.  
When the configuration of qos wred is deleted, the wred ip-precedence is also  
deleted.  
When the af configuration is deleted, the configuration of discarding parameters will  
also be deleted.  
8)  
Enable/Disable traffic policing  
Perform the following configurations in the policy-class view.  
Table 1-21 Enable/Disable traffic policing for the class  
Operation  
Command  
car cir rate [ cbs size ebs size ] [ conform action [ exceed action] ]  
undo car  
Enable traffic policing for the class  
Disable traffic policing for the class  
In the table, action means actions taken on a data packet, including:  
discard: Discard a packet.  
pass: Send a packet.  
remark-dscp-pass new-dscp: Set the value of new-dscp and send it. This value  
ranges from 0 to 63.  
remark-prec-pass new-prec: Set new IP priority new-prec and send it. This  
value ranges from 0 to 7.  
If TP is used in the class-policy applied on the interface, it can be applied on both  
inbound and outbound interfaces.  
When the class-policy including TP feature is applied on an interface, it invalidates the  
original qos car command.  
If this command is repeatedly configured on the same class policy, the last  
configuration replaces the previous one.  
The class configured with traffic policing without the application of AF or EF enters the  
default queue if it passes traffic policing but encounters interface congestion.  
9) Configure traffic shaping (TS) for a class  
Perform the following configurations in the policy-class view.  
Table 1-22 Enable/disable TS for a class  
Operation  
Enable TS for a class  
Disable TS for a class  
Command  
gts cir rate [ cbs burst-size [ ebs size [ queue-length length ] ] ]  
undo gts  
12  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
If qos gts is used in the class-policy that is applied to the interface, it can only be  
applied to the outbound interface.  
When the class including TS is applied to the interface, the original qos gts command  
that is configured on the interface will become invalid.  
If this command is repeatedly executed to configure the same class policy, the last  
configuration replaces the previous one.  
The class configured with TS without applying the configuration of AF or EF enters  
the default queue if it passes traffic shaping but encounters interface congestion.  
10) Set DSCP value for the class to identify packets.  
Perform the following configurations in the policy-class view.  
Table 1-23 Set DSCP value for the class to identify packets  
Operation  
Command  
Set DSCP value for the class to identify packets  
Remove DSCP value that identifies packets  
remark ip-dscp value  
undo remark ip-dscp  
11) Set IP precedence value to identify matched packets  
Perform the following configurations in the policy-class view.  
Table 1-24 Set IP precedence value to identify matched packets  
Operation  
Command  
remark ip-precedence value  
undo remark ip-precedence  
Set IP precedence value to identify matched  
packets  
Set IP precedence value to identify matched  
packets  
1.2.6 Apply a policy to an interface  
The qos apply policy command applies a policy to a specific physical interface. A  
policy can be used on multiple physical ports.  
Perform the following configurations in class view.  
Table 1-25 Associate an interface with the set policy  
Operation  
Command  
Apply an associated policy to an  
interface  
Delete an associated policy from an  
interface  
qos apply policy { inbound | outbound } policy-name  
undo qos apply policy { inbound | outbound }  
13  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
The following is the rule for a policy to be applied in interface view.  
A policy configured with various features (including remark, car, gts, af, ef, wfq,  
and wred,) apply to a common physical interface and a virtual template interface  
over MP.  
The policy configured with TS (gts), and ef, af, wfq cannot be applied on the  
interface as an inbound policy.  
The sub-interface does not support ef, af, or wfq but supports TS (gts) and TP  
(car). The policy configured with TS and TP can be applied on the sub-interface.  
Note:  
In the case of fast forwarding, CBQ is not supported.  
1.2.7 Displaying and debugging CBQ  
After the above configuration, execute display command in all views to display the  
current class-based queue configuration, and to verify the effect of the configuration.  
Table 1-26 Display and debug CBQ  
Operation  
Command  
display qos class [ class-name ]  
Display class information configured on the  
router  
Display the configuration information of an  
specified policy or a specified class in all  
policies or all classes  
display qos policy [ policy-name [ class class-name ] ]  
Display the configuration information and  
running status of an policy on a specified  
interface  
display qos policy interface [ type number } [ inbound |  
outbound ]  
Display the configuration information and  
running status of class-based queue on a  
specified interface  
display qos cbq interface type umber  
debugging qos cbq { af | be | ef | class } [ interface type  
number ]  
Enable the debugging of a CBQ  
1.2.8 Typical CBQ Configuration Example  
A typical CBQ configuration simultaneously transmits multiple service data on the  
serial interface and satisfies the demand in various service flows by CBQ.  
The networking diagram is shown below, wherein the bandwidth of serial0 is 64K,  
PC1 sends service flow 1 to PC3, PC2 sends a service flow 2 to PC4, and there is  
also a voice service flow.  
14  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
In terms of service, service flow 1 must occupy a bandwidth of 10K, service flow 2  
must occupy a bandwidth of 20K, under the premise of ensuring voice service.  
1.1.1.1/24  
1.1.4.1/24  
PC1  
PC2  
PC3  
PC4  
E0 1.1.4.2/24  
E0  
1.1.1.2/24  
s0  
E1  
10.1.1.2/24  
E1: 10.1.4.2/24  
10.1.4.1/24  
1.1.6.2/24  
10.1.1.1/24  
s0 1.1.6.1  
Router B  
Router A  
Tel ephone  
Tel ephone  
Figure 1-2 Networking diagram of CBQ configuration  
Note:  
This example only illustrates configurations corresponding to CBQ. The configurations of various  
services and routes should be performed by the user independently. This example only configures CBQ  
on Router A. Router B can be configured similarly.  
Configure Router A:  
1
Configure ACL rule.  
[RouterA] acl 101  
[RouterA-acl-101]rulenormalpermitipsource1.1.0.00.0.255.255destination  
any  
[RouterA] acl 102  
[RouterA-acl-102]rulenormalpermitipsource10.1.0.00.0.255.255destination  
any  
2
Configure class 1:  
[RouterA] qos class logic-and 1  
[RouterA-qosclass-1] if-match acl 101  
[RouterA-qosclass-1] quit  
3
Configure class 2:  
[RouterA] qos class logic-and 2  
[RouterA-qosclass-2] if-match acl 102  
[RouterA-qosclass-2] quit  
4
Configure priority class:  
[RouterA] qos class logic-and voip  
15  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
[RouterA-qosclass-voip] if-match rtp start-port 16384 end-port 32767  
[RouterA-qosclass-voip] quit  
5
Configure CBQ policy:  
[RouterA] qospolicy 1  
6
Configure the bandwidth of service 1 to be 10K:  
[RouterA-qospolicy-1]qos-class 1  
[RouterA-qospolicy-c-1 1] af bandwidth 10  
[RouterA-qospolicy-c-1 1] quit  
7
Configure the bandwidth of service 2 to be 20K:  
[RouterA-qospolicy-1]qos-class 2  
[RouterA-qospolicy-c-1 2] af bandwidth 20  
[RouterA-qospolicy-c-1 2] quit  
8
Configure the voice service to be priority service:  
[RouterA-qospolicy-1]qos-class voip  
[RouterA-qospolicy-c-1 voip] ef bandwidth 10 cbs 1500  
[RouterA-qospolicy-c-1 voip] quit  
9
Apply CBQ policy 1 to Serial0:  
[RouterA] interface serial 0  
[RouterA-Serial0] qos apply policy outbound 1  
10  
Remove fast-forwarding on the interface. (The interface does not support CBQ  
in the case of fast-forwarding.)  
[RouterA-Serial0] undo ip fast-forwarding  
16  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Chapter 2 Configuring TACACS+  
TACACS+ is facilitated with AAA to control PPP, VPDN, and login access to routers.  
CISCO ACS is the only application software that is supported.  
Compared to RADIUS, TACACS+ features more reliable transmission and encryption,  
and is more suitable for security control. The following table lists the primary  
differences between TACACS+ and RADIUS protocols.  
Table 2-1 Comparison between the TACACS+ protocol and the RADIUS protocol  
TACACS+ protocol  
RADIUS protocol  
Adopts TCP and hence can provide more reliable network  
transmission.  
Adopts UDP.  
Encrypts the entire main body of the packets except for  
the standard TACACS+ header.  
Encrypts only the password field in the  
authentication packets.  
Supports separate authentication and authorization. For  
example, you can use RADIUS for authentication but  
TACACS+ for authorization.  
If RADIUS is used for authentication before authorizing  
with TACACS+, RADIUS is responsible for confirming  
whether a user can be accepted, and TACACS+ is  
responsible for the authorization.  
Processes authentication and authorization  
together.  
Is well suited to security control.  
Is well suited to accounting.  
Supports authorization before the configuration commands Does not support authorization before  
on the Router can be used. configuration.  
In a typical TACACS+ application, a dial-up or terminal user needs to log in the router  
for operations. Working as the TACACS+ client in this case, the router sends the user  
name and password to the TACACS+ server for authentication. After passing the  
authentication and getting the authorization, the user can log in to the router to  
perform operations, as shown in the following figure.  
inal user  
inal  
nal  
nal user  
nal  
i
T
T
e
r
m
T
T
T
e
e
e
e
r
r
r
r
m
m
m
m
i
i
H
H
H
H
H
W
W
W
W
W
T
T
T
T
T
A
A
A
A
A
C
C
C
C
C
A
A
A
A
A
C
C
C
C
C
S
S
S
S
S
s
s
s
s
s
e
e
e
e
e
r
r
r
r
r
ver  
ver  
ver  
ver  
ver  
129.7.66.66  
129.7.66.66  
129.7.66.66  
129.7.66.66  
129.7.66.66  
I
S
D
N
\
P
S
T
N
R
o
u
ter  
D
D
D
D
i
i
i
i
a
a
a
a
a
l
l
l
l
l
-
-
-
-
-
u
u
u
u
p
p
p
p
p
u
u
ser  
ser  
H
H
H
H
H
W
W
W
W
W
T
T
T
T
T
A
A
A
A
A
C
C
C
C
C
A
A
A
A
A
C
C
C
C
C
S
S
S
S
S
c
c
c
c
c
lient  
lient  
lient  
l ent  
l ent  
i
i
H
H
H
H
H
W
W
W
W
W
T
T
T
T
T
A
A
A
A
A
C
C
C
C
C
A
A
A
A
A
C
C
C
C
C
S
S
S
S
S
s
s
s
s
s
e
e
e
e
e
r
r
r
r
r
ver  
ver  
ver  
ver  
ver  
129.7.66.67  
129.7.66.67  
129.7.66.67  
129.7.66.67  
129.7.66.67  
Figure 2-2 Networking for a typical TACACS+ application  
17  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
2.2 The Basic Message Interaction Flow of TACACS+  
For example, use TACACS+ to implement AAA on a telnet user, and the basic  
message interaction flow described below is used:  
1) A user requests access to the router. The router(TACACS+ client) sends the  
authentication start packet to the TACACS+ server upon receipt of the request.  
