
H3C MSR Series Routers

Web-Based Configuration Guide (V5)

Hangzhou H3C Technologies Co., Ltd.


http://www.h3c.com

Software version: MSR-CMW520-R2311


Document version: 20130320-C-1.16
Copyright © 2008-2013, Hangzhou H3C Technologies Co., Ltd. and its licensors

All rights reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks

H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade,
Comware, ITCMM and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface

This document is the Web-based configuration guide for the H3C MSR series routers, and describes
how to visually manage and maintain the H3C MSR series routers through a Web-based interface.
This preface includes:
• Audience
• Conventions
• About the H3C MSR documentation set
• Obtaining documentation
• Technical support
• Documentation feedback
These configuration guides apply to the following models of the H3C MSR series routers:

Series Models
MSR 900: MSR 900, MSR 920
MSR 930: MSR 930, MSR 930-GU, MSR 930-GT, MSR 930-DG, MSR 930-SA
MSR 20-1X: MSR 20-10, MSR 20-10E, MSR 20-11, MSR 20-12, MSR 20-15
MSR 20: MSR 20-20, MSR 20-21, MSR 20-40
MSR 30: MSR 30-10, MSR 30-11, MSR 30-11E, MSR 30-11F, MSR 30-16, MSR 30-20, MSR 30-40, MSR 30-60
MSR 50: MSR 50-40, MSR 50-60
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the routers

Conventions
This section describes the conventions used in this documentation set.

Command conventions

Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } * Asterisk-marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] * Asterisk-marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n> The argument or keyword-and-argument combination before the ampersand (&) sign can be entered 1 to n times.
# A line that starts with a pound (#) sign is a comment.

GUI conventions

Convention Description
Boldface Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention Description
WARNING An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT An alert that calls attention to essential information.
NOTE An alert that contains additional or supplementary information.
TIP An alert that provides helpful information.

Network topology icons

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.

Port numbering in examples


The port numbers in this document are for illustration only and might be unavailable on your device.

About the H3C MSR documentation set


The H3C MSR documentation set includes:

Category: Product description and specifications
• Marketing brochures: Describe product specifications and benefits.
• Technology white papers: Provide an in-depth description of software features and technologies.
• Card datasheets: Describe card specifications, features, and standards.

Category: Hardware specifications and installation
• Compliance and safety manual: Provides regulatory information and the safety instructions that must be followed during installation.
• Installation guide: Provides a complete guide to hardware installation and hardware specifications.
• MSR Series Routers Interface Module Manual: Provides the hardware specifications of cards.

Category: Software configuration
• MSR Series Routers Configuration guides: Describe software features and configuration procedures.
• MSR Series Routers Command references: Provide a quick reference to all available commands.
• MSR Series Routers Web Configuration guides: Describe Web software features and configuration procedures.

Category: Operations and maintenance
• H3C MSR Basic Routers, H3C MSR Standard Routers: Provide information about the product release, including the version history, hardware and software compatibility matrix, version upgrade information, technical support information, and software upgrading.
Obtaining documentation
You can access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] – Provides hardware installation, software
upgrading, and software feature configuration and maintenance documentation.
[Products & Solutions] – Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] – Provides the documentation released with the
software version.

Technical support
service@h3c.com
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Contents

Web overview ... 1
  Logging in to the Web interface ... 1
  Logging out of the Web interface ... 2
  Introduction to the Web interface ... 2
  User level ... 5
  Introduction to the Web-based NM functions ... 5
  Common Web interface elements ... 19
  Managing Web-based NM through CLI ... 23
    Enabling/disabling Web-based NM ... 23
    Managing the current Web user ... 23
  Configuration guidelines ... 23
  Troubleshooting Web browser ... 24
    Cannot access the device through the Web interface ... 24

Displaying device information ... 28
  Displaying device information ... 30
  Displaying broadband connection information ... 30
  Displaying 3G wireless card state ... 30
  Displaying LAN information ... 32
  Displaying WLAN information ... 32
  Displaying service information ... 33
  Displaying recent system logs ... 33
  Managing integrated services ... 33

Basic services configuration ... 34
  Configuring basic services ... 34
    Entering the homepage of basic configuration wizard ... 34
    Setting WAN interface parameters ... 34
    Setting LAN interface parameters ... 43
    Setting WLAN interface parameters ... 44
    Validating the basic services configuration ... 45

Configuring WAN interfaces ... 47
  Configuring an Ethernet interface or subinterface ... 47
    Overview ... 47
    Configuring an Ethernet interface ... 47
  Configuring an SA interface ... 50
    SA interface overview ... 50
    Configuration procedure ... 50
  Configuring an ADSL/G.SHDSL interface ... 52
    ADSL/G.SHDSL interface overview ... 52
    Configuration procedure ... 52
  Configuring a CE1/PRI interface ... 55
    CE1/PRI interface overview ... 55
    Configuration procedure ... 56
  Configuring a CT1/PRI interface ... 58
    CT1/PRI interface overview ... 58
    Configuration procedure ... 58
  Configuring a cellular interface ... 59
    Overview ... 59
    Configuration procedure ... 59
  Viewing the general information and statistics of an interface ... 61

Configuring VLANs ... 62
  Overview ... 62
  Configuring a VLAN and its VLAN interface ... 62
    Recommended configuration procedures ... 62
    Creating a VLAN and its VLAN interface ... 63
    Configuring VLAN member ports ... 64
    Configuring parameters for a VLAN interface ... 64
  Configuration guidelines ... 66

Wireless configuration overview ... 67
  Overview ... 67
  Configuration task list ... 67

Configuring wireless services ... 68
  Configuring wireless access service ... 68
    Creating a wireless access service ... 68
    Configuring clear type wireless service ... 69
    Configuring crypto type wireless service ... 77
    Binding an AP radio to a wireless service ... 82
    Security parameter dependencies ... 83
  Displaying wireless access service ... 84
    Displaying wireless service ... 84
    Displaying client ... 86
    Displaying RF ping information ... 90
  Wireless access service configuration examples ... 91
    Wireless service configuration example ... 91
    Access service-based VLAN configuration example ... 92
    PSK authentication configuration example ... 94
    Local MAC authentication configuration example ... 96
    Remote MAC authentication configuration example ... 98
    Remote 802.1X authentication configuration example ... 104
    802.11n configuration example ... 109

Client mode ... 111
  Enabling the client mode ... 111
    Connecting the wireless service ... 112
    Displaying statistics ... 113
  Client mode configuration example ... 114

Configuring radios ... 116
  Configuring data transmit rates ... 120
    Configuring 802.11a/802.11b/802.11g rates ... 120
    Configuring 802.11n MCS ... 121
  Displaying radio ... 122
    Displaying WLAN services bound to a radio ... 122
    Displaying detailed radio information ... 122

Configuring WLAN security ... 125
  Blacklist and white list ... 125
  Configuring the blacklist and white list functions ... 125
    Configuring dynamic blacklist ... 125
    Configuring static blacklist ... 126
    Configuring white list ... 127
  Configuring user isolation ... 127

Configuring WLAN QoS ... 129
  Configuring wireless QoS ... 129
    Enabling wireless QoS ... 129
    Setting the SVP service ... 129
    Setting CAC admission policy ... 130
    Setting radio EDCA parameters for APs ... 131
    Setting EDCA parameters for wireless clients ... 132
    Displaying radio statistics ... 133
    Displaying client statistics ... 135
    Setting rate limiting ... 137
  Wireless QoS configuration example ... 138
    CAC service configuration example ... 138
    Static rate limiting configuration example ... 139
    Dynamic rate limiting configuration example ... 140

Configuring advanced settings ... 142
  Setting a district code ... 142
  Channel busy test ... 142

Managing 3G ... 144
  Managing the 3G modem ... 144
    Displaying 3G information ... 144
    Managing the pin code ... 145

Configuring NAT ... 148
  Overview ... 148
  Recommended configuration procedure ... 148
  Configuring dynamic NAT ... 148
  Configuring a DMZ host ... 150
    Creating a DMZ host ... 150
    Enabling DMZ host on an interface ... 150
  Configuring an internal server ... 151
  Enabling application layer protocol check ... 153
  Configuring connection limit ... 153
  NAT configuration examples ... 154
    Internal hosts accessing public network configuration example ... 154
    Internal server configuration example ... 156

Configuring access control ... 160
  Configuration procedure ... 160
  Access control configuration example ... 161

Configuring URL filtering ... 163
  Configuration procedure ... 163
  URL filtering configuration example ... 164

Configuring MAC address filtering ... 166
  Configuring the MAC address filtering type ... 166
  Configuring the MAC addresses to be filtered ... 166
  MAC address filtering configuration example ... 168

Configuring attack protection ... 170
  Overview ... 170
    Blacklist function ... 170
    Intrusion detection function ... 170
  Configuring the blacklist function ... 172
    Recommended configuration procedure ... 172
    Enabling the blacklist function ... 173
    Adding a blacklist entry manually ... 173
    Viewing blacklist entries ... 174
  Configuring intrusion detection ... 174
  Attack protection configuration examples ... 176
    Attack protection configuration example for MSR 900/20-1X ... 176
    For MSR 20/30/50/930 routers ... 179

Configuring application control ... 183
  Recommended configuration procedure ... 183
    Loading applications ... 183
    Configuring a custom application ... 184
    Enabling application control ... 185
  Application control configuration example ... 186

Web page redirection configuration ····················································································································· 188 


Overview······································································································································································· 188 
Configuring web page redirection····························································································································· 188 

Configuring routes ·················································································································································· 190 


Overview······································································································································································· 190 
Configuring routes ······················································································································································· 190 
Creating an IPv4 static route ······························································································································ 190 
Displaying the active route table ······················································································································· 192 
Static route configuration example ···························································································································· 192 
IPv4 static route configuration example ············································································································ 192 
Configuration guidelines ············································································································································· 195 

Configuring user-based load sharing ···················································································································· 196 


Overview······································································································································································· 196 
Configuring user-based load sharing ························································································································ 196 

Configuring traffic ordering ··································································································································· 198 


Overview······································································································································································· 198 
Recommended configuration procedure···················································································································· 198 
Setting the traffic ordering interval ····························································································································· 199 
Specifying the traffic ordering mode ························································································································· 199 
Displaying internal interface traffic ordering statistics ····························································································· 199 
Displaying external interface traffic ordering statistics ···························································································· 200 

Configuring DNS ···················································································································································· 201 


Overview······································································································································································· 201 
Recommended configuration procedure···················································································································· 201 
Configuring dynamic domain name resolution ································································································ 201 
Configuring DNS proxy ······································································································································ 202 
Enabling dynamic domain name resolution ·············································································································· 202 
Enabling DNS proxy ···················································································································································· 202 
Clearing the dynamic domain name cache ·············································································································· 203 
Specifying a DNS server ············································································································································· 203 
Configuring a domain name suffix ···························································································································· 203 
Domain name resolution configuration example ······································································································ 204 

Configuring DDNS ·················································································································································· 209 


Overview······································································································································································· 209 
Configuration prerequisites ········································································································································· 210 
Configuration procedure ············································································································································· 210 
DDNS configuration example ····································································································································· 211 
Configuring DHCP ·················································································································································· 214 
Introduction to DHCP ··················································································································································· 214 
Recommended configuration procedure···················································································································· 215 
Configuring the DHCP server ····························································································································· 215 
Configuring the DHCP relay agent···················································································································· 215 
Configuring the DHCP client ······························································································································ 216 
Enabling DHCP ···························································································································································· 216 
Configuring DHCP interface setup ····························································································································· 217 
Configuring a static address pool for the DHCP server ··························································································· 218 
Configuring a dynamic address pool for the DHCP server ····················································································· 220 
Configuring IP addresses excluded from dynamic allocation ················································································· 222 
Configuring a DHCP server group ····························································································································· 223 
DHCP configuration examples ···································································································································· 224 
DHCP configuration example without DHCP relay agent ··············································································· 225 
DHCP relay agent configuration example ········································································································ 232 
Configuration guidelines ············································································································································· 238 

Configuring ACLs ···················································································································································· 239 


Overview······································································································································································· 239 
Recommended IPv4 ACL configuration procedure ··································································································· 239 
Adding an IPv4 ACL ···················································································································································· 240 
Configuring a rule for a basic IPv4 ACL ··················································································································· 240 
Configuring a rule for an advanced IPv4 ACL ········································································································· 242 
Configuring a rule for an Ethernet frame header ACL ····························································································· 245 
Configuration guidelines ············································································································································· 247 

Configuring QoS ····················································································································································· 248 


Overview······································································································································································· 248 
Subnet limit··························································································································································· 248 
Advanced limit ····················································································································································· 248 
Advanced queue ················································································································································· 248 
Configuring subnet limit ·············································································································································· 249 
Configuring advanced limit ········································································································································ 250 
Configuring advanced queue ····································································································································· 253 
Configuring interface bandwidth······················································································································· 253 
Configuring bandwidth guarantee ······················································································· 254 
QoS configuration examples ······································································································································ 257 
Subnet limit configuration example ··················································································································· 257 
Advanced queue configuration example ·········································································································· 258 
Appendix Packet priorities ·········································································································································· 261 

Configuring SNMP·················································································································································· 264 


Overview······································································································································································· 264 
SNMP agent configuration task list ···························································································································· 264 
Enabling the SNMP agent function ··················································································································· 266 
Configuring an SNMP view ······························································································································· 267 
Configuring an SNMP community ····················································································································· 269 
Configuring an SNMP group ····························································································································· 270 
Configuring an SNMP user ································································································································ 271 
Configuring SNMP trap function ······················································································································· 273 
Displaying SNMP packet statistics ···················································································································· 275 
SNMPv1/v2c configuration example ························································································································ 276 
SNMPv3 configuration example ································································································································ 279 

Configuring bridging ·············································································································································· 285 


Overview······································································································································································· 285 
Bridging overview ··············································································································································· 285 
Major functionalities of bridges ························································································································· 285 
VLAN transparency ············································································································································· 289 
Configuring bridging ··················································································································································· 289 
Recommended basic bridging configuration procedure ················································································· 289 
Enabling a bridge set ········································································································································· 289 
Adding an interface to a bridge set ·················································································································· 290 
Bridging configuration example ································································································································· 291 

Configuring user groups ········································································································································· 295 


User group configuration task list ······························································································································· 295 
Configuring a user group ··································································································································· 296 
Configuring a user ·············································································································································· 296 
Configuring access control ································································································································· 297 
Configuring application control ························································································································· 298 
Configuring bandwidth control ·························································································································· 299 
Configuring packet filtering································································································································ 300 
Synchronizing user group configuration for WAN interfaces ··········································· 302 
User group configuration example····························································································································· 302 

Configuring MSTP ··················································································································································· 310 


Introduction to STP ······················································································································································· 310 
Protocol packets of STP ······································································································································· 310 
Basic concepts in STP·········································································································································· 310 
How STP works ···················································································································································· 311 
Introduction to RSTP ····················································································································································· 317 
Introduction to MSTP ···················································································································································· 317 
Why MSTP ··························································································································································· 317 
Basic concepts in MSTP ······································································································································ 318 
How MSTP works ················································································································································ 322 
Implementation of MSTP on devices·················································································································· 322 
Protocols and standards ····································································································································· 322 
Recommended MSTP configuration procedure ········································································································· 322 
Configuring an MST region ········································································································································ 323 
Configuring MSTP globally ········································································································································· 324 
Configuring MSTP on a port ······································································································································· 328 
MSTP configuration example ······································································································································ 330 
Configuration guidelines ············································································································································· 334 

Configuring RADIUS ··············································································································································· 336 


Overview······································································································································································· 336 
Configuring a RADIUS scheme ··································································································································· 336 
Configuring common parameters ······················································································································ 337 
Adding RADIUS servers ······································································································································ 340 
RADIUS configuration example ·································································································································· 341 
Configuration guidelines ············································································································································· 348 

Configuring login control ······································································································································· 350 


Configuration procedure ············································································································································· 350 
Login control configuration example ·························································································································· 351 
Network requirements ········································································································································· 351 
Configuring a login control rule so Host A cannot Telnet to Router ······························································ 351 
Configuring a login control rule so Host B cannot access Router through the Web···································· 352 

Configuring ARP ······················································································································································ 354 


Overview······································································································································································· 354 
Gratuitous ARP ····················································································································································· 354 
Displaying ARP entries················································································································································· 354 
Creating a static ARP entry ········································································································································· 355 
Removing ARP entries ·················································································································································· 355 
Enabling learning of dynamic ARP entries ················································································································ 356 
Configuring gratuitous ARP ········································································································································· 357 
Static ARP configuration example ······························································································································ 357 

Configuring ARP attack defense ···························································································································· 362 


Overview······································································································································································· 362 
Configuring periodic sending of gratuitous ARP packets ························································································ 362 
Configuring ARP automatic scanning ························································································································ 363 
Configuring fixed ARP ················································································································································· 364 

Configuring IPsec VPN ··········································································································································· 366 


Overview······································································································································································· 366 
Recommended configuration procedure···················································································································· 366 
Configuring an IPsec connection ································································································································ 367 
Displaying IPsec VPN monitoring information ·········································································································· 373 
IPsec VPN configuration example ······························································································································ 374 
Configuration guidelines ············································································································································· 376 

Configuring L2TP ····················································································································································· 377 


Enabling L2TP ······························································································································································· 378 
Adding an L2TP group ················································································································································ 378 
Displaying L2TP tunnel information ···························································································································· 385 
Client-initiated VPN configuration example ·············································································································· 385 

Configuring GRE ····················································································································································· 390 


Overview······································································································································································· 390 
Configuring a GRE over IPv4 tunnel ·························································································································· 390 
Recommended configuration procedure ··········································································································· 390 
Creating a GRE tunnel ········································································································································ 390 
GRE over IPv4 tunnel configuration example············································································································ 392 

SSL VPN overview ··················································································································································· 400 


How SSL VPN works ···················································································································································· 400 
Advantages of SSL VPN ·············································································································································· 401 

Configuring SSL VPN gateway ······························································································································ 402 


Recommended configuration procedure···················································································································· 402 
Configuring the SSL VPN service ······························································································································· 403 
Configuring Web proxy server resources ················································································································· 404 
Configuring TCP application resources ····················································································································· 406 
Configuring a remote access service resource································································································· 407 
Configuring a desktop sharing service resource ····························································································· 408 
Configuring an email service resource ············································································································· 409 
Configuring a Notes service resource··············································································································· 410 
Configuring a common TCP service resource ·································································································· 412 
Configuring IP network resources······························································································································· 413 
Recommended configuration procedure ··········································································································· 413 
Configuring global parameters·························································································································· 413 
Configuring host resources ································································································································· 414 
Configuring a user-IP binding ···························································································································· 416 
Configuring a predefined domain name ·········································································································· 417 
Configuring a resource group ···································································································································· 418 
Configuring local users················································································································································ 420 
Adding a local user manually ···························································································································· 420 
Importing local users in bulk ······························································································································ 422 
Configuring a user group ············································································································································ 423 
Viewing user information ············································································································································ 425 
Viewing online user information ························································································································ 425 
Logging out an online user ································································································································· 425 
Viewing history user information ······················································································································· 425 
Performing basic configurations for the SSL VPN domain······················································································· 426 
Configuring the domain policy ·························································································································· 426 
Configuring the caching policy ························································································································· 428 
Configuring a bulletin ········································································································································· 428 
Configuring authentication policies ··························································································································· 429 
Configuring local authentication ······················································································································· 430 
Configuring RADIUS authentication ·················································································································· 430 
Configuring LDAP authentication ······················································································································· 431 
Configuring AD authentication ·························································································································· 433 
Configuring combined authentication ··············································································································· 434 
Configuring a security policy ······································································································································ 435 
Customizing the SSL VPN user interface ··················································································································· 439 
Customizing the SSL VPN interface partially ···································································································· 440 
Customizing the SSL VPN interface fully ··········································································································· 442 

User access to SSL VPN ·········································································································································· 443 


Logging in to the SSL VPN service interface ············································································································· 443 
Accessing SSL VPN resources····································································································································· 444 
Getting help information ············································································································································· 445 
Changing the login password ···································································································································· 446 

SSL VPN configuration example ···························································································································· 447 


Network requirements ················································································································································· 447 
Configuration prerequisites ········································································································································· 447 
Configuration procedure ············································································································································· 448 
Configuring the SSL VPN service ······················································································································· 448 
Configuring SSL VPN resources ························································································································· 451 
Configuring SSL VPN users ································································································································ 456 
Configuring an SSL VPN domain ······················································································································ 459 
Verifying the configuration ·········································································································································· 461 

Managing certificates ············································································································································· 465 


Overview······································································································································································· 465 
Recommended configuration procedure···················································································································· 465 
Recommended configuration procedure for manual request·········································································· 465 
Recommended configuration procedure for automatic request······································································ 467 
Creating a PKI entity ···················································································································································· 468 
Creating a PKI domain ················································································································································ 469 
Generating an RSA key pair······································································································································· 472 
Destroying the RSA key pair ······································································································································· 473 
Retrieving and displaying a certificate ······················································································································ 473 
Requesting a local certificate ······································································································································ 475 
Retrieving and displaying a CRL ································································································································ 476 
PKI configuration examples ········································································································································· 476 
Certificate request from a Windows 2003 CA server ···················································································· 476 
Certificate request from an RSA Keon CA server ···························································································· 480 
IKE negotiation with RSA digital signature ······································································································· 484 
Configuration guidelines ············································································································································· 490 

Managing the system ·············································································································································· 491 
Managing the configuration ······································································································································· 491 
Saving the configuration····································································································································· 491 
Restoring factory defaults ··································································································································· 492 
Backing up configuration ··································································································································· 492 
Restoring configuration ······································································································································· 493 
Backing up and restoring device files through the USB port ·········································································· 493 
Rebooting the device ··················································································································································· 495 
Managing services ······················································································································································· 495 
Managing users ··························································································································································· 497 
Creating a user ···················································································································································· 498 
Setting the super password ································································································································ 499 
Switching to the management level ··················································································································· 499 
Configuring system time ·············································································································································· 500 
Setting the system time ········································································································································ 500 
Setting the time zone and daylight saving time ······························································································· 502 
Configuring TR-069 ····················································································································································· 503 
TR-069 network framework ································································································································ 504 
Basic functions of TR-069 ··································································································································· 504 
Configuration procedure ···································································································································· 506 
Configuration guidelines ···································································································································· 507 
Upgrading software ····················································································································································· 507 
Upgrading software (for the MSR 900/MSR 20-1X) ······················································································ 507 
Upgrading software (for the MSR 20/30/50/930)······················································································· 508 

Configuring SNMP (lite version) ···························································································································· 510 


Overview······································································································································································· 510 
Enabling the SNMP agent function ···························································································································· 510 
SNMP configuration examples ··································································································································· 512 
SNMPv1/v2c configuration example ··············································································································· 512 
SNMPv3 configuration example························································································································ 514 

Configuring syslogs················································································································································· 516 


Displaying syslogs ························································································································································ 516 
Setting the log host······················································································································································· 518 
Setting buffer capacity and refresh interval ·············································································································· 519 

Using diagnostic tools············································································································································· 520 


Traceroute ····································································································································································· 520 
Ping ················································································································································································ 520 
Traceroute operation ··················································································································································· 520 
Ping operation ······························································································································································ 521 

Configuring WiNet ················································································································································· 523 


Configuring WiNet ······················································································································································ 523 
Enabling WiNet ·················································································································································· 523 
Setting the background image for the WiNet topology diagram ·································································· 524 
Managing WiNet················································································································································ 525 
Configuring a RADIUS user ································································································································ 527 
How the guest administrator obtains the guest password ·············································································· 529 
WiNet configuration example ···································································································································· 530 
WiNet establishment configuration example ··································································································· 530 
WiNet-based RADIUS authentication configuration example ········································································ 535 

Configuration wizard·············································································································································· 539 


Overview······································································································································································· 539 
Basic service setup ······················································································································································· 539 
Entering the configuration wizard homepage·································································································· 539 
Selecting a country ·············································································································································· 539 
Configuring local numbers ································································································································· 540 
Configuring connection properties ···················································································································· 541 
Finishing configuration wizard ·························································································································· 541 

Local number and call route ··································································································································· 542 


Basic settings ································································································································································ 542 
Fax and modem ··························································································································································· 542 
Call services ·································································································································································· 542 
Advanced settings ························································································································································ 542 

Basic settings ··························································································································································· 543 


Introduction to basic settings ······································································································································· 543 
Local number························································································································································ 543 
Call route ······························································································································································ 543 
Basic settings ································································································································································ 544 
Configuring a local number ······························································································································· 544 
Configuring a call route······································································································································ 545 
Configuration examples of local number and call route ························································································· 547 
Configuring direct calling for SIP UAs through the SIP protocol (configuring static IP address)················· 547 
Configuring direct calling for SIP UAs through the SIP protocol (configuring domain name) ···················· 551 
Configuring proxy server involved calling for SIP UAs ··················································································· 555 
Configuring trunking mode calling ···················································································································· 562 

Fax and modem ······················································································································································ 566 


Protocols and standards for FoIP ······················································································································· 566 
Fax flow ································································································································································ 566 
Introduction to fax methods ································································································································ 567 
SIP modem pass-through function ······························································································································· 567 
Configuring fax and modem······································································································································· 568 
Configuring fax and modem parameters of a local number ·········································································· 568 
Configuring fax and modem parameters of a call route ················································································ 571 

Call services ···························································································································································· 573 


Call waiting·························································································································································· 573 
Call hold ······························································································································································· 573 
Call forwarding ··················································································································································· 573 
Call transfer·························································································································································· 574 
Call backup ·························································································································································· 574 
Hunt group ··························································································································································· 574 
Call barring ·························································································································································· 574 
Message waiting indication ······························································································································· 574 
Three-party conference ······································································································································· 574 
Silent monitor and barge in services ················································································································· 575 
Calling party control ··········································································································································· 575 
Door opening control ·········································································································································· 575 
CID on the FXS voice subscriber line ················································································································ 575 
CID on the FXO voice subscriber line ··············································································································· 576 
Support for SIP voice service of the VCX ·········································································································· 576 
Configuring call services of a local number·············································································································· 576 
Configuring call forwarding, call waiting, call hold, call transfer, and three-party conference················· 576 
Configuring other voice functions ······················································································································ 578 
Configuring call services of a call route ···················································································································· 580 
Call services configuration examples ························································································································ 581 
Configuring call waiting ····································································································································· 581 
Configuring call forwarding ······························································································································· 582 
Configuring call transfer ····································································································································· 584 
Configuring hunt group ······································································································································ 585 
Configuring three-party conference ··················································································································· 588 
Configuring silent monitor and barge in ·········································································································· 590 

Advanced settings ··················································································································································· 596 


Introduction to advanced settings ······························································································································· 596 
Coding parameters ············································································································································· 596 
Other parameters ················································································································································ 600 
Configuring advanced settings of a local number ··································································································· 600 
Configuring coding parameters of a local number ························································································· 600 
Configuring other parameters of a local number ···························································································· 602 
Configuring advanced settings of a call route ·········································································································· 603 
Configuring coding parameters of a call route································································································ 603 
Configuring other parameters for a call route ································································································· 604 
Advanced settings configuration example ················································································································ 605 
Configuring out-of-band DTMF transmission mode for SIP ············································································· 605 

SIP-to-SIP connections ·············································································································································· 607 


Configuring media parameters for SIP-to-SIP connections ······················································································· 607 
Configuring signaling parameters for SIP-to-SIP connections ·················································································· 608 

Configuring dial plans ············································································································································ 610 


Dial plan process ························································································································································· 610 
Regular expression ······················································································································································· 611 
Dial plan functions ······················································································································································· 613 
Number match ····················································································································································· 613 
Call control ··························································································································································· 614 
Number substitution ············································································································································ 614 
Configuring dial plan ·················································································································································· 615 
Configuring number match································································································································· 615 
Configuring call control ······································································································································ 616 
Configuring number substitution ························································································································ 620 
Dial plan configuration examples ······························································································································ 622 
Configuring number match mode ······················································································································ 622 
Configuring the match order of number selection rules ·················································································· 624 
Configuring entity type selection priority rules ································································································· 628 
Configuring call authority control ······················································································································ 632 
Configuring number substitution ························································································································ 635 

Call connection ······················································································································································· 643 


Introduction to SIP ························································································································································ 643 
Terminology ························································································································································· 643 
Functions and features of SIP ····························································································································· 644 
SIP messages························································································································································ 645 
SIP fundamentals ················································································································································· 645 
Support for transport layer protocols ························································································································· 648 
SIP security ···································································································································································· 648 
Signaling encryption ··········································································································································· 649 
Media flow encryption ········································································································································ 649 
TLS-SRTP combinations ········································································································································ 650 
Support for SIP extensions ··········································································································································· 650 

Configuring SIP connections ·································································································································· 651 


Configuring connection properties ····························································································································· 651 

Configuring registrar ··········································································································································· 651 
Configuring proxy server ···································································································································· 653 
Configuring session properties ··································································································································· 653 
Configuring source address binding ················································································································· 653 
Configuring SIP listening ···································································································································· 655 
Configuring media security ································································································································ 656 
Configuring caller identity and privacy ············································································································ 657 
Configuring SIP session refresh·························································································································· 658 
Configuring compatibility ··································································································································· 658 
Configuring advanced settings ··································································································································· 660 
Configuring the address hiding mode ·············································································································· 660 
Specifying the outbound proxy ·························································································································· 660 
Configuring registration parameters ················································································································· 661 
Configuring voice mailbox server ····················································································································· 663 
Configuring signaling security ··························································································································· 664 
Configuring call release cause code mapping ········································································································· 665 
Configuring PSTN call release cause code mappings ···················································································· 665 
Configuring SIP status code mappings ············································································································· 666 
SIP connection configuration examples ····················································································································· 666 
Configuring basic SIP calling features ·············································································································· 666 
Configuring caller ID blocking ··························································································································· 666 
Configuring SRTP for SIP calls ···························································································································· 668 
Configuring TCP to carry outgoing SIP calls ···································································································· 669 
Configuring TLS to carry outgoing SIP calls ····································································································· 670 

Managing SIP server groups ·································································································································· 672 


Creating a SIP server group ······························································································································· 672 
Configuring the real-time switching function ···································································································· 672 
Configuring the keep-alive mode······················································································································· 673 
Configuring the source address binding mode ································································································ 674 
Configuring server information management ··································································································· 675 

Configuring SIP trunk ·············································································································································· 677 


Features ································································································································································ 678 
Typical applications ············································································································································ 678 
Protocols and standards ····································································································································· 679 
Configuring SIP trunk ··················································································································································· 679 
Configuration task list ········································································································································· 679 
Enabling the SIP trunk function··························································································································· 680 
Configuring a SIP server group ························································································································· 680 
Configuring a SIP trunk account ························································································································ 681 
Configuring a call route for outbound calls ·············································································································· 682 
Configuring a call route for a SIP trunk account ······························································································ 682 
Configuring fax and modem parameters of the call route of a SIP trunk account ······································· 684 
Configuring advanced settings of the call route of a SIP trunk account ························································ 684 
Configuring media parameters for SIP-to-SIP connections ·············································································· 686 
Configuring signaling parameters for SIP-to-SIP connections ········································································· 687 
Configuring a call route for inbound calls ················································································································ 688 
SIP trunk configuration examples ······························································································································· 689 
Configuring a SIP server group with only one member server ······································································· 689 
Configuring a SIP server group with multiple member servers ······································································· 695 
Configuring call match rules ······························································································································ 698 

Managing data links ··············································································································································· 701 


Overview······································································································································································· 701 
Introduction to E1 and T1 ··································································································································· 701 

E1 and T1 voice functions ·································································································································· 701 
E1 and T1 interfaces ··········································································································································· 702 
Features of E1 and T1········································································································································· 703 
Introduction to BSV interface ······························································································································ 703 
Configuring digital link management ························································································································ 704 
Configuring VE1 line··········································································································································· 704 
Configuring VT1 line ··········································································································································· 709 
Configuring BSV line ··········································································································································· 711 
Displaying ISDN link state ·································································································································· 716 
E1 voice DSS1 signaling configuration example ····································································································· 716 

Managing lines ······················································································································································· 719 


FXS voice subscriber line ············································································································································· 719 
FXO voice subscriber line ··········································································································································· 719 
E&M subscriber line ····················································································································································· 719 
E&M introduction ················································································································································· 719 
E&M start mode ··················································································································································· 719 
One-to-one binding between FXS and FXO voice subscriber lines ········································································ 721 
Echo adjustment function ············································································································································· 721 
Adjusting echo duration ····································································································································· 721 
Adjusting echo cancellation parameters ··········································································································· 721 
Enabling the nonlinear function of echo cancellation ····················································································· 722 
Line management configuration ································································································································· 722 
Configuring an FXS voice subscriber line ········································································································· 722 
Configuring an FXO voice subscriber line········································································································ 725 
Configuring an E&M subscriber line ················································································································· 728 
Configuring an ISDN line ··································································································································· 731 
Configuring a paging line ·································································································································· 733 
Configuring an MoH line ··································································································································· 734 
Line management configuration examples ················································································································ 735 
Configuring an FXO voice subscriber line········································································································ 735 
Configuring one-to-one binding between FXS and FXO ················································································· 736 

Configuring SIP local survival ································································································································ 744 


Configuring SIP local survival ····································································································································· 745 
Service configuration ·········································································································································· 745 
User management ··············································································································································· 746 
Trusted nodes ······················································································································································· 747 
Call-out route ························································································································································ 747 
Area prefix ··························································································································································· 748 
Call authority control··········································································································································· 749 
SIP local survival configuration examples ················································································································· 750 
Configuring local SIP server to operate in alone mode ·················································································· 750 
Configuring local SIP server to operate in alive mode···················································································· 753 
Configuring call authority control ······················································································································ 755 
Configuring an area prefix ································································································································ 760 
Configuring a call-out route································································································································ 763 

Configuring IVR ······················································································································································· 766 


Overview······································································································································································· 766 
Advantages ··································································································································································· 766 
Customizable voice prompts ······························································································································ 766 
Various codecs ···················································································································································· 766 
Flexible node configuration ································································································································ 766 
Customizable process ········································································································································· 766 
Successive jumping ············································································································································· 767 

Error processing methods ··································································································································· 767 
Timeout processing methods ······························································································································ 767 
Various types of secondary calls ······················································································································· 767 
Configuring IVR ···························································································································································· 767 
Uploading media resource files ························································································································· 767 
Importing a media resource through an MoH audio input port ····································································· 768 
Configuring the global key policy ······························································································································ 769 
Configuring IVR nodes················································································································································· 770 
Configuring a call node ····································································································································· 770 
Configure a jump node ······································································································································ 773 
Configure a service node ··································································································································· 775 
Configuring access number management ················································································································· 776 
Configuring an access number ·························································································································· 776 
Configuring advanced settings for the access number ··················································································· 777 
IVR configuration examples ········································································································································ 778 
Configure a secondary call on a call node (match the terminator of numbers) ··········································· 778 
Configure a secondary call on a call node (match the number length) ························································ 782 
Configure a secondary call on a call node (match a number) ······································································ 785 
Configure an extension secondary call on a call node ·················································································· 787 
Configure a jump node ······································································································································ 789 
Configure an immediate secondary call on a service node ··········································································· 791 
Configure a secondary call on a service node ································································································ 793 
Configure a call node, jump node, and service node ···················································································· 795 
Customizing IVR services············································································································································· 801 
Create a menu ····················································································································································· 802 
Bind an access number ······································································································································· 808 
Customize IVR services ······································································································································· 808 
Custom IVR service configuration example ······································································································ 809 

Advanced configuration ········································································································································· 820 


Global configuration···················································································································································· 820 
Batch configuration ······················································································································································ 821 
Local number························································································································································ 821 
Call route ······························································································································································ 828 
Line management ················································································································································ 831 
SIP local survival services ··································································································································· 835 

States and statistics ················································································································································· 837 


Line states ······································································································································································ 837 
Displaying detailed information about analog voice subscriber lines··························································· 838 
Displaying detailed information about digital voice subscriber lines ···························································· 838 
Call statistics ································································································································································· 839 
Displaying active call summary ························································································································· 840 
Displaying history call summary ························································································································ 840 
SIP UA states ································································································································································· 841 
Displaying TCP connection information ············································································································ 841 
Displaying TLS connection information ············································································································· 841 
Connection status ························································································································································· 842 
Displaying number register status ······················································································································ 842 
Displaying number subscription status ·············································································································· 843 
Local survival service states ········································································································································· 843 
SIP trunk account states ··············································································································································· 844 
Displaying SIP trunk account states ··················································································································· 844 
Displaying dynamic contact states ···················································································································· 845 
Server group information ············································································································································ 845 

IVR information ····························································································································································· 846 
Displaying IVR call states ···································································································································· 846 
Displaying IVR play states ·································································································································· 847 

Index ········································································································································································ 848 

Web overview

The device provides Web-based configuration interfaces for visual device management and
maintenance.
Figure 1 Web-based network management operating environment

Logging in to the Web interface


Follow these guidelines when you log in to the Web interface:
• The PC in Figure 1 is the one from which you configure the device, but it is not necessarily the
Web-based network management terminal. The Web-based network management terminal is a PC (or
another terminal) used to log in to the Web interface, and it must be able to reach the device.
• Click the verification code displayed on the Web login page to get a new verification code.
• Up to 24 users can log in to the device concurrently through the Web interface.
• You can also log in to the Web interface through HTTPS. To do so, you must enable HTTPS on the
device, and the address you enter in the address bar must start with https://. For more information, see
"Configuring service management."
• If you have configured the auto authentication mode for HTTPS login users with the web
https-authorization mode command, the user is authenticated automatically by the PKI certificate,
without entering a username or password. For more information, see Fundamentals
Configuration Guide.
You can use the following default settings to log in to the Web interface through HTTP:
• Username—admin
• Password—admin
• IP address of the device—192.168.1.1.
To log in to the Web interface of the device from a PC:
1. Connect the Ethernet interface Ethernet 0/0 of the device to the PC using a crossover Ethernet
cable.
2. Configure an IP address for the PC and make sure the PC and the device can reach each other.
For example, assign the PC an IP address (such as 192.168.1.2) within the network segment
192.168.1.0/24 (other than 192.168.1.1).
3. Open the browser and enter the login information:
a. Type http://192.168.1.1 in the address bar and press Enter.
The login page of the Web interface (see Figure 2) appears.
b. Enter the username admin, the password admin, and the verification code, select the language
(English and Chinese are supported at present), and click Login.

Figure 2 Login page of the Web interface

Logging out of the Web interface


CAUTION:
Closing the browser does not automatically log out a logged-in user.

Click Logout in the upper-right corner of the Web interface to quit Web-based network management.
The system does not save the current configuration when you log out of the Web interface, so save the
current configuration before you log out.

Introduction to the Web interface


The Web-based interface is composed of three parts: navigation area, title area, and body area.

Figure 3 Initial page of the Web interface

① Navigation area ② Title area ③ Body area

• Navigation area—Organizes the Web function menus in the form of a navigation tree, where you
can select function menus as needed. The result is displayed in the body area.
• Title area—On the left, displays the path of the current configuration interface in the navigation
area; on the right, provides the Save button to quickly save the current configuration, the Help button
to display the Web-related help information, and the Logout button to log out of the Web interface.
• Body area—The area where you can configure and display a function.

User level
Web user levels, from low to high, are visitor, monitor, configure, and management. A
higher-level user has all the rights of a lower-level user.
• Visitor—Users of this level can perform the ping and traceroute operations, but can neither access
the device data nor configure the device.
• Monitor—Users of this level can only access the device data; they cannot configure the device.
• Configure—Users of this level can access data from the device and configure the device, but they
cannot upgrade the host software, add, delete, or modify users, or back up or restore the application
file.
• Management—Users of this level can perform any operation on the device.

Introduction to the Web-based NM functions


User level in Table 1 indicates that users of this level or users of a higher level can perform the
corresponding operations.
Table 1 Web-based NM function description

Function menu
  Description (User level)

Device Information > Device Information
  Displays and allows you to refresh device information, broadband connection information, 3G wireless card state, LAN information, WLAN information, services information, and recent system logs. (Monitor)

Device Information > Integrated Service Management
  Displays the URL address on a card. (Monitor)
  Allows you to change the URL address of a card, and log in to the Web interface of the card. (Configure)

Wizard > Basic Configuration Wizard
  Guides you through the basic service configuration of routers. (Configure)

Interface Setup > WAN Interface Setup > WAN Interface Setup
  Displays the configuration information of a WAN interface, and allows you to view interface statistics. (Monitor)
  Allows you to modify WAN interface configuration, and clear the statistics of a WAN interface. (Configure)

Interface Setup > LAN Interface Setup > VLAN Setup
  Displays the configuration information of a VLAN. (Monitor)
  Allows you to configure a VLAN. (Configure)

Interface Setup > LAN Interface Setup > VLAN Interface Setup
  Displays the configuration information of a VLAN interface. (Monitor)
  Allows you to configure a VLAN interface. (Configure)

Interface Setup > Wireless Configuration > Summary
  Displays wireless service, radio and client information. (Monitor)
  Allows you to view wireless service, radio and client information; clear radio statistics; clear client statistics; disconnect a connection; and add a client to a blacklist. (Configure)

Interface Setup > Wireless Configuration > Access Service
  Displays configuration information about an access service. (Monitor)
  Allows you to create and configure an access service. (Configure)

Interface Setup > Wireless Configuration > Radio
  Displays radio parameters and radio rate settings. (Monitor)
  Allows you to set radio parameters, 802.11a/b/g rates, and 802.11n MCS. (Configure)

Interface Setup > Wireless Configuration > Security
  Displays configuration information of blacklist, whitelist, and user isolation. (Monitor)
  Allows you to configure blacklist, whitelist, and user isolation. (Configure)

Interface Setup > Wireless Configuration > Wireless QoS
  Displays wireless QoS and rate limiting settings, and displays radio and client information. (Monitor)
  Allows you to configure wireless QoS and rate limiting, and clear radio and client information. (Configure)

Interface Setup > Wireless Configuration > Country Code
  Displays configuration information of the country code. (Monitor)
  Allows you to set the country code. (Configure)

3G > 3G Information
  Displays 3G modem information, UIM card information, and 3G network information. (Monitor)

3G > PIN Code Management
  Displays UIM card status. (Monitor)
  Allows you to manage PIN codes. (Configure)

NAT Configuration > NAT Configuration > Dynamic NAT
  Displays information about the NAT configurations. (Monitor)
  Allows you to configure NAT. (Configure)

NAT Configuration > NAT Configuration > DMZ Host
  Allows you to create a DMZ host. (Monitor)
  Allows you to enable DMZ host on an interface. (Configure)

NAT Configuration > NAT Configuration > NAT Server Setup
  Displays configurations of the internal server. (Monitor)
  Allows you to configure the internal server. (Configure)

NAT Configuration > NAT Configuration > ALG
  Displays configurations of the application layer protocol check function. (Monitor)
  Allows you to configure the application layer protocol check function. (Configure)

NAT Configuration > NAT Configuration > Nat Outbound Setup
  Displays configuration information about the number of connections. (Monitor)
  Allows you to configure connection limit. (Configure)

Security Setup > Access
  Displays the access control configuration information. (Monitor)
  Allows you to configure access control. (Configure)

Security Setup > URL Filter
  Displays the information about URL filtering conditions. (Monitor)
  Allows you to add or delete URL filtering conditions. (Configure)

Security Setup > MAC Address Filtering
  Displays the information about MAC address filtering conditions. (Monitor)
  Allows you to set MAC address filtering types, and add or delete MAC addresses to be filtered. (Configure)

Security Setup > Attack Defend > Blacklist
  Displays and allows you to refresh the blacklist information and whether blacklist filtering is enabled or not. (Monitor)
  Allows you to add, modify, delete and clear blacklist entries, and set whether to enable or disable blacklist filtering. (Configure)

Security Setup > Attack Defend > Intrusion Detection
  Displays intrusion detection configuration information. (Monitor)
  Allows you to configure the intrusion detection function. (Configure)

Security Setup > Application Control > Application Control
  Displays application control configuration information. (Monitor)
  Allows you to configure application control. (Configure)

Security Setup > Application Control > Load Application
  Allows you to load an application and view the loaded application. (Configure)

Security Setup > Application Control > Custom Application
  Displays custom application information. (Monitor)
  Allows you to add, modify and delete a custom application. (Configure)

Advanced > Redirection
  Displays the configuration information of redirection. (Monitor)
  Allows you to add, modify or remove the redirection configuration on an interface. (Configure)

Advanced > Route Setup > Summary
  Displays IPv4 route summary information. (Monitor)

Advanced > Route Setup > Create
  Allows you to create IPv4 static routes. (Configure)

Advanced > Route Setup > Remove
  Allows you to delete IPv4 static routes. (Configure)

Advanced > User-based-sharing
  Displays the IP address, mask and load sharing information of an interface. (Monitor)
  Allows you to modify the load sharing status and shared bandwidth of an interface. (Configure)

Advanced > Traffic Ordering > Config
  Displays IP addresses, traffic ordering mode and traffic ordering interval for interfaces. (Monitor)
  Allows you to configure the traffic ordering mode and interval. (Configure)

Advanced > Traffic Ordering > Statistics of Inbound Interfaces
  Displays inbound interface traffic ordering statistics. (Monitor)

Advanced > Traffic Ordering > Statistics of Outbound Interfaces
  Displays outbound interface traffic ordering statistics. (Monitor)

Advanced > DNS Setup > DNS Configuration
  Displays DNS configurations. (Monitor)
  Allows you to configure DNS. (Configure)

Advanced > DNS Setup > DDNS Configuration
  Displays DDNS configurations. (Monitor)
  Allows you to add, modify, and delete a DDNS entry. (Configure)

Advanced > DHCP Setup > DHCP Enable
  Displays whether DHCP is globally enabled or disabled. (Monitor)
  Allows you to enable or disable DHCP. (Configure)

Advanced > DHCP Setup > DHCP Interface Setup
  Displays DHCP server, relay, or client configurations on an interface. (Monitor)
  Allows you to enable the DHCP server, relay, or client on an interface. (Configure)

QoS Setup > ACL IPv4 > Summary
  Displays summary IPv4 ACL information. (Monitor)

QoS Setup > ACL IPv4 > Add
  Allows you to add an IPv4 ACL. (Configure)

QoS Setup > ACL IPv4 > Basic Config
  Allows you to configure a basic rule for an IPv4 ACL. (Configure)

QoS Setup > ACL IPv4 > Advanced Config
  Allows you to configure an advanced rule for an IPv4 ACL. (Configure)

QoS Setup > ACL IPv4 > Link Config
  Allows you to configure a link layer rule for an IPv4 ACL. (Configure)

QoS Setup > ACL IPv4 > Remove
  Allows you to remove an IPv4 ACL. (Configure)

QoS Setup > Subnet Limit
  Displays the subnet limit configuration information. (Monitor)
  Allows you to add, modify or delete subnet limit rules. (Configure)

QoS Setup > Advanced Limit
  Displays the advanced limit configuration information. (Monitor)
  Allows you to add, modify or delete advanced limit rules. (Configure)

QoS Setup > Advanced Queue
  Displays advanced queue configuration information. (Monitor)
  Allows you to configure interface bandwidth, and add, modify, or delete bandwidth guarantee policies. (Configure)

QoS Setup > Classifier > Summary
  Displays classifier information. (Monitor)

QoS Setup > Classifier > Create
  Allows you to create a classifier. (Configure)

QoS Setup > Classifier > Setup
  Allows you to configure classification rules for a classifier. (Configure)

QoS Setup > Classifier > Remove
  Allows you to remove a classifier. (Configure)

QoS Setup > Behavior > Summary
  Displays behavior information. (Monitor)

QoS Setup > Behavior > Create
  Allows you to create a behavior. (Configure)

QoS Setup > Behavior > Setup
  Allows you to configure actions for a behavior. (Configure)

QoS Setup > Behavior > Remove
  Allows you to remove a behavior. (Configure)

QoS Setup > Policy > Summary
  Displays QoS policy information. (Monitor)

QoS Setup > Policy > Create
  Allows you to create a QoS policy. (Configure)

QoS Setup > Policy > Setup
  Allows you to configure classifier-behavior associations. (Configure)

QoS Setup > Policy > Remove
  Allows you to remove a QoS policy. (Configure)

QoS Setup > Port Policy > Summary
  Displays QoS policy application information of a port. (Monitor)

QoS Setup > Port Policy > Setup
  Allows you to apply a QoS policy to a port. (Configure)

QoS Setup > Port Policy > Remove
  Allows you to remove a QoS policy from a port. (Configure)

SNMP (supported on the MSR-20, MSR-30, and MSR-50) > Setup
  Displays and allows you to refresh SNMP configuration information and statistics. (Monitor)
  Allows you to configure SNMP. (Configure)

SNMP (supported on the MSR-20, MSR-30, and MSR-50) > Community
  Displays the brief information of SNMP communities. (Monitor)
  Allows you to create, modify and remove an SNMP community. (Configure)

SNMP (supported on the MSR-20, MSR-30, and MSR-50) > Group
  Displays the brief information of SNMP groups. (Monitor)
  Allows you to create, modify and remove an SNMP group. (Configure)

SNMP (supported on the MSR-20, MSR-30, and MSR-50) > User
  Displays the brief information of SNMP users. (Monitor)
  Allows you to create, modify, and remove an SNMP user. (Configure)

SNMP (supported on the MSR-20, MSR-30, and MSR-50) > Trap
  Displays the status (enabled or disabled) of the SNMP trap function and target host information. (Monitor)
  Allows you to enable or disable the SNMP trap function, and create, modify, and remove a target host. (Configure)

SNMP (supported on the MSR-20, MSR-30, and MSR-50) > View
  Displays the brief information of SNMP views. (Monitor)
  Allows you to create, modify, and remove an SNMP view. (Configure)

Bridge Config > Global Config
  Displays and allows you to set global bridging information. (Configure)

Bridge Config > Interface
  Displays and allows you to set interface bridging information. (Configure)

UserGroup > Group
  Displays user group configuration. (Monitor)
  Allows you to configure user groups. (Configure)

UserGroup > User
  Displays user configuration. (Monitor)
  Displays users. (Configure)

UserGroup > WAN Synchronization
  Allows you to synchronize the user group configuration to a WAN interface. (Configure)

UserGroup > Security > Connection Control
  Displays configuration of access control. (Monitor)
  Allows you to configure time range-based access control. (Configure)

UserGroup > Security > Application Control
  Displays custom application configuration. (Monitor)
  Allows you to customize applications. (Configure)

UserGroup > Security > Bandwidth
  Displays bandwidth management configuration. (Monitor)
  Allows you to configure bandwidth control. (Configure)

UserGroup > Security > Packet Filter
  Displays packet filtering rules. (Monitor)
  Allows you to configure packet filtering rules. (Configure)

MSTP > Region
  Allows you to configure the MST region-related parameters and VLAN-to-MSTI mappings. (Monitor)
  Allows you to modify the MST region-related parameters and VLAN-to-MSTI mappings. (Configure)

MSTP > Port
  Displays MSTP port parameters. (Monitor)
  Allows you to modify MSTP port parameters. (Configure)

MSTP > Global
  Displays MSTP parameters globally. (Configure)

RADIUS
  Displays and allows you to add, modify, and delete a RADIUS scheme. (Management)

Access
  Displays information about login control rules. (Monitor)
  Allows you to add and delete a login control rule. (Configure)

ARP Management > ARP Table
  Displays information of an ARP table. (Monitor)
  Allows you to add, modify and delete ARP entries. (Configure)

ARP Management > Gratuitous ARP
  Displays gratuitous ARP configuration information. (Monitor)
  Allows you to configure gratuitous ARP. (Configure)

ARP Management > Dynamic Entry
  Displays the number of dynamic ARP entries that an interface can learn. (Monitor)
  Allows you to enable or disable learning of dynamic ARP entries on an interface, and change the number of dynamic ARP entries that an interface can learn. (Configure)

ARP Anti-Attack > Scan
  Allows you to specify the interface performing ARP automatic scanning. (Monitor)
  Allows you to start or stop ARP scanning. (Configure)

ARP Anti-Attack > Fix
  Displays all static and dynamic ARP entries. (Monitor)
  Allows you to convert all dynamic ARP entries to static ones or delete all static ARP entries. (Configure)

VPN > IPsec VPN > IPsec Connection
  Displays IPsec connection configuration. (Monitor)
  Allows you to add, modify, delete, enable, or disable an IPsec connection. (Configure)

VPN > IPsec VPN > Monitoring Information
  Displays configuration and status information of IPsec connections, and tunnel information of IPsec connections. (Monitor)
  Allows you to delete tunnels that are set up with the configuration of an IPsec connection, and delete all ISAKMP SAs of an IPsec connection. (Configure)

VPN > L2TP > L2TP Configuration
  Displays the L2TP status and L2TP group configuration information. (Monitor)
  Allows you to configure the L2TP status, and add, modify or delete an L2TP group. (Configure)

VPN > L2TP > Tunnel Info
  Displays L2TP tunnel information. (Monitor)

VPN > GRE
  Displays GRE tunnel information. (Monitor)
  Allows you to add, modify or delete a GRE tunnel. (Configure)

Certificate Management > Entity
  Displays PKI entity information. (Monitor)
  Allows you to add, change, and delete PKI entities. (Configure)

Certificate Management > Domain
  Displays PKI domain information. (Monitor)
  Allows you to add, change, and delete PKI domains. (Configure)

Certificate Management > Certificate
  Displays PKI certificates and details of the certificate. (Monitor)
  Supports operations such as creating keys, retrieving certificates, applying for certificates, and deleting certificates. (Configure)

Certificate Management > CRL
  Displays CRLs. (Monitor)
  Allows you to retrieve CRLs. (Configure)

System Management > Configuration > Save
  Allows you to save the current configuration to the configuration file to be used at the next startup. (Configure)
  Allows you to save the current configuration as the factory default configuration. (Management)

System Management > Configuration > Initialize
  Allows you to restore all configurations on the device to the factory default configuration. (Configure)

System Management > Configuration > Backup Configuration
  Allows you to upload the current startup configuration file of the device to the TFTP server for backup. (Management)

System Management > Configuration > Restore Configuration
  Allows you to download the configuration file saved on the TFTP server to the current configuration file of the device. (Management)

System Management > Backup and Restore
  Displays device files. (Monitor)
  Allows you to back up files on the device to the destination device through a universal serial bus (USB) port, and to transfer files from the device where the files are backed up to the local device through a USB port. (Configure)

System Management > Reboot
  Allows you to reboot the device. (Configure)

System Management > Service Management
  Displays related configuration of system services. (Configure)
  Allows you to set whether to enable different services and set related parameters. (Management)

System Management > Users > User Summary
  Displays the brief information of users. (Monitor)

System Management > Users > Super Password
  Allows you to set the super password for switching to the management level. (Management)

System Management > Users > Create User
  Allows you to create a user. (Management)

System Management > Users > Modify User
  Allows you to modify a user account. (Management)

System Management > Users > Remove User
  Allows you to remove a user. (Management)

System Management > Users > Switch To Management
  Allows you to switch the user access level to the management level. (Visitor)

System Management > SNMP (supported on the MSR 900 and MSR 20-1X series)
  Displays SNMP configuration information. (Monitor)
  Allows you to configure SNMP. (Configure)

System Management > System Time > System Time
  Displays the current system time and its configurations. (Monitor)
  Allows you to set the system time. (Configure)

System Management > System Time > Time Zone
  Displays the time zone configuration of the system. (Monitor)
  Allows you to set the time zone of the system. (Configure)

System Management > TR-069
  Displays TR-069 configurations. (Monitor)
  Allows you to set TR-069. (Configure)

System Management > Software Upgrade
  Allows you to upgrade software of the device. (Configure)

Other > Syslog > Loglist
  Displays detailed information of system logs. (Monitor)
  Allows you to clear the log buffer. (Configure)

Other > Syslog > Loghost
  Displays configurations of the specified loghost. (Monitor)
  Allows you to set the IP address of the loghost. (Configure)

Other > Syslog > Logset
  Displays the number of logs that can be stored in the log buffer, and allows you to set the refresh period of the log information displayed on the Web interface. (Monitor)
  Allows you to set the number of logs that can be stored in the log buffer. (Configure)

Other > Diagnostic Tools > Ping
  Allows you to execute the ping command and view the result. (Visitor)

Other > Diagnostic Tools > Trace Route
  Allows you to execute the trace route command and view the result. (Visitor)

WiNet > WiNet Management
  Displays and refreshes the WiNet topology diagram, and allows you to view the detailed device information. (Monitor)
  Allows you to manually trigger the collection of topology information, save the current WiNet topology as the baseline topology, and restore the configuration to factory defaults and restart the member. (Configure)

WiNet > Setup
  Allows you to build or close WiNet. (Configure)

WiNet > User Management
  Displays information about users managed by the RADIUS server. (Monitor)
  Allows you to add, modify, delete, import, and export users managed by the RADIUS server. (Configure)

Voice Management > Configuration Wizard
  Displays configuration information about the configuration wizard. (Monitor)
  Allows you to configure voice basic parameters through the configuration wizard. (Configure)

Voice Management > Local Number
  Displays local number configuration information. (Monitor)
  Allows you to create, modify, and delete a local number. (Configure)

Voice Management > Call Route
  Displays call route configuration information. (Monitor)
  Allows you to create, modify, and delete a call route. (Configure)

Voice Management > Dial Plan > Number Match
  Displays number match configuration information. (Monitor)
  Allows you to configure number match parameters. (Configure)

Voice Management > Dial Plan > Call Authority Control
  Displays call authority control configuration information, and the maximum number of call connections in a set. (Monitor)
  Allows you to configure call authority control, and the maximum number of call connections in a set. (Configure)

Voice Management > Dial Plan > Number Substitution
  Displays number substitution configuration information. (Monitor)
  Allows you to configure number substitution. (Configure)

Voice Management > Call Connection > SIP Connection
  Displays connection properties, session properties, advanced settings, and call release cause code mappings. (Monitor)
  Allows you to configure connection properties, session properties, advanced settings, and call release cause code mappings. (Configure)

Voice Management > Call Connection > SIP Server Group Management
  Displays SIP server group configuration. (Monitor)
  Allows you to configure a SIP server group. (Configure)

Voice Management > Digital Link Management
  Displays VE1, VT1, and BSV line configuration information, and line state. (Monitor)
  Allows you to configure a VE1, VT1, and BSV line. (Configure)

Voice Management > Line Management
  Displays FXS, FXO, E&M, and ISDN configuration information and state. (Monitor)
  Allows you to configure an FXS, FXO, E&M, or ISDN line, and query their state. (Configure)

Voice Management > Advanced Configuration > Global Configuration
  Displays global configuration information. (Monitor)
  Allows you to perform global configurations. (Configure)

Voice Management > Advanced Configuration > Batch Configuration
  Displays batch configuration information. (Monitor)
  Allows you to create local numbers and call routes, and manage lines, in batches. (Configure)

Voice Management > Statistics > Call Statistics
  Allows you to view and refresh active and history call statistics. (Monitor)
  Allows you to view and refresh active and history call statistics, and clear history call statistics. (Configure)

Voice Management > Statistics > Connection Status
  Allows you to view and refresh registration and subscription status. (Monitor)

Common Web interface elements


Common buttons and icons
Table 2 Common buttons and icons

Button and icon Description


Allows you to bring the configuration on the current page into effect.

Allows you to cancel the configuration on the current page, and go to the corresponding display page or device information page.

Allows you to refresh the information on the current page.

Allows you to clear all statistics or items in a list.

Allows you to enter the page for adding an entry.

Allows you to delete entries on a list.

Allows you to select all the entries on a list or all ports on a device panel.

Allows you to clear all the entries on a list or all ports on a device panel.

Typically located in the Operation column of a display page, it allows you to enter the modify page of the corresponding entry so as to display or modify the configuration of the entry.

Typically located in the Operation column of a display page, it allows you to remove an entry.

Content display by pages


The Web interface can display contents by pages, as shown in Figure 4. You can set the number of
entries displayed per page, and view the contents on the first, previous, next, and last pages, or go to any
page that you want to check.

Figure 4 Content display by pages

Searching function
The Web interface provides you with the basic and advanced searching functions to display only the
entries that match specific searching criteria.
• Basic search: As shown in Figure 4, input the keyword in the text box above the list, select a search
item from the drop-down list and click the Search button to display the entries that match the
criteria. Figure 5 shows an example of searching for entries with VLAN ID being 2.
Figure 5 Basic search function example

• Advanced search: As shown in Figure 4, you can click the Advanced Search link to open the
advanced search page, as shown in Figure 6. Specify the search criteria, and click Apply to display
the entries that match the criteria.

Figure 6 Advanced search

Take the ARP table shown in Figure 4 as an example. If you want to search for the ARP entries with
interface being Ethernet 0/4, and IP address range being 192.168.1.50 to 192.168.1.59, follow these
steps:
1. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 7, and click Apply. The ARP entries with interface being Ethernet 0/4 are displayed.
Figure 7 Advanced search function example (I)

2. Click the Advanced Search link, specify the search criteria on the advanced search page as shown
in Figure 8, and click Apply. The ARP entries with interface being Ethernet 0/4 and IP address
range being 192.168.1.50 to 192.168.1.59 are displayed as shown in Figure 9.

Figure 8 Advanced searching function example (II)

Figure 9 Advanced searching function example (III)

Sorting function
The Web interface provides you with the basic sorting function to display entries in a certain order.
On a list page, you can click the blue heading item of a column to sort the entries based on that
heading item. After you click it, the heading item is displayed with an arrow beside it, as shown in
Figure 10. The upward arrow indicates ascending order, and the downward arrow indicates descending
order.

Figure 10 Basic sorting function example (based on IP address in the descending order)

Managing Web-based NM through CLI


Enabling/disabling Web-based NM
Task Command
Enable the Web-based NM service. ip http enable

Disable the Web-based NM service. undo ip http enable

Managing the current Web user


Task Command
Display the current login users. display web users

Log out the specified user or all users. free web-users { all | user-id userid | user-name username }

Configuration guidelines
• The Web-based configuration interface supports the operating systems Windows XP, Windows
2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition,
Windows Vista, Windows 7, Linux, and Mac OS.

• The Web-based configuration interface supports the browsers of Microsoft Internet Explorer 6.0
SP2 and higher, Mozilla Firefox 3.0 and higher, and Google Chrome 2.0.174.0 and higher.
• The Web-based configuration interface does not support the Back, Next, Refresh buttons provided
by the browser. Using these buttons may result in abnormal display of Web pages.
• The Windows firewall limits the number of TCP connections. When you use IE to log in to the Web
interface, you may therefore sometimes be unable to open the Web interface. To avoid this problem,
turn off the Windows firewall before login.
• If the software version of the device changes, clear the cache data on the browser before logging
in to the device through the Web interface; otherwise, the Web page content may not be displayed
correctly.
• A list that supports content display by pages can display at most 20,000 entries.

Troubleshooting Web browser


Cannot access the device through the Web interface
Symptom
You can ping the device successfully, and log in to the device through Telnet. HTTP is enabled and the
operating system and browser version meet the Web interface requirements. However, you cannot
access the Web interface of the device.

Analysis
• If you use Microsoft Internet Explorer, you can access the Web interface only when the following
functions are enabled: Run ActiveX controls and plug-ins, Script ActiveX controls marked safe for
scripting, and Active scripting.
• If you use Mozilla Firefox, you can access the Web interface only when JavaScript is enabled.

Configuring the Internet Explorer settings


1. Open the Internet Explorer, and then select Tools > Internet Options.
2. Click the Security tab, and then select a Web content zone to specify its security settings, as shown
in Figure 11.

Figure 11 Internet Explorer setting (I)

3. Click Custom Level. The Security Settings dialog box appears.
4. As shown in Figure 12, enable these functions: Run ActiveX controls and plug-ins, Script ActiveX
controls marked safe for scripting, and Active scripting.

Figure 12 Internet Explorer setting (II)

5. Click OK in the Security Settings dialog box.

Configuring Firefox Web browser settings


1. Open the Firefox Web browser, and then select Tools > Options.
2. Click the Content tab, select the Enable JavaScript check box, and click OK, as shown in Figure
13.

Figure 13 Firefox Web browser setting

Displaying device information

When you are logged in to the Web interface, you are placed on the Device Info page.
The Device Info page contains five parts, which correspond to the five tabs below the figure on the page
(the Services Information and Recent System Logs tabs excepted). When you move the cursor over a part
of the figure, the system shows which tab holds the corresponding information, and you can jump to
that tab by clicking the part.

Figure 14 Device information

Select the refresh mode from the Refresh Period list.
• If you select a specific period, the system periodically refreshes the Device Info page.
• If you select Manual, click Refresh to refresh the page.

Displaying device information


Table 3 Field description

Field Description
Device Model Device name.

Software Version Software version of the device.

Firmware Version Firmware version of the device.

Hardware Version Hardware version of the device.

Running Time Running time after the latest boot of the device.

CPU Usage Real-time CPU usage.

Memory Usage Real-time memory usage.

Displaying broadband connection information


Table 4 Field description

Field Description
Interface Interface name.

Session Type Connection type of the interface.

Network-Side Connection State Connection state at the network side of the interface.

IP Address/Mask IP address and mask of the interface.

DNS Server IP address of the DNS server.

Uplink Rate (kbps) Average rate in the outgoing direction on the interface over the most recent 300 seconds.

Downlink Rate (kbps) Average rate in the incoming direction on the interface over the most recent 300 seconds.

Work Mode Rate and duplex mode of the interface.

Displaying 3G wireless card state


To display the detailed information about the 3G wireless card state, click the More link in the 3G
Wireless Card State area. The information includes 3G modem information, user identity module (UIM)
information, and 3G network information.

Figure 15 3G wireless card state

Table 5 Field description

Field Description
3G Modem Information Connection state of the 3G network.

3G Modem State State of the 3G modem, which can be:
• Normal—A 3G modem is connected to the router.
• Absent or unrecognized modem—No 3G modem is connected to the router or the modem cannot be recognized.

Model Model of the 3G modem.

Manufacturer Manufacturer of the 3G modem.

CMII ID CMII ID of the 3G modem.

Serial Number Serial number of the 3G modem.

Hardware Version Hardware version of the 3G modem.

Firmware Version Firmware version of the 3G modem.

PRL Version Preferred roaming list (PRL) version of the 3G modem.

UIM Card State State of the UIM card, which can be:
• Absent.
• Being initialized.
• Fault.
• Destructed.
• Personal identification number (PIN) code protection is disabled.
• PIN code protection is enabled. Enter the PIN code for authentication.
• PIN code protection is enabled, and the PIN code has passed the authentication.
• The PIN code has been blocked. Enter the PIN unlocking key (PUK) code to unblock it.

IMSI International Mobile Subscriber Identity (IMSI) of the UIM card.

Voltage Power voltage of the UIM card.

Mobile Network 3G network where the UIM card resides.

Network Type State of the 3G network where the UIM card resides, which can be:
• No Service.
• CDMA.
• HDR.
• CDMA/HDR HYBRID.
• Unknown.

RSSI Received signal strength indication (RSSI) of the 3G network.

Displaying LAN information


Table 6 Field description

Field Description
Interface Interface name.

Link State Link state of the interface.

Work Mode Rate and duplex mode of the interface.

Displaying WLAN information


Table 7 Field description

Field Description
SSID (WLAN Name) Name of the WLAN service.

Service Status Whether the service is enabled or not.

Number of PCs Connected Number of PCs connected to the WLAN service.

Displaying service information
Table 8 Field description

Field Description
Service Name of the service.

Status Status of the service.

Displaying recent system logs


Table 9 Field description

Field Description
Time Time when the system logs are generated.

Level Level of the system logs.

Description Contents of the system logs.

Managing integrated services


For a device with a card installed, if the card provides Web interface access, you can specify the URL
address of the card on the integrated service management page and then log in from that page to the
Web interface of the card to manage it.
When you are logged in to the Web interface, you are placed on the Device Info page. Click the
Integrated Service Management tab to enter the page displaying card information of the device.
Figure 16 Integrated service management

• To change the URL address of the card, click of the target card. Enter the URL address in the field
and click to apply the configuration or click to cancel the modification.
• After you have set the URL address of the card and connected the card to the LAN to which the
administrator belongs, click the Manage button on the page shown in Figure 16. A page linked to
the specified URL address pops up, and you can log in to the Web interface of this card to
manage it.
Figure 17 Changing card URL address

Basic services configuration

This document guides you through quick configuration of basic services of routers, including configuring
WAN interface parameters, LAN interface parameters, and WLAN interface parameters.
For information about WAN interfaces, see "Configuring WAN interfaces." For information about LAN
interfaces, see "Configuring VLANs." For information about WLAN interfaces, see "Wireless
configuration overview."

Configuring basic services


Entering the homepage of basic configuration wizard
Select Wizard > Basic Configuration Wizard from the navigation tree.
Figure 18 Basic configuration wizard

Setting WAN interface parameters


On the basic configuration wizard page, click Next.
The page for configuring WAN interface parameters varies with the interface type. You can set
Ethernet, SA, ADSL/G.SHDSL, CE1/PRI, CT1/PRI, and Cellular interface parameters. To do so, set the
WAN interface parameters as follows.

Ethernet interface
Figure 19 Setting Ethernet interface parameters

Table 10 Configuration items (in auto mode)

Item Description
WAN Interface Select the Ethernet interface to be configured.

Connect Mode: Auto Select the Auto connect mode to automatically obtain an IP address.

MAC Address Specify the MAC address of the Ethernet interface in either of the two ways:
• Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets.
• Use the customized MAC address—Assign a MAC address in the field to the Ethernet interface.

Table 11 Configuration items (in manual mode)

Item                      Description
WAN Interface             Select the Ethernet interface to be configured.
Connect Mode: Manual      Select the Manual connect mode to configure an IP address by hand.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
IP Address                Specify the IP address of the Ethernet interface.
Subnet Mask               Select a subnet mask for the Ethernet interface.
Gateway Address           Configure the next hop of a static route.
DNS1, DNS2                Specify DNS server IP addresses for the interface. DNS server 1 is used before DNS server 2.
                          To configure the global DNS server, select Advanced > DNS Setup > DNS Configuration. The global DNS server has priority over the DNS servers of the interfaces: a DNS query is sent to the global DNS server first, and if that query fails, to the DNS servers of the interface until the query succeeds.
MAC Address               Specify the MAC address of the Ethernet interface in either of two ways:
                          • Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets.
                          • Use the customized MAC address—Assign a MAC address to the Ethernet interface in the field.

Table 12 Configuration items (in PPPoE mode)

Item                      Description
WAN Interface             Select the Ethernet interface to be configured.
Connect Mode: PPPoE       Select the PPPoE connect mode. In PPPoE mode, a username and password are provided by the local Internet Service Provider (ISP). When the device connects to the ISP server, the ISP server initiates PPPoE authentication. When the device passes the authentication, the ISP server sends the IP address, subnet mask, gateway IP address, and DNS server IP address to the device.
User Name                 Enter the username for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
Online for all time, Online according to the Idle Timeout value
                          Select an idle timeout option:
                          • Online for all time—The device is always online.
                          • Online according to the idle timeout value—The device disconnects from the server if no data is exchanged between it and the server within the specified time, and automatically re-establishes the connection when it receives a request from the LAN to access the Internet.
Idle timeout              When Online according to the Idle Timeout value is selected, specify the idle timeout value.
MAC Address               Specify the MAC address of the Ethernet interface in either of two ways:
                          • Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets.
                          • Use the customized MAC address—Assign a MAC address to the Ethernet interface in the field.

SA interface
Figure 20 Setting SA parameters

Table 13 Configuration items

Item                      Description
WAN Interface             Select the SA interface to be configured.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
IP Address                Specify the IP address of the SA interface.
Subnet Mask               Select a subnet mask for the SA interface.

ADSL/G.SHDSL interface
Figure 21 Setting ADSL/G.SHDSL parameters

Table 14 Configuration items (in IPoA mode)

Item                      Description
WAN Interface             Select the ADSL/G.SHDSL interface to be configured.
Connect Mode: IPoA        Select the IPoA connect mode.
PVC                       Specify the VPI/VCI value of the PVC.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
IP Address                Specify the IP address of the ADSL/G.SHDSL interface.
Subnet Mask               Select a subnet mask for the ADSL/G.SHDSL interface.
Map IP                    Specify the peer (destination) IP address of the mapped PVC.

Table 15 Configuration items (in IPoEoA mode)

Item                      Description
WAN Interface             Select the ADSL/G.SHDSL interface to be configured.
Connect Mode: IPoEoA      Select the IPoEoA connect mode.
PVC                       Specify the VPI/VCI value of the PVC.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
IP Address                Specify the IP address of the ADSL/G.SHDSL interface.
Subnet Mask               Select a subnet mask for the ADSL/G.SHDSL interface.

Table 16 Configuration items (in PPPoA mode)

Item                      Description
WAN Interface             Select the ADSL/G.SHDSL interface to be configured.
Connect Mode: PPPoA       Select the PPPoA connect mode.
PVC                       Specify the VPI/VCI value of the PVC.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.

Table 17 Configuration items (in PPPoEoA mode)

Item                      Description
WAN Interface             Select the ADSL/G.SHDSL interface to be configured.
Connect Mode: PPPoEoA     Select the PPPoEoA connect mode.
PVC                       Specify the VPI/VCI value of the PVC.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
Online for all time, Online according to the Idle Timeout value
                          Select an idle timeout option:
                          • Online for all time—The device is always online.
                          • Online according to the idle timeout value—The device disconnects from the server if no data is exchanged between it and the server within the specified time, and automatically re-establishes the connection when it receives a request from the LAN to access the Internet.
Idle timeout              When Online according to the Idle Timeout value is selected, specify the idle timeout value.

CE1/PRI interface
The CE1/PRI interface operates in two modes: E1 mode and CE1 mode.
1. In E1 mode

Figure 22 Setting CE1/PRI interface parameters (in E1 mode)

Table 18 Configuration items (in E1 mode)

Item                      Description
WAN Interface             Select the CE1/PRI interface to be configured.
Work Mode: E1             Select the E1 work mode.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.

2. In CE1 mode
Figure 23 Setting CE1/PRI interface parameters (in CE1 mode)

Table 19 Configuration items (in CE1 mode)

Item                      Description
WAN Interface             Select the CE1/PRI interface to be configured.
Work Mode: CE1            Select the CE1 work mode.
Operation                 Select one of the following operations:
                          • Create—Binds timeslots.
                          • Remove—Unbinds timeslots.
Serial                    Select a number for the serial interface to be created.
Timeslot-List             Specify the timeslots to be bound or unbound.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.

CT1/PRI interface
Figure 24 Setting CT1/PRI parameters

Table 20 Configuration items

Item                      Description
WAN Interface             Select the CT1/PRI interface to be configured.
Work Mode: E1             Select the CT1 work mode.
Operation                 Select one of the following operations:
                          • Create—Binds timeslots.
                          • Remove—Unbinds timeslots.
Serial                    Select the number of the serial interface to be created.
Timeslot-List             Specify the timeslots to be bound or unbound.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.

Cellular interface
Figure 25 Setting Cellular parameters

Table 21 Configuration items

Item                      Description
WAN Interface             Select the Cellular interface to be configured.
User Name                 Specify the user name for identity authentication.
Password                  Displays whether a password has been specified for identity authentication. An empty field indicates that no password is configured.
New Password              Specify or modify the password for identity authentication.
TCP-MSS                   Set the maximum TCP segment length of the interface.
MTU                       Set the MTU of the interface.
Dialer Number             Specify a dialer number for the interface.
Online for all time, Online according to the Idle Timeout value
                          Select an idle timeout option:
                          • Online for all time—The device is always online.
                          • Online according to the idle timeout value—The device disconnects from the server if no data is exchanged between it and the server within the specified time, and automatically re-establishes the connection when it receives a request from the LAN to access the Internet.
Idle Timeout              When Online according to the Idle Timeout value is selected, specify the idle timeout value.

Setting LAN interface parameters


After finishing the previous configuration, click Next.
Figure 26 Setting LAN parameters

Table 22 Configuration items

Item                      Description
VLAN Interface            Displays the ID of the VLAN interface to be configured.
                          IMPORTANT: By default, the VLAN interface with the smallest number on the device is displayed. If no VLAN interface is available on the device, the system automatically creates an interface numbered 1 and displays it.
IP Address, Subnet Mask   Specify the IP address and subnet mask for the VLAN interface.
DHCP Server               Select whether to enable the DHCP server. If you enable it, the DHCP server configuration items are displayed.
Start IP Address, End IP Address
                          Specify the IP address range for dynamic allocation in an extended address pool.
                          IMPORTANT: If an extended address pool is configured on an interface, a DHCP client request arriving at that interface is served only from this extended address pool. The client cannot obtain an IP address if no address is available in the extended address pool.
Gateway IP Address        Specify a gateway IP address in the DHCP address pool for DHCP clients. When accessing a server or host outside its own network segment, a DHCP client needs the gateway to forward data for it. When you specify a gateway IP address in the address pool, the DHCP server sends the gateway IP address together with the assigned IP address to a requesting client.
DNS Server 1, DNS Server 2
                          Specify DNS server IP addresses in the DHCP address pool for DHCP clients. DNS server 1 is used before DNS server 2. To allow DHCP clients to access the Internet by domain name, the DHCP server needs to send a DNS server IP address together with the assigned IP address to clients.

Setting WLAN interface parameters


After finishing the previous configuration, click Next.
Figure 27 Setting WLAN parameters

Table 23 Configuration items

Item                      Description
WLAN Setting              Select whether to configure WLAN settings.
Network Name (SSID)       Specify a wireless network name.
Network Hide              Select whether to hide the network name.
Radio Unit                Select a radio unit supported by the AP, which can be 1 or 2. Which values are supported varies with the device model.
Enable Encrypt            Select whether to enable data encryption. With data encryption enabled, data transmitted between wireless clients and the wireless device is protected.
Encrypt Act               Select an encryption mode for the wireless network: WEP40 or WEP104.
Key Mode                  Select a key format:
                          • When you select WEP40, the key can be a 5-character string or a 10-digit hexadecimal number.
                          • When you select WEP104, the key can be a 13-character string or a 26-digit hexadecimal number.
Key Seed, Key 1 to Key 4  You can either use a key seed to generate keys or enter keys manually, and then choose one of the configured keys:
                          • When you select WEP40 and ASCII, the generated or entered key is a 5-character string.
                          • When you select WEP40 and HEX, the generated or entered key is a 10-digit hexadecimal number.
                          • When you select WEP104 and ASCII, the generated or entered key is a 13-character string.
                          • When you select WEP104 and HEX, the generated or entered key is a 26-digit hexadecimal number.
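The key-length rules in the table above, as an added example (not H3C code) that checks a WEP key entered in the Key Mode and Key 1 to Key 4 fields and normalises the ASCII and HEX notations to the same raw key bytes. The device's key seed derivation is not described on this page and is not reproduced; note also that WEP40 and WEP104 are both cryptographically broken, so a well-formed key says nothing about the network's confidentiality.

```python
"""Format checks for WEP keys entered on the WLAN wizard page.

Added example, not H3C code. It encodes the rules from the table: a WEP40 key
is a 5-character string or 10 hexadecimal digits (40 bits) and a WEP104 key is
a 13-character string or 26 hexadecimal digits (104 bits). Both notations are
normalised to raw key bytes so they can be compared.
"""
import re

# Key length in bits for each Encrypt Act value (from the table).
WEP_KEY_BITS = {"WEP40": 40, "WEP104": 104}


def wep_key_bytes(mode: str, key_format: str, key: str) -> bytes:
    """Return the raw key bytes for a well-formed key, or raise ValueError."""
    if mode not in WEP_KEY_BITS:
        raise ValueError(f"unknown encryption mode {mode!r}")
    nbytes = WEP_KEY_BITS[mode] // 8  # 5 bytes for WEP40, 13 for WEP104
    if key_format == "ASCII":
        # Printable 7-bit ASCII only; the form takes a character string.
        if len(key) != nbytes or not re.fullmatch(r"[\x20-\x7e]+", key):
            raise ValueError(f"{mode} ASCII key must be exactly {nbytes} printable characters")
        return key.encode("ascii")
    if key_format == "HEX":
        # Exactly 2 hex digits per key byte, no separators or 0x prefix.
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % (nbytes * 2), key):
            raise ValueError(f"{mode} HEX key must be exactly {nbytes * 2} hexadecimal digits")
        return bytes.fromhex(key)
    raise ValueError(f"unknown key format {key_format!r}")


def select_wep_key(mode: str, key_format: str, keys: dict, chosen: int) -> bytes:
    """Validate the configured Key 1 to Key 4 slots and return the chosen key's bytes.

    `keys` maps slot number (1-4) to the string shown in the form; unused slots
    are simply absent. Every configured slot must be well-formed, and the chosen
    slot must actually be configured.
    """
    if not keys or not set(keys) <= {1, 2, 3, 4}:
        raise ValueError("key slots must be numbered 1 to 4")
    parsed = {slot: wep_key_bytes(mode, key_format, value) for slot, value in keys.items()}
    if chosen not in parsed:
        raise ValueError(f"key {chosen} is not configured")
    return parsed[chosen]
```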

Validating the basic services configuration


After finishing basic services configuration, click Next to validate your configuration.
This page shows the configurations that you have made through the previous steps. Check the
configurations, and click Finish to validate them. To make any modification, click Back to go to previous
pages and edit the settings.
The page also provides an option Save Current Configuration for you to save the configurations to the
configuration file (both the .cfg file and the .xml file) to be used at the next startup of the device. If you
select this option, the configurations you make survive a device reboot.

Figure 28 Checking the basic service configuration

Configuring WAN interfaces

The WAN interfaces that you can configure on the Web interface include Ethernet interfaces, SA
interfaces, ADSL/G.SHDSL interfaces, CE1/PRI interfaces, CT1/PRI interfaces, and cellular interfaces.

Configuring an Ethernet interface or subinterface


Overview
An Ethernet interface or subinterface supports the following connection modes:
• Auto—The interface acts as a DHCP client to get an IP address through DHCP.
• Manual—The IP address and subnet mask are configured manually for the interface.
• PPPoE—The interface acts as a PPPoE client. PPPoE provides access to the Internet for hosts in an
Ethernet through remote access devices. It also implements access control and accounting on a
per-host basis. As it is cost-effective, PPPoE gains popularity in various applications, such as
residential networks.

Configuring an Ethernet interface


Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page, which displays the name, connection type, IP address, mask, status, and operation
icon ( ) of each interface.
Figure 29 WAN Interface Setup

Click the icon for an Ethernet interface to enter the page for configuring the Ethernet interface.

Figure 30 Configuring an Ethernet interface

Table 24 Configuration items (auto mode)

Item                      Description
WAN Interface             Displays the name of the Ethernet interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: Auto        Select Auto as the connection mode. The interface obtains an IP address automatically.
MAC Address               Set the MAC address of the Ethernet interface using one of the available options:
                          • Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets that follow.
                          • Use the customized MAC address—Set the MAC address of the Ethernet interface manually. When you select this option, you must enter a MAC address in the field below.

Table 25 Configuration items (manual mode)

Item                      Description
WAN Interface             Displays the name of the Ethernet interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: Manual      Select Manual as the connection mode. In this mode, you must assign an IP address and subnet mask to the interface manually.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.
IP Address                Configure an IP address for the interface.
IP Mask                   Configure the subnet mask for the interface.
Gateway IP Address        Configure the next hop for the static route.
DNS1, DNS2                Assign IP addresses to the DNS servers. DNS1 has a higher precedence than DNS2.
                          To configure a global DNS server, select Advanced > DNS Setup > DNS Configuration from the navigation tree. The global DNS server has a higher precedence than all the DNS servers configured on the interfaces: an interface first sends a query to the global DNS server and, if it receives no response, sends queries to the DNS servers configured on the interfaces one by one.
MAC Address               Set the MAC address of the Ethernet interface using one of the available options:
                          • Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets that follow.
                          • Use the customized MAC address—Set the MAC address of the Ethernet interface manually. When you select this option, you must enter a MAC address in the field below.

Table 26 Configuration items (PPPoE mode)

Item                      Description
WAN Interface             Displays the name of the Ethernet interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: PPPoE       Select PPPoE as the connection mode.
User Name                 Configure the username for authentication.
Password                  Displays whether a password is configured for authentication. If the field displays null, no password is configured.
New Password              Set or modify the password for authentication.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.
Idle timeout              Set the idle timeout for the connection:
                          • Online for all time—The connection is maintained until it is disconnected manually or because of an anomaly.
                          • Online according to the Idle Timeout value—The connection is torn down automatically if no traffic is transmitted or received on the link for the specified period, and re-established when a request to access the Internet is received.
                          If you select Online according to the Idle Timeout value, you must set the Idle timeout value.
MAC Address               Set the MAC address of the Ethernet interface using one of the available options:
                          • Use the MAC address of the device—Use the default MAC address of the Ethernet interface, which is displayed in the brackets that follow.
                          • Use the customized MAC address—Set the MAC address of the Ethernet interface manually. When you select this option, you must enter a MAC address in the field below.

Configuring an SA interface
SA interface overview
The synchronous/asynchronous serial (SA) interface supports PPP connection mode.
PPP is a link layer protocol that carries packets over point-to-point links. It is widely used because it
provides user authentication, is easy to extend, and supports both synchronous and asynchronous
communication.
PPP comprises a set of protocols: the LCP, the NCP, and authentication protocols such as PAP and CHAP.
Among these protocols:
• The LCP is responsible for establishing, tearing down, and monitoring data links.
• The NCP negotiates the packet format and type carried over the data link.
• PAP and CHAP provide authentication for network security.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for the SA interface you want to configure to enter the SA interface
configuration page.

Figure 31 Configuring an SA interface

Table 27 Configuration items

Item                      Description
WAN Interface             Displays the name of the interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
User Name                 Configure the username for authentication.
Password                  Displays whether a password is configured for authentication. If the field displays null, no password is configured.
New Password              Set or modify the password for authentication.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.
IP Address                Configure the IP address for the interface.
IP Mask                   Configure the subnet mask for the interface.

Configuring an ADSL/G.SHDSL interface
ADSL/G.SHDSL interface overview
The ADSL interface and the G.SHDSL interface support IPoA, IPoEoA, PPPoA, and PPPoEoA.

IPoA
IPoA enables IP packets to traverse an ATM network. In an IPoA implementation, ATM provides the data
link layer for the IP hosts on the same network to communicate with one another, and IP packets must be
adapted in order to traverse the ATM network.
IPoA makes full use of the advantages of ATM, including high speed point-to-point connections, which
help improve the bandwidth performance of an IP network, excellent network performance, and
complete, mature QoS services.

IPoEoA
IPoEoA adopts a three-layer architecture, with IP encapsulation at the uppermost layer, IPoE in the middle,
and IPoEoA at the bottom.
IPoEoA is suitable where Ethernet packets are to be forwarded through an ATM interface. For example,
it works when a network device forwards traffic from an Ethernet across an ATM PVC to a network access
server.

PPPoA
PPPoA enables ATM to carry PPP protocol packets. With PPPoA, PPP packets, in which IP packets or other
protocols' packets can be encapsulated, are encapsulated in ATM cells. In this case, ATM can be simply
viewed as the carrier of PPP packets. As the communication process of PPPoA is managed by PPP, PPPoA
inherits the flexibility and comprehensive applications of PPP.

PPPoEoA
PPPoEoA enables ATM to carry PPPoE protocol packets. With PPPoEoA, Ethernet packets are
encapsulated in ATM cells, through which you can use a PVC to simulate all the functions of Ethernet. To
allow ATM to carry Ethernet frames, the interface management module provides the VE interface. The VE
interface has Ethernet characteristics and can be dynamically created through configuration commands.
The following is the protocol stack adopted by the VE interface:
• ATM PVC at the bottom layer
• Ethernet at the link layer
• Protocols the same as those for a common Ethernet interface at the network layer and upper layers

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for the ADSL/G.SHDSL interface you want to configure to enter
the ADSL/G.SHDSL interface configuration page, as shown in Figure 32.

Figure 32 Configuring an ADSL/G.SHDSL interface

Table 28 Configuration items (IPoA)

Item                      Description
WAN Interface             Displays the name of the ADSL/G.SHDSL interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: IPoA        Select IPoA as the connection mode.
PVC                       Set the VPI/VCI value for the PVC.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.
IP Address                Configure the IP address for the interface.
IP Mask                   Configure the subnet mask for the interface.
Map IP                    Set the remote IP address for the IPoA mapping.

Table 29 Configuration items (IPoEoA)

Item                      Description
WAN Interface             Displays the name of the ADSL/G.SHDSL interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: IPoEoA      Select IPoEoA as the connection mode.
PVC                       Set the VPI/VCI value for the PVC.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.
IP Address                Configure the IP address for the interface.
IP Mask                   Configure the subnet mask for the interface.

Table 30 Configuration items (PPPoA)

Item                      Description
WAN Interface             Displays the name of the ADSL/G.SHDSL interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: PPPoA       Select PPPoA as the connection mode.
PVC                       Set the VPI/VCI value for the PVC.
User Name                 Configure the username for authentication.
Password                  Displays whether a password is configured for authentication. If the field displays null, no password is configured.
New Password              Set or modify the password for authentication.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.

Table 31 Configuration items (PPPoEoA)

Item                      Description
WAN Interface             Displays the name of the ADSL/G.SHDSL interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Connect Mode: PPPoEoA     Select PPPoEoA as the connection mode.
PVC                       Set the VPI/VCI value for the PVC.
User Name                 Configure the username for authentication.
Password                  Displays whether a password is configured for authentication. If the field displays null, no password is configured.
New Password              Set or modify the password for authentication.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.
Idle timeout              Set the idle timeout for the connection:
                          • Online for all time—The connection is maintained until it is disconnected manually or because of an anomaly.
                          • Online according to the Idle Timeout value—The connection is torn down automatically if no traffic is transmitted or received on the link for the specified period, and re-established when a request to access the Internet is received.
                          If you select Online according to the Idle Timeout value, you must set the Idle timeout value.

Configuring a CE1/PRI interface


CE1/PRI interface overview
The CE1/PRI interface supports PPP connection mode. For details about PPP, refer to section Configuring
an SA interface.
The CE1/PRI interface can operate in either E1 mode (also called non-channelized mode) or CE1 mode
(channelized mode).
• A CE1/PRI interface in E1 mode equals an interface of 2048 Mbps data bandwidth, on which no
timeslots are divided. Its logical features are the same as those of a synchronous serial interface. It
supports link layer protocols such as PPP, FR, LAPB and X.25 and network protocols such as IP and
IPX.
• A CE1/PRI interface in CE1 mode is physically divided into 32 timeslots numbered 0 to 31. Among
them, timeslot 0 is used for transmitting synchronizing information. All the timeslots except timeslot
0 can be randomly divided into multiple channel sets and each set can be used as an interface
upon timeslot bundling. Its logical features are the same as those of a synchronous serial interface.
It supports link layer protocols such as PPP, HDLC, FR, LAPB and X.25, and network protocols such
as IP.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for the CE1/PRI interface you want to configure to enter the
CE1/PRI interface configuration page, which varies with the operating mode of the CE1/PRI interface.

Configuring a CE1/PRI interface in E1 mode


Figure 33 Configuring a CE1/PRI interface in E1 mode

Table 32 Configuration items (in E1 mode)

Item                      Description
WAN Interface             Displays the name of the CE1/PRI interface to be configured.
Interface Status          Displays and sets the interface status:
                          • Connected—The interface is up and connected. Click Disable to shut down the interface.
                          • Not connected—The interface is up but not connected. Click Disable to shut down the interface.
                          • Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring up the interface.
Work Mode: E1             Select E1 as the operating mode.
User Name                 Configure the username for authentication.
Password                  Displays whether a password is configured for authentication. If the field displays null, no password is configured.
New Password              Set or modify the password for authentication.
TCP-MSS                   Configure the TCP MSS on the interface.
MTU                       Configure the MTU on the interface.

Configuring a CE1/PRI interface in CE1 mode
Figure 34 Configuring a CE1/PRI interface in CE1 mode

Table 33 Configuration items (in CE1 mode)

Item Description
WAN Interface Displays the name of the CE1/PRI interface to be configured.

Interface Status Display and set the interface status:
• Connected—The interface is up and connected. Click Disable to shut down the interface.
• Not connected—The interface is up but not connected. Click Disable to shut down the interface.
• Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring it up.

Work Mode: CE1 Select CE1 as the operating mode.

Operation Add or remove timeslots:
• create—Adds timeslots to form a channel set.
• delete—Removes timeslots from a channel set.

Serial Specify the serial interface number of the channel set.

Timeslot-List Set the timeslots to add or remove.

User Name Configure the username for authentication.

Password Displays whether a password is configured for authentication. If the field displays null, no password is configured.

New Password Set or modify the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Configuring a CT1/PRI interface


CT1/PRI interface overview
The CT1/PRI interface supports PPP connection mode. For more information about PPP, see "Configuring
an SA interface."
When it is working as a CT1 interface, the 24 timeslots (numbered 1 to 24) can be divided into groups in any combination. Each group forms one channel set, for which the system automatically creates an interface that is logically equivalent to a synchronous serial interface. This interface supports link layer protocols such as PPP, HDLC, FR, LAPB, and X.25, and network layer protocols such as IP and IPX.
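The channel-set rules above (timeslots grouped into sets, each set bound to a serial interface number, and created or deleted through the Operation, Serial and Timeslot-List items of the CE1 and CT1 pages) can be checked offline before the change is made on the router. The following Python helper is an added example written for this guide, not H3C code: it parses a Timeslot-List value, refuses timeslots outside the mode's range or already owned by another channel set, and reports the line rate of the resulting logical serial interface. The CE1 range of 1 to 31 (timeslot 0 carries framing) and the 64 kbit/s per-timeslot rate are assumptions stated in the code; the CT1 range of 1 to 24 is taken from the overview.

```python
import re

# Usable timeslots per mode. CT1 (1-24) is from the guide; CE1 (1-31, timeslot 0 is
# framing) and the 64 kbit/s per-timeslot rate are assumptions of this example.
USABLE_TIMESLOTS = {"CE1": frozenset(range(1, 32)), "CT1": frozenset(range(1, 25))}
TIMESLOT_RATE_KBPS = 64


def parse_timeslot_list(spec):
    """Parse a Timeslot-List value such as '1-4,6,8-10' into a set of timeslot numbers."""
    slots = set()
    for part in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad timeslot element {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range {part!r}")
        slots.update(range(lo, hi + 1))
    return slots


class ChannelSets:
    """Tracks the channel sets (serial interface number -> timeslots) of one CE1/CT1 interface."""

    def __init__(self, mode):
        if mode not in USABLE_TIMESLOTS:
            raise ValueError(f"mode must be one of {sorted(USABLE_TIMESLOTS)}")
        self.mode = mode
        self.sets = {}

    def create(self, serial, spec):
        """Operation 'create': add timeslots to the channel set bound to serial interface `serial`."""
        slots = parse_timeslot_list(spec)
        unusable = slots - USABLE_TIMESLOTS[self.mode]
        if unusable:
            raise ValueError(f"timeslots {sorted(unusable)} are not usable in {self.mode} mode")
        for other, used in self.sets.items():
            clash = used & slots
            if other != serial and clash:
                raise ValueError(f"timeslots {sorted(clash)} already belong to serial {other}")
        self.sets.setdefault(serial, set()).update(slots)
        return set(self.sets[serial])

    def delete(self, serial, spec):
        """Operation 'delete': remove timeslots from a channel set; an emptied set disappears."""
        slots = parse_timeslot_list(spec)
        current = self.sets.get(serial)
        if current is None or not slots <= current:
            raise ValueError(f"timeslots {sorted(slots)} are not all in serial {serial}")
        current -= slots
        if not current:
            del self.sets[serial]
            return set()
        return set(current)

    def bandwidth_kbps(self, serial):
        """Line rate of the logical serial interface created for a channel set."""
        return len(self.sets.get(serial, ())) * TIMESLOT_RATE_KBPS

    def free_timeslots(self):
        """Timeslots not yet assigned to any channel set."""
        used = set().union(*self.sets.values())
        return sorted(USABLE_TIMESLOTS[self.mode] - used)


if __name__ == "__main__":
    ce1 = ChannelSets("CE1")
    ce1.create(0, "1-15")
    ce1.create(1, "17-31")
    print(ce1.bandwidth_kbps(0), ce1.bandwidth_kbps(1), ce1.free_timeslots())
```

Run it before submitting the Web form: a timeslot that is already part of another channel set, or outside the mode's range, is rejected here rather than by the router.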

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for a CT1/PRI interface. The page for configuring the interface
appears.
Figure 35 Configuring a CT1/PRI interface

Table 34 Configuration items

Item Description
WAN Interface Displays the name of the CT1/PRI interface to be configured.

Interface Status Display and set the interface status:
• Connected—The interface is up and connected. Click Disable to shut down the interface.
• Not connected—The interface is up but not connected. Click Disable to shut down the interface.
• Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring it up.

Work Mode: CT1 Select CT1 as the operating mode.

Operation Add or remove timeslots:
• create—Adds timeslots to form a channel set.
• delete—Removes timeslots from a channel set.

Serial Specify the serial interface number of the channel set.

Timeslot-List Set the timeslots to add or remove.

User Name Configure the username for authentication.

Password Displays whether a password is configured for authentication. If the field displays null, no password is configured.

New Password Set or modify the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Configuring a cellular interface


Overview
You can connect a USB 3G modem to a USB interface of the device. The system will dynamically create
a cellular interface to manage this attached USB 3G modem. When the USB 3G modem is removed
from the USB interface, the cellular interface will be dynamically removed.
When a cellular interface operates in protocol mode, it uses the link layer protocol PPP and network layer
protocol IP.

Configuration procedure
Select Interface Setup > WAN Interface Setup from the navigation tree to enter the WAN interface
configuration page. Click the icon for a cellular interface. The page for configuring the cellular
interface appears.

Figure 36 Configuring a cellular interface

Table 35 Configuration items

Item Description
WAN Interface Displays the name of the cellular interface to be configured.

Interface Status Display and set the interface status:
• Connected—The interface is up and connected. Click Disable to shut down the interface.
• Not connected—The interface is up but not connected. Click Disable to shut down the interface.
• Administratively Down—The interface has been shut down by a network administrator. Click Enable to bring it up.

Work Mode Displays the operating mode of the cellular interface. A cellular interface in protocol mode runs PPP at the link layer and IP at the network layer, as described in the overview above.

User Name Configure the username for authentication.

Password Displays whether a password is configured for authentication. If the field displays null, no password is configured.

New Password Set or modify the password for authentication.

TCP-MSS Configure the TCP MSS on the interface.

MTU Configure the MTU on the interface.

Dialer Number Set the number that the interface dials to reach the peer.

Idle Timeout Set the idle timeout for a connection:
• Online for all time—The connection is maintained until it is disconnected manually or because of an anomaly.
• Online according to the Idle Timeout value—The connection is torn down automatically if no traffic is transmitted or received on the link for the idle timeout period, and is re-established when a request to access the Internet is received. If you select this option, you must set the Idle timeout value.

Viewing the general information and statistics of an interface
On the WAN Interface Setup page as shown in Figure 29, you can view the name, connection type, IP
address, mask, and status of each interface. To view the statistics of an interface, click the interface name
to display the page shown in Figure 37.
Figure 37 Statistics of an interface

Configuring VLANs

You can configure the following port-based VLAN and VLAN interface functions through the Web
interface:
• Create or delete VLANs.
• Add/remove member ports to/from a VLAN.
• Create or delete VLAN interfaces.
• Configure VLAN interface parameters.

Overview
Ethernet is a network technology based on the CSMA/CD mechanism. As the medium is shared,
collisions and excessive broadcasts are common on Ethernet networks. To address the issue, virtual LAN
(VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other
at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it.
For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3
forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for
Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For
each VLAN, you can create one VLAN interface. You can configure VLAN interfaces to forward traffic at
the network layer.
For more information about VLANs and VLAN interfaces, see H3C MSR Series Routers (V5) Layer
2—LAN Switching Configuration Guide.

Configuring a VLAN and its VLAN interface


Recommended configuration procedures
Recommended VLAN configuration procedure

Step Remarks
1. Creating a VLAN and its VLAN interface. Required.
2. Configuring VLAN member ports. Required.

Recommended VLAN interface configuration procedure

Step Remarks
1. Creating a VLAN and its VLAN interface. Required.

2. Configuring parameters for a VLAN interface. Optional.
Configure an IP address and MAC address for a VLAN interface. Select whether to enable the DHCP server function for the VLAN interface and, if so, configure the related parameters.
You can also configure the DHCP server function in Advanced > DHCP Setup. For more information, see "Configuring DHCP." This chapter describes only the DHCP server configuration in the LAN Setup module.

Creating a VLAN and its VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
page, VLAN Setup page.
Figure 38 VLAN setup page

Table 36 Configuration items

Item Description
VLAN Create And Remove Set the operation type to Create or Remove.

VLAN IDs Enter the ID of the VLAN (or VLAN interface) to be created or removed. You can create or remove multiple VLANs at a time.

Create VLAN Interface Create a VLAN interface when you create a VLAN.

Only Remove VLAN Interface Remove the VLAN interface of a VLAN without removing the VLAN.

Configuring VLAN member ports


The ports that you assign to a VLAN in the Web interface can only be set to untagged type.
The VLAN member port list displayed on the VLAN Setup page includes both tagged and untagged
member ports.
You can configure a VLAN by assigning ports to it or removing ports from it.
Select Interface Setup > LAN Interface Setup from the navigation tree. The system goes to the default
page, VLAN Setup page.
Table 37 Configuration items

Item Description
VLAN ID Select the ID of the VLAN that you want to assign ports to or remove ports from.

Port list Select the ports you want to add or remove.

Add Assign the selected ports to the VLAN.

Remove Remove the selected ports from the VLAN.

Configuring parameters for a VLAN interface


Select Interface Setup > LAN Interface Setup from the navigation tree, and then select the VLAN Interface
Setup tab to enter the page for configuring parameters for VLAN interfaces.

Figure 39 VLAN interface setup page

Table 38 Configuration items

Item Description
VLAN ID Select the ID of the VLAN interface you want to configure.

IP Address, Subnet Mask Set the VLAN interface's IP address and subnet mask.

MAC Address Set the MAC address of the VLAN interface:
• Use the MAC address of the device—Use the default MAC address of the VLAN interface, which is displayed in the brackets that follow.
• Use the customized MAC address—Manually set the MAC address of the VLAN interface. When you select this option, you must enter a MAC address in the text box below.

DHCP Server Select whether the VLAN interface operates in DHCP server mode. If you enable the DHCP server on the interface, you can continue to configure the related DHCP server parameters.

Start IP Address, End IP Address Set an extended DHCP address pool used for dynamic IP address allocation. The range is defined by a start IP address and an end IP address.
If an extended address pool is configured on the port that receives the DHCP request, the server allocates an IP address from the extended address pool to the client, regardless of whether a common address pool (static binding or dynamic allocation) is also configured on the port. If no IP address is available in the pool, the server cannot allocate an IP address to the client.

Gateway IP Address Set the gateway IP address allocated to DHCP clients from the DHCP address pool.
When DHCP clients access servers or hosts on other network segments, their traffic must be forwarded through the gateway. After you specify a gateway IP address, the server sends it to the clients along with the IP addresses allocated to them.

DNS Server 1, DNS Server 2 Specify the IP addresses of the DNS servers to be handed to DHCP clients on the local network segment. DNS Server 1 has a higher preference than DNS Server 2.
For DHCP clients to reach Internet hosts by domain name, the DHCP server must send them the local DNS server's IP address together with the assigned IP addresses.

Reserved IP Address Set the IP addresses in the DHCP address pool that are not to be assigned automatically.
Do not let the server assign an address that is already in use (the gateway IP address or an FTP server IP address, for example) to a client. Otherwise, an IP address conflict occurs.
If you mark an address that is configured in a static binding as not to be auto-assigned, that address can still be assigned to the client in the static binding.
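The Start/End IP, Gateway, DNS and Reserved IP rules above are easy to get wrong by hand: a gateway or DNS server that sits inside the pool without a reservation will eventually be leased to a client and cause exactly the address conflict the table warns about. The following Python check is an added example, not taken from the guide or from H3C software; it validates a proposed VLAN-interface pool against those rules using only the standard library. The parameter names are hypothetical and simply mirror the Web page fields.

```python
import ipaddress


def check_vlan_dhcp_pool(interface_ip, subnet_mask, start_ip, end_ip, gateway,
                         dns_servers=(), reserved=()):
    """Return a list of problems with an extended DHCP pool on a VLAN interface.

    An empty list means the pool is consistent with the rules in this chapter.
    Parameter names are hypothetical and mirror the Web page fields.
    """
    iface = ipaddress.ip_interface(f"{interface_ip}/{subnet_mask}")
    net = iface.network
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    gw = ipaddress.ip_address(gateway)
    reserved_set = {ipaddress.ip_address(r) for r in reserved}
    dns_list = [ipaddress.ip_address(d) for d in dns_servers]
    problems = []

    if start > end:
        problems.append(f"start IP {start} is after end IP {end}")
        return problems
    pool = {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}

    # The pool and the gateway must live inside the VLAN interface's own subnet,
    # and the pool must not include the network or broadcast address.
    for label, addr in (("start IP", start), ("end IP", end), ("gateway", gw)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    for special in (net.network_address, net.broadcast_address):
        if special in pool:
            problems.append(f"pool includes {special}, which is not assignable")

    # Addresses already in use must be reserved if they fall inside the pool;
    # otherwise the server may lease them to a client (address conflict).
    in_use = [("gateway", gw), ("VLAN interface", iface.ip)]
    in_use += [("DNS server", d) for d in dns_list]
    for label, addr in in_use:
        if addr in pool and addr not in reserved_set:
            problems.append(f"{label} address {addr} is inside the pool but not reserved (address conflict)")

    # A reservation outside the pool has no effect and usually signals a typo.
    for r in sorted(reserved_set):
        if r not in pool:
            problems.append(f"reserved address {r} is not in the pool")
    return problems


def available_leases(start_ip, end_ip, reserved=()):
    """Number of addresses the pool can actually hand out after reservations."""
    start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    pool = {ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)}
    return len(pool - {ipaddress.ip_address(r) for r in reserved})


if __name__ == "__main__":
    # Constructed sample: the gateway is the VLAN interface itself and sits in the pool.
    for p in check_vlan_dhcp_pool("192.168.10.1", "255.255.255.0",
                                  "192.168.10.1", "192.168.10.100", "192.168.10.1",
                                  dns_servers=("192.168.10.2",)):
        print("problem:", p)
    print("leases:", available_leases("192.168.10.10", "192.168.10.100",
                                      reserved=("192.168.10.50",)))
```

The simplest way to pass the check is to start the pool above the gateway and the DNS server rather than reserving them; reservations are better kept for addresses that must stay inside the range for other reasons.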

Configuration guidelines
When you configure VLANs, follow these guidelines:
• VLAN 1 is the default VLAN, which can neither be created nor removed manually.
• Some VLANs are reserved for special purposes. You can neither create nor remove them manually.
• You cannot directly remove protocol-reserved VLANs, voice VLANs, management VLANs, or
dynamically learned VLANs. To remove them, you must remove relevant configurations first.

Wireless configuration overview

The device allows you to perform the following configuration in the Web interface:
• Configuring wireless access service
• Displaying wireless access service
• Client mode
• Configuring data transmit rates
• Displaying radio
• Configuring the blacklist and white list functions
• Configuring user isolation
• Configuring wireless QoS
• Setting a district code
• Channel busy test
After completing these configurations, you can build a stable, secure, and efficient wireless network.

Overview
Wireless Local Area Network (WLAN) is popular nowadays. Compared with wired LANs, WLANs are
easier and cheaper to implement because only one or several access points (APs) can provide wireless
access for an entire building or area. A WLAN does not necessarily mean that everything is wireless. The
servers and backbones still reside on wired networks. WLANs mainly provide the following services:
• Authentication and encryption to secure wireless access.
• Wireless access and mobility to free users from the restrictions of wires and cables.

Configuration task list


Table 39 Wireless configuration task list

Task Remarks
Configuring wireless service Required. Allows you to create a wireless service and configure its attributes.

Client mode Optional. Allows you to configure the router to access a WLAN as a client. If the router acts as an AP, this configuration is not required.

Configuring radios Optional. Allows you to configure radio rates to adjust the capabilities of wireless devices.

Configuring WLAN security Optional. Allows you to control client access to improve wireless security.

Configuring WLAN QoS Optional. Allows you to configure WLAN QoS to make full use of wireless resources.

Configuring advanced settings Optional. Allows you to configure district codes as needed to meet country-specific regulations and to configure the channel busy test.

Configuring wireless services

For more information about WLAN user access, see WLAN Configuration Guide in H3C MSR Series
Routers Configuration Guides (V5).

Configuring wireless access service


Creating a wireless access service
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for
configuring access service.
Figure 40 Configuring access service

Click Add to enter the page for creating a wireless service.

Figure 41 Creating a wireless service

Table 40 Configuration items

Item Description
Radio Unit Radio ID, 1 or 2.

Mode Radio mode, which depends on your device model.

Wireless Service Name Set the service set identifier (SSID).
An SSID should be as unique as possible. For security, do not include the company name in the SSID. A long random string is not recommended either: it only increases the Beacon frame length and complicates use, and adds nothing to wireless security because the SSID is not a secret.

Wireless Service Type Select the wireless service type:
• clear—Traffic on the SSID is not encrypted.
• crypto—Traffic on the SSID is encrypted.

Configuring clear type wireless service


Configuring basic settings for clear type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, find the clear type wireless
service in the list, and click the corresponding icon to enter the page for configuring wireless service.

Figure 42 Configuring clear type wireless service

Table 41 Configuration items

Item Description
Wireless Service Display the selected Service Set Identifier (SSID).

VLAN (Untagged) Enter the ID of the VLAN whose packets are to be sent untagged. VLAN (Untagged) means that the port sends the traffic of that VLAN with the VLAN tag removed.

Default VLAN Set the default VLAN of the port. By default, the default VLAN of all ports is VLAN 1. After you set a new default VLAN, that VLAN becomes the VLAN whose packets are sent untagged.

Delete VLAN Remove the IDs of the VLANs whose packets are to be sent untagged and tagged.

SSID HIDE • Enable—Disables the advertisement of the SSID in beacon frames.
• Disable—Enables the advertisement of the SSID in beacon frames.
By default, the SSID is advertised in beacon frames.

IMPORTANT:
• If the advertisement of the SSID in beacon frames is disabled, the SSID must be configured on the clients for them to associate with the device.
• Disabling SSID advertisement in beacon frames provides little security benefit: the SSID is still carried in probe and association frames, so anyone listening can recover it. Advertising the SSID in beacon frames lets clients discover the AP more easily.

Configuring advanced settings for clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the clear type wireless
service in the list, and click the corresponding icon to enter the page for advanced configuration.

Figure 43 Configuring advanced settings for a clear type wireless service

Table 42 Configuration items

Item Description
Client Max Users Maximum number of clients of the SSID that can be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of the SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

Management Right Web interface management right of online clients:
• Disable—Online clients cannot manage the device through the Web interface.
• Enable—Online clients can manage the device through the Web interface.
Leave this disabled unless clients of this SSID genuinely need to administer the router; an open clear type service with management right enabled exposes the Web interface to anyone who associates.

Configuring security settings for clear type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the clear type wireless
service in the list, and click the corresponding icon to enter the page for configuring clear type
wireless service security.
Table 43 Configuration items

Item Description
Authentication Type For the clear type wireless service, select Open-System only.

Port Mode Select the port security mode:
• mac-authentication—Performs MAC address authentication on users.
• mac-else-userlogin-secure—A combination of the mac-authentication and userlogin-secure modes, with MAC authentication having the higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication; upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—Similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure—Port-based 802.1X authentication is performed for users; multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-or-mac—A combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having the higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—Similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-ext—The port performs 802.1X authentication on users in MAC-based mode and supports multiple 802.1X users.

IMPORTANT:
There are multiple security modes. To remember them, read the mode names as follows:
• userLogin indicates port-based 802.1X authentication.
• mac indicates MAC address authentication.
• The authentication mode before Else is tried first. If it fails, the mode after Else may be used, depending on the protocol type of the packets to be authenticated.
• The modes before and after Or have the same priority. The device selects one according to the protocol type of the packets to be authenticated. For wireless users, 802.1X authentication is tried first.
• userLogin together with Secure indicates MAC-based 802.1X authentication.
• A mode with Ext allows multiple 802.1X users to pass authentication. A mode without Ext allows only one 802.1X user to pass authentication.

Max User Maximum number of users that can be connected to the network through a specific port.
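The Else, Or and Ext rules in the box above describe a small decision procedure, and it is worth seeing it written down before choosing a mode. The following Python model is an added example, not H3C code: `decide` returns which method admits a client under each port mode given the frame type and the two authentication outcomes, and `PortSecurity` layers the Max User limit and the single-802.1X-user rule for modes without Ext on top. Treating MAC-authenticated users in modes without Ext as limited only by Max User is the author's reading of the text, not something the page states.

```python
MAC_ONLY = ("mac-authentication",)
MAC_FIRST = ("mac-else-userlogin-secure", "mac-else-userlogin-secure-ext")
DOT1X_ONLY = ("userlogin-secure", "userlogin-secure-ext")
DOT1X_FIRST = ("userlogin-secure-or-mac", "userlogin-secure-or-mac-ext")
ALL_MODES = MAC_ONLY + MAC_FIRST + DOT1X_ONLY + DOT1X_FIRST


def decide(mode, sends_8021x, mac_ok, dot1x_ok):
    """Return the method that admits the client ('mac' or '802.1X'), or None if rejected.

    sends_8021x: the client sent an 802.1X (EAPOL) frame rather than an ordinary frame.
    mac_ok / dot1x_ok: the result the AAA server would return for each method.
    A client that never speaks 802.1X cannot pass 802.1X, whatever the server would say.
    """
    if mode not in ALL_MODES:
        raise ValueError(f"unknown port security mode {mode!r}")
    dot1x_ok = dot1x_ok and sends_8021x
    if mode in MAC_ONLY:
        return "mac" if mac_ok else None
    if mode in DOT1X_ONLY:
        return "802.1X" if dot1x_ok else None
    if mode in MAC_FIRST:
        # Else: MAC authentication is preferred; 802.1X is tried only for 802.1X frames.
        if mac_ok:
            return "mac"
        return "802.1X" if dot1x_ok else None
    # Or: for wireless users 802.1X is tried first, then MAC authentication.
    if dot1x_ok:
        return "802.1X"
    return "mac" if mac_ok else None


class PortSecurity:
    """Adds the Max User limit and the Ext rule (one vs. many 802.1X users) to `decide`."""

    def __init__(self, mode, max_user=None):
        if mode not in ALL_MODES:
            raise ValueError(f"unknown port security mode {mode!r}")
        self.mode = mode
        self.max_user = max_user
        self.online = {}  # client MAC -> method that admitted it

    def admit(self, mac, sends_8021x, mac_ok, dot1x_ok):
        """Try to bring a client online; return the admitting method or None."""
        method = decide(self.mode, sends_8021x, mac_ok, dot1x_ok)
        if method is None:
            return None
        if self.max_user is not None and len(self.online) >= self.max_user:
            return None
        # Without Ext only one 802.1X user may be online at a time (assumption:
        # MAC-authenticated users are bounded only by Max User).
        if (method == "802.1X" and not self.mode.endswith("-ext")
                and "802.1X" in self.online.values()):
            return None
        self.online[mac] = method
        return method

    def logoff(self, mac):
        """Handshake or accounting stop: the client leaves, freeing its slot."""
        self.online.pop(mac, None)


if __name__ == "__main__":
    port = PortSecurity("mac-else-userlogin-secure", max_user=4)
    print(port.admit("00:11:22:33:44:55", sends_8021x=False, mac_ok=True, dot1x_ok=False))
    print(port.admit("00:11:22:33:44:66", sends_8021x=True, mac_ok=False, dot1x_ok=True))
    print(port.admit("00:11:22:33:44:77", sends_8021x=True, mac_ok=False, dot1x_ok=True))
```

The last call in the demonstration returns None: in a mode without Ext the second 802.1X user is refused even though Max User still has room, which is the practical reason to pick an -ext mode for any SSID that serves more than one supplicant.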

1. Configure MAC authentication:

Figure 44 Configuring MAC authentication

Table 44 Configuration items

Item Description
Port Mode mac-authentication: MAC-based authentication is performed on access users.

Max User Control the maximum number of users allowed to access the network through the port.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field.
• The selected domain applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain that is in use. Otherwise, the clients that access the wireless service are logged out.

2. Configure userlogin-secure/userlogin-secure-ext:

Figure 45 Configuring userlogin-secure/userlogin-secure-ext port security (userlogin-secure is taken
for example)

Table 45 Configuration items

Item Description
Port Mode • userlogin-secure—Perform port-based 802.1X authentication for access users. In this mode, multiple 802.1X authenticated users can access the port, but only one user can be online.
• userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

Max User Control the maximum number of users allowed to access the network through the port.

Mandatory Domain Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name combo box.
• The selected domain applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain that is in use. Otherwise, the clients that access the wireless service are logged out.

Authentication Method • EAP—Use EAP relay. The authenticator encapsulates the client's 802.1X EAP packets in the EAP attributes of RADIUS packets and forwards them to the RADIUS server for authentication; it does not terminate EAP and repackage the user information into standard RADIUS attributes. This is the only choice that preserves end-to-end EAP methods such as certificate-based ones.
• CHAP—Use CHAP. By default, CHAP is used. With CHAP the device sends the RADIUS server a hash computed over a server challenge and the password rather than the password itself, so this method is safer than PAP.
• PAP—Use PAP. PAP transmits the password in plain text (in the RADIUS exchange it is only obscured with the shared secret, not encrypted).

Handshake • Enable—Enable the online user handshake function so that the device periodically sends handshake messages to a user to check whether the user is still online. By default, the function is enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger • Enable—Enable the 802.1X multicast trigger function so that the port periodically sends multicast trigger messages to clients to initiate authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.

IMPORTANT:
In a WLAN, clients can actively initiate authentication, or the AP can discover users and trigger authentication, so the ports do not need to send 802.1X multicast trigger messages periodically. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

3. Configure the other four port security modes:


Figure 46 Configuring port security for the other four security modes (mac-else-userlogin-secure is
taken for example)

Table 46 Configuration items

Item Description
Port Mode • mac-else-userlogin-secure—A combination of the mac-authentication and userlogin-secure modes, with MAC authentication having the higher priority. Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.
• mac-else-userlogin-secure-ext—Similar to the mac-else-userlogin-secure mode, except that it supports multiple 802.1X and MAC authentication users on the port.
• userlogin-secure-or-mac—A combination of the userlogin-secure and mac-authentication modes, with 802.1X authentication having the higher priority. For a wireless user, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed.
• userlogin-secure-or-mac-ext—Similar to the userlogin-secure-or-mac mode, except that it supports multiple 802.1X and MAC authentication users on the port.

Max User Control the maximum number of users allowed to access the network through the port.

Mandatory Domain Select an existing domain from the list. After a mandatory domain is configured, all 802.1X users accessing the port are forced to use the mandatory domain for authentication, authorization, and accounting.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field.
Authentication Method • EAP—Use EAP relay. The authenticator encapsulates the client's 802.1X EAP packets in the EAP attributes of RADIUS packets and forwards them to the RADIUS server for authentication. It does not terminate EAP and repackage the user information into standard RADIUS attributes.
• CHAP—Use CHAP. By default, CHAP is used. With CHAP the device sends the RADIUS server a hash computed over a server challenge and the password rather than the password itself, so this method is safer than PAP.
• PAP—Use PAP. PAP transmits the password in plain text.

Handshake • Enable—Enable the online user handshake function so that the device periodically sends handshake messages to a user to check whether the user is still online. By default, the function is enabled.
• Disable—Disable the online user handshake function.

Multicast Trigger • Enable—Enable the 802.1X multicast trigger function so that the port periodically sends multicast trigger messages to clients to initiate authentication. By default, the multicast trigger function is enabled.
• Disable—Disable the 802.1X multicast trigger function.
IMPORTANT:
In a WLAN, clients can actively initiate authentication, or the AP can discover users and trigger authentication, so the ports do not need to send 802.1X multicast trigger messages periodically. H3C recommends that you disable the multicast trigger function in a WLAN because the multicast trigger messages consume bandwidth.

MAC Authentication Select the MAC Authentication option.

Domain Select an existing domain from the list.
The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field.
• The selected domain applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
• Do not delete a domain that is in use. Otherwise, the clients that access the wireless service are logged out.

Configuring crypto type wireless service


Configuring basic settings for crypto type wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree, find the crypto type wireless
service in the list, and click the corresponding icon to enter the page for configuring wireless service,
as shown in Figure 47.
Figure 47 Configuring crypto type wireless service

See Table 41 for the configuration items of basic configuration of crypto type wireless service.

Configuring advanced settings for crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the crypto type wireless
service in the list, and click the corresponding icon to enter the page for configuring wireless service,
as shown in Figure 48.

Figure 48 Configuring advanced settings for crypto type wireless service

Table 47 Configuration items

Item Description
Client Max Users Maximum number of clients of the SSID that can be associated with the same radio of the AP.
IMPORTANT:
When the number of clients of the SSID associated with the same radio of the AP reaches the maximum, the SSID is automatically hidden.

PTK Life Time Set the PTK lifetime. A PTK is generated through the four-way handshake.

TKIP CM Time Set the TKIP countermeasure time.
By default, the TKIP countermeasure time is 0 seconds, which means the TKIP countermeasure policy is disabled. Setting it to a value other than 0 enables the policy.
The MIC is designed to detect tampering with TKIP frames. It uses the Michael algorithm, which is cheap to compute but cryptographically weak, which is exactly why TKIP backs it up with a countermeasure policy. A MIC failure means the data may have been tampered with and the system may be under attack. With the countermeasure policy enabled, if more than two MIC failures occur within the specified time, TKIP disassociates all connected wireless clients and allows no new associations for the TKIP countermeasure time.
Note that the countermeasure itself can be abused: anyone able to inject frames with bad MICs can knock every client off the radio. Where clients support it, prefer CCMP, which has no such mechanism.

Management Right Web interface management right of online clients:
• Disable—Online clients cannot manage the device through the Web interface.
• Enable—Online clients can manage the device through the Web interface.

GTK Rekey Method During authentication between the AP and a client, the AP generates a group temporal key (GTK) and delivers it to the client through the 4-way handshake or the group key handshake. The client uses the GTK to decrypt broadcast and multicast packets.
• If Time is selected, the GTK is refreshed after a specified period of time.
• If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted.
By default, the GTK rekeying method is time-based, and the interval is 86400 seconds.

GTK User Down Status Enable refreshing the GTK when a client goes offline. By default, the GTK is not refreshed when a client goes offline.
Because every client of the service shares the same GTK, a client that has left keeps the ability to decrypt broadcast and multicast traffic until the next rekey; enabling this option closes that window at the cost of a group key handshake with the remaining clients.
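Because TKIP CM Time defaults to 0, the countermeasure policy is off unless you set it, and once set it is also a denial-of-service lever: three frames with bad MICs from anyone who can inject into the BSS disassociate every client. The Python model below is an added example, not device code; it implements the policy as the table describes it. Using the configured CM Time both as the window in which MIC failures are counted and as the period during which new associations are refused is an assumption (the table only says "within the specified time").

```python
class TkipCountermeasures:
    """Models the TKIP countermeasure policy as described in the TKIP CM Time row.

    cm_time is the configured TKIP CM Time in seconds; 0 disables the policy.
    Assumption: cm_time is both the MIC-failure counting window and the period
    during which new associations are refused.
    """

    FAILURE_LIMIT = 2  # more than this many MIC failures in the window triggers countermeasures

    def __init__(self, cm_time):
        if cm_time < 0:
            raise ValueError("cm_time must be 0 (disabled) or a positive number of seconds")
        self.cm_time = cm_time
        self.failures = []         # timestamps of recent MIC failures
        self.blocked_until = None  # no new associations before this time
        self.clients = set()

    def enabled(self):
        return self.cm_time > 0

    def associate(self, now, client):
        """Return True if the client may associate at time `now`."""
        if self.blocked_until is not None and now < self.blocked_until:
            return False
        self.clients.add(client)
        return True

    def mic_failure(self, now):
        """Record a MIC failure; return the clients disassociated as a result (usually none)."""
        if not self.enabled():
            return []
        # Drop failures that fell out of the window, then count the new one.
        self.failures = [t for t in self.failures if now - t <= self.cm_time]
        self.failures.append(now)
        if len(self.failures) <= self.FAILURE_LIMIT:
            return []
        # Third failure inside the window: disassociate everyone and refuse new
        # associations for cm_time seconds.
        kicked = sorted(self.clients)
        self.clients.clear()
        self.failures.clear()
        self.blocked_until = now + self.cm_time
        return kicked


if __name__ == "__main__":
    radio = TkipCountermeasures(cm_time=60)
    for mac in ("c1", "c2", "c3"):
        radio.associate(0, mac)
    # Constructed event sequence: three forged frames with bad MICs within 20 seconds.
    for t in (5, 10, 20):
        print(t, radio.mic_failure(t))
    print("can associate at t=30:", radio.associate(30, "c4"))
    print("can associate at t=81:", radio.associate(81, "c4"))
```

With cm_time set to 0 the same three failures are silently ignored, which is the other failure mode the table describes: the attack is not detected at all.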

Configuring security settings for crypto type wireless service


Select Interface Setup > Wireless > Access Service from the navigation tree, find the crypto type wireless
service in the list, and click the corresponding icon to enter the page for configuring crypto type
wireless service, as shown in Figure 49.
Figure 49 Configuring security settings for crypto type wireless service

Table 48 Configuration items

Item Description
Authentication Type Link authentication method, which can be:
• Open-System—No link-layer authentication. With this mode, all clients pass link authentication; access control then rests entirely on the port security mode and cipher suite selected below.
• Shared-Key—Both parties must have the same shared key configured. You can select this option only when WEP encryption is used. Shared-key authentication hands any listener a plaintext challenge and its WEP-encrypted response, which directly exposes keystream, so it is weaker than open-system authentication even with the same WEP key.
• Open-System and Shared-Key—Both open-system and shared-key authentication are accepted.

Cipher Suite Encryption mechanisms supported by the wireless service, which can be:
• CCMP—Encryption mechanism based on the AES encryption algorithm. Prefer this option.
• TKIP—Encryption mechanism based on the RC4 algorithm with per-packet key mixing and dynamic key management. TKIP was designed as a stop-gap for WEP-era hardware and is deprecated; enable it only for legacy clients that cannot use CCMP.
• CCMP and TKIP—Both CCMP and TKIP are supported.

Security IE Wireless service type (the IE carried in beacon and probe response frames):
• WPA—Wi-Fi Protected Access, a security mechanism that preceded the 802.11i standard.
• WPA2—Security mechanism defined in 802.11i, also known as the Robust Security Network (RSN) mechanism, which is more secure than WEP and WPA.
• WPA and WPA2—Both WPA and WPA2 are advertised.
Encryption

79
Item Description
• wep40—WEP40 key option.
WEP • wep104—WEP104 key option.
• wep128—WEP128 key option.
Configure the key index, which can be:
• 1—Key index 1.
• 2—Key index 2.
• 3—Key index 3.
Key ID
• 4—Key index 4.
There are 4 static keys in WEP. The key index can be 1, 2, 3 or 4. The key corresponding
to the specified key index will be used for encrypting and decrypting broadcast and
multicast frames.

Key length.
• For wep40, the key is a string of 5 alphanumeric characters or a 10-digit hexadecimal
number.
Key Length • For wep104, the key is a string of 13 alphanumeric characters or a 26-digit
hexadecimal number.
• For wep128, the key is a string of 16 alphanumeric characters or a 32-digit
hexadecimal number.

WEP Key Configure the WEP key.

See Table 43.


Port Security
  Parameters such as authentication type and encryption type determine the port mode. For details, see Table 51.
  After you select the Cipher Suite option, the following port security modes are added:
  • mac and psk—MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
  • psk—An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.
  • userlogin-secure-ext—Perform MAC-based 802.1X authentication for access users. In this mode, the port supports multiple 802.1X users.

1. Configure mac and psk:

Figure 50 Configuring mac and psk port security

Table 49 Configuration items

Item Description

Port Mode
  mac and psk: MAC-based authentication must be performed on access users first. If MAC-based authentication succeeds, an access user has to use the pre-configured PSK to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Max User
  Control the maximum number of users allowed to access the network through the port.

MAC Authentication
  Select the MAC Authentication option.

Domain
  Select an existing domain from the list.
  The default domain is system. To create a domain, select Authentication > AAA from the navigation tree, click the Domain Setup tab, and type a new domain name in the Domain Name field.
  • The selected domain name applies only to the current wireless service, and all clients accessing the wireless service use this domain for authentication, authorization, and accounting.
  • Do not delete a domain name in use. Otherwise, the clients that access the wireless service will be logged out.

Preshared Key
  • pass-phrase—Enter a PSK in the form of a character string. Enter a string that can be displayed and is 8 to 63 characters long.
  • raw-key—Enter a PSK in the form of a hexadecimal number. Enter a valid 64-bit hexadecimal number.

2. Configure psk:

Figure 51 Configuring psk port security

Table 50 Configuration items

Item Description

Port Mode
  psk: An access user must use the pre-shared key (PSK) that is pre-configured to negotiate with the device. Access to the port is allowed only after the negotiation succeeds.

Max User
  Control the maximum number of users allowed to access the network through the port.

Preshared Key
  • pass-phrase—Enter a PSK in the form of a character string. Enter a string that can be displayed and is 8 to 63 characters long.
  • raw-key—Enter a PSK in the form of a hexadecimal number. Enter a valid 64-bit hexadecimal number.

3. Configure userlogin-secure-ext:
Perform the configurations as shown in Configure userlogin-secure/userlogin-secure-ext.

Binding an AP radio to a wireless service


1. Select Interface Setup > Wireless > Access Service from the navigation tree.
2. Click the icon for the target wireless service to enter the page as shown in Figure 52.
Figure 52 Binding an AP radio to a wireless service

3. Select the AP radio to be bound.


4. Click Bind.

Security parameter dependencies
In a clear-type wireless service or crypto-type wireless service, the security parameter dependencies are
described in Table 51.
Table 51 Security parameter dependencies

Service type | Authentication mode | Security IE | Encryption type | WEP encryption/key ID | Port mode

Clear | Open-System | Unavailable | Unavailable | Unavailable | mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

Crypto | Open-System | Selected | Required | WEP encryption is available; the key ID can be 1, 2, 3, or 4 | mac and psk, psk, userlogin-secure-ext

Crypto | Open-System | Unselected | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication

Crypto | Shared-Key | Unavailable | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication

Crypto | Open-System and Shared-Key | Selected | Required | WEP encryption is required; the key ID can be 2, 3, or 4 | mac and psk, psk, userlogin-secure-ext

Crypto | Open-System and Shared-Key | Unselected | Unavailable | WEP encryption is required; the key ID can be 1, 2, 3, or 4 | mac-authentication

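The WEP key forms in Table 48 and the dependencies in Table 51 are easy to get wrong when the settings are prepared by a script rather than clicked through the Web page. The following validator is an added example, not H3C code: it encodes the Table 48 key lengths and the Table 51 rows for a crypto-type service so that a settings tuple can be checked before it is applied. The function and argument names are this example's own choices; the WEP option names, authentication types and port modes are the ones the guide uses.

```python
"""Consistency checks for crypto-type wireless service security settings.

Added example (not part of the H3C guide): encodes the WEP key forms of
Table 48 and the parameter dependencies of Table 51 so a proposed settings
tuple can be validated before it is applied. Names are this example's own.
"""
import string

# WEP key forms from Table 48: option -> (alphanumeric length, hex-digit length)
WEP_KEY_FORMS = {"wep40": (5, 10), "wep104": (13, 26), "wep128": (16, 32)}

AUTH_TYPES = ("Open-System", "Shared-Key", "Open-System and Shared-Key")

# Port modes from Table 51 for a crypto-type service.
PSK_PORT_MODES = ("mac and psk", "psk", "userlogin-secure-ext")  # Security IE selected
MAC_PORT_MODES = ("mac-authentication",)                         # Security IE not selected

_ALNUM = set(string.ascii_letters + string.digits)
_HEX = set(string.hexdigits)


def check_wep_key(option, key):
    """Return None when `key` fits the selected WEP option, else an error string."""
    if option not in WEP_KEY_FORMS:
        return f"unknown WEP option {option!r}"
    alnum_len, hex_len = WEP_KEY_FORMS[option]
    if len(key) == alnum_len and set(key) <= _ALNUM:
        return None
    if len(key) == hex_len and set(key) <= _HEX:
        return None
    return (f"{option} key must be {alnum_len} alphanumeric characters "
            f"or {hex_len} hexadecimal digits, got {len(key)} characters")


def check_crypto_settings(auth, security_ie, cipher_suite, wep, key_id, port_mode, wep_key=None):
    """Validate one crypto-type service against Table 51; return a list of errors.

    auth          one of AUTH_TYPES
    security_ie   True when a Security IE (WPA/WPA2) is selected
    cipher_suite  "CCMP", "TKIP", "CCMP and TKIP" or None
    wep           "wep40", "wep104", "wep128" or None
    key_id        WEP key index 1..4 (ignored when wep is None)
    port_mode     the Port Security mode to apply
    wep_key       optional WEP key to check against `wep`
    """
    errors = []
    if auth not in AUTH_TYPES:
        return [f"unknown authentication type {auth!r}"]

    # Table 51: Shared-Key alone never carries a Security IE.
    if auth == "Shared-Key" and security_ie:
        errors.append("Security IE is unavailable with Shared-Key authentication")
        security_ie = False  # evaluate the remaining rules as the device would

    # Encryption type (cipher suite) is required with a Security IE, unavailable without one.
    if security_ie and cipher_suite is None:
        errors.append("a cipher suite (CCMP/TKIP) is required when a Security IE is selected")
    if not security_ie and cipher_suite is not None:
        errors.append("cipher suite is unavailable without a Security IE")

    # WEP is optional only for Open-System with a Security IE; every other row requires it.
    if wep is None and not (auth == "Open-System" and security_ie):
        errors.append("WEP encryption is required for this combination")
    if wep is not None:
        # Open-System and Shared-Key with a Security IE allows only key IDs 2, 3 and 4.
        lowest = 2 if (auth == "Open-System and Shared-Key" and security_ie) else 1
        if key_id not in range(lowest, 5):
            errors.append(f"key ID must be between {lowest} and 4, got {key_id}")
        if wep_key is not None:
            err = check_wep_key(wep, wep_key)
            if err:
                errors.append(err)

    allowed = PSK_PORT_MODES if security_ie else MAC_PORT_MODES
    if port_mode not in allowed:
        errors.append(f"port mode {port_mode!r} is not available here; choose one of {allowed}")
    return errors


if __name__ == "__main__":
    # A WPA2/CCMP service with psk port security needs no WEP key at all.
    print(check_crypto_settings("Open-System", True, "CCMP", None, None, "psk"))
    # Shared-Key authentication cannot combine with a Security IE or psk port modes.
    print(check_crypto_settings("Shared-Key", True, "CCMP", None, None, "psk"))
```

An empty list means the combination is one Table 51 allows; each string names one rule that was violated, so a script can report all problems at once instead of discovering them one Apply at a time.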
Displaying wireless access service
Displaying wireless service
Select Interface Setup > Wireless > Summary from the navigation tree and click the name of the specified
WLAN service to view the detailed information, statistics, or connection history.

Displaying detailed information about WLAN service


The detailed information about WLAN service (clear type) is as shown in Figure 53. For the description
of the fields in the detailed information, see Table 52.
Figure 53 Displaying detailed information about WLAN service (clear type)

Table 52 Field description

Field Description

Service Template Number
  Current service template number.

SSID
  Service set identifier (SSID) for the ESS.

Service Template Type
  Service template type.

Authentication Method
  Type of authentication used. WLAN service of the clear type only uses open system authentication.

SSID-hide
  • Disable—The SSID is advertised in beacon frames.
  • Enable—Disables the advertisement of the SSID in beacon frames.

Service Template Status
  Status of service template:
  • Enable—Enables WLAN service.
  • Disable—Disables WLAN service.

Maximum clients per BSS
  Maximum number of associated clients per BSS.

The detailed information about WLAN service (crypto type) is as shown in Figure 54. For the description
of the fields in the detailed information, see Table 53.

Figure 54 Displaying detailed information about WLAN service (crypto type)

Table 53 Field description

Field Description

Service Template Number
  Current service template number.

SSID
  SSID for the ESS.

Service Template Type
  Service template type.

Security IE
  Security IE: WPA or RSN.

Authentication Method
  Authentication method: open system or shared key.

SSID-hide
  • Disable—The SSID is advertised in beacon frames.
  • Enable—Disables the advertisement of the SSID in beacon frames.

Cipher Suite
  Cipher suite: CCMP, TKIP, WEP40, WEP104, or WEP128.

TKIP Countermeasure Time(s)
  TKIP countermeasure time in seconds.

PTK Life Time(s)
  PTK lifetime in seconds.

GTK Rekey
  Whether GTK rekey is configured.

GTK Rekey Method
  GTK rekey method configured: packet based or time based.

GTK Rekey Time(s)
  Time for GTK rekey in seconds.
  • If Time is selected, the GTK is refreshed after a specified period of time.
  • If Packet is selected, the GTK is refreshed after a specified number of packets are transmitted.

Service Template Status
  Status of service template:
  • Enable—Enables WLAN service.
  • Disable—Disables WLAN service.

Maximum clients per BSS
  Maximum number of associated clients per BSS.

Displaying wireless service statistics
Figure 55 Displaying wireless service statistics

Displaying connection history information about wireless service


Figure 56 Displaying the connection history information about wireless service

Displaying client
Displaying client detailed information
Select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab to enter
the Client page. Then click the Detail Information tab on the page, and click the name of the specified
client to view the detailed information of the client.
The detailed information about a client is as shown in Figure 57. For the description of the fields in the
client detailed information, see Table 55.

Figure 57 Displaying client

Table 54 Client RSSI

Field Description

Client RSSI
  Signal strength icon, indicating one of the following ranges:
  • 0 < RSSI <= 20.
  • 20 < RSSI <= 30.
  • 30 < RSSI <= 35.
  • 35 < RSSI <= 40.
  • 40 < RSSI.

Table 55 Field description

Field Description

MAC address
  MAC address of the client.

AID
  Association ID of the client.

User Name
  Username of the client:
  • The field is displayed as -NA- if the client adopts plain-text authentication or cipher-text authentication with no username.
  • The field is irrelevant to the portal authentication method. If the client uses the portal authentication method, the field does not display the portal username of the client.

Radio Interface
  WLAN radio interface.

SSID
  SSID of the device.

BSSID
  MAC address of the device.

Port
  WLAN-DBSS interface associated with the client.

VLAN
  Number of the VLAN interface to which the client belongs.

State
  State of the client, such as running.

Power Save Mode
  Client's power save mode: active or sleep.

Wireless Mode
  Wireless mode, such as 802.11b, 802.11g, or 802.11gn.

QoS Mode
  Whether the device supports the WMM function.

Listen Interval (Beacon Interval)
  Number of times the client has been activated to listen to beacon frames.

RSSI
  Received signal strength indication. This value indicates the client signal strength detected by the AP.

SNR
  Signal to noise ratio.

Rx/Tx Rate
  Reception/transmission rate of the last frame.

Client Type
  Client type, such as RSN, WPA, or Pre-RSN.

Authentication Method
  Authentication method, such as open system or shared key.

AKM Method
  AKM suite used, such as Dot1X or PSK.

4-Way Handshake State
  Four-way handshake states:
  • IDLE—Displayed in the initial state.
  • PTKSTART—Displayed when the 4-way handshake is initialized.
  • PTKNEGOTIATING—Displayed after valid message 3 was sent.
  • PTKINITDONE—Displayed when the 4-way handshake is successful.

Group Key State
  Group key state:
  • IDLE—Displayed in the initial state.
  • REKEYNEGOTIATE—Displayed after the AC sends the initial message to the client.
  • REKEYESTABLISHED—Displayed when re-keying is successful.

Encryption Cipher
  Encryption cipher: clear or crypto.

Roam Status
  Roaming status: Normal or Fast Roaming.

Up Time
  Time for which the client has been associated with the device.

Table 56 Field description

Field Description

Refresh
  Refresh the current page.

Add to Blacklist
  Add the selected client to the static blacklist, which you can display by selecting Security > Filter from the navigation tree.

Reset Statistic
  Delete all items in the list or clear all statistics.

Disconnect
  Log off the selected client.

Displaying client statistics
Select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab to
enter the Client page, click the Statistic Information tab on the page, and click the name of the specified
client to view the statistics of the client.
The statistics of a client is as shown in Figure 58. For the description of the fields in the client statistics,
see Table 57.
Figure 58 Displaying client statistics

Table 57 Field description

Field Description

AP Name
  Name of the associated access point.

Radio Id
  Radio ID.

SSID
  SSID of the device.

BSSID
  MAC address of the device.

MAC Address
  MAC address of the client.

RSSI
  Received signal strength indication. This value indicates the client signal strength detected by the device.

Transmitted Frames
  Number of transmitted frames.

Back Ground(Frames/Bytes)
  Statistics of background traffic, in frames or in bytes.

Best Effort(Frames/Bytes)
  Statistics of best effort traffic, in frames or in bytes.

Video(Frames/Bytes)
  Statistics of video traffic, in frames or in bytes.

Voice(Frames/Bytes)
  Statistics of voice traffic, in frames or in bytes.

Received Frames
  Number of received frames.

Discarded Frames
  Number of discarded frames.

Displaying RF ping information
Radio Frequency Ping (RF Ping) is a ping function performed on wireless links. This function enables you
to get the connection information between the AP and its associated clients, such as signal strength,
packet re-transmission attempts, and round trip time (RTT).
Select Summary > Client from the navigation tree to enter the Client page, click the Link Test Information
tab on the page, and click the name of the specified client to view the link test information of the client.
Figure 59 Viewing link test information

Table 58 Field description

Field Description

No./MCS
  • Rate number for a non-802.11n client.
  • MCS value for an 802.11n client.

Rate (Mbps)
  Rate at which the radio interface sends wireless ping frames.

TxCnt
  Number of wireless ping frames that the radio interface sent.

RxCnt
  Number of wireless ping frames that the radio interface received from the client.

RSSI
  Received signal strength indication. This value indicates the client signal strength detected by the AP.

Retries
  Total number of retransmitted ping frames.

RTT(ms)
  Round trip time.

Wireless access service configuration examples
Wireless service configuration example
Network requirement
As shown in Figure 60, enable the wireless function on the device to enable the client to access the
internal network resources at any time. More specifically:
• The device provides plain-text wireless access service with SSID service1.
• 802.11g is adopted.
Figure 60 Network diagram (the Router connects the Client, on SSID service1, to the IP network)

Configuration procedure
1. Configure a wireless service:
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 61:
Figure 61 Creating a wireless service

• Select the radio unit 1.


• Set the service name to service1.
• Select the wireless service type clear.
• Click Apply.
2. Enable the wireless service:
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
wireless service, as shown in Figure 62:

Figure 62 Enabling the wireless service

• Set the service1 option.


• Click Enable.
3. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the Radio Setup page,
as shown in Figure 63. Make sure 802.11g radio is enabled.
Figure 63 Enabling 802.11g radio

Verifying the configuration


If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you
can view the online clients.

Configuration guidelines
Follow these guidelines when you configure a wireless service:
• Select a correct district code.
• Make sure the radio unit is enabled.

Access service-based VLAN configuration example


Network requirements
An AP can provide multiple wireless access services. Different wireless access services can use different
wireless security policies, and can be bound to different VLANs to implement wireless access user
isolation.
As shown in Figure 64, configure wireless VLANs to satisfy the following requirements:
• Set up a wireless access service named research, and configure it to use the PSK authentication.
Clients that access the wireless network are in VLAN 2.
• Set up a wireless access service named office, and configure it to use the clear text authentication.
Clients that access the wireless network are in VLAN 3.

Figure 64 Network diagram (the Router connects to the IP network; SSID research in VLAN 2 serves client 0040-96b3-8a77, and SSID office in VLAN 3 serves client 0014-6c8a-43ff)

Configuration procedure
1. Configure a wireless service named research.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to enter the
page for creating a wireless service.
• Configure the name of the wireless service as research.
• Select the wireless service type crypto.
• Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can perform the VLAN settings (before this operation, select Network > VLAN and create
VLAN 2 first).
Figure 65 Setting the VLANs

• Type 2 in the VLAN (Untagged) input box.


• Type 2 in the Default VLAN input box.
• Type 1 in the Delete VLAN input box.
For the PSK-related settings, see "PSK authentication configuration example" and follow that example to complete the PSK configuration.
2. Configure a wireless service named office.
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to enter the
page for creating a wireless service.
• Configure the wireless service name as office.

• Select the wireless service type clear.
• Click Apply.
# After the wireless service is created, the system is automatically navigated to the wireless service page,
where you can configure the VLANs (first select Network > VLAN from the navigation tree, and create
VLAN 3).
Figure 66 Setting the VLANs

• Type 3 in the VLAN (Untagged) field.


• Type 3 in the Default VLAN field.
• Type 1 in the Delete VLAN field.
• Click Apply.
3. Verify the configuration
If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client
tab, you can view the online clients.
On this page, you can see that the client 0014-6c8a-43ff, which accesses the SSID office, is in
VLAN 3, while the client 0040-96b3-8a77, which accesses the SSID research, is in VLAN 2.
Because the two clients are in different VLANs, they cannot access each other.

PSK authentication configuration example


Network requirements
As shown in Figure 67, configure the client to access the wireless network by passing PSK authentication.
Configure the same PSK key 12345678 on the client and AP.
Figure 67 Network diagram

Configuration procedure
1. Configure a wireless service:
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 68:

Figure 68 Creating a wireless service

• Set the service name to psk.


• Select the wireless service type crypto.
• Click Apply.
2. Configure PSK authentication:
After you create a wireless service, you will enter the wireless service configuration page. You need to
perform security setup when configuring PSK authentication, as shown in Figure 69:
Figure 69 Configuring security settings

• Select the Open-System from the Authentication Type list.


• Select the Cipher Suite option, select CCMP and TKIP (select an encryption type as needed), and
then select WPA from the Security IE list.
• Select the Port Set option, and select psk from the Port Mode list.
• Select pass-phrase from the Preshared Key list, and type the key 12345678.
• Click Apply.
3. Enable the wireless service:
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 70:

Figure 70 Enabling the wireless service

• Select the psk option.


• Click Enable.
4. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make
sure 802.11g radio is enabled.

Verifying the configuration


• The same PSK pre-shared key is configured on the client. The client can successfully associate with
the device and can access the WLAN network.
• If you select Interface Setup > Wireless > Access Service from the navigation tree, and then click the
Client tab, you can view the online clients.
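Table 49 and Table 50 accept the PSK either as a pass-phrase of 8 to 63 displayable characters or as a raw hexadecimal key, and the example above uses the pass-phrase 12345678 on the service named psk. The two forms are related by the IEEE 802.11i derivation: the pass-phrase is expanded with PBKDF2-HMAC-SHA1 (4096 iterations, the SSID as salt, 32-byte output) into the 256-bit PSK, which is what the raw-key field carries as 64 hexadecimal digits. The script below is an added example, not H3C code; it validates both forms and derives the raw key from a pass-phrase so the value entered on the device can be compared with what a client derives. The function names are this example's own, and the SSID/pass-phrase pair is taken from the example above.

```python
"""Pass-phrase and raw-key forms of the WPA/WPA2 PSK.

Added example (not part of the H3C guide). Validates the two PSK entry
forms of Table 49/Table 50 and derives the raw key of a pass-phrase with the
802.11i PBKDF2 expansion, so device and client values can be compared.
"""
import hashlib
import string

_DISPLAYABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
_HEX = set(string.hexdigits)


def pass_phrase_error(phrase: str):
    """Return None for a valid pass-phrase (8 to 63 displayable characters), else an error."""
    if not 8 <= len(phrase) <= 63:
        return "pass-phrase must be 8 to 63 characters long"
    if not set(phrase) <= _DISPLAYABLE:
        return "pass-phrase must contain displayable characters only"
    return None


def raw_key_error(raw: str):
    """Return None for a valid raw key (64 hexadecimal digits, a 256-bit PSK), else an error."""
    if len(raw) != 64 or not set(raw) <= _HEX:
        return "raw key must be 64 hexadecimal digits"
    return None


def derive_psk(pass_phrase: str, ssid: str) -> str:
    """Return the raw-key (hex) equivalent of pass_phrase for the given SSID.

    This is the 802.11i expansion every WPA/WPA2 supplicant and AP performs:
    PSK = PBKDF2-HMAC-SHA1(pass_phrase, ssid, 4096 iterations, 32 bytes).
    """
    err = pass_phrase_error(pass_phrase)
    if err:
        raise ValueError(err)
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    psk = hashlib.pbkdf2_hmac("sha1", pass_phrase.encode(), ssid.encode(), 4096, 32)
    return psk.hex()


def psk_matches(configured_raw: str, pass_phrase: str, ssid: str) -> bool:
    """True when a client using pass_phrase on ssid derives the configured raw key."""
    err = raw_key_error(configured_raw)
    if err:
        raise ValueError(err)
    return configured_raw.lower() == derive_psk(pass_phrase, ssid)


if __name__ == "__main__":
    # Values from the PSK authentication configuration example (constructed input).
    raw = derive_psk("12345678", "psk")
    print("raw-key form of pass-phrase 12345678 on SSID psk:", raw)
    print("client with the same pass-phrase matches:", psk_matches(raw, "12345678", "psk"))
    print("client with a different pass-phrase matches:", psk_matches(raw, "12345679", "psk"))
```

Because the derivation is deterministic from the pass-phrase and the SSID, the strength of PSK authentication rests entirely on the pass-phrase; the eight-digit value in the example is a lab placeholder, and a production pass-phrase should use the full length and character range the field allows. Changing the SSID also changes the raw key, which is why a raw key copied from one service does not work on a service with a different SSID.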

Local MAC authentication configuration example


Network requirements
As shown in Figure 71, perform MAC authentication on the client.
Figure 71 Network diagram

Configuration procedure
1. Configure a wireless service
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 72:

Figure 72 Creating a wireless service

• Select the radio unit 1.


• Set the service name to mac-auth.
• Select the wireless service type clear.
• Click Apply.
2. Configure local MAC address authentication
After you create a wireless service, you enter the wireless service configuration page. You must perform
security setup when configuring MAC authentication, as shown in Figure 73:
Figure 73 Configuring security settings

• Select the Open-System from the Authentication Type list.


• Select the Port Set option, and select mac-authentication from the Port Mode list.
• Select the MAC Authentication option, and select system from the Domain list.
• Click Apply.
3. Enable the wireless service:

Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 74:
Figure 74 Enabling the wireless service

• Select the mac-auth option.


• Click Enable.
4. Configure a MAC authentication list:
Select Interface Setup > Wireless > Access Service from the navigation tree, and click MAC
Authentication List to enter the page for configuring a MAC authentication list, as shown in Figure 75:
Figure 75 Adding a MAC authentication list

• Add a local user in the MAC Address box. 00-14-6c-8a-43-ff is used in this example.
• Click Add.
5. Enable 802.11g radio (By default, 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
802.11g is enabled.

Verifying the configuration


If the MAC address of the client is in the MAC authentication list, the client can pass authentication and
access the WLAN network. If you select Interface Setup > Wireless > Access Service from the navigation
tree, and then click the Client tab, you can view the online clients.

Remote MAC authentication configuration example


Network requirements
Use the intelligent management center (IMC) as the RADIUS server for authentication, authorization, and
accounting (AAA). On the RADIUS server, configure the client’s username and password as the MAC
address of the client and the shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
The IP address of the device is 10.18.1.1. On the device, configure the shared key for communication with
the RADIUS server as expert, and configure the device to remove the domain name of a username before
sending it to the RADIUS server.

Figure 76 Network diagram

Configuration procedure
1. Configure wireless service
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Create to enter the
page for creating a wireless service, as shown in Figure 77:
Figure 77 Creating a wireless service

• Select radio unit 1.


• Set the wireless service name as mac-auth.
• Select the wireless service type clear.
• Click Apply.
2. Configure MAC authentication
After you create a wireless service, the wireless service configuration page appears. Then you can
configure MAC authentication on the Security Setup area, as shown in Figure 78:

Figure 78 Configuring security settings

• Select Open-System from the Authentication Type list.


• Select the Port Set option, and select mac-authentication from the Port Mode list.
• Select the MAC Authentication option, and select system from the Domain list.
• Click Apply.
3. Enable the wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page as shown
in the following figure.
Figure 79 Enabling the wireless service

• Select the mac-auth option.


• Click Enable.
4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
802.11g is enabled.
5. Configure the RADIUS server (IMCv3)
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to
illustrate the basic configuration of the RADIUS server.
# Add an access device.

Log in to IMC. Select the Service tab, and then select Access Service > Access Device from the navigation
tree to enter the access device configuration page. Click Add on the page to enter the configuration
page as shown in Figure 80:
• Input expert as the Shared Key.
• Add ports 1812, and 1813 for Authentication Port and Accounting Port.
• Select LAN Access Service for Service Type.
• Select H3C for Access Device Type.
• Select or manually add the access device with the IP address 10.18.1.1.
Figure 80 Adding access device

# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page. Set the
service name as mac, and keep the default values for other parameters.
Figure 81 Adding service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 82.

• Enter username 00-14-6c-8a-43-ff.
• Set the account name and password both as 00-14-6c-8a-43-ff.
• Select the service mac.
Figure 82 Adding account

6. Configure the RADIUS server (IMCv5)


The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to
illustrate the basic configurations of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select User Access Manager > Access Device
Management > Access Device from the navigation tree to enter the access device configuration page.
Click Add on the page to enter the configuration page as shown in Figure 83:
• Input 12345678 as the Shared Key, and keep the default values for other parameters.
• Select or manually add the access device with the IP address 10.18.1.1.
Figure 83 Adding access device

# Add service.

Select the Service tab, and then select User Access Manager > Service Configuration from the navigation
tree to enter the add service page. Then click Add on the page to enter the following configuration page.
Set the service name as mac, and keep the default values for other parameters.
Figure 84 Adding service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 85.
• Enter username 00146c8a43ff.
• Set the account name and password both as 00146c8a43ff.
• Select the service mac.
Figure 85 Adding account

Verifying the configuration


During authentication, the user does not need to input the username or password. After passing MAC
authentication, the client can associate with the device and access the WLAN. You can view the online
clients by selecting Interface Setup > Wireless > Summary from the navigation tree and then clicking the
Client tab.
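In the remote MAC authentication example the device and IMC share the key expert, the device address is 10.18.1.1, and the account name and password are both the client MAC address, with the device configured to strip the domain name before sending the username. The following is an added example, not H3C code, showing what that configuration means on the wire: an RFC 2865 Access-Request in which User-Password is hidden with the shared key, plus the parse and reveal steps the RADIUS server performs. The guide does not list the attributes the MSR actually sends, so the attribute set here (User-Name, User-Password, NAS-IP-Address, NAS-Port-Type) is an assumption, and because the guide shows the MAC both with dashes (IMCv3) and without (IMCv5), the username string is a parameter rather than a fixed format.

```python
"""RADIUS Access-Request as used for remote MAC authentication.

Added example (not H3C code). Builds and parses an RFC 2865 Access-Request
with the values of the remote MAC authentication example: shared key
"expert", device 10.18.1.1, username and password equal to the client MAC.
The attribute set is an assumption; the guide does not list what the MSR sends.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19  # RFC 2865 NAS-Port-Type "Wireless - IEEE 802.11"


def strip_domain(username: str) -> str:
    """Remove the domain suffix, as the guide configures the device to do."""
    return username.split("@", 1)[0]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server computes."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Return an Access-Request packet; the authenticator defaults to 16 random bytes."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


if __name__ == "__main__":
    # Constructed sample using the remote MAC authentication example's values.
    mac_user = strip_domain("00146c8a43ff@system")
    pkt = build_access_request(7, mac_user, mac_user, b"expert", "10.18.1.1")
    code, ident, auth, attrs = parse_packet(pkt)
    print(code, ident, attrs[USER_NAME], reveal_password(attrs[USER_PASSWORD], b"expert", auth))
```

The only secret protecting User-Password between the device and IMC is the shared key, and the hiding is MD5-based with no integrity check on the request, so the key should be long and random and the path between 10.18.1.1 and 10.18.1.88 should be a management network that wireless clients cannot reach; expert and 12345678 in the examples are lab placeholders. With a MAC-based account the "password" is the MAC address anyway, which is why MAC authentication is a device-identification step rather than a strong user credential.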

Remote 802.1X authentication configuration example
Network requirements
Use IMC as a RADIUS server for AAA. On the RADIUS server, configure the client’s username as user,
password as dot1x, and shared key as expert. The IP address of the RADIUS server is 10.18.1.88.
On the device, configure the shared key as expert, and configure the device to remove the domain name
of a username before sending it to the RADIUS server. The IP address of the device is 10.18.1.1.
Figure 86 Network diagram

Configuration procedure
1. Configure wireless service
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 87:
Figure 87 Creating a wireless service

• Select radio unit 1.


• Set the service name as dot1x.
• Select the wireless service type crypto.
• Click Apply.
2. Configure 802.1X authentication
After you create a wireless service, the wireless service configuration page appears. Then you can
configure 802.1X authentication on the Security Setup area, as shown in Figure 88:

Figure 88 Configuring security settings

• Select Open-System from the Authentication Type list.


• Select the Cipher Suite option, select CCMP from the Cipher Suite list, and select WPA2 from the
Security IE list.
• Select the Port Set option, and select userlogin-secure-ext from the Port Mode list.
• Select system from the Mandatory Domain list.
• Select EAP from the Authentication Method list.
• It is recommended that you disable Handshake and Multicast Trigger.
• Click Apply.
3. Enable the wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree.
• Select the dot1x option.
• Click Enable.
4. Enable 802.11g radio (By default, the 802.11g radio is enabled. Therefore, this step is optional.)
Select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio page. Make sure
802.11g is enabled.
5. Configure the RADIUS server (IMCv3)
The following takes the IMC (IMC PLAT 3.20-R2602 and IMC UAM 3.60-E6102) as an example to
illustrate the basic configuration of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select Access Service > Access Device from the navigation
tree to enter the access device configuration page. Click Add on the page to enter the configuration
page as shown in Figure 89:
• Input expert as the Shared Key.
• Add ports 1812, and 1813 for Authentication Port and Accounting Port.

• Select LAN Access Service for Service Type.
• Select H3C for Access Device Type.
• Select or manually add the access device with the IP address 10.18.1.1.
Figure 89 Adding access device

# Add a service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to
enter the add service page. Then click Add on the page to enter the following configuration page.
• Set the service name as dot1x.
• Set the Certificate Type to EAP-PEAP AuthN and the Certificate Sub Type to MS-CHAPV2 AuthN.

Figure 90 Adding a service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page shown in Figure 91.
• Enter username user.
• Set the account name as user and password as dot1x.
• Select the service dot1x.
Figure 91 Adding account

6. Configure the RADIUS server (IMCv5)

The following takes the IMC (the IMC versions are IMC PLAT 5.0 and IMC UAM 5.0) as an example to
illustrate the basic configurations of the RADIUS server.
# Add an access device.
Log in to IMC. Select the Service tab, and then select User Access Manager > Access Device
Management from the navigation tree to enter the access device configuration page. Click Add on the
page to enter the configuration page as shown in Figure 92:
• Input 12345678 as the Shared Key, and keep the default values for other parameters.
• Select or manually add the access device with the IP address 10.18.1.1.
Figure 92 Adding access device

# Add service.
Select the Service tab, and then select User Access Manager > Service Configuration from the navigation
tree to enter the add service page. Then click Add on the page to enter the following configuration page.
Set the service name as dot1x, select EAP-PEAP AuthN as the Certificate Type, and MS-CHAPV2 AuthN
as the Certificate Sub-Type.
Figure 93 Adding service

# Add an account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user
page. Then, click Add on the page to enter the page as shown in Figure 94.
• Enter username user.
• Set the account name user and password dot1x.
• Select the service dot1x.
Figure 94 Adding account

Verifying the configuration


• After you enter username user and password dot1x in the popup dialog box, the client can associate with the device and access the WLAN. Configure the client to validate the RADIUS server certificate during PEAP; a client that skips this check completes the MS-CHAPv2 exchange with any rogue AP that advertises the same SSID, exposing the credential to offline attack.
• To view the online clients, select Interface Setup > Wireless > Summary from the navigation tree, and then click the Client tab.

802.11n configuration example


Network requirements
As shown in Figure 95, configure the 802.11n-capable AP to allow the 802.11n client to access the
wireless network at a high rate.
Figure 95 Network diagram

[Figure 95 shows the Router providing the wireless service with SSID 11nservice to the Client and connecting to the IP network.]

Configuration procedure
1. Configure a wireless service
# Create a wireless service.
Select Interface Setup > Wireless > Access Service from the navigation tree, and click Add to enter the
page for creating a wireless service, as shown in Figure 96:

Figure 96 Creating a wireless service

• Select the radio unit 1.


• Set the service name to 11nservice.
• Select the wireless service type clear.
• Click Apply.
2. Enable the wireless service
Select Interface Setup > Wireless > Access Service from the navigation tree to enter the page for enabling
a wireless service, as shown in Figure 97:
Figure 97 Enabling the wireless service

• Select the 11nservice option.


• Click Enable.
3. Enable the 802.11n (2.4 GHz) radio. By default, the 802.11n (2.4 GHz) radio is enabled, so this step is optional.

Verifying the configuration


If you select Interface Setup > Wireless > Summary from the navigation tree, and click the Client tab, you
can view the online clients.
Among these online clients, 0014-6c8a-43ff is an 802.11g client and 001e-c144-473a is an 802.11n
client. In this example, client types are not restricted, so both 802.11g and 802.11n clients can
access the wireless network. If Client 802.11n Only is configured, only 001e-c144-473a can access the
wireless network.

Configuration guidelines
When you configure 802.11n, follow these guidelines:
• Select Interface Setup > Wireless > Radio from the navigation tree, select the radio unit to be
configured, and click the corresponding icon to enter the radio configuration page, where you

can modify the 802.11n-related parameters, including Bandwidth Mode, A-MSDU, A-MPDU, Short
GI, and Client 802.11n Only (permitting only 802.11n users to access the wireless network).
• Make sure 802.11n(2.4GHZ) is enabled.
• Select Interface Setup > Wireless > Radio from the navigation tree to modify the 802.11n rate.

Client mode

In client mode, the router accesses the wireless network as a client. Multiple hosts or printers in the
wired network can then reach the wireless network through the router.
Figure 98 Client mode

Enabling the client mode


Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Connect
Setup.
Figure 99 Enabling the client mode

Select the radio unit to be enabled, and then click Enable.

NOTE:
• Support for radio mode types depends on your device model.
• You cannot enable an access service or WDS service on a radio interface with the client mode enabled.
• To modify the radio mode, select Radio > Radio from the navigation tree, click the icon of the target
radio, and change the radio mode in the Radio Mode option.
• If the 802.11(2.4GHz) client mode is used, the client can scan 802.11(2.4GHz) wireless services.

With the client mode enabled, you can check the existing wireless services in the wireless service list.
Figure 100 Checking the wireless service list

Connecting the wireless service


1. Method 1
Click the Connect icon of the wireless service in the wireless service list, and a SET CODE dialog box
shown in Figure 101 appears.
Figure 101 Setting a code

The following authentication modes are supported:


• Open System
• Shared key
• RSN + PSK

Table 59 Configuration items

AuthMode: Network authentication mode, which can be:
  • Open System—Open system authentication, namely, no authentication.
  • Shared Key—Shared key authentication, which requires the client and the device to be configured with the same shared key.
  • RSN+PSK—PSK authentication.
CipherSuite: Data encryption mode, which can be:
  • Clear—No encryption.
  • WEP—WEP encryption.
  • TKIP/CCMP—TKIP/CCMP encryption.
Password: The WEP key, or the PSK passphrase when AuthMode is RSN+PSK.
KeyID: WEP has four static keys, with key indexes 1, 2, 3, and 4. The key corresponding to the specified key index is used for encrypting and decrypting frames.

Open System with Clear and Shared Key with WEP provide no effective confidentiality. Where the AP offers it, connect with RSN+PSK and CCMP, as the configuration example later in this section does.

2. Method 2
You can also specify the wireless service to connect to by name, on the page displayed after you click
the Connect icon of a wireless service, as shown in Figure 102.
Figure 102 Associating the specified wireless service

Enter the specified wireless service in the Wireless Service Name field, and click Connect. Then the
dialog box in Figure 101 appears. Set the options on the dialog box according to the specified wireless
service type.

Displaying statistics
Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Statistic
Information to enter the page shown in Figure 103.
Figure 103 Displaying statistics

Client mode configuration example
Network requirements
As shown in Figure 104, the router accesses the wireless network as a client. The Ethernet interface of the
router connects to multiple hosts or printers in the wired network, and thus the wired network is connected
to the wireless network through the router.
• The AP accesses the wired LAN, and the router accesses the AP as a client.
• The router accesses the wireless service psk by passing the RSN(CCMP)+PSK authentication.
• Client with MAC address 0014-6c8a-43ff also accesses the wireless service psk.
Figure 104 Network diagram

[Figure 104 shows the Internet, the Gateway, and the AP providing the wireless service psk; the Client and the Router associate with the AP as PSK clients, and the PC and Printer sit on the wired side of the Router.]

Configuration procedure
1. Enable the client mode
Select Interface Setup > Wireless Service > Client Mode from the navigation tree and click Connect Setup
to enter the page shown in Figure 105.

Figure 105 Enabling the client mode

Select the option corresponding to 802.11g and click Enable. With the client mode enabled, you can
check the existing wireless services in the wireless service list.
Figure 106 Checking the wireless service list

2. Connect the wireless service


Click the Connect icon of the wireless service psk in the wireless service list, and a SET CODE dialog box
shown in Figure 107 appears.
Figure 107 Setting a code

• Specify the AuthMode as RSN+PSK.


• Specify the CipherSuite as CCMP/AES.
• Set the Password to that on the AP, 12345678.
• Click Apply.
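The following is an added example, not code from the H3C guide, showing what the SET CODE settings above amount to cryptographically: the passphrase (12345678) and the SSID (psk) of the wireless service determine the PMK, and the 4-way handshake with the AP turns the PMK into the key that authenticates the EAPOL-Key frames. The MAC addresses, nonces, EAPOL-Key body and word list are constructed for the example; the derivation steps are the standard WPA2-Personal ones.

```python
"""RSN+PSK key derivation behind the SET CODE dialog.

Added example; this is not code from the H3C guide.  It reproduces the standard
WPA2-Personal derivation: passphrase and SSID give the PMK, the PMK plus the MAC
addresses and nonces exchanged in the 4-way handshake give the PTK, and the
first 16 bytes of the PTK (the KCK) authenticate the EAPOL-Key frames.  Anyone
who captures that handshake can test candidate passphrases offline, which is
why the passphrase 12345678 used in the example is a lab value only.
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK, the AP (aa) and client (spa) addresses, and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2 (PSK) with CCMP: HMAC-SHA1 truncated to 128 bits.

    eapol_frame is the EAPOL-Key frame with its MIC field set to zero.
    """
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def handshake_mic(passphrase, ssid, aa, spa, anonce, snonce, eapol_frame):
    """MIC that a client holding this passphrase puts on message 2 of the handshake."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return eapol_mic(kck, eapol_frame)


def offline_guess(candidates, ssid, aa, spa, anonce, snonce, eapol_frame, captured_mic):
    """The attacker's loop: one PBKDF2 run per candidate and no traffic to the AP."""
    for passphrase in candidates:
        mic = handshake_mic(passphrase, ssid, aa, spa, anonce, snonce, eapol_frame)
        if hmac.compare_digest(mic, captured_mic):
            return passphrase
    return None


# Constructed handshake values for the example network.  SSID "psk" and the
# passphrase are from the configuration example; addresses, nonces and the
# EAPOL-Key body are made up (locally administered MACs, fixed nonces).
SSID = "psk"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = b"\x02\x03\x00\x5f\x02\x01\x0a" + bytes(90)   # MIC field already zeroed


def demo() -> str:
    """Derive the MIC the lab client would send, then recover the passphrase from it."""
    captured = handshake_mic("12345678", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2)
    wordlist = ["password", "letmein1", "12345678", "correct horse battery"]
    return offline_guess(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, captured)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

The cost of each guess is the 4096-iteration PBKDF2 in derive_pmk, which is why the passphrase length and randomness, not the CCMP cipher, decide how long a captured handshake protects the link.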

Verifying the configuration
On the AP shown in Figure 104, select Interface Setup > Wireless Service > Summary > Client from the
navigation tree to enter the page shown in Figure 108, where you can check that the router is online.
Figure 108 Making sure the workgroup bridge is online

• You can see that the client with MAC address 0014-6c8a-43ff and the router with MAC address
000f-e2333-5510 have been successfully associated with the AP.
• The wired devices on the right (such as printers and PCs) can access the wireless network through
the router.

Configuration guidelines
As shown in Figure 109, if the router uses two radio interfaces at the same time, the client connecting to
radio 2 can access the AP through the router.
Figure 109 Network diagram

[Figure 109 shows the Internet, the Gateway, and the AP; the Router connects to the AP on Radio 1 and serves its own Clients on Radio 2.]

Configuring radios

802.11b/g operates in 2.4 GHz band, 802.11a in 5 GHz band, and 802.11n in both 2.4 GHz and 5
GHz bands. Each band can be divided into multiple channels for wireless communication. You can
configure and adjust the channels to achieve optimal performance.
To configure a radio, select Interface Setup > Wireless > Radio from the navigation tree to enter the Radio
page, select the desired AP, and click the icon to enter the radio setup page, as shown in Figure 110:

Figure 110 Configuring radio

Table 60 Configuration items

Radio Unit: Selected radio.
Radio Mode: Selected radio mode.
Transmit Power: Maximum radio transmission power, which varies with country code, channel, radio mode, and antenna type. In 802.11n mode, the maximum transmit power also depends on the bandwidth mode.
Channel: Working channel of the radio, which varies with radio type and country code. auto means the working channel is selected automatically: the AP checks the channel quality in the WLAN and selects the channel with the best quality. If you modify the working channel, the transmit power is adjusted automatically.
802.11n bandwidth mode: Available only when the device supports 802.11n. 802.11n can bond two adjacent 20-MHz channels into a 40-MHz channel. During data forwarding, the two 20-MHz channels can work separately, one as the primary channel and the other as the secondary channel, or work together as a 40-MHz channel, which is a simple way of doubling the data rate. By default, the channel bandwidth of the 802.11n (5 GHz) radio is 40 MHz and that of the 802.11n (2.4 GHz) radio is 20 MHz.
  IMPORTANT:
  • If the channel bandwidth is set to 40 MHz, a 40-MHz channel is used as the working channel. If no 40-MHz channel is available, a 20-MHz channel is used. For the specifications, see IEEE P802.11n D2.00.
  • If you modify the bandwidth mode, the transmit power is adjusted automatically.
client dot11n-only: If you select this option, non-802.11n clients are prohibited from access. To provide access for 802.11a/b/g clients as well, disable this function.
A-MSDU: Selecting the A-MSDU option enables A-MSDU. Multiple MSDUs can be aggregated into a single A-MSDU, which reduces MAC header overhead and improves MAC-layer forwarding efficiency. The device can only receive A-MSDUs.
  IMPORTANT:
  When 802.11n radios are used in a mesh WLAN, make sure that they have the same A-MSDU configuration.
A-MPDU: Selecting the A-MPDU option enables A-MPDU. 802.11n introduces the A-MPDU frame format: with a single PHY header, each A-MPDU carries multiple MAC Protocol Data Units (MPDUs) whose own PHY headers are removed. This reduces transmission overhead and the number of ACK frames, and thus improves throughput.
  IMPORTANT:
  When 802.11n radios are used in a mesh WLAN, make sure that they have the same A-MPDU configuration.
short GI: Selecting the short GI option enables short GI. Because of multipath reception, a frame can arrive delayed and overlap the frame sent before it; the guard interval (GI) between frames absorbs that delay. A short GI shortens the interval and increases throughput by about 10 percent. Short GI is independent of bandwidth and is supported at both 20 MHz and 40 MHz.

Figure 111 Configuring advanced settings for the radio

Table 61 Configuration items

Preamble: A preamble is a pattern of bits at the beginning of a frame that lets the receiver synchronize before the real data arrives. There are two kinds:
  • Short preamble. A short preamble improves network performance, so this option is always selected.
  • Long preamble. A long preamble keeps the access point compatible with legacy client devices that do not support the short preamble. Select this option when such clients must be served.
  802.11a and 802.11n (5 GHz) do not support this configuration.
Transmit Distance: Maximum coverage of the radio.
ANI: Adaptive Noise Immunity. When ANI is enabled, the device automatically adjusts its noise immunity level according to the surrounding signal environment to reduce the effect of RF interference.
  • Enable—Enables ANI.
  • Disable—Disables ANI.
Client Max Count: Maximum number of clients that can be associated with one radio.
Fragment Threshold: Maximum length of a frame that can be transmitted without fragmentation. A frame longer than the fragment threshold is fragmented.
  • In a wireless network with a high error rate, lower the fragment threshold to a reasonable value. When a fragment is lost, only that fragment rather than the whole frame is retransmitted, which improves throughput.
  • In a wireless network where collisions are rare, raise the fragment threshold to a reasonable value to reduce the number of acknowledgement packets and thus increase throughput.
Beacon Interval: Interval for sending beacon frames. Beacon frames are transmitted at a regular interval to allow mobile clients to join the network, and clients use them to identify nearby APs or network control devices.
RTS Threshold: Request to send (RTS) threshold length. If a frame is larger than this value, the RTS mechanism is used. RTS is used to avoid data collisions in a WLAN. A smaller RTS threshold causes RTS packets to be sent more often, consuming more of the available bandwidth, but also lets the system recover more quickly from interference or collisions. In a high-density WLAN, lower the RTS threshold to a reasonable value to reduce collisions.
  IMPORTANT:
  The RTS mechanism occupies bandwidth. Therefore, it applies only to data frames larger than the RTS threshold.
DTIM Period: Number of beacon intervals between delivery traffic indication message (DTIM) transmissions. The device sends buffered broadcast/multicast frames when the DTIM counter reaches 0.
Long Retry Threshold: Number of retransmission attempts for unicast frames larger than the RTS threshold.
Short Retry Threshold: Number of retransmission attempts for unicast frames smaller than the RTS threshold when no acknowledgment is received.
Max Receive Duration: Interval for which a frame received by the device can stay in the buffer memory.

Configuring data transmit rates


Configuring 802.11a/802.11b/802.11g rates
Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab to enter the
page shown in Figure 112:
Figure 112 Setting 802.11a/802.11b/802.11g rates

Table 62 Configuration items

802.11a: Configure rates (in Mbps) for 802.11a. By default:
  • Mandatory rates—6, 12, and 24.
  • Supported rates—9, 18, 36, 48, and 54.
  • Multicast rate—Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11b: Configure rates (in Mbps) for 802.11b. By default:
  • Mandatory rates—1 and 2.
  • Supported rates—5.5 and 11.
  • Multicast rate—Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.
802.11g: Configure rates (in Mbps) for 802.11g. By default:
  • Mandatory rates—1, 2, 5.5, and 11.
  • Supported rates—6, 9, 12, 18, 24, 36, 48, and 54.
  • Multicast rate—Automatically selected from the mandatory rates. The transmission rate of multicasts in a BSS is selected from the mandatory rates supported by all the clients.

Configuring 802.11n MCS


Configuration of mandatory and supported 802.11n rates is achieved by specifying the maximum
Modulation and Coding Scheme (MCS) index.
Select Interface Setup > Wireless > Radio from the navigation tree, and click the Rate tab to enter the
page shown in Figure 113:
Figure 113 Setting 802.11n rate

Table 63 Configuration items

Mandatory Maximum MCS: Set the maximum MCS index for 802.11n mandatory rates.
  IMPORTANT:
  If you select the client dot11n-only option, you must configure the mandatory maximum MCS.
Multicast MCS: Set the multicast MCS for 802.11n. The multicast MCS is used only when all the clients are 802.11n clients. If a non-802.11n client exists, multicast traffic is transmitted at a mandatory rate.
  IMPORTANT:
  When the multicast MCS takes effect, the data rates defined for 20 MHz are used regardless of whether the 802.11n radio operates in 40-MHz or 20-MHz mode.
Supported Maximum MCS: Set the maximum MCS index for 802.11n supported rates.

For more information about MCS, see WLAN Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).
Make the MCS configuration the same on all APs in mesh configuration.

Displaying radio
Displaying WLAN services bound to a radio
Select Interface Setup > Wireless > Summary from the navigation tree, click the Radio tab, click the
specified radio unit, and select the Wireless Service tab to view the WLAN services bound to the radio.
Figure 114 Displaying WLAN services bound to the radio

The Noise Floor item in the table indicates the level of background radio noise (random electromagnetic
signals) during wireless communication. In an environment with a high noise floor, you can improve the
signal-to-noise ratio (SNR) by increasing the transmit power or by reducing the noise floor.

Displaying detailed radio information


Select Interface Setup > Wireless > Summary from the navigation tree, and click the Radio tab. Then click
the specified radio unit, and select the Detail Info tab to view the corresponding detailed information.

Figure 115 Displaying detailed radio information

Table 64 Field description

WLAN-Radio1/0 current state: UP
  State of the radio interface.
IP Packet Frame Type
  Output frame encapsulation type.
Hardware Address
  MAC address of the radio interface.
Radio-type dot11a
  WLAN protocol type used by the interface.
channel
  Channel used by the interface. The keyword auto means the channel is selected automatically. If the channel is configured manually, the field is displayed in the format channel configured-channel.
power(dBm)
  Transmit power of the interface (in dBm).
Received: 2 authentication frames, 2 association frames
  Number of authentication and association frames received.
Sent out: 2 authentication frames, 2 association frames
  Number of authentication and association frames sent.
Stations: 0 associating, 2 associated
  Number of stations that are associating and number of stations that are associated.
Input : 70686 packets, 6528920 bytes
      : 255 unicasts, 34440 bytes
      : 70461 multicasts/broadcasts, 6494480 bytes
      : 0 fragmented
      : 414 discarded, 26629 bytes
      : 0 duplicates, 3785 FCS errors
      : 0 decryption errors
  Input packet statistics of the interface:
  • Number of packets and number of bytes.
  • Number of unicast packets and their bytes.
  • Number of multicast/broadcast packets and their bytes.
  • Number of fragmented packets.
  • Number of discarded packets and their bytes.
  • Number of duplicate frames and number of FCS errors.
  • Number of decryption errors.
Output: 3436 packets, 492500 bytes
      : 3116 unicasts, 449506 bytes
      : 320 multicasts/broadcasts, 42994 bytes
      : 0 fragmented
      : 948 discarded, 100690 bytes
      : 0 failed RTS, 1331 failed ACK
      : 4394 transmit retries, 1107 multiple transmit retries
  Output packet statistics of the interface:
  • Number of packets and number of bytes.
  • Number of unicast packets and their bytes.
  • Number of multicast/broadcast packets and their bytes.
  • Number of fragmented packets.
  • Number of discarded packets and their bytes.
  • Number of failed RTS packets and number of failed ACK packets.
  • Number of transmit retries and number of frames that needed multiple retries.

Configuring WLAN security

When it comes to security, a WLAN is inherently weaker than a wired LAN because all the wireless
devices use the air as the transmission medium, so data transmitted by one device can be received by any
other device within the coverage of the WLAN. To improve WLAN security, you can use white and black
lists and user isolation to control user access and behavior.

Blacklist and white list


You can configure the blacklist and white list functions to filter frames from WLAN clients and thereby
implement client access control.
WLAN client access control is accomplished through the following three types of lists:
• White list—Contains the MAC addresses of all clients allowed to access the WLAN. If the white list
is used, only the listed clients can access the WLAN, and all frames from other clients are discarded.
• Static blacklist—Contains the MAC addresses of clients forbidden to access the WLAN. This list is
configured manually.
• Dynamic blacklist—Contains the MAC addresses of clients whose frames are dropped. A client is
added to this list automatically when it is detected sending attack frames, and the entry stays until
its timer expires.
When the device receives an 802.11 frame, it checks the source MAC address of the frame and processes
the frame as follows:
1. If white list entries exist, the white list decides: a frame whose source MAC address matches no
entry is dropped, and a frame with a match is considered valid and processed further.
2. If no white list entries exist, the static and dynamic blacklists are searched. If the source MAC
address matches an entry in either list, the frame is dropped. If there is no match, or no blacklist
entries exist, the frame is considered valid and processed further.
These lists check only the source MAC address, which is sent unencrypted in every 802.11 frame and can
be changed by the sender. Treat them as a way to keep known-bad or unwanted clients off the WLAN, not
as a substitute for the authentication and encryption configured in the wireless service.

Configuring the blacklist and white list functions


Configuring dynamic blacklist
Select Interface Setup > Wireless > Security from the navigation tree, and then select the Blacklist tab to
enter the dynamic blacklist configuration page, as shown in Figure 116.

Figure 116 Configuring dynamic blacklist

Table 65 Configuration items

Dynamic Blacklist:
  • Enable—Enables the dynamic blacklist.
  • Disable—Disables the dynamic blacklist.
  IMPORTANT:
  Before enabling the dynamic blacklist function, select the Flood Attack Detect option on the WIDS Setup page.
Lifetime: Lifetime of the entries in the dynamic blacklist. When the lifetime of an entry expires, the entry is removed from the blacklist.

At present, these attacks can be detected through a dynamic blacklist: Assoc-Flood, Reassoc-Flood,
Disassoc-Flood, ProbeReq-Flood, Action-Flood, Auth-Flood, Deauth-Flood and NullData-Flood.
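The following is an added example, not code from the H3C guide, that models both the frame-filtering rules given under "Blacklist and white list" and the dynamic blacklist just described: a source that floods one of the listed management frame types is blacklisted until the entry's lifetime expires. The flood threshold, the detection window, the explicit clock argument and the attacker's MAC address are assumptions made for the example; the guide only names the flood types detected and the Lifetime setting.

```python
"""White list, static blacklist and dynamic blacklist frame filtering.

Added example; this is not code from the H3C guide.  It models the decision
rules described above (a non-empty white list is authoritative; otherwise the
static and dynamic blacklists are searched) together with the dynamic
blacklist behaviour that WIDS flood detection feeds: a source that sends more
than a threshold of one management frame type inside a window is blacklisted
until the entry's lifetime expires.  The threshold, the window and the explicit
clock parameter are assumptions made for the example; the guide only names the
flood types detected.
"""
from collections import defaultdict, deque

FLOOD_TYPES = {"assoc", "reassoc", "disassoc", "probe_req",
               "action", "auth", "deauth", "null_data"}


def normalize_mac(mac: str) -> str:
    """Accept H3C xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; return 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


class WlanAccessControl:
    def __init__(self, lifetime_s=300.0, flood_threshold=50, flood_window_s=1.0,
                 flood_detect=False):
        self.whitelist = set()
        self.static_blacklist = set()
        self.dynamic_blacklist = {}          # mac -> expiry time
        self.dynamic_enabled = False
        self.flood_detect = flood_detect     # "Flood Attack Detect" on the WIDS Setup page
        self.lifetime_s = lifetime_s
        self.flood_threshold = flood_threshold
        self.flood_window_s = flood_window_s
        self._recent = defaultdict(deque)    # (mac, frame_type) -> arrival times

    def add_whitelist(self, mac):
        self.whitelist.add(normalize_mac(mac))

    def add_static_blacklist(self, mac):
        self.static_blacklist.add(normalize_mac(mac))

    def enable_dynamic_blacklist(self):
        if not self.flood_detect:
            raise RuntimeError("select Flood Attack Detect before enabling the dynamic blacklist")
        self.dynamic_enabled = True

    def _expire(self, now):
        for mac in [m for m, t in self.dynamic_blacklist.items() if t <= now]:
            del self.dynamic_blacklist[mac]

    def _flood_check(self, mac, frame_type, now):
        """Count frames of this type from this source; blacklist the source on a flood."""
        if not (self.flood_detect and frame_type in FLOOD_TYPES):
            return
        recent = self._recent[(mac, frame_type)]
        recent.append(now)
        while recent and recent[0] <= now - self.flood_window_s:
            recent.popleft()
        if len(recent) > self.flood_threshold and self.dynamic_enabled:
            self.dynamic_blacklist[mac] = now + self.lifetime_s

    def filter_frame(self, src_mac, frame_type, now):
        """Return 'accept' or 'drop' for an 802.11 frame from src_mac received at time now."""
        mac = normalize_mac(src_mac)
        self._expire(now)
        self._flood_check(mac, frame_type, now)
        if self.whitelist:                   # step 1: a white list, when present, decides
            return "accept" if mac in self.whitelist else "drop"
        if mac in self.static_blacklist or mac in self.dynamic_blacklist:
            return "drop"                    # step 2: otherwise the blacklists are searched
        return "accept"


def demo():
    """Constructed trace: a legitimate client, a deauth flood, and expiry of the entry."""
    ac = WlanAccessControl(lifetime_s=300, flood_threshold=50, flood_window_s=1.0,
                           flood_detect=True)
    ac.enable_dynamic_blacklist()
    trace = {"client": ac.filter_frame("0014-6c8a-43ff", "data", 0.0)}
    flood = [ac.filter_frame("0200-0000-0bad", "deauth", 10.0 + i * 0.01) for i in range(60)]
    trace["flood_first"], trace["flood_last"] = flood[0], flood[-1]
    trace["attacker_data_later"] = ac.filter_frame("0200-0000-0bad", "data", 20.0)
    trace["attacker_after_lifetime"] = ac.filter_frame("0200-0000-0bad", "data", 311.0)
    return trace


if __name__ == "__main__":
    print(demo())
```

Note the consequence of the page's ordering: once any white list entry exists, the blacklists are no longer consulted, so a whitelisted address that floods keeps its access, and a spoofed whitelisted source address passes the filter unconditionally.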

Configuring static blacklist


On the blacklist configuration page shown in Figure 116, select the Static tab to enter the static
blacklist page, as shown in Figure 117, and then click Add Static to add an entry.
Figure 117 Configuring static blacklist

Table 66 Configuration items

You can configure a static blacklist in either of the following two ways:
MAC Address: Select the MAC Address option, and then add a MAC address to the static blacklist.
Select Current Connect Client: If you select this option, the table below lists the currently connected clients. Select the check boxes of the clients to add their MAC addresses to the static blacklist.

Configuring white list


Select Interface Setup > Wireless > Security from the navigation tree, and then select the Whitelist tab.
Click Add to enter the white list configuration page, as shown in Figure 118.
Figure 118 Configuring white list

Table 67 Configuration items

You can configure a white list in either of the following two ways:
MAC Address: Select the MAC Address option, and then add a MAC address to the white list.
Select Current Connect Client: If you select this option, the table below lists the currently connected clients. Select the check boxes of the clients to add their MAC addresses to the white list.

Configuring user isolation


If a device has the user isolation feature enabled, clients associated with it are isolated at Layer 2.
As shown in Figure 119, after user isolation is enabled on the device, all the clients cannot ping each
other or learn each other's MAC or IP addresses, because they cannot exchange Layer 2 packets.

Figure 119 Network diagram

To configure user isolation:


Select Interface Setup > Wireless > Security from the navigation tree, and click the User Isolate tab to
enter the page as shown in Figure 120.
Figure 120 Configuring user isolation

Table 68 Configuration items

User Isolate:
  • Enable—Enables user isolation on the AP to isolate the clients associated with it at Layer 2.
  • Disable—Disables user isolation.
  By default, wireless user isolation is disabled.

Configuring WLAN QoS

An 802.11 network offers wireless access based on the carrier sense multiple access with collision
avoidance (CSMA/CA) channel contention. All clients accessing the WLAN have equal channel
contention opportunities, and all applications carried on the WLAN use the same channel contention
parameters. A live WLAN, however, is required to provide differentiated access services to address
diversified requirements of applications for bandwidth, delay, and jitter.
To provide applications with QoS services, IEEE developed 802.11e for the 802.11-based WLAN
architecture.
While IEEE 802.11e was being standardized, Wi-Fi Alliance defined the Wi-Fi Multimedia (WMM)
standard to allow QoS provision devices of different vendors to interoperate. WMM makes a WLAN
network capable of providing QoS services.
For more information about the WLAN QoS terminology and the WMM protocol, see WLAN
Configuration Guide in H3C MSR Series Routers Configuration Guides (V5).

Configuring wireless QoS


Enabling wireless QoS
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the QoS Service
tab to enter the page displaying the QoS, as shown in Figure 121.
Figure 121 Enabling wireless QoS

Select the box in front of the radio unit to be configured, and click Enable. By default, wireless QoS is
enabled.
802.11n builds on the WMM protocol. Therefore, when the radio operates in 802.11n (5 GHz) or 802.11n
(2.4 GHz) radio mode, you must enable WMM; otherwise, the associated 802.11n clients may fail to
communicate.

Setting the SVP service


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface, and
then select QoS Service to enter the page for displaying wireless QoS, as shown in Figure 122.

Figure 122 Enabling Wireless QoS

Find the desired radio in the AP list, and click the icon in the Operation column to enter the page for
setting SVP mapping, as shown in Figure 123.
Figure 123 Setting the SVP mapping AC

Table 69 Configuration items

Radio: Selected radio.
SVP Mapping: Select the SVP Mapping option, and then select the AC to which the SVP service is mapped: AC-VO, AC-VI, AC-BE, or AC-BK. SVP mapping applies only to non-WMM client access.

Setting CAC admission policy


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface,
select the QoS Service tab, find the desired radio in the list, and click the corresponding icon in the
Operation column to enter the page for setting CAC admission policy, as shown in Figure 124.

Figure 124 Setting CAC admission policy

Table 70 Configuration items

Client Number: Users-based admission policy, namely, the maximum number of clients allowed to be connected. A client is counted only once, even if it uses both AC-VO and AC-VI. By default, the users-based admission policy applies, with a maximum of 20 users.
Channel Utilization: Channel utilization-based admission policy, namely, the ratio of the medium time of the accepted AC-VO and AC-VI traffic to the valid time within a unit time. The valid time is the total time during which data is transmitted.

Setting radio EDCA parameters for APs


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface,
select the QoS Service tab, find the desired radio in the list, and click the corresponding icon in the
Operation column to enter the page for configuring wireless QoS. Find the priority type (AC_BK is taken
for example here) to be modified in the radio EDCA list, and click the corresponding icon in the
Operation column to enter the page for setting radio EDCA parameters.
Figure 125 Setting radio EDCA parameters

Table 71 Configuration items

Radio: Selected radio.
Priority type: Priority type (access category).
AIFSN: Arbitration inter-frame spacing number used by the device.
TXOP Limit: Transmission opportunity limit used by the device.
ECWmin: Exponent form of CWmin used by the device.
ECWmax: Exponent form of CWmax used by the device.
No ACK: If you select the box before No ACK, the device uses the No ACK policy. By default, the device uses the normal ACK policy.

Table 72 Default radio EDCA parameters

AC TXOP Limit AIFSN ECWmin ECWmax


AC-BK 0 7 4 10

AC-BE 0 3 4 6

AC-VI 94 1 3 4

AC-VO 47 1 2 3

ECWmin cannot be greater than ECWmax.


On a device operating in 802.11b radio mode, H3C recommends that you set the TXOP Limit to 0, 0, 188,
and 102 for AC-BK, AC-BE, AC-VI, and AC-VO, respectively.

Setting EDCA parameters for wireless clients


Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left of the interface,
select the QoS Service tab, find the desired radio in the list, and click the corresponding icon in the
Operation column to enter the page for setting wireless QoS. In the Client EDCA list, find the priority type
(AC_BK is taken for example here) to be modified, and click the corresponding icon in the Operation
column to enter the page for setting client EDCA parameters, as shown in Figure 126.
Figure 126 Setting client EDCA parameters

Table 73 Configuration items

Radio: Selected radio.
Priority type: Priority type (access category).
AIFSN: Arbitration inter-frame spacing number used by clients.
TXOP Limit: Transmission opportunity limit used by clients.
ECWmin: Exponent form of CWmin used by clients.
ECWmax: Exponent form of CWmax used by clients.
CAC:
  • Enable—Enables CAC.
  • Disable—Disables CAC.
  AC-VO and AC-VI support CAC, which is disabled by default. This item is not available for AC-BE or AC-BK, because they do not support CAC.

Table 74 Default EDCA parameters for clients

AC TXOP Limit AIFSN ECWmin ECWmax


AC-BK 0 7 4 10

AC-BE 0 3 4 10

AC-VI 94 2 3 4

AC-VO 47 2 2 3

ECWmin cannot be greater than ECWmax.


If all clients operate in 802.11b radio mode, set the TXOP Limit to 188 for AC-VI and 102 for AC-VO.
If some clients operate in 802.11b radio mode and others in 802.11g radio mode, the TXOP Limit values in
Table 74 are recommended.
Once you enable CAC for an AC, it is enabled automatically for all ACs with higher priority. For example,
if you enable CAC for AC-VI, CAC is also enabled for AC-VO. However, enabling CAC for AC-VO does
not enable CAC for AC-VI.
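The following is an added example, not code from the H3C guide, that turns the EDCA tables and rules above into checks: it expands the exponent form ECWmin/ECWmax into contention-window sizes, converts the TXOP Limit to microseconds, computes the AIFS for each access category, rejects a table where ECWmin exceeds ECWmax, and applies the CAC rule that enabling CAC on an AC also enables it on every higher-priority AC. The slot and SIFS times per PHY and the 32 microsecond unit of the TXOP Limit are standard IEEE 802.11/802.11e values assumed for the example; they do not appear on the page.

```python
"""EDCA and CAC sanity checks for the tables above.

Added example; this is not code from the H3C guide.  It expands the exponent
form the pages use (ECWmin/ECWmax) into contention-window sizes, converts the
TXOP Limit to microseconds, computes the AIFS each access category waits,
enforces the rule that ECWmin cannot exceed ECWmax, and applies the CAC rule
that enabling CAC on an AC also enables it on every higher-priority AC.  The
slot and SIFS times and the 32 us TXOP Limit unit are IEEE 802.11/802.11e
values assumed here; they do not appear on the page.
"""
AC_ORDER = ["AC-BK", "AC-BE", "AC-VI", "AC-VO"]     # lowest to highest priority
CAC_CAPABLE = {"AC-VI", "AC-VO"}                     # AC-BE and AC-BK do not support CAC

# (TXOP Limit, AIFSN, ECWmin, ECWmax) defaults from Table 72 (radio) and Table 74 (clients)
RADIO_DEFAULTS = {"AC-BK": (0, 7, 4, 10), "AC-BE": (0, 3, 4, 6),
                  "AC-VI": (94, 1, 3, 4), "AC-VO": (47, 1, 2, 3)}
CLIENT_DEFAULTS = {"AC-BK": (0, 7, 4, 10), "AC-BE": (0, 3, 4, 10),
                   "AC-VI": (94, 2, 3, 4), "AC-VO": (47, 2, 2, 3)}
# TXOP Limit values the page recommends when every client is 802.11b
TXOP_11B_ONLY = {"AC-VI": 188, "AC-VO": 102}

PHY_TIMING_US = {"11b": (20, 10), "11g": (9, 10), "11a": (9, 16)}   # (slot, SIFS), assumed


def cw_from_ecw(ecw: int) -> int:
    """CW = 2^ECW - 1: the GUI stores the contention window as an exponent."""
    return (1 << ecw) - 1


def txop_us(txop_limit: int) -> int:
    """TXOP Limit is carried in units of 32 us; 0 means a single frame per TXOP."""
    return txop_limit * 32


def aifs_us(aifsn: int, phy: str) -> int:
    """AIFS = SIFS + AIFSN * slot time for the given PHY."""
    slot, sifs = PHY_TIMING_US[phy]
    return sifs + aifsn * slot


def validate_edca(table: dict) -> list:
    """Return a list of problems in a {AC: (TXOP, AIFSN, ECWmin, ECWmax)} table."""
    errors = []
    for ac, (txop, aifsn, ecwmin, ecwmax) in table.items():
        if ac not in AC_ORDER:
            errors.append(f"{ac}: unknown access category")
        if ecwmin > ecwmax:
            errors.append(f"{ac}: ECWmin {ecwmin} exceeds ECWmax {ecwmax}")
        if aifsn < 1 or txop < 0:
            errors.append(f"{ac}: AIFSN must be at least 1 and TXOP Limit non-negative")
    return errors


def effective_cac(requested: dict) -> dict:
    """Enabling CAC for an AC enables it for every higher-priority AC, never a lower one."""
    result = {ac: False for ac in AC_ORDER}
    for ac in AC_ORDER:
        if requested.get(ac):
            if ac not in CAC_CAPABLE:
                raise ValueError(f"{ac} does not support CAC")
            for higher in AC_ORDER[AC_ORDER.index(ac):]:
                result[higher] = True
    return result


def contention_summary(table: dict, phy: str) -> dict:
    """Per-AC timings in microseconds and slots, to see how the priorities separate."""
    return {ac: {"aifs_us": aifs_us(aifsn, phy), "cwmin": cw_from_ecw(ecwmin),
                 "cwmax": cw_from_ecw(ecwmax), "txop_us": txop_us(txop)}
            for ac, (txop, aifsn, ecwmin, ecwmax) in table.items()}


if __name__ == "__main__":
    for ac, timing in contention_summary(RADIO_DEFAULTS, "11g").items():
        print(ac, timing)
    print(effective_cac({"AC-VI": True}))
```

With the radio defaults on an 802.11g PHY, AC-VO waits 19 us plus a backoff of at most 3 slots before its first attempt while AC-BK waits 73 us plus up to 15 slots, which is the whole mechanism by which voice gets ahead of bulk traffic; the 802.11b recommendation of 188 and 102 expands to 6016 and 3264 us of TXOP to cover the longer frames of the slower PHY.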

Display radio statistics


Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the Radio Statistics
tab to enter the page displaying radio statistics. Click a radio to see its details.

Figure 127 Displaying radio statistics

Table 75 Field description

Field | Description
Radio interface | WLAN radio interface.
Client EDCA update count | Number of client EDCA parameter updates.
QoS mode | WMM indicates that QoS mode is enabled; None indicates that QoS mode is not enabled.
Radio chip QoS mode | Radio chip's support for the QoS mode.
Radio chip max AIFSN | Maximum AIFSN allowed by the radio chip.
Radio chip max ECWmin | Maximum ECWmin allowed by the radio chip.
Radio chip max TXOPLimit | Maximum TXOPLimit allowed by the radio chip.
Radio chip max ECWmax | Maximum ECWmax allowed by the radio chip.
Client accepted | Number of clients that have been admitted to access the radio, including the number of
    clients that have been admitted to access the AC-VO and the AC-VI.
Total request mediumtime(us) | Total requested medium time, including that of the AC-VO and the AC-VI.
Calls rejected due to insufficient resource | Number of requests rejected due to insufficient resources.
Calls rejected due to invalid parameters | Number of requests rejected due to invalid parameters.
Calls rejected due to invalid mediumtime | Number of requests rejected due to invalid medium time.
Calls rejected due to invalid delaybound | Number of requests rejected due to invalid delay bound.
Admission Control Policy | Admission control policy.
Threshold | Threshold used by the admission control policy.
CAC-Free's AC Request Policy | Response policy adopted for CAC-disabled ACs. Response Success indicates
    that the response is successful.
CAC Unauthed Frame Policy | Policy of processing frames unauthorized by CAC, which can be:
    • Discard—Drops frames.
    • Downgrade—Decreases the priority of frames.
    • Disassociate—Disassociates with the client.
CAC Medium Time Limitation(us) | Maximum medium time allowed by the CAC policy (in microseconds).
CAC AC-VO's Max Delay(us) | Maximum voice traffic delay allowed by the CAC policy (in microseconds).
CAC AC-VI's Max Delay(us) | Maximum video traffic delay allowed by the CAC policy (in microseconds).
SVP packet mapped AC number | Number of the AC to which SVP packets are mapped.
ECWmin | ––.
ECWmax | ––.
AIFSN | ––.
TXOPLimit | ––.
Ack Policy | ACK policy adopted by an AC.
CAC | Indicates whether an AC is controlled by CAC: Disabled indicates that the AC is not controlled by
    CAC, Enabled indicates that the AC is controlled by CAC.

Displaying client statistics


Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the Client Statistics
tab to enter the page displaying client statistics. Click a client name to see its details.

Figure 128 Displaying client statistics

Table 76 Field description

Field | Description
MAC address | MAC address of the client.
SSID | Service set ID (SSID).
QoS Mode | QoS mode, which can be:
    • WMM—Indicates that the client is a QoS client.
    • None—Indicates that the client is a non-QoS client.
Max SP length | Maximum service period.
AC | Access category.
State | APSD attribute of an AC, which can be:
    • T—The AC is trigger-enabled.
    • D—The AC is delivery-enabled.
    • T | D—The AC is both trigger-enabled and delivery-enabled.
    • L—The AC is of legacy attributes.
Assoc State | APSD attribute of the four ACs when a client accesses the AP.
Uplink CAC packets | Number of uplink CAC packets.
Uplink CAC bytes | Number of uplink CAC bytes.
Downlink CAC packets | Number of downlink CAC packets.
Downlink CAC bytes | Number of downlink CAC bytes.
Downgrade packets | Number of downgraded packets.
Downgrade bytes | Number of downgraded bytes.
Discard packets | Number of dropped packets.
Discard bytes | Number of dropped bytes.

Setting rate limiting
The WLAN provides limited bandwidth for each device. Because the bandwidth is shared by the wireless
clients attached to the device, aggressive use of bandwidth by one client affects the other clients. To ensure
fair use of bandwidth, you can rate limit client traffic in either of the following two ways:
• Configure the total bandwidth shared by all clients in the same BSS. This is called dynamic mode.
The rate limit of a client is the configured total rate divided by the number of online clients. For
example, if the configured total rate is 10 Mbps and five clients are online, the rate of each client is 2 Mbps.
• Configure the maximum bandwidth that can be used by each client in the BSS. This is called static
mode. For example, if the configured rate is 1 Mbps, the rate limit of each online user is 1 Mbps.
When the configured rate limit multiplied by the number of access clients exceeds the available bandwidth
provided by the device, no client can get the guaranteed bandwidth.
Select Interface Setup > Wireless > Wireless QoS from the navigation tree on the left, select the Client
Rate Limit tab, and click Add to enter the page for setting rate limiting, as shown in Figure 129.
Figure 129 Setting rate limiting

Table 77 Configuration items

Item | Description
Wireless Service | Existing wireless service.
Direction | Inbound or outbound.
    • Inbound—From clients to the device.
    • Outbound—From the device to clients.
    • Both—Includes inbound (from clients to the device) and outbound (from the device to clients).
Mode | Rate limiting mode, dynamic or static.
    • Dynamic mode.
    • Static mode.
Rate | Set the rate of the clients.
    • If you select the static mode, static rate is displayed, and the rate is the bandwidth of each client.
    • If you select the dynamic mode, share rate is displayed, and the rate is the total bandwidth of all
    clients.

Wireless QoS configuration example
CAC service configuration example
Network requirements
As shown in Figure 130, an AP with WMM enabled accesses the Ethernet. Enable CAC for the AC-VO
and AC-VI queues of the clients of the fat AP. Use the user number-based admission policy to limit the
number of access users to 10, so that the clients using high-priority queues (the AC-VO and AC-VI
queues) are guaranteed enough bandwidth.
Figure 130 Network diagram

Configuration procedure
1. Configure the access service
For related configurations, see "Wireless access service configuration examples." You can strictly
follow the steps in the related configuration example to configure the wireless service.
2. Configure wireless QoS:
# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, and select the QoS
Service tab to enter the page shown in Figure 131. Make sure WMM is enabled.
Figure 131 Enabling wireless QoS

# Select the radio unit to be configured in the list and click the corresponding icon in the
Operation column to enter the page for configuring wireless QoS. In the Client EDCA list, select the
priority type (AC_VO is taken for example here) to be modified, and click the corresponding
icon in the Operation column to enter the page for setting client EDCA parameters.
Figure 132 Enabling CAC

• Select Enable from the CAC list.

• Click Apply.
# Enable CAC for AC_VI in the same way.
# Select Interface Setup > Wireless > Wireless QoS from the navigation tree, select the QoS Service tab,
find the radio unit to be configured in the list, and click the corresponding icon in the Operation
column to enter the page for configuring wireless QoS.
Figure 133 Setting CAC client number

• Select the Client Number option, and then input 10.


• Click Apply.

Verifying the configuration


If the number of existing clients in the high-priority ACs plus the number of clients requesting access is
smaller than or equal to the user-defined maximum number of users allowed in high-priority ACs, which
is 10 in this example, the request is allowed. Otherwise, the request is rejected.

Static rate limiting configuration example


Network requirements
As shown in Figure 134, two clients access the WLAN through an SSID named service1. Limit the
maximum bandwidth per client to 128 kbps on the device.
Figure 134 Network diagram

Configuration procedure
1. Configure the access service:
For the configuration procedure, see "Wireless access service configuration examples." You can
strictly follow the related configuration example to configure the wireless service.

2. Configure static rate limiting:
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit,
and click Add to enter the page for configuring rate limit settings for clients, as shown in Figure
135.
Figure 135 Configuring static rate limiting

• Select service1 from the Wireless Service list.


• Select inbound from the direction list.
• Select static from the mode list.
• Input 128000 in the static rate field.
• Click Apply.

Verifying the configuration


• Client 1 and Client 2 access the WLAN through an SSID named service1.
• Check that traffic from Client 1 is rate limited to around 128 kbps, and so is traffic from Client 2.

Dynamic rate limiting configuration example


Network requirements
As shown in Figure 136, clients access the WLAN through an SSID named service2. Configure all clients
to share 8000 kbps of bandwidth in any direction.
Figure 136 Network diagram

Configuration procedure
1. Configure the wireless service
For the configuration procedure, see "Wireless access service configuration examples." You can
strictly follow the related configuration example to configure the wireless service.

2. Configure dynamic rate limiting
Select Interface Setup > Wireless > Wireless QoS from the navigation tree, click Client Rate Limit,
and click Add to enter the page for configuring rate limit settings for clients, as shown in Figure
137.
Figure 137 Configuring dynamic rate limiting

• Select service2 from the Wireless Service list.


• Select both from the direction list.
• Select dynamic from the mode list.
• Input 8000 in the share rate field.
• Click Apply.

Verifying the configuration


Check the following:
• When only Client 1 accesses the WLAN through SSID service2, its traffic can pass through at a rate
as high as 8000 kbps.
• When both Client 1 and Client 2 access the WLAN through SSID service2, their traffic flows can
each pass through at a rate as high as 4000 kbps.

Configuring advanced settings

Radio frequencies for countries and regions vary based on country regulations. A district code
determines characteristics such as frequency range, channel, and transmit power level. Configure the
valid country code or area code for a WLAN device to meet the specific country regulations.

Setting a district code


Select Interface Setup > Wireless > District Code from the navigation tree to enter the page for setting a
district code, as shown in Figure 138.
Figure 138 Setting a district code

Table 78 Configuration item

Item | Description
District Code | Select a district code. Configure the valid district code for a WLAN device to meet the
    country regulations.

If the list is grayed out, the setting is preconfigured to meet the requirements of the target market and is
locked. It cannot be changed.
Support for district code depends on your device model.

Channel busy test


A channel busy test is a tool to test how busy a channel is. It tests channels supported by the district code
one by one, and provides a busy rate for each channel. This avoids the situation that some channels are
heavily loaded and some are idle.
During a channel busy test, routers do not provide any WLAN services. All the connected clients are
disconnected and WLAN packets are discarded.
To configure a channel busy test:
Select Interface Setup > Wireless Service > Advanced > Channel Busy Test from the navigation tree to
enter the channel busy test configuration page.

Figure 139 Configuring channel busy test

Click the icon of a target AP to enter channel busy testing page, as shown in Figure 140.
Figure 140 Testing busy rate of channels

Click Start to start the testing.


Table 79 Configuration items

Item | Description
Radio Unit | Displays the radio unit, which takes the value of 1 or 2.
Radio Mode | Displays the radio mode of the router.
Test time per channel | Set a time period in seconds within which a channel is tested. The default value is
    3 seconds.

Managing 3G

You can connect a router to a 3G modem through the USB interface on the MPU of the router. After it is
connected to an external UIM card, the 3G modem can access the wireless network provided by China
Telecom and carry out 3G wireless communications.
The router supports 3G modems provided by different vendors. As a peripheral, the 3G modem is not a
part of the router. However, you can maintain and manage the 3G modem through the Web interface
of the router.

Managing the 3G modem


Displaying 3G information
Select 3G > 3G Information from the navigation tree to enter the configuration page as shown in Figure
141.
Figure 141 3G information

Table 80 3G modem information

Item | Description
3G Modem State | State of the 3G modem:
    • Normal—A 3G modem is connected to the router.
    • Absent or unrecognized modem—No 3G modem is connected to the router or the modem cannot be
    recognized.
Model | Model of the 3G modem.
Manufacturer | Manufacturer of the 3G modem.
CMII ID | CMII ID of the 3G modem.
Serial Number | Serial number of the 3G modem.
Hardware Version | Hardware version of the 3G modem.
Firmware Version | Firmware version of the 3G modem.
PRL Version | Preferred roaming list version of the 3G modem.

Table 81 UIM card information

Item | Description
UIM Card State | State of the UIM card:
    • Absent.
    • Being initialized.
    • Fault.
    • Destructed.
    • PIN code protection is disabled.
    • PIN code protection is enabled. Enter the PIN code for authentication.
    • PIN code protection is enabled, and the PIN code has passed the authentication.
    • The PIN code has been blocked. Enter the PUK code to unblock it.
IMSI | International Mobile Subscriber Identity of the UIM card.
Voltage | Power voltage of the UIM card.

Table 82 3G network information

Item | Description
Mobile Network | 3G network where the UIM card resides.
Network Type | State of the 3G network where the UIM card resides:
    • No Service.
    • CDMA.
    • HDR.
    • CDMA/HDR HYBRID.
    • Unknown.
RSSI | Received signal strength indication of the 3G network.

Managing the PIN code

CAUTION:
• If the PIN code is entered incorrectly more times than the maximum number of attempts allowed by the
device, the PIN code is blocked. To unblock the PIN code, you must enter the correct PUK code.
• If the PUK code is entered incorrectly more times than the maximum number of attempts allowed by the
device, the UIM card is destructed. Be cautious when entering the PUK code.

Select 3G > PIN Code Management from the navigation tree to enter the PIN code management page.
The PIN code allows you to perform different operations depending on the UIM card status.

When the UIM card is abnormal


Figure 142 shows the PIN code management page in the case that the UIM card is absent, being
initialized, faulty, or destructed. In such cases, you cannot manage the PIN code.
Figure 142 PIN code management page I

When the PIN code protection is disabled for the UIM card
Figure 143 shows the PIN code management page when the PIN code protection for the UIM card is
disabled. To enable the PIN code protection, enter the PIN code and click Apply. A PIN code contains
4 to 8 digits.
Figure 143 PIN code management page II

When the PIN code needs to be entered for authentication


Figure 144 shows the PIN code management page in the case that the PIN code protection has been
enabled for the UIM card and the PIN code needs to be entered for authentication. To unblock the PIN
code protection, correctly enter the PIN code and click Apply.
Figure 144 PIN code management page III

When the UIM card has passed the PIN code authentication
Figure 145 shows the PIN code management page in the case that the UIM card has passed the PIN
code authentication. You can do the following operations:

• In the Disable PIN Code Protection field, correctly enter the PIN code and click Apply to disable the
PIN code protection for the UIM card.
• In the PIN Code Modification field, correctly enter the current PIN code and the new PIN code twice,
and then click Apply to modify the current PIN code.
Figure 145 PIN code management page IV

When the PUK code needs to be entered to unblock the PIN code of the UIM card
Figure 146 shows the PIN code management page in the case that the PIN code of the UIM card has
been locked and the PUK code needs to be entered.
To unblock the PIN code of the UIM card and set a new PIN code, enter the PUK code correctly and the
new PIN code twice, and then click Apply.
Figure 146 PIN code management page V

Configuring NAT

Overview
Network Address Translation (NAT) provides a way of translating the IP address of a packet to another IP
address. In practice, NAT is primarily used to allow private hosts to access public networks. With NAT,
a few public IP addresses are used to translate a large number of internal IP addresses. This effectively
solves the IP address depletion problem.
For more information about NAT, see the Layer 3—IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).

Recommended configuration procedure

Task | Remarks
Configuring dynamic NAT, or Configuring a DMZ host | Use either approach.
    • Dynamic NAT—A dynamic NAT entry is generated dynamically. Dynamic NAT is applicable to the
    network environment where a large number of internal users must access the Internet.
    • Static NAT—Mappings between external and internal network addresses are manually configured.
    DMZ host can be configured through the Web.
Configuring an internal server | Required.
    You can configure an internal server by mapping a public IP address and port number to the private
    IP address and port number of the internal server.
Enabling application layer protocol check | Optional.
    Enable NAT to check specified application layer protocols. By default, all application layer protocols
    are checked by NAT.
Configuring connection limit | Optional.
    Limit the number of connections from a source IP address.

Configuring dynamic NAT


From the navigation tree, select NAT Configuration > NAT Configuration to enter the default Dynamic
NAT configuration page as shown in Figure 147.

Figure 147 Configuring dynamic NAT

Table 83 Configuration items

Item | Description
Interface | Specify an interface on which the NAT policy is to be enabled.
Translation Mode | Select an address translation mode:
    • Interface Address—In this mode, the NAT gateway directly uses an interface's public IP address as
    the translated IP address. You do not need to configure any address pool for this mode.
    • PAT—In this mode, both IP addresses and port numbers of packets are translated. You need to
    configure an address pool for this mode.
    • No-PAT—In this mode, only IP addresses of packets are translated. You need to configure an
    address pool for this mode.
Start IP Address / End IP Address | Specify the start and the end IP addresses for the NAT address pool.
    The start IP address must be lower than the end IP address. If the end IP address and the start IP
    address are the same, you specify only one IP address.
    IMPORTANT:
    • Only one translation mode can be selected for the same address pool.
    • The maximum number of IP addresses contained in an address pool depends on the device model.
    • NAT address pools used by some device models cannot be those used by other address translation
    policies, IP addresses of interfaces with Easy IP enabled, or external IP addresses of internal servers.

Configuring a DMZ host
Creating a DMZ host
1. From the navigation tree, select NAT Configuration > NAT Configuration.
2. Click the DMZ HOST tab.
The DMZ host configuration page appears.
Figure 148 Creating a DMZ host

Table 84 Configuration items

Item | Description
Host IP Address | Specify the internal IP address of a DMZ host.
Global IP Address | Specify the external IP address of a DMZ host.

Enabling DMZ host on an interface


From the navigation tree, select NAT Configuration > NAT Configuration and click the DMZ HOST tab to
enter the DMZ host configuration page as shown in Figure 148. You can enable or disable DMZ host on
interfaces.
• The icon indicates that DMZ host is disabled on the corresponding interface. Click the Enable
link next to the interface to enable DMZ host on the interface.
• The icon indicates that DMZ host is enabled on the corresponding interface. Click the Disable
link next to the interface to disable DMZ host on the interface.

Figure 149 Enabling DMZ host on an interface

Configuring an internal server


1. From the navigation tree, select NAT Configuration > NAT Configuration.
2. Click the Internal Server tab.
The internal server configuration page appears.

Figure 150 Configuring an internal server

Table 85 Configuration items

Item | Description
Interface | Specify an interface on which the NAT policy is to be enabled.
Protocol | Specify the type of the protocol carried by IP, which can be TCP or UDP.
Global IP Address | Specify the public IP address for the internal server. You can use the IP address of the
    current interface, or manually specify an IP address.
Global Port | Specify the global port number for the internal server. From the list, you can:
    • Select Other and then enter a port number. If you enter 0, all types of services are provided. That is,
    only a static binding between the external IP address and the internal IP address is established.
    • Select a service and the corresponding port number is provided. You cannot modify the port number
    displayed.
Host IP Address | Specify the internal IP address for the internal server.
Host Port | Specify the internal port number for the internal server. From the list, you can:
    • Select Other and then enter a port number. If you enter 0, all types of services are provided. That is,
    only a static binding between the external IP address and the internal IP address is created.
    • Select a service and the corresponding port number is provided. You cannot modify the port number
    displayed.

Enabling application layer protocol check


1. From the navigation tree, select NAT Configuration > NAT Configuration.
2. Click the Application Layer Inspection tab.
The application layer protocol check configuration page appears.
Figure 151 Enabling application layer protocol check

Table 86 Configuration items

Item | Description
Protocol Type | Enable/disable checking the specified application layer protocols, including DNS, FTP,
    PPTP, NBT, ILS, H.323, and SIP.
    IMPORTANT:
    Support for the protocol types depends on the device model.

Configuring connection limit


1. From the navigation tree, select NAT Configuration > NAT Configuration.
2. Click the Connection Limit tab.
The connection limit configuration page appears.

Figure 152 Configuring connection limit

Table 87 Configuration items

Item | Description
Enable connection limit | Enable or disable connection limit.
Max Connections | Set the maximum number of connections that can be initiated from a source IP address.

NAT configuration examples


Internal hosts accessing public network configuration example
Network requirements
As shown in Figure 153, a company has three public IP addresses ranging from 202.38.1.1/24 to
202.38.1.2/24, and its internal network address is 10.110.0.0/16. Specifically, the company has the
following requirements:
• The internal users can access the Internet by using public addresses 202.38.1.2 and 202.38.1.3.
• Configure the upper limit of connections as 1000 based on the source IP address.
Figure 153 Network diagram

Configuring internal hosts accessing public network


1. Configure the IP address of each interface. (Details not shown.)

2. Configure dynamic NAT on Ethernet 0/2:
a. Select NAT Configuration > NAT Configuration to enter the dynamic NAT configuration page,
as shown in Figure 154.
b. Select Ethernet0/2 from the Interface list.
c. Select PAT from the Translation Mode list.
d. Enter 202.38.1.2 in the Start IP Address field.
e. Enter 202.38.1.3 in the End IP Address field.
f. Click Apply.
Figure 154 Configuring dynamic NAT

3. Configure the connection limit:


a. Click the Connection Limit tab to enter the connection limit configuration page, as shown
in Figure 155.
b. Select Enable connection limit.
c. Enter 1000 in Max Connections.
d. Click Apply.

Figure 155 Configuring connection limit

Internal server configuration example


Network requirements
A company provides one FTP server and two Web servers for external users to access. The internal
network address is 10.110.0.0/16. The company has three public IP addresses ranging from
202.38.1.1/24 to 202.38.1.3/24. Specifically, the company has the following requirements:
• External hosts can access the company internal servers.
• 202.38.1.1 is used as the public IP address for the internal servers and port number 8080 is used
for Web server 2.
Figure 156 Network diagram

Configuring internal server


1. Configure the FTP server:
a. From the navigation tree, select NAT Configuration > NAT Configuration and click the Internal
Server tab to enter the internal server configuration page, as shown in Figure 157.
b. Select Ethernet0/2 from the Interface list.
c. Select the TCP option in the Protocol field.
d. In the Global IP Address field, select the option for manually specifying an IP address, and then enter 202.38.1.1.
e. Select ftp from the Global Port list.
f. Enter 10.110.10.3 in the Host IP Address field.
g. Select ftp from the Host Port list.
h. Click Apply.

Figure 157 Configuring the FTP server

2. Configure Web server 1:


a. As shown in Figure 158, select Ethernet0/2 from the Interface list.
b. Select the TCP option in the Protocol field.
c. In the Global IP Address field, select the option for manually specifying an IP address, and then enter 202.38.1.1.
d. Select http from the Global Port list.
e. Enter 10.110.10.1 in the Host IP Address field.
f. Select http from the Host Port list.
g. Click Apply.

Figure 158 Configuring Web server 1

3. Configure Web server 2:


a. Click Add in the internal server configuration page.
b. As shown in Figure 159, select Ethernet0/2 from the Interface list.
c. Select the TCP option in the Protocol field.
d. In the Global IP Address field, select the option for manually specifying an IP address, and then enter 202.38.1.1.
e. Enter 8080 in the Global Port field.
f. Enter 10.110.10.2 in the Host IP Address field.
g. Enter 8080 in the Host Port field.
h. Click Apply.

Figure 159 Configuring Web server 2
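The two NAT examples above (dynamic PAT with a connection limit, and the three internal servers) modelled in a small gateway simulation; this is an added example, not H3C code or the router's implementation. The pool addresses, internal server mappings, connection limit and "Global Port 0 means every port" rule are taken from the page; the 5-tuple session key, sequential global port allocation from 1024 and round-robin choice of pool address are my simplifications, since the router's actual allocation algorithm is not described here.

```python
"""Added example, not H3C code: a model of the NAT behaviour set up in the two
configuration examples above on Ethernet0/2 (Figures 153 and 156).

Modelled from the page:
  * Dynamic NAT in PAT mode, address pool 202.38.1.2-202.38.1.3, for outbound flows
    from 10.110.0.0/16, with a per-source-IP connection limit of 1000.
  * Internal servers at 202.38.1.1: tcp/21 -> 10.110.10.3 (FTP),
    tcp/80 -> 10.110.10.1 (Web server 1), tcp/8080 -> 10.110.10.2 (Web server 2).
  * Global Port 0 on an internal server = static binding of every port.
Assumptions of mine: the 5-tuple session key, sequential global port allocation
starting at 1024 and round-robin choice of pool address.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, pool_start, pool_end, inside_net, conn_limit=None):
        start = ipaddress.IPv4Address(pool_start)
        end = ipaddress.IPv4Address(pool_end)
        if start > end:
            raise ValueError("the start IP address must be lower than the end IP address")
        self.pool = [str(ipaddress.IPv4Address(a)) for a in range(int(start), int(end) + 1)]
        self.inside_net = ipaddress.IPv4Network(inside_net)
        self.conn_limit = conn_limit    # Max Connections per source IP (None = unlimited)
        self.servers = {}       # (proto, global_ip, global_port) -> (host_ip, host_port)
        self.sessions = {}      # outbound Flow -> (global_ip, global_port)
        self.reverse = {}       # (proto, global_ip, global_port) -> (src, sport)
        self.conns_by_src = {}  # source IP -> number of NAT sessions
        self.next_port = 1024   # assumption: sequential PAT port allocation

    def add_internal_server(self, proto, global_ip, global_port, host_ip, host_port):
        """Static public IP/port -> private IP/port mapping (Internal Server tab)."""
        if global_ip in self.pool:
            # Table 83: a pool may not reuse an internal server's external IP address.
            raise ValueError("address pool overlaps an internal server's global IP address")
        key = (proto, global_ip, global_port)
        if key in self.servers:
            raise ValueError(f"duplicate internal server mapping {key}")
        self.servers[key] = (host_ip, host_port)

    def translate_outbound(self, flow):
        """PAT for an inside-to-outside flow. Returns the translated Flow, or None when
        the source is not an inside address or has reached the connection limit."""
        if ipaddress.IPv4Address(flow.src) not in self.inside_net:
            return None
        if flow in self.sessions:
            gip, gport = self.sessions[flow]
        else:
            count = self.conns_by_src.get(flow.src, 0)
            if self.conn_limit is not None and count >= self.conn_limit:
                return None  # Connection Limit tab: Max Connections reached for this source
            gip = self.pool[len(self.sessions) % len(self.pool)]
            gport = self.next_port
            self.next_port += 1
            self.sessions[flow] = (gip, gport)
            self.reverse[(flow.proto, gip, gport)] = (flow.src, flow.sport)
            self.conns_by_src[flow.src] = count + 1
        return replace(flow, src=gip, sport=gport)

    def translate_inbound(self, flow):
        """Outside-to-inside packet addressed to a global IP. Internal server mappings
        are checked first, then existing PAT sessions. None means no mapping (dropped)."""
        exact = (flow.proto, flow.dst, flow.dport)
        if exact in self.servers:
            host_ip, host_port = self.servers[exact]
            return replace(flow, dst=host_ip, dport=host_port)
        any_port = (flow.proto, flow.dst, 0)
        if any_port in self.servers:
            host_ip, _ = self.servers[any_port]
            return replace(flow, dst=host_ip, dport=flow.dport)
        if exact in self.reverse:
            src, sport = self.reverse[exact]
            return replace(flow, dst=src, dport=sport)
        return None


def build_example_gateway(conn_limit=1000):
    """Gateway configured as in the two NAT configuration examples on this page."""
    gw = NatGateway("202.38.1.2", "202.38.1.3", "10.110.0.0/16", conn_limit=conn_limit)
    gw.add_internal_server("tcp", "202.38.1.1", 21, "10.110.10.3", 21)      # FTP server
    gw.add_internal_server("tcp", "202.38.1.1", 80, "10.110.10.1", 80)      # Web server 1
    gw.add_internal_server("tcp", "202.38.1.1", 8080, "10.110.10.2", 8080)  # Web server 2
    return gw


if __name__ == "__main__":
    gw = build_example_gateway()
    # Constructed sample traffic; 198.51.100.1 and 203.0.113.9 are documentation addresses.
    out = gw.translate_outbound(Flow("tcp", "10.110.1.5", 40000, "198.51.100.1", 443))
    print("outbound:", out)
    print("reply:", gw.translate_inbound(Flow("tcp", "198.51.100.1", 443, out.src, out.sport)))
    print("web2:", gw.translate_inbound(Flow("tcp", "203.0.113.9", 50000, "202.38.1.1", 8080)))
```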

Configuring access control

Access control allows you to control access to the Internet from the LAN by setting the time range, IP
addresses of computers in the LAN, port range, and protocol type. All data packets matching these
criteria will be denied access to the Internet.
You can configure up to ten access control policies. They are matched in ascending order of sequence
number. The comparison stops immediately after the system finds one match.
The ten access control policies correspond to ACL 3980 through 3989, respectively, in ascending order
of sequence number. Modifying these ACLs may impact the corresponding access control policies.
Access control applies only to the outgoing direction of WAN interfaces.

Configuration procedure
Select Security Setup > Access from the navigation tree, and then click the Access Control tab.
Figure 160 Access control

Table 88 Configuration items

Item | Description
Begin-End Time | Set the time range of a day for the rule to take effect. The start time must be earlier than
    the end time.
Week | Select the days of a week for the rule to take effect.
    IMPORTANT:
    Set both types of time ranges or set neither of them. To set neither of them, make sure the Begin-End
    Time is 00:00 - 00:00 and no days of a week are selected. Setting neither of them means it takes effect
    all the time.
Protocol | Specify to control accesses based on the protocol used for data transmission. Three options are
    available: TCP, UDP, and IP. For which services use which protocols, see Table 89.
Source IP Address | Configure the IP address range of computers. To control a single IP address, enter the
    address in the two fields.
Destination Port | Set the port range to be filtered. For example, to control Telnet access, enter 23 in the two
    fields.
Operation | Action to be taken for matching packets. The action is Deny, which means all packets matching
    the access control policies are not allowed to pass.

Table 89 Commonly used services and their ports

Service | Transport layer protocol | Port number
FTP | TCP | 21
Telnet | TCP | 23
TFTP | UDP | 69
Web | TCP | 80

Access control configuration example


Network requirements
As shown in Figure 161, internal users of a company, Host A to Host D, access the Internet through the router.
Configure an access control policy so that:
• Host A to Host C cannot access the Internet from 09:00 to 18:00 every Monday to Friday. They can
access the Internet at all other times.
• Host D can access the Internet any time.

Figure 161 Network diagram

Configuration procedure
# Configure an access control policy to prohibit Host A to Host C from accessing the Internet during work
time.
• Select Security Setup > Access from the navigation tree.
Figure 162 Configure an access control policy

• Set the Begin-End Time to 09:00 - 18:00.


• Select the boxes for Monday to Friday.
• Select the Protocol of IP.
• Enter source IP address range 10.1.1.1 - 10.1.1.3.
• Click Apply.
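The access control rules above (ten policies matched in ascending sequence number, first match wins, ACL 3980 to 3989, the 00:00 - 00:00 with no weekday convention, Deny as the only action) applied to constructed sample packets; this is an added example, not H3C code. The example policy is the one from this configuration procedure; treating the end time as exclusive is my assumption.

```python
"""Added example, not H3C code: evaluate the access control policies this section
describes against outgoing WAN packets.

Rules modelled from the page: up to ten policies, matched in ascending sequence
number with the first match ending the search; the ten policies correspond to
ACL 3980 through 3989; a Begin-End Time of 00:00 - 00:00 with no weekday selected
means the policy applies all the time; both the time range and the weekdays must
be set, or neither; the only action is Deny. Packets and timestamps below are
constructed sample input. Treating the end time as exclusive is my assumption.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

MAX_POLICIES = 10
FIRST_ACL = 3980
ALWAYS = time(0, 0)   # Begin-End Time 00:00 - 00:00


@dataclass(frozen=True)
class Packet:
    protocol: str   # "TCP", "UDP" or another IP protocol name
    src: str
    dport: int


@dataclass(frozen=True)
class AccessPolicy:
    src_start: str
    src_end: str
    protocol: str = "IP"                 # TCP, UDP or IP (any protocol)
    begin: time = ALWAYS
    end: time = ALWAYS
    weekdays: frozenset = frozenset()    # 0 = Monday ... 6 = Sunday
    port_start: int = 0
    port_end: int = 65535

    def __post_init__(self):
        if self.protocol not in ("TCP", "UDP", "IP"):
            raise ValueError("protocol must be TCP, UDP or IP")
        if ipaddress.IPv4Address(self.src_start) > ipaddress.IPv4Address(self.src_end):
            raise ValueError("source IP range start is above its end")
        if not self.always and (not self.weekdays or self.begin >= self.end):
            raise ValueError("set both the time range and the weekdays, or neither")

    @property
    def always(self):
        return self.begin == ALWAYS and self.end == ALWAYS and not self.weekdays

    def in_effect(self, when):
        if self.always:
            return True
        return when.weekday() in self.weekdays and self.begin <= when.time() < self.end

    def matches(self, pkt, when):
        if not self.in_effect(when):
            return False
        if self.protocol != "IP":
            # Port range only applies to TCP/UDP policies; IP matches any protocol.
            if pkt.protocol != self.protocol:
                return False
            if not (self.port_start <= pkt.dport <= self.port_end):
                return False
        src = ipaddress.IPv4Address(pkt.src)
        return ipaddress.IPv4Address(self.src_start) <= src <= ipaddress.IPv4Address(self.src_end)


class AccessControl:
    """Ordered list of at most ten deny policies applied to WAN-bound packets."""

    def __init__(self):
        self.policies = []

    def add(self, policy):
        """Append a policy; returns the ACL number that backs it (3980 + sequence)."""
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("at most ten access control policies can be configured")
        self.policies.append(policy)
        return FIRST_ACL + len(self.policies) - 1

    def evaluate(self, pkt, when):
        """Return ("deny", acl_number) on the first matching policy, else ("permit", None)."""
        for seq, policy in enumerate(self.policies):
            if policy.matches(pkt, when):
                return "deny", FIRST_ACL + seq
        return "permit", None


def example_policy_set():
    """The policy from the configuration example: Host A to Host C (10.1.1.1 - 10.1.1.3)
    are denied Internet access 09:00 - 18:00, Monday to Friday."""
    ac = AccessControl()
    ac.add(AccessPolicy("10.1.1.1", "10.1.1.3", "IP", time(9, 0), time(18, 0),
                        frozenset(range(0, 5))))
    return ac


if __name__ == "__main__":
    ac = example_policy_set()
    tuesday_work = datetime(2013, 3, 19, 10, 0)   # constructed timestamp, a Tuesday
    for src in ("10.1.1.1", "10.1.1.4"):
        print(src, ac.evaluate(Packet("TCP", src, 80), tuesday_work))
```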

Configuring URL filtering

The URL filtering function allows you to deny access to certain Internet webpages from the LAN by setting
keywords and URL addresses.
The URL filtering function applies to only the outbound direction of WAN interfaces.

Configuration procedure
Select Security Setup > URL Filter from the navigation tree to enter the page as shown in Figure 163. Then,
click Add to enter the URL filtering configuration page, as shown in Figure 164.
Figure 163 URL filtering entries

Figure 164 URL filtering configuration page

Table 90 Configuration items

Item | Description
URL | Set the URL addresses to be filtered. You can enter a regular expression.
Keyword | Set the keywords to be filtered. You can enter a regular expression.
    IMPORTANT:
    The URL and keyword are in OR relation. When both are configured, the system generates two URL
    filtering conditions.
Import filter list file: Import | If the Import filter list file box is selected, you can import filtering rules
    from a file.
Import filter list file: File Name | Specify the name and path of the file on the local host from which you
    obtain the file. For a description of the content format of filter list files, see Figure 164.

URL filtering configuration example


Network requirements
As shown in Figure 165, internal users access the Internet through Router. Configure the URL filtering
function to disallow access of all internal users to Internet website www.webflt.com.

Figure 165 Network diagram

Configuration procedure
# Configure the URL filtering function.
• Select Security Setup > URL Filter from the navigation tree. Click Add and then perform the
following configurations, as shown in Figure 166.
Figure 166 Configure the URL filtering function

• Select the box before URL and then enter www.webflt.com in the field.
• Click Apply.

Configuring MAC address filtering

Use MAC address filtering to match MAC addresses of hosts accessing the network through the device,
and deny or permit hosts with matched MAC addresses to access the network through the device.
MAC address filtering is only applicable to the outgoing direction of Layer 3 Ethernet interfaces and
dialer interfaces.

Configuring the MAC address filtering type


Select Security Setup > MAC Address Filtering from the navigation tree to enter the MAC address filtering
configuration page.
Figure 167 MAC address filtering

Table 91 Configuration item

Item | Description
filtering type | Select a MAC address filtering type:
    • Disable MAC address filtering.
    • Permit access to the Internet—Enables MAC address filtering to permit only the hosts whose MAC
    addresses are on the MAC address list below to access the network through the device.
    • Deny access to the Internet—Enables MAC address filtering to deny the hosts whose MAC addresses
    are on the MAC address list below from accessing the network through the device.
    IMPORTANT:
    A MAC address list appears at the lower part of the page after you select Permit access to the Internet
    or Deny access to the Internet.

Configuring the MAC addresses to be filtered


Select Security Setup > MAC Address Filtering from the navigation tree to enter the MAC address filtering
configuration page, as shown in Figure 167. After you select Permit access to the Internet or Deny access to the
Internet, the permitted or denied MAC addresses are listed in the lower part of the page, as shown
in Figure 168. Click Add to enter the Add MAC Address page, as shown in Figure 169.

Figure 168 MAC address filtering (permit access to the Internet)

Figure 169 Adding MAC addresses

Table 92 Configuration items

Item: Use the customized MAC address / Use the learned MAC addresses
Description: Enter the MAC addresses to be filtered, or select them from the list of MAC addresses the
device has learned.

If you select Permit access to the Internet or Deny access to the Internet as the filtering type, the selected
filtering type takes effect as soon as you add MAC addresses for that type, whether or not you click Apply
in the filtering type configuration area of the MAC Address Filtering page.

MAC address filtering configuration example
Network requirements
As shown in Figure 170, internal users access the Internet through Router. Configure the MAC address
filtering function to deny users whose MAC addresses are 000d-88f8-0dd7 and 000d-88f7-b8d6 from
accessing the Internet.
Figure 170 Network diagram (Router connects to the Internet through Eth0/1; the hosts to be denied are
000d-88f8-0dd7 at 192.168.1.17 and 000d-88f7-b8d6 at 192.168.1.18)

Configuration procedure
# Configure the MAC address filtering function.
• Select Security Setup > MAC Address Filtering from the navigation tree and then perform the
following configurations, as shown in Figure 171.
Figure 171 Select MAC address filtering type

• Select Deny access to the Internet as the filtering type.


• Click Add and then perform the following configurations, as shown in Figure 172.

Figure 172 Specifying the MAC addresses to be denied access to the Internet

• Select Use the learned MAC addresses.


• Select 000d-88f8-0dd7 and 000d-88f7-b8d6 from the Learned MAC Addresses list, and then click
the << button to add them to the Selected MAC Addresses list.
• Click Apply.

Configuring attack protection

You can enable the blacklist function, add a blacklist entry manually, view blacklist entries, and configure
intrusion detection in the Web interface.

Overview
Attack protection is an important network security feature. It can determine whether received packets are
attack packets according to the packet contents and behaviors and, if detecting an attack, take measures
to deal with the attack. Protection measures include logging the event, dropping packets, updating the
session status, and blacklisting the source IP address.

Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address. Compared
with ACL packet filtering, blacklist filtering uses a simpler match and therefore filters packets at a
higher speed. It is effective for dropping all packets from specific IP addresses.
One outstanding benefit of the blacklist function is that the device can add and delete blacklist
entries dynamically, in conjunction with the scanning attack protection function.
When the device detects a scanning attack from the packet behavior, it adds the IP address of
the attacker to the blacklist, and subsequent packets from that address are dropped. Blacklist entries added
dynamically are aged out after a specific period of time.
The blacklist function also allows you to add and delete blacklist entries manually. Blacklist entries added
manually can be permanent blacklist entries or non-permanent blacklist entries. A permanent entry will
always exist in the blacklist unless you delete it manually. You can configure the aging time of a
non-permanent entry. After the timer expires, the device automatically deletes the blacklist entry, allowing
packets from the corresponding IP address to pass.

Intrusion detection function


The device can defend against two categories of network attacks: single-packet attacks and abnormal
traffic. By attack characteristics, abnormal traffic is further divided into scanning attacks and flood
attacks.

Protection against single-packet attacks


A single-packet attack is also called a malformed packet attack. Such an attack is formed when:
• The attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal
TCP flags, to a target system so that the target system malfunctions or crashes when processing such
packets.
• The attacker sends large quantities of such packets into the network to use up the network bandwidth.
Table 93 lists the types of single-packet attacks that the device can prevent.

Table 93 Types of single-packet attacks

Fraggle: A Fraggle attacker sends large amounts of UDP echo packets (UDP port 7) or Chargen packets
(UDP port 19) to a subnet broadcast address. This causes a large quantity of responses in the network,
using up the network bandwidth of the subnet or crashing the target host.

LAND: A LAND attacker forges large amounts of TCP SYN packets with both the source address and the
destination address set to the IP address of the target, causing the target to send SYN ACK messages to
itself and establish half-open connections. In this way, the attacker may deplete the half-open
connection resources of the target, making it unable to work normally.

WinNuke: A WinNuke attacker sends Out-of-Band (OOB) data packets to the NetBIOS port (139) of a
target running a Windows system. The pointer fields of these attack packets overlap, resulting in NetBIOS
fragment overlaps. This causes a target host that has established TCP connections with other hosts to
crash when it processes these NetBIOS fragments.

TCP Flag: Different operating systems process abnormal TCP flags differently. The attacker sends TCP
packets with abnormal TCP flags to the target host to probe its operating system. If the operating system
cannot process such packets properly, the host crashes.

ICMP Unreachable: Upon receiving an ICMP unreachable packet, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for that destination. By sending
ICMP unreachable packets, an attacker can cut off the connection between the target host and the
network.

ICMP Redirect: An ICMP Redirect attacker sends ICMP redirect messages to hosts on a subnet to request
that the hosts change their routing tables, interfering with the normal forwarding of IP packets.

Tracert: The Tracert program usually sends UDP packets with a large destination port number and an
increasing TTL (starting from 1). The TTL of a packet is decreased by 1 at each router it passes. Upon
receiving a packet whose TTL reaches 0, a router sends an ICMP time exceeded message back to the
source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the
network topology.

Smurf: A Smurf attacker sends ICMP echo requests to the broadcast address of the target network. As a
result, all hosts on the target network reply to the requests, congesting the network and leaving hosts
on the target network unable to provide services.

Source Route: A Source Route attacker probes the network structure through the Source Route option in
IP packets.

Route Record: A Route Record attacker probes the network structure through the Record Route option in
IP packets.

Large ICMP: For some hosts and devices, large ICMP packets cause memory allocation errors and thus
crash the protocol stack. An attacker can make a target crash by sending large ICMP packets to it.

The single-packet attack protection function applies only to incoming packets. It analyzes the
characteristics of incoming packets to determine whether they are offensive and, if they are,
logs the event and discards the packets. For example, if the length of an ICMP packet reaches
or exceeds 4000 bytes, the device considers the packet a large ICMP attack packet, outputs a warning
log, and discards the packet.
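Each signature in Table 93 keys on only a few header fields, and it is instructive to see exactly which ones. The following is an added example in Python, not code from this guide or from H3C: it builds raw IPv4 packets in memory (constructed sample packets, no network access) and classifies them with the Table 93 checks. The 4000-byte Large ICMP threshold is the one stated above; the traceroute port range, the set of TCP flag combinations treated as abnormal, and the list of local broadcast addresses are assumptions.

```python
"""Packet-level checks for the Table 93 single-packet attacks (added example, not H3C code)."""
import ipaddress
import struct

LARGE_ICMP_BYTES = 4000                  # threshold stated in the guide (IP total length)
UDP_ECHO, UDP_CHARGEN = 7, 19            # Fraggle target ports
TRACEROUTE_PORTS = range(33434, 33534)   # assumed: classic UNIX traceroute port base
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0x07, 0x83, 0x89
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_ipv4(src, dst, proto, payload, options=b"", ttl=64):
    """Assemble a raw IPv4 packet (checksum left 0; the checker never verifies it)."""
    assert len(options) % 4 == 0, "IP options must be padded to 32-bit words"
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp_datagram(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def icmp_message(mtype, data=b""):
    return struct.pack("!BBHI", mtype, 0, 0, 0) + data


def ip_option_kinds(options):
    """Walk the IP options field; tolerate a malformed zero length without looping forever."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:           # End of Option List
            break
        if kind == 1:           # No Operation
            i += 1
            continue
        kinds.append(kind)
        length = options[i + 1] if i + 1 < len(options) else 0
        i += max(length, 2)
    return kinds


def classify(packet, broadcast_addrs=()):
    """Return the Table 93 attack names the packet matches (empty list = pass)."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    payload = packet[ihl:]
    to_broadcast = str(dst) in broadcast_addrs or dst == ipaddress.IPv4Address("255.255.255.255")
    hits = []

    kinds = ip_option_kinds(packet[20:ihl])
    if IPOPT_LSRR in kinds or IPOPT_SSRR in kinds:
        hits.append("Source Route")
    if IPOPT_RR in kinds:
        hits.append("Route Record")

    if proto == PROTO_TCP and len(payload) >= 20:
        dport = struct.unpack("!H", payload[2:4])[0]
        flags = payload[13] & 0x3F
        if src == dst and flags & SYN:
            hits.append("LAND")
        if dport == 139 and flags & URG:          # OOB (urgent) data to NetBIOS
            hits.append("WinNuke")
        if (flags & (SYN | FIN)) == (SYN | FIN) or flags in (0, 0x3F):
            hits.append("TCP Flag")               # assumed set of abnormal combinations
    elif proto == PROTO_UDP and len(payload) >= 8:
        dport = struct.unpack("!H", payload[2:4])[0]
        if to_broadcast and dport in (UDP_ECHO, UDP_CHARGEN):
            hits.append("Fraggle")
        if ttl == 1 and dport in TRACEROUTE_PORTS:
            hits.append("Tracert")
    elif proto == PROTO_ICMP and len(payload) >= 8:
        mtype = payload[0]
        if mtype == 8 and to_broadcast:
            hits.append("Smurf")
        if mtype == 3:
            hits.append("ICMP Unreachable")
        if mtype == 5:
            hits.append("ICMP Redirect")
        if total_len >= LARGE_ICMP_BYTES:
            hits.append("Large ICMP")
    return hits
```

Note that Smurf and Fraggle can only be recognized if the checker knows which addresses are directed broadcasts on the local subnets; a SYN segment from 10.0.0.5 to 10.0.0.5 classifies as LAND, while an ordinary SYN to port 80 returns an empty list.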

Protection against scanning attacks
Scanning attackers usually use scanning tools to scan host addresses and ports in a network, so as
to find possible targets and the services enabled on them and to figure out the network topology,
in preparation for further attacks on the target hosts.
The scanning attack protection function applies only to incoming packets. It monitors the rate at which
an IP address initiates connections to destination systems. If the rate reaches or exceeds 4000
connections per second, it logs the event, adds the IP address to the blacklist, and discards subsequent
packets from the IP address. The decision keys only on the source IP address of the scan packets, so a
scan sent with a forged source address causes the forged address, not the attacker's, to be blacklisted;
review automatically added entries before relying on them.

Protection against flood attacks


Flood attackers send a large number of forged requests to the targets in a short time, so that the target
systems become too busy to serve legitimate users, resulting in denial of service.
The device can defend against three types of flood attacks:
• SYN flood attack
Because of limited resources, the TCP/IP stack permits only a limited number of TCP
connections. A SYN flood attacker sends a great quantity of SYN packets to a target server, using
a forged address as the source address. After receiving the SYN packets, the server replies with
SYN ACK packets. Because the destination address of the SYN ACK packets is unreachable, the server
never receives the expected ACK packets, and large numbers of half-open connections accumulate.
In this way, the attacker exhausts the system resources, making the server unable to serve normal
clients.
• ICMP flood attack
An ICMP flood attacker sends a large number of ICMP requests to the target in a short time, for
example by using the ping program, leaving the target too busy to process normal services.
• UDP flood attack
A UDP flood attacker sends a large number of UDP messages to the target in a short time, so that
the target becomes too busy to process normal services.
The flood attack protection function applies only to outgoing packets and is mainly used to
protect servers behind the device. It monitors the connection establishment rate and the number of
half-open connections of a server. If the rate reaches or exceeds 1000 connections per second, or the
number of half-open connections reaches or exceeds 10000 (only SYN flood attack protection supports the
half-open connection limit), it logs the event and discards subsequent connection requests to the
server.
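To make the blacklist semantics concrete (permanent versus Hold Time entries, aging, automatic entries created by the scanning attack detector at the 4000 connections per second threshold, and the rule that editing an automatic entry turns it into a Manual entry), here is an added example in Python. It is not H3C code and does not model the flood protection; the sliding one-second window, the 600-second hold for automatic entries and the scanner address 203.0.113.9 are assumptions, and the Host C and Host D addresses are the ones used in the configuration examples later in this chapter.

```python
"""Blacklist with permanent and aging entries, plus scanning-attack auto-add (added example, not H3C code)."""
from collections import defaultdict, deque

SCAN_CONNECTIONS_PER_SECOND = 4000   # threshold quoted in the guide
AUTO_ENTRY_HOLD_SECONDS = 600        # assumed aging time for automatic entries


class Blacklist:
    def __init__(self, enabled=False):
        self.enabled = enabled
        self.entries = {}   # ip -> {"method", "start", "hold" (None = permanent), "dropped"}

    def add_manual(self, ip, now, hold_seconds=None):
        """Hold Time entry when hold_seconds is given, Permanence entry otherwise."""
        self.entries[ip] = {"method": "Manual", "start": now, "hold": hold_seconds, "dropped": 0}

    def add_automatic(self, ip, now, hold_seconds=AUTO_ENTRY_HOLD_SECONDS):
        if ip not in self.entries:   # keep an existing (possibly permanent) entry as is
            self.entries[ip] = {"method": "Automatic", "start": now, "hold": hold_seconds, "dropped": 0}

    def modify(self, ip, hold_seconds=None):
        """Editing any entry, including an automatic one, turns it into a Manual entry."""
        self.entries[ip]["method"] = "Manual"
        self.entries[ip]["hold"] = hold_seconds

    def age(self, now):
        expired = [ip for ip, e in self.entries.items()
                   if e["hold"] is not None and now >= e["start"] + e["hold"]]
        for ip in expired:
            del self.entries[ip]

    def permits(self, src_ip, now):
        """True if a packet from src_ip may pass; counts the drop otherwise."""
        if not self.enabled:
            return True
        self.age(now)
        entry = self.entries.get(src_ip)
        if entry is None:
            return True
        entry["dropped"] += 1
        return False


class ScanDetector:
    """Counts new connections per source over a sliding one-second window."""

    def __init__(self, blacklist, add_to_blacklist=True):
        self.blacklist = blacklist
        self.add_to_blacklist = add_to_blacklist   # the "Add Source IP Address to the Blacklist" option
        self.windows = defaultdict(deque)
        self.alarms = []

    def new_connection(self, src_ip, now):
        window = self.windows[src_ip]
        window.append(now)
        while window and window[0] <= now - 1.0:
            window.popleft()
        if len(window) < SCAN_CONNECTIONS_PER_SECOND:
            return False
        self.alarms.append((now, src_ip))      # stands in for the alarm log
        window.clear()
        if self.add_to_blacklist:
            self.blacklist.add_automatic(src_ip, now)
        return True


def run_example():
    """Replays the chapter's scenario: Host D permanent, Host C for 50 minutes, one scanner."""
    bl = Blacklist(enabled=True)
    det = ScanDetector(bl)
    bl.add_manual("5.5.5.5", now=0.0)                            # Host D, Permanence
    bl.add_manual("192.168.1.5", now=0.0, hold_seconds=50 * 60)  # Host C, Hold Time 50 min
    for k in range(SCAN_CONNECTIONS_PER_SECOND):                 # constructed scan: 4000 in 0.4 s
        det.new_connection("203.0.113.9", now=10.0 + k * 0.0001)
    result = {"alarms": len(det.alarms)}
    result["scanner_method"] = bl.entries["203.0.113.9"]["method"]
    result["scanner_blocked"] = not bl.permits("203.0.113.9", now=11.0)
    bl.modify("203.0.113.9")                                     # operator edits it: now Manual
    result["scanner_method_after_edit"] = bl.entries["203.0.113.9"]["method"]
    result["host_c_blocked_at_49min"] = not bl.permits("192.168.1.5", now=49 * 60.0)
    result["host_c_blocked_at_51min"] = not bl.permits("192.168.1.5", now=51 * 60.0)
    result["host_d_blocked_at_1h"] = not bl.permits("5.5.5.5", now=3600.0)
    result["host_d_dropped"] = bl.entries["5.5.5.5"]["dropped"]
    return result


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Running it shows Host D blocked indefinitely with its Dropped Count incrementing, Host C blocked at 49 minutes and passing at 51, and the scanner's entry flipping from Automatic to Manual the moment it is edited, which is why an edited automatic entry no longer ages the way the detector intended.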

Configuring the blacklist function


Recommended configuration procedure

Step 1. Enabling the blacklist function
Required. By default, the blacklist function is disabled.

Step 2. Configuring the scanning attack protection function to add blacklist entries automatically
Step 3. Adding a blacklist entry manually
Required. Perform at least one of these two tasks.
You can add blacklist entries manually, or enable the blacklist function globally, configure the scanning
attack protection function, and enable the blacklist function for scanning attack protection so that the
device adds the IP addresses of detected scanning attackers to the blacklist automatically. For the
configuration of scanning attack protection, see "Configuring intrusion detection."
By default, no blacklist entry exists.
IMPORTANT:
Modifying an automatically added entry changes the type of the entry to Manual.

Step 4. Viewing blacklist entries
Optional.

Enabling the blacklist function


From the navigation tree, select Security Setup > Attack Defend > Blacklist to enter the page shown
in Figure 173, where all manually configured or automatically generated blacklist entries are listed.
Select the box before Enable Blacklist and click Apply to enable the blacklist filtering function.
Figure 173 Blacklist page

Adding a blacklist entry manually


On the blacklist page shown in Figure 173, click Add to configure a blacklist entry, as shown in Figure
174.

Figure 174 Add a blacklist entry

Table 94 Configuration items

IP Address: Specify the IP address to be added to the blacklist. This IP address cannot be a broadcast
address, a class D address, a class E address, an address in 127.0.0.0/8, or an address in 255.0.0.0/8.

Hold Time: Configure the entry as a non-permanent entry and specify how long the blacklist entry is held.

Permanence: Configure the entry as a permanent entry.

Viewing blacklist entries


Select Security Setup > Attack Defend > Blacklist from the navigation tree to view blacklist entries.
Table 95 Field description

IP Address: IP address of the blacklist entry.

Add Method: The way in which the blacklist entry was added, Manual or Automatic.
• Manual: The entry was added manually, or was added automatically and then modified.
• Automatic: The entry was added automatically by the scanning attack protection function.
IMPORTANT:
Modifying an automatically added entry changes the type of the entry to Manual.

Start Time: The time when the blacklist entry was added.

Hold Time: Duration for which the blacklist entry is held in the blacklist.

Dropped Count: Number of packets that matched the blacklist entry and were therefore dropped by the
device.

Configuring intrusion detection


On MSR 900/20-1X routers
Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree to enter the intrusion
detection configuration page, as shown in Figure 175. Select the box before Enable attack defense
policy and then select the specific attack protection functions to be enabled. Then, click Apply to finish the
configuration.
Figure 175 Intrusion detection configuration page

On MSR 20/30/50/930 routers


Select Security Setup > Attack Defend > Intrusion Detection to enter the page shown in Figure 176. Click
Add to enter the page for adding a new intrusion detection policy, as shown in Figure 177. Select an
interface and select the attack protection functions to be enabled, and then click Apply. The selected
attack protection functions will be enabled on the selected interface.
Figure 176 Intrusion detection policy list

Figure 177 Add an intrusion detection policy

Attack protection configuration examples


Attack protection configuration example for MSR 900/20-1X
Network requirements
As shown in Figure 178, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:
• Router always drops packets from Host D, an attacker.
• Router denies packets from Host C for 50 minutes for temporary access control of Host C.
• Router provides scanning attack protection and automatically adds detected attackers to the
blacklist.
• Router provides Land attack protection and Smurf attack protection.

Figure 178 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 179.
Figure 179 Enabling the blacklist function

• Select the box before Enable Blacklist.


• Click Apply.
# Add blacklist entries manually.
• Click Add and then perform the following configurations, as shown in Figure 180:

Figure 180 Adding a blacklist entry for Host D

• Enter IP address 5.5.5.5, the IP address of Host D.


• Select Permanence for this blacklist entry.
• Click Apply.
• Click Add and then perform the following configurations, as shown in Figure 181:
Figure 181 Adding a blacklist entry for Host C

• Enter IP address 192.168.1.5, the IP address of Host C.


• Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
• Click Apply.
# Configure intrusion detection: Enable scanning attack protection, and enable blacklist function for it;
enable Land attack protection and Smurf attack protection.
• Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree and then
perform the following configurations, as shown in Figure 182.

Figure 182 Configuring intrusion detection

• Select Enable Attack Defense Policy.


• Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other options.
• Click Apply.

Verifying the configuration


• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
• Router drops all packets from Host D unless you remove Host D from the blacklist.
• Router drops packets from Host C for 50 minutes, after which it forwards packets from Host C
normally.
• Upon detecting the scanning attack, Router outputs an alarm log and adds the IP address of the
attacker to the blacklist. You can view the added blacklist entry by selecting Security Setup > Attack
Defend > Blacklist.
• Upon detecting the Land or Smurf attack, Router outputs an alarm log and drops the attack packet.

Attack protection configuration example for MSR 20/30/50/930


Network requirements
As shown in Figure 183, internal users Host A, Host B, and Host C access the Internet through Router. The
network security requirements are as follows:
• Router always drops packets from Host D, an attacker.
• Router denies packets from Host C for 50 minutes for temporary access control of Host C.

• Router provides scanning attack protection and automatically adds detected attackers to the
blacklist on interface Ethernet 0/2, the interface connecting the Internet.
• Router provides Land attack protection and Smurf attack protection on Ethernet 0/2.
Figure 183 Network diagram

Configuration procedure
# Configure IP addresses for the interfaces. (Details not shown.)
# Enable the blacklist function.
• Select Security Setup > Attack Defend > Blacklist from the navigation tree, and then perform the
following configurations, as shown in Figure 184.
Figure 184 Enabling the blacklist function

• Select the box before Enable Blacklist.


• Click Apply.
# Add blacklist entries manually.
• Click Add and then perform the following configurations, as shown in Figure 185:

Figure 185 Adding a blacklist entry for Host D

• Enter IP address 5.5.5.5, the IP address of Host D.


• Select Permanence for this blacklist entry.
• Click Apply.
• Click Add and then perform the following configurations, as shown in Figure 186:
Figure 186 Adding a blacklist entry for Host C

• Enter IP address 192.168.1.5, the IP address of Host C.


• Select Hold Time and set the hold time of this blacklist entry to 50 minutes.
• Click Apply.
# Configure intrusion detection on Ethernet 0/2: Enable scanning attack protection, and enable blacklist
function for it; enable Land attack protection and Smurf attack protection.
• Select Security Setup > Attack Defend > Intrusion Detection from the navigation tree. Click Add and
then perform the following configurations, as shown in Figure 187.

Figure 187 Configuring intrusion detection

• Select interface Ethernet0/2.


• Select Enable Attack Defense Policy.
• Select Enable Land Attack Detection, Enable Smurf Attack Detection, Enable Scanning Attack
Detection, and Add Source IP Address to the Blacklist. Clear all other options.
• Click Apply.

Verifying the configuration


• Select Security Setup > Attack Defend > Blacklist. Host D and Host C are in the blacklist.
• Router drops all packets from Host D unless you remove Host D from the blacklist.
• Router drops packets from Host C for 50 minutes, after which it forwards packets from Host C
normally.
• Upon detecting the scanning attack on Ethernet 0/2, Router outputs an alarm log and adds the IP
address of the attacker to the blacklist. You can view the added blacklist entry by selecting Security
Setup > Attack Defend > Blacklist.
• Upon detecting the Land or Smurf attack on Ethernet 0/2, Router outputs an alarm log and drops
the attack packet.

Configuring application control

You can load applications, configure a custom application, and enable application control in the Web
interface.
Application control allows you to control which applications and protocols users can access on the
Internet by specifying the destination IP address, protocol, operation type, and port. Application control
can be based on a group of users or all users in a LAN. This chapter describes the application control
based on all users. For application control based on user group, see "Configuring user groups."
The application control function applies to only the outbound direction of WAN interfaces.

Recommended configuration procedure


Step 1. Loading applications
Optional. Load the signature file that contains the application control rules to the device.
IMPORTANT:
If you perform this configuration multiple times, only the last file loaded to the device takes effect.

Step 2. Configuring a custom application
Optional. Add a custom application and configure its match rules.

Step 3. Enabling application control
Required. Enable application control for the specified applications or protocols globally.

Loading applications
Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab to enter the page for loading applications, as shown in Figure 188.
• To load an application control file from the device, select From Device, select the application control
file, and then click Apply.
• To load an application control file from the local host to the device, select From Local, click Browse
to find the file, and then click Apply.
After the file is loaded to the device successfully, all the loaded applications will be displayed at the
lower part of the page.

Figure 188 Loading applications

Configuring a custom application


Select Security Setup > Application Control from the navigation tree, and then select the Custom
Application tab to enter the custom application list page, as shown in Figure 189. Click Add to enter the
page for configuring a custom application, as shown in Figure 190.
Figure 189 Custom applications

Figure 190 Adding a custom application

Table 96 Configuration items

Application Name: Specify the name of the custom application.

Protocol: Specify the transport protocol of the packets: TCP, UDP, or All. All means all protocols carried
over IP.

IP Address: Specify the IP address of the server of the application to be controlled.

Match Rule, Start Port, End Port: Specify the port numbers of the application to be controlled. The port
configuration is available only when you select TCP or UDP for the Protocol parameter:
• If you do not want to limit port numbers, do not select any option for the match rule. In this case, you
do not need to enter a start port or an end port.
• If you want to limit a range of ports, select Range for the match rule, and then enter the start port and
end port to specify the port range.
• If you select any other option for the match rule, enter only the start port.

Enabling application control


Select Security Setup > Application Control from the navigation tree and the page of the Application
Control tab is displayed by default, as shown in Figure 191. Select the applications and protocols to be
controlled from the Loaded Applications, Predefined Applications, and Custom Applications areas as
needed, and then click Apply.
Figure 191 Application Control

Application control configuration example
Network requirements
As shown in Figure 192, internal users access the Internet through Router. Configure application control
on Router, so that no user can use MSN.
Figure 192 Network diagram

Configuration procedure
# Load the application control file. This example assumes that signature file p2p_default.mtd, which
contains the signature needed to identify MSN, is already stored on the device.
• Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab and perform the following configurations, as shown in Figure 193.
Figure 193 Loading the application signature file

• Select the From Device option, and select file p2p_default from the list.
• Click Apply. Figure 194 shows the loaded applications.

Figure 194 Loaded applications

# Enable application control.


• Click the Application Control tab and then perform the following configurations, as shown in Figure
195.
Figure 195 Configuring application control

• Select MSN from the Loaded Applications area.


• Click Apply.

Web page redirection configuration

Overview
With web page redirection configured on an interface, a user who accesses a web page through the
interface for the first time is forcibly led to a specified web page. That is, the user's web access request
is redirected to the specified URL. After that, the user can access network resources normally. If the
user sends a web access request after the specified time interval has elapsed, the specified web page is
displayed again.
This feature applies to scenarios where a hotel or carrier wants to push an advertisement web page
periodically to users.

Configuring web page redirection


CAUTION:
Web page redirection currently has no effect on an interface with the portal function enabled. Do not
configure both functions on the same interface.

Select Advanced > Redirection from the navigation tree to enter the page shown in Figure 196. The web
page redirection configuration information is displayed on the page. Click Add to enter the configuration
page shown in Figure 197.
Figure 196 Redirection page

Figure 197 Redirection URL configuration page

Table 97 Configuration items

Interface: Select the interface on which web page redirection is to be enabled.

Redirection URL: Type the address of the web page to be displayed, that is, the URL to which the web
access request is redirected. For example, http://192.0.0.1.

Interval: Type the time interval at which web page redirection is triggered again.

Configuring routes

The term "router" in this chapter refers to both routers and Layer 3 switches. This chapter mainly describes
IPv4 route configuration.
You can perform the following route configurations through the Web interface:
• Create a static route.
• Display the active route table.

Overview
Upon receiving a packet, a router determines the optimal route based on the destination address and
forwards the packet to the next router in the path. When the packet reaches the last router, it then
forwards the packet to the destination host.
Routing provides the path information that guides the forwarding of packets.
A router selects optimal routes from the routing table, and sends them to the forwarding information base
(FIB) table to guide packet forwarding. Each router maintains a routing table and a FIB table.
You can manually configure routes. Such routes are called static routes.
For more information about the routing table and static routes, see Layer 3—IP Routing Configuration
Guide in H3C MSR Series Routers Configuration Guide (V5).

Configuring routes
Creating an IPv4 static route
1. Select Advanced > Route Setup from the navigation tree.
2. Click the Create tab.
The page for configuring static routes appears.

Figure 198 Static route configuration page

3. Configure static routes as described in Table 98.


Table 98 Configuration items

Destination IP Address: Enter the destination IP address of the static route, in dotted decimal notation.

Mask: Enter the mask of the destination IP address. You can enter a mask length or a mask in dotted
decimal notation.

Preference: Enter a preference value for the static route. The smaller the number, the higher the
preference. Specifying the same preference for multiple static routes to the same destination enables load
sharing across those routes, while specifying different preferences makes the routes with the larger
values backups of the best one.

Next Hop: Enter the next hop IP address of the static route, in dotted decimal notation.

Interface: Select the outgoing interface of the static route. If you select Null 0, packets to the
destination IP address are discarded (the destination is unreachable).

Displaying the active route table
Select Advanced > Route Setup from the navigation tree to display the Summary tab.
Figure 199 Active route table

Table 99 Field description

Destination IP Address: Destination IP address of the route.

Mask: Mask of the destination IP address.

Protocol: Routing protocol that discovered the route: static route, direct route, or one of the dynamic
routing protocols.

Preference: Preference of the route.

Next Hop: Next hop address of the route.

Interface: Output interface of the route. Packets destined for the destination IP address are forwarded
out of this interface.

Static route configuration example


IPv4 static route configuration example
Network requirements
The routers' interfaces and the hosts' IP addresses and masks are shown in Figure 200. You must
configure static routes on the routers for any two hosts to communicate with each other.

Figure 200 Network diagram

Configuration considerations
1. Configure a default route with Router B as the next hop on Router A.
2. On Router B, configure one static route with Router A as the next hop and the other with Router C
as the next hop.
3. Configure a default route with Router B as the next hop on Router C.

Configuration procedure
1. Configure the IP addresses of the interfaces. (Details not shown.)
2. Configure a default route on Router A:
a. Select Advanced > Route Setup from the navigation tree of Router A.
b. Click the Create tab.
c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and 1.1.4.2 for Next Hop.
d. Click Apply.

Figure 201 Configuring a default route on Router A

The newly created static route is listed at the lower part of the page.
3. Configure two static routes on Router B:
a. Select Advanced > Route Setup from the navigation tree of Router B.

b. Click the Create tab.
c. Enter 1.1.2.0 for Destination IP Address, 24 for Mask, and 1.1.4.1 for Next Hop.
d. Click Apply.
e. Enter 1.1.3.0 for Destination IP Address, 24 for Mask, and 1.1.5.6 for Next Hop.
f. Click Apply.
The newly created static route is listed at the lower part of the page.
4. Configure a default route on Router C:
a. Select Advanced > Route Setup from the navigation tree of Router C.
b. Click the Create tab.
c. Enter 0.0.0.0 for Destination IP Address, 0 for Mask, and, for Next Hop, the IP address of the Router B
interface that connects to Router C (see Figure 200).
d. Click Apply.
The newly created static route is listed at the lower part of the page.
5. Configure the IP addresses of the hosts and configure the default gateways of Host A, Host B, and
Host C as 1.1.2.3, 1.1.6.1, and 1.1.3.1. (Details not shown.)
6. Verify the configuration:
# Display the active route table.
From the navigation tree of Router A, Router B, and Router C, select Advanced > Route Setup to
display the Summary tab. Verify that the newly created static routes are displayed in the active
route table.
# Ping Host A from Host B (assuming both hosts run Windows XP).
C:\Documents and Settings\Administrator>ping 1.1.2.2

Pinging 1.1.2.2 with 32 bytes of data:

Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128
Reply from 1.1.2.2: bytes=32 time=1ms TTL=128

Ping statistics for 1.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Use the tracert command on Host B to check the reachability to Host A.
C:\Documents and Settings\Administrator>tracert 1.1.2.2

Tracing route to 1.1.2.2 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  1.1.6.1
  2    <1 ms    <1 ms    <1 ms  1.1.4.1
  3     1 ms    <1 ms    <1 ms  1.1.2.2

Trace complete.

Configuration guidelines
When you configure a static route, follow these guidelines:
• If you do not specify the preference, the default preference is used. Reconfiguration of the default
preference applies only to newly created static routes. The Web interface does not support
configuration of the default preference.
• If you specify the next hop address first and then configure it as the IP address of a local interface,
such as an Ethernet interface and VLAN interface, the static route does not take effect.
• When you specify the output interface, note the following:
  - If Null 0 or a loopback interface is specified as the output interface, there is no need to
    configure the next hop.
  - If a point-to-point interface is specified as the output interface, you do not need to specify the
    next hop, and there is no need to change the configuration after the peer address has changed.
    For example, a PPP interface obtains the peer's IP address through PPP negotiation. Therefore,
    you only need to specify it as the output interface.
  - If the output interface is an NBMA or P2MP interface, which supports point-to-multipoint
    networks, the IP address-to-link layer address mapping must be established. H3C recommends
    specifying the next hop when you configure it as the output interface.
  - If you want to specify a broadcast interface (such as an Ethernet interface, virtual template, or
    VLAN interface) as the output interface, which can have multiple next hops, you must specify
    the next hop at the same time.
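The following is an added example, not code from the H3C guide or the router itself. It models the static routes configured on Router B in the example above (1.1.2.0/24 via 1.1.4.1 and 1.1.3.0/24 via 1.1.5.6) as a small route table with longest-prefix matching, and applies two of the guidelines: a static route whose next hop is one of the device's own interface addresses does not take effect, and routes that tie on prefix length and preference are all returned as equal-cost next hops. The default preference of 60, the default route on Router B, and the local interface addresses other than 1.1.6.1 are assumptions made for the example.

```python
import ipaddress

# Added example, not part of the H3C guide: a minimal static route table with
# longest-prefix lookup that applies the configuration guidelines above.

DEFAULT_PREFERENCE = 60  # assumed default preference for static routes


class StaticRouteTable:
    def __init__(self, local_addresses):
        # addresses configured on the device's own interfaces
        self.local = {ipaddress.ip_address(a) for a in local_addresses}
        self.routes = []  # (network, next hop, preference)

    def add(self, destination, mask, next_hop, preference=DEFAULT_PREFERENCE):
        """mask is the prefix length as entered in the Mask field. Returns False when the
        route is rejected because its next hop is one of the local interface addresses."""
        network = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        hop = ipaddress.ip_address(next_hop)
        if hop in self.local:
            return False
        self.routes.append((network, hop, preference))
        return True

    def lookup(self, address):
        """Next hop(s) for an address: longest prefix wins, then lowest preference.
        Routes that tie on both are returned together as equal-cost next hops."""
        target = ipaddress.ip_address(address)
        matches = [r for r in self.routes if target in r[0]]
        if not matches:
            return []
        longest = max(r[0].prefixlen for r in matches)
        candidates = [r for r in matches if r[0].prefixlen == longest]
        best = min(r[2] for r in candidates)
        return sorted(str(r[1]) for r in candidates if r[2] == best)


def build_router_b():
    """Router B from the example: its two static routes plus an assumed default route."""
    # 1.1.6.1 is Router B's address from the example; 1.1.4.2 and 1.1.5.5 are assumed.
    table = StaticRouteTable(["1.1.4.2", "1.1.5.5", "1.1.6.1"])
    table.add("1.1.2.0", 24, "1.1.4.1")
    table.add("1.1.3.0", 24, "1.1.5.6")
    table.add("0.0.0.0", 0, "1.1.4.1")  # assumed default route, not from the example
    return table


if __name__ == "__main__":
    table = build_router_b()
    for dst in ("1.1.2.2", "1.1.3.9", "203.0.113.5"):
        print(dst, "->", table.lookup(dst))
```

The lookup returns a list so that a caller can see when load sharing applies; a single-element list is the normal case, and an empty list means the packet would be dropped for lack of a route.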

Configuring user-based load sharing

You can configure user-based load sharing through the Web interface.

Overview
A routing protocol can have multiple equal-cost routes to the same destination. These routes have the
same preference, and are all used to accomplish load sharing if no route with a higher preference is
available.
The device supports user-based load sharing based on the user information (source IP addresses) of
packets.

Configuring user-based load sharing


1. Select Advanced > User-based-sharing from the navigation tree.
The user-based load sharing page appears.
Figure 202 User-based load sharing

2. Click the icon of an interface.


The Modify configuration page appears.
Figure 203 Modifying configuration

3. Configure the parameters as described in Table 100.

Table 100 Configuration items

Interface: Name of the interface where user-based load sharing will be configured.
Status of user-based-sharing: Set whether to enable user-based load sharing on the interface.
Bandwidth: Set the bandwidth of the interface. The load ratio of each interface is calculated based on the bandwidth of each interface. For example, if the bandwidth of Ethernet 0/0 is set to 200 kbps and that of Ethernet 0/1 is set to 100 kbps, the load ratio is 2:1.
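The following is an added example, not code from the H3C guide or the router. It shows one way user-based load sharing can distribute traffic in bandwidth proportion: each interface gets a number of hash slots proportional to its configured bandwidth, and a packet's source address is hashed to pick a slot, so all flows from one user stay on one link while many users spread across the links in the 2:1 ratio from Table 100. The interface names and bandwidths come from the table; the hashing scheme and the sample source addresses are assumptions constructed for the example.

```python
import hashlib
import ipaddress
from functools import reduce
from math import gcd

# Added example, not part of the H3C guide: weighted selection of an output interface
# keyed on the packet's source IP address.


def build_slots(interfaces):
    """interfaces: {name: bandwidth_kbps} -> list of slots, one per unit of bandwidth.
    For {"Ethernet0/0": 200, "Ethernet0/1": 100} this yields two slots for 0/0 and one
    for 0/1, which is the 2:1 load ratio described in Table 100."""
    unit = reduce(gcd, interfaces.values())
    slots = []
    for name in sorted(interfaces):
        slots.extend([name] * (interfaces[name] // unit))
    return slots


def select_interface(src_ip, slots):
    """Deterministic choice: the same source address always maps to the same slot,
    so one user's flows are not split across links."""
    packed = ipaddress.ip_address(src_ip).packed
    digest = hashlib.sha256(packed).digest()  # assumed hash; any uniform hash works
    index = int.from_bytes(digest[:8], "big") % len(slots)
    return slots[index]


def distribution(src_ips, slots):
    """Count how many source addresses land on each interface."""
    counts = {name: 0 for name in slots}
    for ip in src_ips:
        counts[select_interface(ip, slots)] += 1
    return counts


def sample_sources(n, start="10.0.0.1"):
    """Constructed sample input: n consecutive source addresses starting at `start`."""
    base = int(ipaddress.ip_address(start))
    return [str(ipaddress.ip_address(base + i)) for i in range(n)]


if __name__ == "__main__":
    slots = build_slots({"Ethernet0/0": 200, "Ethernet0/1": 100})
    print(distribution(sample_sources(6000), slots))
```

With a few thousand distinct sources the counts approach the 2:1 ratio; with only a handful of users the split can be far from it, which is the practical limit of per-user (rather than per-packet) load sharing.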

Configuring traffic ordering

You can do the following to configure traffic ordering on the Web interface:
• Setting the traffic ordering interval
• Specifying the traffic ordering mode
• Displaying internal interface traffic ordering statistics
• Displaying external interface traffic ordering statistics

Overview
When multiple packet flows (classified by their source addresses) are received or sent by a device, you
can configure IP traffic ordering on the device to collect statistics of the flows in the inbound/outbound
direction, and then rank the statistics. The network administrator can use the traffic ordering statistics to
analyze the network usage for network management.
You can specify an interface as an external or internal interface to collect traffic statistics:
• An internal interface collects both inbound and outbound traffic statistics, including the following:
  - Total traffic statistics
  - Total inbound/outbound traffic statistics
  - Inbound/outbound TCP packet statistics
  - Inbound/outbound UDP packet statistics
  - Inbound/outbound ICMP packet statistics
• An external interface collects only the total inbound traffic statistics.
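The following is an added example, not code from the H3C guide or the router. It implements the collection and ranking described above in a few lines: packets are grouped by source address, an internal interface keeps the total, inbound/outbound totals and per-protocol counters, an external interface keeps only the inbound total, and the entries are ranked in descending order with the top five shown by default. The packet records are constructed sample data, not captured traffic.

```python
from collections import defaultdict

# Added example, not part of the H3C guide: traffic ordering statistics per source
# address. Each constructed record is (direction, source address, protocol, bytes).
SAMPLE_PACKETS = [
    ("in", "10.1.1.10", "tcp", 1500), ("in", "10.1.1.10", "tcp", 1500),
    ("out", "10.1.1.10", "tcp", 500),
    ("in", "10.1.1.11", "udp", 800), ("out", "10.1.1.11", "udp", 200),
    ("in", "10.1.1.12", "icmp", 64), ("in", "10.1.1.12", "icmp", 64),
    ("out", "10.1.1.13", "tcp", 4000),
    ("in", "10.1.1.14", "udp", 2500),
    ("in", "10.1.1.15", "tcp", 100),
    ("out", "10.1.1.16", "udp", 300),
]


def collect(packets, mode):
    """Return {source: {counter: bytes}} for an 'internal' or 'external' interface."""
    stats = defaultdict(lambda: defaultdict(int))
    for direction, src, proto, size in packets:
        if mode == "external":
            if direction == "in":  # an external interface counts inbound traffic only
                stats[src]["in_total"] += size
            continue
        entry = stats[src]
        entry["total"] += size
        entry[f"{direction}_total"] += size
        entry[f"{direction}_{proto}"] += size  # in_tcp, out_udp, in_icmp, ...
    return {src: dict(counters) for src, counters in stats.items()}


def rank(stats, key, top=5):
    """Sort by the chosen counter, highest first (address as tie-breaker), keep the top N.
    `key` corresponds to the Arrange in list and `top` to Number of entries displayed."""
    rows = sorted(stats.items(), key=lambda item: (-item[1].get(key, 0), item[0]))
    return rows[:top]


def top_sources(packets, mode, top=5):
    """Source addresses in display order, using each mode's default sort key."""
    key = "total" if mode == "internal" else "in_total"
    return [src for src, _ in rank(collect(packets, mode), key, top)]


if __name__ == "__main__":
    for mode in ("internal", "external"):
        print(mode, top_sources(SAMPLE_PACKETS, mode))
```

Sources that only send traffic never appear in the external-interface ranking, which is why that view is suited to an uplink where the question is who is pulling traffic in.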

Recommended configuration procedure

1. Setting the traffic ordering interval. Optional. The default traffic ordering interval is 10 seconds.
2. Specifying the traffic ordering mode. Required. Specify an interface as an internal or external interface to collect traffic statistics. By default, an interface does not collect traffic statistics.
3. Displaying internal interface traffic ordering statistics. Optional. You can view the traffic ordering statistics of internal interfaces.
4. Displaying external interface traffic ordering statistics. Optional. You can view the traffic ordering statistics of external interfaces.

Setting the traffic ordering interval
Select Advanced > Traffic Ordering from the navigation tree to enter the default configuration page. You
can set the interval for collecting traffic statistics in the lower part of the page.
Figure 204 Traffic ordering configuration page

Specifying the traffic ordering mode


Select Advanced > Traffic Ordering from the navigation tree. You can view and configure the interface
for collecting traffic statistics in the upper part of the page.
Select one or more boxes in front of the interfaces in the list:
• Click Internal interface to set the interfaces as the internal interfaces to collect traffic statistics.
• Click External interface to set the interfaces as the external interfaces to collect traffic statistics.
• Click Disable statistics collecting to disable the interfaces from collecting traffic statistics.

Displaying internal interface traffic ordering statistics
Select Advanced > Traffic Ordering from the navigation tree and click the Statistics of Internal Interfaces
tab.
By default, the system arranges the entries in descending order of the total traffic statistics, and displays
the top five entries.

Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and
then click Refresh to display the list as needed.
Figure 205 Internal interface traffic ordering statistics page

Displaying external interface traffic ordering statistics
Select Advanced > Traffic Ordering from the navigation tree and click the Statistics of External Interfaces
page.
By default, the system arranges the entries in descending order of the total inbound traffic statistics, and
displays the top five entries.
Select one item from the Arrange in list, enter a number in the Number of entries displayed field, and
then click Refresh to display the list as needed.
Figure 206 External interface traffic ordering statistics page

Configuring DNS

Overview
Domain Name System (DNS) is a distributed database that provides TCP/IP applications with the
mappings between host names and IP addresses. With DNS, you can use easy-to-remember host names
in some applications and let the DNS server translate them into correct IP addresses.
For more information about DNS, see Layer 3—IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).
DNS provides the following functions:
• Dynamic domain name resolution—Implemented by querying the DNS server.
• DNS proxy—Forwards DNS requests and replies between the DNS client and DNS server.

Recommended configuration procedure

Configuring dynamic domain name resolution

Enabling dynamic domain name resolution: Required. Enable dynamic domain name resolution. Disabled by default.
Specifying a DNS server: Required. Not specified by default. You can specify up to six DNS servers.
Configuring a domain name suffix: Optional. A suffix is used when the name to be resolved is incomplete; the system can supply the missing part. For example, a user can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com because the system adds the suffix and delimiter before passing the name to the DNS server. Not configured by default. You can configure up to ten DNS suffixes.
Clearing the dynamic domain name cache: Optional. Clear the dynamic IPv4 domain name cache. The DNS client stores the latest mappings between domain names and IP addresses in the dynamic domain name cache. For a repeated query, the DNS client searches the cache rather than sending a request to the DNS server. The mappings are aged out of the cache after a certain time. You can also manually clear the cache.

Configuring DNS proxy

Enabling DNS proxy: Required. Enable DNS proxy on the device. Disabled by default.
Specifying a DNS server: Required. Not specified by default. You can specify up to six DNS servers.
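The following is an added example, not code from the H3C guide or the router. It is a toy DNS client that shows the two client-side behaviours described in the dynamic domain name resolution table: suffix completion for an incomplete name (the suffix and delimiter are added before the query is sent), and a dynamic cache that answers repeated queries without contacting the server until the entry ages out or the cache is cleared. The six-server and ten-suffix limits come from the table. The in-memory zone stands in for a DNS server (host.com at 3.1.1.1 is taken from the later example; the address for aabbcc.com is constructed), and the cache aging time, the injected clock and the rule that a name already containing a dot is queried as-is are assumptions.

```python
# Added example, not part of the H3C guide: DNS suffix completion and a dynamic cache.

MAX_SERVERS = 6          # from the table: up to six DNS servers
MAX_SUFFIXES = 10        # from the table: up to ten DNS suffixes
CACHE_TTL_SECONDS = 300  # assumed aging time for cached mappings


class FakeClock:
    """Controllable time source so that cache aging can be demonstrated offline."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeServer:
    """Stand-in for a DNS server backed by a constructed in-memory zone."""
    def __init__(self, zone):
        self.zone = zone
        self.queries = 0  # counts requests actually sent to the server

    def query(self, fqdn):
        self.queries += 1
        return self.zone.get(fqdn)


class DnsClient:
    def __init__(self, clock):
        self.clock = clock   # callable returning seconds
        self.servers = []
        self.suffixes = []
        self.cache = {}      # name as entered -> (address, expiry time)

    def add_server(self, server):
        if len(self.servers) >= MAX_SERVERS:
            return False
        self.servers.append(server)
        return True

    def add_suffix(self, suffix):
        if len(self.suffixes) >= MAX_SUFFIXES or suffix in self.suffixes:
            return False
        self.suffixes.append(suffix)
        return True

    def candidate_names(self, name):
        """Names to query, in order. A name with a dot is assumed complete; an
        incomplete name gets each suffix appended with the '.' delimiter, then is tried bare."""
        if "." in name:
            return [name]
        return [f"{name}.{suffix}" for suffix in self.suffixes] + [name]

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:          # fresh cache entry: no request is sent
            return hit[0]
        for fqdn in self.candidate_names(name):
            for server in self.servers:
                address = server.query(fqdn)
                if address:
                    self.cache[name] = (address, now + CACHE_TTL_SECONDS)
                    return address
        return None

    def clear_cache(self):
        """Equivalent of the Clear Dynamic DNS cache box."""
        self.cache.clear()


def build_client():
    """Constructed setup: one server, suffix com, as in the later configuration example."""
    clock = FakeClock()
    server = FakeServer({"host.com": "3.1.1.1", "aabbcc.com": "192.0.2.10"})
    client = DnsClient(clock.now)
    client.add_server(server)
    client.add_suffix("com")
    return clock, server, client
```

Clearing the cache is the right step after a name's address has changed, because until the old entry ages out the client keeps answering from the stale mapping rather than asking the server again.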

Enabling dynamic domain name resolution


1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2. Select Enable for Dynamic DNS.
3. Click Apply.
Figure 207 Dynamic domain name resolution configuration

Enabling DNS proxy


1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2. Select Enable for DNS Proxy.

3. Click Apply.

Clearing the dynamic domain name cache


1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2. Select the Clear Dynamic DNS cache box.
3. Click Apply.

Specifying a DNS server


1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2. Click Add IP to enter the page as shown in Figure 208.
Figure 208 Adding a DNS server address

3. Configure the DNS server as described in Table 101.


4. Click Apply.
Table 101 Configuration items

Item Description
DNS Server IP Address Enter the IP address of a DNS server.

Configuring a domain name suffix


1. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page as shown in Figure 207.
2. Click Add Suffix to enter the configuration page as shown in Figure 209.
Figure 209 Adding a domain name suffix

3. Configure the domain name suffix as described in Table 102.


4. Click Apply.

Table 102 Configuration items

Item Description
DNS Domain Name Suffix Configure a domain name suffix.

Domain name resolution configuration example


Network requirements
As shown in Figure 210, Router B serves as a DNS client and Router A is specified as a DNS server.
Dynamic domain name resolution and the domain name suffix are configured on Router B, and therefore
Router B can use domain name host to access the host with the domain name host.com and the IP
address 3.1.1.1/24.
Router A serves as the DNS proxy. The IP address of the actual DNS server is 4.1.1.1/24.
Router B performs domain name resolution via Router A.
Figure 210 Network diagram: Router B (DNS client, 2.1.1.1/24), Router A (DNS proxy, 2.1.1.2/24 and 1.1.1.1/24), IP network, DNS server (4.1.1.1/24), Host (host.com, 3.1.1.1/24)
Before performing the following configuration, make sure the device and the host are routable to each
other, and the IP addresses of the interfaces are configured as shown in Figure 210.
This configuration may vary with different DNS servers. The following configuration is performed on a PC
running Windows Server 2000.

Configuring the DNS server


1. Select Start > Programs > Administrative Tools > DNS.
The page for configuring the DNS server appears.
2. Create zone com:
a. As shown in Figure 211, right-click Forward Lookup Zones.
b. Select New Zone, and then follow the wizard to create a new zone named com.

Figure 211 Creating a zone

3. Create a mapping between the host name and the IP address:


a. In Figure 212, right-click zone com.
b. Select New Host to bring up a dialog box as shown in Figure 213.
c. Enter host name host and IP address 3.1.1.1.
Figure 212 Adding a host

Figure 213 Adding a mapping between domain name and IP address

Configuring the DNS proxy (Router A)


1. Enable DNS proxy on Router A:
a. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page, as shown in Figure 214.
Figure 214 Enabling DNS proxy on Router A

b. Select Enable for DNS Proxy.


c. Click Apply.
2. Specify the DNS server address:
a. Click Add IP to enter the page as shown in Figure 215.

Figure 215 Specifying a DNS server address

b. Enter 4.1.1.1 in DNS Server IP Address.


c. Click Apply.

Configuring the DNS client (Router B)


1. Enable dynamic domain name resolution:
a. From the navigation tree, select Advanced > DNS Setup > DNS Configuration to enter the
configuration page, as shown in Figure 216.
Figure 216 Enabling dynamic domain name resolution

b. Select Enable for Dynamic DNS.


c. Click Apply.
2. Specify the DNS server address:
a. Click Add IP to enter the page as shown in Figure 217.

Figure 217 Specifying the DNS server address

b. Enter 2.1.1.2 in DNS Server IP Address.


c. Click Apply.
3. Configure the domain name suffix:
a. Click Add Suffix to enter the page as shown in Figure 218.

Figure 218 Configuring DNS domain name suffix

b. Enter com in DNS Domain Name Suffix.


c. Click Apply.

Verifying the configuration


Select Other > Diagnostic Tools from the navigation tree and click the Ping tab. Use the ping host
command to verify that the communication between Router B and the host is normal and that the
corresponding destination IP address is 3.1.1.1.

Configuring DDNS

Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the
static mappings between domain names and IP addresses. When you use the domain name to access
a node whose IP address has changed, your access fails because DNS leads you to the IP address that
is no longer where the node resides.
Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names
and IP addresses for DNS servers to direct you to the latest IP address corresponding to a domain name.
DDNS can only dynamically update the mappings between domain names and IPv4 addresses but not
IPv6 addresses.
Figure 219 DDNS networking application

As shown in Figure 219, DDNS works on the client-server model comprising the DDNS client and the
DDNS server.
• DDNS client—A device that needs to update the mapping between the domain name and the IP
address dynamically on a DNS server. An Internet user usually uses the domain name to access an
application layer server such as an HTTP and FTP server. When its IP address changes, the
application layer server runs as a DDNS client that sends a request to the DDNS server for updating
the mapping between the domain name and the IP address.
• DDNS server—Informs the DNS server of latest mappings. When receiving the mapping update
request from a DDNS client, the DDNS server tells the DNS server to re-map between the domain
name and IP address of the DDNS client. Therefore, the Internet users can use the same domain
name to access the DDNS client even if the IP address of the DDNS client has changed.
The DDNS update process does not have a unified standard and depends on the DDNS server that the
DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn
(also known as the PeanutHull server), and www.dyndns.com.
The device can act as a DDNS client to dynamically update the latest mapping between its domain name
and IP address on the DNS server through a DDNS server at www.3322.org or www.oray.cn for
example.

Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for
the DDNS client.
• Specify the primary IP address of the interface and make sure the DDNS server and the interface
can reach each other.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS
server into its IP address.

Configuration procedure
1. From the navigation tree, select Advanced > DNS Setup > DDNS Configuration to enter the DDNS
page, as shown in Figure 220.
2. Click Add.
Figure 220 Configuring DDNS page

3. Configure a DDNS entry, as described in Table 103.


Figure 221 Creating a DDNS entry

Table 103 Configuration items

Domain Name: Specify the DDNS entry name, which is the unique identifier of the DDNS entry.
Server Provider: Select the DDNS server provider, which can be 3322.org or PeanutHull.
Server Settings, Server Name: Specify the server name of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. For example, if the server provider is 3322.org, the server name is members.3322.org. If the server provider is PeanutHull, the server name is phservice2.oray.net. Use the default server name for the server provider 3322.org. The server provider PeanutHull can use phservice2.oray.net, phddns60.oray.net, client.oray.net, or ph031.oray.net as the server name.
Server Settings, Interval: Specify the interval for sending DDNS update requests after DDNS update is enabled. IMPORTANT:
• A DDNS update request is immediately initiated when the primary IP address of the interface changes or the link state of the interface changes from down to up, no matter whether the interval is reached.
• If you specify the interval as 0, your device does not periodically initiate any DDNS update request, but initiates a DDNS update request when the primary IP address of the interface is changed or the link state of the interface changes from down to up.
Account Settings, Username: Specify the username used for logging in to the DDNS server.
Account Settings, Password: Specify the password used for logging in to the DDNS server.
Associated Interface: Select an interface to which the DDNS policy is applied. The IP address in the host name-to-IP address mapping for update is the primary IP address of the interface. IMPORTANT: You can bind up to four DDNS entries to an interface.
Other Settings, FQDN: Specify the Fully Qualified Domain Name (FQDN) in the IP-to-FQDN mapping for update.
• If the DDNS service is provided by www.3322.org, the FQDN must be specified. Otherwise, DDNS update may fail.
• If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server updates all the corresponding domain names of the DDNS client account. If an FQDN is specified, the DDNS server updates only the specified IP-to-FQDN mapping.

DDNS configuration example


Network requirements
As shown in Figure 222, Router is a Web server with the domain name whatever.3322.org.
Router acquires an IP address through DHCP. Through DDNS service provided by www.3322.org, Router
informs the DNS server of the latest mapping between its domain name and IP address.
The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.3322.org into the
corresponding IP address.

Figure 222 Network diagram

Configuring DDNS on the router


Before configuring DDNS on Router, register at http://www.3322.org/ (username steven and password
nevets in this example), add Router's host name-to-IP address mapping to the DNS server, and make sure
the devices are reachable to each other.
1. Enable dynamic domain name resolution and set the IP address of the DNS server to 1.1.1.1.
(Details not shown.)
2. Configure DDNS:
a. From the navigation tree, select Advanced > DNS Setup > DDNS Configuration.
b. Click Add to enter the page.

Figure 223 Configuring DDNS

c. Enter 3322 in Domain Name


d. Select 3322.org from the Server Provider list.
e. Enter steven in Username.
f. Enter nevets in Password and select Ethernet0/1 from the Associated Interface list.
g. Enter whatever.3322.org in FQDN.

h. Click Apply.
After the preceding configuration is completed, Router notifies the DNS server of its new domain
name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its
IP address changes. Therefore, Router can always provide Web service at whatever.3322.org.

Configuring DHCP

Introduction to DHCP
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration
information to network devices.
DHCP uses the client/server model. Figure 224 shows a typical DHCP application.
Figure 224 A typical DHCP application

A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on
another subnet through a DHCP relay agent, as shown in Figure 225.
Figure 225 A typical DHCP relay agent application

For more information about DHCP, see Layer 3—IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).

Recommended configuration procedure

Configuring the DHCP server

Enabling DHCP: Required. Enable DHCP globally. Disabled by default.
Configuring the DHCP server on an interface: Optional. For detailed configuration, see "Configuring DHCP interface setup." Enabled by default. IMPORTANT: The DHCP server configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, serial interface, ATM interface, MP-group interface, or loopback interface.
Configuring a static address pool or a dynamic address pool for the DHCP server: Required. An address pool can be either static or dynamic, but not both. IMPORTANT: When a DHCP client tries to obtain an IP address through a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured. Otherwise, the DHCP client fails to obtain an IP address.
Configuring IP addresses excluded from dynamic allocation: Optional. Exclude IP addresses from automatic allocation in the DHCP address pool. To avoid address conflicts, the DHCP server excludes IP addresses used by the gateway or FTP server from dynamic allocation. By default, all IP addresses in the address pool, except the IP address of the DHCP server, can be assigned automatically. IMPORTANT: If a statically bound IP address is excluded from automatic allocation, it is still assignable to the bound user.

Configuring the DHCP relay agent

Enabling DHCP: Required. Enable DHCP globally. Disabled by default.
Configuring a DHCP server group: Required. To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives DHCP requests from clients, the relay agent forwards them to all the DHCP servers of the group.
Configuring the DHCP relay agent on the current interface and correlating it with the DHCP server group: Required. For the detailed configuration, see "Configuring DHCP interface setup." By default, the interface works as a DHCP server. IMPORTANT:
• At present, the DHCP relay agent configuration is supported only on a Layer 3 Ethernet interface (or subinterface), virtual Ethernet interface, VLAN interface, Layer 3 aggregate interface, or serial interface.
• If the DHCP relay agent is enabled on an Ethernet subinterface, a packet received from a client on this interface must contain a VLAN tag, and the VLAN tag must be consistent with the VLAN ID of the subinterface. Otherwise, the packet is discarded.

Configuring the DHCP client

Configuring the DHCP client on an interface: Required. For detailed configuration, see "Configuring DHCP interface setup." By default, the interface does not obtain an IP address through DHCP. IMPORTANT: At present, the DHCP client configuration is supported only on a Layer 3 interface (or subinterface), VLAN interface, or Layer 3 aggregate interface. You cannot configure an interface of an aggregation group as a DHCP client.


Enabling DHCP
Select Advanced > DHCP Setup from the navigation tree to enter the default DHCP Enable page as shown
in Figure 226.

Figure 226 DHCP Enable

Table 104 Configuration items

Item Description
DHCP Enable or disable DHCP globally.

Configuring DHCP interface setup


1. Select Advanced > DHCP Setup from the navigation tree.
2. Click the DHCP Interface Setup tab.
The DHCP interface setup configuration page appears, as shown in Figure 227.
Figure 227 DHCP interface setup

3. Configure the DHCP interface setup as described in Table 105.


4. Click Apply.
Table 105 Configuration items

Interface: Select an interface to be configured.
Type: Select a type for the interface, which can be:
• None—Upon receiving a DHCP request, the interface does not assign an IP address to the requesting client nor serves as a DHCP relay agent to forward the request.
• Server—Upon receiving a DHCP request, the interface assigns the requesting client an IP address from the address pool.
• Relay—Upon receiving a DHCP request, the interface forwards the request to an external DHCP server, which assigns an IP address for the requesting client.
• Client—The interface uses DHCP to obtain an IP address.
DHCP server group: Correlate the relay agent interface with a DHCP server group. You can correlate a DHCP server group with multiple interfaces. Make sure that you have already added DHCP server groups for selection.

Configuring a static address pool for the DHCP server
1. Select Advanced > DHCP Setup from the navigation tree.
2. Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3. Select the Server option in the Type field and expand the Assignable IP Addresses node.
4. Select Static Binding option in the Address Allocation Mode field to expand the static address pool
setup configuration section.

Figure 228 Static address pool setup for the DHCP server

5. Configure the static address pool for the DHCP server as described in Table 106.
6. Click Apply.
Table 106 Configuration items

Pool Name: Name of the static DHCP address pool.
Address Allocation Mode (Static Binding): Specify the static address allocation mode for the DHCP address pool.
IP Address and Subnet Mask: IP address and its subnet mask of the static binding. A natural mask is adopted if no subnet mask is specified. IMPORTANT: It cannot be the IP address of the DHCP server interface. Otherwise, IP address conflicts may occur, and the client cannot obtain the IP address.
MAC Address: The client's MAC address of the static binding.
Domain Name: Specify a domain name suffix for the DHCP client. After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client.
Gateway IP Address: Specify a gateway for the DHCP client. DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client.
Primary DNS Server: Specify a primary DNS server for the DHCP client. In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client.
Standby DNS Server: Specify a standby DNS server for the DHCP client.

Configuring a dynamic address pool for the DHCP server
1. Select Advanced > DHCP Setup from the navigation tree.
2. Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3. Select the Server option in the Type field, and then expand the Assignable IP Addresses node.
4. Select the Dynamic Allocation option in the Address Allocation Mode field to expand the dynamic
address pool setup configuration section.

Figure 229 Dynamic address pool setup for the DHCP server

5. Configure the dynamic address pool for the DHCP server as described in Table 107.
6. Click Apply.
Table 107 Configuration items

Pool Name: Name of the dynamic DHCP address pool.
Address Allocation Mode (Dynamic Allocation): Specify the dynamic address allocation mode for the DHCP address pool.
IP Address and Subnet Mask: Specify an IP address for dynamic address allocation. A natural mask is adopted if no subnet mask is specified. IMPORTANT: Make sure the IP address is on the same network segment as the IP address of the DHCP server interface or the DHCP relay agent interface to avoid wrong IP address allocation.
Lease Duration: Specify the lease for IP addresses to be assigned. NOTE:
• If the lease has an end time specified later than the year 2106, the system considers it an expired lease.
• The lease duration does not have the inherit attribute.
Domain Name: Specify a domain name suffix for the DHCP client. After specifying a domain name in the address pool, the DHCP server assigns the domain name along with an IP address to a client.
Gateway IP Address: Specify a gateway for the DHCP client. DHCP clients that want to access hosts outside the local subnet need a gateway to forward data. After specifying a gateway in the address pool, the DHCP server assigns the gateway address along with an IP address to a client.
Primary DNS Server: Specify a primary DNS server for the DHCP client. In order for clients to access the Internet using a domain name, the DHCP server assigns the specified DNS server address along with an IP address to a client.
Standby DNS Server: Specify a standby DNS server for the DHCP client.

Configuring IP addresses excluded from dynamic allocation
1. Select Advanced > DHCP Setup from the navigation tree.
2. Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3. Select the Server option in the Type field.
4. Expand the Forbidden IP Addresses node.

Figure 230 IP address excluded from dynamic allocation setup

5. Configure IP addresses excluded from dynamic allocation as described in Table 108.


6. Click Apply.
Table 108 Configuration items

Start IP Address: Specify the lowest IP address excluded from dynamic allocation.
End IP Address: Specify the highest IP address excluded from dynamic allocation. The end IP address must not be lower than the start IP address. A higher end IP address and a lower start IP address specify an IP address range, while two identical IP addresses specify a single IP address.

Configuring a DHCP server group


1. Select Advanced > DHCP Setup from the navigation tree.
2. Click the DHCP Interface Setup tab to enter the DHCP interface setup configuration page as shown
in Figure 227.
3. Select an interface that supports the DHCP relay agent.
4. Select the Relay option in the Type field, and then expand the Add DHCP Server Group node.

Figure 231 DHCP server group setup

5. Configure the DHCP server group as described in Table 109.
6. Click Apply.
Table 109 Configuration items

Group ID: DHCP server group ID. You can create at most 20 DHCP server groups.
Server IP Address: Specifies the DHCP server IP addresses for the DHCP server group. IMPORTANT: The IP address of a DHCP server cannot be on the same network segment as that of the DHCP relay agent interface. Otherwise, DHCP clients may fail to obtain IP addresses.

DHCP configuration examples


There are two typical DHCP network types:
• The DHCP server and clients are on the same subnet and directly exchange DHCP messages.
• The DHCP server and clients are not on the same subnet and communicate with each other through
a DHCP relay agent.
The DHCP server configuration for the two types is the same.

DHCP configuration example without DHCP relay agent
Network requirements
The DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into
10.1.1.0/25 and 10.1.1.128/25.
The IP addresses of Ethernet 0/1 and Ethernet 0/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25
respectively.
In subnet 10.1.1.0/25, the lease is ten days and twelve hours, the domain name suffix is aabbcc.com, the
DNS server address is 10.1.1.2/25, and the gateway address is 10.1.1.126/25.
In subnet 10.1.1.128/25, the lease is five days, the domain name suffix is aabbcc.com, the DNS server
address is 10.1.1.2/25, and the gateway address is 10.1.1.254/25.
Subnets 10.1.1.0/25 and 10.1.1.128/25 have the same domain name suffix and DNS server address.
Therefore, the domain name suffix and DNS server address must be configured only for subnet
10.1.1.0/24. Subnet 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of subnet 10.1.1.0/24.
Router B (DHCP client) obtains a static IP address, DNS server address, and gateway address from
Router A (DHCP server).
Figure 232 DHCP network without a DHCP relay agent

Configuring the DHCP server (Router A)


1. Specify IP addresses for interfaces (details not shown).
2. Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree to enter the default DHCP Enable
page.

Figure 233 Enabling DHCP

b. Select the Enable option in the DHCP field.


c. Click Apply.
3. Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on
interface Ethernet 0/1. Details not shown.)
4. Configure a DHCP static address pool, and bind IP address 10.1.1.5 to Router B:
a. Click the DHCP Interface Setup tab.

Figure 234 DHCP static address pool configuration

b. Select the Server option in the Type field and expand the Assignable IP Addresses node.
c. Enter pool-static in the Pool Name field and select the Static Binding option in the Address
Allocation Mode field.
d. Enter 10.1.1.5 in the IP Address field and select the Subnet Mask box, and then enter
255.255.255.128.
e. Enter 000f-e200-0002 in the MAC Address field and select the Gateway IP Address box, and
then enter 10.1.1.126.
f. Select the Primary DNS Server box, and then enter 10.1.1.2.
g. Click Apply.
5. Configure DHCP address pool 0 (including the address range, client domain name suffix and DNS
server address):

Figure 235 DHCP address pool 0 configuration

a. Enter pool0 in the Pool Name field, as shown in Figure 235.


b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field and select the Subnet Mask box, and then enter
255.255.255.0.
d. Select the Domain Name box, and then enter aabbcc.com.
e. Select the Primary DNS Server box, and then enter 10.1.1.2.
f. Click Apply.
6. Configure DHCP address pool 1 (including the address range, lease duration, and gateway
address):

Figure 236 DHCP address pool 1 configuration

a. Enter pool1 in the Pool Name field, as shown in Figure 236.


b. Select Dynamic Allocation in the Address Allocation Mode field.
c. Enter 10.1.1.0 in the IP Address field.
d. Select the Subnet Mask box, and then enter 255.255.255.128.
e. Set the Lease Duration to 10 days, 12 hours, and 0 minutes.
f. Select the Gateway IP Address box, and then enter 10.1.1.126.
g. Click Apply.
7. Configure DHCP address pool 2 (including the address range, lease duration and gateway IP
address):

Figure 237 DHCP address pool 2 configuration

a. Enter pool2 in the Pool Name field, as shown in Figure 237.


b. Select the Dynamic Allocation option in the Address Allocation Mode field.
c. Enter 10.1.1.128 in the IP Address field.
d. Select the Subnet Mask box, and then enter 255.255.255.128.
e. Set the Lease Duration to 5 days, 0 hours, and 0 minutes.
f. Select the Gateway IP Address box, and then enter 10.1.1.254.
g. Click Apply.
8. Exclude IP addresses from dynamic allocation (DNS server and gateway addresses):
a. Expand the Forbidden IP Addresses node.

Figure 238 Excluding IP addresses from dynamic allocation

b. Enter 10.1.1.2 in the Start IP Address field and 10.1.1.2 in the End IP Address field, and
click Apply. Enter 10.1.1.126 in the Start IP Address field and 10.1.1.126 in the End IP
Address field, as shown in Figure 238, and click Apply. Then enter 10.1.1.254 in the Start IP
Address field and 10.1.1.254 in the End IP Address field.
c. Click Apply.
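To see what the pools configured in steps 4 to 8 mean for a client, here is an added Python model, not code from this guide or from H3C, of Router A's DHCP server: the static binding for Router B, pool 0 carrying the domain name and DNS server, pools 1 and 2 inheriting those options for their subnets, and the excluded addresses. The addresses, MAC address and lease times are the example's; the lease string format, the rule that a static binding inherits from the enclosing pools like a subnet pool does, and the skipping of the server's own interface address are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network                          # IP Address and Subnet Mask fields
    options: Dict[str, str] = field(default_factory=dict)   # gateway, dns, domain
    lease: Optional[str] = None                             # Lease Duration, e.g. "10d12h0m" (assumed format)
    static_mac: Optional[str] = None                        # Static Binding: client MAC address
    static_ip: Optional[str] = None                         # Static Binding: bound IP address


class DhcpServer:
    def __init__(self) -> None:
        self.pools: List[Pool] = []
        self.forbidden: Set[ipaddress.IPv4Address] = set()
        self.leases: Dict[str, str] = {}          # client MAC -> assigned address

    def add_pool(self, pool: Pool) -> None:
        self.pools.append(pool)

    def forbid(self, start: str, end: str) -> None:
        """Forbidden IP Addresses: exclude start..end from dynamic allocation."""
        first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.forbidden.update(ipaddress.IPv4Address(n) for n in range(first, last + 1))

    def effective_options(self, pool: Pool) -> Dict[str, Optional[str]]:
        """Merge the options of every enclosing dynamic pool, largest network first, so a
        subnet pool inherits its parent's settings (domain and DNS from 10.1.1.0/24 here)
        and can override them. Assumption: a static binding inherits the same way."""
        chain = [p for p in self.pools if p.static_mac is None and pool.network.subnet_of(p.network)]
        if pool.static_mac is not None:
            chain.append(pool)
        merged: Dict[str, Optional[str]] = {"lease": None}
        for p in sorted(chain, key=lambda p: p.network.prefixlen):
            merged.update(p.options)
            if p.lease is not None:
                merged["lease"] = p.lease
        return merged

    def offer(self, mac: str, server_if_ip: str) -> Dict[str, Optional[str]]:
        """Choose the pool and address for a client heard on the server interface with this address."""
        for p in self.pools:                      # a static binding for the client's MAC wins
            if p.static_mac == mac:
                result = {"pool": p.name, "ip": p.static_ip, **self.effective_options(p)}
                del result["lease"]               # the guide gives no lease for a static binding
                return result
        ifaddr = ipaddress.IPv4Address(server_if_ip)
        candidates = [p for p in self.pools if p.static_mac is None and ifaddr in p.network]
        if not candidates:
            raise LookupError("no pool for interface %s" % server_if_ip)
        pool = max(candidates, key=lambda p: p.network.prefixlen)   # most specific pool
        taken = {ipaddress.IPv4Address(ip) for ip in self.leases.values()}
        taken |= {ipaddress.IPv4Address(p.static_ip) for p in self.pools if p.static_ip}
        for host in pool.network.hosts():
            # Assumption: the server's own interface address is never handed out.
            if host == ifaddr or host in self.forbidden or host in taken:
                continue
            self.leases[mac] = str(host)
            return {"pool": pool.name, "ip": str(host), **self.effective_options(pool)}
        raise RuntimeError("pool %s is exhausted" % pool.name)


def build_router_a() -> DhcpServer:
    """Router A's pools and excluded addresses from the example above."""
    server = DhcpServer()
    server.add_pool(Pool("pool-static", ipaddress.IPv4Network("10.1.1.5/25", strict=False),
                         {"gateway": "10.1.1.126", "dns": "10.1.1.2"},
                         static_mac="000f-e200-0002", static_ip="10.1.1.5"))
    server.add_pool(Pool("pool0", ipaddress.IPv4Network("10.1.1.0/24"),
                         {"domain": "aabbcc.com", "dns": "10.1.1.2"}))
    server.add_pool(Pool("pool1", ipaddress.IPv4Network("10.1.1.0/25"),
                         {"gateway": "10.1.1.126"}, lease="10d12h0m"))
    server.add_pool(Pool("pool2", ipaddress.IPv4Network("10.1.1.128/25"),
                         {"gateway": "10.1.1.254"}, lease="5d0h0m"))
    for excluded in ("10.1.1.2", "10.1.1.126", "10.1.1.254"):
        server.forbid(excluded, excluded)
    return server
```

A client with MAC 000f-e200-0002 heard on Ethernet 0/1 (10.1.1.1) gets 10.1.1.5 with the gateway and DNS server of the static pool plus the domain name inherited from pool 0; any other client on that interface is served from pool 1 (the /25 containing the interface address), with 10.1.1.2 and 10.1.1.126 skipped because they are excluded, and a client on Ethernet 0/2 (10.1.1.129) is served from pool 2 with the five-day lease.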

Configuring the DHCP client (Router B)


1. Enable the DHCP client on interface Ethernet 0/1:
a. Select Advanced > DHCP Setup from the navigation tree, and then click the DHCP Interface
Setup tab.

Figure 239 Enabling the DHCP client on interface Ethernet 0/1

b. Select Ethernet0/1 from the Interface list.


c. Select the Client option in the Type field.
d. Click Apply.

Configuring the DHCP client (Router C)


1. Enable the DHCP client on interface Ethernet 0/1:
a. Select Advanced > DHCP Setup from the navigation tree of Router C, and then click the DHCP
Interface Setup tab, as shown in Figure 239.
b. Select Ethernet0/1 from the Interface list.
c. Select the Client option in the Type field.
d. Click Apply.

DHCP relay agent configuration example


Network requirements
Ethernet 0/1 on the DHCP relay agent (Router A) connects to the network where the DHCP clients reside. The
IP address of Ethernet 0/1 is 10.10.1.1/24. Ethernet 0/2, with IP address 10.1.1.2/24, connects to the
DHCP server (Router B), whose IP address is 10.1.1.1/24.
Router A forwards DHCP messages so that the DHCP clients on the network segment 10.10.1.0/24 can
obtain IP addresses, DNS server address and gateway address from the DHCP server. The IP address
lease is seven days, the domain name suffix is aabbcc.com, the DNS server address is 10.10.1.2/24,
and the gateway address is 10.10.1.126/24.

Figure 240 Network diagram

Configuring the DHCP relay agent (Router A)


1. Specify IP addresses for interfaces (details not shown).
2. Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree of Router A.
b. Enter the default DHCP Enable tab.

Figure 241 DHCP enable

c. Select the Enable option in the DHCP field.


d. Click Apply.
3. Create a DHCP server group:
a. Click the DHCP Interface Setup tab.

Figure 242 DHCP server group creating

b. Select Ethernet0/1 from the Interface list.


c. Select the Relay option in the Type field.
d. Expand the Add DHCP Server Group node.
e. Enter 1 in the Group ID field.
f. Enter 10.1.1.1 in the Server IP Address field.
g. Click Apply.
4. Enable the DHCP relay agent on interface Ethernet 0/1.
Figure 243 The page for enabling the DHCP relay agent on interface Ethernet 0/1

a. Select 1 from the DHCP Server Group list.


b. Click Apply.

Configuring the DHCP server (Router B)


1. Specify addresses for interfaces. (Details not shown.)

2. Enable DHCP:
a. Select Advanced > DHCP Setup from the navigation tree of Router B.
b. Enter the default DHCP Enable tab, as shown in Figure 244.

Figure 244 Enable DHCP

c. Select the Enable option in the DHCP field.


d. Click Apply.
3. Enable the DHCP server on interface Ethernet 0/1. (By default, the DHCP server is enabled on
Ethernet 0/1. Details are not shown.)
4. Configure a dynamic DHCP address pool:
a. Click the DHCP Interface Setup tab.

Figure 245 Dynamic DHCP address pool configuration

b. Select the Server option in the Type field and expand the Assignable IP Addresses node.
c. Enter pool1 in the Pool Name field and select the Dynamic Allocation option in the Address
Allocation Mode field.
d. Enter 10.10.1.0 in the IP Address field, select the Subnet Mask box, and then enter
255.255.255.0.
e. Set the Lease Duration to 7 days, 0 hours, and 0 minutes.
f. Select the Domain Name box, and then enter aabbcc.com.
g. Select the Gateway IP Address box, and then enter 10.10.1.126.
h. Select the Primary DNS Server box, and then enter 10.10.1.2.
i. Click Apply.
5. Exclude IP addresses from dynamic allocation (DNS server and gateway addresses):
a. Expand the Forbidden IP Addresses node, as shown in Figure 246.

Figure 246 IP address excluded from dynamic allocation configuration

b. Enter 10.1.1.2 in the Start IP Address field.


c. Enter 10.1.1.2 in the End IP Address field.
d. Click Apply.
e. Enter 10.1.1.126 in the Start IP Address field, as shown in Figure 246.
f. Enter 10.1.1.126 in the End IP Address field.
g. Click Apply.
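To tie the relay example to the IMPORTANT note of Table 109 and to the DHCP configuration guideline about removing server groups, here is an added Python model, not code from this guide or from H3C, of Router A as a relay agent and of the pool choice Router B then makes. It rejects a server that sits on the relay interface's own segment, refuses to delete a group still associated with an interface, stamps giaddr with the relay interface address as RFC 2131 requires, and lets the server select its pool by giaddr. The message dictionaries and the enforcement of the segment check at configuration time are assumptions; the interface, server and pool addresses are those of the example.

```python
import ipaddress
from typing import Dict, List, Tuple

MAX_SERVER_GROUPS = 20          # Table 109: at most 20 DHCP server groups


class DhcpRelayAgent:
    """Router A of the relay example: its interfaces, server groups and relay bindings."""

    def __init__(self, interfaces: Dict[str, str]) -> None:
        self.interfaces = {name: ipaddress.IPv4Interface(addr) for name, addr in interfaces.items()}
        self.groups: Dict[int, List[str]] = {}
        self.bindings: Dict[str, int] = {}      # relay interface name -> group ID

    def add_server_group(self, group_id: int, servers: List[str]) -> None:
        if group_id not in self.groups and len(self.groups) >= MAX_SERVER_GROUPS:
            raise ValueError("at most %d DHCP server groups" % MAX_SERVER_GROUPS)
        self.groups[group_id] = list(servers)

    def enable_relay(self, ifname: str, group_id: int) -> None:
        """Associate a server group with an interface. The IMPORTANT note of Table 109 is
        enforced here at configuration time (an assumption; the guide states it as a rule)."""
        relay_if = self.interfaces[ifname]
        for server in self.groups[group_id]:
            if ipaddress.IPv4Address(server) in relay_if.network:
                raise ValueError("server %s is on the segment of relay interface %s" % (server, ifname))
        self.bindings[ifname] = group_id

    def remove_server_group(self, group_id: int) -> None:
        """Configuration guideline: cancel the interface associations before removing a group."""
        users = [name for name, gid in self.bindings.items() if gid == group_id]
        if users:
            raise ValueError("group %d is still associated with %s" % (group_id, users))
        del self.groups[group_id]

    def relay(self, ifname: str, client_msg: Dict) -> List[Tuple[str, Dict]]:
        """Forward a client broadcast as unicast to every server of the bound group. giaddr is
        set to the receiving interface address only if it is still zero (RFC 2131), so the
        server can tell which subnet the client is on."""
        if ifname not in self.bindings:
            return []                            # relay not enabled on this interface
        fwd = dict(client_msg)
        if fwd.get("giaddr", "0.0.0.0") == "0.0.0.0":
            fwd["giaddr"] = str(self.interfaces[ifname].ip)
        return [(server, fwd) for server in self.groups[self.bindings[ifname]]]


def select_pool(pools: Dict[str, str], msg: Dict, receiving_if_ip: str) -> str:
    """Router B's side: pick the pool by giaddr for a relayed message, otherwise by the
    address of the interface the message arrived on. Returns "" when no pool fits."""
    key = msg["giaddr"] if msg.get("giaddr", "0.0.0.0") != "0.0.0.0" else receiving_if_ip
    for name, network in pools.items():
        if ipaddress.IPv4Address(key) in ipaddress.IPv4Network(network):
            return name
    return ""


def demo() -> Tuple[str, str, str]:
    """Replay the example: a DISCOVER on Router A's Ethernet0/1 reaches Router B with giaddr
    10.10.1.1, and Router B answers from pool1 (10.10.1.0/24)."""
    router_a = DhcpRelayAgent({"Ethernet0/1": "10.10.1.1/24", "Ethernet0/2": "10.1.1.2/24"})
    router_a.add_server_group(1, ["10.1.1.1"])
    router_a.enable_relay("Ethernet0/1", 1)
    discover = {"op": "DISCOVER", "chaddr": "000f-e200-0003", "giaddr": "0.0.0.0"}   # constructed
    server, forwarded = router_a.relay("Ethernet0/1", discover)[0]
    router_b_pools = {"pool1": "10.10.1.0/24"}
    return server, forwarded["giaddr"], select_pool(router_b_pools, forwarded, "10.1.1.1")
```

The giaddr value is the only thing that lets Router B choose the 10.10.1.0/24 pool rather than the 10.1.1.0/24 segment the unicast arrived from; a server placed on the relay interface's own segment would receive the client broadcast directly and answer for the wrong subnet, which is why the Table 109 note exists.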

Configuring the DHCP client (Router C)


1. Enable the DHCP client on interface Ethernet 0/1:
a. Select Advanced > DHCP Setup from the navigation tree.
b. Click the DHCP Interface Setup tab.

Figure 247 Enabling the DHCP client on interface Ethernet 0/1

c. Select Ethernet0/1 in the Interface field.


d. Select the Client option in the Type field.
e. Click Apply.

Configuration guidelines
1. If multiple VLAN interfaces sharing one MAC address request IP addresses using DHCP, the DHCP
server cannot be a Windows 2000 server or a Windows 2003 server.
2. To remove a DHCP server group that is associated with multiple interfaces, cancel the associations
first.

Configuring ACLs

The Web interface provides the following ACL configuration functions:


• Configuring an IPv4 ACL
• Configuring a rule for a basic IPv4 ACL
• Configuring a rule for an advanced IPv4 ACL
• Configuring a rule for an Ethernet frame header ACL

Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules (for example, QoS
and IP routing) for traffic identification.
IPv4 ACLs fall into the following categories, as shown in Table 110.
Table 110 IPv4 ACL categories

Category                      ACL number     Match criteria
Basic ACLs                    2000 to 2999   Source IPv4 address
Advanced ACLs                 3000 to 3999   Source/destination IPv4 address, protocols over IPv4,
                                             and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs    4000 to 4999   Layer 2 header fields, such as source and destination
                                             MAC addresses, 802.1p priority, and link layer
                                             protocol type
For more information about IPv4 ACL, see H3C MSR Series Routers (V5) ACL and QoS Configuration
Guide.

Recommended IPv4 ACL configuration procedure

Step                                                      Remarks
1. Adding an IPv4 ACL.                                    Required.
                                                          The category of the added ACL depends on the
                                                          ACL number that you specify.
2. Configuring a rule for a basic IPv4 ACL.               Required.
3. Configuring a rule for an advanced IPv4 ACL.           Complete one of these tasks according to the
4. Configuring a rule for an Ethernet frame header ACL.   ACL category.

Adding an IPv4 ACL
Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Add tab to enter
the IPv4 ACL configuration page.
Figure 248 The page for adding an IPv4 ACL

Table 111 Configuration items

ACL Number
    Set the number of the IPv4 ACL you want to configure. The value range for the ACL number
    is 2000 to 2999.

Match Order
    Set the match order of the ACL:
    • Config—Packets are compared against ACL rules in ascending ACL rule ID order.
    • Auto—Packets are compared against ACL rules in depth-first match order. This makes
      sure any subset of a rule is always matched before the rule.

Description
    Set the description for the ACL.
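As an added example, not code from this guide or from H3C, the following Python models a basic IPv4 ACL with the items of Table 111 and of the basic rule page: source address plus wildcard matching, rule IDs that modify an existing rule, and the two match orders. Depth-first order is approximated by trying the rule that compares the most address bits first (an assumption that simplifies the router's algorithm), which is enough to show why the same two rules give different results under Config and Auto. The rule IDs and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BasicRule:
    rule_id: int
    action: str        # "permit" or "deny"
    source: str        # source IPv4 address, dotted decimal
    wildcard: str      # source wildcard: a 1 bit means "do not care"

    def matches(self, src_ip: str) -> bool:
        """Every bit where the wildcard is 0 must equal the rule's source address."""
        a = int(ipaddress.IPv4Address(self.source))
        b = int(ipaddress.IPv4Address(src_ip))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        return ((a ^ b) & ~wc & 0xFFFFFFFF) == 0

    def checked_bits(self) -> int:
        """How many address bits the rule actually compares; more means more specific."""
        return 32 - bin(int(ipaddress.IPv4Address(self.wildcard))).count("1")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config") -> None:
        if not 2000 <= number <= 2999:
            raise ValueError("basic IPv4 ACLs use numbers 2000 to 2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match order is 'config' or 'auto'")
        self.number, self.match_order = number, match_order
        self.rules: List[BasicRule] = []

    def add_rule(self, rule: BasicRule) -> None:
        # A rule ID that already exists means the new settings modify that rule.
        self.rules = [r for r in self.rules if r.rule_id != rule.rule_id] + [rule]

    def ordered_rules(self) -> List[BasicRule]:
        if self.match_order == "config":
            return sorted(self.rules, key=lambda r: r.rule_id)        # ascending rule ID
        # Auto (depth-first), simplified: the rule checking the most bits is tried first, so
        # a subset of a rule is matched before the rule that contains it; rule ID breaks ties.
        return sorted(self.rules, key=lambda r: (-r.checked_bits(), r.rule_id))

    def lookup(self, src_ip: str) -> Optional[BasicRule]:
        """First rule in match order that matches, or None."""
        for rule in self.ordered_rules():
            if rule.matches(src_ip):
                return rule
        return None

    def filter(self, src_ip: str) -> str:
        """Packet-filter result: the action of the matching rule, or "no-match" when none
        matches (what happens then depends on the module applying the ACL)."""
        rule = self.lookup(src_ip)
        return rule.action if rule else "no-match"


def demo(match_order: str) -> Dict[str, str]:
    """The same two rules under a given match order: rule 5 permits all of 10.1.1.0/24
    while rule 10 denies one host inside it (constructed sample values)."""
    acl = BasicAcl(2000, match_order)
    acl.add_rule(BasicRule(5, "permit", "10.1.1.0", "0.0.0.255"))
    acl.add_rule(BasicRule(10, "deny", "10.1.1.100", "0.0.0.0"))
    return {ip: acl.filter(ip) for ip in ("10.1.1.100", "10.1.1.7", "192.0.2.1")}
```

Under Config order rule 5 is tried first and host 10.1.1.100 is permitted; under Auto the single-host rule is tried first and the host is denied. When an exception must hold regardless of the order rules were entered in, Auto order (or, under Config, a lower rule ID for the exception) is the safer choice.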

Configuring a rule for a basic IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Basic Config tab
to enter the rule configuration page for a basic IPv4 ACL.

Figure 249 The page for configuring a basic IPv4 ACL

Table 112 Configuration items

ACL
    Select the basic IPv4 ACL for which you want to configure rules.
    ACLs available for selection are basic IPv4 ACLs.

Rule ID
    Select the Rule ID box, and enter a number for the rule.
    If you do not specify the rule number, the system will assign one automatically.
    If the rule number you specify already exists, the following operations modify the
    configuration of the rule.

Action
    Select the action to be taken on the IPv4 packets matching the rule:
    • Permit—Allows matched packets to pass.
    • Deny—Drops matched packets.

Check Fragment
    Select this box to apply the rule only to non-first fragments.
    If you do not select this box, the rule applies to all fragments and non-fragments.

Check Logging
    Select this box to keep a log of matched IPv4 packets.
    A log entry contains the ACL rule number, action on the matched packets, protocol
    that IP carries, source/destination address, source/destination port number, and
    number of matched packets.

Source IP Address
Source Wildcard
    Select the Source IP Address box, and enter a source IPv4 address and source
    wildcard, in dotted decimal notation.

Time Range
    Select the time range during which the rule takes effect.
    The time ranges available for selection must have been created at the CLI on the
    router.

Configuring a rule for an advanced IPv4 ACL


Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Advanced Config
tab to enter the rule configuration page for an advanced IPv4 ACL.

Figure 250 The page for configuring an advanced IPv4 ACL

Table 113 Configuration items

ACL
    Select the advanced IPv4 ACL for which you want to configure rules.
    You can use the command line interface to create advanced IPv4 ACLs. For more
    information, see H3C MSR Series Routers (V5) ACL and QoS Configuration Guide. Also,
    when you configure advanced bandwidth limit and advanced bandwidth guarantee, the
    system automatically creates advanced IPv4 ACLs. For more information, see
    "Configuring QoS."

Rule ID
    Select the Rule ID box, and enter a number for the rule.
    If you do not specify the rule number, the system assigns one automatically.
    If the rule number you specify already exists, the following operations modify the
    configuration of the rule.

Action
    Select the action to be performed for IPv4 packets matching the rule:
    • Permit—Allows matched packets to pass.
    • Deny—Drops matched packets.

Non-First Fragments Only
    Select this box to apply the rule to only non-first fragments.
    If you do not select this box, the rule applies to all fragments and non-fragments.

Logging
    Select this box to keep a log of matched IPv4 packets.
    A log entry contains the ACL rule number, operation for the matched packets, protocol
    that IP carries, source/destination address, source/destination port number, and
    number of matched packets.

IP Address Filter
    Source IP Address
    Source Wildcard
        Select the Source IP Address box, and enter a source IPv4 address and source
        wildcard, in dotted decimal notation.
    Destination IP Address
    Destination Wildcard
        Select the Destination IP Address box, and enter a destination IPv4 address and
        destination wildcard, in dotted decimal notation.

Protocol
    Select the protocol to be carried by IP.
    If you select 1 ICMP, you can configure the ICMP message type and code. If you
    select 6 TCP or 17 UDP, you can configure the TCP or UDP specific items.

ICMP Type
    ICMP Message
    ICMP Type
    ICMP Code
        Specify the ICMP message type and code.
        These items are available only when you select 1 ICMP from the Protocol list.
        If you select Other from the ICMP Message list, you must enter values in the ICMP
        Type and ICMP Code fields. Otherwise, the two fields take the default values, which
        cannot be changed.

TCP Connection Established
    Select this box to make the rule match packets used for establishing and maintaining
    TCP connections.
    This item is available only when you select 6 TCP from the Protocol list.
    A rule with this item configured matches TCP connection packets with the ACK or RST
    flag.

TCP/UDP Port
    Source
    Destination
        Select the operators and enter the source port numbers and destination port
        numbers as required.
        These items are available only when you select 6 TCP or 17 UDP from the Protocol
        list.
        Different operators have different configuration requirements for the port number
        fields:
        • Not Check—The following port number fields cannot be configured.
        • Range—The following port number fields must be configured to define a port
          range.
        • Other values—The first port number field must be configured and the second
          must not.

Precedence Filter
    DSCP
        Specify the DSCP priority.
    TOS
        Specify the ToS preference.
    Precedence
        Specify the IP precedence.

Time Range
    Select the time range during which the rule takes effect.
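The following Python is an added example, not part of this guide or of H3C's software, that applies the advanced rule items of Table 113 to constructed packets: protocol, address and wildcard, the port operators (Not Check, Range, and eq standing for the "other values"), TCP Connection Established (ACK or RST set), Non-First Fragments Only, and the fields of a log entry. The treatment of non-first fragments (only Layer 3 fields are checked because no Layer 4 header is present), the behaviour when no rule matches, and the message dictionaries are assumptions of the model; the addresses and rule numbers are sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17
TCP_ACK, TCP_RST = 0x10, 0x04        # ACK and RST flag bits of the TCP header

def wildcard_match(rule_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored."""
    a, b = int(ipaddress.IPv4Address(rule_addr)), int(ipaddress.IPv4Address(packet_addr))
    return ((a ^ b) & ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF) == 0

@dataclass
class PortCheck:
    """A TCP/UDP port operator of Table 113: Not Check, Range, or eq as one of the other values."""
    operator: str = "not-check"
    port1: Optional[int] = None
    port2: Optional[int] = None

    def __post_init__(self) -> None:
        # Not Check takes no ports, Range needs both fields, the other operators only the first.
        wanted = {"not-check": (False, False), "range": (True, True), "eq": (True, False)}
        if (self.port1 is not None, self.port2 is not None) != wanted[self.operator]:
            raise ValueError("%s: wrong port number fields configured" % self.operator)

    def matches(self, port: int) -> bool:
        if self.operator == "range":
            return self.port1 <= port <= self.port2
        return self.operator == "not-check" or port == self.port1

@dataclass
class AdvancedRule:
    rule_id: int
    action: str                                    # "permit" or "deny"
    protocol: Optional[int] = None                 # 1 ICMP, 6 TCP, 17 UDP; None matches any
    src: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")    # (address, wildcard)
    dst: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")
    src_port: PortCheck = field(default_factory=PortCheck)
    dst_port: PortCheck = field(default_factory=PortCheck)
    established: bool = False                      # TCP Connection Established box
    non_first_fragments_only: bool = False
    logging: bool = False
    matched: int = 0                               # "number of matched packets" in the log entry

    def matches(self, pkt: Dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if not (wildcard_match(*self.src, pkt["src"]) and wildcard_match(*self.dst, pkt["dst"])):
            return False
        if pkt.get("non_first_fragment", False):
            return True      # assumption: no Layer 4 header, so only the fields above are checked
        if self.non_first_fragments_only:
            return False
        if pkt["proto"] in (TCP, UDP) and not (self.src_port.matches(pkt["sport"])
                                               and self.dst_port.matches(pkt["dport"])):
            return False
        return not self.established or bool(pkt.get("flags", 0) & (TCP_ACK | TCP_RST))

    def log_entry(self, pkt: Dict) -> Dict:
        return {"rule": self.rule_id, "action": self.action, "protocol": pkt["proto"],
                "src": pkt["src"], "dst": pkt["dst"], "sport": pkt.get("sport"),
                "dport": pkt.get("dport"), "matched": self.matched}

class AdvancedAcl:
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: List[AdvancedRule] = []
        self.logs: List[Dict] = []

    def add_rule(self, rule: AdvancedRule) -> None:
        # An existing rule ID is modified; rules are kept in config order (ascending ID).
        self.rules = sorted([r for r in self.rules if r.rule_id != rule.rule_id] + [rule],
                            key=lambda r: r.rule_id)

    def filter(self, pkt: Dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                rule.matched += 1
                if rule.logging:
                    self.logs.append(rule.log_entry(pkt))
                return rule.action
        return "no-match"          # assumption: the applying module decides what happens then

def demo() -> Tuple[List[str], List[Dict]]:
    """Constructed policy: let established TCP return traffic into 192.168.1.0/24, deny and
    log new Telnet (port 23) connections to it, and permit everything else."""
    acl, lan = AdvancedAcl(3000), ("192.168.1.0", "0.0.0.255")
    acl.add_rule(AdvancedRule(0, "permit", TCP, dst=lan, established=True))
    acl.add_rule(AdvancedRule(5, "deny", TCP, dst=lan, dst_port=PortCheck("eq", 23), logging=True))
    acl.add_rule(AdvancedRule(10, "permit"))
    flow = {"src": "203.0.113.9", "dst": "192.168.1.10"}          # constructed sample addresses
    packets = [dict(flow, proto=TCP, sport=40000, dport=23, flags=0x02),   # SYN: new connection
               dict(flow, proto=TCP, sport=40000, dport=23, flags=0x10),   # ACK: established
               dict(flow, proto=UDP, sport=5353, dport=53)]                # UDP: falls to rule 10
    return [acl.filter(p) for p in packets], acl.logs
```

The SYN to port 23 fails the established rule and is denied and logged by rule 5, while the ACK of an existing connection is admitted by rule 0 before the deny rule is reached; this is the ordinary use of TCP Connection Established, admitting return traffic without opening the port to new connections.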

Configuring a rule for an Ethernet frame header ACL

Select Advanced > QoS Setup > ACL IPv4 from the navigation tree and then select the Link Config tab to
enter the rule configuration page for an Ethernet frame header IPv4 ACL.

Figure 251 The page for configuring a rule for an Ethernet frame header ACL

Table 114 Configuration items

ACL
    Select the Ethernet frame header IPv4 ACL for which you want to configure rules.
    You can use the command line interface to create Ethernet frame header IPv4 ACLs.
    For more information, see H3C MSR Series Routers (V5) ACL and QoS Configuration
    Guide.

Rule ID
    Select the Rule ID box, and enter a number for the rule.
    If you do not specify the rule number, the system will assign one automatically.
    If the rule number you specify already exists, the following operations modify the
    configuration of the rule.

Action
    Select the action to be performed for IPv4 packets matching the rule:
    • Permit—Allows matched packets to pass.
    • Deny—Drops matched packets.

MAC Address Filter
    Source MAC Address
    Source Mask
        Select the Source MAC Address box, and enter a source MAC address and wildcard.
    Destination MAC Address
    Destination Mask
        Select the Destination MAC Address box, and enter a destination MAC address and
        wildcard.

COS(802.1p priority)
    Specify the 802.1p priority for the rule.

Type Filter
    LSAP Type
    LSAP Mask
        Select the LSAP Type box, and specify the DSAP and SSAP fields in the LLC
        encapsulation by configuring the following items:
        • LSAP Type—Indicates the frame encapsulation format.
        • LSAP Mask—Indicates the LSAP wildcard.
    Protocol Type
    Protocol Mask
        Select the Protocol Type box, and specify the link layer protocol type by
        configuring the following items:
        • Protocol Type—Indicates the frame type. It corresponds to the type-code field of
          Ethernet_II and Ethernet_SNAP frames.
        • Protocol Mask—Indicates the wildcard.

Time Range
    Select the time range during which the rule takes effect.

Configuration guidelines
When you configure an ACL, follow these guidelines:
• You cannot create a rule with or modify a rule to have the same permit/deny statement as an
existing rule in the ACL.
• You can only modify the existing rules of an ACL that uses the match order of config. When you
modify a rule of such an ACL, you may choose to change just some of the settings, in which case
the other settings remain the same.

Configuring QoS

The Web interface provides the following QoS configuration functions:


• Configuring subnet limit
• Configuring advanced limit
• Configuring advanced queue

Overview
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to
meet customer needs. Generally, QoS focuses on improving services under certain conditions rather than
grading services precisely.
In an Internet, QoS evaluates the ability of the network to forward packets of different services. You can
base the evaluation on different criteria because the network may provide various services. Generally,
QoS refers to the ability to provide improved service by solving the core issues such as delay, jitter, and
packet loss ratio in the packet forwarding process.
Through the Web interface, you can configure the following QoS features:
• Subnet limit
• Advanced limit
• Advanced queue

Subnet limit
Subnet limit enables you to regulate the specification of traffic entering or leaving a device based on
source/destination IP address. Packets conforming to the specification can pass through, and packets
exceeding the specification are dropped. In this way, the network resources are protected.

Advanced limit
Similar to subnet limit, advanced limit also implements traffic policing at the IP layer. They differ in that:
• Advanced limit can classify traffic based on time range, packet precedence, protocol type, and
port number, and provide more granular services.
• In addition to permitting traffic conforming to the specification to pass through, advanced limit can
also set IP precedence, differentiated service code point (DSCP) value, and 802.1p priority for
packets as required.
For more information about IP precedence, DSCP values, and 802.1p priority, see "Appendix Packet
priorities."

Advanced queue
Advanced queue offers the following functions:
• Interface bandwidth limit—Uses token buckets for traffic control and limits the rate of transmitting
packets (including critical packets) on an interface. When limiting the rate of all packets on an
interface, interface bandwidth limit is a better approach than subnet limit and advanced limit. This
is because the latter two functions work at the IP layer and therefore do not take effect on packets
not processed by the IP layer.
• Bandwidth guarantee—When congestion occurs on a port, class-based queuing (CBQ) classifies
packets into different classes according to user-defined match criteria and assigns these classes to
their queues. Before assigning packets to a queue, CBQ performs a bandwidth restriction check.
When being dequeued, packets are scheduled by WFQ.
Advanced queue applies only to outgoing packets of interfaces.

Configuring subnet limit


Select Advance > QoS Setup > Subnet Limit from the navigation tree. Click Add to enter the Subnet Limit
Setting page.
Figure 252 Subnet limit

Figure 253 Subnet limit setting

Table 115 Configuration items

Start Address
End Address
    Set the address range of the subnet where rate limiting is to be performed.

Interface
    Specify the interface to which the subnet limit is to be applied.

CIR
    Set the average traffic rate allowed.

Type
    Set the rate limit method:
    • Share—Limits the total rate of traffic for all IP addresses on the subnet, and
      dynamically allocates bandwidth to an IP address based on traffic size.
    • Per IP—Individually limits the rate of traffic of each IP address on the subnet to
      the configured rate.

Direction
    Set the direction where the rate limit applies:
    • Download—Limits the rate of incoming packets of the interface based on their
      destination IP addresses.
    • Upload—Limits the rate of outgoing packets of the interface based on their source
      IP addresses.
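An added Python simulation, not from this guide or from H3C, of the Share and Per IP methods and the Direction setting of Table 115, using one token bucket per limited entity (the whole subnet, or each address). The burst size (one second's worth of CIR) and the rule that traffic outside the address range bypasses the limit are assumptions; the address range, CIR and direction replay the subnet limit configuration example of this chapter (2.1.1.1 to 2.1.1.100, 5 kbps, Upload).

```python
import ipaddress
from typing import Dict, Optional


class TokenBucket:
    """Single-rate token bucket: tokens arrive at the CIR and accumulate up to the burst size;
    a packet conforms when enough tokens are present to pay for its bits."""

    def __init__(self, cir_kbps: int, burst_bits: int) -> None:
        self.rate = cir_kbps * 1000         # bits per second
        self.capacity = burst_bits
        self.tokens = float(burst_bits)
        self.last = 0.0

    def conforms(self, now: float, size_bytes: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size_bytes * 8:
            self.tokens -= size_bytes * 8
            return True
        return False


class SubnetLimit:
    """One subnet limit entry with the items of Table 115."""

    def __init__(self, start: str, end: str, cir_kbps: int, limit_type: str, direction: str,
                 burst_bits: Optional[int] = None) -> None:
        self.start, self.end = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        self.cir = cir_kbps
        self.limit_type = limit_type            # "share" or "per-ip"
        self.direction = direction              # "download" or "upload"
        self.burst = burst_bits if burst_bits is not None else cir_kbps * 1000   # assumption: 1 s of CIR
        self.buckets: Dict[str, TokenBucket] = {}

    def _key(self, pkt: Dict) -> Optional[str]:
        # Download limits incoming packets by destination IP, Upload outgoing packets by source IP.
        ip = pkt["dst"] if self.direction == "download" else pkt["src"]
        if not self.start <= int(ipaddress.IPv4Address(ip)) <= self.end:
            return None                         # outside the address range: not limited
        return "shared" if self.limit_type == "share" else ip   # one bucket, or one per IP

    def process(self, now: float, pkt: Dict) -> str:
        key = self._key(pkt)
        if key is None:
            return "pass"
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.cir, self.burst)
        return "pass" if self.buckets[key].conforms(now, pkt["bytes"]) else "drop"


def simulate(limit_type: str) -> Dict[str, int]:
    """Replay constructed traffic through the chapter's subnet limit example (2.1.1.1 to
    2.1.1.100, CIR 5 kbps, Upload): three 500-byte packets per source at t=0 s and t=1 s."""
    limit = SubnetLimit("2.1.1.1", "2.1.1.100", 5, limit_type, "upload")
    sources = ("2.1.1.1", "2.1.1.2", "2.1.1.200")      # the last one is outside the range
    passed = {src: 0 for src in sources}
    for now in (0.0, 1.0):
        for src in sources:
            for _ in range(3):
                if limit.process(now, {"src": src, "dst": "198.51.100.1", "bytes": 500}) == "pass":
                    passed[src] += 1
    return passed
```

With a 5 kbps CIR a 500-byte packet costs 4000 of the 5000 burst tokens, so each limited entity gets one packet through per second. Under Per IP both in-range hosts get two packets through; under Share they compete for a single bucket and the first host served starves the second. The out-of-range source is untouched in both cases.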

Configuring advanced limit


Select Advance > QoS Setup > Advanced Limit from the navigation tree. Click Add to enter the Advanced
Limit Setting page.
Figure 254 Advanced limit

Figure 255 Advanced limit setting

Table 116 Configuration items

Description
    Configure a description for the advanced limit policy for management purposes.

Interface
    Specify the interface to which the advanced limit is to apply.

Direction
    Set the direction where the rate limit applies:
    • Download—Limits the rate of incoming packets of the interface.
    • Upload—Limits the rate of outgoing packets of the interface.

CIR
    Set the average traffic rate allowed.

Remark Type
    Specify the type of priority to be re-marked for packets conforming to the
    specification and allowed to pass through:
    • None—Does not re-mark any priority of packets.
    • 802.1p—Re-marks the 802.1p priority of packets and specifies the 802.1p priority
      value.
    • IP—Re-marks the IP precedence of packets and specifies the IP precedence value.
    • DSCP—Re-marks the DSCP of packets and specifies the DSCP value.

IP Address/Mask
    Define a rule to match packets based on their IP addresses.
    You can add multiple IP addresses/masks to the field. Click Add or Delete to add or
    delete IP addresses/masks to/from the field.
    • When you specify the direction Download, the source IP address of packets is
      matched.
    • When you specify the direction Upload, the destination IP address of packets is
      matched.

IP Precedence
    Define a rule to match packets based on their IP precedence values.
    You can configure up to eight IP precedence values for an advanced limit policy, and
    the relationship between the IP precedence values is OR. If the same IP precedence
    value is specified multiple times, the system considers them as one. The defined IP
    precedence values are displayed in ascending order automatically.

DSCP
    Define a rule to match packets based on their DSCP values.
    You can configure up to eight DSCP values for an advanced limit policy, and the
    relationship between the DSCP values is OR. If the same DSCP value is specified
    multiple times, the system considers them as one. The defined DSCP values are
    displayed in ascending order automatically.

Inbound Interface
    Define a rule to match packets received on the specified interface.

Time Range
    Set the time range when the advanced limit policy takes effect. You must set the
    begin and end times and the days of the week.

Protocol Name
    Define a rule to match packets based on their protocol types.
    The protocol types available for selection include the system-defined protocols and
    the protocols loaded through the P2P signature file. To load a P2P signature file,
    select Security Setup > Application Control from the navigation tree and click Load
    Application.

Custom Type
Source Port
Destination Port
    Define a rule to match packets based on self-defined protocol types.
    Select the transport layer protocol type and set the source service port range and
    destination service port range.

Configuring advanced queue
To use the advanced queue function on tunnel interfaces, sub-interfaces, or VT and dialer interfaces with
PPPoE, PPPoA, PPPoEoA, or PPPoFR at the data link layer, you must configure interface bandwidth for
these interfaces.

Configuring interface bandwidth


Select Advance > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue
page. Select an interface from the Interface Name list, and then configure and view the CIR of the
interface.
Figure 256 Advanced queue

Table 117 Configuration items

Interface Name
    Select the interface to be configured.

Interface Bandwidth
    Set the average traffic rate allowed for the interface.
    H3C recommends that you configure the interface bandwidth to be smaller than the
    actual available bandwidth of a physical interface or logical link.
    If you have specified the interface bandwidth, the maximum interface bandwidth used
    for bandwidth check when CBQ enqueues packets is 1000000 kbps. If you have not
    specified the interface bandwidth, the maximum interface bandwidth varies by
    interface type following these rules:
    • If the interface is a physical one, the actual baudrate or rate applies.
    • If the interface is T1/E1, MFR or any other type of logical serial interface
      formed by timeslots or multiple links, the total bandwidth of all member
      channels/links applies.
    • If the interface is a template interface, such as a VT interface, a dialer
      interface, a BRI interface, or a PRI interface, 1000000 kbps applies.
    • If the interface is a virtual interface of any other type, a tunnel interface for
      example, 0 kbps applies.

Configuring bandwidth guarantee


Select Advance > QoS Setup > Advanced Queue from the navigation tree to enter the Advanced Queue
page. In the Application Bandwidth area, all bandwidth guarantee policies are displayed. Click Add to
enter the page for creating a bandwidth guarantee policy.

Figure 257 Creating a bandwidth guarantee policy

Table 118 Configuration items

Description
    Configure a description for the bandwidth guarantee policy for management purposes.

Queue Type
    Set the service class queue type:
    • EF (Expedited Forwarding)—Provides absolutely preferential queue scheduling for
      the EF service so as to ensure low delay for real-time data traffic. At the same
      time, by restricting bandwidth for high-priority traffic, it can overcome the
      disadvantage that some low-priority queues are not serviced.
    • AF (Assured Forwarding)—Provides a highly precise bandwidth guarantee and queue
      scheduling on the basis of AF service weights for various AF services.

Interface
    Specify the interface to which bandwidth guarantee is to be applied.

Bandwidth
    Set the bandwidth guarantee for the queue.
    • For the EF queue, the set bandwidth is the maximum bandwidth.
    • For the AF queue, the set bandwidth is the minimum guaranteed bandwidth.
    The sum of the bandwidth specified in the bandwidth guarantee policies applied to an
    interface must be no greater than the available bandwidth of the interface.

IP Address/Mask
    Define a rule to match packets based on their IP addresses.
    You can add multiple IP addresses/masks. Click the Add or Delete button to add or
    delete IP addresses/masks to/from the field.

IP Precedence
    Define a rule to match packets based on their IP precedence values.
    You can configure up to eight IP precedence values for a bandwidth guarantee policy,
    and the relationship between the IP precedence values is OR. If the same IP
    precedence value is specified multiple times, the system considers them as one. The
    defined IP precedence values are displayed in ascending order automatically.

DSCP
    Define a rule to match packets based on their DSCP values.
    You can configure up to eight DSCP values for a bandwidth guarantee policy, and the
    relationship between the DSCP values is OR. If the same DSCP value is specified
    multiple times, the system considers them as one. After each configuration, the
    defined DSCP values are displayed in ascending order automatically.

Inbound Interface
    Define a rule to match packets received on the specified interface.

Time Range
    Set the time range when the bandwidth guarantee policy takes effect. You must set the
    begin and end times and the days of the week.

Protocol Name
    Define a rule to match packets based on protocol types.
    The protocol types available for selection include the system-defined protocols and
    the protocols loaded through the P2P signature file. To load a P2P signature file,
    select Security Setup > Application Control from the navigation tree and click Load
    Application.

Custom Type
Source Port
Destination Port
    Define a rule to match packets based on self-defined protocol types.
    Select the transport layer protocol type and set the service source port range and
    destination port range.

QoS configuration examples
Subnet limit configuration example
Network requirements
As shown in Figure 258, limit the rate of packets leaving Ethernet 1/1 of Router.
Perform per-IP rate limiting for traffic sourced from Host A through Host Z, whose IP addresses are
2.1.1.1 through 2.1.1.100, with the per-IP limit being 5 kbps.
Figure 258 Network diagram

Configuration procedure
# Configure the bandwidth limit settings for the network segment.
• Select Advance > QoS Setup > Subnet Limit from the navigation tree, and click Add on the
displayed page.
Figure 259 Configuring subnet limit

• Enter 2.1.1.1 in the Start Address field.

• Enter 2.1.1.100 in the End Address field.
• Select interface Ethernet 1/1.
• Enter 5 in the CIR field.
• Select Per IP in the Type list.
• Select Upload from the Direction list.
• Click Apply.

Advanced queue configuration example


Network requirements
As shown in Figure 260, data traffic from Router C reaches Router D by way of Router A and then
Router B. The data traffic from Router C is classified into three classes based on the DSCP fields of IP
packets. Configure advanced queue to perform the following actions:
• Perform AF for traffic with the DSCP fields AF11 and AF21 (DSCP values 10 and 18), and set the
minimum bandwidth to 40 kbps.
• Perform EF for traffic with the DSCP field EF (DSCP value 46), and set the maximum bandwidth to
240 kbps.
Before performing the configuration, make sure:
• The route from Router C to Router D through Router A and Router B is reachable.
• The DSCP fields have been set for the traffic before the traffic enters Router A.
Figure 260 Network diagram

Configuration procedure
1. Configure Router A:
# Perform AF for traffic with DSCP fields AF11 and AF21.
• Select Advance > QoS Setup > Advanced Queue from the navigation tree, and click Add on the
displayed page.

Figure 261 Configuring assured forwarding

• Enter the description test-af.


• Select AF (Assured Forwarding) in the Queue Type list.
• Select interface Ethernet0/0.
• Enter 40 in the Bandwidth field.
• Enter 10, 18 in the DSCP field.
• Click Apply.
# Perform EF for traffic with DSCP field EF.
• Select Advance > QoS Setup > Advanced Queue from the navigation tree, and click Add on the
displayed page.

Figure 262 Configuring expedited forwarding

• Enter the description test-ef.


• Select EF (Expedited Forwarding) in the Queue Type list.
• Select interface Ethernet0/0.
• Enter 240 in the Bandwidth field.
• Enter 46 in the DSCP field.
• Click Apply.
After the configurations are completed, EF traffic is forwarded preferentially when congestion occurs in
the network.

Appendix Packet priorities
IP precedence and DSCP values
Figure 263 DS field and ToS field

As shown in Figure 263, the ToS field of the IP header contains eight bits: the first three bits (0 to 2)
represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is redefined
as the differentiated services (DS) field, where a differentiated service code point (DSCP) value is
represented by the first six bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and 7) are
reserved.
Table 119 Description on IP precedence

IP precedence (decimal) IP precedence (binary) Keyword
0 000 routine
1 001 priority
2 010 immediate
3 011 flash
4 100 flash-override
5 101 critical
6 110 internet
7 111 network

Table 120 Description on DSCP values

DSCP value (decimal) DSCP value (binary) Keyword
46 101110 ef
10 001010 af11
12 001100 af12
14 001110 af13
18 010010 af21
20 010100 af22
22 010110 af23
26 011010 af31
28 011100 af32
30 011110 af33
34 100010 af41
36 100100 af42
38 100110 af43
8 001000 cs1
16 010000 cs2
24 011000 cs3
32 100000 cs4
40 101000 cs5
48 110000 cs6
56 111000 cs7
0 000000 be (default)

802.1p priority
802.1p priority lies in the Layer 2 packet header and is applicable to occasions where Layer 3 header
analysis is not needed and QoS must be assured at Layer 2.
Figure 264 An Ethernet frame with an 802.1q tag header

As shown in Figure 264, the 4-byte 802.1q tag header consists of the TPID (two bytes in length), whose
value is 0x8100, and the TCI (two bytes in length). Figure 265 shows the format of the 802.1q tag header.
The priority in the 802.1q tag header is called "802.1p priority" because its use is defined in IEEE
802.1p.
Figure 265 802.1q tag header

Table 121 describes available 802.1p priority values.

Table 121 Description on 802.1p priority

802.1p priority (decimal) 802.1p priority (binary) Keyword
0 000 best-effort
1 001 background
2 010 spare
3 011 excellent-effort
4 100 controlled-load
5 101 video
6 110 voice
7 111 network-management
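The following added example (not part of the H3C guide) decodes the ToS/DS byte and the 802.1q tag header into the values of Tables 119 through 121. The ToS bytes and the Ethernet frame are constructed for illustration; the AF and CS keywords are derived from the bit layout rather than looked up, so the decoder also classifies code points the tables do not list.

```python
# Added example, not from the H3C guide: decode the ToS/DS byte and the
# 802.1q tag header into the values listed in Tables 119 to 121.

# Table 119: IP precedence keyword, indexed by the 3-bit precedence value.
IP_PRECEDENCE_KEYWORDS = [
    "routine", "priority", "immediate", "flash",
    "flash-override", "critical", "internet", "network",
]

# Table 121: 802.1p priority keyword, indexed by the 3-bit priority value.
DOT1P_KEYWORDS = [
    "best-effort", "background", "spare", "excellent-effort",
    "controlled-load", "video", "voice", "network-management",
]

TPID_8021Q = 0x8100


def dscp_keyword(dscp: int) -> str:
    """Derive the Table 120 keyword from the DSCP bit layout.

    Bits are numbered as in Figure 263, bit 0 being the most significant:
    the upper three bits are the class selector, the next two bits are the
    AF drop precedence, and the lowest bit is 0 for every AF code point.
    Code points without a keyword are returned as their decimal value.
    """
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0 to 63)")
    if dscp == 0:
        return "be"          # best effort (default)
    if dscp == 46:
        return "ef"          # expedited forwarding, 101110
    cls = dscp >> 3          # class selector (bits 0 to 2)
    drop = (dscp >> 1) & 3   # drop precedence (bits 3 and 4)
    if dscp & 0b111 == 0:
        return f"cs{cls}"    # csN: class selector, low three bits zero
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"af{cls}{drop}"
    return str(dscp)


def decode_tos(tos: int) -> dict:
    """Split the 8-bit ToS byte of an IPv4 header into IP precedence
    (bits 0 to 2), DSCP (bits 0 to 5) and the two reserved bits (6 and 7)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    precedence = tos >> 5
    dscp = tos >> 2
    return {
        "ip_precedence": precedence,
        "ip_precedence_keyword": IP_PRECEDENCE_KEYWORDS[precedence],
        "dscp": dscp,
        "dscp_keyword": dscp_keyword(dscp),
        "reserved": tos & 0b11,
    }


def decode_dot1q_tag(tag: bytes) -> dict:
    """Decode the 4-byte 802.1q tag header (Figure 265): TPID 0x8100 followed
    by the TCI, whose top three bits carry the 802.1p priority, then a 1-bit
    CFI and a 12-bit VLAN ID."""
    if len(tag) != 4:
        raise ValueError("802.1q tag header is 4 bytes")
    tpid = int.from_bytes(tag[:2], "big")
    if tpid != TPID_8021Q:
        raise ValueError(f"not an 802.1q tag header, TPID 0x{tpid:04x}")
    tci = int.from_bytes(tag[2:], "big")
    priority = tci >> 13
    return {
        "priority": priority,
        "priority_keyword": DOT1P_KEYWORDS[priority],
        "cfi": (tci >> 12) & 1,
        "vlan_id": tci & 0x0FFF,
    }


def frame_dot1p_priority(frame: bytes):
    """Return the 802.1p priority of an Ethernet frame, or None when the frame
    carries no 802.1q tag (the tag, if present, follows the two MAC addresses)."""
    if len(frame) < 16:
        raise ValueError("frame too short to hold a tag header")
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    return decode_dot1q_tag(frame[12:16])["priority"]


# Constructed sample frame (not captured from a device): destination
# 00e0.fcbb.bbbb, source 00e0.fcaa.aaaa, 802.1q tag with priority 6 (voice)
# and VLAN 100, followed by the IPv4 EtherType.
SAMPLE_TAGGED_FRAME = bytes.fromhex("00e0fcbbbbbb" "00e0fcaaaaaa" "8100c064" "0800")

if __name__ == "__main__":
    print(decode_tos(0xB8))                            # EF-marked packet
    print(decode_dot1q_tag(SAMPLE_TAGGED_FRAME[12:16]))
    print(frame_dot1p_priority(SAMPLE_TAGGED_FRAME))   # 6
```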

Configuring SNMP

This chapter is only applicable to the MSR 20/30/50/930 series routers.


For information about configuring SNMP from the Web interface for the MSR 900/20-1X series routers,
see "Configuring SNMP (lite version)."

Overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a
management station to access and operate the devices on a network, regardless of their vendors,
physical characteristics and interconnect technologies.
The SNMP framework comprises the following elements:
• SNMP manager—Works on an NMS to monitor and manage the SNMP-capable devices in the
network.
• SNMP agent—Works on a managed device to receive and handle requests from the NMS, and
send traps to the NMS when some events, such as interface state change, occur.
H3C supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same
SNMP version to communicate with each other.
• SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use
the same community name as set on the SNMP agent. If the community name used by the NMS is
different from the community name set on the agent, the NMS cannot establish an SNMP session to
access the agent or receive traps and notifications from the agent.
• SNMPv2c—Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but
supports more operation modes, data types, and error codes.
• SNMPv3—Uses a user-based security model (USM) to secure SNMP communication. You can
configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for
integrity, authenticity, and confidentiality.
For more information about SNMP, see H3C MSR Series Routers Network Management and Monitoring
Configuration Guide.

SNMP agent configuration task list


SNMPv3 differs from SNMPv1 and SNMPv2c in many ways. Their configuration procedures are
described in separate sections.

Configuring SNMPv1 or SNMPv2c

Task Remarks
Enabling the SNMP agent function: Required. The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP community: Required.
Configuring SNMP trap function: Optional. Allows you to enable the agent to send SNMP traps to the NMS, and to configure the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics: Optional.

Configuring SNMPv3

Task Remarks
Enabling the SNMP agent function: Required. The SNMP agent function is disabled by default.
IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations are removed.
Configuring an SNMP view: Optional. After creating SNMP views, you can specify an SNMP view for an SNMP group to limit the MIB objects that can be accessed by the SNMP group.
Configuring an SNMP group: Required. After creating an SNMP group, you can add SNMP users to the group when creating the users, so the users in the group are managed centrally through the group.
Configuring an SNMP user: Required. Before creating an SNMP user, you need to create the SNMP group to which the user belongs.
Configuring SNMP trap function: Optional. Allows you to enable the agent to send SNMP traps to the NMS, and to configure the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.
Displaying SNMP packet statistics: Optional.

Enabling the SNMP agent function
1. Select Advanced > SNMP from the navigation tree to enter the SNMP configuration page, as
shown in Figure 266.
On the upper part of the page, you can select to enable or disable the SNMP agent function and
configure parameters such as SNMP version.
On the lower part of the page, you can view the SNMP statistics, which helps you understand the
running status of the SNMP after your configuration.
Figure 266 Setup tab

2. Configure the SNMP agent, as shown in Table 122.

Table 122 Configuration items

Item Description
SNMP: Specify whether to enable or disable the SNMP agent function.
Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID in effect when the user was created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size: Configure the maximum size of an SNMP packet that the agent can receive or send.
Contact: Set a character string describing the contact information for system maintenance. If the device is faulty, the maintainer can contact the manufacturer according to the contact information for the device.
Location: Set a character string describing the physical location of the device.
SNMP Version: Set the SNMP version run by the system.

Configuring an SNMP view


Select Advanced > SNMP from the navigation tree, and then click the View tab to enter the page as
shown in Figure 267.
Figure 267 View page

Creating an SNMP view


Click Add, and the Add View window appears as shown in Figure 268. Type the view name and click
Apply, and then you enter the page as shown in Figure 269.

Figure 268 Creating an SNMP view (1)

Figure 269 Creating an SNMP view (2)

Table 123 describes the configuration items for creating an SNMP view. After configuring the parameters
of a rule, click Add to add the rule into the list box at the lower part of the page. After configuring all rules,
click Apply to create an SNMP view. The view will not be created if you click Cancel.
Table 123 Configuration items

Item Description
View Name: Set the SNMP view name.
Rule: Select whether to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
MIB Subtree OID: Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). The MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.
Subtree Mask: Set the subtree mask. If no subtree mask is specified, the default subtree mask (all Fs) is used for mask-OID matching.

Adding rules to an SNMP view

Click the icon corresponding to the specified view on the page as shown in Figure 267. The Add rule
for the view ViewDefault window appears as shown in Figure 270. After configuring the parameters,
click Apply to add the rule for the view. Table 123 describes the configuration items for creating an
SNMP view.

Figure 270 Adding rules to an SNMP view

You can also click the icon corresponding to the specified view on the page as shown in Figure 267,
and then you can enter the page to modify the view.

Configuring an SNMP community


1. Select Advanced > SNMP from the navigation tree, then click the Community tab to enter the page
as shown in Figure 271.
Figure 271 Configuring an SNMP community

2. Click Add to enter the Add SNMP Community page.


Figure 272 Creating an SNMP Community

3. Configure the SNMP community, as shown in Table 124.

Table 124 Configuration items

Item Description
Community Name: Set the SNMP community name.
Access Right: Configure the NMS access right:
• Read only—The NMS can perform read-only operations on the MIB objects when it uses this community name to access the agent.
• Read and write—The NMS can perform both read and write operations on the MIB objects when it uses this community name to access the agent.
View: Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS.
ACL: Associate the community with a basic ACL to allow or prohibit access to the agent from the NMS with the specified source IP address.

Configuring an SNMP group


Select Advanced > SNMP from the navigation tree, and then click the Group tab to enter the page as
shown in Figure 273.
Figure 273 SNMP group

1. Click Add to enter the Add SNMP Group page.

Figure 274 Creating an SNMP group

2. Configure the SNMP group, as shown in Table 125.


Table 125 Configuration items

Item Description
Group Name: Set the SNMP group name.
Security Level: Select the security level for the SNMP group. The available security levels are:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
IMPORTANT: The security level of an existing SNMP group cannot be modified.
Read View: Select the read view of the SNMP group.
Write View: Select the write view of the SNMP group. If no write view is configured, the NMS cannot perform write operations on any MIB object on the device.
Notify View: Select the notify view of the SNMP group, that is, the view that can send trap messages. If no notify view is configured, the agent does not send traps to the NMS.
ACL: Associate a basic ACL with the group to restrict the source IP address of SNMP packets, that is, allow or prohibit SNMP packets with a specific source IP address, so as to restrict which NMS can communicate with the agent.

Configuring an SNMP user


Select Advanced > SNMP from the navigation tree, and then click the User tab to enter the page as
shown in Figure 275.

Figure 275 SNMP user

1. Click Add to enter the Add SNMP User page, as shown in Figure 276.
Figure 276 Creating an SNMP user

2. Configure the SNMP user, as shown in Table 126.


Table 126 Configuration items

Item Description
User Name: Set the SNMP user name.
Security Level: Select the security level for the SNMP user. The available security levels are:
• NoAuth/NoPriv—No authentication, no privacy.
• Auth/NoPriv—Authentication without privacy.
• Auth/Priv—Authentication and privacy.
Group Name: Select the SNMP group to which the user belongs:
• When the security level is NoAuth/NoPriv, you can select an SNMP group with no authentication and no privacy.
• When the security level is Auth/NoPriv, you can select an SNMP group with no authentication and no privacy, or with authentication without privacy.
• When the security level is Auth/Priv, you can select an SNMP group of any security level.
Authentication Mode: Select an authentication mode (MD5 or SHA) when the security level is Auth/NoPriv or Auth/Priv.
Authentication Password: Set the authentication password when the security level is Auth/NoPriv or Auth/Priv.
Confirm Authentication Password: The confirmation must be the same as the authentication password.
Privacy Mode: Select a privacy mode (DES56, AES128, or 3DES) when the security level is Auth/Priv.
Privacy Password: Set the privacy password when the security level is Auth/Priv.
Confirm Privacy Password: The confirmation must be the same as the privacy password.
ACL: Associate a basic ACL with the user to restrict the source IP address of SNMP packets, that is, allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified NMS from accessing the agent with this user name.

Configuring SNMP trap function


1. Select Advanced > SNMP from the navigation tree, and click the Trap tab to enter the page as
shown in Figure 277.
On the upper part of the page, you can select to enable the SNMP trap function.
On the lower part of the page, you can configure target hosts of the SNMP traps.

Figure 277 Traps configuration

2. Click Add to enter the Add Trap Target Host page, as shown in Figure 278.
Figure 278 Adding a target host of SNMP traps

3. Configure the SNMP traps, as shown in Table 127.


Table 127 Configuration items

Item Description
Destination IP Address: Set the destination IP address. Select the IP address type, IPv4/domain name or IPv6, and then type the corresponding IP address or domain name in the field according to the IP address type.
Security Name: Set the security name, which can be an SNMPv1 community name, an SNMPv2c community name, or an SNMPv3 user name.
UDP Port: Set the UDP port number.
IMPORTANT: The default port number is 162, which is the SNMP-specified port for receiving traps on the NMS. Generally (for example, when IMC or MIB Browser is the NMS), you can use the default port number. If you change this parameter to another value, make sure the configuration is the same as that on the NMS.
Security Model: Select the security model, that is, the SNMP version.
IMPORTANT: The security model must be the same as that running on the NMS. Otherwise, the NMS cannot receive any trap.
Security Level: Set the authentication and privacy mode for SNMP traps when the security model is v3. The available security levels are no authentication no privacy, authentication but no privacy, and authentication and privacy. If you select v1 or v2c in the Security Model list, the security level can only be no authentication no privacy, and cannot be modified.

Displaying SNMP packet statistics


Select Advanced > SNMP from the navigation tree to enter the Setup tab page. On the lower part of the
page, you can view the SNMP statistics, as shown in Figure 279.
Figure 279 SNMP Statistics page

SNMPv1/v2c configuration example
Network requirements
As shown in Figure 280, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the SNMP agent
at 1.1.1.1/24, and the agent automatically sends traps to report events to the NMS.
Figure 280 Network diagram

Configuring the agent


1. Enable SNMP:
a. Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform
the following configuration as shown in Figure 281.
Figure 281 Enabling SNMP

b. Select the Enable radio box.


c. Set the SNMP version to both v1 and v2c.
d. Click Apply.
2. Configure an SNMP community:
a. Click the Community tab and then click Add. Perform the following configuration as shown
in Figure 282.

Figure 282 Configuring SNMP community named public

b. Type public in the Community Name field.
c. Select Read only from the Access Right list.
d. Click Apply.
e. Click the Community tab and then click Add. Perform the following configuration as shown
in Figure 283.
Figure 283 Configuring SNMP community named private

f. Type private in the Community Name field.
g. Select Read and write from the Access Right list.
h. Click Apply.
3. Enable Agent to send SNMP traps:
a. Click the Trap tab and perform the following configuration as shown in Figure 284.

Figure 284 Enabling Agent to send SNMP traps

b. Select the Enable SNMP Trap box.


c. Click Apply.
4. Add target hosts of SNMP traps:
a. On the Trap tab page, click Add and perform the following configuration as shown in Figure
285.
Figure 285 Adding target hosts of SNMP traps

b. Select the destination IP address type as IPv4/Domain.


c. Type the destination address 1.1.1.2.
d. Type the security username public.
e. Select v1 from the Security Model list. (This configuration must be the same as that running on
the NMS; otherwise, the NMS cannot receive any trap.)
f. Click Apply.

Configuring the NMS
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
the corresponding operations.
1. Configure the SNMP version for the NMS as v1 or v2c.
2. Create a read-only community and name it public.
3. Create a read and write community and name it private.
For more information about configuring the NMS, see the NMS manual.

Verifying the configuration


• After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
• Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding
trap.

SNMPv3 configuration example


Network requirements
As shown in Figure 286, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status
of the agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS.
The NMS and the agent perform authentication when they set up an SNMP session. The authentication
algorithm is MD5 and the authentication key is authkey. The NMS and the agent also encrypt the SNMP
packets between them by using the DES algorithm and the privacy key prikey.
Figure 286 Network diagram

Configuring the agent


1. Enable SNMP:
a. Select Advanced > SNMP from the navigation tree, and you will enter the Setup page. Perform
the following configuration as shown in Figure 287.

Figure 287 Enabling SNMP

b. Select the Enable radio box.


c. Set the SNMP version to v3.
d. Click Apply.
2. Configure an SNMP view:
a. Click the View tab and then click Add. Perform the following configuration as shown in Figure
288.
Figure 288 Setting the name of the view to be created

b. Type view1 in the field of View Name.


c. Click Apply and enter the page of view1. Perform the following configuration as shown
in Figure 289.

Figure 289 Adding a view named view1

d. Select the Included radio box.


e. Type the MIB subtree OID interfaces.
f. Click Add.
g. Click Apply. A configuration progress dialog box appears, as shown in Figure 290.

Figure 290 Configuration progress dialog box

h. After the configuration process is complete, click Close.


3. Configure an SNMP group:
a. Click the Group tab and then click Add. Perform the following configuration as shown in Figure
291.

Figure 291 Configuring an SNMP group

b. Type group1 in the Group Name field.


c. Select view1 from the Read View list.
d. Select view1 from the Write View list.
e. Select v3 from the Security Level list.
f. Click Apply.
4. Configure an SNMP user:
a. Click the User tab and then click Add. Perform the following configuration as shown in Figure
292.
Figure 292 Configuring an SNMP user

b. Type user1 in the User Name field.

c. Select Auth/Priv from the Security Level list.
d. Select group1 (Auth/Priv) from the Group Name list.
e. Select MD5 from the Authentication Mode list.
f. Type authkey in the Authentication Password and Confirm Authentication Password fields.
g. Select DES56 from the Privacy Mode list.
h. Type prikey in the Privacy Password and Confirm Privacy Password fields.
i. Click Apply.
5. Enable Agent to send SNMP traps:
a. Click the Trap tab and perform the following configuration as shown in Figure 293.

Figure 293 Adding target hosts of SNMP traps

b. Select the Enable SNMP Trap box.


c. Click Apply.
6. Add target hosts of SNMP traps:
a. On the Trap tab page, click Add and perform the following configuration as shown in Figure
294.

Figure 294 Adding target hosts of SNMP traps

b. Select the destination IP address type as IPv4/Domain.


c. Type the destination address 1.1.1.2.
d. Type the user name user1.
e. Select v3 from the Security Model list.
f. Select Auth/Priv from the Security Level list.
g. Click Apply.

Configuring the NMS


The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
1. Specify the SNMP version for the NMS as v3.
2. Create an SNMP user user1.
3. Enable both authentication and privacy functions.
4. Use MD5 for authentication and DES56 for encryption.
5. Set the authentication key to authkey and the privacy key to prikey.
For more information about configuring the NMS, see the NMS manual.

Verifying the configuration


• After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
• Shut down or bring up an idle interface on the agent, and the NMS receives the corresponding
trap.
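As an added example (not H3C code), the RFC 3414 key derivation below shows what the agent and the NMS both compute from the authkey and prikey passwords of this example, and why the Local Engine ID note in Table 122 matters: the localized keys change with the engine ID, so a user created under an earlier engine ID no longer authenticates. The engine IDs used are the RFC 3414 test value and a constructed second value, not values read from a router.

```python
# Added example, not from the H3C guide: RFC 3414 password-to-key and key
# localization, which bind an SNMPv3 user's keys to the agent's engine ID.
import hashlib

# Digest length of the two authentication modes the Web interface offers.
_DIGEST_LEN = {"md5": 16, "sha1": 20}

# RFC 3414 A.3 test engine ID, and a constructed second engine ID standing in
# for a changed Local Engine ID (neither is a value from a real MSR router).
ENGINE_ID_OLD = bytes.fromhex("000000000000000000000002")
ENGINE_ID_NEW = bytes.fromhex("000000000000000000000003")


def password_to_ku(password: str, algorithm: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated cyclically to 1,048,576 bytes.
    Ku depends only on the password, so it is the same for every engine."""
    if algorithm not in _DIGEST_LEN:
        raise ValueError("authentication mode must be md5 or sha1")
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1_048_576, len(pw))
    return hashlib.new(algorithm, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku). Kul is the key both
    sides actually use, so it changes whenever the engine ID changes."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID is 5 to 32 octets")
    if algorithm not in _DIGEST_LEN:
        raise ValueError("authentication mode must be md5 or sha1")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes,
             algorithm: str = "md5") -> dict:
    """Derive what the agent stores for a user such as user1 in the SNMPv3
    example: the localized authentication key and the DES56 privacy material.
    The privacy password goes through the same password-to-key steps; for
    CBC-DES (RFC 3414 8.1.1.1) the first 8 octets of the localized key are the
    DES key (56 bits plus parity, hence "DES56") and the next 8 the pre-IV."""
    auth_kul = localize_key(password_to_ku(auth_password, algorithm), engine_id, algorithm)
    priv_kul = localize_key(password_to_ku(priv_password, algorithm), engine_id, algorithm)
    return {
        "auth_key": auth_kul,
        "des_key": priv_kul[:8],
        "des_pre_iv": priv_kul[8:16],
    }


def user_still_valid(stored_auth_key: bytes, auth_password: str,
                     current_engine_id: bytes, algorithm: str = "md5") -> bool:
    """Check whether a user created under an earlier engine ID can still be
    authenticated. The NMS derives Kul from the password and the engine ID it
    discovers on the agent, so the stored key only matches while the engine ID
    is unchanged, which is the Table 122 note on Local Engine ID."""
    ku = password_to_ku(auth_password, algorithm)
    return localize_key(ku, current_engine_id, algorithm) == stored_auth_key


if __name__ == "__main__":
    # Passwords from the SNMPv3 configuration example in this chapter.
    keys = usm_keys("authkey", "prikey", ENGINE_ID_OLD)
    print("auth key:", keys["auth_key"].hex())
    print("DES key :", keys["des_key"].hex(), "pre-IV:", keys["des_pre_iv"].hex())
    print("valid with same engine ID   :", user_still_valid(keys["auth_key"], "authkey", ENGINE_ID_OLD))
    print("valid after engine ID change:", user_still_valid(keys["auth_key"], "authkey", ENGINE_ID_NEW))
```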

Configuring bridging

Through the Web interface, you can configure the following transparent bridging functions:
• Enabling a bridge set
• Adding an interface to a bridge set

Overview
Bridging overview
A bridge is a store-and-forward device that connects and transfers traffic between LAN segments at the
data-link layer. In some small-sized networks, especially those with dispersed distribution of users, the use
of bridges can reduce the network maintenance costs without requiring the end users to perform special
configurations on the devices.
In applications, the following major kinds of bridging technologies apply: transparent bridging,
source-route bridging (SRB), translational bridging, and source-route translational bridging (SR/TLB).
The devices support only transparent bridging.
Transparent bridging bridges LAN segments of the same physical media type, primarily in Ethernet
environments. A transparent bridging device keeps a bridge table, which contains mappings between
destination MAC addresses and outbound interfaces.
For more information about transparent bridging, see Layer 2—WAN Configuration Guide in H3C MSR
Series Routers Configuration Guides (V5).

Major functionalities of bridges


Maintaining the bridge table
A bridge relies on its bridge table to forward data. A bridge table consists of two parts: a MAC address list
and interface list. Once connected to a physical LAN segment, a bridge listens to all Ethernet frames on
the segments. When it receives an Ethernet frame, it extracts the source MAC address of the frame and
creates a mapping entry between this MAC address and the interface on which the Ethernet frame was
received.
As shown in Figure 295, Host A, Host B, Host C, and Host D are attached to two LAN segments. Host A
and Host B are connected to bridge interface 1. When Host A sends an Ethernet frame to Host B, both
bridging interface 1 and Host B receive this frame.

Figure 295 Host A sends an Ethernet frame to Host B on LAN 1
(Diagram: Host A, 00e0.fcaa.aaaa, and Host B, 00e0.fcbb.bbbb, are on LAN segment 1, attached to bridge interface 1; Host C, 00e0.fccc.cccc, and Host D, 00e0.fcdd.dddd, are on LAN segment 2, attached to bridge interface 2. The frame carries source address 00e0.fcaa.aaaa and destination address 00e0.fcbb.bbbb.)

As the bridge receives the Ethernet frame on bridging interface 1, it determines that Host A is attached
to bridging interface 1 and creates a mapping between the MAC address of Host A and bridging
interface 1 in its bridge table, as shown in Figure 296.
Figure 296 The bridge determines that Host A is attached to interface 1

When Host B responds to Host A, the bridge also hears the Ethernet frame from Host B. As the frame is
received on bridging interface 1, the bridge determines that Host B is also attached to bridging interface
1, and creates a mapping between the MAC address of Host B and bridging interface 1 in its bridge
table, as shown in Figure 297.

Figure 297 The bridge determines that Host B is also attached to interface 1
(Diagram: the same topology as Figure 295. The reply from Host B carries source address 00e0.fcbb.bbbb and destination address 00e0.fcaa.aaaa. Bridge table: 00e0.fcaa.aaaa on interface 1, 00e0.fcbb.bbbb on interface 1.)

Finally, the bridge obtains all the MAC-interface mappings (assume that all hosts are in use), as shown
in Figure 298.
Figure 298 The final bridge table
(Diagram: the same topology as Figure 295. Bridge table: 00e0.fcaa.aaaa on interface 1, 00e0.fcbb.bbbb on interface 1, 00e0.fccc.cccc on interface 2, 00e0.fcdd.dddd on interface 2.)

Forwarding and filtering


The bridge makes data forwarding or filtering decisions based on the following scenarios:
• When Host A sends an Ethernet frame to Host C, the bridge searches its bridge table and finds out
that Host C is attached to bridging interface 2, and forwards the Ethernet frame out of bridging
interface 2, as shown in Figure 299.

Figure 299 Forwarding
(Diagram: the same topology and bridge table as Figure 298. The frame from Host A, source address 00e0.fcaa.aaaa and destination address 00e0.fccc.cccc, arrives on bridge interface 1 and is sent out of bridge interface 2 onto LAN segment 2.)

• When Host A sends an Ethernet frame to Host B, as Host B is on the same LAN segment with Host
A, the bridge filters the Ethernet frame instead of forwarding it, as shown in Figure 300.
Figure 300 Filtering

• When Host A sends an Ethernet frame to Host C, if the bridge does not find a MAC-to-interface
mapping about Host C in its bridge table, the bridge forwards the Ethernet frame to all interfaces
except the interface on which the frame was received, as shown in Figure 301.

Figure 301 The proper MAC-to-interface mapping is not found in the bridge table

When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than
the receiving interface.
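An added example (not the router's implementation) that replays the frames of Figures 295 through 301 through a two-interface transparent bridge, showing learning from source addresses, forwarding, filtering, and flooding of unknown-unicast, broadcast and multicast frames with the MAC addresses used in the figures.

```python
# Added example, not from the H3C guide: a transparent bridge that learns its
# bridge table from source MAC addresses and forwards, filters, or floods
# frames as described in "Maintaining the bridge table" and "Forwarding and
# filtering".
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"

# Hosts of Figures 295 to 301, in the guide's dotted MAC notation.
HOST_A, HOST_B = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb"
HOST_C, HOST_D = "00e0.fccc.cccc", "00e0.fcdd.dddd"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (lowest bit of the first
    octet) set; the bridge floods these out of every other interface."""
    return int(mac.replace(".", "")[:2], 16) & 1 == 1


class TransparentBridge:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}       # bridge table: MAC address -> interface

    def receive(self, frame: Frame, in_iface: int) -> list:
        """Handle one frame received on in_iface and return the interfaces it
        is sent out of (an empty list means the frame was filtered)."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown bridge interface {in_iface}")
        # Learning: the source is reachable through the receiving interface.
        # A host that moves to another segment simply overwrites its entry.
        self.table[frame.src] = in_iface
        if is_group_address(frame.dst):
            return self._flood(in_iface)      # broadcast or multicast
        out = self.table.get(frame.dst)
        if out is None:
            return self._flood(in_iface)      # unknown unicast (Figure 301)
        if out == in_iface:
            return []                         # same segment: filter (Figure 300)
        return [out]                          # forward (Figure 299)

    def _flood(self, in_iface: int) -> list:
        return [i for i in self.interfaces if i != in_iface]


def replay_figures() -> dict:
    """Replay the frames from the figures on a two-interface bridge and return
    the decision for each frame plus the bridge table learned (Figure 298)."""
    bridge = TransparentBridge([1, 2])
    steps = [
        ("A->B, B not yet learned", Frame(HOST_A, HOST_B), 1),  # flooded to 2, learns A
        ("B->A reply", Frame(HOST_B, HOST_A), 1),              # filtered, learns B
        ("C->A", Frame(HOST_C, HOST_A), 2),                    # forwarded to 1, learns C
        ("D->C", Frame(HOST_D, HOST_C), 2),                    # filtered, learns D
        ("A->C", Frame(HOST_A, HOST_C), 1),                    # Figure 299: forwarded to 2
        ("A->B", Frame(HOST_A, HOST_B), 1),                    # Figure 300: filtered
        ("A->broadcast", Frame(HOST_A, BROADCAST), 1),         # flooded to 2
    ]
    decisions = {label: bridge.receive(frame, iface) for label, frame, iface in steps}
    return {"decisions": decisions, "table": dict(bridge.table)}


if __name__ == "__main__":
    result = replay_figures()
    for label, out in result["decisions"].items():
        print(f"{label:26s} -> {out or 'filtered'}")
    print("bridge table:", result["table"])
```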

VLAN transparency
VLAN transparency enables a bridge to forward VLAN-tagged packets without processing their VLAN
tags. If your device does not support VLAN tags, enable VLAN transparency on any interfaces that may
receive VLAN-tagged packets to avoid dropping of VLAN tags.

Configuring bridging
Recommended basic bridging configuration procedure
Step Remarks
1. Enabling a bridge set: Required. No bridge set is enabled by default.
2. Adding an interface to a bridge set: Required. An interface is not in any bridge set by default.

Enabling a bridge set


Select Advanced > Bridge from the navigation tree to enter the Global config page.

Figure 302 Global config

Table 128 Configuration items

Item Remarks
Bridge Group id Set the ID of the bridge set you want to enable.

Adding an interface to a bridge set


Select Advanced > Bridge from the navigation tree, and click the Config interface tab to enter the page
shown in Figure 303.

Figure 303 Configuring interface

Table 129 Configuration items

Item Remarks
Interface: Select the interface you want to configure.
Bridge Group: Set the ID of the bridge set to which you want to add the interface.
VLAN Transmit: Enable or disable VLAN transparency on the interface. H3C does not recommend enabling this function on a subinterface. A VLAN interface does not support this function.

Bridging configuration example


Network requirements
As shown in Figure 304, the trunk ports of Switch A and of Switch B are assigned to the same VLAN.
Enable VLAN transparency on Ethernet interfaces of the two routers, so the two office areas can
communicate within the same VLAN.

Figure 304 Network diagram
(Diagram: office area A connects to Switch A, whose trunk port Eth1/1 connects to Eth1/1 of Router A; Router A and Router B are connected through their Eth1/2 interfaces; Eth1/1 of Router B connects to trunk port Eth1/1 of Switch B, which serves office area B.)

Configuration procedure
1. Configure Router A:
# Enable bridge set 2.
a. Select Advanced > Bridge from the navigation tree to enter the Global config page.

Figure 305 Enabling bridge set 2

b. Enter 2 as the bridge group ID.
c. Click Apply.
# Assign Ethernet 1/1 to bridge set 2, and enable VLAN transparency.
a. Click the Config interface tab.

Figure 306 Assigning Ethernet 1/1 to bridge set 2 and enabling VLAN transparency

b. Select Ethernet1/1 from the Interface list.
c. Select 2 from the Bridge Group list.
d. Select Enable from the VLAN Transmit list.
e. Click Apply.
# Assign Ethernet 1/2 to bridge set 2, and enable VLAN transparency.
Figure 307 Assigning Ethernet 1/2 to bridge set 2 and enabling VLAN transparency

a. Select Ethernet1/2 from the Interface list.
b. Select 2 from the Bridge Group list.
c. Select Enable from the VLAN Transmit list.
d. Click Apply.
2. Configure Router B:
Configure Router B in the same way as you configured Router A.

Configuring user groups

You can add hosts in a LAN to a user group and perform access control, application control, bandwidth
control, and packet filtering on a per user group basis.
• Access control—Allows you to deny access from hosts during specific time ranges. All data packets
matching these criteria will be denied access to the Internet.
• Application control—Allows you to restrict access to a specific application or protocol (such as
Telnet, DNS, SIP, and HTTP) on the Internet from users in a user group. You can perform application
control based on a user group or all users. For more information about application control, see
"Configuring application control."
• Bandwidth control—Allows you to control the bandwidth consumption based on user group. It
evaluates traffic with token buckets and drops unqualified packets.
• Packet filtering—Allows you to filter packets that match specific criteria such as the protocol,
destination IP address, source port, and destination port on a per user group basis.

User group configuration task list


Perform the tasks in Table 130 to configure user groups.
Table 130 User group configuration task list

Task Remarks
Configuring a user group: Required. By default, no user groups are configured.
Configuring a user: Required. Add users to the user group. By default, a user group has no users.
Configuring access control, Configuring application control, Configuring bandwidth control, Configuring packet filtering: Required. Use at least one of these approaches. By default, a user group has no service configured.
Synchronizing user group configuration for WAN interfaces: Optional. If a WAN interface is added, or a non-WAN interface becomes a WAN interface after the user or user group is configured, you must synchronize the user group configuration to the WAN interface.
IMPORTANT: Make sure at least one user group exists in the system before synchronization.

Configuring a user group
Select Advanced > Security > Usergroup from the navigation tree. The group configuration page
appears, as shown in Figure 308.
Figure 308 User group configuration

Table 131 describes the user group configuration item.


Table 131 Configuration item

User Group Name: Set the name of the group to be added. The group name is a character string beginning with letters. The string cannot contain any question mark (?) or space.

Configuring a user
Select Advanced > Security > Usergroup from the navigation tree, and then select the User tab to enter
the page shown in Figure 309.

Figure 309 User configuration

Table 132 describes the user configuration items.


Table 132 Configuration items

Please select a user group: Select the group to which you want to add users.

Add Mode: Set the mode in which the users are added.
• Static—In this mode, type the username and IP address manually in the following fields.
• Dynamic—The system displays all devices connected to the device for you to select.

Username: Set the username.
• In static add mode, specify the username manually.
• In dynamic add mode, the system automatically generates a username.

IP Address: Set the IP address.
• In static add mode, specify the IP address manually.
• In dynamic add mode, the system automatically obtains the IP addresses and MAC addresses of devices connected to the device for you to select.

Configuring access control


Select Advanced > Security > Connect Control from the navigation tree to enter the configuration page,
as shown in Figure 310.

Figure 310 Access control configuration

Table 133 describes the access control configuration items.


Table 133 Configuration items

Please select a user group: Select a user group for access control. When there is more than one user group, the option all is available. Selecting all means that the access control configuration applies to all the user groups.

Days, Time: Set the time range in which access to the Internet is denied.

Configuring application control


Select Advanced > Security > Application Control from the navigation tree to enter the page as shown
in Figure 311.

Figure 311 Application control

Table 134 describes the application control configuration items.


Table 134 Configuration items

Please select a user group: Select a user group for application control. When there is more than one user group, the option all is available. Selecting all means that the application control configuration applies to all the user groups.

Please select applications to deny: Select the applications and protocols to be controlled. There are three types of applications for you to select:
• Loaded Applications—Applications contained in the loaded signature file. To load a signature file, select Security > Application Control.
• Predefined Applications—Predefined applications.
• Custom Applications—To customize applications, select Security > Application Control.

Configuring bandwidth control


After logging into the Web interface, select Advanced > Security > Band Width from the navigation tree
to enter the bandwidth control configuration page, as shown in Figure 312.

Figure 312 Bandwidth control configuration

Table 135 describes the bandwidth control configuration items.


Table 135 Configuration items

Please select a user group: Set the user group for bandwidth control configuration. When there is more than one user group, the option all is available. Selecting all means that the bandwidth control configuration applies to all the user groups.

CIR: Set the committed information rate (CIR), that is, the permitted average rate of traffic.

CBS: Set the committed burst size (CBS). CBS is the token bucket capacity, that is, the maximum traffic size that is permitted in each burst. The CBS value must be greater than the maximum packet size.
IMPORTANT: By default, the CBS is the number of bytes transmitted in 500 ms at the rate of CIR. If the number exceeds the value range, the allowed maximum or minimum value is adopted.
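The following added example (not H3C's code) models the CIR/CBS token bucket described in Table 135: the default CBS is computed as the bytes sent in 500 ms at CIR, and each packet is forwarded only if the bucket holds enough tokens. It assumes CIR is entered in kbps, as in the configuration example later in this chapter, ignores the device's value-range clamp (the page does not give the range), and uses a constructed packet trace whose last packet is larger than the CBS.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed packet trace: (arrival time in milliseconds, packet length in bytes).
SAMPLE_TRACE: List[Tuple[int, int]] = [
    (0, 400), (100, 400), (200, 400), (300, 400), (1300, 400), (2300, 1500),
]


def default_cbs(cir_kbps: int) -> int:
    """Default CBS from Table 135: the bytes sent in 500 ms at CIR.
    The device's minimum/maximum value clamp is not modelled (range not given on the page)."""
    return cir_kbps * 1000 // 16  # kbit/s * 1000 bit/kbit * 0.5 s / 8 bit/byte


@dataclass
class TokenBucket:
    cir_kbps: int
    cbs_bytes: int
    tokens: float = 0.0  # bytes currently available in the bucket
    last_ms: int = 0     # arrival time of the previous packet

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bytes)  # the bucket starts full

    def admit(self, now_ms: int, length: int) -> bool:
        """Refill tokens at CIR, then forward the packet only if it fits; otherwise drop it."""
        earned = (now_ms - self.last_ms) * self.cir_kbps / 8  # kbit/s * ms = bit; /8 = bytes
        self.tokens = min(float(self.cbs_bytes), self.tokens + earned)
        self.last_ms = now_ms
        if length > self.tokens:
            return False  # unqualified packet: dropped
        self.tokens -= length
        return True


def evaluate(cir_kbps: int, cbs_bytes: int, trace: List[Tuple[int, int]]) -> List[bool]:
    """Run a trace through one bucket and report, per packet, whether it was forwarded."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    return [bucket.admit(t, n) for t, n in trace]
```

With CIR 8 kbps the default CBS is 500 bytes, so a 1500-byte packet can never be forwarded; that is the practical meaning of the rule that CBS must exceed the maximum packet size.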

Configuring packet filtering


Select Advanced > Security > Packet Filter from the navigation tree to enter the Packet Filter page, as
shown in Figure 313.

Figure 313 Packet filtering configuration

Table 136 describes the packet filtering configuration items.


Table 136 Configuration items

Please select a user group: Select a user group to which packet filtering is applied. When there is more than one user group, the option all is available. Selecting all means that the packet filtering configuration applies to all the user groups.

Protocol: Select a protocol.

Destination IP Address, Destination Wildcard: Set the destination IP address and wildcard mask.

Source Port (Operator, Port, ToPort): Configure the source port for TCP/UDP packets. When you select 6 TCP or 17 UDP as the protocol, these parameters are configurable.
• If you select NotCheck as the operator, port numbers are not checked and no ports need to be specified.
• If you select Range as the operator, you must specify both start and end ports to define a port range.
• If you select any other option as the operator, only a start port needs to be specified.

Destination Port (Operator, Port, ToPort): Configure the destination port of TCP/UDP packets. When you select 6 TCP or 17 UDP as the protocol, these parameters are configurable.
• If you select NotCheck as the operator, port numbers are not checked and no ports need to be specified.
• If you select Range as the operator, you must specify both start and end ports to define a port range.
• If you select any other option as the operator, only a start port needs to be specified.

Synchronizing user group configuration for WAN interfaces


1. Select Advanced > Security > Usergroup from the navigation tree, and then select the WAN
Synchronization tab to enter the page, as shown in Figure 314.
2. Click the Sync button to synchronize the user group configuration for WAN interfaces.
Figure 314 User group configuration synchronization

User group configuration example


Network requirements
As shown in Figure 315, the router connects the private network to the Internet. Host A is used by the
manager, and Host B, Host C, and Host D are used by common users. Do the following on the router:
• Configure access control so that access from common users to the Internet during work time (9:00
to 18:00 from Monday through Friday) is denied while access from the manager is allowed.
• Configure application control so that access from common users to the MSN application is denied
while access from the manager is allowed.
• Configure the maximum average rate of Internet access as 8 kbps for common users and 54 kbps
for the manager.
• Configure packet filtering so that access to the server at the address 2.2.2.1 from common users is
denied.

Figure 315 Network diagram

Creating user groups staff (for common users) and manager (for the manager)
1. Select Advanced > Security > Usergroup to enter the group configuration page. Perform the
configurations as shown in Figure 316.
Figure 316 Creating user groups staff and manager

2. Enter staff as a user group name.


3. Click Apply.
4. Enter manager as a user group name.
5. Click Apply.

Adding users to user groups


1. Select Advanced > Security > Usergroup, and then select the User tab.

Figure 317 Adding users to user group staff

2. Select staff from the user group list.


3. Select Dynamic as the add mode.
The following area then displays the IP addresses and MAC addresses of all the hosts in the private
network connected to the router.
4. Select the entries of Host B, Host C, and Host D.
5. Click Apply.
A configuration progress dialog box appears, as shown in Figure 318.

Figure 318 Configuration progress dialog box

6. After the configuration process is complete, click Close.


Figure 319 Adding users to user group manager

7. Select manager from the user group list.


8. Select Static for Add Mode.
9. Enter hosta as the username.
10. Enter 192.168.1.11 as the IP address.
11. Click Apply. A configuration progress dialog box appears.
12. After the configuration process is complete, click Close.

Configuring access control for user group staff


1. Select Advanced > Security > Connect Control.

Figure 320 Configuring access control for user group staff

2. Select staff from the user group list.


3. Select the boxes for Monday through Friday.
4. Specify 09:00 as the start time.
5. Specify 18:00 as the end time.
6. Click Apply.
A configuration progress dialog box appears.
7. After the configuration process is complete, click Close.

Loading the application control file (assume the signature file is stored on the device)
1. Select Security Setup > Application Control from the navigation tree, and then select the Load
Application tab.

Figure 321 Loading the application control file

2. Select the From Device option, and select file p2p_default.


3. Click Apply.
MSN then appears in the loaded applications list on the lower part of the page.

Configuring application control for user group staff


1. Select Advanced > Security > Application Control from the navigation tree, and perform the
configurations as shown in Figure 322.
Figure 322 Configuring application control for user group staff

2. Select staff from the user group list.


3. Select MSN from the Loaded Applications area.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration process is complete, click Close.

Configuring bandwidth control for user groups staff and manager
1. Select Advanced > Security > Band Width, and then perform the configurations as shown in Figure
323.
Figure 323 Configuring bandwidth control for user groups staff and manager

2. Select the staff user group.


3. Enter 8 for the CIR.
4. Click Apply.
A configuration progress dialog box appears.
5. After the configuration process is complete, click Close.
6. Select the manager user group.
7. Enter 54 for the CIR.
8. Click Apply.
A configuration progress dialog box appears.
9. After the configuration process is complete, click Close.

Configuring packet filtering for user group staff


1. Select Advanced > Security > Packet Filter, and then perform the configurations as shown in Figure
324.

Figure 324 Configuring packet filtering for user group staff

2. Select staff from the user group list.


3. Select IP as the protocol.
4. Select the Destination IP Address box.
5. Enter 2.2.2.1 as the destination IP address.
6. Enter 0.0.0.0 as the destination wildcard.
7. Click Apply. A configuration progress dialog box appears.
8. After the configuration process is complete, click Close.

Configuring MSTP

Only MSR 20/30/50/930 routers support this feature.


As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by
selectively blocking redundant links in a network, and allows for link redundancy.
Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid
Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). This chapter describes
the characteristics of STP, RSTP, and MSTP.

Introduction to STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a
LAN. Devices running this protocol detect loops in the network by exchanging information with one
another and eliminate loops by selectively blocking certain ports to prune the loop structure into a
loop-free tree structure. This avoids the proliferation and infinite cycling of packets that would occur in a
looped network, and prevents the performance degradation that duplicate packets would cause on network devices.
In the narrow sense, STP refers to the IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d
STP and various improved spanning tree protocols derived from that protocol.

Protocol packets of STP


STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
packets.
STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the network devices to complete spanning tree calculation.
In STP, BPDUs have the following types:
• Configuration BPDUs—Used for calculating a spanning tree and maintaining the spanning tree
topology.
• Topology change notification (TCN) BPDUs—Used for notifying the concerned devices of network
topology changes, if any.

Basic concepts in STP


Root bridge
A tree network must have a root bridge.
There is only one root bridge in the entire network. The root bridge is not fixed, but can change along
with changes of the network topology.
When a network is initialized, each device generates and sends out BPDUs periodically with itself as the
root bridge. After network convergence, only the root bridge generates and sends out configuration
BPDUs at a certain interval, and the other devices just forward BPDUs.

Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port is responsible for
communication with the root bridge. Each non-root bridge has one and only one root port. The root
bridge has no root port.

Designated bridge and designated port


Table 137 Description of designated bridges and designated ports:

Classification: For a device
Designated bridge: Device directly connected to the local device and responsible for forwarding BPDUs to the local device.
Designated port: Port through which the designated bridge forwards BPDUs to the local device.

Classification: For a LAN
Designated bridge: Device responsible for forwarding BPDUs to this LAN segment.
Designated port: Port through which the designated bridge forwards BPDUs to this LAN segment.

As shown in Figure 325, AP1 and AP2, BP1 and BP2, and CP1 and CP2 are ports on Device A, Device
B, and Device C, respectively.
• If Device A forwards BPDUs to Device B through AP1, the designated bridge for Device B is Device
A, and the designated port of Device B is port AP1 on Device A.
• Two devices are connected to the LAN: Device B and Device C. If Device B forwards BPDUs to the
LAN, the designated bridge for the LAN is Device B, and the designated port for the LAN is the port
BP2 on Device B.
Figure 325 Designated bridges and designated ports

All the ports on the root bridge are designated ports.

Path cost
Path cost is a reference value used for link selection in STP. By calculating path costs, STP selects relatively
robust links and blocks redundant links, and finally prunes the network into a loop-free tree.

How STP works


The devices on a network exchange BPDUs to identify the network topology. Configuration BPDUs
contain sufficient information for the network devices to complete spanning tree calculation. A
configuration BPDU includes the following important fields:

• Root bridge ID—Consisting of the priority and MAC address of the root bridge.
• Root path cost—Cost of the shortest path to the root bridge.
• Designated bridge ID—Consisting of the priority and MAC address of the designated bridge.
• Designated port ID—Designated port priority plus port name.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum time for which a configuration BPDU can be maintained on a device.
• Hello time—Configuration BPDU interval.
• Forward delay—Delay used by STP bridges to transit the state of the root and designated ports to
forwarding.
For simplicity, the descriptions and examples in this document involve only the following fields in the
configuration BPDUs:
• Root bridge ID (represented by device priority)
• Root path cost (related to the rate of the link connecting the port)
• Designated bridge ID (represented by device priority)
• Designated port ID (represented by port name)

Calculation process of the STP algorithm


1. Initialize the state.
When you initialize a device, each port generates a BPDU with itself as the root bridge, in which
the root path cost is 0, designated bridge ID is the device ID, and the designated port is the local
port.
2. Select the optimum configuration BPDU.
Each device sends out its configuration BPDU and receives configuration BPDUs from other
devices.
Table 138 Selection of the optimum configuration BPDU

Step 1: Upon receiving a configuration BPDU on a port, the device performs the following:
• If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU and does not process the configuration BPDU of this port.
• If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.

Step 2: The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU.

Configuration BPDU comparison uses the following principles:


• The configuration BPDU that has the lowest root bridge ID has the highest priority.
• If all the configuration BPDUs have the same root bridge ID, their root path costs are compared. Suppose
the root path cost in a configuration BPDU plus the path cost of the receiving port is S. The
configuration BPDU with the smallest S value has the highest priority.
• If all configuration BPDUs have the same S value, their designated bridge IDs, designated port IDs,
and the IDs of the receiving ports are compared in sequence. The configuration BPDU containing
a smaller ID wins out.

3. Select the root bridge.
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root
bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their
root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
4. Select the root port and designated ports on a non-root device.
Table 139 Selection of the root port and designated ports

Step 1: A non-root device regards the port on which it received the optimum configuration BPDU as the root port.

Step 2: Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the remaining ports:
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
• The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.

Step 3: The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be defined, and acts depending on the comparison result:
• If the calculated configuration BPDU is superior, the device considers this port as the designated port, and replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically.
• If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU. The blocked port can receive BPDUs but cannot send BPDUs or forward data.

When the network topology is stable, only the root port and designated ports forward traffic, and other
ports are all in the blocked state—they receive BPDUs but do not forward BPDUs or user traffic.
A tree-shape topology forms upon successful election of the root bridge, the root port on each non-root
bridge and the designated ports.

An example of the STP algorithm calculation


The following example shows how the STP algorithm works. As shown in Figure 326, the priority of
Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the path costs of these links
are 5, 10, and 4, respectively.
The spanning tree calculation process in this example is only a simplified process.

Figure 326 The STP algorithm

1. Initialize the state of each device.


Table 140 Initial state of each device

Device A: AP1 {0, 0, 0, AP1}; AP2 {0, 0, 0, AP2}
Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}
Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}

2. Perform comparisons on each device.


Table 141 Comparison process and result on each device

Device A
Comparison process:
• Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the configuration BPDU of the local port {0, 0, 0, AP1} is superior to the received configuration BPDU, and discards the received configuration BPDU.
• Port AP2 receives the configuration BPDU of Device C {2, 0, 2, CP1}. Device A finds that the BPDU of the local port {0, 0, 0, AP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
• Device A finds that both the root bridge and designated bridge in the configuration BPDUs of all its ports are itself, so it assumes itself to be the root bridge. It does not make any change to the configuration BPDU of each port, and starts sending out configuration BPDUs periodically.
BPDU of port after comparison:
AP1: {0, 0, 0, AP1}
AP2: {0, 0, 0, AP2}

Device B
Comparison process:
• Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
• Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}. Device B finds that the configuration BPDU of the local port {1, 0, 1, BP2} is superior to the received configuration BPDU, and discards the received configuration BPDU.
BPDU of port after comparison:
BP1: {0, 0, 0, AP1}
BP2: {1, 0, 1, BP2}

Comparison process:
• Device B compares the configuration BPDUs of all its ports, and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDU of which will not be changed.
• Based on the configuration BPDU of BP1 and the path cost of the root port (5), Device B calculates a designated port configuration BPDU for BP2 {0, 5, 1, BP2}.
• Device B compares the calculated configuration BPDU {0, 5, 1, BP2} with the configuration BPDU of BP2. If the calculated BPDU is superior, BP2 will act as the designated port, and the configuration BPDU on this port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
BPDU of port after comparison:
Root port BP1: {0, 0, 0, AP1}
Designated port BP2: {0, 5, 1, BP2}

Device C
Comparison process:
• Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
• Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2} before the configuration BPDU is updated. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP2}, and updates the configuration BPDU of CP2.
BPDU of port after comparison:
CP1: {0, 0, 0, AP2}
CP2: {1, 0, 1, BP2}

After comparison:
• The configuration BPDU of CP1 is elected as the optimum configuration BPDU, so CP1 is identified as the root port, the configuration BPDU of which will not be changed.
• Device C compares the calculated designated port configuration BPDU {0, 10, 2, CP2} with the configuration BPDU of CP2, and CP2 becomes the designated port, and the configuration BPDU of this port will be replaced with the calculated configuration BPDU.
BPDU of port after comparison:
Root port CP1: {0, 0, 0, AP2}
Designated port CP2: {0, 10, 2, CP2}

Comparison process:
• Then, port CP2 receives the updated configuration BPDU of Device B {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its own configuration BPDU, Device C launches a BPDU update process.
• At the same time, port CP1 receives periodic configuration BPDUs from Device A. Device C does not launch an update process after comparison.
BPDU of port after comparison:
CP1: {0, 0, 0, AP2}
CP2: {0, 5, 1, BP2}

After comparison:
• Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus the path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus the path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.
• After comparison between the configuration BPDU of CP1 and the calculated designated port configuration BPDU, port CP1 is blocked, with the configuration BPDU of the port unchanged, and the port will not receive data from Device A until a spanning tree calculation process is triggered by a new event, for example, the link from Device B to Device C going down.
BPDU of port after comparison:
Blocked port CP1: {0, 0, 0, AP2}
Root port CP2: {0, 5, 1, BP2}

After the comparison processes described in Table 141, a spanning tree with Device A as the root bridge
is established as shown in Figure 327.
Figure 327 The final calculated spanning tree
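The following added example (not H3C's code) implements the calculation process of Tables 138 and 139 and replays it on the Figure 326 topology (priorities 0, 1, 2; link costs 5, 10, 4). BPDUs are the four-field tuples used in this chapter; the exchange runs in synchronous rounds, and a port keeps only the BPDU it received in the current round, which stands in for the max age timeout of a real bridge.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A configuration BPDU reduced to the four fields this chapter uses:
# (root bridge ID, root path cost, designated bridge ID, designated port ID).
# Bridge IDs are represented by device priority and port IDs by port name.
BPDU = Tuple[int, int, int, str]


@dataclass
class Port:
    name: str
    cost: int                        # path cost of the link attached to this port
    peer: str                        # name of the port at the far end of the link
    received: Optional[BPDU] = None  # configuration BPDU received in the current round
    role: str = "designated"         # "root", "designated" or "blocked"


@dataclass
class Device:
    bridge_id: int                   # device priority; the lowest wins the root election
    ports: Dict[str, Port]
    root_id: int = -1
    root_path_cost: int = 0

    def __post_init__(self) -> None:
        self.root_id = self.bridge_id  # initial state: every device assumes it is the root


def designated_bpdu(dev: Device, port: Port) -> BPDU:
    """Configuration BPDU the device sends out of a port (Table 139, step 2)."""
    return (dev.root_id, dev.root_path_cost, dev.bridge_id, port.name)


def compute_roles(dev: Device) -> None:
    """Elect the root, the root port and the designated/blocked ports of one device."""
    best_key = None
    best_port = None
    for port in dev.ports.values():
        if port.received is None:
            continue
        root, cost, bridge, dport = port.received
        # Comparison principles: lowest root bridge ID, then smallest S = root path cost
        # plus receiving port cost, then designated bridge ID, designated port ID, receiving port.
        key = (root, cost + port.cost, bridge, dport, port.name)
        if best_key is None or key < best_key:
            best_key, best_port = key, port
    if best_key is None or best_key[0] >= dev.bridge_id:
        # Nothing superior seen: this device is the root bridge and all its ports are designated.
        dev.root_id, dev.root_path_cost = dev.bridge_id, 0
        for port in dev.ports.values():
            port.role = "designated"
        return
    dev.root_id, dev.root_path_cost = best_key[0], best_key[1]
    best_port.role = "root"
    for port in dev.ports.values():
        if port is best_port:
            continue
        calculated = designated_bpdu(dev, port)
        # Table 139, step 3: a superior calculated BPDU makes the port designated; otherwise
        # the port is blocked and keeps the superior BPDU it received.
        port.role = "designated" if port.received is None or calculated < port.received else "blocked"


def run_stp(devices: List[Device], max_rounds: int = 20) -> int:
    """Exchange BPDUs in synchronous rounds until nothing changes; return the round count."""
    owner = {p.name: (dev, p) for dev in devices for p in dev.ports.values()}
    previous = None
    for round_no in range(1, max_rounds + 1):
        # Only designated ports send configuration BPDUs (on the root bridge, every port).
        sent = {p.name: designated_bpdu(dev, p) for dev, p in owner.values() if p.role == "designated"}
        for _, p in owner.values():
            p.received = sent.get(p.peer)  # stale BPDUs vanish, as they would at max age
        for dev in devices:
            compute_roles(dev)
        snapshot = tuple((p.name, p.role, p.received) for _, p in owner.values())
        if snapshot == previous:
            return round_no
        previous = snapshot
    raise RuntimeError("spanning tree did not converge")


def port_bpdu(dev: Device, port: Port) -> Optional[BPDU]:
    """Designated ports carry the calculated BPDU; root and blocked ports keep the received one."""
    return designated_bpdu(dev, port) if port.role == "designated" else port.received


def summary(devices: List[Device]) -> Dict[str, Tuple[str, Optional[BPDU]]]:
    """Map every port name to its (role, BPDU) pair after calculation."""
    return {p.name: (p.role, port_bpdu(dev, p)) for dev in devices for p in dev.ports.values()}


def figure_326_topology() -> List[Device]:
    """Devices A, B, C with priorities 0, 1, 2; link costs A-B 5, A-C 10, B-C 4."""
    a = Device(0, {"AP1": Port("AP1", 5, "BP1"), "AP2": Port("AP2", 10, "CP1")})
    b = Device(1, {"BP1": Port("BP1", 5, "AP1"), "BP2": Port("BP2", 4, "CP2")})
    c = Device(2, {"CP1": Port("CP1", 10, "AP2"), "CP2": Port("CP2", 4, "BP2")})
    return [a, b, c]
```

Running `run_stp(figure_326_topology())` and then `summary(...)` reproduces the last row of Table 141: BP1 and CP2 become root ports, BP2 a designated port carrying {0, 5, 1, BP2}, and CP1 is blocked while still holding {0, 0, 0, AP2}.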

The BPDU forwarding mechanism in STP


• Upon network initiation, every device regards itself as the root bridge, generates configuration
BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
• If it is the root port that received a configuration BPDU and the received configuration BPDU is
superior to the configuration BPDU of the port, the device increases the message age carried in the
configuration BPDU following a certain rule and starts a timer to time the configuration BPDU while
sending this configuration BPDU out of the designated port.
• If the configuration BPDU received on a designated port has a lower priority than the configuration
BPDU of the local port, the port immediately sends out its own configuration BPDU in response.
• If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs
and the old configuration BPDUs will be discarded due to timeout. The device will generate
configuration BPDUs with itself as the root. This triggers a new spanning tree calculation process to
establish a new path to restore the network connectivity.

However, the newly calculated configuration BPDU will not be propagated throughout the network
immediately, so the old root ports and designated ports that have not detected the topology change
continue forwarding data along the old path. If the new root ports and designated ports begin to
forward data as soon as they are elected, a temporary loop may occur.

STP timers
STP calculation involves the following timers:
• Forward delay—The delay time for device state transition. A path failure can cause spanning tree
re-calculation to adapt the spanning tree structure to the change. However, the resulting new
configuration BPDU cannot propagate throughout the network immediately. If the newly elected
root ports and designated ports start to forward data right away, a temporary loop is likely to occur.
For this reason, as a mechanism for state transition in STP, the newly elected root ports or
designated ports require twice the forward delay time before transiting to the forwarding state to
make sure the new configuration BPDU has propagated throughout the network.
• Hello time—The time interval at which a device sends hello packets to the surrounding devices to
make sure the paths are fault free.
• Max age—A parameter used to determine whether a configuration BPDU held by the device has
expired. A configuration BPDU beyond the max age will be discarded.

Introduction to RSTP
Developed based on the 802.1w standard of IEEE, RSTP is an optimized version of STP. It achieves rapid
network convergence by allowing a newly elected root port or designated port to enter the forwarding
state much quicker under certain conditions than in STP.
In RSTP, a newly elected root port can enter the forwarding state rapidly if this condition is met: the old
root port on the device has stopped forwarding data and the upstream designated port has started
forwarding data.
In RSTP, a newly elected designated port can enter the forwarding state rapidly if this condition is met:
the designated port is an edge port or a port connected to a point-to-point link. If the designated port is
an edge port, it can enter the forwarding state directly. If the designated port is connected to a
point-to-point link, it can enter the forwarding state immediately after the device undergoes handshake
with the downstream device and gets a response.

Introduction to MSTP
Why MSTP
STP and RSTP limitations
STP does not support rapid state transition of ports. A newly elected root port or designated port must
wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a
point-to-point link or an edge port, which directly connects to a user terminal rather than to another
device or a shared LAN segment.
Although RSTP supports rapid network convergence, it has the same drawback as STP—All bridges
within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and
the packets of all VLANs are forwarded along the same spanning tree.

Features of MSTP
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP and RSTP. In addition to the
support for rapid network convergence, it also allows data flows of different VLANs to be forwarded
along separate paths, providing a better load sharing mechanism for redundant links.
MSTP includes the following features:
• MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one MSTI.
• MSTP divides a switched network into multiple regions, each containing multiple spanning trees
that are independent of one another.
• MSTP prunes a loop network into a loop-free tree, avoiding proliferation and endless cycling of
packets in a loop network. In addition, it provides multiple redundant paths for data forwarding,
supporting load balancing of VLAN data.
• MSTP is compatible with STP and RSTP.

Basic concepts in MSTP


Figure 328 Basic concepts in MSTP

Assume that all devices in Figure 328 are running MSTP. This section explains some basic concepts of
MSTP.

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the
network segments among them. These devices have the following characteristics:
• All are MSTP-enabled.
• They have the same region name.
• They have the same VLAN-to-instance mapping configuration.
• They have the same MSTP revision level configuration.
• They are physically linked with one another.
For example, all the devices in region A0 in Figure 328 have the same MST region configuration.
• The same region name.
• The same VLAN-to-instance mapping configuration (VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI
2, and the rest to the common and internal spanning tree (CIST, or MSTI 0)).
• The same MSTP revision level (not shown in the figure).
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST
region.

VLAN-to-instance mapping table


As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs. In Figure 328, for example, the VLAN-to-instance mapping
table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP
achieves load balancing by means of the VLAN-to-instance mapping table.

IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region.
ISTs in all MST regions and the common spanning tree (CST) jointly constitute the common and internal
spanning tree (CIST) of the entire network. An IST is a section of the CIST in an MST region.
In Figure 328, for example, the CIST has a section in each MST region, and this section is the IST in the
respective MST region.

CST
The CST is a single spanning tree that connects all MST regions in a switched network. If you regard each
MST region as a "device," the CST is a spanning tree calculated by these devices through STP or RSTP.
CSTs are indicated by red lines in Figure 328.

CIST
Jointly constituted by ISTs and the CST, the CIST is a single spanning tree that connects all devices in a
switched network.
In Figure 328, for example, the ISTs in all MST regions plus the inter-region CST constitute the CIST of the
entire network.

MSTI
Multiple spanning trees can be generated in an MST region through MSTP, one spanning tree being
independent of another. Each spanning tree is called a multiple spanning tree instance (MSTI).
In Figure 328, for example, multiple MSTIs can exist in each MST region, each MSTI corresponding to the
specified VLANs.

Regional root bridge
The root bridge of the IST or an MSTI within an MST region is the regional root bridge of the IST or the
MSTI. Based on the topology, different spanning trees in an MST region may have different regional
roots.
For example, in region D0 in Figure 328, the regional root of MSTI 1 is device B, and that of MSTI 2 is
device C.

Common root bridge


The common root bridge is the root bridge of the CIST.
In Figure 328, for example, the common root bridge is a device in region A0.

Boundary port
A boundary port is a port that connects an MST region to another MST region, or to a single
spanning-tree region running STP, or to a single spanning-tree region running RSTP. It is at the boundary
of an MST region.
During MSTP calculation, the role of a boundary port in an MSTI must be consistent with its role in the
CIST. However, this is not true with master ports. A master port on MSTIs is a root port on the CIST. For
example, in Figure 328, if a device in region A0 is interconnected to the first port of a device in region
D0 and the common root bridge of the entire switched network is located in region A0, the first port of
that device in region D0 is the boundary port of region D0.

Roles of ports
MSTP calculation involves the following port roles: root port, designated port, master port, boundary port,
alternate port, and backup port.
• Root port—Port responsible for forwarding data to the root bridge.
• Designated port—Port responsible for forwarding data to the downstream network segment or
device.
• Master port—Port on the shortest path from the current region to the common root bridge,
connecting the MST region to the common root bridge. If the region is seen as a node, the master
port is the root port of the region on the CST. The master port is a root port on IST/CIST and still a
master port on the other MSTIs.
• Alternate port—Standby port for the root port and the master port. When the root port or master
port is blocked, the alternate port becomes the new root port or master port.
• Backup port—Backup port of a designated port. When the designated port is blocked, the backup
port becomes a new designated port and starts forwarding data without delay. A loop occurs when
two ports of the same MSTP device are interconnected. The device will block either of the two ports,
and the backup port is the port to be blocked.
A port can play different roles in different MSTIs.

Figure 329 Port roles
(Figure labels: Connecting to the common root bridge; Boundary port; an MST region containing devices A, B, C, and D; Port 1 and Port 2 on device A, labeled Master port and Alternate port; Port 5 and Port 6 on device C, labeled Backup port; Port 3 and Port 4 on device D, labeled Designated port.)
In Figure 329, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are
connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port
4 of Device D are connected downstream to the other MST regions.

Port states
In MSTP, a port may be in one of the following states:
• Forwarding—The port learns MAC addresses and forwards user traffic.
• Learning—The port learns MAC addresses but does not forward user traffic.
• Discarding—The port neither learns MAC addresses nor forwards user traffic.
A port can have different port states in different MSTIs. A port state is not exclusively associated with a
port role. Table 142 lists the port states supported by each port role. ("√" indicates that the port state is
available for the corresponding port role and "—" indicates that the port state is not available for the
corresponding port role.)
Table 142 Port states supported by different port roles

Port state   Root port/master port   Designated port   Boundary port   Alternate port   Backup port
Forwarding   √                       √                 √               —                —
Learning     √                       √                 √               —                —
Discarding   √                       √                 √               √                √

How MSTP works
MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a
calculated CST. Inside an MST region, multiple spanning trees are calculated, each being an MSTI
(Among these MSTIs, MSTI 0 is called the CIST). Similar to RSTP, MSTP uses configuration BPDUs to
calculate spanning trees. The only difference between the two protocols is that an MSTP BPDU carries the
MSTP configuration on the device from which this BPDU is sent.

CIST calculation
The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process,
the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within
each MST region through calculation, and, at the same time, MSTP regards each MST region as a single
device and generates a CST among these MST regions through calculation. The CST and ISTs constitute
the CIST of the entire network.

MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. MSTP performs a separate calculation process, which is similar to spanning
tree calculation in STP/RSTP, for each spanning tree. For more information, see "How STP works."
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.

Implementation of MSTP on devices


MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices
running MSTP and used for spanning tree calculation.
In addition to basic MSTP functions, the device provides the following functions for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Support for hot swapping of interface cards and active/standby changeover

Protocols and standards


• IEEE 802.1d, Spanning Tree Protocol
• IEEE 802.1w, Rapid Spanning Tree Protocol
• IEEE 802.1s, Multiple Spanning Tree Protocol

Recommended MSTP configuration procedure


Before you configure MSTP, you must determine the role of each device in each MSTI: root bridge or leaf
node. In each MSTI, one, and only one device acts as the root bridge, and all others as leaf nodes.

Step / Remarks

1. Configuring an MST region.
   Optional. Configure the MST region-related parameters and VLAN-to-instance mappings. By default, the MST region-related parameters adopt the default values, and all VLANs in an MST region are mapped to MSTI 0.

2. Configuring MSTP globally.
   Required. Enable MSTP globally and configure MSTP parameters. By default, MSTP is disabled globally. All MSTP parameters have default values.

3. Configuring MSTP on a port.
   Optional. Enable MSTP on a port and configure MSTP parameters. By default, MSTP is enabled on a port, and all MSTP parameters adopt the default values.

Configuring an MST region


Select Advanced > MSTP > Region from the navigation tree to enter the page as shown in Figure 330.
Figure 330 MST region

Click Modify to enter the MSTP region configuration page, as shown in Figure 331.
Figure 331 Modifying an MST region

Table 143 Configuration items

Region Name
    MST region name. The MST region name is the bridge MAC address of the device by default.

Revision Level
    Revision level of the MST region.

Manual (Instance ID and VLAN ID)
    Manually add VLAN-to-instance mappings. Click Apply to add a VLAN-to-instance mapping entry to the list.

Modulo
    Set the modulo value based on which the 4094 VLANs are automatically mapped to the corresponding MSTIs.
    With the modulo value set, each VLAN is mapped to the MSTI whose ID is (VLAN ID – 1) % modulo + 1, where (VLAN ID – 1) % modulo is the modulo operation for (VLAN ID – 1). If the modulo value is 15, for example, VLAN 1 will be mapped to MSTI 1, VLAN 2 to MSTI 2, VLAN 15 to MSTI 15, VLAN 16 to MSTI 1, and so on.

Activate
    Validate the VLAN-to-instance mappings, the region name, and the revision level.
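As an added example (Python, not code from the H3C guide), the following builds a VLAN-to-instance mapping table both ways the Region page offers, Manual and Modulo, and then compares two devices' region settings the way the membership rules in "MST region" and "Configuration guidelines" require. The function and class names are mine; it assumes unmapped VLANs stay in MSTI 0 and that the format selector is the fixed value 0.

```python
"""Added example (not H3C code): VLAN-to-instance mapping and MST region identity.

Assumptions (labelled): unmapped VLANs belong to MSTI 0 (the CIST), the format
selector is the fixed value 0 mentioned in the configuration guidelines, and the
modulo rule is MSTI = (VLAN ID - 1) % modulo + 1 as stated for the Modulo item."""
from dataclasses import dataclass

VLAN_IDS = range(1, 4095)   # the 4094 VLANs the Modulo item refers to
CIST = 0                    # MSTI 0; VLANs not mapped elsewhere land here
FORMAT_SELECTOR = 0         # fixed, not configurable on this platform


def modulo_mapping(modulo: int) -> dict[int, int]:
    """Automatic mapping: VLAN v goes to MSTI (v - 1) % modulo + 1, so with
    modulo 15 VLANs 1..15 fill MSTIs 1..15 and VLAN 16 wraps back to MSTI 1."""
    if modulo < 1:
        raise ValueError("modulo must be a positive integer")
    return {vlan: (vlan - 1) % modulo + 1 for vlan in VLAN_IDS}


def manual_mapping(entries: dict[int, int]) -> dict[int, int]:
    """Manual mapping: 'entries' holds the VLAN ID -> Instance ID pairs added
    with Apply; every VLAN that is not listed stays in MSTI 0."""
    table = {vlan: CIST for vlan in VLAN_IDS}
    for vlan, instance in entries.items():
        if vlan not in table:
            raise ValueError(f"VLAN {vlan} is outside 1..4094")
        if instance < 0:
            raise ValueError(f"invalid MSTI {instance} for VLAN {vlan}")
        table[vlan] = instance
    return table


def instances_used(table: dict[int, int]) -> set[int]:
    """MSTIs that carry at least one VLAN, that is, the trees to be computed."""
    return set(table.values())


def vlans_in_instance(table: dict[int, int], instance: int) -> list[int]:
    """All VLANs that follow the given MSTI, in ascending order."""
    return sorted(v for v, i in table.items() if i == instance)


@dataclass
class MstRegionConfig:
    """The attributes that decide region membership: format selector, region
    name, revision level and the complete VLAN-to-instance mapping table."""
    name: str
    revision: int
    mapping: dict[int, int]
    format_selector: int = FORMAT_SELECTOR


def region_differences(a: MstRegionConfig, b: MstRegionConfig) -> list[str]:
    """Attributes on which the two devices disagree; an empty list means they
    can be in one MST region (provided they are also physically linked)."""
    diffs = []
    if a.format_selector != b.format_selector:
        diffs.append("format selector")
    if a.name != b.name:
        diffs.append("region name")
    if a.revision != b.revision:
        diffs.append("revision level")
    if a.mapping != b.mapping:
        diffs.append("VLAN-to-instance mapping")
    return diffs


def same_region(a: MstRegionConfig, b: MstRegionConfig) -> bool:
    return not region_differences(a, b)


if __name__ == "__main__":
    # The configuration example's region "example", revision 0, VLAN 10/30/40
    # mapped to MSTI 1/3/4; VLAN 20 is left in MSTI 0.
    table = manual_mapping({10: 1, 30: 3, 40: 4})
    print(instances_used(table))                          # {0, 1, 3, 4}
    print(vlans_in_instance(modulo_mapping(15), 1)[:4])   # [1, 16, 31, 46]
```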

Configuring MSTP globally


Select Advanced > MSTP > Global from the navigation tree to enter the Global MSTP Configuration page,
as shown in Figure 332.

Figure 332 Configuring MSTP globally

Table 144 Configuration items

Enable STP Globally
    Enable or disable STP globally:
    • Enable—Enable STP globally.
    • Disable—Disable STP globally.
    Other MSTP configurations can take effect only after you enable STP globally.

BPDU Protection
    Enable or disable BPDU guard globally:
    • Enable—Enable BPDU guard globally.
    • Disable—Disable BPDU guard globally.
    BPDU guard can protect the device from malicious BPDU attacks, keeping the network topology stable.

Mode
    Set the STP operating mode:
    • STP mode—All ports of the device send out STP BPDUs.
    • RSTP mode—All ports of the device send out RSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.
    • MSTP—All ports of the device send out MSTP BPDUs. If the device detects that it is connected to a legacy STP device, the port connecting to the legacy STP device will automatically migrate to STP-compatible mode.

Max Hops
    Set the maximum number of hops in an MST region to restrict the region size.
    The setting can take effect only when it is configured on the regional root bridge.

Path Cost Standard
    Specify the standard for path cost calculation. It can be Legacy, IEEE 802.1D-1998, or IEEE 802.1T.

Bridge Diameter
    Any two stations in a switched network are interconnected through a specific path composed of a series of devices. The bridge diameter (or the network diameter) is the number of devices on the path composed of the most devices.
    After you set the network diameter, you cannot set the timers. Instead, the device automatically calculates the forward delay, hello time, and max age.
    When you configure the bridge diameter, follow these guidelines:
    • The network diameter applies only to the CIST. It takes effect only after you configure it on the root bridge. Each MST region is regarded as a device.
    • After you set the network diameter, you cannot set the timers. Instead, the device calculates the forward delay, hello time, and max age automatically.

Timers
    Set the timers:
    • Forward Delay—Set the delay for the root and designated ports to transit to the forwarding state. The length of the forward delay time is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay setting is too small, temporary redundant paths may be introduced. If the forward delay setting is too big, it may take a long time for the network to converge. H3C recommends that you use the default setting.
    • Hello Time—Set the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault-free. An appropriate hello time setting enables the device to detect link failures on the network in time without using excessive network resources. If the hello time is set too long, the device will take packet loss as a link failure and trigger a new spanning tree calculation process. If the hello time is set too short, the device will send repeated configuration BPDUs frequently. This adds to the device burden and wastes network resources. H3C recommends that you use the default setting.
    • Max Age—Set the maximum length of time a configuration BPDU can be held by the device. If the max age setting is too small, the network devices will frequently launch spanning tree calculations and may take network congestion as a link failure. If the max age setting is too large, the network may fail to detect link failures in time and fail to launch spanning tree calculations in time, reducing the auto-sensing capability of the network. H3C recommends that you use the default setting.
    When you configure timers, follow these guidelines:
    • The settings of hello time, forward delay, and max age must meet a certain formula. Otherwise, the network topology will not be stable. H3C recommends that you set the network diameter and then have the device automatically calculate the forward delay, hello time, and max age.
    • The bridge diameter cannot be configured together with the timers.

Instance
    • Instance ID—Set the ID of the MSTI to be configured.
    • Root Type—Set the role of the device in the MSTI:
      Not Set—The device role is not configured.
      Primary—Configure the device as the root bridge.
      Secondary—Configure the device as a secondary root bridge.
    • Bridge Priority—Set the bridge priority of the device, which is one of the factors determining whether the device can be elected as the root bridge.
    After specifying the current device as the primary root bridge or a secondary root bridge, you cannot change the priority of the device.

TC Protection
    Select whether to enable TC-BPDU guard.
    When receiving topology change (TC) BPDUs, the device flushes its forwarding address entries. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time and frequently flush its forwarding address entries. This affects network stability.
    The TC-BPDU guard function prevents frequent flushing of forwarding address entries.
    H3C does not recommend disabling this function.

TC Protection Threshold
    Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC-BPDU.

Configuring MSTP on a port
Select Advanced > MSTP > Port from the navigation tree to enter the MSTP Port Configuration page, as
shown in Figure 333.
Figure 333 MSTP configuration of a port (1)

Click the icon for a port to enter the MSTP Port Configuration page of the port, as shown in Figure
334.
Figure 334 MSTP configuration of a port (2)

Table 145 Configuration items

Port Number
    Select the port you want to configure.

STP Status
    Enable or disable STP on the port:
    • Enable—Enable STP on the port.
    • Disable—Disable STP on the port.

Protection Type
    Set the type of protection enabled on the port:
    • Not Set—No protection is enabled on the port.
    • Edged Port, Root Protection, Loop Protection—For more information, see Table 146.

Point to Point
    Specify whether the port is connected to a point-to-point link:
    • Auto—Automatically detects whether the link type of the port is point-to-point.
    • Force False—Specifies that the link type of the port is not point-to-point.
    • Force True—Specifies that the link type of the port is point-to-point.

Transmit Limit
    Configure the maximum number of MSTP packets that can be sent during each hello interval. The larger the transmit limit is, the more network resources will be occupied. H3C recommends that you use the default value.

mCheck
    In a switched network, if a port on an MSTP device connects to an STP device, this port will automatically migrate to the STP-compatible mode. However, after the STP device is removed, whether the port on the MSTP device can migrate automatically back to the MSTP mode depends on which of the following options is selected:
    • Enable—Performs mCheck. The port automatically migrates back to the MSTP mode.
    • Disable—Does not perform mCheck. The port does not automatically migrate back to the MSTP mode.

Instance
    • Instance ID—Set the MSTI ID.
    • Port Priority—Set the priority of the port in the current MSTI. The priority of a port is an important factor in determining whether the port can be elected as the root port.
    • Path Cost—Select to calculate the path cost automatically or set the path cost manually.

Table 146 Protection types

Edged Port
    Configure the port as an edge port.
    Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports.
    H3C recommends that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.

Root Protection
    Enable the root guard function.
    Configuration errors or attacks may result in configuration BPDUs with priorities higher than that of the root bridge, which causes a new root bridge to be elected and a network topology change to occur. The root guard function is used to address such a problem.

Loop Protection
    Enable the loop guard function.
    By continually receiving BPDUs from the upstream device, a device can maintain the state of the root port and other blocked ports. These BPDUs may get lost because of network congestion or unidirectional link failures. The device will then re-elect a root port, and blocked ports may transit to the forwarding state, causing loops in the network. The loop guard function is used to address such a problem.

MSTP configuration example
Network requirements
As shown in Figure 335, all routers on the network are in the same MST region. Router A and Router B
work on the distribution layer. Router C and Router D work on the access layer.
Configure MSTP so that packets of different VLANs are forwarded along different instances: packets of
VLAN 10 along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of
VLAN 20 along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer routers, and VLAN 40 is terminated on
the access layer routers, so the root bridges of MSTI 1 and MSTI 3 are Router A and Router B, respectively,
and the root bridge of MSTI 4 is Router C.
Figure 335 Network diagram

"Permit:" next to a link in the figure is followed by the VLANs the packets of which are permitted to pass
this link.

Configuration procedure
1. Configure VLANs and VLAN member ports (details not shown):
Create VLAN 10, VLAN 20, and VLAN 30 on Router A and Router B, respectively.
Create VLAN 10, VLAN 20, and VLAN 40 on Router C.
Create VLAN 20, VLAN 30, and VLAN 40 on Router D.
Configure the ports on these routers as hybrid ports and assign them to related VLANs.
Configure the security zones to which the combinations of these ports and their permitted
VLANs belong.
2. Configure Router A:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0:
a. Log in to Router A. Select Advanced > MSTP > Region from the navigation tree, click Modify,
and then make the following configurations on the page shown in Figure 336.

Figure 336 Configuring an MST region on Router A

b. Configure the region name as example.


c. Set the revision level to 0.
d. Select the Manual radio button.
e. Select 1 from the Instance list.
f. Set the VLAN ID to 10.
g. Click Apply to map VLAN 10 to MSTI 1, and add the VLAN-to-instance mapping entry to the
VLAN-to-instance mapping list.
h. Repeat the preceding steps to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4, and then add
the VLAN-to-instance mapping entries to the VLAN-to-instance mapping list.
i. Click Activate to end the operation.
# Enable MSTP globally and configure the current device as the root bridge of MSTI 1:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
configurations on the page shown in Figure 337.

Figure 337 Configuring global MSTP parameters on Router A

b. Select Enable from the Enable STP Globally list.


c. Select MSTP from the Mode list.
d. Select the box in front of Instance.
e. Set the Instance ID field to 1.
f. Set the Root Type field to Primary.
g. Click Apply to submit the settings.
3. Configure Router B:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. The
procedure here is the same as that of configuring an MST region on Router A.
# Enable MSTP globally and configure the current device as the root bridge of MSTI 3:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
configurations on the page similar to that shown in Figure 337.
b. Select Enable from the Enable STP Globally list.
c. Select MSTP from the Mode list.
d. Select the box in front of Instance.
e. Set the Instance ID field to 3.
f. Set the Root Type field to Primary.
g. Click Apply to submit the settings.
4. Configure Router C:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. The
procedure here is the same as that of configuring an MST region on Router A.

# Enable MSTP globally and configure the current device as the root bridge of MSTI 4:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
configurations on the page similar to that shown in Figure 337.
b. Select Enable from the Enable STP Globally list.
c. Select MSTP from the Mode list.
d. Select the box in front of Instance.
e. Set the Instance ID field to 4.
f. Set the Root Type field to Primary.
g. Click Apply to submit the settings.
5. Configure Router D:
# Create an MST region named example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1,
MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. The
procedure here is the same as that of configuring an MST region on Router A.
# Enable MSTP globally:
a. Select Advanced > MSTP > Global from the navigation tree, and make the following
configurations on the page similar to that shown in Figure 337.
b. Select Enable from the Enable STP Globally list.
c. Select MSTP from the Mode list.
d. Click Apply to submit the settings.

Verifying the configurations


You can use the display stp brief command to display brief spanning tree information on each device
after the network converges.
# Display brief spanning tree information on Router A.
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/1 ALTE DISCARDING NONE
0 Ethernet0/2 DESI FORWARDING NONE
0 Ethernet0/3 ROOT FORWARDING NONE
1 Ethernet0/1 DESI FORWARDING NONE
1 Ethernet0/3 DESI FORWARDING NONE
3 Ethernet0/2 DESI FORWARDING NONE
3 Ethernet0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Router B.


[RouterB] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/1 DESI FORWARDING NONE
0 Ethernet0/2 DESI FORWARDING NONE
0 Ethernet0/3 DESI FORWARDING NONE
1 Ethernet0/2 DESI FORWARDING NONE
1 Ethernet0/3 ROOT FORWARDING NONE
3 Ethernet0/1 DESI FORWARDING NONE
3 Ethernet0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Router C.


[RouterC] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/1 DESI FORWARDING NONE
0 Ethernet0/2 ROOT FORWARDING NONE
0 Ethernet0/3 DESI FORWARDING NONE
1 Ethernet0/1 ROOT FORWARDING NONE
1 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Router D.


[RouterD] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/1 ROOT FORWARDING NONE
0 Ethernet0/2 ALTE DISCARDING NONE
0 Ethernet0/3 ALTE DISCARDING NONE
3 Ethernet0/1 ROOT FORWARDING NONE
3 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 ROOT FORWARDING NONE

Based on the above information, draw the MSTI corresponding to each VLAN, as shown in Figure 338.
Figure 338 MSTIs corresponding to different VLANs
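As an added example (Python, not part of the H3C guide), the following parses the display stp brief outputs shown above and checks them against the design (Router A as root of MSTI 1, Router B of MSTI 3, Router C of MSTI 4) and against the role/state rules of Table 142. It assumes that a device with ports in an MSTI but no ROOT port there is that MSTI's root bridge; the four outputs are re-typed from the page as constructed strings, and the function names are mine.

```python
"""Added example (not H3C code): verify "display stp brief" output after convergence.
Assumption (labelled): no ROOT port in an MSTI means the device is that MSTI's root."""
from collections import Counter

# Constructed copies of the four outputs from the verification step.
OUTPUTS = {
    "RouterA": """MSTID Port Role STP State Protection
0 Ethernet0/1 ALTE DISCARDING NONE
0 Ethernet0/2 DESI FORWARDING NONE
0 Ethernet0/3 ROOT FORWARDING NONE
1 Ethernet0/1 DESI FORWARDING NONE
1 Ethernet0/3 DESI FORWARDING NONE
3 Ethernet0/2 DESI FORWARDING NONE
3 Ethernet0/3 ROOT FORWARDING NONE""",
    "RouterB": """MSTID Port Role STP State Protection
0 Ethernet0/1 DESI FORWARDING NONE
0 Ethernet0/2 DESI FORWARDING NONE
0 Ethernet0/3 DESI FORWARDING NONE
1 Ethernet0/2 DESI FORWARDING NONE
1 Ethernet0/3 ROOT FORWARDING NONE
3 Ethernet0/1 DESI FORWARDING NONE
3 Ethernet0/3 DESI FORWARDING NONE""",
    "RouterC": """MSTID Port Role STP State Protection
0 Ethernet0/1 DESI FORWARDING NONE
0 Ethernet0/2 ROOT FORWARDING NONE
0 Ethernet0/3 DESI FORWARDING NONE
1 Ethernet0/1 ROOT FORWARDING NONE
1 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 DESI FORWARDING NONE""",
    "RouterD": """MSTID Port Role STP State Protection
0 Ethernet0/1 ROOT FORWARDING NONE
0 Ethernet0/2 ALTE DISCARDING NONE
0 Ethernet0/3 ALTE DISCARDING NONE
3 Ethernet0/1 ROOT FORWARDING NONE
3 Ethernet0/2 ALTE DISCARDING NONE
4 Ethernet0/3 ROOT FORWARDING NONE""",
}

# Port states each role may show (Table 142): alternate and backup ports only discard.
FULL = {"FORWARDING", "LEARNING", "DISCARDING"}
ALLOWED_STATES = {"ROOT": FULL, "MAST": FULL, "DESI": FULL,
                  "ALTE": {"DISCARDING"}, "BACK": {"DISCARDING"}}


def parse_stp_brief(text: str) -> list[dict]:
    """Turn the command output into rows; the header and a "[Router] ..." prompt are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "MSTID" or fields[0].startswith("["):
            continue
        if len(fields) != 5:
            raise ValueError(f"unexpected line: {line!r}")
        msti, port, role, state, protection = fields
        rows.append({"msti": int(msti), "port": port, "role": role,
                     "state": state, "protection": protection})
    return rows


def root_instances(rows: list[dict]) -> set[int]:
    """MSTIs in which the device has ports but no root port, that is, where it is the root."""
    present = {r["msti"] for r in rows}
    rooted = {r["msti"] for r in rows if r["role"] == "ROOT"}
    return present - rooted


def find_issues(rows: list[dict]) -> list[str]:
    """Consistency checks: at most one root port per MSTI, and only states allowed for the role."""
    issues = []
    for msti, n in Counter(r["msti"] for r in rows if r["role"] == "ROOT").items():
        if n > 1:
            issues.append(f"MSTI {msti}: {n} root ports")
    for r in rows:
        if r["state"] not in ALLOWED_STATES.get(r["role"], set()):
            issues.append(f"MSTI {r['msti']} {r['port']}: {r['role']} in {r['state']}")
    return issues


def design_roots() -> dict[str, set[int]]:
    """Which device is the root of which MSTI, derived from the captured outputs."""
    return {name: root_instances(parse_stp_brief(out)) for name, out in OUTPUTS.items()}


if __name__ == "__main__":
    for name, roots in design_roots().items():
        print(name, "root of MSTI", sorted(roots) or "none",
              "issues:", find_issues(parse_stp_brief(OUTPUTS[name])))
```

Besides confirming the three intended roots, the check shows that Router B, which has no ROOT port in MSTI 0, was elected root of the CIST (the VLAN 20 tree) although no Root Type was set for that instance.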

Configuration guidelines
Follow these guidelines when you configure MSTP:
• Two or more MSTP-enabled devices belong to the same MST region only if they are configured with
the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance
mapping entries in the MST region, and MST region revision level, and they are interconnected
through physical links.

• After specifying the current device as the root bridge or a secondary root bridge, you cannot
change the priority of the device.
• If two or more devices with the same bridge priority have been designated to be root bridges of the
same spanning tree instance, MSTP will select the device with the lowest MAC address as the root
bridge.
• The values of forward delay, hello time, and max age are interdependent. Inappropriate settings of
these values may cause network flapping. H3C recommends that you set the network diameter and
let the device automatically set an optimal hello time, forward delay, and max age. The settings of
hello time, forward delay, and max age must meet the following formulae:
2 × (forward delay – 1 second) ≥ max age
max age ≥ 2 × (hello time + 1 second)
• If BPDU guard is not enabled on the device, an edge port that receives a BPDU from another port
becomes a non-edge port. To restore its port role as an edge port, you must restart the port.
• Configure ports that are directly connected to terminals as edge ports and enable BPDU guard for
them. In this way, these ports can rapidly transit to the forwarding state, and network security can
be ensured.
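As an added example (Python, not code from the H3C guide), the check below applies the two timer relations from the guidelines above and derives the smallest max age and forward delay that stay consistent with a chosen hello time. The function names are mine; timers are assumed to be in seconds.

```python
"""Added example (not H3C code): validate MSTP timers against the two relations
2 x (forward delay - 1 s) >= max age and max age >= 2 x (hello time + 1 s).
Assumption (labelled): all three values are in seconds."""


def timer_violations(hello_time: float, forward_delay: float, max_age: float) -> list[str]:
    """Return the relations that fail; an empty list means the three values are
    consistent and the topology will not flap for timer reasons."""
    problems = []
    if 2 * (forward_delay - 1) < max_age:
        problems.append(
            f"2 x (forward delay {forward_delay} - 1) = {2 * (forward_delay - 1)} "
            f"is below max age {max_age}")
    if max_age < 2 * (hello_time + 1):
        problems.append(
            f"max age {max_age} is below 2 x (hello time {hello_time} + 1) "
            f"= {2 * (hello_time + 1)}")
    return problems


def minimal_consistent_timers(hello_time: float) -> tuple[float, float]:
    """Smallest (max age, forward delay) satisfying both relations for the given
    hello time: max age = 2 x (hello + 1), then forward delay = max age / 2 + 1."""
    if hello_time <= 0:
        raise ValueError("hello time must be positive")
    max_age = 2 * (hello_time + 1)
    forward_delay = max_age / 2 + 1
    return max_age, forward_delay


if __name__ == "__main__":
    # IEEE defaults (hello 2 s, forward delay 15 s, max age 20 s) pass;
    # shortening forward delay to 10 s while keeping max age 20 s fails.
    print(timer_violations(2, 15, 20))   # []
    print(timer_violations(2, 10, 20))   # one violation
    print(minimal_consistent_timers(2))  # (6, 4.0)
```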

Configuring RADIUS

You can configure RADIUS through the Web interface.

Overview
Remote Authentication Dial-In User Service (RADIUS) protocol is a distributed information interaction
protocol that uses a client/server model to implement AAA. It can protect networks against unauthorized
access and is often used in network environments that require both high security and remote user access.
RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, including Ethernet and ADSL.
RADIUS provides access authentication, authorization, and accounting services. The accounting function
collects and records network resource usage information.
For more information about RADIUS and AAA, see H3C MSR Series Routers Configuration Guides (V5).
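As an added example (Python, not code from the H3C guide), the following shows how the shared key described under "Authentication Key" in Table 148 ties the client/server exchange together: the router builds an Access-Request with a random Request Authenticator and a key-hidden User-Password, and accepts the server's reply only if the Response Authenticator recomputed with its own key matches (RFC 2865). The packet layout follows RFC 2865; the secret, user name and password are constructed sample values and the function names are mine.

```python
"""Added example (not H3C code): RADIUS shared-key handling per RFC 2865.
Assumptions (labelled): standard packet layout; secrets and credentials are
constructed sample values, not taken from any real deployment."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types
HEADER = struct.Struct("!BBH")           # Code, Identifier, Length


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), the first block with MD5(secret + RequestAuth)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    size = ((len(password) + 15) // 16) * 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the server does with its copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """NAS side: a fresh random Request Authenticator keys the password hiding
    and the later Response Authenticator check."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username) + \
        attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: accept only a well-formed reply to our identifier whose
    authenticator was computed with the same shared key over the same bytes."""
    if len(packet) < 20:
        return False
    code, reply_ident, length = HEADER.unpack(packet[:4])
    if reply_ident != ident or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    req = build_access_request(7, b"alice", b"s3cret!", key)
    reply = build_response(ACCESS_ACCEPT, 7, attribute(USER_NAME, b"alice"), req[4:20], key)
    print(verify_response(reply, 7, req[4:20], key))         # True
    print(verify_response(reply, 7, req[4:20], b"other"))    # False: key mismatch
```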

Configuring a RADIUS scheme


A RADIUS scheme defines a set of parameters that the device uses to exchange information with the
RADIUS servers. There might be authentication servers and accounting servers, or primary servers and
secondary servers. The parameters mainly include the IP addresses of the servers, the shared keys, and
the RADIUS server type. By default, no RADIUS scheme exists.
To configure a RADIUS scheme:
1. Select Advanced > RADIUS from the navigation tree.
Figure 339 RADIUS scheme list

2. Click Add.

Figure 340 RADIUS scheme configuration page

3. Configure the parameters, as described in Table 147.


4. Click Apply.
Table 147 Configuration items

Scheme Name
    Enter a name for the RADIUS scheme.

Common Configuration
    Configure the common parameters for the RADIUS scheme, including the server type, the username format, and the shared keys for authentication and accounting packets. For more information about common configuration, see "Configuring common parameters."

RADIUS Server Configuration
    Configure the parameters of the RADIUS authentication servers and accounting servers. For more information about RADIUS server configuration, see "Adding RADIUS servers."

Configuring common parameters


1. Click the expand button before Advanced in the Common Configuration area to expand the
advanced configuration area.

Figure 341 Common configuration

2. Configure the parameters, as described in Table 148.


Table 148 Configuration items

Server Type
    Select the type of the RADIUS servers supported by the device, which can be:
    • Standard—Standard RADIUS servers. The RADIUS client and RADIUS server communicate by using the standard RADIUS protocol and packet format defined in RFC 2865/2866 or later.
    • Extended—Extended RADIUS servers, usually running on CAMS or IMC. The RADIUS client and the RADIUS server communicate by using the proprietary RADIUS protocol and packet format.

Username Format
    Select the format of usernames to be sent to the RADIUS server: Original format, With domain name, or Without domain name.
    Typically, a username is in the format userid@isp-name, of which isp-name is used by the device to determine the ISP domain for the user. If a RADIUS server (such as a RADIUS server of some early version) does not accept a username that contains an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the RADIUS server.

Authentication Key / Confirm Authentication Key / Accounting Key / Confirm Accounting Key
    Set the shared key for authenticating RADIUS authentication packets and that for authenticating RADIUS accounting packets.
    The RADIUS client and the RADIUS server use MD5 to encrypt RADIUS packets. They verify packets through the specified shared key. The client and the server can receive and respond to packets from each other only when they use the same shared key.
    IMPORTANT: The shared keys configured in the common configuration part are used only when no corresponding shared keys are configured in the RADIUS server configuration part.

Quiet Time
    Set the time to wait before the device restores an unreachable RADIUS server to the active state.
    If the primary server is unreachable due to a temporary interruption on the network interface or a busy server, you can set the quiet time to 0 so that authentication and accounting requests for other users are still sent to the primary server for processing. When the quiet time is 0, if the server being used is unreachable, the device keeps the server in the active state and sends the request to the next server in the active state. In this way, subsequent authentication or accounting requests may still be sent to the server.

Server Response Timeout Time
    Set the RADIUS server response timeout time.
    If the device sends a RADIUS request to a RADIUS server but receives no response within the specified server response timeout time, it retransmits the request. Setting a proper value according to the network conditions helps improve system performance.

Request Transmission Attempts
    Set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request. If the number of transmission attempts exceeds the limit but the device still does not receive a response from the RADIUS server, the device considers the request a failure.
    IMPORTANT: The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75.

Realtime Accounting Interval
    Set the interval for sending real-time accounting information to the RADIUS accounting server. The interval must be a multiple of 3.
    Different real-time accounting intervals impose different performance requirements on the NAS and the RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher performance. Use a longer interval when a large number of users (1000 or more) exist. For more information about the recommended real-time accounting intervals, see "Configuration guidelines."

Realtime Accounting Attempts
    Set the maximum number of attempts for sending a real-time accounting request.

Unit for Data Flows
    Specify the unit for data flows sent to the RADIUS server, which can be byte, kilo-byte, mega-byte, or giga-byte.

Unit for Packets
    Specify the unit for data packets sent to the RADIUS server, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

VPN
    Specify the VPN to which the RADIUS scheme belongs.
    This setting applies to all RADIUS authentication servers and accounting servers configured in the RADIUS scheme, but the VPN individually specified for a RADIUS authentication or accounting server takes priority.

Security Policy Server
    Specify the IP address of the security policy server.

RADIUS Packet Source IP
    Specify the source IP address for the device to use in RADIUS packets sent to the RADIUS server.
    H3C recommends using a loopback interface address instead of a physical interface address as the source IP address. If the physical interface is down, the response packets from the server cannot reach the device.

Buffer stop-accounting packets / Stop-Accounting Attempts
    Enable or disable buffering of stop-accounting requests for which no responses are received, and set the maximum number of attempts for sending stop-accounting requests.

Send accounting-on packets
    Enable or disable the accounting-on feature, and set the interval and the maximum number of attempts for sending accounting-on packets.
    The accounting-on feature enables a device to send accounting-on packets to RADIUS servers after it reboots, making the servers forcedly log out users
Accounting-On Interval who logged in through the device before the reboot.

Accounting-On Attempts IMPORTANT:


When enabling the accounting-on feature on a device for the first time, you
must save the configuration so that the feature takes effect after the device
reboots.
Attribute Enable or disable the device to interpret the RADIUS class attribute as CAR
Interpretation parameters.
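The timer rules in the table above (response timeout times transmission attempts must not exceed 75, the real-time accounting interval must be a multiple of 3, and longer intervals for larger user populations) are easy to get wrong when a scheme is edited piecemeal. The following script, added here as an illustration and not part of the H3C guide or the router software, checks a proposed set of timers before they are applied. The units it assumes (seconds for the response timeout, minutes for the quiet time and accounting interval) are assumptions to confirm against the unit labels on the Web page; the recommended intervals come from Table 150 of this guide.

```python
"""Sanity checks for RADIUS scheme timers (added illustration, not H3C code).

Units are assumptions: seconds for the response timeout, minutes for the
quiet time and the real-time accounting interval. Confirm them against the
unit labels shown on the Web page before relying on the checks.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class RadiusSchemeTimers:
    response_timeout: int        # Server Response Timeout Time (seconds, assumed)
    transmission_attempts: int   # Request Transmission Attempts
    realtime_interval: int       # Realtime Accounting Interval (minutes, assumed)
    quiet_time: int              # Quiet Time (minutes, assumed); 0 never blocks a server


def recommended_interval(user_count: int) -> int:
    """Recommended real-time accounting interval from Table 150 of this guide."""
    if user_count < 100:
        return 3
    if user_count < 500:
        return 6
    if user_count < 1000:
        return 12
    return 15   # 1000 or more users: at least 15 minutes


def check_timers(t: RadiusSchemeTimers, user_count: int) -> List[str]:
    """Return a list of findings; an empty list means the timers are consistent."""
    findings = []
    # The total wait before a request is declared failed must not exceed 75.
    budget = t.response_timeout * t.transmission_attempts
    if budget > 75:
        findings.append(
            f"ERROR: timeout {t.response_timeout} x attempts "
            f"{t.transmission_attempts} = {budget} exceeds the limit of 75")
    if t.realtime_interval % 3 != 0:
        findings.append(
            f"ERROR: real-time accounting interval {t.realtime_interval} "
            "is not a multiple of 3")
    rec = recommended_interval(user_count)
    if t.realtime_interval < rec:
        findings.append(
            f"WARN: interval {t.realtime_interval} is below the recommended "
            f"{rec} minutes for {user_count} users")
    if t.quiet_time == 0:
        # Allowed, but worth knowing: an unreachable server stays active and
        # keeps receiving requests, so every failure costs the full budget.
        findings.append("NOTE: quiet time 0 keeps an unreachable server active")
    return findings


if __name__ == "__main__":
    # Constructed sample: 20 s timeout x 5 attempts = 100, which exceeds 75.
    for finding in check_timers(RadiusSchemeTimers(20, 5, 10, 5), 400):
        print(finding)
```

Run it against the values you intend to enter in the common configuration part; anything tagged ERROR would be rejected or would misbehave on the device, a WARN is a performance concern, and the NOTE only records the quiet-time tradeoff described above.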

Adding RADIUS servers


1. In the RADIUS Server Configuration area, click Add.

Figure 342 RADIUS server configuration

2. Configure the parameters, as described in Table 149.
3. Click Apply.
You can repeat the above steps to configure multiple RADIUS servers for the RADIUS scheme.
Table 149 Configuration items

Item Description

Server Type
Select the type of the RADIUS server to be configured. Possible values include primary authentication server, primary accounting server, secondary authentication server, and secondary accounting server.

IP Address
Specify the IPv4 or IPv6 address of the RADIUS server.
The IP addresses of the primary and secondary servers for a scheme must be different. Otherwise, the configuration fails.
RADIUS server addresses in the same scheme must use the same IP version.

Port
Specify the UDP port of the RADIUS server.

Key
Confirm Key
Specify the shared key for communication with the RADIUS server.
If no shared key is specified, the shared key specified in the common configuration part is used.

VPN
Specify the VPN to which the RADIUS server belongs.
If no VPN is specified, the VPN specified in the common configuration part is used.

RADIUS configuration example

Network requirements
• As shown in Figure 343, connect the Telnet user to the router and the router to the RADIUS server.
• Run the RADIUS server on CAMS or IMC to provide authentication, authorization, and accounting services for Telnet users. The IP address of the RADIUS server is 10.1.1.1/24.
• Set the shared key for AAA packets exchanged between the router and the RADIUS server to expert, and specify the ports for authentication/authorization and accounting as 1812 and 1813, respectively.
• Configure the router to send the RADIUS server usernames that carry domain names.
• Add an account on the RADIUS server, with the username and password being hello@bbb and abc. If the user passes authentication, it is assigned a privilege level of 3.
Figure 343 Network diagram

Configuring the RADIUS server on CAMS

This example assumes that the RADIUS server runs on CAMS Server Version 2.10-R0210.
1. Add the router to CAMS as an access device:
a. Log in to CAMS.
b. Select System Management > System Configuration from the navigation tree.
c. In the System Configuration page, click Modify for Access Device.
d. Click Add.
e. Enter 10.1.1.2 as the IP address of the device.
f. Set both the shared key for authentication and accounting to expert.
g. Select Device Management Service as the service type.
h. Specify the ports for authentication and accounting as 1812 and 1813, respectively.
i. Select Extensible Protocol as the protocol type.
j. Select Standard as the RADIUS packet type.
k. Click OK.

Figure 344 Adding an access device

2. Add a user account:
a. Select User Management > User for Device Management from the navigation tree.
b. Click Add in the right pane.
c. Enter hello@bbb as the username.
d. Enter abc for the password and confirm the password.
e. Select Telnet as the service type.
f. Enter 3 for the EXEC privilege level.
This parameter identifies the privilege level of the Telnet user after login. The value is 0 by
default.
g. Enter 192.168.1.0 for the start IP address of the hosts and 192.168.1.255 as the end IP
address of the host.
h. Click Add.
i. Click OK.
Figure 345 Adding a user account

Configuring the RADIUS server on IMC


This example assumes that the RADIUS server runs on IMC PLAT 3.20-R2602 and IMC UAM
3.60-E6102.
1. Add the router to IMC as an access device:
a. Log in to IMC.
b. Click the Service tab.
c. Select Access Service > Service Configuration from the navigation tree.
d. Click Add.
e. Enter expert as the shared key for authentication and accounting.
f. Enter 1812 and 1813 as the ports for authentication and accounting, respectively.
g. Select Device Management Service as the service type.
h. Select H3C as the access device type.
i. Select the access device from the device list, or manually add the device with the IP address of 10.1.1.2.
The IP address of the access device must be the same as the source IP address of the RADIUS packets sent from the router. By default, the source IP address of a RADIUS packet is the IP address of the sending interface.
j. Click OK.
Figure 346 Adding an access device

2. Add a user account:


a. Log in to IMC.
b. Click the User tab.
c. Select Access User View > All Access Users from the navigation tree.
d. Click Add.
e. Enter hello@bbb as the username.
f. Enter abc as the password and confirm the password.
g. Select Telnet as the service type.
h. Enter 3 as the EXEC privilege level.
This value identifies the privilege level of the Telnet user after login, which is 0 by default.
i. Click Add under IP Address List of Managed Devices, and then enter 10.1.1.0 as the start IP
address and 10.1.1.255 as the end IP address for the IP address range. The IP address range
of the hosts to be managed must contain the IP address of the access device added.
j. Click OK.
Figure 347 Adding an account for device management

Configuring the router


1. Configure the IP address of each interface. (Details not shown.)
2. Configure a RADIUS scheme:
a. Select Advanced > RADIUS from the navigation tree.
b. Click Add.
c. To add a RADIUS scheme, enter system as the scheme name, select Extended as the server
type, select Without domain name for the username format.
d. To add the primary authentication server, click Add in the RADIUS Server Configuration area, select Primary Authentication as the server type, enter 10.1.1.1 as the IP address, enter 1812 as the port, enter expert as the key, enter expert to confirm the key, and click Apply.
Figure 348 RADIUS authentication server configuration page

e. To add the primary accounting server, click Add again in the RADIUS Server Configuration area, select Primary Accounting as the server type, enter 10.1.1.1 as the IP address, enter 1813 as the port, enter expert as the key, enter expert to confirm the key, and click Apply.
The RADIUS scheme configuration page refreshes and the added servers appear in the server list.
Figure 349 RADIUS accounting server configuration page
f. Click Apply.
Figure 350 RADIUS scheme configuration page

3. Enable the Telnet service on the router.
[Router] telnet server enable
4. Configure the router to use AAA for Telnet users.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
[Router-ui-vty0-4] quit
5. Use either approach to configure the AAA methods for domain bbb:
Approach 1.
Because RADIUS authorization information is sent by the RADIUS server to the RADIUS client in the authentication response message, reference the same scheme for authentication and authorization.
[Router] domain bbb
[Router-isp-bbb] authentication login radius-scheme system
[Router-isp-bbb] authorization login radius-scheme system
[Router-isp-bbb] accounting login radius-scheme system
[Router-isp-bbb] quit
Approach 2.
Configure default AAA methods for all types of users in domain bbb.
[Router] domain bbb
[Router-isp-bbb] authentication default radius-scheme system
[Router-isp-bbb] authorization default radius-scheme system
[Router-isp-bbb] accounting default radius-scheme system

Verifying the configuration
After the configuration, the user can Telnet to the router and use the configured account (username
hello@bbb and password abc) to enter the user interface of the router, and access all the commands of
level 0 through level 3.

Configuration guidelines
When you configure the RADIUS client, follow these guidelines:
• Accounting for FTP users is not supported.
• If you remove the accounting server used for online users, the router cannot send real-time accounting requests and stop-accounting messages for the users to the server, and the stop-accounting messages are not buffered locally.
• The status of RADIUS servers, blocked or active, determines which servers the device communicates with or turns to when the current servers are not available. In practice, you can specify one primary RADIUS server and multiple secondary RADIUS servers, with the secondary servers functioning as backups of the primary server. Generally, the device chooses servers based on these rules:
  - When the primary server is in the active state, the device communicates with the primary server. If the primary server fails, the device changes the state of the primary server to blocked, starts a quiet timer for the server, and turns to a secondary server in the active state (a secondary server configured earlier has a higher priority). If the secondary server is unreachable, the device changes the state of the secondary server to blocked, starts a quiet timer for the server, and continues to check the next secondary server in the active state. This search process continues until the device finds an available secondary server or has checked all secondary servers in the active state. If the quiet timer of a server expires or an authentication or accounting response is received from the server, the status of the server changes back to active automatically, but the device does not check the server again during the current authentication or accounting process. If no server is found reachable during one search process, the device considers the authentication or accounting attempt a failure.
  - Once the accounting process of a user starts, the device keeps sending the user's real-time accounting requests and stop-accounting requests to the same accounting server. If you remove the accounting server, real-time accounting requests and stop-accounting requests for the user can no longer be delivered to the server.
  - If you remove an authentication or accounting server in use, the communication of the device with the server soon times out, and the device looks for a server in the active state by checking the primary server first and then the secondary servers in the order they are configured.
  - When the primary server and secondary servers are all in the blocked state, the device communicates with the primary server. If the primary server is available, its status changes to active. Otherwise, its status remains blocked.
  - If one server is in the active state but all the others are in the blocked state, the device only tries to communicate with the server in the active state, even if the server is unavailable.
  - After receiving an authentication/accounting response from a server, the device changes the status of the server identified by the source IP address of the response to active if the current status of the server is blocked.
• Set a proper real-time accounting interval based on the number of users.
Table 150 Recommended real-time accounting intervals

Number of users    Real-time accounting interval (in minutes)
1 to 99            3
100 to 499         6
500 to 999         12
≥1000              ≥15
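The server selection rules in the guidelines above (and the Quiet Time behaviour described in the common configuration table) form a small state machine that is worth tracing before a failover is relied on in production. The following script, added here as an illustration and not part of the H3C guide or the router software, models one scheme with a primary server and ordered secondary servers, the blocked/active states, the quiet timer, and the special cases for "all blocked" and "only one active". The server addresses and the reachability inputs are constructed, and times are plain numbers in whatever unit the quiet time uses.

```python
"""Model of the RADIUS server selection rules (added illustration, not H3C code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class RadiusServer:
    address: str
    state: str = "active"       # "active" or "blocked"
    quiet_until: float = 0.0    # time at which the quiet timer expires


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondaries: List[RadiusServer] = field(default_factory=list)  # configuration order
    quiet_time: float = 5.0     # 0 means an unreachable server is never blocked

    def servers(self) -> List[RadiusServer]:
        return [self.primary] + self.secondaries

    def _expire_quiet_timers(self, now: float) -> None:
        # A blocked server returns to active when its quiet timer expires.
        for s in self.servers():
            if s.state == "blocked" and now >= s.quiet_until:
                s.state = "active"

    def on_response(self, address: str) -> None:
        # A response from a server (identified by source IP) restores it to active.
        for s in self.servers():
            if s.address == address:
                s.state = "active"

    def _mark_unreachable(self, s: RadiusServer, now: float) -> None:
        if self.quiet_time == 0 or s.state == "blocked":
            return  # quiet time 0: stay active; already blocked: keep the old timer
        s.state = "blocked"
        s.quiet_until = now + self.quiet_time

    def send_request(self, reachable: Set[str], now: float) -> Optional[str]:
        """Try servers per the guidelines; return the address that answered, or None."""
        self._expire_quiet_timers(now)
        active = [s for s in self.servers() if s.state == "active"]
        if not active:
            candidates = [self.primary]   # all blocked: talk to the primary only
        else:
            # Primary first (if active), then secondaries in configuration order.
            # With exactly one active server, only that one is tried, even if down.
            candidates = active
        for s in candidates:
            if s.address in reachable:
                self.on_response(s.address)
                return s.address
            self._mark_unreachable(s, now)
        return None


def build_demo_scheme(quiet_time: float) -> RadiusScheme:
    """Constructed scheme: one primary and two secondaries (documentation addresses)."""
    return RadiusScheme(
        primary=RadiusServer("192.0.2.1"),
        secondaries=[RadiusServer("192.0.2.2"), RadiusServer("192.0.2.3")],
        quiet_time=quiet_time,
    )


if __name__ == "__main__":
    scheme = build_demo_scheme(quiet_time=5)
    print(scheme.send_request({"192.0.2.3"}, now=0))  # primary and first secondary get blocked
    print(scheme.send_request({"192.0.2.1"}, now=1))  # only 192.0.2.3 is active, so it alone is tried
    print(scheme.send_request({"192.0.2.1"}, now=2))  # all blocked: the primary is tried and recovers
```

The second call is the case the guidelines single out: the primary is back, but because it is still inside its quiet time and one secondary is active, the device tries only that secondary and the request fails. Only once every server is blocked does the device go back to the primary.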
Configuring login control

The login control feature allows you to control Web or Telnet logins by IP address and login type.

Configuration procedure
1. Select Advanced > Access from the navigation tree.
The login control configuration page appears. The upper part of the page allows you to configure
login control rules, and the lower part displays existing login control rules.
You can also delete existing rules.
Figure 351 Login control configuration

2. To add a login control rule, configure the rule as described in Table 151 and click Apply.
3. To delete a login control rule, select the rule from the rule list and click Delete.
Table 151 Configuration items

Item Description

Login Type
Select the login type to be restricted: Telnet, Web, or both.

User IP Address
Wildcard
Enter an IP address and wildcard to specify the users.
IMPORTANT:
• Exclude the management IP segment from login control. Otherwise, you cannot log in to the device.
• Do not set the wildcard to 255.255.255.255. Otherwise, no user can log in to the device.
Login control configuration example
Network requirements
As shown in Figure 352, configure login control rules so Host A cannot Telnet to Router, and Host B
cannot access Router through the Web.
Figure 352 Network diagram

Configuring a login control rule so Host A cannot Telnet to Router
1. Select Advanced > Access from the navigation tree to enter the login control configuration page.
Figure 353 Configuring a login control rule so Host A cannot Telnet to Router

2. Select Telnet as the login type to be restricted.


3. Enter the user IP address 10.0.0.1.
4. Enter the wildcard 0.0.0.0.
5. Click Apply.
A dialog box appears, asking you whether you want to continue your operation.
6. Click OK.
A configuration progress dialog box appears, as shown in Figure 354.
Figure 354 Configuration progress dialog box

7. After the setting is complete, click Close.

Configuring a login control rule so Host B cannot access Router through the Web
1. From the navigation tree, select Advanced > Access to enter the page for configuring login control rules.
2. Select Web as the login type to be restricted.
3. Enter the user IP address 10.1.1.2 and the wildcard 0.0.0.0.
4. Click Apply.
A dialog box appears, asking you whether you want to continue your operation.
5. Click OK.
6. After the setting is complete, click Close.
Figure 355 Configuring a login control rule so Host B cannot access Router through the Web
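Login control rules are matched with an address plus a wildcard, as Table 151 describes, and the two IMPORTANT notes there (exclude the management segment; never use a wildcard of 255.255.255.255) both follow from how the wildcard bits work: a 0 bit must match the rule address and a 1 bit is ignored. The following script, added here as an illustration and not part of the H3C guide or the router software, evaluates rules with that semantic and refuses rules that would lock out the management host. The two rules are those of the configuration example above (Host A 10.0.0.1 denied Telnet, Host B 10.1.1.2 denied Web); the management host address 10.1.1.100 is constructed.

```python
"""Login control rule evaluation with wildcard masks (added illustration, not H3C code)."""
import ipaddress
from typing import List, Set, Tuple

ALL_LOGIN_TYPES = {"telnet", "web"}


def _bits(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(rule_ip: str, wildcard: str, user_ip: str) -> bool:
    """True if user_ip equals rule_ip on every bit that is 0 in the wildcard."""
    w = _bits(wildcard)
    return (_bits(rule_ip) | w) == (_bits(user_ip) | w)


class LoginControl:
    """Deny rules checked in configured order; an address matching no rule is allowed."""

    def __init__(self, management_hosts: Tuple[str, ...] = ()):
        self.rules: List[Tuple[Set[str], str, str]] = []
        self.management_hosts = management_hosts   # addresses that must never be blocked

    def rule_problems(self, rule_ip: str, wildcard: str) -> List[str]:
        """Checks corresponding to the IMPORTANT notes of Table 151."""
        problems = []
        if wildcard == "255.255.255.255":
            problems.append("wildcard 255.255.255.255 matches every address; nobody could log in")
        for host in self.management_hosts:
            if wildcard_match(rule_ip, wildcard, host):
                problems.append(f"rule covers management host {host}")
        return problems

    def add_rule(self, login_types: Set[str], rule_ip: str, wildcard: str) -> None:
        problems = self.rule_problems(rule_ip, wildcard)
        if problems:
            raise ValueError("; ".join(problems))
        self.rules.append((set(login_types), rule_ip, wildcard))

    def is_allowed(self, login_type: str, user_ip: str) -> bool:
        for types, rule_ip, wildcard in self.rules:
            if login_type in types and wildcard_match(rule_ip, wildcard, user_ip):
                return False
        return True


def example_rules(management_hosts: Tuple[str, ...] = ("10.1.1.100",)) -> LoginControl:
    """The two rules of the configuration example; the management host is constructed."""
    lc = LoginControl(management_hosts)
    lc.add_rule({"telnet"}, "10.0.0.1", "0.0.0.0")   # Host A cannot Telnet
    lc.add_rule({"web"}, "10.1.1.2", "0.0.0.0")      # Host B cannot use the Web interface
    return lc


if __name__ == "__main__":
    lc = example_rules()
    print("Host A telnet allowed:", lc.is_allowed("telnet", "10.0.0.1"))
    print("Host A web allowed:   ", lc.is_allowed("web", "10.0.0.1"))
    print("Problems with a /24 rule covering management:",
          lc.rule_problems("10.1.1.0", "0.0.0.255"))
```

A wildcard of 0.0.0.0 pins a rule to a single host, as in the example; 0.0.0.255 covers a /24. Because every bit of 255.255.255.255 is ignored, a rule with that wildcard matches all users, which is exactly the lockout Table 151 warns about.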
Configuring ARP

Overview
The Address Resolution Protocol (ARP) is used to resolve an IP address into a physical address, such as
an Ethernet MAC address.
In an Ethernet LAN, a device uses ARP to resolve the IP address of the next hop to the corresponding
MAC address.
For more information about ARP, see Layer 3—IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guide (V5).

Gratuitous ARP
Gratuitous ARP packets
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the
sending device, the sender MAC address is the MAC address of the sending device, and the target MAC
address is the broadcast address ff:ff:ff:ff:ff:ff.
A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used,
the device is informed of the conflict by an ARP reply.
• Inform other devices of a change of its MAC address.

Enabling learning of gratuitous ARP packets


With this feature enabled, a device, upon receiving a gratuitous ARP packet, adds an ARP entry that
contains the sender IP and MAC addresses in the packet to its ARP table. If the corresponding ARP entry
exists, the device updates the ARP entry.
With this feature disabled, the device uses received gratuitous ARP packets to update existing ARP entries,
but not to create new ARP entries.

Displaying ARP entries


From the navigation tree, select Advanced > ARP Management > ARP Table to enter the page shown
in Figure 356.
This page displays all ARP entries.
Figure 356 ARP Table configuration page

Creating a static ARP entry
1. From the navigation tree, select Advanced > ARP Management > ARP Table.
The ARP Table configuration page as shown in Figure 356 appears.
2. Click Add.
The New Static ARP Entry page appears.
Figure 357 Adding a static ARP entry

Table 152 Configuration items

Item Description

IP Address
Enter an IP address for the static ARP entry.

MAC Address
Enter a MAC address for the static ARP entry.

Advanced Options: VLAN ID, Port
Enter a VLAN ID and specify a port for the static ARP entry.
IMPORTANT:
The VLAN ID must be the ID of a VLAN that has already been created, and the port must belong to the VLAN. The corresponding VLAN interface must have been created.

Advanced Options: VPN Instance
Enter the name of the VPN instance to which the static ARP entry belongs.

Removing ARP entries


From the navigation tree, select Advanced > ARP Management > ARP Table to enter the page shown
in Figure 356.
• To remove specific ARP entries, select the boxes in front of them, and click Del Selected.
• To remove all static and dynamic ARP entries, click Delete Static and Dynamic.
• To remove all static ARP entries, click Delete Static.
• To remove all dynamic ARP entries, click Delete Dynamic.

Enabling learning of dynamic ARP entries
From the navigation tree, select Advanced > ARP Management > Dynamic Entry to enter the
configuration page, as shown in Figure 358.
Figure 358 Dynamic entry management

• To disable all the listed interfaces from learning dynamic ARP entries, click Disable all.
• To disable specific interfaces from learning dynamic ARP entries, select target interfaces and click
Disable selected.
• To allow all the listed interfaces to learn dynamic ARP entries, click Enable all.
• To allow specific interfaces to learn dynamic ARP entries, select target interfaces and click Enable
selected.
• Click the icon of an interface to enter the configuration page as shown in Figure 359, and specify the maximum number of dynamic ARP entries that this interface can learn.
If you enter 0, the interface is disabled from learning dynamic ARP entries.
Figure 359 Modifying an interface

If you enable an interface to learn dynamic ARP entries on the dynamic entry management page, the number of dynamic ARP entries that the interface can learn is restored to the default.
Configuring gratuitous ARP
From the navigation tree, select Advanced > ARP Management > Gratuitous ARP to enter the page, as
shown in Figure 360.
Figure 360 Configuring gratuitous ARP

Table 153 Configuration items

Item Description

Disable gratuitous ARP packets learning function
Disable learning of ARP entries according to gratuitous ARP packets.

Send gratuitous ARP packets when receiving ARP requests from another network segment
Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment.

Static ARP configuration example


Network Requirements
As shown in Figure 361, hosts are connected to Router A, which is connected to Router B through Ethernet
0/1 belonging to VLAN 10. The IP address of Router B is 192.168.1.1/24. The MAC address of Router
B is 00e0-fc01-0000.
To enhance communication security between Router A and Router B, a static ARP entry for Router B needs
to be configured on Router A.
Figure 361 Network diagram

Configuring static ARP
1. Create VLAN 10 and VLAN-interface 10:
a. From the navigation tree, select Interface Setup > LAN Interface Setup to enter the default VLAN
Setup page.
b. Select the Create option, as shown in Figure 362.
c. Enter 10 for VLAN IDs.
d. Select the Create VLAN Interface box.
e. Click Apply.

Figure 362 Creating VLAN 10 and VLAN-interface 10

2. Add Ethernet 0/1 to VLAN 10:


a. As shown in Figure 363, on the VLAN Setup page, select 10 in the VLAN Config field.
b. Select Ethernet0/1 from the list.
c. Click Add to bring up the configuration progress dialog box, as shown in Figure 364.
d. After the configuration process is complete, click Close.

Figure 363 Adding Ethernet 0/1 to VLAN 10

Figure 364 The configuration progress dialog box

3. Configure the IP address of VLAN-interface 10:


a. Click the VLAN Interface Setup tab.
b. Select 10 for Select a VLAN as shown in Figure 365.
c. Enter 192.168.1.2 for IP Address.
d. Enter 255.255.255.0 for Subnet Mask.
e. Click Apply.

Figure 365 Configuring the IP address of VLAN-interface 10

4. Create a static ARP entry:


a. From the navigation tree, select Advanced > ARP Management > ARP Table and click Add.
b. Enter 192.168.1.1 for IP Address as shown in Figure 366.
c. Enter 00e0-fc01-0000 for MAC Address.
d. Select the Advanced Options box.
e. Enter 10 for VLAN ID.
f. Select Ethernet0/1 for Port.
g. Click Apply.

Figure 366 Creating a static ARP entry

5. View information about static ARP entries:


a. After the previous configuration is complete, the page returns to display ARP entries. Select
Type for Search.
b. Enter Static.
c. Click Search.
You can view the static ARP entries of Router A, as shown in Figure 367.
Figure 367 Displaying information about static ARP entries page

Configuring ARP attack defense

Overview
ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks.
ARP attacks and viruses threaten LAN security. The device can provide the following features to detect
and prevent such attacks.

Periodic sending of gratuitous ARP packets


Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their
corresponding ARP entries or MAC entries in time. This feature can be used to:
• Prevent gateway spoofing
• Prevent ARP entries from being aged out
• Prevent the virtual IP address of a VRRP group from being used by a host
• Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured

Configuring ARP automatic scanning and fixed ARP


ARP automatic scanning is typically used together with the fixed ARP feature.
• With ARP automatic scanning enabled on an interface, the device automatically scans neighbors
on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
• Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries.
The ARP automatic scanning and fixed ARP features effectively prevent ARP entries from being modified by attackers. Use the two features in a small network with a stable environment, such as a cybercafé.

Configuring periodic sending of gratuitous ARP packets
From the navigation tree, select Advanced > ARP Anti-Attack > Send Gratuitous ARP to enter the page shown in Figure 368.
Figure 368 Send Gratuitous ARP configuration page

Table 154 Configuration items

Item Description

Sending Interface
Select one or more interfaces on which gratuitous ARP packets are sent out periodically, and set the interval at which gratuitous ARP packets are sent.
To enable an interface to send out gratuitous ARP packets periodically, select the interface from the Standby Interface list box and click <<. To disable an interface from periodic sending of gratuitous ARP packets, select the interface from the Sending Interface list box and click >>.
IMPORTANT:
• You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.
• This feature takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration takes effect at the next sending interval.
• The frequency of sending gratuitous ARP packets may be much lower than expected if this function is enabled on multiple interfaces, or each interface is configured with multiple secondary IP addresses, or a small sending interval is configured in the preceding cases.
• Do not configure this feature on an interface belonging to a VRRP group.

Configuring ARP automatic scanning


IMPORTANT:
Do not perform other operations during an ARP automatic scan.

From the navigation tree, select Advanced > ARP Anti-Attack > Scan to enter the page shown in Figure 369.
Figure 369 ARP Scan configuration page

Table 155 Configuration items

Item Description

Interface
Specify the interface on which ARP automatic scanning is to be performed.

Start IP Address
End IP Address
Enter the address range for ARP automatic scanning.
• To reduce the scanning time, you can specify the address range for scanning. If the specified address range covers multiple network segments of the interface's addresses, the sender IP address in the ARP request is the interface's address on the smallest network segment.
• If no IP address range is specified, the device only scans the network where the primary IP address of the interface resides for neighbors, and sends ARP requests in which the sender IP address is the primary IP address of the interface.
IMPORTANT:
• You must specify both the start IP address and the end IP address. Otherwise, specify neither of them.
• Start and end IP addresses must be on the same network segment as the primary IP address or a specific manually configured secondary IP address of the interface. The end IP address must be higher than or equal to the start IP address.

Also scan IP addresses of dynamic ARP entries
Select to scan IP addresses already existing in ARP entries.

After the preceding configuration is complete, click Scan to start an ARP automatic scan.
To stop an ongoing scan, click Interrupt.
After the scanning is complete, a prompt Scanning is complete appears. You can view the generated
dynamic ARP entries by selecting Advanced > ARP Anti-Attack > Fixed ARP from the navigation tree.

Configuring fixed ARP


The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP entries manually configured.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static.
Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S.
When the dynamic ARP entries are changed into static, new dynamic ARP entries may be created
(suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number
is N). After the process is complete, the number of static ARP entries is D + S + M – N.
From the navigation tree, select Advanced > ARP Anti-Attack > Fix to enter the page shown in Figure 370.
The page displays all dynamic ARP entries and static ARP entries (including manually configured and
changed by the fixed ARP feature).
Figure 370 Fixed ARP configuration page

• To change all dynamic ARP entries into static, click Fix All. This operation does not affect existing
static ARP entries.
• To remove all static ARP entries, click Del All Fixed. This operation does not affect dynamic ARP
entries.
• To change a specific dynamic ARP entry into static, select the ARP entry and click Fix. This operation
does not take effect if you select a static ARP entry.
• To remove a specific static ARP entry, select the ARP entry and click Del Fixed. This operation does
not take effect if you select a dynamic ARP entry.

Configuring IPsec VPN

You can perform the following IPsec VPN configurations in the Web interface:
• Configure an IPsec connection.
• Display IPsec VPN monitoring information.

Overview
IP Security (IPsec) is a security framework defined by the IETF for securing IP communications. It is a Layer
3 VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec provides the following security services in insecure network environments:
• Confidentiality—The sender encrypts packets before transmitting them over the Internet, protecting
the packets from being eavesdropped en route.
• Data integrity—The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.
• Data origin authentication—The receiver verifies the authenticity of the sender.
• Anti-replay—The receiver examines packets and drops outdated and duplicate packets.
IPsec delivers these benefits:
• Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec SA setup and maintenance.
• Good compatibility. You can apply IPsec to all IP-based application systems and services without
modifying them.
• Encryption on a per-packet rather than per-flow basis. Per-packet encryption allows for flexibility
and greatly enhances IP security.
IKE is built on a framework defined by ISAKMP. It provides automatic key negotiation and SA
establishment services for IPsec, simplifying the application, management, configuration and
maintenance of IPsec dramatically.
Instead of transmitting keys directly across a network, IKE peers transmit keying materials between them,
and calculate shared keys respectively. Even if a third party captures all exchanged data for calculating
the keys, it cannot calculate the keys.
For more information about IPsec and IKE, see Security Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).
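The paragraph above on IKE makes a claim worth seeing concretely: the peers exchange keying material rather than keys, each computes the shared key locally, and a third party who records everything on the wire still cannot compute it. The following script, added here as an illustration and not part of the H3C guide or the router software, runs a Diffie-Hellman exchange of that kind. It is not an IKE implementation (IKE derives keys with a PRF over more inputs than shown here; the SHA-256 step is an assumption of this script). The modulus is the 1024-bit MODP group (Oakley group 2) from RFC 2409 with generator 2, as transcribed here; that group is considered too small for new deployments and is used only so the script stays self-contained with the standard library.

```python
"""Diffie-Hellman key agreement of the kind IKE uses (added illustration, not H3C code).

Only the public values g^x mod p and the nonces cross the network; the
private exponents never leave their owner, and the shared secret g^xy
cannot be computed from what an observer records.
"""
import hashlib
import secrets
from typing import Dict, Tuple

# RFC 2409 Oakley group 2 (1024-bit MODP), transcribed here; generator g = 2.
_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(_P_HEX, 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def valid_public_value(y: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending those forces a trivially known secret."""
    return 1 < y < P - 1


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent, public value); the private value stays local."""
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, p-2]
    return x, pow(G, x, P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    if not valid_public_value(peer_public):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Keying material to key: SHA-256 over g^xy and both nonces (assumed step)."""
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big") + nonce_i + nonce_r).digest()


def ike_style_exchange() -> Tuple[bytes, bytes, Dict[str, object]]:
    """Run one exchange; return (initiator key, responder key, what the wire shows)."""
    x_i, g_i = dh_keypair()                   # initiator
    x_r, g_r = dh_keypair()                   # responder
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    observed = {"g^xi": g_i, "g^xr": g_r, "nonce_i": nonce_i, "nonce_r": nonce_r}
    key_i = derive_key(dh_shared_secret(x_i, g_r), nonce_i, nonce_r)
    key_r = derive_key(dh_shared_secret(x_r, g_i), nonce_i, nonce_r)
    return key_i, key_r, observed


if __name__ == "__main__":
    k_i, k_r, wire = ike_style_exchange()
    print("keys agree:", k_i == k_r)
    print("observer sees only:", sorted(wire))
```

The `observed` dictionary is everything a passive third party captures; turning it into the key would require solving a discrete logarithm in the group, which is the hardness assumption the paragraph above relies on. The public-value check matters in practice: accepting 1 or p-1 from a peer would make the "shared" secret predictable regardless of the private exponent.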

Recommended configuration procedure

Step Remarks

1. Configuring an IPsec connection
Required.

2. Displaying IPsec VPN monitoring information
Optional.
Displays configuration and status information of IPsec connections, and information of IPsec tunnels.
Allows you to delete tunnels that are set up with the configuration of an IPsec connection, and delete all ISAKMP SAs of all IPsec connections.

Configuring an IPsec connection


1. Select VPN > IPsec VPN from the navigation tree to enter the IPsec connection management page.
Figure 371 IPsec connection management page

2. Click Add to enter the page for adding an IPsec connection.
Figure 372 Adding an IPsec connection
3. Perform basic connection configurations as described in Table 156.
Table 156 Configuration items

IPsec Connection Name
    Enter a name for the IPsec connection.

Interface
    Select the interface on which IPsec is applied.

Network Type
    Select a network type, site-to-site or PC-to-site.

Remote Gateway Address/Hostname
    Enter the address of the remote gateway, which can be an IP address or a host name.
    The IP address can be a host IP address or an IP address range. If the local end is the initiator
    of IKE negotiation, it can have only one remote IP address, and that address must match the local
    gateway address configured on the peer. If the local end is the responder of IKE negotiation, it
    can have more than one remote IP address, and one of them must match the local gateway address
    configured on the peer.
    A host name uniquely identifies the remote gateway in the network and is resolved to an IP address
    by the DNS server. The local end can be the initiator of IKE negotiation when a host name is
    specified.

Local Gateway Address
    Enter the IP address of the local gateway. By default, it is the primary IP address of the
    interface on which the IPsec connection is set up.
    IMPORTANT:
    Configure this item only when you want to use a special address (a loopback interface address,
    for example) for the local gateway. An initiator needs the name or IP address of the remote
    gateway so that it can find the remote peer in negotiation.

Authentication Method
    Select the authentication method used by the IKE negotiation. Options include:
    • Pre-Shared-Key—Uses the pre-shared key method. If this option is selected, enter the key in
      the Key field and enter the same key in the Confirm Key field. Use a long, random key that is
      unique to this peer; it is the only secret that authenticates the two gateways to each other.
    • Certificate—Uses the digital signature method. If this option is selected, select a
      certificate from the list. Available certificates are configured in certificate management.

Remote ID Type
    Select the remote ID type for IKE negotiation phase 1. Options include:
    • IP Address—Uses an IP address as the ID in IKE negotiation.
    • FQDN—Uses a Fully Qualified Domain Name (FQDN) type of gateway name as the ID in IKE
      negotiation. If this option is selected, the remote gateway ID is required.
    IMPORTANT:
    • If the IKE negotiation initiator uses the FQDN or user FQDN ID type of the security gateway as
      the ID for IKE negotiation, it sends its gateway ID to the peer, and the peer uses the locally
      configured remote gateway ID to authenticate the initiator. Make sure that the remote gateway
      ID configured here is identical to the local gateway ID configured on its peer.
    • In main mode, only the IP address ID type can be used in IKE negotiation and SA establishment.

Local ID Type
    Select the local ID type for IKE negotiation phase 1. Options include:
    • IP Address—Uses an IP address as the ID in IKE negotiation.
    • FQDN—Uses an FQDN type as the ID in IKE negotiation. If this option is selected, enter a name
      without any at sign (@) for the local security gateway, for example, foo.bar.com.
    • User FQDN—Uses a user FQDN type as the ID in IKE negotiation. If this option is selected, enter
      a name string with an at sign (@) for the local security gateway, for example,
      test@foo.bar.com.

Selector
    Select a method to identify the traffic to be protected by IPsec. Options include:
    • Characteristics of Traffic—Identifies the traffic to be protected by the source
      address/wildcard and destination address/wildcard specified below.
    • Designated by Remote Gateway—The remote gateway determines the data to be protected.

Source Address/Wildcard
Destination Address/Wildcard
    Enter the source and destination address/wildcard pairs of the traffic to be protected. A
    wildcard bit of 0 means the corresponding address bit must match, so 10.1.1.0/0.0.0.255 covers
    the subnet 10.1.1.0/24.
    IMPORTANT:
    • To make sure SAs can be set up, configure the source address/wildcard on one peer as the
      destination address/wildcard on the other, and the destination address/wildcard on one peer as
      the source address/wildcard on the other. If you do not configure the parameters this way, SAs
      can be set up only when the address ranges configured on one peer are subsets of those
      configured on the other, and the peer with the narrower address ranges initiates SA
      negotiation.
    • If the data range is designated by the remote gateway, the local peer cannot initiate a
      negotiation.

Reverse Route Injection
    Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the
    preference of the static routes.
    After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer
    private network, so you do not have to configure the static route manually.
    IMPORTANT:
    • If you enable IPsec RRI and do not configure the static route, the SA negotiation must be
      initiated by the remote gateway, because without a route to the peer network no local traffic
      reaches the IPsec interface to trigger negotiation.
    • IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when
      the IPsec SAs are deleted.
    • To view the static routes created by IPsec RRI, select Advanced > Route Setup [Summary] from
      the navigation tree.

Next Hop
    Specify a next hop for the static routes. If you do not specify a next hop, the remote tunnel
    endpoint's address learned during IPsec SA negotiation is used.

Priority
    Change the preference of the static routes, for equal-cost multipath (ECMP) routing or route
    backup. If multiple routes to the same destination have the same preference, traffic is balanced
    among them. If multiple routes to the same destination have different preference values, the
    route with the highest preference (on H3C routers, the smallest preference value) forwards
    traffic and all other routes are backup routes.
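The selector rules above (mirror image, or subset with the narrower end initiating) are easy to get wrong when the two ends are configured by different people. The following Python is an added example, not part of the H3C guide: it converts the address/wildcard pairs from Table 156 into prefixes and reports which of the three outcomes applies. The router names and addresses are those of the configuration example later in this chapter, the wider Router B selector is constructed for illustration, and the helper names are this example's own.

```python
import ipaddress
from typing import Optional, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an address/wildcard pair into a network.

    A wildcard bit of 0 means the address bit must match, so 0.0.0.255 covers a /24
    and 0.0.0.0 a single host. Only contiguous wildcards correspond to a prefix;
    anything else (for example 0.0.0.254) is rejected rather than silently widened.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - bits.bit_length()
    if bits != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.IPv4Network((address, prefix), strict=False)


def selector(source: str, destination: str) -> Selector:
    """Build a (source, destination) selector from two 'address/wildcard' strings."""
    src_addr, src_wc = source.split("/")
    dst_addr, dst_wc = destination.split("/")
    return wildcard_to_network(src_addr, src_wc), wildcard_to_network(dst_addr, dst_wc)


def sa_outcome(local: Selector, peer: Selector) -> Tuple[str, Optional[str]]:
    """Classify two Characteristics-of-Traffic selectors.

    Returns one of:
      ("mirror", None)     exact mirror image; either end may initiate
      ("subset", "local")  local ranges are narrower; the local end must initiate
      ("subset", "peer")   peer ranges are narrower; the peer must initiate
      ("mismatch", None)   no IPsec SA can be negotiated
    """
    local_src, local_dst = local
    peer_src, peer_dst = peer
    if local_src == peer_dst and local_dst == peer_src:
        return "mirror", None
    # subnet_of() is also true for equal networks, so "narrower" here means
    # narrower or equal on each side without being equal on both.
    if local_src.subnet_of(peer_dst) and local_dst.subnet_of(peer_src):
        return "subset", "local"
    if peer_src.subnet_of(local_dst) and peer_dst.subnet_of(local_src):
        return "subset", "peer"
    return "mismatch", None


# Constructed inputs: Router A and Router B as in the configuration example.
ROUTER_A = selector("10.1.1.0/0.0.0.255", "10.1.2.0/0.0.0.255")
ROUTER_B = selector("10.1.2.0/0.0.0.255", "10.1.1.0/0.0.0.255")
# Hypothetical Router B that protects all of 10.1.0.0/16 towards Router A.
ROUTER_B_WIDE = selector("10.1.0.0/0.0.255.255", "10.1.1.0/0.0.0.255")

if __name__ == "__main__":
    print(sa_outcome(ROUTER_A, ROUTER_B))       # ('mirror', None)
    print(sa_outcome(ROUTER_A, ROUTER_B_WIDE))  # ('subset', 'local'): Router A must initiate
    print(sa_outcome(ROUTER_B_WIDE, ROUTER_A))  # ('subset', 'peer')
```

Run it against both ends' settings before enabling a connection; a "subset" result with the wrong end configured to initiate (or with the narrower end set to Designated by Remote Gateway) is the usual reason a tunnel never comes up although every algorithm matches.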

4. Click Advanced Configuration to expand the advanced configuration area.


Figure 373 Advanced configuration

5. Perform advanced connection configuration as described in Table 157.


6. Click Apply.
Table 157 Configuration items

Phase 1

Exchange Mode
    Select the IKE negotiation mode in phase 1, which can be main or aggressive.
    IMPORTANT:
    • If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation
      mode must be aggressive, because main mode can identify a peer only by its IP address. In this
      case, SAs can be established as long as the peer ID and the pre-shared key are correct.
    • An IKE peer uses its configured IKE negotiation mode when it is the negotiation initiator. A
      negotiation responder uses the IKE negotiation mode of the initiator.
    • In aggressive mode with pre-shared key authentication, the hash derived from the key is sent
      before the exchange is encrypted, so an eavesdropper can guess the key offline. Use a long
      random key if you must use aggressive mode.

Authentication Algorithm
    Select the authentication algorithm to be used in IKE negotiation. Options include:
    • SHA1—Uses HMAC-SHA1.
    • MD5—Uses HMAC-MD5.

Encryption Algorithm
    Select the encryption algorithm to be used in IKE negotiation. Options include:
    • DES-CBC—Uses the DES algorithm in CBC mode and a 56-bit key.
    • 3DES-CBC—Uses the 3DES algorithm in CBC mode and a 168-bit key.
    • AES-128—Uses the AES algorithm in CBC mode and a 128-bit key.
    • AES-192—Uses the AES algorithm in CBC mode and a 192-bit key.
    • AES-256—Uses the AES algorithm in CBC mode and a 256-bit key.

DH
    Select the DH group to be used in key negotiation phase 1. Options include:
    • Diffie-Hellman Group1—Uses the 768-bit Diffie-Hellman group.
    • Diffie-Hellman Group2—Uses the 1024-bit Diffie-Hellman group.
    • Diffie-Hellman Group5—Uses the 1536-bit Diffie-Hellman group.
    • Diffie-Hellman Group14—Uses the 2048-bit Diffie-Hellman group.

SA Lifetime
    Enter the ISAKMP SA lifetime in IKE negotiation.
    Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. As soon as the new SA is set
    up, it takes effect immediately, and the old one is cleared automatically when it expires.
    IMPORTANT:
    DH calculation in IKE negotiation takes time, especially on low-end devices. Set the lifetime
    greater than 10 minutes to prevent the SA update from disturbing normal communication.

Phase 2

Security Protocol
    Select the security protocol to be used. Options include:
    • ESP—Uses the ESP protocol.
    • AH—Uses the AH protocol.
    • AH-ESP—Uses ESP first and then AH.

AH Authentication Algorithm
    Select the authentication algorithm for AH when you select AH or AH-ESP for Security Protocol.
    Available authentication algorithms include MD5 and SHA1.

ESP Authentication Algorithm
    Select the authentication algorithm for ESP when you select ESP or AH-ESP for Security Protocol.
    You can select MD5 or SHA1, or select NULL so that ESP performs no authentication.
    IMPORTANT:
    The ESP authentication algorithm and the ESP encryption algorithm cannot both be NULL.

ESP Encryption Algorithm
    Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security Protocol.
    Options include:
    • 3DES—Uses the 3DES algorithm and a 168-bit key for encryption.
    • DES—Uses the DES algorithm and a 56-bit key for encryption.
    • AES128—Uses the AES algorithm and a 128-bit key for encryption.
    • AES192—Uses the AES algorithm and a 192-bit key for encryption.
    • AES256—Uses the AES algorithm and a 256-bit key for encryption.
    • NULL—Performs no encryption. The traffic is then authenticated but readable by anyone on
      the path.
    IMPORTANT:
    • Stronger algorithms cost more CPU time and reduce throughput, but a 56-bit DES key can be
      recovered by brute force with modest resources and MD5 is deprecated. Use AES with SHA1 unless
      a peer supports nothing else, and fall back to 3DES only for such peers.
    • The ESP authentication algorithm and the ESP encryption algorithm cannot both be NULL.

Encapsulation Mode
    Select the IP packet encapsulation mode. Options include:
    • Tunnel—Uses the tunnel mode.
    • Transport—Uses the transport mode.

PFS
    Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature. Options
    include:
    • None—Disables PFS.
    • Diffie-Hellman Group1—Enables PFS and uses the 768-bit Diffie-Hellman group.
    • Diffie-Hellman Group2—Enables PFS and uses the 1024-bit Diffie-Hellman group.
    • Diffie-Hellman Group5—Enables PFS and uses the 1536-bit Diffie-Hellman group.
    • Diffie-Hellman Group14—Enables PFS and uses the 2048-bit Diffie-Hellman group.
    IMPORTANT:
    • DH Group14, DH Group5, DH Group2, and DH Group1 are in descending order of security and of
      calculation time.
    • When IPsec uses an IPsec connection with PFS configured to initiate negotiation, an additional
      key exchange is performed in phase 2, so that a compromised ISAKMP SA key does not expose the
      IPsec SA keys.
    • The two peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.

SA Lifetime
    Enter the IPsec SA lifetime, which can be time-based or traffic-based.
    IMPORTANT:
    When negotiating to set up IPsec SAs, IKE uses the smaller of the lifetime set locally and the
    lifetime proposed by the peer.

DPD
    Enable or disable IKE DPD.
    DPD detects dead IKE peers on demand rather than at fixed intervals. When the local end sends an
    IPsec packet, DPD checks when the last IPsec packet was received from the peer. If that idle time
    exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no DPD
    acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If
    it still receives no DPD acknowledgement after the maximum number of retransmission attempts (two
    by default), it considers the peer dead and clears the IKE SA and the IPsec SAs based on that
    IKE SA.

DPD Query Triggering Interval
    Enter the idle interval after which DPD is triggered if no IPsec-protected packets are received
    from the peer.

DPD Packet Retransmission Interval
    Enter the interval after which the DPD packet is retransmitted if no DPD response is received.
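The DPD behaviour described in Table 157 is a small timer-driven state machine, and the effective detection time (query interval, then one retransmission interval per attempt) is easier to see by replaying events through it. The Python below is an added example, not H3C code, that does so with the default of two retransmissions. The event names, the interval values and the simplification that any packet from the peer (data or DPD acknowledgement) counts as proof of life are this example's assumptions.

```python
from typing import List, Optional, Tuple

Event = Tuple[int, str]      # (time in seconds, "rx" | "tx" | "ack")
LogEntry = Tuple[int, str]   # (time in seconds, action taken)


class DpdPeer:
    """Local end's DPD view of one IKE peer (this example's model of Table 157)."""

    def __init__(self, query_interval: int = 10, retrans_interval: int = 5,
                 max_retrans: int = 2) -> None:
        self.query_interval = query_interval      # DPD Query Triggering Interval
        self.retrans_interval = retrans_interval  # DPD Packet Retransmission Interval
        self.max_retrans = max_retrans            # retransmission attempts (two by default)
        self.last_rx = 0                          # time of the last packet from the peer
        self.hello_at: Optional[int] = None       # when the outstanding hello was (re)sent
        self.retrans = 0                          # retransmissions of the outstanding hello
        self.log: List[LogEntry] = []

    def _expire(self, now: int) -> bool:
        """Fire retransmission timers due by `now`; True once the peer is declared dead."""
        while self.hello_at is not None and now - self.hello_at >= self.retrans_interval:
            due = self.hello_at + self.retrans_interval
            if self.retrans >= self.max_retrans:
                self.log.append((due, "peer dead: clear IKE SA and its IPsec SAs"))
                return True
            self.retrans += 1
            self.hello_at = due
            self.log.append((due, f"retransmit DPD hello #{self.retrans}"))
        return False

    def run(self, timeline: List[Event], end_time: int) -> Tuple[List[LogEntry], str]:
        """Replay events in time order; return the log and the final peer state.

        "rx"  an IPsec packet arrived from the peer
        "tx"  the local end sends an IPsec packet (DPD is evaluated only here)
        "ack" a DPD acknowledgement arrived
        """
        for t, event in sorted(timeline):
            if self._expire(t):
                return self.log, "dead"
            if event in ("rx", "ack"):
                # Assumption: anything from the peer resets the idle timer and cancels the probe.
                self.last_rx, self.hello_at, self.retrans = t, None, 0
                self.log.append((t, event))
            elif event == "tx":
                idle = t - self.last_rx
                if self.hello_at is None and idle > self.query_interval:
                    self.hello_at, self.retrans = t, 0
                    self.log.append((t, f"send DPD hello (idle {idle}s > {self.query_interval}s)"))
            else:
                raise ValueError(f"unknown event {event!r}")
        if self._expire(end_time):
            return self.log, "dead"
        return self.log, "probing" if self.hello_at is not None else "alive"


def run_dpd(timeline: List[Event], end_time: int, **intervals: int) -> Tuple[List[LogEntry], str]:
    return DpdPeer(**intervals).run(timeline, end_time)


# Constructed timelines (seconds): a peer that goes silent, and one that answers.
SILENT_PEER: List[Event] = [(0, "rx"), (12, "tx"), (30, "tx")]
RESPONSIVE_PEER: List[Event] = [(0, "rx"), (12, "tx"), (14, "ack"), (15, "tx")]

if __name__ == "__main__":
    for entry in run_dpd(SILENT_PEER, end_time=40)[0]:
        print(entry)   # hello at 12, retransmits at 17 and 22, peer dead at 27
```

With the defaults used here a dead peer is detected query_interval + (max_retrans + 1) * retrans_interval seconds after its last packet, but only if the local end keeps sending; a tunnel with no outbound traffic is never probed, which is why RRI or a monitored route is needed before DPD alone can be relied on for failover.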

Displaying IPsec VPN monitoring information


1. Select VPN > IPsec VPN from the navigation tree.
2. Click the Monitoring Information tab to enter the page that displays the IPsec connection
configuration and status information.
3. Select an IPsec connection.
The lower part of the page shows the information of the IPsec tunnel that was set up with the
selected IPsec connection configuration.
4. To delete all ISAKMP SAs of all IPsec connections, click Delete ISAKMP SA. To delete IPsec tunnels
that use the configuration of an IPsec connection, select the IPsec connection, and click Delete
Selected Connection's Tunnels.
Figure 374 Monitoring information

Table 158 Fields of the IPsec connection list

Connection Status
    Status of an IPsec connection. Possible values include:
    • Connected.
    • Disconnected.
    • Unconfigured—The IPsec connection is disabled.

Last Connection Error
    The most recent error, if any. Possible values include:
    • ERROR_NONE—No error occurred.
    • ERROR_QM_FSM_ERROR—State machine error.
    • ERROR_PHASEI_FAIL—Error occurred in phase 1.
    • ERROR_PHASEI_PROPOSAL_UNMATCHED—No matching security proposal in phase 1.
    • ERROR_PHASEII_PROPOSAL_UNMATCHED—No matching security proposal in phase 2.
    • ERROR_NAT_TRAVERSAL_ERROR—NAT traversal error.
    • ERROR_PHASEII_FAIL—Error occurred in phase 2.
    • ERROR_INVALID_SPI—SPI error.
    • ERROR_UNKNOWN—Unknown error.

Table 159 Fields of the IPsec tunnel list

Characteristics of Traffic
    Characteristics of the IPsec-protected traffic, including the source address/wildcard,
    destination address/wildcard, protocol, source port, and destination port.

SPI
    Inbound and outbound SPIs, and the security protocols used.
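Most of the codes in Table 158 can be predicted from the two ends' settings before anything is deployed. The Python below is an added example, not H3C code, that encodes the matching rules from Tables 156 and 157 and returns the Last Connection Error code a given pair of configurations would produce. The field names and sample peers are this example's assumptions, as is the mapping of a PFS group mismatch onto ERROR_PHASEII_PROPOSAL_UNMATCHED; the guide only states that mismatched PFS groups make negotiation fail.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IpsecPeer:
    """One end's connection settings, named after the items in Tables 156 and 157."""
    name: str
    exchange_mode: str = "main"       # phase 1 mode used when this end initiates
    id_type: str = "ip"               # local ID type: "ip", "fqdn" or "user-fqdn"
    auth_method: str = "psk"          # "psk" or "certificate"
    dynamic_address: bool = False     # address obtained dynamically (DHCP, PPPoE)
    ike_auth: str = "sha1"            # phase 1 authentication algorithm
    ike_enc: str = "aes-128"          # phase 1 encryption algorithm
    ike_dh: int = 2                   # phase 1 DH group
    isakmp_lifetime: int = 86400      # ISAKMP SA lifetime in seconds
    protocol: str = "esp"             # "esp", "ah" or "ah-esp"
    esp_auth: str = "sha1"            # "md5", "sha1" or "null"
    esp_enc: str = "aes128"           # "des", "3des", "aes128", "aes192", "aes256" or "null"
    ah_auth: str = "sha1"             # "md5" or "sha1"
    pfs: Optional[int] = None         # DH group for PFS, None when PFS is disabled
    ipsec_lifetime: int = 3600        # IPsec SA lifetime in seconds


def local_problems(p: IpsecPeer) -> List[str]:
    """Settings the Web page rejects or warns about on one end, before any negotiation."""
    problems = []
    if p.protocol != "ah" and p.esp_auth == "null" and p.esp_enc == "null":
        problems.append(f"{p.name}: ESP authentication and encryption cannot both be NULL")
    if p.isakmp_lifetime <= 600:
        problems.append(f"{p.name}: ISAKMP SA lifetime should exceed 10 minutes")
    if p.dynamic_address and p.exchange_mode != "aggressive":
        problems.append(f"{p.name}: a dynamically addressed end must use aggressive mode")
    return problems


def phase1_proposal(p: IpsecPeer) -> tuple:
    return p.ike_auth, p.ike_enc, p.ike_dh


def phase2_proposal(p: IpsecPeer) -> tuple:
    """Only the algorithms relevant to the selected protocol take part in matching."""
    uses_esp, uses_ah = "esp" in p.protocol, "ah" in p.protocol
    return (p.protocol,
            p.esp_auth if uses_esp else None, p.esp_enc if uses_esp else None,
            p.ah_auth if uses_ah else None)


def negotiated_ipsec_lifetime(a: IpsecPeer, b: IpsecPeer) -> int:
    """IKE uses the smaller of the local and the proposed IPsec SA lifetimes."""
    return min(a.ipsec_lifetime, b.ipsec_lifetime)


def predict(initiator: IpsecPeer, responder: IpsecPeer) -> Tuple[str, List[str]]:
    """Return the Last Connection Error code expected for this pair, plus notes."""
    problems = local_problems(initiator) + local_problems(responder)
    if problems:
        raise ValueError("; ".join(problems))
    notes: List[str] = []
    mode = initiator.exchange_mode          # the responder follows the initiator's mode
    if mode == "main" and (initiator.id_type != "ip" or responder.id_type != "ip"):
        return "ERROR_PHASEI_FAIL", ["main mode can use only IP address IDs"]
    if mode == "aggressive" and initiator.auth_method == "psk":
        notes.append("aggressive mode exposes the PSK-derived hash; use a long random key")
    if phase1_proposal(initiator) != phase1_proposal(responder):
        return "ERROR_PHASEI_PROPOSAL_UNMATCHED", [
            f"{phase1_proposal(initiator)} vs {phase1_proposal(responder)}"]
    if phase2_proposal(initiator) != phase2_proposal(responder):
        return "ERROR_PHASEII_PROPOSAL_UNMATCHED", [
            f"{phase2_proposal(initiator)} vs {phase2_proposal(responder)}"]
    if initiator.pfs != responder.pfs:
        # The guide says only that different PFS groups fail; this code is an assumption.
        return "ERROR_PHASEII_PROPOSAL_UNMATCHED", [f"PFS group {initiator.pfs} vs {responder.pfs}"]
    notes.append(f"IPsec SA lifetime {negotiated_ipsec_lifetime(initiator, responder)}s")
    return "ERROR_NONE", notes


if __name__ == "__main__":
    router_a, router_b = IpsecPeer("RouterA"), IpsecPeer("RouterB", ike_dh=14)
    print(predict(router_a, router_b))   # ('ERROR_PHASEI_PROPOSAL_UNMATCHED', [...])
```

The check is deliberately one-directional: run it once with each end as initiator, because the exchange mode and therefore the ID-type restriction depend on which end starts the negotiation.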

IPsec VPN configuration example


Network requirements
As shown in Figure 375, configure an IPsec tunnel between Router A and Router B to protect traffic
between subnet 10.1.1.0/24 and subnet 10.1.2.0/24. Enable IPsec RRI on Router A and specify the next
hop as 2.2.2.2.
Figure 375 Network diagram

Configuring Router A
1. Assign IP addresses to the interfaces. (Details not shown.)
2. Configure an IPsec connection:
a. Select VPN > IPsec VPN from the navigation tree.
b. Click Add.

The IPsec connection configuration page appears.
c. Enter map1 as the IPsec connection name.
d. Select interface Ethernet0/1.
e. Enter 2.2.3.1 as the remote gateway IP address.
f. Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields.
g. In the Selector area, select Characteristics of Traffic as the selector type.
h. Specify 10.1.1.0/0.0.0.255 as the source address/wildcard. Specify 10.1.2.0/0.0.0.255
as the destination address/wildcard.
i. Select Enable for RRI. Enter 2.2.2.2 as the next hop.
j. Click Apply.
Figure 376 Adding an IPsec connection

Configuring Router B
1. Assign IP addresses to the interfaces. (Details not shown.)
2. Configure a static route to Host A:
a. Select Advanced > Route Setup from the navigation tree.
b. Click the Create tab.
The page as shown in Figure 377 appears.
c. Enter 10.1.1.0 as the destination IP address.
d. Enter 24 as the mask.
e. Select Interface and then select Ethernet0/1 as the interface.

f. Click Apply.
Figure 377 Configuring a static route to Host A

3. Configure an IPsec connection.


a. Select VPN > IPsec VPN from the navigation tree.
b. Click Add to enter the IPsec connection configuration page (see Figure 376).
c. Enter map1 as the IPsec connection name.
d. Select interface Ethernet0/1.
e. Enter 2.2.2.1 as the remote gateway IP address.
f. Select the Pre-Shared-Key box, and then enter abcde in both the Key and Confirm Key fields.
g. In the Selector area, select the selector type Characteristics of Traffic.
h. Specify 10.1.2.0/0.0.0.255 as the source address/wildcard. Specify 10.1.1.0/0.0.0.255
as the destination address/wildcard.
i. Click Apply.

Verifying the configuration


After you complete the configuration, packets exchanged between subnet 10.1.1.0/24 and subnet
10.1.2.0/24 trigger IKE to negotiate SAs. After IKE negotiation succeeds and the IPsec SAs are
established, a static route to subnet 10.1.2.0/24 via 2.2.2.2 is added to the routing table on Router A,
and traffic between subnet 10.1.1.0/24 and subnet 10.1.2.0/24 is protected by IPsec. You can confirm
the route under Advanced > Route Setup [Summary] and the SA state on the Monitoring Information tab of
VPN > IPsec VPN.
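What the verification step describes, as an added example that is not the guide's own code: the static route that IPsec RRI derives from Router A's connection, installed when the outbound IPsec SA comes up and withdrawn when the SA is deleted, with the route preference deciding between load sharing and backup. The routing-table model, the assumed default static route preference of 60 and the backup route via 2.2.3.1 are this example's assumptions; the addresses are those of the example network.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, int, str]   # (destination prefix, preference, next hop)


def rri_route(destination_selector: str, remote_endpoint: str,
              next_hop: Optional[str] = None, preference: int = 60) -> Route:
    """Static route RRI installs for one IPsec connection.

    destination_selector is the connection's destination address/wildcard (a contiguous
    wildcard is assumed). The next hop is the configured Next Hop, or the remote tunnel
    endpoint learned during SA negotiation when none is configured. The default
    preference of 60 is this example's assumption.
    """
    addr, wildcard = destination_selector.split("/")
    bits = int(ipaddress.IPv4Address(wildcard))
    network = ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)
    return str(network), preference, next_hop or remote_endpoint


class RoutingTable:
    """Minimal table: the smallest preference value wins; equal values share the load."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        if route not in self.routes:
            self.routes.append(route)

    def remove(self, route: Route) -> None:
        self.routes = [r for r in self.routes if r != route]

    def next_hops(self, destination: str) -> List[str]:
        """Next hops currently forwarding traffic to `destination` (ECMP if several)."""
        candidates = [r for r in self.routes if r[0] == destination]
        if not candidates:
            return []
        best = min(pref for _, pref, _ in candidates)
        return [hop for _, pref, hop in candidates if pref == best]


def sa_lifecycle() -> List[List[str]]:
    """Walk the example on Router A: SA up installs the RRI route, SA deletion withdraws it."""
    table = RoutingTable()
    table.add(("10.1.2.0/24", 70, "2.2.3.1"))      # assumed manual backup route, lower priority
    rri = rri_route("10.1.2.0/0.0.0.255", remote_endpoint="2.2.3.1", next_hop="2.2.2.2")
    snapshots = [table.next_hops("10.1.2.0/24")]    # before the SA exists: backup route only
    table.add(rri)                                  # outbound IPsec SA created
    snapshots.append(table.next_hops("10.1.2.0/24"))  # RRI route (60) now forwards
    table.remove(rri)                               # IPsec SA deleted (lifetime expiry or DPD)
    snapshots.append(table.next_hops("10.1.2.0/24"))  # traffic falls back to the backup route
    return snapshots


if __name__ == "__main__":
    print(rri_route("10.1.2.0/0.0.0.255", "2.2.3.1", "2.2.2.2"))  # ('10.1.2.0/24', 60, '2.2.2.2')
    print(sa_lifecycle())  # [['2.2.3.1'], ['2.2.2.2'], ['2.2.3.1']]
```

The manual backup route in this walk-through is also what lets Router A initiate: with RRI alone and no route to 10.1.2.0/24, no packet reaches the IPsec interface and only Router B can trigger the negotiation, as the Reverse Route Injection note in Table 156 points out.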

Configuration guidelines
When you configure IPsec, follow these guidelines:
• Typically, IKE uses UDP port 500 for communication (and UDP port 4500 when NAT traversal is in
  use), and AH and ESP use the IP protocol numbers 51 and 50 respectively. AH and ESP carry no port
  numbers, so filter rules must match them by protocol number. Make sure flows of these protocols
  are not denied on the interfaces with IKE or IPsec configured.
• If you enable both IPsec and QoS on an interface, traffic of an IPsec SA may be put into different
  queues by QoS, causing some packets to be sent out of order. Because IPsec performs anti-replay
  checking, packets that fall outside the anti-replay window in the inbound direction are discarded,
  resulting in packet loss. When using IPsec together with QoS, make sure the characteristics of
  traffic in IPsec are the same as the traffic classification in QoS.
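A quick way to check the first guideline against an interface's packet filter before troubleshooting a tunnel, as an added example that is not taken from the guide. The rule representation is a simplified ordered list of (action, IP protocol number or any, destination port or any) with first match wins; it is this example's own model, not H3C ACL syntax. UDP port 4500, used when IKE detects NAT between the peers (the NAT traversal case behind ERROR_NAT_TRAVERSAL_ERROR), is standard IKE/IPsec behaviour that the guideline itself does not list.

```python
from typing import Dict, List, Optional, Tuple

# Flows IPsec needs through the filter: name -> (IP protocol number, UDP destination port or None)
IPSEC_FLOWS: Dict[str, Tuple[int, Optional[int]]] = {
    "IKE": (17, 500),          # ISAKMP over UDP 500 (from the guideline)
    "IKE NAT-T": (17, 4500),   # UDP-encapsulated IKE and ESP once NAT is detected
    "ESP": (50, None),         # IP protocol 50, no ports
    "AH": (51, None),          # IP protocol 51, no ports
}

Rule = Tuple[str, Optional[int], Optional[int]]   # (action, protocol or None=any, port or None=any)


def decide(rules: List[Rule], protocol: int, port: Optional[int], default: str) -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for action, rule_proto, rule_port in rules:
        if rule_proto is not None and rule_proto != protocol:
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action
    return default


def blocked_ipsec_flows(rules: List[Rule], default: str = "permit") -> List[str]:
    """Names of the IPsec control and data flows that `rules` would deny."""
    return [name for name, (proto, port) in IPSEC_FLOWS.items()
            if decide(rules, proto, port, default) == "deny"]


# Constructed filter: permits IKE, drops every other UDP packet, then permits all IP.
# It looks IPsec-friendly but silently breaks NAT traversal.
SAMPLE_RULES: List[Rule] = [
    ("permit", 17, 500),
    ("deny", 17, None),
    ("permit", None, None),
]

# Constructed allow-list filter with an implicit deny that forgot ESP and AH entirely:
# IKE completes, the monitoring page shows Connected, and no data flows.
ALLOWLIST_RULES: List[Rule] = [("permit", 17, 500), ("permit", 17, 4500)]

if __name__ == "__main__":
    print(blocked_ipsec_flows(SAMPLE_RULES))                      # ['IKE NAT-T']
    print(blocked_ipsec_flows(ALLOWLIST_RULES, default="deny"))   # ['ESP', 'AH']
```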

Configuring L2TP

A VPDN is a VPN that utilizes the dial-up function of public networks such as ISDN or PSTN networks to
provide access services for enterprises, small ISPs, and telecommuters. VPDN provides an economical
and effective, point-to-point way for remote users to connect to their private LANs.
Layer 2 Tunneling Protocol (L2TP) is the most widely-used VPDN tunneling protocol. Figure 378 shows a
typical VPDN built by using L2TP.
Figure 378 VPDN built by using L2TP

A VPDN built by using L2TP has three components:


• Remote system
A remote system is usually a remote user's host or a remote branch's routing device that needs to
access the VPDN network.
• LAC
An L2TP access concentrator (LAC) is a device that has PPP and L2TP capabilities. An LAC is
usually a Network Access Server (NAS) located at a local ISP, which provides access services
mainly for PPP users.
An LAC is an endpoint of an L2TP tunnel and lies between an LNS and a remote system. It
encapsulates packets received from a remote system using L2TP and then sends the resulting
packets to the LNS. It de-encapsulates packets received from the LNS and then sends the resulting
packets to the intended remote system.
Between an LAC and a remote system is a local connection or a PPP link. Usually, a PPP link is used
in a VPDN application.
• LNS
An L2TP network server (LNS) functions as both the L2TP server and the PPP end system. It is usually
an edge device on an enterprise network.
An LNS is the other endpoint of an L2TP tunnel and is a peer to the LAC. It is the logical termination
point of a PPP session tunneled by the LAC. The L2TP extends the termination point of a PPP session
from a NAS to an LNS, logically.
For more information about L2TP, see Layer 2—WAN Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).

Enabling L2TP
1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as
shown in Figure 379.
2. On the upper part of the page, select the box before Enable L2TP.
3. Click Apply.
Figure 379 L2TP configuration page

Adding an L2TP group


1. Select VPN > L2TP > L2TP Config from the navigation tree to enter the L2TP configuration page, as
shown in Figure 379.
2. On the lower part of the page, click Add to add an L2TP group.

Figure 380 Adding an L2TP group

3. Configure the L2TP group information, as described in Table 160.


4. Click Apply.
Table 160 Configuration items

L2TP Group Name
    Specify the name of the L2TP group.

Peer Tunnel Name
    Specify the peer name of the tunnel.

Local Tunnel Name
    Specify the local name of the tunnel.

Tunnel Authentication
Authentication Password
    Enable or disable L2TP tunnel authentication in the group. If you enable tunnel authentication,
    you must set the authentication password.
    Either the LAC or the LNS can initiate a tunnel authentication request. If tunnel authentication
    is enabled on one end, the tunnel can be established only if it is also enabled on the other end
    and both ends are configured with the same authentication password. If tunnel authentication is
    disabled on both ends, the authentication passwords do not take effect.
    IMPORTANT:
    • Enable tunnel authentication on both ends of the tunnel. Disable it only while testing network
      connectivity or when the local end must accept connections from unknown peers; without it, any
      host that can reach the L2TP port (UDP 1701) can attempt to bring up a tunnel.
    • To change the tunnel authentication password, tear down the tunnel first. Otherwise, the
      change does not take effect.

PPP Authentication Configuration
  Authentication Method
    Select the authentication method for PPP users on the local end. You can select PAP or CHAP. If
    you do not select an authentication method, no authentication is performed.
  ISP Domain
    Specify the ISP domain for PPP user authentication. You can:
    • Click Add to enter the page for adding an ISP domain, as shown in Figure 381. For information
      about the configuration items, see Table 161.
    • Select an ISP domain and click Modify to enter the ISP domain modification page. For
      information about the configuration items, see Table 161.
    • Select an ISP domain and click Delete to delete the ISP domain.
    If you specify an ISP domain, that domain is used for authentication, and IP addresses must be
    assigned from the address pool configured in that domain.
    If you do not specify an ISP domain, the system checks whether the username carries domain
    information. If so, that domain is used for authentication; otherwise, the default domain
    (system by default) is used.

PPP Server IP/Mask
    Specify the IP address and mask of the local end.

PPP Address
  User Address
    Specify the address pool for assigning IP addresses to users on the peer end, or assign an IP
    address to a user directly.
    If you have specified an ISP domain in the PPP authentication configuration, the address pools
    in that ISP domain are listed in the User Address list. You can:
    • Click Add to add an address pool, as shown in Figure 382. For information about the
      configuration items, see Table 162.
    • Select an address pool and click Modify to enter the address pool modification page. For
      information about the configuration items, see Table 162.
    • Select an address pool and click Delete to delete the address pool.
  Assign Address Forcibly
    Specify whether to force the peer end to use the IP address assigned by the local end. If you
    enable this function, the peer end is not allowed to use its locally configured IP address.

Advanced Configuration
  Hello Interval
    Specify the interval between sending Hello packets.
    To check the connectivity of a tunnel, the LAC and LNS regularly send Hello packets to each
    other. Upon receipt of a Hello packet, the LAC or LNS returns a response packet. If the LAC or
    LNS receives no Hello response from the peer within a specific period, it retransmits the Hello
    packet. If it receives no response after transmitting the Hello packet three times, it considers
    the L2TP tunnel down and tries to re-establish a tunnel with the peer.
    The interval on the LAC end and that on the LNS end can be different.
  AVP Hidden
    Specify whether to transfer AVP data in hidden mode.
    With L2TP, some parameters are transferred as AVP data. You can configure an LAC to transfer AVP
    data in hidden mode, that is, to obscure AVP values before transmission using the tunnel
    authentication password as the shared secret, for higher security. This configuration does not
    take effect on an LNS.
  Flow Control
    Specify whether to enable flow control for the L2TP tunnel.
    The L2TP tunnel flow control function controls data packets in transmission. It helps in
    buffering and reordering received out-of-order data packets.
  Mandatory CHAP
  Mandatory LCP
    Configure user authentication on an LNS.
    An LNS can be configured to authenticate a user who has already passed authentication on the
    LAC, to increase security. In this case, an L2TP tunnel can be set up only when both
    authentications succeed. An LNS can authenticate users in the following ways:
    • Mandatory CHAP authentication—A VPN user who depends on a NAS to initiate tunneling requests
      is authenticated twice, once when accessing the NAS and once on the LNS by using CHAP.
    • LCP re-negotiation—A PPP user who depends on a NAS to initiate tunneling requests first
      performs PPP negotiation with the NAS. If the negotiation succeeds, the NAS initiates an L2TP
      tunneling request and sends the user authentication information to the LNS. The LNS then
      determines whether the user is valid according to the user authentication information
      received. Under some circumstances (when authentication and accounting are required on the
      LNS, for example), another round of LCP negotiation is required between the LNS and the user.
      In this case, the user authentication information from the NAS is ignored.
    • Proxy authentication—If neither LCP re-negotiation nor mandatory CHAP authentication is
      configured, the LNS performs proxy authentication of users. In this case, the LAC sends to the
      LNS all authentication information from users together with the authentication mode
      configured on the LAC itself.
    IMPORTANT:
    • Among these three authentication methods, LCP re-negotiation has the highest priority. If
      both LCP re-negotiation and mandatory CHAP authentication are configured, the LNS uses LCP
      re-negotiation and the PPP authentication method configured in the L2TP group.
    • With LCP re-negotiation, if no PPP authentication method is configured in the L2TP group, the
      LNS does not re-authenticate users. It assigns addresses to the PPP users immediately, so the
      users are authenticated only once, at the LAC end.
    • Some PPP clients do not support re-authentication, in which case LNS-side CHAP authentication
      fails.
    • When the LNS uses proxy authentication and the user authentication information received from
      the LAC is valid, the proxy authentication succeeds and a session can be established if the
      authentication method configured in the L2TP group is PAP. If the method configured in the
      L2TP group is CHAP but the LAC authenticated with PAP, the proxy authentication fails and no
      session can be set up, because CHAP, which the LNS requires, is stronger than PAP, which the
      LAC provides.
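The tunnel authentication and LNS user authentication rules in Table 160 interact in ways that are easier to see as code. The Python below is an added example, not H3C code, that encodes those rules: whether a tunnel can come up given each end's tunnel authentication setting, and which LNS-side path (LCP re-negotiation, mandatory CHAP or proxy authentication) applies to a user and whether the session is established. The field names, return strings and sample configurations are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TunnelEnd:
    """Tunnel authentication settings of one end (LAC or LNS)."""
    tunnel_auth: bool
    password: Optional[str] = None


def tunnel_can_come_up(lac: TunnelEnd, lns: TunnelEnd) -> bool:
    """Tunnel authentication rule: enabled on one end means it must be enabled on the other
    with the same password; disabled on both means the passwords are ignored."""
    if not lac.tunnel_auth and not lns.tunnel_auth:
        return True
    return (lac.tunnel_auth and lns.tunnel_auth
            and lac.password is not None and lac.password == lns.password)


@dataclass
class L2tpGroup:
    """LNS-side L2TP group settings that decide user authentication."""
    ppp_auth: Optional[str]            # "pap", "chap" or None (no PPP auth in the group)
    lcp_renegotiation: bool = False    # Mandatory LCP
    mandatory_chap: bool = False       # Mandatory CHAP


def lns_user_auth(group: L2tpGroup, lac_method: str, credentials_valid: bool,
                  client_supports_reauth: bool = True) -> Tuple[str, str]:
    """Return (authentication path, outcome) for a user the LAC has already authenticated.

    lac_method is the PPP method the LAC used ("pap" or "chap"); credentials_valid is
    whether the user's credentials check out against the LNS user database or AAA server.
    Outcomes start with "session-up" or "fail" followed by the reason.
    """
    if group.lcp_renegotiation:                 # highest priority of the three
        if group.ppp_auth is None:
            return "lcp-renegotiation", "session-up: no LNS re-authentication, LAC result trusted"
        if not client_supports_reauth:
            return "lcp-renegotiation", "fail: client does not support re-authentication"
        if not credentials_valid:
            return "lcp-renegotiation", f"fail: {group.ppp_auth} re-authentication rejected"
        return "lcp-renegotiation", f"session-up: re-authenticated with {group.ppp_auth}"
    if group.mandatory_chap:
        if not client_supports_reauth:
            return "mandatory-chap", "fail: client does not support re-authentication"
        if not credentials_valid:
            return "mandatory-chap", "fail: CHAP on the LNS rejected the user"
        return "mandatory-chap", "session-up: authenticated at the LAC and again by CHAP on the LNS"
    # Proxy authentication: the LAC forwards the credentials and the method it used.
    if group.ppp_auth is None:
        return "proxy", "session-up: no PPP authentication configured in the group"
    if not credentials_valid:
        return "proxy", "fail: forwarded credentials rejected"
    if group.ppp_auth == "chap" and lac_method == "pap":
        return "proxy", "fail: LNS requires CHAP but the LAC authenticated with PAP"
    return "proxy", "session-up: forwarded credentials accepted"


if __name__ == "__main__":
    # Constructed case: the LNS insists on CHAP, the LAC only did PAP.
    print(lns_user_auth(L2tpGroup("chap"), lac_method="pap", credentials_valid=True))
    print(tunnel_can_come_up(TunnelEnd(True, "s3cret"), TunnelEnd(False)))   # False
```

Two consequences worth noting from the table: an LNS with Mandatory LCP set and no PPP authentication method in the group trusts the LAC completely, and a PAP-only LAC cannot satisfy an LNS group configured for CHAP unless the LNS re-authenticates the user itself.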

Figure 381 Adding an ISP domain

Table 161 Configuration items

ISP Domain
    Specify the name of the ISP domain.

Authentication Methods
  Primary
    Select the primary authentication method for PPP users.
    • HWTACACS—HWTACACS authentication, which uses the HWTACACS scheme system.
    • Local—Local authentication.
    • None—No authentication. All users are trusted and no authentication is performed. Use this
      only for testing; on an LNS reachable from the Internet it admits anyone.
    • RADIUS—RADIUS authentication, which uses the RADIUS scheme system.
    If you do not select any authentication method, the default authentication method of the ISP
    domain is used. The default is local authentication.
  Backup
    Specify whether to use local authentication as the backup authentication method. This item is
    available only when you select HWTACACS or RADIUS as the primary authentication method.

Authorization Methods
  Primary
    Select the primary authorization method for PPP users.
    • HWTACACS—HWTACACS authorization, which uses the HWTACACS scheme system.
    • Local—Local authorization.
    • None—No authorization. The access device does not perform authorization for PPP users. After
      passing authentication, PPP users can directly access the network.
    • RADIUS—RADIUS authorization, which uses the RADIUS scheme system.
    If you do not select any authorization method, the default authorization method of the ISP
    domain is used. The default is local authorization.
  Backup
    Specify whether to use local authorization as the backup authorization method. This item is
    available only when you select HWTACACS or RADIUS as the primary authorization method.

Accounting Methods
  Accounting Optional
    Specify whether to enable the accounting optional function.
    For an online user, with the accounting optional function disabled, if no accounting server is
    available or communication with the current accounting server fails, the user is disconnected.
    With the accounting optional function enabled, the user can still use the network resources in
    that case, but the system no longer sends the accounting information of the user to the
    accounting server.
  Primary
    Select the primary accounting method for PPP users.
    • HWTACACS—HWTACACS accounting, which uses the HWTACACS scheme system.
    • Local—Local accounting.
    • None—No accounting. The system does not perform accounting for the users.
    • RADIUS—RADIUS accounting, which uses the RADIUS scheme system.
    If you do not select any accounting method, the default accounting method of the ISP domain is
    used. The default is local accounting.
  Backup
    Specify whether to use local accounting as the backup accounting method. This item is available
    only when you select HWTACACS or RADIUS as the primary accounting method.

Max. Number of Users
    Specify the maximum number of users the ISP domain can accommodate. If you do not specify the
    maximum number, the system does not limit the number of users of the ISP domain.
    Because users may compete for resources, setting a proper limit on the number of users of an
    ISP domain helps guarantee performance for the users of the ISP domain.

Figure 382 Adding an address pool

Table 162 Configuration items

ISP Domain
    Select the ISP domain for the IP address pool to be created.

IP Address Pool Number
    Specify the number of the IP address pool. If you set the IP address pool number to 1, the name
    of the IP address pool is pool1.

Start IP
End IP
    Specify the start IP address and end IP address of the IP address pool. The number of addresses
    between the start IP address and the end IP address must not exceed 1024. If you specify only
    the start IP address, the IP address pool contains only that one address.

Displaying L2TP tunnel information


1. Select VPN > L2TP > Tunnel Info from the navigation tree to enter the L2TP tunnel information page.
Figure 383 L2TP tunnel information

2. View the L2TP tunnel information.


Table 163 Field description

Field Description
Local Tunnel ID Local ID of the tunnel.

Peer Tunnel ID Peer ID of the tunnel.

Peer Tunnel Port Peer port of the tunnel.

Peer Tunnel IP Peer IP address of the tunnel.

Session Count Number of sessions on the tunnel.

Peer Tunnel Name Peer name of the tunnel.

Client-initiated VPN configuration example


Network requirements
As shown in Figure 384, a VPN user accesses the corporate headquarters as follows:
1. The user first connects to the Internet, and then initiates a tunneling request to the LNS directly.
2. After the LNS accepts the connection request, an L2TP tunnel is set up between the LNS and the
VPN user.
3. The VPN user communicates with the headquarters over the tunnel.

Figure 384 Network diagram

Configure the VPN user


Assign an IP address (2.1.1.1 in this example) to the user host, configure a route to ensure the reachability
of the LNS (1.1.2.2), and create a virtual private network connection using the Windows operating system,
or install L2TP client software such as WinVPN Client and connect to the Internet in dial-up mode. Then,
perform the following configurations (the configuration order may vary with the client software):
• Specify the VPN username as vpdnuser and the password as Hello.
• Set the Internet interface address of the security gateway as the IP address of the LNS. In this
example, the Ethernet interface on the LNS, the interface for the tunnel, has an IP address of 1.1.2.2.
• Modify the connection attributes, setting the protocol to L2TP, the encryption attribute to customized
and the authentication mode to CHAP.

Configure the LNS


Before you perform the following configurations, configure IP addresses for interfaces and make sure the
LNS and the user host can reach each other.
1. Create a local user:
a. Select System Management > Users from the navigation tree.
b. Click the Create User tab.
The local user configuration page appears, as shown in Figure 385.
c. Enter vpdnuser as the username.
d. Select access level Configure.
e. Enter password Hello.
f. Enter Hello to confirm the password.
g. Select PPP as the service type.
h. Click Apply.

Figure 385 Adding a local user

2. Enable L2TP:
a. Select VPN > L2TP > L2TP Config from the navigation tree.
The L2TP configuration page appears, as shown in Figure 386.
b. Select the box before Enable L2TP.
c. Click Apply.
Figure 386 Enabling L2TP

3. Modify the PPP authentication method of the ISP domain system:


a. On the L2TP configuration page, click Add to enter the L2TP group configuration page.
b. Select CHAP as the PPP authentication method.
c. Select ISP domain system (the default ISP domain).
d. Click the Modify button of the ISP domain.
The ISP domain modification page appears, as shown in Figure 387.
e. On the page, select the server type Local as the primary PPP authentication method.
f. Click Apply to return to the L2TP group configuration page.

Figure 387 Selecting local authentication for VPN users

4. Configure the address pool used to assign IP addresses to users:


a. On the L2TP group configuration page, click the Add button of the User Address parameter.
The IP address pool configuration page appears, as shown in Figure 388.
b. Select ISP domain system.
c. Enter 1 as the IP address pool number.
d. Enter the start IP address 192.168.0.2.
e. Enter the end IP address 192.168.0.100.
f. Click Apply to finish the IP address pool configuration and return to the L2TP group
configuration page.
Figure 388 Adding an IP address pool

5. Add an L2TP group:


Continue to perform the following configurations on the L2TP group configuration page, as shown
in Figure 389.
a. Enter the L2TP group name test.
b. Enter the peer tunnel name vpdnuser.
c. Enter the local tunnel name LNS.

d. Select Disable from the Tunnel Authentication list.
e. Enter 192.168.0.1/255.255.255.0 as the PPP server IP/mask.
f. Select pool1 from the User Address list.
g. Select Enable from the Assign Address Forcibly list.
h. Click Apply.

Figure 389 L2TP group configurations

Verifying the configuration


1. On the user host, initiate an L2TP connection to the LNS. The host will obtain an IP address
(192.168.0.2) and will be able to ping the private address of the LNS (192.168.0.1).
2. On the LNS, select VPN > L2TP > Tunnel Info from the navigation tree. Information about the
established L2TP tunnel should appear, as shown in Figure 390.
Figure 390 L2TP tunnel information
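The CHAP method selected for the L2TP group above never sends the password Hello across the link: the LNS issues a random challenge and the client answers with an MD5 hash over the identifier, the secret and the challenge (RFC 1994), which the LNS recomputes from its local user database. The following Python script is an added illustration of that exchange, not code from this guide or from the router software; the local user database, the identifier and the fixed challenge used in the tests are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed local-user database mirroring step 1 of the LNS configuration
# (username vpdnuser, password Hello). Not the router's own data store.
LOCAL_USERS = {"vpdnuser": "Hello"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode("utf-8") + challenge).digest()


def lns_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Local authentication on the LNS side: recompute the expected response from the
    stored password and compare it in constant time. The password itself never
    crosses the tunnel; only the challenge and the hashed response do."""
    secret = LOCAL_USERS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, client_secret: str, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> bool:
    """Simulate one challenge/response round between the VPN client and the LNS.
    The LNS picks a fresh random challenge unless one is supplied for reproducibility."""
    if challenge is None:
        # The challenger chooses the value; unpredictability is what defeats replay.
        challenge = os.urandom(16)
    # Client side: compute the response from the secret it was configured with.
    response = chap_response(identifier, client_secret, challenge)
    # LNS side: verify against the local user database.
    return lns_verify(username, identifier, challenge, response)


if __name__ == "__main__":
    print("correct password:", chap_exchange("vpdnuser", "Hello"))
    print("wrong password  :", chap_exchange("vpdnuser", "hello"))
    print("unknown user    :", chap_exchange("nobody", "Hello"))
```

Because the response depends on the identifier and the challenge as well as the secret, a captured response is useless for a later session with a different challenge, which is why CHAP is preferable to PAP on the L2TP group even though the tunnel itself carries no encryption.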

Configuring GRE

You can configure GRE over IPv4 tunnels through the Web interface.

Overview
Generic Routing Encapsulation (GRE) is a protocol designed for encapsulating and carrying the packets
of one network layer protocol (for example, IP or IPX) over another network layer protocol (for example,
IP). GRE is a tunneling technology and serves as a Layer 3 tunneling protocol.
A GRE tunnel is a virtual point-to-point connection for transferring encapsulated packets. Packets are
encapsulated at one end of the tunnel and de-encapsulated at the other end. Figure 391 depicts the
encapsulation and de-encapsulation processes.
Figure 391 X protocol networks interconnected through the GRE tunnel

For more information about GRE, see Layer 3—IP Services Configuration Guide in H3C MSR Series
Routers Configuration Guides (V5).

Configuring a GRE over IPv4 tunnel


Before you configure a GRE over IPv4 tunnel, configure an IP address for the interface (such as a VLAN
interface, an Ethernet interface, or a Loopback interface) to be used as the source interface of the tunnel
interface.

Recommended configuration procedure


1. Creating a GRE tunnel
   Required.
   Create a tunnel interface and configure GRE tunnel related parameters.
2. Configuring a route through the tunnel
   Optional.
   Each end of the tunnel must have a route (static or dynamic) through the tunnel to the other end, so
   that GRE encapsulated packets can be forwarded normally.
   For more information about route configuration, see "Configuring routes."

Creating a GRE tunnel


1. Select VPN > GRE from the navigation tree to enter the GRE tunnel configuration page, as shown
in Figure 392.

2. Click Add to add a GRE tunnel, as shown in Figure 393.
Figure 392 GRE tunnel configuration page

Figure 393 Adding a GRE tunnel

Table 164 Configuration items

Tunnel Interface: Specify the number of the tunnel interface.

IP/Mask: Specify the IP address and subnet mask of the tunnel interface.
  IMPORTANT: When configuring a static route on the tunnel interface, note that the destination IP
  address of the static route must not be in the subnet of the tunnel interface.

Tunnel Source IP/Interface, Tunnel Destination IP: Specify the source IP address and destination IP
  address for the tunnel interface.
  For the tunnel source address, you can input an IP address or select an interface. In the latter case,
  the primary IP address of the interface will be used as the tunnel source address.
  IMPORTANT: The source address and destination address of a tunnel uniquely identify a path. They
  must be configured at both ends of the tunnel, and the source address at one end must be the
  destination address at the other end and vice versa.

GRE Key: Specify the key for the GRE tunnel interface. This configuration prevents the tunnel ends
  from accepting packets that come from other sources.
  IMPORTANT: The two ends of a tunnel must have the same key, or both must have no key.

GRE Packet Checksum: Enable or disable the GRE packet checksum function.

Keepalive: Enable or disable the GRE keepalive function.
  With the GRE keepalive function enabled on a tunnel interface, the device sends GRE keepalive
  packets from the tunnel interface periodically. If no response is received from the peer within the
  specified interval, the device retransmits the keepalive packet. If the device still receives no response
  from the peer after sending the keepalive packet for the maximum number of attempts, the local tunnel
  interface goes down and stays down until it receives a keepalive acknowledgement packet from the
  peer.

Keepalive Interval, Number of Retries: Specify the interval between sending the keepalive packets and
  the maximum number of transmission attempts. These two configuration items are available only
  when you select Enable for the GRE keepalive function.
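To make the GRE Key and GRE Packet Checksum items concrete, the following Python script builds and parses the GRE header of RFC 2784 and RFC 2890 and applies the two receive-side checks the table describes: a packet whose key does not match the local configuration is dropped (both ends must carry the same key, or neither), and a packet whose checksum does not verify is dropped. It is an added example, not code from this guide or from the router; the payload bytes and key values in the tests are constructed. Note that the GRE key is a 32-bit tunnel identifier sent in clear, so it separates tunnels and rejects stray traffic but is not an authentication mechanism.

```python
import struct

# GRE flag bits in the first 16-bit word of the header (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000  # C bit: Checksum and Reserved1 fields are present
GRE_FLAG_KEY = 0x2000       # K bit: Key field is present
GRE_VERSION_MASK = 0x0007   # version must be 0 for GRE
ETHERTYPE_IPV4 = 0x0800     # protocol type of an IPv4 payload


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum: 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, key=None, checksum=False,
                    protocol=ETHERTYPE_IPV4) -> bytes:
    """Prepend a GRE header to payload. key and checksum correspond to the
    GRE Key and GRE Packet Checksum items of Table 164."""
    flags = 0
    key_field = b""
    if key is not None:
        flags |= GRE_FLAG_KEY
        key_field = struct.pack("!I", key)
    if not checksum:
        return struct.pack("!HH", flags, protocol) + key_field + payload
    flags |= GRE_FLAG_CHECKSUM
    # The checksum covers the GRE header (checksum field zeroed) and the payload.
    header = struct.pack("!HHHH", flags, protocol, 0, 0) + key_field
    csum = ones_complement_checksum(header + payload)
    header = struct.pack("!HHHH", flags, protocol, csum, 0) + key_field
    return header + payload


def gre_decapsulate(packet: bytes, expected_key=None):
    """Parse a GRE packet at the receiving tunnel end and return (protocol, payload).
    Raises ValueError where a tunnel end would drop the packet: unsupported version,
    checksum failure, or a key that does not match the local configuration."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(packet) < offset + 4:
            raise ValueError("truncated checksum field")
        # With the transmitted checksum included, the checksum of the whole packet is 0.
        if ones_complement_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        if len(packet) < offset + 4:
            raise ValueError("truncated key field")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    # Same key on both ends, or no key on both ends; anything else is dropped.
    if key != expected_key:
        raise ValueError("GRE key mismatch, packet dropped")
    return protocol, packet[offset:]


def is_dropped(packet: bytes, expected_key=None) -> bool:
    """True when the receiving end would discard the packet."""
    try:
        gre_decapsulate(packet, expected_key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    pkt = gre_encapsulate(b"\x45\x00" + b"A" * 18, key=1234, checksum=True)
    print(pkt.hex())
    print(gre_decapsulate(pkt, expected_key=1234))
    print("wrong key dropped:", is_dropped(pkt, expected_key=4321))
```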

GRE over IPv4 tunnel configuration example


Network requirements
As shown in Figure 394, Router A and Router B are interconnected through the Internet. Two private IP
subnets Group 1 and Group 2 are interconnected through a GRE tunnel between Router A and Router B.
Figure 394 Network diagram

Before the configuration, make sure Router A and Router B can reach each other.

Configuring Router A
1. Configure an IPv4 address for interface Ethernet 0/0:
a. Select Interface Setup > WAN Interface Setup from the navigation tree of Router A.

b. Click the icon for interface Ethernet 0/0.


The WAN parameter configuration page for the interface appears, as shown in Figure 395.
c. Select Manual for Connect Mode.
d. Enter IP address 10.1.1.1.
e. Select IP mask 24 (255.255.255.0).
f. Click Apply.

Figure 395 Configuring interface Ethernet 0/0

2. Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel:
a. Click the icon for interface Ethernet 0/1.
b. Select Manual for Connect Mode.
c. Enter IP address 1.1.1.1.
d. Select IP mask 24 (255.255.255.0).
e. Click Apply.

Figure 396 Configuring interface Ethernet 0/1

3. Create a GRE tunnel:


a. Select VPN > GRE from the navigation tree.
b. Click Add.
The Add Tunnel page appears, as shown in Figure 397.
c. Enter 0 in the Tunnel Interface field.
d. Enter IP address/mask 10.1.2.1/24.
e. Enter the source end IP address 1.1.1.1, the IP address of Ethernet 0/1.
f. Enter the destination end IP address 2.2.2.2, the IP address of Ethernet 0/1 on Router B.
g. Click Apply.

Figure 397 Setting up a GRE tunnel

4. Configure a static route from Router A through interface Tunnel0 to Group 2:


a. Select Advanced > Route Setup from the navigation tree.
b. Click the Create tab and then perform the configurations shown in Figure 398.
c. Enter 10.1.3.0 as the destination IP address.
d. Enter mask 24.
e. Select the box before Interface, and then select egress interface Tunnel0.
f. Click Apply.
Figure 398 Adding a static route from Router A through interface Tunnel 0 to Group 2

Configuring Router B
1. Configure an IPv4 address for interface Ethernet 0/0:
a. Select Interface Setup > WAN Interface Setup from the navigation tree.

b. Click the icon for interface Ethernet 0/0 and then perform the configurations shown
in Figure 399.

c. Select Manual for Connect Mode.
d. Enter IP address 10.1.3.1.
e. Select IP mask 24 (255.255.255.0).
f. Click Confirm.
Figure 399 Configuring interface Ethernet 0/0

2. Configure an IP address for interface Ethernet 0/1, the physical interface of the tunnel:
a. Click the icon for interface Ethernet 0/1 and then perform the configurations shown
in Figure 400.
b. Select Manual for Connect Mode.
c. Enter IP address 2.2.2.2.
d. Select IP mask 24 (255.255.255.0).
e. Click Confirm.

Figure 400 Configuring interface Ethernet 0/1

3. Create a GRE tunnel:


a. Select VPN > GRE from the navigation tree.
b. Click Add and then perform the configurations shown in Figure 401.
c. Enter 0 in the Tunnel Interface field.
d. Enter IP address/mask 10.1.2.2/24.
e. Enter the source end IP address 2.2.2.2, the IP address of Ethernet 0/1.
f. Enter the destination end IP address 1.1.1.1, the IP address of Ethernet 0/1 on Router A.
g. Click Apply.

Figure 401 Setting up a GRE tunnel

4. Configure a static route from Router B through interface Tunnel 0 to Group 1:


a. Select Advanced > Route Setup from the navigation tree.
b. Click the Create tab and then perform the configurations shown in Figure 402.
c. Enter 10.1.1.0 as the destination IP address.
d. Enter the mask length 24.
e. Select the box before Interface, and then select egress interface Tunnel0.
f. Click Apply.
Figure 402 Adding a static route from Router B through interface Tunnel 0 to Group 1

Verifying the configuration


1. On Router B, ping the IP address of Ethernet 0/0 of Router A:
a. Select Other > Diagnostic Tools from the navigation tree of Router B.
b. Click the Ping tab.
c. Enter the destination IP address 10.1.1.1.

d. Click Start.
e. View the result of the ping operation in the Summary area.

Figure 403 Verifying the configuration

SSL VPN overview

SSL VPN is a VPN technology based on SSL. It works between the transport layer and the application
layer. Using the certificate-based identity authentication, data encryption, and integrity verification
mechanisms that SSL provides, SSL VPN can establish secure connections for communications at the
application layer.
SSL VPN has been widely used for secure, remote Web-based access. For example, it can allow remote
users to access the corporate network securely. Figure 404 shows a typical SSL VPN network. On the SSL
VPN gateway, you can create resources to represent the resources on the servers in the internal network.
To access an internal server, a remote user first needs to establish an HTTPS connection with the SSL VPN
gateway and then select the resources to be accessed. The SSL VPN gateway forwards the resource
access request to the internal server. In the SSL VPN deployed network, the SSL VPN gateway establishes
an SSL connection to a remote user. By authenticating the user before allowing the user to access an
internal server, it protects the internal servers.
Figure 404 Network diagram for SSL VPN configuration

How SSL VPN works


SSL VPN works in the following manner:
1. The administrator logs in to the Web interface of the SSL VPN gateway, and then creates resources
to represent resources on the internal servers.
2. A remote user establishes an HTTPS connection to the SSL VPN gateway. The SSL VPN gateway
and the remote user authenticate each other by using the certificate-based authentication function
provided by SSL.
3. After establishing the HTTPS connection, the user can log in to the Web interface of the SSL VPN
gateway by entering the username and password and selecting the authentication method
(RADIUS authentication, for example). The SSL VPN gateway verifies the user information.
4. After logging in to the Web interface, the user finds the resources of interest on the Web interface
and then the user client sends an access request to the SSL VPN gateway through an SSL
connection.

5. The SSL VPN gateway resolves the request, interacts with the corresponding server, and then
forwards the server's reply to the user.

Advantages of SSL VPN


Support for various application protocols
SSL VPN can secure any application without the application being aware of it. SSL VPN classifies the
service resources provided by applications into three categories:
• Web proxy server resources—Web-based access enables users to establish HTTPS connections to
the SSL VPN gateway through a browser and thereby access the Web proxy server resources of the
servers.
• TCP application resources—TCP-based access allows users to use their applications to access the
open service ports of the server securely. Such resources include remote access services, desktop
sharing services, email services, and common application service resources.
• IP network resources—IP-based access allows user hosts to communicate with servers at Layer 3
securely, supporting all IP-based applications to communicate with the servers.

Simple deployment
SSL has been integrated into most browsers, such as IE. Almost every PC installed with a browser
supports SSL. To access Web-based resources, users only need to launch a browser that supports SSL.
When a user tries to access TCP-based or IP-based resources, the SSL VPN client software runs
automatically, without requiring any manual intervention.

Support for multiple authentication methods


In addition to the certificate authentication method provided by SSL, SSL VPN also supports the following
authentication methods, as well as any combination of two of them:
• Local authentication
• RADIUS authentication
• LDAP authentication
• AD authentication

Granular access control of network resources


On the SSL VPN gateway, you can configure multiple resources and users, add resources to resource
groups, add users to user groups, and assign resource groups to user groups. After a user logs in, the SSL
VPN gateway finds the user groups to which the user belongs, and checks the resource groups assigned
to the user groups to determine which resources to provide for the user.
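The user-to-resource resolution described in this paragraph (user, then user groups, then the resource groups assigned to those groups, then their resources) is easy to get wrong when a user belongs to several groups or when a denied account is still a member of a group. The following Python model is an added example of that resolution, not the router's data model or code; the resource and group names in the tests are constructed, while the defaults (resource groups autohome and autostart, local user guest in denied state, user group Guests with nothing assigned) follow the procedure table in the next chapter.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class UserGroup:
    members: Set[str] = field(default_factory=set)
    resource_groups: Set[str] = field(default_factory=set)


@dataclass
class SslVpnGateway:
    """Constructed model of the SSL VPN access-control relationships (not the
    router's own implementation)."""
    resource_groups: Dict[str, Set[str]] = field(
        default_factory=lambda: {"autohome": set(), "autostart": set()})
    user_groups: Dict[str, UserGroup] = field(
        default_factory=lambda: {"Guests": UserGroup()})
    local_users: Set[str] = field(default_factory=lambda: {"guest"})
    denied_users: Set[str] = field(default_factory=lambda: {"guest"})

    def add_resource(self, resource: str, resource_group: str) -> None:
        """Create a resource and place it in a resource group (created on demand)."""
        self.resource_groups.setdefault(resource_group, set()).add(resource)

    def add_user(self, username: str, *groups: str) -> None:
        """Create a local user and add it to user groups (created on demand)."""
        self.local_users.add(username)
        for group in groups:
            self.user_groups.setdefault(group, UserGroup()).members.add(username)

    def assign_resource_group(self, user_group: str, resource_group: str) -> None:
        """Let every member of user_group reach every resource in resource_group."""
        if resource_group not in self.resource_groups:
            raise KeyError("unknown resource group: " + resource_group)
        self.user_groups.setdefault(user_group, UserGroup()).resource_groups.add(resource_group)

    def can_log_in(self, username: str) -> bool:
        """Local authentication outcome for this model: the user must exist and not be denied."""
        return username in self.local_users and username not in self.denied_users

    def authorized_resources(self, username: str) -> Set[str]:
        """Resolve user -> user groups -> resource groups -> resources, which is what
        the gateway does after login. A user who cannot log in gets nothing, even if
        some group still lists the account as a member."""
        if not self.can_log_in(username):
            return set()
        allowed: Set[str] = set()
        for group in self.user_groups.values():
            if username in group.members:
                for rg in group.resource_groups:
                    allowed |= self.resource_groups.get(rg, set())
        return allowed


if __name__ == "__main__":
    gw = SslVpnGateway()
    gw.add_resource("intranet-web", "web-rg")
    gw.add_resource("jump-ssh", "admin-rg")
    gw.add_user("alice", "staff", "admins")
    gw.assign_resource_group("staff", "web-rg")
    gw.assign_resource_group("admins", "admin-rg")
    print(sorted(gw.authorized_resources("alice")))
```

The union over all of a user's groups is what makes group membership the effective privilege boundary: adding a user to an extra group, or assigning an extra resource group to a group, silently widens what that user can reach, so both operations deserve the same review as granting a firewall rule.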

Configuring SSL VPN gateway

To perform the configurations described in this chapter, log in to the Web interface of the router. The
default login address is http://192.168.1.1, username is admin, and password is admin.

Recommended configuration procedure


1. Configuring the SSL VPN service
   Required.
   Enable SSL VPN, and configure the port number for the SSL VPN service and the PKI domain to be
   used.
2. Configuring Web proxy server resources
3. Configuring TCP application resources
4. Configuring IP network resources
   Configure at least one type of resources.
   By default, no resources are configured.
5. Configuring a resource group
   Required.
   Configure a resource group and add resources to the resource group.
   By default, resource groups named autohome and autostart exist.
6. Configuring local users
   Required.
   Configure local SSL VPN users, that is, users that need to pass local authentication to log in to the
   SSL VPN system.
   By default, a local user named guest (without a password) exists, in denied state.
7. Configuring a user group
   Required.
   Configure a user group, add local users to the user group, and select the resource groups that the
   user group can access.
   By default, a user group named Guests exists, and no users or resource groups are assigned to it.
   IMPORTANT: You can also add a local user to existing user groups when creating the local user.
8. Viewing user information
   Optional.
   View the online user information and the history user information, and log out online users.
9. Performing basic configurations for the SSL VPN domain
   Optional.
   Configure the basic domain policy, caching policy, and bulletin information for an SSL VPN domain.
10. Configuring authentication policies
   Optional.
   Configure authentication methods and authentication parameters for an SSL VPN domain.
   IMPORTANT: Local authentication is always enabled. To use other authentication methods, you must
   manually enable them.
11. Configuring a security policy
   Optional.
   Configure the check items and protected resources for a security policy. Only user hosts that pass the
   security policy's check can access the configured resources.
   IMPORTANT: To perform security check for user hosts, you must also enable security check in the
   domain policy.
12. Customizing the SSL VPN user interface
   Optional.
   Customize service interfaces for SSL VPN users.

Configuring the SSL VPN service


Before you configure the SSL VPN service, go to Certificate Management to configure a PKI domain and
obtain a certificate for the SSL VPN gateway. Administrators and users use this certificate to authenticate
the SSL VPN gateway, so that they do not log in to an illegitimate SSL VPN gateway. For more information
about certificates, see "Managing certificates."
1. Select VPN > SSL VPN > Service Management from the navigation tree to enter the service
management page.
Figure 405 Service management

2. Configure the SSL VPN service information as described in Table 165.


3. Click Apply.
Table 165 Configuration items

Enable SSL VPN: Select the box before this item to enable the SSL VPN service.

Port: Specify the port for providing the SSL VPN service. The default port number is 443.

PKI Domain: Select a PKI domain for the SSL VPN service.

Configuring Web proxy server resources
Typically, Web servers provide services as webpages, and users get the information they want by clicking
the links on the pages. On the Internet, information exchanged between Web servers and users is
transmitted in plain text, so the HTTP data may be intercepted in transit. SSL VPN provides secure
connections for users to access Web servers, and can prevent unauthorized users from accessing the
protected Web servers.
1. Select VPN > SSL VPN > Resource Management > Web Proxy from the navigation tree. A page
that lists the Web proxy server resources appears.
Figure 406 Web proxy server resources list

2. Click Add to enter the page for adding a Web proxy server resource.
Figure 407 Adding a Web proxy server resource

3. Configure the Web proxy server resource as described in Table 166.


Table 166 Configuration items

Resource Name: Enter a name for the Web proxy server resource.
  The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their
  names.

Website Address: Specify the website address for providing Web services. It must start with http:// and
  end with /, for example, http://www.domain.com/web1/.
  The website address can be an IP address or a domain name. If you specify a domain name, make
  sure that you configure domain name resolution on Advanced > DNS Setup > DNS Configuration.

Default Page: Specify the home page to be displayed after an SSL VPN user logs in. For example,
  index.htm.

Website Matching Mode: Specify website matching patterns to determine which webpages a user can
  access through the website specified in the Website Address field.
  Website matching supports fuzzy match based on the wildcard *. Use vertical bars (|) to separate
  multiple matching patterns.
  Assume that you have specified a website address in the Website Address field. To allow access to
  specific webpages provided at the website, for example, the webpages www.domain1.com,
  www.domain2.com, www.domain2.org, and www.domain2.edu, you can specify
  www.domain1.com|www.domain2.* as the matching patterns.

Enable page protection: Select this box to enable page protection.
  With page protection enabled, a logged-in user cannot capture screenshots, save pages, or print
  pages.

4. Set whether to enable single login:


To enable single login, select the box before the Single login field to expand the configuration area
(as shown in Figure 408), and then configure the single login parameters as described in Table
167.
After you enable single login and configure single login parameters, when a user accesses the
resource through the SSL VPN service interface, the user is redirected to the specified website if the
user's username and password for accessing the website are the same as those for logging in to
the SSL VPN service interface.
5. Click Apply.
Figure 408 Configuring single login

Table 167 Configuration items

Use IP network: Select this box to allow IP access to the resource.
  If you select this item, you must configure an IP network resource for the website and associate the IP
  network resource with the relevant users. When such a user accesses the website from the SSL VPN
  Web interface, the system logs the user in to the website automatically through the IP network
  resource.
  If you do not select this item, users access the resource through the Web proxy server.

Login Request Path:
  • When you select the IP network mode, this item specifies the path that the system submits during
    single login. If you leave this field blank, the system uses the address that is specified in the Website
    Address field.
  • When the IP network mode is not selected, this item specifies the relative path of the Web proxy
    website. If you leave this field blank, the SSL VPN system uses the default page specified in the
    Default Page field.

Username Parameter Name: Specify the username parameter name that the system submits during
  automatic login.

Password Parameter Name: Specify the password parameter name that the system submits during
  automatic login.

Other parameters: Specify the other parameters for the system to submit during automatic login.
  To add a parameter other than the username and password, click Add, enter the parameter name and
  parameter value on the popup page, and click Apply.

Another way to configure the single login function is as follows:


6. Click the icon of a resource on the Web proxy server resource list, as shown in Figure 406.
7. Enter a username and a password (the password must be different from the username) on the
popup page, and click Apply.
The login page for the website in the resource pops up.
8. Enter the username and password again and log in.
A message will tell you that the single login function is configured successfully.
During this process, the system automatically gets the username parameter name and the password
parameter name. When the website login page requires parameters other than the username and
password, you cannot configure single login in this method.
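The Website Matching Mode field of Table 166 decides which pages the Web proxy will forward, so its semantics matter: only * is a wildcard, patterns are separated by |, and the guide's own example (www.domain1.com|www.domain2.*) is the reference case. The Python script below is an added example of such a matcher, not the router's implementation; it assumes the patterns are compared against the hostname of the requested page, and the request URLs it is tested with are constructed.

```python
import re
from typing import List, Pattern
from urllib.parse import urlsplit


def compile_matching_patterns(matching_mode: str) -> List[Pattern]:
    """Turn a Website Matching Mode string such as 'www.domain1.com|www.domain2.*'
    into anchored, case-insensitive regular expressions. Only * is a wildcard;
    every other character (including . and ?) is matched literally."""
    compiled = []
    for pattern in matching_mode.split("|"):
        pattern = pattern.strip()
        if not pattern:
            continue
        regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
        # Anchoring both ends is what keeps 'www.domain2.*' from matching
        # 'evil-www.domain2.example' by substring.
        compiled.append(re.compile(r"\A" + regex + r"\Z", re.IGNORECASE))
    return compiled


def host_matches(host: str, compiled: List[Pattern]) -> bool:
    """True when the hostname satisfies at least one matching pattern."""
    return any(r.match(host) is not None for r in compiled)


def proxy_decision(url: str, website_address: str, matching_mode: str) -> bool:
    """Decide whether a Web proxy resource configured with website_address and
    matching_mode would forward a request for url. Assumption for this example:
    with no patterns, only the configured website's own host is reachable; with
    patterns, the request host must match one of them."""
    host = (urlsplit(url).hostname or "").lower()
    compiled = compile_matching_patterns(matching_mode)
    if not compiled:
        return host == (urlsplit(website_address).hostname or "").lower()
    return host_matches(host, compiled)


if __name__ == "__main__":
    mode = "www.domain1.com|www.domain2.*"
    for u in ("http://www.domain2.edu/a.htm", "http://intranet.domain1.com/",
              "http://evil-www.domain2.example/"):
        print(u, "->", proxy_decision(u, "http://www.domain1.com/web1/", mode))
```

A trailing * matches any suffix, including additional labels after the one you intended, so keep each pattern as specific as the required webpages allow and review the list whenever a resource is added to a resource group.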

Configuring TCP application resources


You can configure the following types of TCP application resources:
• Remote access service resources
• Desktop sharing service resources
• Email service resources
• Notes mail service resources
• Common TCP service resources

Configuring a remote access service resource
The remote access service includes remote character terminal services (such as Telnet and SSH) and
traditional terminal services (such as IBM3270). These services each simulate a server's terminal window
on a local host through which you can control a remote host as if you were sitting before it. Between the
local and remote hosts, data is transmitted in plain text over the Internet. To ensure the security of data
transmission, SSL VPN uses the SSL encryption technology to encrypt service data.
1. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
The Remote Access Service page appears.
Figure 409 Remote access service resource list

2. Click Add to enter the page for adding a remote access service.
Figure 410 Adding a remote access service

3. Configure the remote access service as described in Table 168.


4. Click Apply.
Table 168 Configuration items

Resource Name: Enter a name for the remote access service resource.
  The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their
  names.
  IMPORTANT: If you do not configure the command for Command, H3C recommends including the
  resource type, local address, and local port in the resource name so that users can view the desired
  information after they log in to the SSL VPN system.

Remote Host: Specify the host name or IP address of the remote host that provides the remote access
  service.

Remote Port: Specify the port number that the remote host uses for the remote access service.

Local Host: Specify a loopback address or a character string that represents a loopback address.

Local Port: Specify the port number that the local host uses for the remote access service. H3C
  recommends using a port number greater than 1024 that is rarely used.

Command: Configure the Windows command for the resource.
  After you configure the command, users can start the related application to access the remote server
  by clicking the resource name on the SSL VPN service interface.
  For example, you can configure the command for a Telnet service in the format telnet <local address>
  <local port>, such as telnet 127.0.0.1 2300. If you specified the default port number of the remote
  access service as the local port number, you can omit the local port in the command.

Configuring a desktop sharing service resource


Desktop sharing, or remote desktop, allows users to access sessions on a remote host from a local host.
With desktop sharing, you can connect from home to the computer in your office and access all of its
applications, files, and network resources as if you were sitting at that computer. Common desktop
sharing services include Windows remote desktop, Virtual Network Computing (VNC) desktop sharing,
and Citrix desktop sharing. For some desktop sharing applications, data is transmitted in plain text and
can be easily intercepted. SSL VPN can encrypt the data to ensure data security.
1. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2. Click the Desktop Sharing Service tab to view existing desktop sharing services.
Figure 411 Desktop sharing services

3. Click Add to enter the page for adding a desktop sharing service.
Figure 412 Adding a desktop sharing service resource

4. Configure the desktop sharing service as described in Table 169.
5. Click Apply.
Table 169 Configuration items

Resource Name: Enter a name for the desktop sharing service resource.
  The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their
  names.
  IMPORTANT: If you do not configure the command for Command, H3C recommends including the
  resource type, local address, and local port in the resource name so that users can view the desired
  information after they log in to the SSL VPN system.

Remote Host: Specify the host name or IP address of the remote host that provides the desktop sharing
  service.

Remote Port: Specify the port number that the remote host uses for the desktop sharing service.

Local Host: Specify a loopback address or a character string that represents a loopback address.

Local Port: Specify the port number that the local host uses for the remote access service. H3C
  recommends using a port number greater than 1024 that is rarely used.

Command: Configure the Windows command for the resource.
  For example, you can configure the command for a Windows desktop sharing service in the format
  mstsc /v <local address> <local port>, such as mstsc /v 127.0.0.2 20000. If you specified the default
  port number of the desktop sharing service as the local port number, you can omit the local port in the
  command.

Configuring an email service resource


The email service is widely used to exchange texts and graphics over the network. Generally, emails are
transmitted in plain text on the network. Users can encrypt emails to protect the content of emails, but this
method cannot ensure transmission security. SSL VPN can ensure the transmission security of emails.
For an email service, you must configure at least two resources: a receiving server and a sending server.
1. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2. Click the Email Service tab to view existing email services.
Figure 413 Email services

3. Click Add to enter the page for adding an email service.

Figure 414 Adding an email service resource

4. Configure the email service resource as described in Table 170.


5. Click Apply.
Table 170 Configuration items

Resource Name: Enter a name for the email service resource.
  The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their
  names.
  IMPORTANT: If you do not configure the command for Command, H3C recommends including the
  resource type, local address, and local port in the resource name so that users can view the desired
  information after they log in to the SSL VPN system.

Service Type: Select an email service type, which can be POP3, IMAP, or SMTP.

Remote Host: Enter the host name or IP address of the email server.

Remote Port: Enter the service port number of the email server.

Local Address: Enter a loopback address or a character string that represents a loopback address.

Local Port: Enter the local port number. It must be the default port number for the email service of the
  specified type.

Command: Configure the Windows command for the resource.
  Users must manually start the email service application. You do not need to configure this item.

Configuring a Notes service resource


Notes, a platform for implementing office automation, provides email services in a client/server model.
SSL VPN can improve the security of Notes mail services. Hereafter, the term Notes service refers to
Notes mail services.
1. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2. Click the Notes Service tab to view existing notes services.

Figure 415 Notes services

3. Click Add to enter the page for adding a Notes service.


Figure 416 Adding a Notes service resource

4. Configure the Notes service resource as described in Table 171.


5. Click Apply.
Table 171 Configuration items

Resource Name: Enter a name for the Notes service resource.
  The resource name must be unique in the SSL VPN system. Resources are uniquely identified by their
  names.
  IMPORTANT: If you do not configure the command for Command, H3C recommends including the
  resource type, local address, and local port in the resource name so that users can view the desired
  information after they log in to the SSL VPN system.

Remote Host: Enter the host name or IP address of the Notes mail server.

Remote Port: Enter the service port number of the Notes mail server.

Local Host: Enter a loopback address or a character string that represents a loopback address.
  IMPORTANT: The local host character string must be the same as the mail server name in the Notes
  application. Otherwise, the Notes service resource cannot be used normally.

Local Port: Enter the local port number. It must be the default port number of the Notes service.

Command: Configure the command for the resource.
  Users must manually start the Notes service application. You do not need to configure this item.

Configuring a common TCP service resource
The common TCP service of SSL VPN is designed to support various client/server applications. It is
widely used to access client/server TCP applications other than the previously mentioned ones.
Generally, you can configure all network ports that are possibly used by applications in common TCP
services. To access an application provided by a common TCP service, a user only needs to configure the
corresponding IP address and port number listed on the common TCP service page as the access
address and port number for the application.
1. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
2. Click the TCP Service tab to view existing TCP services.
Figure 417 TCP services

3. Click Add to enter the page for adding a common TCP service.
Figure 418 Adding a TCP service resource

4. Configure the common TCP service as described in Table 172.


5. Click Apply.
Table 172 Configuration items

Resource Name: Enter a name for the common TCP service resource. The resource name must be unique in the SSL VPN system; resources are identified by their names.
IMPORTANT:
If you do not configure a command in the Command field, H3C recommends including the resource type, local address, and local port in the resource name so that users can see the information they need after they log in to the SSL VPN system.
Service Type: Enter the type of the TCP service.
Remote Host: Enter the host name or IP address of the remote host that provides the common TCP service.
Remote Port: Enter the port number that the remote host uses for the common TCP service.
Local Host: Enter a loopback address or a character string that represents a loopback address. This is the address to which users point their client application.
Local Port: Enter the port number that the local host uses for the common TCP service.
Command: Configure the Windows command for the resource.
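As an added example (not code from the H3C guide), the following Python script checks a set of common TCP service definitions against the rules above before they are entered on the TCP Service page: unique resource names, a loopback Local Host, valid port numbers, and no two resources sharing the same Local Host and Local Port, since that pair is the endpoint a user's application is pointed at. The `TcpService` class, the `lint_tcp_services` function and the sample resources are constructed for this example. The host name check is syntax only, because the guide does not say how the client maps a name string to a loopback address, and the "put the address and port in the name" warning is a heuristic reading of the recommendation in Table 172.

```python
"""Added example (not from the H3C guide): lint common TCP service resource
definitions against the rules on the TCP Service page before applying them."""
import ipaddress
import re
from dataclasses import dataclass

# DNS-label syntax; used only when Local Host is not an IP literal.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


@dataclass(frozen=True)
class TcpService:
    """One row of Table 172 (class constructed for this example)."""
    name: str
    service_type: str
    remote_host: str
    remote_port: int
    local_host: str
    local_port: int
    command: str = ""


def is_loopback_host(value):
    """True for an address in 127.0.0.0/8, or for a syntactically valid host
    name (the guide allows 'a character string that represents a loopback
    address' but does not say how the client maps it, so only syntax is checked)."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def lint_tcp_services(services):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    names = set()
    endpoints = {}  # (local_host, local_port) -> resource name that claimed it
    for svc in services:
        if svc.name in names:
            problems.append(f"{svc.name}: duplicate resource name")
        names.add(svc.name)
        if not is_loopback_host(svc.local_host):
            problems.append(f"{svc.name}: local host {svc.local_host!r} is not a loopback address")
        for label, port in (("local", svc.local_port), ("remote", svc.remote_port)):
            if not 1 <= port <= 65535:
                problems.append(f"{svc.name}: {label} port {port} is out of range")
        endpoint = (svc.local_host, svc.local_port)
        if endpoint in endpoints:
            problems.append(f"{svc.name}: local endpoint {svc.local_host}:{svc.local_port} "
                            f"is already used by {endpoints[endpoint]}")
        else:
            endpoints[endpoint] = svc.name
        # Without a Command, the name is the only hint users get, so the guide
        # recommends putting the type, local address and local port in it
        # (heuristic check, constructed for this example).
        if not svc.command and (svc.local_host not in svc.name
                                or str(svc.local_port) not in svc.name):
            problems.append(f"{svc.name}: no command configured; put the type, "
                            f"local address and local port in the resource name")
    return problems


# Constructed sample: one clean entry, one endpoint collision, one non-loopback host.
SAMPLE = [
    TcpService("telnet-127.0.0.2-23", "telnet", "10.1.1.5", 23, "127.0.0.2", 23),
    TcpService("ssh-127.0.0.2-23", "ssh", "10.1.1.6", 22, "127.0.0.2", 23),
    TcpService("rdp", "rdp", "10.1.1.7", 3389, "192.168.1.1", 3389),
]

if __name__ == "__main__":
    for problem in lint_tcp_services(SAMPLE):
        print(problem)
```

Run it on the sample and it reports three problems: the second resource reuses 127.0.0.2:23, and the third neither uses a loopback address nor carries its address and port in the name.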

Configuring IP network resources


The SSL VPN IP network access service supports all applications that operate at the IP layer and above, providing secure communication between users and servers. Users do not need to know the application types or configurations. After they log in to the SSL VPN service interface, the ActiveX SSL VPN client is downloaded and started automatically, and the users can securely access the authorized services of the permitted hosts.

Recommended configuration procedure

1. Configuring global parameters (required): Configure the global parameters for IP network resources, such as the address pool, gateway address, timeout, WINS server, and DNS server.
2. Configuring host resources (required): Configure the host resources that users can access from the IP networks list of the SSL VPN interface.
3. Configuring a user-IP binding (optional): Bind users to IP addresses. When a user who is bound to an IP address accesses an IP network resource, the system assigns the bound address to the user's virtual network adapter instead of an address from the global IP pool.
4. Configuring a predefined domain name (optional): With a predefined domain name configured, the gateway sends the mapping between the domain name and its IP address to clients. When a client accesses the domain, it uses that IP address directly, and no DNS resolution is needed.

Configuring global parameters


1. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree. The Global
Configuration tab appears.

Figure 419 Global configuration page

2. Configure the global parameters as described in Table 173.


3. Click Apply.
Table 173 Configuration items

Start IP / End IP: Specify the IP address pool from which the gateway assigns IP addresses to clients' virtual network adapters.
Subnet Mask: Enter the subnet mask to be assigned to a client's virtual network adapter.
Gateway IP: Enter the default gateway IP address to be assigned to a client's virtual network adapter.
Timeout: Set an idle timeout for client connections. If the gateway does not receive any packet from a client during this period, the gateway disconnects the client.
WINS Server IP: Enter the WINS server IP addresses to be assigned to clients' virtual network adapters.
DNS Server IP: Enter the DNS server IP addresses to be assigned to clients' virtual network adapters.
Allow clients to intercommunicate: Select this item to allow IP access between online users. Leave it cleared unless clients really need to reach each other; enabling it lets one compromised client reach every other connected host directly.
Permit only access to VPN: Select this item to allow online users to access only the VPN. If you do not select this item, online users can access both the VPN and the Internet at the same time (split tunneling), so the client host bridges the two networks while it is connected.
Show Network Services by: Specify how network services are displayed to online users.
• Description: Shows the description of the network services that host resources allow users to access.
• IP address: Shows the destination address, subnet mask, and protocol type of the network services that host resources allow users to access.

Configuring host resources


1. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
2. Click the Host Configuration tab to view existing host resources.

Figure 420 Host configuration

3. Click Add to enter the page for adding a host resource.


Figure 421 Adding a host resource

4. Enter a name for the host resource.


5. Click the Add button under the network services list to enter the page for adding a network service.
Figure 422 Adding an available network service

6. Add a network service that the host resource provides for users, as described in Table 174.
Table 174 Configuration items

Destination IP: Enter the destination address of the network service.
Subnet Mask: Enter the subnet mask of the network service.
Protocol: Specify the protocol type of the network service: IP, TCP, or UDP.
Description: Enter a description for the network service.
IMPORTANT:
If you have configured the system to show network services by description, H3C recommends that you include the network information (subnet IP/mask) of the network service in the description so that users can see the information they need after they log in to the SSL VPN system.

7. Click Apply to add the network service to the network service list.
8. Repeat steps 5 to 7 to add multiple network services.
9. Click the Add button under the shortcuts list to enter the page for adding a network service shortcut.
Figure 423 Adding a network service shortcut

10. Enter a name for the shortcut and specify the Windows command of the shortcut.
11. Click Apply to add the shortcut to the shortcut list.
12. Repeat steps 9 to 11 to add multiple shortcuts.
13. Click Apply at the bottom of the Add Host Resource page.

Configuring a user-IP binding


1. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
2. Click the User-IP Binding tab to view existing user-IP bindings.
Figure 424 User-IP bindings

3. Click Add to enter the page for adding a user-IP binding.
Figure 425 Adding a user-IP binding

4. Configure the user-IP binding as described in Table 175.


5. Click Apply.
Table 175 Configuration items

Username: Specify the username to be bound to an IP address. The username must include the domain name, for example, aaa@local.
IP Address: Specify the IP address to be bound to the username. The IP address must be in the same network segment as the global IP address pool, and must be neither the gateway address nor an address in the global IP pool.
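The constraints on the address pool in Table 173 and on user-IP bindings in Table 175 are easy to get wrong by hand. As an added example, not part of the guide, this Python code checks a set of global parameters and bindings against them: every address lies in the segment implied by Start IP and Subnet Mask, a bound address is neither the gateway nor inside the pool, and usernames carry a domain. The `IpPool` class, the check functions and the addresses are constructed for this example; the checks that the gateway is not inside the pool and that two users are not bound to one address are additions the guide does not state.

```python
"""Added example (not from the H3C guide): validate IP network global
parameters (Table 173) and user-IP bindings (Table 175) before applying them."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpPool:
    """Global parameters that matter for bindings (class constructed for this example)."""
    start: str
    end: str
    mask: str
    gateway: str

    def network(self):
        # The network segment is the one implied by Start IP and Subnet Mask;
        # strict=False lets ip_network drop the host bits of Start IP.
        return ipaddress.ip_network(f"{self.start}/{self.mask}", strict=False)

    def bounds(self):
        return ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)


def check_pool(pool):
    """Problems with the global parameters themselves."""
    problems = []
    net = pool.network()
    start, end = pool.bounds()
    gateway = ipaddress.ip_address(pool.gateway)
    if start > end:
        problems.append("Start IP is greater than End IP")
    for label, addr in (("Start IP", start), ("End IP", end), ("Gateway IP", gateway)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address of {net}")
    # Added check, not stated in the guide: a gateway inside the pool would be
    # handed out to a client as its own virtual adapter address.
    if start <= gateway <= end:
        problems.append(f"Gateway IP {gateway} lies inside the pool {start}-{end}")
    return problems


def check_binding(pool, username, ip):
    """Problems with one user-IP binding, per Table 175."""
    problems = []
    if "@" not in username:
        problems.append(f"{username}: username must include the domain name, for example aaa@local")
    addr = ipaddress.ip_address(ip)
    net = pool.network()
    start, end = pool.bounds()
    if addr not in net:
        problems.append(f"{username}: {addr} is not in the pool's network segment {net}")
    if addr == ipaddress.ip_address(pool.gateway):
        problems.append(f"{username}: {addr} is the gateway address")
    if start <= addr <= end:
        problems.append(f"{username}: {addr} lies inside the global pool {start}-{end}")
    return problems


def check_bindings(pool, bindings):
    """Check every binding in a {username: ip} mapping. Flagging two users bound
    to one address is an added check; the guide does not state it."""
    problems = []
    owner = {}
    for username, ip in bindings.items():
        problems.extend(check_binding(pool, username, ip))
        if ip in owner:
            problems.append(f"{username}: {ip} is already bound to {owner[ip]}")
        else:
            owner[ip] = username
    return problems


# Constructed sample: a /24 pool and five bindings, only the first of which is valid.
POOL = IpPool(start="10.8.0.10", end="10.8.0.100", mask="255.255.255.0", gateway="10.8.0.1")
BINDINGS = {
    "alice@local": "10.8.0.200",  # same segment, outside the pool, not the gateway
    "bob": "10.8.0.50",           # no domain in the username, and inside the pool
    "carol@local": "10.8.0.1",    # the gateway address
    "dave@local": "10.9.0.5",     # another segment
    "erin@local": "10.8.0.200",   # already bound to alice
}

if __name__ == "__main__":
    for problem in check_pool(POOL) + check_bindings(POOL, BINDINGS):
        print(problem)
```

The sample pool itself is clean; the bindings produce five findings (two for bob, one each for carol, dave and erin).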

Configuring a predefined domain name


1. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
2. Click the Predefined Domain Name tab to view existing predefined domain names.
Figure 426 Predefined domain names

3. Click Add to enter the page for adding a predefined domain name.
Figure 427 Adding a predefined domain name

4. Configure the predefined domain name as described in Table 176.


5. Click Apply.
Table 176 Configuration items

Domain Name: Enter a domain name to be issued to clients.
IP Setting Method: Select the IP setting method, Dynamic or Static.
• Dynamic: To use this method, you also need to navigate to Advanced > DNS Setup > DNS Configuration to configure domain name resolution. The gateway first resolves the domain name to get an IP address and then issues the IP address to clients.
• Static: To use this method, you must specify an IP address in the next field. The gateway issues the domain name-IP address mapping to clients.
IP: Specify an IP address for the domain name when the IP setting method is Static. When the IP setting method is Dynamic, this setting does not take effect.

Configuring a resource group


1. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree. The
Resource Group page appears.
Figure 428 Resource groups

2. Click Add to enter the page for adding a resource group.

Figure 429 Adding a resource group

3. Configure the resource group as described in Table 177.


4. Click Apply.
Table 177 Configuration items

Resource Group Name: Enter a name for the resource group.
Selected Resources / Available Resources: Specify the resources that belong to the resource group.

Configuring local users
Configure SSL VPN users for local authentication by using either of the following methods:
• Configure local users one by one in the SSL VPN system. With this method, you can configure all parameters for a user at the same time, including the username, password, the certificate and MAC addresses to be bound, public account settings, user status, and user groups.
• Write the user information to a text file, and then import the users into the SSL VPN system. Users imported this way contain only the username and password, with the user status set to Permitted. You can configure more parameters for an imported user by modifying the user's information.

Adding a local user manually


1. Select VPN > SSL VPN > User Management > Local User from the navigation tree. The local user
list appears.
Figure 430 Local users

2. Click Add to enter the page for adding a local user.

Figure 431 Adding a local user

3. Configure the local user information as described in Table 178.


4. Click Apply.
Table 178 Configuration items

Username: Enter a name for the local user.
Description: Enter a description for the local user.
Password / Confirm Password: Specify a password for the local user and enter it again to confirm it.
Certificate SN: Specify the serial number of the local user's certificate. The certificate serial number is used for identity authentication of the local user.
Enable public account: Select this item to set the local user account as a public account. A public account can be used concurrently by multiple users to log in to the SSL VPN system. If you do not select this item, only one user can use the account to log in to the SSL VPN system at a time. Because a public account is shared, its logins cannot be attributed to an individual person; give it only the resource groups you would expose to anyone holding the password.
Max Number of Users: Set the maximum number of concurrent users that can log in to the SSL VPN system with the public account.
User Status: Select a user status: Permitted, Permitted When Valid, or Denied.
Expiry Date: Set the expiry date for the user when the user status is Permitted When Valid.
MAC Address: Specify the MAC addresses to be bound to the username. The MAC addresses are used for user identity authentication. The MAC address is reported by the client software and can be spoofed, so treat it as a weak supplementary check rather than a credential.
Enable MAC address learning: Select this item to enable MAC address learning. With this function enabled, when a user logs in with this account, the SSL VPN system automatically learns the MAC address of the user host and records it for the account. The SSL VPN can record up to three MAC addresses for an account. Recorded MAC addresses remain effective after you disable MAC address learning.
IMPORTANT:
For MAC address binding and MAC address learning to take effect, you must also enable the MAC address binding function in the domain policy (see "Configuring the domain policy").
Selected User Groups / Available User Groups: Specify the user groups to which the local user belongs.

Importing local users in bulk


1. Select VPN > SSL VPN > User Management > Batch Import from the navigation tree.
The batch import page appears.
2. Click Browse to locate the local file that saves the user information.
3. Set whether to directly overwrite the file with the same name on the device.
4. Click Apply to import local users from the file into the SSL VPN.

Figure 432 Batch import of local users

Configuring a user group


1. Select VPN > SSL VPN > User Management > User Group from the navigation tree.
The user group list page appears.
Figure 433 User groups

2. Click Add to add a user group.

Figure 434 Adding a user group

3. Configure the user group as described in Table 179.


4. Click Apply.
Table 179 Configuration items

User Group Name: Enter a name for the user group.
Selected Resource Groups / Available Resource Groups: Select resource groups for the user group. Users in the user group can access the resources in the selected resource groups.
Selected Local Users / Available Local Users: Select local users for the user group.

Viewing user information
Viewing online user information
1. Select VPN > SSL VPN > User Management > User Information from the navigation tree.
The Online Users tab appears, displaying the information of the current online users.
Figure 435 Online users

2. View information of the online users.


Table 180 Field description

Login Time: Time when the user logged in to the SSL VPN system.
Username: Username of the user, including the domain name.
IP Address: IP address of the user host.

Logging out an online user


1. Select VPN > SSL VPN > User Management > User Information from the navigation tree. The Online Users tab appears, as shown in Figure 435.
2. Select the box before a user.
3. Click the Log Out button.
4. Click OK in the confirmation dialog box that appears.

To log out a user, you can also click the log-out icon for the user.

Viewing history user information


1. Select VPN > SSL VPN > User Management > User Information from the navigation tree.
2. Click the History Information tab.
The tab displays the historical maximum number of concurrent users and the historical maximum number of concurrent connections.

Figure 436 History information

Performing basic configurations for the SSL VPN domain
Configure a domain policy, caching policy, and a bulletin:
• Domain policy—Defines the common parameters and functions for the SSL VPN domain.
• Caching policy—Specifies which cached contents to clear from user hosts when users log out from
the SSL VPN system.
• Bulletin management—Allows you to provide different information to different users.

Configuring the domain policy


1. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree. The
Domain Policy tab appears.
Figure 437 Domain policy

2. Configure the domain policy as described in Table 181.


3. Click Apply.

Table 181 Configuration items

Enable security check: Select this item to enable security check. With security check enabled, the SSL VPN system checks the user host against the security policy and decides, according to the result, whether to allow the user to access resources.
IMPORTANT:
To implement user host security check, you must also configure the security policy. See "Configuring a security policy."
Use verification code: Select this item to use verification codes. After you select this item, users must enter the correct verification code to log in to the SSL VPN system.
Enable separate client: Select this item to enable the separate client function. After a user logs in to the SSL VPN, the SSL VPN client runs automatically. With separate client enabled, the system closes the SSL VPN Web interface automatically, leaving only the client software running.
Enable MAC address binding: Select this item to enable MAC address binding. With MAC address binding enabled, the SSL VPN system obtains the MAC address of a user when the user logs in, for user identity authentication or MAC address learning.
Enable automatic login: Select this item to enable automatic login. With automatic login enabled, when a user opens the SSL VPN login page, the system automatically logs the user in by using the guest account or the certificate account, depending on the authentication mode of the default authentication method:
• When the authentication mode is password, the system uses the guest account for automatic login.
• When the authentication mode is certificate, the system uses the username carried in the client certificate for automatic login.
• When the authentication mode is password+certificate, the system uses the guest account for automatic login and requires that the user have the client certificate for the guest account.
In password mode, anyone who can reach the login page is logged in as guest, so give the guest account only the resources you intend to be reachable without credentials.
User Timeout: Set an idle timeout for users. If a logged-in user performs no operation during this period, the system logs the user out.
Default Authentication Method: Select the default authentication method used on the SSL VPN login page.
IMPORTANT:
To specify an authentication method other than local authentication as the default authentication method, you must also enable that authentication method (see "Configuring authentication policies").
Certificate's Username Field: Select the certificate field to be used as the username when the authentication mode is certificate. Options are the Common-Name field and the Email-Address field.
Verify Code Timeout: Set a timeout for the verification code displayed on the SSL VPN login page. If a user does not enter the displayed verification code within this period, the code becomes invalid. The user can refresh the login page to get a new verification code.

Configuring the caching policy
1. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
2. Click the Caching Policy tab. The caching policy configuration page appears, as shown in Figure 438.
3. Select the operations to be performed on a user host when the user logs out:
• Clear cached webpages.
• Clear cookies.
• Clear downloaded programs. Downloaded programs are the SSL VPN client software that was automatically downloaded and run when the user logged in to the SSL VPN system.
• Clear configuration files. Configuration files are the configuration file that was automatically saved when a user changed the settings of the SSL VPN client software, if any.
4. Click Apply.
Figure 438 Caching policy

Configuring a bulletin
1. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
2. Click the Bulletin Management tab.
The bulletin management page appears.
Figure 439 Bulletin management

3. Click Add to add a new bulletin.

Figure 440 Adding a bulletin

4. Configure the bulletin settings as described in Table 182.


5. Click Apply.
Table 182 Configuration items

Title: Enter a name for the bulletin.
Content: Enter the contents of the bulletin.
Selected User Groups / Available User Groups: Select the user groups that can view the bulletin.

Configuring authentication policies


SSL VPN supports local authentication, RADIUS authentication, LDAP authentication, AD authentication, and combined authentication using any two of those four methods.
Local, LDAP, and AD authentication each support three authentication modes:
• Password—Authenticates only a user's password.
• Password+Certificate—Authenticates a user's password and client certificate.
• Certificate—Authenticates only a user's client certificate.
RADIUS authentication supports only two authentication modes: password and password+certificate.

Configuring local authentication


Local authentication authenticates users by using the user information saved on the SSL VPN gateway.
This authentication method is the fastest because user information is locally saved, and the SSL VPN
gateway does not need to exchange information with an external authentication server. However, the
number of local users is limited by the capacity of the SSL VPN gateway.
1. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
The Local Authentication tab appears.
Figure 441 Local authentication

2. Select an authentication mode for local authentication. Options include Password, Password+Certificate, and Certificate.
3. Click Apply.

Configuring RADIUS authentication


The RADIUS protocol is a distributed, client/server mode information exchange protocol for protecting
networks against unauthorized access. It is usually deployed in networks that require secure remote
access. The SSL VPN system can cooperate with the existing RADIUS server of an enterprise seamlessly
to provide RADIUS authentication. Users in the enterprise can use their original accounts for RADIUS
authentication through SSL VPN.
To enable RADIUS authentication in the SSL VPN system, navigate to Advanced > RADIUS page to
configure a RADIUS scheme named system. For more configuration information, see "Configuring
RADIUS."
For successful RADIUS authentication of a user, you must also configure the account information and the
user group attribute information for the user on the RADIUS authentication server, and make sure that the
user groups configured on the RADIUS authentication server exist on the SSL VPN gateway. Otherwise,
the user cannot log in. The number of user groups that the gateway supports for a user has a limit. Make
sure the number of user groups specified for a user on the authentication server is equal to or less than
the limit.
1. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2. Click the RADIUS Authentication tab to enter the RADIUS authentication configuration page.

Figure 442 RADIUS authentication

3. Configure the RADIUS authentication settings as described in Table 183.


4. Click Apply.
Table 183 Configuration items

Enable RADIUS authentication: Select this item to enable RADIUS authentication.
Authentication Mode: Select an authentication mode for RADIUS authentication. Options include Password and Password+Certificate.
Enable RADIUS accounting: Select this item to enable RADIUS accounting.
Upload virtual address: With this item selected, the system sends the IP address of the client's virtual network adapter to the RADIUS server after RADIUS accounting succeeds.

Configuring LDAP authentication


LDAP is a cross-platform, standard directory service protocol that runs over TCP/IP. It was derived from X.500 but is better suited to reading, browsing, and searching data. LDAP suits data that does not change often; a typical use is to store a system's user information. For example, Microsoft Windows uses an Active Directory server to store user and user group information and provides LDAP-based authentication and authorization for Windows users. The SSL VPN system can cooperate with an LDAP server to authenticate users and obtain their resource access rights.
For successful LDAP authentication of a user, you must also configure the account information and the
user group attribute information for the user on the LDAP server, and make sure that the user groups
configured on the authentication server exist on the SSL VPN gateway. Otherwise, the user cannot log in.
The number of user groups that the gateway supports for a user has a limit. Make sure the number of user
groups specified for a user on the authentication server is equal to or less than the limit.
1. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2. Click the LDAP Authentication tab. The LDAP authentication configuration page appears.

Figure 443 LDAP authentication

3. Configure the LDAP authentication settings as described in Table 184.


4. Click Apply.
Table 184 Configuration items

Enable LDAP authentication: Select this item to enable LDAP authentication.
LDAP Server IP: Specify the IP address of the LDAP server.
Server Port: Specify the TCP port number used by the LDAP server.
Version: Specify the LDAP protocol version supported by the server.
Authentication Mode: Select an authentication mode for LDAP authentication. Options include Password, Password+Certificate, and Certificate.
User Group Attribute: Specify the name of the user group attribute configured on the LDAP server.
Specify conditions to query user DN: Select this option to look up the user DN by using the specified conditions: the administrator DN, password, search base DN, and search template.
Admin DN: Enter a user DN that has the administrator rights, which include the right to view the login user information. Use an account granted only the directory-read rights the lookup needs; its password is stored on the gateway.
Password / Confirm Password: Enter the password of the administrator DN and enter it again to confirm it.
Search Base DN: Specify a search base DN.
Search Template: Specify a search template.
Use a template to query user DN: Select this option to build the user DN from a template.
User DN template: Specify the user DN template used to build the user DN.

Configuring AD authentication
Active Directory (AD) is the directory service provided by Windows 2000 Server and later versions. It stores information about objects on a network and lets administrators and users query that information, using a structured data store that forms the logical structure of the directory. The SSL VPN system can cooperate with an enterprise's existing AD server to authenticate the enterprise's users.
For successful AD authentication of a user, you must also configure the user information on the AD
authentication server, create user groups, and add the user to the user groups. Make sure that the user
groups configured on the authentication server exist on the SSL VPN gateway. Otherwise, the user cannot
log in. The number of user groups that the gateway supports for a user has a limit. Make sure the number
of user groups specified for a user on the authentication server is equal to or less than the limit.
1. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2. Click the AD Authentication tab. The AD authentication configuration page appears.
Figure 444 AD authentication

3. Configure the AD authentication settings as described in Table 185.


4. Click Apply.
Table 185 Configuration items

Enable AD authentication: Select this item to enable AD authentication.
AD Domain Name: Enter the name of the AD domain.
AD Server IP: Enter the IP addresses of the AD servers. You can specify up to four AD servers. When one server fails, the system uses another server to authenticate users. The system selects servers in the order in which they were configured; the first configured server has the highest priority.
Authentication Mode: Select an authentication mode for AD authentication. Options include Password, Password+Certificate, and Certificate.
Server Recovery Time: Set the interval at which the system checks whether a failed AD server has recovered.
Admin Username: Set an administrator account. It must be a user account that has the directory search right in the User directory of the AD domain.
Password / Confirm Password: Set a password for the administrator account, and enter it again to confirm it.
Username Format: Set the username format used to log in to the AD server. Options include Without the AD domain name, With the AD domain name, and Login name.

Configuring combined authentication


Combined authentication chains any two of the four authentication methods (local, RADIUS, LDAP, and AD) in either order. With combined authentication configured, the system authenticates a user twice, once with each of the two specified methods. You can specify which method is used first and whether to ask for a password again during the second authentication.
Both the resources available to a user who has passed combined authentication and the online username are determined by the first authentication. When the user accesses single login resources, the system uses the password from the first authentication as the login password.
1. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation tree.
2. Click the Combined Authentication tab. The combined authentication configuration page appears.
Figure 445 Combined authentication

3. Configure the combined authentication settings as described in Table 186.


4. Click Apply.
Table 186 Configuration items

Enable combined authentication: Select this item to enable combined authentication.
First-Time Authentication Method: Select the authentication method used first.
Second-Time Authentication Method: Select the authentication method used second.
Ask password again on the second authentication: With this item selected, the system presents the login page and asks the user for a password again after the user passes the first authentication. If you do not select this item, the system automatically reuses the password from the first authentication for the second authentication.
IMPORTANT:
This function takes effect only when you enable full customization of the user interface and the customized user interface can present a login page twice.

Configuring a security policy
Insecure user hosts can bring threats into the internal network. You can configure security policies for the SSL VPN system so that when a user logs in, the system checks the user host's operating system, browser, antivirus software, firewall software, files, and processes, and decides which resources to provide according to the result.
A security policy defines multiple check categories, each of which contains multiple check rules. To pass the check of a category, a host must satisfy at least one rule of the category. To pass the check of a security policy, a host must satisfy all categories of the policy.
The check is performed by the client software on the user host, so its result is self-reported: a host that is already compromised can report whatever the attacker wants. Treat the check as a hygiene gate that keeps unpatched or unprotected hosts out, not as proof of host integrity.
1. Select VPN > SSL VPN > Domain Management > Security Policy from the navigation tree. The
security policy list page appears.
Figure 446 Security policies

2. Click Add to add a new security policy.


Figure 447 Adding a security policy

3. Configure the security policy as described in Table 187.
4. Click Apply.
Table 187 Configuration items

Name: Enter a name for the security policy.
Level: Set a level for the security policy. A larger number means a higher level. If multiple security policies are defined, the system first checks the user host against the security policy with the highest level. If the host does not satisfy that policy, the system tries the policy with the next highest level, and so on, until the host satisfies a policy or fails the security check. The resources the user can access are those defined in the first security policy the host passes. Therefore, when you configure security policies, grant more resources to a policy with a higher level.
Description: Enter a description for the security policy.
Policy Configuration: Set check rules for the security policy. Check rules fall into seven categories: operating system, browser, antivirus software, firewall, certificate, file, and process. To pass the check of a category, a host must satisfy at least one rule of the category. To pass the check of a security policy, a host must satisfy all categories of the policy. Click the expansion button before a category to view its rules. Click the Add button to add a rule for the category. For more information about rule configuration, see Table 188.
Resource Configuration: Specify the resources that can be accessed by user hosts that satisfy the security policy. You can select All Web Proxies, All TCP Applications, and All IP Networks. To select specific Web proxies, TCP applications, or IP networks, click the corresponding expansion button.
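To make the evaluation order concrete, here is an added Python model (not H3C code) of how the guide describes security policy matching: within a category any one rule may satisfy the host, every category that has rules must be satisfied, and policies are tried from the highest level down with the first passing policy deciding the resources. It also implements the version operators from Table 188, comparing dotted versions component by component rather than as strings (so 3.10 is newer than 3.5) and comparing IE versions as floating point numbers as the table requires. The `Rule`, `Policy` and host dictionaries, the product names and the patch identifiers are constructed for this example; the guide does not say how a category with no rules is treated, and the model assumes it is skipped.

```python
"""Added example (not from the H3C guide): model security policy evaluation
as the guide describes it, with the version operators from Table 188."""
import operator
from dataclasses import dataclass

OPERATORS = {">=": operator.ge, ">": operator.gt, "=": operator.eq,
             "<=": operator.le, "<": operator.lt}


def version_key(text):
    """'11.0.2' -> (11, 0, 2): dotted versions compare component by component,
    not as strings, so '3.10' is newer than '3.5'."""
    return tuple(int(part) for part in text.split("."))


def compare_versions(actual, op, required, float_version=False):
    """Apply one Table 188 operator. float_version=True follows the IE rule
    (a floating point number with up to two decimals), where '8.5' == '8.50'."""
    if float_version:
        return OPERATORS[op](float(actual), float(required))
    a, r = version_key(actual), version_key(required)
    width = max(len(a), len(r))
    a += (0,) * (width - len(a))   # '2' is treated as '2.0.0' against '2.0.1'
    r += (0,) * (width - len(r))
    return OPERATORS[op](a, r)


@dataclass(frozen=True)
class Rule:
    """One check rule (constructed for this example). kind is the category:
    os, browser, antivirus, firewall, certificate, file or process."""
    kind: str
    type_: str
    op: str = ">="
    version: str = ""              # empty: no version requirement
    patches: frozenset = frozenset()
    float_version: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    level: int                     # larger number = higher level, tried first
    rules: tuple
    resources: frozenset


def rule_matches(rule, host):
    """host maps a category to the products the host reports in it, e.g.
    {'antivirus': [{'type': 'AV-B', 'version': '3.10', 'patches': [...]}]}."""
    for product in host.get(rule.kind, ()):
        if product["type"] != rule.type_:
            continue
        if rule.version and not compare_versions(product["version"], rule.op,
                                                 rule.version, rule.float_version):
            continue
        if not rule.patches <= set(product.get("patches", ())):
            continue
        return True
    return False


def policy_passes(policy, host):
    """Any rule may satisfy a category (OR); every category with rules must be
    satisfied (AND). A category with no rules is skipped (assumption: the guide
    does not say how an empty category is treated)."""
    by_category = {}
    for rule in policy.rules:
        by_category.setdefault(rule.kind, []).append(rule)
    return all(any(rule_matches(rule, host) for rule in rules)
               for rules in by_category.values())


def select_policy(policies, host):
    """Try policies from the highest level down; the first that passes wins.
    None means the host failed the security check."""
    for policy in sorted(policies, key=lambda p: p.level, reverse=True):
        if policy_passes(policy, host):
            return policy
    return None


def allowed_resources(policies, host):
    policy = select_policy(policies, host)
    return policy.resources if policy else frozenset()


# Constructed policies and hosts; product names and patch IDs are placeholders.
STRICT = Policy("strict", 10, (
    Rule("os", "Windows", ">=", "6.1", frozenset({"patch-A"})),
    Rule("antivirus", "AV-A", ">=", "12.0"),      # either antivirus product
    Rule("antivirus", "AV-B", ">=", "3.5"),        # satisfies the category
    Rule("firewall", "FW-X", ">=", "2"),
), frozenset({"web-proxies", "tcp-applications", "ip-networks"}))
RELAXED = Policy("relaxed", 1, (Rule("os", "Windows", ">=", "6.1"),),
                 frozenset({"web-proxies"}))
POLICIES = [RELAXED, STRICT]

HOST_OK = {"os": [{"type": "Windows", "version": "6.1", "patches": ["patch-A"]}],
           "antivirus": [{"type": "AV-B", "version": "3.10"}],
           "firewall": [{"type": "FW-X", "version": "2.0.1"}]}
HOST_NO_AV = {"os": [{"type": "Windows", "version": "10"}]}   # lacks patch-A and antivirus
HOST_OLD = {"os": [{"type": "Windows", "version": "5.1"}]}

if __name__ == "__main__":
    for name, host in (("ok", HOST_OK), ("no_av", HOST_NO_AV), ("old", HOST_OLD)):
        chosen = select_policy(POLICIES, host)
        print(name, chosen.name if chosen else "FAILED",
              sorted(allowed_resources(POLICIES, host)))
```

The fully patched host gets the strict policy and all three resource classes, the unpatched host without antivirus falls through to the relaxed policy and only the Web proxies, and the host on an old operating system fails the check outright. Note that "3.10" satisfies ">= 3.5" only because versions are compared numerically; a string comparison would reject it.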

Table 188 Configuration items

Operating System
Rule Name: Enter a name for the operating system rule.
Type: Specify the operating system type. A user host must run the specified type of operating system to pass the security check.
Version: Specify the operating system version. The operating system of a user host must satisfy the version requirement to pass the security check.
Patch: Specify the operating system patches. The operating system of a user host must have the specified patches installed to pass the security check.

Browser
Rule Name: Enter a name for the browser rule.
Type: Specify the browser type. A user host must use the specified type of browser to pass the security check.
Operator: Set an operator for the browser version check.
• >=: A user host must use the specified version or a later version.
• >: A user host must use a version later than the specified version.
• =: A user host must use the specified version.
• <=: A user host must use the specified version or an earlier version.
• <: A user host must use a version earlier than the specified version.
Version: Specify the browser version.
IMPORTANT:
An IE browser version must be a floating point number with up to two digits after the radix point.
Patch: Specify the browser patches. The browser of a user host must have the specified patches installed to pass the security check.

Antivirus Software
Rule Name: Enter a name for the antivirus software rule.
Type: Specify the antivirus software type. A user host must use the specified type of antivirus software to pass the security check.
Operator: Set an operator for the antivirus software version check and the virus definitions version check.
• >=: The antivirus software and its virus definitions must be of the specified version or a later version.
• >: The antivirus software and its virus definitions must have a version later than the specified version.
• =: The antivirus software and its virus definitions must be of the specified version.
• <=: The antivirus software and its virus definitions must be of the specified version or an earlier version.
• <: The antivirus software and its virus definitions must have a version earlier than the specified version.
Version: Specify the antivirus software version.
Virus Definitions Version: Specify the virus definitions version.

Firewall
Rule Name: Enter a name for the firewall rule.
Type: Specify the firewall type. A user host must use the specified type of firewall to pass the security check.
Set an operator for firewall version check.


• >=: A user host must use the specified version or a later version.
Firewall
• >: A user host must use a version later than the specified version.
Operator
• =: A user host must use the specified version.
• <=: A user host must use the specified version or an earlier version.
• <: A user host must use a version earlier than the specified version.

Version Specify the firewall version.

Rule Name Enter a name for the certificate rule.


Certificate Specify the certificate issuer. A user host must have a client certificate issued by
Issuer
the specified issuer to pass security check.

437
Item Description
Rule Name Enter a name for the file rule.
File Specify the files. A user host must have the specified files to pass security
File Name
check.

Rule Name Enter a name for the process rule.


Process Specify the processes. A user host must have the specified processes to pass
Process Name
security check.
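The evaluation order described above (policies tried from the highest level down, a category passing on any one of its rules, a policy passing only when every category passes) together with the version operators of Table 188, as an added Python model that is not H3C code. The policy names, rule contents, host inventories and resource names are constructed; the model assumes that a larger priority number means a higher policy level, and it leaves out the virus definitions and certificate issuer checks.

```python
"""Model of the SSL VPN security-policy check: priority order, any-rule per category, all categories per policy.

Added illustration, not H3C code. Policies, rules, hosts and resource names are constructed;
a larger priority number is assumed to mean a higher policy level.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# The five operators offered by the Operator item of Table 188.
OPERATORS: Dict[str, Callable[[Tuple[int, ...], Tuple[int, ...]], bool]] = {
    ">=": lambda have, want: have >= want,
    ">": lambda have, want: have > want,
    "=": lambda have, want: have == want,
    "<=": lambda have, want: have <= want,
    "<": lambda have, want: have < want,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.8' -> (9, 8); compared as integers, so 9.8 correctly ranks below 12.0 (a string compare would not)."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Rule:
    category: str                  # "os", "browser", "antivirus", "firewall", "file" or "process"
    type_: Optional[str] = None    # required product or OS type, if any
    operator: str = ">="
    version: Optional[str] = None  # required version, compared with `operator`
    required: Sequence[str] = ()   # patches, file names or process names that must be present

    def matches(self, host: dict) -> bool:
        facts = host.get(self.category)
        if facts is None:
            return False
        if self.type_ is not None and facts.get("type") != self.type_:
            return False
        if self.version is not None:
            have = parse_version(facts.get("version", "0"))
            if not OPERATORS[self.operator](have, parse_version(self.version)):
                return False
        present = set(facts.get("installed", ()))
        return all(item in present for item in self.required)


@dataclass
class Policy:
    name: str
    priority: int
    rules: List[Rule]
    resources: List[str]

    def passes(self, host: dict) -> bool:
        by_category: Dict[str, List[Rule]] = {}
        for rule in self.rules:
            by_category.setdefault(rule.category, []).append(rule)
        # Every category must pass; a category passes when ANY one of its rules matches.
        return all(any(r.matches(host) for r in rules) for rules in by_category.values())


def authorize(host: dict, policies: List[Policy]) -> Optional[List[str]]:
    """Try policies from the highest level down; the first one passed decides the resources."""
    for policy in sorted(policies, key=lambda p: p.priority, reverse=True):
        if policy.passes(host):
            return policy.resources
    return None  # host failed every policy: no resources


# Constructed policies: the stricter one grants more, as the Level item recommends.
STRICT = Policy("strict", priority=2, rules=[
    Rule("antivirus", type_="ExampleAV", operator=">=", version="12.0"),
    Rule("os", type_="Windows", required=("KB-EXAMPLE-1",)),
    Rule("process", required=("agent.exe",)),
], resources=["tech", "sec_srv", "desktop"])
BASIC = Policy("basic", priority=1, rules=[
    Rule("os", type_="Windows"),
    Rule("os", type_="Linux"),  # second rule in the same category: either OS passes it
], resources=["tech"])

# Constructed host inventories as a client check would report them.
COMPLIANT_HOST = {"os": {"type": "Windows", "installed": ["KB-EXAMPLE-1"]},
                  "antivirus": {"type": "ExampleAV", "version": "12.3"},
                  "process": {"installed": ["agent.exe"]}}
STALE_AV_HOST = {"os": {"type": "Windows", "installed": ["KB-EXAMPLE-1"]},
                 "antivirus": {"type": "ExampleAV", "version": "9.8"},
                 "process": {"installed": ["agent.exe"]}}
MAC_HOST = {"os": {"type": "macOS"}}

if __name__ == "__main__":
    for label, host in [("compliant", COMPLIANT_HOST), ("stale AV", STALE_AV_HOST), ("mac", MAC_HOST)]:
        print(label, "->", authorize(host, [BASIC, STRICT]))
```

The stale-antivirus host drops from the strict policy to the basic one and keeps only the web proxy, and the unsupported OS fails every policy; numeric version parsing matters because a plain string comparison would rank "9.8" above "12.0".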

Customizing the SSL VPN user interface
The SSL VPN system allows you to customize the user interface partially or fully as desired:
• Partial customization—You can use the webpage files provided by the system and edit some
contents in the files as needed, including the login page title, login page welcome information,
login page logo, service page banner information, service page logo, and service page
background. For the locations of the information items, see the red boxes in Figure 448 and Figure
449.
• Full customization—You can edit a webpage file of your own to provide a fully customized user
access interface.
Figure 448 Customizable information on the login page

Figure 449 Customizable information on the service page

Customizing the SSL VPN interface partially


Configuring the text information
1. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree. The
Text Information tab appears, as shown in Figure 450.
2. Configure the service page banner information, login page welcome information, and login page
title on the page.
3. Click Apply.
Figure 450 Text information

Configuring the login page logo
1. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
2. Click the Login Page Logo tab to enter the page shown in Figure 451.
3. Click Browse to select a local picture file.
4. Set whether to directly overwrite the file with the same name on the device.
5. Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the
login page.
Figure 451 Specifying a login page logo picture

Configuring the service page logo


1. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
2. Click the Service Page Logo tab to enter the page shown in Figure 452.
3. Click Browse to select a local picture file.
4. Set whether to directly overwrite the file with the same name on the device.
5. Click Apply to upload the picture file to the SSL VPN system and use it as the logo picture on the
service page.
Figure 452 Specifying a service page logo picture

Configuring the service page background


1. Select VPN > SSL VPN > Page Customization > Partial Customization from the navigation tree.
2. Click the Service Page Background tab to enter the page shown in Figure 453.
3. Click Browse to select a local picture file.
4. Set whether to directly overwrite the file with the same name on the device.
5. Click Apply to upload the picture file to the SSL VPN system and use it as the service page
background picture.

Figure 453 Specifying a service page background picture

Customizing the SSL VPN interface fully


Before full customization of the SSL VPN interface, upload the customized page file to the SSL VPN
gateway through FTP or TFTP.
1. Select VPN > SSL VPN > Page Customization > Full Customization from the navigation tree. The full
customization page appears.
Figure 454 Full customization

2. Configure the full customization settings as described in Table 189.


3. Click Apply.
Table 189 Configuration items

Enable full customization: Select this item to enable the full customization function.

Directory: Enter the directory where the customized page files are saved on the SSL VPN gateway.

Page File: Enter the name of the customized login page file.

User access to SSL VPN

This chapter introduces user access to the SSL VPN service interface provided by the system. It does not apply to user access to a fully customized SSL VPN service interface.
After you finish configurations on the SSL VPN gateway, remote users can establish HTTPS connections
to the SSL VPN gateway, and access resources through the user service interface provided by the SSL
VPN gateway.

Logging in to the SSL VPN service interface


After the SSL VPN gateway is configured, a user can log in to the SSL VPN service interface by following these steps:
1. Launch a browser on the user's host.
2. Enter https://192.168.1.1:44300/svpn/ in the address bar of the browser to enter the SSL VPN
login page, as shown in Figure 455. 192.168.1.1 and 44300 are the SSL VPN gateway's host
address and service port number. The service port number can be omitted when it is 443, the
default value.
Figure 455 SSL VPN login page

3. On the login page, enter the username and password, and select an authentication method.
4. Click Login to enter the SSL VPN service interface, as shown in Figure 456. If you have specified
TCP applications or IP network resources for the user, the system automatically runs the SSL VPN
client software for the user, as shown in Figure 457.

IMPORTANT:
If you have enabled verification code authentication, the login page also displays a verification code, and the user must enter the correct verification code to log in.

Figure 456 SSL VPN service interface

Figure 457 SSL VPN client software

Accessing SSL VPN resources


After logging in to the SSL VPN service interface, a user can see all resources that you have authorized
the user to access, and perform the following operations:

• Clicking a resource name under Websites to access the website.
• Clicking a resource name under TCP Applications to run the command you configured for the resource (if any), or performing configurations according to the information provided by the resource name and then accessing the resource. For example, a user can configure the Outlook email receiving and sending servers according to the email resource name, log in by using the username and password, and then use the email service.
• For an IP network resource, accessing any host in any accessible network segment, or clicking a shortcut name to execute the corresponding command of the shortcut.

Getting help information


To get help information, a user only needs to click the Help link in the upper right corner of the SSL VPN service interface. A popup window appears, showing the SSL VPN system help information.
Figure 458 About SSL VPN

Changing the login password
To change the login password, a user needs to perform the following configurations:
1. Click the Configure button in the upper right corner of the SSL VPN service interface to enter the
page shown in Figure 459.
2. Enter the new password, and confirm the new password.
3. Click Apply.
When the user logs in again, the user must enter the new password.
Figure 459 Changing login password

SSL VPN configuration example

Network requirements
As shown in Figure 460, request a certificate and enable SSL VPN service on the SSL VPN gateway so
that users can use HTTPS to log in to the SSL VPN gateway to access the internal resources of the
corporate network.
In this configuration example:
• The CA runs Windows Server, and the SCEP plugin is required on the CA.
• The IP address of the SSL VPN gateway is 10.1.1.1/24. The IP address of the CA is 10.2.1.1/24, and the name of the CA is CA server. The CA is used to issue certificates to the SSL VPN gateway and remote users.
• Perform RADIUS authentication for SSL VPN users. The IP address of the RADIUS server (a CAMS/IMC server) is 10.153.10.131/24. After passing authentication, an SSL VPN user can access the internal technology website whose IP address is 10.153.1.223, all hosts on subnet 10.153.2.0/24, and the security server whose IP address is 10.153.2.25 through the FTP shortcut.
• Configure a public account named usera. Specify that only one user can use the public account to log in at a time. Configure local authentication for the public account and authorize a user who logs in by using the public account to access the shared desktop provided by internal host 10.153.70.120.
• Specify the default authentication method as RADIUS for the SSL VPN domain and enable verification code authentication.
Figure 460 Network diagram (labels recovered from the figure: the remote user's Host reaches the Device acting as SSL VPN gateway, 10.1.1.1/24, over the Internet; the gateway connects to the internal servers and to the CA at 10.2.1.1/24)

Configuration prerequisites
• The SSL VPN gateway, the CA, and the hosts used by remote users can reach each other.
• The CA is enabled with the CA service and can issue certificates to the SSL VPN gateway and the
hosts.
• The RADIUS server is properly configured to provide normal authentication function for users. In this
example, you need to configure the shared key as expert, configure the user account and user
group information, and add users to user group user_gr2.

Configuration procedure
Configuring the SSL VPN service
1. Configure a PKI entity named en:
a. Select Certificate Management > Entity from the navigation tree.
b. Click Add to enter the PKI configuration page, as shown in Figure 461.
c. Enter the PKI entity name en.
d. Enter common name http-server for the entity.
e. Click Apply.

Figure 461 Configuring a PKI entity named en

2. Configure a PKI domain named sslvpn:


a. Select Certificate Management > Domain from the navigation tree.
b. Click Add.
c. On the page that appears, as shown in Figure 462, enter the PKI domain name sslvpn, enter
the CA identifier CA server, select en as the local entity, select RA as the registration authority,
enter the certificate requesting URL http://10.2.1.1/certsrv/mscep/mscep.dll, select Manual
as the certificate request mode, and click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
d. Click OK to continue.

Figure 462 Configuring a PKI domain named sslvpn

3. Generate an RSA key pair:


a. Select Certificate Management > Certificate from the navigation tree.
b. Click Create Key to enter the key generation page, as shown in Figure 463.
c. Set the key length to 1024.
d. Click Apply.

Figure 463 Generating an RSA key pair

4. Retrieve the CA certificate:


a. After the key pair is generated, click the Retrieve Cert button on the certificate management
page.
The Retrieve Certificate page appears, as shown in Figure 464.
b. Select sslvpn as the PKI domain.
c. Select CA as the certificate type.
d. Click Apply.

Figure 464 Retrieving the CA certificate to the local device

5. Request a local certificate:


a. After the CA certificate retrieval operation is complete, click Request Cert on the certificate
management page.
b. Select sslvpn as the PKI domain.
c. Click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm the operation.

Figure 465 Requesting a local certificate

You can view the retrieved CA certificate and the local certificate on the certificate management page.

Figure 466 Certificate management page

6. Enable SSL VPN, and configure a port and a PKI domain for the SSL VPN service:
a. Select VPN > SSL VPN > Service Management from the navigation tree.
b. Select the box before Enable SSL VPN.
c. Set the port number to 443.
d. Select sslvpn as the PKI domain.
e. Click Apply.

Figure 467 SSL VPN service management page

Configuring SSL VPN resources


1. Configure a Web proxy resource named tech for the internal technology website 10.153.1.223:
a. Select VPN > SSL VPN > Resource Management > Web Proxy from the navigation tree.
b. Click Add.
The Web proxy server resource configuration page appears, as shown in Figure 468.
c. Enter the resource name tech.

d. Enter the website address http://10.153.1.223/.
e. Click Apply.

Figure 468 Configuring a Web proxy resource

2. Configure a resource named desktop for the desktop sharing service provided by host
10.153.70.120:
a. Select VPN > SSL VPN > Resource Management > TCP Application from the navigation tree.
b. Click the Desktop Sharing Service tab.
c. Click Add.
The desktop sharing service configuration page appears, as shown in Figure 469.
d. Enter the resource name desktop, enter the remote host address 10.153.70.120, set the remote
port for the server to 3389, enter the local host address 127.0.0.2, set the local port for the
service to 20000, and enter the command line mstsc /v 127.0.0.2:20000.
e. Click Apply.

Figure 469 Configuring a desktop sharing service resource

3. Configure global parameters for IP network resources:


a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
The Global Configuration tab appears, as shown in Figure 470.
b. Enter the start IP address 192.168.0.1.
c. Enter the end IP address 192.168.0.100.
d. Enter the subnet mask 24.
e. Enter the gateway IP address 192.168.0.101.
f. Click Apply.
Figure 470 Configuring global parameters for IP network resources

4. Configure a host resource named sec_srv for hosts in subnet 10.153.2.0/24 in IP network mode:
a. Select VPN > SSL VPN > Resource Management > IP Network from the navigation tree.
b. Click the Host Configuration tab.

c. Click Add to enter the host resource configuration page.
d. Enter the resource name sec_srv.
e. Click the Add button under the Network Services list.
f. On the page that appears, as shown in Figure 471, enter the destination IP address
10.153.2.0, enter the subnet mask 24, select IP as the protocol type, specify the description
information as 10.153.2.0/24, and click Apply.
The network service is added to the host resource.
g. Click the Add button under the Shortcuts list.
h. On the page that appears, as shown in Figure 472, enter the shortcut name ftp_security-server
and the shortcut command ftp 10.153.2.25, and click Apply.
The shortcut is added to the host resource. Now, the host resource configuration page is as shown in Figure 473.
i. Click Apply.
Figure 471 Adding a network service to the host resource

Figure 472 Adding a shortcut to the host resource

Figure 473 Configuring a host resource

5. Configure resource group res_gr1, and add resource desktop to it:


a. Select VPN > SSL VPN > Resource Management > Resource Group from the navigation tree to
enter the resource group list page.
b. Click Add to enter the resource group configuration page, as shown in Figure 474.
c. Enter the resource group name res_gr1.
d. Select desktop on the Available Resources list and click the << button to add it to the Selected
Resources list.
e. Click Apply.

Figure 474 Configuring resource group res_gr1

6. Configure resource group res_gr2, and add resources tech and sec_srv to it:
a. On the resource group list page, click Add.

b. Enter the resource group name res_gr2.
c. Select resources tech and sec_srv on the Available Resources list and click the << button to add
them to the Selected Resources list.
d. Click Apply.

Figure 475 Configuring resource group res_gr2

Configuring SSL VPN users


1. Configure a local user account usera:
a. Select VPN > SSL VPN > User Management > Local User from the navigation tree.
b. Click Add.
The local user configuration page appears, as shown in Figure 476.
c. Enter the username usera, enter the password passworda, confirm the password, select the
box before Enable public account, set the maximum number of users for the public account to
1, and select Permitted as the user status.
d. Click Apply.

Figure 476 Adding local user usera

2. Configure user group user_gr1, assign resource group res_gr1 to the user group and add local
user usera to the user group:
a. Select VPN > SSL VPN > User Management > User Group from the navigation tree to enter the
user group list page.
b. Click Add.
The user group configuration page appears, as shown in Figure 477.
c. Enter the user group name user_gr1.
d. Select res_gr1 on the Available Resource Groups list and click << to add it to the Selected
Resource Groups list.
e. Select usera on the Available Local Users list and click << to add the user to the Selected Local
Users list.
f. Click Apply.

Figure 477 Configuring user group user_gr1

3. Configure user group user_gr2, and assign resource group res_gr2 to the user group:
a. On the user group list page, click Add.
b. Enter the user group name user_gr2.
c. Select res_gr2 on the Available Resource Groups list and click << to add it to the Selected
Resource Groups list.
d. Click Apply.

Figure 478 Configuring user group user_gr2

Configuring an SSL VPN domain


1. Configure the default authentication method for the SSL VPN domain as RADIUS and enable
verification code authentication:
a. Select VPN > SSL VPN > Domain Management > Basic Configuration from the navigation tree.
The Domain Policy tab appears, as shown in Figure 479.
b. Select the box before Use verification code.
c. Select RADIUS as the default authentication method.
d. Click Apply.

Figure 479 Configuring the domain policy

2. Configure a RADIUS scheme named system:


a. Select Advanced > RADIUS from the navigation tree.
b. Click Add to enter the RADIUS scheme configuration page.
c. Enter the scheme name system.
d. In the Common Configuration area, select Extended as the supported RADIUS server type, and
select Without domain name as the username format.
e. Click the Add button in the RADIUS Server Configuration area.
On the page that appears, as shown in Figure 480, select Primary Authentication Server as
the server type, select IPv4 and enter IP address 10.153.10.131, enter port number 1812,
enter the key expert, enter expert again to confirm the key, and click Apply.
The RADIUS server is then added to the RADIUS server list of the RADIUS scheme. Now, the RADIUS scheme configuration page is as shown in Figure 481.
f. Click Apply.
Figure 480 Adding a RADIUS server for the RADIUS scheme

Figure 481 Configuring RADIUS scheme named system

3. Enable RADIUS authentication for the SSL VPN domain:


a. Select VPN > SSL VPN > Domain Management > Authentication Policy from the navigation
tree.
b. Click the RADIUS Authentication tab.
c. Select the box before Enable RADIUS authentication.
d. Click Apply.

Figure 482 Enable RADIUS authentication

Verifying the configuration


Launch a browser on a host, and enter https://10.1.1.1/svpn/ in the address bar to enter the SSL VPN
login page, as shown in Figure 483. You can see that RADIUS authentication is the default authentication
method and a verification code is needed for login.

Figure 483 SSL VPN login page

Select Local from the Auth Mode list. Use the public account usera to log in. You can see the resource
desktop, as shown in Figure 484. Clicking the resource name, you can access the shared desktop of the
specified host, as shown in Figure 485.
Figure 484 Resource that the public account usera can access

Figure 485 Access the desktop sharing resource

Assume that a user named userb is configured and added to user group user_gr2 on the RADIUS server.
Use this user account and the default authentication method RADIUS to log in. You can see website tech,
subnet resource 10.153.2.0/24, and a shortcut to the security server, as shown in Figure 486. Click tech
to access the technology website. Click shortcut ftp_security-server to access the security server through
FTP, as shown in Figure 487.

Figure 486 Resources that a non-public account can access

Figure 487 Access the IP network resource
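The verification results above follow from the chain user, user group, resource group, resource that the example configures, plus the public account's one-user limit. The following Python model is an added illustration, not H3C code and not an API the gateway exposes: usera, passworda, the groups and resource names come from the example, while userb's password, the RADIUS directory that returns user_gr2, and the session counter are constructed stand-ins.

```python
"""Model of the example's authorization chain: user -> user group -> resource group -> resource.

Added illustration, not H3C code. userb's password and the RADIUS directory are
constructed stand-ins for what the RADIUS server (CAMS/IMC) would hold.
"""
import hmac
from typing import Dict, Optional, Set

# Resource groups, user groups and local membership as configured in the example.
RESOURCE_GROUPS: Dict[str, Set[str]] = {"res_gr1": {"desktop"}, "res_gr2": {"tech", "sec_srv"}}
USER_GROUPS: Dict[str, Set[str]] = {"user_gr1": {"res_gr1"}, "user_gr2": {"res_gr2"}}
LOCAL_MEMBERSHIP: Dict[str, Set[str]] = {"usera": {"user_gr1"}}
LOCAL_USERS = {
    "usera": {"password": "passworda", "public": True, "max_users": 1, "status": "Permitted"},
}
# Constructed: the RADIUS server authenticates userb and reports the group user_gr2.
RADIUS_DIRECTORY = {"userb": {"password": "passwordb-constructed", "groups": {"user_gr2"}}}


def resources_for(user_groups: Set[str]) -> Set[str]:
    """Union of every resource reachable through the user's groups."""
    resource_groups = set().union(*(USER_GROUPS[g] for g in user_groups))
    return set().union(*(RESOURCE_GROUPS[rg] for rg in resource_groups))


class Gateway:
    """Tracks live sessions so the public account's user cap can be enforced."""

    def __init__(self) -> None:
        self.active: Dict[str, int] = {}

    def login(self, username: str, password: str, auth_mode: str = "RADIUS") -> Optional[Set[str]]:
        """Return the resource names the user may access, or None if the login is refused."""
        if auth_mode == "Local":
            acct = LOCAL_USERS.get(username)
            if acct is None or not hmac.compare_digest(acct["password"], password):
                return None
            if acct["status"] != "Permitted":
                return None
            # A public account admits at most max_users concurrent logins (1 in the example).
            if acct["public"] and self.active.get(username, 0) >= acct["max_users"]:
                return None
            groups = LOCAL_MEMBERSHIP.get(username, set())
        elif auth_mode == "RADIUS":
            entry = RADIUS_DIRECTORY.get(username)
            if entry is None or not hmac.compare_digest(entry["password"], password):
                return None
            groups = entry["groups"]
        else:
            return None
        self.active[username] = self.active.get(username, 0) + 1
        return resources_for(groups)

    def logout(self, username: str) -> None:
        if self.active.get(username, 0) > 0:
            self.active[username] -= 1


if __name__ == "__main__":
    gw = Gateway()
    print("usera (Local):", gw.login("usera", "passworda", "Local"))
    print("usera again while logged in:", gw.login("usera", "passworda", "Local"))
    print("userb (RADIUS):", gw.login("userb", "passwordb-constructed"))
```

A second login with the public account while the first session is still open is refused until a logout frees the slot, and a local-only account such as usera is not accepted under the domain's default RADIUS method because the RADIUS server knows nothing about it.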

Managing certificates

Overview
Public Key Infrastructure (PKI) offers an infrastructure for securing network services. PKI, also called
asymmetric key infrastructure, uses a pair of keys (one private and one public) for data encryption and
decryption. Data encrypted with the public key can be decrypted only with the private key, and vice
versa.
PKI uses digital certificates to distribute and employ public keys, and provides network communication
and e-commerce with security services such as user authentication, data confidentiality, and data
integrity.
H3C's PKI system provides certificate management for IPsec, SSL, and WAPI.
The PKI technology can satisfy the security requirements of online transactions. As an infrastructure, PKI
has a wide range of applications. Here are some application examples:
• VPN—A VPN is a private data communication network built on the public communication
infrastructure. A VPN can leverage network layer security protocols (for example, IPsec) in
conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.
• Secure email—Emails require confidentiality, integrity, authentication, and non-repudiation. PKI
can address these needs. A common secure email protocol is S/MIME, which is based on PKI and
allows for transfer of encrypted mails with signature.
• Web security—For Web security, two peers can establish an SSL connection first for transparent
and secure communications at the application layer. With PKI, SSL enables encrypted
communications between a browser and a server. Both the communication parties can verify the
identity of each other through digital certificates. For more information about PKI, see Security
Configuration Guide.

Recommended configuration procedure


The system supports the following PKI certificate request modes:
• Manual—In manual mode, you need to manually retrieve a CA certificate, generate a local RSA
key pair, and submit a local certificate request for an entity.
• Auto—In auto mode, an entity automatically requests a certificate through the SCEP when it has no
local certificate or the present certificate is about to expire.
You can specify the PKI certificate request mode for a PKI domain. Different PKI certificate request modes
require different configurations.

Recommended configuration procedure for manual request

1. Creating a PKI entity
Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the distinguished name (DN) shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the certificate request might be rejected. You must know the policy to determine which entity parameters are mandatory or optional.

2. Creating a PKI domain
Required.
Create a PKI domain, setting the certificate request mode to Manual.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Generating an RSA key pair
Required.
Generate a local RSA key pair. By default, no local RSA key pair exists.
Generating an RSA key pair is an important step in certificate request. The key pair includes a public key and a private key. The private key is kept by the user, and the public key is transferred to the CA along with some other information.
IMPORTANT: If a local certificate already exists, you must remove the certificate before generating a new key pair, so as to keep the consistency between the key pair and the local certificate.

4. Retrieving the CA certificate
Required.
Certificate retrieval serves the following purposes:
• Locally store the certificates associated with the local security domain for improved query efficiency and reduced query count.
• Prepare for certificate verification.
IMPORTANT: If a local CA certificate already exists, you cannot perform the CA certificate retrieval operation. This restriction avoids possible mismatch between certificates and registration information resulting from relevant changes. To retrieve the CA certificate, you must remove the CA certificate and local certificate first.

5. Requesting a local certificate
Required.
When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in online mode or offline mode.
• In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
• In offline mode, you must retrieve the local certificate by an out-of-band means.
IMPORTANT: If a local certificate already exists, you cannot perform the local certificate retrieval operation. This restriction avoids inconsistency between the certificate and the registration information due to configuration changes. To retrieve a new local certificate, you must remove the CA certificate and local certificate first.

6. Destroying the RSA key pair
Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, you cannot retrieve the certificate. Destroying the existing RSA key pair also destroys the corresponding local certificate.

7. Retrieving and displaying a certificate
Required if you request a certificate in offline mode.
Retrieve an existing certificate and display its contents.
IMPORTANT:
• If you request a certificate in offline mode, you must retrieve the CA certificate and local certificate by an out-of-band means.
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

8. Retrieving and displaying a CRL
Optional.
Retrieve a CRL and display its contents.
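Step 4 retrieves the CA certificate "to prepare for certificate verification", and the PKI domain's Fingerprint Hash item (Table 191) is what makes that verification possible; the SSL VPN example earlier shows the gateway's warning when it is left empty ("Fingerprint of the root certificate not specified. No root certificate validation will occur."). The following Python is an added example, not H3C code, of the check itself: the fingerprint is the MD5 or SHA1 hash of the certificate's DER bytes, compared in constant time against the configured value. The PEM block is a constructed stand-in (arbitrary bytes in PEM armour, not a real X.509 certificate), and unlike the gateway this function fails closed when no fingerprint is configured, a deliberate design choice.

```python
"""Check a retrieved CA root certificate against the fingerprint configured for the PKI domain.

Added illustration, not H3C code. FAKE_DER/FAKE_PEM are constructed bytes, not a real certificate.
"""
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Hash choices the PKI domain offers for the root-certificate fingerprint.
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body; the fingerprint is taken over the DER bytes."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der: bytes, algorithm: str) -> str:
    """Lowercase hex digest of the DER-encoded certificate under the chosen algorithm."""
    return HASHES[algorithm.lower()](der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and reduce it to lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_root(pem: str, algorithm: str, configured: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason). An absent fingerprint is rejected here rather than skipped."""
    if not configured:
        return False, "no fingerprint configured: root certificate not validated"
    actual = fingerprint(pem_to_der(pem), algorithm)
    expected = normalize(configured)
    if len(expected) != len(actual):
        return False, f"{algorithm} fingerprint must be {len(actual)} hex digits, got {len(expected)}"
    if hmac.compare_digest(actual, expected):
        return True, "root certificate fingerprint matches the PKI domain setting"
    return False, f"fingerprint mismatch: configured {expected}, computed {actual}"


# Constructed stand-in: arbitrary bytes wrapped in PEM armour, not a real X.509 certificate.
FAKE_DER = b"\x30\x82\x01\x00constructed-root-certificate-body"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(FAKE_DER).decode()
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    digest = fingerprint(FAKE_DER, "sha1")
    colon_form = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()
    print(verify_root(FAKE_PEM, "sha1", colon_form))
    print(verify_root(FAKE_PEM, "sha1", "00" * 20))
    print(verify_root(FAKE_PEM, "sha1", None))
```

The length check catches a fingerprint pasted for the wrong algorithm (an MD5 value against a SHA1 setting, or vice versa) before any comparison, and the constant-time compare avoids leaking how many leading digits matched.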

Recommended configuration procedure for automatic request


1. Creating a PKI entity
Required.
Create a PKI entity and configure the identity information.
A certificate is the binding of a public key and the identity information of an entity, where the DN shows the identity information of the entity. A CA identifies a certificate applicant uniquely by an entity DN. The DN settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the certificate request might be rejected. You must know the policy to determine which entity parameters are mandatory or optional.

2. Creating a PKI domain
Required.
Create a PKI domain, setting the certificate request mode to Auto.
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is called a PKI domain. A PKI domain is intended only for convenience of reference by other applications like IKE and SSL, and has only local significance.

3. Destroying the RSA key pair
Optional.
If the certificate to be retrieved contains an RSA key pair, you must destroy the existing RSA key pair. Otherwise, the certificate cannot be retrieved. Destroying the existing RSA key pair also destroys the corresponding local certificate.

4. Retrieving and displaying a certificate
Optional.
Retrieve an existing certificate and display its contents.
IMPORTANT:
• Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
• If a CA certificate already exists, you cannot retrieve another CA certificate. This restriction avoids inconsistency between the certificate and the registration information due to configuration changes. To retrieve a new CA certificate, remove the existing CA certificate and local certificate first.

5. Retrieving and displaying a CRL
Optional.
Retrieve a CRL and display its contents.

Creating a PKI entity


1. From the navigation tree, select Certificate Management > Entity.
Figure 488 PKI entities

2. Click Add.

Figure 489 Create a PKI entity

3. Configure the parameters as described in Table 190.


4. Click Apply.
Table 190 Configuration items

Entity Name: Enter the name for the PKI entity.

Common Name: Enter the common name for the entity.

IP Address: Enter the IP address of the entity.

FQDN: Enter the FQDN for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.

Country/Region Code: Enter the country or region code for the entity.

State: Enter the state or province for the entity.

Locality: Enter the locality for the entity.

Organization: Enter the organization name for the entity.

Organization Unit: Enter the unit name for the entity.

Creating a PKI domain


1. From the navigation tree, select Certificate Management > Domain.

Figure 490 PKI domains

2. Click Add.
Figure 491 Creating a PKI domain

3. Configure the parameters as described in Table 191.


4. Click Apply.
Table 191 Configuration items

Item Description

Domain Name
Enter the name for the PKI domain.

CA Identifier
Enter the identifier of the trusted CA.
An entity requests a certificate from a trusted CA. The trusted CA takes responsibility for
certificate registration, distribution, revocation, and query.
IMPORTANT:
• In offline mode, this item is optional. In other modes, this item is required.
• The CA identifier is used only when you retrieve a CA certificate. It is not used when
you retrieve a local certificate.

Entity Name
Select the local PKI entity.
When submitting a certificate request to a CA, an entity needs to show its identity
information.
Available PKI entities are those that have been configured.

Institution
Select the authority for certificate request.
• CA—Entity requests a certificate from a CA.
• RA—Entity requests a certificate from an RA.
Generally, an independent RA is in charge of certificate request management. It receives
the registration request from an entity, examines its qualification, and determines
whether to ask the CA to sign a digital certificate. The RA only examines the application
qualification of an entity. It does not issue any certificate. Sometimes, the registration
management function is provided by the CA, in which case no independent RA is
required. H3C recommends that you deploy an independent RA.

Requesting URL
Enter the URL of the RA.
The entity will submit the certificate request to the server at this URL through the SCEP
protocol. The SCEP protocol is intended for communication between an entity and an
authentication authority.
IMPORTANT:
• In offline mode, this item is optional. In other modes, this item is required.
• This item does not support domain name resolution.

LDAP IP/Port/Version
Enter the IP address, port number, and version of the LDAP server.
An LDAP server is usually deployed to store certificates and CRLs. If this is the case, you
must configure the IP address of the LDAP server.

Request Mode
Select the online certificate request mode, which can be auto or manual.

Password/Confirm Password
Set a password for certificate revocation and re-enter it for confirmation.
The two boxes are available only when the certificate request mode is set to Auto.

Fingerprint Hash/Fingerprint
Specify the fingerprint used for verifying the CA root certificate.
After receiving the root certificate of the CA, an entity needs to verify the fingerprint of the
root certificate, namely, the hash value of the root certificate content. This hash value is
unique to every certificate. If the fingerprint of the root certificate does not match the one
configured for the PKI domain, the entity will reject the root certificate.
• If you specify MD5 as the hash algorithm, enter an MD5 fingerprint. The fingerprint
must be a string of 32 characters in hexadecimal notation.
• If you specify SHA1 as the hash algorithm, enter a SHA1 fingerprint. The fingerprint
must be a string of 40 characters in hexadecimal notation.
• If you do not specify the fingerprint hash, do not enter any fingerprint. The entity will
not verify the CA root certificate, and you yourself must make sure the CA server is
trusted.
IMPORTANT:
The fingerprint must be configured if you specify the certificate request mode as Auto. If you
specify the certificate request mode as Manual, you can leave the fingerprint settings null. If
you do not configure the fingerprint, the entity will not verify the CA root certificate and you
yourself must make sure the CA server is trusted.

Polling Count/Polling Interval
Set the polling interval and attempt limit for querying the certificate request status.
After an entity makes a certificate request, the CA might need a long period of time if it
verifies the certificate request in manual mode. During this period, the applicant needs to
query the status of the request periodically to get the certificate as soon as possible after
the certificate is signed.

Enable CRL Checking
Select this box to specify that CRL checking is required during certificate verification.

CRL Update Period
Enter the CRL update period, that is, the interval at which the PKI entity downloads the
latest CRLs.
This item is available after you click the Enable CRL Checking box.
By default, the CRL update period depends on the next update field in the CRL file.
IMPORTANT:
The manually configured CRL update period takes precedence over that specified in the CRL
file.

CRL URL
Enter the URL of the CRL distribution point. The URL can be an IP address or a domain
name.
This item is available after you click the Enable CRL Checking box.
When the URL of the CRL distribution point is not set, you should acquire the CA
certificate and a local certificate, and then acquire a CRL through SCEP.
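As an added illustration of the fingerprint and requesting-URL rules in Table 191 (this is example code written for this page, not the router's own implementation), the following Python block normalizes an operator-entered fingerprint, enforces the 32/40 hexadecimal character lengths for MD5 and SHA1, applies the cross-item rules (Auto mode requires a fingerprint; the requesting URL must be an IP address because the item does not support domain name resolution; the URL may be left empty only in offline mode), and shows the accept/reject decision an entity makes on a retrieved root certificate. The setting key names (request_mode, offline, request_url, fingerprint_hash, fingerprint) and the DEMO_ROOT_CERT bytes are constructed for the example.

```python
"""Added example for this guide, not the router's firmware: checks the CA
root-certificate fingerprint and requesting-URL settings of a PKI domain the
way Table 191 describes them.  DEMO_ROOT_CERT is a constructed byte string
standing in for DER certificate bytes; it is not a real X.509 certificate."""
import hashlib
import hmac
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Fingerprint lengths required by Table 191: 32 hex chars for MD5, 40 for SHA1.
FINGERPRINT_LEN = {"md5": 32, "sha1": 40}


def normalize_fingerprint(text):
    """Strip whitespace/colon separators and case from an entered fingerprint."""
    return re.sub(r"[\s:]", "", text).lower()


def validate_fingerprint_setting(hash_algo, fingerprint):
    """Return a list of problems for a (hash, fingerprint) pair; empty means OK.
    hash_algo None models 'no fingerprint hash specified'."""
    problems = []
    if hash_algo is None:
        if fingerprint:
            problems.append("fingerprint given but no hash algorithm selected")
        return problems
    algo = hash_algo.lower()
    if algo not in FINGERPRINT_LEN:
        problems.append(f"unsupported hash algorithm {hash_algo!r}")
        return problems
    fp = normalize_fingerprint(fingerprint or "")
    if len(fp) != FINGERPRINT_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", fp):
        problems.append(f"{algo} fingerprint must be {FINGERPRINT_LEN[algo]} hex characters")
    return problems


def validate_domain(settings):
    """Apply the cross-item rules of Table 191 to a dict of domain settings.
    Key names (request_mode, offline, request_url, fingerprint_hash, fingerprint)
    are this example's own."""
    problems = validate_fingerprint_setting(settings.get("fingerprint_hash"),
                                            settings.get("fingerprint"))
    mode = settings.get("request_mode", "manual").lower()
    if mode == "auto" and not settings.get("fingerprint_hash"):
        problems.append("Auto request mode requires a root certificate fingerprint")
    url = settings.get("request_url")
    if not url:
        if not settings.get("offline"):
            problems.append("requesting URL is required unless offline mode is used")
    else:
        try:
            ip_address(urlsplit(url).hostname)   # raises ValueError for a host name
        except ValueError:
            problems.append("requesting URL must use an IP address; "
                            "the item does not support domain name resolution")
    return problems


def root_cert_fingerprint(cert_der, hash_algo):
    """Hash of the certificate content, hex encoded (the fingerprint)."""
    return hashlib.new(hash_algo.lower(), cert_der).hexdigest()


def root_cert_accepted(cert_der, hash_algo, configured_fingerprint):
    """Mirror the entity's decision: no hash configured means no verification;
    otherwise the retrieved root certificate must hash to the configured value."""
    if hash_algo is None:
        return True   # accepted unverified: the operator must trust the CA server
    expected = normalize_fingerprint(configured_fingerprint)
    actual = root_cert_fingerprint(cert_der, hash_algo)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the DER bytes of a CA root certificate (not a real cert).
DEMO_ROOT_CERT = b"constructed-root-cert-bytes-for-demo"

if __name__ == "__main__":
    ok_settings = {"request_mode": "auto", "fingerprint_hash": "sha1",
                   "fingerprint": root_cert_fingerprint(DEMO_ROOT_CERT, "sha1"),
                   "request_url": "http://4.4.4.1:8080/certsrv/mscep/mscep.dll"}
    print(validate_domain(ok_settings))                       # []
    print(validate_domain({"request_mode": "auto",
                           "request_url": "http://ca.example.test/mscep.dll"}))
    print(root_cert_accepted(DEMO_ROOT_CERT, "sha1", ok_settings["fingerprint"]))
```

The comparison uses hmac.compare_digest so the check does not leak how many leading characters of the configured fingerprint matched; this is a general good practice for comparing secrets or digests, not a claim about how the router compares them.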

Generating an RSA key pair


1. From the navigation tree, select Certificate Management > Certificate.
Figure 492 PKI certificates

2. Click Create Key.

Figure 493 Generating an RSA key pair

3. Set the key length.


4. Click Apply.

Destroying the RSA key pair


1. From the navigation tree, select Certificate Management > Certificate.
2. Click Destroy Key.
3. Click Apply to destroy the existing RSA key pair and the corresponding local certificate.
Figure 494 Destroying the RSA key pair

Retrieving and displaying a certificate


You can retrieve an existing CA certificate or local certificate from the CA server and save it locally. To
do so, you can use offline mode or online mode. In offline mode, you must retrieve the certificate by an
out-of-band means like FTP, disk, or email, and then import it into the local PKI system. By default, the
retrieved certificate is saved in a file under the root directory of the device, and the filename is
domain-name_ca.cer for the CA certificate, or domain-name_local.cer for the local certificate.
To retrieve a certificate:
1. From the navigation tree, select Certificate Management > Certificate.
2. Click Retrieve Cert.
Figure 495 Retrieving a certificate

3. Configure the parameters as described in Table 192.

4. Click Apply.
Table 192 Configuration items

Item Description

Domain Name
Select the PKI domain for the certificate.

Certificate Type
Select the type of the certificate to be retrieved, which can be CA or local.

Enable Offline Mode
Select this box to retrieve a certificate in offline mode (that is, by an out-of-band means
like FTP, disk, or email).

Get File From Device/Get File From PC
Specify the path and name of the certificate file to import if you enable offline mode:
• If the certificate file is saved on the device, select Get File From Device and then specify
the path and name of the file on the device. If no file is specified, the system, by
default, gets the file domain-name_ca.cer (for the CA certificate) or
domain-name_local.cer (for the local certificate) under the root directory of the device.
• If the certificate file is saved on a local PC, select Get File From PC and then specify the
path and name of the file and specify the partition that saves the file.

Password
If offline mode is enabled, enter the password for protecting the private key, which was
specified when the certificate was exported.

After retrieving a certificate, click View Cert for the certificate from the PKI certificates list to display the
contents of the certificate.
Figure 496 Displaying certificate information

Requesting a local certificate
1. From the navigation tree, select Certificate Management > Certificate.
2. Click Request Cert.
Figure 497 Requesting a certificate

3. Configure the parameters as described in Table 193.


Table 193 Configuration items

Item Description

Domain Name
Select the PKI domain for the certificate.

Password
Enter the password for certificate revocation.

Enable Offline Mode
Select this box to request a certificate in offline mode, that is, by an out-of-band means
like FTP, disk, or email.
If you cannot request a certificate from the CA through the SCEP protocol, you can enable
the offline mode. In this case, after clicking Apply, the offline certificate request
information page appears, as shown in Figure 498. Submit the information to the CA to
request a local certificate.

4. Click Apply.
If you request the certificate in online mode, the system displays "Certificate request has been
submitted." Click OK to confirm. If you request the certificate in offline mode, the system displays
the offline certificate request information. You can submit the information to the CA by an
out-of-band means.
Figure 498 Offline certificate request information

Retrieving and displaying a CRL
1. From the navigation tree, select Certificate Management > CRL.
Figure 499 CRLs

2. Click Retrieve CRL to retrieve the CRL of a domain.


3. Click View CRL for the domain to display the contents of the CRL.
Figure 500 Displaying CRL information

PKI configuration examples


Certificate request from a Windows 2003 CA server
Network requirements
As shown in Figure 501, configure the router to work as the PKI entity, so that:
• The router submits a local certificate request to the CA server, which runs Windows Server 2003.

• The router retrieves CRLs for certificate verification.
Figure 501 Network diagram

Configuring the CA server


1. Install the CA server component:
a. From the start menu, select Control Panel > Add or Remove Programs.
b. Select Add/Remove Windows Components.
c. In the pop-up dialog box, select Certificate Services.
d. Click Next to begin the installation.
2. Install the SCEP add-on:
Because a CA server running the Windows Server 2003 operating system does not support SCEP by
default, be sure to install the SCEP add-on to provide the router with automatic certificate
registration and retrieval. After the add-on is installed, a prompt dialog box appears, displaying
the URL of the registration server that you configure on the router.
3. Modify the certificate service properties:
a. From the start menu, select Control Panel > Administrative Tools > Certificate Authority.
If the CA server and SCEP add-on have been installed successfully, there should be two
certificates issued by the CA to the RA.
b. Right-click CA server and select Properties from the shortcut menu.
c. In the CA server Properties dialog box, click the Policy Module tab.
d. Click Follow the settings in the certificate template, if applicable. Otherwise, automatically
issue the certificate.
e. Click OK.
4. Modify the IIS attributes:
a. From the start menu, select Control Panel > Administrative Tools > Internet Information Services
(IIS) Manager.
b. From the navigation tree, select Web Sites.
c. Right-click Default Web Site and select Properties.
d. Click the Home Directory tab.
e. Specify the path for certificate service in the Local path field. To avoid conflicts with existing
services, change the TCP port number to an unused one on the Web Site tab.
After the configuration, make sure the system clock of the router and that of the CA are synchronized, so
that the router can request certificates correctly.

Configuring the router


1. Create a PKI entity:
a. From the navigation tree, select Certificate Management > Entity.
b. Click Add.

c. Enter aaa as the PKI entity name, enter router as the common name, and click Apply.
Figure 502 Creating a PKI entity

2. Create a PKI domain:


a. From the navigation tree, select Certificate Management > Domain.
b. Click Add.
The page in Figure 503 appears.
c. In upper area of the page, enter torsa as the PKI domain name, enter CA server as the CA
identifier, select aaa as the local entity, select RA as the authority for certificate request, enter
http://4.4.4.1:8080/certsrv/mscep/mscep.dll as the URL for certificate request (the URL must
be in the format of http://host:port/certsrv/mscep/mscep.dll, where host and port are the
host address and port number of the CA server), and select Manual as the certificate request
mode.
d. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
e. Click OK to confirm.

Figure 503 Creating a PKI domain

3. Generate an RSA key pair:
a. From the navigation tree, select Certificate Management > Certificate.
b. Click Create Key.
c. Enter 1024 as the key length, and click Apply.
Figure 504 Generating an RSA key pair

4. Retrieve the CA certificate:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
Figure 505 Retrieving the CA certificate

5. Request a local certificate:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Request Cert.

c. Select torsa as the PKI domain, select Password and then enter "challenge-word" as the
password, and click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm.

Figure 506 Requesting a certificate

Verifying the configuration


After the configuration, you can select Certificate Management > Certificate from the navigation tree,
and then click View Cert corresponding to the certificate of PKI domain torsa to display the certificate
information. You can also click View Cert corresponding to the CA certificate of PKI domain torsa to
display the CA certificate information.

Certificate request from an RSA Keon CA server


Network requirements
Configure the router working as the PKI entity, so that:
• The router submits a local certificate request to the CA server, which runs the RSA Keon software.
• The router retrieves CRLs for certificate verification.
Figure 507 Network diagram

Configuring the CA server


1. Create a CA server named myca:
In this example, you must first configure the basic attributes of Nickname and Subject DN on the
CA server: the nickname is the name of the trusted CA, and the subject DN is the DN attributes of
the CA, including the common name (CN), organization unit (OU), organization (O), and country
(C). Leave the default values of the other attributes.

2. Configure extended attributes:
After configuring the basic attributes, configure the parameters on the Jurisdiction Configuration
page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP
autovetting function, and adding the IP address list for SCEP autovetting.
3. Configure the CRL publishing behavior:
After completing the configuration, perform CRL related configurations.
In this example, select the local CRL publishing mode of HTTP and set the HTTP URL to
http://4.4.4.133:447/myca.crl.
After the configuration, make sure the system clock of the router is synchronized with that of the CA,
so that the router can request certificates and retrieve CRLs properly.

Configuring the router


1. Create a PKI entity:
a. From the navigation tree, select Certificate Management > Entity.
b. Click Add.
c. Enter aaa as the PKI entity name, enter router as the common name, and click Apply.
Figure 508 Creating a PKI entity

2. Create a PKI domain:


a. From the navigation tree, select Certificate Management > Domain.
b. Click Add.
The page in Figure 509 appears.
c. In the upper area of the page, enter torsa as the PKI domain name, enter myca as the CA
identifier, select aaa as the local entity, select CA as the authority for certificate request, enter
http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for
certificate request (the URL must be in the format of http://host:port/Issuing Jurisdiction ID,
where Issuing Jurisdiction ID is the hexadecimal string generated on the CA), and select
Manual as the certificate request mode.
d. Click the expansion button before Advanced Configuration to display the advanced
configuration items.

e. In the advanced configuration area, click the Enable CRL Checking box, and enter
http://4.4.4.133:447/myca.crl as the CRL URL.
f. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
g. Click OK to confirm.

Figure 509 Creating a PKI domain

3. Generate an RSA key pair:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Create Key.
c. Set the key length to 1024, and click Apply.
Figure 510 Generating an RSA key pair

4. Retrieve the CA certificate:
a. From the navigation tree, select Certificate Management > Certificate.
b. Click Retrieve Cert.
c. Select torsa as the PKI domain, select CA as the certificate type, and click Apply.
Figure 511 Retrieving the CA certificate

5. Request a local certificate:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Request Cert.
c. Select torsa as the PKI domain, select Password, enter "challenge-word" as the password, and
click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm.

Figure 512 Requesting a certificate

6. Retrieve the CRL:

a. After retrieving a local certificate, select Certificate Management > CRL from the navigation
tree.
b. Click Retrieve CRL of the PKI domain of torsa.

Figure 513 Retrieving the CRL

Verifying the configuration


After the configuration, select Certificate Management > Certificate from the navigation tree to display
detailed information about the retrieved CA certificate and local certificate, or select Certificate
Management > CRL from the navigation tree to display detailed information about the retrieved CRL.

IKE negotiation with RSA digital signature


Network requirements
An IPsec tunnel is set up between Router A and Router B to secure the traffic between Host A on subnet
10.1.1.0/24 and Host B on subnet 11.1.1.0/24.
Router A and Router B use IKE for IPsec tunnel negotiation and RSA digital signature of a PKI certificate
system for identity authentication.
Router A and Router B use different CAs. They might also use the same CA as required.

Figure 514 Network diagram

Configuring Router A
1. Create a PKI entity:
a. From the navigation tree, select Certificate Management > Entity.
b. Click Add.
c. Enter en as the PKI entity name, enter router-a as the common name, enter 2.2.2.1 as the IP
address of the entity, and click Apply.

Figure 515 Creating a PKI entity

2. Create a PKI domain:


a. From the navigation tree, select Certificate Management > Domain.
b. Click Add.
The page in Figure 516 appears.
c. Enter 1 as the PKI domain name, enter CA1 as the CA identifier, select en as the local entity,
select RA as the authority for certificate request, enter
http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL
given here is just an example. Configure the RA URL as required), enter 1.1.1.102 as the IP
address of the LDAP server and 389 as the port number, select 2 as the version number, and
select Manual as the certificate request mode.
d. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
e. In the advanced configuration area, click the Enable CRL Checking box, and enter
ldap://1.1.1.102 as the URL for CRLs.
f. Click Apply.
The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
g. Click OK to confirm.

Figure 516 Creating a PKI domain

3. Generate an RSA key pair:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Create Key.
c. Enter 1024 as the key length, and click Apply.
Figure 517 Generating an RSA key pair

4. Retrieve the CA certificate:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Retrieve Cert.
c. Select 1 as the PKI domain, select CA as the certificate type, and click Apply.

Figure 518 Retrieving the CA certificate

5. Request a local certificate:


a. From the navigation tree, select Certificate Management > Certificate.
b. Click Request Cert.
c. Select 1 as the PKI domain, and click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm.

Figure 519 Requesting a certificate

6. Configure an IPsec connection:


a. From the navigation tree, select VPN > IPsec VPN.
b. Click Add.
c. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter
3.3.3.1 as the remote gateway IP address, select Certificate as the authentication method,
select CN=router-a for the certificate, select Characteristics of Traffic as the selector type, enter
11.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 10.1.1.0/0.0.0.255 as the
destination IP address/wildcard.
d. Click Apply.

Figure 520 Configuring an IPsec connection

Configuring Router B
The configuration pages for Router B are similar to those of Router A. (Details not shown)
1. Create a PKI entity:
a. From the navigation tree, select Certificate Management > Entity.
b. Click Add.
c. Enter en as the PKI entity name, enter router-b as the common name, and enter 3.3.3.1 as the
IP address of the entity.
d. Click Apply.
2. Create a PKI domain:
a. From the navigation tree, select Certificate Management > Domain.
b. Click Add.
The configuration page appears.
c. In the upper area of the page, enter 1 as the PKI domain name, enter CA2 as the CA identifier,
select en as the local entity, select RA as the authority for certificate request, enter
http://2.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request (the RA URL given
here is just an example. Configure the RA URL as required), enter 2.1.1.102 as the IP address
of the LDAP server and 389 as the port number, select 2 as the version number, and select
Manual as the certificate request mode.
d. Click the expansion button before Advanced Configuration to display the advanced
configuration items.
e. In the advanced configuration area, click the Enable CRL Checking box and enter
ldap://2.1.1.102 as the URL for CRLs.
f. Click Apply.

The system displays "Fingerprint of the root certificate not specified. No root certificate
validation will occur. Continue?"
g. Click OK to confirm.
3. Generate an RSA key pair:
a. From the navigation tree, select Certificate Management > Certificate.
b. Click Create Key.
c. Click Apply to generate an RSA key pair.
4. Retrieve the CA certificate:
a. From the navigation tree, select Certificate Management > Certificate.
b. Click Retrieve Cert.
c. Select 1 as the PKI domain, select CA as the certificate type, and click Apply.
5. Request a local certificate:
a. From the navigation tree, select Certificate Management > Certificate.
b. Click Request Cert.
c. Select 1 as the PKI domain, and click Apply.
The system displays "Certificate request has been submitted."
d. Click OK to confirm.
6. Add an IPsec connection:
a. From the navigation tree, select VPN > IPsec VPN.
b. Click Add.
c. Enter con as the IPsec connection name, select Ethernet0/2 as the gateway interface, enter
2.2.2.1 as the remote gateway IP address, select Certificate as the authentication method, and
select CN=router-b for the certificate, select Characteristics of Traffic as the selector type, enter
10.1.1.0/0.0.0.255 as the source IP address/wildcard, and enter 11.1.1.0/0.0.0.255 as the
destination IP address/wildcard.
d. Click Apply.
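The IPsec selectors above are entered as address/wildcard pairs (for example 10.1.1.0/0.0.0.255), and the same wildcard matching underlies the ACLs that the FTP, HTTP, and HTTPS services can be associated with in "Managing services". The following Python code is an added example for this page, not part of the guide or of the router's software: it matches addresses against wildcard pairs, checks that the two tunnel ends' selectors mirror each other, and evaluates a small ordered ACL. The function names (matches, selector_covers, is_mirror, acl_permits) are the example's own, and the first-match-wins, deny-if-unmatched ACL behaviour is this example's assumption, consistent with the guide's statement that only clients passing the ACL filtering are permitted; DEMO_FTP_ACL is constructed.

```python
"""Added example for this guide, not the router's own code: matches IPv4
addresses against H3C-style address/wildcard pairs such as the IPsec traffic
selector 10.1.1.0/0.0.0.255, and applies the same matching to an ordered ACL.
In a wildcard mask a 0 bit means "must match" and a 1 bit means "ignore"."""
from ipaddress import IPv4Address


def parse_wildcard(spec):
    """'10.1.1.0/0.0.0.255' -> (address_int, wildcard_int)."""
    addr, wild = spec.split("/")
    return int(IPv4Address(addr)), int(IPv4Address(wild))


def matches(ip, spec):
    """True when ip falls inside the address/wildcard pair spec."""
    addr, wild = parse_wildcard(spec)
    care = 0xFFFFFFFF ^ wild            # bits the wildcard says must match
    return (int(IPv4Address(ip)) & care) == (addr & care)


def selector_covers(selector, src_ip, dst_ip):
    """selector is a (source_spec, destination_spec) pair as entered on the
    IPsec connection page; True if a src->dst packet is selected for the tunnel."""
    src_spec, dst_spec = selector
    return matches(src_ip, src_spec) and matches(dst_ip, dst_spec)


def is_mirror(selector_a, selector_b):
    """The two tunnel ends must describe the same traffic from opposite sides:
    A's source must equal B's destination and vice versa."""
    a_src, a_dst = (parse_wildcard(s) for s in selector_a)
    b_src, b_dst = (parse_wildcard(s) for s in selector_b)
    return a_src == b_dst and a_dst == b_src


def acl_permits(rules, client_ip):
    """rules: ordered list of (action, spec) with action 'permit' or 'deny'.
    First matching rule wins; a client matching no rule is denied (this
    example's assumption, based on the guide's wording that only clients
    passing the ACL filtering may use the service)."""
    for action, spec in rules:
        if matches(client_ip, spec):
            return action == "permit"
    return False


# Selectors exactly as entered for Router A and Router B in this section.
ROUTER_A_SELECTOR = ("11.1.1.0/0.0.0.255", "10.1.1.0/0.0.0.255")
ROUTER_B_SELECTOR = ("10.1.1.0/0.0.0.255", "11.1.1.0/0.0.0.255")

# Constructed management ACL: one host in the admin /24 denied, the rest permitted.
DEMO_FTP_ACL = [("deny", "10.1.1.9/0.0.0.0"), ("permit", "10.1.1.0/0.0.0.255")]

if __name__ == "__main__":
    print(is_mirror(ROUTER_A_SELECTOR, ROUTER_B_SELECTOR))     # True
    print(selector_covers(ROUTER_B_SELECTOR, "10.1.1.5", "11.1.1.5"))
    for client in ("10.1.1.10", "10.1.1.9", "10.1.2.10"):
        print(client, acl_permits(DEMO_FTP_ACL, client))
```

Because rule order decides the result, a permit for a whole subnet placed before a deny for one host in it would silently make the deny unreachable; checking an ACL with a few representative client addresses, as the main block does, catches that before the ACL is attached to a management service.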

Configuration guidelines
When you configure PKI, follow these guidelines:
• Make sure the clocks of entities and the CA are synchronized. Otherwise, the validity period of
certificates will be evaluated incorrectly.
• The Windows 2000 CA server has some restrictions on the data length of a certificate request. If the
PKI entity identity information in a certificate request goes beyond a certain limit, the server will not
respond to the certificate request.
• The SCEP plug-in is required when you use the Windows Server as the CA. In this case, specify RA
as the authority for certificate request when you configure the PKI domain.
• The SCEP plug-in is not required when you use the RSA Keon software as the CA. In this case,
specify CA as the authority for certificate request when you configure the PKI domain.
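To make the clock-synchronization guideline and the CRL update period rule of Table 191 concrete, the following Python code is an added example (it is not from this guide and not the router's verification engine) that models the inputs configured in this section: a certificate's validity period, a CRL with its next update field, the manually configured CRL update period that takes precedence over that field, and the local clock. Cert and Crl are constructed records rather than parsed X.509 data, and the rule that a missing or stale CRL fails verification while CRL checking is enabled is this example's assumption.

```python
"""Added example for this guide, not the router's verification engine: models
the inputs configured in this section (validity period, CRL checking, CRL
update period, local clock) to show how clock skew and the CRL refresh rules
affect certificate verification.  Cert and Crl are constructed records, not
parsed X.509/DER data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime          # the CRL's "next update" field
    revoked: set = field(default_factory=set)


def hours(n):
    return timedelta(hours=n)


def next_crl_refresh(crl, manual_period=None):
    """When a fresh CRL is due.  A manually configured CRL update period
    (a timedelta) takes precedence over the next update field in the CRL."""
    if manual_period is not None:
        return crl.this_update + manual_period
    return crl.next_update


def verify(cert, now, crl=None, crl_checking=False, manual_period=None):
    """Return (ok, reason) for cert at local time now.  Treating a missing or
    stale CRL as a failure when CRL checking is enabled is this example's
    assumption; the guide only states that checking is required."""
    if now < cert.not_before:
        return False, "certificate not yet valid (is the local clock synchronized with the CA?)"
    if now > cert.not_after:
        return False, "certificate expired"
    if crl_checking:
        if crl is None:
            return False, "CRL checking enabled but no CRL retrieved"
        if now > next_crl_refresh(crl, manual_period):
            return False, "CRL is past its refresh time; retrieve a new CRL"
        if cert.serial in crl.revoked:
            return False, "certificate revoked"
    return True, "valid"


# Constructed demo data: the CA issues the certificate and the CRL at ISSUE.
ISSUE = datetime(2013, 3, 20, 10, 0, tzinfo=timezone.utc)
DEMO_CERT = Cert(serial=0x1001, not_before=ISSUE, not_after=ISSUE + hours(24 * 365))
DEMO_CRL = Crl(this_update=ISSUE, next_update=ISSUE + hours(24 * 7), revoked={0x0FFF})


def clock(hours_after_issue):
    """Local router time relative to the CA's issue time; a negative value
    models a router clock that runs behind the CA's clock."""
    return ISSUE + hours(hours_after_issue)


if __name__ == "__main__":
    # A router clock two hours behind the CA rejects a certificate the CA just issued.
    print(verify(DEMO_CERT, clock(-2)))
    print(verify(DEMO_CERT, clock(1), DEMO_CRL, crl_checking=True))
    # Eight days on, the CRL's own next update has passed ...
    print(verify(DEMO_CERT, clock(24 * 8), DEMO_CRL, crl_checking=True))
    # ... but a manually configured 30-day update period takes precedence.
    print(verify(DEMO_CERT, clock(24 * 8), DEMO_CRL, crl_checking=True,
                 manual_period=hours(24 * 30)))
```

The first call is the failure mode the guideline warns about: nothing is wrong with the certificate, only with the router's clock, yet the entity reports it as not yet valid.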

Managing the system

Managing the configuration


Saving the configuration
This module provides the following two functions:
• Saving the current configuration to the configuration file to be used at the next startup (including
the .cfg and .xml files).
• Saving the current configuration as the factory default configuration. The name of the factory
default configuration file is init.cfg.

Besides the following methods, the Web management interface allows you to click the button on
the right of the title area to save the configuration quickly.
Saving the configuration takes a period of time.
The system does not support two or more users saving the configuration at the same time. If this
occurs, the system prompts the later users to try again later.
When you save the current configuration on a distributed device, the standby main processing unit (MPU)
does not save the .xml configuration file. To keep the active MPU and the standby MPU synchronized,
copy this file to the standby MPU.
To save the configuration:
1. Select System Management > Configuration from the navigation tree.
The save configuration page appears.
Figure 521 Saving the configuration

2. Perform one of the following operations as needed:
• To save the current configuration to the configuration file to be used at the next startup, click
Save Current Settings.
• To save the current configuration to both the configuration file to be used at the next startup and
the factory default configuration file, click Save As Factory-Default Settings.

Restoring factory defaults


This function allows you to clear the current configuration file. Then you can restart the device with the
factory default configuration.
To restore the factory defaults:
1. Select System Management > Configuration from the navigation tree.
2. Click the Initialize tab.
The initialize configuration page appears.
Figure 522 Restoring factory defaults

3. Click Restore Factory-Default Settings.

Backing up configuration
Configuration file backup allows you to:
• View the configuration file for next startup (including .cfg and .xml files).
• Back up the configuration file for next startup (including .cfg and .xml files) to the PC of the current
user.
To back up the configuration:
1. Select System Management > Configuration from the navigation tree.
2. Click the Backup tab.
The page for configuring file backup appears.
Figure 523 Configuration file backup page

3. Click one of the Backup buttons as needed:
• When you click the upper Backup button in this figure, a file download dialog box appears.
You can select to view the .cfg file or to save the file locally.
• When you click the lower Backup button in this figure, a file download dialog box appears.
You can select to view the .xml file or to save the file locally.

Restoring configuration
Configuration restoration allows you to:
• Upload the .cfg file on the host of the current user to the device for the next startup.
• Upload the .xml file on the host of the current user to the device for the next startup, and delete the
previous .xml configuration file that was used for the next startup.
To restore the configuration:
1. Select System Management > Configuration from the navigation tree.
2. Click the Restore tab.
The restoring configuration file page appears.
Figure 524 Restoring configuration file page

3. Click one of the Browse… buttons as needed:
• When you click the upper Browse… button in this figure, the file upload dialog box appears.
You can select the .cfg file to upload.
• When you click the lower Browse… button in this figure, the file upload dialog box appears.
You can select the .xml file to upload.
4. Click Apply.

Backing up and restoring device files through the USB port


The files needed in device running, such as startup files and configuration files, are stored in the storage
medium of the device. To facilitate management of the files on the device, the device provides the fast
backup and restoration function.
• Fast backup—Backs up files on the device to the destination device through a universal serial bus
(USB) port.
• Fast restoration—Transfers files from the device where the files are backed up to the local device
through a USB port. In addition, the system allows you to choose whether to specify the startup file
or configuration file to be restored as the main startup file or configuration file of the device.
Devices use different types of storage media, such as flash cards and CF cards. The storage medium
type depends on the device model.
To back up and restore device files through the USB port:
1. Select System Management > Configuration from the navigation tree.
2. Click Backup and Restore.
The backup and restoration page appears.
Figure 525 Backing up and restoring device files through the USB port

3. Perform one of the following operations as needed:
• In the Device File(s) area, select the files to be backed up, and click the Backup button to back up
the selected files to the destination device.
• In the USB File(s) area, select the files to be restored, and click the Restore button to transfer the
selected files to the device through the USB port.
You can restore multiple files at a time, but only one startup file or configuration file can be included in
the files to be restored.

Rebooting the device
CAUTION:
Before rebooting the device, save the configuration. Otherwise, all unsaved configuration will be lost after
reboot. After the device reboots, you need to re-log in to the Web interface.

To reboot the device:


1. Select System Management > Reboot from the navigation tree.
The device reboot configuration page appears.
You can verify whether the current configuration has been saved to the configuration file to be
used at the next startup as needed.
If you select the Check whether the current configuration is saved in the next startup
configuration file option, the system checks the configuration before rebooting the device. If the
check is successful, the system reboots the device; if the check fails, the system pops up a dialog
box telling you that the current configuration and the saved configuration are inconsistent, and
does not reboot the device. In this case, save the current configuration manually before you can
reboot the device.
If you do not select the option, the system reboots the device directly.
2. Click Apply.
Figure 526 Device reboot page

Managing services
This module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP, and HTTPS. You can enable or
disable the services as needed. Disabling services you do not need improves the performance and
security of the system and allows the device to be managed securely.
This module also provides the function to modify HTTP and HTTPS port numbers, and the function to
associate the FTP, HTTP, or HTTPS service with an ACL, reducing attacks on these services by
unauthorized users.
The description of the services is as follows:
• FTP service—Transfers files between server and client over a TCP/IP network.
• Telnet service—Provides remote login and virtual terminal functions on the network.
• SSH service—Offers an approach to securely logging in to a remote device. By encryption and
strong authentication, it protects devices against attacks such as IP spoofing and plaintext
password interception.
• SFTP service—Uses the SSH connection to provide secure data transfer. The device can serve as the
SFTP server, allowing a remote user to log in to the SFTP server for secure file management and
transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a
remote device for secure file transfer. It is a new feature in SSH2.0.
• HTTP service—Transfers Web page information across the Internet. It is an application-layer
protocol in the TCP/IP protocol suite. With the HTTP service enabled, you can log in to the device
by using HTTP to access and control the device through Web-based network management.
• HTTPS service—Secures data transmission through SSL as follows:
  • Uses the SSL protocol to allow legitimate clients to access the device securely and to reject
  illegitimate clients.
  • Encrypts the data exchanged between the HTTPS client and the device to ensure data security
  and integrity, realizing secure management of the device.
  • Defines a certificate attribute-based access control policy for the device to control client access
  rights and further protect the device from illegitimate clients.
To manage services:
1. Select System Management > Service Management from the navigation tree.
The service management configuration page appears.
2. Configure the service management as described in Table 194.
3. Click Apply.
Figure 527 Service management

Table 194 Configuration items

FTP
  Enable FTP service: Specify whether to enable the FTP service. The FTP service is disabled by default.
  ACL: Associate the FTP service with an ACL. Only the clients that pass the ACL filtering are permitted
  to use the FTP service. You can view this configuration item by clicking the expanding button in front
  of FTP.

Telnet
  Enable Telnet service: Specify whether to enable the Telnet service. The Telnet service is disabled by
  default.

SSH
  Enable SSH service: Specify whether to enable the SSH service. The SSH service is disabled by default.

SFTP
  Enable SFTP service: Specify whether to enable the SFTP service. The SFTP service is disabled by
  default.
  IMPORTANT: When you enable the SFTP service, the SSH service must be enabled.

HTTP
  Enable HTTP service: Specify whether to enable the HTTP service. The HTTP service is enabled by
  default.
  Port Number: Set the port number for the HTTP service. You can view this configuration item by
  clicking the expanding button in front of HTTP.
  IMPORTANT: When you modify a port, ensure that the port is not used by another service.
  ACL: Associate the HTTP service with an ACL. Only the clients that pass the ACL filtering are
  permitted to use the HTTP service. You can view this configuration item by clicking the expanding
  button in front of HTTP.

HTTPS
  Enable HTTPS service: Specify whether to enable the HTTPS service. The HTTPS service is disabled by
  default.
  Certificate: Configure the local certificate for the HTTPS service. The list displays the certificate
  subjects. The optional certificates are configured on the VPN > Certificate Management page. For
  more information, see "Managing certificates."
  IMPORTANT: If no certificate is specified, HTTPS generates a self-signed certificate.
  Port Number: Set the port number for the HTTPS service. You can view this configuration item by
  clicking the expanding button in front of HTTPS.
  IMPORTANT: When you modify a port, make sure the port is not used by another service.
  ACL: Associate the HTTPS service with an ACL. Only the clients that pass the ACL filtering are
  permitted to use the HTTPS service. You can view this configuration item by clicking the expanding
  button in front of HTTPS.
Managing users
This module provides the following functions:
• Create a local user, and set the password, access level, and service type for the user.
• Set the super password for switching the current Web user access level to the management level.
• Switch the current Web user access level to the management level.

Creating a user
1. Select System Management > Users from the navigation tree.
2. Click the Create User tab.
The page for creating local users appears.
3. Create the user as described in Table 195.
4. Click Apply.
Figure 528 Creating a user

Table 195 Configuration items

Username: Set the username for a user.
Access Level: Set the access level for a user, so that users of different levels can perform different
operations. Ranging from low to high, Web user levels are as follows:
• Visitor—Users of this level can use the network diagnostic tools ping and trace route.
They can neither access the device data nor configure the device.
• Monitor—Users of this level can only access the device data but cannot configure the
device.
• Configure—Users of this level can access data from the device and configure the
device, but they cannot upgrade the host software, add/delete users, modify users, or
backup/restore the application file.
• Management—Users of this level can perform any operations for the device.
IMPORTANT: Only the Web, FTP, and Telnet users support the access level setting.
Password: Set the password for a user.
Confirm Password: Enter the same password again. Otherwise, the system prompts that the two passwords
entered are not consistent when you apply the configuration.
Service: Set the service type, including Web, FTP, Telnet, Terminal (users logging in to the device
through the console port, AUX port, and Asyn port), and PPP services. You must select at
least one of them.

Setting the super password


Users of the management level can specify the password for a lower-level user to switch from the current
access level to the management level. If no such password is configured, the switchover fails.
To set the super password for switching to the management level:
1. Select System Management > Users from the navigation tree.
2. Click the Super Password tab.
The super password configuration page appears.
3. Configure the super password as described in Table 196.
4. Click Apply.
Figure 529 Super password configuration page

Table 196 Configuration items

Create/Remove: Set the operation type:
• Create—Configure or modify the super password.
• Remove—Remove the current super password.
Password: Set the password for a user to switch to the management level.
Confirm Password: Enter the same password again. Otherwise, the system prompts that the two passwords
entered are not consistent when you apply the configuration.

Switching to the management level


This function enables a user to switch the current user level to the management level.
Before switching, make sure the super password is already configured. A user cannot switch to the
management level without a super password.

The access level switchover of a user is valid for the current login only. The access level configured for the
user is not changed. When the user re-logs in to the Web interface, the access level of the user is still the
original level.
To switch the user access level to the management level:
1. Select System Management > Users from the navigation tree.
2. Click the Switch to Management tab.
The access level switching page appears.
3. Enter the super password.
4. Click Login.
Figure 530 Access level switching page

Configuring system time


Configure a correct system time so the device can work with other devices properly.
The device supports setting and displaying the system time, and setting the time zone and daylight saving
time through manual configuration and automatic synchronization of NTP server time.
An administrator cannot keep time synchronized among all the devices within a network by changing the
system clock on each device, because this is a huge amount of workload and cannot guarantee the clock
precision. NTP, however, allows quick clock synchronization within the entire network and ensures a high
clock precision.
Defined in RFC 1305, NTP synchronizes timekeeping among distributed time servers and clients. NTP
runs over the User Datagram Protocol (UDP), using UDP port 123.
NTP enables you to keep consistent timekeeping among all clock-dependent devices within the network
so that the devices can provide diverse applications based on the consistent time.

Setting the system time


1. Select System Management > System Time from the navigation tree.
The System Time page appears. On the upper part of the interface, the current system time is
displayed.
2. Set the system time as described in Table 197.
3. Click Apply.

Figure 531 System time configuration page

Table 197 Configuration items

Automatic Synchronization
  NTP Server 1 / NTP Server 2: Enable automatic clock synchronization with an NTP server. You can
  specify two NTP servers by entering their IP addresses. NTP Server 1 is the primary and NTP Server 2
  is the secondary.
  IMPORTANT:
  • With automatic synchronization configured, the device periodically synchronizes its time with the
  NTP server. If the synchronization fails, the system uses the manually configured time. After the
  synchronization recovers, the system uses the synchronized time.
  • The IP address of an NTP server is a host address, and cannot be a broadcast or a multicast
  address, or the IP address of the local clock.
  • If the system time of the NTP server is ahead of the system time of the device, and the difference
  between them exceeds the Web idle time specified on the device, all online Web users are logged out
  because of timeout.

Manual Setup: Set the system time manually. You can type the system date and time in the box, or
select the date and time in the calendar, as shown in Figure 532.
  • Click Today. The date in the calendar becomes the local date, and the time in the calendar does not
  change.
  • Select the year, month, date, and time, and then click OK.

Figure 532 Calendar page

Setting the time zone and daylight saving time


1. Select System Management > System Time from the navigation tree.
2. Click the Time Zone tab.
The page for setting time zone appears.
3. Configure the time zone as described in Figure 533.
4. Click Apply.
Figure 533 Time zone

Table 198 Configuration items

Time Zone: Set the time zone for the system.
Adjust clock for daylight saving time changes: Adjust the system clock for daylight saving time changes,
which means adding one hour to the current system time. Click Adjust clock for daylight saving time
changes to expand the option, as shown in Figure 534. You can configure the daylight saving time
changes in the following ways:
• Specify that the daylight saving time starts on a specific date and ends on a specific date. The time
range must be greater than one day and smaller than one year. For example, configure the daylight
saving time to start on August 1st, 2006 at 06:00:00 a.m., and end on September 1st, 2006 at
06:00:00 a.m.
• Specify that the daylight saving time starts and ends on the corresponding specified days every year.
The time range must be greater than one day and smaller than one year. For example, configure the
daylight saving time to start on the first Monday in August at 06:00:00 a.m., and end on the last
Sunday in September at 06:00:00 a.m.

Figure 534 Setting the daylight saving time

Configuring TR-069
The TR-069 protocol is a technical specification initiated and developed by the DSL Forum. It defines the
general framework, message format, management method, and data model for managing and
configuring home network devices in the next-generation network.
TR-069 is mainly applied to DSL access networks. In a DSL access network, user devices are numerous
and are usually deployed separately on the customer premises, so device management and
maintenance are hard to perform. TR-069 solves this problem through remote central management of
the Customer Premises Equipment (CPE) by an Auto-Configuration Server (ACS).

TR-069 network framework
Figure 535 Network diagram

The basic network elements of TR-069 are:


• ACS—Auto-Configuration Server, which is the management device in the network.
• CPE—Customer Premise Equipment, which is the managed device in the network.
• DNS server—Domain Name System server. TR-069 defines that an ACS and a CPE use URLs to
identify and access each other. DNS is used to resolve the URLs.
• DHCP server—Dynamic Host Configuration Protocol server, which assigns an IP address to an ACS
and a CPE, and uses the option fields in the DHCP packet to provide configuration parameters to
the CPE.
The MSR router is a CPE and uses TR-069 to communicate with an ACS.

Basic functions of TR-069


Auto connection between ACS and CPE
A CPE can connect to an ACS automatically by sending an Inform message. The following conditions
may trigger an auto connection:
• CPE startup. A CPE can find the corresponding ACS according to the acquired URL, and initiates
a connection to the ACS.
• A CPE is configured to send Inform messages periodically. The CPE automatically sends an Inform
message at the configured interval (1 hour for example) to establish connections.
• A CPE is configured to send Inform messages at a specific time. The CPE automatically sends an
Inform message at the configured time to establish a connection.
• The current session is not finished but interrupted abnormally. In this case, if the number of CPE
auto-connection retries does not reach the limit, the CPE automatically establishes a connection.
An ACS can initiate a Connect Request to a CPE at any time, and can establish a connection with the
CPE after passing the CPE authentication.

Auto-configuration
When a CPE logs in to an ACS, the ACS can automatically apply some configurations to the CPE to
perform auto configuration of the CPE. Auto-configurable parameters supported by the device include,
but are not limited to the following:
• Configuration file (ConfigFile)

• ACS address (URL)
• ACS username (Username)
• ACS password (Password)
• Inform message auto sending flag (PeriodicInformEnable)
• Inform message auto sending interval (PeriodicInformInterval)
• Inform message auto sending time (PeriodicInformTime)
• CPE username (ConnectionRequestUsername)
• CPE password (ConnectionRequestPassword)

CPE system software image and configuration file management


The administrator can store important files such as the system software image and configuration file on
an ACS. If the ACS finds that a file is updated, it notifies the CPE to download the file by sending a
request. After the CPE receives the request, it can automatically download the file from the specified file
server according to the filename and download address provided in the ACS request. After the CPE
downloads the file, it checks the file validity and then reports the download result (succeeded or failed)
to the ACS. The device does not support file download with digital signatures.
The device supports downloading the following types of files: system software image and configuration
file.
To back up important data, a CPE can upload the current configuration file to the specified server as
required by an ACS. The device supports uploading only the vendor configuration file and the log file.

CPE status and performance monitoring


An ACS can monitor the parameters of the CPEs connected to it. Different CPEs have different
performance and functionality, so the ACS must be able to identify each CPE and monitor its current
configuration and configuration changes. TR-069 also allows the administrator to define monitoring
parameters and retrieve them through an ACS, so as to obtain CPE status and statistics.
The status and performance that can be monitored by an ACS include:
• Manufacturer name (Manufacturer)
• Manufacturer identification (ManufacturerOUI)
• Serial number (SerialNumber)
• Hardware version (HardwareVersion)
• Software version (SoftwareVersion)
• Device status (DeviceStatus)
• Up time (UpTime)
• Configuration file
• ACS address
• ACS username
• ACS password
• PeriodicInformEnable
• PeriodicInformInterval
• PeriodicInformTime

• CPE address
• CPE username
• CPE password
For the TR-069 mechanism, see Network Management and Monitoring Configuration Guide in H3C
MSR Series Routers Configuration Guide (V5).

Configuration procedure
The TR-069 parameters of a CPE can be configured automatically through ACS remote management, and
can also be configured manually through the Web interface, which is described in detail in this section.
To configure TR-069 manually:
1. Select System Management > TR-069 from the navigation tree.
The TR-069 configuration page appears.
2. Configure TR-069 as described in Table 199.
3. Click Apply.
Figure 536 TR-069 configuration page

Table 199 Configuration items

TR-069: Enable or disable TR-069. TR-069 configurations can take effect only after you enable TR-069.

ACS
  URL: Configure the URL used by a CPE to initiate a connection to the ACS.
  Username: Configure the username used by a CPE to initiate a connection to the ACS.
  Password: Configure the password used by a CPE to initiate a connection to the ACS. You can specify
  a username without a password that is used in the authentication. If so, the configuration on the
  ACS and that on the CPE must be the same.

CPE
  Username: Configure the username used by the CPE to authenticate the connection request sent from
  the ACS.
  Password: Configure the password used by the CPE to authenticate the connection request sent from
  the ACS. You can specify a username without a password that is used in the authentication. If so,
  the configuration on the ACS and that on the CPE must be the same.

Sending Inform: Enable or disable the CPE's periodic sending of Inform messages.
Interval: Configure the interval between sending the Inform messages.
CPE Interface: Set the CPE connection interface. The CPE sends Inform packets carrying the IP address
of this interface so that the ACS establishes a connection with the CPE using this IP address.

Configuration guidelines
TR-069 configuration through ACS is of higher priority than that through Web. You cannot use a
configuration mode to modify parameters configured through a configuration mode with a higher
priority.
To remove the configuration of a parameter, select the parameter, clear the value you entered, and click
Apply.

Upgrading software
CAUTION:
Software upgrade takes a period of time. During software upgrade, do not perform any operation on the
Web interface. Otherwise, software upgrade may be interrupted.

A system software image, also known as the "boot file", is an application file used to boot the device. A
main system software image is used to boot a device and a backup system software image is used to
boot a device only when the main system software image is unavailable.
Software upgrade allows you to get a target application file from the current host and set the file as the
system software image (or as the main or backup system software image on devices that support
main/backup system software images) to be used at the next boot.

Upgrading software (for the MSR 900/MSR 20-1X)


1. Select System Management > Software Upgrade from the navigation tree.
The software upgrade configuration page appears.
2. Configure the software upgrading as described in Table 200.
3. Click Apply.

Figure 537 Software upgrade configuration page

Table 200 Configuration items

File: Specify the filename of the local application file, which must have the .app or .bin extension.
IMPORTANT: The filename is main.bin when the file is saved on the device.
Reboot after the upgrading finished: Specify whether to reboot the device to make the upgraded
software take effect after the application file is uploaded.

Upgrading software (for the MSR 20/30/50/930)


1. Select System Management > Software Upgrade from the navigation tree.
The software upgrade configuration page appears.
2. Configure the software upgrading as described in Table 201.
3. Click Apply.
Figure 538 Software upgrade configuration page

Table 201 Configuration items

File: Specify the filename of the local application file, which must have the .app or .bin extension.
File Type: Specify the type of the system software image for the next boot:
• Main.
• Backup.
If a file with same name already exists, overwrite it without any prompt: Specify whether to overwrite
the file with the same name. If you do not select the option, when a file with the same name exists, the
system prompts "The file has existed.", and you cannot perform the upgrade operation.
Reboot after the upgrading finished: Specify whether to reboot the device to make the upgraded
software take effect after the application file is uploaded.

Configuring SNMP (lite version)

This chapter is only applicable to the MSR 900/20-1X series routers.


For information about configuring SNMP from the Web interface for the MSR 20/30/50/930 series
routers, see "Configuring SNMP."

Overview
The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a
management station to access and operate the devices on a network, regardless of their vendors,
physical characteristics and interconnect technologies.
The SNMP framework comprises the following elements:
• SNMP manager—Works on a network management system (NMS) to monitor and manage the
SNMP-capable devices in the network.
• SNMP agent—Works on a managed device to receive and handle requests from the NMS, and
send traps to the NMS when some events, such as interface state change, occur.
H3C supports SNMPv1, SNMPv2c, and SNMPv3. An NMS and an SNMP agent must use the same
SNMP version to communicate with each other.
• SNMPv1—Uses community names for authentication. To access an SNMP agent, an NMS must use
the same community name as set on the SNMP agent. If the community name used by the NMS is
different from the community name set on the agent, the NMS cannot establish an SNMP session to
access the agent or receive traps and notifications from the agent.
• SNMPv2c—Uses community names for authentication. SNMPv2c is compatible with SNMPv1, but
supports more operation modes, data types, and error codes.
• SNMPv3—Uses a user-based security model (USM) to secure SNMP communication. You can
configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for
integrity, authenticity, and confidentiality.
For more information about the SNMP protocol, see H3C MSR Series Routers Network Management and
Monitoring Configuration Guide.

Enabling the SNMP agent function


1. Select System Management > SNMP from the navigation tree to enter the page as shown in Figure
539.

Figure 539 SNMP page

2. Configure the SNMP agent, as shown in Table 202.


Table 202 Configuration items

SNMP: Specify whether to enable or disable the SNMP agent.
IMPORTANT: If the SNMP agent function is disabled, all SNMP agent-related configurations will be
removed.
SNMP Version: Set the SNMP version run by the system. The option SNMPv1 & v2 represents SNMPv1
and SNMPv2c. The SNMP version on the agent must be the same as that running on the NMS.
Contact: Set a character string to describe contact information for system maintenance. If the device is
faulty, the maintainer can contact the manufacturer according to the contact information of the device.
Sysname: Set the system name of the device. The configured system name is displayed on the top of the
navigation tree.
Device Location: Set a character string to describe the physical location of the device.
Security Username: Set the SNMP security username when you select the SNMP version SNMPv3. The
security name on the agent must be the same as that on the NMS.
Authentication Password: Set the authentication password when you select the SNMP version SNMPv3.
The authentication password on the agent must be the same as that on the NMS. The authentication
mode on the agent is MD5, and the authentication mode on the NMS must be MD5.
Privacy Password: Set the privacy password when the SNMP version is selected as SNMPv3. The privacy
password on the agent must be the same as that on the NMS. The privacy mode on the agent is DES56,
and the privacy mode on the NMS must be DES56.
Read Password: When the SNMP version is SNMPv1 & v2, set the read-only password with which the
NMS can perform only read operations on the agent. The read password on the agent must be the same
as that on the NMS.
Read & Write Password: When the SNMP version is SNMPv1 & v2, set the read and write password with
which the NMS can perform both read and write operations on the agent. The read and write password
on the agent must be the same as that on the NMS.
Trap Password:
• When the SNMP version is SNMPv1 & v2, set the authentication password with which the agent can
send traps to the NMS. The trap password on the agent must be the same as that on the NMS. The
trap password is usually the same as either the read password or the read & write password.
• The trap password defaults to the security username and is not configurable when the SNMP version
is SNMPv3.
Trusted Host: Set the trusted IP address of the agent:
• If the trusted host is specified, only the NMS with the specified source IP address can access the
agent.
• If no trusted host is specified, there is no IP-address-based access control on the NMS.
Trap Target Host Address/Domain: Set the IP address or hostname of the SNMP trap target host.

SNMP configuration examples


SNMPv1/v2c configuration example
Network requirements
As shown in Figure 540, the NMS at 1.1.1.2/24 uses SNMPv1 or SNMPv2c to manage the SNMP agent
at 1.1.1.1/24. The agent automatically sends traps to report events to the NMS.
Figure 540 Network diagram

Configuring the SNMP agent
1. Select System Management > SNMP from the navigation tree, and then perform configuration as
shown in Figure 541.
Figure 541 Configuring the SNMP agent

2. Select the Enable option.


3. Select the SNMPv1 & v2 option.
4. Type readonly in the field of Read Password.
5. Type read&write in the field of Read & Write Password.
6. Type read&write in the field of Trap Password.
7. Type 1.1.1.2 in the field of Trap Target Host Address/Domain.
8. Click Apply.

Configuring the SNMP NMS


The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
1. Configure the SNMP version for the NMS as v1 or v2c.
2. Create a read-only community public and set the read-only password to readonly.
3. Create a read and write community and set the read and write password to readwrite.
For more information about configuring the NMS, see the NMS manual.

Verifying the configuration


• After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
• Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.

SNMPv3 configuration example
Network requirements
As shown in Figure 542, the NMS (1.1.1.2/24) uses SNMPv3 to monitor and manage the interface status
of the agent (1.1.1.1/24), and the agent automatically sends traps to report events to the NMS.
The NMS and the agent perform authentication when they set up an SNMP session. The authentication
algorithm is MD5 and the authentication key is authkey. The NMS and the agent also encrypt the SNMP
packets between them by using the DES algorithm and the privacy key prikey.
Figure 542 Network diagram

Configuring the SNMP agent


1. Select System Management > SNMP from the navigation tree, and then perform the following
configurations, as shown in Figure 543.
Figure 543 Configuring the SNMP agent

2. Select the Enable radio box.


3. Select the SNMPv3 radio box.
4. Type user1 in the field of Security Username.
5. Type authkey in the field of Authentication Password.
6. Type prikey in the field of Privacy Password.
7. Type 1.1.1.2 in the field of Trusted Host.
8. Type 1.1.1.2 in the field of Trap Target Host Address/Domain.
9. Click Apply.

Configuring the SNMP NMS
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform
corresponding operations.
1. Specify the SNMP version for the NMS as v3.
2. Create an SNMP user user1.
3. Enable both authentication and privacy functions.
4. Use MD5 for authentication and DES56 for encryption.
5. Set the authentication key to authkey and the privacy key to prikey.
For more information about configuring the NMS, see the NMS manual.

Verifying the configuration


• After the configuration, an SNMP connection is established between the NMS and the agent. The
NMS can get and configure the values of some parameters on the agent through MIB nodes.
• Disable or enable an idle interface on the device, and the NMS receives the corresponding trap.
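The SNMPv3 settings above (MD5 authentication with password authkey, DES56 privacy with prikey) work only because the NMS and the agent derive the same keys from the same passwords. The Python below is an added example and not H3C code: it implements the RFC 3414 password-to-key and key-localization steps and the HMAC-MD5-96 message authentication that both sides compute. The engine ID it uses is the RFC 3414 sample value, not one read from an MSR router, and the message bytes are a constructed placeholder.

```python
"""RFC 3414 USM key derivation and HMAC-MD5-96 authentication (added example).

Not H3C code.  Both the NMS and the agent turn the Authentication Password
and Privacy Password into keys this way, which is why the two sides must
hold identical passwords: the localized key is bound to the agent's
snmpEngineID, so one password yields a different key on every agent.
MD5/DES56 are what the lite-version page offers; newer deployments prefer
SHA-2 authentication and AES privacy where both sides support them.
"""
import hashlib
import hmac

# Engine ID from the RFC 3414 Appendix A.3.1 test vector (not a real device).
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key_md5(password: str) -> bytes:
    """RFC 3414 A.2.1: repeat the password to 1 MiB and MD5 it (the key Ku)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.md5(pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: Kul = MD5(Ku || snmpEngineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def derive_usm_keys(auth_password: str, priv_password: str, engine_id: bytes):
    """Return (localized auth key, localized priv key) for one agent."""
    auth_kul = localize_key(password_to_key_md5(auth_password), engine_id)
    priv_kul = localize_key(password_to_key_md5(priv_password), engine_id)
    return auth_kul, priv_kul


def auth_parameters_md5_96(auth_kul: bytes, whole_msg: bytes) -> bytes:
    """msgAuthenticationParameters = first 12 bytes of HMAC-MD5(Kul, wholeMsg).

    whole_msg is the serialized SNMPv3 message with its 12-byte
    msgAuthenticationParameters field set to zeros.
    """
    return hmac.new(auth_kul, whole_msg, hashlib.md5).digest()[:12]


def verify_auth(auth_kul: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Constant-time comparison of the received tag against a fresh one."""
    return hmac.compare_digest(auth_parameters_md5_96(auth_kul, whole_msg), received)


def des56_key_material(priv_kul: bytes):
    """RFC 3414 8.1.1.1: first 8 bytes are the DES key, last 8 bytes the pre-IV
    that is XORed with the per-message salt to form the CBC IV."""
    return priv_kul[:8], priv_kul[8:16]


if __name__ == "__main__":
    # Passwords from the SNMPv3 example on this page; the engine ID of a
    # real MSR router would be read from the device instead.
    auth_kul, priv_kul = derive_usm_keys("authkey", "prikey", RFC3414_ENGINE_ID)
    print("auth Kul:", auth_kul.hex())
    print("priv Kul:", priv_kul.hex())
    msg = b"\x30\x0bconstructed"      # placeholder; a real message is BER-encoded
    tag = auth_parameters_md5_96(auth_kul, msg)
    print("auth params:", tag.hex(), "verify:", verify_auth(auth_kul, msg, tag))
```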

Configuring syslogs

System logs record network and device information, including running status and configuration changes.
With system log information, network administrators can find network or security problems, and take
corresponding actions against them.
The system sends system logs to the following destinations:
• Console
• Monitor terminal, a terminal that has logged in to the device through the AUX, VTY, or TTY user
interface
• Log buffer
• Log host
• Web interface

Displaying syslogs
1. Select Other > Syslog from the navigation tree.
The syslog display page appears, as shown in Figure 544.

Figure 544 Syslog display page

2. View system logs.


To clear all system logs in the log cache, click Reset. To refresh system logs, click Refresh. To make
the syslog display page refresh automatically, set the refresh interval on the syslog configuration
page. For more information, see "Setting buffer capacity and refresh interval."
Table 203 Syslog display items

Time/Date: Displays the time/date when the system log was generated.
Source: Displays the module that generated the system log.
Level: Displays the severity level of the system log. The information is classified into eight levels by
severity:
• Emergency—The system is unusable.
• Alert—Action must be taken immediately.
• Critical—Critical condition.
• Error—Error condition.
• Warning—Warning condition.
• Notification—Normal but significant condition.
• Information—Informational messages.
• Debug—Debug-level messages.
Digest: Displays the summary of the system log.
Description: Displays the content of the system log.

Setting the log host


1. Select Other > Syslog from the navigation tree.
2. Click the Loghost tab to enter the log host configuration page, as shown in Figure 545.
Figure 545 Loghost configuration page

3. Configure the log host as described in Table 204.


4. Click Apply.

Table 204 Loghost configuration items

IPv4/Domain Loghost IP/Domain: Set the IPv4 address or domain name of the log host.
IPv6 Loghost IP: Set the IPv6 address of the log host.

Setting buffer capacity and refresh interval


1. Select Other > Syslog from the navigation tree.
2. Click the Log Setup tab.
The syslog configuration page appears, as shown in Figure 546.
Figure 546 Log setup

3. Configure buffer capacity and refresh interval as described in Table 205.


4. Click Apply.
Table 205 Syslog configuration items

Buffer Capacity: Set the number of logs that can be stored in the log buffer.
Refresh Interval: Set the refresh interval of log information. You can select manual refresh or automatic
refresh:
• Manual—Click Refresh to refresh the Web interface.
• Automatic—Select to refresh the Web interface every 1 minute, 5 minutes, or 10 minutes.

Using diagnostic tools

This chapter describes how to use the ping and traceroute facilities.

Traceroute
By using the traceroute facility, you can trace Layer 3 devices involved in delivering a packet from source
to destination.
You can traceroute the IP address or the host name of a device. If the target host name cannot be resolved,
a prompt appears.
A traceroute operation involves the following steps:
1. The source device sends a packet with a Time to Live (TTL) value of 1 to the destination device.
2. The first hop device responds with an ICMP TTL-expired message to the source. In this way, the
source device can get the address of the first Layer 3 device.
3. The source device sends a packet with a TTL value of 2 to the destination device.
4. The second hop responds with an ICMP TTL-expired message.
5. The above process continues until the ultimate destination device is reached. The destination
device responds with an ICMP port-unreachable message because the packet from the source has
an unreachable port number. In this way, the source device can get the addresses of all Layer 3
devices on the path.
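The five steps above hinge on the sender telling two ICMP replies apart: a "time exceeded" (type 11, code 0) names one intermediate hop, while a "port unreachable" (type 3, code 3) from the destination itself ends the trace. The Python below is an added example, not H3C code; it classifies a received IPv4/ICMP packet the way a traceroute sender must, checking that the quoted inner UDP probe is really ours, and builds constructed sample packets for the test. A real sender would obtain such packets from a privileged raw ICMP socket, which is not shown here.

```python
"""Classify the ICMP replies a traceroute probe elicits (added example).

Not H3C code.  classify_reply() implements steps 2, 4 and 5 of the
traceroute mechanism: each "time exceeded" yields one hop address,
"port unreachable" from the destination ends the trace, and anything
else (replies to another program's probes, corrupted packets) is ignored.
The packets built by build_reply() are constructed test data, not captures.
"""
import struct

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE = 3, 3
ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED_CODE = 11, 0
PROTO_ICMP, PROTO_UDP = 1, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; 0 when run over data that
    already contains a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[9], packet[ihl:]


def classify_reply(packet: bytes, probe_dst: str, sport: int, dport: int):
    """Map one received IPv4/ICMP packet to ('hop', addr), ('done', addr)
    or ('ignore', None) for a UDP probe sent to probe_dst from sport to dport."""
    try:
        src, _, proto, icmp = parse_ipv4(packet)
    except ValueError:
        return "ignore", None
    if proto != PROTO_ICMP or len(icmp) < 8 or inet_checksum(icmp) != 0:
        return "ignore", None
    itype, code = icmp[0], icmp[1]
    # Both error types quote the original IP header plus 8 payload bytes,
    # which is how we recognise our own probe among unrelated ICMP traffic.
    try:
        _, q_dst, q_proto, q_payload = parse_ipv4(icmp[8:])
    except ValueError:
        return "ignore", None
    if q_proto != PROTO_UDP or q_dst != probe_dst or len(q_payload) < 4:
        return "ignore", None
    if struct.unpack("!HH", q_payload[:4]) != (sport, dport):
        return "ignore", None
    if itype == ICMP_TIME_EXCEEDED and code == ICMP_TTL_EXPIRED_CODE:
        return "hop", src                      # an intermediate Layer 3 device
    if (itype == ICMP_DEST_UNREACH and code == ICMP_PORT_UNREACH_CODE
            and src == probe_dst):
        return "done", src                     # the destination answered
    return "ignore", None


def build_reply(reporter, itype, code, probe_src, probe_dst, sport, dport):
    """Construct a minimal IPv4+ICMP error packet quoting our UDP probe."""
    def ip_hdr(src, dst, proto, total_len):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                          bytes(int(x) for x in src.split(".")),
                          bytes(int(x) for x in dst.split(".")))
        return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    quoted = ip_hdr(probe_src, probe_dst, PROTO_UDP, 28) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", itype, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ip_hdr(reporter, probe_src, PROTO_ICMP, 20 + len(icmp)) + icmp


if __name__ == "__main__":
    # Constructed sample: hop 10.0.0.1 reports TTL expired for our probe
    # from 10.0.0.2 to 203.0.113.9 (documentation addresses).
    pkt = build_reply("10.0.0.1", ICMP_TIME_EXCEEDED, 0, "10.0.0.2", "203.0.113.9", 40000, 33434)
    print(classify_reply(pkt, "203.0.113.9", 40000, 33434))
```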

Ping
You can ping the IP address or the host name of a device.
If the host name cannot be resolved, a prompt appears. If the source device does not receive an ICMP
echo reply within the timeout time, it displays a prompt and ping statistics. If the source device receives
ICMP echo replies within the timeout time, it displays the number of bytes for each echo reply, the
message sequence number, Time to Live (TTL), the response time, and ping statistics. Ping statistics
include number of packets sent, number of echo reply messages received, percentage of messages not
received, and the minimum, average, and maximum response time.
A ping operation involves the following steps:
1. The source device sends ICMP echo requests to the destination device.
2. The destination device responds by sending ICMP echo replies to the source device after receiving
the ICMP echo requests.
3. The source device displays related statistics after receiving the replies.
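The traceroute and ping procedures described above, as an added example that is not part of this guide or of the router's software: a Python model of a path of Layer 3 hops on which both procedures are run. Addresses, hop count and response times are constructed values and no packets are sent. Each hop's ttl_expires_enabled flag stands in for the ip ttl-expires enable setting, and the destination's unreachables_enabled flag for ip unreachables enable (the two commands the traceroute operation section below requires), so the example also shows what the source sees when either is missing.

```python
"""Ping and traceroute as described above, run against an in-memory path.

Added example, not the router's own code. Hops and addresses are constructed
values; no packets are sent. A hop's ttl_expires_enabled flag models
"ip ttl-expires enable"; the destination's unreachables_enabled flag models
"ip unreachables enable".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Hop:
    address: str
    ttl_expires_enabled: bool = True  # does this hop send ICMP TTL-expired?


@dataclass
class Path:
    hops: List[Hop]                       # intermediate Layer 3 devices, in order
    destination: str
    echo_rtts_ms: List[Optional[float]]   # constructed RTT per echo request; None = lost
    unreachables_enabled: bool = True     # does the destination send port-unreachable?

    def send_probe(self, ttl: int) -> Tuple[Optional[str], Optional[str]]:
        """Forward a UDP probe with the given TTL. Every Layer 3 device decrements
        the TTL; the one that decrements it to 0 answers with TTL-expired (if
        enabled). A probe that reaches the destination targets an unused port,
        so the destination answers with port-unreachable (if enabled)."""
        for hop in self.hops:
            ttl -= 1
            if ttl == 0:
                return ("ttl-expired", hop.address) if hop.ttl_expires_enabled else (None, None)
        if self.unreachables_enabled:
            return ("port-unreachable", self.destination)
        return (None, None)  # probe silently discarded: the source sees a timeout

    def send_echo(self, seq: int) -> Optional[float]:
        """ICMP echo request number seq; returns the reply RTT or None on timeout."""
        return self.echo_rtts_ms[seq] if seq < len(self.echo_rtts_ms) else None


def traceroute(path: Path, max_hops: int = 30) -> List[Tuple[int, Optional[str]]]:
    """Steps 1-5 above: raise the TTL by one per probe until a port-unreachable
    reply identifies the destination. Returns (ttl, replying address) per probe,
    with None where no reply arrived (shown as '*' by real tools)."""
    result = []
    for ttl in range(1, max_hops + 1):
        kind, replier = path.send_probe(ttl)
        result.append((ttl, replier))
        if kind == "port-unreachable":
            break
    return result


def ping(path: Path, count: int = 5, timeout_ms: float = 2000.0) -> Dict[str, float]:
    """Steps 1-3 above plus the statistics the page lists: packets sent, replies
    received, percentage not received, and min/avg/max response time."""
    rtts = []
    for seq in range(count):
        rtt = path.send_echo(seq)
        if rtt is not None and rtt <= timeout_ms:
            rtts.append(rtt)
    stats = {"sent": count, "received": len(rtts),
             "loss_pct": 100.0 * (count - len(rtts)) / count}
    if rtts:
        stats.update(min_ms=min(rtts), avg_ms=sum(rtts) / len(rtts), max_ms=max(rtts))
    return stats


# Constructed sample path: three routers, the second with TTL-expired replies
# disabled so traceroute cannot name it; one of five echo requests is lost.
SAMPLE_PATH = Path(
    hops=[Hop("10.0.0.1"), Hop("10.0.1.1", ttl_expires_enabled=False), Hop("10.0.2.1")],
    destination="192.0.2.10",
    echo_rtts_ms=[4.1, 3.9, None, 4.3, 4.0],
)

if __name__ == "__main__":
    for ttl, addr in traceroute(SAMPLE_PATH):
        print(f"{ttl:2d}  {addr or '*'}")
    print(ping(SAMPLE_PATH))
```

traceroute() stops as soon as a port-unreachable reply identifies the destination; with unreachables disabled on the destination it runs to max_hops without ever naming it, and a hop with TTL-expired replies disabled shows up as None (a '*' in real output) even though packets still traverse it. ping() returns the same statistics the Web interface displays in the Summary box.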

Traceroute operation
The Web interface does not support IPv6 traceroute.
Before executing a traceroute operation, execute the ip ttl-expires enable command on intermediate
devices to enable the sending of ICMP timeout packets, and execute the ip unreachables enable
command on the destination device to enable the sending of ICMP destination unreachable packets.

To perform a traceroute operation:
1. Log in to the Web interface, and select Other > Diagnostic Tools from the navigation tree to enter
the traceroute operation page, as shown in Figure 547.
2. Enter the destination IP address or host name.
3. Click Start.
You can see the result in the Summary box.
Figure 547 Traceroute configuration page

Ping operation
The Web interface does not support IPv6 ping.
To perform a ping operation:
1. Select Other > Diagnostic Tools from the navigation tree.
2. Click the Ping tab, as shown in Figure 548.
3. Enter the destination IP address or host name.
4. Click Start.
You can see the result in the Summary box.

Figure 548 Ping configuration page

Configuring WiNet

The Wisdom Network (WiNet) technology helps you centrally manage a large number of scattered
network devices by using a small number of public IP addresses.
WiNet has the following benefits:
• Integration—WiNet is integrated in network devices as a function without needing any dedicated
management device.
• Easy to deploy—To build a WiNet, you only need to select a management device to complete
network configurations.
• Low cost—No additional software is needed.
• User-friendly GUI—Facilitates operations and management.
• Plug-and-play—Displays a device in the network topology once it is connected to the network and
allows you to perform corresponding operations.
• Easy and quick deployment of security authentication—Allows you to configure a RADIUS server on
the administrator device through simple Web configuration and to configure interfaces of member
devices for security authentication through the administrator device.
Devices in a WiNet are classified into three roles.
• Administrator—Refers to the device serving as the WiNet management device. In a WiNet, only
the administrator is configured with a public IP address. You only need to specify one administrator
in each WiNet to configure, manage, and monitor other devices. The administrator collects
information to discover and add candidates.
• Member—Refers to a device managed by the administrator.
• Candidate—Refers to a WiNet-capable device that has not been added to the WiNet but its
topology information has been collected by the administrator.
Figure 549 Network diagram

Configuring WiNet
Enabling WiNet
To build a WiNet, configure a candidate as the administrator and configure WiNet on it.

1. Select WiNet from the navigation tree.
When WiNet is disabled, a dialog box Only the WiNet administrator supports the function
appears.
2. Click OK to enter the Setup page, as shown in Figure 550.
3. Configure WiNet, as shown in Table 206.
Figure 550 WiNet setup page

Table 206 Configuration items

Item Description
WiNet Name Enter a WiNet name.
Management VLAN Enter a management VLAN ID in the WiNet. You can enter an existing static VLAN only.
The management VLAN is used by WiNet packets for communication. It actually defines the WiNet
management range and delivers the following functions:
• Isolates WiNet management packets from other packets.
• Enables internal communication between the administrator, members, and candidates.
WiNet management requires that the management VLAN traffic be permitted on the administrator’s ports
(including cascade ports, if any) connected to members, candidates, and the external network.
IP Pool (Administrator IP) / Mask of IP Pool Enter an IP address and select a network mask for the
administrator. After that, each WiNet member is assigned an IP address on the same subnet as the
administrator.

After a WiNet is built, you cannot configure items on the Setup page, and the Build WiNet button
changes to Close WiNet. To delete the WiNet, click the Close WiNet button.

Setting the background image for the WiNet topology diagram


The WiNet topology diagram is displayed in the WiNet Management page and uses a white
background by default. You can customize the background image by uploading a JPG or BMP image
(which is less than 0.5 MB).
Select WiNet from the navigation tree and then click the Setup tab to enter the configuration page as
shown in Figure 550.

To customize the background image, click Browse, locate the image you want to use, and click Upload.
To remove the customized background image, click Clear.

Managing WiNet
To manage WiNet members, make sure the port that connects your host to the administrator permits
packets of the management VLAN. Select WiNet from the navigation tree to enter the default WiNet
Management page.
Figure 551 WiNet management page

On the WiNet Management page, you can perform these operations:


1. Set the refresh period for automatic refreshing of the WiNet topology diagram. Or you can select
Manual for Refresh Period and click Refresh to display the latest WiNet topology diagram.
2. Click Collect Topology.
After that the administrator starts to collect topology information. Note that, in addition to manual
topology collection, the system automatically collects topology information every minute.
3. Click Network Snapshot to save the current WiNet topology as the baseline topology. The
baseline topology is used to show changes in network topology at different time points.
4. Click Initialize Topology to clear the stored baseline topology and cookies.
5. Click Open AuthN Center to configure a RADIUS server for security authentication on the
administrator device. The administrator device automatically generates a guest user guest and its
password and updates the user and password at 24:00.

6. After the authentication center starts up, the Open AuthN Center button changes to Close AuthN
Center. Click the Close AuthN Center to remove the RADIUS server and the guest user.
7. Drag the icon of a specific device in the WiNet topology and place it to a position as needed. If
the browser is configured to accept cookies, the latest position information of each device is stored
after you click Network Snapshot.
8. Double-click a device on the WiNet topology map to show details about the device, including the
hostname, MAC address, device model, IP address, version, number of hops, and WiNet
information, as shown in Figure 552.
Figure 552 Device details

9. View the WiNet topology information, including the role of each device and connection status
between devices. The connection status can be:
Normal link—Indicates a connection existing in the baseline topology and the current
topology.
New link—Indicates a connection not existing in the baseline topology but in the current
topology.
Blocked loops—Indicate connections blocked by STP. If a normal link is blocked, it is displayed
as a black broken line; if a new link is blocked, it is displayed as a blue broken line.
Down link—Indicates a connection existing in the baseline topology but not in the current
topology.
10. Click a device in the topology diagram to view its panel diagram. You can manage the device as
follows:

NOTE:
Support for displaying of the device panel, device renaming, and Layer 2 portal authentication on
interfaces depends on the device model.

a. Click Rename Device and enter a new system name for the device.

Figure 553 Rename a device

b. Select one or multiple Layer 2 Ethernet interfaces on the panel diagram of the device, and click
Port Guard to enable Layer 2 portal authentication on the interfaces.

CAUTION:
You cannot enable Layer 2 portal authentication on an interface that connects to a member/candidate
device, connects to an external network, or connects to the console terminal.

c. If a member is selected, click Manage Device to log in to the Web interface for configuring the
member. You can configure and manage the member through the Web interface. The
username and password are required before you can log in to the member. If the current user
and password are consistent with those of the member, you can directly log in to the member.
d. If a member is selected, click Initialize to restore the configuration to factory defaults and restart
the member.
e. If a member is selected, click Reboot to restart the member.

Configuring a RADIUS user


Adding a RADIUS user
1. Select WiNet from the navigation tree, and click the User Management tab to enter the page as
shown in Figure 554.
2. Click Add to enter the page, as shown in Figure 555.
3. Configure the user as shown in Table 207.
Figure 554 User management page

Figure 555 Add a user

Table 207 Configuration items

Item Description
Username Enter the name of the user.
Password / Confirm Password Set a user password and confirm it.
IMPORTANT:
The leading spaces (if any) of a password will be omitted.
VLAN Enter an authorized VLAN ID for the user.
IMPORTANT:
If the access device does not support authorized VLANs, users with the authorized VLAN ID specified
cannot pass authentication.
ACL Enter an authorized ACL number for the user.
IMPORTANT:
If the access device does not support authorized ACL properties, users with the authorized ACL
specified cannot pass authentication.
Expire Time Set the time when the user becomes invalid, in the format HH:MM:SS-YYYY/MM/DD.
A user whose system time is later than the preset expire time cannot pass authentication.
Description Enter the user information.
User-type Select a user type, which can be a common user or guest administrator.
The guest administrator can obtain the passwords of guest users. For more information, see "How the
guest administrator obtains the guest password."

Batch importing and exporting RADIUS users
Select WiNet from the navigation tree, and click the User Management tab to enter the page as shown
in Figure 554.
1. Click Export and click Save in the dialog box that appears.
2. Set the local path and file name for saving the exported files.
3. Click Save to export all the RADIUS user information in the files to the local host.
4. Click Import.
The page for importing files appears.
5. Click Browse to locate the local xml files to be imported.
6. Click Apply to import the user information in the files to the device.
Figure 556 Import files

How the guest administrator obtains the guest password


If you start up the authentication center on the administrator in a WiNet, the device automatically
generates a guest user guest and its password. When the guest administrator wants to access the Internet
through an interface enabled with Layer 2 portal authentication in the WiNet, it must pass portal
authentication on the administration device. If the authentication succeeds, the guest password is
displayed, as shown in Figure 557. The guest user can use the password to access the Internet.
Figure 557 Authentication passed

Because the guest password is automatically updated at 24:00 every day, the guest administrator must
re-obtain the password.
To customize a portal authentication page on a member, reference the variable szPTGuestPWD (which holds
the guest password) in pt_private.js in the authentication passed page, and use JavaScript to display
the password, for example:
<script type="text/javascript">if (szPTGuestPWD != "") document.write("Guest password is " + szPTGuestPWD);</script>

WiNet configuration example


WiNet establishment configuration example
Network requirements
As shown in Figure 558, a WiNet comprises an administrator and two members.
• The administrator is connected to the external network through Ethernet 0/1, and is connected to
the members through Ethernet 0/2 and Ethernet 0/3.
• The WiNet management VLAN is VLAN 10.
• The network interface of the administrator is VLAN-interface 10 with IP address 163.172.55.1/24.
Figure 558 Network diagram

Configuration procedure
1. Configure Device A and Device C:
# Configure Ethernet 0/1 on each device to permit VLAN 10 traffic. (Details not shown.)
2. Configure Device B:
# Create VLAN 10 and VLAN-interface 10.
a. Select Interface Setup > LAN Interface Setup from the navigation tree to enter the default VLAN
Setup page.
Figure 559 Creating VLAN 10 and VLAN-interface 10

b. Select the Create option.
c. Enter 10 for VLAN IDs.
d. Select the Create VLAN Interface box.
e. Click Apply.
# Assign Ethernet 0/1, Ethernet 0/2, and Ethernet 0/3 to VLAN 10.
Figure 560 Assigning interfaces to VLAN 10

a. On the VLAN Setup page, select 10 in the VLAN Config field.
b. Select Ethernet0/1, Ethernet0/2, and Ethernet0/3 from the list.
c. Click Add.
The configuration progress dialog box appears.
Figure 561 Configuration progress dialog box

d. After the configuration is complete, click Close.
# Configure the IP address of VLAN-interface 10.
a. Click the VLAN Interface Setup tab.
Figure 562 Specifying an IP address for VLAN-interface 10

b. Select 10 for VLAN ID.
c. Enter 163.172.55.1 for IP Address.
d. Enter 255.255.255.0 for Subnet Mask.
e. Click Apply.
# Enable WiNet.
a. Select WiNet from the navigation tree.
When WiNet is disabled, a dialog box Only the WiNet administrator supports the function
appears.
b. Click OK.
Figure 563 Enabling WiNet

c. Enter WiNet for WiNet Name.
d. Click Advance Options.
e. Enter 10 for Management VLAN.
f. Enter 192.168.0.1 for IP Pool (Administrator IP).
g. Select 255.255.255.0 for Mask of IP Pool.
h. Click Build WiNet.

Verifying the configuration


After the preceding configuration is complete, log in to Device B via Ethernet 0/1, select WiNet from the
navigation tree to enter the WiNet Management page. You can view a WiNet topology diagram
comprising an administrator (Device B) and two members (Device A and Device C), and manage the
devices, as shown in Figure 564.

Figure 564 WiNet topology diagram

WiNet-based RADIUS authentication configuration example


Network requirements
As shown in Figure 565, a WiNet comprises an administrator (Device B) and two members (Device A
and Device C). The client connects to Device A through Ethernet 0/2.
Deploy security authentication in the WiNet so that the client can access external networks after passing
authentication on Device B.

Figure 565 Network diagram

Configuration procedure
1. Establish a WiNet
See "WiNet establishment configuration example."
2. Configure WiNet-based RADIUS authentication
# Specify a RADIUS user.
a. Log in to Device B through Ethernet 0/1.
b. Select WiNet from the navigation tree on Device B.
c. Click the User Management tab.
d. Click Add.

Figure 566 Configure WiNet-based RADIUS authentication

e. Enter client for Username, client_password for Password, and client_password for Confirm
Password, and select Common User for User-type.
f. Click Apply.
# Set up a RADIUS server.

Figure 567 Setting up a RADIUS server

a. Click the WiNet Management tab.


b. Click Open AuthN Center.
# Enable Layer 2 portal authentication on Ethernet 0/2 of Device A.

Figure 568 Enabling Layer 2 portal authentication on Ethernet 0/2 of Device A

a. Click Device A on the topology diagram.


b. Click Ethernet 0/2 on the panel diagram.
c. Click Port Guard.

Configuration wizard

Overview
The configuration wizard helps you establish a basic call, and configure local numbers and connection
properties.

Basic service setup


Entering the configuration wizard homepage
From the navigation tree, select Voice Management > Configuration Wizard to access the configuration
wizard homepage, as shown in Figure 569.
Figure 569 Configuration wizard homepage

Selecting a country
In the wizard homepage, click Start to access the country selection page, as shown in Figure 570.

Figure 570 Country selection page

Table 208 Configuration item

Item Description
Call Progress Tone Country Mode Configure the device to play the call progress tones of a specified
country or region.

Configuring local numbers


In the country tone configuration page, click Next to access the local number configuration page, as
shown in Figure 571.
Figure 571 Local number configuration page

Table 209 Configuration items

Item Description
Line Specify the FXS voice subscriber lines.

Number Specify the local telephone numbers.

Username Specify the username used for the register authentication.

Password Specify the password used for the register authentication.

Configuring connection properties
After you finish the local number configuration, click Next to access the connection property
configuration page, as shown in Figure 572.
Figure 572 Connection property configuration page

Table 210 Configuration items

Item Description
Main Registrar Address Specify the address of the main registrar. It can be an IP address or a
domain name.
Main Registrar Port Number Specify the port number of the main registrar.
Backup Registrar Address Specify the address of the backup registrar. It can be an IP address or a
domain name.
Backup Registrar Port Number Specify the port number of the backup registrar.
Proxy Server Address Specify the address of the proxy server. It can be an IP address or a domain
name.
Proxy Server Port Number Specify the port number of the proxy server.

Finishing configuration wizard


After you finish the connection property configuration, click Finish to complete your configuration. Then
the page jumps to the local number list, where you can view the configured local numbers and modify
their settings.

Local number and call route

The local number and call route parts contain basic settings, fax and modem, call services, and
advanced settings pages.

Basic settings
To implement a basic voice call, complete local number and call route configurations.
• Local number configuration includes setting a local telephone number and authentication
information used for registration.
• Call route configuration includes setting a destination telephone number and call route type. You
can select either SIP routing or trunk routing as the call route type. SIP routing includes proxy server
mode, IP routing mode, and binding server group mode.
For more information about basic settings of local number and call route, see Basic settings.

Fax and modem


After completing the VoIP configurations (that is, the basic settings of local number and call route), you
can make IP calls. Generally, if you connect the device to a fax machine or a modem, you can send and
receive faxes with the default settings. In the fax and modem configuration page, you can adjust some
parameters according to your needs.
For more information about fax and modem configuration, see Fax and modem.

Call services
Call services contains various new functions on the basis of voice basic call to meet the application
requirements of VoIP users.
For more information about call services configuration, see Call services.
Some call services require the involvement of a voice server. For how to configure the voice server, see
"Configuring SIP connections."

Advanced settings
The advanced settings include the following parts:
• Coding parameters—This part includes the configuration of codec priorities and packet assembly
intervals. The voice codec affects the voice bandwidth and voice quality. You must select a proper
codec according to the actual network. The packet assembly interval depends on the network
bandwidth and network architecture, and affects codec delay time.
• Others—This part includes the configuration of number selection priority, dial prefix, called number
sending mode, DTMF transmission mode, DSCP field value, and so on.

Basic settings

This section provides information about configuring basic settings.

Introduction to basic settings


Local number
Local number configuration includes setting a local telephone number and authentication information
used for registration.

Call route
Call route configuration includes setting a destination telephone number and call route type. The call
route type can be either SIP routing or trunk routing.

SIP routing
SIP routing includes proxy server mode, IP routing mode, and binding server group mode. If you select
IP routing, the called parties can be found through static IP addresses or domain names. Figure 573
shows the network diagram for IP routing mode.
Figure 573 Network diagram for IP routing mode

Figure 574 shows the network diagram for proxy server and binding server group modes, which require
the involvement of a SIP server.
Figure 574 Network diagram for proxy server and binding server group modes

Trunk routing
You can connect devices to the PBX on the PSTN network through FXO, E&M, VE1, VT1, and BSV trunk
lines. Among them, VE1 and VT1 trunk routing enables the device to provide more voice communication
channels. Therefore, it greatly increases device usage and broadens the service range.

See Configuring trunking mode calling for the configuration example of using the trunking routing as the
call route type.

Basic settings
Configuring a local number
Select Voice Management > Local Number from the navigation tree, and click Add to access the page for
creating a local number, as shown in Figure 575.
Figure 575 Local number configuration page

Table 211 Configuration items

Item Description
Number ID Enter a local number ID in the range of 1 to 9999.
Number Enter a local number.
Bound Line This list displays all FXS voice subscriber lines. Select a voice subscriber line to be
bound with the local number.
Description Specify the description of the number.
Register Function • Enable. After you select the Enable option, you can configure the authentication
related options.
• Disable.
Register Username Specify the username used for registration authentication.
Register Password Specify the password used for registration authentication.
Cnonce Name Specify the authentication information used for handshake authentication between the
registrar and the SIP UA.
Realm Name Specify the realm name used for handshake authentication between the registrar and
SIP UA.
IMPORTANT:
If you configure a realm name on the SIP UA, make sure it is the same as that configured
on the registrar. Otherwise, the SIP UA fails the authentication due to mismatch. If no
realm name is configured on a SIP UA, the SIP UA performs no realm name match and
considers that the realm name configured on the registrar is trusted.
Status Enable or disable the local number.

IMPORTANT:
• If it is necessary to configure authentication information for a local number, the same authentication
information is recommended for the same telephone number.
• In the case of authentication, it is forbidden to modify the authentication information after the register
function is enabled because this operation may result in registration update failures.
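The registration authentication that the Register Username, Register Password, Cnonce Name and Realm Name items configure, as an added example that is not part of this guide or of the router's software. It implements the digest scheme SIP uses (RFC 3261, built on RFC 2617) on both the UA and registrar side and models the Realm Name rule from the table: a UA with a configured realm only answers a challenge for that realm, while a UA with no configured realm accepts the realm the registrar sends. The realm, nonce, user names and passwords are constructed sample values; the one fixed vector in the test is the published RFC 2617 example.

```python
"""SIP digest registration: the UA's answer and the registrar's check.

Added example, not the router's own code. Implements the digest scheme SIP
uses (RFC 3261, built on RFC 2617) and models the Realm Name rule above: a UA
with a configured realm only answers a challenge for that realm; a UA with no
configured realm trusts the realm the registrar sends. Realm, nonce, user
names and passwords are constructed sample values.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, password: str, realm: str, method: str,
                    uri: str, nonce: str, qop: Optional[str] = None,
                    nc: str = "00000001", cnonce: Optional[str] = None) -> str:
    """RFC 2617 response. With qop=auth the client nonce (the Cnonce item in the
    table) and request counter are mixed in, tying the answer to one request."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a 'Digest realm="...", nonce="...", qop="auth"' challenge into its
    parameters (quoted and unquoted values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only Digest challenges are handled here")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def ua_answer(challenge: str, username: str, password: str,
              configured_realm: Optional[str], method: str, uri: str,
              cnonce: str) -> Optional[Dict[str, str]]:
    """UA side. Returns the Authorization parameters, or None when the UA has a
    realm configured that differs from the challenge (registration then fails)."""
    ch = parse_challenge(challenge)
    if configured_realm is not None and configured_realm != ch["realm"]:
        return None
    qop = "auth" if "auth" in ch.get("qop", "").split(",") else None
    response = digest_response(username, password, ch["realm"], method, uri,
                               ch["nonce"], qop, "00000001", cnonce)
    auth = {"username": username, "realm": ch["realm"], "nonce": ch["nonce"],
            "uri": uri, "response": response}
    if qop:
        auth.update(qop=qop, nc="00000001", cnonce=cnonce)
    return auth


def registrar_verify(auth: Optional[Dict[str, str]], credentials: Dict[str, str],
                     realm: str, issued_nonce: str, method: str) -> bool:
    """Registrar side: recompute the response from the stored secret and compare
    in constant time. Realm and nonce must match the challenge that was issued."""
    if auth is None or auth.get("realm") != realm or auth.get("nonce") != issued_nonce:
        return False
    password = credentials.get(auth.get("username", ""))
    if password is None:
        return False
    expected = digest_response(auth["username"], password, realm, method, auth["uri"],
                               issued_nonce, auth.get("qop"),
                               auth.get("nc", "00000001"), auth.get("cnonce"))
    return hmac.compare_digest(expected, auth["response"])


# Constructed sample values; a real registrar issues a fresh random nonce per challenge.
REGISTRAR_REALM = "voice.example"
ISSUED_NONCE = "5f1c9e2a7d3b"
CHALLENGE = f'Digest realm="{REGISTRAR_REALM}", nonce="{ISSUED_NONCE}", qop="auth", algorithm=MD5'
CREDENTIALS = {"1111": "constructed-secret"}


def register(configured_realm: Optional[str], password: str = "constructed-secret") -> bool:
    """One REGISTER exchange for local number 1111 with the given UA realm setting."""
    auth = ua_answer(CHALLENGE, "1111", password, configured_realm,
                     "REGISTER", "sip:voice.example", cnonce="0a4f113b")
    return registrar_verify(auth, CREDENTIALS, REGISTRAR_REALM, ISSUED_NONCE, "REGISTER")


if __name__ == "__main__":
    print("no realm configured on UA:", register(None))     # True
    print("matching realm:", register(REGISTRAR_REALM))      # True
    print("mismatched realm:", register("other.example"))   # False
    print("wrong password:", register(None, "bad"))          # False
```

registrar_verify() never sees the password on the wire, only the digest, and rejects an answer whose nonce is not the one it issued, which is what stops a captured Authorization header from being reused against a later challenge. The digest protects the password, not the signalling itself; keeping the rest of the exchange confidential is what the TLS transport and SIPS scheme options on the call route page are for.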

Configuring a call route


Select Voice Management > Call Route from the navigation tree and click Add to access the page for
creating a call route, as shown in Figure 576.

Figure 576 Call route configuration page

Table 212 Configuration items

Item Description
Call Route ID Enter a call route ID in the range of 10000 to 19999.
Destination Number Enter the called telephone number.
Route Description Enter the description of the call route.
Call Route Type Select one of the following approaches (one is required):
• SIP:
Proxy Server—Use a SIP proxy server to complete calling.
IP Routing—Use the SIP protocol to perform direct calling. If you select this option, you must
provide the destination address and port number.
Binding Server Group—Select a server group from the Server Group list. You can add SIP server
groups into the list in Voice Management > Call Connection > SIP Server Group Management.
• Trunk:
Trunk Route Line—Select a trunk routing line from the list that displays all available voice
subscriber lines.
Transport Layer Protocol for Call Route Select one of the following transport layer protocols:
• UDP.
• TCP.
• TLS.
By default, UDP is selected.
URL Scheme for Call Route • SIP—Specifies the SIP scheme.
• SIPS—Specifies the SIPS scheme.
By default, the SIP scheme is selected.
Register Function • Enable. After you select the Enable option, you can configure the authentication
related options.
• Disable.
IMPORTANT:
The trunk routing mode supports register function. Authentication related options and their
meanings are the same as those of local number and therefore are not included here.
Status Enable or disable the call route.

Configuration examples of local number and call


route
Configuring direct calling for SIP UAs through the SIP protocol
(configuring static IP address)
Network requirements
As shown in Figure 577, Router A and Router B can directly call each other as SIP UAs using the SIP
protocol (configuring static IP addresses).
Figure 577 Network diagram

Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to access the
page for creating a local number.

Figure 578 Creating local number 1111

1. Enter 1 for Number ID.


2. Enter 1111 for Number.
3. Select subscriber-line 8/0 from the Bound Line list.
4. Enter Telephone A for Description.
5. Click Apply.
# Create a call route.
Select Voice Management > Call Route List from the navigation tree, and then click Add to access the
page for creating a call route.

Figure 579 Creating call route 2222

6. Enter 10000 for Call Route ID.


7. Enter 2222 for Destination Number.
8. Select IP Routing for SIP Routing, and type 192.168.2.2 for Destination Address.
9. Click Apply.

Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access
the page for creating a local number.

Figure 580 Creating local number 2222

2. Enter 1 for Number ID.


3. Enter 2222 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Enter Telephone B for Description.
6. Click Apply.
# Create a call route.
7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.

Figure 581 Creating call route 1111

8. Enter 10000 for Call Route ID.


9. Enter 1111 for Destination Number.
10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
11. Click Apply.

Verifying the configuration


• After the previous configuration, you can use telephone 1111 to call telephone 2222, or use
telephone 2222 to call telephone 1111.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring direct calling for SIP UAs through the SIP protocol
(configuring domain name)
Network requirements
As shown in Figure 582, acting as SIP UAs, Router A and Router B can first query destination addresses
through a DNS server and then make calls using the SIP protocol.
Figure 582 Network diagram

IMPORTANT:
Before the following configurations, you need to configure domain name resolution. For more information
about DNS, see "Configuring DNS."

Configuring Router A
# Create a local number.
Select Voice Management > Local Number from the navigation tree, and then click Add to access the
page for creating a local number.
Figure 583 Creating local number 1111

1. Enter 1 for Number ID.


2. Enter 1111 for Number.
3. Select subscriber-line 8/0 from the Bound Line list.
4. Enter Telephone A for Description.
5. Click Apply.
# Create a call route.
6. Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.

Figure 584 Creating call route 2222

7. Enter 10000 for Call Route ID.


8. Enter 2222 for Destination Number.
9. Select IP Routing for SIP Routing, and type cc.news.com for Destination Address.
10. Click Apply.

Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access
the page for creating a local number.

Figure 585 Creating local number 2222

2. Enter 1 for Number ID.


3. Enter 2222 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Enter Telephone B for Description.
6. Click Apply.
# Create a call route.
7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.

Figure 586 Creating call route 1111

8. Enter 10000 for Call Route ID.


9. Enter 1111 for Destination Number.
10. Select IP Routing for SIP Routing, and enter 192.168.2.1 for Destination Address.
11. Click Apply.

Verifying the configuration


• After the previous configuration, you can use telephone 1111 to call telephone 2222 by using the
DNS server to get the destination address, and you can use telephone 2222 to call telephone 1111
by querying the static IP address of the called party.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.

Configuring proxy server involved calling for SIP UAs


Network requirements
As shown in Figure 587, Router A and Router B act as SIP UAs and SIP calls are made through a SIP proxy
server.

Figure 587 Network diagram

Configuring Router A
# Create a local number.
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access
the page for creating a local number.
Figure 588 Creating local number 1111

2. Enter 1 for Number ID.


3. Enter 1111 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Enter Telephone A for Description.
6. Click Apply.
# Create a call route.
7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.

Figure 589 Creating call route 2222

8. Enter 10000 for Call Route ID.


9. Enter 2222 for Destination Number.
10. Select SIP Routing for Call Route Type.
11. Select Proxy Server for SIP Routing.
12. Click Apply.
# Configure the registrar and the proxy server.
13. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access
the connection properties configuration page.

Figure 590 Configuring registration information

14. Select Enable for Register State.


15. Enter 192.168.2.3 for Main Registrar Address.
16. Enter Router A for Username and abc for Password.
17. In the Proxy Server area, enter 192.168.2.3 for Server Address.
18. Click Apply.

Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access
the page for creating a local number.

Figure 591 Creating local number 2222

2. Enter 1 for Number ID.


3. Enter 2222 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Enter Telephone B for Description.
6. Click Apply.
# Create a call route
7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.

Figure 592 Creating call route 1111

8. Enter 10000 for Call Route ID.


9. Enter 1111 for Destination Number.
10. Select SIP for Call Route Type.
11. Select Proxy Server for SIP Routing.
12. Click Apply.
# Configure the registrar and the proxy server.
13. Select Voice Management > Call Connection > SIP Connection from the navigation tree to access
the connection properties configuration page.

Figure 593 Configuring registration information

14. Select Enable for Register State.


15. Enter 192.168.2.3 for Main Registrar Address.
16. In the Proxy Server area, enter 192.168.2.3 for Server Address.
17. Enter Router B for Username and abc for Password.
18. Click Apply.

Verifying the configuration


• After the local numbers of the two sides are registered on the registrar successfully, telephone 1111
and telephone 2222 can call each other through the proxy server.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.
• Select Voice Management > States and Statistics > Connection Status from the navigation tree, and
then click the Register Status tab to view the SIP register status.

Configuring trunking mode calling
Network requirements
As shown in Figure 594, Router A and Router B are connected through an FXO trunk line. It is required
that Telephone 1111 can call telephone 2222.
Figure 594 Network diagram

Configuring Router A
# Create a local number.
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access
the page for creating a local number.
Figure 595 Creating local number 1111

2. Enter 1 for Number ID.


3. Enter 1111 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Enter Telephone A for Description.
6. Click Apply.
# Create a call route.
7. Select Voice Management > Call Route List from the navigation tree, and then click Add to access
the page for creating a call route.

Figure 596 Creating call route 2222

8. Enter 10000 for Call Route ID.


9. Enter 2222 for Destination Number.
10. Select Trunk for Call Route Type.
11. Select subscriber-line 1/0 from the Trunk Route Line list.
12. Click Apply.
# Configure number sending mode.
13. Select Voice Management > Call Route from the navigation tree, and click the icon of the
number to be configured to access the advanced settings page.

Figure 597 Configuring number sending mode

14. Select Send All Digits of a Called Number for Called Number Sending Mode.
15. Click Apply.

Configuring Router B
1. Select Voice Management > Local Number from the navigation tree, and then click Add to access
the page for creating a local number.
Figure 598 Creating local number 2222

2. Enter 1 for Number ID.


3. Enter 2222 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Enter Telephone B for Description.

6. Click Apply.

Verifying the configuration


• Telephone 1111 can call telephone 2222 over the trunk line.
• Select Voice Management > States and Statistics > Call Statistics from the navigation tree to access
the Active Call Summary page, which displays the statistics of ongoing calls.

Fax and modem

Traditional fax machines transmit and receive faxes over the PSTN. Fax has gained wide application owing
to its advantages, such as rich content, high transmission speed, and simple operation. Today, G3 fax
machines dominate fax communications. A G3 fax machine digitizes its signals: image signals are
digitized and compressed internally, converted into analog signals through a modem, and finally
transmitted to the PSTN switch over ordinary subscriber lines.
FoIP means sending and receiving faxes over the Internet. Devices can provide FoIP after the FoIP
feature is added on top of the VoIP function. Because FoIP is an Internet-based fax service, the cost of
sending domestic and international faxes is low.
The network diagram for FoIP is similar to that for VoIP: you replace the IP phone with a fax machine
to implement the fax function. Wherever you can use IP phones, you can use the fax function, so
deploying fax is very simple. The following figure shows the FoIP system structure.
Figure 599 FoIP system structure

Protocols and standards for FoIP


IP real-time fax complies with the ITU-T T.30 and T.4 protocols on the PSTN side and the H.323 and T.38
protocols on the IP network side.
• T.30 protocol covers document and fax transmission over the PSTN. It fully describes and regulates
the communication procedure of G3 fax machines over ordinary telephone networks, the signal
format, the control signaling, and error correction.
• T.4 protocol is a standard protocol involving the G3 fax terminals for file transmission. It provides
a standard regulation for the G3 fax terminals on image encoding/decoding scheme, signal
modulation and speed, transmission duration, error correction, and file transmission mode.
• T.38 protocol is about the real-time G3 fax over IP networks. It describes and regulates the
communication mode, packet format, error correction and some communication flows of real-time
G3 fax over IP networks.

Fax flow
In FoIP, the call setup, handshake, rate training, packet transfer, and call release are always in real time.
From the perspective of users, FoIP has no difference from faxing over PSTN.
The signals that a G3 fax machine receives and sends are modulated analog signals, so the router
processes fax signals differently from telephone signals. The router needs to perform A/D or D/A
conversion for fax signals (that is, the router demodulates analog signals from the PSTN into digital
signals, or modulates digital signals from the IP network into analog signals), but does not need to
compress fax signals.
A real-time fax process consists of five phases:
1. Fax call setup phase. This phase is similar to the process of a telephone call setup. The difference
is that the fax tones identifying the sending/receiving terminals are included.
2. Prior-messaging phase. During this phase, fax faculty negotiation and training are performed.
3. Messaging phase. During this phase, fax packets are transmitted in accordance with the T.4
procedure, and packet transmission is controlled (including packets synchronization, error
detection and correction, and line monitoring).
4. Post-messaging phase. During this phase, control operations such as packet authentication,
messaging completion, and multi-page continuous transmission are performed.
5. Fax call release phase. During this phase, the fax call is released.

Introduction to fax methods


T.38 fax
The device supports two fax protocols: the T.38 protocol and the standard T.38 protocol. Select the
standard T.38 protocol for interworking with the leading fax terminals in the industry. Because most of
these terminals do not support the local training mode, the point-to-point (end-to-end) training mode
must be selected for interworking with them.

Pass-through fax
Fax pass-through was developed primarily to carry, over packet-switched networks, T.30 fax signals
that the gateway does not demodulate. With this technology, the devices on the two sides communicate
directly over a transparent IP link, and the voice gateways do not distinguish fax calls from voice calls.
After detecting a fax tone in an established VoIP call, the voice gateway checks whether the voice codec
is G.711. If not, the voice gateway switches the codec to G.711. Then fax data is transmitted as voice
data in pass-through mode.
In the pass-through mode, fax information is in the format of uncompressed G.711 codes and is
encapsulated in RTP packets between gateways, and a fixed bandwidth of 64 Kbps is occupied.
Although the packet redundancy mechanism can reduce the packet loss ratio, the pass-through mode is
subject to factors such as packet loss ratio, jitter, and delay. Therefore, it is necessary to ensure
synchronization of the clocks on both sides. Fax pass-through is called voice band data (VBD) by ITU-T.
That is, fax or modem signals are transmitted over a voice channel using a proper coding method. So far,
the codecs supported are only G.711 A-law and G.711 μ-law. In addition, when the fax pass-through
function is enabled, the voice activity detection (VAD) function must be disabled to avoid fax failures.
You can implement the fax pass-through function on the voice gateway in two ways:
• Configure the fax to operate in pass-through mode on both sides.
• Negotiate the codec as G.711 and disable fax forwarding. Then, disable the VAD function to avoid
fax failures. This method is used for the voice gateway to interwork with other devices in the
pass-through mode.

SIP modem pass-through function


The SIP modem pass-through function is mainly used for remote device management. Because the VoIP
network has replaced part of the traditional PSTN, VoIP devices are required to support the modem
pass-through function, which lets remote PSTN users log in to internal network devices through dialup.

Configuring fax and modem


Before you configure fax and modem, you must configure local numbers and call routes. See Basic
settings for details.

Configuring fax and modem parameters of a local number


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to access the local number fax and modem configuration page, as shown
in Figure 600.
Figure 600 Local number fax and modem configuration page

Table 213 Configuration items

Item Description

Fax Function
• Enable. The fax parameters can be configured only when the fax function is enabled.
• Disable.

Fax Protocol
Configure the protocol used for fax communication with other devices:
• T.38—With this protocol, a fax connection can be set up quickly.
• Standard T.38—It supports H.323 and SIP.
Or configure the fax pass-through mode:
• G.711 A-law.
• G.711 μ-law.
The pass-through mode is subject to such factors as packet loss, jitter, and delay, so the clocks on both
communication sides must be kept synchronized. Only G.711 A-law and G.711 μ-law are supported, and
the VAD function should be disabled.

Number of Redundant Low-speed T.38 Packets
Low-speed data refers to the V.21 command data. This option is configurable when T.38 or standard
T.38 is selected as the fax protocol.

Number of Redundant High-speed T.38 Packets
High-speed data refers to the TCF and image data. This option is configurable when T.38 or standard
T.38 is selected as the fax protocol.

IMPORTANT:
Increasing the number of redundant packets improves the reliability of network transmission and
reduces the packet loss ratio. A large number of redundant packets, however, greatly increases
bandwidth consumption and, on low-bandwidth links, seriously degrades fax quality. Select the number
of redundant packets according to the available network bandwidth.

Max Transmission Rate of Fax
Specify the maximum fax transmission rate:
• 2400 bps—Set the maximum transmission rate to 2400 bps.
• 4800 bps—Negotiate the baud rate first in accordance with the V.27 fax protocol. The maximum
transmission rate is 4800 bps.
• 9600 bps—Negotiate the baud rate first in accordance with the V.29 fax protocol. The maximum
transmission rate is 9600 bps.
• 14400 bps—Negotiate the baud rate first in accordance with the V.17 fax protocol. The maximum
transmission rate is 14,400 bps.
• Allowed Max Voice Speed of the Codec Protocol—Determines the maximum fax rate depending on
the codec protocol:
  • If G.711 is adopted, the maximum fax transmission rate is 14,400 bps and the fax protocol is V.17.
  • If G.723.1 Annex A is adopted, the maximum fax transmission rate is 4800 bps and the fax
protocol is V.27.
  • If G.726 is adopted, the maximum fax transmission rate is 14,400 bps and the fax protocol is V.17.
  • If G.729 is adopted, the maximum fax transmission rate is 7200 bps and the fax protocol is V.29.
By default, the Allowed Max Voice Speed of the Codec Protocol option is adopted.

IMPORTANT:
If an option other than the default option is adopted, the maximum rate is negotiated first in
accordance with the corresponding fax protocol.

Fax Training Mode
Specify the fax training mode, which can be:
• Local—Indicates that the gateways participate in the rate training between fax terminals. In the
local training mode, rate training is performed between each fax terminal and its gateway, and then
the receiving gateway sends the training result of the receiving fax terminal to the transmitting
gateway. The transmitting gateway finalizes the packet transmission rate by comparing the received
training result with its own training result.
• Point-to-Point—Indicates that the gateways do not participate in the rate training between the two
fax terminals. In this mode, rate training is performed between the two fax terminals and is
transparent to the gateways.

Local Training Threshold in Percentage
When rate training is carried out between fax terminals, the transmitting terminal sends "zero-filled"
TCF data (the filling time per packet is 1.5 seconds ±10%) to the receiving fax terminal, and the
receiving fax terminal decides whether the current rate is acceptable according to the received TCF
data.
When the percentage of all-ones or all-zeros TCF data to the total amount of TCF data is less than the
local training threshold, the current rate training succeeds. Otherwise, the current rate training fails
and the rate must be dropped for another local training operation.
By default, the threshold is 10.

IMPORTANT:
When the local training mode is adopted, use this option to configure the threshold in percentage.
When the point-to-point training mode is adopted, the gateway does not participate in rate training and
the local training threshold is not applicable.
Signal Transmission Mode of Fax Faculty
In common fax applications, the participating fax terminals negotiate with the standard faculty (such as
the V.17 and V.29 rates) by default, that is, they do not send each other non-standard facilities (NSF)
frames. In some cases, such as encrypted fax, both fax terminals use a non-standard faculty (NSF) to
negotiate.
At the start of negotiation, both terminals first exchange NSF frames, and then negotiate the
subsequent fax faculty for communication. NSF frames are standard T.30 messages and carry private
information.
To use a non-standard faculty for negotiation, the following conditions must be satisfied:
• Both fax terminals must support the non-standard transmission mode.
• The transmission mode must be set to non-standard in the POTS and VoIP entities for both fax
terminals.
By default, the standard faculty mode is adopted for fax faculty transmission.

Transmit Energy Level of a Gateway Carrier
Usually, the default transmit energy level of the gateway carrier is acceptable. If the fax still cannot be
set up although the other configurations are correct, you can try adjusting the transmit energy level of
the gateway carrier (that is, the transmit energy level attenuation). A greater level indicates greater
energy; a smaller level indicates greater attenuation.
By default, the transmit energy level of the gateway carrier is –15 dBm.

ECM Fax
ITU-T requires the ECM for fax message transmission using the half-duplex modulation system of ITU-T
V.34. G3 fax terminals working in full-duplex mode are also required to support the half-duplex mode,
that is, ECM.
Fax machines using ECM can correct errors, provide the automatic repeat request (ARQ) function, and
transmit fax data in the format of HDLC frames. Fax machines not using ECM cannot correct errors and
transmit fax data as binary strings.
• Enable—Enable ECM for fax.
• Disable—Disable ECM for fax.
By default, ECM is disabled.
ECM can be used only if the fax machines on both sides support ECM and the gateways are configured
with ECM.
You must enable ECM for both the local numbers and the call routes corresponding to the fax sender and
receiver.

CNG Fax Switchover Function
CNG fax switchover is mainly used to implement the fax mailbox service through communication with
the VCX. When the local fax machine A originates a fax call to the peer fax machine B, and B is busy or
unattended, A can send the fax to the fax mailbox of the VCX. With CNG fax switchover enabled, the
voice gateway switches to fax mode as soon as it receives a CNG tone from A.
• Enable.
• Disable.
The function is disabled by default.

Codec Type and Switching Mode for SIP Modem Pass-through
Configure the codec type and switching mode for the SIP modem pass-through function:
• Standard G.711 A-law—Adopt G.711 A-law as the codec type and use Re-Invite switching for SIP
modem pass-through.
• Standard G.711 μ-law—Adopt G.711 μ-law as the codec type and use Re-Invite switching for SIP
modem pass-through.
• NTE Compatible G.711 A-law—Adopt G.711 A-law as the codec type and use NTE-compatible
switching for SIP modem pass-through.
• NTE Compatible G.711 μ-law—Adopt G.711 μ-law as the codec type and use NTE-compatible
switching for SIP modem pass-through.

NTE Payload Type Field
Configure the value of the NTE payload type for the NTE-compatible switching mode.
This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is
selected from the Codec Type and Switching Mode for SIP Modem Pass-through list.
By default, the value of the NTE payload type is 100.
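What the NTE-compatible switching mode and the NTE payload type field refer to on the wire is the RTP telephone-event payload of RFC 2833 (now RFC 4733), carried on a dynamic payload type such as the default 100. The following is an added example, not code from this guide or from the router: it builds and parses such packets, packetizes a DTMF digit the way RFC 4733 section 2.5 describes, and shows a receiver that reassembles the digit string without counting the three retransmitted end packets more than once. The SSRC, sequence numbers, timestamps and digits are constructed values.

```python
"""RTP telephone-event (NTE) packets, RFC 2833 / RFC 4733, on payload type 100.

Added example, not H3C code. A 12-byte RTP header (V=2, CC=0) is followed by
the 4-byte telephone-event payload: event, E bit + volume, duration. SSRC,
sequence numbers, timestamps and digits below are constructed values.
"""
import struct

NTE_PT = 100                         # default NTE payload type from the table
DTMF_EVENTS = "0123456789*#ABCD"     # telephone events 0 to 15
EVENT_ANS, EVENT_CNG = 32, 36        # modem/fax tones of RFC 2833 section 3.14


def build_nte_packet(seq, timestamp, ssrc, event, duration,
                     end=False, marker=False, volume=10, pt=NTE_PT):
    """Serialize one RTP packet carrying one telephone-event payload."""
    byte0 = 0x80                                       # V=2, no P/X, CC=0
    byte1 = (0x80 if marker else 0) | (pt & 0x7F)      # M bit + payload type
    header = struct.pack("!BBHII", byte0, byte1, seq & 0xFFFF,
                         timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    flags = (0x80 if end else 0) | (volume & 0x3F)     # E bit, R=0, volume
    return header + struct.pack("!BBH", event, flags, duration & 0xFFFF)


def parse_nte_packet(pkt, pt=NTE_PT):
    """Decode a packet; return None when the payload type is not NTE (for
    example a G.711 voice packet in the same stream)."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    byte0, byte1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if byte0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    if byte0 & 0x10:
        raise ValueError("header extension not handled in this example")
    if byte1 & 0x7F != pt:
        return None
    off = 12 + 4 * (byte0 & 0x0F)                      # skip any CSRC list
    if len(pkt) < off + 4:
        raise ValueError("truncated telephone-event payload")
    event, flags, duration = struct.unpack("!BBH", pkt[off:off + 4])
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "marker": bool(byte1 & 0x80),
            "event": event, "end": bool(flags & 0x80),
            "volume": flags & 0x3F, "duration": duration}


def send_digit(digit, seq, ts, ssrc, hold_ms=100, ptime_ms=20, rate=8000):
    """Packetize one DTMF digit per RFC 4733 section 2.5: marker bit on the
    first packet, timestamp fixed for the whole event, duration growing with
    each update, and the final packet (E bit set) sent three times so that
    a single loss does not leave the digit 'stuck'. Returns (packets, next_seq)."""
    event = DTMF_EVENTS.index(digit)
    step, total = rate * ptime_ms // 1000, rate * hold_ms // 1000
    pkts, dur = [], step
    while dur < total:
        pkts.append(build_nte_packet(seq, ts, ssrc, event, dur, marker=(dur == step)))
        seq, dur = seq + 1, dur + step
    for _ in range(3):
        pkts.append(build_nte_packet(seq, ts, ssrc, event, total, end=True))
        seq += 1
    return pkts, seq


def collect_digits(packets):
    """Receiver: one character per (SSRC, timestamp) event, emitted when its
    first end packet arrives; duplicate end packets, voice packets and
    non-DTMF events (such as CNG) are ignored."""
    seen, digits = set(), []
    for pkt in packets:
        p = parse_nte_packet(pkt)
        if p is None or not p["end"] or p["event"] >= len(DTMF_EVENTS):
            continue
        key = (p["ssrc"], p["ts"])
        if key not in seen:
            seen.add(key)
            digits.append(DTMF_EVENTS[p["event"]])
    return "".join(digits)


if __name__ == "__main__":
    stream, seq = [], 1
    for digit, ts in (("2", 160), ("2", 1760), ("2", 3360), ("2", 4960)):
        pkts, seq = send_digit(digit, seq, ts, 0x1234ABCD)
        stream += pkts
    print(collect_digits(stream))        # the four digits dialed above
```

Because the event packets share the stream with G.711 voice, a receiver keys events on (SSRC, timestamp) rather than on sequence number, which is also what makes the three copies of the end packet harmless.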

Configuring fax and modem parameters of a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to access the call route fax and modem configuration page.

Figure 601 Call route fax and modem configuration page

For call route fax and modem configuration items, see Table 213 for details.

Call services

More and more VoIP-based services are demanded as voice application environments expand. On the
basis of basic calls, new features are implemented to meet the different application requirements of
VoIP subscribers.

Call waiting
When subscriber C calls subscriber A, who is already engaged in a call with subscriber B, the call is not
rejected if call waiting is enabled. Just like a normal call, subscriber C hears ringback tones, while
subscriber A hears call waiting tones that indicate a call is waiting on the line.
Subscriber A can answer the new call by pressing the flash hook or by hanging up to end the call with
subscriber B. In the former case, subscriber B is held. In the latter case, subscriber A is immediately
alerted and can pick up the phone to answer the call originated by subscriber C (the waiting call).

Call hold
If subscriber A, in a conversation with subscriber B, presses the flash hook, the media session of
subscriber B is temporarily cut off and subscriber B is held (in the silent state or listening to the
waiting tones). The system plays silence or dial tones to subscriber A, depending on the configuration.
(The system first plays dial tones and waits for the subscriber to dial. If the subscriber fails to dial within
a period of time, the system stops playing dial tones and the line stays on hold.) Subscriber A can resume
the call with subscriber B by pressing the flash hook again.
After pressing the flash hook, subscriber A hears dial tones and can initiate a new call. The setup flow
for the new call is exactly the same as the one for ordinary calls.

Call forwarding
After receiving a session request, the called party cannot answer the call for some reason. In this case,
the called party notifies in a response the calling party of the forwarded-to number so that the calling
party can re-initiate a session request to the new destination. This is call forwarding.
The system supports four different types of call forwarding:
• Call forwarding unconditional—With this feature enabled on a voice subscriber line, incoming
calls are forwarded to the predetermined destination, no matter whether the voice subscriber line is
available.
• Call forwarding busy—With this feature enabled on a voice subscriber line, an incoming call is
forwarded to the predetermined destination when the voice subscriber line is busy.
• Call forwarding no reply—With this feature enabled on a voice subscriber line, an incoming call is
forwarded to the predetermined destination when the voice subscriber line is not answered within
a period of time, which is configured by specifying Max Duration of Playing Ringback Tones on the
FXS, FXO, or E&M line configuration page and defaults to 60 seconds.
• Call forwarding unavailable—With this feature enabled on a voice subscriber line, an incoming
call is forwarded to the predetermined destination when the voice subscriber line is shut down.
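The response that hands the forwarded-to number back to the calling party is, in SIP, a 3xx redirect whose Contact header names the new destination (an assumption about the signalling; the text above only says "a response"). The following is an added example, not code from this guide or from the router: it parses such a response and shows the check a calling gateway should run before re-initiating the call, since a gateway that simply re-INVITEs whatever Contact it is handed lets any peer that can answer a call redirect it to a destination of the peer's choosing. The numbers, hosts and dial plan are constructed values.

```python
"""Following a call-forwarding redirect only when the dial plan permits it.

Added example, not H3C code. Assumes SIP: the forwarding gateway answers
INVITE with a 3xx response whose Contact header carries the forwarded-to
number. Numbers, hosts and the dial plan below are constructed values.
"""
import re

# Constructed 302, as a gateway forwarding 3333 unconditionally to 2222 would
# send it; a second, off-net Contact is included so the dial-plan check has
# something to reject.
SAMPLE_302 = "\r\n".join([
    "SIP/2.0 302 Moved Temporarily",
    "Via: SIP/2.0/UDP 192.168.2.1:5060;branch=z9hG4bK776asdhds",
    "From: <sip:1111@192.168.2.3>;tag=1928301774",
    "To: <sip:3333@192.168.2.3>;tag=a6c85cf",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:2222@192.168.2.3>;q=0.9, <sip:+4790000000@sip.example.net>;q=0.5",
    "Content-Length: 0", "", ""])

# Dial plan: (pattern for the user part, permitted host). Only four-digit
# extensions on the local proxy may be reached by following a redirect.
DIAL_PLAN = [(r"[1-9]\d{3}", "192.168.2.3")]


def status_code(msg):
    m = re.match(r"SIP/2\.0 (\d{3}) ", msg)
    if not m:
        raise ValueError("not a SIP response")
    return int(m.group(1))


def contacts(msg):
    """All Contact URIs, highest q-value first, listing order for ties."""
    found = []
    for line in msg.split("\r\n"):
        if re.match(r"(?i)(contact|m):", line):
            for uri, q in re.findall(r"<([^>]+)>\s*(?:;q=([\d.]+))?", line):
                found.append((float(q) if q else 1.0, uri))
    return [u for _, u in sorted(found, key=lambda t: -t[0])]


def split_sip_uri(uri):
    """'sip:user@host[:port][;params]' -> (user, host); anything else is refused."""
    m = re.fullmatch(r"sips?:([^@;]+)@([^;:>]+)(?::\d+)?(?:;.*)?", uri)
    if not m:
        raise ValueError(f"unsupported URI {uri!r}")
    return m.group(1), m.group(2)


def allowed_by_dial_plan(uri, plan=DIAL_PLAN):
    """True only if both the number and the host match a dial-plan entry."""
    user, host = split_sip_uri(uri)
    return any(re.fullmatch(pat, user) and host == h for pat, h in plan)


def forward_target(msg, plan=DIAL_PLAN):
    """URI to re-INVITE, or None when the response is not a redirect or none
    of its Contacts is permitted by the dial plan."""
    if not 300 <= status_code(msg) <= 399:
        return None
    for uri in contacts(msg):
        if allowed_by_dial_plan(uri, plan):
            return uri
    return None


if __name__ == "__main__":
    print(contacts(SAMPLE_302))
    print("re-INVITE to:", forward_target(SAMPLE_302))
```

The same allow-list belongs in front of the forwarded-to numbers an administrator enters for CFU, CFB, CFNR and call forwarding unavailable: a forwarding destination that the dial plan would never let the subscriber dial directly should not become reachable through forwarding either.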

Call transfer
Subscriber A (originator) and subscriber B (recipient) are in a conversation. Subscriber A presses the
flash hook and the call is put on hold. Subscriber A dials another number to originate a call to subscriber
C (final recipient). After Subscriber A hangs up, the call between subscriber B and subscriber C is
established. This is call transfer.
To complement the call transfer feature, the device supports call recovery after a call transfer fails:
if subscriber C in the previous example is in a conversation with another subscriber and cannot
establish a conversation with subscriber B, the call between subscriber A and subscriber B is recovered.

Call backup
After initiating a call to the called party, the calling party is unable to receive a response. In this case, if
there is another link (PSTN link or VoIP link) to the called party, the calling party re-initiates a call to the
called party over the new route. This is call backup.
The system supports two types of call backup:
• A PSTN link or VoIP link backs up a PSTN link.
• A PSTN link backs up a VoIP link.

Hunt group
Multiple voice subscriber lines are configured with the same called number to form a hunt group. If the
voice subscriber line with the first priority is unavailable when a call setup request to the called party is
received, the call is still established through another voice subscriber line in the hunt group.

Call barring
Call barring includes incoming call barring and outgoing call barring.
Incoming call barring usually refers to the DND service. When incoming call barring is enabled on a
voice subscriber line, calls originated to the attached phone fail.
When outgoing call barring is enabled on a voice subscriber line, calls originated from the attached
phone fail, too.

Message waiting indication


The MWI feature allows a voice gateway to notify a subscriber of messages waiting on a voice mailbox
server. For example, when a call destined to subscriber A is forwarded to the voice mailbox server, the
server notifies the voice gateway of the state change. When subscriber A picks up the phone, subscriber
A hears the message waiting tone without needing to query the mailbox.

Three-party conference
When subscriber A has a call with subscriber B and holds a call with subscriber C, A can make C join
the current conversation to implement a three-party conference.
During a three-party conference, a passive participant can initiate a new call to create another
conversation. In this way, conference chaining is implemented, and each conference initiator serves as
a conference bridge.

Silent monitor and barge in services
Silent monitor service—Allows a supervisor to monitor active calls without being heard.
Barge in service—Allows a supervisor to participate in a monitored call to implement three-party
conference. For example, suppose subscribers A and B are in a conversation and subscriber C is the
supervisor. If C wants to join the conversation, it sends a request to A. If A permits, the three-party
conference can be held. In this example, C is called the active participant of the conference, A is the
voice mixer, and B is the original participant of the conversation.
Silent monitor and barge in services can be considered as the extensions of three-party conference. To
distinguish them from traditional three-party conference, these two services are called three-party
conference in active participation mode.

Calling party control


The calling party control service allows the called party to resume the conversation with the calling party
by picking up the phone within a specified time. For example, subscriber A is the calling party, and
subscriber B is the called party. The on-hook delay is set to m seconds on the voice subscriber line of
subscriber B. After the call between A and B is established, if the calling party A hangs up first, the call
is ended. If the called party B hangs up first, B can resume the call with A by picking up the phone
within m seconds. After that, no matter how many times B hangs up within m seconds, B can resume the
call with A by picking up the phone.
In this example, after B hangs up for the first time, A hears silence in the handset for up to m seconds.
If subscriber C dials subscriber B during this time, the telephone of B does not ring, and C hears busy
tones.

Door opening control


The door opening control service allows a user to open a door remotely. The process is as follows: user
A that wants to access a door calls user B. After the session is established, user B enters a password
starting with an asterisk (*) and ending with a pound (#) on the phone,
• If the entered password is correct (the password matches the door opening control password
configured for the voice subscriber line), the door control relay opens the door. After a predefined
door open duration, the door control relay locks the door automatically.
• If the entered password is incorrect, the door cannot be opened.

CID on the FXS voice subscriber line


The CID service means that the calling identity information, such as the calling number, calling name,
date, and time, is displayed on the called terminal.
With the CID function, calling numbers and calling time in single-data-message format can be
transmitted or received in an on-hook state. When the CID function is combined with services such as
CFU and CFB, calling identity information can also be transmitted if required. A message in the SDMF
contains the following information:
• Date and time when the voice call occurs (MM DD hh:mm)
• Calling number if CID is enabled on the device
• P if CID is disabled on the device

• O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end
does not send it)
A message in the MDMF contains the following information:
• Date and time when the voice call occurs (MM DD hh:mm)
• Calling number and calling name if CID is enabled on the device
• Two Ps for the calling number and the calling name, respectively, if CID is disabled on the device
• O if the terminating PBX fails to obtain the calling number (for example, the originating PBX end
does not send it)
• O if the terminating PBX fails to obtain the calling name (for example, the originating PBX end does
not send it)
The FXS voice subscriber line sends the calling identity information to the called telephone through FSK
modulation between the first and second rings. Therefore, the called user must pick up the telephone
after the second ring to be sure that the calling identity information is sent and received correctly.
Otherwise, the calling identity information may fail to be displayed.

CID on the FXO voice subscriber line


The FXO voice subscriber line receives the calling identity information from the PBX. By default, the FXO
interface receives the modulated calling identity information from the PBX between the first and second
rings. You can configure the Time for CID Check on the FXO line configuration page to change the time
for CID check.
The calling identity information then undergoes FSK demodulation and a parity check. After the parity
check succeeds, the device checks whether sending calling identity information is enabled. If it is
enabled, the received calling identity information is sent on. Otherwise, the character P or O is sent.
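The SDMF and MDMF messages described in the two CID sections above follow the Bellcore caller-ID layout: a message type byte, a length byte, the data, and a checksum that makes the whole frame sum to zero modulo 256. The following is an added example, not code from this guide or from the router: it starts after FSK demodulation, at the byte level, builds both formats with the P and O markers the text defines, and parses them with the length and checksum checks an FXO side should apply before passing the data on to the telephone. The numbers, names and timestamps are constructed values.

```python
"""Bellcore-style Caller ID frames in SDMF and MDMF.

Added example, not H3C code. Operates on the demodulated bytes: type, length,
data, checksum. Numbers, names and date/time values below are constructed.
"""
SDMF_TYPE = 0x04   # single data message: MMDDhhmm followed by the number
MDMF_TYPE = 0x80   # multiple data message: type/length/value parameters
PARAM_NAMES = {0x01: "datetime", 0x02: "number", 0x04: "number_absent",
               0x07: "name", 0x08: "name_absent"}
PARAM_TYPES = {v: k for k, v in PARAM_NAMES.items()}


def _checksum(data):
    """Two's complement of the modulo-256 sum, so the complete frame sums to 0."""
    return (-sum(data)) & 0xFF


def _frame(mtype, body):
    if len(body) > 255:
        raise ValueError("message body too long")
    head = bytes([mtype, len(body)]) + body
    return head + bytes([_checksum(head)])


def encode_sdmf(datetime_mmddhhmm, number, cid_enabled=True):
    """SDMF: 'P' when CID is disabled, 'O' when the PBX supplied no number."""
    field = "P" if not cid_enabled else (number if number else "O")
    return _frame(SDMF_TYPE, (datetime_mmddhhmm + field).encode("ascii"))


def encode_mdmf(datetime_mmddhhmm, number, name, cid_enabled=True):
    """MDMF: separate absence markers for the number and the name."""
    params = [(PARAM_TYPES["datetime"], datetime_mmddhhmm)]
    if not cid_enabled:
        params += [(PARAM_TYPES["number_absent"], "P"), (PARAM_TYPES["name_absent"], "P")]
    else:
        params.append((PARAM_TYPES["number"], number) if number
                      else (PARAM_TYPES["number_absent"], "O"))
        params.append((PARAM_TYPES["name"], name) if name
                      else (PARAM_TYPES["name_absent"], "O"))
    body = b"".join(bytes([t, len(v)]) + v.encode("ascii") for t, v in params)
    return _frame(MDMF_TYPE, body)


def parse_cid(frame):
    """Validate checksum and length fields, then decode either format.
    Malformed input raises ValueError instead of producing a partial result."""
    if len(frame) < 3:
        raise ValueError("truncated frame")
    if sum(frame) & 0xFF:
        raise ValueError("checksum mismatch")
    mtype, length = frame[0], frame[1]
    if len(frame) != length + 3:
        raise ValueError("length field does not match frame size")
    body = frame[2:-1]
    if mtype == SDMF_TYPE:
        text = body.decode("ascii")
        if len(text) < 9 or not text[:8].isdigit():
            raise ValueError("malformed SDMF body")
        return {"format": "SDMF", "datetime": text[:8], "number": text[8:]}
    if mtype == MDMF_TYPE:
        out, i = {"format": "MDMF"}, 0
        while i < len(body):
            if i + 2 > len(body):
                raise ValueError("truncated parameter header")
            ptype, plen = body[i], body[i + 1]
            value = body[i + 2:i + 2 + plen]
            if len(value) != plen:
                raise ValueError("parameter runs past end of body")
            out[PARAM_NAMES.get(ptype, f"param_{ptype:#04x}")] = value.decode("ascii")
            i += 2 + plen
        return out
    raise ValueError(f"unknown message type {mtype:#04x}")


if __name__ == "__main__":
    frame = encode_mdmf("03201530", "1111", "Telephone A")
    print(frame.hex())
    print(parse_cid(frame))
```

Calling-name delivery needs MDMF (which is why the Calling Name item requires Complex Delivery), and a display that expects SDMF cannot parse an MDMF frame, which is the reason for matching the remote end's format.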

Support for SIP voice service of the VCX


Together with a server, the VCX implements the application of multiple voice features such as Silent
Monitor, Camp On, and FwdMail Toggle by using the H3C proprietary SIP Feature messages.

Configuring call services of a local number


Configuring call forwarding, call waiting, call hold, call
transfer, and three-party conference
Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to access the call services configuration page as shown in Figure 602.

Figure 602 Call services configuration page

Table 214 Configuration items

Item Description

Call Forwarding
• The Forwarded-to Number for Call Forwarding No Reply—Enter the forwarded-to number for call
forwarding no reply.
• The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number for call
forwarding busy.
• Call Forwarding Unconditional—Enter the forwarded-to number for call forwarding unconditional.
• The Forwarded-to Number for Call Forwarding Unavailable—Enter the forwarded-to number for
call forwarding unavailable.

Call Waiting
After call waiting is enabled, configure the following parameters according to your needs:
• Number of Call Waiting Tone Play Times.
• Number of Tones Played at One Time.
• Interval for Playing Call Waiting Tones.
By default, two call waiting tones are played once, and if Number of Tones Played at One Time is greater
than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Call Hold
Enable or disable the call hold function.
Call hold must be enabled before call transfer.

Call Transfer
After call transfer is enabled, you can set the Call Transfer Start Delay parameter according to your
needs.

Three-Party Conference
The three-party conference function depends on the call hold function. Therefore, you must enable the
call hold function before configuring three-party conference.

Monitor and Barge In
Enable or disable the silent monitor and barge in services.

Configuring other voice functions
Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to access the call services configuration page as shown in Figure 603.
Figure 603 Call services configuration page

Table 215 Configuration items

Item: Description

Calling Name
  Set the calling name, a string of case-sensitive characters including numbers 0 through 9, letters A through Z or a through z, underscores (_), hyphens (-), dots (.), exclamation points (!), percent signs (%), asterisks (*), plus signs (+), grave accents (`), single quotation marks ('), and tildes (~).
  By default, no calling name is configured.
  The calling name in the calling identity information can only be transmitted in MDMF format. Therefore, if calling information delivery is enabled, you must select the Complex Delivery option in the Calling Information Delivery area.

Calling Information Delivery
  Configure the format of calling information:
  • Complex Delivery—Calling identity information is transmitted in complex format.
  • Simple Delivery—Calling identity information is transmitted in simple format.
  • Do Not Delivery—Do not deliver the calling identity information.
  By default, complex delivery is adopted.
  If the remote end supports one format only, you must use the same message format at the local end.

Call Identity Delivery
  • Enable.
  • Disable.
  The calling identity is delivered by default.

Incoming Call Barring
  • Enable.
  • Disable.
  By default, incoming call barring is disabled.

Password for Outgoing Call Barring
  Set a password to lock your telephone when you do not want others to use your telephone.

Door Open Service (Door Opening Password, Door Open Duration)
  Enable the door opening control service, and set a password for opening the door and the door open duration before the door control relay locks the door.
  By default, the door opening service is disabled.
  IMPORTANT:
  • Install a SIC audio card on the device on which the FXS voice subscriber line with door opening control enabled resides.
  • When the door opening control service is enabled, out-of-band DTMF transmission is disabled. Whether the line is a calling or a called line, out-of-band DTMF transmission loses effect.

Feature Service
  • Enable.
  • Disable.
  By default, feature service is disabled.

Hunt Group
  • Enable.
  • Disable.
  By default, the hunt group function is disabled.
  IMPORTANT:
  To use the hunt group feature, you must select the Enable option for all local numbers involved in this service.

Message Waiting Indicator
  • Enable.
  • Disable.
  By default, MWI is disabled.
  After MWI is enabled, you can configure the Duration of Playing the Message Waiting Tone parameter according to your needs.
  IMPORTANT:
  Generally, the voice gateway sends a SUBSCRIBE to the server, receives a NOTIFY from the server if the subscription is successful, and then gets the status of the voice mailbox.

Hotline Numbers
  Configure the private line auto ring-down (PLAR) function. The number is the E.164 telephone number of the terminating end.

On-hook Delay Time of the Called Party
  Enable calling party control and set the on-hook delay time of the called party. If the delay time is set to 0, calling party control is disabled.
  By default, calling party control is disabled, that is, the on-hook delay of the called party is set to 0.

Processing Priority When the Line is Busy
  Specify the processing sequence of services when the line is busy.

579
Configuring call services of a call route
Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to access the call route call services configuration page as shown in Figure 604.
After completing the trunk configuration of a call route, you can configure the call services of the call
route. The SIP call route does not support call services configuration.
Support for options provided on the call services page of a call route depends on the selected trunk route
line. Only the FXO trunks support the Calling Number Delivery and Calling Identity Delivery functions.
Figure 604 Call services configuration page

Table 216 Configuration items

Item: Description

Call Waiting
  After call waiting is enabled, configure the following parameters according to your needs:
  • Number of Call Waiting Tone Play Times.
  • Number of Tones Played at One Time.
  • Interval for Playing Call Waiting Tones.
  By default, the number of call waiting tone play times is one, the number of call waiting tones played at one time is 2, and, if the value of Number of Tones Played at One Time is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Incoming Call Barring
  • Enable.
  • Disable.
  By default, incoming call barring is disabled.

Password for Outgoing Call Barring
  Set a password to lock your telephone when you do not want others to use your telephone.

Hunt Group
  • Enable.
  • Disable.
  By default, the hunt group function is disabled.
  IMPORTANT:
  To use the hunt group feature, you must select the Enable option for all call routes involved in this service.

Hotline Numbers
  Configure the private line auto ring-down (PLAR) function. The number is an E.164 telephone number of the terminating end.

Call services configuration examples


Configuring call waiting
Network requirements
As shown in Figure 605, place a call from Telephone C to Telephone A which is already engaged in a
call with Telephone B, and the call is not rejected. Just like a normal call, the subscriber at Telephone C
hears ringback tones, while the subscriber at Telephone A hears call waiting tones which remind that
another call is waiting on the line.
Figure 605 Network diagram (Router A: Eth1/1 10.1.1.1/24, Telephone A 1000; Router B: Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.1/24, Telephone B 2000; Router C: Eth1/1 20.1.1.2/24, Telephone C 3000)

Configuration procedure
Before performing the following configuration, make sure Router A, Router B, and Router C are reachable
to each other.
1. Complete basic voice call configurations.
Complete basic voice call configurations on Router A, Router B, and Router C.
2. Configure call waiting.
Configure call waiting on Router A.
a. Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 1000 in the local number list to access the call services configuration page.
Figure 606 Configuring call waiting
b. Select Enable for Call Waiting.
c. Click Apply.

Verifying the configuration


Verify the two call waiting operation modes:
• Operation 1—When the subscriber at Telephone C dials 1000 to call Telephone A, which is
already engaged in a call with Telephone B, the subscriber at Telephone C hears ringback tones,
while the subscriber at Telephone A hears call waiting tones that indicate a call is waiting on the
line. If the subscriber at Telephone A then hangs up, the telephone rings, and the subscriber at
Telephone A can pick up the phone to start a conversation with Telephone C.
• Operation 2—When the subscriber at Telephone C dials 1000 to call Telephone A, which is already
engaged in a call with Telephone B, the subscriber at Telephone A can press the flash hook to start
a conversation with Telephone C, and Telephone B is put on hold. The subscriber at Telephone
A can press the flash hook again to continue the talk with Telephone B, and then Telephone C is
put on hold. In this case, the call hold function must be enabled on the voice subscriber line connecting to
Telephone A.

Configuring call forwarding


Network requirements
As shown in Figure 607, place a call from Telephone A to Telephone B. Router B forwards the call to
Telephone C when Telephone B is busy. Finally, Telephone A and Telephone C start a conversation.

Figure 607 Network diagram (Router A: Eth1/1 10.1.1.1/24, Telephone A 1000; Router B: Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.1/24, Telephone B 2000; Router C: Eth1/1 20.1.1.2/24, Telephone C 3000)

Configuration procedure
Before performing the following configuration, make sure Router A, Router B and Router C are reachable
to each other.
1. Complete basic voice call configurations: complete basic voice call configurations on Router A,
Router B, and Router C.
2. Configure call forwarding:
Configure call forwarding on Router B.
a. Select Voice Management > Local Number from the navigation tree, click the icon of local
number 2000 in the local number list to access the call services configuration page.
b. Enter 3000 for The Forwarded-to Number for Call Forwarding Busy.
c. Click Apply.
Figure 608 Configuring call forwarding

Verifying the configuration
Place a call from Telephone A to Telephone B. Router B forwards the call to Telephone C when Telephone
B is busy. Finally, Telephone A and Telephone C start a conversation.

Configuring call transfer


Network requirements
As shown in Figure 609, call transfer enables Telephone A to transfer Telephone B to Telephone C. After
the call transfer is completed, Telephone B and Telephone C are in a conversation.
The whole process is as follows:
1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.
2. Perform a hookflash at Telephone A to put the call with Telephone B on hold.
3. Call Telephone C (3000) from Telephone A after hearing dial tones.
4. Hang up Telephone A.
5. Telephone B and Telephone C are in a conversation and call transfer is completed.
Figure 609 Network diagram (Router A: Eth1/1 10.1.1.1/24, Telephone A 1000; Router B: Eth1/2 10.1.1.2/24, Eth1/1 20.1.1.1/24, Telephone B 2000; Router C: Eth1/1 20.1.1.2/24, Telephone C 3000)

Configuration procedure
Before performing the following configuration, make sure that Router A, Router B and Router C are
reachable to each other.
1. Complete basic voice call configurations: complete basic voice call configurations on Router A,
Router B, and Router C.
2. Configure call transfer:
# Configure call hold and call transfer on Router A.
a. Select Voice Management > Local Number from the navigation tree, click the icon of local
number 1000 in the local number list to access the call services configuration page.
b. Select Enable for Call Hold.
c. Select Enable for Call Transfer.
d. Click Apply.

Figure 610 Configuring call transfer

Verifying the configuration


The whole process is as follows:
1. Call Telephone B from Telephone A, and then Telephone B and Telephone A are in a conversation.
2. Perform a hookflash at Telephone A to put the call with Telephone B on hold.
3. Call Telephone C (3000) from Telephone A after hearing dial tones.
4. Hang up Telephone A.
5. Telephone B and Telephone C are in a conversation and call transfer is completed.

Configuring hunt group


Network requirements
As shown in Figure 611, hunt group applies to the situation where multiple subscriber lines correspond to
the same number. When the voice subscriber line with the first highest priority is in use, the device can
automatically connect an incoming call to the voice subscriber line with the second highest priority.
Telephone A1 (1000) and Telephone A2 (1000) are both connected to Router A, and Telephone A1 has
a higher priority. Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher
priority, Telephone B is connected to Telephone A1. If number 1000 is dialed from Telephone C (3000)
when Telephone A1 and Telephone B are in a conversation, hunt group enables Telephone C to have a
conversation with Telephone A2.

Figure 611 Network diagram

Configuration procedure
Before performing the following configuration, make sure that Router A, Router B and Router C are
routable to each other.
1. Complete basic voice call configurations: complete basic voice call configurations on Router A,
Router B, and Router C.
2. Configure hunt group:
# Configure a number selection priority for Telephone A2 on Router A. Keep the default priority 0
(the highest priority) for Telephone A1.
a. Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 1000 in the local number list to access the advanced settings configuration page.
Figure 612 Configuring number selection priority of Telephone A2
b. Select 4 from the Number Selection Priority list.
c. Click Apply.
# Configure hunt group on Router A.
d. Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 1000 of Telephone A1 in the local number list to access the call services configuration
page.
Figure 613 Configuring hunt group
e. Select Enable for Hunt Group.
f. Click Apply.

Perform the same configuration for the local number 1000 of Telephone A2. The configuration procedure
is not included here.

Verifying the configuration


Dial number 1000 from Telephone B (2000). Because Telephone A1 has a higher priority, Telephone B
is connected to Telephone A1. If you dial number 1000 from Telephone C (3000) when Telephone A1
and Telephone B are in a conversation, hunt group enables Telephone C to have a conversation with
Telephone A2.

Configuring three-party conference


Network requirements
As shown in Figure 614, place a call from Telephone A to Telephone B and after the call is established,
hold the call on Telephone B. Then, place a call from Telephone B to Telephone C. After success, press
the hook flash on Telephone B and press 3. Then a three-party conference can be established among
Telephones A, B, and C.

Figure 614 Network diagram (Router A: Eth1/0 10.1.1.1/24, Telephone A 1000; Router B: Eth1/0 10.1.1.2/24, Eth1/1 20.1.1.1/24, Telephone B 2000; Router C: Eth1/0 20.1.1.2/24, Telephone C 3000)

Configuration procedure
Before performing the following configuration, make sure that Router A, Router B and Router C are
routable to each other.
1. Complete basic voice call configurations: complete basic voice call configurations on Router A,
Router B, and Router C.
2. Configure three-party conference.
# Enable call hold on Router A and Router C.
a. Select Voice Management > Local Number from the navigation tree, and click the icon of the
local number to be configured to access the call services configuration page.
Figure 615 Configuring call hold
b. Select Enable for Call Hold.
c. Click Apply.
# Enable call hold and three-party conference on Router B.
d. Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 2000 in the local number list to access the call services configuration page.
Figure 616 Configuring call hold
e. Select Enable for Call Hold.
f. Select Enable for Three-Party Conference.
g. Click Apply.

Verifying the configuration


Now Telephone B, as the conference initiator, can establish a three-party conference with participants
Telephone A and Telephone C.
If you also enable three-party conference on the FXS lines of Telephone A and Telephone C on Router A
and Router C, then during the conference, a new call can be initiated from Telephone A or Telephone C
to invite another passive participant. In this way, you can implement conference chaining.

Configuring silent monitor and barge in


Network requirements
• Configure silent monitor for Telephone C to monitor the conversation between Telephone A and
Telephone B. After configuration, when Telephone A and Telephone B are in a conversation, dialing
the feature code *425*Number of Telephone A# at Telephone C monitors the conversation
between Telephone A and Telephone B.
• Configure barge in for Telephone C to participate in the conversation between Telephone A and
Telephone B. After configuration, dialing the feature code *428# at Telephone C joins
the conversation between Telephone A and Telephone B.

Figure 617 Network diagram

Configure the VCX


Open the Web interface of the VCX and select Central Management Console. Configure the information
of Telephone A, Telephone B, and Telephone C. The following takes Telephone A as an example.
Figure 618 Telephone configuration page

# Configure the silent-monitor authority


1. Click Features of number 1000 to access the feature configuration page, and then click Edit
Feature of the Silent Monitor and Barge In feature to access the page as shown in Figure 619.

Figure 619 Silent monitor and barge in feature configuration page (1)

2. Click Assign External Phones to specify that number 3000 has the authority to monitor number
1000. After this configuration, the page as shown in Figure 620 appears.
Figure 620 Silent monitor and barge in feature configuration page (2)

After the previous configuration, Telephone C with the number 3000 can monitor and barge in the
conversations of Telephone A with the number 1000.

Configure Router A
# Configure a local number and call routes.
1. Configure a local number: specify the local number ID as 1000 and the number as 1000, and
bind the number to line 1/0 on the local number configuration page.
2. Configure the call route to Router B: specify the call route ID as 2000, the destination number as
3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
3. Configure the call route to Router C: specify the call route ID as 3000, the destination number as
3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
4. Configure SIP registration: enable the registration function on the SIP connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to access the connection properties configuration page, and configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.
# Enable the feature service and the silent-monitor and barge-in function.
5. Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 1000 to access the call services page as shown in Figure 621.

Figure 621 Enabling the feature service and the silent monitor and barge in function

6. Select Enable for Monitor and Barge In.


7. Select Enable for Feature Service.
8. Click Apply.

Configure Router B
# Configure a local number and call routes.

1. Configure a local number: specify the local number ID as 2000 and the number as 2000, and
bind the number to line 1/0 on the local number configuration page.
2. Configure the call route to Router A: specify the call route ID as 1000, the destination number as
1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
3. Configure the call route to Router C: specify the call route ID as 3000, the destination number as
3000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
4. Configure SIP registration: enable the registration function on the SIP connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to access the connection properties configuration page, and then configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.

Configure Router C
# Configure a local number and call routes.
1. Configure a local number: specify the local number ID as 3000 and the number as 3000, and
bind the number to line 1/0 on the local number configuration page.
2. Configure the call route to Router A: specify the call route ID as 1000, the destination number as
1000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
3. Configure the call route to Router B: specify the call route ID as 2000, the destination number as
2000, and the call route type as SIP, and use a SIP proxy server to complete calls on the call route
configuration page.
4. Configure SIP registration: enable the registration function on the SIP connection properties
configuration page. Select Voice Management > Call Connection > SIP Connection from the
navigation tree to access the connection properties configuration page, and then configure the IP
addresses of both the main registrar and the proxy server as 100.1.1.101.
# Configure the DTMF transmission mode as out-of-band transmission.
5. Select Voice Management > Call Route from the navigation tree and click the icon of call route
1000 to access the advanced settings page as shown in Figure 622.
Figure 622 Configuring DTMF transmission mode

6. Select RFC2833 for DTMF Transmission Mode.
7. Click Apply.
# Enable the feature service.
8. Select Voice Management > Local Number from the navigation tree, and click the icon of local
number 3000 to access the call services page as shown in Figure 623.
Figure 623 Enabling the feature service

9. Select Enable for Feature Service.


10. Click Apply.

Verifying the configuration


After the above configuration, dial feature code *425*1000# at Telephone C, and you can monitor the
conversation between Telephone A and Telephone C. If you want to participate in the conversation, dial
*428# at Telephone C.

Advanced settings

This section provides information on configuring various advanced settings.

Introduction to advanced settings


Coding parameters
The configuration of coding parameters includes specifying codec priorities and packet assembly
intervals.
The codecs include: g711alaw, g711ulaw, g723r53, g723r63, g726r16, g726r24, g726r32, g726r40,
g729a, g729br8, and g729r8.
The following are the characteristics of the different codecs:
• g711alaw and g711ulaw provide high-quality voice transmission, while requiring greater
bandwidth.
• g723r53 and g723r63 provide silence suppression and comfort noise generation. The
higher-rate output is based on multi-pulse maximum likelihood quantization (MP-MLQ) and
provides relatively higher voice quality. The lower-rate output is based on
algebraic-code-excited linear prediction (ACELP) and provides greater flexibility for
application.
• The voice quality provided by g729r8 and g729a is similar to that of 32 kbps adaptive differential pulse code
modulation (ADPCM), which is toll quality. It also features low bandwidth,
low delay, and medium processing complexity. Therefore, it has a wide field of application.
Table 217 Relationship between algorithms and bandwidth

Codec                   | Bandwidth                     | Voice quality
G.711 (A-law and μ-law) | 64 kbps (without compression) | Best
G.726                   | 16, 24, 32, 40 kbps           | Good
G.729                   | 8 kbps                        | Good
G.723 r63               | 6.3 kbps                      | Fair
G.723 r53               | 5.3 kbps                      | Fair

Actual network bandwidth depends on the packet assembly interval and the network structure. The longer the
packet assembly interval, the closer the network bandwidth is to the media stream bandwidth, because
fewer packets per second means fewer headers, and more headers consume more bandwidth. A longer packet
assembly interval, however, results in a longer fixed coding latency.
The following tables show the relevant packet assembly parameters without IPHC, including packet
assembly interval, bytes coded in a time unit, and network bandwidth, so that you can choose a
suitable codec algorithm according to the idle or busy status of the line and the network conditions more
conveniently.

Table 218 G.711 algorithm (A-law and μ-law)

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 80  | 120 | 96 kbps   | 126 | 100.8 kbps | 10 ms
20 ms | 160 | 200 | 80 kbps   | 206 | 82.4 kbps  | 20 ms
30 ms | 240 | 280 | 74.7 kbps | 286 | 76.3 kbps  | 30 ms

G.711 algorithm (A-law and μ-law): media stream bandwidth 64 kbps, minimum packet assembly interval 10 ms.

Table 219 G.723 r63 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
30 ms  | 24  | 64  | 16.8 kbps | 70  | 18.4 kbps | 30 ms
60 ms  | 48  | 88  | 11.6 kbps | 94  | 12.3 kbps | 60 ms
90 ms  | 72  | 112 | 9.8 kbps  | 118 | 10.3 kbps | 90 ms
120 ms | 96  | 136 | 9.1 kbps  | 142 | 9.5 kbps  | 120 ms
150 ms | 120 | 160 | 8.5 kbps  | 166 | 8.9 kbps  | 150 ms
180 ms | 144 | 184 | 8.2 kbps  | 190 | 8.4 kbps  | 180 ms

G.723 r63 algorithm: media stream bandwidth 6.3 kbps, minimum packet assembly interval 30 ms.

Table 220 G.723 r53 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
30 ms  | 20  | 60  | 15.9 kbps | 66  | 17.5 kbps | 30 ms
60 ms  | 40  | 80  | 10.6 kbps | 86  | 11.4 kbps | 60 ms
90 ms  | 60  | 100 | 8.8 kbps  | 106 | 9.3 kbps  | 90 ms
120 ms | 80  | 120 | 8 kbps    | 126 | 8.4 kbps  | 120 ms
150 ms | 100 | 140 | 7.5 kbps  | 146 | 7.8 kbps  | 150 ms
180 ms | 120 | 160 | 7.1 kbps  | 166 | 7.4 kbps  | 180 ms

G.723 r53 algorithm: media stream bandwidth 5.3 kbps, minimum packet assembly interval 30 ms.

Table 221 G.726 r16 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms  | 20  | 60  | 48 kbps   | 66  | 52.8 kbps | 10 ms
20 ms  | 40  | 80  | 32 kbps   | 86  | 34.4 kbps | 20 ms
30 ms  | 60  | 100 | 26.7 kbps | 106 | 28.3 kbps | 30 ms
40 ms  | 80  | 120 | 24 kbps   | 126 | 22.1 kbps | 40 ms
50 ms  | 100 | 140 | 22.4 kbps | 146 | 23.4 kbps | 50 ms
60 ms  | 120 | 160 | 21.3 kbps | 166 | 11.4 kbps | 60 ms
70 ms  | 140 | 180 | 20.6 kbps | 186 | 21.3 kbps | 70 ms
80 ms  | 160 | 200 | 20 kbps   | 206 | 20.6 kbps | 80 ms
90 ms  | 180 | 220 | 19.5 kbps | 226 | 20.1 kbps | 90 ms
100 ms | 200 | 240 | 19.2 kbps | 246 | 19.7 kbps | 100 ms
110 ms | 220 | 260 | 18.9 kbps | 266 | 19.3 kbps | 110 ms

G.726 r16 algorithm: media stream bandwidth 16 kbps, minimum packet assembly interval 10 ms.

Table 222 G.726 r24 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 30  | 70  | 56 kbps   | 76  | 60.8 kbps | 10 ms
20 ms | 60  | 100 | 40 kbps   | 106 | 42.4 kbps | 20 ms
30 ms | 90  | 130 | 34.7 kbps | 136 | 36.3 kbps | 30 ms
40 ms | 120 | 160 | 32 kbps   | 166 | 33.2 kbps | 40 ms
50 ms | 150 | 190 | 30.4 kbps | 196 | 31.2 kbps | 50 ms
60 ms | 180 | 220 | 29.3 kbps | 226 | 30.1 kbps | 60 ms
70 ms | 210 | 250 | 28.6 kbps | 256 | 29.3 kbps | 70 ms

G.726 r24 algorithm: media stream bandwidth 24 kbps, minimum packet assembly interval 10 ms.

Table 223 G.726 r32 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 40  | 80  | 64 kbps   | 86  | 68.8 kbps | 10 ms
20 ms | 80  | 120 | 48 kbps   | 126 | 50.4 kbps | 20 ms
30 ms | 120 | 160 | 42.7 kbps | 166 | 44.3 kbps | 30 ms
40 ms | 160 | 200 | 40 kbps   | 206 | 41.2 kbps | 40 ms
50 ms | 200 | 240 | 38.4 kbps | 246 | 39.4 kbps | 50 ms

G.726 r32 algorithm: media stream bandwidth 32 kbps, minimum packet assembly interval 10 ms.

Table 224 G.726 r40 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms | 50  | 90  | 72 kbps   | 96  | 76.8 kbps | 10 ms
20 ms | 100 | 140 | 56 kbps   | 146 | 58.4 kbps | 20 ms
30 ms | 150 | 190 | 50.7 kbps | 196 | 52.3 kbps | 30 ms
40 ms | 200 | 240 | 48 kbps   | 246 | 49.2 kbps | 40 ms

G.726 r40 algorithm: media stream bandwidth 40 kbps, minimum packet assembly interval 10 ms.

Table 225 G.729 algorithm

Packet assembly interval | Bytes coded in a time unit | Packet length (IP) (bytes) | Network bandwidth (IP) | Packet length (IP+PPP) (bytes) | Network bandwidth (IP+PPP) | Coding latency
10 ms  | 10  | 50  | 40 kbps   | 56  | 44.8 kbps | 10 ms
20 ms  | 20  | 60  | 24 kbps   | 66  | 26.4 kbps | 20 ms
30 ms  | 30  | 70  | 18.7 kbps | 76  | 20.3 kbps | 30 ms
40 ms  | 40  | 80  | 16 kbps   | 86  | 17.2 kbps | 40 ms
50 ms  | 50  | 90  | 14.4 kbps | 96  | 15.4 kbps | 50 ms
60 ms  | 60  | 100 | 13.3 kbps | 106 | 14.1 kbps | 60 ms
70 ms  | 70  | 110 | 12.6 kbps | 116 | 13.3 kbps | 70 ms
80 ms  | 80  | 120 | 12 kbps   | 126 | 12.6 kbps | 80 ms
90 ms  | 90  | 130 | 11.6 kbps | 136 | 12.1 kbps | 90 ms
100 ms | 100 | 140 | 11.2 kbps | 146 | 11.7 kbps | 100 ms
110 ms | 110 | 150 | 10.9 kbps | 156 | 11.3 kbps | 110 ms
120 ms | 120 | 160 | 10.7 kbps | 166 | 11.1 kbps | 120 ms
130 ms | 130 | 170 | 10.5 kbps | 176 | 10.8 kbps | 130 ms
140 ms | 140 | 180 | 10.3 kbps | 186 | 10.6 kbps | 140 ms
150 ms | 150 | 190 | 10.1 kbps | 196 | 10.5 kbps | 150 ms
160 ms | 160 | 200 | 10 kbps   | 206 | 10.3 kbps | 160 ms
170 ms | 170 | 210 | 9.9 kbps  | 216 | 10.2 kbps | 170 ms
180 ms | 180 | 220 | 9.8 kbps  | 226 | 10 kbps   | 180 ms

G.729 algorithm: media stream bandwidth 8 kbps, minimum packet assembly interval 10 ms.

NOTE:
• The packet assembly interval is the duration to encapsulate information into a voice packet.
• Bytes coded in a time unit = packet assembly interval × media stream bandwidth.
• Packet length (IP) = IP header + RTP header + UDP header + voice information length = 20+12+8+data.
• Packet length (IP+PPP) = PPP header + IP header + RTP header + UDP header + voice information length
= 6+20+12+8+data.
• Network bandwidth = Bandwidth of the media stream × packet length/bytes coded in a time unit.

Because IPHC compression is affected significantly by network stability, it cannot achieve high efficiency
unless the line is of high quality, the network is very stable, and packet loss does not occur or seldom
occurs. When the network is unstable, IPHC efficiency drops drastically. With best IPHC performance,
the IP (RTP) header can be compressed to 2 bytes. If the PPP header is compressed at the same time, a
great deal of media stream bandwidth can be saved. The following table shows the best IPHC
compression efficiency of codec algorithms with a packet assembly interval of 30 milliseconds.
Table 226 Compression efficiency of IPHC+PPP header

Codec    | Bytes coded in a time unit | Before compression: packet length (IP+PPP) (bytes) | Before compression: network bandwidth (IP+PPP) | After IPHC+PPP compression: packet length (IP+PPP) (bytes) | After IPHC+PPP compression: network bandwidth (IP+PPP)
G.729    | 30  | 76  | 20.3 kbps | 34  | 9.1 kbps
G.723r63 | 24  | 70  | 18.4 kbps | 28  | 7.4 kbps
G.723r53 | 20  | 66  | 17.5 kbps | 24  | 6.4 kbps
G.726r16 | 60  | 106 | 28.3 kbps | 64  | 17.1 kbps
G.726r24 | 90  | 136 | 17.5 kbps | 94  | 25.1 kbps
G.726r32 | 120 | 166 | 44.3 kbps | 124 | 33.1 kbps
G.726r40 | 150 | 196 | 52.3 kbps | 154 | 41.1 kbps
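The formulas in the NOTE above (bytes coded, packet length, network bandwidth) and the before/after layout of Table 226, worked as a small calculator. This is an added example, not code from the H3C guide: it uses the guide's header sizes (IP 20, UDP 8, RTP 12, PPP 6 bytes) and the media stream bandwidths and minimum packet assembly intervals stated under Tables 218 to 225. The 4-byte header size left after IPHC+PPP compression is an assumption inferred from Table 226 (every "after" packet is payload + 4 bytes); the guide itself only says the IP/RTP header compresses to 2 bytes. All function names are the example's own.

```python
"""Voice packet bandwidth calculator (added example, not from the H3C guide)."""
from dataclasses import dataclass

# Header sizes from the NOTE: IP 20, UDP 8, RTP 12, PPP 6 bytes.
IP_HDR, UDP_HDR, RTP_HDR, PPP_HDR = 20, 8, 12, 6

# Media stream bandwidth (kbps) and minimum packet assembly interval (ms)
# per codec, taken from the notes under Tables 218 to 225.
CODECS = {
    "g711": (64.0, 10),
    "g723r63": (6.3, 30),
    "g723r53": (5.3, 30),
    "g726r16": (16.0, 10),
    "g726r24": (24.0, 10),
    "g726r32": (32.0, 10),
    "g726r40": (40.0, 10),
    "g729": (8.0, 10),
}

# Header bytes that remain after IPHC+PPP compression at best efficiency.
# Assumption inferred from Table 226 (e.g. G.729: 34 - 30 = 4 bytes).
COMPRESSED_HDR = 4


@dataclass(frozen=True)
class Row:
    interval_ms: int
    bytes_coded: int
    pkt_ip: int
    bw_ip: float
    pkt_ppp: int
    bw_ppp: float
    latency_ms: int


def bytes_coded(codec: str, interval_ms: int) -> int:
    """Voice bytes per packet = packet assembly interval x media bandwidth.

    The payload grows in whole codec frames, so the frame size is computed
    at the minimum interval and rounded to a whole byte (G.723.1 gives 24-
    and 20-byte frames, as in Tables 219 and 220) and then multiplied up.
    """
    kbps, min_ms = CODECS[codec]
    if interval_ms % min_ms:
        raise ValueError(f"{interval_ms} ms is not a multiple of {min_ms} ms")
    frame_bytes = round(min_ms * kbps / 8)
    return frame_bytes * (interval_ms // min_ms)


def bandwidth_kbps(codec: str, packet_len: int, payload: int) -> float:
    """Network bandwidth = media bandwidth x packet length / bytes coded."""
    kbps, _ = CODECS[codec]
    return round(kbps * packet_len / payload, 1)


def table_row(codec: str, interval_ms: int) -> Row:
    """One row of Tables 218 to 225 for the given codec and interval."""
    payload = bytes_coded(codec, interval_ms)
    pkt_ip = IP_HDR + RTP_HDR + UDP_HDR + payload        # 20+12+8+data
    pkt_ppp = PPP_HDR + pkt_ip                           # 6+20+12+8+data
    return Row(interval_ms, payload,
               pkt_ip, bandwidth_kbps(codec, pkt_ip, payload),
               pkt_ppp, bandwidth_kbps(codec, pkt_ppp, payload),
               interval_ms)


def iphc_row(codec: str, interval_ms: int = 30) -> tuple:
    """Table 226 style row: (bytes, len before, bw before, len after, bw after)."""
    payload = bytes_coded(codec, interval_ms)
    before = PPP_HDR + IP_HDR + RTP_HDR + UDP_HDR + payload
    after = COMPRESSED_HDR + payload
    return (payload, before, bandwidth_kbps(codec, before, payload),
            after, bandwidth_kbps(codec, after, payload))


def savings_percent(codec: str, interval_ms: int = 30) -> float:
    """Share of link bandwidth saved by IPHC+PPP at best efficiency."""
    _, _, bw_before, _, bw_after = iphc_row(codec, interval_ms)
    return round(100 * (1 - bw_after / bw_before), 1)


if __name__ == "__main__":
    for ms in (10, 20, 30, 60):
        r = table_row("g729", ms)
        print(f"G.729 {r.interval_ms:3d} ms: {r.bytes_coded:3d} B payload, "
              f"IP {r.pkt_ip} B {r.bw_ip} kbps, IP+PPP {r.pkt_ppp} B {r.bw_ppp} kbps")
    for codec in CODECS:
        print(codec, iphc_row(codec), f"saves {savings_percent(codec)} %")
```

Rows where the guide's printed value departs from its own formula (for example the 40 ms and 60 ms IP+PPP entries of Table 221) show up immediately when the computed row is compared with the printed one, which is the practical use of such a check before sizing a link.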

Other parameters
Other parameters are some optional parameters, such as number selection priority, dial prefix, called
number sending mode, and DTMF transmission mode. For the description of these parameters,
see Configuring other parameters of a local number and Configuring other parameters for a call route.

Configuring advanced settings of a local number


Configuring coding parameters of a local number
Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to access the advanced settings configuration page.

Figure 624 Configuring coding parameters of the local number

Table 227 Configuration items

Item: Description

Codec with the First Priority
  Specify a codec with the first priority.

Codec with the Second Priority
  Specify a codec with the second priority.

Codec with the Third Priority
  Specify a codec with the third priority.

Codec with the Lowest Priority
  Specify a codec with the lowest priority.

  These four items specify the codecs and their priority levels. The available codecs are:
  • g711alaw—G.711 A-law codec (defining the pulse code modulation technology), requiring a bandwidth of 64 kbps, usually adopted in Europe.
  • g711ulaw—G.711 μ-law codec, requiring a bandwidth of 64 kbps, usually adopted in North America and Japan.
  • g723r53—G.723.1 Annex A codec, requiring a bandwidth of 5.3 kbps.
  • g723r63—G.723.1 Annex A codec, requiring a bandwidth of 6.3 kbps.
  • g726r16—G.726 Annex A codec. It uses the ADPCM technology, requiring a bandwidth of 16 kbps.
  • g726r24—G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 24 kbps.
  • g726r32—G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 32 kbps.
  • g726r40—G.726 Annex A codec. It uses ADPCM, requiring a bandwidth of 40 kbps.
  • g729a—G.729 Annex A codec (a simplified version of G.729), requiring a bandwidth of 8 kbps.
  • g729br8—G.729 Annex B (the voice compression technology using conjugate-structure algebraic-code-excited linear prediction), requiring a bandwidth of 8 kbps.
  • g729r8—G.729 (the voice compression technology using conjugate-structure algebraic-code-excited linear prediction), requiring a bandwidth of 8 kbps.

Packet Assembly Interval of G711
  Specify the packet assembly interval for the g711alaw and g711ulaw codecs.

Packet Assembly Interval of G723
  Specify the packet assembly interval for the g723r53 and g723r63 codecs.

Packet Assembly Interval of G726r16
  Specify the packet assembly interval for the g726r16 codec.

Packet Assembly Interval of G726r24
  Specify the packet assembly interval for the g726r24 codec.

Packet Assembly Interval of G726r32
  Specify the packet assembly interval for the g726r32 codec.

Packet Assembly Interval of G726r40
  Specify the packet assembly interval for the g726r40 codec.

Packet Assembly Interval of G729
  Specify the packet assembly interval for the g729r8, g729br8, and g729a codecs.

Two communication parties can communicate normally only if they share at least one identical
coding/decoding algorithm. If the codec algorithms configured on two connected devices are inconsistent, or
the two devices share no common coding/decoding algorithm, the call fails.
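The codec-matching rule just stated, as an added example that is not code from the H3C guide or its Web interface: each end's four priority slots (Table 227) are turned into an ordered list, and the call is set up with the first codec in the calling side's order that the other side also offers; if there is none, the call fails. The slot layout, the function names and the CallSetupError exception are the example's own; the media bandwidths are those of Table 217.

```python
"""Codec priority negotiation check (added example, not from the H3C guide)."""
from typing import Optional, Sequence

# Media stream bandwidth in kbps per codec name (Table 217 / Table 227).
MEDIA_KBPS = {
    "g711alaw": 64, "g711ulaw": 64,
    "g723r53": 5.3, "g723r63": 6.3,
    "g726r16": 16, "g726r24": 24, "g726r32": 32, "g726r40": 40,
    "g729a": 8, "g729br8": 8, "g729r8": 8,
}


class CallSetupError(Exception):
    """Raised when the two ends share no codec, i.e. the call fails."""


def priority_list(slots: Sequence[Optional[str]]) -> list:
    """Turn the first/second/third/lowest priority slots into an ordered list.

    Empty slots (None) are skipped, a codec named twice keeps its first
    (highest) position, and unknown codec names are rejected early.
    """
    ordered = []
    for codec in slots:
        if codec is None:
            continue
        if codec not in MEDIA_KBPS:
            raise ValueError(f"unknown codec: {codec}")
        if codec not in ordered:
            ordered.append(codec)
    return ordered


def negotiate(caller_slots, callee_slots) -> str:
    """Return the caller's highest-priority codec that the callee also offers."""
    caller = priority_list(caller_slots)
    callee = set(priority_list(callee_slots))
    for codec in caller:
        if codec in callee:
            return codec
    raise CallSetupError(
        f"no common codec: caller {caller}, callee {sorted(callee)}")


def call_plan(caller_slots, callee_slots) -> dict:
    """Negotiate and report the media stream bandwidth the call will need."""
    codec = negotiate(caller_slots, callee_slots)
    return {"codec": codec, "media_kbps": MEDIA_KBPS[codec]}


if __name__ == "__main__":
    # Constructed sample: one side prefers G.729, the other G.711.
    branch = ["g729r8", "g711alaw", None, None]
    head_office = ["g711ulaw", "g711alaw", "g729r8", None]
    print("branch calls head office:", call_plan(branch, head_office))
    print("head office calls branch:", call_plan(head_office, branch))
    try:
        call_plan(["g711alaw", None, None, None], ["g729r8", None, None, None])
    except CallSetupError as err:
        print("call fails:", err)
```

Because the caller's order decides, two sites with mirrored preferences end up on a different codec, and therefore a different bandwidth, depending on which side places the call; aligning the priority lists on both ends avoids that surprise.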

Configuring other parameters of a local number


Select Voice Management > Local Number from the navigation tree, and then click the icon of the
local number to be configured to access the advanced settings configuration page.
Figure 625 Configuring other parameters of the local number

Table 228 Configuration items

Item Description
Number Selection Priority Set the priority of the local number. The smaller the value, the higher the priority.

Dial Prefix Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out.

Called Number Sending Mode
• Send a Truncated Called Number: Send a truncated called number.
• Send All Digits of a Called Number: Send all digits of a called number.
• Send Certain Number of Digits: Send a certain number of digits (extracted from the end of the number) of a called number. The specified value must not be greater than the total number of digits of the called number.

DTMF Transmission Mode
• In-band Transmission: Specify the in-band SIP DTMF transmission mode.
• Out-of-band Transmission: Specify the out-of-band SIP DTMF transmission mode.
• RFC2833: Adopt the DTMF named telephone event (NTE) transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.

DSCP Field Value
• Pre-defined: Set the DSCP value in the ToS field of the IP packets that carry the RTP stream.
• Customized: Enter the customized DSCP value in the Customized field.

VAD Voice activity detection (VAD) discriminates between silence and speech on a voice connection according to signal energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save 50% of the transmission bandwidth.
• Enable.
• Disable.
By default, VAD is disabled.

Configuring advanced settings of a call route


Configuring coding parameters of a call route
Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to access the advanced settings configuration page.

Figure 626 Configuring coding parameters of the call route

For coding parameters configuration items of the call route, see Table 228.

Configuring other parameters for a call route


Select Voice Management > Call Route from the navigation tree, and then click the icon of the call
route to be configured to access the advanced settings configuration page.
Figure 627 Configuring other parameters of the call route

For the configuration items of other parameters of the call route, see Table 228 and Table 229.
Table 229 Configuration items

Item Description
Call Route Selection Priority Set the priority of the call route. The smaller the value, the higher the priority.

The Local End Plays Ringback Tone
• Enable.
• Disable.
By default, the remote end instead of the local end plays ringback tones.

Advanced settings configuration example
Configuring out-of-band DTMF transmission mode for SIP
Network requirements
Two routers work as SIP UAs. After establishing a call connection, the calling and called parties adopt
DTMF SIP out-of-band transmission to make the transmission of DTMF digits more reliable.
Figure 628 Network diagram

Configuration procedure
1. Configure voice basic calling settings.
For detailed configuration, see Configuring direct calling for SIP UAs through the SIP protocol
(configuring static IP address).
2. Configure out-of-band DTMF transmission mode for SIP.
# Configure the out-of-band DTMF transmission mode on Router A for the call route.
a. Select Voice Management > Call Route from the navigation tree, find call route 2222 in the list,
and click its icon to access its advanced settings page.
b. Select Out-of-band Transmission for DTMF Transmission Mode.
c. Click Apply.
Figure 629 Configuring out-of-band DTMF transmission mode

# Configure out-of-band DTMF transmission mode on Router B for the local number.
a. Select Voice Management > Local Number from the navigation tree, find local number 2222
in the list, and click its icon to access the advanced settings page.

b. Select Out-of-band Transmission for DTMF Transmission Mode.
c. Click Apply.
Figure 630 Configuring out-of-band DTMF transmission mode

Verifying the configuration


After a call connection is established, if one side presses the telephone keys, the DTMF digits are transmitted to the other side using out-of-band signaling, and the other side hears short DTMF tones from the handset.

SIP-to-SIP connections

Configuring media parameters for SIP-to-SIP connections
1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured.
The page for configuring SIP-to-SIP connection parameters appears.
Figure 631 Configuring media parameters

3. Configure media parameters for SIP-to-SIP connections as described in Table 230.


Table 230 Configuration items

Item Description
Codec Transparent If the SIP trunk device does not support the codec capability sets supported by the calling and called parties, you can select the Enable option to enable codec transparent transfer on the SIP trunk device. The SIP trunk device transparently transfers codec capability sets between the two parties, and the calling and called parties complete the codec negotiation.
By default, the Disable option is selected.

Codec Transcoding In the scenario where the SIP trunk device controls the results of media capability negotiation, if the SIP trunk device cannot find a common codec for the two parties during negotiation, the two parties fail to establish a call. In this case, you can select the Enable option to enable codec transcoding on the SIP trunk device.
With this function enabled, the SIP trunk device uses its own codec capability set to negotiate with the calling and called parties respectively. If the negotiated codecs with the two parties do not match, the SIP trunk device transcodes the media flows passing through it.
By default, the Disable option is selected.
IMPORTANT:
The codec transcoding feature does not take effect in any of the following cases:
• Codec transcoding is enabled, but no DSP resources are available for codec transcoding.
• Codec transparent transfer is enabled.
• Media flow-around is enabled.

Media Flow Mode Select the media flow mode:
• Around—Enable the media packets to pass directly between two SIP endpoints, without the intervention of the SIP trunk device. The media packets flow around the SIP trunk device.
• Relay—Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets.
By default, the Relay option is selected.

Delayed Offer to Early Offer
• Enable—Enable delayed offer to early offer (DO-EO) conversion on the SIP trunk device.
• Disable—Disable the DO-EO conversion on the SIP trunk device.
By default, the Disable option is selected.

Configuring signaling parameters for SIP-to-SIP connections
1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured.
The page for configuring SIP-to-SIP connection parameters appears.

Figure 632 Configuring signal process

3. Configure signaling parameters for SIP-to-SIP connections as described in Table 231.


Table 231 Configuration items

Item Description
Call-forwarding Signal
• Remote process—The SIP trunk device transparently transfers the SIP messages carrying call forwarding information to the endpoints, and the endpoints perform the call forwarding.
• Local process—The SIP trunk device processes the SIP messages carrying call forwarding information locally.
By default, the Remote option is selected.

Call-transfer Signal
• Remote process—The SIP trunk device transparently transfers the SIP messages carrying call transfer information to the endpoints, and the endpoints perform the call transfer.
• Local process—The SIP trunk device processes the SIP messages carrying call transfer information locally.
By default, the Remote option is selected.

Mid-call Signal
• Remote process—If the session timer mechanism is initiated by the calling party, and the called party also supports this mechanism, you can select this option to enable the called party to process the session update information. Otherwise, the session timer mechanism only works between the calling party and the SIP trunk device. The interval for sending session update requests is negotiated by the endpoints. For more information, see RFC 4028.
• Local process—The SIP trunk device processes the update messages rather than transparently passing them to the peer end.
By default, the Local option is selected.

Configuring dial plans

More requirements on dial plans arise with the wide application of VoIP. A good dial plan should be flexible, reasonable, and operable, and it should help a voice gateway manage numbers in a unified way, making number management more convenient.
The dial plan process on the calling side differs from that on the called side. The following discusses these
two dial plan processes, respectively.

Dial plan process


On the calling side
Figure 633 shows the dial plan operation process on the calling side.
Figure 633 Flow chart for dial plan operation process on the calling side

1. The voice gateway on the calling side replaces the calling and called numbers according to the
number substitution rule on the receiving line.
2. The voice gateway performs global number substitution.
3. The gateway selects proper numbers based on the local number or on call route selection priority
rules and replaces the calling and called numbers.
4. The gateway initiates a call to the called side and sends the calling and called numbers.

On the called side
Figure 634 shows the dial plan operation process on the called side.
Figure 634 Flow chart for dial plan operation process on the called side

1. After receiving a voice call (the called number), the voice gateway on the called side performs
global calling/called number substitution.
2. The voice gateway on the called side selects proper local numbers or call routes based on the local
number or call route selection priority rules. Number substitution may also be involved during the
local number or call route selection. If the called party is a local number, the gateway directly
connects the line. If the called party is a PSTN subscriber, the gateway initiates a call and sends the
calling and called numbers to the PSTN. The PBX in the PSTN connects the call.

Regular expression
You will use some regular expressions frequently when you configure number substitution rules. Regular
expressions are a powerful and flexible tool for pattern matching and substitution. They are not restricted
to a language or system, and have been widely accepted.
When using a regular expression, you must construct a matching pattern according to certain rules, and
then compare the matching pattern with the target object. The simplest regular expressions do not
contain any meta-character. For example, you can specify a regular expression hello, which only
matches the string hello.
To help you construct matching patterns flexibly, regular expressions support some special characters,
called meta-characters, which define the way other characters appear in the target object.
Table 232 Meta-characters

Meta-character Meaning
0-9 Digits 0 through 9.

# and * Each indicates a valid digit.

. Wildcard, which matches any valid digit. For example, 555.... can match any number beginning with 555 and ending in four additional characters.

- Hyphen (connecting element), used to connect two numbers (the smaller comes before the larger) to indicate a range of numbers, for example, 1-9 inclusive.

[] Delimits a range for matching. It can be used together with signs such as !, %, and +. For example, [235-9] indicates one number of 2, 3, and 5 through 9.

() Indicates a sub-expression. For example, (086) indicates the character string 086. It is usually used together with signs such as !, %, and +. For example, (086)!010 can match the two character strings 010 and 086010.

! A control character, indicating that the sub-expression before it appears once or does not appear. For example, (010)!12345678 can match 12345678 and 01012345678.

+ A control character, indicating that the sub-expression before it appears one or more times. However, if a calling number starts with the plus sign, the sign itself has no special meaning and only indicates that the following is an effective number and the whole number is E.164-compliant. For example, 9876(54)+ can match 987654, 98765454, 9876545454, and so on, and +110022 is an E.164-compliant number.

% A control character, indicating that the sub-expression before it appears multiple times or does not appear. For example, 9876(54)% can match 9876, 987654, 98765454, 9876545454, and so on.

The sub-expression (one digit or digit string) before a control character such as !, +, or % can appear the number of times indicated by the control character. For example, (100)+ can match 100, 100100, 100100100, and so on. As soon as any of them is matched, the match is considered an exact match. In the longest match mode, the voice gateway ignores subsequent digits dialed by the subscriber after an exact match.
For the case where the gateway needs to wait for the subscriber to continue dialing after an exact match, see the T mode.
The characters (\) and (|) have special meanings in regular expressions and cannot be used as common characters. The character (\) is an escape character. If you want a control character to represent itself, add the escape character (\) before it. For example, (\+) represents the character (+) itself because (+) is a control character in regular expressions. The character (|) means that the current character (string) is the character (string) on either its left or its right. For example, 0860108888|T means that the current character string is either 0860108888 or T.
T mode: If the character T is in the number set for a local number or call route, the voice gateway waits for more digits until the number exceeds the maximum length or the dial timer expires.
If a number starts with the plus sign (+), be aware of what happens when you use it on a trunk: E&M, R2, and LGS signaling use DTMF, and because the plus sign (+) has no corresponding DTMF tone, the number cannot be transmitted to the called side successfully. DSS1 signaling uses ISDN, so this problem does not exist there. Therefore, avoid using a number that the signaling itself cannot represent. Otherwise, the call fails.
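As an added example that is not part of this guide, the following Python script translates the dial-plan pattern syntax of Table 232 into a standard regular expression and checks dialed numbers against it. The mapping of each meta-character is an assumed reading of the table, the handling of T as "any further digits" is an assumption, and the entity IDs and patterns are constructed sample data.

```python
import re

# A dial-plan "valid digit" is 0-9, # or * (Table 232).
VALID_DIGIT = "[0-9#*]"


def dialplan_to_regex(pattern: str) -> str:
    """Translate a dial-plan number pattern (Table 232 syntax) to a Python regex.

    Mapping (an assumed reading of the table, not the router's own code):
      .  any valid digit        !  zero or one occurrence      %  zero or more
      +  one or more, except that a + starting the number is the literal E.164 prefix
      \\  the next character stands for itself
      |  alternation; [] () - ^ $ keep their usual meaning; # and * are literal digits
      T  wait-for-more-digits marker, modelled here as "any further digits"
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escape: \+ means the + character itself
            if i + 1 == len(pattern):
                raise ValueError("dangling escape at end of pattern")
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == ".":
            out.append(VALID_DIGIT)
        elif ch == "!":
            out.append("?")
        elif ch == "%":
            out.append("*")
        elif ch == "+":
            # A plus sign at the start (or right after the ^ anchor) is part of the number.
            leading = i == 0 or pattern[i - 1] == "^"
            out.append(r"\+" if leading else "+")
        elif ch == "*":
            out.append(r"\*")               # a digit in the dial plan, not a quantifier
        elif ch == "T":
            out.append(VALID_DIGIT + "*")   # T mode: any further digits are accepted
        elif ch in "0123456789#[]()-|^$":
            out.append(ch)                  # same meaning in both notations
        else:
            raise ValueError(f"unsupported character {ch!r} in pattern {pattern!r}")
        i += 1
    return "".join(out)


def match_number(pattern: str, number: str) -> bool:
    """True when the whole dialed number matches the dial-plan pattern."""
    return re.fullmatch(dialplan_to_regex(pattern), number) is not None


def matching_entities(entities: dict, number: str) -> list:
    """IDs of configured local numbers / call routes whose pattern matches number.

    `entities` maps an entity ID to its configured number pattern (constructed sample).
    """
    return [eid for eid, pat in entities.items() if match_number(pat, number)]


if __name__ == "__main__":
    # Constructed sample: patterns from Table 232 with strings the table says they match.
    checks = [
        ("555....", "5551234", True), ("555....", "555123", False),
        ("[235-9]", "7", True), ("[235-9]", "4", False),
        ("(086)!010", "010", True), ("(086)!010", "086010", True),
        ("9876(54)+", "98765454", True), ("9876(54)+", "9876", False),
        ("9876(54)%", "9876", True),
        ("(\\+)", "+", True), ("+110022", "+110022", True),
        ("0860108888|T", "0860108888", True), ("0860108888|T", "01012345", True),
    ]
    for pat, num, expected in checks:
        got = match_number(pat, num)
        status = "ok" if got == expected else "MISMATCH"
        print(f"{pat:14} {num:12} {'match' if got else 'no match':9} {status}")
    print(matching_entities({2000: "20001234$", 2001: "200012341234$"}, "20001234"))
```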

Dial plan functions
Number match
Dial terminator
In areas where variable-length numbers are used, you can specify a character as the dial terminator so
that the voice gateway can dial out the number before the dialing interval expires. The dial terminator
identifies the end of a dialing process, and a call connection is established based on the received digits
when the dial terminator is received. The voice gateway does not wait for further digits even if the longest
match mode has been globally configured.

Maximum number of local numbers or call routes found before a search process stops
This function enables you to define the maximum number of qualified local numbers or call routes to be found before a search process stops. Even if more local numbers or call routes meet the call requirements than the defined maximum, the system matches only against the local numbers or call routes found within the configured maximum.

Number match mode


You can specify a match mode, either longest match or shortest match.
For example, you have configured two destination numbers 0106688 and 01066880011 on the device
respectively.
When a subscriber dials 01066880011:
• If the device is configured to use the shortest match mode, the dialed number matches 0106688.
That is, the device establishes a call connection to 0106688 at the remote end, without processing
the last four digits 0011.
• If the device is configured to use the longest match mode, the dialed number will match
01066880011. That is, the device establishes a call connection to 01066880011 at the remote end.
When a subscriber dials 0106688:
• If the device is configured to use the shortest match mode, it matches 0106688.
• If the device is configured to use the longest match mode, it waits for further digits. After the dial
timer expires, the device ignores the configured longest match mode, and uses shortest match mode
automatically to establish a call connection.
When a subscriber dials 0106688#, if you configure the longest match mode and a dial terminator of
a pound sign (#) on the device, the device ignores the configured longest match mode and uses shortest
match mode to establish a call connection.
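The following Python simulation is an added example, not the router's code. It models shortest match, longest match, dial-timer expiry and the dial terminator for the two literal destination numbers used above, including the Table 233 case of a leading # that starts a configured number; the exact waiting behaviour is an assumed reading of this section.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NumberMatcher:
    """Simulates the number match modes of this section for literal destination numbers.

    Assumed model (constructed from the text, not the router's implementation):
    shortest match places the call as soon as the dialed digits equal a configured
    number; longest match keeps waiting while a longer configured number could still
    be completed and falls back to shortest match when the dial timer expires or the
    dial terminator is received.
    """
    destinations: List[str]              # configured local numbers / call route numbers
    longest_match: bool = False          # False = shortest match (the default)
    terminator: Optional[str] = None     # e.g. "#"; None = no dial terminator configured
    dialed: str = field(default="", init=False)
    placed: Optional[str] = field(default=None, init=False)  # number the call went to
    finished: bool = field(default=False, init=False)        # decision taken (success or fail)

    def _exact(self) -> Optional[str]:
        return self.dialed if self.dialed in self.destinations else None

    def _can_extend(self) -> bool:
        # A longer configured number is still reachable from the digits dialed so far.
        return any(d != self.dialed and d.startswith(self.dialed) for d in self.destinations)

    def press(self, key: str) -> Optional[str]:
        """Feed one key; return the destination once the call is placed, else None."""
        if self.finished:
            return self.placed              # later digits are ignored, as the text says
        if key == self.terminator:
            # Table 233: a # or * that starts a configured number is a digit, not a terminator.
            starts_a_number = self.dialed == "" and any(
                d.startswith(key) for d in self.destinations)
            if not starts_a_number:
                return self.timeout()       # terminator ends dialing: decide now
        self.dialed += key
        matched = self._exact()
        if matched is not None and not (self.longest_match and self._can_extend()):
            self.placed, self.finished = matched, True
        return self.placed

    def timeout(self) -> Optional[str]:
        """Dial timer expiry (or terminator): shortest match on the digits so far."""
        if not self.finished:
            self.placed, self.finished = self._exact(), True
        return self.placed                  # None: no configured number matched, call fails

    def dial(self, keys: str, timer_expires: bool = True) -> Optional[str]:
        """Dial a whole key sequence; None means no call was placed."""
        for key in keys:
            self.press(key)
            if self.finished:
                return self.placed
        return self.timeout() if timer_expires else None


if __name__ == "__main__":
    numbers = ["0106688", "01066880011"]       # the two destination numbers above
    print(NumberMatcher(numbers).dial("01066880011"))                        # 0106688
    print(NumberMatcher(numbers, longest_match=True).dial("01066880011"))    # 01066880011
    print(NumberMatcher(numbers, longest_match=True).dial("0106688"))        # 0106688 after timer
    print(NumberMatcher(numbers, longest_match=True, terminator="#").dial("0106688#"))
```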

Number match policy


A number match policy can be in either service-first mode or number-first mode.
If the number-first mode is applied, a dialed number matches first against numbers and then local service
numbers or the service feature codes (when the service feature switch is enabled). For example, if a local
service feature number is *40*1234 and the number *40 is configured for a local number or call route,
*40*1234 dialed by a subscriber first matches the number *40 (*40 is dialed out as the called number),
and the local service corresponding to the local service code *40*1234 is not triggered.

Entity type selection priority rules
You can configure the priorities for different types of entities. When multiple local numbers or call routes
are qualified for a call connection, the system selects a suitable local number or call route whose entity
type has the highest priority.

Match order of number selection rules


You can configure the match order of local number or call route selection rules. The system selects a local
number or call route according to the configured rules, which include exact match, priority, random
selection, and longest idle time.
The match order of rules determines the application sequence of the rules:
• If there are multiple rules, the system first selects a local number or call route according to the first
rule.
• If the first rule cannot decide which local number or call route should be selected, the system applies
the second rule. If the second rule still cannot decide a local number or call route, the system applies
the third rule.
• If all the rules cannot decide which local number or call route should be selected, the system selects
a local number or call route with the smallest ID.
• The random selection rule always produces a decision, so no selection conflict remains after it is applied. Therefore, the random selection rule can only be the last rule in the match order or the only rule.
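An added example that is not from this guide: it applies the selection rules in a configured order, falls back to the smallest ID when every rule ties, and rejects an order in which random selection is not the last rule. The VoiceEntity fields and the left-to-right digit count used for the exact match rule are assumptions.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class VoiceEntity:
    """A local number or call route already qualified for the call (constructed sample)."""
    entity_id: int
    number: str            # configured number; a trailing T means "variable length"
    priority: int = 0      # 0 (highest) to 10 (lowest), as in Table 233
    idle_seconds: int = 0  # time since the entity last carried a call


def exact_match_score(entity: VoiceEntity, dialed: str) -> int:
    """Digits of the configured number matching the dialed number, left to right.

    Assumed reading of the 'exact match' rule: counting stops at the first character
    that does not match literally (a wildcard such as T never matches literally).
    """
    score = 0
    for configured, got in zip(entity.number, dialed):
        if configured != got:
            break
        score += 1
    return score


def _keep_best(cands: List[VoiceEntity], key, best) -> List[VoiceEntity]:
    """Keep every candidate whose key equals the best key (ties survive the rule)."""
    top = best(key(e) for e in cands)
    return [e for e in cands if key(e) == top]


def apply_rule(rule: str, cands: List[VoiceEntity], dialed: str,
               rng: random.Random) -> List[VoiceEntity]:
    if rule == "exact match":
        return _keep_best(cands, lambda e: exact_match_score(e, dialed), max)
    if rule == "priority":
        return _keep_best(cands, lambda e: e.priority, min)   # smaller value = higher priority
    if rule == "longest idle time":
        return _keep_best(cands, lambda e: e.idle_seconds, max)
    if rule == "random selection":
        return [rng.choice(cands)]                            # always decides
    raise ValueError(f"unknown rule {rule!r}")


def select_entity(candidates: Sequence[VoiceEntity], dialed: str,
                  order: Sequence[str] = ("exact match", "priority", "random selection"),
                  seed: Optional[int] = None) -> VoiceEntity:
    """Apply the rules in order until one candidate is left; final tie-break is the smallest ID."""
    if not 1 <= len(order) <= 3:
        raise ValueError("one to three rules form the match order")
    if "random selection" in order and order.index("random selection") != len(order) - 1:
        raise ValueError("random selection always decides, so it can only be the last rule")
    rng = random.Random(seed)
    remaining = list(candidates)
    for rule in order:
        if len(remaining) == 1:
            break
        remaining = apply_rule(rule, remaining, dialed, rng)
    return min(remaining, key=lambda e: e.entity_id)


if __name__ == "__main__":
    # Constructed sample: three entities all qualified for the dialed number 20001234.
    entities = [VoiceEntity(1, "2000T", priority=3, idle_seconds=10),
                VoiceEntity(2, "20001234", priority=5, idle_seconds=50),
                VoiceEntity(3, "20001234", priority=5, idle_seconds=20)]
    print(select_entity(entities, "20001234", ("exact match", "priority", "longest idle time")))
    print(select_entity(entities, "20001234", ("priority",)))
    print(select_entity(entities, "20001234", seed=1))   # default order, random decides 2 vs 3
```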

Call control
Call authority control
To configure call authority control, assign subscriber numbers to a number group, and then bind the
group, which has authorities configured, to a local number or call route.
When a subscriber originates a call that matches a local number or call route that is bound to a number group, the system compares the calling number with each number in the number group. If a match is found, the call is permitted. Otherwise, the system finds the next matching local number or call route until the call is permitted or denied. For related configurations of this function, see Configuring a number group.

Maximum-call-connection set
You can limit the total call connections for local numbers or call routes according to the network scale to
control communication traffic. You can bind a local number or call route to a maximum-call-connection
set. After that, the number of call connections of the local number or call route is restricted.

Number substitution
A number substitution rule list defines some number substitution methods. It can be used wherever
number substitution is necessary. There is no limitation on where and how many times it is used. Therefore,
a number substitution rule list may be bound globally and bound to different local numbers/call routes
and lines.
The characteristics of global calling/called number substitution or calling/called number substitution on
local numbers/call routes and lines are as follows:

• Global number substitution—The voice gateway substitutes calling and called numbers of all
incoming and outgoing calls according to the number substitution rules configured in dial program
view. Multiple number substitution rule lists can be bound for global calling and called number
substitution of incoming and outgoing calls. If there is no match in the first number substitution rule
list, the voice gateway matches against other number substitution rule lists.
• Number substitution on local numbers or call routes—The voice gateway substitutes the calling and
called numbers based on the number substitution rule lists bound to local numbers or call routes.
• Number substitution on a specific line—The voice gateway substitutes the calling and called
numbers of incoming calls based on the number substitution rules configured on the receiving line.

Configuring dial plan


Configuring number match
Select Voice Management > Dial Plan > Number Match from the navigation tree to access the number
match configuration page, as shown in Figure 635.
Figure 635 Number match configuration page

Table 233 Configuration items

Item Description
Dial Terminator Configure a special character as the dial terminator for variable-length telephone numbers.
If you set the character to # or *, and the first character of a configured local number or call route is the same character (# or *), the device takes that first character as a common number rather than a dial terminator.
By default, no dial terminator is configured.

Max Count of Numbers Found before Search Stops Set the maximum number of local numbers or call routes found before a search process stops.

Number Match Mode
• Longest Number Match—Matches the longest number.
• Shortest Number Match—Matches the shortest number.
By default, the shortest-number match mode is adopted.

Number Match Policy
• Specify service first.
• Specify number first.

Select Based on Voice Entity Type / Selection Sequence Select the Enable option; the sequence of the voice entities in the Selection Sequence box then determines the match order, and you can click the Up and Down buttons to move a voice entity.
By default, entities are not selected by type.
The Web interface does not support the configuration of VoFR entities.

First Rule in the Match Order / Second Rule in the Match Order / Third Rule in the Match Order
• Exact match—The more digits of a digit string are matched from left to right, the higher the precision is. The system stops using the rule once a digit cannot be matched uniquely.
• Priority—Number priorities are divided into 11 levels numbered from 0 to 10. The smaller the value is, the higher the priority is. That means level 0 has the highest priority.
• Random selection—The system selects at random a number from a set of qualified numbers. After the random selection rule is applied, there are no number selection conflicts. The random selection rule can only serve as a rule with the lowest priority or serve as a unique rule separately.
• Longest idle time—The longer the voice entity is idle, the higher the priority is.
You can select one to three rules to form a sequence. The voice gateway first selects a number according to the first rule. If the voice gateway fails to decide which number should be selected according to the first rule, it applies the second rule, and so on.
By default, the match order of rules for number selection is exact match -> priority -> random selection.

Configuring call control


Configuring a number group
When you configure call control, first configure a number group and numbers in the group, and then
bind the local numbers, call routes, or IVR numbers to the number group.
1. Add a number group:
a. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree.
The number group page appears.

Figure 2 Number group page

b. Click Add.
The number group configuration page appears.
Figure 2 Number group configuration page

c. Configure the number group as described in Table 233.


d. Click Apply.

Table 2 Configuration items

Item Description
Group ID Specify the ID of the number group.

Description Specify the description of the number group.

Numbers in the Group Enter the subscriber numbers to be added to the group in the Add field. You can add a number by clicking Add.

2. Bind local numbers to the call number group:


a. Click Not Bound in the Local Numbers Bound column on the Number Group tab page.
The local call number binding page appears.

Figure 3 Local number binding page

b. Configure local number binding as described in Table 3.


c. Click the box in front of the ID column, and click Apply.
Table 3 Configuration items

Item Description
Binding Mode
• Permit the calls from the number group.
• Deny the calls from the number group.

A local number can be bound to multiple number groups in the same binding mode, that is, a local
number can either permit or deny the calls from bound number groups.
3. Bind call routes to the call number group:
Click Not Bound in the Call Routes Bound column on the Number Group tab page to access the call
route binding page.
The configuration of call route binding is similar to that of local number binding, and is not shown.
A call route can be bound to multiple number groups in the same binding mode, that is, a call route
can either permit or deny the calls from bound number groups.
4. Bind IVR numbers to the call number group:
Click Not Bound in the IVR Numbers Bound column on the Number Group tab page to access the
IVR number binding page.
The configuration of IVR number binding is similar to that of local number binding. Therefore, it is
not included here.

Configuring a max-call-connection set


When you configure a max-call-connection set, first configure a max-call-connection set and specify the
maximum number of call connections in this set, and then bind the local numbers, call routes, or IVR
numbers to the max-call-connection set.
1. Add a max-call-connection set:
a. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree.
b. Click the Max-Call-Connection Set tab.
The max-call-connection set configuration page appears.

Figure 2 Max-call-connection set page

c. Click Add to access the Max-Call-Connection Set Configuration page as shown in Figure 3.
Figure 3 Max-call-connection set configuration page

Table 2 Configuration items

Item Description
Connection Set ID Specify the ID of the max-call-connection set.

Max Number of Call Connections in the Set Specify the maximum number of call connections in the max-call-connection set.

2. Bind local numbers to a max-call-connection set:
a. Click Not Bound in the Local Numbers Bound column to access the local call number binding page shown in Figure 4.
Figure 4 Local number binding page

b. Click the box in front of the ID column, and then click Apply to complete local number binding.
3. Bind call routes to a max-call-connection set:
Click Not Bound in the Call Routes Bound column to access the call route binding page.
The configuration of call route binding is similar to that of local number binding, and is not shown.
4. Bind IVR numbers to a max-call-connection set:
Click Not Bound in the IVR Numbers Bound column to access the IVR number binding page.

The configuration of IVR number binding is similar to that of local number binding. Therefore, it is
not included here.

Configuring number substitution


When you configure number substitution, first add a number substitution list, and then bind the list globally or to local numbers, call routes, or lines.
1. Add a number substitution list:
a. Select Voice Management > Dial Plan > Number Substitution from the navigation tree to access the number substitution list page, as shown in Figure 636.
Figure 636 Number substitution list page

b. Click Add to access the number substitution configuration page.

Figure 637 Number substitution configuration page

c. Add a number substitution list as described in Table 234.
d. Click Apply.

Table 234 Configuration items

Item Description
Number Substitution Rule List ID Specify the ID of the number substitution rule list.

Dot Match Rule
• End-Only—Reserve the digits to which all ending dots (.) in the input number correspond.
• Left-to-Right—Reserve from left to right the digits to which the dots in the input number correspond.
• Right-to-Left—Reserve from right to left the digits to which the dots in the input number correspond.
By default, the dot match rule is End-Only.
The dots here are virtual match digits. Virtual match digits are those matching the variable part, such as ., +, %, !, and [], of a regular expression. For example, when 1255 is matched with the regular expression 1[234]55, the virtual match digit is 2; when it is matched with the regular expression 125+, the virtual match digit is 5; and when it is matched with the regular expression 1..5, the virtual match digits are 25.

Rule ID Specify the ID of the number substitution rule.

Input Number Specify the input number involved in number substitution, in the format [ ^ ] [ + ] input number [ $ ], up to 31 characters. The signs are explained as follows:
• ^—Caret. The match begins with the first character of a number string. That is, the device begins with the first character of the match string to match a user number.
• +—Plus sign. The sign itself does not have special meanings. It only indicates that the following string is an effective number and the number is E.164-compliant.
• $—Dollar sign. It indicates that the last character of the match string must be matched. That is, the last digit of a user number must match the last character of the match string.
• string—String consisting of characters such as 0 to 9, #, *, ., !, and %.

Output Number Specify the output number involved in number substitution, in the format ^(+)![0-9#*.]+$.

Input Number Type / Output Number Type Specify the types of the input number and output number involved in number substitution.

Input Numbering Plan / Output Numbering Plan Specify the input and output numbering plans involved in number substitution.

Applied First (only one rule can be applied first) Set the preferred number substitution rule of the current number substitution rule list.
In a voice call, the system first uses the preferred number substitution rule for number substitution. If this rule fails to apply or is not configured, it tries all other rules in order until one of them applies or none does.
During a number substitution process there may be multiple rules, but only one of them can be set as the preferred one. The latest configuration overwrites the previous one.
By default, this function is disabled.

Add a Rule Save the configured rule.

2. Bind a number substitution list globally or to local numbers, call routes, or lines:
Click Not Bound in the Global Binding, Local Numbers Bound, Call Routes Bound, or Bound Line column to access the corresponding binding page.
The configuration of these bindings is similar to that of local number binding in call control. Therefore, it is not included here.

Dial plan configuration examples


Configuring number match mode
Network requirements
As shown in Figure 638, configure different number match modes for calls from Telephone A to
Telephone B and Telephone C.
Figure 638 Network diagram

Configuration procedure
1. Shortest number match
a. Configure Router A:
# Add a local number: specify the number ID as 1000, the number as 10001234$, and the
bound line as line 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$,
and the destination address as 1.1.1.2 on the call route configuration page.
# Add a call route: specify the call route ID as 2001, the destination number as
200012341234$, and the destination address as 1.1.1.2 on the call route configuration
page.
b. Configure Router B:
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the
bound line as 1/0 on the local number configuration page.
# Add a local number: specify the number ID as 2001, the number as 200012341234$, and
the bound line as 1/1 on the local number configuration page.
When you dial number 20001234 at Telephone A, the number 20001234 matches call route
2000, and Telephone B is alerted because the device adopts the shortest match mode by default.

2. Longest number match
a. Configure Router A: select Voice Management > Dial Plan > Number Match from the
navigation tree to access the number match configuration page, as shown in Figure 639.
Figure 639 Number match mode configuration page

b. Select Longest Number Match for Number Match Mode.
c. Click Apply.
After you dial number 20001234 at Telephone A and wait for some time (during this period, you
can continue dialing), the dialed number 20001234 matches call route 2000 and Telephone B is
alerted.
If you continue to dial 1234 during that period, the dialed number 200012341234 matches call
route 2001 and Telephone C is alerted.
3. Dial terminator
a. Configure Router A: select Voice Management > Dial Plan > Number Match from the
navigation tree to access the dial terminator configuration page, as shown in Figure 640.
b. Type # for Dial Terminator.
c. Click Apply.

Figure 640 Dial terminator configuration page

After you dial 20001234# at Telephone A, the number immediately matches call route 2000 and
Telephone B is alerted.
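The three match modes above can be hard to picture from the click-through alone. The following Python model is an added example, not code from this guide or from H3C: it collects dialed keys one by one against the two call routes of the example (2000 with 20001234$ and 2001 with 200012341234$) and shows which route is selected, and after how many digits, in shortest match mode, in longest match mode, and with a dial terminator. The function names (dial, first_match, to_regex) are the example's own, and the inter-digit timer of the router is simulated by the end of the key string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CallRoute:
    route_id: int
    pattern: str  # dial-plan pattern: digits, '.' (any one digit), '+' (repeat), '$' (end of number)


# Call routes from the number match mode example (constructed from the page's values).
ROUTES: List[CallRoute] = [
    CallRoute(2000, "20001234$"),
    CallRoute(2001, "200012341234$"),
]


def to_regex(pattern: str) -> str:
    """Translate a dial-plan pattern into a Python regex.

    '.' means any single digit and '$' anchors the end of the number. A pattern without
    '$' matches any number that starts with it (more digits may still be dialed)."""
    return pattern.replace(".", "[0-9]")


def first_match(routes: List[CallRoute], number: str) -> Optional[int]:
    """ID of the first route whose pattern matches the digits collected so far, else None."""
    for route in routes:
        if re.match(to_regex(route.pattern), number):
            return route.route_id
    return None


def dial(routes: List[CallRoute], keys: str, mode: str = "shortest",
         terminator: Optional[str] = None) -> Optional[Tuple[int, str]]:
    """Simulate digit collection on the router.

    mode="shortest": the call is placed as soon as the digits collected so far match a route.
    mode="longest":  digits are collected until the inter-digit timer expires (here: the end
                     of `keys`) and only then matched, so a longer number can still be dialed.
    terminator:      when this key arrives (for example '#'), matching happens immediately
                     on the digits collected so far, without waiting for the timer.
    Returns (route_id, digits_used) or None when nothing matched."""
    if mode not in ("shortest", "longest"):
        raise ValueError(f"unknown match mode {mode!r}")
    collected = ""
    for key in keys:
        if terminator is not None and key == terminator:
            hit = first_match(routes, collected)
            return (hit, collected) if hit is not None else None
        collected += key
        if mode == "shortest":
            hit = first_match(routes, collected)
            if hit is not None:
                return hit, collected  # call placed now; later keys are ignored
    # Inter-digit timer expired: match whatever has been collected.
    hit = first_match(routes, collected)
    return (hit, collected) if hit is not None else None


if __name__ == "__main__":
    print(dial(ROUTES, "200012341234", mode="shortest"))            # (2000, '20001234')
    print(dial(ROUTES, "200012341234", mode="longest"))             # (2001, '200012341234')
    print(dial(ROUTES, "20001234#", mode="longest", terminator="#"))  # (2000, '20001234')
```

In shortest mode the extra digits 1234 never reach route 2001 because Telephone B is already being alerted after the eighth digit; longest mode defers the decision to the timer, and the terminator gives the caller a way to end the wait early.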

Configuring the match order of number selection rules


Network requirements
As shown in Figure 641, configure different number selection rule match orders for calls from Telephone
A to Telephone B.
Figure 641 Network diagram

Configuring Router A
1. Add a local number:
Specify the number ID as 1000, the number as 10001234$, and the bound line as 1/0 on the
local number configuration page.
2. Add a call route:
Specify the call route ID as 2000, the destination number as 20001234$, and the destination
address as 1.1.1.2 on the call route configuration page.
3. Configure call route selection priority:
a. Select Voice Management > Call Route from the navigation tree to access the call route list
page.
b. Find the call route with the ID of 2000 in the list, and click its corresponding icon to access
the advanced setting page.
c. Select 10 from the Call Route Selection Priority list.
d. Click Apply.

Figure 642 Call route selection priority configuration page

4. Add a call route:


Specify the call route ID as 2001, the destination number as 2000123.$, and the destination
address as 1.1.1.2 on the call route configuration page.
5. Configure the call route:
a. Select Voice Management > Call Route from the navigation tree to access the call route list
page.
b. Find the call route with the ID of 2001 in the list, and click its corresponding icon to access
the advanced setting page.
c. Select 5 from the Call Route Selection Priority list.
d. Click Apply.

Figure 643 Call route selection priority configuration page

6. Add a call route:

Specify the call route ID as 2002, the destination number as 2000....$, and the destination
address as 1.1.1.2 on the call route configuration page.

Configuring Router B
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.

Configuring the match order of number selection rules


The first rule is exact match, the second rule is priority, and the third rule is random selection.
Configure Router A:
1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
page for configuring the match order of number selection rules, as shown in Figure 644.
Figure 644 Match order of number selection rules configuration page

2. Select Exact Match from the First Rule in the Match Order list.
3. Select Priority from the Second Rule in the Match Order list.
4. Select Random Selection from the Third Rule in the Match Order list.
5. Click Apply.
After you dial number 20001234 at Telephone A, the number matches call route 2000.

Configuring the match order of number selection rules


The first rule is priority, the second rule is exact match, and the third rule is random selection.
Configure Router A:
1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
page for configuring the match order of number selection rules.

Figure 645 Match order of number selection rules configuration page

2. Select Priority from the First Rule in the Match Order list.
3. Select Exact Match from the Second Rule in the Match Order list.
4. Select Random Selection from the Third Rule in the Match Order list.
5. Click Apply.
After you dial number 20001234 at Telephone A, the number matches call route 2002.

Configuring the number selection rule as random selection


Configure Router A:
1. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
page for configuring the match order of number selection rules.
Figure 646 Match order of number selection rules configuration page

2. Select Random Selection from the First Rule in the Match Order list.
3. Click Apply.

After you dial number 20001234 at Telephone A, the number matches call route 2000, 2001, or 2002
at random.

Configuring entity type selection priority rules


Network diagram
As shown in Figure 647, there are an IP connection and a PRI connection between Router A and Router
B. Configure different entity type selection priority rules for calls from Telephone A to Telephone B.
Figure 647 Network diagram

Configuring Router A
1. Select Voice Management > Digital Link Management from the navigation tree to access the digital
link list page.
2. Find the digital link VE1 5/0 in the list, and click its corresponding icon to access the E1
parameters configuration page.

Figure 648 E1 parameters configuration page

3. Select PRI Trunk Signaling for Working Mode.
4. Select Internal for TDM Clock Source. (Internal is the default setting.)
5. Select Network Side Mode for ISDN Working Mode.
6. Click Apply.
# Add a local number: specify the number ID as 1000, the number as 10001234$, and the
bound line as 1/0 on the local number configuration page.
# Add a call route: specify the call route ID as 1001, the destination number as 20001234$, and
the trunk route line as 5/0:15 on the call route configuration page. In addition, you need to select
the Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Add a call route: specify the call route ID as 2000, the destination number as 20001234$, and
the destination address as 1.1.1.2 on the call route configuration page.

Configuring Router B
Select Voice Management > Digital Link Management from the navigation tree to access the digital link
list page. Find the digital link VE1 5/0 in the list, and click its corresponding icon to access the E1
parameters configuration page.
Figure 649 E1 parameters configuration page

• Select PRI Trunk Signaling for Working Mode.
• Select User Side Mode for ISDN Working Mode. (User Side Mode is the default setting.)
• Select Line for TDM Clock Source.
• Click Apply.
# Add a local number: specify the number ID as 2000, the number as 20001234$, and the bound line
as 1/0 on the local number configuration page.

Configuring the system to first select VoIP entity


Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
access the number match configuration page.

Figure 650 Entity type selection priority rule configuration page (1)

• Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the second
is POTS, the third is VoFR, and the last is IVR.
• Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 2000 (VoIP entity).

Configuring the system to first select POTS entity


Configure Router A. Select Voice Management > Dial Plan > Number Match from the navigation tree to
access the number match configuration page.
Figure 651 Entity type selection priority rule configuration page (2)

• Configure the order of the voice entities in the Selection Sequence box: the first is POTS, the second
is VoIP, the third is VoFR, and the last is IVR.
• Click Apply.
After you dial 20001234 at Telephone A, the number matches call route 1001 (POTS entity).
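The match order examples (exact match, priority, random selection) and the entity type selection examples above both answer the same question: when several call routes match a dialed number, which one carries the call? The following Python model is an added example, not code from this guide or from H3C, and covers both. It assumes, consistent with the results stated on the page (call route 2002 with the default priority wins over 5 and 10), that a lower Call Route Selection Priority value wins and that the default is 0; it also assumes that the entity type selection sequence is applied before the match order rules. The names CallRoute, select_route, MATCH_ORDER_ROUTES and ENTITY_ROUTES are the example's own.

```python
import random
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class CallRoute:
    route_id: int
    pattern: str        # destination number pattern: '.' is one digit, '$' is the end of the number
    entity_type: str    # "voip", "pots", "vofr" or "ivr"
    priority: int = 0   # Call Route Selection Priority (assumption: lower value wins, 0 is the default)


# Routes from the match order example: 2000 and 2001 were given priorities 10 and 5,
# 2002 keeps the default.
MATCH_ORDER_ROUTES = [
    CallRoute(2000, "20001234$", "voip", priority=10),
    CallRoute(2001, "2000123.$", "voip", priority=5),
    CallRoute(2002, "2000....$", "voip"),
]

# Routes from the entity type example: 1001 goes out over the PRI trunk (POTS), 2000 over IP (VoIP).
ENTITY_ROUTES = [
    CallRoute(1001, "20001234$", "pots"),
    CallRoute(2000, "20001234$", "voip"),
]


def matches(route: CallRoute, number: str) -> bool:
    """'.' is translated to one digit; '$' keeps its regex meaning (end of the number)."""
    return re.match(route.pattern.replace(".", "[0-9]"), number) is not None


def is_exact(route: CallRoute, number: str) -> bool:
    """Exact match: the pattern contains no wildcards and spells out the dialed number."""
    return route.pattern.rstrip("$") == number


def select_route(routes: Iterable[CallRoute], number: str,
                 match_order: Sequence[str] = ("exact", "priority", "random"),
                 entity_order: Optional[Sequence[str]] = None,
                 rng: Optional[random.Random] = None) -> Optional[int]:
    """Return the ID of the route chosen for `number`, or None if nothing matches.

    1. Keep every route whose pattern matches the number.
    2. With an entity type selection sequence, keep only the routes of the most preferred
       type present (assumption: the type sequence is applied before the match order rules).
    3. Apply the match order rules in turn. Each rule narrows the candidates; a rule that
       leaves none is skipped; the first rule that leaves one candidate decides. If the
       rules still leave several, the first configured candidate is used."""
    rng = rng or random.Random()
    candidates = [r for r in routes if matches(r, number)]
    if not candidates:
        return None
    if entity_order:
        for etype in entity_order:
            typed = [r for r in candidates if r.entity_type == etype]
            if typed:
                candidates = typed
                break
    for rule in match_order:
        if len(candidates) == 1:
            break
        if rule == "exact":
            narrowed = [r for r in candidates if is_exact(r, number)]
        elif rule == "priority":
            best = min(r.priority for r in candidates)
            narrowed = [r for r in candidates if r.priority == best]
        elif rule == "random":
            narrowed = [rng.choice(candidates)]
        else:
            raise ValueError(f"unknown match rule {rule!r}")
        if narrowed:
            candidates = narrowed
    return candidates[0].route_id


if __name__ == "__main__":
    print(select_route(MATCH_ORDER_ROUTES, "20001234", ("exact", "priority", "random")))  # 2000
    print(select_route(MATCH_ORDER_ROUTES, "20001234", ("priority", "exact", "random")))  # 2002
    print(select_route(ENTITY_ROUTES, "20001234", entity_order=("voip", "pots", "vofr", "ivr")))  # 2000
    print(select_route(ENTITY_ROUTES, "20001234", entity_order=("pots", "voip", "vofr", "ivr")))  # 1001
```

Because each rule only narrows the candidate set, the order in which the rules are configured decides the outcome: with exact match first, the route whose pattern spells out the full number wins before priorities are compared; with priority first, the exact pattern never gets a say.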

Configuring call authority control
Network requirements
As shown in Figure 652, Router A, Router B, and Router C are located at place A, place B, and place C,
respectively. They are all connected to the SIP server to allow subscribers to make SIP calls. When VoIP
links fail for some reason, the PSTN links that back up the VoIP links are brought up automatically.
It is required that subscribers whose telephone numbers begin with 1100 at place A can originate
calls to place B, while subscribers whose telephone numbers begin with 1200 can originate calls to
both place B and place C.
Figure 652 Network diagram

Diagram summary: at place A, Router A and a PBX serving numbers 110000 to 110099 (1100..) and 120000 to 120099 (1200..); at place B, Router B and a PBX serving 2100 and 2200; at place C, Router C and a PBX serving 3100 and 3200. The three routers connect to the SIP server over the IP network, and each place also connects to a PSTN central office.
Configuring Router A
# Configure two number groups.
Configure Router A. Select Voice Management > Dial Plan > Call Authority Control from the navigation
tree, and then click Add to access the number group configuration page.
Figure 653 Number group configuration page

1. Type 1 for Group ID.

2. Type 1100.. for Numbers in the Group.
3. Click Add to add numbers into the group.
4. Click Apply.
Enter the number group configuration page again to add another number group:
5. Type 2 for Group ID.
6. Type 1200.. for Numbers in the Group.
7. Click Add to add numbers into the group.
8. Click Apply.
# Add a call route for place B: specify the call route ID as 2000, the destination number as 2..., and use
a proxy server for SIP routing on the call route configuration page.
# Add a call route for place C: specify the call route ID as 3000, the destination number as 3..., and use
a proxy server for SIP routing on the call route configuration page.
# Add a call route for place B: specify the call route ID as 2100, the destination number as 2..., and the
trunk route line as 5/0:15 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number option in the Called Number Sending Mode area when you configure the
advanced settings of this call route.
# Add a call route for place C: specify the call route ID as 3100, the destination number as 3..., and
the trunk route line as 5/1:15 on the call route configuration page. In addition, you need to select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Bind a call route to number group 1 so that subscribers whose telephone numbers begin with
1100 at place A can originate calls to place B.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to access the
page as shown in Figure 654.
Figure 654 Binding call route configuration page (I)

Click Not Bound in the Call Routes Bound column to access the call route binding page of number group
1.

Figure 655 Call route binding page (1)

9. Select Permit the calls from the number group for Binding Mode.
10. Select the box of call route 2100.
11. Click Apply.
# Bind call routes to number group 2 so that subscribers whose telephone numbers begin
with 1200 can originate calls to both place B and place C.
Select Voice Management > Dial Plan > Call Authority Control from the navigation tree to access the
page as shown in Figure 656.
Figure 656 Binding call route configuration page (2)

Click Not Bound in the Call Routes Bound column to access the call route binding page of number group
2.

Figure 657 Call route binding page (II)

12. Select Permit the calls from the number group for Binding Mode.
13. Select the checkboxes of call routes 2100 and 3100.
14. Click Apply.

Configuring Router B
Add a call route:
1. Specify the call route ID as 2100, the destination number as 2..., and the trunk route line as
1/0:15 on the call route configuration page.
2. Select the Send All Digits of a Called Number option in the Called Number Sending Mode area
when you configure the advanced settings of this call route.

Configuring Router C
Add a call route:
1. Specify its call route ID as 3100, the destination number as 3..., and the trunk route line as 1/0:15
on the call route configuration page.
2. Select the Send All Digits of a Called Number option in the Called Number Sending Mode area
when you configure the advanced settings of this call route.

Configuring number substitution


Network requirements
As shown in Figure 658, a PBX forms a local telephony network at each of place A and place B. The
following requirements should be met:
• These two local telephony networks communicate through two voice gateways. Subscribers in one
PBX network can make ordinary calls to remote subscribers in the other PBX network over a VoIP
network.
• Configure two FXO trunk lines between each router and its PBX, and enable hunt group to provide
trunk line backup.
• There are a financial department, a market department, and a sales department at both place A (area
code 021) and place B (area code 010). A department at place A only needs to know the telephone
numbers of the local departments and the area code of place B when calling a department at place
B. For example, the financial department at place B can dial 3366 to call the local market
department. The financial department at place B can dial 0103366 to call the market department
at place A, and the caller ID displayed on the terminal at place A is 0211234, that is, the area code
of place B + telephone number of the financial department at place B.
Figure 658 Network diagram

Diagram summary: at place B, Router B (Eth2/1, 2.2.2.2/24) is connected through FXO lines 1/0 and 1/1 to a PBX serving Market Dept. 3366, Financial Dept. 1688, and Sales Dept. 2323; at place A, Router A (Eth2/1, 1.1.1.1/24) is connected through FXO lines 1/0 and 1/1 to a PBX serving Market Dept. 6788, Financial Dept. 1234, and Sales Dept. 6565. The two routers are connected over the WAN.

Configuration considerations
The PBX (calling side) at place B changes the called number to an intermediate number.
The PBX (called side) at place A changes the received intermediate number to a local number before
initiating the call.
The following configuration supports dial plan–based calls from place B to place A only.

Configuring Router B
# Set the IP address of the Ethernet interface to 2.2.2.2.
# Add a call route for place A: specify the call route ID as 10, the destination number as 010...., the call
route type as SIP, the SIP routing as IP routing, and the destination address as 1.1.1.1 on the call route
configuration page.
# Add a call route: specify the call route ID as 100, the destination number as ...., and the trunk route
line as 1/0 on the call route configuration page. In addition, you need to select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route; you also need to select the Enable option in the Hunt Group area when you
configure the call services of this call route.
# Add a call route: specify the call route ID as 101, the destination number as ...., and the trunk route
line as 1/1 on the call route configuration page. In addition, you need to select the Send All Digits of a
Called Number option in the Called Number Sending Mode area when you configure the advanced
settings of this call route; you also need to select the Enable option in the Hunt Group area when you
configure the call services of this call route.
# Add a number substitution rule list for called numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to
access the number substitution configuration page.

Figure 659 Number substitution configuration page (1)

• Type 21101 for Number Substitution Rule List ID.
• Add three number substitution rules as shown in Figure 659.
• Click Apply.
# Add another number substitution rule list for calling numbers of outgoing calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to
access the number substitution configuration page.

Figure 660 Number substitution configuration page (2)

• Type 21102 for Number Substitution Rule List ID.
• Add three number substitution rules as shown in Figure 660.
• Click Apply.
# Enter the call route binding page of number substitution list 21101.
Figure 661 Call routing binding page of number substitution list 21101

• Select Apply Call Routing Binding Rule to Called Numbers for Binding Mode.
• Select call route 10.
• Click Apply.
# Enter the call route binding page of number substitution list 21102.

Figure 662 Call routing binding page of number substitution list 21102

• Select Apply Call Routing Binding Rule to Calling Numbers for Binding Mode.
• Select call route 10.
• Click Apply.

Configuring Router A
# Set the IP address of the Ethernet interface to 1.1.1.1.
# Add a call route: specify the call route ID as 1010, the destination number as ...., and the trunk route
line as FXO line 1/0 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number option in the Called Number Sending Mode area when you configure the
advanced settings of this call route; you also need to select the Enable option in the Hunt Group area
when you configure the call services of this call route.
# Add a call route: specify the call route ID as 2010, the destination number as ...., and the trunk route
line as FXO line 1/1 on the call route configuration page. In addition, you need to select the Send All
Digits of a Called Number option in the Called Number Sending Mode area when you configure the
advanced settings of this call route; you also need to select the Enable option in the Hunt Group area
when you configure the call services of this call route.
# Add number substitution rule list 101 for called numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, and click Add to
access the number substitution configuration page.

Figure 663 Number substitution configuration page (3)

• Type 101 for Number Substitution Rule List ID.
• Add three number substitution rules as shown in Figure 663.
• Click Apply.
# Add another number substitution rule list for calling numbers of incoming calls.
Select Voice Management > Dial Plan > Number Substitution from the navigation tree, click Add to
access the number substitution configuration page.

Figure 664 Number substitution configuration page (4)

• Type 102 for Number Substitution Rule List ID.
• Add three number substitution rules as shown in Figure 664.
• Click Apply.
# Enter the global binding page of number substitution list 101.
Figure 665 Global binding page of number substitution list 101

• Select Incoming Calling for Incoming Binding Type.
• Click Apply.
# Enter the global binding page of number substitution list 102.

Figure 666 Global binding page of number substitution list 102

• Select Incoming Called for Incoming Binding Type.
• Click Apply.
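The rule list fields described in the number substitution configuration table (match string, output number, and the Applied First rule) and the four rule lists of this example are easier to follow with a running model. The following Python code is an added example, not code from this guide or from H3C, and the rules in it are constructed, because the contents of Figures 659 through 666 are not reproduced on the page. Its output numbers use Python back-references (\1), not the device's output number format, and it assumes that a match string is anchored at the start of the number, that '.' stands for one digit, and that digits beyond a matched prefix are kept. The list IDs 21101, 21102, 101 and 102 and their purposes are those given in the procedure above; the names Rule, RuleList and place_b_to_place_a are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    match: str    # match string: digits, '.' (one digit), (...) groups, '$' (end of number)
    output: str   # output number; \1 etc. refer to groups of the match string


@dataclass
class RuleList:
    list_id: int
    rules: List[Rule]
    preferred: Optional[int] = None   # index of the rule marked "Applied First"

    def apply(self, number: str) -> Tuple[str, Optional[int]]:
        """Return (substituted number, index of the rule that applied).

        The preferred rule is tried first; if it does not match, the other rules are tried
        in configuration order. A number that matches no rule passes through unchanged."""
        order = list(range(len(self.rules)))
        if self.preferred is not None:
            order.remove(self.preferred)
            order.insert(0, self.preferred)
        for idx in order:
            rule = self.rules[idx]
            m = re.match(rule.match.replace(".", "[0-9]"), number)
            if m:
                return m.expand(rule.output) + number[m.end():], idx
        return number, None


# Router B, bound to call route 10 (destination 010...., towards Router A). Constructed rules.
LIST_21101 = RuleList(21101, [          # called numbers of outgoing calls: strip place A's area code
    Rule("010(....)$", r"\1"),
])
LIST_21102 = RuleList(21102, [          # calling numbers of outgoing calls: add place B's area code
    Rule("(....)$", r"021\1"),
])

# Router A, bound globally to incoming calls. Constructed rules.
LIST_101 = RuleList(101, [             # called numbers of incoming calls: place B's local numbers
    Rule("3366$", "6788"),             # to the corresponding place A departments (market,
    Rule("1688$", "1234"),             # financial, sales)
    Rule("2323$", "6565"),
])
LIST_102 = RuleList(102, [             # calling numbers of incoming calls
    Rule("021(....)$", r"021\1"),      # generic: keep any other place B caller ID as received
    Rule("0211688$", "0211234"),       # financial department at place B, shown as 021 + local number
], preferred=1)                        # "Applied First": the specific rule is tried before the generic one


def place_b_to_place_a(called: str, calling: str) -> Tuple[str, str]:
    """Apply the four lists in call order and return what Router A hands to its PBX."""
    called, _ = LIST_21101.apply(called)    # Router B, outgoing called number
    calling, _ = LIST_21102.apply(calling)  # Router B, outgoing calling number
    called, _ = LIST_101.apply(called)      # Router A, incoming called number
    calling, _ = LIST_102.apply(calling)    # Router A, incoming calling number
    return called, calling


if __name__ == "__main__":
    print(place_b_to_place_a("0103366", "1688"))   # ('6788', '0211234')
    print(LIST_102.apply("0213366"))               # ('0213366', 0): preferred rule misses, generic applies
```

Without the Applied First setting on list 102, the generic rule at index 0 would match 0211688 first and the specific rule would never be reached, which is exactly the situation the preferred rule exists for.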

Call connection

Introduction to SIP
The Session Initiation Protocol (SIP) is an application layer control protocol that can establish, modify,
and terminate multimedia sessions such as IP phone calls and multimedia conferences. It is the core
component in the multimedia data and control architecture of the IETF (RFC 3261).
SIP is responsible for signaling control in IP networks and communication with soft switch platforms. The
intent is to build a next generation value-added service platform to deliver better value-added services to
telecom carriers, banks, and financial organizations.
SIP is used for initiating sessions. It sets up and terminates a multimedia session involving a group of
participants and dynamically adjusts and modifies session characteristics such as the required session
bandwidth, media type (voice, video, or data), media encoding/decoding format, and
multicast/unicast delivery. SIP is text-encoded and is modeled on the mature HTTP protocol. Easy to
extend and implement, it is suitable for implementing Internet-based multimedia conference systems.

Terminology
Multimedia session
According to RFC2327, a multimedia session is a set of multimedia senders and receivers and the data
streams flowing from senders to receivers. A multimedia conference is an example of a multimedia
session.
A session is identified by a set of username, session ID, network type, address type, and address.

User agent
A user agent (UA), or a SIP endpoint, is a SIP-enabled multimedia session endpoint. Usually, a
SIP-enabled router serves as a SIP UA.
There are two types of UAs: user agent client (UAC) and user agent server (UAS). To make a call, a SIP
endpoint needs to process SIP requests as a UAS and initiate SIP requests as a UAC.
A UAC is a device that initiates a session request. It can be, for example, a calling SIP endpoint or a
proxy server forwarding a request to a called endpoint.
A UAS is a device that generates a response to a SIP request. It can be, for example, a called SIP
endpoint or a proxy server receiving a request from a calling endpoint.

Proxy server
A proxy server is a device that forwards session requests to a called UA on behalf of a calling UA (a SIP
endpoint), and responds to the calling UA on behalf of the called UA.
When the proxy server receives a request from a calling UA, it first queries its location server for the
location of the called UA and the call policies of the calling UA and the called UA. If the location
information of the called UA is available and the calling UA is allowed to make the call, the proxy server
then forwards the request to the called UA.

Redirect server
A redirect server sends a new connection address to a requesting client.
For example, when it receives a request from a calling UA, the redirect server searches for the location
information of the called UA and returns the location information to the UA. This location can be that of
the called UA or another proxy server, to which the UA can initiate the session request again. The
subsequent procedure is the same as that for calling a called UA directly or for calling a proxy server.

Location server
A location server is a device that provides UA information to proxy and redirect servers. It retains the UA
information received by a registrar. The location server and registrar can reside on the same server as
two logical components or on different devices.

Registrar
A registrar receives UAs' registrations. The registration information (for example, the local telephone
number) is usually stored on the location server for future retrieval. The location server and the registrar
are both logical components and are usually co-located.

Functions and features of SIP


Functions
SIP supports five basic functions:
• Locating called SIP endpoints—The most powerful function of SIP. For this purpose, SIP can use the
registration information of SIP endpoints on the registrar. In addition, it can improve its user location
service by using other location services provided by the DNS and LDAP.
• Determining user availability—Determines whether a called endpoint can participate in a session.
SIP supports multiple address description and addressing styles, SIP-URI (for example, SIP:
123456@172.18.24.11), Tel-URL (for example, Tel: +1312000), and SIPS-URI (SIPS:
123456@172.18.24.11). Therefore, a SIP caller can identify whether a callee is attached to a PSTN
network by callee's address, and then initiate and set up the call to the callee through the gateway
connected to the PSTN.
• Determining user capabilities—Determines the media type and media parameters of a called
endpoint. In a message exchange process, each SIP endpoint sends such information in messages
so that all other participants can learn about its capabilities.
• Setting up a session, or session parameters, at both callee and caller sides—Two parties can select
the appropriate capabilities for session setup through negotiation about media type and media
parameters to be used.
• Managing sessions—Manages sessions by modifying session parameters or terminating sessions.

Features
The following are the features delivered by SIP:
• Open standards. It can accommodate new functions, products, and services introduced by different
service providers.
• Flexible configuration. It accommodates a wide range of dialup, wire, and wireless devices, allows
highly flexible configurations, and can work with other systems.
• Scalable system. The system allows expansion as enterprises grow.
• Support for remote users. With SIP, an enterprise network can extend to all its users, wherever they
are.

• Consistent communication method. Management becomes easier as the result of consistency in
dialup mode and system access method used by branches, SOHOs, and traveling personnel.
• Quick launch. The system can be updated quickly to accommodate new branches and personnel,
and changes resulting from job rotation or relocation.
• Easy to install and maintain. Nonprofessional individuals can install and maintain SIP systems.

SIP messages
SIP messages, which fall into SIP request messages and SIP response messages, are encoded as text.
SIP request messages include INVITE, ACK, OPTIONS, BYE, CANCEL, and REGISTER, the six request
messages defined in RFC 3261:
• INVITE—Used to invite a user to join a call.
• ACK—Used to acknowledge the response to a request.
• OPTIONS—Used to query for the capabilities.
• BYE—Used to release an established call.
• CANCEL—Used to give up a call attempt.
• REGISTER—Used to register with the SIP registrar.
SIP response messages, used to respond to SIP requests, indicate the status of a call or registration,
succeeded or failed. Response messages are distinguished by status codes. Each status code is a 3-digit
integer, where the first digit defines the class of a response, and the last two digits describe the response
message in more detail.
Table 235 Status codes of response messages

Code Description Class


100–199 Request is received and is being processed. Provisional

200–299 Request is successfully received, understood, and accepted. Success

300–399 Further action needs to be taken to process the request. Redirection

400–499 Request contains bad syntax, and therefore cannot be processed. Client error

500–599 Request cannot be processed due to UAS or server error. Server error

600–699 Request cannot be processed by any UAS or server. Global error

SIP fundamentals
Registration
In a complete SIP system, all SIP endpoints working as UAs should register with SIP registrars, providing
information such as location, session capabilities, and call policy.
Typically, a SIP UA sends its registrar a REGISTER request at startup or in response to an administrative
registration operation, carrying all the information that must be recorded. Upon receipt of the request, the
registrar sends back a response acknowledging receipt of the request, and a 200 OK (SUCCESS) message
if the registration is accepted. The following figure shows the message exchange.

Figure 667 Message exchange for a UA to register with a Registrar

Call setup
SIP operates in the Client/Server mode and sets up calls through communication between UA and proxy
server.
Figure 668 Network diagram

In the previous figure, Telephone A wants to call Telephone B, and Router A and Router B work as SIP
endpoints (UAs).
The following is the procedure for connecting a call from Telephone A to Telephone B:
1. Telephone A sends the number of Telephone B.
2. Upon receipt of the call, Router A sends a session request (INVITE) to the proxy server.
3. The proxy server consults its database for information corresponding to the number of Telephone
B. If such information is available, it forwards the request to Router B.
4. Router B, after receiving the request, responds to the proxy server and makes Telephone B ring if
Telephone B is available.
5. The proxy server forwards the response to Router A. The response discussed here includes two
provisional response messages (100 Trying and 180 Ringing) and one success response (200
OK).
Figure 669 shows the complete call setup procedure.

Figure 669 Call setup procedures involving a proxy server

This is a simplified scenario where only one proxy server is involved and no registrar is present. However,
a complex scenario may involve multiple proxy servers and registrars.

Call redirection
When a SIP redirect server receives a session request, it sends back a response indicating the address of
the called SIP endpoint instead of forwarding the request. The calling and called endpoints therefore can
send request and response to each other directly. See Figure 670.

Figure 670 Call redirection procedure for UAs

Diagram summary: a user agent, a redirect server, and a second user agent connected over the Internet. Message sequence: INVITE (calling user agent to redirect server), 100 Trying, 302 Moved Temporarily, ACK; then INVITE (calling user agent to the called user agent), 100 Trying, 200 OK, ACK.

This is a common application. Fundamentally, a redirect server can respond with the address of a proxy
server as well. The subsequent call procedures are the same as the call procedures involving proxy
servers.
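The status code classes of Table 235, the call setup exchange (INVITE, 100 Trying, 180 Ringing, 200 OK, ACK) and the redirect exchange of Figure 670 are brought together in the following Python model. It is an added example, not code from this guide or from H3C: a text SIP response is parsed into its status line and headers, the code is classified by its first digit, and a user agent client follows the exchange, waiting through provisional responses, acknowledging every final response, and re-sending the INVITE to the Contact address returned in a 302. All messages are constructed; 1.1.1.2 is the destination address used in the examples of this guide, while redirect.example, the Call-ID values and the names parse_response, classify and place_call are the example's own.

```python
import re
from typing import Callable, Dict, List, Tuple

STATUS_CLASSES = {                 # Table 235: first digit of the status code
    1: "Provisional", 2: "Success", 3: "Redirection",
    4: "Client error", 5: "Server error", 6: "Global error",
}


def classify(code: int) -> str:
    """Class of a three-digit SIP status code."""
    if not 100 <= code <= 699:
        raise ValueError(f"not a SIP status code: {code}")
    return STATUS_CLASSES[code // 100]


def parse_response(raw: str) -> Tuple[int, str, Dict[str, str]]:
    """Split a text-encoded SIP response into (code, reason phrase, headers)."""
    lines = raw.strip().splitlines()
    m = re.fullmatch(r"SIP/2\.0 (\d{3}) (.+)", lines[0])
    if not m:
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2), headers


# Constructed network: the responses each request URI returns to an INVITE.
NETWORK: Dict[str, List[str]] = {
    "sip:20001234@redirect.example": [
        "SIP/2.0 100 Trying\r\nCall-ID: call-1\r\n",
        "SIP/2.0 302 Moved Temporarily\r\nCall-ID: call-1\r\nContact: <sip:20001234@1.1.1.2>\r\n",
    ],
    "sip:20001234@1.1.1.2": [
        "SIP/2.0 100 Trying\r\nCall-ID: call-1\r\n",
        "SIP/2.0 180 Ringing\r\nCall-ID: call-1\r\n",
        "SIP/2.0 200 OK\r\nCall-ID: call-1\r\nContact: <sip:20001234@1.1.1.2>\r\n",
    ],
    "sip:99999999@1.1.1.2": [
        "SIP/2.0 100 Trying\r\nCall-ID: call-2\r\n",
        "SIP/2.0 404 Not Found\r\nCall-ID: call-2\r\n",
    ],
}


def send_invite(uri: str) -> List[str]:
    """Deliver an INVITE to the constructed network and collect the responses."""
    return NETWORK.get(uri, [])


def place_call(uri: str, send: Callable[[str], List[str]] = send_invite,
               max_redirects: int = 3) -> Tuple[List[str], str]:
    """UAC behaviour: send INVITE, wait through 1xx responses, ACK every final response,
    follow a 3xx Contact to the new address, stop on 2xx or on any error class.
    Returns (message transcript, final call state)."""
    transcript: List[str] = []
    for _ in range(max_redirects + 1):
        transcript.append(f"INVITE {uri}")
        redirected = False
        for raw in send(uri):
            code, reason, headers = parse_response(raw)
            transcript.append(f"{code} {reason}")
            if code < 200:
                continue                     # provisional: keep waiting
            transcript.append("ACK")         # every final response is acknowledged
            cls = classify(code)
            if cls == "Success":
                return transcript, "established"
            if cls == "Redirection" and "contact" in headers:
                uri = headers["contact"].strip("<>")
                redirected = True
                break                        # re-send the INVITE to the new address
            return transcript, f"failed ({cls})"
        if not redirected:
            return transcript, "failed (no final response)"
    return transcript, "failed (too many redirects)"


if __name__ == "__main__":
    for step in place_call("sip:20001234@redirect.example")[0]:
        print(step)
```

The redirect loop is bounded by max_redirects so that a server answering every INVITE with another 302 cannot keep the client busy forever; a real UA would also apply the transaction timers of RFC 3261, which the model leaves out.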

Support for transport layer protocols


As an application layer protocol, SIP supports three transport layer protocols, including:
• UDP—UDP is a connectionless protocol and does not provide reliability. Therefore, SIP connections
established over UDP are unreliable.
• TCP—Ensures transmission reliability for SIP messages. TCP provides connection-oriented and
reliable transmission for SIP-based VoIP communications. Using TCP, SIP need not consider packet
loss and retransmission issues.
• Transport layer security (TLS)—Ensures transmission security for SIP messages. For more information,
see Signaling encryption.
The above three transport layer protocols have their own benefits, and allow you to select a protocol
based on your network environment. The system does not support transport layer protocol switchover
during communication.

SIP security
This section provides information on signaling encryption, media flow encryption, and TLS-SRTP
combinations.

Signaling encryption
TLS runs over TCP and provides a complete set of authentication and encryption solutions for application
layer protocols. When you establish a TLS connection, both sides must authenticate each other by using
their own digital certificates. They can communicate with each other only after passing authentication.
SIP messages are encrypted during SIP over TLS transmission, which prevents them from being sniffed
and increases the security of voice communications.

Media flow encryption


RTP and RTCP are the supported media flow protocols. RTP provides end-to-end real-time transmission for
real-time data such as audio and video data. RTCP monitors data transmission in real time and performs
congestion and traffic control in time. RTP and RTCP work together to optimize transmission
efficiency by providing efficient feedback and minimizing overhead.
Media flows are transmitted in plain text. To ensure transmission security, the Secure Real-Time Transport
Protocol (SRTP) was introduced.
SRTP provides encryption of the RTP/RTCP packet payload, authentication of the entire RTP/RTCP
packet, and packet replay protection.
The first step of SRTP encryption is to negotiate encryption information, which at present can only be
carried in the crypto header field of the Session Description Protocol (SDP). The initiator sends its
encryption information to the receiver for negotiation. If the negotiation is successful, the receiver returns
its corresponding encryption information. After the session is established, each end uses its own key to
encrypt the RTP/RTCP packets it sends and uses the key of the peer to decrypt the RTP/RTCP packets it
receives.
SDP negotiation includes the following cryptographic attributes:
Table 236 Cryptographic attributes

Tag
  The tag attribute is an identifier for a particular cryptographic attribute to determine which of the
  several offered cryptographic attributes was chosen by the receiver.
  Remarks: Required.

Crypto-Suite
  The crypto-suite attribute defines the encryption and authentication algorithm. The device supports
  suites AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32.
  Remarks: Required.

Key Parameters
  The key parameters attribute defines key information, including the key generation algorithm and the
  key value.
  Remarks: Required.

Session Parameters
  The session parameters attribute defines session parameters, such as key generation rate,
  UNENCRYPTED_SRTP, UNENCRYPTED_SRTCP, UNAUTHENTICATED_SRTP, and FEC.
  Remarks: Optional. Not supported at present.

When you use SRTP to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and
authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and
authenticates RTP/RTCP packets. For more information about the encryption engine, see Security
Configuration Guide in H3C MSR Series Routers Configuration Guides (V5).
SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about SIP trunk,
see "Configuring SIP trunk."
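The offer/answer exchange of the crypto attributes above, as an added example that is not H3C code: the answering side keeps the chosen tag and suite but returns its own key, skips offers carrying session parameters (not supported per Table 236), and each side then encrypts with its own key and decrypts with the peer's. The sample offer lines are constructed.

```python
"""Offer/answer negotiation of SDP a=crypto attributes for SRTP (added example)."""
import base64
import os
from dataclasses import dataclass, field
from typing import Optional

# Suites listed in the guide. For both, the inline master key||salt is 16 + 14 bytes.
SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
MASTER_KEY_LEN = 16
MASTER_SALT_LEN = 14


@dataclass
class CryptoAttr:
    tag: int
    suite: str
    key_params: str                      # e.g. "inline:<base64 key||salt>"
    session_params: list = field(default_factory=list)

    def line(self) -> str:
        """Render back to an SDP 'a=crypto:' line."""
        return " ".join([f"a=crypto:{self.tag} {self.suite} {self.key_params}",
                         *self.session_params])


def parse_crypto(line: str) -> CryptoAttr:
    """Parse 'a=crypto:<tag> <crypto-suite> <key-params> [<session-params>...]'."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not a crypto attribute")
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3:
        raise ValueError("crypto attribute needs tag, suite and key parameters")
    return CryptoAttr(int(fields[0]), fields[1], fields[2], fields[3:])


def master_key(attr: CryptoAttr) -> bytes:
    """Return the raw master key||salt carried in inline key parameters."""
    method, _, rest = attr.key_params.partition(":")
    if method != "inline":
        raise ValueError("only inline key parameters are supported")
    keysalt = base64.b64decode(rest.split("|", 1)[0])   # drop lifetime / MKI if present
    if len(keysalt) != MASTER_KEY_LEN + MASTER_SALT_LEN:
        raise ValueError("bad key length for the negotiated suite")
    return keysalt


def new_key_params() -> str:
    """Generate a fresh random master key||salt for this end's sending direction."""
    raw = os.urandom(MASTER_KEY_LEN + MASTER_SALT_LEN)
    return "inline:" + base64.b64encode(raw).decode()


def answer_offer(offer_lines, own_key_params=None) -> Optional[CryptoAttr]:
    """Pick the first offered attribute the device can use and build the answer.

    Session parameters are not supported, so offers that carry them are skipped.
    The answer echoes the chosen tag and suite but carries the answerer's own key.
    """
    for line in offer_lines:
        offered = parse_crypto(line)
        if offered.suite not in SUPPORTED_SUITES or offered.session_params:
            continue
        master_key(offered)                      # validate the peer key before accepting
        return CryptoAttr(offered.tag, offered.suite, own_key_params or new_key_params())
    return None                                  # nothing acceptable: media negotiation fails


def direction_keys(own: CryptoAttr, peer: CryptoAttr) -> dict:
    """Keys each end uses: its own key to encrypt sent packets, the peer's to decrypt."""
    return {"encrypt_tx": master_key(own), "decrypt_rx": master_key(peer)}


# Constructed sample offer: an unsupported suite, a supported suite with an unsupported
# session parameter, then an attribute the device can accept.
OFFER = [
    "a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:" + base64.b64encode(os.urandom(46)).decode(),
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 " + new_key_params() + " UNENCRYPTED_SRTP",
    "a=crypto:3 AES_CM_128_HMAC_SHA1_32 " + new_key_params(),
]

if __name__ == "__main__":
    answer = answer_offer(OFFER)
    print(answer.line() if answer else "negotiation failed")
```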

TLS-SRTP combinations
TLS protects control signaling, and SRTP encrypts and authenticates voice media flows. You can use them
separately or together. The following table shows four combinations of TLS and SRTP.
Table 237 TLS-SRTP combinations

TLS On, SRTP On
  Signaling packets are secured. Personal information is protected.
  Media packets are secured. Call conversations are protected.
  Recommended.

TLS Off, SRTP On
  Signaling packets are not secured. Personal information is not protected.
  Media packets are secured. Call conversations are protected.

TLS On, SRTP Off
  Signaling packets are secured. Personal information is protected.
  Media packets are not secured. Call conversations are not protected.

TLS Off, SRTP Off
  Signaling packets are not secured. Personal information is not protected.
  Media packets are not secured. Call conversations are not protected.

Support for SIP extensions


• Strict SIP routing is supported. In a complicated network environment where a request from SIP UAC
to SIP UAS needs to pass through multiple proxy servers, SIP uses the Route header field and the
Record-Route header field to make sure that requests in the dialog can be routed through these
proxy servers.
• The UPDATE method for SIP defined in RFC 3311 is supported. It is mainly used to update
parameters of a session before the session is established, such as switching codecs, switching the
voice to the media server, and muting, and has no impact on normal call procedures.

Configuring SIP connections

This section describes how to configure SIP connections.

Configuring connection properties


Configuring registrar
Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the
connection properties configuration page as shown in Figure 671.
Figure 671 Registrar configuration page

Table 238 Configuration items

Registrar State
  • Enable—Select the option to enable the SIP registrar.
  • Disable—Select the option to disable the SIP registrar.

Main Registrar Transport Layer Protocol
  • UDP—Apply the UDP transport layer protocol when the device registers to the main registrar.
  • TCP—Apply the TCP transport layer protocol when the device registers to the main registrar.
  • TLS—Apply the TLS transport layer protocol when the device registers to the main registrar.
  By default, the UDP protocol is applied.

Main Registrar URL Scheme
  • SIP—Apply the SIP scheme as the URL scheme when the device registers to the main registrar.
  • SIPS—Apply the SIPS scheme as the URL scheme when the device registers to the main registrar.
  By default, the SIP scheme is applied.

Main Registrar Address
  Specify the IP address or domain name of the main registrar.

Main Registrar Port Number
  Specify the port number of the main registrar.

Aging Time for the Main Registrar
  Specify the registration aging time for the main registrar.

Backup Registrar Transport Layer Protocol
  • UDP—Apply the UDP transport layer protocol when the device registers to the backup registrar.
  • TCP—Apply the TCP transport layer protocol when the device registers to the backup registrar.
  • TLS—Apply the TLS transport layer protocol when the device registers to the backup registrar.
  By default, the UDP protocol is applied.

Backup Registrar URL Scheme
  • SIP—Apply the SIP scheme as the URL scheme when the device registers to the backup registrar.
  • SIPS—Apply the SIPS scheme as the URL scheme when the device registers to the backup registrar.
  By default, the SIP scheme is applied.

Backup Registrar Address
  Specify the IP address or domain name of the backup registrar.

Backup Registrar Port Number
  Specify the port number of the backup registrar.

Aging Time for the Backup Registrar
  Specify the registration aging time for the backup registrar.

Username
  Specify the username used for authentication.

Password
  Specify the password used for authentication.

Authentication Information Field for Handshake Authentication
  Specify the authentication information field used for handshake authentication between the registrar
  and the SIP UA.

Domain Name for Handshake Authentication
  Specify the domain name used for handshake authentication between the registrar and the SIP UA.

Configuring proxy server
Select Voice Management > Call Connection > SIP Connection from the navigation tree to access the
proxy server configuration page, as shown in Figure 672.
Figure 672 Proxy server configuration page

Table 239 Configuration items

Use Server Group
  Select a server group from the list as the proxy server. You can add a server group on the page that
  can be accessed by selecting Voice Management > Call Connection > SIP Server Group Management
  from the navigation tree.

Transport Layer Protocol for SIP Calls
  • UDP—Apply the UDP transport layer protocol when the device initiates a call.
  • TCP—Apply the TCP transport layer protocol when the device initiates a call.
  • TLS—Apply the TLS transport layer protocol when the device initiates a call.
  By default, the UDP protocol is applied.

URL Scheme
  • SIP—Specify the SIP scheme as the URL scheme.
  • SIPS—Specify the SIPS scheme as the URL scheme.
  By default, the SIP scheme is applied.

Proxy Server Address
  Specify the IP address or a domain name of the proxy server.

Proxy Server Port Number
  Specify the port number of the proxy server.

Configuring session properties


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the session properties configuration page.

Configuring source address binding


Introduction to SIP support for source IP address binding
With this function, you can specify a source IP address for SIP signaling or media streams that go out of
the gateway. SIP support for source IP address binding is implemented by binding a static IP address or
the primary IP address of an interface.
• Static IPv4 address binding—The source IP address specified for SIP calls is the bound IP address.
• Source address interface binding—In a large network, an interface obtains its IP address from a
DHCP or PPPoE server. In this scenario, you can use this function to configure an interface as the
source of SIP signaling and media streams to avoid manual IP address configuration, and therefore
simplify network management.
Source IP address binding is supported on Layer 3 Ethernet interfaces, GigabitEthernet interfaces, and
dialer interfaces.
For information about DHCP, see Layer 3—IP Services Configuration Guide in H3C MSR Series Routers
Configuration Guides (V5).

Configuring source address binding


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the session properties configuration page, as shown in Figure 673.
Figure 673 Source address binding configuration page

Table 240 Configuration items

Media Stream Binding Mode
  Configure the media stream binding mode or disable media stream binding.
  • None—Disable media stream binding.
  • IPv4 Address Binding—Bind the media stream to a static IPv4 address.
  • Interface Binding—Bind the media stream to an interface.

IPv4 Address Bound with the Media Stream
  If you select IPv4 Address Binding as the media stream binding mode, you must enter the IPv4
  address to be bound in this field.

Interface Bound with the Media Stream
  If you select Interface Binding as the media stream binding mode, you must specify the interface to
  be bound from the list. Only the Layer 3 Ethernet interface, GE interface, and dialer interface are
  supported.

Signaling Stream Binding Mode
  Configure the signaling stream binding mode or disable signaling stream binding.
  • None—Disable signaling stream binding.
  • IPv4 Address Binding—Bind the signaling stream to an IPv4 address.
  • Interface Binding—Bind the signaling stream to an interface.

IPv4 Address Bound with the Signaling Stream
  If you select IPv4 Address Binding as the signaling stream binding mode, you must enter the IPv4
  address to be bound in this field.

Interface Bound with the Signaling Stream
  If you select Interface Binding as the signaling stream binding mode, you must specify the interface
  to be bound from the list. Only Layer 3 Ethernet interfaces, GE interfaces, and dialer interfaces are
  supported.

Table 241 Application of the source address binding settings in different states

Settings made when the call is active
  • For SIP media streams, the source IP address binding settings do not take effect until the next SIP
    call.
  • For SIP signaling streams, the source IP address binding settings take effect immediately.

Settings made when the bound interface or the interface whose IP address is bound has been shut down
  The source IP address binding settings do not take effect, and the original sending mode of the
  signaling streams or media streams is restored. After the interface is up, the source IP address binding
  settings take effect immediately.

Settings made when the bound static IP address has been removed or modified, or the bound interface
has been removed
  Removes the source IP address binding settings.

Settings made when the bound hot-swappable interface has been disconnected
  Cancels the source IP address binding settings. They are restored the next time the interface is
  connected.

Settings made when the physical layer or link layer of the corresponding interface is down
  The source IP address binding settings never take effect, and the gateway automatically gets an IP
  address to send packets.

Settings made when the DHCP lease duration expires and the interface dynamically obtains a new IP
address from the DHCP server
  Uses the new IP address as the source IP address.

Settings made when the SIP registrar is enabled
  The subsequent registration update messages use the source IP address newly bound to signaling
  streams to initiate registration.

Configuring SIP listening


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the page as shown in Figure 674.
Figure 674 Configuring SIP listening

Table 242 Configuration items

SIP Listening Transport Layer Protocol
  • UDP—Specify UDP as the transport layer protocol for incoming SIP calls and enable UDP listening
    port 5060.
  • TCP—Specify TCP as the transport layer protocol for incoming SIP calls and enable TCP listening
    port 5060.
  • TLS—Specify TLS as the transport layer protocol for incoming SIP calls and enable TLS listening
    port 5061. If you select this option, you must select a certificate from the Certificate list.
  By default, both the UDP and TCP listening ports are enabled, and the TLS listening port is disabled.
  Configure this item in either of the following scenarios:
  • If the device is the call receiver, you must enable the listening port of the transport layer protocol
    used by the incoming calls.
  • If TCP or TLS is selected as the transport layer protocol when the device initiates a call, you must
    specify it as the SIP listening transport layer protocol in this item. Otherwise, no register request
    can be initiated.
  Resetting the setting for this item deletes the currently established connections.

Configuring media security


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the page as shown in Figure 675.
Figure 675 Configuring media security

Table 243 Configuration item

Media Protocol
  • RTP—Specify the Real-time Transport Protocol (RTP) as the media flow protocol for SIP calls.
  • SRTP—Specify the Secure Real-time Transport Protocol (SRTP) as the media flow protocol for SIP
    calls.
  By default, the RTP protocol is applied.
  When both the RTP and SRTP protocols are specified as the media flow protocols for SIP calls:
  • If the device is the call initiator, both media flow protocols are carried in the INVITE message for
    the receiver to select.
  • If the device is the call receiver, the SRTP protocol is first used for media flow negotiation. If the
    negotiation fails, the RTP protocol is used.

Configuring caller identity and privacy
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the caller identity and privacy configuration page, as shown in Figure
676.
Figure 676 Caller identity and privacy configuration page

Table 244 Configuration items

Caller Identity Presentation Restriction Mode
  • None—Neither the P-Preferred-Identity header field nor the P-Asserted-Identity header field is
    added.
  • P-Asserted-Identity—Add the P-Asserted-Identity header field. The Privacy header field indicates
    whether caller identity presentation is enabled or not, and the P-Asserted-Identity header field
    contains the caller's number.
  • P-Preferred-Identity—Add the P-Preferred-Identity header field. The Privacy header field indicates
    whether caller identity presentation is enabled or not, and the P-Asserted-Identity header field
    contains the caller's number.
  The default setting is None, that is, caller identity presentation is enabled.

Add the Remote-Party-ID Header Field
  • Enable—Add the Remote-Party-ID header field.
  • Disable—Remove the Remote-Party-ID header field.
  By default, the Remote-Party-ID header field is not added.

Caller ID presentation can be disabled by adding the P-Preferred-Identity, P-Asserted-Identity, or


Remote-Party-ID header field.
• When the P-Preferred-Identity or P-Asserted-Identity header field is added, the Privacy header field
will be added. When the Privacy header field is set to none, caller identity presentation is allowed.
When the Privacy header field is set to id, caller identity presentation is restricted.
• Remote-Party-ID header field: privacy=off indicates caller identity presentation and privacy=full
indicates caller identity screening. The calling information can be transparently transmitted by
adding the Remote-Party-ID header field.
The Remote-Party-ID header field can be used together with the P-Preferred-Identity header field or
P-Asserted-Identity header field. If so, the Remote-Party-ID header field takes precedence over the
P-Preferred-Identity header field or the P-Asserted-Identity header field.
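The header fields described above, as an added example that is not H3C code: one function emits the INVITE header lines for each Caller Identity Presentation Restriction Mode (with Privacy: none or id, and Remote-Party-ID privacy=off or full), and a receiving-side function applies the precedence rule, Remote-Party-ID first. Number 1111 and host 192.168.2.1 are constructed sample values.

```python
"""Caller identity and privacy header fields in a SIP INVITE (added example)."""


def build_identity_headers(number, host, mode="None", deliver=True, remote_party_id=False):
    """Return the extra INVITE header lines for the given settings.

    mode: "None", "P-Asserted-Identity" or "P-Preferred-Identity".
    deliver: False when calling information delivery is set to Do Not Deliver.
    remote_party_id: True when the Remote-Party-ID header field is added.
    """
    uri = f"<sip:{number}@{host}>"
    headers = []
    if mode in ("P-Asserted-Identity", "P-Preferred-Identity"):
        headers.append(f"{mode}: {uri}")
        # Privacy: none allows presentation; Privacy: id restricts it.
        headers.append("Privacy: " + ("none" if deliver else "id"))
    elif mode != "None":
        raise ValueError(f"unknown mode {mode!r}")
    if remote_party_id:
        # privacy=off presents the caller identity; privacy=full screens it.
        privacy = "off" if deliver else "full"
        headers.append(f"Remote-Party-ID: {uri};party=calling;privacy={privacy}")
    return headers


def parse_headers(lines):
    """Map lower-cased header names to their values (first ':' separates name and value)."""
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def presentation_allowed(headers):
    """Decide on the called side whether the calling number may be displayed."""
    h = parse_headers(headers)
    rpid = h.get("remote-party-id")
    if rpid is not None:
        # Remote-Party-ID takes precedence over P-Preferred-Identity / P-Asserted-Identity.
        params = dict(p.split("=", 1) for p in rpid.split(";")[1:] if "=" in p)
        return params.get("privacy", "off") != "full"
    if "p-asserted-identity" in h or "p-preferred-identity" in h:
        return h.get("privacy", "none") != "id"
    return True   # no identity fields: presentation is not restricted


if __name__ == "__main__":
    # The caller ID blocking example: Do Not Deliver plus P-Asserted-Identity mode.
    blocked = build_identity_headers("1111", "192.168.2.1", "P-Asserted-Identity", deliver=False)
    print("\n".join(blocked), "->", "presented" if presentation_allowed(blocked) else "blocked")
```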

Configuring SIP session refresh
Introduction to SIP session refresh
In a high-volume traffic environment, if a BYE message gets lost for a session, the call proxy server will not
know that the session has ended. Therefore, it still maintains the state information for the call, which
wastes resources of the server. To solve this problem, RFC 4082 defines a session timer mechanism
for SIP sessions: the UA sends periodic re-INVITE or UPDATE requests (called session refresh requests) to
notify the proxy server about the current state of the session. The interval for sending session refresh
requests is determined through the negotiation of both sides.
Two new header fields are added to the session refresh requests:
• Session-Expires—Conveys the maximum session duration, that is, if no refresh request is received
during this time, the session is considered ended.
• Min-SE—Conveys the minimum session duration, which is used to avoid frequent refresh requests
from occupying network bandwidth.
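The Session-Expires / Min-SE negotiation, as an added example that is not H3C code: the called side refuses a Session-Expires below its own Min-SE (the guide's default of 90 seconds) with a 422 response carrying that Min-SE, otherwise accepts the interval. That the refresher sends its re-INVITE or UPDATE at half the negotiated interval is an assumption of this example, and the header lines are constructed samples.

```python
"""SIP session timer negotiation on the called side (added example)."""

DEFAULT_MIN_SE = 90  # seconds: the guide's default minimum session duration


def parse_timer_headers(msg_lines):
    """Return (Session-Expires value, refresher parameter, Min-SE value) from header lines."""
    session_expires, refresher, min_se = None, None, None
    for line in msg_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        if name == "session-expires":
            num, *params = [p.strip() for p in value.split(";")]
            session_expires = int(num)
            for p in params:
                if p.startswith("refresher="):
                    refresher = p.split("=", 1)[1]
        elif name == "min-se":
            min_se = int(value)
    return session_expires, refresher, min_se


def negotiate_session_timer(request_lines, local_min_se=DEFAULT_MIN_SE):
    """Handle a session timer offer; returns (status_code, response_headers, refresh_after)."""
    se, refresher, _peer_min_se = parse_timer_headers(request_lines)
    if se is None:
        return 200, [], None                  # the caller offered no session timer
    if se < local_min_se:
        # Too short: refuse and tell the caller the smallest interval accepted here,
        # so it does not flood the network with frequent refresh requests.
        return 422, [f"Min-SE: {local_min_se}"], None
    refresher = refresher or "uas"            # the called side picks the refresher if unset
    headers = [f"Session-Expires: {se};refresher={refresher}", f"Min-SE: {local_min_se}"]
    # Assumption: the refresher sends re-INVITE/UPDATE at half the negotiated interval.
    return 200, headers, se // 2


def session_expired(last_refresh, now, session_expires):
    """True when no refresh arrived within Session-Expires: the session is considered ended."""
    return now - last_refresh >= session_expires


if __name__ == "__main__":
    # Constructed sample: caller asks for 60 s, below the default Min-SE of 90 s.
    print(negotiate_session_timer(["Session-Expires: 60;refresher=uac", "Min-SE: 60"]))
```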

Configuring SIP session refresh


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the SIP session refresh configuration page, as shown in Figure 677.
Figure 677 SIP session refresh configuration page

Table 245 Configuration items

SIP Session Refresh
  • Enable—Enable SIP session refresh.
  • Disable—Disable SIP session refresh.
  You can configure Session Expiration and Min Session Refresh Interval only after the SIP session
  refresh function is enabled.

Session Expiration, Min Session Refresh Interval
  Maximum and minimum session durations of SIP sessions.
  By default:
  • The periodic refresh of SIP sessions is not enabled automatically. That is, if periodic refresh of SIP
    sessions is disabled on the called party but enabled on the calling party, the called party will
    enable periodic refresh of SIP sessions after negotiation.
  • The minimum session duration is 90 seconds.

Configuring compatibility
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Session Properties tab to access the compatibility configuration page as shown in Figure 678.

Figure 678 Compatibility configuration page

Table 246 Configuration items
The devices of some vendors do not strictly follow the SIP protocol. To interoperate with such devices, you
must configure the SIP compatibility options.

Use the address in the To header field as the address in the From header field
  • Enable—Configure the device to use the address (IP address or DNS domain name) in the To header
    field as the address in the From header field when sending a SIP request.
  • Disable—Do not use the address in the To header field as the address in the From header field.
    That is, the From header field contains the source address and the To header field contains the
    destination address.
  By default, the SIP compatibility function is disabled.

Source of the Called Number
  Configure the source of the called number.
  • Request-Line Header Field—Get the called number from the Request-Line header field.
  • To Header Field—Get the called number from the To header field.
  By default, the called number is obtained from the request-line, which is the start line in a SIP
  request message.

SIP Fax and Modem Pass-through
  • Carry the x-param compatibility option:
    If the device receives a re-INVITE request with the a=X-modem field, it will reply with a 200 OK
    response carrying the a=X-modem field in the SDP field.
    If the device receives a re-INVITE request with the a=X-fax field, it will reply with a 200 OK
    response carrying the a=X-fax field.
    When the device initiates a fax pass-through operation, the a=X-fax field is carried in the
    re-INVITE request. When the device initiates a modem pass-through operation, the a=X-modem
    field is carried in the re-INVITE request.
  • Compatible with T.38 fax: the device can recognize T.38-specific description fields, and the fax
    parameters T38FaxTranscodingJBIG, T38FaxTranscodingMMR, and T38FaxFillBitRemoval, which are
    in the SDP fields of the re-INVITE requests and 200 OK responses, do not contain :0.
  By default, the compatibility options are not carried in re-INVITE requests.

UAC Product Name
  Specify the product name of the UAC.

UAC Product Version
  Specify the product version of the UAC.

UAS Product Name
  Specify the product name of the UAS.

UAS Product Version
  Specify the product version of the UAS.

Configuring advanced settings


Registration timers are available to SIP trunk accounts. For information about SIP trunk, see "Configuring
SIP trunk."

Configuring the address hiding mode


1. Select Voice Management > Call Connection > SIP Connection from the navigation tree.
2. Click the Advanced Settings tab.
The page for configuring advanced settings appears.
Figure 679 Configuring address hiding

3. Configure the address hiding function as described in Table 247.


Table 247 Configuration items

Address hiding
  The address hiding function enables the SIP trunk device to replace the endpoints' addresses carried
  in SIP messages with the addresses of the corresponding egress interfaces.
  • Enable—Enable the address hiding function.
  • Disable—Disable the address hiding function.
  By default, the Disable option is selected.

Specifying the outbound proxy


1. Select Voice Management > Call Connection > SIP Connection from the navigation tree.
2. Click the Advanced Settings tab.
The page for configuring advanced settings appears.
Figure 680 Configuring outbound proxy

3. Specify the proxy server used for outbound calls as described in Table 248.

Table 248 Configuration items

Address
  Specify the IP address or domain name of the proxy server.

Port
  Specify the port number of the proxy server.

Configuring registration parameters


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab to access the configuration page as shown in Figure 681.
Figure 681 Configuring advanced settings

Table 249 Configuration items

Re-registration Interval
  Set the interval for the local number or SIP trunk account to re-register with the registrar after a
  registration failure.

Registration Expiration Time
  Set the registration expiration time. A local number or an SIP trunk account expires after it has
  registered with the registrar for a specified period of time, which is the registration expiration interval.

Registration Percentage, Lead Time Before Registration
  To ensure the validity of registration information of a local number or an SIP trunk account on the
  registrar, the local number or SIP trunk account must re-register with the registrar at a specified time
  before the registration expiration interval is reached. You can set the registration percentage or lead
  time before registration to set the time when the local number or SIP trunk account re-registers with
  the registrar.
  • Registration Percentage—Time is registration expiration interval multiplied by expiration
    percentage. When the time is reached, the local number or SIP trunk account re-registers with the
    registrar.
  • Lead Time Before Registration—Time is registration expiration interval minus lead time before
    expiration. When the time is reached, the local number or SIP trunk account re-registers with the
    registrar.
  You can configure both timers. In this case, the actual re-registration time is decided by the timer that
  expires first. In other words, the local number or SIP trunk account tries to re-register with the registrar
  when any one of the two timers expires.

Redundancy Mode
  • Parking—The SIP trunk device sends the OPTIONS or REGISTER message to the current server. When
    the current server is not available, the SIP trunk device selects the member server with the second
    highest priority in the SIP server group as the current server even if the original current server
    recovers. Before the parking mode is applied, you must set OPTIONS or REGISTER as the keep-alive
    mode on the page that can be accessed by selecting Voice Management > Call Connection > SIP
    Server Group Management from the navigation tree.
  • Homing—The SIP trunk device sends the OPTIONS messages to both the current server and the
    member server with the second highest priority in the SIP server group. When the current server is
    not available, the SIP trunk device selects the member server with the second highest priority as the
    current server. Once the original current server recovers or a server with a higher priority than the
    current server is available in the SIP server group, the SIP trunk device selects the original current
    server or the server with the highest priority as the current server. Before the homing mode is
    applied, you must set OPTIONS as the keep-alive mode on the page that can be accessed by
    selecting Voice Management > Call Connection > SIP Server Group Management from the
    navigation tree.
  By default, parking mode is applied.

Carry VCX Authentication Information
  • Enable—Configure the Contact header fields of the REGISTER messages to contain the dt
    parameter. This option is used when the device communicates with a VCX device.
  • Disable—Configure the Contact header fields of the REGISTER messages not to contain the dt
    parameter.
  By default, the Contact header fields of the REGISTER messages do not contain the dt parameter.

Fuzzy Telephone Number Registration
  Fuzzy telephone number registration refers to the use of a wildcard (including the dot . and the
  character T), rather than a standard E.164 number in the match template of a POTS entity.
  After enabling fuzzy telephone number registration, the voice gateway (router) retains dots and
  substitutes asterisks (*) for Ts when sending REGISTER messages.
  • Enable—Enable fuzzy telephone number registration.
  • Disable—Disable fuzzy telephone number registration.
  By default, the function is disabled.

IMPORTANT:
To use the fuzzy telephone number registration function, make sure the registrar and
the location server also support the function.

Configuring voice mailbox server


Introduction to MWI
The message waiting indication (MWI) feature allows a voice gateway to notify a subscriber of
messages received from a voice mailbox server. For example, when a call destined to subscriber A is
forwarded to the voice mailbox server, the server will notify the state change to the voice gateway. If
there is any new message or voice mail, when subscriber A picks up the phone, subscriber A will hear
the message waiting tone without needing to query the mailbox.
To configure MWI:
1. Configure voice mailbox server.
2. Enable MWI for local numbers.

Configuring voice mailbox server


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab to access the voice mailbox server configuration page as shown in Figure 682.
Figure 682 Voice mailbox server configuration page

Table 250 Configuration items

Transport Layer Protocol
  • UDP—Specify UDP as the transport layer protocol to be used during the subscription.
  • TCP—Specify TCP as the transport layer protocol to be used during the subscription.
  • TLS—Specify TLS as the transport layer protocol to be used during the subscription.
  By default, UDP is adopted.

URL Scheme
  • SIP—Specify SIP as the URL scheme to be used during subscription.
  • SIPS—Specify SIPS as the URL scheme to be used during subscription.
  By default, SIP is adopted.

Server Address
  Specify the voice mailbox server address, which can be either an IP address or a domain name.

Port Number
  Specify the port number of the voice mailbox server.

Subscription Valid Time
  Specify the effective time of the subscription.

Re-subscription Time
  Specify the subscription retry interval.

Voice Mailbox Number
  Set the voice mailbox number.

Binding Mode
  • Binding Mode—The MWI function is bound with the voice mailbox and the voice mailbox server has
    set up subscription information for the UA. Therefore, the UA can receive NOTIFY messages without
    sending SUBSCRIBEs to the voice mailbox server.
  • Non-binding Mode—The voice mailbox server does not set up subscription information for the UA
    automatically, so the UA has to send a SUBSCRIBE to the server, and after that it can get NOTIFY
    messages from the server.
  Non-binding mode falls into two categories:
    Loose Match—Strict consistency check is not needed, so the call ID that the NOTIFY is sent to can
    be different from the call ID that proposed the subscription.
    Strict Match—Strict consistency check is needed, so the call ID that the NOTIFY is sent to must be
    the same as the call ID that proposed the subscription.

Generally, the voice gateway sends a SUBSCRIBE to the server, and receives a NOTIFY from the server
if the subscription is successful, and gets the status of the voice mailbox afterwards.
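The binding modes and match categories above on the gateway side, as an added example that is not H3C code: in binding mode the gateway accepts NOTIFYs without subscribing, in non-binding mode it must SUBSCRIBE first, and Strict Match additionally rejects a NOTIFY whose Call-ID differs from the subscription's, which is what keeps an unsolicited NOTIFY from changing the mailbox state. Messages are constructed samples reduced to dictionaries; mailbox number and server name are assumptions.

```python
"""MWI SUBSCRIBE/NOTIFY handling on the voice gateway side (added example)."""
import itertools


class MwiClient:
    def __init__(self, mode, match="strict", mailbox="8000", server="mail.example.test"):
        # mode: "binding" or "non-binding"; match: "strict" or "loose" (non-binding only)
        self.mode = mode
        self.match = match
        self.mailbox = mailbox
        self.server = server
        self.subscription_call_id = None
        self.messages_waiting = None          # unknown until a NOTIFY is accepted
        self._seq = itertools.count(1)

    def subscribe(self, expires=3600):
        """Build the SUBSCRIBE for the message-summary event; None in binding mode."""
        if self.mode == "binding":
            return None                       # the server already holds a subscription for this UA
        self.subscription_call_id = f"mwi-{next(self._seq)}@gateway.example.test"
        return {"method": "SUBSCRIBE",
                "to": f"sip:{self.mailbox}@{self.server}",
                "call_id": self.subscription_call_id,
                "event": "message-summary",
                "expires": expires}

    def on_notify(self, notify):
        """Return (status_code, reason); a 200 updates the waiting-message state."""
        if notify.get("event") != "message-summary":
            return 489, "Bad Event"
        if self.mode == "non-binding":
            if self.subscription_call_id is None:
                return 481, "Subscription does not exist"
            if self.match == "strict" and notify.get("call_id") != self.subscription_call_id:
                # Strict Match: the NOTIFY must arrive in the dialog that proposed the subscription.
                return 481, "Call-ID does not match subscription"
        self.messages_waiting = bool(notify.get("messages_waiting", False))
        return 200, "OK"


if __name__ == "__main__":
    gw = MwiClient("non-binding", "strict")
    sub = gw.subscribe()
    # Constructed NOTIFY from the server, answered in the subscription's dialog.
    print(gw.on_notify({"event": "message-summary", "call_id": sub["call_id"],
                        "messages_waiting": True}), gw.messages_waiting)
```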

Configuring signaling security


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
Advanced Settings tab to access the configuration page as shown in Figure 683.
Figure 683 Configuring signaling security

Table 251 Configuration items

TCP Connection Aging Time
  Set the aging time for TCP connections. If the idle time of an established TCP connection reaches the
  specified aging time, the connection will be closed.

TLS Connection Aging Time
  Set the aging time for TLS connections. If the idle time of an established TLS connection reaches the
  specified aging time, the connection will be closed.

Configuring call release cause code mapping


Whether a voice call is cleared normally or abnormally, a message with the call release cause code
is sent. The default SIP status code to PSTN release cause code mappings and PSTN release cause code
to SIP status code mappings are used for communication between a SIP network and a PSTN. To adapt
to more complex network applications, you can change the default mappings.

Configuring PSTN call release cause code mappings


Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the
PSTN Release Cause Code Mapping tab to access the configuration page shown in Figure 684.
Figure 684 PSTN release cause code mapping configuration page

You can enter the SIP status code into the corresponding SIP Status Code (400-699) field. Because the
PSTN release cause code 16 corresponds to a SIP request message, instead of a SIP status code, you can
configure no SIP status code for 16.
Click Load Default Value to restore the default mappings between PSTN release cause codes and SIP
status codes.

Configuring SIP status code mappings
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click the SIP
Status Code Mapping tab to access the page as shown in Figure 685.
Figure 685 SIP status code mapping configuration page

You can select the values in the PSTN Release Cause Code fields. You can also click Load Default Value
to restore the default mappings between PSTN release cause codes and SIP status codes.

SIP connection configuration examples


Configuring basic SIP calling features
For how to implement direct SIP calling through static IP addressing, configure domain name involved SIP
calling, and configure proxy server involved SIP calling, see "Basic settings."

Configuring caller ID blocking


Network requirements
Router A and Router B work as SIP UAs. Use Telephone 1111 to call telephone 2222. It is required to block
calling number 1111.

Figure 686 Network diagram

Configuration procedure
1. Configure basic voice calls: configure a local number and the call route to Router B.
Configure a local number: specify the local number ID as 1111 and the number as 1111, and
bind the number to line 1/0 on the local number configuration page.
Configure the call route to Router B: specify the call route ID as 2222, the destination number
as 2222, the call route type as SIP, the SIP routing as IP routing, and the destination address as
192.168.2.2 on the call route configuration page.
2. Configure caller identity and privacy:
# Disable the sending of calling information on Router A
Select Voice Management > Local Number from the navigation tree, and then click the
corresponding icon to access the call services configuration page as shown in Figure 687.
Figure 687 Configuring call services of the calling party

Select Do Not Deliver for Calling Information Delivery.


Click Apply.
# Configure the P-Asserted-Identity header field.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and then
click the Session Properties tab to access the session properties configuration page as shown
in Figure 688.

Figure 688 Configuring caller identity presentation restriction mode

• Select P-Asserted-Identity for Caller Identity Presentation Restriction Mode.


• Click Apply.

Verifying the configuration


After the above configuration, when you use telephone 1111 to call telephone 2222, the calling number
1111 will not be displayed on telephone 2222.

Configuring SRTP for SIP calls


Network requirements
Two routers, Router A and Router B, work as SIP UAs. It is required that SIP calls use the SRTP protocol to
protect call conversations.
Figure 689 Network diagram

Configuration procedure
1. Configure basic voice calls as described in "Configure basic voice calls: configure a local number and the
call route to Router B."
2. Specify SRTP as the media flow protocol for SIP calls:
# Specify SRTP as the media flow protocol for SIP calls on Router A and Router B.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Session Properties tab to access the media security configuration page as shown in Figure
690.
Figure 690 Configuring media security

a. Select SRTP for Media Protocol.


b. Click Apply.

Verifying the configuration
SIP calls use the SRTP protocol to encrypt and authenticate media flows, and call conversations are well
protected.

Configuring TCP to carry outgoing SIP calls


Network requirements
Two routers, Router A and Router B, work as SIP UAs. It is required that SIP calls between the two parties
be carried over TCP.
Figure 691 Network diagram

Configuration procedure
1. Configure basic voice calls as described in "Configure basic voice calls: configure a local number and the
call route to Router B."
2. Specify the transport layer protocol:
# Specify TCP as the transport layer protocol for outgoing calls on Router A.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Session Properties tab to access the transport layer protocol configuration page as shown
in Figure 692.
Figure 692 Specifying transport layer protocol for outgoing calls

a. Select TCP for Transport Layer Protocol for SIP Calls.


b. Click Apply.
# Specify TCP as the transport layer protocol for incoming SIP calls. This is optional, because the
TCP listening port is enabled by default.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Session Properties tab to access the transport layer protocol configuration page as shown
in Figure 693.

Figure 693 Specifying listening transport layer protocol

a. Select TCP for SIP Listening Transport Layer Protocol.


b. Click Apply.

Verifying the configuration


SIP calls from telephone 1111 to telephone 2222 are carried over TCP. You can view information about
TCP connections on the TCP Connection Information tab page by selecting Voice Management > States
and Statistics > SIP UA States from the navigation tree and clicking the TCP Connection Information tab.

Configuring TLS to carry outgoing SIP calls


Network requirements
Two routers, Router A and Router B, work as SIP UAs. It is required that the SIP calls between the two
parties be carried over TLS.
Figure 694 Network diagram

Configuration procedure
The certification authority (CA) server runs RSA Keon in this configuration example.

CAUTION:
To make sure the certificate on the device can be used, be sure that the device system time falls within the
validity time of the certificate.

1. Retrieve the CA certificate from the certificate issuing server.


For more information about how to retrieve the CA certificate from the certificate issuing server,
see "Managing certificates."
2. Configure basic voice calls as described in "Configure basic voice calls: configure a local number and the
call route to Router B."
3. Specify the transport layer protocol on Router A:
# Specify TLS as the transport layer protocol for outgoing calls on Router A.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Session Properties tab to access the transport layer protocol configuration page as shown
in Figure 695.

Figure 695 Specifying transport layer protocol for outgoing calls

a. Select TLS for Transport Layer Protocol for SIP Calls.


b. Click Apply.
# Specify TLS as the transport layer protocol for incoming SIP calls.
Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Session Properties tab to access the transport layer protocol configuration page as shown
in Figure 696.
Figure 696 Specifying listening transport layer protocol

a. Select TLS for SIP Listening Transport Layer Protocol.


b. Click Apply.
4. Specify the transport layer protocol on Router B. The configuration procedure is the same as that
on Router A.

Verifying the configuration


SIP calls from telephone 1111 to telephone 2222 are carried over TLS. You can view information about TLS
connections on the TLS Connection Information tab page by selecting Voice Management > States and
Statistics > SIP UA States from the navigation tree and clicking the TLS Connection Information tab.

Managing SIP server groups

A SIP server group is used to manage the registrar and call servers. A SIP server group can be configured
with up to five member servers. An index represents the priority of a member server in the SIP server
group. The smaller the index value, the higher the priority. The currently used SIP server is called the
current server. Each server in the SIP server group can be the current server, but there is only one current
server at a time.

Creating a SIP server group


1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree.
2. Click Add.
The page for configuring a server group appears.
Figure 697 Creating a SIP server group

3. Configure a SIP server group as described in Table 252.


Table 252 Configuration items

Item Description
Server Group ID: Specify the ID of the SIP server group.
Server Group Name: Specify the name that identifies the SIP server group. The domain name of the
carrier server is usually used as the name of a SIP server group. If the name of a SIP server group is
not configured, the host name specified on the account management page (which can be accessed by
selecting Voice Management > SIP Trunk Management > Account Management from the navigation tree) is
used to identify the group, if any. Otherwise, the IP address or domain name of the current server in
the SIP server group is used to identify the group.
Description: Specify the description of the SIP server group.

For more configuration examples of SIP server group, see "Configuring SIP trunk."

Configuring the real-time switching function


1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree.

2. Click Add.
The page for configuring a server group appears.
Figure 698 Configuring real-time switching

3. Configure real-time switching as described in Table 253.


Table 253 Configuration items

Item Description
Real-Time Switching: Enable or disable the real-time switching function. When the real-time switching
function is enabled:
• If the SIP trunk device receives no response message or receives response message 408 or 5XX
(excluding 502, 504, 505, and 513) after sending a registration request to the SIP server, the SIP
trunk device tries to connect to the member server with the next highest priority in the SIP server
group, and so on, until it successfully connects to a SIP server or has tried all the servers in the
group.
• If the SIP trunk device receives no response message or receives response message 403, 408, or 5XX
(excluding 502, 504, 505, and 513) after initiating a call, the SIP trunk device tries to connect to
the member server with the next highest priority in the SIP server group, and so on, until it
successfully connects to a SIP server or has tried all the servers in the group.

Configuring the keep-alive mode


1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree.
2. Click Add.
The page for configuring a server group appears.
Figure 699 Configuring the keep-alive mode

3. Configure the keep-alive mode as described in Table 254.

Table 254 Configuration items

Item Description
Keep-Alive Mode: The keep-alive function is used to detect whether the SIP servers in a SIP server
group are reachable. The SIP trunk device selects a server according to the detection result and the
redundancy mode. If the keep-alive function is disabled, the SIP trunk device always uses the server
with the highest priority in the SIP server group.
• Disabled—Disable the keep-alive function.
• Options—The SIP trunk device periodically sends OPTIONS messages to detect the servers. If the SIP
trunk device receives response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP server
after sending an OPTIONS message, it considers the SIP server unreachable.
• Register—The REGISTER message can be used to detect the SIP servers. If the SIP trunk device
receives response message 408 or 5XX (excluding 502, 504, 505, and 513) from a SIP server after
sending a REGISTER message, it considers the SIP server unreachable.
Interval for Sending OPTIONS Messages: Set the interval for sending OPTIONS messages to the SIP
servers when the keep-alive mode is set to Options.
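The real-time switching rules in Table 253 and the keep-alive rules in Table 254 share one decision
(which responses count as a failure), so the following added example covers both. It is not code from the
H3C guide: the class names, the transmit callback, and the choice to treat a missing keep-alive reply as
"unreachable" are this example's assumptions; the response codes are the ones the two tables list.

```python
"""SIP server group failover and keep-alive (added example, not from the H3C guide)."""

# 5XX codes that, per the page, neither trigger switching nor mark a server unreachable.
EXCLUDED_5XX = {502, 504, 505, 513}


def is_failure_response(status, kind):
    """True if a response triggers switching (kind "register" or "call") or marks a
    server unreachable (kind "keepalive"). None means no response was received;
    counting that as a keep-alive failure is an assumption of this example."""
    if status is None:
        return True
    if status == 408:
        return True
    if kind == "call" and status == 403:        # 403 switches calls, not registrations
        return True
    return 500 <= status <= 599 and status not in EXCLUDED_5XX


class Server:
    def __init__(self, index, address, port=5060):
        self.index = index        # smaller index = higher priority
        self.address = address
        self.port = port


class SipServerGroup:
    MAX_MEMBERS = 5

    def __init__(self, group_id):
        self.group_id = group_id
        self.servers = []
        self.real_time_switching = False
        self.keep_alive_mode = "disabled"     # "disabled", "options" or "register"
        self.unreachable = set()              # addresses marked down by keep-alive

    def add_server(self, index, address, port=5060):
        if len(self.servers) >= self.MAX_MEMBERS:
            raise ValueError("a SIP server group holds at most five member servers")
        if any(s.index == index for s in self.servers):
            raise ValueError("server index must be unique within the group")
        self.servers.append(Server(index, address, port))
        self.servers.sort(key=lambda s: s.index)

    def probe(self, responses):
        """One keep-alive round; responses maps address -> status code or None.
        With keep-alive disabled nothing is probed and every server stays usable."""
        if self.keep_alive_mode == "disabled":
            self.unreachable.clear()
            return
        for s in self.servers:
            if is_failure_response(responses.get(s.address), "keepalive"):
                self.unreachable.add(s.address)
            else:
                self.unreachable.discard(s.address)

    def candidates(self):
        """Reachable members in priority order."""
        return [s for s in self.servers if s.address not in self.unreachable]

    def send(self, kind, transmit):
        """Send a REGISTER (kind="register") or a call INVITE (kind="call") through
        the group. transmit(server) returns the final status code or None.
        Returns (server, status) for the server whose answer did not trigger a
        switch, or (None, last_status) when every candidate failed."""
        status = None
        for server in self.candidates():
            status = transmit(server)
            if not is_failure_response(status, kind):
                return server, status
            if not self.real_time_switching:
                break   # switching disabled: stay on the highest-priority server
        return None, status
```

Note that a 403 or a 502 on a call is returned to the caller as the final answer rather than hidden by a
retry on the next server, exactly as the tables describe; only the listed codes move the group on.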

Configuring the source address binding mode


1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree.
2. Click Add.
The page for configuring a server group appears.
Figure 700 Configuring source address binding

3. Configure source address binding as described in Table 255.


Table 255 Configuration items

Item Description
Media Stream Binding Mode: Configure the source address binding mode for media streams.
• None—Disable source address binding.
• IPv4 Address Binding—Specify a static IPv4 address as the source address.
• Interface Binding—Specify the IP address of an interface as the source address.
IPv4 Address Bound with the Media Stream: If you select IPv4 Address Binding as the media stream
binding mode, you must type the IPv4 address to be bound in this field.
Interface Bound with the Media Stream: If you select Interface Binding as the media stream binding
mode, you need to specify the interface to be bound from the list. Only the Layer 3 Ethernet interface,
GE interface, and dialer interface are supported.
Signaling Stream Binding Mode: Configure the source address binding mode for signaling streams.
• None—Disable source address binding.
• IPv4 Address Binding—Specify a static IPv4 address as the source address.
• Interface Binding—Specify the IP address of an interface as the source address.
IPv4 Address Bound with the Signaling Stream: If you select IPv4 Address Binding as the signaling
stream binding mode, you must enter the IPv4 address to be bound in this field.
Interface Bound with the Signaling Stream: If you select Interface Binding as the signaling stream
binding mode, you must specify the interface to be bound from the list. Only Layer 3 Ethernet
interfaces, GE interfaces, and dialer interfaces are supported.

The following table describes how source address binding works under different conditions:

Condition Result
Configure a source address binding when ongoing calls exist:
• A new source address binding for media does not take effect for ongoing SIP media sessions but
takes effect for subsequent SIP media sessions.
• A new source address binding for signaling takes effect immediately for all SIP signaling sessions.
The bound source interface or the interface whose IP address is set as the source address is shut
down: The source IP address binding becomes invalid and will not work until the interface is up.
During the shutdown period, the gateway automatically gets a source IP address for sent signaling or
media flows.
The bound static IP address is removed or modified, or the bound interface is removed: The source IP
address binding is removed.
The bound interface is disconnected: The source IP address binding is cancelled, and restored when
the interface is connected.
Configure a source address binding when the physical layer or link layer state of the corresponding
interface is down: The source address binding does not take effect and the gateway automatically gets
a source IP address for packets.
The DHCP lease duration expires and the bound interface dynamically obtains a new IP address from the
DHCP server: The new IP address will be used as the source IP address.
The SIP registrar is enabled: The subsequent registration update messages use the source IP address
newly bound for signaling streams to initiate registration.

Configuring server information management


1. Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree.
2. Click Add.

The page for configuring a server group appears.
Figure 701 Configuring server information management

3. Configure server information management as described in Table 256.


4. Click Apply.
Table 256 Configuration items

Item Description
Server ID: Set the server ID. A SIP server group can be configured with up to five member servers. A
server ID represents the priority of the server in the SIP server group. The smaller the ID, the higher
the priority.
Transport Layer Protocol:
• UDP—Specify UDP as the transport layer protocol for the connections between the SIP trunk device
and the SIP server.
• TCP—Specify TCP as the transport layer protocol for the connections between the SIP trunk device
and the SIP server.
• TLS—Specify TLS as the transport layer protocol for the connections between the SIP trunk device
and the SIP server.
By default, the UDP protocol is adopted.
URL Scheme:
• SIP—Specify the SIP scheme as the URL scheme.
• SIPS—Specify the SIPS scheme as the URL scheme.
By default, the SIP URL scheme is adopted.
Server Address: Specify the IPv4 address or domain name of the SIP server.
Port Number: Specify the port number of the SIP server.

Configuring SIP trunk

As shown in Figure 702, on a typical telephone network, internal calls of the enterprise are made through
the internal PBX, and external calls are placed over a PSTN trunk.
Figure 702 Typical telephone network

With the development of IP technology, many enterprises deploy SIP-based IP-PBX networks as shown
in Figure 703. Internal calls of the enterprise are made by using the SIP protocol, and external calls are
still placed over a PSTN trunk. The problem is that the enterprises have to maintain both the SIP network
and PSTN trunk. This increases the difficulty of network management.
Figure 703 SIP+PSTN network

As more enterprise IP-PBX networks run SIP and more Internet Telephone Service Providers (ITSPs) use SIP
to provide basic voice communication structures, enterprises urgently need a technology that uses SIP to
connect the enterprise IP-PBX network to the ITSP, so that the network is entirely IP-based. This
technology is called SIP trunk. A typical SIP trunk network is shown in Figure 704.
The SIP trunk function can be embedded into the voice gateway or the firewall deployed at the edge of
an enterprise private network. The device providing the SIP trunk function is called the SIP trunk device,
or the SIP trunk gateway.

Figure 704 All IP-based network
(Diagram labels: enterprise intranet with Router, IP-PBX, and SIP trunk device; SIP trunk link to the
SIP servers of the ITSP.)

Features
SIP trunk has the following features:
1. Only one secure, QoS-guaranteed SIP trunk link is required between a SIP trunk device and the
ITSP. The SIP trunk link can carry multiple concurrent calls, and the carrier only authenticates the
link instead of each SIP call carried on this link.
2. The internal calls of the enterprise are placed by the enterprise IP-PBX. The outbound calls of the
enterprise are forwarded by the SIP trunk device to the ITSP, and are finally routed to the PSTN by
the device in the ITSP. Enterprises do not need to maintain the PSTN trunk. Consequently, they save
the costs of hardware and maintenance.
3. By setting destination addresses, the enterprise can select to connect to multiple ITSPs, to make full
use of the ITSPs all over the world, and save call costs.
4. With the SIP trunk device deployed, the entire network can use the SIP protocol to better support
IP communication services, like voice, conference, and instant messaging.
5. A SIP trunk device differs from a SIP proxy server. The SIP trunk device initiates a new call request
to the ITSP on behalf of the user after receiving a call request from the user, and both the user and
the ITSP communicate only with the SIP trunk device. During the forwarding process, the SIP trunk
device forwards both signaling messages and RTP media messages.

Typical applications
The SIP trunk device is deployed between the enterprise IP-PBX and the ITSP. All internal calls are placed
by the enterprise IP-PBX. All outbound calls are forwarded by the SIP trunk device to the ITSP through the
SIP trunk link. Figure 705 shows a typical SIP trunk network.

Figure 705 SIP trunk network diagram

Protocols and standards


SIP trunk-related protocols and standards are as follows:
• RFC 3261
• RFC 3515
• SIPconnect Technical Recommendation v1.1

Configuring SIP trunk


This section describes how to configure SIP trunk.

Configuration task list


Task Remarks
Enabling the SIP trunk function: Required.
Configuring a SIP server group:
• Creating a SIP server group: Required.
• Enabling the real-time switching, keep-alive, and redundancy functions: Required if there are
multiple servers in a SIP server group.
Configuring a SIP trunk account:
• Configuring a SIP trunk account: Required.
• Configuring registration parameters for a SIP trunk account: Optional.
Configuring a call route for outbound calls:
• Configuring a call route for a SIP trunk account: Required.
• Configuring fax and modem parameters of the call route of a SIP trunk account: Optional.
• Configuring advanced settings of the call route of a SIP trunk account: Optional.
Configuring a call route for inbound calls: Required.

Enabling the SIP trunk function


Select Voice Management > SIP Trunk Management > Service Configuration from the navigation tree.
Figure 706 Configuring services

Table 257 Configuration item

Item Description
SIP Trunk Function: Enable the SIP trunk function before you can use other SIP trunk functions. H3C
recommends that you do not use a device enabled with the SIP trunk function as a SIP UA.
• Enable.
• Disable.
By default, the SIP trunk function is disabled.

Configuring a SIP server group


Creating a SIP server group
Select Voice Management > Call Connection > SIP Server Group Management from the navigation tree.
On the server group configuration page that appears, create a SIP server group.

Enabling the real-time switching, keep-alive, and redundancy functions


• Select Voice Management > Call Connection > SIP Server Group Management from the navigation
tree. On the server group configuration page that appears, configure the real-time switching and
keep-alive functions.
• Select Voice Management > Call Connection > SIP Connection from the navigation tree, and click
the Advanced Settings tab, where you can specify the redundancy mode.
For more information about how to configure a SIP server group, real-time switching, and keep-alive
function, see "Managing SIP server groups."
For more information about how to configure the redundancy function, see "Configuring SIP
connections."

Configuring a SIP trunk account
Configuring a SIP trunk account
A SIP trunk account contains information allocated to users by the carrier, including authentication
username, authentication password, host name, host username, and the associated SIP server group.
Select Voice Management > SIP Trunk Management > Account Management from the navigation tree,
and click Add. The following page appears.
Figure 707 Configuring a SIP trunk account

Table 258 Configuration items

Item Description
Account ID: Enter a SIP trunk account ID.
SIP Server Group for Registration: Select the SIP server group used by the SIP trunk account for
registration. SIP server groups can be configured in Voice Management > Call Connection > SIP Server
Group Management. By default, a SIP trunk account has no SIP server group specified for registration.
Registration Aging Time: Set the registration aging time. If you do not configure this item, the
system uses the registration aging time configured in Voice Management > Call Connection > SIP
Connection.
Host Username: Enter the host username allocated by the ITSP to the SIP trunk account.
Host Name: Enter the host name allocated by the ITSP to the SIP trunk account.
Account Status:
• Enable.
• Disable.
By default, the SIP trunk account is enabled. Disabling a SIP trunk account that is already involved in
a connection does not delete the connection. In other words, the disable configuration takes effect for
the next call that uses this account.
Registration Function:
• Enable.
• Disable.
By default, the registration function of the SIP trunk account is disabled. To perform registration,
you must provide the host username or associate the account with a SIP server group.
Authentication Username: Enter the authentication username for the SIP trunk account.
Authentication Password: Enter the authentication password for the SIP trunk account.

Configuring registration parameters for a SIP trunk account


Select Voice Management > Call Connection > SIP Connection from the navigation tree and click the
Advanced Settings tab to configure registration parameters for a SIP trunk account. For more information
about registration parameter configuration, see "Configuring SIP connection."

Configuring a call route for outbound calls


This section describes how to configure a call route for outbound calls.

Configuring a call route for a SIP trunk account


To use a SIP trunk account to call an external user, you must first bind the SIP trunk account to a call route,
and then configure call routes in one of the following methods:
• Bind a SIP server group to the VoIP voice entity.
• Specify the IP routing.
• Specify the proxy server used for outbound calls.
To configure a call route for a SIP trunk account:
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click
Add.

Figure 708 Configuring a call route

Table 259 Configuration items

Item Description
Call Route ID: Enter a call route ID.
Destination Number: Enter the called telephone number.
Bound Account: Select a SIP trunk account to be bound to the voice entity.
Description: Enter a description for the call route.
SIP Trunk Routing: Select one of the following routing methods.
• Proxy Server: Use a SIP proxy server to complete the call. If you select this option, you must
configure the proxy server beforehand in Voice Management > Call Connection > SIP Connection.
• IP Routing: Configure the following items.
  Transport Layer Protocol: Select one of the following transport layer protocols: UDP, TCP, or TLS.
  By default, UDP is selected.
  SIP URL Scheme: SIP (specify the SIP scheme) or SIPS (specify the SIPS scheme). By default, the SIP
  scheme is selected.
  Destination Address and Port Number: Enter the destination address and port number of the called
  party.
• Bind to server group: Server Group: Select a server group. You can create a SIP server group in
Voice Management > Call Connection > SIP Server Management.
Status:
• Enable.
• Disable.

Configuring fax and modem parameters of the call route of a SIP trunk account
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the
icon of the call route to be configured to access the call route fax and modem configuration page.
The fax and modem parameters of the call route of a SIP trunk account are the same as those of a call
route. For more information about fax and modem parameters, see "Fax and modem."

Configuring advanced settings of the call route of a SIP trunk account
Configuring call match rules
Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and click the
icon of the call route to be configured to access the advanced settings configuration page.
Figure 709 Advanced settings

Table 260 Configuration items

Item Description
You can control call route selection by configuring the prefix of the source host name, the prefix of
the destination host name, or the source IP address as call match rules. If you select several call
match rules, only the calls that match all rules are permitted.
Match a Source Host Name Prefix:
• Specify the prefix of a source host name as a call match rule. The specified source host name prefix
is used to match against the source host names of calls. If the INVITE message received by the SIP
trunk device carries the Remote-Party-ID header, the source host name is extracted from this header
field. If the INVITE message received by the SIP trunk device carries the Privacy header, the source
host name is extracted from the P-Asserted-Identity or P-Preferred-Identity header field. If the INVITE
message received by the SIP trunk device does not carry any of the previously mentioned three header
fields, the host name in the From header field of the INVITE message is used as the source host name.
• The prefix of a source host name consists of 1 to 31 characters, which are not case-sensitive and
can include letters, digits, underscores (_), hyphens (-), asterisks (*), and dots (.). An asterisk
represents a character string of any length. For example, t*m can match the source host names tom,
tim, and so on.
Match a Destination Host Name Prefix:
• Specify the prefix of a destination host name as a call match rule. The specified destination host
name prefix is used to match against the destination host names of calls. The host name in the To
header field of an INVITE message received by the SIP trunk device is used as the destination host
name.
• The prefix of a destination host name consists of 1 to 31 characters, which are not case-sensitive
and can include letters, digits, underscores (_), hyphens (-), asterisks (*), and dots (.). An asterisk
represents a character string of any length. For example, b*y can match the destination host names
boy, boundary, and so on.
Match a Source Address: Specify the source address rule as one of the following.
• IPv4 address: Specify a source IP address as a call match rule. The value must be in dotted notation
and can include dots (.), multiplication signs (x), asterisks (*), and digits, where x represents any
number between 0 and 9, * represents any number between 0 and 255, and x and * can appear multiple
times in one source IP address. Fuzzy matching is supported. For example, 100.1.x.3 indicates any IP
address between 100.1.0.3 and 100.1.9.3, and 192.*.*.* indicates any IP address between 192.0.0.1
and 192.255.255.255.
• DNS: Specify a domain name as a call match rule. A domain name is not case-sensitive and can include
letters, digits, hyphens (-), underscores (_), asterisks (*), and dots (.), with a maximum length of
255 characters. If you provide this parameter, the specified domain name is used to match against the
source addresses of calls, and only a whole-word match is considered a match. For example, if the
domain name is configured as sohu, sohu.com is not a match. However, fuzzy matching is supported. An
asterisk represents a character string of any length. For example, i*n can match the source addresses
ilison, iverson, inn, and so on.
• Server Group: Specify the index of a SIP server group as a call match rule.
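The following is an added example (not code from the H3C guide) of the matching semantics described in
Table 260: prefix patterns with a * wildcard, the IPv4 pattern with x and *, whole-word DNS matching, and
the header precedence used to derive the source host name from an INVITE. The function names and the
sample INVITE are constructed for this example; that a host name prefix pattern is anchored only at the
start of the name is an assumption drawn from the word "prefix" on the page.

```python
"""Call match rules for a SIP trunk call route (added example, not from the H3C guide)."""
import re


def _wildcard_regex(pattern, whole_word):
    """Turn a pattern whose only wildcard is * into a case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + ("$" if whole_word else ""), re.IGNORECASE)


def host_prefix_match(prefix, host):
    """Host name prefix rule: t*m matches tom and tim, b*y matches boy and boundary."""
    return _wildcard_regex(prefix, whole_word=False).match(host) is not None


def domain_match(pattern, address):
    """DNS rule: whole-word match with * wildcard, so sohu does not match sohu.com."""
    return _wildcard_regex(pattern, whole_word=True).match(address) is not None


def ipv4_pattern_match(pattern, address):
    """IPv4 rule: x stands for one digit 0-9, * for a whole octet 0-255."""
    pparts, aparts = pattern.split("."), address.split(".")
    if len(pparts) != 4 or len(aparts) != 4:
        return False
    for p, a in zip(pparts, aparts):
        if not a.isdigit() or int(a) > 255:
            return False
        if p == "*":
            continue
        rx = "".join("[0-9]" if c == "x" else re.escape(c) for c in p)
        if re.fullmatch(rx, a) is None:
            return False
    return True


def parse_headers(invite):
    """Header name (lower-cased) -> value; the first occurrence of a name wins."""
    headers = {}
    for line in invite.strip().splitlines()[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def _host_of(field):
    """Host part of the first SIP/SIPS URI in a header value."""
    m = re.search(r"sips?:(?:[^@<>;\s]+@)?([A-Za-z0-9._\-]+)", field or "")
    return m.group(1) if m else ""


def source_host_name(headers):
    """Precedence from the page: Remote-Party-ID; then, if Privacy is present,
    P-Asserted-Identity or P-Preferred-Identity; otherwise From."""
    if "remote-party-id" in headers:
        return _host_of(headers["remote-party-id"])
    if "privacy" in headers:
        ident = headers.get("p-asserted-identity") or headers.get("p-preferred-identity")
        if ident:
            return _host_of(ident)
    return _host_of(headers.get("from"))


def destination_host_name(headers):
    """The page takes the destination host name from the To header."""
    return _host_of(headers.get("to"))


def call_permitted(rules, invite, source_address, server_group=None):
    """All configured rules must match. rules may hold source_host_prefix,
    dest_host_prefix, source_ipv4, source_dns (matched against source_address
    given as a name) and server_group."""
    h = parse_headers(invite)
    checks = {
        "source_host_prefix": lambda v: host_prefix_match(v, source_host_name(h)),
        "dest_host_prefix": lambda v: host_prefix_match(v, destination_host_name(h)),
        "source_ipv4": lambda v: ipv4_pattern_match(v, source_address),
        "source_dns": lambda v: domain_match(v, source_address),
        "server_group": lambda v: v == server_group,
    }
    return all(checks[key](value) for key, value in rules.items())


# Constructed INVITE for the demonstration; the hosts and numbers are not real.
SAMPLE_INVITE = """INVITE sip:2222@itsp.example.net SIP/2.0
From: "Alice" <sip:1111@pbx.example.net>;tag=a1
To: <sip:2222@boundary.example.net>
Privacy: id
P-Asserted-Identity: <sip:1111@tim.example.net>
Call-ID: constructed-1@pbx.example.net
"""
```

Because the Privacy header is present in the sample, the source host name is taken from
P-Asserted-Identity (tim.example.net) rather than from From (pbx.example.net), so a rule written
against the From domain would not match this call; a match rule should be tested against the header
the device actually consults.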

Configuring coding parameters


The coding parameters of the call route of a SIP trunk account are the same as those of a call route. For
more information about coding parameters, see "Advanced settings."

Configuring other parameters
Other parameters of the call route of a SIP trunk account are the same as those of a call route. For more
information about other parameters, see "Advanced settings."

Configuring media parameters for SIP-to-SIP connections


1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured.
The page for configuring SIP-to-SIP connection parameters appears.
Figure 710 Configuring media parameters

3. Configure media parameters for SIP-to-SIP connections as described in Table 261.


Table 261 Configuration items

Item Description
Codec Transparent Transfer: If the SIP trunk device does not support the codec capability sets
supported by the calling and called parties, you can select the Enable option to enable codec
transparent transfer on the SIP trunk device. The SIP trunk device transparently transfers codec
capability sets between the two parties, and the calling and called parties complete the codec
negotiation. By default, the Disable option is selected.
Codec Transcoding: In the scenario where the SIP trunk device controls the results of media capability
negotiation, if the SIP trunk device cannot find a common codec for the two parties during negotiation,
the two parties will fail to establish a call. In this case, you can select the Enable option to enable
codec transcoding on the SIP trunk device. With this function enabled, the SIP trunk device uses its
own codec capability set to negotiate with the calling and called parties respectively. If the
negotiated codecs with the two parties do not match, the SIP trunk device transcodes the media flows
passing through it. By default, the Disable option is selected.
IMPORTANT:
The codec transcoding feature does not take effect in any of the following cases:
• Codec transcoding is enabled, but no DSP resources are available for codec transcoding.
• Codec transparent transfer is enabled.
• Media flow-around is enabled.
Media Flow Mode: Select the media flow mode:
• Around—Enable the media packets to pass directly between two SIP endpoints, without the intervention
of the SIP trunk device. The media packets flow around the SIP trunk device.
• Relay—Specify the SIP trunk device to act as the RTP trunk proxy to forward the media packets.
By default, the Relay option is selected.
Delayed Offer to Early Offer:
• Enable—Enable delayed offer to early offer (DO-EO) conversion on the SIP trunk device.
• Disable—Disable the DO-EO conversion on the SIP trunk device.
By default, the Disable option is selected.

Configuring signaling parameters for SIP-to-SIP connections


1. Select Voice Management > Call Route from the navigation tree.
2. Click the icon of the call route to be configured.
The page for configuring SIP-to-SIP connection parameters appears.

Figure 711 Configuring signal process

3. Configure signaling parameters for SIP-to-SIP connections as described in Table 262.


Table 262 Configuration items

Item Description
Call-forwarding Signal:
• Remote process—The SIP trunk device transparently transfers the SIP messages carrying call
forwarding information to the endpoints, and the endpoints perform the call forwarding.
• Local process—The SIP trunk device processes the SIP messages carrying call forwarding information
locally.
By default, the Remote option is selected.
Call-transfer Signal:
• Remote process—The SIP trunk device transparently transfers the SIP messages carrying call transfer
information to the endpoints, and the endpoints perform the call transfer.
• Local process—The SIP trunk device processes the SIP messages carrying call transfer information
locally.
By default, the Remote option is selected.
Mid-call Signal:
• Remote process—If the session timer mechanism is initiated by the calling party, and the called
party also supports this mechanism, you can select this option to enable the called party to process
the session update information. Otherwise, the session timer mechanism only works between the calling
party and the SIP trunk device. The interval for sending session update requests is negotiated by the
endpoints. For more information, see RFC 4028.
• Local process—The SIP trunk device processes the update messages rather than transparently passing
them to the peer end.
By default, the Local option is selected.

Configuring a call route for inbound calls


Select Voice Management > Call Route from the navigation tree, and click Add to access the call route
configuration page. Specify the call route type as SIP.
For more information about call routes, see "Local number and call route" and "Basic settings".

SIP trunk configuration examples
Configuring a SIP server group with only one member server
Network requirements
The enterprise private network has a SIP trunk device. Router A is a private network device, and Router
B is a public network device. Configure a SIP server group with only one member server so that all calls
between the private network and public network are made through the SIP trunk device.
Figure 712 Network diagram

Configuring Router A
# Configure a local call number.
1. Select Voice Management > Local Number from the navigation tree and click Add.

Figure 713 Configuring a local number

2. Enter 2000 for Number ID.


3. Enter 2000 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Click Apply.
# Configure a call route.
6. Select Voice Management > Call Route from the navigation tree and click Add.
Figure 714 Configuring a call route

7. Enter 10000 for Call Route ID.


8. Enter 1000 for Destination Number.
9. Select SIP for Call Route Type.
10. Enter 1.1.1.2 for Destination Address.

11. Click Apply.

Configuring the SIP trunk device


# Enable the SIP trunk function.
1. Select Voice Management > SIP Trunk Management > Service Configuration from the navigation
tree.
Figure 715 Configuring services

2. Select Enable for SIP Trunk Function.


3. Click Apply.
# Create SIP server group 1. Add a SIP server into the server group: the ID and the IPv4 address of the
server are 1 and 10.1.1.2 respectively.
4. Select Voice Management > Call Connection > SIP Server Group Management from the
navigation tree and click Add.
Figure 716 Configuring server group

5. Enter 1 for Server Group ID.

6. Enter 1 for Server ID.
7. Enter 10.1.1.2 for Server Address.
8. Click Add the Server.
9. Click Apply.
# Create SIP trunk account 1 with the host username 2000, and associate the account with SIP server
group 1.
10. Select Voice Management > SIP Trunk Management > Account Management from the navigation
tree, and click Add.
Figure 717 Configuring a SIP trunk account

11. Enter 1 for Account ID.


12. Select server-group-1 from the SIP Server Group for Registration list.
13. Enter 2000 for Host Username.
14. Select Enable for Registration Function.
15. Click Apply.
# Configure the call route for the outbound calls from private network user 2000 to public network user
1000 by binding SIP server group 1 to the VoIP voice entity.
16. Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and
click Add.

Figure 718 Configuring a call route for the SIP trunk account

17. Enter 20000 for Call Route ID.


18. Enter 1000 for Destination Number.
19. Select account1 from the Bound Account list.
20. Select Bind to Server Group for SIP Trunk Routing.
21. Select server-group-1 from the Server Group list.
22. Click Apply.
# Configure the call route for the inbound calls from public network user 1000 to private network user
2000. Configure the IP address of the peer end as 1.1.1.1, which is the address of the interface on Router
A.
23. Select Voice Management > Call Route from the navigation tree and click Add.
Figure 719 Configuring a call route

24. Enter 2 for Call Route ID.

25. Enter 2000 for Destination Number.
26. Select IP Routing for SIP Route Type.
27. Enter 1.1.1.1 for Destination Address.
28. Click Apply.

Configuring Router B
# Configure a local call number.
1. Select Voice Management > Local Number from the navigation tree and click Add.
Figure 720 Configuring a local number

2. Enter 1000 for Number ID.


3. Enter 1000 for Number.
4. Select subscriber-line 8/0 from the Bound Line list.
5. Click Apply.
# Configure a call route.
6. Select Voice Management > Call Route from the navigation tree and click Add.
Figure 721 Configuring a call route

7. Enter 2000 for Call Route ID.
8. Enter 2000 for Destination Number.
9. Select SIP for Call Route Type.
10. Select Proxy Server for SIP Routing.
11. Click Apply.
# Configure the IPv4 address of the registrar as 10.1.1.2 and enable the registrar.
12. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click
the Connection Properties tab.
Figure 722 Configuring connection properties

13. Select Enable for Register State.


14. Enter 10.1.1.2 for Main Registrar Address.
15. Click Apply.

Verifying the configuration


1. On the SIP trunk device, display SIP trunk account information.
Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation
tree. You can see that the private network account 2000 has registered with the server at
10.1.1.2.
2. All calls between the private network and public network are made through the SIP trunk device.
On the SIP trunk device, you can see in Voice Management > States and Statistics > Call Statistics
that all calls between the private network and public network are made through the SIP trunk
device.
3. On the SIP server of the carrier, you can view only the interface address of the SIP trunk device, which means that the SIP trunk device hides the addressing information of the enterprise private network users from the carrier.

Configuring a SIP server group with multiple member servers


Network requirements
The enterprise private network has a SIP trunk device. Router A is a private network device, and Router
B is a public network device. Configure a SIP server group with multiple member servers so that all calls
between the private network and public network are made through the SIP trunk device. The carrier is
required to provide multiple servers to ensure call reliability.

Figure 723 Network diagram (labels recovered from the figure: Router A with user 2000 in the enterprise private network; the SIP trunk device; Router B with user 1000 in the public network; SIP server 10.1.1.2/24 and ITSP-A SIP server 10.1.1.3/24; link addresses 1.1.1.1/24, 1.1.1.2/24, 2.1.1.1/24, and 2.1.1.2/24)

Configuration procedure
# Enable the SIP trunk function. (Details not shown.)
# Create SIP server group 1. Add two SIP servers into the server group: the IP addresses are 10.1.1.2 and
10.1.1.3, and the server with the address 10.1.1.2 has a higher priority value. Enable the real-time
switching function of SIP server group 1. Set the keep-alive mode for SIP server group 1 to Options.
1. Select Voice Management > Call Connection > SIP Server Group Management from the
navigation tree and click Add.

Figure 724 Configuring server group

2. Enter 1 for Server Group ID.


3. Select Enable for Real-Time Switching.
4. Select Options for Keep-Alive Mode.
5. Enter 1 for Server ID.
6. Enter 10.1.1.2 for Server Address.
7. Click Add the Server.
8. Enter 3 for Server ID.
9. Enter 10.1.1.3 for Server Address.
10. Click Add the Server.
11. Click Apply.
# Set the redundancy mode for SIP server group 1 to parking. (Optional. The redundancy mode for a SIP
server group is parking by default.)
12. Select Voice Management > Call Connection > SIP Connection from the navigation tree and click
the Advanced Settings tab.

Figure 725 Advanced settings

13. Select Parking for Redundancy Mode.


14. Click Apply.
Other configurations on the SIP trunk device and on other devices are the same as those described in "Configuring Router A," "Configuring the SIP trunk device," and "Configuring Router B."

Verifying the configuration


1. When the SIP server with IP address 10.1.1.2 fails, the SIP server with IP address 10.1.1.3 takes over communications between the private network and the public network, and the communications recover.
2. When the SIP server with IP address 10.1.1.2 recovers, it does not take over call processing, and the SIP server with IP address 10.1.1.3 keeps working.
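An added Python model of the behaviour verified above (not H3C code and not taken from this guide): a server group with the two members from the example, an OPTIONS keep-alive request whose constructed responses drive reachability, failover to the next reachable member, and parking-mode redundancy in which a recovered server does not take the calls back. The priority ordering (lower value preferred), the rule that a timeout or 5xx response marks a server down, and the non-parking contrast mode are assumptions of this example, not settings of the device.

```python
"""SIP server group keep-alive and parking-mode redundancy (added example).

No packets are sent; keep-alive outcomes are fed in as constructed SIP responses.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SipServer:
    server_id: int
    address: str
    priority: int          # assumption: the lower value is the preferred member


# Constructed keep-alive responses.
OK_200 = "SIP/2.0 200 OK\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n"
UNAVAILABLE_503 = "SIP/2.0 503 Service Unavailable\r\nContent-Length: 0\r\n\r\n"


def options_request(server: SipServer, local_addr: str, cseq: int) -> str:
    """Build the SIP OPTIONS keep-alive request sent to one member server."""
    return (
        f"OPTIONS sip:{server.address} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {local_addr};branch=z9hG4bK-ka{cseq}\r\n"
        f"From: <sip:keepalive@{local_addr}>;tag=ka{cseq}\r\n"
        f"To: <sip:{server.address}>\r\n"
        f"Call-ID: keepalive-{server.server_id}@{local_addr}\r\n"
        f"CSeq: {cseq} OPTIONS\r\n"
        f"Max-Forwards: 70\r\n"
        f"Content-Length: 0\r\n\r\n"
    )


def probe_alive(response: str | None) -> bool:
    """Assumed rule: any non-5xx SIP response proves the server is up; a timeout (None) or 5xx does not."""
    if response is None:
        return False
    parts = response.split("\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0") or not parts[1].isdigit():
        return False
    return int(parts[1]) < 500


class SipServerGroup:
    """Member list, per-member reachability, and the active-server selection rule."""

    def __init__(self, group_id: int, members: list[SipServer], parking: bool = True):
        if not members:
            raise ValueError("a server group needs at least one member")
        self.group_id = group_id
        self.members = sorted(members, key=lambda m: (m.priority, m.server_id))
        self.parking = parking
        self.reachable = {m.address: True for m in self.members}
        self.active: str | None = self.members[0].address

    def _best_reachable(self) -> str | None:
        return next((m.address for m in self.members if self.reachable[m.address]), None)

    def record_probe(self, address: str, response: str | None) -> str | None:
        """Apply one keep-alive outcome and return the server that now handles calls."""
        if address not in self.reachable:
            raise KeyError(f"{address} is not a member of group {self.group_id}")
        was_up = self.reachable[address]
        now_up = probe_alive(response)
        self.reachable[address] = now_up
        if not now_up and address == self.active:
            self.active = self._best_reachable()       # failover to the next reachable member
        elif now_up and not was_up:
            if self.active is None:
                self.active = address                  # nothing was serving calls
            elif not self.parking:
                self.active = self._best_reachable()   # contrast mode: preferred server preempts
            # parking mode: the recovered server waits and the current active server keeps working
        return self.active


def failover_scenario(parking: bool = True) -> list[str | None]:
    """Replay the verification steps and return the active server after each event."""
    group = SipServerGroup(1, [SipServer(1, "10.1.1.2", 1), SipServer(3, "10.1.1.3", 2)], parking)
    trace = [group.active]
    trace.append(group.record_probe("10.1.1.2", None))      # keep-alive times out: 10.1.1.2 fails
    trace.append(group.record_probe("10.1.1.2", OK_200))    # 10.1.1.2 answers again
    trace.append(group.record_probe("10.1.1.3", None))      # later 10.1.1.3 fails as well
    return trace
```

In parking mode the trace is 10.1.1.2, 10.1.1.3, 10.1.1.3, 10.1.1.2: the recovered server is parked until the server that took over fails in turn. Monitoring the keep-alive results per member is what tells an operator that a carrier server has silently dropped out while calls continue through the other one.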

Configuring call match rules


Network requirements
The enterprise private network has a SIP trunk device. Router A1 and Router A2 are private network
devices, and Router B is a public network device.
• Users connected to Router A2 are not allowed to call public network users.
• All calls between the private network and public network are made through the SIP trunk device.

Figure 726 Network diagram

Configuration procedure
# Configurations on the SIP trunk device and on other devices are the same as those described in "Configuring Router A," "Configuring the SIP trunk device," and "Configuring Router B."
# Configure Router A2: Configure a local number 2001 and a call route to Router B. For the configuration procedure, see "Configuring Router A."
# Configure Router B: Configure a call route to Router A2. For the configuration procedure, see "Configuring Router B."
# Configure the SIP trunk device: Select Voice Management > Call Route from the navigation tree and click Add to configure the call route for calls from the number 1000 to 2001. Enter 3.3.3.1 (the IP address of the interface on Router A2) for Destination Address.
# Configure call match rules on the SIP trunk device: specify that calls with source IP address 1.1.1.1 are
permitted.
1. Select Voice Management > SIP Trunk Management > Call Route from the navigation tree, and
click the icon of the call route to be configured to access the advanced settings configuration
page.
Figure 727 Advanced settings

2. Select IPv4 Address from the Match a Source Address list.
3. Enter 1.1.1.1 for IPv4 Address.
4. Click Apply.

Verifying the configuration


1. Private network users connected to Router A1 can call public network users, but private network
users connected to Router A2 cannot call public network users.
2. Public network users can call any private network user.
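The routing decisions verified above, generalized as an added Python example (not H3C code and not taken from this guide): a call route is chosen by longest-prefix match on the called number, and a source-address match rule attached to the selected route permits or denies the call. The route IDs, the catch-all route, the network-form match rule and the addresses used for the public side are constructed for this example.

```python
"""Call route lookup with source-address match rules (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRoute:
    route_id: int
    dest_prefix: str                 # called-number prefix, such as "1000" or "2"
    next_hop: str                    # where the call goes (constructed free-text label)
    source_match: str | None = None  # IPv4 address or network the calling side must match


class CallRouteTable:
    def __init__(self, routes: list[CallRoute]):
        self.routes = list(routes)
        # Pre-parse the match rules; "1.1.1.1" becomes the /32 network 1.1.1.1/32.
        self._rules = {r.route_id: ipaddress.ip_network(r.source_match, strict=False)
                       for r in self.routes if r.source_match}

    def lookup(self, called: str, source_ip: str) -> tuple[str, CallRoute | None]:
        """Return ("permit", route), ("deny", route) or ("no-route", None)."""
        candidates = [r for r in self.routes if called.startswith(r.dest_prefix)]
        if not candidates:
            return "no-route", None
        best = max(candidates, key=lambda r: len(r.dest_prefix))   # longest prefix wins
        rule = self._rules.get(best.route_id)
        if rule is not None and ipaddress.ip_address(source_ip) not in rule:
            return "deny", best
        return "permit", best


def trunk_device_table() -> CallRouteTable:
    """Routes of the SIP trunk device in the scenario above, plus two constructed extras."""
    return CallRouteTable([
        CallRoute(20000, "1000", "server-group-1", source_match="1.1.1.1"),   # only Router A1 may call out
        CallRoute(2, "2000", "1.1.1.1"),                                      # inbound to Router A1
        CallRoute(3, "2001", "3.3.3.1"),                                      # inbound to Router A2
        CallRoute(4, "2", "1.1.1.1"),                                         # constructed catch-all
        CallRoute(5, "1001", "server-group-1", source_match="1.1.1.0/24"),    # constructed network rule
    ])
```

The match rule applies to the route that wins the prefix comparison, so a more specific route without a rule is not protected by a rule on a shorter prefix; when adding routes, check which entry the lookup actually selects for the numbers you care about.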

Managing data links

This section provides information about data link management and configuration.

Overview
Introduction to E1 and T1
Plesiochronous digital hierarchy (PDH) includes two major communications systems: the ITU-T E1 system and the ANSI T1 system. The E1 system is dominant in Europe and some countries outside Europe. The T1 system is dominant in the USA, Canada, and Japan.
E1 and T1 use the same sampling frequency (8 kHz), PCM frame length (125 μs), bits per code (8 bits), and timeslot bit rate (64 kbps). They differ in the following aspects:
• E1 uses 13-segment A-law coding/decoding, whereas T1 uses 15-segment μ-law coding/decoding.
• Each PCM primary frame of E1 contains 32 timeslots, whereas that of T1 contains 24 timeslots. Each PCM primary frame of E1 contains 256 bits, whereas that of T1 contains 193 bits. Therefore, E1 provides 2.048 Mbps of bandwidth and T1 provides 1.544 Mbps of bandwidth.
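The two companding laws and the frame arithmetic contrasted above, as an added Python example (not H3C code and not taken from this guide), ported from the public-domain Sun Microsystems g711.c algorithms: A-law (E1) and μ-law (T1) encoders and decoders on 16-bit linear samples, plus the frame-bits-to-bandwidth relation. The sample values fed to the encoders are constructed.

```python
"""G.711 A-law versus mu-law, and E1/T1 frame arithmetic (added example)."""

SAMPLE_RATE = 8000       # PCM frames per second (125 us frame period) for both E1 and T1


def trunk_bit_rate(timeslots: int, framing_bits: int) -> int:
    """Bits per frame times frames per second: E1 is 32 x 8 bits, T1 is 24 x 8 bits plus one F bit."""
    return (timeslots * 8 + framing_bits) * SAMPLE_RATE


# ---- mu-law (T1): 8 segments per polarity, 15 after merging the two around zero ----
ULAW_BIAS = 0x84
ULAW_CLIP = 32635


def ulaw_encode(sample: int) -> int:
    """Encode a 16-bit signed sample into one mu-law octet."""
    sign = 0x80 if sample < 0 else 0
    magnitude = min(-sample if sample < 0 else sample, ULAW_CLIP) + ULAW_BIAS
    exponent = (magnitude >> 7).bit_length() - 1          # segment number 0..7
    mantissa = (magnitude >> (exponent + 3)) & 0x0F       # 4 bits of position within the segment
    return (~(sign | (exponent << 4) | mantissa)) & 0xFF  # mu-law codewords are bit-inverted


def ulaw_decode(code: int) -> int:
    code = ~code & 0xFF
    exponent = (code >> 4) & 0x07
    magnitude = ((((code & 0x0F) << 3) + ULAW_BIAS) << exponent) - ULAW_BIAS
    return -magnitude if code & 0x80 else magnitude


# ---- A-law (E1): 8 segments per polarity, 13 after merging the co-linear ones around zero ----
ALAW_SEGMENT_END = (0x1F, 0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, 0xFFF)


def alaw_encode(sample: int) -> int:
    """Encode a 16-bit signed sample into one A-law octet (A-law quantizes 13-bit samples)."""
    pcm = sample >> 3
    if pcm >= 0:
        mask = 0xD5                 # sign bit set, even bits inverted (ITU-T G.711)
    else:
        mask = 0x55
        pcm = -pcm - 1
    segment = next((i for i, end in enumerate(ALAW_SEGMENT_END) if pcm <= end), 8)
    if segment >= 8:
        return 0x7F ^ mask
    # Segments 0 and 1 share one slope, which is why A-law counts as 13 segments, not 15.
    mantissa = (pcm >> 1) & 0x0F if segment < 2 else (pcm >> segment) & 0x0F
    return ((segment << 4) | mantissa) ^ mask


def alaw_decode(code: int) -> int:
    code ^= 0x55
    value = (code & 0x0F) << 4
    segment = (code & 0x70) >> 4
    if segment == 0:
        value += 8
    elif segment == 1:
        value += 0x108
    else:
        value = (value + 0x108) << (segment - 1)
    return value if code & 0x80 else -value
```

Silence encodes to 0xD5 under A-law and 0xFF under μ-law, which is why an E1 and a T1 trunk mis-set to the wrong law produce audible noise rather than silence; the decoders show the quantization error staying within half a segment step for both laws.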

E1 and T1 voice functions


E1 and T1 mainly provide voice and signaling trunks to the PSTN. To realize this function, the router must
have E1 and T1 voice interfaces and be configured with functions required for transmitting voice over E1
and T1 lines.
The E1 and T1 voice physical interfaces are VE1 and VT1 interfaces, respectively.
PSTN and routers are connected through E1/T1 trunks, as shown in Figure 728.
Figure 728 Network diagram

E1/T1 voice transmission allows a router to provide more channels of voice communication, greatly improving router utilization and broadening the service range.

E1 and T1 interfaces
E1 interface
An E1 interface is logically divided into timeslots (TSs), with TS16 being the signaling channel.
On E1 interfaces, you can create PRI groups or TS sets.
You can use an E1 interface as an ISDN PRI interface or as a CE1 interface:
1. As an ISDN PRI interface, the E1 interface adopts DSS1 or QSIG signaling. Because TS0 is used to transfer synchronization information and TS16 is used as the D channel to transfer signaling, you can bundle any timeslots other than TS0 and TS16 into a logical interface that is equivalent to an ISDN PRI interface.
2. As a CE1 interface with a signaling channel, the E1 interface can adopt R2 signaling, digital E&M signaling, or digital LGS signaling.
• When R2 signaling is adopted, every 32 timeslots form a primary frame (PCM30, for example), where TS0 is used for frame synchronization, TS16 for digital line signaling, and the other 30 timeslots for voice transmission. Every 16 primary frames form one multiframe. In each multiframe, TS0 in even primary frames conveys the frame alignment signal (FAS), and TS0 in odd primary frames conveys the non-FAS (NFAS) carrying link status information. The NFAS provides control signaling for primary rate multiplexing. In the first primary frame, frame 0, the high-order four bits of TS16 convey the multiframe FAS (MFAS) and the low-order four bits convey the non-multiframe FAS (NMFAS). TS16 in each of the other 15 primary frames conveys line status information for two timeslots. For example, TS16 in frame 1 conveys the digital line signaling status of TS1 and TS17, TS16 in frame 2 conveys that of TS2 and TS18, and so on.
• When digital E&M signaling is adopted, the E1 interface functions as a digital E&M interface. On the interface, the timeslot division and functions are the same as those with R2 signaling.
• When digital LGS signaling is adopted, the E1 interface functions as a digital FXO or FXS interface. On the interface, the timeslot division and functions are the same as those with R2 signaling.
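An added Python example (not H3C code and not taken from this guide) of the multiframe structure just described: it constructs one G.704 CAS multiframe of 16 frames and reads back the FAS/NFAS bits in TS0, the MFAS/NMFAS in TS16 of frame 0, and the ABCD line-signaling bits that TS16 of frame n carries for timeslots n and n+16. The idle state A=1, B=0, C=0, D=1 follows ITU-T Q.421; treating bit 1 of each timeslot octet as the most significant bit, and the 0xD5 fill of the voice timeslots, are assumptions of this example.

```python
"""Inspecting TS0 and TS16 of an E1 CAS multiframe (added example)."""
from __future__ import annotations

FAS_PATTERN = 0x1B        # TS0 of even frames: Si 0 0 1 1 0 1 1, with bit 1 taken as the MSB
NFAS_MARK = 0x40          # TS0 of odd frames: bit 2 is always 1
NFAS_ALARM = 0x20         # TS0 of odd frames: bit 3 (A) is the remote alarm indication
IDLE = (1, 0, 0, 1)       # Q.421 idle line-signaling state: A=1, B=0, C=0, D=1
ALAW_SILENCE = 0xD5       # A-law code of a zero sample, used to fill the voice timeslots


def _nibble(bits: tuple[int, int, int, int]) -> int:
    a, b, c, d = bits
    return (a << 3) | (b << 2) | (c << 1) | d


def _bits(nibble: int) -> tuple[int, int, int, int]:
    return ((nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1)


def build_multiframe(signaling: dict[int, tuple[int, int, int, int]] | None = None,
                     remote_alarm: bool = False) -> list[list[int]]:
    """Construct 16 frames of 32 octets; timeslots not listed in `signaling` carry the idle state."""
    signaling = signaling or {}
    frames: list[list[int]] = []
    for n in range(16):
        frame = [ALAW_SILENCE] * 32
        if n % 2 == 0:
            frame[0] = FAS_PATTERN
        else:
            frame[0] = NFAS_MARK | 0x1F | (NFAS_ALARM if remote_alarm else 0)   # Sa4..Sa8 set to 1
        if n == 0:
            frame[16] = 0x0B      # MFAS 0000 in the high nibble; NMFAS x y x x = 1 0 1 1 (y = 0: no alarm)
        else:
            frame[16] = (_nibble(signaling.get(n, IDLE)) << 4) | _nibble(signaling.get(n + 16, IDLE))
        frames.append(frame)
    return frames


def check_alignment(frames: list[list[int]]) -> dict[str, bool]:
    """Verify FAS in even frames, NFAS in odd frames and MFAS in frame 0; report the alarm bits."""
    fas_ok = all((frames[n][0] & 0x7F) == FAS_PATTERN for n in range(0, 16, 2))
    nfas_ok = all(bool(frames[n][0] & NFAS_MARK) for n in range(1, 16, 2))
    mfas_ok = (frames[0][16] >> 4) == 0
    remote_alarm = any(bool(frames[n][0] & NFAS_ALARM) for n in range(1, 16, 2))
    multiframe_alarm = bool((frames[0][16] >> 2) & 1)       # the y bit of the NMFAS
    return {"fas": fas_ok, "nfas": nfas_ok, "mfas": mfas_ok,
            "remote_alarm": remote_alarm, "multiframe_alarm": multiframe_alarm}


def line_signaling(frames: list[list[int]]) -> dict[int, tuple[int, int, int, int]]:
    """Return the ABCD bits of the 30 voice timeslots, read from TS16 of frames 1 to 15."""
    if len(frames) != 16 or (frames[0][16] >> 4) != 0:
        raise ValueError("not a multiframe-aligned set of 16 frames")
    signaling: dict[int, tuple[int, int, int, int]] = {}
    for n in range(1, 16):
        ts16 = frames[n][16]
        signaling[n] = _bits(ts16 >> 4)           # high nibble: timeslot n
        signaling[n + 16] = _bits(ts16 & 0x0F)    # low nibble: timeslot n + 16
    return dict(sorted(signaling.items()))


def seized_timeslots(frames: list[list[int]]) -> list[int]:
    """Timeslots whose A bit is 0, that is, not in the idle A=1 state."""
    return [ts for ts, (a, _b, _c, _d) in line_signaling(frames).items() if a == 0]
```

Reading the multiframe this way is how a monitoring tool would confirm that a CE1 trunk is aligned before trusting its signaling bits; a lost MFAS means the ABCD nibbles are being attributed to the wrong timeslots.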

After you create a TS set and configure signaling on an E1 voice interface card, the system can
automatically create the voice subscriber line for the TS set.
After TSs of an E1 interface are bound to form a PRI group, the system will automatically generate the
corresponding voice subscriber line.
The Web interface supports only the PRI trunk signaling.

T1 interface
A T1 interface is physically divided into 24 timeslots numbered TS1 through TS24.
You can use a T1 interface as an ISDN PRI interface. The interface adopts DSS1 or QSIG signaling. On the interface, except for TS24, which is used as the D channel for signaling, you can bundle any timeslots into an interface that is logically equivalent to an ISDN PRI interface.
In addition to DSS1 and QSIG signaling, T1 interfaces support R2 signaling, digital E&M signaling, and LGS signaling. Configured with digital E&M signaling, a T1 interface is used as a digital E&M interface. Configured with digital LGS signaling, it is used as a digital FXO or FXS interface.
Like E1 voice interface cards, T1 voice interface cards also have the features of voice subscriber lines.
The Web interface supports only the PRI trunk signaling.

Features of E1 and T1
E1 and T1 are characterized by the following:
• Signaling modes
• Fax function
• Protocols and standards

Signaling modes
E1/T1 interfaces support the following types of signaling:
• DSS1/QSIG user signaling, adopted on the D channel between the ISDN user and the network interface (UNI). It has a data link layer protocol and a Layer 3 protocol used for basic call control.
• ITU-T R2 signaling, which comprises digital line signaling and interregister signaling. Digital line signaling is transmitted in TS16 (ABCD bits) of the E1 trunk. It conveys status information about E1 trunks to describe whether the trunks are occupied, released, or blocked. Interregister signaling conveys information about the address, the language and discriminating digits for internal calls, the echo suppressor, caller properties, and callee properties, using the multi-frequency compelled approach (forward and backward) in each timeslot.
• Digital E&M signaling, similar to R2 signaling. It transmits E (recEive) and M (transMit) call control signals similar to analog E&M signaling in TS16, alignment signals in TS0, and voice signals in the other timeslots. In digital E&M signaling, when an E1 trunk detects and sends connection signaling, it looks at the signal in TS16. Digital E&M signaling provides three start modes, immediate, wink, and delay, to adapt to different devices for a more reliable connection.
• Digital LGS. Digital loop start signaling is used between telephones and switches to identify the off-hook/on-hook state, while ground-start signaling is used between switches. They differ in that, in the ground-start approach, the two parties in conversation must check the grounding state before closing the line.

Fax function
The fax function is available on E1/T1 voice interfaces to set up fax channels and transmit/receive fax
data.

Protocols and standards


E1/T1 voice supports SIP and the recommendations in the ITU-T H.323 framework, and the ITU-T codecs G.711, G.729, and G.723.1 Annex A (5.3 kbps and 6.3 kbps).
Table 263 Protocols supported by E1/T1

Item                  E1 voice          T1 voice
Framing format        CRC4, non-CRC4    SF, ESF
Line coding format    HDB3, AMI         B8ZS, AMI

Introduction to BSV interface


The BRI S/T voice (BSV) interface supports simultaneous transmission of voice and data. It can receive, send, compress, and decompress digital PCM voice traffic, and it provides the VoIP function through the other WAN interfaces of the router.

Generally, a BSV interface is used to connect an ISDN digital telephone. It can also be used as a trunk interface connecting to a PBX digital trunk. Working together with an FXS or FXO interface, a BSV interface can implement flexible routing policies for voice calls.

Configuring digital link management


You can click the link of a digital link name to access the page displaying the link state. For more
information, see Displaying ISDN link state.

Configuring VE1 line


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of the VE1 line to be configured to access the E1 parameters configuration page.
Figure 729 E1 parameters configuration page (1)

Table 264 Configuration items

Item Description

Physical Parameters Configuration

Working Mode
Configure the working mode of the E1 interface:
• None—Remove the existing bundle.
• PRI trunk signaling—Bundle timeslots on an E1 interface into a PRI group.
By default, no PRI group is created.

Bound Timeslot Number
Specify the timeslots to be bundled.

Frame Check Mode
• CRC4—Perform cyclic redundancy check (CRC).
• NO_CRC4—Do not perform CRC.

Line Coding
• HDB3—The line coding format is high-density bipolar 3 (HDB3).
• AMI—The line coding format is alternate mark inversion (AMI).

TDM Clock Source
• Internal—Set the internal crystal oscillator time division multiplexing (TDM) clock as the TDM clock source on the E1 interface. After that, the E1 interface obtains the clock from the crystal oscillator on the main board. If it fails to do that, the interface obtains the clock from the crystal oscillator on its E1 card. Because SIC cards do not have crystal oscillator clocks, E1 interfaces on SIC cards can obtain the clock only from the main board. The internal clock source is also called master clock mode in some features.
• Line—Set the line TDM clock as the TDM clock source on the E1 interface. After that, the E1 interface obtains the clock from the remote device through the line. The line clock source is also called slave clock mode in some features.
• Line primary—Set the E1 interface to preferably use the line TDM clock as the TDM clock source. After that, the E1 interface always attempts to use the line TDM clock before any other clock source.
By default, the TDM clock source for an E1 interface is the internal clock.
When digital voice E1 interfaces perform TDM timeslot interchange, they must achieve clock synchronization to prevent frame slips and bit errors. Depending on your configuration of the E1 interfaces at the CLI, the system adopts different clocking approaches. When there is a VCPM subcard on the main board, the clock distribution principle is as follows:
• If the line keyword is specified for all interfaces, the clock on the interface with the lowest number is adopted. If that interface goes down, the clock on the interface with the second lowest number is adopted.
• If line primary is specified for interface X and line or internal is specified for the other interfaces, the clock on interface X is adopted.
• If line is specified for interface X and internal is specified for the other interfaces, the clock on interface X is adopted.
• Normally, do not set the clock source of all interfaces in a system to internal, because this causes frame slips and bit errors. You can do so, however, if the remote E1 interfaces use the line clock source.
When there is no VCPM on the main board, the configuration of each MIM/FIC is independent, but only one interface can be set as line primary.

Status
• Enable—Enable the E1 interface.
• Disable—Disable the E1 interface.

If you select the PRI Trunk Signaling option, the page as shown in Figure 730 appears.

Figure 730 E1 parameters configuration page (2)

You cannot configure the following parameters on an ISDN interface while there is still a call on it:
• ISDN Overlap-Sending
• Switch to ACTIVE State Without Receiving a Connect-Ack Message
• Carry High Layer Compatibility Information
• Carry Low Layer Compatibility Information
• ISDN Call Reference Length
These parameters take effect only if they are configured when there is no call on the interface. Alternatively, you can manually disable the ISDN interface, configure the parameters, and then enable the interface again. These operations, however, disconnect the calls existing on the interface.
Table 265 Configuration items

Item Description

ISDN Parameters Configuration

ISDN Protocol Type
Set the ISDN protocol to be run on an ISDN interface, including DSS1, QSIG, and ETSI.
By default, an ISDN interface runs DSS1.

ISDN Working Mode
Set the ISDN working mode, which can be network side mode or user side mode.
By default, an ISDN interface operates in user side mode.

ISDN Timeslot Management
Configure local ISDN B channel management.
• Disable—Local ISDN B channel management is disabled, and B channel management is left to the ISDN switch.
• Common management—The device operates in local B channel management mode to select available B channels for calls. However, the ISDN switch still has a higher priority in B channel selection. If a locally selected B channel is different from the one selected by the ISDN switch, the one indicated by the ISDN switch is used for communication.
• Forced management—The device operates in forced local B channel management mode. In this mode, the device indicates in the Channel ID information element of a call Setup message that the local B channel is mandatory and unchangeable. If the ISDN switch indicates a B channel different from the local one, the call fails.
By default, local ISDN B channel management is not enabled, and B channel management is left to the ISDN switch.
It is very important to put appropriate control on the B channels used for calls in progress, especially in PRI mode. Proper channel management can improve call efficiency and reduce call loss.
Typically, the centralized B channel management provided by exchanges works well. For this reason, you should adopt the management function provided by exchanges in most cases, even though the ISDN module can provide the channel management function as well.

ISDN Timeslot Order
Set a B channel selection method:
• Ascending order—Select B channels in ascending order.
• Descending order—Select B channels in descending order.
When operating in B channel local management mode, the device selects B channels in ascending order by default.
When the exchange manages the B channels, these options take no effect. If you select the Disable option in the ISDN Timeslot Management area, these options take no effect.

ISDN Overlap-Sending
Max Number of Digits that Can Be Sent Each Time
• Enable—Set the ISDN interface to send the called number in overlap mode. In this mode, the digits of each called number are sent separately, and the maximum number of digits sent each time can be set.
• Disable—Set the ISDN interface to send the called number in full-sending mode. In this mode, all the digits of each called number are collected and sent at one time.
By default, the ISDN interface sends the called number in full-sending mode.

Progress-to-Alerting Conversion
• Enable—Enable the ISDN interface to convert received Progress messages into Alerting messages.
• Disable—Disable the progress-to-alerting conversion function.
This option takes effect only on messages received on an ISDN interface.

Switch to ACTIVE State Without Receiving or Sending a Connect-Ack Message
• Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after receiving a Connect message without having to send a Connect-Ack message.
• Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start Connect and voice service communications after sending a Connect message without having to wait for a Connect-Ack message.
• Enable for bidirectional directions—Configure the ISDN protocol to switch to the ACTIVE state after receiving or sending a Connect message without having to wait for or send a Connect-Ack message.
• Disable (default)—Configure the ISDN protocol not to ignore Connect-Ack messages, that is, the ISDN protocol must wait for the Connect-Ack message in response to the Connect message before it can switch to the ACTIVE state to start data and voice service communications.
By default, when the device is communicating with an ISDN switch:
• The ISDN protocol must wait for the Connect-Ack message in response to the Connect message before it can switch to the ACTIVE state to start data and voice service communications.
• After the ISDN protocol receives a Connect message, it must send a Connect-Ack message in response.
IMPORTANT:
• When the device is communicating with an ISDN switch, its settings must be the same as those on the switch.
• You cannot configure this list on an ISDN interface while there is still a call on it. The configuration of this list takes effect only if it is configured when there is no call on the interface. Alternatively, you can manually disable the interface, configure this list, and then enable the interface. However, these operations disconnect the calls existing on the interface.

Carry High Layer Compatibility Information
• Enable—Configure ISDN to carry the higher layer compatibility (HLC) information element in Setup messages when placing voice calls.
• Disable—Disable ISDN from carrying the HLC information element in Setup messages when placing voice calls.
By default, the HLC information element is carried in Setup messages when ISDN places voice calls.

Carry Low Layer Compatibility Information
• Enable—Configure ISDN to carry the lower layer compatibility (LLC) information element in Setup messages when placing voice calls.
• Disable—Disable ISDN from carrying the LLC information element in Setup messages when placing voice calls.
By default, the LLC information element is carried in Setup messages when ISDN places voice calls.

Ignore the Sending-Complete Information Element in Setup Messages
• Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the Sending-Complete Information Element when placing a call.
• Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call.
• Enable for bidirectional directions—Configure the ISDN protocol to ignore the Sending-Complete Information Element in Setup messages when receiving a call, and to send Setup messages without the Sending-Complete Information Element when placing a call.
• Disable (default)—Configure ISDN not to ignore the Sending-Complete Information Element in Setup messages. During data exchange between the device and an ISDN switch, for an incoming call, a Setup message that does not contain the Sending-Complete Information Element indicates that the number has not been received completely. For an outgoing call, a Setup message containing the Sending-Complete Information Element indicates that the number has been sent completely.

ISDN Sliding Window Size
Set the sliding window size on an ISDN BRI interface.

ISDN T302 Timer Duration
Configure the duration of the ISDN protocol Layer 3 timer T302.

ISDN Call Reference Length
Set the length of the call reference used when a call is placed on an ISDN interface.
The call reference is the sequence number that the protocol assigns to each call. It is one or two bytes in length and can be used cyclically.
When the device receives a call from a remote device, it can automatically identify the length of the call reference. However, some devices on the network do not have this capability. If the device is required to place calls to such a device connected to it, you must configure the device to use the same call reference length that is configured on the connected device.
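An added Python example (not H3C code and not taken from this guide) that parses constructed Q.931 messages and reports the elements the options in Table 265 control: the one- or two-byte call reference (ISDN Call Reference Length), the Sending-Complete information element, the preferred-versus-exclusive flag of the Channel ID element that forced B channel management sets in Setup, and the HLC/LLC elements. The message bytes, call reference values and called number are constructed; the message-type and information-element codes are those of ITU-T Q.931.

```python
"""Q.931 header and information-element inspection (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

Q931_DISCRIMINATOR = 0x08
MESSAGE_TYPES = {0x01: "ALERTING", 0x03: "PROGRESS", 0x05: "SETUP", 0x07: "CONNECT",
                 0x0F: "CONNECT ACKNOWLEDGE", 0x45: "DISCONNECT", 0x4D: "RELEASE",
                 0x5A: "RELEASE COMPLETE"}
IE_SENDING_COMPLETE = 0xA1      # single-octet information element
IE_CHANNEL_ID = 0x18
IE_CALLED_NUMBER = 0x70
IE_LLC = 0x7C
IE_HLC = 0x7D

# Constructed messages.  The SETUP uses a 2-octet call reference and carries every element discussed above.
SETUP_EXCLUSIVE = bytes.fromhex(
    "08 02 00 2a 05"            # discriminator, 2-octet call reference 0x002A (flag 0), SETUP
    "a1"                        # Sending Complete
    "04 03 80 90 a3"            # Bearer capability: speech, 64 kbit/s, G.711 A-law
    "18 03 a9 83 81"            # Channel ID: PRI, exclusive, B channel 1 (what forced management sends)
    "70 05 81 32 30 30 30"      # Called party number "2000"
    "7c 03 80 90 a3"            # Low layer compatibility
    "7d 02 91 81"               # High layer compatibility: telephony
)
CONNECT = bytes.fromhex("08 01 aa 07")        # 1-octet call reference 0x2A, flag 1 (towards the originator)
CONNECT_ACK = bytes.fromhex("08 01 2a 0f")    # same call reference, flag 0, CONNECT ACKNOWLEDGE


@dataclass
class Q931Message:
    call_ref_len: int
    call_ref: int
    to_originator: bool           # call-reference flag: 1 = sent towards the side that created the reference
    message_type: str
    single_ies: list[int] = field(default_factory=list)
    ies: dict[int, bytes] = field(default_factory=dict)   # a repeated IE keeps its last occurrence


def parse_q931(data: bytes) -> Q931Message:
    """Parse the Q.931 header with a 0-, 1- or 2-octet call reference, then the information elements."""
    if len(data) < 3 or data[0] != Q931_DISCRIMINATOR:
        raise ValueError("not a Q.931 message")
    cr_len = data[1] & 0x0F
    if cr_len > 2 or len(data) < 3 + cr_len:
        raise ValueError("bad call reference length")
    cr = data[2:2 + cr_len]
    flag = bool(cr[0] & 0x80) if cr_len else False
    value = (int.from_bytes(cr, "big") & ((1 << (8 * cr_len - 1)) - 1)) if cr_len else 0
    pos = 2 + cr_len
    msg = Q931Message(cr_len, value, flag, MESSAGE_TYPES.get(data[pos] & 0x7F, f"0x{data[pos]:02x}"))
    pos += 1
    while pos < len(data):
        ie = data[pos]
        if ie & 0x80:                     # single-octet IE (Sending Complete, shift, ...)
            msg.single_ies.append(ie)
            pos += 1
            continue
        if pos + 1 >= len(data):
            raise ValueError("truncated information element")
        length = data[pos + 1]
        body = data[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        msg.ies[ie] = body
        pos += 2 + length
    return msg


def summarize(msg: Q931Message) -> dict:
    """Report the fields that the ISDN options above influence."""
    chan = msg.ies.get(IE_CHANNEL_ID)
    exclusive = channel = None
    if chan:
        exclusive = bool(chan[0] & 0x08)            # octet 3 bit 4: 1 = exclusive, 0 = preferred
        if len(chan) >= 3 and chan[0] & 0x20:       # primary rate: channel number in octet 3.3
            channel = chan[2] & 0x7F
    called = msg.ies.get(IE_CALLED_NUMBER)
    return {"type": msg.message_type, "call_ref_len": msg.call_ref_len,
            "sending_complete": IE_SENDING_COMPLETE in msg.single_ies,
            "hlc": IE_HLC in msg.ies, "llc": IE_LLC in msg.ies,
            "channel": channel, "channel_exclusive": exclusive,
            "called_number": called[1:].decode("ascii") if called else None}
```

Decoding a captured Setup this way shows at once whether the far end will see a complete number (Sending Complete present), whether the B channel is a demand or a proposal (the exclusive bit), and whether the call reference length matches what the connected device expects.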

Configuring VT1 line


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of the VT1 line to be configured to access the T1 parameters configuration page.
Figure 731 T1 parameters configuration page (1)

709
Table 266 Configuration items

Item Description
Physical Parameters Configuration

Working Mode
Configure the working mode of the T1 interface:
• None—Remove the existing bundle.
• PRI Trunk Signaling—Bundle timeslots on a T1 interface into a PRI group.
By default, no PRI group is created.

Bound Timeslot Number
Specify the timeslots to be bundled.

Frame Check Mode
• ESF—Perform extended super frame (ESF).
• SF—Perform super frame (SF).

Line Coding
• B8ZS—The line coding format is bipolar 8 zero substitution (B8ZS).
• AMI—The line coding format is alternate mark inversion (AMI).

TDM Clock Source
• Internal—Set the internal crystal oscillator TDM clock as the TDM clock source on the T1 interface. After
that, the T1 interface obtains the clock from the crystal oscillator on the main board. If it fails to do that,
the interface obtains the clock from the crystal oscillator on its T1 card. Because SIC cards are not
available with crystal oscillator clocks, T1 interfaces on SIC cards can only obtain the clock from the main
board. The internal clock source is also called master clock mode in some features.
• Line—Set the line TDM clock as the TDM clock source on the T1 interface. After that, the T1 interface
obtains the clock from the remote device through the line. The line clock source is called slave clock
mode in some features.
• Line primary—Set the T1 interface to preferably use the line TDM clock as the TDM clock source. After
that, the T1 interface always attempts to use the line TDM clock prior to any other clock sources.
By default, the TDM clock source for a T1 interface is the internal clock.
When digital voice T1 interfaces perform TDM timeslot interchange, it is important for them to achieve
clock synchronization to prevent frame slips and bit errors. Depending on your configurations on T1
interfaces at the CLI, the system adopts different clocking approaches. When there is a VCPM subcard on
the main board, the clock distribution principle is as follows:
• If the line keyword is specified for all interfaces, the clock on the interface with the lowest number is
adopted. If that interface goes down, the clock on the next interface in numeric order is adopted.
• If line primary is specified for interface X and line or internal is specified for the other interfaces, the
clock on interface X is adopted.
• If line is specified for interface X and internal is specified for the other interfaces, the clock on
interface X is adopted.
• Normally, to prevent frame slips and bit errors, you cannot set the clock source for all interfaces in a
system to internal. You can do this, however, if the remote T1 interfaces adopt the line clock source.
When there is no VCPM on the main board, the configuration of each MIM/FIC is independent, but only
one interface can be set as line primary.

Status
• Enable—Enable the T1 interface.
• Disable—Disable the T1 interface.
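The clock distribution rules above can be checked mechanically before a T1 configuration is applied. The following Python model is an added example, not part of this guide or of H3C software; the T1Interface structure, the function names, the interface numbers and the fallback behaviour for a line primary interface that is down are assumptions.

```python
"""Model of the TDM clock-source selection rules described for digital
voice T1 interfaces. Added example, not H3C code: the data structure,
function names and interface numbers are assumptions."""
from dataclasses import dataclass
from typing import List, Union

INTERNAL = "internal"
LINE = "line"
LINE_PRIMARY = "line primary"


@dataclass
class T1Interface:
    number: int          # interface number used for the lowest-number rule (constructed)
    clock: str           # INTERNAL, LINE or LINE_PRIMARY, as set on the T1 page
    up: bool = True      # whether the interface is physically up


def validate(interfaces: List[T1Interface]) -> None:
    """Reject configurations the guide says are not allowed."""
    for i in interfaces:
        if i.clock not in (INTERNAL, LINE, LINE_PRIMARY):
            raise ValueError(f"interface {i.number}: unknown clock mode {i.clock!r}")
    if sum(1 for i in interfaces if i.clock == LINE_PRIMARY) > 1:
        raise ValueError("only one interface can be set as line primary")


def is_valid(interfaces: List[T1Interface]) -> bool:
    """Boolean wrapper around validate() for callers that do not want exceptions."""
    try:
        validate(interfaces)
        return True
    except ValueError:
        return False


def select_clock_source(interfaces: List[T1Interface]) -> Union[int, str]:
    """Return the number of the interface that supplies the TDM clock,
    or INTERNAL when the crystal oscillator on the main board is used.

    Rules (from the TDM Clock Source description):
    - line primary on interface X wins over line/internal elsewhere;
    - otherwise the lowest-numbered interface set to line that is up;
      if it goes down, the next one in numeric order takes over;
    - otherwise every interface is internal and the internal clock is used.
    Assumption: a line primary interface that is down falls through to the
    remaining rules (the guide only says the line clock is tried first).
    """
    validate(interfaces)
    for i in interfaces:
        if i.clock == LINE_PRIMARY and i.up:
            return i.number
    line_up = sorted((i for i in interfaces if i.clock == LINE and i.up),
                     key=lambda i: i.number)
    if line_up:
        return line_up[0].number
    return INTERNAL


def all_internal(interfaces: List[T1Interface]) -> bool:
    """True for the configuration the guide warns against: every interface on
    the internal clock, which risks frame slips and bit errors unless the
    remote T1 interfaces use the line clock source."""
    return all(i.clock == INTERNAL for i in interfaces)


if __name__ == "__main__":
    # Constructed example: three T1 interfaces, all on the line clock.
    ifaces = [T1Interface(1, LINE), T1Interface(2, LINE), T1Interface(3, LINE)]
    print(select_clock_source(ifaces))            # 1
    ifaces[0].up = False
    print(select_clock_source(ifaces))            # 2
    ifaces.append(T1Interface(4, LINE_PRIMARY))
    print(select_clock_source(ifaces))            # 4
```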

If you select the PRI Trunk Signaling option, the page as shown in Figure 732 appears.

Figure 732 T1 parameters configuration page (2)

ISDN protocol types supported by VT1 are DSS1, ATT, ANSI, ETSI, NTT, QSIG, NI2, and 5ESS. Table
265 describes the ISDN parameters configuration items.

Configuring BSV line


Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of the BSV line to be configured to access the BSV parameters configuration page.

Figure 733 BSV parameters configuration page

Table 267 Configuration items

Item Description

ISDN Protocol Type
Set the ISDN protocol to be run on an ISDN interface, including DSS1, ANSI, NI, NTT, and ETSI.
By default, an ISDN interface runs DSS1.

ISDN Working Mode
Set the ISDN working mode, which can be network side mode or user side mode.
By default, an ISDN interface operates in user side mode.

ISDN Timeslot Management
Configure local ISDN B channel management.
• Disable—Local ISDN B channel management is disabled, and B channel management is in the charge
of the ISDN switch.
• Common management—The device operates in local B channel management mode to select available
B channels for calls. However, the ISDN switch still has a higher priority in B channel selection. If a
locally selected B channel is different from that selected by the ISDN switch, the one indicated by the
ISDN switch is used for communication.
• Forced management—The device operates in forced local B channel management mode. In this mode,
the device indicates in the Channel ID information element of a call Setup message that the local B
channel is mandatory and unchangeable. If the ISDN switch indicates a B channel different from the
local one, the call fails.
By default, local ISDN B channel management is not enabled, and B channel management is in the
charge of the ISDN switch.
It is very important to put appropriate control on the B channels used for calls in progress, especially in
PRI mode. Proper channel management can improve call efficiency and reduce call loss. Normally, the
centralized B channel management provided by exchanges works well. For this reason, you are advised
to adopt the management function provided by exchanges in most cases, even though the ISDN module
can provide the channel management function as well.

ISDN Timeslot Order
Set a B channel selection method:
• Ascending order—Select B channels in ascending order.
• Descending order—Select B channels in descending order.
When operating in B channel local management mode, the device selects B channels in ascending order
by default.
When the exchange manages B channels, these options take no effect. That is, if you select the Disable
option in the ISDN Timeslot Management area, these options take no effect.

ISDN Overlap-Sending / Max Number of Digits that Can Be Sent Each Time
• Enable—Set the ISDN interface to send the called number in overlap mode. In this mode, the digits of
each called number are sent separately, and the maximum number of digits sent each time can be set.
• Disable—Set the ISDN interface to send the called number in full-sending mode. In this mode, all the
digits of each called number are collected and sent at a time.
By default, the ISDN interface sends the called number in full-sending mode.

Progress-to-Alerting Conversion
• Enable—Enable the ISDN interface to convert received Progress messages into Alerting messages.
• Disable—Disable the progress-to-alerting conversion function.
This option takes effect only on messages received on an ISDN interface.

Switch to ACTIVE State Without Receiving a Connect-Ack Message
• Enable for outgoing direction—Configure the ISDN protocol to switch to the ACTIVE state after
receiving a Connect message without having to send a Connect-Ack message.
• Enable for incoming direction—Configure the ISDN protocol to switch to the ACTIVE state to start data
and voice service communications after sending a Connect message without having to wait for a
Connect-Ack message.
• Enable for bidirectional directions—Configure the ISDN protocol to switch to the ACTIVE state after
receiving or sending a Connect message without having to wait for or send a Connect-Ack message.
• Disable (default)—Configure the ISDN protocol not to ignore Connect-Ack messages, that is, the ISDN
protocol must wait for the Connect-Ack message in response to the Connect message before it can
switch to the ACTIVE state to start data and voice service communications.
By default, when the device is communicating with an ISDN switch:
• The ISDN protocol must wait for the Connect-Ack message in response to the Connect message before
it can switch to the ACTIVE state to start data and voice service communications.
• After the ISDN protocol receives a Connect message, it needs to send a Connect-Ack message in
response.

IMPORTANT:
• When the device is communicating with an ISDN switch, its settings must be the same as those on the
switch.
• You are not allowed to configure this list on an ISDN interface while there is still a call on it. The
configuration of this list takes effect only if it is made when there is no call on the interface.
Alternatively, you can manually disable the interface, configure this list, and then enable the interface.
However, these operations disconnect the call existing on the interface.

Carry High Layer Compatibility Information
• Enable—Configure ISDN to carry the HLC information element in Setup messages when placing voice
calls.
• Disable—Disable ISDN from carrying the HLC information element in Setup messages when placing
voice calls.
By default, the HLC information element is carried in Setup messages when ISDN places voice calls.

Carry Low Layer Compatibility Information
• Enable—Configure ISDN to carry the LLC information element in Setup messages when placing voice
calls.
• Disable—Disable ISDN from carrying the LLC information element in Setup messages when placing
voice calls.
By default, the LLC information element is carried in Setup messages when ISDN places voice calls.

Ignore the Sending-Complete Information Element in Setup Messages
• Enable for outgoing direction—Configure the ISDN protocol to send Setup messages without the
Sending-Complete Information Element when placing a call.
• Enable for incoming direction—Configure the ISDN protocol to ignore the Sending-Complete
Information Element in Setup messages when receiving a call.
• Enable for bidirectional directions—Configure the ISDN protocol to ignore the Sending-Complete
Information Element in Setup messages when receiving a call, and to send Setup messages without the
Sending-Complete Information Element when placing a call.
• Disable (default)—Configure ISDN not to ignore the Sending-Complete Information Element in Setup
messages. During the data exchange between the device and an ISDN switch, for an incoming call the
device checks the received Setup message for the Sending-Complete Information Element to determine
whether the number has been received completely. If a Setup message does not contain the
Sending-Complete Information Element, the number has not been received completely. For outgoing
calls, a Setup message containing the Sending-Complete Information Element indicates that the number
has been sent completely.

Q.921 Permanent Link
Configure the Q.921 permanent link function:
• Enable—The BRI interface sets up a data link connection automatically and maintains the connection
even when no calls are received from the network layer. If the two-tei mode is also enabled on the
interface, two such connections are present.
• Disable—Disable the Q.921 permanent link function on the BRI interface.
This parameter is available only when the User Side Mode option in the ISDN Working Mode area is
selected.

ISDN two-tei
• Enable—Each call on the BRI interface uses a different TEI.
• Disable—All calls on all the B channels on the BRI interface use one TEI value.

ISDN Link Mode
• Point-to-Multipoint—A BRI interface operating on the network side can have multiple end devices
attached to it.
• Point-to-Point—Configure the BRI interface to operate in point-to-point mode.

BSV Permanent Active State at the Physical Layer
• Enable—Specify an ISDN BRI interface to be in the permanent active state at the physical layer.
• Disable—The BRI interfaces operating on the network side are not in the permanent active state at the
physical layer.
This parameter is available only when the Network Side Mode option in the ISDN Working Mode area is
selected.

BSV Remote Powering
• Enable—Enable remote powering on an ISDN BRI interface.
• Disable—Disable remote powering on an ISDN BRI interface.
This parameter is available only when the Network Side Mode option in the ISDN Working Mode area is
selected.

ISDN Sliding Window Size
Set the sliding window size on an ISDN BRI interface.

ISDN T302 Timer Duration
Configure the duration of the ISDN protocol Layer 3 timer T302.

ISDN Call Reference Length
Set the length of the call reference used when a call is placed on an ISDN interface.
The call reference is the sequence number that the protocol assigns to each call. It is one or two bytes in
length and can be used cyclically.
When the device receives a call from a remote device, it can automatically identify the length of the call
reference. However, some devices on the network do not have this capability. If the device is required to
place calls to such a device connected to it, you must configure the device to use the same call reference
length configured on the connected device.

Status
• Enable—Enable the BSV interface.
• Disable—Disable the BSV interface.
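The three ISDN Timeslot Management modes and the ISDN Timeslot Order options described in Table 267 decide which B channel a call ends up on, and when a call fails outright. The following Python model is an added example, not part of this guide or of H3C software; the function names, the representation of "the switch indicated no channel" as None, and the sample channel lists are assumptions.

```python
"""Model of local ISDN B channel management (ISDN Timeslot Management and
ISDN Timeslot Order in Table 267). Added example, not H3C code; names and
the None-for-no-indication convention are assumptions."""
from typing import Iterable, Optional

DISABLE, COMMON, FORCED = "disable", "common", "forced"


def pick_local_channel(free: Iterable[int], order: str = "ascending") -> Optional[int]:
    """Choose the B channel the device proposes for a call from the free
    channels, in ascending (the default) or descending order."""
    candidates = sorted(free, reverse=(order == "descending"))
    return candidates[0] if candidates else None


def resolve_channel(mode: str, local: Optional[int], switch: Optional[int]) -> Optional[int]:
    """Return the B channel actually used for the call, or None if the call fails.

    disable: the ISDN switch alone chooses; the local choice is ignored.
    common:  the device proposes 'local', but the switch's choice has
             priority when it differs.
    forced:  the device marks 'local' as mandatory in the Channel ID
             information element; a different choice from the switch makes
             the call fail. Assumption: a switch that indicates no channel
             (None) accepts the local one.
    """
    if mode == DISABLE:
        return switch
    if mode == COMMON:
        return switch if switch is not None else local
    if mode == FORCED:
        if local is None:
            return None          # no free local channel, nothing to force
        return local if switch in (None, local) else None
    raise ValueError(f"unknown mode {mode!r}")


def setup_call(mode: str, free_channels: Iterable[int], switch_choice: Optional[int],
               order: str = "ascending") -> Optional[int]:
    """End to end: select locally (unless management is disabled), then
    resolve the proposal against the channel the switch indicates."""
    local = None if mode == DISABLE else pick_local_channel(free_channels, order)
    return resolve_channel(mode, local, switch_choice)


if __name__ == "__main__":
    # Constructed example: channels 1, 2 and 3 are free; the switch wants 3.
    for mode in (DISABLE, COMMON, FORCED):
        print(mode, setup_call(mode, [1, 2, 3], switch_choice=3))
    # disable 3 / common 3 / forced None (the call fails on the mismatch)
```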

Displaying ISDN link state


Select Voice Management > Digital Link Management from the navigation tree, and then click the name
of the target digital link (taking a VE1 digital link as an example) to access the page displaying the link
state as shown in Figure 734.
Figure 734 Displaying ISDN link state

E1 voice DSS1 signaling configuration example


Network requirements
As shown in Figure 735, telephones in City A and City B communicate with each other through Router
A and Router B over an IP network.
• Router A is connected to a PBX through an E1 voice subscriber line, and to the telephone at
0101003 through an FXS voice subscriber line.
• Router B is connected only to a PBX through an E1 voice subscriber line.
The two routers communicate with their respective PBX by exchanging DSS1 user signaling through an
ISDN interface. The one-stage dialing mode is configured on the two routers.

Figure 735 Network diagram

Configuration procedure
1. Configure Router A:
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of E1 1/1 to access the E1 parameters configuration page.
Figure 736 E1 parameters configuration page

a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.
# Configure local numbers and call routes.
c. Configure a local number in the local number configuration page: The number ID is 1003, the
number is 0101003, and the bound line is 3/0.
d. Configure a call route in the call route configuration page: The call route ID is 1001, the
destination number is 0101001, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
e. Configure a call route in the call route configuration page: The call route ID is 1002, the
destination number is 0101002, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
f. Configure a call route in the call route configuration page: The call route ID is 0755, the
destination number is 0755...., the call route type is SIP, the SIP routing type is IP routing,
and the destination address is 2.2.2.2.

2. Configure Router B.
# Configure an ISDN PRI group.
Select Voice Management > Digital Link Management from the navigation tree, and then click the
icon of E1 1/1 to access the E1 parameters configuration page.
Figure 737 E1 parameters configuration page

a. Select the PRI Trunk Signaling option. For other options, use the default settings.
b. Click Apply.
# Configure call routes.
c. Configure a call route in the call route configuration page: The call route ID is 2001, the
destination number is 07552001, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
d. Configure a call route in the call route configuration page: The call route ID is 2002, the
destination number is 07552002, and the trunk route line is 1/1:15. In addition, select the
Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
e. Configure a call route in the call route configuration page: The call route ID is 010, the
destination number is 010...., the call route type is SIP, the SIP routing mode is IP routing, and
the destination address is 1.1.1.1.

Verifying the configuration


• Telephones in City A and City B can communicate with each other.
• Select Voice Management > Statistics > Call Statistics from the navigation tree to access the Active
Call Summary page, and you can view the statistics of active calls.
• Select Voice Management > Digital Link Management from the navigation tree, and then click the
name of the target digital link line 1/1:15 to access the page displaying the link state.

Managing lines

This section provides information on managing and configuring various types of subscriber lines.

FXS voice subscriber line


A foreign exchange station (FXS) interface uses a standard RJ-11 connector and a telephone cable to
directly connect with an ordinary telephone or a fax machine. An FXS interface accomplishes signaling
exchange based on the level changes on the Tip/Ring line and provides ring, voltage, and dial tone.

FXO voice subscriber line


A foreign exchange office (FXO) interface uses an RJ-11 connector and a telephone cable to connect local
calls to a PSTN or PBX. Like an FXS interface, an FXO interface accomplishes signaling exchange based
on the level changes on the Tip/Ring line. An FXO interface can be connected only to an FXS interface.

E&M subscriber line


E&M introduction
An E&M interface uses an RJ-48 telephone cable to connect a PBX. The PBX sends signals on the M (M
represents mouth) line and receives signals on the E (E represents ear) line. The voice router receives M
signals from the PBX and sends E signals to the PBX. An E&M interface can only be connected to another
E&M interface.
When E&M is applied in voice communication, two or four voice wires can be used. In addition, there are
two or four signaling wires, so 4-wire analog E&M actually has at least six wires. The 2-wire mode
provides full-duplex voice transmission: voice is transmitted in both directions on the two wires. The
4-wire mode is equivalent to simplex mode: each pair of wires carries voice transmission in one direction.

E&M start mode


An E&M interface supports E&M signaling and divides each voice connection into trunk circuit side and
signaling unit side (similar to DCE and DTE).
An E&M interface provides on-hook/off-hook signals and minimizes the interference. Because an E&M
interface does not provide any dial tone, one of the following three signaling technologies is used to start
dialing:
• Immediate start—In this mode, the caller picks up the phone, and after a brief period the dialed
number is sent to the called side. During this period, whether the called side is ready to receive the
called number is not checked. After the called number is received, the callee can pick up the phone to
answer the call.

Figure 738 Immediate start mode
(Diagram labels: calling side: pick up the phone, requesting service; send the called number (E/M);
conversation; hang up. Called side: pick up the phone to answer; conversation; hang up (M/E).)

• Delay start—In this mode, the caller first picks up the phone to seize the trunk line, and the called
side (such as the peer PBX) also enters the off-hook state in response to the off-hook action of the
caller. The called side (PBX) stays in the off-hook state until it is ready to receive the address
information. When it is ready, it enters the on-hook state; this interval is the so-called dial delay. The
calling side then sends the address information, and the called side (PBX) connects the call to the
callee. The two parties can then begin communicating.
Figure 739 Delay start mode

• Wink start—In this mode, the caller first picks up the phone to seize the trunk line, and the called
side (such as the peer PBX) stays in the on-hook state until it receives a connection signal from the
calling side. The called side then sends a wink signal as an acknowledgement and enters the ready
state. Upon receiving the wink signal, the calling side begins to send the address information, and the
called side connects the call to the callee. The two parties can then begin communicating.
Figure 740 Wink start mode

One-to-one binding between FXS and FXO voice
subscriber lines
The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines improves the
reliability of voice solutions. Industry-specific users require highly reliable communication over FXS voice
subscriber lines, that is, dedicated FXO voice subscriber lines that can be used for communication over
the PSTN when the IP network is unavailable. The one-to-one binding between FXS voice subscriber lines
and FXO voice subscriber lines meets this requirement.
The one-to-one binding between FXS voice subscriber lines and FXO voice subscriber lines provides the
following functions:
• Dedicated FXO voice subscriber lines—The dedicated FXO voice subscriber lines can be used only
for the bound FXS voice subscriber lines and PSTN-originated calls received over dedicated FXO
voice subscriber lines are directly connected to the bound FXS voice subscriber lines.
• Consistent state between bound FXS and FXO voice subscriber lines—The on-hook/off-hook state
of the bound FXS and FXO voice subscriber lines is consistent. If an FXO subscriber line receives a
PSTN-originated call when the corresponding FXS voice subscriber line goes off-hook, the calling
party will hear busy tones.

Echo adjustment function


Echo is the phenomenon of a user hearing his or her own voice in the telephone receiver while talking. It
occurs because analog signals leak into the receiving path of the user. The echo adjustment function
provided by the VoIP gateway can cancel echoes to some extent.
You can cancel echoes in three ways: adjust the echo duration, adjust the echo cancellation parameters,
and enable the nonlinear function of echo cancellation.

Adjusting echo duration


Table 268 Adjust echo duration

Symptom: A user hears his or her voice in conversation.
Reason 1: The echo duration is so long that the convergence time of echo cancellation on the network
becomes longer.
Adjustment method 1: Shorten the echo duration.
Reason 2: The echo duration is so short that long-duration echoes are not completely cancelled.
Adjustment method 2: Prolong the echo duration.

Adjusting echo cancellation parameters


Table 269 Adjust echo cancellation parameters

Symptom: A user hears his or her voice or loud background noises from the peer when speaking.
Parameters adjusted: Speed up the convergence of comfortable noise amplitudes.
Effect: Too fast convergence may make noises uncomfortable.

Symptom: There are loud environment noises.
Parameters adjusted: Increase the maximum amplitude of comfortable noises.
Effect: Too large an amplitude may make noises uncomfortable.

Symptom: A user hears his or her voice when speaking.
Parameters adjusted: Enlarge the control factor of the mixed proportion of noises.
Effect: Too high a control factor leads to audio discontinuity.

Symptom: There are echoes when both parties speak at the same time.
Parameters adjusted: Enlarge the judgment threshold for bidirectional conversation.
Effect: Too high a judgment threshold slows down the convergence of the filter factor.

Enabling the nonlinear function of echo cancellation


The nonlinear function of echo cancellation, also known as residual echo suppression, means the
removal of residual echoes after echo cancellation when the user at the local end does not speak.

Line management configuration


Select Voice Management > Line Management from the navigation tree to access the line list page, as
shown in Figure 741.
Figure 741 Line list page

Configuring an FXS voice subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of
the FXS line to be configured to access the FXS line configuration page, as shown in Figure 742.

Figure 742 FXS line configuration page

Table 270 Configuration items

Item Description
Basic Configurations

Description
Specify the description of the FXS line.

Max Interval for Dialing the Next Digit
Specify the maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit, until all the digits of the number are dialed. If the
timer expires before dialing is completed, the user is prompted to hang up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Specify the maximum interval in seconds between off-hook and dialing the first digit.
Upon expiration of the timer, the user is prompted to hang up and the call is terminated.

Max Duration of Playing Ringback Tones
Specify the maximum duration in seconds of playing ringback tones.

Status
• Enable.
• Disable.

Advanced Settings

Dial Delay Time
Specify the dial delay in seconds.

Lower Limit for Hookflash Detection / Upper Limit for Hookflash Detection
Specify the time range for the duration of an on-hook condition that is detected as a hookflash. That is,
an on-hook condition that lasts for a period within the hookflash duration range (longer than the lower
limit and shorter than the upper limit) is considered a hookflash.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain
value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain
value.

IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If
necessary, do it with the guidance of technical personnel.

Electrical Impedance
Each country corresponds to an impedance value. Therefore, you can specify an impedance value by
specifying a country. By default, the electrical impedance on the FXO or FXS voice subscriber line is the
impedance value corresponding to China.

Packet Loss Compensation Mode
Specify either of the following packet loss compensation algorithms:
• Specific algorithm of the device.
• Universal frame erasure algorithm.

Comfortable Noise Function
Generate some comfortable background noise to replace the toneless intervals during a conversation. If
no comfortable noise is generated, the toneless intervals will make both parties in conversation feel
uncomfortable.
• Enable.
• Disable.
By default, the comfortable noise function is enabled.

Echo Cancellation Function
• Enable.
• Disable.

Echo Duration
After you enable the echo cancellation function, set the echo duration, that is, the time that elapses from
when a user speaks to when he hears the echo.

Nonlinear Function of Echo Cancellation
• Enable.
• Disable.

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level.
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the
Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the
probability of false detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low and detection errors may occur.

Configuring an FXO voice subscriber line
Select Voice Management > Line Management from the navigation tree, and then click the icon of
the FXO line to be configured to access the FXO line configuration page, as shown in Figure 743.
Figure 743 FXO line configuration page

Table 271 Configuration items

Item Description
Basic Configurations

Description
Specify the description of the FXO line.

Max Interval for Dialing the Next Digit
Specify the maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit, until all the digits of the number are dialed. If the
timer expires before dialing is completed, the user is prompted to hang up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit
Specify the maximum interval in seconds between off-hook and dialing the first digit.
Upon expiration of the timer, the user is prompted to hang up and the call is terminated.

Max Duration of Playing Ringback Tones
Specify the maximum duration in seconds of playing ringback tones.

Status
• Enable.
• Disable.

Advanced Settings

Off-hook Mode
• Delay off-hook—In this mode, you need to configure a dedicated line number, which the system uses
to connect the call to the callee automatically. Communication over the FXO subscriber line can begin
only after the callee picks up the telephone.
• Immediate off-hook—In this mode, when a call arrives, the FXO interface goes off-hook immediately
and then the caller performs second-stage dialing.

Binding FXS Line
Bind an FXS voice subscriber line to the FXO voice subscriber line. This list is available only when you
select the Delay Off-hook option in the Off-hook Mode area.
To keep the off-hook/on-hook state consistent between the bound FXS and FXO lines, the specified FXS
line must be the one to which the dedicated line number points. In addition, only the bound FXS line is
allowed to originate calls to the FXO line, by restricting incoming calls.

Ring Mode
• Delay Ring.
• Immediate Ring.
You can select the Delay Ring option to speed up ringing synchronization between the FXO voice
subscriber line and its bound FXS voice subscriber line. However, on a telephone that supports calling
identification display, the calling number is displayed only after the second ringing tone.

Duration before a Forced On-hook
In some countries, PBXs do not play busy tones, or the busy tones they play last only for a short period
of time. When noise is present on a transmission link, configuring the silence threshold and silence
duration for automatic on-hook cannot solve the problem that the resource of the FXO interface cannot
be released. In this case, you can specify the duration before a forced on-hook to solve the problem.
No duration is configured by default.
IMPORTANT:
Once the duration before a forced on-hook is configured, the call is automatically disconnected when
the duration expires, even if the call is still in progress.

Dial Delay Time
Configure the dial delay time.
By default, the dial delay is 1 second.

VAD Threshold
Set the silence threshold. If the amplitude of voice signals from the switch is smaller than this value, the
system regards the voice signals as silence. Normally, the signal amplitude on links without traffic is in
the range of 2 to 5.
By default, the silence threshold is 20.

On-hook Duration for VAD
Set the silence duration for automatic on-hook. Upon expiration of this duration, the system performs
on-hook automatically.
By default, the silence duration for automatic on-hook is 7,200 seconds (that is, 2 hours).

Silence detection-based automatic on-hook prevents the case where the resource of the FXO interface
cannot be released because busy tone detection fails when the busy tone parameters provided by the
connected PBX are special. When the signal values of two successive sampling points are less than the
silence detection threshold, the system considers that the line has gone into the silent state. If the line
stays in the silent state longer than the silence duration for automatic on-hook, the system automatically
disconnects the call.

Interval between On-hook and Off-hook
Configure the interval between on-hook and off-hook.
By default, the interval between on-hook and off-hook is 500 milliseconds.
In the delay off-hook mode, the on-hook/off-hook state of the FXS and FXO lines is consistent. When an
FXS line goes off-hook, the FXO line to which the FXS line is bound goes off-hook, too. When the FXS
line in the off-hook state needs to connect to the FXO line to originate a call over the PSTN, the FXO line
must first perform an on-hook operation, and then perform an off-hook operation to send the called
number. This task sets the interval between the on-hook and off-hook operations.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the input gain value.

Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain
value.

IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If
necessary, do it with the guidance of technical personnel.

Time for CID Check
Configure the time for CID check.

Number of Rings after CID Check to Off-hook
Set the number of rings after the CID check to off-hook. The greater the value, the later the FXO line
goes off-hook.
By default, CID check is performed between the first and the second rings, and the FXO line goes
off-hook as soon as the check completes.

Electrical Impedance
Each country corresponds to an impedance value. Therefore, you can specify an impedance value by
specifying a country. By default, the electrical impedance on the FXO or FXS voice subscriber line is the
impedance value corresponding to China.

Packet Loss Compensation Mode
Specify either of the following packet loss compensation algorithms:
• Specific algorithm of the device.
• Universal frame erasure algorithm.

Comfortable Noise Function
Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable.
• Enable.
• Disable.
By default, the comfortable noise function is enabled.

Busy Tone Sending
• Enable.
• Disable.
Duration of Busy Tone
With the busy-tone sending function enabled, you can set the duration of busy tones.

Echo Cancellation Function
• Enable.
• Disable.
Echo Duration
After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when he hears the echo.

Nonlinear Function of Echo Cancellation
• Enable.
• Disable.
DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level.
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low and detection errors may occur.

Configuring an E&M subscriber line


Select Voice Management > Line Management from the navigation tree, and then click the icon of
the E&M line to be configured to access the E&M line configuration page, as shown in Figure 744.

Figure 744 E&M line configuration page

Table 272 Configuration items

Item Description
Basic Configurations

Description Description of the E&M line.

Cable Type
Select the E&M interface cable type: 4-wire or 2-wire.
By default, the cable type is 4-wire.
When you configure the cable type, make sure the cable type is the same as that of the peer device. Otherwise, only unidirectional voice service is available.
The configuration will be applied to all E&M interfaces of the card.

Signal Type
Specify the signal type. Types 1, 2, 3, and 5 (that is, types I, II, III, and V) are the four signal types of the analog E&M subscriber line.
When you configure the signal type, make sure the signal type is the same as that of the peer device.
The configuration will be applied to all analog E&M lines in the corresponding slot.

Max Interval for Dialing the Next Digit
Specify the maximum interval for the user to dial the next digit. This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Max Duration the System Waits for the First Digit
Specify the maximum duration for the system to wait for the first digit of a number.

Max Duration of Playing Ringback Tones
Specify the maximum duration in seconds of playing ringback tones.
Status
• Enable.
• Disable.
Advanced Settings
Immediate Start Mode
Delay Time before the Calling Party Sends DTMF Signals in Immediate Start Mode
Specify the delay time before the calling party sends DTMF signals in the immediate start mode.
Delay Start Mode
Delay Signal Duration in Delay Start Mode
Specify the delay signal duration in the delay start mode.
Delay Time before the Called Party Sends a Delay Signal in Delay Start Mode
Specify the delay time from when the called party detects a seizure signal to when it sends a delay signal in the delay start mode.
Wink Start Mode
Delay Time before the Called Party Sends a Wink Signal in Wink Start Mode
Specify the delay time from when the called party receives a seizure signal to when it sends a wink signal in the wink start mode.
Duration of a Wink Signal Sent by the Called Party in Wink Start Mode
Specify the duration for which the called party sends wink signals in the wink start mode.
Max Time the Calling Party Waits for a Wink Signal in Wink Start Mode
Specify the maximum amount of time the calling party waits for a wink signal after sending a seizure signal in the wink start mode.

Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.
Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to a call failure. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
SLIC Chip Output Gain
Configure the output gain of the SLIC chip. The bottom layer tunes the signal gain through the SLIC chip.
By default, the output gain of the SLIC chip is 0.8 dB.

Comfortable Noise Function
Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable.
• Enable.
• Disable.
By default, the comfortable noise function is enabled.

Echo Cancellation Function
• Enable.
• Disable.
Echo Duration
After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when he hears the echo.
Nonlinear Function of Echo Cancellation
• Enable.
• Disable.

Configuring an ISDN line


Select Voice Management > Line Management from the navigation tree, and then click the icon of
the ISDN line to be configured to access the ISDN line configuration page, as shown in Figure 745.
ISDN lines include BSV interfaces (for information about the BSV interface, see "Managing data links")
and ISDN lines generated by binding timeslots of digital E1 interfaces or T1 interfaces into PRI sets. For
the latter, before configuring the ISDN line, you need to perform the following configuration: select Voice
Management > Line Management from the navigation tree, click the icon of the line to be
configured to access the corresponding parameter configuration page, and in the Working Mode area,
select the PRI Trunk Signaling option to create the ISDN line.

Figure 745 ISDN line configuration page

Table 273 Configuration items

Item Description
Description Description of the ISDN line.

Comfortable Noise Function
Generate some comfortable background noise to replace the toneless intervals during a conversation. If no comfortable noise is generated, the toneless intervals will make both parties in conversation feel uncomfortable.
• Enable.
• Disable.
By default, the comfortable noise function is enabled.

Echo Cancellation Function
• Enable.
• Disable.
Echo Duration
After enabling this function, you can set the echo duration, that is, the time that elapses from when a user speaks to when he hears the echo.
Nonlinear Function of Echo Cancellation
• Enable.
• Disable.
Input Gain on the Voice Interface
When the voice signals on the line attenuate to a relatively great extent, increase the input gain value.
Output Gain on the Voice Interface
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Companding Law
Configure a companding law used for quantizing signals.
• A-law, used in China, Europe, Africa, and South America.
• μ-law, used in the USA.
IMPORTANT:
A BRI interface does not support this configuration item.

DTMF Detection Sensitivity Level
Set the DTMF detection sensitivity level.
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• High—In this mode, the reliability is low and detection errors may occur.
Status
• Enable.
• Disable.

Configuring a paging line


Select Voice Management > Line Management from the navigation tree, and then click the icon of
the paging line to be configured to access the audio interface configuration page, as shown in Figure
746.
Figure 746 Configuring SIC-audio page interface

Table 274 Configuration items

Item Description
Line Description Specify the description of the paging line.

Voice Interface Output Gain
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Silent Mode
• Enable.
• Disable.
By default, the silent mode is disabled.
IMPORTANT:
If the silent mode is enabled on an audio interface, the interface cannot transmit data.

Voice Output Gain
Set the value of the audio input gain, in the range of -24.0 to 12.0 with a step of 1. When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.

Configuring an MoH line


Select Voice Management > Line Management from the navigation tree, and then click the icon of
the paging line to be configured to access the MoH interface configuration page, as shown in Figure
747.
Figure 747 Configuring SIC-audio MoH interface

Table 275 Configuration items

Item Description
Line Description Specify the description of the MoH line.

Voice Interface Output Gain
When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.
Silent Mode
• Enable.
• Disable.
By default, the silent mode is disabled.
IMPORTANT:
If the silent mode is enabled on an audio interface, the interface cannot transmit data.
Voice Output Gain
Set the value of the audio input gain, in the range of -19.5 to 41.5 with a step of 2. When a relatively small voice signal power is needed on the output line, increase the voice output gain value.
IMPORTANT:
Gain adjustment may lead to call failures. H3C recommends that you do not adjust the gain. If necessary, do it with the guidance of technical personnel.

Line management configuration examples
Configuring an FXO voice subscriber line
Network requirements
As shown in Figure 748, the FXO voice subscriber line connected to Router B operates in PLAR mode, and
the default remote phone number is 010-1001.
Dialing the number 0755-2003 on phone 0755-2001 connects to Router B. Because Router B operates
in private-line mode (that is, the hotline mode), it requests connection to the preset remote number
010-1001 at Router A.
Figure 748 Network diagram

Configuring Router A
# Create a call route and local number.
1. Configure a call route in the call route configuration page: The call route ID is 0755, the
destination number is 0755...., and the destination address is 2.2.2.2.
2. Create a local number in the local number configuration page: The number ID is 1001, the
number is 0101001, and the bound line is 1/0.

Configuring Router B
# Create call routes.
1. Create a call route in the call route configuration page: The call route ID is 010, the destination
number is 010….., and the destination address is 1.1.1.1.
2. Create a call route in the call route configuration page: The call route ID is 2001, the destination
number is 07552001, the call route type is Trunk, and the trunk route line is 1/0. In addition,
select the Send All Digits of a Called Number option in the Called Number Sending Mode area
when you configure the advanced settings of this call route.
# Configure the hotline number
3. Select Voice Management > Call Route from the navigation tree, and then click the icon of call
route 2001 to access the call services configuration page.

Figure 749 Hotline number configuration page

4. Enter 0101001 in the Hotline Numbers field.


5. Click Apply.

Verifying the configuration


If you dial the number 0755-2003 on phone 0755-2001, a connection is established to number 010-1001
at Router A.

Configuring one-to-one binding between FXS and FXO


Network requirements
• Router A and Router B are connected over an IP network and a PSTN. Telephone A attached to
Router A can make calls to Telephone B attached to Router B over the IP network or the PSTN.
• Usually, Telephone A makes calls to Telephone B over the IP network. In the case that the IP network
is unavailable, Router A sends calls from Telephone A through the bound FXO interface to
Telephone B over PSTN.

Figure 750 Network diagram

Configuration considerations
• Configure one-to-one binding between FXS and FXO voice subscriber lines.
• When the IP network is available, the VoIP entity is preferably used to make calls over the IP
network.
• When the IP network is unavailable, the POTS entity is used to make calls through the bound FXO
voice subscriber line over the PSTN.

Configuration procedure
Router A and Router B are routable to each other.
The configuration of interface IP addresses is not shown.
1. Configure Router A:
# Configure a local number and two call routes.
• Configure a call route in the call route configuration page: The call route ID is 210, the destination
number is 210…., and the destination address is 192.168.0.76.
• Configure a local number in the local number configuration page: The number ID is 0101001, the
number is 0101001, and the bound line is 3/0.
• Configure the backup call route 211 for the FXO line in the call route configuration page: The
destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition, select
the Send All Digits of a Called Number option in the Called Number Sending Mode area when you
configure the advanced settings of this call route.
# Configure call authority control.
a. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and
then click Add to access the permitted call number group configuration page.

737
Figure 751 Permitted call number group configuration page

b. Enter 1 in the Group ID field.
c. Enter 0101001 in the Numbers in the Group field and click Add.
d. Click Apply.
e. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and
then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 752 Call route binding page

f. Select the Permit the calls from the number group option.
g. Select call route 211.
h. Click Apply.
# Configure the hotline number.
i. Select Voice Management > Call Route from the navigation tree, and then click the icon of
call route 211 to access the call services configuration page.

Figure 753 Hotline number configuration page

j. Enter 0101001 in the Hotline Numbers field.
k. Click Apply.
# Configure the delay off-hook binding for the FXO line.
l. Select Voice Management > Line Management from the navigation tree, and then click the
icon of FXO line 4/0 to access the FXO line configuration page.
Figure 754 FXO line delay off-hook binding configuration page

m. Select the Delay Off-hook option.
n. Select subscriber-line 3/0 from the Binding FXS Line list.
o. Click Apply.
# Configure the system to first select the VoIP entity.
p. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
number match configuration page.

Figure 755 Entity type selection sequence configuration page

q. Select Enable in the Select Based on Voice Entity Type area.
r. Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the
second is POTS, the third is VoFR, and the last is IVR.
s. Click Apply.
2. Configure Router B:
# Configure a local number and two call routes.
a. Configure a call route in the call route configuration page: The call route ID is 10, the
destination number is 010…., and the destination address is 192.168.0.71.
b. Configure a local number in the local number configuration page: The number ID is 2101002,
the number is 2101002, and the bound line is 3/0.
c. Configure the backup call route 211 for the FXO line in the call route configuration page: The
destination address is .T, call route type is Trunk, and the trunk route line is 4/0. In addition,
select the Send All Digits of a Called Number option in the Called Number Sending Mode area
when you configure the advanced settings of this call route.
# Configure call authority control.
d. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and
then click Add to access the permitted call number group configuration page.
Figure 756 Permitted call number group configuration page

e. Type 1 in the Group ID field.
f. Type 2101002 in the Numbers in the Group field and click Add.
g. Click Apply.
h. Select Voice Management > Dial Plan > Call Authority Control from the navigation tree, and
then click Not Bound to access the call route binding page of permitted call number group 1.
Figure 757 211 Call route binding page

i. Select the Permit the calls from the number group option.
j. Select call route 211.
k. Click Apply.
# Configure the hotline number.
l. Select Voice Management > Call Route from the navigation tree, and then click the icon of
call route 211 to access the call services configuration page.
Figure 758 Hotline number configuration page

m. Type 2101002 in the Hotline Numbers field.
n. Click Apply.
# Configure the delay off-hook binding for the FXO line.
o. Select Voice Management > Line Management from the navigation tree, and then click the
icon of the FXO line 4/0 to access the FXO line configuration page.

Figure 759 FXO line delay off-hook binding configuration page

p. Select the Delay Off-hook option.
q. Select subscriber-line 3/0 from the Binding FXS Line list.
r. Click Apply.
# Configure the system to first select the VoIP entity.
s. Select Voice Management > Dial Plan > Number Match from the navigation tree to access the
number match configuration page.
Figure 760 Entity type selection sequence configuration page

t. Select Enable in the Select Based on Voice Entity Type area.
u. Configure the order of the voice entities in the Selection Sequence box: the first is VoIP, the
second is POTS, the third is VoFR, and the last is IVR.
v. Click Apply.

Verifying the configuration
In the case that the IP network is unavailable, calls can be made over PSTN.

Configuring SIP local survival

IP phones have been deployed throughout the headquarters and branches of many enterprises and
organizations. Typically, a voice server is deployed at the headquarters to control calls originated by IP
phones at branches.
The local survival feature enables the voice router at a branch to automatically detect the reachability of
the headquarters voice server, and to process calls originated by attached IP phones when the headquarters
voice server is unreachable. The headquarters voice server takes over call services from the branch
voice router when the failure is removed.
Figure 761 shows a typical network diagram for the local survival feature.
Figure 761 Network diagram for the local survival feature

Figure 761 labels: Server, Headquarters, WAN, PSTN, Branch A, Branch B, Branch C.

The following describes the local survival feature in detail:


1. When the WAN link from a branch to the headquarters is normal, all IP phones at the branch are
registered with the headquarters voice server and the headquarters voice server processes calls
originated by branch IP phones.
2. When the WAN link to the headquarters or the primary server fails:
• The branch voice router can accept registrations from its attached IP phones.
• The branch voice router ensures the normal call services between its IP phones, between its IP
phones and FXS interfaces, and between its FXS interfaces.
• IP phone users at the branch can place or receive PSTN calls through FXS interfaces on the voice
router.
3. When the WAN link or the primary server recovers, the branch voice router rejects registrations
from IP phones and the headquarters voice server takes over call processing.

Configuring SIP local survival
Service configuration
Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the page as shown in Figure 762.
Figure 762 Configuring service

Table 276 Configuration items

Item Description
Server Running State
• Enable—Enable the local SIP server.
• Disable—Disable the local SIP server.
By default, the local SIP server is disabled.
IP Address Bound to the Server
Enter the IP address of the local server, which can be a local interface's IP address, or a loopback address such as 127.0.0.1. The IP address of a local interface is recommended because a loopback address cannot accept registrations from remote users.
When the local SIP server is enabled, the IP address of the local server must be provided.

Port Bound to the Server Enter the port number of the local SIP server.

Registration Aging Time of the Client
Enter the maximum registration interval of clients.

Server Operation Mode
• Alone—The local SIP server in alone mode acts as a small voice server.
• Alive—The local SIP server in alive mode supports the local survival feature. That is, when the communication with the remote server fails, the local SIP server accepts registrations and calls; when the communication resumes, the remote server accepts registrations and calls again and the local SIP server rejects registrations and calls. In the alive mode, Options messages are periodically sent to the remote server.
By default, the local SIP server operates in alone mode.

Remote Server IP Address
Enter the IP address of the remote SIP server.
When the alive mode is selected, the IP address of the remote SIP server must be provided.

Remote Server Port Enter the port number of the remote SIP server.

Interval for Sending Probe Packets
Specify the interval for sending Options messages to the remote SIP server.
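The alive-mode behaviour described in Table 276 (periodic Options probes to the remote server, accepting registrations only while that server is unreachable, handing service back as soon as it answers again) can be modelled as a small state machine driven by SIP OPTIONS exchanges. The following Python is an added example, not H3C code: the names build_options, parse_status and LocalSipServer are chosen here, the port 5060, the "three consecutive missed probes" failure threshold and the rule that only a 2xx answer counts as reachable are assumptions (the guide only says that Options messages are sent periodically), and the replies fed in are constructed rather than captured from a router.

```python
"""Alive-mode reachability probing with SIP OPTIONS (added example, not H3C code)."""
import re
import secrets
from typing import Optional

SIP_PORT = 5060  # assumed default SIP port


def build_options(local_ip: str, remote_ip: str, cseq: int,
                  local_port: int = SIP_PORT, remote_port: int = SIP_PORT) -> str:
    """Build a minimal RFC 3261 OPTIONS request that serves as a keepalive probe."""
    branch = "z9hG4bK" + secrets.token_hex(8)  # branch must start with the magic cookie
    lines = [
        f"OPTIONS sip:{remote_ip}:{remote_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch}",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={secrets.token_hex(4)}",
        f"To: <sip:{remote_ip}:{remote_port}>",
        f"Call-ID: {secrets.token_hex(8)}@{local_ip}",
        f"CSeq: {cseq} OPTIONS",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines)


def parse_status(response: Optional[str]) -> Optional[int]:
    """Return the status code of a SIP response, or None for a timeout or junk."""
    if response is None:
        return None
    m = re.match(r"SIP/2\.0 (\d{3})(?:\s|$)", response)
    return int(m.group(1)) if m else None


class LocalSipServer:
    """Decides whether the local SIP server accepts registrations and calls.

    Alone mode: always accepts (a small stand-alone voice server).
    Alive mode: accepts only while the remote server is considered unreachable,
    i.e. after failure_threshold consecutive probes got no 2xx answer; a single
    successful probe hands registrations back to the remote server.
    """

    def __init__(self, mode: str, local_ip: str, remote_ip: Optional[str] = None,
                 failure_threshold: int = 3) -> None:
        if mode not in ("alone", "alive"):
            raise ValueError("mode must be 'alone' or 'alive'")
        if mode == "alive" and not remote_ip:
            raise ValueError("alive mode requires the remote server IP address")
        self.mode = mode
        self.local_ip = local_ip
        self.remote_ip = remote_ip
        self.failure_threshold = failure_threshold  # assumption of this example
        self.missed_probes = 0
        self.remote_reachable = True  # assume the remote server is up at start
        self.cseq = 0

    def next_probe(self) -> Optional[str]:
        """The OPTIONS request to send at the next probe interval (None in alone mode)."""
        if self.mode != "alive":
            return None
        self.cseq += 1
        return build_options(self.local_ip, self.remote_ip, self.cseq)

    def on_probe_result(self, response: Optional[str]) -> bool:
        """Feed the reply to the last probe (None on timeout); return whether the
        local server now accepts registrations."""
        if self.mode == "alive":
            status = parse_status(response)
            if status is not None and 200 <= status < 300:
                self.missed_probes = 0
                self.remote_reachable = True
            else:
                self.missed_probes += 1
                if self.missed_probes >= self.failure_threshold:
                    self.remote_reachable = False
        return self.accepts_registrations()

    def accepts_registrations(self) -> bool:
        return self.mode == "alone" or not self.remote_reachable


if __name__ == "__main__":
    server = LocalSipServer("alive", "2.1.1.2", "3.1.1.1")
    print(server.next_probe())
    # Constructed replies: the remote server answers twice, then stops responding.
    for reply in ["SIP/2.0 200 OK\r\n\r\n", "SIP/2.0 200 OK\r\n\r\n", None, None, None]:
        print("accepting registrations:", server.on_probe_result(reply))
```

Treating a non-2xx answer the same as a timeout is a deliberate choice here: a remote server that replies 503 is reachable at the IP layer but cannot process calls, which is the case local survival exists for.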

User management
Select Voice Management > SIP Local Survival > User Management from the navigation tree, and click
Add to access the page as shown in Figure 763.
Figure 763 Configuring user

Table 277 Configuration items

Item Description
User ID Enter the ID of a user to be registered.

Telephone Number Enter the telephone number of the user.

Authentication Username Enter the name of the user for authentication.

Authentication Password Enter the password of the user for authentication.

Registration Aging Time
Enter the maximum registration interval of the user.
By default, the maximum registration interval of clients set in Service configuration is used.

Trusted nodes
Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access the
page as shown in Figure 764.
Figure 764 Configuring a trusted node

Table 278 Configuration items

Item Description
IP address
Enter the IP address of the trusted node. By default, no trusted node is configured.
Port
Enter the port number of the trusted node.
A trusted node can directly originate calls without being authenticated by the local SIP server. You do not need to configure user information for the number of the trusted node.
Up to eight trusted nodes can be configured. Whether a trusted node is reachable is determined by its IP address rather than its port number.

Call-out route
The local SIP server uses a static routing table to forward outgoing calls. If the called number of a call
matches a static route, the local SIP server forwards the call to the specified destination. The called
number does not need to register on the local SIP server. For example, as an external number, 5552000
does not need to register on the local SIP server. Configure a static route entry with the area prefix of 333
and called number of 5552000 on the local SIP server. Upon receiving a call from local number 1000
to external number 5552000, the local SIP server adds the area prefix 333 to the calling number, and
forwards the call to the destination specified in the static route entry.
Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click Add
to access the page as shown in Figure 765.

Figure 765 Configuring a call-out route

Table 279 Configuration items

Item Description
ID Enter the ID of the call-out route.

Destination Number Prefix
Number length
Enter the destination number prefix and length. Suppose the destination number prefix is 4100, and the number length is 6. This configuration matches destination numbers that are 6 digits long and start with 4100.
A dot can be used after a number to represent a character. This configuration does not support other characters.
Destination IP address
Port Number
Enter the destination IP address and port number.

Area Prefix Enter the area prefix added before the calling numbers of outgoing calls.

Area prefix
When the local SIP server is connected to the extranet, external users can originate calls to internal users
registered with the local SIP server. For calls from external users to internal users, the local SIP server
removes the configured area prefix from each called number to convert it to an internal short number.
For example, if an external user dials number 01050009999, the local SIP server checks whether any
area prefix matches the called number. If the area prefix 0105000 is available, the local SIP server
removes the prefix 0105000 from the called number and sends the call to 9999.
Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to access the page
as shown in Figure 766.
Figure 766 Configuring a call-in number prefix

Enter the call-in number prefix, and click Add a Prefix.

You can configure up to eight call-in number prefixes. The local SIP server adopts longest match to deal
with a called number.
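The two number manipulations described above, call-out routing (prefix plus length match, then the area prefix is added before the calling number) and call-in area prefix removal with longest match, fit together in one small dial-plan module. The following Python is an added example, not H3C code: CallOutRoute, route_outgoing_call, AreaPrefixTable and pattern_to_regex are names chosen here, the rule that the route with the lowest ID wins when several match is an assumption (the guide does not state a precedence), and the routes, prefixes and numbers used are constructed from the examples in this section (4100 with length 6, 5552000 with area prefix 333, area prefix 0105000).

```python
"""Call-out route matching and call-in area prefix removal for a local SIP
server (added example, not H3C code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_AREA_PREFIXES = 8  # the guide's limit on call-in number prefixes


def pattern_to_regex(pattern: str) -> str:
    """Translate the guide's pattern syntax (digits optionally followed by dots,
    each dot standing for one digit) into a regular expression fragment.
    Any other character is rejected, as the guide says it is unsupported."""
    m = re.fullmatch(r"([0-9]*)(\.*)", pattern)
    if not m or not pattern:
        raise ValueError(f"unsupported pattern {pattern!r}: only digits followed by dots are allowed")
    digits, dots = m.groups()
    return re.escape(digits) + "[0-9]" * len(dots)


@dataclass
class CallOutRoute:
    route_id: int
    dest_prefix: str      # Destination Number Prefix, e.g. "4100"
    number_length: int    # Number length, e.g. 6 (6-digit numbers starting with 4100)
    dest_ip: str
    dest_port: int
    area_prefix: str = ""  # Area Prefix added before the calling number

    def matches(self, called: str) -> bool:
        return (called.isdigit() and len(called) == self.number_length
                and re.match(pattern_to_regex(self.dest_prefix), called) is not None)


def route_outgoing_call(routes: List[CallOutRoute], calling: str, called: str
                        ) -> Optional[Tuple[str, str, str, int]]:
    """Return (calling number as forwarded, called number, destination IP, port)
    for the matching route, or None when no static route matches.
    Lowest route ID wins on overlap: an assumption of this example."""
    for route in sorted(routes, key=lambda r: r.route_id):
        if route.matches(called):
            return (route.area_prefix + calling, called, route.dest_ip, route.dest_port)
    return None


class AreaPrefixTable:
    """Call-in number prefixes; the longest configured prefix that matches is removed."""

    def __init__(self) -> None:
        self.prefixes: List[str] = []

    def add(self, prefix: str) -> None:
        if not prefix.isdigit():
            raise ValueError("a call-in prefix must consist of digits")
        if prefix in self.prefixes:
            return
        if len(self.prefixes) >= MAX_AREA_PREFIXES:
            raise ValueError(f"at most {MAX_AREA_PREFIXES} call-in prefixes can be configured")
        self.prefixes.append(prefix)

    def to_internal_number(self, called: str) -> Tuple[str, Optional[str]]:
        """Return (internal number, matched prefix). Without a match the called
        number is returned unchanged and the prefix is None. A prefix never
        consumes the whole number, so the short number is never empty."""
        candidates = [p for p in self.prefixes if called.startswith(p) and len(called) > len(p)]
        if not candidates:
            return called, None
        best = max(candidates, key=len)
        return called[len(best):], best


if __name__ == "__main__":
    routes = [CallOutRoute(1, "4100", 6, "192.0.2.10", 5060),
              CallOutRoute(2, "5552000", 7, "192.0.2.20", 5060, area_prefix="333")]
    print(route_outgoing_call(routes, "1000", "5552000"))  # calling number becomes 3331000
    table = AreaPrefixTable()
    table.add("010")
    table.add("0105000")
    print(table.to_internal_number("01050009999"))  # longest match strips 0105000
```

The longest-match rule matters when prefixes nest: with both 010 and 0105000 configured, 01050009999 becomes 9999 rather than 50009999, while 01055551234 still matches only 010.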

Call authority control


Configure a call rule set
Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click Add to access the page as shown in Figure 767.
Figure 767 Configuring a call rule set

Table 280 Configuration items

Item Description
Rule Set ID Enter the ID of the call rule set.

Rule

Rule ID Enter the rule ID.


Call Direction
• Outgoing—Applies the rule to outgoing calls.
• Incoming—Applies the rule to incoming calls.
Call Authority
• Permit—Permits the matching calls.
• Deny—Denies the matching calls.
Number Pattern
Enter the number match pattern. A dot can be used after a number to represent a character. This configuration does not support other characters.

Apply the call rule set


Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree, and
click the icon of the call rule set to access the page as shown in Figure 768.

Figure 768 Applying the call rule set

Table 281 Configuration items

Item Description
Rule Set ID Displays the call rule set ID.
Applied Globally
• Enable—Applies the call rule set to all registered users.
• Disable—Specifies that the call rule set does not apply to any registered users.
Register users bound to the rule set
• In the Available register users field, select registered users and click << to add them to Register users bound to the rule set.
• In the Register users bound to the rule set field, select registered users and click >> to unbind them.
Users in the Available register users field are added in User management.
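Tables 280 and 281 define the pieces of call authority control (rule sets of direction/permit-or-deny/number-pattern rules, applied globally or bound to selected registered users) without spelling out how a call is evaluated against them. The following Python is an added example, not H3C code, of one consistent evaluation: CallRule, CallRuleSet, call_permitted and department_rule_sets are names chosen here; that a pattern must cover the whole number, that the pattern is matched against the called number for outgoing calls and the calling number for incoming calls, that any matching deny rule overrides permit rules, and that a call matching no rule falls back to a configurable default are all assumptions of this example. The sample rule sets are constructed for the Department A and Department B requirements given in the configuration example later in this chapter, additionally assuming that external numbers are 11 digits starting with 0.

```python
"""Evaluation of SIP local survival call rule sets (added example, not H3C code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def pattern_to_regex(pattern: str) -> str:
    """Digits optionally followed by dots (one dot = one digit); nothing else."""
    m = re.fullmatch(r"([0-9]*)(\.*)", pattern)
    if not m or not pattern:
        raise ValueError(f"unsupported number pattern {pattern!r}")
    digits, dots = m.groups()
    return re.escape(digits) + "[0-9]" * len(dots)


@dataclass
class CallRule:
    rule_id: int
    direction: str    # "outgoing" or "incoming"
    authority: str    # "permit" or "deny"
    number_pattern: str

    def __post_init__(self) -> None:
        if self.direction not in ("outgoing", "incoming"):
            raise ValueError("direction must be outgoing or incoming")
        if self.authority not in ("permit", "deny"):
            raise ValueError("authority must be permit or deny")
        self._regex = re.compile(pattern_to_regex(self.number_pattern))

    def matches(self, direction: str, number: str) -> bool:
        # Whole-number match is an assumption of this example.
        return direction == self.direction and self._regex.fullmatch(number) is not None


@dataclass
class CallRuleSet:
    rule_set_id: int
    rules: List[CallRule]
    applied_globally: bool = False                       # Applied Globally: Enable
    bound_users: Set[str] = field(default_factory=set)   # Register users bound to the rule set

    def applies_to(self, user_id: str) -> bool:
        return self.applied_globally or user_id in self.bound_users


def call_permitted(rule_sets: List[CallRuleSet], user_id: str, direction: str,
                   number: str, default_permit: bool = True) -> bool:
    """Decide whether a call of a registered user is allowed.

    number is the called number for outgoing calls and the calling number for
    incoming calls. Over all rule sets that apply to the user, a matching deny
    rule wins over any matching permit rule; with no matching rule the default
    applies. These precedence details are assumptions of this example.
    """
    decision: Optional[bool] = None
    for rule_set in rule_sets:
        if not rule_set.applies_to(user_id):
            continue
        for rule in sorted(rule_set.rules, key=lambda r: r.rule_id):
            if rule.matches(direction, number):
                if rule.authority == "deny":
                    return False
                decision = True
    return decision if decision is not None else default_permit


def department_rule_sets() -> List[CallRuleSet]:
    """Constructed rule sets for the Department A/B requirements: no external
    calls for anyone (external numbers assumed to be 11 digits starting with 0)
    and phone 5000 may not call phone 1000."""
    no_external = CallRuleSet(1, [CallRule(1, "outgoing", "deny", "0" + "." * 10)],
                              applied_globally=True)
    block_5000_to_1000 = CallRuleSet(2, [CallRule(1, "outgoing", "deny", "1000")],
                                     bound_users={"5000"})
    return [no_external, block_5000_to_1000]


if __name__ == "__main__":
    sets = department_rule_sets()
    for user, direction, number in [("1000", "outgoing", "01055512345"),
                                    ("5000", "outgoing", "1000"),
                                    ("5001", "outgoing", "1000")]:
        print(user, direction, number, "->", call_permitted(sets, user, direction, number))
```

Deny-overrides evaluation is the conservative choice for an access-control decision of this kind: adding a second rule set to a user can only narrow what the user may call, never widen it.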

SIP local survival configuration examples


Configuring local SIP server to operate in alone mode
Network requirements
Configure the local SIP server on Router C to operate in alone mode so that the phones register with the
local SIP server and they can make and receive calls through the local SIP server.

Figure 769 Network diagram

Configuring Router C
# Configure the router to operate in the alone mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the following page.
Figure 770 Configuring alone mode

2. Select Enable for Server Running State.


3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure user 1000.
6. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.

751
Figure 771 Configuring a user

7. Enter 1000 for User ID.


8. Enter 1000 for Telephone Number.
9. Enter 1000 for Authentication Username.
10. Enter 1000 for Authentication Password.
11. Click Apply.
# Configure user 5000 in a similar way.

Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the username is 1000, and the password is 1000.
2. Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 2.1.1.2.

Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the username is 5000, and the password is 5000.
2. Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable registration,
and configure the main registrar’s IP address as 2.1.1.2.

Verifying the configuration


• Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that numbers 1000 and 5000 have been registered with the local SIP
server on Router C.
• Phones 1000 and 5000 can call each other through the local SIP server.

Configuring local SIP server to operate in alive mode
Network requirements
Router A and Router B carry out call services through the remote voice server VCX. Configure the local
SIP server on Router A to operate in alive mode, so that calls can be originated or received through
Router A when the VCX fails. When the VCX recovers, it will take over call services again.
Figure 772 Network diagram

Configuring Router A
# Configure the IP address of Ethernet 1/1 as 1.1.1.2, and the IP address of the sub interface as 2.1.1.2.
(Details not shown.)
# Configure the local SIP server to operate in alive mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the following page.
Figure 773 Configuring alive mode

2. Select Enable for Server Running State.


3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alive for Server Operation Mode.

5. Enter 3.1.1.1 for Remote Server IP Address.
6. Click Apply.
# Configure user 1000.
7. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
Figure 774 Configuring a user

8. Enter 1000 for User ID.


9. Enter 1000 for Telephone Number.
10. Click Apply.
# Configure user 5000 in a similar way.

Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, and the bound line is line2/0.
2. Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 3.1.1.2, and the backup registrar’s IP address as
2.1.1.2.

Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, and the bound line is line2/0.
2. Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the SIP routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 3.1.1.2, and the backup registrar’s IP address as
2.1.1.2

Verifying the configuration
• When the VCX fails, the local SIP server on Router A starts to accept registrations from phones,
which then can call each other through Router A. Select Voice Management > States and Statistics >
Local Survival Service States from the navigation tree. You can find that numbers 1000 and 5000
have been registered with the local SIP server on Router A.
• When the VCX recovers, Router A disables the local SIP server, and the phones register with the
VCX again.

Configuring call authority control


Network requirements
The numbers for Department A in a company are in the range of 1000 to 1999, while those for
Department B are in the range of 5000 to 5999. The following restrictions need to be implemented:
• Phones in Department A and Department B cannot originate external calls.
• Phone 5000 is not allowed to call phone 1000.
Figure 775 Network diagram

Configuring the local SIP server on Router C


# Configure the local SIP server to operate in alone mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the following page.

Figure 776 Configuring alone mode

2. Select Enable for Server Running State.


3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure user 1000.
6. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
Figure 777 Configuring a user

7. Enter 1000 for User ID.


8. Enter 1000 for Telephone Number.
9. Enter 1000 for Authentication Username.
10. Enter 1000 for Authentication Password.
11. Click Apply.
# Configure users with phone numbers 1111, 5000, and 5555 in a similar way.

# Configure call rule set 0.
12. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree,
and click Add to access the following page.
Figure 778 Configuring call rule set 0

13. Enter 0 for Rule Set ID.


14. Add three rules as shown in Figure 778.
15. Click Apply.
# Apply call rule set 0.
16. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree,
and click the icon of call rule set 0 to access the following page.

Figure 779 Applying call rule set 0

17. Select Enable for Applied Globally.


18. Click Apply.
# Configure call rule set 2.
19. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree,
and click Add to access the following page.
Figure 780 Configuring call rule set 2

20. Enter 2 for Rule Set ID.

21. Add a rule as shown in Figure 780.
22. Click Apply.
# Apply call rule set 2.
23. Select Voice Management > SIP Local Survival > Call Authority Control from the navigation tree,
and click the icon of call rule set 2 to access the following page.
Figure 781 Applying call rule set 2

24. Click 5000 in Available register users, and then click << to add it to Register users bound to the
rule set.
25. Click Apply.

Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
2. Configure a local number in the local number configuration page: The ID is 1111, the number is
1111, the bound line is line2/1, the user name is 1111, and the password is 1111.
3. Configure a call route to Router B in the call route configuration page: The ID is 5000, the
destination number is 5…, the routing type is SIP, and the SIP routing method is proxy server.
4. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 2.1.1.2.

Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.

2. Configure a local number in the local number configuration page: The ID is 5555, the number is
5555, the bound line is line2/1, the user name is 5555, and the password is 5555.
3. Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1…, the routing type is SIP, and the SIP routing method is proxy server.
4. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 2.1.1.2.

Verifying the configuration


• Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that numbers 1000, 1111, 5000, and 5555 have been registered with
the local SIP server on Router C.
• The four phones cannot call external numbers, and phone 5000 cannot call phone 1000.
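The restrictions in this example can be read as two ordered rule sets: rule set 0 applied globally, and rule set 2 bound only to registered user 5000. The following Python model is an added illustration, not H3C code and not the device's rule syntax (the real rules are visible only in Figure 778). Rule fields, first-match evaluation, and the assumption that rule sets bound to the caller are consulted before globally applied ones are the author's modelling choices, not documented device behaviour.

```python
"""Model of the call authority control policy from this example (added illustration,
not H3C code). Rule fields, first-match evaluation and the order in which bound and
global rule sets are consulted are assumptions; the device's own rule syntax is only
visible in Figure 778."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    caller: str   # regular expression matched against the whole calling number
    callee: str   # regular expression matched against the whole called number


@dataclass
class RuleSet:
    rule_set_id: int
    rules: list
    applied_globally: bool = False
    bound_users: set = field(default_factory=set)   # registered users the set is bound to


# Constructed from the network requirements: 1000-1999 and 5000-5999 are internal.
INTERNAL = r"(1|5)\d{3}"

RULE_SETS = [
    # Rule set 0, applied globally: department phones may only reach internal numbers.
    RuleSet(0, [
        Rule("permit", r"1\d{3}", INTERNAL),
        Rule("permit", r"5\d{3}", INTERNAL),
        Rule("deny", INTERNAL, r".*"),        # any other destination is an external call
    ], applied_globally=True),
    # Rule set 2, bound to registered user 5000: 5000 may not call 1000.
    RuleSet(2, [Rule("deny", r"5000", r"1000")], bound_users={"5000"}),
]


def _matches(rule: Rule, caller: str, callee: str) -> bool:
    return bool(re.fullmatch(rule.caller, caller)) and bool(re.fullmatch(rule.callee, callee))


def call_permitted(caller: str, callee: str, rule_sets=RULE_SETS, default_permit=True) -> bool:
    """Decide whether the local SIP server should route caller -> callee.

    Rule sets bound to the caller are consulted before the globally applied ones,
    so a per-user restriction can override the global policy. The first rule that
    matches both numbers decides; with no match the default applies.
    """
    bound = [rs for rs in rule_sets if not rs.applied_globally and caller in rs.bound_users]
    global_sets = [rs for rs in rule_sets if rs.applied_globally]
    for rs in bound + global_sets:
        for rule in rs.rules:
            if _matches(rule, caller, callee):
                return rule.action == "permit"
    return default_permit


if __name__ == "__main__":
    for caller, callee in [("5000", "1000"), ("5555", "1000"), ("1000", "5000"), ("1000", "02112345678")]:
        verdict = "permit" if call_permitted(caller, callee) else "deny"
        print(f"{caller} -> {callee}: {verdict}")
```

Because the bound set is evaluated first, the deny in rule set 2 wins even though rule set 0 would permit 5000 to 1000 as an internal call. If the device evaluated the global set first, rule set 2 would never be reached, so the verification step (5000 cannot call 1000) is worth running rather than assuming.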

Configuring an area prefix


Network requirements
The internal numbers of a company are four digits long and the area prefix is 8899. An external user
must dial the area prefix 8899 before an internal number. The local SIP server on Router C removes the
area prefix from the dialed number and calls the four-digit internal number. The external phone attached
to Router A is not registered with Router C, so Router A is configured as a trusted node to make Router C
accept its calls. The internal phone attached to Router B is registered with Router C.
Figure 782 Network diagram

Configuring the local SIP server on Router C


# Configure the local SIP server to operate in alone mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the following page.

Figure 783 Configuring alone mode

2. Select Enable for Server Running State.


3. Enter 2.1.1.2 in IP Address Bound to the Server.
4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure Router A as a trusted node.
6. Select Voice Management > SIP Local Survival > Trusted Nodes from the navigation tree to access
the following page.
Figure 784 Configuring a trusted node

7. Type 1.1.1.1 for IP Address.


8. Click Apply.
# Configure area prefix 8899.
9. Select Voice Management > SIP Local Survival > Area Prefix from the navigation tree to access the
following page.

Figure 785 Configuring an area prefix

10. Enter 8899 for Area Prefix.


11. Click Add a Prefix.
12. Click Apply.
# Configure user 5000.
13. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
Figure 786 Configuring user 5000

14. Enter 5000 for User ID.


15. Enter 5000 for Telephone Number.
16. Enter 5000 for Authentication Username.
17. Enter 5000 for Authentication Password.
18. Click Apply.

Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 55661000, the
number is 55661000, and the bound line is line2/0.
2. Configure a call route to Router B in the call route configuration page: The ID is 88995000, the
destination number is 88995000, the routing type is SIP, and the destination address is 2.1.1.2.

Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 5000, the number is
5000, the bound line is line2/0, the user name is 5000, and the password is 5000.
2. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 2.1.1.2.

Verifying the configuration
• Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that number 5000 has been registered with the local SIP server on
Router C.
• Place a call from phone 55661000 to phone 88995000. The local SIP server on Router C removes
the area prefix 8899 from the called number, and alerts internal phone 5000. Pick up phone 5000.
The call is established.

Configuring a call-out route


Network requirements
The internal numbers of a company are four-digit long and the area prefix is 8899. External phone
55665000 attached to Router B is not registered with the local SIP server on Router C; internal phone
1000 attached to Router A is already registered with Router C. When a user in the company dials the
external number, the local SIP server will route the call according to the configured call-out route and add
area prefix 8899 to the calling number.
Figure 787 Network diagram

Configuring the local SIP server on Router C


# Configure the local SIP server to operate in alone mode.
1. Select Voice Management > SIP Local Survival > Service Configuration from the navigation tree to
access the page for configuring services.
Figure 788 Configuring alone mode

2. Select Enable for Server Running State.


3. Enter 2.1.1.2 in IP Address Bound to the Server.

4. Select Alone for Server Operation Mode.
5. Click Apply.
# Configure a call-out route.
6. Select Voice Management > SIP Local Survival > Call-Out Route from the navigation tree, and click
Add to access the following page.
Figure 789 Configuring a call-out route

7. Enter 0 for ID.


8. Enter 55665000 for Destination Number Prefix, and 8 for Number Length.
9. Enter 2.1.1.1 for Destination IP Address.
10. Enter 8899 for Area Prefix.
11. Click Apply.
# Configure user 1000.
12. Select Voice Management > SIP Local Survival > User Management from the navigation tree, and
click Add to access the following page.
Figure 790 Configuring user 1000

13. Enter 1000 for User ID.


14. Enter 1000 for Telephone Number.
15. Enter 1000 for Authentication Username.
16. Enter 1000 for Authentication Password.
17. Click Apply.

Configuring Router A
1. Configure a local number in the local number configuration page: The ID is 1000, the number is
1000, the bound line is line2/0, the user name is 1000, and the password is 1000.
2. Configure a call route to Router B in the call route configuration page: The ID is 55665000, the
destination number is 55665000, the routing type is SIP, and the routing method is proxy server.

Configuring Router B
1. Configure a local number in the local number configuration page: The ID is 55665000, the
number is 55665000, and the bound line is line2/0.
2. Configure a call route to Router A in the call route configuration page: The ID is 1000, the
destination number is 1000, the routing type is SIP, and the routing method is proxy server.
3. Configure SIP registration in the connection properties configuration page: Enable SIP registration,
and configure the main registrar’s IP address as 2.1.1.2.

Verifying the configuration


• Select Voice Management > States and Statistics > Local Survival Service States from the
navigation tree. You can find that number 1000 has been registered with the local SIP server on
Router C.
• Place a call from phone 1000 to phone 55665000. The local SIP server on Router C adds prefix
8899 before the calling number, and sends the call to phone 55665000. Pick up phone
55665000. The call is established.
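The area-prefix example and the call-out route example are the two directions of one number-translation job on the local SIP server: strip the area prefix from the called number on the way in, add it to the calling number on the way out. The Python model below is an added illustration, not H3C code; the lookup order, the rule that an inbound call is accepted only from a trusted node or a registered user, and the merged configuration of Router C are assumptions built from the two examples.

```python
"""Number translation performed by the local SIP server in the area-prefix and
call-out-route examples above (added illustration, not H3C code). The lookup order,
the treatment of trusted nodes and the assumption that an inbound call is accepted
only from a trusted node or a registered user are modelled from the examples, not
taken from the device's implementation."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class CallOutRoute:
    route_id: int
    dest_prefix: str     # Destination Number Prefix
    number_length: int   # Number Length
    dest_ip: str         # Destination IP Address
    area_prefix: str     # Area Prefix prepended to the calling number


@dataclass
class LocalSipServer:
    bound_ip: str
    trusted_nodes: set = field(default_factory=set)
    area_prefixes: list = field(default_factory=list)
    registered_users: set = field(default_factory=set)
    call_out_routes: list = field(default_factory=list)

    def translate_inbound(self, source_ip: str, caller: str, called: str) -> Optional[str]:
        """Inbound leg: return the internal number to alert, or None to reject.

        A trusted node is accepted without registration; anyone else must be a
        registered user. A configured area prefix is stripped from the called number.
        """
        if source_ip not in self.trusted_nodes and caller not in self.registered_users:
            return None
        for prefix in self.area_prefixes:
            if len(called) > len(prefix) and called.startswith(prefix):
                called = called[len(prefix):]
                break
        return called if called in self.registered_users else None

    def route_outbound(self, caller: str, called: str) -> Optional[Tuple[str, str, str]]:
        """Outbound leg: (destination IP, rewritten calling number, called number).

        A call-out route matches on destination prefix plus total number length;
        the route's area prefix is prepended to the calling number so the far end
        can dial the internal phone back through the same prefix.
        """
        if caller not in self.registered_users:
            return None
        for route in self.call_out_routes:
            if len(called) == route.number_length and called.startswith(route.dest_prefix):
                return route.dest_ip, route.area_prefix + caller, called
        return None


# Constructed configuration merging the two examples: Router C at 2.1.1.2 trusts
# Router A (1.1.1.1), strips area prefix 8899, and has users 1000 and 5000 registered.
ROUTER_C = LocalSipServer(
    bound_ip="2.1.1.2",
    trusted_nodes={"1.1.1.1"},
    area_prefixes=["8899"],
    registered_users={"1000", "5000"},
    call_out_routes=[CallOutRoute(0, "55665000", 8, "2.1.1.1", "8899")],
)

if __name__ == "__main__":
    print(ROUTER_C.translate_inbound("1.1.1.1", "55661000", "88995000"))   # 5000
    print(ROUTER_C.route_outbound("1000", "55665000"))                     # ('2.1.1.1', '88991000', '55665000')
```

The trusted-node check is the security-relevant line: a source in that list reaches internal phones without registering, so the list should contain only the SIP peers that genuinely need it, and the Local Survival Service States page should be used to confirm that everything else is registering with credentials.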

Configuring IVR

Overview
Interactive voice response (IVR) is used in voice communications. You can use the IVR system to customize
interactive operations and add voice guidance to other services. When a subscriber dials an IVR access
number, the IVR system plays a prerecorded voice prompt telling the subscriber what to do, for example,
to dial a number.

Advantages
A conventional interactive voice system uses fixed audio files and operations. IVR enables you to
customize your own interactive system by adding, modifying, and removing audio files. IVR has the
following advantages.

Customizable voice prompts


Voice prompts can be saved as audio files, which must be .wav files. You can record personalized voice
prompts and upload the audio files to the voice devices. The customizable voice prompts can be played
to subscribers. The adding, modifying and removing operations in the IVR system are simple and easy to
use, and the configurations take effect instantly.

Various codecs
The IVR system supports four codecs for voice prompts: G.711alaw, G.711ulaw, G.723r53, and G.729r8.
Each codec has its advantages and disadvantages: G.711alaw and G.711ulaw provide high voice quality
but require more memory space; G.723r53 and G.729r8 provide relatively low voice quality but require
less memory space.

Flexible node configuration


To simplify configuration, the IVR system uses nodes as basic units for configuration. You can define three
types of nodes: call node, jump node, and service node. Each node type has a single function, and you
can combine them to realize complex functions.
• Call node—Executes a secondary call.
• Jump node—Jumps to another node according to the input of the subscriber.
• Service node—Executes various operations, such as executing an immediate secondary call, auto
jumping, terminating a call, and playing an audio file.

Customizable process
You can customize the interactive process easily. For example, configure custom IVR access numbers,
voice prompts, and combinations of keys and voice prompts.

Successive jumping
An IVR process can jump from node to node at most eight times in succession.

Error processing methods


The IVR system provides three error processing methods: terminate the call, jump to a specified node,
and return to the previous node. You can select an error processing method for a call node, a jump node,
or globally to handle errors.

Timeout processing methods


The IVR system provides three timeout processing methods: terminate the call, jump to a specified node,
and return to the previous node. You can select a timeout processing method for a call node, a jump node,
or globally to handle the keypress timeout event.

Various types of secondary calls


The IVR system supports immediate secondary call, normal secondary call, and extension secondary
call:
• A subscriber makes an immediate secondary call without the need of dialing the number of the
called party. Immediate secondary calls are executed by service nodes.
• A subscriber makes a normal secondary call by dialing the number of the called party. Normal
secondary calls are executed by call nodes. You can configure a call node to match the number
length, to match a terminator, or to match the number itself.
• A subscriber makes an extension secondary call by dialing the extension number of the called party.
Extension secondary calls are executed by call nodes.

Configuring IVR
Uploading media resource files
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
access the following page.
Figure 791 Media file list

You can click the icon next to a media resource file to save the file to a specified directory.
Click Add. The following page appears.
Figure 792 Configuring media resource

Table 282 Configuration items

Item Description
Media Resource ID Set a media resource ID.

Rename Media Resource Type a name for the media resource file.

Upload Media Resource Upload media resource files for g729r8, g711alaw, g711ulaw, and g723r53.

Importing a media resource through an MoH audio input port


Select Voice Management > IVR Services > Media Resources Management from the navigation tree, and
click the Audio Card List tab.
Figure 793 Audio card list

Click the icon of a media resource to access the following page.

Figure 794 Modifying a media resource

Table 283 Configuration item

Item Description
Media resource ID Set a media resource ID.

Configuring the global key policy


Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and click the
Global Key Policy tab.
Figure 795 Global key policy

Table 284 Configuration items

Input Error Processing Method
Max Count of Input Errors: Enter the maximum number of input errors.
Play Voice Prompts for Input Errors: Enable or Disable. Not enabled by default.
Voice Prompts: Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count: Set the number of times the voice prompt is played.

Input Timeout Processing Method
Max Count of Input Timeouts: Set the maximum number of input timeouts.
Timeout Time: Set the timeout time.
Play Voice Prompts for Input Timeout: Enable or Disable. Not enabled by default.
Voice Prompts: Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Voice Prompts Play Count: Set the number of times the voice prompt is played.

Configuring IVR nodes


You can configure three types of IVR nodes: call node, jump node, and service node.
Avoid the following misconfiguration:
• No operation is configured for a node.
• Several nodes form a loop. The subscriber has no other options except jumping around these
nodes.
• The IVR process jumps from node to node for more than eight times.
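The three misconfigurations above can be caught before a subscriber hits them, because each is a property of the node graph: a node with nothing to do, a set of nodes that only jump among themselves with no terminate or secondary-call action anywhere reachable, and a jump chain longer than the eight-hop limit. The checker below is an added illustration, not H3C code; the node model (jump targets, actions that leave the IVR, voice prompts) and the sample graph are constructed for the example.

```python
"""Static check of an IVR node graph for the three misconfigurations listed above
(added illustration, not H3C code). Nodes are reduced to the actions that matter
for the check: jumps to other nodes, actions that leave the IVR (terminate or a
secondary call) and voice prompts. The node model is an assumption."""
from dataclasses import dataclass, field

MAX_SUCCESSIVE_JUMPS = 8   # limit stated in the overview


@dataclass
class IvrNode:
    node_id: int
    kind: str                                  # "call", "jump" or "service"
    jumps: list = field(default_factory=list)  # targets of "jump to a specified node"
    leaves: bool = False                        # terminate or secondary call configured
    plays: bool = False                         # plays a voice prompt


def _can_leave(nodes: dict) -> set:
    """Node IDs from which a terminate/secondary-call action is reachable (reverse BFS)."""
    rev = {nid: [] for nid in nodes}
    for nid, node in nodes.items():
        for target in node.jumps:
            rev.setdefault(target, []).append(nid)
    frontier = [nid for nid, node in nodes.items() if node.leaves]
    leave = set(frontier)
    while frontier:
        for pred in rev.get(frontier.pop(), []):
            if pred not in leave:
                leave.add(pred)
                frontier.append(pred)
    return leave


def _jump_cycle_members(nodes: dict, subset: set) -> set:
    """Node IDs lying on a jump cycle whose nodes are all in `subset` (DFS colouring)."""
    state, on_cycle = {}, set()

    def dfs(nid, path):
        state[nid] = "visiting"
        path.append(nid)
        for target in nodes[nid].jumps:
            if target not in subset:
                continue
            if state.get(target) == "visiting":
                on_cycle.update(path[path.index(target):])
            elif target not in state:
                dfs(target, path)
        path.pop()
        state[nid] = "done"

    for nid in subset:
        if nid not in state:
            dfs(nid, [])
    return on_cycle


def _longest_jump_chain(nodes: dict, entry: int, seen=frozenset()) -> int:
    """Number of jumps along the longest simple path starting at the entry node."""
    if entry in seen or entry not in nodes:
        return 0
    seen = seen | {entry}
    return max((1 + _longest_jump_chain(nodes, t, seen) for t in nodes[entry].jumps), default=0)


def validate(nodes: dict, entry: int) -> list:
    """Return (problem, node_id) pairs for the misconfigurations the guide warns about."""
    problems = []
    for nid, node in nodes.items():
        if not (node.jumps or node.leaves or node.plays):
            problems.append(("no-operation", nid))
    trapped = set(nodes) - _can_leave(nodes)        # the subscriber can never get out of these
    for nid in sorted(_jump_cycle_members(nodes, trapped)):
        problems.append(("jump-loop", nid))
    if _longest_jump_chain(nodes, entry) > MAX_SUCCESSIVE_JUMPS:
        problems.append(("too-many-jumps", entry))
    return problems


# Constructed example: 20 is the menu bound to the access number, 30 and 40 jump to
# each other without any way out, and 50 has nothing configured.
EXAMPLE = {
    10: IvrNode(10, "call", plays=True, leaves=True),
    20: IvrNode(20, "jump", jumps=[10, 30], leaves=True, plays=True),
    30: IvrNode(30, "service", jumps=[40], plays=True),
    40: IvrNode(40, "service", jumps=[30]),
    50: IvrNode(50, "jump"),
}

if __name__ == "__main__":
    for problem in validate(EXAMPLE, entry=20):
        print(problem)
```

A loop is only reported when no node in it can reach an exit, which is the case the guide describes (the subscriber has no option except to keep jumping); a menu that loops back to itself but also offers a terminate key is not flagged.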

Configuring a call node


Use call nodes to configure the secondary call function. You can configure two kinds of dial plans for a
call node: normal secondary call and extension secondary call. If you configure both dial plans for a call
node, the extension secondary call plan takes precedence over the normal secondary call plan.
To handle input errors and input timeouts, configure error processing and timeout processing methods for
a node. If you do not configure the methods, global processing methods apply.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Call
Node List tab, and click Add to access the following page.

Figure 796 Configuring a call node

Table 285 Configuration items

Node ID: Enter a node ID.
Description: Enter a description for the node.
Play Voice Prompts: Enable or Disable. Disabled by default. The following options are available for playing voice prompts:
• Mandatory play—Only after the voice prompts end can the subscriber press keys effectively.
• Voice prompts—Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.
• Play count—Number of play times.
By default, mandatory play is disabled, and the play count is 1.

Input Method
Input Error Processing Method: Terminate the call, Jump to a specified node, or Return to the previous node. By default, the node uses the input error processing method configured in the global key policy.
Specify A Node: Specify the node to which the subscriber is directed when the number of input errors reaches the maximum.
Max Count of Input Errors: Specify the maximum number of input errors.
Play Voice Prompts for Input Errors: Enable or Disable. Not enabled by default.
Voice Prompts: Select a voice prompt file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.
Play Count: Number of play times.
Input Timeout Processing Method: Terminate the call, Jump to a specified node, or Return to the previous node. By default, the node uses the input timeout processing method configured in the global key policy.
Specify A Node: Specify the node to which the subscriber is directed when the number of input timeouts reaches the maximum.
Max Count of Input Timeouts: Specify the maximum number of input timeouts.
Timeout Time: Specify the timeout time.
Play Voice Prompts for Input Timeout: Enable or Disable. Not enabled by default.
Voice Prompts: Select a voice prompt file. You can configure voice prompt files in Voice Management > IVR Services > Media Resources Management.
Play Count: Number of play times.

Secondary-Call
Number Match Mode: Match the terminator of the numbers, Match the length of the numbers, or Match the local number and route. At least one of the number match mode and the extension secondary call must be configured.
Length of Numbers: Enter the number length.
Terminator: Enter the terminator.

Extension Secondary-Call
Extension Number / Corresponding Number: Associate an extension number with the corresponding number. You can click Add a Rule to configure a rule for executing the secondary call. By default, no extension secondary call is configured.

Configure a jump node


You can configure the following functions for a jump node: playing audio files, jumping to another node,
and terminating a call. You can also configure error processing and timeout processing methods for the
jump node. If you do not configure these methods, the jump node uses the global methods.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Jump
Node List tab, and click Add to access the following page.

Figure 797 Configuring a jump node

Table 286 Configuration items

Node ID: Enter a node ID.
Description: Enter a description for the node.
See Table 285 for descriptions of the other items.
Key mapping: Map actions to keys. Actions include:
• Terminate the call.
• Jump to a specified node. If this option is selected, you need to select the target node from the Specify a node list.
• Return to the previous node.
No key mapping is configured by default.

Configure a service node


The functions of a service node include playing audio files, jumping to another node, executing
immediate secondary call, and terminating a call.
You can configure at most three functions for a service node. If an executed function jumps to another
node or terminates the call, the remaining functions are not executed.
Because a service node has no need to wait for subscriber input, the error processing and timeout
processing methods are unavailable for a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, click the Service
Node List tab, and click Add to access the following page.
Figure 798 Configuring a service node

Table 287 Configuration items

Node ID: Enter a node ID.
Description: Enter a description for the node.
Operation Configuration: Select up to three operations:
• Terminate the call.
• Jump to a specified node. If this operation is selected, you must select a node from the Specify A Node list.
• Return to the previous node.
• Play voice prompts. If this operation is selected, you must select a voice prompt file from the Voice Prompt File list.
• Immediate secondary-call. If this operation is selected, you must type the secondary call number in the Secondary-call Number field.
Execution Order: Select the execution order.

Configuring access number management


Configuring an access number
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to access the following page.
Figure 799 Configuring an access number

Table 288 Configuration items

Number ID: Enter a number ID in the range of 30000 to 39999.
Number: Enter the access number.
Bind to Menu: Bind a node in the list to the access number. You can configure the nodes in Voice Management > IVR Services > Advanced Settings.
Description: Enter a description for the access number.
Register Function: Enable or Disable. The following registration parameters are configurable when Enable is selected.
Register Username: Enter the username for registration.
Register Password: Enter the password for registration.
Cnonce Name: Enter the cnonce name for handshake authentication.
Realm Name: Enter the realm name for handshake authentication.
IMPORTANT: The realm name must be consistent with that configured on the server. Otherwise, authentication will fail. If no realm name is configured, the device trusts the realm name from the server.
Status: Enable enables the access number; Disable disables it.
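The realm requirement in Table 288 follows from how SIP registration authenticates: SIP reuses HTTP digest authentication (RFC 3261 section 22, RFC 2617), and the realm is hashed into HA1 together with the username and password, so a device that answers with a different realm produces a response the registrar cannot reproduce. The Python below is an added illustration of that exchange, not H3C code; the realm, nonce, cnonce and password values are constructed for the example.

```python
"""SIP digest registration with the fields from Table 288 (added illustration, not
H3C code). SIP reuses HTTP digest authentication (RFC 3261 section 22, RFC 2617):
the realm is hashed into HA1 together with the username and password, which is why
a realm that differs from the registrar's makes authentication fail. Names, nonce
and realm values are constructed for the example."""
import hashlib
import hmac
import re


def _md5(text: str) -> str:
    # MD5 is what the SIP digest scheme specifies; it protects the password only as
    # far as the nonce is fresh and the signalling transport itself is protected.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    ha1 = _md5(f"{username}:{realm}:{password}")   # the realm is part of the secret hash
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(username, realm, password, uri, nonce, cnonce, method="REGISTER"):
    """Build the Authorization header a device sends after a 401 challenge."""
    response = digest_response(username, realm, password, method, uri, nonce, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc=00000001, cnonce="{cnonce}", response="{response}", algorithm=MD5')


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict (values may be quoted or bare)."""
    body = header.split(" ", 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', body)}


def registrar_accepts(header: str, password: str, registrar_realm: str, nonce: str, method="REGISTER") -> bool:
    """Registrar side: recompute the response with its own realm and the nonce it issued."""
    f = parse_digest(header)
    if f.get("nonce") != nonce:                    # stale or replayed challenge
        return False
    expected = digest_response(f["username"], registrar_realm, password, method, f["uri"],
                               nonce, f["cnonce"], f.get("nc", "00000001"), f.get("qop", "auth"))
    return hmac.compare_digest(expected, f.get("response", ""))


# Constructed values: the registrar issues this nonce in its 401 challenge.
NONCE = "6f2c1f4e9b"
REALM = "voice.example"

if __name__ == "__main__":
    ok = authorization_header("300", REALM, "s3cret", "sip:voice.example", NONCE, "0a1b2c")
    bad = authorization_header("300", "other.example", "s3cret", "sip:voice.example", NONCE, "0a1b2c")
    print(registrar_accepts(ok, "s3cret", REALM, NONCE))    # True
    print(registrar_accepts(bad, "s3cret", REALM, NONCE))   # False: a different realm changes HA1
```

The table notes that an unset realm makes the device trust whatever realm the server sends. Setting it explicitly is the safer choice: the device then only computes a digest for the realm it was configured for, rather than for any realm a responder on the path chooses to present.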

Configuring advanced settings for the access number


Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click the icon of the configured access number to access the following page.
Figure 800 Configuring advanced settings

For information about advanced settings, see "Advanced settings."

IVR configuration examples
Configure a secondary call on a call node (match the
terminator of numbers)
Network requirements
As shown in Figure 801, configure an IVR access number and call node functions on Router B to meet the
following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav.
• The subscriber dials 50# at Telephone A to originate a secondary call and then Telephone B1 rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 801 Network diagram
Telephone A (number 100) is attached to Router A. Router A (Eth1/1, 1.1.1.1/24) connects to Router B (Eth1/1, 1.1.1.2/24). Telephone B1 (number 50) and Telephone B2 (number 500) are attached to Router B.

Configuring Router A
# Configure a local number and call route.
1. Configure a local number in the local number configuration page: The number ID is 100, the
number is 100, and the bound line is line 1/0.
2. Configure a route to Router B in the call route configuration page: The route ID is 300; the
destination number is 300, the SIP routing method is IP routing, the destination IP address is
1.1.1.2, and the DTMF transmission mode is out-of-band.

Configuring Router B
# Configure local numbers in the local number configuration page:
• Local number 500: The number ID is 500, the number is 500, and the bound line is line 1/0.
• Local number 50: The number ID is 50, the number is 50, and the bound line is line 1/1.
# Upload g729r8 media resource files.
Select Voice Management > IVR Services > Media Resources Management from the navigation tree to
access the following page.

Figure 802 Uploading a media resource file

1. Enter 10001 for Media Resource ID.


2. Enter welcome for Rename Media Resource.
3. Click the Browse button of g729r8 codec to select the target file.
4. Click Apply.
Use the same method to upload the other g729r8 media resource files: timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
• If no number is dialed at Telephone A within the timeout time, Router B plays audio file timeout.wav.
If the number of timeouts reaches four, Router B terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav. If the number of input errors reaches three, Router B terminates the call.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and select the
Global Key Policy tab.

Figure 803 Configuring the global key policy

5. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice
Prompts list.
6. Type 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice
Prompts for Input Timeout; select timeout from the Voice Prompts list.
7. Click Apply.
Configure the call node to achieve the following:
8. The subscriber dials the number 300 at Telephone A, and hears the voice prompts of audio file
welcome.wav. After that, the subscriber dials 50# at Telephone A, and Telephone B1 rings.
9. Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.

Figure 804 Configuring a call node

10. Type 10 for Node ID.


11. Type play-welcome for Description.
12. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
13. Select Match the terminator of the numbers from the Number Match Mode list; type # for
Terminator.
14. Click Apply.
# Configure the access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree, and
click Add to access the following page.

Figure 805 Configuring an access number

15. Type 30000 for Number ID.


16. Type 300 for Number.
17. Select play-welcome from the Bind to Menu list.
18. Click Apply.

Verifying the configuration


1. Dial the number 300 at Telephone A.
The call node plays audio file welcome.wav.
2. Dial 50# at Telephone A.
Telephone B1 rings.

Configure a secondary call on a call node (match the number length)
Network requirements
As shown in Figure 806, configure an IVR access number and call node functions on Router B to meet the
following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure the number match length as 3, that is, when the subscriber dials 500
that matches number length 3, Telephone B2 rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.

Figure 806 Network diagram
Telephone A (number 100) is attached to Router A. Router A (Eth1/1, 1.1.1.1/24) connects to Router B (Eth1/1, 1.1.1.2/24). Telephone B1 (number 50) and Telephone B2 (number 500) are attached to Router B.

Configuration procedure
1. Configure Router A as described in "Configure a secondary call on a call node (match the terminator of numbers)."
2. Configure Router B:
# Configure the call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.

Figure 807 Configuring the call node

a. Type 10 for Node ID.


b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the length of the numbers from the Number Match Mode list; type 3 for Length of
Numbers.
e. Click Apply.
For the other settings (media resource files, global key policy, and access number), see "Configure a secondary call on a call node (match the terminator of numbers)."

Verifying the configuration


1. Dial 300 at Telephone A.
Router B plays the audio file welcome.wav.
2. Dial 500.

Telephone B2 rings.

Configure a secondary call on a call node (match a number)


Network requirements
As shown in Figure 808, configure an IVR access number and call node functions on Router B to meet the
following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Configure number match so that when the subscriber dials 50, Telephone B1
rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 808 Network diagram
Telephone A (number 100) is attached to Router A. Router A (Eth1/1, 1.1.1.1/24) connects to Router B (Eth1/1, 1.1.1.2/24). Telephone B1 (number 50) and Telephone B2 (number 500) are attached to Router B.

Configuration procedure
1. Configure Router A as described in "Configure a secondary call on a call node (match the terminator of numbers)."
2. Configure Router B:
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.

Figure 809 Configuring a call node

a. Type 10 for Node ID.


b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Match the local number and route from the Number Match Mode list.
e. Click Apply.
For the other settings (media resource files, global key policy, and access number), see "Configure a secondary call on a call node (match the terminator of numbers)."

Verifying the configuration


1. Dial 300 at Telephone A.
Router B plays the audio file welcome.wav.
2. Dial 50.
Telephone B1 rings.

Configure an extension secondary call on a call node
Network requirements
As shown in Figure 810, configure an IVR access number and call node functions on Router B to meet the
following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then the subscriber dials 0, and Router B makes an extension secondary call so
that Telephone B rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 810 Network diagram

Configuration procedure
1. Configure Router A: See 0.
2. Configure Router B:
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.

787
Figure 811 Configuring a call node

a. Type 10 for Node ID.


b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select 0 for Extension Number.
e. Select 500 for Corresponding Number.

788
f. Click Apply.
For other settings, see 0.

Verifying the configuration


1. Dial 300 at Telephone A.
Router B plays the audio file welcome.wav.
2. Dial 0.
Telephone B rings.

Configure a jump node

Network requirements
As shown in Figure 812, configure an IVR access number and jump node functions on Router B to meet
the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file welcome.wav. Then, if the subscriber dials #, Router B terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 812 Network diagram

Configuration procedure
1. Configure Router A: see 0.
2. Configure Router B:
# Configure a jump node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Jump Node tab, and click Add to access the following page.
Figure 813 Configuring a jump node

a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Select Enable for Play Voice Prompts; select welcome from the Voice Prompts list.
d. Select Terminate the call for Key#.
e. Click Apply.
For other settings, see 0.

Verifying the configuration
1. Dial 300 at Telephone A.
Router B plays the audio file welcome.wav.
2. Dial #.
The call is terminated.

Configure an immediate secondary call on a service node

Network requirements
As shown in Figure 814, configure an IVR access number and service node functions on Router B to meet
the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Telephone B rings.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 814 Network diagram

Configuration procedure
1. Configure Router A: see 0.
2. Configure Router B:
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to access the following page.
Figure 815 Configuring a service node

a. Type 10 for Node ID.
b. Type play-welcome for Description.
c. Add two operations as shown in Figure 815.
d. Click Apply.
# Configure an access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree,
and click Add to access the following page.
Figure 816 Configuring an access number

a. Type 30000 for Number ID.
b. Type 300 for Number.
c. Select call500 from the Bind to Menu list.
d. Click Apply.
For other settings, see 0.

Verifying the configuration
Dial 300 at Telephone A. Telephone B rings.

Configure a secondary call on a service node

Network requirements
As shown in Figure 817, configure an IVR access number and service node functions on Router B to meet
the following requirements.
• After the subscriber dials 300 (the IVR access number) from Telephone A, Router B plays the audio
file bye.wav, and then terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav.
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav.
Figure 817 Network diagram

Configuration procedure
1. Configure Router A: see 0.
2. Configure Router B:
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to access the following page.
Figure 818 Configuring a service node

a. Type 10 for Node ID.
b. Type reject-call for Description.
c. Add two operations as shown in Figure 818.
d. Click Apply.
# Configure an access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree,
and click Add to access the following page.
Figure 819 Configuring an access number

a. Type 30000 for Number ID.
b. Type 300 for Number.
c. Select reject-call from the Bind to Menu list.
d. Click Apply.
For other settings, see 0.

Verifying the configuration
Dial 300 at Telephone A. Router B plays the audio file bye.wav, and then terminates the call.

Configure a call node, jump node, and service node

Network requirements
As shown in Figure 820, configure an IVR access number and configure a call node, jump node, and
service node on Router B to meet the following requirements:
After the subscriber dials 300 at Telephone A, Router B plays the audio file welcome.wav. Then,
• If the subscriber presses the * key at Telephone A, the call jumps to the service node and the
subscriber hears the voice prompts of the audio file bye.wav. After that, the service node releases the
call.
• If the subscriber presses the # key at Telephone A, the call jumps to the call node and the subscriber
hears the voice prompts of the audio file call.wav. After that, if the subscriber dials 1, Telephone B
rings.
Figure 820 Network diagram

Configuration procedure
1. Configure Router A: see 0.
2. Configure Router B:
# Configure a local number on the local number configuration page.
The number ID is 500, the number is 500, and the bound line is line 1/0.
# Upload a g729r8 media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation
tree to access the following page.
Figure 821 Uploading a g729r8 media resource file

a. Enter 10001 for Media Resource ID.
b. Enter welcome for Rename Media Resource.
c. Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.
Use the same method to upload the other g729r8 media resource files timeout, input_error, and bye.
# Configure global error and timeout processing methods to achieve the following purposes:
• If no number is dialed at Telephone A within the timeout time, Router B plays the audio file
timeout.wav. If the number of timeouts reaches four, Router B terminates the call.
• If the subscriber dials a wrong number at Telephone A, Router B plays the audio file
input_error.wav. If the number of input errors reaches three, Router B terminates the call.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, and select
the Global Key Policy tab.
Figure 822 Configuring the global key policy

a. Select Enable for Play Voice Prompts for Input Errors, and select input_error from the Voice
Prompts list.
b. Enter 4 for Max Count of Input Timeouts, and 5 for Timeout Time; select Enable for Play Voice
Prompts for Input Timeout; select timeout from the Voice Prompts list.
c. Click Apply.
# Configure a call node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Call Node tab, and click Add to access the following page.
Figure 823 Configuring a call node

a. Enter 10 for Node ID.
b. Enter play-call for Description.
c. Select Enable for Play Voice Prompts, select Enable for Mandatory Play, and select call from
the Voice Prompts list.
d. Enter 1 for Extension Number, enter 500 for Corresponding Number, and click Add a Rule.
e. Click Apply.
# Configure a service node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Service Node tab, and click Add to access the following page.
Figure 824 Configuring a service node

a. Enter 20 for Node ID.
b. Enter reject-call for Description.
c. Add two operations as shown in Figure 824.
d. Click Apply.
# Configure a jump node.
Select Voice Management > IVR Services > Advanced Settings from the navigation tree, select the
Configure Jump Node tab, and click Add to access the following page.
Figure 825 Configuring a jump node

a. Enter 10 for Node ID.
b. Enter play-welcome for Description.
c. Select Enable for both Play Voice Prompts and Mandatory Play.
d. Select welcome from the Voice Prompts list.
e. Select Jump to a specified node from the Key* list, and reject-call from its Specify a node list.
f. Select Jump to a specified node from the Key# list, and play-call from its Specify a node list.
g. Click Apply.
# Configure an access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree,
and click Add to access the following page.
Figure 826 Configuring an access number

a. Enter 30000 for Number ID.
b. Enter 300 for Number.
c. Select play-welcome from the Bind to Menu list.
d. Click Apply.

Verifying the configuration
Dial 300 at Telephone A. Router B plays the audio file welcome.wav. Then, the following events occur:
• If you press the * key at Telephone A, the call jumps to service node 20 and you hear the voice
prompts of the audio file bye.wav. After that, the service node releases the call.
• If you press the # key at Telephone A, the call jumps to call node 10 and you hear the voice
prompts of the audio file call.wav. After that, if you dial 1, Telephone B rings.

Customizing IVR services

You can customize your own IVR systems to automate services such as service query and save costs.

Create a menu
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and click Add to create a menu. The following describes settings for different types of menus, including
jump, terminate the call, enter the next menu, return to the previous menu, dial immediately, and
secondary call.

Configure a Jump menu

Select Jump from the Menu Type list to access the following page.
Figure 827 Configuring a jump menu

Table 289 Configuration items

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Jump. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Input Error Processing Method: Select one of the following methods:
• Terminate the call.
• Jump.
• Return to the previous menu.
By default, no method is set.

Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing Method is Jump to a menu.

Input Error Prompts: Select an audio file. No audio file is selected by default.

Input Timeout Processing Method: Select one of the following methods:
• Terminate the call.
• Jump to a specified node.
• Return to the previous node.
By default, no method is set.

Specify A Menu: Specify the target menu. This setting is available when the Input Timeout Processing Method is Jump to a Menu.

Timeout Prompts: Select an audio file. No audio file is selected by default.

Key Mapping: Map keys with operations, which include:
• Terminate the call.
• Jump to a menu.
• Return to the previous menu.
No key mapping is configured by default. Jump to submenu is available when the operation is Jump to a menu.

Configure a Terminate the call menu

Select Terminate the call from the Menu Type list to access the following page.
Figure 828 Configuring a Terminate the call menu

Table 290 Configuration items

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Terminate the call. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Configure a menu of type Enter the next menu

Select Enter the next menu from the Menu Type list to access the following page.
Figure 829 Entering the next menu

Table 291 Configuration items

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Enter the next menu. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Jump to the next menu: Select the target menu.

Configure a menu of type Return to the previous menu

Select Return to the previous menu from the Menu Type list to access the following page.
Figure 830 Returning to the previous menu

Table 292 Configuration items

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Return to the previous menu. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Configure a Dial immediately menu

Select Dial immediately from the Menu Type list to access the following page.
Figure 831 Dial immediately menu

Table 293 Configuration items

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Dial immediately. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Call immediately: Enter the target number.

Configure a Secondary-call menu

Select Secondary-call from the Menu Type list to access the following page.
Figure 832 Secondary-call menu

Table 294 Configuration items

Menu Node ID: Enter a menu ID.

Menu Name: Enter a menu name.

Menu Type: Select Secondary-call. By default, Jump is selected.

Play Voice Prompts When the User Enters the Menu: Select an audio file. No audio file is selected by default.

Input Error Processing Method: Select one of the following methods:
• Terminate the call.
• Jump to a menu.
• Return to the previous menu.
By default, the menu uses the input error processing method configured in the global key policy.

Specify A Menu: Specify the target menu. This setting is available when the Input Error Processing Method is Jump to a menu.

Input Error Prompts: Select an audio file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.

Input Timeout Processing Method: Select one of the following methods:
• Terminate the call.
• Jump to a menu.
• Return to the previous menu.
By default, the menu uses the input timeout processing method configured in the global key policy.

Specify A Menu: Specify the target menu. This setting is available when the Input Timeout Processing Method is Jump to a menu.

Timeout Prompts: Select an audio file. Voice prompt files can be configured in Voice Management > IVR Services > Media Resources Management.

Normal Secondary-Call Number Matching Policy: Select one of the following policies:
• Match the terminator of the numbers.
• Match the length of the numbers.
• Match the local number and route.
By default, no policy is configured.

Match Number Length: Enter the number length.

Match Number Terminator: Enter the number terminator.

Extension Secondary-Call Number Matching Policy (Extension number, Corresponding number): Enter an extension number and the corresponding number, and click Add to associate them. By default, no extension secondary call is configured.

Bind an access number
After configuring a menu, click Next to access the following page.
Figure 833 Binding an access number

Select the box of the target access number, and click Apply.

Customize IVR services

Enter the Customize IVR Services interface
Select Voice Management > IVR Services > Processing Methods Customization from the navigation tree,
and click the icon of the target menu to access the Customize IVR Services page.

NOTE:
To perform any operation on the previous page, you must close the Customize IVR Services page first.
Otherwise, you will get errors.

Figure 834 Customizing IVR services

Add a submenu
Select Add A New Node from the Jump to submenu list of Key 0. Click OK on the popup dialog box to
access the following page.
Figure 835 Adding a submenu

You can configure the type of the new menu as jump, terminate the call, enter the next menu, return to the
previous menu, dial immediately, or secondary-call. For information about the menu configuration,
see Create a menu.

NOTE:
If new settings are made on the page, click Apply to save them before you select Add a new menu.
Otherwise, the new settings may get lost.

Delete a menu
Enter the Customize IVR Services page, click the target menu, and click Delete the menu. On the popup
page, click OK.
If you delete a menu that is referenced by another menu, the operation deletes the reference relation but
not the menu.
If you delete a menu that is referenced within itself, the delete operation deletes both the reference
relation and the menu.

Custom IVR service configuration example

Network requirements
Company A needs a custom IVR system to achieve the following purposes.
1. Voice menu system of Company A
When a user dials the access number 300, the system plays the audio file Hello.wav. Then, the
following events occur:
• If the user dials 0, the system jumps to the marketing and sales department menu.
• If the user dials 1, the system jumps to the telecom product sales department menu.
• If the user dials 2, the system jumps to the government product sales department menu.
• If the user dials #, the system terminates the call.
2. Marketing and sales department menu
This menu plays the audio file Welcome1.wav. Then, the following events occur:
• If the user dials 0, the system dials the number 500 to call the attendant.
• If the user dials 1, the system jumps to the major financial customer department menu.
• If the user dials 2, the system jumps to the carrier customer department menu.
• If the user dials 3, the system jumps to the SME department menu.
• If the user dials *, the system returns to the previous menu.
3. Telecom product sales department menu
This menu plays the audio file Welcome2.wav. Then, the following events occur:
• If the user dials 0, the system dials the number 500 to call the attendant.
• If the user dials 1, the system plays the audio file that introduces product A.
• If the user dials 2, the system plays the audio file that introduces product B.
• If the user dials 3, the system plays the audio file that introduces product C.
• If the user dials *, the system returns to the previous menu.
4. Government product sales department menu
This menu plays the audio file Welcome3.wav. Then, the following events occur:
• If the user dials 0, the system dials the number 500 to call the attendant.
• If the user dials 1, the system plays the audio file that introduces product D.
• If the user dials 2, the system plays the audio file that introduces product E.
• If the user dials 3, the system plays the audio file that introduces product F.
• If the user dials *, the system returns to the previous menu.

Configuration procedure
1. Upload media resource files:
# Upload a media resource file.
Select Voice Management > IVR Services > Media Resources Management from the navigation
tree to access the following page.
Figure 836 Configuring media resource

a. Enter 1000 for Media Resource ID.
b. Enter Hello for Rename Media Resource.
c. Click the Browse button of g729r8 codec to select the target file.
d. Click Apply.
Use the same method to upload the other g729r8 media resource files. You can see the uploaded
files in Voice Management > IVR Services > Media Resources Management, as shown in Figure 837.
Figure 837 Media file list

2. Configure the access number:
# Configure the access number.
Select Voice Management > IVR Services > Access Number Management from the navigation tree,
and click Add to access the following page.
Figure 838 Configuring an access number

a. Enter 300 for Number ID.
b. Enter 300 for Number.
c. Enter Voice Menu Access Number for Description.
d. Click Apply.
# Create a menu.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation
tree, and click Add to create a menu.
Figure 839 Configuring a menu

a. Enter 1 for Menu Node ID.
b. Enter Voice Menu System of Company A for Menu Name.
c. Select Jump from the Menu Type list, and Hello from the Play Voice Prompts When the User
Enters the Menu list.
d. Click Next.
# Bind the access number.
Figure 840 Binding the access number

Select the box of the access number 300, and click Apply.
3. Configure the voice menu system:
# Enter the Customize IVR Services page.
Select Voice Management > IVR Services > Processing Methods Customization from the navigation
tree to access the page shown in Figure 841. Click the icon of the menu to access the
Customize IVR Services page shown in Figure 842.
Figure 841 Menu list

Figure 842 Customize IVR services

# Add submenus for the marketing and sales department, telecom product sales department, and
government product sales department.
Select the voice menu system of Company A from the navigation tree to access the following page.
Figure 843 Voice menu system of Company A

a. Select Add A New Node from the Jump to submenu list of key 0.
b. Click OK on the popup dialog box to access the following page.
Figure 844 Creating a submenu for the marketing and sales department

a. Enter 2 for Menu Node ID.
b. Enter Marketing and Sales Dept for Menu Description.
c. Select Jump from the Menu Type list, and welcome1 from the Play Voice Prompts When the
User Enters the Menu list.
d. Click Apply.
Configure submenus for the telecom product department and government product department as
per Figure 845 and Figure 846.
Figure 845 Adding a submenu for the telecom product sales department

Figure 846 Adding a submenu for the government product sales department

Return to the Customize IVR Services page.
Figure 847 Voice menu system of Company A

a. Select Terminate the call from the Operation list of key #.
b. Click Apply.
c. Configure the marketing and sales department submenu:
Select Marketing and Sales Dept from the navigation tree.
Figure 848 Marketing and sales department submenu

a. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list for
key 0.
b. Click OK on the popup dialog box to access the following page.
Figure 849 Adding a submenu

a. Enter 8 for Menu Node ID.
b. Enter Attendant for Menu Description.
c. Select Dial immediately from the Menu Type list, and type 500 for Call immediately.
d. Click Apply.
Use the same method to add submenus for the major financial customer department, carrier
customer department, and SMB department.
Figure 850 Marketing and sales department submenu

a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.
After the configuration, the marketing and sales department submenu is as shown in Figure 850.
4. Configure the telecom product sales department submenu:
Select Telecom Product Sales Dept from the navigation tree.
Figure 851 Telecom product sales department submenu

a. Select Jump from the Operation list, and Attendant from the Jump to submenu list of key 0.
b. Select Jump from the Operation list, and Add A New Node from the Jump to submenu list of
key 1.
c. Click OK on the popup dialog box to access the following page.
Figure 852 Adding a submenu

a. Enter 9 for Menu Node ID.
b. Enter Introduction to Product A for Menu Description.
c. Select Return to the previous node from the Menu Type list, and ProductA from the Play Voice
Prompts When the User Enters the Menu list.
d. Click Apply.
Use the same method to add submenus for introductions to Products B and C. After that, return to
the Customize IVR Services page.
Figure 853 Telecom product sales department submenu

a. Select Return to the previous node from the Operation list of key *.
b. Click Apply.
After the configuration, the telecom product sales department submenu is as shown in Figure 853.
5. Configure the government product sales department submenu:
Select Government Product Sales Dept from the navigation tree. Configure the submenu as shown
in Figure 854. The configuration procedure is identical to the configuration of the telecom
product sales department submenu.
Figure 854 Government product sales department submenu

After the configuration is complete, the Customize IVR Services page is as shown in Figure 854.
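The Company A menu tree configured above, together with the global key policy limits from the call node, jump node, and service node example earlier in this chapter (four input timeouts or three input errors end the call), modeled as an added Python example. This is not H3C code and does not configure a router; it replays a sequence of key presses through the menus so that the key mappings, the return-to-previous-menu behaviour and the global counters can be checked. Menu IDs 1, 2, 3, 4, 8 and 9 and the Hello/Welcome file names are the ones the example uses; IDs 5 to 7 and 10 to 14 and the Product*.wav names are constructed because the example leaves them unstated, and two behaviours the guide does not spell out (counters are per call and never reset; a menu's prompt replays when the call returns to it) are marked as assumptions in the code.

```python
# Added example, not H3C code: the Company A IVR menu tree and the global key
# policy limits, modeled in Python. It simulates the decision logic only.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

JUMP, TERMINATE, RETURN, DIAL = "jump", "terminate", "return", "dial"  # menu types
TIMEOUT = "<timeout>"  # constructed sentinel: no key pressed within the timeout time
# Global key policy values from the guide's example (prompt names as uploaded there).
MAX_INPUT_TIMEOUTS, TIMEOUT_PROMPT = 4, "timeout.wav"
MAX_INPUT_ERRORS, ERROR_PROMPT = 3, "input_error.wav"


@dataclass
class Menu:
    menu_type: str
    prompt: Optional[str] = None  # audio file played when the menu is entered
    keys: Dict[str, Tuple[str, Optional[int]]] = field(default_factory=dict)
    dial_number: Optional[str] = None  # Dial immediately menus only


class IvrCall:
    # One call into the IVR: a stack of entered menus plus the global counters.
    def __init__(self, menus: Dict[int, Menu], root: int):
        self.menus = menus
        self.stack: List[int] = []
        self.timeouts = self.errors = 0  # assumption: counted per call, never reset
        self.log: List[str] = []  # prompts played and actions taken
        self.ended: Optional[str] = None  # why the call left the IVR, if it did
        self._enter(root)

    def _enter(self, menu_id: int) -> None:
        m = self.menus[menu_id]
        self.stack.append(menu_id)
        if m.prompt:
            self.log.append(f"play {m.prompt}")
        if m.menu_type == TERMINATE:
            self.ended = "terminated by menu"
        elif m.menu_type == DIAL:
            self.log.append(f"dial {m.dial_number}")
            self.ended = "dialed out"
        elif m.menu_type == RETURN:  # play the prompt, then go back
            self._return()

    def _return(self) -> None:
        self.stack.pop()  # leave the current menu
        if self.stack:
            self._enter(self.stack.pop())  # assumption: the previous prompt replays
        else:
            self.ended = "no previous menu"

    def press(self, key: str) -> None:
        if key == TIMEOUT:
            self.timeouts += 1
            self.log.append(f"play {TIMEOUT_PROMPT}")
            if self.timeouts >= MAX_INPUT_TIMEOUTS:
                self.ended = "too many timeouts"
            return
        op = self.menus[self.stack[-1]].keys.get(key)
        if op is None:  # key not mapped in this menu: input error
            self.errors += 1
            self.log.append(f"play {ERROR_PROMPT}")
            if self.errors >= MAX_INPUT_ERRORS:
                self.ended = "too many input errors"
            return
        kind, target = op
        if kind == TERMINATE:
            self.ended = "terminated by key"
        elif kind == JUMP:
            self._enter(target)
        else:  # RETURN
            self._return()


def company_a_menus() -> Dict[int, Menu]:
    # IDs 1, 2, 3, 4, 8 and 9 are the guide's; IDs 5-7 and 10-14 and the
    # Product*.wav names are constructed because the guide leaves them unstated.
    back = {"*": (RETURN, None)}
    menus = {
        1: Menu(JUMP, "Hello.wav",  # Voice Menu System of Company A
                {"0": (JUMP, 2), "1": (JUMP, 3), "2": (JUMP, 4), "#": (TERMINATE, None)}),
        2: Menu(JUMP, "Welcome1.wav",  # Marketing and Sales Dept
                {"0": (JUMP, 8), "1": (JUMP, 5), "2": (JUMP, 6), "3": (JUMP, 7), **back}),
        3: Menu(JUMP, "Welcome2.wav",  # Telecom Product Sales Dept
                {"0": (JUMP, 8), "1": (JUMP, 9), "2": (JUMP, 10), "3": (JUMP, 11), **back}),
        4: Menu(JUMP, "Welcome3.wav",  # Government Product Sales Dept
                {"0": (JUMP, 8), "1": (JUMP, 12), "2": (JUMP, 13), "3": (JUMP, 14), **back}),
        8: Menu(DIAL, dial_number="500"),  # Attendant
    }
    for mid in (5, 6, 7):  # major financial, carrier and SME customer departments
        menus[mid] = Menu(JUMP, None, dict(back))
    for mid, product in zip(range(9, 15), "ABCDEF"):  # product introductions
        menus[mid] = Menu(RETURN, f"Product{product}.wav")
    return menus


def run_call(keys: List[str]) -> IvrCall:
    # Replay key presses (or TIMEOUT) starting from the access-number menu.
    call = IvrCall(company_a_menus(), 1)
    for key in keys:
        if call.ended:
            break
        call.press(key)
    return call
```

`run_call(["1", "1"]).log` shows the prompt sequence for a caller who goes to the telecom menu and listens to the Product A introduction, and `run_call([TIMEOUT] * 4).ended` shows the global timeout limit ending the call, which is the behaviour the global key policy step configures.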

Advanced configuration

This section provides global configuration and batch configuration.

Global configuration
Select Voice Management > Advanced Configuration > Global Configuration from the navigation tree to
access the global configuration page, as shown in Figure 855.
Figure 855 Global configuration page

Table 295 Configuration items

Tone Playing Mode for Call Hold:
• Silent—The calling party does not play any tones to the called party during call hold.
• Playing music—The calling party plays the specified tones to the called party during call hold.
By default, the tone playing mode is the silent mode.

Media Resource: Select the media resource if you select the Playing Music option. You can upload media resource files in Voice Management > IVR Services > Media Resources Management.

Call Progress Tones Country Mode: Configure the device to play the call progress tones of a specified country or region. By default, the call progress tones of China are specified.

Backup Rule: Specify the backup rule:
• Strict—One of the following three conditions will trigger strict call backup: the device does not receive any reply from the peer after sending out a call request; the device fails to initiate a call to the IP network side; the device fails to register on the voice server.
• Loose—Loose call backup is triggered if any of the above mentioned three conditions or the following condition happens: the device receives a reject reply (with a number from 3xx to 6xx except 300, 301, 302, 305, 401, 407, and 422) after sending a call request.

Call Backup Switch Time: Specify the time duration in seconds for switching from the current VoIP link to another VoIP link or a PSTN link (that is, the call backup switching time) in case of a VoIP call failure.

Number of Saved Call Records: Set the maximum number of call history records that can be stored.

Related Time Parameters of DTMF:
• Duration of Sending DTMF Digits.
• Interval of Sending DTMF Tones.

DSCP Value in the ToS Field of the IP Packets Carrying RTP Stream: Set the DSCP value in the ToS field of the IP packets that carry the RTP stream globally.

DSCP Value in the ToS Field of the IP Packets Carrying Voice Signaling: Set the DSCP value in the ToS field of the IP packets that carry the voice signaling globally.
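The backup rule decision from Table 295, written out as an added Python example (not H3C code) so that the strict and loose rules can be compared on the same events. The event names are constructed for the example, and "3xx to 6xx" is read as the inclusive range 300 to 699; only the exception list comes from the table.

```python
# Added example, not H3C code: the call backup decision of Table 295.
# Event names are constructed; the code range follows the table's "3xx to 6xx".
from typing import Optional

NO_REPLY = "no_reply"                # no reply from the peer to the call request
IP_CALL_FAILED = "ip_call_failed"    # call to the IP network side could not be initiated
REGISTER_FAILED = "register_failed"  # registration on the voice server failed
REJECTED = "rejected"                # a reject reply was received after the call request

# The three conditions that trigger call backup under both rules.
COMMON_TRIGGERS = frozenset({NO_REPLY, IP_CALL_FAILED, REGISTER_FAILED})
# Reject replies that the loose rule explicitly leaves out (from Table 295).
LOOSE_EXCLUDED_CODES = frozenset({300, 301, 302, 305, 401, 407, 422})


def triggers_backup(rule: str, event: str, reply_code: Optional[int] = None) -> bool:
    """Return True if the event switches the call to another VoIP or PSTN link."""
    if rule not in ("strict", "loose"):
        raise ValueError(f"unknown backup rule: {rule}")
    if event in COMMON_TRIGGERS:
        return True
    if event != REJECTED:
        raise ValueError(f"unknown event: {event}")
    if reply_code is None:
        raise ValueError("a reject event needs its reply code")
    if rule == "strict":
        return False  # strict backup never reacts to a reject reply
    # Loose backup: any 3xx to 6xx reject reply except the listed ones.
    return 300 <= reply_code <= 699 and reply_code not in LOOSE_EXCLUDED_CODES
```

The excluded codes are the SIP responses the calling side is expected to act on itself rather than treat as a failed call: 300, 301, 302 and 305 are redirections, 401 and 407 are authentication challenges, and 422 asks for a larger session interval. Treating them as failures would switch links before the normal retry had a chance to succeed.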

Batch configuration
Local number
Creating numbers in batch
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Create Numbers in Batch link in the Local Number area to access the page for creating
numbers in batch, as shown in Figure 856.
Figure 856 Creating numbers in batch

Table 296 Configuration items

Start Number: Specify the start number; a series of consecutive numbers starting with the start number will be bound to the selected voice subscriber lines. For example, if you specify the start number as 3000 and select lines 3/0 and 3/1, then line 3/0 is bound to number 3000, and line 3/1 is bound to number 3001.

Register Mode: Set the register username and password in one of the following ways:
• Username and Password are the Same as Number.
• No Username and No Password.
• Username and Password are Specified Uniformly: If you select this option, you need to set the username and password.

Register Username: Username used for registration and authentication.

Register Password: Password used for registration and authentication.

FXS Lines: The page has a Selected FXS Lines box and an Available FXS Lines box.
Select an FXS voice subscriber line in the Available FXS Lines box, and click < to add the line to the Selected FXS Lines box.
Select an FXS voice subscriber line in the Selected FXS Lines box, and click > to remove the line from the box.
Click << to add all FXS voice subscriber lines in the Available FXS Lines box to the Selected FXS Lines box; click >> to remove all FXS voice subscriber lines from the Selected FXS Lines box.

Fax and Modem


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Fax and Modem link in the Local Number area to access the local number fax and
modem configuration page, as shown in Figure 857.

822
Figure 857 Local number fax and Modem configuration page

Table 297 Configuration items

Item Description
Configure the protocol used for fax communication with other devices.
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up
quickly.
• Standard T.38—Use the standard T38 protocol of H323 or SIP. The fax negotiation
mode depends on the protocol used (H323 or SIP).

Configure the fax pass-through mode.


Fax Protocol
• G.711 A-law.
• G.711 μ-law.
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the
clocks on both communication sides must be kept synchronized. At present, only
G.711 A-law and G.711 μ−law are supported, and the VAD function should be
disabled.

Enable ECM fax. As defined in ITU-T, the ECM is required by the half-duplex and
half-modulation system running ITU-T V.34 protocol for fax message transmission.
Besides, the G3 fax terminals working in full duplex mode are required to support
half-duplex mode, that is, ECM.
The fax machines using ECM can correct errors, provide the ARQ function, and
transmit fax packets in the format of HDLC frames. On the contrary, the fax machines
using non-ECM cannot correct errors and they transmit fax packets in the format of
ECM Fax binary strings.
• Enable—Enable ECM.
• Disable—Disable ECM.
By default, ECM is disabled.
To use ECM, fax machines on both sides and the gateway must support ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the
fax sender and receiver in the ECM mode.

823
Item Description
Enable CNG fax switchover function. The CNG fax switchover is used to implement the
fax mailbox service through communication with the VCX. When the local fax machine
A originates a fax call to the peer fax machine B, if B is busy or is unattended, A can
send the fax call to the fax mailbox of the VCX. With CNG fax switchover enabled, the
CNG Fax Switchover
voice gateway can switch to the fax mode once it receives a CNG from A.
Function
• Enable.
• Disable.
The function is disabled by default.

Configure the codec type and switching mode for SIP Modem pass-through function.
• Standard G.711 A-law—Adopt G.711 A-law as the codec type and use Re-Invite
switching for SIP Modem pass-through.
Codec Type and
• Standard G.711 μ-law—Adopt the G.711 μ-law codec type and Re-Invite switching
Switching mode for
mode.
SIP Modem
Pass-through • NTE Compatible G.711 A-law—Adopt the G.711 A-law codec type and
NTE-compatible switching mode.
• NTE Compatible G.711 μ-law—Adopt the G.711 μ-law codec type and
NTE-compatible switching mode.

NTE Payload Type Field: Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list.
By default, the value of the NTE payload type is 100.

Select the Number(s): Select the checkboxes of specific local numbers and then click the Apply to Selected Number(s) button to apply the above fax and Modem settings to the selected local numbers.

Call services
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Call Services link in the Local Number area to access the local number call services
configuration page, as shown in Figure 858.

Figure 858 Call services configuration page

Table 298 Configuration items

Item Description
Call Forwarding: Configure call forwarding:
• Enable.
• Disable.
By default, call forwarding is disabled.
After you enable call forwarding, enter the corresponding forwarded-to number:
• The Forwarded-to Number for Call Forwarding no Reply—Enter the forwarded-to number.
• The Forwarded-to Number for Call Forwarding Busy—Enter the forwarded-to number.
• The Forwarding Unconditional—Enter the forwarded-to number.
• The Forwarded-to Number for Call Forwarding Unavailable—Enter the forwarded-to number.

Call Hold: Configure call hold:
• Enable.
• Disable.
By default, call hold is disabled.
After call hold is enabled, set the Max Time Length the Held Party Can Wait parameter as needed.
IMPORTANT:
The Max Time Length the Held Party Can Wait is only applied to the held party of a call, that is, the receiver of call hold.
Call Transfer: Configure call transfer:
• Enable.
• Disable.
By default, call transfer is disabled.
Call hold must be enabled before you can configure call transfer.
After call transfer is enabled, you can set the Call Transfer Start Delay parameter as needed.

Three-Party Conference: Configure three-party conference:
• Enable.
• Disable.
By default, three-party conference is disabled.
The three-party conference function depends on the call hold function. Therefore, you must enable the call hold function before configuring three-party conference.

Call Waiting: Configure call waiting:
• Enable.
• Disable.
By default, call waiting is disabled.
After call waiting is enabled, configure the following parameters as needed:
• Number of Call Waiting Tone Play Times.
• Number of Tones Played at One Time.
• Interval for Playing Call Waiting Tones.
By default, two call waiting tones are played once, and if the value of Number of Tones in a Call Waiting Tone is greater than 1, the Interval for Playing Call Waiting Tones is 15 seconds.

Hunt Group: Configure hunt group:
• Enable.
• Disable.
By default, hunt group is disabled.

Feature Service: Configure Feature service:
• Enable.
• Disable.
By default, Feature service is disabled.

Message Waiting Indicator: Configure MWI:
• Enable.
• Disable.
By default, MWI is disabled.
IMPORTANT:
Generally, the voice gateway sends a SUBSCRIBE to the server, receives a NOTIFY from the server if the subscription is successful, and then gets the status of the voice mailbox.
Processing Priority When the Line is Busy: Specify the processing sequence of services when the line is busy.

Select the Number(s): Select the boxes of desired local numbers, and then click the Apply to Selected Number(s) button to apply the above call services settings to the selected local numbers.

Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Advanced Settings link in the Local Number area to access the local number advanced
settings page, as shown in Figure 859.
Figure 859 Local number advanced settings page

Table 299 Configuration items

Item Description
Codecs and Priorities:
Codec with the First Priority.
Codec with the Second Priority.
Codec with the Third Priority.
Codec with the Lowest Priority.

DTMF Transmission Mode: Specify DTMF transmission mode:
• In-band Transmission.
• Out-of-band Transmission.
• RFC2833—Adopt DTMF named telephone event (NTE) transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.

Number Sending Mode: Specify number sending mode:
• Send a Truncated Called Number.
• Send All Digits of a Called Number.
• Send Certain Number of Digits: Send a certain number of digits (extracted from the end of the number) of a called number. The specified value should not be greater than the total number of digits of the called number.

Number Selection Priority: Set the priority of the local number. The smaller the value, the higher the priority.

Dial Prefix: Configure a dial prefix for the local number. For a trunk type call route, the dial prefix is added to the called number to be sent out.
• Enable.
• Disable—Remove the configured dial prefix.
If you select to enable the function, you must enter the dial prefix.

VAD: Configure VAD. The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save the transmission bandwidth by 50%.
• Enable.
• Disable.
By default, VAD is disabled.

Select the Number(s): Select the boxes of desired local numbers, and then click the Apply to Selected Number(s) button to apply the above advanced settings to the selected local numbers.
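The VAD row above (and the identical VAD row in the call route advanced settings) describes an energy-based silence decision without showing one. The following is an added example, not the gateway's implementation: it classifies 20 ms frames of 8 kHz 16-bit PCM by RMS energy against an assumed -45 dBFS threshold, keeps a short hangover so trailing syllables are not clipped, and reports the share of frames (and therefore RTP packets) that would not be sent. The audio is synthesised in the block, not captured from a call.

```python
"""Frame-energy voice activity detection (added example, not H3C code)."""
import math
import random

SAMPLE_RATE = 8000                          # G.711 sampling rate
FRAME_MS = 20
FRAME_LEN = SAMPLE_RATE * FRAME_MS // 1000  # 160 samples per frame
# Assumed threshold for this example: frames quieter than -45 dBFS count as silence.
SILENCE_THRESHOLD_DBFS = -45.0
# Hangover: keep transmitting this many frames after speech drops below the
# threshold so that the tail of a word is not cut off.
HANGOVER_FRAMES = 5


def frame_energy_dbfs(frame):
    """RMS energy of a frame of 16-bit PCM samples, in dB relative to full scale."""
    if not frame:
        return -math.inf
    rms = math.sqrt(sum(s * s for s in frame) / len(frame))
    if rms < 1.0:
        return -math.inf
    return 20.0 * math.log10(rms / 32768.0)


def vad_decisions(samples):
    """One boolean per full frame: True means the frame is transmitted."""
    decisions = []
    hangover = 0
    for start in range(0, len(samples) - FRAME_LEN + 1, FRAME_LEN):
        frame = samples[start:start + FRAME_LEN]
        if frame_energy_dbfs(frame) >= SILENCE_THRESHOLD_DBFS:
            hangover = HANGOVER_FRAMES      # speech: transmit and re-arm hangover
            decisions.append(True)
        elif hangover > 0:
            hangover -= 1                   # silence, but still inside the hangover
            decisions.append(True)
        else:
            decisions.append(False)         # silence: no RTP packet is generated
    return decisions


def bandwidth_saving(samples):
    """Fraction of frames suppressed by VAD, between 0.0 and 1.0."""
    decisions = vad_decisions(samples)
    if not decisions:
        return 0.0
    return 1.0 - sum(decisions) / len(decisions)


def synthesise(seconds_speech, seconds_silence, seed=1):
    """Constructed signal: a 440 Hz tone at -20 dBFS standing in for speech,
    followed by uniform line noise at about -60 dBFS standing in for silence."""
    rng = random.Random(seed)
    tone_amp = 32768 * 10 ** (-20 / 20)
    speech = [int(tone_amp * math.sin(2 * math.pi * 440 * n / SAMPLE_RATE))
              for n in range(seconds_speech * SAMPLE_RATE)]
    noise_amp = 32768 * 10 ** (-60 / 20)
    silence = [int(rng.uniform(-noise_amp, noise_amp))
               for _ in range(seconds_silence * SAMPLE_RATE)]
    return speech + silence


# 2 s of "speech" then 2 s of "silence": 200 frames in total.
SAMPLE_CALL = synthesise(2, 2)

if __name__ == "__main__":
    print(f"{bandwidth_saving(SAMPLE_CALL):.1%} of frames suppressed")
```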

Call route
Fax and Modem
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Fax and Modem link in the Call Route area to access the call route fax and modem
configuration page, as shown in Figure 860.

Figure 860 Call route fax and Modem configuration page

Table 300 Configuration items

Item Description
Fax Protocol: Specify the protocol used for fax communication with other devices.
• T.38—Use T.38 fax protocol. With this protocol, a fax connection can be set up quickly.
• Standard T.38—Use the standard T.38 protocol of H.323 or SIP. The fax negotiation mode depends on the protocol used (H.323 or SIP).
Configure the fax pass-through mode.
• G.711 A-law.
• G.711 μ-law.
The pass-through mode is subject to such factors as packet loss, jitter and delay, so the clocks on both communication sides must be kept synchronized. At present, only G.711 A-law and G.711 μ-law are supported, and the VAD function should be disabled.

ECM Fax: As defined in ITU-T, the error correction mode (ECM) is required by the half-duplex and half-modulation system running ITU-T V.34 protocol for fax message transmission. Besides, the G3 fax terminals working in full duplex mode are required to support half-duplex mode, namely, ECM.
The fax machines using ECM can correct errors, provide the automatic repeat request (ARQ) function, and transmit fax packets in the format of HDLC frames. On the contrary, the fax machines using non-ECM cannot correct errors and they transmit fax packets in the format of binary strings.
• Enable—Enable ECM for fax.
• Disable—Disable ECM for fax.
By default, ECM fax is disabled.
ECM can work only if fax machines on both sides support ECM and the gateway is configured with ECM.
You must enable ECM mode for the local numbers and call routes corresponding to the fax sender and receiver in the ECM mode.

CNG Fax Switchover Function: CNG fax switchover is used to implement the fax mailbox service through communication with the VCX. When the local fax machine A originates a fax call to the peer fax machine B, if B is busy or is unattended, A can send the fax call to the fax mailbox of the VCX. With CNG fax switchover enabled, the voice gateway can switch to the fax mode once it receives a CNG from A.
• Enable.
• Disable.
The function is disabled by default.

Codec Type and Switching Mode for SIP Modem Pass-through: Configure the codec type and switching mode for the SIP Modem pass-through function.
• Standard G.711 A-law—Adopt the G.711 A-law codec type and Re-Invite switching mode.
• Standard G.711 μ-law—Adopt the G.711 μ-law codec type and Re-Invite switching mode.
• NTE Compatible G.711 A-law—Adopt the G.711 A-law codec type and NTE-compatible switching mode.
• NTE Compatible G.711 μ-law—Adopt the G.711 μ-law codec type and NTE-compatible switching mode.

NTE Payload Type Field: Configure the value of the NTE payload type for the NTE-compatible switching mode. This option is configurable only when NTE Compatible G.711 A-law or NTE Compatible G.711 μ-law is selected in the Codec Type and Switching Mode for SIP Modem Pass-through list.
By default, the value of the NTE payload type is 100.

Select the Route(s): Select the boxes of call routes, and then click the Apply to Selected Route(s) button to apply the above fax and Modem settings to the selected call routes.

Advanced settings
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Advanced Settings link in the Call Route area to access the call route advanced settings
page, as shown in Figure 861.
Figure 861 Call route advanced settings page

Table 301 Configuration items

Item Description
Codecs and Priorities:
Codec with the First Priority.
Codec with the Second Priority.
Codec with the Third Priority.
Codec with the Lowest Priority.

DTMF Transmission Mode: Specify DTMF transmission mode:
• In-band Transmission.
• Out-of-band Transmission.
• RFC2833: Adopt DTMF named telephone event (NTE) transmission mode. When you adopt this transmission mode, you can configure the payload type field in RTP packets.
By default, the value of the NTE payload type field is 101.

Route Selection Priority: Set the priority of the call route. The smaller the value, the higher the priority.

VAD: The VAD discriminates between silence and speech on a voice connection according to their energies. VAD reduces the bandwidth requirements of a voice connection by not generating traffic during periods of silence in an active voice connection. Speech signals are generated and transmitted only when an active voice segment is detected. Research shows that VAD can save the transmission bandwidth by 50%.
• Enable.
• Disable.
By default, VAD is disabled.

Select the Route(s): Select the boxes of desired call routes, and then click the Apply to Selected Route(s) button to apply the above advanced settings to the selected call routes.
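The RFC2833 DTMF transmission mode in Table 299 and Table 301 carries digits as named telephone events (NTE) in RTP packets whose payload type is the configured NTE payload type (the guide gives 101 as the call route default). The following is an added example, not code from the guide or the gateway: it parses the RTP header, accepts a packet as an NTE only when its payload type matches the configured value, decodes the 4-byte telephone-event body (event code, E bit, volume, duration), rejects malformed events, and counts each digit once even though the end packet is repeated. The packets are constructed in the block.

```python
"""RFC 2833 DTMF named telephone event decoding (added example, not H3C code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 2833 event codes 0-15 map to the DTMF digits, '*', '#' and 'A'..'D'.
DTMF_EVENTS = "0123456789*#ABCD"


@dataclass
class TelephoneEvent:
    ssrc: int
    timestamp: int      # RTP timestamp of the start of the tone
    digit: str
    end: bool           # E bit: this packet ends the event
    volume_dbm0: int    # tone power, 0..63, in -dBm0
    duration: int       # in timestamp units (8000 per second for G.711)


def parse_rtp_header(packet: bytes):
    """Split an RTP v2 packet into (payload_type, seq, timestamp, ssrc, payload).

    CSRC list, header extension and padding are honoured so that the payload
    type is read from the right byte and the NTE body is isolated correctly.
    """
    if len(packet) < 12:
        raise ValueError("RTP header truncated")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)            # skip CSRC identifiers
    if b0 & 0x10:                            # X bit: one extension header follows
        if len(packet) < offset + 4:
            raise ValueError("RTP extension truncated")
        offset += 4 + 4 * struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    if len(packet) < offset:
        raise ValueError("RTP header longer than packet")
    payload = packet[offset:]
    if b0 & 0x20:                            # P bit: last byte holds pad length
        pad = payload[-1] if payload else 0
        if pad == 0 or pad > len(payload):
            raise ValueError("bad RTP padding")
        payload = payload[:-pad]
    return b1 & 0x7F, seq, ts, ssrc, payload


def decode_nte(packet: bytes, nte_payload_type: int = 101) -> Optional[TelephoneEvent]:
    """Decode one packet as a telephone event, or return None if it is audio.

    nte_payload_type is the value of the guide's NTE payload type field; 101
    is the call route default the guide states. Malformed NTE bodies raise
    ValueError instead of producing a digit.
    """
    pt, _seq, ts, ssrc, payload = parse_rtp_header(packet)
    if pt != nte_payload_type:
        return None                          # ordinary audio, e.g. PT 8 = G.711 A-law
    if len(payload) != 4:
        raise ValueError("NTE payload must be 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload)
    if event >= len(DTMF_EVENTS):
        raise ValueError(f"unsupported telephone event {event}")
    return TelephoneEvent(ssrc, ts, DTMF_EVENTS[event], bool(flags & 0x80),
                          flags & 0x3F, duration)


def collect_digits(packets: List[bytes], nte_payload_type: int = 101) -> str:
    """Return the digits signalled in a packet list, one per event.

    RFC 2833 senders repeat the final (E bit) packet for redundancy; all
    packets of one event share the same RTP timestamp, which identifies it.
    """
    digits, seen_ends = [], set()
    for pkt in packets:
        ev = decode_nte(pkt, nte_payload_type)
        if ev is None or not ev.end:
            continue
        if (ev.ssrc, ev.timestamp) not in seen_ends:
            seen_ends.add((ev.ssrc, ev.timestamp))
            digits.append(ev.digit)
    return "".join(digits)


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes,
              marker: bool = False) -> bytes:
    """Build a minimal RTP v2 packet (no CSRC, no extension) for the sample input."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


# Constructed sample stream: digit '5' as start, update and end packets on
# payload type 101 (volume 10, durations 160/320/480 samples), the end packet
# repeated once, then one 20 ms G.711 A-law audio packet (payload type 8).
SAMPLE_PACKETS = [
    build_rtp(101, 1, 16000, 0xDEADBEEF, bytes([5, 0x0A, 0x00, 0xA0]), marker=True),
    build_rtp(101, 2, 16000, 0xDEADBEEF, bytes([5, 0x0A, 0x01, 0x40])),
    build_rtp(101, 3, 16000, 0xDEADBEEF, bytes([5, 0x8A, 0x01, 0xE0])),
    build_rtp(101, 4, 16000, 0xDEADBEEF, bytes([5, 0x8A, 0x01, 0xE0])),
    build_rtp(8, 5, 16480, 0xDEADBEEF, bytes(160)),
]

if __name__ == "__main__":
    print(collect_digits(SAMPLE_PACKETS))   # 5
```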

Line management
FXS line configuration
Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the FXS Line Configuration link in the Line Management area to access the FXS line
configuration page, as shown in Figure 862.

Figure 862 FXS line configuration page

Table 302 Configuration items

Item Description
Max Interval for Dialing the Next Digit: Specify the maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit: Specify the maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up and the call is terminated.

Dial Delay Time: Configure the dial delay time.
By default, the dial delay time is 1 second.

Input Gain on the Voice Interface: When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface: When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT:
Gain adjustment may lead to call failures. You are not recommended to adjust the gain. If necessary, do it with the guidance of technical personnel.

DTMF Detection Sensitivity Level: Set the DTMF detection sensitivity level.
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low and detection errors may occur.

Select the Line(s): Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXS lines.

FXO line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the FXO Line Configuration link in the Line Management area to access the FXO line
configuration page, as shown in Figure 863.
Figure 863 FXO line configuration page

Table 303 Configuration items

Item Description
Max Interval for Dialing the Next Digit: Specify the maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Max Interval between Off-hook and Dialing the First Digit: Specify the maximum interval in seconds between off-hook and dialing the first digit.
Upon the expiration of the timer, the user is prompted to hang up and the call is terminated.

Dial Delay Time: Configure the dial delay time.
By default, the dial delay time is 1 second.

Input Gain on the Voice Interface: When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface: When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT:
Gain adjustment may lead to call failures. You are not recommended to adjust the gain. If necessary, do it with the guidance of technical personnel.

DTMF Detection Sensitivity Level: Set the DTMF detection sensitivity level.
• Low—In this mode, the reliability is high, but DTMF tones may fail to be detected.
• Medium—In this mode, the reliability is medium. If you select this option, you can specify the Frequency Tolerance of Medium DTMF Detection Sensitivity Level. The greater the value, the higher the probability of false detection. Support for this option varies with installed cards.
• High—In this mode, the reliability is low and detection errors may occur.

Select the Line(s): Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected FXO lines.

E&M line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the E&M Line Configuration link in the Line Management area to access the E&M line
configuration page, as shown in Figure 864.
Figure 864 E&M line configuration page

Table 304 Configuration items

Item Description
Max Interval for Dialing the Next Digit: Specify the maximum interval for the user to dial the next digit.
This timer restarts each time the user dials a digit and works in this way until all the digits of the number are dialed. If the timer expires before the dialing is completed, the user is prompted to hang up and the call is terminated.

Input Gain on the Voice Interface: When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain value.

Output Gain on the Voice Interface: When a relatively small voice signal power is needed on the output line, increase the voice output gain value.

IMPORTANT:
Gain adjustment may lead to call failures. You are not recommended to adjust the gain. If necessary, do it with the guidance of technical personnel.

Select the Line(s): Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected E&M lines.

ISDN line configuration


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the ISDN Line Configuration link in the Line Management area to access the ISDN line
configuration page, as shown in Figure 865.
Figure 865 ISDN line configuration page

Table 305 Configuration items

Item Description
Input Gain on the Voice Interface: When the voice signals on the line attenuate to a relatively great extent, increase the voice input gain.

Output Gain on the Voice Interface: When a relatively small voice signal power is needed on the output line, increase the voice output attenuation value.

IMPORTANT:
Gain adjustment may lead to call failures. You are not recommended to adjust the gain. If necessary, do it with the guidance of technical personnel.

Select the Line(s): Select the boxes of desired lines, and then click the Apply to Selected Line(s) button to apply the above settings to the selected ISDN lines.

SIP local survival services


Select Voice Management > Advanced Configuration > Batch Configuration from the navigation tree,
and then click the Create Users in Batches link in the SIP Local Survival Services area to access the page
as shown in Figure 866.

Figure 866 Creating users in batches

Table 306 Configuration items

Item Description
Start Number: Specify the telephone number of the first user to be registered.

Register User Quantity: Specify the number of users to be registered.

For example, if you specify the start number as 2000 and set the register user quantity to 5, the device automatically generates five registered users with telephone numbers from 2000 to 2004.

Registration Mode: Set the registration mode:
• No username and password.
• Username and password are the same as the number.
• Username and password are specified uniformly—If you select this option, you must specify the authentication username and authentication password.

Authentication Username: Enter the name of the user for authentication.

Authentication Password: Enter the password of the user for authentication.

States and statistics

This section provides information on displaying various states and statistics.

Line states
Use this page to view information about all voice subscriber lines.
Select Voice Management > States and Statistics > Line States from the navigation tree. The Line State
Information page appears.
Figure 867 Line state information page

This page supports two types of voice subscriber lines:


• Analog voice subscriber lines—FXS, FXO, paging, MoH, and E&M.
• Digital voice subscriber lines—BSV, VE1, and VT1.
Table 307 Field description

Field Description
Name Voice subscriber line name.

Type: Voice subscriber line type:
• BRI.
• PRI.
• FXS.
• FXO.
• EM.
• PAGE.
• MOH.
• ISDN PRI.
• ISDN BRI.

Description Voice subscriber line description.

Subscriber Line Status:
• Physical Down—Voice subscriber line is physically down, possibly because no physical link is present or the link has failed.
• UP—Voice subscriber line is administratively down.
• Shutdown—Voice subscriber line is up both administratively and physically.

Displaying detailed information about analog voice subscriber lines
For analog voice subscriber lines FXS, FXO, paging, MoH, and E&M, click the Details link to view
details.
Figure 868 Paging line details

Displaying detailed information about digital voice subscriber lines
For digital voice subscriber lines BSV, VE1, and VT1, click the Details link to view details about the line.

Figure 869 ISDN line details

Click a timeslot (TS) link to view the details about the TS.
Figure 870 Timeslot details

Call statistics
The following pages display call statistics.
• Active Call Summary page—Displays statistics about ongoing calls.
• History Call Summary page—Displays statistics about ended calls.

Displaying active call summary
Select Voice Management > States and Statistics > Call Statistics from the navigation tree. The Active Call
Summary page appears.
Figure 871 Active call summary page

Table 308 Field description

Field Description
Type: Call type. Only Speech and Fax are supported.

Status: Call status:
• Unknown—The call status is unknown.
• Connecting—A connection attempt (outgoing call) is being made.
• Connected—A connection attempt (incoming call) is being made.
• Active—The call is active.

Displaying history call summary


Select Voice Management > States and Statistics > Call Statistics from the navigation tree and click the
History Call Summary tab.
Figure 872 History call summary page

SIP UA states
The following pages show SIP UA states:
• TCP Connection Information page—Displays information about all TCP-based call connections.
• TLS Connection Information page—Displays information about all TLS-based call connections.
• Number Register Status page—Displays number register information when you use SIP servers to
manage SIP calls.
• Number Subscriber Status pages—Displays the subscription status information of MWI when MWI
is in use.

Displaying TCP connection information


Select Voice Management > States and Statistics > SIP UA States from the navigation tree. The TCP Connection Information page appears.
Figure 873 TCP connection information

Table 309 Field description

Field Description
Connection ID Call connection ID, automatically generated by the system.

Local Address IP address of the calling party.

Local Port Port number of the calling party.

Remote Address IP address of the called party.

Remote Port Port number of the called party.

Connection State: Connection state:
• Idle.
• Connecting.
• Established.

Displaying TLS connection information


Select Voice Management > States and Statistics > SIP UA States from the navigation tree. The TLS Connection Information page appears.

Figure 874 TLS connection information

For information items, see Table 309.

Connection status
Displaying number register status
Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Register Status tab.
Figure 875 Number register status

Table 310 Field description

Field Description
Number: Registered phone number.

Registrar: Address of the registrar, in the format of IP address plus port number or domain name.

Remaining Aging Time (Sec): Remaining aging time of a number, that is, the remaining time before the next registration.

Status: Status of the number:
• offline—Not registered.
• online—Registered.
• login—Being registered.
• logout—Being deregistered.
• dnsin—DNS query is being performed before registration.
• dnsout—DNS query is being performed before the number is deregistered.

Displaying number subscription status
Select Voice Management > States and Statistics > SIP UA States from the navigation tree and click the Number Subscription Status tab.
Figure 876 Number subscription status

Table 311 Field description

Field Description
Number: Phone number.

Subscription Server: MWI server address, in the format of IP address plus port number or domain name.

Remaining Aging Time (Sec): Remaining aging time of the subscription, that is, the remaining time before the next subscription.

Status: Subscription status:
• offline—Not subscribed.
• online—Subscribed.
• login—The subscription is being proposed.
• logout—The subscription is being canceled.

Local survival service states


Select Voice Management > States and Statistics > Local Survival Service States from the navigation tree.
The Local Survival Service States page appears.
Figure 877 Local survival service states

Table 312 Field description

Field Description
Server Operation Mode: Server operation mode:
• Alone.
• Alive.

Server Status: Server running state:
• Enabled.
• Disabled.

User ID: User ID.

Phone Number: Registered phone number.

State: State of the registered user:
• Online—User is online.
• Offline—User is offline.

SIP trunk account states


Displaying SIP trunk account states
Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree.
The page for displaying SIP trunk account states appears.
Figure 878 SIP trunk account states

Table 313 Field description

Field Description
Aging Time: SIP trunk account aging time.

Status: Registration status of the SIP trunk account:
• Disabled—Not in use.
• Offline—Not registered.
• Online—Registered.
• Login—Being registered.
• Logout—Being deregistered.
• Dnsin—DNS query is being performed before registration.
• Dnsout—DNS query is being performed before deregistration.

Displaying dynamic contact states
Select Voice Management > States and Statistics > SIP Trunk Account States from the navigation tree.
The page for displaying dynamic contact states appears.
Figure 879 Dynamic contact states

Table 314 Field description

Field Description
Number: Telephone number, which could be one of the following types:
• Roaming user registration number that is temporarily saved on the device.
• Roaming user subscription number that is temporarily saved on the device.
• Called number of a forwarded call carried in a received 3xx message.
• Destination number of a transferred call carried in a received REFER message.

Contact Address: Real contact address of the number.

Remaining Aging Time (Sec): Remaining aging time of the contact address, in seconds.

Type: Type of the service that sets up the connection:
• Register—Registration of a roaming user.
• Subscribe—Subscription of a roaming user.
• Forward—Call forwarding service.
• Transfer—Call transfer service.

Server group information


Select Voice Management > States and Statistics > Server Group Information from the navigation tree.
The Server Group Information page appears.

Figure 880 Server group information

This page shows the configuration information of group servers. For how to configure group servers, see
"Managing SIP server groups."

IVR information
The following pages show IVR information:
• IVR Call States page—Displays information about ongoing IVR calls.
• IVR Play States page—Displays information about ongoing IVR playing.

Displaying IVR call states


Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR Call
States page appears.
Figure 881 IVR call states

Table 315 Field description

Field Description
Corresponding Access Number IVR access number corresponding to the called number.

Current Menu Node Current menu node ID.

State: Current state:
• Idle—Node is idle.
• Playing a media file.
• Waiting for input—Node is waiting for the input of the subscriber.
• Calling—Node is calling a number.

Displaying IVR play states
Select Voice Management > States and Statistics > IVR Information from the navigation tree. The IVR
Play States page appears.
Figure 882 IVR play states

Table 316 Field description

Field Description
Play Count: Play times of the media file.

Play State:
• Playing.
• Not playing.

Play Type:
• PSTN—Called party is from PSTN.
• IP—IP address of the peer media.

Index

ABCDEFGHILMNOPQRSTUVW
A Configuration guidelines,348
Configuration guidelines,490
Access control configuration example,161
Configuration guidelines,247
Accessing SSL VPN resources,444
Configuration prerequisites,447
Adding an IPv4 ACL,240
Configuration prerequisites,210
Adding an L2TP group,378
Configuration procedure,350
Advanced settings,542
Configuration procedure,160
Advanced settings configuration example,605
Configuration procedure,163
Advantages,766
Configuration procedure,448
Advantages of SSL VPN,401
Configuration procedure,210
Appendix Packet priorities,261
Configuration task list,67
Application control configuration example,186
Configuring a call route for inbound calls,688
Attack protection configuration examples,176
Configuring a call route for outbound calls,682
B Configuring a CE1/PRI interface,55
Basic service setup,539 Configuring a cellular interface,59
Basic settings,542 Configuring a CT1/PRI interface,58
Basic settings,544 Configuring a DHCP server group,223
Batch configuration,821 Configuring a DMZ host,150
Blacklist and white list,125 Configuring a domain name suffix,203
Bridging configuration example,291 Configuring a dynamic address pool for the DHCP
server,220
C
Configuring a GRE over IPv4 tunnel,390
Call services,542 Configuring a RADIUS scheme,336
Call services configuration examples,581 Configuring a resource group,418
Call statistics,839 Configuring a rule for a basic IPv4 ACL,240
Changing the login password,446 Configuring a rule for an advanced IPv4 ACL,242
Channel busy test,142 Configuring a rule for an Ethernet frame header
Clearing the dynamic domain name cache,203 ACL,245
Client mode configuration example,114 Configuring a security policy,435
Client-initiated VPN configuration example,385 Configuring a static address pool for the DHCP
Common Web interface elements,19 server,218
Configuration examples of local number and call Configuring a user group,423
route,547 Configuring a VLAN and its VLAN interface,62
Configuration guidelines,238 Configuring access number management,776
Configuration guidelines,376 Configuring advanced limit,250
Configuration guidelines,66 Configuring advanced queue,253
Configuration guidelines,195 Configuring advanced settings,660
Configuration guidelines,334 Configuring advanced settings of a call route,603
Configuration guidelines,23 Configuring advanced settings of a local number,600

848
Configuring an ADSL/G.SHDSL interface,52 Configuring the blacklist and white list functions,125
Configuring an Ethernet interface or subinterface,47 Configuring the blacklist function,172
Configuring an internal server,151 Configuring the global key policy,769
Configuring an IPsec connection,367
Configuring an MST region,323
Configuring an SA interface,50
Configuring ARP automatic scanning,363
Configuring authentication policies,429
Configuring basic services,34
Configuring bridging,289
Configuring call release cause code mapping,665
Configuring call services of a call route,580
Configuring call services of a local number,576
Configuring connection limit,153
Configuring connection properties,651
Configuring data transmit rates,120
Configuring DHCP interface setup,217
Configuring dial plan,615
Configuring digital link management,704
Configuring dynamic NAT,148
Configuring fax and modem,568
Configuring fixed ARP,364
Configuring gratuitous ARP,357
Configuring intrusion detection,174
Configuring IP addresses excluded from dynamic allocation,222
Configuring IP network resources,413
Configuring IVR,767
Configuring IVR nodes,770
Configuring local users,420
Configuring media parameters for SIP-to-SIP connections,607
Configuring MSTP globally,324
Configuring MSTP on a port,328
Configuring periodic sending of gratuitous ARP packets,362
Configuring routes,190
Configuring session properties,653
Configuring signaling parameters for SIP-to-SIP connections,608
Configuring SIP local survival,745
Configuring SIP trunk,679
Configuring subnet limit,249
Configuring system time,500
Configuring TCP application resources,406
Configuring the MAC address filtering type,166
Configuring the MAC addresses to be filtered,166
Configuring the SSL VPN service,403
Configuring TR-069,503
Configuring user isolation,127
Configuring user-based load sharing,196
Configuring web page redirection,188
Configuring Web proxy server resources,404
Configuring WiNet,523
Configuring wireless access service,68
Configuring wireless QoS,129
Connection status,842
Creating a PKI domain,469
Creating a PKI entity,468
Creating a static ARP entry,355
Customizing IVR services,801
Customizing the SSL VPN user interface,439
D
DDNS configuration example,211
Destroying the RSA key pair,473
DHCP configuration examples,224
Dial plan configuration examples,622
Dial plan functions,613
Dial plan process,610
Displaying 3G wireless card state,30
Displaying ARP entries,354
Displaying broadband connection information,30
Displaying device information,30
Displaying external interface traffic ordering statistics,200
Displaying internal interface traffic ordering statistics,199
Displaying IPsec VPN monitoring information,373
Displaying L2TP tunnel information,385
Displaying LAN information,32
Displaying radio,122
Displaying recent system logs,33
Displaying service information,33
Displaying syslogs,516
Displaying wireless access service,84
Displaying WLAN information,32
Domain name resolution configuration example,204
E
E&M subscriber line,719
E1 voice DSS1 signaling configuration example,716
Echo adjustment function,721
Enabling application layer protocol check,153
Enabling DHCP,216
Enabling DNS proxy,202
Enabling dynamic domain name resolution,202
Enabling L2TP,378
Enabling learning of dynamic ARP entries,356
Enabling the client mode,111
Enabling the SNMP agent function,510
F
Fax and modem,542
FXO voice subscriber line,719
FXS voice subscriber line,719
G
Generating an RSA key pair,472
Getting help information,445
Global configuration,820
GRE over IPv4 tunnel configuration example,392
H
How SSL VPN works,400
I
Introduction to advanced settings,596
Introduction to basic settings,543
Introduction to DHCP,214
Introduction to MSTP,317
Introduction to RSTP,317
Introduction to SIP,643
Introduction to STP,310
Introduction to the Web interface,2
Introduction to the Web-based NM functions,5
IPsec VPN configuration example,374
IVR configuration examples,778
IVR information,846
L
Line management configuration,722
Line management configuration examples,735
Line states,837
Local survival service states,843
Logging in to the SSL VPN service interface,443
Logging in to the Web interface,1
Logging out of the Web interface,2
Login control configuration example,351
M
MAC address filtering configuration example,168
Managing integrated services,33
Managing services,495
Managing the 3G modem,144
Managing the configuration,491
Managing users,497
Managing Web-based NM through CLI,23
MSTP configuration example,330
N
NAT configuration examples,154
Network requirements,447
O
One-to-one binding between FXS and FXO voice subscriber lines,721
Overview,766
Overview,465
Overview,209
Overview,285
Overview,264
Overview,239
Overview,362
Overview,248
Overview,148
Overview,201
Overview,190
Overview,196
Overview,354
Overview,198
Overview,390
Overview,170
Overview,336
Overview,366
Overview,188
Overview,701
Overview,510
Overview,62
Overview,67
Overview,539
P
Performing basic configurations for the SSL VPN domain,426
Ping,520
Ping operation,521
PKI configuration examples,476
Q
QoS configuration examples,257
R
RADIUS configuration example,341
Rebooting the device,495
Recommended configuration procedure,198
Recommended configuration procedure,366
Recommended configuration procedure,201
Recommended configuration procedure,183
Recommended configuration procedure,148
Recommended configuration procedure,402
Recommended configuration procedure,465
Recommended configuration procedure,215
Recommended IPv4 ACL configuration procedure,239
Recommended MSTP configuration procedure,322
Regular expression,611
Removing ARP entries,355
Requesting a local certificate,475
Retrieving and displaying a certificate,473
Retrieving and displaying a CRL,476
S
Server group information,845
Setting a district code,142
Setting buffer capacity and refresh interval,519
Setting the log host,518
Setting the traffic ordering interval,199
SIP connection configuration examples,666
SIP local survival configuration examples,750
SIP modem pass-through function,567
SIP security,648
SIP trunk account states,844
SIP trunk configuration examples,689
SIP UA states,841
SNMP agent configuration task list,264
SNMP configuration examples,512
SNMPv1/v2c configuration example,276
SNMPv3 configuration example,279
Specifying a DNS server,203
Specifying the traffic ordering mode,199
Static ARP configuration example,357
Static route configuration example,192
Support for SIP extensions,650
Support for transport layer protocols,648
T
Traceroute,520
Traceroute operation,520
Troubleshooting Web browser,24
U
Upgrading software,507
URL filtering configuration example,164
User group configuration example,302
User group configuration task list,295
User level,5
V
Verifying the configuration,461
Viewing the general information and statistics of an interface,61
Viewing user information,425
W
WiNet configuration example,530
Wireless access service configuration examples,91
Wireless QoS configuration example,138