2) The TACACS+ server sends an authentication response packet requesting the  
user name. The router (TACACS+ client) asks the user for the user name upon  
receipt of the response packet.  
3) After receiving the user name from the user, the router (TACACS+ client) sends  
the authentication packet to the TACACS+ carrying the user name.  
4) The TACACS+ server sends back an authentication response packet, requesting  
the login password. Upon receipt of the response packet, the router (TACACS+  
client) requests the user for the login password.  
5) The router (TACACS+ client) sends an authentication packet carrying the login  
password to the TACACS+ server.  
6) The TACACS+ server sends back the authentication response packet indicating  
that the user has passed the authentication.  
7) The router (TACACS+ client) sends the user authorization packet to the  
TACACS+ server.  
8) The TACACS+ server sends back the authorization response packet, indicating  
that the user has passed the authorization.  
9) Upon receipt of the response packet indicating an authorization success, the  
router (TACACS+ client) pushes the configuration interface of the router to the  
user.  
10) The router (TACACS+ client) sends the accounting start request packet to the  
TACACS+ server  
11) The TACACS+ server sends back an accounting response packet, indicating that  
it has received the accounting start request packet.  
12) The user quits, and the router (TACACS+ client) sends the accounting stop  
packet to the TACACS+ server.  
13) The TACACS+ server sends back the accounting stop packet, indicating that the  
accounting stop request packet has been received.  
The following figure illustrates the basic message interaction flow:  
18  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
H
C
W
T
n
A
t
C
A
C
S
H
Server  
W
T
A
C
ACS  
User  
l
i
e
Us  
er  
l
o
g
s
in  
n
A
u
t
h
en  
t
i
c
a
ti  
o
n
S
t
a
r
t
Req  
u
e
s
t
packet  
packet  
A
u
t
h
e
n
t
i
c
a
t
i
o
n
r
e
s
p
o
n
s
e
p
a
c
k
e
t,  
,
r
e
q
u
e
s
t
i
n
g
f
o
r
t
h
e
u
s
e
r
name  
name  
Req  
u
e
s
t
Us  
er  
fo  
r
th  
e
us  
er  
n
a
m
e
e
Us  
er  
e
n
t
e
r
s
t
h
e
us  
er  
name  
name  
A
u
t
h
e
n
t
i
c
a
t
i
o
n
c
o
n
t
i
n
u
a
n
c
e
packet  
packet  
c
a
r
r
y
i
n
g
t
h
e
u
s
e
r
name  
name  
A
u
t
h
e
n
t
i
c
a
t
i
o
n
r
e
s
p
o
n
s
e
p
a
c
k
e
t,  
,
r
e
q
u
e
s
t
i
n
g
f
o
r
t
h
e
password  
password  
Req  
u
e
s
t
Us  
er  
fo  
r
th  
e
password  
password  
A
u
t
h
e
n
t
i
c
a
t
i
o
n
c
o
n
t
i
n
u
a
n
c
e
ppacket  
Us  
er  
e
n
t
e
r
s
t
h
e
password  
password  
c
a
r
r
y
i
n
g
t
h
e
ppassword  
A
u
t
h
en  
t
i
c
a
ti  
o
n
s
u
c
c
es  
s
ppacket  
A
u
t
h
o
r
i
z
a
t
i
o
n
r
eq  
u
e
s
t
ppacket  
A
u
t
h
o
r
i
z
a
t
i
o
n
s
u
c
c
e
s
s
ppacket  
Us  
er  
is  
p
e
r
m
i
t
tted  
A
c
c
o
u
n
t
i
n
g
s
t
a
r
t
re  
qu  
es  
t
ppacket  
A
c
c
o
u
n
t
i
n
g
s
t
a
r
t
r
e
s
po  
ns  
e
ppacket  
Us  
er  
qquits  
A
c
c
o
u
n
t
i
n
g
s
t
o
p
ppacket  
A
c
c
o
u
n
t
i
n
g
s
t
o
p
r
es  
p
o
n
s
e
ppacket  
Figure 2-3 The flow of implementing AAA for a telnet user  
2.3 The TACACS+ Functions Implemented by 3Com Routers  
3Com Routers support the following TACACS+ functions:  
1) AAA on login users (including console, Telnet, dumb terminal, PAD, terminal  
accessing, and FTP users)  
2) AAA on PPP users  
3) AAA on VPDN users (L2TP is used in this case)  
2.4 TACACS+ Configuration Tasks  
Basic TACACS+ configuration tasks include:  
Create a TACACS+ server group  
Add the TACACS+ server into a TACACS+ server group  
High-level TACACS+ configuration tasks include:  
19  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Standby/Primary server switchover interval  
The shared key for the AAA negotiation between the router and TACACS+  
Server  
Set the timeout time waiting for a TACACS+ server to make a response  
Specify a source IP address for all the TACACS+ packets to be transmitted  
2.4.1 Create a TACACS+ server group  
Before a TACACS+ server can be used to implement AAA, you should first create a  
TACACS+ server group and put the TACACS+ server into the group. The router will  
look up the group for a TACACS+ server to implement AAA. You can create a  
maximum of 11 TACACS+ server groups.  
Perform the following configuration in system view.  
Table 2-2 Create a TACACS+ server group  
Operation  
Command  
Create a TACACS+ server group  
by specifying its name  
hwtacacs-server template template-name  
Delete a TACACS+ server group  
by specifying its name  
undo hwtacacs server template template-name  
By default, no server group is configured.  
2.4.2 Add a TACACS+ Server into a TACACS+ Server Group  
After a TACACS+ server group is created, you add TACACS+ servers into it. Each  
group allows of a maximum of 5 servers.  
Perform the following configuration in TACACS+ view.  
Table 2-3 Add/Delete TACACS+ servers  
Operation  
Command  
host ip ip-address  
[
port port-number ] [ response-timeout time  
]
Add a TACACS+ server into a  
TACACS+ server group  
[
shared-key key-string ] [ authen-primary  
|
author-primary |  
account-primary  
]
Remove a TACACS+ server from undo host ip ip-address  
a TACACS+ server group account-primary  
[
authen-primary  
|
author-primary |  
]
By default, no TACACS+ Server is specified.  
20  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Note:  
When this command is used without being configured with the parameter shared-key key-string for  
negotiation, the default key configured using the shared-key command will be used.  
2.4.3 Standby/Primary Server Switchover Interval  
If you have specified the primary and standby servers in a TACACS+ server group,  
the router regularly tests whether the primary server can work properly in the case  
that the current server used to provide AAA services is a standby server. Once it finds  
that the specified primary server can work normally, it switches from the current  
standby server to the primary server. You can configure the interval for switching.  
Perform the following configuration in TACACS+ view.  
Table 2-4 Configure a standby/primary server switchover interval  
Operation  
Command  
Configure a standby/primary server switchover interval  
Restore the default standby/primary server switchover  
interval  
timer quiet minutes  
undo timer quiet  
The standby/primary server switchover interval defaults to five minutes.  
2.4.4 Set a Shared Key for the AAA Negotiation Between Router and  
TACACS+ Server  
Setting a shared key can ensure the security of the communications between router  
and TACACS+ server. By default, the system does not set a key. Therefore, you  
should use this command to set a shared key in the case that a TACACS+ server is  
used as the AAA server.  
Perform the following configuration in system view.  
Table 2-5 Set a shared key for the AAA negotiation between router and TACACS+ server  
Operation  
Command  
shared-key key-string  
undo shared-key  
Configure a shared key for the AAA negotiation with any  
TACACS+ servers in a specified TACACS+ server group  
Delete the shared key for the AAA negotiation with the  
TACACS+ servers in a specified TACACS+ server group  
By default, no key is set.  
21  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Caution:  
1) The entered key must match the key used by the TACACS+ server.  
2) All the leading spaces and ending spaces in a key string will be ignored. In addition, a key that  
contains spaces in the middle is not supported.  
2.4.5 Specify a Source IP Address for the TACACS+ Packets to be  
Transmitted  
You can specify a source IP address for the TACACS+ packets sent from different  
interfaces on the router. In this way, the TACACS+ server will contact the router only  
at that IP address.  
A TACACS+ server requires the administrator to register all the TACACS+ clients. The  
clients are scrutinized on the basis of their source IP address. Therefore, the different  
interfaces on the same router are regarded by the TACACS+ server as different  
clients. Whenever the TACACS+ server receives a packet carrying an unregistered  
source IP address, it regards the packet as illegal and hence does no processing on  
it.  
Caution:  
You must make sure that the specified source IP address is the IP address of some interface on the  
router, and that the server maintains the route to that IP address. You can configure a loopback interface  
on the router, specify an IP address for it, and use this address as the source IP address of the  
TACACS+ packets.  
Perform the following configuration in system view.  
Table 2-6 Specify the source IP address for the transmitted TACACS+ packets  
Operation  
Command  
ip-address interface interface-type  
Configure the source IP address for the source-ip  
{
|
transmitted TACACS+ packets  
interface-number  
}
Remove the source IP address specified for  
the TACACS+ packets to be transmitted  
undo source-ip  
By default, the source IP address is the IP address of the interface where the  
TACACS+ packets are sent.  
22  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
2.5 Displaying and Debugging TACACS+  
Execute the following commands in all views.  
Table 2-7 Display and debug AAA and RADIUS  
Operation  
Command  
display hwtacacs accounting verbose  
display hwtacacs server verbose  
Display all the accounting details.  
Display all the router-TACACS+  
interaction details.  
[
]
[
]
Clear all the accounting details.  
Clear all the router-TACACS+  
interaction details.  
reset hwtacacs accounting statistics  
reset hwtacacs server statistics  
debugging hwtacacs  
{
authentication  
|
authorization  
|
Enable the debugging of AAA  
implemented using TACACS+  
accounting } [ packet ] [ user user-name ][ interface  
interface-name  
undo debugging hwtacacs  
]
{
authentication  
|
authorization  
|
Disable the debugging of AAA  
implemented using TACACS+  
accounting } [ packet ] [ user user-name ][ interface  
interface-name  
]
2.6 Implementing AAA Using TACACS+  
Use TACACS+ to implement AAA on PPP and login users.  
Te  
r
m
i
nal user  
nal user  
1
9
2
.
1
0
.
1.  
0/24  
4
T
A
A
C
C
.
.
A
A
C
C
0
0
S
S
.
.
+
+
s
s
e
e
r
r
ver  
ver  
1
1
0
0
1
1
1
1
1
1
.1  
.1  
E
1
:
1
9
2
.
1
0
.1.1  
.1.1  
IS  
D
N
\
PSTN  
S0:  
S0:  
R
o
u
t
er  
E0:  
E0:  
10  
1
6
8
.
.1.1  
1.1.1  
1
0
.
1
D
i
a
l
-
u
p
ser  
user  
T
A
A
C
C
A
A
C
C
S
S
+
+
s
s
e
e
r
r
ver  
ver  
1
1
0
0
.
.
1
1
1
1
0
0
.
.
1
1
.2  
.2  
A
c
c
e
ss  
e
d
ne  
twork  
Figure 2-4 Networking for the AAA implementation using TACACS+  
To configure TACACS+:  
1
Create a TACACS+ server group and add TACACS+ servers into it.  
[3Com] HWTACACS-server template tactemplate1  
[3Com-HWTACACS-tactemplate1]host ip 10.110.1.1 authen-primary  
[3Com-HWTACACS-tactemplate1]host ip 10.110.1.1 author-primary  
[3Com-HWTACACS-tactemplate1]host ip 10.110.1.1 account-primary  
[3Com-HWTACACS-tactemplate1]host ip 10.110.1.2  
23  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
2
Configure “mykey” as the shared key for the AAA negotiation with the  
TACACS+ server.  
[3Com-HWTACACS-tactemplate1]shared-key mykey  
[3Com-HWTACACS-tactemplate1] quit  
3
Enable AAA.  
[3Com]aaa-enable  
4
Implement authentication on telnet login users.  
[3Com]login telnet  
[3Com]aaaauthentication-schemeloginlogin-authen-listtemplatetactemplate1  
[3Com] login-method authentication-mode telnet login-authen-list  
5
Implement authentication on the PPP users accessed from the interface  
Serial0.  
[3Com]aaa authentication-scheme ppp ppp-authen-list template tactemplate1  
[3Com]interface serial 0  
[3Com-Serial0] link-protocol ppp  
[3Com-Serial0] ppp authentication-mode pap scheme ppp-authen-list  
[3Com-serial0] quit  
6
Configure a login authorization scheme.  
[3Com]aaa authorization-scheme login login-author-list template tactemplate1  
7
Specify an authorization scheme for login users.  
[3Com]login-method authorization-mode telnet login-author-list  
8
Enable PPP authorization and use the ppp-author-list authorization scheme on  
Serial0.  
[3Com]aaa authorization-scheme ppp ppp-author-list template tactemplate1  
[3Com]interface serial 0  
[3Com-Serial0]link-protocol ppp  
[3Com-Serial0]ip address 168.1.1.1 255.255.255.0  
[3Com-Serial0]ppp authorization-mode ppp-author-list  
[3Com-serial0] quit  
9
Enable login accounting and configure the accounting scheme account-list.  
[3Com] aaa accounting-scheme login login-account-list template tactemplate1  
10  
Use the login-account-list scheme to enable accounting for telnet login users.  
[3Com]login-method accounting-mode login telnet login-account-list  
11  
Enable accounting and use the ppp-account-list accounting scheme on Serial0.  
[3Com] aaa accounting-scheme ppp ppp-account-list template tactemplate1  
[3Com] interface serial 0  
[3Com-Serial0] link-protocol ppp  
[3Com-Serial0] ppp accounting ppp-account-list  
24  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
[3Com-serial0] quit  
12  
Assign an IP address to the interface Ethernet0.  
[3Com]interface ethernet 0  
[3Com-ethernet0]ip address 10.110.1.10 255.255.0.0  
13  
Assign an IP address to Ethernet1.  
[3Com-ethernet0]interface ethernet 1  
[3Com-ethernet0]ip address 192.10.1.1 255.255.255.0  
[3Com-ethernet0]return  
2.6.2 Integrating TACACS+ and RADIUS  
In this example, a TACACS+ server is used for authentication and authorization for  
PPP and login users, and is also used as a standby accounting server. A RADIUS  
server is used for accounting, and is also used as the standby server for  
authentication and authorization.  
Terminal user  
192.10.1.0/24  
TACACS+server  
10.110.1.1  
E1:192.10.1.1  
ISDN\PSTN  
S0:  
Router  
E0:  
10.110.1.10  
168.1.1.1  
Dial-up user  
RADIUS server  
10.110.1.2  
Accessed network  
Figure 2-5 Networking for the application combining TACACS+ and RADIUS  
To integrate TACACS+ and RADIUS:  
1
Enable AAA.  
[3Com]aaa-enable  
2
3
Configure TACACS+.  
Create a TACACS+ server group and add TACACS+ servers into it.  
[3Com] HWTACACS-server template tactemplate1  
[3Com-HWTACACS-tactemplate1]host ip 10.110.1.1 authen-primary  
[3Com-HWTACACS-tactemplate1]host ip 10.110.1.1 author-primary  
4
Configure “mykey” as the shared key for the AAA negotiation with the  
TACACS+ server.  
25  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
[3Com-HWTACACS-tactemplate1] shared-key mykey  
[3Com-HWTACACS-tactemplate1] quit  
5
Configure the IP address, authentication port, and accounting port on the  
RADIUS server.  
[3Com]radius server 10.110.1.2  
6
Configure the key, retransmission times, and the timeout time for the RADIUS  
server.  
[3Com] radius shared-key my-secret  
[3Com] radius retry 2  
[3Com] radius timer response-timeout 5  
7
Configure authentication of Telnet login users.  
[3Com]login telnet  
[3Com]aaa  
authentication-scheme  
login  
telnet-authen-list  
template  
tactemplate1 radius  
[3Com]login-method authentication-mode telnet telnet-authen-list  
8
Configure authentication of PPP users on the interface Serial0.  
[3Com]aaa authentication-scheme ppp ppp-authen-list template tactemplate1  
radius  
[3Com]interface serial 0  
[3Com-Serial0] link-protocol ppp  
[3Com-Serial0] ppp authentication pap scheme ppp-authen-list  
[3Com-serial0] quit  
9
Enable login authorization and configure an authorization scheme.  
[3Com]aaa authorization-scheme login login-author-list template tactemplate1  
10  
Apply a telnet login authorization scheme.  
[3Com]login-method authorization-mode telnet login-author-list  
11  
Enable PPP authorization and use the authorization scheme named “test-list”  
on Serial0.  
[3Com]aaa authorization-scheme ppp ppp-author-list template tactemplate1  
[3Com]interface serial 0  
[3Com-Serial0]link-protocol ppp  
[3Com-Serial0]ip address 168.1.1.1 255.255.255.0  
[3Com-Serial0]ppp authorization-mode ppp-author-list  
[3Com-serial0] quit  
12  
Enable accounting for login users and configure the default accounting  
scheme.  
[3Com] aaa accounting-scheme login default radius template tactemplate1  
[3Com] aaa accounting-scheme optional  
26  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
13  
Apply the default scheme for accounting on telnet login users.  
[3Com]login-method accounting-mode login telnet default  
14  
Enable accounting on Serial0, and configure and apply the default accounting  
scheme.  
[3Com] aaa accounting-scheme ppp default radius template tactemplate1  
[3Com]interface Serial0  
[3Com-Serial0]link-protocol ppp  
[3Com-Serial0]ppp accounting default  
[3Com-serial0] quit  
15  
Assign an IP address to Ethernet0.  
[3Com]interface ethernet 0  
[3Com-ethernet0]ip address 10.110.1.10 255.255.0.0  
16  
Assign an IP address to Ethernet1.  
[3Com-ethernet0]interface ethernet 1  
[3Com-ethernet0]ip address 192.10.1.1 255.255.255.0  
[3Com-ethernet0]return  
2.7 Troubleshooting  
A user always fails to pass the authentication implemented through TACACS+.  
Do the following:  
Check whether the correct user name and password and the available services  
for the user have been configured on the TACACS+ server.  
Check whether the TACACS+ server can be pinged, and whether the correct  
address and port number and shared-key of the server have been configured on  
the router.  
Use the host command to reconfigure the TACACS+ server. Due to the failure in  
communicating with the RADIUS server, the system regards the RADIUS server  
as unavailable. In this case, you can use the undo host command to remove the  
RADIUS server that has been configured, and then use the host command to  
reconfigure the RADIUS server. Thus, the RADIUS server will be able to work  
without any delay.  
Check proper configurations have been made for the TACACS+ server and  
whether the modifications just made have taken effect.  
27  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Chapter 3 Configuring SSH Terminal Service  
Secure Shell (SSH) is a feature that provides information about security and powerful  
authentication functions, which can protect a router from the attacks such as IP  
address spoofing and plain text password. This is especially evident for remote users  
who access the router from a nonsecure network environment. The router provides  
simultaneous access of multiple SSH clients. SSH client allows a user to set up the  
SSH connection with an SSH-supported router or UNIX host. As shown in Figures 2-1  
and 2-2, you can set up an SSH channel for the purpose of local or WAN connection.  
V1.20 supports SSH Server 1.5.  
R
R
o
o
u
u
ter  
er  
t
W
W
o
o
r
r
k
k
s
s
t
t
a
a
t
i
i
on  
t on  
1
1
0
0
0
0
B
B
A
A
S
S
E
E
-
-
TX  
TX  
E
E
t
t
hernet  
hernet  
L
L
a
a
p
p
t
t
op  
op  
S
S
e
e
r
r
v
v
e
e
r
r
S
S
S
S
H
H
C
C
l
l
i
i
e
e
n
n
t
t
-
-
e
e
n
n
a
a
b
b
l
l
e
e
d
d
PC  
PC  
Set up an SSH channel in a LAN  
L
L
o
o
c
c
a
a
l
l
r
r
o
o
u
u
t
t
er  
er  
W
o
r
kstation  
L
L
o
o
c
c
a
a
l
l
L
L
A
A
N
N
E
E
t
t
hernet  
hernet  
R
R
outer  
outer  
W
W
A
A
N
N
l
i
i
ne  
l ne  
L
L
a
a
p
p
t
t
op  
op  
Se  
r  
rver  
L
L
o
o
c
c
a
a
l
l
S
S
S
S
H
H
-
-
e
e
n
n
a
a
b
b
l
l
ed  
ed  
W
A
N
PC  
PC  
R
R
oouutteerr  
R
R
e
e
m
EE  
m
o
o
t
t
e
e
L
L
A
A
NN  
W
o
r
kstation
thheerrnneett  
t
R
R
o
o
u
u
t
t
e
e
rr  
t
t
o
o
b
b
e
e
cc  
o
o
n
n
f
f
i
i
g
g
u
u
r
r
eedd  
L
L
a
a
p
p
t
t
oopp  
PC
S
e
r
verr  
Set up an SSH channel across WAN  
28  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
To set up a secure and authenticated SSH connection, the server and client must go  
through the communication procedure that falls into five stages; version negotiation,  
key algorithm negotiation, authentication type negotiation, session request, and  
session interaction.  
3.1 Configuring SSH  
The basic configuration of SSH is required for the SSH Client to connect to the SSH  
Server (router) successfully. Advanced SSH configurations are optional.  
Basic SSH configurations include:  
Set the protocol supported by the system and the allowed maximum number of  
connections  
Configure and destroy the local RSA key-pair  
Configure authentication type for an SSH user  
Advanced SSH configurations include:  
Set the interval for updating server key  
Set timeout time in SSH authentication  
Set the number of SSH authentication retries  
Access the public key view and edit the key  
Assign a public key to an SSH user  
The default remote login protocol is Telnet, instead of SSH. You must set the remote  
login protocol supported by the system to SSH and set the maximum number of the  
connections.  
Perform the following configuration in system view.  
Table 3-1 Set remote login protocol and the maximum number of connections  
Operation  
Command  
Set the remote login protocol supported by  
the system and the allowed maximum  
number of connections  
protocol inbound { ssh  
|
telnet  
}
numbers  
[
acl acl-number  
]
By default, only Telnet is supported (in this case, up to five simultaneous connections  
are allowed), SSH login is not supported, and ACL is not used.  
Perform this task to generate server and host key-pairs. If there exist RSA key-pairs,  
the system will ask if you want to replace the existing keys. The generated key-pairs  
are represented by “router name + server” and “router name + host”. A server key-pair  
and a host key-pair have a difference of at least 128 bits in size. Both of them have  
the same minimum and maximum sizes, i.e., 512 bits and 2048 bits.  
Perform the following configuration in system view.  
29  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 3-2 Configure and destroy RSA key-pairs  
Operation  
Command  
Generate RSA key-pairs  
rsa local-key-pair create  
rsa local-key-pair destroy  
Destroy the RSA key-pairs  
Caution:  
An essential operation underlying a successful SSH login is generating local RSA key-pairs. Before  
performing any other SSH configuration tasks, you must generate a local key-pair by configuring the rsa  
local-key-pair create command.  
It is only necessary for you to execute this command once and you do not have to execute it again after  
rebooting the router.  
II. Configure Authentication Type for an SSH User  
Only SSH users can pass the SSH authentication. There are two SSH authentication  
modes: password authentication and RSA authentication. You can use both at the  
same time.  
When configuring the SSH user, you must set the SSH user’s rights (Administrator,  
Operator or Guest) and specify the authentication mode.  
Perform the following configuration in system view.  
Table 3-3 Configure authentication type for an SSH user  
Operation  
Command  
local-user username service-type ssh  
{
administrator  
|
operator  
|
Configure an SSH user  
guest  
}
password  
{
simple  
|
cipher  
} password  
Configure an authentication type for  
an SSH user  
Remove the authentication type set  
for the specified SSH user  
ssh user username authentication-type { password  
undo ssh user username authentication-type  
|
RSA  
|
all  
}
By default, login authentication type is not specified for users. Login requests are  
refused.  
Perform this task to set a server key-pair updating interval for securing the SSH  
connections to the system.  
Perform the following configuration in system view.  
Table 3-4 Set server key-pair updating interval  
Operation  
Command  
30  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Set a server key-pair updating  
interval  
ssh server rekey-interval hours  
Restore the default updating interval undo ssh server rekey-interval  
By default, the system does not update the server key-pair.  
Perform this task to set an SSH authentication timeout time period.  
Perform the following configuration in system view.  
Table 3-5 Set SSH authentication timeout time  
Operation  
Command  
Set SSH authentication timeout time  
ssh server timeout seconds  
Restore the default SSH authentication  
timeout time setting  
undo ssh server timeout  
The SSH authentication timeout time of the system defaults to 60 seconds.  
Perform this task to set the authentication retry attempts for an SSH connection  
request to prevent unauthorized access.  
Perform the following configuration in system view.  
Table 3-6 Set the number of SSH authentication retries  
Operation  
Command  
Set the number of SSH authentication retries  
ssh server authentication-retries times  
Restore the default number of SSH  
authentication retries  
undo ssh server authentication-retries  
By default, the parameter times defaults to 3.  
III. Access the Public Key View and Edit the Key  
To configure public key, you must enter the public key view first.  
Perform the following configuration in system view.  
Table 3-7 Configure a public key  
Operation  
Command  
rsa peer-public-key key-name  
undo rsa peer-public-key key-name  
Access the public key view.  
Remove the specified public key.  
After accessing the public-key edit view by executing the rsa peer-public-key  
command, you can input the key data by using the public-key-code begin command.  
You can input the key data using the hex command. You are allowed to input spaces  
31  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
when entering key data but they will be deleted by the system. The configured public  
key must be a consecutive hexadecimal character string coded in the public key  
format. Execute the public-key-code end command to stop public key editing and  
save the key. Before you save the key however, you should verify the validity of the  
key in case the key data are rendered useless due to illegal characters contained in  
the public key string.  
Perform the following configuration in public-key view.  
Table 3-8 Start/Stop public key editing  
Operation  
Command  
Access the public key edit view  
public-key-code begin  
public-key-code end  
Stop public key editing and exit  
the public key edit view  
Public key is generated by the Client software supporting SSH1.5 lower.  
Perform the following configuration in public key edit view.  
Table 3-9 Edit a public key  
Operation  
Command  
Input the public key data  
hex hex-data  
IV. Assign a Public Key to an SSH User  
Perform this task to assign a public key that has been configured to an SSH user.  
Perform the following configuration in system view.  
Table 3-10 Assign a public key to an SSH user  
Operation  
Command  
Assign a public key to an SSH user  
ssh user username assign rsa-key keyname  
Remove the association between the  
user and the public key  
undo ssh user username assign rsa-key  
V. Close an SSH Process by Force  
A system administrator can disconnect the connections of all the SSH login users by  
force by executing the kill command on the console interface, or close by force the  
SSH process of a specified SSH login user found by executing the display  
local-user online command.  
32  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Perform the following configuration in system view.  
Table 3-11 Close SSH processes by force  
Operation  
Command  
Kill SSH process(es) by force  
kill ssh { all  
|
userID userid  
}
VI. Display and Debug SSH Information  
After finishing the configurations described above, view the running state of SSH by  
executing the display commands in all views to verify the configuration.  
You can debug the SSH information by executing the debugging commands in all  
views.  
To make better use of the system resources and make the communications more  
secure, you can view the configurations of all the SSH users by displaying and  
debugging the SSH information.  
Perform the following operation in all views.  
Table 3-12 View the SSH involved information  
Operation  
Command  
View the public key portions of the host and  
the server key-pairs  
display rsa local-key-pair public  
Display the client-end RSA public keys  
display rsa peer-public-key  
[
brief  
|
name keyname  
]
Display the SSH status and session  
information  
display ssh server { status  
|
session }  
username  
Display the SSH user information  
Enable SSH debugging  
Enable RSA debugging  
Disable SSH debugging  
Disable RSA debugging  
display ssh user-information  
[
]
debugging ssh server VTY index  
|
all }  
{
debugging rsa  
undo debugging ssh server VTY index  
|
all }  
{
undo debugging rsa  
3.1.2 Configure SSH Client  
SSH client software includes applications such as PuTTy, FreeBSD, and other client  
software that is available on the market. To set up a connection with the server, you  
need to perform the basic configurations on the SSH client, including:  
Specify the IP address of the server.  
Set the remote connection protocol to SSH. Generally, the client supports  
multiple remote connection protocols, such as Telnet, Rlogin and SSH. To set up  
an SSH connection, you must set the protocol to SSH.  
33  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Choose the proper SSH version. Generally the client provides several SSH  
versions. V1.20 supports SSH Server 1.5, so you must choose 1.5 or lower.  
Specify the RSA key file. If you have configured to choose RSA authentication at  
the server, you must specify the RSA key file at the client. In normal case, RSA  
key file is created by the tool attached to the client software, including a pair of  
public key used for the server (router) and private key used for the client.  
Use the third party client software, PuTTY in the following example, to set the  
configuration of SSH client.  
I. Specify the IP address of the server  
Enable the PuTTY program and the following client configuration interface appears.  
Figure 3-1 SSH Client configuration interface (1)  
Enter the IP address of the router in the field “Host Name (or IP address)”. The  
address can be the IP address of the interface whose protocol status is “up” on any  
router, but the route to the SSH client can be reachable, for example , 10.110.28.10.  
II. Set the remote connection protocol to SSH  
Choose "SSH” as the protocol in the above interface.  
34  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
III. Choose the SSH version  
Click “SSH” under “Connection” in the left “Category” of the interface, then the  
following interface appears.  
Figure 3-2 SSH Client configuration interface (2)  
Specify the SSH version to “1”, as shown in the above interface.  
IV. Enable the SSH connection in password authentication mode  
Click [Open] button and the SSH Client interface appears. If the connection is normal,  
then you are prompted to enter user name and password, as shown in the following  
figure.  
35  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Figure 3-3 SSH Client login interface (in password authentication mode )  
After you have entered the correct user name and password, you can implement the  
connection.  
To log out, just use the logout command.  
V. Enable the SSH connection in RAS authentication mode  
To enable the SSH connection in RSA mode, you need to configure the RSA key on  
both the SSH server and client.  
Take the following method to generate keys using PuTTY key generator  
software.  
Enable the PuTTY key generator software, as shown in the following.  
36  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Figure 3-4 PuTTY Generator Software interface (1)  
Choose “SSH1(RSA)” or “SSH2 RSA” as the parameter and enter the number of bits  
in the key.  
Click [Generate] button to generate the RSA key. To ensure the random key, you are  
required to move the mouse. Once you stop moving the cursor, the generating  
process will pause.  
After the key is generated, the following interface appears.  
37  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Figure 3-5 PuTTY Key Generator interface (2)  
Enter a passphrase, if you want to use one.  
Save the key  
After you have generated the keys, you have an RSA public key and an RSA private  
key. Click [Save public key] button and [Save private key] menu to save the keys into  
files (e.g., publicMyKey.ppk and privateMykey.ppk).  
Configure RSA public keys on the server  
For details about configuring RSA public keys on the server, please refer to “2.7.2 7  
Configure public key”.  
Note:  
Not all the keys generated by the SSH client key generator can be configured on the router (SSH server).  
Only the RSA keys compliant with PKCS#1 format can be configured on the router.  
Specify the RSA private key file  
38  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
If you need to perform an RSA authentication, you must specify the RSA private key  
file. If you only need to perform the password authentication, it is not necessary.  
Click the “auth” under “SSH” in the PuTTY configuration interface and the following  
figure appears.  
Figure 3-6 SSH Client Configuration interface (3)  
Click [Browse] button and a file selection dialog box will pop up. After you have  
chosen the private key file, click the [open] button.  
Enable the SSH connection  
Click [Open] button and the SSH Client interface appears. If the connection is normal,  
you are prompted to enter the user name, as shown in the following figure.  
39  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Figure 3-7 SSH Client login interface (in RSA authentication mode)  
After you have entered the correct username, you can perform the SSH connection. If  
a passphrase was used when generating the keys, the passphrase is also required  
before a successful SSH connection can be achieved.  
Note:  
The key generator may be different, depending on the SSH Client configuration interface. For the  
detailed operation, please refer to the use guide of the SSH Client or the online help.  
As shown in Figure 2-3, the console terminal (SSH Client) has set up a local  
connection with Router. Run the SSH1.5-enabled client software on the terminal for  
the sake of safer data and information communications.  
Router  
SSH Client  
Networking for the SSH local configuration  
In this section, the configuration procedures for different login authentication types will  
be covered. However, before you can proceed to any procedure, you must perform  
the following operation:  
[3Com] rsa local-key-pair create  
40  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Note:  
If a local key-pair exists, you can omit this step.  
Authenticate login users with the password approach  
[3Com] protocol inbound ssh 5  
[3Com] local-user client001 service-type operator ssh password simple 3Com  
[3Com] ssh user client001 authentication-type password  
You can adopt the default SSH authentication timeout time, retry times, and server  
key updating interval in the system. After finishing the configuration, you can run the  
SSH1.5-enabled client software on a terminal connected to the router and access the  
router from the terminal using the client name client001 and the password 3Com.  
Authenticate login users with the RSA approach  
[3Com] protocol inbound ssh 5  
[3Com] local-user client002 service-type operator ssh  
[3Com] ssh user client002 authentication-type RSA  
Then, generate the random RSA key-pairs in the SSH1.5-enabled client software and  
send the RSA public key to the server end by performing the following procedure.  
[3Com] rsa peer-public-key key002  
[3Com-rsa-public-key] public-key-code begin  
[3Com-rsa-key-code] hex 308186  
[3Com-rsa-key-code] hex 028180  
[3Com-rsa-key-code]hexE75E3D7C11923D33143FB829470EA018889147F66F27A98A  
D6C54A36  
[3Com-rsa-key-code]hexC7DB17E1647DC2BEF1C54116641CD690E5F7B492A059BD6A  
B86A7D18  
[3Com-rsa-key-code]hex1040765C978AF7C912807EAE819B4A65787CDE9C940F74C8  
BC4EFD81  
[3Com-rsa-key-code]hex6CC3EBDA51E75D1BD073AA691F646A81035496AC6F98A730  
D8C44931  
[3Com-rsa-key-code] hex 598682EF EA40DF88 5DD98D45 2670231D  
[3Com-rsa-key-code] hex 0201  
[3Com-rsa-key-code] hex 25  
[3Com-rsa-key-code] public-key-code end  
[3Com] ssh user client002 assign rsa-key key002  
Run the SSH1.5-enabled client software on the terminal which has the RSA key  
saved and set up the SSH connection.  
41  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Chapter 4 Configuring NTP  
As provisioned in RFC1305, Network Time Protocol (NTP) is a protocol of the TCP/IP  
suite, which is used to synchronize the timekeeping among a set of distributed time  
servers and clients on a network. The transmission relies on UDP.  
NTPmessage  
Router A  
10:00:00am  
Network  
1.  
Router B  
NTPmessage 10:00:00am 11:00:01am  
Network  
Router B  
2.  
3.  
Router A  
NTPmessage  
10:00:00am 11:00:01am 11:00:02am  
Network  
Router B  
Router A  
NTP Packet received at 10:00:03  
Network  
4.  
Router B  
Router A  
Figure 4-1 NTP fundamentals  
The above figure illustrates the NTP operating fundamentals. In the figure, Router A  
and Router B are connected via the serial interface, both routers have an  
independent system clock, and they want to synchronize their system clocks. Before  
proceeding to the synchronization procedure, assume the following:  
The time settings on Router A and Router B are respectively 10:00:00am and  
11:00:00am.  
Router B is working as the NTP time server. Therefore, it is up to Router A to  
synchronize its time with that of Router B.  
It takes one second for Router A and Router B to make a one-way packet  
transmission between them.  
Following is the procedure of system clock synchronization:  
Router A sends an NTP message to Router B. This message carries the  
timestamp indicating the time when the message left Router A, 10:00:00am (T1)  
for example.  
Upon the arrival of the NTP message, Router B adds its own timestamp, that is,  
11:00:01am (T2).  
42  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Upon the departure of the NTP message, Router B adds its timestamp  
11:00:02am (T3) again.  
Upon the receipt of the response, Router A adds a new timestamp, that is,  
10:00:03am (T4).  
In this way, Router A obtains adequate information for calculating two essential  
parameters. They are:  
Roundtrip delay of a NTP message, that is, Delay = (T4-T1) – (T3-T2).  
The clock offset of Router A relative to Router B, that is, offset = ( (T2-T1) +  
(T3-T4) ) / 2.  
With these two parameters, Router A can synchronize its clock with that maintained  
by Router B.  
The NTP operating fundamentals described in this section provides only a broad  
outline. NTP provisioned in RFC1305 provides a comprehensive algorithm to ensure  
the accuracy in clock synchronization.  
4.2 NTP Configuration Tasks  
NTP is used for the time synchronization on a network. Perform the following tasks to  
configure NTP.  
Configure NTP operating mode  
Set the roundtrip delay between the local router and the NTP broadcast server  
Set NTP authentication  
Set NTP authentication key  
Set a specified key to be a reliable key  
Set the local NTP message sending interface  
Set the external reference clock or local clock to be the NTP master clock  
Enable/Disable the interface to receive NTP messages  
Control the access to the services of the local router  
Set the number of sessions allowed at the local  
4.2.1 Configure NTP Operating Mode  
You may set the operating mode of the local router in NTP depending on the location  
of the router in the network and the structure of the network. For example, a) you can  
set a remote server as the local time server in which case the local router is working  
in client mode; b) set the remote server as the peer of the local router in which case  
the local router is working in symmetric active mode; c) set the local router to use an  
interface to send NTP broadcast packets in which case it is working in broadcast  
client mode, d) set it to use an interface to send NTP multicast packets in which case  
it is working in multicast mode, or e) you can set it to receive NTP multicast packets in  
which case it is working in multicast client mode.  
43  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Configure the NTP server mode  
Configure the NTP peer mode  
Configure the NTP broadcast server mode  
Configure NTP broadcast client mode  
Configure NTP multicast server mode  
Configure NTP multicast client mode  
I. Configure NTP Server Mode  
This task sets a remote server as the local time server by specifying its address  
X.X.X.X. X.X.X.X which represents a host address. This must not be a broadcast  
address, or multicast address, or the IP address of the reference clock. In this case,  
the local router is working in client mode. It is up to the local client rather than the  
remote server to synchronize its clock with that maintained by the remote server.  
Perform the following configuration in system view.  
Table 4-1 Configure NTP time server  
Operation  
Command  
ntp-service unicast-server X.X.X.X  
[
version number  
|
authentication-keyid  
Configure NTP time server  
keyid  
|
source-interface { { interface-name  
|
interface-type interface-number }  
}
|
priority ] *  
Disable the NTP server  
mode  
undo ntp-service unicast-server X.X.X.X  
NTP version is in the range of 1 to 3 and defaults to 3. The authentication key ID is  
in the range of 1 to 4294967295. You can specify an interface by specifying its  
interface-name or interface-type interface number. The local router will use the IP  
address of the interface as the source IP address carried by the NTP messages sent  
to the time server. In addition, you can specify the time server as the preferred time  
server by specifying priority.  
II. Configure the NTP peer mode  
This task is to set the remote server at X.X.X.X as the peer of the local router. In this  
case, the local router is running in symmetric active mode. X.X.X.X represents a host  
address, which must not be a broadcast address, or multicast address, or the IP  
address of the reference clock. With this approach, the local router can synchronize  
its clock with the one maintained by the remote server while the remote server is also  
allowed to synchronize its clock with the one maintained by the router.  
Perform the following configuration in system view.  
44  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 4-2 Configure NTP peer mode  
Operation  
Command  
ntp-service unicast-peer X.X.X.X  
[
version number  
|
authentication-key  
Configure NTP peer mode  
Disable NTP peer mode  
keyid  
|
source-interface { { interface-name  
|
interface-type }  
interface-number } | priority ] *  
undo ntp-service unicast-peer X.X.X.X  
NTP version is in the range of 1 to 3 and defaults to 3, and authentication key ID is in  
the range of 1 to 4294967295. You can specify an interface by specifying its  
interface-name or interface-type interface number. The local router will use the IP  
address of the interface as the source IP address carried by the NTP messages sent  
to the time server. In addition, you can specify the time server as the preferred time  
server by specifying priority.  
III. Configure NTP broadcast server mode  
This task is to specify an interface on the local router for sending NTP broadcast  
messages. In this case, the local router is running as a broadcast server to  
periodically send broadcast messages to the broadcast clients.  
Perform the following configuration in interface view.  
Table 4-3 Configure NTP broadcast server mode  
Operation  
Command  
authentication-keyid keyid version  
Configure NTP broadcast  
server mode  
ntp-service broadcast-server  
number ] *  
[
|
Disable NTP broadcast server  
mode  
undo ntp-service broadcast-server  
NTP version is in the range of 1 to 3 and defaults to 3, and authentication key ID is in  
the range of 1 to 4294967295. This command must be configured on the interface  
that is to be used for sending NTP broadcast messages.  
IV. Configure NTP broadcast client mode  
This task is to specify an interface on the local router to receive the NTP broadcast  
messages and to run in broadcast client mode. The local router first detects the  
broadcast message packets from the server. Upon the receiving the first message  
packet, the local router enters a temporary Client/Server mode to exchange the  
message with the remote server for the purpose of estimating the network delay. It  
then switches to the broadcast client mode to assume the work of detecting the  
broadcast message packets so it can synchronize the local clock.  
Perform the following configuration in interface view.  
45  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 4-4 Configure NTP broadcast client mode  
Operation  
Command  
client  
undo ntp-service broadcast  
Configure NTP broadcast client mode  
Disable NTP broadcast client mode  
ntp-service broadcast-  
-client  
This command must be configured on the interface to be used for receiving NTP  
broadcast messages.  
V. Configure NTP multicast server mode  
This task specifies an interface on the local router to send NTP multicast messages.  
In this case, the local router is running as a multicast server and periodically sends  
multicast messages to the multicast clients.  
Perform the following configuration in interface view.  
Table 4-5 Configure NTP multicast server mode  
Operation  
Command  
ntp-service multicast-server  
[
X.X.X.X ] [ authentication-keyid  
Configure NTP multicast server mode  
Disable NTP multicast server mode  
keyed  
|
ttl ttl-number | version number ] *  
undo ntp-service multicast-server  
NTP version is in the range of 1 to 3 and defaults to 3, authentication key ID is in the  
range of 1 to 4294967295, the Time-To-Live (TTL) value of multicast packets is in the  
range of 1 to 255, and the multicast IP address defaults to 224.0.1.1.  
This command must be configured on the interface to be used for sending NTP  
multicast messages.  
VI. Configure NTP multicast client mode  
This task specifies an interface on the local router to receive NTP multicast messages.  
In this case, the local router is running as a multicast client. The local router first  
detects the multicast message packets from the server. Upon the receipt of the first  
message packet, the local router enters a temporary Client/Server mode to exchange  
the message with the remote server for the purpose of estimating the network delay,  
and then it switches to the multicast client mode to assume the work of detecting the  
multicast message packets with which it can synchronize the local clock.  
Perform the following configuration in interface view.  
46  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 4-6 Configure NTP multicast client mode  
Operation  
Command  
client X.X.X.X  
undo ntp-service multicast client  
Configure NTP multicast client mode  
Disable NTP multicast client mode  
ntp-service multicast  
-
[
]
-
Multicast IP address X.X.X.X defaults to 224.0.1.1. This command must be  
configured on the interface to be used for receiving NTP multicast messages.  
4.2.2 Configure NTP Authentication  
This task enables NTP authentication, sets MD5 authentication key, and specifies the  
key as a reliable one. Working as a client, the router will not synchronize its clock with  
the one provided by the server unless the server has provided the reliable  
authentication key ID.  
Perform the following configuration in system view.  
Table 4-7 Configure NTP authentication  
Operation  
Command  
Enable NTP authentication  
Disable NTP authentication  
ntp-service authentication enable  
undo ntp-service authentication enable  
4.2.3 Set NTP Authentication Key  
This task is used to set the NTP authentication key.  
Perform the following configuration in system view.  
Table 4-8 Configure NTP authentication key  
Operation  
Command  
Set NTP authentication key  
ntp-service authentication-keyid number authentication-mode md5  
value  
Remove the NTP authentication  
key  
undo ntp-service authentication-keyid number  
The argument number that defines the key ID is in the range of 1 to 4294967295 and  
the key value is a string of 1 to 32 ASCII code characters.  
47  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
4.2.4 Specify Reliable Key  
You must specify a key to be a reliable one before it can be used for authentication.  
For example, if two routers want to use keyid 1 for authentication, both of them must  
specify it to be a reliable one.  
Perform the following configuration in system view.  
Table 4-9 Specify a key to be a reliable key  
Operation  
Command  
Specify a key to be a  
reliable key  
ntp-service reliable authentication-keyid key-number  
Remove a reliable key  
undo ntp-service reliable authentication-keyid key-number  
The argument key-number is in the range of 1 to 4294967295.  
4.2.5 Specify a Local Interface for Sending NTP Messages  
This task specifies an interface whose IP address will be used as the source IP  
address carried in all the NTP messages sent from the local router to the time server.  
Perform the following configuration in system view.  
Table 4-10 Set a local interface for sending NTP messages  
Operation  
Command  
ntp-service source-interface interface-name  
interface-type interface-number  
undo ntp-service source-interface  
Set a local interface for sending NTP  
messages  
Disable the interface as the interface for  
sending NTP messages  
{
}
|
You can specify an interface by specifying its interface-name or interface-type  
interface number. The router will use the IP address of the interface as the source IP  
address carried by the NTP messages sent to the time server. The outgoing interface  
specified using the command ntp-service unicast-server or ntp-service  
unicast-peer, if there is any, will be preferred in case there is any difference.  
4.2.6 Set NTP Master Clock  
This task specifies an external reference clock or the local clock as the NTP master  
clock.  
Perform the following configuration in system view.  
48  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 4-11 Set an external reference clock or the local clock as the NTP master clock  
Operation  
Command  
ntp-service refclock-master X.X.X.X ] [ stratum  
X.X.X.X  
Set an external reference clock or  
the local clock as the NTP master  
clock  
[
]
Disable the NTP master clock setting undo ntp-service refclock-master  
[
]
X.X.X.X represents the IP address 127.127.t.u of reference clock. Where, t is in the  
range of 0 to 37 and u in the range of 0 to 3. The argument stratum gives the stratum  
(level) information of the local clock, which is in the range of 1 to 15.If no IP address  
has been specified, the local clock is the NTP master clock by default. You can  
specify the stratum of the NTP master clock.  
4.2.7 Disable/Enable Interface to Receive NTP Messages  
This task disables or enables an interface to receive NTP messages.  
Perform the following configuration in interface view.  
Table 4-12 Disable/Enable an interface to receive NTP messages  
Operation  
Command  
Disable an interface to receive NTP  
messages  
ntp-service source-interface disable  
Enable the interface to receive NTP  
messages  
undo ntp-service source-interface disable  
This task must be performed on the interface desired to be disabled in receiving NTP  
messages.  
4.2.8 Assign the Rights for Accessing the Local Router Service  
This task sets the rights for accessing the NTP service provided by the local router.  
This command provides minimum protection. If you want greater security, you can  
perform authentication. Whenever receiving an access request, the router performs  
the match operation to find out the access right assigned to the requestor in the  
descending order of access rights, i.e., peer, server, synchronization, and query.  
The match found first will be the service access right assigned to the requestor.  
Perform the following configuration in system view.  
49  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Table 4-13 Set the right for accessing the NTP services provided by the local router  
Operation  
Command  
Set the right for accessing the NTP  
services provided by the local router  
ntp-service access  
acl-number  
{
query  
|
synchronization  
|
server  
|
peer  
}
|
Disable setting the rights for  
accessing the services provided by  
the local router  
undo ntp-service access  
peer  
{
query  
|
synchronization server  
|
}
The number of the IP address-based ACL, that is, the argument acl-number, is in the  
range of 1 to 99. Following are the meanings of the accessing rights:  
query: Only permits the requestor to access the local NTP services with a controlled  
query right.  
synchronization: Only permits the requestors to request for the time service.  
server: Permits the requestors to request the local NTP for timing service and control  
query, but will not synchronize the local clock to the remote server.  
peer: Permits the requestors to request the local NTP for time service and controlled  
query, and allows the synchronization of local clock to the remote server.  
4.2.9 Set the Number of Sessions Allowed at the Local  
This command sets the number of dynamic sessions that a client router can establish.  
Perform the following configuration in system view.  
Table 4-14 Set the number of sessions allowed at the local  
Operation  
Command  
Set the number of sessions allowed at the  
local.  
ntp-service max-dynamic-sessions number  
Restore the default number of sessions  
allowed at the local.  
undo ntp-service max-dynamic-sessions  
The maximum number of sessions allowed to set up at the local is defined by the  
argument number, which is in the range of 0 to (128) and defaults to 100.  
4.3 Display and Debug NTP  
After finishing the configurations described earlier, you can execute the display  
commands in all views to view the NTP running state for the purpose of assessing the  
configuration.  
50  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Perform the debugging command in all views to debug the NTP information.  
Table 4-15 Display and debug the NTP information  
Operation  
Command  
display ntp-service status  
display ntp-service sessions  
Display the state information of the NTP  
services  
Display the sessions state of the NTP service  
maintenance  
[
verbose  
]
Display the brief information of the NTP time  
servers that will be passed for tracing back to  
the reference clock source from the local  
device  
display ntp-service trace  
debugging ntp-service  
[
X.X.X.X ]  
Enable NTP debugging  
Parameter  
interface-name: Interface name. The IP address of the interface will be used as the  
source IP address of the messages.  
interface-type: Interface type, which identifies an interface along with  
interface-number.  
interface-number: Interface number, which identifies an interface along with  
interface-type.  
Description  
Using the ntp-service source-interface command, you can specify a local interface  
for NTP message transmission. Using the undo ntp-service source-interface  
command, you can remove the current setting.  
Source address will be determined depending on the output interface.  
Using this command, you can specify a source IP address to be carried by all the  
transmitted NTP messages by specifying the interface. This command is useful in the  
case that you do not want the IP addresses of any other local interfaces to be the  
destination addresses for receiving the response messages except for the specified  
one.  
Example  
Specify the interface Ethernet 0 so that its IP address can be used as the source IP  
address carried by all the outbound NTP message packets.  
[3Com] ntp-service source-interface Ethernet 0  
51  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
4.3.2 ntp-service source-interface disable  
Syntax  
ntp-service source-interface disable  
undo ntp-service source-interface disable  
View  
Interface view  
None  
Parameter  
Description  
Using the ntp-service source-interface disable command, you can disable an  
interface to receive NTP messages. Using the undo ntp-service source-interface  
disable command, you can enable the interface to receive NTP messages.  
By default, an interface is enables to receive NTP messages.  
Example  
Disable Ethernet 0 to receive NTP messages.  
[3Com] interface Ethernet 0  
[3Com-Ethernet0] ntp-service source-interface disable  
4.3.3 ntp-service unicast-peer  
Syntax  
ntp-service unicast-peer X.X.X.X [ version number | authentication-key keyid |  
source-interface { interface-name | interface-type interface-number } | priority ] *  
undo ntp-service unicast-peer X.X.X.X  
View  
System view  
Parameter  
X.X.X.X: IP address of the remote server.  
52  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
version: Defines NTP version number.  
number: NTP version number in the range of 1 to 3.  
authentication-keyid: Defines an authentication key.  
keyid: The key ID carried in the messages transmitted to the remote server, which is  
in the range of 1 to 4294967295.  
source-interface: Specifies interface name.  
interface-name: Interface name. The IP address of the interface will be used as the  
source IP address of the NTP messages that the local device sends to its peer.  
interface-type: Interface type, which identifies an interface along with  
interface-number.  
interface-number: Interface number, which identifies an interface along with  
interface-type.  
priority: Specifies the server to be the preferred server.  
Description  
Using the ntp-service unicast-peer command, you can enable the NTP unicast peer  
mode. Using the undo ntp-service unicast-peer command, you can disable the NTP  
unicast peer mode.  
By default, version number is 3, authentication is disabled, and the server is not the  
preferred choice.  
This command sets the remote server at X.X.X.X to be the peer of the local device  
running in symmetric active mode. X.X.X.X represents a host address, which must  
not be a broadcast or multicast address, or the IP address of the reference clock.  
With all these configurations, the local device can synchronize its clock to the remote  
server and vice versa.  
Example  
Set the peer at 128.108.22.44 to be the synchronization source of the local device,  
allowing the remote peer to synchronize with the local clock. In addition, version 3 is  
adopted, and IP address of Ethernet 0 is used as the IP source address carried by  
the NTP messages.  
[3Com] ntp-service unicast-peer 128.108.22.44 version 3 source-interface  
Ethernet 0  
53  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
4.3.4 ntp-service unicast-server  
Syntax  
ntp-service unicast-server X.X.X.X [ version number | authentication-keyid keyid  
| source-interface { interface-name | interface-type interface-number } | priority ] *  
undo ntp-service unicast-server X.X.X.X  
View  
System view  
Parameter  
X.X.X.X: IP address of the remote server.  
version: Defines NTP version.  
number: NTP version number in the range of 1 to 3.  
authentication-keyid: Defines authentication key ID.  
keyed: The key ID should be carried in the messages sent to the remote server,  
which is in the range of 1 to 4294967295.  
source-interface: Specifies the interface name.  
interface-name: Interface name. The IP address of the interface will be used as the  
source IP address of the NTP messages that the local device sends to the defined  
server.  
interface-type: Interface type, which identifies an interface along with  
interface-number.  
interface-number: Interface number, which identifies an interface along with  
interface-type.  
priority: Specifies the server to be the preferred server.  
Description  
Using the ntp-service unicast-server command, you can enable the NTP server  
mode. Using the undo ntp-service unicast-server command, you can disable the  
NTP server mode.  
By default, version number is 3, authentication is enabled, and the server is not the  
preferred choice.  
54  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
This command declares that the local time server is the remote server specified by  
X.X.X.X. X.X.X.X represents a host address, which must not be a broadcast or  
multicast address, or the IP address of the reference clock. Configured with this  
command, the local device is working in client mode and therefore it is up to the local  
client to synchronize with the remote server rather than vice versa.  
Example  
Configure the local device to synchronize with the server at 128.108.22.44 and set  
the version number to 3.  
[3Com] ntp-service unicast-server 128.108.22.44 version 3  
55  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Chapter 5 Configuring X2T  
The X.25 to TCP switch (X2T) technology can interconnect X.25 and IP networks and  
enables access between X.25 and IP hosts.  
X.25  
TCP/IP Network  
Network  
X.25 Terminal  
Router  
IP Host  
TCP  
X2T  
IP  
TCP  
X.25  
X.25  
IP  
LAPB  
LAPB  
Data Link Layer  
Data Link Layer  
Physical Layer  
Physical Layer  
Figure 5-1 Typical X2T networking  
From the perspective of an X.25 host, each IP host is associated with an X.121  
address. Whenever the router receives an X.25 call request packet, it examines the  
destination X.121 address carried by the packet and looks in its X2T routing table for  
a match for the address. If there is a matched route, the router sets up a TCP  
connection with the host at the destination IP address of the X2T route. After that, the  
router extracts the pure data from the X.25 packet and sends it to the IP host across  
the TCP connection.  
From the perspective of an IP host, it needs to know only the IP address of the  
interface of the router at the IP network side to access an X.25 host. Whenever the  
router receives a TCP connection request, it examines the destination IP address and  
TCP port number of the TCP connection and looks up the X2T routing table for a  
match. If there is a match, the router sets up an X.25 VC destined to the host at the  
associated destination X.121 address of the X2T route. After that, the router extracts  
the pure data from the TCP packet and sends it to the X.25 host across the X.25 VC.  
5.2 X2T Configuration Tasks  
Perform the following tasks to configure X2T:  
Enable X.25 switching  
Configure the interface at the X.25 network side  
Configure the interface at the IP network side  
Configure X.25 route  
56  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Configure X2T route  
I. Enabling X.25 Switching  
Before configuring X2T, you must enable X.25 switching.  
Perform the following configuration in system view.  
Table 5-1 Configure X.25 switching  
Operation  
Command  
Enable X.25 switching  
Disable X.25 switching  
x25 switching  
undo x25 switching  
5.2.2 Configuring the Interface at the X.25 Network Side  
For information about the configuration of the interface at the X.25 network side, see  
“Configure X.25” in Chapter 16 of the 3Com Router Configuration Guide.  
You do not need to configure an X.121 address when configuring the interface at the  
X.25 network side.  
I. Configure the Interface at the IP Network Side  
For the configuration of the interface at the IP network side, see the Network Protocol  
section in the 3Com Router Configuration Guide.  
II. Configuring an X.25 Route  
Perform the following configuration in system view.  
Table 5-2 Configure an X.25 route  
Operation  
Command  
Configure an X.25 route  
Delete the X.25 route  
x25 switch svc x.121-address interface serial number  
undo x25 switch svc x.121-address  
[
interface serial number  
]
III. Configuring an X2T Route  
There are two types of X2T forwarding routes, one from IP network to X.25 network  
and the other from IP network to X.25 network.  
1) Configuring an X.25-to-IP X2T forwarding route  
Perform the following configuration in system view.  
Table 5-3 Configure an X.25-to-IP X2T forwarding route  
Operation  
Command  
Configure an X.25-to-IP X2T  
translate x25 x.121-address ip ip-address port port-number  
57  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
forwarding route  
Delete the X.25-to-IP X2T  
forwarding route  
undo translate x25 x.121-address  
2) Configuring an IP-to-X.25 X2T forwarding route  
Perform the following configuration in system view.  
Table 5-4 Configure an IP-to-X.25 X2T forwarding route  
Operation  
Command  
Configure an IP-to-X.25 X2T  
forwarding route  
Delete the IP-to-X.25 X2T  
forwarding route  
translate ip ip-address port port-number x25 x.121-address  
undo translate ip ip-address port port-number  
5.3 Displaying and Debugging the X2T Information  
Execute the display and debugging commands in all views.  
Table 5-5 Display and debug the X2T information  
Operation  
Command  
Display the static routing table of X2T  
Display the dynamic routing table of X2T  
display x25 x2t route  
display x25 x2t switch-table  
debugging x25 x2t all event  
Enable X2T debugging  
{
|
|
packet }  
5.4 Typical X2T Configuration Example  
The configuration in this example interconnects an X.25 network and an IP network  
Using a router, and allows the X.25 terminals and IP hosts to communicate by  
applying the X2T technology to the router.  
X.121 address  
2222  
X.121 address  
1111  
IP address  
10.1.1.1  
IP address  
10.1.1.2  
E0  
S0  
X.25 Network  
X.25 Terminal  
IP Network  
IP Host  
Router  
Figure 5-2 Networking for the X2T application  
To configure X2T:  
1
Enable X.25 switching  
[3Com]x25 switching  
58  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
2
Configure the interface at the X.25 network side.  
[3Com]interface serial 0  
[3Com-Serial0]link-protocol x25 dce  
[3Com-Serial0]x25 x121-address 1111  
3
Configure the interface at the IP network side.  
[3Com]interface ethernet 0  
[3Com-Ethernet0]ip address 10.1.1.1 255.255.255.0  
4
Configure an X.25 route  
[3Com]x25 switch svc 2222 interface serial 0  
5
Configure an X2T route  
[3Com]translate ip 10.1.1.1 port 102 x25 2222  
[3Com]translate x25 1111 ip 10.1.1.2 port 102  
59  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Chapter 6 Configuring Additional ISDN Support  
ISDN configuration includes the following tasks:  
Configuring the ISDN signaling type.  
Configuring the negotiation parameters of ISDN Layer 3.  
Configuring the SPID parameters of the National (NI) ISDN protocol.  
6.1 Configuring ISDN Signaling Type  
By default, DSS1 signaling is used on ISDN interfaces. You can configure:  
DSS1 on BRI, E1 PRI, and T1 PRI interfaces  
NI (National ISDN), NTT, ANSI, and ATT 5ESS (Lucent 5E) on BRI interfaces  
NTT, ANSI, and ATT 5ESS (Lucent 5E) are configured with the negotiation  
commands of Layer 3 within the DSS1 protocol.  
6.2 Configuring the Negotiation Parameters of ISDN Layer 3  
6.2.1 NTT Protocol  
Table 6-1 Required NTT Protocol Commands  
Operation  
Disable the Sending-Complete  
Command  
undo isdn sending-complete  
Information Element in the Setup message  
Disable the SETUP ACK messages if the received SETUP  
messages in data service calls do not carry the called number  
information.  
isdn ignore callednum  
Table 6-2 Optional NTT Protocol Commands  
Operation  
Command  
Configure the SETUP message to ignore the high-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
Configure the SETUP message to ignore the low-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
Configure the router to wait for CONNECT ACK message  
replies from the connected exchange until switching to the  
ACTIVE state.  
isdn ignore hlc  
undo isdn ignore hlc  
isdn ignore llc  
undo isdn ignore llc  
isdn waitconnectack  
60  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Configure the router to become ACTIVE to start data exchange  
undo isdn waitconnectack  
before receiving CONNECT ACK messages.  
Configure the interval for the Q931 timers  
Restore the default interval timers  
isdn q931-timer timer-name time-interval  
undo isdn q931-timer timer-name time-interval  
The ISDN SETUP message contains the following information elements by default:  
High-layer Compatibility  
Low-Layer Compatibility  
Sending Complete  
These can optionally be removed from the SETUP message.  
6.2.2 ANSI Protocol  
Table 6-3 Required ANSI Commands  
Operation  
Command  
undo isdn sending-complete  
Disable the Sending-Complete Information Element in the  
SETUP message sent to PBX  
Table 6-4 Optional ANSI Commands  
Operation  
Command  
Configure the SETUP message to ignore the high-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
Configure the SETUP message to ignore the low-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
isdn ignore hlc  
undo isdn ignore hlc  
isdn ignore llc  
undo isdn ignore llc  
Disable the SETUP ACK messages if the received SETUP  
messages in data service calls do not carry the called number  
information  
isdn ignore callednum  
Enable the router to send SETUP ACK messages.  
Configure the router to wait for CONNECT ACK message  
replies from the connected exchange until switching to the  
ACTIVE state.  
undo isdn ignore callednum  
isdn waitconnectack  
Configure the router to become ACTIVE to start data exchange  
before receiving CONNECT ACK messages.  
undo isdn waitconnectack  
Configure the interval for the Q931 timers  
Restore the default interval timers  
isdn q931-timer timer-name time-interval  
undo isdn q931-timer timer-name time-interval  
The ISDN SETUP message contains the following information elements by default:  
High-layer Compatibility  
Low-Layer Compatibility  
Sending Complete  
61  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
These can optionally be removed from the SETUP message.  
6.2.3 ATT 5ESS (Lucent 5E)  
Table 6-5 Required ATT 5ESS Commands  
Operation  
Command  
undo isdn sending-complete  
Disable the Sending-Complete  
Information Element in the Setup message  
Disable the SETUP ACK messages if the received SETUP  
messages in data service calls do not carry the called number  
information.  
isdn ignore callednum  
Table 6-6 Optional ATT 5ESS Commands  
Operation  
Command  
Configure the SETUP message to ignore the high-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
Configure the SETUP message to ignore the low-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
Configure the router to wait for CONNECT ACK message  
replies from the connected exchange until switching to the  
ACTIVE state.  
isdn ignore hlc  
undo isdn ignore hlc  
isdn ignore llc  
undo isdn ignore llc  
isdn waitconnectack  
Configure the router to become ACTIVE to start data exchange  
before receiving CONNECT ACK messages.  
undo isdn waitconnectack  
Configure the interval for the Q931 timers  
Restore the default interval timers  
isdn q931-timer timer-name time-interval  
undo isdn q931-timer timer-name time-interval  
The ISDN SETUP message contains the following information elements by default:  
High-layer Compatibility  
Low-Layer Compatibility  
Sending Complete  
These can optionally be removed from the SETUP message.  
6.2.4 NI (National ISDN)  
Table 6-7 Optional NI Commands  
Operation  
Command  
Configure the SETUP message to ignore the high-level  
compatibility information unit when a data call is initiated.  
Restore the SETUP message.  
Configure the SETUP message to ignore the low-level  
compatibility information unit when a data call is initiated.  
isdn ignore hlc  
undo isdn ignore hlc  
isdn ignore llc  
62  
Download from Www.Somanuals.com. All Manuals Search And Download.  
3Com Router Configuration Guide Addendum for V1.20  
Restore the SETUP message.  
undo isdn ignore llc  
Configure the router to wait for CONNECT ACK message  
replies from the connected exchange until switching to the  
ACTIVE state.  
isdn waitconnectack  
Configure the router to become ACTIVE to start data exchange  
before receiving CONNECT ACK messages.  
undo isdn waitconnectack  
The ISDN SETUP message contains the following information elements by default:  
High-layer Compatibility  
Low-Layer Compatibility  
Sending Complete  
These can optionally be removed from the SETUP message.  
6.3 Configuring the SPID Parameters of ISDN NI  
Table 6-8 SPID Commands  
Operation  
Command  
On the BRI interface set the processing mode of the SPID to  
NIT, i.e., non-initializing terminal mode.  
Remove the NIT mode on BRI interface.  
Modify the time-interval of timer TSPID.  
Restore the default value of the time-interval,  
Set the number of times to resend a message on the BRI  
interface.  
isdn spid nit  
undo isdn spid nit  
isdn spid timer seconds  
undo isdn spid timer  
isdn spid resend times  
Restore the default number of times to resend a message.  
Set the SPID value of channel B1.  
undo isdn spid resend  
isdn spid1 spid  
Delete the SPID value of channel B1.  
Set the SPID value of channel B2.  
undo isdn spid1  
isdn spid2 spid  
Delete the SPID value of channel B2.  
Enable SPID negotiation on the BRI interface.  
Configure the service types that must be supported in SPI  
negotiation on the BRI.  
Delete the service types that are not supported in SPI  
negotiation.  
undo isdn spid2  
isdn spid auto-trigger  
isdn spid service [audio | data | speech]  
undo isdn spid service  
By default, there is no NIT mode and no SPID 1 or SPID 2 value. SPID works in  
AUTO mode. The time-interval for the TSPID Timer is 30 seconds. Information can  
only be resent once.  
63  
Download from Www.Somanuals.com. All Manuals Search And Download.  

Airlink101 Computer Hardware AWLH6075 User Manual
Allied Telesis Network Card AT 2916LX10 LC 901 User Manual
Alto Shaam Oven AR 7H ELECTRONIC CONTROL User Manual
American Standard Outdoor Shower R126SS User Manual
Aviom Music Mixer 6416M User Manual
Avocent Switch SC4UAD 001 User Manual
Axis Communications Security Camera P5522 User Manual
Behringer Work Light UP1000 User Manual
Eureka Tents Tent Timberline SQ XT User Manual
F RMC LC30NGTF RMC LC10LP RMC LC20LPF RMC LC30LPFUser Manual